SentinelOne

104 events across 2 channels

Event	Title	Channel	Sample
1	Windows Agent is starting in AgentMode mode.	Operational	N
2	Policy was changed in the Console: %1.	Operational	N
3	Policy was changed with override commands: %1.	Operational	N
4	Failed to register with management because it no longer exists.	Operational	N
5	Failed to register with management: Reason (ErrorCode).	Operational	N
6	Threat remediation: Failed to delete file FilePath because it was already …	Operational	N
7	Threat remediation: Failed to delete file FilePath.	Operational	N
8	Threat remediation: Failed to rename file SourceFilePath to DestinationFilePath …	Operational	N
9	Threat remediation: Failed to rename file SourceFilePath to DestinationFilePath …	Operational	N
10	Threat remediation: Failed to rename file SourceFilePath to DestinationFilePath …	Operational	N
11	Threat remediation: Failed to rename file SourceFilePath to DestinationFilePath.	Operational	N
12	Threat remediation: Failed to restore file FilePath to timestamp …	Operational	N
13	Threat remediation: Failed to restore file FilePath to timestamp …	Operational	N
14	Threat remediation: Failed to restore file FilePath to timestamp …	Operational	N
15	Threat remediation: Failed to restore registry value (key: RegistryKeyPath, …	Operational	N
16	Threat mitigation: Failed to kill malicious processes because the true context …	Operational	N
17	Threat mitigation completion after reboot requested another reboot.	Operational	N
18	Threat mitigation: Not killing process ProcessName (Path: ProcessPath, Process …	Operational	N
19	Threat mitigation: Cannot kill process ProcessName (Path: ProcessPath, Process …	Operational	N
20	Threat mitigation: Cannot kill process ProcessName (Path: ProcessPath, Process …	Operational	N
21	Threat mitigation: Cannot kill process ProcessName (Path: ProcessPath, Process …	Operational	N
22	Threat mitigation: Cannot kill threads of process ProcessName (Path: …	Operational	N
23	Threat mitigation: Failed to quarantine file FilePath because the file is …	Operational	N
24	Threat mitigation: Failed to quarantine file FilePath because the file belongs …	Operational	N
25	Threat mitigation: Failed to scramble file FilePath.	Operational	N
26	Threat mitigation: skipping quarantine of file FilePath because the file was …	Operational	N
27	Threat mitigation: Failed to quarantine file FilePath because the file does not …	Operational	N
28	Threat mitigation: A reboot is required to complete the quarantine of file …	Operational	N
29	Threat mitigation: Failed to quarantine a file.	Operational	N
30	Network quarantine failed.	Operational	N
31	Malware detected!	Operational	N
32	Mitigation report.	Operational	N
33	Failed to unquarantine file FilePath because the file cannot be found.	Operational	N
34	Unquarantine: Failed to restore file times for FilePath.	Operational	N
35	Failed to unquarantine files affected by threat of True Context ID …	Operational	N
36	Network unquarantine failed.	Operational	N
37	Policy not changed. Verification key not provided.	Operational	N
38	Policy not changed. The provided verification key is incorrect.	Operational	N
39	Policy not changed. A parameter cannot be both set and undefined.	Operational	N
40	Policy not changed. Parameter was not provided.	Operational	N
41	Policy not changed.	Operational	N
42	Policy not changed.	Operational	N
43	Policy not changed. The provided proxy credentials are invalid.	Operational	N
44	Policy not changed.	Operational	N
45	Policy not changed.	Operational	N
46	Policy not changed.	Operational	N
47	Policy not changed.	Operational	N
48	Policy not changed.	Operational	N
49	Policy not changed.	Operational	N
50	Cannot scan Path because the path does not exist.	Operational	N
51	Cannot scan Path because it is not a folder.	Operational	N
52	Scan not started because a previous scan is still in progress.	Operational	N
53	Cannot scan because Sentinel Agent is not running.	Operational	N
54	Scan aborted.	Operational	N
55	Full Disk Scan started.	Operational	N
56	Scan of Path started.	Operational	N
57	Scan completed successfully.	Operational	N
58	Failed to execute command Command.	Operational	N
59	Remote Shell: Error.	Operational	N
60	Agent Upgrade: BITS job created for downloading the new Agent.	Operational	N
61	Agent Upgrade: BITS download job complete.	Operational	N
62	Agent Upgrade: BITS download job failed.	Operational	N
63	Agent Upgrade: BITS download job failed.	Operational	N
64	Agent Upgrade: BITS is unavailable.	Operational	N
65	Agent handled the creation of process Name (PID: PID).	Operational	N
66	DB pruning Result.	Operational	N
67	Customer ID: customerID.	Operational	N
68	Mark as Status on True Context ID TrueContextID received from Deep Visibility.	Operational	N
69	Failed to Mark True Context ID TrueContextID as Status.	Operational	N
70	Failed to Mark as Status: True Context ID TrueContextID.	Operational	N
71	True Context ID TrueContextID was changed from suspicious to threat.	Operational	N
72	Failed to Mark as Status: True Context ID TrueContextID.	Operational	N
73	Failed to Mark as Suspicious True Context ID TrueContextID.	Operational	N
74	Failed to Mark as Status True Context ID TrueContextID.	Operational	N
75	Agent handled the termination of process Name (PID: PID).	Operational	N
76	Agent encountered invalid pattern: Pattern.	Operational	N
77	USB device DeviceName was Action based on SentinelOne Device Control policy.	Operational	N
78	Bluetooth device DeviceName was Action based on SentinelOne Device Control …	Operational	N
79	Interface device DeviceName was Action based on SentinelOne Device Control …	Operational	N
80	The agent encountered an error that is usually ignored, but shouldn't be ignored …	Operational	N
81	Scan ended.	Operational	N
82	BlueKeep exploitation attempt detected from: IP.	Operational	N
83	Resizing the VSS diff area on VolumeName was blocked.	Operational	N
84	Blocked PacketDirection connection.	Firewall	N
85	Unable to handle configuration change, dropping the configuration	Operational	N
86	UI storage reached maximum allowed file size	Operational	N
87	UI storage read error ErrorCode "ErrorMessage".	Operational	N
88	UI storage write error ErrorCode "ErrorMessage".	Operational	N
89	UI storage is corrupted and will be deleted.	Operational	N
90	Error deleting corrupted UI storage.	Operational	N
91	Remote script orchestrator: script ScriptName execution completed.	Operational	N
92	File FilePath was detected as a malicious driver when attempting to load it …	Operational	N
93	SentinelCTL command of type "CommandType" was executed - result was: Result.	Operational	N
94	Anti-tampering was activated.	Operational	N
95	Anti-tampering was deactivated.	Operational	N
96	Agent upgrade was initiated.	Operational	N
97	Windows Agent is shutting down.	Operational	N
98	Sentinel process has crashed.	Operational	N
99	Dump file was deleted, as dump limit of DumpFileLimit was reached.	Operational	N
100	The agent has successfully connected to the SentinelOne console (ConsoleURL).	Operational	N
101	The agent received a "CommandType" command from console.	Operational	N
102	Entering disable mode by command.	Operational	N
103	Exiting disable mode.	Operational	N
104	Event ID 104	Operational	N

Event ID 1: Windows Agent is starting in AgentMode mode.

Provider: SentinelOne
Channel: Operational

Description

Windows Agent is starting in AgentMode mode. Agent version ProductVersion, running on Windows WindowsVersion.

Message #

Windows Agent is starting in %3 mode. Agent version %1, running on Windows %2.

Fields #

Name	Description
`ProductVersion` UnicodeString
`WindowsVersion` UnicodeString
`AgentMode` UnicodeString

Event ID 2: Policy was changed in the Console: %1.

Provider: SentinelOne
Channel: Operational

Description

Policy was changed in the Console.

Message #

Policy was changed in the Console:



%1

Event ID 3: Policy was changed with override commands: %1.

Provider: SentinelOne
Channel: Operational

Description

Policy was changed with override commands.

Message #

Policy was changed with override commands:



%1

Event ID 4: Failed to register with management because it no longer exists.

Provider: SentinelOne
Channel: Operational

Description

Failed to register with management because it no longer exists. Not retrying.

Message #

Failed to register with management because it no longer exists. Not retrying.

Fields #

Name	Description
`ErrorCode` Int32

Event ID 5: Failed to register with management: Reason (ErrorCode).

Provider: SentinelOne
Channel: Operational

Description

Failed to register with management: Reason (ErrorCode). Retrying in RetrySeconds seconds.

Message #

Failed to register with management: %1 (%2). Retrying in %3 seconds.

Fields #

Name	Description
`Reason` AnsiString
`ErrorCode` Int32
`RetrySeconds` Int32

Event ID 6: Threat remediation: Failed to delete file FilePath because it was already deleted.

Provider: SentinelOne
Channel: Operational

Description

Threat remediation: Failed to delete file FilePath because it was already deleted.

Message #

Threat remediation: Failed to delete file %1 because it was already deleted.

Fields #

Name	Description
`FilePath` UnicodeString

Event ID 7: Threat remediation: Failed to delete file FilePath.

Provider: SentinelOne
Channel: Operational

Description

Threat remediation: Failed to delete file FilePath.

Message #

Threat remediation: Failed to delete file %1.

Error: %2

Fields #

Name	Description
`FilePath` UnicodeString
`Error` UInt32

Event ID 8: Threat remediation: Failed to rename file SourceFilePath to DestinationFilePath because the file was deleted.

Provider: SentinelOne
Channel: Operational

Description

Threat remediation: Failed to rename file SourceFilePath to DestinationFilePath because the file was deleted.

Message #

Threat remediation: Failed to rename file %1 to %2 because the file was deleted.

Fields #

Name	Description
`SourceFilePath` UnicodeString
`DestinationFilePath` UnicodeString

Event ID 9: Threat remediation: Failed to rename file SourceFilePath to DestinationFilePath because the file's parent directory does not exist.

Provider: SentinelOne
Channel: Operational

Description

Threat remediation: Failed to rename file SourceFilePath to DestinationFilePath because the file's parent directory does not exist.

Message #

Threat remediation: Failed to rename file %1 to %2 because the file's parent directory does not exist.

Fields #

Name	Description
`SourceFilePath` UnicodeString
`DestinationFilePath` UnicodeString

Event ID 10: Threat remediation: Failed to rename file SourceFilePath to DestinationFilePath because the destination path already exists.

Provider: SentinelOne
Channel: Operational

Description

Threat remediation: Failed to rename file SourceFilePath to DestinationFilePath because the destination path already exists.

Message #

Threat remediation: Failed to rename file %1 to %2 because the destination path already exists.

Fields #

Name	Description
`SourceFilePath` UnicodeString
`DestinationFilePath` UnicodeString

Event ID 11: Threat remediation: Failed to rename file SourceFilePath to DestinationFilePath.

Provider: SentinelOne
Channel: Operational

Description

Threat remediation: Failed to rename file SourceFilePath to DestinationFilePath.

Message #

Threat remediation: Failed to rename file %1 to %2.

Error: %3

Fields #

Name	Description
`SourceFilePath` UnicodeString
`DestinationFilePath` UnicodeString
`Error` UInt32

Event ID 12: Threat remediation: Failed to restore file FilePath to timestamp DesiredTimestamp because no snapshots were found up to the desired period.

Provider: SentinelOne
Channel: Operational

Description

Threat remediation: Failed to restore file FilePath to timestamp DesiredTimestamp because no snapshots were found up to the desired period.

Message #

Threat remediation: Failed to restore file %1 to timestamp %2 because no snapshots were found up to the desired period.

Fields #

Name	Description
`FilePath` UnicodeString
`DesiredTimestamp` FILETIME

Event ID 13: Threat remediation: Failed to restore file FilePath to timestamp DesiredTimestamp because it is being used by another process.

Provider: SentinelOne
Channel: Operational

Description

Threat remediation: Failed to restore file FilePath to timestamp DesiredTimestamp because it is being used by another process.

Message #

Threat remediation: Failed to restore file %1 to timestamp %2 because it is being used by another process.

Fields #

Name	Description
`FilePath` UnicodeString
`DesiredTimestamp` FILETIME

Event ID 14: Threat remediation: Failed to restore file FilePath to timestamp DesiredTimestamp because access was denied.

Provider: SentinelOne
Channel: Operational

Description

Threat remediation: Failed to restore file FilePath to timestamp DesiredTimestamp because access was denied.

Message #

Threat remediation: Failed to restore file %1 to timestamp %2 because access was denied.

Fields #

Name	Description
`FilePath` UnicodeString
`DesiredTimestamp` FILETIME

Event ID 15: Threat remediation: Failed to restore registry value (key: RegistryKeyPath, value: Value) because it does not exist.

Provider: SentinelOne
Channel: Operational

Description

Threat remediation: Failed to restore registry value (key: RegistryKeyPath, value: Value) because it does not exist.

Message #

Threat remediation: Failed to restore registry value (key: %1, value: %2) because it does not exist.

Fields #

Name	Description
`RegistryKeyPath` UnicodeString
`Value` UnicodeString

Event ID 16: Threat mitigation: Failed to kill malicious processes because the true context does not exist.

Provider: SentinelOne
Channel: Operational

Description

Threat mitigation: Failed to kill malicious processes because the true context does not exist.

Message #

Threat mitigation: Failed to kill malicious processes because the true context does not exist.

Event ID 17: Threat mitigation completion after reboot requested another reboot.

Provider: SentinelOne
Channel: Operational

Description

Threat mitigation completion after reboot requested another reboot.

Message #

Threat mitigation completion after reboot requested another reboot.

True Context ID: %1, Mitigation action: %2

Fields #

Name	Description
`TrueContextID` UnicodeString
`MitigationAction` UnicodeString

Event ID 18: Threat mitigation: Not killing process ProcessName (Path: ProcessPath, Process ID: ProcessID) due to relation Relation.

Provider: SentinelOne
Channel: Operational

Description

Threat mitigation: Not killing process ProcessName (Path: ProcessPath, Process ID: ProcessID) due to relation Relation.

Message #

Threat mitigation: Not killing process %1 (Path: %2, Process ID: %3) due to relation %4.

Fields #

Name	Description
`ProcessName` UnicodeString
`ProcessPath` UnicodeString
`ProcessID` UInt32
`Relation` UnicodeString

Event ID 19: Threat mitigation: Cannot kill process ProcessName (Path: ProcessPath, Process ID: ProcessID) because it is a core OS process.

Provider: SentinelOne
Channel: Operational

Description

Threat mitigation: Cannot kill process ProcessName (Path: ProcessPath, Process ID: ProcessID) because it is a core OS process.

Message #

Threat mitigation: Cannot kill process %1 (Path: %2, Process ID: %3) because it is a core OS process.

Fields #

Name	Description
`ProcessName` UnicodeString
`ProcessPath` UnicodeString
`ProcessID` UInt32

Event ID 20: Threat mitigation: Cannot kill process ProcessName (Path: ProcessPath, Process ID: ProcessID) because it is signed by SentinelOne.

Provider: SentinelOne
Channel: Operational

Description

Threat mitigation: Cannot kill process ProcessName (Path: ProcessPath, Process ID: ProcessID) because it is signed by SentinelOne.

Message #

Threat mitigation: Cannot kill process %1 (Path: %2, Process ID: %3) because it is signed by SentinelOne.

Fields #

Name	Description
`ProcessName` UnicodeString
`ProcessPath` UnicodeString
`ProcessID` UInt32

Event ID 21: Threat mitigation: Cannot kill process ProcessName (Path: ProcessPath, Process ID: ProcessID) due to an unknown error.

Provider: SentinelOne
Channel: Operational

Description

Threat mitigation: Cannot kill process ProcessName (Path: ProcessPath, Process ID: ProcessID) due to an unknown error.

Message #

Threat mitigation: Cannot kill process %1 (Path: %2, Process ID: %3) due to an unknown error.

Fields #

Name	Description
`ProcessName` UnicodeString
`ProcessPath` UnicodeString
`ProcessID` UInt32

Event ID 22: Threat mitigation: Cannot kill threads of process ProcessName (Path: ProcessPath, Process ID: ProcessID) due to an unknown error.

Provider: SentinelOne
Channel: Operational

Description

Threat mitigation: Cannot kill threads of process ProcessName (Path: ProcessPath, Process ID: ProcessID) due to an unknown error.

Message #

Threat mitigation: Cannot kill threads of process %1 (Path: %2, Process ID: %3) due to an unknown error.

Fields #

Name	Description
`ProcessName` UnicodeString
`ProcessPath` UnicodeString
`ProcessID` UInt32

Event ID 23: Threat mitigation: Failed to quarantine file FilePath because the file is remote.

Provider: SentinelOne
Channel: Operational

Description

Threat mitigation: Failed to quarantine file FilePath because the file is remote.

Message #

Threat mitigation: Failed to quarantine file %1 because the file is remote.

Fields #

Name	Description
`FilePath` UnicodeString

Event ID 24: Threat mitigation: Failed to quarantine file FilePath because the file belongs to a core OS process.

Provider: SentinelOne
Channel: Operational

Description

Threat mitigation: Failed to quarantine file FilePath because the file belongs to a core OS process.

Message #

Threat mitigation: Failed to quarantine file %1 because the file belongs to a core OS process.

Fields #

Name	Description
`FilePath` UnicodeString

Event ID 25: Threat mitigation: Failed to scramble file FilePath.

Provider: SentinelOne
Channel: Operational

Description

Threat mitigation: Failed to scramble file FilePath.

Message #

Threat mitigation: Failed to scramble file %1.

Error: %2

Fields #

Name	Description
`FilePath` UnicodeString
`Error` AnsiString

Event ID 26: Threat mitigation: skipping quarantine of file FilePath because the file was already quarantined by another threat mitigation.

Provider: SentinelOne
Channel: Operational

Description

Threat mitigation: skipping quarantine of file FilePath because the file was already quarantined by another threat mitigation.

Message #

Threat mitigation: skipping quarantine of file %1 because the file was already quarantined by another threat mitigation.

Fields #

Name	Description
`FilePath` UnicodeString

Event ID 27: Threat mitigation: Failed to quarantine file FilePath because the file does not exist.

Provider: SentinelOne
Channel: Operational

Description

Threat mitigation: Failed to quarantine file FilePath because the file does not exist.

Message #

Threat mitigation: Failed to quarantine file %1 because the file does not exist.

Fields #

Name	Description
`FilePath` UnicodeString

Event ID 28: Threat mitigation: A reboot is required to complete the quarantine of file FilePath.

Provider: SentinelOne
Channel: Operational

Description

Threat mitigation: A reboot is required to complete the quarantine of file FilePath.

Message #

Threat mitigation: A reboot is required to complete the quarantine of file %1.

Fields #

Name	Description
`FilePath` UnicodeString

Event ID 29: Threat mitigation: Failed to quarantine a file.

Provider: SentinelOne
Channel: Operational

Description

Threat mitigation: Failed to quarantine a file.

Message #

Threat mitigation: Failed to quarantine a file.

Error: %1

Fields #

Name	Description
`Error` AnsiString

Event ID 30: Network quarantine failed.

Provider: SentinelOne
Channel: Operational

Description

Network quarantine failed.

Message #

Network quarantine failed.

Error: %1

Fields #

Name	Description
`Error` AnsiString

Event ID 31: Malware detected!

Provider: SentinelOne
Channel: Operational

Description

Malware detected!

Message #

Malware detected!



True Context ID: %1

Name: %2

Path: %3

Detection engine: %4

Fields #

Name	Description
`TrueContextID` UnicodeString
`Name` UnicodeString
`Path` UnicodeString
`DetectionEngine` UnicodeString

Event ID 32: Mitigation report.

Provider: SentinelOne
Channel: Operational

Description

Mitigation report.

Message #

Mitigation report



True Context ID: %1

Action: %2

Result: %3

Fields #

Name	Description
`TrueContextID` UnicodeString
`Action` UnicodeString
`Result` UnicodeString

Event ID 33: Failed to unquarantine file FilePath because the file cannot be found.

Provider: SentinelOne
Channel: Operational

Description

Failed to unquarantine file FilePath because the file cannot be found.

Message #

Failed to unquarantine file %1 because the file cannot be found

Fields #

Name	Description
`FilePath` UnicodeString

Event ID 34: Unquarantine: Failed to restore file times for FilePath.

Provider: SentinelOne
Channel: Operational

Description

Unquarantine: Failed to restore file times for FilePath.

Message #

Unquarantine: Failed to restore file times for %1.

Error: %2

Fields #

Name	Description
`FilePath` UnicodeString
`Error` AnsiString

Event ID 35: Failed to unquarantine files affected by threat of True Context ID TrueContextID.

Provider: SentinelOne
Channel: Operational

Description

Failed to unquarantine files affected by threat of True Context ID TrueContextID.

Message #

Failed to unquarantine files affected by threat of True Context ID %1.

Error: %2

Fields #

Name	Description
`TrueContextID` UnicodeString
`Error` AnsiString

Event ID 36: Network unquarantine failed.

Provider: SentinelOne
Channel: Operational

Description

Network unquarantine failed.

Message #

Network unquarantine failed.

Error: %1

Fields #

Name	Description
`Error` AnsiString

Event ID 37: Policy not changed. Verification key not provided.

Provider: SentinelOne
Channel: Operational

Description

Policy not changed. Verification key not provided. Get the Agent passphrase and enter it with the -k flag.

Message #

Policy not changed. Verification key not provided. Get the Agent passphrase and enter it with the -k flag.

Event ID 38: Policy not changed. The provided verification key is incorrect.

Provider: SentinelOne
Channel: Operational

Description

Policy not changed. The provided verification key is incorrect.

Message #

Policy not changed. The provided verification key is incorrect.

Event ID 39: Policy not changed. A parameter cannot be both set and undefined.

Provider: SentinelOne
Channel: Operational

Description

Policy not changed. A parameter cannot be both set and undefined.

Message #

Policy not changed. A parameter cannot be both set and undefined.

Event ID 40: Policy not changed. Parameter was not provided.

Provider: SentinelOne
Channel: Operational

Description

Policy not changed. Parameter was not provided.

Message #

Policy not changed. Parameter was not provided.

Event ID 41: Policy not changed.

Provider: SentinelOne
Channel: Operational

Description

Policy not changed. The value Value is not valid for Parameter: invalid URL.

Message #

Policy not changed. The value %2 is not valid for %1: invalid URL.

Fields #

Name	Description
`Parameter` UnicodeString
`Value` UnicodeString

Event ID 42: Policy not changed.

Provider: SentinelOne
Channel: Operational

Description

Policy not changed. The value Value is not valid. Remove the slash from the end of the URL.

Message #

Policy not changed. The value %2 is not valid. Remove the slash from the end of the URL.

Fields #

Name	Description
`Parameter` UnicodeString
`Value` UnicodeString

Event ID 43: Policy not changed. The provided proxy credentials are invalid.

Provider: SentinelOne
Channel: Operational

Description

Policy not changed. The provided proxy credentials are invalid.

Message #

Policy not changed. The provided proxy credentials are invalid.

Fields #

Name	Description
`Parameter` UnicodeString

Event ID 44: Policy not changed.

Provider: SentinelOne
Channel: Operational

Description

Policy not changed. Failed to write value Parameter for UI Language due to error: Value.

Message #

Policy not changed. Failed to write value %1 for UI Language due to error: %2

Fields #

Name	Description
`Parameter` UnicodeString
`Value` UnicodeString
`Error` AnsiString

Event ID 45: Policy not changed.

Provider: SentinelOne
Channel: Operational

Description

Policy not changed. Invalid UI configuration property Parameter.

Message #

Policy not changed. Invalid UI configuration property %1.

Fields #

Name	Description
`Parameter` UnicodeString

Event ID 46: Policy not changed.

Provider: SentinelOne
Channel: Operational

Description

Policy not changed. Invalid engine status Value.

Message #

Policy not changed. Invalid engine status %2.

Engine status must be one of: "off", "suppressed", "disable", "local".

Fields #

Name	Description
`Parameter` UnicodeString
`Value` UnicodeString

Event ID 47: Policy not changed.

Provider: SentinelOne
Channel: Operational

Description

Policy not changed. Invalid parameter Parameter: Error.

Message #

Policy not changed. Invalid parameter %1: %2.

Fields #

Name	Description
`Parameter` UnicodeString
`Error` AnsiString

Event ID 48: Policy not changed.

Provider: SentinelOne
Channel: Operational

Description

Policy not changed.

Message #

Policy not changed.

Error: %3.

Parameter: %1

Invalid given value: %2

Fields #

Name	Description
`Parameter` UnicodeString
`Value` UnicodeString
`Error` AnsiString

Event ID 49: Policy not changed.

Provider: SentinelOne
Channel: Operational

Description

Policy not changed. Cannot undefine parameter Parameter.

Message #

Policy not changed. Cannot undefine parameter %1.

Fields #

Name	Description
`Parameter` UnicodeString

Event ID 50: Cannot scan Path because the path does not exist.

Provider: SentinelOne
Channel: Operational

Description

Cannot scan Path because the path does not exist.

Message #

Cannot scan %1 because the path does not exist.

Fields #

Name	Description
`Path` UnicodeString

Event ID 51: Cannot scan Path because it is not a folder.

Provider: SentinelOne
Channel: Operational

Description

Cannot scan Path because it is not a folder.

Message #

Cannot scan %1 because it is not a folder.

Fields #

Name	Description
`Path` UnicodeString

Event ID 52: Scan not started because a previous scan is still in progress.

Provider: SentinelOne
Channel: Operational

Description

Scan not started because a previous scan is still in progress.

Message #

Scan not started because a previous scan is still in progress.

Event ID 53: Cannot scan because Sentinel Agent is not running.

Provider: SentinelOne
Channel: Operational

Description

Cannot scan because Sentinel Agent is not running. Load the Agent and try again.

Message #

Cannot scan because Sentinel Agent is not running. Load the Agent and try again.

Event ID 54: Scan aborted.

Provider: SentinelOne
Channel: Operational

Description

Scan aborted.

Message #

Scan aborted.

Event ID 55: Full Disk Scan started.

Provider: SentinelOne
Channel: Operational

Description

Full Disk Scan started.

Message #

Full Disk Scan started.

Event ID 56: Scan of Path started.

Provider: SentinelOne
Channel: Operational

Description

Scan of Path started.

Message #

Scan of %1 started.

Fields #

Name	Description
`Path` UnicodeString

Event ID 57: Scan completed successfully.

Provider: SentinelOne
Channel: Operational

Description

Scan completed successfully.

Message #

Scan completed successfully.

Event ID 58: Failed to execute command Command.

Provider: SentinelOne
Channel: Operational

Description

Failed to execute command Command.

Message #

Failed to execute command %1.

Error: %2

Fields #

Name	Description
`Command` UnicodeString
`Error` UnicodeString

Event ID 59: Remote Shell: Error.

Provider: SentinelOne
Channel: Operational

Description

Remote Shell: Error.

Message #

Remote Shell: %1

Fields #

Name	Description
`Error` UnicodeString

Event ID 60: Agent Upgrade: BITS job created for downloading the new Agent.

Provider: SentinelOne
Channel: Operational

Description

Agent Upgrade: BITS job created for downloading the new Agent.

Message #

Agent Upgrade: BITS job created for downloading the new Agent.

Job title: %1

GUID: %2

Destination: %3

Fields #

Name	Description
`BITSJobTitle` UnicodeString
`BITSJobGUID` UnicodeString
`DownloadDestination` UnicodeString

Event ID 61: Agent Upgrade: BITS download job complete.

Provider: SentinelOne
Channel: Operational

Description

Agent Upgrade: BITS download job complete. Executing installation.

Message #

Agent Upgrade: BITS download job complete. Executing installation.

Job title: %1

GUID: %2

Destination: %3

Fields #

Name	Description
`BITSJobTitle` UnicodeString
`BITSJobGUID` UnicodeString
`DownloadDestinationPath` UnicodeString

Event ID 62: Agent Upgrade: BITS download job failed.

Provider: SentinelOne
Channel: Operational

Description

Agent Upgrade: BITS download job failed.

Message #

Agent Upgrade: BITS download job failed.

Error: %1 (%2)

Job title: %3

GUID: %4

Fields #

Name	Description
`ErrorMessage` UnicodeString
`ErrorCode` UInt32
`BITSJobTitle` UnicodeString
`BITSJobGUID` UnicodeString

Event ID 63: Agent Upgrade: BITS download job failed.

Provider: SentinelOne
Channel: Operational

Description

Agent Upgrade: BITS download job failed. Falling back to the classic downloader.

Message #

Agent Upgrade: BITS download job failed. Falling back to the classic downloader.

Error: %1 (%2)

Job title: %3

GUID: %4

Fields #

Name	Description
`ErrorMessage` UnicodeString
`ErrorCode` UInt32
`BITSJobTitle` UnicodeString
`BITSJobGUID` UnicodeString

Event ID 64: Agent Upgrade: BITS is unavailable.

Provider: SentinelOne
Channel: Operational

Description

Agent Upgrade: BITS is unavailable. Falling back to the classic downloader.

Message #

Agent Upgrade: BITS is unavailable. Falling back to the classic downloader.

Event ID 65: Agent handled the creation of process Name (PID: PID).

Provider: SentinelOne
Channel: Operational

Description

Agent handled the creation of process Name (PID: PID).

Message #

Agent handled the creation of process %1 (PID: %2).

Fields #

Name	Description
`Name` UnicodeString
`PID` UInt32
`UID` UnicodeString
`GroupUID` UnicodeString

Event ID 66: DB pruning Result.

Provider: SentinelOne
Channel: Operational

Description

DB pruning Result.

Message #

DB pruning %1.

Size before: %2

Size after: %3

New DB GUID: %4

Old DB path: %5

New DB path: %6

Fields #

Name	Description
`Result` UnicodeString
`SizeBefore` UInt64
`SizeAfter` UInt64
`NewGUID` UnicodeString
`OldPath` UnicodeString
`NewPath` UnicodeString

Event ID 67: Customer ID: customerID.

Provider: SentinelOne
Channel: Operational

Description

Customer ID: customerID.

Message #

Customer ID: %1

Fields #

Name	Description
`customerID` UnicodeString

Event ID 68: Mark as Status on True Context ID TrueContextID received from Deep Visibility.

Provider: SentinelOne
Channel: Operational

Description

Mark as Status on True Context ID TrueContextID received from Deep Visibility.

Message #

Mark as %2 on True Context ID %1 received from Deep Visibility

Fields #

Name	Description
`TrueContextID` UnicodeString
`Status` UnicodeString	NTSTATUS reference

Event ID 69: Failed to Mark True Context ID TrueContextID as Status.

Provider: SentinelOne
Channel: Operational

Description

Failed to Mark True Context ID TrueContextID as Status.

Message #

Failed to Mark True Context ID %1 as %2.

Error: True Context ID was not found on the Agent

Fields #

Name	Description
`TrueContextID` UnicodeString
`Status` UnicodeString	NTSTATUS reference

Event ID 70: Failed to Mark as Status: True Context ID TrueContextID.

Provider: SentinelOne
Channel: Operational

Description

Failed to Mark as Status: True Context ID TrueContextID.

Message #

Failed to Mark as %2: True Context ID %1.

Error: Already marked

Fields #

Name	Description
`TrueContextID` UnicodeString
`Status` UnicodeString	NTSTATUS reference

Event ID 71: True Context ID TrueContextID was changed from suspicious to threat.

Provider: SentinelOne
Channel: Operational

Description

True Context ID TrueContextID was changed from suspicious to threat.

Message #

True Context ID %1 was changed from suspicious to threat

Fields #

Name	Description
`TrueContextID` UnicodeString

Event ID 72: Failed to Mark as Status: True Context ID TrueContextID.

Provider: SentinelOne
Channel: Operational

Description

Failed to Mark as Status: True Context ID TrueContextID.

Message #

Failed to Mark as %2: True Context ID %1.

Error: Marked as Exclusion

Fields #

Name	Description
`TrueContextID` UnicodeString
`Status` UnicodeString	NTSTATUS reference

Event ID 73: Failed to Mark as Suspicious True Context ID TrueContextID.

Provider: SentinelOne
Channel: Operational

Description

Failed to Mark as Suspicious True Context ID TrueContextID.

Message #

Failed to Mark as Suspicious True Context ID %1.

Error: Already marked as Threat

Fields #

Name	Description
`TrueContextID` UnicodeString

Event ID 74: Failed to Mark as Status True Context ID TrueContextID.

Provider: SentinelOne
Channel: Operational

Description

Failed to Mark as Status True Context ID TrueContextID.

Message #

Failed to Mark as %2 True Context ID %1.

Error: Status is invalid

Fields #

Name	Description
`TrueContextID` UnicodeString
`Status` UnicodeString	NTSTATUS reference

Event ID 75: Agent handled the termination of process Name (PID: PID).

Provider: SentinelOne
Channel: Operational

Description

Agent handled the termination of process Name (PID: PID).

Message #

Agent handled the termination of process %1 (PID: %2).

Fields #

Name	Description
`Name` UnicodeString
`PID` UInt32
`UID` UnicodeString
`GroupUID` UnicodeString

Event ID 76: Agent encountered invalid pattern: Pattern.

Provider: SentinelOne
Channel: Operational

Description

Agent encountered invalid pattern: Pattern.

Message #

Agent encountered invalid pattern: %1.

Fields #

Name	Description
`Pattern` UnicodeString

Event ID 77: USB device DeviceName was Action based on SentinelOne Device Control policy.

Provider: SentinelOne
Channel: Operational

Description

USB device DeviceName was Action based on SentinelOne Device Control policy.

Message #

USB device %1 was %2 based on SentinelOne Device Control policy



Class: %3

Interface: USB

Vendor ID: %4

Product ID: %5

Serial ID: %6

Device Name: %1

Fields #

Name	Description
`DeviceName` UnicodeString
`Action` UnicodeString
`UsbDeviceClass` UnicodeString
`VendorId` UnicodeString
`ProductId` UnicodeString
`SerialId` UnicodeString

Event ID 78: Bluetooth device DeviceName was Action based on SentinelOne Device Control policy.

Provider: SentinelOne
Channel: Operational

Description

Bluetooth device DeviceName was Action based on SentinelOne Device Control policy.

Message #

Bluetooth device %1 was %2 based on SentinelOne Device Control policy



Class: %3

Minor Class: %4

Interface: Bluetooth

Vendor ID: %5

Product ID: %6

Manufacturer Name: %7

Bluetooth Address: %8

Device Name: %1

Bluetooth Version: %9

GATT Service: %10

Device Information: %11

Fields #

Name	Description
`DeviceName` UnicodeString
`Action` UnicodeString
`DeviceClass` UnicodeString
`DeviceMinorClass` UnicodeString
`VendorId` UnicodeString
`ProductId` UnicodeString
`ManufacturerName` UnicodeString
`BluetoothAddress` UnicodeString
`BluetoothVersion` UnicodeString
`GATTService` UnicodeString
`DeviceInformation` UnicodeString

Event ID 79: Interface device DeviceName was Action based on SentinelOne Device Control policy Info.

Provider: SentinelOne
Channel: Operational

Description

Interface device DeviceName was Action based on SentinelOne Device Control policy.

Message #

%1 device %2 was %3 based on SentinelOne Device Control policy



%4

Fields #

Name	Description
`Interface` UnicodeString
`DeviceName` UnicodeString
`Action` UnicodeString
`Info` UnicodeString

Event ID 80: The agent encountered an error that is usually ignored, but shouldn't be ignored in automation: Message.

Provider: SentinelOne
Channel: Operational

Description

The agent encountered an error that is usually ignored, but shouldn't be ignored in automation: Message.

Message #

The agent encountered an error that is usually ignored, but shouldn't be ignored in automation: %1

Fields #

Name	Description
`Message` UnicodeString

Event ID 81: Scan ended.

Provider: SentinelOne
Channel: Operational

Description

Scan ended.

Message #

Scan ended.

Scan start time: %1

Scan end time: %2

Scanned %3

Scan triggered by: %4

Total files scanned: %5

Malicious files count: %6

Excluded malicious files count: %7

Scan status: %8

Fields #

Name	Description
`ScanStartTime` FILETIME
`ScanEndTime` FILETIME
`ScannedPath` UnicodeString
`TriggerType` UnicodeString
`ScannedCount` UInt64
`MaliciousCount` UInt64
`ExcludedMaliciousCount` UInt64
`Status` UnicodeString	NTSTATUS reference

Event ID 82: BlueKeep exploitation attempt detected from: IP.

Provider: SentinelOne
Channel: Operational

Description

BlueKeep exploitation attempt detected from: IP.

Message #

BlueKeep exploitation attempt detected from: %1

Fields #

Name	Description
`IP` UnicodeString

Event ID 83: Resizing the VSS diff area on VolumeName was blocked.

Provider: SentinelOne
Channel: Operational

Description

Resizing the VSS diff area on VolumeName was blocked.

Message #

Resizing the VSS diff area on %2 was blocked.

The existing diff area has %3 used bytes and %4 allocated bytes.

The requested new diff area maximum was %5 bytes.

Fields #

Name	Description
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`OldDiffAreaUsed` Int64
`OldDiffAreaAllocated` Int64
`NewDiffAreaMaximum` Int64

Event ID 84: Blocked PacketDirection connection.

Provider: SentinelOne
Channel: Firewall

Description

Blocked PacketDirection connection. Rule Id: RuleId Rule Name: RuleName PID: ProcessId Remote Address: RemoteAddress:Port, FQDN: Fqdn.

Message #

Blocked %5 connection. Rule Id: %9 Rule Name: %10 PID: %3 Remote Address: %1:%2, FQDN: %8.

Application Name :%4.

Fields #

Name	Description
`RemoteAddress` UnicodeString
`Port` UInt16
`ProcessId` UInt32
`AppId` UnicodeString
`PacketDirection` UnicodeString
`FilterId` UInt64
`LayerId` UInt16
`Fqdn` UnicodeString
`RuleId` UnicodeString
`RuleName` UnicodeString

Event ID 85: Unable to handle configuration change, dropping the configuration

Provider: SentinelOne
Channel: Operational

Description

Unable to handle configuration change, dropping the configuration.

Message #

Unable to handle configuration change, dropping the configuration

Event ID 86: UI storage reached maximum allowed file size

Provider: SentinelOne
Channel: Operational

Description

UI storage reached maximum allowed file size.

Message #

UI storage reached maximum allowed file size

Event ID 87: UI storage read error ErrorCode "ErrorMessage".

Provider: SentinelOne
Channel: Operational

Description

UI storage read error ErrorCode "ErrorMessage".

Message #

UI storage read error %2 "%1"

Fields #

Name	Description
`ErrorMessage` UnicodeString
`ErrorCode` Int32

Event ID 88: UI storage write error ErrorCode "ErrorMessage".

Provider: SentinelOne
Channel: Operational

Description

UI storage write error ErrorCode "ErrorMessage".

Message #

UI storage write error %2 "%1"

Fields #

Name	Description
`ErrorMessage` UnicodeString
`ErrorCode` Int32

Event ID 89: UI storage is corrupted and will be deleted.

Provider: SentinelOne
Channel: Operational

Description

UI storage is corrupted and will be deleted.

Message #

UI storage is corrupted and will be deleted.

Event ID 90: Error deleting corrupted UI storage.

Provider: SentinelOne
Channel: Operational

Description

Error deleting corrupted UI storage.

Message #

Error deleting corrupted UI storage.

Event ID 91: Remote script orchestrator: script ScriptName execution completed.

Provider: SentinelOne
Channel: Operational

Description

Remote script orchestrator: script ScriptName execution completed. Start time: StartTime, duration: Duration milliseconds, exit status: ExitCode.

Message #

Remote script orchestrator: script %1 execution completed. Start time: %2, duration: %3 milliseconds, exit status: %4.

Fields #

Name	Description
`ScriptName` UnicodeString
`StartTime` FILETIME
`Duration` UInt64
`ExitCode` UInt64

Event ID 92: File FilePath was detected as a malicious driver when attempting to load it (Malicious Driver Type: MaliciousDriverType).

Provider: SentinelOne
Channel: Operational

Description

File FilePath was detected as a malicious driver when attempting to load it (Malicious Driver Type: MaliciousDriverType).

Message #

File %1 was detected as a malicious driver when attempting to load it (Malicious Driver Type: %2)

Fields #

Name	Description
`FilePath` UnicodeString
`MaliciousDriverType` UInt32

Event ID 93: SentinelCTL command of type "CommandType" was executed - result was: Result.

Provider: SentinelOne
Channel: Operational

Description

SentinelCTL command of type "CommandType" was executed - result was: Result.

Message #

SentinelCTL command of type "%1" was executed - result was: %2.

Fields #

Name	Description
`CommandType` UnicodeString
`Result` UInt32

Event ID 94: Anti-tampering was activated.

Provider: SentinelOne
Channel: Operational

Description

Anti-tampering was activated.

Message #

Anti-tampering was activated.

Event ID 95: Anti-tampering was deactivated.

Provider: SentinelOne
Channel: Operational

Description

Anti-tampering was deactivated.

Message #

Anti-tampering was deactivated.

Event ID 96: Agent upgrade was initiated.

Provider: SentinelOne
Channel: Operational

Description

Agent upgrade was initiated. (OldVersion -> NewVersion).

Message #

Agent upgrade was initiated. (%1 -> %2)

Fields #

Name	Description
`OldVersion` UnicodeString
`NewVersion` UnicodeString

Event ID 97: Windows Agent is shutting down.

Provider: SentinelOne
Channel: Operational

Description

Windows Agent is shutting down.

Message #

Windows Agent is shutting down.

Event ID 98: Sentinel process has crashed.

Provider: SentinelOne
Channel: Operational

Description

Sentinel process has crashed. Dump file path: "DumpPath".

Message #

Sentinel process has crashed. Dump file path: "%1".

Fields #

Name	Description
`DumpPath` UnicodeString

Event ID 99: Dump file was deleted, as dump limit of DumpFileLimit was reached.

Provider: SentinelOne
Channel: Operational

Description

Dump file was deleted, as dump limit of DumpFileLimit was reached. Dump file path: "DumpPath".

Message #

Dump file was deleted, as dump limit of %1 was reached. Dump file path: "%2".

Fields #

Name	Description
`DumpFileLimit` UInt32
`DumpPath` UnicodeString

Event ID 100: The agent has successfully connected to the SentinelOne console (ConsoleURL).

Provider: SentinelOne
Channel: Operational

Description

The agent has successfully connected to the SentinelOne console (ConsoleURL).

Message #

The agent has successfully connected to the SentinelOne console (%1).

Fields #

Name	Description
`ConsoleURL` UnicodeString

Event ID 101: The agent received a "CommandType" command from console.

Provider: SentinelOne
Channel: Operational

Description

The agent received a "CommandType" command from console.

Message #

The agent received a "%1" command from console

Fields #

Name	Description
`CommandType` UnicodeString

Event ID 102: Entering disable mode by command.

Provider: SentinelOne
Channel: Operational

Description

Entering disable mode by command.

Message #

Entering disable mode by command.

Event ID 103: Exiting disable mode.

Provider: SentinelOne
Channel: Operational

Description

Exiting disable mode.

Message #

Exiting disable mode.

Event ID 104

Provider: SentinelOne
Channel: Operational

Message #

%1

Fields #

Name	Description
`CommSdkMessage` AnsiString

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)