SentinelOne

104 events across 2 channels

Event ID | Title | Channel
1 | Windows Agent is starting in mode. Agent version, running on Windows. | Operational
2 | Policy was changed in the Console: %1. | Operational
3 | Policy was changed with override commands: %1. | Operational
4 | Failed to register with management because it no longer exists. | Operational
5 | Failed to register with management: %1 (%2). | Operational
6 | Threat remediation: Failed to delete file %1 because it was already deleted. | Operational
7 | Threat remediation: Failed to delete file %1. | Operational
8 | Threat remediation: Failed to rename file %1 to %2 because the file was deleted. | Operational
9 | Threat remediation: Failed to rename file %1 to %2 because the file's parent … | Operational
10 | Threat remediation: Failed to rename file %1 to %2 because the destination path … | Operational
11 | Threat remediation: Failed to rename file %1 to %2. | Operational
12 | Threat remediation: Failed to restore file %1 to timestamp %2 because no … | Operational
13 | Threat remediation: Failed to restore file %1 to timestamp %2 because it is … | Operational
14 | Threat remediation: Failed to restore file %1 to timestamp %2 because access was … | Operational
15 | Threat remediation: Failed to restore registry value (key: %1, value: %2) … | Operational
16 | Threat mitigation: Failed to kill malicious processes because the true context … | Operational
17 | Threat mitigation completion after reboot requested another reboot. | Operational
18 | Threat mitigation: Not killing process %1 (Path: %2, Process ID: %3) due to … | Operational
19 | Threat mitigation: Cannot kill process %1 (Path: %2, Process ID: %3) because it … | Operational
20 | Threat mitigation: Cannot kill process %1 (Path: %2, Process ID: %3) because it … | Operational
21 | Threat mitigation: Cannot kill process %1 (Path: %2, Process ID: %3) due to an … | Operational
22 | Threat mitigation: Cannot kill threads of process %1 (Path: %2, Process ID: %3) … | Operational
23 | Threat mitigation: Failed to quarantine file %1 because the file is remote. | Operational
24 | Threat mitigation: Failed to quarantine file %1 because the file belongs to a … | Operational
25 | Threat mitigation: Failed to scramble file %1. | Operational
26 | Threat mitigation: skipping quarantine of file %1 because the file was already … | Operational
27 | Threat mitigation: Failed to quarantine file %1 because the file does not exist. | Operational
28 | Threat mitigation: A reboot is required to complete the quarantine of file %1. | Operational
29 | Threat mitigation: Failed to quarantine a file. | Operational
30 | Network quarantine failed. | Operational
31 | Malware detected! | Operational
32 | Mitigation report True Context ID: %1 Action: %2 Result: %3. | Operational
33 | Failed to unquarantine file because the file cannot be found | Operational
34 | Unquarantine: Failed to restore file times for %1. | Operational
35 | Failed to unquarantine files affected by threat of True Context ID %1. | Operational
36 | Network unquarantine failed. | Operational
37 | Policy not changed. Verification key not provided. | Operational
38 | Policy not changed. The provided verification key is incorrect. | Operational
39 | Policy not changed. A parameter cannot be both set and undefined. | Operational
40 | Policy not changed. Parameter was not provided. | Operational
41 | Policy not changed. The value is not valid for: invalid URL. | Operational
42 | Policy not changed. The value is not valid. | Operational
43 | Policy not changed. The provided proxy credentials are invalid. | Operational
44 | Policy not changed. Failed to write value for UI Language due to error | Operational
45 | Policy not changed. Invalid UI configuration property. | Operational
46 | Policy not changed. Invalid engine status. | Operational
47 | Policy not changed. Invalid parameter. | Operational
48 | Policy not changed. | Operational
49 | Policy not changed. Cannot undefine parameter. | Operational
50 | Cannot scan because the path does not exist. | Operational
51 | Cannot scan because it is not a folder. | Operational
52 | Scan not started because a previous scan is still in progress. | Operational
53 | Cannot scan because Sentinel Agent is not running. | Operational
54 | Scan aborted. | Operational
55 | Full Disk Scan started. | Operational
56 | Scan of started. | Operational
57 | Scan completed successfully. | Operational
58 | Failed to execute command %1. | Operational
59 | Remote Shell: %1. | Operational
60 | Agent Upgrade: BITS job created for downloading the new Agent. | Operational
61 | Agent Upgrade: BITS download job complete. | Operational
62 | Agent Upgrade: BITS download job failed. | Operational
63 | Agent Upgrade: BITS download job failed. | Operational
64 | Agent Upgrade: BITS is unavailable. | Operational
65 | Agent handled the creation of process %1 (PID: %2). | Operational
66 | DB pruning %1. | Operational
67 | Customer ID: %1. | Operational
68 | Mark as on True Context ID received from Deep Visibility | Operational
69 | Failed to Mark True Context ID %1 as %2. | Operational
70 | Failed to Mark as: True Context ID. | Operational
71 | True Context ID was changed from suspicious to threat | Operational
72 | Failed to Mark as: True Context ID. | Operational
73 | Failed to Mark as Suspicious True Context ID %1. | Operational
74 | Failed to Mark as True Context ID. | Operational
75 | Agent handled the termination of process %1 (PID: %2). | Operational
76 | Agent encountered invalid pattern: %1. | Operational
77 | USB device was based on SentinelOne Device Control policy | Operational
78 | Bluetooth device was based on SentinelOne Device Control policy | Operational
79 | %1 device %2 was %3 based on SentinelOne Device Control policy %4. | Operational
80 | The agent encountered an error that is usually ignored, but shouldn't be ignored … | Operational
81 | Scan ended. | Operational
82 | BlueKeep exploitation attempt detected from: %1. | Operational
83 | Resizing the VSS diff area on %2 was blocked. | Operational
84 | Blocked %5 connection. | Firewall
85 | Unable to handle configuration change, dropping the configuration | Operational
86 | UI storage reached maximum allowed file size | Operational
87 | UI storage read error %2 "%1". | Operational
88 | UI storage write error %2 "%1". | Operational
89 | UI storage is corrupted and will be deleted. | Operational
90 | Error deleting corrupted UI storage. | Operational
91 | Remote script orchestrator: script %1 execution completed. | Operational
92 | File was detected as a malicious driver when attempting to load it (Malicious … | Operational
93 | SentinelCTL command of type "%1" was executed - result was: %2. | Operational
94 | Anti-tampering was activated. | Operational
95 | Anti-tampering was deactivated. | Operational
96 | Agent upgrade was initiated. | Operational
97 | Windows Agent is shutting down. | Operational
98 | Sentinel process has crashed. | Operational
99 | Dump file was deleted, as dump limit of %1 was reached. | Operational
100 | The agent has successfully connected to the SentinelOne console (%1). | Operational
101 | The agent received a command from console | Operational
102 | Entering disable mode by command. | Operational
103 | Exiting disable mode. | Operational
104 |  | Operational

Event ID 1 — Windows Agent is starting in mode. Agent version, running on Windows.

Provider
SentinelOne
Channel
Operational

Message

Windows Agent is starting in %3 mode. Agent version %1, running on Windows %2.

Fields

Name | Description
ProductVersion
WindowsVersion
AgentMode

Event ID 2 — Policy was changed in the Console: %1.

Provider
SentinelOne
Channel
Operational

Message

Policy was changed in the Console:



%1

Event ID 3 — Policy was changed with override commands: %1.

Provider
SentinelOne
Channel
Operational

Message

Policy was changed with override commands:



%1

Event ID 4 — Failed to register with management because it no longer exists.

Provider
SentinelOne
Channel
Operational

Message

Failed to register with management because it no longer exists. Not retrying.

Fields

Name | Description
ErrorCode

Event ID 5 — Failed to register with management: %1 (%2).

Provider
SentinelOne
Channel
Operational

Message

Failed to register with management: %1 (%2). Retrying in %3 seconds.

Fields

Name | Description
Reason
ErrorCode
RetrySeconds

Event ID 6 — Threat remediation: Failed to delete file %1 because it was already deleted.

Provider
SentinelOne
Channel
Operational

Message

Threat remediation: Failed to delete file %1 because it was already deleted.

Fields

Name | Description
FilePath

Event ID 7 — Threat remediation: Failed to delete file %1.

Provider
SentinelOne
Channel
Operational

Message

Threat remediation: Failed to delete file %1.

Error: %2

Fields

Name | Description
FilePath
Error

Event ID 8 — Threat remediation: Failed to rename file %1 to %2 because the file was deleted.

Provider
SentinelOne
Channel
Operational

Message

Threat remediation: Failed to rename file %1 to %2 because the file was deleted.

Fields

Name | Description
SourceFilePath
DestinationFilePath

Event ID 9 — Threat remediation: Failed to rename file %1 to %2 because the file's parent directory does not exist.

Provider
SentinelOne
Channel
Operational

Message

Threat remediation: Failed to rename file %1 to %2 because the file's parent directory does not exist.

Fields

Name | Description
SourceFilePath
DestinationFilePath

Event ID 10 — Threat remediation: Failed to rename file %1 to %2 because the destination path already exists.

Provider
SentinelOne
Channel
Operational

Message

Threat remediation: Failed to rename file %1 to %2 because the destination path already exists.

Fields

Name | Description
SourceFilePath
DestinationFilePath

Event ID 11 — Threat remediation: Failed to rename file %1 to %2.

Provider
SentinelOne
Channel
Operational

Message

Threat remediation: Failed to rename file %1 to %2.

Error: %3

Fields

Name | Description
SourceFilePath
DestinationFilePath
Error

Event ID 12 — Threat remediation: Failed to restore file %1 to timestamp %2 because no snapshots were found up to the desired period.

Provider
SentinelOne
Channel
Operational

Message

Threat remediation: Failed to restore file %1 to timestamp %2 because no snapshots were found up to the desired period.

Fields

Name | Description
FilePath
DesiredTimestamp

Event ID 13 — Threat remediation: Failed to restore file %1 to timestamp %2 because it is being used by another process.

Provider
SentinelOne
Channel
Operational

Message

Threat remediation: Failed to restore file %1 to timestamp %2 because it is being used by another process.

Fields

Name | Description
FilePath
DesiredTimestamp

Event ID 14 — Threat remediation: Failed to restore file %1 to timestamp %2 because access was denied.

Provider
SentinelOne
Channel
Operational

Message

Threat remediation: Failed to restore file %1 to timestamp %2 because access was denied.

Fields

Name | Description
FilePath
DesiredTimestamp

Event ID 15 — Threat remediation: Failed to restore registry value (key: %1, value: %2) because it does not exist.

Provider
SentinelOne
Channel
Operational

Message

Threat remediation: Failed to restore registry value (key: %1, value: %2) because it does not exist.

Fields

Name | Description
RegistryKeyPath
Value

Event ID 16 — Threat mitigation: Failed to kill malicious processes because the true context does not exist.

Provider
SentinelOne
Channel
Operational

Message

Threat mitigation: Failed to kill malicious processes because the true context does not exist.

Event ID 17 — Threat mitigation completion after reboot requested another reboot.

Provider
SentinelOne
Channel
Operational

Message

Threat mitigation completion after reboot requested another reboot.

True Context ID: %1, Mitigation action: %2

Fields

Name | Description
TrueContextID
MitigationAction

Event ID 18 — Threat mitigation: Not killing process %1 (Path: %2, Process ID: %3) due to relation %4.

Provider
SentinelOne
Channel
Operational

Message

Threat mitigation: Not killing process %1 (Path: %2, Process ID: %3) due to relation %4.

Fields

Name | Description
ProcessName
ProcessPath
ProcessID
Relation

Event ID 19 — Threat mitigation: Cannot kill process %1 (Path: %2, Process ID: %3) because it is a core OS process.

Provider
SentinelOne
Channel
Operational

Message

Threat mitigation: Cannot kill process %1 (Path: %2, Process ID: %3) because it is a core OS process.

Fields

Name | Description
ProcessName
ProcessPath
ProcessID

Event ID 20 — Threat mitigation: Cannot kill process %1 (Path: %2, Process ID: %3) because it is signed by SentinelOne.

Provider
SentinelOne
Channel
Operational

Message

Threat mitigation: Cannot kill process %1 (Path: %2, Process ID: %3) because it is signed by SentinelOne.

Fields

Name | Description
ProcessName
ProcessPath
ProcessID

Event ID 21 — Threat mitigation: Cannot kill process %1 (Path: %2, Process ID: %3) due to an unknown error.

Provider
SentinelOne
Channel
Operational

Message

Threat mitigation: Cannot kill process %1 (Path: %2, Process ID: %3) due to an unknown error.

Fields

Name | Description
ProcessName
ProcessPath
ProcessID

Event ID 22 — Threat mitigation: Cannot kill threads of process %1 (Path: %2, Process ID: %3) due to an unknown error.

Provider
SentinelOne
Channel
Operational

Message

Threat mitigation: Cannot kill threads of process %1 (Path: %2, Process ID: %3) due to an unknown error.

Fields

Name | Description
ProcessName
ProcessPath
ProcessID

Event ID 23 — Threat mitigation: Failed to quarantine file %1 because the file is remote.

Provider
SentinelOne
Channel
Operational

Message

Threat mitigation: Failed to quarantine file %1 because the file is remote.

Fields

Name | Description
FilePath

Event ID 24 — Threat mitigation: Failed to quarantine file %1 because the file belongs to a core OS process.

Provider
SentinelOne
Channel
Operational

Message

Threat mitigation: Failed to quarantine file %1 because the file belongs to a core OS process.

Fields

Name | Description
FilePath

Event ID 25 — Threat mitigation: Failed to scramble file %1.

Provider
SentinelOne
Channel
Operational

Message

Threat mitigation: Failed to scramble file %1.

Error: %2

Fields

Name | Description
FilePath
Error

Event ID 26 — Threat mitigation: skipping quarantine of file %1 because the file was already quarantined by another threat mitigation.

Provider
SentinelOne
Channel
Operational

Message

Threat mitigation: skipping quarantine of file %1 because the file was already quarantined by another threat mitigation.

Fields

Name | Description
FilePath

Event ID 27 — Threat mitigation: Failed to quarantine file %1 because the file does not exist.

Provider
SentinelOne
Channel
Operational

Message

Threat mitigation: Failed to quarantine file %1 because the file does not exist.

Fields

Name | Description
FilePath

Event ID 28 — Threat mitigation: A reboot is required to complete the quarantine of file %1.

Provider
SentinelOne
Channel
Operational

Message

Threat mitigation: A reboot is required to complete the quarantine of file %1.

Fields

Name | Description
FilePath

Event ID 29 — Threat mitigation: Failed to quarantine a file.

Provider
SentinelOne
Channel
Operational

Message

Threat mitigation: Failed to quarantine a file.

Error: %1

Fields

Name | Description
Error

Event ID 30 — Network quarantine failed.

Provider
SentinelOne
Channel
Operational

Message

Network quarantine failed.

Error: %1

Fields

Name | Description
Error

Event ID 31 — Malware detected!

Provider
SentinelOne
Channel
Operational

Message

Malware detected!



True Context ID: %1

Name: %2

Path: %3

Detection engine: %4

Fields

Name | Description
TrueContextID
Name
Path
DetectionEngine

Event ID 32 — Mitigation report True Context ID: %1 Action: %2 Result: %3.

Provider
SentinelOne
Channel
Operational

Message

Mitigation report



True Context ID: %1

Action: %2

Result: %3

Fields

Name | Description
TrueContextID
Action
Result

Event ID 33 — Failed to unquarantine file because the file cannot be found

Provider
SentinelOne
Channel
Operational

Message

Failed to unquarantine file %1 because the file cannot be found

Fields

Name | Description
FilePath

Event ID 34 — Unquarantine: Failed to restore file times for %1.

Provider
SentinelOne
Channel
Operational

Message

Unquarantine: Failed to restore file times for %1.

Error: %2

Fields

Name | Description
FilePath
Error

Event ID 35 — Failed to unquarantine files affected by threat of True Context ID %1.

Provider
SentinelOne
Channel
Operational

Message

Failed to unquarantine files affected by threat of True Context ID %1.

Error: %2

Fields

Name | Description
TrueContextID
Error

Event ID 36 — Network unquarantine failed.

Provider
SentinelOne
Channel
Operational

Message

Network unquarantine failed.

Error: %1

Fields

Name | Description
Error

Event ID 37 — Policy not changed. Verification key not provided.

Provider
SentinelOne
Channel
Operational

Message

Policy not changed. Verification key not provided. Get the Agent passphrase and enter it with the -k flag.

Event ID 38 — Policy not changed. The provided verification key is incorrect.

Provider
SentinelOne
Channel
Operational

Message

Policy not changed. The provided verification key is incorrect.

Event ID 39 — Policy not changed. A parameter cannot be both set and undefined.

Provider
SentinelOne
Channel
Operational

Message

Policy not changed. A parameter cannot be both set and undefined.

Event ID 40 — Policy not changed. Parameter was not provided.

Provider
SentinelOne
Channel
Operational

Message

Policy not changed. Parameter was not provided.

Event ID 41 — Policy not changed. The value is not valid for: invalid URL.

Provider
SentinelOne
Channel
Operational

Message

Policy not changed. The value %2 is not valid for %1: invalid URL.

Fields

Name | Description
Parameter
Value

Event ID 42 — Policy not changed. The value is not valid.

Provider
SentinelOne
Channel
Operational

Message

Policy not changed. The value %2 is not valid. Remove the slash from the end of the URL.

Fields

Name | Description
Parameter
Value

Event ID 43 — Policy not changed. The provided proxy credentials are invalid.

Provider
SentinelOne
Channel
Operational

Message

Policy not changed. The provided proxy credentials are invalid.

Fields

Name | Description
Parameter

Event ID 44 — Policy not changed. Failed to write value for UI Language due to error

Provider
SentinelOne
Channel
Operational

Message

Policy not changed. Failed to write value %1 for UI Language due to error: %2

Fields

Name | Description
Parameter
Value
Error

Event ID 45 — Policy not changed. Invalid UI configuration property.

Provider
SentinelOne
Channel
Operational

Message

Policy not changed. Invalid UI configuration property %1.

Fields

Name | Description
Parameter

Event ID 46 — Policy not changed. Invalid engine status.

Provider
SentinelOne
Channel
Operational

Message

Policy not changed. Invalid engine status %2.

Engine status must be one of: "off", "suppressed", "disable", "local".

Fields

Name | Description
Parameter
Value

Event ID 47 — Policy not changed. Invalid parameter.

Provider
SentinelOne
Channel
Operational

Message

Policy not changed. Invalid parameter %1: %2.

Fields

Name | Description
Parameter
Error

Event ID 48 — Policy not changed.

Provider
SentinelOne
Channel
Operational

Message

Policy not changed.

Error: %3.

Parameter: %1

Invalid given value: %2

Fields

Name | Description
Parameter
Value
Error

Event ID 49 — Policy not changed. Cannot undefine parameter.

Provider
SentinelOne
Channel
Operational

Message

Policy not changed. Cannot undefine parameter %1.

Fields

Name | Description
Parameter

Event ID 50 — Cannot scan because the path does not exist.

Provider
SentinelOne
Channel
Operational

Message

Cannot scan %1 because the path does not exist.

Fields

Name | Description
Path

Event ID 51 — Cannot scan because it is not a folder.

Provider
SentinelOne
Channel
Operational

Message

Cannot scan %1 because it is not a folder.

Fields

Name | Description
Path

Event ID 52 — Scan not started because a previous scan is still in progress.

Provider
SentinelOne
Channel
Operational

Message

Scan not started because a previous scan is still in progress.

Event ID 53 — Cannot scan because Sentinel Agent is not running.

Provider
SentinelOne
Channel
Operational

Message

Cannot scan because Sentinel Agent is not running. Load the Agent and try again.

Event ID 54 — Scan aborted.

Provider
SentinelOne
Channel
Operational

Message

Scan aborted.

Event ID 55 — Full Disk Scan started.

Provider
SentinelOne
Channel
Operational

Message

Full Disk Scan started.

Event ID 56 — Scan of started.

Provider
SentinelOne
Channel
Operational

Message

Scan of %1 started.

Fields

Name | Description
Path

Event ID 57 — Scan completed successfully.

Provider
SentinelOne
Channel
Operational

Message

Scan completed successfully.

Event ID 58 — Failed to execute command %1.

Provider
SentinelOne
Channel
Operational

Message

Failed to execute command %1.

Error: %2

Fields

Name | Description
Command
Error

Event ID 59 — Remote Shell: %1.

Provider
SentinelOne
Channel
Operational

Message

Remote Shell: %1

Fields

Name | Description
Error

Event ID 60 — Agent Upgrade: BITS job created for downloading the new Agent.

Provider
SentinelOne
Channel
Operational

Message

Agent Upgrade: BITS job created for downloading the new Agent.

Job title: %1

GUID: %2

Destination: %3

Fields

Name | Description
BITSJobTitle
BITSJobGUID
DownloadDestination

Event ID 61 — Agent Upgrade: BITS download job complete.

Provider
SentinelOne
Channel
Operational

Message

Agent Upgrade: BITS download job complete. Executing installation.

Job title: %1

GUID: %2

Destination: %3

Fields

Name | Description
BITSJobTitle
BITSJobGUID
DownloadDestinationPath

Event ID 62 — Agent Upgrade: BITS download job failed.

Provider
SentinelOne
Channel
Operational

Message

Agent Upgrade: BITS download job failed.

Error: %1 (%2)

Job title: %3

GUID: %4

Fields

Name | Description
ErrorMessage
ErrorCode
BITSJobTitle
BITSJobGUID

Event ID 63 — Agent Upgrade: BITS download job failed.

Provider
SentinelOne
Channel
Operational

Message

Agent Upgrade: BITS download job failed. Falling back to the classic downloader.

Error: %1 (%2)

Job title: %3

GUID: %4

Fields

Name | Description
ErrorMessage
ErrorCode
BITSJobTitle
BITSJobGUID

Event ID 64 — Agent Upgrade: BITS is unavailable.

Provider
SentinelOne
Channel
Operational

Message

Agent Upgrade: BITS is unavailable. Falling back to the classic downloader.

Event ID 65 — Agent handled the creation of process %1 (PID: %2).

Provider
SentinelOne
Channel
Operational

Message

Agent handled the creation of process %1 (PID: %2).

Fields

Name | Description
Name
PID
UID
GroupUID

Event ID 66 — DB pruning %1.

Provider
SentinelOne
Channel
Operational

Message

DB pruning %1.

Size before: %2

Size after: %3

New DB GUID: %4

Old DB path: %5

New DB path: %6

Fields

Name | Description
Result
SizeBefore
SizeAfter
NewGUID
OldPath
NewPath

Event ID 67 — Customer ID: %1.

Provider
SentinelOne
Channel
Operational

Message

Customer ID: %1

Fields

Name | Description
customerID

Event ID 68 — Mark as on True Context ID received from Deep Visibility

Provider
SentinelOne
Channel
Operational

Message

Mark as %2 on True Context ID %1 received from Deep Visibility

Fields

Name | Description
TrueContextID
Status

Event ID 69 — Failed to Mark True Context ID %1 as %2.

Provider
SentinelOne
Channel
Operational

Message

Failed to Mark True Context ID %1 as %2.

Error: True Context ID was not found on the Agent

Fields

Name | Description
TrueContextID
Status

Event ID 70 — Failed to Mark as: True Context ID.

Provider
SentinelOne
Channel
Operational

Message

Failed to Mark as %2: True Context ID %1.

Error: Already marked

Fields

Name | Description
TrueContextID
Status

Event ID 71 — True Context ID was changed from suspicious to threat

Provider
SentinelOne
Channel
Operational

Message

True Context ID %1 was changed from suspicious to threat

Fields

Name | Description
TrueContextID

Event ID 72 — Failed to Mark as: True Context ID.

Provider
SentinelOne
Channel
Operational

Message

Failed to Mark as %2: True Context ID %1.

Error: Marked as Exclusion

Fields

Name | Description
TrueContextID
Status

Event ID 73 — Failed to Mark as Suspicious True Context ID %1.

Provider
SentinelOne
Channel
Operational

Message

Failed to Mark as Suspicious True Context ID %1.

Error: Already marked as Threat

Fields

Name | Description
TrueContextID

Event ID 74 — Failed to Mark as True Context ID.

Provider
SentinelOne
Channel
Operational

Message

Failed to Mark as %2 True Context ID %1.

Error: Status is invalid

Fields

Name | Description
TrueContextID
Status

Event ID 75 — Agent handled the termination of process %1 (PID: %2).

Provider
SentinelOne
Channel
Operational

Message

Agent handled the termination of process %1 (PID: %2).

Fields

Name | Description
Name
PID
UID
GroupUID

Event ID 76 — Agent encountered invalid pattern: %1.

Provider
SentinelOne
Channel
Operational

Message

Agent encountered invalid pattern: %1.

Fields

Name | Description
Pattern

Event ID 77 — USB device was based on SentinelOne Device Control policy

Provider
SentinelOne
Channel
Operational

Message

USB device %1 was %2 based on SentinelOne Device Control policy



Class: %3

Interface: USB

Vendor ID: %4

Product ID: %5

Serial ID: %6

Device Name: %1

Fields

Name | Description
DeviceName
Action
UsbDeviceClass
VendorId
ProductId
SerialId

Event ID 78 — Bluetooth device was based on SentinelOne Device Control policy

Provider
SentinelOne
Channel
Operational

Message

Bluetooth device %1 was %2 based on SentinelOne Device Control policy



Class: %3

Minor Class: %4

Interface: Bluetooth

Vendor ID: %5

Product ID: %6

Manufacturer Name: %7

Bluetooth Address: %8

Device Name: %1

Bluetooth Version: %9

GATT Service: %10

Device Information: %11

Fields

Name | Description
DeviceName
Action
DeviceClass
DeviceMinorClass
VendorId
ProductId
ManufacturerName
BluetoothAddress
BluetoothVersion
GATTService
DeviceInformation

Event ID 79 — %1 device %2 was %3 based on SentinelOne Device Control policy %4.

Provider
SentinelOne
Channel
Operational

Message

%1 device %2 was %3 based on SentinelOne Device Control policy



%4

Fields

Name | Description
Interface
DeviceName
Action
Info

Event ID 80 — The agent encountered an error that is usually ignored, but shouldn't be ignored in automation: %1.

Provider
SentinelOne
Channel
Operational

Message

The agent encountered an error that is usually ignored, but shouldn't be ignored in automation: %1

Fields

Name | Description
Message

Event ID 81 — Scan ended.

Provider
SentinelOne
Channel
Operational

Message

Scan ended.

Scan start time: %1

Scan end time: %2

Scanned %3

Scan triggered by: %4

Total files scanned: %5

Malicious files count: %6

Excluded malicious files count: %7

Scan status: %8

Fields

Name | Description
ScanStartTime
ScanEndTime
ScannedPath
TriggerType
ScannedCount
MaliciousCount
ExcludedMaliciousCount
Status

Event ID 82 — BlueKeep exploitation attempt detected from: %1.

Provider
SentinelOne
Channel
Operational

Message

BlueKeep exploitation attempt detected from: %1

Fields

Name | Description
IP

Event ID 83 — Resizing the VSS diff area on %2 was blocked.

Provider
SentinelOne
Channel
Operational

Message

Resizing the VSS diff area on %2 was blocked.

The existing diff area has %3 used bytes and %4 allocated bytes.

The requested new diff area maximum was %5 bytes.

Fields

Name | Description
VolumeNameLength
VolumeName
OldDiffAreaUsed
OldDiffAreaAllocated
NewDiffAreaMaximum

Event ID 84 — Blocked %5 connection.

Provider
SentinelOne
Channel
Firewall

Message

Blocked %5 connection. Rule Id: %9 Rule Name: %10 PID: %3 Remote Address: %1:%2, FQDN: %8.

Application Name :%4.

Fields

Name | Description
RemoteAddress
Port
ProcessId
AppId
PacketDirection
FilterId
LayerId
Fqdn
RuleId
RuleName

Event ID 85 — Unable to handle configuration change, dropping the configuration

Provider
SentinelOne
Channel
Operational

Message

Unable to handle configuration change, dropping the configuration

Event ID 86 — UI storage reached maximum allowed file size

Provider
SentinelOne
Channel
Operational

Message

UI storage reached maximum allowed file size

Event ID 87 — UI storage read error %2 "%1".

Provider
SentinelOne
Channel
Operational

Message

UI storage read error %2 "%1"

Fields

Name | Description
ErrorMessage
ErrorCode

Event ID 88 — UI storage write error %2 "%1".

Provider
SentinelOne
Channel
Operational

Message

UI storage write error %2 "%1"

Fields

Name | Description
ErrorMessage
ErrorCode

Event ID 89 — UI storage is corrupted and will be deleted.

Provider
SentinelOne
Channel
Operational

Message

UI storage is corrupted and will be deleted.

Event ID 90 — Error deleting corrupted UI storage.

Provider
SentinelOne
Channel
Operational

Message

Error deleting corrupted UI storage.

Event ID 91 — Remote script orchestrator: script %1 execution completed.

Provider
SentinelOne
Channel
Operational

Message

Remote script orchestrator: script %1 execution completed. Start time: %2, duration: %3 milliseconds, exit status: %4.

Fields

Name | Description
ScriptName
StartTime
Duration
ExitCode

Event ID 92 — File was detected as a malicious driver when attempting to load it (Malicious Driver Type:)

Provider
SentinelOne
Channel
Operational

Message

File %1 was detected as a malicious driver when attempting to load it (Malicious Driver Type: %2)

Fields

Name | Description
FilePath
MaliciousDriverType

Event ID 93 — SentinelCTL command of type "%1" was executed - result was: %2.

Provider
SentinelOne
Channel
Operational

Message

SentinelCTL command of type "%1" was executed - result was: %2.

Fields

Name | Description
CommandType
Result

Event ID 94 — Anti-tampering was activated.

Provider
SentinelOne
Channel
Operational

Message

Anti-tampering was activated.

Event ID 95 — Anti-tampering was deactivated.

Provider
SentinelOne
Channel
Operational

Message

Anti-tampering was deactivated.

Event ID 96 — Agent upgrade was initiated.

Provider
SentinelOne
Channel
Operational

Message

Agent upgrade was initiated. (%1 -> %2)

Fields

Name | Description
OldVersion
NewVersion

Event ID 97 — Windows Agent is shutting down.

Provider
SentinelOne
Channel
Operational

Message

Windows Agent is shutting down.

Event ID 98 — Sentinel process has crashed.

Provider
SentinelOne
Channel
Operational

Message

Sentinel process has crashed. Dump file path: "%1".

Fields

Name | Description
DumpPath

Event ID 99 — Dump file was deleted, as dump limit of %1 was reached.

Provider
SentinelOne
Channel
Operational

Message

Dump file was deleted, as dump limit of %1 was reached. Dump file path: "%2".

Fields

Name | Description
DumpFileLimit
DumpPath

Event ID 100 — The agent has successfully connected to the SentinelOne console (%1).

Provider
SentinelOne
Channel
Operational

Message

The agent has successfully connected to the SentinelOne console (%1).

Fields

Name | Description
ConsoleURL

Event ID 101 — The agent received a command from console

Provider
SentinelOne
Channel
Operational

Message

The agent received a "%1" command from console

Fields

Name | Description
CommandType

Event ID 102 — Entering disable mode by command.

Provider
SentinelOne
Channel
Operational

Message

Entering disable mode by command.

Event ID 103 — Exiting disable mode.

Provider
SentinelOne
Channel
Operational

Message

Exiting disable mode.

Event ID 104 —

Provider
SentinelOne
Channel
Operational

Message

%1

Fields

Name | Description
CommSdkMessage