What Changed
The SentinelOne solution (v3.1.0) ships a new SentinelOne V2 (via Codeless Connector Framework) data connector targeting the SentinelOne GraphQL UAM Alerts API. The legacy connectors (Azure Function and original CCF) poll REST endpoints for alerts and threats, which do NOT expose UAM detections.
This PR also ships an additive fix to createCCPConnector.ps1 correcting a bug where solutions with more than one CCF connector only emitted the primary table into each templateSpec, leaving additional tables missing at connect-time and causing InvalidPayload / InvalidOutputTable errors.
Data Source
The V2 connector ingests five data types:
| Data type | Source API | Log Analytics table |
|---|---|---|
| Activities | GET /web/api/v2.1/activities (REST) | SentinelOneActivities_CL |
| Agents | GET /web/api/v2.1/agents (REST) | SentinelOneAgents_CL |
| Groups | GET /web/api/v2.1/groups (REST) | SentinelOneGroups_CL |
| Threats | GET /web/api/v2.1/threats (REST) | SentinelOneThreats_CL |
| UAM Alerts | POST /web/api/v2.1/unifiedalerts/graphql (GraphQL) | SentinelOneAlertsV2_CL |
The SentinelOneAlertsV2_CL table exposes new columns: AlertId, AlertName, DetectedAt, Severity, AnalystVerdict, StorylineId, AttackSurfaces, ConfidenceLevel, Classification, Product, Vendor, AssigneeName, AssigneeEmail, Assets, DataSources.
Security Impact (Visibility and Fidelity)
Detection gap: Deployments running only the legacy SentinelOne connector have never ingested UAM alerts. SentinelOne Wayfinder threat-hunting detections, cloud alerts, identity alerts, STAR rules, and third-party alert integrations are surfaced exclusively via the GraphQL UAM endpoint and are completely absent from any Sentinel workspace without V2.
Parser update: SentinelOne.yaml (v1.0.2) now unions SentinelOne_view and a new SentinelOneAlertsV2_view. V1 mapping is untouched. Existing Analytic Rules, Hunting Queries, workbooks, and custom detections referencing the SentinelOne parser function continue to work unmodified. UAM alerts are an isolated branch; queries opt in via SentinelOne where isnotempty(AlertName).
Two parser guards handle V1/V2 schema differences: column_ifexists(AlertInfo, empty-string) replaces bare AlertInfo references, preventing errors when V2 rows pass through the V1 branch.
Packaging fix: The createCCPConnector.ps1 fix activates only for multi-connector solutions. Single-connector solutions are byte-identical to baseline.
Ingestion Mechanism
Pure CCF/DCR-based ingestion with no Azure Function to deploy or maintain. Authentication via SentinelOne API token (Service User). Supports multiple instances for MSSP scenarios.
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/SentinelOneAlertsV2_CL.json
Solutions/SentinelOne/Data Connectors/README.md
Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/SentinelOneV2_ConnectorDefinition.json
Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/SentinelOneV2_DCR.json
Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/SentinelOneV2_PollerConfig.json
Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/table_SentinelOneActivities.json
Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/table_SentinelOneAgents.json
Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/table_SentinelOneAlertsV2.json
Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/table_SentinelOneGroups.json
Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/table_SentinelOneThreats.json
Solutions/SentinelOne/Parsers/SentinelOne.yaml
Tools/Create-Azure-Sentinel-Solution/common/createCCPConnector.ps1
(packaging artefacts: 3.1.0.zip, ReleaseNotes.md, Solution_SentinelOne.json, createUiDefinition.json, mainTemplate.json)