Good morning, I'm having difficulty creating a parser for Google SecOps. I'm trying to create one so that it can understand the CEF-type logs for SentinelOne platform alerts; however, the platform's native parser only produces "GENERIC EVENTS". Can anyone help me with this?
Example:
<11>2026-03-19 15:44:38,623 sentinel - CEF:0|SentinelOne|Mgmt|S-26.1.2#54|2031|Kill pending to reboot|1|fileHash=b8082b235c59d8107521a107b86333cjc438f26e filePath=\Device\HarddiskVolume3\Users\amanda.venancio\Downloads\DiagnosticoBB.exe osName=Windows 11 Pro ip=187.57.19.222 cat=SystemEvent suser=DAGSOL-CP-NOT01 rt=#arcsightDate(Thu, 19 Mar 2026, 15:42:30 UTC) activityID=2438619939868258346 activityType=2031 siteId=1680549457304650281 siteName=CNF Geral accountId=1680549539123612181 accountName=CNF notificationScope=SITE
UDM OUTPUT:
metadata.event_timestamp: "2026-03-23T12:43:14Z"
metadata.event_type: "GENERIC_EVENT"
metadata.vendor_name: "SentinelOne"
metadata.product_name: "Singularity XDR"
metadata.product_event_type: "Threats"
metadata.log_type: "SENTINELONE_ALERT"
security_result[0].alert_state: "ALERTING"
I tried using AI (NL Parser Extension) but it always gives an error.
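As an added example (not part of the original post, and not Google SecOps or SentinelOne code), the following Python splits a line like the one above into its syslog prefix, the seven CEF header fields and the key=value extension, without breaking values that contain spaces (osName=Windows 11 Pro, siteName=CNF Geral, the rt= date). It goes slightly beyond the post by also accepting the epoch-milliseconds form of rt that the CEF specification defines. The sample line is the post's own, with notificationScope assumed to be SITE (it was fused with the output label in the post); the to_udm_metadata mapping is an illustrative assumption of which UDM metadata fields the header would feed, not the SecOps parser's own logic.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the CEF line from the post. notificationScope is assumed to be "SITE".
SAMPLE = (
    "<11>2026-03-19 15:44:38,623 sentinel - CEF:0|SentinelOne|Mgmt|S-26.1.2#54|2031|"
    "Kill pending to reboot|1|fileHash=b8082b235c59d8107521a107b86333cjc438f26e "
    r"filePath=\Device\HarddiskVolume3\Users\amanda.venancio\Downloads\DiagnosticoBB.exe "
    "osName=Windows 11 Pro ip=187.57.19.222 cat=SystemEvent suser=DAGSOL-CP-NOT01 "
    "rt=#arcsightDate(Thu, 19 Mar 2026, 15:42:30 UTC) activityID=2438619939868258346 "
    "activityType=2031 siteId=1680549457304650281 siteName=CNF Geral "
    "accountId=1680549539123612181 accountName=CNF notificationScope=SITE"
)

HEADER_FIELDS = ["cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]

# A '|' that is not preceded by a backslash ends a header field (CEF escapes '|' as '\|').
_HEADER_SEP = re.compile(r"(?<!\\)\|")
# Extension keys are attached to the preceding whitespace: split only where "key=" follows,
# so values containing spaces ("Windows 11 Pro") stay intact.
_EXT_SEP = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")
_ARCSIGHT_DATE = re.compile(r"^#arcsightDate\((.+)\)$")


def _unescape(value: str) -> str:
    # CEF escapes '=' and '\' inside extension values as '\=' and '\\'.
    return re.sub(r"\\([=\\])", r"\1", value)


def parse_cef(line: str) -> dict:
    """Return {'syslog': {...}, 'header': {...}, 'extension': {...}} for one CEF line."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF line")
    prefix, payload = line[:idx], line[idx:]

    # Syslog PRI (<11> = facility 1, severity 3) plus whatever the relay put before CEF:.
    syslog = {"priority": None, "facility": None, "severity": None, "raw_prefix": prefix.strip()}
    m = re.match(r"^<(\d+)>", prefix)
    if m:
        pri = int(m.group(1))
        syslog.update(priority=pri, facility=pri >> 3, severity=pri & 7)

    # Seven header fields, then everything else is the extension.
    parts = _HEADER_SEP.split(payload, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 '|'-separated fields")
    header = dict(zip(HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    header["cef_version"] = header["cef_version"][len("CEF:"):]

    extension = {}
    for item in _EXT_SEP.split(parts[7].strip()):
        key, _, value = item.partition("=")
        extension[key] = _unescape(value)
    return {"syslog": syslog, "header": header, "extension": extension}


def parse_rt(value: str):
    """Turn the CEF 'rt' field into an aware UTC datetime, or None if unrecognised."""
    m = _ARCSIGHT_DATE.match(value)
    if m:  # the "#arcsightDate(Thu, 19 Mar 2026, 15:42:30 UTC)" form seen in the post
        dt = datetime.strptime(m.group(1), "%a, %d %b %Y, %H:%M:%S %Z")
        return dt.replace(tzinfo=timezone.utc)
    if value.isdigit():  # epoch milliseconds, the form the CEF specification defines for rt
        return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)
    return None


def to_udm_metadata(parsed: dict) -> dict:
    """Illustrative (assumed) mapping of the CEF header onto UDM metadata fields."""
    h, ext = parsed["header"], parsed["extension"]
    ts = parse_rt(ext.get("rt", ""))
    return {
        "metadata.event_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ") if ts else None,
        "metadata.vendor_name": h["device_vendor"],
        "metadata.product_name": h["device_product"],
        "metadata.product_version": h["device_version"],
        "metadata.product_event_type": h["name"],
    }


if __name__ == "__main__":
    parsed = parse_cef(SAMPLE)
    for section, fields in parsed.items():
        print(section, fields)
    print(to_udm_metadata(parsed))
```

The part that usually goes wrong in a hand-written grok/kv pattern is the extension split: splitting on every space turns "Windows 11 Pro" into three fragments and loses the rt date, which is exactly the kind of failure that leaves an event as GENERIC_EVENT with the vendor timestamp missing. Splitting only at whitespace followed by key= keeps each value whole, and the timestamp is then converted explicitly rather than left as the raw #arcsightDate(...) string.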