## SentinelOne Schema

### S1Account

Represents a SentinelOne account, which is the top-level organizational unit for managing SentinelOne resources.

For site-scoped MSSP deployments where the API token cannot enumerate
`/web/api/v2.1/accounts`, Cartography synthesizes `S1Account` nodes from the
parent account metadata returned by `/web/api/v2.1/sites`.

> **Ontology Mapping**: This node has the extra label `Tenant` to enable cross-platform queries for tenant accounts across different systems (e.g., OktaOrganization, AWSAccount).

| Field | Description |
|-------|-------------|
| firstseen | Timestamp of when a sync job first discovered this node |
| lastupdated | Timestamp of the last time the node was updated |
| **id** | The unique identifier for the SentinelOne account. |
| **name** | The name of the SentinelOne account |
| account_type | The type of account (e.g., Trial, Paid) |
| active_agents | Number of active agents in the account |
| created_at | ISO 8601 timestamp of when the account was created |
| expiration | ISO 8601 timestamp of when the account expires |
| number_of_sites | Number of sites configured in the account |
| state | Current state of the account (e.g., Active, Deleted, Expired) |

#### Relationships

- A S1Account contains S1Agents.

    ```
    (S1Account)-[RESOURCE]->(S1Agent)
    ```

- A S1Account contains S1Applications.

    ```
    (S1Account)-[RESOURCE]->(S1Application)
    ```

- A S1Account contains S1ApplicationVersions.

    ```
    (S1Account)-[RESOURCE]->(S1ApplicationVersion)
    ```

- A S1Account has security risks through S1AppFindings.

    ```
    (S1Account)-[RESOURCE]->(S1AppFinding)
    ```

### S1Agent

Represents a SentinelOne agent installed on an endpoint device.

> **Ontology Mapping**: This node participates in the `Device` ontology through
> serial-number correlation, with hostname fallback when hostnames are unique,
> allowing cross-platform queries against endpoint devices observed in
> SentinelOne.

| Field | Description |
|-------|-------------|
| firstseen | Timestamp of when a sync job first discovered this node |
| lastupdated | Timestamp of the last time the node was updated |
| **id** | The unique identifier for the SentinelOne agent |
| **uuid** | The UUID of the agent |
| **computer_name** | The name of the computer where the agent is installed |
| **serial_number** | The serial number of the endpoint device |
| public_ip | The public IP address reported by SentinelOne for the endpoint device |
| local_ips | Local IPv4 addresses reported by SentinelOne network interfaces for the endpoint device |
| firewall_enabled | Boolean indicating if the firewall is enabled |
| os_name | The name of the operating system |
| os_revision | The operating system revision/version |
| domain | The domain the computer belongs to |
| last_active | ISO 8601 timestamp of when the agent was last active |
| last_successful_scan | ISO 8601 timestamp of the last successful scan |
| scan_status | Status of the last scan |

#### Relationships

- A S1Agent belongs to a S1Account.

    ```
    (S1Agent)<-[RESOURCE]-(S1Account)
    ```

- A S1Agent has installed S1ApplicationVersions.

    ```
    (S1Agent)-[HAS_INSTALLED]->(S1ApplicationVersion)
    ```

- A S1Agent is affected by S1AppFindings.

    ```
    (S1Agent)<-[AFFECTS]-(S1AppFinding)
    ```

- A S1Agent can be observed as an ontology Device.

    ```
    (Device)-[OBSERVED_AS]->(S1Agent)
    ```

### S1Application

Represents an application managed by SentinelOne.

| Field | Description |
|-------|-------------|
| firstseen | Timestamp of when a sync job first discovered this node |
| lastupdated | Timestamp of the last time the node was updated |
| **id** | The unique identifier for the application (normalized vendor:name) |
| **name** | The name of the application |
| **vendor** | The vendor of the application |

#### Relationships

- A S1Application belongs to a S1Account.

    ```
    (S1Application)<-[RESOURCE]-(S1Account)
    ```

- A S1Application has S1ApplicationVersions.

    ```
    (S1Application)-[VERSION]->(S1ApplicationVersion)
    ```

### S1ApplicationVersion

Represents a specific version of an application.

| Field | Description |
|-------|-------------|
| firstseen | Timestamp of when a sync job first discovered this node |
| lastupdated | Timestamp of the last time the node was updated |
| **id** | The unique identifier for the application version (normalized vendor:name:version) |
| **version** | The version string |
| application_name | The name of the application |
| application_vendor | The vendor of the application |

#### Relationships

- A S1ApplicationVersion belongs to a S1Account.

    ```
    (S1ApplicationVersion)<-[RESOURCE]-(S1Account)
    ```

- A S1ApplicationVersion is installed on S1Agents.

    ```
    (S1Agent)-[HAS_INSTALLED]->(S1ApplicationVersion)
    ```

    The HAS_INSTALLED relationship includes additional properties:

    | Property | Description |
    |----------|-------------|
    | installeddatetime | ISO 8601 timestamp of when the application was installed |
    | installationpath | The file system path where the application is installed |

- A S1ApplicationVersion belongs to a S1Application.

    ```
    (S1Application)-[VERSION]->(S1ApplicationVersion)
    ```

- A S1ApplicationVersion is affected by S1AppFindings.

    ```
    (S1AppFinding)-[AFFECTS]->(S1ApplicationVersion)
    ```

### S1AppFinding::S1Finding::Risk::CVE

Represents a specific **instance** of a vulnerability detection (finding) on a specific endpoint. Unlike generic CVE definitions, each `S1AppFinding` node represents a unique finding on a specific agent. It carries the `:CVE` ontology label (it is keyed on a `cve_id`), so it participates in cross-tool vulnerability queries.

| Field | Description |
|-------|-------------|
| firstseen | Timestamp of when a sync job first discovered this node |
| lastupdated | Timestamp of the last time the node was updated |
| **id** | The unique identifier for the specific finding instance (API ID) |
| **cve_id** | The CVE identifier (e.g., CVE-2023-12345) |
| risk_score | Risk score |
| report_confidence | Confidence level of the report |
| days_detected | Number of days since detection |
| detection_date | ISO 8601 timestamp of detection (e.g. 2018-02-27T04:49:26.257525Z) |
| last_scan_date | ISO 8601 timestamp of last scan (e.g. 2018-02-27T04:49:26.257525Z) |
| last_scan_result | Result of the last scan |
| status | Status of the finding (e.g., Active) |
| mitigation_status | Status of mitigation |
| mitigation_status_reason | Reason for mitigation status |
| mitigation_status_changed_by | User who changed mitigation status |
| mitigation_status_change_time | Time of mitigation status change |
| marked_by | User who marked the finding |
| marked_date | Date when finding was marked |
| mark_type_description | Description of mark type |
| reason | Reason for the finding |
| remediation_level | Remediation level of the finding |

#### Relationships

- A S1AppFinding belongs to a S1Account (scoped cleanup).

    ```
    (S1Account)-[RESOURCE]->(S1AppFinding)
    ```

- A S1AppFinding affects a specific S1Agent (the endpoint where it was found).

    ```
    (S1AppFinding)-[AFFECTS]->(S1Agent)
    ```

- A S1AppFinding affects a specific S1ApplicationVersion (the vulnerable software).

    ```
    (S1AppFinding)-[AFFECTS]->(S1ApplicationVersion)
    ```

- A S1AppFinding is linked to a generic CVE definition.

    ```
    (S1AppFinding)-[LINKED_TO]->(CVE)
    ```
