SentinelOne parser function version 1.0.1 fails #11677

Open
q0njg3m1 opened this issue Jan 17, 2025 · 7 comments

@q0njg3m1

Describe the bug
The SentinelOne parser function version 1.0.1 fails with the following error: "'extend' operator: Failed to resolve scalar expression named 'Data'".

@v-sudkharat
Contributor

Hi @q0njg3m1, thanks for flagging this issue. We will investigate it and get back to you with some updates. Thanks!

@v-sudkharat
Contributor

@q0njg3m1, could you please let us know which solution version you're using?

@q0njg3m1
Author

SentinelOne version 3.0.3. I just noticed that update 3.0.4 is available. I'll update it now and let you know if that fixes the issue. Thanks!

@q0njg3m1
Author

It fails to update from the existing 3.0.3 to 3.0.4 with the following error:
Deployment template validation failed: 'The resource 'Microsoft.OperationalInsights/workspaces/law_name_here/providers/Microsoft.SecurityInsights/metadata/DataConnector-SentinelOne' at line '2040' and column '9' is defined multiple times in a template. Please see https://aka.ms/arm-syntax-resources for usage details.'

@v-sudkharat
Contributor

@q0njg3m1, our team has fixed the issue with the 3.0.4 solution deployment; it will become available in the next few days, so just update the solution and then you can check the parser.
In the meantime, can you please share the SentinelOne logs with us at the mail ID below so we can check for the missing column? Based on the parser error, it looks like the data is missing, and because of that the parser could not get the required fields to run.
Mail ID - [email protected]
Thanks!

@q0njg3m1
Author

Hi @v-sudkharat,

I'll share some sample logs in a few minutes. As you'll see from the logs there is no column named "Data" in the SentinelOne_CL table. All the columns that start with the letters "D" or "d" are: DataFields_s (string), description_s (string), detectionState_s (string), domain_s (string). Also here is a screenshot:

Image

Thanks!
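As an added example (not part of the original thread and not the solution's own parser), the KQL pattern that keeps a custom-log parser from failing when a column such as `Data` is absent: `column_ifexists()` resolves to a default when the column is missing, so the `extend` succeeds instead of raising "Failed to resolve scalar expression named 'Data'". The table and column names are the ones reported in the thread; that DataFields_s carries JSON is an assumption of this example.

```kusto
// Schema check to run first (separately): confirm which columns the table
// actually carries before touching the parser.
//   SentinelOne_CL
//   | getschema
//   | where ColumnName startswith "D" or ColumnName startswith "d"
//   | project ColumnName, ColumnType
// In the thread this returned DataFields_s, description_s, detectionState_s
// and domain_s, and no column named "Data".

// Hypothetical tolerant parser fragment (not the solution's own parser).
let SentinelOneTolerant = () {
    SentinelOne_CL
    // column_ifexists() yields the column when present and the default
    // otherwise, so this extend resolves even though 'Data' does not exist.
    | extend Data = column_ifexists("Data", "")
    | extend DataFields = column_ifexists("DataFields_s", "")
    // Prefer 'Data' when it exists, otherwise fall back to DataFields_s.
    | extend RawPayload = iff(isnotempty(Data), Data, DataFields)
    // Assumption: the payload is JSON. Non-JSON input is returned as-is
    // inside a dynamic rather than aborting the query.
    | extend Payload = parse_json(RawPayload)
    | extend Description = column_ifexists("description_s", ""),
             DetectionState = column_ifexists("detectionState_s", ""),
             Domain = column_ifexists("domain_s", "")
    | project TimeGenerated, Description, DetectionState, Domain, RawPayload, Payload
};
// Surface rows with no payload at all, so a silent data gap shows up as a
// count in the results rather than as a parser failure.
SentinelOneTolerant()
| summarize MissingPayload = countif(isempty(RawPayload)), Total = count()
```

A non-zero MissingPayload alongside a working parser points at the ingestion side (the connector or DCR) rather than at the parser itself.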

@v-sudkharat
Contributor

@q0njg3m1, thanks for sharing it; we will check on it and get back to you.
