SEKOIA-IO · mchupeau-sk · May 21, 2026 · May 20, 2026
diff --git a/...perations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md b/...perations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md
@@ -3091,6 +3091,72 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 	```
 
 
+=== "test_device_events_was_remediated.json"
+
+    ```json
+
+    {
+        "message": "{\"time\": \"2026-04-22T08:55:20.0566356Z\", \"tenantId\": \"11111111-1111-1111-1111-111111111111\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceEvents\", \"_TimeReceivedBySvc\": \"2026-04-22T08:54:07.4544604Z\", \"properties\": {\"DeviceId\": \"abcdef0123456789abcdef0123456789abcdef01\", \"DeviceName\": \"workstation-01\", \"ReportId\": 1792872386, \"InitiatingProcessId\": 0, \"InitiatingProcessCreationTime\": null, \"InitiatingProcessCommandLine\": null, \"InitiatingProcessParentFileName\": null, \"InitiatingProcessParentId\": 0, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessSHA1\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessAccountName\": null, \"InitiatingProcessAccountDomain\": null, \"SHA1\": \"d476b323caa8be04324c59695c5a37acfa089851\", \"MD5\": \"8a3657a582ae4b798dff61233e589069\", \"FileName\": \"wwwroot.zip\", \"FolderPath\": \"D:\\\\Harp\", \"AccountName\": null, \"AccountDomain\": null, \"AdditionalFields\": \"{\\\"ThreatName\\\":\\\"Trojan:Win32/Casdet!rfn\\\",\\\"WasExecutingWhileDetected\\\":false,\\\"Action\\\":2,\\\"WasRemediated\\\":true,\\\"SignatureName\\\":\\\"Trojan:Win32/Casdet!rfn\\\",\\\"IsConcrete\\\":true,\\\"ReportSource\\\":\\\"WindowsDefender\\\"}\", \"InitiatingProcessAccountSid\": \"S-1-5-21-1111111111-2222222222-3333333333-1001\", \"AppGuardContainerId\": null, \"InitiatingProcessSHA256\": null, \"SHA256\": null, \"RemoteUrl\": null, \"ProcessCreationTime\": null, \"ProcessTokenElevation\": null, \"ActionType\": \"AntivirusDetection\", \"FileOriginUrl\": null, \"FileOriginIP\": null, \"InitiatingProcessLogonId\": null, \"AccountSid\": null, \"RemoteDeviceName\": null, \"RegistryKey\": null, \"RegistryValueName\": null, \"RegistryValueData\": null, \"LogonId\": null, \"LocalIP\": null, \"LocalPort\": null, \"RemoteIP\": null, \"RemotePort\": null, \"ProcessId\": null, \"ProcessCommandLine\": null, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"FileSize\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"CreatedProcessSessionId\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"InitiatingProcessUniqueId\": \"0\", \"Timestamp\": \"2026-04-22T08:53:50.6527771Z\", \"MachineGroup\": \"UnassignedGroup\"}, \"Tenant\": \"DefaultTenant\"}",
+        "event": {
+            "category": [
+                "host"
+            ],
+            "dataset": "device_events",
+            "type": [
+                "info"
+            ]
+        },
+        "@timestamp": "2026-04-22T08:53:50.652777Z",
+        "action": {
+            "name": "Publish",
+            "properties": {
+                "IsInitiatingProcessRemoteSession": "false",
+                "WasRemediated": true
+            },
+            "type": "AntivirusDetection"
+        },
+        "agent": {
+            "id": "abcdef0123456789abcdef0123456789abcdef01"
+        },
+        "file": {
+            "directory": "D:\\Harp",
+            "hash": {
+                "md5": "8a3657a582ae4b798dff61233e589069",
+                "sha1": "d476b323caa8be04324c59695c5a37acfa089851"
+            },
+            "name": "wwwroot.zip"
+        },
+        "host": {
+            "id": "abcdef0123456789abcdef0123456789abcdef01",
+            "name": "workstation-01"
+        },
+        "microsoft": {
+            "defender": {
+                "report": {
+                    "id": "1792872386"
+                }
+            }
+        },
+        "process": {
+            "parent": {
+                "pid": 0
+            },
+            "pid": 0,
+            "user": {
+                "id": "S-1-5-21-1111111111-2222222222-3333333333-1001"
+            }
+        },
+        "related": {
+            "hash": [
+                "8a3657a582ae4b798dff61233e589069",
+                "d476b323caa8be04324c59695c5a37acfa089851"
+            ]
+        }
+    }
+
+	```
+
+
 === "test_device_file_certificate_info.json"
 
     ```json
@@ -6785,6 +6851,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`action.properties.UserAgentTags` | `list` | More information provided by Microsoft Defender for Cloud Apps in a tag in the user agent field. Can have any of the following values: Native client, Outdated browser, Outdated operating system, Robot |
 |`action.properties.UserLevelAction` | `keyword` | Action taken on the email in response to matches to a mailbox policy defined by the recipient |
 |`action.properties.UserLevelPolicy` | `keyword` | End-user mailbox policy that triggered the action taken on the email |
+|`action.properties.WasRemediated` | `boolean` | Indicates whether the threat identified was remediated |
 |`agent.id` | `keyword` | Unique identifier of this agent. |
 |`agent.version` | `keyword` | Version of the agent. |
 |`client.geo.city_name` | `keyword` | City name. |

diff --git a/...ns_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md b/...ns_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md
@@ -2763,6 +2763,90 @@ In this section, you will find examples of raw logs as generated natively by the
 
 
 
+=== "test_device_events_was_remediated"
+
+
+    ```json
+	{
+        "time": "2026-04-22T08:55:20.0566356Z",
+        "tenantId": "11111111-1111-1111-1111-111111111111",
+        "operationName": "Publish",
+        "category": "AdvancedHunting-DeviceEvents",
+        "_TimeReceivedBySvc": "2026-04-22T08:54:07.4544604Z",
+        "properties": {
+            "DeviceId": "abcdef0123456789abcdef0123456789abcdef01",
+            "DeviceName": "workstation-01",
+            "ReportId": 1792872386,
+            "InitiatingProcessId": 0,
+            "InitiatingProcessCreationTime": null,
+            "InitiatingProcessCommandLine": null,
+            "InitiatingProcessParentFileName": null,
+            "InitiatingProcessParentId": 0,
+            "InitiatingProcessParentCreationTime": null,
+            "InitiatingProcessSHA1": null,
+            "InitiatingProcessMD5": null,
+            "InitiatingProcessFileName": "",
+            "InitiatingProcessFolderPath": null,
+            "InitiatingProcessAccountName": null,
+            "InitiatingProcessAccountDomain": null,
+            "SHA1": "d476b323caa8be04324c59695c5a37acfa089851",
+            "MD5": "8a3657a582ae4b798dff61233e589069",
+            "FileName": "wwwroot.zip",
+            "FolderPath": "D:\\Harp",
+            "AccountName": null,
+            "AccountDomain": null,
+            "AdditionalFields": "{\"ThreatName\":\"Trojan:Win32/Casdet!rfn\",\"WasExecutingWhileDetected\":false,\"Action\":2,\"WasRemediated\":true,\"SignatureName\":\"Trojan:Win32/Casdet!rfn\",\"IsConcrete\":true,\"ReportSource\":\"WindowsDefender\"}",
+            "InitiatingProcessAccountSid": "S-1-5-21-1111111111-2222222222-3333333333-1001",
+            "AppGuardContainerId": null,
+            "InitiatingProcessSHA256": null,
+            "SHA256": null,
+            "RemoteUrl": null,
+            "ProcessCreationTime": null,
+            "ProcessTokenElevation": null,
+            "ActionType": "AntivirusDetection",
+            "FileOriginUrl": null,
+            "FileOriginIP": null,
+            "InitiatingProcessLogonId": null,
+            "AccountSid": null,
+            "RemoteDeviceName": null,
+            "RegistryKey": null,
+            "RegistryValueName": null,
+            "RegistryValueData": null,
+            "LogonId": null,
+            "LocalIP": null,
+            "LocalPort": null,
+            "RemoteIP": null,
+            "RemotePort": null,
+            "ProcessId": null,
+            "ProcessCommandLine": null,
+            "InitiatingProcessAccountUpn": null,
+            "InitiatingProcessAccountObjectId": null,
+            "FileSize": null,
+            "InitiatingProcessFileSize": null,
+            "InitiatingProcessVersionInfoCompanyName": null,
+            "InitiatingProcessVersionInfoProductName": null,
+            "InitiatingProcessVersionInfoProductVersion": null,
+            "InitiatingProcessVersionInfoInternalFileName": null,
+            "InitiatingProcessVersionInfoOriginalFileName": null,
+            "InitiatingProcessVersionInfoFileDescription": null,
+            "InitiatingProcessSessionId": null,
+            "IsInitiatingProcessRemoteSession": false,
+            "InitiatingProcessRemoteSessionDeviceName": null,
+            "InitiatingProcessRemoteSessionIP": null,
+            "CreatedProcessSessionId": null,
+            "IsProcessRemoteSession": false,
+            "ProcessRemoteSessionDeviceName": null,
+            "ProcessRemoteSessionIP": null,
+            "InitiatingProcessUniqueId": "0",
+            "Timestamp": "2026-04-22T08:53:50.6527771Z",
+            "MachineGroup": "UnassignedGroup"
+        },
+        "Tenant": "DefaultTenant"
+    }
+    ```
+
+
+
 === "test_device_file_certificate_info"
 
 

diff --git a/...perations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md b/...perations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md
@@ -365,6 +365,165 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 	```
 
 
+=== "activity-type-2012.json"
+
+    ```json
+
+    {
+        "message": "{\"accountId\": \"1111111111111111111\", \"activityType\": 2012, \"agentId\": \"2222222222222222222\", \"createdAt\": \"2026-03-25T13:56:08.271507Z\", \"data\": {\"accountName\": \"ACCOUNT\", \"computerName\": \"EXAMPLE\", \"externalServiceId\": \"app-name\", \"fileContentHash\": \"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\", \"fileDisplayName\": \"virus.exe\", \"filePath\": \"\\\\Device\\\\HarddiskVolume3\\\\Program Files\\\\WindowsApps\\\\virus.exe\", \"fullScopeDetails\": \"Group WORKSTATION P/P in Site SITENAME of Account ACCOUNT\", \"fullScopeDetailsPath\": \"Global / ACCOUNT / SITENAME/ WORKSTATION P/P\", \"groupName\": \"WORKSTATION P/P\", \"ipAddress\": null, \"isAlert\": false, \"newStatus\": null, \"originalStatus\": \"mitigated\", \"realUser\": null, \"siteName\": \"SITENAME\", \"sourceType\": \"API\", \"threatClassification\": \"Malware\", \"threatClassificationSource\": \"Static\", \"username\": \"MDR (johndoe@example.com)\"}, \"groupId\": \"3333333333333333333\", \"id\": \"5555555555555555555\", \"primaryDescription\": \"The management user MDR (johndoe@example.com) issued a remediate command to threat virus.exe on agent EXAMPLE.\", \"secondaryDescription\": \"\\\\Device\\\\HarddiskVolume3\\\\Program Files\\\\WindowsApps\\\\virus.exe\", \"siteId\": \"6666666666666666666\", \"threatId\": \"7777777777777777777\", \"updatedAt\": \"2026-03-25T13:56:08.271509Z\", \"userId\": \"4444444444444444444\"}",
+        "event": {
+            "action": "User Issued Remediate Command",
+            "category": [
+                "intrusion_detection"
+            ],
+            "reason": "The management user MDR (johndoe@example.com) issued a remediate command to threat virus.exe on agent EXAMPLE.",
+            "type": [
+                "info"
+            ]
+        },
+        "@timestamp": "2026-03-25T13:56:08.271507Z",
+        "action": {
+            "type": "2012"
+        },
+        "agent": {
+            "id": "2222222222222222222"
+        },
+        "file": {
+            "hash": {
+                "sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc"
+            },
+            "name": "virus.exe",
+            "path": "\\Device\\HarddiskVolume3\\Program Files\\WindowsApps\\virus.exe"
+        },
+        "group": {
+            "id": "3333333333333333333"
+        },
+        "host": {
+            "name": "EXAMPLE"
+        },
+        "organization": {
+            "id": "1111111111111111111"
+        },
+        "related": {
+            "hash": [
+                "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc"
+            ],
+            "user": [
+                "MDR (johndoe@example.com)"
+            ]
+        },
+        "sentinelone": {
+            "createdAt": "2026-03-25T13:56:08.271507Z",
+            "data": {
+                "accountName": "ACCOUNT",
+                "computerName": "EXAMPLE",
+                "externalServiceId": "app-name",
+                "fileDisplayName": "virus.exe",
+                "fullScopeDetails": "Group WORKSTATION P/P in Site SITENAME of Account ACCOUNT",
+                "fullScopeDetailsPath": "Global / ACCOUNT / SITENAME/ WORKSTATION P/P",
+                "groupName": "WORKSTATION P/P",
+                "originalStatus": "mitigated",
+                "siteName": "SITENAME",
+                "threatClassification": "Malware",
+                "threatClassificationSource": "Static"
+            },
+            "eventid": 5555555555555555555,
+            "secondaryDescription": "\\Device\\HarddiskVolume3\\Program Files\\WindowsApps\\virus.exe",
+            "siteId": 6666666666666666666,
+            "threatId": "7777777777777777777",
+            "updatedAt": "2026-03-25T13:56:08.271509Z"
+        },
+        "threat": {
+            "software": {
+                "type": "Malware"
+            }
+        },
+        "user": {
+            "id": "4444444444444444444",
+            "name": "MDR (johndoe@example.com)"
+        }
+    }
+
+	```
+
+
+=== "activity-type-2030.json"
+
+    ```json
+
+    {
+        "message": "{\"accountId\": \"1111111111111111111\", \"activityType\": 2030, \"agentId\": \"2222222222222222222\", \"createdAt\": \"2026-03-25T13:56:05.063212Z\", \"data\": {\"accountName\": \"ACCOUNT\", \"computerName\": \"EXAMPLE\", \"escapedMaliciousProcessArguments\": \"\\\"\\\\\\\"H:\\\\\\\\Archive\\\\\\\\Photos\\\\\\\\1.png\\\\\\\"\\\"\", \"externalServiceId\": \"app-name\", \"fileDisplayName\": \"virus.exe\", \"filePath\": \"\\\\Device\\\\HarddiskVolume3\\\\Program Files\\\\WindowsApps\\\\virus.exe\", \"fullScopeDetails\": \"Group WORKSTATION P/P in Site SITENAME of Account ACCOUNT\", \"fullScopeDetailsPath\": \"Global / ACCOUNT / SITENAME / WORKSTATION P/P\", \"groupName\": \"WORKSTATION P/P\", \"ipAddress\": null, \"newAnalystVerdict\": \"true_positive\", \"newAnalystVerdictTitle\": \"True positive\", \"oldAnalystVerdict\": \"undefined\", \"oldAnalystVerdictTitle\": \"Undefined\", \"realUser\": null, \"siteName\": \"SITENAME\", \"sourceType\": \"API\", \"threatClassification\": \"Malware\", \"threatClassificationSource\": \"Static\", \"username\": \"MDR (johndoe@example.com)\"}, \"groupId\": \"3333333333333333333\", \"id\": \"5555555555555555555\", \"primaryDescription\": \"The management user MDR (johndoe@example.com) changed the analyst verdict for virus.exe from Undefined to True positive.\", \"siteId\": \"6666666666666666666\", \"threatId\": \"7777777777777777777\", \"updatedAt\": \"2026-03-25T13:56:05.063214Z\", \"userId\": \"4444444444444444444\"}",
+        "event": {
+            "action": "Analyst Verdict Changes",
+            "category": [
+                "intrusion_detection"
+            ],
+            "reason": "The management user MDR (johndoe@example.com) changed the analyst verdict for virus.exe from Undefined to True positive.",
+            "type": [
+                "info"
+            ]
+        },
+        "@timestamp": "2026-03-25T13:56:05.063212Z",
+        "action": {
+            "type": "2030"
+        },
+        "agent": {
+            "id": "2222222222222222222"
+        },
+        "file": {
+            "name": "virus.exe",
+            "path": "\\Device\\HarddiskVolume3\\Program Files\\WindowsApps\\virus.exe"
+        },
+        "group": {
+            "id": "3333333333333333333"
+        },
+        "host": {
+            "name": "EXAMPLE"
+        },
+        "organization": {
+            "id": "1111111111111111111"
+        },
+        "related": {
+            "user": [
+                "MDR (johndoe@example.com)"
+            ]
+        },
+        "sentinelone": {
+            "createdAt": "2026-03-25T13:56:05.063212Z",
+            "data": {
+                "accountName": "ACCOUNT",
+                "computerName": "EXAMPLE",
+                "escapedMaliciousProcessArguments": "\"\\\"H:\\\\Archive\\\\Photos\\\\1.png\\\"\"",
+                "externalServiceId": "app-name",
+                "fileDisplayName": "virus.exe",
+                "fullScopeDetails": "Group WORKSTATION P/P in Site SITENAME of Account ACCOUNT",
+                "fullScopeDetailsPath": "Global / ACCOUNT / SITENAME / WORKSTATION P/P",
+                "groupName": "WORKSTATION P/P",
+                "newAnalystVerdict": "true_positive",
+                "oldAnalystVerdict": "undefined",
+                "siteName": "SITENAME",
+                "threatClassification": "Malware",
+                "threatClassificationSource": "Static"
+            },
+            "eventid": 5555555555555555555,
+            "siteId": 6666666666666666666,
+            "threatId": "7777777777777777777",
+            "updatedAt": "2026-03-25T13:56:05.063214Z"
+        },
+        "threat": {
+            "software": {
+                "type": "Malware"
+            }
+        },
+        "user": {
+            "id": "4444444444444444444",
+            "name": "MDR (johndoe@example.com)"
+        }
+    }
+
+	```
+
+
 === "activity-type-25.json"
 
     ```json
@@ -3957,6 +4116,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`sentinelone.data.exclusionType` | `keyword` |  |
 |`sentinelone.data.expiration` | `keyword` |  |
 |`sentinelone.data.externalIp` | `keyword` |  |
+|`sentinelone.data.externalServiceId` | `keyword` |  |
 |`sentinelone.data.externalip` | `keyword` |  |
 |`sentinelone.data.fileDisplayName` | `keyword` |  |
 |`sentinelone.data.fullScopeDetails` | `keyword` |  |
@@ -4002,10 +4162,12 @@ The following table lists the fields that are extracted, normalized under the EC
 |`sentinelone.data.modulepath` | `keyword` |  |
 |`sentinelone.data.modulesha1` | `keyword` |  |
 |`sentinelone.data.neteventdirection` | `keyword` |  |
+|`sentinelone.data.newAnalystVerdict` | `keyword` |  |
 |`sentinelone.data.newGroupId` | `keyword` |  |
 |`sentinelone.data.newGroupName` | `keyword` |  |
 |`sentinelone.data.newStatus` | `keyword` |  |
 |`sentinelone.data.numberOfEvents` | `int` |  |
+|`sentinelone.data.oldAnalystVerdict` | `keyword` |  |
 |`sentinelone.data.oldGroupId` | `keyword` |  |
 |`sentinelone.data.oldGroupName` | `keyword` |  |
 |`sentinelone.data.order` | `long` |  |