diff --git a/packages/sentinel_one/changelog.yml b/packages/sentinel_one/changelog.yml index 6d696ba54ff..b19508f94a0 100644 --- a/packages/sentinel_one/changelog.yml +++ b/packages/sentinel_one/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.0.1" + changes: + - description: Split domain-qualified `user.name` values into `user.domain`. + type: bugfix + link: https://github.com/elastic/integrations/pull/16728 - version: "2.0.0" changes: - description: | diff --git a/packages/sentinel_one/data_stream/agent/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/data_stream/agent/elasticsearch/ingest_pipeline/default.yml index be9d961eae3..a694d653a9f 100644 --- a/packages/sentinel_one/data_stream/agent/elasticsearch/ingest_pipeline/default.yml +++ b/packages/sentinel_one/data_stream/agent/elasticsearch/ingest_pipeline/default.yml @@ -664,6 +664,11 @@ processors: field: json.osUsername target_field: user.name ignore_missing: true + - dissect: + field: user.name + pattern: '%{user.domain}\%{user.name}' + if: ctx.user?.name?.contains('\\') == true + description: "Split user and domain" - append: field: related.user value: '{{{user.name}}}' diff --git a/packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml index 67c2846f93d..48177287144 100644 --- a/packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml +++ b/packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml @@ -265,6 +265,11 @@ processors: field: json.alertInfo.loginsUserName target_field: user.name ignore_missing: true + - dissect: + field: user.name + pattern: '%{user.domain}\%{user.name}' + if: ctx.user?.name?.contains('\\') == true + description: "Split user and domain" - append: field: related.user value: '{{{user.name}}}' 
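Review bot: In the agent pipeline hunk the new dissect runs before the `append` to `related.user`, so `related.user` now receives only the bare `user.name` and the domain-qualified value (`DOMAIN\user`) that it held before this change is no longer searchable there; the alert pipeline hunk has the same ordering. Either append the original value before the split or add a second `append` of `'{{{user.domain}}}'` so the domain stays in `related.user`, and mention the changed `related.user` content in the changelog entry. The dissect also has no `ignore_failure`, so a value such as `\user` or `DOMAIN\` that the pattern cannot match would reject the whole document rather than just skipping the split; `ignore_failure: true` together with a `tag` keeps the event and still surfaces the failure. The `if` condition only tests for a backslash, so any value containing one is split at its first occurrence — I would state that assumption in the `description` rather than the generic "Split user and domain".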
diff --git a/packages/sentinel_one/data_stream/threat/_dev/test/pipeline/test-pipeline-threat.log b/packages/sentinel_one/data_stream/threat/_dev/test/pipeline/test-pipeline-threat.log index 63923383d1d..74173708e80 100644 --- a/packages/sentinel_one/data_stream/threat/_dev/test/pipeline/test-pipeline-threat.log +++ b/packages/sentinel_one/data_stream/threat/_dev/test/pipeline/test-pipeline-threat.log 
@@ -3,5 +3,5 @@ {"agentDetectionInfo":{"accountId":"1234567890123456789","accountName":"Default","agentDetectionState":null,"agentDomain":"WORKGROUP","agentIpV4":"10.0.0.1","agentIpV6":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","agentLastLoggedInUpn":null,"agentLastLoggedInUserMail":null,"agentLastLoggedInUserName":"","agentMitigationMode":"detect","agentOsName":"linux","agentOsRevision":"1234","agentRegisteredAt":"2022-04-06T08:26:45.515278Z","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x","cloudProviders":{},"externalIp":"81.2.69.143","groupId":"1234567890123456789","groupName":"Default Group","siteId":"1234567890123456789","siteName":"Default site"},"agentRealtimeInfo":{"accountId":"1234567890123456789","accountName":"Default","activeThreats":7,"agentComputerName":"test-LINUX","agentDecommissionedAt":null,"agentDomain":"WORKGROUP","agentId":"1234567890123456789","agentInfected":true,"agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"server","agentMitigationMode":"detect","agentNetworkStatus":"connected","agentOsName":"linux","agentOsRevision":"1234","agentOsType":"linux","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x.1234","groupId":"1234567890123456789","groupName":"Default Group","networkInterfaces":[{"id":"1234567890123456789","inet":["10.0.0.1"],"inet6":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"],"name":"Ethernet","physical":"00-00-5E-00-53-00"}],"operationalState":"na","rebootRequired":false,"scanAbortedAt":null,"scanFinishedAt":"2022-04-06T09:18:21.090855Z","scanStartedAt":"2022-04-06T08:26:52.838047Z","scanStatus":"finished","siteId":"1234567890123456789","siteName":"Default site","storageName":null,"storageType":null,"userActionsNeeded":[]},"containerInfo":{"id":null,"image":null,"labels":null,"name":null},"id":"1234567890123456789","indicators":[{"category":"General","description":"Detected by the Static Engine","ids":[43],"tactics":[]},{"category":"Exploitation","description":"Document behaves 
abnormally","ids":[62],"tactics":[{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"}]},{"name":"Initial Access","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"}]}]},{"category":"Evasion","description":"Indirect command was executed","ids":[427],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"}]}]},{"category":"Evasion","description":"Office program ran macro","ids":[434],"tactics":[{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]},{"name":"Initial Access","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]},{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]},{"category":"Evasion","description":"Process wrote to a hidden file section","ids":[169],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]},{"category":"Evasion","description":"Suspicious registry key was created","ids":[171],"tactics":[{"name":"Defense 
Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]}],"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"namespace":null,"namespaceLabels":null,"node":null,"pod":null,"podLabels":null},"mitigationStatus":[],"threatInfo":{"analystVerdict":"undefined","analystVerdictDescription":"Undefined","automaticallyResolved":false,"browserType":null,"certificateId":"","classification":"Exploit","classificationSource":"Static","cloudFilesHashVerdict":"black","collectionId":"1234567890123456789","confidenceLevel":"malicious","createdAt":"2022-04-06T08:57:34.744922Z","detectionEngines":[{"key":"pre_execution","title":"On-Write Static AI"},{"key":"data_files","title":"Documents, Scripts"}],"detectionType":"dynamic","engines":["Documents, Scripts","On-Write ABC"],"externalTicketExists":false,"externalTicketId":null,"failedActions":false,"fileExtension":"TXT","fileExtensionType":"Document","filePath":"test/path/user","fileSize":238592,"fileVerificationType":"NotSigned","identifiedAt":"2022-04-06T08:57:34.444000Z","incidentStatus":"unresolved","incidentStatusDescription":"Unresolved","initiatedBy":"agent_policy","initiatedByDescription":"Agent Policy","initiatingUserId":null,"initiatingUsername":null,"isFileless":false,"isValidCertificate":false,"maliciousProcessArguments":"test/path/user","md5":null,"mitigatedPreemptively":false,"mitigationStatus":"not_mitigated","mitigationStatusDescription":"Not mitigated","originatorProcess":"default.EXE","pendingActions":false,"processUser":"test_user","publisherName":"","reachedEventsLimit":false,"rebootRequired":false,"sha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","sha256":null,"storyline":"7XXXXXXXXXDD5A41","threatId":"123456789","threatName":"Threats","updatedAt":"2022-04-06T08:57:37.672873Z"},"whiteningOptions":["hash","path","file_type"]} 
{"agentDetectionInfo":{"accountId":"1234567890123456789","accountName":"Default","agentDetectionState":null,"agentDomain":"WORKGROUP","agentIpV4":"10.0.0.1","agentIpV6":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","agentLastLoggedInUpn":null,"agentLastLoggedInUserMail":null,"agentLastLoggedInUserName":"","agentMitigationMode":"detect","agentOsName":"linux","agentOsRevision":"1234","agentRegisteredAt":"2022-04-06T08:26:45.515278Z","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x","cloudProviders":{},"externalIp":"81.2.69.143","groupId":"1234567890123456789","groupName":"Default Group","siteId":"1234567890123456789","siteName":"Default site"},"agentRealtimeInfo":{"accountId":"1234567890123456789","accountName":"Default","activeThreats":7,"agentComputerName":"test-LINUX","agentDecommissionedAt":null,"agentDomain":"WORKGROUP","agentId":"1234567890123456789","agentInfected":true,"agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"server","agentMitigationMode":"detect","agentNetworkStatus":"connected","agentOsName":"linux","agentOsRevision":"1234","agentOsType":"linux","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x.1234","groupId":"1234567890123456789","groupName":"Default Group","networkInterfaces":[{"id":"1234567890123456789","inet":["10.0.0.1"],"inet6":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"],"name":"Ethernet","physical":"00-00-5E-00-53-00"}],"operationalState":"na","rebootRequired":false,"scanAbortedAt":null,"scanFinishedAt":"2022-04-06T09:18:21.090855Z","scanStartedAt":"2022-04-06T08:26:52.838047Z","scanStatus":"finished","siteId":"1234567890123456789","siteName":"Default site","storageName":null,"storageType":null,"userActionsNeeded":[]},"containerInfo":{"id":null,"image":null,"labels":null,"name":null},"id":"1234567890123456789","indicators":[{"category":"General","description":"Detected by the Static Engine","ids":[43],"tactics":[]},{"category":"Exploitation","description":"Document behaves 
abnormally","ids":[62],"tactics":[{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"}]},{"name":"Initial Access","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"}]}]},{"category":"Evasion","description":"Indirect command was executed","ids":[427],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"}]}]},{"category":"Evasion","description":"Office program ran macro","ids":[434],"tactics":[{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]},{"name":"Initial Access","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]},{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]},{"category":"Evasion","description":"Process wrote to a hidden file section","ids":[169],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]},{"category":"Evasion","description":"Suspicious registry key was created","ids":[171],"tactics":[{"name":"Defense 
Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]}],"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"namespace":null,"namespaceLabels":null,"node":null,"pod":null,"podLabels":null},"mitigationStatus":[],"threatInfo":{"analystVerdict":"undefined","analystVerdictDescription":"Undefined","automaticallyResolved":false,"browserType":null,"certificateId":"","classification":"PUA","classificationSource":"Static","cloudFilesHashVerdict":"black","collectionId":"1234567890123456789","confidenceLevel":"malicious","createdAt":"2022-04-06T08:57:34.744922Z","detectionEngines":[{"key":"pre_execution","title":"On-Write Static AI"},{"key":"data_files","title":"Documents, Scripts"}],"detectionType":"dynamic","engines":["Documents, Scripts","On-Write ABC"],"externalTicketExists":false,"externalTicketId":null,"failedActions":false,"fileExtension":"TXT","fileExtensionType":"Document","filePath":"test/path/user","fileSize":238592,"fileVerificationType":"NotSigned","identifiedAt":"2022-04-06T08:57:34.444000Z","incidentStatus":"unresolved","incidentStatusDescription":"Unresolved","initiatedBy":"agent_policy","initiatedByDescription":"Agent Policy","initiatingUserId":null,"initiatingUsername":null,"isFileless":false,"isValidCertificate":false,"maliciousProcessArguments":"test/path/user","md5":null,"mitigatedPreemptively":false,"mitigationStatus":"not_mitigated","mitigationStatusDescription":"Not mitigated","originatorProcess":"default.EXE","pendingActions":false,"processUser":"test_user","publisherName":"","reachedEventsLimit":false,"rebootRequired":false,"sha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","sha256":null,"storyline":"7XXXXXXXXXDD5A41","threatId":"123456789","threatName":"Threats","updatedAt":"2022-04-06T08:57:37.672873Z"},"whiteningOptions":["hash","path","file_type"]} 
{"agentDetectionInfo":{"accountId":"1234567890123456789","accountName":"Default","agentDetectionState":null,"agentDomain":"WORKGROUP","agentIpV4":"10.0.0.1","agentIpV6":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","agentLastLoggedInUpn":null,"agentLastLoggedInUserMail":null,"agentLastLoggedInUserName":"","agentMitigationMode":"detect","agentOsName":"linux","agentOsRevision":"1234","agentRegisteredAt":"2022-04-06T08:26:45.515278Z","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x","cloudProviders":{},"externalIp":"81.2.69.143","groupId":"1234567890123456789","groupName":"Default Group","siteId":"1234567890123456789","siteName":"Default site"},"agentRealtimeInfo":{"accountId":"1234567890123456789","accountName":"Default","activeThreats":7,"agentComputerName":"test-LINUX","agentDecommissionedAt":null,"agentDomain":"WORKGROUP","agentId":"1234567890123456789","agentInfected":true,"agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"server","agentMitigationMode":"detect","agentNetworkStatus":"connected","agentOsName":"linux","agentOsRevision":"1234","agentOsType":"linux","agentUuid":"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx","agentVersion":"21.x.x.1234","groupId":"1234567890123456789","groupName":"Default Group","networkInterfaces":[{"id":"1234567890123456789","inet":["10.0.0.1"],"inet6":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"],"name":"Ethernet","physical":"00-00-5E-00-53-00"}],"operationalState":"na","rebootRequired":false,"scanAbortedAt":null,"scanFinishedAt":"2022-04-06T09:18:21.090855Z","scanStartedAt":"2022-04-06T08:26:52.838047Z","scanStatus":"finished","siteId":"1234567890123456789","siteName":"Default site","storageName":null,"storageType":null,"userActionsNeeded":[]},"containerInfo":{"id":null,"image":null,"labels":null,"name":null},"id":"1234567890123456789","indicators":[{"category":"General","description":"Detected by the Static Engine","ids":[43],"tactics":[]},{"category":"Exploitation","description":"Document behaves 
abnormally","ids":[62],"tactics":[{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"}]},{"name":"Initial Access","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"}]}]},{"category":"Evasion","description":"Indirect command was executed","ids":[427],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com/","name":"T1234"},{"link":"https://example.com/","name":"T1234"}]}]},{"category":"Evasion","description":"Office program ran macro","ids":[434],"tactics":[{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]},{"name":"Initial Access","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]},{"name":"Execution","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]},{"category":"Evasion","description":"Process wrote to a hidden file section","ids":[169],"tactics":[{"name":"Defense Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]},{"category":"Evasion","description":"Suspicious registry key was created","ids":[171],"tactics":[{"name":"Defense 
Evasion","source":"DEFAULT","techniques":[{"link":"https://example.com","name":"T1234"}]}]}],"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"namespace":null,"namespaceLabels":null,"node":null,"pod":null,"podLabels":null},"mitigationStatus":[],"threatInfo":{"analystVerdict":"undefined","analystVerdictDescription":"Undefined","automaticallyResolved":false,"browserType":null,"certificateId":"","classification":"Downloader","classificationSource":"Static","cloudFilesHashVerdict":"black","collectionId":"1234567890123456789","confidenceLevel":"malicious","createdAt":"2022-04-06T08:57:34.744922Z","detectionEngines":[{"key":"pre_execution","title":"On-Write Static AI"},{"key":"data_files","title":"Documents, Scripts"}],"detectionType":"dynamic","engines":["Documents, Scripts","On-Write ABC"],"externalTicketExists":false,"externalTicketId":null,"failedActions":false,"fileExtension":"TXT","fileExtensionType":"Document","filePath":"test/path/user","fileSize":238592,"fileVerificationType":"NotSigned","identifiedAt":"2022-04-06T08:57:34.444000Z","incidentStatus":"unresolved","incidentStatusDescription":"Unresolved","initiatedBy":"agent_policy","initiatedByDescription":"Agent Policy","initiatingUserId":null,"initiatingUsername":null,"isFileless":false,"isValidCertificate":false,"maliciousProcessArguments":"test/path/user","md5":null,"mitigatedPreemptively":false,"mitigationStatus":"not_mitigated","mitigationStatusDescription":"Not mitigated","originatorProcess":"default.EXE","pendingActions":false,"processUser":"test_user","publisherName":"","reachedEventsLimit":false,"rebootRequired":false,"sha1":"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","sha256":null,"storyline":"7XXXXXXXXXDD5A41","threatId":"123456789","threatName":"Threats","updatedAt":"2022-04-06T08:57:37.672873Z"},"whiteningOptions":["hash","path","file_type"]} 
-{"agentDetectionInfo":{"accountId":"11111111111111111","accountName":"REDACTED","agentDetectionState":null,"agentDomain":"domain.com","agentIpV4":"192.168.100.226,10.251.20.65,127.0.0.1","agentIpV6":"2a02:cf40::1,2a02:cf40::2,2a02:cf40::3,2a02:cf40::4,2a02:cf40::5,2a02:cf40::6,2a02:cf40::7,2a02:cf40::8,2a02:cf40::9,2a02:cf40::a,2a02:cf40::b,2a02:cf40::c,2a02:cf40::d,2a02:cf40::e,2a02:cf40::f,2a02:cf40::10,2a02:cf40::11,2a02:cf40::12,2a02:cf40::13,2a02:cf40::14,::1,fe80::1","agentLastLoggedInUpn":null,"agentLastLoggedInUserMail":null,"agentLastLoggedInUserName":"user","agentMitigationMode":"protect","agentOsName":"macOS","agentOsRevision":"15.1.1 (24B91)","agentRegisteredAt":"2023-07-04T11:28:10.412301Z","agentUuid":"REDACTED","agentVersion":"24.3.2.7753","assetVersion":"","cloudProviders":{},"externalIp":"81.2.69.143","groupId":"REDACTED","groupName":"REDACTED","siteId":"REDACTED","siteName":"REDACTED"},"agentRealtimeInfo":{"accountId":"1458520677752505410","accountName":"REDACTED","activeThreats":0,"agentComputerName":"arvchristos MacBook Pro","agentDecommissionedAt":null,"agentDomain":"REDACTED","agentId":"REDACTED","agentInfected":false,"agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"laptop","agentMitigationMode":"protect","agentNetworkStatus":"connected","agentOsName":"macOS","agentOsRevision":"15.1.1 (24B91)","agentOsType":"macos","agentUuid":"REDACTED","agentVersion":"24.3.2.7753","groupId":"REDACTED","groupName":"REDACTED","networkInterfaces":[{"id":"2107157764033527810","inet":[],"inet6":[],"name":"ap1","physical":"00-01-02-03-04-05"},{"id":"1721688730762582514","inet":[],"inet6":[],"name":"Thunderbolt Bridge","physical":"00-01-02-03-04-05"},{"id":"1721688730770971123","inet":[],"inet6":[],"name":"en3","physical":"00-01-02-03-04-05"},{"id":"2137006397647190909","inet":[],"inet6":["fe80::f01d:18ff:fedc:24e7"],"name":"awdl0","physical":"00-01-02-03-04-05"},{"id":"1721688730779359735","inet":[],"inet6":[],"name":"Ethernet Adapter 
(en4)","physical":"00-01-02-03-04-05"},{"id":"1721688730779359736","inet":[],"inet6":[],"name":"anpi2","physical":"00-01-02-03-04-05"},{"id":"1721688730787748346","inet":[],"inet6":[],"name":"anpi1","physical":"00-01-02-03-04-05"},{"id":"1721688730787748347","inet":[],"inet6":[],"name":"Ethernet Adapter (en5)","physical":"00-01-02-03-04-05"},{"id":"1721688730787748348","inet":[],"inet6":[],"name":"anpi0","physical":"00-01-02-03-04-05"},{"id":"1721688730787748349","inet":[],"inet6":[],"name":"Ethernet Adapter (en6)","physical":"00-01-02-03-04-05"},{"id":"1721688730796136958","inet":[],"inet6":[],"name":"en2","physical":"00-01-02-03-04-05"},{"id":"1721688730770971124","inet":["127.0.0.1"],"inet6":["fe80::f527:f2:7fe8:be1d","fe80::8ea1:6e0f:3940:34bf","fe80::1f73:5e77:ce02:840","fe80::ee7d:b31d:fd3:2637","fe80::c85b:19e6:ac49:3359","fe80::eb3d:3b75:995b:21c","fe80::b2ac:a595:f1f8:d25","fe80::f17c:755c:2525:22a5","fe80::b035:5bcf:7bac:c829","fe80::c15a:5465:a6a8:8e10","fe80::6c6c:29fd:aaea:ddd0","fe80::ce81:b1c:bd2c:69e","::1","fe80::1"],"name":"utun5","physical":"00-01-02-03-04-05"},{"id":"2139357156401579711","inet":["172.20.14.160"],"inet6":["fe80::148f:e31e:e780:dcf5"],"name":"Wi-Fi","physical":"00-01-02-03-04-05"}],"operationalState":"na","rebootRequired":false,"scanAbortedAt":null,"scanFinishedAt":"2023-07-05T10:48:43.160438Z","scanStartedAt":"2023-07-04T11:28:32.292630Z","scanStatus":"finished","siteId":"REDACTED","siteName":"REDACTED","storageName":null,"storageType":null,"userActionsNeeded":[]},"containerInfo":{"id":null,"image":null,"isContainerQuarantine":null,"labels":null,"name":null},"ecsInfo":{"clusterName":null,"serviceArn":null,"serviceName":null,"taskArn":null,"taskAvailabilityZone":null,"taskDefinitionArn":null,"taskDefinitionFamily":null,"taskDefinitionRevision":null,"type":null,"version":null},"id":"2120407777501474123","indicators":[{"category":"Abnormalities","description":"The Entry point for this binary is an RWX section. 
It might contain self-modifying code","ids":[32],"tactics":[]},{"category":"Hiding/Stealthiness","description":"The majority of sections in this PE have high entropy, a sign of obfuscation or packing","ids":[29],"tactics":[]},{"category":"Abnormalities","description":"This binary has an RWX section. It might contain self-modifying code","ids":[33],"tactics":[]},{"category":"Abnormalities","description":"This binary has non-English version info","ids":[15],"tactics":[]},{"category":"Hiding/Stealthiness","description":"This binary may contain encrypted or compressed data as measured by high entropy of the sections (greater than 6.8)","ids":[12],"tactics":[]}],"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"isContainerQuarantine":null,"namespace":null,"namespaceLabels":null,"node":null,"nodeLabels":null,"pod":null,"podLabels":null},"mitigationStatus":[{"action":"remediate","actionsCounters":null,"agentSupportsReport":true,"groupNotFound":false,"lastUpdate":"2025-01-04T14:31:44.940669Z","latestReport":null,"mitigationEndedAt":"2025-01-04T14:31:44.932389Z","mitigationStartedAt":"2025-01-04T14:31:44.932387Z","reportId":"REDACTED","status":"success"},{"action":"quarantine","actionsCounters":{"failed":0,"notFound":0,"pendingReboot":0,"success":1,"total":1},"agentSupportsReport":true,"groupNotFound":false,"lastUpdate":"2025-01-04T14:31:44.890256Z","latestReport":"/threats/mitigation-report/REDACTED","mitigationEndedAt":"2025-01-04T14:31:44.890266Z","mitigationStartedAt":"2025-01-04T14:31:44.890269Z","reportId":"REDACTED","status":"success"},{"action":"kill","actionsCounters":null,"agentSupportsReport":true,"groupNotFound":false,"lastUpdate":"2025-01-04T14:31:44.812073Z","latestReport":null,"mitigationEndedAt":"2025-01-04T14:31:44.779654Z","mitigationStartedAt":"2025-01-04T14:31:44.779653Z","reportId":"REDACTED","status":"success"}],"threatInfo":{"analystVerdict":"undefined","analystVerdictDescription":"Undefined","automat
icallyResolved":false,"browserType":null,"certificateId":null,"classification":"Malware","classificationSource":"Static","cloudFilesHashVerdict":null,"collectionId":"REDACTED","confidenceLevel":"malicious","createdAt":"2025-01-04T14:31:44.711820Z","detectionEngines":[{"key":"pre_execution_suspicious","title":"On-Write Static AI - Suspicious"}],"detectionType":"static","engines":["On-Write DFI - Suspicious"],"externalTicketExists":false,"externalTicketId":null,"failedActions":false,"fileExtension":null,"fileExtensionType":null,"filePath":"/Users/REDACTED/Downloads/uc232a_windows_setup_v1.0.084/UC232A_Windows_Setup.exe","fileSize":0,"fileVerificationType":null,"identifiedAt":"2025-01-04T14:31:43Z","incidentStatus":"unresolved","incidentStatusDescription":"Unresolved","initiatedBy":"agent_policy","initiatedByDescription":"Agent Policy","initiatingUserId":null,"initiatingUsername":null,"isFileless":false,"isValidCertificate":false,"macroModules":null,"maliciousProcessArguments":null,"md5":null,"mitigatedPreemptively":false,"mitigationStatus":"mitigated","mitigationStatusDescription":"Mitigated","originatorProcess":"ArchiveService","pendingActions":false,"processUser":"root","publisherName":null,"reachedEventsLimit":null,"rebootRequired":false,"rootProcessUpn":null,"sha1":"fb212d2614de0275fc350b6c8d057525190ea8d8","sha256":"49280a15191065129e434f96444b29af83aa54d85fb6912030c62ab7ad2e4440","storyline":"BD777E0B-65E9-470E-B0E0-4390C99951DF","threatId":"REDACTED","threatName":"UC232A_Windows_Setup.exe","updatedAt":"2025-01-04T14:31:44.938250Z"},"whiteningOptions":["hash","path"]} 
+{"agentDetectionInfo":{"accountId":"11111111111111111","accountName":"REDACTED","agentDetectionState":null,"agentDomain":"domain.com","agentIpV4":"192.168.100.226,10.251.20.65,127.0.0.1","agentIpV6":"2a02:cf40::1,2a02:cf40::2,2a02:cf40::3,2a02:cf40::4,2a02:cf40::5,2a02:cf40::6,2a02:cf40::7,2a02:cf40::8,2a02:cf40::9,2a02:cf40::a,2a02:cf40::b,2a02:cf40::c,2a02:cf40::d,2a02:cf40::e,2a02:cf40::f,2a02:cf40::10,2a02:cf40::11,2a02:cf40::12,2a02:cf40::13,2a02:cf40::14,::1,fe80::1","agentLastLoggedInUpn":null,"agentLastLoggedInUserMail":null,"agentLastLoggedInUserName":"TESTDOMAIN\\user","agentMitigationMode":"protect","agentOsName":"macOS","agentOsRevision":"15.1.1 (24B91)","agentRegisteredAt":"2023-07-04T11:28:10.412301Z","agentUuid":"REDACTED","agentVersion":"24.3.2.7753","assetVersion":"","cloudProviders":{},"externalIp":"81.2.69.143","groupId":"REDACTED","groupName":"REDACTED","siteId":"REDACTED","siteName":"REDACTED"},"agentRealtimeInfo":{"accountId":"1458520677752505410","accountName":"REDACTED","activeThreats":0,"agentComputerName":"arvchristos MacBook Pro","agentDecommissionedAt":null,"agentDomain":"REDACTED","agentId":"REDACTED","agentInfected":false,"agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"laptop","agentMitigationMode":"protect","agentNetworkStatus":"connected","agentOsName":"macOS","agentOsRevision":"15.1.1 (24B91)","agentOsType":"macos","agentUuid":"REDACTED","agentVersion":"24.3.2.7753","groupId":"REDACTED","groupName":"REDACTED","networkInterfaces":[{"id":"2107157764033527810","inet":[],"inet6":[],"name":"ap1","physical":"00-01-02-03-04-05"},{"id":"1721688730762582514","inet":[],"inet6":[],"name":"Thunderbolt Bridge","physical":"00-01-02-03-04-05"},{"id":"1721688730770971123","inet":[],"inet6":[],"name":"en3","physical":"00-01-02-03-04-05"},{"id":"2137006397647190909","inet":[],"inet6":["fe80::f01d:18ff:fedc:24e7"],"name":"awdl0","physical":"00-01-02-03-04-05"},{"id":"1721688730779359735","inet":[],"inet6":[],"name":"Ethernet 
Adapter (en4)","physical":"00-01-02-03-04-05"},{"id":"1721688730779359736","inet":[],"inet6":[],"name":"anpi2","physical":"00-01-02-03-04-05"},{"id":"1721688730787748346","inet":[],"inet6":[],"name":"anpi1","physical":"00-01-02-03-04-05"},{"id":"1721688730787748347","inet":[],"inet6":[],"name":"Ethernet Adapter (en5)","physical":"00-01-02-03-04-05"},{"id":"1721688730787748348","inet":[],"inet6":[],"name":"anpi0","physical":"00-01-02-03-04-05"},{"id":"1721688730787748349","inet":[],"inet6":[],"name":"Ethernet Adapter (en6)","physical":"00-01-02-03-04-05"},{"id":"1721688730796136958","inet":[],"inet6":[],"name":"en2","physical":"00-01-02-03-04-05"},{"id":"1721688730770971124","inet":["127.0.0.1"],"inet6":["fe80::f527:f2:7fe8:be1d","fe80::8ea1:6e0f:3940:34bf","fe80::1f73:5e77:ce02:840","fe80::ee7d:b31d:fd3:2637","fe80::c85b:19e6:ac49:3359","fe80::eb3d:3b75:995b:21c","fe80::b2ac:a595:f1f8:d25","fe80::f17c:755c:2525:22a5","fe80::b035:5bcf:7bac:c829","fe80::c15a:5465:a6a8:8e10","fe80::6c6c:29fd:aaea:ddd0","fe80::ce81:b1c:bd2c:69e","::1","fe80::1"],"name":"utun5","physical":"00-01-02-03-04-05"},{"id":"2139357156401579711","inet":["172.20.14.160"],"inet6":["fe80::148f:e31e:e780:dcf5"],"name":"Wi-Fi","physical":"00-01-02-03-04-05"}],"operationalState":"na","rebootRequired":false,"scanAbortedAt":null,"scanFinishedAt":"2023-07-05T10:48:43.160438Z","scanStartedAt":"2023-07-04T11:28:32.292630Z","scanStatus":"finished","siteId":"REDACTED","siteName":"REDACTED","storageName":null,"storageType":null,"userActionsNeeded":[]},"containerInfo":{"id":null,"image":null,"isContainerQuarantine":null,"labels":null,"name":null},"ecsInfo":{"clusterName":null,"serviceArn":null,"serviceName":null,"taskArn":null,"taskAvailabilityZone":null,"taskDefinitionArn":null,"taskDefinitionFamily":null,"taskDefinitionRevision":null,"type":null,"version":null},"id":"2120407777501474123","indicators":[{"category":"Abnormalities","description":"The Entry point for this binary is an RWX section. 
It might contain self-modifying code","ids":[32],"tactics":[]},{"category":"Hiding/Stealthiness","description":"The majority of sections in this PE have high entropy, a sign of obfuscation or packing","ids":[29],"tactics":[]},{"category":"Abnormalities","description":"This binary has an RWX section. It might contain self-modifying code","ids":[33],"tactics":[]},{"category":"Abnormalities","description":"This binary has non-English version info","ids":[15],"tactics":[]},{"category":"Hiding/Stealthiness","description":"This binary may contain encrypted or compressed data as measured by high entropy of the sections (greater than 6.8)","ids":[12],"tactics":[]}],"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"isContainerQuarantine":null,"namespace":null,"namespaceLabels":null,"node":null,"nodeLabels":null,"pod":null,"podLabels":null},"mitigationStatus":[{"action":"remediate","actionsCounters":null,"agentSupportsReport":true,"groupNotFound":false,"lastUpdate":"2025-01-04T14:31:44.940669Z","latestReport":null,"mitigationEndedAt":"2025-01-04T14:31:44.932389Z","mitigationStartedAt":"2025-01-04T14:31:44.932387Z","reportId":"REDACTED","status":"success"},{"action":"quarantine","actionsCounters":{"failed":0,"notFound":0,"pendingReboot":0,"success":1,"total":1},"agentSupportsReport":true,"groupNotFound":false,"lastUpdate":"2025-01-04T14:31:44.890256Z","latestReport":"/threats/mitigation-report/REDACTED","mitigationEndedAt":"2025-01-04T14:31:44.890266Z","mitigationStartedAt":"2025-01-04T14:31:44.890269Z","reportId":"REDACTED","status":"success"},{"action":"kill","actionsCounters":null,"agentSupportsReport":true,"groupNotFound":false,"lastUpdate":"2025-01-04T14:31:44.812073Z","latestReport":null,"mitigationEndedAt":"2025-01-04T14:31:44.779654Z","mitigationStartedAt":"2025-01-04T14:31:44.779653Z","reportId":"REDACTED","status":"success"}],"threatInfo":{"analystVerdict":"undefined","analystVerdictDescription":"Undefined","automat
icallyResolved":false,"browserType":null,"certificateId":null,"classification":"Malware","classificationSource":"Static","cloudFilesHashVerdict":null,"collectionId":"REDACTED","confidenceLevel":"malicious","createdAt":"2025-01-04T14:31:44.711820Z","detectionEngines":[{"key":"pre_execution_suspicious","title":"On-Write Static AI - Suspicious"}],"detectionType":"static","engines":["On-Write DFI - Suspicious"],"externalTicketExists":false,"externalTicketId":null,"failedActions":false,"fileExtension":null,"fileExtensionType":null,"filePath":"/Users/REDACTED/Downloads/uc232a_windows_setup_v1.0.084/UC232A_Windows_Setup.exe","fileSize":0,"fileVerificationType":null,"identifiedAt":"2025-01-04T14:31:43Z","incidentStatus":"unresolved","incidentStatusDescription":"Unresolved","initiatedBy":"agent_policy","initiatedByDescription":"Agent Policy","initiatingUserId":null,"initiatingUsername":null,"isFileless":false,"isValidCertificate":false,"macroModules":null,"maliciousProcessArguments":null,"md5":null,"mitigatedPreemptively":false,"mitigationStatus":"mitigated","mitigationStatusDescription":"Mitigated","originatorProcess":"ArchiveService","pendingActions":false,"processUser":"root","publisherName":null,"reachedEventsLimit":null,"rebootRequired":false,"rootProcessUpn":null,"sha1":"fb212d2614de0275fc350b6c8d057525190ea8d8","sha256":"49280a15191065129e434f96444b29af83aa54d85fb6912030c62ab7ad2e4440","storyline":"BD777E0B-65E9-470E-B0E0-4390C99951DF","threatId":"REDACTED","threatName":"UC232A_Windows_Setup.exe","updatedAt":"2025-01-04T14:31:44.938250Z"},"whiteningOptions":["hash","path"]} {"agentDetectionInfo":{"accountId":"1341089495639497756","accountName":"MyAccountName","agentDetectionState":"full_mode","agentDomain":"domain.local","agentIpV4":"10.239.153.8","agentIpV6":"","agentLastLoggedInUpn":"name.surname@xxx.xxx","agentLastLoggedInUserMail":null,"agentLastLoggedInUserName":"username","agentMitigationMode":"protect","agentOsName":"Windows 11 
Enterprise","agentOsRevision":"22631","agentRegisteredAt":"2023-06-01T08:01:56.832409Z","agentUuid":"7faaf3df17314exxx8c063de167b0e416","agentVersion":"24.1.5.277","assetVersion":"277","cloudProviders":{},"externalIp":"81.2.69.144","groupId":"1341132821935792047","groupName":"Default Group","siteId":"1341132821910626222","siteName":"windows"},"agentRealtimeInfo":{"accountId":"1341089495639499999","accountName":"MyAccountName","activeThreats":0,"agentComputerName":"99999","agentDecommissionedAt":null,"agentDomain":"domain.local","agentId":"1697667xxx483013694","agentInfected":false,"agentIsActive":true,"agentIsDecommissioned":false,"agentMachineType":"laptop","agentMitigationMode":"protect","agentNetworkStatus":"connected","agentOsName":"Windows 11 Enterprise","agentOsRevision":"22631","agentOsType":"windows","agentUuid":"7faaf3df17314exxx8c063de167b0e416","agentVersion":"24.1.5.277","groupId":"1341132xxx935792047","groupName":"Default Group","networkInterfaces":[{"id":"2122017713487462603","inet":["10.239.153.8"],"inet6":[],"name":"Wi-Fi","physical":"70:d8:23:8e:9c:22"}],"operationalState":"na","rebootRequired":false,"scanAbortedAt":null,"scanFinishedAt":"2024-07-12T11:06:37.830732Z","scanStartedAt":"2024-07-12T10:01:50.384501Z","scanStatus":"finished","siteId":"13411xxx21910626222","siteName":"windows","storageName":null,"storageType":null,"userActionsNeeded":[]},"containerInfo":{"id":null,"image":null,"isContainerQuarantine":null,"labels":null,"name":null},"ecsInfo":{"clusterName":null,"serviceArn":null,"serviceName":null,"taskArn":null,"taskAvailabilityZone":null,"taskDefinitionArn":null,"taskDefinitionFamily":null,"taskDefinitionRevision":null,"type":null,"version":null},"id":"2188336463262791521","indicators":[],"kubernetesInfo":{"cluster":null,"controllerKind":null,"controllerLabels":null,"controllerName":null,"isContainerQuarantine":null,"namespace":null,"namespaceLabels":null,"node":null,"nodeLabels":null,"pod":null,"podLabels":null},"mitigationStatus":[{"ac
tion":"kill","actionsCounters":null,"agentSupportsReport":true,"groupNotFound":false,"lastUpdate":"2025-04-08T07:53:55.153478Z","latestReport":null,"mitigationEndedAt":"2025-04-08T07:53:55.143102Z","mitigationStartedAt":"2025-04-08T07:53:55.143101Z","reportId":"2188336463849994086","status":"success"},{"action":"quarantine","actionsCounters":{"failed":0,"notFound":0,"pendingReboot":0,"success":1,"total":1},"agentSupportsReport":true,"groupNotFound":false,"lastUpdate":"2025-04-08T07:53:55.242007Z","latestReport":"/threats/mitigation-report/21883xxxx4596580203","mitigationEndedAt":"2025-04-08T07:53:54.996000Z","mitigationStartedAt":"2025-04-08T07:53:54.996000Z","reportId":"21883xxx4596580203","status":"success"}],"threatInfo":{"analystVerdict":"true_positive","analystVerdictDescription":"True positive","automaticallyResolved":false,"browserType":null,"certificateId":"","classification":"Malware","classificationSource":"Static","cloudFilesHashVerdict":"black","collectionId":"2134739034820830297","confidenceLevel":"malicious","createdAt":"2025-04-08T07:53:55.082368Z","detectionEngines":[{"key":"sentinelone_cloud","title":"SentinelOne Cloud"}],"detectionType":"static","engines":["SentinelOne Cloud"],"externalTicketExists":false,"externalTicketId":null,"failedActions":false,"fileExtension":"RBF","fileExtensionType":"Unknown","filePath":"\\\\Device\\\\HarddiskVolume3\\\\Config.Msi\\\\44371a.rbf","fileSize":177664,"fileVerificationType":"NotSigned","identifiedAt":"2025-04-08T07:53:54.980000Z","incidentStatus":"resolved","incidentStatusDescription":"Resolved","initiatedBy":"agent_policy","initiatedByDescription":"Agent 
Policy","initiatingUserId":null,"initiatingUsername":null,"isFileless":false,"isValidCertificate":false,"macroModules":null,"maliciousProcessArguments":null,"md5":null,"mitigatedPreemptively":false,"mitigationStatus":"mitigated","mitigationStatusDescription":"Mitigated","originatorProcess":"msiexec.exe","pendingActions":false,"processUser":"domain.local\\\\username","publisherName":"","reachedEventsLimit":false,"rebootRequired":false,"rootProcessUpn":null,"sha1":"b648fe6b2eb07c08f14cbb67e6ad272b0d119295","sha256":"ce6a1603ea351a8989ddb1ca1521212c9388b740ff8e3347f2768dae0fa95d3f","storyline":"A423EDD7DE41BB8B","threatId":"2188336463262xxx521","threatName":"44371a.rbf","updatedAt":"2025-04-08T08:17:59.621368Z"},"whiteningOptions":["hash"]} diff --git a/packages/sentinel_one/data_stream/threat/_dev/test/pipeline/test-pipeline-threat.log-expected.json b/packages/sentinel_one/data_stream/threat/_dev/test/pipeline/test-pipeline-threat.log-expected.json index 85afc01f478..3c37f2d7483 100644 --- a/packages/sentinel_one/data_stream/threat/_dev/test/pipeline/test-pipeline-threat.log-expected.json +++ b/packages/sentinel_one/data_stream/threat/_dev/test/pipeline/test-pipeline-threat.log-expected.json 
@@ -1522,7 +1522,7 @@ ], "id": "2120407777501474123", "kind": "alert", - "original": "{\"agentDetectionInfo\":{\"accountId\":\"11111111111111111\",\"accountName\":\"REDACTED\",\"agentDetectionState\":null,\"agentDomain\":\"domain.com\",\"agentIpV4\":\"192.168.100.226,10.251.20.65,127.0.0.1\",\"agentIpV6\":\"2a02:cf40::1,2a02:cf40::2,2a02:cf40::3,2a02:cf40::4,2a02:cf40::5,2a02:cf40::6,2a02:cf40::7,2a02:cf40::8,2a02:cf40::9,2a02:cf40::a,2a02:cf40::b,2a02:cf40::c,2a02:cf40::d,2a02:cf40::e,2a02:cf40::f,2a02:cf40::10,2a02:cf40::11,2a02:cf40::12,2a02:cf40::13,2a02:cf40::14,::1,fe80::1\",\"agentLastLoggedInUpn\":null,\"agentLastLoggedInUserMail\":null,\"agentLastLoggedInUserName\":\"user\",\"agentMitigationMode\":\"protect\",\"agentOsName\":\"macOS\",\"agentOsRevision\":\"15.1.1 (24B91)\",\"agentRegisteredAt\":\"2023-07-04T11:28:10.412301Z\",\"agentUuid\":\"REDACTED\",\"agentVersion\":\"24.3.2.7753\",\"assetVersion\":\"\",\"cloudProviders\":{},\"externalIp\":\"81.2.69.143\",\"groupId\":\"REDACTED\",\"groupName\":\"REDACTED\",\"siteId\":\"REDACTED\",\"siteName\":\"REDACTED\"},\"agentRealtimeInfo\":{\"accountId\":\"1458520677752505410\",\"accountName\":\"REDACTED\",\"activeThreats\":0,\"agentComputerName\":\"arvchristos MacBook Pro\",\"agentDecommissionedAt\":null,\"agentDomain\":\"REDACTED\",\"agentId\":\"REDACTED\",\"agentInfected\":false,\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"laptop\",\"agentMitigationMode\":\"protect\",\"agentNetworkStatus\":\"connected\",\"agentOsName\":\"macOS\",\"agentOsRevision\":\"15.1.1 (24B91)\",\"agentOsType\":\"macos\",\"agentUuid\":\"REDACTED\",\"agentVersion\":\"24.3.2.7753\",\"groupId\":\"REDACTED\",\"groupName\":\"REDACTED\",\"networkInterfaces\":[{\"id\":\"2107157764033527810\",\"inet\":[],\"inet6\":[],\"name\":\"ap1\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"1721688730762582514\",\"inet\":[],\"inet6\":[],\"name\":\"Thunderbolt 
Bridge\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"1721688730770971123\",\"inet\":[],\"inet6\":[],\"name\":\"en3\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"2137006397647190909\",\"inet\":[],\"inet6\":[\"fe80::f01d:18ff:fedc:24e7\"],\"name\":\"awdl0\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"1721688730779359735\",\"inet\":[],\"inet6\":[],\"name\":\"Ethernet Adapter (en4)\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"1721688730779359736\",\"inet\":[],\"inet6\":[],\"name\":\"anpi2\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"1721688730787748346\",\"inet\":[],\"inet6\":[],\"name\":\"anpi1\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"1721688730787748347\",\"inet\":[],\"inet6\":[],\"name\":\"Ethernet Adapter (en5)\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"1721688730787748348\",\"inet\":[],\"inet6\":[],\"name\":\"anpi0\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"1721688730787748349\",\"inet\":[],\"inet6\":[],\"name\":\"Ethernet Adapter (en6)\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"1721688730796136958\",\"inet\":[],\"inet6\":[],\"name\":\"en2\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"1721688730770971124\",\"inet\":[\"127.0.0.1\"],\"inet6\":[\"fe80::f527:f2:7fe8:be1d\",\"fe80::8ea1:6e0f:3940:34bf\",\"fe80::1f73:5e77:ce02:840\",\"fe80::ee7d:b31d:fd3:2637\",\"fe80::c85b:19e6:ac49:3359\",\"fe80::eb3d:3b75:995b:21c\",\"fe80::b2ac:a595:f1f8:d25\",\"fe80::f17c:755c:2525:22a5\",\"fe80::b035:5bcf:7bac:c829\",\"fe80::c15a:5465:a6a8:8e10\",\"fe80::6c6c:29fd:aaea:ddd0\",\"fe80::ce81:b1c:bd2c:69e\",\"::1\",\"fe80::1\"],\"name\":\"utun5\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"2139357156401579711\",\"inet\":[\"172.20.14.160\"],\"inet6\":[\"fe80::148f:e31e:e780:dcf5\"],\"name\":\"Wi-Fi\",\"physical\":\"00-01-02-03-04-05\"}],\"operationalState\":\"na\",\"rebootRequired\":false,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2023-07-05T10:48:43.160438Z\",\"scanStartedAt\":\"2023-07-04T11:28:32.292630Z\",\"scanStatus\":\"finished\",\"siteId\":
\"REDACTED\",\"siteName\":\"REDACTED\",\"storageName\":null,\"storageType\":null,\"userActionsNeeded\":[]},\"containerInfo\":{\"id\":null,\"image\":null,\"isContainerQuarantine\":null,\"labels\":null,\"name\":null},\"ecsInfo\":{\"clusterName\":null,\"serviceArn\":null,\"serviceName\":null,\"taskArn\":null,\"taskAvailabilityZone\":null,\"taskDefinitionArn\":null,\"taskDefinitionFamily\":null,\"taskDefinitionRevision\":null,\"type\":null,\"version\":null},\"id\":\"2120407777501474123\",\"indicators\":[{\"category\":\"Abnormalities\",\"description\":\"The Entry point for this binary is an RWX section. It might contain self-modifying code\",\"ids\":[32],\"tactics\":[]},{\"category\":\"Hiding/Stealthiness\",\"description\":\"The majority of sections in this PE have high entropy, a sign of obfuscation or packing\",\"ids\":[29],\"tactics\":[]},{\"category\":\"Abnormalities\",\"description\":\"This binary has an RWX section. It might contain self-modifying code\",\"ids\":[33],\"tactics\":[]},{\"category\":\"Abnormalities\",\"description\":\"This binary has non-English version info\",\"ids\":[15],\"tactics\":[]},{\"category\":\"Hiding/Stealthiness\",\"description\":\"This binary may contain encrypted or compressed data as measured by high entropy of the sections (greater than 
6.8)\",\"ids\":[12],\"tactics\":[]}],\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"isContainerQuarantine\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"nodeLabels\":null,\"pod\":null,\"podLabels\":null},\"mitigationStatus\":[{\"action\":\"remediate\",\"actionsCounters\":null,\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2025-01-04T14:31:44.940669Z\",\"latestReport\":null,\"mitigationEndedAt\":\"2025-01-04T14:31:44.932389Z\",\"mitigationStartedAt\":\"2025-01-04T14:31:44.932387Z\",\"reportId\":\"REDACTED\",\"status\":\"success\"},{\"action\":\"quarantine\",\"actionsCounters\":{\"failed\":0,\"notFound\":0,\"pendingReboot\":0,\"success\":1,\"total\":1},\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2025-01-04T14:31:44.890256Z\",\"latestReport\":\"/threats/mitigation-report/REDACTED\",\"mitigationEndedAt\":\"2025-01-04T14:31:44.890266Z\",\"mitigationStartedAt\":\"2025-01-04T14:31:44.890269Z\",\"reportId\":\"REDACTED\",\"status\":\"success\"},{\"action\":\"kill\",\"actionsCounters\":null,\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2025-01-04T14:31:44.812073Z\",\"latestReport\":null,\"mitigationEndedAt\":\"2025-01-04T14:31:44.779654Z\",\"mitigationStartedAt\":\"2025-01-04T14:31:44.779653Z\",\"reportId\":\"REDACTED\",\"status\":\"success\"}],\"threatInfo\":{\"analystVerdict\":\"undefined\",\"analystVerdictDescription\":\"Undefined\",\"automaticallyResolved\":false,\"browserType\":null,\"certificateId\":null,\"classification\":\"Malware\",\"classificationSource\":\"Static\",\"cloudFilesHashVerdict\":null,\"collectionId\":\"REDACTED\",\"confidenceLevel\":\"malicious\",\"createdAt\":\"2025-01-04T14:31:44.711820Z\",\"detectionEngines\":[{\"key\":\"pre_execution_suspicious\",\"title\":\"On-Write Static AI - Suspicious\"}],\"detectionType\":\"static\",\"engines\":[\"On-Write DFI - 
Suspicious\"],\"externalTicketExists\":false,\"externalTicketId\":null,\"failedActions\":false,\"fileExtension\":null,\"fileExtensionType\":null,\"filePath\":\"/Users/REDACTED/Downloads/uc232a_windows_setup_v1.0.084/UC232A_Windows_Setup.exe\",\"fileSize\":0,\"fileVerificationType\":null,\"identifiedAt\":\"2025-01-04T14:31:43Z\",\"incidentStatus\":\"unresolved\",\"incidentStatusDescription\":\"Unresolved\",\"initiatedBy\":\"agent_policy\",\"initiatedByDescription\":\"Agent Policy\",\"initiatingUserId\":null,\"initiatingUsername\":null,\"isFileless\":false,\"isValidCertificate\":false,\"macroModules\":null,\"maliciousProcessArguments\":null,\"md5\":null,\"mitigatedPreemptively\":false,\"mitigationStatus\":\"mitigated\",\"mitigationStatusDescription\":\"Mitigated\",\"originatorProcess\":\"ArchiveService\",\"pendingActions\":false,\"processUser\":\"root\",\"publisherName\":null,\"reachedEventsLimit\":null,\"rebootRequired\":false,\"rootProcessUpn\":null,\"sha1\":\"fb212d2614de0275fc350b6c8d057525190ea8d8\",\"sha256\":\"49280a15191065129e434f96444b29af83aa54d85fb6912030c62ab7ad2e4440\",\"storyline\":\"BD777E0B-65E9-470E-B0E0-4390C99951DF\",\"threatId\":\"REDACTED\",\"threatName\":\"UC232A_Windows_Setup.exe\",\"updatedAt\":\"2025-01-04T14:31:44.938250Z\"},\"whiteningOptions\":[\"hash\",\"path\"]}", + "original": 
"{\"agentDetectionInfo\":{\"accountId\":\"11111111111111111\",\"accountName\":\"REDACTED\",\"agentDetectionState\":null,\"agentDomain\":\"domain.com\",\"agentIpV4\":\"192.168.100.226,10.251.20.65,127.0.0.1\",\"agentIpV6\":\"2a02:cf40::1,2a02:cf40::2,2a02:cf40::3,2a02:cf40::4,2a02:cf40::5,2a02:cf40::6,2a02:cf40::7,2a02:cf40::8,2a02:cf40::9,2a02:cf40::a,2a02:cf40::b,2a02:cf40::c,2a02:cf40::d,2a02:cf40::e,2a02:cf40::f,2a02:cf40::10,2a02:cf40::11,2a02:cf40::12,2a02:cf40::13,2a02:cf40::14,::1,fe80::1\",\"agentLastLoggedInUpn\":null,\"agentLastLoggedInUserMail\":null,\"agentLastLoggedInUserName\":\"TESTDOMAIN\\\\user\",\"agentMitigationMode\":\"protect\",\"agentOsName\":\"macOS\",\"agentOsRevision\":\"15.1.1 (24B91)\",\"agentRegisteredAt\":\"2023-07-04T11:28:10.412301Z\",\"agentUuid\":\"REDACTED\",\"agentVersion\":\"24.3.2.7753\",\"assetVersion\":\"\",\"cloudProviders\":{},\"externalIp\":\"81.2.69.143\",\"groupId\":\"REDACTED\",\"groupName\":\"REDACTED\",\"siteId\":\"REDACTED\",\"siteName\":\"REDACTED\"},\"agentRealtimeInfo\":{\"accountId\":\"1458520677752505410\",\"accountName\":\"REDACTED\",\"activeThreats\":0,\"agentComputerName\":\"arvchristos MacBook Pro\",\"agentDecommissionedAt\":null,\"agentDomain\":\"REDACTED\",\"agentId\":\"REDACTED\",\"agentInfected\":false,\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"laptop\",\"agentMitigationMode\":\"protect\",\"agentNetworkStatus\":\"connected\",\"agentOsName\":\"macOS\",\"agentOsRevision\":\"15.1.1 (24B91)\",\"agentOsType\":\"macos\",\"agentUuid\":\"REDACTED\",\"agentVersion\":\"24.3.2.7753\",\"groupId\":\"REDACTED\",\"groupName\":\"REDACTED\",\"networkInterfaces\":[{\"id\":\"2107157764033527810\",\"inet\":[],\"inet6\":[],\"name\":\"ap1\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"1721688730762582514\",\"inet\":[],\"inet6\":[],\"name\":\"Thunderbolt 
Bridge\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"1721688730770971123\",\"inet\":[],\"inet6\":[],\"name\":\"en3\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"2137006397647190909\",\"inet\":[],\"inet6\":[\"fe80::f01d:18ff:fedc:24e7\"],\"name\":\"awdl0\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"1721688730779359735\",\"inet\":[],\"inet6\":[],\"name\":\"Ethernet Adapter (en4)\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"1721688730779359736\",\"inet\":[],\"inet6\":[],\"name\":\"anpi2\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"1721688730787748346\",\"inet\":[],\"inet6\":[],\"name\":\"anpi1\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"1721688730787748347\",\"inet\":[],\"inet6\":[],\"name\":\"Ethernet Adapter (en5)\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"1721688730787748348\",\"inet\":[],\"inet6\":[],\"name\":\"anpi0\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"1721688730787748349\",\"inet\":[],\"inet6\":[],\"name\":\"Ethernet Adapter (en6)\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"1721688730796136958\",\"inet\":[],\"inet6\":[],\"name\":\"en2\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"1721688730770971124\",\"inet\":[\"127.0.0.1\"],\"inet6\":[\"fe80::f527:f2:7fe8:be1d\",\"fe80::8ea1:6e0f:3940:34bf\",\"fe80::1f73:5e77:ce02:840\",\"fe80::ee7d:b31d:fd3:2637\",\"fe80::c85b:19e6:ac49:3359\",\"fe80::eb3d:3b75:995b:21c\",\"fe80::b2ac:a595:f1f8:d25\",\"fe80::f17c:755c:2525:22a5\",\"fe80::b035:5bcf:7bac:c829\",\"fe80::c15a:5465:a6a8:8e10\",\"fe80::6c6c:29fd:aaea:ddd0\",\"fe80::ce81:b1c:bd2c:69e\",\"::1\",\"fe80::1\"],\"name\":\"utun5\",\"physical\":\"00-01-02-03-04-05\"},{\"id\":\"2139357156401579711\",\"inet\":[\"172.20.14.160\"],\"inet6\":[\"fe80::148f:e31e:e780:dcf5\"],\"name\":\"Wi-Fi\",\"physical\":\"00-01-02-03-04-05\"}],\"operationalState\":\"na\",\"rebootRequired\":false,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2023-07-05T10:48:43.160438Z\",\"scanStartedAt\":\"2023-07-04T11:28:32.292630Z\",\"scanStatus\":\"finished\",\"siteId\":
\"REDACTED\",\"siteName\":\"REDACTED\",\"storageName\":null,\"storageType\":null,\"userActionsNeeded\":[]},\"containerInfo\":{\"id\":null,\"image\":null,\"isContainerQuarantine\":null,\"labels\":null,\"name\":null},\"ecsInfo\":{\"clusterName\":null,\"serviceArn\":null,\"serviceName\":null,\"taskArn\":null,\"taskAvailabilityZone\":null,\"taskDefinitionArn\":null,\"taskDefinitionFamily\":null,\"taskDefinitionRevision\":null,\"type\":null,\"version\":null},\"id\":\"2120407777501474123\",\"indicators\":[{\"category\":\"Abnormalities\",\"description\":\"The Entry point for this binary is an RWX section. It might contain self-modifying code\",\"ids\":[32],\"tactics\":[]},{\"category\":\"Hiding/Stealthiness\",\"description\":\"The majority of sections in this PE have high entropy, a sign of obfuscation or packing\",\"ids\":[29],\"tactics\":[]},{\"category\":\"Abnormalities\",\"description\":\"This binary has an RWX section. It might contain self-modifying code\",\"ids\":[33],\"tactics\":[]},{\"category\":\"Abnormalities\",\"description\":\"This binary has non-English version info\",\"ids\":[15],\"tactics\":[]},{\"category\":\"Hiding/Stealthiness\",\"description\":\"This binary may contain encrypted or compressed data as measured by high entropy of the sections (greater than 
6.8)\",\"ids\":[12],\"tactics\":[]}],\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"isContainerQuarantine\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"nodeLabels\":null,\"pod\":null,\"podLabels\":null},\"mitigationStatus\":[{\"action\":\"remediate\",\"actionsCounters\":null,\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2025-01-04T14:31:44.940669Z\",\"latestReport\":null,\"mitigationEndedAt\":\"2025-01-04T14:31:44.932389Z\",\"mitigationStartedAt\":\"2025-01-04T14:31:44.932387Z\",\"reportId\":\"REDACTED\",\"status\":\"success\"},{\"action\":\"quarantine\",\"actionsCounters\":{\"failed\":0,\"notFound\":0,\"pendingReboot\":0,\"success\":1,\"total\":1},\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2025-01-04T14:31:44.890256Z\",\"latestReport\":\"/threats/mitigation-report/REDACTED\",\"mitigationEndedAt\":\"2025-01-04T14:31:44.890266Z\",\"mitigationStartedAt\":\"2025-01-04T14:31:44.890269Z\",\"reportId\":\"REDACTED\",\"status\":\"success\"},{\"action\":\"kill\",\"actionsCounters\":null,\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2025-01-04T14:31:44.812073Z\",\"latestReport\":null,\"mitigationEndedAt\":\"2025-01-04T14:31:44.779654Z\",\"mitigationStartedAt\":\"2025-01-04T14:31:44.779653Z\",\"reportId\":\"REDACTED\",\"status\":\"success\"}],\"threatInfo\":{\"analystVerdict\":\"undefined\",\"analystVerdictDescription\":\"Undefined\",\"automaticallyResolved\":false,\"browserType\":null,\"certificateId\":null,\"classification\":\"Malware\",\"classificationSource\":\"Static\",\"cloudFilesHashVerdict\":null,\"collectionId\":\"REDACTED\",\"confidenceLevel\":\"malicious\",\"createdAt\":\"2025-01-04T14:31:44.711820Z\",\"detectionEngines\":[{\"key\":\"pre_execution_suspicious\",\"title\":\"On-Write Static AI - Suspicious\"}],\"detectionType\":\"static\",\"engines\":[\"On-Write DFI - 
Suspicious\"],\"externalTicketExists\":false,\"externalTicketId\":null,\"failedActions\":false,\"fileExtension\":null,\"fileExtensionType\":null,\"filePath\":\"/Users/REDACTED/Downloads/uc232a_windows_setup_v1.0.084/UC232A_Windows_Setup.exe\",\"fileSize\":0,\"fileVerificationType\":null,\"identifiedAt\":\"2025-01-04T14:31:43Z\",\"incidentStatus\":\"unresolved\",\"incidentStatusDescription\":\"Unresolved\",\"initiatedBy\":\"agent_policy\",\"initiatedByDescription\":\"Agent Policy\",\"initiatingUserId\":null,\"initiatingUsername\":null,\"isFileless\":false,\"isValidCertificate\":false,\"macroModules\":null,\"maliciousProcessArguments\":null,\"md5\":null,\"mitigatedPreemptively\":false,\"mitigationStatus\":\"mitigated\",\"mitigationStatusDescription\":\"Mitigated\",\"originatorProcess\":\"ArchiveService\",\"pendingActions\":false,\"processUser\":\"root\",\"publisherName\":null,\"reachedEventsLimit\":null,\"rebootRequired\":false,\"rootProcessUpn\":null,\"sha1\":\"fb212d2614de0275fc350b6c8d057525190ea8d8\",\"sha256\":\"49280a15191065129e434f96444b29af83aa54d85fb6912030c62ab7ad2e4440\",\"storyline\":\"BD777E0B-65E9-470E-B0E0-4390C99951DF\",\"threatId\":\"REDACTED\",\"threatName\":\"UC232A_Windows_Setup.exe\",\"updatedAt\":\"2025-01-04T14:31:44.938250Z\"},\"whiteningOptions\":[\"hash\",\"path\"]}", "type": [ "info" ] @@ -1954,6 +1954,7 @@ } }, "user": { + "domain": "TESTDOMAIN", "name": "user" } }, diff --git a/packages/sentinel_one/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/data_stream/threat/elasticsearch/ingest_pipeline/default.yml index 1d71d1f97dc..9fed5c21b2c 100644 --- a/packages/sentinel_one/data_stream/threat/elasticsearch/ingest_pipeline/default.yml +++ b/packages/sentinel_one/data_stream/threat/elasticsearch/ingest_pipeline/default.yml 
@@ -184,6 +184,11 @@ processors: field: user.name copy_from: json.threatInfo.processUser ignore_empty_value: true + - dissect: + field: user.name + pattern: '%{user.domain}\%{user.name}' + if: ctx.user?.name?.contains('\\') == true + description: "Split user and domain" - append: field: related.user value: '{{{user.name}}}' diff --git a/packages/sentinel_one/data_stream/threat_event/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/data_stream/threat_event/elasticsearch/ingest_pipeline/default.yml index 5a21ef38c50..027f06071b5 100644 --- a/packages/sentinel_one/data_stream/threat_event/elasticsearch/ingest_pipeline/default.yml +++ b/packages/sentinel_one/data_stream/threat_event/elasticsearch/ingest_pipeline/default.yml @@ -773,6 +773,11 @@ processors: tag: set_user_name copy_from: sentinel_one.threat_event.user ignore_empty_value: true + - dissect: + field: user.name + pattern: '%{user.domain}\%{user.name}' + if: ctx.user?.name?.contains('\\') == true + description: "Split user and domain" - append: field: related.user tag: append_user_name_into_related_user diff --git a/packages/sentinel_one/manifest.yml b/packages/sentinel_one/manifest.yml index 9643c6ab7c2..962fb89d053 100644 --- a/packages/sentinel_one/manifest.yml +++ b/packages/sentinel_one/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.4.0" name: sentinel_one title: SentinelOne -version: "2.0.0" +version: "2.0.1" description: Collect logs from SentinelOne with Elastic Agent. type: integration categories:
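Review bot: The dissect pattern `%{user.domain}\%{user.name}` added to the threat pipeline (and the identical processor in the threat_event hunk that follows) splits at the first backslash only and carries no `ignore_failure`/`on_failure`. A value such as `DOMAIN\` or `\user` therefore yields an empty key on one side; whether Elasticsearch's dissect accepts an empty value or fails the document should be confirmed, and if it fails, the error propagates to the whole pipeline unless a pipeline-level handler exists outside this hunk. A doubled separator is also passed through unchanged: the fixture's `"processUser":"domain.local\\\\username"` (visible in this diff's test log) decodes to two backslashes, which this pattern would split into `user.domain: domain.local` and `user.name: \username`, so it is worth confirming against the expected output whether that path is exercised. Tightening the guard to `if: ctx.user?.name instanceof String && ctx.user.name.indexOf('\\') > 0 && ctx.user.name.indexOf('\\') < ctx.user.name.length() - 1` skips the leading/trailing cases, and `ignore_failure: true` keeps a non-matching value from dropping the event while leaving the unsplit name in place.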
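Review bot: The new dissect processor in the threat_event pipeline has no `tag:`, while its neighbours in the hunk do (`tag: set_user_name`, `tag: append_user_name_into_related_user`), so a failure in this step would presumably be reported without the tag the rest of this pipeline uses to identify the failing processor. Adding one in the same naming style, e.g. `tag: dissect_user_domain`, keeps the pipeline consistent; the existing `description: "Split user and domain"` can stay alongside it.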