cribl-control-plane 0.0.13__py3-none-any.whl

cribl_control_plane/models/outputsentineloneaisiem.py

@@ -0,0 +1,505 @@
+"""Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT."""
+
+from __future__ import annotations
+from cribl_control_plane import utils
+from cribl_control_plane.types import BaseModel
+from cribl_control_plane.utils import validate_open_enum
+from enum import Enum
+import pydantic
+from pydantic.functional_validators import PlainValidator
+from typing import List, Optional
+from typing_extensions import Annotated, NotRequired, TypedDict
+
+
+class OutputSentinelOneAiSiemType(str, Enum, metaclass=utils.OpenEnumMeta):
+    SENTINEL_ONE_AI_SIEM = "sentinel_one_ai_siem"
+
+
+class OutputSentinelOneAiSiemRegion(str, Enum, metaclass=utils.OpenEnumMeta):
+    r"""The SentinelOne region to send events to. In most cases you can find the region by either looking at your SentinelOne URL or knowing what geographic region your SentinelOne instance is contained in."""
+
+    US = "US"
+    CA = "CA"
+    EMEA = "EMEA"
+    AP = "AP"
+    APS = "APS"
+    AU = "AU"
+    CUSTOM = "Custom"
+
+
+class AISIEMEndpointPath(str, Enum, metaclass=utils.OpenEnumMeta):
+    r"""Regional endpoint used to send events to, such as /services/collector/event or /services/collector/raw"""
+
+    ROOT_SERVICES_COLLECTOR_EVENT = "/services/collector/event"
+    ROOT_SERVICES_COLLECTOR_RAW = "/services/collector/raw"
+
+
+class OutputSentinelOneAiSiemExtraHTTPHeaderTypedDict(TypedDict):
+    value: str
+    name: NotRequired[str]
+
+
+class OutputSentinelOneAiSiemExtraHTTPHeader(BaseModel):
+    value: str
+
+    name: Optional[str] = None
+
+
+class OutputSentinelOneAiSiemFailedRequestLoggingMode(
+    str, Enum, metaclass=utils.OpenEnumMeta
+):
+    r"""Data to log when a request fails. All headers are redacted by default, unless listed as safe headers below."""
+
+    PAYLOAD = "payload"
+    PAYLOAD_AND_HEADERS = "payloadAndHeaders"
+    NONE = "none"
+
+
+class OutputSentinelOneAiSiemAuthenticationMethod(
+    str, Enum, metaclass=utils.OpenEnumMeta
+):
+    r"""Select Manual to enter an auth token directly, or select Secret to use a text secret to authenticate"""
+
+    MANUAL = "manual"
+    SECRET = "secret"
+
+
+class OutputSentinelOneAiSiemResponseRetrySettingTypedDict(TypedDict):
+    http_status: float
+    r"""The HTTP response status code that will trigger retries"""
+    initial_backoff: NotRequired[float]
+    r"""How long, in milliseconds, Cribl Stream should wait before initiating backoff. Maximum interval is 600,000 ms (10 minutes)."""
+    backoff_rate: NotRequired[float]
+    r"""Base for exponential backoff. A value of 2 (default) means Cribl Stream will retry after 2 seconds, then 4 seconds, then 8 seconds, etc."""
+    max_backoff: NotRequired[float]
+    r"""The maximum backoff interval, in milliseconds, Cribl Stream should apply. Default (and minimum) is 10,000 ms (10 seconds); maximum is 180,000 ms (180 seconds)."""
+
+
+class OutputSentinelOneAiSiemResponseRetrySetting(BaseModel):
+    http_status: Annotated[float, pydantic.Field(alias="httpStatus")]
+    r"""The HTTP response status code that will trigger retries"""
+
+    initial_backoff: Annotated[
+        Optional[float], pydantic.Field(alias="initialBackoff")
+    ] = 1000
+    r"""How long, in milliseconds, Cribl Stream should wait before initiating backoff. Maximum interval is 600,000 ms (10 minutes)."""
+
+    backoff_rate: Annotated[Optional[float], pydantic.Field(alias="backoffRate")] = 2
+    r"""Base for exponential backoff. A value of 2 (default) means Cribl Stream will retry after 2 seconds, then 4 seconds, then 8 seconds, etc."""
+
+    max_backoff: Annotated[Optional[float], pydantic.Field(alias="maxBackoff")] = 10000
+    r"""The maximum backoff interval, in milliseconds, Cribl Stream should apply. Default (and minimum) is 10,000 ms (10 seconds); maximum is 180,000 ms (180 seconds)."""
+
+
+class OutputSentinelOneAiSiemTimeoutRetrySettingsTypedDict(TypedDict):
+    timeout_retry: NotRequired[bool]
+    initial_backoff: NotRequired[float]
+    r"""How long, in milliseconds, Cribl Stream should wait before initiating backoff. Maximum interval is 600,000 ms (10 minutes)."""
+    backoff_rate: NotRequired[float]
+    r"""Base for exponential backoff. A value of 2 (default) means Cribl Stream will retry after 2 seconds, then 4 seconds, then 8 seconds, etc."""
+    max_backoff: NotRequired[float]
+    r"""The maximum backoff interval, in milliseconds, Cribl Stream should apply. Default (and minimum) is 10,000 ms (10 seconds); maximum is 180,000 ms (180 seconds)."""
+
+
+class OutputSentinelOneAiSiemTimeoutRetrySettings(BaseModel):
+    timeout_retry: Annotated[Optional[bool], pydantic.Field(alias="timeoutRetry")] = (
+        False
+    )
+
+    initial_backoff: Annotated[
+        Optional[float], pydantic.Field(alias="initialBackoff")
+    ] = 1000
+    r"""How long, in milliseconds, Cribl Stream should wait before initiating backoff. Maximum interval is 600,000 ms (10 minutes)."""
+
+    backoff_rate: Annotated[Optional[float], pydantic.Field(alias="backoffRate")] = 2
+    r"""Base for exponential backoff. A value of 2 (default) means Cribl Stream will retry after 2 seconds, then 4 seconds, then 8 seconds, etc."""
+
+    max_backoff: Annotated[Optional[float], pydantic.Field(alias="maxBackoff")] = 10000
+    r"""The maximum backoff interval, in milliseconds, Cribl Stream should apply. Default (and minimum) is 10,000 ms (10 seconds); maximum is 180,000 ms (180 seconds)."""
+
+
+class OutputSentinelOneAiSiemBackpressureBehavior(
+    str, Enum, metaclass=utils.OpenEnumMeta
+):
+    r"""How to handle events when all receivers are exerting backpressure"""
+
+    BLOCK = "block"
+    DROP = "drop"
+    QUEUE = "queue"
+
+
+class OutputSentinelOneAiSiemCompression(str, Enum, metaclass=utils.OpenEnumMeta):
+    r"""Codec to use to compress the persisted data"""
+
+    NONE = "none"
+    GZIP = "gzip"
+
+
+class OutputSentinelOneAiSiemQueueFullBehavior(str, Enum, metaclass=utils.OpenEnumMeta):
+    r"""How to handle events when the queue is exerting backpressure (full capacity or low disk). 'Block' is the same behavior as non-PQ blocking. 'Drop new data' throws away incoming data, while leaving the contents of the PQ unchanged."""
+
+    BLOCK = "block"
+    DROP = "drop"
+
+
+class OutputSentinelOneAiSiemMode(str, Enum, metaclass=utils.OpenEnumMeta):
+    r"""In Error mode, PQ writes events to the filesystem if the Destination is unavailable. In Backpressure mode, PQ writes events to the filesystem when it detects backpressure from the Destination. In Always On mode, PQ always writes events to the filesystem."""
+
+    ERROR = "error"
+    BACKPRESSURE = "backpressure"
+    ALWAYS = "always"
+
+
+class OutputSentinelOneAiSiemPqControlsTypedDict(TypedDict):
+    pass
+
+
+class OutputSentinelOneAiSiemPqControls(BaseModel):
+    pass
+
+
+class OutputSentinelOneAiSiemTypedDict(TypedDict):
+    id: NotRequired[str]
+    r"""Unique ID for this output"""
+    type: NotRequired[OutputSentinelOneAiSiemType]
+    pipeline: NotRequired[str]
+    r"""Pipeline to process data before sending out to this output"""
+    system_fields: NotRequired[List[str]]
+    r"""Fields to automatically add to events, such as cribl_pipe. Supports wildcards."""
+    environment: NotRequired[str]
+    r"""Optionally, enable this config only on a specified Git branch. If empty, will be enabled everywhere."""
+    streamtags: NotRequired[List[str]]
+    r"""Tags for filtering and grouping in @{product}"""
+    region: NotRequired[OutputSentinelOneAiSiemRegion]
+    r"""The SentinelOne region to send events to. In most cases you can find the region by either looking at your SentinelOne URL or knowing what geographic region your SentinelOne instance is contained in."""
+    endpoint: NotRequired[AISIEMEndpointPath]
+    r"""Regional endpoint used to send events to, such as /services/collector/event or /services/collector/raw"""
+    concurrency: NotRequired[float]
+    r"""Maximum number of ongoing requests before blocking"""
+    max_payload_size_kb: NotRequired[float]
+    r"""Maximum size, in KB, of the request body"""
+    max_payload_events: NotRequired[float]
+    r"""Maximum number of events to include in the request body. Default is 0 (unlimited)."""
+    compress: NotRequired[bool]
+    r"""Compress the payload body before sending"""
+    reject_unauthorized: NotRequired[bool]
+    r"""Reject certificates not authorized by a CA in the CA certificate path or by another trusted CA (such as the system's).
+    Enabled by default. When this setting is also present in TLS Settings (Client Side),
+    that value will take precedence.
+    """
+    timeout_sec: NotRequired[float]
+    r"""Amount of time, in seconds, to wait for a request to complete before canceling it"""
+    flush_period_sec: NotRequired[float]
+    r"""Maximum time between requests. Small values could cause the payload size to be smaller than the configured Body size limit."""
+    extra_http_headers: NotRequired[
+        List[OutputSentinelOneAiSiemExtraHTTPHeaderTypedDict]
+    ]
+    r"""Headers to add to all events"""
+    failed_request_logging_mode: NotRequired[
+        OutputSentinelOneAiSiemFailedRequestLoggingMode
+    ]
+    r"""Data to log when a request fails. All headers are redacted by default, unless listed as safe headers below."""
+    safe_headers: NotRequired[List[str]]
+    r"""List of headers that are safe to log in plain text"""
+    auth_type: NotRequired[OutputSentinelOneAiSiemAuthenticationMethod]
+    r"""Select Manual to enter an auth token directly, or select Secret to use a text secret to authenticate"""
+    response_retry_settings: NotRequired[
+        List[OutputSentinelOneAiSiemResponseRetrySettingTypedDict]
+    ]
+    r"""Automatically retry after unsuccessful response status codes, such as 429 (Too Many Requests) or 503 (Service Unavailable)"""
+    timeout_retry_settings: NotRequired[
+        OutputSentinelOneAiSiemTimeoutRetrySettingsTypedDict
+    ]
+    response_honor_retry_after_header: NotRequired[bool]
+    r"""Honor any Retry-After header that specifies a delay (in seconds) no longer than 180 seconds after the retry request. @{product} limits the delay to 180 seconds, even if the Retry-After header specifies a longer delay. When enabled, takes precedence over user-configured retry options. When disabled, all Retry-After headers are ignored."""
+    on_backpressure: NotRequired[OutputSentinelOneAiSiemBackpressureBehavior]
+    r"""How to handle events when all receivers are exerting backpressure"""
+    description: NotRequired[str]
+    token: NotRequired[str]
+    r"""In the SentinelOne Console select Policy & Settings then select the Singularity AI SIEM section, API Keys will be at the bottom. Under Log Access Keys select a Write token and copy it here"""
+    text_secret: NotRequired[str]
+    r"""Select or create a stored text secret"""
+    base_url: NotRequired[str]
+    r"""Base URL of the endpoint used to send events to, such as https://<Your-S1-Tenant>.sentinelone.net. Must begin with http:// or https://, can include a port number, and no trailing slashes. Matches pattern: ^https?://[a-zA-Z0-9.-]+(:[0-9]+)?$."""
+    host_expression: NotRequired[str]
+    r"""Define serverHost for events using a JavaScript expression. You must enclose text constants in quotes (such as, 'myServer')."""
+    source_expression: NotRequired[str]
+    r"""Define logFile for events using a JavaScript expression. You must enclose text constants in quotes (such as, 'myLogFile.txt')."""
+    source_type_expression: NotRequired[str]
+    r"""Define the parser for events using a JavaScript expression. This value helps parse data into AI SIEM. You must enclose text constants in quotes (such as, 'dottedJson'). For custom parsers, substitute 'dottedJson' with your parser's name."""
+    data_source_category_expression: NotRequired[str]
+    r"""Define the dataSource.category for events using a JavaScript expression. This value helps categorize data and helps enable extra features in SentinelOne AI SIEM. You must enclose text constants in quotes. The default value is 'security'."""
+    data_source_name_expression: NotRequired[str]
+    r"""Define the dataSource.name for events using a JavaScript expression. This value should reflect the type of data being inserted into AI SIEM. You must enclose text constants in quotes (such as, 'networkActivity' or 'authLogs')."""
+    data_source_vendor_expression: NotRequired[str]
+    r"""Define the dataSource.vendor for events using a JavaScript expression. This value should reflect the vendor of the data being inserted into AI SIEM. You must enclose text constants in quotes (such as, 'Cisco' or 'Microsoft')."""
+    event_type_expression: NotRequired[str]
+    r"""Optionally, define the event.type for events using a JavaScript expression. This value acts as a label, grouping events into meaningful categories. You must enclose text constants in quotes (such as, 'Process Creation' or 'Network Connection')."""
+    host: NotRequired[str]
+    r"""Define the serverHost for events using a JavaScript expression. This value will be passed to AI SIEM. You must enclose text constants in quotes (such as, 'myServerName')."""
+    source: NotRequired[str]
+    r"""Specify the logFile value to pass as a parameter to SentinelOne AI SIEM. Don't quote this value. The default is cribl."""
+    source_type: NotRequired[str]
+    r"""Specify the sourcetype parameter for SentinelOne AI SIEM, which determines the parser. Don't quote this value. For custom parsers, substitute hecRawParser with your parser's name. The default is hecRawParser."""
+    data_source_category: NotRequired[str]
+    r"""Specify the dataSource.category value to pass as a parameter to SentinelOne AI SIEM. This value helps categorize data and enables additional features. Don't quote this value. The default is security."""
+    data_source_name: NotRequired[str]
+    r"""Specify the dataSource.name value to pass as a parameter to AI SIEM. This value should reflect the type of data being inserted. Don't quote this value. The default is cribl."""
+    data_source_vendor: NotRequired[str]
+    r"""Specify the dataSource.vendorvalue to pass as a parameter to AI SIEM. This value should reflect the vendor of the data being inserted. Don't quote this value. The default is cribl."""
+    event_type: NotRequired[str]
+    r"""Specify the event.type value to pass as an optional parameter to AI SIEM. This value acts as a label, grouping events into meaningful categories like Process Creation, File Modification, or Network Connection. Don't quote this value. By default, this field is empty."""
+    pq_max_file_size: NotRequired[str]
+    r"""The maximum size to store in each queue file before closing and optionally compressing (KB, MB, etc.)"""
+    pq_max_size: NotRequired[str]
+    r"""The maximum disk space that the queue can consume (as an average per Worker Process) before queueing stops. Enter a numeral with units of KB, MB, etc."""
+    pq_path: NotRequired[str]
+    r"""The location for the persistent queue files. To this field's value, the system will append: /<worker-id>/<output-id>."""
+    pq_compress: NotRequired[OutputSentinelOneAiSiemCompression]
+    r"""Codec to use to compress the persisted data"""
+    pq_on_backpressure: NotRequired[OutputSentinelOneAiSiemQueueFullBehavior]
+    r"""How to handle events when the queue is exerting backpressure (full capacity or low disk). 'Block' is the same behavior as non-PQ blocking. 'Drop new data' throws away incoming data, while leaving the contents of the PQ unchanged."""
+    pq_mode: NotRequired[OutputSentinelOneAiSiemMode]
+    r"""In Error mode, PQ writes events to the filesystem if the Destination is unavailable. In Backpressure mode, PQ writes events to the filesystem when it detects backpressure from the Destination. In Always On mode, PQ always writes events to the filesystem."""
+    pq_controls: NotRequired[OutputSentinelOneAiSiemPqControlsTypedDict]
+
+
+class OutputSentinelOneAiSiem(BaseModel):
+    id: Optional[str] = None
+    r"""Unique ID for this output"""
+
+    type: Annotated[
+        Optional[OutputSentinelOneAiSiemType], PlainValidator(validate_open_enum(False))
+    ] = None
+
+    pipeline: Optional[str] = None
+    r"""Pipeline to process data before sending out to this output"""
+
+    system_fields: Annotated[
+        Optional[List[str]], pydantic.Field(alias="systemFields")
+    ] = None
+    r"""Fields to automatically add to events, such as cribl_pipe. Supports wildcards."""
+
+    environment: Optional[str] = None
+    r"""Optionally, enable this config only on a specified Git branch. If empty, will be enabled everywhere."""
+
+    streamtags: Optional[List[str]] = None
+    r"""Tags for filtering and grouping in @{product}"""
+
+    region: Annotated[
+        Optional[OutputSentinelOneAiSiemRegion],
+        PlainValidator(validate_open_enum(False)),
+    ] = OutputSentinelOneAiSiemRegion.US
+    r"""The SentinelOne region to send events to. In most cases you can find the region by either looking at your SentinelOne URL or knowing what geographic region your SentinelOne instance is contained in."""
+
+    endpoint: Annotated[
+        Optional[AISIEMEndpointPath], PlainValidator(validate_open_enum(False))
+    ] = AISIEMEndpointPath.ROOT_SERVICES_COLLECTOR_EVENT
+    r"""Regional endpoint used to send events to, such as /services/collector/event or /services/collector/raw"""
+
+    concurrency: Optional[float] = 5
+    r"""Maximum number of ongoing requests before blocking"""
+
+    max_payload_size_kb: Annotated[
+        Optional[float], pydantic.Field(alias="maxPayloadSizeKB")
+    ] = 5120
+    r"""Maximum size, in KB, of the request body"""
+
+    max_payload_events: Annotated[
+        Optional[float], pydantic.Field(alias="maxPayloadEvents")
+    ] = 0
+    r"""Maximum number of events to include in the request body. Default is 0 (unlimited)."""
+
+    compress: Optional[bool] = True
+    r"""Compress the payload body before sending"""
+
+    reject_unauthorized: Annotated[
+        Optional[bool], pydantic.Field(alias="rejectUnauthorized")
+    ] = True
+    r"""Reject certificates not authorized by a CA in the CA certificate path or by another trusted CA (such as the system's).
+    Enabled by default. When this setting is also present in TLS Settings (Client Side),
+    that value will take precedence.
+    """
+
+    timeout_sec: Annotated[Optional[float], pydantic.Field(alias="timeoutSec")] = 30
+    r"""Amount of time, in seconds, to wait for a request to complete before canceling it"""
+
+    flush_period_sec: Annotated[
+        Optional[float], pydantic.Field(alias="flushPeriodSec")
+    ] = 5
+    r"""Maximum time between requests. Small values could cause the payload size to be smaller than the configured Body size limit."""
+
+    extra_http_headers: Annotated[
+        Optional[List[OutputSentinelOneAiSiemExtraHTTPHeader]],
+        pydantic.Field(alias="extraHttpHeaders"),
+    ] = None
+    r"""Headers to add to all events"""
+
+    failed_request_logging_mode: Annotated[
+        Annotated[
+            Optional[OutputSentinelOneAiSiemFailedRequestLoggingMode],
+            PlainValidator(validate_open_enum(False)),
+        ],
+        pydantic.Field(alias="failedRequestLoggingMode"),
+    ] = OutputSentinelOneAiSiemFailedRequestLoggingMode.NONE
+    r"""Data to log when a request fails. All headers are redacted by default, unless listed as safe headers below."""
+
+    safe_headers: Annotated[
+        Optional[List[str]], pydantic.Field(alias="safeHeaders")
+    ] = None
+    r"""List of headers that are safe to log in plain text"""
+
+    auth_type: Annotated[
+        Annotated[
+            Optional[OutputSentinelOneAiSiemAuthenticationMethod],
+            PlainValidator(validate_open_enum(False)),
+        ],
+        pydantic.Field(alias="authType"),
+    ] = OutputSentinelOneAiSiemAuthenticationMethod.MANUAL
+    r"""Select Manual to enter an auth token directly, or select Secret to use a text secret to authenticate"""
+
+    response_retry_settings: Annotated[
+        Optional[List[OutputSentinelOneAiSiemResponseRetrySetting]],
+        pydantic.Field(alias="responseRetrySettings"),
+    ] = None
+    r"""Automatically retry after unsuccessful response status codes, such as 429 (Too Many Requests) or 503 (Service Unavailable)"""
+
+    timeout_retry_settings: Annotated[
+        Optional[OutputSentinelOneAiSiemTimeoutRetrySettings],
+        pydantic.Field(alias="timeoutRetrySettings"),
+    ] = None
+
+    response_honor_retry_after_header: Annotated[
+        Optional[bool], pydantic.Field(alias="responseHonorRetryAfterHeader")
+    ] = False
+    r"""Honor any Retry-After header that specifies a delay (in seconds) no longer than 180 seconds after the retry request. @{product} limits the delay to 180 seconds, even if the Retry-After header specifies a longer delay. When enabled, takes precedence over user-configured retry options. When disabled, all Retry-After headers are ignored."""
+
+    on_backpressure: Annotated[
+        Annotated[
+            Optional[OutputSentinelOneAiSiemBackpressureBehavior],
+            PlainValidator(validate_open_enum(False)),
+        ],
+        pydantic.Field(alias="onBackpressure"),
+    ] = OutputSentinelOneAiSiemBackpressureBehavior.BLOCK
+    r"""How to handle events when all receivers are exerting backpressure"""
+
+    description: Optional[str] = None
+
+    token: Optional[str] = None
+    r"""In the SentinelOne Console select Policy & Settings then select the Singularity AI SIEM section, API Keys will be at the bottom. Under Log Access Keys select a Write token and copy it here"""
+
+    text_secret: Annotated[Optional[str], pydantic.Field(alias="textSecret")] = None
+    r"""Select or create a stored text secret"""
+
+    base_url: Annotated[Optional[str], pydantic.Field(alias="baseUrl")] = (
+        "https://<Your-S1-Tenant>.sentinelone.net"
+    )
+    r"""Base URL of the endpoint used to send events to, such as https://<Your-S1-Tenant>.sentinelone.net. Must begin with http:// or https://, can include a port number, and no trailing slashes. Matches pattern: ^https?://[a-zA-Z0-9.-]+(:[0-9]+)?$."""
+
+    host_expression: Annotated[
+        Optional[str], pydantic.Field(alias="hostExpression")
+    ] = "__e.host || C.os.hostname()"
+    r"""Define serverHost for events using a JavaScript expression. You must enclose text constants in quotes (such as, 'myServer')."""
+
+    source_expression: Annotated[
+        Optional[str], pydantic.Field(alias="sourceExpression")
+    ] = "__e.source || (__e.__criblMetrics ? 'metrics' : 'cribl')"
+    r"""Define logFile for events using a JavaScript expression. You must enclose text constants in quotes (such as, 'myLogFile.txt')."""
+
+    source_type_expression: Annotated[
+        Optional[str], pydantic.Field(alias="sourceTypeExpression")
+    ] = "__e.sourcetype || 'dottedJson'"
+    r"""Define the parser for events using a JavaScript expression. This value helps parse data into AI SIEM. You must enclose text constants in quotes (such as, 'dottedJson'). For custom parsers, substitute 'dottedJson' with your parser's name."""
+
+    data_source_category_expression: Annotated[
+        Optional[str], pydantic.Field(alias="dataSourceCategoryExpression")
+    ] = "'security'"
+    r"""Define the dataSource.category for events using a JavaScript expression. This value helps categorize data and helps enable extra features in SentinelOne AI SIEM. You must enclose text constants in quotes. The default value is 'security'."""
+
+    data_source_name_expression: Annotated[
+        Optional[str], pydantic.Field(alias="dataSourceNameExpression")
+    ] = "__e.__dataSourceName || 'cribl'"
+    r"""Define the dataSource.name for events using a JavaScript expression. This value should reflect the type of data being inserted into AI SIEM. You must enclose text constants in quotes (such as, 'networkActivity' or 'authLogs')."""
+
+    data_source_vendor_expression: Annotated[
+        Optional[str], pydantic.Field(alias="dataSourceVendorExpression")
+    ] = "__e.__dataSourceVendor || 'cribl'"
+    r"""Define the dataSource.vendor for events using a JavaScript expression. This value should reflect the vendor of the data being inserted into AI SIEM. You must enclose text constants in quotes (such as, 'Cisco' or 'Microsoft')."""
+
+    event_type_expression: Annotated[
+        Optional[str], pydantic.Field(alias="eventTypeExpression")
+    ] = ""
+    r"""Optionally, define the event.type for events using a JavaScript expression. This value acts as a label, grouping events into meaningful categories. You must enclose text constants in quotes (such as, 'Process Creation' or 'Network Connection')."""
+
+    host: Optional[str] = "C.os.hostname()"
+    r"""Define the serverHost for events using a JavaScript expression. This value will be passed to AI SIEM. You must enclose text constants in quotes (such as, 'myServerName')."""
+
+    source: Optional[str] = "cribl"
+    r"""Specify the logFile value to pass as a parameter to SentinelOne AI SIEM. Don't quote this value. The default is cribl."""
+
+    source_type: Annotated[Optional[str], pydantic.Field(alias="sourceType")] = (
+        "hecRawParser"
+    )
+    r"""Specify the sourcetype parameter for SentinelOne AI SIEM, which determines the parser. Don't quote this value. For custom parsers, substitute hecRawParser with your parser's name. The default is hecRawParser."""
+
+    data_source_category: Annotated[
+        Optional[str], pydantic.Field(alias="dataSourceCategory")
+    ] = "security"
+    r"""Specify the dataSource.category value to pass as a parameter to SentinelOne AI SIEM. This value helps categorize data and enables additional features. Don't quote this value. The default is security."""
+
+    data_source_name: Annotated[
+        Optional[str], pydantic.Field(alias="dataSourceName")
+    ] = "cribl"
+    r"""Specify the dataSource.name value to pass as a parameter to AI SIEM. This value should reflect the type of data being inserted. Don't quote this value. The default is cribl."""
+
+    data_source_vendor: Annotated[
+        Optional[str], pydantic.Field(alias="dataSourceVendor")
+    ] = "cribl"
+    r"""Specify the dataSource.vendorvalue to pass as a parameter to AI SIEM. This value should reflect the vendor of the data being inserted. Don't quote this value. The default is cribl."""
+
+    event_type: Annotated[Optional[str], pydantic.Field(alias="eventType")] = ""
+    r"""Specify the event.type value to pass as an optional parameter to AI SIEM. This value acts as a label, grouping events into meaningful categories like Process Creation, File Modification, or Network Connection. Don't quote this value. By default, this field is empty."""
+
+    pq_max_file_size: Annotated[
+        Optional[str], pydantic.Field(alias="pqMaxFileSize")
+    ] = "1 MB"
+    r"""The maximum size to store in each queue file before closing and optionally compressing (KB, MB, etc.)"""
+
+    pq_max_size: Annotated[Optional[str], pydantic.Field(alias="pqMaxSize")] = "5GB"
+    r"""The maximum disk space that the queue can consume (as an average per Worker Process) before queueing stops. Enter a numeral with units of KB, MB, etc."""
+
+    pq_path: Annotated[Optional[str], pydantic.Field(alias="pqPath")] = (
+        "$CRIBL_HOME/state/queues"
+    )
+    r"""The location for the persistent queue files. To this field's value, the system will append: /<worker-id>/<output-id>."""
+
+    pq_compress: Annotated[
+        Annotated[
+            Optional[OutputSentinelOneAiSiemCompression],
+            PlainValidator(validate_open_enum(False)),
+        ],
+        pydantic.Field(alias="pqCompress"),
+    ] = OutputSentinelOneAiSiemCompression.NONE
+    r"""Codec to use to compress the persisted data"""
+
+    pq_on_backpressure: Annotated[
+        Annotated[
+            Optional[OutputSentinelOneAiSiemQueueFullBehavior],
+            PlainValidator(validate_open_enum(False)),
+        ],
+        pydantic.Field(alias="pqOnBackpressure"),
+    ] = OutputSentinelOneAiSiemQueueFullBehavior.BLOCK
+    r"""How to handle events when the queue is exerting backpressure (full capacity or low disk). 'Block' is the same behavior as non-PQ blocking. 'Drop new data' throws away incoming data, while leaving the contents of the PQ unchanged."""
+
+    pq_mode: Annotated[
+        Annotated[
+            Optional[OutputSentinelOneAiSiemMode],
+            PlainValidator(validate_open_enum(False)),
+        ],
+        pydantic.Field(alias="pqMode"),
+    ] = OutputSentinelOneAiSiemMode.ERROR
+    r"""In Error mode, PQ writes events to the filesystem if the Destination is unavailable. In Backpressure mode, PQ writes events to the filesystem when it detects backpressure from the Destination. In Always On mode, PQ always writes events to the filesystem."""
+
+    pq_controls: Annotated[
+        Optional[OutputSentinelOneAiSiemPqControls], pydantic.Field(alias="pqControls")
+    ] = None