Sentinel One: layout improvements to inputs section

Currently when users configure Sentinel One integration, 2 options are presented to the users:

- Collect SentinelOne logs via API (CEL)
  - 2 data streams supported by CEL input: `application` and `application_risk` (More to be added here).
- Collect SentinelOne logs via API (HTTP JSON)
  - 5 data streams supported by HTTPJSON input: `activity`, `agent`, `alert`, `group`, and `threat`.


<img width="670" height="679" alt="Image" src="https://github.com/user-attachments/assets/acecc46c-86ec-491b-abb4-8bc8e36ade83" />


While the options are intuitive to some users who are aware of CEL and HTTPJSON inputs, users who do not know about them or the reason why both exist, will face significant challenge to choose the right option. Also the current options do not mention CEL and HTTPJSON as `input` which makes it harder even for users who are familiar with beats ecosystem to understand. 
Hence this layout could be modified to improve the user experience.

Some ideas for improvement:

1. Update title to use the word `input`. This makes it slightly clear for users familiar with beats. However uncertainty could still exist.

    <img width="667" height="269" alt="Image" src="https://github.com/user-attachments/assets/fb140bda-020f-4f65-99dc-35fcba3abd7f" />
    
2. Change the input title to add data stream names and removed the words `CEL` and `HTTPJSON`.

    <img width="667" height="269" alt="Image" src="https://github.com/user-attachments/assets/4be32e8d-4c8f-466c-bcd1-7fd95663ec13" />






Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Sentinel One: layout improvements to inputs section #15724

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Sentinel One: layout improvements to inputs section #15724

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions