diff --git a/packages/sentinel_one_cloud_funnel/changelog.yml b/packages/sentinel_one_cloud_funnel/changelog.yml
index b55f0be1142..5e9cb19adfd 100644
--- a/packages/sentinel_one_cloud_funnel/changelog.yml
+++ b/packages/sentinel_one_cloud_funnel/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.8.1"
+  changes:
+    - description: Fix missing event.action in network events.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/12285
 - version: "1.8.0"
   changes:
     - description: Add support for Access Point ARN when collecting logs via the AWS S3 Bucket.
diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-network-action.log-expected.json b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-network-action.log-expected.json
index 24fa9194512..878bfd5fcae 100644
--- a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-network-action.log-expected.json
+++ b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-network-action.log-expected.json
@@ -11,6 +11,9 @@
                 "version": "8.11.0"
             },
             "event": {
+                "action": [
+                    "connection_attempted"
+                ],
                 "category": [
                     "network"
                 ],
diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-network-action.yml b/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-network-action.yml
index 7d597eb2cf6..59a75a854ba 100644
--- a/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-network-action.yml
+++ b/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-network-action.yml
@@ -12,12 +12,12 @@ processors:
       field: event.action
       value: [connection_attempted]
       if: (ctx.sentinel_one_cloud_funnel?.event?.type == 'IPConnect' || ctx.sentinel_one_cloud_funnel?.event?.type == 'IP Connect') &&
-          ctx.sentinel_one_cloud_funnel?.event?.network?.direction == "OUTGOING"
+          ctx.json.event?.network?.direction == "OUTGOING"
   - set:
       field: event.action
       value: [connection_accepted]
       if: (ctx.sentinel_one_cloud_funnel?.event?.type == 'IPConnect' || ctx.sentinel_one_cloud_funnel?.event?.type == 'IP Connect') &&
-          ctx.sentinel_one_cloud_funnel?.event?.network?.direction == "INCOMING"
+          ctx.json.event?.network?.direction == "INCOMING"
   - rename:
       field: json.k8sCluster.containerId
       target_field: sentinel_one_cloud_funnel.event.k8s_cluster.container.id
diff --git a/packages/sentinel_one_cloud_funnel/manifest.yml b/packages/sentinel_one_cloud_funnel/manifest.yml
index cbe4f6e2cd3..b61a0daa552 100644
--- a/packages/sentinel_one_cloud_funnel/manifest.yml
+++ b/packages/sentinel_one_cloud_funnel/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: sentinel_one_cloud_funnel
 title: SentinelOne Cloud Funnel
-version: "1.8.0"
+version: "1.8.1"
 description: Collect logs from SentinelOne Cloud Funnel with Elastic Agent.
 type: integration
 categories: ["security", "edr_xdr"]