
SentinelOne_Device_Blocked

ID: 100269

Description:

SentinelOne has blocked a device

Repository:

Group: SentinelOne

Type: event

Default Status:

Enabled

Tags:

SentinelOne

Selector:

Query:

Filters:

Field                                        MUST hit
@sentinelone.endpointDeviceControlEventType  blocked
@sentinelone.cat                             EndpointDeviceControlEvent

Field                                        MUST NOT hit
(none)

Behavior Rule:

Key                           Type      Behavior  Category
@sentinelone.sourceUserName   username  security  alert

Risks:

Risks         Base Score  Dimension
ALERT_POLICY  200         alert

Attributes:

Alias                    Key
Category                 @sentinelone.cat
OS                       @sentinelone.sourceOsType
Hostname                 @sentinelone.sourceHostName
AgentID                  @sentinelone.sourceAgentUuid
Description              @sentinelone.eventDesc
EventID                  @sentinelone.eventID
ID                       @sentinelone.sourceAgentId
DeviceControlInterface   @sentinelone.endpointDeviceControlInterface
DeviceControlDeviceName  @sentinelone.endpointDeviceControlDeviceName
Username                 @sentinelone.sourceUserName

Correlation Rules:

First Occurrence:

Name        Window   Fields                        Risks
NewAgent    10 days  @sentinelone.sourceAgentUuid  ML_NEW_ASSET
NewEventID  10 days  @sentinelone.eventID          ML_NEW_ALERT

History:

User                       Date
em*n@fluencysecurity.com   2021 Jun 9 15:30:00 EDT
em*n@fluencysecurity.com   2021 Jun 9 15:30:22 EDT
em*n@fluencysecurity.com   2021 Jun 9 15:47:56 EDT

This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)