
SentinelOneManagement

ID: 100072

Description:

SentinelOne THREATMANAGEMENT event

Repository:

Group: SentinelOne
Type: event

Default Status:

Enabled

Tags:
SentinelOne

Selector:

Query:

Filters:

Field               MUST hit
@event_type         @sentinelone
@parser             SentinelOneEventParser
@sentinelone.cat    THREATMANAGEMENT

Field               MUST NOT hit

Behavior Rule:

Key                              Type                  Behavior Category
@sentinelone.sourceAgentUuid     SentinelOne.AgentID   security alert

Risks:

Risks      Base Score   Dimension
Timeline   0            -

Attributes:

Alias              Key
Category           @sentinelone.cat
OsType             @sentinelone.sourceOsType
ComputerName       @sentinelone.sourceHostName
AgentID            @sentinelone.sourceAgentUuid
Description        @sentinelone.eventDesc
FilePath           @sentinelone.filePath
EventID            @sentinelone.eventID
FileHash           @sentinelone.fileHash
ThreatID           @sentinelone.threatID
ID                 @sentinelone.sourceAgentId
MitigationStatus   @sentinelone.threatMitigationStatus
SiteName           @sentinelone.siteName
GroupName          @sentinelone.sourceGroupName
DomainName         @sentinelone.sourceDnsDomain
UserName           @sentinelone.sourceUserName
Classification     @sentinelone.threatClassification

Correlation Rules:

First Occurrence:

Name         Window    Fields                          Risks
NewAgent     10 days   @sentinelone.sourceAgentUuid    ML_NEW_ASSET
NewEventID   10 days   @sentinelone.eventID            ML_NEW_ALERT

History:

User                          Date
ho*d@fluencysecurity.com      2021 Jan 31 19:56:24 EST
em*n@fluencysecurity.com      2021 Feb 24 14:17:51 EST
em*n@fluencysecurity.com      2021 Feb 26 10:01:45 EST

This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)