
SentinelOneManagement

ID: 100072

Description:

SentinelOne THREATMANAGEMENT event

Repository:

Group: SentinelOne
Type: event

Default Status:

Enabled

Tags:

SentinelOne

Selector:

Query:

Filters:

| Field | MUST hit |
|---|---|
| @event_type | @sentinelone |
| @parser | SentinelOneEventParser |
| @sentinelone.cat | THREATMANAGEMENT |

| Field | MUST NOT hit |
|---|---|

Behavior Rule:

| Key | Type | Behavior | Category |
|---|---|---|---|
| @sentinelone.sourceAgentUuid | SentinelOne.AgentID | security | alert |

Risks:

| Risks | Base Score | Dimension |
|---|---|---|
| Timeline | 0 | - |

Attributes:

| Alias | Key |
|---|---|
| Category | @sentinelone.cat |
| OsType | @sentinelone.sourceOsType |
| ComputerName | @sentinelone.sourceHostName |
| AgentID | @sentinelone.sourceAgentUuid |
| Description | @sentinelone.eventDesc |
| FilePath | @sentinelone.filePath |
| EventID | @sentinelone.eventID |
| FileHash | @sentinelone.fileHash |
| ThreatID | @sentinelone.threatID |
| ID | @sentinelone.sourceAgentId |
| MitigationStatus | @sentinelone.threatMitigationStatus |
| SiteName | @sentinelone.siteName |
| GroupName | @sentinelone.sourceGroupName |
| DomainName | @sentinelone.sourceDnsDomain |
| UserName | @sentinelone.sourceUserName |
| Classification | @sentinelone.threatClassification |

Correlation Rules:

First Occurrence:

| Name | Window | Fields | Risks |
|---|---|---|---|
| NewAgent | 10 days | @sentinelone.sourceAgentUuid | ML_NEW_ASSET |
| NewEventID | 10 days | @sentinelone.eventID | ML_NEW_ALERT |

History:

| User | Date |
|---|---|
| ho*d@fluencysecurity.com | 2021 Jan 31 19:56:24 EST |
| em*n@fluencysecurity.com | 2021 Feb 24 14:17:51 EST |
| em*n@fluencysecurity.com | 2021 Feb 26 10:01:45 EST |

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)