SentinelOneNewProcess
ID: 100023
Description:
New Process
Repository: Group: SentinelOne Type: event
Default Status:
Disabled
| Tags: |
|---|
Selector:
Query:
Filters:
| Field | MUST hit |
|---|---|
| @event_type | @sentinelone |
| @sentinelone.type | ProcessCreation |
| Field | MUST NOT hit |
|---|---|
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| @sentinelone.uuid | SentinelOne.AgentID |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
Attributes:
| Alias | Key |
|---|---|
| ComputerName | @sentinelone.agent.computerName |
| AgentID | @sentinelone.uuid |
| ParentProcess | @sentinelone.data.parent.name |
| ParentCommand | @sentinelone.data.parent.commandLine |
| Command | @sentinelone.data.process.commandLine |
| Process | @sentinelone.data.process.name |
| Username | @sentinelone.agent.lastLoggedInUserName |
Correlation Rules:
First Occurrence:
| Name | Window | Fields |
|---|---|---|
| NewProcess | 10 days | @sentinelone.data.process.name |
| Risks: | ML_NEW_APP | |
| NewParentProcess | 10 days | @sentinelone.data.parent.name |
| Risks: | ML_NEW_APP |
History:
| User | Date | | :— | :— | | — | — |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)