
SentinelOneNewProcess

ID: 100023

Description:

New Process

Repository:

Group: SentinelOne

Type: event

Default Status:

Disabled

Tags:
 

Selector:

Query:

Filters:

| Field | MUST hit |
| :--- | :--- |
| @event_type | @sentinelone |
| @sentinelone.type | ProcessCreation |

| Field | MUST NOT hit |
| :--- | :--- |

Behavior Rule:

| Key | Type | Behavior Category |
| :--- | :--- | :--- |
| @sentinelone.uuid | SentinelOne.AgentID | |

Risks:

| Risks | Base Score | Dimension |
| :--- | :--- | :--- |

Attributes:

| Alias | Key |
| :--- | :--- |
| ComputerName | @sentinelone.agent.computerName |
| AgentID | @sentinelone.uuid |
| ParentProcess | @sentinelone.data.parent.name |
| ParentCommand | @sentinelone.data.parent.commandLine |
| Command | @sentinelone.data.process.commandLine |
| Process | @sentinelone.data.process.name |
| Username | @sentinelone.agent.lastLoggedInUserName |

Correlation Rules:

First Occurrence:

| Name | Window | Fields | Risks |
| :--- | :--- | :--- | :--- |
| NewProcess | 10 days | @sentinelone.data.process.name | ML_NEW_APP |
| NewParentProcess | 10 days | @sentinelone.data.parent.name | ML_NEW_APP |

History:

| User | Date |
| :--- | :--- |
| — | — |

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)