SentinelOneQuarantineOK
ID: 100070
Description:
SentinelOne Mitigation:Quarantine performed successfully
Repository: Fluency Group: SentinelOne Type: event
Default Status:
Enabled
| Tags: |
|---|
| SentinelOne |
Selector:
Query:
Filters:
| Field | MUST hit |
|---|---|
| @event_type | @sentinelone |
| @parser | SentinelOneEventParser |
| @sentinelone.cat | MITIGATION |
| @sentinelone.eventID | 2004 |
| Field | MUST NOT hit |
|---|---|
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| @sentinelone.sourceAgentUuid | SentinelOne.AgentID | security alert |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
| ALERT_END_POINT | 800 | alert |
| ALERT_HIGH_CONFIDENCE | 2000 | alert |
Attributes:
| Alias | Key |
|---|---|
| Category | @sentinelone.cat |
| OS | @sentinelone.sourceOsType |
| Hostname | @sentinelone.sourceHostName |
| AgentID | @sentinelone.sourceAgentUuid |
| Description | @sentinelone.eventDesc |
| FilePath | @sentinelone.filePath |
| EventID | @sentinelone.eventID |
| FileHash | @sentinelone.fileHash |
| ThreatID | @sentinelone.threatID |
| CommandLineArguments | @sentinelone.threatCommandLineArguments |
| ID | @sentinelone.sourceAgentId |
| MitigationStatus | @sentinelone.threatMitigationStatus |
| Customer | @sentinelone.siteName |
Correlation Rules:
First Occurrence:
| Name | Window | Fields |
|---|---|---|
| NewAgent | 10 days | @sentinelone.sourceAgentUuid |
| Risks: | ML_NEW_ASSET | |
| NewEventID | 10 days | @sentinelone.eventID |
| Risks: | ML_NEW_ALERT |
History:
| User | Date |
|---|---|
| ho*d@fluencysecurity.com | 2021 Jan 31 19:57:33 EST |
| em*n@fluencysecurity.com | 2021 Feb 24 14:16:57 EST |
| ho*d@fluencysecurity.com | 2021 Jun 30 22:34:22 EDT |
| ho*d@fluencysecurity.com | 2021 Jul 2 22:24:41 EDT |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)