Link Search Menu Expand Document

SentinelOneQuarantineOK

ID: 100070

Description:

SentinelOne Mitigation:Quarantine performed successfully

Repository: Fluency Group: SentinelOne Type: event

Default Status:

Enabled

Tags:
SentinelOne
 

Selector:

Query:

Filters:

Field MUST hit
@event_type @sentinelone
@parser SentinelOneEventParser
@sentinelone.cat MITIGATION
@sentinelone.eventID 2004
Field MUST NOT hit
   

Behavior Rule:

Key Type Behavior Category
@sentinelone.sourceAgentUuid SentinelOne.AgentID security alert

Risks:

Risks Base Score Dimension
ALERT_END_POINT 800 alert
ALERT_HIGH_CONFIDENCE 2000 alert

Attributes:

Alias Key
Category @sentinelone.cat
OS @sentinelone.sourceOsType
Hostname @sentinelone.sourceHostName
AgentID @sentinelone.sourceAgentUuid
Description @sentinelone.eventDesc
FilePath @sentinelone.filePath
EventID @sentinelone.eventID
FileHash @sentinelone.fileHash
ThreatID @sentinelone.threatID
CommandLineArguments @sentinelone.threatCommandLineArguments
ID @sentinelone.sourceAgentId
MitigationStatus @sentinelone.threatMitigationStatus
Customer @sentinelone.siteName

Correlation Rules:

First Occurrence:

Name Window Fields
NewAgent 10 days @sentinelone.sourceAgentUuid
  Risks: ML_NEW_ASSET
NewEventID 10 days @sentinelone.eventID
  Risks: ML_NEW_ALERT

History:

User Date
ho*d@fluencysecurity.com 2021 Jan 31 19:57:33 EST
em*n@fluencysecurity.com 2021 Feb 24 14:16:57 EST
ho*d@fluencysecurity.com 2021 Jun 30 22:34:22 EDT
ho*d@fluencysecurity.com 2021 Jul 2 22:24:41 EDT

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)