
SentinelOneThreat

ID: 100068

Description:

SentinelOne Malware Threat

Repository:

Group: SentinelOne
Type: event

Default Status:

Enabled

Tags:

SentinelOne

Selector:

Query:

Filters:

Field MUST hit:

  Field              Value
  @event_type        @sentinelone
  @parser            SentinelOneEventParser
  @sentinelone.cat   MALWARE

Field MUST NOT hit:

  (none)

Behavior Rule:

Key                            Type                  Behavior Category
@sentinelone.sourceAgentUuid   SentinelOne.AgentID   security alert

Risks:

Risk                    Base Score   Dimension
ALERT_END_POINT         800          alert
ALERT_HIGH_CONFIDENCE   2000         alert

Attributes:

Alias                  Key
Category               @sentinelone.cat
OS                     @sentinelone.sourceOsType
Hostname               @sentinelone.sourceHostName
AgentID                @sentinelone.sourceAgentUuid
Description            @sentinelone.eventDesc
FilePath               @sentinelone.filePath
EventID                @sentinelone.eventID
FileHash               @sentinelone.fileHash
ThreatID               @sentinelone.threatID
CommandLineArguments   @sentinelone.threatCommandLineArguments
ID                     @sentinelone.sourceAgentId
MitigationStatus       @sentinelone.threatMitigationStatus
Customer               @sentinelone.siteName
DetectingEngine        @sentinelone.threatDetectingEngine

Correlation Rules:

First Occurrence:

Name         Window    Field                          Risk
NewAgent     10 days   @sentinelone.sourceAgentUuid   ML_NEW_ASSET
NewEventID   10 days   @sentinelone.eventID           ML_NEW_ALERT
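The rule above is declarative: a selector filter, a behavior key, two static risks and two first-occurrence correlations. The following is an added Python example, not Fluency's code, that applies the same logic to constructed SentinelOne events so the reader can see which risks each event would carry and why. It assumes events are flat dicts keyed by the field names on this page plus an assumed ISO-8601 "@timestamp" field, that a first-occurrence rule fires when the field's value has not been seen within its window, and it assigns no score to ML_NEW_ASSET or ML_NEW_ALERT because the page lists none.

```python
"""Added example (not Fluency's code): run the SentinelOneThreat rule over
constructed events.  Event shape, the "@timestamp" field and the window
semantics are assumptions, not taken from the page."""
from datetime import datetime, timedelta

# Selector: every MUST field has to match; the MUST NOT list is empty.
MUST_HIT = {
    "@event_type": "@sentinelone",
    "@parser": "SentinelOneEventParser",
    "@sentinelone.cat": "MALWARE",
}
MUST_NOT_HIT = {}

BEHAVIOR_KEY = "@sentinelone.sourceAgentUuid"        # type SentinelOne.AgentID
BASE_RISKS = {"ALERT_END_POINT": 800, "ALERT_HIGH_CONFIDENCE": 2000}  # dimension: alert

ATTRIBUTES = {
    "Category": "@sentinelone.cat", "OS": "@sentinelone.sourceOsType",
    "Hostname": "@sentinelone.sourceHostName", "AgentID": "@sentinelone.sourceAgentUuid",
    "Description": "@sentinelone.eventDesc", "FilePath": "@sentinelone.filePath",
    "EventID": "@sentinelone.eventID", "FileHash": "@sentinelone.fileHash",
    "ThreatID": "@sentinelone.threatID",
    "CommandLineArguments": "@sentinelone.threatCommandLineArguments",
    "ID": "@sentinelone.sourceAgentId", "MitigationStatus": "@sentinelone.threatMitigationStatus",
    "Customer": "@sentinelone.siteName", "DetectingEngine": "@sentinelone.threatDetectingEngine",
}

# (name, window, field, risk); the ML_* risks carry no base score on the page.
FIRST_OCCURRENCE = [
    ("NewAgent", timedelta(days=10), "@sentinelone.sourceAgentUuid", "ML_NEW_ASSET"),
    ("NewEventID", timedelta(days=10), "@sentinelone.eventID", "ML_NEW_ALERT"),
]


def selected(event):
    """True when the event passes the MUST / MUST NOT filters."""
    if any(event.get(k) != v for k, v in MUST_HIT.items()):
        return False
    return not any(event.get(k) == v for k, v in MUST_NOT_HIT.items())


class FirstOccurrence:
    """Remembers when each (rule, value) pair was last seen (assumed semantics)."""

    def __init__(self):
        self.last_seen = {}

    def risks(self, event, ts):
        fired = []
        for name, window, field, risk in FIRST_OCCURRENCE:
            value = event.get(field)
            if value is None:
                continue
            prev = self.last_seen.get((name, value))
            if prev is None or ts - prev > window:   # unseen, or outside the window
                fired.append(risk)
            self.last_seen[(name, value)] = ts
        return fired


def evaluate(events):
    """Run the rule over events in time order; one alert per selected event."""
    tracker = FirstOccurrence()
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not selected(ev):          # filtering precedes correlation
            continue
        ts = datetime.fromisoformat(ev["@timestamp"])
        alerts.append({
            "key": ev.get(BEHAVIOR_KEY),
            "attributes": {a: ev[k] for a, k in ATTRIBUTES.items() if k in ev},
            "score": sum(BASE_RISKS.values()),
            "risks": list(BASE_RISKS) + tracker.risks(ev, ts),
        })
    return alerts


# Constructed sample events, not real telemetry.
AGENT = "11111111-2222-3333-4444-555555555555"


def sample_event(ts, cat="MALWARE", event_id="ev-1", **extra):
    ev = {"@timestamp": ts, "@event_type": "@sentinelone",
          "@parser": "SentinelOneEventParser", "@sentinelone.cat": cat,
          "@sentinelone.sourceAgentUuid": AGENT, "@sentinelone.eventID": event_id}
    ev.update(extra)
    return ev


SAMPLE_EVENTS = [
    sample_event("2021-03-01T10:00:00", **{"@sentinelone.sourceHostName": "ws-01"}),
    sample_event("2021-03-04T10:00:00"),                   # same agent/event id, inside window
    sample_event("2021-03-05T10:00:00", cat="NOT_MALWARE"),  # fails the cat filter
    sample_event("2021-03-10T10:00:00", event_id="ev-3"),  # known agent, new event id
    sample_event("2021-03-25T10:00:00"),                   # >10 days since agent and ev-1
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(a["key"], a["score"], a["risks"])
```

Four alerts come out: the first carries both ML risks, the second only the two base risks, the third adds ML_NEW_ALERT for the new event id, and the last re-fires both because more than ten days have passed. The NOT_MALWARE event is dropped by the selector before it reaches the tracker, so it does not refresh either window; whether Fluency's own first-occurrence tracking sees unselected events is not stated on this page.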

History:

User                         Date
ho*d@fluencysecurity.com     2021 Jan 31 19:55:34 EST
ho*d@fluencysecurity.com     2021 Jan 31 19:57:13 EST
al*r@fluencysecurity.com     2021 Feb 18 11:38:22 EST
je*y@fortify24x7.com         2021 Feb 18 12:15:13 EST
al*r@fluencysecurity.com     2021 Feb 18 12:27:12 EST
ho*d@fluencysecurity.com     2021 Mar 16 12:25:05 EDT

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)