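# Hunting query: per-host snapshot of the SentinelOne agent health properties.
id: 4b2ed4b6-10bf-4b2c-b31e-ae51b575dfd4
name: Sentinel One - Agent status
# Plain text inside the block scalar; the original wrapped it in single quotes,
# which a `|` block keeps as literal characters in the rendered description.
description: |
  Lists, per host, the SentinelOne agent properties (active state, active
  threat count, firewall, infection, update and mitigation status, network
  status) reported in the last 24 hours, together with the most recent time
  each distinct property set was observed.
severity: Low
requiredDataConnectors:
  - connectorId: SentinelOne
    dataTypes:
      - SentinelOne
tactics:
  - DefenseEvasion
relevantTechniques:
  # NOTE(review): the query surfaces agent health flags (IsActive, FirewallEnabled,
  # IsUpToDate); consider whether T1562.001 (Impair Defenses: Disable or Modify
  # Tools) describes this hunt better than T1070 — confirm with the query owner.
  - T1070
query: |
  SentinelOne
  // Look-back window for the hunt.
  | where TimeGenerated > ago(24h)
  // Agent inventory events only (case-insensitive comparison on EventType).
  | where EventType =~ 'Agents.'
  // Bundle the health flags into one property bag. bag_pack() is the current
  // name of the deprecated pack() function; the output is unchanged.
  | extend Properties = bag_pack('IsActive', IsActive, 'ActiveThreats', ActiveThreats, 'FirewallEnabled', FirewallEnabled, 'Infected', Infected, 'IsUpToDate', IsUpToDate, 'MitigationMode', MitigationMode, 'MitigationModeSuspicious', MitigationModeSuspicious, 'NetworkStatus', NetworkStatus)
  // One row per host and distinct property set, keyed by when it was last seen.
  // NOTE(review): a host whose agent state changed inside the window yields one
  // row per state; use `summarize arg_max(TimeGenerated, *) by ComputerName`
  // if only the current state per host is wanted.
  | summarize max(TimeGenerated) by ComputerName, tostring(Properties)
  // Column consumed by the Host entity mapping below.
  | extend HostCustomEntity = ComputerName
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: HostCustomEntity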