# Solutions/SentinelOne/Hunting Queries/SentinelOneNewRules.yaml
id: 9c3a38e4-0975-4f96-82ee-90ce68bec76a
name: Sentinel One - New rules
description: |
  'Surfaces SentinelOne rule-creation activities (ActivityType 3600) logged in the last 24 hours, listing the rule name, its query, its status and the user who created it. Review each hit to confirm the rule change was authorized.'
severity: Low
requiredDataConnectors:
  - connectorId: SentinelOne
    dataTypes:
      - SentinelOne
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1562
query: |
  SentinelOne
  // ago(24h) is evaluated at query time; an event exactly 24h old is excluded by the strict comparison
  | where TimeGenerated > ago(24h)
  // ActivityType 3600 rows carry the rule fields projected below
  | where ActivityType == 3600
  // KQL 'order by' sorts descending unless 'asc' is given, so newest rules come first
  | order by EventCreationTime
  | project EventCreationTime, DataRuleName, DataRuleQueryDetails, DataStatus, DataUserName
  | extend AccountCustomEntity = DataUserName
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity