id: 8d1ca735-e29a-4bea-a2ec-93162790b686 name: Sentinel One - Deleted rules description: | 'Query shows deleted rules.' severity: Medium requiredDataConnectors: - connectorId: SentinelOne dataTypes: - SentinelOne tactics: - DefenseEvasion relevantTechniques: - T1070 query: | SentinelOne | where TimeGenerated > ago(24h) | where ActivityType == 3602 | order by EventCreationTime | project EventCreationTime, DataRuleName, DataRuleQueryDetails, DataStatus, DataUserName | extend AccountCustomEntity = DataUserName entityMappings: - entityType: Account fieldMappings: - identifier: Name columnName: AccountCustomEntity