Solutions/SentinelOne/Hunting Queries/SentinelOneSourcesByAlertCount.yaml (25 lines of code):

id: acd0a127-461e-48c8-96fa-27d14595abe0
name: Sentinel One - Sources by alert count
description: |
  'Query shows sources (hosts) by alert count.'
severity: High
requiredDataConnectors:
  - connectorId: SentinelOne
    dataTypes:
      - SentinelOne
tactics:
  - InitialAccess
relevantTechniques:
  - T1204
query: |
  SentinelOne
  | where TimeGenerated > ago(24h)
  | where ActivityType == 3608
  | extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage)
  | summarize count() by DstHostname
  | extend HostCustomEntity = DstHostname
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: HostCustomEntity
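As an added illustration (not part of the repository file), the query's `extract()` and `summarize count() by DstHostname` steps re-implemented in Python over constructed SentinelOne-style messages, so the hostname regex can be checked offline before the hunt is scheduled; the message texts and hostnames are invented.

```python
import re
from collections import Counter

# Same pattern as the query's extract() call; KQL uses RE2 syntax and this
# pattern behaves the same under Python's re module.
DETECTED_ON = re.compile(r"detected on\s(\S+)\.")

# Constructed sample EventOriginalMessage values (not real SentinelOne output).
SAMPLE_MESSAGES = [
    "Threat 'Eicar' detected on host01.corp.example.",
    "Threat 'Eicar' detected on host01.corp.example.",
    "Threat 'Mimikatz' detected on laptop-42.",
    "Threat 'Eicar' detected on host02.corp.example.",
    "Agent host03 went offline",  # no 'detected on' phrase: nothing extracted
]


def extract_dst_hostname(message: str) -> str:
    """Mirror extract(@'detected on\\s(\\S+)\\.', 1, EventOriginalMessage).

    \\S+ is greedy, so a dotted FQDN followed by a trailing period yields the
    full FQDN without that period. When the phrase is absent, no hostname is
    extracted; an empty string stands in for that here.
    """
    m = DETECTED_ON.search(message)
    return m.group(1) if m else ""


def sources_by_alert_count(messages) -> Counter:
    """Mirror '| summarize count() by DstHostname' over the message set."""
    return Counter(extract_dst_hostname(m) for m in messages)


if __name__ == "__main__":
    for host, n in sources_by_alert_count(SAMPLE_MESSAGES).most_common():
        print(f"{host or '<no hostname>'}: {n}")
```

Rows whose message lacks the phrase all land in one bucket with no hostname, so in the real query they are worth filtering out (for example with `isnotempty(DstHostname)`) or reviewed separately.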