Solutions/SentinelOne/Hunting Queries/SentinelOneUninstalledAgents.yaml
id: f3a7cedd-6fc3-4661-a0ad-c1738e531917
name: Sentinel One - Uninstalled agents
description: |
  'Identifies hosts on which the SentinelOne agent was uninstalled in the last 24 hours (SentinelOne activity type 31). Removing the EDR agent is a common defense-evasion step and should be verified against change records for the host.'
severity: Medium
requiredDataConnectors:
  - connectorId: SentinelOne
    dataTypes:
      - SentinelOne
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1070
query: |
  SentinelOne
  | where TimeGenerated > ago(24h)
  // ActivityType 31 is the activity the query treats as "agent uninstalled"
  | where ActivityType == 31
  | extend HostCustomEntity = DataComputerName
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: HostCustomEntity
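The same hunting logic as a stand-alone Python function run over constructed sample rows, so the time window, the activity-type filter and the host entity mapping can be checked offline. This is an added example and is not code from the Azure-Sentinel repository; the column names TimeGenerated, ActivityType and DataComputerName are the ones the KQL above uses, while the fixed "now", the row values and the tolerance for ActivityType arriving as a string are assumptions made for the example.

```python
"""Reference implementation of the 'Sentinel One - Uninstalled agents' hunting
logic over constructed sample rows. Added example, not repository code."""

from datetime import datetime, timedelta, timezone
from typing import Optional

# Activity type the hunting query filters on (ActivityType == 31).
UNINSTALLED_AGENT_ACTIVITY = 31

# Fixed "now" so the 24h lookback is deterministic offline (example assumption).
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows shaped like the columns the query uses; values are invented.
SAMPLE_ROWS = [
    {"TimeGenerated": "2024-05-02T10:00:00Z", "ActivityType": 31, "DataComputerName": "WS-0417"},
    # 30h old: outside the 24h window
    {"TimeGenerated": "2024-05-01T06:00:00Z", "ActivityType": 31, "DataComputerName": "SRV-DB01"},
    # some other activity type: not an uninstall
    {"TimeGenerated": "2024-05-02T11:00:00Z", "ActivityType": 19, "DataComputerName": "WS-0999"},
    # numeric field delivered as a string (assumed ingestion quirk): still a hit
    {"TimeGenerated": "2024-05-02T07:00:00Z", "ActivityType": "31", "DataComputerName": "WS-0501"},
    # unparsable timestamp: skipped rather than crashing the hunt
    {"TimeGenerated": "not-a-timestamp", "ActivityType": 31, "DataComputerName": "WS-0777"},
]


def parse_time(value) -> Optional[datetime]:
    """Parse an ISO 8601 timestamp ('...Z' or explicit offset) into an aware UTC
    datetime; return None for malformed or missing values."""
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (ValueError, AttributeError):
        return None
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def activity_type(row: dict) -> Optional[int]:
    """Coerce ActivityType to int so '31' and 31 compare equal; None if absent or junk."""
    try:
        return int(row.get("ActivityType"))
    except (TypeError, ValueError):
        return None


def hunt_uninstalled_agents(rows, now=NOW, window_hours=24):
    """Mirror of the KQL:
        | where TimeGenerated > ago(24h)
        | where ActivityType == 31
        | extend HostCustomEntity = DataComputerName
    Returns one Host entity (identifier HostName) per matching row, newest first."""
    cutoff = now - timedelta(hours=window_hours)
    hits = []
    for row in rows:
        ts = parse_time(row.get("TimeGenerated"))
        if ts is None or ts <= cutoff:
            continue  # outside ago(24h) or unparsable
        if activity_type(row) != UNINSTALLED_AGENT_ACTIVITY:
            continue
        # entityMappings: Host.HostName <- HostCustomEntity <- DataComputerName
        hits.append({"HostName": row.get("DataComputerName"), "TimeGenerated": ts})
    hits.sort(key=lambda h: h["TimeGenerated"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in hunt_uninstalled_agents(SAMPLE_ROWS):
        print(f"{hit['TimeGenerated'].isoformat()}  agent uninstalled on {hit['HostName']}")
```

Two practitioner caveats the sample rows exercise: a row whose ActivityType is stored as text would silently drop out of an `== 31` comparison, so verify the column type in your workspace; and an agent that has been uninstalled no longer reports from the endpoint, so this hunt depends on the management-console activity record reaching the SentinelOne table. With a 24h lookback the query only catches recent removals unless it is run on a schedule.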