Merge pull request #11678 from Azure/v-sabiraj-SentinelOneAnalyticrule

Updating Analytic rule with correct Activity type
Azure · Jan 20, 2025 · 93780c6 · 93780c6
2 parents 3653fbd + 999cc82
commit 93780c6
Show file tree

Hide file tree

Showing 4 changed files with 89 additions and 91 deletions.
diff --git a/Solutions/SentinelOne/Analytic Rules/SentinelOneAgentUninstalled.yaml b/Solutions/SentinelOne/Analytic Rules/SentinelOneAgentUninstalled.yaml
@@ -18,14 +18,13 @@ relevantTechniques:
   - T1070
 query: | 
   SentinelOne
-  | where ActivityType == 31
+  | where ActivityType == 51
   | summarize count() by DataComputerName, bin(TimeGenerated, 30m)
   | where count_ > 1
-  | extend HostCustomEntity = DataComputerName
 entityMappings:
   - entityType: Host
     fieldMappings:
       - identifier: HostName
-        columnName: HostCustomEntity
-version: 1.0.1
+        columnName: DataComputerName
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/SentinelOne/Package/3.0.5.zip b/Solutions/SentinelOne/Package/3.0.5.zip