diff --git a/Solutions/SentinelOne/Analytic Rules/SentinelOneAgentUninstalled.yaml b/Solutions/SentinelOne/Analytic Rules/SentinelOneAgentUninstalled.yaml
index 28d4a142899..4b14bc38b50 100755
--- a/Solutions/SentinelOne/Analytic Rules/SentinelOneAgentUninstalled.yaml
+++ b/Solutions/SentinelOne/Analytic Rules/SentinelOneAgentUninstalled.yaml
@@ -18,14 +18,13 @@ relevantTechniques:
 - T1070
 query: |
 SentinelOne
- | where ActivityType == 31
+ | where ActivityType == 51
 | summarize count() by DataComputerName, bin(TimeGenerated, 30m)
 | where count_ > 1
- | extend HostCustomEntity = DataComputerName
 entityMappings:
 - entityType: Host
 fieldMappings:
 - identifier: HostName
- columnName: HostCustomEntity
-version: 1.0.1
+ columnName: DataComputerName
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/SentinelOne/Package/3.0.5.zip b/Solutions/SentinelOne/Package/3.0.5.zip
new file mode 100644
index 00000000000..99663e52d5b
Binary files /dev/null and b/Solutions/SentinelOne/Package/3.0.5.zip differ
diff --git a/Solutions/SentinelOne/Package/mainTemplate.json b/Solutions/SentinelOne/Package/mainTemplate.json
index 77e2c89acda..c839224c937 100644
--- a/Solutions/SentinelOne/Package/mainTemplate.json
+++ b/Solutions/SentinelOne/Package/mainTemplate.json
@@ -55,7 +55,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "SentinelOne",
- "_solutionVersion": "3.0.4",
+ "_solutionVersion": "3.0.5",
 "solutionId": "azuresentinel.azure-sentinel-solution-sentinelone",
 "_solutionId": "[variables('solutionId')]",
 "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
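Review bot: The detection logic on the new side still alerts per host rather than across hosts: `summarize count() by DataComputerName, bin(TimeGenerated, 30m) | where count_ > 1` fires when a single host reports more than one matching event in a 30-minute window, while the rule's display name elsewhere in this diff (`Sentinel One - Agent uninstalled from multiple hosts`, in the mainTemplate.json hunk at @@ -3380) promises a cross-host condition; something like `| summarize Hosts = make_set(DataComputerName), HostCount = dcount(DataComputerName) by bin(TimeGenerated, 30m) | where HostCount > 1` would match the name, with the Host entity mapping then fed through an `mv-expand` of `Hosts`. The magic number also moves from 31 to 51 with nothing on the page recording what either code denotes, so a comment above the filter such as `# ActivityType 51 = <uninstall activity name per the SentinelOne activity-type reference>` would let the next reader verify the change. If 31 was a valid code for a related uninstall activity, the edit silently stops alerting on it instead of widening to `| where ActivityType in (31, 51)`; confirm against the vendor reference before release, and consider stating the old and new codes in the ReleaseNotes.md entry, which currently ends at "with ActivityType". The same query text is duplicated verbatim in the mainTemplate.json hunk at @@ -3380 and must be kept in step with this file.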
@@ -95,11 +95,11 @@ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','382f37b3-b49a-492f-b436-a4717c8c5c3e','-', '1.0.1')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.1", + "analyticRuleVersion2": "1.0.2", "_analyticRulecontentId2": "4ad87e4a-d045-4c6b-9652-c9de27fcb442", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4ad87e4a-d045-4c6b-9652-c9de27fcb442')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4ad87e4a-d045-4c6b-9652-c9de27fcb442')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4ad87e4a-d045-4c6b-9652-c9de27fcb442','-', '1.0.1')))]" + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4ad87e4a-d045-4c6b-9652-c9de27fcb442','-', '1.0.2')))]" }, "analyticRuleObject3": { "analyticRuleVersion3": "1.0.2", @@ -320,8 +320,7 @@ ], "connectivityCriteria": [ { - "type": "HasDataConnectors", - "value": null + "type": "HasDataConnectors" } ], "availability": { @@ -378,7 +377,7 @@ "parameters": { "label": "API Token", "placeholder": "API Token", - "type": "password", + "type": "securestring", "name": "apitoken" }, "type": "Textbox" @@ -2110,8 +2109,7 @@ ], "connectivityCriteria": [ { - "type": "HasDataConnectors", - "value": null + "type": "HasDataConnectors" } ], "availability": { @@ -2168,7 +2166,7 @@ "parameters": { "label": "API Token", "placeholder": "API Token", - "type": "password", + "type": "securestring", "name": "apitoken" }, "type": "Textbox" 
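Review bot: The two connector-UI hunks (@@ -378 and @@ -2168) change the API Token Textbox's `type` from `password` to `securestring`, but this `type` is an instruction-step Textbox attribute that controls input masking in the connector page, not an ARM parameter type; the Textbox values I know of are `text`, `password`, `number` and `email`, so an unrecognised `securestring` may fall back to an unmasked field and expose the token on screen. Unless the connector instruction schema documents `securestring` for Textbox, keep `"type": "password"` here and apply `securestring` only to the ARM parameter, as the @@ -2261 hunk already does; worth confirming in a test workspace before the 3.0.5 package ships. The removal of `"value": null` from the `HasDataConnectors` connectivity criteria in @@ -320 and @@ -2110 looks harmless.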
@@ -2261,7 +2259,7 @@ }, "apitoken": { "defaultValue": "apitoken", - "type": "string", + "type": "securestring", "minLength": 1 } }, @@ -2672,7 +2670,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOne data connector with template version 3.0.4", + "description": "SentinelOne data connector with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", @@ -3029,7 +3027,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOne Workbook with template version 3.0.4", + "description": "SentinelOne Workbook with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -3117,7 +3115,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOne Data Parser with template version 3.0.4", + "description": "SentinelOne Data Parser with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
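Review bot: The `apitoken` parameter at @@ -2261 becomes `securestring` but keeps `"defaultValue": "apitoken"`, so a deployment that omits the parameter succeeds silently with the literal string `apitoken` as the API token, and a placeholder default on a secret parameter also makes the `"minLength": 1` check meaningless. Drop the default so the deployment prompts for, or fails without, a real token: `"apitoken": { "type": "securestring", "minLength": 1 }`. If the packaging tool requires a `defaultValue`, record that constraint in a `metadata.description` on the parameter so nobody later mistakes it for a working value. The enclosing `parameters` object starts and ends outside the hunk.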
@@ -3249,7 +3247,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneAdminLoginNewIP_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "SentinelOneAdminLoginNewIP_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -3277,10 +3275,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ], - "connectorId": "SentinelOne" + ] } ], "tactics": [ @@ -3292,22 +3290,22 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ], - "entityType": "IP" + ] } ] } @@ -3363,7 +3361,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneAgentUninstalled_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "SentinelOneAgentUninstalled_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
@@ -3380,7 +3378,7 @@ "description": "Detects when agent was uninstalled from multiple hosts.", "displayName": "Sentinel One - Agent uninstalled from multiple hosts", "enabled": false, - "query": "SentinelOne\n| where ActivityType == 31\n| summarize count() by DataComputerName, bin(TimeGenerated, 30m)\n| where count_ > 1\n| extend HostCustomEntity = DataComputerName\n", + "query": "SentinelOne\n| where ActivityType == 51\n| summarize count() by DataComputerName, bin(TimeGenerated, 30m)\n| where count_ > 1\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "High", @@ -3391,10 +3389,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ], - "connectorId": "SentinelOne" + ] } ], "tactics": [ @@ -3405,13 +3403,13 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", - "columnName": "HostCustomEntity" + "columnName": "DataComputerName" } - ], - "entityType": "Host" + ] } ] } @@ -3467,7 +3465,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneAlertFromCustomRule_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "SentinelOneAlertFromCustomRule_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -3495,10 +3493,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ], - "connectorId": "SentinelOne" + ] } ], "tactics": [ 
@@ -3509,13 +3507,13 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostCustomEntity" } - ], - "entityType": "Host" + ] } ] } @@ -3571,7 +3569,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneBlacklistHashDeleted_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "SentinelOneBlacklistHashDeleted_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -3599,10 +3597,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ], - "connectorId": "SentinelOne" + ] } ], "tactics": [ @@ -3613,15 +3611,16 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ], - "entityType": "Account" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { "identifier": "Value", @@ -3631,8 +3630,7 @@ "identifier": "Algorithm", "columnName": "HashAlgorithmCustomEntity" } - ], - "entityType": "FileHash" + ] } ] } 
@@ -3688,7 +3686,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneExclusionAdded_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "SentinelOneExclusionAdded_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -3716,10 +3714,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ], - "connectorId": "SentinelOne" + ] } ], "tactics": [ @@ -3730,13 +3728,13 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ], - "entityType": "Account" + ] } ] } @@ -3792,7 +3790,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneMultipleAlertsOnHost_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "SentinelOneMultipleAlertsOnHost_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -3820,10 +3818,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ], - "connectorId": "SentinelOne" + ] } ], "tactics": [ 
@@ -3834,13 +3832,13 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostCustomEntity" } - ], - "entityType": "Host" + ] } ] } @@ -3896,7 +3894,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneNewAdmin_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "SentinelOneNewAdmin_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -3924,10 +3922,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ], - "connectorId": "SentinelOne" + ] } ], "tactics": [ @@ -3938,13 +3936,13 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ], - "entityType": "Account" + ] } ] } @@ -4000,7 +3998,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneRuleDeleted_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "SentinelOneRuleDeleted_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -4028,10 +4026,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ], - "connectorId": "SentinelOne" + ] } ], "tactics": [ 
@@ -4042,13 +4040,13 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ], - "entityType": "Account" + ] } ] } @@ -4104,7 +4102,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneRuleDisabled_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "SentinelOneRuleDisabled_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -4132,10 +4130,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ], - "connectorId": "SentinelOne" + ] } ], "tactics": [ @@ -4146,13 +4144,13 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ], - "entityType": "Account" + ] } ] } @@ -4208,7 +4206,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneSameCustomRuleHitOnDiffHosts_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "SentinelOneSameCustomRuleHitOnDiffHosts_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", 
@@ -4236,10 +4234,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ], - "connectorId": "SentinelOne" + ] } ], "tactics": [ @@ -4252,13 +4250,13 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostCustomEntity" } - ], - "entityType": "Host" + ] } ] } @@ -4314,7 +4312,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneViewAgentPassphrase_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "SentinelOneViewAgentPassphrase_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", @@ -4342,10 +4340,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne" - ], - "connectorId": "SentinelOne" + ] } ], "tactics": [ @@ -4356,22 +4354,22 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostCustomEntity" } - ], - "entityType": "Host" + ] } ] } 
@@ -4427,7 +4425,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneAgentNotUpdated_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SentinelOneAgentNotUpdated_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -4512,7 +4510,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneAgentStatus_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SentinelOneAgentStatus_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -4597,7 +4595,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneAlertTriggers_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SentinelOneAlertTriggers_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", 
@@ -4682,7 +4680,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneHostNotScanned_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SentinelOneHostNotScanned_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -4767,7 +4765,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneNewRules_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SentinelOneNewRules_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -4852,7 +4850,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneRulesDeleted_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SentinelOneRulesDeleted_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", 
@@ -4937,7 +4935,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneScannedHosts_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SentinelOneScannedHosts_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", @@ -5022,7 +5020,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneSourcesByAlertCount_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SentinelOneSourcesByAlertCount_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -5107,7 +5105,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneUninstalledAgents_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SentinelOneUninstalledAgents_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", 
@@ -5192,7 +5190,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SentinelOneUsersByAlertCount_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SentinelOneUsersByAlertCount_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", @@ -5273,7 +5271,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.4", + "version": "3.0.5", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "SentinelOne", diff --git a/Solutions/SentinelOne/ReleaseNotes.md b/Solutions/SentinelOne/ReleaseNotes.md index 33a60a8aef2..7db9a1bd0e7 100644 --- a/Solutions/SentinelOne/ReleaseNotes.md +++ b/Solutions/SentinelOne/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| +| 3.0.5 | 20-01-2025 | Updated "Sentinel One - Agent uninstalled from multiple hosts" **Analytic Rule** with ActivityType | | 3.0.4 | 15-01-2025 | Added older Function app **Data Connector** again to SOlution until final deprecation of Function app happens | | 3.0.3 | 12-12-2024 | Added new CCP **Data Connector** and Updated **Parser** | | 3.0.2 | 11-09-2024 | Updated the python runtime version to 3.11 in **Data Connector** Function App |