39 lines
1.6 KiB
XML
39 lines
1.6 KiB
XML
|
<!-- Rules for SentinelOne via API -->
|
||
|
|
|
||
|
|
<!-- SentinelOne logs grouped -->
|
||
|
|
<group name="sentinelone_API">
|
||
|
|
<rule id="100600" level="3">
|
||
|
|
<decoded_as>json</decoded_as>
|
||
|
|
<location>/var/log/sentinelone.json</location>
|
||
|
|
<description>Logs from SentinelOne.</description>
|
||
|
|
</rule>
|
||
|
|
|
||
|
|
<!-- Rules to detect active threat -->
|
||
|
|
<rule id="100601" level="10">
|
||
|
|
<if_sid>100600</if_sid>
|
||
|
|
<field name="agentDetectionInfo.agentMitigationMode">detect</field>
|
||
|
|
<description>SentinelOne: New active threat $(threatInfo.threatName) detected on $(agentRealtimeInfo.agentComputerName).</description>
|
||
|
|
</rule>
|
||
|
|
|
||
|
|
<!-- Rules to detect successfully mitigated threat -->
|
||
|
|
<rule id="100602" level="5">
|
||
|
|
<if_sid>100600</if_sid>
|
||
|
|
<field name="threatInfo.mitigationStatus">mitigated</field>
|
||
|
|
<description>SentinelOne: Threat $(threatInfo.threatName) successfully mitigated on $(agentRealtimeInfo.agentComputerName).</description>
|
||
|
|
</rule>
|
||
|
|
|
||
|
|
<!-- Rules to detect multiple active threats -->
|
||
|
|
<rule id="100603" level="12" ignore="120">
|
||
|
|
<if_sid>100600</if_sid>
|
||
|
|
<field name="agentRealtimeInfo.activeThreats">[4-9]\d*|\d{2,}</field>
|
||
|
|
<description>SentinelOne: Multiple active threats detected on $(agentRealtimeInfo.agentComputerName).</description>
|
||
|
|
</rule>
|
||
|
|
|
||
|
|
<!-- Rules to detect reboot required -->
|
||
|
|
<rule id="100604" level="7">
|
||
|
|
<if_sid>100600</if_sid>
|
||
|
|
<field name="agentRealtimeInfo.rebootRequired">true</field>
|
||
|
|
<description>SentinelOne: System reboot required on $(agentRealtimeInfo.agentComputerName) to complete actions.</description>
|
||
|
|
</rule>
|
||
|
|
</group>
|