update to reflect replacement by sentinelone-queries

keyboardcrunch
2021-01-11 13:40:30 -06:00
committed by GitHub
parent 9310ec5c67
commit 6a228d23ee
+3
@@ -1,6 +1,9 @@
# ATT&CK Mapped SentinelOne Queries # ATT&CK Mapped SentinelOne Queries
[MITRE ATT&CK](https://attack.mitre.org/) mapped queries for SentinelOne Deep Visiblity [MITRE ATT&CK](https://attack.mitre.org/) mapped queries for SentinelOne Deep Visiblity
## DISCONTINUED
*This project has been replaced by the [SentinelOne-Queries](https://github.com/keyboardcrunch/sentinelone-queries) repository which moves towards shareable signatures and for use in tooling. New repo is built of the work within this repository and most testing is still performed against Atomic Red Team. These queries will not be updated as detections change between Agent versions etc.*
This project aims to document SentinelOne Deep Visibility queries for detecting Windows TTPs generated by Red Canary Co's Atomic Red Team framework. Not all techniques documented within the Atomic Red Team project will have matching queries, due to limited data sources within SentinelOne some detections will be limited; we'll eventually expand beyond A.R.T. and just call these ATT&CK mapped queries, but I like the idea of having a framework to test these detections. This project aims to document SentinelOne Deep Visibility queries for detecting Windows TTPs generated by Red Canary Co's Atomic Red Team framework. Not all techniques documented within the Atomic Red Team project will have matching queries, due to limited data sources within SentinelOne some detections will be limited; we'll eventually expand beyond A.R.T. and just call these ATT&CK mapped queries, but I like the idea of having a framework to test these detections.
*These queries have been crafted and tested on Liberty console release and should support Deep Visibility 3.0. Recommending that your Sentinel Agents be on 4.2.x or newer, as some of the indicator data being queried is only collected by newer agents.* *These queries have been crafted and tested on Liberty console release and should support Deep Visibility 3.0. Recommending that your Sentinel Agents be on 4.2.x or newer, as some of the indicator data being queried is only collected by newer agents.*
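Review bot: the new DISCONTINUED notice added in the `+` lines has two wording problems that should be fixed before merging: "moves towards shareable signatures and for use in tooling" and "New repo is built of the work within this repository" read awkwardly and should be something like "moves towards shareable signatures that can be consumed by tooling" and "The new repo is built on the work in this repository". While this region is being touched, the unchanged context line directly above the notice still misspells the product name as "Deep Visiblity" (should be "Deep Visibility"), which is cheap to correct in the same commit. Finally, since the notice states that the queries will no longer be updated as detections change between Agent versions, consider adding a sentence to it saying that the console and agent guidance in the trailing context (Liberty console, Deep Visibility 3.0, Agents 4.2.x or newer) is frozen as of this commit, so readers do not take the present-tense "Recommending" paragraph as current advice.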