/SentinelOne-ATTACK-Queries

MITRE ATT&CK mapped queries for SentinelOne Deep Visiblity

MIT LicenseMIT

ATT&CK Mapped SentinelOne Queries

MITRE ATT&CK mapped queries for SentinelOne Deep Visiblity

DISCONTINUED

This project has been replaced by the SentinelOne-Queries repository which moves towards shareable signatures and for use in tooling. New repo is built of the work within this repository and most testing is still performed against Atomic Red Team. These queries will not be updated as detections change between Agent versions etc.

This project aims to document SentinelOne Deep Visibility queries for detecting Windows TTPs generated by Red Canary Co's Atomic Red Team framework. Not all techniques documented within the Atomic Red Team project will have matching queries, due to limited data sources within SentinelOne some detections will be limited; we'll eventually expand beyond A.R.T. and just call these ATT&CK mapped queries, but I like the idea of having a framework to test these detections.

These queries have been crafted and tested on Liberty console release and should support Deep Visibility 3.0. Recommending that your Sentinel Agents be on 4.2.x or newer, as some of the indicator data being queried is only collected by newer agents.

Tactics (COMPLETED)

Privilege Escalation

Initial Access

Persistence

Execution

Lateral Movement

Impact

Exfiltration

Tactics (IN PROGRESS)

Defense Evasion

Discovery

Command and Control

Collection

Credential Access