SentinelOne Queries
Collected from a variety of sources over the years; syntax and field names vary between entries, so check each query against your console before relying on it.
- Apps running from recycle bin
  FileFullName RegExp ".*\$Recycle\.Bin.*"
- Apps running from user directories
  FileFullName RegExp ".*\\AppData\\.*"
- BITS transfers
  FileFullName RegExp ".*bitsadmin\.exe.*"
- PowerShell
  FileFullName RegExp ".*PowerShell.exe*"
  FileFullName RegExp "\.ps1"
  FileFullName RegExp "\.psm1"
  FileFullName RegExp "\.psd1"
- PsExec usage
  FileFullName RegExp ".*psexec.*"
- File sharing program usage
  FileFullName RegExp ".*OneDrive.*" OR FileFullName RegExp ".*DropBox.exe.*" OR FileFullName RegExp ".*Box.*" OR FileFullName RegExp ".*icloud.*" FileFullName RegExp ".*egnyte.*" OR FileFullName RegExp ".*dropsend.*" OR FileFullName RegExp ".*Hightail.*" OR FileFullName RegExp ".*justcloud.*" OR FileFullName RegExp ".*Onehub.*" OR ImageFileName="*OpenDrive*" OR ImageFileName="*sharedfile*" OR ImageFileName="*SugarSync*" OR ImageFileName="*4shared*" OR ImageFileName="*Google\\Drive*" OR ImageFileName="*owncloud*")|table ComputerName UserName ImageFileName FileName SHA256HashData
- All detection events
  EventType=Event_ExternalApiEvent Severity>0 | table_time ComputerName CommandLine DetectDescription DetectName EventType FileName FilePath IOCType MD5String MachineDomain ParentProcessId ProcessId ProcessStartTime SHA1String SHA256String Severity SeverityName UTCTimestamp timestamp
- Untitled queries (as collected)
  DstPort = "23" or DstPort ="21" or DstPort = "22" or DstPort = "3389"
  ProcessImagePath CONTAINS "$Recycle.Bin"
  ProcessImagePath RegExp ".*AppData.*" OR ProcessImagePath RegExp ".*Desktop.*"
  FileFullName RegExp ".*AppData.*" OR FileFullName RegExp ".*Desktop.*"
  DstPort = "23" or DstPort ="21" or DstPort = "22" or DstPort = "3389"
  ProcessImagePath CONTAINS "$Recycle.Bin"
  ProcessImagePath RegExp ".*AppData.*" OR ProcessImagePath RegExp ".*Desktop.*"
  FileFullName RegExp ".*AppData.*" OR FileFullName RegExp ".*Desktop.*"

Notes on the queries as written:
- In the PowerShell pattern `.*PowerShell.exe*` the trailing `*` applies only to the final `e` and the `.` before `exe` is unescaped, so it also matches names such as `PowerShell.ex`; the intended pattern is probably `.*PowerShell\.exe.*`.
- The file sharing query is missing an `OR` between the `icloud` and `egnyte` terms and contains an unmatched `)`; both need fixing before it will parse. The `.*Box.*` term also matches any path containing "Box" (including DropBox), so expect noise.
- The file sharing and "All detection events" queries use `|table` / `| table_time` pipes and fields such as `ImageFileName`, `ComputerName` and `SHA256HashData`, which appear to come from a different product's search language rather than Deep Visibility; they will likely need translating before use in the SentinelOne console.
- The last four untitled queries are a repeat of the four before them.