SentinelOne
| where ActivityType == 3020
| project EventCreationTime, SrcUserName, Hash=EventSubStatus
| extend AccountCustomEntity = SrcUserName, HashCustomEntity = Hash, HashAlgorithmCustomEntity = "SHA1"
description: |
'Detects when blacklist hash was deleted.'
version: 1.0.0
tactics:
- DefenseEvasion
queryFrequency: 1h
query: |
SentinelOne
| where ActivityType == 3020
| project EventCreationTime, SrcUserName, Hash=EventSubStatus
| extend AccountCustomEntity = SrcUserName, HashCustomEntity = Hash, HashAlgorithmCustomEntity = "SHA1"
status: Available
triggerOperator: gt
kind: Scheduled
triggerThreshold: 0
relevantTechniques:
- T1070
id: de339761-2298-4b37-8f1b-80ebd4f0b5f6
queryPeriod: 1h
entityMappings:
- fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
entityType: Account
- fieldMappings:
- identifier: Value
columnName: HashCustomEntity
- identifier: Algorithm
columnName: HashAlgorithmCustomEntity
entityType: FileHash
severity: Medium
name: Sentinel One - Blacklist hash deleted
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneBlacklistHashDeleted.yaml
requiredDataConnectors:
- dataTypes:
- SentinelOne
connectorId: SentinelOne
