SentinelOne EPP - Detection Rules

Intro


Rule: New Active Threat Malicious Detected

Severity

High

Detection Details

Threat with confidence level malicious detected

Mitre ID

T1059 – Command and Scripting Interpreter
T1204 – User Execution
T1105 – Ingress Tool Transfer
T1486 – Data Encrypted for Impact

Graylog Query

syslog_type:sentinelone AND cat:MALWARE AND threatConfidenceLevel:malicious

Rule: New Active Threat Suspicious Detected

Severity

Medium

Detection Details

Threat with confidence level suspicious detected

Mitre ID

T1059 – Command and Scripting Interpreter
T1036 – Masquerading
T1078 – Valid Accounts
T1027 – Obfuscated/Encrypted Files or Information

Graylog Query

syslog_type:sentinelone AND cat:MALWARE AND threatConfidenceLevel:suspicious

Rule: New Mitigation, Kill performed successfully

Severity

Medium

Detection Details

Kill performed successfully

Mitre ID

T1059 – Command and Scripting Interpreter
T1204 – User Execution
T1105 – Ingress Tool Transfer
T1486 – Data Encrypted for Impact

Graylog Query

syslog_type:sentinelone AND cat:MITIGATION AND eventDesc:"Kill performed successfully"

Rule: New Mitigation, Quarantine performed successfully

Severity

Medium

Detection Details

Quarantine performed successfully

Mitre ID

T1547 – Boot or Logon Autostart Execution
T1053 – Scheduled Task/Job
T1105 – Ingress Tool Transfer

Graylog Query

syslog_type:sentinelone AND cat:MITIGATION AND eventDesc:"Quarantine performed successfully"

Rule: New Exclusion was added/modified by user

Severity

Medium

Detection Details

Exclusion was added/modified by user

Mitre ID

T1562.001 – Disable or Modify Tools
T1562.006 – Indicator Blocking

Graylog Query

syslog_type:sentinelone AND cat:WHITELISTBLACKLIST AND eventDesc:"Exclusion was added/modified by user"

Rule: New Path Exclusion added

Severity

Medium

Detection Details

Path Exclusion added

Mitre ID

T1562.001 – Disable or Modify Tools

Graylog Query

syslog_type:sentinelone AND cat:WHITELISTBLACKLIST AND eventDesc:"Path Exclusion added"

Rule: Analyst verdict changed to "True Positive"

Severity

High

Detection Details

A management user changed the analyst verdict to True Positive.

Mitre ID

T1059 – Command and Scripting Interpreter
T1204 – User Execution
T1105 – Ingress Tool Transfer
T1486 – Data Encrypted for Impact

Graylog Query

syslog_type:sentinelone AND cat:THREATMANAGEMENT AND data_newAnalystVerdict:true_positive

Rule: Analyst verdict changed to "False Positive"

Severity

Medium

Detection Details

A management user changed the analyst verdict to False Positive.

Mitre ID

T1059 – Command and Scripting Interpreter
T1036 – Masquerading
T1078 – Valid Accounts
T1027 – Obfuscated/Encrypted Files or Information

Graylog Query

syslog_type:sentinelone AND cat:THREATMANAGEMENT AND data_newAnalystVerdict:false_positive
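To show how the eight rules above partition a SentinelOne event stream, here is an added example (not SOCFortress code and not part of the original article). It parses the conjunctive `field:value AND field:"phrase"` subset of Graylog query syntax that every rule on this page uses, then runs all rules over a handful of constructed SentinelOne syslog events. The field names (`syslog_type`, `cat`, `threatConfidenceLevel`, `eventDesc`, `data_newAnalystVerdict`) are taken from the page's queries; the sample events, the `agentComputerName` field and the matching semantics (case-insensitive exact comparison of the whole field value) are assumptions made for the example and are a simplification of Graylog's analyzed-field matching.

```python
import re

# Rule table copied from the article: (rule name, severity, Graylog query).
RULES = [
    ("New Active Threat Malicious Detected", "High",
     "syslog_type:sentinelone AND cat:MALWARE AND threatConfidenceLevel:malicious"),
    ("New Active Threat Suspicious Detected", "Medium",
     "syslog_type:sentinelone AND cat:MALWARE AND threatConfidenceLevel:suspicious"),
    ("New Mitigation, Kill performed successfully", "Medium",
     'syslog_type:sentinelone AND cat:MITIGATION AND eventDesc:"Kill performed successfully"'),
    ("New Mitigation, Quarantine performed successfully", "Medium",
     'syslog_type:sentinelone AND cat:MITIGATION AND eventDesc:"Quarantine performed successfully"'),
    ("New Exclusion was added/modified by user", "Medium",
     'syslog_type:sentinelone AND cat:WHITELISTBLACKLIST AND eventDesc:"Exclusion was added/modified by user"'),
    ("New Path Exclusion added", "Medium",
     'syslog_type:sentinelone AND cat:WHITELISTBLACKLIST AND eventDesc:"Path Exclusion added"'),
    ('Analyst verdict changed to "True Positive"', "High",
     "syslog_type:sentinelone AND cat:THREATMANAGEMENT AND data_newAnalystVerdict:true_positive"),
    ('Analyst verdict changed to "False Positive"', "Medium",
     "syslog_type:sentinelone AND cat:THREATMANAGEMENT AND data_newAnalystVerdict:false_positive"),
]

# One clause: field:value or field:"quoted phrase".
TERM_RE = re.compile(r'(\w+):(?:"([^"]*)"|(\S+))')


def parse_query(query):
    """Parse the AND-only subset of Graylog/Lucene syntax used by these rules
    into a list of (field, expected_value) pairs. Anything else is rejected
    rather than silently mis-parsed."""
    terms = []
    for clause in query.split(" AND "):
        m = TERM_RE.fullmatch(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        field, quoted, bare = m.groups()
        terms.append((field, quoted if quoted is not None else bare))
    return terms


def matches(event, terms):
    """Assumption: a term matches when the whole field value equals the expected
    value, case-insensitively. A missing field never matches."""
    return all(str(event.get(field, "")).lower() == value.lower()
               for field, value in terms)


def evaluate(events, rules=RULES):
    """Run every rule over every event; return (event_index, rule_name, severity)."""
    compiled = [(name, sev, parse_query(q)) for name, sev, q in rules]
    return [(i, name, sev)
            for i, event in enumerate(events)
            for name, sev, terms in compiled
            if matches(event, terms)]


def summarize(hits):
    """Count alerts per severity so a triage queue can be ordered."""
    counts = {}
    for _, _, sev in hits:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed sample events (not real telemetry), already parsed into fields as
# a SentinelOne syslog extractor would produce them.
SAMPLE_EVENTS = [
    {"syslog_type": "sentinelone", "cat": "MALWARE", "threatConfidenceLevel": "malicious",
     "agentComputerName": "WS-01"},
    {"syslog_type": "sentinelone", "cat": "MITIGATION",
     "eventDesc": "Kill performed successfully", "agentComputerName": "WS-01"},
    {"syslog_type": "sentinelone", "cat": "WHITELISTBLACKLIST",
     "eventDesc": "Path Exclusion added", "agentComputerName": "SRV-02"},
    {"syslog_type": "sentinelone", "cat": "THREATMANAGEMENT",
     "data_newAnalystVerdict": "false_positive"},
    {"syslog_type": "sentinelone", "cat": "MALWARE", "threatConfidenceLevel": "suspicious"},
    # Wrong source: must not fire any SentinelOne rule even though the other fields line up.
    {"syslog_type": "otheredr", "cat": "MALWARE", "threatConfidenceLevel": "malicious"},
]

if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for idx, name, sev in hits:
        print(f"event {idx}: [{sev}] {name}")
    print(summarize(hits))
```

The `syslog_type:sentinelone` prefix is what keeps the last sample event from firing; it is the one clause shared by all eight rules and is worth keeping even when a query looks redundant, since `cat:MALWARE` alone would match any product that uses the same category label. Graylog itself tokenizes analyzed text fields, so confirm each rule against live events in Graylog rather than relying on the exact-match approximation used here.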