ATT&CK Mapped SentinelOne Queries
MITRE ATT&CK mapped queries for SentinelOne Deep Visiblity
This project aims to document SentinelOne Deep Visibility queries for detecting Windows TTPs generated by Red Canary Co's Atomic Red Team framework. Not all techniques documented within the Atomic Red Team project will have matching queries, due to limited data sources within SentinelOne some detections will be limited; we'll eventually expand beyond A.R.T. and just call these ATT&CK mapped queries, but I like the idea of having a framework to test these detections.
These queries have been crafted and tested on Liberty console release and should support Deep Visibility 3.0. Recommending that your Sentinel Agents be on 4.2.x or newer, as some of the indicator data being queried is only collected by newer agents.