
Creating SentinelOne Single-event Custom Rules

Updated over a month ago

SentinelOne Complete customers can create custom detection rules. To create a Single Event Custom Rule in the SentinelOne Console:

  1. In the Sentinels toolbar, click STAR Custom Rules or, in Visibility, click STAR Custom Rules.

  2. Click New Rule or click on a rule to edit it.

    The Create Custom Rule wizard opens.

  3. In Details:

    • Enter a Name and Description for the rule.

    • In Rule Severity, select the severity of the rule in your environment.

    • Set an Expiration Date within 6 months for the rule, or set it as Permanent.

    • Select the scope in which to apply the rule.

  4. Click Next.

    The Condition screen opens.

  5. Make sure Single Event is selected.

  6. In Query Filter, add a query in S1QL 2.0 syntax for the rule.

    For help with writing queries in S1QL 2.0, click Help with Query Language.

  7. Recommended: Test your rule. You can:

    • Click Simulate Rule to quickly estimate how many alerts your rule may generate. The wizard shows an estimate of the number of alerts this rule will trigger over a period of 7 days.

    • Thoroughly test the query by running it in Event Search and adjusting it as necessary. To open the rule query in Event Search, click the search icon and then, in the Search for Matching Events window, click Search.

    Please note:

    • If your query has a syntax error, an error message shows below the query. Fix the query, and then click Simulate Rule again.

    • For best results, narrow your query as much as possible. You can adjust your query and simulate the results multiple times.

  8. To set a cool-off period for your rule that suppresses additional alerts after the first one, click Cool-off Period and configure the duration.

  9. Click Next.

    If your query has a syntax error, an error message shows below the query. Fix the query, and then click Next.

  10. In the Actions window, select whether SentinelOne responds with automatic mitigation when rule results are found, and which mitigation actions to use:

    • Treat as threat - The rule result shows as a threat on the Threats page. Select which mitigation policy is applied, based on the endpoint that triggered the alert:

      • Suspicious Threat Policy - The settings for the endpoint in Policy for Suspicious Threats are applied (Detect or Protect).

      • Malicious Threat Policy - The settings for the endpoint in Policy for Malicious Threats are applied (Detect or Protect).

    • Network Quarantine - SentinelOne disconnects endpoints with rule matches from the network. You can reconnect the endpoints after you are sure that they are not a threat to your network.

    Please note:

    If you want the custom alert to appear as an issue within Guardz, you must select "Treat as threat".

  11. In the Summary window, review the rule details.

    To edit details, click Back.

  12. Save your rule:

    • To save your rule as a draft without activating it, click Save Draft. You can activate your rule with the Actions menu.

    • To save your rule and activate it immediately, select Activate rule immediately after saving, and then click Activate.

    • The new rule is created and appears on the Detections page.

  13. To activate a Custom Detection Rule:

    • In the Sentinels toolbar, click STAR Custom Rules or, in Visibility, click STAR Custom Rules.

    • Select the rule.

    • Click Actions > Activate.
