SentinelOne Singularity Platform
Query’s integration with SentinelOne Singularity Platform allows analysts to do the following:
- Retrieve user details (email address, username) for a user
- Retrieve device details (IP address, hostname) for a device
- Retrieve malicious file information and details (file name, hash value)
- Retrieve Security Finding information when malicious activity is detected (title, event time, event name, severity, etc.)
For example, the analyst could obtain the following context:
- Searching by a device’s hostname, e.g. hostname equals barbs_computer, returns any malicious activity (Security Finding) that SentinelOne Singularity Platform has detected on that host.
- Searching by a device’s IP address, e.g. IP equals x.x.x.x, returns every username and hostname that has been associated with that IP address, together with the malicious activity detected for them.
To set up the integration, see the SentinelOne Singularity Platform integration documentation.
The integration normalizes data pulled from SentinelOne Singularity Platform into Query’s OCSF-based Query Data Model (QDM), which enables cross-platform joins and compounds the analyst’s ability to investigate. Query normalizes SentinelOne data into QDM User, Device, Malware and other objects, and into Security Finding events. Key attributes such as hostname, IP address, the state of any malicious activity, DNS hostnames and subnet appear in the QDM Device, Security Finding and Observables objects.
With the federated join capabilities, the analyst can now see context on that entity pulled from additional data sources Query is integrated with. Based upon additional integrations in your environment, Query can show you:
- Suspect IP addresses joined with threat intelligence data.
- Additional alerts correlated with the user or the device, for example from email, web, or file activity.
- Relevant follow-up searches for vulnerability, malware, and threat intelligence information associated with related entities such as files, processes, and applications on that device.
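The following is an added example, not Query’s or SentinelOne’s code, that shows what the normalization and the joins above look like in practice: a few constructed SentinelOne-like threat records are mapped to simplified OCSF Security Finding events (Device, User, Malware and Observables sub-objects), then the hostname and IP searches from the example above and a join against a constructed threat-intelligence feed are run over them. The SentinelOne field names (`threatInfo`, `agentRealtimeInfo`, `agentDetectionInfo`, ...), the severity mapping, the sample hashes and the intel feed are all assumptions made for illustration, and the OCSF field set is deliberately reduced.

```python
"""Added example (not Query's or SentinelOne's code): normalise constructed
SentinelOne-like threat records into simplified OCSF Security Findings and run
the hostname / IP searches and a threat-intel join described on the page."""
from collections import defaultdict

# Constructed sample records. The nesting and field names only approximate the
# shape of SentinelOne's threats API and are an assumption, not a schema.
HASH_A = "a1b2c3d4e5f60718293a4b5c6d7e8f9001122334"
HASH_B = "0f1e2d3c4b5a69788796a5b4c3d2e1f0ffeeddcc"
S1_THREATS = [
    {"id": "t-1001",
     "threatInfo": {"threatName": "Trojan.GenericKD", "sha1": HASH_A, "confidenceLevel": "malicious",
                    "createdAt": "2024-03-01T10:15:00Z", "mitigationStatus": "mitigated"},
     "agentRealtimeInfo": {"agentComputerName": "barbs_computer"},
     "agentDetectionInfo": {"agentIpV4": "10.0.0.42", "agentLastLoggedInUserName": "barb", "agentDomain": "corp"}},
    {"id": "t-1002",
     "threatInfo": {"threatName": "PUA.Downloader", "sha1": HASH_A, "confidenceLevel": "suspicious",
                    "createdAt": "2024-03-02T08:00:00Z", "mitigationStatus": "not_mitigated"},
     "agentRealtimeInfo": {"agentComputerName": "barbs_computer"},
     "agentDetectionInfo": {"agentIpV4": "10.0.0.42", "agentLastLoggedInUserName": "barb", "agentDomain": "corp"}},
    # Same DHCP address later handed to a different host and user.
    {"id": "t-1003",
     "threatInfo": {"threatName": "Backdoor.Agent", "sha1": HASH_B, "confidenceLevel": "malicious",
                    "createdAt": "2024-03-05T17:30:00Z", "mitigationStatus": "mitigated"},
     "agentRealtimeInfo": {"agentComputerName": "lab-vm01"},
     "agentDetectionInfo": {"agentIpV4": "10.0.0.42", "agentLastLoggedInUserName": "ed", "agentDomain": "corp"}},
]

# Assumed mapping of SentinelOne confidence to OCSF severity_id (3 = Medium, 4 = High).
SEVERITY_ID = {"suspicious": 3, "malicious": 4}


def normalize(rec):
    """Map one SentinelOne-like threat record to a reduced OCSF Security Finding (class_uid 2001)."""
    ti, rt, det = rec["threatInfo"], rec["agentRealtimeInfo"], rec["agentDetectionInfo"]
    hostname, ip, user, sha1 = rt["agentComputerName"], det["agentIpV4"], det["agentLastLoggedInUserName"], ti["sha1"]
    return {
        "class_uid": 2001,
        "time": ti["createdAt"],
        "finding": {"uid": rec["id"], "title": ti["threatName"]},
        "severity_id": SEVERITY_ID.get(ti["confidenceLevel"], 0),  # 0 = Unknown
        "state": ti["mitigationStatus"],
        "device": {"hostname": hostname, "ip": ip},
        "user": {"name": user, "domain": det["agentDomain"]},
        "malware": [{"name": ti["threatName"], "hashes": [{"algorithm": "SHA-1", "value": sha1}]}],
        # Observables are what cross-source joins key on; type labels are simplified
        # (real OCSF uses numeric type_id values).
        "observables": [
            {"name": "device.hostname", "type": "Hostname", "value": hostname},
            {"name": "device.ip", "type": "IP Address", "value": ip},
            {"name": "user.name", "type": "User Name", "value": user},
            {"name": "malware.hashes.value", "type": "Hash", "value": sha1},
        ],
    }


FINDINGS = [normalize(r) for r in S1_THREATS]


def findings_for_hostname(findings, hostname):
    """Search 1 from the page: every finding detected on a given host."""
    return [f for f in findings if f["device"]["hostname"].lower() == hostname.lower()]


def entities_for_ip(findings, ip):
    """Search 2 from the page: every (username, hostname) pair seen with malicious activity at an IP."""
    return sorted({(f["user"]["name"], f["device"]["hostname"]) for f in findings if f["device"]["ip"] == ip})


def join_threat_intel(findings, intel):
    """Federated join: match finding observables against intel indicators of the same type."""
    index = defaultdict(list)
    for ioc in intel:
        index[(ioc["type"], ioc["value"].lower())].append(ioc["source"])
    hits = []
    for f in findings:
        for obs in f["observables"]:
            sources = index.get((obs["type"], obs["value"].lower()))
            if sources:
                hits.append({"finding_uid": f["finding"]["uid"], "observable": obs["value"], "sources": sources})
    return hits


# Constructed threat-intel feed: one known-bad hash and one IP no finding references.
THREAT_INTEL = [
    {"type": "Hash", "value": HASH_B.upper(), "source": "feed-A"},
    {"type": "IP Address", "value": "203.0.113.9", "source": "feed-B"},
]

if __name__ == "__main__":
    for f in findings_for_hostname(FINDINGS, "barbs_computer"):
        print(f["finding"]["uid"], f["finding"]["title"], "severity", f["severity_id"], f["state"])
    print(entities_for_ip(FINDINGS, "10.0.0.42"))
    print(join_threat_intel(FINDINGS, THREAT_INTEL))
```

The IP search deliberately returns two different user/host pairs for one address: with DHCP-assigned addresses, an IP alone is not a stable identity, which is why the page's example searches return the associated usernames and hostnames rather than a single device. The join normalises case on indicator values so an upper-case hash from one feed still matches a lower-case hash from the EDR.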