# SentinelOne

Nuances and common questions when using SentinelOne.
Contents

- PowerQuery vs. Deep Visibility
- How are queries built?
- How does Surveyor handle scoping using Site ID and Account ID?
- Is there a rate limit?
## PowerQuery vs. Deep Visibility

By default, Surveyor uses PowerQuery because it is faster and returns more accurate results than Deep Visibility. That said, PowerQuery itself is still in beta. If you want or need to use Deep Visibility instead, pass the `--dv` parameter at execution.
## How are queries built?

In PowerQuery, Surveyor builds queries to fit the format:

```
<INSERT_YOUR_QUERY_PARAMETERS>
<INSERT_FILTERS>
| group count() by endpoint.name, src.process.user, src.process.image.path, src.process.cmdline, src.process.name, src.process.publisher, url.address, tgt.file.internalName, src.process.startTime, site.id, site.name, src.process.storyline.id
```
In Deep Visibility, Surveyor builds queries to fit the format:

```
<INSERT_YOUR_QUERY_PARAMETERS> AND <INSERT_FILTERS>
```
So when using the `--query` parameter or the `query` field in a definition file, format your query so that it fills the `<INSERT_YOUR_QUERY_PARAMETERS>` section. It is followed by the `<INSERT_FILTERS>` section, which Surveyor populates when you use the `--hostname` or `--username` filter parameters.

Time filters are not included in the query body; they are sent in the headers of the API calls.
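The following is an added illustration of how the two templates above are filled in; it is not Surveyor's own code. The template shapes (PowerQuery ends in the `| group count() by ...` stage, Deep Visibility joins parameters and filters with `AND`) and the group-by columns come from this page. The `| filter` stage, the `in (...)` clause shape, and the use of `endpoint.name` / `src.process.user` as the hostname and username fields in both dialects are assumptions made for the example. Values are quoted and escaped so that a hostname or username supplied on the command line cannot alter the structure of the query.

```python
"""Illustrative reconstruction of Surveyor's SentinelOne query assembly.

Added example, not Surveyor's code. Template shapes and group-by columns are
from the wiki page; filter clause syntax and field names are assumptions.
"""
from typing import Iterable, List

# Group-by columns from the page's PowerQuery template.
PQ_GROUP_BY = (
    "endpoint.name", "src.process.user", "src.process.image.path",
    "src.process.cmdline", "src.process.name", "src.process.publisher",
    "url.address", "tgt.file.internalName", "src.process.startTime",
    "site.id", "site.name", "src.process.storyline.id",
)

# ASSUMPTION: which fields carry the hostname and username filters.
HOSTNAME_FIELD = "endpoint.name"
USERNAME_FIELD = "src.process.user"


def _quote(value: str) -> str:
    """Wrap a user-supplied value in double quotes, escaping backslashes and
    quotes so the value cannot terminate the literal and inject query syntax."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _in_clause(field: str, values: Iterable[str]) -> str:
    """Build `field in ("a", "b")`; empty when no usable values remain."""
    vals = [v for v in values if v]
    if not vals:
        return ""
    return f"{field} in ({', '.join(_quote(v) for v in vals)})"


def build_filters(hostnames: Iterable[str] = (), usernames: Iterable[str] = ()) -> List[str]:
    """The <INSERT_FILTERS> clauses derived from --hostname / --username."""
    clauses = [_in_clause(HOSTNAME_FIELD, hostnames), _in_clause(USERNAME_FIELD, usernames)]
    return [c for c in clauses if c]


def build_powerquery(query: str, hostnames: Iterable[str] = (), usernames: Iterable[str] = ()) -> str:
    """PowerQuery: parameters, then filter stages, then the fixed group stage."""
    parts = [query.strip()]
    for clause in build_filters(hostnames, usernames):
        parts.append(f"| filter {clause}")  # ASSUMPTION: filter stage syntax
    parts.append("| group count() by " + ", ".join(PQ_GROUP_BY))
    return "\n".join(parts)


def build_deep_visibility(query: str, hostnames: Iterable[str] = (), usernames: Iterable[str] = ()) -> str:
    """Deep Visibility: parameters AND filters, each parenthesised."""
    clauses = build_filters(hostnames, usernames)
    if not clauses:
        return query.strip()
    return " AND ".join([f"({query.strip()})"] + [f"({c})" for c in clauses])


if __name__ == "__main__":
    # Constructed sample input: a user query plus two hostname filters.
    user_query = 'src.process.name = "powershell.exe"'
    print(build_powerquery(user_query, hostnames=["ws01", "ws02"], usernames=["svc-backup"]))
    print(build_deep_visibility(user_query, hostnames=["ws01", "ws02"]))
```

The escaping in `_quote` is the part worth keeping in mind when wiring user-supplied filters into any query language: the page's templates splice filter text directly into the query body, so each value must be a proper string literal rather than raw text.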
## How does Surveyor handle scoping using Site ID and Account ID?

The table below describes how Site IDs and Account IDs are handled, depending on the type of query performed.

| Site ID Provided? | Account ID Provided? | Is Site ID included within Account ID? | PowerQuery | Deep Visibility |
|---|---|---|---|---|
| Yes | Yes | Yes | Will only return results for the Site ID | Will return results for the Account ID |
| Yes | No | N/A | Will only return results for the Site ID | Will only return results for the Site ID |
| Yes | Yes | No | Will return results for the provided Site ID and the provided Account ID | Will return results for the provided Site ID and the provided Account ID |
| No | Yes | N/A | Will return results for the provided Account ID | Will return results for the provided Site ID |
| No | No | N/A | Will return results for the entire environment | Will return results for the entire environment |
## Is there a rate limit?

There is no rate limit for PowerQuery.

The rate limit for Deep Visibility is one request per minute.
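The only numbers on this page are the two limits above, so the following added example (not Surveyor's code) shows one way a client can pace Deep Visibility submissions to one per minute while leaving PowerQuery unthrottled. The clock and sleep functions are injectable so the pacing can be verified without real waiting; the class and function names are the example's own.

```python
"""Added example: pacing SentinelOne API submissions per the documented limits.

Not Surveyor's code. The 60-second Deep Visibility interval and the absence of a
PowerQuery limit come from the wiki page; everything else is this example's design.
"""
import time
from typing import Callable, List, Optional

DV_MIN_INTERVAL_SECONDS = 60.0  # Deep Visibility: one request per minute
PQ_MIN_INTERVAL_SECONDS = 0.0   # PowerQuery: no rate limit


class PacedSubmitter:
    """Serialises submissions so consecutive calls are at least
    `min_interval` seconds apart, sleeping as needed before each send."""

    def __init__(self, min_interval: float,
                 clock: Callable[[], float] = time.monotonic,
                 sleeper: Callable[[float], None] = time.sleep) -> None:
        self.min_interval = min_interval
        self._clock = clock
        self._sleep = sleeper
        self._last_sent: Optional[float] = None

    def wait_time(self) -> float:
        """Seconds to wait before the next submission is allowed."""
        if self._last_sent is None or self.min_interval <= 0:
            return 0.0
        elapsed = self._clock() - self._last_sent
        return max(0.0, self.min_interval - elapsed)

    def submit(self, send: Callable[[], object]) -> object:
        """Wait if required, record the send time, then run `send`."""
        delay = self.wait_time()
        if delay > 0:
            self._sleep(delay)
        self._last_sent = self._clock()
        return send()


def simulate_schedule(min_interval: float, n_requests: int) -> List[float]:
    """Drive a PacedSubmitter with a fake clock and return the simulated
    send times, so the spacing can be checked without real sleeping."""
    now = [0.0]

    def clock() -> float:
        return now[0]

    def sleeper(seconds: float) -> None:
        now[0] += seconds  # advancing the fake clock stands in for sleeping

    pacer = PacedSubmitter(min_interval, clock=clock, sleeper=sleeper)
    sent_at: List[float] = []
    for _ in range(n_requests):
        pacer.submit(lambda: sent_at.append(clock()))
    return sent_at


if __name__ == "__main__":
    print("Deep Visibility:", simulate_schedule(DV_MIN_INTERVAL_SECONDS, 3))
    print("PowerQuery:     ", simulate_schedule(PQ_MIN_INTERVAL_SECONDS, 3))
```

In a real client the `send` callable would be the Deep Visibility API request; the pacer only guarantees spacing, it does not retry on a server-side throttle response.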