SentinelOne - Resolved/unresolved Threats
Steven King
Adjust as needed - working on some reporting KPI metrics and wanted to share. Credit to support for the query!
Current unresolved threats

Threats[? time_since(threatInfo.createdAt, `days`) < `30` && threatInfo.incidentStatus == 'unresolved'].{"Threat Name": threatInfo.threatName, Path: threatInfo.filePath, Status: threatInfo.incidentStatusDescription} | length(@)

Unresolved threats over 30d

Threats[? time_since(threatInfo.createdAt, `days`) > `30` && threatInfo.incidentStatus == 'unresolved'].{"Threat Name": threatInfo.threatName, Path: threatInfo.filePath, Status: threatInfo.incidentStatusDescription} | length(@)

Resolved threats last 30d

Threats[? time_since(threatInfo.createdAt, `days`) < `30` && threatInfo.incidentStatus == 'resolved'].{"Threat Name": threatInfo.threatName, Path: threatInfo.filePath, Status: threatInfo.incidentStatusDescription} | length(@)
Jared Meidal
I found the need to add backticks to the syntax for this to work for me
Threats[? time_since(threatInfo.createdAt, `days`) < `30`] | length(@)
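To sanity-check what the three KPI queries above (and the trimmed one in the reply) actually count, here is an added Python example that is not from the original post, from SentinelOne or from the reporting tool: it builds constructed records shaped like SentinelOne threat objects, re-implements the query's time_since() and the filter-plus-projection in plain Python, and shows that the `< 30` and `> 30` buckets between them skip an unresolved threat created exactly 30 days ago. The pinned "now", the sample threats and the whole-day rounding of time_since() are assumptions.

```python
from datetime import datetime, timedelta, timezone
# Pinned "now" so the 30-day arithmetic is reproducible (an assumption).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

def _threat(name, path, status, age_days):
    """Constructed record shaped like a SentinelOne threat object (threatInfo fields only)."""
    created = NOW - timedelta(days=age_days)
    return {"threatInfo": {
        "threatName": name, "filePath": path, "incidentStatus": status,
        "incidentStatusDescription": status.capitalize(),
        "createdAt": created.strftime("%Y-%m-%dT%H:%M:%S.%fZ")}}
# Constructed sample data; the last entry sits exactly on the 30-day boundary.
THREATS = [
    _threat("Mimikatz", "C:\\Temp\\m.exe", "unresolved", 3),
    _threat("EICAR-Test-File", "C:\\Temp\\eicar.com", "unresolved", 45),
    _threat("Trojan.Generic", "C:\\Users\\a\\x.dll", "resolved", 10),
    _threat("PUA.Tool", "D:\\Downloads\\t.exe", "unresolved", 30),
]

def time_since(created_at, unit="days"):
    """Whole units elapsed since createdAt, standing in for the query's time_since()."""
    created = datetime.strptime(created_at, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return int((NOW - created).total_seconds()) // {"days": 86400, "hours": 3600}[unit]

def select(threats, status, older_than=None, newer_than=None):
    """Filter on status and age, then project the three report columns,
    mirroring Threats[? ...].{"Threat Name": ..., Path: ..., Status: ...}."""
    rows = []
    for t in threats:
        info = t["threatInfo"]
        age = time_since(info["createdAt"])
        if info["incidentStatus"] != status:
            continue
        if older_than is not None and not age > older_than:  # the query's > `30`
            continue
        if newer_than is not None and not age < newer_than:  # the query's < `30`
            continue
        rows.append({"Threat Name": info["threatName"], "Path": info["filePath"],
                     "Status": info["incidentStatusDescription"]})
    return rows

def kpis(threats):
    """The post's three counts, plus unresolved threats that neither age bucket counts."""
    return {
        "unresolved_under_30d": len(select(threats, "unresolved", newer_than=30)),
        "unresolved_over_30d": len(select(threats, "unresolved", older_than=30)),
        "resolved_under_30d": len(select(threats, "resolved", newer_than=30)),
        # < 30 and > 30 both exclude an age of exactly 30 days; surface that gap.
        "unresolved_uncounted": sum(t["threatInfo"]["incidentStatus"] == "unresolved"
                                    and time_since(t["threatInfo"]["createdAt"]) == 30
                                    for t in threats),
    }
```

If the over-30d bucket should include the boundary day, change its comparison to `>= \`30\`` so the two unresolved counts partition the set.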