7RedViolin / pySigma-backend-sentinelone

pySigma SentinelOne backend
MIT License

Fields not up to date? #11

Open svinusje opened 5 months ago

svinusje commented 5 months ago

When I have a look at the fields the pySigma-backend-sentinelone is generating, it seems to use the old syntax.

For example: TgtFileLocation has become tgt.file.path, TgtFileIsSigned has become tgt.file.isSigned, ...

Can you have a look at the new naming please?

ghost commented 4 months ago

Hi @svinusje, SentinelOne Query Language is being deprecated by S1 itself; as per updates and product release notes they seem to be moving to Power Query, so you should take a look at https://github.com/7RedViolin/pySigma-backend-sentinelone-pq

svinusje commented 4 months ago

@fanavarr in which release notes/updates did you read this? This query language is even included in one of their newest features (correlation searches). And also the S1 engineers I talked with are not aware that the query language will be deprecated. Only the old language will be deprecated with the 2.0 language, which contains a rename of the fields as I stated in my first post.

ghost commented 4 months ago

Hi @svinusje, you are right, bad choice of words from my end. I meant that PQ is being used more with the Dataset/Scalyr acquisition, which brings more querying capabilities, but you are right. I do apologize if my comment caused you any inconvenience.