[FR] SentinelOne PowerQuery Performance

[rc-csmith]

Which category is the feature part of?

• [ ] Definition File
• [x] Code/Logic Feature
• [ ] Other (please explain)

Which product is the feature part of?

• [ ] All Products
• [ ] Carbon Black Response
• [ ] Carbon Black Threat Hunter
• [ ] Defender for Endpoints
• [x] SentinelOne
• [ ] Cortex
• [ ] Other

Use Cases

Proposal

When using a definition file, each individual entry is treated as a single query. For example, the following definition file will generate three individual queries that will require at least three separate API calls. Instead, it could all be merged into a single query and reduce the number of API calls.

Example definition file:

{
  "programA":{
    "process_name":["cmd.exe"],
    "cmdline":["/c powershell.exe"],
    "filemod":["powershell_log.exe"]
  }
}

Current queries that get generated

tgt.process.name in ("cmd.exe")
tgt.process.command_line in ("/c powershell.exe")
tgt.file.path in ("powershell_log.exe")

Proposed change

tgt.process.name in ("cmd.exe") or tgt.process.command_line in ("/c powershell.exe") or tgt.file.path in ("powershell_log.exe")

Additional Context

N/A