
Fields not up to date? #11

Open
svinusje opened this issue Jun 14, 2024 · 3 comments

Comments

@svinusje

When I have a look at the fields the pySigma-backend-sentinelone is generating, it seems to use the old syntax.

For example: TgtFileLocation has become tgt.file.path, TgtFileIsSigned has become tgt.file.isSigned, ...

Can you have a look at the new naming please?
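An added helper to illustrate the rename described in this post (it is not code from pySigma-backend-sentinelone): it rewrites legacy SentinelOne Query Language field names into the 2.0 dotted names, leaves quoted values untouched, and reports CamelCase identifiers it has no mapping for, so a maintainer can see which fields a backend still emits in the old syntax. The mapping table contains only the two renames quoted above; the sample query is constructed.

```python
import re

# Legacy SentinelOne Query Language field -> 2.0 dotted field name.
# Only the two renames quoted in this issue are listed; extend the table
# from SentinelOne's own field reference before converting real rules.
LEGACY_TO_V2 = {
    "TgtFileLocation": "tgt.file.path",
    "TgtFileIsSigned": "tgt.file.isSigned",
}

# A double- or single-quoted literal (backslash escapes allowed) or a bare
# identifier. Literals come first in the alternation so that a field name
# appearing inside a value (e.g. a file path) is never rewritten.
_TOKEN = re.compile(
    r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[A-Za-z_][A-Za-z0-9_]*'
)


def rewrite_fields(query, mapping=LEGACY_TO_V2):
    """Return (new_query, unmapped).

    unmapped lists identifiers that look like legacy field names (CamelCase,
    leading upper-case letter, not an all-caps keyword such as AND/OR) but
    have no entry in mapping, i.e. renames the table still lacks.
    """
    unmapped = []

    def sub(match):
        tok = match.group(0)
        if tok[0] in "\"'":
            return tok                      # quoted value: leave untouched
        if tok in mapping:
            return mapping[tok]             # known legacy field: rename
        if tok[0].isupper() and not tok.isupper() and tok not in unmapped:
            unmapped.append(tok)            # legacy-looking, no mapping yet
        return tok

    return _TOKEN.sub(sub, query), unmapped


if __name__ == "__main__":
    # Constructed sample query in the old syntax; the path value deliberately
    # contains a field name to show it is not rewritten inside a literal.
    sample = 'TgtFileLocation = "C:\\tmp\\TgtFileLocation.exe" AND TgtFileIsSigned = "false"'
    new_query, missing = rewrite_fields(sample)
    print(new_query)
    print("unmapped legacy-looking fields:", missing)
```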

@ghost

ghost commented Jul 2, 2024

Hi @svinusje , SentinelOne Query Language is being deprecated by S1 itself, as per updates and products release notes they seem to be moving to Power Query, so you should take a look at https://github.com/7RedViolin/pySigma-backend-sentinelone-pq

@svinusje
Author

@fanavarr in which release notes/updates did you read this? This query language is even included in one of their newest features (correlation searches). And also the S1 engineers I talked with are not aware that the query language will be deprecated. Only the old language will be deprecated with the 2.0 language, which contains a rename of the fields as I stated in my first post.

@ghost
Copy link

ghost commented Jul 10, 2024

Hi @svinusje, you are right, bad choice of words from my end. I meant that PQ is being used more with the DataSet/Scalyr acquisition, which brings more querying capabilities, but you are right. I do apologize if my comment caused you any inconvenience.
