sentinelone-star-custom-rules

Enumerate STAR custom detection rules in the SentinelOne service.

sentinelone-star-custom-rules [profile=PROFILE]

profile=PROFILE: Connect profile code of SentinelOne

Output Fields

Field	Type	Name	Description
profile	String	Connect profile	e.g. sentinelone
rule_id	String	Rule ID	e.g. 1234567890123456789
rule_name	String	Rule name	e.g. AI Assistant Detected
severity	String	Severity	e.g. Critical, High, Medium, Low
status	String	Status	e.g. Active, Draft, Activating, Disabled
status_reason	String	Status reason	e.g. Rule was activated by admin@example.com
query_type	String	Query type	e.g. events, processes
query_lang	String	Query language	e.g. 1.0, 2.0
s1ql	String	S1QL query	e.g. event.type = 'Process Creation' and (src.process.cmdline ...
description	String	Description	e.g. AI Assistant Behavioral Detection
scope_hierarchy	String	Scope hierarchy	e.g. global, account, site, group
scope_name	String	Scope name
account_id	String	Account ID
account_name	String	Account name
site_id	String	Site ID
site_name	String	Site name
generated_alerts	Integer	Generated alerts	e.g. 2
last_alert_time	Date	Last alert time	e.g. 2026-05-05 22:22:22+0900
treat_as_threat	String	Treat as threat	e.g. Malicious
network_quarantine	Boolean	Network quarantine	e.g. false
active_response	Boolean	Active response	e.g. true
expiration_mode	String	Expiration mode	e.g. Permanent, Temporary
expiration_date	Date	Expiration date	e.g. 2025-10-28 00:00:00+0900
is_expired	Boolean	Expired	e.g. false
is_editable	Boolean	Editable	e.g. false
reached_limit	Boolean	Reached alert limit	e.g. false
creator	String	Creator	e.g. admin@example.com
creator_id	String	Creator ID	e.g. 1234567890123456789
updater_id	String	Updater ID	e.g. 1234567890123456789
template_rule_id	String	Template rule ID
created	Date	Created time	e.g. 2026-02-12 09:29:58+0900
updated	Date	Updated time	e.g. 2026-04-28 16:52:59+0900