Merge pull request #11678 from Azure/v-sabiraj-SentinelOneAnalyticrule

Updating Analytic rule with correct Activity type

Author: v-prasadboke

Solutions/SentinelOne/Analytic Rules/SentinelOneAgentUninstalled.yaml

@@ -18,14 +18,13 @@ relevantTechniques:
   - T1070
 query: | 
   SentinelOne
-  | where ActivityType == 31
+  | where ActivityType == 51
   | summarize count() by DataComputerName, bin(TimeGenerated, 30m)
   | where count_ > 1
-  | extend HostCustomEntity = DataComputerName
 entityMappings:
   - entityType: Host
     fieldMappings:
       - identifier: HostName
-        columnName: HostCustomEntity
-version: 1.0.1
+        columnName: DataComputerName
+version: 1.0.2
 kind: Scheduled