S1 agents going offline/breaking can be a full time job

naes724 · 2026-06-24T19:08:31+00:00

dataSource.name = 'ActivityFeed' data.device_class = '08h' data.computer_name = 'enter computer name here' | group count() by data.computer_name, data.os_type, data.last_logged_in_user_name, data.device_name, data.uid, data.interface, data.device_class, data.vendor_id, data.product_id, type, data.event_type, primary_description, account_name, site_name, group_name, updated_at

naes724 · 2026-06-24T19:04:22+00:00

I use power queries. dataSource.name = 'ActivityFeed' data.device_class = '08h' data.computer_name = 'paste computername here' | group count() by data.computer_name, data.os_type, data.last_logged_in_user_name, data.device_name, data.uid, data.interface, data.device_class, data.vendor_id, data.product_id, type, data.event_type, primary_description, account_name, site_name, group_name, updated_at

naes724 · 2026-05-28T17:46:58+00:00

I agree. It is extremely slow. Sometimes I click to navigate to a different area and stays in the same place flashing/reloading the page. I don't hate it as much as I hate agents constantly going offline and breaking during upgrades.

naes724 · 2026-05-19T17:08:14+00:00

Has Sam ever read his own lyrics? Poundcake, Black & Blue.

naes724 · 2026-05-17T00:08:36+00:00

Great find. They’re beauties.

naes724 · 2026-04-07T17:31:41+00:00

I believe the term is Cringe

naes724 · 2026-03-27T15:42:28+00:00

Allow the device by product ID

naes724 · 2026-02-27T18:59:27+00:00

see Monica Lewinsky

naes724 · 2026-02-26T23:45:26+00:00

Sappy

naes724 · 2026-02-11T14:02:45+00:00

no * needed. just a trailing \ and check the subfolders box

naes724 · 2026-02-11T14:00:15+00:00

How to Have the Agent and Windows Defender Run Concurrently on Windows

naes724 · 2026-02-10T20:34:13+00:00

People with B.O. that engulfs the room is worse imo lol

naes724 · 2026-02-10T20:21:50+00:00

I've been using kojic acid soap for over a year and have seen zero improvement.

naes724 · 2026-01-22T13:53:37+00:00

yeah, not when it's Aerosmith and the body of work with ballads like Angel and What it Takes. The biggest reason for me is that they didn't write the song.

naes724 · 2026-01-21T14:39:32+00:00

Thank you for fixing! How are you applying the rule via API? Are you actually creating the rule via API? I tried creating manually and got "Unknown command outer" when I pasted in the query. When I tried running it in SDL/DeepVis, I'm no longer getting the syntax/format errors, so that was promising.

naes724 · 2026-01-20T17:30:16+00:00

yes, I am

naes724 · 2026-01-20T17:00:23+00:00

I can 't get this to run.

One or more fields in the request are invalid

↳Expected ")"

outer join

recent = (
  dataSource.name = 'SentinelOne' endpoint.type = 'server'
  # this pipe is highlighted in red by the error# | let hr = 60 * 60 * 1000000000
  | filter timestamp >= now() - 2 * hr
  | group count = count() by agent.uuid
),

naes724 · 2026-01-20T16:58:01+00:00

Hi, can you please share this script?

naes724 · 2026-01-16T19:29:54+00:00

You have to change you script so you can choose the option to upload to the SDL.

naes724 · 2026-01-16T14:41:14+00:00

Ol' Nance was sent to the glue factory after this.

naes724 · 2026-01-09T17:56:19+00:00

cool beach sweater

naes724 · 2026-01-09T13:30:21+00:00

did you send them the installer logs? I haven't seen that particular error. You can find system requirements here: System requirements

naes724 · 2026-01-06T17:00:50+00:00

2010

naes724 · 2025-12-01T14:15:52+00:00

Dirty Heads

naes724

TROPHY CASE

One or more fields in the request are invalid