Query: Highlight timeline entries with user involvement

Description

This query helps identify timeline events where user interaction played a role through direct actions such as threat mitigation, policy changes, or command execution. By isolating events tied to specific user accounts, security teams can better understand human involvement in the lifecycle of a threat, verify authorized activity, and support audit and compliance requirements.

Query

Tables used in this query:

SQL