This is the SentinelOne backend for pySigma. It provides the package sigma.backends.sentinelone with the SentinelOneBackend class.
Further, it contains the processing pipelines in sigma.pipelines.sentinelone for field renames and error handling. This pipeline is automatically applied to SigmaRule and SigmaCollection objects passed to the SentinelOneBackend class.
It supports the following output formats:
- default: plain SentinelOne Deep Visibility queries
- json: JSON formatted SentinelOne Deep Visibility queries that include the query, rule name, rule ID, and rule description
This backend is currently maintained by:
This can be installed via pip from PyPI or using pySigma's plugin functionality.

Via pip:

```bash
pip install pysigma-backend-sentinelone
```

Via pySigma's plugin directory:

```python
from sigma.plugins import SigmaPluginDirectory

plugins = SigmaPluginDirectory.default_plugin_directory()
plugins.get_plugin_by_id("sentinelone").install()
```

Usage with sigma-cli:

```bash
sigma convert -t sentinelone proc_creation_win_office_onenote_susp_child_processes.yml
```

Usage from Python with pySigma (the YAML nesting below must be indented as shown, otherwise SigmaRule.from_yaml cannot parse the logsource and detection sections):

```python
from sigma.backends.sentinelone import SentinelOneBackend
from sigma.rule import SigmaRule

rule = SigmaRule.from_yaml("""
title: Invoke-Mimikatz CommandLine
status: test
logsource:
    category: process_creation
    product: windows
detection:
    sel:
        CommandLine|contains: Invoke-Mimikatz
    condition: sel""")

# The pipeline is applied automatically; convert_rule returns a list of queries.
backend = SentinelOneBackend()
print(backend.convert_rule(rule)[0])
```

- Backend uses Deep Visibility syntax
- Pipeline uses Deep Visibility field names
- Pipeline supports the `linux`, `windows`, and `macos` product types
- Pipeline supports the following category types for field mappings: `process_creation`, `file_event`, `file_change`, `file_rename`, `file_delete`, `image_load`, `pipe_creation`, `registry_add`, `registry_delete`, `registry_event`, `registry_set`, `dns_query`, `dns`, `network_connection`, `firewall`
- Any unsupported fields or categories will throw errors