pySigma-backend-sentinelone-pq

pySigma SentinelOne PQ Backend

This is the SentinelOne PowerQuery (PQ) backend for pySigma. It provides the package sigma.backends.sentinelone with the SentinelOnePQBackend class. Further, it contains the processing pipelines in sigma.pipelines.sentinelone for field renames and error handling. This pipeline is automatically applied to SigmaRule and SigmaCollection objects passed to the SentinelOnePQBackend class.

It supports the following output formats:

• default: plaintext queries
• json: JSON formatted queries that includes the query, rule name, rule ID, and rule description

This backend is currently maintained by:

• Cori Smith

Installation

This can be install via pip from PyPI or using pySigma's plugin functionality

PyPI

pip install pysigma-backend-sentinelone-pq

pySigma

from sigma.plugins import SigmaPluginDirectory
plugins = SigmaPluginDirectory.default_plugin_directory()
plugins.get_plugin_by_id("sentinelone_pq").install()

Usage

sigma-cli

sigma convert -t sentinelone_pq proc_creation_win_office_onenote_susp_child_processes.yml

pySigma

from sigma.backends.sentinelone_pq import SentinelOnePQBackend
from sigma.rule import SigmaRule

rule = SigmaRule.from_yaml("""
title: Invoke-Mimikatz CommandLine
status: test
logsource:
    category: process_creation
    product: windows
detection:
    sel:
        CommandLine|contains: Invoke-Mimikatz
    condition: sel""")


backend = SentinelOnePQBackend()
print(backend.convert_rule(rule)[0])

Side Notes & Limitations

• Backend uses PowerQuery syntax
• Pipeline uses PowerQuery field names
• Pipeline supports linux, windows, and macos product types
• Pipeline supports the following category types for field mappings
  • process_creation
  • file_event
  • file_change
  • file_rename
  • file_delete
  • image_load
  • pipe_creation
  • registry_add
  • registry_delete
  • registry_event
  • registry_set
  • dns_query
  • dns
  • network_connection
  • firewall
• Any unsupported fields or categories will throw errors