Scripts stolen and heavily based on rcegan/ConvertSigmaRepo2KQL, played by GitHub Actions that converts Sigma rules to SentinelOne PowerQuery via PySigma.
Firstly, modify the 'rules_directory' variable to reflect the location of your Sigma process creation rules. If using in CI/CD and you're cloning the Sigma repo in each time, you can leave this value as-is.
Next, modify the 'output_directory' to match whichever folder you want the rules to be dumped into. Expect over 1000+ results.
| Datasource | Rule type | Platform | 3rd level | Status |
|---|---|---|---|---|
| SigmaHQ | rules-threat-hunting | cloud | 2 folders | ❌ Not applicable |
| SigmaHQ | rules-threat-hunting | linux | file_event | |
| SigmaHQ | rules-threat-hunting | linux | process_creation | |
| SigmaHQ | rules-threat-hunting | macos | file_event | |
| SigmaHQ | rules-threat-hunting | macos | process_creation | |
| SigmaHQ | rules-threat-hunting | web | proxy_generic | ❌ Not applicable |
| SigmaHQ | rules-threat-hunting | windows | builtin | |
| SigmaHQ | rules-threat-hunting | windows | create_remote_threat | |
| SigmaHQ | rules-threat-hunting | windows | file | |
| SigmaHQ | rules-threat-hunting | windows | image_load | |
| SigmaHQ | rules-threat-hunting | windows | network_connection | |
| SigmaHQ | rules-threat-hunting | windows | pipe_created | |
| SigmaHQ | rules-threat-hunting | windows | powershell | |
| SigmaHQ | rules-threat-hunting | windows | process_access | ✅ Implemented |
| SigmaHQ | rules-threat-hunting | windows | process_creation | ✅ Implemented |
| SigmaHQ | rules-threat-hunting | windows | registry | |
| SigmaHQ | rules | application | 10 folders | ❌ Not applicable |
| SigmaHQ | rules | category | 2 folders | ❌ Not applicable |
| SigmaHQ | rules | cloud | 9 folders | ❌ Not applicable |
| SigmaHQ | rules | compliance | N/A | ❌ Not applicable |
| SigmaHQ | rules | linux | auditd | |
| SigmaHQ | rules | linux | builtin | |
| SigmaHQ | rules | linux | file_event | |
| SigmaHQ | rules | linux | network_connection | |
| SigmaHQ | rules | linux | process_creation | ✅ Implemented |
| SigmaHQ | rules | macos | file_event | ✅ Implemented |
| SigmaHQ | rules | macos | process_creation | ✅ Implemented |
| SigmaHQ | rules | network | cisco | ❌ Not applicable |
| SigmaHQ | rules | network | dns | |
| SigmaHQ | rules | network | firewall | |
| SigmaHQ | rules | network | huawei | ❌ Not applicable |
| SigmaHQ | rules | network | juniper | ❌ Not applicable |
| SigmaHQ | rules | network | zeek | ❌ Not applicable |
| SigmaHQ | rules | web | 3 folders | ❌ Not applicable |
| SigmaHQ | rules | windows | builtin | |
| SigmaHQ | rules | windows | create_remote_threat | |
| SigmaHQ | rules | windows | dns_query | ✅ Implemented |
| SigmaHQ | rules | windows | driver_load | ❌ Not applicable |
| SigmaHQ | rules | windows | file | |
| SigmaHQ | rules | windows | image_load | ✅ Implemented |
| SigmaHQ | rules | windows | network_connection | |
| SigmaHQ | rules | windows | pipe_created | |
| SigmaHQ | rules | windows | powershell | |
| SigmaHQ | rules | windows | process_access | |
| SigmaHQ | rules | windows | process_creation | ✅ Implemented |
| SigmaHQ | rules | windows | process_tampering | |
| SigmaHQ | rules | windows | raw_access_thread | |
| SigmaHQ | rules | windows | registry | ✅ Implemented |
| SigmaHQ | rules | windows | sysmon | ❌ Not applicable |
| SigmaHQ | rules | windows | wmi_event | ❌ Not applicable |
| Category | Operating System | Destination Folder | Last GitHub Actions execution status |
|---|---|---|---|
| SigmaHQ | rules-threat-hunting | Windows | S1PQ - Threat Hunting - Windows - Process Creation |
| SigmaHQ | rules | Linux | S1PQ - Linux - Network Connection |
| SigmaHQ | rules | Linux | S1PQ - Linux - Process Creation |
| SigmaHQ | rules | MacOS | S1PQ - MacOS - File Event |
| SigmaHQ | rules | MacOS | S1PQ - MacOS - Process Creation |
| SigmaHQ | rules | Windows | S1PQ - Windows - DNS Query |
| SigmaHQ | rules | Windows | S1PQ - Windows - Image Load |
| SigmaHQ | rules | Windows | S1PQ - Windows - Process Creation |
| SigmaHQ | rules | Windows | S1PQ - Windows - Registry |
For GitHub Workflow, you can find an example of workflow here: [Example Workflow.md](Example Workflow.md)
To see what result sigma-to-s1pq-converter-win_process_creation_markdown.py is generating, please look at [SentinelOne_PQ - Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md](SentinelOne_PQ - Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md)
-
Python Environment: Ensure you have Python installed on your system. You can download it from python.org.
-
Required Libraries: os: This is a standard library in Python, so no additional installation is needed. datetime: Also a standard library in Python. sigma.rule: This is part of the Sigma project. You need to install the Sigma library. sigma.backends.sentinelone_pq: This is a specific backend for Sigma, so you need to install the Sigma backends.
You can install the Sigma library and its backends using pip:
pip install sigma pip install sigma-backends
-
Sigma Rules Directory: Ensure you have a directory containing Sigma rule files in YAML format. The script expects these files to be located in sigma/rules/windows/process_creation/.
-
Output Directory: The script creates an output directory named SentinelOne_PQ - Windows Process Creation if it doesn’t already exist. Ensure you have the necessary permissions to create directories and write files in the specified location.
-
File Handling: The script reads and writes files, so make sure the paths specified in rules_directory and output_directory are correct and accessible.
-
Error Handling: The script includes basic error handling to catch exceptions during file processing. Ensure you have proper error logging or handling mechanisms in place if you plan to run this script in a production environment.
-
GitHub Account: Ensure you have a GitHub account and a repository where you can add this workflow.
-
GitHub Actions: Enable GitHub Actions in your repository settings.
-
Python Environment: The workflow sets up Python 3.10 using the actions/setup-python action. Ensure your script (sigma-to-s1pq-converter-win_process_creation_markdown.py) is compatible with Python 3.10.
-
Required Libraries:
sigma-cli: This is installed using pip install sigma-cli.
sigma-cli pipelines: Installed using sigma plugin install sentinelone-pq.
-
Sigma Repository: The workflow clones the Sigma repository from GitHub. Ensure you have internet access to clone the repository.
-
Permissions: The workflow requires write permissions to the repository contents to commit and push changes.
-
Cron Schedule: The workflow is scheduled to run daily at midnight. Ensure the cron syntax ("0 0 * * *") is correct for your desired schedule.
-
Directory Structure: The workflow creates a directory named S1PQ - Windows Process Creation in the GitHub workspace. Ensure your script handles paths correctly and writes output to this directory.
-
GitHub Actions:
- actions/checkout@v4.2.0: Used to check out the repository code.
- actions/setup-python@v4.7.1: Used to set up the Python environment.
- stefanzweifel/git-auto-commit-action@v5: Used to commit and push changes automatically.
-
Script Execution: Ensure your script (sigma-to-s1pq-converter-win_process_creation_markdown.py) is present in the repository and executable.
Many thanks to: