[FR] Add Sigma Support for Product SentinelOne in PowerQuery mode - Githubissues

redcanaryco / surveyor

A cross-platform baselining, threat hunting, and attack surface analysis tool for security teams.

MIT License

166 stars 62 forks source link

[FR] Add Sigma Support for Product SentinelOne in PowerQuery mode #140

Closed rc-csmith closed 10 months ago

rc-csmith commented 11 months ago

Which category is the feature part of?

[ ] Definition File
[x] Code/Logic Feature
[ ] Other (please explain)

Which product is the feature part of?

[ ] All Products
[ ] Carbon Black Response
[ ] Carbon Black Threat Hunter
[ ] Defender for Endpoints
[x] SentinelOne
[ ] Cortex
[ ] Other

Use Cases

Sigma support for SentinelOne is only available for Deep Visibility which is slower and less accurate than PowerQuery.

Proposal

Add support for SentinelOne PowerQuery since it is now available in the pySigma plugin directory: https://github.com/SigmaHQ/pySigma-plugin-directory/blob/main/pySigma-plugins-v1.json

Additional Context

N/A