Of course. To establish a rigid and scalable process for creating security detection rules, you can define five distinct roles. This model separates the development lifecycle into specialized phases, ensuring quality control, focus, and clear handoffs at each stage.
This structure is highly effective in a multi-customer environment like yours, as it allows for parallel development and consistent quality across different client needs.
| import re | |
| def transform_detection_fields(text_block: str) -> str: | |
| """ | |
| Transforms specific .key and .value field patterns into a single line. | |
| It looks for pairs of lines like: | |
| security_result.detection_fields.key = "Status" | |
| security_result.detection_fields.value = "inProgress" |
| from datetime import date, timedelta | |
| def get_date_range(): | |
| """ | |
| Calculates and returns date strings for 30 days prior to and 30 days after the current date. | |
| Returns: | |
| tuple: A tuple containing two strings: | |
| - The date 30 days ago (YYYY-MM-DD). | |
| - The date 30 days from now (YYYY-MM-DD). |
These indicators focus on detecting anomalous cloud application and identity behavior.
Cloud Audit / Identity Logs:
Indicator: New OAuth application granted high-risk permissions (e.g., Mail.ReadWrite, Contacts.Read, full_access) by an unusual user or at an odd time.
Indicator: A service principal or application credential is created and used within a short timeframe from a new or suspicious location.
| <# | |
| .SYNOPSIS | |
| Creates or updates a registry value to change the default File Explorer view. | |
| .DESCRIPTION | |
| This script sets the "LaunchTo" DWORD value in the Windows Registry for the current user. | |
| This specific value controls what File Explorer opens to by default. | |
| - Path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | |
| - Name: LaunchTo | |
| - Type: DWORD |
The key to creating meaningful detections from SentinelOne's Threats API is to construct your own severity and priority model based on the context provided in the threatInfo object. Instead of a single severity field, you'll use a combination of data points to build a more nuanced understanding of the threat.
Here are the key threatInfo fields to focus on and how to use them to assign a severity level:
| threatInfo Field | How to Use for Severity |
|---|---|
| confidenceLevel | Primary Severity Indicator. This is your most important field. SentinelOne's confidence is a strong indicator of maliciousness. |
| - Malicious: Highest severity. The AI has high confidence the activity is malicious. | |
| - Suspicious: Medium to high severity. Requires investigation as it could be a precursor to an attack or a legitimate but unusual admin activity. |
python3 -m venv venv
source venv/bin/activate
touch requirements.txt
pip install -r requirements.txt