From Sigma to SentinelOne: Detecting Password Access via Notepad with Uncoder AI

How It Works

The Sigma rule shown is designed to detect Notepad opening files whose names suggest password storage, which may indicate unauthorized credential access or other suspicious behavior on Windows systems.

Left Panel – Sigma Rule:

  • Looks for process creation events where:
    • Parent process is explorer.exe
    • Child process is notepad.exe
    • Command line contains strings like password*.txt, password*.csv, etc.
  • Tagged under MITRE technique T1083 (File and Directory Discovery)
  • Uses process_creation telemetry from Windows


Right Panel – SentinelOne Query:

Uncoder AI automatically translates the detection into SentinelOne Event Query syntax:

  (SrcProcImagePath ContainsCIS "explorer.exe" AND
   TgtProcImagePath ContainsCIS "notepad.exe" AND
   (TgtProcCmdLine ContainsCIS "password.txt" OR ...))

It maps:

  • Parent/child process relationships
  • Command line pattern matching (case-insensitive string matching via ContainsCIS)
  • Wildcards and multiple extensions

This translation is ready to deploy in SentinelOne for threat hunting or real-time alerting.
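To make the Sigma logic in the left panel and the translated query in the right panel concrete, here is an added Python example (not code from the page, SOC Prime, or Uncoder AI). It reconstructs the rule's detection section from the bullet points above (the field modifiers and the exact extension list are assumptions; the page names only password*.txt and password*.csv), evaluates it with Sigma's wildcard and case-insensitivity semantics against a few constructed process-creation events, and evaluates the visible SentinelOne fragment over the same events with ContainsCIS modelled as a case-insensitive substring test. Only the first command-line term of the SentinelOne query is visible on the page, so the fragment evaluator covers just that term; the comparison is the kind of replay a detection engineer would run against a translated query before deploying it.

```python
import re

# Detection section of the Sigma rule described on this page, reconstructed from
# the bullet points (the exact field modifiers and the full extension list are
# assumptions; the page names only password*.txt and password*.csv).
SIGMA_RULE = {
    "detection": {
        "selection": {
            "ParentImage|endswith": "\\explorer.exe",
            "Image|endswith": "\\notepad.exe",
            "CommandLine|contains": ["password*.txt", "password*.csv"],
        },
        "condition": "selection",
    }
}


def glob_to_regex(pattern: str) -> re.Pattern:
    """Sigma value semantics: '*' matches any run of characters, '?' one
    character, and comparison is case-insensitive."""
    out = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)


def field_matches(spec: str, values, event: dict) -> bool:
    """Evaluate one 'Field|modifier: value(s)' entry; list values are OR-ed."""
    field, _, modifier = spec.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    if isinstance(values, str):
        values = [values]
    wrap = {"": "{}", "contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}
    if modifier not in wrap:
        raise ValueError(f"unsupported Sigma modifier: {modifier}")
    return any(glob_to_regex(wrap[modifier].format(v)).fullmatch(actual) for v in values)


def sigma_matches(rule: dict, event: dict) -> bool:
    """All entries of a selection map are AND-ed; the page's condition is a single selection."""
    det = rule["detection"]
    selection = det[det["condition"]]
    return all(field_matches(spec, vals, event) for spec, vals in selection.items())


def to_sentinelone(event: dict) -> dict:
    """Field-name mapping from the Sigma process_creation schema to the
    SentinelOne field names shown on the page."""
    return {"SrcProcImagePath": event["ParentImage"],
            "TgtProcImagePath": event["Image"],
            "TgtProcCmdLine": event["CommandLine"]}


def sentinelone_fragment_matches(s1_event: dict) -> bool:
    """The SentinelOne fragment visible on the page, with ContainsCIS modelled as a
    case-insensitive substring test. Only the first command-line term is visible,
    so only that term is evaluated here; the elided OR terms are not reconstructed."""
    def contains_cis(haystack: str, needle: str) -> bool:
        return needle.lower() in haystack.lower()
    return (contains_cis(s1_event["SrcProcImagePath"], "explorer.exe")
            and contains_cis(s1_event["TgtProcImagePath"], "notepad.exe")
            and contains_cis(s1_event["TgtProcCmdLine"], "password.txt"))


# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\Desktop\password.txt'},
    {"id": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" D:\share\PASSWORDS_2024.csv'},
    {"id": 3, "ParentImage": r"C:\Windows\System32\cmd.exe",  # parent is not explorer.exe
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\temp\password.txt"},
    {"id": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'},  # benign file name
]


def run(events=EVENTS) -> dict:
    """Per event id, whether the Sigma logic fires and whether the visible
    SentinelOne fragment fires, so the two can be compared side by side."""
    return {e["id"]: (sigma_matches(SIGMA_RULE, e),
                      sentinelone_fragment_matches(to_sentinelone(e)))
            for e in events}


if __name__ == "__main__":
    for eid, (sigma_hit, s1_hit) in run().items():
        print(f"event {eid}: sigma={sigma_hit} sentinelone_fragment={s1_hit}")
```

Event 2 (an upper-case PASSWORDS_2024.csv) fires under the Sigma wildcard logic but not under the single visible ContainsCIS "password.txt" term, which is exactly why the elided OR terms matter: replaying the same constructed events through the source rule and the full translated query is the cheapest way to confirm that wildcard and multi-extension handling survived translation.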

Why It’s Innovative

Writing detection logic for SentinelOne manually requires:

  • Understanding SentinelOne’s schema and syntax
  • Replicating complex logic around process relationships and CLI content
  • Handling multiple matching conditions efficiently

Uncoder AI solves this by:

  • Automatically parsing Sigma YAML-based rules
  • Mapping fields and logic into SentinelOne’s query structure
  • Preserving semantic intent (process hierarchy + keyword matching)

This allows security teams to bring powerful behavioral detections into SentinelOne with no manual scripting.


Operational Value

This capability provides immediate benefits to detection engineers:

  • Rapid Sigma rule reuse across SentinelOne environments
  • Detection of unauthorized or risky credential access activity
  • Reduced engineering overhead with accurate cross-platform logic
  • Better visibility into file access patterns involving sensitive keywords

Uncoder AI transforms abstract detections into actionable endpoint queries, empowering proactive threat hunting in SentinelOne.

