
How It Works
The Sigma rule shown is designed to detect Notepad opening files with names suggesting password storage, which may indicate unauthorized credential access or suspicious behavior on Windows systems.
Left Panel – Sigma Rule:
- Looks for process creation events where:
  - Parent process is explorer.exe
  - Child process is notepad.exe
  - Command line contains strings like password*.txt, password*.csv, etc.
- Tagged under MITRE ATT&CK technique T1083 (File and Directory Discovery)
- Uses process_creation telemetry from Windows
Right Panel – SentinelOne Query:
Uncoder AI automatically translates the detection into SentinelOne Event Query syntax:
(SrcProcImagePath ContainsCIS "explorer.exe" AND
TgtProcImagePath ContainsCIS "notepad.exe" AND
(TgtProcCmdLine ContainsCIS "password.txt" OR ...))
It maps:
- Parent/child process relationships
- Command line pattern matching (case-insensitive string matching via ContainsCIS)
- Wildcards and multiple extensions
This translation is ready to deploy in SentinelOne for threat hunting or real-time alerting. Because ContainsCIS is a substring match (it fires on "explorer.exe" or "password.txt" wherever they appear in the path or command line), run the query against baseline telemetry first to gauge noise before turning it into an alert.
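The following is an added example, not code from SOC Prime, Uncoder AI or the original rule: it encodes the detection logic summarised above (explorer.exe spawning notepad.exe with a password-like file name on the command line), evaluates it with Sigma's case-insensitive `contains` semantics over a handful of constructed process_creation events, and emits the equivalent SentinelOne query using the field mapping visible in the post's right panel. The concrete value list, the field mapping dictionary, and the use of a RegExp operator for wildcard values (which ContainsCIS alone cannot express) are assumptions made here for illustration.

```python
"""Added example: run a reconstructed Sigma process_creation detection over
constructed Windows events and emit it as a SentinelOne query.
Not code from the original post; rule values and field mapping are assumptions."""
import re

# Reconstructed from the post's summary of the rule (the post does not show
# the full value list, so these entries are an assumption).
SIGMA_DETECTION = {
    "ParentImage|contains": "explorer.exe",
    "Image|contains": "notepad.exe",
    "CommandLine|contains": [
        "password.txt",
        "password*.txt",
        "password*.csv",
        "password*.xlsx",
    ],
}

# Sigma field -> SentinelOne field, as seen in the post's translated query.
FIELD_MAP = {
    "ParentImage": "SrcProcImagePath",
    "Image": "TgtProcImagePath",
    "CommandLine": "TgtProcCmdLine",
}

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\jdoe\Desktop\Passwords.txt'},
    {"id": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\jdoe\notes.txt'},
    {"id": 3, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe password.txt"},
    {"id": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" "D:\shared\db_PASSWORD_export.csv"'},
    {"id": 5, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": r'"C:\Program Files\Microsoft VS Code\Code.exe" passwords.txt'},
]


def _wildcard_regex(pattern: str) -> str:
    """Turn a Sigma value with `*` wildcards into a regex body (`*` -> `.*`)."""
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def value_matches(value: str, pattern: str) -> bool:
    """Sigma `contains`: case-insensitive substring; `*` matches any run of chars."""
    if "*" in pattern:
        return re.search(_wildcard_regex(pattern), value, re.IGNORECASE) is not None
    return pattern.lower() in value.lower()


def event_matches(event: dict, detection: dict = SIGMA_DETECTION) -> bool:
    """All fields must match (AND); a list of values matches if any value does (OR)."""
    for key, patterns in detection.items():
        field, _, modifier = key.partition("|")
        if modifier != "contains":
            raise ValueError(f"unsupported modifier: {modifier}")
        values = patterns if isinstance(patterns, list) else [patterns]
        if not any(value_matches(event.get(field, ""), p) for p in values):
            return False
    return True


def to_sentinelone(detection: dict = SIGMA_DETECTION) -> str:
    """Emit the SentinelOne query: ContainsCIS for literal values, and a RegExp
    term for values carrying `*` (assumption: the RegExp operator and the
    inline (?i) flag are accepted by the target query engine)."""
    clauses = []
    for key, patterns in detection.items():
        field = key.partition("|")[0]
        s1_field = FIELD_MAP[field]
        values = patterns if isinstance(patterns, list) else [patterns]
        terms = []
        for p in values:
            if "*" in p:
                terms.append(f'{s1_field} RegExp "(?i){_wildcard_regex(p)}"')
            else:
                terms.append(f'{s1_field} ContainsCIS "{p}"')
        clauses.append(terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")")
    return "(" + " AND ".join(clauses) + ")"


def hunt(events=SAMPLE_EVENTS) -> list:
    """Return the ids of sample events the detection fires on."""
    return [e["id"] for e in events if event_matches(e)]


if __name__ == "__main__":
    print("hits:", hunt())
    print(to_sentinelone())
```

Events 1 and 4 fire (a parent explorer.exe, a child notepad.exe, and a `password*.txt` / `password*.csv` name on the command line, matched case-insensitively), while event 3 is suppressed by the parent-process condition and event 5 by the child-process condition. The same traversal that evaluates the rule also renders it, which is the point of a field-and-operator mapping: the semantic intent (process hierarchy AND, value list OR) is preserved without rewriting the logic by hand.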
Why It’s Innovative
Writing detection logic for SentinelOne manually requires:
- Understanding SentinelOne’s schema and syntax
- Replicating complex logic around process relationships and CLI content
- Handling multiple matching conditions efficiently
Uncoder AI solves this by:
- Automatically parsing Sigma YAML-based rules
- Mapping fields and logic into SentinelOne’s query structure
- Preserving semantic intent (process hierarchy + keyword matching)
This allows security teams to bring powerful behavioral detections into SentinelOne with no manual scripting.
Operational Value
This capability provides immediate benefits to detection engineers:
- Rapid Sigma rule reuse across SentinelOne environments
- Detection of unauthorized or risky credential access activity
- Reduced engineering overhead with accurate cross-platform logic
- Better visibility into file access patterns involving sensitive keywords
Uncoder AI transforms abstract detections into actionable endpoint queries, empowering proactive threat hunting in SentinelOne.
The post From Sigma to SentinelOne: Detecting Password Access via Notepad with Uncoder AI appeared first on SOC Prime.