SCENARIO

Storyline Active Response (STAR) is SentinelOne's cloud-based automated hunting, detection, and response engine that allows security teams to create custom detection rules without requiring agent updates. STAR rules convert Deep Visibility queries into automated detections that trigger alerts and response actions when matches occur.

Use this guide when:

Creating custom detection rules for client-specific threats
Automating response to known attack patterns
Converting threat hunting queries into persistent detections
Building industry-specific or compliance-focused detections
Responding rapidly to emerging threats and zero-day IOCs
Reducing alert fatigue with high-fidelity custom rules

Prerequisites:

SentinelOne Singularity Complete license
Console access with Admin or IR Team role
Deep Visibility enabled in policy
Understanding of S1QL query syntax (see Deep Visibility guide)

Reference Documentation:

REQUIREMENTS & ASSUMPTIONS

Technical Requirements

Requirement	Details
SKU	Singularity Complete or higher
Console Role	Admin, IR Team, or SOC
Feature	STAR Custom Rules enabled
Max Rules	Up to 1,000 active STAR rules
Agent Version	4.2.x or newer recommended

STAR Rule Capabilities

What STAR Can Do:

Evaluate endpoint events in near real-time
Trigger alerts on query matches
Execute automated response actions (kill, quarantine)
Treat matches as suspicious or malicious threats
Deploy rules to entire fleet or specific scopes
Support 200+ telemetry attributes
Use regular expressions for pattern matching

What STAR Cannot Do:

Real-time blocking before execution (detection-based, not prevention)
Block by file name alone (hash-based blocking supported)
Replace behavioral AI engine (complementary, not replacement)
Prevent initial execution (responds after telemetry is collected)

Understanding STAR vs Other Features

Feature	Purpose	Timing
Static AI	Pre-execution file analysis	Before execution
Behavioral AI	Runtime behavior detection	During execution
STAR Rules	Custom pattern detection	After telemetry collection
Blacklist	Known-bad hash blocking	Before execution

STAR rules are best for detection and response rather than prevention. They complement the AI engines by adding custom detection logic for threats the AI hasn't seen.

STAR RULE ARCHITECTURE

How STAR Rules Work

┌─────────────────────────────────────────────────────────────────────┐
│                      STAR RULE PROCESSING FLOW                       │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│  ┌─────────────┐    ┌─────────────┐    ┌─────────────────────────┐ │
│  │  Endpoint   │───▶│   Agent     │───▶│  Singularity Data Lake  │ │
│  │  Activity   │    │  Telemetry  │    │  (Deep Visibility)      │ │
│  └─────────────┘    └─────────────┘    └───────────┬─────────────┘ │
│                                                     │               │
│                                                     ▼               │
│                                        ┌─────────────────────────┐ │
│                                        │   STAR Rules Engine     │ │
│                                        │   (Pattern Matching)    │ │
│                                        └───────────┬─────────────┘ │
│                                                     │               │
│                            ┌────────────────────────┼────────────┐ │
│                            │                        │            │ │
│                            ▼                        ▼            ▼ │
│                   ┌────────────────┐    ┌────────────┐  ┌───────┐ │
│                   │  Alert Only    │    │   Kill     │  │Quarant│ │
│                   │  (Notify SOC)  │    │  Process   │  │ -ine  │ │
│                   └────────────────┘    └────────────┘  └───────┘ │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘

Rule Components

STAR Rule Structure:
  # Identification
  Name: "Rule name (descriptive)"
  Description: "What this rule detects"
 
  # Scope
  Scope: Site | Group | Account
  Target Sites/Groups: [selected scopes]
 
  # Detection Logic
  Query: "S1QL query from Deep Visibility"
 
  # Classification
  Severity: Info | Low | Medium | High | Critical
  MITRE Tactic: [TA00XX]
  MITRE Technique: [T1XXX.XXX]
 
  # Response Configuration
  Treat as Threat: Yes | No
  Threat Type: Suspicious | Malicious
  Response Actions:
    - Alert Only
    - Kill Process
    - Network Quarantine
    - Remediate
    - Rollback
 
  # Status
  Status: Active | Disabled | Test Mode
  Expiration: None | Date

CREATING STAR RULES

Method 1: From Deep Visibility Query

Step-by-Step Process:

Navigate to Deep Visibility
- Console → Visibility → Deep Visibility

Write and Test Your Query

-- Example: Detect encoded PowerShell
EventType = "Process Creation" AND
SrcProcName = "powershell.exe" AND
SrcProcCmdLine ContainsCIS "-enc"

Run Query and Validate Results
- Execute the query
- Review results for false positives
- Refine query if needed
Create STAR Rule
- Click Create STAR Rule button
- Or: Click Save → Create Custom Rule
Configure Rule Settings
- Name: Descriptive name (e.g., "Encoded PowerShell Execution")
- Description: Purpose and detection logic explanation
- Scope: Select sites/groups to apply rule
- Severity: Select appropriate level
- MITRE Mapping: Select tactic and technique
Configure Response Actions
- Alert Only: Generate alert for SOC review
- Treat as Threat: Enable automated response
  - Suspicious: Uses suspicious threat policy
  - Malicious: Uses malicious threat policy
- Kill Process: Terminate matching process
- Network Quarantine: Isolate endpoint
Save and Activate
- Click Save
- Rule is immediately active (unless set to disabled)

Method 2: From STAR Rules Interface

Step-by-Step Process:

Navigate to STAR Rules
- Console → Sentinels → STAR Custom Rules tab
Click "New Rule"

Configure Rule

┌─────────────────────────────────────────────────────────────────┐
│ Create Custom Rule                                              │
├─────────────────────────────────────────────────────────────────┤
│ Name: [_______________________________________]                 │
│                                                                 │
│ Description: [_______________________________________________]  │
│              [_______________________________________________]  │
│                                                                 │
│ Scope: [Account ▼] Sites: [Select...] Groups: [Select...]      │
│                                                                 │
│ Query:                                                          │
│ ┌─────────────────────────────────────────────────────────────┐│
│ │ EventType = "Process Creation" AND                          ││
│ │ SrcProcName = "powershell.exe" AND                         ││
│ │ SrcProcCmdLine ContainsCIS "-enc"                          ││
│ └─────────────────────────────────────────────────────────────┘│
│                                                                 │
│ Severity: [Medium ▼]                                           │
│                                                                 │
│ MITRE ATT&CK:                                                  │
│   Tactic: [Execution ▼]                                        │
│   Technique: [T1059.001 - PowerShell ▼]                        │
│                                                                 │
│ Response:                                                       │
│   [✓] Alert                                                     │
│   [ ] Treat as Threat                                          │
│       [ ] Suspicious  [ ] Malicious                            │
│                                                                 │
│ Status: [Active ▼]                                             │
│                                                                 │
│ [Cancel]                                    [Save Rule]         │
└─────────────────────────────────────────────────────────────────┘

Validate Query Syntax
- Console validates S1QL syntax
- Errors highlighted in red
Save Rule
- Click Save Rule
- Rule immediately active

Method 3: Via API

function New-S1STARRule {
    param(
        [Parameter(Mandatory=$true)]
        [string]$ApiToken,
 
        [Parameter(Mandatory=$true)]
        [string]$ConsoleUrl,
 
        [Parameter(Mandatory=$true)]
        [string]$RuleName,
 
        [Parameter(Mandatory=$true)]
        [string]$Query,
 
        [Parameter(Mandatory=$true)]
        [string]$Description,
 
        [Parameter(Mandatory=$true)]
        [ValidateSet("Info", "Low", "Medium", "High", "Critical")]
        [string]$Severity,
 
        [string]$SiteId,
 
        [bool]$TreatAsThreat = $false,
 
        [ValidateSet("Suspicious", "Malicious")]
        [string]$ThreatType = "Suspicious",
 
        [bool]$Enabled = $true
    )
 
    $headers = @{
        "Authorization" = "ApiToken $ApiToken"
        "Content-Type" = "application/json"
    }
 
    # Map severity to API values
    $severityMap = @{
        "Info" = "Info"
        "Low" = "Low"
        "Medium" = "Medium"
        "High" = "High"
        "Critical" = "Critical"
    }
 
    $body = @{
        data = @{
            name = $RuleName
            description = $Description
            queryType = "events"
            query = $Query
            severity = $severityMap[$Severity]
            status = if ($Enabled) { "Active" } else { "Disabled" }
            treatAsThreat = $TreatAsThreat
        }
    }
 
    if ($SiteId) {
        $body.data.siteIds = @($SiteId)
    }
 
    if ($TreatAsThreat) {
        $body.data.networkQuarantine = $false
        $body.data.treatAsThreat = $true
        # Note: Actual threat type handling depends on policy
    }
 
    $bodyJson = $body | ConvertTo-Json -Depth 5
 
    try {
        $response = Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/star-rules" `
            -Method POST -Headers $headers -Body $bodyJson
 
        Write-Host "[SUCCESS] Created STAR rule: $RuleName" -ForegroundColor Green
        Write-Host "Rule ID: $($response.data.id)"
        return $response.data
    }
    catch {
        Write-Error "Failed to create STAR rule: $($_.Exception.Message)"
        return $null
    }
}
 
# Example usage
$rule = New-S1STARRule `
    -ApiToken "YOUR_API_TOKEN" `
    -ConsoleUrl "https://tenant.sentinelone.net" `
    -RuleName "Encoded PowerShell Detection" `
    -Query 'EventType = "Process Creation" AND SrcProcName = "powershell.exe" AND SrcProcCmdLine ContainsCIS "-enc"' `
    -Description "Detects PowerShell execution with encoded commands (T1059.001)" `
    -Severity "High" `
    -TreatAsThreat $false `
    -Enabled $true

RESPONSE ACTIONS

Available Response Options

Action	Description	Use Case
Alert Only	Generate alert, no automated action	Low-confidence detections, monitoring
Kill Process	Terminate the matching process	High-confidence malicious activity
Network Quarantine	Isolate endpoint from network	Active breach, lateral movement
Treat as Suspicious	Apply suspicious threat policy	Medium-confidence detections
Treat as Malicious	Apply malicious threat policy	High-confidence threats

Response Action Decision Matrix

                         Confidence Level
                    Low      Medium      High
                 ┌────────┬──────────┬──────────┐
    Low          │ Alert  │  Alert   │  Alert   │
    Risk         │ Only   │  Only    │  Only    │
                 ├────────┼──────────┼──────────┤
    Medium       │ Alert  │  Alert + │  Kill    │
    Risk         │ Only   │ Suspic.  │ Process  │
                 ├────────┼──────────┼──────────┤
    High         │ Alert +│  Kill    │  Kill +  │
    Risk         │ Suspic.│ Process  │Quarantine│
                 └────────┴──────────┴──────────┘

Configuring Threat Treatment

When Treat as Threat is enabled:

Suspicious Threat Policy:

Agent applies configured suspicious threat response
Typically: Alert + optional kill
Good for medium-confidence detections

Malicious Threat Policy:

Agent applies configured malicious threat response
Typically: Kill + Quarantine + Remediate
Reserve for high-confidence detections

# Example policy alignment
Suspicious Policy:
  Kill: Optional
  Quarantine: No
  Remediate: No
  Rollback: No
 
Malicious Policy:
  Kill: Yes
  Quarantine: Yes
  Remediate: Yes
  Rollback: Optional

RULE MANAGEMENT

Viewing STAR Rules

Console Navigation:

Console → Sentinels → STAR Custom Rules

Rule List Columns:

Name
Status (Active/Disabled)
Scope (Sites/Groups)
Severity
Created By
Last Modified
Match Count

Editing Rules

Navigate to STAR Custom Rules
Click rule name
Modify settings
Click Save

Note: Changes take effect immediately across all in-scope endpoints.

Disabling/Enabling Rules

Via Console:

Navigate to STAR Custom Rules
Click rule checkbox
Click Actions → Disable or Enable

Via API:

function Set-S1STARRuleStatus {
    param(
        [string]$ApiToken,
        [string]$ConsoleUrl,
        [string]$RuleId,
        [ValidateSet("Active", "Disabled")]
        [string]$Status
    )
 
    $headers = @{
        "Authorization" = "ApiToken $ApiToken"
        "Content-Type" = "application/json"
    }
 
    $body = @{
        data = @{
            status = $Status
        }
    } | ConvertTo-Json
 
    Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/star-rules/$RuleId" `
        -Method PUT -Headers $headers -Body $body
}

Deleting Rules

Navigate to STAR Custom Rules
Click rule checkbox
Click Actions → Delete
Confirm deletion

Warning: Deletion is permanent. Consider disabling instead for temporary removal.

Exporting/Importing Rules

Export (via API):

function Export-S1STARRules {
    param(
        [string]$ApiToken,
        [string]$ConsoleUrl,
        [string]$OutputPath = ".\star-rules-export.json"
    )
 
    $headers = @{
        "Authorization" = "ApiToken $ApiToken"
        "Content-Type" = "application/json"
    }
 
    $rules = Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/star-rules" `
        -Method GET -Headers $headers
 
    $rules.data | ConvertTo-Json -Depth 10 | Out-File $OutputPath
    Write-Host "Exported $($rules.data.Count) rules to $OutputPath"
}

Import (via API):

function Import-S1STARRules {
    param(
        [string]$ApiToken,
        [string]$ConsoleUrl,
        [string]$InputPath,
        [string]$TargetSiteId
    )
 
    $headers = @{
        "Authorization" = "ApiToken $ApiToken"
        "Content-Type" = "application/json"
    }
 
    $rules = Get-Content $InputPath | ConvertFrom-Json
 
    foreach ($rule in $rules) {
        $body = @{
            data = @{
                name = $rule.name
                description = $rule.description
                query = $rule.query
                severity = $rule.severity
                status = "Disabled"  # Import as disabled for review
                siteIds = @($TargetSiteId)
            }
        } | ConvertTo-Json -Depth 5
 
        try {
            Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/star-rules" `
                -Method POST -Headers $headers -Body $body
            Write-Host "[OK] Imported: $($rule.name)" -ForegroundColor Green
        }
        catch {
            Write-Host "[FAIL] $($rule.name): $($_.Exception.Message)" -ForegroundColor Red
        }
    }
}

STAR RULE LIBRARY

High-Fidelity Detection Rules

These rules have high confidence with low false positive rates:

Credential Access

LSASS Memory Access (T1003.001)

TgtProcName = "lsass.exe" AND
EventType = "Open Remote Process Handle" AND
SrcProcName Not In ("svchost.exe", "lsm.exe", "wmiprvse.exe", "csrss.exe",
"wininit.exe", "MsMpEng.exe", "SentinelAgent.exe")

Severity: Critical
Response: Alert + Treat as Malicious
False Positives: Rare (legitimate security tools)

Mimikatz Command Line (T1003)

TgtProcCmdLine In Contains Anycase ("sekurlsa::", "lsadump::",
"privilege::debug", "token::elevate", "kerberos::ptt")

Severity: Critical
Response: Kill Process + Treat as Malicious
False Positives: Very rare

Defense Evasion

Event Log Clearing (T1070.001)

(TgtProcName = "wevtutil.exe" AND TgtProcCmdLine ContainsCIS "cl ") OR
(SrcProcCmdLine ContainsCIS "Clear-EventLog" AND
 SrcProcParentName Not In ("svchost.exe", "WmiPrvSE.exe"))

Severity: High
Response: Alert + Treat as Suspicious
False Positives: IT maintenance scripts (whitelist as needed)

AMSI Bypass (T1562.001)

SrcProcCmdLine ContainsCIS "AmsiUtils" AND
SrcProcCmdLine ContainsCIS "amsiInitFailed"

Severity: Critical
Response: Kill Process + Treat as Malicious
False Positives: Very rare

Disable Windows Defender (T1562.001)

TgtProcCmdLine ContainsCIS "Set-MpPreference" AND
(TgtProcCmdLine ContainsCIS "DisableRealtimeMonitoring" OR
 TgtProcCmdLine ContainsCIS "DisableBehaviorMonitoring" OR
 TgtProcCmdLine ContainsCIS "DisableIOAVProtection")

Severity: High
Response: Alert + Treat as Suspicious
False Positives: Rare (lab environments)

Execution

Encoded PowerShell (T1059.001)

EventType = "Process Creation" AND
SrcProcName = "powershell.exe" AND
(SrcProcCmdLine ContainsCIS "-enc" OR
 SrcProcCmdLine ContainsCIS "-encodedcommand" OR
 SrcProcCmdLine ContainsCIS "frombase64string") AND
SrcProcParentName Not In ("svchost.exe", "services.exe")

Severity: High
Response: Alert (many legitimate uses)
False Positives: Common (SCCM, management tools)

PowerShell Download Cradle (T1059.001)

EventType = "Process Creation" AND
SrcProcName = "powershell.exe" AND
(SrcProcCmdLine ContainsCIS "downloadstring" OR
 SrcProcCmdLine ContainsCIS "downloadfile" OR
 SrcProcCmdLine ContainsCIS "invoke-webrequest" AND
 SrcProcCmdLine RegExp "https?://") AND
SrcProcParentName Not In ("svchost.exe", "services.exe", "OfficeClickToRun.exe")

Severity: High
Response: Alert + Treat as Suspicious
False Positives: Moderate (legitimate scripts)

Persistence

Scheduled Task Creation (T1053.005)

(TgtProcName = "schtasks.exe" AND TgtProcCmdLine ContainsCIS "/create") AND
SrcProcParentName Not In ("services.exe", "svchost.exe", "msiexec.exe",
"OfficeClickToRun.exe", "MicrosoftEdgeUpdate.exe")

Severity: Medium
Response: Alert Only
False Positives: Common (software installations)

Registry Run Key Modification (T1547.001)

RegistryKeyPath ContainsCIS "Windows\\CurrentVersion\\Run" AND
EventType In ("Registry Key Create", "Registry Value Create", "Registry Value Modified") AND
SrcProcParentName Not In ("smss.exe", "svchost.exe", "msiexec.exe", "SetupHost.exe")

Severity: Medium
Response: Alert Only
False Positives: Common (software installations)

Web Shell Creation (T1505.003)

EventType = "File Creation" AND
FileFullName ContainsCIS "inetpub\\wwwroot" AND
TgtFileExtension In Contains Anycase ("jsp", "aspx", "php", "asp", "jspx") AND
SrcProcName Not In ("explorer.exe", "msdeploy.exe", "w3wp.exe", "WebDeploy.exe")

Severity: Critical
Response: Alert + Treat as Malicious
False Positives: Rare (legitimate deployments)

WMI Event Subscription (T1546.003)

SrcProcCmdLine ContainsCIS "New-CimInstance" AND
SrcProcCmdLine ContainsCIS "root/subscription"

Severity: High
Response: Alert + Treat as Suspicious
False Positives: Rare

Lateral Movement

PsExec Execution (T1021.002)

(SrcProcName ContainsCIS "psexec" OR
 SrcProcDisplayName ContainsCIS "Execute processes remotely") AND
DstIp Is Not Empty

Severity: High
Response: Alert Only (legitimate admin use)
False Positives: Common (IT administration)

Pass the Hash/Ticket (T1550)

TgtProcCmdLine In Contains Anycase ("sekurlsa::pth", "/ntlm:", "kerberos::ptt",
"kerberos::golden", "kerberos::silver")

Severity: Critical
Response: Kill Process + Treat as Malicious
False Positives: Very rare

RDP Hijacking (T1563.002)

SrcProcName = "tscon.exe" AND SrcProcCmdLine ContainsCIS "/dest:"

Severity: Critical
Response: Alert + Treat as Malicious
False Positives: Very rare

Medium-Fidelity Hunt Rules

These rules cast a wider net and may require tuning:

Suspicious Process Chains

Office Spawning Shell

SrcProcName In ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe") AND
TgtProcName In ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
"mshta.exe", "certutil.exe", "regsvr32.exe")

Severity: Medium
Response: Alert Only
Tuning Required: Whitelist legitimate macros

Browser Spawning Shell

SrcProcName In ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe") AND
TgtProcName In ("cmd.exe", "powershell.exe", "mshta.exe")

Severity: Medium
Response: Alert Only
Tuning Required: Browser extensions may trigger

Suspicious File Operations

Executable in User Temp

EventType = "File Creation" AND
FileFullName ContainsCIS "\\AppData\\Local\\Temp\\" AND
TgtFileExtension In ("exe", "dll", "scr", "bat", "cmd", "ps1") AND
TgtFileIsExecutable = "true"

Severity: Low
Response: Alert Only
Tuning Required: Many legitimate installers use temp

Script in Startup Folder

EventType = "File Creation" AND
FileFullName ContainsCIS "Programs\\Startup" AND
TgtFileExtension In Contains ("vbs", "js", "bat", "cmd", "ps1", "wsf")

Severity: High
Response: Alert + Treat as Suspicious
Tuning Required: Some legitimate apps use startup scripts

Industry-Specific Rules

Healthcare (HIPAA)

Access to Medical Record Paths

EventType = "File Read" AND
(FileFullName ContainsCIS "\\PatientRecords\\" OR
 FileFullName ContainsCIS "\\MedicalFiles\\" OR
 FileFullName ContainsCIS "\\PHI\\") AND
SrcProcName Not In ("EMR_Application.exe", "approved_apps...")

Financial Services (PCI-DSS)

Access to Cardholder Data

EventType In ("File Read", "File Copy") AND
(FileFullName ContainsCIS "\\CardData\\" OR
 FileFullName ContainsCIS "\\PAN\\" OR
 FileFullName RegExp "\\b[0-9]{13,16}\\b")

Legal/Law Firms

Bulk Document Access

EventType = "File Read" AND
FileFullName ContainsCIS "\\CaseMatter\\" AND
SrcProcName Not In ("Outlook.exe", "WINWORD.exe", "approved_dms.exe")

BEST PRACTICES

Rule Development Workflow

┌─────────────────────────────────────────────────────────────────────┐
│                    STAR RULE DEVELOPMENT LIFECYCLE                   │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│  1. IDENTIFY    →   2. DEVELOP     →   3. TEST      →   4. TUNE    │
│  Threat/use         Write query        Run in DV        Reduce FPs  │
│  case               in DV              validate         whitelist   │
│                                                                     │
│  5. DEPLOY      →   6. MONITOR     →   7. REFINE    →   8. DOCUMENT│
│  Create rule        Watch alerts       Adjust as        Record      │
│  (alert only)       for FPs            needed           decisions   │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘

Naming Convention

[Severity]-[Category]-[Technique]-[Description]

Examples:
- HIGH-CRED-T1003-LSASS_Memory_Access
- CRIT-EXEC-T1059-Encoded_PowerShell_Download
- MED-PERSIST-T1547-Registry_Run_Key_Modification
- HIGH-LATMOV-T1021-PsExec_Remote_Execution

Severity Guidelines

Severity	Criteria	Response
Critical	Active attack, high confidence, immediate risk	Auto-response recommended
High	Likely malicious, requires investigation	Alert + possible auto-response
Medium	Suspicious, may be legitimate	Alert, manual review
Low	Informational, baseline monitoring	Alert, low priority
Info	Audit trail, compliance	Logging only

Scoping Strategy

# Recommended scope hierarchy
Account-Level Rules:
  - Critical/universal detections
  - Zero-day IOCs
  - Known malware signatures
 
Site-Level Rules:
  - Client-specific threats
  - Industry-specific rules
  - Compliance requirements
 
Group-Level Rules:
  - Server-specific detections
  - Workstation-specific rules
  - VIP/executive monitoring

False Positive Management

Whitelisting Strategies:

Process Exclusions:

-- Add to query
AND SrcProcName Not In ("legitimate_app.exe", "trusted_tool.exe")
AND SrcProcParentName Not In ("services.exe", "svchost.exe")

Path Exclusions:

-- Add to query
AND FileFullName Does Not ContainCIS "\\Approved\\Path\\"
AND SrcProcImagePath Does Not ContainCIS "\\Program Files\\"

User Exclusions:

-- Add to query (use sparingly)
AND SrcProcUser Does Not ContainCIS "service_account"

Publisher Exclusions:

-- Add to query
AND SrcProcPublisher Not In ("MICROSOFT CORPORATION", "TRUSTED VENDOR")

Documentation Template

## STAR Rule: [Rule Name]
 
### Overview
- **Created:** YYYY-MM-DD
- **Author:** [Name]
- **Version:** 1.0
- **Status:** Active | Disabled | Testing
 
### Detection Logic
- **MITRE Technique:** T1XXX.XXX - [Name]
- **MITRE Tactic:** [Tactic]
- **Description:** [What this rule detects]
 
### Query
```sql
[S1QL Query Here]

Configuration

Severity: [Level]
Scope: [Sites/Groups]
Response: [Alert Only | Kill | Quarantine]
Treat as Threat: Yes/No

False Positives

Known FP #1: [Description] - Mitigated by: [exclusion]
Known FP #2: [Description] - Mitigated by: [exclusion]

Testing

Test Date: YYYY-MM-DD
Test Results: [Pass/Fail]
Matches in Test Period: [Count]

References

[Link to threat intel]
[Link to MITRE page]

Changelog

Date	Version	Change
YYYY-MM-DD	1.0	Initial creation


---

## MONITORING AND ALERTING

### Viewing STAR Alerts

**Console Navigation:**
- Console → Activity → Alerts
- Filter: Type = "Custom Rule"

**Alert Information:**
- Rule name and description
- Matched endpoint
- Process details
- Storyline link
- Timestamp

### Alert Response Workflow

```markdown
## STAR Alert Response Checklist

Alert: _________________
Rule: _________________
Endpoint: _________________
Time: _________________

### Initial Assessment
- [ ] Review alert details
- [ ] Check rule description and intent
- [ ] Assess severity level

### Investigation
- [ ] Click Storyline link for full context
- [ ] Review process tree
- [ ] Check parent/child relationships
- [ ] Look for related activity

### Determination
- [ ] True Positive - Malicious activity confirmed
- [ ] True Positive - Suspicious, needs monitoring
- [ ] False Positive - Legitimate activity
- [ ] Unknown - Requires deeper investigation

### Response (if True Positive)
- [ ] Isolate endpoint (if not auto-quarantined)
- [ ] Kill malicious process (if not auto-killed)
- [ ] Collect forensic evidence
- [ ] Initiate incident response

### Documentation
- [ ] Document findings
- [ ] Update rule if needed (reduce FPs)
- [ ] Add to threat intel if new IOC

Creating Alert Notifications

Navigate to Settings → Notifications
Create notification rule:
- Trigger: Custom Rule Alert
- Severity: [Select threshold]
- Recipients: SOC team email/Slack
- Frequency: Immediate or digest

API REFERENCE

List STAR Rules

function Get-S1STARRules {
    param(
        [string]$ApiToken,
        [string]$ConsoleUrl,
        [string]$SiteId
    )
 
    $headers = @{
        "Authorization" = "ApiToken $ApiToken"
        "Content-Type" = "application/json"
    }
 
    $url = "$ConsoleUrl/web/api/v2.1/star-rules"
    if ($SiteId) {
        $url += "?siteIds=$SiteId"
    }
 
    $response = Invoke-RestMethod -Uri $url -Method GET -Headers $headers
    return $response.data
}
 
# Example
$rules = Get-S1STARRules -ApiToken $token -ConsoleUrl $url
$rules | Format-Table name, severity, status, matchCount

Get Rule Details

function Get-S1STARRule {
    param(
        [string]$ApiToken,
        [string]$ConsoleUrl,
        [string]$RuleId
    )
 
    $headers = @{
        "Authorization" = "ApiToken $ApiToken"
        "Content-Type" = "application/json"
    }
 
    $response = Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/star-rules/$RuleId" `
        -Method GET -Headers $headers
    return $response.data
}

Update Rule

function Update-S1STARRule {
    param(
        [string]$ApiToken,
        [string]$ConsoleUrl,
        [string]$RuleId,
        [hashtable]$Updates
    )
 
    $headers = @{
        "Authorization" = "ApiToken $ApiToken"
        "Content-Type" = "application/json"
    }
 
    $body = @{ data = $Updates } | ConvertTo-Json -Depth 5
 
    $response = Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/star-rules/$RuleId" `
        -Method PUT -Headers $headers -Body $body
    return $response.data
}
 
# Example: Update severity
Update-S1STARRule -ApiToken $token -ConsoleUrl $url -RuleId "123" -Updates @{
    severity = "Critical"
}

Delete Rule

function Remove-S1STARRule {
    param(
        [string]$ApiToken,
        [string]$ConsoleUrl,
        [string]$RuleId
    )
 
    $headers = @{
        "Authorization" = "ApiToken $ApiToken"
        "Content-Type" = "application/json"
    }
 
    Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/star-rules/$RuleId" `
        -Method DELETE -Headers $headers
 
    Write-Host "Deleted rule: $RuleId"
}

Bulk Rule Deployment Script

<#
.SYNOPSIS
    Deploy standard STAR rules to a new client site
.DESCRIPTION
    Creates a set of high-fidelity STAR rules for new client onboarding
#>
 
param(
    [Parameter(Mandatory=$true)]
    [string]$ApiToken,
 
    [Parameter(Mandatory=$true)]
    [string]$ConsoleUrl,
 
    [Parameter(Mandatory=$true)]
    [string]$SiteId,
 
    [string]$RuleSetPath = ".\star-rules-baseline.json"
)
 
# Baseline rule set
$baselineRules = @(
    @{
        name = "CRIT-CRED-T1003-LSASS_Memory_Access"
        description = "Detects suspicious access to LSASS process memory (credential dumping)"
        query = 'TgtProcName = "lsass.exe" AND EventType = "Open Remote Process Handle" AND SrcProcName Not In ("svchost.exe","lsm.exe","wmiprvse.exe","csrss.exe","wininit.exe","MsMpEng.exe","SentinelAgent.exe")'
        severity = "Critical"
        treatAsThreat = $true
    },
    @{
        name = "CRIT-EXEC-T1059-Mimikatz_Commands"
        description = "Detects Mimikatz command-line arguments"
        query = 'TgtProcCmdLine In Contains Anycase ("sekurlsa::","lsadump::","privilege::debug","token::elevate","kerberos::ptt")'
        severity = "Critical"
        treatAsThreat = $true
    },
    @{
        name = "HIGH-EVADE-T1070-Event_Log_Clearing"
        description = "Detects Windows event log clearing"
        query = '(TgtProcName = "wevtutil.exe" AND TgtProcCmdLine ContainsCIS "cl ") OR (SrcProcCmdLine ContainsCIS "Clear-EventLog" AND SrcProcParentName Not In ("svchost.exe","WmiPrvSE.exe"))'
        severity = "High"
        treatAsThreat = $false
    },
    @{
        name = "HIGH-EVADE-T1562-AMSI_Bypass"
        description = "Detects AMSI bypass attempts"
        query = 'SrcProcCmdLine ContainsCIS "AmsiUtils" AND SrcProcCmdLine ContainsCIS "amsiInitFailed"'
        severity = "Critical"
        treatAsThreat = $true
    },
    @{
        name = "HIGH-EXEC-T1059-PowerShell_Download"
        description = "Detects PowerShell download cradles"
        query = 'EventType = "Process Creation" AND SrcProcName = "powershell.exe" AND (SrcProcCmdLine ContainsCIS "downloadstring" OR SrcProcCmdLine ContainsCIS "downloadfile" OR SrcProcCmdLine ContainsCIS "invoke-webrequest") AND SrcProcParentName Not In ("svchost.exe","services.exe")'
        severity = "High"
        treatAsThreat = $false
    },
    @{
        name = "CRIT-PERSIST-T1505-Web_Shell_Creation"
        description = "Detects web shell file creation in IIS directories"
        query = 'EventType = "File Creation" AND FileFullName ContainsCIS "inetpub\\wwwroot" AND TgtFileExtension In Contains Anycase ("jsp","aspx","php","asp") AND SrcProcName Not In ("explorer.exe","msdeploy.exe","w3wp.exe")'
        severity = "Critical"
        treatAsThreat = $true
    },
    @{
        name = "CRIT-LATMOV-T1550-Pass_The_Hash"
        description = "Detects Pass-the-Hash and Pass-the-Ticket attacks"
        query = 'TgtProcCmdLine In Contains Anycase ("sekurlsa::pth","/ntlm:","kerberos::ptt","kerberos::golden")'
        severity = "Critical"
        treatAsThreat = $true
    },
    @{
        name = "HIGH-LATMOV-T1563-RDP_Hijacking"
        description = "Detects RDP session hijacking via tscon"
        query = 'SrcProcName = "tscon.exe" AND SrcProcCmdLine ContainsCIS "/dest:"'
        severity = "Critical"
        treatAsThreat = $true
    }
)
 
$headers = @{
    "Authorization" = "ApiToken $ApiToken"
    "Content-Type" = "application/json"
}
 
Write-Host "Deploying $($baselineRules.Count) baseline STAR rules to site $SiteId" -ForegroundColor Cyan
 
$results = @()
 
foreach ($rule in $baselineRules) {
    $body = @{
        data = @{
            name = $rule.name
            description = $rule.description
            query = $rule.query
            severity = $rule.severity
            status = "Active"
            treatAsThreat = $rule.treatAsThreat
            siteIds = @($SiteId)
        }
    } | ConvertTo-Json -Depth 5
 
    try {
        $response = Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/star-rules" `
            -Method POST -Headers $headers -Body $body
 
        Write-Host "[OK] Created: $($rule.name)" -ForegroundColor Green
        $results += [PSCustomObject]@{
            Rule = $rule.name
            Status = "Created"
            RuleId = $response.data.id
        }
    }
    catch {
        Write-Host "[FAIL] $($rule.name): $($_.Exception.Message)" -ForegroundColor Red
        $results += [PSCustomObject]@{
            Rule = $rule.name
            Status = "Failed"
            Error = $_.Exception.Message
        }
    }
 
    Start-Sleep -Milliseconds 500  # Rate limiting
}
 
Write-Host "`n=== Deployment Summary ===" -ForegroundColor Cyan
$results | Format-Table -AutoSize
 
$successCount = ($results | Where-Object { $_.Status -eq "Created" }).Count
Write-Host "Successfully deployed $successCount of $($baselineRules.Count) rules"

TROUBLESHOOTING

Common Issues

Issue: Rule not triggering alerts

Verify rule status is "Active"
Check scope includes target endpoints
Confirm query syntax is valid
Verify Deep Visibility is enabled on endpoints
Check time range - telemetry must exist first

Issue: Too many false positives

Add exclusions for legitimate processes
Narrow query scope
Increase specificity of pattern matching
Consider moving to lower severity

Issue: Rule creation fails

Validate S1QL syntax in Deep Visibility first
Check for unsupported operators
Verify field names are correct
Check API permissions

Issue: Response action not executing

Verify "Treat as Threat" is enabled
Check agent policy allows the response action
Confirm agent is connected and healthy
Review policy precedence

Query Validation

Always test queries in Deep Visibility before creating STAR rules:

-- Test your query
[Your Query Here]
 
-- If results are expected, query is valid
-- If no results, check:
-- 1. Time range
-- 2. Field names
-- 3. Operator syntax
-- 4. Case sensitivity

SOURCES

REVISION HISTORY

Version	Date	Author	Changes
1.0	2026-01-08	CosmicBytez	Initial creation

SCENARIO

Use this guide when:

Creating custom detection rules for client-specific threats
Automating response to known attack patterns
Converting threat hunting queries into persistent detections
Building industry-specific or compliance-focused detections
Responding rapidly to emerging threats and zero-day IOCs
Reducing alert fatigue with high-fidelity custom rules

Prerequisites:

SentinelOne Singularity Complete license
Console access with Admin or IR Team role
Deep Visibility enabled in policy
Understanding of S1QL query syntax (see Deep Visibility guide)

Reference Documentation:

REQUIREMENTS & ASSUMPTIONS

Technical Requirements

Requirement	Details
SKU	Singularity Complete or higher
Console Role	Admin, IR Team, or SOC
Feature	STAR Custom Rules enabled
Max Rules	Up to 1,000 active STAR rules
Agent Version	4.2.x or newer recommended

STAR Rule Capabilities

What STAR Can Do:

Evaluate endpoint events in near real-time
Trigger alerts on query matches
Execute automated response actions (kill, quarantine)
Treat matches as suspicious or malicious threats
Deploy rules to entire fleet or specific scopes
Support 200+ telemetry attributes
Use regular expressions for pattern matching

What STAR Cannot Do:

Real-time blocking before execution (detection-based, not prevention)
Block by file name alone (hash-based blocking supported)
Replace behavioral AI engine (complementary, not replacement)
Prevent initial execution (responds after telemetry is collected)

Understanding STAR vs Other Features

Feature	Purpose	Timing
Static AI	Pre-execution file analysis	Before execution
Behavioral AI	Runtime behavior detection	During execution
STAR Rules	Custom pattern detection	After telemetry collection
Blacklist	Known-bad hash blocking	Before execution

STAR rules are best for detection and response rather than prevention. They complement the AI engines by adding custom detection logic for threats the AI hasn't seen.

STAR RULE ARCHITECTURE

How STAR Rules Work

┌─────────────────────────────────────────────────────────────────────┐
│                      STAR RULE PROCESSING FLOW                       │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│  ┌─────────────┐    ┌─────────────┐    ┌─────────────────────────┐ │
│  │  Endpoint   │───▶│   Agent     │───▶│  Singularity Data Lake  │ │
│  │  Activity   │    │  Telemetry  │    │  (Deep Visibility)      │ │
│  └─────────────┘    └─────────────┘    └───────────┬─────────────┘ │
│                                                     │               │
│                                                     ▼               │
│                                        ┌─────────────────────────┐ │
│                                        │   STAR Rules Engine     │ │
│                                        │   (Pattern Matching)    │ │
│                                        └───────────┬─────────────┘ │
│                                                     │               │
│                            ┌────────────────────────┼────────────┐ │
│                            │                        │            │ │
│                            ▼                        ▼            ▼ │
│                   ┌────────────────┐    ┌────────────┐  ┌───────┐ │
│                   │  Alert Only    │    │   Kill     │  │Quarant│ │
│                   │  (Notify SOC)  │    │  Process   │  │ -ine  │ │
│                   └────────────────┘    └────────────┘  └───────┘ │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘

Rule Components

STAR Rule Structure:
  # Identification
  Name: "Rule name (descriptive)"
  Description: "What this rule detects"
 
  # Scope
  Scope: Site | Group | Account
  Target Sites/Groups: [selected scopes]
 
  # Detection Logic
  Query: "S1QL query from Deep Visibility"
 
  # Classification
  Severity: Info | Low | Medium | High | Critical
  MITRE Tactic: [TA00XX]
  MITRE Technique: [T1XXX.XXX]
 
  # Response Configuration
  Treat as Threat: Yes | No
  Threat Type: Suspicious | Malicious
  Response Actions:
    - Alert Only
    - Kill Process
    - Network Quarantine
    - Remediate
    - Rollback
 
  # Status
  Status: Active | Disabled | Test Mode
  Expiration: None | Date

CREATING STAR RULES

Method 1: From Deep Visibility Query

Step-by-Step Process:

Navigate to Deep Visibility
- Console → Visibility → Deep Visibility

Write and Test Your Query

-- Example: Detect encoded PowerShell
EventType = "Process Creation" AND
SrcProcName = "powershell.exe" AND
SrcProcCmdLine ContainsCIS "-enc"

Run Query and Validate Results
- Execute the query
- Review results for false positives
- Refine query if needed
Create STAR Rule
- Click Create STAR Rule button
- Or: Click Save → Create Custom Rule
Configure Rule Settings
- Name: Descriptive name (e.g., "Encoded PowerShell Execution")
- Description: Purpose and detection logic explanation
- Scope: Select sites/groups to apply rule
- Severity: Select appropriate level
- MITRE Mapping: Select tactic and technique
Configure Response Actions
- Alert Only: Generate alert for SOC review
- Treat as Threat: Enable automated response
  - Suspicious: Uses suspicious threat policy
  - Malicious: Uses malicious threat policy
- Kill Process: Terminate matching process
- Network Quarantine: Isolate endpoint
Save and Activate
- Click Save
- Rule is immediately active (unless set to disabled)

Method 2: From STAR Rules Interface

Step-by-Step Process:

Navigate to STAR Rules
- Console → Sentinels → STAR Custom Rules tab
Click "New Rule"

Configure Rule

┌─────────────────────────────────────────────────────────────────┐
│ Create Custom Rule                                              │
├─────────────────────────────────────────────────────────────────┤
│ Name: [_______________________________________]                 │
│                                                                 │
│ Description: [_______________________________________________]  │
│              [_______________________________________________]  │
│                                                                 │
│ Scope: [Account ▼] Sites: [Select...] Groups: [Select...]      │
│                                                                 │
│ Query:                                                          │
│ ┌─────────────────────────────────────────────────────────────┐│
│ │ EventType = "Process Creation" AND                          ││
│ │ SrcProcName = "powershell.exe" AND                         ││
│ │ SrcProcCmdLine ContainsCIS "-enc"                          ││
│ └─────────────────────────────────────────────────────────────┘│
│                                                                 │
│ Severity: [Medium ▼]                                           │
│                                                                 │
│ MITRE ATT&CK:                                                  │
│   Tactic: [Execution ▼]                                        │
│   Technique: [T1059.001 - PowerShell ▼]                        │
│                                                                 │
│ Response:                                                       │
│   [✓] Alert                                                     │
│   [ ] Treat as Threat                                          │
│       [ ] Suspicious  [ ] Malicious                            │
│                                                                 │
│ Status: [Active ▼]                                             │
│                                                                 │
│ [Cancel]                                    [Save Rule]         │
└─────────────────────────────────────────────────────────────────┘

Validate Query Syntax
- Console validates S1QL syntax
- Errors highlighted in red
Save Rule
- Click Save Rule
- Rule immediately active

Method 3: Via API

function New-S1STARRule {
    param(
        [Parameter(Mandatory=$true)]
        [string]$ApiToken,
 
        [Parameter(Mandatory=$true)]
        [string]$ConsoleUrl,
 
        [Parameter(Mandatory=$true)]
        [string]$RuleName,
 
        [Parameter(Mandatory=$true)]
        [string]$Query,
 
        [Parameter(Mandatory=$true)]
        [string]$Description,
 
        [Parameter(Mandatory=$true)]
        [ValidateSet("Info", "Low", "Medium", "High", "Critical")]
        [string]$Severity,
 
        [string]$SiteId,
 
        [bool]$TreatAsThreat = $false,
 
        [ValidateSet("Suspicious", "Malicious")]
        [string]$ThreatType = "Suspicious",
 
        [bool]$Enabled = $true
    )
 
    $headers = @{
        "Authorization" = "ApiToken $ApiToken"
        "Content-Type" = "application/json"
    }
 
    # Map severity to API values
    $severityMap = @{
        "Info" = "Info"
        "Low" = "Low"
        "Medium" = "Medium"
        "High" = "High"
        "Critical" = "Critical"
    }
 
    $body = @{
        data = @{
            name = $RuleName
            description = $Description
            queryType = "events"
            query = $Query
            severity = $severityMap[$Severity]
            status = if ($Enabled) { "Active" } else { "Disabled" }
            treatAsThreat = $TreatAsThreat
        }
    }
 
    if ($SiteId) {
        $body.data.siteIds = @($SiteId)
    }
 
    if ($TreatAsThreat) {
        $body.data.networkQuarantine = $false
        $body.data.treatAsThreat = $true
        # Note: Actual threat type handling depends on policy
    }
 
    $bodyJson = $body | ConvertTo-Json -Depth 5
 
    try {
        $response = Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/star-rules" `
            -Method POST -Headers $headers -Body $bodyJson
 
        Write-Host "[SUCCESS] Created STAR rule: $RuleName" -ForegroundColor Green
        Write-Host "Rule ID: $($response.data.id)"
        return $response.data
    }
    catch {
        Write-Error "Failed to create STAR rule: $($_.Exception.Message)"
        return $null
    }
}
 
# Example usage
$rule = New-S1STARRule `
    -ApiToken "YOUR_API_TOKEN" `
    -ConsoleUrl "https://tenant.sentinelone.net" `
    -RuleName "Encoded PowerShell Detection" `
    -Query 'EventType = "Process Creation" AND SrcProcName = "powershell.exe" AND SrcProcCmdLine ContainsCIS "-enc"' `
    -Description "Detects PowerShell execution with encoded commands (T1059.001)" `
    -Severity "High" `
    -TreatAsThreat $false `
    -Enabled $true

RESPONSE ACTIONS

Available Response Options

Action	Description	Use Case
Alert Only	Generate alert, no automated action	Low-confidence detections, monitoring
Kill Process	Terminate the matching process	High-confidence malicious activity
Network Quarantine	Isolate endpoint from network	Active breach, lateral movement
Treat as Suspicious	Apply suspicious threat policy	Medium-confidence detections
Treat as Malicious	Apply malicious threat policy	High-confidence threats

Response Action Decision Matrix

                         Confidence Level
                    Low      Medium      High
                 ┌────────┬──────────┬──────────┐
    Low          │ Alert  │  Alert   │  Alert   │
    Risk         │ Only   │  Only    │  Only    │
                 ├────────┼──────────┼──────────┤
    Medium       │ Alert  │  Alert + │  Kill    │
    Risk         │ Only   │ Suspic.  │ Process  │
                 ├────────┼──────────┼──────────┤
    High         │ Alert +│  Kill    │  Kill +  │
    Risk         │ Suspic.│ Process  │Quarantine│
                 └────────┴──────────┴──────────┘

Configuring Threat Treatment

When Treat as Threat is enabled:

Suspicious Threat Policy:

Agent applies configured suspicious threat response
Typically: Alert + optional kill
Good for medium-confidence detections

Malicious Threat Policy:

Agent applies configured malicious threat response
Typically: Kill + Quarantine + Remediate
Reserve for high-confidence detections

# Example policy alignment
Suspicious Policy:
  Kill: Optional
  Quarantine: No
  Remediate: No
  Rollback: No
 
Malicious Policy:
  Kill: Yes
  Quarantine: Yes
  Remediate: Yes
  Rollback: Optional

RULE MANAGEMENT

Viewing STAR Rules

Console Navigation:

Console → Sentinels → STAR Custom Rules

Rule List Columns:

Name
Status (Active/Disabled)
Scope (Sites/Groups)
Severity
Created By
Last Modified
Match Count

Editing Rules

Navigate to STAR Custom Rules
Click rule name
Modify settings
Click Save

Note: Changes take effect immediately across all in-scope endpoints.

Disabling/Enabling Rules

Via Console:

Navigate to STAR Custom Rules
Click rule checkbox
Click Actions → Disable or Enable

Via API:

function Set-S1STARRuleStatus {
    param(
        [string]$ApiToken,
        [string]$ConsoleUrl,
        [string]$RuleId,
        [ValidateSet("Active", "Disabled")]
        [string]$Status
    )
 
    $headers = @{
        "Authorization" = "ApiToken $ApiToken"
        "Content-Type" = "application/json"
    }
 
    $body = @{
        data = @{
            status = $Status
        }
    } | ConvertTo-Json
 
    Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/star-rules/$RuleId" `
        -Method PUT -Headers $headers -Body $body
}

Deleting Rules

Navigate to STAR Custom Rules
Click rule checkbox
Click Actions → Delete
Confirm deletion

Warning: Deletion is permanent. Consider disabling instead for temporary removal.

Exporting/Importing Rules

Export (via API):

function Export-S1STARRules {
    param(
        [string]$ApiToken,
        [string]$ConsoleUrl,
        [string]$OutputPath = ".\star-rules-export.json"
    )
 
    $headers = @{
        "Authorization" = "ApiToken $ApiToken"
        "Content-Type" = "application/json"
    }
 
    $rules = Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/star-rules" `
        -Method GET -Headers $headers
 
    $rules.data | ConvertTo-Json -Depth 10 | Out-File $OutputPath
    Write-Host "Exported $($rules.data.Count) rules to $OutputPath"
}

Import (via API):

function Import-S1STARRules {
    param(
        [string]$ApiToken,
        [string]$ConsoleUrl,
        [string]$InputPath,
        [string]$TargetSiteId
    )
 
    $headers = @{
        "Authorization" = "ApiToken $ApiToken"
        "Content-Type" = "application/json"
    }
 
    $rules = Get-Content $InputPath | ConvertFrom-Json
 
    foreach ($rule in $rules) {
        $body = @{
            data = @{
                name = $rule.name
                description = $rule.description
                query = $rule.query
                severity = $rule.severity
                status = "Disabled"  # Import as disabled for review
                siteIds = @($TargetSiteId)
            }
        } | ConvertTo-Json -Depth 5
 
        try {
            Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/star-rules" `
                -Method POST -Headers $headers -Body $body
            Write-Host "[OK] Imported: $($rule.name)" -ForegroundColor Green
        }
        catch {
            Write-Host "[FAIL] $($rule.name): $($_.Exception.Message)" -ForegroundColor Red
        }
    }
}

STAR RULE LIBRARY

High-Fidelity Detection Rules

These rules have high confidence with low false positive rates:

Credential Access

LSASS Memory Access (T1003.001)

TgtProcName = "lsass.exe" AND
EventType = "Open Remote Process Handle" AND
SrcProcName Not In ("svchost.exe", "lsm.exe", "wmiprvse.exe", "csrss.exe",
"wininit.exe", "MsMpEng.exe", "SentinelAgent.exe")

Severity: Critical
Response: Alert + Treat as Malicious
False Positives: Rare (legitimate security tools)

Mimikatz Command Line (T1003)

TgtProcCmdLine In Contains Anycase ("sekurlsa::", "lsadump::",
"privilege::debug", "token::elevate", "kerberos::ptt")

Severity: Critical
Response: Kill Process + Treat as Malicious
False Positives: Very rare

Defense Evasion

Event Log Clearing (T1070.001)

(TgtProcName = "wevtutil.exe" AND TgtProcCmdLine ContainsCIS "cl ") OR
(SrcProcCmdLine ContainsCIS "Clear-EventLog" AND
 SrcProcParentName Not In ("svchost.exe", "WmiPrvSE.exe"))

Severity: High
Response: Alert + Treat as Suspicious
False Positives: IT maintenance scripts (whitelist as needed)

AMSI Bypass (T1562.001)

SrcProcCmdLine ContainsCIS "AmsiUtils" AND
SrcProcCmdLine ContainsCIS "amsiInitFailed"

Severity: Critical
Response: Kill Process + Treat as Malicious
False Positives: Very rare

Disable Windows Defender (T1562.001)

TgtProcCmdLine ContainsCIS "Set-MpPreference" AND
(TgtProcCmdLine ContainsCIS "DisableRealtimeMonitoring" OR
 TgtProcCmdLine ContainsCIS "DisableBehaviorMonitoring" OR
 TgtProcCmdLine ContainsCIS "DisableIOAVProtection")

Severity: High
Response: Alert + Treat as Suspicious
False Positives: Rare (lab environments)

Execution

Encoded PowerShell (T1059.001)

EventType = "Process Creation" AND
SrcProcName = "powershell.exe" AND
(SrcProcCmdLine ContainsCIS "-enc" OR
 SrcProcCmdLine ContainsCIS "-encodedcommand" OR
 SrcProcCmdLine ContainsCIS "frombase64string") AND
SrcProcParentName Not In ("svchost.exe", "services.exe")

Severity: High
Response: Alert (many legitimate uses)
False Positives: Common (SCCM, management tools)

PowerShell Download Cradle (T1059.001)

EventType = "Process Creation" AND
SrcProcName = "powershell.exe" AND
(SrcProcCmdLine ContainsCIS "downloadstring" OR
 SrcProcCmdLine ContainsCIS "downloadfile" OR
 SrcProcCmdLine ContainsCIS "invoke-webrequest" AND
 SrcProcCmdLine RegExp "https?://") AND
SrcProcParentName Not In ("svchost.exe", "services.exe", "OfficeClickToRun.exe")

Severity: High
Response: Alert + Treat as Suspicious
False Positives: Moderate (legitimate scripts)

Persistence

Scheduled Task Creation (T1053.005)

(TgtProcName = "schtasks.exe" AND TgtProcCmdLine ContainsCIS "/create") AND
SrcProcParentName Not In ("services.exe", "svchost.exe", "msiexec.exe",
"OfficeClickToRun.exe", "MicrosoftEdgeUpdate.exe")

Severity: Medium
Response: Alert Only
False Positives: Common (software installations)

Registry Run Key Modification (T1547.001)

RegistryKeyPath ContainsCIS "Windows\\CurrentVersion\\Run" AND
EventType In ("Registry Key Create", "Registry Value Create", "Registry Value Modified") AND
SrcProcParentName Not In ("smss.exe", "svchost.exe", "msiexec.exe", "SetupHost.exe")

Severity: Medium
Response: Alert Only
False Positives: Common (software installations)

Web Shell Creation (T1505.003)

EventType = "File Creation" AND
FileFullName ContainsCIS "inetpub\\wwwroot" AND
TgtFileExtension In Contains Anycase ("jsp", "aspx", "php", "asp", "jspx") AND
SrcProcName Not In ("explorer.exe", "msdeploy.exe", "w3wp.exe", "WebDeploy.exe")

Severity: Critical
Response: Alert + Treat as Malicious
False Positives: Rare (legitimate deployments)

WMI Event Subscription (T1546.003)

SrcProcCmdLine ContainsCIS "New-CimInstance" AND
SrcProcCmdLine ContainsCIS "root/subscription"

Severity: High
Response: Alert + Treat as Suspicious
False Positives: Rare

Lateral Movement

PsExec Execution (T1021.002)

(SrcProcName ContainsCIS "psexec" OR
 SrcProcDisplayName ContainsCIS "Execute processes remotely") AND
DstIp Is Not Empty

Severity: High
Response: Alert Only (legitimate admin use)
False Positives: Common (IT administration)

Pass the Hash/Ticket (T1550)

TgtProcCmdLine In Contains Anycase ("sekurlsa::pth", "/ntlm:", "kerberos::ptt",
"kerberos::golden", "kerberos::silver")

Severity: Critical
Response: Kill Process + Treat as Malicious
False Positives: Very rare

RDP Hijacking (T1563.002)

SrcProcName = "tscon.exe" AND SrcProcCmdLine ContainsCIS "/dest:"

Severity: Critical
Response: Alert + Treat as Malicious
False Positives: Very rare

Medium-Fidelity Hunt Rules

These rules cast a wider net and may require tuning:

Suspicious Process Chains

Office Spawning Shell

SrcProcName In ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe") AND
TgtProcName In ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
"mshta.exe", "certutil.exe", "regsvr32.exe")

Severity: Medium
Response: Alert Only
Tuning Required: Whitelist legitimate macros

Browser Spawning Shell

SrcProcName In ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe") AND
TgtProcName In ("cmd.exe", "powershell.exe", "mshta.exe")

Severity: Medium
Response: Alert Only
Tuning Required: Browser extensions may trigger

Suspicious File Operations

Executable in User Temp

EventType = "File Creation" AND
FileFullName ContainsCIS "\\AppData\\Local\\Temp\\" AND
TgtFileExtension In ("exe", "dll", "scr", "bat", "cmd", "ps1") AND
TgtFileIsExecutable = "true"

Severity: Low
Response: Alert Only
Tuning Required: Many legitimate installers use temp

Script in Startup Folder

EventType = "File Creation" AND
FileFullName ContainsCIS "Programs\\Startup" AND
TgtFileExtension In Contains ("vbs", "js", "bat", "cmd", "ps1", "wsf")

Severity: High
Response: Alert + Treat as Suspicious
Tuning Required: Some legitimate apps use startup scripts

Industry-Specific Rules

Healthcare (HIPAA)

Access to Medical Record Paths

EventType = "File Read" AND
(FileFullName ContainsCIS "\\PatientRecords\\" OR
 FileFullName ContainsCIS "\\MedicalFiles\\" OR
 FileFullName ContainsCIS "\\PHI\\") AND
SrcProcName Not In ("EMR_Application.exe", "approved_apps...")

Financial Services (PCI-DSS)

Access to Cardholder Data

EventType In ("File Read", "File Copy") AND
(FileFullName ContainsCIS "\\CardData\\" OR
 FileFullName ContainsCIS "\\PAN\\" OR
 FileFullName RegExp "\\b[0-9]{13,16}\\b")

Legal/Law Firms

Bulk Document Access

EventType = "File Read" AND
FileFullName ContainsCIS "\\CaseMatter\\" AND
SrcProcName Not In ("Outlook.exe", "WINWORD.exe", "approved_dms.exe")

BEST PRACTICES

Rule Development Workflow

┌─────────────────────────────────────────────────────────────────────┐
│                    STAR RULE DEVELOPMENT LIFECYCLE                   │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│  1. IDENTIFY    →   2. DEVELOP     →   3. TEST      →   4. TUNE    │
│  Threat/use         Write query        Run in DV        Reduce FPs  │
│  case               in DV              validate         whitelist   │
│                                                                     │
│  5. DEPLOY      →   6. MONITOR     →   7. REFINE    →   8. DOCUMENT│
│  Create rule        Watch alerts       Adjust as        Record      │
│  (alert only)       for FPs            needed           decisions   │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘

Naming Convention

[Severity]-[Category]-[Technique]-[Description]

Examples:
- HIGH-CRED-T1003-LSASS_Memory_Access
- CRIT-EXEC-T1059-Encoded_PowerShell_Download
- MED-PERSIST-T1547-Registry_Run_Key_Modification
- HIGH-LATMOV-T1021-PsExec_Remote_Execution

Severity Guidelines

Severity	Criteria	Response
Critical	Active attack, high confidence, immediate risk	Auto-response recommended
High	Likely malicious, requires investigation	Alert + possible auto-response
Medium	Suspicious, may be legitimate	Alert, manual review
Low	Informational, baseline monitoring	Alert, low priority
Info	Audit trail, compliance	Logging only

Scoping Strategy

# Recommended scope hierarchy
Account-Level Rules:
  - Critical/universal detections
  - Zero-day IOCs
  - Known malware signatures
 
Site-Level Rules:
  - Client-specific threats
  - Industry-specific rules
  - Compliance requirements
 
Group-Level Rules:
  - Server-specific detections
  - Workstation-specific rules
  - VIP/executive monitoring

False Positive Management

Whitelisting Strategies:

Process Exclusions:

-- Add to query
AND SrcProcName Not In ("legitimate_app.exe", "trusted_tool.exe")
AND SrcProcParentName Not In ("services.exe", "svchost.exe")

Path Exclusions:

-- Add to query
AND FileFullName Does Not ContainCIS "\\Approved\\Path\\"
AND SrcProcImagePath Does Not ContainCIS "\\Program Files\\"

User Exclusions:

-- Add to query (use sparingly)
AND SrcProcUser Does Not ContainCIS "service_account"

Publisher Exclusions:

-- Add to query
AND SrcProcPublisher Not In ("MICROSOFT CORPORATION", "TRUSTED VENDOR")

Documentation Template

## STAR Rule: [Rule Name]
 
### Overview
- **Created:** YYYY-MM-DD
- **Author:** [Name]
- **Version:** 1.0
- **Status:** Active | Disabled | Testing
 
### Detection Logic
- **MITRE Technique:** T1XXX.XXX - [Name]
- **MITRE Tactic:** [Tactic]
- **Description:** [What this rule detects]
 
### Query
```sql
[S1QL Query Here]

Configuration

Severity: [Level]
Scope: [Sites/Groups]
Response: [Alert Only | Kill | Quarantine]
Treat as Threat: Yes/No

False Positives

Known FP #1: [Description] - Mitigated by: [exclusion]
Known FP #2: [Description] - Mitigated by: [exclusion]

Testing

Test Date: YYYY-MM-DD
Test Results: [Pass/Fail]
Matches in Test Period: [Count]

References

[Link to threat intel]
[Link to MITRE page]

Changelog

Date	Version	Change
YYYY-MM-DD	1.0	Initial creation


---

## MONITORING AND ALERTING

### Viewing STAR Alerts

**Console Navigation:**
- Console → Activity → Alerts
- Filter: Type = "Custom Rule"

**Alert Information:**
- Rule name and description
- Matched endpoint
- Process details
- Storyline link
- Timestamp

### Alert Response Workflow

```markdown
## STAR Alert Response Checklist

Alert: _________________
Rule: _________________
Endpoint: _________________
Time: _________________

### Initial Assessment
- [ ] Review alert details
- [ ] Check rule description and intent
- [ ] Assess severity level

### Investigation
- [ ] Click Storyline link for full context
- [ ] Review process tree
- [ ] Check parent/child relationships
- [ ] Look for related activity

### Determination
- [ ] True Positive - Malicious activity confirmed
- [ ] True Positive - Suspicious, needs monitoring
- [ ] False Positive - Legitimate activity
- [ ] Unknown - Requires deeper investigation

### Response (if True Positive)
- [ ] Isolate endpoint (if not auto-quarantined)
- [ ] Kill malicious process (if not auto-killed)
- [ ] Collect forensic evidence
- [ ] Initiate incident response

### Documentation
- [ ] Document findings
- [ ] Update rule if needed (reduce FPs)
- [ ] Add to threat intel if new IOC

Creating Alert Notifications

Navigate to Settings → Notifications
Create notification rule:
- Trigger: Custom Rule Alert
- Severity: [Select threshold]
- Recipients: SOC team email/Slack
- Frequency: Immediate or digest

API REFERENCE

List STAR Rules

function Get-S1STARRules {
    param(
        [string]$ApiToken,
        [string]$ConsoleUrl,
        [string]$SiteId
    )
 
    $headers = @{
        "Authorization" = "ApiToken $ApiToken"
        "Content-Type" = "application/json"
    }
 
    $url = "$ConsoleUrl/web/api/v2.1/star-rules"
    if ($SiteId) {
        $url += "?siteIds=$SiteId"
    }
 
    $response = Invoke-RestMethod -Uri $url -Method GET -Headers $headers
    return $response.data
}
 
# Example
$rules = Get-S1STARRules -ApiToken $token -ConsoleUrl $url
$rules | Format-Table name, severity, status, matchCount

Get Rule Details

function Get-S1STARRule {
    param(
        [string]$ApiToken,
        [string]$ConsoleUrl,
        [string]$RuleId
    )
 
    $headers = @{
        "Authorization" = "ApiToken $ApiToken"
        "Content-Type" = "application/json"
    }
 
    $response = Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/star-rules/$RuleId" `
        -Method GET -Headers $headers
    return $response.data
}

Update Rule

function Update-S1STARRule {
    param(
        [string]$ApiToken,
        [string]$ConsoleUrl,
        [string]$RuleId,
        [hashtable]$Updates
    )
 
    $headers = @{
        "Authorization" = "ApiToken $ApiToken"
        "Content-Type" = "application/json"
    }
 
    $body = @{ data = $Updates } | ConvertTo-Json -Depth 5
 
    $response = Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/star-rules/$RuleId" `
        -Method PUT -Headers $headers -Body $body
    return $response.data
}
 
# Example: Update severity
Update-S1STARRule -ApiToken $token -ConsoleUrl $url -RuleId "123" -Updates @{
    severity = "Critical"
}

Delete Rule

function Remove-S1STARRule {
    param(
        [string]$ApiToken,
        [string]$ConsoleUrl,
        [string]$RuleId
    )
 
    $headers = @{
        "Authorization" = "ApiToken $ApiToken"
        "Content-Type" = "application/json"
    }
 
    Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/star-rules/$RuleId" `
        -Method DELETE -Headers $headers
 
    Write-Host "Deleted rule: $RuleId"
}

Bulk Rule Deployment Script

<#
.SYNOPSIS
    Deploy standard STAR rules to a new client site
.DESCRIPTION
    Creates a set of high-fidelity STAR rules for new client onboarding
#>
 
param(
    [Parameter(Mandatory=$true)]
    [string]$ApiToken,
 
    [Parameter(Mandatory=$true)]
    [string]$ConsoleUrl,
 
    [Parameter(Mandatory=$true)]
    [string]$SiteId,
 
    [string]$RuleSetPath = ".\star-rules-baseline.json"
)
 
# Baseline rule set
$baselineRules = @(
    @{
        name = "CRIT-CRED-T1003-LSASS_Memory_Access"
        description = "Detects suspicious access to LSASS process memory (credential dumping)"
        query = 'TgtProcName = "lsass.exe" AND EventType = "Open Remote Process Handle" AND SrcProcName Not In ("svchost.exe","lsm.exe","wmiprvse.exe","csrss.exe","wininit.exe","MsMpEng.exe","SentinelAgent.exe")'
        severity = "Critical"
        treatAsThreat = $true
    },
    @{
        name = "CRIT-EXEC-T1059-Mimikatz_Commands"
        description = "Detects Mimikatz command-line arguments"
        query = 'TgtProcCmdLine In Contains Anycase ("sekurlsa::","lsadump::","privilege::debug","token::elevate","kerberos::ptt")'
        severity = "Critical"
        treatAsThreat = $true
    },
    @{
        name = "HIGH-EVADE-T1070-Event_Log_Clearing"
        description = "Detects Windows event log clearing"
        query = '(TgtProcName = "wevtutil.exe" AND TgtProcCmdLine ContainsCIS "cl ") OR (SrcProcCmdLine ContainsCIS "Clear-EventLog" AND SrcProcParentName Not In ("svchost.exe","WmiPrvSE.exe"))'
        severity = "High"
        treatAsThreat = $false
    },
    @{
        name = "HIGH-EVADE-T1562-AMSI_Bypass"
        description = "Detects AMSI bypass attempts"
        query = 'SrcProcCmdLine ContainsCIS "AmsiUtils" AND SrcProcCmdLine ContainsCIS "amsiInitFailed"'
        severity = "Critical"
        treatAsThreat = $true
    },
    @{
        name = "HIGH-EXEC-T1059-PowerShell_Download"
        description = "Detects PowerShell download cradles"
        query = 'EventType = "Process Creation" AND SrcProcName = "powershell.exe" AND (SrcProcCmdLine ContainsCIS "downloadstring" OR SrcProcCmdLine ContainsCIS "downloadfile" OR SrcProcCmdLine ContainsCIS "invoke-webrequest") AND SrcProcParentName Not In ("svchost.exe","services.exe")'
        severity = "High"
        treatAsThreat = $false
    },
    @{
        name = "CRIT-PERSIST-T1505-Web_Shell_Creation"
        description = "Detects web shell file creation in IIS directories"
        query = 'EventType = "File Creation" AND FileFullName ContainsCIS "inetpub\\wwwroot" AND TgtFileExtension In Contains Anycase ("jsp","aspx","php","asp") AND SrcProcName Not In ("explorer.exe","msdeploy.exe","w3wp.exe")'
        severity = "Critical"
        treatAsThreat = $true
    },
    @{
        name = "CRIT-LATMOV-T1550-Pass_The_Hash"
        description = "Detects Pass-the-Hash and Pass-the-Ticket attacks"
        query = 'TgtProcCmdLine In Contains Anycase ("sekurlsa::pth","/ntlm:","kerberos::ptt","kerberos::golden")'
        severity = "Critical"
        treatAsThreat = $true
    },
    @{
        name = "HIGH-LATMOV-T1563-RDP_Hijacking"
        description = "Detects RDP session hijacking via tscon"
        query = 'SrcProcName = "tscon.exe" AND SrcProcCmdLine ContainsCIS "/dest:"'
        severity = "Critical"
        treatAsThreat = $true
    }
)
 
$headers = @{
    "Authorization" = "ApiToken $ApiToken"
    "Content-Type" = "application/json"
}
 
Write-Host "Deploying $($baselineRules.Count) baseline STAR rules to site $SiteId" -ForegroundColor Cyan
 
$results = @()
 
foreach ($rule in $baselineRules) {
    $body = @{
        data = @{
            name = $rule.name
            description = $rule.description
            query = $rule.query
            severity = $rule.severity
            status = "Active"
            treatAsThreat = $rule.treatAsThreat
            siteIds = @($SiteId)
        }
    } | ConvertTo-Json -Depth 5
 
    try {
        $response = Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/star-rules" `
            -Method POST -Headers $headers -Body $body
 
        Write-Host "[OK] Created: $($rule.name)" -ForegroundColor Green
        $results += [PSCustomObject]@{
            Rule = $rule.name
            Status = "Created"
            RuleId = $response.data.id
        }
    }
    catch {
        Write-Host "[FAIL] $($rule.name): $($_.Exception.Message)" -ForegroundColor Red
        $results += [PSCustomObject]@{
            Rule = $rule.name
            Status = "Failed"
            Error = $_.Exception.Message
        }
    }
 
    Start-Sleep -Milliseconds 500  # Rate limiting
}
 
Write-Host "`n=== Deployment Summary ===" -ForegroundColor Cyan
$results | Format-Table -AutoSize
 
$successCount = ($results | Where-Object { $_.Status -eq "Created" }).Count
Write-Host "Successfully deployed $successCount of $($baselineRules.Count) rules"

TROUBLESHOOTING

Common Issues

Issue: Rule not triggering alerts

Verify rule status is "Active"
Check scope includes target endpoints
Confirm query syntax is valid
Verify Deep Visibility is enabled on endpoints
Check time range - telemetry must exist first

Issue: Too many false positives

Add exclusions for legitimate processes
Narrow query scope
Increase specificity of pattern matching
Consider moving to lower severity

Issue: Rule creation fails

Validate S1QL syntax in Deep Visibility first
Check for unsupported operators
Verify field names are correct
Check API permissions

Issue: Response action not executing

Verify "Treat as Threat" is enabled
Check agent policy allows the response action
Confirm agent is connected and healthy
Review policy precedence

Query Validation

Always test queries in Deep Visibility before creating STAR rules:

-- Test your query
[Your Query Here]
 
-- If results are expected, query is valid
-- If no results, check:
-- 1. Time range
-- 2. Field names
-- 3. Operator syntax
-- 4. Case sensitivity

SOURCES

REVISION HISTORY

Version	Date	Author	Changes
1.0	2026-01-08	CosmicBytez	Initial creation

SCENARIO

REQUIREMENTS & ASSUMPTIONS

Technical Requirements

STAR Rule Capabilities

Understanding STAR vs Other Features

STAR RULE ARCHITECTURE

How STAR Rules Work

Rule Components

CREATING STAR RULES

Method 1: From Deep Visibility Query

Method 2: From STAR Rules Interface

Method 3: Via API

RESPONSE ACTIONS

Available Response Options

Response Action Decision Matrix

Configuring Threat Treatment

RULE MANAGEMENT

Viewing STAR Rules

Editing Rules

Disabling/Enabling Rules

Deleting Rules

Exporting/Importing Rules

STAR RULE LIBRARY

High-Fidelity Detection Rules

Credential Access

Defense Evasion

Execution

Persistence

Lateral Movement

Medium-Fidelity Hunt Rules

Suspicious Process Chains

Suspicious File Operations

Industry-Specific Rules

Healthcare (HIPAA)

Financial Services (PCI-DSS)

Legal/Law Firms

BEST PRACTICES

Rule Development Workflow

Naming Convention

Severity Guidelines

Scoping Strategy

False Positive Management

Documentation Template

Configuration

False Positives

Testing

References

Changelog

Creating Alert Notifications

API REFERENCE

List STAR Rules

Get Rule Details

Update Rule

Delete Rule

Bulk Rule Deployment Script

TROUBLESHOOTING

Common Issues

Query Validation

RELATED DOCUMENTATION

SOURCES

REVISION HISTORY

Related Reading

SCENARIO

REQUIREMENTS & ASSUMPTIONS

Technical Requirements

STAR Rule Capabilities

Understanding STAR vs Other Features

STAR RULE ARCHITECTURE

How STAR Rules Work

Rule Components

CREATING STAR RULES

Method 1: From Deep Visibility Query

Method 2: From STAR Rules Interface

Method 3: Via API

RESPONSE ACTIONS

Available Response Options

Response Action Decision Matrix

Configuring Threat Treatment

RULE MANAGEMENT

Viewing STAR Rules