What kind of telemetry can I analyze with this skill?

You can query a wide range of data including process creations, network connections, file modifications, registry changes, DNS requests, and login events.

Can I search across all my MSP clients at once?

Yes, you can scope your hunts by site or search across the entire Singularity Data Lake depending on your SentinelOne API token permissions.

Is this syntax compatible with Splunk SPL or KQL?

No, SentinelOne uses PowerQuery, which is a Scalyr-based pipeline language. This skill specifically handles the unique syntax and constraints of the SentinelOne environment.

How many results can I retrieve per query?

The skill supports a maximum of 100 rows per query to maintain performance and focus on the most relevant security events during an investigation.

Do I need to know PowerQuery syntax to use this skill?

No, while you can write manual queries, the skill recommends using the integrated Purple AI tool to generate complex PowerQuery strings from natural language descriptions.

SentinelOne Threat Hunting

Name: SentinelOne Threat Hunting
Author: wyre-technology

bywyre-technology

•

安全与测试

Executes advanced security telemetry queries and forensic investigations within the SentinelOne Singularity Data Lake using PowerQuery.

This skill empowers security analysts and MSPs to perform deep-dive threat hunting and incident response across client environments managed by SentinelOne. By leveraging PowerQuery syntax and Singularity Data Lake telemetry, it enables the detection of sophisticated attack patterns like lateral movement, credential access, and LOLBIN activity. The skill streamlines the investigation process by integrating with Purple AI for natural language query generation, managing precise time ranges, and providing structured insights into process events, network connections, and registry changes.

主要功能

01Access pre-defined hunting scenarios for common threats like LSASS dumping and C2 beaconing

023 GitHub stars

03Analyze process, network, file, and registry telemetry for indicators of compromise

04Generate optimized query syntax from natural language using Purple AI integration

05Manage precise time ranges with ISO-to-Unix epoch timestamp conversion

06Execute complex PowerQuery searches against the Singularity Data Lake

使用场景

01Proactively hunting for stealthy lateral movement or persistence across multiple managed endpoints

02Analyzing DNS and network telemetry to identify potential command-and-control (C2) communication

03Conducting deep forensic investigations following a security alert to identify root causes

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add wyre-technology/msp-claude-plugins threat-hunting

For use in Claude.ai and ChatGPT

Download Skill