A userscript that enhances the SentinelOne PowerQuery interface with a custom threat hunting button that follows the website's own UI/UX design.
- Custom Hunting Queries Menu: Access a curated collection of threat hunting queries organized by category
- Query Pinning: Pin frequently used queries for quick access
- Search & Filter: Search through queries by name or description
- Cell Copy Buttons: One-click copy functionality for each query result cell
- Compact UI: Clean, organized interface that integrates seamlessly with SentinelOne
- Install a userscript manager like Tampermonkey or Greasemonkey
- Click here to install the script
- The script will automatically load when you visit SentinelOne PowerQuery pages
After the first installation, Tampermonkey will show a popup asking to allow the fetch that retrieves the detection rules. Click the "Always allow domain" button.
By default, the script comes with a comprehensive set of pre-configured threat hunting rules covering various categories such as:
- Installation & Persistence
- Process Execution
- Network Activity
- Registry Modifications
- File System Activity
- And more...
You can modify the script to use your own custom rules by changing the QUERIES_URL constant. Here's how:
- const QUERIES_URL = "https://raw.githubusercontent.com/LasCC/SentinelOne-Userscript/refs/heads/master/s1_powerquery_hunting.json";
+ const QUERIES_URL = "https://your-domain.com/path/to/your/custom-rules.json";
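Review bot: the replacement URL in the `+` line should point at a host you control and serve over HTTPS, because every entry the file returns becomes a query that runs with a single click from the menu; also note that after this change the Tampermonkey fetch prompt described above will appear again for the new domain and must be allowed there too.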
The JSON file should contain an array of rule objects with the following structure:
```json
[
  {
    "category": "Installation & Persistence",
    "name": "EpiBrowser and OneStart installation",
    "query": "your detection query (JSON-encoded string)"
  }
]
```
- category: The category name for organizing queries (e.g., "Network Activity", "Process Execution")
- name: Display name for the query
- query: The actual detection query
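As an added example that is not part of the userscript, the following checks a custom rules file against the structure above before you point QUERIES_URL at it, and builds the per-category grouping the menu tabs need. The field names come from this README; the function names and the sample file are my own.

```javascript
// Added example, not part of the userscript: check a custom rules file before
// pointing QUERIES_URL at it. Field names follow the README; function names are mine.
const REQUIRED_FIELDS = ["category", "name", "query"];

// Returns { rules, errors }: entries that passed, plus one message per bad entry.
function validateRules(jsonText) {
  let data;
  try {
    data = JSON.parse(jsonText); // a trailing comma or bare text fails here
  } catch (e) {
    return { rules: [], errors: [`invalid JSON: ${e.message}`] };
  }
  if (!Array.isArray(data)) {
    return { rules: [], errors: ["top-level value must be an array"] };
  }
  const rules = [], errors = [];
  data.forEach((entry, i) => {
    if (entry === null || typeof entry !== "object" || Array.isArray(entry)) {
      errors.push(`rule ${i}: not an object`);
      return;
    }
    const bad = REQUIRED_FIELDS.filter(
      (f) => typeof entry[f] !== "string" || entry[f].trim() === ""
    );
    if (bad.length) {
      errors.push(`rule ${i}: missing or empty ${bad.join(", ")}`);
      return;
    }
    rules.push({ category: entry.category, name: entry.name, query: entry.query });
  });
  return { rules, errors };
}

// Group rules by category, keeping file order inside each group (the menu's tabs).
function groupByCategory(rules) {
  const groups = new Map();
  for (const r of rules) {
    if (!groups.has(r.category)) groups.set(r.category, []);
    groups.get(r.category).push(r);
  }
  return groups;
}

// Constructed sample file (not the repository's rule set); the last two entries are bad.
const SAMPLE_RULES_JSON = JSON.stringify([
  { category: "Process Execution", name: "Encoded command line", query: "constructed query 1" },
  { category: "Network Activity", name: "Unusual outbound port", query: "constructed query 2" },
  { category: "Process Execution", name: "", query: "constructed query 3" },
  "not an object",
]);
```

Run `validateRules` on the text of your hosted file and fix every reported entry before publishing; a file with a trailing comma after the last object is rejected as invalid JSON.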
- Navigate to any SentinelOne PowerQuery page (`*.sentinelone.net/query*`)
- Look for the "Hunting Queries" button in the toolbar
- Click to open the dropdown menu with all available queries
- Use the search bar to find specific queries
- Filter by category using the tabs
- Click on any query to execute it immediately
- Use the star icon to pin/unpin frequently used queries
- Chrome/Chromium-based browsers with Tampermonkey
- Firefox with Greasemonkey or Tampermonkey
Feel free to contribute additional hunting queries, bug fixes, or feature improvements by submitting pull requests to the GitHub repository.