Welcome back to the SentinelOne journey! As promised, we’re diving deep into the Deep Visibility feature—a powerhouse for threat hunting and data analysis. Let me take you on a step-by-step walkthrough, starting with the Enhanced Deep Visibility, which is SentinelOne’s newer and improved version, and then comparing it with the Legacy Deep Visibility. I’ll show you how to unleash its potential for hunting threats effectively. Buckle up, and let’s get started!
-------------------------------------------------------------------------------------------------------------
What Is Deep Visibility?
Deep Visibility is SentinelOne’s capability to collect and analyze data from endpoints and integrated sources, offering unmatched granularity for security investigations. It stores this data for up to 90 days by default, allowing for retrospective analysis. If you’re serious about understanding threats in your network, this is where the magic happens.
Before diving into the technical details, let’s clarify a few key concepts:
Singularity™ Data Lake
This advanced feature builds on Deep Visibility, creating a unified platform to manage and analyze all your data. It combines EDR (Endpoint Detection and Response), XDR (Extended Detection and Response), and even non-security data.
Key Features:
Centralized Data: Consolidates security, environmental, and third-party data for seamless analysis.
Enhanced Querying: Includes tools like PowerQueries for advanced searches.
Custom Views: Supports EDR, XDR, and "All Data" views for tailored investigations.
Visualization: Offers customizable dashboards with graphs and JSON-based configurations.
Quick Note: Some of these advanced features are add-ons. You may need to subscribe to them separately.
-------------------------------------------------------------------------------------------------------------
Starting with Enhanced Deep Visibility
Let’s move to the Enhanced version because it’s simpler, faster, and more efficient than the Legacy version. As we proceed, I’ll show you why it’s my preferred choice for threat hunting.
1. Understanding the Interface
When you open Deep Visibility, you’ll notice three main views at the top-left corner:
EDR: Displays structured security data collected from SentinelOne agents.
XDR: Merges EDR data with data from integrated third-party sources.
All Data: Combines everything—security and environmental logs.
Example Use Case:
If you’re hunting for incoming connections on a specific endpoint, you might start with the EDR view to focus on structured security data, then move to XDR for broader context.
How to Query:
endpoint.name = "EndpointName" AND event.network.direction = 'INCOMING'
This query will list all incoming network events for the specified endpoint.
The one above is the simplest example I can give.
With SentinelOne Deep Visibility, you can monitor, search for, and investigate activity using indicators such as file hashes, file names, domains, or any other relevant parameters (I cannot name them all; do check them out on your own). These capabilities enable comprehensive threat detection and response, helping you quickly identify and address security risks.
In the future, based on demand, I plan to create a detailed article that will provide in-depth guidance on crafting queries and maximizing the platform's potential. For now, this overview should serve as a sufficient introduction.
-------------------------------------------------------------------------------------------------------------
2. PowerQueries: The Game Changer
What are PowerQueries?
PowerQueries are SentinelOne’s advanced query-building tools for precise data retrieval. Think of them as the Swiss Army knife for analysts. They’re designed for scenarios where regular Event Search might fall short.
Why Use PowerQueries?
Targeted Results: Fetch only the data you need.
Event Correlation: Combine data from multiple sources for deeper insights.
Statistical Analysis: Use grouping functions to spot anomalies.
From my perspective, PowerQuery is a tool for crafting threat queries that return structured, tabular output, which makes it especially useful for reporting and analysis. PowerQuery has broad applications, and I often treat it as a versatile resource for security use cases. For example, I could use it to identify failed login attempts or to investigate whether a specific user has transferred data to a USB device. These examples show how PowerQuery can simplify complex investigations while maintaining precision and clarity.
Example 1: Failed Login Attempts
Example 2: USB Data Transfer
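To make the grouping and correlation idea behind the failed-login use case concrete, here is an added Python example written for this article; it is not SentinelOne code and not PowerQuery syntax. It runs over a handful of constructed login events: it groups failures per endpoint and user in the spirit of a PowerQuery group-by step, flags pairs that cross a threshold, and correlates a burst of failures followed by a success. The field names in the sample records are this example's own, not SentinelOne's schema.

```python
from collections import Counter, defaultdict

# Constructed sample login events (not real telemetry). The keys are this
# example's own; map them to the login fields your console exposes.
SAMPLE_EVENTS = [
    {"ts": 1, "endpoint": "FIN-WS01", "user": "alice", "success": False},
    {"ts": 2, "endpoint": "FIN-WS01", "user": "alice", "success": False},
    {"ts": 3, "endpoint": "FIN-WS01", "user": "alice", "success": False},
    {"ts": 4, "endpoint": "FIN-WS01", "user": "alice", "success": False},
    {"ts": 5, "endpoint": "FIN-WS01", "user": "alice", "success": False},
    {"ts": 6, "endpoint": "FIN-WS01", "user": "alice", "success": True},
    {"ts": 7, "endpoint": "FIN-WS02", "user": "bob", "success": False},
    {"ts": 8, "endpoint": "FIN-WS02", "user": "bob", "success": True},
] + [
    # six failures with no success: noisy, but not a completed compromise
    {"ts": 9 + i, "endpoint": "HR-WS03", "user": "carol", "success": False}
    for i in range(6)
]


def failed_logins_by_user(events):
    """Group failed logins by (endpoint, user), the shape a group-by step returns."""
    counts = Counter()
    for e in events:
        if not e["success"]:
            counts[(e["endpoint"], e["user"])] += 1
    return counts


def as_table(counts):
    """Render the grouping as rows (endpoint, user, failures), highest count first."""
    return sorted(
        ((ep, user, n) for (ep, user), n in counts.items()),
        key=lambda row: (-row[2], row[0], row[1]),
    )


def flag_bruteforce(events, threshold=5):
    """(endpoint, user) pairs whose failure count reaches the threshold."""
    return sorted(k for k, n in failed_logins_by_user(events).items() if n >= threshold)


def failures_then_success(events, min_failures=3):
    """Correlate a success that directly follows a run of failures for the same pair.

    A plain filter cannot express 'failures, then a success'; it needs the
    events ordered by time and a running count per pair.
    """
    streak = defaultdict(int)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["endpoint"], e["user"])
        if e["success"]:
            if streak[key] >= min_failures:
                hits.append(key)
            streak[key] = 0  # a success ends the run either way
        else:
            streak[key] += 1
    return hits


if __name__ == "__main__":
    for row in as_table(failed_logins_by_user(SAMPLE_EVENTS)):
        print(row)
    print("threshold hits:", flag_bruteforce(SAMPLE_EVENTS))
    print("failures then success:", failures_then_success(SAMPLE_EVENTS))
```

The table is the kind of structured output the paragraph above describes; the correlation function is the sort of question that is awkward as a plain Event Search filter and is where a query language with grouping and ordering earns its place.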
Tip: If you’re not familiar with query writing, don’t worry. SentinelOne provides built-in tools and even a Purple AI assistant (more on this later) to guide you.
This is where PowerQuery becomes invaluable. It helps you focus on what you are looking for by streamlining data queries and presenting results effectively. In my view, PowerQuery can be utilized in numerous ways, though there might be additional applications I haven't explored yet—feel free to share your insights or suggestions in the comments.
As for functionalities like saving or sharing searches, these are quite intuitive and self-explanatory, so I won’t elaborate on them here. Any searches you save can be easily accessed under the "Search" column. A screenshot is included below for better clarity.
-------------------------------------------------------------------------------------------------------------
3. Purple AI: Your Hunting Buddy
Purple AI is SentinelOne’s answer to simplifying threat hunting. If writing queries isn’t your strong suit, this feature allows you to type commands in plain English. Purple AI then translates them into actionable queries.
Example:
Type: “Show all connections made by PowerShell to public IPs.”
Purple AI generates the query and rule for you:
Click Open PowerQuery, as shown in the screenshot.
Using AI tools is certainly beneficial, but I strongly encourage you to learn how to create queries manually. While AI simplifies many tasks, not every organization will purchase the built-in AI-driven query features. In such cases, your ability to craft queries independently will be essential and could spare you real difficulty. Moreover, writing your own queries allows for better customization and accuracy in your analysis.
If you’d like, I can compile a list of sample queries to help you get started. Feel free to reach out via email or reply directly to this article, and I’d be happy to create detailed guides and examples for you.
-------------------------------------------------------------------------------------------------------------
4. Creating Custom Dashboards
Dashboards in Enhanced Deep Visibility are a breeze and largely self-explanatory. You can visualize trends, monitor system health, and even build reusable dashboards tailored to your needs.
Pro Tip: Use the Dashboard Library
Prebuilt dashboards make it easy to get started. From system health to incident trends, you’ll find templates for almost every use case.
-------------------------------------------------------------------------------------------------------------
Next to the Dashboard section, you'll find the Star Custom Rules feature. We'll delve into this in detail in future articles, but in simple terms, it allows you to create custom detection rules. For example, as I’ve mentioned before, while SentinelOne’s AI detection is powerful, it's always best to supplement it by creating your own rules under Star Custom Rules for more precise detections.
Moving on, near the Star Custom Rules, you’ll see the Docs column. This section contains comprehensive documentation for various tasks, such as data ingestion, log parsing (e.g., logs from Zscaler or other tools), working with graphs, PowerQueries, and much more. It’s a valuable resource to explore and reference as needed.
On the left-hand side of the Search section, you'll find a tab called Logs. This is where you can view all the logs ingested from various tools. It provides insights into the volume of logs and their sources, making it easier to track and manage log data effectively.
-------------------------------------------------------------------------------------------------------------
5. Legacy Deep Visibility: Still Useful?
While I’m a big fan of the Enhanced version, Legacy Deep Visibility has its own charm. Here’s where it shines:
As shown in the screenshot, this is how the Legacy Console appears.
S1QL (SentinelOne Query Language): Provides a structured way to query data, similar to S2QL.
For example, I hunted for executions of rundll32 or regsvr32 scripts. When comparing the Legacy Console and the Enhanced Console, you’ll notice slight differences, particularly in the Command structure. Personally, I prefer the Enhanced version for its improved functionality, but the choice is yours.
I recommend exploring resources like the following for detailed query references and cheat sheets:
These provide valuable insights into creating and running queries in the Legacy Console. However, I strongly advise against copying and pasting queries directly without understanding them. Always verify what a query does and ensure its relevance to your objective.
The Legacy Console has some notable missing features, such as Purple AI and the Dashboard, which are present in the Enhanced Console. However, one feature exclusive to Legacy Deep Visibility is the Threat Hunter Extension:
Hunter Extension: A browser extension for quick IOC hunting. For example, you can copy a list of suspicious IPs from a webpage, and the extension automatically builds a query for them.
Example:
In simple terms, this browser extension allows you to copy IOCs (Indicators of Compromise) from websites. For instance, if a website contains 100 IOCs, the extension captures them all. You can then select and search them directly in the Legacy Deep Visibility console, which generates a query and performs the hunt automatically. Unfortunately, this feature is not available in the Enhanced Console, making Legacy Deep Visibility particularly powerful for IOC hunting in such scenarios.
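The Hunter extension's workflow (copy the IOCs from a page, have a query built for them) can be reproduced for the Enhanced Console with a small script. The following Python is an added example written for this article, not SentinelOne's or the extension's code: it refangs and extracts IPv4 addresses, domains and file hashes from constructed report text, drops addresses on internal ranges so they are not hunted as external IOCs, and emits an `in (...)` query. The Deep Visibility field names in `FIELDS` are assumptions; check them against the Fields panel of your own console before running the output.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample text standing in for a threat-report web page.
# Addresses are from the TEST-NET documentation ranges and the hashes are
# the well-known digests of the empty string; nothing here is a real IOC.
SAMPLE_PAGE_TEXT = """
Observed infrastructure: 198.51.100.23 and 203[.]0[.]113[.]77
Staging URL: hxxps://malware-staging[.]example/
Beacon domain: evil-updates[.]example
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
MD5: d41d8cd98f00b204e9800998ecf8427e
Analyst workstation: 10.0.0.1 (internal, must not be hunted as an IOC)
"""

# Assumed Deep Visibility field names per IOC type (verify in your console).
FIELDS = {
    "ipv4": ["dst.ip.address", "src.ip.address"],
    "domain": ["event.dns.request"],
    "sha256": ["tgt.file.sha256", "src.process.image.sha256"],
    "md5": ["tgt.file.md5"],
}

# Ranges that are internal to the environment and therefore noise in an
# external-infrastructure hunt; edit to match your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.I)
MD5_RE = re.compile(r"\b[a-f0-9]{32}\b", re.I)


def refang(text):
    """Undo the defanging styles commonly used in public reports."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)


def extract_iocs(text):
    """Return {ioc_type: sorted list of values} found in free text."""
    text = refang(text)
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    remainder = URL_RE.sub(" ", text)  # do not re-scan URL hosts and paths

    ips = set()
    for cand in IPV4_RE.findall(remainder):
        try:
            ip = ipaddress.IPv4Address(cand)
        except ValueError:
            continue  # e.g. 999.1.1.1 looks like an IP but is not one
        if not any(ip in net for net in INTERNAL_NETS):
            ips.add(str(ip))

    hosts.update(m.lower() for m in DOMAIN_RE.findall(remainder))
    return {
        "ipv4": sorted(ips),
        "domain": sorted(hosts),
        "sha256": sorted({m.lower() for m in SHA256_RE.findall(remainder)}),
        "md5": sorted({m.lower() for m in MD5_RE.findall(remainder)}),
    }


def _literal(value):
    """Quote a value; refuse anything outside the IOC alphabet instead of guessing escapes."""
    if not re.fullmatch(r"[A-Za-z0-9._:-]+", value):
        raise ValueError(f"refusing to embed value: {value!r}")
    return f"'{value}'"


def build_dv_query(iocs, max_per_clause=50):
    """OR every IOC across its candidate fields, splitting long lists into chunks."""
    clauses = []
    for ioc_type, values in iocs.items():
        for field in FIELDS[ioc_type]:
            for i in range(0, len(values), max_per_clause):
                chunk = values[i:i + max_per_clause]
                clauses.append(f"{field} in ({', '.join(_literal(v) for v in chunk)})")
    return " OR ".join(clauses)


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_PAGE_TEXT)
    print(found)
    print(build_dv_query(found))
```

Review the extracted lists before running the query: the bare-domain pattern will also pick up anything that looks like a dotted hostname, such as a file name with an extension, and `build_dv_query` deliberately refuses values with characters outside the IOC alphabet rather than guessing at the query language's escaping rules.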
-------------------------------------------------------------------------------------------------------------
Threat Hunting in Deep Visibility
Threat hunting in SentinelOne is where the tool truly shines. Here’s a simple workflow:
Writing Custom Rules or Using Fields
Let’s say you want to check incoming connections on port 445:
If you’re unsure about the syntax, use the Fields section to build your query visually: select the port and the direction, then choose Include in Search (this creates the query for you automatically).
Alternatively, for more complex searches, such as detecting PowerShell connections to public IPs, let Purple AI and PowerQuery handle it (if you have them enabled).
-------------------------------------------------------------------------------------------------------------
Conclusion
SentinelOne’s Deep Visibility is a treasure trove for security professionals. Whether you’re using the Enhanced version for its intuitive interface or the Legacy version for its robust features like the Hunter extension, there’s something for everyone.
Final Advice:
Explore PowerQueries; they’re your best friend for precision.
Leverage Purple AI if you’re new to threat hunting.
Build and customize dashboards to streamline your workflows.
If using Legacy, check out the Hunter extension for quick IOC hunting.
SentinelOne offers immense depth. If you want me to write a detailed guide on query writing or any specific feature, let me know in the comments or drop me an email.
Until next time, happy hunting! 🛡️
Akash Patel