© 2026 CosmicBytez Labs. All rights reserved.

SentinelOne Deep Visibility Threat Hunting
HOWTO · Advanced


Dylan H.

Security Operations

February 11, 2026
22 min read

SCENARIO

Deep Visibility is SentinelOne's EDR telemetry engine that provides comprehensive endpoint data collection for threat hunting, incident investigation, and forensic analysis. This guide provides practical threat hunting procedures, query syntax reference, and a library of detection queries mapped to MITRE ATT&CK.

Use this guide when:

  • Proactively hunting for threats across client environments
  • Investigating alerts and suspicious activity
  • Searching for Indicators of Compromise (IOCs)
  • Building custom detection rules (STAR)
  • Conducting forensic timeline analysis
  • Validating security controls effectiveness

Prerequisites:

  • SentinelOne Singularity Complete license
  • Deep Visibility enabled in policy
  • Console access with Viewer role or higher
  • Basic understanding of attack techniques

Reference Documentation:

  • SentinelOne Deep Visibility Datasheet
  • S1QL Query Repository (SentinelLabs)
  • MITRE ATT&CK Mapped Queries
  • Rapid Threat Hunting with Storylines

REQUIREMENTS & ASSUMPTIONS

Technical Requirements

| Requirement | Details |
| --- | --- |
| SKU | Singularity Complete or higher |
| Agent Version | 4.2.x or newer recommended |
| Policy Setting | Deep Visibility: Enabled |
| Data Retention | 14 days default (upgradeable to 30/90/365) |
| Console Role | Viewer, IR Team, or Admin |

Data Collection Scope

Deep Visibility collects:

  • Process execution (creation, termination, command lines)
  • File operations (create, modify, delete, rename)
  • Network connections (TCP/UDP, DNS queries)
  • Registry changes (Windows)
  • Login events
  • Module/DLL loads
  • Scheduled tasks
  • Service operations
  • Cross-process operations (injection, handles)

S1QL QUERY LANGUAGE REFERENCE

Basic Syntax Structure

Field Operator "Value" AND/OR Field Operator "Value"

Common Fields

Process Fields

| Field | Description | Example |
| --- | --- | --- |
| SrcProcName | Source process name | SrcProcName = "powershell.exe" |
| TgtProcName | Target process name | TgtProcName = "cmd.exe" |
| SrcProcCmdLine | Source command line | SrcProcCmdLine Contains "-enc" |
| TgtProcCmdLine | Target command line | TgtProcCmdLine Contains "/c" |
| SrcProcParentName | Parent process name | SrcProcParentName = "explorer.exe" |
| SrcProcImagePath | Full process path | SrcProcImagePath Contains "Temp" |
| TgtProcImagePath | Target process path | TgtProcImagePath Contains "System32" |
| SrcProcCmdScript | Script content | SrcProcCmdScript Contains "Invoke-" |
| SrcProcUser | Process owner | SrcProcUser Contains "SYSTEM" |
| ProcessIntegrityLevel | Integrity level | ProcessIntegrityLevel = "HIGH" |
| SrcProcVerifiedStatus | Signature status | SrcProcVerifiedStatus != "verified" |
| SrcProcPublisher | Code signing publisher | SrcProcPublisher != "MICROSOFT" |

File Fields

| Field | Description | Example |
| --- | --- | --- |
| FileFullName | Full file path | FileFullName Contains "Startup" |
| FilePath | Directory path | FilePath Contains "Downloads" |
| FileName | File name only | FileName = "malware.exe" |
| TgtFileExtension | File extension | TgtFileExtension = "exe" |
| FileType | File type | FileType = "PE" |
| FileMD5 | MD5 hash | FileMD5 = "abc123..." |
| FileSha1 | SHA1 hash | FileSha1 = "def456..." |
| FileSha256 | SHA256 hash | FileSha256 = "ghi789..." |
| FileIsExecutable | Is executable | FileIsExecutable = "true" |
| TgtFileIsExecutable | Target is executable | TgtFileIsExecutable = "true" |

Network Fields

| Field | Description | Example |
| --- | --- | --- |
| DstIp | Destination IP | DstIp = "192.168.1.100" |
| SrcIp | Source IP | SrcIp = "10.0.0.5" |
| DstPort | Destination port | DstPort = 443 |
| SrcPort | Source port | SrcPort = 54321 |
| NetConnStatus | Connection status | NetConnStatus = "SUCCESS" |
| DnsRequest | DNS query | DnsRequest Contains "evil.com" |
| DnsResponse | DNS response | DnsResponse = "1.2.3.4" |

Registry Fields (Windows)

| Field | Description | Example |
| --- | --- | --- |
| RegistryKeyPath | Registry key path | RegistryKeyPath Contains "Run" |
| RegistryPath | Full registry path | RegistryPath Contains "CurrentVersion" |
| RegistryValue | Registry value data | RegistryValue Contains ".exe" |

Event Fields

| Field | Description | Example |
| --- | --- | --- |
| EventType | Type of event | EventType = "Process Creation" |
| EventTime | Event timestamp | Used for time filtering |
| AgentName | Endpoint hostname | AgentName = "WORKSTATION-01" |
| AgentOS | Operating system | AgentOS = "windows" |
| SiteName | Site name | SiteName = "Production" |
| StorylineId | Storyline identifier | StorylineId = "ABC123..." |
| IndicatorName | Indicator type | IndicatorName = "ScheduleTaskRegister" |

Event Types

-- Process Events
EventType = "Process Creation"
EventType = "Process Termination"
EventType = "Process Modified"
EventType = "Duplicate Process Handle"
EventType = "Open Remote Process Handle"
 
-- File Events
EventType = "File Creation"
EventType = "File Modification"
EventType = "File Deletion"
EventType = "File Rename"
EventType = "File Scan"
 
-- Network Events
EventType = "IP Connect"
EventType = "IP Listen"
EventType = "DNS Resolved"
EventType = "DNS Unresolved"
 
-- Registry Events (Windows)
EventType = "Registry Key Create"
EventType = "Registry Key Delete"
EventType = "Registry Value Create"
EventType = "Registry Value Modified"
EventType = "Registry Value Delete"
 
-- Other Events
EventType = "Module Load"
EventType = "Scheduled Task"
EventType = "Driver Load"
EventType = "Login"
EventType = "Logout"

Operators

| Operator | Description | Example |
| --- | --- | --- |
| = | Equals | ProcessName = "cmd.exe" |
| != | Not equals | ProcessName != "explorer.exe" |
| Contains | Contains (case-sensitive) | CmdLine Contains "password" |
| ContainsCIS | Contains (case-insensitive) | CmdLine ContainsCIS "PASSWORD" |
| Does Not ContainCIS | Does not contain (case-insensitive) | Path Does Not ContainCIS "System32" |
| In | In list | Name In ("cmd.exe","powershell.exe") |
| In Contains | In list (partial match) | CmdLine In Contains ("net","user") |
| In Contains Anycase | In list (case-insensitive partial match) | Name In Contains Anycase ("CMD","PS") |
| Not In | Not in list | Name Not In ("svchost.exe") |
| RegExp | Regular expression (backslashes are escaped as \\) | CmdLine RegExp "^.*\\.exe$" |
| StartswithCIS | Starts with (case-insensitive) | Path StartswithCIS "C:\\Users" |
| EndswithCIS | Ends with (case-insensitive) | Name EndswithCIS ".dll" |
| Is Empty | Field is empty | DstIp Is Empty |
| Is Not Empty | Field has a value | DstIp Is Not Empty |

Logical Operators

-- AND: Both conditions must be true
EventType = "Process Creation" AND ProcessName = "cmd.exe"
 
-- OR: Either condition can be true
ProcessName = "cmd.exe" OR ProcessName = "powershell.exe"
 
-- Grouping with parentheses
(ProcessName = "cmd.exe" OR ProcessName = "powershell.exe") AND UserName = "SYSTEM"

Time Filtering

Time is filtered via the console UI (last 1 hour, 24 hours, 7 days, 14 days, or custom range).
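To check how a hunt query from this page will be interpreted before it is run in the console, here is an added example (not SentinelOne code and not part of the original guide): a small Python evaluator for the S1QL subset in the tables above, run against constructed sample events. It assumes that AND binds tighter than OR, that numbers compare as text, and that a field missing from an event behaves like an empty string; none of those three points is stated on this page.

```python
import re

TOKEN_RE = re.compile(r'\s+|(?P<STR>"(?:[^"\\]|\\.)*")|(?P<NUM>\d+)|(?P<P>[(),])'
                      r'|(?P<OP>!=|=)|(?P<WORD>[A-Za-z_][\w:.-]*)|(?P<BAD>.)')

OPS = {  # operator semantics from the reference table: a = event value as text, v = query value
    "=": lambda a, v: a == v,
    "!=": lambda a, v: a != v,
    "Contains": lambda a, v: v in a,
    "ContainsCIS": lambda a, v: v.lower() in a.lower(),
    "Does Not ContainCIS": lambda a, v: v.lower() not in a.lower(),
    "In": lambda a, v: a in v,
    "Not In": lambda a, v: a not in v,
    "In Contains": lambda a, v: any(x in a for x in v),
    "In Contains Anycase": lambda a, v: any(x.lower() in a.lower() for x in v),
    "RegExp": lambda a, v: re.search(v, a) is not None,
    "StartswithCIS": lambda a, v: a.lower().startswith(v.lower()),
    "EndswithCIS": lambda a, v: a.lower().endswith(v.lower()),
    "Is Empty": lambda a, v: a == "",
    "Is Not Empty": lambda a, v: a != "",
}

def tokenize(query):
    """Turn a query into (kind, text) tokens; lines starting with '--' are comments."""
    text = "\n".join(l for l in query.splitlines() if not l.strip().startswith("--"))
    tokens = []
    for m in TOKEN_RE.finditer(text):
        kind, value = m.lastgroup, m.group()
        if kind == "BAD":
            raise ValueError("unexpected character %r" % value)
        if kind == "STR":   # strings escape \ and " with a backslash, so unescape them
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        if kind == "NUM":   # numbers are compared as text, e.g. DstPort = 443
            kind = "STR"
        if kind:            # whitespace has no group; punctuation is its own token kind
            tokens.append((value if kind == "P" else kind, value))
    return tokens

def parse(tokens):
    """Recursive descent, lowest precedence first: OR < AND < ( ) < field operator value."""
    toks = list(tokens)
    def peek(kind, text=None):
        tok = toks[0] if toks else (None, None)
        return tok[0] == kind and (text is None or tok[1].upper() == text)
    def binop(keyword, operand):
        node = operand()
        while peek("WORD", keyword):
            toks.pop(0)
            node = (keyword, node, operand())
        return node
    def expr():
        return binop("OR", lambda: binop("AND", factor))
    def factor():
        if not peek("("):
            return condition()
        toks.pop(0)
        node = expr()
        assert toks.pop(0) == (")", ")"), "missing ')'"
        return node
    def condition():
        field = toks.pop(0)[1]
        words = []   # the operator is '=' / '!=' or a run of words: "Not In", "Is Not Empty", ...
        while peek("OP") or (peek("WORD") and not peek("WORD", "AND") and not peek("WORD", "OR")):
            words.append(toks.pop(0)[1])
        op = " ".join(words)
        if op.startswith("Is "):
            return ("COND", field, op, None)
        if peek("("):   # list value such as ("cmd.exe", "powershell.exe") or (80, 443)
            toks.pop(0)
            values = [t[1] for t in iter(lambda: toks.pop(0), (")", ")")) if t[0] == "STR"]
            return ("COND", field, op, values)
        return ("COND", field, op, toks.pop(0)[1])
    tree = expr()
    assert not toks, "unexpected token %r" % (toks[:1],)
    return tree

def evaluate(node, event):   # apply a parsed query to one event; a missing field is ""
    if node[0] in ("AND", "OR"):
        parts = [evaluate(node[1], event), evaluate(node[2], event)]
        return all(parts) if node[0] == "AND" else any(parts)
    actual = event.get(node[1])
    return OPS[node[2]]("" if actual is None else str(actual), node[3])

def run_query(query, events):   # parse once, return matching events in input order
    tree = parse(tokenize(query))
    return [e for e in events if evaluate(tree, e)]

SAMPLE_EVENTS = [  # constructed telemetry shaped like the field tables above, not real agent data
    {"EventType": "Process Creation", "AgentName": "WKS-001", "SrcProcName": "powershell.exe",
     "SrcProcParentName": "explorer.exe", "SrcProcCmdLine": "powershell.exe -NoP -W Hidden -EnC SQBFAFgA"},
    {"EventType": "IP Connect", "AgentName": "WKS-002", "SrcProcName": "update.exe", "DstIp": "203.0.113.10",
     "DstPort": 4444, "NetConnStatus": "SUCCESS", "SrcProcVerifiedStatus": "unsigned"},
    {"EventType": "DNS Resolved", "AgentName": "WKS-003", "SrcProcName": "svchost.exe",
     "DnsRequest": "4d5a90000300000004000000ffff0000b8000000.example.net"},
]
ENCODED_POWERSHELL = '''-- Encoded PowerShell commands (T1059.001), as listed on this page
EventType = "Process Creation" AND SrcProcName = "powershell.exe" AND (SrcProcCmdLine ContainsCIS "-enc" OR
 SrcProcCmdLine ContainsCIS "-encodedcommand" OR SrcProcCmdLine ContainsCIS "frombase64string")'''
DNS_EXFIL = r'''EventType = "DNS Resolved" AND DnsRequest RegExp "^[a-zA-Z0-9]{30,}\\."'''  # T1048, from this page
```

Strings follow the escaping used by the queries on this page, so `"\\."` reaches the regex engine as `\.`; `run_query(ENCODED_POWERSHELL, SAMPLE_EVENTS)` returns only the WKS-001 event.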


CONSOLE NAVIGATION

Accessing Deep Visibility

  1. Log in to SentinelOne Console
  2. Navigate to Visibility → Deep Visibility
  3. Select scope:
    • Account (all sites)
    • Specific Site
    • Specific Group
    • Specific Agent
  4. Set time range (default: last 24 hours)
  5. Enter query or use query builder

Query Builder Interface

┌─────────────────────────────────────────────────────────────────┐
│ Deep Visibility                                    [Time: 24h ▼]│
├─────────────────────────────────────────────────────────────────┤
│ Scope: Account ▼  |  Site: All ▼  |  Group: All ▼              │
├─────────────────────────────────────────────────────────────────┤
│ ┌─────────────────────────────────────────────────────────────┐ │
│ │ Query: EventType = "Process Creation" AND SrcProcName =    │ │
│ │        "powershell.exe"                                     │ │
│ └─────────────────────────────────────────────────────────────┘ │
│ [Run Query]  [Save to Watchlist]  [Create STAR Rule]           │
├─────────────────────────────────────────────────────────────────┤
│ Results: 1,234 events                                           │
│ ┌────────┬────────────┬────────────┬──────────────────────────┐ │
│ │ Time   │ Agent      │ Process    │ Command Line             │ │
│ ├────────┼────────────┼────────────┼──────────────────────────┤ │
│ │ 10:15  │ WKS-001    │ powershell │ powershell.exe -enc ...  │ │
│ │ 10:14  │ WKS-002    │ powershell │ powershell.exe -file ... │ │
│ └────────┴────────────┴────────────┴──────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘

Query Autocomplete

The console provides:

  • Field name suggestions
  • Operator suggestions
  • Value completion (for known values)
  • Syntax validation

THREAT HUNTING METHODOLOGY

Six-Step Hunting Process

┌─────────────────────────────────────────────────────────────────┐
│                    THREAT HUNTING WORKFLOW                       │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  1. HYPOTHESIS    →   2. DATA COLLECTION   →   3. ANALYSIS     │
│  "What am I           "Query Deep              "Review results  │
│   looking for?"        Visibility"              for anomalies"  │
│                                                                 │
│  4. INVESTIGATION →   5. RESPONSE          →   6. DOCUMENTATION│
│  "Pivot on             "Contain, remediate,    "Record findings │
│   findings"             improve defenses"       and queries"    │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

Hunting Approaches

1. IOC-Based Hunting

Search for known malicious indicators:

-- Search for known malicious hash
FileSha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
 
-- Search for known C2 domain
DnsRequest ContainsCIS "malicious-domain.com"
 
-- Search for known C2 IP
DstIp = "192.168.100.100"

2. TTP-Based Hunting

Search for attack techniques regardless of specific tools:

-- Hunt for encoded PowerShell (T1059.001)
EventType = "Process Creation" AND
SrcProcName = "powershell.exe" AND
SrcProcCmdLine ContainsCIS "-enc"
 
-- Hunt for credential dumping (T1003)
TgtProcName = "lsass.exe" AND
EventType = "Open Remote Process Handle"

3. Anomaly-Based Hunting

Search for unusual behavior patterns:

-- Unusual parent-child process relationship
SrcProcName = "excel.exe" AND
TgtProcName In ("cmd.exe", "powershell.exe", "wscript.exe")
 
-- Process running from unusual location
EventType = "Process Creation" AND
TgtProcImagePath ContainsCIS "\\Users\\" AND
TgtProcImagePath ContainsCIS "\\AppData\\" AND
TgtFileIsExecutable = "true"

4. Baseline Deviation Hunting

Compare current activity against known-good baselines:

-- New scheduled tasks (compare against baseline)
IndicatorName = "ScheduleTaskRegister" AND
SrcProcParentName Not In ("services.exe", "svchost.exe", "OfficeClickToRun.exe")
 
-- Unusual outbound connections
EventType = "IP Connect" AND
DstPort Not In (80, 443, 53, 123) AND
SrcProcName Not In ("chrome.exe", "firefox.exe", "msedge.exe")

MITRE ATT&CK HUNTING QUERIES

Initial Access (TA0001)

T1566.001 - Spearphishing Attachment

-- Office spawning suspicious child processes
(SrcProcName In ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe") AND
TgtProcName In ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe"))

T1566.002 - Spearphishing Link

-- Browser spawning suspicious processes
(SrcProcName In ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe") AND
TgtProcName In ("cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe"))

Execution (TA0002)

T1059.001 - PowerShell

-- Encoded PowerShell commands
EventType = "Process Creation" AND
SrcProcName = "powershell.exe" AND
(SrcProcCmdLine ContainsCIS "-enc" OR
 SrcProcCmdLine ContainsCIS "-encodedcommand" OR
 SrcProcCmdLine ContainsCIS "frombase64string")
 
-- PowerShell download cradles
EventType = "Process Creation" AND
SrcProcName = "powershell.exe" AND
(SrcProcCmdLine ContainsCIS "downloadstring" OR
 SrcProcCmdLine ContainsCIS "downloadfile" OR
 SrcProcCmdLine ContainsCIS "invoke-webrequest" OR
 SrcProcCmdLine ContainsCIS "wget" OR
 SrcProcCmdLine ContainsCIS "curl" OR
 SrcProcCmdLine ContainsCIS "iwr")
 
-- PowerShell executing from unusual locations
EventType = "Process Creation" AND
SrcProcName = "powershell.exe" AND
SrcProcImagePath Does Not ContainCIS "System32" AND
SrcProcImagePath Does Not ContainCIS "SysWOW64"

T1059.003 - Windows Command Shell

-- CMD with suspicious commands
EventType = "Process Creation" AND
TgtProcName = "cmd.exe" AND
(TgtProcCmdLine ContainsCIS "/c " OR TgtProcCmdLine ContainsCIS "/k ") AND
(TgtProcCmdLine In Contains Anycase ("whoami", "net user", "net localgroup",
 "systeminfo", "tasklist", "ipconfig", "netstat", "reg query"))

T1059.005 - Visual Basic Script

-- WScript/CScript execution
EventType = "Process Creation" AND
TgtProcName In ("wscript.exe", "cscript.exe") AND
(TgtProcCmdLine ContainsCIS ".vbs" OR TgtProcCmdLine ContainsCIS ".js")

T1047 - Windows Management Instrumentation

-- WMIC process creation
TgtProcName = "wmic.exe" AND
TgtProcCmdLine ContainsCIS "process call create"
 
-- WMIC remote execution
TgtProcName = "wmic.exe" AND
TgtProcCmdLine ContainsCIS "/node:"

T1053.005 - Scheduled Task

-- Schtasks creation
(TgtProcName = "schtasks.exe" AND TgtProcCmdLine ContainsCIS "/create") OR
(SrcProcCmdLine ContainsCIS "New-ScheduledTask" OR
 SrcProcCmdScript ContainsCIS "New-ScheduledTask")
 
-- Via Indicator
IndicatorName = "ScheduleTaskRegister" AND
SrcProcParentName Not In ("services.exe", "OfficeClickToRun.exe", "svchost.exe")

Persistence (TA0003)

T1547.001 - Registry Run Keys

-- Run key modifications
(RegistryKeyPath ContainsCIS "Windows\\CurrentVersion\\Run" AND
EventType In ("Registry Key Create", "Registry Value Create", "Registry Value Modified")) AND
SrcProcParentName Not In ("smss.exe", "svchost.exe", "SetupHost.exe", "msiexec.exe")
 
-- Startup folder file creation
FileFullName ContainsCIS "Programs\\Startup" AND
TgtFileExtension In Contains ("exe", "vbs", "bat", "cmd", "ps1", "lnk") AND
EventType = "File Creation"

T1053.005 - Scheduled Tasks (Persistence)

IndicatorName = "ScheduleTaskRegister" AND
SrcProcParentName Not In ("Integrator.exe", "OfficeClickToRun.exe", "services.exe",
"OneDriveSetup.exe", "Ccm32BitLauncher.exe", "WmiPrvSE.exe")

T1543.003 - Windows Service

-- Service creation via sc.exe
TgtProcName = "sc.exe" AND
TgtProcCmdLine Contains "binPath="
 
-- Service creation via PowerShell
SrcProcCmdLine ContainsCIS "New-Service" OR
SrcProcCmdScript ContainsCIS "New-Service"

T1505.003 - Web Shell

-- Web shell file creation
EventType = "File Creation" AND
FileFullName ContainsCIS "inetpub\\wwwroot" AND
TgtFileExtension In Contains Anycase ("jsp", "aspx", "php", "asp") AND
SrcProcName Not In ("explorer.exe", "msdeploy.exe", "w3wp.exe")

T1546.003 - WMI Event Subscription

SrcProcCmdLine ContainsCIS "New-CimInstance -Namespace root/subscription" OR
SrcProcCmdScript ContainsCIS "New-CimInstance -Namespace root/subscription" OR
SrcProcCmdLine ContainsCIS "__EventFilter" OR
SrcProcCmdLine ContainsCIS "CommandLineEventConsumer"

T1037.001 - Logon Scripts

SrcProcCmdLine ContainsCIS "UserInitMprLogonScript" OR
(RegistryKeyPath ContainsCIS "UserInitMprLogonScript" AND
 EventType = "Registry Value Create")

Privilege Escalation (TA0004)

T1548.002 - UAC Bypass

-- Common UAC bypass registry keys, or the CMSTPLUA COM interface bypass
(SrcProcCmdLine ContainsCIS "ms-settings\\shell\\open\\command" OR
 SrcProcCmdLine ContainsCIS "mscfile\\shell\\open\\command") OR
(TgtProcDisplayName = "COM Surrogate" AND
 TgtProcCmdLine ContainsCIS "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}")

T1134 - Access Token Manipulation

-- Token impersonation indicators
SrcProcCmdLine ContainsCIS "ImpersonateLoggedOnUser" OR
SrcProcCmdScript ContainsCIS "ImpersonateLoggedOnUser" OR
SrcProcCmdLine ContainsCIS "DuplicateTokenEx" OR
SrcProcCmdScript ContainsCIS "DuplicateTokenEx"

Defense Evasion (TA0005)

T1070.001 - Clear Windows Event Logs

-- Event log clearing
(TgtProcName = "wevtutil.exe" AND TgtProcCmdLine ContainsCIS "cl ") OR
((SrcProcCmdLine ContainsCIS "Clear-EventLog" OR
  SrcProcCmdScript ContainsCIS "Clear-EventLog") AND
 SrcProcParentName Not In ("WmiPrvSE.exe", "svchost.exe"))

T1562.001 - Disable Security Tools

-- Disable Defender
TgtProcCmdLine ContainsCIS "Set-MpPreference" AND
TgtProcCmdLine ContainsCIS "DisableRealtimeMonitoring"
 
-- Disable Sysmon
(TgtProcName = "fltmc.exe" AND TgtProcCmdLine ContainsCIS "unload SysmonDrv") OR
(TgtProcName = "sysmon.exe" AND TgtProcCmdLine ContainsCIS "-u")
 
-- AMSI bypass
(SrcProcCmdLine ContainsCIS "AmsiUtils" AND SrcProcCmdLine ContainsCIS "amsiInitFailed") OR
(SrcProcCmdScript ContainsCIS "AmsiUtils" AND SrcProcCmdScript ContainsCIS "amsiInitFailed")

T1562.004 - Disable System Firewall

-- Disable Windows Firewall
TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "state off"
 
-- Add firewall rules
TgtProcName = "netsh.exe" AND
TgtProcCmdLine ContainsCIS "add rule" AND
TgtProcCmdLine ContainsCIS "dir=in"

T1218.005 - Mshta

-- Mshta spawning processes or loading remote content
(SrcProcName = "mshta.exe" AND EventType = "Open Remote Process Handle") OR
(SrcProcName = "mshta.exe" AND
 SrcProcCmdLine RegExp "https?:\\/\\/(www\\.)?[-a-zA-Z0-9@:%._\\+~#=]{1,256}\\.[a-zA-Z0-9()]{1,6}\\b")

T1218.011 - Rundll32

-- Rundll32 with suspicious arguments
TgtProcName = "rundll32.exe" AND
(TgtProcCmdLine ContainsCIS "javascript:" OR
 TgtProcCmdLine ContainsCIS "vbscript:" OR
 TgtProcCmdLine ContainsCIS "shell32.dll,Control_RunDLL" OR
 TgtProcCmdLine ContainsCIS ",#")

T1055 - Process Injection

-- MavInject usage
TgtProcName = "mavinject.exe" AND
TgtProcCmdLine ContainsCIS "/injectrunning" AND
SrcProcName Not In ("AppVClient.exe") AND
SrcProcParentName Not In ("smss.exe")
 
-- Process hollowing indicators
SrcProcCmdScript ContainsCIS "Start-Hollow" OR
TgtProcCmdLine ContainsCIS "Start-Hollow"

T1197 - BITS Jobs

-- BITS download
((TgtProcName In Contains Anycase ("bitsadmin.exe", "desktopimgdownldr.exe") AND
  TgtProcCmdLine RegExp "https?:\\/\\/") OR
 (TgtProcName = "powershell.exe" AND TgtProcCmdLine ContainsCIS "Start-BitsTransfer")) AND
SrcProcParentName Not In ("services.exe", "smss.exe", "wininit.exe")

Credential Access (TA0006)

T1003.001 - LSASS Memory

-- LSASS access
TgtProcName = "lsass.exe" AND
EventType = "Open Remote Process Handle" AND
SrcProcName Not In ("svchost.exe", "lsm.exe", "wmiprvse.exe", "taskmgr.exe",
"procexp64.exe", "procexp.exe", "MsMpEng.exe")
 
-- Mimikatz indicators
TgtProcCmdLine In Contains Anycase ("sekurlsa::", "lsadump::", "kerberos::",
"privilege::debug", "token::elevate")

T1003.002 - SAM Database

-- SAM/SYSTEM registry access
(TgtProcCmdLine ContainsCIS "reg save" AND
 TgtProcCmdLine In Contains Anycase ("sam", "system", "security")) OR
(SrcProcCmdLine ContainsCIS "Copy-Item" AND
 SrcProcCmdLine ContainsCIS "config\\SAM")

T1558.003 - Kerberoasting

-- Kerberoast indicators
SrcProcCmdLine ContainsCIS "Invoke-Kerberoast" OR
SrcProcCmdScript ContainsCIS "Invoke-Kerberoast" OR
(TgtProcCmdLine ContainsCIS "setspn" AND TgtProcCmdLine ContainsCIS "-Q")

T1552.001 - Credentials in Files

-- Searching for credential files
(TgtProcCmdLine ContainsCIS "findstr" OR TgtProcCmdLine ContainsCIS "Select-String") AND
TgtProcCmdLine In Contains Anycase ("password", "credential", "secret", "apikey", "token")

Discovery (TA0007)

T1087 - Account Discovery

-- Local account enumeration
TgtProcCmdLine In Contains Anycase ("net user", "net localgroup", "Get-LocalUser",
"Get-LocalGroupMember", "whoami /all")
 
-- Domain account enumeration
TgtProcCmdLine In Contains Anycase ("net group /domain", "Get-ADUser", "Get-ADGroup",
"Get-ADGroupMember", "dsquery")

T1082 - System Information Discovery

TgtProcCmdLine In Contains Anycase ("systeminfo", "hostname", "Get-ComputerInfo",
"wmic computersystem get", "wmic os get")

T1083 - File and Directory Discovery

TgtProcCmdLine In Contains Anycase ("dir /s", "Get-ChildItem -Recurse", "tree /f",
"find / -name", "ls -laR") AND
TgtProcCmdLine In Contains Anycase ("password", "credential", "config", "backup")

T1135 - Network Share Discovery

TgtProcCmdLine In Contains Anycase ("net share", "net view", "Get-SmbShare",
"Get-WmiObject Win32_Share")

Lateral Movement (TA0008)

T1550.002/003 - Pass the Hash / Pass the Ticket

-- Mimikatz PTH/PTT
TgtProcCmdLine In Contains Anycase ("sekurlsa::pth", "/ntlm:", "kerberos::ptt")

T1563.002 - RDP Hijacking

-- RDP session hijacking
SrcProcName = "tscon.exe" AND SrcProcCmdLine ContainsCIS "/dest:"

T1021.001 - Remote Desktop Protocol

-- Scripted RDP credential storage
TgtProcName = "cmdkey.exe" AND
TgtProcCmdLine ContainsCIS "/generic:TERMSRV" AND
TgtProcCmdLine ContainsCIS "/user:" AND
TgtProcCmdLine ContainsCIS "/pass:"

T1021.002 - SMB/Windows Admin Shares

-- Net use and PSDrive mapping
TgtProcCmdLine ContainsCIS "New-PSDrive" OR
(TgtProcName = "net.exe" AND TgtProcCmdLine ContainsCIS "use ")

T1021.006 - Windows Remote Management

-- WinRM/WMIC/PsExec lateral movement
(TgtProcCmdLine ContainsCIS "MMC20.application" AND
 TgtProcCmdLine ContainsCIS "ExecuteShellCommand") OR
(TgtProcName = "wmic.exe" AND TgtProcCmdLine ContainsCIS "/node:" AND
 TgtProcCmdLine ContainsCIS "process call create") OR
((SrcProcName ContainsCIS "psexec.exe" OR
  SrcProcDisplayName = "Execute processes remotely") AND DstIp Is Not Empty)

Collection (TA0009)

T1560.001 - Archive via Utility

-- Data staging via archive
TgtProcName In ("7z.exe", "7za.exe", "rar.exe", "zip.exe", "tar.exe") OR
(TgtProcName = "powershell.exe" AND
 TgtProcCmdLine ContainsCIS "Compress-Archive")

T1113 - Screen Capture

SrcProcCmdLine ContainsCIS "[System.Windows.Forms.Screen]" OR
SrcProcCmdScript ContainsCIS "[System.Windows.Forms.Screen]" OR
SrcProcCmdLine ContainsCIS "CopyFromScreen"

Exfiltration (TA0010)

T1048 - Exfiltration Over Alternative Protocol

-- DNS exfiltration (long subdomains)
EventType = "DNS Resolved" AND
DnsRequest RegExp "^[a-zA-Z0-9]{30,}\\."
 
-- Exfil over ICMP
TgtProcName = "ping.exe" AND
TgtProcCmdLine ContainsCIS "-l" AND
TgtProcCmdLine RegExp "-l [0-9]{4,}"

T1567 - Exfiltration to Cloud Storage

-- Uploads to file sharing services
DnsRequest In Contains Anycase ("dropbox.com", "drive.google.com", "onedrive.live.com",
"mega.nz", "sendspace.com", "wetransfer.com", "file.io") AND
SrcProcName Not In ("OneDrive.exe", "Dropbox.exe", "googledrivesync.exe")

Command and Control (TA0011)

T1071.001 - Web Protocols

-- Suspicious HTTP/HTTPS connections
EventType = "IP Connect" AND
DstPort In (80, 443, 8080, 8443) AND
SrcProcName Not In ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
"outlook.exe", "teams.exe", "slack.exe") AND
SrcProcVerifiedStatus != "verified"

T1071.004 - DNS

-- Suspicious DNS queries (potential C2 or tunneling): long subdomain labels or suspicious TLDs
EventType = "DNS Resolved" AND
(DnsRequest RegExp "^[a-zA-Z0-9-]{20,}\\." OR
 DnsRequest RegExp "\\.(xyz|top|tk|ml|ga|cf|gq)$")

T1095 - Non-Application Layer Protocol

-- Connections on non-standard ports
EventType = "IP Connect" AND
DstPort Not In (20, 21, 22, 23, 25, 53, 80, 110, 123, 143, 443, 445, 993, 995,
3389, 5985, 5986) AND
NetConnStatus = "SUCCESS"

WATCHLISTS AND AUTOMATION

Creating Watchlists

Watchlists allow scheduled query execution with automatic alerting:

  1. Run your query in Deep Visibility
  2. Click Save to Watchlist
  3. Configure:
    • Name: Descriptive name
    • Description: Purpose and expected results
    • Schedule: Frequency (hourly, daily, weekly)
    • Notification: Email or console alert

Recommended Watchlists

| Watchlist Name | Query Focus | Schedule |
| --- | --- | --- |
| Encoded PowerShell | T1059.001 | Every 4 hours |
| LSASS Access | T1003.001 | Every hour |
| Scheduled Task Creation | T1053.005 | Every 4 hours |
| Event Log Clearing | T1070.001 | Every hour |
| Unusual Outbound Connections | T1071 | Daily |
| New Services Created | T1543.003 | Every 4 hours |
| Web Shell Detection | T1505.003 | Every hour |
| Lateral Movement Indicators | T1021 | Every 2 hours |

Converting to STAR Rules

High-confidence queries can become automated detection rules:

  1. Run query in Deep Visibility
  2. Click Create STAR Rule
  3. Configure rule:
    • Name: Detection rule name
    • Severity: Info/Low/Medium/High/Critical
    • MITRE Mapping: Select relevant technique
    • Response Actions: Alert, Kill, Quarantine, etc.
  4. Deploy to sites/groups

INVESTIGATION WORKFLOW

Using Storyline IDs

When you find suspicious activity, pivot to related events:

-- Find the Storyline ID from initial event
-- Then query all related events
StorylineId = "1234567890abcdef..."

Common Pivot Queries

-- From process to all child processes
SrcProcParentName = "suspicious.exe"
 
-- From file to creating process
FileFullName = "C:\\Users\\user\\malware.exe" AND EventType = "File Creation"
 
-- From network to process
DstIp = "192.168.100.100" AND EventType = "IP Connect"
 
-- From hash to all instances
FileSha256 = "abc123..."
 
-- From user to all activity
SrcProcUser ContainsCIS "compromised_user"
 
-- From endpoint to all events
AgentName = "INFECTED-PC"
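As an added example (not part of the original guide and not SentinelOne code), the pivot list above as Python: starting from one hunt hit, collect its Storyline, order it, and emit the follow-up queries for every indicator it contains, quoting each value with the backslash escaping that the path queries on this page use. The field names come from the reference tables; the events are constructed sample telemetry, the StorylineId values are placeholders, and EventTime is assumed to be ISO 8601 text so that sorting it gives time order.

```python
from collections import OrderedDict

def s1ql_string(value):
    """Quote a value for S1QL: backslashes and double quotes are escaped with a backslash."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'

def storyline_events(events, storyline_id):
    """Every event that shares one StorylineId, oldest first (EventTime is ISO 8601 text)."""
    story = [e for e in events if e.get("StorylineId") == storyline_id]
    return sorted(story, key=lambda e: e["EventTime"])

def pivot_from_hit(events, hit):
    """From a single hunt hit, return the whole Storyline it belongs to."""
    return storyline_events(events, hit["StorylineId"])

# Event field -> follow-up query template, mirroring the Common Pivot Queries list above.
# {v} is replaced with the quoted value; TgtProcName pivots to that process's own children.
PIVOTS = [
    ("FileSha256", 'FileSha256 = {v}'),
    ("FileFullName", 'FileFullName = {v} AND EventType = "File Creation"'),
    ("DstIp", 'DstIp = {v} AND EventType = "IP Connect"'),
    ("DnsRequest", 'DnsRequest ContainsCIS {v}'),
    ("TgtProcName", 'SrcProcParentName = {v}'),
    ("SrcProcUser", 'SrcProcUser ContainsCIS {v}'),
    ("AgentName", 'AgentName = {v}'),
]

def pivot_queries(story):
    """Deduplicated (field, value) -> S1QL query, for scoping the story across all endpoints."""
    queries = OrderedDict()
    for event in story:
        for field, template in PIVOTS:
            value = event.get(field)
            if value and (field, value) not in queries:
                queries[(field, value)] = template.format(v=s1ql_string(value))
    return queries

def timeline(story):
    """One line per event: time, event type, and the process responsible for it."""
    return ["%s  %-18s %s" % (e["EventTime"], e["EventType"], e.get("SrcProcName", "-")) for e in story]

SAMPLE_EVENTS = [  # constructed telemetry, deliberately out of order; S-1001/S-2002 are placeholder ids
    {"EventTime": "2026-02-11T10:15:21Z", "EventType": "IP Connect", "AgentName": "WKS-001",
     "SrcProcName": "update.exe", "DstIp": "203.0.113.10", "DstPort": 443, "StorylineId": "S-1001"},
    {"EventTime": "2026-02-11T10:15:02Z", "EventType": "Process Creation", "AgentName": "WKS-001",
     "SrcProcName": "winword.exe", "TgtProcName": "powershell.exe", "SrcProcUser": "CORP\\jdoe",
     "TgtProcCmdLine": "powershell.exe -enc SQBFAFgA", "StorylineId": "S-1001"},
    {"EventTime": "2026-02-11T10:15:20Z", "EventType": "DNS Resolved", "AgentName": "WKS-001",
     "SrcProcName": "update.exe", "DnsRequest": "cdn-update.example.net", "StorylineId": "S-1001"},
    {"EventTime": "2026-02-11T10:15:09Z", "EventType": "File Creation", "AgentName": "WKS-001",
     "SrcProcName": "powershell.exe", "FileFullName": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
     "FileSha256": "4f" * 32, "StorylineId": "S-1001"},   # constructed hash value, not a real IOC
    {"EventTime": "2026-02-11T10:15:10Z", "EventType": "DNS Resolved", "AgentName": "WKS-002",
     "SrcProcName": "svchost.exe", "DnsRequest": "time.windows.com", "StorylineId": "S-2002"},
]

if __name__ == "__main__":
    story = pivot_from_hit(SAMPLE_EVENTS, SAMPLE_EVENTS[1])   # seed: the Office-to-PowerShell hit
    print("\n".join(timeline(story)))
    for query in pivot_queries(story).values():
        print(query)
```

The unrelated WKS-002 event is excluded because it carries a different StorylineId, and the file-path query comes out as `FileFullName = "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe" AND EventType = "File Creation"`, matching the escaping of the pivot list above.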

Investigation Checklist

## Threat Investigation Checklist
 
Alert/Finding: _________________
Date/Time: _________________
Analyst: _________________
 
### Initial Triage
- [ ] Review alert details and severity
- [ ] Identify affected endpoint(s)
- [ ] Note initial IOCs (hash, IP, domain)
 
### Scope Assessment
- [ ] Search for IOCs across all endpoints
- [ ] Check for lateral movement indicators
- [ ] Identify affected users/accounts
- [ ] Determine data at risk
 
### Timeline Reconstruction
- [ ] Query Storyline for full context
- [ ] Document initial access vector
- [ ] Map attack progression
- [ ] Identify persistence mechanisms
 
### Evidence Collection
- [ ] Export relevant Deep Visibility data
- [ ] Fetch suspicious files for analysis
- [ ] Capture Remote Shell investigation
- [ ] Screenshot key findings
 
### Response Actions
- [ ] Isolate affected endpoints
- [ ] Kill malicious processes
- [ ] Quarantine malicious files
- [ ] Initiate rollback if needed
 
### Documentation
- [ ] Complete investigation notebook
- [ ] Create STAR rule for detection
- [ ] Update IOC list
- [ ] Prepare incident report

POWERSHELL API EXAMPLES

Query Deep Visibility via API

function Invoke-S1DeepVisibilityQuery {
    param(
        [Parameter(Mandatory=$true)]
        [string]$ApiToken,
 
        [Parameter(Mandatory=$true)]
        [string]$ConsoleUrl,
 
        [Parameter(Mandatory=$true)]
        [string]$Query,
 
        [string]$SiteId,
        # The format ends in a literal Z (UTC), so convert local time to UTC before formatting
        [string]$FromDate = (Get-Date).ToUniversalTime().AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ss.fffZ"),
        [string]$ToDate = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"),
        [int]$Limit = 1000
    )
 
    $headers = @{
        "Authorization" = "ApiToken $ApiToken"
        "Content-Type" = "application/json"
    }
 
    $body = @{
        query = $Query
        fromDate = $FromDate
        toDate = $ToDate
        limit = $Limit
    }
 
    if ($SiteId) {
        $body.siteIds = @($SiteId)
    }
 
    $bodyJson = $body | ConvertTo-Json
 
    try {
        $response = Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/dv/query" `
            -Method POST -Headers $headers -Body $bodyJson
 
        return $response.data
    }
    catch {
        Write-Error "Query failed: $($_.Exception.Message)"
        return $null
    }
}
 
# Example usage
$results = Invoke-S1DeepVisibilityQuery `
    -ApiToken "YOUR_API_TOKEN" `
    -ConsoleUrl "https://tenant.sentinelone.net" `
    -Query 'EventType = "Process Creation" AND SrcProcName = "powershell.exe" AND SrcProcCmdLine ContainsCIS "-enc"'
 
$results | Format-Table AgentName, SrcProcCmdLine -AutoSize

Scheduled Hunting Script

<#
.SYNOPSIS
    Automated threat hunting script for SentinelOne Deep Visibility
.DESCRIPTION
    Runs predefined hunting queries and exports results
#>
 
param(
    [Parameter(Mandatory=$true)]
    [string]$ApiToken,
 
    [Parameter(Mandatory=$true)]
    [string]$ConsoleUrl,
 
    [string]$OutputPath = "C:\ThreatHunting\Results"
)
 
$huntingQueries = @(
    @{
        Name = "Encoded_PowerShell"
        Query = 'EventType = "Process Creation" AND SrcProcName = "powershell.exe" AND SrcProcCmdLine ContainsCIS "-enc"'
        MITRE = "T1059.001"
    },
    @{
        Name = "LSASS_Access"
        Query = 'TgtProcName = "lsass.exe" AND EventType = "Open Remote Process Handle" AND SrcProcName Not In ("svchost.exe","lsm.exe","wmiprvse.exe")'
        MITRE = "T1003.001"
    },
    @{
        Name = "Scheduled_Task_Creation"
        Query = 'IndicatorName = "ScheduleTaskRegister" AND SrcProcParentName Not In ("services.exe","OfficeClickToRun.exe")'
        MITRE = "T1053.005"
    },
    @{
        Name = "Event_Log_Clearing"
        Query = '(TgtProcName = "wevtutil.exe" AND TgtProcCmdLine ContainsCIS "cl ") OR (SrcProcCmdLine ContainsCIS "Clear-EventLog")'
        MITRE = "T1070.001"
    },
    @{
        Name = "Web_Shell_Detection"
        Query = 'EventType = "File Creation" AND FileFullName ContainsCIS "inetpub\\wwwroot" AND TgtFileExtension In Contains Anycase ("jsp","aspx","php")'
        MITRE = "T1505.003"
    }
)
 
$headers = @{
    "Authorization" = "ApiToken $ApiToken"
    "Content-Type" = "application/json"
}
 
# Ensure output directory exists
New-Item -Path $OutputPath -ItemType Directory -Force | Out-Null
 
$timestamp = Get-Date -Format "yyyyMMdd-HHmmss"
$summaryResults = @()
 
foreach ($hunt in $huntingQueries) {
    Write-Host "Running hunt: $($hunt.Name) [$($hunt.MITRE)]" -ForegroundColor Cyan
 
    $body = @{
        query = $hunt.Query
        # The format ends in a literal Z (UTC), so convert local time to UTC before formatting
        fromDate = (Get-Date).ToUniversalTime().AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
        toDate = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
        limit = 10000
    } | ConvertTo-Json
 
    try {
        $response = Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/dv/query" `
            -Method POST -Headers $headers -Body $body
 
        # Wrap in @() so a single returned event still counts as 1 rather than unrolling
        $resultCount = @($response.data).Count
 
        $summaryResults += [PSCustomObject]@{
            Hunt = $hunt.Name
            MITRE = $hunt.MITRE
            Results = $resultCount
            Status = if ($resultCount -gt 0) { "FINDINGS" } else { "Clear" }
        }
 
        if ($resultCount -gt 0) {
            Write-Host "  [!] Found $resultCount results" -ForegroundColor Yellow
 
            # Export results
            $outputFile = Join-Path $OutputPath "$($hunt.Name)_$timestamp.csv"
            $response.data | Export-Csv -Path $outputFile -NoTypeInformation
            Write-Host "  [+] Exported to: $outputFile" -ForegroundColor Green
        }
        else {
            Write-Host "  [OK] No findings" -ForegroundColor Green
        }
    }
    catch {
        Write-Host "  [ERROR] Query failed: $($_.Exception.Message)" -ForegroundColor Red
        $summaryResults += [PSCustomObject]@{
            Hunt = $hunt.Name
            MITRE = $hunt.MITRE
            Results = -1
            Status = "ERROR"
        }
    }
 
    Start-Sleep -Seconds 2  # Rate limiting
}
 
# Display summary
Write-Host "`n=== Hunting Summary ===" -ForegroundColor Cyan
$summaryResults | Format-Table -AutoSize
 
# Export summary
$summaryFile = Join-Path $OutputPath "HuntingSummary_$timestamp.csv"
$summaryResults | Export-Csv -Path $summaryFile -NoTypeInformation
Write-Host "Summary exported to: $summaryFile"
 
# Alert on findings
$findings = $summaryResults | Where-Object { $_.Status -eq "FINDINGS" }
if ($findings) {
    Write-Host "`n[ALERT] $(@($findings).Count) hunts returned findings - review required!" -ForegroundColor Red
}

TROUBLESHOOTING

Common Query Issues

Issue: Query returns no results

  • Verify time range covers expected activity
  • Check query syntax (case sensitivity matters for some fields)
  • Confirm Deep Visibility is enabled on target endpoints
  • Verify endpoint agents are connected

Issue: Query returns too many results

  • Add filters to narrow scope (SrcProcParentName Not In, etc.)
  • Filter by specific site or group
  • Reduce time range
  • Add exclusions for known-good activity

Issue: Query timeout

  • Reduce time range
  • Add more specific filters
  • Query specific site instead of account-wide
  • Use API with pagination for large result sets

Performance Tips

  1. Start narrow, expand later - Begin with specific agent or short time range
  2. Use indexed fields - EventType, ProcessName are optimized
  3. Avoid wildcards at start - Contains "abc" is faster than RegExp ".*abc.*"
  4. Filter early - Put most restrictive conditions first
  5. Use Watchlists - Schedule recurring queries during off-hours

RELATED DOCUMENTATION

  • HOWTO: SentinelOne Control vs Complete Feature Comparison
  • HOWTO: SentinelOne MSP Client Onboarding
  • HOWTO: SentinelOne Threat Investigation Workflow
  • HOWTO: SentinelOne STAR Custom Detection Rules (planned)

SOURCES

  • SentinelOne Deep Visibility Datasheet
  • Rapid Threat Hunting with Storylines
  • SentinelOne-ATTACK-Queries (GitHub)
  • S1QL-Queries (SentinelLabs)
  • SentinelOne Queries Repository
  • SOC Team Power Up Tips
  • MITRE ATT&CK Framework

REVISION HISTORY

| Version | Date | Author | Changes |
| --- | --- | --- | --- |
| 1.0 | 2026-01-08 | CosmicBytez | Initial creation |
