Hunt Lab Overview
Hunt Lab is SenseOn’s advanced query interface that enables security teams to analyse raw telemetry using flexible SQL-based queries. It supports deep investigations, proactive threat hunting, IT hygiene checks, and compliance reporting, all within the SenseOn platform.
Whether you’re responding to an incident or conducting routine threat hunts, Hunt Lab gives you direct access to the data you need.
What You Can Do with Hunt Lab
- Investigate threats and anomalies using custom queries
- Hunt for indicators of compromise (IOCs) and emerging patterns
- Audit endpoint configurations and software versions
- Validate compliance with internal policies and external frameworks
Key Features
1. SQL Query Interface
Use SQL to query raw telemetry data collected by SenseOn:
- Write custom queries using the built-in editor (powered by Monaco Editor, the same editor used in VS Code)
- Reference tables and columns via the schema guide
- Filter by host, timestamp, event type, and more
- Syntax highlighting, bracket matching, and keyboard shortcuts are supported throughout
2. Query Execution Modes
Hunt Lab supports three execution modes depending on your data source and performance requirements:
| Mode | When to use |
|---|---|
| Standard query | General-purpose queries against the SenseOn telemetry store (ClickHouse). Results are returned asynchronously: the platform queues the query and returns results when complete. |
| Synchronous query | Use when you need results immediately and your query is expected to return quickly. The request blocks until the result is ready. Suitable for small, targeted lookups. |
| MySQL query | Use to query data sources backed by MySQL rather than ClickHouse. Available for specific data sets only; check the schema guide to confirm which tables use this mode. |
Query queuing: Standard queries are placed in a queue when the platform is under heavy load. You can see queue position and estimated wait time in the query status bar.
3. CHSQL Query Language
Hunt Lab uses CHSQL, a SQL dialect built on ClickHouse SQL with SenseOn-specific extensions. Key points:
- CHSQL queries are read-only. No INSERT, UPDATE, or DELETE operations are permitted.
- The CHSQL parser validates your query before submission and will highlight syntax errors inline in the editor.
- Date and time functions follow ClickHouse conventions. See the Hunt Lab Training series for examples.
- Use toDateTime() and toDate() for timestamp comparisons rather than string literals.
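As an added example (not from SenseOn's documentation or Hunt Lab's query library), a ClickHouse-style query that applies the timestamp guidance above to a simple threat hunt for PowerShell process starts. The table process_events and its columns are hypothetical placeholders, not SenseOn's real schema; use the schema guide for the actual names.

```sql
-- Added example. Table and column names (process_events, hostname,
-- process_name, command_line, event_time) are hypothetical placeholders,
-- not SenseOn's real schema. CHSQL is read-only, so only SELECT is used.

-- Avoid comparing a DateTime column to a bare string literal: the
-- comparison relies on implicit conversion and silently breaks if the
-- literal's format does not match.
--   WHERE event_time > '2024-05-01 00:00:00'

-- Rolling window: PowerShell process starts per host in the last 24 hours,
-- with both sides of the comparison kept as DateTime values.
SELECT
    hostname,
    toDate(event_time)  AS event_day,
    count()             AS powershell_starts,
    min(event_time)     AS first_seen,
    max(event_time)     AS last_seen
FROM process_events
WHERE event_time >= now() - INTERVAL 24 HOUR
  AND lower(process_name) IN ('powershell.exe', 'pwsh.exe')
GROUP BY hostname, event_day
ORDER BY powershell_starts DESC
LIMIT 50;

-- Fixed window for an investigation: toDateTime() turns the literals
-- into DateTime values so the range check is explicit and unambiguous.
SELECT hostname, process_name, command_line, event_time
FROM process_events
WHERE event_time BETWEEN toDateTime('2024-05-01 00:00:00')
                     AND toDateTime('2024-05-02 00:00:00')
  AND lower(process_name) IN ('powershell.exe', 'pwsh.exe')
ORDER BY event_time
LIMIT 100;
```

Both queries use standard ClickHouse functions (toDate, toDateTime, now, INTERVAL, count, lower), so they should parse under CHSQL once the placeholder names are replaced with real tables from the schema guide.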
4. Pre-Built Query Library
Quickly get started with templates for:
- Investigations: Pivot from known suspicious behaviour
- Threat Hunting: Scan for common TTPs or anomalies
- IT Hygiene: Identify outdated software, missing patches, or protocol misuse
- GRC: Check control coverage and monitor regulatory adherence
5. Hunter: AI query assistant
Hunt Lab's AI chat is powered by Hunter, one of the specialist agents coordinated by Horus, SenseOn's AI orchestrator. Hunter hunts across your telemetry and helps you build queries so you can move from a question to results without memorising the schema.
Hunter can:
- Write CHSQL from a plain-language request: describe what you want to find and Hunter drafts the query.
- Debug and explain queries: paste a query that isn't returning what you expect and Hunter explains the issue or rewrites it.
- Suggest tables and columns: point you to the right telemetry tables for your investigation.
- Interpret results: summarise what a result set is telling you and suggest follow-up pivots.
How to access: open Hunt Lab and start a conversation in the in-product chat. Hunter understands the query you are working on, so you can ask follow-up questions in context.
Example prompts:
- "Show me PowerShell processes that spawned a network connection in the last 24 hours."
- "Why is this query returning no rows?"
- "Which table has DNS request telemetry?"
Hunter is not the human support chat. For help from the SenseOn SOC team, use the support chat described in Support. That connects you to a person, not the AI assistant.
6. Structured Output
Query results are returned in an easy-to-read table:
- View directly in the platform
- Export to CSV for sharing, archiving, or reporting