Skip to content

Hunt Lab - Training for SenseOn Platform users

Hunt Lab is SenseOn’s advanced query interface that enables security teams to analyse raw telemetry using flexible SQL-based queries. It supports deep investigations, proactive threat hunting, IT hygiene checks, and compliance reporting—all within the SenseOn platform.

Whether you’re responding to an incident or conducting routine threat hunts, Hunt Lab gives you direct access to the data you need.

This training is designed familiarise you with Hunt Lab and SQL, and help you write and use threat hunting queries.

Objectives

  • Test your knowledge and skills with different types of queries, progressively increasing in difficulty
  • Understand different operators and properly structuring queries.
  • Identify areas where you are having issues understanding or using certain functions
  • Learn about the Schema used by SenseOn
  • Learn how to adjust queries to make them more efficient
  • Grow confidence with more advanced SQL concepts, like Joins and Arrays
  • Achieve a knowledge base where self directed learning and query experimentation becomes easier

Handy Resources

Exercises

Part 1. Basic Query Structure

References:

The basic structure of all queries requires a SELECT statement to specify which columns you want the query to return, followed by a FROM statement, which specifies which table you want to get the data from.

Some queries also contain a WHERE clause, where you specify what values within the columns you want to return, along with operators. There are a vast number of different possibilities and operators that can be used.

In practice, all queries should have a LIMIT clause at the end, which specifies the maximum amount of records that will be returned. The default maximum without this is 10,000. This is far too many in nearly all situations as it’s extremely time consuming to manually check each row. Not specifying a LIMIT can often cause a query to use too much memory and will consequently fail.

1a. Selecting

We first use SELECT, FROM, WHERE, and LIMIT (in this order) to formulate our basic query.

HINTS: - Using a '*' after the SELECT clause will return all columns in the table. * You can use _time_observed >= toUnixTimestamp(subtractHours(now(), 24)) * 1000 to limit queries to the past 24 hours.

SELECT * FROM table_name WHERE * _time_observed >= toUnixTimestamp(subtractHours(now(), 24)) * 1000 LIMIT 1000

Write a query which returns 500 results, for all columns in from the endpoint_process table

Answer 
SELECT *
FROM endpoint_process
WHERE _time_observed >= toUnixTimestamp(subtractHours(now(), 24)) * 1000
LIMIT 500

Now refine that query. Modify it, so that it now only returns the _time_observed, _hostname, name, parent_name, and path columns.

Answer 
SELECT _time_observed, _hostname, name, parent_name, path
FROM endpoint_process
WHERE _time_observed >= toUnixTimestamp(subtractHours(now(), 24)) * 1000
LIMIT 500

1b. Ordering and returning unique values

To specify how the returned data should be ordered in a column, use ORDER BY before the LIMIT clause. You can also specify direction (asc or desc) after the column name.

SELECT *
FROM table_name
WHERE * _time_observed >= toUnixTimestamp(subtractHours(now(), 24)) * 1000
ORDER BY column_name desc # ORDER BY, add column name and direction
LIMIT 1000

Write a query that lists the host, name, path, and permissions of Chrome extensions. Limit it to 500 results, ordered by name

Hint: to find which Table might be most useful, use the right-hand Table Reference panel in Hunt Lab.

Hint - which table to use By searching 'Chrome' in Table Reference we can see the following table would be useful here: 
endpoint_chrome_extension
Answer It's handy to first 'get to know' the table, using a simple query to display everything: 
SELECT *
FROM endpoint_chrome_extension
LIMIT 10
We then build up the query, returning only the columns we want, in the order we want, limited to 500 results 
SELECT _hostname, _platform, name, path, permissions
FROM endpoint_chrome_extension
LIMIT 500
You could also add in columns platform and profile to this query, which return some more information which could be of interest.

You might have noticed there's lots of duplicate entries in the output from this query. This is because SELECT gets all entries. We can refine this by using distinct - which will return each unique value only once (regardless of how often it's in the table).

Using distinct, alter your Chrome Extensions query to show only unique values.

Answer Tip: After using 'distinct' you may now have fewer than 500 values returned. 
SELECT distinct _hostname, _platform, name, path, permissions
FROM endpoint_chrome_extension
LIMIT 500

1c. Renaming columns

We can use as to return more 'friendly' column names. We use this after the column names, enclosing the friendly name in "".

For example we could name the 'bruce_wayne' column to 'batman' using select bruce_wayne AS "Batman"

Now use as to name column _hostname into friendly name Device Hostname

Answer 
SELECT distinct _hostname as "Device Hostname", _platform, name, path, permissions
FROM endpoint_chrome_extension
LIMIT 500

Now, use friendly names for the other columns, and simplify the query so that it gives us a list of extensions and their permissions only - i.e. a list of all Chrome Extensions in use

Answer 
SELECT distinct name as "Extension Name", permissions as "Permissions Granted"
FROM endpoint_chrome_extension
LIMIT 500

Part 2. Basic Query Structure

(coming soon)