
Meet the CE SentinelOne Assistant — I Built It for Myself, But You Can Try It Too

  • 3 hours ago
  • 7 min read

CE S1 Assistant


So, Why Did I Build This?

Let me be real with you — I built this tool for myself. That’s it. No grand master plan, no startup pitch deck. Just a guy who got tired of the same problem every single time he opened SentinelOne Deep Visibility.


If you’ve ever used Deep Visibility, you know exactly what I’m talking about. You get an alert, you need to hunt across your endpoints fast, and you open that query box... and then you’re sitting there trying to remember the exact field name. Is it src.process.name or dns? Does the operator use contains or matches? One wrong character and your query returns absolutely nothing.


S1QL — SentinelOne’s query language — is powerful. Really powerful. But it’s also very specific. It takes months to get comfortable with the syntax, and even then you’re constantly checking the documentation for edge cases. I’d find myself spending more time formatting the query than actually thinking about the threat.


So I thought:

what if I could just describe what I’m looking for in plain English and get a production-ready query back? No syntax memorisation. No documentation diving. Just say what you need and get a query you can copy straight into the console.

That’s the CE S1 Assistant. That’s why it exists.

-------------------------------------------------------------------------------------------------------------

What Is It, Exactly?

The CE S1 Assistant is a web-based tool that lives at https://s1copilot.onrender.com/.

It does one job and it does it well: it helps security analysts write better SentinelOne Deep Visibility queries, faster.


It has three main modes for generating queries:

1. Natural Language to S1QL — You type what you want in plain English. The tool gives you a working S1QL query. Done.

2. Threat URL to IOC Hunt Query — You paste a threat intelligence article URL. The tool reads the entire article, pulls out every IOC it can find, and builds a multi-layered detection query automatically.

3. Direct IOC Input — You paste hashes, IPs, or domains directly. You get an exact-match detection query back.


On top of query generation, the tool also has a live threat intelligence dashboard that pulls from eight industry feeds — so you have context before you even start hunting. But let me walk you through each feature properly.



-------------------------------------------------------------------------------------------------------------

The Natural Language Query Generator

This is the main event. The feature I use the most, and honestly the reason the whole tool exists.

You type something like:

“show me all unsigned processes that ran from AppData in the last hour” 

and the tool generates a complete, valid PowerQuery with the correct field names, operators, filters, and output columns.


Or maybe you’re thinking bigger:

“find ransomware behaviour on Windows endpoints”.

Akira ransomware detection with behavior

It handles that too. It knows what behaviours typically indicate ransomware — file encryption patterns, shadow copy deletion, ransom note creation — and builds a query that covers those angles.


What makes this actually reliable and not just a party trick is that it’s built on a deep knowledge base of SentinelOne’s exact field schema — over 80 validated field names.

It knows S1QL-specific operators. It understands platform differences (Windows paths vs macOS paths vs Linux paths). And it avoids the common PowerQuery pitfalls that trip people up.


You can also throw IOCs into the natural language input — it’ll combine them with your behavioural description and give you a single query that covers everything. Super useful when you have partial intelligence and a hunch.
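Whatever generates the query, a model included, the thing worth checking before you paste into the console is whether every field it used actually exists in the schema and whether the literals and brackets are closed. Here is that post-generation check as an added, stand-alone example; it is not the CE S1 Assistant's own validator. KNOWN_FIELDS is a short assumed subset in PowerQuery style, not the real schema, and the two sample queries are constructed for the demonstration.

```python
"""Check a generated query against a known field schema before it goes into the console.

Added example, not the CE S1 Assistant's validator. KNOWN_FIELDS is a short ASSUMED
subset written in PowerQuery style; swap in your tenant's real field list.
"""
import difflib
import re

KNOWN_FIELDS = {
    "event.type", "event.time", "endpoint.name", "endpoint.os",
    "src.process.name", "src.process.cmdline", "src.process.user",
    "src.process.image.path", "src.process.image.sha256", "src.process.signedStatus",
    "src.process.parent.name", "tgt.file.path", "tgt.file.sha256",
    "dst.ip.address", "dst.port.number", "event.dns.request", "url.address",
}

# String literals (double or single quoted, with backslash escapes) and dotted field names.
_STRING = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'')
_FIELD = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)+\b")


def validate_query(query: str, known_fields=KNOWN_FIELDS) -> dict:
    """Return {"ok", "problems", "unknown_fields"}; unknown fields carry a closest-match hint."""
    problems = []
    # Blank out literals first so a value like "evil.example" is not mistaken for a field.
    stripped = _STRING.sub("STR", query)
    if '"' in stripped or "'" in stripped:
        problems.append("unterminated string literal")
    if stripped.count("(") != stripped.count(")"):
        problems.append("unbalanced parentheses")
    unknown = []
    choices = sorted(known_fields)
    for name in dict.fromkeys(m.group(0) for m in _FIELD.finditer(stripped)):
        if name not in known_fields:
            # Typos and wrong case are the usual failures; offer the nearest real field.
            hint = difflib.get_close_matches(name, choices, n=1, cutoff=0.6)
            unknown.append((name, hint[0] if hint else None))
    return {"ok": not problems and not unknown, "problems": problems, "unknown_fields": unknown}


# Constructed queries: the first uses only known fields; the second has a typo,
# a wrong-case field and an unclosed string, the mistakes generated queries tend to contain.
GOOD_QUERY = ('event.type = "Process Creation" and src.process.signedStatus != "signed" '
              'and src.process.image.path contains "\\\\AppData\\\\"')
BAD_QUERY = ('event.type = "Process Creation" and src.proces.name contains "powershell" '
             'and src.process.cmdLine contains "-enc')

if __name__ == "__main__":
    for q in (GOOD_QUERY, BAD_QUERY):
        print(validate_query(q))
```

Run it on a query before pasting and anything in `unknown_fields` is a field name the console will reject (with the closest real one next to it); the `problems` list catches the unclosed quote that otherwise produces the silent empty result set mentioned above.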


-------------------------------------------------------------------------------------------------------------


Threat URL to IOC Hunt Query

This is the feature that I’m honestly most proud of, and I think it’s what sets this tool apart from anything else out there.

Here’s the scenario.

A new threat report drops — maybe from CISA, maybe from a vendor blog, maybe from a researcher on Twitter. You read through it, you manually copy the IOCs into a spreadsheet, you format them into S1QL queries, you double-check the syntax... and 45 minutes later you finally have something you can run.


With the CE S1 Assistant, you just paste the URL. That’s it.

The tool fetches the article, reads every section including tables, code blocks, appendices, and footnotes, and extracts every confirmed IOC it can find:

  • SHA256, SHA1 and MD5 hashes

  • IP addresses (C2 servers, download servers)

  • Domains and URLs

  • Malware-specific file paths

  • Process names and command-line patterns

  • Registry keys used for Windows persistence


Then it builds a multi-layered IOC hunt query covering all detection angles: process hashes, file hashes, network connections, DNS requests, URL access, file path creation, and command line execution. Each block is commented so you know exactly what each section is catching.
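To make the extract-then-build step concrete, here is an added, stand-alone example of it; this is not the CE S1 Assistant's code. It refangs the usual `hxxp` and `[.]` conventions, pulls hashes, IPs, URLs, domains, Windows paths and registry keys out of the text, drops RFC 1918 pivots and file names that look like domains, and emits one query with a commented block per detection angle. The field names and the `field in (...)` / `//` comment syntax are assumptions written in PowerQuery style, and the sample report text is constructed; verify both against your own console before running anything.

```python
"""Extract IOCs from threat-report text and build a commented, multi-block hunt query.

Added stand-alone example of the extract-then-build step the post describes; NOT the
CE S1 Assistant's code. Field names and the `field in (...)` / `//` comment syntax are
ASSUMPTIONS in PowerQuery style: check them against your console's schema first.
"""
import ipaddress
import re

# File extensions the domain regex would otherwise mistake for top-level domains.
_NOT_TLDS = {"exe", "dll", "ps1", "bat", "cmd", "vbs", "js", "py", "sh", "txt", "log", "zip",
             "rar", "pdf", "doc", "docx", "xls", "lnk", "bin", "dat", "tmp", "php", "html",
             "htm", "asp", "aspx", "jsp"}

_PATTERNS = {
    "sha256":   re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "sha1":     re.compile(r"\b[a-f0-9]{40}\b", re.I),
    "md5":      re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "ip":       re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url":      re.compile(r"\bhttps?://[^\s\"'<>)\]]+", re.I),
    "domain":   re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}\b", re.I),
    "path":     re.compile(r"\b[A-Za-z]:\\(?:[^\\\s\"'<>|]+\\)*[^\\\s\"'<>|]+"),
    "registry": re.compile(r"\b(?:HKLM|HKCU|HKU|HKEY_[A-Z_]+)\\[^\s\"'<>]+", re.I),
}

# Non-routable space to discard. RFC 5737 documentation ranges are deliberately left in
# so the constructed sample below survives; use ip.is_global in production.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]


def refang(text: str) -> str:
    """Undo the defanging conventions reports use: hxxp, [.], (.), [dot], [:]."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]|\(dot\)", ".", text, flags=re.I)
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return re.sub(r"\[:\]", ":", text)


def _routable(ip_text: str) -> bool:
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in _INTERNAL)


def extract_iocs(report: str) -> dict:
    """Return {kind: [unique indicators, first-seen order]} for the raw report text."""
    text = refang(report)
    found = {}
    for kind, rx in _PATTERNS.items():
        hits = []
        for m in rx.finditer(text):
            value = m.group(0)
            if kind in ("sha256", "sha1", "md5", "domain"):
                value = value.lower()
            if kind == "ip" and not _routable(value):
                continue                      # drop RFC 1918 pivots, loopback, etc.
            if kind == "domain" and value.rsplit(".", 1)[-1] in _NOT_TLDS:
                continue                      # "svchost.exe" is a file, not a domain
            hits.append(value.rstrip(".,;") if kind == "url" else value)
        found[kind] = list(dict.fromkeys(hits))
    # Process names fall out of the Windows paths that end in .exe
    found["process"] = list(dict.fromkeys(
        p.rsplit("\\", 1)[-1] for p in found["path"] if p.lower().endswith(".exe")))
    return found


# (comment, [(assumed field name, ioc kind), ...]): one commented block per angle
_BLOCKS = [
    ("process image hashes", [("src.process.image.sha256", "sha256"),
                              ("src.process.image.sha1", "sha1"), ("src.process.image.md5", "md5")]),
    ("file hashes", [("tgt.file.sha256", "sha256"), ("tgt.file.sha1", "sha1"), ("tgt.file.md5", "md5")]),
    ("network connections to C2 / download IPs", [("dst.ip.address", "ip")]),
    ("DNS requests", [("event.dns.request", "domain")]),
    ("URL access", [("url.address", "url")]),
    ("file path creation", [("tgt.file.path", "path")]),
    ("process names", [("src.process.name", "process")]),
    ("registry persistence", [("registry.keyPath", "registry")]),
]


def _quote(value: str) -> str:
    # Assumes S1QL-style literals where backslashes and quotes are backslash-escaped.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_hunt_query(iocs: dict) -> str:
    """Emit one query: blocks are or-ed together and each starts with a // comment."""
    blocks = []
    for comment, fields in _BLOCKS:
        clauses = [f"{field} in ({', '.join(_quote(v) for v in iocs[kind])})"
                   for field, kind in fields if iocs.get(kind)]
        if clauses:
            blocks.append(f"// {comment}\n" + "\n  or ".join(clauses))
    return "\nor\n".join(blocks)


def block_count(query: str) -> int:
    return sum(1 for line in query.splitlines() if line.startswith("//"))


# Constructed sample text in the style of a vendor write-up (not a real report).
SAMPLE_REPORT = """\
Payload SHA256: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Loader SHA1: ffeeddccbbaa99887766554433221100ffeeddcc  Dropper MD5: 00112233445566778899aabbccddeeff
C2 at 203[.]0[.]113[.]10 and 198.51.100.7 (pivoted internally via 10.0.0.5).
Beacons to hxxps://update[.]evil-cdn[.]example/gate.php and rat[.]evil-cdn[.]example
Drops C:\\Users\\Public\\svc_update.exe and persists via
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svcupd
"""

if __name__ == "__main__":
    print(build_hunt_query(extract_iocs(SAMPLE_REPORT)))
```

Two design points matter more than the regexes: refang before you match (otherwise every `[.]` indicator is silently missed) and filter what you found (the internal pivot IP and the `.exe` file name would both become noisy, useless clauses if left in).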



I tested it against the SparkRAT threat intelligence report from hunt.io, and the results were impressive — it correctly extracted 3 SHA256 hashes, 4 C2 IPs, 18 C2 domains, 6 malware-specific file paths, 4 process names, and 2 command line IOCs.


It built a production-ready 7-block detection query with zero manual input from me.


-------------------------------------------------------------------------------------------------------------


The Threat Intelligence Dashboard

Before you hunt, you need context. What’s active right now? What CVEs are being exploited in the wild? What C2 infrastructure is live?


The CE S1 Assistant pulls live threat intelligence from eight industry sources and surfaces it right in the dashboard:

  • CISA KEV for known exploited vulnerabilities,

  • AlienVault OTX for community threat reports,

  • MalwareBazaar for malware samples,

  • ThreatFox for IOCs from active threat actors,

  • Feodo Tracker for botnet C2 infrastructure,

  • URLhaus for malicious URLs,

  • MITRE ATT&CK for technique mapping,

  • IPsum + C2-Tracker for high-confidence malicious IPs.

All feeds sync automatically every 24 hours, and you can trigger a manual sync any time.

The part I really like is that every threat entry in the dashboard has a one-click “Generate Query” button — so you see a threat, you click the button, and you’ve got a hunt query ready to go.

I’m adding more feeds and working on integrating my own intelligence so I can connect it all together.

-------------------------------------------------------------------------------------------------------------


The Query Library — 70 Prebuilt Queries

Not every hunt starts from scratch. Sometimes you just need a solid starting point — a known-good query for a common scenario that you can tweak for your environment.

The Query Library has 70 curated, validated S1QL queries covering the most common threat hunting scenarios across all major platforms.

Windows stuff like credential access, lateral movement, and privilege escalation. macOS persistence via LaunchAgents, TCC bypass, keychain access. Linux cron persistence, reverse shells, rootkit indicators. Defence evasion techniques like PowerShell abuse, LOLBins, AMSI bypass. And exfiltration patterns like DNS exfil, cloud upload detection, and C2 beaconing.

Every query is categorised, tagged, and ready to copy.

If you’re just getting started with threat hunting in SentinelOne, this library alone will save you weeks.


-------------------------------------------------------------------------------------------------------------

Custom Rule Generator (STAR Rules)

Beyond ad-hoc hunting, SentinelOne has STAR rules: detection rules that run continuously and trigger responses in the console. You can also use them for hunting. They use a different syntax from PowerQuery, which means you need to learn yet another format.


You can give IOCs directly to the CE S1 Assistant and it will create a custom rule, or you can use the same output for Deep Visibility hunting. Your choice.


-------------------------------------------------------------------------------------------------------------

Query History

Every query you generate gets saved to the history log with full context — the original input, the generated query, MITRE ATT&CK technique tags, severity rating, token usage, and estimated cost. You can review, copy, and reuse past queries without regenerating them. It’s one of those features that sounds small until you’ve been using the tool for a week and you’re constantly going back to previous queries.


-------------------------------------------------------------------------------------------------------------

Who Is This For?

Like I said — I built this for myself first. Every time I needed to write a query I ended up digging through documentation to find the right field format. Now I just describe what I want and get a query back.


But if you’re any of these people, it’ll probably help you too:

Experienced threat hunters — You know exactly what you’re looking for, but S1QL syntax slows you down. This lets you hunt at the speed of thought.

Junior SOC analysts — You understand threats conceptually, but you haven’t had time to master S1QL yet. Now you can generate queries on day one and learn from the output.

Incident responders — A new threat report drops and you need a detection query in minutes, not hours. Paste the URL, get the query, start hunting.


-------------------------------------------------------------------------------------------------------------

What’s Coming Next

I’m working on a query feedback system so analysts can report issues directly and I can fix things from the backend. There’s also a syntax validator in the works that will check query structure before you paste into SentinelOne. And I’m planning multi-instance sync so you can share query history and threat intel across deployments.

I’ve got a lot of ideas. It’s going to keep getting better.

 

-------------------------------------------------------------------------------------------------------------

Want to Try It?

The tool does have running costs, so I’m not leaving it wide open — but if you want to test it, just ping me on LinkedIn.

I’ll create an account for you so you can give it a spin. I’ve got a lot of friends who use SentinelOne, and anyone who wants to try it is welcome. No catch, no sales pitch.

I just want feedback from real analysts who use S1 every day.
The tool is live at: https://s1copilot.onrender.com/

 

-------------------------------------------------------------------------------------------------------------

About Cyberengage

So why name Cyberengage?

Honestly, it’s because of my website. I was solving a problem for myself and figured other people might find it useful too.


Cyberengage is my platform for practical knowledge. Not theoretical. Not 200-page whitepapers. Actual information anyone can use to get started with security today.

The CE S1 Assistant is my first major project.

If you want to follow along, check out https://www.cyberengage.org/. And if you have ideas for tools you wish existed, I’m always listening.

--------------------------------------------------Dean-----------------------------------------------


Look, I'm not going to pretend this tool is perfect — no tool is. But I've worked hard to get it as close as possible. You might get false positives or queries that need tweaking. That's normal. You narrow those down, adjust the filters, and you're good. The goal was never to replace your judgment — it's to save you the 20 minutes you'd spend fighting syntax so you can focus on the actual hunt.

 

 
 
 

© 2023 by Cyberengage. All rights reserved.
