{"id":30893670,"url":"https://github.com/lascc/sentinelone-userscript","last_synced_at":"2026-05-27T17:00:38.793Z","repository":{"id":313054084,"uuid":"1029241345","full_name":"LasCC/SentinelOne-Userscript","owner":"LasCC","description":"A userscript that enhances the SentinelOne PowerQuery interface with a custom threat hunting button that follow the website UI / UX design interface.","archived":false,"fork":false,"pushed_at":"2026-05-20T15:24:33.000Z","size":350,"stargazers_count":11,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2026-05-20T20:40:23.159Z","etag":null,"topics":["detection","detection-engineering","detection-rules","sentinelone","sentinelone-powerquery","sentinelone-threat-hunting","threat-hunting","threathunting","userscript"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/LasCC.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-07-30T18:26:03.000Z","updated_at":"2026-05-20T15:29:02.000Z","dependencies_parsed_at":"2025-09-03T17:35:56.022Z","dependency_job_id":"766af9c0-8b3d-497e-a081-e0a09f5fe665","html_url":"https://github.com/LasCC/SentinelOne-Userscript","commit_stats":null,"previous_names":["lascc/sentinelone-userscript"],"tags_count":20,"template":false,"template_full_name":null,"purl":"pkg:github/LasCC/SentinelOne-Userscript","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposi
tories/LasCC%2FSentinelOne-Userscript","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LasCC%2FSentinelOne-Userscript/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LasCC%2FSentinelOne-Userscript/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LasCC%2FSentinelOne-Userscript/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/LasCC","download_url":"https://codeload.github.com/LasCC/SentinelOne-Userscript/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LasCC%2FSentinelOne-Userscript/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33575520,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-27T02:00:06.184Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["detection","detection-engineering","detection-rules","sentinelone","sentinelone-powerquery","sentinelone-threat-hunting","threat-hunting","threathunting","userscript"],"created_at":"2025-09-08T20:46:01.185Z","updated_at":"2026-05-27T17:00:38.781Z","avatar_url":"https://github.com/LasCC.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Microsoft Sentinel \u0026 Defender 
Userscript](https://img.shields.io/badge/Also%20available-Microsoft%20Sentinel%20%26%20Defender%20Userscript-0078D4?style=for-the-badge\u0026logo=microsoft)](https://github.com/LasCC/MicrosoftSentinel-Userscript)\r\n\r\n# SentinelOne PowerQuery Custom Menu - Userscript\r\n\r\nA userscript that enhances the SentinelOne PowerQuery interface with a custom threat hunting button that follows the website's UI/UX design.\r\n\r\n![Demo Overview](demo/overview.png)\r\n\r\n## Features\r\n\r\n- **Custom Hunting Queries Menu**: Access a curated collection of threat hunting queries organized by category\r\n- **Query Pinning**: Pin frequently used queries for quick access\r\n- **Search \\\u0026 Filter**: Search through queries by name or description\r\n- **Cell Copy Buttons**: One-click copy functionality for **each** query result cell\r\n- **Compact UI**: Clean, organized interface that integrates seamlessly with SentinelOne\r\n\r\n![Demo Overview](demo/pin_query.png)\r\n\r\n## Installation\r\n\r\n1. Install a userscript manager like [Tampermonkey](https://www.tampermonkey.net/) or [Greasemonkey](https://www.greasespot.net/)\r\n2. Click [here](https://raw.githubusercontent.com/LasCC/SentinelOne-Userscript/refs/heads/master/userscript.js) to install the script\r\n3. The script will automatically load when you visit SentinelOne PowerQuery pages\r\n\r\nAfter the first installation, Tampermonkey shows a popup asking you to allow the request that fetches all the detection rules. 
Click the \"Always allow domain\" button.\r\n\r\n![Demo Overview](demo/popup_setup.png)\r\n\r\n## Default Rules\r\n\r\nBy default, the script comes with a comprehensive set of pre-configured threat hunting rules covering various categories such as:\r\n\r\n- Installation \\\u0026 Persistence\r\n- Process Execution\r\n- Network Activity\r\n- Registry Modifications\r\n- File System Activity\r\n- And more...\r\n\r\n## Customizing the Rules Source\r\n\r\nYou can modify the script to use your own custom rules by changing the `QUERIES_URL` constant. Here's how:\r\n\r\n```diff\r\n- const QUERIES_URL = \"https://raw.githubusercontent.com/LasCC/SentinelOne-Userscript/refs/heads/master/s1_powerquery_hunting.json\";\r\n+ const QUERIES_URL = \"https://your-domain.com/path/to/your/custom-rules.json\";\r\n```\r\n\r\n## Rules Format\r\n\r\nThe JSON file should contain an array of rule objects with the following structure:\r\n\r\n```json\r\n[\r\n    {\r\n        \"category\": \"Installation \u0026 Persistence\",\r\n        \"name\": \"EpiBrowser and OneStart installation\",\r\n        \"query\": \"your rule (json encoded)\"\r\n    }\r\n]\r\n```\r\n\r\n\r\n### Required Fields\r\n\r\n- **category**: The category name for organizing queries (e.g., \"Network Activity\", \"Process Execution\")\r\n- **name**: Display name for the query\r\n- **query**: The actual detection query\r\n\r\n\r\n## Usage\r\n\r\n1. Navigate to any SentinelOne PowerQuery page (`*.sentinelone.net/query*`)\r\n2. Look for the \"Hunting Queries\" button in the toolbar\r\n3. Click to open the dropdown menu with all available queries\r\n4. Use the search bar to find specific queries\r\n5. Filter by category using the tabs\r\n6. Click on any query to execute it immediately\r\n7. 
Use the star icon to pin/unpin frequently used queries\r\n\r\n## Browser Compatibility\r\n\r\n- Chrome/Chromium-based browsers with Tampermonkey\r\n- Firefox with Greasemonkey or Tampermonkey\r\n\r\n## Contributing\r\n\r\nFeel free to contribute additional hunting queries, bug fixes, or feature improvements by submitting pull requests to the [GitHub repository](https://github.com/LasCC/SentinelOne-Userscript).","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flascc%2Fsentinelone-userscript","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flascc%2Fsentinelone-userscript","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flascc%2Fsentinelone-userscript/lists"}