
PowerQuery expression syntax
https://community.sentinelone.com/s/article/000006600

Last Updated: Mar 16, 2025

Most commands contain expressions that specify fields, values, and computations. For example:

• src.process.childProcCount > 0 (at least one child process).
• tgt.file.path contains 'temp' (target file paths that contain 'temp', case-insensitive).
• avg(tgt.file.size) (the average target file size).

Examples for Log Analytics:

• severity > 4 (values in the severity field that are greater than 4).
• machine contains 'staging' (values in the machine field that contain 'staging').
• mean(latency) (apply the mean aggregation function to values in the latency field).

Supported syntax:

• Boolean constants (true, false)
• Numeric constants (3.14, -9, 6.02e+23)
• String constants, using single or double quotes ("hello", 'goodbye') and escaped quotes ("nested \"quote\"")
• Arithmetic operators: +, -, *, /, %, and negation (-x)
• Comparison operators: <, <=, >, >=, ==, !=
• Boolean operators: &&, ||, !, AND, OR, NOT
• Ternary operator: test ? value-if-true : value-if-false
• Search operator: expression contains "search-term". You can set multiple search-terms: expression contains ('search-term-1', 'search-term-2', 'search-term-3'). An event matches on any search-term. Single or double quotes are valid.
• Regular expression operator: expression matches "regex". You can set multiple regex-terms: expression matches ('regex-1', 'regex-2', 'regex-3'). An event matches on any regex-term. Single or double quotes are valid. You must double escape regex elements, because the backslash is also the escape character of the string constant: message matches "\\d+" reaches the regex engine as \d+. See Regex (https://community.sentinelone.com/s/article/000006624) for more.
• Case sensitive search: expression contains:matchcase "Search-term" or expression matches:matchcase "Regex"
• Parentheses
• Identifiers (for example event.id or indicator.category)
• Functions (for example sqrt(x)); see Function Reference (/s/article/000006612#UUID-5861e993-6612-bf3c-1a2e-0ca933369d08).
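The search and regex operators above, as an added example that is not from the article or from SentinelOne: a small Python model of how a string constant is decoded (and therefore why regex elements are double-escaped), how contains and matches treat a list of terms, the :matchcase modifier, and a field that is absent from the event. The names parse_string_literal, parse_term_list, pq_contains, pq_matches, evaluate and run_checks, the sample events, and the assumption that matches is an unanchored search are all mine.

```python
import re

QUOTES = ("'", '"')


def parse_string_literal(literal: str) -> str:
    r"""Decode a PowerQuery string constant as it is written in a query.

    Single or double quotes are accepted and a backslash escapes the next
    character ("nested \"quote\"").  That single decoding pass is why regex
    elements must be double-escaped: the query text "\\d+" becomes the regex
    \d+ before the regex engine sees it.  Assumption (not stated by the
    article): an escape other than \" \' or \\ also yields just the escaped
    character.
    """
    if len(literal) < 2 or literal[0] not in QUOTES or literal[-1] != literal[0]:
        raise ValueError(f"not a quoted string constant: {literal!r}")
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(body[i + 1])  # \" -> "   \\ -> \
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


# One quoted constant, honouring backslash escapes, in either quote style.
_QUOTED = re.compile(r'''\'(?:[^\'\\]|\\.)*\'|"(?:[^"\\]|\\.)*"''')


def parse_term_list(source: str) -> list[str]:
    """Parse the right-hand side of contains/matches: a single constant or a
    parenthesised, comma-separated list such as ('term-1', "term-2")."""
    source = source.strip()
    if source.startswith("(") and source.endswith(")"):
        source = source[1:-1]
    return [parse_string_literal(tok) for tok in _QUOTED.findall(source)]


def pq_contains(value, terms, matchcase=False) -> bool:
    """expression contains (...): true when ANY term is a substring of the
    value; case-insensitive unless contains:matchcase.  A missing field is
    null (None here) and never matches."""
    if value is None:
        return False
    hay = str(value) if matchcase else str(value).lower()
    return any((t if matchcase else t.lower()) in hay for t in terms)


def pq_matches(value, patterns, matchcase=False) -> bool:
    """expression matches (...): true when ANY regex is found in the value.
    Assumption: an unanchored search like re.search; add ^ and $ yourself if
    the whole value has to match."""
    if value is None:
        return False
    flags = 0 if matchcase else re.IGNORECASE
    return any(re.search(p, str(value), flags) for p in patterns)


def evaluate(event: dict, field: str, operator: str, rhs: str) -> bool:
    """Evaluate `field operator rhs` against one event, where rhs is the query
    text exactly as typed after the operator."""
    op, _, mode = operator.partition(":")
    matchcase = mode == "matchcase"
    terms = parse_term_list(rhs)
    value = event.get(field)  # absent field -> null, as the article says
    if op == "contains":
        return pq_contains(value, terms, matchcase)
    if op == "matches":
        return pq_matches(value, terms, matchcase)
    raise ValueError(f"unsupported operator {operator!r}")


# Constructed sample events, not real telemetry; the third has no tgt.file.path.
CONSTRUCTED_EVENTS = [
    {"tgt.file.path": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "message": "pid 4412 started"},
    {"tgt.file.path": "/opt/app/bin/server", "message": "no digits here"},
    {"message": "retry 7"},
]

# (field, operator, right-hand side as it would be typed in the query)
CHECKS = {
    "contains_temp": ("tgt.file.path", "contains", "'temp'"),
    "contains_matchcase": ("tgt.file.path", "contains:matchcase", "'temp'"),
    "contains_any": ("tgt.file.path", "contains", "('temp', 'bin')"),
    "matches_digits": ("message", "matches", '"\\\\d+"'),  # query text "\\d+"
}


def run_checks() -> dict[str, list[bool]]:
    """Outcome of every check against every constructed event, in order."""
    return {name: [evaluate(ev, *spec) for ev in CONSTRUCTED_EVENTS]
            for name, spec in CHECKS.items()}


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name:20s} {outcome}")
```

The contains_matchcase check is the one to note: the first path holds Temp, not temp, so the case-sensitive form misses it while the default form hits. Whether the real engine anchors matches or treats escapes beyond quote and backslash the same way is not covered by the article; check against a live query before relying on either.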

Identifiers can have hyphens, e.g. k8s-controller. To force the hyphen to be interpreted as subtraction, insert spaces: k8s - controller. To use other punctuation characters in an identifier, or to avoid warnings due to the use of a hyphen, precede the character with a backslash, e.g. field\#name.

Identifiers can also have colons. To use a colon as part of the ?: (ternary) operator, surround it with spaces.

The let, parse, lookup, columns, and group commands create new fields that can be used by subsequent commands. For instance, let kbPerSec = size / time creates a new field kbPerSec. let, parse, and lookup add fields; group and columns create entirely new records. Thus, after a group or columns command, you can only use fields which were defined by that command.

If a query uses a field which is not present in an event, the missing field will be given the value null.

The boolean || or OR operator returns the first truthy value:

    | union
        (| limit 1 | columns A="", B='foo', C='bar'),
        (| limit 1 | columns A=0, B='foo', C='bar'),
        (| limit 1 | columns A=null, B='foo', C='bar'),
        (| limit 1 | columns A=false, B='foo', C='bar'),
        (| limit 1 | columns A=NaN, B='foo', C='bar')
    | let x = (A || B || C)

A      B    C    x
-      foo  bar  foo
0      foo  bar  foo
-      foo  bar  foo
false  foo  bar  foo
-      foo  bar  foo

In every row x is 'foo': the empty string, 0, null, false and NaN are all falsy, so || skips A and returns B. (The console renders the empty string, null and NaN as -.)
