PowerQuery Overview

The PowerQuery overview provides guidance on using Event Search PowerQueries to create complex queries in SentinelOne's Singularity Data Lake. It outlines best practices, including when to use PowerQueries versus Event Search queries, and details on executing queries, managing time ranges, and sharing results. Additionally, it offers tips for constructing queries and utilizing schema-based auto-complete suggestions.

PowerQuery overview https://community.sentinelone.com/s/article/000006597

PowerQuery overview
Last Updated: Jul 14, 2025
Use Event Search PowerQueries as an advanced tool to create complex queries with multiple commands.

PowerQuery places certain limits on the memory that can be used when carrying out a search. To learn more, see default quotas in SDL (https://community.sentinelone.com/s/article/000011279).

Best practices for when to use PowerQuery

• You know exactly what you are looking for and do not want extra rows, columns, or data. PowerQueries return only the data requested and do not automatically add related fields. If you do not know all of the fields you must see, use Event Search queries instead.

• You want to use grouping functions in your query.

• You want to use statistics as part of the query, to find anomalies.

• You want to correlate multiple events with the join command.

From Visibility Enhanced, click Search > Power Queries.
1 of 5 7/23/25, 21:31
1. All queries begin with a standard filter expression to search for matching events. Additional commands, each starting with a pipe character ( | ), allow you to process the data in matching events. To insert line breaks, press Return or Enter. Click Search to execute your query, or press Shift-Return or Shift-Enter.

As you type, the Search Helper will show you a list of suggestions.

Tip: Sometimes it's easiest to begin in Event Search to construct the initial filter expression. Then, switch to PowerQuery to copy over your filter.
2. This is the time range of your search. By default, the last four hours show. Click the button to change the time range.

You can select a number to quickly search a preset range, or enter a custom range.

You can enter a time (for example, 14:30 or 5:05 AM), a date (May 23), or a date and time (5/14/2016 2:00 PM), using a wide variety of formats. Shortcuts like 5d / 5h / 5m / 5s indicate five days/hours/minutes/seconds. The End time assumes NOW, so entering 5m for the Start time and hitting Enter will search the last five minutes. Using the + shortcut for the End time, for example +24h or +1d, will search from the Start time to one day later.

See the Date and Time Reference (https://community.sentinelone.com/s/article/000006625) for a complete list of options.

The Start time is inclusive; the End time is exclusive.
3. Select a view for your event data:

• XDR - The query results show structured security data collected by SentinelOne Agents and integrated sources.

• EDR - The query results show structured security data collected by SentinelOne Agents.

• All Data - The query results show data collected by SentinelOne Agents, the SentinelOne Collector, and integrated data sources.

4. If your user has a Global or Multi-Account scope, click the Cross-Scope Selector to select Accounts for search.

At the top of the window is the Account you are currently linked to. You are searching data from this Account. Select specific Teams (Accounts) to include in the query, or select All to include all Accounts.

To exclude the Account you are currently linked to, switch Teams from the User Menu (https://community.sentinelone.com/s/article/000006500).

Note: Cross-team search selections are retained when sharing links. We recommend minimizing the scope of teams when sharing, to ensure your colleagues can view the results.
5. Help is immediately available:

• Click a command to see the syntax and an example.

• Tips for Getting Started with PowerQueries.

• An example PowerQuery.

• Click Help to go to the PowerQueries Help page.

6. The results of your query show as a Table by default. Select Line, Bar/Column, or Pie/Donut to graph your PowerQuery. See PowerQueries Graphs (https://community.sentinelone.com/s/article/000006614) for more information on this feature.

7. Click Save to display save actions for your current search:

• Save Search - Opens a dialog box that lets you save the active query to either your personal or team's list of saved searches; your list is selected by default. Saved searches are available from The Search Library (https://community.sentinelone.com/s/article/000006479).

• Save to Dashboard - Add this search to an existing dashboard, or start a new dashboard with this search.

• Download - Download up to 10,000 lines of the current search results as a plain text, CSV, JSON or Markdown file.

8. Click Share to select a way to share your search:

• Copy Link - Creates and copies a link to your search. Absolute times replace relative times. For example, instead of searching the previous hour, the link is from 8 a.m. to 9 a.m.

• Copy to Clipboard - Copy the query results to your clipboard in plain text, JSON, CSV, or Markdown format.

• Save to Shared Searches - The Save Shared Search window lets you save your query to your personal search menu, or the menu of everyone in the currently-selected Account. Saved searches are available from The Search Library (https://community.sentinelone.com/s/article/000006479).

9. Click to open the Search Library (https://community.sentinelone.com/s/article/000006479), which centralizes your recent, saved, shared, and SentinelOne queries.

Tips for creating queries

• To open endpoint cards from the results, and run actions on endpoints from a PowerQuery, use a filter for agent.uuid in the query. This also applies to process uid such as src, target, parent, and so on.

• Use the schema-based auto-complete suggestions to help you enter your query.

• Enter a pipe "|" to add a command and show the available commands.

• Use the filter command to add the events to search for.

• Queries do not show as valid or invalid in the query builder. There are many options and variations for PowerQuery notation.

• Enter # to use predefined shortcut fields in EDR and XDR searches. Shortcut fields search all field names that contain that property, without specific attributes such as src or tgt.

Note: Shortcut fields are supported in PowerQueries for field names but not for commands. Autocomplete shows the list of shortcut fields when they are supported.

◦ Supported: #ip = '192.0.2.0' | group distinct = estimate_distinct(endpoint.name) by endpoint.name

◦ Not supported: #ip = '192.0.2.0' | group distinct = estimate_distinct(#name) by endpoint.name
©2025 SentinelOne, Confidential and All Rights Reserved

