
Retrieves PowerQuery results from SentinelOne Singularity Data Lake.

from_sentinelone_data_lake url:string, token=string, query=string,
[start=time, end=time]

The from_sentinelone_data_lake operator queries the SentinelOne Data Lake PowerQuery API to retrieve security events based on a custom query.

The operator sends a single request to the /api/powerQuery endpoint with your query and optional time range filters, then parses the tabular response into events that can be processed by your pipeline.

url: string

The base URL for your SentinelOne Data Lake instance.

Must be an https:// URL.

Ensure you’re using the correct regional endpoint for your SentinelOne instance (e.g., https://xdr.eu1.sentinelone.net for EU).

token = string

The API token to use for authorization.

It is recommended to use the secret() function to reference the credential securely rather than placing the token in the pipeline definition, as the examples below do.

query = string

The PowerQuery query string to execute against the Data Lake.

PowerQuery is SentinelOne’s query language for searching and analyzing data in the Data Lake. Refer to the SentinelOne PowerQuery documentation for query syntax details.

start = time

The start time for the query time range.

When specified, only events with timestamps at or after this time will be returned.

end = time

The end time for the query time range.

When specified, only events with timestamps before this time will be returned.

Whether to skip parsing strings as typed data.

Defaults to false.
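To make concrete what the operator does in one round trip (build the request to /api/powerQuery with the query and optional time range, then turn the tabular response into one event per row, with or without typed parsing of string cells), here is an added Python sketch. It is not Tenzir's implementation: the /api/powerQuery path is the only detail taken from the page; the startTime/endTime body keys, the Bearer authorization scheme and the columns/values response layout are assumptions, and the sample response is constructed.

```python
import json
import os
from datetime import datetime, timezone

# Endpoint path as stated on the page; the body key names, the auth header
# scheme and the response shape below are ASSUMPTIONS for illustration.
POWERQUERY_PATH = "/api/powerQuery"

# Constructed sample response in a columns/values table layout (assumed shape).
SAMPLE_RESPONSE = json.dumps({
    "columns": [{"name": "id"}, {"name": "severity"}, {"name": "timestamp"}],
    "values": [
        ["evt-1", "4", "2024-01-01T00:00:00Z"],
        ["evt-2", "5", "2024-01-01T00:05:00Z"],
    ],
})


def build_request(url, token, query, start=None, end=None):
    """Assemble the single request the operator sends: endpoint, headers, JSON body."""
    if not url.startswith("https://"):
        # The token must never travel over plaintext HTTP.
        raise ValueError("url must be an https:// URL")
    body = {"query": query}
    if start is not None:
        body["startTime"] = int(start.timestamp() * 1000)  # assumed key, epoch ms
    if end is not None:
        body["endTime"] = int(end.timestamp() * 1000)      # assumed key, epoch ms
    headers = {
        "Authorization": f"Bearer {token}",  # assumed scheme
        "Content-Type": "application/json",
    }
    return url.rstrip("/") + POWERQUERY_PATH, headers, body


def coerce(value):
    """Parse a string cell into a typed value (int, float, UTC datetime); else keep it."""
    if not isinstance(value, str):
        return value
    for conv in (int, float):
        try:
            return conv(value)
        except ValueError:
            pass
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return value


def tabular_to_events(raw, parse_types=True):
    """Turn the columns/values table into one dict (event) per row.

    parse_types=False mirrors the operator's option to skip typed parsing.
    """
    data = json.loads(raw)
    names = [col["name"] for col in data["columns"]]
    events = []
    for row in data["values"]:
        if len(row) != len(names):
            raise ValueError(f"row has {len(row)} cells but table has {len(names)} columns")
        cells = [coerce(c) for c in row] if parse_types else list(row)
        events.append(dict(zip(names, cells)))
    return events


if __name__ == "__main__":
    # Read the token from the environment, the script-level analogue of secret().
    token = os.environ.get("SENTINELONE_TOKEN", "<placeholder-token>")
    endpoint, headers, body = build_request(
        "https://xdr.eu1.sentinelone.net", token, "severity > 3 | columns id",
        start=datetime(2024, 1, 1, tzinfo=timezone.utc),
    )
    print(endpoint, body)
    for event in tabular_to_events(SAMPLE_RESPONSE):
        print(event)
```

Running it offline prints the assembled endpoint and body and the two parsed events; the width check on each row catches a truncated or malformed table before it silently produces misaligned fields downstream.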

Query threat events from the last 24 hours

from_sentinelone_data_lake "https://xdr.eu1.sentinelone.net",
token=secret("sentinelone-token"),
query="severity > 3 | columns id"

Query specific fields with time range filters

from_sentinelone_data_lake "https://xdr.eu1.sentinelone.net",
token=secret("sentinelone-token"),
query="severity > 3 | columns id",
start=now()-10d,
end=now()-3d
