Stats
Actions
Available In
Tags
Plugin
s1-secops-skills
Generate Hyperautomation workflows, author and run PowerQuery threat hunting queries, interact with the Singularity Data Lake API, and deploy packaged SDL solutions—all from a single Claude conversation for SentinelOne SecOps environments.
What's Inside
Skills4
hyperautomation
/hyperautomation
Use this skill whenever a user wants to create, design, build, generate, write, or export a SentinelOne Hyperautomation workflow in JSON format. Triggers include: any mention of "Hyperautomation", "workflow", "automation", "SOAR", "playbook", "alert response", "trigger", "scheduled workflow", "webhook workflow", or any request to automate a SentinelOne-related security task. Also triggers when the user asks to import, export, test, validate, or submit a workflow to a SentinelOne console via API. Always use this skill for any task involving SentinelOne workflow JSON — even if phrased casually (e.g., "build me a thing that disables a user when an alert fires"). When in doubt about whether this skill applies, use it.
powerquery
/powerquery
Use any time the user wants to author, debug, optimize, explain, or run a SentinelOne PowerQuery (PQ) — Deep Visibility / Event Search queries, XDR/EDR threat hunting, investigations, STAR / Custom Detection rule bodies, PowerQuery Alerts, or Singularity Data Lake dashboard panels. Trigger on PowerQuery, PQ, pq, query, Event Search, Deep Visibility, S1QL, SDL, STAR rule, Custom Detection rule, PowerQuery Alert; on queries using fields like `event.type`, `src.process.*`, `tgt.file.*`, `indicator.*`, `agent.uuid`; on pipes like `| group`, `| filter`, `| let`, `| join`, `| parse`, `| columns`, `| compare`, `| top`, `| union`, `| lookup`, `| savelookup`, `| dataset`. Also trigger when asked to hunt a TTP, IOC, behavior, or alert pattern on a SentinelOne tenant — even casually ("find powershell reaching out to the internet", "write a detection for lsass access"). Explicitly NOT Microsoft Power Query / M / Excel and NOT Splunk SPL — this is SentinelOne's pipeline query language for security telemetry.
sdl-api
/sdl-api
Use whenever the user wants to read data and manage configuration through the SentinelOne Singularity Data Lake (SDL) API — run queries or manage configuration files (parsers, dashboards, alerts, lookups, datatables) on a Scalyr/SDL/XDR tenant. Trigger on "SDL", "SDL API", "Singularity Data Lake", "Scalyr", "DataSet", "xdr.us1.sentinelone.net" or any "*.sentinelone.net/api/*" URL, and on the method names "query", "powerQuery", "facetQuery", "timeseriesQuery", "numericQuery", "getFile", "putFile", "listFiles". Also trigger on tasks like "run a powerQuery", "list configuration files", "edit my parser via API", "deploy a dashboard JSON", "compute the rate of failures over time", or anything involving Log Read / Configuration Read / Configuration Write SDL keys, Bearer-token auth, or the S1-Scope header. Wraps every SDL method with a Python client and CLI.
sdl-solutions
/sdl-solutions
Deploy packaged, repeatable SentinelOne Singularity Data Lake (SDL) solutions into a site from one prompt. Use when the user wants to onboard, deploy, or roll out a whole SDL solution. Catalog: (1) data source onboarding (raw to OCSF, enrichment, dashboard, MITRE detections, threat response); (2) asset enrichment from the Asset Inventory; (3) UEBA behavioral anomaly detection (per action/principal z-score: SPIKE/DROP/SILENT/NEW); (4) per-device ingest health monitoring (7-day baseline: spike/drop/lag/silence/parser drift); (5) scheduled detection exclusions, suppress known-good noise in a scheduled PowerQuery detection over a third-party source via a CSV exclusion list (assets by IP/CIDR/host or custom domains/users/values) and a lookup anti-join, with an effectiveness dashboard. Triggers: 'onboard a new source', 'deploy UEBA/asset enrichment/ingest health', 'add a detection exclusion for a source', 'exclude these assets/domains from a detection'. NOT for one-off queries or standalone parser authoring.
Stats
Version1.2.2
Released
LanguageLua
Stars51
Forks29
MaintenanceExcellent
LicenseAGPL-3.0
Last Commit
Added
Available In
Tags
Technologies
'%20stop-opacity%3D'0.16'%2F%3E%3Cstop%20offset%3D'1'%20stop-color%3D'rgb(200%2C90%2C60)'%20stop-opacity%3D'0.03'%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D'320'%20height%3D'200'%20fill%3D'url(%23g)'%2F%3E%3Ccircle%20cx%3D'250'%20cy%3D'56'%20r%3D'92'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.06'%2F%3E%3Ccircle%20cx%3D'64'%20cy%3D'172'%20r%3D'58'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.05'%2F%3E%3C%2Fsvg%3E)
