100+ Free SentinelOne THP Practice Questions

Explanation: SentinelOne's six-step threat hunting methodology begins with hypothesis formation. A hunter constructs an educated guess—often driven by threat intel, MITRE ATT&CK TTPs, or baseline anomalies—before issuing any Deep Visibility queries. This structured approach prevents aimless data dredging and focuses analyst effort on high-value investigative paths.

Explanation: Deep Visibility is SentinelOne's EDR data collection and querying engine. It continuously records granular OS-level events—process creation, network connections, file system changes, registry modifications, DNS lookups, and more—and stores them in the Singularity Data Lake, making this telemetry searchable for threat hunters via the console or API.

Explanation: This PowerQuery pipes process events through a filter selecting PowerShell as the source process name with a non-null NetworkUrl, then groups results by the destination URL. The goal is to surface all unique external hosts that PowerShell processes contacted—a classic hunt for C2 beaconing or data exfiltration via PowerShell. The `group by` aggregation collapses duplicate connections to the same host for easier analysis.

Explanation: SentinelOne's patented Storyline™ technology automatically assigns a Storyline ID (STID) to correlate all events—process creations, file writes, network connections, registry changes—that belong to the same attack chain. A hunter can filter Deep Visibility by a single STID to instantly retrieve the full attack narrative without manually piecing together parent-child process relationships.

Explanation: STAR rules can be configured with automated response actions including killing the matching process, quarantining the network at the endpoint level, or remediating/rolling back changes. These actions are executed by the SentinelOne agent on the endpoint when the STAR rule's telemetry match occurs, enabling machine-speed response without analyst approval for each event.

Explanation: MITRE ATT&CK T1059.001 is 'Command and Scripting Interpreter: PowerShell'. Alerts tagged with this technique indicate PowerShell was used as an execution mechanism. In Deep Visibility, the hunter should pivot to process events where SrcProcName or TgtFilePath involves PowerShell, examining command-line arguments, parent processes, and any subsequent network or file activity.

Explanation: In SentinelOne PowerQuery, the pipe (`|`) is used to chain commands—similar to Unix shell pipes. The results from one stage flow into the next, enabling hunters to filter, transform, group, sort, or summarize data in a multi-step pipeline. For example: `| from process | where SrcProcName = 'cmd.exe' | group by SrcProcCmdLine | sort count desc`.

Explanation: Regular, periodic outbound connections to a fixed external IP on a common post-exploitation port (4444 is the default Metasploit reverse shell port) is the classic signature of C2 beaconing. Threat hunters look for this IOA (Indicator of Attack) by grouping network events by destination IP and calculating connection intervals, using Deep Visibility aggregations to surface suspicious periodicity.

Explanation: STAR (Storyline Active Response) allows hunters to convert a Deep Visibility query directly into a persistent detection rule. The rule continuously evaluates incoming telemetry from the Singularity Data Lake against the query logic, firing near-real-time alerts and optionally automated response actions across the entire managed fleet whenever the condition is matched.

Explanation: In SentinelOne Deep Visibility, process creation events capture parent-child relationships. `SrcProcName` is the parent (source) process name and `TgtFilePath` or `TgtProcName` is the child process being spawned. Filtering on `SrcProcName = 'cmd.exe'` with a target of 'net.exe' surfaces all instances where the command shell spawned the net utility, a common lateral movement and reconnaissance pattern (T1087, T1018).