Today, CyberMaxx is excited to announce the release of a new open-source tool built to solve a very real — and until now, very manual — challenge faced by cybersecurity professionals: converting SentinelOne Deep Visibility Query Language v1 queries to the Deep Visibility Query Language v2 format.
Recently, SentinelOne has started notifying its customers that it is sunsetting Deep Visibility Query Language Version 1. This has a material impact on its users. Unfortunately, these aren’t one-to-one conversions: field mappings change, operators evolve, and entire logic structures shift. While the language had some interesting quirks, DVv1 was a powerful tool that made defenders more capable, made companies safer, and limited the impact of security events for users of the Endpoint Detection and Response software.
With this announcement, it became paramount for CyberMaxx to get ahead of the change: not only to preserve basic functionality, but also to understand the limitations of the new language, see whether it alleviated issues with the older language, and verify that the migration leaves no detection gaps.
The new language has several notable improvements as well as a few drawbacks. Firstly, when constructing large and complex queries, adding exclusions on fields that are not present in every table of the result set no longer causes issues. SentinelOne has adopted “dot notation,” which makes query parameters more consistent across multiple fields. Additionally, the character limit appears to have been lifted or expanded. The drawbacks are relatively minor: comments and multi-line queries, which improve the readability of larger, complex queries, do not seem to function in the newer XDR platform. This can be easily remedied by crafting the queries in an IDE and collapsing them to a single line before use.
We hope that this tool is useful for others in the same situation as us. By scripting conversions, teams can alleviate stress and dramatically decrease the time spent manually rewriting queries, a process that introduces human error and leads to detection gaps — exactly what practitioners are working to prevent.
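To illustrate the kind of scripted conversion described above, here is a small table-driven converter written for this post as an added example; it is not the CyberMaxx tool's code and is not taken from its repository. The v1 field names and their v2 dot-notation equivalents in `FIELD_MAP`, and the operator spellings in `OPERATOR_MAP`, are assumed illustrative mappings rather than an authoritative list. The converter tokenizes a v1 query (so quoted string values are never rewritten), rewrites fields and operators, collapses multi-line input to a single line, and, most importantly for migration safety, reports any field it could not map instead of silently passing it through, so a gap in the mapping table surfaces as a finding rather than as a detection that quietly stops matching.

```python
import re
from dataclasses import dataclass, field

# ASSUMED illustrative mappings from v1 field names to v2 dot-notation
# fields; a real migration needs the vendor's full, current mapping table.
FIELD_MAP = {
    "AgentName": "endpoint.name",
    "ProcessName": "src.process.name",
    "ProcessCmd": "src.process.cmdline",
    "EventType": "event.type",
    "SiteName": "site.name",
}

# ASSUMED operator spellings (v1 keywords are matched case-insensitively).
OPERATOR_MAP = {
    "AND": "and",
    "OR": "or",
    "NOT": "not",
    "CONTAINS": "contains",
    "IN": "in",
}

# Tokenizer: strings are matched first so their contents are never rewritten.
TOKEN_RE = re.compile(
    r'''
    (?P<string>"(?:[^"\\]|\\.)*")      |
    (?P<paren>[()])                    |
    (?P<comma>,)                       |
    (?P<op>!=|=|>=|<=|>|<)             |
    (?P<word>[A-Za-z_][A-Za-z0-9_.]*)  |
    (?P<ws>\s+)
    ''',
    re.VERBOSE,
)


@dataclass
class Conversion:
    query: str
    unmapped_fields: list = field(default_factory=list)


def tokenize(text):
    """Split a v1 query into (kind, text) tokens; whitespace and newlines are dropped,
    which also collapses a multi-line query into a single line."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}: {text[pos]!r}")
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens


def _join(parts):
    # Re-assemble tokens with readable spacing: no space after "(" or before ")" / ",".
    out = ""
    for p in parts:
        if out and p not in (")", ",") and not out.endswith("("):
            out += " "
        out += p
    return out


def convert_v1_to_v2(v1_query):
    """Rewrite a v1 query into v2 syntax and report fields with no known mapping."""
    tokens = tokenize(v1_query)
    out, unmapped = [], []
    i = 0
    while i < len(tokens):
        kind, text = tokens[i]
        if kind == "word":
            upper = text.upper()
            # Two-word v1 operator "In Contains" becomes a single v2 operator (assumed spelling).
            if upper == "IN" and i + 1 < len(tokens) and tokens[i + 1][1].upper() == "CONTAINS":
                out.append("in contains")
                i += 2
                continue
            if upper in OPERATOR_MAP:
                out.append(OPERATOR_MAP[upper])
            elif text in FIELD_MAP:
                out.append(FIELD_MAP[text])
            else:
                # Unknown field: keep it verbatim but flag it so the analyst reviews it.
                unmapped.append(text)
                out.append(text)
        else:
            out.append(text)
        i += 1
    return Conversion(_join(out), unmapped)


if __name__ == "__main__":
    # Constructed sample v1 query spanning two lines, not a real customer query.
    sample = 'EventType In ("Process Creation",\n  "File Modification") AND UnknownField != "x"'
    result = convert_v1_to_v2(sample)
    print(result.query)
    if result.unmapped_fields:
        print("REVIEW NEEDED, unmapped fields:", result.unmapped_fields)
```

Run over a whole rule set, the `unmapped_fields` list is the migration gap report: every rule that names a field outside the mapping table gets a human review before it is trusted in the new platform.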
Get the Tool
The tool is available now on GitHub/J0shNan with full documentation and examples. It’s completely free to use and open for contributions.