Unless otherwise noted, the companies, organizations, products, email addresses, people,
places, and events depicted herein are fictitious, and no association with any real company,
organization, product, email address, person, places, or events is intended or should be
inferred. Complying with all copyright laws is the responsibility of the user.
No part of this document may be reproduced, stored in, or introduced into a retrieval system,
or transmitted in any form or by any means (electronic, mechanical, photocopying, recording,
or otherwise), or for any purpose, without the express written permission of SentinelOne.
SentinelOne may have trademarks, copyrights, or other intellectual property rights covering
subject matter in this document. Except as expressly provided in any written license agreement
from SentinelOne the furnishing of this document does not give you any license to these
trademarks, copyrights, or other intellectual property.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
SentinelOne
605 Fairchild Dr
Mountain View, CA 94043
www.sentinelone.com
TABLE OF CONTENTS
Module 1 - Introduction
Module Objectives ...................................................................................... 1-1
Introductions............................................................................................... 1-2
Course Outline ............................................................................................ 1-3
What is SentinelOne? ................................................................................. 1-6
SentinelOne Core ........................................................................................ 1-7
SentinelOne Control ................................................................................... 1-8
SentinelOne Complete ................................................................................ 1-9
Overall Strengths ...................................................................................... 1-10
Underlying Technology ............................................................................. 1-11
SentinelOne Ranger .................................................................................. 1-13
SentinelOne Vigilance ............................................................................... 1-14
SentinelOne Resources ............................................................................. 1-15
Module Review ......................................................................................... 1-16
Review Questions and Group Discussion ................................................. 1-17
Pending Action ..................................................................................... 3-55
Managing Endpoints ................................................................................. 3-58
Endpoint Filter ...................................................................................... 3-58
Actions .................................................................................................. 3-62
Endpoint Details Pane .......................................................................... 3-65
Moving Agents ....................................................................... 3-66
Uninstalling Agents from the Management Console .......................... 3-68
Decommission an Agent ....................................................................... 3-71
Agent Migration Between Management Consoles .............................. 3-72
Sending Console Messages to Endpoints ................................................. 3-75
Integrating SMTP Servers.......................................................................... 3-76
Configuring Email Notifications ................................................................ 3-78
Integrating Syslog Servers ......................................................................... 3-80
Configuring Syslog Notifications ............................................................... 3-82
Device Control .......................................................................................... 3-83
Device Control Settings ........................................................................ 3-84
Device Control Rules and Rule Order ................................................... 3-87
Creating Device Control Rules .............................................................. 3-90
Enable, Disable or Edit a Rule ............................................................... 3-93
Change the Order of a Rule ................................................................. 3-95
Moving and Copying Rules ................................................................... 3-96
Reviewing Device Control Activity Logs ............................................... 3-98
Creating Device Control Rules from Events ....................................... 3-100
SentinelOne Firewall Control .................................................................. 3-103
Firewall Control Settings .................................................................... 3-104
Creating and Editing Firewall Rules .................................................... 3-106
Enable, Disable or Edit a Rule............................................................. 3-111
Firewall Rules and Rule Order ............................................................ 3-113
Moving and Copying Rules ................................................................. 3-115
Importing and Exporting Firewall Rules ............................................. 3-118
Reviewing Firewall Control Activity Logs ........................................... 3-121
Location Aware Firewall ..................................................................... 3-123
Configuring Locations ............................................................................. 3-124
Getting Logs for Support ......................................................................... 3-137
Module Review ....................................................................................... 3-140
Review Questions ................................................................................... 3-141
Path Exclusion Details............................................................................. 4-8
Path Exclusion Mode .............................................................................. 4-9
Best Practices for Path Exclusions ........................................................ 4-11
Path Exclusions to Avoid ...................................................................... 4-12
Excluding a Signer Identity (Certificate) ............................................... 4-15
Excluding a File Type ............................................................................ 4-17
Excluding a Browser ............................................................................. 4-18
Agent Support for Exclusions ............................................................... 4-19
Analyzing Threats ...................................................................................... 4-20
Threat Management ............................................................................ 4-21
Forensic Analysis of Threats ................................................................. 4-29
Incident Details – Page Settings ........................................................... 4-31
Incident Details – Overview Tab........................................................... 4-32
Incident Details - Header ................................................................. 4-32
Incident Details - Summary.............................................................. 4-34
Incident Details – Threat Information ............................................. 4-35
Incident Details – Endpoint Details.................................................. 4-36
Incident Details – Threat Indicators................................................. 4-37
Incident Details – Notes ................................................................... 4-38
Incident Details – Explore Tab .............................................................. 4-39
Incident Details – Timeline Tab ............................................................ 4-44
Timeline – Filters .............................................................................. 4-45
Timeline – Export Events Log ........................................................... 4-45
Mitigation Actions ..................................................................................... 4-47
On-Demand File Fetch .............................................................................. 4-51
Full Disk Scan............................................................................................. 4-54
Application Risk Management .................................................................. 4-57
SentinelOne Remote Shell ........................................................................ 4-61
Module Review ......................................................................................... 4-64
Review Questions ..................................................................................... 4-65
Deep Visibility Use Cases .......................................................................... 5-31
Hunting for Living Off the Land Attacks ............................................... 5-31
Hunting Abnormal Scheduled Task Creation ....................................... 5-32
Hunting IOCs based on a Known Starting Point ................................... 5-33
Hunting Abnormal Behavior on an Endpoint ....................................... 5-37
Hunting Abnormal Behavior by Known Characteristic......................... 5-38
Searching for Behavioral Indicators .......................................................... 5-39
Responding to Incidents with Deep Visibility ........................................... 5-41
Saving Threat Hunting Queries and Watchlists ........................................ 5-43
Working with Saved Deep Visibility Queries ............................................ 5-45
Managing the Browser Extension ............................................................ 5-47
Supported File Types for Deep Visibility .................................................. 5-48
List of Indicator Names and Categories .................................................... 5-49
Queries for Mitre Techniques ................................................................... 5-60
Module Review ......................................................................................... 5-65
Review Questions ..................................................................................... 5-67
MODULE 1
Introduction
Welcome to the SentinelOne Core Workshop. In this course, you will learn the skills necessary
to effectively use the SentinelOne platform for endpoint protection. In this module, we will
cover:
• Introductions
• Course Outline
• What is SentinelOne
• SentinelOne Versions
• SentinelOne Strengths
• Underlying Technology
• SentinelOne Ranger
• SentinelOne Vigilance
• SentinelOne Resources
© SentinelOne 1-1
Introductions
Course Outline
Module 1 – Introduction
• Introductions
• Course Outline
• What is SentinelOne
• SentinelOne Versions
• SentinelOne Strengths
• Underlying Technology
• SentinelOne Architecture
• SentinelOne Ranger
• SentinelOne Vigilance
• SentinelOne Resources
Module 6 – Reports
• Creating Insight Reports
• Editing and Deleting Reports
• Downloading a Report
What Is SentinelOne?
SentinelOne is an endpoint protection platform designed for enterprise organizations that gives
them visibility into their own network. It is a network security solution built around the
approach known as endpoint security, which focuses on detecting and eliminating security and
cyber threats.
SentinelOne provides a broad range of protection against different modes of security threats
and attacks, including malware, ransomware, exploits, and live or insider attacks. The platform
provides remediation capability, which enables users to instantly mitigate the effects of a
cyber-attack and restore the system, making it immune to such threats in the future.
SentinelOne can moreover detect threats in advance with the aid of its machine learning and
intelligent automation.
The most prominent feature of the SentinelOne platform is its use of machine learning and
Artificial Intelligence to consistently protect critical endpoints from cyber-attacks. SentinelOne
can anticipate threats and attacks by deeply inspecting files, documents, emails, credentials,
browsers, payloads, and memory storage. It can automatically disconnect a device from the
network when it identifies a possible security threat or attack.
SentinelOne Core
SentinelOne Core offers attack remediation, cleaning all artifacts of a malicious attempt,
including registry entries, scheduled tasks and more, while Rollback Revert returns an
endpoint to its pre-infected state. Upon detection, SentinelOne can immediately stop lateral
threat spread cold by disconnecting the infected endpoint from the network while still
maintaining the agent's connection to the management console.
SentinelOne Control
SentinelOne Control builds on all the features of SentinelOne Core and adds security
features, such as device control and endpoint firewall control. This includes:
The innovative security solution offers broad protection against diverse modes of attack,
including:
SentinelOne Complete
SentinelOne Complete adds Deep Visibility EDR, which provides actionable context in an
easy-to-use UI. SentinelOne Complete uses the same agent to provide enterprise EDR
visibility for Windows, Mac, Linux, and Kubernetes containers; no additional installed code
is necessary. Deep Visibility provides the SOC, Threat Hunters, and Incident Responders
with a full-featured investigative tool. Deep Visibility is easy to use, and the Storyline is
the underlying technology that lets you understand root cause in one pivot, saving you
time and trial and error. S1 Complete provides 30 days of historical EDR data out of the
box and affordably scales to 365 days if you require it.
Deep Visibility also provides the ability to search by MITRE ATT&CK framework
techniques when an atomic IoC is unknown.
When you find something suspicious, simply mark the story as a threat and ActiveEDR
commands the agents to mitigate.
Overall Strengths
Underlying Technology
Prevent
Before a portable executable, PDF or Office document runs in memory, we analyze it to
see if it looks odd in any way. If it has the characteristics of what we know is not good,
we quarantine it. Using a Static AI model, we are able to determine whether a file is
malicious pre-execution: our model yields extremely high efficacy rates with very low
false positives, making SentinelOne one of the world's leading prevention-first products,
all while being 100% signature free.
Detect
SentinelOne agents identify evil in real time even if there is no cloud connection.
Anything that starts to run on the machine is analyzed using SentinelOne's proprietary
Behavioral AI engine. S1 tracks every process, application, and group in real time on the
endpoint and is able to pinpoint when an activity crosses the threshold from benign to
malicious. We have trained our behavioral models to understand and recognize every
process on the endpoint, making our detection capability vector agnostic and wildly
effective for complex vectors like fileless attacks.
When code begins to run, our Active EDR (automated threat hunting mechanism) comes
in. It watches the action play out and determines whether there is any odd lateral
movement, fileless attack, exploit or bad script or macro. An example is a document that
you open in MS Word which then spawns PowerShell and reaches out to the Internet to
download something. We track everything that happens in the OS as a set of stories and
continue watching the process to see if any malicious activity occurs.
Respond
The agent responds to all threats at machine speed. The Behavioral engine is able to
automatically mitigate processes and remediate in real time. This is the core value of
ActiveEDR: SentinelOne agents operate like a SOC on each and every endpoint, working
for you. The Storyline ID is how SentinelOne automatically links all behaviors to their
root in real time, building the complete storyline and automatically performing SOC
analysis so that cybersecurity staff can do and see more. If the file is found to be
malicious, we have a protective response, such as: kill the process, quarantine the file,
clean up from the attack, or roll back the system to a known good state. We can also
disconnect the endpoint from the network and use a Remote Shell.
Hunt
For those threats that we don't catch, we have ActiveEDR Advanced, also known as the
Deep Visibility/Threat Hunting capability. SentinelOne maintains the context for 90 days
of all this data so that threat hunting is far easier for novices and experts alike. With
SentinelOne's ActiveEDR, analysts can spend more time hunting. Our Deep Visibility
Threat Hunting Module allows the world's pre-eminent security teams as well as SMBs
to use nuanced responses like full remote shell execution.
While all other EDR solutions transport all data in discrete forms to the cloud and then
assemble it there, SentinelOne has a differentiated approach. The problems with how
others do this:
1. Network bandwidth consumption is high
2. Analysis is done ex post facto, not allowing active prevention and response; this
delay creates dwell time
3. SOC analysts have to assemble every story themselves
4. Alert fatigue is the byproduct
SentinelOne Ranger
SentinelOne Ranger creates visibility into your network by using distributed passive and active
mapping techniques to discover running services, unmanaged endpoints, IoT devices, and
mobile devices.
The number of devices running on networks is increasing as people bring their personal phones,
laptops, and smart devices into the workplace. Additionally, more and more Internet of Things
(IoT), Operational Technology (OT), and smart appliances are being added to the network. All
these devices are becoming increasingly intelligent and complex. This complexity can lead to
bugs, and bugs can lead to vulnerabilities. This means it is increasingly important for network
administrators to have a way of keeping an inventory of what is on their network. Ranger
generates this inventory automatically and maintains it over time.
Ranger also makes it easy to find unmanaged endpoints. You want to make sure every device
joining your network is protected, but this can be tricky with an increasing number of devices
and limited IT personnel. With Ranger, a list of unmanaged endpoints is just a few clicks away.
SentinelOne Vigilance
SentinelOne Resources
During this module, you were introduced to what SentinelOne is, its architecture, and its
system requirements.
Review Questions
1. What is EPP?
2. What is EDR?
3. Which SentinelOne Engine runs scans upon file execution, in addition to when files are
written to the disk, looking for malicious files?
a. Deep File Inspection (DFI)
b. Reputation
c. Dynamic Behavioral Tracking (DBT)
d. Anti-Exploitation
Group Discussion
1. What types of attacks are you seeing on your network, and how frequently do they
occur?
2. Has your organization been the victim of cyber-attacks? Describe the attacks.
SentinelOne Management Console
MODULE 2
Management Console Overview
This module is intended to introduce users to the SentinelOne Console. In this module you will
review all of the SentinelOne views:
• SentinelOne Hierarchy
• Management Console Views
• Scope
• Dashboard
• Deep Visibility
• Ranger
• Sentinels
• Endpoints
• Policy
• Blacklist
• Exclusions
• Firewall Control
• Device Control
• Packages
• Incidents (Threat Management)
• Applications
• Activity
• Reports
• Settings
• Configuration
• Notifications
• Users
• Integrations
• Policy Override
• Accounts
• Sites
• Locations
SentinelOne Hierarchy
Each Management Console user has an Access level (Global, Account, or Site), which is the
boundary of influence for licenses, policies, blacklists, exclusions, packages, settings, reports,
and other features.
Each user also has a role, which defines what they can do within the Access level.
• Global: The Global Scope manages the complete deployment of all Accounts, Sites and
Groups.
• Account: One or more logical segments with permissions to configure features for
specific Sites. Each Account can have multiple Sites. An Account can have its own
objects and settings and inherits from Global settings.
• Site: One or more physical or logical secured segments, each with its own objects and
settings, specific or inherited from Global or from the Account. A Site can belong to only
one Account and can have multiple Groups.
• Group: One or more logical units of endpoints, for easier management, each with its
own objects and settings. A Group can belong to only one Site.
Manage your SentinelOne Agents, threat mitigation, integrations, and other aspects of
your SentinelOne environment from the Management Console.
Open the different views of the Management Console from the sidebar.
Selecting a Scope
The Scope view allows users to manage and see the platform hierarchy.
The information in the Management Console changes based on the selected scope and the
Admin's own scope.
• As a Global Admin, you manage the Global deployment, the Accounts, the Sites in each
Account, Groups in each Site, and their security objects.
• As an Account Admin, you manage the Accounts, the Sites in each Account, Groups in
each Site, and their security objects. You can select and manage a specific Site or
Group.
• As a Site Admin you manage your Sites, their endpoints, and some of their security
objects. You can select and manage Groups in the Site.
Dashboard
The Dashboard view of the SentinelOne Management Console is fully customizable and based
on the logged-on user. The Dashboard is made of different widgets, to quickly see the
information that is most relevant to you and your stakeholders. When you log in to the
Management Console from a different computer or browser, your personalized Dashboard
opens.
Users can choose from over 50 widgets related to Threats, Endpoints, Applications, and IoT
devices (Ranger).
Deep Visibility
The Deep Visibility view lets the user run SentinelOne Deep Visibility queries. Deep Visibility
extends the ActiveEDR capabilities with full visibility into endpoint data and threat hunting.
The kernel-based monitoring allows a near real-time search across endpoints for all indicators
of compromise (IOC). It gives security teams the ability to augment real-time threat detection
capabilities with a powerful threat hunting tool.
SentinelOne's Storyline lets security analysts understand the full story of what happened on a
device, as each element of a story carries the same Storyline ID.
All data transmissions are encrypted, compressed, and sent over HTTPS. Agent data is available
for up to three months. From the time that an event occurs, the data is available in Deep
Visibility queries within minutes.
Ranger
SentinelOne Ranger gives full visibility of all devices connected to your network. Ranger scans
your corporate environment to identify and manage connected devices, even those not
protected by or supported by SentinelOne.
Ranger benefits:
• Enterprise-wide visibility of connected devices.
• Intelligent and automatic scan management with minimal network traffic footprint.
• Simple map of unsecured endpoints on which to install the Agent.
• Enriched Threat Hunting with unsecured device information as part of an IOC
investigation.
• Network isolation for unwanted devices to reduce the attack surface.
• Easy deployment of Ranger as an integrated solution with SentinelOne Agent and
Management Console.
• Easy network scaling with zero configuration to discover new networks and subnets.
Sentinels View
Based on the SKU and the Scope the user is in, the menu selections can vary. This is a listing of
the menu selections for Complete:
In the Sentinels View – Global level, users have access to the following tabs:
• Endpoints
• Policy
• Blacklist
• Exclusions
• Firewall Control
• Device Control
• Packages
In the Sentinels View – Account level, users have access to the following tabs:
• Endpoints
• Policy
• Blacklist
• Exclusions
• Firewall Control
• Device Control
• Packages
• Account Info
In the Sentinels View – Site level, users have access to the following tabs:
• Endpoints
• Policy
• Blacklist
• Exclusions
• Firewall Control
• Device Control
• Packages
• Site Info
• Group Ranking
In the Sentinels View – Group level, users have access to the following tabs:
• Endpoints
• Policy
• Blacklist
• Exclusions
• Firewall Control
• Device Control
• Group Info
Policy
A policy is a set of mitigation settings and configuration settings that define the behavior of
SentinelOne Agents on endpoints.
Policy Inheritance
• Each Account, Site, and Group can have its own policy, or it can inherit the policy
from the scopes above it.
• By default, each Account, Site, and Group inherits the Global policy. Global Users can
make changes to the Global policy. Users can make changes to the policy for entities in
their scope.
• For example, Groups inherit the policy defined for their Site. If the policy is not changed
for the Site, Groups inherit the Account or Global policy.
Endpoints
By scrolling to the right on each row the following information about the endpoint is available:
• Endpoint Name - Name of the protected device
• Account - The Account that the endpoint belongs to
• Site - The Site that the endpoint belongs to
• Last Logged in User - Name of the user that logged in most recently
• Group - Group that the endpoint belongs to
• Domain - Network domain that the endpoint belongs to
• Console Visible IP - External IP address of the Agent
• Agent Version - Version of the installed Agent
• Subscribed on - First date and time that the agent connected to the management server
• Health status - Healthy or Infected
• Device type - Laptop, Desktop, Server
• OS - Operating System
• OS Version - Exact OS version, for example Windows 10 (14393)
• Architecture - 64 bit or 32 bit
• MAC address - Physical MAC address
• Management connectivity - Online or Offline
Blacklist
SentinelOne Agents immediately identify files on the blacklist and block them from executing,
based on the policy. Files on the blacklist are defined by their SHA1 hash. Agents identify files
on the blacklist before they look at exclusions.
Blacklist Hierarchy
• Sites, Accounts, and Global can each have their own blacklist items.
• Each scope also inherits blacklist items from the scopes above it.
o An Account inherits all Global blacklist items.
o A Site inherits all blacklist items of its Account, and all Global blacklist items.
You can add a hash to the blacklist manually, or add it to the blacklist automatically after it
shows in your Management Console.
Best Practice: Always analyze a threat before you add the file to the blacklist.
Note: Items that you add to the blacklist do not automatically become resolved. When you
finish investigating and handling a threat or detection, mark it as resolved.
Exclusions
Agents sometimes mark benign items as potential threats. You can configure Exclusions to
make your Agents suppress alerts and mitigation for these items.
Exclusion Hierarchy
• Groups, Sites, Accounts, and Global can each have their own exclusions.
• Each scope also inherits exclusions from the scopes above it.
o An Account inherits the Global exclusions.
o A Site inherits the exclusions of its Account, and the Global exclusions.
o A Group inherits the exclusions of its Site, its Account, and the Global exclusions.
Important: If incorrect exclusions are created, the environment may be open to malware.
You can create these types of exclusions: hash, path, certificate signer, file type, and browser.
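The scope hierarchy, policy inheritance, blacklist inheritance and blacklist-before-exclusions order described in the Policy, Blacklist and Exclusions sections, as an added Python model (not SentinelOne code; the scope names, hashes, paths and the three outcome labels are constructed, and path exclusions are modelled as simple prefix matches):

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Scope:
    """One node of the Global > Account > Site > Group hierarchy.

    Each scope can hold its own objects and inherits those of every scope
    above it.  Per the module, Global, Account and Site hold blacklist items,
    while exclusions exist at every level including Group.
    """
    name: str
    level: str                                   # "Global", "Account", "Site" or "Group"
    parent: Optional["Scope"] = None
    policy: Optional[dict] = None                # None means "inherit from the scope above"
    blacklist: set = field(default_factory=set)  # SHA1 hashes as hex strings
    hash_exclusions: set = field(default_factory=set)
    path_exclusions: set = field(default_factory=set)

    def chain(self):
        """Yield this scope first, then each ancestor up to Global."""
        scope = self
        while scope is not None:
            yield scope
            scope = scope.parent

    def effective_policy(self) -> dict:
        """The nearest scope that defines a policy wins; Global must define one."""
        for scope in self.chain():
            if scope.policy is not None:
                return scope.policy
        raise ValueError("Global scope has no policy")

    def effective_blacklist(self) -> set:
        """Own blacklist items plus everything inherited from the scopes above."""
        return set().union(*(scope.blacklist for scope in self.chain()))

    def effective_exclusions(self):
        """(hash exclusions, path exclusions) visible from this scope."""
        hashes = set().union(*(scope.hash_exclusions for scope in self.chain()))
        paths = set().union(*(scope.path_exclusions for scope in self.chain()))
        return hashes, paths


def evaluate(scope: Scope, sha1: str, path: str) -> str:
    """What the Agent does with a file, in the order the module states:
    blacklist first, then exclusions, then ordinary detection.
    Returns one of the constructed labels "block", "suppress" or "detect".
    """
    if sha1 in scope.effective_blacklist():
        return "block"          # blacklist is checked before exclusions, so it wins
    hashes, paths = scope.effective_exclusions()
    if sha1 in hashes or any(path.lower().startswith(p.lower()) for p in paths):
        return "suppress"       # alerts and mitigation suppressed for excluded items
    return "detect"             # falls through to the normal engines


def build_demo():
    """Constructed hierarchy: one Account, one Site, one Group."""
    glob = Scope("Global", "Global", policy={"mitigation": "kill_and_quarantine"})
    acct = Scope("Acme Corp", "Account", parent=glob)
    site = Scope("HQ", "Site", parent=acct, policy={"mitigation": "detect_only"})
    grp = Scope("Finance", "Group", parent=site)
    # Constructed 40-hex-character SHA1 values, not real indicators.
    glob.blacklist.add("a" * 40)
    acct.blacklist.add("b" * 40)
    # A Site exclusion for a hash the Account blacklists: the blacklist still wins.
    site.hash_exclusions.add("b" * 40)
    # A broad path exclusion at Group level; nothing under it is mitigated there.
    grp.path_exclusions.add("C:\\Finance\\Tools\\")
    return glob, acct, site, grp


if __name__ == "__main__":
    glob, acct, site, grp = build_demo()
    print(grp.effective_policy())                                # inherited from Site
    print(evaluate(grp, "b" * 40, "C:\\Users\\x\\tool.exe"))      # block
    print(evaluate(grp, "c" * 40, "C:\\Finance\\Tools\\x.exe"))   # suppress
    print(evaluate(site, "c" * 40, "C:\\Finance\\Tools\\x.exe"))  # detect
```

The last two calls show why the module's warning about incorrect exclusions matters: the Group-level path exclusion silences detection for everything under that folder at the Group, but does not flow upward to the Site.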
Firewall Control
Firewall Control lets you manage endpoint firewall settings from the SentinelOne Management
Console. Use Firewall Control to define which network traffic, applications, and connections are
allowed in and out of endpoints.
It is part of the Complete bundle. If you have the Core bundle, you will not see Firewall Control
in your Management Console.
Note: When you enable SentinelOne Firewall Control on Windows endpoints, rules from other
firewall solutions on the endpoint will become inactive.
When network traffic enters or leaves an endpoint, the SentinelOne Agent allows or blocks it
based on the Firewall Control policy. The Agent looks at the rules based on their order in the
Firewall Control policy, from the top to the bottom. When the Agent finds a rule that matches
the parameters of the traffic, that rule is applied. The Agent does not continue to the lower
rules in the list.
New rules are added to the top of the relevant section of the Firewall Control policy.
Device Control
Device Control rules let you allow or block specific devices, or groups of devices, that connect to
endpoints, based on device identifiers. When the Management Console sends policy information
to Agents, it includes these rules.
When an external device connects to an endpoint, the SentinelOne Agent checks to see if it is
allowed to run by the Device Control policy. The Agent looks at the rules based on their order in
the Device Control policy, from the top to the bottom. When the Agent finds a rule that
matches the device identifiers of a connected device, that rule is applied. The Agent does not
continue to the lower rules in the list.
• If the matched rule has the Block Action, the Agent prevents the device from being
used.
• If the matched rule has the Allow Action, the device can be used.
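The top-to-bottom first-match evaluation that the Firewall Control and Device Control sections describe, with new rules inserted at the top of their section, as an added Python illustration (not SentinelOne code; the rule fields, device identifiers, addresses and the fallback action used when no rule matches are constructed assumptions):

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    action: str          # "allow" or "block"
    match: dict          # field -> required value; a field not listed is a wildcard

    def matches(self, subject: dict) -> bool:
        """True when every constrained field of the rule equals the subject's value."""
        return all(subject.get(k) == v for k, v in self.match.items())


@dataclass
class RuleSection:
    """One ordered section of a Firewall Control or Device Control policy."""
    rules: list = field(default_factory=list)

    def add(self, rule: Rule) -> None:
        self.rules.insert(0, rule)       # new rules land at the top of the section

    def evaluate(self, subject: dict, default: str):
        """Walk top to bottom; the first matching rule is applied and the rest ignored.
        `default` is an assumption for the case where no rule matches."""
        for rule in self.rules:
            if rule.matches(subject):
                return rule.action, rule.name
        return default, None


def shadowed(section: RuleSection) -> list:
    """Rules that can never fire: an earlier rule constrains a subset of the fields
    the later rule constrains, with identical values, so it matches everything the
    later rule would match.  Returns (shadowed rule, rule that shadows it) pairs."""
    found = []
    for i, later in enumerate(section.rules):
        for earlier in section.rules[:i]:
            if all(later.match.get(k) == v for k, v in earlier.match.items()):
                found.append((later.name, earlier.name))
                break
    return found


def build_firewall() -> RuleSection:
    """Constructed inbound section: a broad block first, then a narrow allow added
    later, which therefore sits above it."""
    fw = RuleSection()
    fw.add(Rule("block-all-inbound", "block", {"direction": "in"}))
    fw.add(Rule("allow-rdp-from-jump-host", "allow",
                {"direction": "in", "protocol": "tcp", "port": 3389, "remote": "10.0.0.5"}))
    return fw


def build_device_control() -> RuleSection:
    """Constructed Device Control section keyed on made-up device identifiers."""
    dc = RuleSection()
    dc.add(Rule("block-usb-storage", "block", {"class": "usb_storage"}))
    dc.add(Rule("allow-corporate-keys", "allow",
                {"class": "usb_storage", "vendor_id": "0x1234", "product_id": "0xabcd"}))
    return dc


if __name__ == "__main__":
    fw = build_firewall()
    rdp = {"direction": "in", "protocol": "tcp", "port": 3389, "remote": "10.0.0.5"}
    print(fw.evaluate(rdp, "allow"))       # ('allow', 'allow-rdp-from-jump-host')
    # Adding another broad block later puts it at the top and silently shadows the allow.
    fw.add(Rule("block-all-inbound-v2", "block", {"direction": "in"}))
    print(fw.evaluate(rdp, "allow"))       # ('block', 'block-all-inbound-v2')
    print(shadowed(fw))
```

Running `shadowed()` after every rule addition is a cheap check that a newly added rule placed at the top has not made existing, narrower rules unreachable.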
Packages
SentinelOne updates your Management Console with the latest Agent packages. Download the
packages for the operating systems in your environment. You can use third-party tools to
deploy the package to all of your endpoints by platform. Or you can install Agents individually.
During installation of new Agents, you must assign Agents to a Site using the Site Token.
Based on the Scope you are in, you can see the Account, Site or Group information.
Group Ranking
Use Group Ranking to set the priority of Dynamic Groups for Agents. An Agent can belong to
only one Group. If the Agent matches multiple Dynamic Groups, it goes to the Group with the
highest rank.
If an endpoint is in a Static Group, and the filters of a Dynamic Group match it, the endpoint is
automatically moved to the Dynamic Group.
Incidents
The Threats page shows the threats and their current status. By selecting a threat, the user
moves to the Incidents Details page.
Incident Filters
The Threats table has many filters so the user can easily find the information needed.
Incidents Details
Selecting any line item in the Threats grid opens the Incident Details window, which shows
detailed information and a summary of the threat. On the Overview tab the user can review the
threat in detail and take action; the Explore tab shows the events in a graphical process tree;
and the Timeline tab shows all information about the threat so the user can understand what
happened, when, and by whom.
Applications
SentinelOne Application Risk lets you monitor applications installed on endpoints, from your
SentinelOne Management Console.
Applications not updated with the latest patches are risky because they are vulnerable to
exploits. With SentinelOne Application Risk you can see all applications that need to be
patched, on all endpoints or on a specific endpoint. You can also see which endpoints have
applications that need to be patched, and you can export application data.
Note: Application Risk is part of Complete (not available with Core). If you have the Core
bundle, you will not see Application Risk in your Management Console.
Any applications identified as having a risk will be noted. To access the application details, click
on the row containing the alerted application.
More details can be obtained from the online CVE list by clicking on the cve.mitre link below
the application details.
Activity
From the Activity view, the user can see all activities that occurred on the network. There are
filter buttons located at the top of the page to see specific activities.
Reports
Create one-time or scheduled Insight reports to see high-level and detailed information on the
state of your endpoint security. Reports include statistics, trends, and summaries with easy to
read and actionable information about your network.
You can see reports in the Management Console and automatically send them by email to the
addresses that you enter.
Settings
Configuration
• Session Timeout:
o The Session Timeout is measured in days. The range is from 1 to 30 days in
the Management Console.
o The default Session Timeout is 7 days.
o Users can open up to 30 concurrent sessions to the Management Console.
o Users with a role that is not Admin can open up to 2 concurrent sessions to
the Management Console.
• Two-Factor Authentication:
o This setting enables Two-Factor Authentication for the entire scope.
• Advanced Mode
o This setting enables Advanced Mode for the entire scope.
o These features require Advanced Mode to be enabled:
▪ Change the Protect Level in Sentinels > Policy. By default, when you set a
policy to Protect, the Agents run Kill and Quarantine automatically. In
Advanced Mode, you can change automatic mitigation to include Remediate or
Remediate and Rollback. This option only shows if Threats or Suspicious are
set to Protect.
▪ Enable or disable the Detect Interactive Threat engine in Sentinels > Policy.
▪ Change the Management URL in Settings > Configuration > Management URL.
Notifications
Notifications allow the Site Admin to set up notifications that can be emailed and/or written
to the Syslog. The content of a notification entry varies by Notification Type.
After you integrate an SMTP Server and/or a Syslog Server, you can configure which
SentinelOne activities trigger email notifications or Syslog messages.
In the view for one Account or Site, you can configure a server specifically for that scope. If a
scope does not have a specific configuration, it uses the Global Integration settings.
Users
Create Management Console users to let the security team log in to the Management Console
and manage endpoint security.
• To create users to manage all your Sites, you must have Global scope and Admin
permissions.
• To create users to manage Accounts, you must have Global Admin or Account Admin
permissions for this Account.
• To create users to manage a specific Site, you can have Global Admin, Account Admin,
or Site Admin permissions for this Site.
You can create users for Sites over which you have Admin permissions. For example, if the user
Alpha01 has Admin permissions for site X and Viewer permissions for site Y, Alpha01 can make
users for Site X but not for site Y.
• If you are the Global Admin, you can select Global, Account, or Site access for new user
accounts.
• If you are an Account Admin and you want to create a Site Admin or Site Viewer, you
must select the Account that holds the Sites. Then the Sites of that Account are in the
list.
Select each Account or Site over which the user will have permissions and then select the role:
Viewer or Admin.
Integrations
You can configure these settings for Global (applies to all Sites), for a selected Account (applies
to its Sites), or for a selected Site.
Integration with Active Directory (AD) occurs automatically. You do not configure an AD Server.
When an Agent registers to the Management and when users log in or log out, the Agent sends
AD information to the Management Console. When an Agent is part of an AD, in the Endpoint
Details, there is an ACTIVE DIRECTORY tab.
Policy Override
In Advanced Mode, you can use Policy Override in the Management Console to override a
default setting in the Agent configuration or policy. You can send a policy override to a Group,
to a Site, or to Global.
Note: Group policy overrides have priority above Site policy overrides, and Site policy overrides
have priority above Global policy overrides.
Note: Policy overrides are defined for a specific build number OR for ALL Agents. When you
upgrade or add Agents with a different build number, duplicate each policy override that is for
a specific version, or change the override to apply to all Agents.
Sites
See a full list of Sites in the environment, with SKU, total licenses and licenses in use, and Site
creation and expiration information.
Account and Global Admins can change the Site name, type, and license information.
Locations
Admins can configure customized sets of Agent Locations based on one or more endpoint
network parameters. Agents detect which location they are in and act accordingly.
Agents can be in multiple locations at the same time. The Agent location can affect which
Firewall Control rules an Agent uses, as each Firewall rule can be configured for a specific
location.
If an Agent that supports Locations does not detect that it is in a defined location, it uses the
Firewall rules assigned to the Fallback location.
Module Review
During this module, you were introduced to the SentinelOne Console. In this module you
reviewed all of the SentinelOne views and tabs:
• SentinelOne Hierarchy
• Management Console Views
• Scope
• Dashboard
• Deep Visibility
• Ranger
• Sentinels
• Endpoints
• Policy
• Blacklist
• Exclusions
• Firewall Control
• Device Control
• Packages
• Incidents (Threat Management)
• Applications
• Activity
• Reports
• Settings
• Configuration
• Notifications
• Users
• Integrations
• Policy Override
• Accounts
• Sites
• Locations
1. In which view of the Management Console can the investigator see all of the endpoints,
create exclusions and set device and firewall controls?
a. Dashboard
b. Sentinels
c. Analyze
d. Settings
________________________________________________________________________
________________________________________________________________________
3. In the Policy Settings > Policy Mode Options, which action setting will automatically
detect and mitigate a threat?
a. Mitigate
b. Kill
c. Detect
d. Protect
6. Which view presents the detailed forensic information and summary of the threat?
a. Sentinels
b. Analyze
c. Visibility
d. Application
MODULE 3
SentinelOne Administration
The Dashboard view is fully customizable and based on the logged-on user. The Dashboard is
made of widgets, to quickly see the information that is most relevant to you and your
stakeholders. When you log in to the Management Console from a different computer or
browser, your personalized Dashboard opens.
Users can choose from over 50 widgets related to Threats, Endpoints, Applications, and IoT
devices (Ranger).
You can drag and drop the widgets to move and resize them.
Click on a detail in a widget to jump to the live information in your Management Console.
Located in the upper left of the Dashboard page is a set of three function option buttons:
Adds a widget
Creating a Widget
2. Choose a category from the Categories list. Each category has specific widgets that are
appropriate for the category.
3. In Scope, select the Account, Site, or Group that the widget applies to. Information
from this scope is included in the widget chart.
4. In Widget, choose the information to show.
The options depend on the category selected.
5. Optional: In Title, you can edit the display name that shows above the widget.
6. In Time Frame, choose the range of time that is included in the widget chart.
7. In Refresh Interval, select how often the chart will refresh. Each time it refreshes, the
Management gathers the relevant information.
8. In Chart Type, select the format in which the information is shown. When you select an
option, the icon shows a model of how it looks.
9. Click Save.
Edit a Widget
You can change all attributes of a widget when you edit it.
1. Click the ellipsis (...) in a widget and the menu dialog window opens.
2. Select Edit.
3. In the Edit Widget window, change attributes of the widget.
4. Click Save.
Duplicate a Widget
2. Select Duplicate.
An identical widget opens in the Dashboard.
3. Edit the new widget:
a. Click the three dots (ellipsis) on the new widget and select Edit.
b. In the Edit Widget window, change attributes of the widget.
c. Click Save.
You can download your Dashboard as a JSON file and send it to other users to upload and use.
• For example, Account Admins can send their Site Admins a suggested Dashboard.
When necessary, the scope of the widgets changes automatically to the scope of the user that
uploads the Dashboard. For example:
• An Account admin has a Threat Status widget for a whole Account and sends that
Dashboard to a Site admin. The Site admin sees the same Threat Status widget but with
a Site scope.
• If a Dashboard includes a widget for a specific Group, it will not change automatically to
a broader scope when a Site admin uploads it.
Policy Settings
A policy is a set of mitigation settings and configuration settings that define the behavior of
SentinelOne Agents on endpoints. A policy can be set for any Scope.
Policy Inheritance
• By default, Accounts inherit their policy from the Global policy. Global Admins can make
changes to the Global policy. Admins can make changes to the policy for entities in their
scope.
• Each Account, Site, and Group can have their own policy, or they can inherit the policy
from scopes above them.
• Sites inherit the policy defined for their Account. If the policy is not changed for the
Account, Sites inherit the Global policy.
• Groups inherit the policy defined for their Site. If the policy is not changed for the Site,
Groups inherit the Account or Global policy.
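The inheritance chain above, combined with the Policy Override precedence from Settings > Policy Override (Group above Site above Global, each override for one build number or for ALL Agents), as an added example that is not SentinelOne code. Setting names, values and build identifiers are constructed placeholders.

```python
# Added example (not SentinelOne code): resolves the policy an Agent ends up
# with, following the inheritance rules (Global -> Account -> Site -> Group) and
# the Policy Override precedence (Group over Site over Global, each override for
# one build number or ALL). Settings, values and builds are constructed.
from __future__ import annotations
from typing import Optional

SCOPE_CHAIN = ["Global", "Account", "Site", "Group"]
OVERRIDE_PRECEDENCE = {"Global": 0, "Site": 1, "Group": 2}   # higher number wins


def inherited_policy(policies: dict[str, Optional[dict]]) -> dict:
    """policies maps each scope to its own policy, or None if it inherits from the
    scope above. The nearest scope with its own policy wins; Global is always set."""
    effective = policies["Global"]
    for scope in SCOPE_CHAIN[1:]:
        own = policies.get(scope)
        if own is not None:
            effective = own
    return effective


def effective_policy(policies: dict[str, Optional[dict]], overrides: list[dict],
                     agent_build: str) -> dict:
    """Start from the inherited policy, then apply the overrides that target this
    Agent's build (or ALL), lowest-precedence scope first so Group overrides land last."""
    result = dict(inherited_policy(policies))          # copy; inputs are not mutated
    applicable = [o for o in overrides if o["build"] in ("ALL", agent_build)]
    for override in sorted(applicable, key=lambda o: OVERRIDE_PRECEDENCE[o["scope"]]):
        result[override["setting"]] = override["value"]
    return result


def stale_overrides(overrides: list[dict], deployed_builds: set[str]) -> list[dict]:
    """Upgrade check: build-specific overrides that match no deployed build silently
    stop applying; the page says to duplicate them or change them to ALL."""
    return [o for o in overrides
            if o["build"] != "ALL" and o["build"] not in deployed_builds]


# Constructed sample data
POLICIES = {
    "Global": {"threats": "Protect", "suspicious": "Detect", "on_write": True},
    "Account": None,                       # inherits Global
    "Site": {"threats": "Protect", "suspicious": "Protect", "on_write": True},
    "Group": None,                         # inherits Site
}
OVERRIDES = [
    {"scope": "Global", "build": "ALL", "setting": "on_write", "value": False},
    {"scope": "Site", "build": "BUILD-A", "setting": "on_write", "value": True},
    {"scope": "Group", "build": "ALL", "setting": "suspicious", "value": "Detect"},
]

if __name__ == "__main__":
    print(effective_policy(POLICIES, OVERRIDES, "BUILD-A"))   # on_write stays True
    print(effective_policy(POLICIES, OVERRIDES, "BUILD-B"))   # Site override no longer applies
    print(stale_overrides(OVERRIDES, {"BUILD-B"}))            # the BUILD-A override
```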
Policy Settings
The mitigation settings in the Policy mode options define the Agent behavior for:
• Threats - Detections that the SentinelOne policy engines classify as malicious with high
confidence.
• Suspicious - Detections that the SentinelOne policy engines flag as possibly malicious but
that require more analysis.
Important: By default, when you set a policy to Protect, the Agents run Kill and Quarantine
automatically. In Advanced Mode, you can change automatic mitigation to include Remediate
or Remediate and Rollback. This option only shows if Threats or Suspicious are set to Protect.
It is recommended that you use all of SentinelOne Policy Engines to maximize security. If necessary, you
can disable the On Write or On Execute modes to use only part of the SentinelOne functionality.
Disabling On Write
Behavior:
• If you disable On Write, no action occurs when a file is copied to disk.
• No file reputation check when a file is written to the disk (the file reputation check is
active on file execution).
• Deep File Inspection Static AI is disabled.
• Full Disk Scan is supported. The required service is active only during the scan.
Disabling On Execute
Use Cases:
• For systems where saving resources is critical and the attack surface is controlled,
for example, when there is limited internet access.
• For endpoints with limited disk space or memory requirements, like thin agents, or
ATMs.
Behavior:
If you disable On Execute, the Behavioral AI engines do not monitor On Execute
behavior. The engines can be completely disabled (do not consume resources), or
suppressed (monitor without alerts and consume some resources).
To completely disable Behavioral AI engines - You must disable On Execute mode from
the policy before it is ever enabled (immediately after installation, before reboot).
If the On Execute mode was already on - If you disable On Execute mode in the policy
after the first reboot, the Behavioral AI engines are active but suppressed. The Agents
do not act on Behavioral AI detections or generate alerts, but the activity consumes
some resources.
Note: If you enable the On Execute engines at any time, all endpoints will be prompted
to reboot and show Pending Action status until they reboot.
Disable On Execute in a Site's policy. When Agents connect to the Site for the first time
with the Site Token, they will get this policy. You can then move the endpoints that
need On Execute disabled to their own dynamic group and enable On Execute in the
Site's policy.
Disable On Execute mode in a dynamic group that you prepare in advance of the Agent
installation. When Agents connect to the Site that contains this group, they will get this
policy.
Policy Engines
Policy Engines by OS
Policy – Containment
Policy – Advanced
Important: If you set the Auto Decommission number of days to be too small, the number of
endpoints with Agents and the number of endpoints you see on the Management Console can
be significantly different and confusing. If you deploy virtual machines, set the number of days
to fit your environment and policy for persistency.
The Deep Visibility settings can be different in the Global policy and in Site policies. In
the policy settings, you can refine the data sent for Threat Hunting.
In order to utilize Deep Visibility, you must enable Deep Visibility. If this is not selected, Deep
Visibility queries will have no results. Users can select the data to be sent for Threat Hunting.
File
  Collected: Supported file types that were changed by an event (*see Supported File Types below)
  Details: Hash (MD5, SHA1, SHA256), full path, name of the process that created or changed the file
URL
  Collected: Sites visited in Safari, Chrome, and Microsoft browsers (macOS only)
  Details: URLs and URIs (string, source (winner or Chrome), HTTP method, processes and creator
  processes, and (MS only) request and response). From wget, curl, and similar commands: DNS,
  IP addresses, and URLs
DNS
  Collected: Every connection, including connections to localhost
  Details: Query name, query result, processes, and creator processes
IP
  Collected: Outgoing network connections
  Details: TCPv4 connection attempts (source IP address and port, destination IP address and
  port, protocol, processes and creator processes)
Login
  Collected: macOS end user login and logout
  Details: Username and login and logout time
Registry Keys
  Collected: Registry Key events on Windows endpoints
  Details: Registry Key ID and name, logged in user, time of event, process that caused the event
Scheduled Tasks
  Collected: Scheduled Task events on Windows endpoints
  Details: Task name, event type, logged in user, time of event, process that caused the event
Behavioral Indicators
  Collected: Indicators found by the Agent
  Details: Indicator Category, Indicator Description, Indicator Metadata, and Indicator Name
DLL Module Load
  Collected: DLL Modules loaded to an endpoint (macOS: Mach-O; Linux: ELF)
  Details: Module Hash, Module path, all endpoint info and process information
  Note: This is only visible if enabled by Support because it can impact performance.
Remote Shell is a powerful way to respond remotely to events on endpoints. It lets you open
full shell capabilities - PowerShell on Windows and Bash on macOS - directly and securely from
the Management Console.
The shell process runs with local administrator user permissions. If different permissions are
necessary, you can authenticate with domain user credentials inside the Remote Shell session.
Agents apply all detection and protection logic on the Remote Shell activity.
Site Requirements:
• Remote Shell requires the Complete SKU.
• When Remote Shell is enabled, Remote Shell shows in the Management Console.
• From the Remote Shell option in the policy, enable or disable the feature.
Endpoint Requirements:
• The endpoint must have an OS and SentinelOne Agent version that support Remote
Shell.
• The Agent must be online and connected to the Management to open a Remote
Shell session.
• If the endpoint is in Network Quarantine (disconnected from network), some
commands will not work because the endpoint cannot access the network. If
necessary, reconnect the endpoint to the network.
• A session can be open or minimized on the endpoint.
o Only the user who runs the Remote Shell session can see the open or
minimized session. If a different admin tries to open a session for the same
endpoint, a message shows that a session is already open.
Note: On each OS, the Agent runs Remote Shell in a slightly different way.
• Windows: The Agent creates a temporary user, named SentinelRSHUser, in the
local Administrators group when Remote Shell is initiated. This user is deleted when
the session ends.
• macOS: The Agent creates a temporary user, named _sentinelshell, which is added
to sudoers when Remote Shell is initiated. This user is deleted when the session ends.
• Linux: The Agent uses the endpoint root user to run Remote Shell. No special
settings are required.
Changing a Policy
When you change a policy, the changes are automatically pushed to the Sites and Groups that
use the policy.
You can set the policy for a Site or Group when you create it, and you can change the policy
after creation.
3. If the scope inherits its policy and you want it to have its own policy instead, click
Change Policy.
a. If the scope uses its own policy, it is open for changes. When you make a change,
the Save button shows.
Configuration
Inactivity Timeout (minutes)
  Set the number of minutes before a user is logged out of an idle Console. Enter a value
  between 5 and 600.
Session Timeout (days)
  Set the number of days a user can bypass login when they open the Console.
Two-Factor Authentication
  Force all users to log in with 2FA for increased security. Use Google Authenticator, Duo
  or similar.
Advanced Mode
  Specific features require Advanced Mode to be enabled:
  • Change automatic mitigation actions to include Remediate or Remediate and Rollback.
  • Enable or disable the Detect Interactive Threat engine.
  • Change the Management URL.
Management URL
  The Management URL field is only available in the Global Scope.
Advanced Mode
By default, when you set a policy to Protect, the Agents run Kill and Quarantine
automatically. In Advanced Mode, you can change automatic mitigation to include
Remediate or Remediate and Rollback. This option only shows if Threat or Suspicious
are set to Protect.
• Enable or disable the Detect Interactive Threat engine in Sentinels > Policy.
This engine is part of the Behavioral AI and focuses on insider threats (for example, an
authenticated user runs malicious actions from a CMD or PowerShell command line).
This engine detects malicious commands in interactive sessions.
Detect Interactive Threat is disabled by default. To protect your endpoints from
malicious commands that are entered in a CLI, enable this engine. But, if you enable this
engine for endpoints of active end users of CLIs, you may expect a number of false
positives. (Windows only)
• Change the Management URL in Settings > Configuration > Management URL.
See and edit the URL of the Management Console. This is necessary for notifications and
SSO. It must be the real URL of your management instance.
Managing Sites
SentinelOne lets you segment your organization in independent Sites. When you install an
Agent, it is configured for a specific Site. Each Site must have enough licenses for the Agents in
it.
There are two ways to create a Site: in the Scope view, or from Settings > Sites.
During Site creation you enter a name and license information and set the policy that the Site
uses.
To create a Site:
1. From the Scope pane, select an Account and click .
or
Go to Settings > Sites, click New Site.
2. Enter a Site Name.
3. Click Next.
4. In Site Type:
5. In Site Policy, the new Site automatically inherits the Account or Global policy and its
settings.
Optional: Click Change Policy to make changes to the policy settings for the site.
Deleting a Site
A Site Admin can delete a Site from the Settings > Sites page.
Managing Groups
You can organize Agents of a Site in Groups to manage them easily and consistently. A Group
has one policy and shared exclusions. For example, you can create a Group of all endpoints of
one operating system version in order to update all the Agents in one command.
• Static Groups are based on manual selection. If an endpoint is in a Static Group, and the
filters of a Dynamic Group match it, the endpoint is automatically moved to the
Dynamic Group.
• Dynamic Groups are based on filters. Endpoints that match the criteria of the filters are
automatically added to the Group. If an Agent fits in more than one Dynamic Group, the
conflict is resolved by Group Ranking.
Best Practice: To create a Dynamic Group, first create and save a filter set.
To create a Group:
1. Go to Scope and select the Site, then click the .
or
Go to Sentinels > Endpoints.
a. Click Group > New Group.
3. In Group Name, enter a descriptive name for the group. The name must be unique in
the Site. Click Next.
5. If you select Dynamic Group, select the filter set. Click Next.
10. On the Add New Group Summary page, you have the option to add:
a. Devices
b. Exclusions
11. Click Done when complete.
Editing a Group
You can edit a Group from the Group Info page to change the name of the Group, view the
Agent List, change the Group’s Policy, review Exclusions or copy the Group Token.
To edit a Group:
1. Go to Scope and select a Group.
2. Go to Sentinels > Group Info.
5. To change the policy of the group: click Change under Group Policy.
6. To modify the exclusions of the Group: click View List under Exclusions.
Deleting a Group
You can delete Groups if you do not need them. If you delete a Dynamic Group, its Agents move
to the next Dynamic Group in the ranks. If the Agents do not fit a different Dynamic Group
filter, or if you delete a Static Group, the Agents move to the Default Group.
To delete a Group:
1. Go to Scope and select the Site.
2. Go to Sentinels > Endpoints.
3. Click Group > Delete Group.
5. Click Delete.
Use Group Ranking to set the priority of Dynamic Groups for Agents. An Agent can belong to
only one Group. If the Agent matches multiple Dynamic Groups, it goes to the Group with the
highest rank.
If an endpoint is in a Static Group, and the filters of a Dynamic Group match it, the endpoint is
automatically moved to the Dynamic Group.
Note: You can also edit the Group Policy and change the Group Info from here.
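The Group Ranking rules above and the "Deleting a Group" behaviour, as an added example that is not SentinelOne code: an Agent belongs to exactly one Group, the highest-ranked matching Dynamic Group wins over a Static Group assignment, and deleting a Group re-runs the same assignment. It assumes rank 1 is the highest rank and that filters are exact attribute matches; Group names, filters and Agent attributes are constructed.

```python
# Added example (not SentinelOne code): a model of how Group Ranking and Group
# deletion decide which single Group an Agent belongs to. Assumes rank 1 is the
# highest rank; Group names, filters and Agent attributes are constructed.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    dynamic: bool
    rank: int = 0                                 # Dynamic Groups only; 1 = highest rank
    filters: dict = field(default_factory=dict)   # attribute -> required value


def assign_group(agent: dict, groups: list[Group], static_membership: dict[str, str]) -> str:
    """The highest-ranked matching Dynamic Group wins, even over a manual Static Group
    selection. With no Dynamic match the Agent stays in its Static Group (if that Group
    still exists); otherwise it lands in the Default Group."""
    matching = [g for g in groups
                if g.dynamic and all(agent.get(k) == v for k, v in g.filters.items())]
    if matching:
        return min(matching, key=lambda g: g.rank).name
    static = static_membership.get(agent["id"])
    if static and any(g.name == static and not g.dynamic for g in groups):
        return static
    return "Default"


def assign_all(agents: list[dict], groups: list[Group], static_membership: dict[str, str]) -> dict:
    return {agent["id"]: assign_group(agent, groups, static_membership) for agent in agents}


def delete_group(name: str, groups: list[Group], agents: list[dict],
                 static_membership: dict[str, str]) -> tuple[list[Group], dict]:
    """Remove a Group and re-run assignment: Agents of a deleted Dynamic Group move to
    the next Dynamic Group in the ranks; if none fits, or if a Static Group was deleted,
    they move to the Default Group."""
    remaining = [g for g in groups if g.name != name]
    return remaining, assign_all(agents, remaining, static_membership)


# Constructed sample data
GROUPS = [
    Group("Servers", dynamic=True, rank=1, filters={"role": "server"}),
    Group("Win10", dynamic=True, rank=2, filters={"os": "Windows 10"}),
    Group("Finance", dynamic=False),
]
AGENTS = [
    {"id": "A", "os": "Windows 10", "role": "server"},
    {"id": "B", "os": "Windows 10", "role": "workstation"},
    {"id": "C", "os": "macOS", "role": "workstation"},
    {"id": "D", "os": "Linux", "role": "workstation"},
]
STATIC_MEMBERSHIP = {"B": "Finance", "C": "Finance"}   # manual Static Group selections

if __name__ == "__main__":
    print(assign_all(AGENTS, GROUPS, STATIC_MEMBERSHIP))
    # {'A': 'Servers', 'B': 'Win10', 'C': 'Finance', 'D': 'Default'}
    _, after = delete_group("Servers", GROUPS, AGENTS, STATIC_MEMBERSHIP)
    print(after["A"])                                  # Win10, the next Dynamic Group in rank
```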
User Management
Creating Management Console users lets your security team log in to the Management
Console and manage endpoint security.
• To create users to manage all your Sites, you must have Global scope and Admin
permissions.
• To create users to manage Accounts, you must have Global Admin or Account Admin
permissions for this Account.
• To create users to manage a specific Site, you can have Global Admin, Account Admin,
or Site Admin permissions for this Site.
• You can create users for Sites over which you have Admin permissions. For example, if
the user Alpha01 has Admin permissions for site X and Viewer permissions for site Y,
Alpha01 can make users for Site X but not for site Y.
User Roles
When you create a Management Console user you must select a role. Different roles grant
users different permissions to see specific windows, select specific actions, and use specific
features.
- Users with all access levels (Global, Account, and Site) can do this action.
- Only users with the Global or Account access level can do this action.
Threat Actions
- Users with all access levels (Global, Account, and Site) can do this action.
1. Select a Scope.
a. If you are a Site or Account Admin, you must select one Site to open Settings.
b. If your Admin scope is for multiple Sites, you can manage users for all your Sites,
not only for the one you selected in Scope.
2. Go to Settings > Users.
3. Select Users.
4. Click New User.
Note: If the window shows only Full Name and Email, Onboarding is enabled for your
deployment. When the new user is created, the Console sends an email to the new user.
Onboarding is enabled by default on cloud-based management deployments.
You can update the User Details, and Role and Scope of a user. For example, you can give new
employees viewer permissions at first. When they are ready to join the Security Team and
manage the security of your environment, you can give them SOC permissions.
You must be an Account Admin to edit the user details for a Site Admin. Global Admins can edit
user details for Account Admins.
Note: Account admins can change the scope of other Account admins to demote them to Site
admins.
Note: Site Admins cannot enable Remote Shell for themselves or other users. Site Admins can
enable 2FA for themselves.
6. In the window that opens, change the user's Full Name, Email Address, whether this
user requires Two-Factor Authentication (2FA), and whether this user can use Remote
Shell.
Note: If Remote Shell is not enabled for your Management, you cannot enable it for
users.
You must be an Account Admin to change the password for a Site Admin. Global Admins can
change the password for Account Admins.
Password requirements:
• 10 to 25 characters
• Contain 3 or more of these character types: upper-case letters, lower-case letters,
numbers, and special characters.
• No whitespace
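A validator for the password requirements listed above, as an added example that is not SentinelOne code, usable to pre-check passwords in provisioning scripts before they are submitted to the Console. "Special characters" is not defined on the page; the example treats ASCII punctuation as special (assumption).

```python
# Added example (not SentinelOne code): checks a candidate password against the
# requirements listed above (10-25 characters, at least 3 of 4 character types,
# no whitespace). Treating ASCII punctuation as "special" is an assumption.
from __future__ import annotations
import string

MIN_LEN, MAX_LEN, MIN_CLASSES = 10, 25, 3


def character_classes(password: str) -> set[str]:
    """Which of the four required character types the password contains."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("number")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def password_issues(password: str) -> list[str]:
    """Return every requirement the password violates; an empty list means acceptable."""
    issues = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        issues.append(f"length {len(password)} is outside {MIN_LEN}-{MAX_LEN} characters")
    if any(ch.isspace() for ch in password):
        issues.append("contains whitespace")
    found = character_classes(password)
    if len(found) < MIN_CLASSES:
        issues.append(f"only {len(found)} of 4 character types present, need {MIN_CLASSES}")
    return issues


def is_acceptable(password: str) -> bool:
    return not password_issues(password)


if __name__ == "__main__":
    for candidate in ("Correct-Horse42", "short1A!", "alllowercase1234"):
        print(candidate, password_issues(candidate) or "ok")
```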
6. In the window that opens, enter the New Password, and then again in Confirm
Password.
7. Click Save.
Managing Agents
SentinelOne updates your Management Console with the latest Agent packages. Download
the packages for the operating systems in your environment. You can use third-party tools
to deploy the package to all of your endpoints by platform. Or you can install Agents
individually.
If you have an On-Prem Management, contact your partner or vendor for the Agent
packages that you need.
Note: Ensure the endpoint meets the System Requirements, including dependencies,
patches, and configuration changes for specific operating systems. If the system
requirements are not met, the installation will not complete.
Best Practice: Uninstall third-party anti-virus software before you install SentinelOne. Other
security software often prevents Agent installation or affects its performance. Install the
Agent as quickly as possible after you uninstall the other security.
During installation of new Agents, you must assign Agents to a Site using the Site Token or a
Group using the Group Token.
1. Select the site you want to install the endpoint into from Scope.
2. Download the latest Windows Installer package from Sentinels > Packages.
a. Make sure the scope of the package includes the Site that the Agent will go to.
Best Practice: Download the file to the local endpoint.
3. Copy the Site Token from the top of the Packages page.
Note: To install the endpoint directly into a Static Group, select the group and go to
Sentinels > Group Info and copy the Group Token from there.
4. To install with the interactive GUI wizard directly on the endpoint:
a. Run the installation package and enter the Site or Group Token when prompted
in the installation wizard.
5. Complete the installation:
a. The On Write mode, with Deep File Inspection and Reputation, is active
immediately.
b. The Dynamic Engines (Behavioral AI) mode becomes active after you or the end
user restart the endpoint. In the Management Console, the endpoint status
is Pending Reboot until it restarts.
Run the installer in Windows CLI with switches for the token and quiet installation.
Important for all endpoints: It is recommended that you enhance endpoint security with
protection against physical theft and hacking (such as unauthorized disk mount modification).
Enable full disk encryption, apply OS patches, and maintain measures according to your vendor
recommendations and corporate policies.
Make sure you have all the requirements before you start the installation.
Important for all endpoints: We recommend that you enhance endpoint security with
protection against physical theft and hacking (such as unauthorized disk mount modification).
Enable full disk encryption, apply OS patches, and maintain measures according to your vendor
recommendations and corporate policies.
macOS 10.13 High Sierra and later releases enforce secure installation: they limit installation
to applications that are approved by Apple. To make sure your computer is protected and
compliant with company policy, run these steps to complete installation of the Agent.
If you see a message that says "Please approve SentinelOne software in System Preferences",
skip to Step 3.
5. At System software from developer "Sentinel Labs Inc." was blocked from loading,
click Allow.
6. Click Close.
Troubleshooting - If you forgot to copy the Site or Group Token to the endpoint:
After Agent installation, get the Token from the Management Console and run:
sudo sentinelctl set registration-token <path-to-token>
OR
sudo sentinelctl set registration-token -- <token> --passphrase <passphrase>
Make sure you have all the requirements before you start the installation.
• Debian 9: https://support.sentinelone.com/hc/en-us/articles/360005287854
• Fedora: https://support.sentinelone.com/hc/en-us/articles/360005411233-Installing-Linux-Agent-on-Fedora
• Oracle: https://support.sentinelone.com/hc/en-us/articles/360007507034
For virtual environments where cloning is possible or required, see Duplicate UUID in Linux to
prevent or resolve issues of duplicate Linux Agent IDs on the SentinelOne Support page at
https://support.sentinelone.com/hc/en-us/articles/360006224434
For example, passing the Site Token with the -s switch:
./SentinelAgent-2.6.1.1390-Linux.bsx -s "eyJ1cmwiOiAiaHR0cHM6Ly9jZW50cmFscGFyay5zZW"
For example, also passing a proxy address with the -p switch:
./SentinelAgent-2.6.1.1390-Linux.bsx -s "eyJ1cmwiOiAiaHR0cHM6Ly9jZW50cmFscGFyay5zZW" -p "192.0.2.5:80"
Important for all endpoints: To enhance endpoint security you should enable full disk
encryption, apply OS patches, and maintain measures according to your vendor
recommendations and corporate policies.
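The Site Token passed with -s above is base64-encoded JSON whose first field is the console url, and pushing a token that was copied from the wrong tenant registers every endpoint into someone else's console. The Python below is an added example, not SentinelOne's code: it decodes a token and checks the embedded URL is your own HTTPS console before deployment, assuming only the base64-JSON-with-url layout visible in the truncated example token; the sample token and hostname are constructed.

```python
"""Decode a Site Token and verify its console URL before mass deployment.

Added example, not SentinelOne's own code. The token layout (base64 of a JSON
object with a "url" field) is inferred from the truncated example token in the
Linux install instructions; real tokens may carry additional fields.
"""
import base64
import binascii
import json
from urllib.parse import urlparse


def encode_site_token(fields: dict) -> str:
    """Build a token in the same layout (used here only to construct samples)."""
    return base64.b64encode(json.dumps(fields).encode("utf-8")).decode("ascii")


# Constructed sample token; the hostname is a placeholder, not a real console.
SAMPLE_TOKEN = encode_site_token({"url": "https://mgmt-console.example.com"})


def decode_site_token(token: str) -> dict:
    """Return the JSON object embedded in a Site Token.

    Tokens are often pasted without base64 padding, so padding is restored
    before decoding. Raises ValueError on any malformed or truncated input.
    """
    token = token.strip()
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        data = json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"not a valid Site Token: {exc}") from exc
    if not isinstance(data, dict) or "url" not in data:
        raise ValueError("token JSON has no 'url' field")
    return data


def console_host(token: str) -> str:
    """Hostname of the Management Console that the token registers the Agent to."""
    return urlparse(decode_site_token(token)["url"]).hostname or ""


def token_targets_console(token: str, expected_host: str) -> bool:
    """True only if the token points at the console you manage, over HTTPS.

    A malformed token returns False rather than raising, so the check can gate
    a deployment script without extra error handling.
    """
    try:
        url = urlparse(decode_site_token(token)["url"])
    except ValueError:
        return False
    return url.scheme == "https" and url.hostname == expected_host.lower()


if __name__ == "__main__":
    print(console_host(SAMPLE_TOKEN))
    print(token_targets_console(SAMPLE_TOKEN, "mgmt-console.example.com"))
```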
For a cloud-based Management, SentinelOne updates your Management Console with the
latest Agent versions.
For On-Prem environments, or if you need a package that is not in your Management
Console, you can request files from SentinelOne Support.
Upload the packages to the Management Console and then deploy the files to Agents.
IMPORTANT: If you install an Agent with the CLI, and then you upgrade from the
Management Console, the upgrade configuration is according to the policy to which the
Agent belongs. If the installer switches were different, they are overwritten with the policy
switches.
For a cloud-based Management, SentinelOne updates your Management Console with the
latest Agent versions.
For On-Prem environments, or if you need a package that is not in your Management Console,
you can request files from SentinelOne Support.
• Best Practice: Upgrade your SentinelOne Agents by group or filter results to the latest
Agent version for each OS.
• Priority of policy against local configuration: When you upgrade an Agent with these
steps, it gets the configuration of its policy. If you installed the Agent with CLI and
switches, the installation configuration is overwritten by the policy configuration.
• File maintenance: When you upgrade an Agent, the directories and files of the previous
version (\Program Files\Sentinel One\Sentinel One Agent\version) are maintained until
the next reboot.
Note: Windows Agents use Background Intelligent Transfer Service (BITS) to run upgrades when
the endpoint is idle, and stop upgrades when the endpoint needs network bandwidth for other
activities. Therefore, it can take a significant amount of time for the upgrade to complete.
Pending Action
Agents may require an action to become fully functional. You will receive a message showing a
pending action or request in the Sentinels view of the Management Console in the Endpoint
Details window.
To review what request is pending, you can click on the endpoint name to display the Endpoint
Details window.
4. Pending actions is one of the default filter categories. Click one or more options to show
endpoints with those issues.
5. Optional: Click Save Filter to save the Filter Set or use it to create a Group.
From a Group or filter set, you can run actions on multiple endpoints, such as Reboot or
Shutdown. You can easily track the status of the endpoints to make sure that the
necessary actions are done.
Reboot
• Explanation - A reboot is required to make the Agent fully functional. For example,
some policy override configuration changes can require a reboot.
• When a Windows Agent installs, some policy engines are active immediately and the On
Execute engines (Behavioral AI) become active after a reboot.
• Action required - Reboot the endpoint manually or:
o From the Management Console, select one endpoint, or all endpoints in a group
or filter set.
o Click Actions > Reboot.
Missing Permissions
• Explanation - The user permissions on the endpoint computer do not allow SentinelOne
Agent installation. For example, if you install an Agent on macOS 10.13 High Sierra and
higher, users must approve the kernel extension.
• Action required - For macOS 10.13 High Sierra and higher, see macOS and SentinelOne
Agent on the support page at https://support.sentinelone.com/hc/en-us/articles/115005142105.
For other operating systems, contact Technical Support.
Agent Suppressed
• Explanation - The Agent is running but not providing protection. This can happen if
kernel extension permission or any other vital resource is missing.
• Action required - See the Agent Requirements in the System Requirements in Module 1
for supported operating systems. Upgrade the Agent or the endpoint OS. Contact
SentinelOne Support if you cannot find the source of the problem.
Managing Endpoints
Endpoints Filter
From the Sentinels > Endpoints page, you can search and filter to find endpoints that match
specific criteria. You can:
• Include multiple strings and types in the same search.
• Use the results to run actions on matching Agents.
• Create a Dynamic group based on the filters (when one Site is selected).
• Save filters as a Filter Set.
You can search for the preset parameters by selecting the filter from the Free text search
pulldown and then typing in your search.
• UUID
• AD Any String
• AD User DN
• AD User Groups
• AD User Or Their Groups
• AD Machine DN
• AD Machine Groups
• AD Machine Or Its Groups
• All
Examples of filters:
• A filter for infected endpoints, to isolate them and mitigate issues.
• A filter for Agents that have pending actions.
• A filter for endpoints of an operating system, to track compliance and OS upgrades.
The filtering categories and options show. The number next to an option is the number
of matched endpoints.
Actions Selections
Users have the ability to select an endpoint and perform specific operations. There are two
ways to access the actions on an endpoint.
• The first is from Sentinels > Endpoints: select an endpoint and click Actions.
• The second is to click an endpoint to display the Endpoint Details window and click
Actions.
Option - Description
Fetch Logs - Download logs of Agent operations, to send to Support. For Windows, you can
also get endpoint logs.
Initiate Scan - Run a Full Disk Scan.
Abort Scan - Stop a Full Disk Scan.
Disconnect from Network - (Also known as Network Quarantine or Network Isolation) The
Agent can communicate only with the Management Console. The endpoint cannot communicate
with other components on the network.
Reconnect to Network - Undo the Disconnect from Network action.
Update Agent - Update the Agent.
Send Message - Send a message to the endpoints.
Shut Down - Shut down the endpoint from the Console.
Decommission - Remove the endpoint from the Console.
Reboot - Reboot the endpoint.
Reload (Windows) - Reload modules: Static, Log, Agent, Monitor.
Uninstall - Uninstall the Agent.
• Endpoint name
• OS version
• When the endpoint was last active
• Disk encryption present
• Health Status
• UUID
• Last logged on user
• Console connectivity (Online or Offline)
• Agent version
• Network status
• Scan status
• Domain
• Memory
• Subscribed on
• CPU
• Console visibility IP
• Core count
• IP Address
• Location
• Network Adapters
• Type
• IP
• MAC Address
You can then select the appropriate action by selecting the Actions pulldown.
Agents are assigned to a Site when they are first installed with a Site Token.
Account and Global Admins can move Agents from one Site to a different Site. Agents go to the
Default Group in the new Site.
4. In the list of Sites that opens, select the new Site for the Agents.
5. Click Move Agents.
6. Select Action Approved and click Move Agents.
You can add Agents to a Static Group and remove Agents from a Static Group. You can move an
Agent from one Static Group to a different Static Group.
If you remove an Agent from a Static Group and do not put it in a different Group, it
automatically moves to the Default Group.
From the Management Console, you can select one or more endpoints for the action, or you
can select all of a Group or filter set. You cannot select all endpoints shown if they are not in a
Group or filter set.
4. In the confirmation window that opens, select Action approved and then click Uninstall.
5. To make sure that all remnants of the Agent are removed, reboot the endpoints after
Agent uninstallation.
If a user tries to uninstall the SentinelOne Agent from an endpoint, an uninstall request is sent
to the Management Console. The request must be approved in the Console. After you approve
a request, users see a message that the request was approved. They can restart to complete
the Agent uninstallation.
4. When the user clicks Uninstall, a request is sent to the Management Console. The user
will receive the following message:
5. The Management Console will receive a Pending uninstall action request in the Network
view:
If the Agent was offline, the user must enter the Verification Key (passphrase) in the Uninstall
window.
• In the Endpoint Details window of the endpoint, click Actions > Show Passphrase.
• Copy the output and give it to the user.
Decommission an Agent
If a user is scheduled for time off, or a device is scheduled for maintenance, you can
decommission the Agent. This removes the Agent from the Management Console. When the
Agent communicates with the Management again, the Management recommissions it and
returns it to the Management Console.
From the Management Console, you can select one or more endpoints for the action, or you
can select all of a Group or filter set. You cannot select all endpoints shown if they are not in a
Group or filter set.
To decommission an Agent:
1. Go to Scope and select a scope.
2. Go to Sentinels > Endpoints.
a. Select the endpoint or endpoints that are offline.
3. Click Actions > Decommission.
4. In the confirmation window that opens, select Action approved. Click Decommission.
Specifications
• You must be a Global Admin of the Agent's old Site and a Site Admin for the new Site.
• When you run the operation, you enter the Site Token for the new Site.
• An Agent will try to connect to the new Management Console for 3 minutes. If the
Agent cannot connect, it stays in the original Management Console.
• Local configuration files are kept with the Agent. New management assets take effect
after the next keep-alive communication with the new Management Console.
• Resolve all threats on Agents before you migrate them.
• The management will NOT migrate these endpoints:
o Endpoints that do not meet the requirements to support migration (unsupported
version of OS).
o Endpoints with unresolved threats.
To migrate an Agent:
1. In a Management Console with Advanced mode enabled, go to Sentinels > Endpoints.
2. Select endpoints.
a. From the Management Console, you can select one or more endpoints for the
action, or you can select all of a Group or filter set. You cannot select all
endpoints shown if they are not in a Group or filter set.
b. If you select an endpoint that cannot be migrated, the endpoint is skipped, but
the operation still runs on supported endpoints.
3. Click Action and select Migrate Agent.
4. A window opens with instructions. Copy the Site token for the target Site from the
Sentinels > Packages page and paste it in the window.
5. You must be in the Site scope to see the Site Token.
6. Click Move.
7. Select Approve and click OK.
• Expand Columns to select the Console Migration Status column, or to make sure it is
selected.
Best practice: If the endpoint is a user computer, let the user know you will remotely run
commands on the computer.
o In the window that opens, enter your message and then click Broadcast.
o Note: You are limited to 140 characters.
• In the confirmation window, click Broadcast again.
Configure integration with your SMTP server, to let the Management send alerts to security
personnel and stakeholders.
In the view for one Account or Site, you can configure a server specifically for that scope. If a
scope does not have a specific configuration, it uses the Global Integration settings. After you
complete the SMTP integration, configure notifications.
4. For Accounts and Sites: By default, the Global settings are inherited. Click Change to edit
them.
If the Account or Site has different settings from the Global settings, you can click
Revert to default inherited SMTP to use the Global settings.
Field - Description
Host - Hostname and listening port of the SMTP server (valid for the selected Encryption).
No-reply email - Optional. Enter a no-reply email address to be the sender of Management
Console notifications.
Username / Password - Enter the username and password of the system administrator with
authorization to access the SMTP server.
After you integrate an SMTP Server, configure which SentinelOne activities trigger email
notifications, and who gets the notifications.
In the view for one Account or Site, you can configure a server specifically for that scope. If a
scope does not have a specific configuration, it uses the Global Integration settings.
You can integrate your Syslog server to collect SentinelOne logs. Before you begin, ask the
system administrator who configured or maintains the Syslog server if authentication
certificates are used. If so, you need access to those certificates. Then configure your Syslog
server integration with SentinelOne, with the steps here. When these steps are done, you can
select events to be logged.
In the view for one Account or Site, you can configure a server specifically for that scope. If a
scope does not have a specific configuration, it uses the Global Integration settings.
4. Click SYSLOG.
8. In Certificate, you can upload server and client certificates to verify client/server
authorization between the SentinelOne Management (client) and the syslog server
(server). These options only show if Use SSL secure connection is selected. Certificates
protected by a passphrase are not supported. Make sure you know how the Syslog server is
configured, and that you have the correct certificates from that configuration.
• Server certificate - Select and upload a certificate to verify the syslog server identity.
• Client certificate - Select and upload a certificate to verify the SentinelOne
Management as a client of the syslog server. Use a certificate file with a client key. A
Client certificate is necessary if the server requires client authentication.
• Client key - Select and upload the client key of a client/server key pair. A Client key is
necessary, along with a Client certificate, if the server requires client authentication.
9. In Formatting, select the format for the logs: CEF, CEF2, STIX, IOC, RFC-5424. For syslog
format, select RFC-5424.
10. Click TEST.
11. If the test passed, click SAVE.
In the view for one Account or Site, you can configure a server specifically for that scope. If a
scope does not have a specific configuration, it uses the Global Integration settings.
Device Control
Device Control lets you control which external devices are allowed to be used with endpoints in
your organization. Use Device Control to:
• Block external devices that are not required from connecting to your endpoints, to limit
data leaks.
• Strictly control allowed devices to prevent malicious content that can enter your
network through external devices and Bluetooth connections.
Device Control policy can be Global, for a Site, or for a Group. Groups and Sites can inherit
policies or have their own.
Define the policy in the Management Console in Sentinels > Device Control.
From the Management Console you can also manage Bluetooth devices. This is supported with
Windows and macOS Agents version 3.2 and higher.
Rules for Bluetooth are supported on Windows 10 and Windows Server 2012, 2016, and 2019.
In the Device Control settings, define the policy inheritance, turn Device Control on or off, and
select which device events are reported to the Activity log. The same settings apply to Windows
and macOS endpoints.
By default, Device Control is disabled at the Global and Site level. When it is first enabled, all
Sites and Groups inherit the Device Control policy from the Global or Site policy.
By default, Agents have Device Control disabled, until they connect to a Site or Group with an
enabled Device Control policy.
5. Click Enable Device Control at the bottom of the Device Settings dialog box, if it is not
enabled.
6. For a Site or Group: Use the toggle to turn Inherit rules and settings from Global - On or
Off.
Note: If inheritance is On, the other settings are disabled because they are inherited. If
you turn Off inheritance, the other settings become enabled.
Note: Device Control rules that block or allow Bluetooth devices do not impact the
RFComm functionality.
8. Optional: You can click Disable Device Control. This disables the feature for your current
scope and all Sites and Groups that inherit Device Control settings from this scope.
• For a Site or Group, you must turn Off inheritance before you can disable Device
Control.
• Existing rules remain in the policy but become inactive. When you enable Device
Control again, the rules will become active with their latest Enabled or Disabled
state.
When an external device connects to an endpoint, the SentinelOne Agent checks if it is allowed
to run by the Device Control policy. The Agent looks at the rules based on their order in the
Device Control policy, from the top to the bottom. When the Agent finds a rule that matches
the device identifiers of a connected device, that rule is applied. The Agent does not continue
to the lower rules in the list.
• If the matched rule has the Block Action, the Agent prevents the device from being
used.
• If the matched rule has the Allow Action, the device can be used.
Device Control policy can be Global, for a Site, or for a Group. Groups and Sites can inherit
policies or have their own.
New rules are added to the top of the relevant section of the Device Control policy.
Define the policy in the Management Console in Sentinels > Device Control.
By default, Device Control is disabled at the Global and Site level. When it is first enabled,
all Sites and Groups inherit the Device Control policy from the Global or Site policy.
By default, Agents have Device Control disabled, until they connect to a Site or Group with an
enabled Device Control policy.
Filters
Click Select filters to filter the rules by rule attributes. Select the attributes to filter for or use
the free text search.
Create and edit rules for a specific scope to allow or block devices, based on device identifiers.
When you create a rule, it applies to the current scope of the Sentinels view.
Note:
• On Windows, if a device is already connected to an endpoint, new rules and rule
changes do not affect it. Rules will apply the next time the device connects to the
endpoint.
• On macOS, changes apply to devices that are already connected to an endpoint.
• Rules for the Bluetooth interface are based on Bluetooth device attributes.
• On Windows, Bluetooth RFCOMM can be blocked or allowed only for ALL Bluetooth
devices. It cannot be blocked or allowed for specific devices. For example, if you block a
device but allow RFCOMM profile, connections from that device that use the RFCOMM
profile will be allowed.
• On Windows, explicit rules for Bluetooth LE (Low Energy) devices based on Hardware
attributes or Device version are not supported. You can Block all LE devices from
connecting to endpoints by setting a rule to block all devices with Interface, Bluetooth.
• For Windows Bluetooth rules to take effect, the device and endpoint must be paired
after the SentinelOne Agent that supports Bluetooth is installed or upgraded. If the
endpoint and device were already paired before the Agent supported Bluetooth, reboot
the endpoint to activate the rule, or re-pair the endpoint and device.
7. In the dialog window that opens, define the specifics of the device identifiers.
a. For example, if you selected USB Interface, and Class as the Rule Type, select the
class, such as Video or Mass Storage.
If a rule is Disabled, it is never active but shows in the policy with the Disabled Status.
If a rule is Enabled, it is active if Device Control is enabled. If Device Control is disabled for the
rule's scope, the rule keeps the Status Enabled but is not active. It will become active
automatically if Device Control is enabled.
4. Or click on a rule.
5. In the Rule Details window, click Actions.
To edit a rule:
1. On the sidebar, click Sentinels.
2. On the Sentinels toolbar, click Device Control.
3. Click a rule.
4. In the Rule Details window, click Edit.
Note: When you edit a rule, you cannot change the Rule Type or Interface.
You can change the order of rules in your Admin scope. Account and Site Admins can change
the order of rules for the Sites and Groups in their scope.
6. In the window that opens, drag and drop rules, or in the Order column, click the number
of the rule and enter a new number.
7. Click Save.
You can move Device Control rules to change their scope. For example:
• You made a Group rule for one Group and want to change it to be a Site rule.
• You made a rule for Site A and want it to apply to Site B instead.
7. Click Done.
Review all Device Control logs in the Activity view. The results shown are based on your current
scope.
• Changes to rules and settings show under Operations > Device Control.
• Blocked, Connected, and Disconnected device events show under Administrative >
Device Control events.
o Connected and Disconnected device events show if Report approved device
events to activity log is selected in the Device Control settings.
o Blocked device events show if Report blocked device events to activity log is
selected in the Device Control settings.
o If necessary, you can create a new rule from a blocked device event to allow a
device.
• Move the cursor over a Blocked, Connected, or Disconnected device event to open the
Event Details, which contains:
o A summary of the event.
o The date and time of the event.
o The endpoint name and logged in user.
o All of the device identifier details: Class, Interface, Vendor ID, Product ID, Serial
ID (if relevant), Device Name.
5. Move the cursor over an event and click > Event details to see the details of the event
and the device identifiers.
If the device was blocked, an option shows to Allow Device. Optional: Click Allow Device to
create a new rule that allows device identifiers of this device.
When an end-user inserts a device that is blocked by Device Control, a message shows on the
endpoint. Users cannot create requests automatically from these messages. This is to prevent
an overload of requests for Security Admins.
For example, you have a Site rule that blocks the video class of USB devices. However, your
Marketing Department needs to use this type of device to record marketing videos. You can
open a blocked Device Control event from the Activity log and make a new rule to allow the
devices that they need.
The new rule can be very specific, to allow only a specific vendor or product, based on the
details recorded in the logged event.
By default, the scope of the new rule is the endpoint's group. After you create the rule, you can
move or copy it to change its scope.
Note: If a device is already connected to an endpoint, new rules and rule changes do not affect
it. To make a new or changed rule take effect on a device, remove the device and then
reconnect it.
5. Move the cursor over a blocked event and click > Event details.
6. In the Event details window, click Allow Device to open a new rule.
8. The rule is automatically based on the most specific identifiers available for the device.
a. If the device has a Serial ID (generally for mass storage devices), the rule is based
on the Serial ID.
b. For most other devices, the rule is based on the Product ID and Vendor ID.
c. If you want to change the Rule to include a wider range of devices, change the
Rule Type.
9. Click Continue.
10. Enter missing information, if necessary.
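The Python below is an added example, not SentinelOne's code, that models two things this module describes: the top-to-bottom first-match evaluation of Device Control rules (disabled rules and a disabled Device Control scope never match, new rules go to the top) and the Allow Device rule built from a blocked event (Serial ID when the device has one, otherwise Vendor ID and Product ID). The rule fields follow the identifiers the guide lists; the sample policy, vendor and product IDs are constructed, and because the guide does not say what happens when no rule matches, the evaluator reports no match instead of assuming an action.

```python
"""First-match Device Control evaluation and the 'Allow Device' rule from a blocked event.

Added example, not SentinelOne's own code. Identifier names follow the guide
(Interface, Class, Vendor ID, Product ID, Serial ID); sample values are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Device:
    """Identifiers reported for a connected device, as shown in a Device Control event."""
    interface: str                   # "USB" or "Bluetooth"
    device_class: str                # e.g. "Mass Storage", "Video"
    vendor_id: str
    product_id: str
    serial_id: Optional[str] = None  # generally present only for mass storage devices
    name: str = ""


@dataclass
class Rule:
    """One policy rule: every identifier that is set must equal the device's value."""
    name: str
    action: str                      # "Allow" or "Block"
    interface: str
    device_class: Optional[str] = None
    vendor_id: Optional[str] = None
    product_id: Optional[str] = None
    serial_id: Optional[str] = None
    enabled: bool = True             # Status: Enabled / Disabled

    def rule_type(self) -> str:
        """Most specific identifier the rule keys on (how the Console labels it)."""
        if self.serial_id:
            return "Serial ID"
        if self.product_id:
            return "Product ID"
        if self.vendor_id:
            return "Vendor ID"
        if self.device_class:
            return "Class"
        return "Interface"

    def matches(self, device: Device) -> bool:
        checks = [
            (self.interface, device.interface),
            (self.device_class, device.device_class),
            (self.vendor_id, device.vendor_id),
            (self.product_id, device.product_id),
            (self.serial_id, device.serial_id),
        ]
        return all(want is None or (have or "").lower() == want.lower()
                   for want, have in checks)


def evaluate(policy: List[Rule], device: Device,
             device_control_on: bool = True) -> Optional[Rule]:
    """Return the first enabled rule, top to bottom, whose identifiers match, else None.

    With Device Control disabled for the scope, Enabled rules keep their Status
    but none is active, so nothing matches.
    """
    if not device_control_on:
        return None
    for rule in policy:
        if rule.enabled and rule.matches(device):
            return rule
    return None


def add_rule(policy: List[Rule], rule: Rule) -> None:
    """New rules are added to the top of the policy, so they win over older ones."""
    policy.insert(0, rule)


def allow_rule_from_blocked_event(device: Device, name: str) -> Rule:
    """Build the Allow Device rule: Serial ID if present, else Vendor ID + Product ID."""
    if device.serial_id:
        return Rule(name, "Allow", device.interface, serial_id=device.serial_id)
    return Rule(name, "Allow", device.interface,
                vendor_id=device.vendor_id, product_id=device.product_id)


# Constructed sample: a Site rule that blocks every USB device of the Video class.
SITE_POLICY: List[Rule] = [
    Rule("Block USB video", "Block", "USB", device_class="Video"),
]
# Constructed Marketing webcam; the IDs are placeholders, not a real vendor/product.
MARKETING_CAMERA = Device("USB", "Video", "1234", "5678", name="Marketing webcam")


def marketing_scenario() -> List[str]:
    """The guide's example: blocked, then allowed by a rule made from the event."""
    policy = list(SITE_POLICY)
    before = evaluate(policy, MARKETING_CAMERA)
    add_rule(policy, allow_rule_from_blocked_event(MARKETING_CAMERA, "Allow marketing webcam"))
    after = evaluate(policy, MARKETING_CAMERA)
    return [before.action if before else "no match", after.action if after else "no match"]


if __name__ == "__main__":
    print(marketing_scenario())
```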
Firewall Control is part of the Complete bundle. If you have the Core bundle, you will not see
Firewall Control in your Management Console.
Firewall Control policy can be Global, for the selected Site or Group. Each scope can inherit
policies or have their own.
Define the policy in the Management Console in Sentinels > Firewall Control. The Firewall
Control policy includes Settings and Rules:
• Settings: Turn Firewall Control on or off and define the inheritance settings. The same
settings apply to Windows and macOS endpoints.
• Rules: Create and organize rules to allow or block network traffic. There are different
sets of rules for Windows and macOS endpoints.
Changes to the Firewall Control policy show in Activity > Operations > Firewall Control.
Note: When you enable SentinelOne Firewall Control on Windows endpoints, rules from other
firewall solutions on the endpoint will become inactive.
In the Firewall Control settings, you can define the policy inheritance and turn Firewall Control
on or off.
By default, Firewall Control is disabled at the Global level. When it is first enabled, all Sites and
Groups inherit the Firewall Control policy from the Global policy.
By default, Agents have Firewall Control disabled, until they connect to a Site or Group with an
enabled Firewall Control policy.
Note: When you enable SentinelOne Firewall Control on Windows endpoints, rules from other
firewall solutions on the endpoint will become inactive.
6. For a Site or Group: Use the toggle to turn the inheritance On or Off.
7. Optional: You can click Disable Firewall Control. This disables the feature for your
current scope and all Sites and groups that inherit Firewall Control settings from this
scope.
• For a Site or Group, you must turn Off inheritance before you can disable Firewall
Control.
• Existing rules remain in the policy but become inactive. When you enable Firewall
Control again, the rules will become active with their latest Enabled or Disabled
state.
Create rules for a specific scope and OS to allow or block network traffic.
• When you create a rule, it applies to the current scope of the Sentinels view.
• For network traffic to match a rule, all parameters of the rule must match the traffic.
Attribute - Description
Rule Name - A descriptive name of the rule. It must be a different name from other rules in
the scope.
Protocol - An IP protocol the rule applies to. All standard protocols are supported. Select one
protocol from the list.
o Any - Protocol is not defined.
Application - An application the rule applies to, in a specific location on the endpoint. The
rule only applies to the application if it is in the defined location. Enter the full path name,
including the application.
o Any - Application is not defined.
Direction - Select one of:
o Inbound - The rule applies to traffic that is received on an endpoint.
o Outbound - The rule applies to traffic that leaves an endpoint.
o Any - The rule applies to inbound and outbound traffic.
Optional: Define the Local host. Optional: Define the Remote host.
Local host - Enter the local IP address or range of addresses for endpoints that the rule
applies to. For Inbound traffic, the local host is the destination. For Outbound traffic, the
local host is the source. IPv4 or IPv6.
o Any - Local host is not defined.
o Address - Enter an IP Address.
o CIDR - Enter an IP range in CIDR format.
o Range - Enter an IP Address range start and end.
Local port - The local port or range of ports that the rule applies to.
o Any - Local port is not defined.
o Single string - Enter a port number.
o Range - Enter a port number range start and end.
Remote host - Define a remote host as the source for Inbound traffic or the destination for
Outbound traffic. IPv4 or IPv6.
o Any - Remote host is not defined.
o Address - Enter an IP Address.
o CIDR - Enter an IP range in CIDR notation.
o Range - Enter an IP Address range start and end.
Remote port - The remote port or range of ports that the rule applies to.
o Any - Remote port is not defined.
o Single string - Enter a port number.
o Range - Enter a port number range start and end.
Action - Define if Agents Block or Allow IP packets that match the rule parameters.
Status - State of the rule:
o Enabled - Active if Firewall Control is enabled.
o Disabled - Not active.
• The default for each parameter is Any, which means that no restriction is defined.
• You can create one cleanup rule, with the Action Allow or Block and no other parameter
defined explicitly. Make it the last rule in your rule list: traffic that matches no rule
above it matches the cleanup rule. If you do not have a cleanup rule that matches all
traffic, the default Firewall Control behavior is to allow traffic that is not explicitly
blocked.
• Every other rule must define at least one parameter explicitly; the remaining parameters
can stay Any.
To create a rule:
• Rule name - Enter a descriptive name for the rule. The rule name must be
different from other rule names in the scope.
• OS Type - Select the OS for the rule: Windows, macOS or Linux.
• Tag - Optional: Enter tags that you can search for in the rule base.
• Action - Select Allow or Block to define if Agents block or allow network traffic
that matches the rule parameters.
6. Click Continue.
7. In the window that opens, define the parameters of the rule.
3. Click a rule.
5. Make changes in the Rule Details, or click Continue to open the next page of the Rule
Details and change the rule parameters.
• If a rule is Disabled, it is never active but shows in the policy with the Disabled Status.
• If a rule is Enabled, it is active if Firewall Control is enabled. If Firewall Control is disabled
for the rule's scope, the rule keeps the Status Enabled but is not active. It will become
active automatically if Firewall Control is enabled.
Or
4. Click a rule.
Firewall Control rules let you allow or block network traffic, based on the traffic identifiers
reported by the operating system. There are different rules for Windows endpoints and for
macOS endpoints. When the Management sends policy information to Agents, it includes these
rules.
When network traffic enters or leaves an endpoint, the SentinelOne Agent allows or blocks it
based on the Firewall Control policy. The Agent looks at the rules based on their order in the
Firewall Control policy, from the top to the bottom. When the Agent finds a rule that matches
the parameters of the traffic, that rule is applied. The Agent does not continue to the lower
rules in the list. If the matched rule has the Block Action, the Agent blocks the traffic. If the
matched rule has the Allow Action, the traffic can pass.
The rules that apply to your current scope show in Sentinels > Firewall Control.
Click Select filters to filter the rules by rule attributes. Select the attributes to filter for or use
the free text search.
New rules are added to the top of the relevant section of the Firewall Control policy.
You can change the order of rules in your Admin scope. Account and Site Admins can change
the order of rules for the Sites and Groups in their scope.
1. On the sidebar, click Scope and select a scope.
2. On the sidebar, click Sentinels.
3. On the Sentinels toolbar, click Firewall Control.
You can copy a Firewall Control rule to use it in multiple Sites or groups. For example:
• You have a rule for Site A: Copy it to use it in all of Site B or copy to one Group of Site B.
• You have a rule in Group X, which is in Site A: Copy it to two other Groups in Site A.
You can move Firewall Control rules to change their scope. For example:
• You made a Group rule for one Group and want to change it to be a Site rule.
• You made a rule for Site A and want it to apply to Site B instead.
7. Click Done.
When you import rules, all rules are imported into the current scope. For example, if you are in a
Site that inherits the Global Firewall Control policy, and you export the Firewall Control rules
and import them into a different Site, all Global and Site rules become Site rules in the Site
into which you imported.
You can export rules to a .json file. All rules for your current scope are exported. This includes
Global rules that apply to the scope, even if you do not have permission to edit them.
5. The exported rules download as a .json file to the default Downloads folder of the
computer from which you clicked Export rules.
In Windows Security Center, SentinelOne Firewall Control is registered in two Network Firewall
categories:
• NET_FW_RULE_CATEGORY_FIREWALL
• NET_FW_RULE_CATEGORY_BOOT
Note: When you enable SentinelOne Firewall Control on Windows endpoints, rules from other
firewall solutions on the endpoint become inactive.
On macOS, SentinelOne is not registered as a firewall product. Firewall Control works in parallel
with the macOS firewall, which can block unwanted applications. If there is a conflict between the
macOS firewall and the SentinelOne firewall, the SentinelOne firewall rules have priority.
Firewall Control events appear in the Activity view. For an endpoint with Firewall Control
enabled, you can also turn on a local log file, written in clear text, that records the Firewall
Control events of that endpoint. Enable the log for specific endpoints, one Agent at a time.
Note: Each Agent with Firewall Control Event Logging enabled keeps five log files, 100 MB in
total at most. Older lines are cycled out to stay under the size threshold.
Important: Before you begin, make sure Firewall Control is enabled for the Group and Site of the
Agent.
The Activity Log shows events such as: "<management user name> updated Firewall Control
settings in <group or site>. Modified the settings <parameter> from <value> to <value>."
You can open the Firewall Control logs in the text editor of your choice.
You can also send Firewall Control events to your syslog server. Select activities in Settings >
Notifications > Firewall Control.
Agent location can affect which Firewall Control rules an Agent uses, as each Firewall rule can
be configured for a specific location.
If an Agent that supports Locations does not detect that it is in a defined location, it uses the
Firewall rules assigned to the Fallback location.
Configuring Locations
See the locations for a scope and configure new locations in Settings > Locations.
For each location define one or more parameters, and the relationship between them: If all,
one, or no parameters must be true for an endpoint to be in the location.
9. Click Save.
The defined location shows in the Locations list.
IP Address
• Do the endpoint's IP addresses match the defined IP addresses?
• The endpoint compares all of its active IP addresses to the IP addresses, Ranges, and
CIDRs defined for the location.
• For example, if the location's setting is, All of the endpoint's IP addresses match the
defined IPs, every active IP address on the endpoint must be mapped to at least one of
the IP addresses in the location's definition.
• Addresses can be IPv4 or IPv6. You can add up to five address fields.
DNS Server
• Do the endpoint's DNS servers match the defined DNS servers?
• The endpoint compares all of its configured DNS servers to those defined for the
location.
• Addresses can be IPv4 or IPv6. You can add up to five address fields.
DNS Resolution
• Can the endpoint resolve the defined DNS host names?
• The endpoint checks if it can resolve the provided Host name, by doing a DNS query
using OS services.
• The Host name must be in FQDN format. The Resolved IP can be IPv4 or IPv6. You can
add up to five Host name and IP pairs.
3. To add another Host name and a Resolved IP, click Add more.
4. Select if endpoints must be able to resolve one, all, or none of the defined DNS
hostnames.
Network Interface
• Is the endpoint's current internet connection wired or wireless?
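The location tests described above (IP Address, DNS Server, DNS Resolution and Network Interface parameters, each with its own all/one/none quantifier, combined by the Location's own all/one/none relationship, with Fallback when nothing matches), as an added example. This is not SentinelOne Agent code: the definition format, the quantifier names and the field names are assumptions that model the documented semantics, and DNS Resolution goes through a caller-supplied resolver so the example runs offline (a real check queries the OS resolver). Start-end address ranges are left out.

```python
"""Deciding which configured Locations an endpoint is in.

Added example, not SentinelOne Agent code. Definition format, quantifier
names ("all", "one", "none") and field names are assumptions modelling the
documented semantics. An endpoint that matches no Location is in Fallback.
"""
import ipaddress


def quantify(mode, results):
    """all / one / none of the results must be true. 'all' over an empty set is
    treated as False so an endpoint with no addresses cannot satisfy a test."""
    results = list(results)
    if mode == "all":
        return bool(results) and all(results)
    if mode == "one":
        return any(results)
    if mode == "none":
        return not any(results)
    raise ValueError(f"unknown quantifier {mode!r}")


def _ip_address(param, endpoint):
    # Every active address is tested against the defined addresses/CIDRs (a plain
    # address is a /32 or /128 network); the parameter's quantifier is then applied.
    nets = [ipaddress.ip_network(s, strict=False) for s in param["addresses"]]
    hits = (any(ipaddress.ip_address(a) in n for n in nets) for a in endpoint["ip_addresses"])
    return quantify(param["match"], hits)


def _dns_server(param, endpoint):
    defined = {ipaddress.ip_address(s) for s in param["servers"]}
    return quantify(param["match"], (ipaddress.ip_address(s) in defined for s in endpoint["dns_servers"]))


def _dns_resolution(param, endpoint):
    # Does each FQDN resolve to its expected address? endpoint["resolve"] stands in
    # for the OS resolver and returns the set of addresses for a name.
    hits = (ipaddress.ip_address(ip) in {ipaddress.ip_address(r) for r in endpoint["resolve"](host)}
            for host, ip in param["hosts"])
    return quantify(param["match"], hits)


def _network_interface(param, endpoint):
    return endpoint["interface"] == param["kind"]        # "wired" or "wireless"


EVALUATORS = {"ip_address": _ip_address, "dns_server": _dns_server,
              "dns_resolution": _dns_resolution, "network_interface": _network_interface}


def in_location(location, endpoint):
    return quantify(location["match"], (EVALUATORS[p["type"]](p, endpoint) for p in location["parameters"]))


def detect_locations(locations, endpoint):
    """Names of all Locations the endpoint matches, or ["Fallback"] if none."""
    return [loc["name"] for loc in locations if in_location(loc, endpoint)] or ["Fallback"]


# Constructed Location definitions (field names are assumptions).
LOCATIONS = [
    {"name": "Corporate", "match": "all", "parameters": [
        {"type": "ip_address", "match": "all", "addresses": ["10.0.0.0/8", "fd00::/8"]},
        {"type": "dns_server", "match": "one", "servers": ["10.0.0.53", "10.0.1.53"]},
        {"type": "dns_resolution", "match": "all", "hosts": [("intranet.example.com", "10.0.5.20")]},
    ]},
    {"name": "Home", "match": "all", "parameters": [
        {"type": "ip_address", "match": "one", "addresses": ["192.168.0.0/16"]},
        {"type": "ip_address", "match": "none", "addresses": ["10.0.0.0/8"]},   # not also on the corporate VPN
        {"type": "network_interface", "kind": "wireless"},
    ]},
    {"name": "Guest Wi-Fi", "match": "one", "parameters": [
        {"type": "ip_address", "match": "one", "addresses": ["172.16.40.0/24"]},
        {"type": "dns_server", "match": "one", "servers": ["172.16.40.1"]},
    ]},
]


def fake_resolver(table):
    """Offline stand-in for the OS resolver: name -> set of addresses."""
    return lambda fqdn: set(table.get(fqdn, ()))


# Constructed endpoint states.
OFFICE_PC = {"ip_addresses": ["10.0.12.7", "fd00:1::7"], "dns_servers": ["10.0.0.53"],
             "interface": "wired", "resolve": fake_resolver({"intranet.example.com": ["10.0.5.20"]})}
HOME_LAPTOP = {"ip_addresses": ["192.168.1.20"], "dns_servers": ["192.168.1.1"],
               "interface": "wireless", "resolve": fake_resolver({})}
VPN_LAPTOP = {"ip_addresses": ["192.168.1.20", "10.200.3.9"], "dns_servers": ["10.0.0.53"],
              "interface": "wireless", "resolve": fake_resolver({"intranet.example.com": ["10.0.5.20"]})}
CAFE_LAPTOP = {"ip_addresses": ["172.16.40.2"], "dns_servers": ["172.16.40.1"],
               "interface": "wireless", "resolve": fake_resolver({})}

if __name__ == "__main__":
    for name, ep in [("office", OFFICE_PC), ("home", HOME_LAPTOP), ("vpn", VPN_LAPTOP), ("cafe", CAFE_LAPTOP)]:
        print(name, detect_locations(LOCATIONS, ep))
```

The VPN laptop is the case worth noticing: its split-tunnel 10.200.x address breaks the "all addresses corporate" test of Corporate and the "no corporate address" test of Home, so it lands in Fallback. That is exactly why the module tells you to define rules for the Fallback location or for All locations.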
SentinelOne Connection
Registry Key
1. In Key name, enter a Registry Key under HKEY_LOCAL_MACHINE\SOFTWARE that must exist or
must not exist in the endpoint's registry. Keys in any other location are not accepted, and
the location is not saved.
2. Optional: In Value name, enter a value that the key must have.
From the Management Console, you can create a location-aware Firewall policy. Define
customized sets of Agent Locations based on one or more endpoint network parameters, and
use the Locations in Firewall rules.
By default, SentinelOne Firewall Control rules apply in All locations. To create a location-aware
Firewall policy, configure Agent Locations in Settings > Locations and create Firewall rules that
apply to different Locations.
Important: Agents earlier than version 3.2 do not support Locations in Firewall rules. When
Firewall Control is enabled, these Windows and macOS Agents apply only the Firewall rules that
are set for All locations.
If an Agent that supports Locations does not detect that it is in a defined Location, it uses the
Firewall rules assigned to the Fallback location.
Notes:
• Agents use the Firewall Control rules for all the Locations that they match, in the
priority order of the Firewall rules.
• After you configure Locations in Firewall rules, make sure the order of the rules still
meets your needs.
• Make sure to define some rules for the Fallback location, or for All locations.
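The rule evaluation this module describes (rules checked top to bottom, first match wins, Disabled rules inactive, unmatched traffic allowed unless a cleanup rule catches it, and the Location filter from the notes above applied with "All" or any Location the endpoint matched), as an added example. It is not SentinelOne Agent code and does not read the console's .json export: the rule field names, the "Any" convention and the evaluate() function are assumptions that model the documented behaviour so that a rule base can be checked against sample traffic before it is deployed.

```python
"""First-match evaluation of Firewall Control rules.

Added example, not SentinelOne Agent code. Rule field names, the "Any"
convention and evaluate() are assumptions modelling the documented
behaviour: top-to-bottom scan, first rule whose defined parameters all
match wins, Disabled and out-of-Location rules are skipped, and traffic
that matches no rule is allowed unless a cleanup rule catches it.
"""
import ipaddress

ANY = "Any"


def _ip_matches(spec, ip):
    """spec: address, CIDR or 'start-end' range. Any/None means no restriction."""
    if spec in (None, ANY):
        return True
    addr = ipaddress.ip_address(ip)
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo.version == addr.version and lo <= addr <= hi
    return addr == ipaddress.ip_address(spec)


def _port_matches(spec, port):
    """spec: single port or 'start-end' range. Any/None means no restriction."""
    if spec in (None, ANY):
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return port == int(spec)


def rule_matches(rule, traffic, endpoint_locations):
    """True only if every parameter the rule defines matches the traffic."""
    if rule.get("status", "enabled") != "enabled":
        return False                      # Disabled rules are never active
    locations = rule.get("locations", ["All"])
    if "All" not in locations and not set(locations) & set(endpoint_locations):
        return False                      # rule is for a Location this endpoint is not in
    if rule.get("protocol", ANY) != ANY and rule["protocol"] != traffic["protocol"]:
        return False
    app = rule.get("application", ANY)
    if app != ANY and app.lower() != traffic["application"].lower():
        return False                      # the full path must match, not just the file name
    direction = rule.get("direction", ANY)
    if direction != ANY and direction != traffic["direction"]:
        return False
    return (_ip_matches(rule.get("local_host"), traffic["local_ip"])
            and _port_matches(rule.get("local_port"), traffic["local_port"])
            and _ip_matches(rule.get("remote_host"), traffic["remote_ip"])
            and _port_matches(rule.get("remote_port"), traffic["remote_port"]))


def evaluate(rules, traffic, endpoint_locations=("Fallback",)):
    """(action, rule name) of the first matching rule, scanning top to bottom.

    An endpoint in no defined Location counts as being in Fallback. If no rule
    matches (no cleanup rule), the documented default allows the traffic;
    that case is reported as ("allow", None).
    """
    for rule in rules:
        if rule_matches(rule, traffic, endpoint_locations):
            return rule["action"], rule["name"]
    return "allow", None


def traffic(protocol, direction, local_ip, local_port, remote_ip, remote_port, application=""):
    # Constructed traffic record in the shape rule_matches() expects.
    return {"protocol": protocol, "direction": direction, "local_ip": local_ip,
            "local_port": local_port, "remote_ip": remote_ip,
            "remote_port": remote_port, "application": application}


# Constructed rule base in console order (top to bottom); field names are assumptions.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
RULES = [
    {"name": "Allow Chrome HTTPS", "protocol": "TCP", "direction": "outbound",
     "application": CHROME, "remote_port": "443", "action": "allow"},
    {"name": "Allow DNS to corp resolvers", "protocol": "UDP", "direction": "outbound",
     "remote_host": "10.0.0.0/8", "remote_port": "53", "action": "allow", "locations": ["Corporate"]},
    {"name": "Allow RDP from jump hosts", "protocol": "TCP", "direction": "inbound",
     "remote_host": "10.10.10.1-10.10.10.20", "local_port": "3389", "action": "allow"},
    {"name": "Block RDP", "protocol": "TCP", "direction": "inbound", "local_port": "3389", "action": "block"},
    {"name": "Block Telnet out", "protocol": "TCP", "direction": "outbound",
     "remote_port": "23", "action": "block", "status": "disabled"},
]
# Cleanup rule: no parameters, so it matches all traffic that reaches it.
CLEANUP_BLOCK = {"name": "Cleanup: block everything else", "action": "block"}

if __name__ == "__main__":
    rdp = traffic("TCP", "inbound", "10.1.1.5", 3389, "10.10.10.5", 51000)
    print(evaluate(RULES, rdp))                                   # allowed by the jump-host rule
    print(evaluate(RULES[:2] + [RULES[3], RULES[2]] + RULES[4:], rdp))   # Block RDP moved up: blocked
    dns = traffic("UDP", "outbound", "10.1.1.5", 50000, "10.0.0.53", 53)
    print(evaluate(RULES, dns, ("Corporate",)), evaluate(RULES, dns))   # Location vs Fallback
    print(evaluate(RULES + [CLEANUP_BLOCK], dns))                 # cleanup rule turns default allow into block
```

Swapping the two RDP rules is the check worth running after any reorder or Location change: the same packet from a jump host is allowed in one order and blocked in the other, because the Agent stops at the first match.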
6. Uncheck the All option to select one or more specific Locations for the rule.
7. Start to type a Location name to see the defined locations that match. Select a Location.
See the detected location of each endpoint in the Sentinels view. You can filter endpoints by
location.
A Locations column is available. Scroll right to see it, or open the Columns list to select the
columns to show in your Sentinels view.
Tip: You can drag and drop the columns in the Sentinels view to change their order and customize
your view.
• Each Agent gets the list of locations defined for its Site and Account and the Global
locations.
• Agents use the Firewall Control rules for all the Locations that they match, based on the
priority of the Firewall rules.
• If an Agent that supports Locations does not detect that it is in a defined location, it uses
the Firewall rules assigned to the Fallback location.
Delete a location
If SentinelOne Support asks for logs from Agents, use one of these procedures. The logs show
Agent operations. The logs are encrypted and only Support can read them.
You can get logs from the Management Console or manually from an Agent.
Two ways of obtaining logs from an Agent from the Management Console:
1. On the sidebar, click Sentinels.
2. Option One:
a. Select the Agent.
b. Click Actions > Fetch Logs.
3. Option Two:
a. Click the Agent.
b. Endpoint Details loads.
c. Click ACTIONS and then click Fetch Logs.
If you have an On-Prem Management Console, download the log file and send it to Support. If
you have a cloud-based Management Console, Support can get your fetched logs from the
Cloud.
The results show entries with this syntax: Agent <name> successfully uploaded <file>.tar.gz
• macOS Agents logs: Use sentinelctl: sudo sentinelctl log report and get the log files on
the desktop.
• Linux Agents: Run sudo /etc/init.d/sentineld fetch_logs and see the location of the log
files in the output.
Module Review
In this module, you were introduced to the administration functionality in SentinelOne and
reviewed these SentinelOne administration features:
1. Which user account allows you to manage the complete deployment of all Accounts,
Sites, endpoints, and security objects?
a. Site Admin
b. Global Admin
c. Account Admin
d. Application Admin
a. ______________________
b. ______________________
5. When installing a Windows agent on an endpoint, what two things are needed?
a. Install package and the API key
b. Install package and the Site Token
c. Install package and the Windows install code
d. Install package only is needed
6. True or False. When moving Agents between Sites, the Administrator can only complete
the process manually: they must uninstall the Agent from the endpoint and reinstall it
with the Site Token of the new Site.
a. ________________
7. If a user is scheduled for time off, a device is scheduled for maintenance or the endpoint
has not contacted the console for the set amount of time, the agent can be removed
from the console until it returns or communicates again with the Management Console.
What is this functionality called?
a. Uninstall > Reinstall
b. Decommission > Recommission
c. Disable > Enable
d. Restrict > Allow
a. _______________________
9. By default, when you set a policy to Protect, which of the following tasks can the Agents
complete automatically? (Select all that apply)
a. Kill & Quarantine
b. Remediate & Rollback
c. Disconnect from the Network
d. All of the above
MODULE 4
SentinelOne Investigator
This module is intended to introduce incident response concepts for Investigators using
SentinelOne. In this module you will review the following SentinelOne features:
• Managing Blacklists
• Managing Exclusions
• Hash
• Path
• Signer Identity
• File Type
• Browser
• Analyzing Threats
• Threat Management
• Incident Details
• Mitigation Actions
• On-Demand File Fetch
• Full Disk Scan
• Application Risk Management
• Remote Shell
© SentinelOne 4-1
SentinelOne Investigator
Blacklist Hierarchy
• Sites, Accounts, and Global can each have their own blacklist items.
• Each scope also inherits blacklist items from the scopes above it.
o An Account inherits all Global blacklist items.
o A Site inherits all blacklist items of its Account, and all Global blacklist items.
4. You see the blacklist of the selected scope. For example, if you are a Site Admin, you see
the blacklist items of your Site.
5. To see blacklist items that are inherited from the Account and the Global blacklist, click
Include global list results.
Files that are reported as malicious threats are added to the blacklist automatically.
Best Practice: Always analyze a threat before you add the file to the blacklist.
Note: Items that you add to the blacklist do not automatically become resolved. When you finish
investigating and handling a threat or detection, mark it as resolved.
Managing Exclusions
Agents sometimes mark benign items as potential threats. You can configure Exclusions to make
your Agents suppress alerts and mitigation for these items.
Exclusion Hierarchy
• Groups, Sites, Accounts, and Global can each have their own exclusions.
• Each scope also inherits exclusions from the scopes above it.
o An Account inherits the Global exclusions.
o A Site inherits the exclusions of its Account, and the Global exclusions.
o A Group inherits the exclusions of its Site, its Account, and the Global exclusions.
To see exclusions:
1. On the sidebar, select a Scope.
2. On the sidebar, click Sentinels.
3. On the Sentinels toolbar, click Exclusions.
4. The exclusions are of the selected scope. For example, if you are a Site Admin, and you
do not select a specific Group in the scope, you see the exclusions of your Site.
5. To see exclusions that are inherited from the Account and the Global exclusions, click
Include global list results.
Important: Be careful! If you create incorrect exclusions, you can open your environment to
malware.
Creating Exclusions
Hash Exclusions
Note: You only see the exclusions of the selected exclusion type. For example, if Hash is
selected, only hash exclusions show in the exclusion list; File Type exclusions are not
visible at the same time.
Path Exclusion
Important: Be careful! If you create incorrect exclusions, you can open your environment to
malware.
Windows path exclusions:
• The path can start with the drive letter. If the drive is not included, the exclusion applies
to all drives. For example:
o C:\calc.exe excludes CALC on the root of the C drive.
o calc.exe excludes CALC in all directories on all drives.
• If you select Include Subfolders, the path must end with a backslash (\).
• DO NOT USE a wildcard as the drive letter ( *: or ?: ).
o For example, do NOT use *:\Program Files or ?:\Program Files in an exclusion
path. Instead, use *\Program Files to exclude Program Files on all drives.
o You CAN use the wildcard * to refer to any character or characters, or the
metacharacter ? to refer to one character that is NOT a drive letter.
o Examples with wildcard * to refer to any character or characters:
▪ C:\c*c.exe excludes files on the C drive that start with "c" and end with
"c.exe", for example CALC.EXE, CAMC.EXE and CHARLIE.DOC.EXE.
▪ Example to exclude the Archives folder in a nested directory:
C:\*\Archives\
▪ Example to exclude GoToMeeting for all users:
C:\Users\*\AppData\Local\GoToMeeting\*\g2mlauncher.exe
o Examples with metacharacter ? to refer to one character:
▪ You CAN use C:\test?\ to exclude C:\test1\ and C:\testf\.
▪ Example to exclude a temp directory on all drives:
harddiskvolume?\temp\
▪ DO NOT USE ? as the drive letter. For example, do NOT use ?:\test1\ in an
exclusion path.
Linux and macOS path exclusions:
• The path must be absolute: it starts with a forward slash ( / , ASCII character 47).
• The path must not start or end with a space.
• If you select Include Subfolders, the path must end with a forward slash.
• Linux - Wildcards are not supported in Linux Agent versions 2.6 and earlier. They are
supported in 3.0 and later, in the same manner as with the Windows Agent.
• macOS - The * wildcard is supported in path exclusions. For example:
▪ /Users/*/Applications/<NAME>.app/ excludes the app folder and its subfolders
for all users.
▪ /Users/?*/Desktop/<NAME>.app/ excludes the app folder on the Desktop and its
subfolders for all users.
▪ /Users/<USER>/Desktop/<NAME>.app/* excludes all files in this path.
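The path rules above, turned into a checker you can run against sample paths before creating an exclusion, as an added example. This is not SentinelOne Agent code: exclusion_error() and exclusion_matches() are assumptions that read the rules literally (* matches any run of characters including path separators, as C:\*\Archives\ implies; ? matches exactly one character; a Windows pattern without a drive letter applies on every drive; a pattern ending in the separator has Include Subfolders semantics; Windows and macOS compare case-insensitively and Linux case-sensitively, as stated later in this section; wildcard drive letters, environment variables, leading or trailing spaces and relative Linux/macOS paths are rejected). One consequence of the literal reading is that C:\c*c.exe covers C:\cache\calc.exe but not C:\Windows\calc.exe, while a bare c*c.exe covers both; confirm such subtleties on a test endpoint before relying on them.

```python
r"""Matching endpoint paths against Path exclusion patterns.

Added example, not SentinelOne Agent code. The matcher is an assumption that
implements the documented path rules literally so a candidate exclusion can
be tested against sample paths; it is not the Agent's implementation.
"""
import re

SEPARATOR = {"windows": "\\", "macos": "/", "linux": "/"}


def exclusion_error(pattern, os_type):
    """Return why the pattern is not a valid exclusion, or None if it is valid."""
    if not pattern:
        return "path is empty"
    if pattern != pattern.strip():
        return "path must not start or end with a space"
    if os_type == "windows":
        if re.match(r"[*?]:", pattern):
            return "wildcard drive letter not allowed; use *\\... to cover all drives"
        if re.search(r"%[^%]+%", pattern):
            return "environment variables are not supported; use a literal path or *"
    elif not pattern.startswith("/"):
        return "path must be absolute (start with /)"
    return None


def compile_exclusion(pattern, os_type="windows"):
    error = exclusion_error(pattern, os_type)
    if error:
        raise ValueError(error)
    # '*' -> any run of characters, '?' -> exactly one character, all else literal.
    body = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    if os_type == "windows" and not re.match(r"[A-Za-z]:\\", pattern):
        # No drive letter: the pattern applies on every drive. A pattern that starts
        # with '\' or '*' may appear anywhere; a bare name must start a path component.
        body = (".*" if pattern[0] in "\\*" else r".*\\") + body
    if pattern.endswith(SEPARATOR[os_type]):
        body += ".*"                      # Include Subfolders: everything beneath the folder
    flags = 0 if os_type == "linux" else re.IGNORECASE
    return re.compile(body, flags)


def exclusion_matches(pattern, path, os_type="windows"):
    """True if the exclusion pattern covers the given path on that OS."""
    return compile_exclusion(pattern, os_type).fullmatch(path) is not None


if __name__ == "__main__":
    # Constructed checks mirroring the examples in the rules above.
    checks = [
        ("C:\\calc.exe", "C:\\calc.exe", "windows"),
        ("C:\\calc.exe", "C:\\Windows\\System32\\calc.exe", "windows"),   # root of C: only
        ("calc.exe", "D:\\tools\\calc.exe", "windows"),                    # no drive: every drive
        ("C:\\c*c.exe", "C:\\cache\\calc.exe", "windows"),
        ("C:\\c*c.exe", "C:\\Windows\\calc.exe", "windows"),               # first component must start with c
        ("C:\\*\\Archives\\", "C:\\Users\\bob\\Archives\\2019\\report.pdf", "windows"),
        ("C:\\test?\\", "C:\\test12\\x.txt", "windows"),                   # ? is exactly one character
        ("harddiskvolume?\\temp\\", "\\Device\\HarddiskVolume2\\temp\\a.tmp", "windows"),
        ("/opt/app/", "/opt/APP/bin/run", "linux"),                        # Linux is case-sensitive
        ("/Users/*/Applications/Foo.app/", "/Users/bob/Applications/foo.app/Contents/MacOS/foo", "macos"),
    ]
    for pattern, path, os_type in checks:
        print(f"{pattern!r:38} {path!r:58} {exclusion_matches(pattern, path, os_type)}")
    print(exclusion_error("*:\\Program Files", "windows"))
```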
Exclusion Mode
Use default Path exclusions if you have false positive detections, and you want to suppress
alerts from a file path or folder. When you exclude files or folders with default path
exclusions, Agents monitor them but suppress alerts and do not mitigate.
• This exclusion type is supported for Windows, macOS, and Linux Agents.
• When you create an exclusion directly from a detection and select File path, this
is the type of exclusion created.
• Default path exclusions are called Suppress Alerts exclusions.
Caution: Make sure the detection that the exclusion is based on is a false positive.
Legitimate threats in the path will not be mitigated.
Interoperability
• Reduce the monitoring level on the excluded processes.
• Note: This exclusion stops the Agent from injecting the Agent DLL to processes in the
path. This reduces Agent interaction with these processes. The Agent continues to
monitor and use kernel events.
• Usage example: To solve interoperability issues related to the Agent code injection
into other applications.
• Caution: This lowers protection as it reduces events that the Agent monitors.
Interoperability – Extended
• Reduce the monitoring level on the excluded processes and their child-processes
(Same as the Interoperability option but includes child-processes.)
• Usage example: To solve interoperability issues related to the Agent code injection
into other applications, when the Interoperability option did not resolve the issue.
Performance Focus
• Disable monitoring of the excluded processes.
• Note: It stops the Agent from injecting the Agent DLL to processes in the path and
stops monitoring most kernel events. Agents do not use OS events that are generated
by or for the excluded process.
• Usage example: To solve issues where a specific application generates many events
(like file operation, registry, process, logs and memory) and causes a high CPU
utilization on the endpoint, due to Agent event analysis.
• Caution: This lowers protection significantly as the Agent does not monitor the
excluded processes.
For Interoperability and Performance Focus exclusions: For processes that cannot be restarted,
such as System processes or Anti-virus processes, you must reboot endpoints to apply or remove
an exclusion. For processes that can be restarted, such as a browser, you can restart the process
to apply or remove an exclusion.
Best Practice: It is recommended that you restart all affected endpoints to apply or remove an
Interoperability or Performance Focus exclusion.
When you make a path exclusion, it is highly recommended that you add the exclusion to the
smallest relevant scope of endpoints - a specific group. For example, do not add exclusions to the
default policy of the default group. Create a group of endpoints that use the application to
exclude.
These rules apply to path (file and folder) exclusions for all versions:
• You cannot put more than one path in one exclusion. AND and OR are not supported in
exclusions.
• If you can exclude a hash, that is safest. Be aware that it excludes only the specific
version of a process, not all processes with that name.
• If you can exclude specific files rather than a path, that is safer. If an exploit drops
malware into an excluded path, the Agent cannot protect the endpoint.
• Environment variables are not supported. For example, change %appdata% to
C:\Users\Bob\AppData\Roaming\ or use the * wildcard to match all users:
C:\Users\*\AppData\Roaming\
• Regular expressions are not supported.
• If you make an exclusion for an AppStacked application or snapvolume, use the SVROOT
folder of the mount. For example, change C:\Program Files (x86)\Click\check.exe to
*\SVROOT\Program Files (x86)\Click\check.exe to exclude
C:\snapvolumes\{GUID}\SVROOT\Program Files (x86)\Click\check.exe
• Exclusions for Windows and macOS are NOT case sensitive. Exclusions for Linux are case
sensitive.
Exclusions to Avoid
Do not create exclusions for these paths, file names or patterns:
C:\Program Files\Tripwire\TE\Agent\jre\bin\java.exe
C:\Tomcat7\
C:\tomcat7_2\bin\tomcat7.exe
C:\tomcat7.0\
C:\tomcat7\bin\tomcat7.exe
C:\Users\*\Cygwin\Bin\
C:\Windows\
C:\Windows\*\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\explorer.exe\
C:\Windows\py.exe
C:\Windows\setup.exe
C:\Windows\system32\
C:\Windows\System32\smss.exe
C:\Windows\system32\conhost.exe
C:\windows\system32\consent.exe
C:\Windows\System32\cscript.exe
C:\Windows\system32\csrss.exe
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\explorer.exe
C:\Windows\System32\LogonUI.exe
C:\Windows\System32\lsalso.exe
C:\WINDOWS\system32\lsass.exe
C:\Windows\System32\lsm.exe
C:\windows\system32\mmc.exe
C:\Windows\System32\netsh.exe
C:\Windows\System32\Ntoskrnl.exe
C:\Windows\System32\rundll32.exe
C:\windows\system32\services.exe
C:\Windows\System32\sihost.exe
C:\Windows\system32\smss.exe
C:\Windows\System32\snmp.exe
C:\Windows\System32\splwow64.exe
C:\Windows\System32\Spool\
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\sysvol\
C:\Windows\System32\taskeng.exe
C:\Windows\System32\taskhostex.exe
C:\Windows\System32\Taskmgr.exe
C:\Windows\system32\userinit.exe
C:\Windows\System32\vbscript.dll
C:\Windows\system32\vssvc.exe
C:\Windows\System32\WBEM\
C:\Windows\System32\wbem\WmiApSrv.exe
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\System32\WindowsPowerShell\
C:\Windows\System32\WindowsPowerShell\v1.0\
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
C:\Windows\System32\wininit.exe
C:\Windows\system32\winlogon.exe
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Micros
oftEdgeCP.exe
C:\Windows\SYSVOL\
C:\Windows\SysWOW64\
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\wbem\
C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
C:\Windows\Temp\
C:\Windows\winexesvc.exe
acrord32.exe
java.exe
LogonUI.exe
vssadmin.exe
_mprosrv.exe
*.dll
*.exe
*.pdf
*/python<version number>
*/ruby
*\*apache-maven*\
*\bin\java.exe
\adobe\
\Device\HarddiskVolume*\
You can exclude files and software that are signed by a trusted source, with a certificate that is
verified by the endpoint OS. Agents monitor events associated with the certificate signer but do
not mitigate the signed items.
Important: Do NOT create Signer Identity exclusions for all Microsoft or Adobe applications. This
will significantly decrease your organization's security. If you are getting false alerts for a specific
application, contact SentinelOne Technical Support to find a narrower exclusion to resolve the
issue.
Important: Be careful! If you create incorrect exclusions, you can open your environment to
malware.
You can exclude files of a given type from automatic mitigation. This exclusion type is supported
for Windows Agents.
Excluding a Browser
Threats that come from a browser show as Exploit attempts in the Management Console. If an
end-user browses to a site that hosts web exploits, which can introduce malware into your
environment, the Agent detects a web exploit. It mitigates the browser session based on the
policy and shows the threat in the system tray and Management Console.
In rare cases, to keep the browser usable, you can exclude it from active scanning.
To exclude a browser:
1. On the sidebar, select a Scope.
2. Click Sentinels.
3. Click Exclusions.
4. In Exclusion Types, click Browser.
5. Click New Exclusion.
Analyzing Threats
A manual incident response plan usually requires a lot of time and resources: gather data to
define what is "good" and what is "unwanted" or "threatening"; identify events when you can, or
by signature; notify the security team; contain the infection; investigate the attack to understand
its severity and behavior; remove all files that the attack installed and, where possible, recover
files that it changed; then update the records of known malware and analyze how to respond
faster next time.
SentinelOne significantly improves this workflow with a simple dashboard that identifies security
incidents with its Dynamic Detection Engine and Static Detection Engine.
When a threat exists, it shows in Threats by Status and is included in the information shown
throughout the Management Console.
How is a Threat generated?
The Agent can detect only, or also mitigate threats automatically, based on the Policy
settings configured for the Agent.
Threat Management
The Threats page shows the threats and their current status. By selecting a threat, the user
moves to the Incident Details page.
Incident Filters
The Threats table has many filters so you can quickly find the information you need.
Free text search - Search for endpoint name, file path, file name, file extension, hash and
user name.
Initiated by - How the threat was generated: Agent policy, Deep Visibility command, Full Disk
Scan, Local Agent command, Management Console.
External ticket exists - Yes or No. Refers to tickets added by Vigilance or by users through the
API.
Detection Engines
SentinelOne Cloud - Blocks hashes that the SentinelOne Cloud defines as malicious, so that no
known malicious file is written to disk or executed.
User-Defined Blacklist - Blocks hashes that your team defines as malicious for your
environment.
On-Write DFI - A Static AI engine that scans for malicious files written to disk. It supports
portable executable (PE) files.
On-Write DFI Suspicious - A Static AI engine that scans for suspicious files written to disk. It
supports portable executable (PE) files.
Anti Exploitation / Fileless - A Behavioral AI engine focused on exploits and all fileless attack
attempts, such as web-related and command-line exploits.
Manual Detection - All Storylines that your team, Vigilance, or SentinelOne Support mark as
threats with the "Mark as threat" action or from sentinelctl are classified under this engine.
Remote Shell - All threats generated during a Remote Shell session are classified under this
engine.
Classifications
One detection can have different classifications. To make it simpler to analyze and respond,
SentinelOne shows the classification that is most important or most reliable.
Interactive shell - The detection creates or calls a process that creates a shell with
unauthorized access.
If a detection fits a number of classifications, the Management Console shows only one.
• Benign
• Malware
• Trojan
• Virus
• Exploit
• Worm
• Rootkit
• Infostealer
• Downloader
• Backdoor
• Hacktool
• Browser
• Dialer
• Installer
• Packed
• Network
• Spyware
• Adware
• PUA
Threat Status
Marked as Benign - The threat was marked as benign (the Analyst Verdict is False Positive).
Mitigated - The Quarantine mitigation action completed successfully. The same status shows if Remediate or Rollback also completed.
Not Mitigated - No mitigation actions were completed, or the threat was killed but no other action was done.
The AI Confidence Level is set automatically by the SentinelOne Agent AI. Users cannot
change this.
You can use the Analyst Verdict setting to select your own conclusion about the threat.
• Suspicious - The Agent AI found traits that are suspicious, but not enough to mark it
as malicious.
• N/A - Detections marked by users as threats.
Each mitigation action that is initiated shows its status. The status shows in the Forensics
page, in Threats and throughout the Management Console.
For supported Agents, you can download the complete Mitigation Report from the Timeline
tab of the Incident details. This shows the details of mitigation actions that are not pending,
including what exactly was done and to which files or processes.
These are the statuses that each mitigation action can have:
• Pending – The action was initiated and is waiting for a response from the Agent.
• Failed – One or more activities failed. This does not mean everything failed. See the
Mitigation Report for more details.
Note: Older Agents do not report a status for the Unquarantine command. The status
of Unquarantine for older Agents will show Sent without more information.
• The Analyst Verdict is set by users. Use it to record decisions made by the security
analysts for each threat: True Positive, Suspicious, False Positive, Undefined.
• Each threat starts as Undefined.
• Before you can change a threat's Incident Status to Resolved, it must have an Analyst
Verdict set (not Undefined). When you run a mitigation action, you are prompted to
set the Analyst Verdict.
• You can change the Analyst Verdict at any time.
Use the Incident Status to track the progress in handling each threat. In Threats, filter the
threats by their Incident Status, for example, to only see threats that are In-progress or
Unresolved.
The analyst can determine what the threat attempted to do on the Incidents Details page.
Each Management Console user can change the view that first opens in the Incident details and
the time zone of threat information. The settings stay for that user until they are changed.
Changes are per user and not related to scope or a specific threat.
4. Click Apply.
• Overview, Explore, Timeline Tabs – The Incidents Threat Page contains 3 tabs along the
top:
o The Overview tab – View the details of the threat.
o The Explore tab – View all events of the threat in a graphical process tree and a
table view.
o The Timeline tab – The timeline gathers all information about the threat,
endpoint, and hash in order to understand what happened, when, and by whom.
• Threat Status - See if mitigation actions were taken or if it is still not mitigated.
• AI Confidence Level - Note if the threat is Malicious or Suspicious.
o The Level can be N/A if the detection was marked by a user as a threat.
• Analyst Verdict - Each threat starts as Undefined.
o If a different verdict shows, see the Timeline for a summary of all actions taken on
the threat and all notes recorded.
• Mitigation Actions Taken - See which mitigation actions were done and their status. See
if actions are required to complete mitigation. For example:
o A threat is mitigated but only killed and quarantined. Complete the analysis to see
if more mitigation is required.
o All mitigation actions are Pending because the Management is waiting for a
response from the Agent. If the endpoint is online, it will respond soon. If the
endpoint is offline, it can take a while.
o If the endpoint must reboot to complete the mitigation, the status shows Pending
Reboot and a message shows under the header. Click Reboot Now to reboot the
endpoint and complete the mitigation.
If the Reporting time is very different from the Identified time, the endpoint was probably
offline at detection time and did not report to the Management until it came back online.
Taking Action
To take an action against a threat and/or disconnect an endpoint from the network, select
Actions in the upper right of the header.
On the Sentinels > Endpoints page, under the Network Status column, you can see if the
endpoint is Connected or Disconnected.
The Network History pane helps you understand where the threat has been found and if
someone already analyzed it.
Best Practice: If you see that the threat was first seen previously, and it appears multiple times,
click the link on the number of times. All instances of the threat open in a Threats table. See
which actions were done and which Analyst Verdict other analysts gave it already.
The details show for your whole access level, even if you had a narrower scope open in
the Management Console. For example, if you have access to a Site but were looking at
Threats with a Group scope selected, you will see network history information for the threat
in the whole Site.
• See the first and last time the threat was seen in your scope.
• See how many times the threat was detected and on how many different endpoints.
Note: Threats are grouped by hash. Fileless threats always show as one time per endpoint
because they do not have a hash.
• See the scope distribution - how many Accounts, Sites, and Groups have this incident.
• To get a deeper analysis of where a hash or file was seen in your scope, click Hunt Now to
run a query in Deep Visibility.
For Fileless threats, a query for the Storyline will run in Deep Visibility.
In the Threat Information pane, you see all details of the threat: Path, Command line arguments,
Process user, Publisher name, Signer identity (certification ID), Signature verification, Originating
process, SHA1 hash, Initiated by (how the threat was generated), Detecting engine, Classification,
File size, Storyline, and Threat ID.
Tip: Click a detail to open a quick actions menu and see what you can do with it. For example:
• Click the hash and see options to search for it in Recorded Future, Open in Virus Total, or
copy the hash.
On the Endpoint Details pane, you can see the current status, whether online or offline, if the
Network status is Enabled (connected) or Disabled (disconnected from the network), the Agent's
scope, version, UUID, and policy, and the endpoint's IP addresses and domain.
• Click the endpoint name to open a quick actions menu. From here you can run actions,
based on your role and permissions:
o Open Endpoint – Opens the Endpoint Details dialog window.
o Open in Deep Visibility – Open the endpoint's activities in Deep Visibility.
o Remote Shell - Open a Remote Shell session directly with the endpoint.
o Show threats on the Threats page - Opens the threat page filtered for all threats
on the endpoint.
o Disconnect from Network - Puts an endpoint in network quarantine.
If an endpoint is disconnected, the option shows Reconnect.
o Fetch Logs – Retrieves the log files from the endpoint.
o Copy - Copies the endpoint name for you to paste elsewhere.
The indicators show what behavior the engine detected that marked the incident as malicious or
suspicious.
Indicators for Behavioral AI detections include references to the MITRE ATT&CK matrix, and use
the MITRE methodology and terminology for easy cross-reference. Click a link to learn about the
TTP on the MITRE website.
You can add notes to threats to describe actions you took on the threat and why, or to record
relevant information. Links in the notes are clickable. For example, add a link to an external ticket.
All users with permissions to see the threat can add notes, but only the author of a note
can Edit or Delete it.
Note: In Settings > Notifications > Threat Management, you can select Notes to send
notifications when notes are added to threats, edited, or deleted.
To add Notes:
1. In the Forensics Page, Threat Indicators pane, click Notes.
2. Click Add new.
3. Enter your notes and click Send.
To see all events of a dynamic threat (detected by a Behavioral AI engine) in a graphical process
tree and a table view, open the Explore tab.
For static threats, where a file did not run, or was stopped before it ran, the tab shows No
Processes found for this threat.
A table of events related to the threat shows below the process tree and timeline. The table has
tabs for different event types: File, Network Actions, Processes, Indicators, and Registry.
Note: For threats, only events related to the malicious Storyline are shown. Deep Visibility
collects a different and wider set of information for all events. If you search for the same Storyline
in Deep Visibility, you will get more events. In Deep Visibility you can also show multiple
Storylines in the process tree.
To see the root of the Storyline in the tree and in the table:
• Under the timeline, click Go to root.
The root process of the storyline is selected in the process tree, and the events in the table
are filtered for that process.
Process Modification
Active Content represents the data that changed within a process, usually when the process
loaded a new file or changed the command line.
• Contains Active Content? Yes|No
• Active Content File ID
• Active Content Hash
• Active Content Path
The timeline gathers all information about the threat, endpoint, and hash so you can understand
what happened, when, and by whom. It includes:
• Threat status changes, mitigation actions, status changes, analyst verdict changes, and
notes.
• Endpoint-related activities from the detection time until the threat is marked as benign,
mitigated, or resolved.
• Exclusion and blacklist entries related to the hash of the threat, that are created in the
endpoint's scope (the Group, Site, or Account of the endpoint, or at the Global scope).
The timeline can start before the detection time. For example, if someone added this hash to the
blacklist and then the threat was detected based on the user-defined blacklist engine.
• When you scroll down, use the purple arrow to jump back to the top.
• If a new event occurs while you are viewing the timeline, a New events button shows.
Click it to jump to the new events.
• Click the magnifying glass to search all events for a string. This includes names in
the Management Console and free text.
• To use the timeline details for a deeper analysis outside of the Management Console, you
can export the activities in the timeline.
The events that are open are exported. For example, if you filtered for Endpoint, only events on
the endpoint will be in the export file.
The Timeline is downloaded as a .csv file. The file is saved to your computer with the threat
name and date.
3. A download icon shows next to mitigation activities for Agents of supported versions.
Click the icon next to a mitigation activity.
Mitigation Actions
The Agent mitigates threats automatically based on the AI Confidence level if the policy is set
to Protect. If the policy is set to Detect, threats are not mitigated automatically.
Note: For static threats on all Operating Systems, only Kill and Quarantine are available. This is
because static threats do not change or create processes.
(All of these options are available from the Mitigation action window.)
Mitigation of a Threat
You can add the same note to multiple threats in these ways:
o If you add a Note from the Mitigation Action window and select Apply to all
instances of this threat, the same note is added to all of the instances.
o If you select multiple threats in the Threats table and select Threat
Actions > Add a Note, the same note is added to all selected threats.
After you select a mitigation action, the Agent sends the status of the action to the Management
Console.
For example, a file might be in use by other processes, so the Agent cannot quarantine it.
The Agent will try to complete the mitigation action after reboot and will send an updated
report.
From the Incident details header, you can see more information about the Mitigation Actions
taken and how many files were affected. If an action requires a reboot, that shows in the status.
Move the cursor over a Mitigation action. The tooltip shows a summary of what was done. For
example, Remediated 10 threat changes successfully.
If the mitigation action was successful on some items but not all, the numbers show. For
example, Rolled back 66/67 threat changes successfully.
If no counters show for supported Agents, it means there was nothing for the Agent to act on. A
success sign shows.
You can download the Mitigation CSV Report from the Incident details header of a threat.
Move the cursor over a Mitigation action taken and then click Download CSV Report.
If you think that a threat is not really a threat, mark the Analyst Verdict as False Positive. This
changes the Status of the threat to Marked as Benign.
• Decide if only this specific instance is benign or if you want to create an exclusion for all
instances in your scope.
• If you create an exclusion, you can choose the type (from those available) and scope in
the New Exclusion window that opens.
On-Demand file fetch lets you download files from an endpoint to the Sentinel Management
Console. There are two types of On-Demand file fetch:
• Threat File Fetch - Get the file or files that are the root of the threat (Win 2.9+ | macOS 3.0+
| Linux 3.4+).
Note: Threat File Fetch will be covered in the Incident Details section.
• Multi File Fetch - Get multiple files that you specify (Win 2.9+ | macOS 2.6+).
Multi-File Fetch
You can download multiple files that you specify from SentinelOne endpoints to the Management
Console. Use this to analyze malware or for other operational needs.
For regulation compliance, this feature is disabled by default. To enable it, contact SentinelOne
Support.
Specifications:
• You can get up to ten files at one time, with a 10 MB maximum size for each file.
• You can only get files by explicit, full pathnames. You cannot use: Wildcards, environment
variables, non-regular files (such as /dev/*), or sensitive files (such as SSH private keys).
• To minimize risk, run the Fetch File action on a single endpoint that you select manually
from the Management Console.
• Fetched files are automatically deleted from the Management after 72 hours and are not
available for download from the Management Console after that time.
4. In the Fetch Files window, enter the File Path for the files to download.
• Format for macOS - In the file path, use spaces and not backslashes.
o Correct path example - /Users/Sierra/Desktop/files to send
• Format for Windows - Use paths that follow Windows filename limitations. Do
NOT include the characters / : * ? " < > |.
o Correct path example - C:\Users\Desktop\files to send
o Invalid path example - C:\Users\Desktop\"?"
5. Click Add. You can add multiple file paths.
6. In Password, enter a password.
Remember the password - you will use it to open the zip file after you download it from
the Management Console. To set the password, use 10 or more characters with a mix of
upper and lower case letters, numbers, and symbols.
7. Click Submit.
• The files are fetched from the endpoint, archived as a zip file, and encrypted with
the password you entered.
8. Click OK.
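The path and password rules from steps 4 to 6, turned into a pre-flight check an analyst can run before submitting a request. This is an added example, not SentinelOne code; the function names, and the specific SSH-key and /dev/ patterns it refuses as "sensitive" or "non-regular", are assumptions (the page only says such files are not allowed):

```python
"""Pre-flight validation for a Multi-File Fetch request.

Added example, not SentinelOne code. It encodes the limits this section
describes (ten files per request, explicit full paths only, no wildcards
or environment variables, Windows filename restrictions, and the zip
password rule) so a request can be checked before it is submitted.
The function names and the patterns treated as "sensitive" or
"non-regular" files are this example's own assumptions.
"""
import re

MAX_FILES = 10
# Characters the console rejects in Windows paths (after the drive letter).
WINDOWS_FORBIDDEN = set('/:*?"<>|')
WILDCARDS = set("*?")
# Shapes of environment-variable references on both platforms (assumption).
ENV_VAR_RE = re.compile(r"%[^%]+%|\$\{?[A-Za-z_][A-Za-z0-9_]*\}?")
# Assumed examples of refused files: SSH private keys (device nodes are
# handled separately by the /dev/ prefix check).
SENSITIVE_RE = re.compile(r"(^|/)(\.ssh/id_[a-z0-9]+|id_rsa|id_ed25519)$")


def validate_path(path, os_family):
    """Return None when the path is acceptable, else a short reason."""
    if ENV_VAR_RE.search(path):
        return "environment variables are not allowed"
    if os_family == "windows":
        # A full path is a drive letter, a colon, a backslash, then the rest.
        match = re.match(r"^[A-Za-z]:\\(.+)$", path)
        if not match:
            return "Windows paths must start with a drive letter, e.g. C:\\"
        bad = sorted(set(match.group(1)) & WINDOWS_FORBIDDEN)
        if bad:
            return "forbidden characters: " + " ".join(bad)
        return None
    if os_family in ("macos", "linux"):
        if not path.startswith("/"):
            return "path must be absolute (start with /)"
        if "\\" in path:
            return "use spaces, not backslashes, in macOS and Linux paths"
        if set(path) & WILDCARDS:
            return "wildcards are not allowed"
        if path.startswith("/dev/") or SENSITIVE_RE.search(path):
            return "non-regular or sensitive file"
        return None
    return "unknown OS family: " + os_family


def password_meets_policy(password):
    """10+ characters with upper case, lower case, a digit and a symbol."""
    return (len(password) >= 10
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def validate_request(paths, os_family, password):
    """Check a whole request; returns a list of problems (empty means OK)."""
    problems = []
    if len(paths) > MAX_FILES:
        problems.append(f"{len(paths)} paths requested; the maximum is {MAX_FILES}")
    for path in paths:
        reason = validate_path(path, os_family)
        if reason:
            problems.append(f"{path}: {reason}")
    if not password_meets_policy(password):
        problems.append("zip password must be 10+ characters with upper, "
                        "lower, digit and symbol")
    return problems


if __name__ == "__main__":
    # Constructed sample request: one good path and two that the rules reject.
    sample = [r"C:\Users\Desktop\files to send",
              'C:\\Users\\Desktop\\"?"',
              r"%TEMP%\sample.bin"]
    for line in validate_request(sample, "windows", "Fetch-2023-Ok"):
        print(line)
```

Checking the request locally first avoids a round trip to the Agent for paths the console would refuse anyway; the real console applies its own checks regardless of this script.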
The downloaded zip file has the fetched file or files and a metadata file, manifest.json, which
shows for each file:
• The NT file path.
• The SHA-1 and SHA-256 hash
• Error messages related to the fetch operation.
o Examples of errors: No such file or directory, for an invalid path, or <invalid> for a
file type that is not allowed.
If you try to download a file after it was deleted from the Management, a message shows that it
was deleted. Run the Fetch File action again to get the file.
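Because the manifest carries a SHA-1 and SHA-256 per file, an analyst can rehash the extracted files and confirm that what landed on the analysis workstation is what the Agent read from disk, and see which entries failed to fetch. The following is an added example, not SentinelOne code: the page only names the manifest fields, so the JSON layout used here (a list of objects with "path", "sha1", "sha256" and "error" keys), the assumption that each fetched file is stored in the zip under its base name, and all sample paths and contents are constructed:

```python
"""Verify fetched files against the manifest.json in a Multi-File Fetch zip.

Added example, not SentinelOne code. The page says the manifest lists,
per file, the NT path, SHA-1 and SHA-256 hashes and any fetch error; the
JSON layout used below and the assumption that each fetched file is
stored in the archive under its base name are this example's own.
"""
import hashlib
import json
import os
import tempfile

# Constructed NT paths used by the demo below (not real endpoint data).
GOOD_PATH = r"C:\Users\Sierra\Desktop\files to send\report.docx"
TAMPERED_PATH = r"C:\Users\Sierra\Desktop\files to send\macro.bin"
MISSING_PATH = r"C:\Users\Sierra\Desktop\files to send\gone.txt"
INVALID_PATH = r"C:\Users\Sierra\.ssh\id_rsa"


def digests(data):
    """SHA-1 and SHA-256 hex digests of a byte string."""
    return hashlib.sha1(data).hexdigest(), hashlib.sha256(data).hexdigest()


def verify_fetched_files(manifest, extract_dir):
    """Map each manifest path to 'ok', 'hash mismatch', 'missing from archive'
    or 'fetch error: <message>' by rehashing the extracted files."""
    results = {}
    for entry in manifest:
        nt_path = entry["path"]
        if entry.get("error"):
            results[nt_path] = "fetch error: " + entry["error"]
            continue
        # Assumption: the archive stores each file under its base name.
        base_name = nt_path.replace("\\", "/").rsplit("/", 1)[-1]
        local = os.path.join(extract_dir, base_name)
        if not os.path.isfile(local):
            results[nt_path] = "missing from archive"
            continue
        with open(local, "rb") as fh:
            sha1, sha256 = digests(fh.read())
        expected = (entry["sha1"].lower(), entry["sha256"].lower())
        results[nt_path] = "ok" if (sha1, sha256) == expected else "hash mismatch"
    return results


def build_demo():
    """Constructed sample: write two files and a manifest into a temp dir."""
    extract_dir = tempfile.mkdtemp()
    good = b"quarterly report text (constructed sample)\n"
    original_macro = b"original macro bytes (constructed sample)\n"
    with open(os.path.join(extract_dir, "report.docx"), "wb") as fh:
        fh.write(good)
    with open(os.path.join(extract_dir, "macro.bin"), "wb") as fh:
        fh.write(b"bytes changed after the fetch\n")  # will not match the manifest
    g1, g256 = digests(good)
    m1, m256 = digests(original_macro)
    manifest = [
        {"path": GOOD_PATH, "sha1": g1, "sha256": g256, "error": None},
        {"path": TAMPERED_PATH, "sha1": m1, "sha256": m256, "error": None},
        {"path": MISSING_PATH, "sha1": "", "sha256": "",
         "error": "No such file or directory"},
        {"path": INVALID_PATH, "sha1": "", "sha256": "", "error": "<invalid>"},
    ]
    with open(os.path.join(extract_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh)
    return extract_dir


def demo():
    """Load the manifest from the demo directory and verify it."""
    extract_dir = build_demo()
    with open(os.path.join(extract_dir, "manifest.json")) as fh:
        manifest = json.load(fh)
    return verify_fetched_files(manifest, extract_dir)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:40} {path}")
```

A hash mismatch here means the copy on the workstation is not the bytes the manifest describes, so it should not be treated as the endpoint's file until the fetch is repeated.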
Agents can run a Full Disk Scan when the Agent is installed and on demand. It finds dormant
suspicious activity, threats, and compliance violations that are then mitigated according to the
policy.
Note: Full Disk Scan does not work based on hashes, and therefore it does not check each file
against the blacklist. If a file is determined as suspicious by the Static-AI (DFI) engine, then the
Agent calculates its hash and checks the blacklist to see if the hash exists there. If a file is
executed, all aspects of the process are inspected, including hash-based analysis and checking if
the file is on the blacklist.
Full Disk Scan can run when the endpoint is offline, but when it is connected to the Management,
it can use the most updated Cloud data to improve detection.
To stop a scan:
1. In the Sentinels view, select the Agents.
2. Click Actions and select Abort Scan.
From the Management Console you can easily output all of the details for selected endpoints,
including their scan status. An Export option shows in the Network view. It exports all network
endpoint information for each endpoint in the current filter (up to 20,000 endpoints) in CSV
format.
SentinelOne Application Risk lets you monitor applications installed on endpoints, from your
SentinelOne Management Console.
Applications not updated with the latest patches are risky because they are vulnerable to
exploits. With SentinelOne Application Risk you can see all applications that need to be patched,
on all endpoints or on a specific endpoint. You can also see which endpoints have applications
that need to be patched, and you can export application data.
Application Risk is part of the Complete SKU (not available with Core). If you have the Core
bundle, you will not see Application Risk in your Management Console.
Value - Description
Name - Name of the installed application in the current scope (Global, Site, or Group). Click the
application name to open the APPLICATION DETAILS. If the application is not up to date, click
the link to open the vulnerability ID on the MITRE CVE site. From there you can patch the
application, if a patch is available.
Endpoint - Name of the endpoint. Click the endpoint link to open the ENDPOINT DETAILS.
Risk - The risk level of the application.
• Low: CVSS score from 0.1 to 3.9
• Medium: CVSS score from 4.0 to 6.9
• High: CVSS score from 7.0 to 8.9
• Critical: CVSS score from 9.0 to 10.0
• No risk: The application poses no risk to the endpoint.
Installed Date - The day and time (DD/MM/YYYY HH:MM:SS) that the application was last
installed or updated.
Version - The version number of the application.
Publisher - The publisher of the application (Microsoft, Apple, etc.)
Size - The size of the application.
5. To view applications by risk level, you can use the risk level filter bar above the application
list.
4. The data exported to the Application Risk CSV file: Application ID, Name, Version,
Publisher, OS, Installed, Size, Signed, Risk, Machine Type, Agent UUID, Agent name, Agent
version, and CVE IDs.
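The exported CSV is the natural input for ranking which endpoints to patch first. The following is an added example, not SentinelOne code: it uses the column names listed above and the CVSS bands from the Risk value description, but the sample rows, the assumption that the "CVE IDs" cell separates several IDs with ";", and every name, UUID and CVE ID in it are constructed placeholders:

```python
"""Rank endpoints by unpatched-application risk from an Application Risk CSV.

Added example, not SentinelOne code. The CVSS bands are the ones this
section lists; the CSV columns are the exported fields named above. The
sample rows, the ";" separator assumed inside the "CVE IDs" cell, and
all names, UUIDs and CVE IDs in it are constructed placeholders.
"""
import csv
import io

RISK_ORDER = {"No risk": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample export; the CVE IDs are placeholders, not real identifiers.
SAMPLE_EXPORT = """\
Application ID,Name,Version,Publisher,OS,Installed,Size,Signed,Risk,Machine Type,Agent UUID,Agent name,Agent version,CVE IDs
101,Example Browser,90.0,Example Corp,windows,01/03/2023 10:15:00,120 MB,true,Critical,desktop,uuid-placeholder-1,WS-01,22.1.2,CVE-PLACEHOLDER-1;CVE-PLACEHOLDER-2
102,Example Reader,11.2,Example Corp,windows,14/02/2023 09:00:00,80 MB,true,High,desktop,uuid-placeholder-1,WS-01,22.1.2,CVE-PLACEHOLDER-3
103,Text Tool,1.0,Example Corp,windows,02/01/2023 08:30:00,5 MB,false,No risk,desktop,uuid-placeholder-2,WS-02,22.1.2,
104,Example Office,16.0,Example Corp,macos,20/03/2023 12:00:00,900 MB,true,Medium,laptop,uuid-placeholder-3,MAC-01,22.1.2,CVE-PLACEHOLDER-4
105,Example Browser,88.0,Example Corp,macos,20/03/2023 12:05:00,110 MB,true,Critical,laptop,uuid-placeholder-3,MAC-01,22.1.2,CVE-PLACEHOLDER-1;CVE-PLACEHOLDER-2;CVE-PLACEHOLDER-5
"""


def risk_level(cvss):
    """Map a CVSS base score to the console's risk label (bands from this section)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss == 0.0:
        return "No risk"
    if cvss <= 3.9:
        return "Low"
    if cvss <= 6.9:
        return "Medium"
    if cvss <= 8.9:
        return "High"
    return "Critical"


def endpoints_needing_patches(csv_text, minimum="High"):
    """Group rows at or above the minimum risk by endpoint, worst first.

    Returns {agent_name: [(app name, version, risk, cve_count), ...]} with
    each endpoint's applications sorted by risk (highest first), and the
    endpoints ordered by their worst application, then by how many they have.
    """
    threshold = RISK_ORDER[minimum]
    by_endpoint = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        risk = row["Risk"].strip()
        if RISK_ORDER.get(risk, 0) < threshold:
            continue
        cves = [c for c in row["CVE IDs"].split(";") if c.strip()]
        by_endpoint.setdefault(row["Agent name"], []).append(
            (row["Name"], row["Version"], risk, len(cves)))
    for apps in by_endpoint.values():
        apps.sort(key=lambda app: (-RISK_ORDER[app[2]], app[0]))

    def worst_first(name):
        apps = by_endpoint[name]
        return (-RISK_ORDER[apps[0][2]], -len(apps), name)

    return {name: by_endpoint[name] for name in sorted(by_endpoint, key=worst_first)}


if __name__ == "__main__":
    for endpoint, apps in endpoints_needing_patches(SAMPLE_EXPORT).items():
        print(endpoint)
        for name, version, risk, cve_count in apps:
            print(f"  {risk:9} {name} {version} ({cve_count} CVE IDs)")
```

The same function run with minimum="Medium" widens the list; applications whose Risk is "No risk" are never included because their CVSS band is 0.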
Remote Shell is a powerful way to respond remotely to events on endpoints. It lets you open full
shell capabilities - PowerShell on Windows and Bash on macOS - directly and securely from the
Management Console.
This lets you troubleshoot end-user issues from wherever you can access your Management
Console.
The shell process runs with local administrator user permissions. If different permissions are
necessary, you can authenticate with domain user credentials inside the Remote Shell session.
Agents apply all detection and protection logic on the Remote Shell activity.
User Requirements:
• The user must be an Admin, not a Viewer, and have explicit permission to use Remote
Shell. Enable Remote Shell in the user settings.
Site Requirements:
• Remote Shell requires the Complete SKU and is enabled by default in Sites with the
Complete SKU.
• When Remote Shell is enabled for a Site, Remote Shell shows in the Management
Console.
• From the Remote Shell option in the policy, enable or disable the feature.
• At the start of a session, you create a password. The transcript of the session is encrypted
with this password.
• Remote Shell sessions can be open on multiple endpoints at one time, but each session
must be opened separately on each endpoint.
Endpoint Requirements:
• The endpoint must have an OS and SentinelOne Agent version that support Remote Shell.
• The endpoint must have default settings for local Administrators users. The Agent creates
a new user in the local Administrators group, and it requires default permissions.
• The Agent must be online and connected to the Management to open a Remote Shell
session.
• If the endpoint is in Network Quarantine (disconnected from network), some commands
will not work because the endpoint cannot access the network. If necessary, reconnect
the endpoint to the network.
• A session can be open or minimized on the endpoint.
• Only the admin who runs the Remote Shell session can see the open or minimized session.
If a different admin tries to open a session for the same endpoint, a message shows that
a session is already open.
Module Review
In this module, we introduced the incident response concepts for Investigators using
SentinelOne and reviewed the following SentinelOne features:
• Managing Blacklists
• Managing Exclusions
• Hash
• Path
• Signer Identity
• File Type
• Browser
• Analyzing Threats
• Threat Management
• Incident Details
• Mitigation Actions
• On-Demand File Fetch
• Full Disk Scan
• Application Risk Management
• Remote Shell
2. On the Incidents Details view, where can you view if the threat tried to change the
registry, change or remove specific files?
a. Endpoint Network Connection
b. Attack Overview
c. Timeline
d. Classification
4. To clean up the Dashboard and Incidents > Threat view, after the threat has been
mitigated, you must do what?
a. Mark detections as Resolved
b. Mark detections as Benign
c. Mark detections as No Threat
d. Delete the detection entry from the Dashboard
5. What function finds dormant suspicious activity, threats, and compliance violations that
are then mitigated according to the policy?
a. Reinstall an updated agent
b. Run a full disk scan from the Management Console
c. Run the AV function in the Analyze view of the Management Console
d. Must be run manually from the endpoint with an AV product
7. True or False. Full Disk Scans can only be run if the endpoint is online?
a. ________________
9. What is the best remediation step to use against a Windows endpoint that has been
infected with ransomware?
a. Kill
b. Quarantine
c. Remediate
d. Rollback
10. In order to use Remote Shell, the user account must be configured with what?
a. Single Sign On
b. Two-Factor Authentication
c. Both SSO and 2FA
d. Only Global Admin accounts can use Remote Shell
© SentinelOne 4-66
SentinelOne Deep Visibility/Threat Hunting
MODULE 5
SentinelOne Deep Visibility
This module will cover the SentinelOne Deep Visibility functionality and how it can be used for
Threat Hunting. In this module you will review:
Threat hunting is a proactive approach to cybersecurity that supplements automated tools with
searches across your environment for:
• Known indicators of compromise.
• Behavior and tactics that attackers use.
Threat hunting lets you find suspicious behavior in its early stages before it becomes an attack
that will generate alerts. It supplements the automated rules of detection tools, which require a
high level of confidence that behavior is suspicious before an alert is generated. Effective threat
hunting is done by a security team with expert understanding of:
• What is normal in your environment: the architecture, systems, applications, and
networks that are expected. A highly technical understanding of expected behavior is
necessary to uncover unexpected behavior and outliers.
• The tactics, techniques, and procedures (TTPs) that attackers use (such as Lateral
Movement or Command and Control).
• The most likely vulnerable points in your environment.
• Reliable streams of information for recent and common indicators of compromise.
SentinelOne Deep Visibility extends the ActiveEDR capabilities, with full visibility into endpoint
data and threat hunting. It gives security teams the ability to augment real-time threat detection
capabilities with a powerful threat hunting tool. Deep Visibility query results show detailed
information from the SentinelOne Agents. Attributes in the query results include: Endpoint, User,
Site ID, Path, Process ID, Process Name, SHA1 hash, SHA256 hash, MD5, command line argument,
and Storyline.
Storyline
When you run a Deep Visibility query, each item in the results has a Storyline, which automatically
correlates all related objects (processes, files, threads, events, and more) of a threat. This lets
you quickly understand the data relationships: the root cause behind a threat with all of its
context, relationships, and activities. When you find an abnormal event that seems relevant, use
the Storyline to find all related events.
Storyline lets security analysts understand the full story of what happened on an endpoint. Use
it to hunt easily, see the full chain of events, and save time for your security teams.
The autonomous Agent collects processes, files, threads, events, and more, and builds a matrix
for each monitored event. Events are correlated by the relationships between all processes, files,
and events that are created, changed, or deleted. Data is grouped by source, target, and behavior.
These groupings form the threat Storyline.
All data transmissions are encrypted, compressed, and sent over HTTPS. Agent data is available
to you, and only you, for up to three months. From the time that an event occurs, the data is
available in the Deep Visibility queries in minutes.
Storyline Workflow
How it works:
• The user opens a web browser and downloads a file.
• The agent builds a group of events.
• As the malware runs, the AI recognizes malicious activity.
• The agent groups the source file and its targets and actions (such as a registry change).
• The agent runs automatic protection (if configured) and kills the process and
quarantines malicious files.
• With the group, the agent has an ID for automatic hunting of related events.
• With one Storyline ID the agent remediates all malicious creations.
Deep Visibility is part of the SentinelOne Complete bundle and requires an extra license. If you
do not see the options described here, contact SentinelOne to get the required licenses.
Enable Deep Visibility in the policy. The Deep Visibility settings can be different in the Global
policy and in Site policies. In the policy settings, you can refine the data sent for Threat Hunting.
File - Supported file types that are created, changed, or deleted by an event. Collected: hash
(MD5, SHA1, SHA256), full path, name of the process that created or changed the file.
URL - Sites visited in Safari, Chrome, and Microsoft browsers (wininet, MS only). Collected: URLs
and URIs (string, source or Chrome), HTTP method, processes and creator processes, and request
and response. From wget, curl, and similar commands (macOS only): DNS, IP addresses, and URLs.
DNS - Every connection, including connections to localhost. Collected: query name, query result,
processes, and creator processes.
IP - Outgoing network connections. Collected: TCPv4 connection attempts (source IP address and
port, destination IP address and port, protocol, processes and creator processes).
Login - macOS end user login and logout. Collected: username and login and logout time.
Registry Keys - Registry Key events on Windows endpoints. Collected: Registry Key ID and name,
logged in user, time of event, process that caused the event.
Scheduled Tasks - Scheduled Task events on Windows endpoints. Collected: task name, event type,
logged in user, time of event, process that caused the event.
Full Disk Scan - Files scanned by the Full Disk Scan. Collected: files with extensions that are
supported by the DFI engine.
Behavioral Indicators - Indicators found by the Agent. Collected: Indicator Category, Indicator
Description, Indicator Metadata, and Indicator Name.
DLL Module Load - DLL modules loaded on an endpoint. Collected: module hash, module path, all
endpoint info and process information.
Run Threat Hunting queries and use Deep Visibility in the Visibility view of the Management
Console.
Deep Visibility queries use S1QL, a proprietary SentinelOne query language similar to SQL.
If you are a Global Admin or a Multi-Site Admin, in the Global view, you see query results
combined for all of your Sites.
The Deep Visibility workflow depends on your specific needs. This is an overview of different
actions you can do in the Visibility view.
3. The query shows a red icon when the query is not complete or valid and a green icon
when it is valid.
4. If you want the query to use multiple phrases, select AND or OR.
Note: You can use AND or OR up to ten times for each query.
Note: Query results show in chronological order. There is a limit of 20,000 results for
each query. If you see that the count is 20,000, the query reached the limit. Narrow the
scope of the search to get complete results.
• Open up to 15 tabs at one time, with different queries in each. The tabs are named
automatically for easy reference. You can edit the tab names.
• You can run a Sub-query on the data that has already been pulled from the SentinelOne
Cloud. Each main query can have one Sub-query. Use this to refine your query quickly.
Syntax Notes
Parentheses are part of the query syntax. Do not add them only to make a query easier to read.
ActiveContentHash
• String, alphanumeric
• Hash of content run from within a different process (Active content).
• Example: ActiveContentHash Is Not Empty
• Example matches all active content that has a hash.
ActiveContentPath
• String, alphanumeric
• Filepath where an active content file or command ran.
• Example: ActiveContentPath Contains "/hard"
• Example matches all active content that ran from a filepath that contains "/hard".
ActiveContentSignedStatus
• Signed or Unsigned
• The status of an active content file: signed or unsigned.
• Example: ActiveContentSignedStatus = "unsigned"
• Example matches all active content files with unsigned certificates.
ActiveContentType
• CLI or FILE
• The type of active content run: CLI or a file.
• Example: ActiveContentType = "FILE" AND ActiveContentPath Contains "user"
• Example matches all active content files that ran from a filepath that contains "user".
AgentName
• String
• Hostname of endpoint on which Agent is installed.
• Example: AgentName NOT IN ("GW","gateway")
• Example matches endpoints with hostnames that do not include "GW" or "gateway"; hostnames such as "DefaultGW" or "gateway1" are excluded.
AgentOS
• String
• windows, osx, linux
• Example: AgentOS="osx"
• Example matches endpoints running macOS.
AgentUUID
• String, alphanumeric
• Example: AgentUUID != 11111a2222b3333333cde444455555fff66666gg
• Example matches endpoints with a specific AgentUUID.
AgentVersion
• String
• Version number of SentinelOne Agent.
• Example: AgentVersion CONTAINS "2.6"
• Example matches endpoints with an Agent version number that contains "2.6".
ConnectionStatus
• String
• Network event: SUCCESS, FAILURE, BLOCKED, UNKNOWN
• Example: ConnectionStatus Does Not Contain "SUCCESS"
• Example matches endpoints whose TCP connection status was unsuccessful.
DNSRequest
• String
• DNS name.
• Example: DNSRequest CONTAINS "cdn.onenote"
• Example matches DNS requests to cdn.onenote.
DNSResponse
• String
• IP address, DNS, type, or similar data from a DNS response.
• Example: DNSResponse IS NOT EMPTY AND AgentOS = "linux"
• Example matches non-empty DNS responses to Linux endpoints.
DstIP
• String
• IP address of the destination.
• Example: DstIP = "192.0.2.1"
• Example matches items arriving at this IP.
DstPort
• Numeric
• Port number of destination.
• Example: DstPort = 80
• Example matches items arriving at any host over this port.
FileCreatedAt
• DateTime
• Date and time of file creation.
FileFullName
• String
• Path and filename.
• Example: FileFullName CONTAINS ".pdf"
• Example matches PDF files.
FileID
• String
• Unique ID of the file.
• Example: FileId = "F32D8A2B-E426-4258-A65C-819415D897EF"
FileMD5
• String
• MD5 signature.
• Example: FileMD5 CONTAINS "1bc29b36f623"
• Example matches files with an MD5 that has this string in it.
FileModifyAt
• DateTime
• Date and time of file change.
• Example: FileModifyAt > "22.10.2018 00:00"
• Example matches files changed before this date and time.
FileSHA1
• String
• SHA1 signature.
• Example: FileSHA1 IN ( "415ab40ae9","888" )
• Example matches files with a SHA1 with one of these partial strings.
FileSHA256
• String
• SHA256 signature.
• Example: FileSHA256 IS NOT EMPTY
• Example matches files with a SHA256 signature.
FileType
• String
• File extension.
• Example: FileType = "png"
• Example matches all PNG files.
IndicatorCategory
• String
• Category of content or behavior that signals malicious intent.
• Example: indicatorCategory = "Injection"
• Example matches events in the Injection category.
IndicatorDescription
• String
• Readable text that explains what the indicator means.
• Example: indicatorDescription contains "T1084"
• Example matches detections of Mitre T1084: Application has registered itself to become persistent via service. MITRE: Persistence {T1084}.
IndicatorMetadata
• String
• Readable text of more data, such as service names or pathnames.
• Example: indicatorMetadata contains "KeyName"
• Example matches events that contain "KeyName".
IndicatorName
• String
• Name of content or behavior that signals malicious intent.
• Example: indicatorName = "SuspiciousLibraryLoad"
• Example matches events that contain SuspiciousLibraryLoad.
LoginsBaseType
• String
• console, remote, shell
LoginsUserName
• String
• Example: LoginsUserName = "kevinoui"
• Example matches Login and Logout events for the user 'kevinoui'.
NetworkMethod
• String
• GET, POST, PUT, DELETE
• Example: NetworkMethod = "POST"
• Example matches POST events.
NetworkUrl
• String
• Complete URL.
• Example: NetworkUrl CONTAINS "https://outlook.office365.com"
• Example matches networking to this URL or its subdomains.
OldFileName
• String
• Name of file before rename.
• Example: OldFileName Contains "king"
• Example matches events with Event Type "File Rename" (and shows current name).
OldFileSHA1
• String
• SHA1 of file before it was changed.
• Example: OldFileSHA1 Is Not Empty
• Example matches files that were renamed.
PID
• Numeric
• Process ID (usually copied from main query to new tab).
• Example: PID <= "500" OR PID >= "900"
ParentPID
• Numeric
• ID of process that created a new process.
• Example: ParentPID > "1"
• Example matches PIDs greater than 1 that created a child process.
ParentProcessName
• String
• Name of process that spawned a child process.
• Example: ParentProcessName Is Not Empty
• Example matches process creation events.
ParentProcessStartTime
• DateTime
• Time parent process started to run.
• Example: ParentProcessName Contains "system" AND ParentProcessStartTime > "Jul 22, 2019 00:00:33"
• Example matches processes such as "system_profile" that triggered a process creation event after half-past midnight on July 22.
ParentProcessUniqueKey
• String
• Unique ID of parent process.
• Example: ParentProcessUniqueKey Contains "6EDC55FB"
• Example matches processes that spawned off this process.
ProcessCmd
• String
• Command arguments sent with a process.
• Example: ProcessCmd ~ "delete %systemdrive%"
• Example matches processes that send a command to delete the system drive.
ProcessDisplayName
• String
• Display name of process.
• Example: ProcessDisplayName Contains "Update"
ProcessImagePath
• String
• Pathname of running process.
• Example: ProcessImagePath CONTAINS "\Hard"
• Example matches processes running in the hard drive (or other folder that starts with "Hard").
ProcessImageSha1Hash
• String
• SHA1 signature of running process.
• Example: ProcessImageSha1Hash IS_EMPTY
• Example matches running processes that do not have a SHA1 signature.
ProcessIntegrityLevel
• String
• SYSTEM (operating system processes), HIGH (administrators), MEDIUM (non-administrators), LOW (temporary Internet files), UNTRUSTED
• Example: ProcessIntegrityLevel = "HIGH"
• Example matches cleaners, system tasks, and other processes triggered by admin-level users and scripts.
ProcessName
• String
• Name of process.
• Example: ProcessName IS NOT EMPTY AND DstPort = "443"
• Example matches any process going to port 443.
ProcessSessionId
• Numeric
• ID of the terminal (cmd, shell, or other terminal) session on which the process ran.
• Example: ProcessSessionId > "1"
ProcessStartTime
• DateTime
• Time process started to run.
• Example: ProcessStartTime BETWEEN "22.10.2018 00:00" AND "22.10.2018 05:00"
ProcessSubSystem
• String
• SYS_WIN32, SYS_WSL, SUBSYSTEM_UNKNOWN
• Example: ProcessSubSystem = "SUBSYSTEM_UNKNOWN"
ProcessUniqueKey
• String
• Unique ID of process.
• Example: ProcessUniqueKey = "482B618E-9AEF-4791-AA4B-04DC6B52D421"
• Example matches instances of this process.
Publisher
• String
• Publisher string.
• Example: Publisher = "<Type=Apple/ID=com.apple.syncdefaultsd>"
RegistryID
• String
• Registry Key Unique ID generated by the SentinelOne Agent for Windows endpoints.
• Example: RegistryId Contains "3344"
• Example matches events for registry value created, modified, or deleted, filtered for this ID.
RegistryPath
• String
• Full path location of the Registry Key entry.
• Example: RegistryPath Is Not Empty
• Example matches events for registry value created, modified, or deleted.
Rpid
• Numeric
• PID after relink.
• Example: Rpid = "1048"
• Example matches events for file creation and file rename, filtered for this ID.
SignatureSignedInvalidReason
• String
• SignedNotVerified, PathNotFound, I/O error., Other, Expired, Code signing encountered an incorrect
Signer
• String
• Identity of file signer.
• Example: Signer Is Empty
• Example matches unsigned file events.
SiteId
• String
• SentinelOne Site token.
• Example: SiteId ~ "63517"
• Example matches the site with this partial ID string.
SiteName
• String
• SentinelOne Site name.
• Example: SiteName NOT IN ( "corp","acme" )
• Example matches all sites that do not have "corp" or "acme" in their names.
SrcIP
• String
• IP address of traffic source.
• Example: SrcIP CONTAINS "10"
• Example matches a source IP that includes "10".
SrcPort
• Numeric
• Port number of traffic source.
• Example: SrcPort != "9" AND SrcIP CONTAINS "10"
• Example matches a source port that is not "9" together with a source IP that includes "10".
TaskName
• String
• Name of a scheduled task, as generated by the Host.
• Example: TaskName Is Not Empty
• Example matches Task events.
TaskPath
• String
• Full path location of a scheduled task.
• Example: TaskPath Contains "Google"
Tid
• String
• Thread ID
• Example: Tid = "5340"
• Example matches file events with this thread ID.
Storyline
• String
• ID of all objects associated with a SentinelOne detection.
• Example: Storyline = "D7E32540-15AB-4916-8A55-A80E956FC5CC"
• Example matches all events and processes grouped with this detection.
User
• String
• Name of endpoint user.
• Example: User CONTAINS "users"
• Example matches items with a username that includes "users".
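To see how these operators combine, here is an added Python example (not SentinelOne code) that evaluates the subset of S1QL used in this reference, comparison operators, CONTAINS, IS [NOT] EMPTY, AND/OR with parentheses and the ten-AND/OR limit from the notes above, over constructed sample events, and rejects invalid queries the way the console's red icon does. Assumptions of this toy, not documented S1QL behaviour: IN, NOT IN and BETWEEN are left out, field names match case-insensitively, and string matches are case-sensitive.

```python
import re
from operator import eq, ne, gt, lt, ge, le

EVENTS = [  # constructed sample events (not real telemetry); the field names are those of the reference above
    {"ProcessName": "powershell.exe", "ParentProcessName": "winword.exe", "DstPort": 443,
     "AgentOS": "windows", "Signer": "", "IndicatorDescription": ""},
    {"ProcessName": "svchost.exe", "ParentProcessName": "services.exe", "DstPort": 80,
     "AgentOS": "windows", "Signer": "Microsoft Windows", "IndicatorDescription": "MITRE: Persistence {T1084}."},
    {"ProcessName": "syncdefaultsd", "ParentProcessName": "launchd", "DstPort": 443,
     "AgentOS": "osx", "Signer": "Apple Inc.", "IndicatorDescription": ""},
]
TOKEN_RE = re.compile(r'\s*(?:("[^"]*")|(\d+)|(!=|>=|<=|[=<>()])|([A-Za-z_]\w*))')
CMP = {"=": eq, "!=": ne, ">": gt, "<": lt, ">=": ge, "<=": le}
MAX_LOGIC_OPS = 10  # documented limit: AND/OR at most ten times per query

def tokenize(query):  # (kind, text) tokens; keywords and field names are upper-cased, string values keep their case
    tokens, pos = [], 0
    while pos < len(query.rstrip()):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise SyntaxError(f"unexpected input at offset {pos}: {query[pos:pos + 8]!r}")
        s, n, sym, word = m.groups()
        tokens.append(("STR", s[1:-1]) if s else ("NUM", n) if n else
                      ("SYM", sym) if sym else ("WORD", word.upper()))
        pos = m.end()
    if sum(t[0] == "WORD" and t[1] in ("AND", "OR") for t in tokens) > MAX_LOGIC_OPS:
        raise SyntaxError(f"more than {MAX_LOGIC_OPS} AND/OR operators")
    return tokens + [(None, None)]  # end sentinel, so peeking past the last token is safe

def get(event, field):  # field names match case-insensitively (the reference writes both FileID and FileId)
    return next((v for k, v in event.items() if k.upper() == field), "")

def coerce(a, b):  # compare as numbers when both sides are numeric (DstPort = "443" matches 443), else as text
    try: return float(a), float(b)
    except (TypeError, ValueError): return str(a), str(b)

class S1QL:  # recursive descent: expr := term (OR term)* ; term := factor (AND factor)* ; factor := "(" expr ")" | condition
    def __init__(self, query):
        self.toks, self.i = tokenize(query), 0
    def take(self, *accept):  # consume the next token; `accept` restricts its kind or its text
        kind, text = self.toks[self.i]
        if kind is None or (accept and kind not in accept and text not in accept):
            raise SyntaxError(f"expected {' or '.join(accept) or 'a token'}, got {text!r}")
        self.i += 1
        return text
    def opt(self, *accept):  # consume the next token only if its text is one of `accept`
        return self.take(*accept) if self.toks[self.i][1] in accept else None
    def parse(self):
        pred = self.expr()
        if self.toks[self.i][0] is not None:  # leftover input, e.g. an unbalanced ")"
            raise SyntaxError(f"unexpected {self.toks[self.i][1]!r}")
        return pred
    def expr(self):  # OR binds weaker than AND: A AND B OR C reads as (A AND B) OR C
        terms = [self.term()]
        while self.opt("OR"):
            terms.append(self.term())
        return lambda ev: any(t(ev) for t in terms)
    def term(self):
        facts = [self.factor()]
        while self.opt("AND"):
            facts.append(self.factor())
        return lambda ev: all(f(ev) for f in facts)
    def factor(self):
        if self.opt("("):  # parentheses group sub-expressions; they are never decoration
            pred = self.expr()
            self.take(")")
            return pred
        return self.condition()
    def condition(self):
        field = self.take("WORD")
        if self.toks[self.i][1] in CMP:
            op, val = CMP[self.take()], self.take("STR", "NUM")
            return lambda ev: op(*coerce(get(ev, field), val))
        if self.opt("CONTAINS"):
            val = self.take("STR", "NUM")
            return lambda ev: val in str(get(ev, field))
        self.take("IS")  # IS EMPTY / IS NOT EMPTY (IN, NOT IN and BETWEEN are left out of this toy)
        negate = self.opt("NOT") is not None
        self.take("EMPTY")
        return lambda ev: (str(get(ev, field)) == "") != negate

def run_query(query, events=EVENTS):  # a SyntaxError here is what the console's red icon signals
    pred = S1QL(query).parse()
    return [ev for ev in events if pred(ev)]
```

run_query('ProcessName IS NOT EMPTY AND DstPort = "443"') returns the two sample events that connected to port 443, while a query with a stray closing parenthesis or more than ten AND/OR operators raises SyntaxError.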
You can view Deep Visibility query results in the default table view, or in the process tree view.
Table View
• Event queries show only the results for the event type. For example, if you search for
DNS Requests, you see DNS events. If you search for Modified files, you see File events.
• Use "!=" in queries to see exact results without selected values. For example, DstPort !=
"80" to find port traffic not on port 80.
• Click in a row to expand it and see details inline. You can expand multiple rows.
• Click next to a column header to see the column filter. Click it to select the values to show
or to search in the column.
Tree View
3. To see details of a process, click a node and then click Process Summary.
4. To see exactly when the chain of events starts and ends, see the timeline. The timeline
shows the selected node as a point.
5. To see different parts of the tree, click and drag. You can also scroll up and down, zoom,
and see the tree in full screen.
• The query results include detailed information gathered from the SentinelOne Agents.
Attributes in the query results include: Endpoint, User, Site ID, Path, Process ID, Process
Name, SHA1 hash, SHA256 hash, MD5, command line argument, and Storyline.
• Select an attribute to open a floating menu bar.
• If a Deep Visibility event is related to a detected threat, click True to go directly to the
Forensics details of the threat in the Management Console. If there is no related threat,
False shows.
Base64 is a group of binary-to-text encoding schemes that represent binary data in an ASCII
string format by translating it into a radix-64 representation.
When you run a Deep Visibility/Threat Hunting query and identify command line arguments encoded
in Base64, the platform lets you decode the data.
1. In the attributes of an event, click Show More, usually next to a Command Line
argument.
2. In the window that opens, select encoded text with a cursor and click Decode Text -
Base 64.
3. The decoded text shows in the window and the data can be copied to the clipboard.
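As an added example (not SentinelOne's code), this Python routine does what the Decode Text - Base 64 step does for a selected command line argument, and handles two cases the manual step leaves to you: a selection that lost its "=" padding, and a PowerShell -EncodedCommand payload, which is UTF-16LE rather than UTF-8. The command line is constructed, not captured.

```python
import base64
import binascii
import re

# Constructed sample command line (not real telemetry). The encoded argument is "whoami"
# in UTF-16LE, the encoding that PowerShell's -EncodedCommand parameter expects.
SAMPLE_CMDLINE = (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
                  "-NoProfile -EncodedCommand dwBoAG8AYQBtAGkA")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # long runs that look like Base64


def decode_base64_text(selection):
    """Decode one selected Base64 string, like the console's Decode Text - Base 64 step.

    Returns the decoded text, or None when the selection is not valid Base64. It handles
    the two things a pasted selection commonly needs: repairing missing "=" padding, and
    recognising UTF-16LE payloads (every second byte is NUL) instead of showing them as
    text with embedded NULs.
    """
    cleaned = re.sub(r"\s+", "", selection)
    if len(cleaned) % 4 == 1:  # no Base64 string has this length
        return None
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        raw = base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and len(raw) % 2 == 0 and raw[1::2] == b"\x00" * (len(raw) // 2):
        return raw.decode("utf-16-le")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.hex()  # binary payload: show hex rather than mojibake


def decode_command_line(cmdline):
    """Return (token, decoded) for every Base64-looking argument in a command line.

    A long path component such as "WindowsPowerShell" looks like Base64 but is not,
    so it comes back with None; only real encoded arguments decode.
    """
    return [(m.group(0), decode_base64_text(m.group(0))) for m in B64_TOKEN.finditer(cmdline)]
```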
• Select an event and click Actions. The options depend on the event type. They include:
o Fetch Logs - When you click this, the Agent collects relevant logs.
To get the logs, click Activity > Administrative > Log operations. When the logs are
on the Management Console, the download button will be available.
o Disconnect From Network - The Agent can communicate only with the Management
Console. The endpoint cannot communicate with other components on the network.
o Mark As Threat - Creates an active threat alert on the Dashboard for all processes
with the same Storyline, adds the processes to the blacklist, and the Agent mitigates
according to the Policy.
o Mark As Suspicious - Creates a suspicious alert on the Dashboard for all processes
with the same Storyline, and the Agent mitigates according to the Policy. This option
is available from Iguazu and later.
o Add To Blacklist - Adds the SHA1 hash of the event to a blacklist. After you click Add
To Blacklist, select whether to add the hash to the Global, Account, or Site blacklist.
• Click an endpoint name to open its details and run more Actions.
Each use case uses Deep Visibility to find the context around a piece of information or event.
There are many potential ways to follow through with a hunt, but each example shows one way.
Use Case: Attackers often use legitimate endpoint processes to evade detection while they
carry out malicious tasks. Let's see if your environment shows an indication of this compromise.
Use Case: Attacks often create a scheduled task. If a malicious process can get into this service,
it can be used for persistence, to run a lateral movement attack during work hours with
privileges, or other techniques.
OR: Click IndicatorName, = and in the quotes enter this string: ScheduleTaskRegister
Use case: I read about a malicious URL or hash and want to see if it is present in my environment.
5. Press enter from the query field or click the search icon.
Note: The query results open in chronological order.
10. Select New Main Query to start a new query for this command. Or select Add to Main
Query.
Use case: You get a report of an IOC on an endpoint at a certain time. You want to understand
the flow of events.
5. Look for abnormalities, such as processes running out of non-standard folders and files
written to nonstandard locations, and use them as pivot points.
6. When you find an abnormal event that seems relevant, use the Storyline to find all related
events.
Use Case: You get a notification on a new campaign from a security blog. It is a collection of newly
discovered malware that comes from a Microsoft Office document (doc, xls, ppt). The
manipulated document opens a PowerShell that collects local data and sends it to one of many
servers.
Note: This Mitre attack technique is the same as creating the more complex query:
3. Select AND.
4. Select NetworkDirection and =. In the quotes, enter "POST".
5. Click Save New Query.
6. If you get a notification of matching behavior, you will get the IP address of the server. If
it is a safe server, and the user of the endpoint is simply running a Word doc with
macros, you can update the query with: AND NetworkURL != "safe IP".
If it is not a safe server, in Visibility, click a result row of the endpoint and then click
Actions > Disconnect from Network.
7. Open the details of the row. Click the open blue circle of document hash and run it as a
new query.
8. See which endpoints in your organization have this behavior. Remediate the detection
for all these endpoints.
9. Add the document hash to the blacklist.
The ability to search for Mitre techniques in EDR vendors is a growing trend. Threat Hunting
teams across security vectors require a correlation between their environments and Mitre
knowledge. SentinelOne leverages our Dynamic Behavioral engine to show the behavior of
processes in the endpoints. To make it easier and faster for you to use this knowledge, we map
our behavioral indicators to the Mitre ATT&CK framework. You can create queries out-of-the-box
and search for Mitre attack characteristics across your scope of endpoints. With other EDR
vendors, you would have to create a multitude of complex hunting queries to cover all the
findings of Mitre. With SentinelOne, all you need is the Mitre ID or another string in the
description, the category, the name, or metadata.
For example, in SentinelOne Deep Visibility, use this query to find any process or event with
behavioral characteristics of the attack technique known as Process Injection:
With a different vendor, you will need to create a complex regular expression query, and run it
many times with changes for known characteristic tweaks. If you look at Mitre's page for T1055,
you notice that you will need a different query for macOS, Linux, and Windows. Then there are
more than 50 examples of malware and compromised utilities. You would need a query for each.
• Click the Indicators tab in the Visibility page to see the indicator data.
• Click a row to see more details. The Indicator Description includes a link to that
technique's Mitre page.
Use case: You mitigated a threat in your environment. Now you want to see if that IOC is
anywhere else in the network.
5. See in the results which endpoints were involved. In this case, only one.
6. Expand an event and click next to the Storyline to open the floating menu.
7. In the sub-menu, select Add to Main Query.
After you create Threat Hunting queries, you can save the queries to use again. You can run saved
queries manually or set queries to run on a scheduled basis and send notifications to an Admin.
To create Threat Hunting watchlists, create queries that run periodically and send notifications
when they find results that match. The admin that receives the notifications must have
permissions to see the search in the Management Console.
To save a query:
1. On the sidebar, click Visibility.
2. Run a query.
3. Click Save New Query.
4. In the window that opens, in Set name, enter a name for the query.
5. Click Save.
6. In Timing rate, select the frequency at which the query will run.
7. In Notification recipients, enter the email addresses of admins to get notifications.
Notifications are only sent if there are results that match the query. Admins must have
Management Console permissions to see the results.
8. Click Save.
After a Deep Visibility query is saved, you can run it, change its name and notification settings,
and delete it.
3. Optional: Use the Search field to search by the name of the saved query.
4. Select a query.
It runs and the results open in the Visibility view.
Deep Visibility collects URL data from an extension that is installed on Safari and Chrome, and
from Internet Explorer and Edge without an extension.
The way to install and uninstall the browser extension depends on the endpoint OS and Agent
version.
In macOS Agents:
• The Deep Visibility browser extensions for Safari and Chrome are controlled by the policy
of the Agents.
• The behavior is slightly different in Safari and in Chrome.
o The Safari extension is enabled or disabled on endpoints.
o The Chrome extension is installed or uninstalled on endpoints.
The Agent enables or installs the extension if the policy is changed to enable Deep Visibility >
URL. The Agent disables or uninstalls the extension if the URL option is disabled.
In Windows Agents:
• The Chrome browser extension is installed or uninstalled on Agents based on the policy
of the Agents.
o The Agent installs the extension if the policy is changed to enable Deep Visibility
> URL. The Agent uninstalls the extension if the URL option is disabled.
o Internet Explorer and Edge do not have a browser extension, but they also work
with Deep Visibility based on the settings configured in the policy.
Important: Deep Visibility abilities, especially supported file types, evolve with SentinelOne
development. Make sure to read the latest release notes for new support and for limitations.
Use items from the Indicator Category listed here to perform IndicatorCategory queries on the
Visibility page.
Use items from the Indicator Name listed here to perform IndicatorName queries on the
Visibility page.
Use items from the Indicator Description listed here to perform IndicatorDescription queries on
the Visibility page.
SentinelOne integrates with Mitre. The Mitre technique ID is in the Forensics details and in Deep
Visibility. For each query in this table, you can run: IndicatorDescription Contains "TID". Here we
also show a more descriptive query, to help you understand the syntax.
Module Review
In this module, you were introduced to the SentinelOne Deep Visibility functionality and how it
can be used for Threat Hunting. In this module we reviewed:
4. True or False. You can save a query and schedule it to run periodically and send
notifications when results are found.
a. _____________________
MODULE 6
SentinelOne Reports
Insight Reports
You can create one-time or scheduled Insight reports to see high-level and detailed information
on the state of your endpoint security. Reports include statistics, trends, and summaries with
easy to read and actionable information about your network.
You can see reports in the Management Console and automatically send them by email to the
addresses that you enter.
Scope of reports:
The scope of the report is based on the Management Console view you are in when you create
the report.
• If you are in one Site, the scope of the report is that Site.
• If you are a Global Admin or an Admin of multiple Sites in the Global view, reports that
you create include information combined for all Sites in your scope.
• If you select a report for a specific group, for example, Executive Insights by Group, a
field shows to enter the Group Name.
Creating Reports
Note: To configure email recipients, set up SMTP in Settings > Integrations. Recipients
do not require Management Console privileges.
11. Click Create.
Note: Only reports that ran show in the table. You can see the list of future reports in
Load Report Task.
Editing Reports
3. Select a report task from the list. Search for part of the task name, if necessary.
The task shows in the Reports view and Actions for the task that are available.
4. Click Actions and select Edit or Delete.
Deleting Reports
You can delete a scheduled report so that it does not create more reports, or change its
details. You can change a report's Name or Recipients. To change the type of report, frequency,
or scope, create a new Report Task and delete the old one.
You can delete created reports from the Management Console when you do not need them, or
save them in a different location.
Downloading a Report
From the Reports view, Admin and Viewer users can download all created reports for Sites in
their scope.
To get a report:
1. In the sidebar, click Reports.
2. In Reports, select the report that you want to see.
Module Review
1. Insight Reports contain which of the following information about the network?
a. Statistics
b. Trends
c. Summaries
d. Ranger Endpoints
5. What are the two report formats for the Raw Data Report?
a. PDF
b. JSON
c. RTF
d. CSV