
Information in this training manual, including any URL or other Internet website, is subject to

change without prior notice.

Unless otherwise noted, the companies, organizations, products, email addresses, people,
places, and events depicted herein are fictitious, and no association with any real company,
organization, product, email address, person, places, or events is intended or should be
inferred. Complying with all copyright laws is the responsibility of the user.

No part of this document may be reproduced, stored in, or introduced into a retrieval system,
or transmitted in any form or by any means (electronic, mechanical, photocopying, recording,
or otherwise), or for any purpose, without the express written permission of SentinelOne.

SentinelOne may have trademarks, copyrights, or other intellectual property rights covering
subject matter in this document. Except as expressly provided in any written license agreement
from SentinelOne the furnishing of this document does not give you any license to these
trademarks, copyrights, or other intellectual property.

The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.

Copyright © 2020 SentinelOne. All rights reserved.

July 25, 2020.

SentinelOne
605 Fairchild Dr
Mountain View, CA 94043
www.sentinelone.com

i
TABLE OF CONTENTS

Module 1 - Introduction
Module Objectives ...................................................................................... 1-1
Introductions............................................................................................... 1-2
Course Outline ............................................................................................ 1-3
What is SentinelOne? ................................................................................. 1-6
SentinelOne Core ........................................................................................ 1-7
SentinelOne Control ................................................................................... 1-8
SentinelOne Complete ................................................................................ 1-9
Overall Strengths ...................................................................................... 1-10
Underlying Technology ............................................................................. 1-11
SentinelOne Ranger .................................................................................. 1-13
SentinelOne Vigilance ............................................................................... 1-14
SentinelOne Resources ............................................................................. 1-15
Module Review ......................................................................................... 1-16
Review Questions and Group Discussion ................................................. 1-17

Module 2 – Management Console Overview


Module Objectives ...................................................................................... 2-1
SentinelOne Hierarchy ................................................................................ 2-2
Management Console Views ...................................................................... 2-3
Selecting a Scope ........................................................................................ 2-4
Dashboard ................................................................................................... 2-6
Visibility ....................................................................................................... 2-7
Ranger ......................................................................................................... 2-8
Sentinels ...................................................................................................... 2-9
Policy .................................................................................................... 2-11
Endpoints .............................................................................................. 2-12
Blacklist ................................................................................................ 2-14
Exclusions ............................................................................................ 2-15
Firewall Control ................................................................................... 2-16
Device Control ...................................................................................... 2-17
Packages ............................................................................................... 2-18
Account/Site/Group Info ...................................................................... 2-19
Group Ranking ...................................................................................... 2-20
Incidents.................................................................................................... 2-21
Incident Details ..................................................................................... 2-22
Applications .............................................................................................. 2-23
Activity ...................................................................................................... 2-25
Reports ...................................................................................................... 2-28
Settings...................................................................................................... 2-29
Configuration ........................................................................................ 2-30
Notifications ......................................................................................... 2-32
Users ..................................................................................................... 2-33
Integrations .......................................................................................... 2-34
Policy Override ..................................................................................... 2-35
Sites ...................................................................................................... 2-36
Module Review ......................................................................................... 2-38
Review Questions ..................................................................................... 2-39

Module 3 – SentinelOne Administration


Module Objectives ...................................................................................... 3-1
Management Console Dashboard .............................................................. 3-2
Working With Widgets ........................................................................... 3-3
Policy Settings ............................................................................................. 3-7
Policy Mode Options .............................................................................. 3-8
Policy Engine Behavior ........................................................................... 3-9
Policy Engines ....................................................................................... 3-11
Containment ......................................................................................... 3-13
Advanced .............................................................................................. 3-14
Agent Configuration ............................................................................. 3-15
Deep Visibility Configuration ............................................................... 3-16
Remote Shell ........................................................................................ 3-18
Configuration Settings .............................................................................. 3-21
Configuring Session Timeout ................................................................ 3-21
Two-Factor Authentication .................................................................. 3-21
Advanced Mode ................................................................................... 3-22
Managing Sites .......................................................................................... 3-23
Creating a New Site .............................................................................. 3-24
Deleting a Site....................................................................................... 3-27
Managing Groups...................................................................................... 3-28
Creating a Group .................................................................................. 3-29
Editing a Group ..................................................................................... 3-31
Deleting a Group .................................................................................. 3-32
Ranking Dynamic Groups ..................................................................... 3-33
User Management .................................................................................... 3-34
User Roles ............................................................................................. 3-34
Creating a New User ............................................................................. 3-38
Editing User Details .............................................................................. 3-40
Managing Agents ...................................................................................... 3-45
Installing an Agent on a Windows Endpoint ........................................ 3-46
Installing an Agent on macOS Prior to 10.13 ....................................... 3-48
Installing an Agent on macOS 10.13 and Higher ................................. 3-49
Installing an Agent on Linux Endpoints ............................................... 3-51
Uploading a Package for Agent Installation or Upgrade ..................... 3-52
Upgrading a Selected List of Agents ..................................................... 3-54

Pending Action ..................................................................................... 3-55
Managing Endpoints ................................................................................. 3-58
Endpoint Filter ...................................................................................... 3-58
Actions .................................................................................................. 3-62
Endpoint Details Pane .......................................................................... 3-65
Moving an Agent .................................................................. 3-66
Uninstalling Agents from the Management Console .......................... 3-68
Decommission an Agent ....................................................................... 3-71
Agent Migration Between Management Consoles .............................. 3-72
Sending Console Messages to Endpoints ................................................. 3-75
Integrating SMTP Servers.......................................................................... 3-76
Configuring Email Notifications ................................................................ 3-78
Integrating Syslog Servers ......................................................................... 3-80
Configuring Syslog Notifications ............................................................... 3-82
Device Control .......................................................................................... 3-83
Device Control Settings ........................................................................ 3-84
Device Control Rules and Rule Order ................................................... 3-87
Creating Device Control Rules .............................................................. 3-90
Enable, Disable or Edit a Rule ............................................................... 3-93
Change the Order of a Rule ................................................................. 3-95
Moving and Copying Rules ................................................................... 3-96
Reviewing Device Control Activity Logs ............................................... 3-98
Creating Device Control Rules from Events ....................................... 3-100
SentinelOne Firewall Control .................................................................. 3-103
Firewall Control Settings .................................................................... 3-104
Creating and Editing Firewall Rules .................................................... 3-106
Enable, Disable or Edit a Rule............................................................. 3-111
Firewall Rules and Rule Order ............................................................ 3-113
Moving and Copying Rules ................................................................. 3-115
Importing and Exporting Firewall Rules ............................................. 3-118
Reviewing Firewall Control Activity Logs ........................................... 3-121
Location Aware Firewall ..................................................................... 3-123
Configuring Locations ............................................................................. 3-124
Getting Logs for Support ......................................................................... 3-137
Module Review ....................................................................................... 3-140
Review Questions ................................................................................... 3-141

Module 4 – SentinelOne Investigator


Module Objectives ...................................................................................... 4-1
Managing the Blacklist ................................................................................ 4-2
Adding a Hash to the Blacklist ................................................................ 4-3
Managing Exclusions ................................................................................... 4-5
Creating a Hash Exclusion ...................................................................... 4-6
Creating a Path Exclusion ....................................................................... 4-7

Path Exclusion Details............................................................................. 4-8
Path Exclusion Mode .............................................................................. 4-9
Best Practices for Path Exclusions ........................................................ 4-11
Path Exclusions to Avoid ...................................................................... 4-12
Excluding a Signer Identity (Certificate) ............................................... 4-15
Excluding a File Type ............................................................................ 4-17
Excluding a Browser ............................................................................. 4-18
Agent Support for Exclusions ............................................................... 4-19
Analyzing Threats ...................................................................................... 4-20
Threat Management ............................................................................ 4-21
Forensic Analysis of Threats ................................................................. 4-29
Incident Details – Page Settings ........................................................... 4-31
Incident Details – Overview Tab........................................................... 4-32
Incident Details - Header ................................................................. 4-32
Incident Details - Summary.............................................................. 4-34
Incident Details – Threat Information ............................................. 4-35
Incident Details – Endpoint Details.................................................. 4-36
Incident Details – Threat Indicators................................................. 4-37
Incident Details – Notes ................................................................... 4-38
Incident Details – Explore Tab .............................................................. 4-39
Incident Details – Timeline Tab ............................................................ 4-44
Timeline – Filters .............................................................................. 4-45
Timeline – Export Events Log ........................................................... 4-45
Mitigation Actions ..................................................................................... 4-47
On-Demand File Fetch .............................................................................. 4-51
Full Disk Scan............................................................................................. 4-54
Application Risk Management .................................................................. 4-57
SentinelOne Remote Shell ........................................................................ 4-61
Module Review ......................................................................................... 4-64
Review Questions ..................................................................................... 4-65

Module 5 – SentinelOne Deep Visibility/Threat Hunting


Module Objectives ...................................................................................... 5-1
What is Threat Hunting ............................................................................... 5-2
Storyline ...................................................................................................... 5-4
Configuring Deep Visibility Data Collection ................................................ 5-6
How to Use Deep Visibility.......................................................................... 5-8
Deep Visibility Query Syntax ................................................................ 5-10
Deep Visibility Query Fields .................................................................. 5-10
Deep Visibility Query Keywords and Operators ................................... 5-22
View Query Results in a Table or Tree View ............................................. 5-23
Threat Hunting Query ............................................................................... 5-26
Decoding Command Line Arguments with Base 64.................................. 5-28
Taking Action from the Visibility Page ...................................................... 5-30

Deep Visibility Use Cases .......................................................................... 5-31
Hunting for Living Off the Land Attacks ............................................... 5-31
Hunting Abnormal Scheduled Task Creation ....................................... 5-32
Hunting IOCs based on a Known Starting Point ................................... 5-33
Hunting Abnormal Behavior on an Endpoint ....................................... 5-37
Hunting Abnormal Behavior by Known Characteristic......................... 5-38
Searching for Behavioral Indicators .......................................................... 5-39
Responding to Incidents with Deep Visibility ........................................... 5-41
Saving Threat Hunting Queries and Watchlists ........................................ 5-43
Working with Saved Deep Visibility Queries ............................................ 5-45
Managing the Browser Extension ............................................................ 5-47
Supported File Types for Deep Visibility .................................................. 5-48
List of Indicator Names and Categories .................................................... 5-49
Queries for Mitre Techniques ................................................................... 5-60
Module Review ......................................................................................... 5-65
Review Questions ..................................................................................... 5-67

Module 6 – SentinelOne Reports


Module Objectives ...................................................................................... 6-1
Insight Reports ............................................................................................ 6-2
Creating Reports ..................................................................................... 6-3
Editing Reports ....................................................................................... 6-5
Deleting Reports ..................................................................................... 6-6
Downloading a Report ................................................................................ 6-7
Module Review ........................................................................................... 6-8
Review Questions ....................................................................................... 6-9

Introduction

MODULE 1
Introduction

Welcome to the SentinelOne Core Workshop. In this course, you will learn the skills necessary
to effectively use the SentinelOne platform for endpoint protection. In this module, we will
cover:

• Introductions
• Course Outline
• What is SentinelOne
• SentinelOne Versions
• SentinelOne Strengths
• Underlying Technology
• SentinelOne Ranger
• SentinelOne Vigilance
• SentinelOne Resources

© SentinelOne 1-1

Introductions

Notes:

Course Outline
Module 1 – Introduction
• Introductions
• Course Outline
• What is SentinelOne
• SentinelOne Versions
• SentinelOne Strengths
• Underlying Technology
• SentinelOne Architecture
• SentinelOne Ranger
• SentinelOne Vigilance
• SentinelOne Resources

Module 2 – SentinelOne Management Console Overview


• SentinelOne Hierarchy
• Management Console Views
• Scope
• Dashboard
• Deep Visibility
• Ranger
• Sentinels
• Endpoints
• Policy
• Blacklist
• Exclusions
• Firewall Control
• Device Control
• Packages
• Incidents (Threat Management)
• Applications
• Activity
• Reports
• Settings
• Configuration
• Notifications
• Users
• Integrations
• Policy Override
• Accounts
• Sites
• Locations

Module 3 – SentinelOne Administration


• Management Console Dashboard
• Working with Widgets
• Policy Settings
• Configuration
• Managing Sites
• Managing Groups
• Managing Agents
• Installing Agents on Windows
• SCCM Deployment on Windows
• Installing on macOS Endpoints
• Installing on Linux Endpoints
• Updating Agents
• Pending Actions
• Managing Endpoints
• Action Selections
• Endpoint Details Window
• Moving Endpoints
• Uninstalling Agents
• Decommission an Agent
• Changing an Agent Configuration
• Console Messages
• Integration and Notifications
• Device Control
• Firewall Control
• Configuring Locations
• Obtaining Logs for Support

Module 4 – SentinelOne Investigator


• Managing Blacklists
• Managing Exclusions
• Hash
• Path
• Signer Identity
• File Type
• Browser
• Analyzing Threats
• Threat Management
• Incident Details
• Mitigation Actions
• On-Demand File Fetch
• Full Disk Scan

• Application Risk Management
• Remote Shell

Module 5 – SentinelOne Deep Visibility


• Understanding Deep Visibility
• How to Use Deep Visibility
• Threat Hunting Query
• Take Action from the Visibility Page
• Deep Visibility Query Syntax
• Deep Visibility Use Cases
• Hunting Abnormal Behavior on an Endpoint
• Responding to Incidents with Deep Visibility
• Configuring Deep Visibility Data Collection
• Saving Threat Hunting Queries and Watchlists
• Working with Saved Deep Visibility Queries
• Query with Custom Time Range
• Managing the Browser Extension
• Supported File Types for Deep Visibility

Module 6 – Reports
• Creating Insight Reports
• Editing and Deleting Reports
• Downloading a Report

What Is SentinelOne?

SentinelOne is an endpoint protection platform designed for enterprise organizations that gives
them visibility into their own network. It is a network security solution built around the approach
known as endpoint security, which focuses on detecting and eliminating security and cyber threats
on the endpoints themselves.

SentinelOne provides a broad range of protection against different modes of security threats
and attacks, including malware, ransomware, exploits, and live or insider attacks. The platform
provides remediation capability, which enables users to instantly mitigate the effects of a
cyber-attack and restore the system, making it immune from such threats in the future.
SentinelOne moreover has the capability to detect threats in advance through the aid of its
machine learning and intelligent automation.

The most prominent feature of the SentinelOne platform is its use of machine learning and
Artificial Intelligence to consistently protect critical endpoints from cyber-attacks. SentinelOne
can anticipate threats and attacks by deeply inspecting files, documents, emails, credentials,
browsers, payloads, and memory. It can automatically disconnect a device from the network
when it identifies a possible security threat or attack.

SentinelOne Core

SentinelOne Core delivers multi-layered AI-powered endpoint protection, with Static AI
pre-execution protection for known and unknown malware, and Behavioral AI agent-side
behavioral monitoring that covers any attack vector, including unknown exploits and
attempts to bypass traditional anti-virus. SentinelOne Core has all essential endpoint
security features in place, including prevention, detection, and response. It provides
prevention and detection of attacks across all major vectors and rapid elimination of
threats with fully automated, policy-driven response capabilities.

SentinelOne Core offers attack remediation, cleaning all artifacts of a malicious attempt,
including registry entries, scheduled tasks and more, while Rollback Revert returns an
endpoint to its pre-infected state. Upon detection, SentinelOne can immediately stop lateral
threat spread cold by disconnecting the infected endpoint from the network while still
maintaining the agent’s connection to the management console.

SentinelOne Control

SentinelOne Control builds on all the features of SentinelOne Core and adds security
features, such as device control and endpoint firewall control. This includes:

• Device Control for policy-based control of all USB device peripherals
• Firewall Control for policy-based control of network connectivity to and from assets,
including location awareness
• Vulnerability Management, in addition to Application Inventory, for insight into
third-party apps that have known vulnerabilities mapped to the MITRE CVE database
• Full Remote Shell capability for direct endpoint access by incident responders and
forensics personnel

The innovative security solution offers broad protection against diverse modes of attack,
including:

• Malware
  – Executables: Trojans, malware, worms, backdoors, payload-based
  – Fileless: memory-only malware, no disk-based indicators
• Exploits
  – Documents: exploits rooted in Office documents, Adobe files, macros, spear phishing emails
  – Browser: drive-by downloads, Flash, Java, JavaScript, VBS, IFrame/HTML5, plug-ins
• Live/Insider
  – Scripts: PowerShell, WMI, PowerSploit, VBS
  – Credentials: Mimikatz, credential scraping, tokens

SentinelOne Complete

SentinelOne Complete adds Deep Visibility EDR that provides actionable context in an
easy-to-use UI. SentinelOne Complete utilizes the same agent to provide enterprise
EDR visibility for Windows, Mac, Linux, and Kubernetes containers; no additional
installed code is necessary. Deep Visibility provides the SOC, Threat Hunters, and
Incident Responders with a full-featured investigative tool. Deep Viz is easy to use, and
Storyline is the underlying technology that lets you reach root cause in one pivot, saving
you time and trial and error. S1 Complete provides 30 days of historical EDR data out of
the box and affordably scales to 365 days if you require it.

Deep Visibility also provides the ability to search by MITRE ATT&CK framework
techniques when an atomic IoC is unknown.

When you find something suspicious, simply mark the story as a threat and ActiveEDR
commands the agents to mitigate.

Overall Strengths

SentinelOne’s strength comes from the combination of its many features:

• SentinelOne is a unified, purpose-built agent that supports all modern Windows
versions back to XP, Linux, Apple macOS, and VDI or virtualization.
• Deploy management on multiple platforms: Cloud, GovCloud, on prem, or hybrid cloud.
• Protect online or offline.
• 300+ open APIs are the basis for integrations with other products.
• SentinelOne can be operated by everyone from security novices to sophisticated IR
investigators.
• SentinelOne offers Vigilance MDR services for organizations that need the added
support.
• SentinelOne automates response and recovery to get users working again quickly.

Underlying Technology

Prevent
Before a portable executable, PDF or Office doc runs in memory, we are going to
analyze it and see if it looks odd in any way. If it has the characteristics of what we
know is not good, we are going to quarantine it. Using a Static AI model, we’re able to
determine if a file is malicious pre-execution: our model yields extremely high efficacy
rates with very low false positives, making SentinelOne one of the world’s leading
prevention-first products, all while being 100% signature free.

Detect
SentinelOne agents identify evil in real time even if there is no cloud connection.
Anything that starts to run on the machine is analyzed using SentinelOne’s proprietary
Behavioral AI engine. S1 tracks every process, application, and group in real time on the
endpoint and is able to pinpoint when an activity crosses a threshold from benign to
malicious. We’ve trained our behavioral models to understand and recognize every
process on the endpoint making our detection capability vector agnostic and wildly
effective for complex vectors like fileless attacks.

When code begins to run, this is where our Active EDR (automated threat hunting
mechanism) comes in. It will watch the action play out and determine if there is any
odd lateral movement, fileless attacks, exploits or bad scripts/macros. An example is a
document that you open in MS Word which then spawns PowerShell and reaches out to
the Internet to download something. We are tracking everything that happens in the OS
as a set of stories. We continue watching the process to see if any malicious activity occurs.

Respond
The agent responds to all threats at machine speed. The Behavioral engine is able to
automatically mitigate processes and remediate in real time. This is the core value of
ActiveEDR: SentinelOne agents operate like a SOC on each and every endpoint, working
for you. The Storyline ID is how SentinelOne automatically links all behaviors to their
root in real time, building the complete storyline and automatically performing SOC
analysis so that cybersecurity staff can do and see more. If the file is found to be
malicious, we have a protective response, such as: kill the process, quarantine the file,
clean up from the attack, or roll back the system to a known good state. We can also take
actions like disconnecting the endpoint from the network and using a Remote Shell.
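As an added illustration of the Storyline idea in the Detect and Respond sections (example code written for this manual's reader, not SentinelOne's own code or telemetry format), the following Python links constructed process and network events back to their root process, flags a story in which an Office application spawns a script host that connects out, and lists every process in that story as the mitigation target. The event tuple layout, the launcher rule and the process-name lists are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample telemetry for this example (not real SentinelOne data or format).
# Each tuple is (pid, ppid, image, event_type, detail); event_type is "process" or "network".
SAMPLE_EVENTS = [
    ("100", "1",   "explorer.exe",   "process", "start"),
    ("200", "100", "winword.exe",    "process", "start"),
    ("300", "200", "powershell.exe", "process", "start"),
    ("300", "200", "powershell.exe", "network", "203.0.113.10:443"),
    ("400", "100", "chrome.exe",     "process", "start"),
    ("400", "100", "chrome.exe",     "network", "198.51.100.7:443"),
    ("500", "100", "excel.exe",      "process", "start"),
]

# Assumed classification lists for the example.
LAUNCHERS = {"explorer.exe"}          # a child of a launcher begins a new story
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Story:
    """All processes and network activity that trace back to one user-launched root."""
    root_pid: str
    processes: dict = field(default_factory=dict)  # pid -> image name
    parent: dict = field(default_factory=dict)     # pid -> parent pid
    network: list = field(default_factory=list)    # (pid, destination) pairs


def build_storylines(events):
    """Group events into stories keyed by the pid of their root process.

    The root is found by walking the parent chain until the parent is a launcher
    or is unknown, which mirrors linking every behaviour back to its origin rather
    than judging each event on its own.
    """
    parent, image = {}, {}
    for pid, ppid, img, etype, _ in events:
        if etype == "process":
            parent[pid], image[pid] = ppid, img

    def root_of(pid):
        while parent.get(pid) in image and image[parent[pid]] not in LAUNCHERS:
            pid = parent[pid]
        return pid

    stories = {}
    for pid, ppid, img, etype, detail in events:
        if img in LAUNCHERS:
            continue  # the launcher itself belongs to no story
        root = root_of(pid)
        story = stories.setdefault(root, Story(root_pid=root))
        story.processes[pid] = img
        story.parent[pid] = ppid
        if etype == "network":
            story.network.append((pid, detail))
    return stories


def ancestors(story, pid):
    """Yield the image names of pid's ancestors within the story, nearest first."""
    pid = story.parent.get(pid)
    while pid in story.processes:
        yield story.processes[pid]
        pid = story.parent.get(pid)


def office_to_script_to_network(story):
    """Return (office_app, script_host, destination) when a script host descended
    from an Office application connected out inside this story, else None."""
    for pid, dest in story.network:
        img = story.processes.get(pid)
        if img in SCRIPT_HOSTS:
            for anc in ancestors(story, pid):
                if anc in OFFICE_APPS:
                    return (anc, img, dest)
    return None


def mitigation_targets(story):
    """Pids to terminate for a flagged story: the whole chain, not just the last hop."""
    return sorted(story.processes, key=int)


def analyze(events):
    """Map each story root pid to the suspicious chain found, or None when benign."""
    return {root: office_to_script_to_network(story)
            for root, story in build_storylines(events).items()}


if __name__ == "__main__":
    stories = build_storylines(SAMPLE_EVENTS)
    for root, verdict in analyze(SAMPLE_EVENTS).items():
        if verdict:
            print(f"story {root}: THREAT {verdict}; kill {mitigation_targets(stories[root])}")
        else:
            print(f"story {root}: benign")
```

Only the Word story is flagged; the browser's own outbound connection stays benign because no script host sits under an Office parent.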

Hunt
For those threats that we do not catch automatically, we have ActiveEDR Advanced, also
known as the Deep Visibility/Threat Hunting capability. SentinelOne retains the context of
all this data for 90 days so that threat hunting is far easier for novices and experts
alike. With SentinelOne’s ActiveEDR, analysts can spend more time hunting. The Deep
Visibility Threat Hunting Module lets the world’s pre-eminent security teams, as well as
SMBs, use nuanced responses such as full remote shell execution.

Most other EDR solutions transport all data in discrete form to the cloud and assemble it
there; SentinelOne takes a different approach. The problems with how others do this:
1. Network bandwidth consumption is high.
2. Analysis is done after the fact, which rules out active prevention and response; this
delay creates dwell time.
3. SOC analysts have to assemble every story themselves.
4. Alert fatigue is the byproduct.


SentinelOne Ranger

SentinelOne Ranger creates visibility into your network by using distributed passive and active
mapping techniques to discover running services, unmanaged endpoints, IoT devices, and
mobiles.

The number of devices running on networks is increasing as people bring their personal phones,
laptops, and smart devices into the workplace. Additionally, more and more Internet of Things
(IoT), Operational Technology (OT), and smart appliances are being added to the network. All
these devices are becoming increasingly intelligent and complex. This complexity can lead to
bugs, and bugs can lead to vulnerabilities. This means it’s increasingly important for network
administrators to have a way of keeping inventory of what’s on their network. Ranger
generates this inventory automatically and keeps it current over time.

Ranger also makes it easy to find unmanaged endpoints. You want to make sure every device
joining your network is protected, but this can be tricky with an increasing number of devices
and limited IT personnel. With Ranger, a list of unmanaged endpoints is just a few clicks away.


SentinelOne Vigilance

Vigilance is SentinelOne’s Managed Detection and Response (MDR) service, provided by a
group of highly trained cyber-security analysts. It empowers IT/SOC teams by accelerating
the detection, prioritization, and response to advanced cyber threats, reducing the risk of
missing a critical alert that needs attention. The Vigilance analysts assess all alerts, review
raw threat data, process operations, and network connections, and analyze samples as needed.

• Accelerated time to protection: SentinelOne Vigilance adds an extra layer of protection to
your SentinelOne solution. It augments your team with SentinelOne Cyber Security Analysts,
who work with you to accelerate the detection, prioritization, and response to threats.
• Forensics and Threat Hunting: Taking advantage of the power of the SentinelOne
Endpoint Protection Platform, Cyber Security Analysts deliver on-demand sample
forensics, Post detection hunting in your environment (requires SentinelOne Complete
license), and detect security incidents.
• Augment your Security Team: SentinelOne Cyber Security Analysts run through
suspicious events in your SentinelOne console, conducting sample analysis as needed.
We augment your security team by determining if events are threats or benign. You
receive proactive notifications to keep you abreast of any critical events.


SentinelOne Resources


During this module, you were introduced to what SentinelOne is, the architecture and system
requirements.


Module 1 Review Questions

1. What is EPP?

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

2. What is EDR?

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

3. Which SentinelOne Engine runs scans upon file execution, in addition to when files are
written to the disk looking for malicious files?
a. Deep File Inspection (DFI)
b. Reputation
c. Dynamic Behavioral Tracking (DBT)
d. Anti-Exploitation

Module 1 Group Discussion Questions

1. What types of attacks are you seeing on your network and the frequency in which they
occur?

2. Has your organization been the victim of cyber-attacks and describe the attacks?

SentinelOne Management Console

MODULE 2
Management Console Overview

This module is intended to introduce users to the SentinelOne Console. In this module you will
review all of the SentinelOne views:
• SentinelOne Hierarchy • Incidents (Threat Management)
• Management Console Views • Applications
• Scope • Activity
• Dashboard • Reports
• Deep Visibility • Settings
• Ranger • Configuration
• Sentinels • Notifications
• Endpoints • Users
• Policy • Integrations
• Blacklist • Policy Override
• Exclusions • Accounts
• Firewall Control • Sites
• Device Control • Locations
• Packages


SentinelOne Hierarchy

Each Management Console user has an Access level (Global, Account, or Site): the boundary
of influence for licenses, policies, blacklists, exclusions, packages, settings, reports, and
other features.

Each user also has a role which defines what they can do within the Access level.

Global – The Global Scope manages the complete deployment of all Accounts, Sites and
Groups.
Account – One or more logical segments with permissions to configure features for specific
Sites. Each Account can have multiple Sites. An Account can have its own objects and
settings and inherits from Global settings.
Site – One or more physical or logical secured segments, each with its own objects and
settings, specific or inherited from Global or from the Account. A Site can belong to only
one Account and can have multiple Groups.
Group – One or more logical units of endpoints, for easier management, each with its own
objects and settings. A Group can belong to only one Site.


Management Console Views

Manage your SentinelOne Agents, threat mitigation, integrations, and other aspects of
your SentinelOne environment from the Management Console.

Open the different views of the Management Console from the sidebar.

• Scope – Open the Scope pane and select a Group, Site, Account, or Global to manage it.
• Dashboard – See the status of endpoints and an overview of threats.
• Visibility – Run Deep Visibility queries to see benign event information and set up
watchlists for threat hunting.
• Ranger – Provides full visibility of all devices connected to the network.
• Sentinels – View Endpoints, exclusions, policies, device control, firewall control,
packages, blacklist and site info.
• Incidents – See all threats, detections and their status. Open the incident details and
respond to threats.
• Applications – Monitor applications installed on endpoints.
• Activity – See and filter the full log of activities on the network.
• Reports – Get one-time and scheduled reports for different aspects of the environment.
• Settings – Configure the Management Console settings, create users, manage Sites, and
integrate third-party servers.

Selecting a Scope

The Scope view lets users see and manage the platform hierarchy.

The information in the Management Console changes based on the selected scope and the
scope of the logged-in admin.

• As a Global Admin, you manage the Global deployment, the Accounts, the Sites in each
Account, Groups in each Site, and their security objects.

• As an Account Admin, you manage the Accounts, the Sites in each Account, Groups in
each Site, and their security objects. You can select and manage a specific Site or
Group.

• As a Site Admin you manage your Sites, their endpoints, and some of their security
objects. You can select and manage Groups in the Site.


Features available by admin role:

Feature                                   Site Admin   Account Admin   Global Admin
Use Dashboard view                            ✓              ✓               ✓
Use Network View                              ✓              ✓               ✓
Create Site user                              ✓              ✓               ✓
Create Account user                                          ✓               ✓
Create Global user                                                           ✓
Define integrations and notifications         ✓              ✓               ✓
Get a Site token                              ✓              ✓               ✓
Create a Site                                                ✓               ✓
Delete a Site                                 ✓              ✓               ✓
Change Site SKU                                              ✓               ✓
Upload packages and set package Scope                        ✓               ✓
Upgrade Agents                                ✓              ✓               ✓
Move Agents between Groups                    ✓              ✓               ✓
Move Agents between Sites                     ✓              ✓               ✓
Uninstall Agent                               ✓              ✓               ✓
Actions on threats                            ✓              ✓               ✓
Generate Reports                              ✓              ✓               ✓
Create Group (static / dynamic)               ✓              ✓               ✓
Actions on Groups                             ✓              ✓               ✓
Filter activities                             ✓              ✓               ✓
Change policy                                 ✓              ✓               ✓
Policy override                                                              ✓
Blacklist and Exclusions                      ✓              ✓               ✓
Advanced mode                                                ✓               ✓
Device Control and Firewall Control           ✓              ✓               ✓
Applications                                  ✓              ✓               ✓
Deep Visibility                               ✓              ✓               ✓
Remote Shell                                  ✓              ✓               ✓

Dashboard

The Dashboard view of the SentinelOne Management Console is fully customizable and based
on the logged-on user. The Dashboard is made of different widgets, to quickly see the
information that is most relevant to you and your stakeholders. When you log in to the
Management Console from a different computer or browser, your personalized Dashboard
opens.

Users can choose from over 50 widgets related to Threats, Endpoints, Applications, and IoT
devices (Ranger).


Deep Visibility

The Visibility view option allows the user to run SentinelOne Deep Visibility queries. Deep
Visibility extends the ActiveEDR capabilities, with full visibility into endpoint data and threat
hunting. The kernel-based monitoring allows a near real-time search across endpoints for all
indicators of compromise (IOC). It gives security teams the ability to augment real-time threat
detection capabilities with a powerful threat hunting tool.

SentinelOne’s Storyline lets security analysts understand the full story of what happened on a
device, as each element of a story has the same exact Storyline.

All data transmissions are encrypted, compressed, and sent over HTTPS. Agent data is available
for up to three months. From the time that an event occurs, the data is available in the Deep
Visibility queries in minutes.


Ranger

SentinelOne Ranger gives full visibility of all devices connected to your network. Ranger scans
your corporate environment to identify and manage connected devices, even those not
protected by or supported by SentinelOne.

Ranger identifies devices as:

• Secured - End-user computer, laptop, or server on which the SentinelOne Agent is
installed.
• Unsecured - Endpoint of supported hardware, running a supported OS, on which
the Agent is not yet installed.
• Unsupported - Hardware or software that is not compatible with the SentinelOne
Agent (such as mobile phones, Android tablets, and UNIX servers).
• Unknown - Device that is not secured, and for which we cannot determine whether it is
supported by the SentinelOne Agent or not.

Ranger benefits:
• Enterprise-wide visibility of connected devices.
• Intelligent and automatic scan management with minimal network traffic footprint.
• Simple map of unsecured endpoints on which to install the Agent.
• Enriched Threat Hunting with unsecured device information as part of an IOC
investigation.
• Network isolation for unwanted devices to reduce the attack surface.
• Easy deployment of Ranger as an integrated solution with SentinelOne Agent and
Management Console.
• Easy network scale with zero configuration to discover new networks and subnets.


Sentinels View

Based on the SKU and the Scope the user is in, the menu selections can vary. This is a listing of
the menu selections for Complete:
In the Sentinels View – Global level, users have access to the following tabs:
• Endpoints
• Policy
• Blacklist
• Exclusions
• Firewall Control
• Device Control
• Packages

In the Sentinels View – Account level, users have access to the following tabs:
• Endpoints
• Policy
• Blacklist
• Exclusions
• Firewall Control
• Device Control
• Packages
• Account Info


In the Sentinels View – Site level, users have access to the following tabs:
• Endpoints
• Policy
• Blacklist
• Exclusions
• Firewall Control
• Device Control
• Packages
• Site Info
• Group Ranking

In the Sentinels View – Group level, users have access to the following tabs:
• Endpoints
• Policy
• Blacklist
• Exclusions
• Firewall Control
• Device Control
• Group Info


Policy

A policy is a set of mitigation settings and configuration settings that define the behavior of
SentinelOne Agents on endpoints.
Policy Inheritance
• Each Account, Site, and Group can have their own policy, or they can inherit the policy
from the scopes above them.
• By default, each Account, Site, and Group inherits the Global policy. Global Users can
make changes to the Global policy. Users can make changes to the policy for entities in
their scope.
• For example, Groups inherit the policy defined for their Site. If the policy is not changed
for the Site, Groups inherit the Account or Global policy.


Endpoints

In the Sentinels > Endpoints view, you can:

• See your endpoints and their basic details.
• Filter and search to find endpoints.
• Organize endpoints into dynamic and static groups.
• Run Actions on endpoints.
• Customize which columns show, and sort the columns, to see different characteristics of
the endpoints.
• Export all network endpoint information for each endpoint in the current filter (up to
20,000 endpoints) in CSV format.

By scrolling to the right on each row, the following information about the endpoint is available:
• Endpoint Name - Name of the protected device
• Account - The Account that the endpoint belongs to
• Site - The Site that the endpoint belongs to
• Last Logged in User - Name of the user that logged in most recently
• Group - Group that the endpoint belongs to
• Domain - Network domain that the endpoint belongs to
• Console Visible IP - External IP address from which the Management Console sees the Agent
• Agent Version - Version of the installed Agent
• Subscribed on - First date and time that the agent connected to the management server
• Health status - Healthy or Infected
• Device type - Laptop, Desktop, Server
• OS - Operating System
• OS Version - Exact OS version, for example Windows 10 (14393)
• Architecture - 64 bit or 32 bit
• MAC address - Physical MAC address
• Management connectivity - Online or Offline


• Network Status - Whether Disconnect from Network is enabled or disabled
• Update status - Shows Up to date if the agent is using the latest version
• Scan Status - When the last scan was completed
• IP addresses - Internal IP addresses
• Pending requests - For example, pending uninstall requests
• Disk Encryption - On or Off
• Vulnerability Status - For Complete SKU only, shows if patches are required.
• Locations - Name of the location that shows wherever the location is used in the
Management Console.


Blacklist

SentinelOne Agents immediately identify files on the blacklist and block them from executing,
based on the policy. Files on the blacklist are defined by their SHA1 hash. Agents identify files
on the blacklist before they look at exclusions.

Blacklist Hierarchy
• Sites, Accounts, and Global can each have their own blacklist items.
• Each scope also inherits blacklist items from the scopes above it.
o An Account inherits all Global blacklist items.
o A Site inherits all blacklist items of its Account, and all Global blacklist items.

You can add a hash to the blacklist manually, or add it to the blacklist automatically after it
shows in your Management Console.

Best Practice: Always analyze a threat before you add the file to the blacklist.

Note: Items that you add to the blacklist do not automatically become resolved. When you
finish investigating and handling a threat or detection, mark it as resolved.

Scope of blacklist items:
• Blacklist items apply to the scope you are in when you create them.
• For example, if you add a file to the blacklist from a Site, it goes in the Site blacklist.


Exclusions

Agents sometimes mark benign items as potential threats. You can configure Exclusions to
make your Agents suppress alerts and mitigation for these items.

Exclusion Hierarchy
• Groups, Sites, Accounts, and Global can each have their own exclusions.
• Each scope also inherits exclusions from the scopes above it.
o An Account inherits the Global exclusions.
o A Site inherits the exclusions of its Account, and the Global exclusions.
o A Group inherits the exclusions of its Site, its Account, and the Global exclusions.

Important: If incorrect exclusions are created, the environment may be open to malware.

You can create these types of exclusions: hash, path, certificate signer, file type, and browser.
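The Policy, Blacklist and Exclusions sections above describe three inheritance behaviours that are easy to confuse: a policy comes from the nearest scope that defines one, blacklist and exclusion entries accumulate down the chain, and on the endpoint the blacklist is consulted before exclusions. The following Python model, added here as an illustration and not SentinelOne code, puts all three side by side. The scope names (Acme, HQ, Laptops), the file contents and the dictionary layout are constructed for the example; the real exclusion types beyond hash and path are not modelled.

```python
"""Scope inheritance model for policy, blacklist and exclusions.

Added illustration, not SentinelOne code. Scopes chain Group -> Site ->
Account -> Global. A policy is taken from the nearest scope that defines one;
blacklist and exclusion entries accumulate down the chain; and on the endpoint
the blacklist is consulted before exclusions. Scope names, file contents and
the attribute layout are constructed for the example.
"""
import hashlib
from fnmatch import fnmatch


def sha1(data: bytes) -> str:
    """Blacklist entries are SHA1 digests (not SHA256)."""
    return hashlib.sha1(data).hexdigest()


# Constructed stand-ins for executables.
DROPPER = b"MZ\x90\x00 constructed dropper body"
BACKUP_TOOL = b"MZ\x90\x00 constructed backup utility"
INSTALLER = b"MZ\x90\x00 constructed vendor installer"

# policy None means "inherit from the scope above". Groups carry exclusions
# but no blacklist of their own (blacklists exist at Site, Account, Global).
SCOPES = {
    "Global": {"parent": None,
               "policy": {"threats": "Protect", "suspicious": "Detect"},
               "blacklist": {sha1(DROPPER)},
               "exclusions": {"hash": set(), "path": set()}},
    "Acme": {"parent": "Global", "policy": None,
             "blacklist": set(),
             "exclusions": {"hash": set(), "path": {r"C:\Backup\*"}}},
    "HQ": {"parent": "Acme",
           "policy": {"threats": "Protect", "suspicious": "Protect"},
           "blacklist": {sha1(INSTALLER)},
           "exclusions": {"hash": {sha1(INSTALLER)}, "path": set()}},
    "Laptops": {"parent": "HQ", "policy": None,
                "exclusions": {"hash": set(), "path": set()}},
}


def chain(scope):
    """Yield the scope itself, then each parent up to Global."""
    while scope is not None:
        yield scope
        scope = SCOPES[scope]["parent"]


def effective_policy(scope):
    """Nearest scope with an explicit policy wins; the rest inherit."""
    for s in chain(scope):
        if SCOPES[s]["policy"] is not None:
            return s, SCOPES[s]["policy"]
    raise ValueError("Global scope must define a policy")


def effective_blacklist(scope):
    """Union of the scope's own blacklist and every inherited one."""
    return set().union(*(SCOPES[s].get("blacklist", set()) for s in chain(scope)))


def effective_exclusions(scope):
    """Union of hash and path exclusions from the scope and its parents."""
    hashes, paths = set(), set()
    for s in chain(scope):
        hashes |= SCOPES[s]["exclusions"]["hash"]
        paths |= SCOPES[s]["exclusions"]["path"]
    return hashes, paths


def verdict(scope, path, data):
    """Blacklist first: a blacklisted hash is blocked even when a hash or
    path exclusion would otherwise suppress alerts for it."""
    digest = sha1(data)
    if digest in effective_blacklist(scope):
        return "block (blacklist)"
    ex_hashes, ex_paths = effective_exclusions(scope)
    if digest in ex_hashes or any(fnmatch(path, pat) for pat in ex_paths):
        return "allow (excluded)"
    return "inspect (detection engines decide)"


if __name__ == "__main__":
    print(effective_policy("Laptops"))
    print(verdict("Laptops", r"C:\Backup\dropper.exe", DROPPER))
```

Two cases are worth trying: the dropper placed under the excluded C:\Backup path is still blocked, because the Global blacklist is checked before the Account's path exclusion; and the installer blacklisted at the HQ Site is not blocked when evaluated at the Acme Account, because items flow down the hierarchy, never up.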


Firewall Control

Firewall Control lets you manage endpoint firewall settings from the SentinelOne Management
Console. Use Firewall Control to define which network traffic, applications, and connections are
allowed in and out of endpoints.

Firewall Control is supported with Windows Agents and macOS Agents.

It is part of the Complete bundle. If you have the Core bundle, you will not see Firewall Control
in your Management Console.

• Currently, Firewall Control cannot be set on an Account.
• Firewall Control events do not have logs in the Management Console.
• There are no default rules. All traffic is allowed if you do not block it explicitly.
• In the Firewall Control settings, define the policy inheritance and turn Firewall Control
on or off.
• By default, Firewall Control is disabled at the Global level. When it is first enabled, all
Sites and Groups inherit the Firewall Control policy from the Global policy.
• By default, Agents have Firewall Control disabled, until they connect to a Site or Group
with an enabled Firewall Control policy.

Note: When you enable SentinelOne Firewall Control on Windows endpoints, rules from other
firewall solutions on the endpoint will become inactive.

When network traffic enters or leaves an endpoint, the SentinelOne Agent allows or blocks it
based on the Firewall Control policy. The Agent looks at the rules based on their order in the
Firewall Control policy, from the top to the bottom. When the Agent finds a rule that matches
the parameters of the traffic, that rule is applied. The Agent does not continue to the lower
rules in the list.

The Agent applies the rules in this order:
• Group rules from first to last.
• Site rules from first to last.
• Global rules from first to last.

New rules are added to the top of the relevant section of the Firewall Control policy.


Device Control

Device Control rules let you allow or block specific devices, or groups of devices, that connect to
endpoints, based on device identifiers. When the Management Console sends policy information
to Agents, it includes these rules.

When an external device connects to an endpoint, the SentinelOne Agent checks to see if it is
allowed to run by the Device Control policy. The Agent looks at the rules based on their order in
the Device Control policy, from the top to the bottom. When the Agent finds a rule that
matches the device identifiers of a connected device, that rule is applied. The Agent does not
continue to the lower rules in the list.

• If the matched rule has the Block Action, the Agent prevents the device from being
used.
• If the matched rule has the Allow Action, the device can be used.
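Both the Firewall Control section and the Device Control section above describe the same first-match walk: rules are read top to bottom, the first match is applied, nothing below it is consulted, and (for Firewall Control) unmatched traffic is allowed because there are no default rules. The Python model below is an added illustration, not SentinelOne Agent code. It walks firewall rules Group, then Site, then Global, honours location-scoped rules with the Fallback location for an Agent in no defined location, and shows why a rule added later (which goes to the top of its section) shadows an older one. The rule fields, the device identifier layout, and the "no match" result for devices (the text does not state a Device Control default) are assumptions of the example.

```python
"""First-match rule evaluation for Firewall Control and Device Control.

Added illustration, not SentinelOne Agent code. Firewall rules are walked
Group -> Site -> Global, each section top to bottom; the first matching rule
is applied; with no match, traffic is allowed (no default rules). Rules
scoped to a location apply only while the Agent is in that location, and an
Agent in no defined location uses the Fallback location. Device Control uses
the same first-match walk over device identifiers. Field names and the
"no match" device result are assumptions of the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class FwRule:
    action: str                  # "allow" or "block"
    direction: str = "any"       # "in", "out" or "any"
    proto: str = "any"           # "tcp", "udp" or "any"
    remote: str = "any"          # remote address or "any"
    port: Optional[int] = None   # remote port, None = any
    app: str = "any"             # process image or "any"
    location: str = "any"        # location name or "any"


def fw_matches(rule, pkt, locations):
    """Every rule field is either a wildcard or equal to the packet's value."""
    return (rule.direction in ("any", pkt["direction"])
            and rule.proto in ("any", pkt["proto"])
            and rule.remote in ("any", pkt["remote"])
            and rule.port in (None, pkt["port"])
            and rule.app in ("any", pkt["app"])
            and rule.location in ("any", *locations))


def evaluate_fw(policy, pkt, locations=()):
    """Return (action, scope, index) of the first matching rule."""
    locs = set(locations) or {"Fallback"}   # no defined location -> Fallback
    for scope in ("Group", "Site", "Global"):
        for idx, rule in enumerate(policy.get(scope, [])):
            if fw_matches(rule, pkt, locs):
                return rule.action, scope, idx
    return "allow", None, None              # no default rules: allowed


def add_fw_rule(policy, scope, rule):
    """New rules go to the top of their section, so they shadow older ones."""
    policy.setdefault(scope, []).insert(0, rule)


def evaluate_device(rules, device):
    """First rule whose identifiers (or 'any') match the connected device."""
    for rule in rules:
        if all(rule.get(key, "any") in ("any", device[key])
               for key in ("vendor_id", "product_id", "serial")):
            return rule["action"]
    return "no match"   # assumption: the text gives no Device Control default


# Constructed policy: the Site blocks outbound SMB; Global blocks inbound RDP
# only while the Agent is in the "Public" location.
POLICY = {
    "Group": [],
    "Site": [FwRule("block", direction="out", proto="tcp", port=445)],
    "Global": [FwRule("block", direction="in", proto="tcp", port=3389,
                      location="Public")],
}

# Constructed Device Control list: one approved USB stick, everything else blocked.
DEVICE_RULES = [
    {"action": "allow", "vendor_id": "0x0781", "product_id": "0x5583",
     "serial": "4C530001"},
    {"action": "block", "vendor_id": "any", "product_id": "any", "serial": "any"},
]

if __name__ == "__main__":
    smb = {"direction": "out", "proto": "tcp", "remote": "10.0.0.5",
           "port": 445, "app": "explorer.exe"}
    print(evaluate_fw(POLICY, smb, {"Corp"}))
```

Because Group rules are evaluated before Site rules, a Group-level allow for backup.exe on port 445 wins over the Site-level block, while other processes are still blocked; adding a second Site rule that allows port 445 lands above the block and silently disables it, which is the pitfall to check for after any rule change.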


Packages

SentinelOne updates your Management Console with the latest Agent packages. Download the
packages for the operating systems in your environment. You can use third-party tools to
deploy the package to all of your endpoints by platform. Or you can install Agents individually.

During installation of new Agents, you must assign Agents to a Site using the Site Token.


Account Info / Site Info / Group Info

Based on the Scope you are in, you can see the Account, Site or Group information.

Account Info displays:
• The number of licenses for Core and Complete
• The number of deployed agents for the account
• The expiration date of the account

Site Info displays:
• The creator of the Site
• The date the Site was created
• The number of licenses for the site
• The number of deployed agents on the site
• The expiration date of the site
• The Site Token for the Site

Group Info displays:
• The creator of the Group
• The date the Group was created
• A list of the agents in the group
• View or modify the Group’s policy
• View or modify the Group’s Exclusion list
• The Group Token for the Group


Group Ranking

Use Group Ranking to set the priority of Dynamic Groups for Agents. An Agent can belong to
only one Group. If the Agent matches multiple Dynamic Groups, it goes to the Group with the
highest rank.

If an endpoint is in a Static Group, and the filters of a Dynamic Group match it, the endpoint is
automatically moved to the Dynamic Group.
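The ranking rule above, as an added example that is not SentinelOne code: an Agent belongs to exactly one Group; when its attributes match several Dynamic Groups it goes to the one with the highest rank (rank 1 here), and a match moves it out of a Static Group. The filter language is not shown on this page, so filters are modelled as attribute equality; the group names, ranks and endpoint records are constructed.

```python
"""Dynamic Group assignment with Group Ranking.

Added illustration, not SentinelOne code. Filters are modelled as attribute
equality because the real filter syntax is not shown in the text; rank 1 is
the highest rank. Group names and endpoint records are constructed.
"""

DYNAMIC_GROUPS = [
    {"name": "Servers",     "rank": 2, "filter": {"device_type": "Server"}},
    {"name": "Win-Servers", "rank": 1, "filter": {"device_type": "Server",
                                                  "os": "Windows"}},
    {"name": "Laptops",     "rank": 3, "filter": {"device_type": "Laptop"}},
]


def matches(flt, endpoint):
    """Every filter attribute must equal the endpoint's value."""
    return all(endpoint.get(key) == value for key, value in flt.items())


def assign_group(endpoint, dynamic_groups=DYNAMIC_GROUPS):
    """Return (group the endpoint lands in, whether it moved).

    An endpoint in a Static Group is moved as soon as any Dynamic Group
    filter matches it; among several matches the best (lowest number)
    rank wins."""
    matched = [g for g in dynamic_groups if matches(g["filter"], endpoint)]
    if not matched:
        return endpoint["group"], False   # stays in its current Group
    best = min(matched, key=lambda g: g["rank"])["name"]
    return best, best != endpoint["group"]


def ranks_are_unique(dynamic_groups=DYNAMIC_GROUPS):
    """Overlapping filters with equal ranks leave the assignment undefined,
    so check this before relying on the ordering."""
    ranks = [g["rank"] for g in dynamic_groups]
    return len(ranks) == len(set(ranks))


if __name__ == "__main__":
    box = {"group": "Pilot", "device_type": "Server", "os": "Windows"}
    print(assign_group(box))
```

A Windows server placed in a static Pilot Group matches both Servers (rank 2) and Win-Servers (rank 1) and is moved to Win-Servers; a desktop in Pilot matches nothing and stays put.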


Incidents

The Threats page shows the threats and their current status. Selecting a threat opens the
Incident Details page.

Incident Filters

The Threats table has many filters so the user can easily find the information needed.


Incidents Details

Selecting any line item in the Threats grid opens the Incident Details window, which shows
detailed information and a summary of the threat. On the Overview tab the user can review the
threat in detail and take action; the Explore tab shows the events in a graphical process tree;
and the Timeline tab shows all information about the threat so the user can understand what
happened, when, and by whom.


Applications

SentinelOne Application Risk lets you monitor applications installed on endpoints, from your
SentinelOne Management Console.

Applications not updated with the latest patches are risky because they are vulnerable to
exploits. With SentinelOne Application Risk you can see all applications that need to be
patched, on all endpoints or on a specific endpoint. You can also see which endpoints have
applications that need to be patched, and you can export application data.

Note: Application Risk is part of Complete (not available with Core). If you have the Core
bundle, you will not see Application Risk in your Management Console.


Any application identified as having a risk is flagged. To open the application details, click
the row containing the flagged application.

More details are available from the online CVE list by clicking the cve.mitre link below the
application details.


Activity

From the Activity view, the user can see all activities that occurred on the network. There are
filter buttons located at the top of the page to see specific activities.

Filter Item – Description

Malware
• Not mitigated
• Mitigated
• Marked as benign
• Preemptively mitigated
• Cloud marked as threat

Mitigation
• Shut down
• Network quarantine
• Kill
• Quarantine
• Unquarantine
• Remediate
• Rollback


Threat Management
• Notes
• Incident Status
• Analyst verdict
• External ticket details
• Mark as threat
• Mark as suspicious
• Confidence Level Change

Exclusion
• New/Edit Hash Exclusion
• New/Edit Blacklist
• Deleted Hash Blacklist
• Deleted Hash Exclusion
• Cloud Whitelist
• Cloud Blacklist
• New Modified Path Exclusions
• Deleted Path Exclusions
• New/Modified Signer Identity Exclusion
• Deleted Signer Identity Exclusion
• New/Modified File Type Exclusion
• Deleted File Type Exclusion
• New/Modified Browser Exclusion
• Deleted Browser Exclusion

Operations
• Management updated
• Cloud intelligence
• User added
• User modified
• User deleted
• User verification
• User login/logout
• Agent updated
• Agent reset local config
• Agent moved between sites
• Agent moved to group
• Group administration
• Site administration
• Account administration
• Packages administration
• Device control
• Firewall control
• Remote shell
• Policy modification
• Locations
• Login Settings
• Ranger events
• File Upload events


Administrative
• Agent subscribed
• Uninstall
• Log operations
• Fetch files operations
• Agent decommissioned
• Agent recommissioned
• Full disk scan
• Device control events
• Machine restarted
• System update
• Passphrase
• Move to another console
• Randomize UUID

Select (date range)
Click Select to open the calendar. Select dates from the calendar and, optionally, hours
within the selected dates.


Reports

Create one-time or scheduled Insight reports to see high-level and detailed information on the
state of your endpoint security. Reports include statistics, trends, and summaries with easy to
read and actionable information about your network.

You can see reports in the Management Console and automatically send them by email to the
addresses that you enter.

Examples of available Insight reports:
• Application Insights
• Executive Insights
• Executive Insights by Group
• Mitigation and Response Insights
• Threat Insights
• Vigilance Insights

Reports can be downloaded in PDF or HTML format.


Settings

The settings page allows the user to:
• Configure the Management Console settings
• Configure Notifications
• Manage Users
• Setup Integrations with third-party servers
o SMTP
o Email
o SSO
• Create Policy Override configurations
• Manage Accounts
• Manage Sites
• Configure Locations for Firewall use


Configuration

The configuration page allows the administrator to set:

• Inactivity Timeout
o If users are not active (do not move the mouse) for the configured time, they are
logged out of the Management Console. A message warns users before they are
logged out.
▪ The message shows for one minute. The user can click Keep Working to continue
the session.
▪ You can configure the timeout for a range of minutes between 5 and 600.
o Each Site has its own timeout settings. Sites do not automatically inherit these
settings from their Account.

• Session Timeout
o The Session Timeout is measured in days. The range is from 1 to 30 days in
the Management Console.
o The default Session Timeout is 7 days.
o Admin users can open up to 30 concurrent sessions to the Management Console.
Users with a role that is not Admin can open up to 2 concurrent sessions.

• Two-Factor Authentication
o This setting enables Two-Factor Authentication for the entire scope.


• Advanced Mode
o This setting enables Advanced Mode for the entire scope.
o These features require Advanced Mode to be enabled:
▪ Change the Protect level in Sentinels > Policy. By default, when you set a policy to
Protect, the Agents run Kill and Quarantine automatically. In Advanced Mode, you can
change the automatic mitigation to include Remediate, or Remediate and Rollback. This
option only shows if Threats or Suspicious are set to Protect.
▪ Enable or disable the Detect Interactive Threat engine in Sentinels > Policy.
▪ Change the Management URL in Settings > Configuration > Management URL.


Notifications

Notifications let the Site Admin set up notifications that are emailed and/or written to
Syslog. The entries available depend on the Notification Type.

After you integrate an SMTP Server and/or a Syslog Server, you can configure which
SentinelOne activities trigger email notifications or Syslog messages.

In the view for one Account or Site, you can configure a server specifically for that scope. If a
scope does not have a specific configuration, it uses the Global Integration settings.


Users

Create Management Console users to let the security team log in to the Management Console
and manage endpoint security.

• To create users to manage all your Sites, you must have Global scope and Admin
permissions.
• To create users to manage Accounts, you must have Global Admin or Account Admin
permissions for this Account.
• To create users to manage a specific Site, you can have Global Admin, Account Admin,
or Site Admin permissions for this Site.

You can create users for Sites over which you have Admin permissions. For example, if the user
Alpha01 has Admin permissions for site X and Viewer permissions for site Y, Alpha01 can make
users for Site X but not for site Y.

• If you are the Global Admin, you can select Global, Account, or Site access for new user
accounts.
• If you are an Account Admin and you want to create a Site Admin or Site Viewer, you
must select the Account that holds the Sites. Then the Sites of that Account are in the
list.

Select each Account or Site over which the user will have permissions and then select the role:
Viewer or Admin.


Integrations

The Integration page configures settings for SMTP and Syslog.

You can configure these settings for Global (applies to all Sites), for a selected Account (applies
to its Sites), or for a selected Site.

Integration with Active Directory

Integration with Active Directory (AD) occurs automatically; you do not configure an AD server.
When an Agent registers with the Management Console, and when users log in or log out, the
Agent sends AD information to the Management Console. When an Agent is part of an AD
domain, the Endpoint Details include an ACTIVE DIRECTORY tab.


Policy Override

In Advanced Mode, you can use Policy Override in the Management Console, to override a
default setting in the Agent configuration or policy. You can send a policy override to a group,
to a Site, or to Global.

The configuration changes require Global user permissions (or Support).

Note: Group policy overrides have priority above Site policy overrides, and Site policy overrides
have priority above Global policy overrides.

Note: Policy overrides are defined for a specific build number OR for ALL Agents. When you
upgrade or add Agents with a different build number, duplicate each policy override that is for
a specific version, or change the override to apply to all Agents.


Sites

See a full list of Sites in the environment, with SKU, total licenses and license in use, and Site
creation and expiration information.

Account and Global Admins can change the Site name, type, and license information.


Locations

Admins can configure customized sets of Agent Locations based on one or more endpoint
network parameters. Agents detect which location they are in and act accordingly.

Agents can be in multiple locations at the same time. The Agent location can affect which
Firewall Control rules an Agent uses, as each Firewall rule can be configured for a specific
location.

If an Agent that supports Locations does not detect that it is in a defined location, it uses the
Firewall rules assigned to the Fallback location.

Locations can be defined for a Site, Account or Globally.


Module Review

During this module, you were introduced to the SentinelOne Console and reviewed all of the
SentinelOne views and tabs:
• SentinelOne Hierarchy
• Management Console Views
• Scope
• Dashboard
• Deep Visibility
• Ranger
• Sentinels
• Endpoints
• Policy
• Blacklist
• Exclusions
• Firewall Control
• Device Control
• Packages
• Incidents (Threat Management)
• Applications
• Activity
• Reports
• Settings
• Configuration
• Notifications
• Users
• Integrations
• Policy Override
• Accounts
• Sites
• Locations


Module 2 Review Questions

1. In which view of the Management Console can the investigator see all of the endpoints,
create exclusions and set device and firewall controls?
a. Dashboard
b. Sentinels
c. Analyze
d. Settings

2. What does the Visibility function allow the investigator to do?

________________________________________________________________________

________________________________________________________________________

3. In the Policy Settings > Policy Mode Options, which action setting will automatically
detect and mitigate a threat?
a. Mitigate
b. Kill
c. Detect
d. Protect

4. Which Policy Engine detects attacks initiated by remote devices?


a. Deep File Inspection (DFI)
b. Lateral Movement
c. Dynamic Behavioral Tracking (DBT)
d. Anti Exploitation

5. Files on the blacklist are defined by what?


a. SHA256
b. File Name
c. SHA1
d. File extension

6. Which view presents the detailed forensic information and summary of the threat?
a. Sentinels
b. Analyze
c. Visibility
d. Application


MODULE 3
SentinelOne Administration

This module is intended to introduce administrators to the functionality in SentinelOne. In this
module you will review all of the SentinelOne administration features:

• Management Console Dashboard
• Working with Widgets
• Policy Settings
• Configuration
• Managing Sites
• Managing Groups
• Managing Agents
• Installing Agents on Windows
• Installing on macOS Endpoints
• Installing on Linux Endpoints
• Updating Agents
• Pending Actions
• Obtaining Logs for Support
• Managing Endpoints
• Action Selections
• Endpoint Details Window
• Moving Endpoints
• Uninstalling Agents
• Decommission an Agent
• Changing an Agent Configuration
• Console Messages
• Integration and Notifications
• Device Control
• Firewall Control
• Configuring Locations

© SentinelOne 3-1
SentinelOne Administration

Management Console Dashboard

The Dashboard view is fully customizable and based on the logged-on user. The Dashboard is
made of widgets, to quickly see the information that is most relevant to you and your
stakeholders. When you log in to the Management Console from a different computer or
browser, your personalized Dashboard opens.

Users can choose from over 50 widgets related to Threats, Endpoints, Applications, and IoT
devices (Ranger).

Each widget is fully customizable. Select the:


• Information to show: Category and Widget
• Scope (Group, Site, Account)
• Time Frame (relevant for some widgets)
• Refresh Interval
• Chart Type (format)

You can drag and drop the widgets to move and resize them.

Click on a detail in a widget to jump to the live information in your Management Console.


Working With Widgets

Function Option Selections

Located in the upper left of the Dashboard page is a set of three function option buttons:

• Add widget - Adds a widget.
• Clear - Clears the board of all existing widgets.
• Options (...) - Opens a menu with Restore Default Dashboard, Upload, and Download.

Creating a Widget

To create a new Dashboard Widget:


1. Click the Add widget icon in the upper right
The New Widget window opens.


2. Choose a category from the Categories list. Each category has specific widgets that are
appropriate for the category.
3. In Scope, select the Account, Site, or Group that the widget applies to. Information
from this scope is included in the widget chart.
4. In Widget, choose the information to show.
The options depend on the category selected.
5. Optional: In Title, you can edit the display name that shows above the widget.
6. In Time Frame, choose the range of time that is included in the widget chart.
7. In Refresh Interval, select how often the chart will refresh. Each time it refreshes, the
Management gathers the relevant information.
8. In Chart Type, select the format in which the information is shown. When you select an
option, the icon shows a model of how it looks.
9. Click Save.

Edit a Widget

You can change all attributes of a widget when you edit it.
1. Click the ellipsis (...) in a widget and the menu dialog window opens.

2. Select Edit.
3. In the Edit Widget window, change attributes of the widget.
4. Click Save.

Duplicate a Widget

To create a new widget based on an existing one:


1. Click the ellipsis (...) in a widget and the menu dialog window opens.


2. Select Duplicate.
An identical widget opens in the Dashboard.
3. Edit the new widget:
a. Click the three dots (ellipsis) on the new widget and select Edit.
b. In the Edit Widget window, change attributes of the widget.
c. Click Save.

Sharing a Pre-Made Dashboard

You can download your Dashboard as a JSON file and send it to other users to upload and use.
• For example, Account Admins can send their Site Admins a suggested Dashboard.

When necessary, the scope of the widgets changes automatically to the scope of the user that
uploads the Dashboard. For example:
• An Account admin has a Threat Status widget for a whole Account and sends that
Dashboard to a Site admin. The Site admin sees the same Threat Status widget but with
a Site scope.
• If a Dashboard includes a widget for a specific Group, it will not change automatically to
a broader scope when a Site admin uploads it.

Download the Dashboard

1. On the top right of the Dashboard, click the ellipsis (...).

2. From the menu that opens, select Download.


Your browser downloads the Dashboard as a JSON file to its default download location. By
default, the filename is dashboard_new.json.
3. Optional: Rename the file.
4. Send the file to other users.


Upload the Custom Dashboard

To use a saved Dashboard:


1. On the top right of the Dashboard, click the ellipsis (...).

2. From the menu that opens, select Upload.


3. In the file selection window that opens, select the dashboard JSON file to use.
The uploaded Dashboard widgets show in your Dashboard.

To create a heading or text bar in the Dashboard:


1. In a New Widget or Edit Widget window, select Miscellaneous.

Free Text is selected as the default Widget.


2. In Title, enter the text to show.
3. Optional: Change the properties of the text and its background.
4. Click Save.


Policy Settings

A policy is a set of mitigation settings and configuration settings that define the behavior of
SentinelOne Agents on endpoints. A policy can be set for any Scope.

Policy Inheritance
• By default, Accounts inherit their policy from the Global policy. Global Admins can make
changes to the Global policy. Admins can make changes to the policy for entities in their
scope.
• Each Account, Site, and Group can have their own policy, or they can inherit the policy
from scopes above them.
• Sites inherit the policy defined for their Account. If the policy is not changed for the
Account, Sites inherit the Global policy.
• Groups inherit the policy defined for their Site. If the policy is not changed for the Site,
Groups inherit the Account or Global policy.
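The inheritance chain above, together with the Policy Override priority rules from Module 2 (Group overrides beat Site overrides, which beat Global overrides, and each override is pinned either to one Agent build number or to ALL Agents), can be expressed as a small resolver. The following is an added example written for this manual, not SentinelOne code or an API; the scope names, setting names, build numbers and the dictionary shape of a "policy" are constructed for illustration.

```python
"""
Added example (not SentinelOne's code): a model of how an Agent's effective
configuration is resolved from policy inheritance plus policy overrides.

  * Inheritance walks Group -> Site -> Account -> Global; a scope with no
    policy of its own uses the first policy defined above it.
  * Overrides are layered on top with Group > Site > Global priority.
  * An override applies either to ALL Agents or to one specific build number.

Scope names, settings and build numbers below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Scope:
    name: str
    kind: str                          # "group", "site", "account" or "global"
    parent: Optional["Scope"] = None
    policy: Optional[dict] = None      # None means "inherits from above"


@dataclass
class Override:
    scope: Scope                       # Global, Site or Group (per the manual)
    settings: dict
    build: str = "ALL"                 # a specific build number, or "ALL"


def resolve_policy(scope: Scope) -> dict:
    """Return the policy a scope actually uses, following inheritance upward."""
    s = scope
    while s is not None:
        if s.policy is not None:
            return dict(s.policy)
        s = s.parent
    raise ValueError("no policy defined anywhere in the chain")


def effective_config(scope: Scope, agent_build: str, overrides: list) -> dict:
    """Inherited policy plus matching overrides; the more specific scope wins."""
    config = resolve_policy(scope)
    chain, s = [], scope
    while s is not None:
        chain.append(s)
        s = s.parent
    # Apply least specific first, so a Group override ends up on top of Site
    # and Global overrides for the same setting.
    for s in reversed(chain):
        for ov in overrides:
            if ov.scope is s and ov.build in ("ALL", agent_build):
                config.update(ov.settings)
    return config


def overrides_needing_update(overrides: list, new_build: str) -> list:
    """Overrides pinned to another build: when Agents are upgraded to new_build
    these must be duplicated for it or changed to apply to ALL Agents."""
    return [ov for ov in overrides if ov.build not in ("ALL", new_build)]


# Constructed sample hierarchy; the Account and the Group inherit.
GLOBAL = Scope("global", "global",
               policy={"threats": "protect", "on_write": True, "on_execute": True})
ACCOUNT = Scope("acme", "account", parent=GLOBAL)
SITE = Scope("acme-hq", "site", parent=ACCOUNT,
             policy={"threats": "detect", "on_write": True, "on_execute": True})
GROUP = Scope("atms", "group", parent=SITE)

OVERRIDES = [
    Override(GLOBAL, {"on_write": False}, build="ALL"),
    Override(SITE, {"on_write": True}, build="4.2.3.100"),
    Override(GROUP, {"on_execute": False}, build="4.2.3.100"),
]

if __name__ == "__main__":
    print(resolve_policy(ACCOUNT))                          # inherited Global policy
    print(effective_config(GROUP, "4.2.3.100", OVERRIDES))  # all three overrides apply
    print(effective_config(GROUP, "4.3.0.50", OVERRIDES))   # only the ALL override applies
    print([ov.build for ov in overrides_needing_update(OVERRIDES, "4.3.0.50")])
```

The last call shows the trap the Module 2 note warns about: after an Agent upgrade the build-pinned Site and Group overrides silently stop matching, and the Group that was meant to run without On Execute falls back to the inherited settings.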


Policy Mode Options

The mitigation settings in the Policy Mode options define the Agent behavior for:
• Threats - Detections that the SentinelOne policy engines classify as malicious with high
confidence.
• Suspicious - Detections that might be malicious but require more analysis, based on the
SentinelOne policy engines.

Policy Mode Settings:

• Threats - Protect: Automatically kills and quarantines malware and sends Mitigated Threat
alerts (recommended). If Threats are set to Protect, the available levels are:
  o Kill & Quarantine
  o Remediate
  o Rollback
• Threats - Detect: Sends threat alerts only.
• Suspicious - Protect: Automatically kills and quarantines files and sends Mitigated Threat
alerts.
• Suspicious - Detect: Sends Suspicious alerts only.

Important: By default, when you set a policy to Protect, the Agents run Kill and Quarantine
automatically. In Advanced Mode, you can change automatic mitigation to include Remediate
or Remediate and Rollback. This option only shows if Threats or Suspicious are set to Protect.


Policy Engine Behavior

The modes of SentinelOne Policy engine behavior are:


• On Write - Use Static AI and Reputation engines to monitor files written to disk.
• On Execute - Monitor behavior and detect malicious activity when a process initiates.

It is recommended that you use all of SentinelOne Policy Engines to maximize security. If necessary, you
can disable the On Write or On Execute modes to use only part of the SentinelOne functionality.

Note: The Advanced Mode must be turned on in Configuration.

Disabling on Write

IMPORTANT: This configuration is not recommended as it disables all Static AI detection
and decreases security.

Behavior:
• If you disable On Write, no action occurs when a file is copied to disk.
• No file reputation check when a file is written to the disk (the file reputation check is
active on file execution).
• Deep File Inspection Static AI is disabled.
• Full Disk Scan is supported. The required service is active only during the scan.


Disabling on Execute

IMPORTANT: This configuration is not recommended as it disables all behavioral detection
and decreases security.

Use Cases:
• For systems where saving resources is critical and the attack surface is controlled,
for example, when there is limited internet access.
• For endpoints with limited disk space or memory requirements, like thin agents, or
ATMs.

Behavior:
If you disable On Execute, the Behavioral AI engines do not monitor On Execute
behavior. The engines can be completely disabled (do not consume resources), or
suppressed (monitor without alerts and consume some resources).

To completely disable Behavioral AI engines - You must disable On Execute mode from
the policy before it is ever enabled (immediately after installation, before reboot).

If the On Execute mode was already on - If you disable On Execute mode in the policy
after the first reboot, the Behavioral AI engines are active but suppressed. The Agents
do not act on Behavioral AI detections or generate alerts, but the activity consumes
some resources.

Note: If you enable the On-Execute engines at any time, all endpoints will be prompted
to reboot and show Pending Action status until they reboot.

Workflow to completely disable Behavioral AI engines:

To completely disable Behavioral AI engines, the first policy that the endpoints get must
already have On Execute disabled. You must plan for this before the Agent installation.
There are two main ways to accomplish this:

• Disable On Execute in the Site's policy. When Agents connect to the Site for the first time
with the Site Token, they get this policy. You can then move the endpoints that must keep
On Execute disabled to their own Dynamic Group (with On Execute disabled in the Group
policy) and enable On Execute again in the Site's policy.

• Disable On Execute in the policy of a Dynamic Group that you prepare in advance of the
Agent installation. When Agents connect to the Site that contains this Group and match its
filter, they get this policy.


Policy Engines

Engine Name - Description

• Reputation - An engine that uses the SentinelOne Cloud to make sure that no known
malicious files are written to the disk or executed. This engine cannot be disabled.
• DFI (Deep File Inspection) - A preventive Static AI engine that scans for malicious files
written to the disk. It supports portable executable (PE) files.
• DFI - Suspicious - A Static AI engine that scans for suspicious files written to the disk.
When in Protect mode, this engine is preventive. It supports portable executable (PE) files.
• DBT - Executables (Dynamic Behavioral Tracking) - A Behavioral AI engine that
implements advanced machine learning tools. This engine detects malicious activities in
real time, when processes execute.
• Documents, Scripts - A Behavioral AI engine, focused on all types of documents and
scripts.
• Lateral Movement - A Behavioral AI engine that detects attacks initiated by remote
devices.
• Anti Exploitation / Fileless - A Behavioral AI engine, focused on exploits and all fileless
attack attempts, such as web-related and command line exploits.
• Potentially Unwanted Applications - A Static AI engine on macOS devices that inspects
applications that are not malicious, but are considered unsuitable for business networks.
• Detect Interactive Threat - Part of the Behavioral AI, focused on insider threats (for
example, an authenticated user runs malicious actions from a CMD or PowerShell
command line). This engine detects malicious commands in interactive sessions.

  Detect Interactive Threat is disabled by default. To enable this engine, go to Settings >
  Configuration and turn on Advanced Mode, then enable the engine in the policy.

  If you want to protect your endpoints from malicious commands that are entered in a CLI,
  enable this engine. But if you enable this engine for endpoints of active CLI users, expect
  a number of false positives.

Policy Engines by OS

Name Windows macOS Linux


Reputation ✓ ✓ ✓
DFI (Deep File Inspection) ✓ ✓ ✓
DFI – Suspicious ✓
DBT – Executables ✓ ✓ ✓
Documents Scripts ✓
Lateral Movement ✓ ✓
Anti Exploitation / Fileless ✓ ✓
Detect Interactive Threat ✓


Policy – Containment

Option - Setting - Description

• Containment - Disconnect from Network (also called Network Quarantine)
  On: Automatically blocks network connections from an infected endpoint to make sure
  that the malware does not spread. The connection between the Agent and Management
  stays active.

  Note: The default setting is Off when Threats are set to Detect. If Threats are set to
  Protect, you have the option of turning this setting On.

  Note: When Disconnect from Network is enabled in the policy, endpoints are only
  disconnected if the threat is detected after it executes. Endpoints are not disconnected
  if a threat is detected pre-execution (by the Reputation or DFI engines), because the
  threat is not active.

  Off: Infected endpoints are not automatically disconnected from the network. You can
  disconnect them manually.

• Containment - Auto-immune from verified threats
  On: Adds known hashes to the blacklist for all Sites that encounter them.

  Note: This is always On and cannot be turned Off.


Policy – Advanced

Option - Setting - Description

• Agent notification on suspicious
  On: An alert opens on the endpoint computer for detected Suspicious Threats.
  Off: Alerts do not open on endpoint computers for detected Suspicious Threats.

• Auto Decommission after xx days offline
  On: Removes Agents from the Management Console if there is no communication with an
  Agent for the configured number of days. The Management automatically recommissions
  the Agent after it starts to communicate again.
  Days: Click the number to change the number of days offline before an offline Agent is
  decommissioned.

Important: If you set the Auto Decommission number of days too small, the number of
endpoints with Agents and the number of endpoints you see on the Management Console can
be significantly different and confusing. If you deploy virtual machines, set the number of days
to fit your environment and your policy for VM persistence.


Policy – Agent Configuration

These settings configure the Agent behavior and are applied when the Agent is installed.

Setting - Description - Supported OS

• Scan new Agents - Agents run a Full Disk Scan when they first connect to the Management.
Supported OS: Windows, macOS, Linux.
• Agent UI - Show the Agent tray icon, application, and alerts on endpoints. If disabled, end
users see no trace of the Agent. Supported OS: Windows, macOS.
• Logging - Save logs for troubleshooting and Support. Best practice is to leave this on.
Supported OS: Windows.
• Anti Tamper - Do not allow end users or malware to change, uninstall, or disable the Agent.
Best practice is to leave this on. Supported OS: Windows, macOS.
• Snapshots - Keep VSS snapshots for rollback. If disabled, rollback is not available. Best
practice is to leave this on. Supported OS: Windows.


Policy – Deep Visibility Configuration

The Deep Visibility settings can be different in the Global policy and in Site policies. In
the policy settings, you can refine the data sent for Threat Hunting.

To use Deep Visibility, you must enable it in the policy. If it is not enabled, Deep Visibility
queries return no results. Users can select the data to be sent for Threat Hunting.

Data Type - Source - Data Collected

• Process
  Source: Processes created
  Data Collected: Name, ID, and time of the process and its creator process; command-line
  arguments used by the created process; executable full path and SHA1 of the created
  process

• File
  Source: Supported file types that were changed by an event (see Supported File Types
  below)
  Data Collected: Hash (MD5, SHA1, SHA256), full path, name of the process that created or
  changed the file

• URL
  Source: Sites visited in Safari, Chrome, and Microsoft browsers
  Data Collected: URLs and URIs (string, source (winner or Chrome), HTTP method,
  processes and creator processes, and (MS only) request and response). From wget, curl,
  and similar commands (macOS only): DNS, IP addresses, and URLs

• DNS
  Source: Every connection, including connections to localhost
  Data Collected: Query name, query result, processes, and creator processes

• IP
  Source: Outgoing network connections
  Data Collected: TCPv4 connection attempts (source IP address and port, destination IP
  address and port, protocol, processes and creator processes)

• Login
  Source: macOS end user login and logout
  Data Collected: Username and login and logout time

• Registry Keys
  Source: Registry Key events on Windows endpoints
  Data Collected: Registry Key ID and name, logged in user, time of event, process that
  caused the event

• Scheduled Tasks
  Source: Scheduled Task events on Windows endpoints
  Data Collected: Task name, event type, logged in user, time of event, process that caused
  the event

• Behavioral Indicators
  Source: Indicators found by the Agent
  Data Collected: Indicator Category, Indicator Description, Indicator Metadata, and
  Indicator Name

• DLL Module Load
  Source: DLL Modules loaded on an endpoint
  Data Collected: Module hash, module path, all endpoint info and process information
  Note: This is only visible if enabled by Support because it can impact performance.

Windows Supported File Types:

• Executables: EXE, SCR, DLL, SYS, COM, MSI, MSP, JAR
• Scripts: PS1, PY, BAT, VBS, WS, AU3, CMD, INX, ISU, RGS, SCT, PHP
• MS Word: DOC, DOT, DOCX, DOCM, DOTX, DOTM, DOCB
• MS Excel: XLS, XLM, XLSX, XLSM, XLTX, XLTM, XLSB, XLA, XLAM, XLL, XLW
• MS PowerPoint: PPT, POT, PPS, PPTX, PPTM, POTX, POTM, PPAM, PPSX, PPSM, SLDX, SLDM
• Adobe: PDF

macOS - Mach-O
Linux - ELF


Policy – Remote Shell

Remote Shell is a powerful way to respond remotely to events on endpoints. It lets you open
full shell capabilities - PowerShell on Windows and Bash on macOS - directly and securely from
the Management Console.

Remote Shell use cases:


• Faster troubleshooting made possible by admins not needing to be in physical contact
with an endpoint device to solve problems.
• Increased support for remote users by removing the need for visits to IT departments.
• The ability to easily change local configuration without leaving the premises.
• Eliminating the need for memory dump and other advanced tools in deep forensic
investigation.
• Terminating undesired applications or processes running on endpoint devices.
• Initiating remote controls in a secure manner.

The shell process runs with local administrator user permissions. If different permissions are
necessary, you can authenticate with domain user credentials inside the Remote Shell session.
Agents apply all detection and protection logic on the Remote Shell activity.

Requirements to use Remote Shell


User Requirements:
• The user must have a role with the permission to use Remote Shell.
• The user must have Two-Factor Authentication configured.
• A Global user can enable Remote Shell for other users. An Account user can enable it
for Site users (but not for other Account users). All users with the correct
permissions can disable (and enable it again) in policies.

Site Requirements:
• Remote Shell requires the Complete SKU.
• When Remote Shell is enabled, Remote Shell shows in the Management Console.
• From the Remote Shell option in the policy, enable or disable the feature.


Remote Shell Session Requirements:


• One shell can be open on an endpoint. If a Remote Shell session is open, a different
user cannot open a session on the endpoint.
• To open a session, you must enter a 2FA code from the 2FA App on your phone.
• At the start of a session, you create a password. The transcript of the session is
encrypted with this password.
• Remote Shell sessions can be open on multiple endpoints at one time, but each
session must be opened separately on each endpoint.

Endpoint Requirements:

• The endpoint must have an OS and SentinelOne Agent version that support Remote
Shell.
• The Agent must be online and connected to the Management to open a Remote
Shell session.
• If the endpoint is in Network Quarantine (disconnected from network), some
commands will not work because the endpoint cannot access the network. If
necessary, reconnect the endpoint to the network.
• A session can be open or minimized on the endpoint.
o Only the user who runs the Remote Shell session can see the open or
minimized session. If a different admin tries to open a session for the same
endpoint, a message shows that a session is already open.

Note: On each OS, the Agent runs Remote Shell in a slightly different way.
• Windows: The Agent creates a temporary user, named SentinelRSHUser, in the
local Administrators group when Remote Shell is initiated. This user is deleted when
the session ends.
• macOS: The Agent creates a temporary user, named _sentinelshell, which is added
in sudoer when Remote shell is initiated. This user is deleted when the session ends.
• Linux: The Agent uses the endpoint root user to run Remote Shell. No special
settings are required.
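Because the Windows Agent creates a temporary local Administrators member named SentinelRSHUser for every session and deletes it at the end, the Security log should show a matching account-created (4720), member-added-to-local-group (4732) and account-deleted (4726) sequence per session. The detection logic below is an added example written for this manual, not SentinelOne code: it pairs those events per host, lists the sessions, and flags a SentinelRSHUser account that was never deleted (a session that did not clean up, or an attacker borrowing the name) and any other account added to Administrators while a session was open. The event records are constructed sample data in a simplified tuple form, not real log output; the event IDs are the standard Windows Security ones.

```python
"""
Added example (not SentinelOne's code): correlate the SentinelRSHUser account
lifecycle in Windows Security events to audit Remote Shell sessions.

SAMPLE_EVENTS is constructed sample data: (host, ISO time, event id, target
account, group). 4720 = user account created, 4732 = member added to a
security-enabled local group, 4726 = user account deleted.
"""
from datetime import datetime, timedelta

RSH_USER = "SentinelRSHUser"
CREATED, ADDED_TO_GROUP, DELETED = 4720, 4732, 4726

SAMPLE_EVENTS = [
    ("WS-01", "2020-07-25T09:00:01", 4720, "SentinelRSHUser", None),
    ("WS-01", "2020-07-25T09:00:01", 4732, "SentinelRSHUser", "Administrators"),
    ("WS-01", "2020-07-25T09:17:40", 4726, "SentinelRSHUser", None),
    ("WS-02", "2020-07-25T10:12:05", 4720, "SentinelRSHUser", None),
    ("WS-02", "2020-07-25T10:12:05", 4732, "SentinelRSHUser", "Administrators"),
    ("WS-02", "2020-07-25T10:14:30", 4732, "svc_backup", "Administrators"),
    ("WS-03", "2020-07-25T11:30:00", 4720, "SentinelRSHUser", None),
    ("WS-03", "2020-07-25T11:30:00", 4732, "SentinelRSHUser", "Administrators"),
]


def parse_events(rows):
    """Turn the constructed tuples into dicts with a real datetime."""
    return [{"host": h, "time": datetime.fromisoformat(t), "event_id": e,
             "account": a, "group": g} for h, t, e, a, g in rows]


def correlate_remote_shell(events, now, max_open=timedelta(hours=1)):
    """Return (sessions, findings).

    sessions: closed create..delete windows of SentinelRSHUser per host.
    findings: anomalies: another account added to Administrators during an
    open session, or a SentinelRSHUser that still exists (stale if older
    than max_open)."""
    events = sorted(events, key=lambda e: (e["host"], e["time"]))
    sessions, findings, open_by_host = [], [], {}
    for e in events:
        host, acct, eid = e["host"], e["account"], e["event_id"]
        if acct == RSH_USER and eid == CREATED:
            open_by_host[host] = {"host": host, "start": e["time"], "end": None}
        elif acct == RSH_USER and eid == DELETED and host in open_by_host:
            s = open_by_host.pop(host)
            s["end"] = e["time"]
            sessions.append(s)
        elif (eid == ADDED_TO_GROUP and e["group"] == "Administrators"
              and acct != RSH_USER and host in open_by_host):
            findings.append({"host": host, "type": "other_admin_added",
                             "account": acct, "time": e["time"]})
    for host, s in open_by_host.items():
        findings.append({"host": host, "type": "rsh_user_not_deleted",
                         "start": s["start"], "stale": now - s["start"] > max_open})
    return sessions, findings


def analyze_sample(now_iso, max_open_hours=1):
    """Run the correlation over the constructed sample at a given 'now'."""
    return correlate_remote_shell(parse_events(SAMPLE_EVENTS),
                                  datetime.fromisoformat(now_iso),
                                  timedelta(hours=max_open_hours))


if __name__ == "__main__":
    sessions, findings = analyze_sample("2020-07-25T12:00:00")
    for s in sessions:
        print(f"{s['host']}: Remote Shell session {s['start']} -> {s['end']}")
    for f in findings:
        print(f"{f['host']}: {f['type']} {f.get('account', '')}".rstrip())
```

Tune max_open to the longest Remote Shell session your responders realistically run; a SentinelRSHUser that outlives that window deserves a look at the Console's Activity log for the matching session, and at the endpoint if no session is recorded there.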


Changing a Policy

When you change a policy, the changes are automatically pushed to the Sites and Groups that
use the policy.

You can set the policy for a Site or Group when you create it, and you can change the policy
after creation.

To change the policy for Global, an Account, a Site or a Group:


1. On the sidebar, click Scope.
a. Select the Global, Site, Account or Group.
2. Go to Sentinels > Policy.

3. If the scope inherits its policy and you want it to have its own policy instead, click
Change Policy.
a. If the scope uses its own policy, it is open for changes. When you make a change,
the Save button shows.

4. Edit the policy settings.


5. Click Save.
6. In the window that opens, click Yes.

To revert to the default inherited policy:


1. On the sidebar, click Scope and select a scope.
2. On the Sentinels toolbar, click Policy.
3. Click Revert to default inherited policy.
4. In the window that opens, click Yes.


Configuration

The Management Configuration is based on the Scope.

Management Login Selections:

Selection - Description

• Inactivity Timeout (minutes) - Set the number of minutes before a user is logged out of an
idle Console. Enter a value between 5 and 600.
• Session Timeout (days) - Set the number of days a user can bypass login when they open
the Console.
• Two-Factor Authentication - Force all users to log in with 2FA for increased security. Use
Google Authenticator, Duo, or similar.
• Advanced Mode - Specific features require Advanced Mode to be enabled:
  o Change automatic mitigation actions to include Remediate or Remediate and Rollback.
  o Enable or disable the Detect Interactive Threat engine.
  o Change the Management URL.
• Management URL - The Management URL field is only available in the Global scope.


Advanced Mode

These features require Advanced Mode to be enabled:


• Change the Protect Level in Sentinels > Policy.

By default, when you set a policy to Protect, the Agents run Kill and Quarantine
automatically. In Advanced Mode, you can change automatic mitigation to include
Remediate or Remediate and Rollback. This option only shows if Threat or Suspicious
are set to Protect.
• Enable or disable the Detect Interactive Threat engine in Sentinels > Policy.
This engine is part of the Behavioral AI and focuses on insider threats (for example, an
authenticated user runs malicious actions from a CMD or PowerShell command line).
This engine detects malicious commands in interactive sessions.
Detect Interactive Threat is disabled by default. To protect your endpoints from
malicious commands that are entered in a CLI, enable this engine. But, if you enable this
engine for endpoints of active end users of CLIs, you may expect a number of false
positives. (Windows only)

• Change the Management URL in Settings > Configuration > Management URL.
See and edit the URL of the Management Console. This is necessary for notifications and
SSO. It must be the real URL of your management instance.


Managing Sites

SentinelOne lets you segment your organization in independent Sites. When you install an
Agent, it is configured for a specific Site. Each Site must have enough licenses for the Agents in
it.

Each Site belongs to an Account.


• All Sites in an Account must have different names.
• Sites can take licenses from their Account, and if a Site is deleted, its licenses go back to
the Account automatically.

To see license and basic Site information:

• In Sentinels > Site Info:

• You can edit the name of the Site.


• You can view:
o The Site ID.
o The number of licenses allocated to the Site.
o A list of Agents by clicking on View List.
o The Site expiration date.
o The Site Token.


Creating a New Site

There are two ways to create a site, in the Scope view and from Settings > Sites.

During Site creation you enter a name and license information and set the policy that the Site
uses.

To create a Site:
1. From the Scope pane, select an Account and click the add Site icon.
or
Go to Settings > Sites, click New Site.
2. Enter a Site Name.
3. Click Next.


4. In Site Type:

• Select the type of Site subscription:


o Paid - If you have a paid SentinelOne deployment.
o Trial - If you are using the Management Console as part of a trial or demo.
• License Type – Core or Complete
• Number of licenses - Enter the number of licenses purchased for the Site.
Each Agent automatically takes a license.
• Expiration date - Select the expiration date of the licenses.
• Click Next.

5. In Site Policy, the new Site automatically inherits the Account or Global policy and its
settings.

Optional: Click Change Policy to make changes to the policy settings for the site.


6. Click Create Site.


7. The Summary page will report the site was created successfully.
a. Optional: Users can be added to the new site.
8. Click Done.


Deleting a Site

A Site can only be deleted if it does not contain Agents.

A Site Admin can delete a Site from the Settings > Sites page.

To delete a Site from the Sites page:


1. Go to Settings > Sites.

2. Select the Site to delete.


3. Click Actions and select Delete Site.
Note: If the Site contains Agents, the Delete option is not available.
4. In the warning message that opens, click DELETE.


Managing Groups

You can organize Agents of a Site in Groups to manage them easily and consistently. A Group
has one policy and shared exclusions. For example, you can create a Group of all endpoints of
one operating system version in order to update all the Agents in one command.

Agents belong to a specific Site. An Agent can be in one Group.

• Static Groups are based on manual selection. If an endpoint is in a Static Group, and the
filters of a Dynamic Group match it, the endpoint is automatically moved to the
Dynamic Group.

• Dynamic Groups are based on filters. Endpoints that match the criteria of the filters are
automatically added to the Group. If an Agent fits in more than one Dynamic Group, the
conflict is resolved by Group Ranking.

Best Practice: To create a Dynamic Group, first create and save a filter set.

There are two ways to create a Group:


• From the Scope view.
• From the Sentinels > Endpoints page.


To create a Group:
1. Go to Scope and select the Site, then click the add Group icon.
or
Go to Sentinels > Endpoints.
a. Click Group > New Group.

2. The Add New Group wizard opens.

3. In Group Name, enter a descriptive name for the group. The name must be unique in
the Site. Click Next.


4. In Group Type, select Static Group or Dynamic Group.

5. If you select Dynamic Group, select the filter set. Click Next.

6. In Group Policy, the Group inherits the Site policy settings. If the Site uses the Global
default policy, the Group inherits the Global policy settings.
7. If you want this Group to have a different policy, click Change Policy, change the
settings, and click Save.

8. Click Create Group.

9. On the Add New Group Summary page, you have the option to add:
a. Devices
b. Exclusions
10. Click Done when complete.


Editing a Group

You can edit a Group from the Group Info page to change the name of the Group, view the
Agent List, change the Group’s Policy, review Exclusions or copy the Group Token.

To edit a Group:
1. Go to Scope and select a Group.
2. Go to Sentinels > Group Info.

3. The details of the Group show.


4. To change the Group name: click the edit icon.
a. Modify the name, then click Save.

5. To change the policy of the group: click Change under Group Policy.
6. To modify the exclusions of the Group: click View List under Exclusions.


Deleting a Group

You can delete Groups if you do not need them. If you delete a Dynamic Group, its Agents move
to the next Dynamic Group in the ranks. If the Agents do not fit a different Dynamic Group
filter, or if you delete a Static Group, the Agents move to the Default Group.

To delete a Group:
1. Go to Scope and select the Site.
2. Go to Sentinels > Endpoints.
3. Click Group > Delete Group.

4. In the Delete Group window, select a group.

5. Click Delete.


Ranking Dynamic Groups

Use Group Ranking to set the priority of Dynamic Groups for Agents. An Agent can belong to
only one Group. If the Agent matches multiple Dynamic Groups, it goes to the Group with the
highest rank.

If an endpoint is in a Static Group, and the filters of a Dynamic Group match it, the endpoint is
automatically moved to the Dynamic Group.

To change the priority of a Dynamic Group:


1. Click Scope and select a Site.
2. Go to Sentinels > Group Ranking.
3. Drag Groups up or down to change their priority.
4. Click Save.

Note: You can also edit the Group Policy and change the Group Info from here.
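The membership rules this module states in Deleting a Group, Ranking Dynamic Groups, and Moving Agents between Static Groups, as an added, runnable model. This is illustration code written for this page, not SentinelOne's implementation; the endpoints, their attributes, and the lambda filters that stand in for saved filter sets are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

DEFAULT_GROUP = "Default Group"
# Constructed endpoint attributes, e.g. {"os": "Windows Server 2019", "ou": "Finance"}.
Endpoint = Dict[str, str]


@dataclass
class DynamicGroup:
    name: str
    matches: Callable[[Endpoint], bool]  # stands in for the Dynamic Group's filter set


class SiteGroups:
    """Group membership of one Site, following the rules in this module: one Group
    per Agent, the highest-ranked matching Dynamic Group wins, Static Group members
    are pulled into a matching Dynamic Group, and Agents left with no Group land in
    the Default Group."""

    def __init__(self, ranked: List[DynamicGroup], static_groups: List[str]) -> None:
        self.ranked = list(ranked)          # index 0 is the highest rank
        self.static = set(static_groups)
        self.endpoints: Dict[str, Endpoint] = {}
        self.placement: Dict[str, str] = {}

    def group_of(self, name: str) -> str:
        return self.placement[name]

    def _place(self, name: str) -> None:
        attrs = self.endpoints[name]
        for group in self.ranked:           # rank order, so the first match wins
            if group.matches(attrs):
                self.placement[name] = group.name
                return
        current = self.placement.get(name)
        # No Dynamic Group claims it: keep a Static Group that still exists, else Default.
        self.placement[name] = current if current in self.static else DEFAULT_GROUP

    def _place_all(self) -> None:
        for name in self.endpoints:
            self._place(name)

    def add_endpoint(self, name: str, attrs: Endpoint) -> str:
        """A newly registered Agent goes to the Default Group unless a filter matches."""
        self.endpoints[name] = dict(attrs)
        self._place(name)
        return self.placement[name]

    def move_to_static(self, name: str, group: str) -> str:
        """Manual move (Group > Move to Group): only Agents outside Dynamic Groups qualify."""
        if group not in self.static:
            raise ValueError(f"{group} is not a Static Group of this Site")
        current = self.placement[name]
        if current != DEFAULT_GROUP and current not in self.static:
            raise ValueError(f"{name} is held by Dynamic Group {current}")
        self.placement[name] = group
        return group

    def rerank(self, names_in_order: List[str]) -> None:
        """Group Ranking drag-and-drop: reorder, then re-evaluate every Agent."""
        by_name = {g.name: g for g in self.ranked}
        if len(names_in_order) != len(by_name) or set(names_in_order) != set(by_name):
            raise ValueError("ranking must list every Dynamic Group exactly once")
        self.ranked = [by_name[n] for n in names_in_order]
        self._place_all()

    def delete_dynamic_group(self, group: str) -> None:
        """Members fall to the next matching Dynamic Group in the ranks, else Default."""
        self.ranked = [g for g in self.ranked if g.name != group]
        self._place_all()

    def delete_static_group(self, group: str) -> None:
        """Members of a deleted Static Group go to the Default Group."""
        self.static.discard(group)
        self._place_all()


if __name__ == "__main__":
    site = SiteGroups(
        ranked=[DynamicGroup("Servers", lambda e: "Server" in e["os"]),
                DynamicGroup("Finance", lambda e: e["ou"] == "Finance")],
        static_groups=["Laptops"],
    )
    site.add_endpoint("fin-srv-01", {"os": "Windows Server 2019", "ou": "Finance"})
    print(site.group_of("fin-srv-01"))   # matches both filters; the higher rank wins
    site.rerank(["Finance", "Servers"])
    print(site.group_of("fin-srv-01"))   # re-ranking silently changes its policy scope
```
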


User Management

Creating Management Console users allows your security team to log in to the Management
Console and manage endpoint security.

• To create users to manage all your Sites, you must have Global scope and Admin
permissions.
• To create users to manage Accounts, you must have Global Admin or Account Admin
permissions for this Account.
• To create users to manage a specific Site, you can have Global Admin, Account Admin,
or Site Admin permissions for this Site.
• You can create users for Sites over which you have Admin permissions. For example, if
the user Alpha01 has Admin permissions for site X and Viewer permissions for site Y,
Alpha01 can make users for Site X but not for site Y.

User Roles

When you create a Management Console user, you must select a role. Different roles grant
users different permissions to see specific windows, select specific actions, and use specific
features.

Predefined Roles are:


Role Endpoint Access

- Users with all access levels (Global, Account, and Site) can do this action.

- Only users with the Global or Account access level can do this action.

Action Admin IR Team SOC IT


Fetch Logs
Initiate Scan
Abort Scan
Disconnect from Network
Reconnect To Network
Update Software
Send Message
Shut Down
Decommission
Reboot
Uninstall
Approve Uninstall
Reject Uninstall
Move To Another Site
Configure Firewall Logging
Remote Shell
Clear Remote Shell Session
Purge Research Data
Purge Crash Dumps
Flush Events Queue
Reset Local Configuration
Restart Services
Mark As Up To Date
Protect
Unprotect

Revoke Token
Purge DB
Control Crash Dumps
Control Research Data
Events Throttling
Configuration
Migrate Agent (Console)
Randomize UUID
File Fetch
Show Applications
Show Passphrase
Search On Deep Visibility
View Threats
Edit Customer Identifier
View Ranger
Enable Ranger
Disable Ranger


Threat Actions

- Users with all access levels (Global, Account, and Site) can do this action.

Action Admin IR Team SOC IT


Kill
Quarantine
Unquarantine
Remediate
Rollback
Disconnect From Network
Connect To Network
Export As CSV
Fetch Threat File
Mark As Threat
Mark As Benign
Mark As Resolved
Mark As Unresolved
Add To Blacklist
Edit Blacklist
Delete Blacklist
Create Exclusion
Edit Exclusion
Delete Exclusion


Creating a New User

1. Select a Scope.
a. If you are a Site or Account Admin, you must select one Site to open Settings.
b. If your Admin scope is for multiple Sites, you can manage users for all your Sites,
not only for the one you selected in Scope.
2. Go to Settings > Users.
3. Select Users.
4. Click New User.

Note: If the window shows only Full Name and Email, Onboarding is enabled for your
deployment. When the new user is created, the Console sends an email to the new user.
Onboarding is enabled by default on cloud-based management deployments.

5. Enter the user's Full Name and Email Address.


a. The email address becomes the username.
Note: If the window shows Password fields, Onboarding is disabled for your
deployment. This is the default configuration for On-Prem deployments.
b. Enter a Password for the user, and in Confirm Password, enter it again.
i. Passwords must:
1. Have 10 or more characters.
2. Contain 3 or more of these character types: Capital letters, lower
case letters, numbers, and special characters.
ii. NOT contain whitespace.
6. Click Next.


7. Select the Access Level.


a. If you are a Global Admin, you can select Global, Account, or Site. If you are an
Account Admin, you can select Account or Site. If you are a Site Admin, Site is
selected.
b. If you are an Account Admin and you want to create a Site Admin or Site Viewer,
you must select the Account that holds the Sites. Then the Sites of that Account
are in the list.
8. Select each Account or Site over which the user will have permissions and then select
the role from the pulldown list.

9. Click Create User.


a. The console will send an invitation to the email of the user.
10. Click Done in the Invite Sent window.


Editing User Details

You can update the User Details, and Role and Scope of a user. For example, you can give new
employees viewer permissions at first. When they are ready to join the Security Team and
manage the security of your environment, you can give them SOC permissions.

You must be an Account Admin to edit the user details for a Site Admin. Global Admins can edit
user details for Account Admins.

Note: Account admins can change the scope of other Account admins to demote them to Site
admins.

Note: Site Admins cannot enable Remote Shell for themselves or other users. Site Admins can
enable 2FA for themselves.

To edit details of a user:


1. Go to Scope and select a scope.
o If you are a Site or Account Admin, you must select one Site to open Settings.
o If your Admin scope is for multiple Sites, you can manage users for all your Sites,
not only for the one you selected in Scope.
2. Go to Settings > Users.
3. Click Users.
4. Click a username.
5. In the Edit User window, click Options > Edit User Details.


6. In the window that opens, change the user's Full Name, Email Address, whether this
user requires Two-Factor Authentication (2FA), and whether this user can use Remote
Shell.

Note: If Remote Shell is not enabled for your Management, you cannot enable it for
users.

7. Click Save Changes.


Changing a User's Password

You must be an Account Admin to change the password for a Site Admin. Global Admins can
change the password for Account Admins.

Password requirements:
• 10 to 25 characters
• Contain 3 or more of these character types: upper-case letters, lower-case letters,
numbers, and special characters.
• No whitespace
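The password rules above, together with the rules in step 5 of Creating a New User, as an added example that is not SentinelOne code: a checker that reports which rule a password breaks, and a generator for initial passwords on deployments where Onboarding is disabled and the admin types the password. Treating ASCII punctuation as the "special" class is an assumption; the manual does not define that class.

```python
import secrets
import string
from typing import List, Optional

# Assumption: the manual does not say which characters are "special"; ASCII punctuation is used.
SPECIAL_CHARS = frozenset(string.punctuation)


def password_problems(password: str, max_len: Optional[int] = 25) -> List[str]:
    """Return every rule the password breaks (an empty list means it complies).

    Rules from the manual: at least 10 characters (10 to 25 when changing a password;
    pass max_len=None for the create-user form, which states no maximum), 3 or more
    of the 4 character types, and no whitespace.
    """
    problems: List[str] = []
    if len(password) < 10:
        problems.append("fewer than 10 characters")
    if max_len is not None and len(password) > max_len:
        problems.append(f"more than {max_len} characters")
    if any(ch.isspace() for ch in password):
        problems.append("contains whitespace")
    present = {
        "upper": any(ch.isupper() for ch in password),
        "lower": any(ch.islower() for ch in password),
        "digit": any(ch.isdigit() for ch in password),
        "special": any(ch in SPECIAL_CHARS for ch in password),
    }
    found = sum(present.values())
    if found < 3:
        missing = ", ".join(kind for kind, ok in present.items() if not ok)
        problems.append(f"only {found} of 4 character types (missing: {missing})")
    return problems


def generate_password(length: int = 16) -> str:
    """Generate an initial password that satisfies the change-password rules.

    One character is drawn from each class first, so the 3-of-4 rule holds by
    construction; the remainder comes from the union of the classes, and the result
    is shuffled with a CSPRNG so the guaranteed characters are not at fixed positions.
    None of the pools contain whitespace.
    """
    if not 10 <= length <= 25:
        raise ValueError("length must be between 10 and 25")
    pools = [string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation]
    chars = [secrets.choice(pool) for pool in pools]
    alphabet = "".join(pools)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    candidate = generate_password(14)
    print(candidate, password_problems(candidate) or "complies")
    print(password_problems("alllowercase12345"))
```
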

To change the password for a user:


1. Go to Scope and select a scope.
2. Go to Settings > Users.
3. Click Users.
4. Click on a username.
5. In the Edit User window, click Options > Change Password.
6. In the window that opens, enter the New Password, and then again in Confirm
Password.
7. Click Save.


Deleting a Console User

To delete a console user:


1. Go to Scope and select a scope.
o If you are a Site or Account Admin, you must select one Site to open Settings.
o Note: If your Admin scope is for multiple Sites, you can manage users for all
your Sites, not only for the one you selected in Scope.
2. Go to Settings > Users.
o Select the user(s).
3. Click Delete Selection.

4. In the confirmation message, click Confirm.


Managing Agents

SentinelOne updates your Management Console with the latest Agent packages. Download
the packages for the operating systems in your environment. You can use third-party tools
to deploy the package to all of your endpoints by platform. Or you can install Agents
individually.

If you have an On-Prem Management, contact your partner or vendor for the Agent
packages that you need.

Note: Ensure the endpoint meets the System Requirements, including dependencies,
patches, and configuration changes for specific operating systems. If the system
requirements are not met, the installation will not complete.

Best Practice: Uninstall third-party anti-virus software before you install SentinelOne. Other
security software often prevents Agent installation or affects its performance. Install the
Agent as quickly as possible after you uninstall the other security.

To run SentinelOne with third-party anti-virus software, contact SentinelOne Support to
create the exclusions necessary for interoperability or see Interoperability on SentinelOne
Support (https://support.sentinelone.com/hc/en-us/articles/360002679893).

During installation of new Agents, you must assign Agents to a Site using the Site Token or a
Group using the Group Token.


Installing the Agent on a Windows Endpoint

1. Select the site you want to install the endpoint into from Scope.
2. Download the latest Windows Installer package from Sentinels > Packages.
a. Make sure the scope of the package includes the Site that the Agent will go to.
Best Practice: Download the file to the local endpoint.
3. Copy the Site Token from the top of the Packages page.
Note: To install the endpoint directly into a Static Group, select the group and go to
Sentinels > Group Info and copy the Group Token from there.
4. To install with the interactive GUI wizard directly on the endpoint:
a. Run the installation package and enter the Site or Group Token when prompted
in the installation wizard.
5. Complete the installation:
a. The On Write mode, with Deep File Inspection and Reputation, is active
immediately.
b. The Dynamic Engines (Behavioral AI) mode becomes active after you or the end
user restart the endpoint. In the Management Console, the endpoint status
is Pending Reboot until it restarts.


To install silently without user interaction:

Run the installer in Windows CLI with switches for the token and quiet installation.

Example for EXE packages:


C:\Users\S1\Desktop\Sentinel\SentinelInstaller.exe /SITE_TOKEN=<string> /quiet

Example for MSI Packages:


C:\users\S1\Desktop\Sentinel\SentinelInstaller.msi SITE_TOKEN=<string> /quiet

Tip: Add /norestart to prevent a forced reboot.

Important for all endpoints: It is recommended that you enhance endpoint security with
protection against physical theft and hacking (such as unauthorized disk mount modification).
Enable full disk encryption, apply OS patches, and maintain measures according to your vendor
recommendations and corporate policies.


Installing on macOS Endpoints Prior to 10.13

Make sure you have all the requirements before you start the installation.

Installing the Agent on one macOS endpoint

1. In the Sentinels toolbar, click Packages.


2. Download the latest macOS Installer package.
3. Make sure the scope of the package includes the Site that the Agent will go to.
Best Practice: Download the file to the local endpoint.
4. Save the Site Token or Group Token in a plain text file in the same folder as the
SentinelOne Installer package. Name the file: com.sentinelone.registration-token
5. Run the installer: $ sudo /usr/sbin/installer -pkg Desktop/Sentinel*.pkg -target /
Or let the user install the Agent:
a. Give the Token string to the user (for example, send a message or email with the
token string).
b. Users run the installation package and enter the Token string when prompted in
the installation wizard.

6. Complete the installation.

Important for all endpoints: We recommend that you enhance endpoint security with
protection against physical theft and hacking (such as unauthorized disk mount modification).
Enable full disk encryption, apply OS patches, and maintain measures according to your vendor
recommendations and corporate policies.


Installing on macOS Endpoints 10.13 and Higher

macOS 10.13 High Sierra and later releases make sure that all installations are secure: they
limit installation to applications that are approved by Apple. To make sure your computer is
protected and compliant with company policy, run these steps to complete installation of the
Agent.

If you see a message that says: "Please approve SentinelOne software in System Preferences",
skip to Step 3.

Installing the Agent on one macOS endpoint

1. Start the Agent installation with the PKG.


2. If you see the System Extension Blocked message, click OK.

3. On the local computer, open System Preferences.


4. Click Security & Privacy.


5. At System software from developer "Sentinel Labs Inc." was blocked from loading,
click Allow.

6. Click Close.

Troubleshooting - If you forgot to copy the Site or Group Token to the endpoint:

After Agent installation, get the Token from the Management Console.

Run:
sudo sentinelctl set registration-token <path-to-token>

OR
sudo sentinelctl set registration-token -- <token> --passphrase <passphrase>


Installing an Agent on Linux Endpoints

Make sure you have all the requirements before you start the installation.

• Debian 9: https://support.sentinelone.com/hc/en-us/articles/360005287854
• Fedora: https://support.sentinelone.com/hc/en-us/articles/360005411233-Installing-Linux-Agent-on-Fedora
• Oracle: https://support.sentinelone.com/hc/en-us/articles/360007507034

For virtual environments where cloning is possible or required, see Duplicate UUID in Linux to
prevent or resolve issues of duplicate Linux Agent IDs on the SentinelOne Support page at
https://support.sentinelone.com/hc/en-us/articles/360006224434

To install the Agent on a Linux endpoint:

1. Go to Sentinels > Packages.


2. Download the latest Linux Installer package.
3. Make sure the scope of the package includes the Site that the Agent will go to.
a. Best Practice: Download the file to the local endpoint.
4. Make the BSX executable:
chmod +x path/SentinelAgent-version-Linux.bsx
5. Run the BSX installer.

Installation with a Site or Group token:


./SentinelAgent-version-Linux.bsx -s "string"

For example:
./SentinelAgent-2.6.1.1390-Linux.bsx -s "eyJ1cmwiOiAiaHR0cHM6Ly9jZW50cmFscGFyay5zZW"

Installation with Site or Group Token and a proxy:

./SentinelAgent-version-Linux.bsx -s "string" -p "address:port"

For example:
./SentinelAgent-2.6.1.1390-Linux.bsx -s "eyJ1cmwiOiAiaHR0cHM6Ly9jZW50cmFscGFyay5zZW" -p "192.0.2.5:80"
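Before a Site or Group Token is handed to any installer (the same token is used on Windows, macOS and Linux), it is worth confirming which Management Console it registers the Agent to. The token printed in the example above is base64 text whose decoded beginning is a JSON object with a "url" field. The check below is an added example, not SentinelOne code: it decodes the token, rejects one that is truncated or not base64, verifies the console host against an allowlist, and only then builds the BSX command line with the -s and -p switches shown above. That every token is base64 JSON carrying a "url" field is an assumption; the console.example.com host is a constructed value.

```python
import base64
import binascii
import json
from typing import Iterable, List, Optional
from urllib.parse import urlparse

# Token copied from the Linux example in this manual. It is printed there cut short,
# which is exactly the failure decode_registration_token() catches.
PAGE_TOKEN = "eyJ1cmwiOiAiaHR0cHM6Ly9jZW50cmFscGFyay5zZW"

# Constructed sample token: base64 of a JSON object holding only a "url" field.
# Real tokens carry further fields; none of them are assumed here.
SAMPLE_TOKEN = base64.b64encode(
    json.dumps({"url": "https://console.example.com"}).encode("utf-8")
).decode("ascii").rstrip("=")


def decode_registration_token(token: str) -> dict:
    """Decode a Site/Group Token to its JSON payload, or raise ValueError.

    Assumption: the token is (standard or URL-safe) base64 of a JSON object that
    names the Management Console under "url".
    """
    token = "".join(token.split())  # tolerate a token that was wrapped across lines
    if not token:
        raise ValueError("empty token")
    padded = token + "=" * (-len(token) % 4)  # tokens are shown without '=' padding
    try:
        raw = base64.b64decode(padded, altchars=b"-_", validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"token is not valid base64: {exc}") from exc
    try:
        payload = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        # A token copied incompletely fails here instead of reaching the installer.
        raise ValueError("token payload is truncated or not JSON") from exc
    if not isinstance(payload, dict) or not isinstance(payload.get("url"), str):
        raise ValueError("token payload carries no console URL")
    return payload


def check_token_console(token: str, expected_hosts: Iterable[str]) -> str:
    """Return the console URL if the token registers to a console you operate."""
    url = decode_registration_token(token)["url"]
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname not in set(expected_hosts):
        raise ValueError(f"token registers to an unexpected console: {url}")
    return url


def build_install_argv(bsx_path: str, token: str, expected_hosts: Iterable[str],
                       proxy: Optional[str] = None) -> List[str]:
    """argv for the BSX installer, built only after the token passed the console check.

    A list (not a shell string) avoids quoting problems with the token itself.
    """
    check_token_console(token, expected_hosts)
    argv = [bsx_path, "-s", token]
    if proxy:
        argv += ["-p", proxy]
    return argv


if __name__ == "__main__":
    print(check_token_console(SAMPLE_TOKEN, ["console.example.com"]))
    try:
        decode_registration_token(PAGE_TOKEN)
    except ValueError as err:
        print("manual's token:", err)
```
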

Important for all endpoints: To enhance endpoint security you should enable full disk
encryption, apply OS patches, and maintain measures according to your vendor
recommendations and corporate policies.

Uploading a Package for Agent Installation or Upgrade

To upload a new package, you must be a Global or Account Admin.

For a cloud-based Management, SentinelOne updates your Management Console with the
latest Agent versions.

For On-Prem environments, or if you need a package that is not in your Management
Console, you can request files from SentinelOne Support.

Upload the packages to the Management Console and then deploy the files to Agents.

IMPORTANT: If you install an Agent with the CLI, and then you upgrade from the
Management Console, the upgrade configuration is according to the policy to which the
Agent belongs. If the installer switches were different, they are overwritten with the policy
switches.

To upload an Agent Installer file to the Management Console:


1. Click Scope and select Global or a Site.
2. Go to Sentinels > Packages.
3. Click Upload Package.
4. The New Package window opens.

5. In Platform, select the OS of the package.


6. In Version, enter the version number in this format: x.x.x.x. For example, 3.2.4.54
7. If you do not enter 4 sections, a Wrong version number error shows.
8. In Status, enter GA, EA, or a different text that identifies the package status.


a. EA (Early Availability): EA releases give customers a chance to try out new
releases before they are publicly available. This allows SentinelOne to see how
the new release does in the real world and resolve any issues that arise before
the GA.
b. GA (General Availability): The release is ready for the public.
c. SP (Service Pack): A release on top of a GA version that fixes issues identified in
an EA or GA release.
9. In Scope Level, select Global, Account, or Site.
10. If you select Account or Site, enter the names of the Accounts or Sites that can use the
package.
11. Click Upload Package to browse to the file.
12. Click Save.


Updating a Selected List of Agents

For a cloud-based Management, SentinelOne updates your Management Console with the
latest Agent versions.

For On-Prem environments, or if you need a package that is not in your Management Console,
you can request files from SentinelOne Support.

• Best Practice: Upgrade your SentinelOne Agents by group or filter results to the latest
Agent version for each OS.
• Priority of policy against local configuration: When you upgrade an Agent with these
steps, it gets the configuration of its policy. If you installed the Agent with CLI and
switches, the installation configuration is overwritten by the policy configuration.
• File maintenance: When you upgrade an Agent, the directories and files of the previous
version (\Program Files\Sentinel One\Sentinel One Agent\version) are maintained until
the next reboot.

Note: Windows Agents use Background Intelligent Transfer Service (BITS) to run upgrades when
the endpoint is idle, and stop upgrades when the endpoint needs network bandwidth for other
activities. Therefore, it can take a significant amount of time for the upgrade to complete.

To upgrade a selected list of Agents:


1. Go to Scope and select the Account, Site or Group.
2. Go to Sentinels > Endpoints.
3. Select the Endpoints to update.
a. Select a group or filter set, or select Agents manually.
4. Click Actions, and select Update Software.

5. In the Update Software window:


a. In Platform, select the OS of the Agents to update.
i. If all Agents have the same OS, this is selected automatically.
b. In Version, select an installer file for the upgrade. The files from Packages show.
6. Click Update Now.


Pending Action

Agents may require an action to become fully functional. You will receive a message showing a
pending action or request in the Sentinels view of the Management Console in the Endpoint
Details window.

To review what request is pending, you can click on the endpoint name to display the Endpoint
Details window.

Click on Details to see more information about the request.


To filter for all pending actions for endpoints:


1. Go to Scope and select the desired scope.
2. Go to Sentinels > Endpoints.
3. Click in the Filter pane.
The filtering categories and options show.

4. Pending actions is one of the default filter categories. Click one or more options to show
endpoints with those issues.
5. Optional: Click Save Filter to save the Filter Set or use it to create a Group.

From a Group or filter set, you can run actions on multiple endpoints, such as Reboot or
Shutdown. You can easily track the status of the endpoints to make sure that the
necessary actions are done.

Pending Action Descriptions

Reboot
• Explanation - A reboot is required to make the Agent fully functional. For example,
some policy override configuration changes can require a reboot.
• When a Windows Agent installs, some policy engines are active immediately and the On
Execute engines (Behavioral AI) become active after a reboot.
• Action required - Reboot the endpoint manually or:
o From the Management Console, select one endpoint, or all endpoints in a group
or filter set.
o Click Actions > Reboot.

Missing Permissions
• Explanation - The user permissions on the endpoint computer do not allow SentinelOne
Agent installation. For example, if you install an Agent on macOS 10.13 High Sierra and
higher, users must approve the kernel extension.
• Action required - For macOS 10.13 High Sierra and higher, see macOS and SentinelOne
Agent on the support page at https://support.sentinelone.com/hc/en-us/articles
/115005142105. For other operating systems, contact Technical Support.


Agent Suppressed
• Explanation - The Agent is running but not providing protection. This can happen if
kernel extension permission or any other vital resource is missing.
• Action required - See the Agent Requirements in the System Requirements in Module 1
for supported operating systems. Upgrade the Agent or the endpoint OS. Contact
SentinelOne Support if you cannot find the source of the problem.

Incompatible OS (macOS only)


• Explanation - The Agent does not support the Operating System installed. Usually this
happens when an endpoint's OS is upgraded to a version that the current Agent does
not support. The Agent will suppress itself.
• Action required - See the Agent Requirements in the System Requirements in Module 1
for supported operating systems. Upgrade the Agent or the endpoint OS. Contact
SentinelOne Support if you cannot find the source of the problem.

Unprotected (macOS only)


• Explanation - The Agent is unprotected because Anti-tampering is disabled or the OS
protection tools are off.
• Action required - Enable Anti-tampering for the Agent. Make sure that it is enabled in
the policy of the Agent. If it is already enabled in the policy, it is probably disabled in the
Agent's local configuration.


Managing Endpoints

Endpoints Filter

From the Sentinels > Endpoints page, you can search and filter to find endpoints that match
specific criteria. You can:
• Include multiple strings and types in the same search.
• Use the results to run actions on matching Agents.
• Create a Dynamic Group based on the filters (when one Site is selected).
• Save filters as a Filter Set.

You can search for the preset parameters by selecting the filter from the Free text search
pulldown and then type in your search.

The preset parameters are:


• Visible IP
• Computer Name
• Local IP
• MAC Address
• Last Logged In User
• OS Version


• UUID
• AD Any String
• AD User DN
• AD User Groups
• AD User Or Their Groups
• AD Machine DN
• AD Machine Groups
• AD Machine Or Its Groups
• All

Examples of filters:
• A filter for infected endpoints, to isolate them and mitigate issues.
• A filter for Agents that have pending actions.
• A filter for endpoints of an operating system, to track compliance and OS upgrades.

To create a Sentinels filter:


1. On the sidebar, click Scope and select a scope.
2. On the sidebar, click Sentinels > Endpoints.
3. Click Select Filters.

The filtering categories and options show. The number next to an option is the number
of matched endpoints.


4. Select values from the categories.


5. Use the filter results:
a. After you select one or more endpoints from the results, you can click Actions,
and select an action to do.
b. To save a filter set, click Save Filter.

Filters can be used when you create a Dynamic group.


Note: If you create filters to make a Dynamic group, you cannot use these filter
categories:
• Network status
• Pending uninstall
• Pending actions
• Update status
• Scan status
• Management connectivity
• Health status
• Group
• Last online

To load a filter set:


1. In Sentinels click Load Filter.

2. Select a saved filter set.


To update a filter set:


1. In Sentinels, load the filter you want to update.
a. The Selected set options pulldown appears.
2. Make your changes to the filter set.
3. Click Selected set options.

4. From the pulldown, select Update Set.

To edit the name of the filter set or delete a filter set:


1. In Sentinels, load the filter you want to delete.
a. The Selected set options pulldown appears.
2. From the pulldown, select Edit Set Name or Delete Set.


Actions Selections

Users have the ability to select an endpoint and perform specific operations. There are two
ways to access the actions on an endpoint.
• The first is from Sentinels > Endpoints, select an endpoint and click Actions.
• The second option is to click on an endpoint to display the Endpoint Details window and
click Actions.

To Select an Action from Sentinels > Endpoints:


1. Check the box next to the endpoint and then select Actions.

Action options are:

• Fetch Logs: Download logs of Agent operations, to send to Support. For Windows, you can
also get endpoint logs.
• Initiate Scan: Run a Full Disk Scan.
• Abort Scan: Stop a Full Disk Scan.
• Disconnect from Network: Also known as Network Quarantine or Network Isolation. The Agent
can communicate only with the Management Console. The endpoint cannot communicate with
other components on the network.
• Reconnect to Network: Undo the Disconnect from Network action.
• Update Agent: Update the Agent.
• Send Message: Send a message to the endpoints.
• Shut Down: Shut down the endpoint from the Console.
• Decommission: Remove the endpoint from the Console.
• Reboot: Reboot the endpoint.
• Reload (Windows): Reload Agent modules: Static, Log, Agent, or Monitor.
• Uninstall: Uninstall the Agent.
• Approve Uninstall: If a user tries to uninstall the Agent from an endpoint, an uninstall
request is sent to the Management. This action approves the request.
• Reject Uninstall: Reject the end-user request to uninstall the Agent.
• Move to Another Site: Account users can move Agents from one Site to a different Site,
where both Sites are in the access scope of the user.
• Configuring Firewall Logging: Set if blocked traffic events are logged.
• Remote Shell: Open a Remote Shell on the selected endpoint (only one at a time).
• Clear Remote Shell Session: Manually force a Remote Shell session to close.
• Purge Research Data: After SentinelOne Research experts resolve an issue such as a False
Positive, you can clean the heavy logs from your Management.
• Purge Crash Dumps: After SentinelOne Technical Support resolves your issue, they might
recommend that you clean the heavy logs from your Management.
• Flush Events Queue: Delete all notifications waiting to be sent. SentinelOne Technical
Support might recommend this action if you set too many alerts to SMS, if you change the
Syslog server, if Support actions handled notifications and they are no longer relevant,
or other.
• Reset Local Configuration: Change the configuration of the selected Agents to the default
policy.
• Restart Services: Restart the Agent services.
• Mark As Up To Date: Mark this endpoint Up To Date if the Agent version running on the
endpoint is the latest, but this endpoint is shown on the Dashboard as Out of date. This
issue might occur if Agents that were sent a new version did not yet report to
Management.
• Protect: If an Unprotect command was used, this configures the selected Agents to block
configuration changes and uninstallation.
• Unprotect: Forces the Agent to allow configuration changes.
• Revoke Token: Forces the Agent token to expire, which causes the Agent to register again
and get a new configuration immediately.
• Purge DB: Do not use this without SentinelOne Technical Support! This is a debug command
that can corrupt the database.
• Control Crash Dumps: To troubleshoot the Agent with SentinelOne Technical Support. In the
window that opens, control if the selected Agents upload (Send) crash dumps to your
instance in the Cloud, delete the dumps without upload (default), or if the Agents send
crash dumps for a given number of seconds (Expiration).
• Control Research Data: For SentinelOne expert investigation on specific detections. In
the window that opens, control if the selected Agents upload (Send) verbose detection
data to your instance in the Cloud, delete data that you uploaded before, or upload data
for a given number of seconds (Expiration).
• Event Throttling: When SentinelOne Technical Support requires a clean, lite environment
to troubleshoot an issue, they may recommend that you turn on this option for a limited
time. In the window that opens, control if the selected Agents send events (threat
alerts, on-access, system trace) to the Management, if they stop events (they still send
Keep-Alive), or if they stop for a given number of seconds (Expiration).
• Configuration: Edit the JSON configuration of the Agent. Important: Do not do this
without SentinelOne Technical Support! Changes are applied on the next keep alive
message.
• Migrate Agent: Move the Agent to a different Management Console.
• Randomize UUID: Reset the Agent UUID to handle duplicates.
• File Fetch: Download threat files.
• Show Applications: Open the Applications page for the Agent.
• Show Passphrase: Get the passphrase of the Agent for API or sentinelctl commands.
• Search on Deep Visibility: Open Deep Visibility with the Agent UUID in the query.
• View Threats: Open the Incidents page with the Agent UUID in the filter.
• Edit Customer Identifier: Edit your custom string for the endpoint.
• Enable Ranger: Enable this Agent to be selected as an active scanner for Ranger.
• Disable Ranger: Make sure this Agent is not an active scanner.


Endpoint Details Window

The Endpoint Details window will provide additional information.

• Endpoint name
• OS version
• When the endpoint was last active
• Disk encryption present
• Health Status
• UUID
• Last logged on user
• Console connectivity (Online or Offline)
• Agent version
• Network status
• Scan status
• Domain
• Memory
• Subscribed on
• CPU
• Console visibility IP
• Core count
• IP Address
• Location
• Network Adapters
• Type
• IP
• Mac Address

You can then select the appropriate action by selecting the Actions pulldown.


Move an Agent to a Different Site

Agents are assigned to a Site when they are first installed with a Site Token.

Account and Global Admins can move Agents from one Site to a different Site. Agents go to the
Default Group in the new Site.

You can select endpoints from different Sites to move.

To move an Agent to a different Site:


1. Go to Scope and select a scope.
2. Go to Sentinels > Endpoints.
a. Select one or more endpoints from the list.
3. Click Actions and select Move to Another Site.

4. In the list of Sites that opens, select the new Site for the Agents.
5. Click Move Agents.
6. Select Action Approved and click Move Agents.


Moving Agents between Static Groups

You can add Agents to a Static Group and remove Agents from a Static Group. You can move an
Agent from one Static Group to a different Static Group.

If you remove an Agent from a Static Group and do not put it in a different Group, it
automatically moves to the Default Group.

You cannot manually add or remove Agents to or from Dynamic Groups.

To move Agents from one Static Group to a different Static Group:


1. Go to Scope and select a Group.
2. Go to Sentinels > Endpoints.
3. Select Agents of the Site that are not assigned to Dynamic Groups.
4. Click Group and then select Move to Group.
5. Select a different Group for the Agents.
6. Click Save.


Uninstalling Agents from the Management Console

You can uninstall Agents from the Management Console.

From the Management Console, you can select one or more endpoints for the action, or you
can select all of a Group or filter set. You cannot select all endpoints shown if they are not in a
Group or filter set.

To uninstall Agents from the Management Console:


1. Go to Scope and select an Account, Site or Group.
2. Go to Sentinels > Endpoints.
a. Select one endpoint OR all endpoints in a Group or filter set.
3. Click Actions > Uninstall.

4. In the confirmation window that opens, select Action approved and then click Uninstall.
5. To make sure that all remnants of the Agent are removed, reboot the endpoints after
Agent uninstallation.


Manual Uninstall Requests

If a user tries to uninstall the SentinelOne Agent from an endpoint, an uninstall request is sent
to the Management Console. The request must be approved in the Console. After you approve
a request, users see a message that the request was approved. They can restart to complete
the Agent uninstallation.

You should not approve these requests until:


• You understand the reason for the request
• You agree with the request
• You have alternative security for the endpoint until you install the Agent again

Online Uninstall request:


1. The user will attempt to uninstall the SentinelOne agent by selecting Control Panel >
Add or Remove Programs > SentinelOne Agent.
2. When they click Uninstall, the Agent Uninstall window opens.
3. The user will select Online, if the Agent is connected to the Management Console, or
Offline, if it is not connected.

4. When the user clicks Uninstall, a request is sent to the Management Console. The user
will receive the following message:


5. The Management Console will receive a Pending uninstall action request in the Network
view:

6. The admin can click Select Filters.


7. Click Pending Uninstall – Yes.
8. Select the endpoints to uninstall.
9. Click Actions > Approve Uninstall.
A confirmation message shows.
10. Click Approve.
11. The Agent is removed (reboot required).

If the Agent was offline, the user must enter the Verification Key (passphrase) in the Uninstall
window.
• In the Endpoint Details window of the endpoint, click Actions > Show Passphrase.
• Copy the output and give it to the user.

To see uninstallation requests and activity:


• In the sidebar, click Activity
• In Activity Filters, click Administrative > Uninstall to see all uninstallation activity and
requests.


Decommission an Agent

If a user is scheduled for time off, or a device is scheduled for maintenance, you can
decommission the Agent. This removes the Agent from the Management Console. When the
Agent communicates with the Management again, the Management recommissions it and
returns it to the Management Console.

From the Management Console, you can select one or more endpoints for the action, or you
can select all of a Group or filter set. You cannot select all endpoints shown if they are not in a
Group or filter set.

To decommission an Agent:
1. Go to Scope and select a scope.
2. Go to Sentinels > Endpoints.
a. Select the endpoint or endpoints that are offline.
3. Click Actions > Decommission.

4. In the confirmation window that opens, select Action approved. Click Decommission.


Agent Migration between Management Consoles


You can move Windows Agents and macOS Agents between different Management Console
instances.

Specifications
• You must be a Global Admin of the Agent's old Site and a Site Admin for the new Site.
• When you run the operation, you enter the Site Token for the new Site.
• An Agent will try to connect to the new Management Console for 3 minutes. If the
Agent cannot connect, it stays in the original Management Console.
• Local configuration files are kept with the Agent. New management assets take effect
after the next keep-alive communication with the new Management Console.
• Resolve all threats on Agents before you migrate them.
• The management will NOT migrate these endpoints:
o Endpoints that do not meet the requirements to support migration (unsupported
version of OS).
o Endpoints with unresolved threats.

To migrate an Agent:
1. In a Management Console with Advanced mode enabled, go to Sentinels > Endpoints.
2. Select endpoints.
a. From the Management Console, you can select one or more endpoints for the
action, or you can select all of a Group or filter set. You cannot select all
endpoints shown if they are not in a Group or filter set.
b. If you select an endpoint that cannot be migrated, the endpoint is skipped, but
the operation still runs on supported endpoints.
3. Click Action and select Migrate Agent.


4. A window opens with instructions. Copy the Site token for the target Site from the
Sentinels > Packages page and paste it in the window.
5. You must be in the Site scope to see the Site Token.

6. Click Move.
7. Select Approve and click OK.

To see Agent migration status in the Sentinels view:


• In Sentinels > Endpoints, use the filters or the columns to see the Console Migration
Status of endpoints.
• In the Network filters scroll right to see the Console Migration Status.


• Expand Columns to select the Console Migration Status column, or to make sure it is
selected.

• If necessary, scroll right in the Endpoints page to see the column.


• The potential values are:
o N/A - No migration command was sent.
o Pending - The Agent is trying to migrate. After a maximum of four minutes, the
status will change to Migrated or Failed.
o Migrated - The Agent moved successfully to the new Management Console. It
shows as Offline in the original Management Console.
o Failed - The Agent failed to move and stays in the original Management Console.

To see Agent migration activities in the Activity log:


• You can filter for these activities in the Activity log.


Sending Console Messages to Endpoints

Best practice: If the endpoint is a user computer, let the user know you will remotely run
commands on the computer.

To send a message to users through the Management Console:


• Go to Sentinels > Endpoints.
o Select one or more endpoints.
• Click Actions and then select Send Message.

o In the window that opens, enter your message and then click Broadcast.
o Note: You are limited to 140 characters.
• In the confirmation window, click Broadcast again.

The message will appear on the endpoint desktop.


Integrating SMTP Servers

Configure integration with your SMTP server to let the Management send alerts to security
personnel and stakeholders.

In the view for one Account or Site, you can configure a server specifically for that scope. If a
scope does not have a specific configuration, it uses the Global Integration settings. After you
complete the SMTP integration, configure notifications.

To configure integration with SMTP:


1. On the sidebar, click Scope and select a scope.
Note: If you are a Site Admin, you must select one Site to open Settings.
2. On the sidebar, click Settings.
3. In the Settings toolbar, click Integrations.

SMTP opens by default.

4. For Accounts and Sites: By default, the Global settings are inherited. Click Change to edit
them.


If the Account or Site has different settings from the Global settings, you can click
Revert to default inherited SMTP to use the Global settings.

5. Enter the data of your SMTP email server.

6. SMTP Server Integration fields:

   Field                 Description
   Host                  Hostname and listening port of the SMTP server (valid for the selected Encryption).
   No-reply email        Optional. Enter a no-reply email address to be the sender of Management Console notifications.
   Username / Password   Enter the username and password of the system administrator with authorization to access the SMTP server.

7. In Encryption, select SSL, TLS, or Turn off encryption.


8. Click Test.
9. If the test passed, click SAVE.
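When the Test step fails, it helps to reproduce the same connection outside the console. The following Python script is an added example, not SentinelOne code: it reads the Host field as "hostname:port", maps the three Encryption choices to implicit TLS (SSL), STARTTLS (TLS) or cleartext, verifies the server certificate, and refuses to send the administrator's credentials when encryption is turned off unless that is explicitly allowed. The hostnames, addresses and account names are constructed placeholders, and the default ports used when the Host field carries no port are an assumption of this example, not a console behaviour.

```python
import smtplib
import ssl
from email.message import EmailMessage
from typing import Optional, Tuple

# The three choices in the console's Encryption field.
ENCRYPTION_MODES = ("SSL", "TLS", "Turn off encryption")

# Conventional ports used only when the Host field carries none (assumption,
# not a console default): 465 implicit TLS, 587 STARTTLS, 25 cleartext.
_DEFAULT_PORTS = {"SSL": 465, "TLS": 587, "Turn off encryption": 25}


def parse_host(host_field: str, encryption: str) -> Tuple[str, int]:
    """Split the Host field ('hostname:port') into (hostname, port)."""
    if encryption not in _DEFAULT_PORTS:
        raise ValueError(f"unknown Encryption setting {encryption!r}")
    hostname, sep, port = host_field.strip().rpartition(":")
    if not sep:
        return host_field.strip(), _DEFAULT_PORTS[encryption]
    return hostname, int(port)


def check_credentials_safety(encryption: str, username: Optional[str],
                             allow_cleartext_auth: bool = False) -> None:
    """Refuse to send a username/password over a connection with encryption turned off."""
    if username and encryption == "Turn off encryption" and not allow_cleartext_auth:
        raise ValueError("SMTP credentials would be sent in cleartext; pick SSL or TLS")


def send_test_message(host_field: str, encryption: str, username: Optional[str],
                      password: Optional[str], sender: str, recipient: str,
                      allow_cleartext_auth: bool = False) -> bool:
    """Reproduce the console's Test step: connect, negotiate encryption, log in, send one mail."""
    hostname, port = parse_host(host_field, encryption)
    check_credentials_safety(encryption, username, allow_cleartext_auth)
    ctx = ssl.create_default_context()     # verifies the server certificate and hostname

    msg = EmailMessage()
    msg["Subject"] = "SMTP integration test"
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content("Test message from the SMTP integration check.")

    if encryption == "SSL":
        client = smtplib.SMTP_SSL(hostname, port, context=ctx, timeout=15)
    else:
        client = smtplib.SMTP(hostname, port, timeout=15)
    with client:
        client.ehlo()
        if encryption == "TLS":
            client.starttls(context=ctx)   # upgrade the cleartext session before AUTH
            client.ehlo()
        if username:
            client.login(username, password or "")
        client.send_message(msg)
    return True


if __name__ == "__main__":
    # Placeholder values; replace with your own server before running.
    send_test_message("smtp.example.com:587", "TLS", "alerts-user", "REPLACE_ME",
                      "noreply@example.com", "soc@example.com")
```

If the script succeeds where the console's Test fails, compare the certificate chain the server presents with what the console can validate; if both fail at the login step, the account in the Username field lacks authorization on the SMTP server rather than the transport being the problem.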


Configuring Email Notifications

After you integrate an SMTP Server, configure which SentinelOne activities trigger email
notifications, and who gets the notifications.

In the view for one Account or Site, you can configure a server specifically for that scope. If a
scope does not have a specific configuration, it uses the Global Integration settings.

To configure email notifications:


1. On the sidebar, click Scope and select a scope.
Note: If you are a Site Admin, you must select one Site to open Settings.
2. On the sidebar, click Settings.
3. In the Settings toolbar, click Notifications.

4. Click a Notification Type, for example, Administrative or Malware.

5. In the Email column, select which activities will trigger messages.


6. In the Notification Types list, click Recipients.


7. Click New recipient to add each new email address.


Integrating Syslog Servers

You can integrate your Syslog server to collect SentinelOne logs. Before you begin, ask the
system administrator who configured or maintains the Syslog server if authentication
certificates are used. If so, you need access to those certificates. Then configure your Syslog
server integration with SentinelOne, with the steps here. When these steps are done, you can
select events to be logged.

In the view for one Account or Site, you can configure a server specifically for that scope. If a
scope does not have a specific configuration, it uses the Global Integration settings.

To integrate your Syslog server:


1. On the sidebar, click Scope and select a scope.
Note: If you are a Site or Account Admin, you must select one Site to open Settings.
2. On the sidebar, click Settings.
3. In the Settings toolbar, click Integrations.

4. Click SYSLOG.

5. Click Enable SYSLOG.


6. In Host, enter the hostname and port of your syslog server.
7. To use SSL or TLS channel authentication and privacy, click Use SSL secure connection.
Note: If you do not select this, UDP is used.


8. In Certificate, you can upload server and client certificates to verify client/server
authorization between the SentinelOne Management (client) and the syslog server
(server). These options only show if Use SSL secure connection is selected. Passphrase-
protected certificates are not supported. Make sure you know how the Syslog server is
configured, and that you have the correct certificates from that configuration.

• Server certificate - Select and upload a certificate to verify the syslog server identity.
• Client certificate - Select and upload a certificate to verify the SentinelOne
Management as a client of the syslog server. Use a certificate file with a client key. A
Client certificate is necessary if the server requires client authentication.
• Client key - Select and upload the client key of a client/server key pair. A Client key is
necessary, along with a Client certificate, if the server requires client authentication.
9. In Formatting, select the format for the logs: CEF, CEF2, STIX, IOC, RFC-5424. For syslog
format, select RFC-5424.
10. Click TEST.
11. If the test passed, click SAVE.
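To check on the receiving side what arrives when you select the RFC-5424 format and Use SSL secure connection, the following Python snippet is an added example, not part of the training material or of the SentinelOne product. It contains a parser for RFC 5424 messages (PRI, header, structured data, free-text message), a TLS client context built from the same three artifacts the console asks for (server certificate, client certificate, client key; the key must be unencrypted, matching the note that passphrase-protected certificates are unsupported), and the RFC 5425 octet-counting framing used for syslog over TLS. The sample log lines, their SD-ID (32473 is the enterprise number reserved for documentation) and the file paths are constructed; the exact fields SentinelOne emits are not on this page, and the network send path is not exercised offline.

```python
import re
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 5424 layout:
#   <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP STRUCTURED-DATA [SP MSG]
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,
)
# One SD-ELEMENT: [SD-ID SP PARAM-NAME="PARAM-VALUE" ...]; values may escape " \ ] with a backslash
_SD_ELEMENT = re.compile(r'\[([^ \]]+)((?: [^ =\]]+="(?:[^"\\]|\\.)*")*)\]')
_SD_PARAM = re.compile(r' ([^ =\]]+)="((?:[^"\\]|\\.)*)"')


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    version: int
    timestamp: str
    hostname: str
    appname: str
    procid: str
    msgid: str
    structured_data: Dict[str, Dict[str, str]]
    msg: str


def _unescape(value: str) -> str:
    return re.sub(r'\\([\\"\]])', r"\1", value)


def parse_rfc5424(line: str) -> SyslogMessage:
    """Parse one RFC 5424 message; raises ValueError on anything malformed."""
    m = _HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 5424 message: " + line[:40])
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    rest = m["rest"]
    sd: Dict[str, Dict[str, str]] = {}
    if rest == "-" or rest.startswith("- "):
        msg = rest[2:]                       # NILVALUE structured data
    elif rest.startswith("["):
        pos = 0
        while pos < len(rest) and rest[pos] == "[":
            em = _SD_ELEMENT.match(rest, pos)
            if not em:
                raise ValueError("malformed STRUCTURED-DATA")
            sd[em.group(1)] = {k: _unescape(v) for k, v in _SD_PARAM.findall(em.group(2))}
            pos = em.end()
        msg = rest[pos + 1:] if rest[pos:pos + 1] == " " else ""
    else:
        raise ValueError("STRUCTURED-DATA must be '-' or one or more [elements]")
    return SyslogMessage(pri // 8, pri % 8, int(m["version"]), m["timestamp"],
                         m["hostname"], m["appname"], m["procid"], m["msgid"], sd, msg)


def build_tls_context(ca_cert: str, client_cert: Optional[str] = None,
                      client_key: Optional[str] = None) -> ssl.SSLContext:
    """Mirror the console's three uploads: server certificate (CA to trust), client
    certificate and client key (only needed when the server requires client auth).
    Assumption: PEM files on disk, key without passphrase."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_cert)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def frame_octet_counting(message: str) -> bytes:
    """RFC 5425 framing for syslog over TLS: MSG-LEN SP SYSLOG-MSG."""
    payload = message.encode("utf-8")
    return f"{len(payload)} ".encode("ascii") + payload


def send_over_tls(hostname: str, port: int, ctx: ssl.SSLContext, message: str) -> None:
    with socket.create_connection((hostname, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(frame_octet_counting(message))


# Constructed sample lines in the shape a console could emit; not real product output.
SAMPLE_LINES = [
    '<134>1 2020-07-25T10:15:00Z mgmt.example.com SentinelOne - - '
    '[example@32473 site="Demo Site" event="uninstall request"] Agent uninstall request approved',
    '<132>1 2020-07-25T10:16:42Z mgmt.example.com SentinelOne - - - Device blocked: USB Mass Storage',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_rfc5424(line))
```

The facility and severity come from PRI (facility * 8 + severity), so a receiver that routes by severity can separate the informational line (severity 6) from the warning (severity 4) without touching the free-text part. Note that the console falls back to UDP when Use SSL secure connection is not selected; UDP syslog has no framing, no integrity and no server authentication, which is why the certificate uploads matter for log evidence.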


Configuring Syslog Notifications


After you integrate a Syslog Server, configure which SentinelOne activities trigger Syslog
messages.

In the view for one Account or Site, you can configure a server specifically for that scope. If a
scope does not have a specific configuration, it uses the Global Integration settings.

To configure Syslog notifications:


1. On the sidebar, click Scope and select a scope.
Note: If you are a Site or Account Admin, you must select one Site to open Settings.
2. On the sidebar, click Settings.
3. In the Settings toolbar, click Notifications.

4. Click a Notification Type, for example, Administrative or Malware.

5. In the Syslog column, select which activities will trigger messages.


6. Click Save.


Device Control

Device Control lets you control which external devices are allowed to be used with endpoints in
your organization. Use Device Control to:
• Block external devices that are not required from connecting to your endpoints, to limit
data leaks.
• Strictly control allowed devices to prevent malicious content that can enter your
network through external devices and Bluetooth connections.

Device Control policy can be Global, for a Site, or for a Group. Groups and Sites can inherit
policies or have their own.

Define the policy in the Management Console in Sentinels > Device Control.

From Management Console you can also manage Bluetooth devices. This is supported with
Windows and macOS Agents version 3.2 and higher.

Rules for Bluetooth are supported on Windows 10 and Windows Server 2012, 2016, and 2019.

The Device Control Policy includes Settings and Rules:


• Settings: Turn Device Control on or off, define the inheritance settings, and select the
Activity log settings. Define some settings for Bluetooth devices.
• Rules: Create and organize rules to allow or block connection of specific devices, or
groups of devices, to endpoints, based on the device identifiers.


Device Control Settings

In the Device Control settings, define the policy inheritance, turn Device Control on or off, and
select which device events are reported to the Activity log. The same settings apply to Windows
and macOS endpoints.

By default, Device Control is disabled at the Global and Site level. When it is first enabled, all
Sites and Groups inherit the Device Control policy from the Global or Site policy.

By default, Agents have Device Control disabled, until they connect to a Site or Group with an
enabled Device Control policy.

To configure Device Control settings:


1. On the sidebar, select a Scope.
2. On the sidebar, click Sentinels.
3. On the Sentinels toolbar, click Device Control.

4. Click the Settings icon.

5. Click Enable Device Control at the bottom of the Device Settings dialog box, if it is not
enabled.
6. For a Site or Group: Use the toggle to turn Inherit rules and settings from Global - On or
Off.


Note: If inheritance is On, the other settings are disabled because they are inherited. If
you turn Off inheritance, the other settings become enabled.

7. Select which device events are reported to the Activity log:
• USB & Bluetooth: Report allowed connections in Activity log - Creates logs
when devices are connected and when disconnected (by default, this is not
selected).
• USB & Bluetooth: Report blocked connections in Activity log - Creates a log
when a device is blocked.
• USB: Report connected device with Read-Only permissions in Activity log -
Creates a log event when a device with read-only permissions is connected.
• Bluetooth: Disable RFCOMM (Windows only) - Use this setting to disable or
enable the RFComm profile. Bluetooth RFCOMM can be blocked or allowed only
for ALL Bluetooth devices. It cannot be blocked or allowed for specific devices.
• USB: Disable Read-Only permission enforcement on Agents. Agents will
translate Read-Only rules as Read-Write - Use this setting to change the
behavior of all read-only rules to allow both read and write. This setting is useful
if read-only permission settings are causing issues with your system. The actual
definition of the read-only rules does not change.

Note: Device Control rules that block or allow Bluetooth devices do not impact the
RFComm functionality.


8. Optional: You can click Disable Device Control. This disables the feature for your current
scope and all Sites and Groups that inherit Device Control settings from this scope.
• For a Site or Group, you must turn Off inheritance before you can disable Device
Control.
• Existing rules remain in the policy but become inactive. When you enable Device
Control again, the rules will become active with their latest Enabled or Disabled
state.

Device Control Policy Inheritance:


• To make a Site inherit rules and settings from Global:
o Turn On Inherits rules and settings from Global (on by default).
o The Site uses the Global settings and the Global rules.
o You can add Site rules.
• To give a Site its own policy:
o Turn Off Inherits rules and settings from Global.
o The Site uses the settings that you configure.
o The Site uses only Site rules.
• To make a Group inherit rules and settings from a Site that inherits from the Global
settings (the Site has inheritance turned on):
o Turn On Inherits rules and settings from Global (on by default).
o The Group uses Global settings, and Global and Site rules.
o You can add Group rules.
• To make a Group inherit rules and settings from a Site that has its own policy (the Site
has inheritance turned off):
o Turn On Inherits rules and settings from Site (on by default).
o The Group uses the Site settings and the Site rules.
o You can add Group rules.
• To give a Group its own policy:
o Turn Off Inherits rules and settings from Site.
o The group uses the settings you configure.
o The Group uses only Group rules.


Device Control Rules and Rule Order


When an external device connects to an endpoint, the SentinelOne Agent checks if it is allowed
to run by the Device Control policy. The Agent looks at the rules based on their order in the
Device Control policy, from the top to the bottom. When the Agent finds a rule that matches
the device identifiers of a connected device, that rule is applied. The Agent does not continue
to the lower rules in the list.

• If the matched rule has the Block Action, the Agent prevents the device from being
used.
• If the matched rule has the Allow Action, the device can be used.

Device Control policy can be Global, for a Site, or for a Group. Groups and Sites can inherit
policies or have their own.

The Agent applies the rules in this order:


1. Group rules from first to last.
2. Site rules from first to last.
3. Global rules from first to last.

New rules are added to the top of the relevant section of the Device Control policy.

Define the policy in the Management Console in Sentinels > Device Control.
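The first-match evaluation described above (Group rules, then Site rules, then Global rules, top to bottom, stopping at the first matching rule), written out as an added example that is not SentinelOne's implementation. It models the inheritance toggles from the Device Control Settings section and the scenario used later in this module (a Site rule blocks the USB video class, a Marketing Group rule allows one camera). The Device and Rule fields, the "vendor:product" encoding for Product ID rules, the sample identifiers and the default of allowing a device that matches no rule are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    """Identifiers the Agent reports for a connected device (sample values are constructed)."""
    interface: str            # "USB" or "Bluetooth"
    device_class: str         # e.g. "Video", "Mass Storage"
    vendor_id: str
    product_id: str
    serial_id: Optional[str] = None   # usually only mass storage devices carry one


@dataclass(frozen=True)
class Rule:
    name: str
    interface: str
    rule_type: str            # "Class", "Vendor ID", "Product ID" or "Serial ID"
    value: str                # Product ID rules use "vendor:product" (assumed encoding)
    action: str               # "Allow" or "Block"
    enabled: bool = True      # a Disabled rule stays in the policy but never matches


def rule_matches(rule: Rule, device: Device) -> bool:
    """A rule matches only on its own interface and only when enabled."""
    if not rule.enabled or rule.interface != device.interface:
        return False
    if rule.rule_type == "Class":
        return device.device_class == rule.value
    if rule.rule_type == "Vendor ID":
        return device.vendor_id == rule.value
    if rule.rule_type == "Product ID":
        return f"{device.vendor_id}:{device.product_id}" == rule.value
    if rule.rule_type == "Serial ID":
        return device.serial_id is not None and device.serial_id == rule.value
    return False


@dataclass
class Policy:
    """Rules of the three scopes plus the inheritance toggles from Device Control Settings."""
    global_rules: List[Rule] = field(default_factory=list)
    site_rules: List[Rule] = field(default_factory=list)
    group_rules: List[Rule] = field(default_factory=list)
    site_inherits: bool = True    # Site: "Inherits rules and settings from Global"
    group_inherits: bool = True   # Group: inherits from its Site
    enabled: bool = True          # Device Control enabled for the effective scope


def add_rule(rules: List[Rule], rule: Rule) -> None:
    """New rules land at the top of their section, so they are consulted first."""
    rules.insert(0, rule)


def effective_rules(policy: Policy) -> List[Rule]:
    """Order of evaluation: Group rules, then Site rules, then Global rules.
    A scope with inheritance turned off uses only its own rules."""
    rules = list(policy.group_rules)
    if policy.group_inherits:
        rules += policy.site_rules
        if policy.site_inherits:
            rules += policy.global_rules
    return rules


def evaluate(policy: Policy, device: Device) -> Tuple[str, Optional[str]]:
    """First-match evaluation: returns (action, name of the matching rule).
    Assumption: a device that matches no enabled rule is allowed, and all rules
    are inactive while Device Control is disabled."""
    if not policy.enabled:
        return ("Allow", None)
    for rule in effective_rules(policy):
        if rule_matches(rule, device):
            return (rule.action, rule.name)
    return ("Allow", None)


# Constructed sample: the Site blocks all USB video devices; the Marketing
# Group allows one specific camera model. Vendor/product IDs are placeholders.
MARKETING_CAM = Device("USB", "Video", "1234", "5678")
OTHER_CAM = Device("USB", "Video", "1234", "9999")
USB_STICK = Device("USB", "Mass Storage", "abcd", "0001", serial_id="SN-CONSTRUCTED-01")


def sample_policy() -> Policy:
    policy = Policy()
    add_rule(policy.site_rules, Rule("Block USB video class", "USB", "Class", "Video", "Block"))
    add_rule(policy.group_rules, Rule("Allow Marketing camera", "USB", "Product ID", "1234:5678", "Allow"))
    return policy


if __name__ == "__main__":
    p = sample_policy()
    for dev in (MARKETING_CAM, OTHER_CAM, USB_STICK):
        print(dev.device_class, dev.product_id, "->", evaluate(p, dev))
```

Two consequences of the ordering are worth keeping in mind when you reorder rules: Reorder rules only changes the order within one section, so a Group Allow always wins over a Site Block regardless of the Site's order; and because new rules are inserted at the top of their section, adding a broad Block rule to a Group after a narrow Allow will shadow that Allow until you move it back down.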


Compatibility and Limitations

• Some Bluetooth settings apply to Windows Agents only.


• Bluetooth Device Control on macOS requires Agent version 3.2 or later.
• USB Allow Read Only on macOS is only for mass storage devices.

Filters

Click Select filters to filter the rules by rule attributes. Select the attributes to filter for or use
the free text search.


Creating and Editing Device Control Rules

Create and edit rules for a specific scope to allow or block devices, based on device identifiers.
When you create a rule, it applies to the current scope of the Sentinels view.

Note:
• On Windows, if a device is already connected to an endpoint, new rules and rule
changes do not affect it. Rules will apply the next time the device connects to the
endpoint.
• On macOS, changes apply to devices that are already connected to an endpoint.

Notes on Rules for Bluetooth

• Rules for the Bluetooth interface are based on Bluetooth device attributes

• On Windows, Bluetooth RFCOMM can be blocked or allowed only for ALL Bluetooth
devices. It cannot be blocked or allowed for specific devices. For example, if you block a
device but allow RFCOMM profile, connections from that device that use the RFCOMM
profile will be allowed.

• On Windows, explicit rules for Bluetooth LE (Low Energy) devices based on Hardware
attributes or Device version are not supported. You can Block all LE devices from
connecting to endpoints by setting a rule to block all devices with Interface, Bluetooth.

• For Windows Bluetooth rules to take effect, the device and endpoint must be paired
after the SentinelOne Agent that supports Bluetooth is installed or upgraded. If the
endpoint and device were already paired before the Agent supported Bluetooth, reboot
the endpoint to activate the rule, or re-pair the endpoint and device.


Creating Device Control Rules

To create a rule for USB Devices:


1. On the sidebar, select a Scope.
2. On the sidebar, click Sentinels.
3. On the Sentinels toolbar, click Device Control.
4. Click New rule.

5. In the window that opens, enter the details of the rule:


• Rule name - Enter a descriptive name for the rule. The rule name must be
unique from other rule names in the scope. Up to 50 characters.
• Interface - USB.
• Rule Type - Select the criteria for the rule.
• Scope - This is taken automatically from the current scope of the Sentinels view.
• Action - Select Allow or Block to define if Agents block or allow use of devices
that match the rule parameters.
6. Click Continue.


7. In the dialog window that opens, define the specifics of the device identifiers.
a. For example, if you selected USB Interface, and Class as the Rule Type, select the
class, such as Video or Mass Storage.

8. Click Save Rule.

To create a rule for Bluetooth Devices:


1. On the sidebar, click Scope and select a scope.
2. On the sidebar, click Sentinels.
3. On the Sentinels toolbar, click Device Control.
4. Click New rule.


5. In the window that opens, enter the details of the rule:


• Rule name - Enter a descriptive name for the rule. The rule name must be
unique from other rule names in the scope. Up to 50 characters.
• Interface - Select either Hardware Identifiers or Bluetooth Version.
• Rule Type - Select the criteria for the rule.
• Scope - This is taken automatically from the current scope of the Sentinels view.
• Action - Select Allow or Block to define if Agents block or allow use of devices
that match the rule parameters.
6. Click Continue.
7. Based on Interface selection:
a. For Hardware Identifiers, you need to identify:
i. Vendor ID
ii. Product ID
iii. Class
iv. Minor Classes

b. For Bluetooth Version, you need to select the version.

8. Click Save Rule.


Enable, Disable or Edit a Rule

If a rule is Disabled, it is never active but shows in the policy with the Disabled Status.

If a rule is Enabled, it is active if Device Control is enabled. If Device Control is disabled for the
rule's scope, the rule keeps the Status Enabled but is not active. It will become active
automatically if Device Control is enabled.

To enable or disable a rule:


1. On the sidebar, click Sentinels.
2. On the Sentinels toolbar, click Device Control.
3. Select a rule and click Actions.

4. Or click on a rule.
5. In the Rule Details window, click Actions.

6. Click Enable or Disable.


To edit a rule:
1. On the sidebar, click Sentinels.
2. On the Sentinels toolbar, click Device Control.
3. Click a rule.
4. In the Rule Details window, click Edit.

5. Make changes in the Rule Details.

6. Click Save changes.

Note: When you edit a rule, you cannot change the Rule Type or Interface.


Change the Order of Rules

You can change the order of rules in your Admin scope. Account and Site Admins can change
the order of rules for the Sites and Groups in their scope.

To change the order of the rules:


1. On the sidebar, click Scope and select a Scope.
2. On the sidebar, click Sentinels.
3. On the Sentinels toolbar, click Device Control.
4. Select a rule set: USB or Bluetooth rules.
5. Click Reorder rules.

6. In the window that opens, drag and drop rules, or in the Order column, click the number
of the rule and enter a new number.

7. Click Save.


Moving and Copying Device Control Rules


You can copy a Device Control rule to use it in multiple Sites or groups. For example:
• You have a rule for Site A: Copy it to Site B, or copy it to one Group of Site B.
• You have a rule in Group X, which is in Site A: Copy it to two other Groups in Site A.

You can move Device Control rules to change their scope. For example:
• You made a Group rule for one Group and want to change it to be a Site rule.
• You made a rule for Site A and want it to apply to Site B instead.

To move Device Control rules between Sites or groups:


1. On the sidebar, click Scope and select a scope.
2. On the sidebar, click Sentinels.
3. On the Sentinels toolbar, click Device Control.
4. Select a rule or multiple rules.
5. Click Actions and select Move.

6. Select the destination for the rule.


7. Click Move Rule.


To copy Device Control rules:


1. On the sidebar, click Scope and select a scope.
2. On the sidebar, click Sentinels.
3. On the Sentinels toolbar, click Device Control.
4. Select a rule or multiple rules.

5. Click Actions and select Copy.

6. In the Copy Rules window:


a. In the SITES column, select a Site.
b. In the GROUPS column, select All Groups, or one or more specific groups.

7. Click Done.


Reviewing Device Control Activity Logs

Review all Device Control logs in the Activity view. The results shown are based on your current
scope.
• Changes to rules and settings show under Operations > Device Control.
• Blocked, Connected, and Disconnected device events show under Administrative >
Device Control events.
o Connected and Disconnected device events show if Report approved device
events to activity log is selected in the Device Control settings.
o Blocked device events show if Report blocked device events to activity log is
selected in the Device Control settings.
o If necessary, you can create a new rule from a blocked device event to allow a
device.
• Move the cursor over a Blocked, Connected, or Disconnected device event to open the
Event Details, which contains:
o A summary of the event.
o The date and time of the event.
o The endpoint name and logged in user.
o All of the device identifier details: Class, Interface, Vendor ID, Product ID, Serial
ID (if relevant), Device Name.

To see changes to Device Control rules and settings:


1. On the sidebar, click Scope and select a scope.
2. On the sidebar, click Activity.
3. In Operations, click the down arrow to open the options.
4. Scroll down and select Device Control.


To see all reported Device Control events:


1. On the sidebar, click Scope and select a scope.
2. On the sidebar, click Activity.
3. In Administrative, click the down arrow to open the options.
4. Scroll down and select Device Control events.

5. Move the cursor over an event and click > Event details to see the details of the event
and the device identifiers.

If the device was blocked, an option shows to Allow Device. Optional: Click Allow Device to
create a new rule that allows device identifiers of this device.


Creating Device Control Rules from Events


From a blocked Device Control event in the Activity view, you can create a rule to allow a
specific device that was blocked for end-users. If a device connected successfully, no rule
options are available from the event.

When an end-user inserts a device that is blocked by Device Control, a message shows on the
endpoint. Users cannot create requests automatically from these messages. This is to prevent
an overload of requests for Security Admins.

For example, you have a Site rule that blocks the video class of USB devices. However, your
Marketing Department needs to use this type of device to record marketing videos. You can
open a blocked Device Control event from the Activity log and make a new rule to allow the
devices that they need.

The new rule can be very specific, to allow only a specific vendor or product, based on the
details recorded in the logged event.

By default, the scope of the new rule is the endpoint's group. After you create the rule, you can
move or copy it to change its scope.

Note: If a device is already connected to an endpoint, new rules and rule changes do not affect
it. To make a new or changed rule take effect on a device, remove the device and then
reconnect it.

To create a Device Control rule from the Activity log:


1. On the sidebar, click Scope and select a scope.
2. On the sidebar, click Activity.
3. In Administrative, click the down arrow to open the options.
4. Scroll down and select Device Control events.


5. Move the cursor over a blocked event and click > Event details.

6. In the Event details window, click Allow Device to open a new rule.

7. In the New Rule window, enter the Rule Name.


8. The rule is automatically based on the most specific identifiers available for the device.
a. If the device has a Serial ID (generally for mass storage devices), the rule is based
on the Serial ID.
b. For most other devices, the rule is based on the Product ID and Vendor ID.
c. If you want to change the Rule to include a wider range of devices, change the
Rule Type.
9. Click Continue.
10. Enter missing information, if necessary.

11. Click Save rule.


SentinelOne Firewall Control


Firewall Control lets you manage endpoint firewall settings from your SentinelOne
Management Console. Use Firewall Control to define which network traffic, applications, and
connections are allowed in and out of endpoints.

It is part of the Complete bundle. If you have the Core bundle, you will not see Firewall Control
in your Management Console.

Firewall Control policy can be Global, or for the selected Site or Group. Each scope can inherit
policies or have its own.

Define the policy in the Management Console in Sentinels > Firewall Control. The Firewall
Control policy includes Settings and Rules:
• Settings: Turn Firewall Control on or off and define the inheritance settings. The same
settings apply to Windows and macOS endpoints.
• Rules: Create and organize rules to allow or block network traffic. There are different
sets of rules for Windows and macOS endpoints.

Changes to the Firewall Control policy show in Activity > Operations > Firewall Control.

Notes for this release:


• Firewall Control events do not have logs in the Management Console.
• There are no default rules. All traffic is allowed if you do not block it explicitly.

Note: When you enable SentinelOne Firewall Control on Windows endpoints, rules from other
firewall solutions on the endpoint will become inactive.


Firewall Control Settings

In the Firewall Control settings, you can define the policy inheritance and turn Firewall Control
on or off.

By default, Firewall Control is disabled at the Global level. When it is first enabled, all Sites and
Groups inherit the Firewall Control policy from the Global policy.

By default, Agents have Firewall Control disabled, until they connect to a Site or Group with an
enabled Firewall Control policy.

Note: When you enable SentinelOne Firewall Control on Windows endpoints, rules from other
firewall solutions on the endpoint will become inactive.

To configure Firewall Control settings:

1. On the sidebar, click Scope and select a scope.
2. On the sidebar, click Sentinels.
3. On the Sentinels toolbar, click Firewall Control.

4. Click the Settings icon.

5. Click Enable Firewall Control, if it is not enabled.

6. For a Site or Group: Use the toggle to turn the inheritance On or Off.

7. Optional: You can click Disable Firewall Control. This disables the feature for your
current scope and all Sites and groups that inherit Firewall Control settings from this
scope.
• For a Site or Group, you must turn Off inheritance before you can disable Firewall
Control.
• Existing rules remain in the policy but become inactive. When you enable Firewall
Control again, the rules will become active with their latest Enabled or Disabled
state.

Firewall Control Policy Inheritance:

• To make a Site inherit rules and settings from Global:
o Turn On Inherits rules and settings from Global (on by default).
o The Site uses the Global settings and the Global rules.
o You can add Site rules.
• To give a Site its own policy:
o Turn Off Inherits rules and settings from Global.
o The Site uses the settings that you configure.
o The Site uses only Site rules.
• To make a Group inherit rules and settings from a Site that inherits from the Global
settings:
o Turn On Inherits rules and settings from Global (on by default).
o The Group uses Global settings, and Global and Site rules.
o You can add Group rules.
• To make a Group inherit rules and settings from a Site that has its own policy:
o Turn On Inherits rules and settings from Site (on by default).
o The Group uses the Site settings and the Site rules.
o You can add Group rules.
• To give a Group its own policy:
o Turn Off Inherits rules and settings from Site.
o The Group uses the settings you configure.
o The Group uses only Group rules.

Creating and Editing Firewall Rules

Create rules for a specific scope and OS to allow or block network traffic.

• When you create a rule, it applies to the current scope of the Sentinels view.
• For network traffic to match a rule, all parameters of the rule must match the traffic.

Rule attributes:

• Rule Name - A descriptive name for the rule. It must be different from the names of
other rules in the scope.
• Protocol - The IP protocol the rule applies to. All standard protocols are supported.
Select one protocol from the list.
o Any - Protocol is not defined.
• Application - An application the rule applies to, in a specific location on the
endpoint. The rule only applies to the application if it is in the defined location.
Enter the full path, including the application file name.
o Any - Application is not defined.
• Direction - The direction of the traffic the rule applies to.
o Inbound - The rule applies to traffic that is received on an endpoint.
o Outbound - The rule applies to traffic that leaves an endpoint.
o Any - The rule applies to inbound and outbound traffic.
o Optional: Define the Local host and the Remote host.
• Local host - The local IP address or range of addresses of the endpoints that the
rule applies to. For Inbound traffic, the local host is the destination. For Outbound
traffic, the local host is the source. IPv4 or IPv6.
o Any - Local host is not defined.
o Address - Enter an IP address.
o CIDR - Enter an IP range in CIDR notation.
o Range - Enter the start and end of an IP address range.
• Local port - The local port or range of ports that the rule applies to.
o Any - Local port is not defined.
o Single string - Enter a port number.
o Range - Enter the start and end of a port number range.
• Remote host - The remote host: the source for Inbound traffic or the destination for
Outbound traffic. IPv4 or IPv6.
o Any - Remote host is not defined.
o Address - Enter an IP address.
o CIDR - Enter an IP range in CIDR notation.
o Range - Enter the start and end of an IP address range.
• Remote port - The remote port or range of ports that the rule applies to.
o Any - Remote port is not defined.
o Single string - Enter a port number.
o Range - Enter the start and end of a port number range.
• Action - Defines whether Agents Block or Allow IP packets that match the rule
parameters.
• Status - The state of the rule:
o Enabled - Active if Firewall Control is enabled.
o Disabled - Not active.

• The default for each parameter is Any, which means that no restrictions are defined.
• You can create one cleanup rule, with the Action of Allow or Block and with no other
parameters defined explicitly. Make this the default rule at the end of your rule list.
Traffic that does not match other rules first will match this rule. If you do not have a
cleanup rule to match all traffic, the default Firewall Control behavior is to allow traffic
that is not explicitly blocked.
• For all other rules, you can leave all parameters as Any, except one parameter that you
choose to define explicitly.

To create a rule:

1. On the sidebar, select a Scope.
2. On the sidebar, click Sentinels.
3. On the Sentinels toolbar, click Firewall Control.
4. Click New rule.
5. In the window that opens, enter the details of the rule:
• Rule name - Enter a descriptive name for the rule. The rule name must be
different from other rule names in the scope.
• OS Type - Select the OS for the rule: Windows, macOS or Linux.
• Tag - Optional: Enter tags that you can search for in the rule base.
• Action - Select Allow or Block to define if Agents block or allow network traffic
that matches the rule parameters.
6. Click Continue.
7. In the window that opens, define the parameters of the rule.
• Click + to expand each parameter.
• Click Close to minimize a parameter.
• Press Tab to move to the next parameter.
Parameters that are not explicitly defined are set to the default value, which is Any.
8. By default, a rule is NOT active until you enable it. To create the rule in the Enabled
state, click Enable rule immediately after saving, then click Save rule.

Edit a Firewall Rule

1. On the sidebar, click Sentinels.

2. On the Sentinels toolbar, click Firewall Control.

3. Click a rule.

4. In the Rule Details window, click Edit.

5. Make changes in the Rule Details, or click Continue to open the next page of the Rule
Details and change the rule parameters.

6. Click Save changes.

To Enable or Disable a Firewall Rule

• If a rule is Disabled, it is never active but shows in the policy with the Disabled Status.
• If a rule is Enabled, it is active if Firewall Control is enabled. If Firewall Control is disabled
for the rule's scope, the rule keeps the Status Enabled but is not active. It will become
active automatically if Firewall Control is enabled.

1. On the sidebar, click Sentinels.
2. On the Sentinels toolbar, click Firewall Control.
3. Select a rule and click Actions.
Or:
4. Click a rule.
5. In the Rule Details window, click Options.

6. Click Enable or Disable.

Firewall Control Rules and Rule Order

Firewall Control rules let you allow or block network traffic, based on the traffic identifiers
reported by the operating system. There are different rules for Windows endpoints and for
macOS endpoints. When the Management sends policy information to Agents, it includes these
rules.

When network traffic enters or leaves an endpoint, the SentinelOne Agent allows or blocks it
based on the Firewall Control policy. The Agent looks at the rules based on their order in the
Firewall Control policy, from the top to the bottom. When the Agent finds a rule that matches
the parameters of the traffic, that rule is applied. The Agent does not continue to the lower
rules in the list. If the matched rule has the Block Action, the Agent blocks the traffic. If the
matched rule has the Allow Action, the traffic can pass.

The rules that apply to your current scope show in Sentinels > Firewall Control.

Click Select filters to filter the rules by rule attributes. Select the attributes to filter for or use
the free text search.

The Agent applies the rules in this order:

1. Group rules from first to last.
2. Site rules from first to last.
3. Account rules from first to last.
4. Global rules from first to last.

New rules are added to the top of the relevant section of the Firewall Control policy.
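The first-match evaluation described above, as an added example that is not SentinelOne code: a Python simulation of a policy with Group, Site and Global rules, showing why rule order matters, how a disabled rule is skipped, and what happens with and without a cleanup rule. The rule names, addresses, ports and application paths are constructed for the example.

```python
# Added example, not SentinelOne code: a simulation of the rule evaluation
# described above (first match wins, rules checked Group -> Site -> Account
# -> Global, and traffic that matches no rule is allowed).
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = None  # "Any" in the console: the parameter is not defined

@dataclass
class Packet:
    protocol: str      # "TCP", "UDP", "ICMP", ...
    application: str   # full path of the process on the endpoint
    direction: str     # "Inbound" or "Outbound"
    local_host: str
    local_port: int
    remote_host: str
    remote_port: int

@dataclass
class Rule:
    name: str
    action: str                      # "Allow" or "Block"
    protocol: Optional[str] = ANY
    application: Optional[str] = ANY
    direction: Optional[str] = ANY   # "Inbound", "Outbound" or Any
    local_host: Optional[str] = ANY  # Address "10.0.0.5", CIDR "10.0.0.0/8" or Range "10.0.0.1-10.0.0.9"
    local_port: Optional[str] = ANY  # Single "443" or Range "1024-65535"
    remote_host: Optional[str] = ANY
    remote_port: Optional[str] = ANY
    enabled: bool = True             # Disabled rules stay in the policy but are never active

def host_matches(spec: str, ip: str) -> bool:
    """Address, CIDR or Range form of a host parameter, IPv4 or IPv6."""
    addr = ipaddress.ip_address(ip)
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return lo.version == addr.version and lo <= addr <= hi
    return addr == ipaddress.ip_address(spec)

def port_matches(spec: str, port: int) -> bool:
    """Single port number or "start-end" range."""
    if "-" in spec:
        lo, hi = (int(s) for s in spec.split("-", 1))
        return lo <= port <= hi
    return port == int(spec)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every parameter of the rule must match the traffic; Any matches anything."""
    return all([
        rule.protocol is ANY or rule.protocol.upper() == pkt.protocol.upper(),
        rule.application is ANY or rule.application.lower() == pkt.application.lower(),
        rule.direction is ANY or rule.direction == pkt.direction,
        rule.local_host is ANY or host_matches(rule.local_host, pkt.local_host),
        rule.local_port is ANY or port_matches(rule.local_port, pkt.local_port),
        rule.remote_host is ANY or host_matches(rule.remote_host, pkt.remote_host),
        rule.remote_port is ANY or port_matches(rule.remote_port, pkt.remote_port),
    ])

SCOPE_ORDER = ("Group", "Site", "Account", "Global")

def evaluate(policy: dict, pkt: Packet) -> tuple:
    """policy maps each scope to its ordered rule list (top of the list first).
    Returns (action, "scope:rule") for the first enabled rule that matches, or
    ("Allow", "default"): there are no default rules, so unmatched traffic passes."""
    for scope in SCOPE_ORDER:
        for rule in policy.get(scope, []):
            if rule.enabled and rule_matches(rule, pkt):
                return rule.action, f"{scope}:{rule.name}"
    return "Allow", "default"

# Constructed sample policy: the Group rule is evaluated before the Site rule
# that blocks the same traffic, so RDP from the corporate range is allowed while
# RDP from anywhere else is blocked. The Global cleanup rule (all parameters
# Any) blocks whatever reaches the bottom of the list.
POLICY = {
    "Group": [Rule("Allow corp RDP", "Allow", protocol="TCP", direction="Inbound",
                   local_port="3389", remote_host="10.0.0.0/8"),
              Rule("Block ping", "Block", protocol="ICMP", enabled=False)],
    "Site": [Rule("Block RDP", "Block", protocol="TCP", direction="Inbound", local_port="3389"),
             Rule("Allow Firefox HTTPS", "Allow", protocol="TCP", direction="Outbound",
                  application=r"C:\Program Files\Mozilla Firefox\firefox.exe", remote_port="443")],
    "Global": [Rule("Cleanup", "Block")],
}
SVCHOST = r"C:\Windows\System32\svchost.exe"
CORP_RDP = Packet("tcp", SVCHOST, "Inbound", "10.1.2.3", 3389, "10.20.30.40", 51000)
EXTERNAL_RDP = Packet("tcp", SVCHOST, "Inbound", "10.1.2.3", 3389, "203.0.113.7", 51000)
FIREFOX_HTTPS = Packet("TCP", r"c:\program files\mozilla firefox\firefox.exe", "Outbound",
                       "10.1.2.3", 52000, "2001:db8::10", 443)
CURL_HTTPS = Packet("TCP", r"C:\Tools\curl.exe", "Outbound", "10.1.2.3", 52001, "2001:db8::10", 443)
PING = Packet("ICMP", SVCHOST, "Outbound", "10.1.2.3", 0, "10.1.2.254", 0)

if __name__ == "__main__":
    for pkt in (CORP_RDP, EXTERNAL_RDP, FIREFOX_HTTPS, CURL_HTTPS, PING):
        print(pkt.direction, pkt.protocol, pkt.remote_host, "->", evaluate(POLICY, pkt))
    no_cleanup = {k: v for k, v in POLICY.items() if k != "Global"}  # default Allow applies
    print("no cleanup:", evaluate(no_cleanup, PING))
```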

To change the order of the rules:

You can change the order of rules in your Admin scope. Account and Site Admins can change
the order of rules for the Sites and Groups in their scope.
1. On the sidebar, click Scope and select a scope.
2. On the sidebar, click Sentinels.
3. On the Sentinels toolbar, click Firewall Control.

4. Click Reorder rules.
a. In the window that opens, drag and drop rules, or in the Order column, click the
number of the rule and enter a new number.
5. Click Save.

Moving and Copying Firewall Rules

You can copy a Firewall Control rule to use it in multiple Sites or groups. For example:
• You have a rule for Site A: Copy it to use it in all of Site B or copy to one Group of Site B.
• You have a rule in Group X, which is in Site A: Copy it to two other Groups in Site A.

You can move Firewall Control rules to change their scope. For example:
• You made a Group rule for one Group and want to change it to be a Site rule.
• You made a rule for Site A and want it to apply to Site B instead.

To move Firewall Control rules between Sites or Groups:

1. On the sidebar, click Scope and select a scope.
2. On the sidebar, click Sentinels.
3. On the Sentinels toolbar, click Firewall Control.

4. Select a rule or multiple rules.

5. Click Actions and select Move.

6. Select the destination for the rule.

7. Click Move Rule.

To copy Firewall Control rules between Sites or Groups:

1. On the sidebar, click Scope and select a scope.

2. On the sidebar, click Sentinels.
3. On the Sentinels toolbar, click Firewall Control.
4. Select a rule or multiple rules.

5. Click Actions and select Copy.

6. In the Copy Rules window:

a. In the SITES column, select a site.
b. In the GROUPS column, select All Groups, or one or more specific groups.

7. Click Done.

Importing and Exporting Firewall Rules

You can export Firewall Control rules from one Site and import them to another Site or a Group.
You can also export rules from one SentinelOne deployment and import them into a different
SentinelOne deployment.

When you import rules, all rules are imported to the current scope. For example, if you are in a
Site that inherits the Global Firewall Control policy, and you export the Firewall Control rules
and import them to a different Site, all Global and Site rules become Site rules in the Site to
which you imported.

To export Firewall Control rules from the Management Console:

You can export rules to a .json file. All rules for your current scope are exported. This includes
Global rules that might apply to the scope, even if you do not have permissions to edit them.

1. On the sidebar, select a Scope.

2. On the sidebar, click Sentinels.
3. On the Sentinels toolbar, click Firewall Control.

4. Click the Export rules icon.

5. The exported rules download in a .json file to the default Downloads folder of the
computer from which you clicked Export rules.

To import Firewall Control rules:

1. On the sidebar, click Scope and select a scope.
2. On the sidebar, click Sentinels.
3. On the Sentinels toolbar, click Firewall Control.
4. Click the Import rules icon.

5. In the Import Rules window, click Choose file to upload.

6. Browse to the file location and click Open.

7. In the Import Rules window, click Approve.

Firewall Control and OS Security

In Windows Security Center, SentinelOne Firewall Control is registered in two Network Firewall
categories:
• NET_FW_RULE_CATEGORY_FIREWALL
• NET_FW_RULE_CATEGORY_BOOT

The SentinelOne EPP registers as Virus protection.

SentinelOne Firewall Control does not register in these categories:
• NET_FW_RULE_CATEGORY_STEALTH
• NET_FW_RULE_CATEGORY_CONSEC

Windows Firewall can be registered in the other two categories.

Note: When you enable SentinelOne Firewall Control on Windows endpoints, rules from other
firewall solutions on the endpoint will become inactive.

SentinelOne Firewall Control on Mac

In macOS, SentinelOne is not registered as a firewall product. Firewall Control works in parallel
with the macOS firewall, which can block unwanted applications. If there is a conflict between
the macOS firewall and the SentinelOne firewall, the SentinelOne firewall rules have priority.

Reviewing Firewall Control Activity Logs

See Firewall Control events in Activity, and read the local log file, written in clear text, of
an endpoint that has Firewall Control enabled. Enable the local logs for specific endpoints, one
Agent at a time.

Note: Each Agent with Firewall Control Event Logging enabled keeps five log files, for a total of
100 MB maximum. The logs cycle older lines to maintain the size threshold.

Important: Before you begin, make sure the Group and Site of the Agent have Firewall Control
enabled.

To see Firewall Control in Activity:

1. On the sidebar, click Scope and select a scope.
2. On the sidebar, click Activity.
3. On the Operations menu, click Firewall control.

The Activity Log shows events such as: <management user name> updated Firewall Control
settings in <Group or Site>. Modified the <settings parameter> from <value> to <value>.

To read Firewall Control logs:

1. On the Windows endpoint, run: cd C:\ProgramData\Sentinel\logs
2. Find the log files with visible in the file name.
3. For example: SentinelOne_visible_0.log

You can open the Firewall Control logs in the text editor of your choice.

You can also send Firewall Control events to your syslog server. Select activities in Settings >
Notifications > Firewall Control.

Location Aware Firewall

Admins can configure customized sets of Agent Locations based on one or more endpoint
network parameters. Agents detect which location they are in and act accordingly.

Agents can be in multiple locations at the same time.

Agent location can affect which Firewall Control rules an Agent uses, as each Firewall rule can
be configured for a specific location.

If an Agent that supports Locations does not detect that it is in a defined location, it uses the
Firewall rules assigned to the Fallback location.

Locations can be defined for a Site, Account, or Globally.

Define a location with one or more of these network identifiers:

• IP Address - Do the endpoint's IP addresses match the defined IP addresses?
• DNS Server - Do the endpoint's DNS servers match the defined DNS servers?
• DNS Resolution - Can the endpoint resolve the defined DNS hostnames?
• Network Interface - Is the endpoint's current internet connection wired or wireless?
• SentinelOne Connection - Is the endpoint currently connected to a SentinelOne server?
• Registry Key - Does the defined registry key exist on the endpoint?

Define how each location is determined:

• All parameters are true
• At least one parameter is true
• No defined parameters are true

Configuring Locations
See the locations for a scope and configure new locations in Settings > Locations.

For each location define one or more parameters, and the relationship between them: If all,
one, or no parameters must be true for an endpoint to be in the location.

To define a new location:

1. On the sidebar, click Scope and select a scope.
2. On the sidebar, click Settings.
3. On the Settings toolbar, click Locations.
4. Click New Location.
5. In the General page of the new location, define:
a. Location Name - Name of the location that shows wherever the location is used
in the Management Console.
b. Description - A more complete description that shows in the Locations page.
Add here information about the location that is important for Admins to know.
c. An endpoint is in this location if: Select what is necessary for an endpoint to be
considered in this location.
d. At least one parameter is true - The endpoint must match one or more of the
network identifiers that you defined for this location.
For example: If you defined an IP Address range and a DNS server, the endpoint
is in this location if the DNS Server matches the endpoint but the IP address does
not.
e. All parameters are true - The endpoint must match all of the network identifiers
that you defined for this location.
For example: If you defined an IP Address range and a DNS server, the endpoint
is in this location if its IP address is in the defined range AND the DNS server
matches.
f. No parameters are true - The endpoint must NOT match any network identifiers
that you defined for this location.
For example: If you defined an IP Address range and a DNS server, the endpoint
is in this location if its IP address is not in the range AND it does not have a
matching DNS server.

6. Select a parameter from the list and define it.
7. Define more parameters, if necessary.
8. If you edit a parameter:
a. Select the parameter. At the top of the Edit Location dialog, next to An endpoint is in
this location if: At least one parameter is true, click Change.
9. Click Save.
The defined location shows in the Locations list.

Defining Specific Location Parameters

You can define multiple parameters for each location.

IP Address
• Do the endpoint's IP addresses match the defined IP addresses?
• The endpoint compares all of its active IP addresses to the IP addresses, Ranges, and
CIDRs defined for the location.
• For example, if the location's setting is All of the endpoint's IP addresses match the
defined IPs, every active IP address on the endpoint must map to at least one of the IP
addresses in the location's definition.
• Addresses can be IPv4 or IPv6. You can add up to five address fields.

1. Click Add more.

2. In Type, select Address, CIDR, or Range.

3. Enter the information in the field or fields shown.

4. To add another IP Address, CIDR, or Range, click Add more.
5. Select if one, all, or none of the endpoint's IP addresses need to match the defined IP or
IPs.

DNS Server
• Do the endpoint's DNS servers match the defined DNS servers?
• The endpoint compares all of its configured DNS servers to those defined for the
location.
• Addresses can be IPv4 or IPv6. You can add up to five address fields.

1. Click Add more.

2. In Type, select Address, CIDR, or Range.

3. Enter the information in the field or fields shown.

4. To add another IP Address, CIDR, or Range, click Add more.
5. Select if one, all, or none of the endpoint's DNS Servers need to match the defined DNS
Server or Servers.

DNS Resolution
• Can the endpoint resolve the defined DNS host names?
• The endpoint checks if it can resolve the provided Host name, by doing a DNS query
using OS services.
• The Host name must be in FQDN format. The Resolved IP can be IPv4 or IPv6. You can
add up to five Host name and IP pairs.

1. Click Add more.

2. Enter a Host name and a Resolved IP that the host name should resolve to.

3. To add another Host name and a Resolved IP, click Add more.
4. Select if endpoints must be able to resolve one, all, or none of the defined DNS
hostnames.

Network Interface
• Is the endpoint's current internet connection wired or wireless?
Note: If one of the connected interfaces is wireless, the endpoint is considered
connected with wireless.
• A connection is considered Wireless if:
o Windows Agents - At least one NDIS interface type is one of:
IF_TYPE_PROP_WIRELESS_P2P, IF_TYPE_PROP_DOCS_WIRELESS_MACLAYER,
IF_TYPE_PROP_DOCS_WIRELESS_DOWNSTREAM, IF_TYPE_PROP_DOCS_WIRELESS_UPSTREAM,
IF_TYPE_IEEE80211, IF_TYPE_WWANPP, IF_TYPE_WWANPP2
o macOS Agents - At least one network interface type is one of:
kSCNetworkInterfaceTypeIEEE80211, kSCNetworkInterfaceTypeWWAN,
kSCNetworkInterfaceTypeBluetooth

1. Move the toggle to turn on the Network Interface setting.
2. Select Wireless or Wired.

SentinelOne Connection

Is the endpoint currently connected to a SentinelOne server?

1. Move the toggle to turn on the SentinelOne Management setting.

2. Select Connected or Disconnected.

Registry Key

Does the defined registry key exist on the endpoint in HKEY_LOCAL_MACHINE\SOFTWARE?

If you enter a key that is in a different location, the location will not be saved.

1. In Key name, enter a Registry Key that must exist or not exist in the endpoint's registry,
HKEY_LOCAL_MACHINE\SOFTWARE.

2. Optional: In Value name, enter a value that the key must have.

3. Optional: In Data, enter data that the key must contain.

Using Locations in Firewall Rules

From the Management console, you can create a Location aware Firewall policy. Define
customized sets of Agent Locations based on one or more endpoint network parameters, and
use the Locations in Firewall rules.

By default, SentinelOne Firewall Control rules apply in All locations. To create a location aware
Firewall policy, configure Agent Locations in Settings > Locations and create Firewall rules that
apply for different locations.

Important: Agents earlier than version 3.2 do not support Locations in Firewall Rules. When
Firewall Control is enabled, these Windows and macOS Agents only apply Firewall rules that are
set for All locations.

If an Agent that supports Locations does not detect that it is in a defined location, it uses the
Firewall rules assigned to the Fallback location.

Notes:
• Agents use the Firewall Control rules for all the Locations that they match, based on the
priority of the Firewall rules.
• After you configure locations in Firewall rules, make sure the order of the rules still
meets your needs.
• Make sure to define some rules for the Fallback location, or for All locations.

To add locations to a Firewall rule:

1. On the sidebar, click Scope and select a scope.
2. On the sidebar, click Sentinels.
3. Click Firewall Control.

4. Click New rule or double-click an existing rule to edit it.

5. In the Rule parameters, click + next to Locations to expand it.

6. Uncheck the All option to select one or more specific Locations for the rule.

7. Start to type a Location name to see the defined locations that match. Select a Location.

8. Optional: Select more Locations.

9. After you add the desired Location or Locations, click Done.

10. Click Save rule.

Viewing an Endpoint's Location

See the detected location of each endpoint in the Sentinels view. You can filter endpoints by
location.

A Locations column is available. Scroll right to see it, or open the Columns list to select the
columns to show in your Sentinels view.

Tip: You can drag and drop the columns in the Sentinels view to change the order and customize
your view.

Each endpoint's location shows in the Endpoint Details.

Agent Calculation of its Location

• Each Agent gets the list of locations defined for its Site and Account and the Global
locations.

• Agents can be in multiple locations at the same time.

• Agents use the Firewall Control rules for all the Locations that they match, based on the
priority of the Firewall rules.

• If an Agent that supports Locations does not detect that it is in a defined location, it uses
the Firewall rules assigned to the Fallback location.

An Agent recalculates its location when:

• A location is added or deleted from the Locations list in the Management.
• An Agent connects to or disconnects from the SentinelOne Management.
• The endpoint restarts.
• The Agent reloads.
• The endpoint's list of active network interfaces changes.
• One of the endpoint's IP addresses is updated.
• A Registry Key that is included in a location's definition changes (Windows only).
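The location detection described in Defining Specific Location Parameters, Using Locations in Firewall Rules and the points above, as an added example that is not SentinelOne code: a Python model that evaluates constructed Locations (with their All / At least one / No parameters relation and the per-parameter one/all/none matching) against constructed endpoint snapshots, then selects the Firewall rules that apply in All locations, in the matched Locations, or in the Fallback location. The data structures, Location names and addresses are hypothetical; the Registry Key parameter is not modelled.

```python
# Added example, not SentinelOne code: a model of how an Agent decides which
# Locations it is in and which Firewall rules then apply, following the
# parameter semantics described above. The data structures are hypothetical;
# an address is written as a /32 or /128 network, and Range entries are omitted.
import ipaddress
from dataclasses import dataclass

@dataclass
class Endpoint:
    """Constructed snapshot of an endpoint's network state."""
    ips: list           # all active IP addresses
    dns_servers: list   # configured DNS servers
    resolved: dict      # host name -> IP the OS resolver returned
    wireless: bool      # True if any connected interface is wireless
    s1_connected: bool  # connected to the SentinelOne Management

def in_any(networks, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)

def quantify(mode, results):
    """'one', 'all' or 'none' of the items must be true; an empty list never satisfies 'all'."""
    if mode == "all":
        return bool(results) and all(results)
    if mode == "one":
        return any(results)
    if mode == "none":
        return not any(results)
    raise ValueError(mode)

def param_is_true(kind, spec, ep):
    if kind == "IP Address":  # every active IP is compared with the defined networks
        return quantify(spec["mode"], [in_any(spec["networks"], ip) for ip in ep.ips])
    if kind == "DNS Server":
        return quantify(spec["mode"], [in_any(spec["networks"], d) for d in ep.dns_servers])
    if kind == "DNS Resolution":  # each FQDN must resolve to the expected IP
        return quantify(spec["mode"], [ep.resolved.get(h) == ip for h, ip in spec["hosts"].items()])
    if kind == "Network Interface":
        return ep.wireless == (spec["type"] == "Wireless")
    if kind == "SentinelOne Connection":
        return ep.s1_connected == (spec["state"] == "Connected")
    raise ValueError(kind)

@dataclass
class Location:
    name: str
    relation: str  # "all", "one" or "none" of the parameters must be true
    params: list   # (kind, spec) pairs

def endpoint_in(loc, ep):
    return quantify(loc.relation, [param_is_true(k, s, ep) for k, s in loc.params])

def detect_locations(locations, ep):
    """Names of all matched Locations; an empty set means the Fallback location."""
    return {loc.name for loc in locations if endpoint_in(loc, ep)}

def applicable_rules(rules, matched):
    """rules: (name, scope) with scope "All", "Fallback" or a set of Location names."""
    return [name for name, scope in rules
            if scope == "All"
            or (scope == "Fallback" and not matched)
            or (isinstance(scope, set) and scope & matched)]

# Constructed Locations. HQ uses "all" IP matching, so its link-local range is
# listed too; otherwise an endpoint with an fe80:: address would never match.
LOCATIONS = [
    Location("HQ", "all", [
        ("IP Address", {"mode": "all", "networks": ["10.10.0.0/16", "fe80::/10"]}),
        ("DNS Server", {"mode": "one", "networks": ["10.10.0.53/32"]})]),
    Location("On VPN", "all", [
        ("DNS Resolution", {"mode": "all", "hosts": {"intranet.corp.example": "10.200.0.10"}})]),
    Location("Off network", "none", [
        ("IP Address", {"mode": "one", "networks": ["10.0.0.0/8"]}),
        ("DNS Server", {"mode": "one", "networks": ["10.10.0.53/32"]})]),
    Location("Wireless", "all", [("Network Interface", {"type": "Wireless"})]),
]
RULES = [
    ("Block inbound SMB", "All"),
    ("Allow HQ printers", {"HQ"}),
    ("Allow intranet over VPN", {"On VPN"}),
    ("Block outbound file shares", {"Off network", "Wireless"}),
    ("Block all inbound", "Fallback"),
]
AT_HQ = Endpoint(["10.10.4.7", "fe80::1"], ["10.10.0.53"], {}, False, True)
AT_CAFE = Endpoint(["192.168.1.20"], ["192.168.1.1"], {}, True, True)
ON_VPN = Endpoint(["192.168.1.20", "10.200.0.55"], ["10.10.0.53"],
                  {"intranet.corp.example": "10.200.0.10"}, False, True)
UNKNOWN = Endpoint(["172.16.5.5"], ["10.10.0.53"], {}, False, False)

if __name__ == "__main__":
    for label, ep in [("HQ", AT_HQ), ("cafe", AT_CAFE), ("VPN", ON_VPN), ("unknown", UNKNOWN)]:
        matched = detect_locations(LOCATIONS, ep)
        print(label, sorted(matched) or "Fallback", applicable_rules(RULES, matched))
```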

Delete a location

• You cannot delete a location if it is used in a Firewall rule. If a location is used in one or
more Firewall rules, the deletion fails.
• You can delete a location if Agents are in the location. The Agents will move to a different
defined location or to the Fallback location.

1. In the Locations list, select a location.
2. Click Actions > Delete.

Obtaining Logs for Support

If SentinelOne Support asks for logs from Agents, use one of these procedures. The logs show
Agent operations. The logs are encrypted and only Support can read them.

You can get logs from the Management Console or manually from an Agent.

Two ways of obtaining logs from an Agent from the Management Console:
1. On the sidebar, click Sentinels.
2. Option One:
a. Select the Agent.
b. Click Actions > Fetch Logs.
3. Option Two:
a. Click the Agent.
b. Endpoint Details loads.
c. Click ACTIONS and then click Fetch Logs.

4. Select Agent logs or Endpoint logs (Windows Only).
Note: You can select both.
5. Click Fetch Logs.

To get logs for multiple Agents from the Management Console:

1. On the sidebar, click Sentinels.
2. Select the Agents.
3. Click ACTIONS and select Fetch Logs.

To download the fetched logs:

If you have an On-Prem Management Console, download the log file and send it to Support. If
you have a cloud-based Management Console, Support can get your fetched logs from the
Cloud.

1. In the sidebar, click Activity.
2. In the ACTIVITY view, click Administrative and select Log operations.
The results show entries with this syntax: Agent <name> successfully uploaded <file>.tar.gz
3. Select an entry and click Download.

Manual Log Collection

• Windows Agents: In C:\ProgramData\Sentinel\logs, zip the BINLOG files.
• macOS Agents: Use sentinelctl: run sudo sentinelctl log report and get the log files on
the desktop.
• Linux Agents: Run sudo /etc/init.d/sentineld fetch_logs and see the location of the log
files in the output.
• Management logs: Run sudo /sentinel/webservice/scripts/sentinel.sh logreport and see
the location of the log files in the output.

SentinelOne Remote Shell

Module Review

In this module, you were introduced to the administration functionality in SentinelOne and
reviewed the following SentinelOne administration features:

• Management Console Dashboard
• Working with Widgets
• Policy Settings
• Configuration
• Managing Sites
• Managing Groups
• Managing Agents
• Installing Agents on Windows
• Installing on macOS Endpoints
• Installing on Linux Endpoints
• Updating Agents
• Pending Actions
• Managing Endpoints
• Action Selections
• Endpoint Details Window
• Moving Endpoints
• Uninstalling Agents
• Decommission an Agent
• Changing an Agent Configuration
• Console Messages
• Integration and Notifications
• Device Control
• Firewall Control
• Configuring Locations
• Obtaining Logs for Support

Module 3 Review Questions

1. Which user account allows you to manage the complete deployment of all Accounts,
Sites, endpoints, and security objects?
a. Site Admin
b. Global Admin
c. Account Admin
d. Application Admin

2. Which is a correct statement regarding the scope hierarchy?

a. Application > Global > Site > Group
b. Global > Site > Account > Group
c. Global > Account > Site > Group
d. Account > Global > Site > Group

3. What are the two types of Groups?

a. ______________________

b. ______________________

4. What Operating System does SentinelOne not work with?

a. Android
b. Macintosh
c. Windows
d. Linux

5. When installing a Windows agent on an endpoint, what two things are needed?
a. Install package and the API key
b. Install package and the Site Token
c. Install package and the Windows install code
d. Install package only is needed

6. True or False. When moving agents between sites, the Administrator can only complete
the process manually. They must uninstall the agent from the endpoint and reinstall it
with the proper site token for the new site.

a. ________________

7. If a user is scheduled for time off, a device is scheduled for maintenance or the endpoint
has not contacted the console for the set amount of time, the agent can be removed
from the console until it returns or communicates again with the Management Console.
What is this functionality called?
a. Uninstall > Reinstall
b. Decommission > Recommission
c. Disable > Enable
d. Restrict > Allow

8. System Rollback is available on which operating system?

a. _______________________

9. By default, when you set a policy to Protect, which of the following tasks can the Agents
complete automatically? (Select all that are correct)
a. Kill & Quarantine
b. Remediate & Rollback
c. Disconnect from the Network
d. All of the above

10. Which is NOT an Exclusion type:

a. Hash
b. Path
c. MAC Address
d. File Type

SentinelOne Investigator

MODULE 4
SentinelOne Investigator

This module is intended to introduce incident response concepts for Investigators using
SentinelOne. In this module you will review the following SentinelOne features:

• Managing Blacklists
• Managing Exclusions
• Hash
• Path
• Signer Identity
• File Type
• Browser
• Analyzing Threats
• Threat Management
• Incident Details
• Mitigation Actions
• On-Demand File Fetch
• Full Disk Scan
• Application Risk Management
• Remote Shell

Managing the Blacklist

SentinelOne Agents immediately identify files on the blacklist and block them from executing,
based on the policy. Files on the blacklist are defined by their SHA1 hash. Agents identify files on
the blacklist before they look at exclusions.

Blacklist Hierarchy
• Sites, Accounts, and Global can each have their own blacklist items.
• Each scope also inherits blacklist items from the scopes above it.
o An Account inherits all Global blacklist items.
o A Site inherits all blacklist items of its Account, and all Global blacklist items.

To see blacklist items:

1. On the sidebar, select a Scope.
2. On the sidebar, click Sentinels.
3. On the Sentinels toolbar, click Blacklist.

4. You see the blacklist of the selected scope. For example, if you are a Site Admin, you see
the blacklist items of your Site.

5. To see blacklist items that are inherited from the Account and the Global blacklist, click
Include global list results.

Adding a Hash to the Blacklist Manually

To add a file to the blacklist before it enters your network:

1. On the sidebar, select a Scope.

2. On the sidebar, click Sentinels.
3. On the Sentinels toolbar, click Blacklist.

4. Click Add new.

5. In the window that opens:

a. In OS, select the OS that this file will be blocked on.


b. In SHA1, enter the SHA1 hash.
c. In Description, enter a phrase to make it easy for you and other console users to
identify this file.
6. Click Save.

Hashes Added Automatically

Files that are reported as Malicious threats are added to the Blacklist automatically.

File hashes can also be added manually during threat review.

Best Practice: Always analyze a threat before you add the file to the blacklist.

Note: Items that you add to the blacklist do not automatically become resolved. When you finish
investigating and handling a threat or detection, mark it as resolved.

Scope of blacklist items:
• Blacklist items apply to the scope you are in when you create them.
• For example, if you add a file to the blacklist from a Site, it goes in the Site blacklist.

Managing Exclusions

Agents sometimes mark benign items as potential threats. You can configure Exclusions to make
your Agents suppress alerts and mitigation for these items.

Exclusion Hierarchy
• Groups, Sites, Accounts, and Global can each have their own exclusions.
• Each scope also inherits exclusions from the scopes above it.
o An Account inherits the Global exclusions.
o A Site inherits the exclusions of its Account, and the Global exclusions.
o A Group inherits the exclusions of its Site, its Account, and the Global exclusions.
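
The two hierarchies (Managing the Blacklist above, and the Exclusion Hierarchy just listed) and the rule that Agents consult the blacklist before exclusions can be modelled in a few lines. The Python below is an added example, not SentinelOne code: the scope names, sample file contents and list entries are all constructed, and the lookup order is the one this module states (nearest scope plus everything inherited from above; blacklist first, then hash exclusions).

```python
import hashlib

# Scope tree as the manual describes it (Global > Account > Site > Group). Names are constructed.
PARENTS = {
    "global": None,
    "acct-finance": "global",
    "site-nyc": "acct-finance",
    "grp-traders": "site-nyc",
}


def sha1_of(data: bytes) -> str:
    """Blacklist and hash-exclusion items are keyed by SHA1, as in the console."""
    return hashlib.sha1(data).hexdigest()


# Constructed sample file contents standing in for real binaries.
DROPPER = b"constructed sample: known dropper"
FLAGGED = b"constructed sample: installer flagged by site analysts"
TOOL = b"constructed sample: internal trading tool"

# Blacklists exist at Global, Account and Site (constructed entries).
BLACKLISTS = {
    "global": {sha1_of(DROPPER): "known dropper"},
    "acct-finance": {},
    "site-nyc": {sha1_of(FLAGGED): "installer flagged by site analysts"},
}

# Hash exclusions also exist at Group level; here a group admin excluded two hashes.
HASH_EXCLUSIONS = {
    "grp-traders": {
        sha1_of(TOOL): "internal tool, confirmed false positive",
        sha1_of(FLAGGED): "excluded at group level",
    },
}


def lineage(scope: str):
    """Yield the scope itself and then every scope above it."""
    while scope is not None:
        yield scope
        scope = PARENTS[scope]


def effective(table: dict, scope: str) -> dict:
    """Items visible to a scope: its own plus those inherited from the scopes above it.

    Returns {sha1: (scope_that_defined_it, description)}; the nearest scope wins on a tie.
    """
    merged = {}
    for s in lineage(scope):
        for digest, description in table.get(s, {}).items():
            merged.setdefault(digest, (s, description))
    return merged


def verdict(scope: str, digest: str):
    """Decide how an Agent in `scope` treats a file: the blacklist is checked before exclusions."""
    blacklist = effective(BLACKLISTS, scope)
    if digest in blacklist:
        return "block", blacklist[digest][0]
    exclusions = effective(HASH_EXCLUSIONS, scope)
    if digest in exclusions:
        return "exclude", exclusions[digest][0]
    return "monitor", None


if __name__ == "__main__":
    for name, sample in (("dropper", DROPPER), ("flagged", FLAGGED), ("tool", TOOL)):
        print(name, verdict("grp-traders", sha1_of(sample)))
    # The Site blacklist is not visible one level up, at the Account:
    print("flagged @ account", verdict("acct-finance", sha1_of(FLAGGED)))
```

The FLAGGED sample is the case worth noticing: a group admin excluded its hash, but the Site blacklisted it, and because the blacklist is evaluated first the Agent still blocks it. Inheritance only flows downward, so the same hash is merely monitored when evaluated at the Account scope.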

To see exclusions:
1. On the sidebar, select a Scope.
2. On the sidebar, click Sentinels.
3. On the Sentinels toolbar, click Exclusions.
4. You see the exclusions of the selected scope. For example, if you are a Site Admin, and you
do not select a specific Group in the scope, you see the exclusions of your Site.
5. To see exclusions that are inherited from the Account and the Global exclusions, click
Include global list results.

Important: Be careful! If you create incorrect exclusions, you can open your environment to
malware.

Exclusions are created based on:
• Hash
• Path
• Signer Identity
• File Type
• Browser

Creating Exclusions

Hash Exclusions

To add a Hash exclusion manually:

1. Select the Scope.
2. Go to Sentinels > Exclusions.
3. In Exclusion Types, click Hash.
4. Click New exclusion.

Note: You only see the exclusions for the selected exclusion type. For example, if Path is
selected, only path exclusions show in the exclusion list. File Type exclusions are not
visible at the same time.

5. In the New Exclusion window:
a. Select the OS.
b. Enter the SHA1 hash.
c. In Description, enter a phrase to make it easy for you and other console users to identify
this exclusion.
6. Click Save or Save and add another.

Path Exclusion

Important: Be careful! If you create incorrect exclusions, you can open your environment to
malware.

To add a path exclusion:

1. In Exclusion Types, click Path.
2. Click New exclusion.
3. In the New Exclusion window:
a. Select the OS.
b. Enter the Path. (See Path Exclusion Details below.)
i. After you enter a path, you see As File or As Folder next to the path.
1. As File - Only the single file is excluded (default).
2. As Folder - The whole folder at the path is excluded.
3. Click Change to switch between them.
c. If you select As Folder, you can select Include Subfolders. This adds all the
subfolders to the exclusion.
d. For Exclusions Mode, click More options. (See Exclusion Mode below.)
e. Enter a Description.
f. Click Save or Save and add another.

Path Exclusion Details

Exclusion Rules for Windows:

• The path can start with the drive letter. If the drive is not included, the exclusion applies
to all drives. For example:
o C:\calc.exe excludes CALC on the root of the C drive.
o calc.exe excludes CALC on all directories and drives.
• If you select Include Subfolders, the path must end with a backslash (\).
• DO NOT USE a wildcard as the drive letter ( *: or ?: ).
o For example, do NOT use *:\Program Files or ?:\Program Files in an exclusion
path. Instead, use *\Program Files to exclude Program Files on all drives.
o You CAN use the wildcard * to refer to any character or characters, or the
metacharacter ? to refer to one character that is NOT a drive letter.
o Examples with wildcard * to refer to any character or characters:
▪ C:\c*c.exe excludes files that start with “c” and end with “c.exe” on all
directories and drives. This includes CALC.EXE, CAMC.EXE,
CHARLIE.DOC.EXE.
▪ Example to exclude the Archives folder in a nested directory:
C:\*\Archives\
▪ Example to exclude Go2Meeting for all users:
C:\Users\*\AppData\Local\GoToMeeting\*\g2mlauncher.exe
o Examples with metacharacter ? to refer to one character:
▪ You CAN use: C:\test?\ to exclude C:\test1\ and C:\testf\.
▪ Example to exclude a temp directory on all drives:
harddiskvolume?\temp\
▪ DO NOT USE ? as the drive letter. For example, do NOT use ?:\test1\ in an
exclusion path.

Exclusion rules for Linux and macOS:

• The path must be absolute: start with a forward slash ( / - ASCII char 47).
• The path must not contain a space at the beginning or end.
• If you select Include Subfolders, the path must end with a forward slash.
• Linux - Wildcards are not supported in Linux Agent versions 2.6 and earlier. They are
supported in 3.0 and later, in the same manner as with the Windows Agent.
• macOS - The * wildcard is supported in path exclusions.
o For example:
▪ /Users/*/Applications/<NAME>.app/ excludes all users and app
subfolders
▪ /Users/?*/Desktop/<NAME>.app/ excludes all users and app subfolders
and their subfolders
▪ /Users/<USER>/Desktop/<NAME>.app/* excludes all files in this path.

Exclusion Mode

Use default Path exclusions if you have false positive detections, and you want to suppress
alerts from a file path or folder. When you exclude files or folders with default path
exclusions, Agents monitor them but suppress alerts and do not mitigate.

• This exclusion type is supported for Windows, macOS, and Linux Agents.
• When you create an exclusion directly from a detection and select File path, this
is the type of exclusion created.
• Default path exclusions are called Suppress Alerts exclusions.

Caution: Make sure the detection that the exclusion is based on is a false positive.
Legitimate threats in the path will not be mitigated.

Suppress Alerts (default Path exclusion)

• Do not display alerts or mitigate detections on the excluded processes.
• Note: If the root of a threat group is suppressed, alerts for the child processes are
also suppressed.
• Usage example: Stop false positives from a specific file or process.
• Caution: Make sure the detection that the exclusion is based on is a false positive.
Legitimate threats in the path will not be mitigated.

Interoperability
• Reduce the monitoring level on the excluded processes.
• Note: This exclusion stops the Agent from injecting the Agent DLL to processes in the
path. This reduces Agent interaction with these processes. The Agent continues to
monitor and use kernel events.
• Usage example: To solve interoperability issues related to the Agent code injection
into other applications.
• Caution: This lowers protection as it reduces events that the Agent monitors.

Interoperability – Extended
• Reduce the monitoring level on the excluded processes and their child-processes
(Same as the Interoperability option but includes child-processes.)
• Usage example: To solve interoperability issues related to the Agent code injection
into other applications, when the Interoperability option did not resolve the issue.

Performance Focus
• Disable monitoring of the excluded processes.
• Note: It stops the Agent from injecting the Agent DLL to processes in the path and
stops monitoring most kernel events. Agents do not use OS events that are generated
by or for the excluded process.
• Usage example: To solve issues where a specific application generates many events
(like file operation, registry, process, logs and memory) and causes a high CPU
utilization on the endpoint, due to Agent event analysis.
• Caution: This lowers protection significantly as the Agent does not monitor the
excluded processes.

Performance Focus – Extended

• Disable monitoring of the excluded processes and their child-processes. (Same as the
Performance Focus but includes child processes.)
• Usage example: To solve issues where a specific application generates many events
due to Agent event analysis, when the Performance Focus option did not resolve the
issue.

For Interoperability and Performance Focus exclusions: For processes that cannot be restarted,
such as System processes or Anti-virus processes, you must reboot endpoints to apply or remove
an exclusion. For processes that can be restarted, such as a browser, you can restart the process
to apply or remove an exclusion.

Best Practice: It is recommended that you restart all affected endpoints to apply or remove an
Interoperability or Performance Focus exclusion.

Best Practices for Path Exclusions

When you make a path exclusion, it is highly recommended that you add the exclusion to the
smallest relevant scope of endpoints - a specific group. For example, do not add exclusions to the
default policy of the default group. Create a group of endpoints that use the application to
exclude.

These rules apply to path (file and folder) exclusions for all versions:
• You cannot put more than one exclusion path in one exclusion. AND, OR are not
supported in exclusions.
• If you can exclude a hash, it is safest. Be aware that it will exclude only the specific version
of a process and not all processes of this name.
• If you can exclude specific files rather than a path, that is safer. If an exploit inserts
malware to an excluded path, we cannot protect the endpoints.
• Environment variables are not supported. For example, change %appdata% to
C:\Users\Bob\AppData\Roaming\ or use the * wildcard to match all users:
C:\Users\*\AppData\Roaming\
• Regular expressions are not supported.
• For Interoperability and Performance Focus exclusions: For processes that cannot be
restarted, such as System processes or Anti-virus processes, you must reboot endpoints
to apply or remove an exclusion. For processes that can be restarted, such as a browser,
you can restart the process to apply or remove an exclusion.
• It is recommended that you restart all affected endpoints to apply or remove an
Interoperability or Performance Focus exclusion.
• If you make an exclusion for an AppStacked application or snapvolume, use the folder
SVROOT for the mount. For example, change C:\Program Files (x86)\Click\check.exe to
*\SVROOT\Program Files (x86)\Click\check.exe to exclude
C:\snapvolumes\{GUID}\SVROOT\Program Files (x86)\Click\check.exe
• Exclusions for Windows and macOS are NOT case sensitive. Exclusions for Linux are case
sensitive.

Exclusions to Avoid

Signer identity exclusion for all Microsoft applications
Signer identity exclusion for all Adobe applications
<Drive letter>:\
<Drive letter>:\*.*
<Drive letter>:\*\
<Drive letter>:\Windows\spool\
C:\*\Java\
C:\cygwin\
C:\cygwin64\
C:\Java\
C:\jboss-eap-6.4\
C:\Program Files (x86)\
C:\Program Files (x86)\Adobe\
C:\Program Files (x86)\Google\
C:\Program Files (x86)\Google\Chrome\
C:\Program Files (x86)\Internet Explorer\
C:\Program Files (x86)\Java\
C:\Program Files (x86)\Java\jre<version number>\
C:\Program Files (x86)\Java\jre1.8.0_151\bin\jp2launcher.exe
C:\Program Files (x86)\Java\jre6\bin\
C:\Program Files (x86)\Microsoft Office\
C:\Program Files (x86)\Microsoft Office\Office<version number>\
C:\Program Files (x86)\Microsoft Office\root\Office16\
C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.exe
C:\Program Files(x86)\Java\
C:\Program Files\
C:\Program Files\Adobe\
C:\Program Files\Adobe\Acrobat Reader DC\
C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Program Files\cygwin\
C:\Program Files\cygwin64\
C:\Program Files\Git\perl.exe
C:\Program Files\Git\usr\bin\perl.exe
C:\Program Files\Internet Explorer\
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\
C:\Program Files\Java\*\bin\javac.exe
C:\Program Files\Microsoft Office\Office16\
C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
C:\Program Files\Tripwire\TE\Agent\jre\bin\java.exe
C:\Tomcat7\
C:\tomcat7_2\bin\tomcat7.exe
C:\tomcat7.0\
C:\tomcat7\bin\tomcat7.exe
C:\Users\*\Cygwin\Bin\
C:\Windows\
C:\Windows\*\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\explorer.exe\
C:\Windows\py.exe
C:\Windows\setup.exe
C:\Windows\system32\
C:\Windows\System32\smss.exe
C:\Windows\system32\conhost.exe
C:\windows\system32\consent.exe
C:\Windows\System32\cscript.exe
C:\Windows\system32\csrss.exe
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\explorer.exe
C:\Windows\System32\LogonUI.exe
C:\Windows\System32\lsalso.exe
C:\WINDOWS\system32\lsass.exe
C:\Windows\System32\lsm.exe
C:\windows\system32\mmc.exe
C:\Windows\System32\netsh.exe
C:\Windows\System32\Ntoskrnl.exe
C:\Windows\System32\rundll32.exe
C:\windows\system32\services.exe
C:\Windows\System32\sihost.exe
C:\Windows\system32\smss.exe
C:\Windows\System32\snmp.exe
C:\Windows\System32\splwow64.exe
C:\Windows\System32\Spool\
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\sysvol\
C:\Windows\System32\taskeng.exe
C:\Windows\System32\taskhostex.exe
C:\Windows\System32\Taskmgr.exe
C:\Windows\system32\userinit.exe
C:\Windows\System32\vbscript.dll
C:\Windows\system32\vssvc.exe
C:\Windows\System32\WBEM\
C:\Windows\System32\wbem\WmiApSrv.exe
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\System32\WindowsPowerShell\
C:\Windows\System32\WindowsPowerShell\v1.0\
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
C:\Windows\System32\wininit.exe
C:\Windows\system32\winlogon.exe
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Micros
oftEdgeCP.exe
C:\Windows\SYSVOL\
C:\Windows\SysWOW64\
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\wbem\
C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
C:\Windows\Temp\
C:\Windows\winexesvc.exe
acrord32.exe
java.exe
LogonUI.exe
vssadmin.exe
_mprosrv.exe
*.dll
*.exe
*.pdf
*/python<version number>
*/ruby
*\*apache-maven*\
*\bin\java.exe
\adobe\
\Device\HarddiskVolume*\
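
The path rules (Path Exclusion Details), the Best Practices list and the Exclusions to Avoid list above amount to a pre-flight check that an analyst can run before saving an exclusion. The Python below is an added example, not SentinelOne code or the Agent's matching algorithm: `lint_exclusion` flags a proposed exclusion against the rules stated in this module and a constructed subset of the avoid list, and `matches` shows how the documented wildcard semantics (* for any characters, ? for exactly one, Windows and macOS case-insensitive, Linux case-sensitive) play out. Two details are assumptions beyond the text and are marked as such in the code: a drive-less Windows pattern is anchored at any directory, and a folder exclusion without Include Subfolders covers only the folder's direct children.

```python
import re

# Constructed subset of the "Exclusions to Avoid" list above, lower-cased for comparison.
AVOID = {
    "*.exe", "*.dll", "*.pdf", "java.exe", "acrord32.exe", "vssadmin.exe",
    "c:\\windows\\", "c:\\windows\\system32\\", "c:\\windows\\temp\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
    "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
    "c:\\windows\\system32\\rundll32.exe", "c:\\windows\\system32\\svchost.exe",
}
DRIVE = re.compile(r"^[a-z]:", re.IGNORECASE)
# <Drive letter>:\ , <Drive letter>:\*.* and <Drive letter>:\*\ are all whole-drive exclusions.
WHOLE_DRIVE = re.compile(r"^[a-z]:\\(?:\*\.\*|\*\\)?$", re.IGNORECASE)


def lint_exclusion(os_name: str, path: str, include_subfolders: bool = False) -> list:
    """Check a proposed path exclusion against the rules in this module.

    Returns a list of "error:" / "warn:" strings; an empty list means nothing was found.
    """
    problems = []
    sep = "\\" if os_name == "windows" else "/"
    if os_name == "windows":
        if re.match(r"^[*?]:", path):
            problems.append("error: *: or ?: as the drive is not allowed; omit the drive to match all drives")
        if re.search(r"%[^%]+%", path):
            problems.append("error: environment variables are not supported; spell the path out or use *")
        if WHOLE_DRIVE.match(path) or path.lower() in AVOID:
            problems.append("error: this is on the 'Exclusions to Avoid' list")
    else:
        if not path.startswith("/"):
            problems.append("error: Linux/macOS paths must be absolute (start with /)")
        if path != path.strip():
            problems.append("error: the path must not start or end with a space")
    if re.search(r"\b(?:AND|OR)\b", path):
        problems.append("error: AND/OR are not supported; use one path per exclusion")
    if include_subfolders and not path.endswith(sep):
        problems.append(f"error: Include Subfolders requires the path to end with {sep}")
    if path.endswith(sep):
        problems.append("warn: folder exclusion; a hash or a specific file is safer if it fits")
    return problems


def exclusion_regex(os_name: str, pattern: str, include_subfolders: bool = False):
    """Translate an exclusion path into a regex: * = any characters, ? = exactly one character.

    Assumptions (not stated in the manual): a Windows pattern with no drive letter is anchored
    at any directory, so 'calc.exe' hits CALC on every drive; a folder exclusion without
    Include Subfolders covers the folder's direct children only.
    """
    sep = "\\" if os_name == "windows" else "/"
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    if os_name == "windows" and not DRIVE.match(pattern) and not pattern.startswith("*"):
        body = r"(?:.*\\)?" + body
    if pattern.endswith(sep):
        body += ".*" if include_subfolders else "[^" + re.escape(sep) + "]*"
    flags = 0 if os_name == "linux" else re.IGNORECASE  # Windows and macOS are not case sensitive
    return re.compile("^" + body + "$", flags)


def matches(os_name: str, pattern: str, candidate: str, include_subfolders: bool = False) -> bool:
    """True if `candidate` (a full path) falls under the exclusion `pattern`."""
    return exclusion_regex(os_name, pattern, include_subfolders).match(candidate) is not None


if __name__ == "__main__":
    for os_name, path, subs in (("windows", "*:\\Program Files", False),
                                ("windows", "%appdata%\\Vendor\\tool.exe", False),
                                ("windows", "C:\\Users\\*\\AppData\\Roaming\\", True),
                                ("linux", "opt/app/", True)):
        print(path, "->", lint_exclusion(os_name, path, subs) or ["ok"])
    print(matches("windows", "C:\\test?\\", "C:\\test1\\app.exe"))
```

Run it against the manual's own examples: `C:\test?\` covers `C:\test1\` but not `C:\test12\`, `harddiskvolume?\temp\` covers a temp directory on any volume, and `/opt/App/` on Linux does not cover `/opt/app/`. The linter is deliberately strict about folders and the avoid list because, as the module says, an incorrect exclusion opens the environment to malware.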

Excluding a Signer Identity (Certificate)

You can exclude files and software that are signed by a trusted source, with a certificate that is
verified by the endpoint OS. Agents monitor events associated with the certificate signer but do
not mitigate the signed items.

Important: Do NOT create Signer Identity exclusions for all Microsoft or Adobe applications. This
will significantly decrease your organization's security. If you are getting false alerts for a specific
application, contact SentinelOne Technical Support to find a narrower exclusion to resolve the
issue.

Important: Be careful! If you create incorrect exclusions, you can open your environment to
malware.

To exclude items signed by a trusted source:

1. In Incidents, select the threat.
2. In the Threat Details > Information, click on the Signer Identity and click Copy.
3. On the sidebar, select a Scope.
4. On the sidebar, click Sentinels.
5. On the Sentinels toolbar, click Exclusions.
6. Click Signer Identity.
7. Click New Exclusion.
8. In the New Exclusion window:
a. Select the OS.
b. Type or paste in the Certificate ID.
i. Wildcards are not supported.
c. Enter a Description.
d. Click Save or Save and add another.

Excluding a File Type

You can exclude files of a given type from automatic mitigation. This exclusion type is supported
for Windows Agents.

To exclude a file type:

1. In Exclusion Types, click File Type.
2. Click New Exclusion.
3. In the New Exclusion window:
a. Select the OS.
b. In File Type, add the file type extension.
i. Wildcards are allowed. For example, use PPT for PowerPoint files. PP* will
exclude PPT, PPTX, PPTM, PPSX, PPSM, PPS, PPAM, PPA files.
c. In Description, explain the reason for the exclusion.
d. Click Save or Save and add another.

Excluding a Browser

Threats that come from a browser show as Exploit attempts in the Management Console. If an
end-user browses to a site that hosts web exploits, which can introduce malware into your
environment, the Agent detects a web exploit. It mitigates the browser session based on the
policy and shows the threat in the system tray and Management Console.

In rare cases, to keep the browser usable, you can exclude the browser from active scanning.

This is supported for Windows Agents.

Important: This can leave your system vulnerable to web exploits.

To exclude a browser:
1. On the sidebar, select a Scope.
2. Click Sentinels.
3. Click Exclusions.
4. In Exclusion Types, click Browser.
5. Click New Exclusion.
6. In the New Exclusion window:
a. For the OS, select Windows (the only supported OS).
b. For the Browser, select a browser from the pulldown.
c. In Description, add text describing the exclusion.
d. Click Save or Save and add another.

Agent Support for Exclusions

Exclusions Mode                                  | Windows 2.8+ and macOS 4.1+ | macOS 2.5 - macOS 4.0         | Linux (all)
Suppress Alerts                                  | Yes                         | Yes                           | Yes
Suppress Alerts - DFI engine                     | Yes                         | N/A                           | Yes
Suppress Alerts - Dynamic AI engine              | Yes                         | N/A                           | Yes
Interoperability / Interoperability - extended   | Yes                         | No. Becomes Performance Focus | No
Performance Focus                                | Yes                         | Yes                           | Yes (from 4.0)
Performance Focus - extended                     | Yes                         | No. Becomes Performance Focus | Yes (from 4.0)*

* On Linux endpoints, when Performance Focus - extended exclusions are used, the Agent does
not monitor File Events on the specified path. This is different behavior than this type of
exclusion on the Windows Agent.
o Usage example: To solve issues where a specific application generates many events due to
Agent event analysis, when the Performance Focus option did not resolve the issue.

Analyzing Threats

A manual incident response plan usually requires a lot of time and resources. Gather data to
define what is "good" and what is "unwanted" or "threatening". Identify events when you can, or
by signature. Notify the security team. Contain the infection. Investigate the attack to understand
its severity and behavior. Remove all files that the attack installed, and recover files that it
changed, if possible. Update reports of known malware and analyze how to respond faster next
time.

SentinelOne significantly improves this workflow with a simple dashboard that identifies security
incidents with its Dynamic Detection Engine and Static Detection Engine.

When a threat exists, it shows in Threats by Status and is included in the information shown
throughout the Management Console.

How is a Threat generated?

• The SentinelOne Agent engines detect suspicious or malicious activity.
• A user marks events as suspicious or malicious in the API, SentinelCTL, or in Deep
Visibility.

The Agent can detect only, or also mitigate threats automatically, based on the Policy
settings configured for the Agent.

Threat Management

The Threats page shows the threats and their current status. By selecting a threat, the user
moves to the Incident Details page.

Incident Filters

The Threats table has many filters so the user can easily find the information needed.

Filter: Valid Values

Free text search: Search for Endpoint name, file path, filename, file extension, hash and
username
Threat mitigation status: Not Mitigated, Mitigated, Marked as benign
Confidence level: Malicious, Suspicious, N/A
Analyst verdict: Suspicious, True positive, False positive, Undefined
Incident status: Resolved, In progress, Unresolved
Pending actions: Yes, No
Action failed: Yes, No
Reboot required: Yes, No
OS: Windows, macOS, Linux, Windows Legacy
OS version: Various OS versions
Engine: Agent engines that detected the threat
Classification: Category of threat (see Classifications below)
Initiated by: How the threat was generated: Agent policy, Deep Visibility command, Full Disk
Scan, Local Agent command, Management console
Endpoint connectivity: Offline, Online
Mitigated preemptively: Yes, No
Note exists: Yes, No
External ticket exists: Yes, No. Refers to tickets added by Vigilance or users through API.

Detection Engines

Engine: Description

Reputation: An engine that uses the SentinelOne Cloud and user-defined Blacklist to make sure
that no known malicious files are written to the disk or executed.

SentinelOne Cloud: An engine that blocks hashes that the SentinelOne Cloud defines as
malicious. This makes sure that no known malicious files are written to the disk or executed.

User-Defined Blacklist: An engine that blocks hashes that your team defines as malicious for
your environment.

On-Write DFI: A Static AI engine that scans for malicious files written to the disk. It supports
portable executable (PE) files.

On-Write DFI Suspicious: A Static AI engine that scans for suspicious files written to the disk. It
supports portable executable (PE) files.

Documents, Scripts: A Behavioral AI engine that focuses on all types of documents and scripts.

DBT - Executables: A Behavioral AI engine that implements advanced machine learning tools.
This engine detects malicious activities in real-time, when processes execute.

Potentially Unwanted Applications: A Static AI engine on macOS devices that inspects
applications that are not malicious, but are considered unsuitable for business networks.

Lateral Movement: A Behavioral AI engine that detects attacks initiated by remote devices.

Anti Exploitation / Fileless: A Behavioral AI engine, focused on exploits and all fileless attack
attempts, such as web-related and command line exploits.

Manual Detection: All Storylines that your team, Vigilance, or SentinelOne Support mark as
threats with the “Mark as threat” action or from sentinelctl are classified under this engine.

Intrusion Detection: A Behavioral AI engine that detects malicious commands in interactive
sessions. This engine detects interactive threats that focus on insider threats (for example, an
authenticated user runs malicious actions from a CMD or PowerShell command line).

Remote Shell: All threats that are generated during a remote shell session are classified under
this engine.

Classifications

One detection can have different classifications. To make it simpler to analyze and respond,
SentinelOne shows the classification that is most important or most reliable.

Prioritization of Classifications by detection:

• The Agent detecting engine gives the first classification.
• If the Deep File Inspection (DFI) of the Static AI can better define the threat, the
classification is updated.
• If the detection is fileless or its behavior matches threat indicators, the classification is
updated.
• If the detection is known to Cloud Intelligence Service, this is the most reliable
classification and has the highest priority.

Classification: Static indicators

Ransomware: DFI indicators of ransomware, determined by SentinelOne extensive machine
learning.

PUA (Potentially Unwanted Application): On Windows, Deep File Inspection matches risky code,
such as an unknown Windows macro script or non-English characters without a declaration of a
different source language. On macOS, the application is set by the user or SOC as a PUA or PUP.

Trojan: The detection creates a service, is known dinkumware, has an abnormal entry point or
image base, or calls DNS-CAT in a suspicious manner.

Adware: DFI indicators of Adware, determined by SentinelOne extensive machine learning.

Worm: The detection includes or calls a process to spread itself.

Virus: The detection uses stealth techniques (such as hiding dot-net or high entropy), shows
abnormalities (such as abnormal size, section counts, entry points, or stubs), or its general
exceptions indicate it is a virus.

Downloader: The detection downloads content without user requests.

Hacktool: The detection uses NirSoft or DFI indicates changes to system software.

Backdoor: The detection has a DOS header matching backdoor code.

Exploit: DFI indicators of browser exploits, determined by SentinelOne extensive machine
learning.

Rootkit: DFI indicators of unnecessary access enablement to system areas that should not be
accessed.

Infostealer: DFI indicators of keylogging, or the detection runs MimiKatz.

Spyware: DFI indicators of possible CLSID registry key hijacking to create scheduled tasks that
run processes or DLLs.

Browser: DFI indicators of browser exploits, determined by SentinelOne extensive machine
learning.

Packed: The detection code has suspicious calls to MKBundle installations or packer commands,
will install python and scripts, has an abnormal section with full permissions, runs VBA
commands, or runs 7zip or RAR.

Malware: The detected file has abnormal section headers or high section entropy, uses stealth
techniques (such as Anti-VM IDs, fake Microsoft certificates, XOR APIs), or behaves as a
debugger or system service without an explicit declaration.

Dialer: DFI indicators of unauthorized connection creation.

Network: The detection uses or calls Netcat without user authorization.

Interactive shell: The detection creates or calls a process that creates a shell with unauthorized
access.

Lateral Movement: DFI indicators of suspicious network or data access from the detection.

OSX.Malware: Blacklisted, reputation or signature, and arbiter are classified as malware on
macOS endpoints.

Linux.Malware: All detections, including blacklisted, are classified as malware on Linux
endpoints.

Benign: The detection is whitelisted in the Cloud Intelligence Service. You will see this
classification if a detection was determined to be malicious by an engine or Static AI, or is part
of a threat group, but its hash is known to be benign by SentinelOne or by your users.

Installer: The detection installs processes or executables in suspicious locations.

If a detection fits a number of classifications, the Management Console shows only one.

Prioritization of Classifications with the same level of detection:

• Benign
• Malware
• Trojan
• Virus
• Exploit
• Worm
• Rootkit
• Infostealer
• Downloader
• Backdoor
• Hacktool
• Browser
• Dialer
• Installer
• Packed
• Network
• Spyware
• Adware
• PUA

Threat Status

Marked as Benign - The threat was marked as benign (the Analyst Verdict is False
Positive).

Mitigated - The Quarantine mitigation action completed successfully. The same status
shows if Remediate or Rollback also completed.

Not Mitigated - No mitigation actions were completed, or the threat was killed but no
other action was done.

How is the Confidence Level decided?

The AI Confidence Level is set automatically by the SentinelOne Agent AI. Users cannot
change this.

You can use the Analyst Verdict setting to select your own conclusion about the threat.

The Confidence Levels are:

• Malicious - The Agent AI is very confident that the threat is malicious.
• Suspicious - The Agent AI found traits that are suspicious, but not enough to mark it
as malicious.
• N/A - Detections marked by users as threats.

What does the Mitigation Action Status show?

Each mitigation action that is initiated shows its status. The status shows in the Forensics
page, in Threats and throughout the Management Console.

For supported Agents, you can download the complete Mitigation Report from the Timeline
tab of the Incident details. This shows the details of mitigation actions that are not pending,
including what exactly was done and to which files or processes.

These are the statuses that each mitigation action can have:
• Pending - The action initiated and is waiting for a response from the Agent.
• Success Pending Reboot - A reboot is required to complete the mitigation action
because one or more activities on a file or process cannot complete. The endpoint
shows that it requires a restart. This status only shows for Agent versions that fully
support Threat Management and Mitigation reports.
• Success - The action completed successfully on all files or processes.

• Failed - One or more activities failed. This does not mean everything failed. See the
Mitigation Report for more details.

Note: Older Agents do not report a status for the Unquarantine command. The status
of Unquarantine for older Agents will show Sent without more information.

How is the Analyst Verdict decided?

• The Analyst Verdict is set by users. Use it to record decisions made by the security
analysts for each threat: True Positive, Suspicious, False Positive, Undefined.
• Each threat starts as Undefined.
• Before you can change a threat's Incident Status to Resolved, it must have an Analyst
Verdict set (not Undefined). When you run a mitigation action, you are prompted to
set the Analyst Verdict.
• You can change the Analyst Verdict at any time.

What does the Incident Status show?

Use the Incident Status to track the progress in handling each threat. In Threats, filter the
threats by their Incident Status, for example, to only see threats that are In-progress or
Unresolved.

• Unresolved - Each threat starts as unresolved.
• In-Progress - Mark a threat as In-Progress if you are working on it.
• Resolved - Mark a threat as Resolved if the threat has been taken care of.
Before you can change a threat's Incident Status to Resolved, it must have an
Analyst Verdict set (not Undefined).

Forensic Analysis of Threats

The analyst can determine what the threat attempted to do on the Incidents Details page.

To see threat details:

1. Go to the Dashboard.
2. In the Threats by Status widget, select Not Mitigated.
3. You are forwarded to the Incidents > Threats page.
4. In the results, click a threat to view the Incident Details.

Incident Details Page Settings

Each Management Console user can change the view that first opens in the Incident details and
the time zone of threat information. The settings stay for that user until they are changed.

Changes are per user and not related to scope or a specific threat.

To change the default view:

1. In the Incident Details Page, click Settings.
2. Default Tab
a. Select the name of the tab to be the default Forensics view.
3. Time Zone
a. Select the time zone used for the Forensics report.
4. Click Apply.

Incidents Details – Overview Tab

Incident Details Header

• Overview, Explore, Timeline Tabs – The Incident Details page contains 3 tabs along the
top:
o The Overview tab – View the details of the threat.
o The Explore tab – View all events of the threat in a graphical process tree and a
table view.
o The Timeline tab – The timeline gathers all information about the threat,
endpoint, and hash in order to understand what happened, when, and by whom.
• Threat Status - See if mitigation actions were taken or if it is still not mitigated.
• AI Confidence Level - Note if the threat is Malicious or Suspicious.
o The Level can be N/A if the detection was marked by a user as a threat.
• Analyst Verdict - Each threat starts as Undefined.
o If a different verdict shows, see the Timeline for a summary of all actions taken on
the threat and all notes recorded.
• Mitigation Actions Taken - See which mitigation actions were done and their status. See
if actions are required to complete mitigation. For example:
o A threat is mitigated but only killed and quarantined. Complete the analysis to see
if more mitigation is required.
o All mitigation actions are Pending because the Management is waiting for a
response from the Agent. If the endpoint is online, it will respond soon. If the
endpoint is offline, it can take a while.
o If the endpoint must reboot to complete the mitigation, the status shows Pending
Reboot and a message shows under the header. Click Reboot Now to reboot the
endpoint and complete the mitigation.

• See the Incident Status.
o Each threat starts as Unresolved.
o If it is In-Progress, someone is working on it already.
See the Timeline for a summary of all actions taken on the threat and all notes
recorded.
o If it is Resolved, you can move on to a different threat.
• See the Timeline for a summary of all actions taken on the threat and all notes recorded.

• See the date and time of the incident:
o Identified Time - When the Agent identified the activity as a threat.
o Reporting Time - When the threat showed in the Management Console or sent
alerts.

If the Reporting Time is very different from the Identified Time, the endpoint was probably
offline at detection time, and did not report to the Management until it was online.

Taking Action

To take an action against a threat and/or disconnect an endpoint from the network, select
Actions in the upper right of the header.

Actions that can be taken:

• Mitigation Action
• Add to Blacklist
• Add to Exclusions
• Unquarantine
• Disconnect

Disconnect an Endpoint from the network

• Connect or Disconnect - Puts an endpoint in network quarantine, or restores a
disconnected endpoint. If you think that the threat might attack other endpoints or
communicate with the external network, you can quarantine the endpoint from the
network. This can be an effective first response before you run other mitigation.

On the Sentinels > Endpoints page, under the Network Status column, you can see if the
endpoint is Connected or Disconnected.

Incident Details - Summary

The Network History pane helps you understand where the threat has been found and if
someone already analyzed it.

Best Practice: If you see that the threat was first seen previously, and it appears multiple times,
click the link on the number of times. All instances of the threat open in a Threats table. See
which actions were done and which Analyst Verdict other analysts gave it already.

The details show for your whole access level, even if you had a narrower scope open in
the Management Console. For example, you have access to a Site but were looking
at Threats with a Group scope selected: You will see network history information for a threat in
the whole Site.
• See the first and last time the threat was seen in your scope.
• See how many times the threat was detected and on how many different endpoints.
Note: Threats are grouped by hash. Fileless threats always show as one time per endpoint
because they do not have a hash.
• See the scope distribution - how many Accounts, Sites, and Groups have this incident.
• To get a deeper analysis of where a hash or file was seen in your scope, click Hunt Now to
run a query in Deep Visibility.

For Fileless threats, a query for the Storyline will run in Deep Visibility.

Incident Details – Threat Information

In the Threat Information pane, you see all details of the threat: Path, Command line arguments,
Process user, Publisher name, Signer identity (certification ID), Signature verification, Originating
process, SHA1 hash, Initiated by (how the threat was generated), Detecting engine, Classification,
File size, Storyline, and Threat ID.

Tip: Click a detail to open a quick actions menu and see what you can do with it. For example:
• Click the hash and see options to search for it in Recorded Future, Open in Virus Total, or
copy the hash.
• Click Storyline to open the full chain of events in Deep Visibility.
• To copy all threat data to the clipboard, click Copy.
• To download the threat file, for example to test it in a sandbox, click Fetch Threat File.

Incident Details – Endpoint Details

On the Endpoint Details pane, you can see the current status, whether online or offline, if the
Network status is Enabled (connected) or Disabled (disconnected from the network), the Agent's
scope, version, UUID, and policy, and the endpoint's IP addresses and domain.

• Click the endpoint name to open a quick actions menu. From here you can run actions,
based on your role and permissions:
o Open Endpoint – Opens the Endpoint Details dialog window.
o Open in Deep Visibility – Open the endpoint's activities in Deep Visibility.
o Remote Shell - Open a Remote Shell session directly with the endpoint.
o Show threats on the Threats page - Opens the threat page filtered for all threats
on the endpoint.
o Disconnect from Network - Puts an endpoint in network quarantine.
If an endpoint is disconnected, the option shows Reconnect.
o Fetch Logs – Retrieves the log files from the endpoint.
o Copy - Copies the endpoint name for you to paste elsewhere.

Incident Details – Threat Indicators

The indicators show what behavior the engine detected that marked the incident as malicious or
suspicious.

Indicators for Behavioral AI detections include references to the MITRE ATT&CK Matrix, and use the
MITRE methodology and terminology for easy cross-reference. Click a link to learn about the TTP
on the MITRE website.

Incident Details – Notes

You can add notes to threats to describe actions you took on the threat and why, or to record
relevant information. Links in the notes are clickable. For example, add a link to an external ticket.

All users with permissions to see the threat can add notes, but only the author of a note
can Edit or Delete it.

Note: In Settings > Notifications > Threat Management, you can select Notes to send
notifications when notes are added to threats, edited, or deleted.

To add Notes:
1. In the Forensics Page, Threat Indicators pane, click Notes.
2. Click Add new.
3. Enter your notes and click Send.

Incident Details – Explore Tab

To see all events of a dynamic threat (detected by a Behavioral AI engine) in a graphical process
tree and a table view, open the Explore tab.

For static threats, where a file did not run, or was stopped before it ran, the tab shows No
Processes found for this threat.

To use the Process tree:

• If available, click the plus sign (+) in a node to see its children, or Load more to see more
nodes.
• Drag and drop the tree.
• Zoom in and out. Click Full Screen Mode to see only the tree in your browser window.
• In the Processes menu on the left, select a process to view in the tree. By default, the root
process is shown. Click Search Processes to search for a specific process in the storyline.
• Click a node to see its details in the Process Summary on the right.
• When you select a node, see where it falls in the timeline below.
The events table is also filtered to show events related to that node.

A table of events related to the threat shows below the process tree and timeline. The table has
tabs for different event types: File, Network Actions, Processes, Indicators, and Registry.

Note: For threats, only events related to the malicious Storyline are shown. Deep Visibility
collects a different and wider set of information for all events. If you search for the same Storyline
in Deep Visibility, you will get more events. In Deep Visibility you can also show multiple
Storylines in the process tree.

To use the events table:

• The All Events tab shows all of the different events combined in one list, sorted by time
in ascending order. Use this to understand the order of events in a tabular view.
• Each event shows up to six attributes, the most important ones for that event type.
Note that each event type shows different attributes in this view.
• To only see events of a certain category, such as Process events, click that tab.
• When a node is selected in the tree, the events table is filtered to show events for that
node. A smaller number of events shows in the tabs. Click Clear Filter to show the events
for the whole storyline.
• The table shows up to 100,000 events per threat. If the threat has more than this number
of events, a message shows Partial Story.
• It is recommended that you use the default columns and order for each tab. You can
click Columns to select which to show or drag and drop columns in the table to change
their order.

To see the root of the Storyline in the tree and in the table:
• Under the timeline, click Go to root.

The root process of the storyline is selected in the process tree, and the events in the table
are filtered for that process.

To export the current view of the Process table:

1. In the Incident Details of a threat, click the Explore tab.
2. Click Export.

The Process table is downloaded as a .csv file.

Events recorded for Threats

Category          Event                  Win OS  macOS OS  Linux OS
Network Actions   TCP Connect            ✓ ✓
Network Actions   TCP listens            ✓
Process           Process Creation       ✓ ✓ ✓
Process           Process Modification
DNS               DNS Request            ✓
Files             File Creation          ✓ ✓ ✓
Files             File Deletion          ✓ ✓
Files             File Modification      ✓
Files             File Rename            ✓

Registry Events (Windows only)

Event Name        Activity Description
Registry Action   Antivirus Override
Registry Action   Offline mode
Registry Action   Registry tools
Registry Action   Task Manager
Registry Action   Firewall Exception
Registry Action   Hidden Files
Registry Action   Security Center Alerts
Registry Action   Safe Mode
Registry Action   ActiveX
Registry Action   Application
Registry Action   Autorun
Registry Action   Browser Objects
Registry Action   Netsh Event Tracing
Registry Action   Uninstaller
Registry Action   Firewall Status

Indicator Events (Windows only)

Event Type             Indicator Name          Indicator Description
Behavioral Indicators  Suspicious WMI Query    Not available
Behavioral Indicators  WMI - Security          Not available
Behavioral Indicators  Service Create          Name of the service
Behavioral Indicators  Preload Injection       Not available
Behavioral Indicators  Keylogger Install       Not available
Behavioral Indicators  Keylogger Information   Usage type
Behavioral Indicators  Remote Code Execution   Not available
Behavioral Indicators  Forbidden Process       Not available
Behavioral Indicators  Library Injection       Not available
Behavioral Indicators  Code Injection          Not available
Behavioral Indicators  Library Load            Library path
Behavioral Indicators  Modified Host File      Not available

Active Content Information (Windows only)

Active Content represents the data that changed within a process, usually when the process
loaded a new file or changed the command line.
• Contains Active Content? Yes|No
• Active Content File ID
• Active Content Hash
• Active Content Path

Incident Details – Timeline

The timeline gathers all information about the threat, endpoint, and hash so you can understand
what happened, when, and by whom. It includes:
• Threat status changes, mitigation actions, status changes, analyst verdict changes, and
notes.
• Endpoint-related activities from the detection time until the threat is marked as benign,
mitigated, or resolved.
• Exclusion and blacklist entries related to the hash of the threat, that are created in the
endpoint's scope (the Group, Site, or Account of the endpoint, or at the Global scope).

The timeline can start before the detection time. For example, if someone added this hash to the
blacklist and then the threat was detected based on the user-defined blacklist engine.

Using the Timeline Filter:

• By default, all activities show. Click Filters to see the filters available and select which
events to include.
• When you scroll down, use the purple arrow to jump back to the top.
• If a new event occurs while you are viewing the timeline, a New events button shows.
Click it to jump to the new events.
• Click the magnifying glass to search all events for a string. This includes names in
the Management Console and free text.
• To use the timeline details for a deeper analysis outside of the Management Console, you
can export the activities in the timeline.

To export the Timeline log of events:

The events that are open are exported. For example, if you filtered for Endpoint, only events on
the endpoint will be in the export file.

1. In the Incident Details of a threat, click the Timeline tab.
2. Click Export.

The Timeline is downloaded as a .csv file. The file is saved to your computer with the threat
name and date.

To create a Mitigation Report from the Timeline:

The Mitigation Report gives you detailed information for each mitigation action taken on a
threat.

1. In the Incident Details of a threat, click the Timeline tab.
2. Optional: Click Filters and select Mitigation, to see only mitigation activities.
3. A download icon shows next to mitigation activities for Agents of supported versions.
Click the icon next to a mitigation activity.

The report downloads to your browser as a .csv file.

Mitigation Actions

Actions against threats can be taken in two ways:

• Threat Incident Details page
• Threats page

From either location, you can:

• Run mitigation actions or other threat actions.
• See which mitigation actions were run and their status.

The Agent mitigates threats automatically based on the AI Confidence level if the policy is set
to Protect. If the policy is set to Detect, threats are not mitigated automatically.

Mitigation actions by operating system:


Action Windows macOS Linux & CWPP Windows Legacy
Kill ✓ ✓ ✓ ✓
Quarantine ✓ ✓ ✓ ✓
Remediate ✓ ✓ ✓
Rollback ✓
Unquarantine ✓ ✓ ✓ ✓

Note: For static threats on all Operating Systems, only Kill and Quarantine are available. This is
because static threats do not change or create processes.

For true positive threats:

Before you run mitigation actions:

• Decide if you will mitigate only the specific threat or all threats in your scope (if others
exist).
• Decide if you want to block this threat automatically in the future by adding it to the
blacklist and in which scope.

(All of these options are available from the Mitigation action window.)

Mitigation of a Threat

o Kill - Stops all processes related to the threat.
o Quarantine - Moves the threat and executables it created or changed to a
confined path, and encrypts them.
o Remediate - Deletes all files and system changes created by the threat.
If you select Remediate, Kill and Quarantine also run, if they were not completed
already.
o Rollback - (Windows only) Restores the endpoint to a saved VSS snapshot,
undoing the changes made by the process and its associated assets. This option is
best for ransomware mitigation and disaster recovery.

• Mark as Resolved – Changes the Incident Status to Resolved.
• Add To Blacklist - To automate threat handling, the Agent adds the detection to the
Blacklist on the Management for the current scope. This changes the Analyst Verdict of
the threat to True Positive. If this threat is detected on a different endpoint in your
deployment, the Agent blocks the detection immediately.
o A description is added automatically to the blacklist entry to help you understand
the source of items on the Blacklist page. It is editable and contains a link to the
threat.
• Add an Additional Note - Adds a note to the Notes section of the Incident Details.
You can add the same note to multiple threats in these ways:
o If you add a Note from the Mitigation Action window and select Apply to all of
instances of this threat, the same note is added to all of the instances.
o If you select multiple threats in the Threats table and select Threat
Actions > Add a Note, the same note is added to all selected threats.

After selecting a mitigation action, the Agent sends the status of the action to the Management
Console.

Statuses that each mitigation action can have:

• Pending - The action initiated and is waiting for a response from the Agent.
• Success Pending Reboot - A reboot is required to complete the mitigation action because
one or more activities on a file or process cannot complete. The endpoint shows that it
requires a restart. This status only shows for Agent versions that fully support Threat
Management and Mitigation reports.
For example, a file that is being used by other processes, so the Agent cannot quarantine it.
The Agent will try to complete the mitigation action after reboot and will send an updated
report.
• Success - The action completed successfully on all files or processes.
• Partial Success - The action completed successfully on some files or processes.
o Sometimes a mitigation action cannot complete on all items. The mitigation status
shows Partial Success when a mitigation action completed successfully on some files or
processes but not all, instead of showing Failed. You can see how many items completed
and how many did not.
• Failed - One or more activities failed. This does not mean everything failed. It is
recommended that you see the Mitigation Report for more details.

From the Incident Details header, you can see more information about the Mitigation Actions
taken and how many files were affected. If an action requires a reboot, that shows in the status.

Move the cursor over a Mitigation action. The tooltip shows a summary of what was done. For
example, Remediated 10 threat changes successfully.

If the mitigation action was successful on some items but not all, the numbers show. For
example, Rolled back 66/67 threat changes successfully.

If no counters show for supported Agents, it means there was nothing for the Agent to act on. A
success sign shows.
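The status names and the header counters described above follow fixed rules. As an added example in Python (not SentinelOne code), the block below derives the status and the tooltip text from per-item outcomes; the ItemResult records are constructed, since the real Mitigation CSV Report layout is not shown here, and the mapping rules are this example's reading of the definitions above.

```python
"""Derive a mitigation action's console status and header tooltip from per-item
outcomes. Added example, not SentinelOne code: the ItemResult records are
constructed, and the status rules are one reading of the manual's definitions."""
from collections import Counter
from dataclasses import dataclass

# Past-tense verb the header tooltip uses for each action, as in
# "Rolled back 66/67 threat changes successfully".
TOOLTIP_VERB = {
    "Kill": "Killed",
    "Quarantine": "Quarantined",
    "Remediate": "Remediated",
    "Rollback": "Rolled back",
}


@dataclass(frozen=True)
class ItemResult:
    """One file, process or system change the Agent tried to act on (constructed)."""
    target: str
    outcome: str  # "success" | "failed" | "pending_reboot" | "no_response"


def mitigation_status(items):
    """Map per-item outcomes to the status names shown in the console.

    Assumed rules:
      - an item the Agent has not answered for yet  -> Pending
      - any item waiting on a restart               -> Success Pending Reboot
      - nothing failed (including no items at all)  -> Success
      - some succeeded, some failed                 -> Partial Success
      - nothing succeeded                           -> Failed
    """
    counts = Counter(item.outcome for item in items)
    if counts["no_response"]:
        return "Pending"
    if counts["pending_reboot"]:
        return "Success Pending Reboot"
    if counts["failed"] == 0:
        return "Success"
    if counts["success"] > 0:
        return "Partial Success"
    return "Failed"


def tooltip_summary(action, items):
    """Tooltip text for the header: "Remediated 10 threat changes successfully" when
    every item succeeded, "Rolled back 66/67 threat changes successfully" when only
    some did. With no items there was nothing to act on, so no counter is shown."""
    verb = TOOLTIP_VERB[action]
    total = len(items)
    if total == 0:
        return f"{verb}: nothing to act on"  # constructed wording for the no-counter case
    done = sum(1 for item in items if item.outcome == "success")
    counter = str(done) if done == total else f"{done}/{total}"
    return f"{verb} {counter} threat changes successfully"


def describe(action, items):
    """Status plus tooltip, the two things the header shows for one action."""
    return mitigation_status(items), tooltip_summary(action, items)


if __name__ == "__main__":
    # Constructed sample: a rollback where one of 67 changes could not be restored.
    changes = [ItemResult(f"C:\\Users\\demo\\doc{i}.docx", "success") for i in range(66)]
    changes.append(ItemResult("C:\\Users\\demo\\locked.xlsx", "failed"))
    print(describe("Rollback", changes))
    # ('Partial Success', 'Rolled back 66/67 threat changes successfully')
```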

Mitigation CSV Report

You can download the Mitigation CSV Report from the Incident details header of a threat.
Move the cursor over a Mitigation action taken and then click Download CSV Report.

For false positive threats:

If you think that a threat is not really a threat, mark the Analyst Verdict as False Positive. This
changes the Status of the threat to Marked as Benign.
• Decide if only this specific instance is benign or if you want to create an exclusion for all
instances in your scope.
• If you create an exclusion, you can choose the type (from those available) and scope in
the New Exclusion window that opens.

On-Demand File Fetch

On-Demand file fetch lets you download files from an endpoint to the Sentinel Management
Console. There are two types of On-Demand file fetch:

• Threat File Fetch - Get the file or files that are the root of the threat (Windows 2.9+ | macOS 3.0+
| Linux 3.4+).

Note: Threat File Fetch is covered in the Incident Details section.

• Multi File Fetch - Get multiple files that you specify (Windows 2.9+ | macOS 2.6+).

Multi-File Fetch

You can download multiple files that you specify from SentinelOne endpoints to the Management
Console. Use this to analyze malware or for other operational needs.

For regulation compliance, this feature is disabled by default. To enable it, contact SentinelOne
Support.

Specifications:
• You can get up to ten files at one time, with a 10 MB maximum size for each file.
• You can only get files by explicit, full pathnames. You cannot use: Wildcards, environment
variables, non-regular files (such as /dev/*), or sensitive files (such as SSH private keys).
• To minimize risk, run the Fetch File action on a single endpoint that you select manually
from the Management Console.
• Fetched files are automatically deleted from the Management after 72 hours and are not
available for download from the Management Console after that time.

To run the Multi File Fetch action on an endpoint:

1. On the sidebar, click Sentinels.
2. Click an endpoint name from the list to open its Endpoint Details dialog window.
3. Click Actions > File Fetch.
4. In the Fetch Files window, enter the File Path for the files to download.
• Format for macOS - In the file path, type spaces as spaces; do not escape them with
backslashes.
• Correct path example - /Users/Sierra/Desktop/files to send
• Format for Windows - Use paths that follow Windows filename limitations. Do
NOT include the characters / : * ? " < > |.
• Correct path example - C:\Users\Desktop\files to send
• Invalid path example - C:\Users\Desktop\"?"
5. Click Add. You can add multiple file paths.
6. In Password, enter a password.
Remember the password - you will use it to open the zip file after you download it from
the Management Console. To set the password, use 10 or more characters with a mix of
upper and lower case letters, numbers, and symbols.
7. Click Submit.
• The files are fetched from the endpoint, archived as a zip file, and encrypted with
the password you entered.
8. Click OK.
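The path and password rules above are easy to get wrong in a hurry. The Python below is an added example, not SentinelOne code: it pre-checks a fetch request against the limits the procedure lists before you submit it. The console and Agent enforce these rules themselves; the sensitive-file check here covers only the SSH private key example given above, since the full list the Agent refuses is not documented on this page (assumption).

```python
"""Pre-check a Multi-File Fetch request against the limits listed in the manual.
Added example, not SentinelOne code: the console and Agent enforce these rules
themselves; this only catches a rejected request before you submit it. The
sensitive-file check covers the SSH private key example only (assumption: the
full list the Agent refuses is not on the page)."""
import re

MAX_FILES = 10                                  # files per fetch; the 10 MB size cap is checked by the Agent
WINDOWS_FORBIDDEN = set('/:*?"<>|')             # characters not allowed in a Windows file name
POSIX_GLOB_OR_ENV = re.compile(r"[*?\[\]]|\$\w+|\$\{")   # wildcards, $VAR, ${VAR}
WINDOWS_GLOB_OR_ENV = re.compile(r"[*?]|%\w+%")          # wildcards, %VAR%
SSH_PRIVATE_KEY = re.compile(r"/\.ssh/id_[a-z0-9]+$")    # e.g. ~/.ssh/id_rsa


def _windows_problems(path):
    problems = []
    drive, sep, rest = path.partition(":\\")
    if not sep or len(drive) != 1 or not drive.isalpha() or not rest:
        problems.append(f"{path!r}: not an explicit full path (expected D:\\folder\\file)")
    bad = sorted(set(rest) & WINDOWS_FORBIDDEN)
    if bad:
        problems.append(f"{path!r}: forbidden characters {''.join(bad)!r}")
    if WINDOWS_GLOB_OR_ENV.search(path):
        problems.append(f"{path!r}: wildcards and environment variables are not allowed")
    if path.endswith("\\"):
        problems.append(f"{path!r}: must name a file, not a folder")
    return problems


def _macos_problems(path):
    problems = []
    if not path.startswith("/") or path.endswith("/"):
        problems.append(f"{path!r}: not an explicit full path to a file")
    if POSIX_GLOB_OR_ENV.search(path):
        problems.append(f"{path!r}: wildcards and environment variables are not allowed")
    if "\\ " in path:
        problems.append(f"{path!r}: type spaces as spaces, not backslash-escaped")
    if path.startswith("/dev/"):
        problems.append(f"{path!r}: non-regular files such as /dev/* cannot be fetched")
    if SSH_PRIVATE_KEY.search(path):
        problems.append(f"{path!r}: SSH private keys are refused as sensitive files")
    return problems


def password_problems(password):
    """The manual's guidance: 10 or more characters mixing upper and lower case
    letters, numbers, and symbols."""
    checks = [
        (len(password) >= 10, "password: use 10 or more characters"),
        (any(c.islower() for c in password), "password: add a lower case letter"),
        (any(c.isupper() for c in password), "password: add an upper case letter"),
        (any(c.isdigit() for c in password), "password: add a number"),
        (any(not c.isalnum() for c in password), "password: add a symbol"),
    ]
    return [message for ok, message in checks if not ok]


def check_fetch_request(paths, os_name, password):
    """Return a list of problems; an empty list means the request looks submittable.
    os_name is "windows" or "macos", the two platforms listed for Multi File Fetch."""
    problems = []
    if not paths:
        problems.append("no file paths given")
    if len(paths) > MAX_FILES:
        problems.append(f"{len(paths)} paths given; at most {MAX_FILES} files per fetch")
    check = _windows_problems if os_name == "windows" else _macos_problems
    for path in paths:
        problems.extend(check(path))
    problems.extend(password_problems(password))
    return problems
```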

To download the files from the Management Console:

1. On the sidebar, click Activity.
2. Filter for Fetch file operations: Click Administrative and select Fetch file operations.
3. When the files are ready to download, an activity shows:
a. Agent successfully uploaded a threat file.
b. Click the item to download the file.
4. The zip file downloads to the default Downloads folder on the console computer.
5. When you extract the files, you are prompted for a password. Enter the password that
you created when you initiated the threat file download and click OK.

Contents of the zip file

The downloaded zip file has the fetched file or files and a metadata file, manifest.json, which
shows for each file:
• The NT file path.
• The SHA-1 and SHA-256 hash
• Error messages related to the fetch operation.
o Examples of errors: No such file or directory, for an invalid path, or <invalid> for a
file type that is not allowed.

If you try to download a file after it was deleted from the Management, a message shows that it
was deleted. Run the Fetch File action again to get the file.
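The manifest lets you confirm that what you extracted is what the Agent collected. The Python below is an added example, not SentinelOne code: it recomputes each extracted file's SHA-1 and SHA-256 and compares them with the manifest, and reports the manifest's own error text for paths that failed on the endpoint. The JSON key names ("files", "path", "sha1", "sha256", "error"), the rule that the archive stores each file under its base name, and the sample download it builds are assumptions constructed for the demonstration.

```python
"""Verify files from a Multi-File Fetch download against manifest.json.
Added example, not SentinelOne code. The manual says the manifest lists each
file's NT path, SHA-1, SHA-256 and any fetch error; the JSON layout used here
and the sample download built below are constructed assumptions."""
import hashlib
import json
import os
import tempfile


def _hashes(data):
    return hashlib.sha1(data).hexdigest(), hashlib.sha256(data).hexdigest()


def _member_name(nt_path):
    """Assumed mapping from the manifest's NT path to the extracted file name:
    the archive is assumed to hold each file under its base name."""
    return nt_path.replace("\\", "/").rsplit("/", 1)[-1]


def verify_extracted(extract_dir):
    """Return {nt_path: verdict} for every manifest entry.

    Verdicts: "ok" (both hashes match), "hash mismatch", "missing" (listed
    without an error but not present in the archive), or the manifest's own
    error text, e.g. "No such file or directory" or "<invalid>".
    """
    with open(os.path.join(extract_dir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    verdicts = {}
    for entry in manifest["files"]:
        nt_path = entry["path"]
        if entry.get("error"):
            verdicts[nt_path] = entry["error"]  # nothing was fetched for this path
            continue
        local = os.path.join(extract_dir, _member_name(nt_path))
        if not os.path.isfile(local):
            verdicts[nt_path] = "missing"
            continue
        with open(local, "rb") as fh:
            sha1, sha256 = _hashes(fh.read())
        if sha1 == entry["sha1"].lower() and sha256 == entry["sha256"].lower():
            verdicts[nt_path] = "ok"
        else:
            verdicts[nt_path] = "hash mismatch"
    return verdicts


def build_sample_download():
    """Construct a fake extracted download in a temp dir: one intact file, one
    file whose bytes differ from what the manifest records, and one path that
    failed on the endpoint. Returns the directory path."""
    directory = tempfile.mkdtemp(prefix="s1fetch-")
    prefix = "\\Device\\HarddiskVolume2\\Users\\sierra\\"  # constructed NT path prefix
    entries = []
    samples = (
        ("report.docx", b"constructed sample content\n", b"constructed sample content\n"),
        ("tool.exe", b"original bytes\n", b"changed bytes\n"),   # hashed vs. written
    )
    for name, hashed, written in samples:
        sha1, sha256 = _hashes(hashed)
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(written)
        entries.append({"path": prefix + name, "sha1": sha1, "sha256": sha256, "error": None})
    entries.append({"path": prefix + "gone.txt", "sha1": None, "sha256": None,
                    "error": "No such file or directory"})
    with open(os.path.join(directory, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump({"files": entries}, fh, indent=2)
    return directory


if __name__ == "__main__":
    for path, verdict in verify_extracted(build_sample_download()).items():
        print(f"{verdict:<25} {path}")
```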

Full Disk Scan

Agents run a Full Disk Scan when the Agent is installed, and on demand. It finds dormant
suspicious activity, threats, and compliance violations, which are then mitigated according to the
policy.

Files included in the scan:

• The local file system of each endpoint. Full Disk Scan does not inspect network drives,
which would require user credentials.
• Full Disk Scan inspects file headers. It looks at all EXEs, DLLs, SYS files, and more, on the
fixed drives of the local system.
• The Agent scans files copied from an external drive to a local disk, or files run from an
external drive. It does not scan or mitigate external drives.
• The Agent does not collect PII data from files.
• For folders and files that are included in Exclusions in the Agent policy, there is no
mitigation.

Note: Full Disk Scan does not work based on hashes, and therefore it does not check each file
against the blacklist. If a file is determined as suspicious by the Static-AI (DFI) engine, then the
Agent calculates its hash and checks the blacklist to see if the hash exists there. If a file is
executed, all aspects of the process are inspected, including hash-based analysis and checking if
the file is on the blacklist.

Full Disk Scan can run when the endpoint is offline, but when it is connected to the Management,
it can use the most updated Cloud data to improve detection.

To start a Full Disk Scan from the Management Console:

1. On the sidebar, click Scope and select a scope.
2. On the sidebar, click Sentinels.
3. In the Sentinels view, select one or more endpoints.

4. Click Actions, and select Initiate Scan.

5. In the window that shows, click OK.

To stop a scan:
1. In the Sentinels view, select the Agents.
2. Click Actions and select Abort Scan.

Reviewing Full Disk Scan Status and Results

From the Management Console you can easily output all of the details for selected endpoints,
including their scan status. An Export option shows in the Network view. It exports all network
endpoint information for each endpoint in the current filter (up to 20,000 endpoints) in CSV
format.

To see the status of a scan:

1. In the Management Console, click Sentinels.
2. In the Network view, see the Scan Status column. It shows one of these statuses:
• Completed - Completed successfully, with the date and time the scan finished.
• In progress - The scan is running.
• Aborted - The scan did not finish.
• N/A - No Full Disk Scan has run on the Agent.

If the Scan Status column is not visible:

1. In the Management Console, click Sentinels.
2. Above the filter results, click Select Columns.
3. Scroll down to Scan Status and select it.

Application Risk Management

SentinelOne Application Risk lets you monitor applications installed on endpoints, from your
SentinelOne Management Console.

Applications not updated with the latest patches are risky because they are vulnerable to
exploits. With SentinelOne Application Risk you can see all applications that need to be patched,
on all endpoints or on a specific endpoint. You can also see which endpoints have applications
that need to be patched, and you can export application data.

Application Risk is part of the Complete SKU (not available with Core). If you have the Core
bundle, you will not see Application Risk in your Management Console.

To view all risky applications on all endpoints:

1. On the sidebar, click Scope and select a scope.
2. On the sidebar, click Applications.
3. The APPLICATIONS page shows all applications installed on all endpoints.

Value            Description
Name             Name of the installed application in the current scope (Global, Site, or Group).
                 Click the application name to open the APPLICATION DETAILS. If the
                 application is not up to date, click the link to open the vulnerability ID on the
                 MITRE CVE site. From there you can patch the application, if a patch is
                 available.
Endpoint         Name of the endpoint. Click the endpoint link to open the ENDPOINT DETAILS.
Risk             The risk level of the application.
                 • Low: CVSS score from 0.1 to 3.9
                 • Medium: CVSS score from 4.0 to 6.9
                 • High: CVSS score from 7.0 to 8.9
                 • Critical: CVSS score from 9.0 to 10.0
                 • No risk: The application poses no risk to the endpoint.
Installed Date   The day and time (DD/MM/YYYY HH:MM:SS) that the application was last
                 installed or updated.
Version          The version number of the application.
Publisher        The publisher of the application (Microsoft, Apple, etc.).
Size             The size of the application.

4. Optional: Click Select filters to expand the filter options.

5. To view applications by risk level, you can use the risk level filter bar above the application
list.

Managing Risky Applications Installed on One Endpoint

To view risky applications installed on one endpoint:

1. On the Management Console, click Sentinels.
2. Select an endpoint you want to analyze.
3. The ENDPOINT DETAILS window opens.
4. In the Endpoint Details window, click Actions > Show Applications.
5. To filter the applications list by risk level, select the risk levels you want to see.
• Low: CVSS score from 0.1 to 3.9
• Medium: CVSS score from 4.0 to 6.9
• High: CVSS score from 7.0 to 8.9
• Critical: CVSS score from 9.0 to 10.0
• No known risk: The application poses no risk to the endpoint.

Export Application Data

To export application data:

1. On the sidebar, click Scope and select a scope.
2. On the sidebar, click Applications.
3. Click Export. A CSV file downloads containing the application data that appears on the
screen.

4. The data exported to the Application Risk CSV file: Application ID, Name, Version,
Publisher, OS, Installed, Size, Signed, Risk, Machine Type, Agent UUID, Agent name, Agent
version, and CVE IDs.
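The export is the natural input for a patch-priority list. The Python below is an added example, not SentinelOne code: it parses an Application Risk CSV with the column names listed above, keeps the rows at or above a chosen risk level, ranks them worst first and groups them per endpoint; it also carries the CVSS-to-risk thresholds from the Applications page. The sample rows, the agent names, the semicolon between CVE IDs in one cell, and the placeholder CVE IDs are constructed.

```python
"""Triage an Application Risk CSV export: which endpoints carry applications
that need patching first. Added example, not SentinelOne code. The column names
are the ones the manual lists for the export; the sample rows below, the
semicolon separator inside the CVE IDs cell and the placeholder CVE IDs are
constructed assumptions."""
import csv
import io

RISK_ORDER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "No risk": 0}

# Constructed sample export (agent names, UUIDs, sizes and CVE IDs are placeholders).
SAMPLE_EXPORT = """\
Application ID,Name,Version,Publisher,OS,Installed,Size,Signed,Risk,Machine Type,Agent UUID,Agent name,Agent version,CVE IDs
1,ExampleReader,1.2.0,Example Corp,Windows,01/06/2020 09:15:00,120MB,true,Critical,laptop,uuid-placeholder-1,LAPTOP-ALICE,4.1.0,CVE-XXXX-0001;CVE-XXXX-0002
2,ExampleBrowser,80.0,Example Corp,Windows,03/06/2020 10:00:00,200MB,true,High,laptop,uuid-placeholder-1,LAPTOP-ALICE,4.1.0,CVE-XXXX-0003
3,ExampleArchiver,5.0,Example Corp,Windows,02/05/2020 12:30:00,15MB,false,Medium,desktop,uuid-placeholder-2,DESK-BOB,4.1.0,CVE-XXXX-0004
4,ExampleReader,1.2.0,Example Corp,macOS,01/06/2020 09:15:00,120MB,true,Critical,laptop,uuid-placeholder-3,MAC-CAROL,4.1.0,CVE-XXXX-0001
5,ExampleEditor,2.0,Example Corp,Windows,01/06/2020 09:15:00,50MB,true,No risk,desktop,uuid-placeholder-2,DESK-BOB,4.1.0,
"""


def cvss_to_risk(score):
    """The Risk buckets the Applications page documents. A score of 0.0 falls
    outside every listed range and is treated here as No risk (assumption)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score >= 0.1:
        return "Low"
    return "No risk"


def patch_priorities(export_csv, min_risk="High"):
    """Parse the export text and return (agent_name, risk, app, version, [cve_ids])
    tuples at or above min_risk, sorted worst first, then by endpoint and app."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        risk = row["Risk"]
        if RISK_ORDER.get(risk, 0) < RISK_ORDER[min_risk]:
            continue
        cves = [c.strip() for c in (row["CVE IDs"] or "").split(";") if c.strip()]
        findings.append((row["Agent name"], risk, row["Name"], row["Version"], cves))
    findings.sort(key=lambda f: (-RISK_ORDER[f[1]], f[0], f[2]))
    return findings


def endpoints_by_risk(findings):
    """Group findings per endpoint: {agent_name: {"worst": risk, "apps": n, "cves": set}}."""
    summary = {}
    for agent, risk, _app, _version, cves in findings:
        entry = summary.setdefault(agent, {"worst": risk, "apps": 0, "cves": set()})
        if RISK_ORDER[risk] > RISK_ORDER[entry["worst"]]:
            entry["worst"] = risk
        entry["apps"] += 1
        entry["cves"].update(cves)
    return summary


if __name__ == "__main__":
    findings = patch_priorities(SAMPLE_EXPORT)
    for agent, risk, app, version, cves in findings:
        print(f"{risk:<9} {agent:<13} {app} {version}  {', '.join(cves)}")
    for agent, info in endpoints_by_risk(findings).items():
        print(f"{agent}: worst={info['worst']} apps={info['apps']} cves={len(info['cves'])}")
```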

SentinelOne Remote Shell

Remote Shell is a powerful way to respond remotely to events on endpoints. It lets you open full
shell capabilities - PowerShell on Windows and Bash on macOS - directly and securely from the
Management Console.

This lets you troubleshoot end-user issues from wherever you can access your Management
Console.

Remote Shell use cases:

• Faster troubleshooting made possible by admins not needing to be in physical contact
with an endpoint device to solve problems.
• Increased support for remote users by removing the need for visits to IT departments.
• The ability to easily change local configuration without leaving the premises.
• Eliminating the need for memory dump and other advanced tools in deep forensic
investigation.
• Terminating undesired applications or processes running on endpoint devices.
• Initiating remote controls in a secure manner.

The shell process runs with local administrator user permissions. If different permissions are
necessary, you can authenticate with domain user credentials inside the Remote Shell session.

Agents apply all detection and protection logic on the Remote Shell activity.

Requirements to use Remote Shell:

To make sure that Remote Shell is used securely and only for the intended purposes, there are
many requirements for the feature.

User Requirements:
• The user must be an Admin, not a Viewer, and have explicit permission to use Remote
Shell. Enable Remote Shell in the user settings.
• The user must have Two-Factor Authentication configured.
• You can enable Two-Factor Authentication for a specific user or for a scope.
• A Global or Account Admin can enable Remote Shell for a user.

Site Requirements:
• Remote Shell requires the Complete SKU and is enabled by default in Sites with the
Complete SKU.
• When Remote Shell is enabled for a Site, Remote Shell shows in the Management
Console.
• From the Remote Shell option in the policy, enable or disable the feature.

Remote Shell Session Requirements:

• One shell can be open on an endpoint. If a Remote Shell session is open, a different user
cannot open a session on the endpoint.
• To open a session, you must enter a 2FA code from the 2FA App on your phone.

• At the start of a session, you create a password. The transcript of the session is encrypted
with this password.
• Remote Shell sessions can be open on multiple endpoints at one time, but each session
must be opened separately on each endpoint.

Endpoint Requirements:
• The endpoint must have an OS and SentinelOne Agent version that support Remote Shell.
• The endpoint must have default settings for local Administrators users. The Agent creates
a new user in the local Administrators group, and it requires default permissions.
• The Agent must be online and connected to the Management to open a Remote Shell
session.
• If the endpoint is in Network Quarantine (disconnected from network), some commands
will not work because the endpoint cannot access the network. If necessary, reconnect
the endpoint to the network.
• A session can be open or minimized on the endpoint.
• Only the admin who runs the Remote Shell session can see the open or minimized session.
If a different admin tries to open a session for the same endpoint, a message shows that
a session is already open.


Module Review

In this module, we introduced the incident response concepts for Investigators using
SentinelOne and reviewed the following SentinelOne features:

• Managing Blacklists
• Managing Exclusions
  • Hash
  • Path
  • Signer Identity
  • File Type
  • Browser
• Analyzing Threats
• Threat Management
• Incident Details
• Mitigation Actions
• On-Demand File Fetch
• Full Disk Scan
• Application Risk Management
• Remote Shell


Module 4 Review Questions

1. When a threat is detected, which of these functions is the best practice to do first?
a. Shut the system down
b. Remediate the threat
c. Rollback the system
d. Disconnect from the network

2. On the Incidents Details view, where can you view if the threat tried to change the
registry, change or remove specific files?
a. Endpoint Network Connection
b. Attack Overview
c. Timeline
d. Classification

3. The Agent mitigates threats automatically, if its policy is set to:
a. Remediate
b. Protect
c. Detect
d. Activate

4. To clean up the Dashboard and Incidents > Threat view, after the threat has been
mitigated, you must do what?
a. Mark detections as Resolved
b. Mark detections as Benign
c. Mark detections as No Threat
d. Delete the detection entry from the Dashboard

5. What function finds dormant suspicious activity, threats, and compliance violations that
are then mitigated according to the policy?
a. Reinstall an updated agent
b. Run a full disk scan from the Management Console
c. Run the AV function in the Analyze view of the Management Console
d. Must be run manually from the endpoint with an AV product

6. What is true about Full Disk Scans?
a. Full Disk Scan does not work based on hashes
b. If a file is determined as suspicious by the Static-AI (DFI) engine, then the Agent
calculates its hash and checks the blacklist to see if the hash exists there
c. If a file is executed, all aspects of the process are inspected, including hash-based
analysis and checking if the file is on the blacklist
d. All of the above


7. True or False: Full Disk Scans can only be run if the endpoint is online.

a. ________________

8. What is the best practice for Path Exclusions?
a. Apply the exclusion to the smallest relevant scope of endpoints - a specific group
b. Apply the exclusion to the entire drive to stop false positives
c. Apply the exclusion to the entire site to ensure all users are not blocked access
d. Path exclusions should be avoided if possible

9. What is the best remediation step to use against a Windows endpoint that has been
infected with ransomware?
a. Kill
b. Quarantine
c. Remediate
d. Rollback

10. In order to use Remote Shell, the user account must be configured with what?
a. Single Sign On
b. Two-Factor Authentication
c. Both SSO and 2FA
d. Only Global Admin accounts can use Remote Shell

© SentinelOne 4-66
SentinelOne Deep Visibility/Threat Hunting

MODULE 5
SentinelOne Deep Visibility

This module will cover the SentinelOne Deep Visibility functionality and how it can be used for
Threat Hunting. In this module you will review:

• Understanding Deep Visibility
• How to Use Deep Visibility
• Threat Hunting Query
• Take Action from the Visibility Page
• Deep Visibility Query Syntax
• Deep Visibility Use Cases
• Hunting Abnormal Behavior on an Endpoint
• Responding to Incidents with Deep Visibility
• Configuring Deep Visibility Data Collection
• Saving Threat Hunting Queries and Watchlists
• Working with Saved Deep Visibility Queries
• Query with Custom Time Range
• Managing the Browser Extension
• Supported File Types for Deep Visibility


What is Threat Hunting?

Threat hunting is a proactive approach to cybersecurity that supplements automated tools with
searches across your environment for:
• Known indicators of compromise.
• Behavior and tactics that attackers use.

Threat hunting lets you find suspicious behavior in its early stages before it becomes an attack
that will generate alerts. It supplements the automated rules of detection tools, which require a
high level of confidence that behavior is suspicious before an alert is generated. Effective threat
hunting is done by a security team with expert understanding of:
• What is normal in your environment: the architecture, systems, applications, and
networks that are expected. A highly technical understanding of expected behavior is
necessary to uncover unexpected behavior and outliers.
• The tactics, techniques, and procedures (TTPs) that attackers use (such as Lateral
Movement or Command and Control).
• The most likely vulnerable points in your environment.
• Reliable streams of information for recent and common indicators of compromise.

SentinelOne Deep Visibility extends the ActiveEDR capabilities with full visibility into endpoint
data and threat hunting. It gives security teams the ability to augment real-time threat detection
capabilities with a powerful threat hunting tool. Deep Visibility query results show detailed
information from the SentinelOne Agents. Attributes in the query results include: Endpoint, User,
Site ID, Path, Process ID, Process Name, SHA1 hash, SHA256 hash, MD5, command line argument,
and Storyline.

Deep Visibility scope:

• Global Admin: See, query, and act on data from the Global All Sites, or filter for data from
a specific site.
• Global Viewer: See data from the Global All Sites or from a specific site.
• Site Admin: See, query, and act on data from the multiple sites for which the username
has permissions.
• Site Viewer: No permissions on Deep Visibility.


Storyline

When you run a Deep Visibility query, each item in the results has a Storyline, which automatically
correlates all related objects (processes, files, threads, events, and more) of a threat. This lets
you quickly understand the data relationships: the root cause behind a threat with all of its
context, relationships, and activities. When you find an abnormal event that seems relevant, use
the Storyline to find all related events.

Storyline lets security analysts understand the full story of what happened on an endpoint. Use
it to hunt easily, see the full chain of events, and save time for your security teams.

The autonomous Agent collects processes, files, threads, events, and more, and creates a
matrix for each monitored event. Events are correlated by the relationships of all processes,
files, and events that are created, changed, or deleted. Data is grouped by source, target, and
behavior, and these groupings are used in the threat Storyline.

All data transmissions are encrypted, compressed, and sent over HTTPS. Agent data is available
to you, and only you, for up to three months. From the time that an event occurs, the data is
available in the Deep Visibility queries in minutes.


Storyline Workflow

How it works:
• The user opens a web browser and downloads a file.
• The agent builds a group of events.
• As the malware runs, the AI recognizes malicious activity.
• The agent groups the source file and its targets and actions (such as a registry change).
• The agent runs automatic protection (if configured) and kills the process and
quarantines malicious files.
• With the group, the agent has an ID for automatic hunting of related events.
• With one Storyline ID the agent remediates all malicious creations.


Configuring Deep Visibility Data Collection

Deep Visibility is part of the SentinelOne Complete bundle and requires an extra license. If you
do not see the options described here, contact SentinelOne to get the required licenses.

Enable Deep Visibility in the policy. The Deep Visibility settings can be different in the Global
policy and in Site policies. In the policy settings, you can refine the data sent for Threat Hunting.

To enable Deep Visibility:

1. Go to Sentinels > Policy.
2. Go to Deep Visibility Configuration:
a. Select Enable Deep Visibility.
Note: If this is not selected, Deep Visibility queries will have no results.
b. Select the data types to be sent for Threat Hunting. You must keep Process
selected.
3. Click Save.

Data Type: Process
Source: Processes created
Data Collected:
• Name, ID, and time of the process and its creator process
• Command-line arguments used by the created process
• Executable full path and SHA1 of the created process

Data Type: File
Source: Supported file types that are created, changed or deleted by an event
Data Collected: Hash (MD5, SHA1, SHA256), full path, name of the process that created or
changed the file

Data Type: URL
Source: Sites visited in Safari, Chrome and Microsoft browsers (wininet processes, MS only);
from wget, curl, and similar commands (macOS only)
Data Collected: URLs and URIs (string, source or Chrome), HTTP method, processes and creator
processes, and request and response. From wget, curl, and similar commands: DNS, IP addresses,
and URLs

Data Type: DNS
Source: Every connection, including connections to localhost
Data Collected: Query name, query result, processes, and creator processes

Data Type: IP
Source: Outgoing network connections
Data Collected: TCPv4 connection attempts (source IP address and port, destination IP address
and port, protocol, processes and creator processes)

Data Type: Login
Source: macOS end user login and logout
Data Collected: Username and login and logout time

Data Type: Registry Keys
Source: Registry Key events on Windows endpoints
Data Collected: Registry Key ID and name, logged in user, time of event, process that caused
the event

Data Type: Scheduled Tasks
Source: Scheduled Task event on Windows endpoints
Data Collected: Task name, event type, logged in user, time of event, process that caused the
event

Data Type: Full Disk Scan
Source: Files scanned by the Full Disk Scan
Data Collected: Files with extensions that are supported by the DFI engine

Data Type: Behavioral Indicators
Source: Indicators found by the Agent
Data Collected: Indicator Category, Indicator Description, Indicator Metadata, and Indicator Name

Data Type: DLL Module Load
Source: DLL Modules are loaded to an endpoint
Data Collected: Module Hash, Module path, all endpoint info and process information
Note: This is only visible if enabled by Support because it can impact performance.


How to Use Deep Visibility

Run Threat Hunting queries and use Deep Visibility in the Visibility view of the Management
Console.

Deep Visibility queries use S1QL, a proprietary SentinelOne query language similar to SQL.

• Queries are case-sensitive.
• Queries run in exact mode. Only the event type in the query shows in the results. For
example, if you search for DNS Requests, you see DNS events. If you search for Modified
files, you see File events.

If you are a Global Admin or a Multi-Site Admin, in the Global view, you see query results
combined for all of your Sites.

The Deep Visibility workflow depends on your specific needs. This is an overview of different
actions you can do in the Visibility view.

Running a Deep Visibility query:

1. In Visibility, select Events or Processes.
2. Select or enter a field, operator, and value.
Note: As you enter a query, a prompt opens with valid values for the current part of a
well-formatted query.
3. The query shows a red icon when the query is not complete or valid and a green icon
when it is valid.
4. If you want the query to use multiple phrases, select AND or OR.
Note: You can use AND or OR up to ten times for each query.
5. Select a time frame for the query from the list.
Note: Query results show in chronological order. There is a limit of 20,000 results for
each query. If you see that the count is 20,000, the query reached the limit. Narrow the
scope of the search to get complete results.

• Open up to 15 tabs at one time, with different queries in each. The tabs are named
automatically for easy reference. You can edit the tab names.
• Select a time frame for the query.
• You can run a Sub-query on the data that has already been pulled from the SentinelOne
Cloud. Each main query can have one Sub-query. Use this to refine your query quickly.


Deep Visibility Query Syntax

Syntax Notes

• Values are in double quotes: "..."
• Queries with different logical operators: Group each query in parentheses ( ).
The parentheses are a syntax sign. Do not use them to make a query easier to read.
• Date and time format: dd.mm.yyyy hh:mm
• Case: Values are case-sensitive
• Delimiter: Default delimiter between multiple values is comma (,) with an optional space
• Valid syntax icon: Invalid syntax shows a red X icon in the query field, valid shows a green
icon.

Deep Visibility Query Fields

Each field is listed with its valid values, a description, and an example query.

ActiveContentFileId
• String, alphanumeric
• File ID of content run from within a different process (Active content).
• Example: ActiveContentFileId Contains "678"
• Example matches all file IDs of active content files that contain "678".

ActiveContentHash
• String, alphanumeric
• Hash of content run from within a different process (Active content).
• Example: ActiveContentHash Is Not Empty
• Example matches all active content that has a hash.

ActiveContentPath
• String, alphanumeric
• Filepath where an active content file or command ran.
• Example: ActiveContentPath Contains "/hard"
• Example matches all active content that ran from a filepath that contains "/hard".

ActiveContentSignedStatus
• Signed or Unsigned
• The status of an active content file: signed or unsigned.
• Example: ActiveContentSignedStatus = "unsigned"
• Example matches all active content files with unsigned certificates.

ActiveContentType
• CLI or FILE
• The type of active content run - CLI or a file.
• Example: ActiveContentType = "FILE" AND ActiveContentPath Contains "user"
• Example matches all active content files that ran from a filepath that contains "user".

AgentName
• String
• Hostname of endpoint on which Agent is installed.
• Example: AgentName NOT IN ("GW","gateway")
• Example matches endpoints with hostnames that do not include "GW" or "gateway", such as
"DefaultGW" or "gateway1".

AgentOS
• String
• windows, osx, linux
• Example: AgentOS="osx"
• Example matches endpoints running macOS.

AgentUUID
• String, alphanumeric
• Example: AgentUUID != 11111a2222b3333333cde444455555fff66666gg
• Example matches endpoints with a specific AgentUUID.

AgentVersion
• String
• Version number of SentinelOne Agent.
• Example: AgentVersion CONTAINS "2.6"
• Example matches endpoints with an Agent version number that contains "2.6".

ConnectionStatus
• String
• Network event: SUCCESS, FAILURE, BLOCKED, UNKNOWN
• Example: ConnectionStatus Does Not Contain "SUCCESS"
• Example matches endpoints whose TCP connection status was unsuccessful.

DNSRequest
• String
• DNS name.
• Example: DNSRequest CONTAINS "cdn.onenote"
• Example matches DNS requests to cdn.onenote.

DNSResponse
• String
• IP address, DNS, type, or similar data from a DNS response.
• Example: DNSResponse IS NOT EMPTY AND AgentOS = "linux"
• Example matches non-empty DNS responses to Linux endpoints.

DstIP
• String
• IP address of the destination.
• Example: DstIP = "192.0.2.1"
• Example matches items arriving to this IP.

DstPort
• Numeric
• Port number of destination.
• Example: DstPort = 80
• Example matches items arriving to any host over this port.

EventType
• Event Type from the Deep Visibility Event Types
• Filters query results by the specified Event Type.
• Example: AgentOS = "windows" AND EventType = "File Modification"
• Example matches only file modification events on Windows endpoints.

FileCreatedAt
• DateTime
• Date and time of file creation.
• Example: FileCreatedAt BETWEEN "17.11.2018 00:00" AND "18.11.2018 23:59"
• Example matches files created after midnight, November 17, and before November 18, one
minute to midnight.

FileFullName
• String
• Path and filename.
• Example: FileFullName CONTAINS ".pdf"
• Example matches PDF files.

FileID
• String
• Unique ID of the file.
• Example: FileId = "F32D8A2B-E426-4258-A65C-819415D897EF"

FileMD5
• String
• MD5 signature.
• Example: FileMD5 CONTAINS "1bc29b36f623"
• Example matches files with an MD5 that has this string in it.

FileModifyAt
• DateTime
• Date and time of file change.
• Example: FileModifyAt > "22.10.2018 00:00"
• Example matches files changed before this date and time.

FileSize
• Number and unit of measurement
• Size of the file. Can search for MB or KB. In the event attributes, file size shows in bytes.
• Example: FileSize > "1MB"
• Example matches files larger than 1 megabyte.

FileSHA1
• String
• SHA1 signature.
• Example: FileSHA1 IN ( "415ab40ae9","888" )
• Example matches files with a SHA1 with one of these partial strings.

FileSHA256
• String
• SHA256 signature.
• Example: FileSHA256 IS NOT EMPTY
• Example matches files with a SHA256 signature.

FileType
• String
• File extension.
• Example: FileType = "png"
• Example matches all PNG files.

IndicatorCategory
• String
• Category of content or behavior that signals malicious intent.
• Example: indicatorCategory = "Injection"
• Example matches events in the Injection category.

IndicatorDescription
• String
• Readable text that explains what the indicator means.
• Example: indicatorDescription contains "T1084"
• Example matches detections of MITRE T1084: Application has registered itself to become
persistent via service. MITRE: Persistence {T1084}.

IndicatorMetadata
• String
• Readable text of more data, such as service names or pathnames.
• Example: indicatorMetadata contains "KeyName"
• Example matches events that contain "KeyName".

IndicatorName
• String
• Name of content or behavior that signals malicious intent.
• Example: indicatorName = "SuspiciousLibraryLoad"
• Example matches events that contain SuspiciousLibraryLoad.

LoginsBaseType
• String
• console, remote, shell
• Example: LoginsBaseType = "shell"
• Example matches Remote Shell Login and Logout events.

LoginsUserName
• String
• Example: LoginsUserName = "kevinoui"
• Example matches Login and Logout events for the user 'kevinoui'.

NetworkMethod
• String
• GET, POST, PUT, DELETE
• Example: NetworkMethod = "POST"
• Example matches POST events.

NetworkUrl
• String
• Complete URL.
• Example: NetworkUrl CONTAINS "https://outlook.office365.com"
• Example matches Networking to this URL or its subdomains.

ObjectType
• Object Type from the Deep Visibility Object Types
• Filters query results by the specified Object Type.
• Example: ObjectType = "scheduled_task"
• Example matches all scheduled task Object Types.

OldFileName
• String
• Name of file before rename.
• Example: OldFileName Contains "king"
• Example matches event with Event Type "File Rename" (and shows current name).

OldFileSHA1
• String
• SHA1 of file before it was changed.
• Example: OldFileSHA1 Is Not Empty
• Example matches files that were renamed.

PID
• Numeric
• Process ID (usually copied from main query to new tab).
• Example: PID <= "500" OR PID >= "900"
• Example matches PIDs between 500 and 900.

ParentPID
• Numeric
• ID of process that created a new process.
• Example: ParentPID > "1"
• Example matches PIDs greater than 1 that created a child process.

ParentProcessName
• String
• Name of process that spawned a child process.
• Example: ParentProcessName Is Not Empty
• Example matches process creation events.

ParentProcessStartTime
• DateTime
• Time parent process started to run.
• Example: ParentProcessName Contains "system" AND ParentProcessStartTime > "Jul 22, 2019
00:00:33"
• Example matches processes such as "system_profile" that triggered a process creation event
after half-past midnight on July 22.

ParentProcessUniqueKey
• String
• Unique ID of parent process.
• Example: ParentProcessUniqueKey Contains "6EDC55FB"
• Example matches processes that spawned off this process.

ProcessCmd
• String
• Command arguments sent with a process.
• Example: ProcessCmd ~ "delete %systemdrive%"
• Example matches processes that send a command to delete the system drive.

ProcessDisplayName
• String
• Display name of process.
• Example: ProcessDisplayName Contains "Update"
• Example matches processes with "Update" in the display name, such as the "upfc.exe" process
with the display name: "Updateability From SCM".

ProcessImagePath
• String
• Pathname of running process.
• Example: ProcessImagePath CONTAINS "\Hard"
• Example matches processes running in the hard drive (or other folder that starts with
"Hard").

ProcessImageSha1Hash
• String
• SHA1 signature of running process.
• Example: ProcessImageSha1Hash IS_EMPTY
• Example matches running processes that do not have a SHA1 signature.

ProcessIntegrityLevel
• String
• SYSTEM (operating system processes), HIGH (administrators), MEDIUM (non-administrators),
LOW (temporary Internet files), UNTRUSTED
• Example: ProcessIntegrityLevel = "HIGH"
• Example matches cleaners, system tasks, and other processes triggered by admin-level users
and scripts.

ProcessName
• String
• Name of process.
• Example: ProcessName IS NOT EMPTY AND DstPort = "443"
• Example matches any process going to port 443.

ProcessSessionId
• Numeric
• ID of the terminal (cmd, shell, or other terminal) session on which the process ran.
• Example: ProcessSessionId > "1"

ProcessStartTime
• DateTime
• Time process started to run.
• Example: ProcessStartTime BETWEEN "22.10.2018 00:00" AND "22.10.2018 05:00"
• Example matches processes that started in this range.

ProcessSubSystem
• String
• SYS_WIN32, SYS_WSL, SUBSYSTEM_UNKNOWN
• Example: ProcessSubSystem = "SUBSYSTEM_UNKNOWN"

ProcessUniqueKey
• String
• Unique ID of process.
• Example: ProcessUniqueKey = "482B618E-9AEF-4791-AA4B-04DC6B52D421"
• Example matches instances of this process.

Publisher
• String
• Publisher string.
• Example: Publisher = "<Type=Apple/ID=com.apple.syncdefaultsd>"

RegistryID
• String
• Registry Key Unique ID generated by the SentinelOne Agent for Windows endpoints
• Example: RegistryId Contains "3344"
• Example matches events for registry value created, modified, or deleted, filtered.

RegistryPath
• String
• Full path location of the Registry Key entry
• Example: RegistryPath Is Not Empty
• Example matches events for registry value created, modified, or deleted.

Rpid
• Numeric
• PID after relinked
• Example: Rpid = "1048"
• Example matches events for file creation and file rename, filtered for this ID.

SignatureSignedInvalidReason
• String
• SignedNotVerified, PathNotFound, I/O error., Other, Expired, Code signing encountered an
incorrect certificate chain length, invalid Info.plist (plist or signature have been modified)
• Example: SignatureSignedInvalidReason Is Not Empty
• Example matches files with unverified signatures.

Signer
• String
• Identity of file signer.
• Example: Signer Is Empty
• Example matches unsigned file events.

SiteId
• String
• SentinelOne Site token.
• Example: SiteId ~ "63517"
• Example matches the site with this partial ID string.

SiteName
• String
• SentinelOne Site name.
• Example: SiteName NOT IN ( "corp","acme" )
• Example matches all sites that do not have "corp" or "acme" in their names.

SrcIP
• String
• IP address of traffic source.
• Example: SrcIP CONTAINS "10"
• Example matches a source IP that includes "10".

SrcPort
• Numeric
• Port number of traffic source.
• Example: SrcPort != "9" AND SrcIP CONTAINS "10"
• Example matches port not "9" and includes "10".

TaskName
• String
• Name of a scheduled task, as generated by the Host.
• Example: TaskName Is Not Empty
• Example matches Task events.

TaskPath
• String
• Full path location of a scheduled task.
• Example: TaskPath Contains "Google"
• Example matches processes started from a Google path, such as
C:\Program Files\Google\Update\GoogleUpdate.exe.

Tid
• String
• Thread ID
• Example: Tid = "5340"
• Example matches file events with this thread ID.

Storyline
• String
• ID of all objects associated with a SentinelOne detection.
• Example: Storyline = "D7E32540-15AB-4916-8A55-A80E956FC5CC"
• Example matches all events and processes grouped with this detection.

User
• String
• Name of endpoint user.
• Example: User CONTAINS "users"
• Example matches items with a username that includes "users".


Deep Visibility Query Keywords and Operators

Operator             Valid for Field Types   Matches
AND                  All                     Two true expressions
OR                   All                     One or both of two expressions
=                    Numeric, String         Exact match
!=                   Numeric, String         Items that do not have this string or number
<                    Numeric, DateTime       Less than this number or earlier than this date
<=                   Numeric, DateTime       Equal to or less than this number, or on this date or earlier
>                    Numeric, DateTime       Greater than this number or later than this date
>=                   Numeric, DateTime       Equal to or greater than this number, or on this date or later
~                    String                  Partial string
BETWEEN              Numeric, DateTime       Range of start AND end
CONTAINS             String                  Partial string
DOES NOT CONTAIN     String                  Items that do not have this partial string
IN                   String                  Items that have one or more of these strings
IS EMPTY             String                  Null
IS NOT EMPTY         String                  Items that have a value for this string
NOT IN               String                  Items that do not have any of these strings
RegExp               String                  Regular Expression, POSIX extended syntax
ContainsCIS          String                  Case-insensitive partial string
Does Not ContainCIS  String                  Items that do not have this partial string, case-insensitive
StartsWith           String                  Items that start with this partial string
StartsWithCIS        String                  Items that start with this partial string, case-insensitive
EndsWith             String                  Items that end with this partial string
EndsWithCIS          String                  Items that end with this partial string, case-insensitive
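To make the operator definitions in this table concrete, the following is an added Python reference evaluator written for this page; it is example code, not SentinelOne's S1QL engine. It assumes the date format from the syntax notes (dd.mm.yyyy hh:mm), treats IN and NOT IN as partial-string matches in the way the AgentName and SiteName examples describe, and uses Python's re module in place of the POSIX extended RegExp engine, so expressions that depend on engine-specific syntax may behave differently. The sample events are constructed.

```python
"""Reference evaluator for the Deep Visibility operator table.

Added example, not SentinelOne code: it applies each operator from the
table to in-memory event dictionaries so the definitions can be checked.
"""
import re
from datetime import datetime

DATE_FMT = "%d.%m.%Y %H:%M"  # dd.mm.yyyy hh:mm, the format from the syntax notes


def _parse_dt(text):
    return datetime.strptime(text, DATE_FMT)


def _coerce(actual, value):
    """Bring both sides to one comparable type: datetime, number, or string."""
    for convert in (_parse_dt, float):
        try:
            return convert(str(actual)), convert(str(value))
        except ValueError:
            continue
    return str(actual), str(value)


def evaluate(event, field, operator, value=None):
    """Apply one `field operator value` clause to an event dictionary.

    The operator is matched on its spelling in the table, ignoring case and
    spaces, so "Does Not ContainCIS" and "DOES NOT CONTAIN" both work.
    A field that is absent from the event is treated as empty.
    """
    actual = event.get(field)
    op = operator.replace(" ", "").upper()
    if op == "ISEMPTY":
        return actual in (None, "")
    if op == "ISNOTEMPTY":
        return actual not in (None, "")
    if actual is None:
        return False
    text = str(actual)
    if op in ("=", "!=", "<", "<=", ">", ">="):
        a, b = _coerce(actual, value)
        return {"=": a == b, "!=": a != b, "<": a < b, "<=": a <= b,
                ">": a > b, ">=": a >= b}[op]
    if op == "BETWEEN":  # inclusive range: "Range of start AND end"
        a, low = _coerce(actual, value[0])
        _, high = _coerce(actual, value[1])
        return low <= a <= high
    if op in ("~", "CONTAINS"):  # case-sensitive partial string
        return str(value) in text
    if op == "DOESNOTCONTAIN":
        return str(value) not in text
    if op == "CONTAINSCIS":
        return str(value).lower() in text.lower()
    if op == "DOESNOTCONTAINCIS":
        return str(value).lower() not in text.lower()
    if op == "STARTSWITH":
        return text.startswith(str(value))
    if op == "STARTSWITHCIS":
        return text.lower().startswith(str(value).lower())
    if op == "ENDSWITH":
        return text.endswith(str(value))
    if op == "ENDSWITHCIS":
        return text.lower().endswith(str(value).lower())
    if op == "IN":  # partial-string semantics per the AgentName example (assumption)
        return any(str(v) in text for v in value)
    if op == "NOTIN":
        return not any(str(v) in text for v in value)
    if op == "REGEXP":  # Python re stands in for the POSIX extended engine (assumption)
        return re.search(value, text) is not None
    raise ValueError(f"unsupported operator: {operator}")


def filter_events(events, clauses):
    """AND together a list of (field, operator, value) clauses, as the AND
    keyword does in a query, and return the matching events."""
    return [e for e in events if all(evaluate(e, *clause) for clause in clauses)]


# Constructed sample events (not real telemetry).
EVENTS = [
    {"AgentName": "DefaultGW", "ProcessName": "svchost.exe", "DstPort": 443,
     "ProcessStartTime": "22.10.2018 01:30", "Signer": "Microsoft Windows"},
    {"AgentName": "hr-laptop-07", "ProcessName": "Outlook.exe", "DstPort": 80,
     "ProcessStartTime": "22.10.2018 09:15", "Signer": ""},
    {"AgentName": "build-01", "ProcessName": "python3", "DstPort": 8080,
     "ProcessStartTime": "23.10.2018 00:05"},
]


def early_morning_starts(events):
    """The ProcessStartTime BETWEEN example from the fields table."""
    return filter_events(events, [("ProcessStartTime", "BETWEEN",
                                   ("22.10.2018 00:00", "22.10.2018 05:00"))])


if __name__ == "__main__":
    for event in early_morning_starts(EVENTS):
        print(event["AgentName"], event["ProcessName"], event["ProcessStartTime"])
```

Two points the evaluator makes visible: CONTAINS and = are case-sensitive, so `ProcessName CONTAINS "outlook"` does not match "Outlook.exe" while ContainsCIS does, and a field missing from an event satisfies IS EMPTY but no other operator.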


View Query Results in a Table or Tree View

You can view Deep Visibility query results in the default table view, or in the process tree view.

Click Change to table view or Change to tree view.

Table View

• Event queries show only the results for the event type. For example, if you search for
DNS Requests, you see DNS events. If you search for Modified files, you see File events.
• Use "!=" in queries to see exact results without selected values. For example, DstPort !=
"80" to find port traffic not on port 80.
• Click in a row to expand it and see details inline. You can expand multiple rows.
• Click next to a column header to see the column filter. Click it to select the values to show
or to search in the column.


Tree View

1. Click the Tree view and run a query.

2. Select an endpoint and process.


3. To see details of a process, click a node and then click Process Summary.

4. To see exactly when the chain of events starts and ends, see the timeline. The timeline
shows the selected node as a point.
5. To see different parts of the tree, click and drag. You can also scroll up and down, zoom,
and see the tree in full screen.


Threat Hunting Query

• The query results include detailed information gathered from the SentinelOne Agents.
Attributes in the query results include: Endpoint, User, Site ID, Path, Process ID, Process
Name, SHA1 hash, SHA256 hash, MD5, command line argument, and Storyline.
• Select an attribute to open a floating menu bar.

• Use this to:
• Build a new Main Query in a new tab.
• Build a new Main Query in the current tab.
• Add the attribute to the Main Query in the current tab.
• Add the attribute to a Sub Query that will run on the data that has already been pulled
from the SentinelOne Cloud in the Main Query.
• Use the Storyline, a group of related events, based on the intelligent event query engine,
to see only the information related to the specific event group.


• Copy attributes to your clipboard.

• Sort columns and look for outliers.

• Jump directly to a related threat from Deep Visibility.
• A new Related to Threat column shows in the Deep Visibility results table. Scroll right to
see it.

• If a Deep Visibility event is related to a detected threat, click True to go directly to the
Forensics details of the threat in the Management Console. If there is no related threat,
False shows.


Decoding Command Line Arguments with Base 64

Base64 is a group of binary-to-text encoding schemes that represent binary data in an ASCII
string format by translating it into a radix-64 representation.

When you run a Deep Visibility/Threat Hunting query and identify command line arguments encoded
in Base 64, the console lets you decode the data.

1. In the attributes of an event, click Show More, usually next to a Command Line
argument.

2. In the window that opens, select encoded text with a cursor and click Decode Text -
Base 64.


3. The decoded text shows in the window and the data can be copied to the clipboard.
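As an added Python example (not SentinelOne code), the block below does offline what the Decode Text - Base 64 action does to a selected argument, with one addition a practitioner usually needs: it recognizes PowerShell -EncodedCommand arguments, which are UTF-16LE text before they are Base64-encoded, so a plain UTF-8 decode would show them with a null byte after every character. The sample command lines are constructed inside the block, and the 20-character minimum token length is an assumption chosen to skip ordinary words.

```python
"""Decode Base64-encoded command-line arguments offline.

Added example, not SentinelOne code: finds Base64 tokens in a command line
and decodes them to readable text, handling both UTF-16LE (PowerShell
-EncodedCommand) and UTF-8 payloads.
"""
import base64
import binascii
import re

# A Base64 token: at least 20 Base64 alphabet characters plus optional '=' padding.
# The 20-character minimum is an assumption that keeps ordinary words out.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def _looks_like_text(text):
    """True if every character is printable or ordinary whitespace."""
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def decode_base64_text(token):
    """Decode one Base64 token to text, or return None.

    PowerShell's -EncodedCommand is UTF-16LE before Base64, so when every odd
    byte is zero (ASCII text in UTF-16LE) the bytes are read as UTF-16LE;
    otherwise they are read as UTF-8. Tokens that are not valid Base64 or
    do not decode to readable text yield None.
    """
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
    return text if _looks_like_text(text) else None


def decode_command_line(cmd):
    """Return [(token, decoded_text), ...] for every decodable Base64 token in cmd."""
    found = []
    for match in B64_TOKEN.finditer(cmd):
        token = match.group(0)
        text = decode_base64_text(token)
        if text is not None:
            found.append((token, text))
    return found


# Constructed sample command lines (not real telemetry). The encoded arguments
# are built here so the example is self-contained.
PS_SCRIPT = "Write-Output 'constructed sample'"
PS_TOKEN = base64.b64encode(PS_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_PS_CMD = "powershell.exe -NoProfile -EncodedCommand " + PS_TOKEN

SH_TEXT = "echo constructed sample"
SH_TOKEN = base64.b64encode(SH_TEXT.encode("utf-8")).decode("ascii")
SAMPLE_SH_CMD = "logger -t demo " + SH_TOKEN

if __name__ == "__main__":
    for cmd in (SAMPLE_PS_CMD, SAMPLE_SH_CMD):
        for token, text in decode_command_line(cmd):
            print(f"{token[:16]}... -> {text!r}")
```

The UTF-16LE check is deliberately strict (every odd byte must be zero), so non-ASCII PowerShell scripts fall through to the UTF-8 branch and are reported as undecodable rather than mis-decoded; the printable-text filter stops long hex strings such as hashes, which happen to be valid Base64, from showing up as garbage.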


Taking Action from the Visibility Page

• Select an event and click Actions. The options depend on the event type. They include:
o Fetch Logs - When you click this, the Agent collects relevant logs.
To get the logs, click Activity > Administrative > Log operations. When the logs are
on the Management Console, the download button will be available.
o Disconnect From Network - The Agent can communicate only with the Management
Console. The endpoint cannot communicate with other components on the network.
o Mark As Threat - Creates an active threat alert on the Dashboard for all processes
with the same Storyline, adds the processes to the blacklist, and the Agent mitigates
according to the Policy.
o Mark As Suspicious - Creates a suspicious alert on the Dashboard for all processes
with the same Storyline, and the Agent mitigates according to the Policy. This option
is available from Iguazu and later.
o Add To Blacklist - Adds the SHA1 hash of the event to a blacklist. After you click Add
To Blacklist, select whether to add the hash to the Global, Account, or Site blacklist.

• Click an endpoint name to open its details and run more Actions.


Deep Visibility Use Cases

Each use case uses Deep Visibility to find the context around a piece of information or event.
There are many potential ways to follow through with a hunt, but each example shows one way.

Hunting for Living Off the Land Attacks

Use Case: Attackers often use legitimate endpoint processes to evade detection while they
carry out malicious tasks. Let's see if your environment shows an indication of this compromise.

Example - searching for processes that create new users:

1. In the sidebar, click Visibility.
2. Select Processes.
3. In the query pane, select ProcessCmd.
4. In the list of valid operators that shows, scroll down and click RegExp.
5. In the given quotes, enter: net\s+user(?:(?!\s+/add)(?:.|\n))*\s+/add
Note: This regular expression finds command lines that add a user with net user, whatever
arguments appear between user and the /add switch.
6. In the date range drop-down, click a date range or a Custom Range.
7. If you create a custom range, click Apply.
8. Run the Query.


Hunting for Abnormal Scheduled Task Creation

Use Case: Attackers often create a scheduled task. If a malicious process can use this service, it
can be leveraged for persistence, to run a lateral movement attack during work hours with
privileges, or for other techniques.

Example - searching for abnormally-created scheduled tasks:


1. In the sidebar, click Visibility.
2. Create the query to search for abnormal schtasks processes:
a. In the Events or Processes drop-down, click Processes.
b. Click ProcessCmd.
c. Click RegExp.
d. In the given quotes, enter: schtasks
e. Press space and then click AND.
f. Click ProcessName.
g. Click !=
h. In the given quotes, add this string: Manages scheduled tasks
OR: Click IndicatorName, then =, and in the quotes enter this string: ScheduleTaskRegister
3. Select a time frame for the query.
4. Run the query.
5. To see all the processes, files, and events around that technique, click the blue circle of
the Storyline and run a new query.


Hunting IOCs based on a Known Starting Point

Use case: I read about a malicious URL or hash and want to see if it is present in my environment.

Example: Searching for "pastebin":

1. In the sidebar, click Visibility.
2. Run a query:
3. NetworkUrl CONTAINS "pastebin"
4. Select a time frame for the query.
5. Press Enter from the query field or click the search icon.
Note: The query results open in chronological order.


6. Click next to the column header to open the column filter.

7. See which endpoints are involved. Select an endpoint to investigate further.


8. Go to Processes and expand the entry to see its details.

9. Click the parent process ID to open a floating menu.


10. Select New Main Query to start a new query for this command. Or select Add to Main
Query.

11. Click Search to run the updated query.


12. See the Storyline in the results and add it to the query.
13. Continue to look for the context around the data.


Hunting Abnormal Behavior on an Endpoint

Use case: You get a report of an IOC on an endpoint at a certain time. You want to understand
the flow of events.

Example: Searching for all events on an endpoint around a certain time:


1. In the sidebar, click Visibility.
2. Run a query for all events on an endpoint:
AgentName = "WIN-RN0R67KDEB1"

3. Select a date range or create a Custom Range for the query.


4. Press enter from the query field or click Search.
The query results open in chronological order.

5. Look for abnormalities, such as processes running out of non-standard folders and files
written to nonstandard locations, and use them as pivot points.
6. When you find an abnormal event that seems relevant, use the Storyline to find all related
events.


Hunting Abnormal Behavior by Known Characteristic

Use Case: You get a notification on a new campaign from a security blog. It is a collection of newly
discovered malware that comes from a Microsoft Office document (doc, xls, ppt). The
manipulated document opens a PowerShell that collects local data and sends it to one of many
servers.

Example: Searching for Office documents that open a shell and send data to a server:


1. On the sidebar, click Visibility.
2. In the query, select IndicatorDescription and then Contains. In the quotes, enter: "T1173"

Note: Searching for this MITRE ATT&CK technique ID is equivalent to building the more complex query:

ParentProcessName Contains ( "Microsoft Word" , "Microsoft Excel" , "Microsoft Outlook" , "Microsoft Powerpoint" ) AND ProcessName In ("powershell.exe","cmd.exe","python.exe")

3. Select AND.
4. Select NetworkDirection and =. In the quotes, enter "POST".
5. Click Save New Query.
6. If you get a notification of matching behavior, you will get the IP address of the server. If
it is a safe server, and the user of the endpoint is simply running a Word doc with
macros, you can update the query with: AND NetworkURL != "safe IP".

If it is not a safe server, in Visibility, click a result row of the endpoint and then click
Actions > Disconnect from Network.

7. Open the details of the row. Click the blue circle next to the document hash and run it as a
new query.
8. See which endpoints in your organization show this behavior. Remediate the detection
for all these endpoints.
9. Add the document hash to the blacklist.
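The three hunts above (the net user /add regular expression, the abnormal schtasks query, and the expanded form of the "T1173" query), implemented in Python over a handful of constructed process events, followed by the Storyline pivot that the procedures end with. This is an added example, not SentinelOne's code; the event records, process names and Storyline IDs are made up.

```python
import re
from typing import Dict, List

# Constructed sample events, shaped like Deep Visibility process records with
# the attributes the manual's queries use (ProcessCmd, ProcessName,
# ParentProcessName, Storyline). All values are made up for this example.
Event = Dict[str, str]
SAMPLE_EVENTS: List[Event] = [
    {"Storyline": "S1", "ParentProcessName": "Microsoft Word",
     "ProcessName": "powershell.exe",
     "ProcessCmd": "powershell.exe -NoProfile -File macro_helper.ps1"},
    {"Storyline": "S1", "ParentProcessName": "powershell.exe",
     "ProcessName": "net.exe",
     "ProcessCmd": "net user backupsvc Passw0rd1 /add"},
    {"Storyline": "S2", "ParentProcessName": "explorer.exe",
     "ProcessName": "net.exe",
     "ProcessCmd": "net user"},                     # listing only, no /add
    {"Storyline": "S3", "ParentProcessName": "cmd.exe",
     "ProcessName": "schtasks.exe",
     "ProcessCmd": "schtasks /create /tn Updater /tr C:\\Users\\Public\\u.exe"},
    {"Storyline": "S4", "ParentProcessName": "Microsoft Excel",
     "ProcessName": "splwow64.exe",                  # legitimate Office child
     "ProcessCmd": "splwow64.exe 8192"},
]

# Hunt 1, "Living Off the Land": the manual's RegExp applied to ProcessCmd.
NET_USER_ADD = re.compile(r"net\s+user(?:(?!\s+/add)(?:.|\n))*\s+/add")

# Hunt 2, "Abnormal Scheduled Task Creation": ProcessCmd RegExp "schtasks"
# AND ProcessName != "Manages scheduled tasks", as the manual builds it.
SCHTASKS = re.compile(r"schtasks")
EXPECTED_SCHTASKS_NAME = "Manages scheduled tasks"

# Hunt 3, the expanded form of IndicatorDescription Contains "T1173":
# an Office parent (Contains) spawning a shell or interpreter (In).
OFFICE_PARENTS = ("Microsoft Word", "Microsoft Excel",
                  "Microsoft Outlook", "Microsoft Powerpoint")
SHELL_CHILDREN = {"powershell.exe", "cmd.exe", "python.exe"}


def hunt(events: List[Event]) -> Dict[str, List[Event]]:
    """Run the three hunts over a list of events; matching is case-sensitive,
    like the Visibility search. Returns the hits keyed by hunt name."""
    hits: Dict[str, List[Event]] = {
        "net_user_add": [], "abnormal_schtasks": [], "office_spawned_shell": []}
    for ev in events:
        cmd = ev.get("ProcessCmd", "")
        name = ev.get("ProcessName", "")
        parent = ev.get("ParentProcessName", "")
        if NET_USER_ADD.search(cmd):
            hits["net_user_add"].append(ev)
        if SCHTASKS.search(cmd) and name != EXPECTED_SCHTASKS_NAME:
            hits["abnormal_schtasks"].append(ev)
        if any(p in parent for p in OFFICE_PARENTS) and name in SHELL_CHILDREN:
            hits["office_spawned_shell"].append(ev)
    return hits


def storyline_pivot(events: List[Event], storyline: str) -> List[Event]:
    """The manual's 'click the Storyline and run a new query' step: every
    event that shares the Storyline of a hit, in the original order."""
    return [ev for ev in events if ev.get("Storyline") == storyline]


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for hunt_name, matched in results.items():
        print(hunt_name, [ev["Storyline"] for ev in matched])
    # Pivot from the first Office-spawned shell to its whole Storyline.
    first = results["office_spawned_shell"][0]
    for ev in storyline_pivot(SAMPLE_EVENTS, first["Storyline"]):
        print(ev["ProcessName"], "->", ev["ProcessCmd"])
```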


Searching for Behavioral Indicators

The ability to search for MITRE ATT&CK techniques is a growing trend among EDR vendors. Threat
Hunting teams across security domains need to correlate what they see in their environments with
MITRE knowledge. SentinelOne leverages our Dynamic Behavioral engine to show the behavior of
processes on the endpoints. To make it easier and faster for you to use this knowledge, we map
our behavioral indicators to the MITRE ATT&CK framework. You can create queries out of the box
and search for MITRE attack characteristics across your scope of endpoints. With other EDR
vendors, you would have to create a multitude of complex hunting queries to cover all the
findings of MITRE. With SentinelOne, all you need is the MITRE ID or another string in the
indicator description, category, name, or metadata.

For example, in SentinelOne Deep Visibility, use this query to find any process or event with
behavioral characteristics of the attack technique known as Process Injection:

IndicatorDescription Contains "T1055"

With a different vendor, you would need to create a complex regular expression query and run it
many times, adjusting it for each known variation of the technique. If you look at MITRE's page
for T1055, you notice that you would need a different query for macOS, Linux, and Windows. Then
there are more than 50 examples of malware and compromised utilities; you would need a query for each.

To see results with behavioral indicators mapped to MITRE techniques:

• Click the Indicators tab in the Visibility page to see the indicator data.
• Click a row to see more details. The Indicator Description includes a link to that
technique's Mitre page.


To enable the Agent to send behavioral indicator data:

Click Policy > Deep Visibility Configuration > Behavioral Indicators.


Responding to Incidents with Deep Visibility

Use case: You mitigated a threat in your environment. Now you want to see if that IOC is
anywhere else in the network.

Example: Investigate and Respond to a Threat with Deep Visibility:


1. In the Management Console, click a threat.
2. Copy a detail from the threat. For example, a SHA1 hash.
3. On the sidebar, click Visibility.
4. In the query field, enter a query to search for the copied detail. For example, search for a
hash:
FileSHA1 = "b12ac564d0f19fae735fec94b1bfef8c7d5f0729"

5. See in the results which endpoints were involved. In this case, only one.


6. Expand an event and click next to the Storyline to open the floating menu.
7. In the sub-menu, select Add to Main Query.

8. Click Search to run the query.


9. Continue to look for abnormalities, such as processes running out of non-standard folders
and files written to nonstandard locations, and use them as pivot points.


Saving Threat Hunting Queries and Watchlists

After you create Threat Hunting queries, you can save the queries to use again. You can run saved
queries manually or set queries to run on a scheduled basis and send notifications to an Admin.

To create Threat Hunting watchlists, create queries that run periodically and send notifications
when they find results that match. The admin that receives the notifications must have
permissions to see the search in the Management Console.

To save a query:
1. On the sidebar, click Visibility.
2. Run a query.
3. Click Save New Query.

4. In the window that opens, in Set name, enter a name for the query.
5. Click Save.


To configure a query to run periodically and send notifications:


1. On the sidebar, click Visibility.
2. Run a query.
3. Click Save New Query.
4. In the window that opens, in Set name, enter a name for the query.
5. Enable Notifications.

6. In Timing rate, select the frequency at which the query will run.
7. In Notification recipients, enter the email addresses of admins to get notifications.
Notifications are only sent if there are results that match the query. Admins must have
Management Console permissions to see the results.
8. Click Save.


Working with Saved Deep Visibility Queries

After a Deep Visibility query is saved, you can run it, change its name and notification settings,
and delete it.

To run a saved query manually:


1. On the sidebar, click Visibility.
2. Click Load Query.

3. Optional: Use the Search field to search by the name of the saved query.
4. Select a query.
It runs and the results open in the Visibility view.


To change or delete a saved query:


1. On the sidebar, click Visibility.
2. Click Load Query.
3. Select a query.
It runs and the results open in the Visibility view.
4. Click Loaded Query Options.

• To edit the query: Select Details and Edit.
• To delete the query from the saved list: Select Delete Query.


Managing the Browser Extension

Deep Visibility collects URL data from an extension that is installed on Safari and Chrome, and
from Internet Explorer and Edge without an extension.

The way to install and uninstall the browser extension depends on the endpoint OS and Agent
version.

In macOS Agents:
• The Deep Visibility browser extensions for Safari and Chrome are controlled by the policy
of the Agents.
• The behavior is slightly different in Safari and in Chrome.
o The Safari extension is enabled or disabled on endpoints.
o The Chrome extension is installed or uninstalled on endpoints.

The Agent enables or installs the extension if the policy is changed to enable Deep Visibility >
URL. The Agent disables or uninstalls the extension if the URL option is disabled.

In Windows Agents:
• The Chrome browser extension is installed or uninstalled on Agents based on the policy
of the Agents.
o The Agent installs the extension if the policy is changed to enable Deep Visibility
> URL. The Agent uninstalls the extension if the URL option is disabled.
o Internet Explorer and Edge do not have a browser extension, but they also work
with Deep Visibility based on the settings configured in the policy.


Supported File Types for Deep Visibility

Important: Deep Visibility abilities, especially supported file types, evolve with SentinelOne
development. Make sure to read the latest release notes for new support and for limitations.

Windows Supported File Types:

macOS Supported File Type: Mach-O

Linux Supported File Type: ELF


List of Indicator Names and Categories

Use items from the Indicator Category listed here to perform IndicatorCategory queries on the
Visibility page.

Use items from the Indicator Name listed here to perform IndicatorName queries on the
Visibility page.

Use items from the Indicator Description listed here to perform IndicatorDescription queries on
the Visibility page.

Important: The Visibility search is case-sensitive.

Engine | Indicator Category | Indicator Name | Indicator Description
Windows Dynamic | Boot Configuration Update | KMCIdisabled | Ability to load unverified drivers was enabled. MITRE: Persistence {T1215, T1050}
Windows Dynamic | Exploitation | StackPivot | Altered process code flow to enable running of malicious code (StackPivot behavior). MITRE: Execution {T1203}
Windows Dynamic | Persistence | SuspiciousPersistence | Application has registered itself to become persistent
Windows Dynamic | Persistence | WMI | Application has registered itself to become persistent via WMI. MITRE: Persistence {T1084}
Windows Dynamic | Persistence | SuspiciousPersistence | Application has registered itself to become persistent
Windows Dynamic | Privilege Escalation | UACBypass | Attempt to bypass UAC (User Account Control). MITRE: Privilege Escalation {T1088}, Defense Evasion {T1088}
Windows Dynamic | Privilege Escalation | UACBypass | Attempt to bypass UAC (User Account Control). MITRE: Privilege Escalation {T1088}, Defense Evasion {T1088}
Windows Dynamic | Privilege Escalation | NamedPipeImpersonation | Attempt to escalate System privileges via Meterpreter. MITRE: Privilege Escalation
Windows Dynamic | Privilege Escalation | NamedPipeImpersonation | Attempt to escalate System privileges via Meterpreter. MITRE: Privilege Escalation
Windows Dynamic | Persistence | StickyKeys | Backdoor was created on the machine. MITRE: Persistence {T1015}
Windows Dynamic | Ransomware | RansomwareBehavior | Behaves like ransomware. MITRE: Execution
Windows Dynamic | Ransomware | RansomwareBehavior | Behaves like ransomware. MITRE: Execution
Windows Dynamic | Ransomware | RansomwareBehavior | Behaves like ransomware. MITRE: Execution
Windows Dynamic | Infostealer | Mimikatz | Behaves like Mimikatz. MITRE: Credential Access {T1098, T1145, T1081}
Windows Dynamic | Exploitation | SandboxEscape | Breakout from Internet Explorer sandbox. MITRE: Execution
Windows Dynamic | Exploitation | SuspiciousVBScript | Breakout from Internet Explorer sandbox. MITRE: Execution
Windows Dynamic | Injection | SuspiciousInjection | Code injection to other process memory space via Reflection. MITRE: Defense Evasion {T1055}
Windows Dynamic | Exploitation | SuspiciousDocument | Document behaves abnormally. MITRE: Execution {T1064}
Windows Dynamic | Exploitation | Metasploit | Execution of a metasploit stager. MITRE: Execution {T1064}
Windows Dynamic | Injection | SuspiciousInjection | Code injection to a remote process. MITRE: Defense Evasion {T1055}
Windows Dynamic | Malware | SuspiciousScript | Executed suspicious shell command. MITRE: Execution {T1064}
Windows Dynamic | Malware | SuspiciousJava | Exploit attempt on Java. MITRE: Execution {T1203}
Windows Dynamic | Evasion | RegHiddenValue | Hiding registry key. MITRE: Defense Evasion {T1112}
Windows Dynamic | Evasion | ProcessModification | Internal process resource was manipulated in memory. MITRE: Defense Evasion
Windows Dynamic | Privilege Escalation | ExploitPrivesc | Local privilege escalation exploit. MITRE: Privilege Escalation {T1068}
Windows Dynamic | Injection | SuspiciousInjection | Code injection to a remote process. MITRE: Defense Evasion {T1055}
Windows Dynamic | Infostealer | MITB | Man in the browser attack. MITRE: Collection {T1185}
Windows Dynamic | Infostealer | MITMProxy | Man in the middle attack. MITRE: Credential Access {T1040}
Windows Dynamic | Post Exploitation | Meterpreter | Metasploit's Meterpreter behavior was identified. MITRE: Execution {T1064}
Windows Dynamic | Post Exploitation | Koadic | PowerShell post-exploitation script was executed. MITRE: Execution {T1064, T1086}
Windows Dynamic | Post Exploitation | MaliciousPowershell | PowerShell post-exploitation script was executed. MITRE: Execution {T1064, T1086}
Windows Dynamic | Post Exploitation | MaliciousPowershell | PowerShell post-exploitation script was executed. MITRE: Execution {T1064, T1086}
Windows Dynamic | Post Exploitation | MaliciousPowershell | PowerShell post-exploitation script was executed. MITRE: Execution {T1064, T1086}
Windows Dynamic | Post Exploitation | MaliciousPowershell | PowerShell post-exploitation script was executed. MITRE: Execution {T1064, T1086}
Windows Dynamic | Evasion | AvoidMitagtionAttempt | Process characteristics were changed suspiciously. MITRE: Persistence, Defense Evasion
Windows Dynamic | Evasion | AvoidMitagtionAttempt | Process characteristics were changed suspiciously. MITRE: Persistence, Defense Evasion
Windows Dynamic | Evasion | AvoidMitagtionAttempt | Process tried to bypass Anti-Virus hooks. MITRE: Defense Evasion
Windows Dynamic | Infostealer | SensitiveMemoryAccess | Read sensitive information from LSASS. MITRE: Credential Access {T1003}
Windows Dynamic | Evasion | HidingTracks | Hiding tracks of execution. MITRE: Defense Evasion {T1158}, Persistence {T1158}
Windows Dynamic | Infostealer | AccessSyskey | Sensitive user information was queried. MITRE: Credential Access {T1003}
Windows Dynamic | Exploitation | SandboxEscape | Shellcode execution was detected. MITRE: Execution
Windows Dynamic | Exploitation | SuspiciousShellcode | Shellcode execution was detected. MITRE: Execution
Windows Dynamic | Evasion | Doppelganger | Attempt to evade monitoring using the "Doppelganger" technique. MITRE: Defense Evasion {T1186}
Windows Dynamic | Evasion | ProcessHollowing | Attempt to evade monitoring using the "Process hollowing" technique. MITRE: Defense Evasion {T1093}
Windows Dynamic | Injection | SuspiciousInjection | Unusual code injection to a remote process. MITRE: Defense Evasion {T1055}, Privilege Escalation {T1055}
Windows Dynamic | Injection | SuspiciousInjection | Unusual code injection to a remote process. MITRE: Defense Evasion {T1055}, Privilege Escalation {T1055}
Windows Dynamic | Post Exploitation | SuspiciousDriverLoad | Unverified driver was loaded. MITRE: Persistence {T1215}
Windows Dynamic | Boot Configuration Update | WriteToMBR | Write action to protected section of the operating system. MITRE: Persistence {T1067}
Windows Dynamic | Exploitation | SensitiveMemoryAccess | Write action to LSASS process. MITRE: Credential Access {T1098}
Windows Dynamic | Evasion | HookRemovalAttempt | A function was unhooked. MITRE: Defense Evasion
Windows Dynamic | Exploitation | NullPageAllocation | Altered process code flow to enable running of malicious code. MITRE: Execution
Windows Dynamic | Exploitation | StackProtectionModification | Altered process code flow to enable running of malicious code. MITRE: Execution
Windows Dynamic | Evasion | AntiDebugging | Anti-debug technique was used. MITRE: Defense Evasion
Windows Dynamic | Evasion | AntiVm | Anti-VM technique was used. MITRE: Defense Evasion
Windows Dynamic | Persistence | WMI | Application has registered itself to become persistent via WMI. MITRE: Persistence {T1084}
Windows Dynamic | Persistence | DllHijack | Application has registered itself to become persistent. MITRE: Persistence
Windows Dynamic | Privilege Escalation | UACBypass | Attempt to bypass UAC (User Account Control). MITRE: Privilege Escalation {T1088}, Defense Evasion {T1088}
Windows Dynamic | Privilege Escalation | UACBypass | Attempt to bypass UAC (User Account Control). MITRE: Privilege Escalation {T1088}, Defense Evasion {T1088}
Windows Dynamic | Privilege Escalation | TokenManipulation | Authentication data manipulation. MITRE: Persistence {T1131}
Windows Dynamic | Infostealer | SuspiciousKeylogging | Behaves like a keylogger. MITRE: Credential Access {T1056}, Collection {T1056}
Windows Dynamic | Infostealer | SuspiciousKeylogging | Behaves like a keylogger. MITRE: Credential Access {T1056}, Collection {T1056}
Windows Dynamic | Infostealer | | Behaves like a memory scraper. MITRE: Collection {T1005, T1119}
Windows Dynamic | Ransomware | RansomwareBehavior | Behaves like ransomware because of file operations. MITRE: Execution
Windows Dynamic | Ransomware | RansomwareBehavior | Behaves like ransomware because of file operations. MITRE: Execution
Windows Dynamic | Ransomware | RansomwareBehavior | Behaves like ransomware because of file operations. MITRE: Execution
Windows Dynamic | Ransomware | RansomwareBehavior | Behaves like ransomware. MITRE: Execution
Windows Dynamic | Injection | AtomBombing | Code injection to other process memory space using the "Atom bombing" technique. MITRE: Defense Evasion {T1055}, Privilege Escalation {T1055}
Windows Dynamic | Injection | SuspiciousInjection | Code migration into system process was detected. MITRE: Defense Evasion {T1055}, Privilege Escalation {T1055}
Windows Dynamic | Injection | SuspiciousInjection | Code was executed in a remote process. MITRE: Defense Evasion {T1055}, Privilege Escalation {T1055}
Windows Dynamic | Exploitation | SuspiciousDocument | Document behaves abnormally. MITRE: Execution {T1064}
Windows Dynamic | Injection | SuspiciousInjection | Code injection to a remote process. MITRE: Defense Evasion {T1055}
Windows Dynamic | Reconnaissance | SuspiciousLdapQuery | Domain information was gathered via LDAP query. MITRE: Discovery {T1087, T1069}
Windows Dynamic | Exploitation | KernelExploitAttempt | Information gathered for kernel exploitation. MITRE: Discovery {T1082}
Windows Dynamic | Evasion | HeavensGate | Manipulated code execution flow using the "Heaven's Gate" technique. MITRE: Execution
Windows Dynamic | Exploitation | ReverseShell | Remote shell was opened. MITRE: Command and Control {T1071}
Windows Dynamic | Exploitation | ReverseShell | Remote shell was opened. MITRE: Command and Control {T1071}
Windows Dynamic | Exploitation | SuspiciousShellcode | Shellcode execution was detected. MITRE: Execution {T1106, T1064}
Windows Dynamic | Exploitation | SuspiciousShellcode | Shellcode execution was detected. MITRE: Execution {T1106, T1064}
Windows Dynamic | Exploitation | SuspiciousShellcode | Shellcode execution from powershell was detected. MITRE: Execution {T1086, T1106, T1064}
Windows Dynamic | Exploitation | SandboxEscape | Shellcode execution was detected. MITRE: Execution {T1106, T1064}
Windows Dynamic | Exploitation | SuspiciousShellcode | Shellcode execution was detected. MITRE: Execution {T1106, T1064}
Windows Dynamic | Injection | SuspiciousLibraryLoad | Suspicious library loaded into the process memory
Windows Dynamic | Evasion | SuspiciousSMBTraffic | Suspicious SMB activity was detected. MITRE: Discovery {T1135}, Lateral Movement {T1077}
Windows Dynamic | Evasion | SuspiciousDNSTraffic | Suspicious DNS activity was detected. MITRE: Command and Control {T1071}
Windows Dynamic | Evasion | AttemptToUseSyscallDirectly | Attempt to evade monitoring. MITRE: Defense Evasion
Windows Dynamic | Infostealer | BrowserInfoStealing | Chrome's sensitive information was accessed. MITRE: Collection {T1213}
Windows Dynamic | Infostealer | BrowserInfoStealing | Firefox's sensitive information was accessed. MITRE: Collection {T1213}
Windows Dynamic | Infostealer | DumpSAM | SAM database was exported. MITRE: Credential Dumping {T1003}
Windows Dynamic | Evasion | ProcessModification | Manipulated remote process structure. MITRE: Privilege Escalation {T1179}
Windows Dynamic | Evasion | ProcessModification | Manipulated remote process structure. MITRE: Privilege Escalation {T1179}
Windows Dynamic | Boot Configuration Update | IntegrityCheckDisabled | Disable kernel code integrity checks. MITRE: Defense Evasion
Windows Dynamic | Evasion | DeleteWindowsBackupCat | Process tampered with the Windows Backup Catalog. MITRE: Defense Evasion
Windows Dynamic | Exploitation | ROP | Altered process code flow to enable running malicious code. MITRE: Execution
Windows Dynamic | Evasion | HideRemoteProcessWindow | Process tampered with Windows user interface
Windows Dynamic | Evasion | EventViewerTampering | Process tampered with the event viewer logs. MITRE: Defense Evasion {T1089}
Windows Dynamic | Evasion | EventViewerTampering | Process deleted the Event Viewer logs. MITRE: Defense Evasion {T1089}
Windows Dynamic | Persistence | Autorun | A file that enables automatic launching from external drive was created. MITRE: Initial Access {T1091}
Windows Dynamic | Evasion | FakeFileName | A file was created with an internal system name. MITRE: Persistence
Windows Dynamic | Evasion | HookRemovalAttempt | A function was unhooked. MITRE: Defense Evasion
Windows Dynamic | Evasion | Packer | A Library was unpacked into its own memory space. MITRE: Defense Evasion
Windows Dynamic | Injection | LoadUnreleatedLibrary | A library owned by one process was loaded to other process. MITRE: Defense Evasion {T1038}, Privilege Escalation {T1038}
Windows Dynamic | Evasion | AddCertificate | A new root certificate was added. MITRE: Defense Evasion {T1130}
Windows Dynamic | Persistence | UserAdd | A new user account was added. MITRE: Persistence {T1136}
Windows Dynamic | Persistence | DebuggerPersistence | Application registered itself to become persistent. MITRE: Persistence
Windows Dynamic | Persistence | SafeModeConfigurationModification | Application registered itself to become persistent in safe mode. MITRE: Persistence
Windows Dynamic | Evasion | SafeModeConfigurationModification | Application manipulated safe mode configuration. MITRE: Persistence
Windows Dynamic | Evasion | AddFirewallException | Application added firewall rule to allow network traffic. MITRE: Exfiltration {T1041}
Windows Dynamic | Injection | SuspiciousProtectionModification | Changed protection type of library in a remote process space. MITRE: Privilege Escalation
Windows Dynamic | Evasion | PreloadInjection | Code injection to other process memory space. MITRE: Defense Evasion {T1038}, Privilege Escalation {T1038}
Windows Dynamic | Injection | RemoteInjection | Code injection to a remote process. MITRE: Defense Evasion {T1055}
Windows Dynamic | Evasion | DisableSecurityCenterEvents | Disabled security center notifications. MITRE: Defense Evasion {T1089}
Windows Dynamic | Evasion | HiddenFilesDisplayModification | Disabled showing hidden files and folders. MITRE: Defense Evasion
Windows Dynamic | Infostealer | EnableMemoryPlaintextPasswords | The store of plaintext passwords in memory was disabled/enabled. MITRE: Credential Access
Windows Dynamic | Injection | RemoteInjection | Code injection to a remote process. MITRE: Defense Evasion {T1055}
Windows Dynamic | Privilege Escalation | PrivilegedInstruction | Execution of privileged instruction was identified. MITRE: Privilege Escalation
Windows Dynamic | Evasion | ModifyHostsFile | Hosts file was modified. MITRE: Defense Evasion
Windows Dynamic | Evasion | InternetExplorerConfigurationModification | Internet Explorer offline mode was disabled. MITRE: Defense Evasion {T1089}
Windows Dynamic | Evasion | InternetExplorerConfigurationModification | Internet zone checks were disabled. MITRE: Defense Evasion {T1089}
Windows Dynamic | Injection | RemoteLibraryInjection | Library was injected to a remote process. MITRE: Defense Evasion {T1055}, Privilege Escalation {T1055}
Windows Dynamic | Evasion | PreventProcessExection | Prevented execution of a process. MITRE: Defense Evasion
Windows Dynamic | Evasion | DisableTaskManager | Prevented the Task Manager from starting. MITRE: Defense Evasion
Windows Dynamic | Evasion | DisableRegistryTools | Prevented Windows registry tools from starting. MITRE: Defense Evasion
Windows Dynamic | Evasion | DisablePasswordChange | Prevented the operating system from changing account password automatically. MITRE: Defense Evasion {T1089}
Windows Dynamic | Evasion | DisableFirewallStatusView | Process disabled the firewall status in the registry. MITRE: Defense Evasion {T1089}
Windows Dynamic | Evasion | WriteToADS | Process wrote to hidden file section. MITRE: Defense Evasion {T1096}
Windows Dynamic | Evasion | ASRViolation | Suspicious library was loaded into process memory. MITRE: Defense Evasion {T1038}, Privilege Escalation {T1038}
Windows Dynamic | Evasion | SuspiciousRegistryValue | Suspicious registry key was created. MITRE: Defense Evasion {T1112}
Windows Dynamic | Reconnaissance | SuspiciousWMIQuery | Suspicious WMI query was identified. MITRE: Execution {T1047}
Windows Dynamic | Evasion | AntiVirusOverride | Anti-Virus monitoring by Windows security center was overridden. MITRE: Defense Evasion {T1089}
Windows Dynamic | Evasion | SuspiciousChildRelation | User process created a process solely used by the system. MITRE: Execution
Windows Dynamic | Evasion | DisableWindowsDefender | Windows Defender was disabled. MITRE: Defense Evasion {T1089}
Windows Dynamic | Injection | LibraryRemoteWrite | Write action to a loaded library space in a remote process. MITRE: Defense Evasion {T1055}, Privilege Escalation {T1055}
macOS Dynamic | General | stackPivot | Stack pivoting exploitation attempt. MITRE: Execution {T1203}
macOS Dynamic | General | hiddenStartup | Process wrote a hidden file to achieve persistency. MITRE: Persistence {T1158}
macOS Dynamic | General | installMaliciousPlist | Process attempted to write a known malicious plist as launchd job. MITRE: Persistence {T1160}
macOS Dynamic | General | modifyBrowser | Process modified browser's executable. MITRE: Defense Evasion {T1036}
macOS Dynamic | General | modifySystem | Process modified a system file. MITRE: Defense Evasion {T1211}
macOS Dynamic | General | persistenceLaunchdJob | Process achieved persistency through launchd job. MITRE: Persistence {T1160}
macOS Dynamic | General | removeXprotect | Process attempted to remove XProtect from the computer. MITRE: Defense Evasion {T1144}
macOS Dynamic | General | deceptionMacho | Process attempted to write suspicious macho. MITRE: Remote File Copy {T1105}
macOS Dynamic | General | deceptionPlist | Process dropped a hidden suspicious plist to achieve persistency. MITRE: Persistence {T1150}
macOS Dynamic | General | knownMaliciousPlist | Process wrote a plist with known malicious name. MITRE: Privilege Escalation {T1150}, Persistency {T1150}, Defense Evasion {T1036}
macOS Dynamic | General | suspiciousPlist | Process wrote a plist with suspicious contents. MITRE: Persistence {T1150}, Privilege Escalation {T1150}
macOS Dynamic | General | machoWrittenToTmp | Process wrote a MachO to tmp path. MITRE: Remote File Copy {T1105}
macOS Dynamic | General | injection | Process attempted to inject code to other process. MITRE: Privilege Escalation {T1055}
macOS Dynamic | General | launchDeceptionMacho | Process attempted to execute suspicious MachO. MITRE: Execution {T1203}
macOS Dynamic | General | readPersonalBrowserData | Process attempted to read private browsing data. MITRE: Credential Access {T1081}
Windows Dynamic | Persistence | ScheduleTaskRegister | Application has registered itself to become persistent via scheduled task. MITRE: Persistence {T1084}
Windows Dynamic | Persistence | ServiceCreate | Application has registered itself to become persistent via service. MITRE: Persistence {T1084}
Windows Dynamic | Persistence | RegistryAutorun | Application has registered itself to become persistent via an autorun. MITRE: Persistence {T1084}
Windows Dynamic | General | | A threat was detected using static analysis
Windows Dynamic | Persistence | RegistryCOMObject | Application has registered itself to become persistent via COM object. MITRE: Persistence {T1084}
Windows Dynamic | General | CryptominerBehavior | In-browser cryptominer was detected
Windows Dynamic | Post Exploitation | HackTool | Penetration framework in use
Windows Dynamic | Exploitation | MaliciousRDPConnection | Malicious RDP connection detected
Windows Dynamic | General | CryptominerBehavior | Cryptominer was detected
Windows Dynamic | General | CryptominerBehavior | Cryptominer was detected
Windows Dynamic | Privilege Escalation | SuspiciousServiceCreation | Suspicious creation of a service
Windows Dynamic | Privilege Escalation | SuspiciousProcessAccess | Privileged process was accessed by a low privileges process.
Windows Dynamic | Privilege Escalation | TokenManipulation | Local privilege escalation using token manipulation. MITRE: Privilege Escalation {T1134}
Windows Dynamic | Injection | DllHijack | Application was hijacked with a suspicious DLL. MITRE: Persistence {T1038}, Privilege Escalation {T1038}, Defense Evasion {T1038}
Windows Dynamic | Post Exploitation | SuspiciousDriverLoad | Unverified driver was loaded. MITRE: Persistence {T1215}
Windows Dynamic | Malware | SuspiciousProcessCreation | Abnormal process creation. MITRE: Execution {T1064}
Windows Dynamic | Evasion | SuspiciousRegistryValue | Suspicious registry key was created. MITRE: Defense Evasion {T1112}
Windows Dynamic | Evasion | SuspiciousRegistryValue | Suspicious registry key was created. MITRE: Defense Evasion {T1112}
Windows Dynamic | Exploitation | KernelExploitAttempt | Kernel exploit attempt. MITRE: Defense Evasion {T1112}
Windows Dynamic | Evasion | AntiVirusEvasion | Process tried to bypass the SentinelOne agent. MITRE: Defense Evasion {T1089}
Windows Dynamic | Evasion | AntiVirusEvasion | Process tried to bypass the SentinelOne agent. MITRE: Defense Evasion {T1089}
Windows Dynamic | Post Exploitation | ReverseShell | Reverse shell behavior was identified. MITRE: Execution {T1064}
Windows Dynamic | Privilege Escalation | SuspiciousHardLink | Suspicious hard link was created. MITRE:
Windows Dynamic | Infostealer | SensitiveMemoryAccess | Read sensitive information from LSASS. MITRE: Credential Access {T1003}
Windows Dynamic | Infostealer | ApplicationInfoStealing | FileZilla's sensitive information was accessed. MITRE: Collection {T1213}
Windows Infostealer ApplicationInfoStealing Opera's sensitive information was
Dynamic accessed. MITRE: Collection {T1213}
Linux Dynamic Evasion HiddenFileExecution Execution of a hidden file. MITRE:
Hidden Files and Directories
{T1158}
Linux Dynamic Evasion Packer Obfuscated script execution.
MITRE: Scripting {T1064},
Deobfuscate/Decode Files or
Information {T1140}
Linux Dynamic Evasion ExecutionWithoutPermissions Using Dynamic Loader to execute a
binary
Linux Dynamic Evasion EventTampering Suspicious shell history log
modification. MITRE: Bash History
{T1139}
Linux Dynamic Persistence CronModification Suspicious Cron modification.
MITRE: Local Job Scheduling
{T1168}
Linux Dynamic General MaliciousDownload Download of a suspicious content.
MITRE: Download New Code at
Runtime {T1407}

© SentinelOne 5-58
SentinelOne Deep Visibility/Threat Hunting

Linux Dynamic Infostealer ReadShadow Suspicious access to credentials.


MITRE: Credential Dumping
{T1003}, Credentials in Files {T1081}
Linux Dynamic Persistence ModifyShadow Suspicious user credentials
modifications. MITRE: Valid
Accounts {T1078}
Linux Dynamic Exploitation ApacheSubshell Apache webshell command
execution. MITRE: Web Shell
{T1100}, Web Service {T1102}
Linux Dynamic Evasion HidingTracks Hiding tracks of execution. MITRE:
File Deletion {T1107}
Linux Dynamic Evasion DisablingSecurityTools Disabling Security Tools {T1089}
Linux Dynamic Infostealer ReadSSHKeys Suspicious access to credentials.
MITRE: Credential Dumping
{T1003}, Private Keys {T1145},
Credentials in Files {T1081}
Linux Dynamic Evasion ModifiedLogonInfo Suspicious access to logon info.
MITRE: Indicator Removal on Host
{T1070}
Linux Dynamic Persistence BashPersistence Bash persistence. MITRE:
.bash_profile and .bashrc {T1156}
Linux Dynamic Malware EvilGnome Trojan.Linux.EvilGnome.A
Linux Dynamic Evasion SuspiciousFileName Suspicious file name. MITRE: Space
after Filename {T1151}
Linux Dynamic Persistence SetSUID Set the setuid or setgid bits on a
file. MITRE: Setuid and Setgid
{T1166}
Linux Dynamic Evasion ModifyTimestamp File timestamp modification.
MITRE: Timestomp {T1099}
Linux Dynamic Evasion SuspiciousFileName Execution of a file with a suspicious
file name. MITRE: User Execution
{T1204}
Linux Dynamic Malware SuspiciousDelete Destroy data in a suspicious way.
MITRE: Data Destruction {T1485},
Disk Content Wipe {T1488}
Linux Dynamic Evasion WriteToSuspiciousLocation Create or write file in a known
suspicious location. MITRE: Data
Staged {T1074}
Linux Dynamic Evasion LogsModification Modify a sensitive log file. MITRE:
Indicator Removal on Host {T1070}
Linux Dynamic Persistence AutoStartPersistence Autostart persistence.
Linux Dynamic Persistence RegisterServicePersistence Create a service as a way to gain
persistence. MITRE: Systemd
Service {T1501}, Rootkit {T1014}

© SentinelOne 5-59
SentinelOne Deep Visibility/Threat Hunting

Queries for Mitre Techniques

SentinelOne integrates with MITRE. The MITRE technique ID is shown in the Forensics details and in Deep Visibility. For each technique in this table, you can run the generic query IndicatorDescription Contains "TID", replacing TID with the technique ID. Here we also show a more descriptive query for each technique, to help you understand the syntax.

Technique - Description, followed by the generic query and the descriptive query:

T1191 - Detect Child Processes of CMSTP
  IndicatorDescription Contains "T1191"
  ParentProcessName = "Microsoft Connection Manager Profile Installer"
T1191 - Detect UAC Bypass with CMSTP (Note: can trigger FPs when VPN is used)
  IndicatorDescription Contains "T1191"
  ProcessName="cmstp.exe"
T1223 - Detect CHM files
  IndicatorDescription Contains "T1223"
  ParentProcessName = "Microsoft® HTML Help Executable" AND (ProcessName = "cmd.exe" OR ProcessName = "powershell.exe")
T1173 - Dynamic Data Exchange
  IndicatorDescription Contains "T1173"
  ParentProcessName In ( "Microsoft Word" , "Microsoft Excel" , "Microsoft Outlook" , "Microsoft Powerpoint" ) AND ProcessName In ("powershell.exe","cmd.exe","python.exe")
T1118 - InstallUtil
  IndicatorDescription Contains "T1118"
  ParentProcessName != "Windows® installer" AND ProcessName = "InstallUtil.exe"
T1170 - MSHTA
  IndicatorDescription Contains "T1170"
  ProcessName = "mshta.exe" AND ( ProcessCMD Contains "javascript" OR ProcessCMD Contains "vbscript")
T1170 - MSHTA
  IndicatorDescription Contains "T1170"
  ParentProcessName = "Microsoft® HTML Help Executable" AND ProcessName = "mshta.exe"
T1086 - Powershell DownloadString
  IndicatorDescription Contains "T1086"
  ProcessName = "powershell.exe" AND ProcessCmd Contains "DownloadString"
T1086 - Powershell bypass
  IndicatorDescription Contains "T1086"
  ProcessName = "powershell.exe" AND ProcessCmd Contains "bypass"
T1086 - Powershell suspicious commands
  IndicatorDescription Contains "T1086"
  ProcessName RegExp "powershell" AND ( ProcessCmd Contains "Invoke-Expression" OR ProcessCmd Contains "-encodedcommand" OR ProcessCmd Contains "hidden" OR ProcessCmd Contains "write-host" OR ProcessCmd Contains "Get-NetIPConfiguration" )
T1086 - Powershell running as system user
  IndicatorDescription Contains "T1086"
  ProcessName RegExp "powershell" AND User contains "SYSTEM"
T1086 - Powershell Get Running Processes
  IndicatorDescription Contains "T1086"
  ProcessCmd RegExp "powershell.exe echo Get-Process"
T1086 - Powershell IEX
  IndicatorDescription Contains "T1086"
  ProcessName = "powershell.exe" AND ProcessCmd Contains "IEX"
T1086 - Powershell launch CMD
  IndicatorDescription Contains "T1086"
  ProcessName="cmd.exe" AND ParentProcessName="Windows PowerShell"
T1086 - Powershell hidden
  IndicatorDescription Contains "T1086"
  ProcessName = "powershell.exe" AND ProcessCMD Contains "hidden"
T1085 - Rundll32 launching Scripts
  IndicatorDescription Contains "T1085"
  ProcessName = "rundll32" AND ( ProcessCMD Contains "javascript" OR ProcessCMD Contains "vbscript")
T1053 - Execution of AT.exe
  IndicatorDescription Contains "T1053"
  ProcessName ="at.exe"
T1053 - Powershell Scheduled Tasks Created
  IndicatorDescription Contains "T1053"
  ParentProcessName = "Windows PowerShell" AND ProcessName = "Task Scheduler Configuration Tool"
T1053 - Unusual Schedule Task Created
  IndicatorDescription Contains "T1053"
  ProcessCmd RegExp "schtasks" AND ProcessName != "Manages scheduled tasks"
T1053 - Creation of Scheduled Task
  IndicatorDescription Contains "T1053"
  ProcessName = "schtasks.exe" AND ProcessCmd Contains "Create "
T1035 - Service Creation via SC
  IndicatorDescription Contains "T1035"
  ProcessCmd Contains "sc create"
T1218 - Msiexec executing dll
  IndicatorDescription Contains "T1218"
  ProcessName = "msiexec.exe" AND ProcessCmd Contains ".dll"
T1218 - Mavinject detection
  IndicatorDescription Contains "T1218"
  ProcessCmd Contains "INJECTRUNNING"
T1218 - Odbcconf loading dll
  IndicatorDescription Contains "T1218"
  ProcessName = "odbcconf.exe" AND ProcessCMD Contains ".dll"
T1218 - Execution of SyncAppvPublishingServer.exe
  IndicatorDescription Contains "T1218"
  ProcessName = "SyncAppvPublishingServer.exe"
T1218 - Register-CimProvider - Execute evil dll
  IndicatorDescription Contains "T1218"
  ProcessName ="Register-CimProvider.exe" AND ProcessCMD Contains ".dll"
T1127 - Execution of Developer Tools
  IndicatorDescription Contains "T1127"
  ProcessName IN ( "MSBuild.exe" , "dnx.exe" , "rcsi.exe" , "Windbg.exe" , "cdb.exe" , "tracker.exe" )
T1047 - WMIC NT Domain Object Query
  IndicatorDescription Contains "T1047"
  ProcessCmd RegExp "wmic ntdomain"
T1047 - WMIC Group List on Local System
  IndicatorDescription Contains "T1047"
  ProcessCmd RegExp "wmic group list"
T1047 - WMI possible Ransomware
  IndicatorDescription Contains "T1047"
  ProcessName = "WMIC.exe" AND ProcessCmd Contains "shadowcopy delete"
T1047 - Powershell or cscript starts WMIC
  IndicatorDescription Contains "T1047"
  ParentProcessName IN ( "Windows PowerShell" , "Microsoft ® Console Based Script Host" ) AND ProcessName = "WMIC.exe" AND ProcessCmd Does Not Contain "SMS_Client"
T1047 - Windows 10 Get Network Adaptor Details
  IndicatorDescription Contains "T1047"
  ProcessCmd Contains "wmic nic"
T1033 - Whoami
  IndicatorDescription Contains "T1033"
  ProcessCmd Contains "whoami"
T1414 - Powershell Get Clipboard Entry
  IndicatorDescription Contains "T1414"
  ProcessCmd RegExp "powershell\.exe\s+echo\s+Get\-Process\s+\|\s+clip"
T1087 - Query logged in Users
  IndicatorDescription Contains "T1087"
  ProcessCmd Contains "quser"
T1087 - Net User Domain
  IndicatorDescription Contains "T1087"
  ProcessCmd RegExp "net\s+user(?:(?!\s+/domain)(?:.|\n))*\s+/domain"
T1087 - WMIC user account list
  IndicatorDescription Contains "T1087"
  ProcessCmd Contains "wmic useraccount get" OR ProcessCmd Contains "wmic useraccount list"
T1087 - WMIC List built in System Accounts
  IndicatorDescription Contains "T1087"
  ProcessCmd Contains "wmic sysaccount list"
T1087 - Query Account & Password Policy
  IndicatorDescription Contains "T1087"
  ProcessCmd Contains "net accounts"
T1087 - Add user or Query local admin group
  IndicatorDescription Contains "T1087"
  ProcessCmd Contains "net localgroup administrators"
T1087 - Query AD
  IndicatorDescription Contains "T1087"
  ProcessCmd Contains "dsquery"
T1087 - Net User - Query a User
  IndicatorDescription Contains "T1087"
  ProcessCmd Contains "net user"
T1135 - Query Network Shares
  IndicatorDescription Contains "T1135"
  ProcessCmd Contains "net share"
T1057 - Current Running Processes
  IndicatorDescription Contains "T1057"
  ProcessCmd Contains "tasklist"
T1057 - Powershell Get Running Processes
  IndicatorDescription Contains "T1057"
  ProcessCmd Contains "powershell.exe echo Get-Process"
T1117 - regsvr32 and scrobj.dll register-unregister dll
  IndicatorDescription Contains "T1117"
  ProcessCmd Contains "regsvr32" AND ProcessCmd Contains "scrobj.dll"
T1117 - regsvr32 suspicious downloads
  IndicatorDescription Contains "T1117"
  ProcessName = "Microsoft(C) Register Server" AND DstIP Is Not Empty
T1117 - regsvr32 suspicious file modification
  IndicatorDescription Contains "T1117"
  ProcessName = "Microsoft(C) Register Server" AND FileModifyAt > "Mar 1, 2019 00:00:45"
T1117 - regsvr32 Persistence
  IndicatorDescription Contains "T1117"
  ProcessCmd Contains "regsvr32" AND ( RegistryPath Contains "machine\software\classes" OR ProcessCmd RegExp "schtasks\s+/create" )
T1082 - System Info - windows
  IndicatorDescription Contains "T1082"
  ProcessCmd Contains "systeminfo"
T1082 - WMIC Process Get - Process data and sub commands
  IndicatorDescription Contains "T1082"
  ProcessCmd RegExp "wmic\s+process\s+get"
T1082 - WMIC qfe - Gather Windows Patch Data
  IndicatorDescription Contains "T1082"
  ProcessCmd Contains "wmic qfe"
T1082 - System Info and Network data gathering
  IndicatorDescription Contains "T1082"
  ProcessCmd Contains "systeminfo" OR ProcessCmd Contains "ver >" OR ProcessCmd RegExp "type\s+%APPDATA%" OR ProcessCmd Contains "ipconfig" OR ProcessCmd RegExp "net\s+view" OR ProcessCmd Contains "arp -a" OR ProcessCmd Contains "netstat"
T1136 - Net User Add User
  IndicatorDescription Contains "T1136"
  ProcessCmd RegExp "net\s+user(?:(?!\s+/add)(?:.|\n))*\s+/add"
T1136 - Add user to AD
  IndicatorDescription Contains "T1136"
  ProcessCmd Contains "dsadd user"
T1136 - Powershell add local user
  IndicatorDescription Contains "T1136"
  ProcessCmd Contains "powershell.exe New-LocalUser"
T1087 - Qwinsta - Display information Terminal Sessions
  IndicatorDescription Contains "T1087"
  ProcessCmd Contains "qwinsta"
T1089 - netsh disable firewall
  IndicatorDescription Contains "T1089"
  ProcessCmd Contains "netsh firewall" AND ProcessCmd Contains "disable"
T1089 - Clear Windows Event Logs Powershell or Wevtutil
  IndicatorDescription Contains "T1089"
  ProcessCmd Contains "wevtutil cl system" OR ProcessCmd Contains "Clear-EventLog"
T1089 - Change firewall profile settings
  IndicatorDescription Contains "T1089"
  ProcessCmd Contains "netsh advfirewall"
T1197 - Bitsadmin suspicious commands
  IndicatorDescription Contains "T1197"
  ProcessCmd Contains "bitsadmin" AND ( ProcessCmd Contains "transfer" OR ProcessCmd Contains "download" OR ProcessCmd Contains ".ps1" OR ProcessCmd Contains "powershell" )
T1060 - Registry Persistence
  IndicatorDescription Contains "T1060"
  ProcessCmd Contains "reg add" AND ( ProcessCmd Contains "Run" OR ProcessCmd Contains "Null" )
T1089 - Kill Symantec
  IndicatorDescription Contains "T1089"
  ProcessName="taskkill.exe" AND ProcessCmd Contains "ccSvcHst.exe"
T1490 - Delete Shadowcopy
  IndicatorDescription Contains "T1490"
  ProcessCmd Contains "vssadmin.exe delete shadows"
T1490 - Delete Windows Backup Catalog
  IndicatorDescription Contains "T1490"
  ProcessName = "wbadmin.exe" AND ProcessCmd Contains "delete catalog"
T1105 - Netcat usage
  IndicatorDescription Contains "T1105"
  ProcessName In ("netcat.exe","nc.exe","ncat.exe")
T1093,T1055 - Unusual ParentProcess for SMSS
  IndicatorDescription Contains "T1093" AND IndicatorDescription Contains "T1055"
  ProcessName = "smss.exe" AND parentProcessName Not In ( "NT Kernel & System" , "Windows Session Manager" )
T1093,T1055 - Unusual Parent for CSRSS
  IndicatorDescription Contains "T1093" AND IndicatorDescription Contains "T1055"
  ProcessName = "csrss.exe" AND parentProcessName Not In ( "Windows Session Manager","Host Process for Windows Services" )
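The operators the queries above combine (Contains, =, !=, RegExp, In, Not In, Does Not Contain, Is Not Empty, AND/OR with parentheses) can be exercised offline before a query is pasted into Deep Visibility. The following Python evaluator is an added example, not SentinelOne code: its grammar is inferred from the queries in this table, the EVENTS records and the case-insensitive matching are assumptions, and it is only meant for testing query logic against constructed sample events.

```python
import re
# Constructed sample events shaped like the Deep Visibility fields used above (layout is an assumption).
EVENTS = [
    {"ProcessName": "powershell.exe", "ParentProcessName": "Microsoft Word",
     "ProcessCmd": "powershell.exe -w hidden -encodedcommand SQBFAFgA", "User": "CORP\\alice"},
    {"ProcessName": "WMIC.exe", "ParentProcessName": "Windows PowerShell",
     "ProcessCmd": "wmic shadowcopy delete", "User": "NT AUTHORITY\\SYSTEM"},
    {"ProcessName": "cmd.exe", "ParentProcessName": "explorer.exe",
     "ProcessCmd": "cmd.exe /c net user bob P@ss /add", "User": "CORP\\bob"},
]
# Tokens: quoted values, parentheses, commas, = / !=, and bare words; findall() skips whitespace.
TOKEN_RE = re.compile(r'"[^"]*"|\(|\)|,|!=|=|[A-Za-z_]\w*')
# Leaf operators (field value, query value); case-insensitive matching is an assumption, not a page claim.
OPS = {
    "contains": lambda a, v: v.lower() in a.lower(),
    "=": lambda a, v: a.lower() == v.lower(),
    "!=": lambda a, v: a.lower() != v.lower(),
    "regexp": lambda a, v: re.search(v, a, re.IGNORECASE) is not None,
    "in": lambda a, v: a.lower() in [x.lower() for x in v],
    "empty": lambda a, v: a == "",
}
OPS["contain"] = OPS["contains"]         # verb form that follows "Does Not"

def parse(query):                        # query string -> tuple tree (kind, lhs, rhs)
    toks = TOKEN_RE.findall(query)
    def expect(*words):                  # the next tokens must be exactly these keywords
        for w in words:
            if not toks or toks.pop(0).lower() != w:
                raise ValueError(f"expected {w!r} in {query!r}")
    def chain(word, sub):                # left-associative: sub (word sub)*
        node = sub()
        while toks and toks[0].lower() == word:
            toks.pop(0)
            node = (word, node, sub())
        return node
    def expr():                          # expr := term ('OR' term)*
        return chain("or", term)
    def term():                          # term := factor ('AND' factor)*
        return chain("and", factor)
    def factor():                        # factor := '(' expr ')' | condition
        if not toks or toks[0] != "(":
            return condition()
        toks.pop(0)
        node = expr()
        expect(")")
        return node
    def condition():                     # condition := FIELD operator value(s)
        field, op = toks.pop(0), toks.pop(0).lower()
        negate = op in ("does", "is", "not")   # Does Not Contain / Is Not Empty / Not In
        if negate and op != "not":
            expect("not")
        if negate:
            op = toks.pop(0).lower()     # contain | empty | in
        val = values() if op == "in" else None if op == "empty" else toks.pop(0).strip('"')
        return ("not", (op, field, val), None) if negate else (op, field, val)
    def values():                        # ( "a" , "b" , ... ) -> list of strings
        expect("(")
        end = toks.index(")")
        vals = [t.strip('"') for t in toks[:end] if t != ","]
        del toks[:end + 1]
        return vals
    return expr()

def evaluate(node, event):               # walk the tree; field names compared case-insensitively
    kind, lhs, rhs = node
    if kind == "not":
        return not evaluate(lhs, event)
    if kind in ("and", "or"):
        left, right = evaluate(lhs, event), evaluate(rhs, event)
        return (left and right) if kind == "and" else (left or right)
    fields = {k.lower(): str(v) for k, v in event.items()}
    return OPS[kind](fields.get(lhs.lower(), ""), rhs)
def hunt(query, events=EVENTS):          # the sample events a query from the table would select
    return [ev for ev in events if evaluate(parse(query), ev)]
```

Because AND binds tighter than OR here, a query such as the T1082 "System Info and Network data gathering" one behaves as written, while mixed AND/OR without parentheses should be checked against the tree parse() returns before relying on it in the console.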


Module Review

In this module, you were introduced to the SentinelOne Deep Visibility functionality and how it
can be used for Threat Hunting. In this module we reviewed:

• Understanding Deep Visibility
• How to Use Deep Visibility
• Threat Hunting Query
• Take Action from the Visibility Page
• Deep Visibility Query Syntax
• Deep Visibility Use Cases
• Hunting Abnormal Behavior on an Endpoint
• Responding to Incidents with Deep Visibility
• Configuring Deep Visibility Data Collection
• Saving Threat Hunting Queries and Watchlists
• Working with Saved Deep Visibility Queries
• Query with Custom Time Range
• Managing the Browser Extension
• Supported File Types for Deep Visibility


Module 5 Review Questions

1. Visibility is only available in which version of SentinelOne?

a. Core
b. Complete
c. Control
d. Premium

2. Deep Visibility query results can be viewed in which two views?

a. Table View
b. Process Tree View
c. Alerts View
d. Remediation View

3. Which hash algorithm does Visibility support?

a. MD5
b. SHA1
c. SHA256
d. SHA1028

4. True or False. You can save a query and schedule it to run periodically and send
notifications when results are found.

a. _____________________

5. What must be turned on in Profiles in order for Visibility to work?

a. Enable Logging
b. Enable Deep Visibility
c. Enable Threat Hunting functionality
d. All of the above

6. What Macintosh OS file type is supported in Visibility?

a. OSX Extended
b. Mach-O
c. MFS
d. Apple App Extended

MODULE 6
SentinelOne Reports

This module is intended to introduce Incident Responders and Analysts to the report functionality in
SentinelOne. In this module you will review the following SentinelOne report features:

• Creating Insight Reports
• Editing and Deleting Reports
• Downloading a Report

© SentinelOne 6-1
SentinelOne Reports

Insight Reports

You can create one-time or scheduled Insight reports to see high-level and detailed information
on the state of your endpoint security. Reports include statistics, trends, and summaries with
easy to read and actionable information about your network.

You can see reports in the Management Console and automatically send them by email to the
addresses that you enter.

Examples of available Insight reports:

• Application Executive Insights
• Executive Insights
• Executive Insights by Group
• Mitigation and Response Insights
• Threats Insights
• Vigilance Insights

Scope of reports:

The scope of the report is based on the Management Console view you are in when you create
the report.

• If you are in one Site, the scope of the report is that Site.
• If you are a Global Admin or an Admin of multiple Sites in the Global view, reports that
you create include information combined for all Sites in your scope.
• If you select a report for a specific group, for example, Executive Insights by Group, a
field shows to enter the Group Name.


Creating Reports

To create an Insight report:

1. In the sidebar, click Scope and select a scope.
2. In the sidebar, click Reports.
3. In Reports, click New Report Task.
   The New Report Task window opens.
4. In Report name, enter a name for the report.
5. In Report content, select the report type.
6. If the report is for a specific entity in the Management Console, you are prompted to enter
   the required information. For example, if you select Executive Insights by Group, you
   must enter the Group Name, as shown in the Management Console.
7. In Frequency, select if the report is generated One time or on a Scheduled basis.
8. In Interval, select the time period that the report includes.
   • For a One-time report, either:
     • Select Last 30 Days. The report will include information for the preceding 30 days.
     • Select Manual and then select a time period on the calendar. You cannot select dates
       in the future.
   • For a Scheduled report, either:
     • Select Weekly and choose a day of the week. For example, if you select a Weekly report
       to generate on Tuesday, a report will be created on the next Tuesday, and then every
       Tuesday afterward.
     • Select First of every month. The report will be generated on the first day of the next
       month and each month afterward.
9. Click Next.
10. Optional: In Recipients, enter one or more email addresses to get the report. Separate
    addresses with a comma.
    Note: To configure email recipients, set up SMTP in Settings > Integrations. Recipients
    do not require Management Console privileges.
11. Click Create.
    Note: Only reports that ran show in the table. You can see the list of future reports in
    Load Report Task.


Editing Reports

To edit or delete a scheduled report:

1. In the sidebar, click Reports.
2. In Reports, click Load Report Task.
3. Select a report task from the list. Search for part of the task name, if necessary.
   The task shows in the Reports view, with the Actions that are available for it.
4. Click Actions and select Edit or Delete.
5. To delete the report task:
   a. Click Delete.
      A confirmation window opens.
   b. Click Confirm.
6. To change the name or recipients of the report:
   a. Click Edit.
      The Edit Report Task window opens.
   b. Change the details.
   c. Click Next.
   d. Click Update.


Deleting Reports

You can delete a scheduled report so that it does not create more reports, or change its
details. You can change a report's Name or Recipients. To change the type of report, frequency,
or scope, create a new Report Task and delete the old one.

You can delete created reports from the Management Console when you do not need them, or
save them in a different location.

To delete a created report:

1. In the sidebar, click Reports.
2. Select the checkbox for the report you want to delete.
   Note: You can select multiple reports to delete at the same time.
3. Click DELETE.
4. In the confirmation window that opens, click Confirm.


Downloading a Report

From the Reports view, Admin and Viewer users can download all created reports for Sites in
their scope.

To get a report:

1. In the sidebar, click Reports.
2. In Reports, select the report that you want to see.
3. Click Download PDF or Download HTML.
   The report is downloaded to the default Downloads folder.


Module Review

In this module we introduced Incident Responders and Analysts to the report functionality in
SentinelOne. In this module you reviewed the following SentinelOne report features:

• Creating Insight Reports
• Editing and Deleting Reports
• Downloading a Report


Module 6 Review Questions

1. Insight Reports contain which of the following information about the network?

a. Statistics
b. Trends
c. Summaries
d. Ranger Endpoints

2. The Insight report is based on what view?

a. The report is based on the endpoints you select during the report creation
b. The report is based on the scope you are in when you create the report
c. The report is based on the global endpoints only
d. The report is based on the site endpoints only

3. What are the two report formats?

a. DOCX
b. RTF
c. HTML
d. PDF

4. How do you save the Raw Data Report for a threat?

a. In Analyze > Forensic Details, select Raw Data Report and click Save
b. In Analyze > Forensic Details, select Raw Data Report and click Download
c. In Activity > Operations, select Raw Data Report and click Save
d. In Activity > Administrative, select Raw Data Report and click Download

5. What are the two report formats for the Raw Data Report?

a. PDF
b. JSON
c. RTF
d. CSV
