SentinelOne Security Operations Center User Guideline (S1)
Introduction
The cyber security industry grows year by year. New technologies replace older ones, and attack vectors and attack types change with them. Organizations struggle to keep up with new attack techniques and face large risks and losses. For enterprise protection, EDR/XDR/MDR technologies have taken their place on organizational endpoints. There are always methods to bypass an EDR, so you cannot rely on it alone; it is still a powerful tool against threats, though. In this article I would like to inspect SentinelOne: what it is and how it works.
Contents
1. SentinelOne
1.1 General Information
1.2 Technical Features
1.3 Capabilities
1.3.1 Threat Detection
1.3.2 Threat Hunting
1.3.3 AI-Assisted Prevention
1.3.4 Automated Response
1.4 Agents
1.5 Site
1.5.1 Network Control
1.6 Exclusions
1.7 Device Control
1.8 Endpoints
1.8.1 Packages
1.8.2 Upgrade Policy
1.8.3 Account Info
1.8.4 Site Info
1.9 Incidents
1.9.1 Storyline feature
1.9.2 Application
1.9.3 Activity
1.9.4 Reports
1.9.5 Automation
1.10 Settings
1.10.1 Configuration
1.11 Notification
1.12 Users
1.13 Integration
1.14 Accounts
1.15 Sites
1.16 Location
General information about SentinelOne
Comprehensive security measures are those that provide edge-to-edge protection for the assets in an enterprise's IT architecture.
SentinelOne is an example of such an enterprise security platform: it provides threat detection, threat hunting and response features that let organizations discover threats and protect IT operations. SentinelOne uses static AI on the endpoint to provide real-time protection and to reduce the false positives that derail investigations or make threat detection expensive.
The platform includes:
- Threat Detection
- Threat Hunting
- AI-Assisted Prevention
- Automated Response
Technical Features
- SentinelOne can detect encoded or modified malicious binaries: even a well-known Mimikatz build whose file has been altered so that it no longer matches the known sample is still detected.
- SentinelOne can block USB devices.
- Threat hunting is available.
- Built-in LOLBin (living-off-the-land binary) hunting queries.
- Cloud-based agent management; agents can be deployed with GPO.
- 24/7 support.
- Licensing is per endpoint, managed in the cloud console.
- Remote Shell, protected by 2FA.
- Application inventory.
- macOS is supported.
- YARA rules are supported.
- SIEM integration via syslog, in CEF and CEF2 format.
Capabilities of SentinelOne
Threat Detection:
Detecting threats in real time supports an immediate response that mitigates them before they harm the IT environment. SentinelOne uses a patented Behavioral AI engine to recognize malicious actions and patterns. Detection covers file-less, zero-day and nation-state-grade attacks. The AI ensures threats are discovered in a timely manner, which limits the impact of ransomware and phishing attacks.
Threat Hunting:
Organizations should aim for a proactive process of discovering threats rather than a reactive one. Proactive threat hunting seeks out attackers who are already inside the environment before they cause damage. SentinelOne delivers fast query times and advanced actions during a hunt, including pre-indexed forensic context to understand the attacker's goal, a fully native remote shell, and more.
AI-Assisted Prevention:
SentinelOne runs static AI on the endpoint to prevent attacks in real time, so threats are stopped before they can affect networked systems. This prevention model can be more efficient than legacy antivirus because it produces few false positives while focusing on real threats.
Automated Response:
SentinelOne uses ActiveEDR to respond to incidents within the network. ActiveEDR builds on behavioral AI and can surgically reverse and remove malicious activity. Organizations can automate the response so that it happens in real time, without waiting for an analyst. The AI-assisted response
Agents
SentinelOne supports macOS, Linux and Windows. To obtain the agent for each platform, follow the steps below:
1. Go to the Sentinels tab.
2. On the Sentinels tab, click Packages.
The screenshot shows how to download the agent for each platform: marker "1" shows where the agents are listed, marker "2" is the platform filter that lets you choose the operating system you want to deploy to, and marker "3" shows that the latest agent version is at the top.
3. Click the icon on the left-hand side and the agent download will start.
Site
A site is a separate tracking area for a company or business unit. For example, a site called "XYZ" can be created to track the users and servers of "XYZ", and a second site can be created for "ABC".
When an account is created, a site named "Default site" is created automatically. Within a site, groups can be created for different purposes, and each group can have its own policies.
The site token shown at the bottom of the picture is required during agent installation, so be careful which token you hand out: an agent enrols into the site whose token it was installed with. If you want all agents in the "Default site", share the "Default site" token. Treat the token as sensitive, since anyone holding it can enrol an endpoint into that site and consume its licenses.
In this setup there is a single account, and its license count is divided among the sites. In our example there are two sites, "XYZ" and "ABC".
Network Control:
The default firewall policy has been set up in SentinelOne at the "Account" level. To find the SentinelOne firewall policy and change it, follow the instructions below:
1. Go to the main page of site "XYZ".
2. Click Firewall, then Network Control.
3. To add a new rule, click "New Rule".
4. To change an existing rule, click the rule and open Actions.
Exclusions
Exclusions let you exempt specific processes or applications from detection. Keep them as narrow as possible (a full path or a file hash rather than a whole folder), because an excluded location is a blind spot an attacker can drop tooling into. To add an exclusion:
1. Go to the "Sentinels" tab and click "Exclusions".
2. Click "New Exclusion" and specify the exclusion to be added.
Device Control
The Device Control tab is where you set rules such as blocking USB or Bluetooth connections.
Remember that the configuration is scoped: it must be set for each account, site or group. You can also block or allow USB and Bluetooth devices selectively; for example, you can block or allow USB devices by a specific vendor ID.
Endpoints
Packages:
This tab lists the SentinelOne packages available for your hosts. The important detail here is the "Availability Level": GA or EA. GA means "Generally Available"; EA means "Early Access". For a reliable agent we recommend GA for end users; EA can be deployed to a small test group to try new agent versions before they go GA.
Packages are provided as DEB, RPM, GZ, MSI, EXE and PKG files so that every platform can be covered.
Upgrade Policy:
In the Upgrade Policy tab you manage when your agents are maintained: updates can be scheduled weekly or at the specific times you choose.
Account Information:
Shows information about the account.
Site Info:
Site Info contains information about your site, such as licenses, site ID, total agents, creation date, expiration date, Singularity platform settings and the site token.
Incidents
This is where the analyst can view and search the incidents that have occurred. From here the SOC analyst can investigate an alert further by expanding the related incident, as shown below:
Several indicators show the details of the alert. Clicking "View Threat Details" opens a new, more detailed tab for the incident.
At the top of that tab you can see "Threat Status, AI Confidence Level, Analyst Verdict, Identified Time and Reporting Time". In this example the threat has not been mitigated yet, and the AI Confidence Level is "Suspicious", meaning the engine is not sure whether the file is malicious or benign. SentinelOne hands such a case to the analyst for further investigation, and the analyst has to reach a verdict on the incident. SentinelOne also provides "Network History": first and last seen, how many times the file was seen on endpoints, how many endpoints were affected, and the account, site and group. Below that is the Threat File Name section, which shows information about the malicious or suspicious file, and there is an option to download the file for analysis (handle a downloaded sample only in an isolated analysis environment).
Storyline Feature
The Storyline ID is an identifier given to a group of related events. When you find an abnormal event that seems relevant, use its Storyline ID to find all related processes, files, threads, events and other data with a single query.
For a threat hunter this is the best tool in the SentinelOne product. It allows rapid, targeted investigation: SentinelOne creates a unique storyline ID for each incident, and by clicking it, or by opening "Deep Visibility", the analyst gets more visibility into the related incident.
The feature gives the analyst more visibility and lets them respond to the incident faster.
With the search parameters narrowed down, the analyst can go deeper into the investigation and find more useful IoCs.
However, there are cases where SentinelOne does not create a storyline. If the detection comes from the static engine, no storyline is created: the file was blocked before it ran, so no process executed and no events occurred in the operating system.
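To make the storyline pivot concrete, here is an added example (not SentinelOne's own code and not its Deep Visibility query API) that walks a constructed set of endpoint events: it pulls every event sharing one Storyline ID, rebuilds the process tree, extracts the IoCs the analyst would hunt with, and shows why a static-engine block yields no storyline to pivot on. The field names (storyline_id, event_type, pid, ppid, ...) and the sample records are assumptions made for the example.

```python
"""Pivot on a Storyline ID over a constructed event set.

Added example, not SentinelOne's own code or its Deep Visibility query API.
The records below are constructed to resemble exported endpoint events; the
field names (storyline_id, event_type, pid, ...) are assumptions, not the
product's schema.
"""
from collections import defaultdict

# Constructed sample telemetry (not real data): one suspicious storyline, one
# benign storyline, and a static detection that blocked the file before it
# ever executed and therefore carries no storyline at all.
EVENTS = [
    {"ts": 1, "storyline_id": "SL-1001", "event_type": "process", "pid": 4001, "ppid": 3001,
     "cmdline": "cmd.exe /c powershell -enc SQBFAFgA"},
    {"ts": 2, "storyline_id": "SL-1001", "event_type": "process", "pid": 4002, "ppid": 4001,
     "cmdline": "powershell -enc SQBFAFgA"},
    {"ts": 3, "storyline_id": "SL-1001", "event_type": "dns", "pid": 4002, "query": "update.example.test"},
    {"ts": 4, "storyline_id": "SL-1001", "event_type": "net", "pid": 4002, "dst_ip": "203.0.113.10", "dst_port": 443},
    {"ts": 5, "storyline_id": "SL-1001", "event_type": "file", "pid": 4002,
     "path": r"C:\Users\Public\svc.exe", "sha256": "aa" * 32},
    {"ts": 6, "storyline_id": "SL-1001", "event_type": "process", "pid": 4003, "ppid": 4002,
     "cmdline": r"C:\Users\Public\svc.exe"},
    {"ts": 7, "storyline_id": "SL-2002", "event_type": "process", "pid": 5001, "ppid": 3001,
     "cmdline": "explorer.exe"},
    {"ts": 8, "storyline_id": None, "event_type": "static_detection",
     "path": r"C:\Users\bob\Downloads\mimi.exe", "sha256": "bb" * 32},
]


def events_for_storyline(events, storyline_id):
    """The single-query pivot: every event sharing one Storyline ID, in time order."""
    return sorted((e for e in events if e.get("storyline_id") == storyline_id), key=lambda e: e["ts"])


def process_tree(events):
    """Parent->children map of the process events; roots are processes whose parent
    lies outside the storyline (the initial execution that started it)."""
    procs = {e["pid"]: e for e in events if e["event_type"] == "process"}
    children, roots = defaultdict(list), []
    for pid, e in procs.items():
        if e["ppid"] in procs:
            children[e["ppid"]].append(pid)
        else:
            roots.append(pid)
    return roots, dict(children)


def render_tree(events):
    """Indented text rendering of the process tree, one line per process."""
    roots, children = process_tree(events)
    procs = {e["pid"]: e for e in events if e["event_type"] == "process"}
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {procs[pid]['cmdline']}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def extract_iocs(events):
    """Collect network and file indicators from a storyline for blocklists or hunting."""
    iocs = {"domains": set(), "ips": set(), "hashes": set(), "paths": set()}
    for e in events:
        kind = e["event_type"]
        if kind == "dns":
            iocs["domains"].add(e["query"])
        elif kind == "net":
            iocs["ips"].add(e["dst_ip"])
        elif kind == "file":
            iocs["hashes"].add(e["sha256"])
            iocs["paths"].add(e["path"])
    return iocs


def storyline_for_detection(events, sha256):
    """Storyline behind a detection, looked up by file hash.
    None means the file was stopped pre-execution (static engine): nothing ran,
    so there is no behavioural chain to pivot on; triage from the hash instead."""
    for e in events:
        if e.get("sha256") == sha256 and e.get("storyline_id"):
            return e["storyline_id"]
    return None


if __name__ == "__main__":
    chain = events_for_storyline(EVENTS, "SL-1001")
    print("\n".join(render_tree(chain)))
    print(extract_iocs(chain))
    print("static block storyline:", storyline_for_detection(EVENTS, "bb" * 32))
```

When the pivot returns nothing for a detection, as it does for the quarantined mimi.exe above, that is the static-engine case from the paragraph, not a gap in telemetry; the hash and path are still available for a hunt across other endpoints.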
Application:
In the Application tab shown below, the analyst or admin can see the applications installed on the endpoints, including outdated ones.
The tab has an export option to produce a report of outdated applications.
Activity:
The Activity tab shows each event that happened in the managed environment (on hosts with the agent). The analyst can also track the status of a downloaded threat file here, and if SentinelOne is integrated with a sandbox, the sandbox report appears here once the analysis completes.
Reports:
The tab where reports are created in SentinelOne.
Reports can be created as PDF or HTML. Clicking "Create a report" opens the pop-up shown below:
Here you can create a scheduled report or a one-time report for the time range you specify; the report content can be tailored to your needs.
The report can be sent to a specific e-mail address.
Automation:
In the Automation tab an admin can create automated tasks to take care of daily operations. To the right of the TASKS option is the Script Library. To use this feature, however, you need to contact SentinelOne support or your service provider.
Settings:
The Settings tab is one of the most important tabs in the SentinelOne product. It includes 8 different options for managing and configuring the product itself.
Configurations:
Here you can manage configuration such as the inactivity timeout and session timeout. You can also find SentinelOne's early access program for each operating system.
Below the early access program is the "Available Licenses" section, another important field in Settings, which shows the product's license count, add-ons and settings.
Notification
Here you manage the notifications you want to receive from the product. For each feature SentinelOne provides, you can enable notifications according to your needs, delivered by e-mail or syslog.
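Syslog notifications arrive in CEF, which a SIEM or a small collector has to parse before it can route the event. The following is an added example, not SentinelOne's code and not its documented field layout: it parses syslog-wrapped CEF 0 lines (handling the escaped pipe and escaped equals sign the format allows), resolves CEF custom-field labels, and queues the events that still need an analyst verdict, mirroring the "Suspicious / verdict undefined" state described in the Incidents section. The two sample lines and the labels ConfidenceLevel, AnalystVerdict and Storyline are constructed for the example.

```python
"""Parse SentinelOne-style CEF syslog notifications and triage them.

Added example, not SentinelOne's code; it implements the CEF 0 wire format
(header fields separated by '|', extension key=value pairs). The sample lines
and the custom-field labels (ConfidenceLevel, AnalystVerdict, Storyline) are
constructed for illustration and are not the product's documented schema.
"""
import re
from dataclasses import dataclass, field

_SYSLOG = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<cef>CEF:.*)$", re.S)
_KEY = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_.]*)=")   # start of an extension key
_SEVERITY_WORDS = {"low": 3, "medium": 6, "high": 8, "very-high": 10}


@dataclass
class CefEvent:
    host: str
    timestamp: str
    vendor: str
    product: str
    version: str
    signature_id: str
    name: str
    severity: int
    ext: dict = field(default_factory=dict)

    def labeled(self) -> dict:
        """Resolve CEF custom fields (cs1Label=X cs1=Y) into {X: Y}."""
        out = {}
        for k, v in self.ext.items():
            if k.endswith("Label") and k[: -len("Label")] in self.ext:
                out[v] = self.ext[k[: -len("Label")]]
        return out


def _unescape(value: str) -> str:
    # CEF extension escapes: '\=' -> '=', '\\' -> '\', '\n' and '\r' -> newline chars
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(cef: str):
    """Split the seven header fields on unescaped '|'; return them plus the raw extension."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        c = cef[i]
        if c == "\\" and i + 1 < len(cef) and cef[i + 1] in "|\\":
            cur.append(cef[i + 1]); i += 2          # '\|' or '\\' inside a header field
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) < 7:
        raise ValueError("CEF header needs 7 '|'-separated fields")
    return fields, cef[i:]


def _parse_extension(ext: str) -> dict:
    """Values run from 'key=' up to the next ' key='; only '=' inside values needs escaping."""
    out, keys = {}, list(_KEY.finditer(ext))
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end])
    return out


def parse_syslog_cef(line: str) -> CefEvent:
    m = _SYSLOG.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not a syslog-wrapped CEF line")
    header, ext = _split_header(m.group("cef"))
    if header[0] != "CEF:0":
        raise ValueError(f"unsupported CEF version {header[0]!r}")
    sev = header[6].strip()
    severity = int(sev) if sev.isdigit() else _SEVERITY_WORDS.get(sev.lower(), 0)
    return CefEvent(m.group("host"), m.group("ts"), header[1], header[2], header[3],
                    header[4], header[5], severity, _parse_extension(ext))


def needs_analyst(evt: CefEvent) -> bool:
    """Queue for human review: no verdict yet, and either high severity or the AI says 'suspicious'."""
    lab = evt.labeled()
    if lab.get("AnalystVerdict", "undefined").lower() != "undefined":
        return False
    return evt.severity >= 7 or lab.get("ConfidenceLevel", "").lower() == "suspicious"


# Constructed sample lines (not real telemetry). In these raw strings '\\' is a
# literal escaped backslash on the wire and '\=' an escaped '=' inside a value.
SAMPLE_LINES = [
    r"<134>2024-03-01T10:15:42Z s1console CEF:0|SentinelOne|Mgmt|2.0|45|Threat \| Detected|7|"
    r"rt=1709287342000 dhost=WS-042 duser=CORP\\bob fname=svc.exe cs1Label=ConfidenceLevel cs1=suspicious "
    r"cs2Label=AnalystVerdict cs2=undefined cs3Label=Storyline cs3=SL-1001 msg=Pending review \= not mitigated",
    r"<134>2024-03-01T10:20:00Z s1console CEF:0|SentinelOne|Mgmt|2.0|46|Threat Resolved|3|"
    r"dhost=WS-042 cs1Label=ConfidenceLevel cs1=malicious cs2Label=AnalystVerdict cs2=false_positive",
]


def triage(lines) -> list:
    """Return (host, event name, storyline) for every event an analyst still has to look at."""
    queue = []
    for line in lines:
        evt = parse_syslog_cef(line)
        if needs_analyst(evt):
            queue.append((evt.ext.get("dhost"), evt.name, evt.labeled().get("Storyline")))
    return queue


if __name__ == "__main__":
    for item in triage(SAMPLE_LINES):
        print("analyst queue:", item)
```

The key-boundary rule in _parse_extension is the one weakness of CEF itself: a value containing a literal " word=" sequence is ambiguous unless the producer escapes the "=", so a collector should never trust a parsed value to be complete without that escaping.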
Users
This is the most important part of Settings. In this tab you create and configure users and roles. Under "Actions" you can create a new user, copy an existing user, delete users, reset their 2FA and send a verification e-mail.
Under "Roles" there is another Actions button, from which you can create a new role, duplicate an existing one or delete a role. The built-in roles are:
- Admin: All Console features and actions in the assigned scope.
- C-Level: Creates, edits, and deletes reports and sees full Console.
- IR Team: Analyzes and responds to incidents with Deep Visibility and creates incident response and root cause analysis reports.
- IT: Manages endpoints, scopes, exclusions, blacklists and some settings, such as Notifications, Device Control and Firewall Control.
- SOC: Analyzes and responds to threats with full mitigation and remediation permissions.
- Viewer: Read-only access to Console features and data in the assigned scope.
Assign each user the narrowest role that covers their job and keep the number of Admin users small; the ability to change exclusions and policies is exactly what an attacker with console access would go after.
Integration
This tab provides the integration options: SMTP, syslog and SSO are configured here.
Accounts:
If you manage more than one account, this tab shows all your accounts and their details on one page.
Sites:
This shows the sites you have created and currently manage, with the details of each site.
Location:
Locations let the console determine where an endpoint is, for example whether it is on the corporate VPN or not, based on criteria such as URL, IP or DNS defined by the security department. Firewall policies can then be applied per location, which also enables a form of network segmentation.
This article reads like a technical user guide, but I hope you like the information and topics I covered in this post. :)
Contacts:
Linkedin: https://www.linkedin.com/in/ata-%C5%9Fahan-erdemir-55113297/
Twitter: https://twitter.com/AtaErdemir