
SentinelOne (P4 - Sentinels): A Practical Guide / Practical Training

Updated: Dec 27, 2024

Welcome back to the SentinelOne journey! Today, we’re diving into the Sentinels Tab, one of the most critical components of the SentinelOne console.

This is the workspace where administrators spend most of their time managing endpoints, configuring policies, and ensuring their organization stays secure. I'll walk you through the key features and functionalities, share some practical examples, and sprinkle in some of my personal tips to make your experience even smoother.

-------------------------------------------------------------------------------------------------------------

The Top Strip: Where It All Begins


  1. Endpoints

    This is where it all starts. The Endpoints section displays all the devices with SentinelOne agents installed.

    From here, you can monitor and manage every endpoint in your environment. Once an agent is installed, the console provides a treasure trove of information (the features and actions listed below are only a sample; the console offers far more, so do explore it):

    • Application inventory

    • Cloud connectivity details

    • Agent version

    • Last reboot time

    • Visible IPs

    What Can You Do?

    SentinelOne allows administrators to perform various actions on endpoints, such as:

    • Rebooting Devices

    • Updating the Agent

    • Running Scans

    • Disconnecting/Reconnecting to the Network

    • Troubleshooting Issues


    Cool Features I Love

    1. Permission Alerts: If the agent is not installed correctly (e.g., on macOS, where you must grant it Full Disk Access), the console flags the issue directly on the Endpoints page so you can fix it quickly.

    2. Uninstallation Requests and Tamper Protection: SentinelOne’s anti-tamper feature ensures the agent cannot be uninstalled without proper authorization.

      1. If anti-tamper is off, a local admin (or any process running as one) can uninstall the agent.

      2. If anti-tamper is on, nobody can uninstall the agent locally, not even a local admin; removal has to be approved from the console (an uninstall request) or unlocked with the endpoint’s passphrase.

        Pro Tip: Always reject uninstallation requests unless absolutely necessary, and check who raised each request before you approve it.

    Filtering Endpoints

    What if you’re managing thousands of endpoints? Do you have to check each one manually? Absolutely not! SentinelOne provides filters to help you zero in on endpoints with specific issues or pending actions.

If I get the opportunity and there’s enough interest, I’d be happy to create a detailed article on each filter available in SentinelOne’s Endpoint section. This would include an in-depth exploration of the various capabilities and functionalities related to endpoint management. For now, let’s proceed and focus on the key aspects without diving into extensive details.

-------------------------------------------------------------------------------------------------------------

Next: Identity Policy

This is a relatively new feature, and I haven’t tested it extensively yet. But here’s what I know so far:

Singularity™ Identity Detection & Response

This feature defends your Active Directory (AD), Entra ID (formerly Azure AD), and domain-joined assets against credential misuse and privilege escalation.

Core Features:

  1. Active Directory Defense

    • Detects attacks targeting AD and Entra ID from managed, unmanaged, or IoT devices.

    • Protects privileged credentials by hiding them from attackers and replacing them with decoys.

  2. Lateral Movement Prevention

    • Uses cloaking technology to make lateral movement exceedingly difficult for attackers.

    • Identifies misconfigurations in Access Control Lists (ACLs) that attackers could use to move laterally.

  3. Visibility and Control

    • Visualizes paths attackers might use to advance their attacks.

    • Maps exposed assets, orphaned credentials, and policy violations.


This feature integrates seamlessly with Zero Trust strategies and is designed to reduce identity-based attack surfaces.

-------------------------------------------------------------------------------------------------------------

Next: Tags: Custom Labels for Endpoints

Tags are a simple but powerful way to organize and filter endpoints. Each tag consists of a key and value pair, allowing you to:

  • Create Dynamic Groups

  • Build Dashboard Widgets

Scope of Tags

  • Tags created at the Account level are available across all Sites and Groups under that account.

  • Tags created at the Site level are restricted to that specific site.


-------------------------------------------------------------------------------------------------------------


Next: Unprotected Endpoints and Cloud Rogues

Unprotected Endpoints

This feature highlights endpoints that are not protected by SentinelOne agents. It’s part of the Network Discovery feature, which I’ve covered in a separate article; see the link below:



Cloud Rogues

This new feature is part of SentinelOne’s Cloud Workload Security (CWS). I haven’t tested it extensively yet, but here’s what I know. It continuously monitors your cloud environment (e.g., AWS) to:


  • Inventory unprotected virtual machines (VMs).

  • Identify newly created VMs in real time.


Administrators can then deploy the SentinelOne CWS agent on these unprotected machines. Currently, Cloud Rogues supports Amazon EC2 and related services (ECS, EKS), with plans to expand to other CSPs like Azure and Google Cloud.


I’m sharing this article for you to check out:
If I get the chance to test this feature in the future, I’ll provide an update. Similarly, if you’ve already tested it or have any feedback, feel free to share it with me. I’d be happy to incorporate your insights into this article to make it even more comprehensive.

-------------------------------------------------------------------------------------------------------------


Next: Policies: The Backbone of SentinelOne

The Policy section is arguably the most critical part of the SentinelOne console. Understanding how policies work—and the hierarchy they follow—is essential for effective configuration.


Hierarchy Recap

  • Changes made at the Account level are inherited by all Sites and Groups.

  • Changes made at the Site level are inherited by Groups under that Site.

  • Group-level changes do not affect the broader Site or Account.


Scenario Example:

  • Default Policy: If you’ve just set up a new SentinelOne console or server, enable inheritance for smooth policy implementation across all sites/groups.

  • Custom Policies: If a client has two sites, e.g., London and US, that need different policies, turn off inheritance for those sites and edit each site’s own policy. London then gets one policy and the US another, without touching the Account-level policy.



Policy Modes

Policies in SentinelOne operate in two modes:

  1. Detect Mode:

    • Identifies threats but takes no action. No files are quarantined, killed, or remediated.

  2. Protect Mode:

    • Automatically responds to threats based on your chosen Protect Level.


Protection Actions Explained:

  • Kill: Stops all processes related to the threat.

  • Quarantine: Moves the threat and any associated files to a secure, encrypted location.

  • Remediate: Deletes all files and system changes caused by the threat. It also executes Kill and Quarantine if they were not completed earlier.

    • Important: With Remediate, files are deleted and cannot be unquarantined.

  • Rollback (Windows only): Uses Volume Shadow Copy Service (VSS) snapshots to restore the files the threat modified or encrypted, reversing ransomware damage.

    • Sequence: Remediation must complete successfully before rollback can occur.


Pro Tip: Rollback is invaluable for ransomware recovery. SentinelOne creates VSS snapshots every four hours by default. Rollback depends on those snapshots existing, so keep shadow-copy storage enabled, and large enough, on the volumes you care about.

Macro Mitigation

This feature lets SentinelOne mitigate malicious macros in Excel files. SentinelOne can be noisy here, and stripping macros may leave the workbook unusable, so handle it cautiously. For me, quarantining the Excel file is more useful than deleting the macros outright: you can get the workbook back from quarantine, but a deleted macro is gone.


Containment

When enabled alongside Protect Mode, this feature isolates the endpoint if a threat is detected. It works in conjunction with the chosen Protection Level (e.g., Remediate).


Example:- Protect Mode with Protection Level: Remediate

When the policy is set to Protect and the Protection Level is configured as Remediate, the following actions are triggered for any detected threat:

  1. Automatic Remediation:

    • The malicious file is identified and automatically remediated by deleting the file and undoing its changes on the system.

    • Any associated processes are terminated to ensure the threat is neutralized.

  2. Endpoint Containment (if enabled):

    • The affected endpoint is isolated from the network to prevent further spread or lateral movement of the threat.

    • This is especially useful for ransomware scenarios, as it stops the attack in its tracks.


Caution: False Positives

While such automation is extremely helpful, there are risks to consider:

  • Like any security tool, SentinelOne can occasionally misidentify legitimate files as malicious (false positives).

  • If a legitimate business-critical file is mistakenly remediated, it may cause operational disruptions. Pilot a new policy on a small group in Detect mode, review the verdicts, and only then widen Protect/Remediate.


Robust Detection via Multiple Engines

SentinelOne employs a multi-layered detection mechanism to handle modern threats, including zero-day attacks. Even if one engine misses a threat, others are designed to catch it. Here are the primary engines:

  1. Reputation Engine:

    • Matches file hashes against known malicious and trusted files from global databases.

  2. Static AI:

    • Examines file characteristics without execution to identify threats.

  3. Behavioral AI:

    • Monitors runtime activities to detect anomalous or malicious behaviors.

  4. Anti-Exploitation/Fileless Protection:

    • Focuses on memory-based and script-based attacks.

  5. Lateral Movement Detection:

    • Identifies attempts to spread across the network.

  6. Identity Detection (Singularity™):

    • Guards against identity-based attacks on Active Directory environments.


Each engine contributes to a robust defense system, ensuring minimal gaps in threat detection.


Moving on to the second part of the policy screen

Each toggle on this screen is self-explanatory, providing descriptions for its function.


Deep Visibility & Identity Settings

The configurations below relate to SentinelOne’s Identity Policy. Administrators can choose pre-configured settings or customize them for their environment, which gives precise control over how identity-related threats and anomalies are handled.

Binary Vault

This feature automatically uploads executable files to SentinelOne’s cloud for analysis. Because it sends binaries off the endpoint, confirm that this is acceptable for in-house or sensitive executables before enabling it.

  • Malicious files are retained for one year.

  • Benign files are retained for 30 days.


Remote Ops Scripts

This setting lets administrators define scripts to run remotely on endpoints. I’ll cover the specifics in an upcoming article.

Decommission & Remote Shell

These features provide advanced administrative capabilities:

  • Decommission: Automatically removes endpoints from the console once they have been offline for the number of days you select.

  • Remote Shell: Enables secure remote access to an endpoint for troubleshooting or manual remediation.


-------------------------------------------------------------------------------------------------------------


Next: The Star of the Show: Custom Rules

Creating custom rules in SentinelOne is like crafting the perfect weapon for your defense arsenal. This is where you take control—a level of customization no AI-generated rule can match. Why? Because your organization’s threats and environment are unique.

What to Know About Custom Rules:

  1. Hierarchy is key:

    • Rules can only be created at Account Level or Site Level.

    • A Site-level rule applies to all groups under it, while an Account-level rule cascades down to all sites and groups.

    • There’s no Group-level rule creation—remember that!


  2. Policy-based actions:

    • For example, if a malicious file is detected, you can configure the rule to terminate the process, quarantine the file, or simply notify the team.


For the Techies:

Let’s say you’re hunting PowerShell behavior. A Deep Visibility query might look like this:

This query checks for PowerShell making outbound connections to public IPs. Once tested in Deep Visibility, you can create a STAR custom rule from the same query to generate alerts or take action whenever it matches.
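As an added example (my own code, not a Deep Visibility or STAR query), here is the same hunt logic in Python over constructed events. It is useful for pinning down what "public IP" should mean before you promote the query to a STAR rule: loopback, link-local, RFC 1918 and the documentation ranges all need to be excluded, and you usually want an allowlist for known-good destinations. The event field names are assumptions and the sample events are made up.

```python
# Added example, not SentinelOne's query language: the logic of the
# "PowerShell talking to public IPs" hunt, written in Python over constructed
# sample events so the public/private test can be checked offline before the
# Deep Visibility query is promoted to a STAR rule. Field names are assumptions.
import ipaddress
from typing import Iterable

POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# Constructed events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01",  "process": "powershell.exe", "dst_ip": "10.20.30.40",   "dst_port": 445},
    {"host": "WS01",  "process": "powershell.exe", "dst_ip": "8.8.8.8",       "dst_port": 443},
    {"host": "WS02",  "process": "pwsh.exe",       "dst_ip": "1.1.1.1",       "dst_port": 8080},
    {"host": "WS02",  "process": "chrome.exe",     "dst_ip": "1.1.1.1",       "dst_port": 443},
    {"host": "SRV01", "process": "powershell.exe", "dst_ip": "127.0.0.1",     "dst_port": 5985},
    {"host": "SRV01", "process": "POWERSHELL.EXE", "dst_ip": "169.254.10.3",  "dst_port": 80},
    {"host": "SRV01", "process": "powershell.exe", "dst_ip": "93.184.216.34", "dst_port": 443},
]


def is_public(ip: str) -> bool:
    """True only for globally routable addresses. RFC 1918, loopback, link-local,
    multicast and the documentation ranges (192.0.2/24, 198.51.100/24,
    203.0.113/24) all come back False, so do not use TEST-NET addresses as
    'public' samples when testing a rule like this."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def hunt(events: Iterable[dict], allowlist: Iterable[str] = ()) -> list:
    """Events where a PowerShell host process connected to a public IP that is
    not inside an allowlisted CIDR (e.g. your update or package mirrors)."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowlist]
    hits = []
    for ev in events:
        if ev["process"].lower() not in POWERSHELL_HOSTS:
            continue
        if not is_public(ev["dst_ip"]):
            continue
        addr = ipaddress.ip_address(ev["dst_ip"])
        if any(addr in net for net in allowed):
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS, allowlist=["93.184.216.0/24"]):
        print(f'{ev["host"]}: {ev["process"]} -> {ev["dst_ip"]}:{ev["dst_port"]}')
```

Run it as-is and only the two unallowlisted public destinations are reported; the process-name check is case-insensitive because the agent may record the image name in either case.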

For Non-Technical Users:

No worries—SentinelOne’s Purple AI assistant can turn a plain-English question into the query for you. Paste the query into Deep Visibility, test it, and use it in your rule. No coding degree needed!


-------------------------------------------------------------------------------------------------------------


Next : Blocklist: The Gatekeeper

This tab is straightforward: you can block files by SHA1 hash. MD5 and SHA256 hashes are not accepted, and neither are paths. Keep in mind that a hash blocks exactly one build of a file, so a recompiled or padded variant slips past it.


Frustrating?

Not really! Use STAR custom rules to block by path or filename instead. Flexibility is the game here.


-------------------------------------------------------------------------------------------------------------


Next: Exclusions: Be Cautious!

Exclusions are where things get tricky. Think of it like this: every exclusion is a gate you open for potential attackers. Always:


  • Start with hash-based exclusions before moving to path-based ones.

  • Avoid broad exclusions like file types or browser categories. (Very Important)


Pro Tip: To exclude a specific file across all drives, use the device path form:

\Device\HarddiskVolume*\<folder>\<file>.exe

It’s better than excluding each drive letter separately!


SentinelOne also lets you choose the exclusion mode, which is effectively how much of the agent’s protection the exclusion bypasses.


Another thing to keep in mind:

Extended Exclusions and Reboot Requirement:

  • For the Interoperability - extended and Performance Focus - extended modes, a system reboot is required for the change to apply.


My recommendation: always use the Suppress Alerts exclusion mode, which bypasses the least protection.

It’s important to note that exclusions in SentinelOne follow a hierarchy and do not support endpoint-based exclusions directly. Exclusions can only be applied at the following levels:


  1. Account Level: Exclusions are applied across all sites and groups under the account.

  2. Site Level: Exclusions are applied to all groups within the specific site.

  3. Group Level: Exclusions are applied to all endpoints within the specific group.


Because endpoint-level exclusions are not supported, it is not possible to configure exclusions for a specific endpoint.


Solution

If you need to apply exclusions for a single endpoint, here's a workaround:


  • Create a new group: Move the specific endpoint into a new group.

  • Apply exclusions at the group level: Configure the exclusion for that group, ensuring that only the selected endpoint is affected.


This approach helps achieve endpoint-level exclusions indirectly, while maintaining compliance with SentinelOne's exclusion hierarchy.
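As an added example (my own toy model, not SentinelOne code), the following Python shows both behaviours together: policy inheritance from the Policies section above, and the additive scoping of exclusions plus the single-endpoint-group workaround from this section. Scope names, policy keys and exclusion paths are constructed for the demo.

```python
# Added example, not SentinelOne code: a toy model of the Account > Site > Group
# hierarchy this guide describes. Policy is resolved by inheritance (a level that
# inherits simply uses its parent's policy), while exclusions are additive (an
# endpoint is covered by every exclusion defined at or above its group).
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Scope:
    name: str
    parent: Optional["Scope"] = None
    inherit: bool = True                           # use the parent's policy?
    policy: dict = field(default_factory=dict)     # full policy when inherit=False
    exclusions: set = field(default_factory=set)   # exclusions defined at this level


def effective_policy(scope: Scope) -> dict:
    """Walk upward until a level that does not inherit (or the Account) is found."""
    while scope.inherit and scope.parent is not None:
        scope = scope.parent
    return scope.policy


def effective_exclusions(scope: Scope) -> frozenset:
    """Union of the exclusions from this level up to the Account."""
    out: set = set()
    while scope is not None:
        out |= scope.exclusions
        scope = scope.parent
    return frozenset(out)


def build_demo() -> dict:
    """Constructed hierarchy: one account, two sites, and the single-endpoint
    group workaround. Policy keys and values are hypothetical labels."""
    account = Scope("Acme", inherit=False,
                    policy={"mode": "protect", "level": "remediate"})
    london = Scope("London", parent=account)            # inherits the account policy
    us = Scope("US", parent=account, inherit=False,     # its own policy
               policy={"mode": "protect", "level": "kill_and_quarantine"})
    finance = Scope("London-Finance", parent=london,
                    exclusions={r"\Device\HarddiskVolume*\Apps\ledger.exe"})
    # Endpoint-level exclusions do not exist, so HOST42 gets a group of its own.
    host42_only = Scope("HOST42-only", parent=london,
                        exclusions={r"C:\Tools\legacy-agent.exe"})
    return {"account": account, "london": london, "us": us,
            "finance": finance, "host42_only": host42_only}


if __name__ == "__main__":
    for name, scope in build_demo().items():
        print(f"{name:12} policy={effective_policy(scope)} "
              f"exclusions={sorted(effective_exclusions(scope))}")
```

Note what the model makes visible: the Finance group's exclusion never reaches the London site or the HOST42 group, and the HOST42 group's exclusion reaches only that group, which is exactly why a one-endpoint group is the right vehicle for a one-endpoint exclusion.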

-------------------------------------------------------------------------------------------------------------


Next is : Network Control: Firewall and Network Quarantine

SentinelOne's firewall gives you fine-grained control over network traffic.

But should you enable it? Here’s my take:
  1. If your organization already runs a robust primary network firewall (e.g., Palo Alto, Fortinet), and Windows already ships its own Windows Defender Firewall, there may be no strong need to enable SentinelOne’s firewall. SentinelOne is primarily an EDR/XDR solution, and enabling its firewall can add unnecessary complexity to your setup.


    • When enabled, SentinelOne’s firewall (which runs inside the SentinelOne Agent) takes precedence over Windows Defender Firewall.

    • Managing both the SentinelOne firewall and your primary firewall can become cumbersome, especially if you lack resources for proper configuration and monitoring.


    Recommendation: If your organization is already managing firewalls effectively, it’s better to disable the SentinelOne firewall to avoid increasing the administrative workload.

    If you decide to enable it anyway, keep in mind how traffic flows through it:


    When traffic enters or exits an endpoint, the SentinelOne Agent enforces the rules in the configured Firewall Policy:

    • Rules are applied in top-down order: the first matching rule determines the action, so a specific allow must sit above the broad block it carves an exception from.

    • Block Action: The traffic is blocked immediately.

    • Allow Action: The traffic is permitted to proceed.

    • Traffic that matches no rule is not blocked by the SentinelOne firewall, so if you want default-deny, a catch-all block rule has to be the last rule in the list.


  2. For quarantined devices, Network Quarantine Feature shines

    SentinelOne’s Network Quarantine is an excellent feature: it isolates a compromised device while keeping the agent-to-console channel open, and the quarantine rules you define decide which other traffic (for example, your remote-support tool) is still allowed while the endpoint is isolated.


    Pre-Configuration: It’s advisable to configure this feature during initial setup so it’s ready to use in case of an incident.


    Benefit: There’s no need to reconfigure in the future, making it highly effective for incident response.



-------------------------------------------------------------------------------------------------------------

Next : Device Control: Lockdown Your Ports

Imagine controlling who gets USB access like a tech-savvy bouncer at a club.


The Device Control feature in SentinelOne allows administrators to manage and restrict device interfaces for enhanced endpoint security. Here’s a simplified explanation and example to clarify its functionality:

1. Configurable Interfaces: You can define rules to allow or block interfaces like:

  • USB

  • Thunderbolt

  • Bluetooth

2. USB Configuration Example: Let’s focus on USB as an example:

  • Rule Creation: Rules can be created based on attributes like:

    • Vendor ID

    • Class

    • Serial Number

  • Actions Available:

    • Allow and Write: Full access.

    • Read Only: Restricts write access.

    • Block: Completely disables access.


3. Additional Configurations

  • Customizable Options: There are numerous USB-specific settings available for fine-tuned control.

  • Rule Prioritization: Ensure rules are reordered to reflect organizational priorities, as rule order determines enforcement.
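As an added example (mine, not SentinelOne’s), here is a small first-match evaluator in Python that mirrors the top-down rule order shared by the Firewall Control section above and Device Control here: the same connection or the same USB device is allowed or blocked purely by where a rule sits in the list. Rule and event field names, vendor IDs and serial numbers are assumptions constructed for the demo.

```python
# Added example, not SentinelOne code: a first-match evaluator that mirrors the
# top-down rule order the guide describes for Firewall Control and Device Control.
# Field names in the rules and events are assumptions made for this example.
from dataclasses import dataclass
import fnmatch
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    action: str     # e.g. "allow", "block", "read_only"
    match: dict     # field -> pattern; every listed field must match


def field_matches(pattern, value) -> bool:
    """CIDR patterns match IP values, 'lo-hi' patterns match integer ports,
    anything else is a case-insensitive glob ('*' wildcard)."""
    if value is None:
        return False
    if isinstance(pattern, str) and "/" in pattern:
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    if isinstance(pattern, str) and "-" in pattern and isinstance(value, int):
        lo, hi = (int(x) for x in pattern.split("-", 1))
        return lo <= value <= hi
    return fnmatch.fnmatchcase(str(value).lower(), str(pattern).lower())


def evaluate(rules, event: dict, default: str = "allow"):
    """Return (action, rule name) from the first rule whose fields all match;
    the default applies when nothing matches."""
    for rule in rules:
        if all(field_matches(p, event.get(f)) for f, p in rule.match.items()):
            return rule.action, rule.name
    return default, "<no match>"


# Constructed firewall rules: the specific allow must sit above the broad block.
FIREWALL = [
    Rule("allow-rdp-from-jumphosts", "allow",
         {"direction": "in", "proto": "tcp", "dst_port": "3389", "src_ip": "10.10.0.0/24"}),
    Rule("block-rdp", "block", {"direction": "in", "proto": "tcp", "dst_port": "3389"}),
    Rule("block-smb-out", "block", {"direction": "out", "proto": "tcp", "dst_port": "445"}),
]

# Constructed USB rules: allow corporate security keys by vendor ID, read-only
# for approved drives by serial prefix, block every other mass-storage device.
USB = [
    Rule("corp-security-keys", "allow", {"interface": "usb", "class": "hid", "vendor_id": "1050"}),
    Rule("approved-drives", "read_only",
         {"interface": "usb", "class": "mass_storage", "serial": "ACME-*"}),
    Rule("block-mass-storage", "block", {"interface": "usb", "class": "mass_storage"}),
]


if __name__ == "__main__":
    rdp = {"direction": "in", "proto": "tcp", "dst_port": 3389, "src_ip": "10.10.0.5"}
    print(evaluate(FIREWALL, rdp))                       # allowed by the jump-host rule
    print(evaluate([FIREWALL[1], FIREWALL[0]], rdp))     # same traffic, wrong order: blocked
    print(evaluate(USB, {"interface": "usb", "class": "mass_storage",
                         "vendor_id": "0781", "serial": "ACME-0042"}))
```

Swapping the first two firewall rules is enough to lock the jump hosts out of RDP, which is the failure mode the "reorder to reflect priorities" advice is warning about; the USB list shows the same pattern with allow, read-only and block stacked from most to least specific.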

-------------------------------------------------------------------------------------------------------------

Next is : Packages: The Building Blocks

The Packages section in SentinelOne is where you can download and deploy agents for endpoints across different operating systems, including Windows, macOS, Linux, and Linux Kubernetes. Here's an overview of key points and recommendations:

1. Available Packages

You can access and download agent packages for:

  • Windows: Available in .exe and .msi formats.

  • Linux: Packages in .rpm and .deb formats.

  • macOS

  • Linux Kubernetes


2. Recommendations for Installation

  • Windows:

    • For a handful of manual installs, the .exe is simplest: run it and enter the site token when prompted.

    • For mass deployment (GPO, Intune, SCCM and similar), the .msi is the usual choice; it takes the token and other options as command-line parameters.

  • Linux:

    • Use the .deb package on Debian/Ubuntu-family systems and the .rpm package on RHEL/SUSE-family systems; the format follows the distribution, not a preference.

  • Documentation:

    • Refer to the Community Portal or Customer Portal for detailed installation guides specific to each OS.


3. Reboot Requirements

  • Newer Agent Versions: Starting from version 23.3 and later, rebooting the endpoint after installation is no longer required.

  • Older Agent Versions: A reboot may be necessary after installation.


4. Agent Updates

  • Lifecycle Management:

    • SentinelOne releases new agent versions every 3–6 months, depending on their update cycle.

    • Keep an eye on end-of-life (EOL) or EOS (end of support) for older packages on the Community Portal.

    • Using outdated agents may compromise performance and security as they no longer receive updates.


Manual Updates:
  • SentinelOne does not push agent updates on its own (unlike some competitors, such as CrowdStrike); agents upgrade only when you trigger an upgrade or configure an Upgrade Policy.

  • This controlled process helps avoid incidents like the infamous Blue Screen of Death caused by a rushed update in another vendor’s tool.


Pro Tip: Regularly check the Community Portal for announcements and update agents proactively to ensure you receive the latest security feeds and features.

-------------------------------------------------------------------------------------------------------------

Next Is: Upgrade Policies: Set It and Forget It

Use the Auto-Upgrade Policy to keep agents updated without breaking a sweat (if you want to; personally, I don’t recommend it). This ensures:

  1. Better security: Newer agents are more resilient to threats.

  2. Improved functionality: Who doesn’t like shiny new features?


-------------------------------------------------------------------------------------------------------------

The Final Tab: Site Info/Account/Group Info (Based on Level you are at)

The last tab acts as your dashboard for account/site/group details. It also holds the token for agent installation.

Pro Tip: Always double-check the token before installation. Installing with the wrong site or group token enrolls the endpoint under the wrong scope, so it receives that scope’s policy and exclusions instead of the ones you intended.
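As an added example (my own script, not SentinelOne’s tooling), here is a way to carry out that check programmatically. The site and group tokens I have decoded are base64 text wrapping a JSON object with the console URL and a site key; the field names url and site_key are an assumption drawn from that, so adjust them if your tenant’s tokens differ. The console hostname and the token built in the demo are constructed, not real.

```python
# Added example, not SentinelOne code: decode an installation token and confirm
# it points at the console you expect before handing it to the installer.
# Assumption: the token is base64 wrapping JSON with "url" and "site_key" keys.
import base64
import binascii
import json


def decode_token(token: str) -> dict:
    """Base64-decode the token and parse the JSON inside; raise ValueError on junk."""
    body = token.strip()
    body += "=" * (-len(body) % 4)          # tolerate stripped padding
    try:
        data = json.loads(base64.b64decode(body, validate=True).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"not a decodable token: {exc}") from exc
    if not isinstance(data, dict) or "url" not in data:
        raise ValueError("token JSON lacks a console url")
    return data


def check_token(token: str, expected_console: str) -> list:
    """Return a list of problems; an empty list means the token targets the
    expected console over HTTPS and carries a site key."""
    try:
        data = decode_token(token)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    url = str(data.get("url", ""))
    if not url.lower().startswith("https://"):
        problems.append(f"console url is not https: {url}")
    if url.rstrip("/").lower() != expected_console.rstrip("/").lower():
        problems.append(f"token targets {url}, expected {expected_console}")
    if not data.get("site_key"):
        problems.append("token carries no site_key")
    return problems


def make_demo_token(url: str, site_key: str) -> str:
    """Build a constructed token of the assumed shape for the demo (not a real key)."""
    return base64.b64encode(json.dumps({"url": url, "site_key": site_key}).encode()).decode()


if __name__ == "__main__":
    console = "https://example-console.sentinelone.net"   # hypothetical console
    good = make_demo_token(console, "demo-site-key")
    print(check_token(good, console))                             # []
    print(check_token(good, "https://other-console.sentinelone.net"))
    print(check_token("not a token!!", console))
```

Wire check_token into whatever deployment script hands the token to the installer and refuse to proceed on a non-empty list; the common real-world mistake it catches is a token copied from a different site (or a different tenant) in the console.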


-------------------------------------------------------------------------------------------------------------


Parting Wisdom

SentinelOne is like a Swiss Army knife—powerful, flexible, and capable of saving the day. But with great power comes great responsibility. Here’s my advice:


  1. Test before you deploy: Whether it’s a custom rule or an exclusion, ensure it works in your test environment first.

  2. Document everything: A well-documented setup makes troubleshooting and audits a breeze.

  3. Leverage support: SentinelOne’s support team is quick and helpful—don’t hesitate to reach out.


I hope this guide helps you. Remember, cybersecurity is not just a job—it’s a commitment to keeping the digital world safe. So go out there, configure those rules, lock down your endpoints, and be the superhero your organization needs!



I’ll pause the Sentinels tab here for now, as it’s time to work on another article! Until then, keep hunting and learning. See you soon! 😊
Happy SentinelOne managing! 🚀



