Let’s dive into two key sections of SentinelOne’s console: the Activity Tab and the Reports Tab.
Activity Tab: The Console’s Audit Log
Think of the Activity Tab as a comprehensive logbook for the management console. It records every action and change made, providing a clear audit trail of events.
Here’s what it does:
User Actions:
Tracks which users logged into the console and when.
Records actions like changes made to endpoints, policy modifications, exclusions added, and blocklists updated.
Log Fetching:
When you fetch logs from endpoints, the Activity Tab becomes your go-to place.
The logs are delivered in a ZIP format, making it easy to analyze them offline.
In simple terms, the Activity Tab serves as the management console’s audit logs, giving you transparency over everything happening in the console.
Pro Tip: fetching endpoint logs will be covered in more depth in the upcoming article on automation; for now, just remember that this tab is where the results will land.
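Because the Activity Tab is effectively the console's audit log, the entries it records (logins, policy modifications, exclusions added, blocklists updated, log fetches) are exactly what an analyst reviews when checking whether protection was quietly weakened. The script below is an added example, not part of the original article and not SentinelOne's own code or export format: it runs over a constructed set of audit records with assumed field names (`timestamp`, `user`, `activityType`, `detail`), flags the protection-weakening change types the article lists and any activity outside an assumed business-hours window, and summarises high-impact changes per console user.

```python
"""Triage helper for Activity-tab style audit records (added example).

Not SentinelOne's code. The record layout (timestamp, user, activityType,
detail) is a constructed approximation, not SentinelOne's real export or
API schema; adapt the field names to whatever your export actually contains.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records, shaped after the kinds of events the article
# says the Activity Tab records: console logins, policy changes, exclusions,
# blocklist updates and log fetches. Field names and values are assumptions.
SAMPLE_ACTIVITY = [
    {"timestamp": "2024-03-04T08:55:12Z", "user": "alice", "activityType": "user_login", "detail": "Console login"},
    {"timestamp": "2024-03-04T09:10:03Z", "user": "alice", "activityType": "policy_modified", "detail": "Group 'Servers': detection mode changed"},
    {"timestamp": "2024-03-04T23:41:50Z", "user": "bob", "activityType": "user_login", "detail": "Console login"},
    {"timestamp": "2024-03-04T23:43:17Z", "user": "bob", "activityType": "exclusion_added", "detail": "Path exclusion C:\\Temp\\*"},
    {"timestamp": "2024-03-04T23:44:02Z", "user": "bob", "activityType": "blocklist_updated", "detail": "Hash removed from blocklist"},
    {"timestamp": "2024-03-05T10:02:44Z", "user": "carol", "activityType": "logs_fetched", "detail": "Agent logs ZIP ready"},
]

# Change types that reduce protection deserve review regardless of who made them.
HIGH_IMPACT = {"exclusion_added", "blocklist_updated", "policy_modified"}

# Assumed change window: activity outside 07:00-19:00 UTC counts as off-hours.
BUSINESS_HOURS = range(7, 19)


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the constructed sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def flag_records(records, business_hours=BUSINESS_HOURS):
    """Return the records worth reviewing, each with the reason(s) it was flagged."""
    flagged = []
    for rec in records:
        reasons = []
        if rec["activityType"] in HIGH_IMPACT:
            reasons.append("protection-weakening change")
        if parse_ts(rec["timestamp"]).hour not in business_hours:
            reasons.append("off-hours")
        if reasons:
            flagged.append({**rec, "reasons": reasons})
    return flagged


def changes_per_user(records):
    """Count high-impact changes per console user for a quick review summary."""
    return Counter(r["user"] for r in records if r["activityType"] in HIGH_IMPACT)


if __name__ == "__main__":
    for rec in flag_records(SAMPLE_ACTIVITY):
        print(rec["timestamp"], rec["user"], rec["activityType"], "|", ", ".join(rec["reasons"]))
    print(dict(changes_per_user(SAMPLE_ACTIVITY)))
```

On the constructed sample, the daytime policy change by alice is flagged only as a protection-weakening change, while bob's late-night login, exclusion and blocklist edit are flagged on both counts, which is the kind of pattern you would want to cross-check against a change ticket before treating it as routine administration.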
Reports Tab: Scheduled or On-Demand Reporting
The Reports Tab is designed for generating insights in either a scheduled or on-demand manner.
Scheduled Reports:
Set it up to generate recurring reports for routine analysis.
One-Time Reports:
Create reports as needed for specific purposes or investigations.
The screenshot above gives a glimpse of the kind of reports you can generate.
Honest Opinion:
Personally, I’ve found SentinelOne’s reports to be less impressive compared to its other features. That said, reports are subjective—you might find them useful depending on your specific needs. So, I encourage you to explore this feature and decide if it suits your workflow.
That’s all for now on the Activity and Reports tabs. These tools may seem straightforward, but they hold valuable information for both forensic and operational tasks.
Stay tuned for the next article, where we’ll dive into logs and automation—a truly exciting topic!
Until then, keep learning and growing. See you soon! 😊