In this article, I’ll walk you through SentinelOne’s console, explaining how to navigate and utilize its powerful features. Think of this as part one of a series where we’ll dive deep into how SentinelOne works, what you can expect, and how it fits into forensic workflows. I’ll keep this as unbiased as possible, sharing my thoughts and experiences along the way.
-------------------------------------------------------------------------------------------------------------
Getting Started with the Console
When you first log in to the SentinelOne console, you’re greeted with a sleek, user-friendly interface. At the very top is the black strip, housing key navigation options and tools.
Let’s break this down:
Logo and Arrow: To the left, you’ll see the logo followed by an arrow. Clicking this arrow opens the hierarchical structure that SentinelOne uses to organize accounts, sites, and groups. Here’s a simplified example of how this works:
Global: If you’re an admin, this is your top level of access.
Accounts:
Let’s say you have a client named "ABC." You create an account for them under the Global level (each client gets a single account).
Example: Global/ABC
Sites:
Within that account, you can create sites based on locations or departments (you can create multiple sites).
Example: Global/ABC/London or Global/ABC/US
Groups:
Finally, within each site, you can create groups for further segmentation.
Example: Global/ABC/London/Finance or Global/ABC/US/Sales
Hierarchy in Action: Changes applied at the account level cascade down to all of that account’s sites and groups. Changes made at the site level affect only the groups within that site. Similarly, group-level changes don’t impact the broader site or account.
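To make the cascade rules concrete, here is a small model of the Global/Account/Site/Group tree. It is an added example written for this article, not SentinelOne’s own code: scopes, setting names such as `ransomware_engine` and `usb_control`, and the `apply_change` helper are all constructed for illustration. Each scope stores only what was set explicitly at that level, and the effective configuration is resolved by walking up to the parent, which is what makes an account-level change reach every site and group unless a lower level overrides the same key.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Scope levels in the order the console nests them (constructed model of the
# Global/Account/Site/Group tree described above, not SentinelOne's own code).
LEVELS = ("global", "account", "site", "group")


@dataclass
class Scope:
    """One node in the tree. `settings` holds only what was set explicitly at this
    node; everything else is inherited from the parent at resolution time."""
    name: str
    level: str
    parent: Optional["Scope"] = None
    settings: Dict[str, str] = field(default_factory=dict)

    def effective(self) -> Dict[str, str]:
        """Resolve settings by walking up the tree. A key set at a lower level
        overrides the same key set higher up, which is why an account-level
        change reaches every site and group unless one of them overrides it."""
        inherited = {} if self.parent is None else self.parent.effective()
        return {**inherited, **self.settings}


def build_tree(paths: List[str]) -> Dict[str, Scope]:
    """Create Scope nodes from 'Global/ABC/London/Finance'-style paths, keyed by path."""
    nodes = {"Global": Scope("Global", LEVELS[0])}
    for path in paths:
        parts = path.split("/")
        for depth in range(1, len(parts)):
            key = "/".join(parts[: depth + 1])
            if key not in nodes:
                parent = nodes["/".join(parts[:depth])]
                nodes[key] = Scope(parts[depth], LEVELS[depth], parent=parent)
    return nodes


def apply_change(nodes: Dict[str, Scope], path: str, key: str, value: str) -> List[str]:
    """Set `key` at one scope and return the paths of every scope whose *effective*
    value actually changed: the scope itself plus the descendants that inherit it."""
    before = {p: n.effective().get(key) for p, n in nodes.items()}
    nodes[path].settings[key] = value
    return sorted(p for p, n in nodes.items() if n.effective().get(key) != before[p])


def demo() -> Dict[str, List[str]]:
    """Walk through the cascade rules with the article's example tree."""
    nodes = build_tree(["Global/ABC/London/Finance", "Global/ABC/US/Sales"])
    results = {}
    # Account-level change: cascades to both sites and both groups.
    results["account"] = apply_change(nodes, "Global/ABC", "ransomware_engine", "protect")
    # Site-level change: reaches only London and its groups, never US/Sales.
    results["site"] = apply_change(nodes, "Global/ABC/London", "usb_control", "block")
    # Group-level override: affects Finance alone.
    results["group"] = apply_change(nodes, "Global/ABC/London/Finance", "ransomware_engine", "detect")
    # A later account-level change lands everywhere except where a lower level
    # already overrides that key (Finance keeps its own value).
    results["account_again"] = apply_change(nodes, "Global/ABC", "ransomware_engine", "detect")
    return results


if __name__ == "__main__":
    for step, affected in demo().items():
        print(f"{step:14s} -> {affected}")
```

The last step is the one worth remembering when auditing a tenant: after a group has overridden a setting, a later account-level change silently skips that group, so an "everything inherits from the account" assumption can hide a group that is still running the older value.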
-------------------------------------------------------------------------------------------------------------
Singularity Marketplace
The next item on the black strip is the Singularity Marketplace. This is where SentinelOne shines in its ability to integrate logs and alerts from over 130 third-party tools—think AWS, Microsoft, GitHub, Palo Alto, Zscaler, Duo, and even tools like Recorded Future for threat enrichment.
The Backstory: This feature became possible after SentinelOne acquired Scalyr in 2021. Scalyr was a cloud-native data analytics platform designed to handle massive log data at high speed. With this integration, SentinelOne elevated its XDR platform, allowing you to analyze and act on data from multiple sources in real time.
If you’re wondering whether you can integrate your tools into SentinelOne, the community portal has step-by-step guides for each integration. While I won’t dive into the "how-to" here, I recommend checking those out.
Spoiler alert: it’s pretty straightforward.
-------------------------------------------------------------------------------------------------------------
Cloud-Native Security
Another noteworthy feature on the top strip is Cloud-Native Security. This tool focuses on protecting cloud resources with features like:
Agentless Onboarding: Create an inventory of assets within minutes.
Verified Exploit Paths™: Simulate attacks to identify exploitable vulnerabilities.
Secrets Management: Detect hardcoded secrets (over 800 types!).
Real-Time Compliance: Monitor cloud compliance across frameworks like PCI-DSS, SOC2, HIPAA, and more.
While I won’t delve deep into this feature for now, it’s an excellent addition for teams managing hybrid infrastructures.
-------------------------------------------------------------------------------------------------------------
Help and API Documentation
Clicking on "Help" provides access to:
Offline Help: A repository of guides and documents (though these aren’t always up-to-date).
Customer Portal: The go-to for creating support tickets and accessing the most current documentation.
API Documentation: A treasure trove for automation enthusiasts. SentinelOne’s API allows you to:
Manage endpoints (e.g., quarantining devices).
Perform threat analysis and hunting.
Automate workflows like isolating infected endpoints or running scans.
Integrate with SIEMs and IT management platforms using RESTful APIs.
If you’re technically inclined, this is worth exploring. APIs are like the glue that can bind your security operations together.
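As an added example of the kind of automation the API section describes (written for this article, not taken from SentinelOne’s API documentation), the script below builds authenticated requests, pages through a threats listing, reduces each page to the threats that are still unmitigated, and prepares a network-disconnect request for the affected agents. The endpoint paths (`web/api/v2.1/threats`, `agents/actions/disconnect`), the `ApiToken` header format, the `cursor`/`nextCursor` paging fields and the response field names are assumptions you should verify against the API documentation in your own console; the `SAMPLE_PAGE` response is constructed so the parsing runs offline.

```python
import json
import urllib.parse
import urllib.request
from typing import Dict, Iterator, List, Optional

# Assumptions (verify against the API docs in your own console): the Management API
# lives under /web/api/v2.1/, authenticates with "Authorization: ApiToken <token>",
# lists threats at GET threats, pages with a `cursor` query parameter and a
# pagination.nextCursor field, and network-disconnects agents with
# POST agents/actions/disconnect and a {"filter": {"ids": [...]}} body.
API_PREFIX = "web/api/v2.1"


def build_request(base_url: str, api_token: str, path: str,
                  params: Optional[Dict[str, str]] = None,
                  body: Optional[dict] = None) -> urllib.request.Request:
    """Build an authenticated GET (no body) or POST (JSON body) request."""
    url = f"{base_url.rstrip('/')}/{API_PREFIX}/{path.lstrip('/')}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = urllib.request.Request(url, data=data, method="GET" if body is None else "POST")
    req.add_header("Authorization", f"ApiToken {api_token}")
    req.add_header("Content-Type", "application/json")
    return req


def unmitigated(page: dict) -> List[Dict[str, str]]:
    """Reduce one page of the threats listing to the items still needing action."""
    rows = []
    for threat in page.get("data", []):
        info = threat["threatInfo"]
        if info.get("mitigationStatus") == "mitigated":
            continue
        agent = threat.get("agentRealtimeInfo", {})
        rows.append({
            "threat_id": threat["id"],
            "name": info.get("threatName", ""),
            "status": info.get("mitigationStatus", ""),
            "agent_id": agent.get("agentId", ""),
            "host": agent.get("agentComputerName", ""),
        })
    return rows


def next_cursor(page: dict) -> Optional[str]:
    """Cursor for the following page, or None when the listing is exhausted."""
    return page.get("pagination", {}).get("nextCursor")


def quarantine_request(base_url: str, api_token: str, agent_ids: List[str]) -> urllib.request.Request:
    """Request that disconnects the given agents from the network (they stay
    reachable by the console). The id list is the filter, so keep it explicit."""
    return build_request(base_url, api_token, "agents/actions/disconnect",
                         body={"filter": {"ids": agent_ids}})


def iter_threats(base_url: str, api_token: str, limit: int = 100) -> Iterator[dict]:
    """Follow the cursor through the whole threats listing (live call, not exercised here)."""
    cursor = None
    while True:
        params = {"limit": str(limit)}
        if cursor:
            params["cursor"] = cursor
        with urllib.request.urlopen(build_request(base_url, api_token, "threats", params)) as resp:
            page = json.load(resp)
        yield from page.get("data", [])
        cursor = next_cursor(page)
        if not cursor:
            return


# Constructed sample page shaped like a threats listing response (not captured from a real console).
SAMPLE_PAGE = {
    "data": [
        {"id": "1001",
         "threatInfo": {"threatName": "eicar.com", "mitigationStatus": "mitigated"},
         "agentRealtimeInfo": {"agentId": "a-1", "agentComputerName": "LON-FIN-01"}},
        {"id": "1002",
         "threatInfo": {"threatName": "dropper.ps1", "mitigationStatus": "not_mitigated"},
         "agentRealtimeInfo": {"agentId": "a-2", "agentComputerName": "US-SALES-07"}},
    ],
    "pagination": {"nextCursor": "cursor-page-2", "totalItems": 2},
}

if __name__ == "__main__":
    for row in unmitigated(SAMPLE_PAGE):
        print(row)
    req = quarantine_request("https://example-tenant.invalid", "TOKEN-PLACEHOLDER", ["a-2"])
    print(req.get_method(), req.full_url, req.data)
```

Two practical notes: the API token carries whatever scope the user who generated it has in the Account/Site/Group hierarchy, so generate automation tokens from a dedicated least-privilege user rather than an administrator; and the disconnect call is built as a separate request on purpose, so a script can list and review first and only send the response action after a human or a policy check approves the agent ids.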
-------------------------------------------------------------------------------------------------------------
MITRE Framework Integration
Next up is the MITRE Framework integration. SentinelOne maps detected threats to MITRE ATT&CK TTPs (Tactics, Techniques, and Procedures). For each detection, you’ll see indicators and detailed insights, making it easier to understand the attack and respond effectively.
-------------------------------------------------------------------------------------------------------------
Understanding User Details, Time Settings, and Enhanced Deep Visibility in SentinelOne
User Account Overview
At the far right of the black navigation strip, you’ll find your user account details. This section includes the following:
Account Information: Displays your account name and the access level granted to you within SentinelOne (e.g., Administrator, Viewer).
Logout Option: A simple way to log out of your SentinelOne console for security purposes. Click the option labeled "Logout" (and yes, it does what it says!).
Customizing Time Settings
You can configure the time settings of your SentinelOne console to suit your preferences. Options include:
Local Browser Time: Matches the console’s time display to your local browser's time zone.
UTC: Displays all timestamps in Coordinated Universal Time for standardization across global operations.
Changing Themes
The SentinelOne console allows you to switch between themes for better usability:
Light Mode: A brighter interface suited for well-lit environments.
Dark Mode: A dimmed interface for better visibility in low-light environments, reducing strain on your eyes.
Deep Visibility: From Legacy (S1QL) to Enhanced (S2QL)
SentinelOne’s Deep Visibility feature empowers you with advanced threat-hunting capabilities. Initially based on S1QL, the platform has evolved to use the enhanced S2QL query language, which offers better efficiency and usability.
S1QL (Legacy): The older query system, which some users may still find familiar and easier to navigate.
S2QL (Enhanced): A modernized, streamlined query language for more powerful and intuitive threat hunting.
You can choose which query system to use based on your comfort level and needs. In later articles I will cover both the Legacy Console and Enhanced Deep Visibility, making the transition to the newer system easier to understand.
Singularity Operations Center (SOC)
At the time of this blog’s creation, SentinelOne provides an option to toggle between the Legacy Console and the updated Singularity Operations Center.
Why Choose Legacy Console First?
I will start with the Legacy Console setup to help you understand the foundational concepts. Once that’s clear, we’ll explore the updated console for advanced operations. The choice of console is yours, but this approach ensures an incremental and thorough learning experience.
-------------------------------------------------------------------------------------------------------------
Left-Hand Navigation
We’ve explored the top black strip. In the next articles, we’ll dive into the left-hand navigation bar and break down each section; for now, here are a few of the main things you’ll find there:
Dashboard: Get a bird’s-eye view of your organization’s security posture.
Threats: Investigate and manage detected threats.
Activity: Monitor endpoint activity.
Policies: Create and manage security policies.
Reports: Generate detailed insights for compliance and review.
-------------------------------------------------------------------------------------------------------------
In the upcoming sections, we’ll dive into the SentinelOne interface and explore its functionality in detail. Stay tuned!
Akash Patel