When it comes to day-to-day security operations, the Incidents tab in SentinelOne is where most of the action happens. It is the go-to place for SOC analysts, alert monitoring teams, and DFIR (Digital Forensics and Incident Response) professionals like me to analyze and respond to alerts.
Let’s break it down step by step.
------------------------------------------------------------------------------------------------------------
Hierarchy in SentinelOne: A Quick Refresher
Before diving in, remember the hierarchy structure in SentinelOne that governs what alerts you can see. It works just like we discussed in other articles:
Group Level: You only see alerts related to endpoints within that group.
Site Level: You see alerts for all groups under that site.
Account Level: You see alerts across all sites and groups under your organization.
Example
Imagine a company named ABC:
ABC has two sites: London and Melbourne.
London contains two groups: CD and FS.
Melbourne contains two groups: EF and GS.
If you’re working at:
Group Level (EF): You’ll see alerts only for endpoints in EF: Global > ABC > Melbourne > EF
Site Level (Melbourne): You’ll see alerts for EF and GS: Global > ABC > Melbourne
Account Level (ABC): You’ll see alerts for all endpoints across both sites (London and Melbourne): Global > ABC
Easy, right? This hierarchy is key to understanding where to find and analyze alerts.
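To make the scoping rule concrete, here is a small added example (my own illustration, not SentinelOne code) that models the Global > Account > Site > Group breadcrumb as a path prefix and filters a constructed set of alerts by the scope a user is working at. The alert records, endpoint names and the second account XYZ are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    alert_id: str
    endpoint: str
    scope: tuple  # ("Global", account, site, group) the endpoint sits under


# Constructed alerts for the ABC example; a second account (XYZ) shows isolation between accounts.
ALERTS = [
    Alert("A-1", "ldn-ws01", ("Global", "ABC", "London", "CD")),
    Alert("A-2", "ldn-ws02", ("Global", "ABC", "London", "FS")),
    Alert("A-3", "mel-ws01", ("Global", "ABC", "Melbourne", "EF")),
    Alert("A-4", "mel-ws02", ("Global", "ABC", "Melbourne", "GS")),
    Alert("A-5", "syd-ws01", ("Global", "XYZ", "Sydney", "HR")),
]

LEVEL_NAMES = {1: "global", 2: "account", 3: "site", 4: "group"}


def parse_scope(path: str) -> tuple:
    """Turn the breadcrumb 'Global > ABC > Melbourne > EF' into a tuple of levels."""
    return tuple(part.strip() for part in path.split(">") if part.strip())


def scope_level(path: str) -> str:
    """Name the level a breadcrumb points at, by its depth."""
    return LEVEL_NAMES.get(len(parse_scope(path)), "unknown")


def visible_alerts(user_scope: str, alerts=ALERTS) -> list:
    """An alert is visible when the endpoint's scope starts with the user's scope:
    a group user sees one group, a site user every group under the site, and an
    account user every site and group under the account."""
    prefix = parse_scope(user_scope)
    return [a for a in alerts if a.scope[: len(prefix)] == prefix]


if __name__ == "__main__":
    for path in ("Global > ABC > Melbourne > EF", "Global > ABC > Melbourne", "Global > ABC"):
        ids = [a.alert_id for a in visible_alerts(path)]
        print(f"{scope_level(path):8} {path:30} -> {ids}")
```

Running it prints one line per scope from the text: the EF group user sees only A-3, the Melbourne site user sees A-3 and A-4, and the ABC account user sees A-1 to A-4 but never the XYZ account's alert.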
------------------------------------------------------------------------------------------------------------
At the top of the tab, you'll find a filtering section that allows you to apply various filters to refine your view based on specific criteria. Additionally, there is a free-text search option for quick and flexible searching. These features are straightforward and intuitive, requiring no detailed explanation.
------------------------------------------------------------------------------------------------------------
Incidents Tab Overview
When you open the Incidents tab, you’ll notice two key sections:
Threats
Alerts
Let’s explore each of these tabs.
------------------------------------------------------------------------------------------------------------
Before diving deeper, I often encounter a common question:
"If the file is legitimate and the hash is clean, why does SentinelOne flag it?"
My response is simple yet important to understand—SentinelOne operates based on its advanced engine, leveraging behavioral analysis and TTPs (Tactics, Techniques, and Procedures).
In such cases, certain indicators trigger detections, and SentinelOne flags the file. At this point, it’s up to the analyst or security team to review the detection and determine whether it’s a false positive. If it is, exclusions can be applied.
It’s important to highlight that the detection itself doesn’t mean the tool is flawed—quite the contrary. SentinelOne is exceptionally capable and highly effective.
However, misunderstandings often arise when users lack knowledge of its functionality.
So, if a legitimate file gets quarantined, don’t rush to criticize SentinelOne or any EDR solution. Instead, consider whether the detection process is being utilized and understood properly. The tool isn’t at fault; it’s a matter of knowing how to leverage its capabilities.
SentinelOne is an outstanding solution—it just requires proper expertise to harness its full potential.
------------------------------------------------------------------------------------------------------------
Threats Tab
The Threats tab displays alerts triggered by SentinelOne’s engines. These engines analyze endpoint behavior to detect malicious activity or anomalies. Alerts here are based on predefined policies.
(We have talked about engines in our Sentinels article. Do check it out: link below.)
Key Features:
If a file or activity violates a policy or is deemed malicious, it generates an alert under the Threats tab.
SentinelOne uses two detection types, static and dynamic, to evaluate threats.
Static Detection
Static detection means the file was flagged before execution—based on its hash, signature, or other static indicators.
What to Expect in Static Alerts:
Overview Tab: Summarizes the alert and provides details like file path, hash, and who initiated the quarantine action.
Explorer Tab: Empty for static alerts because the file hasn’t executed yet.
Timeline Tab: Displays event details, such as who resolved the alert or issued quarantine commands.
Analysis Tips for Static Alerts:
Check the hash and the file path, and verify whether the file is signed.
Use Deep Visibility (if enabled) for further investigation.
Dynamic Detection
Dynamic detection occurs when a file or process exhibits suspicious behavior during execution. SentinelOne identifies this activity and triggers an alert.
What to Expect in Dynamic Alerts:
Overview Tab: Lists basic alert information.
Explorer Tab:
If you check the Explorer Tab in the dynamic alert interface, you'll notice it provides comprehensive details presented visually, such as execution graphs (as shown in the screenshot) and detailed insights into indicators, processes, files, and related events.
Files:
This section includes information about all file-related activities, such as scheduled tasks, prefetch data, and other details related to the Windows file system. It gives a granular view of actions performed on or by files.
Processes: A Story in Motion
When analyzing processes, I like to think of them as storytellers. They reveal how an event unfolded, step by step. Let’s take an example from the screenshot.
Here’s what I see:
A cmd command was executed.
That command triggered a batch script (hidden in this instance).
The script initiated the FreeFileSync application.
The process continued until SentinelOne flagged the activity.
Since SentinelOne detected something suspicious or potentially malicious, it intervened, stopping further execution.
This proactive response is the reason the malicious process couldn't proceed further.
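The Explorer tab draws this story from parent/child process links. As an added example (my own code, not SentinelOne's), here is how the same chain can be rebuilt from flat process-start telemetry: follow ppid links from the process the agent acted on back to its earliest ancestor, then render each hop as a sentence. The events, PIDs, paths and the "killed by agent" outcome are constructed to mirror the cmd > batch script > FreeFileSync story above.

```python
# Constructed telemetry; field names are assumptions for this example, not an agent schema.
EVENTS = [
    {"pid": 4100, "ppid": 812, "image": "explorer.exe",
     "cmdline": "explorer.exe", "window": "visible", "outcome": "running"},
    {"pid": 5120, "ppid": 4100, "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "C:\\Users\\Public\\sync.bat"', "window": "hidden", "outcome": "running"},
    {"pid": 5210, "ppid": 5120, "image": "FreeFileSync.exe",
     "cmdline": '"C:\\Program Files\\FreeFileSync\\FreeFileSync.exe" sync.ffs_batch',
     "window": "hidden", "outcome": "killed by agent"},
    {"pid": 6001, "ppid": 4100, "image": "notepad.exe",  # unrelated sibling, should not appear
     "cmdline": "notepad.exe", "window": "visible", "outcome": "running"},
]


def index_by_pid(events):
    return {e["pid"]: e for e in events}


def flagged_pids(events):
    """Processes the agent acted on (anything whose outcome is not plain 'running')."""
    return [e["pid"] for e in events if e["outcome"] != "running"]


def ancestry(events, pid):
    """Follow ppid links from the flagged process back to the earliest ancestor in telemetry.
    The 'seen' set stops the walk if PID reuse ever makes a ppid chain circular."""
    by_pid = index_by_pid(events)
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def narrate(events, pid):
    """Render the chain as the step-by-step story an analyst reads off the Explorer tab."""
    chain = ancestry(events, pid)
    steps = []
    for parent, child in zip(chain, chain[1:]):
        hidden = " (hidden window)" if child["window"] == "hidden" else ""
        steps.append(
            f"{parent['image']} (pid {parent['pid']}) started {child['image']}{hidden}: {child['cmdline']}"
        )
    last = chain[-1]
    if last["outcome"] != "running":
        steps.append(f"{last['image']} (pid {last['pid']}) was {last['outcome']}; nothing ran after it")
    return steps


if __name__ == "__main__":
    for flagged in flagged_pids(EVENTS):
        print("\n".join(narrate(EVENTS, flagged)))
```

The unrelated notepad.exe sibling never shows up because the walk only follows parent links upward from the flagged process; that is the same reason the Explorer graph stays focused on the chain that led to the detection rather than everything the user ran that day.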
Additional Details You Can Derive
Dynamic alerts can also provide the following (not present in the screenshot above):
Registry Information: Key registry changes associated with the event.
Network Actions: Information about network activity, such as the destination IP, port details, and more.
------------------------------------------------------------------------------------------------------------
Looking Ahead
This overview gives you a strong foundation for understanding the Threats Tab and analyzing alerts effectively. I haven't included specifics about registry or network actions in this example, as this series doesn’t yet focus on alert analysis.
Let me know if you'd like a deeper dive into those aspects. If there's interest, I’d be happy to create a similar series dedicated to alert analysis!
------------------------------------------------------------------------------------------------------------
Alerts Tab Overview
The Alerts Tab is your central hub for monitoring all alerts generated based on the rules you’ve created in the backend. Here's how it works:
Alert Generation:
If you’ve set up a rule to block specific files, any detection matching that rule will result in the file being blocked, and you’ll see an alert in the Alerts Tab. If the rule is set to detect-only mode, the system will flag the file as detected without blocking it and still generate an alert for your review.
Taking Action:
Once an alert is triggered and appears in the Alerts Tab, you can decide what action to take directly from the backend. For example, as shown in the screenshot, you can block, isolate, or further investigate the detected threat.
Pro Tip: Use STAR Custom Rules
From the very beginning, I’ve emphasized the importance of STAR Custom Rules. These rules allow you to go beyond just responding to SentinelOne's out-of-the-box detections.
By building your own comprehensive detection rules, you can:
Tailor detections to your organization’s unique needs.
Proactively identify threats specific to your environment.
Gain maximum value from SentinelOne by leveraging its full potential.
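The block-versus-detect distinction above is easy to get wrong in practice, so here is an added example (my own simplified rule evaluator, not STAR rule syntax or SentinelOne code) showing that a matching rule always produces an alert while only a block-mode rule also records a block action. The rule format, field names and events are constructed for the example.

```python
import fnmatch

# Constructed rules in a simplified format of my own, not STAR rule syntax.
RULES = [
    {"name": "Batch script run from a world-writable folder", "mode": "block",
     "match": {"image": "cmd.exe", "cmdline": "*\\users\\public\\*.bat*"}},
    {"name": "Sync utility spawned by a shell", "mode": "detect",
     "match": {"image": "freefilesync.exe", "parent_image": "cmd.exe"}},
]

# Constructed events; field names are assumptions for this example.
EVENTS = [
    {"pid": 5120, "image": "cmd.exe", "parent_image": "explorer.exe",
     "cmdline": 'cmd.exe /c "C:\\Users\\Public\\sync.bat"'},
    {"pid": 5210, "image": "FreeFileSync.exe", "parent_image": "cmd.exe",
     "cmdline": '"C:\\Program Files\\FreeFileSync\\FreeFileSync.exe" sync.ffs_batch'},
    {"pid": 6001, "image": "notepad.exe", "parent_image": "explorer.exe", "cmdline": "notepad.exe"},
]


def matches(rule, event):
    """Every field in the rule must glob-match the event; comparison is case-insensitive,
    like Windows paths, and a missing field is treated as empty so it never matches."""
    return all(
        fnmatch.fnmatchcase(str(event.get(field, "")).lower(), pattern.lower())
        for field, pattern in rule["match"].items()
    )


def evaluate(rules, events):
    """Both modes raise an alert for review; only block mode also records a block action."""
    alerts = []
    for event in events:
        for rule in rules:
            if matches(rule, event):
                alerts.append({
                    "rule": rule["name"],
                    "pid": event["pid"],
                    "image": event["image"],
                    "mode": rule["mode"],
                    "action": "blocked" if rule["mode"] == "block" else "none (detect-only)",
                })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(RULES, EVENTS):
        print(f"[{alert['mode']:6}] pid {alert['pid']} {alert['image']}: {alert['rule']} -> {alert['action']}")
```

A useful habit this illustrates: start a new custom rule in detect mode, confirm from the alerts it raises that it matches only what you intended, and switch it to block mode afterwards.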
------------------------------------------------------------------------------------------------------------
Important Points About Handling Alerts in SentinelOne
Why Some Alerts Aren’t Quarantined:
Occasionally, you may notice alerts on endpoints under a Protect policy that should have triggered a quarantine action but didn’t. This can happen for several reasons, such as:
The endpoint was offline when the alert occurred.
Network connectivity issues prevented the quarantine command from being executed.
In such cases, if you determine the file is malicious, ensure you manually issue the quarantine command from the backend. Always verify the action has been applied successfully.
Handling False Positives and File Recovery:
If SentinelOne mistakenly quarantines a legitimate file due to a false positive, it’s possible to recover the file using the unquarantine command. However, there are critical steps to follow:
Whitelist First: Before unquarantining, add the file to the whitelist using its hash or path. This prevents the same file from being flagged and quarantined again.
Check File Integrity: Be cautious; in some cases, quarantined files may become corrupted during the process. If the file is critical, test its integrity immediately after recovery to ensure it’s usable.
Regarding unquarantine failures: I was facing this issue earlier, but it's sorted out now, so I think we're good and this isn't happening anymore. The tip above still stands: whitelist first, then unquarantine is the best method.
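Here is the recovery procedure above as an added, runnable example (my own illustration with a constructed in-memory stand-in for the console; it does not call SentinelOne's API). It enforces the order the text recommends, whitelist first and unquarantine second, keeps an audit trail you can check to confirm each action was applied, and compares the restored file's hash with the hash recorded at quarantine time to catch a corrupted restore. SHA-1 is used here; compare against whichever hash the threat overview shows you.

```python
import hashlib
import os
import tempfile


def sha1_of(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


class Console:
    """Constructed stand-in for the management console; it does not talk to SentinelOne."""

    def __init__(self):
        self.exclusions = set()  # allowlisted hashes and paths
        self.vault = {}          # threat_id -> (original path, bytes, sha1 at quarantine time)
        self.audit = []          # actions applied; the trail you check to confirm an action took effect

    def quarantine(self, threat_id: str, path: str):
        with open(path, "rb") as f:
            data = f.read()
        self.vault[threat_id] = (path, data, sha1_of(data))
        os.remove(path)
        self.audit.append(("quarantine", threat_id))

    def add_exclusion(self, value: str):
        self.exclusions.add(value)
        self.audit.append(("exclusion", value))

    def unquarantine(self, threat_id: str, corrupt_restore: bool = False):
        path, data, sha1 = self.vault[threat_id]
        if sha1 not in self.exclusions and path not in self.exclusions:
            raise RuntimeError("no exclusion for hash or path; restored file would be quarantined again")
        with open(path, "wb") as f:
            f.write(data[:-1] if corrupt_restore else data)  # corrupt_restore simulates a damaged restore
        del self.vault[threat_id]
        self.audit.append(("unquarantine", threat_id))
        return path, sha1


def recover_false_positive(console: Console, threat_id: str, corrupt_restore: bool = False) -> dict:
    """Whitelist first, then unquarantine, then verify the restored file against the recorded hash."""
    _, _, sha1 = console.vault[threat_id]
    console.add_exclusion(sha1)                                         # step 1: whitelist first
    path, expected = console.unquarantine(threat_id, corrupt_restore)   # step 2: restore
    with open(path, "rb") as f:
        actual = sha1_of(f.read())                                      # step 3: integrity check
    return {
        "path": path,
        "restored": os.path.exists(path),
        "integrity_ok": actual == expected,
        "actions": [a[0] for a in console.audit],
    }


def demo(corrupt_restore: bool = False, skip_whitelist: bool = False) -> dict:
    """Run the workflow on a constructed file in a temporary directory."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "FreeFileSync.exe")  # constructed sample, not a real binary
    with open(path, "wb") as f:
        f.write(b"MZ constructed sample, not a real binary")
    console = Console()
    console.quarantine("T-1", path)
    if skip_whitelist:
        try:
            console.unquarantine("T-1")
        except RuntimeError as err:
            return {"error": str(err)}
    return recover_false_positive(console, "T-1", corrupt_restore)


if __name__ == "__main__":
    print("normal recovery:   ", demo())
    print("corrupted restore: ", demo(corrupt_restore=True))
    print("skipped whitelist: ", demo(skip_whitelist=True))
```

The corrupted-restore run is the case the "Check File Integrity" step exists for: the file is back on disk, so a quick look would say recovery succeeded, but the hash mismatch shows it is not the file that was quarantined.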
The Importance of Indicators in SentinelOne:
SentinelOne’s Indicators are a crucial aspect of threat analysis. Unlike some tools where indicators are merely informational, in SentinelOne, they often provide actionable insights.
For example, if an alert doesn’t seem overtly malicious but includes an indicator like Pass-the-Hash Attack, treat it seriously.
Fetch additional logs, analyze thoroughly, and escalate if necessary. Indicators can reveal subtle or advanced malicious activity that might otherwise be missed.
Pro Tip: Trust the indicators and investigate thoroughly, even when the rest of the alert looks benign. From experience, indicators in SentinelOne often lead to uncovering hidden or sophisticated threats.
------------------------------------------------------------------------------------------------------------
I’ll pause here for now on the Incidents tab, as it’s time to work on another article! Until then, keep hunting and learning. See you soon! 😊
Happy Hunting! 🚀