Article HTML content
Procedure
SentinelOne Assessment & Recommendations
1 Purpose and Scope
1.1 Purpose
We gathered best practices for policy management from SentinelOne experts and from our wide global install base. Best practices depend on why, how, and when you use policies.
Important! Manual judgment is required, based on your organization's culture, requirements, regulation compliance, and other proprietary factors. Keep in mind your Risk Level Management processes, as you balance your policies between security automation and performance.
1.2 Scope
SentinelOne Singularity platform is an industry-first data lake that seamlessly fuses together the data, access, control, and integration planes of its endpoint protection (EPP), endpoint detection and response (EDR), IoT security, and cloud workload protection (CWPP) into a centralized platform. With Singularity, organizations gain access to back-end data across the organization through a single solution, providing a cohesive view of their network and assets by adding a real time, autonomous security layer across all enterprise assets.
1.3 Required items
1.3.1 Information
For this project, we require all company’s sites which is XXXX default site. In addition to that, we require information about all sub-groups which are part of it.
1.3.2 Access
Before performing the detailed analysis, we require the dashboard access which is https://usea1-014.sentinelone.net Also, User account with Admin credentials to access all Console features and actions in the assigned scope.
2 Best practices
2.1 Site/Group
2.1.1 Policy mode
Best Practices for Policy Mode Settings
A Common Use Case:
- The majority of endpoints get the default Protect/Detect policy.
- The server that manages the assembly line gets a Detect/Detect policy.
- A small group of endpoints that test the latest version of the Agent get a Protect/Protect policy for a limited time, to benchmark the false-positive ratio.
2.1.1.1 Policy Engines
Actions that were available in earlier versions in Network > Advanced or Sentinels > Advanced are now in Sentinels > Actions. In the Actions list, users see the options available for their role and the selected endpoints.
Tip: Use the search at the top of the list to find an option quickly.
These features require Advanced Mode to be enabled:
- Change the Protect Level in Sentinels > Policy.
By default, when you set a policy to Protect, the Agents run Kill and Quarantine automatically. In Advanced Mode, you can change automatic mitigation to include Remediate or Remediate and Rollback. This option only shows if Threats or Suspicious are set to Protect.
- Enable or disable the Detect Interactive Threat engine in Sentinels > Policy.
This engine is part of the Behavioral AI and focuses on insider threats (for example, an authenticated user runs malicious actions from a CMD or PowerShell command line). This engine detects malicious commands in interactive sessions.
Detect Interactive Threat is disabled by default. To protect your endpoints from malicious commands that are entered in a CLI, enable this engine. But, if you enable this engine for endpoints of active end users of CLIs, you may expect a number of false positives. (Windows only)
- Change the Management URL in Settings > Configuration > Management URL.
See and edit the URL of the Management Console. This is necessary for notifications and SSO. It must be the real URL of your management instance.
To enable Advanced mode:
- In the sidebar, click -> Settings.
Configuration opens.
- Enable Advanced Mode.
2.1.1.2 Engines
Use Static AI and Reputation to monitor files written to disk. Also, monitor behavior and detect malicious activity when process initiates.
Note: Only “Application Control (Containers only)” should be unchecked by default as it works for Container applications only. Other than that, put it as a checked.
2.1.1.3 Containment
This option allows you to share new threat intelligence to protectively block threats. As all the assets are connected through cloud, agents share the information to centralized control and system and from that it’s manageable easily. For the highest level of security, check disconnect from the network option. By enabling this option, if threat detects, agent will be isolated from the network and won’t be able to communicate with others. Once, the analyst verifies it and eradicate it then it will be able to communicate.
2.1.1.4 Advanced
Provides an alert if suspicious activity detects. Also, if the agent is deactivated for certain amount of days, it will decommission it.
2.1.1.5 Agent configuration
Scan the agents, allow to scan endpoint, gather user logs, create snapshots and anti-tamper functionality. Recommendation: Enable all.
2.1.1.6 Deep visibility configuration
Deep visibility is really important field. It collects the data and provides us for the further analysis.
2.1.1.7 Remote Shell
To connect through the remote connection to an agent. It enables the powershell to remote computer.
2.1.2 Blacklist
If SentinelOne has detected a threat and you want to protect your organization from it then you can Blacklist it. So, in future similar threat will be directly taken care by SentinelOne.
2.1.3 Exclusions
When you use two antivirus agents or you run some binaries and SentinelOne interrupts this legitimate process, you need to exclude it from SentinelOne scanning.
When you make a path exclusion, we highly recommend that you add the exclusion to the smallest relevant scope of endpoints - a specific group. For example, do not add exclusions to the default policy of the default group. Create a group of endpoints that use the application to exclude.
Exclusion rules for Windows:
- The path can start with the drive letter. If the drive is not included, the exclusion applies to all drives. For example:
- C:\calc.exe excludes CALC on the root of the C drive.
- calc.exe excludes CALC on all directories and drives.
- If you select Include Subfolders, the path must end with a backslash (\).
- DO NOT USE a wildcard as the drive directory ( *: or ?: ).
For example, do NOT use *:\Program Files or ?:\Program Files in an exclusion path. Instead, use *\Program Files to exclude Program Files on all drives.
You CAN use the wildcard * to refer to any character or characters, or the metacharacter ? to refer to one character that is NOT a drive letter.
- Examples with wildcard * to refer to any character or characters:
C:\c*c.exe excludes files that start with “c” and end with “c.exe” on all directories and drives. This includes CALC.EXE, CAMC.EXE, CHARLIE.DOC.EXE
Example to exclude the Archives folder in a nested directory: C:\*\Archives\
Example to exclude Go2Meeting for all users: C:\Users\*\AppData\Local\GoToMeeting\*\g2mlauncher.exe
- Example with metacharacter ? to refer to one character:
You CAN use: C:\test?\ to exclude C:\test1\ and C:\testf\.
Example to exclude a temp directory in all drives: harddiskvolume?\temp\
DO NOT USE ? as the drive letter. For example, do NOT use ?:\test1\ in an exclusion path.
Exclusion rules for Linux and macOS:
- The path must be absolute: start with a forward slash ( / - ASCII char 47).
- The path must not have a space in the start or end.
- If you select Include Subfolders, the path must end with a forward slash.
- The 4.x versions of the Linux Agent only apply Performance Focus or Performance Focus - Extended modes. If you select a different exclusion mode, the Agent defaults to Suppressed All."
- Linux - Wildcards are not supported in Linux Agent versions 2.6 and earlier. They are supported in 3.0 and later, in the same manner as with the Windows Agent.
- macOS - The * wildcard is supported in path exclusions.
For example:
- /Users/*/Applications/.app/ excludes all users and app subfolders
- /Users/?*/Desktop/.app/ excludes all users and app subfolders and their subfolders
- /Users//Desktop/.app/* excludes all files in this path.
2.1.4 Not Recommended Exclusion
You may have noticed that with the continuous improvements, your antivirus exclusions also need to be kept up to date. I hope this will provide you with important antivirus exclusions you could consider implementing within a Current Branch environment.
The list below shows items that you must NOT exclude with SentinelOne exclusions. If you create an exclusion for any of these items, you open your environment to security risk. This list is based on the experience of Technical Support and will be updated by our Support team.
If you have an interoperability or false positive issue that you require help to resolve, please open a ticket with SentinelOne Support.
NOT Recommended Exclusions.
Signer identity exclusion for all Microsoft applications.
Signer identity exclusion for all Adobe applications.
· Signer identity exclusion for all Microsoft applications
· Signer identity exclusion for all Adobe applications
· Drive letter:\
· Drive letter:\*.*
· Drive letter:\*\
· Drive letter:\Windows\spool\
· C:\*\Java\
· C:\cygwin\
· C:\cygwin64\
· C:\Java\
· C:\jboss-eap-6.4\
· C:\Program Files (x86)\
· C:\Program Files (x86)\Adobe\
· C:\Program Files (x86)\Google\
· C:\Program Files (x86)\Google\Chrome\
· C:\Program Files (x86)\Internet Explorer\
· C:\Program Files (x86)\Java\
· C:\Program Files (x86)\Java\jre version number\
· C:\Program Files (x86)\Java\jre1.8.0_151\bin\jp2launcher.exe
· C:\Program Files (x86)\Java\jre6\bin\
· C:\Program Files (x86)\Microsoft Office\
· C:\Program Files (x86)\Microsoft Office\Office version number\
· C:\Program Files (x86)\Microsoft Office\root\Office16\
· C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.exe
· C:\Program Files(x86)\Java\
· C:\Program Files\
· C:\Program Files\Adobe\
· C:\Program Files\Adobe\Acrobat Reader DC\
· C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
· C:\Program Files\cygwin\
· C:\Program Files\cygwin64\
· C:\Program Files\Git\perl.exe
· C:\Program Files\Git\usr\bin\perl.exe
· C:\Program Files\Internet Explorer\
· C:\Program Files\Internet Explorer\iexplore.exe
· C:\Program Files\Java\
· C:\Program Files\Java\*\bin\javac.exe
· C:\Program Files\Microsoft Office\Office16\
· C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
· C:\Program Files\Tripwire\TE\Agent\jre\bin\java.exe
· C:\Tomcat7\
· C:\tomcat7_2\bin\tomcat7.exe
· C:\tomcat7.0\
· C:\tomcat7\bin\tomcat7.exe
· C:\Users\*\Cygwin\Bin\
· C:\Windows\
· C:\Windows\*\WindowsPowerShell\v1.0\powershell.exe
· C:\Windows\explorer.exe\
· C:\Windows\py.exe
· C:\Windows\setup.exe
· C:\Windows\system32\
· C:\Windows\System32\smss.exe
· C:\Windows\system32\conhost.exe
· C:\windows\system32\consent.exe
· C:\Windows\System32\cscript.exe
· C:\Windows\system32\csrss.exe
· C:\Windows\System32\dllhost.exe
· C:\Windows\System32\dwm.exe
· C:\Windows\System32\explorer.exe
· C:\Windows\System32\LogonUI.exe
· C:\Windows\System32\lsalso.exe
· C:\WINDOWS\system32\lsass.exe
· C:\Windows\System32\lsm.exe
· C:\windows\system32\mmc.exe
· C:\Windows\System32\netsh.exe
· C:\Windows\System32\Ntoskrnl.exe
· C:\Windows\System32\rundll32.exe
· C:\windows\system32\services.exe
· C:\Windows\System32\sihost.exe
· C:\Windows\system32\smss.exe
· C:\Windows\System32\snmp.exe
· C:\Windows\System32\splwow64.exe
· C:\Windows\System32\Spool\
· C:\Windows\System32\spoolsv.exe
· C:\Windows\System32\svchost.exe
· C:\Windows\System32\sysvol\
· C:\Windows\System32\taskeng.exe
· C:\Windows\System32\taskhostex.exe
· C:\Windows\System32\Taskmgr.exe
· C:\Windows\system32\userinit.exe
· C:\Windows\System32\vbscript.dll
· C:\Windows\system32\vssvc.exe
· C:\Windows\System32\WBEM\
· C:\Windows\System32\wbem\WmiApSrv.exe
· C:\Windows\System32\wbem\WmiPrvSE.exe
· C:\Windows\System32\WindowsPowerShell\
· C:\Windows\System32\WindowsPowerShell\v1.0\
· C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
· C:\Windows\System32\wininit.exe
· C:\Windows\system32\winlogon.exe
· C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\
· C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
· C:\Windows\SYSVOL\
· C:\Windows\SysWOW64\
· C:\Windows\SysWOW64\dllhost.exe
· C:\Windows\SysWOW64\wbem\
· C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
· C:\Windows\Temp\
· C:\Windows\winexesvc.exe
· acrord32.exe
· java.exe
· LogonUI.exe
· taskhostw.exe
· vssadmin.exe
· _mprosrv.exe
· *.dll
· *.exe
· */pythonversion number
· */ruby
· *\*apache-maven*\
· *\bin\java.exe
· \adobe\
· \Device\HarddiskVolume*\
If your organization is additionally using any other Applications or Any other Software then please look into this link. [https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/configuration-manager-current-branch-antivirus-exclusions/ba-p/884831]
Else, you can search for “antivirus exclusion for {software name}”.
2.1.5 Device control
Device Control policy can be Global, for a Site, or for a Group. Groups and Sites can inherit policies or have their own.
Define the policy in the Management Console in Sentinels > Device Control.
From Management Console version Eiffel, you can manage external USB devices with Windows and macOS Agents. From Management Console version Grand Canyon, you can also manage Bluetooth devices. This is supported with Windows and macOS Agents version 3.2 and higher.
Rules for Bluetooth are supported on Windows 10 and Windows Server 2012, 2016, and 2019.
The USB Allow Read Only feature is available with Management version Houston for Windows and macOS Agents version 3.4 and higher.
Important:
Important Recommendations for Device Control with Bluetooth: If you plan to have one or more active Device Control rules with Bluetooth, we highly recommend that all Windows Agents in the Site are upgraded to version 3.1.3 or higher. In Windows Agents below that version, Bluetooth rules might unexpectedly impact rules for USB interface.
If you cannot upgrade all Agents to version 3.1.3 or higher, we recommend that you make a dynamic group for Agents that support Bluetooth, version 3.2.0 and higher, and make a separate Device Control policy with Bluetooth rules for that Group only.
The Device Control Policy includes Settings and Rules:
- Settings: Turn Device Control on or off, define the inheritance settings, and select the Activity log settings. Define some settings for Bluetooth devices.
- Rules: Create and organize rules to allow or block connection of specific devices, or groups of devices, to endpoints, based on the device identifiers.
2.1.6 Network control
One of the basic mitigation actions for an infected endpoint is to Disconnect it from the Network and put it in Network Quarantine. This makes sure that a threat cannot attack other endpoints or communicate with the external network from the infected endpoint.
Until version Liberty, when an endpoint is disconnected, it can only communicate with the Management Console.
From version Liberty SP3, you can configure rules to allow specific network traffic to communicate with quarantined endpoints for investigation and incident response.
For example, allow remote access from specific IP addresses to the infected endpoints. Or allow the endpoints to send data to a specific server.
Both Firewall and Network Quarantine are now under Network Control because they control the network traffic that goes to and from endpoints. They are operative based on the Network Status of each endpoint.
- Network Status - Connected: The endpoint is connected to the network or can connect normally. Relevant Firewall rules apply. (Firewall requires the Control SKU).
- Network Status - Disconnected: The endpoint is disconnected from the network due to mitigation. Network Quarantine rules apply.(Network Quarantine rules are included in the Core SKU).
- Note- Firewall and Network Quarantine have parallel settings and rules, and both are managed with tags, but their settings, rules, and tags are completely independent.
A scope's Firewall settings have no impact on its Network Quarantine settings and its Network Quarantine settings have no impact on its Firewall settings.
Configurable Network Quarantine Information in the Management Console
In Sentinels > Endpoints there is a filter for Network quarantine control enabled. Select View More Filters to see it.
For each endpoint, you can see Configurable Network Quarantine Enabled or Disabled in the Endpoint Details.
See Network Quarantine operations done by user in the Activity log under Operations.
Enable notifications for Network Quarantine in Settings > Notifications under Firewall Control.
Creating & Editing Network Quarantine Rules
By default, when an endpoint is in network quarantine, all incoming and outgoing traffic is blocked, except for SentinelOne Agent to Management communication. Use Network Quarantine rules to allow specific traffic for incident investigation and resolution.
Note:
Firewall and Network Quarantine have parallel settings and rules, and both are managed with tags, but their settings, rules, and tags are completely independent.
A scope's Firewall settings have no impact on its Network Quarantine settings and its Network Quarantine settings have no impact on its Firewall settings.
When you create a rule, it applies to the selected scope of the Management Console. When you create a rule with tags, all scopes that subscribe to those tags will get the rule.
For network traffic to match a rule, all parameters of the rule must match the traffic.
The default for each parameter is Any, which means that no restrictions are defined.
Tip: Make rules specific. Most traffic should still be blocked. Change Any to a specific value whenever possible.
Traffic that does not match the Network Quarantine Allow rules is blocked by default. No clean-up rule is necessary.
An error shows if you try to create a rule that already exists in the scope or that contradicts a rule in the scope.
2.1.7 Upgrades
Keeping your SentinelOne Agent up to date is the single most important task of protecting your system against new malicious threats. Updated Agents ensure your environment benefits from the newest features and detection capabilities we offer our customers.
This Best Practice Guide helps you create an Agent Update Plan. The main focus is to ensure that SentinelOne new Agents are well-adapted to your unique environment and all enhanced protection mechanisms are well-tuned for your workflows.
- Step 1: Preliminary Tests
Upgrade Early Adapters - a few, non-mission-critical endpoints - to test the new version.
Important for macOS upgrades: When a new macOS release is available, do NOT upgrade the endpoints with a pre-public release. When the GA release is available from Apple, do not upgrade until SentinelOne releases a macOS Agent version that supports the new OS. See the macOS Upgrade Playbook.
- Step 2: Gradual Production Upgrade
Upgrade 10% to 15% of the endpoints.
- Step 3: Complete Upgrade
Upgrade all Agents.
- What to Expect
The upgraded Agent replaces the current running Agent. During and after the upgrade, you can expect:
On the Management Console
- The Agent may be offline for several seconds during the upgrade. Expect the Agent to come online after the upgrade is successfully completed.
- Expect to see the new version updated for the endpoint when the upgrade is successfully completed.
- Monitor ‘out of date’ machines on the Management Console, to track endpoints that failed to upgrade.
Locally on the endpoint
- Expect the SentinelOne system tray icon to disappear for a few seconds until the upgrade completes.
- The new version appears on the Agent window.
- For Windows Agents, There is a new path, unique for the new version:
"c:\Program Files\SentinelOne\Sentinel Agent x.x.x.xxxx"
where x.x.x.xxxx is the new version format - All Agent services are running:
- Upgrading Offline Agents
When you push an update from the Management Console to an offline Agent, the command is postponed until the next time the Agent is online. Agents will get the upgrade command and will start the upgrade process. We recommend that you send upgrade commands based on network groups and not on online/offline criteria.
2.1.8 Agent Upgrades – Manage Bandwidth
From version Liberty SP5, the Management Console can manage your bandwidth while you upgrade when you set the maximum concurrent downloads per scope. This limits the number of endpoints allowed to download Agent upgrade packages at the same time.
This lets you:
- Easily protect your bandwidth for physical sites when downloading the Agent package before upgrading. Set a limit on how many Agents can download the package per scope. For example, set different limits for different Sites.
- Set multi-hierarchy concurrency limits for complex networks. Set a limit on how many Agents can download upgrade packages in scopes of different levels. For example, set one limit for an Account and set different limits for each Site or Group in that Account.
- Reduce the number of upgrade cycles. Previously, even though you could send one command to upgrade all Agents, users often did not due to concerns about bandwidth issues. Now you can first set a limit of how many Agents are allowed to download packages at one time, and then upgrade all Agents with one command, without worry about bandwidth issues.
You can set a different limit for each Account, Site, and Group. The total number of downloads allowed in child scopes cannot be more than are allowed in their parent scope. For example, if a Site can have 100 concurrent downloads, the downloads allowed in the Site's Groups cannot total more than 100.
You can set a tighter limit per scope. For example, you can set a limit of 50 downloads at a time for the entire account and for a specific scope set a maximum of 5 downloads at a time.
Note: The Maintenance Settings feature for upgrades will be available in an upcoming release.
To limit the number of downloads allowed at the same time:
- In the sidebar, Scope and select a scope.
- In the Sentinels toolbar, Go to Scope and click Upgrades.
- If you see Inherited from parent then all Agents in this Scope have the same concurrent download limit as its parent Scope. To change the upgrade schedule for this Scope, click Change.
- In the Maximum Concurrent Downloads area, edit the Maximum Concurrent downloads for this Scope number.
- Click Save.
- Click Endpoints.
The list of endpoints in the selected scope opens.
- Select endpoints to upgrade.
- Click Actions and select Update Agent.
- Click Submit.
- Click Update Agent to confirm.
- In the sidebar, click Task Management.
You see the status of the upgrades and upgrade events.
The Endpoint details also shows the Upgrade status.
Recommended: Agent upgrade downloads agents from the cloud however, to upgrade all at a time uses a lot of bandwidth. By default, configuration is you can upgrade 1500 assets a time but highly recommend to only upgrade 500 agents at a time to get better visibility over task and lower bandwidth consumption.
2.2 Reports
As of now, only default reports are available.
If you are looking for the particular results then you can use the SentinelOne REST API. To Access it,
- Go to My User and generate the API token to authenticate and use computer programming language.
2.3 Settings
2.3.1 Configuration
It’s really important to check the 2 factor Authentication and Advanced Mode. Advanced mode allows you to Detect, Protect, Remediate, Kill & Quarantine & Rollback the threats and many more.
2.3.2 Notifications
To get an email for any suspicious activities we need to configure the notifications. Navigate through Settings -> Notification. To get notification, you need to add a recipient. Also, make sure that you check all options for Malware. Your organization always needs to stay up to date with all threats.
2.3.3 Users
Not everyone in an organization should have administration permissions to do every possible mitigation action in the Management Console. Some people, like SOC or IT should have partial permissions. RBAC includes several predefined roles, and each role has its own set of permissions.
From Management version Iguazu SP3, when you create a Management Console user you must select a role. Different roles grant users different permissions to see specific windows, select specific actions, and use specific features.
Predefined Roles
2.3.4 Integrations
There are 3 kinds of Integrations.
- SMTP
- SYSLOG
- SSO
SMTP Server Integration: SMTP server is configured with the default configurations in SentinelOne. It is not really necessary to update it.
SYSLOG: When you use the Security Operations Centre and would like to gather logs from the SentinelOne then you can configure it through SentinelOne dashboard.
Here, Formatting is a Syslog message formats. Please choose them accordingly. There is no harm in using the default formatter CEF or CEF2.
2.3.5 Policy override
Important:
· Change configuration with caution and with guidance from SentinelOne Support.
· Each Agent can apply only ONE policy override.
· Each override can have multiple configuration changes, and you can add more configuration changes to an override.
· Agents apply the override with the narrowest scope and version that matches them.
o If you have a policy override configuration for a specific Agent version, Agents with that version do NOT apply changes from a different override that is for ALL versions.
o If you have an override for the Global scope and an override for a Group scope, Agents in the Group apply the Group override and NOT the Global override.
To configure Policy Override for a group, Site, or all Agents:
1. Plan the configuration changes.
Important: All parts of the configuration that you do not enter in the window will be overwritten from the other configuration sources. Make sure to include all previous manual changes in the text you will enter.
Best Practice: See the configuration of an Agent before you change it and save it in a backup text file:
a. In Sentinels, select an Agent and click Actions > Configuration.
b. Copy the configuration to a text file and save it.
2. In the sidebar, click Settings.
3. In the Settings toolbar, click Policy Override.
4. Click New Configuration.
- Enter values for the configuration properties.
- In Configuration data, enter JSON to change the configuration.
{
"keepAliveFailCount": 3,
"keepAliveInterval": 3
}
If the parameters to change are in a hierarchy, make sure you include the parent key and enclose the child parameters and the parent properly:
{
"communicatorConfig": {
"forceProxy": true/false,
"telemetry": true/false
}
- Click Save.
2.3.6 Locations
See the locations for a scope and configure new locations in Settings > Locations.
To define a new location:
- In the sidebar, click Scope and select a scope.
- In the sidebar, click Settings.
- In the Settings toolbar, click Locations.
- Click New Location.
- In the General page of the new location, define:
· Location Name - Name of the location that shows wherever the location is used in the Management Console.
· Description - A more complete description that shows in the Locations page. Add here information about the location that is important for Users to know.
· An endpoint is in this location if: Select what is necessary for an endpoint to be considered in this location.
o At least one parameter is true - The endpoint must match one or more of the network identifiers that you defined for this location.
For example: If you defined an IP Address range and a DNS server, the endpoint is in this location if the DNS Server matches the endpoint but the IP address does not.
o All parameters are true - The endpoint must match all of the network identifiers that you defined for this location.
For example: If you defined an IP Address range and a DNS server, the endpoint is in this location if its IP address is in the defined range AND the DNS server matches.
o No parameters are true - The endpoint must NOT match any network identifiers that you defined for this location.
For example: If you defined an IP Address range and a DNS server, the endpoint is in this location if its IP address is not in the range AND it does not have a matching DNS server
Select a parameter from the list and define it.
Review the details of the defined location, make sure that the An endpoint is in this location if: setting is correct. To edit it, click Change or go to the General page.
For configuring it and for the better understanding, https://www.youtube.com/watch?v=5UH0gVDacq0&feature=emb_logo
2.3.7 SentinelOne Legacy System
Following Operating Systems are supported in Windows legacy systems:
- Windows XP SP3 or later (KB968730) 32/64-bit NTFS/FAT32
- Windows Server 2003 SP2 or later, or R2 SP2 or later, (KB968730) 32/64-bit
- Windows 2008 (Pre-R2)
- Windows Embedded POSReady 2009
2.3.8 SentinelOne Open Firewall Ports
Services & Ports - Ports for Cloud-Based Management Environment
To connect legacy agents on console, we need to allow the following IP on the firewall:
If your environment has servers or computers that are blocked from the Internet, open your firewall to your Management:
Ports for Integration Servers
Connection to other servers changes if the server is in the network or in a cloud, and if the servers are behind the firewall or in the DMZ.
Open Port TCP-443 on Endpoints for Deep Visibility
Open Port TCP-443 for On-Prem Management Server and Features
2.3.9 SentinelOne Installation on Citrix Server
Step 1:
- Open Control Panel
- Select Option: “Install application on Remote Desktop Server”
- Select the installation file
- Click Next
- At last close.
Step 2:
- Open CMD (Rus as administrator)
- Execute Command: “change user /install”
- Then run/execute the file.
o After executing the command, go to file explorer and select the exe/msi file you want to execute.
At last, Again run the command: “change user /execute
For reference: https://www.youtube.com/watch?v=StnRR3dtBmA
2.3.10 SentinelOne Installation on Linux Server
Please follow command line steps if GUI is not available:
Log in as a privileged user or run the command with sudo.
Wget BEB package: wget --no-check-certificate --header="Authorization: APITOKEN {Enter Your Authentication Token}" {https://Download URL} -O SentinelAgent_linux_vX_X_X_X.deb -c
o To get API token: Open your SentinelOne Console-Settings-Users-Click_Your_UserName-Options-Re/Generate API token and save it.
o For Package URL: Go to the SentinelOne Console-Sentinels Tab-Packages.
Install RPM or DPKG first.
o RPM: sudo rpm -i --nodigest package_pathname
o BEB: sudo dpkg -i package_pathname
Get site or Group token
o Sudo /opt/sentinelone/bin/sentinelctl management token set {__token__}
o For TOKEN: SentinelOne Console-> Scope -> Navigate to Group -> Group Info/Site Info
To activate
o Sudo /opt/sentinelone/bin/sentinelctl control start
For the Successful Installation: You will see Agent is Running.
For reference: https://www.youtube.com/watch?v=TfS_XSVEpCI&feature=emb_logo
3 Assessment/Recommendations
3.1 Groups
Best Practice Settings: Review Description
The naming convention for groups should be [computer|server]_[Windows|Linux|mac]_Description.
3.1.1 Sites and All Groups
Current Configuration:
Recommendations:
Containment should be enabled; it allows the endpoint to disconnect from network when compromised.
In Protect mode, SentinelOne will not corrupt or shut Down the Servers. They are lightweight processes and protect you from Malware, Virus and Ransomware threats. By proper configurations, you can save your environment from the malicious threats. Also, keep in mind that Detect mode will just detect the threat but if no actions are going to be taken then it will harm your network.
3.1.2 Blacklist
Recommend: Please use the proper description for each hash to get better understanding about the file. Also, Add BlackList when the threat is true positive, or Analyst identify the threat as a true positive.
No groups have manual Blacklist hashes
3.1.3 Exclusions
Note: While working with exclusion, make sure that team member doesn’t include following commands from it. Review
Currently, there are exclusions applied in following groups:
1. Servers_Linux
a. The exclusions are related to the legitimate file hashes. Please have a look if they are supposed to be correct.
2. All Groups
a. The exclusions are related to the legitimate file hashes. Please have a look if they are supposed to be correct.
3.Default Group
For Applying default exclusions, Open SentinelOne web console-> Sentinels -> Exclusion -> New Exclusion -> Add from Exclusion Catalog.
Recommendations:
Currently hashes are configured as exclusion which is optimal option.
Exclusions should as minimally scoped as possible to let SentinelOne scan all the processes.
3.1.4 Device control
Please double check the following results especially for USB & BLUETOOTH. Because, if the company has a policy that doesn’t allow installing USB and Bluetooth then it’s fine otherwise it adds a lot of noise in Activities tab.
3.1.5 Network control
3.1.6 Upgrades
Agent upgrade downloads agents from the cloud however, to upgrade all at a time uses a lot of bandwidth. By default, configuration is you can upgrade 1500 assets a time but highly recommend to only upgrade 300 agents at a time to get better visibility over task and lower bandwidth consumption.
3.2 Settings
3.2.1 Configuration
Best Practice:
Require 2 factor authentication is enabled.
3.2.2 Notifications
All email notifications have been enabled.
Recommendations:
3.2.3 Users
3.3 Applications
The applications state all the applications that have different severity levels and should be regularly monitored.
Recommendations:
Please check at the critical applications. If not regularly updated they can have some vulnerabilities which can be exploited.
3.4 Activity
The activity is to check the activities done by SentinelOne Agents and the Console management users. You can track the events, collect endpoint logs that are generated and filter the activities according to your need by selecting options from dropdown in the tabs.
3.5 Reports
There are no reports configured yet but you can configure different types of report according to your need from the limited options.
Types of Report options available:
3.6 Integrations
3.6.1 SMTP
Recommendations:
· In Settings>Integrations>SMTP, please configure SMTP to receive the alerts directly to your inbox.
​
4 References
· https://support.sentinelone.com/hc/en-us/articles/360008709014-Best-Practices-for-Exclusions
· https://support.sentinelone.com/hc/en-us/articles/360007532894
· https://support.sentinelone.com/hc/en-us/articles/360056646274-Phase-3-Mass-Deployment
· For more features, review https://youtu.be/mnFI2ujbtoc.
· https://support.sentinelone.com/hc/en-us/articles/360000334613-Upgrading-Agents-Best-Practices
· https://support.sentinelone.com/hc/en-us/articles/115005654289-Policy-Mode-Best-Practices
· https://support.sentinelone.com/hc/en-us/articles/360002679893-SentinelOne-Interoperability
· https://support.sentinelone.com/hc/en-us/articles/360056646254-Phase-1-Part-2-Active-Preparation
· https://www.sentinelone.com/blog/intel-inside-sentinelone-cryptominer-detection/
Approvals
Revision log history
Related Articles
Test Article 2
Test Article 2updated article
LIA 18 Participants | CACWT CACWT Navigation Guide Purpose : To show LIA participants how to navigate CACWT for their training series. CACWT is being used as a communication tool, a place to share resources, and will be where to access the end of ...How is this?
LIA 18 Participants | CACWT CACWT Navigation Guide Purpose : To show LIA participants how to navigate CACWT for their training series. CACWT is being used as a communication tool, a place to share resources, and will be where to access the end of ...