Overview
This is the first post of several in the S1 series. I wanted to write these so you can get up to speed in S1 as quickly as possible. In today's post, we'll walk through the essentials of getting SentinelOne up and running, customizing the console for visibility, and turning on the Ranger feature for network-wide device discovery. This isn't your typical setup guide: we go straight to the configurations that produce results, so you can start seeing real value out of SentinelOne. Let's get started.
Initial Console Setup: The Basics
SentinelOne provides an EDR platform designed to monitor, detect, and respond to threats at the endpoint level. If you’re new to the console or need a refresher, here’s a straightforward guide to configuring the basics:
- Hierarchy Setup: SentinelOne is organized hierarchically, and its own scope names are Global, Account, Site, and Group. Settings and policies inherit downward, so a choice made at a higher scope applies to everything below it unless a lower scope overrides it. If you're an MSSP (Managed Security Service Provider), you'll likely have a "parent" console that manages multiple tenants (your customers). Here's a quick breakdown:
- Account Level: Your main console view where you manage customers and settings.
- Customer Tenant: A separate workspace for each customer, typically its own Account (or a dedicated Site under a shared Account), so that one customer's endpoints, users, and policies stay segmented from another's.
- Sites and Groups: Within each tenant, sites and groups let you further divide endpoints by geographic location, department, or function.
- Creating Groups: A group is the narrowest scope a policy can target, so it is where you carve out exceptions to the baseline inherited from the site or account. Set groups up early to streamline management.
- Use Cases:
- Default Group for baseline protections.
- High-Sensitivity Group for endpoints needing stricter policies (e.g., finance systems).
- Tip: If you’re unsure of the best grouping method, start with a basic division by site and gradually refine as your needs evolve.
Customizing the Dashboard: Real-Time Visibility
The dashboard is where you’ll get a pulse on your endpoint landscape. SentinelOne allows drag-and-drop widget customization, so you can shape the dashboard to deliver the most relevant data for your team. Here’s how to set it up effectively:
- Select Key Metrics: Choose widgets that provide immediate insight into endpoint health and threat data. Here are the top ones to include:
- Active Threats: Shows current threats that require action.
- Mitigated Threats: Tracks resolved incidents to help you assess recent activity.
- Endpoint Health: Monitors endpoints for connectivity issues or configuration errors.
- Customize Widget Display:
- Scope Filtering: Filter widgets by groups, sites, or tenant levels. This is particularly useful if you’re managing a large number of endpoints across various customers.
- Interactive Graphs: Choose from bar, pie, or line charts to visually track trends over time. For example, set “Threats by Detection Engine” to a bar chart to quickly identify which detection types are most active.
- Set Refresh Intervals: Dashboard data can refresh at intervals of your choice. For active environments, set frequent intervals (e.g., 5-10 minutes) to keep the data accurate and up-to-date.
Introduction to Ranger: SentinelOne’s Asset Discovery Tool
Ranger is a built-in network discovery tool that identifies unmanaged or rogue devices on the subnets where your Sentinel agents sit, giving you immediate insight into potential blind spots. The agents themselves are the sensors: there is no separate appliance, and a segment with no agent on it is not discovered. Here's how it works:
- Discovery Mode: Ranger combines passive listening with optional active probing:
- ARP (Address Resolution Protocol): Every host on a segment broadcasts ARP requests, so an agent can learn IP-to-MAC pairings passively, without sending any traffic of its own. This is the cheapest way to notice an unknown device.
- SSDP (Simple Service Discovery Protocol) and mDNS: Multicast discovery protocols used by IoT devices, printers, media equipment, and Apple devices. Hearing them passively also yields device and service names that help fingerprint what the device is.
- Ping Sweeps (active probing): Probes each address in the subnet to find hosts that never announce themselves. Active probing generates traffic and can trip IDS sensors or touch fragile OT equipment, so enable it deliberately and scope it to the subnets you intend.
- Setting Up Ranger:
- Enable Ranger at the Site or Tenant Level: Go into the Ranger settings in your console. Enabling Ranger at the top level ensures discovery across all endpoints within that scope, but remember that coverage is only as wide as agent placement: a VLAN, DMZ, or branch office with no Sentinel on it stays a blind spot until you deploy one there.
- Configure Detection Intervals: Define how often Ranger should scan for devices. A daily or weekly scan might be enough for static environments, while highly dynamic networks (DHCP-heavy offices, lab networks, guest Wi-Fi) may benefit from more frequent checks.
- Grouping and Reporting: Ranger lets you filter the inventory by detected OS type (e.g., Windows, Linux, macOS, unknown) and device type (e.g., workstation, printer, network device). Fingerprints are inferred from observed traffic, so treat them as a lead to verify, not as ground truth.
- Filtering Rogue Devices:
- View Rogue OS Types: Filter by OS to quickly identify unfamiliar operating systems in your environment.
- Apply Device Management Actions: Tag suspicious devices for follow-up or add them to containment groups if they’re verified as threats.
Practical Tips for Getting the Most Out of Ranger
Ranger isn't just a passive asset discovery tool; it's the first layer of network-wide device hygiene. Here are some advanced tips to ensure you're getting maximum visibility and control:
- Automate Rogue Device Tagging: Use automation rules, or the Management API, to tag new devices as soon as they are detected. For instance, flag any device Ranger fingerprints as running an outdated OS version for closer monitoring, and maintain an allowlist of known MAC addresses (printers, switches, lab gear) so the same devices don't resurface as "new" every scan.
- Define Rogue Device Policies: Consider creating policies that restrict network access for unknown devices. Ranger can be configured to trigger an alert whenever a rogue device joins the network, giving you the option to respond immediately. Before you block anything, confirm the device really is rogue: a freshly imaged laptop whose agent has not checked in yet looks identical to an intruder's box in the inventory.
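The filtering and tagging steps above are done by hand in the console. As an added example (not code from the original post or from SentinelOne), the script below shows the same triage done programmatically so it can run on a schedule: it pages through the Ranger inventory, drops managed, already-reviewed, stale, and allowlisted devices, and returns the remainder sorted by last-seen time together with a per-OS count that mirrors the "View Rogue OS Types" filter. The Management API endpoint (`/web/api/v2.1/ranger/table-view`), the `ApiToken` authorization scheme, the cursor-based pagination, and the record field names (`managedState`, `deviceReview`, `osType`, `macAddress`, `lastSeen`) are assumptions; check them against the API reference linked from your console before relying on them. The sample inventory at the bottom is constructed for the example.

```python
"""Triage SentinelOne Ranger inventory for unmanaged devices.

Added example, not SentinelOne's code. Assumed (verify against your
console's API docs): endpoint GET /web/api/v2.1/ranger/table-view, the
"ApiToken" auth scheme, pagination via pagination.nextCursor, and the
record fields managedState / deviceReview / osType / macAddress / lastSeen.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone


def fetch_ranger_inventory(console_url, api_token, site_id=None, page_size=1000):
    """Page through the Ranger inventory and return every record (assumed endpoint)."""
    records, cursor = [], None
    while True:
        params = {"limit": page_size}
        if site_id:
            params["siteIds"] = site_id          # assumed filter parameter name
        if cursor:
            params["cursor"] = cursor
        url = (console_url.rstrip("/") + "/web/api/v2.1/ranger/table-view?"
               + urllib.parse.urlencode(params))
        req = urllib.request.Request(
            url, headers={"Authorization": "ApiToken " + api_token,
                          "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.load(resp)
        records.extend(body.get("data", []))
        cursor = (body.get("pagination") or {}).get("nextCursor")
        if not cursor:
            return records


def _parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z (works on Python < 3.11 too)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def select_rogue_candidates(records, known_macs=frozenset(), seen_within_days=7, now=None):
    """Return devices worth a human look, most recently seen first.

    Drops devices that already run an agent, were already reviewed in the
    console, sit on the MAC allowlist, or were last seen longer ago than
    seen_within_days (stale entries are noise, not an active intruder).
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=seen_within_days)
    allow = {m.lower() for m in known_macs}
    out = []
    for r in records:
        if r.get("managedState") == "managed":
            continue
        if r.get("deviceReview") == "reviewed":
            continue
        mac = (r.get("macAddress") or "").lower()
        if mac in allow:
            continue
        last_seen = _parse_ts(r["lastSeen"])
        if last_seen < cutoff:
            continue
        out.append({"id": r["id"], "localIp": r.get("localIp"), "macAddress": mac,
                    "osType": r.get("osType", "unknown"), "lastSeen": last_seen})
    out.sort(key=lambda d: d["lastSeen"], reverse=True)
    return out


def rogue_os_summary(candidates):
    """Count candidates per fingerprinted OS, the same view as the console's OS filter."""
    summary = {}
    for c in candidates:
        summary[c["osType"]] = summary.get(c["osType"], 0) + 1
    return summary


# Constructed sample inventory (not real data) exercising each filter branch.
SAMPLE_INVENTORY = [
    {"id": "1", "localIp": "10.10.1.15", "macAddress": "AA:BB:CC:00:00:01", "osType": "windows",
     "managedState": "managed", "deviceReview": "reviewed", "lastSeen": "2024-05-10T09:00:00Z"},
    {"id": "2", "localIp": "10.10.1.42", "macAddress": "AA:BB:CC:00:00:02", "osType": "linux",
     "managedState": "unmanaged", "deviceReview": "unreviewed", "lastSeen": "2024-05-10T08:30:00Z"},
    {"id": "3", "localIp": "10.10.1.77", "macAddress": "AA:BB:CC:00:00:03", "osType": "unknown",
     "managedState": "unmanaged", "deviceReview": "unreviewed", "lastSeen": "2024-05-09T22:15:00Z"},
    {"id": "4", "localIp": "10.10.1.90", "macAddress": "AA:BB:CC:00:00:04", "osType": "linux",
     "managedState": "unmanaged", "deviceReview": "unreviewed", "lastSeen": "2024-03-01T12:00:00Z"},
    {"id": "5", "localIp": "10.10.1.5", "macAddress": "AA:BB:CC:00:00:05", "osType": "unknown",
     "managedState": "unmanaged", "deviceReview": "reviewed", "lastSeen": "2024-05-10T07:00:00Z"},
    {"id": "6", "localIp": "10.10.1.8", "macAddress": "AA:BB:CC:00:00:06", "osType": "unknown",
     "managedState": "unsupported", "deviceReview": "unreviewed", "lastSeen": "2024-05-10T06:00:00Z"},
]
KNOWN_MACS = frozenset({"aa:bb:cc:00:00:06"})            # e.g. the lobby printer
NOW = datetime(2024, 5, 10, 10, 0, tzinfo=timezone.utc)  # fixed clock for the sample

if __name__ == "__main__":
    # Swap SAMPLE_INVENTORY for fetch_ranger_inventory(url, token, site_id) in production.
    candidates = select_rogue_candidates(SAMPLE_INVENTORY, KNOWN_MACS, now=NOW)
    for c in candidates:
        print(f"{c['lastSeen']:%Y-%m-%d %H:%M}  {c['localIp']:<14} {c['macAddress']}  {c['osType']}")
    print("by OS:", rogue_os_summary(candidates))
```

Run it against the sample and only devices 2 and 3 survive: device 1 is managed, 5 was already reviewed, 6 is allowlisted, and 4 has not been seen in over seven days. Widening `seen_within_days` to 90 brings device 4 back, which is how you would run a quarterly sweep for things that only show up occasionally. The script stops at producing the list rather than calling a tagging endpoint, because the exact tag and device-review API calls vary by console version; feed the output to whatever action you have verified in your own tenant.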
Final Thoughts
Setting up SentinelOne with a tailored dashboard and enabling Ranger for network-wide visibility gets you started on the right path. Next, we'll explore endpoint management with Sentinels and dive into configuring policies to protect every corner of your network. By focusing on these setup steps first, you establish a baseline built for visibility, fast response, and effective threat management.