Overview
In this post, we’ll focus on two critical components of SentinelOne: Sentinels and Policy Configuration. Sentinels manage your endpoints, allowing you to take actions like quarantine, remote shell access, and file retrieval. We’ll also cover setting up robust policies, including Detect and Protect modes, so your endpoints remain secure. This is where you’ll get hands on with endpoint management and set up automated responses for different threat levels.
Managing Endpoints with Sentinels
The Sentinels feature in SentinelOne is essentially your command center for individual endpoints. It allows you to take action on endpoints as threats are detected or as specific responses are needed.
Key Features of Sentinels
- Endpoint Isolation: Instantly disconnect a compromised device from the network, isolating it from all other devices. SentinelOne maintains a connection to the endpoint, allowing continued management despite the isolation.
- Remote Shell Access: Initiate a remote shell session on any endpoint to investigate and respond directly. This includes PowerShell or shell script capabilities, which are highly useful for deep dive investigations.
- File Retrieval: Retrieve files directly from endpoints for further analysis. This is particularly useful if you need to analyze suspicious files in a controlled environment or submit them to third party analysis tools.
- Containment Actions: Define containment actions such as “Kill,” “Quarantine,” and “Rollback” (we’ll dive into these in Policy Configuration) to manage threats across multiple endpoints.
Common Actions to Use
- Quarantine: Moves a detected threat to a secure location on the endpoint, preventing any further interaction with the infected file or process.
- Kill Process: Ends any suspicious process immediately, stopping the activity without moving the file.
- Rollback: Reverts the endpoint to a previous state using SentinelOne’s Volume Shadow Copy integration, effectively erasing changes made by malware.
Tip: Use endpoint tagging to categorize devices by criticality or department, allowing quick identification and filtering when taking group based actions.
Policy Configuration: Building a Secure Endpoint Strategy
Now that you have a grasp of endpoint actions, let’s move to Policy Configuration. Policies determine how SentinelOne reacts to threats, whether that’s simply detecting them or actively protecting the endpoint. Effective policy setup ensures appropriate responses based on the environment’s needs.
Understanding Policy Modes
- Detect Mode: This is a passive mode where threats are only identified and logged, but no action is automatically taken. It’s useful for onboarding new devices or monitoring low impact systems.
- Protect Mode: In Protect mode, SentinelOne will take automatic actions to neutralize threats. You can set Protect mode to include actions like Kill, Quarantine, Remediate, and Roll Back based on threat type.
- Use Case: Protect mode is ideal for critical systems where any identified threat should be neutralized immediately.
Key Actions in Protect Mode
SentinelOne’s Protect mode includes four main actions to manage threats effectively:
- Kill: Stops the malicious process, preventing it from further action.
- Quarantine: Isolates the threat so it cannot spread or affect other files.
- Remediate: Cleans up all files and system changes associated with the threat, including deleting registry entries or other affected configurations.
- Rollback: Utilizes snapshots to revert the endpoint to a previous state, removing any changes caused by the malware.
These actions are customizable, allowing you to fine tune how SentinelOne responds to various threat levels or types. For example, you might configure SentinelOne to automatically quarantine high risk threats but only alert on low risk threats.
Setting Up Policies for Different Endpoint Groups
To manage endpoints effectively, create policies based on endpoint criticality, function, or department. Here’s how:
- High Sensitivity Group: For finance or executive endpoints, set Protect mode with Kill, Quarantine, and Remediate actions enabled to respond aggressively to any threat.
- Standard Group: For general workforce systems, use Detect mode initially, logging any suspicious activity for review. When the device is confirmed safe, you can switch it to Protect mode.
- Testing/Development Group: For devices in dev environments, configure policies to only detect and log threats, allowing your team to work without interruptions but still record potential threats for investigation.
Tip: Assign groups based on real operational needs, so policies are applied strategically across various teams or departments. This ensures critical systems have strong protections while other environments remain accessible.
Additional Considerations: Containment and Alerting
SentinelOne provides additional containment features and alerting capabilities within its policy settings, giving you full control over response configurations.
- Automatic Containment: Enable automatic containment so that any endpoint detecting a serious threat is immediately isolated from the network. This keeps threats from spreading to other devices while still allowing SentinelOne console access for investigation.
- Threat Based Alerting: Customize alerts to notify your team based on threat types or response actions taken. For example, set alerts to trigger only when SentinelOne takes a Quarantine or Rollback action on a high priority endpoint.
- Recommended Alerts:
  - “High Risk Threat Detected” for high priority alerts
  - “Quarantine Executed” for containment visibility
  - “Remediation Failed” to catch any potential gaps in response
Tip: Automate notifications to your SOC or SIEM for continuous monitoring of critical threat responses. This can significantly enhance response speed by alerting your security team as soon as an action is taken.
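To show how the threat based alerting above can be applied before events are forwarded to a SOC or SIEM, here is an added example (not SentinelOne's own code or API) that routes a constructed batch of threat events through the three recommended alerts. The event fields, the risk scale, and the use of policy group names as endpoint tags are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumptions for this example: policy group names double as endpoint tags,
# and the console's threat export is mapped into ThreatEvent before routing.
HIGH_PRIORITY_GROUPS = {"High Sensitivity"}
CONTAINMENT_ACTIONS = {"quarantine", "rollback"}
CLEANUP_ACTIONS = {"remediate", "rollback"}


@dataclass
class ThreatEvent:
    endpoint: str
    group: str           # policy group the endpoint is assigned to
    risk: str            # "high", "medium" or "low" (constructed scale)
    action: str          # kill / quarantine / remediate / rollback / detect_only
    succeeded: bool      # whether the automatic action completed


def classify(event):
    """Return the recommended alert names this event should raise."""
    alerts = []
    if event.risk == "high":
        alerts.append("High Risk Threat Detected")
    # Containment visibility only for high priority endpoints, as in the
    # alerting example above, to keep SIEM noise down for Standard groups.
    if event.action in CONTAINMENT_ACTIONS and event.group in HIGH_PRIORITY_GROUPS:
        alerts.append("Quarantine Executed")
    # A failed remediate or rollback is a response gap regardless of group.
    if event.action in CLEANUP_ACTIONS and not event.succeeded:
        alerts.append("Remediation Failed")
    return alerts


def route(events):
    """Group triggered alerts by name, ready to forward to the SOC/SIEM."""
    queue = {}
    for ev in events:
        for name in classify(ev):
            queue.setdefault(name, []).append(ev.endpoint)
    return queue


# Constructed sample batch, not real console output.
SAMPLE_EVENTS = [
    ThreatEvent("fin-laptop-01", "High Sensitivity", "high", "quarantine", True),
    ThreatEvent("hr-desktop-07", "Standard", "low", "detect_only", True),
    ThreatEvent("dev-vm-03", "Testing/Development", "high", "detect_only", True),
    ThreatEvent("exec-laptop-02", "High Sensitivity", "medium", "rollback", False),
    ThreatEvent("sales-laptop-11", "Standard", "medium", "quarantine", True),
]

if __name__ == "__main__":
    for name, endpoints in route(SAMPLE_EVENTS).items():
        print(f"{name}: {', '.join(endpoints)}")
```

Note that the quarantine on the Standard group endpoint is deliberately not surfaced as an alert, matching the high priority filter described above; widen HIGH_PRIORITY_GROUPS if your SOC wants containment visibility for every group.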
Final Thoughts
Effective endpoint management in SentinelOne begins with an organized policy structure and continues with clear actions to address threats. Configuring your Sentinels with tailored policies lets you handle threats across various environments seamlessly, from automated actions on critical endpoints to monitoring-only setups for development devices. With your Sentinels and policies configured, your endpoint management is off to a solid start. In the next post, we’ll explore incident management and threat response workflows to keep your response times efficient and your threat tracking accurate.