Overview
In this post, we’ll walk through Incident Management and Threat Response in SentinelOne. This is where the platform earns its keep: it gives you one place to take an incident from detection through resolution. We’ll cover the Incidents Tab, the core mitigation actions and when each one is appropriate, and the built-in VirusTotal lookup that helps you decide how hard to respond.
1. Navigating the Incidents Tab
The Incidents Tab is SentinelOne’s control center for tracking threats across endpoints. It’s organized to quickly display key information about each incident, including threat type, originating process, and response history. Here’s a breakdown of what to look for:
- Threat Details: Each entry shows the device name, originating process, detection engine, and detection method (static or dynamic), plus the file hash, which is what you will pivot on for intelligence lookups and blocklisting.
- Severity Level: Incidents are categorized by severity, allowing you to prioritize based on criticality.
- Incident Timeline: For each threat, you’ll see a timeline showing when it was detected, what actions were taken, and who initiated them.
Tip: Use filters in the Incidents Tab to display specific threat types, dates, or affected endpoints. This lets you zero in on high-priority threats or analyze trends over time.
2. Key Response Actions
SentinelOne provides four core response actions to manage incidents effectively. Understanding when and how to use each action can make a critical difference in your response strategy.
Core Response Actions
- Kill: Terminates the malicious process immediately; the file stays on disk untouched. This is the fastest way to halt suspicious activity before deeper analysis, but because the file remains, anything that re-launches it (a service, scheduled task, or user double-click) can bring it back. Follow up with Quarantine or Remediate once you have decided what it is.
- Quarantine: Moves the file into the agent’s quarantine store on the endpoint, where it cannot execute or be read by other processes. It is reversible: if analysis shows a false positive, the file can be un-quarantined.
- Remediate: Deletes the threat’s files and reverts the system changes it made (registry entries and the like). Remediation is the thorough cleanup, so reserve it for confirmed threats rather than anything you are still evaluating.
- Rollback: Restores files the threat modified or encrypted from Volume Shadow Copy (VSS) snapshots, returning the endpoint to its pre-infection state. It is especially valuable in ransomware cases. Two caveats: it is available on Windows only, because it depends on VSS, and it can only restore what a snapshot captured, so confirm VSS is enabled on critical endpoints before you need it. Ransomware routinely tries to delete shadow copies, which is why the agent protects its snapshots.
Usage Guide: On endpoints holding critical data, Quarantine the file and then Rollback to neutralize the threat and restore data integrity. For low-severity threats, start with Kill, keep the file in place for analysis, and only then decide between Quarantine and Remediate.
3. Step-by-Step Workflow: Managing an Incident
Let’s walk through a standard incident management workflow, using SentinelOne’s tools to move from detection to resolution.
Step 1: Initial Assessment
- Review Incident Details: In the Incidents Tab, select the threat entry to open its details.
  - Look at the originating process and its parent to understand how the threat got onto the system (email attachment, browser download, remote session, and so on).
  - Check the detection engine (e.g., Static AI or Behavioral AI). A static hit means the file itself looked malicious; a behavioral hit means the process did something malicious, which matters when the file turns out to be a legitimate tool being abused.
- Evaluate Threat Severity: Let the severity level set the speed and depth of your response.
  - High-Severity: Prioritize immediate containment (Kill and Quarantine, and disconnect the endpoint from the network if you suspect lateral movement).
  - Low-Severity: Monitor and assess before deciding on further action.
Step 2: Threat Analysis with VirusTotal
To gain further insight into the threat, use the integrated VirusTotal lookup to check it against public threat intelligence.
- Open VirusTotal: From the threat entry, click the VirusTotal link. This looks up the file’s hash; nothing is uploaded from the endpoint. If the hash is unknown and you are considering submitting the sample yourself, treat that as a data-handling decision first: internal binaries and documents become public once uploaded.
- Analyze Threat Indicators:
  - Community Insights: Review comments from the security community for additional context, such as malware family names or links to campaign write-ups.
  - Detection Rate: Look at how many engines flag the file as malicious. A high count means a known threat. A low or zero count does not mean benign: a hash the behavioral engine just flagged may simply be new, so read “unknown to VirusTotal” as “unverified”, not “clean”.
Tip: Use the VirusTotal result to decide on the next response action. A high detection rate and corroborating comments make the case for immediate remediation; a clean or unknown hash behind a behavioral detection means quarantine it and get an analyst’s verdict before you remediate.
Step 3: Selecting Response Actions
With the assessment complete, move forward with the appropriate response action.
- Kill or Quarantine: If the threat is actively running, select Kill to stop it. If additional containment is needed, use Quarantine to isolate the file.
- Remediate: For confirmed threats, initiate remediation to clean up any associated files, registry changes, or system alterations.
- Rollback: If the threat has altered system files or encrypted data on a Windows endpoint, use Rollback to restore the files from VSS snapshots to their pre-infection state. On other platforms, restore from backup after remediation.
Step 4: Documenting and Closing the Incident
- Add Notes: Document the steps taken, your observations, and the final resolution in the incident entry. This gives your team a clear audit trail and helps refine future response workflows.
- Mark as Resolved: Once the threat is neutralized, record the analyst verdict (true positive, false positive, or suspicious) and mark the incident as resolved.
- Blocklist (Optional; older consoles call it Blacklist): If the threat is likely to recur, add its hash to the blocklist so the agent blocks it on every endpoint in scope. The entry matches that exact hash, so a repacked or rebuilt variant of the same malware will not be caught by it; that is the detection engines’ job.
Best Practice: Be generous with detail in your notes: the hash, the originating process, the entry vector, and why you chose the verdict you did. Incident documentation is what lets you spot repeat threat patterns and is the raw material for future training.
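The workflow above is a runbook, and runbooks are easiest to apply consistently when they are written down as rules. The following is an added example, not SentinelOne code: a small rule-based triage planner that takes the facts Step 1 and Step 2 gather (severity, detection engine, whether the process is still running, whether files were modified, and the VirusTotal hash-lookup counts) and returns the ordered actions of Step 3. The `Threat` fields, the action names, and the 25% detection-rate threshold are assumptions chosen for illustration; the sample records are constructed, not real detections.

```python
# Added example (not SentinelOne code): a rule-based triage plan that encodes the
# detection-to-resolution workflow described above. The Threat fields, action
# names and the 25% VirusTotal threshold are assumptions for illustration.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(str, Enum):
    KILL = "kill"              # stop the process; file stays on disk for analysis
    QUARANTINE = "quarantine"  # isolate the file in the agent's quarantine store
    REMEDIATE = "remediate"    # delete files, revert registry and other changes
    ROLLBACK = "rollback"      # restore modified/encrypted files from VSS snapshots
    MONITOR = "monitor"        # no further action yet; watch and reassess


@dataclass(frozen=True)
class Threat:
    threat_id: str
    endpoint: str
    os: str                        # "windows", "linux" or "macos"
    severity: str                  # "low", "medium" or "high"
    engine: str                    # e.g. "Static AI", "Behavioral AI"
    process_running: bool          # originating process still alive on the endpoint
    files_modified: bool           # threat altered or encrypted files
    vt_detections: Optional[int]   # engines flagging the hash; None if VT has no record
    vt_engines: Optional[int]      # engines that scanned the hash; None if no record


@dataclass(frozen=True)
class Decision:
    actions: tuple
    reason: str


def vt_ratio(t: Threat) -> Optional[float]:
    """Fraction of VirusTotal engines flagging the hash; None when VT has never seen it."""
    if t.vt_detections is None or not t.vt_engines:
        return None
    return t.vt_detections / t.vt_engines


def is_confirmed(t: Threat, threshold: float = 0.25) -> bool:
    """Confirmed when enough VT engines agree, or when a high-severity behavioral
    detection hits a hash VT has never seen: 'unknown to VT' is not 'clean'."""
    r = vt_ratio(t)
    if r is not None and r >= threshold:
        return True
    return r is None and t.severity == "high" and t.engine.lower().startswith("behavioral")


def plan(t: Threat) -> Decision:
    """Order the actions the way the workflow does: contain what is running,
    clean up only what is confirmed, restore files last."""
    actions = []
    if t.process_running:
        actions.append(Action.KILL)
    confirmed = is_confirmed(t)
    if t.severity == "low" and not confirmed:
        actions.append(Action.MONITOR)  # file stays in place for analysis
        return Decision(tuple(actions), "low severity, unconfirmed: kill if running, then monitor")
    actions.append(Action.QUARANTINE)
    if not confirmed:
        # Medium/high but VT does not back it up: isolate the file and hand it to an
        # analyst. Remediate/Rollback would undo real changes if this is a false positive.
        return Decision(tuple(actions), "unconfirmed: quarantined, analyst verdict required")
    actions.append(Action.REMEDIATE)
    if t.files_modified:
        if t.os == "windows":
            actions.append(Action.ROLLBACK)  # VSS-based, so Windows only
            return Decision(tuple(actions), "confirmed, files modified: cleanup and rollback")
        return Decision(tuple(actions), "confirmed, files modified: no VSS rollback on this OS, restore from backup")
    return Decision(tuple(actions), "confirmed: full cleanup")


def triage(threats):
    """Map each threat id to its Decision, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return {t.threat_id: plan(t) for t in sorted(threats, key=lambda x: order.get(x.severity, 3))}


# Constructed sample records for illustration; not real detections.
SAMPLE_THREATS = [
    Threat("T-1001", "FIN-WS-07", "windows", "high", "Behavioral AI", True, True, None, None),
    Threat("T-1002", "WEB-01", "linux", "high", "Static AI", False, False, 58, 72),
    Threat("T-1003", "HR-WS-12", "windows", "low", "Static AI", True, False, 2, 70),
    Threat("T-1004", "DEV-WS-03", "windows", "medium", "Behavioral AI", False, True, 0, 70),
]

if __name__ == "__main__":
    for tid, d in triage(SAMPLE_THREATS).items():
        print(tid, [a.value for a in d.actions], "-", d.reason)
```

The two deliberate choices are in `is_confirmed` and the unconfirmed branch of `plan`: a hash VirusTotal has never seen does not clear a high-severity behavioral detection, and a medium-severity detection that VirusTotal does not corroborate stops at Quarantine so that an analyst, not the script, decides whether to undo the file changes.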
4. Setting Up Alerts and Notifications for Proactive Monitoring
To improve response times, configure SentinelOne to alert your team as soon as specific incidents occur.
Recommended Alerts
- High-Risk Threats: Configure alerts for any high-severity threats detected in critical environments.
- Containment Actions: Set alerts for actions like Quarantine or Rollback on endpoints within sensitive groups.
- Unresolved Threats: Enable notifications for threats that remain unresolved beyond a set period (e.g., more than 1 hour) so they get a follow-up rather than quietly aging in the queue.
By customizing your alerts, you can maintain visibility on critical incidents and take action faster.
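Console notifications cover the rules above, but teams often also poll the threat list on a schedule and push their own alerts to chat or a ticketing system. The following is an added example, not SentinelOne code, that evaluates the three recommended rules against a batch of threat records. The record fields, the group names, and the one-hour threshold are assumptions for illustration, and the sample records and clock are constructed.

```python
# Added example (not SentinelOne code): evaluate the three recommended alert rules
# against a batch of threat records. Field names, group names and the one-hour
# threshold are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ThreatRecord:
    threat_id: str
    endpoint: str
    group: str                  # console group the endpoint belongs to
    severity: str               # "low", "medium" or "high"
    detected_at: datetime       # timezone-aware
    resolved: bool
    last_action: Optional[str]  # "kill", "quarantine", "rollback", ... or None


CRITICAL_GROUPS = {"Production Servers", "Finance"}   # rule 1: high-risk threats
SENSITIVE_GROUPS = {"Finance", "Executives"}          # rule 2: containment actions
CONTAINMENT_ACTIONS = {"quarantine", "rollback"}
UNRESOLVED_AFTER = timedelta(hours=1)                 # rule 3: stale threats


def evaluate_alerts(records: List[ThreatRecord], now: datetime) -> List[tuple]:
    """Return (rule, threat_id, detail) tuples; one record can trip several rules."""
    alerts = []
    for r in records:
        if r.severity == "high" and r.group in CRITICAL_GROUPS:
            alerts.append(("high_risk", r.threat_id, f"high severity in {r.group}"))
        if r.last_action in CONTAINMENT_ACTIONS and r.group in SENSITIVE_GROUPS:
            alerts.append(("containment", r.threat_id, f"{r.last_action} on {r.endpoint}"))
        age = now - r.detected_at
        if not r.resolved and age > UNRESOLVED_AFTER:
            minutes = int(age.total_seconds() // 60)
            alerts.append(("unresolved", r.threat_id, f"open for {minutes} min"))
    return alerts


# Constructed sample data: a fixed clock and four records, not real detections.
NOW = datetime(2024, 5, 6, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    ThreatRecord("T-2001", "PRD-DB-01", "Production Servers", "high",
                 NOW - timedelta(minutes=10), False, "kill"),
    ThreatRecord("T-2002", "FIN-WS-03", "Finance", "medium",
                 NOW - timedelta(minutes=90), True, "rollback"),
    ThreatRecord("T-2003", "ENG-WS-22", "Engineering", "low",
                 NOW - timedelta(hours=3), False, None),
    ThreatRecord("T-2004", "FIN-WS-07", "Finance", "high",
                 NOW - timedelta(hours=2), False, "quarantine"),
]

if __name__ == "__main__":
    for rule, tid, detail in evaluate_alerts(SAMPLE_RECORDS, NOW):
        print(f"{rule:12} {tid} {detail}")
```

Run this on a timer against whatever export you already collect; the point is that the stale-threat rule uses the detection timestamp, not the last action, so a threat that was killed and then forgotten still surfaces after the hour is up.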
Final Thoughts
Effective incident management is essential for a secure and resilient endpoint environment. By leveraging SentinelOne’s Incidents Tab, core response actions, and integrated VirusTotal analysis, you can efficiently handle threats and prevent escalation. This proactive approach ensures your team can handle new threats as they arise and document resolutions for continuous improvement.
In the next post, we’ll dive deeper into SentinelOne’s advanced detection engines and automation capabilities, exploring how you can use these tools to streamline threat detection and improve response times even further.