Complete Guide to SentinelOne EDR (Endpoint Detection and Response): Exploring the Console in Part 1
Summary
TL;DR: The video script offers an in-depth introduction to SentinelOne, a leading endpoint detection and response (EDR) solution used by major corporations. The presenter, from a managed security service provider (MSSP), explains the hierarchical structure of SentinelOne's console, which includes global, account, and site levels. The script delves into various features such as threat detection, remediation actions, and policy configurations. It also touches on advanced capabilities like Deep Visibility for incident response and threat hunting, as well as the Ranger product for network device identification. The presenter highlights the importance of threat and alert management, the use of AI engines, and the integration with Active Directory through Ranger AD. Additionally, the script covers application vulnerability scanning, inventory management, and the significance of the activity log for auditing purposes. The video concludes with a teaser for further detailed exploration of these features in subsequent videos, inviting viewers to subscribe for more comprehensive EDR insights.
Takeaways
- 📊 SentinelOne is a top-tier endpoint detection and response (EDR) product used by large corporations.
- 👥 The platform operates on a tenant structure with levels including Global, Account, Site, and Groups, catering to various customer sizes and needs.
- 🏢 For small businesses like Technology Interpreters, access to SentinelOne is typically through a Managed Security Service Provider (MSSP) that has direct access to Global settings.
- 🔍 The dashboard provides insights into solved and unsolved threats, mitigated threats, and the status of endpoints as either infected or healthy.
- 🛠️ Detection engines are a core part of the policy, with various types for detecting files, scripts, and other potential threats.
- 🧐 Deep Visibility is a powerful feature for incident response and threat hunting, but it's restricted to prevent misuse that could lock up the console or database.
- 🚀 The Ranger product identifies devices on the network, especially those without SentinelOne agents, aiding in the detection of rogue devices.
- 🛡️ Policies within the platform determine the actions taken on threats, including blocking, quarantining, remediating, and rolling back changes.
- 🔑 The Site Key is used for software installation, linking devices to a specific tenant within the platform.
- 📋 Identity features, such as Ranger AD and ThreatStrike, protect against threats targeting Active Directory and lateral movement within a network.
- 📊 The Application section offers vulnerability scanning, providing risk assessments and inventory details of installed applications and their versions.
Q & A
What is SentinelOne and why is it significant in the cybersecurity industry?
-SentinelOne is a top endpoint detection and response (EDR) product used by many large companies and managed security service providers (MSSPs). It is significant because it offers comprehensive security capabilities, including threat detection, mitigation, and response.
What is the role of a managed security service provider (MSSP) in the context of SentinelOne?
-An MSSP is a company that manages multiple customers' security needs through a centralized console. It purchases SentinelOne services from a company with access to the global level of SentinelOne and then provides security services to its own customers, acting as an intermediary.
How does the tenant structure work in SentinelOne?
-The tenant structure in SentinelOne starts with the global level, which is managed by the company providing the service. Under the global level are accounts, which belong to MSSPs or individual customers. Under accounts are sites, which represent individual customer environments or practice areas. Within sites, groups allow specific policy assignments and monitoring.
What is Deep Visibility and why is it a valuable feature in SentinelOne?
-Deep Visibility is a SentinelOne feature that lets users run queries for incident response or threat hunting. It provides detailed insight into network activity and is valuable because it helps detect and respond to threats more effectively. However, it is only enabled for users who have been trained and certified to use it, to prevent misuse that could lock up the console or database.
What are detection engines in SentinelOne, and how do they contribute to threat detection?
-Detection engines in SentinelOne are components of the security policies that detect various types of threats. They include static detection for files on the machine and other engines that detect scripts or other non-file-based threats. These engines are powered by artificial intelligence, which helps in the remediation of detected threats.
How does the threat intelligence in SentinelOne categorize different types of threats?
-SentinelOne divides threats into different categories, which can include various types of malware and potentially unwanted programs. The exact number of categories may vary, but the system is designed to provide detailed classification to help with the detection of and response to threats.
What is the SentinelOne Ranger product, and how does it help in network security?
-The Ranger product identifies devices that connect to a network and detects those without SentinelOne agents installed. It helps network security by alerting the IT or security department about unmanaged devices, potentially identifying rogue devices on the network that need to be protected.
What is the purpose of the Application feature in SentinelOne, and how does it assist with vulnerability management?
-The Application feature in SentinelOne provides a vulnerability scan by using the agent on the machine to assess the installed software. It compares the software against the Common Vulnerability Scoring System (CVSS) to determine the severity of any vulnerabilities found. This helps with vulnerability management by identifying risks and assisting in remediation without the need for additional tools like Tenable.
What is the Activity Log in SentinelOne, and why is it important for monitoring console actions?
-The Activity Log in SentinelOne records all actions and events that occur within the console. It is important for monitoring because it lets administrators track and audit all activity, such as logins, remote access, scans, and device decommissioning. This can help identify unauthorized access or actions and ensures transparency in console usage.
How does the automation feature in SentinelOne benefit administrators in managing large groups of machines?
-The automation feature in SentinelOne allows administrators to run predefined scripts, such as PowerShell or shell scripts, on large groups of machines. This can be used for tasks like fixing issues, remediating vulnerabilities, or performing other maintenance. It benefits administrators by streamlining and automating repetitive tasks, saving time and reducing the potential for human error.
What is a policy override in SentinelOne, and when might it be necessary to use it?
-A policy override in SentinelOne is a more advanced method of instructing the AI detection engine to ignore specific parameters, such as processes, hashes, executables, or file types. It might be necessary when standard exclusions do not suffice and a more detailed instruction is required to prevent the engine from acting on certain items or conditions.
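As an added illustration of the Global → Account → Site → Group hierarchy described above (example code written for this page, not SentinelOne's own code or API), a small Python model of scope inheritance: settings made at Global propagate to every account, site and group beneath it unless a lower scope overrides them, and a group's policy mode decides whether the agent only alerts or may kill, quarantine, remediate and roll back. The setting names, the placeholder tenant names and the nearest-scope-wins rule are assumptions made for the illustration.

```python
"""Hierarchical policy resolution for a Global -> Account -> Site -> Group
tenant tree. Added example modelled on the structure the page describes;
it is not SentinelOne's code or API. Setting names, values and the
nearest-scope-wins rule are assumptions made for the illustration."""
from dataclasses import dataclass, field
from typing import Optional

# The two group behaviours described on the page: a monitoring group only
# alerts, while a protect group lets the agent act on the detection.
DETECT_ONLY = "detect_only"
PROTECT = "protect"
ACTIONS = {
    DETECT_ONLY: ("alert",),
    PROTECT: ("alert", "kill", "quarantine", "remediate", "rollback"),
}


@dataclass
class Scope:
    level: str                      # "global", "account", "site" or "group"
    name: str
    settings: dict = field(default_factory=dict)  # values set AT this scope
    parent: Optional["Scope"] = None
    children: list = field(default_factory=list)

    def child(self, level: str, name: str, **settings) -> "Scope":
        node = Scope(level, name, dict(settings), self)
        self.children.append(node)
        return node

    def chain(self) -> list:
        """Path from the Global root down to this scope."""
        path, node = [], self
        while node is not None:
            path.append(node)
            node = node.parent
        return path[::-1]


def effective_policy(scope: Scope) -> dict:
    """Resolve every setting to (value, origin). Walking root -> leaf means a
    value set at a lower scope overrides what propagated from above."""
    resolved = {}
    for node in scope.chain():
        for key, value in node.settings.items():
            resolved[key] = (value, f"{node.level}:{node.name}")
    return resolved


def allowed_actions(scope: Scope) -> tuple:
    """What the agent may do on a detection for endpoints in this scope."""
    mode, _origin = effective_policy(scope)["mode"]
    return ACTIONS[mode]


def inherited_from(scope: Scope, key: str) -> str:
    """Which scope actually set `key` for this scope (useful when auditing
    why a group behaves the way it does)."""
    return effective_policy(scope)[key][1]


def scopes_reached_by(root: Scope, key: str) -> list:
    """Leaf scopes whose effective `key` still comes from `root`, i.e. the
    groups a change made at `root` would propagate to. A scope below root
    that sets `key` itself shields everything beneath it."""
    reached = []

    def walk(node: Scope, shadowed: bool) -> None:
        shadowed = shadowed or (node is not root and key in node.settings)
        if not node.children and not shadowed:
            reached.append(node.name)
        for child in node.children:
            walk(child, shadowed)

    walk(root, False)
    return reached


def build_demo() -> tuple:
    """Constructed tenant tree with placeholder names (not real tenants)."""
    glob = Scope("global", "provider",
                 {"mode": PROTECT, "static_ai": True, "script_engine": True})
    account = glob.child("account", "mssp-example")
    site = account.child("site", "customer-a", usb="block")
    monitoring = site.child("group", "monitoring", mode=DETECT_ONLY)
    workstations = site.child("group", "workstations")
    return glob, account, site, monitoring, workstations


if __name__ == "__main__":
    glob, _, _, monitoring, workstations = build_demo()
    for group in (monitoring, workstations):
        print(group.name, allowed_actions(group),
              "mode set at", inherited_from(group, "mode"))
    # A change to "mode" at Global reaches only groups that do not override it.
    print("global mode change reaches:", scopes_reached_by(glob, "mode"))
```

`scopes_reached_by` is the check an MSSP operator wants before editing a Global-level setting: it lists which customer groups the change will actually land on.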
Outlines
😀 Introduction to Endpoint Detection and Response with SentinelOne
The video script introduces the viewer to endpoint detection and response (EDR), focusing on SentinelOne, a leading EDR product used by major corporations. The speaker, from Technology Interpreters, explains the interface and the concept of tenants in cybersecurity, particularly within a managed security service provider (MSSP) environment. The explanation covers the hierarchy from global level settings down to individual customer sites, and how policies and actions can be applied across this hierarchy. The dashboard is also introduced, highlighting features such as solved and unsolved threats, detection engines, and threat categorization.
🔍 Deep Visibility and Network Security with Ranger
The speaker delves into the capabilities of SentinelOne's Deep Visibility feature, which allows for incident response and threat hunting through query-based investigations. However, this feature is only enabled for trained professionals to prevent misuse. The Ranger product is introduced as a tool for network device identification and protection against unagented devices. The script also covers the use of SentinelOne for policy management, vulnerability scanning, and incident response, emphasizing the product's adaptability for different needs, such as blocking USB or Bluetooth devices and integrating with firewalls.
🛡️ Advanced Threat Detection and Response Features
The paragraph outlines various advanced features of SentinelOne, including threat detection through AI engines, alert generation based on Power Expressions, and identity protection with Ranger AD. It discusses the protection against Kerberos attacks, detection of lateral movement with ThreatStrike, and the ability to raise alerts for untrusted endpoints. Additionally, the ThreatPath feature is introduced, which helps analyze and display potential lateral movement paths that adversaries could exploit. The Applications section is highlighted for its vulnerability scanning capabilities, comparing software against the Common Vulnerability Scoring System (CVSS) to determine risks.
📚 Console Activity Logging, Reporting, and Automation
The final paragraph covers the activity logging within the SentinelOne console, which serves as an audit log for all actions taken within the system. It discusses the generation of reports based on various metrics and the automation features that allow for remote operation tasks through scripts. These tasks can be used for remediation of vulnerabilities or other fixes across multiple machines. The settings section is briefly mentioned, where notifications, user access, and integrations such as SMTP, syslog, and single sign-on can be configured. The speaker concludes by encouraging viewers to subscribe for more in-depth coverage of endpoint detection and response.
Keywords
💡Endpoint Detection and Response (EDR)
💡Managed Security Service Provider (MSSP)
💡Tenant
💡Threat Hunting
💡Detection Engines
💡Policy Scripts
💡Vulnerability Management
💡Active Directory
💡Kerberos
💡Automation
💡Alerts and Notifications
Highlights
SentinelOne is a top endpoint detection and response product used by big companies.
The presenter works for a managed security service provider (MSSP) and explains the multi-tenant structure of SentinelOne.
Different levels of access in SentinelOne include global, account, site, and group levels.
Policy scripts and configurations can be applied from the global level down to individual customers.
The dashboard provides an overview of solved and unsolved threats, mitigated threats, and infected versus healthy endpoints.
Detection engines are a part of the policies and include static detection and script detection.
AI is used to remediate detections and threats are categorized into different types.
Deep Visibility feature allows for advanced querying and incident response, but requires training due to its complexity.
Ranger product identifies devices on the network, especially those without SentinelOne agents.
The presenter discusses the process of remediating vulnerabilities and responding to incidents using SentinelOne.
Policies can include block lists, exclusions, and network control for integrated firewall actions.
Site key is used for installing SentinelOne and associating devices with a specific tenant.
Incident response involves handling threats and alerts, with AI engines generating threats and alerts based on conditions.
Identity feature includes Ranger AD for detecting exposure related to Active Directory and protecting against Kerberos attacks.
ThreatPath feature analyzes and shows the path an adversary could take to move laterally within a network.
Applications section provides vulnerability scans, inventory of installed software, and policy-based risk assessments.
Activity log tracks all actions within the console, useful for auditing and monitoring user behavior.
Reports section allows for the generation of PDF reports on various metrics.
Automation feature enables the running of scripts for remediation and vulnerability management.
Settings section includes notification configurations, user access, and integration options like SMTP, Syslog, and Single Sign-On.
Policy Override allows for detailed instructions to the AI engine to ignore specific parameters or processes.
Locations can be defined and parameterized for grouping devices and applying specific settings or actions.
Transcripts
is Kinder with Technology Interpreters, and I want to welcome you to the first part of a series on endpoint detection and response. I would even go as far as to say a comprehensive class. And so today we're going to be showing you exactly what the interface looks like, and we're going to go ahead and start here. So this is SentinelOne. Now, SentinelOne is one of the top endpoint detection and response products in the world. This is what big companies use, not necessarily the names that you know. So if you don't know SentinelOne, CrowdStrike, Trend Micro, those type of things, you may want to become acquainted with them, because these are some of the ones that the bigger corporations use.

And so let's start off. So the first thing you want to look at is, and I'm going to be going with my notes here, let's talk about tenants. So in the world of, you know, cyber security and what's called an MSSP, a managed security service provider, which is what I work for, we have many customers, and so these interfaces are our MSSP console, which allows us to manage multiple customers. And the way that we go about changing or, this, well, actually let me explain this structure here. So to start off, it starts with Global, which means that I don't have access to the global, because if I were big enough I could buy this directly from SentinelOne, but since I'm a small company, Technology Interpreters, I have to buy it through another company that's big enough to buy directly from SentinelOne, and they have access to Global. So I'm actually able to be a company that provides security to other companies while being in the console of a company that's selling to other companies like me, or the company I work for that sells security services to the company, like a pyramid, right? So anyway, the way it works is the global level, which is going to be the aerate advisors, they're the company that I get this from. They have access to the global level, and these things propagate now, so they can put policy scripts, all kind of configuration in, and it will apply to my console and all my customers, and the same thing would apply to any other customers that they have and all of their customers, okay. My customers are just the mentees in the program, so actually this is not my primary job. I do teach on this console, but this is purely for me to have, to show you what endpoint detection and response really is.

So how does this work? Let's say you got the global level, they have access to it, and then this is the account, which is my account, and once again they have other MSSPs like myself who have accounts in there, right? And then under the accounts you have the sites, which is going to be your, say for instance if I had individual customers. What you see here, I got the other mentees here. I'm gonna go to this level right here so you can kind of see. So I've got the other mentees listed right here, and these are their sites, you say, that's where they're doing their practice and stuff like that, what people are in the cyber security mentorship program, all right. And so then we have that level, and we can go to Technology Interpreters, and then we have groups within the site. So once again I can have a monitoring group where I put the stuff in here, and the policies assigned to this group don't necessarily do anything but alert if there's a detection, but I also can have it where SentinelOne will actually do something and take action, and if there is a detection we'll go ahead: kill, quarantine, remediate, roll back, okay.

So now we're in the tenant, let's talk about the dashboard. Okay, so if you're on the left side menu here, we got a lot of stuff here, okay. So we're going to go through each of these individual items and we're going to tell you a little bit about it. So on the dashboard you got the solved and unsolved threats and mitigated threats, right? So when there's an incident, then you need to take action on it, right, and once you complete whatever action you did on the incident you can mark it as solved, okay, but until then it's listed as unsolved in the console. And I'm going to go into details in other parts of this series, I'm going to go into all the details about this. Infected endpoints and healthy endpoints: so once again, if your endpoint has some type of detection or there's an incident on a particular endpoint, it is listed as infected; once it's mitigated it's listed as healthy. You got detection engines, we'll go into those, those are part of the policies, but there is static detection, which detects files that are on your machine. You got other type of, like, detection engines that detect scripts that may be run that don't have anything to do with files and stuff like that. So lots of different detection engines, and this is the artificial intelligence behind it that actually goes through and does things to actually fix or remediate a detection. And then you got threat type, which is over here. So threat type, once again, you can have malware, you can have potentially unwanted programs. There are like nine different, or well, probably not, maybe more than nine different categories that SentinelOne divides these threats into, okay.

Also on the left hand menu you got the little magnifying glass. This is called Deep Visibility, and so this is where it allows you to basically, like when you're doing either incident response to follow up on something that's been detected or maybe you're doing threat hunting, Deep Visibility allows you to run queries. And you see I don't have access to this in this console; I could probably pay to have this feature added, but it allows you to do some really cool stuff. The reason that they don't enable this is because you could, if you don't know what you're doing in Deep Visibility (and I can get this enabled, they already told me I could, and maybe it's something I'll go into once we get further into the series), but if there's something that's not necessarily, if you do a bad query, you could essentially lock up their whole console and lock up the database, and so they only enable this feature for people who are, they certify that you've been trained and know what you're doing.

The Ranger product: this is used to identify devices that connect to your network and identify those that don't have SentinelOne agents. So this is a great way, if I come in, I plug my computer into your network, I don't have SentinelOne installed, well guess what, this Ranger product will detect it, let me know I got a rogue on my network, and then we can reach out, as far as the IT department, the security department, whatever, to get that device protected.

Sentinels right here: these are going to be devices in the console. You still got, this is my VM, I'm going to move, I got an older laptop that's a gaming laptop, I'll move here, and we're just going to put all kind of vulnerable software on it. I'm going to use it for stuff in the future videos and stuff like that to show you the process of remediating vulnerabilities and responding to incidents and stuff like that. So but anyway, this is where you see your endpoints, but it's also where you can do your policies, which is what determines, like, we're going to go into all these and explain all these. These are different type of engines that can, like, detect malware. You got block lists, you can block things of course. Exclusions, this is like programs that you may need to run that, like, we detect them and we don't want SentinelOne to act on them. Network control is where we can integrate with the firewalls, take action based on the firewall. Device control, this allows us to block USB devices and also Bluetooth devices. Packages, this is where we're going to actually download the SentinelOne software. There's my site key; I'm probably gonna have to regenerate after showing that, but either way I can regenerate that site key. Once again, if you install it using the site key then it will put you in my tenant and all that stuff, and I'll just basically regenerate it just to stop that. Site info, of course this is all my information, my account information, probably shouldn't show that, you're gonna have to cut that out the video. And group ranking. So anyway, that's all of that.

So let's go next. That covers that. Incidents: this is where we have detections, so I'm going to go up a level. And so we had a few devices, and they kind of, you saw we ran EICAR on some of the desktop devices and stuff like that that we had detections on, but anyway this is where we go and we have basically threats and alerts. So threats, once again, those AI engines, that's where threats come from. Alerts are, we are able to set up certain type of conditions, and if things meet certain alert conditions (and once again this is a feature that I don't have currently enabled with my agreement with the company), but something happens and then it will generate an alert. But an alert is not a threat, okay. A threat is really what you're going to be, like, mostly focused on. Alerts are kind of more like proactive detection, to kind of, like, build in some additional things in addition to the automatic or the AI engines and stuff like that that detect threats. Let's see, in addition to that, I think that's good there. We're gonna go right here, Identity. All right, so Identity. Oh, by the way, it says on the threats, I did make a note here that for the alerts you create what's called Power Expressions to kind of define things that will generate these alerts. So basically you kind of define certain criteria using this kind of query language, and it will generate alerts on this.

I don't have this Identity feature, but in this feature you have what's called Ranger AD, which reviews Active Directory. If you know Active Directory: when you log into Windows on a corporate network of usually a major company, you have to authenticate, put your credentials in and stuff like that, and typically they're a Microsoft shop and they have Active Directory, which is where your credentials are housed and stuff like that, and basically you have to log in. Well, this Ranger AD product looks for indicators of compromise or any type of exposure related to Active Directory. It has what's called AD Secure EP, which replaces real Active Directory access. So the thing is, if I get on your network, there are different kind of hacks, right, that attack Active Directory, right. I can't think of the name of it, but you put it in the chat, y'all know the name of it. But anyway, you can attack Active Directory, and then what this does, instead of you, like, being able to identify real computers and accounts, it basically replaces those with fake accounts and fake assets or computer names to kind of throw an adversary off, which basically increases the likelihood that they're going to get detected, okay. You also have what's called Ranger AD Protect, which detects Kerberos, which is, basically Kerberos is a lot of times, this way, it's a way where you're, like, accessing file shares, and make sure, correct me on this, because Kerberos is really confusing. I've dug into Kerberos and stuff like that, but when you're basically doing file shares, Kerberos is what does these exchanges that prevents you from having to do all this, like, logging in constantly when you're accessing, like, file shares and stuff like that. And so it exchanges credentials in a way using Kerberos and Kerberos tickets, but there's this process called Kerberoasting that allows you to be able to, like, hack Kerberos, okay. It's not easy, I tried it, okay, not easy. But anyway, Ranger AD Protect actually detects those type of detections. You have what's called ThreatStrike, which detects lateral movement, basically moving from one machine to another to attack it. And I just realized I don't even have a webcam, I'm just talking away here and no webcam. And then also you have, what's this, what else we got, Detect or Deflect, which basically, when an untrusted endpoint gets on the network it raises an alert. So, great way of detecting stuff that may be rogue. So it basically says raise the event when untrusted endpoints access forbidden network access. So I guess if it's something on your network that you know, you can kind of designate this shouldn't have access to, you add a computer that's trying to access it, then this feature will then kind of, like, act on that, okay. And then also you got ThreatPath, which basically is a pretty cool feature. I'm actually probably going to recommend this as a potential solution for one of my customers, for a remain company I work for, because the thing is, it basically is able to analyze it and it kind of, like, shows the path that you could take to move laterally before some adversary actually exploits it, okay. And so then that's all that.

And then we get down to what's called the Applications, okay. Applications, which is right here, and this is cool, I love Applications because you get a bonus here. So the thing is, Applications actually gives us a mini vulnerability scan, so they're able to, since it has the agent on the machine, and so what it's doing is actually, this Risk section, it's actually started to do very much what, like, Tenable and Qualys are doing, which is being able to read the software, compare that against the CVSS to determine if there are vulnerabilities. And I think it was CVSS, Common Vulnerability Scoring System, which is what, the kind of, like, it's the governing body that basically determines whether this vulnerability is critical or high, medium, low and stuff like that; it's the scoring system for that. So anyway, they're able to access that, compare it with the software that they're already seeing on your machine, which they already have an agent on, and then they're able to give you a risk and basically give you kind of, like, a scaled-down vulnerability scan, which is good when you're actually using these to remediate. Me working with the mentees, we're using these to remediate vulnerabilities on our scene and not having to buy Tenable, and I actually have customers who actually are trying to rely on this as an alternative to Tenable for vulnerability scans. We got Inventory, this is basically telling me all the applications and their versions, the stuff that's installed on my machine. And then we have Policies right here, and what you can do is you can do an extensive scan, which is basically, to me it seems like it just increases the fidelity of the vulnerability scan. This here, and this confirms it, like it's literally saying "vulnerability scan", so your Risk is a vulnerability scan that SentinelOne has included. Once again, when inventors, they're probably going to break it into a new product and charge you extra for it, okay. So man, a lot going on.

Activity. Activity, this is where anything that happens in the console, this is your audit log. This is like anything that you want to know: if I log in, if I remote into somebody's machine, which you can do through SentinelOne (I'll be showing you that feature in upcoming videos), log in, log out, the whole nine, if I initiate a scan, a decommission, or basically there's a device that's been gone, it's never going to check in again, I decommissioned it, which flagged it so it doesn't show up in the interface, all these things show up right here in this activity log, okay. So this is my bread and butter when I'm trying to see what I was doing, like if I want to see if somebody's in here, I feel like somebody might have logged in and done something they want to, but it's going to be right here in this activity log. So love that.

Let's see what else we got. We got Reports. Reports are straightforward, you can generate PDF reports on some different metrics and stuff like that; we'll dig into reporting. Automation. Automation is cool because, first of all, you got this Remote Ops task. I look, I was even digging into the documentation, don't necessarily know what the tasks are, maybe it's because I don't have any Remote Ops created, but the company that owns this, they have a lot. I'm going to show this because these are their scripts, I don't want to expose that to everybody on YouTube, you know what I'm saying, but if you become one of their customers you can see it, you know what I'm saying. So anyway, they got all these different scripts that they're running, PowerShell scripts, shell scripts, that you can run on large groups of machines to either fix things, remediate vulnerabilities, all kind of stuff. Really cool, glad to have this feature and plan on using it. And this is a set of the remote settings, this is where basically you can include default credentials and stuff like that, and once again I don't have permission based on my access.

And then we get into the Settings section, okay. This is great, because this is where, I want to go to click on a lot of these, but you can set up the notifications, you can go ahead and add the groups, and you can notify on different aspects, and it's a lot of options in the notifications, okay. So basically you can send the notifications either via syslog or email, okay. Syslog, unlike your email system, is when you send it to, like, a server that's aggregating logging information from lots of other devices; like, it could be Splunk, it could be Elastic, it could be some others, and it's aggregating the information and then it's presenting that information in some way, shape or form that allows you to be able to, like, kind of sift through the information to find something specific. So syslog and email alerts, you put your recipients in here. Then of course you got, I'm already in notifications, you got Users, not going to click there because this is where, how the users are set up who have access to the console. Integrations: we can do SMTP, syslog and single sign-on, which is like logging in through an identity and access provider like Okta or something like that, so we can configure that. Looks like there's just a lot of information, I'll click off of that.

Policy Override: this is how, awful, sometimes we have SentinelOne, like, not, we can't put an exclusion for a process that's, like, we might, we want SentinelOne not to act on something, and so what we would do is we put an exclusion, but if the exclusion doesn't work then we sometimes have to do a policy override, which makes it literally, it's just kind of like code that really gets very detailed and tells the detection engines not to touch this. So it's like a step beyond an exclusion. An exclusion is just saying a process, or ignore this hash, or ignore this executable, or ignore this file type or something like that. A policy override is literally telling the engine, the AI engine, what to not touch, what to not do, stand down on this particular feature or this particular whatever search or whatever parameter we defined, okay. All right man, it's a lot, okay.

All right, so then we got Accounts. I'm not going to click on Accounts, this basically shows the accounts. We got Sites, okay, so basically these are all the sites that are in SentinelOne, and these are the sites right here, okay. So remember, Global, this is my account, and then these are all the sites for the people that are in the mentor program, and then also the one I'm just using for testing, and one I used to manage my devices too. Let's see what else we got. Locations. Locations, we can basically, we can go into Locations, so it's pretty cool because it allows us to define certain parameters. So based on General, like, we can put location name, description, IP address, DNS server, DNS resolution, network interface, SentinelOne connection connected or not, registry key, and then also, let's see, what was one, network interface wired or wireless. So we can basically use these parameters to group, like, different devices into a location to act on them in a certain way.

And that's it. So that's a lot, that's a lot, okay, that I covered in a short period of time, 17 minutes of straight talking, but this is a good overview, this is just the overview, we haven't even dug into any of the features. But if this is helpful and you want to learn endpoint detection and response, subscribe to my channel. I'm about to upload this video. Thanks for watching, don't forget to like and subscribe, I said that already, and I'll see you on the next video.