Complete Guide to SentinelOne EDR (Endpoint Detection and Response): Exploring the Console in Part 1

00:00

is Kinder with technology interpreters

00:02

and I want to welcome you to the first

00:03

part of a series on any point detection

00:06

and response I would even go as far as

00:08

say comprehensive class and so today

00:10

we're going to be showing you exactly

00:12

what the interface looks like and we're

00:14

going to go ahead and start here so this

00:15

is Sentinel one now Sentinel one is one

00:18

of the top endpoint detection and

00:19

response products in the world this is

00:21

what big companies use not necessarily

00:24

things that the names that you know so

00:26

if you don't know since the one

00:28

crowdstrike Trend Micro those type of

00:30

things you may want to become acquainted

00:31

with him because these are some of the

00:33

ones that the bigger corporations use

00:34

and so let's start off so the first

00:36

thing you want to look at is and I'm

00:37

going to be going with my notes Here is

00:39

let's talk about tenants so in the world

00:41

of bit you know cyber security and

00:44

what's called an mssp a managed security

00:46

service provider which is what I work

00:48

for we have many customers and so these

00:51

interfaces are our mssp console which

00:54

allows us to manage multiple customers

00:57

and the way that we go about changing or

00:59

this well actually let me playing this

01:01

structure here so to start off it starts

01:03

with global which means that I don't

01:05

have access to the global because I'm if

01:07

I were big enough I could buy this

01:08

directly from sent to the one but since

01:10

I'm a small company technology

01:12

interpreters I have to buy it through

01:14

another company that's big enough to buy

01:16

directly from Central one and they have

01:17

access to global so I'm actually able to

01:20

be a company that provides security to

01:23

other companies while being in the

01:25

console of a company that's selling to

01:28

other companies like me or the company I

01:30

work for that sells Security Services of

01:33

the company like a pyramid right so

01:35

anyway the way it works is the global

01:37

level which is going to be the aerate

01:39

advisors they're the company that I get

01:41

this from they have access to the global

01:43

level and these things propagate now so

01:45

they can put policy scripts all kind of

01:47

configuration in and it will apply to my

01:49

console and all my customers and the

01:52

same thing would apply to any other

01:54

customers that they have and all of

01:56

their customers okay my customers are

01:58

just the mentees in the program so

01:59

actually this not my primary job I do

02:02

teach on this console but this is purely

02:04

for me to have to show you what endpoint

02:07

detection that response really is so how

02:10

does this work let's say you got the

02:11

global level they have access to it and

02:13

then this is the account which is my

02:15

account and once again they have other

02:17

mssps like myself who have accounts in

02:20

there right and then under the accounts

02:22

you have the sites which is going to be

02:24

your say for instance if I had

02:25

individual customers what you see here I

02:27

got the other mentees here

02:30

I'm gonna go to this level right here so

02:31

you can kind of see so I've got the

02:33

other mentees listed right here and

02:35

these are their sites you say that's

02:37

where they're doing their practice and

02:38

stuff like that what people are in the

02:40

cyber security mentorship program all

02:42

right and so then we have that level and

02:44

we can go to technology interpreters and

02:46

then we have groups within the site so

02:48

once again I can have a monitoring group

02:50

where I put the stuff in here and the

02:52

policies assigned to this group don't

02:54

necessarily do anything but alert if

02:56

there's an attraction but I also can

02:58

have it where a sentinel one will

02:59

actually do something and take action

03:01

and if there is a detection we'll go

03:03

ahead kill quarantine remediate roll

03:04

back okay so now we're in the tenant

03:07

let's talk about the dashboard okay so

03:09

if you're on the left side menu here we

03:11

got a lot of stuff here okay so we're

03:13

going to go through each of these

03:14

individual items and we're going to tell

03:17

you a little bit about it so on the

03:18

dashboard you got the solved and

03:20

unsolved threats and medicated threats

03:22

right

03:23

so when there's an incident then uh you

03:27

you need to take action on it right and

03:30

once you complete whatever action you

03:31

did on the incident you can mark it as

03:33

solved okay but until then it's listed

03:35

as unsolved in the console and I'm going

03:38

I'm going to go into details and other

03:39

parts of this series I'm going to go

03:40

into all the details about this infected

03:43

endpoints and healthy endpoints so once

03:45

again if your endpoint has some type of

03:47

detection or there's an incident or a

03:49

particular endpoint it is listed as

03:51

infected once it's mitigated it's listed

03:53

as healthy uh you got detection engines

03:56

we'll go into those those are part of

03:57

the policies but there is static

03:59

detection which detects files that are

04:01

on your machine you got other type of

04:03

like detection engines that detect

04:05

scripts that may be run that don't have

04:06

anything to do with files and stuff like

04:08

that so lots of different detection

04:10

engine and this is the artificial

04:12

intelligence behind it that actually

04:14

goes through and does things to actually

04:17

fix or remediate a detection and then

04:21

you got threat to our type which is over

04:23

here so threat to my type once again you

04:25

can have malware you can have

04:27

potentially on programs they're like

04:29

nine different or well probably not

04:31

maybe more than nine different

04:32

categories that sent to the one divides

04:35

these threats into okay also on the left

04:37

hand man you got the little magnifying

04:38

glass this is called Deep visibility and

04:41

so this is where it allows you to

04:42

basically do like when you're doing

04:44

either you're doing incident response to

04:46

follow up on something that's been

04:47

detected or maybe you're doing threat

04:49

hunting but the visibility allows you to

04:51

run queries and you see I don't have

04:53

access to this in this console I could

04:54

probably pay to have this feature added

04:56

but it allows you to do some really cool

04:58

stuff the reason that they don't enable

05:00

this because you could if you don't know

05:02

what you're doing and deep visibility

05:03

and I can get this enabled they already

05:04

told me I could and maybe it's something

05:06

I'll go into once we get further into

05:08

the series but if there's something

05:10

that's not necessarily

05:12

um you do a bad query you could

05:14

essentially lock up their whole console

05:16

and lock up the database and so they

05:18

only enable this feature for people who

05:20

are they certify that you've been

05:22

trained and know what you're doing

05:24

um the ranger product

05:26

this is used to identify devices that

05:29

connect to your network and identify

05:30

those that don't have symptom one agents

05:32

so this is a great way if I come in I

05:34

plug my computer into your network I

05:36

don't have a symptom one installed well

05:39

guess what this Ranger product will

05:41

detect it let me know I got a rogue on

05:43

my network and then we can reach out for

05:45

as far as the I.T Department the

05:47

security department whatever to get that

05:49

device protected Sentinels right here

05:51

these are going to be devices in the

05:53

console you still got this is my VM I'm

05:55

going to move I got an older laptop

05:56

that's a gaming laptop I'll move here

05:58

and we're just going to put all kind of

05:59

vulnerable soft vulnerable software on

06:01

it I'm going to use it for stuff in the

06:03

future videos and stuff like that to

06:04

show you the process of remediating

06:06

vulnerabilities and responding to

06:08

incidents and stuff like that so but

06:10

anyway this is where you see your

06:11

endpoints but it's also where you can do

06:13

your policies which is what determines

06:15

like we're going to go into all these

06:16

and explain all these These are

06:17

different type of engines that you can't

06:19

like that detect malware you got block

06:22

lists you can block things of course

06:24

exclusions this is like programs that

06:26

you may need need to run that you want

06:28

to like that we detect them and we don't

06:30

want Sentinel one to act on them Network

06:33

control is where we can integrate with

06:34

the firewalls take action based on the

06:36

firewall device control this allows us

06:38

to block USB devices and also Bluetooth

06:41

devices packages this is where we're

06:43

going to actually download The Sentinel

06:45

one software there's my site key I'm

06:48

probably gonna have to regenerate after

06:49

showing that but either way I can

06:51

regenerate that side key once again if

06:53

you install it using the site key then

06:55

it will put you in my tenant and all

06:57

that stuff and I'll just basically just

06:58

regenerate it just to stop that uh site

07:01

info of course this is all my

07:02

information my account information

07:03

probably should show that you're gonna

07:05

have to cut that out the video and group

07:06

ranking so anyway that's all of that so

07:09

let's go next uh that covers that's

07:12

incident this is where we have detection

07:15

so I'm going to go up a level and so we

07:17

had a few devices and they kind of you

07:18

saw we ran icar and some of the desktop

07:21

devices and stuff like that that we um

07:24

that we had detections on but anyway

07:26

this is this is where we go and we have

07:28

basically threats and alerts so threats

07:31

once again those those AI engines that's

07:34

where threats come from alerts are we

07:36

able to set up certain type of

07:37

conditions and if things meet certain

07:40

alert conditions and once again this

07:41

feature that I don't have currently

07:43

enabled with my agreement with the uh

07:45

the company but something happens and

07:47

then it will generate alert but alert is

07:50

not a threat okay

07:52

threat is really what you're going to be

07:53

like mostly focused on alerts are kind

07:56

of more like proactive detection to kind

07:57

of like building some additional things

07:59

in addition to the automatic or the AI

08:01

engines and stuff like that that detect

08:03

threats

08:05

um let's see in addition to that I think

08:08

that's good there we're gonna go right

08:10

here identity all right so identity

08:12

uh oh by the way it says on the threats

08:15

I did make a note here that for the

08:16

alert uh you create basically you know

08:19

you create what's called Power

08:20

Expressions to kind of Define things

08:23

that will generate these alerts so

08:24

basically you kind of Define certain

08:25

criteria using this kind of query

08:28

language and this it will generate

08:29

alerts on this I don't have this

08:31

identity feature but in in this feature

08:34

you have what's called Ranger ad which

08:36

reviews active director if you know

08:37

active directory when you log into a

08:39

Windows on a corporate network of

08:40

usually a major company you have to

08:43

authenticate put your credentials in and

08:45

stuff like that and typically they're

08:46

Microsoft shop and they have active

08:48

directory which is where your

08:49

credentials are housed and stuff like

08:50

that and basically you have to log in

08:52

well this Ranger 80 product looks for

08:55

indicators of compromise uh or any type

08:57

of exposure related to active directory

08:59

it has what's called 80 secure EP which

09:02

replaces real active director access so

09:05

the thing is if I get on your network

09:06

there are different kind of hacks right

09:07

that attack uh active directory right I

09:11

can't think of the name of it but you

09:12

put in a chat y'all know the name of it

09:14

uh but anyway you can't attack after

09:15

directory and then what this does

09:18

instead of you like being able to

09:19

identify real computers and accounts it

09:22

basically replaces those with fake

09:24

accounts and fake assets or computer

09:26

names to kind of throw an adversary off

09:28

which basically increases the likelihood

09:31

that they're going to get detected okay

09:32

you also have what's called Ranger ad

09:35

protect which detects Kerberos which is

09:37

uh basically kerberosis a lot of times

09:39

this way it's it's a way where you're

09:41

like accessing file shares and make sure

09:43

I correct me on this because Kerberos

09:45

really confusing

09:47

I've dug into Kerberos and stuff like

09:48

that but when you're basically doing

09:50

file share Kirby roast is what uh does

09:52

these exchanges that prevents you from

09:54

having to do all this like logging in

09:56

constantly when you're accessing fire

09:58

like file shares and stuff like that and

10:00

so it exchanges credentials in a way

10:02

using Kerberos and Kerberos tickets but

10:05

there's this process called Kerber

10:06

roasting that allows you to be able to

10:08

like hack Kerberos okay it's not easy I

10:10

tried it okay not easy but anyway Ranger

10:13

ad protect actually detects those type

10:15

of detections you have what's called

10:17

threat strike which detects lateral

10:20

movement basically moving from one

10:22

machine to another to attack it and I

10:25

just realized I don't even have a webcam

10:26

I just type just talking away here and

10:28

no webcam and then also you have uh

10:31

what's this what else we got detect or

10:34

deflect which basically when an

10:36

untrusted endpoint gets on the network

10:38

it raises a an alert

10:40

um so great way of detecting stuff that

10:43

may be wrote

10:44

so it basically says raise the event

10:46

when untrusted endpoints access

10:48

forbidden network access so I guess if

10:50

it's something on your network that you

10:52

know you can kind of designate this

10:54

shouldn't have access to you at a

10:55

computer that's trying to access it then

10:57

this feature will then kind of like act

11:00

on that okay and that's uh that's going

11:02

and then also you got threat path which

11:04

basically is a great a pretty cool

11:06

feature I'm actually probably going to

11:07

recommend this as a potential uh

11:11

solution for one of my customers uh for

11:13

a remain company I work for because the

11:16

thing is it basically it's able to

11:18

analyze it and it kind of like shows the

11:21

path that you could take to move

11:22

laterally before somebody some adversary

11:24

actually exploits it okay and so then

11:27

that's all that and then we get down to

11:30

What's called the applications okay

11:32

applications which is right here and

11:34

this is cool I love application because

11:36

you get a bonus here so the thing is

11:38

application actually gives us a many

11:41

vulnerability scan so they're able to

11:43

system sensor it has the agent on the

11:45

machine

11:47

and so what it's doing is actually this

11:49

risk section it's actually started to do

11:51

very much what like tenable and

11:53

qualities doing which is being able to

11:55

read the software compare that against

11:57

the CVSs to determine if there are

11:59

vulnerabilities uh and I think it was

12:01

cbss common vulnerability scoring system

12:04

which is what uh the kind of like

12:07

it's the governing body that basically

12:09

determines whether this vulnerability is

12:11

critical or high medium low and stuff

12:13

like that it's the scoring system for

12:14

that so anyway they're able to access

12:16

that compare it with the software that

12:18

they're already seeing on your machine

12:19

which they already have agent and then

12:20

they're able to give you a risk and

12:22

basically giving you kind of like a a

12:24

scaled down vulnerability scan which is

12:26

good when you're actually using these to

12:28

remediate uh me working with the mentees

12:31

we're using these to remediate

12:32

vulnerabilities on our scene and not

12:34

having to buy tenable and I actually

12:35

have customers who actually are trying

12:38

to rely on this and as an alternative to

12:42

attainable for vulnerability scans we

12:44

got inventory this is basically telling

12:46

me all the applications and their

12:48

versions the stuff that's installed on

12:49

my machine and then we have policies

12:51

right here and what you can do is you

12:53

can do an extensive scan which is

12:55

basically to me it seems like it just

12:57

increases the Fidelity of the the

13:00

vulnerability scan this year and this

13:01

confirms it like it's literally saying

13:02

vulnerability scan so your risk is a

13:05

vulnerability scan that sent to the one

13:07

has been included once again when

13:09

inventors they're probably going to

13:09

break it onto a new product and charge

13:11

you extra for it okay so man a lot going

13:14

on activity activity this is where

13:16

anything that happens in a console

13:17

dishes your audit log this is like

13:19

anything that you want to know if I log

13:21

in if I remote into somebody's machine

13:23

but you can do through Sentinel one I'll

13:24

be showing you that feature in upcoming

13:26

videos login log out the whole night I

13:29

shouldn't initiate a scan a decommission

13:31

or basically there's a device that's

13:33

been gone it's never going to check in

13:34

again I decommissioned it which flagged

13:36

it so it doesn't show up in the

13:37

interface all these things show up right

13:39

here in this activity log okay so this

13:42

is this is my bread and butter when I'm

13:44

trying to see what I was doing like if I

13:46

want to see if somebody's in here I feel

13:47

like oh somebody feel like somebody

13:49

might have logged in and done something

13:50

they want to but it's going to be right

13:51

here in this activity law so love that

13:55

let's see what else we got we got

13:57

reports ports are straightforward you

13:59

can generate PDF reports some different

14:01

metrics and stuff like that we'll dig

14:03

into reporting automation automation is

14:05

cool because first of all you got this

14:07

remote Ops task I look I was even look

14:10

digging the doc into the documentation

14:12

don't necessarily know the tasks are

14:13

maybe it's because I don't have any

14:14

remote Ops created but the company that

14:17

owns this they have a lot I'm going to

14:18

show this because these are their

14:19

scripts I don't want to expose that to

14:21

everybody on YouTube you know what I'm

14:23

saying but if you become one of their

14:24

customers you can see it you know what

14:25

I'm saying so anyway they got all these

14:28

different scripts that they're running

14:29

Powershell scripts shell scripts that

14:31

you can run on a large groups of

14:33

machines to either fix things remediate

14:36

vulnerabilities all kind of stuff really

14:37

cool glad to have this feature and plan

14:39

on using and this is a set of the remote

14:41

settings is where basically you can

14:43

include default credentials and stuff

14:45

like that and once again I don't have

14:46

permission based on my access and then

14:48

we get into the settings section okay

14:51

this is great because this is where I

14:53

want to go to click on a lot of these

14:54

but you can set up the notifications you

14:55

can go ahead and add the groups and you

14:57

can notify on different aspects and it's

14:59

a lot of options in the notifications

15:01

okay so and basically you can send the

15:04

notifications either via syslog or email

15:07

okay since all your email system is when

15:10

you send it to like a server that's

15:12

aggregating login information from lots

15:14

of other devices like it could be Splunk

15:16

it could be elastic it could be some

15:18

others and it's aggregating the

15:20

information and then it's presenting

15:21

that information in some way shape or

15:23

form that allows you to be able to like

15:25

kind of like sift through the

15:26

information to find something specific

15:29

so syslog and email alerts you put your

15:31

recipients in here then of course you

15:33

got I'm already no notification you got

15:35

users not going to click there because

15:36

this is where how the user set up who

15:38

are accessed to the console integration

15:40

we can do SMTP syslog and single sign-on

15:44

which is like logging it through an

15:45

identity and access provider like OCTA

15:47

or something like that so we can

15:49

configure that uh looks like that's just

15:51

there's just a lot of information I'll

15:52

click off of that policy override this

15:55

is how awful sometimes we have sent to

15:56

the one like not we can't put an

15:59

exclusion for a process that's like we

16:01

might we want Sentinel one not to act on

16:03

something and so what we would do is we

16:05

put an exclusion but if the exclusion

16:07

doesn't work then we sometimes have to

16:09

do a policy override which makes it

16:10

literally it's just kind of like code

16:12

that really gets very detailed and tells

16:14

the detection engines not to touch this

16:17

so it's like a Step Beyond an exclusion

16:20

exclusion is just saying a process or

16:22

ignore this hash or ignore this

16:25

executable or ignore this file type or

16:27

something like that a policy override is

16:29

literally telling the engine the AI

16:32

engine what to not touch what to not do

16:34

stand down on this particular feature or

16:37

this particular whatever search or

16:40

whatever parameter redefined okay

16:44

all right man it's a lie okay all right

16:46

so then we gotta count I'm not going to

16:48

click on accounts this basically shows

16:49

the accounts we got sites okay so we're

16:52

basically these are all the sites that

16:54

are in um

16:56

system one and these are the sites right

16:58

here okay so remember Global this is the

17:00

that my account and then these all the

17:03

sites uh for the people that are in the

17:05

mentor program and then also the one I'm

17:07

just using for testing and one I used to

17:08

manage my devices too

17:11

um let's see what else we got uh

17:13

locations

17:15

um locations we can basically we can go

17:17

into locations so it's pretty cool

17:19

because it allows us to Define certain

17:22

parameters So based on General like we

17:25

can put location name description IP

17:27

address DNS server DNS resolution

17:29

network interface system one connection

17:31

connected or not registry key uh and

17:34

then also let's see what was one network

17:35

interface wired or Wireless so we can

17:37

basically use these parameters to group

17:39

like different devices into a location

17:41

to act on them in a certain way

17:44

and uh that's it so that's a lot that's

17:49

a lot okay that I covered in a short

17:51

period of time 17 minutes of straight

17:53

talking but this is a good interview

17:56

this is just the overview we haven't

17:58

even dug into any of the features but if

17:59

this is helpful and you want to learn

18:01

endpoint detection and response

18:02

subscribe to my channel I'm about to

18:04

upload this video thanks for watching

18:06

don't forget to like And subscribe I

18:08

said that already and I'll see you on

18:09

the next video