
Search Results


  • SentinelOne (P10 - New SentinelOne Console): A Practical Guide / A Practical Training

    As promised, let's dive into the new SentinelOne console and its features. Here's an overview of what the updated interface looks like.

    Dashboard
    The front-page dashboard in the new console is intuitive and visually appealing. While it doesn't require much explanation, I highly encourage you to explore it. Even if you don't end up using SentinelOne, experiencing this console once will show how flawlessly it operates (with proper configuration, of course).

    Purple AI Tab
    This tab is dedicated to Purple AI, a feature aimed at enhancing automation and operational efficiency.

    Alerts Tab
    In the updated console, the Alerts tab combines the previously separate Alerts and Threats tabs. You now get all alert details in one place, simplifying threat management.

    Exposure Tab
    The Exposure tab now includes:
    - ISPM (Identity Security Posture Management) details under the Misconfiguration section.
    - Application vulnerabilities listed under the Vulnerabilities section, providing a centralized view of risks.

    Event Search Tab
    This tab provides Deep Visibility, a feature carried over from the previous console, enabling you to dive deep into historical event data for advanced investigations.

    Inventory Tab
    - Assets: Displays endpoints with SentinelOne installed.
    - Identity Endpoints: If you've configured Active Directory (AD) as part of ISPM, domain controllers or identity endpoints should appear here.
    - Applications: Houses the application inventory, listing all apps detected within the environment.

    New Graph Query Feature
    A notable new addition is the ability to build custom graphs:
    - Custom Queries: Build your own queries for tailored insights.
    - Query Builder Examples: Use pre-designed examples as starting points.
    - Library: Access a library of prebuilt queries for quicker analysis.

    Activities Tab
    This tab contains the Activity Log, which records everything that happens in the console, a carryover from the previous logs feature.

    RemoteOps Tab
    This tab is similar to the Automation feature from the older console, allowing remote operations and task execution.

    Agent Management Tab
    The Agent Management tab replaces the old Sentinels tab and provides similar functionality, along with additional sub-tabs for more granular management.

    Reports and Policies Tabs
    The final two tabs:
    - Reports: For generating and viewing detailed reports.
    - Policy and Settings: Offers comprehensive configuration options for policies and other settings.

    Conclusion
    That wraps up the overview of the new SentinelOne console. It's packed with updates and improved functionality.

    "Thanks for sticking with me on this journey through SentinelOne! It's truly an incredible platform that combines power, simplicity, and innovation. Whether you're new to it or a seasoned user, SentinelOne has something to wow everyone. Stay tuned for more updates as we continue exploring its awesome features together!"

  • Tracing Reused $MFT Entry Paths: Recovering Deleted File Paths Forensically with CyberCX UsnJrnl Rewind

    Hey there! If you've been following my articles, you might already know the answer to this question. But let me ask it again: if we have $MFT, why do we need $UsnJrnl?

    Understanding the Difference Between $MFT and $UsnJrnl
    While the $MFT (Master File Table) gives you a snapshot of the file system at specific points in time, the $UsnJrnl ($J) keeps a detailed record of file system changes over time.

    Tracking Subtle Changes
    Exfiltration often involves small but significant actions: modifying, renaming, or deleting files. These actions may not always be captured by the $MFT, but $UsnJrnl logs them in detail, which is crucial for uncovering sophisticated exfiltration techniques.

    Example: let's say an attacker creates a ZIP file to exfiltrate data. The $MFT will log the creation of the ZIP file. The $UsnJrnl, however, will document every step: adding files to the ZIP, zipping the data, renaming the file, and moving it.

    ------------------------------------------------------------------------------------------------------------

    This answers the initial question, but let's raise a new one.

    What Happens When MFT Entries Are Reused?
    Here's the scenario:
    - A file is created, and its details are stored in the $MFT with a sequence number or file record.
    - The file is deleted. $UsnJrnl logs this event, but the $MFT entry becomes available for reuse.
    - When a new file is created, it might reuse the same MFT sequence number or file record.

    Since $UsnJrnl/$J doesn't track full file paths but instead logs file names, entry numbers, and sequence numbers, a question arises: if a file's $MFT record is removed or reused by another file, how can you reconstruct the original file path using $MFT and $J?

    [Screenshot of $J]

    Forensic tools often correlate $UsnJrnl with $MFT to reconstruct file paths, but reused MFT entries can complicate this process.

    ------------------------------------------------------------------------------------------------------------

    Okay, let me give you a practical example so you can understand it easily.

    Example: Recovering the Path
    Files used:
    - $MFT parsed file: mftOutput.csv
    - $UsnJrnl parsed file: jOutput.csv

    Observations:
    Let's choose the file name creds.txt.txt. In the $UsnJrnl:$J file, creds.txt.txt was identified with:
    - Entry Number: 1124
    - Sequence Number: 4
    - Update Reason: File Delete | Close (this update reason means the file was deleted and its $MFT file record is available for reuse)

    Searching for the file name in the $MFT file revealed that no file named creds.txt.txt exists. Searching for Entry Number 1124 in the $MFT file instead revealed that the entry had been reused. The sequence numbers confirmed it had been overwritten four times, with the current file being log.old. This reuse makes it impossible to locate the deleted file's path directly in the $MFT.

    ------------------------------------------------------------------------------------------------------------

    Solution: Using CyberCX UsnJrnl Rewind
    Research and tools from CyberCX come to the rescue. They developed a script called UsnJrnl Rewind, which correlates $MFT and $UsnJrnl:$J data to reconstruct deleted file paths, even for entries that have been reused.

    Steps to use:
    1. Clone the tool from the GitHub repository: CyberCX UsnJrnl Rewind.
    2. Set up the environment (e.g., WSL or Linux).
    3. Run the script with the $MFT and $UsnJrnl parsed files as inputs:
       python usnjrnl_rewind.py -m MFT_Output.csv -u UsnJrnl_Output.csv output-path
    4. The tool produces two outputs:
       - NTFS.sqlite
       - USNJRNL.fullpath

    ------------------------------------------------------------------------------------------------------------

    Verifying the Results
    Open the USNJRNL.fullpath file to locate the path of creds.txt.txt.

    Additionally, you can trace the file record's lifecycle:
    - Sequence 1: Overflowset → Deleted
    - Sequence 2: NewTextDocument.txt → Deleted
    - Sequence 3: log.old~rf14 → Deleted
    - Sequence 4: log → Currently active on the system

    And there you have it! This research has taught us valuable insights into forensic investigations. With that, we wrap up this article. See you in the next one; until then, take care and goodbye!

    ----------------------------------------------Dean----------------------------------------------------
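To make the correlation concrete, here is an added Python illustration (not the CyberCX UsnJrnl Rewind code, and not part of the original post) of how $J records can be rewound to a full path once an MFT entry has been reused: every $J record carries the file's own (entry, sequence) reference and its parent's, so the chain of parents can be followed through $J history where the live $MFT no longer has the exact reference. The column layout, the parent folder entries, and every sample row are constructed for the example.

```python
"""Reconstruct a deleted file's full path from parsed $MFT and $UsnJrnl:$J data when
the file's MFT entry has been reused. Added illustration, not the CyberCX UsnJrnl
Rewind code; the column layout and every sample row below are constructed."""

ROOT = (5, 5)  # the NTFS root directory is always MFT entry 5, sequence 5

# Constructed $MFT rows as a parser would emit them today:
# (entry, seq, parent_entry, parent_seq, name, in_use).
# Entry 1124 is now occupied by log.old (sequence 5) and entry 2001 by the folder
# "cache" (sequence 3); the earlier occupants of both entries are gone from $MFT.
MFT_ROWS = [
    (5, 5, 5, 5, "", True),
    (40, 1, 5, 5, "Users", True),
    (41, 1, 40, 1, "dean", True),
    (88, 2, 41, 1, "Desktop", True),
    (1124, 5, 88, 2, "log.old", True),
    (2001, 3, 41, 1, "cache", True),
]

# Constructed $UsnJrnl:$J rows in time order:
# (entry, seq, parent_entry, parent_seq, name, update_reasons).
# creds.txt.txt (1124/4) lived in a folder "staging" (2001/2) that was itself deleted
# afterwards and reused, so both hops must come from $J history, not from $MFT.
USN_ROWS = [
    (1124, 1, 88, 2, "Overflowset", "FileCreate|Close"),
    (1124, 1, 88, 2, "Overflowset", "FileDelete|Close"),
    (1124, 2, 88, 2, "NewTextDocument.txt", "FileCreate|Close"),
    (1124, 2, 88, 2, "NewTextDocument.txt", "FileDelete|Close"),
    (1124, 3, 88, 2, "log.old~rf14", "RenameNewName|Close"),
    (1124, 3, 88, 2, "log.old~rf14", "FileDelete|Close"),
    (2001, 2, 88, 2, "staging", "FileCreate|Close"),
    (1124, 4, 2001, 2, "creds.txt.txt", "FileCreate|Close"),
    (1124, 4, 2001, 2, "creds.txt.txt", "DataExtend|Close"),
    (1124, 4, 2001, 2, "creds.txt.txt", "FileDelete|Close"),
    (2001, 2, 88, 2, "staging", "FileDelete|Close"),
    (1124, 5, 88, 2, "log.old", "FileCreate|Close"),
    (2001, 3, 41, 1, "cache", "FileCreate|Close"),
]


def index_mft(rows):
    """(entry, seq) -> (name, parent ref) for records that are still in use."""
    return {(e, s): (name, (pe, ps)) for e, s, pe, ps, name, in_use in rows if in_use}


def index_usn(rows):
    """(entry, seq) -> (last name seen, parent ref). Later $J records win, so a
    renamed file is reported under its final name."""
    hist = {}
    for e, s, pe, ps, name, _reasons in rows:
        hist[(e, s)] = (name, (pe, ps))
    return hist


def resolve_path(ref, mft, usn):
    """Walk parent references from `ref` up to the root. Each hop is answered by the
    live $MFT when that exact (entry, seq) is still present, otherwise by $J history.
    Returns None when a link is missing (for example, the $J ring buffer has wrapped
    and the parent's records are gone), rather than guessing a path."""
    parts, seen = [], set()
    while ref != ROOT:
        if ref in seen:  # corrupt or cyclic data: refuse to loop forever
            return None
        seen.add(ref)
        rec = mft.get(ref) or usn.get(ref)
        if rec is None:
            return None
        name, ref = rec
        parts.append(name)
    return "\\" + "\\".join(reversed(parts))


def lifecycle(entry, mft, usn_rows):
    """Every (seq, name, state) that has occupied one MFT entry, oldest first."""
    names, deleted = {}, set()
    for e, s, _pe, _ps, name, reasons in usn_rows:
        if e != entry:
            continue
        names[s] = name
        if "FileDelete" in reasons.replace(" ", ""):
            deleted.add(s)
    result = []
    for s in sorted(names):
        if s in deleted:
            state = "Deleted"
        elif (entry, s) in mft:
            state = "Active"
        else:
            state = "Unknown"
        result.append((s, names[s], state))
    return result


if __name__ == "__main__":
    mft, usn = index_mft(MFT_ROWS), index_usn(USN_ROWS)
    print(resolve_path((1124, 4), mft, usn))  # \Users\dean\Desktop\staging\creds.txt.txt
    for seq, name, state in lifecycle(1124, mft, USN_ROWS):
        print(f"Sequence {seq}: {name} -> {state}")
```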

  • Lateral Movement Analysis: Using Chainsaw, Hayabusa, and LogParser for Cybersecurity Investigations

    A few days ago, I received a request through my website from someone working on an incident response case. He mentioned a situation involving 20 endpoints and asked if there was a quicker way to identify lateral movement, specifically whether users on those endpoints had attempted to log in to other systems and whether those attempts were successful. He was manually analyzing logs from all 20 endpoints, which was understandably time-consuming and inefficient.

    Around the same time, another cybersecurity professional with more than 20 years of experience reached out, seeking an easy way to identify lateral movement and asking me to teach him how to analyze it. Frankly, I was surprised. With such extensive experience and a high-level role, I didn't expect lateral movement analysis to be a pain point for him.

    This got me thinking: while most professionals understand what lateral movement is, identifying it during an investigation remains challenging. Lateral movement analysis requires a deep understanding of logs, artifacts, and various attack vectors, which can seem daunting, even for seasoned Incident Response (IR) and Digital Forensics & Incident Response (DFIR) practitioners.

    Inspired by these requests, I decided to simplify things with this article. Today, I'll discuss three tools that make lateral movement analysis much easier:
    - Chainsaw
    - Hayabusa
    - LogParser

    If you're unfamiliar with these tools, I've already written detailed guides explaining how they work, which commands to use, and what to expect from them. You can check out the following posts:
    - Hayabusa: A Powerful Log Analysis Tool for Forensics and Threat Hunting
    - Chainsaw: Streamlining Log Analysis for Enhanced Security Insights
    - Microsoft's Log Parser (Bonus File Included)

    However, today we'll focus solely on using these tools for lateral movement analysis.

    -------------------------------------------------------------------------------------------------------------

    What Is Lateral Movement?
    I won't delve too much into the basics since most of you already know what lateral movement is. If you don't, I recommend checking out my article Understanding Lateral Movement in Cybersecurity. It covers everything you need to know about manually analyzing lateral movement using the registry, Event IDs, and the filesystem. It's a great foundation to build your skills before diving into automated tools.

    -------------------------------------------------------------------------------------------------------------

    Chainsaw: Simplifying Lateral Movement Analysis
    Let's dive into the first tool, Chainsaw, and see how it simplifies log analysis for lateral movement. I'll demonstrate how to run a single command in PowerShell and let Chainsaw do the heavy lifting.

    Command:
    PS E:\Log Analysis Tools\chainsaw_all_platforms+rules+examples\chainsaw> .\chainsaw_x86_64-pc-windows-msvc.exe hunt -r rules\ "E:\Output for testing\logs 123\log123"

    Chainsaw immediately starts hunting through the logs, isolating critical events that may indicate lateral movement. Below are some screenshots and insights from my analysis.

    Screenshot 1: User Remote Access
    Chainsaw identified that the user remotely accessed a system (XSPACE2197) using the IP 192.168.30.1. While this could be legitimate, you'd need to verify it by asking the user or checking the context. What's impressive here is how easily Chainsaw pinpoints such activities, saving you time compared to manual log analysis.

    Screenshot 2: RDP Logoff Events
    Chainsaw highlights RDP logoff events. Although these don't directly indicate lateral movement, they're worth noting when attackers move between systems via RDP and log off after completing their actions.

    Screenshot 3: Potential RDP Attack
    In this example, Chainsaw identified events showing successful RDP logins, session connections, and disconnections. Here's what stood out: the user is Jean-Luc, and the IP 192.168.30.1 suggests activity within a trusted network. While these behaviors may seem normal, it's crucial to confirm whether this activity aligns with the user's routine.

    Chainsaw's ability to filter relevant data means you don't need to sift through mountains of logs manually. It automates the heavy lifting, allowing you to focus on deeper investigation and validation.

    -------------------------------------------------------------------------------------------------------------

    A Word of Caution
    While tools like Chainsaw automate much of the analysis, manual log analysis remains an essential skill for any cybersecurity professional. Automated tools like Magnet Axiom and FTK are great, but understanding the underlying artifacts (e.g., $J, $MFT) and how to analyze them manually is what truly sets you apart as a forensic investigator.

    -------------------------------------------------------------------------------------------------------------

    Hayabusa Tool: Lateral Movement Analysis Made Easy
    Hayabusa has quickly become one of the most reliable tools in my log analysis arsenal. It's versatile, efficient, and saves an incredible amount of time, especially when detecting lateral movement. Let's dive into how you can leverage Hayabusa specifically for lateral movement detection.

    Highlights of Hayabusa in Action
    1. When you feed your logs to Hayabusa, it doesn't just dump all events on you. Instead, it filters and categorizes them into a manageable set of results. For instance:
       - Input logs: 12,776 events.
       - Filtered suspicious events: 1,338 events.
    2. Hayabusa categorizes the events by their severity: Critical, High, Medium, Low. Each category is color-coded, making it visually intuitive to spot critical issues at a glance.

    Detecting Lateral Movement
    Hayabusa flagged potential lateral movement activities. In the screenshots below, I've highlighted key areas you should focus on when looking for lateral movement indicators. While there are other important artifacts, such as service installations, I'm providing a basic overview of what to watch for when analyzing logs for lateral movement.

    At the start we had 12,776 events; after running Hayabusa we only have 1,339 hits. If you take a look at the output in the command prompt, you might think, "This analysis isn't for me. How can I make this more manageable and effective?" Don't worry, I've got you covered! There's a streamlined way to analyze this data, and I'll show you exactly how to make sense of it more efficiently.

    Simplifying the Analysis Process
    Analyzing these hits manually through the command prompt can quickly become cumbersome. So, let me share a personal method I use to simplify the process.

    First, I extract all the data from Hayabusa into a CSV file, using the following command:
    PS E:\Log Analysis Tools\hayabusa-2.17.0-win-x64> .\hayabusa-2.17.0-win-x64.exe csv-timeline -d "E:\Output for testing\logs 123\log123" -o output.csv

    Next, I use Timeline Explorer to open the CSV file. It's a fantastic tool for navigating through the extracted timeline data and helps you easily pinpoint areas of interest.

    Let's say I want to focus on a specific lateral movement indicator, like "PSExec Lateral Movement." Simply search for it in the Excel file, and you'll get the results, just like the screenshot below. Suppose I want to investigate "Logon (Network)" events. I can search for that in the CSV and quickly get all the details I need, including the type of logon, user, source computer, and source IP. The ease of this process cannot be overstated.

    Why Hayabusa Is My Tool of Choice
    If I had to choose one tool for log analysis, it would always be Hayabusa. Its seamless integration with timeline data and its ability to quickly filter through vast amounts of log data make it the best choice for me. Much like KAPE, Hayabusa has become an indispensable part of my inventory. I've been using it for the past three years, and it has come a long way, becoming more efficient and accurate with each iteration. A big thank you to Yamato Security Group in Japan for creating a tool that truly makes the work of forensic and IR professionals much easier.

    -------------------------------------------------------------------------------------------------------------

    Log Parser: Building Precise Detection Queries
    Recently, I was reflecting on tools like Hayabusa and Chainsaw and wondered: "Is it possible to build custom queries with exceptions to make detections more precise?" While these tools are fantastic, they don't offer much flexibility for creating or applying exceptions directly. That sparked a thought: why not explore Log Parser for this purpose? Log Parser uses a SQL-like language, which makes it different from other tools. It provides the flexibility to build highly tailored queries, including exceptions, which can significantly enhance detection precision.

    A Quick Note on Log Parser
    If you're unfamiliar with Log Parser, I've written a complete article detailing its features, commands, and use cases. The link is available at the top of this post; feel free to check it out!

    Objective: Detecting Lateral Movement
    For this experiment, I'll focus on detecting lateral movement using logs. The primary log source will be Security.evtx. There are already commands created to run with Log Parser, attached to my article Microsoft's Log Parser (Bonus File Included), but I felt the need to create new, customized ones. Let's get started!

    Setup and Approach
    I've collected the logs from one endpoint into a single directory. We'll primarily work with SQL queries to parse and analyze the data. Below are the queries I crafted as a starting point. (Worry not: at the end I will attach a text file containing all the queries so you can modify them as per your needs.)

    1. Query to Detect RDP Logins (Event ID 4624)
       Purpose: RDP is frequently used by attackers for lateral movement to access remote systems. You can use Event ID 4624 (successful logon) to track RDP logins.
       Usage: This query will show when a user logs in via Remote Desktop, which can be indicative of lateral movement across machines.
    2. Query to Detect Lateral Movement via SMB (Event ID 5140)
       Purpose: Lateral movement often involves SMB (Server Message Block) to access shared resources across systems. Event ID 5140 indicates that a network share was accessed. Monitoring this can help detect unauthorized lateral movement attempts.
       Expected Output: The query will show network share access by users, which could be an indicator of lateral movement.
    3. Query to Detect Credential Dumping Tools (Event ID 4688)
       Purpose: Malicious actors often use tools such as Mimikatz or LaZagne to dump credentials during lateral movement. Monitoring process creation events (Event ID 4688) for signs of such tools is important.
       Expected Output: This query will help detect the execution of credential dumping tools used for lateral movement.
    4. Query to Detect Abnormal WMI Activity (Event ID 5858)
       Purpose: WMI (Windows Management Instrumentation) is commonly used by attackers for lateral movement. Event ID 5858 represents successful WMI operations. Monitoring this can help detect malicious use of WMI for lateral movement.
       Expected Output: This query will show WMI operations initiated by users, which could indicate lateral movement across systems.
    5. Query to Detect Multiple Failed Logins (Event ID 4625)
       Purpose: When attackers attempt to move laterally, they often try brute-forcing credentials. Monitoring for multiple failed logon attempts can help detect these attempts.
       Expected Output: This query will show multiple failed logon attempts, which may indicate brute-force or credential stuffing attacks.
    6. Logon and Logoff Activity (Event IDs 4624 and 4634)
       Purpose: These queries track user logons and logoffs, filtering by remote logon types like RDP (Logon Type 10), network logons (Logon Type 3), and other types like unlocking workstations or batch jobs. The goal is to detect unauthorized access or lateral movement, including identifying unusual source IPs and workstations.
    7. Process Creation (Event ID 4688)
       Purpose: This query identifies the creation of processes that may be indicative of malicious activity, such as cmd.exe, powershell.exe, wmic.exe, and net.exe. These processes are frequently used for lateral movement, privilege escalation, and other post-exploitation activities. Analyzing the associated command lines and parent processes can reveal suspicious actions.
    8. Remote and Network Logons
       Purpose: This query monitors network logons (such as those using SMB) and RDP logons (Logon Type 10). It helps track remote access, particularly focusing on user-driven activities and excluding system accounts. This is particularly useful for detecting lateral movement and unauthorized logins from unexpected locations.
    9. Service Creation
       Purpose: This query tracks suspicious service installations that could indicate malicious activity. For example, the creation of services associated with tools like PsExec, powershell.exe, and cmd.exe may point to attackers maintaining persistence or executing lateral movement within a network.

    While the rules mentioned above offer a great starting point for detecting suspicious behavior using LogParser, you can further fine-tune these queries to create more customized detections. As you can see, it's quite simple to adapt and refine these rules to better fit your needs. With the combination of LogParser, process creation analysis, and remote logon detection, you have a powerful toolset to detect lateral movement in your environment. I've added the rules in a text file and attached it for you.

    You may notice that some rules appear to be duplicates. If these aren't relevant to your needs, feel free to leave them out or modify them to suit other detections. I've provided them just for your reference, so please don't get upset with me! LOL. Also, keep in mind that due to Windows updates, some rules might stop working after a few months. Make sure to double-check and test the rules before running them against your logs.

    -------------------------------------------------------------------------------------------------------------

    Managing Logs from Multiple Workstations
    Now, let's take this to the next level. Imagine you have 10 workstations, each generating its own security logs, and you collect these logs into separate folders. Instead of manually running the same command for each folder, which can be time-consuming and inefficient, I've got a solution that will make your life easier.

    Here's how it works: the script I've developed will automatically scan multiple folders or subdirectories in a specified root path. It will identify the Security.evtx logs within each folder, apply your customized detection rules, and generate the output, all with minimal effort on your part. This method streamlines the process and significantly reduces the complexity of manually executing commands for each log file.

    A Simple, Effective Approach
    This approach ensures that you can scale your detection efforts across many workstations without being bogged down by repetitive tasks. It's quick, efficient, and easy to implement, exactly what you need when working with large datasets or multiple machines.

    -------------------------------------------------------------------------------------------------------------

    Get Involved!
    If you have any queries, suggestions, or additional detection methods you'd like to share, feel free to reach out! I'm always looking for ways to improve and collaborate. Your ideas could be featured in a future post, and you'll be credited as the creator!
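As an added illustration (not the author's attached Log Parser queries or folder-scanning script), the Python below applies the remote-logon rule (rule 8) and the failed-logon rule (rule 5) described above, with the kind of exceptions the text asks for, across constructed Security logs from two workstations in one pass. The field names, the allowlisted jump host and the known-good account/workstation pair are assumptions for the example; a real run would read each host's Security.evtx instead of the embedded events.

```python
"""Lateral-movement logon rules with exceptions, applied across several hosts' logs.
Added example, not the author's attached Log Parser queries or folder-scanning script.
The events below are constructed and already parsed into dicts (the fields Log Parser
exposes from Security.evtx 4624/4625 records: logon type, account, source IP and
workstation); a real run would read them from each host's Security.evtx."""
from collections import Counter

REMOTE_LOGON_TYPES = {3: "Network", 10: "RemoteInteractive"}  # SMB-style and RDP logons
NOISE_ACCOUNTS = {"ANONYMOUS LOGON", "SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}
FAILED_LOGON_THRESHOLD = 5  # 4625 events from one source before a finding is raised

# Exceptions: the "precision" knob the text asks for. Assumed values for this example.
EXPECTED_SOURCES = {"10.0.0.5"}                 # approved admin jump host
EXPECTED_PAIRS = {("svc_backup", "backup01")}   # (account, source workstation) known-good


def is_remote_user_logon(ev):
    """Rule 8: 4624 with logon type 3 or 10, human accounts only, from a real source."""
    if ev["event_id"] != 4624 or ev["logon_type"] not in REMOTE_LOGON_TYPES:
        return False
    user = ev["target_user"]
    if user.endswith("$") or user.upper() in NOISE_ACCOUNTS:
        return False  # machine and built-in accounts are not a person moving laterally
    return ev["ip"] not in LOCAL_SOURCES


def is_excepted(ev):
    """Suppress logons the environment already explains."""
    return ev["ip"] in EXPECTED_SOURCES or (ev["target_user"], ev["workstation"]) in EXPECTED_PAIRS


def remote_logon_findings(events):
    return [
        {
            "time": ev["time"], "user": ev["target_user"], "ip": ev["ip"],
            "workstation": ev["workstation"], "kind": REMOTE_LOGON_TYPES[ev["logon_type"]],
        }
        for ev in events if is_remote_user_logon(ev) and not is_excepted(ev)
    ]


def failed_logon_findings(events):
    """Rule 5: many 4625s from one source IP suggest password guessing before a move."""
    per_source = Counter(ev["ip"] for ev in events if ev["event_id"] == 4625)
    return {ip: n for ip, n in per_source.items() if n >= FAILED_LOGON_THRESHOLD}


def scan_hosts(logs_by_host):
    """Stand-in for the folder-walking script: one Security log per workstation in,
    one findings dict per workstation out, so 10 or 20 hosts are reviewed in one pass."""
    return {
        host: {"remote_logons": remote_logon_findings(evs),
               "failed_logon_sources": failed_logon_findings(evs)}
        for host, evs in logs_by_host.items()
    }


def _ev(time, event_id, user, logon_type, ip, workstation):
    return {"time": time, "event_id": event_id, "target_user": user,
            "logon_type": logon_type, "ip": ip, "workstation": workstation}


# Constructed sample logs for two workstations.
SAMPLE_LOGS = {
    "WS01": [
        _ev("09:01", 4624, "jean-luc", 10, "192.168.30.1", "XSPACE2197"),  # RDP from the LAN
        _ev("09:02", 4624, "WS02$", 3, "192.168.30.7", "WS02"),            # machine account, ignored
        _ev("09:03", 4624, "admin", 10, "10.0.0.5", "JUMP01"),             # exception: jump host
        _ev("09:04", 4624, "dean", 2, "-", "WS01"),                        # console logon, not remote
    ],
    "WS02": [
        _ev("10:00", 4624, "svc_backup", 3, "192.168.30.9", "backup01"),   # exception: known pair
        _ev("10:05", 4624, "jean-luc", 3, "192.168.30.1", "XSPACE2197"),   # SMB-style network logon
    ] + [_ev(f"10:{10 + i:02d}", 4625, "administrator", 3, "192.168.30.50", "UNKNOWN")
         for i in range(6)],                                                # six failures, one source
}

if __name__ == "__main__":
    for host, found in scan_hosts(SAMPLE_LOGS).items():
        print(host, found)
```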
    See you in the next one, where we'll dive deeper into more exciting techniques and tools. Stay tuned!

    -------------------------------------------Dean-----------------------------------------------------

  • SentinelOne (P9 - Settings): A Practical Guide / A Practical Training

    The Settings section in the SentinelOne Console is your central hub for configuration and management. Here's a detailed breakdown of its features with examples and practical insights.

    1. Configuration
       The Configuration tab provides an overview of licenses and key settings.
       - Licenses: See which features you have paid for, such as Remote Ops Forensic or Network Discovery.
       - Other Settings: Adjust session timeouts, password expiration policies, and more.
    2. Notifications
       As the name suggests, this feature allows you to set up alerts.
       Example: You can configure an email notification to be sent whenever a threat is detected or if someone uninstalls an agent.
       - Customizable Events: Alerts for detection, policy violations, and endpoint changes.
    3. Users
       Here, you can create and manage users with specific roles. Example:
       - SOC Team Role: Restrict permissions to prevent them from uninstalling agents.
       - IR Team Role: Allow broader control, such as agent uninstallation.
    4. Integrations
       This section enables the setup of third-party integrations for SMTP, Syslog, or SSO (Single Sign-On).
       Features: View and edit integrations; add or delete integrations to streamline your workflow with external tools.
    5. Policy Override
       This feature lets you temporarily override security policies for specific endpoints.
       Real-Life Scenario: A new testing agent triggered false positives, quarantining files (e.g., Excel files). The SOC team was overwhelmed by the alerts.
       Solution: The policy was switched to "Detect Only" mode, stopping file quarantine. SentinelOne support provided a policy override, resolving the issue without reverting the agent.
    6. Accounts
       Manage accounts for different clients, ensuring flexibility in a multi-client environment.
    7. Sites
       Create and organize Sites within your account hierarchy for better management.
    8. Locations
       Dynamic Policy Application adjusts protection based on network location. Example features:
       - Stricter policies on untrusted networks (e.g., public Wi-Fi).
       - Define trusted networks by IP ranges, DNS servers, or gateway IPs.

    Pro Tip: SentinelOne's flexibility in settings allows organizations to adapt quickly to unique challenges, such as managing alerts, integrating external tools, or handling network-based policies. The Policy Override feature, in particular, can be a lifesaver during unexpected situations like false positives.

    -------------------------------------------------------------------------------------------------------------

    Wrapping Up SentinelOne: Transitioning to the Newer Console
    That's a wrap for exploring SentinelOne's older console! As a heads-up, SentinelOne has rolled out a newer console with updated features and a refreshed UI. While the newer version offers more functionality, it might feel slightly more complex initially.

    My Advice: If you're just starting out with SentinelOne:
    - Begin with the older console: It's simpler and provides a solid foundation.
    - Transition to the newer console once you're comfortable.

    Stay Connected: Thanks for sticking around! If you found this guide helpful and want to stay updated:
    - Bookmark this website for easy access to more articles.
    - Sign up for notifications on my website to get updates on the latest guides, tips, and tutorials.

    More insights on SentinelOne's newer console and advanced features are coming in the next article. Stay tuned! 🚀

  • SentinelOne (P8 - SentinelOne Automation): Guide / Training on Forensic Collection, KAPE Integration, Running Scripts and Incident Response

    SentinelOne’s DFIR capabilities are a standout feature, making it a must-have tool for forensic analysts. Let me walk you through how this tool becomes a forensic heaven for DFIR professionals . ------------------------------------------------------------------------------------------------------------- Why SentinelOne Excels in DFIR Imagine you’ve identified an alert—perhaps a hack tool followed by lateral movement. After isolating the endpoint, the question arises: What’s next? Deep Analysis Options : Logs from SentinelOne’s console provide immediate insights. Use Deep Visibility  to explore connections and processes. Advanced Forensics :Beyond log analysis, SentinelOne allows you to collect: Entire disk images. Crucial forensic artifacts like $MFT , $J , Prefetch and more. This flexibility elevates it above other tools, providing unparalleled forensic depth. ------------------------------------------------------------------------------------------------------------- I won’t go into details about what the $MFT (Master File Table), $J, Prefetch, Timeline, how to parse it. For an in-depth understanding, you can explore the dedicated Articles available on my website under the "Courses" tab. Website Link:- https://www.cyberengage.org/courses-1 ------------------------------------------------------------------------------------------------------------- As mentioned earlier, I promised to explain how to collect and review logs before diving into in-depth forensic analysis. Let’s go over the process for gathering logs. Collect Logs Fetching Logs from the Console : Navigate to Endpoints  in SentinelOne. Select the endpoint you want to investigate. Click Actions , then select Fetch Logs . Where to Find Logs : Wait 5–10 minutes for the logs to upload. Go to the Activity Tab  to download the logs. What’s Inside the Logs? When you extract the ZIP file, you’ll find the following: Sentinel Agent Logs : Contain information about the endpoint's activities. 
Platform Folder : EventViewer Folder : Includes key logs like: Application System Security Hardware Event Kernel Event Note : SentinelOne does not pull all logs—it focuses on these critical ones. Misc Folder : Misc  folder contains a wealth of valuable information for Incident Response (IR) professionals. While SentinelOne does not fetch all logs via Event Viewer, the data within the Misc folder can compensate with its extensive details . ------------------------------------------------------------------------------------------------------------- That's all for logs. I won't delve into log analysis here. If you're interested, I have detailed articles on log analysis using different tools available under the Tool Hub  section of my website. These resources will guide you analyzing logs effectively. ------------------------------------------------------------------------------------------------------------- Now, let’s move on to automation . In the Automation  section , you'll find three tabs: Remote Ops , Task Management , and Tasks . Let’s begin with Remote Ops  to give you a clear understanding of how it works and its relation to the other two tabs. Remote Ops Creating a New Operation: Start by clicking the + Create New  button. Selecting an Option: You'll be prompted to choose between uploading a custom script or creating a forensic profile. Let’s explore the Forensic Profile  option first. Creating a Forensic Profile: You can collect various artifacts, such as registry data, event logs, and even memory dumps. The platform supports creating forensic profiles for Windows , Linux , and Mac  endpoints, which is incredibly versatile. Once you’ve saved your forensic profile, you’ll see it listed as created and ready for use. Example outputs for forensic profiles: Windows : Select and gather registry hives, event logs, and memory images. Linux : Collect configuration files, log files, and process information. 
Mac : Retrieve system logs, kernel events, and user profiles. Uploading Custom Scripts: If you already have specific scripts prepared (e.g., using tools like KAPE), you can upload them here for execution. I’ll provide more details about using custom scripts like KAPE later, but for now, let’s focus on running the forensic profile to demonstrate the output. Let’s dive into the steps for running a forensic collection, one of my favorite features of SentinelOne. Here’s how it works: Steps to Run the Forensic Collection Start the Collection: Go to the Sentinels Tab  in the console. Select the endpoint you want to investigate. Click on Actions , then Search for Forensic Collection . Choose the forensic profile you created earlier and hit Run Collection . Monitor the Task: Head over to the Task Tab  to track the status. Initially, it will show as Pending , but within 2–3 minutes, it will switch to In Progress . Once the collection is complete, you’ll see it listed under the Completed  section. Download the Results: Click on Download Files  to grab the collected data. Typically, the entire process takes just 10–15 minutes. That’s incredibly fast for a forensic workflow! What Do You Get in the Output? When the process completes, you’ll get a wide range of valuable forensic artifacts, including: $MFT  (Master File Table) $J (Journal) UserAssist (recent applications used) Prefetch Files PowerShell History In short, you’re handed a complete forensic package— raw and parsed data that’s ready for analysis. ------------------------------------------------------------------------------------------------------------- Why I Love This Feature Here’s why I think SentinelOne excels in forensic collection: You get original, unparsed artifacts  like $MFT and $J , which you can analyze deeply. It also provides parsed data in JSON format , which is great for users who prefer structured outputs. You’re not limited to Windows —this works seamlessly for Linux and macOS too. 
My Personal Take

While I appreciate the JSON files SentinelOne generates, I'll admit they're not my favorite format to work with. JSON can be challenging to analyze directly, so I usually stick to my trusted tools like Timeline Explorer and KAPE for parsing and analysis. For instance, I'll take the original $MFT file and parse it using KAPE, which makes the data much easier to work with. Similarly, for jumplists and shellbags, I prefer analyzing them manually after extraction.

That said, this feature is a game-changer for anyone comfortable with JSON or text-based formats. If you're like me and have your favorite tools, you can still extract the raw data and analyze it your way.

-------------------------------------------------------------------------------------------------------------

Running a Script in SentinelOne: Step-by-Step

Now that we've covered forensic profiles, let's move on to running scripts on endpoints. For this example, we'll use the PSRecon.ps1 script, which is freely available on GitHub: PSRecon on GitHub.

Running scripts through SentinelOne is incredibly straightforward. Here's how you can do it:

Uploading the Script

Upload the Script:
- Navigate to the Automation Tab.
- Click + Create New and select Upload New Script.
- Give your script a name (e.g., "PSRecon Script") and upload the script file.

Confirm Upload:
- Once uploaded, you'll see the script listed in your repository, ready to be executed.

Running the Script on an Endpoint

Initiate the Script Execution:
- Go to the Sentinels Tab and select the target endpoint.
- Click on Actions, then search for Run Script.
- Choose the uploaded script from the list.

Select Output Location:
- Specify where you want the output to be saved. I recommend always selecting Sentinel One Cloud for easier access and retrieval.

Tracking and Retrieving Output

Monitor the Task:
- Head to the Task Tab to check the status of the script.
- Initially, it will show as Pending, then move to In Progress.
Retrieve the Output:
- Once completed, you'll find the task listed under the Completed section.
- Simply download the output files.

The Result

And that's it! Within minutes, you'll have the output generated by your script. For PSRecon, this means detailed system information neatly organized for analysis.

Why This is Amazing

Running scripts like this through SentinelOne is incredibly efficient:
- No need for direct access to the endpoint.
- Simple, centralized execution.
- Automated output retrieval.

It's a game-changer for incident response and forensic investigations. Whether you're running PSRecon or any other script, SentinelOne makes it a breeze.

-------------------------------------------------------------------------------------------------------------

Using KAPE with SentinelOne: Step-by-Step Guide

One of my favorite features of SentinelOne is how seamlessly it integrates with tools like KAPE (Kroll Artifact Parser and Extractor). Let's dive into how to set this up, whether or not you have an SFTP server for artifact storage.

Overview

In SentinelOne, to run KAPE, you need:
- A script to invoke KAPE.
- KAPE itself, zipped together with the required script. (Very Important)

Two Scenarios
- Without an SFTP Server: artifacts are stored locally on the endpoint, and you'll need the client to share the output manually.
- With an SFTP Server: artifacts are uploaded directly to the SFTP server for easy access.

Scenario 1: Without SFTP Server

Script 1: run.ps1
This script invokes another script (NoSFTPserver.ps1) from the SentinelOne environment.

Script 2: invoke.ps1
This script runs KAPE, specifying the collection and output paths.

What It Does:
- Runs KAPE using the specified compound or target.
- Saves the collected artifacts as a .zip file in C:\output.

Prepare KAPE Package
- Place invoke.ps1 inside the KAPE folder.
- Zip the entire KAPE folder, including the script.

Upload the Scripts
- Go to SentinelOne → Automation → RemoteOps → Upload Script.
- Upload the run.ps1 script.
Run the Script
- Navigate to Sentinels → Endpoints.
- Select the target endpoint.
- Go to Actions → Run Script.
- Select the run.ps1 script and execute it.

Artifact Retrieval:
- The artifacts will be saved in C:\output on the client endpoint.
- Ask the client to share these files with you for analysis.

Scenario 2: With SFTP Server

If you have an SFTP server, you only need to modify the invoke.ps1 script to include the SFTP upload parameters.

Modified invoke.ps1 Script

Add the parameters below to the script.

Additional Parameters:
- --scs [server]: SFTP server address.
- --scp 22: port (default is 22 for SFTP).
- --scu [user]: username.
- --scpw [pwd]: password.

-------------------------------------------------------------------------------------------------------------

Why This Is Great
- Ease of Use: uploading and running scripts in SentinelOne is straightforward and efficient.
- Flexibility: works for Windows, macOS, and Linux endpoints.
- Customizable: you can use or modify scripts as needed for your specific requirements.

If you want to learn more about KAPE itself, including its detailed functionality, check out my articles under the Tool Hub tab on my website.
https://www.cyberengage.org/services-9

-------------------------------------------------------------------------------------------------------------

Automation with SentinelOne: Streamlining Artifact Collection After a Malicious Alert

Imagine this scenario: an attack is detected on a server protected by SentinelOne. With prepared automation, you don't waste a single moment. As soon as the malicious alert is triggered, SentinelOne automatically executes a script like PSRecon or KAPE to collect forensic artifacts.

The Power of Automation in Incident Response

Key Benefits
- Time Efficiency: no manual intervention is required to initiate artifact collection.
- Complete Artifact Coverage: immediate collection ensures no critical data is lost or overwritten.
- Faster Analysis: you get the artifacts right away for deeper investigation.
- Customizable Workflows: you can configure scripts tailored to your investigation needs.

Setting Up Automation in SentinelOne

Step 1: Go to the Marketplace
- Navigate to the SentinelOne Marketplace in the console.
- Search for the Remote Ops Automation package.
- Click Install.

Step 2: Configure the Automation Trigger
- Define when the automation should run. Example: trigger the automation when an alert is marked as "True Positive."
- Select the script (ID) to be executed. You can use the psrecon.ps1 (ID) script (or any custom script).

Step 3: Specify the Output Location
- Output will be available in the Activity Tab of the SentinelOne console.
- Scripts can save the output locally (on the endpoint) or transfer it to an SFTP server, depending on your script configuration (like KAPE).

Example: PSRecon Automation

How It Works
- Malicious Alert Detected: SentinelOne flags suspicious activity (an analyst determines it is a true positive and marks the threat as such).
- Automation Triggered: your PSRecon script automatically runs on the affected endpoint.
- Artifacts Collected: all artifacts (like registry, event logs, and more) are gathered without delay.
- Output Location: download the artifacts from the Activity Tab of the console or from the SFTP server.

Results

After automation:
- Artifacts are readily available: download them directly from the Activity Tab.
- Faster Analysis: the immediate availability of artifacts speeds up the forensic process, letting you focus on understanding and mitigating the attack.

-------------------------------------------------------------------------------------------------------------

Why SentinelOne is Amazing

The seamless integration of automation with tools makes SentinelOne a game-changer. Instead of wasting time setting up manual artifact collection, everything happens instantly and efficiently. With SentinelOne, incident response is not just about detection; it's about taking immediate action to gather critical evidence and enabling rapid analysis.
See how awesome this is? Automation + Artifact Collection = Total Control!

-------------------------------------------------------------------------------------------------------------

Stay tuned for the next article, where we'll dive into the last article—a truly exciting topic! Until then, keep learning and growing. See you soon! 😊

-------------------------------------------------------------------------------------------------------------
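For the two KAPE scenarios described above (local C:\output versus SFTP upload via --scs/--scp/--scu/--scpw), here is an added example of what invoke.ps1 can look like; it is my own illustration, not the author's script or SentinelOne's code. It assumes kape.exe sits in the same folder as the script (the zipped KAPE package) and that the post's run.ps1 wrapper calls it; the target name, paths and all SFTP values are placeholders.

```powershell
# invoke.ps1 - added example, not the post's original script.
# Assumes run.ps1 has unpacked the KAPE package and calls this script from inside it,
# so kape.exe sits next to this file. KAPE itself must run elevated.
# Target, paths and SFTP values below are placeholders, not values from the post.
param(
    [string]$Target       = 'KapeTriage',  # KAPE target or compound target to collect
    [string]$Source       = 'C:',          # drive to collect from
    [string]$OutputDir    = 'C:\output',   # where the .zip lands on the endpoint (Scenario 1)
    [string]$SftpServer   = '',            # set this to switch on Scenario 2 (SFTP upload)
    [int]   $SftpPort     = 22,
    [string]$SftpUser     = '',
    [string]$SftpPassword = ''
)

$KapeExe = Join-Path $PSScriptRoot 'kape.exe'
if (-not (Test-Path -LiteralPath $KapeExe)) {
    throw "kape.exe not found next to invoke.ps1: $KapeExe"
}
if (-not (Test-Path -LiteralPath $OutputDir)) {
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
}

# Name the archive after host and UTC timestamp so collections from several
# endpoints never overwrite each other, locally or on the SFTP server.
$ZipName = '{0}_{1:yyyyMMdd_HHmmss}' -f $env:COMPUTERNAME, (Get-Date).ToUniversalTime()

# Scenario 1: collect the target from $Source into $OutputDir and zip it.
$KapeArgs = @(
    '--tsource', $Source,
    '--tdest',   $OutputDir,
    '--target',  $Target,
    '--zip',     $ZipName
)

# Scenario 2: append the SFTP parameters the post lists (--scs/--scp/--scu/--scpw)
# only when a server is configured, so one script serves both scenarios.
if ($SftpServer) {
    if (-not $SftpUser -or -not $SftpPassword) {
        throw 'SftpUser and SftpPassword are required when SftpServer is set'
    }
    $KapeArgs += @(
        '--scs',  $SftpServer,
        '--scp',  $SftpPort,
        '--scu',  $SftpUser,
        '--scpw', $SftpPassword  # travels on the command line: use a dedicated, upload-only SFTP account
    )
}

# Echo the exact command line, with the password masked, because this output
# is what you will read back in the SentinelOne task output.
$Display = for ($i = 0; $i -lt $KapeArgs.Count; $i++) {
    if ($i -gt 0 -and $KapeArgs[$i - 1] -eq '--scpw') { '********' } else { $KapeArgs[$i] }
}
Write-Output ('Running: {0} {1}' -f $KapeExe, ($Display -join ' '))

& $KapeExe @KapeArgs
if ($LASTEXITCODE -ne 0) {
    throw "KAPE exited with code $LASTEXITCODE"
}

# Summarise what was produced so the analyst knows where to look.
Get-ChildItem -LiteralPath $OutputDir -Filter '*.zip' -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Output ('Archive: {0} ({1:N0} bytes)' -f $_.FullName, $_.Length) }
if ($SftpServer) {
    Write-Output ('Upload requested to {0}:{1} as {2}' -f $SftpServer, $SftpPort, $SftpUser)
}
```

Running it with no -SftpServer reproduces Scenario 1 exactly (zip left in C:\output for the client to share); passing -SftpServer, -SftpUser and -SftpPassword turns it into the Scenario 2 script without editing the KAPE command line by hand.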

  • Welcoming the New Year: A Time for New Beginnings and Endless Possibilities

    As we close the chapter on another year, it's time to look ahead with excitement, hope, and optimism. The New Year is not just a date on the calendar—it's a fresh start, a blank page waiting to be filled with new memories, challenges, and achievements. Whether you're looking forward to personal growth, professional success, or simply enjoying the little moments, this time of year offers a perfect opportunity to reflect, reset, and reimagine what's possible.

    Looking Forward: The Future is Bright

    The New Year is a canvas, and you hold the brush. The opportunities are limitless, and with the right mindset, every day can bring new possibilities. It's an exciting time to dream big and chase those dreams with passion and perseverance. No matter where you are in your journey, the New Year gives us all the chance to begin again. Remember, success isn't defined by perfection but by progress. Small steps taken consistently will lead to significant change over time. So, let's embrace the unknown and welcome 2025 with open arms and hearts full of hope.

    A Message of Gratitude to My Readers

    As we step into this new chapter, I want to take a moment to express my heartfelt gratitude for your continued support. Your engagement, feedback, and trust have made this past year truly special. I am excited to continue this journey with you in the New Year and am committed to bringing you even more valuable content, inspiration, and updates. Here's to another year of growth, connection, and shared success!

    Wishing you a joyful, prosperous, and fulfilling New Year. May 2025 bring you closer to your dreams and fill your life with happiness and love. Happy New Year!

  • SentinelOne(P7- Activity/Reports): A Practical Guide/A Practical Training

    Let's dive into two key sections of SentinelOne's console: the Activity Tab and the Reports Tab.

    Activity Tab: The Console's Audit Log

    Think of the Activity Tab as a comprehensive logbook for the management console. It records every action and change made, providing a clear audit trail of events. Here's what it does:
    - User Actions: tracks which users logged into the console and when. Records actions like changes made to endpoints, policy modifications, exclusions added, and blocklists updated.
    - Log Fetching: when you fetch logs from endpoints, the Activity Tab becomes your go-to place. The logs are delivered in a ZIP format, making it easy to analyze them offline.

    In simple terms, the Activity Tab serves as the management console's audit log, giving you transparency over everything happening in the console.

    Pro Tip: fetching endpoint logs will be covered in more depth in the upcoming article on automation; just remember that this tab is where the results will land.

    Reports Tab: Scheduled or On-Demand Reporting

    The Reports Tab is designed for generating insights in either a scheduled or on-demand manner.
    - Scheduled Reports: set it up to generate recurring reports for routine analysis.
    - One-Time Reports: create reports as needed for specific purposes or investigations.

    The screenshot above gives a glimpse of the kind of reports you can generate.

    Honest Opinion: personally, I've found SentinelOne's reports to be less impressive compared to its other features. That said, reports are subjective—you might find them useful depending on your specific needs. So, I encourage you to explore this feature and decide if it suits your workflow.

    That's all for now on the Activity and Reports tabs. These tools may seem straightforward, but they hold valuable information for both forensic and operational tasks.

    Stay tuned for the next article, where we'll dive into logs and automation—a truly exciting topic! Until then, keep learning and growing. See you soon! 😊

  • SentinelOne(P6- ISPM/Application Management): A Practical Guide/A Practical Training

    Before diving into the new chapter on Applications, I want to highlight Identity. While these features are undoubtedly promising, I haven't yet configured or tested them. Rest assured, as soon as I get the opportunity to explore them, I'll provide a detailed explanation.

    -----------------------------------------------------------------------------------------------------------

    If you ask me: What is Identity Security Posture Management (ISPM)?

    Identity Security Posture Management (ISPM) is a proactive framework designed to secure an organization's digital identities. By managing privileges, authentication methods, and access rights, ISPM minimizes identity-related risks such as breaches and unauthorized access.

    Why is ISPM Critical?
    - Identity-focused threats: most breaches stem from compromised identities. ISPM addresses risks like stolen credentials, privilege misuse, and insider threats.
    - Prevention over reaction: proactively secures identities, reducing the likelihood of breaches.

    Core Components of ISPM
    - Identity and Access Management (IAM): controls access to resources based on roles and contexts.
    - Privileged Access Management (PAM): enforces least privilege and audits privileged sessions.
    - Identity Governance and Administration (IGA): automates identity life cycles, ensuring compliance and preventing unauthorized access.
    - Identity Analytics and Risk Intelligence (IARI): detects abnormal access behaviors using analytics and machine learning.

    Configuring ISPM

    To implement ISPM in Sentinel One, you need to configure an application:

    Step 1: Register an Application in Azure
    Follow the detailed guide below to configure your app in Azure Active Directory.
    https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=certificate

    Output Example

    Once configured, the system can provide detailed insights. For instance:
    - Identify vulnerable objects (e.g., domain controllers, unwanted shares, or stored sensitive files).
    - Detailed information such as:
      - Object Type: (e.g., file, server, account).
      - Name: the specific resource at risk.
      - SAM Account Name: the Security Account Manager (SAM) identifier.

    Additional Insights

    For each vulnerability, the system offers recommendations on how to resolve it effectively.

    Why ISPM Is Awesome

    By integrating ISPM, organizations can proactively address identity vulnerabilities, automate risk detection, and strengthen their security posture effortlessly.

    -------------------------------------------------------------------------------------------------------------

    Let's move on to the next feature, Applications—a cornerstone of SentinelOne's capabilities.

    The Application Management feature in SentinelOne gives you a clear and detailed view of all third-party applications on your endpoints, along with the risks they pose. In this tab you get three main features:

    Application Inventory

    SentinelOne scans your endpoints and compiles a list of all detected third-party applications, showing you their publishers and versions (when available). Here's how the scanning works for different platforms:
    - Windows: reads application data from the registry.
    - macOS: uses Spotlight's indexed data.
    - Linux: checks installed software via DPKG and RPM packages.

    You can either:
    - Manually Scan: click Actions > Scan Now to start scanning anytime.
    - Automate Scanning: enable automatic scans to keep the inventory up to date.

    Want more details about an application? Click on it to see the endpoints it's installed on.

    Tracking Risks

    Use the Risks page to see a centralized list of risks tied to applications and their versions. Drill down into specific details, like:
    - The endpoints running a vulnerable application.
    - CVEs (Common Vulnerabilities and Exposures) linked to a specific app.

    Scan Policies

    Scanning for vulnerabilities is off by default. You'll need to enable it in the Scan Policy settings. Once enabled, you can run manual or automatic scans.
    Scanning Options:
    - Vulnerability and Application Scans: detect new software or endpoints, update daily vulnerability data, and dynamically map CVEs.
    - Extensive Scans: check for missing patches and OS vulnerabilities (requires a Vulnerability Management Add-On).

    -------------------------------------------------------------------------------------------------------------

    Wrapping Up the Applications Feature

    In essence, the Applications feature in SentinelOne acts as a streamlined tool for managing software within your environment. While it functions somewhat similarly to vulnerability scanning, its true value lies in providing an overview of application deployment and potential risks. Here's why it's worth using:
    - Visibility into Installed Applications: it lets you easily identify which applications are installed across your endpoints, saving time when performing assessments.
    - Vulnerability Insights: a significant use case is tracking vulnerabilities linked to specific applications. For instance, if a critical vulnerability emerges, you can quickly determine how many endpoints are running the affected software.
    - Post-Attack Analysis: after an attack, this feature can help assess the scope of potential application-based exploitation, aiding in understanding and mitigating the damage.

    While its utility might feel more "standard" compared to some of SentinelOne's advanced capabilities, I find this feature particularly helpful in vulnerability management and incident response. It simplifies identifying application-related risks, helping you prioritize and act swiftly in critical scenarios.

    I'll pause here on the Applications tab, as it's time to work on another article! Until then, keep scanning and learning. See you soon! 😊 Happy application scanning! 🚀

  • SentinelOne(P5- Incidents): A Practical Guide/A Practical Training

    When it comes to cybersecurity, Incidents in SentinelOne is where most of the action happens. This is the go-to place for SOC analysts, alert monitoring teams, and even DFIR (Digital Forensics and Incident Response) professionals like me to analyze and respond to alerts. Let's break it down step by step.

    ------------------------------------------------------------------------------------------------------------

    Hierarchy in SentinelOne: A Quick Refresher

    Before diving in, remember the hierarchy structure in SentinelOne that governs what alerts you can see. It works just like we discussed in other articles:
    - Group Level: you only see alerts related to endpoints within that group.
    - Site Level: you see alerts for all groups under that site.
    - Account Level: you see alerts across all sites and groups under your organization.

    Example

    Imagine a company named ABC:
    - ABC has two sites: London and Melbourne.
    - London contains two groups: CD and FS.
    - Melbourne contains two groups: EF and GS.

    If you're working at:
    - Group Level (EF): you'll see alerts only for endpoints in EF: Global > ABC > Melbourne > EF
    - Site Level (Melbourne): you'll see alerts for EF and GS: Global > ABC > Melbourne
    - Account Level (ABC): you'll see alerts for all endpoints across both sites (London and Melbourne): Global > ABC

    Easy, right? This hierarchy is key to understanding where to find and analyze alerts.

    ------------------------------------------------------------------------------------------------------------

    At the top of the tab, you'll find a filtering section that allows you to apply various filters to refine your view based on specific criteria. Additionally, there is a free-text search option for quick and flexible searching. These features are straightforward and intuitive, requiring no detailed explanation.
    ------------------------------------------------------------------------------------------------------------

    Incidents Tab Overview

    When you open the Incidents tab, you'll notice two key sections:
    - Threats
    - Alerts

    Let's explore each of these tabs.

    ------------------------------------------------------------------------------------------------------------

    Before diving deeper, I often encounter a common question: "If the file is legitimate and the hash is clean, why does SentinelOne flag it?"

    My response is simple yet important to understand—SentinelOne operates based on its advanced engine, leveraging behavioral analysis and TTPs (Tactics, Techniques, and Procedures). In such cases, certain indicators trigger detections, and SentinelOne flags the file. At this point, it's up to the analyst or security team to review the detection and determine whether it's a false positive. If it is, exclusions can be applied.

    It's important to highlight that the detection itself doesn't mean the tool is flawed—quite the contrary. SentinelOne is exceptionally capable and highly effective. However, misunderstandings often arise when users lack knowledge of its functionality. So, if a legitimate file gets quarantined, don't rush to criticize SentinelOne or any EDR solution. Instead, consider whether the detection process is being utilized and understood properly. The tool isn't at fault; it's a matter of knowing how to leverage its capabilities. SentinelOne is an outstanding solution—it just requires proper expertise to harness its full potential.

    ------------------------------------------------------------------------------------------------------------

    Threats Tab

    The Threats tab displays alerts triggered by SentinelOne's engines. These engines analyze endpoint behavior to detect malicious activity or anomalies. Alerts here are based on predefined policies.
    (We talked about engines in our Sentinels article; do check it out, link below.)
    https://www.cyberengage.org/post/navigating-sentinel-one-p4-sentinels-a-practical-guide

    Key Features:
    - If a file or activity violates a policy or is deemed malicious, it generates an alert under the Threats tab.
    - SentinelOne uses static and dynamic detection types to evaluate threats.

    Static Detection

    Static detection means the file was flagged before execution—based on its hash, signature, or other static indicators.

    What to Expect in Static Alerts:
    - Overview Tab: summarizes the alert and provides details like file path, hash, and who initiated the quarantine action.
    - Explorer Tab: empty for static alerts because the file hasn't executed yet.
    - Timeline Tab: displays event details, such as who resolved the alert or issued quarantine commands.

    Analysis Tips for Static Alerts:
    - Check the hash/path and verify if the file is signed.
    - Use Deep Visibility (if enabled) for further investigation.

    Dynamic Detection

    Dynamic detection occurs when a file or process exhibits suspicious behavior during execution. SentinelOne identifies this activity and triggers an alert.

    What to Expect in Dynamic Alerts:
    - Overview Tab: lists basic alert information.
    - Explorer Tab: if you check the Explorer Tab in the dynamic alert interface, you'll notice it provides comprehensive details presented visually, such as execution graphs (as shown in the screenshot) and detailed insights into indicators, processes, files, and related events.

    Files: this section includes information about all file-related activities, such as scheduled tasks, prefetch data, and other details related to the Windows file system. It gives a granular view of actions performed on or by files.

    Processes: A Story in Motion

    When analyzing processes, I like to think of them as storytellers. They reveal how an event unfolded, step by step. Let's take an example from the screenshot. Here's what I see:
    - A cmd command was executed.
    - That command triggered a batch script (hidden in this instance).
    - The script initiated the FreeFileSync application.
    - The process continued until SentinelOne flagged the activity.

    Since SentinelOne detected something suspicious or potentially malicious, it intervened, stopping further execution. This proactive response is the reason the malicious process couldn't proceed further.

    Additional Details You Can Derive

    Dynamic alerts also provide (these are not available in the screenshot above):
    - Registry Information: key registry changes associated with the event.
    - Network Actions: information about network activity, such as the destination IP, port details, and more.

    ------------------------------------------------------------------------------------------------------------

    Looking Ahead

    This overview gives you a strong foundation for understanding the Threats Tab and analyzing alerts effectively. While I haven't included specifics about registry or network actions in this example (as this series doesn't yet focus on alert analysis), let me know if you'd like a deeper dive into those aspects. If there's interest, I'd be happy to create a similar series dedicated to alert analysis!

    ------------------------------------------------------------------------------------------------------------

    Alerts Tab Overview

    The Alerts Tab is your central hub for monitoring all alerts generated based on the rules you've created in the backend. Here's how it works:
    - Alert Generation: if you've set up a rule to block specific files, any detection matching that rule will result in the file being blocked, and you'll see an alert in the Alerts Tab. If the rule is set to detect-only mode, the system will flag the file as detected without blocking it and still generate an alert for your review.
    - Taking Action: once an alert is triggered and appears in the Alerts Tab, you can decide what action to take directly from the backend.
    For example, as shown in the screenshot, you can block, isolate, or further investigate the detected threat.

    Pro Tip: Use STAR Custom Rules

    From the very beginning, I've emphasized the importance of STAR Custom Rules. These rules allow you to go beyond just responding to SentinelOne's out-of-the-box detections. By building your own comprehensive detection rules, you can:
    - Tailor detections to your organization's unique needs.
    - Proactively identify threats specific to your environment.
    - Gain maximum value from SentinelOne by leveraging its full potential.

    ------------------------------------------------------------------------------------------------------------

    Important Points About Handling Alerts in SentinelOne

    Why Some Alerts Aren't Quarantined: occasionally, you may notice alerts under a Protect policy that should have triggered a quarantine action but didn't. This can happen for several reasons, such as:
    - The endpoint was offline when the alert occurred.
    - Network connectivity issues prevented the quarantine command from being executed.

    In such cases, if you determine the file is malicious, ensure you manually issue the quarantine command from the backend. Always verify the action has been applied successfully.

    Handling False Positives and File Recovery: if SentinelOne mistakenly quarantines a legitimate file due to a false positive, it's possible to recover the file using the unquarantine command. However, there are critical steps to follow:
    - Whitelist First: before unquarantining, add the file to the whitelist using its hash or path. This prevents the same file from being flagged and quarantined again.
    - Check File Integrity: be cautious; in some cases, quarantined files may become corrupted during the process. If the file is critical, test its integrity immediately after recovery to ensure it's usable.
    About unquarantine failures: I was facing the issue earlier, but now it's sorted out, so I think we are good and this is not happening anymore. The tip above still applies: whitelist first, then unquarantine, is the best method.

    The Importance of Indicators in SentinelOne: SentinelOne's Indicators are a crucial aspect of threat analysis. Unlike some tools where indicators are merely informational, in SentinelOne they often provide actionable insights. For example, if an alert doesn't seem overtly malicious but includes an indicator like Pass-the-Hash Attack, treat it seriously. Fetch additional logs, analyze thoroughly, and escalate if necessary. Indicators can reveal subtle or advanced malicious activity that might otherwise be missed.

    Pro Tip: trust the indicators and investigate thoroughly, even when the rest of the alert looks benign. From experience, indicators in SentinelOne often lead to uncovering hidden or sophisticated threats.

    ------------------------------------------------------------------------------------------------------------

    I'll pause here on the Incidents tab, as it's time to work on another article! Until then, keep hunting and learning. See you soon! 😊 Happy Hunting! 🚀

  • SentinelOne(P4- Sentinels): A Practical Guide/A Practical Training

    Welcome back to the SentinelOne journey! Today, we're diving into the Sentinels Tab, one of the most critical components of the SentinelOne console. This is the workspace where administrators spend most of their time managing endpoints, configuring policies, and ensuring their organization stays secure. I'll walk you through the key features and functionalities, share some practical examples, and sprinkle in some of my personal tips to make your experience even smoother.

    -------------------------------------------------------------------------------------------------------------

    The Top Strip: Where It All Begins

    Endpoints

    This is where it all starts. The Endpoints section displays all the devices with SentinelOne agents installed. From here, you can monitor and manage every endpoint in your environment. Once an agent is installed, the console provides a treasure trove of information (the features and actions below are only a selection; there are more tasks you can perform, so do check it out; I have listed only a few):
    - Application inventory
    - Cloud connectivity details
    - Agent version
    - Last reboot time
    - Visible IPs

    What Can You Do?

    SentinelOne allows administrators to perform various actions on endpoints, such as:
    - Rebooting devices
    - Updating the agent
    - Running scans
    - Disconnecting/reconnecting to the network
    - Troubleshooting issues

    Cool Features I Love
    - Permission Alerts: if the agent is not installed correctly (e.g., on macOS, where you need to grant full-disk access), the console flags this issue directly on the Endpoints Page, helping you fix it quickly.
    - Uninstallation Requests and Tamper Protection: SentinelOne's anti-tamper feature ensures that agents cannot be uninstalled without proper authorization. If anti-tamper is off, an admin or executable can uninstall the agent. If anti-tamper is on, no one—not even admins—can uninstall the agent unless a request is raised.

    Pro Tip: always reject uninstallation requests unless absolutely necessary.
    Filtering Endpoints

    What if you're managing thousands of endpoints? Do you have to check each one manually? Absolutely not! SentinelOne provides filters to help you zero in on endpoints with specific issues or pending actions.

    If I get the opportunity and there's enough interest, I'd be happy to create a detailed article on each filter available in SentinelOne's Endpoint section. This would include an in-depth exploration of the various capabilities and functionalities related to endpoint management. For now, let's proceed and focus on the key aspects without diving into extensive details.

    -------------------------------------------------------------------------------------------------------------

    Next: Identity Policy

    This is a relatively new feature, and I haven't tested it extensively yet. But here's what I know so far:

    Singularity™ Identity Detection & Response

    This feature defends your Active Directory (AD), Entra ID (formerly Azure AD), and domain-joined assets against credential misuse and privilege escalation.

    Core Features:
    - Active Directory Defense: detects attacks targeting AD and Entra ID from managed, unmanaged, or IoT devices. Protects privileged credentials by hiding them from attackers and replacing them with decoys.
    - Lateral Movement Prevention: uses cloaking technology to make lateral movement exceedingly difficult for attackers. Identifies and blocks misconfigurations in Access Control Lists (ACLs).
    - Visibility and Control: visualizes paths attackers might use to advance their attacks. Maps exposed assets, orphaned credentials, and policy violations.

    This feature integrates seamlessly with Zero Trust strategies and is designed to reduce identity-based attack surfaces.

    -------------------------------------------------------------------------------------------------------------

    Next: Tags: Custom Labels for Endpoints

    Tags are a simple but powerful way to organize and filter endpoints.
Each tag consists of a key and value pair, allowing you to:
- Create dynamic groups
- Build dashboard widgets

Scope of Tags
- Tags created at the Account level are available across all Sites and Groups under that account.
- Tags created at the Site level are restricted to that specific site.

-------------------------------------------------------------------------------------------------------------

Next: Unprotected Endpoints and Cloud Rogues

Unprotected Endpoints

This feature highlights endpoints that are not protected by SentinelOne agents. It's part of the Network Discovery feature, which I've covered in a separate article. You can check it out at the link below:
https://www.cyberengage.org/post/sentinel-one-p3-network-discovery-a-practical-guide

Cloud Rogues

This new feature is part of SentinelOne's Cloud Workload Security (CWS). I haven't tested it extensively yet, but here's what I know. It continuously monitors your cloud environment (e.g., AWS) to:
- Inventory unprotected virtual machines (VMs).
- Identify newly created VMs in real time.

Administrators can then deploy the SentinelOne CWS agent on these unprotected machines. Currently, Cloud Rogues supports Amazon EC2 and related services (ECS, EKS), with plans to expand to other CSPs like Azure and Google Cloud.

I'm sharing this article for you to check out: Feature Spotlight: Auto-Discover Unprotected Amazon EC2 Instances with Cloud Rogues.

If I get the chance to test this feature in the future, I'll provide an update. Similarly, if you've already tested it or have any feedback, feel free to share it with me. I'd be happy to incorporate your insights into this article to make it even more comprehensive.

-------------------------------------------------------------------------------------------------------------

Next: Policies: The Backbone of SentinelOne

The Policy section is arguably the most critical part of the SentinelOne console.
Understanding how policies work—and the hierarchy they follow—is essential for effective configuration.

Hierarchy Recap
- Changes made at the Account level are inherited by all Sites and Groups.
- Changes made at the Site level are inherited by Groups under that Site.
- Group-level changes do not affect the broader Site or Account.

Scenario Example:
- Default Policy: If you've just set up a new SentinelOne console or server, enable inheritance for smooth policy implementation across all sites/groups.
- Custom Policies: If a client has two sites, e.g., London and US, requiring different policies, make changes at the Site level. For example, create one policy for London and another for the US by editing the specific site's configuration.

Policy Modes

Policies in SentinelOne operate in two modes:
- Detect Mode: Identifies threats but takes no action. No files are quarantined, killed, or remediated.
- Protect Mode: Automatically responds to threats based on your chosen Protect Level.

Protection Actions Explained:
- Kill: Stops all processes related to the threat.
- Quarantine: Moves the threat and any associated files to a secure, encrypted location.
- Remediate: Deletes all files and system changes caused by the threat. It also executes Kill and Quarantine if they were not completed earlier. Important: With Remediate, files are deleted and cannot be unquarantined.
- Rollback (Windows only): Uses Volume Shadow Copy Service (VSS) to restore the system to a previous snapshot, reversing ransomware damage. Sequence: Remediation must complete successfully before rollback can occur. Snapshots are automatically created every four hours, making rollback a powerful feature for disaster recovery.

Pro Tip: Rollback is invaluable for ransomware recovery. SentinelOne creates snapshots every four hours by default.

Macro Mitigation

This feature allows you to mitigate malicious macros within Excel files.
However, SentinelOne can be noisy in this regard, and enabling this feature might render Excel files unusable. It's recommended to handle this cautiously. For me, quarantining Excel files is more useful than outright deleting macros, because you can get the Excel file back, but a deleted macro is gone.

Containment

When enabled alongside Protect Mode, this feature isolates the endpoint if a threat is detected. It works in conjunction with the chosen Protection Level (e.g., Remediate).

Example: Protect Mode with Protection Level: Remediate

When the policy is set to Protect and the Protection Level is configured as Remediate, the following actions are triggered for any detected threat:

Automatic Remediation:
- The malicious file is identified and automatically remediated by deleting the file and undoing its changes on the system.
- Any associated processes are terminated to ensure the threat is neutralized.

Endpoint Containment (if enabled):
- The affected endpoint is isolated from the network to prevent further spread or lateral movement of the threat.
- This is especially useful for ransomware scenarios, as it stops the attack in its tracks.

Caution: False Positives

While such automation is extremely helpful, there are risks to consider:
- Like any security tool, SentinelOne can occasionally misidentify legitimate files as malicious (false positives).
- If a legitimate business-critical file is mistakenly remediated, it may cause operational disruptions.

Robust Detection via Multiple Engines

SentinelOne employs a multi-layered detection mechanism to handle modern threats, including zero-day attacks. Even if one engine misses a threat, others are designed to catch it. Here are the primary engines:
- Reputation Engine: Matches file hashes against known malicious and trusted files from global databases.
- Static AI: Examines file characteristics without execution to identify threats.
- Behavioral AI: Monitors runtime activities to detect anomalous or malicious behaviors.
- Anti-Exploitation/Fileless Protection: Focuses on memory-based and script-based attacks.
- Lateral Movement Detection: Identifies attempts to spread across the network.
- Identity Detection (Singularity™): Guards against identity-based attacks on Active Directory environments.

Each engine contributes to a robust defense system, ensuring minimal gaps in threat detection.

Moving On to the Second Part of the Policy

Each toggle on this screen is self-explanatory, providing a description of its function.

Deep Visibility & Identity Settings

These configurations relate to SentinelOne's Identity Policy. Administrators can choose pre-configured settings or customize them based on their specific environment's needs. This flexibility allows for precise control over how identity-related threats and anomalies are managed.

Binary Vault

This feature automatically uploads executable files to SentinelOne's cloud for analysis.
- Malicious files are retained for one year.
- Benign files are retained for 30 days.

Remote Ops Scripts

This setting lets administrators define scripts to be executed remotely on endpoints. While the specifics can be customized now, I'll provide more details later in upcoming articles.

Decommission & Remote Shell

These features provide advanced administrative capabilities:
- Decommission: Safely removes endpoints from SentinelOne management once they have been offline for the number of days you select.
- Remote Shell: Enables secure remote access to an endpoint for troubleshooting or manual remediation.

-------------------------------------------------------------------------------------------------------------

Next: The Star of the Show: Custom Rules

Creating custom rules in SentinelOne is like crafting the perfect weapon for your defense arsenal. This is where you take control—a level of customization no AI-generated rule can match. Why? Because your organization's threats and environment are unique.
What to Know About Custom Rules:
- Hierarchy is key: Rules can only be created at Account Level or Site Level. A Site-level rule applies to all groups under it, while an Account-level rule cascades down to all sites and groups. There's no Group-level rule creation—remember that!
- Policy-based actions: For example, if a malicious file is detected, you can configure the rule to take an action like terminate, quarantine, or even notify the team.

For the Techies:

Let's say you're hunting PowerShell behavior. A deep visibility query might look like this:

This query checks for PowerShell making outbound connections to public IPs. Once tested in Deep Visibility, you can create a Star custom rule using this same query to generate alerts or take action whenever it triggers.

For Non-Technical Users:

No worries—SentinelOne's Purple AI assistant can simplify the query for you. Paste the query into Deep Visibility, test it, and use it in your rule. No coding degree needed!

-------------------------------------------------------------------------------------------------------------

Next: Blocklist: The Gatekeeper

This tab is straightforward—you can block malicious SHA1 hashes. However, no MD5 or SHA256 hashes are allowed, nor paths. Frustrating? Not really! Use Star custom rules to block paths or filenames. Flexibility is the game here.

-------------------------------------------------------------------------------------------------------------

Next: Exclusions: Be Cautious!

Exclusions are where things get tricky. Think of it like this: every exclusion is a gate you open for potential attackers. Always:
- Start with hash-based exclusions before moving to path-based ones.
- Avoid broad exclusions like file types or browser categories. (Very important)

Pro Tip: To exclude a specific file across all drives, use:
\Device\HarddiskVolume*\\.exe
It's better than manually excluding each drive path!
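The Account → Site → Group scoping that policies, tags, custom rules and exclusions all follow, modelled as an added example (Python written for this article, not SentinelOne code; the tenant, site and group names, endpoint names and excluded paths are constructed). It also shows the dedicated-group workaround for an exclusion that should affect only one endpoint, since there is no endpoint-level exclusion, and a small audit helper that answers "which level introduced this exclusion?".

```python
# Added example, not SentinelOne's code: a small model of the Account -> Site -> Group
# scoping that policies, exclusions and custom rules follow in the console.
# Tenant names, group names, endpoint names and the excluded paths are constructed.
from dataclasses import dataclass, field
from typing import List, Optional

EXCLUSION_LEVELS = ("account", "site", "group")   # exclusions: any of the three levels
CUSTOM_RULE_LEVELS = ("account", "site")          # custom (Star) rules: no Group level


def allows_custom_rules(level: str) -> bool:
    return level in CUSTOM_RULE_LEVELS


@dataclass
class Scope:
    """One node of the hierarchy; everything defined here is inherited downwards."""
    name: str
    level: str
    parent: Optional["Scope"] = None
    exclusions: List[str] = field(default_factory=list)
    custom_rules: List[str] = field(default_factory=list)
    endpoints: List[str] = field(default_factory=list)   # only groups hold endpoints

    def add_exclusion(self, path: str) -> None:
        if self.level not in EXCLUSION_LEVELS:
            raise ValueError(f"no exclusions at {self.level!r} level")
        self.exclusions.append(path)

    def add_custom_rule(self, name: str) -> None:
        if not allows_custom_rules(self.level):
            raise ValueError("custom rules exist only at Account or Site level")
        self.custom_rules.append(name)

    def lineage(self) -> List["Scope"]:
        """[account, site, group] for a group: broadest scope first."""
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain[::-1]


def effective_exclusions(group: Scope) -> List[str]:
    """Everything an endpoint in `group` inherits: Account, then Site, then Group entries."""
    return [p for scope in group.lineage() for p in scope.exclusions]


def effective_rules(group: Scope) -> List[str]:
    return [r for scope in group.lineage() for r in scope.custom_rules]


def where_defined(group: Scope, path: str) -> Optional[str]:
    """Audit helper: which level introduced this exclusion for endpoints in `group`?"""
    for scope in group.lineage():
        if path in scope.exclusions:
            return f"{scope.level}:{scope.name}"
    return None


def exclude_on_single_endpoint(site: Scope, endpoint: str, path: str) -> Scope:
    """The workaround from the article: there is no endpoint-level exclusion, so move the
    endpoint into a dedicated group and define the exclusion at Group level."""
    dedicated = Scope(f"{endpoint}-only", "group", parent=site, endpoints=[endpoint])
    dedicated.add_exclusion(path)
    return dedicated


def build_demo_tenant():
    """Constructed tenant: one account, London and US sites, one group under each."""
    account = Scope("Acme", "account")
    london = Scope("London", "site", parent=account)
    us = Scope("US", "site", parent=account)
    london_srv = Scope("London-Servers", "group", parent=london, endpoints=["LON-SQL01"])
    us_ws = Scope("US-Workstations", "group", parent=us, endpoints=["NYC-WS07"])
    account.add_exclusion(r"C:\Program Files\CorpBackup\backup.exe")   # constructed path
    london.add_exclusion(r"C:\LondonApp\legacy.exe")                   # constructed path
    london_srv.add_exclusion(r"D:\SQL\sqlservr.exe")                   # constructed path
    account.add_custom_rule("PowerShell outbound to public IPs")
    london.add_custom_rule("London-only rule")
    return account, london, us, london_srv, us_ws


if __name__ == "__main__":
    account, london, us, london_srv, us_ws = build_demo_tenant()
    print(effective_exclusions(london_srv))   # account + site + group entries
    print(effective_exclusions(us_ws))        # only the account-level entry
    print(where_defined(london_srv, r"C:\LondonApp\legacy.exe"))   # site:London
    single = exclude_on_single_endpoint(us, "NYC-WS07", r"C:\Tools\special.exe")
    print(effective_exclusions(single), effective_exclusions(us_ws))
```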
SentinelOne gives you control over how you want to perform the exclusion, or, I would say, lets you choose the sensitivity of the exclusion.

Another thing to keep in mind is Extended Exclusions and Reboot Requirement: for exclusions like interoperability-extended or performance focus-extended, a system reboot is required to apply changes.

My recommendation: always use the suppress alert exclusion mode.

It's important to note that exclusions in SentinelOne follow a hierarchy and do not support endpoint-based exclusions directly. Exclusions can only be applied at the following levels:
- Account Level: Exclusions are applied across all sites and groups under the account.
- Site Level: Exclusions are applied to all groups within the specific site.
- Group Level: Exclusions are applied to all endpoints within the specific group.

Because endpoint-level exclusions are not supported, it is not possible to configure exclusions for a specific endpoint.

Solution

If you need to apply exclusions for a single endpoint, here's a workaround:
1. Create a new group: Move the specific endpoint into a new group.
2. Apply exclusions at the group level: Configure the exclusion for that group, ensuring that only the selected endpoint is affected.

This approach helps achieve endpoint-level exclusions indirectly, while maintaining compliance with SentinelOne's exclusion hierarchy.

-------------------------------------------------------------------------------------------------------------

Next is: Network Control: Firewall and Network Quarantine

SentinelOne's firewall gives you fine-grained control over network traffic. But should you enable it? Here's my take:

If your organization is already using a robust primary firewall (e.g., Palo Alto, Fortinet, etc.) as the primary network firewall, and Windows has its own built-in firewall (Windows Defender Firewall), there may not be a strong need to enable SentinelOne's firewall.
- As SentinelOne is primarily an EDR/XDR solution, enabling its firewall could add unnecessary complexity to your setup.
- Enabling SentinelOne's firewall takes precedence over Windows Defender Firewall, as it is integrated into the SentinelOne Agent.
- Managing both the SentinelOne firewall and your primary firewall can become cumbersome, especially if you lack resources for proper configuration and monitoring.

Recommendation: If your organization is already managing firewalls effectively, it's better to disable the SentinelOne firewall to avoid increasing the administrative workload.

In some cases you may not want to listen to me and want to enable the firewall. Then here is what you should keep in mind about traffic flow:

When traffic enters or exits an endpoint, the SentinelOne Agent enforces rules as per the configured Firewall Policy:
- The rules are applied in top-down order, meaning the first matching rule determines the action.
- Block Action: The traffic is blocked immediately.
- Allow Action: The traffic is permitted to proceed.

For quarantined devices, the Network Quarantine feature shines

SentinelOne's network quarantine is an excellent feature that allows you to isolate a compromised device while still maintaining connectivity for administrative purposes.
- Pre-Configuration: It's advisable to configure this feature during initial setup so it's ready to use in case of an incident.
- Benefit: There's no need to reconfigure in the future, making it highly effective for incident response.

-------------------------------------------------------------------------------------------------------------

Next: Device Control: Lockdown Your Ports

Imagine controlling who gets USB access like a tech-savvy bouncer at a club. The Device Control feature in SentinelOne allows administrators to manage and restrict device interfaces for enhanced endpoint security. Here's a simplified explanation and example to clarify its functionality:

1. Configurable Interfaces

You can define rules to allow or block interfaces like:
- USB
- Thunderbolt
- Bluetooth

2. USB Configuration Example

Let's focus on USB as an example:
- Rule Creation: Rules can be created based on attributes like Vendor ID, Class, and Serial Number.
- Actions Available:
  - Allow and Write: Full access.
  - Read Only: Restricts write access.
  - Block: Completely disables access.

3. Additional Configurations
- Customizable Options: There are numerous USB-specific settings available for fine-tuned control.
- Rule Prioritization: Ensure rules are reordered to reflect organizational priorities, as rule order determines enforcement.

-------------------------------------------------------------------------------------------------------------

Next is: Packages: The Building Blocks

The Packages section in SentinelOne is where you can download and deploy agents for endpoints across different operating systems, including Windows, macOS, Linux, and Linux Kubernetes. Here's an overview of key points and recommendations:

1. Available Packages

You can access and download agent packages for:
- Windows: Available in .exe and .msi formats.
- Linux: Packages in .rpm and .deb formats.
- macOS
- Linux Kubernetes

2. Recommendations for Installation
- Windows: Prefer the .exe package for simplicity. Installation involves double-clicking the file and adding the token for configuration. .msi packages are also available but may require additional command-line parameters.
- Linux: Opt for the .deb package for easier installation and configuration, though .rpm is equally effective depending on your environment.
- Documentation: Refer to the Community Portal or Customer Portal for detailed installation guides specific to each OS.

3. Reboot Requirements
- Newer Agent Versions: Starting from version 23.3 and later, rebooting the endpoint after installation is no longer required.
- Older Agent Versions: A reboot may be necessary after installation.

4. Agent Updates
- Lifecycle Management: SentinelOne releases new agent versions every 3–6 months, depending on their update cycle. Keep an eye on end-of-life (EOL) or end-of-support (EOS) dates for older packages on the Community Portal. Using outdated agents may compromise performance and security, as they no longer receive updates.
- Manual Updates: Unlike some competitors like CrowdStrike, SentinelOne does not perform automatic agent updates. This manual process helps avoid issues like the infamous Blue Screen of Death caused by rushed updates in some tools.

Pro Tip: Regularly check the Community Portal for announcements and update agents proactively to ensure you receive the latest security feeds and features.

-------------------------------------------------------------------------------------------------------------

Next Is: Upgrade Policies: Set It and Forget It

Use the Auto-Upgrade Policy to keep agents updated without breaking a sweat (if you want; I do not recommend it). This ensures:
- Better security: Newer agents are more resilient to threats.
- Improved functionality: Who doesn't like shiny new features?

-------------------------------------------------------------------------------------------------------------

The Final Tab: Site Info/Account Info/Group Info (Based on the Level You Are At)

The last tab acts as your dashboard for account/site/group details. It also holds the token for agent installation.

Pro Tip: Always double-check tokens before installation to avoid misalignment of endpoints.

-------------------------------------------------------------------------------------------------------------

Parting Wisdom

SentinelOne is like a Swiss Army knife—powerful, flexible, and capable of saving the day. But with great power comes great responsibility. Here's my advice:
- Test before you deploy: Whether it's a custom rule or an exclusion, ensure it works in your test environment first.
- Document everything: A well-documented setup makes troubleshooting and audits a breeze.
- Leverage support: SentinelOne's support team is quick and helpful—don't hesitate to reach out.

I hope this guide helps you. Remember, cybersecurity is not just a job—it's a commitment to keeping the digital world safe. So go out there, configure those rules, lock down your endpoints, and be the superhero your organization needs!

I'll pause the Sentinels tab here for now, as it's time to work on another article! Until then, keep hunting and learning. See you soon! 😊

Happy SentinelOne managing! 🚀
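First-match rule ordering, which the Firewall section above describes (top-down, the first matching rule decides) and which the Device Control section relies on for rule prioritization, as an added example (Python written for this article, not SentinelOne code; the vendor IDs, serial numbers and the three-rule policy are constructed). The same three USB rules yield different outcomes depending on their order, and a small check flags rules that an earlier, broader rule shadows so they can never fire.

```python
# Added example, not SentinelOne's code: ordered, first-match rule evaluation as the article
# describes it for Firewall rules and Device Control rules. USB attribute values are constructed.
from dataclasses import dataclass
from typing import List, Optional

# Device Control actions named in the article.
ALLOW_WRITE, READ_ONLY, BLOCK = "Allow and Write", "Read Only", "Block"


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: str
    device_class: str
    serial: Optional[str] = None


@dataclass(frozen=True)
class UsbRule:
    action: str
    vendor_id: Optional[str] = None      # None means "any"
    device_class: Optional[str] = None
    serial: Optional[str] = None

    def criteria(self):
        return (self.vendor_id, self.device_class, self.serial)

    def matches(self, dev: UsbDevice) -> bool:
        """Every attribute the rule specifies must equal the device's; unspecified = wildcard."""
        return all(want is None or want == got
                   for want, got in zip(self.criteria(),
                                        (dev.vendor_id, dev.device_class, dev.serial)))

    def covers(self, other: "UsbRule") -> bool:
        """True if every device `other` matches, this rule matches too (it is at least as broad)."""
        return all(mine is None or mine == theirs
                   for mine, theirs in zip(self.criteria(), other.criteria()))


def enforce(rules: List[UsbRule], dev: UsbDevice, default: str = BLOCK) -> str:
    """Top-down evaluation: the first matching rule decides; later rules are never consulted."""
    for rule in rules:
        if rule.matches(dev):
            return rule.action
    return default


def shadowed_rules(rules: List[UsbRule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier, at-least-as-broad rule precedes
    them. Worth running before saving a policy: a shadowed rule is almost always an ordering mistake."""
    return [i for i, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:i])]


# Constructed policy: the corporate encrypted stick gets full access, other mass storage is
# read-only, everything else is blocked. Intended order: most specific first.
INTENDED = [
    UsbRule(ALLOW_WRITE, vendor_id="0781", serial="CORP-ENC-0001"),
    UsbRule(READ_ONLY, device_class="Mass Storage"),
    UsbRule(BLOCK),
]
# The same three rules with the catch-all accidentally dragged to the top.
MISORDERED = [INTENDED[2], INTENDED[0], INTENDED[1]]

CORP_STICK = UsbDevice("0781", "Mass Storage", "CORP-ENC-0001")   # constructed
RANDOM_STICK = UsbDevice("0951", "Mass Storage", "K-55231")       # constructed
WEBCAM = UsbDevice("046d", "Video", None)                          # constructed


if __name__ == "__main__":
    for dev in (CORP_STICK, RANDOM_STICK, WEBCAM):
        print(dev.serial or dev.device_class, enforce(INTENDED, dev), enforce(MISORDERED, dev))
    print("shadowed in INTENDED:", shadowed_rules(INTENDED))       # []
    print("shadowed in MISORDERED:", shadowed_rules(MISORDERED))   # [1, 2]
```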

  • SentinelOne (P3 - Network Discovery / Ranger): A Practical Guide / A Practical Training

    Welcome back to Part 3 of our exploration of SentinelOne's powerful features! Today, let's dive into one of the most fascinating and essential capabilities SentinelOne offers: Network Discovery and its closely related counterpart, Unprotected Endpoint Discovery. These two features work hand-in-hand to provide unparalleled visibility and control over your network. So, let's unpack this, step by step, as though we're in a room filled with curious cybersecurity professionals.

-------------------------------------------------------------------------------------------------------------

The Backdrop: Why Network Discovery Matters

Imagine you're the captain of a ship, navigating through uncharted waters. To ensure smooth sailing, you need a detailed map showing not just the known islands but also hidden reefs, shoals, and lurking hazards. That's exactly what Network Discovery does—it's your map of the corporate network.

With SentinelOne, Network Discovery scans your environment to identify every connected device, be it a server, endpoint, IoT device, or even an unknown gadget someone sneaked into the office. It doesn't stop at identification; it categorizes devices into Secured, Unsecured, Unsupported, and Unknown, ensuring no stone is left unturned.

-------------------------------------------------------------------------------------------------------------

What's the Difference Between Network Discovery and Unprotected Endpoint Discovery?

This is a question many people ask, and it's a good one. Here's the gist:

Unprotected Endpoint Discovery: Think of this as the "lite" version of Network Discovery. Its main focus is to scan and identify endpoints in your network that don't have the SentinelOne agent installed. It's quick, effective, and perfect for targeting vulnerable devices that need immediate attention.

Network Discovery: On the other hand, Network Discovery is the full package.
It doesn't just identify unprotected endpoints but also provides a comprehensive overview of every device in your network—including IoT devices, cameras, and more. It's like having x-ray vision for your corporate environment.

Here's the kicker: Unprotected Endpoint Discovery doesn't work unless Network Discovery is enabled. It's like the foundation upon which the unprotected endpoint feature is built.

-------------------------------------------------------------------------------------------------------------

Let's Break It Down: The Device Categories

Network Discovery classifies devices into four categories:
- Secured: Devices where the SentinelOne agent is installed and running.
- Unsecured: Devices that support the SentinelOne agent but don't have it installed yet.
- Unsupported: Devices incompatible with the SentinelOne agent (think mobile phones, tablets, or Unix systems).
- Unknown: Devices where it's unclear if they're supported by SentinelOne, often requiring manual investigation.

-------------------------------------------------------------------------------------------------------------

Walking Through the Tabs in Network Discovery

1. Devices Tab

This is where the magic happens. The Devices Tab lists all identified devices in your environment. Here's an example: imagine spotting an unsecured server. From this tab, you can do two critical things:
- Isolate the device: Cut it off from the network immediately to prevent potential threats.
- Deploy the SentinelOne agent: Right from this interface, provided you've configured your Deploy Key (we'll talk about this shortly).

Even for unsupported devices, you can still review and isolate them. The level of control here is astounding.

-------------------------------------------------------------------------------------------------------------

2. Networks Tab

This tab gives you a clear view of which endpoints are connected to which networks. It's perfect for tracking activity and understanding how devices interact within your environment.

-------------------------------------------------------------------------------------------------------------

3. Settings Tab

Configuration is key. The Settings Tab allows you to fine-tune how Network Discovery operates. SentinelOne provides some excellent recommendations to get started:
- Minimum Agents in Corporate Networks: Set this threshold close to the smallest number of agents in your corporate network. Don't go below five, to avoid scanning public or home networks that might generate noise.
- Gradual Scanning: Start by manually scanning networks from the Networks page. Enable automatic scanning gradually to avoid overwhelming the system.
- Excluding Specific IPs or Ranges: You can exclude certain addresses, like honeypots, to focus on critical devices.
- Scan Only the Local Subnet: Begin with scans limited to the local subnet of the agent. Expand this gradually to include cross-subnet scanning as needed.

Two settings might confuse some users, so let's clarify them:
- Scan Only in Scanner's Local Subnet: This limits the scan to devices within the scanner's immediate network segment.
- Auto-enable Scan of Discovered Networks: If enabled, this automatically starts scanning any newly discovered networks—hands-free!

-------------------------------------------------------------------------------------------------------------

4. Deploy Keys Tab

Before you can deploy agents to unprotected devices, you need to configure Deploy Keys. Think of this as a passkey that ensures a smooth installation process. If you ever face deployment issues, SentinelOne's documentation is an excellent resource.

-------------------------------------------------------------------------------------------------------------

Real-Life Use Case: Why It's Awesome

Let's imagine your organization has 500 devices connected to its network. Among these, you discover:
- 450 secured devices.
- 30 unsecured endpoints, some of which are critical servers.
- 10 unknown devices, possibly rogue or unauthorized.

From the Devices Tab, you isolate the unknown devices immediately. For the unsecured endpoints, you deploy the SentinelOne agent, ensuring they're protected moving forward. All this happens within minutes, minimizing risk and maximizing efficiency.

-------------------------------------------------------------------------------------------------------------

Final Thoughts

SentinelOne's Network Discovery and Unprotected Endpoint Discovery features are like having a superpower in your cybersecurity arsenal. They provide full visibility into your network, help you identify vulnerabilities, and empower you to act swiftly. With the ability to categorize devices, monitor networks, and deploy agents seamlessly, you're always one step ahead of potential threats.

Akash Patel
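The four device categories and two Settings-tab controls from this article (minimum agents per corporate network, excluded IP ranges) applied to a constructed inventory, as an added example (Python written for this article, not SentinelOne code; the device records, OS names and networks are made up, and the ten devices the use case's 450/30/10 breakdown leaves unaccounted for are modelled here as unsupported cameras):

```python
# Added example, not SentinelOne's code: applying the Network Discovery categories and
# two Settings-tab controls to a constructed inventory. All records below are made up.
import ipaddress
from collections import Counter
from typing import Dict, List

SECURED, UNSECURED, UNSUPPORTED, UNKNOWN = "Secured", "Unsecured", "Unsupported", "Unknown"

# Platforms the article treats as agent-capable, and the kinds it calls out as unsupported
# (mobile phones, tablets, Unix); cameras/printers added as further constructed examples.
AGENT_SUPPORTED = {"windows", "macos", "linux"}
AGENT_UNSUPPORTED = {"ios", "android", "unix", "ip camera", "printer"}


def classify(device: Dict) -> str:
    """Secured = agent installed; Unsecured = supported OS without an agent;
    Unsupported = known non-agent platform; Unknown = OS could not be fingerprinted."""
    if device.get("agent_installed"):
        return SECURED
    os_family = (device.get("os") or "").lower()
    if os_family in AGENT_SUPPORTED:
        return UNSECURED
    if os_family in AGENT_UNSUPPORTED:
        return UNSUPPORTED
    return UNKNOWN


def recommended_action(category: str) -> str:
    """What the article does with each category from the Devices tab."""
    return {
        SECURED: "none",
        UNSECURED: "deploy agent (needs a configured Deploy Key)",
        UNSUPPORTED: "review; isolate if it should not be on the network",
        UNKNOWN: "isolate and investigate manually",
    }[category]


def summarize(devices: List[Dict]) -> Counter:
    return Counter(classify(d) for d in devices)


def scannable_networks(networks: List[Dict], min_agents: int = 5) -> List[str]:
    """Networks with fewer than `min_agents` agents are treated as home/public and skipped,
    which is why the article says not to set the threshold below five."""
    return [n["cidr"] for n in networks if n["agents_seen"] >= min_agents]


def in_excluded_range(ip: str, excluded: List[str]) -> bool:
    """Excluded IPs/ranges (e.g. honeypots) are never scanned or reported."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in excluded)


def demo_inventory() -> List[Dict]:
    """Constructed 500-device inventory matching the article's use case: 450 secured,
    30 unsecured Linux hosts, 10 unknown, plus 10 unsupported cameras to reach 500."""
    devices = [{"ip": f"10.1.{i // 250}.{i % 250 + 1}", "os": "windows", "agent_installed": True}
               for i in range(450)]
    devices += [{"ip": f"10.2.0.{i + 1}", "os": "linux", "agent_installed": False}
                for i in range(30)]
    devices += [{"ip": f"10.3.0.{i + 1}", "os": None, "agent_installed": False}
                for i in range(10)]
    devices += [{"ip": f"10.4.0.{i + 1}", "os": "ip camera", "agent_installed": False}
                for i in range(10)]
    return devices


DEMO_NETWORKS = [   # constructed
    {"cidr": "10.1.0.0/16", "agents_seen": 450},
    {"cidr": "10.2.0.0/24", "agents_seen": 12},
    {"cidr": "192.168.1.0/24", "agents_seen": 1},   # a roaming laptop's home Wi-Fi
]


if __name__ == "__main__":
    counts = summarize(demo_inventory())
    for category in (SECURED, UNSECURED, UNSUPPORTED, UNKNOWN):
        print(f"{category:12} {counts[category]:4}  -> {recommended_action(category)}")
    print("scan:", scannable_networks(DEMO_NETWORKS))          # the two corporate networks
    print(in_excluded_range("10.3.0.7", ["10.3.0.0/28"]))     # True: honeypot range skipped
```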

  • SentinelOne (P2 - SentinelOne's Deep Visibility: Enhanced vs. Legacy): A Practical Guide / A Practical Training

    Welcome back to the SentinelOne journey! As promised, we're diving deep into the Deep Visibility feature—a powerhouse for threat hunting and data analysis. Let me take you on a step-by-step walkthrough, starting with the Enhanced Deep Visibility, which is SentinelOne's newer and improved version, and then comparing it with the Legacy Deep Visibility. I'll show you how to unleash its potential for hunting threats effectively. Buckle up, and let's get started!

-------------------------------------------------------------------------------------------------------------

What Is Deep Visibility?

Deep Visibility is SentinelOne's capability to collect and analyze data from endpoints and integrated sources, offering unmatched granularity for security investigations. It stores this data for up to 90 days by default, allowing for retrospective analysis. If you're serious about understanding threats in your network, this is where the magic happens.

Before diving into the technical details, let's clarify a few key concepts:

Singularity™ Data Lake

This advanced feature builds on Deep Visibility, creating a unified platform to manage and analyze all your data. It combines EDR (Endpoint Detection and Response), XDR (Extended Detection and Response), and even non-security data.

Key Features:
- Centralized Data: Consolidates security, environmental, and third-party data for seamless analysis.
- Enhanced Querying: Includes tools like PowerQueries for advanced searches.
- Custom Views: Supports EDR, XDR, and "All Data" views for tailored investigations.
- Visualization: Offers customizable dashboards with graphs and JSON-based configurations.

Quick Note: Some of these advanced features are add-ons. You may need to subscribe to them separately.
------------------------------------------------------------------------------------------------------------- Starting with Enhanced Deep Visibility Let’s move to the Enhanced version because it’s simpler, faster, and more efficient than the Legacy version. As we proceed, I’ll show you why it’s my preferred choice for threat hunting. 1. Understanding the Interface When you open Deep Visibility, you’ll notice three main views  at the top-left corner: EDR : Displays structured security data collected from SentinelOne agents. XDR : Merges EDR data with data from integrated third-party sources. All Data : Combines everything—security and environmental logs. Example Use Case: I f you’re hunting for incoming connections on a specific endpoint , you might start with the EDR  view to focus on structured security data , then move to XDR  for broader context. How to Query: endpoint.name = "EndpointName" AND event.network.direction = 'INCOMING' This query will list all incoming network events for the specified endpoint. Above one is simplest example i have given With SentinelOne deep visibility, you can monitor search for and investigate activities using indicators such as file hashes, file names, domains, or any other relevant parameters (I cannot name them all do check it out on your own) . These capabilities enable comprehensive threat detection and response, helping you quickly identify and address security risks. In the future, based on demand, I plan to create a detailed article that will provide in-depth guidance on crafting queries and maximizing the platform's potential. For now, this overview should serve as a sufficient introduction. ------------------------------------------------------------------------------------------------------------- 2. PowerQueries: The Game Changer What are PowerQueries? PowerQueries are SentinelOne’s advanced query-building tools for precise data retrieval . Think of them as the swiss-army knife for analysts. 
They’re designed for scenarios where regular Event Search might fall short. Why Use PowerQueries? Targeted Results : Fetch only the data you need. Event Correlation : Combine data from multiple sources for deeper insights. Statistical Analysis : Use grouping functions to spot anomalies. In my perspective, I see PowerQuery as a tool for crafting threat queries that provide structured, tabular outputs. This makes it especially useful for reporting and analysis. PowerQuery has broad applications, and I often view it as a versatile resource for security use cases. For example, I could use PowerQuery to identify failed login attempts or investigate whether a specific user has transferred data to a USB device . These examples demonstrate the potential of PowerQuery in simplifying complex investigations while maintaining precision and clarity. Example 1: Failed Login Attempts Example 2: USB Data Transfer Tip: If you’re not familiar with query writing, don’t worry. SentinelOne provides built-in tools and even a Purple AI assistant  (more on this later) to guide you. This is where PowerQuery  becomes invaluable. I t helps you focus on what you are looking for by streamlining data queries and presenting results effectively. In my view, PowerQuery can be utilized in numerous ways, though there might be additional applications I haven't explored yet— feel free to share your insights or suggestions in the comments. As for functionalities like saving or sharing searches, these are quite intuitive and self-explanatory, so I won’t elaborate on them here. Any searches you save can be easily accessed under the "Search" column. A screenshot is included below for better clarity. ------------------------------------------------------------------------------------------------------------- 3. Purple AI: Your Hunting Buddy Purple AI is SentinelOne’s answer to simplifying threat hunting. If writing queries isn’t your strong suit, this feature allows you to type commands in plain English. 
Purple AI then translates them into actionable queries. Example: Type: “Show all connections made by PowerShell to public IPs.” Purple AI generates the query and rule for you: click on open powerquery as per screenshot Using AI tools is certainly beneficial, but I strongly encourage you to learn how to create queries manually. While AI simplifies many tasks, not all organizations may buy built-in AI-driven query features . In such cases, your ability to craft queries independently will be essential and could prevent potential challenges . Moreover, creating your own queries allows for better customization and accuracy in your analysis. If you’d like, I can compile a list of sample queries to help you get started. Feel free to reach out via email or reply directly to this article, and I’d be happy to create detailed guides and examples for you. ------------------------------------------------------------------------------------------------------------- 4. Creating Custom Dashboards Dashboards in Enhanced Deep Visibility are a breeze and which is self-explanatory You can visualize trends, monitor system health, and even build reusable dashboards tailored to your needs. Pro Tip: Use the Dashboard Library Prebuilt dashboards make it easy to get started. From system health to incident trends, you’ll find templates for almost every use case. ------------------------------------------------------------------------------------------------------------- Next to the Dashboard section, you'll find the Star Custom Rules feature. We'll delve into this in detail in future articles, but in simple terms, it allows you to create custom detection rules . For example, as I’ve mentioned before, while SentinelOne’s AI detection is powerful, it's always best to supplement it by creating your own rules under Star Custom Rules for more precise detections. Moving on, near the Star Custom Rules , you’ll see the Docs  column. 
This section contains comprehensive documentation for various tasks, such as data ingestion, log parsing (e.g., logs from Zscaler or other tools), working with graphs, PowerQueries, and much more. It’s a valuable resource to explore and reference as needed.

On the left-hand side of the Search section, you'll find a tab called Logs. This is where you can view all the logs ingested from various tools. It provides insights into the volume of logs and their sources, making it easier to track and manage log data effectively.

-------------------------------------------------------------------------------------------------------------

5. Legacy Deep Visibility: Still Useful?

While I’m a big fan of the Enhanced version, Legacy Deep Visibility has its own charm. Here’s where it shines:

As shown in the screenshot, this is how the Legacy Console appears.

S1QL (SentinelOne Query Language): Provides a structured way to query data, similar to S2QL. For example, I hunted for executions of rundll32 or regsvr32 scripts.

When comparing the Legacy Console and the Enhanced Console, you’ll notice slight differences, particularly in the command structure. Personally, I prefer the Enhanced version for its improved functionality, but the choice is yours.

I recommend exploring resources like the following for detailed query references and cheat sheets:
- GitHub Repository for S1QL Queries
- SentinelOne Cheat Sheet

These provide valuable insights into creating and running queries in the Legacy Console. However, I strongly advise against copying and pasting queries directly without understanding them. Always verify what a query does and ensure its relevance to your objective.

The Legacy Console has some notable missing features, such as Purple AI and the Dashboard, which are present in the Enhanced Console.
However, one feature exclusive to Legacy Deep Visibility is the Threat Hunter Extension:

Threat Hunter Extension Overview

Hunter Extension: A browser extension for quick IOC hunting. For example, you can copy a list of suspicious IPs from a webpage, and the extension automatically builds a query for them.

Example: In simple terms, this browser extension allows you to copy IOCs (Indicators of Compromise) from websites. For instance, if a website contains 100 IOCs, the extension captures them all. You can then select and search them directly in the Legacy Deep Visibility console, which generates a query and performs the hunt automatically. Unfortunately, this feature is not available in the Enhanced Console, making Legacy Deep Visibility particularly powerful for IOC hunting in such scenarios.

-------------------------------------------------------------------------------------------------------------

Threat Hunting in Deep Visibility

Threat hunting in SentinelOne is where the tool truly shines. Here’s a simple workflow:

Writing Custom Rules or Using Fields

Let’s say you want to check incoming connections on port 445. If you’re unsure about the syntax, use the Fields section to build your query visually: select the port and the direction, then choose "Include in search" (this creates a query for you automatically).

For more complex searches, like detecting PowerShell connections to public IPs, let Purple AI and PowerQuery handle it (if you have them enabled).

-------------------------------------------------------------------------------------------------------------

Conclusion

SentinelOne’s Deep Visibility is a treasure trove for security professionals. Whether you’re using the Enhanced version for its intuitive interface or the Legacy version for its robust features like the Hunter extension, there’s something for everyone.

Final Advice:
- Explore PowerQueries; they’re your best friend for precision.
- Leverage Purple AI if you’re new to threat hunting.
- Build and customize dashboards to streamline your workflows.
- If using Legacy, check out the Hunter extension for quick IOC hunting.

SentinelOne offers immense depth. If you want me to write a detailed guide on query writing or any specific feature, let me know in the comments or drop me an email.

Until next time, happy hunting! 🛡️

Akash Patel
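As an added example (not from this article and not SentinelOne's own code), the Python script below does offline what the Hunter Extension section above describes: it pulls IOCs out of constructed, defanged report text, drops non-routable addresses (the same public-IP check the "PowerShell to public IPs" hunt relies on), and assembles an S1QL-style `In (...)` clause. The field names DstIP, FileSha256 and DnsRequest and the clause syntax are assumptions; verify them against the Deep Visibility docs before running a hunt, as the article advises.

```python
import ipaddress
import re

# Constructed sample of a threat-report web page (not a real report).
# Indicators are defanged the way public write-ups usually present them.
SAMPLE_PAGE = """
Beacons were observed to 203[.]0[.]113[.]45 and 198.51.100[.]7 via
hxxp://malicious-example[.]test (resolved by the implant).
Dropper SHA256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
Analyst lab host 10.0.0.5 appears in the report but is not an indicator.
"""

# Ranges that cannot be a remote address on the internet. An explicit list is
# used because ipaddress.is_global also rejects the RFC 5737 documentation
# ranges that the constructed sample (and many training reports) use.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(text):
    """Undo common defanging so the patterns below match live indicators."""
    return (text.replace("[.]", ".").replace("(.)", ".")
                .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def is_public(ip):
    """True for a syntactically valid IPv4 address outside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # e.g. "999.1.1.1" matched by the loose regex
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def extract_iocs(text):
    """Collect unique public IPs, SHA256 hashes and domains from page text."""
    text = refang(text)
    return {
        "ips": sorted({ip for ip in IP_RE.findall(text) if is_public(ip)}),
        "sha256": sorted({h.lower() for h in SHA256_RE.findall(text)}),
        "domains": sorted({d.lower() for d in DOMAIN_RE.findall(text)}),
    }


def build_query(iocs):
    """Assumed S1QL-style clause; field names are assumptions to verify."""
    fields = {"ips": "DstIP", "sha256": "FileSha256", "domains": "DnsRequest"}
    parts = []
    for key, field in fields.items():
        if iocs[key]:
            quoted = ", ".join('"%s"' % v for v in iocs[key])
            parts.append(f"{field} In ({quoted})")
    return " OR ".join(parts)
```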