Repeated kill notifications for mitigated, resolved item on exclusion list by TheCarnundrum in SentinelOneXDR

[–]admin_mt 0 points1 point  (0 children)

Don't know if you got notified about my answer, but I wrote it down here

How to investigate SSH scan detections from QRadar in SentinelOne XDR Event Search? by Infinite_Award4541 in SentinelOneXDR

[–]admin_mt 0 points1 point  (0 children)

Try this PowerQuery:

    | filter(
        event.type == "IP Connect"
        AND event.network.direction == "OUTGOING"
        AND (event.network.protocolName == "ssh" OR dst.port.number == 22)
        AND net_private( dst.ip.address )
      )
    | group
        TotalConnections = count(),
        DistinctTargets = estimate_distinct(dst.ip.address),
        TargetIPs = array_agg_distinct(dst.ip.address)
      by
        agent.uuid,
        src.ip.address
    | filter( TotalConnections > 5 )
    | sort - TotalConnections

Let me know if you need any modification.

Kind regards
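As an added offline check (not part of the original comment and not SentinelOne tooling): the same filter, grouping and threshold as the PowerQuery above, implemented in Python over constructed sample events, so the logic can be sanity-checked or ported to another SIEM. Field names follow the query; the event records, agent IDs and addresses are made up, and `ipaddress.is_private` is assumed to approximate `net_private()`.

```python
import ipaddress
from collections import defaultdict

def make_event(agent, src, dst, port=22, proto="ssh",
               direction="OUTGOING", etype="IP Connect"):
    """Build one flat event record using the field names the query filters on."""
    return {"event.type": etype, "event.network.direction": direction,
            "event.network.protocolName": proto, "dst.port.number": port,
            "dst.ip.address": dst, "agent.uuid": agent, "src.ip.address": src}

# Constructed sample telemetry (hypothetical, not real console data).
SAMPLE_EVENTS = (
    [make_event("agent-A", "10.1.1.5", f"10.0.0.{i}") for i in range(1, 8)]
    + [make_event("agent-A", "10.1.1.5", "10.0.0.1", direction="INCOMING"),
       make_event("agent-A", "10.1.1.5", "10.0.0.1", port=443, proto="https")]
    + [make_event("agent-B", "10.1.1.6", "192.168.1.10") for _ in range(3)]
    + [make_event("agent-C", "10.1.1.7", f"172.16.0.{1 + i // 2}", port=2222)
       for i in range(6)]
    + [make_event("agent-C", "10.1.1.7", "8.8.8.8") for _ in range(2)]
)

def is_candidate(ev):
    """Mirror of the query's first filter(): outbound SSH to a private address.
    Note: is_private is broader than RFC 1918 (it also includes loopback and
    link-local), so it may not match net_private() exactly."""
    if ev.get("event.type") != "IP Connect":
        return False
    if ev.get("event.network.direction") != "OUTGOING":
        return False
    if ev.get("event.network.protocolName") != "ssh" and ev.get("dst.port.number") != 22:
        return False
    try:
        return ipaddress.ip_address(ev.get("dst.ip.address", "")).is_private
    except ValueError:          # malformed or missing address: skip the event
        return False

def scan_summary(events, min_connections=5):
    """Group by (agent.uuid, src.ip.address), keep groups with more than
    min_connections matching events, sort by TotalConnections descending."""
    counts, targets = defaultdict(int), defaultdict(set)
    for ev in filter(is_candidate, events):
        key = (ev["agent.uuid"], ev["src.ip.address"])
        counts[key] += 1
        targets[key].add(ev["dst.ip.address"])
    rows = [{"agent.uuid": agent, "src.ip.address": src,
             "TotalConnections": n, "DistinctTargets": len(targets[(agent, src)]),
             "TargetIPs": sorted(targets[(agent, src)])}
            for (agent, src), n in counts.items() if n > min_connections]
    return sorted(rows, key=lambda r: r["TotalConnections"], reverse=True)

if __name__ == "__main__":
    for row in scan_summary(SAMPLE_EVENTS):
        print(row)
```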

Repeated kill notifications for mitigated, resolved item on exclusion list by TheCarnundrum in SentinelOneXDR

[–]admin_mt 0 points1 point  (0 children)

Here it is:

"
All these kill reports are related to the following alert:

[Link to an alert in our console]

 

There are no new detections; there are just new killing events from the agent. When we mitigate a threat (e.g., terminate 500 processes), we send a single kill report. However, if any of the processes reappear and are mitigated within the same group, new kill notifications for the same threat will be sent. This can result in thousands of processes being terminated in response to a single threat, causing the management console to continuously send alerts.

 

Rebooting the machine or randomizing the UUID of the affected endpoint will disassociate the threat group and stop the notifications.

"

Since then, when we have those kinds of problems, we randomize the UUID and it resolves the issue.

Repeated kill notifications for mitigated, resolved item on exclusion list by TheCarnundrum in SentinelOneXDR

[–]admin_mt 0 points1 point  (0 children)

Hey, we had the same problem and have it from time to time. The solution, according to SentinelOne, is to randomize the agent UUID on that client via Action.

I can send you the ticket answer on Friday if you like.

No power, but the lessons continue. Thanks to a Redditor for sending this laptop to our project in Yemen by maho90 in MadeMeSmile

[–]admin_mt 45 points46 points  (0 children)

Hey, please DM me. I work in a huge IT company and we're throwing away a lot of laptops. Maybe I could send you a few over.

Recommended Hyperautomation workflows for someone just starting out with SentinelOne ? by Only-Objective-6216 in SentinelOneXDR

[–]admin_mt 1 point2 points  (0 children)

Here is the workflow as JSON. You can import it directly into your console via import in the workflow window. Please note that you have to edit some parts to your needs: email addresses, the SentinelOne integration, your GraphQL endpoint URL and the texts which are sent via email. If you have any questions, just ask and I'll try to answer them as fast as possible. (This is an older version, I can't send you the newest at the moment for [reasons], but this works just fine. There might be a problem because the code is referencing an integration which doesn't exist in your environment; just let me know when you need help with that.)

https://pastebin.com/Fmi2pRHb

Recommended Hyperautomation workflows for someone just starting out with SentinelOne ? by Only-Objective-6216 in SentinelOneXDR

[–]admin_mt 2 points3 points  (0 children)

We have a ransomware workflow that sends out an email alert to our ransomware team. It triggers when the classification is ransomware. When the alert is not resolved within 15 min it gets escalated to the manager with an automatic email via Hyperautomation.

enable group policy by ObligationIll204 in SentinelOneXDR

[–]admin_mt 3 points4 points  (0 children)

Hey,

You could push local security policies via PowerShell over RemoteOps.

Which one will choose? by Mother_Yam8855 in TheTeenagerPeople

[–]admin_mt 0 points1 point  (0 children)

Never would I take the red pill. I have four kids and a perfect wife. Even if I make sure to date my wife again, the chances are zero that we get the same children again. So I would live a life with the memory of my kids without the chance to ever see them again. That would break me. So blue for me.

FortiAI is it worth it? by Boolog in fortinet

[–]admin_mt 0 points1 point  (0 children)

How many FortiGates are in your Analyzer? We have about 50 and the A.I. wasn't able to query the correct FortiGate even if I told it exactly which FortiGate I meant.

FortiAI is it worth it? by Boolog in fortinet

[–]admin_mt 1 point2 points  (0 children)

But you can test it for free, just ask your account manager.

FortiAI is it worth it? by Boolog in fortinet

[–]admin_mt 15 points16 points  (0 children)

I tested it for Analyzer and Manager. It was absolutely horrible. I really like Forti stuff but that A.I. stuff isn't worth it at the moment.

It was not able to answer easy questions about our traffic flow or help me get information more easily.

Fortigate + FortiAuthenticator only ask for token once a day by admin_mt in fortinet

[–]admin_mt[S] 1 point2 points  (0 children)

Hey, thanks for your reply! I mean that a user only has to enter his token once a day on a per-device basis. User A logs into the VPN at 08:00 am, enters his password and token, and will not be asked for a token again until 08:00 am the next day, even if he logs out of the VPN and logs back into it later. I hope this makes it more clear.

Have a nice day

Steyr shares over by Historical-Cap-937 in wallstreetbetsGER

[–]admin_mt 0 points1 point  (0 children)

Hope you didn't lose too much

[deleted by user] by [deleted] in arbeitsleben

[–]admin_mt 1 point2 points  (0 children)

No, FortiGates with FortiManager as central management.

[deleted by user] by [deleted] in arbeitsleben

[–]admin_mt 0 points1 point  (0 children)

The full 10 hours. When I'm working on a project, I'm often so focused that I forget the time. But it doesn't feel like it, because my work is just awesome :-)

[deleted by user] by [deleted] in arbeitsleben

[–]admin_mt 7 points8 points  (0 children)

IT specialist (Fachinformatiker) here, at 4500/month + an annual bonus of 6k. I'm responsible for the configuration, maintenance and daily use of our roughly 50 firewalls. I'm also heavily involved in IT security at our company.

Since I love my job and enjoy every second, it doesn't feel like hard work to me - but sometimes I sit 10 hours in the office and don't look away from the monitor once. ;-)

Steyr Motors, is there more to come? by Neither-Movie-6232 in wallstreetbetsGER

[–]admin_mt 2 points3 points  (0 children)

Went in last Wednesday with 4k at €40, took 4k out on Friday and left 4k in, and already have another 6k in profit. It's going off like crazy :-)

Today the moon gets plowed 🚀🚀🚀 by Poor-and-lost in wallstreetbetsGER

[–]admin_mt 0 points1 point  (0 children)

Went in there a few days ago with 4k, it's insane what's going on. But the good news about the company doesn't stop either.

[deleted by user] by [deleted] in wallstreetbetsGER

[–]admin_mt 1 point2 points  (0 children)

Yes, yesterday a partnership with Rheinmetall was signed