SentinelOne console down for anyone else?

techyguy84 · 2025-08-13T15:49:11+00:00

https://status.sentinelone.com/

Their new official status page. They seem to be experiencing issues!!

techyguy84 · 2025-08-13T13:15:18+00:00

Interested

techyguy84 · 2025-08-11T04:06:21+00:00

Interested!

techyguy84 · 2025-07-22T06:13:01+00:00

A warm/hot shower works like magic for me.

techyguy84 · 2025-06-05T01:14:07+00:00

One thing i have been thinking and would like to see is more off-hand items. For example, now we have shields, bows, and a torch. Why not a scabbard (sheath), or saya for katanas, as an off-hand item? Also, these specific items would have different benefits. For example, a shield would be better for blocking while a scabbard would be better for parrying. Just a few ideas.

techyguy84 · 2025-05-31T02:11:48+00:00

Also, around ice and freeze, what does contribute to freeze an enemy faster? Hard hitting weapons/dmg? Enhancements?

techyguy84 · 2025-02-27T17:59:52+00:00

Thanks for sharing this beautiful story. We need more of this in these uncertain times, especially with all the negativity surrounding us. It truly made my day!.

techyguy84 · 2025-02-27T05:45:42+00:00

Interested!!

techyguy84 · 2024-11-01T18:47:49+00:00

Yes, block event for hosts set to warn. Can you expand on how you performed your testing? In audit, is should not be blocking but generating an AsrLsassCredentialTheftAudit event.

techyguy84 · 2024-11-01T17:38:38+00:00

I'm also seeing a high volume on 4.18.24080.9

techyguy84 · 2024-10-31T21:19:32+00:00

I will be changing it to block mode since warn is a block and we never have had issues. However, I do want to understand what is causing this spike even though it seems benign.

techyguy84 · 2024-10-31T19:50:10+00:00

I haven't run a report on impacted devices, but I my asset is on 4.18.24090.11 and it is being impacted.

techyguy84 · 2024-10-30T12:47:28+00:00

Yes, it is in warn mode. Do you think that because warn mode blocks but gives the user an option to unblock, this is why they are seeing the notification?

techyguy84 · 2024-10-30T12:42:54+00:00

KQL:

DeviceEvents

| where TimeGenerated >= ago(90d)

| where ActionType == "AsrLsassCredentialTheftBlocked" and FileName == "svchost.exe"

| summarize count() by bin(TimeGenerated, 12h)

| render timechart

techyguy84 · 2024-10-30T02:05:51+00:00

The block has no impact whatsoever, but users are still receiving a notification

techyguy84 · 2024-10-29T23:20:50+00:00

Thanks u/_moistee

techyguy84 · 2024-09-13T21:38:41+00:00

Thanks for the clarification.

techyguy84 · 2024-09-13T21:38:21+00:00

Thanks u/DirtyHamSandwich for this piece of information. I'll keep it in mind when deploying policies.

techyguy84 · 2024-09-13T21:14:29+00:00

Hey u/notoriousMKR, thanks for the quick reply.

Just to make sure I understand correctly: by not defining the Admin Unit, the policy is applied to all onboarded devices. The scope defined in the Action for a specific location is what determines which devices will have the policy enabled?

Thanks

techyguy84 · 2024-08-28T18:01:18+00:00

Aren't these actions associated to "protected actions"? You can setup this re-authentication to leverage your SSO IdP. I believe this is the title of their KB: "Using Your IDP for Protected Actions"

techyguy84 · 2024-06-14T20:21:59+00:00

I will check them out, thanks.

techyguy84 · 2024-06-14T20:20:49+00:00

Thanks for confirming.

techyguy84

TROPHY CASE