FAQ - SentinelOne (2024)

Everything You Need to Know About SentinelOne


About SentinelOne

What is SentinelOne software?

The SentinelOne Singularity platform is an industry-first data lake that seamlessly fuses together the data, access, control, and integration planes of its endpoint protection (EPP), endpoint detection and response (EDR), IoT security, and cloud workload protection (CWPP) into a centralized platform. With Singularity, organizations gain access to back-end data across the organization through a single solution, providing a cohesive view of their network and assets by adding a real-time, autonomous security layer across all enterprise assets.

How good is SentinelOne?

SentinelOne is regularly appraised by industry-leading analyst firms and independent third-party testing such as:

  • Gartner Best Endpoint Detection and Response (EDR) Solutions as Reviewed by Customers
  • Gartner named SentinelOne as a Leader in the Magic Quadrant for Endpoint Protection Platforms
  • MITRE Engenuity ATT&CK Carbanak and FIN7 results show SentinelOne leading all other cybersecurity vendors with 100% visibility, no missed detections, and no configuration changes required.
  • MITRE Engenuity ATT&CK APT29 (2019) report:
    • SentinelOne Singularity Platform had the highest number of combined high-quality detections and the highest number of automated correlations.
    • SentinelOne had the highest number of tool-only detections and the highest number of human/MDR detections.

Analysts are drowning in data and simply aren’t able to keep up with sophisticated attack vectors. SentinelOne helps turn data into stories, so analysts can focus on the alerts that matter most.

What is SentinelOne used for?

SentinelOne provides a range of products and services to protect organizations against cyber threats. The SentinelOne security platform, named Singularity XDR, is designed to protect against various threats, including malware, ransomware, and other advanced persistent threats (APTs). It uses machine learning and other advanced analytics techniques to analyze real-time security data and identify patterns and behaviors that may indicate a security threat. When a threat is detected, the platform can automatically trigger a response, such as quarantining a device or issuing an alert to security personnel. Our main products are designed to protect the three security surfaces attackers are targeting today: Endpoint, Cloud, and Identity.

Endpoint: Our main product is a security platform that combines endpoint protection, EDR (Endpoint Detection and Response), and automated threat response capabilities into a single solution.

Cloud: SentinelOne offers a range of products and services designed to protect organizations against cyber threats in the cloud. The SentinelOne security platform, named Singularity XDR, includes features specifically designed to protect cloud environments, such as:

  1. Cloud-Native Endpoint Protection: SentinelOne’s endpoint protection capabilities are built to protect cloud environments, including public, private, and hybrid clouds. The platform uses machine learning and other advanced analytics techniques to detect and block malicious activity in real time.
  2. Cloud-Native EDR (Endpoint Detection and Response): SentinelOne’s EDR capabilities are designed to detect and respond to threats in cloud environments. The platform includes features such as cloud forensics, cloud incident response, and cloud threat hunting, which allow security teams to investigate and mitigate threats in the cloud.
  3. Automated Threat Response: SentinelOne’s automated threat response capabilities are designed to respond automatically to threats in cloud environments. This includes features such as cloud containment, which allows security teams to isolate and contain infected devices in the cloud, and cloud remediation, which will enable teams to restore cloud environments to a known-good state automatically.

Our security platform is designed to be cloud-agnostic so that it can be deployed in any cloud environment, including public clouds.

Identity: SentinelOne offers a range of products and services to protect organizations against identity-related cyber threats. SentinelOne’s security platform includes IAM protection capabilities to detect and respond to identity and access management threats. This includes identity-based threat hunting, which allows security teams to investigate and mitigate threats related to user identities and access controls.

In addition to its security platform, SentinelOne also offers MDR and professional services, such as threat hunting and incident response, to help organizations respond to and recover from cyber-attacks. The company’s products and services primarily target enterprise-level organizations, including government agencies and Fortune 500 companies.

Which certifications does SentinelOne have?

SentinelOne participates in a variety of testing and has won awards. Here is a list of recent third party tests and awards:

  • MITRE ATT&CK APT29 report: Highest number of combined high-quality detections and the highest number of automated correlations, highest number of tool-only detections and the highest number of human/MDR detections
  • The first and only next-gen cybersecurity solution to receive VB100 certification from Virus Bulletin. The VB100 certification is a well-respected recognition in the anti-virus and malware communities due to its stringent testing requirements.
  • Gartner Best Endpoint Detection and Response (EDR) Solutions as Reviewed by Customers
  • Gartner Best Endpoint Protection Platforms (EPP) as Reviewed by Customers
  • Passmark’s January 2019 performance test compares SentinelOne to several legacy AV products. Testing showed that SentinelOne performs better than other vendors when the agent is under heavy load. During normal user workload, customers typically see less than 5% CPU load.

Who owns SentinelOne?

SentinelOne is a publicly traded company on the New York Stock Exchange (Ticker Symbol: S).

When was SentinelOne founded?

SentinelOne was founded in 2013.

What is the history and background of SentinelOne?

SentinelOne, a cybersecurity software company, was founded in 2013 and is headquartered in Mountain View, California. The company has a rich history of innovation and growth, marked by significant milestones and achievements.

In its founding year, SentinelOne raised $2.5M in seed funding, and by 2014, it had opened its first US office in Mountain View, CA. The company made its first sale that year, marking the beginning of its journey in disrupting the industry and legacy antivirus with AI/ML prevention.

In 2015, SentinelOne introduced the first endpoint security solution using behavioral AI, a significant step in reinventing endpoint security. The company continued to grow, securing Series B funding of $25M in 2016 and expanding its business to EMEA. That same year, SentinelOne was named a Visionary in Gartner’s 2016 Magic Quadrant for Endpoint Protection Platforms.

The company’s growth continued in the following years, with significant funding rounds, product advancements, and business expansions. In 2020, SentinelOne became a unicorn company, and by 2021, it had the highest-valued cybersecurity IPO in history.

Today, SentinelOne’s Singularity platform offers customers security effectiveness, ease-of-use, and global scalability to meet today’s threats head-on. The company continues to innovate and expand, securing identity data and the cloud market, and remains committed to its mission of delivering advanced cybersecurity solutions.

What are the core values and mission of SentinelOne?

SentinelOne is a pioneering force in the realm of autonomous cybersecurity. Our mission is to defeat every cyber attack, every second of every day. We understand that the landscape of cybersecurity is constantly evolving, and threats are becoming increasingly advanced, leveraging the power of automation. While some may wait and react, we at SentinelOne choose to innovate.

Our Singularity Platform is designed to instantly defend against cyberattacks, performing at a faster speed, greater scale, and higher accuracy than any single human or even a crowd could achieve. If our technology seems like something from the future, that’s because it is. We are committed to staying a step ahead of attackers by continuously evolving our technology and expertise.

Our core values revolve around dependability, integrity, passion for team success, unwavering purpose, determination, and kindness. We believe in driving team success and collaboration across SentinelOne, and we always consider how our actions will affect others. We are passionate about what we do and are committed to pushing the boundaries of technology.

At SentinelOne, we are dedicated to protecting and securing the core pillars of modern infrastructure: data and the systems that store, process, and share information. We serve over 10,000 customers, including 4 of the Fortune 10, hundreds of the Global 2000, prominent governments, healthcare providers, and educational institutions. We are proud to be trusted by these organizations to bring their defenses into the future, offering more capability with less complexity.

In summary, SentinelOne is not just a cybersecurity company. We are a team of innovators and problem-solvers, dedicated to safeguarding the world’s data and systems against ever-evolving cyber threats.

What kind of industries or sectors does SentinelOne primarily serve?

SentinelOne primarily serves a wide range of industries with its autonomous cybersecurity solutions. These industries include but are not limited to:

  1. Banking and Financial Services: SentinelOne provides robust security solutions to these sectors, helping them pioneer the integration of strong security cultures. The company’s solutions facilitate proactive risk management and collaborative efforts to enhance the security posture of the entire sector.
  2. Healthcare: SentinelOne offers tailored cybersecurity solutions to address unique challenges in the healthcare sector, particularly in safeguarding sensitive patient data.
  3. Public Sector: SentinelOne’s solutions are also applicable to various government agencies at the national, provincial/state, or local level. This includes educational institutions and quasi-public sector entities such as transit authorities, banks, or utilities, depending on whether the laws of that quasi-public sector entity consider it a government entity for the purpose of cybersecurity.
  4. Digital Industries: As evidenced by the company’s work with Siemens USA, SentinelOne also serves digital industries, providing solutions for cloud security and more.
  5. Energy: SentinelOne provides cybersecurity solutions tailored to the unique needs of the energy sector.
  6. Federal Government: SentinelOne offers robust security solutions to various federal government agencies. The solutions are designed to meet the stringent security requirements of these entities.
  7. Higher Education: SentinelOne provides cybersecurity solutions to higher education institutions, helping them protect sensitive data and maintain compliance with various regulations.
  8. K-12 Education: SentinelOne also serves K-12 education institutions, providing them with the necessary tools to protect their networks and data from various cyber threats.
  9. Manufacturing: SentinelOne offers cybersecurity solutions tailored to the unique needs of the manufacturing sector.
  10. Retail: SentinelOne provides robust security solutions to the retail sector, helping them protect sensitive customer data and maintain compliance with various regulations.

Please note that SentinelOne’s autonomous cybersecurity solutions are versatile and can be tailored to meet the specific needs of various other industries as well.

Who are SentinelOne’s competitors?

SentinelOne and CrowdStrike are considered the two leading EDR/EPP solutions on the market. SentinelOne is superior to CrowdStrike and has outperformed it in recent, independent evaluations. See this detailed comparison page of SentinelOne vs CrowdStrike.

SentinelOne offers an autonomous, single-agent EPP+EDR solution with best-in-industry coverage across Linux, macOS, and Windows operating systems. SentinelOne also offers an optional MDR service called Vigilance. Unlike CrowdStrike, SentinelOne does not rely on human analysts or cloud connectivity for its best-in-class detection and response capabilities. Instead, it utilizes an Active EDR agent that carries out pre- and on-execution analysis on the device to detect and protect endpoints autonomously from both known and unknown threats.

Why is SentinelOne better than CrowdStrike?

SentinelOne offers several advantages over CrowdStrike in terms of protection, detection, remediation, and enterprise-grade configuration choices. SentinelOne’s military-grade prevention and AI-powered detection capabilities and one-click remediation and rollback features give it an edge in terms of proactive and responsive cybersecurity. In comparison, CrowdStrike’s reliance on cloud-based, human-powered protection and manual and script-based mitigation can create delays and misses in protection, and may not be as comprehensive in detecting threats. Additionally, SentinelOne’s rich feature parity across operating systems and automated deployment capabilities, as well as its out-of-the-box multi-tenancy and scalability options, make it a more enterprise-friendly solution compared to CrowdStrike, which does not offer feature parity and requires manual configuration for multi-tenancy.

Can SentinelOne's solutions protect against zero-day attacks and advanced persistent threats (APTs)?

Yes, SentinelOne’s solutions protect against zero-day attacks and advanced persistent threats (APTs) by leveraging AI-driven technology, behavioral analysis, and real-time threat intelligence to detect and respond to emerging threats proactively.

How does SentinelOne respond to ransomware?

SentinelOne responds to ransomware attacks with its advanced behavioral AI engine, which can detect and stop ransomware in real time. SentinelOne’s AI engine can analyze the behavior of a ransomware attack and stop it before it can encrypt files. SentinelOne’s AI engine can also roll back changes made by the ransomware to restore encrypted files. SentinelOne also has a ransomware recovery feature that can restore encrypted files from a previous backup.

Does SentinelOne detect and block fileless ransomware?

SentinelOne can detect and block fileless ransomware attacks using its behavioral AI engine, which analyzes the behavior of a fileless attack and stops it before it can cause any damage. SentinelOne’s AI engine can also identify and stop attacks that use fileless techniques to evade detection by traditional security tools.

Has SentinelOne received any awards or recognitions in the cybersecurity industry?

SentinelOne has been recognized by several leading industry analysts and peer review platforms.

Gartner has acknowledged SentinelOne’s strengths in its Magic Quadrant report, and the company has received exceedingly favorable feedback on Gartner Peer Insights, with the most recent reviews updated in summer of 2023.

SentinelOne has also been recognized for its leadership position in the MITRE ATT&CK evaluations. The company has participated in four evaluations to date, demonstrating its robust cybersecurity capabilities.

Forrester has named SentinelOne as a “Strong Performer” in its Managed Detection and Response (MDR) report, highlighting the company’s strong platform, product effectiveness, and excellent managed security services provider relationships.

For more details about SentinelOne security compliance, please refer to the SentinelOne Security Statement.

Endpoint Security

What is endpoint security software?

Endpoint security software is a program that is installed on laptops, desktops, and/or servers that protects them from the slew of attacks that can infect an endpoint – malware, exploits, live attacks, script-based attacks, and more – with the purpose of stealing data, profiting financially, or otherwise harming systems, individuals, or organizations.

What is considered an endpoint?

An endpoint is one end of a communications channel. It refers to parts of a network that don’t simply relay communications along its channels, or switch those communications from one channel to another. An endpoint is the place where communications originate, and where they are received.

Are servers considered endpoints?

Servers are considered endpoints, and most servers run Linux. SentinelOne Linux agent provides the same level of security for Linux servers as all other endpoints.

What is next gen endpoint protection?

Next-gen endpoint security solutions are proactive. They preempt and predict threats in a number of ways. By evaluating all activity in a network, both in the kernel and in user space, these tools keep a close eye on anything that looks suspicious. Machine learning processes are proficient at predicting where an attack will occur. Security tools may use techniques such as out-of-band monitoring to make the surveillance more robust and to catch viruses, malware, and other kinds of attacks early.

What is an endpoint protection platform?

SentinelOne Endpoint Protection Platform (EPP) unifies prevention, detection, and response in a single, purpose-built agent powered by machine learning and automation. It provides prevention and detection of attacks across all major vectors, rapid elimination of threats with fully automated, policy-driven response capabilities, and complete visibility into the endpoint environment with full-context, real-time forensics.

What is endpoint management software?

The SentinelOne agents connect to the Management console, which manages all aspects of the product providing one console for all of its capabilities, eliminating the need for separate tools and add-ons.

What is the best endpoint protection?

The best endpoint protection is achieved by combining static and behavioral AI within one autonomous agent defending the endpoint against file-based malware, fileless attacks, evil scripts, and memory exploits whether that endpoint is online or offline.

The SentinelOne Endpoint Protection Platform was evaluated by MITRE’s ATT&CK Round 2, April 21, 2020. It had the lowest number of missed detections, and achieved the highest number of combined high-quality detections and the highest number of correlated detections. Importantly, SentinelOne does not rely on human-powered analysis and defeats attacks using an autonomous Active EDR approach.

What Is EDR?

EDR provides an organization with the ability to monitor endpoints for suspicious behavior and record every single activity and event. It then correlates information to provide critical context to detect advanced threats and finally runs automated response activity such as isolating an infected endpoint from the network in near real-time.

What is Active EDR?

ActiveEDR allows tracking and contextualizing everything on a device. ActiveEDR is able to identify malicious acts in real time, automating the required responses and allowing easy threat hunting by searching on a single IOC.
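The EDR and Active EDR answers above describe recording every process event, correlating it into context, identifying the root cause, and triggering an automated response such as isolating the endpoint. The following Python block is an added illustration of that workflow written for this page; it is not SentinelOne's agent or Storyline code. The telemetry, the host names, and the small parent/child rule table are all constructed for the example, and a real product would use far richer signals than a parent-child image pair.

```python
"""Toy EDR-style event correlation (added illustration, not product code).

Constructed process-creation events are linked into parent/child chains per
host, each chain is checked against a few parent->child relationships that
defenders commonly treat as suspicious (an Office application spawning a
shell), the root-cause process is named, and a response action is decided.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry: one benign chain (ws-02) and one suspicious
# chain (ws-01) where a Word document launches PowerShell, which launches cmd.
SAMPLE_EVENTS = [
    ProcEvent("ws-01", 100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent("ws-01", 210, 100, "winword.exe", "winword.exe invoice.docm"),
    ProcEvent("ws-01", 333, 210, "powershell.exe", "powershell.exe -NoProfile -Command Get-Date"),
    ProcEvent("ws-01", 340, 333, "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("ws-02", 100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent("ws-02", 150, 100, "chrome.exe", "chrome.exe"),
]

# Illustrative rule table (hypothetical, not a product rule set): parent image
# and child image pairs that warrant an analyst's attention.
SUSPICIOUS_PARENT_CHILD = {
    ("winword.exe", "powershell.exe"),
    ("excel.exe", "powershell.exe"),
    ("winword.exe", "cmd.exe"),
    ("outlook.exe", "powershell.exe"),
}


def index_by_host(events: List[ProcEvent]) -> Dict[str, Dict[int, ProcEvent]]:
    """Group events per host and key them by pid so parents can be looked up."""
    by_host: Dict[str, Dict[int, ProcEvent]] = {}
    for e in events:
        by_host.setdefault(e.host, {})[e.pid] = e
    return by_host


def ancestry(procs: Dict[int, ProcEvent], pid: int) -> List[str]:
    """Walk from pid up through ppid links; return image names root-first.
    The 'seen' set guards against pid reuse producing a cycle."""
    chain: List[str] = []
    seen = set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.image)
        cur = procs.get(cur.ppid)
    return list(reversed(chain))


def find_stories(events: List[ProcEvent]) -> Dict[str, dict]:
    """Return one 'story' per host whose process tree contains a suspicious edge.

    The story is the longest ancestry chain that includes a suspicious
    parent->child pair; the root cause is the parent of the first such pair.
    """
    stories: Dict[str, dict] = {}
    for host, procs in index_by_host(events).items():
        best = None
        for pid in procs:
            chain = ancestry(procs, pid)
            edges = [(a, b) for a, b in zip(chain, chain[1:])
                     if (a, b) in SUSPICIOUS_PARENT_CHILD]
            if edges and (best is None or len(chain) > len(best["chain"])):
                best = {"chain": chain, "root_cause": edges[0][0],
                        "suspicious_edges": edges}
        if best is not None:
            # Automated response decision: contain the host so the chain
            # cannot spread or reach back out while an analyst reviews it.
            best["action"] = "isolate_host"
            stories[host] = best
    return stories


if __name__ == "__main__":
    for host, story in find_stories(SAMPLE_EVENTS).items():
        print(host, "->", " > ".join(story["chain"]),
              "| root cause:", story["root_cause"], "| action:", story["action"])
```

Running the block prints a single story for ws-01 (explorer.exe > winword.exe > powershell.exe > cmd.exe) with winword.exe as the root cause and an isolation action, while ws-02 produces nothing. The point of the design is that the decision is made from the correlated chain, not from any single event, which is what lets an analyst answer "how did this start" from one alert.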

What is XDR?

XDR is the evolution of EDR (Endpoint Detection and Response). While EDR collects and correlates activities across multiple endpoints, XDR broadens the scope of detection beyond endpoints to provide detection, analytics, and response across endpoints, networks, servers, cloud workloads, SIEM, and much more. This provides a unified, single-pane-of-glass view across multiple tools and attack vectors. This improved visibility provides contextualization of these threats to assist with triage, investigation, and rapid remediation efforts, automatically collecting and correlating data across multiple security vectors and facilitating faster threat detection so that security analysts can respond quickly before the scope of the threat broadens. Out-of-the-box integrations and pre-tuned detection mechanisms across multiple different products and platforms help improve productivity, threat detection, and forensics. In short, XDR extends beyond the endpoint to make decisions based on data from more products and can take action across your stack by acting on email, network, identity, and beyond.

How is XDR different from SOAR?

Security Orchestration & Automated Response (SOAR) platforms are used by mature security operations teams to construct and run multi-stage playbooks that automate actions across an API-connected ecosystem of security solutions. In contrast, XDR will enable ecosystem integrations via Marketplace and provide mechanisms to automate simple actions against third-party security controls. SOAR is complex, costly, and requires a highly mature SOC to implement and maintain partner integrations and playbooks. XDR is meant to be ‘SOAR-lite’: a simple, intuitive, zero-code solution that provides actionability from the XDR platform to connected security tools.

What is SentinelOne agent?

The SentinelOne agent is a software program deployed to each endpoint, including desktop, laptop, server, or virtual environment, and runs autonomously on each device without reliance on an internet connection. The agent sits at the kernel level and monitors all processes in real time. This process is performed by our Dynamic Behavioral Tracking engine and allows users to see exactly what happened on an endpoint at each stage of execution. This includes origin, patient zero, process and file activity, registry events, network connections, and forensic data.

How do you implement endpoint security?

Implementing endpoint security measures requires the deployment of SentinelOne agents on all the endpoints in an organization. Security teams can monitor alerts, hunt for threats and apply local and global policies to devices across the enterprise.

Is endpoint security an antivirus?

Endpoint security, or endpoint protection, is the process of protecting user endpoints (a device connected to a network to communicate) from threats such as malware, ransomware, and zero-days. The connection of endpoint devices to corporate networks creates attack paths for security threats of all kinds. This could mean exposing important financial information about an organization or leaking personal information about customers that thought they were secure.

Endpoint security platforms qualify as antivirus. For organizations looking to run “antivirus,” SentinelOne fulfills this requirement and so much more with fully-fledged prevention, detection, and response across endpoint, cloud, container, mobile, IoT, data, and more.

Yet, Antivirus is an antiquated, legacy technology that relies on malware file signatures. SentinelOne’s autonomous platform does not use traditional antivirus signatures to spot malicious attacks. Instead, we use a combination of static machine learning analysis and dynamic behavioral analysis to protect systems. All files are evaluated in real-time before they execute and as they execute. Because SentinelOne technology does not use signatures, customers do not have to worry about network-intensive updates or local system I/O intensive daily disk scans.

What is considered an endpoint in endpoint security?

In simple terms, an endpoint is one end of a communications channel. It refers to parts of a network that don’t simply relay communications along its channels or switch those communications from one channel to another. An endpoint is the place where communications originate, and where they are received—in essence, any device that can be connected to a network.

Examples of endpoint devices include:

  • Desktops
  • Laptops
  • Mobile devices
  • Tablets
  • Smartwatches
  • Internet of Things (IoT) devices
  • Point-of-Sale (POS) systems
  • Medical devices
  • Digital printers
  • Servers

From a computer security perspective, “endpoint” will most likely refer to a desktop or laptop. Servers and VMs fall into cloud workload protection, while mobile devices (phones, tablets, Chromebooks, etc.) fall into a specialized category of mobile threat defense. Creating and implementing security software on mobile devices is hugely different when compared to traditional endpoints.

As technology continues to advance, there are more mobile devices being used for business and personal use. Smartphones, smart watches, tablets, etc., all help businesses run more efficiently. But, they can also open you up to potential security threats at the same time.

Endpoints are now the true perimeter of an enterprise, which means they’ve become the forefront of security.

What are the primary benefits of using SentinelOne for cloud security and protecting cloud workloads?

SentinelOne’s cloud security solutions provide comprehensive protection for cloud workloads and assets, offering real-time visibility, automated threat detection and response, and seamless integration with major cloud service providers.

What is the role of AI and machine learning in SentinelOne's cybersecurity solutions?

AI and machine learning play a critical role in SentinelOne’s cybersecurity solutions by automating threat detection, prevention, and response, adapting to evolving threats, and reducing false positives while maintaining high accuracy.

Are Norton and Symantec the same?

Norton and Symantec are legacy AV solutions. They (and many others) rely on signatures for threat identification. SentinelOne Endpoint Security does not use traditional anti-virus signatures to spot malicious attacks. Instead, we use a combination of static machine learning analysis and dynamic behavioral analysis to protect systems. All files are evaluated in real time before they execute and as they execute. Because SentinelOne technology does not use signatures, customers do not have to worry about network-intensive updates or local system I/O-intensive daily disk scans.

How does SentinelOne Endpoint Security work?

How does SentinelOne work?

The SentinelOne platform uses patented technology to keep enterprises safe from cyber threats. It implements a multi-vector approach, including pre-execution Static AI technologies that replace antivirus applications.

SentinelOne also uses on-execution Behavioral AI technologies that detect anomalous actions in real time, including fileless attacks, exploits, bad macros, evil scripts, cryptominers, ransomware and other attacks.

Delivered in milliseconds to shut down attacks and reduce dwell time to near zero, SentinelOne response features include alert, kill, quarantine, remediation of unwanted changes, Windows rollback to recover data, network containment, remote shell, and more.

What are the top features of the SentinelOne Singularity platform?

The SentinelOne Singularity platform offers a range of advanced features designed to provide robust cybersecurity solutions. Here are some of the top features:

  1. Threat Hunting: The platform includes features like Storyline™, which automates the task of event correlation. This allows analysts to quickly identify the root cause of an issue.
  2. Automated Response: SentinelOne’s platform is designed to reduce the dwell time of an attack to near zero by offering automated response features. These include alerting, killing processes, quarantining files, and even rolling back an attack to restore data.
  3. Integration: SentinelOne integrates advanced features into a single platform, offering a robust, future-proof solution that goes beyond the capabilities of traditional antivirus software.
  4. Behavioral AI: In 2015, SentinelOne introduced the first endpoint security solution using behavioral AI, a significant step in reinventing endpoint security.
  5. Security Effectiveness: The Singularity platform offers customers security effectiveness, ease-of-use, and global scalability to meet today’s threats head-on.
  6. Real-time Defense: The Singularity Platform is designed to instantly defend against cyberattacks, performing at a faster speed, greater scale, and higher accuracy than any single human or even a crowd could achieve.
  7. Compliance: For more details about SentinelOne security compliance, please refer to the SentinelOne Security Statement.
  8. Cloud Security: The platform provides endpoint protection, incident response tools, cloud security, identity detection and response, insider threat detection and decoys, attack surface management, security data analytics, and tools for threat management and threat hunting.

Does SentinelOne protect me while I am disconnected from the internet (such as during traveling)?

The SentinelOne agent offers protection even when offline. The agent will protect against malware threats when the device is disconnected from the internet. However, the administrative visibility and functionality in the console will be lost until the device is back online.

Is SentinelOne an antivirus?

SentinelOne’s autonomous platform protects against all types of attacks, online or offline, from commodity malware to sophisticated APT attacks. The breadth of Singularity XDR’s capabilities (validated by MITRE, Gartner, Forrester, etc.) checks all the boxes of antivirus solutions made for the enterprise. SentinelOne works as a complete replacement for legacy antivirus, next-gen antivirus, and EDR solutions, too. It can also run in conjunction with other tools. For organizations looking to meet the requirement of running “antivirus,” SentinelOne fulfills this requirement, as well as so much more with fully-fledged prevention, detection, and response across endpoint, cloud, container, mobile, IoT, data, and more.

How does SentinelOne differ from other antivirus software?

SentinelOne stands out from traditional antivirus software in multiple dimensions, offering a more comprehensive and intelligent approach to endpoint security. Here’s how:

  1. AI-Driven Technology: Unlike traditional antivirus software that relies on static signatures, SentinelOne employs advanced AI algorithms to detect and neutralize threats in real time. This includes Static AI for pre-execution and Behavioral AI for on-execution, covering many attack vectors.
  2. Multi-Vector Approach: SentinelOne provides a holistic security solution that extends beyond just endpoints. It covers containers, cloud workloads, and IoT devices, offering a unified platform for diverse enterprise needs.
  3. Automated Response: SentinelOne’s platform is designed to reduce the dwell time of an attack to near zero by offering automated response features like alerting, killing processes, quarantining files, and even rolling back an attack to restore data.
  4. MITRE ATT&CK® Framework: SentinelOne maps its threat detection and response to the MITRE ATT&CK® framework, providing context and tactical guidance that is aligned with industry standards.
  5. Threat Hunting: With features like Storyline™, SentinelOne automates the tedious task of event correlation, allowing analysts to quickly identify the root cause of an issue.
  6. User Reviews: SentinelOne has been highly rated by its users and has received accolades from industry analysts, further validating its effectiveness compared to traditional antivirus solutions.

By integrating these advanced features into a single platform, SentinelOne offers a robust, future-proof solution that goes well beyond the capabilities of traditional antivirus software.

Can I use SentinelOne platform to replace my current AV solution?

You can and should use SentinelOne to replace your current Antivirus solution. It is possible to run both Microsoft Defender and SentinelOne concurrently should you wish to.

Which products can SentinelOne help me replace?

SentinelOne was designed as a complete AV replacement. Enterprises need fewer agents, not more. SentinelOne offers many features that enable customers to add our product in and then pull traditional AV out. SentinelOne can also replace traditional NTA (network traffic analysis) products, network visibility appliances (e.g., Forescout) and dedicated threat-hunting platforms.

Can SentinelOne protect endpoints if they are not connected to the cloud?

The SentinelOne agent is designed to work online or offline. The agent on the endpoint performs static and dynamic behavioral analysis pre- and on-execution.

These two methods are the principal prevention and detection methods in use and do not require internet connectivity. However, when the agent is online, in addition to the local checks, it may also send a query to the SentinelOne cloud for further checking.

What detection capabilities does SentinelOne have?

SentinelOne utilizes multiple cascading engines: reputation, StaticAI, and ActiveEDR capabilities to prevent and detect different types of attacks at different phases.

Does SentinelOne provide malware prevention?

SentinelOne is designed to prevent all kinds of attacks, including those from malware. SentinelOne’s Endpoint Protection Platform (EPP) component uses StaticAI Prevention to analyze executable files pre-execution, online or offline; this replaces the need for traditional signatures, which are easily bypassed, require constant updating, and require resource-intensive scans on the device.

The SentinelOne engine also performs analysis of PDF, Microsoft OLE documents (legacy MS Office) and MS Office XML formats (modern MS Office) as well as other kinds of files that may contain executable code. The goal of StaticAI in the product is to detect commodity and some novel malware with a compact, on-agent machine learning model that serves as a substitute for the large signature databases used in legacy AV products.

Is SentinelOne machine learning feature configurable?

SentinelOne machine learning algorithms are not configurable.

Customers can not customize the artificial intelligence machine learning algorithm, and there is no need to “train” the AI within your environment.

Instead, the SentinelOne data science team trains our AI / ML models in our development lab to help improve detection and protection, as well as reduce the false positive rate. These new models are periodically introduced as part of agent code updates.

Can SentinelOne detect in-memory attacks?

SentinelOne can detect in-memory attacks.

SentinelOne is integrated with hardware-based Intel® Threat Detection Technology (Intel TDT) for accelerated Memory Scanning capabilities.

Is SentinelOne a HIDS/HIPS product/solution?

HIDS (host-based intrusion detection system) and HIPS (host-based intrusion prevention system) are legacy terms for software that runs on a host and monitors activity on that host (processes, file and registry changes, logs) for signs of compromise; a HIDS reports what it finds, while a HIPS also blocks it. Examining the data flow between computers, i.e. network traffic, is the job of a network IDS, not a host IDS. The SentinelOne Singularity XDR platform delivers both host-based detection and host-based prevention, so SentinelOne qualifies as a HIDS/HIPS solution. The complete suite of the SentinelOne platform provides capabilities beyond HIDS/HIPS, like EDR, threat hunting, asset inventory, device hygiene, endpoint management tools, deployment tools, and more.

Is SentinelOne cloud-based or on-premises?

SentinelOne is primarily SaaS based. We offer our customers a choice between a cloud-hosted Management on Amazon AWS and an on-premises virtual appliance. However, SentinelOne agent prevention, detection, and response logic is performed locally on the agent, meaning our agents and detection capability are not cloud-reliant.

Unlike other vendors, the agent does not have to upload data to the cloud to look for indicators of attack (IoA), nor does it need to send code to a cloud sandbox for dynamic analysis.

Other vendors’ cloud-centric approaches introduce a large time gap between infection, cloud detection and response time, at which point an infection may have spread or attackers may have already achieved their objectives.

Does SentinelOne offer solutions for mobile devices?

Yes, SentinelOne does offer solutions for mobile devices. The SentinelOne Mobile Agent is supported from Mobile Management version 4.41.4 and requires an Add-on License. The Mobile Agent is onboarded on all devices with an activation link or a domain-name login. On Android, certain permissions are required to detect some network threats, such as unsecured Wi-Fi.

The SentinelOne Mobile Agent can be auto-activated on iOS or Android with an activation link from a Local Device Groups tab on the Devices page from the v4 Console. This feature is available for any Mobile Device Management (MDM) that supports a device identifier as a variable.

SentinelOne Mobile Threat Defense detects and mitigates when a malicious actor tries to attack a mobile device. It gives full visibility and mitigation for advanced, real-time, known and unknown threats on mobile devices. It integrates with MDM applications to let the MDM mitigate automatically, as configured by the MDM Security Administrator.

For iOS, this feature requires iOS 12 or later, Console Release 4.32 or later and SentinelOne Mobile Agent Release 4.18 or later. For Android, this feature requires Console Release 4.37 or later and SentinelOne Mobile Agent Release 4.21 or later.

Please note that SentinelOne Mobile is not a replacement for your existing MDM solution. It is complementary and provides threat detection and prevention for mobile devices.

For more detailed information on SentinelOne’s solutions for mobile devices, you can visit the following resources:

  1. For a guide on Mobile App Activation, you can visit this Support page.
  2. For an overview of Mobile Threat Protection, you can refer to this Support page.

Can SentinelOne help with securing remote work environments?

Yes, SentinelOne can indeed help with securing remote work environments. SentinelOne’s Singularity platform provides a comprehensive security solution that extends beyond just endpoints. It covers containers, cloud workloads, and IoT devices, offering a unified platform for diverse enterprise needs. This is particularly beneficial for remote work environments where diverse devices and platforms are often in use.

One of the key features that SentinelOne offers for remote work security is the Remote Shell. This is a powerful troubleshooting tool that allows you to open full shell capabilities – PowerShell on Windows and Bash on macOS and Linux – directly and securely from the Management Console. This feature enables faster troubleshooting without physical contact with an endpoint, increased support for remote end users without visits to IT, and easy changes to local configurations for remote endpoints.

Furthermore, SentinelOne’s automated response features like alerting, killing processes, quarantining files, and even rolling back an attack to restore data can significantly reduce the dwell time of an attack to near zero. This is particularly beneficial in a remote work environment where immediate physical intervention is not possible.

In summary, SentinelOne provides a robust, future-proof solution that goes well beyond the capabilities of traditional antivirus software, making it a strong choice for securing remote work environments.

Does SentinelOne offer protection against insider threats?

Yes, SentinelOne does offer protection against insider threats. Our approach to insider threat detection is multifaceted, combining technical and behavioral indicators. On the technical side, SentinelOne looks for unusual or excessive access to files, irregular data transfers, and anomalies in log-in patterns. On the behavioral side, changes in work habits, frequent job changes, and signs of disgruntlement can also be indicators of an insider threat.

To mitigate insider threats, SentinelOne recommends implementing a robust access control policy, conducting regular training and awareness programs, and creating a culture of trust and transparency. The company’s Singularity XDR platform is equipped with advanced analytics to detect abnormal behavior that may indicate an insider threat, providing real-time alerts that allow for quick response to potential threats.

Furthermore, SentinelOne has expanded its Singularity Marketplace with new integrations that enhance its Security Orchestration, Automation, and Response (SOAR) capabilities, insider threat protection, automated prioritization, and end-user training capabilities.

In conclusion, SentinelOne offers a comprehensive approach to insider threat protection, combining advanced technology, robust policies, and a strong security culture.

How does SentinelOne ensure the security of IoT devices?

SentinelOne ensures the security of IoT devices through a combination of its Endpoint Protection Platform (EPP) and its Singularity platform.

The EPP is designed to detect, prevent, and respond to advanced cyber threats. It provides continuous monitoring, identifying and mitigating risks introduced by unmonitored IoT devices, which are a common entry point into the endpoint estate. By providing visibility into security gaps, SentinelOne’s EPP saves organizations from needing to invest in additional scanning services. It has proven to be effective in eliminating threats rapidly with very little administrative overhead.

SentinelOne’s Singularity platform extends the security coverage beyond just endpoints. It covers containers, cloud workloads, and IoT devices, offering a unified platform for diverse enterprise needs. This platform uses behavioral AI, a significant step in reinventing endpoint security, to provide robust security solutions.

In addition, SentinelOne has partnered with Armis, a leading agentless device security platform. This partnership allows SentinelOne to share metadata for managed and unmanaged devices, providing additional context to the triage process and accelerating the time to remediate threats.

Lastly, SentinelOne’s Ranger network quarantine feature can block your managed devices from communicating with unmanaged devices or those not capable of taking an agent, further enhancing the security of IoT devices.

In summary, SentinelOne ensures the security of IoT devices through a combination of continuous monitoring, AI-driven threat detection, and strategic partnerships.

What kind of reporting features does SentinelOne offer?

SentinelOne offers a variety of reporting features to provide detailed insights and data about your security posture. Here are some key aspects:

  1. Endpoint Information: SentinelOne reports can include information about the endpoints registered in the SentinelOne console. This can help you correlate which endpoints had threats, which threats are not mitigated, and new endpoints that had the agent installed.
  2. Customization: There is a feature request in progress to allow more customization within the Application Insights reports. This would enable reporting based on specific OS versions or applications and choosing specific data the report will show.
  3. Vulnerability Reporting: Another feature request in progress is for reporting on vulnerabilities in the reports section of the console, as well as notifications for new vulnerabilities found on endpoints.
  4. Automated Reports: SentinelOne also has the capability to automatically generate and send reports, such as the Ranger AD report.

Please note that the availability of these features may depend on your specific SentinelOne plan and configuration. For more detailed information or specific requests, it’s recommended to contact SentinelOne Support or your Technical Account Manager.

Does SentinelOne offer any forensics capabilities?

Yes, SentinelOne does offer forensics capabilities through its product, RemoteOps Forensics. This is a digital forensics product integrated into the Singularity Platform. It allows for the collection and analysis of forensics artifacts during incident investigation.

With RemoteOps Forensics, analysts can easily run Digital Forensics and Incident Response (DFIR) activities at scale, regardless of complexity. It offers automatic collection of forensic information, such as metadata or data artifacts that can span multiple sources, and the auto-parsing of artifacts. Analysts can also manually trigger forensics collection and customize which data is collected.

The product is designed to make incident investigation more efficient by combining forensics data with real-time telemetry. This allows analysts to understand security incidents better. Through correlation and analysis, analysts can uncover hidden indicators of compromise, identify advanced attack patterns, and understand the tactics, techniques, and procedures employed by threat actors.

Please note that this feature requires the Singularity™ Complete with the RemoteOps Forensics Add-on license.

How does SentinelOne handle false positives?

SentinelOne has a comprehensive approach to handling false positives. Here are the key points:

  1. Behavioral Analysis: SentinelOne uses a Behavioral engine, an AI engine that implements advanced algorithms to detect malicious activities in real-time. If a trusted utility, file, process, or application is marked as suspicious or blocked as malicious, SentinelOne recommends analyzing the behavior to determine the truth.
  2. Exclusions: If a false positive is identified, SentinelOne allows you to create exclusions. However, caution is advised when creating exclusions as a wrong exclusion can open your environment to malware. It’s recommended to consult with SentinelOne Support before using Interoperability or Performance exclusions.
  3. Incident Analysis: SentinelOne provides detailed information about each incident, including the SentinelOne AI Confidence Level, Network History, and Indicators. This information can be used to understand why a file or behavior was detected as malicious.
  4. False Positive Submission: If you believe a detection is a false positive, you can submit it for review. SentinelOne provides detailed instructions on how to submit a false positive or false negative for different operating systems.
  5. Tuning: SentinelOne also provides guidance on tuning your security solution to reduce false positives. This includes understanding the detection engine logic, selecting the best-suited exclusion to suppress the false positive, and keeping the scope of exclusions narrow to minimize risk.

Remember, if you’re unsure about a detection, it’s always best to consult with SentinelOne Support for initial guidance. For in-depth threat analysis, our Vigilance team is at your service.
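The caution in point 2 above (a wrong exclusion can open your environment to malware) and the tuning advice in point 5 (keep the scope of exclusions narrow) are easier to see with a concrete case. The following is an added example, not SentinelOne code or SentinelOne’s exclusion engine: a generic model of matching a detection against path exclusions, with constructed paths, hashes and globs, used to compare a broad directory exclusion with a narrow, hash-pinned one.

```python
"""Exclusion scope: a broad path exclusion also suppresses real malware.

Added example, not SentinelOne code: a generic model of matching a
detection against path exclusions, written to show why exclusion scope
should stay narrow. Detection paths, hashes and globs are constructed;
real products match exclusions with their own rules.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath
from typing import Optional, Sequence


@dataclass(frozen=True)
class Detection:
    path: str
    sha256: str


@dataclass(frozen=True)
class Exclusion:
    path_glob: str                  # glob over the full path, case-insensitive
    sha256: Optional[str] = None    # when set, also require this file hash


def _norm(path: str) -> str:
    """Normalise separators and case so 'C:/x' and 'c:\\X' compare equal."""
    return str(PureWindowsPath(path)).lower()


def matching_exclusion(det: Detection, exclusions: Sequence[Exclusion]) -> Optional[Exclusion]:
    """Return the first exclusion that suppresses this detection, or None.
    '*' in fnmatch also crosses directory separators, so a glob ending in
    '\\*' covers every file below that directory, at any depth."""
    for ex in exclusions:
        if not fnmatchcase(_norm(det.path), _norm(ex.path_glob)):
            continue
        if ex.sha256 is not None and ex.sha256 != det.sha256:
            continue
        return ex
    return None


def suppressed(detections: Sequence[Detection], exclusions: Sequence[Exclusion]) -> list:
    """Paths whose detections would be silenced by the exclusion set."""
    return [d.path for d in detections if matching_exclusion(d, exclusions) is not None]


# Constructed detections: the vendor updater that caused the false positive,
# and a malicious dropper that landed in the same per-user temp directory.
UPDATER_HASH = "a" * 64
DROPPER_HASH = "b" * 64
DETECTIONS = [
    Detection(r"C:\Users\alice\AppData\Local\Temp\vendor-updater.exe", UPDATER_HASH),
    Detection(r"C:\Users\alice\AppData\Local\Temp\invoice.pdf.exe", DROPPER_HASH),
]

# The "easy" fix: exclude the whole temp tree for every user.
BROAD_EXCLUSIONS = [Exclusion(r"C:\Users\*\AppData\Local\Temp\*")]

# The narrow fix: one file name, pinned to the hash that was actually reviewed.
NARROW_EXCLUSIONS = [
    Exclusion(r"C:\Users\*\AppData\Local\Temp\vendor-updater.exe", sha256=UPDATER_HASH),
]


if __name__ == "__main__":
    print("broad :", suppressed(DETECTIONS, BROAD_EXCLUSIONS))
    print("narrow:", suppressed(DETECTIONS, NARROW_EXCLUSIONS))
```

The broad exclusion silences both the updater and the dropper; the narrow one silences only the file that was reviewed, and stops applying as soon as that file changes hash, which forces a fresh review rather than a silent pass.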

Can SentinelOne detect and prevent supply chain attacks?

Yes, SentinelOne has the capability to detect and prevent supply chain attacks. This is achieved through a combination of advanced features and technologies.

One of the key features is the use of advanced AI algorithms to detect and neutralize threats in real-time. This includes Static AI for pre-execution and Behavioral AI for on-execution, covering many attack vectors. SentinelOne’s platform is designed to reduce the dwell time of an attack to near zero by offering automated response features like alerting, killing processes, quarantining files, and even rolling back an attack to restore data.

In terms of supply chain attacks specifically, SentinelOne has demonstrated its effectiveness in real-world scenarios. For instance, it detected an ongoing supply chain attack targeting customers of the VoIP IPBX software vendor 3CX: the trojanized installers were prevented from running and were quarantined under the default policy.

Furthermore, SentinelOne’s platform maps its threat detection and response to the MITRE ATT&CK® framework, providing context and tactical guidance that is aligned with industry standards. This includes the ability to detect and respond to supply chain attacks.

In addition, SentinelOne recommends performing due diligence on all suppliers and partners to ensure that they have good security practices in place, regularly auditing and reviewing the security of the supply chain, and implementing robust security controls throughout the organization.

In summary, SentinelOne’s advanced AI-driven technology, automated response features, and adherence to industry standards, combined with recommended best practices, provide a robust defense against supply chain attacks.

How does SentinelOne protect against malware and ransomware attacks?

SentinelOne provides robust protection against malware and ransomware attacks through a combination of advanced technologies and proactive measures.

For malware protection, SentinelOne detects and combats threats by the tactics, techniques, and procedures (TTPs) they exhibit, and can also detect specific malware based on its publicly available hash or a sample. SentinelOne is also preparing to release agent version 23.1, which will auto-scan thumb drives, providing an additional layer of protection against malware introduced by removable media.
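Detection by a known hash, as described above, is the narrowest form of signature, and the earlier answer on malware prevention notes that signatures are easily bypassed. The following is an added example, not SentinelOne code: a model of an exact-hash blocklist next to a content rule, run against a constructed (harmless) stand-in for a known-bad sample, showing how a one-byte repack defeats the hash and how a renamed string defeats the content rule while the program’s behaviour stays the same. The sample bytes, marker string and blocklist are constructed for the example.

```python
"""Hash-based malware detection versus a one-byte change to the sample.

Added example, not SentinelOne code: it models the "detect by publicly
available hash" case and shows why an exact-hash signature, unlike a
content or behaviour check, misses the same sample after trivial
repacking. The sample bytes, hashes and rule strings are constructed.
"""
import hashlib

# Constructed stand-in for a known-bad executable image (not real malware).
KNOWN_BAD_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"stage2-loader-v1"

# A content feature that a padded repack of the sample keeps, whereas
# the file hash does not. Stands in for a signature on file content.
LOADER_MARKER = b"stage2-loader"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Blocklist seeded from the "public hash" of the known sample.
HASH_BLOCKLIST = frozenset({sha256(KNOWN_BAD_SAMPLE)})


def hash_verdict(data: bytes, blocklist=HASH_BLOCKLIST) -> str:
    """Exact-hash lookup: blocks only a byte-identical file."""
    return "blocked" if sha256(data) in blocklist else "allowed"


def content_verdict(data: bytes, marker: bytes = LOADER_MARKER) -> str:
    """Content rule: blocks any file carrying the marker, padded or not."""
    return "blocked" if marker in data else "allowed"


def repack_with_padding(data: bytes) -> bytes:
    """Cheapest evasion of a hash blocklist: append one padding byte.
    Program behaviour is unchanged; the SHA-256 is not."""
    return data + b"\x00"


def repack_with_new_marker(data: bytes) -> bytes:
    """Defeats the content rule too: the operator renames the marker string.
    Behaviour is still unchanged, which is what behaviour-based engines key on."""
    return data.replace(LOADER_MARKER, b"ldr2")


def compare(data: bytes) -> dict:
    """Verdicts from both static methods for one candidate file."""
    return {"hash": hash_verdict(data), "content": content_verdict(data)}


if __name__ == "__main__":
    for label, blob in [
        ("original sample", KNOWN_BAD_SAMPLE),
        ("padded repack", repack_with_padding(KNOWN_BAD_SAMPLE)),
        ("marker-renamed repack", repack_with_new_marker(KNOWN_BAD_SAMPLE)),
    ]:
        print(f"{label:22s} {compare(blob)}")
```

Hash matching is still worth having as a fast, zero-false-positive check for the exact files already seen in an incident; the example shows why it cannot be the only layer, and why the pre-execution and on-execution engines described elsewhere on this page look at features and behaviour rather than at the file digest.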

In terms of ransomware protection, SentinelOne offers a unique warranty that guarantees no ransomware attack on Windows Agents will go undetected and cause irreparable damage. This warranty requires specific SentinelOne deployment and policy configurations on every endpoint, as well as certain operating system configurations. If a ransomware attack is detected, the system requires the threats to be added to the blocklist and remediated within one hour of infection notification.

It’s important to note that SentinelOne’s protection mechanisms are continually evolving to combat the ever-changing landscape of cyber threats. If you have specific questions about SentinelOne’s capabilities or need further information, I recommend reaching out to SentinelOne Support or your Technical Account Manager.

How does SentinelOne's AI technology adapt to new, emerging threats?

SentinelOne’s AI technology adapts to new and emerging threats through a combination of advanced AI algorithms, a multi-vector approach, and alignment with the MITRE ATT&CK® framework.

  1. Advanced AI Algorithms: SentinelOne employs advanced AI algorithms to detect and neutralize threats in real-time. This includes Static AI for pre-execution and Behavioral AI for on-execution, covering many attack vectors. The AI technology is designed to instantly defend against cyberattacks, performing at a faster speed, greater scale, and higher accuracy than any single human or even a crowd could achieve.
  2. Multi-Vector Approach: SentinelOne provides a holistic security solution that extends beyond just endpoints. It covers containers, cloud workloads, and IoT devices, offering a unified platform for diverse enterprise needs, with the same automated response options (alerting, killing processes, quarantining files, and rolling back an attack to restore data) across them.
  3. MITRE ATT&CK® Framework: SentinelOne maps its threat detection and response to the MITRE ATT&CK® framework, providing context and tactical guidance that is aligned with industry standards.
  4. Adaptation to AI Threats: SentinelOne is aware of the potential threats posed by AI-powered tools like BlackMamba and has strategies in place to counter such threats. While AI can make malware more sophisticated, it also leaves traces that can be detected. SentinelOne’s AI-based solutions can already detect and prevent such malware.
  5. Cloud Security: SentinelOne’s AI-powered platform supports cloud security strategies by leveraging technologies like user and entity behavior analytics (UEBA), threat intelligence, and real-time monitoring to detect anomalous behavior, potential threats, and security incidents in cloud environments.
  6. Continuous Innovation: SentinelOne continues to innovate and expand, securing identity data and the cloud market, and remains committed to its mission of delivering advanced cybersecurity solutions. The company is committed to staying a step ahead of attackers by continuously evolving its technology and expertise.

In summary, SentinelOne’s AI technology is designed to adapt and respond to new and emerging threats by leveraging advanced AI algorithms, a multi-vector approach, and alignment with industry standards, while also continuously innovating to stay ahead of potential threats.

Does SentinelOne offer any kind of firewall protection?

Yes, SentinelOne does offer firewall protection. This feature is supported from Management version Liberty and Agent versions: Windows 2.8, macOS 2.7, and Linux 3.0. The SentinelOne Firewall allows you to manage endpoint firewall settings from your SentinelOne Management Console. You can define which network traffic is allowed in and out of endpoints.

When the SentinelOne Firewall is enabled on Windows endpoints, it becomes the active firewall, taking control but not changing rules from other firewall solutions on the endpoint. There are no default rules, meaning all traffic is allowed if you do not block it explicitly.

You can create tags that represent Firewall policies and add rules to these tags. These tags function as a policy – a set of rules in a specific order. You can manage inheritance with granular inheritance modes, and rules can be fully inherited, not inherited, or inherited based on tags. Firewall On or Off status is separated from rule inheritance.

The Firewall also allows you to apply rules based on an endpoint’s location. This feature, known as Location Awareness, was available in earlier versions but disabled by default. It is now enabled for all environments.

Please note that increasing the number of supported FQDN rules is not in the short-term roadmap, but it is considered for a later time. Also, there is no option to block traffic by category. You can use URLs and FQDNs in rules.
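The statement above that there are no default rules, so all traffic is allowed unless explicitly blocked, together with the description of a policy as a set of rules evaluated in a specific order, is the detail most likely to bite an administrator. The following is an added example, not SentinelOne code or the product’s rule engine: a generic first-match evaluator with constructed rules and connections, showing how a policy containing only the allow rules an administrator thought about still admits unrelated inbound traffic, and how an explicit catch-all block rule in last position turns the same policy into default-deny.

```python
"""Ordered firewall rules with no implicit default deny.

Added example, not SentinelOne code: a generic first-match rule
evaluator used to show what "no default rules, all traffic is allowed
unless explicitly blocked" means, and how a trailing catch-all block
rule turns the same policy into default-deny. Rules and sample
connections are constructed for the example.
"""
from dataclasses import dataclass
import ipaddress
from typing import Sequence

ANY_PORT = range(0, 65536)


@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "block"
    direction: str      # "in", "out" or "any"
    protocol: str       # "tcp", "udp" or "any"
    remote_cidr: str    # remote network, e.g. "10.0.0.0/8"
    ports: range        # local port for "in", remote port for "out"


@dataclass(frozen=True)
class Connection:
    direction: str
    protocol: str
    remote_ip: str
    port: int


def matches(rule: Rule, conn: Connection) -> bool:
    if rule.direction not in ("any", conn.direction):
        return False
    if rule.protocol not in ("any", conn.protocol):
        return False
    if conn.port not in rule.ports:
        return False
    # An address-family mismatch (v4 rule, v6 peer) yields False, not an
    # error, which is why the catch-all below needs a v4 and a v6 entry.
    return ipaddress.ip_address(conn.remote_ip) in ipaddress.ip_network(rule.remote_cidr)


def evaluate(policy: Sequence[Rule], conn: Connection) -> str:
    """First matching rule wins. With no match there is no default rule,
    so the traffic is allowed, mirroring the behaviour described above."""
    for rule in policy:
        if matches(rule, conn):
            return rule.action
    return "allow"


# Constructed policy: only the traffic the administrator thought about.
PERMISSIVE_POLICY = [
    Rule("allow", "out", "tcp", "0.0.0.0/0", range(443, 444)),
    Rule("allow", "in", "tcp", "10.0.0.0/8", range(3389, 3390)),
]

# Same intent, plus an explicit last-position block for everything else.
DEFAULT_DENY_POLICY = PERMISSIVE_POLICY + [
    Rule("block", "any", "any", "0.0.0.0/0", ANY_PORT),
    Rule("block", "any", "any", "::/0", ANY_PORT),
]

# Constructed connections: the intended RDP from the LAN, RDP from the
# internet, inbound SMB nobody wrote a rule for, and outbound HTTPS.
RDP_FROM_LAN = Connection("in", "tcp", "10.20.30.40", 3389)
RDP_FROM_INTERNET = Connection("in", "tcp", "203.0.113.5", 3389)
SMB_FROM_INTERNET = Connection("in", "tcp", "198.51.100.7", 445)
HTTPS_OUT = Connection("out", "tcp", "93.184.216.34", 443)


def verdicts(policy: Sequence[Rule]) -> dict:
    return {
        "rdp_from_lan": evaluate(policy, RDP_FROM_LAN),
        "rdp_from_internet": evaluate(policy, RDP_FROM_INTERNET),
        "smb_from_internet": evaluate(policy, SMB_FROM_INTERNET),
        "https_out": evaluate(policy, HTTPS_OUT),
    }


if __name__ == "__main__":
    print("permissive  :", verdicts(PERMISSIVE_POLICY))
    print("default-deny:", verdicts(DEFAULT_DENY_POLICY))
```

The point to carry over to a real policy: with ordered first-match evaluation, the catch-all block must be the last rule (anything placed after it is dead), and because rules can be inherited or not per tag, check that the catch-all actually lands on every endpoint group rather than only the one where it was authored.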

For more detailed information, you can refer to the following articles: Overview of Firewall Control, Firewall Control FAQ, and Firewall Control and Windows OS.

Specifications, Performance, Installation

Which Operating Systems can run SentinelOne?

SentinelOne offers clients for Windows, macOS, and Linux, including no-longer supported OSs such as Windows XP. SentinelOne Singularity XDR also offers IoT security, and cloud workload protection (CWPP).

What are the system requirements for installing SentinelOne?

SentinelOne is designed to be compatible with a wide range of enterprise devices, making it a versatile solution for your organization’s security needs. Here’s a brief overview of the system requirements:

Windows: SentinelOne supports Windows from Agent version 3.0+. Note the caveats for certain CPU micro-architectures such as ARM CPUs.

macOS: SentinelOne supports macOS from Agent version 3.0+. Importantly, SentinelOne macOS Agent version 21.5+ is supported on Apple M1 chipsets.

Linux: SentinelOne supports Linux from Agent version 3.0+. The Linux Agent for ARM is supported for Linux servers deployed on AWS EC2 instances powered by Graviton2 and Graviton3 ARM processors.

General Requirements: SentinelOne can be managed through a cloud-based Console hosted on a cloud service provider, which agents reach over the internet. If you run the Management as an on-premises appliance instead, an endpoint that leaves the organization network must connect to the Management through a VPN; an endpoint on the same network as the Management does not need one.

Please note that these are general requirements and there might be additional prerequisites depending on your specific setup. For more detailed and updated information, please refer to the official SentinelOne support documents here.

Can I install SentinelOne on workstations, servers, and in VDI environments?

SentinelOne can be installed on workstations, servers, and VDI environments that run a supported operating system.

Do I need to uninstall my old antivirus program?

SentinelOne works as a complete replacement for traditional anti-malware solutions or in conjunction with them. You can uninstall the legacy AV or keep it. The choice is yours.

Will SentinelOne agent slow down my endpoints?

The SentinelOne agent is designed to have as little impact as possible on the endpoint on which it is installed, while still providing effective protection both online and offline.

In contrast to other anti-malware products that require constant “.dat” file signature updates and daily disk scans, our agent instead uses static file AI and behavioral AI which saves on CPU, memory and disk I/O. End users have better computer performance as a result. System resource consumption will vary depending on system workload.

Can SentinelOne scale to protect large environments with 100,000-plus endpoints?

SentinelOne can scale to protect large environments. Some of our clients have more than 150,000 endpoints in their environments.

How do I turn off SentinelOne?

To turn off SentinelOne, use the Management console. Agent functions can be modified remotely in multiple ways including starting and stopping the agent, as well as initiating a full uninstall if needed.

How do I uninstall SentinelOne?

The Management console is used to manage all the agents. Agent functions can be modified remotely in multiple ways including starting and stopping the agent, as well as initiating a full uninstall if needed.

Do I need a large staff to install and maintain my SentinelOne product?

You do not need a large security staff to install and maintain SentinelOne.

Our customers typically dedicate one full-time equivalent person for every 100,000 nodes under management. This may vary depending on the requirements of the organization. This estimate may also increase or decrease depending on the quantity of security alerts within the environment.

SentinelOne’s optional Vigilance service can augment your team with SentinelOne Cyber Security Analysts who work with you to accelerate the detection, prioritization, and response to threats. Customers that choose to work with Vigilance will experience a significant reduction in the number of hours per week required from their own staff.

What are the best practices for deploying SentinelOne in an enterprise environment?

Deploying SentinelOne in an enterprise environment involves several best practices:

  1. Multi-Vector Approach: SentinelOne provides a holistic security solution that extends beyond just endpoints. It covers containers, cloud workloads, and IoT devices, offering a unified platform for diverse enterprise needs.
  2. Compatibility: SentinelOne is designed to be compatible with a wide range of enterprise devices, making it a versatile solution for your organization’s security needs.
  3. Securing Remote Work Environments: SentinelOne’s Singularity platform provides a comprehensive security solution that extends beyond just endpoints. This is particularly beneficial for remote work environments where diverse devices and platforms are often in use.
  4. Deployment Stages: The main stages are onboarding, deployment, and ongoing post-deployment. Onboarding can be done in one call, or more than one call, or in an on-site workshop. A deployment can be three to eight weeks (depends on sizing and IT availability) and includes a gradual Agent deployment.
  5. Guided Onboarding: The SentinelOne Guided Onboarding (GO) service is a consultative and advisory service designed to maximize your success with the SentinelOne portfolio of products and services.
  6. Project Planning: The SentinelOne project team will collaborate with your resources to develop an overall project plan, schedule, deployment plan, and success criteria in alignment with established best practices and lessons learned over years of deploying SentinelOne solutions.

Remember, each deployment is unique and should be adapted to your specific needs. It’s always best to consult with SentinelOne Support for assistance during the deployment process.

What are the steps to troubleshoot common issues in SentinelOne?

Troubleshooting common issues in SentinelOne varies depending on the specific problem you’re encountering. However, here are some general steps you can follow:

  1. Identify the Issue: The first step in troubleshooting is to clearly identify the problem. Are you having trouble with installation, detection, or something else? Understanding the issue will help you find the right solution.
  2. Check the Documentation: We provide extensive documentation on our website and community. This can be a great resource for finding solutions to common problems.
  3. Contact Support: If you can’t find the solution in the documentation, the next step is to contact SentinelOne’s support team. They can provide expert assistance and guide you through the troubleshooting process.
  4. Use the SentinelOne Console: The SentinelOne console provides a wealth of information about your system’s status and any threats it has detected. This can be a valuable tool for troubleshooting.
  5. Update Your Software: If you’re having trouble with SentinelOne, it’s possible that you’re using an outdated version of the software. Check to see if there are any updates available and install them if necessary.
  6. Reinstall the Software: If all else fails, you may need to uninstall and then reinstall SentinelOne. This can resolve issues caused by corrupted files or incorrect settings.

For more specific issues, you can reach out to support.

Remember, it’s important to keep detailed notes of any issues you encounter, as well as the steps you take to resolve them. This can be helpful if you need to contact support or if you encounter the same issue in the future.

Customer Support & Services

What kind of customer support does SentinelOne offer?

SentinelOne offers comprehensive customer support services to its customers. The support services are provided for the most current version of the SentinelOne solutions and the immediately preceding version. The support services include reasonable web, email, and phone support for both Standard and Enterprise Support Plans.

The support services are provided in English and include reasonable efforts to provide workarounds and resolutions. SentinelOne support personnel may interact with the customer’s solution instance, review application data within such instance, and exchange relevant information with the customer as needed to provide the support services.

If a customer has purchased the solutions and support services from SentinelOne through an authorized partner, they will be entitled to all the rights related to the support services purchased if they are the original purchaser of the covered solutions and have provided true, accurate, current, and complete information to SentinelOne or the partner.

Please note that the support services are expressly conditioned on the customer abiding by the terms of the SentinelOne Terms of Service. The support services are not cancellable during a subscription term.

For more detailed information, you can refer to the SentinelOne Support Terms available at this link.

Does SentinelOne offer any training or educational resources?

Yes, SentinelOne offers a variety of training and educational resources for its customers. Here are some of the key resources available:

  1. SentinelOne University: This platform provides comprehensive training on SentinelOne’s products and services. If you need to register, email the SentinelOne University team for the proper access.
  2. SentinelOne Community: This is a customer hub for discussion, insight, guidance, and collaboration. It includes a series of short, easy-to-consume videos and documentation designed to help new customers with their onboarding journey. You can self-register or contact the Community team by email with any questions or feedback.
  3. Monthly Community Webinars: SentinelOne hosts monthly webinars with expert speakers and curated content about its products and services, best practices, demos, and more.
  4. SentinelOne Training Calendar: This calendar lists upcoming training classes. For information on purchasing and registering for training, visit www.sentinelone.com/training or email the training team.
  5. Guided Onboarding (GO) service: This is a consultative and advisory service designed to maximize your success with the SentinelOne portfolio of products and services.

Remember, for more detailed instructions on how to access these resources, you can refer to the SentinelOne Support portal or contact your Technical Account Manager.

How can customers report issues or bugs to SentinelOne?

Customers can report issues or bugs to SentinelOne through SentinelOne Support. They can reach out via email to [emailprotected]. Additionally, they can open a support ticket through the SentinelOne Support portal. It’s important to provide detailed information about the issue, including any relevant logs or screenshots, to help the support team diagnose and resolve the problem more efficiently. If the issue is related to a specific endpoint, gathering logs from the affected agent can be helpful.

For more detailed instructions on how to report issues or bugs, customers can refer to the SentinelOne Support portal or contact their Technical Account Manager. If the issue is related to licensing, customers should reach out to their account manager.

SentinelOne Integrations

Does SentinelOne integrate with other endpoint software?

SentinelOne can integrate and enable interoperability with other endpoint solutions.

SentinelOne was designed as a complete AV replacement and a single EPP/EDR solution. Enterprises need fewer agents, not more. SentinelOne offers many features that enable customers to add our product in and then pull traditional AV out.

Which integrations does the SentinelOne Singularity Platform offer?

SentinelOne Singularity’s integration ecosystem lives on Singularity Marketplace – the one-stop-shop for integrations that extend the power of the Singularity XDR platform.

Singularity Marketplace is an app store of bite-sized, one-click applications to help enterprises unify prevention, detection, and response across attack surfaces. SentinelOne has partnered with leading security and IT solutions from vendors like Splunk, IBM, AT&T, Netskope, and Recorded Future to deliver a rich XDR ecosystem. Marketplace integrations span multiple security domains, including SIEM, threat intelligence, malware sandboxing, CASB, and more. Learn more about Singularity Marketplace and Technology Alliances at s1.ai/marketplace.

Does SentinelOne integrate with my SIEM?

SentinelOne easily integrates with data analytics tools such as SIEMs, either through Syslog feeds or via our API. We offer several app-based SIEM integrations including Splunk, IBM Security QRadar, AT&T USM Anywhere, and more.

Additional information about SIEM integrations can be found on the Singularity Marketplace at s1.ai/marketplace.
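A syslog feed is only useful to a SIEM once each line has been parsed into structured fields. The following is an added example, not SentinelOne's own code, showing how a collector on the SIEM side can parse RFC 5424 syslog lines (including structured-data elements) into records and flatten them for indexing. The sample lines are constructed for this example and do not represent SentinelOne's actual event format; the field names inside the structured-data elements are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines in RFC 5424 syslog format. Illustrative only;
# these are NOT SentinelOne's real event format. The third line is
# deliberately malformed to show how unparseable input is handled.
SAMPLE_LINES = [
    '<14>1 2024-05-01T12:00:00Z console.example.com edr - ThreatDetected '
    '[threat@12345 agent="host-01" severity="high" mitre="T1486"] Ransomware behavior blocked',
    '<13>1 2024-05-01T12:00:05Z console.example.com edr - AgentOnline '
    '[agent@12345 agent="host-02"] Agent connected',
    'this is not syslog',
]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$', re.S)
# One structured-data element: [SD-ID PARAM="value" PARAM="value"]
SD_RE = re.compile(r'\[(?P<id>[^\s\]]+)(?P<params>[^\]]*)\]')
PARAM_RE = re.compile(r'(\w[\w.-]*)="((?:[^"\\]|\\.)*)"')


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    app: str
    msgid: str
    structured: dict = field(default_factory=dict)
    message: str = ""


def parse_syslog(line):
    """Parse one RFC 5424 line; return None if the header does not match."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri = int(m.group('pri'))
    rest = m.group('rest')
    structured = {}
    if rest.startswith('-'):
        # NILVALUE: no structured data present
        rest = rest[1:].lstrip()
    else:
        pos = 0
        while pos < len(rest) and rest[pos] == '[':
            sd = SD_RE.match(rest, pos)
            if not sd:
                break
            params = {k: v.replace('\\"', '"')
                      for k, v in PARAM_RE.findall(sd.group('params'))}
            structured[sd.group('id')] = params
            pos = sd.end()
        rest = rest[pos:].lstrip()
    # PRI encodes facility*8 + severity (0 = emergency ... 7 = debug)
    return SyslogEvent(facility=pri // 8, severity=pri % 8, timestamp=m.group('ts'),
                       host=m.group('host'), app=m.group('app'), msgid=m.group('msgid'),
                       structured=structured, message=rest)


def parse_feed(lines):
    """Parse many lines; keep rejected raw lines so nothing is silently dropped."""
    events, rejected = [], []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            rejected.append(line)
        else:
            events.append(ev)
    return events, rejected


def to_siem_record(ev):
    """Flatten an event into a single-level dict of the kind a SIEM indexes."""
    rec = {"timestamp": ev.timestamp, "host": ev.host, "app": ev.app,
           "msgid": ev.msgid, "syslog.facility": ev.facility,
           "syslog.severity": ev.severity, "message": ev.message}
    for sd_id, params in ev.structured.items():
        for k, v in params.items():
            rec[f"{sd_id}.{k}"] = v
    return rec


if __name__ == "__main__":
    evs, bad = parse_feed(SAMPLE_LINES)
    for e in evs:
        print(to_siem_record(e))
    print("rejected:", bad)
```

Rejected lines are returned rather than discarded so that a parsing gap in the collector shows up as a count in the SIEM instead of as silently missing telemetry.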

What is SentinelOne API?

SentinelOne’s platform is “API first,” one of our main market differentiators.

API-first means our developers build new product function APIs before coding anything else. Most UI functions have a customer-facing API. Because there is so much overlap between the UI and the API, the SentinelOne solution can be run as a point product (via the UI), or it can be an important component within your security stack via the API.

Which type of API does SentinelOne use?

The SentinelOne API is a RESTful API that comprises 300+ functions to enable 2-way integration with other security products. All APIs are well documented directly within the UI using Swagger API referencing and include facilities for developers to test their code.

Does SentinelOne offer an SDK (Software Development Kit)?

SentinelOne offers an SDK to abstract API access with no additional cost.

The SentinelOne SDK, complete with documentation, is available to all SentinelOne customers directly from the Management console.

Careers & Opportunities

What is the work culture like at SentinelOne?

The work culture at SentinelOne is characterized by innovation, vigilance, and a forward-thinking approach. The company is committed to staying ahead of cybersecurity threats, which are constantly evolving. This commitment to innovation is reflected in the technology developed by SentinelOne, which is designed to be future-proof and capable of defending against cyberattacks at a faster speed, greater scale, and higher accuracy than possible from any single human or even a crowd.

In addition to this, SentinelOne fosters a culture of trust and transparency. The company values the collective vigilance and efforts of its employees, likening them to the citizens of a vibrant city responsible for its safety and prosperity. Those pursuing their careers in cybersecurity with SentinelOne play a crucial role in shaping this culture, setting clear expectations and standards, establishing robust policies, and promoting proactive approaches to potential threats.

Work-life balance is also an important aspect of the work culture at SentinelOne. The company supports its employees in achieving a blend of work and personal life, as evidenced by the experiences shared by some of the parents working at SentinelOne. They appreciate the trust and freedom given by the company to work around their family needs, and the culture of strong family ethics is highly valued.

In summary, the work culture at SentinelOne is one of innovation, trust, transparency, and work-life balance, all aimed at creating a resilient and robust security culture.

How do I apply for a job at SentinelOne?

To grow your career in the cybersecurity space, please check out our open positions and submit your resume via our Jobs section.

SentinelOne Sales

Can I Get A Trial/Demo Version of SentinelOne?

Yes, you can get a trial version of SentinelOne.

Request a free demo through this web page: https://www.sentinelone.com/request-demo/

How much does SentinelOne cost?

SentinelOne prices vary according to the number of deployed endpoint agents. For more details about the exact pricing, visit our platform packages page.

SentinelOne Singularity Platform - Additional Capabilities

How does SentinelOne Singularity Platform compare to other “next-generation” endpoint protection solutions? What makes it unique?

SentinelOne Singularity Platform is a unique, next-gen cybersecurity platform. Singularity is an industry-first data lake that seamlessly fuses together the data, access, control, and integration planes of its endpoint protection (EPP), endpoint detection and response (EDR), IoT security, and cloud workload protection (CWPP) into a centralized platform. With Singularity, organizations gain access to back-end data across the organization through a single solution, providing a cohesive view of their network and assets by adding a real time autonomous security layer across all enterprise assets.

Unlike other next-gen products, SentinelOne is the first security offering to expand from cloud-native yet autonomous protection to a full cybersecurity platform — with the same single codebase and deployment model — and the first to incorporate IoT and CWPP into an extended detection and response (XDR) platform.

Singularity provides an easy to manage platform that prevents, detects, responds, and hunts in the context of all enterprise assets, allowing organizations to see what has never been seen before and control the unknown. It is the only platform powered by AI that provides advanced threat hunting and complete visibility across every device, virtual or physical, on prem or in the cloud.

What is SentinelOne Vigilance?

Vigilance is SentinelOne’s MDR (Managed Detection and Response) service – providing threat monitoring, hunting, and response to its existing customers for a premium fee.

It provides a 24×7 Security Operations Centre (SOC) with expert analysts and researchers to give customers near real time threat monitoring, in-console threat annotations, and response to threats and suspicious events (on the premium tier).

You can learn more about SentinelOne Vigilance here.

What is SentinelOne Ranger?

SentinelOne Ranger is a rogue device discovery and containment technology.

It allows the discovery of unmanaged or “rogue” devices both passively and actively. Once discovered, Ranger can alert the security team to the presence of such devices and can protect managed devices like workstations and servers from the risk those unmanaged devices pose.

You can learn more about SentinelOne Ranger here.

What is SentinelOne Deep Visibility?

SentinelOne’s Deep Visibility is a built-in component of the SentinelOne agent that collects and streams information from agents into the SentinelOne Management console. This data enables security teams and admins to search for Indicators of Compromise (IoCs) and hunt for threats.

Can I use SentinelOne for Incident Response?

Yes, you can use SentinelOne for incident response.

SentinelOne’s Remediation and Rollback Response capabilities are an industry-unique capability, patented by the U.S. Patent and Trademark Office. SentinelOne ActiveEDR tracks and monitors all processes that load directly into memory as a set of related “stories.”

The agent maintains a local history of these contextual process relationships and any related system modifications that are performed. By maintaining story context through the life of software execution, the agent can determine when processes turn malicious, then execute the response specified in the Management policy.

If the policy calls for automatic remediation or if the administrator manually triggers remediation, the agent has the stored historical context related to the attack and uses that data to handle the threat and clean the system of unwanted malicious code artifacts. Essentially, the agent understands what has happened related to the attack and plays the attack in reverse to remove the unauthorized changes.

SentinelOne & MITRE ATT&CK

Does SentinelOne support the MITRE ATT&CK framework?

SentinelOne supports the MITRE ATT&CK framework by leveraging our Dynamic Behavioral engine to show the behavior of processes on protected endpoints.

To make it easier and faster for you to use this knowledge, we map our behavioral indicators to the MITRE ATT&CK framework.

How can I use MITRE ATT&CK framework for threat hunting?

You can create queries out-of-the-box and search for MITRE ATT&CK characteristics across your scope of endpoints. With SentinelOne, all you need is the MITRE ID or another string in the description, the category, the name, or the metadata.
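To make the mapping described above concrete, here is an added example (not SentinelOne's code or query language) of how a hunting query can be resolved against a set of behavioral indicators that carry MITRE ATT&CK technique ids: a query that looks like a technique id is matched exactly (with a parent technique also matching its sub-techniques), and any other string is searched across the description, category, name, and metadata fields the FAQ names. The indicator records, their field names and the category-to-tactic mapping are constructed for this example and are not SentinelOne's real schema or indicator set.

```python
import re

# Constructed behavioral-indicator records, modeled loosely on the fields the
# FAQ names (description, category, name, metadata) plus MITRE technique ids.
# Sample data only; not SentinelOne's real schema or indicator set.
INDICATORS = [
    {"name": "Shadow copies deleted", "category": "Impact",
     "description": "Volume shadow copies were removed to inhibit recovery",
     "mitre": ["T1490"], "metadata": {"os": "windows"}},
    {"name": "Mass file encryption", "category": "Impact",
     "description": "Process rewrote many user files with high entropy",
     "mitre": ["T1486"], "metadata": {"os": "windows"}},
    {"name": "Credential dumping", "category": "Credential Access",
     "description": "LSASS memory read by non-system process",
     "mitre": ["T1003.001"], "metadata": {"os": "windows"}},
    {"name": "Suspicious script", "category": "Execution",
     "description": "Obfuscated PowerShell command line",
     "mitre": ["T1059.001", "T1027"], "metadata": {"os": "windows"}},
]

# ATT&CK technique ids look like T1234 or T1234.001 (sub-technique)
MITRE_ID_RE = re.compile(r'^T\d{4}(\.\d{3})?$', re.I)


def search_indicators(query, indicators=INDICATORS):
    """Return indicators matching a MITRE id or a free-text substring."""
    q = query.strip()
    if MITRE_ID_RE.match(q):
        qid = q.upper()
        # A parent technique id (T1003) also matches its sub-techniques (T1003.001)
        return [i for i in indicators
                if any(t == qid or t.startswith(qid + '.') for t in i["mitre"])]
    ql = q.lower()

    def haystack(i):
        # Free-text search covers name, category, description and metadata
        meta = " ".join(f"{k}={v}" for k, v in i["metadata"].items())
        return " ".join([i["name"], i["category"], i["description"], meta]).lower()

    return [i for i in indicators if ql in haystack(i)]


def coverage_by_tactic(indicators=INDICATORS):
    """Summarise which technique ids are covered under each category (tactic)."""
    cov = {}
    for i in indicators:
        cov.setdefault(i["category"], set()).update(i["mitre"])
    return {k: sorted(v) for k, v in cov.items()}


if __name__ == "__main__":
    for q in ("T1003", "powershell", "Impact"):
        print(q, "->", [i["name"] for i in search_indicators(q)])
    print(coverage_by_tactic())
```

The coverage summary is the view a detection engineer uses to spot tactics with no mapped indicators before building hunts around them.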

Is SentinelOne MITRE certified/tested?

SentinelOne was evaluated by MITRE’s ATT&CK Round 2, April 21, 2020. SentinelOne had the lowest number of missed detections, and achieved the highest number of combined high-quality detections and the highest number of correlated detections.

How Does SentinelOne Respond to Ransomware?

How does SentinelOne respond to ransomware?

SentinelOne offers multiple responses to defeat ransomware, including:

  • The ability to kill offending processes
  • File and script quarantine
  • Remediation (reversal) of unwanted changes
  • Rollback of Windows systems to their prior state
  • Auto or manual device network containment while preserving the administrator’s ability to maintain interaction with the endpoint via the console or our RESTful API.

Is ransomware still a threat?

Ransomware is a very prominent threat. According to the 2020 Verizon DBIR report, more than a quarter of data breaches involving malware utilized ransomware.

Will SentinelOne protect me against ransomware?

SentinelOne is designed to protect enterprises from ransomware and other malware threats. SentinelOne recognizes the behaviors of ransomware and prevents it from encrypting files.

Additionally, SentinelOne is able to rollback Windows devices in the event that files are encrypted.

If SentinelOne is not able to recover encrypted files, we will pay $1,000 per encrypted machine, up to $1M.

Will I be able to restore files encrypted by ransomware?

SentinelOne offers a rollback feature, enabling files that have been maliciously encrypted or deleted to be restored to their prior state.

How does SentinelOne rollback work?

The SentinelOne rollback feature can be initiated from the SentinelOne Management console to return a Windows endpoint to its former state prior to the execution of a malicious process, such as ransomware, with a single click.

This feature also defeats ransomware that targets the Windows Volume Shadow Copy Service (VSS) in an effort to prevent restoration from backup.

Article information

Author: Foster Heidenreich CPA