
Quick Start Security for SentinelOne


Coralogix Extension For SentinelOne Includes:

Alerts - 31

Stay on top of SentinelOne key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Critical Severity Alert

This alert detects all SentinelOne logs that have critical severity.
Impact: Depends on the type and parameters of the log; check the log for details.
Mitigation: To investigate the alert, check fields such as 'description', 'category', 'classification', 'deviceaddress' and 'ip' in the log where present (the available fields vary per log). Also check for repeated alerts for the same user, machine or IP, and review adjacent logs.

High Severity Alert

This alert detects all SentinelOne logs that have high severity.
Impact: Depends on the type and parameters of the log; check the log for details.
Mitigation: To investigate the alert, check fields such as 'description', 'category', 'classification', 'deviceaddress' and 'ip' in the log where present (the available fields vary per log). Also check for repeated alerts for the same user, machine or IP, and review adjacent logs.

Medium Severity Alert

This alert detects all SentinelOne logs that have medium severity.
Impact: Depends on the type and parameters of the log; check the log for details.
Mitigation: To investigate the alert, check fields such as 'description', 'category', 'classification', 'deviceaddress' and 'ip' in the log where present (the available fields vary per log). Also check for repeated alerts for the same user, machine or IP, and review adjacent logs.

Low Severity Alert

This alert detects all SentinelOne logs that have low severity.
Impact: Depends on the type and parameters of the log; check the log for details.
Mitigation: To investigate the alert, check fields such as 'description', 'category', 'classification', 'deviceaddress' and 'ip' in the log where present (the available fields vary per log). Also check for repeated alerts for the same user, machine or IP, and review adjacent logs.

No logs from SentinelOne

This rule detects when no SentinelOne logs have arrived in the customer account in the last 24 hours. Note: this alert should be configured with the relevant application and subsystem.
Impact: Disabling logging is a tactic adversaries may use, as part of various MITRE ATT&CK techniques, to avoid detection, cover their tracks, or impede incident response investigations.
Mitigation: Address the logging gap to restore comprehensive monitoring within the Coralogix SIEM.
MITRE Tactic: TA0005 MITRE Technique: T1562

Quarantine Failed

The "Quarantine Failed" alert in EDR signifies that the EDR system or security software attempted to isolate or quarantine a potentially malicious or compromised endpoint (such as a computer or device), but the isolation was unsuccessful. This alert is a critical indicator of a security breach or of a failure in the endpoint's security defenses: the attempted quarantine action was either not completed or was circumvented by a threat actor, allowing the threat to persist within the network.
Impact: If SentinelOne identifies a file as malicious but fails to quarantine it, the file may still be executed on the host, potentially compromising the host system's security.
Mitigation: The file should be checked and manually quarantined if found to be malicious.
MITRE Tactic: TA0002 MITRE Technique: T1083

User Network Quarantine/Unquarantine Container

This alert detects the following actions performed on a container:
1105 User Network Quarantine Container
1100 User Network Quarantine Container
1102 User Network Quarantine Container
1104 User Network Unquarantine Container
1101 User Network Unquarantine Container
1103 User Network Unquarantine Container

User Deleted AD configuration

This alert detects deletion of the AD configuration on the S1 portal.
Impact: SSO users may no longer be able to log in to the portal.
Mitigation: The activity should be validated.
MITRE Tactic: TA0040 MITRE Technique: T1531

Deep Visibility Settings Modified

This alert detects changes to the Deep Visibility settings. Deep Visibility offers a comprehensive view of your endpoints through a search interface that shows the entire context in a straightforward way.
Impact: Changing the Deep Visibility configuration can affect the functioning of the EDR solution as a whole.
Mitigation: Ensure that the settings are verified to align with the organization's policy.
MITRE Tactic: TA0005 MITRE Technique: T1562

Imp Site Change Detected

This alert detects the following actions:
5020 Site Created
5026 Site Duplicated
5022 Site Deleted
5029 Site Deleted Because Account Deleted
5023 Site Expired
5028 Site Expired Because Account Expired
5025 Site Marked As Expired
5021 Site Modified
5027 Site Token Regenerated
5024 Site Policy Reverted
Impact: Depends on the action.
Mitigation: Depends on the action.

Snapshots Settings Modified

This alert detects modifications to the snapshot settings.
Impact: It can affect the system snapshots taken for recovery in case of compromise.
Mitigation: Ensure that the settings are verified to align with the organization's policy.
MITRE Tactic: TA0005 MITRE Technique: T1110

Imp Script Actions Detected

This alert detects important script-related actions such as:
7600 User Submitted Script Execution For Review
3618 Script Action Initiated
7604 User Disabled Run Script Guardrails
Impact: Depends on the action.
Mitigation: Depends on the action.

Mitigation Policy Modified

This alert detects changes to the mitigation policy.
Impact: The policy governs threat mitigation actions.
Mitigation: The policy change should be validated to confirm it is a proper, authorized change.
MITRE Tactic: TA0005 MITRE Technique: T1562

User Deleted

This alert detects deletion of a SentinelOne user account.
Impact: Deleting a user account can disrupt access to the resources, applications or data associated with that account, affecting day-to-day operations.
Mitigation: Implement a robust process for user account creation, maintenance and deletion, adhering to established policies and procedures.
MITRE Tactic: TA0005 MITRE Technique: T1070

Auto-Upgrade Policy Disabled/Deleted

This alert detects the disabling or deletion of the agent auto-upgrade policy.
Impact: Disabling the auto-upgrade policy keeps the S1 agent on an older version, which may be susceptible to vulnerabilities.
Mitigation: Re-enable the agent auto-upgrade policy.
MITRE Tactic: TA0006 MITRE Technique: T1110

Anti Tampering Modified

This alert detects changes to the anti-tampering settings. Anti-tampering protects the agent against unauthorized uninstallation.
Impact: Changing anti-tampering measures can be an attempt to evade detection or bypass security controls.
Mitigation: Enforce strict change control policies, requiring proper authorization and documentation for any modification to anti-tampering measures.
MITRE Tactic: TA0005 MITRE Technique: T1562

User Deleted Hash Exclusion

This alert detects deletion of a hash exclusion from the IOC list.
Impact: Deleting or excluding files might affect availability or integrity, potentially causing disruption or loss of critical data.
Mitigation: The removal of the hash should be validated internally, as it will affect the functioning of the whitelisted application.
MITRE Tactic: TA0040 MITRE Technique: T1562

Unquarantine Performed

This alert detects when a file is unquarantined.
Impact: If a user unquarantines a malicious file, the system might be compromised once the file is executed.
Mitigation: It is recommended to review the unquarantined file by checking its hash against OSINT tools.
MITRE Tactic: TA0002 MITRE Technique: T1562

Policy Setting - Show Suspicious Activities Configuration Disabled

This alert detects a policy change that disables the display of suspicious activities in the portal.
Impact: Disabling this feature hides suspicious activities from view.
Mitigation: Administrators will miss all suspicious activities while the feature is disabled.
MITRE Tactic: TA0006 MITRE Technique: T1110

Service User Deleted

This alert detects deletion of a SentinelOne service account.
Impact: Deleting service accounts without proper verification might inadvertently affect ongoing operations or integrations, leading to service disruptions or vulnerabilities.
Mitigation: Before deletion, conduct a thorough review to ensure the account is no longer required and verify its dependencies and integrations.
MITRE Tactic: TA0005 MITRE Technique: T1070

Service User Created

This alert detects creation of a SentinelOne service account.
Impact: Incorrectly configured service users could inadvertently be granted excessive privileges, creating privilege escalation risks.
Mitigation: Apply the principle of least privilege when creating service users so that they have only the permissions they need.
MITRE Tactic: TA0006 MITRE Technique: T1136

Remote Shell Settings Modified

This alert detects changes to the remote shell settings.
Impact: This is an important change, as the setting controls remote shell access to the devices.
Mitigation: Ensure that the settings are verified to align with the organization's policy.
MITRE Tactic: TA0004 MITRE Technique: T1069

User Marked CVE as False Positive on Application

This alert detects when a user marks a CVE as a false positive on a specific application.
Impact: Marking a vulnerability as a false positive on the application stops the vulnerability from being raised for that application.
Mitigation: Ensure that the settings are verified to align with the organization's policy.
MITRE Tactic: TA0005 MITRE Technique: T1070

Quarantine Network Settings Modified

This alert detects configuration changes to the Quarantine Network settings.
Impact: This policy applies when a device is network-quarantined after a malware or ransomware infection.
Mitigation: Ensure that the settings are verified to align with the organization's policy.
MITRE Tactic: TA0007 MITRE Technique: T1010

Global 2FA Modified

This rule triggers when the 2FA settings are modified at the global level.
Impact: Disabling 2FA increases the risk of account compromise. If passwords are compromised or stolen, there is no secondary authentication barrier to prevent unauthorized entry.
Mitigation: If 2FA was disabled unintentionally or in error, promptly re-enable it to restore the additional layer of security.
MITRE Tactic: TA0005 MITRE Technique: T1556

Multiple Firewall Blocked Events Detected for a User

This alert detects multiple SentinelOne firewall block events for a single user within a short span of time.
Impact:
- Persistent firewall blocks might suggest a user trying to access restricted areas or services, potentially violating company policies or compliance regulations.
- Repeated firewall blocks for a user could indicate unauthorized or suspicious activity, raising concerns about the user's actions or the security of their device.
Mitigation:
- Conduct a thorough investigation to determine the reason for the firewall blocks. Analyze logs and security data to understand the nature of the blocked events.
- Review firewall rules and access policies to ensure they align with the user's responsibilities and legitimate access requirements. Adjust the policies if necessary to prevent unnecessary blocks.
MITRE Tactic: TA0006 MITRE Technique: T1110

User Performed Multiple Attempts to Connect USB

This rule detects multiple attempts by a user to connect a USB device to a system.
Impact: Denying USB device connections is a defense mechanism aimed at blocking potential indicators of compromise and preventing unauthorized external devices from accessing the system.
Mitigation: The user should be approached for clarification.
MITRE Tactic: TA0005 MITRE Technique: T1052

Multiple Login Failures For A Console User

This alert detects multiple login failures for a single user within a short span of time.
Impact: This might be an indicator of brute-force activity.
Mitigation: The activity should be investigated and confirmed with the user. Enforce 2FA if it is not enabled.
MITRE Tactic: TA0006 MITRE Technique: T1110

Firewall Control Rules Created/Modified/Deleted

This alert detects when a SentinelOne firewall rule is created, modified or deleted.
Impact:
- Increased vulnerability: Unauthorized modification or deletion of firewall rules can create security gaps, exposing the network to threats and unauthorized access.
- Disrupted connectivity: Incorrect or deleted rules can disrupt services or cause connectivity issues for legitimate users or services accessing network resources.
- Compliance risks: Changes to firewall rules might violate compliance requirements, leading to audit failures and potential regulatory penalties.
Mitigation: Verify the firewall rule change and promptly revert it if unauthorized.
MITRE Tactic: TA0005 MITRE Technique: T1562

Device Decommissioned

This alert triggers when the SentinelOne agent has been removed from a system.
Impact: Removing the EDR agent puts the system at risk of:
- limited visibility into endpoint activity, making it harder to detect threats;
- an overall weakened security posture, leaving the endpoint more exposed to cyber threats.
Mitigation: There may be valid reasons for removing the agent, such as device decommissioning. Verify whether the system was supposed to have the EDR agent installed.
MITRE Tactic: TA0005 MITRE Technique: T1562

Blocklist Hash Deleted

This alert triggers when a blocklisted hash is removed from the list.
Impact: SentinelOne has detected deletion of a blocklist entry, which is designed to prevent the execution of, or access to, known malicious files and applications on the endpoint. The action may have been initiated by a user or by a malicious actor with unauthorized access.
Mitigation: Obtain justification from the user for the hash deletion.
MITRE Tactic: TA0005 MITRE Technique: T1070

Integration

Learn more about Coralogix's out-of-the-box integration with SentinelOne in our documentation.
