Introduction
SentinelOne’s Deep Visibility is an automated Endpoint Detection and Response (EDR) technology that provides rich forensic data and can mitigate threats automatically, perform network isolation, and auto-immunize the endpoints against newly discovered threats. As a final safety measure, SentinelOne can even rollback an endpoint to its pre-infected state.
This extension requires a SentinelOne Deep Visibility API key, and the API URL specific to your instance. The extension is available on IP intelligence cards and hash intelligence cards.
Example Use Cases
Alert Triage
Recorded Future intelligence cards provide context around potential threats to your network. The Intelligence Card Extension for SentinelOne marries that external threat intelligence with your internal telemetry for fast and informed decisions. If there are references to the IP or hash within your SentinelOne instance, the first 4 events will be returned to the extension. For example, suppose you are looking at a potentially malicious IP. Seeing many events of connections to the same IP may be cause for alarm. The extension lets you see which hosts are connecting to the IP, so you can tell whether this is most likely an issue for 1 host or a more widespread issue with more than 1 host connecting. The intent is to provide enough detail to make a quick decision on whether you would like to investigate further.
Threat Hunting
Recorded Future intelligence cards provide context around potential threats to your network. If there are references to the IP or hash within your SentinelOne instance, the first 4 events will be returned to the extension. This provides enough context to decide whether you would like to investigate further. With the Intelligence Card Extension for SentinelOne, you can seamlessly pivot to the SentinelOne platform to hunt through all of the matches seen in your environment in the last 30 days.
Supported Fields
The extension is available on IP intelligence cards and hash intelligence cards. The following fields are supported for enrichment from SentinelOne Deep Visibility:
- Event Summary
- Process Details
- Agent Information
- File Records
Examples:
Configuration
You must have commercial access to SentinelOne’s Deep Visibility to use this extension. Please also see the Getting Started With Intelligence Card Extensions page if you're interested in enabling this extension. Note that besides an API Token, you need to know the API URL specific to your instance of SentinelOne to activate this extension:
The Management_URL should be in the format "https://xxxxx.sentinelone.net"
Troubleshooting
Note that the SentinelOne API has rate limits; currently it is 1 call per minute. Multiple calls to the extension that exceed this rate limit will result in an error.
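As an added example that is not part of the original page (and not Recorded Future's or SentinelOne's own code), the following Python models the two mechanical points in this document: the alert-triage decision made from the first 4 returned events (is the indicator seen on 1 host or on several?) and the 1-call-per-minute API rate limit from the troubleshooting note. The real API call is left to a caller-supplied fetch_events function; the event field names (agent_hostname, process_name), hostnames and the placeholder hash are assumptions and constructed data, and the 60-second limiter takes an injectable clock so the demo runs without actually waiting a minute between lookups.

```python
"""Triage helper for SentinelOne Deep Visibility matches.

Added example, not Recorded Future's or SentinelOne's own code. Two things from
the page are modelled: the "one host or many?" decision made from the first 4
returned events, and the 1-call-per-minute API rate limit. The network call is
left to a caller-supplied fetch_events(indicator) function, and every event
field name below (agent_hostname, process_name, ...) is an assumption, not the
vendor's schema.
"""
import threading
import time
from collections import Counter

MAX_EVENTS = 4            # the extension returns the first 4 matching events
MIN_CALL_INTERVAL = 60.0  # SentinelOne API limit: 1 call per minute


class RateLimiter:
    """Spaces calls at least min_interval seconds apart so the limit is never hit.

    clock and sleep are injectable so the behaviour can be exercised without
    really waiting a minute (see FakeClock below).
    """

    def __init__(self, min_interval=MIN_CALL_INTERVAL,
                 clock=time.monotonic, sleep=time.sleep):
        self.min_interval = min_interval
        self._clock = clock
        self._sleep = sleep
        self._lock = threading.Lock()
        self._next_allowed = 0.0  # earliest clock value at which a call may go out

    def wait(self):
        """Block until a call is permitted, reserve the next slot, return seconds waited."""
        with self._lock:  # serialise callers so concurrent lookups cannot burst
            now = self._clock()
            start = max(now, self._next_allowed)
            waited = start - now
            if waited > 0:
                self._sleep(waited)
            self._next_allowed = start + self.min_interval
            return waited


class FakeClock:
    """Deterministic clock used by the demo and tests instead of real waiting."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def summarize_events(events):
    """Reduce the returned events to the triage question in the docs:
    does the indicator show up on one host or on several?"""
    hosts = Counter(e["agent_hostname"] for e in events)  # assumed field name
    if not events:
        scope = "no-match"
    elif len(hosts) == 1:
        scope = "single-host"
    else:
        scope = "multi-host"
    return {
        "events": len(events),
        "distinct_hosts": len(hosts),
        "hosts": dict(hosts),
        "scope": scope,
    }


def triage(indicator, fetch_events, limiter):
    """Rate-limited lookup of one IP or hash, truncated to the first 4 events."""
    limiter.wait()
    events = list(fetch_events(indicator))[:MAX_EVENTS]
    summary = summarize_events(events)
    summary["indicator"] = indicator
    return summary


# Constructed sample data: TEST-NET addresses, made-up hostnames, placeholder hash.
NO_MATCH_HASH = "0" * 64
SAMPLE_EVENTS = {
    "203.0.113.45": [
        {"event_type": "IP Connect", "agent_hostname": "WS-FIN-017", "process_name": "outlook.exe"},
        {"event_type": "IP Connect", "agent_hostname": "WS-FIN-017", "process_name": "outlook.exe"},
        {"event_type": "IP Connect", "agent_hostname": "WS-HR-003", "process_name": "chrome.exe"},
        {"event_type": "IP Connect", "agent_hostname": "SRV-FILE-01", "process_name": "svchost.exe"},
        {"event_type": "IP Connect", "agent_hostname": "WS-OPS-022", "process_name": "chrome.exe"},  # 5th: dropped
    ],
    "198.51.100.7": [
        {"event_type": "IP Connect", "agent_hostname": "WS-HR-003", "process_name": "chrome.exe"},
    ],
    NO_MATCH_HASH: [],
}


if __name__ == "__main__":
    clock = FakeClock()  # use RateLimiter() with real time to actually wait between calls
    limiter = RateLimiter(clock=clock.now, sleep=clock.sleep)
    for indicator in SAMPLE_EVENTS:
        result = triage(indicator, SAMPLE_EVENTS.__getitem__, limiter)
        print(f"{result['indicator'][:20]:<20} {result['scope']:<12} "
              f"{result['events']} events on {result['distinct_hosts']} host(s)")
```

Against a live instance, replace SAMPLE_EVENTS.__getitem__ with a function that performs the Deep Visibility lookup using your API token and Management_URL, and keep a single shared RateLimiter in front of it: with a 1-call-per-minute limit, the second of two overlapping lookups must queue rather than fail.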