SentinelOne Deep Visibility


Introduction

SentinelOne’s Deep Visibility is an automated Endpoint Detection and Response (EDR) technology that provides rich forensic data and can mitigate threats automatically, perform network isolation, and auto-immunize the endpoints against newly discovered threats. As a final safety measure, SentinelOne can even roll back an endpoint to its pre-infected state.

This extension requires a SentinelOne Deep Visibility API key, and the API URL specific to your instance. The extension is available on IP intelligence cards and hash intelligence cards. 

Example Use Cases

Alert Triage 

Recorded Future intelligence cards provide context around potential threats to your network. The Intelligence Card Extension for SentinelOne marries the external threat intelligence with your internal telemetry for fast and informed decisions. If there are references to the IP or hash within your SentinelOne instance, the first 4 events are returned to the extension. For example, suppose you are looking at a potentially malicious IP. Seeing many events of connections to the same IP may be cause for alarm. The extension lets you see which hosts are connecting to the IP, so you can identify whether this is most likely an issue for 1 host or whether there appears to be a more widespread issue with more than 1 host connecting. The intent is to provide enough detail to make a quick decision on whether you would like to investigate further.

Threat Hunting 

Recorded Future intelligence cards provide context around potential threats to your network. If there are references to the IP or hash within your SentinelOne instance, the first 4 events are returned to the extension. This provides enough context to decide whether you would like to investigate further. With the Intelligence Card Extension for SentinelOne, you can seamlessly pivot to the SentinelOne platform to hunt through all of the matches seen in your environment in the last 30 days.

Supported Fields

The extension is available on IP intelligence cards and hash intelligence cards. The following fields are supported for enrichment from SentinelOne Deep Visibility:

  • Event Summary
  • Process Details
  • Agent Information
  • File Records

Examples: (screenshots of the extension on intelligence cards omitted)

Configuration

You must have commercial access to SentinelOne’s Deep Visibility to use this extension. Please also see the Getting Started With Intelligence Card Extensions page if you're interested in enabling this extension. Note that besides an API Token, you need to know the API URL specific to your instance of SentinelOne to activate this extension.

The Management_URL should be in the format "https://xxxxx.sentinelone.net".

Troubleshooting

Note that the SentinelOne API has rate limits; currently the limit is 1 call per minute. Multiple calls to the extension that exceed this rate limit will result in an error.
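As an added example (not Recorded Future's or SentinelOne's code), the following Python helper covers both the configuration step above and this troubleshooting note: it checks a configured Management URL against the "https://xxxxx.sentinelone.net" format and spaces outgoing calls so they stay within the documented one-call-per-minute limit instead of failing with the rate-limit error. The hostname pattern and the `send` callable are assumptions made here; the SentinelOne API itself is never called, and the schedule simulation constructs its own timestamps.

```python
import re
import time
from typing import Any, Callable, List, Optional

# Hostname pattern assumed from the article's "https://xxxxx.sentinelone.net":
# scheme must be https, the tenant is one DNS label, and the expression is
# anchored so that look-alike hosts such as
# https://xxxxx.sentinelone.net.example.org are rejected.
MANAGEMENT_URL_RE = re.compile(r"^https://[a-z0-9][a-z0-9-]*\.sentinelone\.net$")


def validate_management_url(url: str) -> str:
    """Return the Management URL normalised (lower-case, no trailing slash),
    or raise ValueError if it does not match the documented format."""
    candidate = url.strip().rstrip("/").lower()
    if not MANAGEMENT_URL_RE.match(candidate):
        raise ValueError(
            f"Management URL must be of the form https://xxxxx.sentinelone.net, got {url!r}"
        )
    return candidate


def is_valid_management_url(url: str) -> bool:
    """Boolean form of validate_management_url, convenient for config checks."""
    try:
        validate_management_url(url)
    except ValueError:
        return False
    return True


class RateLimitedCaller:
    """Wrap `send` so consecutive calls are at least `interval` seconds apart.

    The article documents a limit of 1 call per minute and says that exceeding
    it produces an error, so the wrapper waits for the next window instead of
    letting a burst of requests fail. `clock` and `sleep` are injectable so the
    spacing can be verified without actually waiting a minute.
    """

    def __init__(
        self,
        send: Callable[..., Any],
        interval: float = 60.0,
        clock: Callable[[], float] = time.monotonic,
        sleep: Callable[[float], None] = time.sleep,
    ) -> None:
        self._send = send
        self._interval = interval
        self._clock = clock
        self._sleep = sleep
        self._next_allowed: Optional[float] = None

    def __call__(self, *args: Any, **kwargs: Any) -> Any:
        now = self._clock()
        if self._next_allowed is not None and now < self._next_allowed:
            # Too soon: sleep until the window opens rather than trigger the API error.
            self._sleep(self._next_allowed - now)
            now = self._next_allowed
        self._next_allowed = now + self._interval
        return self._send(*args, **kwargs)


class _SimulatedClock:
    """Monotonic clock that only advances when told to; used by simulate_schedule."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds

    def advance_to(self, t: float) -> None:
        self.now = max(self.now, t)


def simulate_schedule(arrival_times: List[float], interval: float = 60.0) -> List[float]:
    """Return when calls arriving at `arrival_times` (seconds) are actually sent.

    Purely a simulation with constructed timestamps: nothing is sent anywhere
    and no real time passes.
    """
    clock = _SimulatedClock()
    sent: List[float] = []
    caller = RateLimitedCaller(lambda: sent.append(clock()), interval, clock, clock.sleep)
    for t in arrival_times:
        clock.advance_to(t)
        caller()
    return sent


if __name__ == "__main__":
    print(validate_management_url("https://Example-Tenant.sentinelone.net/"))
    # Four lookups arriving 0, 10, 70 and 200 seconds in; the second and third
    # are held back to the 60-second boundaries.
    print(simulate_schedule([0, 10, 70, 200]))
```

The limiter is deliberately conservative: it enforces a minimum gap between calls rather than counting calls per sliding window, which is the simplest policy that can never exceed one call in any sixty-second span.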

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.