SentinelOne Training | Part 1 - Complete Overview
Introduction
This tutorial provides a comprehensive overview of the SentinelOne Managed Security Service Provider (MSSP) console, focusing on its features and functionalities. SentinelOne is a leading endpoint detection and response (EDR) solution used by large organizations to protect their networks and devices. This guide is designed to help users understand how to navigate and utilize the MSSP console effectively.
Step 1: Understanding the MSSP Structure
- Global Level: This is the highest tier where larger organizations can directly purchase SentinelOne services. MSSPs like Technology Interpreters operate at this level through partnerships with global providers.
- Account Level: Each MSSP has its own account within the global structure, allowing them to manage multiple clients.
- Site Level: Under each account, individual sites represent different clients or customer environments.
- Group Level: Within each site, groups can be established for monitoring and applying security policies.
Step 2: Navigating the Dashboard
- Access the dashboard to view key metrics:
  - Solved and Unsolved Threats: Track incidents that have been addressed or are still open.
  - Infected and Healthy Endpoints: Monitor the status of endpoints; infected endpoints need attention, while healthy ones currently report no unresolved threats.
- Detection Engines: Learn about the various detection methods, including:
  - Static detection for file-based threats.
  - Behavioral detection for script-based threats.
Step 3: Utilizing Deep Visibility
- Deep Visibility allows for incident response and threat hunting.
- Be cautious when using this feature, as improper queries can lock up the console.
- Consider training before utilizing this advanced feature.
Step 4: Managing Endpoints
- Use the Ranger product to identify devices on your network lacking SentinelOne agents.
- Monitor devices and implement necessary actions for any rogue devices detected.
Step 5: Configuring Policies and Alerts
- Policies determine how SentinelOne responds to threats:
  - Create policies for monitoring only or for active response (e.g., quarantine, remediation).
- Set up alerts using Power Expressions to define the conditions for proactive threat detection.
Step 6: Exploring Threat Management Features
- Understand the different threat types categorized by SentinelOne, such as malware and potentially unwanted programs.
- Use the Threat Path feature to visualize potential lateral movement paths an adversary might exploit.
Step 7: Conducting Vulnerability Scans
- Use the Applications section to conduct vulnerability scans on installed software.
- Monitor the Risk section to identify vulnerabilities based on the Common Vulnerability Scoring System (CVSS).
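As an added example (not part of this tutorial or of SentinelOne's own tooling), the script below shows how an MSSP analyst might turn a list of CVSS-scored findings exported from the Applications and Risk sections into a remediation order. The severity bands are the standard CVSS v3.x qualitative rating scale; the application names, scores and endpoint names are constructed placeholders, and the record layout is an assumption for this example, not SentinelOne's export format.

```python
from collections import defaultdict


def cvss_rating(score):
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Constructed sample: one record per (vulnerable application, endpoint) pair.
# Application names, scores and endpoint names are illustrative placeholders.
SAMPLE_VULNS = [
    {"app": "ExampleViewer 1.2", "cvss": 9.8, "endpoint": "WS-01"},
    {"app": "ExampleViewer 1.2", "cvss": 9.8, "endpoint": "WS-02"},
    {"app": "ExampleViewer 1.2", "cvss": 9.8, "endpoint": "WS-03"},
    {"app": "ExampleArchiver 3.0", "cvss": 7.5, "endpoint": "WS-01"},
    {"app": "ExampleArchiver 3.0", "cvss": 7.5, "endpoint": "WS-02"},
    {"app": "ExampleArchiver 3.0", "cvss": 7.5, "endpoint": "WS-03"},
    {"app": "ExampleArchiver 3.0", "cvss": 7.5, "endpoint": "WS-04"},
    {"app": "ExampleArchiver 3.0", "cvss": 7.5, "endpoint": "WS-05"},
    {"app": "ExampleAgent 0.9", "cvss": 9.8, "endpoint": "SRV-09"},
    {"app": "ExampleTool 2.1", "cvss": 3.1, "endpoint": "WS-04"},
    {"app": "ExampleTool 2.1", "cvss": 3.1, "endpoint": "WS-05"},
]


def prioritize(vulns):
    """Group findings by application; rank by worst CVSS score, then by exposure.

    Exposure is the number of distinct endpoints carrying the vulnerable
    application, so two Critical findings are ordered by how many hosts they touch.
    """
    by_app = defaultdict(lambda: {"max_cvss": 0.0, "endpoints": set()})
    for v in vulns:
        entry = by_app[v["app"]]
        entry["max_cvss"] = max(entry["max_cvss"], v["cvss"])
        entry["endpoints"].add(v["endpoint"])
    ranked = sorted(
        by_app.items(),
        key=lambda item: (-item[1]["max_cvss"], -len(item[1]["endpoints"]), item[0]),
    )
    return [
        {
            "app": app,
            "severity": cvss_rating(data["max_cvss"]),
            "max_cvss": data["max_cvss"],
            "endpoint_count": len(data["endpoints"]),
        }
        for app, data in ranked
    ]


if __name__ == "__main__":
    for row in prioritize(SAMPLE_VULNS):
        print(f'{row["severity"]:8} {row["max_cvss"]:4} x{row["endpoint_count"]:<3} {row["app"]}')
```

Ranking by worst score first and endpoint count second means a Critical finding on a single server still outranks a High finding spread across many workstations; adjust the sort key if your client's service agreement weighs exposure differently.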
Step 8: Reviewing Activity Logs
- Access the Activity section to examine an audit log of actions taken within the console.
- This is crucial for tracking user actions and identifying potential unauthorized access.
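As an added example (not part of this tutorial or of SentinelOne's own code), the script below reviews a constructed activity-log export and flags the two patterns an MSSP analyst most often looks for in an audit trail: protection-weakening actions performed outside business hours, and console logins to a client site the user is not expected to work in. The JSON field names, the list of sensitive actions and the user-to-site roster are assumptions made for this example, not SentinelOne's activity-log schema.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample export, one JSON record per line. The field names are an
# assumption made for this example; they are not SentinelOne's activity-log schema.
SAMPLE_ACTIVITY_LOG = """\
{"time": "2024-03-04T08:15:00Z", "user": "analyst.a", "action": "login", "site": "ClientA", "source_ip": "203.0.113.10"}
{"time": "2024-03-04T08:20:00Z", "user": "analyst.a", "action": "threat_resolved", "site": "ClientA", "source_ip": "203.0.113.10"}
{"time": "2024-03-04T02:41:00Z", "user": "analyst.b", "action": "login", "site": "ClientB", "source_ip": "198.51.100.7"}
{"time": "2024-03-04T02:43:00Z", "user": "analyst.b", "action": "policy_changed", "site": "ClientB", "source_ip": "198.51.100.7"}
{"time": "2024-03-04T02:44:00Z", "user": "analyst.b", "action": "agent_uninstall", "site": "ClientB", "source_ip": "198.51.100.7"}
{"time": "2024-03-04T09:05:00Z", "user": "contractor.x", "action": "login", "site": "ClientA", "source_ip": "192.0.2.55"}
{"time": "2024-03-04T09:06:00Z", "user": "contractor.x", "action": "login", "site": "ClientC", "source_ip": "192.0.2.55"}
"""

# Console actions that change or weaken protection and therefore merit review
# (hypothetical action names chosen for this example).
SENSITIVE_ACTIONS = {"policy_changed", "agent_uninstall", "exclusion_added", "user_created"}

# Which client sites each console user is expected to work in (hypothetical roster).
EXPECTED_SCOPE = {
    "analyst.a": {"ClientA"},
    "analyst.b": {"ClientB"},
    "contractor.x": {"ClientA"},
}

BUSINESS_HOURS_UTC = range(7, 19)  # 07:00 to 18:59 UTC


def parse_activity_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            rec = json.loads(line)
            # ISO 8601 with a trailing Z; rewrite to an explicit offset for fromisoformat.
            rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
            records.append(rec)
    return records


def review_activity(records):
    """Return (reason, user, action, site) tuples for entries worth a closer look."""
    findings = []
    for rec in records:
        user, action, site = rec["user"], rec["action"], rec["site"]
        if action in SENSITIVE_ACTIONS and rec["time"].hour not in BUSINESS_HOURS_UTC:
            findings.append(("sensitive_action_off_hours", user, action, site))
        if action == "login" and site not in EXPECTED_SCOPE.get(user, set()):
            findings.append(("login_outside_expected_scope", user, action, site))
    return findings


def actions_per_user(records):
    """Summary of how many console actions each user performed."""
    return Counter(rec["user"] for rec in records)


if __name__ == "__main__":
    recs = parse_activity_log(SAMPLE_ACTIVITY_LOG)
    for finding in review_activity(recs):
        print(*finding)
    print(dict(actions_per_user(recs)))
```

On the constructed data this flags analyst.b's policy change and agent uninstall at 02:43 and 02:44 UTC and contractor.x's login to ClientC, while analyst.a's daytime work and analyst.b's in-scope login pass unremarked. Pairing the audit log with an explicit per-user scope roster is what turns a list of actions into a least-privilege check.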
Step 9: Reporting and Automation
- Generate reports on security metrics and incidents for analysis and compliance.
- Explore automation features for running scripts that can remediate vulnerabilities across multiple devices.
Step 10: Configuring Notifications
- Set up notifications for different security events via email or syslog.
- Customize your notification settings to ensure the right personnel are alerted to potential threats.
Conclusion
This tutorial outlines the essential features and functionalities of the SentinelOne MSSP console. By following these steps, users can effectively navigate the platform, manage security for multiple clients, and respond to threats. For further learning, consider delving into specific features in more detail in future tutorials. Stay tuned for the next part of the SentinelOne training series for deeper insights into each function.