
SentinelOne

More Capability. Less Complexity. SentinelOne is pioneering the future of cybersecurity with autonomous, distributed endpoint intelligence aimed at simplifying the security stack without forgoing enterprise capabilities. Our technology is designed to scale people with automation and frictionless threat resolution. Are you ready?

Integrations

SentinelOne

With the SentinelOne integration, users can interact with agents, threats, hashes, exclusions and blocklist items inside the SentinelOne platform. These capabilities let customers determine whether a threat is malicious and then run automated responses, such as isolating an infected endpoint from the network.

The following actions are available:

  • Get Endpoint - Retrieve an endpoint's details. An endpoint is referred to as an "agent" inside the SentinelOne platform.
  • List Threats - Return all threats that meet the filter criteria.
  • List Endpoints - Return all agents that meet the filter criteria.
  • Get Hash Reputation - Get the reputation of a hash, given the required SHA1.
  • Create Blocked Item - Create a blocklist item for a SHA1 hash, for the scopes you enter in the filter fields. You can add the hash to multiple Groups, Sites, Accounts, and to the Global list.
  • Delete Blocked Items - Delete items based on their hash IDs.
  • Create Exclusion - Create exclusions to make your agents suppress alerts and mitigation for items that you consider to be benign or which you require for interoperability.
  • Update Exclusion - Update an exclusion's details.
  • Delete Exclusions - Delete exclusions by referencing their exclusion IDs.

This app can be found in the ThreatConnect App Catalog under the name: SentinelOne


Built By ThreatConnect

SentinelOne with Polarity

The Polarity - SentinelOne integration enables analysts to get the most out of their SentinelOne EDR platform. By quickly searching indicators for the endpoints they relate to and the potential threats involved, analysts can fully understand their endpoints and how vulnerable they are. Analysts can also edit policies, isolate or disconnect vulnerable endpoints from the network, and add threats to blocklists.

Examples

IP Lookups

  • Summary Tags: When running a search on an IP, analysts can quickly tell whether it is associated with any endpoints, what the device is and whether it is actively connected.
  • Isolate/Disconnect: When drilling into the SentinelOne details, analysts can quickly isolate or disconnect the device from the network if the other context they have indicates that the action should be taken.
  • Indicator Details: If the analyst only wants additional context, they can quickly find out when the device was last active, its health status, its version, its user and much more.

IP Lookups Continued

  • Edit Policy: When clicking into the details of an IP address, analysts can also view and edit the policy information associated with that device. If necessary they can edit all policy information, ranging from the scope to the threat and protection levels and more, allowing analysts to make the correct decision quickly once they have all the necessary context.

Hash Lookups

  • Summary Tags: When an analyst searches a hash in the SentinelOne integration, they can quickly understand the threat landscape of that hash: the number of threats, the threat classification and whether it is malicious.
  • Blocklist: When clicking into the details, analysts can quickly add the file associated with the hash to the blocklist, preventing any other users from executing the file.
  • Threat Context: If the analyst only wants more information related to the hash, they can quickly find the path it occupies on the user's machine, any actions previously taken against it, the threat classification, whether any policies have been executed against it and which endpoints it affects.
Built By Polarity