The dashboard is very simple, but if you were running SentinelOne on a large network you could easily be overwhelmed with events. For example, a single, mostly clean endpoint could generate dozens of behaviors within a few days. Unlike its competitors’ dashboards, not many elements are actionable or clickable directly.
When SentinelOne finds a piece of malware, it will tell you where it was first seen on your network, along with the reputation of the attack vector as reported by dozens of security services. If you want to add your own feeds, you will have to pay the company to add them as a customization, although the company plans on exposing this feature through its API in the second half of the year.
In addition, it connects to VirusTotal, where you can view the hash and other metadata of the exploit. And like other products in this review, it offers a graphical “story line” of the attack, where you can see which infected processes it used to find its way into your endpoints. Threat information can be downloaded in one of several common formats, including CEF, STIX, and OpenIOC. Additional reports can be downloaded as either JSON or CSV files from the Analyze menu page.
At the top right of each screen is a simple traffic light icon that changes color when the tool finds an active threat (red) or has mitigated it (yellow). On an active network, chances are it will always be showing yellow.
Its settings sheet has a simple collection of on/off switches: one enables cloud-based machine intelligence, another turns on its “learning mode” to establish a baseline of normal operations. The settings screen also controls the automated actions it can take, such as sending alerts, killing a process, disconnecting a PC from the network, manually remediating a PC by deleting files, rolling files back to the versions that existed before malware such as ransomware executed, or quarantining something.
Its network containment feature has two toggle switches: one is auto-immune mode, where agents share new intelligence with each other to proactively block threats, and the second blocks all connectivity to the endpoint except from the server’s control panel. When you disconnect or contain a PC via these actions, you can still manage it from the console, which is similar to competitors’ products.
SentinelOne installed quickly but has some installation limitations. Its agent requires a dual-core CPU and at least 2GB of RAM to operate. For Windows endpoints a reboot is required, and the software does show up as a running app in the Control Panel. It supports Windows 7 through 10, including the R2 versions of Windows Server 2008 and 2012.
If you are running the original Windows 7 OS, you need to install this patch. It also supports Macs and CentOS and Red Hat Linux endpoints. Its Linux-based server is available in both SaaS and on-premises versions, along with several virtual machine packages for Microsoft Hyper-V, VMware and Citrix Xen. That is a nice, comprehensive collection of endpoints and VM environments.