Home  >  Results  >  SentinelOne  >  Configuration

SentinelOne Configuration

The following product description and configuration information was provided by the vendor and has been included in its unedited form. Any MITRE comments are included in italics.

Product Versions


SentinelOne is an autonomous endpoint protection platform and enterprise detection and response platform (EPP+EDR) delivered in a single agent. The agent's role is to protect the endpoint from malicious activity at any stage of the attack chain - from the successful exploit to the last payload operation. It can detect threats either pre-execution using a machine-learning based file scanner or on-execution using a unique behavioral engine with both predefined detection logics and a behavioral AI layer while also offering various response actions.

All detection engines are localized to the agent so there is no cloud reliance for determination of threat or automated response action. The AI detection engines are continuously trained. The agent monitors the endpoint via kernel driver, process injections for user mode monitoring (hooking, traps etc), this allows the Behavioral Engine to maintain context over dynamic operations that is not based on a simple process trees. Our "smart attribution" mechanism is able to truly attribute operations, to the point where every event coming from an injected code, execution of APC to a remote process, RPC requests from a system process (using COM objects, WMI etc) and much more are "re-attributed" to the original caller. This mechanism differentiates our ability to handle many types of execution manipulations commonly done by attackers. This visibility is applied in real time to the threat models which allows for conviction of a "story" as soon as it becomes malicious. The agent can detect malicious behavior and threats immediately, offering detection of key infiltration and attack events as defined by the MITRE ATT&CK framework.

Also integrated within the single agent is an endpoint detection and response engine (EDR) that facilitates threat hunting and response investigation by collecting many OS events (process, file, network, user) with full context attribution (same mechanism used in the detection engines). All of the data is streamed to a central database which is then made available for analyst queries. Response actions available within the SentinelOne platform include Kill, Quarantine, Network Isolation, one-click remediation, and a unique feature called Rollback. The solution offers protection, visibility, simplicity and automation for any business or governmental organization. We support Windows, Mac and Linux as well as virtualized technologies. Management can be cloud-delivered or on-premise. Lastly, SentinelOne can replace traditional AV or complement it by running concurrently.


    Policy Configuration: Detect / Detect (no prevention enabled); all analysis engines; turned on; Deep Visibility enabled
    Additional Configuration:
  • Custom build allowing for credentials to be dumped (e.g. mimikatz, hashdump, etc.)
  • Agent version is not publicly available due to above modification; out of box configuration blocks output resulting from various credential attacks