SentinelOne

SentinelOne is next-generation antimalware software that identifies malware and malicious behavior. Using machine learning and predictive modeling, it can detect, isolate, and remediate threats. SentinelOne is the replacement antimalware/antivirus for university-owned devices that were using Trellix (formerly McAfee). Our subscription includes SentinelOne's Vigilance team, a Managed Detection and Response (MDR) service that provides 24/7/365 coverage for all installed agents.

SentinelOne is required on all UH-owned endpoints (desktops, laptops) and servers. It can be installed on Windows, macOS, and Linux (RHEL and Debian derivatives).

Management Basics

UH IT Specialists will have access to a central console to manage their endpoints and servers. The console provides insight into detections, environment inventory, installed applications, and risks.

NOTE: Log in to the console regularly to avoid being locked out for inactivity. If you are locked out, contact UH Information Security to re-enable your account.

Expectations

  • Install SentinelOne on all university-owned endpoints and servers
  • Tag assets appropriately (tags help with triaging assets by priority)
  • Define agent upgrade policies (test each upgrade on a small group of devices, selected by asset tag, before deploying it to the entire scope)
  • Review alerts to determine whether flagged files are needed for operations, and notify InfoSec if an exclusion is necessary. If malicious files are found, investigate to ensure the source of the file is remediated as well.
  • Use groups to organize devices. Groups make it easier to scope exclusions to applications installed only in that group, and to identify the risk level of endpoints by department (e.g., HR, fiscal).

Endpoint Organization and Management

  • Installing SentinelOne Agents onto Endpoints and Servers

Optional Management Functions

  • STAR custom rules for threats
  • Add items to blocklists
  • Locations
  • Notification Settings
  • Device Control Policies

Exclusions

To prevent software conflicts, validate SentinelOne against your specific applications and server environments before deploying it broadly. We recommend installing it on a test machine configured with your standard build to identify any necessary exclusions.

If an exclusion is necessary for your application, contact InfoSec to have it added. Provide the links the installer was downloaded from to help with the investigation.

Responding to Alerts

The Vigilance MDR analysts review all alerts and assign a verdict 24/7/365. If you take action on an alert before the Vigilance team responds, the alert leaves their ticket queue and you become responsible for initiating the mitigation actions for that device. Only mark an alert as a false positive when you are completely confident the flagged item is safe.

By default, threats identified as malicious are automatically killed and the executable quarantined. For threats identified as suspicious, you must run the mitigation actions yourself once you determine the threat is malicious. When responding to dynamic (behavioral) threats, be sure to also select the remediate action to remove persistence mechanisms (e.g., registry keys, scheduled tasks, or dropped executables).

You are responsible for verifying that these artifacts have been successfully purged from the device.
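The triage rules above (leave verdicted alerts alone, kill and quarantine anything malicious that was not auto-mitigated, remediate dynamic detections to remove persistence, and verify what the agent already handled) are the kind of thing IT Specialists end up automating against the console's Management API. The script below is an added example, not code from UH or SentinelOne. The threat records are constructed, and the field names (`threatInfo.analystVerdict`, `threatInfo.confidenceLevel`, `threatInfo.detectionType`, `threatInfo.mitigationStatus`, the top-level `mitigationStatus` action list, and the `/web/api/v2.1/threats/mitigate/{action}` endpoint) follow the v2.1 API as the author of this example understands it; confirm them against your console's API documentation before using this against production.

```python
"""Triage helper for SentinelOne threat records.

Added example, not UH or SentinelOne code. Field names follow the
Management API v2.1 threat object (GET /web/api/v2.1/threats) as the author
understands it; verify against your console's API reference. All records
below are constructed samples with placeholder IDs.
"""
from collections import defaultdict

# Constructed threat records covering the four cases the runbook describes.
SAMPLE_THREATS = [
    {   # Static detection that Vigilance already marked benign: do nothing.
        "id": "1001",
        "threatInfo": {"analystVerdict": "false_positive", "confidenceLevel": "suspicious",
                       "detectionType": "static", "mitigationStatus": "marked_as_benign"},
        "mitigationStatus": [],
    },
    {   # Malicious static file: agent auto-killed and quarantined it.
        "id": "1002",
        "threatInfo": {"analystVerdict": "undefined", "confidenceLevel": "malicious",
                       "detectionType": "static", "mitigationStatus": "mitigated"},
        "mitigationStatus": [{"action": "kill", "status": "success"},
                             {"action": "quarantine", "status": "success"}],
    },
    {   # Malicious behavioral (dynamic) detection: killed, persistence not removed.
        "id": "1003",
        "threatInfo": {"analystVerdict": "undefined", "confidenceLevel": "malicious",
                       "detectionType": "dynamic", "mitigationStatus": "mitigated"},
        "mitigationStatus": [{"action": "kill", "status": "success"},
                             {"action": "quarantine", "status": "success"}],
    },
    {   # Suspicious, nothing auto-mitigated: a human has to decide.
        "id": "1004",
        "threatInfo": {"analystVerdict": "undefined", "confidenceLevel": "suspicious",
                       "detectionType": "dynamic", "mitigationStatus": "not_mitigated"},
        "mitigationStatus": [],
    },
]

# Mitigation actions the v2.1 mitigate endpoint accepts (assumption, see lead-in).
MITIGATION_ACTIONS = {"kill", "quarantine", "remediate", "rollback"}


def completed_actions(threat):
    """Mitigation actions that the agent reports as successful on this threat."""
    return {m["action"] for m in threat.get("mitigationStatus", [])
            if m.get("status") == "success"}


def triage(threat):
    """Map one threat record to the operator action the runbook calls for."""
    info = threat["threatInfo"]
    done = completed_actions(threat)
    if info["analystVerdict"] == "false_positive":
        return "none"                          # already verdicted benign
    if info["confidenceLevel"] == "malicious":
        if not {"kill", "quarantine"} <= done:
            return "mitigate_kill_quarantine"  # automatic mitigation did not complete
        if info["detectionType"] == "dynamic" and "remediate" not in done:
            return "remediate"                 # strip persistence (run keys, tasks, drops)
        return "verify_artifacts_purged"       # agent handled it; confirm on the host
    if info["confidenceLevel"] == "suspicious":
        if info["mitigationStatus"] == "not_mitigated":
            return "investigate"               # mitigate only if you judge it malicious
        return "verify_artifacts_purged"
    return "wait_for_vigilance"                # unknown confidence: leave it in their queue


def plan(threats):
    """Group threat IDs by required action so each action is one API call."""
    grouped = defaultdict(list)
    for t in threats:
        grouped[triage(t)].append(t["id"])
    return dict(grouped)


def mitigation_request(action, threat_ids):
    """(method, path, body) for a mitigation call. Endpoint shape is an assumption."""
    if action not in MITIGATION_ACTIONS:
        raise ValueError(f"unknown mitigation action: {action}")
    return ("POST", f"/web/api/v2.1/threats/mitigate/{action}",
            {"filter": {"ids": sorted(threat_ids)}})


if __name__ == "__main__":
    for action, ids in plan(SAMPLE_THREATS).items():
        print(f"{action}: {ids}")
    print(mitigation_request("remediate", plan(SAMPLE_THREATS)["remediate"]))
```

The helper only builds request tuples; sending them requires an API token with the mitigation scope and, per the responsibility rule above, you should only fire them for threats you are prepared to own rather than for the whole unresolved queue.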