What is SentinelOne Singularity?
SentinelOne Singularity is an Endpoint Detection and Response (EDR) platform that lets IT, DevOps, and security teams monitor activity on hosts connected to their network. Its purpose is to monitor endpoints for known threats, alert security operations when something is wrong, and prevent attackers from deploying malware.
SentinelOne Singularity can launch Cyber Triage collections remotely using a PowerShell script.
Whom is it built for?
Internal IR Teams.
Why is it useful?
EDRs will not be the sole source of evidence in your investigation. You’ll need to collect additional artifacts on the hosts you suspect were involved in the incident. This will mean bringing them into your DFIR analysis environment.
Where is it used?
The Cyber Triage/SentinelOne integration allows you to deploy a Cyber Triage collection at scale to many hosts at once or when activated by an alert trigger.
What are the deployment options?
- Push via EDR: Some EDRs can copy one or more files over. The files could be either the tool itself or a script that will download tools. For example, SentinelOne RemoteOps and Windows Defender can store scripts and tools on the central server and push them out as needed. This approach allows for the greatest amount of automation.
- Remote Shell: Some EDRs will provide you a remote PowerShell prompt (or similar). From there, you can use a command such as Invoke-WebRequest to download the scripts or tools from a URL. This approach may require you to configure a web server to host the data and requires you to type in commands on each system.
- Manual Copy: If the target system has file sharing enabled, you can manually copy the files by mounting the remote C$ share or using various PowerShell file copy commands. This approach requires you to keep track of where you copied the files to, and you’ll still need a shell from the EDR at some point to launch those programs.
- File Share: Store your DFIR tools on a file share that each host has access to. You can then launch the tools from there. Note that permissions can be challenging in some environments depending on what account the EDR runs as.
- Baseline: You can include the DFIR tools in the base image on all systems so that they are there in case of an incident. The main challenge with this approach is making sure the copy on the system is up to date and hasn’t been tampered with. Like the previous approach, you’ll also need to make sure your EDR will give you a shell to launch these programs.
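The Remote Shell and Baseline options above both hinge on getting a trustworthy copy of the tool onto the host. The following PowerShell script, added here as an example and not the Cyber Triage Collector Deployer script itself, downloads a collector with Invoke-WebRequest, refuses to run it unless its SHA-256 matches a known-good value, and records the launch and exit code in a log. The URL, expected hash, working directory and collector arguments are placeholders for your environment.

```powershell
# Added example (not Cyber Triage's or SentinelOne's own script): fetch a collector
# over HTTPS, verify its SHA-256 before running it, and log the result.
# URL, hash, directory and collector arguments are placeholders; replace them for your environment.
param(
    [string]$ToolUrl        = "https://tools.example.internal/collector.exe",  # hypothetical
    [string]$ExpectedSha256 = "<SHA256-OF-YOUR-KNOWN-GOOD-COLLECTOR>",         # placeholder
    [string]$WorkDir        = "C:\IR",                                          # assumed
    [string[]]$ToolArgs     = @("--output", "C:\IR\out")                        # hypothetical
)

$ErrorActionPreference = "Stop"
$log = Join-Path $WorkDir "deploy.log"

function Write-Log([string]$Message) {
    # One timestamped line per event, tagged with the host so logs from many endpoints can be merged
    $line = "{0:u} {1} {2}" -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $log -Value $line
    Write-Output $line
}

if (-not (Test-Path $WorkDir)) { New-Item -ItemType Directory -Path $WorkDir | Out-Null }
$toolPath = Join-Path $WorkDir "collector.exe"

# Step 1: download. Older Windows builds default to TLS 1.0, which many HTTPS hosts reject.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Write-Log "Downloading $ToolUrl"
Invoke-WebRequest -Uri $ToolUrl -OutFile $toolPath -UseBasicParsing

# Step 2: integrity check. Get-FileHash returns uppercase hex, so normalize the expected value too.
$actual = (Get-FileHash -Path $toolPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpper()) {
    Write-Log "Hash mismatch: expected $ExpectedSha256, got $actual; aborting"
    Remove-Item -Path $toolPath -Force
    exit 1
}
Write-Log "Hash verified: $actual"

# Step 3: launch the collector and wait, so the EDR job reports the collector's real exit code
$proc = Start-Process -FilePath $toolPath -ArgumentList $ToolArgs -Wait -PassThru -NoNewWindow
Write-Log "Collector exited with code $($proc.ExitCode)"
exit $proc.ExitCode
```

The same script serves the Baseline option if the download step is removed and the hash check is run against the copy already in the image, which is how tampering with the pre-staged tool would be caught.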
What is the required Cyber Triage version?
- Blog Post: EDRs don’t collect all DFIR artifacts, but they can help you do it
- Documentation: Collect with SentinelOne Singularity
- Documentation: Collector Deployer Powershell Script
*For more information about this integration, contact our sales team: firstname.lastname@example.org.