SentinelOne Best Practices for Policy Modes 


Policy settings determine how the SentinelOne Agent detects and responds to threats. SentinelOne offers a wide range of policy settings that give you fine-grained control over how endpoints are secured.


To help you decide which policy settings to use, we have gathered best practices for policy management from SentinelOne experts and from SentinelOne's global install base.


Note: These policy settings should serve as a guide, but manual judgment is required, based on your organization's culture, requirements, regulatory compliance, and other proprietary factors. Keep your Risk Level Management processes in mind as you balance your policies between security automation and performance.

 

Definitions 

Detect 

Sets the Agent action: Send alerts but do not automatically mitigate.


Malicious 

Agent AI result with a high confidence that a detection is malicious and a readiness level of Mitigate. 


Policy 

Set of mitigation actions that defines the behavior of SentinelOne Agents and their detection engines. 


Protect 

Sets the Agent action: Automatically mitigate malicious detections with process kill (for known and unknown threats), file quarantine, and remediate (if there are malicious changes) or rollback (for ransomware). Send Mitigated Threat alerts.


Note:  If a benign detection is quarantined, you can un-quarantine it. 


Suspicious 

Agent AI result with a low confidence that a detection is malicious and a readiness level of Validate (usually requires manual analysis). The file or process behavior shows it does or can do harm or creates harmful files or processes. 


 

Best Practices for Protection Modes 

Malicious Threat: Protect, Suspicious Threat: Detect (Default Policy)

What to expect?

The Agent automatically mitigates malicious threats with process kill and file quarantine. For suspicious detections, the Agent sends Suspicious Activity alerts without automatic mitigation.


Risk Level: 

Medium. This policy balances automatic mitigation of high-confidence threats against undisturbed business activity and performance, which can be interrupted if false positives are blocked.


When to use? 

This is the default recommended policy mode for mass deployments. It is the most popular with the SentinelOne install base. 

Malicious Threat: Protect, Suspicious Threat: Protect

What to expect? 

All threats and suspicious activities are automatically mitigated. 


Risk Level: 

Low. Complete automatic security. 


When to use? 

This option gives the highest level of security and real-time protection. It is required for the SentinelOne ransomware warranty. 

Use cases: 

  • Organizations that lack the analyst headcount to manually mitigate all threats. The impact is the possibility of false positives that automatically block and quarantine benign events and applications.

  • Organizations with multiple endpoints that are constantly exposed to risk, such as a professional services group whose users connect every day to client environments with unknown risk.

  • Early adopter organizations with small deployments. The impact is the need to search for false positives and change the default policy if endpoint performance is impacted.

Malicious Threat: Detect, Suspicious Threat: Detect

What to expect? 

All malicious activities create Active Threat or Suspicious Activity alerts but no mitigation occurs. 


Note: No execution is blocked when in Detect mode. In earlier Windows Agent versions (before 3.1), the Agent blocked execution of threats that are known by SentinelOne Cloud Intelligence Service or on your blocklist. 


Risk Level: 

High. Threats of all kinds will execute until you manually mitigate them. 


When to use? 

This is not recommended as an organization-wide long-term policy. The implied Risk Level is too high, and the benefits of an autonomous Agent that can prevent threats are not realized. You can set this policy for endpoints with very high sensitivity to business process interruptions, such as production floor servers. But we recommend that you use this policy only for a short learning phase. This gives you the opportunity to closely monitor and resolve false positives with best-practice exclusions before you move the endpoints to Protect.
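The learning phase described above leaves a backlog of Not Mitigated alerts that an analyst has to turn into either exclusions or manual mitigations. The following script, an added example that is not part of the SentinelOne guide or product, groups such alerts by file, separates exclusion candidates from detections that Protect mode would have blocked, and makes the false-positive cost behind the Risk Level ratings visible. The threat records are constructed, and their field names (threatInfo.sha1, filePath, confidenceLevel, mitigationStatus, analystVerdict, agentRealtimeInfo.agentComputerName) are assumptions modelled on the Management API threat object; verify them against your console's API reference before running it on real exports.

```python
"""Triage threats collected during a Detect-mode learning phase.

Added example for this guide, not SentinelOne code. The record layout
(threatInfo.sha1, filePath, confidenceLevel, mitigationStatus,
analystVerdict, agentRealtimeInfo.agentComputerName) is an assumption
modelled on the Management API threat object; verify it against your
console's API reference before using it on real exports.
"""
from collections import Counter

# Endpoints on which a suspicious-only detection must recur before it is
# treated as a likely false positive. A tuning knob for this example, not
# a SentinelOne setting.
MIN_HOSTS_FOR_EXCLUSION = 3


def make_threat(tid, sha1, path, confidence, host, verdict="undefined"):
    """Build one constructed threat record in the assumed API shape."""
    return {
        "id": tid,
        "threatInfo": {
            "sha1": sha1,
            "filePath": path,
            "confidenceLevel": confidence,        # "malicious" or "suspicious"
            "mitigationStatus": "not_mitigated",  # Detect mode never mitigates
            "analystVerdict": verdict,            # undefined/true_positive/false_positive
        },
        "agentRealtimeInfo": {"agentComputerName": host},
    }


# Constructed sample: alerts from a fictional two-week Detect/Detect phase.
SAMPLE_THREATS = [
    make_threat("t1", "aa" * 20, r"C:\Tools\PsExec.exe", "suspicious", "WS-01", "false_positive"),
    make_threat("t2", "aa" * 20, r"C:\Tools\PsExec.exe", "suspicious", "WS-02"),
    make_threat("t3", "aa" * 20, r"C:\Tools\PsExec.exe", "suspicious", "WS-03"),
    make_threat("t4", "bb" * 20, r"C:\Users\jdoe\Downloads\invoice.exe", "malicious", "WS-07"),
    make_threat("t5", "cc" * 20, r"C:\ProgramData\build\agent.exe", "suspicious", "BLD-01"),
]


def summarize_learning_phase(threats, min_hosts=MIN_HOSTS_FOR_EXCLUSION):
    """Group Detect-mode threats by (sha1, path) and assign a next action.

    mitigate_now        malicious confidence or a true-positive verdict; under
                        Protect the Agent would already have killed and
                        quarantined it, so mitigate it manually now.
    exclusion_candidate an analyst called it a false positive, or a
                        suspicious-only detection recurs on >= min_hosts
                        endpoints; review it and add a best-practice exclusion
                        before moving the endpoints to Protect.
    validate            suspicious detection that still needs analyst review.
    """
    groups = {}
    for t in threats:
        info = t["threatInfo"]
        key = (info["sha1"], info["filePath"])
        g = groups.setdefault(key, {
            "sha1": info["sha1"], "path": info["filePath"],
            "confidence": info["confidenceLevel"],
            "hosts": set(), "verdicts": Counter(),
        })
        if info["confidenceLevel"] == "malicious":
            g["confidence"] = "malicious"  # malicious on any host wins
        g["hosts"].add(t["agentRealtimeInfo"]["agentComputerName"])
        g["verdicts"][info["analystVerdict"]] += 1

    rows = []
    for g in groups.values():
        verdicts = g["verdicts"]
        if verdicts["true_positive"] or g["confidence"] == "malicious":
            action = "mitigate_now"
        elif verdicts["false_positive"] or len(g["hosts"]) >= min_hosts:
            action = "exclusion_candidate"
        else:
            action = "validate"
        rows.append({"path": g["path"], "sha1": g["sha1"],
                     "confidence": g["confidence"],
                     "hosts": len(g["hosts"]), "action": action})
    return sorted(rows, key=lambda r: r["path"])


def protect_impact(rows):
    """What Protect/Protect would have done with the same detections.

    Returns (files_blocked, benign_files_blocked): every detection is killed
    and quarantined, so each exclusion candidate is benign software that
    would have been blocked. That is the false-positive cost behind the
    Low versus Medium Risk Level trade-off.
    """
    blocked = len(rows)
    benign = sum(1 for r in rows if r["action"] == "exclusion_candidate")
    return blocked, benign


if __name__ == "__main__":
    summary = summarize_learning_phase(SAMPLE_THREATS)
    for row in summary:
        print(f'{row["action"]:20} {row["confidence"]:10} hosts={row["hosts"]}  {row["path"]}')
    print("Protect/Protect would have blocked %d files, %d of them benign" % protect_impact(summary))
```

Run it against an export of threats filtered to the learning-phase time window and mitigation status Not Mitigated; work the exclusion candidates first, because they are exactly the detections that would have interrupted users once the policy moves to Protect, and leave the recurrence threshold conservative so a file seen on one host still goes through analyst validation.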

 

Best Practices for Detection Engines and Agent 

  • All Detection Engines are enabled. 

  • The Detect Interactive Threat engine is enabled and shows in the policy when Advanced Mode is enabled. If you do not see it, enable Advanced Mode in Configuration.

  • The Application Control engine applies only to container workloads (Linux and K8s endpoints) and is not required for other endpoints.

  • Anti Tamper is enabled. 

  • Snapshots is enabled. 

  • Scan New Agents is enabled. 

 

Things to keep in mind… 

  • You may want to turn on remediate and rollback for full automated remediation of threats. You can leave remediate and rollback turned off if you want your analyst or tech support to investigate each threat and determine if additional remediation is required. 

  • For critical servers that shouldn’t be disconnected from the network, make sure to leave Containment – Disconnect from network turned off.  

 

Below is a full comparison of the default and recommended policy settings.   


Protection Mode Configuration

Each setting is listed with its default configuration and the recommended configuration.

Malicious Threat (Default: Protect, Recommended: Protect)

When set to Detect: The Agent sends Not Mitigated Threat alerts when it detects a malicious threat. It does not automatically mitigate.

When set to Protect: The Agent automatically kills all processes, and quarantines files, that it determines with high confidence are malicious, and sends Mitigated Threat alerts. This gives the highest level of automatic security and real-time protection. It is required for the SentinelOne ransomware warranty.

Suspicious Threat (Default: Detect, Recommended: Protect)

When set to Detect: The Agent sends Not Mitigated Threat alerts when it detects a suspicious threat. It does not automatically mitigate.

When set to Protect: The Agent automatically kills all processes, and quarantines files, that it suspects are malicious, and sends Mitigated Threat alerts. This gives the highest level of automatic security and real-time protection. It is required for the SentinelOne ransomware warranty.

Protect Level (Default: Kill & Quarantine, Recommended: Kill & Quarantine)

When the Agent detects malicious or suspicious processes that the Malicious Threat and Suspicious Threat settings above say to protect against, it automatically kills the processes and quarantines the files.

Malicious Macro Mitigation (Default: Disabled, Recommended: Disabled)

Defines the automatic mitigation of Office files that contain malicious VBA macro modules.

When disabled, the Agent quarantines the Office file that contains the malicious macro; the macro is not removed from the file itself.

When enabled, the Agent removes the malicious macros from the Office file instead of placing the file in quarantine.

Containment: Disconnect from network (Default: Disabled, Recommended: Disabled; available from Management version S-24.2.6)

When disabled, the Agent does not disconnect endpoints from the network when a threat is found after the threat has executed.

When enabled, endpoints are disconnected from the network when a threat is found after the threat has executed. Endpoints are not disconnected when a threat is detected pre-execution (by the Reputation or Static AI engines), because the threat is not active.

 


Detection Engines Settings

Each engine is listed with its default configuration and the recommended configuration.

Reputation (Default: Enabled, Recommended: Enabled)

A threat intelligence engine that matches on-disk file hashes against threat intelligence feeds and user-defined blocklists, so that no known malicious file is written to disk or executed. You cannot disable this engine.

Applies to all endpoints.

Static AI (Default: Enabled, Recommended: Enabled)

A Static AI engine that uses machine learning and heuristics (through YARA rules) to scan for malicious files that are executed or written to disk. Malicious detections have a high confidence score generated by the Static AI engine.

Applies to all endpoints.

Static AI - Suspicious (Default: Enabled, Recommended: Enabled)

A Static AI engine that uses machine learning and heuristics (through YARA rules) to scan for suspicious files that are executed or written to disk. Suspicious detections have a moderate confidence score generated by the Static AI engine.

Applies to all endpoints.

Behavioral AI - Executables (Default: Enabled, Recommended: Enabled)

A Behavioral AI engine that uses machine learning to detect process chains associated with malicious activity. It detects malicious activity in real time, as processes execute.

Applies to all endpoints.

Documents, Scripts (Default: Enabled, Recommended: Enabled)

A Behavioral AI engine that uses machine learning to detect malicious documents and scripts.

Applies to all endpoints. Disabling this engine only takes effect on Windows endpoints.

Lateral Movement (Default: Enabled, Recommended: Enabled)

A Behavioral AI engine that detects attacks initiated from remote devices: an attacker who has compromised one host on the network uses it to compromise other devices on the same network.

Applies only to Windows endpoints.

Anti Exploitation/Fileless (Default: Enabled, Recommended: Enabled)

A Behavioral AI engine focused on memory exploits and fileless attack techniques, such as web-related and command-line exploits.

Applies to all endpoints. Disabling this engine only takes effect on Windows endpoints.

Potentially Unwanted Applications (Default: Enabled, Recommended: Enabled)

A Static AI engine for macOS devices that inspects applications that are usually unsuitable for business networks and can potentially be used for malicious operations.

Applies only to macOS endpoints.

Application Control (Containers only) (Default: Disabled, Recommended: Enabled)

When enabled, the engine makes sure that only executables from the original container image run in the container, which preserves the immutability of containerized workloads. It supports both K8s clusters and other containerized workloads.

Applies only to Linux and K8s endpoints.

Detect Interactive Threat (Default: Disabled, Recommended: Enabled)

When enabled, this Behavioral AI engine detects malicious activity in interactive sessions (for example, an authenticated user runs malicious actions from a CMD or PowerShell command line). Because it detects malicious commands entered in a CLI, it is likely to generate false positives on endpoints with active, legitimate CLI users. The engine is shown in the policy only when Advanced Mode is enabled.

Applies only to Windows endpoints.

 

 

Agent Security Settings

Each setting is listed with its default configuration and the recommended configuration.

Snapshots (Default: Enabled, Recommended: Enabled)

When enabled, the Agent keeps VSS snapshots for rollback. If disabled, rollback is not available.

Applies only to Windows endpoints.

Anti-Tamper (Default: Enabled, Recommended: Enabled)

When enabled, the Agent does not let end users, or malware, change, uninstall, or disable the Agent.

Applies to all endpoints.

Scan New Agents (Default: Enabled, Recommended: Enabled)

When enabled, Agents run a Full Disk Scan when they first connect to the Management. The Full Disk Scan finds dormant threats, suspicious files, and compliance violations, which are then mitigated according to the Malicious Threat and Suspicious Threat settings of the policy.

Applies to all endpoints.

Suspicious Driver Blocking (Default: Enabled, Recommended: Enabled)

When enabled, a preemptive engine prevents suspicious Windows kernel drivers from loading. These driver types are blocked:

  • Drivers without a digital signature.
  • Drivers without a valid timestamp for their digital signature.
  • Unauthorized drivers.
  • Drivers published by unauthorized entities.
  • Drivers that exhibit suspicious behavior or characteristics.
  • Drivers added to the Blocklist.

In addition, we recommend that you also enable blocking of all suspicious Windows drivers, both signed and unsigned.

Applies only to Windows endpoints with Agent versions 23.4 and higher.

Logging (Default: Enabled, Recommended: Enabled)

When enabled, the Agent saves logs for troubleshooting and Support.

Applies only to Windows endpoints.

Local Upgrade/Downgrade: Online authorization (Default: Disabled, Recommended: Enabled)

When enabled, end users must get authorization before they can locally upgrade (or downgrade) Agents.

If you enable this setting, you must go to the Local Upgrade Authorization page to authorize local upgrades.

 

 

Default Event Collection Settings

Each setting is listed with its default configuration and the recommended configuration.

Enable or Disable Deep Visibility (Default: Disabled, Recommended: Enabled)

Deep Visibility is enabled or disabled for this scope. When enabled, Agents send Deep Visibility data to the Management.

Applies to all endpoints.

Process (Default: Disabled, Recommended: Enabled)

When enabled, Agents collect created and changed processes.

Applies to all endpoints.

File (Default: Disabled, Recommended: Enabled)

When enabled, Agents collect created, changed, or deleted files.

Applies to all endpoints.

URL (Default: Disabled, Recommended: Enabled)

When enabled, Agents collect visited sites. Requires the SentinelOne browser extension for most browsers.

Applies to all endpoints.

DNS (Default: Disabled, Recommended: Enabled)

When enabled, Agents collect DNS connection data.

Applies to all endpoints.

IP (Default: Disabled, Recommended: Enabled)

When enabled, Agents collect incoming and outgoing connection data.

Applies to all endpoints.

Login (Default: Disabled, Recommended: Enabled)

When enabled, Agents collect login-related events.

Applies only to Windows and macOS endpoints.

Registry Keys (Default: Disabled, Recommended: Enabled)

When enabled, Agents collect events that add, edit, or remove registry keys.

Applies only to Windows endpoints.

Scheduled Tasks (Default: Disabled, Recommended: Enabled)

When enabled, Agents collect scheduled task data.

Applies only to Windows endpoints.

Behavioral Indicators (Default: Disabled, Recommended: Enabled)

When enabled, Agents collect and organize data on suspicious behavior and techniques.

Applies to all endpoints.

Command Scripts (Default: Disabled, Recommended: Enabled)

When enabled, Agents collect PowerShell and other command-line scripts.

Applies only to Windows endpoints.

Cross Process (Default: Disabled, Recommended: Enabled)

When enabled, Agents collect events between processes.

Applies to all endpoints.

Named Pipes (Default: Disabled, Recommended: Enabled)

When enabled, Agents collect created named pipes and remote connections.

Applies only to endpoints with Windows Agent 22.4 and higher.

Driver Load (Default: Disabled, Recommended: Enabled)

When enabled, Agents collect events that load drivers.

Applies only to Windows endpoints.

Data Masking (Default: Disabled, Recommended: Enabled)

When enabled, Agents mask the paths of ZIP, PDF, and Office documents.

Applies to all endpoints.

Focused File Monitoring (Default: Disabled, Recommended: Disabled)

When enabled, Agents focus file collection on binaries and files suspected to contain active content. This can significantly reduce network bandwidth consumption.

Applies only to endpoints with Windows and Linux Agents 22.3 and higher.

Automatically install Deep Visibility browser extensions (Default: Disabled, Recommended: Enabled)

Important: Do not select this option if your organization uses Google Workspace (formerly G Suite) to manage browser extensions.

When installed this way, the extension overrides other browser extensions deployed with Google Workspace. If your organization uses Google Workspace to deploy browser extensions, deselect this option and deploy the SentinelOne browser extension the same way you deploy other extensions.

Applies only to endpoints with Windows Agents 4.7 and higher.
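To turn the comparison above into a repeatable check, the following script, an added example that is not SentinelOne code, audits a policy object against the recommended configuration, reports each deviation, maps the two protection-mode settings to the guide's Risk Level, and produces a hardened copy of the policy. The key names (mitigationMode, mitigationModeSuspicious, engines.*, antiTampering, snapshotsOn, scanNewAgents, agentLogging), the API paths mentioned in the comments, and the sample policy are assumptions modelled on the Management API policy object and must be verified against the API reference of your console version; the Event Collection settings are not covered.

```python
"""Audit a SentinelOne policy against the recommended settings in this guide.

Added example for this guide, not SentinelOne code. The key names follow
the policy JSON of the Management API (assumed paths:
GET/PUT /web/api/v2.1/sites/{site_id}/policy, policy nested under "data").
Treat every key name as an assumption and check it against the API
reference of your console version. Event collection keys are not covered.
"""
import copy

# Protection-mode and Agent settings: recommended values per the guide.
RECOMMENDED_SETTINGS = {
    "mitigationMode": "protect",            # Malicious Threat: Protect
    "mitigationModeSuspicious": "protect",  # Suspicious Threat: Protect
    "antiTampering": True,                  # Anti-Tamper
    "snapshotsOn": True,                    # Snapshots, needed for rollback
    "scanNewAgents": True,                  # Scan New Agents
    "agentLogging": True,                   # Logging
}

# Detection engines: all enabled, including Detect Interactive Threat
# (visible in the console only with Advanced Mode).
RECOMMENDED_ENGINES = {
    "reputation": "on",
    "preExecution": "on",             # Static AI
    "preExecutionSuspicious": "on",   # Static AI - Suspicious
    "executables": "on",              # Behavioral AI - Executables
    "documentsScripts": "on",         # Documents, Scripts
    "lateralMovement": "on",          # Lateral Movement
    "exploits": "on",                 # Anti Exploitation/Fileless
    "pua": "on",                      # Potentially Unwanted Applications
    "remoteShell": "on",              # Detect Interactive Threat
}
# Application Control applies to container workloads (Linux/K8s) only.
CONTAINER_ENGINES = {"applicationControl": "on"}


def risk_level(policy):
    """Map the two protection-mode settings to the guide's Risk Level."""
    malicious = policy.get("mitigationMode")
    suspicious = policy.get("mitigationModeSuspicious")
    if malicious == "protect" and suspicious == "protect":
        return "Low"       # complete automatic security
    if malicious == "protect":
        return "Medium"    # default policy: suspicious detections alert only
    return "High"          # malicious threats run until mitigated manually


def audit_policy(policy, container_workloads=False):
    """Return "key: actual (recommended X)" strings; an empty list means compliant."""
    findings = []
    for key, want in RECOMMENDED_SETTINGS.items():
        got = policy.get(key)
        if got != want:
            findings.append(f"{key}: {got!r} (recommended {want!r})")
    engines = policy.get("engines", {})
    wanted_engines = dict(RECOMMENDED_ENGINES)
    if container_workloads:
        wanted_engines.update(CONTAINER_ENGINES)
    for key, want in wanted_engines.items():
        got = engines.get(key)
        if got != want:
            findings.append(f"engines.{key}: {got!r} (recommended {want!r})")
    return findings


def apply_recommended(policy, container_workloads=False):
    """Return a copy of the policy with the recommended values applied.

    The original is left untouched so the audit diff can be reviewed
    before the copy is sent back with PUT (assumed to expect {"data": ...}).
    """
    updated = copy.deepcopy(policy)
    updated.update(RECOMMENDED_SETTINGS)
    engines = updated.setdefault("engines", {})
    engines.update(RECOMMENDED_ENGINES)
    if container_workloads:
        engines.update(CONTAINER_ENGINES)
    return updated


# Constructed sample: a site still on the default policy described in this guide.
SAMPLE_DEFAULT_POLICY = {
    "mitigationMode": "protect",
    "mitigationModeSuspicious": "detect",
    "antiTampering": True,
    "snapshotsOn": True,
    "scanNewAgents": True,
    "agentLogging": True,
    "engines": {
        "reputation": "on", "preExecution": "on", "preExecutionSuspicious": "on",
        "executables": "on", "documentsScripts": "on", "lateralMovement": "on",
        "exploits": "on", "pua": "on", "applicationControl": "off",
        "remoteShell": "off",
    },
}

if __name__ == "__main__":
    print("risk level:", risk_level(SAMPLE_DEFAULT_POLICY))
    for finding in audit_policy(SAMPLE_DEFAULT_POLICY):
        print("drift:", finding)
    hardened = apply_recommended(SAMPLE_DEFAULT_POLICY)
    print("after apply:", risk_level(hardened), audit_policy(hardened))
```

Run the audit on the policy of every site or group after each Management upgrade, since new settings (such as Detect Interactive Threat) arrive disabled by default; review the findings before pushing the hardened copy, and pass container_workloads=True only for the Linux/K8s scopes where Application Control is relevant.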