CSEDR Update – How SentinelOne agents do what they do

June 26th, 2023
Occasionally the SentinelOne agents included in our CSEDR offering are operating but show a red "x", denoting that the agent is operational but not visible to the main SentinelOne console.

SentinelOne has updated their agents to better explain why they are not communicating. Most simple causes, such as local database corruption, are resolved by a reboot. That is why you may have had us reach out and ask for specific device reboots to keep the agent optimally configured.

We also send the weekly "CSEDR devices we haven't seen in a week" report to keep a constant focus on making sure all agents are working at full capacity, and on promptly addressing any that need help resolving whatever issues they are having.

From time to time we are asked what level of protection a SentinelOne agent provides when it is functioning but shows a red "x". Here is a more complete answer provided by one of the upstream SOCs watching over your SentinelOne deployments:

"All rules, policies and enforcements within SentinelOne are contained fully within the platform on the device itself. The console is used primarily to receive alerts fired locally for remediation, threat hunting of actions taken, forensics analysis, and acting upon the machine with tasks like disconnect/reconnect if a verified threat is discovered. If you have selected that option with us, disconnection due to a verified threat is fully automated. In the recent independent MITRE Engenuity Carbanak+FIN7 ransomware tests, there is a requirement to perform these tests independent of any cloud console connection, with the understanding that the first thing a threat actor may do is block the ports that effectuate console connectivity. In addition, there are multiple ways for the SOC team to access the logs on a device outside of the console, such as establishing an SSH connection to the device where required."

The bottom line is that a SentinelOne agent with a red "x" is fully operational and independently providing the same protection until such time as the console can see it again, which restores alerting, increased visibility, and more robust remediation from the Security Operations Center team.

Our goal is always to keep track of your agents and work with you as quickly as possible to re-establish that console connection, so that full visibility accompanies the basic, full protection the agent provides whenever it is alive and running on the endpoint.

If you have questions, let us know.

-Scott Quimby