This documentation explains Intezer's alert triage, response, and hunting solution for SentinelOne.
You can get clear response recommendations for every alert in SentinelOne by having Intezer investigate and triage the alerts for you. Here you can learn how Intezer automates alert triage, reduces false positives, classifies threats, extracts IOCs, and prioritizes response.
- How Intezer works with SentinelOne
- Intezer and SentinelOne Integration Benefits
- Setting up the connection for SentinelOne alerts
- Setting up Intezer's Live Endpoint Scanner
Get a quick overview of how Intezer's solution for SentinelOne works in this quick 3-minute video:
How Intezer works with SentinelOne
- SentinelOne detects malicious activity on an endpoint and creates an alert.
- Intezer fetches the relevant artifacts (files, URLs, processes, memory image) from the endpoint through SentinelOne for analysis and triage.
- Intezer provides analysis results and clear recommendations for every alert in SentinelOne, so your team knows what to do next.
- From Intezer’s analysis result in SentinelOne, you get the verdict, malware family information, additional context, and a link to Intezer’s full investigation, where you can review the findings, collect IOCs, or pick up related threat hunting queries.
- Additional indicators can be added to the SentinelOne blacklist, or turned into a custom detection rule from Intezer, so that SentinelOne alerts and performs an automated response the next time those indicators are seen.
- Scan a suspicious endpoint or proactively hunt for traces of advanced in-memory threats (such as fileless and packed malware, malicious code injections, or any unrecognized code) by using Intezer’s Live Endpoint Scanner as a script from inside SentinelOne.
- Threat hunting queries can be extracted from Intezer and used with SentinelOne to hunt for additional indicators across the environment.
Intezer and SentinelOne Integration Benefits
- Triage for every alert and time savings with a unified, automated workflow.
- Transparent analysis and additional context about scanned artifacts including attribution, malware families, indicators of compromise (IOCs), and TTPs mapped to MITRE ATT&CK®.
- Rapid verdicts of both malicious and benign artifacts classified using Intezer’s proprietary genetic analysis solution.
- Auto remediate false positives identified by Intezer’s analysis: based on your pre-defined classifications for SentinelOne alerts, Intezer updates the Analyst Verdict to “False Positive” and updates the Incident Status to “Resolved.”
- Hunt for traces of advanced in-memory threats such as fileless and packed malware, malicious code injections, or any unrecognized code by running Intezer’s Live Endpoint Scanner as a script from inside SentinelOne.
- Out-of-the-box detection content and queries for threat hunting provide immediate time-to-value.
Set up the connection
- Create a new role in SentinelOne for the integration ("Intezer Integration") with the following permissions:
  - Endpoints
    - View
    - File Fetch
  - Endpoint Threats
    - View
    - Update Incident Status
    - Update Analyst Verdict
    - Threat Actions
    - Fetch Threat File
  - Activity
    - View
  - Sites
    - View
  - Deep Visibility
    - View
    - File Fetch
    - Create
  - RemoteOps (Optional - Required for automatic Live Endpoint Scan)
    - View
    - Run Scripts > Run Action Script
    - Endpoints
- Create a new service user in SentinelOne, assign the integration role, and copy its access token (alternatively, you can generate an API token for a console user).
- Enter the API token and your SentinelOne console base URL on Intezer's connect sources page.
Automated Alert Remediation
Intezer’s auto alert remediation is a feature that automatically closes false positive alerts in your EDR instance based on Intezer’s verdict. The purpose is to reduce false positives and save valuable time for your team, helping you focus on alerts that require deeper investigation.
How does it work?
Any alert that the EDR deems risky or malicious, but for which Intezer issues a “Trusted” verdict after deeper analysis, is considered a “false positive” by Intezer.
All false positive alerts that fall into your pre-configured types (see the section below) are then auto-remediated by Intezer. For these alerts, Intezer changes the initial Analyst Verdict of the alert to “False Positive” and updates the Incident Status to “Resolved”.
How to get started?
Contact us at support@intezer.com with the classifications you would like to auto-remediate. We recommend starting with low-severity classifications such as “PUA” and “Adware”.
What type of alerts are auto-remediated?
Intezer automatically resolves alerts that it classifies as false positives and whose external severity is "Low" or "Medium".
Calculating external severity
SentinelOne does not provide alert severity out of the box. Therefore, Intezer calculates the external severity of the alerts based on SentinelOne's classification:
- Low severity: PUA (Potentially Unwanted Application), Adware, Packed, Toolbar, Application Control, Benign
- Medium severity: Malware, Linux.Malware, Generic.Heuristic, Hacktool, Spyware, Virus, Cryptominer, Miner, Phishing
- High severity: Infostealer, Exploit, Trojan, Worm, Interactive shell, Dropper, Downloader
- Critical severity: Ransomware, Backdoor, Rootkit
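The following is an added example, not Intezer's or SentinelOne's own code, that models the auto-remediation decision described above as one rule: the alert is auto-closed only when Intezer's verdict is "Trusted", the SentinelOne classification is one you asked Intezer to auto-remediate, and the external severity derived from that classification is Low or Medium. The alert record and its field names are constructed for illustration and are not the SentinelOne API schema; classifications absent from the table above are treated as ineligible, which is an assumption made here.

```python
from dataclasses import dataclass, replace

# External severity derived from the SentinelOne classification, as listed above.
SEVERITY_BY_CLASSIFICATION = {
    "Low": ("PUA", "Adware", "Packed", "Toolbar", "Application Control", "Benign"),
    "Medium": ("Malware", "Linux.Malware", "Generic.Heuristic", "Hacktool", "Spyware",
               "Virus", "Cryptominer", "Miner", "Phishing"),
    "High": ("Infostealer", "Exploit", "Trojan", "Worm", "Interactive shell",
             "Dropper", "Downloader"),
    "Critical": ("Ransomware", "Backdoor", "Rootkit"),
}
# Inverted, case-insensitive lookup: classification -> severity.
_SEVERITY_OF = {name.lower(): sev
                for sev, names in SEVERITY_BY_CLASSIFICATION.items() for name in names}

# Only these severities are eligible for auto-remediation.
AUTO_REMEDIABLE_SEVERITIES = frozenset({"Low", "Medium"})


@dataclass(frozen=True)
class Alert:
    # Constructed record; field names are assumptions, not the SentinelOne API schema.
    threat_id: str
    classification: str
    analyst_verdict: str = "Undefined"
    incident_status: str = "Unresolved"


def external_severity(classification: str) -> str:
    """Map a SentinelOne classification to Intezer's external severity.
    A classification not in the table yields "Unknown" (assumption: treated
    as ineligible for auto-remediation rather than guessing a level)."""
    return _SEVERITY_OF.get(classification.strip().lower(), "Unknown")


def is_false_positive(intezer_verdict: str) -> bool:
    """The EDR flagged the alert, but Intezer's deeper analysis says Trusted."""
    return intezer_verdict.strip().lower() == "trusted"


def should_auto_remediate(alert: Alert, intezer_verdict: str,
                          configured_classifications) -> bool:
    """All three conditions must hold:
    1. Intezer's verdict is Trusted, so the alert is a false positive;
    2. the classification is one the customer asked Intezer to auto-remediate;
    3. the derived external severity is Low or Medium."""
    if not is_false_positive(intezer_verdict):
        return False
    configured = {c.lower() for c in configured_classifications}
    if alert.classification.lower() not in configured:
        return False
    return external_severity(alert.classification) in AUTO_REMEDIABLE_SEVERITIES


def triage(alert: Alert, intezer_verdict: str, configured_classifications) -> Alert:
    """Return the alert as it would look in SentinelOne after Intezer's triage:
    auto-remediated alerts get Analyst Verdict "False Positive" and Incident
    Status "Resolved"; every other alert is returned unchanged."""
    if should_auto_remediate(alert, intezer_verdict, configured_classifications):
        return replace(alert, analyst_verdict="False Positive", incident_status="Resolved")
    return alert


if __name__ == "__main__":
    # Constructed sample alerts and verdicts; the classifications match the table.
    policy = {"PUA", "Adware"}  # the recommended low-severity starting point
    samples = [
        (Alert("t-1001", "PUA"), "Trusted"),       # eligible: Low severity, in policy
        (Alert("t-1002", "Adware"), "Malicious"),  # not a false positive
        (Alert("t-1003", "Trojan"), "Trusted"),    # High severity, never auto-closed
        (Alert("t-1004", "Packed"), "Trusted"),    # Low severity but not in policy
    ]
    for alert, verdict in samples:
        after = triage(alert, verdict, policy)
        print(f"{alert.threat_id}: {alert.classification:8} "
              f"severity={external_severity(alert.classification):8} "
              f"verdict={verdict:9} -> {after.analyst_verdict} / {after.incident_status}")
```

Running the block shows only the first sample being resolved; the Trojan alert stays open even though Intezer called it Trusted, because High-severity classifications are never auto-remediated, which is the safeguard to keep in mind when choosing which classifications to hand over.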
Example of a False Positive Alert:
Set up Intezer's Live Endpoint Scanner
- Follow the setup guide: Set Up Live Endpoint Scanner Script in Your EDR
- To allow the Live Endpoint Scanner to be triggered automatically by Intezer:
  - Make sure that the Intezer Integration role has the following permissions:
    - RemoteOps > View
    - Run Scripts > Run Action Script
  - Go to Automation > Remote Settings and verify that Enable approval thresholds is Disabled (if it is enabled, it can prevent Intezer from automatically executing the Live Endpoint Scanner script).
  - Contact Intezer's support to enable automatic Live Endpoint Scan.