Call : (+91) 968636 4243
Mail : info@EncartaLabs.com
EncartaLabs

SentinelOne Incident Responder

(Duration: 2 Days)

This SentinelOne Incident Responder training course provides the knowledge and skills necessary to effectively use the SentinelOne platform to identify and respond to incidents.

By attending the SentinelOne Incident Responder workshop, delegates will learn to:

  • Gain a strong understanding of the SentinelOne console
  • Use the filtering functionality
  • Use the searching functionality
  • Perform threat analysis
  • Follow the mitigation and resolution workflow
  • Manage the blacklist
  • Manage exclusions
  • Use Application Risk Management
  • Use Remote Shell
  • Use Deep Visibility
  • Work with reports
  • Perform IR threat hunting

Delegates attending the SentinelOne Incident Responder workshop should have:

  • Understanding of networking and network security
  • Understanding of fundamental information security concepts
  • Familiarity with the Microsoft Windows environment

The SentinelOne Incident Responder class is ideal for:

  • Security Analysts
  • SecOps
  • Security Architects

COURSE AGENDA

1. Introduction

  • What is SentinelOne
  • SentinelOne Versions
  • SentinelOne Strengths
  • Underlying Technology
  • SentinelOne Ranger
  • SentinelOne Vigilance
  • SentinelOne Resources

2. S1 Capabilities and Management Console Overview

  • Getting Logged in
  • AI Engines
  • Automatic/Manual Response
  • Endpoint Firewall
  • Device Control
  • Incident Response
  • Threat Hunting
  • Ranger
  • Application Risk Management
  • Activity
  • Reports
  • Dashboard
  • Settings

3. SentinelOne Investigator

  • Getting Logged in
  • AI Engines Explained
  • Remediating Simple Malware
    • Review incident
    • Explore Incident
    • Kill and quarantine
    • Blacklist
    • Unquarantine
    • Exceptions
    • Storyline
    • Remediation
  • Remediating Ransomware
    • Review incident
    • Explain Rollback
  • Device Control
  • Firewall Control
  • Managing Blacklists
  • Managing Exclusions
    • Hash
    • Path
    • Signer Identity
    • File Type
    • Browser
  • Analyzing Threats
    • Threat Management
    • Mitigation Actions
    • On-Demand File Fetch
  • Full Disk Scan
  • Management Console Dashboard
    • Working with Widgets
  • Application Risk Management
  • Remote Shell

4. Introduction to Regular Expressions

  • What is a Regular Expression?
  • Literals vs. Operators
  • RegEx Syntax
    • Escape Characters
    • Or Operators
    • Sets
    • Repetition Operators
    • Metacharacters
    • Character Classes
    • Pattern Anchors
    • Capturing & Non-Capturing Groups

5. Ranger Administration

  • Understanding Deep Visibility
  • How to Use Deep Visibility
  • Threat Hunting Query
  • Take Action from the Visibility Page
  • Deep Visibility Query Syntax
  • Deep Visibility Use Cases
  • Hunting Abnormal Behavior on an Endpoint
  • Responding to Incidents with Deep Visibility
  • Configuring Deep Visibility Data Collection
  • Saving Threat Hunting Queries and Watchlists
  • Working with Saved Deep Visibility Queries
  • Query with Custom Time Range
  • Managing the Browser Extension
  • Supported File Types for Deep Visibility

6. Mindset of a Threat Hunter

  • EC-Council's 17 Phases
  • What is Threat Hunting
  • What a Blue Team does and which skills to take away from Blue Team experience
  • What a Red Team does and which skills to take away from Red Team experience
  • Intel
    • Intel the process
    • Intel the product
    • MITRE ATT&CK
    • Common Vocabulary
    • Behaviors > Indicators
  • Paranoia
  • The cycle of thought that drives threat hunting
  • Supported File Types for Deep Visibility

7. Hunting, Not Searching

  • Difference between searching and hunting
  • Knowing when searching is OK
  • Building better hunts
  • Postulating
  • Creating and testing an attack hypothesis
  • IOCs, TTPs and Storyline

8. Advanced IR

  • Techniques
    • S1QL
    • Watchlists/WAR
    • Hunter Extension
    • Hermes
    • SIEM/SOAR
  • Remote Shell
    • Scripting and Remote Execution
    • Architecture
    • Execution
  • Reporting

9. Threat Hunting with SentinelOne

  • Containment and Acquisition
    • Network Quarantine
    • File Fetch
  • Alerts
    • Incident Threats Page
    • Notes
    • MITRE Mapping
  • Deep Visibility
    • Storyline
    • 30 days of Event Data
  • Remote Shell
    • Using other Forensic Kits (Scripts)
    • Issuing WMI Commands
  • "Mark as Threat" Workflow
  • Rollback
  • Remediation
  • Device Control
  • Firewall Orchestration
  • Group Policies
  • API

10. Ranger Monitoring

  • Recognizing rogue systems
  • Categorizing unknown systems
  • Understanding search results

Encarta Labs Advantage

  • One-stop corporate training solution provider for over 6,000 courses on a variety of subjects
  • All courses are delivered by industry veterans
  • Get jumpstarted from newbie to production-ready in a matter of a few days
  • Trained more than 50,000 corporate executives across the globe
  • All our trainings are conducted in workshop mode, with a strong focus on hands-on sessions

View our other course offerings by visiting https://www.encartalabs.com/course-catalogue-all.php

Contact us to have this course delivered as a public/open-house workshop or as online training for a group of 10+ candidates.
