We are pleased to announce that on Wednesday November 15th Endpoint Detection and Response (EDR) will be updated to SentinelOne’s “W” SP5. This release delivers significant enhancements to the management console.
This update also includes Agent updates for the Windows, macOS and Linux Agents to version 23.2. We strongly recommend upgrading these Agents as soon as possible to provide the maximum level of protection available. Read more: ADVANCE NOTICE: EDR “W” SP5 Release & Agents 23.2
We are excited to share some of the highlights below; please be sure to read the full Release Notes and supporting documentation available on N-able Me.
“W” SP5 Includes:
Using Cloud Rogues in your AWS Workloads
The Cloud Rogues feature helps you identify protection coverage gaps for cloud virtual machines (VMs). It gives you continuous visibility into your AWS accounts to make sure all VMs are protected by SentinelOne Agents.
Cloud Rogues continuously monitors VMs in the AWS cloud accounts in which you have enabled the capability. It gives a full list of your currently unprotected VMs and identifies newly created VMs. You can use this data to deploy Agents to current and future VMs in AWS.
How Cloud Rogues are different from Network Rogues
Network Rogues. Network Rogues uses deployed SentinelOne Agents with network-based port scanning to detect devices that communicate on the local network. Scanning requires the Agent to be present on the network and can only detect rogue devices on that network.
Cloud Rogues. Cloud Rogues uses Cloud Service Provider APIs to detect virtual machines hosted in AWS accounts or organizations it has access to. It does not require the Agent and does not require network access to detect rogue cloud VMs.
To learn more about Cloud Rogues, check out the full EDR documentation on N-able Me.
Manage Password Expiration Frequency for Improved Password Hygiene
Improve user password security by setting the frequency with which Console users are required to reset their passwords. Set the frequency of the password expiration by scope to create a policy that meets the standards of your organization.
Important! User password expiration is enabled and enforced by default for all Console users from the moment the console is updated to ‘W’.
Password expiration does NOT apply to Service Users or to users who login with SSO.
Please see the full Release notes for full details.
Blacklist is Changed to Blocklist Throughout the Management Console
To manage blocklist items, go to Sentinels > Blocklist. You will also see that the Activity Log filters have been updated, as well as Settings > Notifications.
Threat mitigation actions now show Add to Blocklist.
Roll-out of the new Application Management
The new Application Management (EA version) replaces the old Applications. The Applications page is replaced with the Application Management pages: Inventory, Risks and Policy. These features are supported by all versions of the Windows and Linux Agents. macOS Agents require version 22.2 GA or later.
Agents automatically scan endpoints for third-party applications, regardless of associated risk, and list them on the Inventory page.
You can also click Scan Now to manually initiate a scan for applications.
Click an item in the inventory to view a list of endpoints with that application.
The Risks page aggregates Risks by applications and versions.
Click on an application to drill-down into additional data based on Endpoints or CVEs.
On the Policy page, you can schedule weekly scans for Vulnerability and Application Scanning.
On the Policy page, for Windows Agents 22.3+, you can enable the Extensive Vulnerability Scan. This scan detects missing patches, and merges them later on with detected applications, to improve the accuracy of CVE detection.
Agent Upgrade Change
The expiration time for Agent version change tasks was changed from 5 minutes to 30 minutes. Other tasks still expire after 5 minutes. In earlier versions, all tasks expired after 5 minutes, including Agent version changes.
If an Agent Version Change task is still in progress after 30 minutes, the task becomes Expired. This makes resources available for other tasks. If the Agent reports the update to the Management Console after this time, the status will change accordingly.
User Password Management Changes
There are changes in how Console Users can change the password for other Console Users. These options apply to users who log in to the Management Console with their email and password. For users who log in with SSO, changes to login credentials must be made with the Identity Provider for the SSO.
Send Reset Password Email – Send a different Console user an email with a link to change their password. Use this when a user forgets their password and does not have SentinelOne 2FA set up. The email is valid for 72 hours. The user’s existing password is valid until they change it. To use this, SMTP must be configured for the Console.
Force Reset Password on Login – This prompts a Console user to set a new password when they log in to the Management Console. They will not be able to log in with their previous password.
All password changes show in Activity. In Operations, search for “password” to see all of the password activities.
Site Level Authorization for Windows Agents
In your Sentinels > Upgrade Policy section you will now find Local Upgrade Authorization under Maintenance Window and Local Upgrade. Site Level Authorization improves the Management Console pre-installation approval flow for local Agent upgrades. This flow is required to make the upgrade of Windows Agents by external deployment tools (SCCM, Intune, GPO and others) more secure.
Site Level Authorization is supported by Windows Agents 22.1 and later.
With Site Level Authorization:
- Approve upgrades for the entire site instead of approving each Agent.
- Approve a local upgrade for Agents that do not show in the Console, but belong to the approved Site.
- Improved information in the Management Console:
- Shows the expiration status of the approval on the Site Level.
- Shows the expiration status of the approval on the Agent level.
- Shows the correlation between Agent level to Site Level Authorization.
- Granular reporting to the Activity log, and full RBAC support.
Change in API Token Expiration Period
The expiration period of new API tokens changed from 6 months to 30 days. This applies to tokens generated by Console Users (not service user tokens).
In the User Role (RBAC) UI, the names of some Console pages were improved. See full release notes for all changes.
Policy Override configurations now have an Expand option to see the configuration settings more clearly. This shows as a toggle at the top of the Policy Override window.
Latest Agent Updates
SentinelOne agent versions included in this update are:
- Windows 23.2 (184.108.40.2068)
- Mac 23.2 (220.127.116.1151)
- Linux 23.2 (18.104.22.168)
Windows Agent Update (22.214.171.1248)
On-demand scan logs improvements
On-demand scan logs now report the total number of files scanned inside archive files, in addition to the number of archive files that were scanned. Example: Total files scanned: 2 on disk(s), 12 inside archives.
Added an option to list all files that were not scanned in the log report (excluding archive files and files within the archive) and map this information to a status in the scan report. In order to use this capability, run this sentinelctl command:
Or add this Policy Override:
Safe Mode Protection
The Agent now blocks any process from booting into safe mode, except excluded ones.
For the Agent to allow endpoints to boot into safe mode, run this sentinelctl command:
Customized Scanned File Types
You can add more file types to be scanned by the Static AI scan with Policy Override or Sentinelctl.
When a file is written or modified on the disk the file will be inspected by the Blocklist and SentinelOne Cloud Intelligence. When a Full Disk scan or On Demand Scan is run the file will be inspected by the Blocklist.
VSS management improvements
Added the ability to configure an available VSS storage from UNBOUNDED, in case of an attack, to a configurable threshold (example, 90%).
Either run this sentinelctl command (syntax):
where integer is a number (percent) between 0 and 100,
Or add this Policy Override:
Added a retention mechanism for the VSS snapshots used by the Agent. You can define how long you want to keep SentinelOne snapshots available for rollback purposes, as remediation for a ransomware attack.
Run this sentinelctl command:
with any combination of these:
where integer is a number in days, hours, or minutes, depending on which command you run.
But there is more!
- Improved detection coverage of SharpHound
- Bug fixes and improvements
macOS Agent Update (126.96.36.19951)
Follow the installation instructions in the User Guide carefully to make sure that the Agent has all the required permissions. An Agent without permissions is not protected and will show a Pending Action label in the Endpoint Details in the Management Console.
Added support for macOS Sonoma 14.0
Added support for macOS Sonoma 14.0 – macOS Agent version 23.2.2 has been tested and validated on macOS Sonoma 14.0. Do not upgrade your endpoints until you have a supported SentinelOne Agent. See the EDR Documentation on N-able Me for the full macOS Agent Upgrade Playbook – macOS Sonoma.
But there is more!
- Detection Enhancements for various MITRE Techniques
- Events from the same terminal command instance can now be grouped together in the same Storyline and threat.
Linux Agent Update (188.8.131.52)
Optimized performance focus exclusions: The Agent now filters out system events coming from processes excluded by performance focus and performance focus-extended exclusions in the eBPF program, as soon as it receives them from the operating system. This reduces the Agent's resource use and increases event throughput.
Note: This feature requires the Agent to use eBPFs for telemetry collection.
Performance focus exclusions for active content: Performance focus and Performance focus – extended exclusions are now supported for active content, such as bash scripts and python scripts. This instructs the Agent not to process system events coming from the excluded scripts and, in the case of Performance focus – extended exclusions, their child processes.
Excluding network mounts by default: The Agent now ships with default mount type exclusions of fuse.lxcfs, cifs, nfs, nfs4, secfs2, ceph, fuse.glusterfs, nfsd, acfs, omfs, and hdfs. This instructs the Agent not to process file events coming from these mount types. This can be fine-tuned using the “mounts_excluded-types” and “mounts_excluded-prefixes” settings with Policy Override, or with sentinelctl mounts exclusion.
The “mounts_excluded-types” and “mounts_excluded-prefixes” configurations are now stored as JSON arrays instead of CSV strings. For example, the “mounts_excluded-types” configuration appears as:
instead of “fuse.lxcfs,cifs,nfs,nfs4, secfs2,ceph,fuse.glusterfs,nfsd,acfs,omfs,hdfs”. The Agent will still accept a Policy Override in the previous format of CSV string for backwards compatibility.
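As an added illustration of the backward-compatible handling described above (example code written for this post, not the SentinelOne Agent's own implementation), the helper below normalizes a mount-exclusion setting given either as the new JSON array or as the legacy CSV string, then applies it to a mount; the function names and the prefix-matching rule are assumptions.

```python
import json
from typing import List, Optional, Union

# Constructed from the default list quoted in the release notes above.
DEFAULT_EXCLUDED_MOUNT_TYPES = [
    "fuse.lxcfs", "cifs", "nfs", "nfs4", "secfs2", "ceph",
    "fuse.glusterfs", "nfsd", "acfs", "omfs", "hdfs",
]


def parse_mount_exclusions(value: Union[str, list, None]) -> List[str]:
    """Normalize a mounts_excluded-types / mounts_excluded-prefixes value.

    Hypothetical helper: accepts the new JSON-array form (a real list or a
    JSON string) and the legacy CSV string form, and returns a de-duplicated
    list of entries with surrounding whitespace stripped.
    """
    if value is None:
        return []
    if isinstance(value, list):
        items = value
    else:
        text = value.strip()
        if text.startswith("["):
            items = json.loads(text)  # malformed JSON raises, not silently ignored
            if not isinstance(items, list):
                raise ValueError("JSON value is not an array")
        else:
            items = text.split(",")  # legacy CSV, e.g. "nfs4, secfs2"
    seen, result = set(), []
    for item in items:
        if not isinstance(item, str):
            raise ValueError(f"non-string mount entry: {item!r}")
        name = item.strip()
        if name and name not in seen:
            seen.add(name)
            result.append(name)
    return result


def is_mount_excluded(mount_type: str, mount_point: str,
                      excluded_types: List[str],
                      excluded_prefixes: Optional[List[str]] = None) -> bool:
    """Decide whether file events from a mount should be dropped (assumed rule:
    exact match on mount type, or mount point starting with an excluded prefix)."""
    if mount_type in excluded_types:
        return True
    return any(mount_point.startswith(p) for p in (excluded_prefixes or []))
```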
But there is more!
- Support added for x86 and ARM Agents: Debian 12, RHEL 9.2, 8.8, RockyLinux 9.2, 8.8, and AlmaLinux 9.2, 9.1, 8.8, SUSE 15sp5, Amazon 2023.1.
- Support added for x86 Agents: Oracle Linux 9.2, 9.1, and 8.8.
- Support added for x86-64 Agents: CloudLinux Shared v6 and v8
- Detection Enhancements
The console update release is scheduled for completion within an eight-hour maintenance window and will begin on Wednesday Nov 15th, at 10 am IDT / 9 am UTC+2 / 3 am EDT. A few important things to note during this time:
- All endpoints will continue to be protected.
- EDR management console login and API access may be unavailable.
Consoles scheduled for update include:
A few reminders:
- Do not forget to check out the full Release Notes under EDR Documentation at N-able U
- Do not forget to check out the full suite of EDR Courses on N-able U including our new Deep Visibility and Ranger courses
- Do not forget to sign up for SentinelOne’s Partner Portal; to learn more, check out our full post here
As always, feedback is welcome on the release.