Update Feb 25th: Please be advised the Maintenance Window has been extended to run until 19:00 UTC
We are pleased to announce that on Sunday, February 25, during SentinelOne’s regularly scheduled Maintenance Window, Endpoint Detection and Response (EDR) will be updated to SentinelOne’s “X” SP5 for the consoles detailed below. This release delivers significant enhancements to the management console.
This update also includes Agent updates for macOS Agent version 23.3. We strongly recommend upgrading these agents as soon as possible to provide the maximum level of protection available.
We are excited to share some of the highlights below. Please be sure to read the full Release Notes and supporting documentation available on N-able Me.
“X” SP5 Includes:
Keep Your Agents Updated With Auto-Upgrade Policies
(Standalone and new integration only)
Auto-Upgrade Policy helps you make sure your SentinelOne Agents are always up-to-date with the latest approved and supported version. Keeping your SentinelOne Agents updated results in better security, functionality, and performance.
Create an Auto-Upgrade Policy to automatically upgrade Agents to a specific version. You can set which endpoints have their Agents upgraded based on endpoint scope or endpoint tags.

Auto-Upgrade Policies can be created in each scope. A scope can inherit an Auto-Upgrade Policy of a higher scope. For example, a Site can have no Auto-Upgrade Policy of its own but it can inherit the policy of the Account it belongs to.

The Management frequently checks each Agent that connects to it to see whether an Upgrade Policy applies. This covers, for example, re-commissioned Agents, Agents moved between Sites, and new Agents installed after an Upgrade Policy became active.
New Filter for macOS Endpoints: Missing Permissions
For improved management of macOS endpoints, a new filter lets you see clearly when an endpoint is missing permissions that it requires. The filter applies to all currently supported macOS endpoints.

To show the filter in Endpoints, click View More Filters, select Missing permissions, and click Back to filters.
2FA Management Improvements
The security of SentinelOne 2FA has been improved, and it is now easier to track and control the 2FA status of each user.
In Users, you can Enroll 2FA, Reset 2FA, and Delete 2FA for each user.

- Enroll 2FA – Sends users an email with a link to the Console login page. They will be prompted to set up 2FA.
- Delete 2FA – Deletes users’ current 2FA configuration.
- Reset 2FA – Deletes users’ current 2FA configuration and sends them an email with a link to the Console login page. They will be prompted to set up 2FA.
See Full Release Notes for complete details.
Data Collection Scripts
(Standalone and new integration only)
Data Collection Scripts is a new feature to let you collect data from endpoints easily and efficiently.
With Data Collection Scripts you can run scripts from a library of pre-built SentinelOne scripts to collect data, including Windows event logs, network connections, and shell history, and rapidly collect artifacts across multiple operating systems.
Data Collection Scripts is free and is a part of the Complete SKU, enabled by default.
With Data Collection Scripts you can:
- View and run pre-built SentinelOne data collection scripts.

- Track the status of data collection. See the execution status, and error messages if the script failed to run.

- After you run scripts, view script results in Singularity™ Data Lake, correlated with EDR data fields, or download them as formatted files from the Management Console.

- Configure thresholds (create a guardrail) to prevent users from running unnecessary scripts, or from running scripts on more endpoints than is required.

- Configure a password, so that every time a user runs a script, a password is required to view the script results.

See full Release Notes to learn more about Data Collection Scripts.
Application Management
(Standalone and new integration only)
Automated vulnerability scans are now off by default until you enable scanning in the Scan Policy. Manual vulnerability scans also require that you enable scanning in the Scan Policy.

To decrease false positives and false negatives in your list of application CVEs, you can:
- Add an undetected CVE to an application’s CVE list. For details, see Add a CVE to an Application.
- Report a detected CVE as a false positive. For details, see Report Detected CVEs as False Positives.

Full Disk Scan Management Improvement
A new column in the Endpoints page shows Last Successful Scan Time. This is the last time the endpoint successfully completed a Full Disk Scan. Use the arrows to sort the table by this value. If an endpoint never successfully completed a Full Disk Scan, it shows N/A.

A new Last Successful Scan filter in the Endpoints page lets you search for endpoints that completed a Full Disk Scan in a specific time range.

The Full Disk Scan column and filter still show a combination of the status and the time completed. In a future release, they will show only the status, and the last scan time will appear only in the Last Successful Scan column and filter.
Exclusion Catalog Improvements
The Exclusions Catalog is now improved and easier to use. The Exclusions Catalog is organized by application category. You can search for applications or categories from the list. An application can show in multiple categories.

Use the filters at the top of the page to find specific application exclusions.

Applications found in your environment, in the Application Inventory for your current scope, show with an Applications icon. Use the Inventory Listed – Found filter to see the exclusions for these applications. The Number of Endpoints column shows the endpoints in your current scope that have the application installed. Click the pivot icon to open the list of endpoints in a new tab. These are the endpoints that will be impacted by the exclusion.

There is now an Exclusions Catalog content version to help you track catalog changes. Changes will be recorded in Exclusion Catalog Content Updates.
And there is still more:
- Change in How to Allow Users to Generate API Tokens
- New Filters in the Get Agents and Count Agents API Requests
- Add a Predefined Status to Endpoints in Application Management
- New Exclusions in the Exclusions Catalog for CWS (Linux)
- Updated Pending Action Status changes
- Ranger: Automatic Marking of Secured Devices In Different Accounts
Latest Agent Updates
SentinelOne agent versions included in this update are:
- Mac 23.3 (23.3.2.7123)
macOS Agent Update (23.3.2.7123)
Improved DNS events collection in Deep Visibility™.
To use the legacy mDNSResponder method of DNS event collection, use this Policy Override:

Where integer is:
- 0 = Disable DNS events collection
- 1 = mDNS Responder
- 2 = Network Extension (Default)
Enhanced macOS Endpoint Management:
From 23.3+, the macOS Agent will report in Pending Actions when it is deployed on an Incompatible OS, and will show this message in the Agent UI:

Missing Permissions is now its own filter category. From macOS Agent version 23.3+ and Management version X GA, instead of one general filter for missing Full Disk Access permissions, you can filter Missing Permissions reported by macOS endpoints to see the specific missing Full Disk Access permission:

- Full Disk Access – Remote Shell
- Full Disk Access – Sentinel Agent Helper
- Full Disk Access – Sentinel Agent
The Endpoint Details window now shows separate missing Full Disk Access permissions for Remote Shell, Sentinel Agent, and Sentinel Agent Helper in Pending Actions.

Older Agent versions will continue to report Full Disk Access – Sentinel Agent Detection.
When you filter by Network Extension and select an endpoint, the Endpoint Details window now shows missing permissions for Network Extension and Content Filter separately in Pending Actions.
See full Release Notes for more information
But there is more!
- Detection Enhancements
The console update release is scheduled for completion within an eight-hour maintenance window and will begin on Sunday, February 25th, at 10 am IDT / 9 am UTC +2 / 3 am EDT. A few important things to note during this time:
- All endpoints will continue to be protected.
- EDR management console login and API access may be unavailable.
Consoles scheduled for update include:
- https://usea1-swprd1.sentinelone.net/
- https://usea1-swprd2.sentinelone.net/
- https://usea1-nabl9.sentinelone.net/
- https://euce1-swprd2.sentinelone.net/
- https://euce1-nabl8.sentinelone.net/
- https://apne1-swprd3.sentinelone.net/
A few reminders:
- Do not forget to check out the full Release Notes under EDR Documentation at N-able U.
- Do not forget to check out the full suite of EDR Courses on N-able U, including our new Deep Visibility and Ranger courses.
- With EDR’s easy self-enablement, please be sure to view your license usage across Control, Complete and Ranger Add-On.
As always, feedback is welcome on the release.