Advance Notice “Z” SP5 EDR Console Update (June 2)

Posted on May 29, 2024 by carlagajdecki

UPDATE MAY 31: Please note due to unforeseen changes, this release has been rescheduled to Sunday June 9th

We are pleased to announce that on Sunday June 2, during the SentinelOne’s regular scheduled Maintenance Window Endpoint Detection and Response (EDR) will be updated to SentinelOne’s “Z” SP5 for the consoles detailed below. This release delivers significant enhancements to the management console.

Excited to share some of the highlights below and please be sure to read the full Release Notes and supporting documentation available on N-able Me

“Z” SP5 Includes:

Manage your EDR Public Repository Tokens in the Management Console

Starting with Management version Z, you can create and manage public repository authentication tokens in the Management Console,

To create the token in the Management Console:

  1. Select the applicable scope for the token. You must be at the account or site level.
  2. Click Settings > Integrations > Token Management.
  3. In the new window, click Create token.
  4. Enter the title, description, and click Create.
  5. Copy the values under the User and Token columns for the install scripts to access the repository.

Mitigate Malicious Macros in Office Files

Starting with “Z” and Windows Agent version 23.4.1, you can enable the Windows Agent to automatically remove malicious macros from infected documents instead of quarantining the whole Office file.

You can also manually mitigate Office files with malicious macros. For example:

  • Remove the malicious macro from the file without quarantining the file itself. This keeps the Office file intact and available for business continuity.
  • Quarantine the file without removing the macro.
  • Add the SHA1 value of the file to the Blocklist.

If the detection of a macro was a false positive, add the SHA1 value of the legitimate macro to the exclusions list and exclude the macro from being mitigated.

Configure Suspicious Driver Blocking

Now available the ability to configure Suspicious Driver Blocking settings in the Management Console. By default, Suspicious Driver Blocking blocks Windows signed and unsigned drivers, as well as other suspicious drivers.

When a driver is blocked, a new Driver Blocked (Preemptive) threat notification shows in the Threats page. No further Mitigation Actions are necessary.

You can deselect driver types that are blocked, or turn off Suspicious Driver Blocking to only block drivers that you add to the Blocklist.

New RemoteOps Scheduling (Complete License)

For improved convenience and workflows, schedule a script to run on a specific day and time.

Users can manage scheduled and recurring tasks from the new Automation > Remote Settings > Scheduled Tasks Page. Users can filter scheduled tasks by:

  • Scheduled data and initiation time
  • Script Type, OS, and output destination

New Activities and Notifications for Policy Override

Policy Override activities now show in the Management Console Activity Log. To filter for these activities, select Operations > Policy Override Changes.

You can also set your notifications to receive syslog or email notifications for policy override changes in Notifications > Operations > Policy Override Actions.

The details of the new activities are:

API Token Infrastructure Update

Starting in Z, SentinelOne will gradually roll out an enhancement for Management API tokens that will change the length of the API token and change the format to JWT. This applies to Console User and Service User API tokens. We do not expect that it will impact your environment.

New API Rate Limits

Starting in Z, new API rate limits apply moving forward:

  • /web/api/v2.1/threats – 25 calls per second for each different user token or each IP address that communicates with the Console.
  • /web/api/v2.1/agents – 25 calls per second for each different user token or each IP address that communicates with the Console.


SSO Configuration Now Supports Granular Inheritance of Allowed Domains

When SSO is configured for an environment, you can now configure the SSO settings for each scope and choose to Inherit Allowed Domains from higher scopes and Apply Allowed Domains to lower scopes, or not to allow domain inheritance. This lets you add users with the same email domain to various scopes and SSO integrations throughout your Console. You can share the Allowed SSO domains between scopes with proper validation, but also have different Assertion Consumer Service URL and SP Entity IDs for different scopes. Adding domain inheritance settings does not change anything else in the SSO configuration. You can configure inheritance of allowed domains at each scope:

  • From the Global SSO configuration: You can select Apply Allowed Domains to Lower Scopes. If you do not select this, lower scopes can only use the domain names defined at the Global level if they do not have their own defined SSO configuration.
  • From an Account SSO Configuration, you can select one or both options from: Inherit Allowed Domains from Global and Apply Allowed Domains to Site.
  • From a Site SSO Configuration, select to inherit allowed domains from Account, Global, Global and Account, or not to inherit (None).

New Notifications for SSO User Creation and Modification

You can now set Notifications to receive syslog or email notifications for SSO user creation and modification in Notifications > Administrative > User added/modified/deleted. In earlier releases, only notifications for local (non-SSO) users were sent when this was selected. Now notifications for SSO users are sent also.

The details of the SSO user activities are:

Important Change in Console URL Behavior (Standalone)

Starting in Z, opening your Management Console in a browser requires that you enter a URL with a hostname in the sentinelone.net domain, for example, <your-Console-instance>.sentinelone.net.  Using an IP address or alias, will result in a 400 error. This change increases the security of your Management Console environment.

 Opt-in for New Singularity Operations Center (Early Access)

The new Singularity Operations Center consolidates all SentinelOne platform capabilities into a single unified interface that simplifies navigation and enhances user workflows. Not yet fully released but individual users can sneak peek by selecting at the top right of the Console, click your username and select My User.

In your user settings, in Early Access, turn on Singularity Operations Center.

Key Advancements

  • Seamless Experience – All SentinelOne products are seamlessly integrated in a single console interface.
    • Enhanced Navigation – The navigation is now aligned with user workflows. The new categorization supports streamlined, task-oriented navigation to optimize workflows.
    • Centralized Policies and Settings – You can now manage policies and settings for your SentinelOne products from one location in the Singularity Operations Center.

And More….

  • Searching for Console Activities in Event Search has changed check out Release Notes for full details
  • Import a Lookup Table in PowerQueries with the Dataset Command

The console update release is scheduled for completion within an eight-hour maintenance window and will begin on Sunday June 2nd  , at 10 am IDT / 9 am UTC +2/ 3 am EDT.  A few important things to note

Consoles scheduled for update include:

A few reminders;

  • Do not forget to check out the full Release Notes under EDR Documentation at N-able U
  • Do not forget to check out the full suite of EDR Courses on N-able U including our new Deep Visibility and Ranger courses
  • With EDR’s easy self-enablement please be sure to view your license usage across Control, Complete Licenses and the Billable add ons( Ranger and our latest RemoteOps)

As always, feedback is welcome on the release.

This entry was posted in N-central, N-sight. Bookmark the permalink.