r/SentinelOneXDR

Isolated/bricked network connections

I have sentinelone running on a work computer, and one night, when trying to transfer a ton of files onto a network drive using robocopy, I got the message “This device has been isolated due to suspicious activity! (Or malware, can’t remember)”

There no malware, so I’m guessing S1 freaked out and thought it was an attack of some sort, and isolated me as well as cut off all network access. Ethernet and WiFi don’t work.

I called up our S1 vendor, but they couldn’t help because the PC is showing offline on their end (can’t communicate with it) and also, it shows no quarantine on their end.

So they gave me a bunch of commands to run with the agent passphrase.

I tried to unquarantine it, disable services, reload services, disable them in the registry, and even uninstall the agent but nothing worked. I did this in safe mode too but still no dice. The one thing I was able to do in safe mode was rename the folder to .old, but that didn’t disable services upon regular boot.

My vendor has escalated this to an S1 engineer, but he advised himself that we just run the commands that I’ve already previously run. I can’t even grab the logs manually to give to them because it won’t let me.

reddit.com
u/Southern_Yesterday57 — 3 days ago

S1 agents going offline/breaking can be a full time job

How are you keeping your agents online consistently? Also, using the agent upgrade policy seems to break some agent. They show as offline in the console of course and when I run powershell queries on them, I find some with partially removed files (like the upgrade was interrupted/aborted) and some with stopped services that won't start. The most needy agent in my experience.

reddit.com
u/naes724 — 12 days ago

AI SIEM alerts

There is any way to configure the Detections to bring the event details that triggered the rules to the alert itself? For what I am seeing the alerts bring only the detection description and very little (none) information o the event that trigered the rule.

reddit.com
u/rafael4ndre — 13 days ago