SentinelOne’s Deep Visibility empowers rapid threat hunting, letting analysts conduct deep investigations and hunt at scale. Threat hunters can quickly and easily query and pivot across the captured endpoint telemetry. SentinelOne automatically correlates all related objects (processes, files, threads, events, and more). For instance, say a process modifies another process by injecting code. When you run a query, all interactions between the source process, target process, and parent process are shown clearly in the cross-process details. This lets threat hunters quickly understand the data relationships: the root cause behind a threat together with its context, relationships, and activities. They can then reconstruct the full story of what happened on an endpoint and see the complete chain of events.
You can create powerful hunting queries with easy-to-use shortcuts. Leverage a query library of hunts curated by SentinelOne research, who continually evaluate new methodologies to uncover new IOCs and TTPs. These insights are the output of hypotheses that have been proven across research data and are generic. For example, the use of unmanaged, unsigned PowerShell is likely abnormal in most environments and would commonly require additional investigation. An observation like this is not malicious in and of itself, but it fits into a hunting workflow because it describes an anomaly.
SentinelOne Hunter, a Chrome extension, helps Security Operations teams and hunters save time. Hunter lets you quickly scrape data from your browser and opens a query in your SentinelOne Management Console to search for that data across your organization. Hunter captures these indicators from information open in your current browser tab: IP addresses, DNS names, and hashes (MD5, SHA-1, and SHA-256). Once the indicators of interest are captured, they are sent to your SentinelOne Management Console. The Hunter extension does not capture any personal or private data from the browser or the user.
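The indicator scraping described above, as an added example in plain JavaScript that is not SentinelOne's or the Hunter extension's own code: it pulls IPv4 addresses, DNS names and MD5/SHA-1/SHA-256 hashes out of page text, classifies and de-duplicates them, and joins them into search clauses. The sample report text, the file-extension filter list and the query field names (`dst_ip`, `dns_name`, `file_md5`, ...) are constructed placeholders for this example, not Deep Visibility syntax.

```javascript
// Added example (not SentinelOne's code): pull the indicator kinds the Hunter
// extension collects (IPv4 addresses, DNS names, MD5/SHA-1/SHA-256 hashes) out of
// page text, classify and de-duplicate them, and turn them into search clauses.

const IPV4_RE = /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g;
// 64 before 40 before 32 so a longer hex run is never split into shorter hashes.
const HASH_RE = /\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b/gi;
const DNS_RE = /\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b/gi;
// Constructed list of file extensions that look like TLDs to the DNS regex.
const FILE_EXT = new Set(['exe', 'dll', 'ps1', 'bat', 'txt', 'zip', 'js']);
const HASH_KIND = { 32: 'md5', 40: 'sha1', 64: 'sha256' };

function extractIndicators(text) {
  const found = { ipv4: new Set(), dns: new Set(), md5: new Set(), sha1: new Set(), sha256: new Set() };
  for (const ip of text.match(IPV4_RE) || []) found.ipv4.add(ip); // version strings like 1.2.3.4 also match
  for (const h of text.match(HASH_RE) || []) found[HASH_KIND[h.length]].add(h.toLowerCase());
  for (const name of text.match(DNS_RE) || []) {
    const lower = name.toLowerCase();
    if (!FILE_EXT.has(lower.split('.').pop())) found.dns.add(lower); // drop "update.exe"-style tokens
  }
  // Sorted arrays give a stable result for display and for tests.
  return Object.fromEntries(Object.entries(found).map(([k, v]) => [k, [...v].sort()]));
}

// Build OR-joined search clauses. The field names are hypothetical placeholders
// chosen for this example, not SentinelOne Deep Visibility field names.
const FIELD_FOR = { ipv4: 'dst_ip', dns: 'dns_name', md5: 'file_md5', sha1: 'file_sha1', sha256: 'file_sha256' };
function buildQuery(indicators) {
  const clauses = [];
  for (const [kind, values] of Object.entries(indicators)) {
    for (const v of values) clauses.push(`${FIELD_FOR[kind]} = "${v}"`);
  }
  return clauses.join(' OR ');
}

// Constructed sample report text: the hashes are the well-known digests of the empty
// string and the network values come from reserved documentation ranges.
const SAMPLE_REPORT = `
The dropper update.exe (MD5 D41D8CD98F00B204E9800998ECF8427E) beaconed to
c2.example-bad.test at 203.0.113.45, then fetched a payload with
SHA-1 da39a3ee5e6b4b0d3255bfef95601890afd80709 and
SHA-256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
Version 1.2.3.4 of the tool was observed; contact analyst@example.com.
`;

function demo() {
  const indicators = extractIndicators(SAMPLE_REPORT);
  return { indicators, query: buildQuery(indicators) };
}
console.log(JSON.stringify(demo(), null, 2));
```

The `1.2.3.4` version string in the sample shows why dotted-quad matches still need an analyst's eye before they are sent to a console-wide query.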