Issue
I use SentinelOne as my anchor integration. Why do I have a large number of endpoints reporting as not sending telemetry?
Environment
SentinelOne
Resolution
This is due to Deep Visibility being disabled on the endpoint policy, somewhere in the account/site/group structure.
To correct this, you will need to enable this feature in your SentinelOne Management Console.
- From the console, navigate to the Sentinels page
- Click the account, site or group you would like to edit
- Click the Policy tab
- Scroll down to the Deep Visibility settings
- Select the Enable Deep Visibility checkbox
- Enable all toggles except Data Masking
- Enable all File checkboxes within Event Type Configuration
NOTE: Make sure Data Masking is disabled. If any boxes are left unchecked under Event Type Configuration, a status failure will be triggered in Red Canary.
Cause
SentinelOne uses policy inheritance to control settings throughout the account/site/group structure. If a site or group has policy inheritance disabled, then any change made at the account level, such as enabling Deep Visibility, will not be inherited by that site or group, and its endpoints keep the older local policy.
The Deep Visibility feature is what collects endpoint data and sends it to SentinelOne and, by extension, to Red Canary. See How Red Canary integrates with SentinelOne for more information.
For more information on the individual data point toggles, see the SentinelOne User Guide.
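The inheritance behaviour above is easy to reason about for one site and hard to track across many. The following is an added example, not code from Red Canary or SentinelOne and not a call to the SentinelOne API: it models an account/site/group tree with constructed data and reports every scope that owns a policy which would trip the Red Canary status failure (Deep Visibility off, Data Masking on, or a File event type unchecked). The scope names, the `inherit` flag, and the `file_create`/`file_modify`/`file_delete`/`file_rename` labels are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed placeholder names for the File checkboxes under Event Type Configuration.
FILE_EVENTS = ("file_create", "file_modify", "file_delete", "file_rename")

@dataclass
class Policy:
    deep_visibility: bool
    data_masking: bool = False
    file_events: dict = field(default_factory=lambda: dict.fromkeys(FILE_EVENTS, True))

@dataclass
class Scope:
    name: str
    inherit: bool                 # True: use the parent's policy (account/site/group)
    policy: Policy = None         # own policy, used when inherit is False
    children: list = field(default_factory=list)

def policy_problems(pol: Policy) -> list:
    """Settings that make Red Canary flag the endpoint as not sending telemetry."""
    if not pol.deep_visibility:
        return ["Deep Visibility disabled"]
    problems = ["Data Masking enabled"] if pol.data_masking else []
    unchecked = [e for e in FILE_EVENTS if not pol.file_events.get(e, False)]
    if unchecked:
        problems.append("File event types unchecked: " + ", ".join(unchecked))
    return problems

def audit(scope: Scope, inherited: Policy = None, path: str = "") -> dict:
    """Resolve policies top-down; report only the scope that OWNS a failing policy."""
    here = f"{path}/{scope.name}" if path else scope.name
    if scope.inherit and inherited is not None:
        effective, findings = inherited, {}
    else:
        effective = scope.policy
        problems = policy_problems(effective)
        findings = {here: problems} if problems else {}
    for child in scope.children:
        findings.update(audit(child, effective, here))
    return findings

# Constructed hierarchy: Deep Visibility was enabled at the account level, but
# two sites and one group have inheritance disabled and keep an older policy.
ACCOUNT = Scope("Acme", inherit=False, policy=Policy(deep_visibility=True), children=[
    Scope("HQ", inherit=True, children=[
        Scope("Servers", inherit=True),
        Scope("Laptops", inherit=False, policy=Policy(True, data_masking=True))]),
    Scope("Branch", inherit=False, policy=Policy(deep_visibility=False), children=[
        Scope("Kiosks", inherit=True)]),          # inherits Branch's broken policy
    Scope("Lab", inherit=False, policy=Policy(True, file_events={"file_create": True}))])
```

Running `audit(ACCOUNT)` names only `Acme/HQ/Laptops`, `Acme/Branch` and `Acme/Lab`, because those are the scopes whose Policy tab actually has to be edited; `Kiosks` is affected but fixes itself once `Branch` is corrected.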