Issue
We are trying to troubleshoot a possible issue with our SentinelOne Agent running on the endpoint. We want to confirm if the Agent is actively sending telemetry or not.
Environment
SentinelOne
Resolution
Deep Visibility
First, ensure that Deep Visibility is enabled - see How to Enable Deep Visibility in SentinelOne.
Once Deep Visibility (DV) is enabled, the quickest way to confirm if an Agent is sending telemetry is to:
- Log in to your SentinelOne console
- Click on the Visibility tab (i.e., Deep Visibility) on the left menu bar
- Select the Hunting tab at the top of the page
- Next, in the query field, type the Data Type "EndpointName" (it will populate automatically once you start typing it).
- Next, type the Operator "Contains" and then the String, which is your endpoint's name (it must be in quotes). Then click the Search icon on the right of the query field.
If the endpoint has been sending telemetry, you should see all of the event types (i.e., Processes, Cross Process, Files, Network Actions, etc.) start to populate with data showing today's date in the timestamp.
There is another easy way to open Deep Visibility for a specific endpoint and check for process telemetry:
- Go to your SentinelOne dashboard and click on "Sentinels" on the left menu bar.
- Next, search for a specific endpoint by clicking in the "Select filters..." field at the top of the page and typing the endpoint's hostname.
- Now click on the endpoint's hostname when it shows up in the endpoints list. This will open a menu on the bottom right of the page.
- Click on Actions | Shortcuts | Search in Deep Visibility. This will open up the Deep Visibility page and auto-populate the endpoint's UUID.
- Then click the Search icon on the right of the query field.
IP Allow List
If endpoints with SentinelOne sensors installed, online, and active are still not sending Deep Visibility data, it could be that the necessary SentinelOne IP addresses have not been added to the Allow list.
See Service and Ports for the list of IP addresses to add to an Allow List.