Policy Mode Best Practices



We gathered best practices for policy management from SentinelOne experts and from our wide global install base. Best practices depend on why, how, and when you use policies.

Important! Manual judgment is required, based on your organization's culture, requirements, regulation compliance, and other proprietary factors. Keep in mind your Risk Level Management processes, as you balance your policies between security automation and performance.

Definitions

Detect
Sets the Agent action: Send alerts but do not automatically mitigate.

Malicious
Agent AI result with a high confidence that a detection is malicious and a readiness level of Mitigate.

Policy
Set of mitigation actions that defines the behavior of SentinelOne Agents and their detection engines.

Protect
Sets the Agent action: Automatically mitigate malicious actors with process kill (for known and unknown threats), file quarantine, and remediate (if there are malicious changes) or rollback (for Ransomware). Send Mitigated Threat alerts.

Note: If a benign detection is quarantined, you can unquarantine it.

Suspicious
Agent AI result with a low confidence that a detection is malicious and a readiness level of Validate (usually requires manual analysis). The file or process behavior shows it does or can do harm, or creates harmful files or processes.

Protection Mode Results

Malicious Threat - Protect / Suspicious Threat - Detect (Default Policy)

What to expect?
The Agent automatically mitigates threats with process kill and file quarantine. For suspicious detections, t

Risk Level:
Medium. This policy is a balance between automatic mitigation of high-confidence threats and undisturbed business activity

When to use?
This is the default recommended policy mode for mass deployments. It is the most popular with the SentinelOne install bas

Malicious Threat - Protect / Suspicious Threat - Protect

What to expect?
All threats and suspicious activities are automatically mitigated.

Risk Level:
Low. Complete automatic security.

When to use?
This option gives the highest level of security and real-time protection. It is required for the SentinelOne ransomware warra

Use cases:

• Organizations that lack analyst headcount to manually mitigate all threats. The impact is the possibility of false-p

• Organizations with multiple endpoints that are constantly exposed to risk, such as a professional services group o

• Early adopter organizations with small deployments. The impact is the need to search for false-positives and chan

Malicious Threat - Detect / Suspicious Threat - Detect

What to expect?
All malicious activities create Active Threat or Suspicious Activity alerts but no mitigation occurs.

Note: No execution is blocked when in Detect mode. In earlier Windows Agent versions (before 3.1), the Agent blocked ex
your blocklist.

Risk Level:
High. Threats of all kinds will execute until you manually mitigate them.

When to use?
This is not recommended as an organization-wide long-term policy. The implied Risk Level is too high, and the benefits of
for endpoints with very high sensitivity to business process interruptions, such as production floor servers. But we recomme
to closely monitor and resolve false-positives with best-practice exclusions.

Best Practices for Policy Modes

Note:

• Malicious Threat in Management versions Jamaica and earlier is called Threats.

• Suspicious Threat in Management versions Jamaica and earlier is called Suspicious.

Use case of multiple policies:

• The majority of endpoints get the default policy: Malicious is set to Protect and Suspicious is set to Detect.

• The server that manages the assembly line gets a manual policy: both Malicious and Suspicious are set to Detect.

• A small group of endpoints that test the latest version of the Agent get a Protect/Protect policy, to benchmark the false-positive ratio.
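The following script is an added illustration, not SentinelOne code and not its management API. It models the policy matrix described above (Malicious and Suspicious each set to Protect or Detect), replays constructed detection events through the multi-policy layout from the use case (default policy for most endpoints, Detect/Detect for the assembly-line server, Protect/Protect for a small Agent test group), and audits the assignment against the guidance on this page. The endpoint names, the detection events, and the `max_detect_only` ceiling are assumptions made for the example; the page only says a Detect/Detect policy should be manual and not organization-wide.

```python
"""Policy-mode model for the matrix on this page (added example, not SentinelOne code)."""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    PROTECT = "Protect"  # automatic mitigation plus a Mitigated Threat alert
    DETECT = "Detect"    # alert only, no mitigation


@dataclass(frozen=True)
class Policy:
    malicious: Mode   # action for high-confidence detections (readiness: Mitigate)
    suspicious: Mode  # action for low-confidence detections (readiness: Validate)

    def risk_level(self) -> str:
        """Risk level as the page assigns it to each documented combination."""
        if self.malicious is Mode.DETECT:
            return "High"    # threats run until someone mitigates manually
                             # (Detect/Protect is undocumented; assumed High as well)
        if self.suspicious is Mode.DETECT:
            return "Medium"  # default: mitigate malicious, alert on suspicious
        return "Low"         # Protect/Protect: complete automatic security


DEFAULT_POLICY = Policy(Mode.PROTECT, Mode.DETECT)
FULL_PROTECT = Policy(Mode.PROTECT, Mode.PROTECT)
DETECT_ONLY = Policy(Mode.DETECT, Mode.DETECT)


@dataclass(frozen=True)
class Detection:
    endpoint: str
    classification: str  # "malicious" or "suspicious", as the Agent AI labels it


def expected_outcome(policy: Policy, det: Detection) -> dict:
    """What the page says the Agent does for a detection under a given policy."""
    mode = policy.malicious if det.classification == "malicious" else policy.suspicious
    if mode is Mode.PROTECT:
        return {"mitigated": True,
                "actions": ["process kill", "file quarantine"],
                "alert": "Mitigated Threat"}
    # Detect mode: nothing is blocked; an analyst has to mitigate manually.
    alert = "Active Threat" if det.classification == "malicious" else "Suspicious Activity"
    return {"mitigated": False, "actions": [], "alert": alert}


def audit_assignment(assignment: dict, max_detect_only: int = 1) -> list:
    """Flag endpoint-to-policy assignments that contradict the page's guidance.

    max_detect_only is an assumed ceiling on Detect/Detect endpoints (hypothetical
    value); the page only says that mode must not be the organization-wide policy.
    """
    findings = []
    counts = Counter(assignment.values())
    total = len(assignment)
    if counts[DETECT_ONLY] > max_detect_only:
        findings.append(f"{counts[DETECT_ONLY]} endpoints on Detect/Detect (risk High); "
                        "not recommended as an organization-wide policy")
    if counts[DEFAULT_POLICY] * 2 < total:
        findings.append("fewer than half of endpoints use the default Protect/Detect policy")
    return findings


def replay(assignment: dict, detections: list) -> list:
    """Return (endpoint, classification, alert type) for each detection."""
    return [(d.endpoint, d.classification,
             expected_outcome(assignment[d.endpoint], d)["alert"])
            for d in detections]


# Constructed sample mirroring the page's multi-policy use case (names are made up).
SAMPLE_ASSIGNMENT = {f"ws-{i:02d}": DEFAULT_POLICY for i in range(1, 9)}
SAMPLE_ASSIGNMENT["assembly-line-srv"] = DETECT_ONLY
SAMPLE_ASSIGNMENT.update({"agent-test-01": FULL_PROTECT, "agent-test-02": FULL_PROTECT})

SAMPLE_DETECTIONS = [
    Detection("ws-03", "malicious"),
    Detection("ws-03", "suspicious"),
    Detection("assembly-line-srv", "malicious"),
    Detection("agent-test-01", "suspicious"),
]

if __name__ == "__main__":
    for row in replay(SAMPLE_ASSIGNMENT, SAMPLE_DETECTIONS):
        print(row)
    print(audit_assignment(SAMPLE_ASSIGNMENT) or "assignment matches the page's guidance")
```

Running the script shows the malicious detection on the assembly-line server producing only an Active Threat alert, which is the trade-off the page attaches to a Detect/Detect policy; the audit is the kind of check to run whenever a policy is changed in bulk, so that a High-risk mode does not quietly spread beyond the few endpoints it was chosen for.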
