Policy Mode Best Practices
We gathered best practices for policy management from SentinelOne experts and from our wide global install base. Best
Important! Manual judgment is required, based on your organization's culture, requirements, regulation compliance, and other
proprietary factors. Keep in mind your Risk Level Management processes, as you balance your policies between security
Definitions

Detect
Sets the Agent action: Send alerts but do not automatically mitigate.

Malicious
Agent AI result with a high confidence that a detection is malicious and a readiness level of Mitigate.

Policy
Set of mitigation actions that defines the behavior of SentinelOne Agents and their detection engines.

Protect
Sets the Agent action: Automatically mitigate malicious actors with process kill (for known and unknown threats), file quarantine, and remediate (if there are malicious changes) or rollback (for Ransomware). Send Mitigated Threat alerts.

Suspicious
Agent AI result with a low confidence that a detection is malicious and a readiness level of Validate (usually requires manual analysis). The file or process behavior shows it does or can do harm, or creates harmful files or processes.

Threat - Protect / Suspicious - Detect (Default Policy)

Protection Mode Results:
The Agent automatically mitigates threats with process kill and file quarantine. For suspicious detections, t

Risk Level:
Medium. This policy is a balance between automatic mitigation of high-confidence threats and undisturbed business activity

When to use?
This is the default recommended policy mode for mass deployments. It is the most popular with the SentinelOne install bas

Threat - Protect / Suspicious - Protect

When to use?
This option gives the highest level of security and real-time protection. It is required for the SentinelOne ransomware warra

Use cases:
- Organizations that lack analyst headcount to manually mitigate all threats. The impact is the possibility of false-p
- Organizations with multiple endpoints that are constantly exposed to risk, such as a professional services group o
- Early adopter organizations with small deployments. The impact is the need to search for false-positives and chan

Threat - Detect / Suspicious - Detect

Protection Mode Results:
All malicious activities create Active Threat or Suspicious Activity alerts but no mitigation occurs.
Note: No execution is blocked when in Detect mode. In earlier Windows Agent versions (before 3.1), the Agent blocked ex

Risk Level:
High. Threats of all kinds will execute until you manually mitigate them.

When to use?
This is not recommended as an organization-wide long-term policy. The implied Risk Level is too high, and the benefits of
for endpoints with very high sensitivity to business process interruptions, such as production floor servers. But we recomme

Note:
The majority of endpoints get the default policy: Malicious is set to Protect and Suspicious is set to Detect.
The server that manages the assembly line gets a manual policy: both Malicious and Suspicious are set to Detect.
A small group of endpoints that test the latest version of the Agent get a Protect/Protect policy, to benchmark the false-positive ratio.