This article is based on SentinelOne community documentation last updated on Aug 27, 2025
Mitigation of Malicious and Suspicious Threats
The Agent mitigates threats automatically based on the AI Confidence level if the policy is set to Protect. If the policy is set to Detect, threats are not mitigated automatically.
These Mitigation actions are available for each Operating System:
| Action | Windows | macOS | Linux & K8s | Windows Legacy |
| --- | --- | --- | --- | --- |
| Kill | ✅ | ✅ | ✅ | ✅ |
| Quarantine | ✅ | ✅ | ✅ | |
| Remediate | ✅ | ✅ | | |
| Rollback | ✅ | | | |
| Unquarantine | ✅ | ✅ | ✅ | |
Note: For static threats on all Operating Systems, only Kill and Quarantine are available. This is because static threats do not change or create processes.
For true positive threats:
Before you run mitigation actions:
Decide if you will mitigate only the specific threat or all threats in your scope (if others exist).
Decide if you want to block this threat automatically in the future by adding it to the blocklist with the desired scope.
All of these options are available from the Mitigation action window.
For false positive threats:
If you think that a threat is not really a threat, mark the Analyst Verdict as False Positive. This changes the Status of the threat to Marked as Benign.
Decide if only this specific instance is benign or if you want to create an exclusion for all instances in your scope.
If you create an exclusion, you can choose the type (from those available) and scope in the New Exclusion window that opens.
These actions are available for threats:
Connect or Disconnect - Puts an endpoint in network quarantine, or restores a disconnected endpoint. If you think that the threat might attack other endpoints or communicate with the external network, you can quarantine the endpoint from the network. This can be an effective first response before you run other mitigations.
Tip: You can enable Disconnect from Network in the policy to automate network quarantine when an endpoint has a non-mitigated threat.
Mitigation Actions
Kill - Stops all processes related to the threat.
Quarantine - Moves the threat and the executables created or changed by the threat to a confined path, archives the files, and encrypts the archive.
Note: In Linux, only created files, not changed files, are quarantined.
Remediate - Deletes all files and system changes created by the threat.
If you select Remediate, Kill and Quarantine also run, if they were not already completed.
Note: If you have Remediate selected as part of your policy, the threat files are deleted automatically and you cannot unquarantine them.
Rollback - (Windows only) Restores the endpoint to a saved VSS snapshot, undoing the changes made by the process and its associated assets.
This option is best for ransomware mitigation and disaster recovery.
Remediate runs first and must finish before Rollback starts.
If Remediate does not complete with success, Rollback cannot start.
If Rollback is forced without Remediate, the rollback can restore files that the threat created.
If you select Remediate, and Kill requires a reboot, all mitigation actions will show Pending.
Add To Blocklist - To automate threat handling, the Agent adds the detection to the blocklist on the Management for the current scope.
This changes the Analyst Verdict of the threat to True Positive.
If this threat is detected on a different endpoint in your deployment, the Agent blocks the detection immediately.
A description is added to the blocklist entry to help you understand the source of items on the Blocklist page.
Add To Exclusions - The Management adds the threat to the Exclusions of the current scope.
This changes the Analyst Verdict of the threat to False Positive.
The Exclusion types that show are based on the data available in the threat.
A description is added to the exclusion, to help you understand the source of items on the Exclusions page.
Tip: Keep all exclusions on the narrowest Scope possible. Path type exclusions have different modes. The Suppress Alerts Exclusion Mode is the default and usually resolves False Positives.
Unquarantine - This undoes the actions of Quarantine, which encrypts the file, changes its properties, and moves it to a confined path.
Unquarantine restores the file to its original state in its original path.
The option is available if a file was quarantined successfully.
Add a Note - Adds a note to the Notes section of the alert.
To Run Mitigation and Threat Actions:
Mitigate Threat
From Detection & Response > Antivirus Threats, select one or more issues.
Click Remediate from the issue details drawer.
From the Remediation options, select Mitigate Threat.
Select a mitigation action: Kill, Quarantine, Remediate, or Rollback.
When you select an action, the actions on its left are selected automatically.
For example, if you click Remediate, Kill and Quarantine are selected automatically.
Add Hash to Blocklist - See definition above and check the box if this is required.
The Hash can be investigated by following the link to VirusTotal.
Select an Analyst Verdict - Choose True Positive or Suspicious.
Add an additional note - Adds a note to the Notes section of the threat.
Click Remediate. This changes the Incident Status to Resolved.
Note: Resolving a threat may cause unquarantine actions to fail and limit the ability of the Agent to run other mitigation actions on the threat.
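The rules in the Mitigation Actions definitions and in the Mitigate Threat steps above (per-OS availability, the static-threat restriction, the left-to-right selection cascade, Remediate finishing before Rollback, and a reboot-dependent Kill leaving everything Pending) can be checked against a small model. The following is an added illustrative model, not SentinelOne Agent or API code; the `Threat` class, the function names, and the status strings are assumptions made for the example, and the availability matrix is copied from the table on this page.

```python
"""Added example: a model of the mitigation-action rules described on this page.
Not SentinelOne code; names, statuses and the Threat type are assumptions."""
from __future__ import annotations

from dataclasses import dataclass

# Console order of the mitigation actions; selecting one also selects those to its left.
ORDER = ("Kill", "Quarantine", "Remediate", "Rollback")

# Availability per Operating System, taken from the table on this page.
AVAILABLE = {
    "Windows": {"Kill", "Quarantine", "Remediate", "Rollback", "Unquarantine"},
    "macOS": {"Kill", "Quarantine", "Remediate", "Unquarantine"},
    "Linux & K8s": {"Kill", "Quarantine", "Unquarantine"},
    "Windows Legacy": {"Kill"},
}

# Static threats do not change or create processes, so only these actions apply.
STATIC_ONLY = {"Kill", "Quarantine"}


@dataclass(frozen=True)
class Threat:
    os: str        # one of the AVAILABLE keys
    static: bool   # True for a static (file-only) detection


def available_actions(threat: Threat) -> set[str]:
    """Return the actions the console can offer for this threat."""
    actions = AVAILABLE[threat.os]
    return actions & STATIC_ONLY if threat.static else set(actions)


def cascade(threat: Threat, selected: str) -> list[str]:
    """Return the ordered actions that run when `selected` is chosen:
    the selected action plus every action to its left."""
    if selected not in available_actions(threat):
        raise ValueError(f"{selected} is not available for {threat.os} (static={threat.static})")
    return list(ORDER[: ORDER.index(selected) + 1])


def auto_mitigation(policy_mode: str, threat: Threat, policy_action: str) -> list[str]:
    """Protect policies mitigate automatically; Detect policies only alert."""
    if policy_mode == "Detect":
        return []
    return cascade(threat, policy_action)


def execute(
    threat: Threat,
    selected: str,
    *,
    remediate_succeeds: bool = True,
    kill_needs_reboot: bool = False,
    already_completed: frozenset[str] = frozenset(),
) -> dict[str, str]:
    """Simulate one mitigation run and return a status per action.

    - Actions already completed are not repeated.
    - If Remediate is selected and Kill needs a reboot, everything shows Pending.
    - Rollback starts only after Remediate completed with success.
    """
    plan = cascade(threat, selected)
    if kill_needs_reboot and "Remediate" in plan:
        return {action: "Pending" for action in plan}

    result: dict[str, str] = {}
    for action in plan:
        if action in already_completed:
            result[action] = "Already completed"
            continue
        if action == "Rollback" and result.get("Remediate") != "Completed":
            result[action] = "Not started"   # Remediate must finish first
            continue
        if action == "Remediate" and not remediate_succeeds:
            result[action] = "Failed"
            continue
        result[action] = "Completed"
    return result


if __name__ == "__main__":
    win = Threat("Windows", static=False)
    print(cascade(win, "Rollback"))
    print(execute(win, "Rollback", remediate_succeeds=False))
```

Running the block shows that choosing Rollback on a Windows endpoint queues all four actions, and that when Remediate fails, Rollback is left at "Not started" rather than being forced, which is the behaviour the definitions above describe.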
Mark as Safe
From Detection & Response > Antivirus Threats, select one or more issues.
Click Remediate from the issue details drawer.
From the Remediation options, select Mark as Safe.
Select a mitigation action: Keep in Quarantine or Unquarantine.
Add Hash to Exclusion - See definition above and check the box if this is required.
The Hash can be investigated by following the link to VirusTotal.
Analyst Verdict is always defined as "False Positive".
Add an additional note - Adds a note to the Notes section of the threat.
Click Remediate. This changes the Incident Status to Resolved.