Kill, Quarantine, Remediate and Rollback - SentinelOne

Updated: Mar 6, 2020

SentinelOne's mitigation chain for malicious incidents is fourfold, giving organisations the flexibility, speed and efficacy they need to limit their Mean Time To Recovery (MTTR).

Each level includes all the actions taken at the previous mitigation level, e.g. Quarantine will Kill a threat first.


Preventative measures - These actions stop damage from being caused to the Endpoint.


1. Kill

The Kill option stops the attack in its tracks. All active content in documents, executables, and sub-processes is stopped. The agent enables Kill for processes that act contrary to normal endpoint behaviour, or that do not fit the actions of the application the process is hiding in.


2. Quarantine

The Quarantine option encrypts malicious executables and moves them to a confined path. Quarantined files can be retrieved from the SentinelOne Management console for further analysis, e.g. detonation in a sandbox.
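To make the Quarantine step concrete, here is an added example (not SentinelOne's code, and not the agent's actual quarantine format) of the two properties the paragraph describes: the sample is encrypted so it can no longer be executed or re-scanned as a live binary, and it is moved to a confined directory with enough metadata to retrieve it later for analysis. The cipher is a stdlib-only CTR-style keystream built from HMAC-SHA256 with a per-file nonce, chosen here only to avoid third-party dependencies; the `S1QUAR` header, the `.quar`/`.json` naming and the sample "malicious" bytes are all constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

MAGIC = b"S1QUAR"  # constructed container marker, not the product's real format
NONCE_LEN = 16


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a CTR-style keystream derived from HMAC-SHA256(key, nonce||counter).

    Symmetric: calling it twice with the same key/nonce restores the plaintext.
    The per-file nonce prevents keystream reuse when one key quarantines many files.
    """
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def quarantine_file(path: str, quarantine_dir: str, key: bytes) -> dict:
    """Encrypt the file, move the ciphertext into the confined directory, record metadata."""
    src = Path(path)
    data = src.read_bytes()
    sha = hashlib.sha256(data).hexdigest()
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    nonce = os.urandom(NONCE_LEN)
    qfile = qdir / f"{sha}.quar"
    # Header + nonce + ciphertext: the stored blob never contains the original bytes.
    qfile.write_bytes(MAGIC + nonce + _keystream_xor(key, nonce, data))
    meta = {"original_path": str(src.resolve()), "sha256": sha, "size": len(data)}
    (qdir / f"{sha}.json").write_text(json.dumps(meta))
    src.unlink()  # the threat is removed from its original location
    return {"quarantined": str(qfile), **meta}


def retrieve_for_analysis(qfile: str, dest_dir: str, key: bytes) -> Path:
    """Decrypt a quarantined sample into an analysis directory (e.g. for sandbox detonation)."""
    qpath = Path(qfile)
    blob = qpath.read_bytes()
    if not blob.startswith(MAGIC):
        raise ValueError("not a quarantine container")
    nonce = blob[len(MAGIC):len(MAGIC) + NONCE_LEN]
    data = _keystream_xor(key, nonce, blob[len(MAGIC) + NONCE_LEN:])
    meta = json.loads(qpath.with_suffix(".json").read_text())
    # Integrity check: the restored bytes must match the hash recorded at quarantine time.
    if hashlib.sha256(data).hexdigest() != meta["sha256"]:
        raise ValueError("quarantined sample failed integrity check")
    dest = Path(dest_dir) / (Path(meta["original_path"]).name + ".sample")
    dest.write_bytes(data)
    return dest


def demo() -> dict:
    """Round-trip a constructed (harmless) sample through quarantine and retrieval."""
    key = os.urandom(32)  # in a real agent this key would be protected by the platform
    original = b"MZ" + b"constructed harmless sample, not real malware " * 20
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "dropper.exe"
        sample.write_bytes(original)
        info = quarantine_file(str(sample), os.path.join(tmp, "quarantine"), key)
        stored = Path(info["quarantined"]).read_bytes()
        restored = retrieve_for_analysis(info["quarantined"], tmp, key)
        return {
            "original_removed": not sample.exists(),
            "ciphertext_hides_plaintext": original not in stored,
            "restored_matches": restored.read_bytes() == original,
            "sha256": info["sha256"],
        }


if __name__ == "__main__":
    print(demo())
```

The metadata sidecar is what lets an analyst map a quarantined blob back to where it was found, and the hash check on retrieval catches a corrupted or tampered container before anything is handed to a sandbox.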


Response measures - These measures are used to restore an Endpoint to a pre-attack state.


3. Remediate

The Remediate response measure removes linked libraries, deletes seed files, and restores the configuration of the OS, application, and user settings to the state before an attack began.


4. Rollback (Windows Only)