SentinelOne - Path Exclusion

Path Exclusion is a feature in SentinelOne that allows an administrator to suppress false positive events originating from specific files and processes. It also enables an administrator to exclude a path or file from monitoring where there are any interoperability issues. The exclusion also applies to processes whose route process is in the excluded path or file, meaning that if a process creates other child-processes the exclusion will apply to them too.

Exclusion modes: There exist five different modes of Path exclusions. These modes limit the amount of interaction and monitoring that the Agent has over the selected processes. While useful on suppressing the false-positive events on an environment, the exclusion of a path blocks the Agent from mitigating a legitimate threat and to have full visibility over that process. It is very important for admins to make sure that the detection the exclusion is based on, is a false positive.

Suppress Alerts: This is the default Path exclusion. With this mode selected the Agent does not display alerts or mitigate detections on the excluded processes

• It can be used to stop false positives from a specific file process

• If the root threat group is suppressed, events of the child processes are also suppressed

Interoperability: This option reduces the monitoring level on the excluded process in addition to suppressing alerts. The Agent continues the monitoring and usage of kernel events.

• Use cases:

  1. Can be used to create a PoC (Proof of Concept) when SentinelOne is running next to another existing vendor.

  2. Can be used to mitigate performance problems of applications because of SentinelOne’s monitoring

Interoperability Extended: Reduces the monitoring level on the excluded process and their child processes.

• Use case:

  1. This is useful when the interoperability issues still exist after the interoperability mode has been enabled.

*Performance focus: Disables the monitoring of processes completely. Moreover, it stops the Agent from monitoring kernel events generated by the process.

• Use case:

  1. Can be used to solve issues where a specific application generates many events and causes high CPU utilization on the endpoint due to Agent event analysis.

*Performance focus extended: Disables monitoring of excluded processes and their child processes.

• Use case:

  1. To solve issues where a specific application generates many events resulting in high CPU utilization, and the problem has not been resolved with “Performance Focus” mode enabled.

*Performance focus and Performance focus extended cause the agent to lose visibility of actions originating from the excluded path/file. As a result, these options should only be used under the instruction of SentinelOne Support to ensure the security of your systems is not a casualty of such an exclusion.