SentinelOne - True Context

True Context is heralded as a gem in SentinelOne’s crown. It minimises the dwell time by neatly linking the attack chain together, allowing your security team to rapidly trace the actions of a breach.

In 2019 the average time-to-containment of a breach was 314 days with 108 days to contain a breach once found. With the average incident responder salary at £62,500, responding to incidents can quickly become an expensive process. Most of the time spent responding to an incident is spent scoping out the extent of the breach and finding the entry point. If we can take this response time down to minutes or, in this case, perhaps even seconds, the savings in both time and money are manifest.

True Context is a feature of SentinelOne’s Complete licence (more on SentinelOne’s licensing options) and is used to contextualise events within their Deep Visibility platform. A True Context ID is provided to every action that happens on the endpoint. True Context gives the same ID to all events and processes that have been spawned from the same action or event, allowing you to see what is directly related to that event. It then ties this to the True Context IDs of the events leading up to it (this could be opening a browser or logging on).

In this article, I cover what True Context tracks, how it can be used, and the solution it provides.

Aims of this article

  • Show two different entry points for a breach and how True Context tags them.

  • See lateral movement within SentinelOne’s management console.

  • How Deep visibility displays this information and is used in investigating incidents.


My Lab

In this article, I show how SentinelOne displays lateral movement, how True Context is able to link the events together to trace back to the entry point of a breach, and how we can see this within Deep Visibility.

The Malware

The malware that I used in this lab was a strain of ransomware named Locky. Locky can be distributed in various ways but is most commonly distributed via emails containing attachments enticing users to open them, or via drive-by-download. To lower the chance of detection and to give you a device in which to pay the ransom from, some ransomware like Locky will only encrypt specific file extensions. Locky scans the computer’s local and remov