SCENARIO

Organizations face security risks from unauthorized applications, malware disguised as legitimate software, and shadow IT installations that bypass security policies. Traditional antivirus relies on signature-based detection which can be bypassed by unknown threats, while manual application whitelisting requires constant maintenance and often breaks business workflows when legitimate applications are blocked.

Use this guide when you need to:

Enforce application allow-lists (whitelist) to restrict endpoint execution to approved corporate software only
Block known malicious applications, ransomware executables, or hacking tools across all endpoints
Prevent zero-day threats by only allowing signed applications from trusted publishers
Implement zero-trust application security where nothing runs unless explicitly approved
Comply with security frameworks requiring application control (NIST 800-53, CIS Controls)
Reduce attack surface by blocking unnecessary or risky applications (P2P software, remote access tools, cryptocurrency miners)
Secure cloud and container workloads with automated application control without manual whitelist maintenance
Replace legacy application whitelisting solutions with AI-driven behavioral analysis

Business Impact:

Zero-day protection: Only approved applications execute, blocking unknown malware before signatures exist
Ransomware prevention: Block ransomware executables even if they evade signature detection
Compliance requirements: Meet audit requirements for application control (PCI-DSS 2.2.5, NIST 800-53 CM-7)
Shadow IT elimination: Prevent users from installing unapproved software (games, P2P clients, remote access tools)
Operational simplicity: Automated application control for cloud workloads eliminates manual whitelist maintenance
Reduced alert fatigue: Block known-bad applications proactively instead of remediating infections reactively

SentinelOne Application Control provides intelligent allow-lists and block-lists with automated learning for cloud/container workloads and hash/certificate-based policies for traditional endpoints.

REQUIREMENTS & ASSUMPTIONS

Prerequisites:

SentinelOne Singularity Control or Complete license: Application Control is included in Control tier and above
Minimum agent version: 21.6 or later (verify with sentinelctl.exe status)
Console access: Admin role with Policy Management permissions
Supported platforms:
- Windows 10/11, Windows Server 2016/2019/2022
- macOS 10.15 (Catalina) and later
- Linux (Ubuntu 18.04+, RHEL/CentOS 7+, Debian 9+)
- Cloud workloads (AWS, Azure, GCP)
- Containers (Docker, Kubernetes)

License Verification: Check console for Application Control availability:

Console > Settings > License > Modules: "Application Control" should be listed

Application Control Methods:

Method	Description	Best For
Hash-Based Allow-List	Allow specific file hashes (SHA256)	Known-good corporate applications
Certificate-Based Allow-List	Allow all applications signed by trusted publisher	Applications from trusted vendors (Microsoft, Adobe)
Path-Based Allow-List	Allow executables in specific directories	Controlled software installation directories
Block-List (Hash)	Block specific file hashes	Known malware, hacking tools, unauthorized software
Block-List (Certificate)	Block all applications signed by specific certificate	Untrusted publishers, revoked certificates
Automated (Cloud/Container)	AI learns baseline, auto-allows legitimate apps	Cloud workloads, containerized applications

Assumptions:

Administrators have identified business-critical applications
Approved application inventory is documented
Users have been notified of application control policies before enforcement
Helpdesk is prepared to handle application approval requests
For cloud/container deployments: Baseline learning period (7-14 days) is planned

PROCESS

Step 1: Audit current application usage before enforcement

Before deploying restrictive application control, audit current application execution to avoid blocking legitimate business tools.

Navigate to Console → Activity → Application Execution Logs
Review application execution history (last 30 days):
- What applications are users running?
- Which applications are signed vs. unsigned?
- Are there any unexpected executables (unknown publishers, suspicious paths)?
Generate application inventory report:
- Console → Reports → Application Inventory
- Export to CSV for review:
```
Application Name, Publisher, File Hash, Signature Status, Execution Count, Last Seen
```
Identify business-critical applications:
- Core business apps (Microsoft Office, ERP, CRM systems)
- Development tools (Visual Studio, Git, Docker)
- Communication tools (Slack, Zoom, Microsoft Teams)
- Approved utilities (7-Zip, Notepad++, PDF readers)
Identify unauthorized/risky applications:
- P2P software (BitTorrent, uTorrent)
- Remote access tools (TeamViewer, AnyDesk - unless approved)
- Hacking tools (Mimikatz, PsExec, Metasploit)
- Cryptocurrency miners
- Unsigned executables from unknown publishers
Communicate policy changes to users:
- Send email explaining:
  - Why application control is being implemented (security, compliance)
  - What applications will be blocked (unapproved software, security tools)
  - What applications remain allowed (corporate-approved software)
  - How to request exceptions (helpdesk ticket process)

Result: You have an inventory of approved applications and users are aware of upcoming application control enforcement.

Step 2: Create application allow-list policy

Application allow-lists (whitelists) restrict execution to only approved applications.

Navigate to Console → Settings → Policies
Select a Site or Group (recommend testing on pilot group first)
Click on the policy name (e.g., "Corporate Office Policy")
Scroll to Application Control section and click Configure
Enable Application Control:
- Toggle Application Control to ON

Select enforcement mode:

Mode	Description	Recommended For
Monitor Only	Log application execution but don't block	Initial deployment, policy tuning
Enforce	Actively block applications not on allow-list	Production enforcement after testing

Best Practice: Start with Monitor Only for 2-4 weeks to identify false positives.

Configure default application behavior:

Default Action	Description	Use Case
Allow All	All applications allowed unless explicitly blocked	Permissive (low-security environments)
Block All	All applications blocked unless explicitly allowed	Restrictive (high-security, zero-trust)
Allow Signed	Allow signed apps, block unsigned (recommended)	Balanced security and usability

Recommended: Select Allow Signed Applications from Trusted Publishers (blocks unsigned malware while allowing legitimate signed software).

Save policy configuration

Result: Application Control is enabled in monitoring mode for the selected site/group.

Step 3: Build application allow-list

Method A: Hash-Based Allow-List (most secure, most granular)

Navigate to Console → Settings → Policies → [Policy Name] → Application Control → Allow Rules
Click + New Allow Rule

Example Rule 1: Allow specific corporate application

Rule Name: Allow_Corporate_ERP_Application
Description: Allow Acme Corp ERP Client v5.2

Match Criteria:
- File Hash (SHA256): abc123def456...  (exact hash of erp_client.exe)

Action: Allow
Scope: All endpoints

Notes: Hash obtained from IT application repository

Pros: Most secure - only exact file versions are allowed Cons: Requires updating hashes every time application is updated

Method B: Certificate-Based Allow-List (most scalable)

Rule Name: Allow_Microsoft_Signed_Applications
Description: Allow all applications signed by Microsoft Corporation

Match Criteria:
- Certificate Publisher: Microsoft Corporation
- Certificate Thumbprint: (optional, for specific cert)

Action: Allow
Scope: All endpoints

Example Trusted Publishers:

Microsoft Corporation
Adobe Inc.
Google LLC
Mozilla Corporation
Oracle America, Inc.
Your organization's code-signing certificate

Pros: Auto-allows new versions if signed by same publisher Cons: Less granular - allows all apps from publisher, even if not business-critical

Method C: Path-Based Allow-List (simplest, least secure)

Rule Name: Allow_Program_Files_Applications
Description: Allow applications installed in Program Files (managed by IT)

Match Criteria:
- File Path: C:\Program Files\*
- File Path: C:\Program Files (x86)\*

Action: Allow
Scope: All endpoints

Notes: Assumes users cannot write to Program Files (UAC protected)

Pros: Easy to manage, auto-allows IT-installed software Cons: Can be bypassed if attackers gain admin privileges

Best Practice: Layered Approach

Priority 1: Certificate-based allow-list for trusted publishers (Microsoft, Adobe)
Priority 2: Hash-based allow-list for corporate applications (ERP, custom tools)
Priority 3: Path-based allow-list for C:\Program Files\
Priority 4: Block unsigned executables from user directories (%TEMP%, %APPDATA%, Downloads)

Save allow rules

Result: Application allow-list is configured to permit approved business applications.

Step 4: Create application block-list

Block-lists (denylists) explicitly prevent execution of known-bad applications.

Navigate to Console → Settings → Policies → [Policy Name] → Application Control → Block Rules
Click + New Block Rule

Example Block Rule 1: Block known malware hashes

Rule Name: Block_Mimikatz_Credential_Stealer
Description: Block all known Mimikatz variants

Match Criteria:
- File Hash (SHA256): <list of known Mimikatz hashes>
  Example: 123abc456def...

Action: Block
Logging: Enabled
Scope: All endpoints

Notes: Hashes sourced from VirusTotal, MISP, AlienVault OTX

Example Block Rule 2: Block remote access tools (if unauthorized)

Rule Name: Block_TeamViewer_Unauthorized
Description: Block TeamViewer remote access software (not approved by IT)

Match Criteria:
- File Name: TeamViewer.exe, TeamViewer_Service.exe
- OR Certificate Publisher: TeamViewer Germany GmbH

Action: Block
Logging: Enabled
Alert: Send notification to SOC
Scope: All endpoints EXCEPT Group: IT Administrators (who may need it for support)

Example Block Rule 3: Block cryptocurrency miners

Rule Name: Block_Cryptocurrency_Miners
Description: Block known cryptojacking malware and mining software

Match Criteria:
- File Name: xmrig.exe, nanominer.exe, phoenixminer.exe, cgminer.exe
- OR Process Command Line CONTAINS: -o pool.minexmr.com, stratum+tcp://

Action: Block
Logging: Enabled
Alert: Critical - Potential cryptojacking attack
Scope: All endpoints

Example Block Rule 4: Block hacking tools

Rule Name: Block_Penetration_Testing_Tools
Description: Block unauthorized hacking tools (Metasploit, Cobalt Strike, etc.)

Match Criteria:
- File Name: msfconsole.exe, meterpreter.exe, beacon.exe, mimikatz.exe
- OR File Path CONTAINS: \Metasploit\, \Cobalt Strike\

Action: Block
Logging: Enabled
Alert: Critical - Hacking tool detected
Scope: All endpoints EXCEPT Group: Security Red Team

Example Block Rule 5: Block unsigned executables from risky locations

Rule Name: Block_Unsigned_Executables_User_Directories
Description: Block unsigned apps in temp, downloads, appdata (common malware locations)

Match Criteria:
- Signature Status: Unsigned
- File Path:
  - %TEMP%\*.exe
  - %APPDATA%\*.exe
  - %LOCALAPPDATA%\Temp\*.exe
  - C:\Users\*\Downloads\*.exe

Action: Block
Logging: Enabled
Scope: All endpoints

Save block rules

Result: Known-bad applications and risky executables are blocked proactively.

Step 5: Configure automated application control for cloud/container workloads

For cloud workloads and containers, SentinelOne uses AI-powered automated learning instead of manual whitelists.

Navigate to Console → Settings → Policies → [Cloud Workload Policy] → Application Control
Enable Automated Application Control:
- Toggle Automated Application Control to ON
Configure learning mode:
- Learning Period: 7-14 days (agents learn baseline application behavior)
- During learning: All applications are allowed, agent builds behavioral model
- After learning: Only applications matching learned baseline are allowed
Enforcement behavior:
- Strict Mode: Block any application not seen during learning period (zero-trust)
- Moderate Mode: Allow applications with behavioral similarity to baseline (reduces false positives)
- Monitor Mode: Log violations but don't block (for testing)

Example: Automated Application Control for Kubernetes Cluster

Policy Name: K8s_Production_Application_Control
Description: Auto-learn and enforce application control for production Kubernetes pods

Configuration:
- Learning Period: 14 days
- Enforcement Mode: Strict
- Immutable Enforcement: Enabled (block any changes to container runtime)
- Exception Handling: Alert security team for manual approval

Result:
- After 14 days, only baseline applications execute in production pods
- Any new process (cryptominer, malware, unauthorized tools) is blocked
- Container image updates require re-learning or manual approval

Monitor learned baseline:
- Console → Cloud Workloads → Application Baseline
- Review auto-detected applications:
```
Learned Applications:
- nginx (web server)
- node (application runtime)
- python (scripts)
- sh/bash (shell)
```
Adjust baseline (if needed):
- Add applications manually if learning period missed legitimate tools
- Remove applications if unauthorized software was detected during learning

Result: Cloud and container workloads are secured with automated application control requiring zero manual whitelist maintenance.

Step 6: Test application control policies in Monitor mode

Before enforcing policies, validate they work without blocking business applications.

Set policy to Monitor Only mode:
- Console → Settings → Policies → [Policy Name] → Application Control
- Change Enforcement Mode to Monitor Only
Deploy policy to pilot group
Monitor application execution logs:
- Console → Activity → Application Control Logs
- Filter: Enforcement Mode = Monitor Only
- Review applications that would be blocked if enforcement were enabled

Identify false positives:

Look for blocked legitimate business applications

Example:

Blocked Application (Monitor Only):
Application: custom_tool.exe
Publisher: (unsigned)
Path: C:\IT_Tools\custom_tool.exe
User: john.doe
Reason: Unsigned executable not on allow-list

Investigation: custom_tool.exe is IT-approved system utility
Resolution: Add hash or path exception for custom_tool.exe

Test critical workflows:
- Users run business-critical applications
- Developers compile and run code
- IT administrators run system tools
- Verify no business disruption
Tune allow-list/block-list:
- Add missing business applications to allow-list
- Remove false positives from block-list
- Adjust certificate trust list

Result: Application control policies are validated in Monitor mode, minimizing business disruption when enforcement begins.

Step 7: Enforce application control policies

After testing, switch to active enforcement.

Review and finalize policies:
- Verify all business-critical applications are allowed
- Document approved applications in policy notes
- Notify users before enforcement begins
Switch to Enforce mode:
- Console → Settings → Policies → [Policy Name] → Application Control
- Change Enforcement Mode to Enforce
- Click Save Changes
Policies take effect within 60 seconds

Expected user experience when application is blocked:

Windows: Application execution fails, user sees message:

Application Blocked by Security Policy

The application you attempted to run has been blocked by your organization's security policy.
Contact IT support if you need access to this application.

Application: unapproved_tool.exe
Reason: Not on approved application list

Helpdesk workflow for application approval requests:
- User submits ticket: "Need to run application X for project Y"
- IT reviews request for business justification
- If approved:
  - Identify application hash/certificate from logs
  - Add allow rule to application control policy
  - Rule takes effect within 60 seconds
  - Notify user to retry application

Result: Application control policies actively enforce zero-trust application security.

Step 8: Maintain application control policies

Weekly: Review blocked application events:
- Console → Activity → Application Control Logs
- Filter: Action = Blocked
- Identify patterns (legitimate apps needing approval, malware attempts)
Monthly: Update allow-list for software updates:
- When business applications are updated (new versions):
  - Hash-based rules: Update file hash to new version
  - Certificate-based rules: No action needed (auto-allows new versions if signed by same publisher)
Quarterly: Audit application inventory:
- Review all allowed applications
- Remove stale rules (decommissioned software)
- Add new approved business applications
Continuous: Monitor threat intelligence:
- Update block-list with new malware hashes from threat feeds (VirusTotal, MISP)
- Block newly identified hacking tools
- Subscribe to vendor security advisories for revoked certificates

Result: Application control policies remain effective and aligned with business needs.

VERIFICATION

Verify Application Control is active:

Check policy status:

Console → Settings → Policies → [Policy Name] → Application Control
- Application Control: Enabled
- Enforcement Mode: Enforce

Verify agent receives policy:

On managed endpoint:

# Windows
& "C:\Program Files\SentinelOne\Sentinel Agent *\SentinelCtl.exe" policy show
 
# Look for "Application Control: Enabled"

Test blocking unapproved application:
- Download a test executable (unsigned, not on allow-list)
- Attempt to run it
- Expected result: Execution blocked, event logged in console
Test allowing approved application:
- Run a business application on allow-list
- Expected result: Executes normally, event logged as ALLOWED
Test automated learning (cloud/container):
- Deploy new container with known-good application
- After learning period, verify application is auto-allowed
- Attempt to run unauthorized tool (e.g., curl if not in baseline)
- Expected result: Unauthorized tool blocked

TROUBLESHOOTING

Issue: Application control policies not applying

Symptoms: Applications execute despite block rules

Solutions:

Verify agent version: Must be 21.6+
Check agent connectivity: Agent must be online
Force policy refresh: Restart-Service SentinelAgent
Verify enforcement mode: Must be "Enforce" not "Monitor Only"

Issue: Legitimate application blocked (false positive)

Symptoms: Business-critical app cannot execute

Solutions:

Identify blocked application:
- Console → Activity → Application Control Logs
- Find blocked event, note hash/certificate/path
Create allow rule:
- Add hash, certificate, or path to allow-list
- Set higher priority than blocking rule
Temporary bypass (emergency only):
- Disable Application Control for specific endpoint
- Create exception for user's computer until allow rule is created

Issue: Automated learning blocking legitimate applications

Symptoms: Cloud workload blocks new process not in baseline

Solutions:

Extend learning period:
- Redeploy workload with longer learning (21-30 days)
Manually add application to baseline:
- Console → Cloud Workloads → Application Baseline
- Click + Add Application
- Specify process name/path
Switch to Moderate Mode:
- Reduces false positives by allowing behaviorally similar apps

COMMANDS/SCRIPTS

PowerShell script to export application inventory:

<#
.SYNOPSIS
    Export SentinelOne application inventory
.DESCRIPTION
    Retrieve all executed applications and generate inventory report
.PARAMETER ApiToken
    SentinelOne API token
.PARAMETER ConsoleUrl
    SentinelOne console URL
.PARAMETER Days
    Number of days to audit (default: 30)
#>
 
param(
    [Parameter(Mandatory=$true)]
    [string]$ApiToken,
 
    [Parameter(Mandatory=$true)]
    [string]$ConsoleUrl,
 
    [Parameter(Mandatory=$false)]
    [int]$Days = 30
)
 
$ErrorActionPreference = 'Stop'
 
$headers = @{
    "Authorization" = "ApiToken $ApiToken"
    "Content-Type" = "application/json"
}
 
Write-Host "=== SentinelOne Application Inventory Export ===" -ForegroundColor Cyan
 
$startDate = (Get-Date).AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
 
# Retrieve application execution events
Write-Host "[1/2] Retrieving application execution events (last $Days days)..." -ForegroundColor Yellow
 
$activityFilter = @{
    createdAt__gte = $startDate
    activityTypes = @(5001)  # Application execution
}
 
$activity = Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/activities" -Headers $headers -Method Get -Body $activityFilter
 
Write-Host "[SUCCESS] Retrieved $($activity.data.Count) application events" -ForegroundColor Green
 
# Build application inventory
Write-Host "[2/2] Building application inventory..." -ForegroundColor Yellow
 
$apps = @{}
foreach ($event in $activity.data) {
    $hash = $event.data.fileHash
    if (-not $apps.ContainsKey($hash)) {
        $apps[$hash] = [PSCustomObject]@{
            FileName = $event.data.fileName
            Publisher = $event.data.publisher
            FileHash = $hash
            Signed = $event.data.signed
            ExecutionCount = 0
            FirstSeen = $event.createdAt
            LastSeen = $event.createdAt
        }
    }
    $apps[$hash].ExecutionCount++
    $apps[$hash].LastSeen = $event.createdAt
}
 
$inventory = $apps.Values | Sort-Object ExecutionCount -Descending
 
$outputPath = "C:\Temp\SentinelOne-AppInventory-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
$inventory | Export-Csv -Path $outputPath -NoTypeInformation -Encoding UTF8
 
Write-Host "[SUCCESS] Application inventory exported" -ForegroundColor Green
Write-Host "Report saved to: $outputPath"
Write-Host "`nTop 10 Most Executed Applications:" -ForegroundColor Cyan
$inventory | Select-Object -First 10 | Format-Table FileName, Publisher, ExecutionCount, Signed

REFERENCES

Document Version: 1.0 Last Updated: 2025-11-26 Author: CosmicBytez IT Operations Reviewed By: Security Operations Team

SCENARIO

Use this guide when you need to:

Enforce application allow-lists (whitelist) to restrict endpoint execution to approved corporate software only
Block known malicious applications, ransomware executables, or hacking tools across all endpoints
Prevent zero-day threats by only allowing signed applications from trusted publishers
Implement zero-trust application security where nothing runs unless explicitly approved
Comply with security frameworks requiring application control (NIST 800-53, CIS Controls)
Reduce attack surface by blocking unnecessary or risky applications (P2P software, remote access tools, cryptocurrency miners)
Secure cloud and container workloads with automated application control without manual whitelist maintenance
Replace legacy application whitelisting solutions with AI-driven behavioral analysis

Business Impact:

Zero-day protection: Only approved applications execute, blocking unknown malware before signatures exist
Ransomware prevention: Block ransomware executables even if they evade signature detection
Compliance requirements: Meet audit requirements for application control (PCI-DSS 2.2.5, NIST 800-53 CM-7)
Shadow IT elimination: Prevent users from installing unapproved software (games, P2P clients, remote access tools)
Operational simplicity: Automated application control for cloud workloads eliminates manual whitelist maintenance
Reduced alert fatigue: Block known-bad applications proactively instead of remediating infections reactively

REQUIREMENTS & ASSUMPTIONS

Prerequisites:

SentinelOne Singularity Control or Complete license: Application Control is included in Control tier and above
Minimum agent version: 21.6 or later (verify with sentinelctl.exe status)
Console access: Admin role with Policy Management permissions
Supported platforms:
- Windows 10/11, Windows Server 2016/2019/2022
- macOS 10.15 (Catalina) and later
- Linux (Ubuntu 18.04+, RHEL/CentOS 7+, Debian 9+)
- Cloud workloads (AWS, Azure, GCP)
- Containers (Docker, Kubernetes)

License Verification: Check console for Application Control availability:

Console > Settings > License > Modules: "Application Control" should be listed

Application Control Methods:

Method	Description	Best For
Hash-Based Allow-List	Allow specific file hashes (SHA256)	Known-good corporate applications
Certificate-Based Allow-List	Allow all applications signed by trusted publisher	Applications from trusted vendors (Microsoft, Adobe)
Path-Based Allow-List	Allow executables in specific directories	Controlled software installation directories
Block-List (Hash)	Block specific file hashes	Known malware, hacking tools, unauthorized software
Block-List (Certificate)	Block all applications signed by specific certificate	Untrusted publishers, revoked certificates
Automated (Cloud/Container)	AI learns baseline, auto-allows legitimate apps	Cloud workloads, containerized applications

Assumptions:

Administrators have identified business-critical applications
Approved application inventory is documented
Users have been notified of application control policies before enforcement
Helpdesk is prepared to handle application approval requests
For cloud/container deployments: Baseline learning period (7-14 days) is planned

PROCESS

Step 1: Audit current application usage before enforcement

Before deploying restrictive application control, audit current application execution to avoid blocking legitimate business tools.

Navigate to Console → Activity → Application Execution Logs
Review application execution history (last 30 days):
- What applications are users running?
- Which applications are signed vs. unsigned?
- Are there any unexpected executables (unknown publishers, suspicious paths)?
Generate application inventory report:
- Console → Reports → Application Inventory
- Export to CSV for review:
```
Application Name, Publisher, File Hash, Signature Status, Execution Count, Last Seen
```
Identify business-critical applications:
- Core business apps (Microsoft Office, ERP, CRM systems)
- Development tools (Visual Studio, Git, Docker)
- Communication tools (Slack, Zoom, Microsoft Teams)
- Approved utilities (7-Zip, Notepad++, PDF readers)
Identify unauthorized/risky applications:
- P2P software (BitTorrent, uTorrent)
- Remote access tools (TeamViewer, AnyDesk - unless approved)
- Hacking tools (Mimikatz, PsExec, Metasploit)
- Cryptocurrency miners
- Unsigned executables from unknown publishers
Communicate policy changes to users:
- Send email explaining:
  - Why application control is being implemented (security, compliance)
  - What applications will be blocked (unapproved software, security tools)
  - What applications remain allowed (corporate-approved software)
  - How to request exceptions (helpdesk ticket process)

Result: You have an inventory of approved applications and users are aware of upcoming application control enforcement.

Step 2: Create application allow-list policy

Application allow-lists (whitelists) restrict execution to only approved applications.

Navigate to Console → Settings → Policies
Select a Site or Group (recommend testing on pilot group first)
Click on the policy name (e.g., "Corporate Office Policy")
Scroll to Application Control section and click Configure
Enable Application Control:
- Toggle Application Control to ON

Select enforcement mode:

Mode	Description	Recommended For
Monitor Only	Log application execution but don't block	Initial deployment, policy tuning
Enforce	Actively block applications not on allow-list	Production enforcement after testing

Best Practice: Start with Monitor Only for 2-4 weeks to identify false positives.

Configure default application behavior:

Default Action	Description	Use Case
Allow All	All applications allowed unless explicitly blocked	Permissive (low-security environments)
Block All	All applications blocked unless explicitly allowed	Restrictive (high-security, zero-trust)
Allow Signed	Allow signed apps, block unsigned (recommended)	Balanced security and usability

Recommended: Select Allow Signed Applications from Trusted Publishers (blocks unsigned malware while allowing legitimate signed software).

Save policy configuration

Result: Application Control is enabled in monitoring mode for the selected site/group.

Step 3: Build application allow-list

Method A: Hash-Based Allow-List (most secure, most granular)

Navigate to Console → Settings → Policies → [Policy Name] → Application Control → Allow Rules
Click + New Allow Rule

Example Rule 1: Allow specific corporate application

Rule Name: Allow_Corporate_ERP_Application
Description: Allow Acme Corp ERP Client v5.2

Match Criteria:
- File Hash (SHA256): abc123def456...  (exact hash of erp_client.exe)

Action: Allow
Scope: All endpoints

Notes: Hash obtained from IT application repository

Pros: Most secure - only exact file versions are allowed Cons: Requires updating hashes every time application is updated

Method B: Certificate-Based Allow-List (most scalable)

Rule Name: Allow_Microsoft_Signed_Applications
Description: Allow all applications signed by Microsoft Corporation

Match Criteria:
- Certificate Publisher: Microsoft Corporation
- Certificate Thumbprint: (optional, for specific cert)

Action: Allow
Scope: All endpoints

Example Trusted Publishers:

Microsoft Corporation
Adobe Inc.
Google LLC
Mozilla Corporation
Oracle America, Inc.
Your organization's code-signing certificate

Pros: Auto-allows new versions if signed by same publisher Cons: Less granular - allows all apps from publisher, even if not business-critical

Method C: Path-Based Allow-List (simplest, least secure)

Rule Name: Allow_Program_Files_Applications
Description: Allow applications installed in Program Files (managed by IT)

Match Criteria:
- File Path: C:\Program Files\*
- File Path: C:\Program Files (x86)\*

Action: Allow
Scope: All endpoints

Notes: Assumes users cannot write to Program Files (UAC protected)

Pros: Easy to manage, auto-allows IT-installed software Cons: Can be bypassed if attackers gain admin privileges

Best Practice: Layered Approach

Priority 1: Certificate-based allow-list for trusted publishers (Microsoft, Adobe)
Priority 2: Hash-based allow-list for corporate applications (ERP, custom tools)
Priority 3: Path-based allow-list for C:\Program Files\
Priority 4: Block unsigned executables from user directories (%TEMP%, %APPDATA%, Downloads)

Save allow rules

Result: Application allow-list is configured to permit approved business applications.

Step 4: Create application block-list

Block-lists (denylists) explicitly prevent execution of known-bad applications.

Navigate to Console → Settings → Policies → [Policy Name] → Application Control → Block Rules
Click + New Block Rule

Example Block Rule 1: Block known malware hashes

Rule Name: Block_Mimikatz_Credential_Stealer
Description: Block all known Mimikatz variants

Match Criteria:
- File Hash (SHA256): <list of known Mimikatz hashes>
  Example: 123abc456def...

Action: Block
Logging: Enabled
Scope: All endpoints

Notes: Hashes sourced from VirusTotal, MISP, AlienVault OTX

Example Block Rule 2: Block remote access tools (if unauthorized)

Rule Name: Block_TeamViewer_Unauthorized
Description: Block TeamViewer remote access software (not approved by IT)

Match Criteria:
- File Name: TeamViewer.exe, TeamViewer_Service.exe
- OR Certificate Publisher: TeamViewer Germany GmbH

Action: Block
Logging: Enabled
Alert: Send notification to SOC
Scope: All endpoints EXCEPT Group: IT Administrators (who may need it for support)

Example Block Rule 3: Block cryptocurrency miners

Rule Name: Block_Cryptocurrency_Miners
Description: Block known cryptojacking malware and mining software

Match Criteria:
- File Name: xmrig.exe, nanominer.exe, phoenixminer.exe, cgminer.exe
- OR Process Command Line CONTAINS: -o pool.minexmr.com, stratum+tcp://

Action: Block
Logging: Enabled
Alert: Critical - Potential cryptojacking attack
Scope: All endpoints

Example Block Rule 4: Block hacking tools

Rule Name: Block_Penetration_Testing_Tools
Description: Block unauthorized hacking tools (Metasploit, Cobalt Strike, etc.)

Match Criteria:
- File Name: msfconsole.exe, meterpreter.exe, beacon.exe, mimikatz.exe
- OR File Path CONTAINS: \Metasploit\, \Cobalt Strike\

Action: Block
Logging: Enabled
Alert: Critical - Hacking tool detected
Scope: All endpoints EXCEPT Group: Security Red Team

Example Block Rule 5: Block unsigned executables from risky locations

Rule Name: Block_Unsigned_Executables_User_Directories
Description: Block unsigned apps in temp, downloads, appdata (common malware locations)

Match Criteria:
- Signature Status: Unsigned
- File Path:
  - %TEMP%\*.exe
  - %APPDATA%\*.exe
  - %LOCALAPPDATA%\Temp\*.exe
  - C:\Users\*\Downloads\*.exe

Action: Block
Logging: Enabled
Scope: All endpoints

Save block rules

Result: Known-bad applications and risky executables are blocked proactively.

Step 5: Configure automated application control for cloud/container workloads

For cloud workloads and containers, SentinelOne uses AI-powered automated learning instead of manual whitelists.

Navigate to Console → Settings → Policies → [Cloud Workload Policy] → Application Control
Enable Automated Application Control:
- Toggle Automated Application Control to ON
Configure learning mode:
- Learning Period: 7-14 days (agents learn baseline application behavior)
- During learning: All applications are allowed, agent builds behavioral model
- After learning: Only applications matching learned baseline are allowed
Enforcement behavior:
- Strict Mode: Block any application not seen during learning period (zero-trust)
- Moderate Mode: Allow applications with behavioral similarity to baseline (reduces false positives)
- Monitor Mode: Log violations but don't block (for testing)

Example: Automated Application Control for Kubernetes Cluster

Policy Name: K8s_Production_Application_Control
Description: Auto-learn and enforce application control for production Kubernetes pods

Configuration:
- Learning Period: 14 days
- Enforcement Mode: Strict
- Immutable Enforcement: Enabled (block any changes to container runtime)
- Exception Handling: Alert security team for manual approval

Result:
- After 14 days, only baseline applications execute in production pods
- Any new process (cryptominer, malware, unauthorized tools) is blocked
- Container image updates require re-learning or manual approval

Monitor learned baseline:
- Console → Cloud Workloads → Application Baseline
- Review auto-detected applications:
```
Learned Applications:
- nginx (web server)
- node (application runtime)
- python (scripts)
- sh/bash (shell)
```
Adjust baseline (if needed):
- Add applications manually if learning period missed legitimate tools
- Remove applications if unauthorized software was detected during learning

Result: Cloud and container workloads are secured with automated application control requiring zero manual whitelist maintenance.

Step 6: Test application control policies in Monitor mode

Before enforcing policies, validate they work without blocking business applications.

Set policy to Monitor Only mode:
- Console → Settings → Policies → [Policy Name] → Application Control
- Change Enforcement Mode to Monitor Only
Deploy policy to pilot group
Monitor application execution logs:
- Console → Activity → Application Control Logs
- Filter: Enforcement Mode = Monitor Only
- Review applications that would be blocked if enforcement were enabled

Identify false positives:

Look for blocked legitimate business applications

Example:

Blocked Application (Monitor Only):
Application: custom_tool.exe
Publisher: (unsigned)
Path: C:\IT_Tools\custom_tool.exe
User: john.doe
Reason: Unsigned executable not on allow-list

Investigation: custom_tool.exe is IT-approved system utility
Resolution: Add hash or path exception for custom_tool.exe

Test critical workflows:
- Users run business-critical applications
- Developers compile and run code
- IT administrators run system tools
- Verify no business disruption
Tune allow-list/block-list:
- Add missing business applications to allow-list
- Remove false positives from block-list
- Adjust certificate trust list

Result: Application control policies are validated in Monitor mode, minimizing business disruption when enforcement begins.

Step 7: Enforce application control policies

After testing, switch to active enforcement.

Review and finalize policies:
- Verify all business-critical applications are allowed
- Document approved applications in policy notes
- Notify users before enforcement begins
Switch to Enforce mode:
- Console → Settings → Policies → [Policy Name] → Application Control
- Change Enforcement Mode to Enforce
- Click Save Changes
Policies take effect within 60 seconds

Expected user experience when application is blocked:

Windows: Application execution fails, user sees message:

Application Blocked by Security Policy

The application you attempted to run has been blocked by your organization's security policy.
Contact IT support if you need access to this application.

Application: unapproved_tool.exe
Reason: Not on approved application list

Helpdesk workflow for application approval requests:
- User submits ticket: "Need to run application X for project Y"
- IT reviews request for business justification
- If approved:
  - Identify application hash/certificate from logs
  - Add allow rule to application control policy
  - Rule takes effect within 60 seconds
  - Notify user to retry application

Result: Application control policies actively enforce zero-trust application security.

Step 8: Maintain application control policies

Weekly: Review blocked application events:
- Console → Activity → Application Control Logs
- Filter: Action = Blocked
- Identify patterns (legitimate apps needing approval, malware attempts)
Monthly: Update allow-list for software updates:
- When business applications are updated (new versions):
  - Hash-based rules: Update file hash to new version
  - Certificate-based rules: No action needed (auto-allows new versions if signed by same publisher)
Quarterly: Audit application inventory:
- Review all allowed applications
- Remove stale rules (decommissioned software)
- Add new approved business applications
Continuous: Monitor threat intelligence:
- Update block-list with new malware hashes from threat feeds (VirusTotal, MISP)
- Block newly identified hacking tools
- Subscribe to vendor security advisories for revoked certificates

Result: Application control policies remain effective and aligned with business needs.

VERIFICATION

Verify Application Control is active:

Check policy status:

Console → Settings → Policies → [Policy Name] → Application Control
- Application Control: Enabled
- Enforcement Mode: Enforce

Verify agent receives policy:

On managed endpoint:

# Windows
& "C:\Program Files\SentinelOne\Sentinel Agent *\SentinelCtl.exe" policy show
 
# Look for "Application Control: Enabled"

Test blocking unapproved application:
- Download a test executable (unsigned, not on allow-list)
- Attempt to run it
- Expected result: Execution blocked, event logged in console
Test allowing approved application:
- Run a business application on allow-list
- Expected result: Executes normally, event logged as ALLOWED
Test automated learning (cloud/container):
- Deploy new container with known-good application
- After learning period, verify application is auto-allowed
- Attempt to run unauthorized tool (e.g., curl if not in baseline)
- Expected result: Unauthorized tool blocked

TROUBLESHOOTING

Issue: Application control policies not applying

Symptoms: Applications execute despite block rules

Solutions:

Verify agent version: Must be 21.6+
Check agent connectivity: Agent must be online
Force policy refresh: Restart-Service SentinelAgent
Verify enforcement mode: Must be "Enforce" not "Monitor Only"

Issue: Legitimate application blocked (false positive)

Symptoms: Business-critical app cannot execute

Solutions:

Identify blocked application:
- Console → Activity → Application Control Logs
- Find blocked event, note hash/certificate/path
Create allow rule:
- Add hash, certificate, or path to allow-list
- Set higher priority than blocking rule
Temporary bypass (emergency only):
- Disable Application Control for specific endpoint
- Create exception for user's computer until allow rule is created

Issue: Automated learning blocking legitimate applications

Symptoms: Cloud workload blocks new process not in baseline

Solutions:

Extend learning period:
- Redeploy workload with longer learning (21-30 days)
Manually add application to baseline:
- Console → Cloud Workloads → Application Baseline
- Click + Add Application
- Specify process name/path
Switch to Moderate Mode:
- Reduces false positives by allowing behaviorally similar apps

COMMANDS/SCRIPTS

PowerShell script to export application inventory:

<#
.SYNOPSIS
    Export SentinelOne application inventory
.DESCRIPTION
    Retrieve all executed applications and generate inventory report
.PARAMETER ApiToken
    SentinelOne API token
.PARAMETER ConsoleUrl
    SentinelOne console URL
.PARAMETER Days
    Number of days to audit (default: 30)
#>
 
param(
    [Parameter(Mandatory=$true)]
    [string]$ApiToken,
 
    [Parameter(Mandatory=$true)]
    [string]$ConsoleUrl,
 
    [Parameter(Mandatory=$false)]
    [int]$Days = 30
)
 
$ErrorActionPreference = 'Stop'
 
$headers = @{
    "Authorization" = "ApiToken $ApiToken"
    "Content-Type" = "application/json"
}
 
Write-Host "=== SentinelOne Application Inventory Export ===" -ForegroundColor Cyan
 
$startDate = (Get-Date).AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
 
# Retrieve application execution events
Write-Host "[1/2] Retrieving application execution events (last $Days days)..." -ForegroundColor Yellow
 
$activityFilter = @{
    createdAt__gte = $startDate
    activityTypes = @(5001)  # Application execution
}
 
$activity = Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/activities" -Headers $headers -Method Get -Body $activityFilter
 
Write-Host "[SUCCESS] Retrieved $($activity.data.Count) application events" -ForegroundColor Green
 
# Build application inventory
Write-Host "[2/2] Building application inventory..." -ForegroundColor Yellow
 
$apps = @{}
foreach ($event in $activity.data) {
    $hash = $event.data.fileHash
    if (-not $apps.ContainsKey($hash)) {
        $apps[$hash] = [PSCustomObject]@{
            FileName = $event.data.fileName
            Publisher = $event.data.publisher
            FileHash = $hash
            Signed = $event.data.signed
            ExecutionCount = 0
            FirstSeen = $event.createdAt
            LastSeen = $event.createdAt
        }
    }
    $apps[$hash].ExecutionCount++
    $apps[$hash].LastSeen = $event.createdAt
}
 
$inventory = $apps.Values | Sort-Object ExecutionCount -Descending
 
$outputPath = "C:\Temp\SentinelOne-AppInventory-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
$inventory | Export-Csv -Path $outputPath -NoTypeInformation -Encoding UTF8
 
Write-Host "[SUCCESS] Application inventory exported" -ForegroundColor Green
Write-Host "Report saved to: $outputPath"
Write-Host "`nTop 10 Most Executed Applications:" -ForegroundColor Cyan
$inventory | Select-Object -First 10 | Format-Table FileName, Publisher, ExecutionCount, Signed

REFERENCES

Document Version: 1.0 Last Updated: 2025-11-26 Author: CosmicBytez IT Operations Reviewed By: Security Operations Team

SentinelOne Application Control Policies

SCENARIO

REQUIREMENTS & ASSUMPTIONS

PROCESS

Step 1: Audit current application usage before enforcement

Step 2: Create application allow-list policy

Step 3: Build application allow-list

Step 4: Create application block-list

Step 5: Configure automated application control for cloud/container workloads

Step 6: Test application control policies in Monitor mode

Step 7: Enforce application control policies

Step 8: Maintain application control policies

VERIFICATION

TROUBLESHOOTING

COMMANDS/SCRIPTS

REFERENCES

SentinelOne Threat Investigation Workflow

SentinelOne Control vs Complete Feature Comparison

SentinelOne Create and Manage Exclusion Policies

SentinelOne Application Control Policies

SCENARIO

REQUIREMENTS & ASSUMPTIONS

PROCESS

Step 1: Audit current application usage before enforcement

Step 2: Create application allow-list policy

Step 3: Build application allow-list

Step 4: Create application block-list

Step 5: Configure automated application control for cloud/container workloads

Step 6: Test application control policies in Monitor mode

Step 7: Enforce application control policies

Step 8: Maintain application control policies

VERIFICATION

TROUBLESHOOTING

COMMANDS/SCRIPTS

REFERENCES

SentinelOne Threat Investigation Workflow

SentinelOne Control vs Complete Feature Comparison

SentinelOne Create and Manage Exclusion Policies

SCENARIO

REQUIREMENTS & ASSUMPTIONS

PROCESS

Step 1: Audit current application usage before enforcement

Step 2: Create application allow-list policy

Step 3: Build application allow-list

Step 4: Create application block-list

Step 5: Configure automated application control for cloud/container workloads

Step 6: Test application control policies in Monitor mode

Step 7: Enforce application control policies

Step 8: Maintain application control policies

VERIFICATION

TROUBLESHOOTING

COMMANDS/SCRIPTS

REFERENCES

Related Reading

SCENARIO

REQUIREMENTS & ASSUMPTIONS

PROCESS

Step 1: Audit current application usage before enforcement

Step 2: Create application allow-list policy

Step 3: Build application allow-list

Step 4: Create application block-list

Step 5: Configure automated application control for cloud/container workloads

Step 6: Test application control policies in Monitor mode

Step 7: Enforce application control policies

Step 8: Maintain application control policies

VERIFICATION

TROUBLESHOOTING

COMMANDS/SCRIPTS

REFERENCES

Related Reading