SCENARIO
SentinelOne exclusion policies allow security teams to prevent false-positive detections and performance issues by excluding specific files, folders, processes, or file extensions from real-time scanning and behavioral monitoring. Properly configured exclusions ensure business-critical applications function correctly while maintaining comprehensive endpoint protection.
Use this method when:
- Business-critical applications generate false-positive threat detections
- Development/build environments require reduced monitoring (compilers, databases)
- Backup software or deployment tools conflict with agent monitoring
- Performance-sensitive applications experience slowdowns due to scanning
- Third-party security tools create scanning conflicts (DLP, encryption software)
- Line-of-business applications use unsigned executables or dynamic code generation
REQUIREMENTS & ASSUMPTIONS
Prerequisites:
- SentinelOne Management Console access with Admin or Site Admin role
- Understanding of the application/process requiring exclusion
- Documented business justification for exclusion (security policy requirement)
- Knowledge of exclusion scope (specific site, group, or global)
- Application file paths, process names, or file extensions to exclude
Assumed Environment:
- SentinelOne agents deployed and connected to management console
- Agents running version 21.5+ (earlier versions have limited exclusion capabilities)
- Policy management permissions for target site or group
- Change management approval for production exclusions (recommended)
Required Information:
- Exclusion type: Path, Hash, Certificate, Browser, or Cloud
- Exclusion scope: Static (file engine) or Interoperability (behavioral engine)
- Target scope: Global, Site-specific, or Group-specific
- Justification documentation for audit purposes
PROCESS
Step 1: Identify the exclusion requirement
Before creating exclusions, gather comprehensive information about the application or process:
Document the following:
- Application name and version
- Full file paths (installation directory, data directories, log directories)
- Process names (.exe files)
- File extensions generated by the application
- Specific threat detections or performance issues observed
- Business impact if exclusion is not implemented
- Security risk assessment of the exclusion
Example documentation:
Application: Acme Backup Pro 5.2
Issue: False-positive malware detections on backup executables
Threat IDs: Multiple detections of "Suspicious.Behavior.PowerShell"
File Paths:
- C:\Program Files\Acme Backup\
- D:\BackupCache\
Processes: AcmeBackup.exe, AcmeAgent.exe
Extensions: .bkf, .tmp
Business Impact: Critical - nightly backups failing
Risk Assessment: Low - signed executable from trusted vendor
Approval: Ticket #12345, approved by CISO
Step 2: Navigate to Exclusions in the console
- Log in to the SentinelOne Management Console
- In the left navigation pane, click Sentinels
- Click Exclusions (or navigate directly to Settings → Exclusions depending on console version)
- Review existing exclusions to avoid duplicates:
- Use the search bar to filter by path, hash, or description
- Check Scope column to understand coverage (Global, Site, Group)
- Review Mode to see if Static or Interoperability exclusions exist
Console navigation shortcut:
- Direct URL:
https://yourtenant.sentinelone.net/exclusions
Step 3: Determine exclusion type and scope
SentinelOne supports multiple exclusion types:
Exclusion Types:
-
Path Exclusion - Excludes specific files, folders, or wildcards
- Use case: Application directories, data folders
- Example:
C:\Program Files\Acme Backup\** - Supports wildcards:
*(single level),**(recursive)
-
Hash Exclusion - Excludes specific file based on SHA256 hash
- Use case: Specific executables that shouldn't be modified
- Example: SHA256 hash of trusted signed executable
- Most secure option (tamper-proof)
-
Certificate Exclusion - Excludes all files signed by specific certificate
- Use case: All applications from trusted vendor
- Example: Microsoft, Adobe, vendor-specific certificates
- Requires code-signed executables
-
Browser Exclusion - Excludes specific websites/URLs from browser monitoring
- Use case: Internal web applications flagged as suspicious
- Example:
https://internal-app.company.local/*
-
Cloud Exclusion - Excludes cloud-based file storage paths
- Use case: OneDrive, Dropbox, SharePoint sync folders
- Example:
%USERPROFILE%\OneDrive\**
Exclusion Modes:
-
Static (File Engine) - Excludes from on-access file scanning
- Scope: File read/write operations, file creation
- Impact: Files not scanned when accessed
- Use for: Performance optimization, backup software
-
Interoperability (Behavioral Engine) - Excludes from behavioral monitoring
- Scope: Process behavior, memory monitoring, network activity
- Impact: Process behaviors not analyzed for threats
- Use for: DevOps tools, compilers, legitimate admin tools
Best Practice: Use the most specific exclusion type and narrowest scope possible.
Step 4: Create a path exclusion (most common)
For static file scanning exclusion:
-
In the Exclusions page, click + New Exclusion (or Actions → Create Exclusion)
-
In the Create Exclusion wizard:
General Settings:
- Type: Select Path
- Operating System: Select Windows (or Linux/macOS as appropriate)
- Scope: Choose scope:
- Account (Global across all sites)
- Site (Select specific site from dropdown)
- Group (Select specific device group)
Path Configuration:
- Path Type: Select File or Folder
- Path: Enter full path with wildcards if needed
- Single folder:
C:\Program Files\Acme Backup\ - Recursive folder:
C:\Program Files\Acme Backup\** - Specific file:
C:\Program Files\Acme Backup\AcmeBackup.exe - All user profiles:
C:\Users\**\AppData\Local\Acme\** - Extension-based:
C:\Data\**\*.bkf
- Single folder:
Mode Selection:
- Check Static (File Engine) - Excludes from on-access scanning
- Check Interoperability (Behavioral Engine) - Excludes from behavioral monitoring
- Or check both as needed
Process Exclusions (Interoperability only):
- If excluding process behavior, specify process name
- Process Name:
AcmeBackup.exe - Include Child Processes: Check if child processes should also be excluded
Metadata:
- Description: Enter detailed justification
- Example: "Acme Backup Pro v5.2 - False positives on backup operations. Approved ticket #12345"
- Reference URL (optional): Link to approval ticket or documentation
-
Click Create to save the exclusion
Verification:
- Exclusion appears in the list with status Active
- Scope shows correct target (Global/Site/Group)
- Mode indicates Static and/or Interoperability
Step 5: Create a hash exclusion (most secure)
Use hash exclusions for specific executables that should never be modified:
- Obtain the SHA256 hash of the file:
# On endpoint with the file
Get-FileHash -Path "C:\Program Files\Acme Backup\AcmeBackup.exe" -Algorithm SHA256
# Output example:
# Algorithm Hash Path
# --------- ---- ----
# SHA256 8D969EEF6ECAD3C29A3A629280E686CF0C3F5D5A86AFF3CA12020C923ADC6C92 C:\Program Files...- In the SentinelOne console, click + New Exclusion
- Configure the hash exclusion:
- Type: Hash
- Operating System: Windows
- Scope: Select appropriate scope (Site/Group)
- Hash: Paste the SHA256 hash (without spaces)
- Mode: Check Static and/or Interoperability
- Description: "Acme Backup executable v5.2.0.1234 - SHA256 hash exclusion"
- Click Create
Advantages of hash exclusions:
- Most secure: Only exact file is excluded (prevents tampering)
- Version-specific: New versions require new exclusions (ensures review)
- No false matches: Hash is cryptographically unique
Disadvantages:
- Must update exclusion when application is updated
- Requires manual hash collection for each file
Step 6: Create a certificate exclusion (vendor-wide)
Exclude all executables signed by a trusted vendor:
- Obtain the certificate details from a signed file:
# Get certificate details
$file = Get-AuthenticodeSignature -FilePath "C:\Program Files\Acme Backup\AcmeBackup.exe"
$cert = $file.SignerCertificate
Write-Host "Certificate Issuer: $($cert.Issuer)"
Write-Host "Certificate Subject: $($cert.Subject)"
Write-Host "Certificate Thumbprint: $($cert.Thumbprint)"- In the console, click + New Exclusion
- Configure certificate exclusion:
- Type: Certificate
- Operating System: Windows
- Scope: Select scope (often Global for major vendors)
- Certificate Identifier: Enter certificate thumbprint or subject name
- Example thumbprint:
8D969EEF6ECAD3C29A3A629280E686CF0C3F5D5A86AFF3CA12020C923ADC6C92 - Example subject:
CN=Acme Corporation, O=Acme Corp, L=Seattle, S=Washington, C=US
- Example thumbprint:
- Mode: Check Static and/or Interoperability
- Description: "Acme Corporation code-signing certificate - all signed applications"
- Click Create
When to use certificate exclusions:
- Trusted vendor with multiple applications (Microsoft, Adobe)
- Organization has many applications from same vendor
- Vendor uses consistent code-signing practices
- Reduced administrative overhead (no per-file exclusions)
Security consideration: Certificate exclusions are broad. Use only for highly trusted vendors.
Step 7: Create browser/cloud exclusions (specialized)
Browser Exclusion (for internal web applications):
- Click + New Exclusion
- Configure:
- Type: Browser
- URL Pattern: Enter URL with wildcards
- Example:
https://internal-crm.company.local/* - Wildcard all subdomains:
https://*.company.local/*
- Example:
- Browsers: Select specific browsers (Chrome, Edge, Firefox) or All
- Scope: Select scope
- Description: "Internal CRM application - browser monitoring exclusion"
- Click Create
Cloud Exclusion (for OneDrive/Dropbox):
- Click + New Exclusion
- Configure:
- Type: Path (not a separate Cloud type in most console versions)
- Path: Use environment variables for user-specific paths
- OneDrive:
%USERPROFILE%\OneDrive\** - Dropbox:
%USERPROFILE%\Dropbox\** - SharePoint:
%LOCALAPPDATA%\Microsoft\Office\**
- OneDrive:
- Mode: Typically Static only (file scanning)
- Scope: Global or Site
- Description: "OneDrive synchronization folder - performance optimization"
- Click Create
Step 8: Apply exclusions to specific groups
For granular control, apply exclusions to device groups instead of sites:
-
Create or identify the target group:
- Navigate to Sentinels → Groups
- Create new group: Click + Create Group
- Name:
Development Workstations - Type: Static or Dynamic
- Filter criteria (for Dynamic):
computerName contains "DEV-"
- Name:
- Add agents to static group if needed
-
Create exclusion scoped to group:
- Navigate to Exclusions
- Click + New Exclusion
- Scope: Select Group and choose
Development Workstations - Configure exclusion as normal (path, mode, etc.)
- Description: Include group name in description for clarity
-
Verify group assignment:
- Navigate to the exclusion in the list
- Click on exclusion to view details
- Verify Scope shows correct group name
- Click Affected Devices to see list of agents with this exclusion
Step 9: Test and validate exclusions
Method 1: Check exclusion application on endpoint
After creating the exclusion, verify it's applied to target endpoints:
# On the endpoint, check SentinelOne agent log for exclusion update
$logPath = "C:\ProgramData\SentinelOne\Logs\Agent.log"
Select-String -Path $logPath -Pattern "exclusion" -Context 0,2 | Select-Object -Last 10
# Expected output: Log entries showing exclusion policy updateMethod 2: Test file detection
- Place a test file in the excluded path:
# Create test file in excluded directory
New-Item -Path "C:\Program Files\Acme Backup\test-exclusion.txt" -ItemType File -Value "Test content" -Force- Download EICAR test file (safe malware test file) to excluded path:
# EICAR test file (harmless malware test signature)
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$eicar | Out-File -FilePath "C:\Program Files\Acme Backup\eicar.com" -Encoding ASCII -NoNewline-
Expected behavior:
- If exclusion working: No threat detection
- If exclusion not working: Threat detected and quarantined within seconds
-
Check console for threat detection:
- Navigate to Sentinels → Threats
- Search for recent detections on test endpoint
- If EICAR not detected = exclusion working correctly
Method 3: Review exclusion coverage
# PowerShell script to verify exclusion coverage
$excludedPaths = @(
"C:\Program Files\Acme Backup\",
"D:\BackupCache\"
)
foreach ($path in $excludedPaths) {
if (Test-Path $path) {
Write-Host "[FOUND] Excluded path exists: $path" -ForegroundColor Green
} else {
Write-Host "[MISSING] Excluded path not found: $path" -ForegroundColor Yellow
Write-Host " Exclusion may be ineffective - verify path is correct" -ForegroundColor Yellow
}
}Step 10: Monitor and audit exclusions
Create exclusion audit report:
- Navigate to Exclusions page
- Use filters to review exclusions by:
- Scope: Filter by Global/Site/Group
- Mode: Filter by Static vs. Interoperability
- Type: Filter by Path/Hash/Certificate
- Click Export to download CSV of all exclusions
- Review exclusions quarterly for:
- Obsolete exclusions (applications no longer in use)
- Overly broad exclusions (wildcard abuse)
- Undocumented exclusions (missing justifications)
Automated exclusion monitoring via API:
# Retrieve all exclusions via SentinelOne API
$apiToken = "your-api-token-here"
$consoleUrl = "https://yourtenant.sentinelone.net"
$headers = @{
"Authorization" = "ApiToken $apiToken"
"Content-Type" = "application/json"
}
$exclusions = Invoke-RestMethod -Uri "$consoleUrl/web/api/v2.1/exclusions" -Headers $headers -Method Get
# Export to CSV for review
$exclusions.data | Select-Object id, type, value, mode, osType, description, scope, createdAt | Export-Csv -Path "C:\Temp\SentinelOne-Exclusions-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Write-Host "Total exclusions: $($exclusions.data.Count)"
Write-Host "Report saved to: C:\Temp\SentinelOne-Exclusions-$(Get-Date -Format 'yyyyMMdd').csv"VERIFICATION
Verify exclusion created successfully:
- Navigate to Sentinels → Exclusions
- Search for the exclusion by path, hash, or description
- Verify the following attributes:
- Status: Active (green indicator)
- Type: Correct exclusion type (Path/Hash/Certificate)
- Value: Correct path, hash, or certificate identifier
- Mode: Correct mode (Static and/or Interoperability)
- Scope: Correct scope (Global/Site/Group)
- Description: Justification documented
- Click on the exclusion to view full details
- Review Affected Devices count to ensure expected agents are covered
Verify exclusion applied to endpoints:
# Check agent log for policy update
$agentLog = Get-Content "C:\ProgramData\SentinelOne\Logs\Agent.log" -Tail 200
$exclusionUpdates = $agentLog | Select-String -Pattern "exclusion.*updated|policy.*received"
if ($exclusionUpdates) {
Write-Host "[SUCCESS] Exclusion policy received by agent" -ForegroundColor Green
$exclusionUpdates | Select-Object -Last 5
} else {
Write-Host "[WARNING] No recent exclusion policy updates in log" -ForegroundColor Yellow
}Functional test:
- Place EICAR test file in excluded path (see Step 9)
- Verify no threat detection occurs
- Place EICAR test file in non-excluded path
- Verify threat is detected and quarantined
- Remove test files
Console verification checklist:
- Exclusion appears in Exclusions list
- Exclusion status is Active
- Scope matches intended target (Global/Site/Group)
- Mode matches requirement (Static/Interoperability/Both)
- Description contains business justification
- Affected Devices count is accurate
- Functional test passed (EICAR not detected in excluded path)
TROUBLESHOOTING
Issue: Exclusion created but still detecting threats
Symptoms: Exclusion exists in console but files in excluded path are still being flagged
Solutions:
-
Verify exclusion mode matches detection type:
- Check threat details in console: Sentinels → Threats → [Threat ID]
- Look for detection source:
- "Static AI" or "File Scanner" = Requires Static mode exclusion
- "Behavioral AI" or "Behavioral Engine" = Requires Interoperability mode exclusion
- Update exclusion to include both modes if necessary
-
Check path format and wildcards:
# Common path mistakes:
# WRONG: C:\Program Files\Acme Backup (missing trailing backslash)
# RIGHT: C:\Program Files\Acme Backup\
# WRONG: C:\Program Files\Acme Backup\* (single asterisk, not recursive)
# RIGHT: C:\Program Files\Acme Backup\** (double asterisk for recursive)
# Test if file path matches exclusion pattern (manual verification)
$excludedPath = "C:\Program Files\Acme Backup\**"
$filePath = "C:\Program Files\Acme Backup\bin\AcmeBackup.exe"
# Exclusion should cover all files under the parent directory when using **- Force agent policy refresh:
# Restart SentinelOne agent service to pull latest policy
Restart-Service -Name "SentinelAgent" -Force
# Wait 30 seconds for policy sync
Start-Sleep -Seconds 30
# Check log for policy update
Select-String -Path "C:\ProgramData\SentinelOne\Logs\Agent.log" -Pattern "policy.*received" | Select-Object -Last 5- Verify agent version supports exclusion type:
- Navigate to Sentinels → Agents → [Agent]
- Check Agent Version
- Ensure version 21.5+ for full exclusion support
- Upgrade agent if necessary
Issue: Exclusion too broad or too narrow
Symptoms: Either too many files excluded (security gap) or specific files not excluded
Solutions:
- Review and refine path specificity:
# Too broad (excludes entire Program Files):
# C:\Program Files\**
# Better (excludes only vendor directory):
# C:\Program Files\Acme Backup\**
# Most specific (excludes only executables):
# C:\Program Files\Acme Backup\*.exe
# C:\Program Files\Acme Backup\bin\*.exe-
Use hash exclusions for critical files:
- Replace broad path exclusions with specific hash exclusions
- Ensures only exact files are excluded (prevents abuse)
-
Test exclusion scope incrementally:
- Start with specific file exclusion
- Expand to folder if needed
- Document each expansion with justification
Issue: Certificate exclusion not working
Symptoms: Files signed by excluded certificate still detected
Solutions:
- Verify file is actually signed by the certificate:
# Check file signature
$signature = Get-AuthenticodeSignature -FilePath "C:\Program Files\Acme Backup\AcmeBackup.exe"
Write-Host "Signature Status: $($signature.Status)"
Write-Host "Signer Certificate Subject: $($signature.SignerCertificate.Subject)"
Write-Host "Signer Certificate Thumbprint: $($signature.SignerCertificate.Thumbprint)"
# Status should be "Valid" for certificate exclusion to work
# Subject/Thumbprint should match exclusion configuration- Check certificate chain:
- Some files signed by intermediate certificates
- Exclusion may need to target root or intermediate certificate
- Review full certificate chain:
$signature = Get-AuthenticodeSignature -FilePath "C:\Program Files\Acme Backup\AcmeBackup.exe"
$signature.SignerCertificate.Chain.ChainElements | ForEach-Object {
Write-Host "Certificate Subject: $($_.Certificate.Subject)"
Write-Host "Certificate Thumbprint: $($_.Certificate.Thumbprint)"
Write-Host "---"
}- Re-create exclusion with correct certificate identifier:
- Delete existing certificate exclusion
- Create new exclusion using exact thumbprint or subject from verification above
Issue: Exclusion not applying to specific group
Symptoms: Exclusion scoped to group but agents in group still detecting threats
Solutions:
- Verify agents are in the correct group:
# Via console: Sentinels → Agents → [Agent] → Details → Groups
# Verify group assignment matches exclusion scope-
Check group type (Static vs. Dynamic):
- Dynamic groups: Agents may not meet filter criteria
- Navigate to Sentinels → Groups → [Group] → Members
- Verify expected agents appear in member list
-
Verify exclusion scope configuration:
- Navigate to Exclusions → [Exclusion]
- Click Edit
- Verify Scope is set to correct group (not Global or wrong group)
- Save if changes needed
-
Check policy inheritance:
- Group exclusions may be overridden by site-level policies
- Review Settings → Policies for conflicting configurations
Issue: Exclusion deleted or modified by another admin
Symptoms: Previously working exclusion no longer exists or behaves differently
Solutions:
-
Review audit log:
- Navigate to Settings → Activity
- Filter by:
- Activity Type: Exclusion Created, Exclusion Modified, Exclusion Deleted
- Date Range: Recent dates
- Identify admin who made changes and reason
-
Restore exclusion from documentation:
- Use documented exclusion details (Step 1) to recreate
- Implement change control process to prevent unauthorized modifications
-
Implement role-based access control:
- Navigate to Settings → Users
- Review admin roles and permissions
- Restrict exclusion management to specific roles (Site Admin+)
Issue: Performance impact despite exclusions
Symptoms: Application still experiencing slowdowns after exclusion created
Solutions:
-
Verify both Static and Interoperability modes excluded:
- Some applications require both modes for full performance optimization
- Edit exclusion and check both mode checkboxes
-
Expand exclusion scope to include all related paths:
- Applications may read/write to multiple directories
- Add exclusions for:
- Temporary file directories
- Log directories
- Cache directories
- User profile paths
-
Monitor agent resource usage:
# Check SentinelOne agent CPU/memory usage
Get-Process | Where-Object {$_.ProcessName -like "Sentinel*"} | Select-Object ProcessName, CPU, WorkingSet | Format-Table -AutoSize
# If high usage persists, engage SentinelOne support for investigationCOMMANDS/SCRIPTS
Bulk create exclusions via API:
<#
.SYNOPSIS
Bulk creates SentinelOne path exclusions from CSV file
.DESCRIPTION
Reads CSV file containing exclusion details and creates exclusions via API
.PARAMETER CsvPath
Path to CSV file with columns: Path, Mode, Scope, Description
.PARAMETER ApiToken
SentinelOne API token (Account Admin role required)
.PARAMETER ConsoleUrl
SentinelOne console URL (e.g., https://yourtenant.sentinelone.net)
.EXAMPLE
.\Create-BulkExclusions.ps1 -CsvPath "C:\Temp\exclusions.csv" -ApiToken "abc123..." -ConsoleUrl "https://yourtenant.sentinelone.net"
#>
param(
[Parameter(Mandatory=$true)]
[string]$CsvPath,
[Parameter(Mandatory=$true)]
[string]$ApiToken,
[Parameter(Mandatory=$true)]
[string]$ConsoleUrl
)
# Load CSV
$exclusions = Import-Csv -Path $CsvPath
Write-Host "Loaded $($exclusions.Count) exclusions from CSV" -ForegroundColor Cyan
# API headers
$headers = @{
"Authorization" = "ApiToken $ApiToken"
"Content-Type" = "application/json"
}
# Process each exclusion
$results = foreach ($exclusion in $exclusions) {
Write-Host "`nCreating exclusion: $($exclusion.Path)" -ForegroundColor Yellow
# Determine mode flags
$modes = @()
if ($exclusion.Mode -match "Static") { $modes += "static" }
if ($exclusion.Mode -match "Interoperability") { $modes += "interoperability" }
# Build request body
$body = @{
data = @{
type = "path"
value = $exclusion.Path
osType = "windows"
mode = $modes
description = $exclusion.Description
}
}
# Add scope based on CSV
if ($exclusion.Scope -eq "Global") {
$body.data.scope = "account"
} elseif ($exclusion.Scope -match "Site:") {
$siteName = $exclusion.Scope -replace "Site:", ""
# Retrieve site ID by name (requires additional API call)
$sites = Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/sites" -Headers $headers -Method Get
$site = $sites.data | Where-Object {$_.name -eq $siteName}
if ($site) {
$body.data.scope = "site"
$body.data.siteIds = @($site.id)
} else {
Write-Host "[ERROR] Site not found: $siteName" -ForegroundColor Red
continue
}
}
# Create exclusion
try {
$response = Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/exclusions" -Headers $headers -Method Post -Body ($body | ConvertTo-Json -Depth 10)
[PSCustomObject]@{
Path = $exclusion.Path
Status = "Success"
ExclusionId = $response.data.id
}
Write-Host "[SUCCESS] Exclusion created: ID $($response.data.id)" -ForegroundColor Green
}
catch {
[PSCustomObject]@{
Path = $exclusion.Path
Status = "Failed"
Error = $_.Exception.Message
}
Write-Host "[ERROR] Failed to create exclusion: $($_.Exception.Message)" -ForegroundColor Red
}
}
# Summary
Write-Host "`n=== SUMMARY ===" -ForegroundColor Cyan
Write-Host "Total exclusions: $($results.Count)"
Write-Host "Successful: $(($results | Where-Object {$_.Status -eq 'Success'}).Count)"
Write-Host "Failed: $(($results | Where-Object {$_.Status -eq 'Failed'}).Count)"
# Export results
$results | Export-Csv -Path "C:\Temp\exclusion-creation-results-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv" -NoTypeInformation
Write-Host "Results saved to: C:\Temp\exclusion-creation-results-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"Example CSV format for bulk exclusions:
Path,Mode,Scope,Description
"C:\Program Files\Acme Backup\**",Static|Interoperability,Global,"Acme Backup Pro v5.2 - False positives ticket #12345"
"D:\BackupCache\**",Static,Site:Production,"Backup cache directory - performance optimization"
"C:\BuildAgent\**",Interoperability,Site:Development,"DevOps build agent - compiler exclusion"
"%USERPROFILE%\OneDrive\**",Static,Global,"OneDrive sync folder - performance"Audit and review existing exclusions:
# Retrieve all exclusions and identify potential issues
$apiToken = "your-api-token"
$consoleUrl = "https://yourtenant.sentinelone.net"
$headers = @{
"Authorization" = "ApiToken $apiToken"
"Content-Type" = "application/json"
}
# Get all exclusions
$exclusions = Invoke-RestMethod -Uri "$consoleUrl/web/api/v2.1/exclusions" -Headers $headers -Method Get
# Analyze exclusions
$analysis = foreach ($exclusion in $exclusions.data) {
$issues = @()
# Check for overly broad wildcards
if ($exclusion.value -match "^\w:\\?\*\*") {
$issues += "Overly broad: Excludes entire drive"
}
# Check for missing description
if ([string]::IsNullOrWhiteSpace($exclusion.description)) {
$issues += "Missing justification"
}
# Check for old exclusions (created > 1 year ago)
$createdDate = [DateTime]$exclusion.createdAt
if ($createdDate -lt (Get-Date).AddYears(-1)) {
$issues += "Created over 1 year ago - review if still needed"
}
[PSCustomObject]@{
ExclusionId = $exclusion.id
Type = $exclusion.type
Value = $exclusion.value
Mode = $exclusion.mode -join ", "
Scope = $exclusion.scope
Description = $exclusion.description
CreatedAt = $createdDate
Issues = ($issues -join "; ")
}
}
# Export audit report
$analysis | Export-Csv -Path "C:\Temp\SentinelOne-Exclusion-Audit-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
# Display exclusions with issues
$problematic = $analysis | Where-Object {![string]::IsNullOrWhiteSpace($_.Issues)}
Write-Host "`nFound $($problematic.Count) exclusions requiring review:" -ForegroundColor Yellow
$problematic | Format-Table -AutoSize
Write-Host "`nFull audit report saved to: C:\Temp\SentinelOne-Exclusion-Audit-$(Get-Date -Format 'yyyyMMdd').csv"