Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsStudyTraining
ProjectsChecklistsAI RankingsNewsletterStatusTagsAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Study
Training
Projects
Checklists
AI Rankings
Newsletter
Status
Tags
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

429+ Articles
114+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. HOWTOs
  3. SentinelOne Policy Configuration Best Practices
SentinelOne Policy Configuration Best Practices
HOWTOAdvanced

SentinelOne Policy Configuration Best Practices

This guide provides comprehensive best practices for configuring SentinelOne policies in MSP environments managing multiple client sites with Singularity...

Dylan H.

Security Operations

February 11, 2026
38 min read

SCENARIO

This guide provides comprehensive best practices for configuring SentinelOne policies in MSP environments managing multiple client sites with Singularity Complete. Proper policy configuration ensures optimal protection while minimizing false positives, performance impacts, and operational overhead across diverse client environments.

Use this guide when:

  • Deploying SentinelOne to new MSP clients
  • Standardizing policy configurations across client sites
  • Optimizing policies after initial deployment
  • Troubleshooting false positives or performance issues
  • Training team members on policy management
  • Creating client-specific policy templates
  • Balancing security requirements with operational needs

Target Audience: MSP security engineers, SOC analysts, and technical account managers

Reference Documentation:

  • SentinelOne Policy Management
  • SentinelOne API Documentation
  • HOWTO- SentinelOne MSP Client Onboarding
  • HOWTO- SentinelOne Create and Manage Exclusion Policies

REQUIREMENTS & ASSUMPTIONS

Prerequisites

Console Access:

  • SentinelOne Management Console access with Admin or Site Admin role
  • Multi-tenant console configured for MSP operations
  • API key with policy management permissions (for automation)

Knowledge Requirements:

  • Understanding of endpoint security concepts (EPP/EDR)
  • Familiarity with SentinelOne console navigation
  • Basic understanding of Windows/Linux/macOS security architecture
  • Knowledge of common enterprise applications and their behaviors

Assumed Environment

  • SentinelOne Singularity Complete SKU deployed
  • MSP multi-tenant console structure established
  • Agent version 22.x or later (current GA release recommended)
  • Clients segmented by Site in console hierarchy

POLICY ARCHITECTURE

Policy Hierarchy Overview

SentinelOne uses a hierarchical policy inheritance model that allows MSPs to establish baseline configurations while maintaining flexibility for client-specific requirements.

┌─────────────────────────────────────────────────────────────────┐
│                    ACCOUNT (MSP Level)                          │
│  • Global baseline settings                                     │
│  • Applies to ALL sites unless overridden                       │
│  • Managed by MSP security team                                 │
├─────────────────────────────────────────────────────────────────┤
│                        ↓ Inherits                               │
├─────────────────────────────────────────────────────────────────┤
│                    SITE (Client Level)                          │
│  • Client-specific overrides                                    │
│  • Compliance requirements                                      │
│  • Business-specific configurations                             │
│  • Managed by MSP with client input                             │
├─────────────────────────────────────────────────────────────────┤
│                        ↓ Inherits                               │
├─────────────────────────────────────────────────────────────────┤
│                    GROUP (Endpoint Type)                        │
│  • Workstations, Servers, VDI, etc.                             │
│  • Role-specific settings                                       │
│  • Most granular control level                                  │
└─────────────────────────────────────────────────────────────────┘

Policy Inheritance Model

How Inheritance Works:

LevelScopeOverride Capability
AccountAll sites and groupsCannot override - sets baseline
SiteAll groups within siteCan override Account settings
GroupSpecific endpointsCan override Site and Account settings

Inheritance Rules:

  1. Lower-level policies override higher-level settings
  2. Settings not explicitly defined inherit from parent level
  3. Exclusions aggregate (don't override) across levels
  4. Some settings can be "locked" to prevent lower-level override

Example Inheritance:

Account Policy: Network Quarantine = Disabled
    ↓
Site Policy: Network Quarantine = (not set - inherits Disabled)
    ↓
Group "Workstations": Network Quarantine = Enabled (override)
Group "Servers": Network Quarantine = (inherits Disabled)

When to Use Each Policy Level

LevelUse ForExamples
AccountUniversal MSP standardsAnti-tamper enabled, Cloud Intelligence enabled, Base detection engines
SiteClient-specific requirementsCompliance settings, notification preferences, client-specific exclusions
GroupEndpoint-type configurationsServer vs workstation settings, VDI optimizations, high-security groups

MSP Multi-Tenant Policy Strategy

Recommended Structure:

MSP Account
├── Account Policy (MSP Baseline)
│   • Core protection settings
│   • Anti-tamper enabled
│   • Cloud validation enabled
│   • Basic engine configuration
│
├── Site: Client-A (Healthcare)
│   ├── Site Policy (HIPAA compliance)
│   ├── Group: Workstations (Standard)
│   ├── Group: Servers (Healthcare apps)
│   ├── Group: Executives (Enhanced)
│   └── Group: Clinical (Medical devices)
│
├── Site: Client-B (Finance)
│   ├── Site Policy (PCI-DSS compliance)
│   ├── Group: Workstations (Standard)
│   ├── Group: Servers (Transaction systems)
│   ├── Group: Trading (High-speed requirements)
│   └── Group: ATM/Kiosk (Locked-down)
│
└── Site: Client-C (Standard SMB)
    ├── Site Policy (Standard protection)
    ├── Group: Workstations
    ├── Group: Servers
    └── Group: Remote Workers

Best Practices for Multi-Tenant Management:

  1. Standardize at Account Level:

    • Set protective defaults that apply universally
    • Enable all detection engines at Account level
    • Configure anti-tamper with strong passphrase

  2. Customize at Site Level:

    • Apply compliance-specific settings (HIPAA, PCI, SOC2)
    • Configure notification recipients per client
    • Add client-specific exclusions

  3. Optimize at Group Level:

    • Tailor settings for endpoint roles
    • Balance security vs performance per use case
    • Enable/disable features based on endpoint type

ENGINE CONFIGURATION

Detection Engine Overview

SentinelOne employs multiple detection engines that work in concert to identify threats:

┌─────────────────────────────────────────────────────────────────┐
│                    DETECTION ENGINES                            │
├─────────────────────┬───────────────────────────────────────────┤
│ Pre-Execution       │ Post-Execution                            │
├─────────────────────┼───────────────────────────────────────────┤
│ • Static AI         │ • Behavioral AI                           │
│ • Cloud Intelligence│ • Documents & Macros                      │
│ • Reputation        │ • Scripts Detection                       │
│                     │ • Lateral Movement                        │
│                     │ • Anti-Exploitation                       │
│                     │ • Fileless Attack Detection               │
└─────────────────────┴───────────────────────────────────────────┘

Static AI Engine Settings

Purpose: Pre-execution analysis of files using machine learning models to identify malware before execution.

Configuration Options:

SettingOptionsRecommendedNotes
Detection LevelOff, Low, Medium, HighHighHigher = more sensitive, more potential FPs
On-Write ScanDisabled, EnabledEnabledScans files when written to disk
On-Demand ScanDisabled, EnabledEnabledAllows manual/scheduled scans
Cloud ValidationDisabled, EnabledEnabledValidates verdicts with cloud intelligence

Recommended Configuration:

Static AI Engine:
  Detection Level: High
  On-Write Scan: Enabled
  On-Demand Scan: Enabled
  Cloud Validation: Enabled
 
  # Environment-specific adjustments:
  Development Workstations: Medium (reduces FPs on compiled code)
  Production Servers: High
  Standard Workstations: High

Behavioral AI Engine Settings

Purpose: Runtime behavior monitoring to detect malicious actions regardless of file reputation.

Configuration Options:

SettingOptionsRecommendedNotes
Detection LevelOff, Low, Medium, HighHighMonitors process behaviors
Process HollowingDisabled, EnabledEnabledDetects process injection
Shellcode InjectionDisabled, EnabledEnabledDetects in-memory attacks
Credential TheftDisabled, EnabledEnabledMonitors LSASS access

Recommended Configuration:

Behavioral AI Engine:
  Detection Level: High
  Process Hollowing Detection: Enabled
  Shellcode Injection Detection: Enabled
  Credential Theft Detection: Enabled
 
  # High-performance environments may need:
  Database Servers: Consider process exclusions for DB engines
  High-Frequency Trading: Evaluate Interoperability exclusions

Document & Macro Detection

Purpose: Detects malicious Office documents, PDFs, and macro-based attacks.

Configuration:

SettingOptionsRecommendedNotes
Document AnalysisDisabled, EnabledEnabledScans Office docs, PDFs
Macro DetectionOff, Suspicious, AllSuspiciousBalance security/usability
OLE Object DetectionDisabled, EnabledEnabledEmbedded object analysis

Recommended by Environment:

EnvironmentMacro SettingRationale
Standard OfficeSuspiciousBlocks known-bad, allows business macros
Financial/AccountingSuspiciousMany legitimate Excel macros
High SecurityAllMaximum protection, requires exclusions
DevelopmentSuspiciousMay generate macro-like code

Script Detection (PowerShell, VBS, etc.)

Purpose: Monitors and detects malicious script execution across scripting engines.

Supported Script Types:

  • PowerShell (.ps1, encoded commands)
  • VBScript (.vbs, .vbe)
  • JavaScript/JScript (.js, .jse)
  • Windows Script Host (.wsf, .wsh)
  • Batch files (.bat, .cmd)
  • Python, Perl, Ruby (if engines installed)

Configuration:

SettingOptionsRecommendedNotes
Script DetectionDisabled, EnabledEnabledMonitor all script execution
Encoded Script DetectionDisabled, EnabledEnabledCritical for PowerShell attacks
Script Content LoggingDisabled, EnabledEnabledRecords script contents in Deep Visibility

Recommended Configuration:

Script Detection:
  Enable Script Monitoring: True
  Encoded Command Detection: True
  Script Content Logging: True
 
  # PowerShell-specific:
  Constrained Language Mode Bypass: Detect
  AMSI Bypass Attempts: Detect
 
  # Exclusions typically needed:
  - RMM agent scripts (Ninja, Datto, CW)
  - Configuration management (Intune, SCCM)
  - Legitimate automation frameworks

Lateral Movement Detection

Purpose: Detects attacker movement between systems using remote execution techniques.

Detection Capabilities:

TechniqueDetection Method
PsExecProcess and service creation patterns
WMI Remote ExecutionWMIC.exe and wmiprvse.exe monitoring
Remote PowerShellWSMan connections and process patterns
RDP HijackingSession enumeration and injection
Pass-the-HashNTLM authentication anomalies
DCSyncReplication request monitoring

Configuration:

SettingRecommendedNotes
Lateral Movement DetectionEnabledCore capability
Network Discovery DetectionEnabledDetects reconnaissance
Admin Tool MonitoringEnabledMonitors PsExec, WMI, etc.

Server-Specific Considerations:

Domain Controllers:
  # Higher sensitivity for DC-specific attacks
  DCSync Detection: Enabled
  Replication Monitoring: Enabled
 
  # May need exclusions for:
  - Legitimate AD replication
  - Authorized admin tools
  - Monitoring agents

Recommended Detection Levels by Environment

Environment TypeStatic AIBehavioral AIScriptsMacrosLateral Movement
Standard WorkstationHighHighEnabledSuspiciousEnabled
Executive/VIPHighHighEnabledAllEnabled
Development WorkstationMediumMediumEnabledSuspiciousEnabled
Production ServerHighHighEnabledSuspiciousEnabled
Database ServerHighMedium*EnabledOffEnabled
Domain ControllerHighHighEnabledOffEnabled
Terminal Server/VDIHighHighEnabledSuspiciousEnabled
High-Security/ComplianceHighHighEnabledAllEnabled

*With appropriate exclusions for database processes

PROTECTION SETTINGS

Mitigation Modes

SentinelOne offers three primary mitigation modes that control how the agent responds to detected threats:

┌─────────────────────────────────────────────────────────────────┐
│                    MITIGATION MODES                             │
├───────────────┬─────────────────┬───────────────────────────────┤
│    DETECT     │     PROTECT     │    PROTECT + KILL             │
│               │                 │                               │
│ • Alert only  │ • Alert         │ • Alert                       │
│ • No action   │ • Quarantine    │ • Kill process                │
│ • Manual      │ • Auto-remediate│ • Quarantine                  │
│   response    │                 │ • Auto-remediate              │
│               │                 │ • Most aggressive             │
├───────────────┼─────────────────┼───────────────────────────────┤
│ Use for:      │ Use for:        │ Use for:                      │
│ • Initial     │ • Production    │ • High-security               │
│   deployment  │ • Standard      │ • Known-good                  │
│ • Testing     │   operations    │   environments                │
│ • Validation  │ • Most clients  │ • Post-tuning                 │
└───────────────┴─────────────────┴───────────────────────────────┘

Mode Comparison:

ModeAlertsKills ProcessQuarantinesRemediatesRisk Level
DetectYesNoNoNoLow intervention
ProtectYesNoYesYesBalanced
Protect + KillYesYesYesYesAggressive

Recommended Mode by Scenario:

ScenarioModeRationale
First 2 weeks of deploymentDetectIdentify false positives
Production workstationsProtectBalance security/stability
Production servers (critical)ProtectAvoid unexpected process kills
Production servers (standard)Protect + KillMaximum protection
High-security environmentsProtect + KillZero tolerance
Development workstationsProtectMay trigger on legitimate tools

Auto-Mitigation Settings

Configuration Options:

SettingOptionsRecommendedNotes
ThreatsDetect, Protect, Protect+KillProtectFor confirmed threats
SuspiciousDetect, ProtectDetectHigher FP rate, monitor first
PUPsDetect, ProtectDetectPotentially unwanted programs

Recommended Configuration:

Auto-Mitigation Settings:
  Threats (Malicious):
    Action: Protect (Quarantine + Remediate)
    Auto-Resolve: After 72 hours if no user action
 
  Suspicious:
    Action: Detect (Alert only)
    Reason: Higher false positive rate
    Review: Daily by SOC
 
  PUPs (Potentially Unwanted):
    Action: Detect
    Reason: Business may use these tools
    Examples: Remote admin tools, password utilities

Network Quarantine Settings

Purpose: Isolates compromised endpoints from the network while maintaining console connectivity.

How It Works:

Normal State:
  Endpoint ←→ Network ←→ Internet ←→ S1 Console

Network Quarantine:
  Endpoint ←X→ Network
     ↓
  Only allowed: S1 Console communication

Configuration:

SettingOptionsRecommended
Enable Network QuarantineYes/NoYes (workstations)
Auto-Quarantine on ThreatYes/NoYes for high-severity
Allow DNSYes/NoNo (security)
Allow DHCPYes/NoNo (security)
Custom Allowed IPsIP listS1 console IPs only

Recommended by Endpoint Type:

Endpoint TypeNetwork QuarantineAuto-QuarantineNotes
WorkstationsEnabledOn High/CriticalStandard protection
Laptops/RemoteEnabledOn High/CriticalCritical for remote workers
Standard ServersDisabledManual onlyAvoid service disruption
Critical ServersDisabledManual onlyRequires change management
Domain ControllersDisabledNever autoCould break AD
Database ServersDisabledManual onlyApplication impact

Server Warning:

⚠️ CAUTION: Network quarantine on servers can cause:
- Service outages
- Application failures
- Dependent system failures
- Loss of management access

Always use manual quarantine with change control for servers.

Ransomware Protection Settings

Purpose: Specialized detection and recovery capabilities for ransomware attacks.

Key Features:

FeatureDescriptionRecommendation
Shadow Copy ProtectionPrevents ransomware from deleting VSSEnabled
Ransomware Canary FilesMonitors decoy files for encryptionEnabled
Behavioral Ransomware DetectionIdentifies encryption patternsEnabled
1-Click RollbackRestores encrypted files from VSSEnabled (Complete)

Configuration:

Ransomware Protection:
  Shadow Copy Protection: Enabled
  Canary Files: Enabled
  Behavioral Detection: Enabled
 
  # Complete SKU only:
  1-Click Rollback: Enabled
  VSS Snapshot Retention: Maximum available
 
  # Windows VSS Requirements:
  - Volume Shadow Copy service must be running
  - Sufficient disk space for snapshots
  - System Protection enabled on volumes

VSS Verification Script:

# Verify VSS is configured for ransomware rollback
function Test-VSSConfiguration {
    $results = @{
        VSSService = (Get-Service -Name VSS).Status
        SystemProtection = @()
        ShadowStorageSize = @()
    }
 
    # Check System Protection status per volume
    Get-WmiObject -Class Win32_Volume | Where-Object { $_.DriveLetter } | ForEach-Object {
        $drive = $_.DriveLetter
        $protection = vssadmin list shadowstorage 2>$null | Select-String $drive
 
        if ($protection) {
            $results.SystemProtection += "$drive : Enabled"
        } else {
            $results.SystemProtection += "$drive : Not configured"
        }
    }
 
    return $results
}
 
Test-VSSConfiguration

Anti-Tampering Configuration

Purpose: Prevents unauthorized modification or removal of the SentinelOne agent.

Protection Scope:

  • Agent service stop/disable
  • Agent file deletion/modification
  • Registry key changes
  • Driver unload attempts
  • Process termination

Configuration:

SettingOptionsRecommended
Anti-Tamper ProtectionEnabled/DisabledEnabled
Passphrase RequiredYes/NoYes
Passphrase ComplexitySimple/ComplexComplex
Local Upgrade AllowedYes/NoNo

Passphrase Best Practices:

Anti-Tamper Configuration:
  Protection: Enabled
  Passphrase Required: Yes
 
  # Passphrase Strategy:
  Account Level: Master passphrase (MSP only)
  Site Level: Client-specific passphrase (optional)
 
  # Storage:
  - Store in password manager (1Password, IT Glue)
  - Document in client runbook
  - Never share via email or chat
 
  # Passphrase Format (recommended):
  [ClientCode]-[RandomString]-[Year]
  Example: ACME-K9xP2mQ7-2026

Retrieving Anti-Tamper Passphrase:

# Via API - get passphrase for agent uninstallation
$apiToken = "YOUR_API_TOKEN"
$consoleUrl = "https://yourtenant.sentinelone.net"
$agentId = "AGENT_ID"
 
$headers = @{
    "Authorization" = "ApiToken $apiToken"
    "Content-Type" = "application/json"
}
 
$response = Invoke-RestMethod -Uri "$consoleUrl/web/api/v2.1/agents/$agentId/passphrases" -Headers $headers -Method GET
 
Write-Host "Uninstall Passphrase: $($response.data.uninstallPassword)"

DEEP VISIBILITY SETTINGS (Complete Feature)

Data Collection Overview

Deep Visibility is SentinelOne's EDR telemetry engine that captures comprehensive endpoint activity for threat hunting and forensic investigation.

Data Types Collected:

CategoryData Points
ProcessCreation, termination, command lines, parent/child
FileCreate, modify, delete, rename, hash
NetworkConnections, DNS queries, ports, protocols
RegistryKey/value changes (Windows)
LoginUser sessions, authentication events
ModuleDLL loads, driver loads
Cross-ProcessInjection, handle operations
IndicatorsThreat indicators, IOC matches

Data Collection Levels

LevelData CollectedStorage ImpactUse Case
OffNoneNoneNot recommended
LowThreats + related eventsMinimalBasic compliance
MediumAbove + suspicious activityModerateStandard clients
FullAll endpoint telemetryHighThreat hunting, investigations

Recommended Configuration:

Deep Visibility Settings:
  Collection Level: Full
 
  # Justification:
  # - Complete SKU includes full DV capability
  # - Enables proactive threat hunting
  # - Required for Purple AI effectiveness
  # - Essential for incident investigation
 
  # If performance concerns exist:
  # - Review high-I/O exclusions first
  # - Consider reducing on specific groups only

Retention Settings

Available Options:

Retention PeriodUse CaseCost Consideration
14 daysStandardIncluded with Complete
30 daysExtended investigationsAdditional cost
90 daysCompliance requirementsAdditional cost
365 daysRegulatory/legal holdAdditional cost

Recommended by Client Type:

Client TypeRetentionRationale
Standard SMB14 daysAdequate for most investigations
Healthcare (HIPAA)30-90 daysBreach investigation requirements
Financial (PCI)30-90 daysCompliance investigation needs
Legal/Government90-365 daysLegal hold requirements
High-Security90 days minimumExtended threat hunting

Performance Impact Considerations

Factors Affecting Performance:

FactorImpactMitigation
Collection LevelHigher = more CPU/disk I/OReduce on constrained systems
File Activity VolumeMore writes = more loggingExclude high-I/O paths
Network ActivityMany connections = more dataEvaluate necessity
Process ChurnFrequent spawns = more eventsNormal for some apps

Performance Optimization:

Deep Visibility Performance Tuning:
 
High-I/O Systems (Databases, File Servers):
  # Add Interoperability exclusions for:
  - Database data files (.mdf, .ldf, .ibd)
  - Database transaction logs
  - Backup staging directories
  - Large file processing directories
 
Terminal Servers/VDI:
  # Consider:
  - Excluding user profile temp directories
  - Excluding roaming profile paths
  - Reducing collection for user processes
 
Development Workstations:
  # Exclude:
  - Build output directories
  - Package cache directories (npm, nuget)
  - IDE index/cache folders

What to Enable/Disable by Client Type

Client TypeProcessFileNetworkRegistryDNSRecommendation
StandardFullFullFullFullFullDefault - all enabled
Performance-SensitiveFullMediumFullFullFullReduce file monitoring
Database ServerFullSelective*FullFullFullExclude DB files
Terminal ServerFullMediumFullMediumFullReduce user activity
Air-GappedFullFullMediumFullOffLimited network value

*Use Interoperability exclusions rather than disabling collection

EXCLUSION MANAGEMENT

When to Use Exclusions

Legitimate Reasons for Exclusions:

ReasonExampleExclusion Type
Vendor-documented conflictsSQL Server recommendationsPath
Confirmed false positivesInternal application flaggedHash (most secure)
Performance issuesBackup software slowdownPath + Interoperability
Legitimate admin toolsRMM agentsCertificate or Hash
Build/development toolsCompilers, IDEsPath

When NOT to Use Exclusions:

ScenarioWhy NotAlternative
"It's blocking everything"Overly broad, insecureInvestigate root cause
"User doesn't want alerts"Security riskUser education
"Application vendor said to"Verify necessityRequest specific KB article
"We've always excluded this"May be outdatedAudit and validate

Hash vs Path vs Certificate Exclusions

Comparison:

TypeSecurityMaintenanceScopeBest For
HashHighestHigh (update on changes)Single fileCritical executables
PathMediumLowDirectory/filesApplication directories
CertificateMediumLowAll signed filesVendor applications

Decision Matrix:

Is the file signed by a trusted vendor?
├── Yes → Use Certificate exclusion (vendor-wide)
│         Exception: If only excluding specific app, use Path
│
└── No → Does the file change frequently?
         ├── Yes → Use Path exclusion
         │         (Hash would require constant updates)
         │
         └── No → Use Hash exclusion (most secure)
                   (Specific file, version-locked)

Application-Specific Exclusions

RMM Tools

NinjaRMM:

Exclusion Type: Path + Interoperability
Paths:
  - C:\ProgramData\NinjaRMMAgent\**
  - C:\Program Files\NinjaRemote\**
Processes:
  - NinjaRMMAgent.exe
  - NinjaRemote.exe
Include Child Processes: Yes
Scope: Account (Global)

Datto RMM:

Exclusion Type: Path + Interoperability
Paths:
  - C:\Program Files\CentraStage\**
  - C:\ProgramData\CentraStage\**
Processes:
  - CagService.exe
  - AEMAgent.exe
Include Child Processes: Yes
Scope: Account (Global)

ConnectWise Automate:

Exclusion Type: Path + Interoperability
Paths:
  - C:\Windows\LTSvc\**
  - C:\Windows\LTSVC\**
Processes:
  - LTService.exe
  - LTTray.exe
Include Child Processes: Yes
Scope: Account (Global)

Backup Software

Veeam:

Exclusion Type: Path + Interoperability
Paths:
  - C:\Program Files\Veeam\**
  - C:\Program Files (x86)\Veeam\**
  - <Backup Repository Paths>\**
Processes:
  - VeeamAgent.exe
  - Veeam.Backup.Service.exe
  - VeeamDeploymentSvc.exe
Include Child Processes: Yes
Scope: Site (where Veeam deployed)

Datto BCDR:

Exclusion Type: Path + Interoperability
Paths:
  - C:\Program Files\Datto\**
  - C:\DattoDrivers\**
Processes:
  - DattoBackupAgent.exe
  - ShadowSnap.exe
Include Child Processes: Yes
Scope: Site (where Datto deployed)

Acronis:

Exclusion Type: Path + Interoperability
Paths:
  - C:\Program Files\Acronis\**
  - C:\ProgramData\Acronis\**
Processes:
  - AcronisCyberProtectionService.exe
  - AcronisAgent.exe
Include Child Processes: Yes
Scope: Site (where Acronis deployed)

Business Applications

Microsoft SQL Server:

Exclusion Type: Path + Interoperability (Static + Behavioral)
Paths:
  - C:\Program Files\Microsoft SQL Server\**
  - D:\SQLData\**  # Adjust to actual data location
  - E:\SQLLogs\**  # Adjust to actual log location
  - F:\SQLBackups\**  # Adjust to backup location
Processes:
  - sqlservr.exe
  - sqlagent.exe
  - sqlwriter.exe
Include Child Processes: Yes
Extensions:
  - .mdf
  - .ldf
  - .ndf
Scope: Group (SQL Servers)
Reference: Microsoft KB article

QuickBooks:

Exclusion Type: Path + Interoperability
Paths:
  - C:\Program Files\Intuit\**
  - C:\Program Files (x86)\Intuit\**
  - C:\Users\Public\Documents\Intuit\**
  - C:\ProgramData\Intuit\**
Processes:
  - QBW32.exe
  - QBDBMgrN.exe
  - QBCFMonitorService.exe
Include Child Processes: Yes
Scope: Site (accounting clients)

AutoCAD:

Exclusion Type: Path + Interoperability
Paths:
  - C:\Program Files\Autodesk\**
  - C:\Users\*\AppData\Local\Autodesk\**
  - C:\Users\*\AppData\Roaming\Autodesk\**
Processes:
  - acad.exe
  - AdskLicensingService.exe
Include Child Processes: Yes
Scope: Site (CAD users)

Documenting and Auditing Exclusions

Required Documentation for Each Exclusion:

Exclusion Documentation Template:
  ID: EXC-2026-001
  Created: 2026-01-08
  Created By: [Analyst Name]
 
  Application:
    Name: Acme Backup Pro
    Version: 5.2.1
    Vendor: Acme Corporation
 
  Exclusion Details:
    Type: Path
    Value: C:\Program Files\Acme Backup\**
    Mode: Static + Interoperability
    Scope: Site - Client-ABC
 
  Justification:
    Issue: False positive detections during backup operations
    Threat IDs: TH-123456, TH-123457
    Business Impact: Nightly backups failing, data protection risk
 
  Risk Assessment:
    Risk Level: Low
    Signed Binary: Yes
    Vendor Reputation: Established (10+ years)
    Attack Surface: Limited (backup operations only)
 
  Approval:
    Ticket: TICK-12345
    Approved By: [Security Lead]
    Approval Date: 2026-01-08
 
  Review Schedule:
    Next Review: 2026-07-08 (6 months)
    Review Owner: [Analyst Name]

Quarterly Exclusion Audit Process:

# Exclusion Audit Script
$apiToken = "YOUR_API_TOKEN"
$consoleUrl = "https://yourtenant.sentinelone.net"
 
$headers = @{
    "Authorization" = "ApiToken $apiToken"
    "Content-Type" = "application/json"
}
 
# Get all exclusions
$exclusions = Invoke-RestMethod -Uri "$consoleUrl/web/api/v2.1/exclusions?limit=1000" -Headers $headers
 
# Audit criteria
$auditResults = foreach ($exc in $exclusions.data) {
    $issues = @()
 
    # Check for overly broad paths
    if ($exc.value -match "^[A-Z]:\\\*\*$" -or $exc.value -match "^[A-Z]:\\$") {
        $issues += "CRITICAL: Entire drive excluded"
    }
 
    # Check for missing description
    if ([string]::IsNullOrWhiteSpace($exc.description)) {
        $issues += "Missing documentation/justification"
    }
 
    # Check age
    $created = [DateTime]$exc.createdAt
    if ($created -lt (Get-Date).AddMonths(-6)) {
        $issues += "Older than 6 months - review needed"
    }
 
    # Check for wildcard abuse
    if (($exc.value -split '\*\*').Count -gt 3) {
        $issues += "Excessive wildcards - may be too broad"
    }
 
    [PSCustomObject]@{
        Id = $exc.id
        Type = $exc.type
        Value = $exc.value
        Scope = $exc.scope
        Mode = ($exc.modes -join ", ")
        Created = $created
        Description = $exc.description
        Issues = ($issues -join "; ")
        NeedsReview = $issues.Count -gt 0
    }
}
 
# Export audit report
$auditResults | Export-Csv "SentinelOne-Exclusion-Audit-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
 
# Summary
$needsReview = ($auditResults | Where-Object { $_.NeedsReview }).Count
Write-Host "`n=== Exclusion Audit Summary ==="
Write-Host "Total Exclusions: $($auditResults.Count)"
Write-Host "Needs Review: $needsReview" -ForegroundColor $(if($needsReview -gt 0){"Yellow"}else{"Green"})
Write-Host "Report saved to: SentinelOne-Exclusion-Audit-$(Get-Date -Format 'yyyyMMdd').csv"

CLIENT-SPECIFIC POLICY TEMPLATES

Workstation Policy Template

Scope: Standard end-user workstations

# Workstation Policy Template
# Scope: Standard Windows workstations
# Target: Group "Workstations"
 
Detection Engines:
  Static AI: High
  Behavioral AI: High
  Documents & Macros: Suspicious
  Scripts: Enabled
  Lateral Movement: Enabled
  Anti-Exploitation: Enabled
 
Protection Mode:
  Engine Mode: Protect
  Mitigation Mode: Protect
  # After 2-week tuning period: Protect + Kill
 
Automated Actions:
  Threats (Malicious): Kill, Quarantine, Remediate
  Suspicious: Alert Only
  PUPs: Alert Only
 
Network Controls:
  Network Quarantine: Enabled
  Auto-Quarantine: On High/Critical Threats
  Firewall Control: Enabled
  Device Control: Enabled
 
Deep Visibility (Complete):
  Collection: Full
  Retention: 14 days
  Process Tracking: Enabled
  File Tracking: Enabled
  Network Tracking: Enabled
 
Remote Operations (Complete):
  Remote Shell: Disabled
  File Fetch: Enabled
  Require Approval: N/A
 
Agent Settings:
  Anti-Tamper: Enabled
  Show Tray Icon: Yes
  User Notifications: Enabled
  Local Upgrade: Disabled
  Local Uninstall: Disabled
 
Ransomware Protection:
  VSS Protection: Enabled
  Rollback: Enabled
  Canary Files: Enabled

Server Policy Template

Scope: Production Windows/Linux servers

# Server Policy Template
# Scope: Production servers (non-DC)
# Target: Group "Servers"
 
Detection Engines:
  Static AI: High
  Behavioral AI: High
  Documents & Macros: Suspicious
  Scripts: Enabled
  Lateral Movement: Enabled
  Anti-Exploitation: Enabled
 
Protection Mode:
  Engine Mode: Protect
  Mitigation Mode: Protect
  # Consider: Protect + Kill after thorough testing
 
Automated Actions:
  Threats (Malicious): Quarantine, Remediate
  # Note: Kill disabled to prevent service disruption
  Suspicious: Alert Only
  PUPs: Alert Only
 
Network Controls:
  Network Quarantine: DISABLED
  # Warning: Auto-quarantine can cause service outages
  Auto-Quarantine: Disabled
  Firewall Control: Enabled
  Device Control: Disabled (servers rarely use USB)
 
Deep Visibility (Complete):
  Collection: Full
  Retention: 14 days
  Process Tracking: Enabled
  File Tracking: Enabled
  Network Tracking: Enabled
 
Remote Operations (Complete):
  Remote Shell: Enabled
  File Fetch: Enabled
  Require Approval: Optional (based on client policy)
  Session Timeout: 30 minutes
 
Agent Settings:
  Anti-Tamper: Enabled
  Show Tray Icon: No (server, no interactive user)
  User Notifications: Disabled
  Local Upgrade: Disabled
  Local Uninstall: Disabled
 
Ransomware Protection:
  VSS Protection: Enabled
  Rollback: Enabled
  Canary Files: Enabled
 
# Server-Specific Exclusions (add as needed):
Recommended Exclusions:
  - Database data/log files (if SQL Server)
  - Backup staging directories
  - Application-specific high-I/O paths
  - Cluster shared volumes (if applicable)

VDI/Terminal Server Policy

Scope: Remote Desktop Services, Citrix, VMware Horizon

# VDI/Terminal Server Policy Template
# Scope: Multi-user session hosts
# Target: Group "Terminal Servers" or "VDI"
 
Detection Engines:
  Static AI: High
  Behavioral AI: High
  Documents & Macros: Suspicious
  Scripts: Enabled
  Lateral Movement: Enabled
  Anti-Exploitation: Enabled
 
Protection Mode:
  Engine Mode: Protect
  Mitigation Mode: Protect
  # Note: Protect + Kill may affect multiple users
 
Automated Actions:
  Threats (Malicious): Kill, Quarantine, Remediate
  Suspicious: Alert Only
  PUPs: Alert Only
 
Network Controls:
  Network Quarantine: DISABLED
  # Critical: Would disconnect all users
  Auto-Quarantine: Disabled
  Firewall Control: Enabled
  Device Control: Policy-based (USB redirection)
 
Deep Visibility (Complete):
  Collection: Full
  Retention: 14 days
  Process Tracking: Enabled
  File Tracking: Medium (performance consideration)
  Network Tracking: Enabled
 
Remote Operations (Complete):
  Remote Shell: Enabled
  File Fetch: Enabled
  Require Approval: Yes (multiple users affected)
  Session Timeout: 30 minutes
 
Agent Settings:
  Anti-Tamper: Enabled
  Show Tray Icon: No (multi-user, confusing)
  User Notifications: Disabled (or Per-Session)
  Local Upgrade: Disabled
  Local Uninstall: Disabled
 
Performance Optimizations:
  # VDI-specific exclusions
  Exclusions:
    - User profile temp directories
    - FSLogix profile containers
    - Citrix AppLayering cache
    - VMware AppVolumes paths
 
  Paths to Consider:
    - C:\Users\*\AppData\Local\Temp\**
    - D:\FSLogix\**  (if using FSLogix)
    - C:\ProgramData\Citrix\**
    - C:\SnapVolumes\** (AppVolumes)
 
# Golden Image Considerations:
VDI Golden Image:
  - Install agent in golden image
  - Configure for non-persistent VDI if applicable
  - Use unique machine IDs (clone support)

High-Security Environment Policy

Scope: Compliance-regulated, high-value targets, executive systems

# High-Security Policy Template
# Scope: Compliance (HIPAA, PCI, SOC2), executives, sensitive data
# Target: Group "High-Security" or "Executives"
 
Detection Engines:
  Static AI: High
  Behavioral AI: High
  Documents & Macros: ALL (block all unknown macros)
  Scripts: Enabled (with logging)
  Lateral Movement: Enabled
  Anti-Exploitation: Enabled
 
Protection Mode:
  Engine Mode: Protect
  Mitigation Mode: Protect + Kill
  # Maximum protection, minimal tolerance
 
Automated Actions:
  Threats (Malicious): Kill, Quarantine, Remediate
  Suspicious: Kill, Quarantine  # More aggressive
  PUPs: Quarantine
 
Network Controls:
  Network Quarantine: Enabled
  Auto-Quarantine: On ALL Threats (not just High/Critical)
  Firewall Control: Enabled
  Device Control: Strict (block unauthorized USB)
 
Deep Visibility (Complete):
  Collection: Full
  Retention: 90 days (compliance requirement)
  Process Tracking: Enabled
  File Tracking: Full
  Network Tracking: Full
  DNS Logging: Enabled
 
Remote Operations (Complete):
  Remote Shell: Disabled (workstations) / Approval Required (servers)
  File Fetch: Enabled
  Require Approval: Always
  Session Timeout: 15 minutes (shorter)
 
Agent Settings:
  Anti-Tamper: Enabled (strong passphrase)
  Show Tray Icon: Yes
  User Notifications: Enabled (user awareness)
  Local Upgrade: Disabled
  Local Uninstall: Disabled
 
Ransomware Protection:
  VSS Protection: Enabled
  Rollback: Enabled
  Canary Files: Enabled
 
Additional STAR Rules (Complete):
  # Enable additional custom rules for:
  - Data exfiltration patterns
  - Unauthorized cloud storage access
  - Sensitive file access monitoring
  - After-hours activity alerts
 
Compliance Specific:
  HIPAA:
    - Extended retention (90+ days)
    - PHI file access monitoring
    - Audit log export to SIEM
 
  PCI-DSS:
    - Cardholder data environment isolation
    - Network segmentation enforcement
    - Quarterly scan requirements
 
  SOC2:
    - Full audit trails
    - Change management logging
    - Incident response documentation

Development Workstation Policy

Scope: Software developers, DevOps, IT engineers

# Development Workstation Policy Template
# Scope: Developer workstations, build systems
# Target: Group "Developers" or "IT Engineering"
 
Detection Engines:
  Static AI: Medium  # Reduced to avoid FPs on compiled code
  Behavioral AI: Medium
  Documents & Macros: Suspicious
  Scripts: Enabled (many legitimate scripts)
  Lateral Movement: Enabled
  Anti-Exploitation: Enabled
 
Protection Mode:
  Engine Mode: Protect
  Mitigation Mode: Protect
  # Note: Protect + Kill may interrupt builds
 
Automated Actions:
  Threats (Malicious): Quarantine, Remediate
  # Kill disabled to avoid interrupting long-running processes
  Suspicious: Alert Only
  PUPs: Alert Only (dev tools may trigger)
 
Network Controls:
  Network Quarantine: Enabled
  Auto-Quarantine: On High/Critical only
  Firewall Control: Enabled
  Device Control: Permissive (dev devices)
 
Deep Visibility (Complete):
  Collection: Full
  Retention: 14 days
  Process Tracking: Enabled
  File Tracking: Medium (high file churn)
  Network Tracking: Enabled
 
Remote Operations (Complete):
  Remote Shell: Enabled
  File Fetch: Enabled
  Require Approval: No (IT users)
  Session Timeout: 60 minutes
 
Agent Settings:
  Anti-Tamper: Enabled
  Show Tray Icon: Yes
  User Notifications: Enabled
  Local Upgrade: Disabled
  Local Uninstall: Disabled
 
# Development-Specific Exclusions (REQUIRED)
Exclusions:
  Build Directories:
    - C:\Users\*\source\repos\**\bin\**
    - C:\Users\*\source\repos\**\obj\**
    - C:\Projects\**\bin\**
    - C:\Projects\**\obj\**
 
  Package Caches:
    - C:\Users\*\.nuget\**
    - C:\Users\*\AppData\Roaming\npm-cache\**
    - C:\Users\*\.m2\repository\**
    - C:\Users\*\.gradle\**
    - C:\Users\*\AppData\Local\pip\Cache\**
 
  IDE Caches:
    - C:\Users\*\AppData\Local\JetBrains\**
    - C:\Users\*\.vscode\**
    - C:\Users\*\AppData\Local\Microsoft\VisualStudio\**
 
  Docker:
    - C:\ProgramData\Docker\**
    - C:\Users\*\.docker\**
    - \\wsl$\**  (WSL2 file system)
 
  Virtual Environments:
    - C:\Users\*\.virtualenvs\**
    - C:\Users\*\Anaconda3\**
    - C:\Users\*\miniconda3\**
 
# Process Exclusions (Interoperability):
Process Exclusions:
  - devenv.exe (Visual Studio)
  - Code.exe (VS Code)
  - rider64.exe (JetBrains Rider)
  - idea64.exe (IntelliJ)
  - node.exe (Node.js)
  - python.exe
  - java.exe
  - dotnet.exe
  - docker.exe
  - kubectl.exe

POLICY TEMPLATES (API Deployment)

JSON Policy Export Format

The following JSON templates can be used with the SentinelOne API for automated policy deployment.

Standard Workstation Policy JSON

{
  "policy": {
    "name": "MSP-Workstation-Standard",
    "description": "Standard workstation policy for MSP clients",
    "inheritanceSettings": {
      "inheritFrom": "site"
    },
    "engines": {
      "staticAi": {
        "enabled": true,
        "detectionLevel": "high"
      },
      "behavioralAi": {
        "enabled": true,
        "detectionLevel": "high"
      },
      "documentMacro": {
        "enabled": true,
        "mode": "suspicious"
      },
      "scripts": {
        "enabled": true,
        "encodedCommandDetection": true
      },
      "lateralMovement": {
        "enabled": true
      },
      "antiExploit": {
        "enabled": true
      }
    },
    "mitigationMode": {
      "threats": "protect",
      "suspicious": "detect"
    },
    "networkQuarantine": {
      "enabled": true,
      "autoQuarantine": {
        "enabled": true,
        "triggerOn": ["high", "critical"]
      }
    },
    "deepVisibility": {
      "enabled": true,
      "collectionLevel": "full"
    },
    "remoteShell": {
      "enabled": false
    },
    "antiTamper": {
      "enabled": true
    },
    "agentUi": {
      "showTrayIcon": true,
      "showNotifications": true
    },
    "localConfig": {
      "allowLocalUpgrade": false,
      "allowLocalUninstall": false
    }
  }
}

Server Policy JSON

{
  "policy": {
    "name": "MSP-Server-Production",
    "description": "Production server policy - no auto-quarantine",
    "inheritanceSettings": {
      "inheritFrom": "site"
    },
    "engines": {
      "staticAi": {
        "enabled": true,
        "detectionLevel": "high"
      },
      "behavioralAi": {
        "enabled": true,
        "detectionLevel": "high"
      },
      "documentMacro": {
        "enabled": true,
        "mode": "suspicious"
      },
      "scripts": {
        "enabled": true,
        "encodedCommandDetection": true
      },
      "lateralMovement": {
        "enabled": true
      },
      "antiExploit": {
        "enabled": true
      }
    },
    "mitigationMode": {
      "threats": "protect",
      "suspicious": "detect"
    },
    "networkQuarantine": {
      "enabled": false,
      "autoQuarantine": {
        "enabled": false
      }
    },
    "deepVisibility": {
      "enabled": true,
      "collectionLevel": "full"
    },
    "remoteShell": {
      "enabled": true,
      "requireApproval": false,
      "sessionTimeoutMinutes": 30
    },
    "antiTamper": {
      "enabled": true
    },
    "agentUi": {
      "showTrayIcon": false,
      "showNotifications": false
    },
    "localConfig": {
      "allowLocalUpgrade": false,
      "allowLocalUninstall": false
    }
  }
}

High-Security Policy JSON

{
  "policy": {
    "name": "MSP-HighSecurity-Compliance",
    "description": "High-security policy for compliance environments",
    "inheritanceSettings": {
      "inheritFrom": "site"
    },
    "engines": {
      "staticAi": {
        "enabled": true,
        "detectionLevel": "high"
      },
      "behavioralAi": {
        "enabled": true,
        "detectionLevel": "high"
      },
      "documentMacro": {
        "enabled": true,
        "mode": "all"
      },
      "scripts": {
        "enabled": true,
        "encodedCommandDetection": true,
        "contentLogging": true
      },
      "lateralMovement": {
        "enabled": true
      },
      "antiExploit": {
        "enabled": true
      }
    },
    "mitigationMode": {
      "threats": "protect_kill",
      "suspicious": "protect"
    },
    "networkQuarantine": {
      "enabled": true,
      "autoQuarantine": {
        "enabled": true,
        "triggerOn": ["medium", "high", "critical"]
      }
    },
    "deepVisibility": {
      "enabled": true,
      "collectionLevel": "full",
      "retentionDays": 90
    },
    "remoteShell": {
      "enabled": false
    },
    "antiTamper": {
      "enabled": true
    },
    "agentUi": {
      "showTrayIcon": true,
      "showNotifications": true
    },
    "localConfig": {
      "allowLocalUpgrade": false,
      "allowLocalUninstall": false
    },
    "deviceControl": {
      "enabled": true,
      "defaultAction": "block"
    }
  }
}

PowerShell API Deployment Script

<#
.SYNOPSIS
    Deploy SentinelOne policy to specified scope via API
.DESCRIPTION
    Creates or updates SentinelOne policies using the Management API
.PARAMETER PolicyJson
    Path to JSON file containing policy configuration
.PARAMETER ScopeType
    Target scope: Account, Site, or Group
.PARAMETER ScopeId
    ID of the target scope (Site ID or Group ID)
.PARAMETER ApiToken
    SentinelOne API token
.PARAMETER ConsoleUrl
    SentinelOne console URL
.EXAMPLE
    .\Deploy-S1Policy.ps1 -PolicyJson ".\workstation-policy.json" -ScopeType "Site" -ScopeId "123456" -ApiToken "xxx" -ConsoleUrl "https://tenant.sentinelone.net"
#>
 
param(
    [Parameter(Mandatory=$true)]
    [string]$PolicyJson,
 
    [Parameter(Mandatory=$true)]
    [ValidateSet("Account", "Site", "Group")]
    [string]$ScopeType,
 
    [Parameter(Mandatory=$false)]
    [string]$ScopeId,
 
    [Parameter(Mandatory=$true)]
    [string]$ApiToken,
 
    [Parameter(Mandatory=$true)]
    [string]$ConsoleUrl
)
 
# Read policy JSON
$policyData = Get-Content $PolicyJson -Raw | ConvertFrom-Json
 
# API headers
$headers = @{
    "Authorization" = "ApiToken $ApiToken"
    "Content-Type" = "application/json"
}
 
# Determine API endpoint based on scope
$endpoint = switch ($ScopeType) {
    "Account" { "$ConsoleUrl/web/api/v2.1/account/policy" }
    "Site"    { "$ConsoleUrl/web/api/v2.1/sites/$ScopeId/policy" }
    "Group"   { "$ConsoleUrl/web/api/v2.1/groups/$ScopeId/policy" }
}
 
Write-Host "=== SentinelOne Policy Deployment ===" -ForegroundColor Cyan
Write-Host "Policy: $($policyData.policy.name)"
Write-Host "Scope: $ScopeType $(if($ScopeId){"(ID: $ScopeId)"})"
Write-Host "Target: $endpoint"
Write-Host ""
 
# Get current policy for comparison
try {
    $currentPolicy = Invoke-RestMethod -Uri $endpoint -Headers $headers -Method GET
    Write-Host "Current policy retrieved successfully" -ForegroundColor Green
} catch {
    Write-Host "No existing policy found or error retrieving: $($_.Exception.Message)" -ForegroundColor Yellow
}
 
# Confirm deployment
$confirm = Read-Host "Deploy policy? (y/N)"
if ($confirm -ne 'y') {
    Write-Host "Deployment cancelled" -ForegroundColor Yellow
    exit 0
}
 
# Deploy policy
try {
    $body = $policyData | ConvertTo-Json -Depth 10
 
    $response = Invoke-RestMethod -Uri $endpoint -Headers $headers -Method PUT -Body $body
 
    Write-Host "`n[SUCCESS] Policy deployed successfully" -ForegroundColor Green
    Write-Host "Policy Name: $($policyData.policy.name)"
    Write-Host "Applied To: $ScopeType $(if($ScopeId){$ScopeId})"
 
    # Log deployment
    $logEntry = [PSCustomObject]@{
        Timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
        PolicyName = $policyData.policy.name
        ScopeType = $ScopeType
        ScopeId = $ScopeId
        Status = "Success"
        DeployedBy = $env:USERNAME
    }
 
    $logPath = "C:\BIN\LOGS-$(Get-Date -Format 'yyyyMMdd')-S1-PolicyDeployment.csv"
    $logEntry | Export-Csv -Path $logPath -Append -NoTypeInformation
    Write-Host "Deployment logged to: $logPath"
 
} catch {
    Write-Host "`n[ERROR] Policy deployment failed" -ForegroundColor Red
    Write-Host "Error: $($_.Exception.Message)"
 
    if ($_.ErrorDetails.Message) {
        $errorDetail = $_.ErrorDetails.Message | ConvertFrom-Json
        Write-Host "API Error: $($errorDetail.errors | ConvertTo-Json)"
    }
 
    exit 1
}

Bulk Policy Deployment Script

<#
.SYNOPSIS
    Bulk deploy SentinelOne policies to multiple sites/groups
.DESCRIPTION
    Reads CSV file with site/group mappings and deploys appropriate policies
.PARAMETER MappingCsv
    Path to CSV with columns: ScopeType, ScopeId, PolicyTemplate
.PARAMETER PolicyDirectory
    Directory containing policy JSON templates
#>
 
param(
    [Parameter(Mandatory=$true)]
    [string]$MappingCsv,
 
    [Parameter(Mandatory=$true)]
    [string]$PolicyDirectory,
 
    [Parameter(Mandatory=$true)]
    [string]$ApiToken,
 
    [Parameter(Mandatory=$true)]
    [string]$ConsoleUrl
)
 
# Load mapping
$mappings = Import-Csv $MappingCsv
 
$headers = @{
    "Authorization" = "ApiToken $ApiToken"
    "Content-Type" = "application/json"
}
 
$results = foreach ($mapping in $mappings) {
    Write-Host "`nDeploying $($mapping.PolicyTemplate) to $($mapping.ScopeType) $($mapping.ScopeId)..." -ForegroundColor Yellow
 
    $policyFile = Join-Path $PolicyDirectory "$($mapping.PolicyTemplate).json"
 
    if (-not (Test-Path $policyFile)) {
        Write-Host "[ERROR] Policy file not found: $policyFile" -ForegroundColor Red
        [PSCustomObject]@{
            ScopeType = $mapping.ScopeType
            ScopeId = $mapping.ScopeId
            Policy = $mapping.PolicyTemplate
            Status = "Failed"
            Error = "Policy file not found"
        }
        continue
    }
 
    $policyData = Get-Content $policyFile -Raw | ConvertFrom-Json
 
    $endpoint = switch ($mapping.ScopeType) {
        "Site"  { "$ConsoleUrl/web/api/v2.1/sites/$($mapping.ScopeId)/policy" }
        "Group" { "$ConsoleUrl/web/api/v2.1/groups/$($mapping.ScopeId)/policy" }
    }
 
    try {
        $body = $policyData | ConvertTo-Json -Depth 10
        $response = Invoke-RestMethod -Uri $endpoint -Headers $headers -Method PUT -Body $body
 
        Write-Host "[SUCCESS] Deployed $($mapping.PolicyTemplate)" -ForegroundColor Green
 
        [PSCustomObject]@{
            ScopeType = $mapping.ScopeType
            ScopeId = $mapping.ScopeId
            Policy = $mapping.PolicyTemplate
            Status = "Success"
            Error = $null
        }
    } catch {
        Write-Host "[ERROR] Failed: $($_.Exception.Message)" -ForegroundColor Red
 
        [PSCustomObject]@{
            ScopeType = $mapping.ScopeType
            ScopeId = $mapping.ScopeId
            Policy = $mapping.PolicyTemplate
            Status = "Failed"
            Error = $_.Exception.Message
        }
    }
}
 
# Summary
Write-Host "`n=== Deployment Summary ===" -ForegroundColor Cyan
Write-Host "Total: $($results.Count)"
Write-Host "Successful: $(($results | Where-Object {$_.Status -eq 'Success'}).Count)" -ForegroundColor Green
Write-Host "Failed: $(($results | Where-Object {$_.Status -eq 'Failed'}).Count)" -ForegroundColor Red
 
# Export results
$results | Export-Csv "PolicyDeployment-Results-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv" -NoTypeInformation
Write-Host "`nResults exported to: PolicyDeployment-Results-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"

Example Mapping CSV:

ScopeType,ScopeId,PolicyTemplate
Site,12345,MSP-Site-Standard
Group,23456,MSP-Workstation-Standard
Group,34567,MSP-Server-Production
Group,45678,MSP-HighSecurity-Compliance

MSP BEST PRACTICES

Policy Governance

Change Management Process:

Policy Change Workflow:
  1. Request:
     - Requestor submits change request
     - Include: Scope, Settings, Justification
     - Ticket created in PSA system
 
  2. Review:
     - Security team reviews request
     - Assess impact on protection posture
     - Evaluate potential for false positives
     - Document risk assessment
 
  3. Approval:
     - Security lead approves/denies
     - High-risk changes require additional approval
     - Document approval in ticket
 
  4. Implementation:
     - Deploy during maintenance window (if production)
     - Test in pilot group first (major changes)
     - Document all changes made
 
  5. Verification:
     - Confirm policy applied correctly
     - Monitor for issues (24-48 hours)
     - Document verification results
 
  6. Documentation:
     - Update policy documentation
     - Update client runbook
     - Close ticket

Performance Considerations

Balancing Security and Performance:

Performance ConcernPotential CauseSolution
High CPU usageFull behavioral monitoringAdd process exclusions for known-good
Slow file operationsOn-write scanningAdd path exclusions for high-I/O
Network slowdownDeep Visibility collectionEvaluate collection level
Login delaysBoot-time scanningOptimize startup exclusions
Application slowdownScanning app directoriesAdd application exclusions

Performance Monitoring:

# Check SentinelOne agent resource usage
function Get-S1AgentPerformance {
    $processes = Get-Process | Where-Object { $_.ProcessName -like "Sentinel*" }
 
    $results = foreach ($proc in $processes) {
        [PSCustomObject]@{
            ProcessName = $proc.ProcessName
            CPUPercent = [math]::Round(($proc.CPU / (Get-Date - $proc.StartTime).TotalSeconds) * 100, 2)
            MemoryMB = [math]::Round($proc.WorkingSet64 / 1MB, 2)
            Handles = $proc.HandleCount
            Threads = $proc.Threads.Count
        }
    }
 
    return $results
}
 
# Run and display
Get-S1AgentPerformance | Format-Table -AutoSize

Security Trade-offs

Understanding Risk vs Usability:

SettingSecurity ImpactUsability ImpactRecommendation
Detection Level: HighMaximum detectionMore FPs possibleUse with exclusion tuning
Network QuarantineStops lateral movementDisrupts user/serviceEnable for workstations only
Protect + KillFastest threat stopMay kill legitimate processUse after tuning period
Block All MacrosPrevents macro malwareBreaks legitimate macrosUse for high-security only
Full DV CollectionComplete visibilitySlight performance impactEnable for investigation capability

Documentation Standards

Required Documentation per Client:

Client Policy Documentation:
  Client Name: [Client]
  Site ID: [ID]
  Last Updated: [Date]
  Updated By: [Name]
 
  Policy Summary:
    Account Policy: MSP Baseline
    Site Policy: [Client-specific overrides]
    Groups:
      - Workstations: Standard Workstation Policy
      - Servers: Production Server Policy
      - [Other groups as applicable]
 
  Exclusions:
    Global (from Account):
      - [List inherited exclusions]
    Site-Specific:
      - [List client exclusions with justifications]
    Group-Specific:
      - [List group exclusions with justifications]
 
  Custom STAR Rules:
    - [List any client-specific rules]
 
  Special Considerations:
    - [Compliance requirements]
    - [Performance tuning applied]
    - [Known issues/workarounds]
 
  Change History:
    - [Date]: [Change description] - [Technician]

VERIFICATION

Policy Configuration Checklist

## Policy Configuration Verification
 
Client: _______________
Date: _______________
Verified By: _______________
 
### Account Level Policy
- [ ] Core detection engines enabled (Static AI, Behavioral AI)
- [ ] Anti-tamper protection enabled
- [ ] Cloud validation enabled
- [ ] MSP baseline settings documented
 
### Site Level Policy
- [ ] Site created with correct name
- [ ] Site SKU verified (Complete)
- [ ] Client-specific overrides documented
- [ ] Notification recipients configured
- [ ] Site-level exclusions documented and justified
 
### Group Level Policies
- [ ] Workstation group created with appropriate policy
- [ ] Server group created with appropriate policy
- [ ] Additional groups as needed (VDI, Executives, etc.)
- [ ] Each group policy documented
 
### Exclusion Management
- [ ] Standard MSP exclusions applied (RMM, backup, etc.)
- [ ] Client-specific exclusions documented
- [ ] All exclusions have business justification
- [ ] Exclusion audit scheduled (quarterly)
 
### Deep Visibility (Complete)
- [ ] Collection level set appropriately
- [ ] Retention period configured per client needs
- [ ] Verified data populating in console
 
### Functional Validation
- [ ] Agent deployed and connected
- [ ] EICAR test file detected
- [ ] Policy settings verified on endpoint
- [ ] No unexpected false positives
 
### Documentation
- [ ] Client runbook updated
- [ ] Policy changes logged
- [ ] Team notified of new client/changes

Policy Validation Script

<#
.SYNOPSIS
    Validates SentinelOne policy configuration against MSP standards
.DESCRIPTION
    Retrieves policy for specified scope and checks against baseline requirements
#>
 
param(
    [Parameter(Mandatory=$true)]
    [string]$SiteId,
 
    [Parameter(Mandatory=$true)]
    [string]$ApiToken,
 
    [Parameter(Mandatory=$true)]
    [string]$ConsoleUrl
)
 
$headers = @{
    "Authorization" = "ApiToken $ApiToken"
    "Content-Type" = "application/json"
}
 
# Get site policy
$sitePolicy = Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/sites/$SiteId/policy" -Headers $headers
 
# Get groups for site
$groups = Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/groups?siteIds=$SiteId" -Headers $headers
 
Write-Host "=== SentinelOne Policy Validation ===" -ForegroundColor Cyan
Write-Host "Site ID: $SiteId"
Write-Host ""
 
# Define required settings
$requiredSettings = @{
    "staticAi.enabled" = $true
    "behavioralAi.enabled" = $true
    "antiTamper.enabled" = $true
    "deepVisibility.enabled" = $true
}
 
$validationResults = @()
 
# Validate site policy
Write-Host "Site Policy Validation:" -ForegroundColor Yellow
foreach ($setting in $requiredSettings.GetEnumerator()) {
    $path = $setting.Key -split '\.'
    $value = $sitePolicy.data
 
    foreach ($p in $path) {
        $value = $value.$p
    }
 
    $passed = $value -eq $setting.Value
    $status = if($passed) { "[PASS]" } else { "[FAIL]" }
    $color = if($passed) { "Green" } else { "Red" }
 
    Write-Host "  $status $($setting.Key): $value (Expected: $($setting.Value))" -ForegroundColor $color
 
    $validationResults += [PSCustomObject]@{
        Scope = "Site"
        Setting = $setting.Key
        Expected = $setting.Value
        Actual = $value
        Passed = $passed
    }
}
 
# Validate each group
foreach ($group in $groups.data) {
    Write-Host "`nGroup '$($group.name)' Policy Validation:" -ForegroundColor Yellow
 
    $groupPolicy = Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/groups/$($group.id)/policy" -Headers $headers
 
    foreach ($setting in $requiredSettings.GetEnumerator()) {
        $path = $setting.Key -split '\.'
        $value = $groupPolicy.data
 
        foreach ($p in $path) {
            $value = $value.$p
        }
 
        # Handle inherited values
        if ($null -eq $value) {
            $value = "(inherited)"
        }
 
        $passed = ($value -eq $setting.Value) -or ($value -eq "(inherited)")
        $status = if($passed) { "[PASS]" } else { "[FAIL]" }
        $color = if($passed) { "Green" } else { "Red" }
 
        Write-Host "  $status $($setting.Key): $value" -ForegroundColor $color
 
        $validationResults += [PSCustomObject]@{
            Scope = "Group: $($group.name)"
            Setting = $setting.Key
            Expected = $setting.Value
            Actual = $value
            Passed = $passed
        }
    }
}
 
# Summary
$passedCount = ($validationResults | Where-Object { $_.Passed }).Count
$totalCount = $validationResults.Count
$passRate = [math]::Round(($passedCount / $totalCount) * 100, 1)
 
Write-Host "`n=== Validation Summary ===" -ForegroundColor Cyan
Write-Host "Checks Passed: $passedCount / $totalCount ($passRate%)"
 
if ($passRate -lt 100) {
    Write-Host "`nFailed Checks:" -ForegroundColor Red
    $validationResults | Where-Object { -not $_.Passed } | ForEach-Object {
        Write-Host "  - $($_.Scope): $($_.Setting)"
    }
}
 
# Export results
$validationResults | Export-Csv "PolicyValidation-$SiteId-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Write-Host "`nResults exported to: PolicyValidation-$SiteId-$(Get-Date -Format 'yyyyMMdd').csv"

TROUBLESHOOTING

Common Policy Issues

Issue: Policy not applying to agents

# Verify agent is receiving policy
$sentinelCtl = Get-Item "C:\Program Files\SentinelOne\Sentinel Agent*\SentinelCtl.exe" | Select-Object -First 1
 
# Check policy status
& $sentinelCtl.FullName config server.policyName
 
# Force policy refresh
Restart-Service -Name "SentinelAgent" -Force
Start-Sleep -Seconds 30
 
# Verify policy update
& $sentinelCtl.FullName config server.policyName

Issue: Agent in wrong group

  1. Console: Sentinels → Select Agent → Actions → Move to Group
  2. API:
$body = @{
    data = @{
        groupId = "TARGET_GROUP_ID"
    }
    filter = @{
        ids = @("AGENT_ID")
    }
} | ConvertTo-Json
 
Invoke-RestMethod -Uri "$consoleUrl/web/api/v2.1/agents/actions/move-to-group" -Headers $headers -Method POST -Body $body

Issue: Exclusion not working

  1. Verify exclusion mode matches detection type:

    • Static AI detection → Static mode exclusion
    • Behavioral AI detection → Interoperability mode exclusion

  2. Verify path format:

    Wrong: C:\Program Files\App
Right: C:\Program Files\App\**

Wrong: C:\Program Files\App\*
Right: C:\Program Files\App\**  (for recursive)

  3. Force policy update on endpoint

Issue: Performance impact after policy change

  1. Identify high-I/O processes:

    Get-Process | Sort-Object -Property CPU -Descending | Select-Object -First 10

  2. Review agent analyzer:

    & "C:\Program Files\SentinelOne\Sentinel Agent*\SentinelCtl.exe" create_agent_analyzer_report -o "C:\Temp\analyzer.txt" -m 60

  3. Add appropriate exclusions for identified processes

RELATED DOCUMENTATION

  • HOWTO- SentinelOne MSP Client Onboarding
  • HOWTO- SentinelOne Create and Manage Exclusion Policies
  • HOWTO- SentinelOne Control vs Complete Feature Comparison
  • HOWTO- SentinelOne Deep Visibility Threat Hunting
  • HOWTO- SentinelOne STAR Custom Detection Rules
  • HOWTO- SentinelOne PowerShell API Automation

REVISION HISTORY

VersionDateAuthorChanges
1.02026-01-08CosmicBytezInitial creation - Complete SKU policy best practices

Related Reading

  • SentinelOne Control vs Complete Feature Comparison
  • SentinelOne Deep Visibility Threat Hunting
  • SentinelOne Forensics Rollback and Remediation
#sentinelone#edr#Security#threat-hunting#deployment#policy#automation#forensics#api#incident-response#AI#detection-rules#device-control#firewall

Related Articles

SentinelOne Control vs Complete Feature Comparison

This document provides a comprehensive comparison between SentinelOne Singularity Control and Singularity Complete SKUs to help MSP teams understand the...

17 min read

SentinelOne Deep Visibility Threat Hunting

Deep Visibility is SentinelOne's EDR telemetry engine that provides comprehensive endpoint data collection for threat hunting, incident investigation, and...

22 min read

SentinelOne Forensics Rollback and Remediation

This document provides comprehensive procedures for forensic evidence collection, ransomware rollback, and threat remediation using SentinelOne Complete...

39 min read
Back to all HOWTOs