SentinelOne STAR Advanced Automation and Watchlists

SCENARIO

Security teams face the challenge of detecting organization-specific threats, insider threats, and policy violations that generic detection rules cannot identify. Traditional EDR watchlists require manual monitoring and cannot automatically respond to matches. Organizations need the ability to create custom behavioral detection logic that executes at machine speed across all endpoints without waiting for signature updates or software deployments.

Use this guide when you need to:

• Automate detection and response for organization-specific threats (custom malware, insider threats, policy violations)
• Create behavioral watchlists that trigger automatic responses (process kill, network quarantine, alerts)
• Detect MITRE ATT&CK techniques specific to your threat landscape
• Monitor for specific IOCs (file hashes, domains, IPs, command-line patterns) across your entire fleet
• Enforce security policies automatically (block unauthorized tools, prevent data exfiltration)
• Reduce alert fatigue by automating response to known-bad behaviors
• Extend SentinelOne detection capabilities beyond built-in threat intelligence

Business Impact:

• Real-time automated response: STAR evaluates 200+ telemetry attributes at machine speed without software updates
• Zero-day protection: Detect and block threats before signatures exist based on behavioral patterns
• Custom threat intelligence: Integrate organization-specific IOCs and threat patterns
• Policy enforcement: Automatically block unauthorized applications, scripts, or network connections
• Reduced dwell time: Automatic response reduces attacker dwell time from days to seconds
• Compliance automation: Enforce security policies automatically (block unapproved software, detect data exfiltration)

SentinelOne Storyline Active Response (STAR) provides automated watchlist evaluation across 200+ telemetry attributes with custom detection logic and automatic response actions (kill process, network quarantine, alert).

REQUIREMENTS & ASSUMPTIONS

Prerequisites:

• SentinelOne Singularity Complete license: STAR is included with Complete tier
• Minimum agent version: 21.5 or later
• Console access: Admin or Analyst role with STAR permissions
• Deep Visibility familiarity: Understanding of Deep Visibility query language recommended
• MITRE ATT&CK knowledge: Familiarity with tactics and techniques helpful

License Verification:

Console > Settings > License > Modules: "Storyline Active Response (STAR)" should be listed

STAR Capabilities:

• 200+ telemetry attributes: Process, file, network, registry, user, DNS, command-line, parent-child relationships
• Real-time evaluation: Events evaluated against rules at machine speed (milliseconds)
• Automatic response: Kill process, network quarantine, alert only
• Scope control: Apply rules globally or to specific sites/groups
• 100+ default rules: Pre-built rules for common threats (upgradeable)

Assumptions:

• Administrators understand organizational threat landscape
• Custom IOCs are documented (file hashes, domains, command-line patterns)
• Response actions (kill vs. alert) are approved by security leadership
• Testing workflow exists for validating rules before production deployment

PROCESS

Step 1: Access STAR Custom Rules interface

1. Log in to SentinelOne Management Console
2. Navigate to Sentinels → STAR Custom Rules
3. STAR Rules dashboard displays:
   • Default Rules: Pre-built SentinelOne rules (100+ included)
   • Custom Rules: Organization-created rules
   • Rule Statistics: Total rules, enabled/disabled, triggered counts
   • Create Rule button

Result: STAR interface is accessible and ready for custom rule creation.

Step 2: Understand STAR rule structure

STAR rules consist of 3 components:

1. Query (Detection Logic)

• Deep Visibility query defining what to detect
• Uses 200+ telemetry attributes
• Supports complex boolean logic (AND, OR, NOT)

2. Event Condition (Trigger)

• When should the rule trigger? (every match, first match only, etc.)
• Frequency thresholds (e.g., trigger after 3 occurrences in 5 minutes)

3. Response Action (Automated Response)

• Alert Only: Create alert in console, no automated action
• Kill Process: Terminate matching process automatically
• Network Quarantine: Isolate endpoint from network
• Custom Script: Execute remediation script (advanced)

Example STAR Rule Structure:

Rule Name: Detect Mimikatz Credential Dumping
Description: Detect and kill mimikatz credential theft attempts

Query (Detection Logic):
  EventType = "Process Creation" AND
  (SrcProcName CONTAINS "mimikatz" OR
   SrcProcCmdLine CONTAINS "sekurlsa::logonpasswords")

Event Condition (Trigger):
  Trigger on EVERY match (real-time)

Response Action:
  Kill Process + Network Quarantine + Alert

Step 3: Create your first STAR custom rule

Example: Block Unauthorized Remote Access Tools (TeamViewer)

1. Navigate to Sentinels → STAR Custom Rules

2. Click + Create Rule

3. Configure rule details:

   • Rule Name: Block_Unauthorized_TeamViewer
   • Description: Block TeamViewer remote access tool (not approved by IT)
   • Severity: High
   • MITRE ATT&CK: T1219 (Remote Access Software)

4. Build detection query:

   Click Query Builder or write manual Deep Visibility query:

   EventType = "Process Creation" AND
   (SrcProcName CONTAINS "TeamViewer.exe" OR
    SrcProcName CONTAINS "TeamViewer_Service.exe" OR
    SrcProcDisplayName CONTAINS "TeamViewer")
   

   Test query: Click Run Query to verify it returns expected results

   • If too many false positives, refine query
   • If no results, verify TeamViewer process names are correct

5. Configure event condition:

   • Trigger: On every match (real-time response)
   • Frequency: No threshold (trigger immediately)

6. Configure response action:

   • ✅ Kill Process: Terminate TeamViewer.exe
   • ✅ Alert: Send alert to SOC
   • ⚠️ Network Quarantine: Optional (use for critical violations only)

7. Set rule scope:

   • Apply to: All Sites (or select specific sites/groups)
   • Exclusions: Group: IT Administrators (who may need TeamViewer for support)

8. Save and enable rule:

   • Click Save Rule
   • Toggle Enable to activate

Result: Rule is active. Any endpoint that executes TeamViewer will have the process killed automatically and alert generated.

Step 4: Create advanced STAR watchlist rules

Example 1: Detect PowerShell Command-and-Control Beaconing

Rule Name: Detect_PowerShell_C2_Beaconing
Description: Detect PowerShell making periodic network connections (C2 behavior)

Query:
  EventType = "Network Connection" AND
  SrcProcName CONTAINS "powershell.exe" AND
  DstPort IN (443, 8443, 8080) AND
  DstIP NOT IN CIDR ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # Exclude internal IPs

Event Condition:
  Trigger after 5 connections to same destination within 10 minutes

Response Action:
  Kill Process + Network Quarantine + Alert (Critical)

Example 2: Detect Lateral Movement (PsExec, WMI)

Rule Name: Detect_Lateral_Movement_Tools
Description: Detect lateral movement using PsExec or WMI remote execution

Query:
  (EventType = "Process Creation" AND
   (SrcProcName CONTAINS "psexec" OR
    SrcProcCmdLine CONTAINS "wmic" AND SrcProcCmdLine CONTAINS "/node:")) OR
  (EventType = "Network Connection" AND
   DstPort = 135 AND  # WMI/DCOM port
   SrcProcName NOT IN ("svchost.exe", "wmiprvse.exe"))

Event Condition:
  Trigger on every match

Response Action:
  Alert (Critical) + Network Quarantine
  (Do NOT kill process - may be legitimate IT admin activity, investigate first)

Example 3: Detect Suspicious File Creation in Temp Directories

Rule Name: Detect_Malware_Temp_Execution
Description: Detect executables created in temp directories (common malware behavior)

Query:
  EventType = "File Creation" AND
  FilePath CONTAINS ("\Temp\", "\AppData\Local\Temp\", "\Windows\Temp\") AND
  FileExtension = ".exe" AND
  FileSignedStatus = "Unsigned"

Event Condition:
  Trigger on every match

Response Action:
  Alert (High) + Quarantine File
  (Review alert before killing - may be legitimate installer)

Example 4: Enforce Data Exfiltration Prevention

Rule Name: Prevent_Data_Exfiltration_Cloud_Upload
Description: Block large file uploads to cloud storage services

Query:
  EventType = "Network Connection" AND
  DstFqdn CONTAINS ("dropbox.com", "drive.google.com", "onedrive.com", "mega.nz") AND
  NetTxBytes > 50000000  # >50MB uploaded

Event Condition:
  Trigger on every match

Response Action:
  Kill Process + Alert (Critical) + Block Network Connection

Example 5: Detect Privilege Escalation Attempts

Rule Name: Detect_UAC_Bypass_Techniques
Description: Detect UAC bypass and privilege escalation attempts

Query:
  EventType = "Process Creation" AND
  (SrcProcCmdLine CONTAINS ("eventvwr.exe", "fodhelper.exe", "sdclt.exe") OR
   SrcProcIntegrityLevel = "High" AND
   SrcProcParentIntegrityLevel = "Medium")  # Process elevated unexpectedly

Event Condition:
  Trigger on every match

Response Action:
  Alert (Critical) + Kill Process (if malicious) or Monitor (if uncertain)

Step 5: Use STAR watchlists for IOC monitoring

STAR can monitor for specific IOCs (file hashes, domains, IPs) across your entire fleet.

Example: Monitor for Known-Malicious File Hashes

Rule Name: Watchlist_Known_Malware_Hashes
Description: Detect execution of known-malicious file hashes from threat intel

Query:
  EventType = "Process Creation" AND
  SrcProcSha256 IN (
    "abc123def456...",  # Mimikatz hash
    "789ghi012jkl...",  # Cobalt Strike beacon hash
    "345mno678pqr..."   # Emotet malware hash
  )

Event Condition:
  Trigger on every match

Response Action:
  Kill Process + Network Quarantine + Alert (Critical)

Pro Tip: Maintain a centralized IOC list and update STAR rules monthly with new threat intelligence.

Example: Monitor for Malicious Domains (C2 Servers)

Rule Name: Watchlist_Known_C2_Domains
Description: Block connections to known command-and-control servers

Query:
  EventType = "DNS Query" AND
  DstFqdn IN (
    "evil-c2-server.com",
    "malicious-domain.net",
    "attacker-infra.org"
  )

Event Condition:
  Trigger on every match

Response Action:
  Block Network Connection + Network Quarantine + Alert (Critical)

Step 6: Test STAR rules before production deployment

Critical: Always test rules on pilot group before global deployment.

1. Create test rule with limited scope:

   • Set Scope: Test Group only (small set of test endpoints)
   • Set Response Action: Alert Only (no automated kill/quarantine)

2. Generate test event:

   • On test endpoint, trigger the condition (e.g., run blocked application)
   • Verify alert appears in console

3. Review alert quality:

   • Are false positives acceptable?
   • Is detection logic accurate?
   • Does response action align with severity?

4. Tune rule if needed:

   • Refine query to reduce false positives
   • Adjust event condition thresholds
   • Modify response action (alert vs. kill)

5. Deploy to production:

   • Once validated, expand scope to All Sites
   • Enable automated response (Kill Process, Network Quarantine)
   • Monitor for first 24 hours

Step 7: Monitor STAR rule effectiveness

1. Navigate to Sentinels → STAR Custom Rules

2. Review rule statistics:

   Rule Name	Enabled	Triggered (24h)	Triggered (30d)	False Positives	Actions Taken
   Block_Unauthorized_TeamViewer	✅	3	45	0	45 kills
   Detect_PowerShell_C2_Beaconing	✅	0	2	0	2 quarantines
   Detect_Lateral_Movement_Tools	✅	1	8	2	6 alerts

3. Investigate triggered rules:

   • Click rule name to view triggered events
   • Review Storyline for each triggered event
   • Confirm true positive vs. false positive

4. Tune rules with high false-positive rate:

   • Refine query to exclude legitimate activity
   • Add exclusions for known-good processes/users
   • Adjust thresholds (e.g., "trigger after 5 occurrences" instead of "every match")

Step 8: Maintain and update STAR rules

Monthly maintenance:

1. Review triggered rules: Identify rules with zero triggers (may need tuning or removal)
2. Update IOC watchlists: Add new malware hashes, C2 domains from threat intel
3. Tune false positives: Refine rules generating excessive false alerts
4. Add new rules: Create rules for emerging threats or organizational needs

Threat intelligence integration:

• Subscribe to threat intelligence feeds (MISP, AlienVault OTX, VirusTotal)
• Update STAR rules with new IOCs weekly/monthly
• Automate IOC updates using SentinelOne API (advanced)

Rule version control:

• Document rule changes in description field
• Export rules to JSON for backup
• Version control rule configurations in Git

VERIFICATION

Verify STAR is operational:

1. Check license:

   Console → Settings → License → Modules: "Storyline Active Response (STAR)" = Active
   

2. Verify rule is enabled:

   Console → Sentinels → STAR Custom Rules → [Rule Name] → Status = Enabled
   

3. Test rule trigger:

   • On test endpoint, trigger rule condition (e.g., run blocked application)
   • Verify alert appears in Console → Alerts within 1 minute
   • Verify automated action executed (process killed, endpoint quarantined)

4. Check agent receives STAR policy:

   # On managed endpoint
   & "C:\Program Files\SentinelOne\Sentinel Agent *\SentinelCtl.exe" policy show
   # Look for "STAR Rules: X rules active"

TROUBLESHOOTING

Issue: STAR rule not triggering

Solutions:

1. Verify rule is enabled: Console → STAR Custom Rules → [Rule] → Status
2. Test query manually: Run Deep Visibility query to verify it returns results
3. Check rule scope: Ensure rule applies to test endpoint's site/group
4. Verify agent version: STAR requires agent 21.5+
5. Check event condition: If using thresholds, verify condition is met

Issue: Too many false positives

Solutions:

1. Refine query: Add exclusions for known-good processes/users
2. Adjust thresholds: Change "every match" to "after X occurrences in Y minutes"
3. Add exclusions: Exclude specific sites/groups (e.g., IT Administrators)
4. Use alert-only mode: Change response from "Kill" to "Alert Only" while tuning

Issue: Rule kills legitimate process

Solutions:

1. Immediately disable rule: Console → STAR Rules → [Rule] → Disable
2. Review triggered events: Identify why legitimate process matched
3. Add exclusion: Exclude process by hash, path, or certificate
4. Re-enable with refined query: Test on pilot group before global deployment

COMMANDS/SCRIPTS

PowerShell script to export STAR rules (backup):

<#
.SYNOPSIS
    Export all STAR custom rules from SentinelOne console
.PARAMETER ApiToken
    SentinelOne API token
.PARAMETER ConsoleUrl
    SentinelOne console URL
#>
 
param(
    [Parameter(Mandatory=$true)]
    [string]$ApiToken,
    [Parameter(Mandatory=$true)]
    [string]$ConsoleUrl
)
 
$headers = @{
    "Authorization" = "ApiToken $ApiToken"
    "Content-Type" = "application/json"
}
 
Write-Host "Exporting STAR rules..." -ForegroundColor Cyan
 
$rules = Invoke-RestMethod -Uri "$ConsoleUrl/web/api/v2.1/cloud-detection/rules" -Headers $headers -Method Get
 
$rules.data | ConvertTo-Json -Depth 10 | Out-File "STAR-Rules-Backup-$(Get-Date -Format 'yyyyMMdd').json"
 
Write-Host "Exported $($rules.data.Count) STAR rules" -ForegroundColor Green

REFERENCES

• SentinelOne STAR Blog - Customize Your EDR
• STAR Datasheet
• SentinelOne Unveils STAR (Press Release)
• STAR Community Queries (GitHub)

Document Version: 1.0 Last Updated: 2025-11-26 Author: CosmicBytez IT Operations Reviewed By: Security Operations Team

Related Reading

• SentinelOne Control vs Complete Feature Comparison
• SentinelOne Deep Visibility Threat Hunting
• SentinelOne Forensics Rollback and Remediation