• Capture Client 3.7
• Overview
  • Description
  • Navigation
  • Guide Conventions
• Dashboard
  • About the Dashboard
  • Global Dashboard
  • Tenant Dashboard
• Alerts and Notifications
  • Accessing Notifications
  • Viewing Alerts
• Threat Investigation
  • Investigating Threats
  • Analyst Verdict
  • Downloading a Threat File
  • Detected Threats
  • Threats Mitigated
  • Performing a Rollback
  • Resolving Threats
  • Blacklisting Threats
  • Benign Threats
• Investigating and Responding to Active Clients
  • SentinelOne Pending Actions
• Investigating and Responding to Active Users
• Enforce Trusted Certificates
• Investigating and Responding to Risky Applications
• SonicWall Support
  • About This Document

Investigating and Responding to Active Clients

This workflow shows administrators how to investigate the state of the devices, view details of the devices and details of the users using the endpoint. For threat events, refer to Threat Investigation.

To view the list of endpoints and take any actions, navigate to Assets > Devices.

View Clients

To view the list of devices managed by this instance of SonicWall Capture Client, navigate to Assets > Devices.

At the top of the page, you have the options to:

• Filter the list: Click and select the check the boxes for the Capture Client, SentinelOne, Health Status, Commissioned, Network Status, Pending Actions, Pending Threat Reboot, Operational State, Vulnerability Status, Type, OS, Network Protection, Update Requested, SentinelOne Pending Upgrade, Scan Status, Disk Encryption, or by entering the Client Version, SentinelOne version or the Location options in the respective search boxes to filter on.
• Search: Click and enter the search string.

• Columns: Click Columns to select and view the required columns. You can customize the options to display the required columns including Identifier (shows as an identifier or 'tag' assigned to the endpoint), Name (Endpoint name), Status (shows the current state of any updates performed), Health Status (shows as Healthy or Infected. An endpoint shows as infected if it has at least one active threat.), Commissioned, Network Status (Is Disconnect from Network enabled or disabled), Pending Actions, Pending threat reboot (Yes or No), Operational State (If an endpoint was disabled by the customer or by SentinelOne it shows Disabled. Otherwise it shows Not disabled.), Vulnerability Status, Tenant, Last Active (when the Agent last connected to the Management), Current User, Local IP, Console Visible IP (External IP address of the Agent), Location, Domain (Network domain that the endpoint belongs to), Type (Installer type - file used to install the Agent), OS, Network Protection, Client Version, SentinelOne Version, SentinelOne Pending Upgrade, Scan Status (when the last scan was completed), Disk Encryption (On or Off), and Group.

  

• Export as CSV: Click to export and download the devices details to CSV file.

• Refresh data: Click to refresh data.

• Taking appropriate actions for devices: Select the device from the list and click to take appropriate actions. You can take any of the following:

  • Initiate Scan
  • Uninstall
  • Decommission
  • Delete
  • Disconnect from Network
  • Refresh Active Directory Info

Monitoring and Managing the State of Devices

On clicking any of the devices, the Overview tab shows details of the device including the machine name, IP address, the operating system (OS) in which it is running, the licenses that are attached to this device and the users logged into this device the last time.

To collect information for troubleshooting or to manage state of the device, click and select:

• View Threats

• Update Policy to update the Endpoint Policy assigned to the user.

• Upgrade Client

• Refresh Active Directory Info

• Send Logs

• Enable Debug Logs

• Archive Logs

• Initiate Scan

• Send TSR (to pull specific data from the endpoint for investigation purposes)

• Disconnect Network

• Decommission to decommission Capture Client and remove it from console

• Uninstall Client to uninstall Capture Client from the endpoint

• Show Authorization Password

• Shutdown Device

• Reboot Device

• Reset Authorization Password

The key data points to be observed here are the three icons in the Overview tab that represent the state of the endpoint. The green colored icons represent a healthy state while gray icon indicates that there is a problem with that device.

Icon	Meaning
	Green if network is connected. Red if network is disconnected. Grey if network status is unavailable. Orange if network is reconnecting.
	Green if SentinelOne agent is online. Grey if SentinelOne agent is Offline. Yellow if SentinelOne is in 'Pending upgrade' or 'Pending uninstall' state. Red if SentinelOne has a pending action. For more details, refer to SentinelOne Pending Actions.
	Green if Capture Client on the endpoint is online. Grey if Capture Client on the endpoint is offline.

• Activated—This state means that the device on which Capture Client is running is connected to the network and can access the network.

  • Possible Problem—The Capture Client or any of its modules needs an upgrade to the most current version. The device is unavailable when the icon is red and pending connecting information when gray.

  • Resolution—Navigate to Policies > Client for the package and roll out the latest version of the package.

• Online—This state means that this device is up and running and is communicating with the Cloud Management Console.
  

  Even if the device is offline, the device is still protected.

  • Possible Problem—The endpoint is disconnected from the network and cannot communicate with the Client Management Console. If you see the icon in red, the device cannot communicate with either Cloud Management Console or SentinelOne.
  • Resolution—Validate with the user that the endpoint is up and running and online. If yes, then check for any firewalls or network connectivity issues that may be impacting connectivity to the console. Check the Logs folder in the Capture Client installation folder for the endpoint for any connectivity errors. If no error is identified, attempt a reboot of the system to restore it to a good state.

Reviewing Processes Running on a Device

Capture Client also obtains the list of processes running on an endpoint at any given time. Knowing what processes are running can be useful in malware incident investigations. It also helps you to know if a dubious application or process is being run on the endpoint. Navigate to Assets > Devices to see the entire list of processes running on that endpoint. Select a device and click on the Process tab. You can also search for specific processes by name or filter the list if you are looking for a specific process.

You can easily build bulk exclusions from the Processes tab of any device. Simply select the process or set of processes and then click . This icon is to Adds paths to exclusions. You can even search for processes belonging to a specific application or vendor (for example, Apple or Adobe) and exclude all their applications.

You can also de-list processes on the Processes tab (remove them from the Exclusions list). Those processes that are already excluded are identified by a gray checked shield at the end of the name. Select all those processes that you want to de-list, and click . This icon Removes paths from exclusions.

Click to refresh data.

Reviewing Policies Enforced on a Device

Click on Assets > Devices. Double-click on the desired device in the table to see the device detail. Select the Policies tab to view the policies assigned to the user who was logged into this device. This can be helpful in investigating if a policy issue may be causing problems with a specific endpoint. From this section, you can also navigate to editing the Capture Client policy or the child Threat Protection and Trusted Certificates policies.

Scroll down and click on the Details button to view the Policy Priority window. You can manually modify the policies assigned to a particular user. Refer to Capture Client Policies for more information.