Issue
We are trying to troubleshoot a possible issue with our SentinelOne Agent running on the endpoint. We want to confirm whether the Agent is actively sending telemetry.
Environment
SentinelOne
Resolution
The quickest way to confirm whether an Agent is sending telemetry is to log in to your SentinelOne console, click the Visibility tab (i.e., Deep Visibility) in the left menu bar, then select the Hunting tab at the top of the page.
Next, build the query. Type the Data Type "EndpointName" (it will populate automatically once you start typing it), then the Operator "Contains", and then the String "Type Your Endpoint's Name" (it must be in quotes). Then click the Search icon on the right of the query field.
If the endpoint has been sending telemetry, you should see all of the event types (i.e., Processes, Cross Process, Files, Network Actions, etc.) start to populate with data showing today's date in the timestamp.
There is another easy way to open Deep Visibility for a specific endpoint and check for process telemetry:
- Go to your SentinelOne dashboard and click on "Sentinels" on the left menu bar.
- Next, search for a specific endpoint by clicking in the "Select filters..." field at the top of the page and typing the endpoint's hostname.
- Now click on the endpoint's hostname when it shows up in the endpoints list. This will open a menu on the bottom right of the page. Click Actions | Shortcuts | Search in Deep Visibility.
- This will open up the Deep Visibility page and auto-populate the endpoint's UUID. Then click the Search icon on the right of the query field.