Endpoint Detection and Response

About this service

The new Vulnerability Insight and Threat Alerts (VITA) Team will be the home of documentation, discussion, and tooling for the Information Security Services (ISS)-supported vulnerability management and endpoint detection and response solutions (presently Qualys and SentinelOne, respectively). The Team will act as a hub where campus IT practitioners receive news about these tools and a forum for directing relevant questions to ISS. The associated SharePoint site will include documentation on deploying and using these tools. To gain access to the VITA team, please contact soc@uwaterloo.ca.

Managed workstations

University of Waterloo-owned, managed PCs receive the SentinelOne (S1) Endpoint Detection and Response (EDR) agent.

Who can use this service

Employees

Support for this service

Submit an inquiry via Jira Help Portal

Pricing/cost

No charge

Non-managed or personal workstations

Non-managed, University-owned PCs should still have SentinelOne installed. To arrange this, first consult your local IT representative, who may escalate the request to IST.

For personal machines, please review the list of recommended alternatives.

Frequently asked questions

General

SentinelOne creates decoy files with read/write access to help detect ransomware: a process that starts encrypting or deleting these files reveals itself to the agent. The decoys are expected and should be left in place; SentinelOne will periodically recreate them if they are deleted.

[Screenshot: example decoy folder on C:\]
[Screenshot: example contents of a decoy folder]

It is not good practice to run multiple EDR or antivirus agents on the same machine. They may "discover" each other and attempt to remove the other, or one may begin mitigating a threat and be unable to complete the task because the other has already acted on the same file or process. SentinelOne is centrally managed and monitored by ISS and is the recommended solution for University-owned equipment.
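Because two agents will fight over the same files and processes, the first thing to check before (or after) installing SentinelOne on a Windows machine is which antivirus/EDR products Windows itself thinks are registered. The following PowerShell is an added example and not code from IST or SentinelOne. It reads the Windows Security Center WMI class AntiVirusProduct, which is assumed to be present (it is on Windows 10/11 workstation editions; Windows Server does not expose it), and warns when more than one product other than Microsoft Defender is registered. The decoding of productState is the commonly used interpretation rather than a vendor-documented one.

```powershell
# Added example, not code from the IST service entry: list the antivirus/EDR products
# registered with Windows Security Center so a second agent can be found and removed
# before (or after) SentinelOne is deployed.
# Assumption: the root/SecurityCenter2 namespace exists. It does on Windows 10/11
# workstation editions; Windows Server does not expose it.

$products = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct')

if ($products.Count -eq 0) {
    Write-Warning 'No antivirus/EDR product is registered with Security Center.'
    return
}

foreach ($p in $products) {
    # productState is a packed value; rendered as six hex digits, a middle byte
    # starting with 1 means real-time protection is on (e.g. 0x061100 on, 0x060100 off).
    # This decoding is the commonly used interpretation, not vendor-documented.
    $hex     = '{0:X6}' -f [int]$p.productState
    $enabled = $hex.Substring(2, 2) -match '^1'
    [pscustomobject]@{
        Product = $p.displayName
        Enabled = $enabled
        State   = "0x$hex"
        Path    = $p.pathToSignedProductExe
    }
}

# Microsoft Defender stays registered (in passive mode) when a third-party agent is
# present, so only count the products that are not Defender.
$thirdParty = @($products | Where-Object { $_.displayName -notmatch 'Defender' })
if ($thirdParty.Count -gt 1) {
    Write-Warning ('Multiple third-party agents registered: ' +
        ($thirdParty.displayName -join ', ') +
        '. Remove the one that is not SentinelOne before continuing.')
}
```

Run it from an elevated PowerShell session. A product listed with Enabled set to False is usually a leftover registration from an uninstalled agent, which is still worth cleaning up before SentinelOne is deployed.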

By design, endpoint detection and response software is necessarily invasive: it monitors running processes, the network connections they make, the files they open, and similar activity.

Systems that are subject to an external agreement need to be discussed with Information Security Services (ISS): some agreements require some form of EDR, while others restrict administrative access to the systems, and so on. Every situation will be different.

In general, the agent will notify the user of actions it takes. Where to look:

  • Windows: open the SentinelOne icon in the system tray

  • Mac: open it from the menu bar

  • Linux: there are no graphical elements, but the agent logs its actions to /opt/sentinelone/log/agent.log

If you believe SentinelOne is interfering with a legitimate process, submit an inquiry via the Jira Help Portal with the device name and the affected process and/or file details.

