Difference between SentinelOneAlertPassthrough and SentinelOneThreats detections in Panther?

Last updated: March 26, 2025

QUESTION

What's the difference between SentinelOneAlertPassthrough and SentinelOneThreats in Panther, and when should each detection be used?

ANSWER

While both SentinelOneAlertPassthrough and SentinelOneThreats handle SentinelOne-related detections in Panther, they serve different purposes. The key differences between these detections are:

  • SentinelOneThreats: This detection covers only security threats that SentinelOne itself has identified. It processes enriched threat data that points to actionable security risks, particularly malware and suspicious activity.

  • SentinelOneAlertPassthrough: This detection handles raw alerts from SentinelOne with minimal processing or filtering. It encompasses a broader scope, including custom rules, general detections, and policy violations.

When to Use Each Detection

  • Use SentinelOneThreats when you need to monitor and respond specifically to security threats identified by SentinelOne.

  • Use SentinelOneAlertPassthrough when you want to track all SentinelOne alerts, including broader system events and policy-related notifications.
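The scoping difference described above, shown as two Panther-style rules (rule/title/severity/dedup functions). This is an added illustration, not Panther's own SentinelOne rule code: the event field names (category, threatInfo, ruleInfo, agentComputerName) and the confidence values are assumptions, and the sample records are constructed.

```python
from typing import Any, Dict

# Assumed SentinelOne verdict values mapped onto Panther severities (not the real schema)
CONFIDENCE_TO_SEVERITY = {"malicious": "HIGH", "suspicious": "MEDIUM"}


def threats_rule(event: Dict[str, Any]) -> bool:
    """Narrow scope: fire only on records SentinelOne has classified as a threat."""
    return event.get("category") == "threat" and "threatInfo" in event


def threats_severity(event: Dict[str, Any]) -> str:
    """Map SentinelOne's verdict onto a Panther severity; unknown verdicts stay LOW."""
    confidence = event.get("threatInfo", {}).get("confidenceLevel", "")
    return CONFIDENCE_TO_SEVERITY.get(confidence.lower(), "LOW")


def threats_title(event: Dict[str, Any]) -> str:
    """Alert title built from the enriched threat classification and the affected host."""
    info = event.get("threatInfo", {})
    host = event.get("agentComputerName", "<unknown host>")
    return f"SentinelOne threat [{info.get('classification', 'Unknown')}] on {host}"


def alert_passthrough_rule(event: Dict[str, Any]) -> bool:
    """Broad scope: forward every SentinelOne alert record, threat or not."""
    return event.get("category") in {"threat", "alert", "policy"}


def alert_passthrough_title(event: Dict[str, Any]) -> str:
    """Title for the passthrough rule; falls back from rule name to threat name."""
    name = event.get("ruleInfo", {}).get("name") or event.get("threatInfo", {}).get("threatName", "unnamed")
    return f"SentinelOne alert ({event.get('category')}): {name}"


def dedup(event: Dict[str, Any]) -> str:
    """Group repeated alerts for the same host and rule/threat into one Panther alert."""
    key = event.get("ruleInfo", {}).get("name") or event.get("threatInfo", {}).get("threatName", "")
    return f"{event.get('agentComputerName', '')}:{key}"


# Constructed sample records (not real SentinelOne output)
THREAT_EVENT = {
    "category": "threat",
    "agentComputerName": "ws-0042",
    "threatInfo": {"classification": "Malware", "confidenceLevel": "malicious", "threatName": "eicar_test_file"},
}
POLICY_EVENT = {
    "category": "policy",
    "agentComputerName": "ws-0042",
    "ruleInfo": {"name": "USB mass storage blocked"},
}
```

Run against both records, only the passthrough rule matches the policy violation, while the threats rule matches the malware record alone and assigns it HIGH severity.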