Sentinel One AI SIEM Walkthrough

Introduction

Good day! My name is Dave Glover, and I am a Solutions Architect here at SentinelOne. Today, I would like to provide you with a detailed walkthrough of SentinelOne's AI SIEM (Singularity AI Sim).

What is Singularity AI Sim?

Singularity AI Sim is a high-performance, cloud-native SIEM (Security Information and Event Management) solution that centralizes the collection of machine-readable log data from various sources. This includes on-premises firewalls and cloud-native applications such as Office 365, among others. It seamlessly integrates SentinelOne’s own endpoint data and telemetry. This data undergoes parsing and normalization using the OCSF (Open Cybersecurity Schema Framework) data schema, creating a unified language for searching across diverse event sources. Additionally, the data is enriched with threat intelligence and telemetry information, providing analysts with a comprehensive dataset for thorough investigations.

Key Capabilities of Singularity AI Sim

Singularity AI Sim transforms the security team's experience by employing AI-powered monitoring, investigation, and response capabilities while ensuring scalability, automation efficiencies, and strict adherence to data governance standards. Some of the key features include:

• Enterprise-Grade Management: Flexible multi-tenancy and role-based access control.
• Data Ingest and Normalization: Simplified data onboarding and parsing to a common schema.
• Near Real-Time Analysis: Fast event searches, alerting, and notifications, alongside a built-in rule library with customizable rules.
• Long-Term Storage and Retrieval: All data remains accessible without requiring retrieval from long-term storage.
• Hunting and Analytics: Features for comprehensive investigations and analysis.
• Response Capabilities: Effective incident response mechanisms.

A significant benefit of Singularity AI Sim is the integration of Purple AI, an AI assistant that helps analysts query data using natural language. This functionality is particularly advantageous for newer analysts who may not be familiar with complex query languages. They can simply ask Purple AI about specific attacks or data occurrences, and it constructs the necessary queries, showing analysts the actions taken.

Architecture Walkthrough

Let’s break down the architecture of Singularity AI Sim.

• Data Collection: Data sources can range from Office 365 and AWS to on-premises firewalls and machine logs. This data is ingested, processed, and normalized into the OCSF schema.
• Redaction Capabilities: Sensitive data, such as credit card information, can be redacted during data ingestion.
• Analyst Interaction: Analysts can run queries against the data, and thanks to the fast processing speeds of AI Sim, they can retrieve results quickly.
• Enriched Information: The ingested data also includes threat intelligence, facilitating detailed investigations.
• Dashboard and Reporting: Analysts can create and customize dashboards based on their needs and can interface with other tools through APIs.

Live Demo Overview

Upon logging into the AI Sim console, users can access various functions on the left side of the screen and visualize their dashboards. Alerts, event searches, correlation rules management, and interaction with Purple AI are readily available.

Data Ingestion

The system supports about 130 different event sources. Users can configure log ingestion from various platforms, including Office 365 and AWS. Additionally, threat intelligence sources can be integrated seamlessly.

Dashboard Capabilities

Users have the ability to create numerous dashboards or use existing ones, focusing on areas of interest. The interactive capability allows users to drill down into data, enhancing the investigation process with detailed insights based on previously set parameters.

Event Search

The event search function provides access to parsed log data, allowing investigators to focus on specific data sources and events. Purple AI assists by identifying significant events and suggesting remediation steps.

Correlation Rules Management

The system includes pre-built correlation rules, which are mapped to the MITRE ATT&CK framework. Users can activate these rules to monitor activities efficiently.

Purple AI Interaction

In addition to querying events, Purple AI can directly answer questions and create notebooks that track inquiries and their outcomes, enhancing the analyst's ability to document processes and findings comprehensively.

Overall, SentinelOne’s AI SIEM provides a powerful, user-friendly solution for managing and investigating security events.

Keyword

• Singularity AI Sim
• Cloud-native SIEM
• Data ingestion
• OCSF schema
• Threat intelligence
• Purple AI
• Event search
• Correlation rules
• MITRE ATT&CK framework
• User-friendly interface

FAQ

1. What is Singularity AI Sim?
Singularity AI Sim is a cloud-native security information and event management solution by SentinelOne that collects and centralizes log data from various sources.

2. How does Purple AI assist analysts?
Purple AI allows analysts to query data using natural language, making it easier for those unfamiliar with query languages to retrieve relevant information.

3. What kind of data sources can be integrated into Singularity AI Sim?
The system supports a wide range of data sources, including cloud applications like Office 365 and AWS, as well as on-premises systems.

4. How are correlation rules managed?
The platform includes pre-built correlation rules mapped to the MITRE ATT&CK framework, which can be activated and customized according to the user's needs.

5. Can data be stored long-term?
Yes, all ingested data remains hot and accessible without the need for retrieval, allowing for efficient searching and analysis.