Description
As endpoint protection and EDRs evolve, we see solutions implement "distributed" vulnerability scanner functionality.
This means that each endpoint with the agent installed will scan the network around it and query nearby hosts for the ports and services they run.
This in turn looks a lot like attacker behaviour: performing reconnaissance on your network with port scans.
In this guide we'll tackle how to exclude your Canary IPs from SentinelOne Ranger scans in their portal.
📌 If you're uncertain about the cause of the alerts, feel free to reach out to the Canary support team at support@canary.tools - we're here to help and happy to check.
Because this activity comes from multiple sources, we want to avoid creating blind spots by ignoring it on the Canary Console. Instead, we can centrally add your Canaries to the SentinelOne Ranger exclusion lists.
Step 1: Collect your Canary IPs
You can find your Canary device IP addresses in the Console by selecting the Settings icon at the top, then navigating to Global Settings > Device IPs.
Step 2: Exclude IPs from Network Discovery
- Head over to https://community.sentinelone.com/s/login/?ec=302&startURL=%2Fs%2F
- In the left panel of the SentinelOne Portal, navigate to SentinelOne Menu
- Select Network Discovery, then General Settings, and head over to Settings.
- Scroll down to Global Scan Restrictions: Do Not Scan These IPs in all networks.
- On the drop-down menu, select IP and add your Canaries' IPs.
- Hit save and your Canaries will be excluded from future scans.
You're done! ;-)