I would like to have the same features such as ransomware that are available on the cloud version of SentinelOne also made available for the on-prem version because a lot of people in our region are not ready for cloud solutions.
SentinelOne has some inputs, some traditional NPRs, or models like IPS and IDS. We can configure individual rules for particular machines. In a sense, control is not from the console. There should be more integration models with different security operations tools or soft tools. It could provide a single pane for integration with the firewall, or a soft solution should be there.
The solution is a bit costly for some customers. DLP support would be a good addition. Currently, there are multiple vendors and agents on endpoints. The solution looks at data from a specific documentation view so it would be beneficial to use that same documentation to look at DLP.
The dashboard should include troubleshooting because it can have problems. Sometimes, the XDR does not configure its policies for data security on time. The XDR should include ECI compliance, multiple data securities, and the load balancer for network firewalls under one umbrella. It would be beneficial to buy a salient solution that does everything. The cloud side could be improved to include security, advanced integrations with other products, storage accounts, monitoring, and support. The solution should include USB blocking for specific machines.
Updated: November 2024.
Product Manager at a comms service provider with 51-200 employees
Real User
Jun 2, 2022
SentinelOne makes it more difficult to define users. It is difficult to manage users in SentinelOne. There are many defining roles. It is granular, but it is also complicated. It is more granular than CrowdStrike, but it is not preferred because you have to check hundreds of roles. It's a challenge. This user assignment feature would be more efficient. It would be fantastic if they could design it. In comparison to CrowdStrike, EDR is less detailed. CrowdStrike provides more information about an adversary than SentinelOne. Having a good EDR is a huge plus. In my opinion, it earns two points. The number will be nine if they can expand it with a more detailed one. I could complain about SentinelOne's pricing right now, but I am sure CrowdStrike is using its own staff to provide its clients with a complete solution. Being expensive is a little more reasonable than you think. Most people want to know why CrowdStrike is more expensive than other options. CrowdStrike can assist you with their technical personnel, and CrowdStrike is the only provider who can assist you with their own threat hunters. SentinelOne is not currently doing this.
Senior IT Security Analyst at a comms service provider with 501-1,000 employees
Real User
Oct 26, 2022
It doesn't have application control capability. Other antivirus or EDR solutions have that. I would be happy if SentinelOne added that to their platform. This is the first point. The second point is SentinelOne should provide support for legacy open-source operating systems. For example, old versions of Oracle are not supported by SentinelOne. The third point is that SentinelOne does not support a few platforms, including IBM AIX and UNIX-based OS. These three platforms are used in almost all enterprises, and SentinelOne does not support them. If SentinelOne provides agents for these missing platforms, it'll be very good. It would be ideal if they offered video support for troubleshooting issues.
Cybersecurity Consulting Lead at a tech services company with 51-200 employees
Real User
Aug 9, 2022
It's probably not that top-notch like CrowdStrike or Microsoft Defender. However, it's okay, it's not bad. The only problem I have is they don't manually review the threat files. That's the only thing I'm concerned about. The support needs improvement. There are some limitations.
Security Head at a financial services firm with 11-50 employees
Real User
Aug 1, 2022
The inventory is a good feature. However, it's not up to date. The delay in updating inventory is ten minutes. If it can be improved, it will help a lot. For the general IT management, there is a need to correlate the software version from inventory with the CVE information. For example, we have the CVE; however, it doesn't take into account the current version. We need it to stay up to date with the latest version.
We sometimes have issues with the disk space and that's because of the anti-ransomware technology they use. The volume of shadow copies becomes too large and we have to manage that.
Every site has its own key. I'm not sure how I can implement the key for the setup package. Therefore, with every installation, I need to do it manually and put on the site keys. It is an expensive product. They could work on lowering the price a bit.
Cyber Security Services Operations Manager at an aerospace/defense firm with 201-500 employees
Real User
Jul 11, 2022
The update process can be better. It is very easy to deploy, but over a long period, the updating process can be a little messy. In some EDR solutions, you end up with a very good mechanism to push new versions. It could do with a little work in that area. It is not particularly difficult, but it could do with a little work.
Head of Information Technology at a healthcare company with 201-500 employees
Real User
Jul 10, 2022
I cannot speak to any missing features. It has what we need. If they can extend their product further on the DLP side of it so that I don't have to have another agent run exclusively for DLP production, that would be ideal.
Director of Technology and Digital Transformation at Banco Fibra
Real User
Jun 17, 2022
The only concern we have is that there are a few features that were not readily available. We use a lot of application files that didn't have a connection. We would also like to see integration with other tools that have to collect the logs. Although Microsoft claims the use of building artificial intelligence to correlate events, we have actually had a couple of events that should have logs but did not. The solution is not at the same level in terms of building artificial intelligence. SentinelOne can do a better job of not only creating corrective action based on the correlation. For example, someone was trying to repeatedly change their password. What they didn't realize was that they weren't connected correctly.
The ability to integrate this product with an antivirus solution would be welcome. Even consolidation with more security products, like Umbrella networking abilities, etc., to provide more on this platform, that would be great.
Senior Product Manager at a tech services company with 501-1,000 employees
Real User
May 19, 2022
We need to analyze the threats and make decisions based on that, so the analytics could be better at analyzing exactly where the threats are coming from.
We want more communication about features that we request and when they will be added to the product. For example, they can tell us what is being done about it, in part, if that can be shared for the new features. We've requested that SentinelOne's agent provide more reporting on the endpoint's OS, system host, modem, and serial number. It's not able to determine this now. If the SentinelOne team can provide us with some updates about whether they're working on it, that would be useful. Also, we'd like SentinelOne to upgrade automatically. It doesn't automatically update the agent if some system has an older version of SentinelOne. It has to be triggered from the console.
One area of SentinelOne that definitely has room for improvement is the reporting. The canned reports are clunky and we haven't been able to pull a lot of good information directly from them. Also, integration is almost non-existent. We would really like to see integration with ConnectWise. Within ConnectWise Automate, you're only allowed to deploy at the top-level group. Our company is dealership-focused, but if we have a parent dealership that has 10 sub-dealerships with SentinelOne, we have to treat them as one large group instead of one parent and 10 sub-groups. That's been a pain point for us. We've done some workarounds, but since there is no integration, it's tough.
SentinelOne's ongoing updates and rate of technology improvements are adequate for now, and have kept SentinelOne ahead of the cyber criminals, but we cannot rest, and continuous development - in particular with regard to the areas of automation, machine learning, and artificial intelligence - is required to stay ahead of the cyber criminal techniques and exploits. The "false positive" detection rate could be improved, if possible, but this should not increase the risk of the endpoint being breached.
Senior Information Security Engineer at a retailer with 5,001-10,000 employees
Real User
Apr 13, 2021
One area of improvement is agent health monitoring, which would give us the ability to cap and manage resources used by the SentinelOne agent. We had issues with this in our environment. We reached out to SentinelOne about it, and they were very prompt in adding it to their roadmap. A couple of months ago, they came back to us and got our feedback on what we thought their plan for implementing the agent health monitoring system would look like, and it looks pretty good. So, they are planning to release that functionality sometime during the summer. I have been amazed with their turnaround time for getting concepts turned into reality.
Network & Cyber Security Manager at an energy/utilities company with 51-200 employees
Real User
Feb 10, 2021
All they need to do to improve it is for it to grow further. The hackers don't sleep. If the hackers don't sleep, the solution continually needs to be updated. They need to keep ahead of the hackers.
Head of IT at a transportation company with 501-1,000 employees
Real User
Dec 31, 2020
With respect to product patches, it should have the ability to patch directly from SentinelOne, rather than be presented with a list and have to do it separately. As it is now, it shows you what products require patching, but you need a separate application to install the patch. If you could initiate an update to the application from SentinelOne, that would be a nice feature.
Information Security & Privacy Manager at a retailer with 10,001+ employees
Real User
Dec 2, 2020
The role-based access is in dire need of improvement. We actually discussed this on a roadmap call and were informed that it was coming, but then it was delayed. It limits the roles that you can have in the platform, and we require several custom roles. We work with a lot of third parties whom we rely on for some of our IT services. Part of those are an external SOC function where they are over-provisioned in the solution because there isn't anything relevant for the level of work that they do.
Offensive Security Certified Professional at Schuler Group
Real User
Dec 1, 2020
The solution’s distributed intelligence at the endpoint is pretty effective, but from time to time I see that the agent is not getting the full execution history or command-line parameters. I would estimate the visibility into an endpoint is around 80 percent. There is 20 percent you don't see because, for some reason, the agents don't get all of the information. Another area that could be improved is their handling of the updating of the agent. It is far from optimal. The agent changes often and about 5 percent of our machines can't be automatically updated to the newest agent. That means you have to manually uninstall the agent and install the new agent. That needs to be improved.
Network and Security Engineer at an energy/utilities company with 1,001-5,000 employees
Real User
Nov 5, 2020
We are now using an external monitoring tool to monitor the services of SentinelOne, because apparently they don't have any solution for that. When the SentinelOne agent is down, you can go to the interface and see a mark on SentinelOne that something is not correct or the server needs to be rebooted, but you will not get an alert. You will not be warned that there is an issue with the SentinelOne agent. I have found that a little bit disturbing, because then we need to use a third-party monitoring tool to make sure that all services of SentinelOne are up and running.
Enterprise Security Architect at a recruiting/HR firm with 10,001+ employees
Real User
Nov 1, 2020
If they would stop changing the dashboard so much I'd be a happy man. Also, if it had a little bit more granularity in the roles and responsibilities matrix, that would help. There are users that have different components, but I'd be much happier if I could cherry-pick what functions I want to give to which users. That would be a huge benefit. The nice thing about SentinelOne is that I get to directly engage with their leadership at any time I want. That allows me to provide feedback such as, "I would like this function," and they've built a lot of functions for me as a result of my requests. I don't really have much in the way of complaints because if I want something, I generally tend to get it.
Security Expert at a healthcare company with 5,001-10,000 employees
Real User
Nov 1, 2020
I would like to improve the reports because they are not so customizable and we would like more info from them. I cannot download all the hosts that we have on our tenant, because there is a limit of 10,000. I have asked our provider to work with SentinelOne to fix this. For example, my complaint is that if I want to download an Excel file or CSV, I have a limit of 10,000 rows. However, in our tenant environment, we can download more than 16,000 rows.
Network Support at a university with 1,001-5,000 employees
Real User
Oct 29, 2020
They have tiers of support like most companies do. For the first three years, we had the top tier of their support and we would get a response from a technician quickly. We didn't have many things we had to ask of them. They would be very quick. We are now one tier down from that. The SLA for us is no longer within an hour or two. It's within half a day or something like that. As far as if I do ask a question of them, it is a little slower than what it used to be. I understand that we're at a lesser tier, but sometimes it feels like that could be a little better. I have to preface that by specifying that we're no longer paying for their top tier support. They changed the UI a little bit, which is to be expected, but there are times where I actually preferred the older UI. The newer UI, once I got used to it, was fine. But before, when we would launch into the UI, it went straight to the bread and butter. In this case, it goes to a dashboard, which gives some statistics on the attack surface, endpoint connection status, and stuff, which looks nice. It's a lot of nice bar graphs. It's a lot of nice pie charts. But that's not what I really need. I had to configure it to get it somewhat back to what it was. I wanted to know immediately if there are any threats that are incoming. I actually had to add that. I think the new dashboard has a lot of bells and whistles but I don't need it. We used to have to dig in to get this kind of stuff and that's exactly what I prefer it to be. The dashboard, in my particular case, has to tell me where the threat is, how severe the threat is, and let me remediate it as quickly as possible. I don't want to fish through pie charts to find that. I think they put this new dashboard in two versions ago. In their defense, it's a fully customizable dashboard. I was able to put back what I wanted. It seemed like that should be a default, not something I have to add later.
Software Engineer at a healthcare company with 51-200 employees
Real User
Oct 27, 2020
We have had one or two occasions when we had to roll back off our Windows machine. Then, we had an issue with SentinelOne where we couldn't let the client make contact with the cloud service anymore. Therefore, the integration with the Windows Service Recovery could be improved in the future.
It's good on Linux, and Windows is pretty good except that the Windows agents sometimes ask for a lot of resources on the endpoints. That could be in the fine-tuning of the scanning. In Mac, they are complaining about the same problems, that it's using a lot of resources, but that could also be that we have to configure what it is scanning and what it should not scan. Currently it scans everything.
One of the areas which would benefit from being improved is the policies. There are still software programs where we need to manually program in the policies to tell the system, "This program is legitimate." Some level of AI-based automation in creating those policies would go a long way in improving the amount of time it takes to deploy the system. There is also a bit of room for improvement in the way SentinelOne is deployed. Right now we push it, but a lot of the time the pushing doesn't work. So we have to log in to each computer and do a manual install. That area would help in making the product stronger.
In terms of improvement, they should work on agents' updates because that is not a strong part. It's not their strong point. It's not straightforward to upgrade agents. I send them questions about it. They already worked on this and they promised that in the next release that they will show me their solution for it. But this year I have had complaints about agents' updates, that they aren't clear. They have a lot of updates on their management console. They have a lot of features. There is not enough time to read about it all. It's really a lot. The features that they apply are great and I would love to use them, but it's lots of things to know. And if you're not only working with antivirus on SentinelOne like me, there isn't much time to learn about it.
I think communication and documentation could be improved in the solution. When you get a virus alert, there's not a lot of upfront training to let you know how to resolve a situation when it occurs. The first couple of times you're flailing a little bit until you get it sorted. I would probably also suggest that the interface could use a little bit of help. It's a little hunt and peck. For additional features, I'd like to see the ability to control it on a cell phone. It would be great if I could have it in the palm of my hand so that if I get a false positive, I can just look at the dashboard on my phone.
VP at a tech services company with 11-50 employees
Reseller
Jun 28, 2020
Periodically we have an application that does not work correctly when SentinelOne is installed, yet performs as expected when SentinelOne is removed. SentinelOne gives no clue as to the problem, so to diagnose what is happening can be difficult. To make it worse, the behavior is inconsistent. Two people in the office might have the application working correctly, but a third person using the same program will have a problem. Nothing is displayed by the agent that is running on the workstations, but it would be helpful to have a mode available where we can see feedback as to what it is doing. We wouldn't want it running all the time because there would be more overhead, but it could be helpful for debugging or diagnosing problems.
Director - Global Information Security at a manufacturing company with 10,001+ employees
Real User
Jan 29, 2020
The area where it could be improved is reporting. They have some online reporting, but it would be nice to be able to pick and choose. When I'm looking at the console, I would love to be able to pull certain things into a report, the things that are specific to me. They're very responsive. They regularly ask customers to provide feedback. They've been working on their reporting since the last feedback meetings. It's not only me but other customers as well who would like to see improvements in the reporting. File Integrity Monitoring is not a gap, but to do it you have to type several times. It's not the few-click intuitive situation. It would be nice to have some data leakage included. Also, when it comes to data leakage, while you can get out everything that a person does on a machine, there needs to be a proper way of doing so, like other products that are just focused on data leakage. I can't wait to see their advances in the cloud infrastructure (containers and serverless). It would be nice (and is critical) to allow administrators to notate when they make changes to the console configurations - perhaps a tag for reporting. I might, for example, whitelist an application. If I did that today and I leave the company at some point, someone might wonder why I did this. There should be a place to easily notate everything.
Engineer II, Enterprise Client Support at a media company with 10,001+ employees
Real User
Jan 7, 2020
The agent update schedule is a little sporadic, and the updates are frequent. You are definitely going to want to have a good management solution in place, such as SCCM, Intune, or Jamf in order to maintain the environment properly. There is agent data, such as last known IP address, that is not stored historically. It would be nice if the console stored data daily, so that you could look at a timeline of events on a machine over a period of time, and currently this is not possible. You can see a snapshot of the data at the moment, but once it changes whatever was there previously is not stored.
Set up is very labor-intensive. You have to provide multiple codes from multiple places within the S1 dashboard in order to use the provided automation, and it's different for each client (or "sites" as they call it). It very much feels like an enterprise application that has been adapted for SMBs, but not very thoroughly. It would be better if they had a "site package" similar to the one offered by SolarWinds for the RMM. You just run the package on the client machine and done.
The price is a bit high. They should make their pricing model more affordable. The solution needs better reporting on new threats and malware. The reporting is present, but I can't find the information easily.
It corrects all of the EFC files with a virus. All the achievements, maximum EFC files. Many EFC files will be flagged as a virus. Some virus databases need to be updated. The model is good at finding many EFC files. The trouble is it needs to be updated. From the client-side, some scanning and other features can be enabled for scanning viruses better. If they want to scan for an individual reason other than viruses, such as scanning for legal files, they haven't been able to gather that from the client-side. Some features could be more user-friendly. For instance, setting restrictions in the explorer for what level one must be to use it is not user-friendly. It is difficult to find what we're searching for.
IT Operations Manager at a retailer with 1,001-5,000 employees
Real User
Aug 20, 2019
In terms of improvement, I would like to see better alerting to let us know if there is anything wrong with SentinelOne working on the endpoint of the computer.
The automation of certain features could use improvement. For example, it seems common sense to me that if a threat was executed out of a task in your task scheduler, part of neutralizing the threat would be removing that task from the scheduler. I would like to see something a little more sophisticated than simply being able to mark a false positive as safe. There's usually just one or two options in certain areas, and they're a little rudimentary at this stage.
CISO at a religious institution with 501-1,000 employees
Real User
Feb 1, 2019
SentinelOne is one of my daily consoles and I use it regularly to identify the root cause of some infections. However, when a file is flagged as suspicious it would be very helpful to have the system highlight precisely what event or characteristic of the file SentinelOne considers potentially dangerous. In this way it would help focus our investigations on the specific characteristics or actions of the file.
There is not much flexibility in terms of policy fine-tuning. We can turn it off or turn it on, but there's nothing much else to do. Everything is predefined. It's good in a way, but you don't get much flexibility if you want to do something particular.
SentinelOne Singularity Complete provides AI-driven threat detection and response with features like ransomware protection and rollback, offering endpoint protection with minimal system impact and deep forensic analysis. SentinelOne Singularity Complete combines machine learning and artificial intelligence to offer robust endpoint protection. It delivers real-time insights and advanced threat detection through seamless integration with third-party tools, allowing for efficient endpoint...
SentinelOne could improve by reducing the price.
The setup process could be improved, and it would be good if artificial intelligence were added as an additional feature in the next release.
SentinelOne's performance and the accuracy of its incident filtering could be improved.
SentinelOne's phishing feature could be improved.
I would like to see the reports from SentinelOne more customizable, as there are very few options.
The ability to integrate this product with an antivirus solution would be welcome. Even consolidation with more security products, like Umbrella networking abilities etc. to provide more on this platform, that would be great.
We need to analyze the threats and make decisions based on that, so the analytics could be better at analyzing exactly where the threats are coming from.
We want more communication about features that we request and when they will be added to the product. For example, they can tell us what is being done about it, at least the part that can be shared, for the new features. We've requested that SentinelOne's agent provide more reporting on the endpoint's OS, system host, modem, and serial number. It's not able to determine this now. If the SentinelOne team can provide us with some updates about whether they're working on it, that would be useful. Also, we'd like SentinelOne to upgrade automatically. It doesn't automatically update the agent if some system has an older version of the SentinelOne. It has to be triggered from the console.
I would like to see a better control panel for the managed service side of it.
The overall integration functionality for this solution could be improved.
The stability of SentinelOne should be improved.
They can improve the administrative interface. They can make it more user-friendly. Its price can be lower.
One area of SentinelOne that definitely has room for improvement is the reporting. The canned reports are clunky and we haven't been able to pull a lot of good information directly from them. Also, integration is almost non-existent. We would really like to see integration with ConnectWise. Within ConnectWise Automate, you're only allowed to deploy at the top-level group. Our company is dealership-focused, but if we have a parent dealership that has 10 sub-dealerships with SentinelOne, we have to treat them as one large group instead of one parent and 10 sub-groups. That's been a pain point for us. We've done some workarounds, but since there is no integration, it's tough.
As a cloud-based product, there is a minimum number of licenses that need to be purchased, which is unfortunate.
SentinelOne's ongoing updates and rate of technology improvements are adequate for now, and have kept SentinelOne ahead of the cyber criminals, but we cannot rest, and continuous development - in particular with regard to the areas of automation, machine learning, and artificial intelligence - is required to stay ahead of the cyber criminal techniques and exploits. The "false positive" detection rate could be improved, if possible, but this should not increase the risk of the endpoint being breached.
One area of improvement is agent health monitoring, which would give us the ability to cap and manage resources used by the SentinelOne agent. We had issues with this in our environment. We reached out to SentinelOne about it, and they were very prompt in adding it into their roadmap. A couple of months ago, they came back to us and got our feedback on what we thought their plan for implementing the agent health monitoring system would look like, and it looks pretty good. So, they are planning to release that functionality sometime during the summer. I have been amazed with their turnaround time for getting concepts turned into reality.
All they need to do to improve it is for it to grow further. The hackers don't sleep. If the hackers don't sleep, the solution continually needs to be updated. They need to keep ahead of the hackers.
With respect to product patches, it should have the ability to patch directly from SentinelOne, rather than be presented with a list and have to do it separately. As it is now, it shows you what products require patching, but you need a separate application to install the patch. If you could initiate an update to the application from SentinelOne, that would be a nice feature.
The role-based access is in dire need of improvement. We actually discussed this on a roadmap call and were informed that it was coming, but then it was delayed. It limits the roles that you can have in the platform, and we require several custom roles. We work with a lot of third parties whom we rely on for some of our IT services. Part of those are an external SOC function where they are over-provisioned in the solution because there isn't anything relevant for the level of work that they do.
The solution’s distributed intelligence at the endpoint is pretty effective, but from time to time I see that the agent is not getting the full execution history or command-line parameters. I would estimate the visibility into an endpoint is around 80 percent. There is 20 percent you don't see because, for some reason, the agents don't get all of the information. Another area that could be improved is their handling of the updating of the agent. It is far from optimal. The agent changes often and about 5 percent of our machines can't be automatically updated to the newest agent. That means you have to manually uninstall the agent and install the new agent. That needs to be improved.
We are now using an external monitoring tool to monitor the services of SentinelOne, because apparently they don't have any solution for that. When the SentinelOne agent is down, you can go to the interface and see a mark on SentinelOne that something is not correct or the server needs to be rebooted, but you will not get an alert. You will not be warned that there is an issue with the SentinelOne agent. I have found that a little bit disturbing, because then we need to use a third-party monitoring tool to make sure that all services of SentinelOne are up and running.
If they would stop changing the dashboard so much I'd be a happy man. Also, if it had a little bit more granularity in the roles and responsibilities matrix, that would help. There are users that have different components, but I'd be much happier if I could cherry-pick what functions I want to give to which users. That would be a huge benefit. The nice thing about SentinelOne is that I get to directly engage with their leadership at any time I want. That allows me to provide feedback such as, "I would like this function," and they've built a lot of functions for me as a result of my requests. I don't really have much in the way of complaints because if I want something, I generally tend to get it.
I would like to improve the reports because they are not so customizable and we would like more info from them. I cannot download all the hosts that we have on our tenant, because there is a limit of 10,000. I have asked our provider to work with SentinelOne to fix this. For example, my complaint is that if I want to download an Excel file or CSV, I have a limit of 10,000 rows. However, in our tenant environment, we can download more than 16,000 rows.
They have tiers of support like most companies do. For the first three years, we had the top tier of their support and we would get a response from a technician quickly. We didn't have many things we had to ask of them. They would be very quick. We are now one tier down from that. The SLA for us is no longer within an hour or two. It's within half a day or something like that. As far as if I do ask a question of them, it is a little slower than what it used to be. I understand that we're at a lesser tier, but sometimes it feels like that could be a little better. I have to preface that by specifying that we're no longer paying for their top tier support. They changed the UI a little bit, which is to be expected, but there are times where I actually preferred the older UI. The newer UI, once I got used to it, was fine. But before, when we would launch into the UI, it went straight to the bread and butter. In this case, it goes to a dashboard, which gives some statistics on the attack surface, endpoint connection status, and stuff, which looks nice. It's a lot of nice bar graphs. It's a lot of nice pie charts. But that's not what I really need. I had to configure it to get it somewhat back to what it was. I wanted to know immediately if there are any threats that are incoming. I actually had to add that. I think the new dashboard has a lot of bells and whistles, but I don't need it. We used to have to dig in to get this kind of stuff, and that's exactly what I prefer it to be. The dashboard, in my particular case, has to tell me where the threat is, how severe the threat is, and let me remediate it as quickly as possible. I don't want to fish through pie charts to find that. I think they put this new dashboard in two versions ago. In their defense, it's a fully customizable dashboard. I was able to put back what I wanted. It seemed like that should be a default, not something I have to add later.
We have had one or two occasions when we had to roll back off our Windows machine. Then, we had an issue with SentinelOne where we couldn't let the client make contact with the cloud service anymore. Therefore, the integration with the Windows Service Recovery could be improved in the future.
It's good on Linux, and Windows is pretty good except that the Windows agents sometimes ask for a lot of resources on the endpoints. That could be in the fine-tuning of the scanning. In Mac, they are complaining about the same problems, that it's using a lot of resources, but that could also be that we have to configure what it is scanning and what it should not scan. Currently it scans everything.
One of the areas which would benefit from being improved is the policies. There are still software programs where we need to manually program in the policies to tell the system, "This program is legitimate." Some level of AI-based automation in creating those policies would go a long way in improving the amount of time it takes to deploy the system. There is also a bit of room for improvement in the way SentinelOne is deployed. Right now we push it, but a lot of the time the pushing doesn't work. So we have to log in to each computer and do a manual install. That area would help in making the product stronger.
In terms of improvement, they should work on agents' updates because that is not a strong part. It's not their strong point. It's not straightforward to upgrade agents. I send them questions about it. They already worked on this and they promised that in the next release they will show me their solution for it. But this year I have had complaints about agents' updates, that they aren't clear. They have a lot of updates on their management console. They have a lot of features. There is not enough time to read about it all. It's really a lot. The features that they apply are great and I would love to use them, but it's lots of things to know. And if you're not only working with antivirus on SentinelOne like me, there isn't much time to learn about it.
I think communication and documentation could be improved in the solution. When you get a virus alert, there's not a lot of upfront training to let you know how to resolve a situation when it occurs. The first couple of times you're flailing a little bit until you get it sorted. I would probably also suggest that the interface could use a little bit of help. It's a little hunt and peck. For additional features, I'd like to see the ability to control it on a cell phone. It would be great if I could have it in the palm of my hand so that if I get a false positive, I can just look at the dashboard on my phone.
Periodically we have an application that does not work correctly when SentinelOne is installed, yet performs as expected when SentinelOne is removed. SentinelOne gives no clue as to the problem, so to diagnose what is happening can be difficult. To make it worse, the behavior is inconsistent. Two people in the office might have the application working correctly, but a third person using the same program will have a problem. Nothing is displayed by the agent that is running on the workstations, but it would be helpful to have a mode available where we can see feedback as to what it is doing. We wouldn't want it running all the time because there would be more overhead, but it could be helpful for debugging or diagnosing problems.
The area where it could be improved is reporting. They have some online reporting, but it would be nice to be able to pick and choose. When I'm looking at the console, I would love to be able to pull certain things into a report, the things that are specific to me. They're very responsive. They regularly ask customers to provide feedback. They've been working on their reporting since the last feedback meetings. It's not only me but other customers as well who would like to see improvements in the reporting. File Integrity Monitoring is not a gap, but to do it you have to type several times. It's not the few-click intuitive situation. It would be nice to have some data leakage included. Also, when it comes to data leakage, while you can get out everything that a person does on a machine, there needs to be a proper way of doing so, like other products that are just focused on data leakage. I can't wait to see their advances in the cloud infrastructure (containers and serverless). It would be nice (and is critical) to allow administrators to notate when they make changes to the console configurations - perhaps a tag for reporting. I might, for example, whitelist an application. If I did that today and I leave the company at some point, someone might wonder why I did this. There should be a place to easily notate everything.
The agent update schedule is a little sporadic, and the updates are frequent. You are definitely going to want to have a good management solution in place, such as SCCM, Intune, or Jamf in order to maintain the environment properly. There is agent data, such as last known IP address, that is not stored historically. It would be nice if the console stored data daily, so that you could look at a timeline of events on a machine over a period of time, and currently this is not possible. You can see a snapshot of the data at the moment, but once it changes whatever was there previously is not stored.
Set up is very labor-intensive. You have to provide multiple codes from multiple places within the S1 dashboard in order to use the provided automation, and it's different for each client (or "sites" as they call it). It very much feels like an enterprise application that has been adapted for SMBs, but not very thoroughly. It would be better if they had a "site package" similar to the one offered by SolarWinds for the RMM. You just run the package on the client machine and done.
The price is a bit high. They should make their pricing model more affordable. The solution needs better reporting on new threats and malware. The reporting is present, but I can't find the information easily.
It corrects all of the EFC files with a virus. All the achievements, maximum EFC files. Many EFC files will be flagged as a virus. Some virus databases need to be updated. The model is good at finding many EFC files. The trouble is it needs to be updated. From the client-side, some scanning and other features can be enabled for scanning viruses better. If they want to scan for an individual reason other than viruses, such as scanning for legal files, they haven't been able to gather that from the client-side. Some features could be more user-friendly. For instance, setting restrictions in the explorer for what level one must be to use it is not user-friendly. It is difficult to find what we're searching for.
This solution would be more attractive to customers if the price were lower.
In terms of improvement, I would like to see better alerting to let us know if there is anything wrong with SentinelOne working on the endpoint of the computer.
The automation of certain features could use improvement. For example, it seems common sense to me that if a threat was executed out of a task in your task scheduler, part of neutralizing the threat would be removing that task from the scheduler. I would like to see something a little more sophisticated than simply being able to mark a false positive as safe; there are usually just one or two options in certain areas, and they're a little rudimentary at this stage.
The reporting needs improvement and I would like to see a more granular level of administrative privileges.
SentinelOne is one of my daily consoles and I use it regularly to identify the root cause of some infections. However, when a file is flagged as suspicious, it would be very helpful to have the system highlight precisely what event or characteristic of the file SentinelOne considers potentially dangerous. In this way it would help focus our investigations on the specific characteristics or actions of the file.
There is not much flexibility in terms of policy fine-tuning. We can turn it off or turn it on, but there's nothing much else to do. Everything is predefined. It's good in a way, but you don't get much flexibility if you want to do something particular.