Feature Spotlight | Introducing RemoteOps Custom Script Actions

SentinelOne Singularity RemoteOps enables security teams to orchestrate forensics, carry out investigations remotely across multiple endpoints, and respond rapidly at scale. With RemoteOps, security teams are empowered to safeguard their enterprise from complex and time-sensitive cyber threats.

Streamline Security Through RemoteOps Scripts

The ability to run scripts allows incident response teams to efficiently modify tools and collect forensic artifacts – all accelerating the overall investigation and response workflows. The RemoteOps Script Library houses an extensive collection of out-of-the-box scripts available for all platforms including PowerShell for Windows and bash scripts for Linux and macOS.

Using this library, security teams can quickly execute remote scripts either directly from the SentinelOne console or via API to simplify and speed up investigative tasks during active events.

RemoteOps makes it easy to execute tasks via SentinelOne’s agents – at scale, for large sets of endpoints, or targeting only individual endpoints. This has many different uses:

  • Extend the SentinelOne platform with literally any custom endpoint action – if you can script it, you can automate it!
  • Collect forensic artifacts, like memory dumps or other transient state from an endpoint
  • Collect metrics for dashboarding and aggregation with SentinelOne’s PowerQuery language, like graphing the count of endpoints that currently have a process running matching a name
  • Provide a library of scripted response actions for defenders, like rolling out a particular patch to an in-house application, deleting a service that matches a name regex, etc
  • Perform endpoint scans using open source or 3rd party tools
  • Deploy custom 3rd party software or settings to Windows, Linux, or Mac endpoints

Framework Flexibility | Developing Script Actions In Singularity RemoteOps

RemoteOps is a flexible framework allowing security teams to easily create their own scripts tailored specifically for their enterprise’s machines and requirements and run scripts at scale to collect data and deploy a faster response on endpoint events.

Within Singularity, users can develop custom scripts to perform an action or collect structured (e.g., JSON/JSONL, CSV) and unstructured (e.g., files, process dumps) data to the XDR data lake. Custom actions may also include payloads such as binary, additional scripts, installer files, and configuration files.

With all capabilities available in the SentinelOne console, RemoteOps uses role-based access control (RBAC) to determine what tasks can be scheduled, where, and by whom. Further, all actions are audited to ensure the security of the environment.

Case Study | Uploading New Custom Scripts In Singularity RemoteOps

Incident response teams can run or install forensic acquisition tools of their choice when investigating an incident prevented by SentinelOne. RemoteOps allows teams to package their tools, distribute the package across selected endpoints, install, and run it easily.

The below example shows the steps for creating a custom script to deploy the popular open-source forensic tool, Velociraptor.

A PowerShell script such as

$PackageDir = if ($ENV:S1_PACKAGE_DIR_PATH) { $ENV:S1_PACKAGE_DIR_PATH } else { $PSScriptRoot }

$log = Join-Path -Path $ENV:TEMP -ChildPath "velociraptor.install.log"
$msi = Join-Path -Path $PackageDir -ChildPath "velociraptor.msi"

Write-Output "Starting install from '$msi' and logging to '$log'"
Start-Process "msiexec.exe" -ArgumentList @("/i", $msi, "/qn", "/L*v", $log) -Wait -NoNewWindow
Copy-Item (Join-Path -Path $PackageDir -ChildPath "velociraptor.yaml") "C:\Program Files\Velociraptor\client.config.yaml" -Force

would deploy Velociraptor from the MSI installer to a Windows system.

Next, simply upload the custom script action and payload to the RemoteOps Script Library.

To schedule installation and execution, users can choose to use saved filters, manual selection, or live queries to run the action on any set of selected endpoints. Agents will then execute actions in parallel.

In addition to running scripts manually, security teams can also schedule script actions for automatic execution (e.g., response to a custom rule detection or threat detection) using Singularity Marketplace apps, or via SentinelOne’s console APIs using any security automation solution.

Conclusion

Delays in the investigation and remediation phase leave enterprises at a higher risk to long-term damage from cyber incidents. With the power of running scripts on millions of endpoints automatically, security teams can collect forensic artifacts valuable for incident investigations and expedite the triage and response processes. Customers can rely on Singularity RemoteOps to create and run complex scripts and commands efficiently to collect the right data and respond remotely to suspicious behaviors.

To learn more about how Singularity RemoteOps can give time back to security teams working against the clock and help alleviate the burden for remote forensic tasks, book a demo today.