SentinelOne Browser Extension Nedir ve Nas?l Kullan?l?r? / What is SentinelOne Browser Extension and how to use it?
* English versions are added below each paragraph *
De?erli ba?lant?lar?m, bu makalemde SentinelOne(S1) XDR Taraf?nda "Browser Extension" ?zelli?inin tan?m?ndan ve bu ?zelli?in nas?l kullan?labilece?inden detayl?ca bahsetmeye ?al???yor olaca??m.
Dear connections, in this article, I will be trying to talk about the definition of the "Browser Extension" feature on the SentinelOne(S1) XDR Side and how this feature can be used in detail.
“Browser Extension” ?zelli?i ile birlikte, endpointler üzerindeki Safari, Chrome, Firefox, ve Edge Chromium taray?c?lar?ndaki tüm URL Eventlerini toplay?p ajana g?nderir ve ajan vas?tas?yla da S1 Cloud üzerine bu eventleri basmaktad?r, S1 Cloud taraf?ndaki dashboard üzerinden bu URL Eventlerin kontrolü ger?ekle?tirilebilmektedir. Bu i?lemler “Browser Extension” ?zelli?i ile sa?lanabilmektedir.
With the "Browser Extension" feature, it collects all URL Events from Safari, Chrome, Firefox, and Edge Chromium browsers on endpoints and sends them to the agent, and these events are printed on the S1 Cloud via the agent, these URL Events can be controlled via the dashboard on the S1 Cloud side. These operations can be provided with the "Browser Extension" feature.
S1 Cloud üzerindeki configuration k?sm?ndan bu extension?n otomatik olarak ajan kurulumu ile birlikte yüklenmesi i?in ayarlama yap?labilinmekte oldu?u gibi, detayl? bilgisi a?a??daki tabloda yer almaktad?r;
In the configuration section on S1 Cloud, it is possible to set this extension to be installed automatically with the agent installation, and its detailed information is given in the table below;
Chrome
?
Browser Extension Deployment is from Automatically install Deep Visibility browser extensions
?
If selected - The Agent automatically installs the Deep Visibility? browser extension.
?
If not selected - The browser extension does NOT install automatically. Use this option to control the Deep Visibility? browser extension installation.
?
If the extension is installed and then URL is cleared, Windows Agents will uninstall the extension.
?
Example:
?
If your organization uses Google Workspace (formerly G Suite) to manage browser extensions, deselect this option and deploy the SentinelOne browser extension in the same way you deploy other extensions. Use the SentinelOne Extension ID - iekfdmgbpmcklocjhlabimljddkeflgl
?
To learn how to deploy extensions with Google Workspace, see Automatically install apps and extensions.
?
Chrome on macOS endpoints: You can manage the Chrome extension on macOS endpoints with these sentinelctl commands.
?
sentinelctl deep-visibility disable-chrome-profile-activation --passphrase passphrase
?
sentinelctl deep-visibility enable-chrome-profile-activation --passphrase passphrase
?
sentinelctl deep-visibility install-chrome-profile --passphrase passphrase
?
sentinelctl deep-visibility remove-chrome-profile --passphrase passphrase
Edge Chromium (Windows only)
?
Browser Extension Deployment is based on Automatically install Deep Visibility browser extensions
?
If selected - The Agent automatically installs the Deep Visibility? browser extension.
?
If cleared - The browser extension does NOT install automatically. Use this option when you want to control the Deep Visibility? browser extension installation.
?
Get the extension from Microsoft Edge Add-ons.
?
Example:
?
If your organization uses Domain Group policy to manage browser extensions, deselect this option and deploy the SentinelOne browser extension in the same way you deploy other extensions. Use the SentinelOne Extension ID - ogjmklkhajdbaannfffilmkpneihckoh
?
Firefox
?
(Windows 21.6+)
?
Browser Extension Deployment is from Automatically install Deep Visibility browser extensions
?
If selected - The Agent automatically installs the Deep Visibility? browser extension.
?
If not selected - The browser extension does NOT install automatically. Use this option to control the Deep Visibility? browser extension installation.
?
The extension is not in the Firefox extension store. If you select Automatically install, the extension is deployed when you install the Agent on an endpoint.
?
?
Installation path: C:/Program Files/SentinelOne/Sentinel Agent version/sentinelone-firefox-extension.xpi
?
(Where version is the installed version.)
?
Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox with value ExtensionSettings of type REG_MULTI_SZ and contents:
?
{
?{
???"install_url": "file:///C:/Program%20Files/SentinelOne/Sentinel%20Agent%20[VERSION]/sentinelone-firefox-extension.xpi",
???"installation_mode": "force_installed"
?}
}
?
?
?
Safari
?
(macOS only)
?
To enable the extension on Safari:
?
In the SentinelOne Console, select Automatically install Deep Visibility browser extensions.
?
On the endpoint, click Safari > Preferences > Extensions and select the SentinelOne Extension.
?
The Safari extension is not downloaded from a store. It is part of macOS Agent. It is detected by macOS and by Safari and shows automatically in the extensions.
?
Safari extension binary identifier: com.sentinelone.sentinel-helper.safari
?
App extension bundle: /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentinel_helper.app/Contents/PlugIns/SentinelOne Monitor.appex
P.S1: Internet Explorer yerine minimum Microsoft Edge kullan?m? S1 Taraf?ndan ?nerilmektedir.
P.S1:Minimum use of Microsoft Edge instead of Internet Explorer is recommended by S1.
P.S2: S1 Cloud konfigürasyonu üzerinden otomatik olarak ajan kurulumu ile birlikte “Browser Extension” kurulumu yap?lacaksa, bu kurulum ile birlikte, kurum i?inde da??t?m i?in kullan?lan bir GPO vs varsa bunlar ge?ersiz olacak ve ajan kurulumundaki “Browser Edtension” kurulumu override edilecektir.
P.S2: If a "Browser Extension" will be installed with the agent installation automatically over the S1 Cloud configuration, if there is a GPO used for distribution within the organization, these will be invalidated and the "Browser Edtension" installation in the agent installation will be overridden.
S1 Cloud Konfigürasyonu’nun nas?l ger?ekle?tirilebilece?inin bilgisi ise a?a??da detayl? olarak yer almaktad?r;
Information on how to perform S1 Cloud Configuration is given below in detail;
??lemi ger?ekle?tirece?imiz site a girip hemen akabinde ilgili client grubuna ge?tikten sonra “Policies” menüsü alt?ndaki “Endpoint Policy” k?sm?na girip “Deep Visibility” alt?ndaki “Automatically Install Deep Visibility Browser extensions” se?ene?i check edilip sa? alt k?s?mdan “Save Changes” butonuna t?klanmal?d?r.
After entering the site where we will perform the operation, immediately after switching to the relevant client group, enter the "Endpoint Policy" section under the "Policies" menu, check the "Automatically Install Deep Visibility Browser extensions" option under "Deep Visibility" and click the "Save Changes" button from the lower right.
Bu i?lem, “Browser Extension” ?n otomatik olarak ajan kurulumu ile birlikte ger?ekle?mesi i?in yeterli olacakt?r. Alana ait ?rnek ekran g?rüntüsü ise a?a??daki ?ekildedir;
This will be enough for the "Browser Extension" to be installed automatically with the agent installation. The sample screenshot of the field is as follows;
Kurulum sonras?nda taray?c?y? a?t??n?zda a?a??da da g?rülebilece?i gibi, sa? tarafa SentinelOne simgesi gelecek ve bu da “Browser Extension” ?n kuruldu?unu belirtecektir. Bu ?zellik devreye al?nd?ktan sonra, ajan?n yeniden kurulmas?na ihtiya? yoktur, mevcut ajan da bu güncellemeyi al?p browser taraf?n? update ederek extension ?n kurulumunu otomatik olarak ger?ekle?tirmi? olacakt?r, extension ?n kurulum oldu?u taray?c?n?n ve kurulumla birlikte edindi?i haklar?n ?rnek bir ekran g?rüntüsü ise a?a??daki ?ekildedir;
When you open the browser after installation, the SentinelOne icon will appear on the right, as can be seen below, indicating that the "Browser Extension" has been installed. After this feature is activated, the agent does not need to be reinstalled, the existing agent will receive this update and update the browser side and install the extension automatically. A sample screenshot of the browser where the extension is installed and the rights it acquires with the installation is as follows;
Kurulum sonras?nda ger?ekle?tirdi?im bir test mevcuttur. ?rnek vermek ad?na “Browser Extension” ?n kurulum oldu?u client üzerinden Microsoft Edge taray?c?s?ndan facebook.com websitesine bir kullan?c? ad? ve ?ifre ile login olmay? denedim ve bunun i?in, S1 Cloud’un dashboardunda “Visibility” k?sm?nda g?rdü?üm event ??kt?s? a?a??daki gibi oldu. Buna ait ?rnek ekran g?rüntüsünü a?a??da payla??yorum;
There is a test I performed after installation. To give an example, I tried to login to facebook.com website with a username and password from Microsoft Edge browser on the client where "Browser Extension" is installed, and for this, the event output that I saw in the "Visibility" section of S1 Cloud's dashboard was as follows. I am sharing a sample screenshot of this below;
“Broser Extension” eklentisi ile birlikte, web sitelerine girilen kullan?c? ad? ve ?ifre bilgileri bu event detaylar?nda yer almamaktad?r, bu eklentinin kulland?m amac? eri?im yap?lan URL’lerin eventlerinin bilgilerini vermek ?eklinde olup, web sitelerine girilen kullan?c? ad? ve ?ifre bilgileri dahil olmak üzere, anl?k mesjala?ma i?in kullan?lan uygulamalardaki yaz??malar? da toplay?p event i?inde g?stermemektedir.
With the "Broser Extension" add-on, the user name and password information entered on the websites are not included in these event details. It also does not collects the correspondence in the applications used for messaging and does not show them in the event.
Günün sonunda, S1 Browser Extension eklentisinin yüklü oldu?u clientlardan, ziyaret edilen web siteleri ile ilgili bilgiler al?nabilinirken, bu eklentinin yüklü olmad??? clientlardan S1 Cloud Dashboard taraf?nda herhangi bir web sitesi bilgisi elde edilemeyecektir ve query at?l??p arama yap?ld???nda da bize herhangi bir sonu? vermesini bekleyemeyiz.
At the end of the day, while information about visited websites can be obtained from clients with the S1 Browser Extension plug-in installed, no website information can be obtained on the S1 Cloud Dashboard side from clients without this plug-in, and we cannot expect it to give us any results when a query is made.
Kullan?m alan? dü?ünüldü?ünde ilgili meslekta?lar?ma faydas? olabilecek bir yaz? olmas?n? temenni ediyorum, vakit ay?rd???n?z i?in te?ekkür ederim. Sonraki yaz?lar?mda tekrar g?rü?mek üzere.
Considering the usage area, I hope it will be a useful article for my colleagues, thank you for your time. See you again in my next articles.
Director of Cyber Security at Natica IT Consulting
1 年Te?ekkürler Din?er, ?ok faydal? bir yaz? olmu?.
System & Network Team Manager
1 年Bu ürünü daha ?nce kulland?m mükemmel ürün, cloud ve on premise olan se?enekleri de mevcut. Bilgisayara virüs gibi girip her istedi?ini yapabiliyor. Eline sa?l?k güzel makale olmu?.