Threat Hunting with SentinelOne: Cloud Workload Protection Platform


This event qualifies for 1.8 CPEs


Visibility into cloud workloads is key to extending threat hunting capabilities and identifying risk within your cloud workloads. For this workshop, we have created a couple of scenarios around containerized workloads where certain behaviors are considered suspicious or malicious.

 

We have identified a new threat actor group that is targeting containers in Cloud Service Providers (CSPs) and using certain tactics, techniques, and procedures.

 

In this Capture the Flag workshop, you will assume the role of a Threat Hunter:

  • Each Threat Hunter will have access to the SentinelOne management console and our Capture the Flag environment.
  • Each Threat Hunter will be given two missions, and each mission contains a number of Flags (questions), which carry points. Hints are available but cost points; players can see the number of points a hint will cost them.
  • The winner will be the one who captures the most flags and earns the most points within the allocated time for the event.


We will provide an overview of the SentinelOne console and instructions on how to build queries and pivot into the various artifacts that the queries find. Using these instructions, the threat hunters will be able to answer all the questions contained in the missions.

Relevant Government Agencies

Other Federal Agencies, Federal Government, State & Local Government


This event has no exhibitor/sponsor opportunities


When
Thu, Jun 1, 2023, 3:00pm - 4:30pm ET


Cost
Complimentary: $0.00


Where
Carahsoft Office & Collaboration Center
11493 Sunset Hills Road
Reston, VA 20190



Organizer
SentinelOne Government Team at Carahsoft

