You may also download a PDF version of this topic.
Product Overview
SentinelOne Singularity Hologram's primary goal is to trick, expose, and analyze attackers who have already bypassed perimeter defenses and are inside a network. To do this, it creates a fake digital "hologram" of your real network that is filled with enticing but fake assets. These decoys mimic real endpoints, servers, applications, and even specialized devices like IoT or industrial control systems.
Once an attacker engages with a decoy, Hologram immediately detects their presence without relying on signatures, generating a high-fidelity alert. The system then safely records every action the attacker takes, providing invaluable intelligence on their methods, tools, and objectives. This forensic data helps security teams understand the threat, respond faster, and strengthen defenses against future attacks.
Detection Strategy for SentinelOne Singularity Hologram
Detection
Network traffic monitoring is a critical element of our detection strategy, offering insight into the activity of data as it moves across an organization's systems. The network traffic data source focuses on network connection creation (the initial construction of a network connection such as socket information, and src and dst IP and Ports ), network traffic content (logged network traffic data showing both protocol header and body values like PCAP), and network traffic flow (summarized network packet data, with metrics, such as protocol headers and volume like netflow or http logs).
We pull this information into our detection pipeline as events in the form of both security alerts and raw telemetry (depending on the integration). When a threat is detected, our automated response bot, Ruxie, takes action by enriching evidence fields with first- and third-party threat intelligence. Additional Ruxie actions query a wide span of technologies directly to arm analysts with key pieces of investigative information and related events.
Response
Network technologies are utilized for support across many types of Expel Alerts such as endpoint and cloud. The main focus of the response strategy is on source IP, destination IP, and domain tracking to identify related connections, along with user activity summaries to give extra alert context.
To learn more about our overall approach to detection strategy, see About Detection Strategy in the Help Center.
What We Support for SentinelOne Singularity Hologram
To see a comprehensive list of the most up-to-date Expel detection rules, vendor detection rules, opt-in detections, and available DUETs (did you expect this) that we support for SentinelOne Singularity Hologram, you can visit the Detections page in Workbench or ask your Sales or Support rep for the most recent download.
| SentinelOne Singularity Hologram Setup for Workbench detection rules support | Yes, through Splunk and Sumo Logic. |
| Detection rules written by Expel | Yes. |
| Investigative support through Workbench |
Yes. We can perform standard investigative actions like Query IP and Query Domain across the SIEM. These actions search across all available log data in the SIEM, using the alert from the deception tool as the starting point for a broader investigation. |
| Hunting support | No. Hunting is not currently available for this integration. |
Additional Details and Common Questions
Console Access
A vendor alert does not typically include all of the contextual timeline activity surrounding the event of interest. Because this integration does not allow us to get all necessary data via the API, we will ask you for a certain level of console access during onboarding.
The level of access that we require is meant to support essential triage and research activities, and to help us determine the vector and extent of attacker activity for an identified threat. At minimum, we will ask for visibility into alert data, timeline events recorded, and live response/real time response shell (if applicable).