Working a SentinelOne lateral movement alert, I found that it shows which MITRE indicators were triggered but doesn’t provide details beyond that. For example, one indicator was for “Too many SPN requests”, yet SentinelOne didn’t provide any further detail about those SPN requests.
It sort of felt like the alert was a bit of a black box. I’ve had a similar feeling with some MDE alerts and have heard similar tales from the Huntress world. This is more for the EDR/behavioral alerts than traditional antivirus scanning alerts.
Just curious what thoughts folks have on this. Please tell me if it sounds more like operator error too ;)