
SentinelOne Storyline, ActiveEDR, Ranger & Rollback — Attack Correlation & One-Click Remediation

SentinelOne doesn't just flag an alert — it stitches every related event into one attack story you can read top to bottom, then lets you remediate or roll the whole machine back with a click. This lesson walks through Storyline and its Storyline ID, the ActiveEDR analyst experience, Ranger device discovery, VSS-based ransomware rollback, and Singularity XDR with Purple AI, so you can explain correlation and rollback in any interview.

📅 2026-06-19 · ⏱ 16 min · 5 infographics · live attack-story demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to SentinelOne's investigation and response features (2026): Storyline auto-correlation with a Storyline ID, the ActiveEDR analyst experience, Singularity Network Discovery (Ranger) for agentless asset visibility, VSS-based one-click ransomware rollback on Windows, Singularity XDR and marketplace integrations, and the Purple AI assistant — so you can explain Storyline and rollback in an interview.

Pick where you want to start

1. Storyline: auto-correlation into one attack story with an ID.
2. ActiveEDR & hunting: process tree, timeline and EDR data hunting.
3. Ranger discovery: agentless asset visibility and rogue isolation.
4. Remediate & rollback: one-click cleanup and VSS ransomware revert.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. How does SentinelOne show you all events in one attack?

Answered in Storyline.

2. Does Ranger need a new agent on every network device?

Answered in Ranger discovery.

3. What does ransomware rollback rely on under Windows?

Answered in Remediate & rollback.

Most engineers think…

Most people think an EDR's job ends at 'raise an alert and let the analyst dig'. That mental model makes investigations slow and makes you look junior in an interview.

SentinelOne's whole pitch is the opposite. The on-agent AI builds the investigation for you: Storyline auto-correlates every related event — process, file, network, registry — into one attack story with a single Storyline ID. ActiveEDR is the analyst experience on top of that story, Ranger turns your existing agents into network sensors, and remediation runs off the same story — including one-click rollback that reverts ransomware damage on Windows via VSS. The skill to show is reading the story and choosing the response, not hand-correlating logs.

① Storyline — the whole attack as one connected story

The headline idea: SentinelOne does not hand you a pile of disconnected alerts. As the on-agent AI watches the endpoint, Storyline automatically links every related activity — a process spawning a child, a file being written or encrypted, a network connection, a registry edit — into one attack story. That whole story shares one identifier, the Storyline ID.

So instead of correlating logs by hand, you click a Storyline ID and the console draws the full picture: where the attack started, the process tree it spawned, and a timeline of what it touched. This correlation happens on the agent in real time, which is why it survives reboots and works even when the machine is offline. In an interview, the one-liner is: Storyline is automatic event correlation, and the Storyline ID is the key that opens the entire story.
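To make the correlation concrete, here is an added Python example, not SentinelOne's code and not part of the original lesson. It walks a constructed stream of process, file, network and registry events up the process tree and keys every event to its root process, which stands in for the Storyline ID. The host name, the event stream, the trusted-root list (explorer.exe and services.exe), and the hash format of the ID are all assumptions made for this example.

```python
"""Storyline-style correlation over a constructed endpoint event stream.

Added example, not SentinelOne's code. Assumptions: the agent emits process,
file, network and registry events that carry the pid of the acting process;
a process's parent is known from its own 'process' start event; a process
launched directly from a trusted interactive root (explorer.exe here) starts
a new story; and the story key is derived from that root's pid and start
time, standing in for the Storyline ID. Host name and events are constructed.
"""
from collections import defaultdict
import hashlib

TRUSTED_ROOTS = {"explorer.exe", "services.exe"}  # assumption: children of these start a story
HOST = "FIN-LAPTOP-07"                             # constructed host name

# Constructed sample telemetry: one macro-launched chain and one unrelated browser.
EVENTS = [
    {"ts": 1,  "kind": "process",  "pid": 100, "ppid": 1,    "image": "explorer.exe",   "detail": "user shell"},
    {"ts": 2,  "kind": "process",  "pid": 200, "ppid": 100,  "image": "winword.exe",    "detail": "invoice.docm"},
    {"ts": 3,  "kind": "process",  "pid": 300, "ppid": 200,  "image": "powershell.exe", "detail": "encoded command"},
    {"ts": 4,  "kind": "network",  "pid": 300, "ppid": None, "image": None,             "detail": "203.0.113.7:443"},
    {"ts": 5,  "kind": "process",  "pid": 400, "ppid": 300,  "image": "locker.exe",     "detail": "dropped binary"},
    {"ts": 6,  "kind": "registry", "pid": 400, "ppid": None, "image": None,             "detail": "HKCU Run key 'upd' added"},
    {"ts": 7,  "kind": "file",     "pid": 400, "ppid": None, "image": None,             "detail": "Q1.xlsx -> Q1.xlsx.locked"},
    {"ts": 8,  "kind": "file",     "pid": 400, "ppid": None, "image": None,             "detail": "plan.docx -> plan.docx.locked"},
    {"ts": 9,  "kind": "process",  "pid": 500, "ppid": 100,  "image": "chrome.exe",     "detail": "browser"},
    {"ts": 10, "kind": "network",  "pid": 500, "ppid": None, "image": None,             "detail": "198.51.100.2:443"},
]


def build_process_table(events):
    """pid -> {ppid, image, ts}, taken from each process's start event."""
    return {e["pid"]: {"ppid": e["ppid"], "image": e["image"], "ts": e["ts"]}
            for e in events if e["kind"] == "process"}


def story_root(pid, table):
    """Walk the parent chain up to the first process launched from a trusted root.

    Returns that process's pid, or None when the acting process is itself a
    trusted root (its own activity is not part of any attack story).
    """
    seen = set()
    while pid in table and pid not in seen:
        seen.add(pid)
        if table[pid]["image"] in TRUSTED_ROOTS:
            return None
        ppid = table[pid]["ppid"]
        if ppid not in table or table[ppid]["image"] in TRUSTED_ROOTS:
            return pid
        pid = ppid
    return pid  # unknown parentage: the process is its own root


def storyline_id(root_pid, table, host=HOST):
    """Stable key for one story: hash of host, root pid and root start time.

    The start time matters because pids are reused; the hash layout is an
    assumption of this example, not SentinelOne's scheme.
    """
    start = table.get(root_pid, {}).get("ts", 0)
    return hashlib.sha256(f"{host}:{root_pid}:{start}".encode()).hexdigest()[:12]


def correlate(events, host=HOST):
    """Group every event under the story id of its root process, in time order."""
    table = build_process_table(events)
    stories = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        root = story_root(e["pid"], table)
        if root is not None:
            stories[storyline_id(root, table, host)].append(e)
    return dict(stories)


def summarize(story):
    """What the analyst reads off one Storyline: root, process tree, counts, timeline."""
    procs = [e for e in story if e["kind"] == "process"]
    counts = defaultdict(int)
    for e in story:
        counts[e["kind"]] += 1
    return {
        "root": procs[0]["image"] if procs else None,
        "process_tree": [e["image"] for e in procs],
        "counts": dict(counts),
        "timeline": [(e["ts"], e["kind"], e["detail"]) for e in story],
    }


if __name__ == "__main__":
    for sid, story in correlate(EVENTS).items():
        s = summarize(story)
        print(f"Storyline {sid}: root={s['root']} tree={' > '.join(s['process_tree'])} counts={s['counts']}")
```

Two stories fall out of the sample: the macro chain (winword.exe > powershell.exe > locker.exe, with its network, registry and file events) and an unrelated browser session. What counts as a story root, and keying by start time as well as pid, are exactly the design decisions a real agent has to get right; the explorer.exe shell itself is deliberately left out of every story.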

Figure 1 — From event to attack story. Panels: Events (process / file / net / reg) → Correlate (on-agent AI links) → Storyline (one attack story) → Storyline ID (key to the story) → Respond (remediate / rollback).
Storyline auto-correlates raw endpoint events into one connected attack story with a single Storyline ID.

Figure 2 — What one Storyline ties together. Panels: Process tree (parents and the children they spawned); File activity (writes, deletes and ransomware encryption); Network (connections, beacons and C2 callbacks); Registry & persistence (keys, services and autoruns added).
A single Storyline ID groups every kind of related activity into one readable narrative.
Quick check · Q1 of 10 · Understand

What is a Storyline ID?

Correct: b. Storyline auto-correlates all related activity into one attack story, and the Storyline ID is the single key that opens that whole story — process tree, timeline and all related events.
👉 So far: Storyline = on-agent AI that auto-correlates every related event (process/file/network/registry) into one attack story; the Storyline ID is the single key to that story.

② ActiveEDR — the analyst experience and hunting

ActiveEDR is the human-facing layer built on top of Storyline. The agent has already done the correlation, so the analyst's job becomes reading and deciding, not stitching events together. Click the Storyline ID and you get a high-level origin diagram plus a process tree and timeline showing exactly what spawned what, in order, with full context.

Hunting on EDR data

The same rich data is huntable. Analysts query historical endpoint telemetry to chase indicators across the fleet, and with Storyline Active Response (STAR) you turn a hunt into a custom, always-on detection rule that auto-responds the next time the behaviour appears. The interview line: Storyline builds the story; ActiveEDR is how a human reads it and hunts on it.

Storyline
On-agent AI that auto-correlates every related event (process, file, network, registry) into one attack story sharing a single Storyline ID.

ActiveEDR
The analyst experience on top of Storyline: click the Storyline ID to read the process tree and timeline, and hunt across endpoint data.

Ranger
Singularity Network Discovery: existing agents become passive sensors that fingerprint every IP device and isolate rogue ones, no new gear.

Rollback
Windows VSS-based one-click revert of files maliciously encrypted or deleted by ransomware, back to their pre-attack state.

Lead with the Storyline ID

In an interview, don't say 'I'd correlate the logs'. Say: SentinelOne already correlates them — I open the Storyline ID, read the process tree and timeline, decide the response, and if needed turn the hunt into a STAR rule so it auto-responds next time.

Quick check · Q2 of 10 · Remember

What does ActiveEDR give the analyst on top of Storyline?

Correct: c. Storyline does the correlation on the agent; ActiveEDR is the human layer — clicking the Storyline ID shows the origin diagram, process tree and timeline, and the same data is huntable (and turnable into STAR rules).
👉 So far: ActiveEDR is the analyst layer on Storyline — read the process tree and timeline from the Storyline ID, hunt the EDR data, and promote hunts to STAR detection rules.

③ Ranger — see and control every device, no new agents

You can only protect what you can see. Ranger — now Singularity Network Discovery — solves visibility without deploying anything new. SentinelOne intelligently elects some of your existing agents to act as passive sensors: they listen to broadcast traffic (ARP, DHCP and similar) and fingerprint every IP-enabled device on the network, managed or not.

The payoff is twofold. First, an inventory of what is connected where — including unmanaged IoT and OT, the things attackers love. Second, rogue-device control: with a click you can isolate a suspicious or unmanaged device so it cannot move laterally to your managed Windows, Mac and Linux hosts. Crucially this needs no extra hardware, no SPAN/TAP, no network changes — it is part of the agent you already run. Interview framing: Ranger is agentless discovery that rides your existing agents.
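The following is an added Python example, not SentinelOne's code and not from the lesson, showing the shape of passive discovery: a few elected agents report the ARP and DHCP broadcasts they hear, the observations are merged into one inventory keyed by MAC, each device is fingerprinted from what a listener can see, and anything without a managed agent is surfaced for rogue-device review. The sensor names, line format, OUI vendor table and managed-MAC list are all constructed for the example.

```python
"""Passive network discovery in the Ranger style, over constructed sensor logs.

Added example, not SentinelOne's code. Assumptions: existing agents AGENT-03
and AGENT-07 (constructed names) act as passive sensors and report each ARP or
DHCP broadcast they hear as one line; the line format, the OUI vendor table and
the set of MACs that carry a managed agent are constructed for this example.
"""
from dataclasses import dataclass, field

OUI_VENDOR = {"00:11:22": "ExampleCorp", "AA:BB:CC": "CamVendor", "DE:AD:BE": "PLC-Maker"}  # constructed
MANAGED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}  # constructed: hosts that run the agent

OBSERVATIONS = [  # constructed sensor output: <time> <sensor> <proto> key=value ...
    "2026-06-19T02:00:01Z AGENT-03 ARP mac=00:11:22:33:44:55 ip=10.0.5.12",
    "2026-06-19T02:00:02Z AGENT-03 DHCP mac=00:11:22:33:44:55 hostname=FIN-LAPTOP-07 class=MSFT_5.0",
    "2026-06-19T02:00:05Z AGENT-07 ARP mac=AA:BB:CC:01:02:03 ip=10.0.5.40",
    "2026-06-19T02:00:06Z AGENT-07 DHCP mac=AA:BB:CC:01:02:03 hostname=ipcam-lobby class=udhcp",
    "2026-06-19T02:00:09Z AGENT-03 ARP mac=DE:AD:BE:EF:00:01 ip=10.0.5.201",
    "2026-06-19T02:00:11Z AGENT-07 ARP mac=00:11:22:33:44:66 ip=10.0.5.13",
    "2026-06-19T02:00:12Z AGENT-03 ARP mac=AA:BB:CC:01:02:03 ip=10.0.5.40",
]


@dataclass
class Device:
    mac: str
    ips: set = field(default_factory=set)
    sensors: set = field(default_factory=set)
    hostname: str = ""
    dhcp_class: str = ""
    first_seen: str = ""
    last_seen: str = ""

    @property
    def vendor(self):
        return OUI_VENDOR.get(self.mac[:8], "unknown")

    @property
    def managed(self):
        return self.mac in MANAGED_MACS

    def fingerprint(self):
        """Crude classification from broadcast traffic alone (no probing)."""
        if self.managed:
            return "managed endpoint"
        if self.dhcp_class.startswith("MSFT"):
            return "unmanaged Windows host"
        if self.dhcp_class == "udhcp":            # BusyBox DHCP client: typical of embedded gear
            return f"unmanaged embedded/IoT ({self.vendor})"
        if self.vendor != "unknown":
            return f"unmanaged {self.vendor} device"
        return "unknown device"


def parse_observation(line):
    """Split '<time> <sensor> <proto> k=v k=v' into its parts."""
    ts, sensor, proto, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return ts, sensor, proto, fields


def build_inventory(lines):
    """Merge every broadcast heard by any sensor into one device table keyed by MAC."""
    inventory = {}
    for line in lines:
        ts, sensor, proto, f = parse_observation(line)
        mac = f["mac"].upper()
        dev = inventory.setdefault(mac, Device(mac=mac, first_seen=ts))
        dev.last_seen = ts
        dev.sensors.add(sensor)
        if proto == "ARP":
            dev.ips.add(f["ip"])
        elif proto == "DHCP":
            dev.hostname = f.get("hostname", dev.hostname)
            dev.dhcp_class = f.get("class", dev.dhcp_class)
    return inventory


def unmanaged_devices(inventory):
    """Candidates for rogue-device review: seen on the wire, no agent on them."""
    return sorted((d for d in inventory.values() if not d.managed), key=lambda d: d.mac)


if __name__ == "__main__":
    inv = build_inventory(OBSERVATIONS)
    for d in inv.values():
        print(f"{d.mac} {sorted(d.ips)} {d.hostname or '-'} {d.fingerprint()} seen by {sorted(d.sensors)}")
    print("unmanaged:", [d.mac for d in unmanaged_devices(inv)])
```

Note that the camera is heard by both sensors and merges into one record, and that the PLC-vendor device never sends DHCP, so the inventory knows its IP and vendor but not its hostname; that is the normal limit of purely passive listening, and why the page's point that discovery needs no SPAN/TAP comes with the caveat that you only see what broadcasts reach your agents.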

Figure 3 — Investigation & response, all off one story. Panels: Storyline + Storyline ID at the centre; ActiveEDR; Threat hunting / STAR; Ranger discovery; One-click remediate; VSS rollback; XDR + Purple AI.
Storyline is the centre — ActiveEDR, Ranger, rollback, XDR and Purple AI all work from the same correlated data.
'Ranger needs an agent on every device' confusion

Ranger does NOT install on the devices it discovers. It elects your existing SentinelOne agents to passively fingerprint everything on the network. Saying it needs a per-device agent or a SPAN/TAP appliance gets the architecture wrong.

Quick check · Q3 of 10 · Apply

You need to find unmanaged IoT devices on the LAN without deploying new sensors. What do you use?

Correct: a. Ranger elects existing SentinelOne agents to passively listen and fingerprint every IP device, including unmanaged IoT — with no extra hardware, SPAN/TAP or network changes.
👉 So far: Ranger (Singularity Network Discovery) elects existing agents as passive sensors to fingerprint every IP device and isolate rogue ones — no new hardware, SPAN/TAP or network changes.

④ Remediate & rollback — one click off the same story

Because Storyline already knows every artefact an attack touched, response is one decision, not fifty. One-click Remediate kills the malicious processes and cleans up everything in the Storyline — files dropped, persistence, registry changes — across the whole story at once. Rollback goes further on Windows: it reverts files that ransomware maliciously encrypted or deleted back to their pre-attack state.

How rollback actually works

Rollback is built on Microsoft's Volume Shadow Copy Service (VSS). The agent tracks file activity at the kernel level and SentinelOne takes VSS snapshots (by default every few hours), while protecting the VSS service itself so ransomware cannot wipe the shadow copies first. Because it depends on VSS, full rollback is Windows-only: Mac and Linux lack the same native shadow-copy technology.

Above the endpoint layer sits Singularity XDR, with marketplace integrations to ingest third-party data, and Purple AI, the natural-language and agentic investigation assistant.

Figure 4 — Remediate vs Rollback. One-click Remediate: kills malicious processes; removes dropped files and persistence; undoes registry / autorun changes; works across Windows, Mac, Linux. Rollback: restores encrypted / deleted files; built on Windows VSS snapshots; reverts to pre-attack state; Windows-only (needs VSS).
Two different response actions off the same Storyline — clean up the attack versus restore the data.

Figure 5 — Ransomware caught and rolled back. Panels: Detect (behaviour flagged) → Storyline (all encryption grouped) → Kill (stop the process) → Rollback (VSS restores files) → Verify (files back, clean).
When ransomware starts encrypting, Storyline groups it, the agent stops it, and Windows rollback restores the files.

Priya at a Pune logistics firm faces this

At 2am a finance laptop starts mass-encrypting files; the user wakes to a ransom note and a hundred '.locked' documents.

Likely cause

A malicious macro launched a ransomware process that began encrypting the user's documents folder.

Diagnosis

Open the console, click the Storyline ID — the whole attack is one story: the macro, the child process, every file it encrypted and a callback to C2.

Console ▸ Incidents ▸ Storyline ▸ Process tree + Actions
Fix

From the single Storyline, kill the process, run one-click Remediate to clean persistence, then Rollback to restore the encrypted files from VSS snapshots to their pre-attack state.

Verify

Re-open the documents folder — originals are back, the '.locked' files are gone, and the Storyline shows the threat mitigated with no residual persistence.

Prove the rollback, don't assume it

After rollback, confirm from the endpoint and the Storyline: the encrypted files are restored to their pre-attack content, the malicious process is mitigated, and persistence is gone. Remember rollback restores data (Windows/VSS); Remediate cleans the attack on all OSes — they're different actions.

▶ Watch ransomware get stopped and rolled back

How one Storyline takes a ransomware hit from detection to restored files:

① Encrypt: a macro launches a process that starts mass-encrypting the user's documents on a Windows laptop.
② Correlate: Storyline groups the macro, the child process and every encrypted file into one attack story with a single Storyline ID.
③ Kill + remediate: the behavioural AI flags ransomware and stops the process; one-click Remediate cleans dropped files and persistence.
④ Rollback: Rollback uses VSS snapshots to restore the encrypted files to their pre-attack state, and the user's documents come back.
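The steps above, and the "prove the rollback, don't assume it" advice, as an added Python model that is not SentinelOne's code and not part of the lesson. A VSS-style point-in-time snapshot is modelled as a path-to-content map, the Storyline supplies the file events the ransomware process performed, rollback touches only the paths named in that story, and a separate verification pass checks hashes against the snapshot and looks for leftover artefacts. The scoping of rollback to story paths, the snapshot contents and the event list are assumptions of this example; the case of a document written after the last snapshot shows why the verification pass matters.

```python
"""Snapshot-based rollback scoped to one Storyline, plus the verification step.

Added example, not SentinelOne's code. Assumptions: the VSS snapshot is a
path -> bytes map captured a few hours before the attack; the Storyline lists
the ransomware process's file events in order; rollback restores only the
paths in that story. All paths and contents are constructed sample data.
"""
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed pre-attack snapshot (what the last VSS snapshot captured).
SNAPSHOT = {
    "Docs/Q1.xlsx": b"quarterly numbers",
    "Docs/plan.docx": b"expansion plan",
    "Docs/board.pptx": b"board deck",
}

# Constructed file events from the ransomware process in the Storyline.
# kind: encrypt (original replaced by a .locked copy), delete, create (ransom note).
STORY_FILE_EVENTS = [
    {"ts": 11, "kind": "encrypt", "path": "Docs/Q1.xlsx", "new_path": "Docs/Q1.xlsx.locked"},
    {"ts": 12, "kind": "encrypt", "path": "Docs/plan.docx", "new_path": "Docs/plan.docx.locked"},
    {"ts": 13, "kind": "encrypt", "path": "Docs/new-memo.docx", "new_path": "Docs/new-memo.docx.locked"},
    {"ts": 14, "kind": "delete", "path": "Docs/board.pptx", "new_path": None},
    {"ts": 15, "kind": "create", "path": "Docs/README_RESTORE.txt", "new_path": None},
]


def live_volume_after_attack():
    """Post-attack live state: the snapshot, plus a memo the user wrote after the
    snapshot was taken (so it has no shadow copy), with the story's events applied."""
    vol = dict(SNAPSHOT)
    vol["Docs/new-memo.docx"] = b"written after the snapshot"
    for e in STORY_FILE_EVENTS:
        if e["kind"] == "encrypt":
            vol.pop(e["path"])
            vol[e["new_path"]] = b"\x00\x13\x37 unreadable ciphertext"
        elif e["kind"] == "delete":
            vol.pop(e["path"], None)
        elif e["kind"] == "create":
            vol[e["path"]] = b"your files are encrypted"
    return vol


def rollback(volume, snapshot, story_events):
    """Restore only what the Storyline touched; report paths with no shadow copy."""
    restored, unrecoverable = [], []
    for e in story_events:
        if e["kind"] == "create":
            volume.pop(e["path"], None)        # artefact the attack added (ransom note)
            continue
        if e["kind"] == "encrypt":
            volume.pop(e["new_path"], None)    # the .locked copy
        if e["path"] in snapshot:              # encrypt or delete: put the original back
            volume[e["path"]] = snapshot[e["path"]]
            restored.append(e["path"])
        else:
            unrecoverable.append(e["path"])
    return {"restored": restored, "unrecoverable": unrecoverable}


def verify_rollback(volume, snapshot, story_events):
    """The 'prove it' step: every touched original present and hash-identical to
    the snapshot, and nothing the story created still on disk."""
    touched = [e["path"] for e in story_events if e["kind"] in ("encrypt", "delete")]
    created = {e["new_path"] for e in story_events if e["kind"] == "encrypt"}
    created |= {e["path"] for e in story_events if e["kind"] == "create"}
    missing = [p for p in touched if p not in volume]
    mismatched = [p for p in touched if p in volume and p in snapshot
                  and sha256(volume[p]) != sha256(snapshot[p])]
    leftovers = sorted(p for p in volume if p in created)
    return {"missing": missing, "mismatched": mismatched, "leftovers": leftovers,
            "ok": not (missing or mismatched or leftovers)}


if __name__ == "__main__":
    vol = live_volume_after_attack()
    print("rollback:", rollback(vol, SNAPSHOT, STORY_FILE_EVENTS))
    print("verify:  ", verify_rollback(vol, SNAPSHOT, STORY_FILE_EVENTS))
```

Rollback reports three files restored and the ransom note and .locked copies gone, yet verification still returns ok=False: the memo written after the last snapshot had no shadow copy to restore from, so it is listed as missing. That gap between "the action succeeded" and "the data is back" is exactly what checking the endpoint after rollback is meant to catch, and it is also why the snapshot interval matters.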
Quick check · Q4 of 10 · Analyze

Why is full ransomware rollback Windows-only?

Correct: c. Rollback is built on Windows VSS snapshots to restore encrypted/deleted files to their pre-attack state. Mac and Linux don't have the same native shadow-copy technology, so full rollback is Windows-only.
👉 So far: One-click Remediate cleans the whole Storyline on any OS; Rollback restores ransomware-encrypted files on Windows via VSS. Above it sit Singularity XDR, marketplace integrations and Purple AI.


📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete.

Q5 · Remember

What does the Storyline ID let an analyst do?

Correct: b. The Storyline ID is the single key to one auto-correlated attack story; clicking it shows the origin diagram, process tree, timeline and every related event.
Q6 · Understand

What is the relationship between Storyline and ActiveEDR?

Correct: a. Storyline does the automatic correlation on the agent; ActiveEDR is the human layer for reading the story (process tree/timeline) and hunting the EDR data, with STAR for custom auto-response.
Q7 · Apply

Finance laptops just got hit by ransomware on Windows. Which action restores the encrypted files?

Correct: c. Rollback is the action that restores files encrypted or deleted by ransomware to their pre-attack state, using Windows Volume Shadow Copy Service snapshots.
Q8 · Analyze

Why can SentinelOne remediate or roll back an entire attack with essentially one decision?

Correct: b. Storyline pre-correlates every artefact (processes, files, persistence, registry) into one story, so response acts on the whole story at once rather than item by item.
Q9 · Evaluate

An interviewer asks how Ranger achieves network visibility without new hardware. Best answer?

Correct: b. Ranger (Singularity Network Discovery) reuses your existing agents as passive sensors to fingerprint every IP device and isolate rogue ones, with no additional hardware, SPAN/TAP or network changes.
Q10 · Evaluate

Why does SentinelOne protect the VSS service itself, and what's the limitation of rollback?

Correct: d. Advanced ransomware tries to wipe shadow copies first, so SentinelOne guards the VSS service; and because rollback relies on Windows VSS, full file rollback is Windows-only — Mac and Linux lack equivalent native shadow-copy technology.

🧠 In your own words

How would you explain Storyline and ransomware rollback to an interviewer in one line? Compare your answer with the expert version.

Expert version: Storyline is SentinelOne's automatic, on-agent correlation: it links every related event — process spawns, file writes, network calls, registry edits — into one attack story that shares a single Storyline ID, so instead of hand-correlating logs you click the ID and read the whole process tree and timeline. ActiveEDR is the analyst experience on top, including hunting and STAR auto-response rules. Because the story already knows every artefact the attack touched, response is one decision: one-click Remediate cleans the whole attack on any OS, and on Windows Rollback uses Volume Shadow Copy Service snapshots to restore the files ransomware encrypted back to their pre-attack state — with the VSS service itself protected so ransomware can't delete the snapshots first.


📖 Glossary

Storyline
On-agent AI that automatically correlates every related event — process, file, network, registry — into one connected attack story.
Storyline ID
The single identifier that ties one attack's events together; clicking it opens the full origin diagram, process tree and timeline.
ActiveEDR
The analyst experience on top of Storyline — reading the process tree and timeline and hunting across stored EDR data.
STAR
Storyline Active Response — turning a hunting query into an always-on custom detection rule that auto-responds to matching behaviour.
Ranger / Singularity Network Discovery
Agentless asset discovery that elects existing agents as passive sensors to fingerprint every IP device and isolate rogue ones.
One-click Remediate
A response action that kills malicious processes and removes dropped files, persistence and registry changes across the whole Storyline.
Rollback
Windows-only restore of files maliciously encrypted or deleted by ransomware, using Volume Shadow Copy Service snapshots.
VSS (Volume Shadow Copy Service)
The Microsoft Windows service that creates point-in-time snapshots of volume data; the basis for SentinelOne rollback.
Singularity XDR
Extended detection and response that ingests third-party data via marketplace integrations alongside native telemetry.
Purple AI
SentinelOne's AI security assistant — natural-language threat hunting plus 2026 agentic investigation that can investigate threats largely autonomously.


What's next?

Want the foundations under all of this? Go back to the first SentinelOne lesson on the Singularity platform and the autonomous on-agent AI EDR — the Static and Behavioral AI engines that detect threats on the endpoint with no cloud lookup, which is exactly what feeds Storyline.