PURPOSE How to document investigation steps, decisions, and follow-up actions. GENERAL STEPS Open SentinelOne in a supported browser, sign in with the correct work account, and navigate to the relevant site, group, endpoint, agent, threat, activity, policy, report, exclusion, or settings area. VERIFY RESULTS Confirm that the endpoint, agent status, threat state, remediation action, isolation state, policy assignment, report, ticket reference, note, or investigation detail appears as expected before closing the task. TROUBLESHOOTING If SentinelOne behaves unexpectedly, refresh the page, confirm you are viewing the correct site and endpoint, check your permissions, verify the endpoint is reporting, and capture any error message, hostname, threat ID, or timestamp. BEST PRACTICE Treat endpoint security actions carefully. Do not dismiss, remediate, isolate, rollback, or exclude anything without enough context and the correct approval path.