SentinelOne
Visualize SentinelOne endpoint agents and devices, map SentinelOne agents to devices and owners, and monitor changes through queries and alerts.
Installation
For this integration, you will first need to acquire an API Token in SentinelOne.
Configuration in SentinelOne
To create an API Token:
- In your SentinelOne Management Console, click Settings > USERS
- Select your username and navigate to Edit User > API Token > Generate
- Generate a token for use within JupiterOne.
If you see Revoke and Regenerate actions instead of Generate, a token already exists for this user. Revoking or regenerating it breaks any scripts or integrations that currently use it:
- Revoke removes the token's authorization immediately; there is no confirmation prompt.
- Regenerate revokes the existing token and issues a new one. After Generate or Regenerate, a message shows the token string and the date on which the token expires.
- Click DOWNLOAD to save the token for use in JupiterOne.
Because the token is generated under a user account, it acts with that user's role and scope. Generate it from a dedicated user that holds only the read access the integration needs rather than from an administrator, and handle the downloaded token as you would any other credential. Note the expiry date shown at generation: once the token expires, the integration stops ingesting until a new token is entered.
Configuration in JupiterOne
To install the SentinelOne integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select SentinelOne. Click New Instance to begin configuring your integration.
Creating an instance requires the following:
- The Account Name used to identify the SentinelOne account in JupiterOne. Ingested entities will have this value stored in `tag.AccountName` when the Account Name toggle is enabled.
- Description to assist in identifying the integration instance, if desired.
- Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as `DISABLED` and manually execute the integration.
- Your SentinelOne Management Server Hostname/URL and API Token.
Click Create once all values are provided to finalize the integration.
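Before pasting the hostname and token into the New Instance form, it is worth confirming from a workstation that the URL is an https console and that the token is accepted. The script below is an added example, not part of this page or of JupiterOne's integration code. It assumes that the SentinelOne Management API authenticates with an `Authorization: ApiToken <token>` header and answers `GET /web/api/v2.1/system/info` for any valid token; both are SentinelOne API conventions that this page does not state, so check them against your console's API documentation. The environment variable names are also assumptions.

```python
"""Preflight check for a SentinelOne console URL and API token (added example)."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Assumption: the Management API is served under this path and /system/info
# is readable by any authenticated user, whatever their role.
SYSTEM_INFO_PATH = "/web/api/v2.1/system/info"


def normalize_console_url(value: str) -> str:
    """Turn the hostname or URL typed into the JupiterOne form into a clean https origin.

    Accepts "mytenant.sentinelone.net", "https://mytenant.sentinelone.net/"
    or "https://mytenant.sentinelone.net/web/api/v2.1/". Plain http is refused
    because the token would otherwise travel in clear text.
    """
    value = value.strip()
    if "://" not in value:
        value = "https://" + value
    parts = urllib.parse.urlsplit(value)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-https console URL: {value}")
    if not parts.hostname:
        raise ValueError(f"no hostname in console URL: {value}")
    # Keep only scheme and host; the API path is appended per request.
    return f"https://{parts.netloc}"


def auth_headers(token: str) -> dict:
    """Request headers for the SentinelOne API; the token is a bearer-style secret."""
    token = token.strip()
    if not token:
        raise ValueError("empty API token")
    return {"Authorization": f"ApiToken {token}", "Accept": "application/json"}


def parse_system_info(body: bytes) -> str:
    """Extract the console version from a /system/info response body."""
    doc = json.loads(body)
    data = doc.get("data") or {}
    if "version" not in data:
        raise ValueError("unexpected response: no data.version field")
    return str(data["version"])


def check_console(console: str, token: str, timeout: float = 10.0) -> str:
    """Live check: returns the console version, or exits with a clear message on 401."""
    base = normalize_console_url(console)
    req = urllib.request.Request(base + SYSTEM_INFO_PATH, headers=auth_headers(token))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_system_info(resp.read())
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            raise SystemExit("token rejected (401): it may be revoked, regenerated or expired") from exc
        raise


if __name__ == "__main__":
    # Read the secret from the environment (assumed variable names) rather than
    # argv, so the token does not land in shell history or process listings.
    console = os.environ.get("S1_CONSOLE", "")
    token = os.environ.get("S1_API_TOKEN", "")
    if not console or not token:
        raise SystemExit("set S1_CONSOLE and S1_API_TOKEN first")
    print("console version:", check_console(console, token))
```

Run it once with the same hostname and token you intend to enter in JupiterOne; a 401 at this stage means the token was revoked, regenerated or has expired, and the integration instance would fail in the same way.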
Next steps
Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.
Entities
The following entities are created:
| Resources | Entity _type | Entity _class |
|---|---|---|
| Account | sentinelone_account | Account |
| Agent | sentinelone_agent | HostAgent |
| Application | sentinelone_application | Application |
| Group | sentinelone_group | Group |
| Host | sentinelone_host | Host |
| User | sentinelone_user | User |
| Vulnerability | sentinelone_vulnerability | Finding, Vulnerability |
Relationships
The following relationships are created:
| Source Entity _type | Relationship _class | Target Entity _type |
|---|---|---|
| sentinelone_account | HAS | sentinelone_group |
| sentinelone_account | HAS | sentinelone_user |
| sentinelone_agent | INSTALLED | sentinelone_application |
| sentinelone_agent | IDENTIFIED | sentinelone_vulnerability |
| sentinelone_group | HAS | sentinelone_agent |
| sentinelone_host | PROTECTS | sentinelone_agent |
| sentinelone_host | HAS | sentinelone_vulnerability |
| sentinelone_user | ASSIGNED | sentinelone_group |
Sentinelone Account
sentinelone_account inherits from Account
Sentinelone Agent
sentinelone_agent inherits from HostAgent
| Property | Type | Description | Specifications |
|---|---|---|---|
activeThreats | number | ||
activeThreatsCount | number | ||
adComputerDistinguishedName | string | ||
agentVersion | string | ||
allowRemoteShell | boolean | ||
appsVulnerabilityStatus | string | ||
computerName | string | ||
consoleMigrationStatus | string | ||
coreCount | number | ||
cpuCount | number | ||
cpuId | string | ||
createdAt | number | Please use createdOn instead | deprecated: true |
domain | string | ||
encryptedApplications | boolean | ||
externalIp | string | ||
groupId * | string | ||
groupIp | string | ||
groupName | string | ||
groupUpdatedAt | number | Please use groupUpdatedOn instead | deprecated: true |
groupUpdatedOn | number | ||
infected | boolean | Please use isInfected instead | deprecated: true |
inRemoteShellSession | boolean | Please use isInRemoteShellSession instead | deprecated: true |
isActive | boolean | ||
isDecommissioned | boolean | ||
isInfected | boolean | ||
isInRemoteShellSession | boolean | ||
isPendingUninstall | boolean | ||
isUninstalled | boolean | ||
isUpToDate | boolean | ||
lastActiveDate | number | ||
lastLoggedInUserName | string | ||
macAddress | array of strings | ||
macAddresses | array of strings | ||
machineType | string | ||
missingPermissions | array of strings | ||
mitigationMode | string | ||
mitigationModeSuspicious | string | ||
modelName | string | ||
networkStatus | string | ||
osArch | string | ||
osName | string | ||
osRevision | string | ||
osStartTime | number | ||
osType | string | ||
osUsername | string | ||
policyUpdatedAt | number | Please use policyUpdatedOn instead | deprecated: true |
policyUpdatedOn | number | ||
registeredAt | number | Please use registeredOn instead | deprecated: true |
registeredOn | number | ||
scanAbortedAt | number | Please use scanAbortedOn instead | deprecated: true |
scanAbortedOn | number | ||
scanFinishedAt | number | Please use scanFinishedOn instead | deprecated: true |
scanFinishedOn | number | ||
scanStartedAt | number | Please use scanStartedOn instead | deprecated: true |
scanStartedOn | number | ||
scanStatus | string | ||
serial | string | ||
siteId | string | ||
siteName | string | ||
totalMemory | number | ||
updatedAt | number | Please use updatedOn instead | deprecated: true |
uuid | string |
Sentinelone Application
sentinelone_application inherits from Application
| Property | Type | Description | Specifications |
|---|---|---|---|
osType | string | ||
riskLevel | string | ||
signed | boolean | ||
size | number | ||
type | string | ||
vendor | string | ||
version | string |
Sentinelone Group
sentinelone_group inherits from Group
| Property | Type | Description | Specifications |
|---|---|---|---|
createdAt | number | Please use createdOn instead | deprecated: true |
creator | string | ||
creatorId | string | ||
filterId | string | ||
filterName | string | ||
inherits | boolean | ||
isDefault | boolean | ||
rank | number | ||
siteId * | string | ||
totalAgents | number | ||
type | string | ||
updatedAt | number | Please use updatedOn instead | deprecated: true |
Sentinelone Host
sentinelone_host inherits from Host
| Property | Type | Description | Specifications |
|---|---|---|---|
activeCoverage | array of strings | Active SentinelOne coverage modules (e.g. EPP, EDR). | |
adMachineDistinguishedName | string | The Active Directory machine distinguished name. | |
adsEnabled | boolean | Whether Application Detection & Security is enabled. | |
adUserDistinguishedName | string | The Active Directory user distinguished name. | |
agentId | string | Id of the SentinelOne agent installed on this host. | |
agentUuid | string | UUID of the SentinelOne agent installed on this host. | |
architecture | string | The CPU architecture of the device. | |
assetContactEmail | string | The asset contact email. | |
assetCriticality | string | The criticality assigned to the asset. | |
assetEnvironment | string | The environment the asset exists in (AWS, Azure, GCP, AD). | |
assetStatus | string | The status of the asset. | |
coreCount | number | The number of CPU cores. | |
cpu | string | The CPU model of the device. | |
detectedFromSite | string | The site from which the device was detected. | |
domain | string | The network domain of the device. | |
firstSeenOn | number | When the asset was first seen (epoch ms). | |
groupId | string | The SentinelOne group id. | |
groupName | string | The SentinelOne group name. | |
infectionStatus | string | The infection/alert status of the asset. | |
instanceId | string | The cloud instance id of the device, when applicable. | |
isAdConnector | boolean | Whether the device is an Active Directory connector. | |
isDcServer | boolean | Whether the device is a domain controller. | |
isVm | boolean | Whether the device is a virtual machine. | |
lastActiveOn | number | When the asset was last active (epoch ms). | |
lastApplicationScanOn | number | When applications were last scanned (epoch ms). | |
lastRebootOn | number | When the device last rebooted (epoch ms). | |
lastUpdateOn | number | When the asset record was last updated (epoch ms). | |
memoryReadable | string | Human-readable total memory (e.g. "16 GB"). | |
missingCoverage | array of strings | SentinelOne coverage modules that are missing. | |
modelName | string | The hardware model name. | |
osFamily | string | The operating system family. | |
osUsername | string | The last logged-in OS username on the device. | |
resourceType | string | The canonical resource type of the asset. | |
riskFactors | array of strings | Risk factors associated with the asset. | |
s1AccountId | string | The SentinelOne account id. | |
s1AccountName | string | The SentinelOne account name. | |
s1ActiveProtection | array of strings | Active SentinelOne protection modes. | |
s1ManagementId | number | The SentinelOne management id. | |
s1ScopeId | string | The SentinelOne scope id. | |
s1ScopeLevel | string | The SentinelOne scope level. | |
s1ScopePath | string | The SentinelOne scope path. | |
s1ScopeType | number | The SentinelOne scope type. | |
s1UpdatedOn | number | When SentinelOne last updated the asset (epoch ms). | |
siteId | string | The SentinelOne site id. | |
siteName | string | The SentinelOne site name. | |
subCategory | string | The asset sub-category (e.g. Laptop, Server). | |
surfaces | array of strings | The surfaces the asset belongs to. | |
totalMemory | number | Total physical memory in megabytes. |
Sentinelone User
sentinelone_user inherits from User
| Property | Type | Description | Specifications |
|---|---|---|---|
agreedEula | boolean | ||
agreedEulaVersion | string | ||
canGenerateApiToken | boolean | ||
dateJoinedOn | number | ||
firstLoginOn | number | ||
fullName | string | ||
lastLoginOn | number | ||
lowestRole | string | ||
primaryTwoFaMethod | string | ||
scope | string | ||
source | string | ||
twoFaConfigured | boolean | ||
twoFaEnabled | boolean | ||
twoFaStatus | string |
Sentinelone Vulnerability
sentinelone_vulnerability inherits from Finding, Vulnerability
| Property | Type | Description | Specifications |
|---|---|---|---|
agentCount | number | ||
applicationCount | number | ||
applicationName | string | ||
applicationVendor | string | ||
applicationVersion | string | ||
cvssVersion | string | ||
daysDetected | number | ||
detectedOn | number | ||
exploits | number | ||
lastScanDate | number | ||
lastScanResult | string | ||
publishedOn | number | ||
riskLevel | string |
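As an added example, not part of this page or of JupiterOne's integration code, the Python below evaluates a few of the checks a practitioner would turn into JupiterOne queries and alerts, against a constructed sample of the entities and relationships listed above: hosts with no PROTECTS edge to an agent, agents that are infected, out of date, stale, or have remote shell enabled, users who can generate API tokens but have no 2FA, and vulnerabilities with known exploits on high-criticality hosts. The sample data, the seven-day staleness threshold, and the J1QL equivalents in the comments are assumptions; only the property and relationship names come from the tables above.

```python
"""Checks over the SentinelOne entity graph described above (added example)."""

# Constructed sample graph: entities keyed by a local id, with the _type and
# property names from the tables above. Values are made up for illustration.
ENTITIES = {
    "host:lt-01": {"_type": "sentinelone_host", "assetCriticality": "HIGH", "missingCoverage": []},
    "host:srv-02": {"_type": "sentinelone_host", "assetCriticality": "HIGH", "missingCoverage": ["EDR"]},
    "host:kiosk-03": {"_type": "sentinelone_host", "assetCriticality": "LOW", "missingCoverage": ["EPP", "EDR"]},
    "agent:a1": {"_type": "sentinelone_agent", "computerName": "lt-01", "isActive": True,
                 "isUpToDate": True, "isInfected": False, "allowRemoteShell": False,
                 "isInRemoteShellSession": False, "lastActiveDate": 1_700_000_000_000},
    "agent:a2": {"_type": "sentinelone_agent", "computerName": "srv-02", "isActive": True,
                 "isUpToDate": False, "isInfected": True, "allowRemoteShell": True,
                 "isInRemoteShellSession": True, "lastActiveDate": 1_699_000_000_000},
    "user:u1": {"_type": "sentinelone_user", "fullName": "Ops Admin",
                "canGenerateApiToken": True, "twoFaEnabled": False},
    "user:u2": {"_type": "sentinelone_user", "fullName": "Read Only",
                "canGenerateApiToken": False, "twoFaEnabled": False},
    "vuln:v1": {"_type": "sentinelone_vulnerability", "applicationName": "ExampleApp",
                "applicationVersion": "1.2.3", "exploits": 2, "riskLevel": "HIGH"},
}

# (source, _class, target) triples using the relationship classes from the table above.
RELATIONSHIPS = [
    ("host:lt-01", "PROTECTS", "agent:a1"),
    ("host:srv-02", "PROTECTS", "agent:a2"),
    ("agent:a2", "IDENTIFIED", "vuln:v1"),
    ("host:srv-02", "HAS", "vuln:v1"),
]

STALE_AFTER_MS = 7 * 24 * 3600 * 1000  # assumed threshold: 7 days without check-in


def of_type(entities, entity_type):
    return {k: v for k, v in entities.items() if v["_type"] == entity_type}


def hosts_without_agent(entities, rels):
    """Hosts SentinelOne knows about that have no PROTECTS edge to an agent.

    J1QL equivalent (assumed syntax): FIND sentinelone_host THAT !PROTECTS sentinelone_agent
    """
    covered = {src for src, cls, dst in rels
               if cls == "PROTECTS" and entities[dst]["_type"] == "sentinelone_agent"}
    return sorted(k for k in of_type(entities, "sentinelone_host") if k not in covered)


def agent_findings(entities, now_ms, stale_after_ms=STALE_AFTER_MS):
    """Map of agent id -> list of reasons it needs attention.

    J1QL equivalent for one of these (assumed syntax):
    FIND sentinelone_agent WITH isInfected = true OR allowRemoteShell = true
    """
    findings = {}
    for key, agent in of_type(entities, "sentinelone_agent").items():
        reasons = []
        if agent.get("isInfected"):
            reasons.append("infected")
        if not agent.get("isUpToDate", True):
            reasons.append("agent out of date")
        if agent.get("allowRemoteShell"):
            reasons.append("remote shell allowed by policy")
        if agent.get("isInRemoteShellSession"):
            reasons.append("remote shell session open")
        if now_ms - agent.get("lastActiveDate", 0) > stale_after_ms:
            reasons.append("not seen within staleness window")
        if reasons:
            findings[key] = reasons
    return findings


def users_needing_2fa(entities):
    """Users who can mint API tokens (like the one this integration uses) without 2FA."""
    return sorted(k for k, u in of_type(entities, "sentinelone_user").items()
                  if u.get("canGenerateApiToken") and not u.get("twoFaEnabled"))


def exploitable_vulns_on_critical_hosts(entities, rels):
    """(host, vulnerability) pairs joined over HAS, where exploits exist and the host is HIGH criticality."""
    out = []
    for src, cls, dst in rels:
        if cls != "HAS":
            continue
        host, vuln = entities[src], entities[dst]
        if (host["_type"] == "sentinelone_host" and vuln["_type"] == "sentinelone_vulnerability"
                and vuln.get("exploits", 0) > 0 and host.get("assetCriticality") == "HIGH"):
            out.append((src, dst))
    return out


if __name__ == "__main__":
    now = 1_700_500_000_000  # constructed "current time" in epoch ms
    print("hosts without agent:", hosts_without_agent(ENTITIES, RELATIONSHIPS))
    print("agent findings:", agent_findings(ENTITIES, now))
    print("token-capable users without 2FA:", users_needing_2fa(ENTITIES))
    print("exploitable on critical hosts:", exploitable_vulns_on_critical_hosts(ENTITIES, RELATIONSHIPS))
```

Each function mirrors one graph traversal: the host check walks the PROTECTS edge from the Relationships table, the vulnerability check joins over HAS, and the agent and user checks filter on properties from the sentinelone_agent and sentinelone_user tables. The same four conditions are the natural starting point for JupiterOne alert rules on this data.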