SentinelOne
Visualize SentinelOne endpoint agents and devices, map SentinelOne agents to devices and owners, and monitor changes through queries and alerts.
- Installation guide
- SentinelOne data model
- SentinelOne types
Installation
For this integration, you will first need to acquire an API Token in SentinelOne.
Configuration in SentinelOne
To create an API Token:
In your SentinelOne Management Console, click Settings > USERS
Select your username and navigate to Edit User > API Token > Generate
Generate a token for use within JupiterOne.
noteIf you see Revoke and Regenerate actions, you already have an existing token. Revoking or regenerating the existing token will break any scripts currently utilizing the revoked/regenerated token:
- Revoke removes the token authorization, and there is no confirmation on this action.
- Regenerate revokes the token and generates a new token. If you click Generate or Regenerate, a message shows the token string and the date that the token expires.
Click DOWNLOAD for use in JupiterOne.
Configuration in JupiterOne
To install the SentinelOne integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select SentinelOne. Click New Instance to begin configuring your integration.
Creating a configuration requires the following:
The Account Name used to identify the SentinelOne account in JupiterOne. Ingested entities will have this value stored in
tag.AccountNamewhen theAccountNametoggle is enabled.Description to assist in identifying the integration instance, if desired.
Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as
DISABLEDand manually execute the integration.Your SentinelOne Management Server Hostname/URL and API Token.
Click Create once all values are provided to finalize the integration.
Next steps
Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.
Data Model
Entities
The following entities are created:
| Resources | Entity _type | Entity _class |
|---|---|---|
| Account | sentinelone_account | Account |
| Agent | sentinelone_agent | HostAgent |
| Agent | sentinelone_host | Host |
| Group | sentinelone_group | Group |
Relationships
The following relationships are created:
Source Entity _type | Relationship _class | Target Entity _type |
|---|---|---|
sentinelone_account | HAS | sentinelone_group |
sentinelone_group | HAS | sentinelone_agent |
sentinelone_host | HAS | sentinelone_agent |
Sentinelone Account
sentinelone_account inherits from Account
Sentinelone Group
sentinelone_group inherits from Group
| Property | Type | Description | Specifications |
|---|---|---|---|
inherits | boolean | ||
creator | string | ||
filterName | string | ||
totalAgents | number | ||
filterId | string | ||
rank | number | ||
siteId * | string | ||
isDefault | boolean | ||
creatorId | string | ||
updatedAt | number | Please use updatedOn instead | deprecated: true |
createdAt | number | Please use createdOn instead | deprecated: true |
type | string |
Sentinelone Agent
sentinelone_agent inherits from HostAgent
| Property | Type | Description | Specifications |
|---|---|---|---|
domain | string | ||
appsVulnerabilityStatus | string | ||
siteName | string | ||
coreCount | number | ||
totalMemory | number | ||
inRemoteShellSession | boolean | Please use isInRemoteShellSession instead | deprecated: true |
isInRemoteShellSession | boolean | ||
osArch | string | ||
allowRemoteShell | boolean | ||
scanStatus | string | ||
consoleMigrationStatus | string | ||
updatedAt | number | Please use updatedOn instead | deprecated: true |
osName | string | ||
osType | string | ||
createdAt | number | Please use createdOn instead | deprecated: true |
externalIp | string | ||
activeThreatsCount | number | ||
activeThreats | number | ||
computerName | string | ||
modelName | string | ||
uuid | string | ||
encryptedApplications | boolean | ||
adComputerDistinguishedName | string | ||
osUsername | string | ||
groupName | string | ||
isInfected | boolean | ||
agentVersion | string | ||
policyUpdatedAt | number | Please use policyUpdatedOn instead | deprecated: true |
policyUpdatedOn | number | ||
cpuId | string | ||
registeredAt | number | Please use registeredOn instead | deprecated: true |
registeredOn | number | ||
groupUpdatedAt | number | Please use groupUpdatedOn instead | deprecated: true |
groupUpdatedOn | number | ||
machineType | string | ||
groupIp | string | ||
osStartTime | number | ||
osRevision | string | ||
scanAbortedAt | number | Please use scanAbortedOn instead | deprecated: true |
scanAbortedOn | number | ||
siteId | string | ||
scanStartedAt | number | Please use scanStartedOn instead | deprecated: true |
scanStartedOn | number | ||
isPendingUninstall | boolean | ||
scanFinishedAt | number | Please use scanFinishedOn instead | deprecated: true |
infected | boolean | Please use isInfected instead | deprecated: true |
scanFinishedOn | number | ||
lastActiveDate | number | ||
groupId * | string | ||
isActive | boolean | ||
networkStatus | string | ||
lastLoggedInUserName | string | ||
mitigationMode | string | ||
cpuCount | number | ||
isUninstalled | boolean | ||
isUpToDate | boolean | ||
isDecommissioned | boolean | ||
mitigationModeSuspicious | string | ||
serial | string | ||
macAddress | array of strings | ||
macAddresses | array of strings | ||
missingPermissions | array of strings |
Sentinelone Host
sentinelone_host inherits from Host
| Property | Type | Description | Specifications |
|---|---|---|---|
domain | string | ||
appsVulnerabilityStatus | string | ||
siteName | string | ||
coreCount | number | ||
totalMemory | number | ||
inRemoteShellSession | boolean | Please use isInRemoteShellSession instead | deprecated: true |
isInRemoteShellSession | boolean | ||
osArch | string | ||
allowRemoteShell | boolean | ||
scanStatus | string | ||
consoleMigrationStatus | string | ||
updatedAt | number | Please use updatedOn instead | deprecated: true |
createdAt | number | Please use createdOn instead | deprecated: true |
externalIp | string | ||
computerName | string | ||
modelName | string | ||
uuid | string | ||
encryptedApplications | boolean | ||
adComputerDistinguishedName | string | ||
osUsername | string | ||
groupName | string | ||
policyUpdatedOn | number | ||
cpuId | string | ||
registeredOn | number | ||
groupUpdatedOn | number | ||
machineType | string | ||
groupIp | string | ||
osStartTimeOn | number | ||
osRevision | string | ||
scanAbortedOn | number | ||
siteId | string | ||
scanStartedOn | number | ||
isPendingUninstall | boolean | ||
scanFinishedOn | number | ||
lastActiveDate | number | ||
groupId * | string | ||
isActive | boolean | ||
agentVersion | string | ||
lastLoggedInUserName | string | ||
mitigationMode | string | ||
cpuCount | number | ||
isUninstalled | boolean | ||
isUpToDate | boolean | ||
isDecommissioned | boolean | ||
mitigationModeSuspicious | string | ||
missingPermissions | array of strings |