SentinelOne
  • 24 Jul 2024

SentinelOne is an endpoint protection solution including prevention, detection, and response.

Related Enforcement Actions

Types of Assets Fetched

This adapter fetches the following types of assets:

  • Devices
  • Users
  • Vulnerabilities
  • Software
  • Roles
  • Groups
  • Application Settings
  • SaaS Applications
  • Alerts/Incidents

Parameters

  1. SentinelOne Domain (required) - The hostname or IP address of the SentinelOne management server. The format of this field is '[instance].sentinelone.net'.

  2. User Name and Password (optional) - The user name and password for an account that has site viewer access to the management server. For information on how to create users in SentinelOne, see Create a Single User.

    Note:
    • If API Token is not supplied, User Name and Password fields are required.
    • The User Name and Password parameters take precedence over the API Token parameter.
  3. 2FA Secret (only for accounts with SaaS Management capability) - The secret generated in SentinelOne for setting up two-factor authentication for the adapter user created for collecting SaaS data.

  4. API token (optional) - The API token is created within the My User Profile of the account with viewer access to the management server.

    Note:
    • If User Name and Password are not supplied, API Token field is required.
    • When Two Factor Authentication is used, you must use API Token and leave the User Name and Password fields empty.
  5. Verify SSL - Select to verify the SSL certificate offered by the value supplied in SentinelOne Domain. For more details, see SSL Trust & CA Settings.

  6. HTTPS Proxy (optional) - A proxy to use when connecting to the value supplied in SentinelOne Domain.

  7. Enable Client Side Certificate - Select to enable Axonius to send requests using the certificates uploaded to allow Mutual TLS configuration for this adapter.

    • Click Upload File next to Client Private Key File to upload a client private key file in PEM format.
    • Click Upload File next to Client Certificate File to upload a public key file in PEM format.

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.
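
The notes above interact: User Name and Password win over the API token, yet a two-factor account must use the token alone. The following pre-flight check is an added example, not Axonius code; it applies those rules and the Verify SSL and client certificate settings to a connection described as a dict whose key names are hypothetical.

```python
import ipaddress
import re

# Hostname format the page gives for the SentinelOne Domain field.
HOST_RE = re.compile(r"^[a-z0-9-]+\.sentinelone\.net$", re.I)

def check_connection(cfg):
    """Return (errors, warnings) for one connection's parameters.

    Dict keys are hypothetical names for this example, not Axonius field IDs.
    The 2FA Secret parameter (SaaS Management accounts) is not modelled.
    """
    errors, warnings = [], []
    domain = cfg.get("domain", "")
    user, password, token = (cfg.get(k) for k in ("username", "password", "api_token"))
    has_userpass = bool(user and password)

    if not domain:
        errors.append("SentinelOne Domain is required")
    elif "/" in domain:  # catches both 'https://...' and trailing paths
        errors.append("domain must be a bare hostname or IP address")
    elif not HOST_RE.match(domain):
        try:
            ipaddress.ip_address(domain)
        except ValueError:
            warnings.append("domain does not match '[instance].sentinelone.net'")

    if not has_userpass and not token:
        errors.append("supply User Name and Password, or an API token")
    if has_userpass and token:
        warnings.append("User Name and Password take precedence over the API token")
    if cfg.get("two_factor") and (user or password):
        errors.append("2FA in use: set the API token, leave User Name/Password empty")

    if not cfg.get("verify_ssl"):
        warnings.append("Verify SSL is off: server certificate is not validated")
    if cfg.get("client_cert") and not (cfg.get("key_pem") and cfg.get("cert_pem")):
        errors.append("client certificate enabled but key or certificate file missing")
    return errors, warnings

# Constructed sample: both credential types set on a 2FA account, TLS checks weakened.
SAMPLE = {"domain": "https://example.sentinelone.net", "username": "axonius-ro",
          "password": "placeholder", "api_token": "placeholder", "two_factor": True,
          "verify_ssl": False, "client_cert": True, "key_pem": "client.key"}

if __name__ == "__main__":
    errs, warns = check_connection(SAMPLE)
    for line in [f"ERROR: {e}" for e in errs] + [f"WARN:  {w}" for w in warns]:
        print(line)
```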



Advanced Settings

Note:

Advanced settings can either apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection. Refer to Advanced Configuration for Adapters.

  1. Fetch applications - Select this option to fetch SentinelOne applications.

    Note:
    In order to fetch SentinelOne applications, you need to set the Application Scanning configuration in your SentinelOne environment. This is relevant for every Axonius version since 6.1.13.
  2. Fetch application CVEs - Select whether to fetch CVE security vulnerability information for software.
  3. Ignore vulnerabilities from ubuntu packages - Select this option to ignore vulnerabilities of software detected as an Ubuntu package.
  4. Fetch decommissioned devices - Select whether to fetch devices that are decommissioned. This requires 'Endpoints View credentials' permission.
  5. Fetch threats for infected devices - Select this option to fetch threats of a device when the infected value on the SentinelOne server is set to true.
  6. Fetch latest installed apps only - Select this option to fetch only the latest installed app.
  7. Fetch device control events - Select this option to fetch the device control events for each device.
  8. Fetch Application settings (optional, default: true) (only for accounts with SaaS Management capability) - Select this option to fetch application settings for users.
  9. Fetch last installed software version only - Select this option to fetch only the version with the most recent installed date for each software.
  10. Deep Visibility query - Enter a SentinelOne Deep Visibility query name to fetch the query events and parse them inside the devices as "Deep Visibility Events".
  11. Remove old tags - Select this option to remove old tags that are no longer being fetched from SentinelOne.
  12. Background fetch tasks - Select tasks from the drop-down that will be fetched in the background.
  13. Background fetch interval (Hours) (default: 72 (3 days)) - Set the interval in hours for background fetch.


Note:

To learn more about Adapter Configuration tab advanced settings, see Adapter Advanced Settings.


APIs

Axonius uses the following APIs:

To fetch users:

  • v2.1/users

For users with SaaS Management capabilities:

To fetch user roles:

  • v2.1/rbac/roles

To fetch groups:

  • v2.1/groups

To fetch events:

  • v2.1/dv/init-query
  • v2.1/dv/query-status
  • v2.1/dv/events

Required Permissions

No specific permissions are required.

