SentinelOne
- Updated on 19 Aug 2024
SentinelOne is an endpoint protection solution including prevention, detection, and response.
Related Enforcement Actions
- SentinelOne - Add or Remove Tag to/from Assets
- SentinelOne - Initiate Scan
- SentinelOne - Remove Asset
- SentinelOne - Execute Remote Script Orchestration
- SentinelOne - Isolate/Unisolate a Device
- SentinelOne - Change Asset Site
- SentinelOne - Change Asset Group
Types of Assets Fetched
This adapter fetches the following types of assets:
- Devices
- Users
- Vulnerabilities
- Software
- Roles
- Groups
- Application Settings
- SaaS Applications
- Alerts/Incidents
Parameters
SentinelOne Domain (required) - The hostname or IP Address of the SentinelOne management server. This field format is '[instance].sentinelone.net'.
User Name and Password (optional) - The user name and password for an account that has site viewer access to the management server. For information on how to create users in SentinelOne, see Create a Single User.
Note:
- If API Token is not supplied, the User Name and Password fields are required.
- The User Name and Password parameters take precedence over the API Token parameter.
2FA Secret (only for accounts with SaaS Management capability) - The secret generated in SentinelOne for setting up two-factor authentication for the adapter user created for collecting SaaS data.
Singularity Data Lake (SDL) API Key (optional) - Enter the API Key from the Singularity Data Lake in order to enable the SDL queries in Advanced Settings. Note: This requires Log Read Access permission.
API token (optional) - The API token is created within the My User Profile of the account with viewer access to the management server.
Note:
- If User Name and Password are not supplied, the API Token field is required.
- When Two Factor Authentication is used, you must use API Token and leave the User Name and Password fields empty.
Verify SSL - Select to verify the SSL certificate offered by the value supplied in SentinelOne Domain. For more details, see SSL Trust & CA Settings.
HTTPS Proxy (optional) - A proxy to use when connecting to the value supplied in SentinelOne Domain.
Enable Client Side Certificate - Select to enable Axonius to send requests using the certificates uploaded to allow Mutual TLS configuration for this adapter.
- Click Upload File next to Client Private Key File to upload a client private key file in PEM format.
- Click Upload File next to Client Certificate File to upload a public key file in PEM format.
To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.
Advanced Settings
Advanced settings can apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection. For details, refer to Advanced Configuration for Adapters.
- Fetch applications - Select this option to fetch SentinelOne applications.
In order to fetch SentinelOne applications, you need to set the Application Scanning configuration in your SentinelOne environment. This is relevant for every Axonius version since 6.1.13.
- Fetch application CVEs - Select whether to fetch CVE security vulnerability information for software.
- Ignore vulnerabilities from Ubuntu packages - Select this option to ignore vulnerabilities of software detected as an Ubuntu package.
- Fetch decommissioned devices - Select whether to fetch devices that are decommissioned. This requires 'Endpoints View credentials' permission.
- Fetch threats for infected devices - Select this option to fetch threats of a device when the infected value on the SentinelOne server is set to true.
- Fetch device control events - Select this option to fetch the device control events for each device.
- Fetch Application settings (optional, default: true) (only for accounts with SaaS Management capability) - Select this option to fetch application settings for users.
- Fetch last installed software version only - Select this option to fetch only the version with the most recent installed date for each software.
- Deep Visibility query - Enter a SentinelOne Deep Visibility query name to fetch the query events and parse them inside the devices as "Deep Visibility Events".
- Remove old tags - Select this option to remove old tags that are no longer being fetched from SentinelOne.
- Background fetch tasks - Select tasks from the drop-down that will be fetched in the background.
- Background fetch interval (Hours) (default: 72 (3 days)) - Set the interval in hours for background fetch.
- Enable fetch from Skylight query - Toggle on to enable fetch from the Skylight query.
- Skylight query - If Enable fetch from Skylight query is enabled, enter the SDL query to fetch events. Note: Requires configuring the Singularity Data Lake (SDL) API Key in Parameters.
- Ignore public IPs from externalIp field - Select this option to ignore public IPs from the externalIp field.
To learn more about Adapter Configuration tab advanced settings, see Adapter Advanced Settings.
APIs
Axonius uses the following APIs:
To fetch users:
- v2.1/users
For users with SaaS Management capabilities:
To fetch user roles:
- v2.1/rbac/roles
To fetch groups:
- v2.1/groups
To fetch events:
- v2.1/dv/init-query
- v2.1/dv/query-status
- v2.1/dv/events
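As an added illustration (not Axonius's or SentinelOne's code) of how the three Deep Visibility endpoints above fit together: a query is initiated, its status is polled with a bounded number of attempts until it finishes, and the resulting events are paged out. The `/web/api` prefix, the JSON field names (`queryId`, `responseState`, `cursor`/`nextCursor`), the failure state names and the `ApiToken` Authorization header are assumptions for this example, and the server is a constructed offline fake.

```python
import time

API_PREFIX = "/web/api/v2.1"  # assumed prefix for the v2.1 endpoints listed above


def run_dv_query(transport, api_token, query, from_date, to_date, poll_interval=0.0, max_polls=20):
    """init-query -> poll query-status -> page through events. transport(method, path,
    headers, params, body) -> dict is injected so the flow runs offline against a fake."""
    headers = {"Authorization": f"ApiToken {api_token}"}  # assumed header scheme
    init = transport("POST", f"{API_PREFIX}/dv/init-query", headers, None,
                     {"query": query, "fromDate": from_date, "toDate": to_date})
    query_id = init["data"]["queryId"]
    for _ in range(max_polls):  # bounded polling: never spin forever on a stuck query
        state = transport("GET", f"{API_PREFIX}/dv/query-status", headers,
                          {"queryId": query_id}, None)["data"]["responseState"]
        if state == "FINISHED":
            break
        if state in {"FAILED", "ERROR", "TIMED_OUT"}:  # assumed terminal failure states
            raise RuntimeError(f"query {query_id} ended in state {state}")
        time.sleep(poll_interval)
    else:
        raise TimeoutError(f"query {query_id} not finished after {max_polls} polls")
    events, cursor = [], None
    while True:  # follow the server's cursor until it stops returning one
        params = {"queryId": query_id, "limit": 1000, **({"cursor": cursor} if cursor else {})}
        page = transport("GET", f"{API_PREFIX}/dv/events", headers, params, None)
        events.extend(page["data"])
        cursor = page.get("pagination", {}).get("nextCursor")
        if not cursor:
            return events


class FakeSentinelOne:
    """Constructed offline stand-in: first poll RUNNING, then FINISHED; two result pages."""
    PAGES = {None: {"data": [{"id": "e1"}, {"id": "e2"}], "pagination": {"nextCursor": "c1"}},
             "c1": {"data": [{"id": "e3"}], "pagination": {"nextCursor": None}}}
    polls = 0

    def __call__(self, method, path, headers, params, body):
        assert headers["Authorization"].startswith("ApiToken ")  # token sent on every call
        if path.endswith("/dv/init-query"):
            return {"data": {"queryId": "q-constructed-1"}}
        if path.endswith("/dv/query-status"):
            self.polls += 1
            return {"data": {"responseState": "RUNNING" if self.polls == 1 else "FINISHED"}}
        return self.PAGES[params.get("cursor")]


def demo():  # returns (event ids collected across both pages, number of status polls)
    fake = FakeSentinelOne()
    events = run_dv_query(fake, "constructed-token", 'EventType = "Process Creation"',
                          "2024-08-18T00:00:00Z", "2024-08-19T00:00:00Z")
    return [e["id"] for e in events], fake.polls
```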
Required Permissions
- The default 'read-only viewer role' that provides Read-only access to the system can be used with this adapter.
- Log Read Access permission level is required in order to enter the SDL API key.