SentinelOne
  • 19 Aug 2024

Article summary

SentinelOne is an endpoint protection solution including prevention, detection, and response.

Related Enforcement Actions

Types of Assets Fetched

This adapter fetches the following types of assets:

  • Devices
  • Users
  • Vulnerabilities
  • Software
  • Roles
  • Groups
  • Application Settings
  • SaaS Applications
  • Alerts/Incidents

Parameters

  1. SentinelOne Domain (required) - The hostname or IP address of the SentinelOne management server. The field format is '[instance].sentinelone.net'.

  2. User Name and Password (optional) - The user name and password of an account that has site viewer access to the management server. For information on how to create users in SentinelOne, see Create a Single User.

    Note:
    • If API Token is not supplied, User Name and Password fields are required.
    • The User Name and Password parameters take precedence over the API Token parameter.
  3. 2FA Secret (only for accounts with SaaS Management capability) - The secret generated in SentinelOne for setting up two-factor authentication for the adapter user created for collecting SaaS data.

  4. Singularity Data Lake (SDL) API Key (optional) - Enter the API Key from the Singularity Data Lake in order to enable the SDL queries in Advanced Settings. Note: This requires Log Read Access permission.

  5. API token (optional) - The API token is created within the My User Profile of the account with viewer access to the management server.

    Note:
    • If User Name and Password are not supplied, API Token field is required.
    • When Two Factor Authentication is used, you must use API Token and leave the User Name and Password fields empty.
  6. Verify SSL - Select to verify the SSL certificate offered by the host supplied in SentinelOne Domain. For more details, see SSL Trust & CA Settings.

  7. HTTPS Proxy (optional) - A proxy to use when connecting to the host supplied in SentinelOne Domain.

  8. Enable Client Side Certificate - Select to have Axonius send requests using the uploaded client certificate and key, which enables a mutual TLS configuration for this adapter.

    • Click Upload File next to Client Private Key File to upload the client private key file in PEM format.
    • Click Upload File next to Client Certificate File to upload the client certificate (public key) file in PEM format.

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.
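The parameter rules above (User Name and Password take precedence over API Token, at least one of the two must be supplied, Two Factor Authentication requires the token alone, and mutual TLS needs both PEM files) can be checked before any request is sent. The following is an added example, not Axonius code: it validates one connection's parameters and turns them into settings for an HTTPS client. The precedence and 2FA rules are taken from the article; the `Authorization: ApiToken <token>` header scheme is assumed from the public SentinelOne API reference, and the `verify`/`proxies`/`cert` keyword names are an assumption about a requests-style HTTP library.

```python
"""Validate SentinelOne adapter connection parameters and build client settings.

Added example, not Axonius code. Precedence and 2FA rules follow the article;
the "ApiToken" Authorization scheme and the requests-style keyword names
(verify, proxies, cert) are assumptions.
"""
from dataclasses import dataclass
from typing import Any, Dict


@dataclass
class ConnectionParams:
    """One adapter connection, field for field as in the Parameters list."""
    domain: str                       # '[instance].sentinelone.net'
    user_name: str = ""
    password: str = ""
    api_token: str = ""
    two_factor_enabled: bool = False  # the account uses Two Factor Authentication
    verify_ssl: bool = True
    https_proxy: str = ""
    client_cert_file: str = ""        # PEM; must be paired with client_key_file
    client_key_file: str = ""


def build_client_settings(p: ConnectionParams) -> Dict[str, Any]:
    """Return base URL, auth choice and TLS/proxy options, or raise ValueError
    for the combinations the article rules out."""
    host = p.domain.strip()
    if host.startswith("https://"):          # tolerate a pasted URL; the field wants a host
        host = host[len("https://"):]
    host = host.rstrip("/")
    if not host:
        raise ValueError("SentinelOne Domain is required ('[instance].sentinelone.net')")

    has_creds = bool(p.user_name and p.password)
    if p.two_factor_enabled and (p.user_name or p.password):
        raise ValueError("With Two Factor Authentication use API Token and leave "
                         "User Name and Password empty")
    if not has_creds and not p.api_token:
        raise ValueError("Supply either User Name and Password or an API Token")
    if (p.user_name or p.password) and not has_creds:
        raise ValueError("User Name and Password must be supplied together")

    # User Name and Password take precedence over API Token when both are set.
    if has_creds:
        auth: Dict[str, Any] = {"mode": "password", "user_name": p.user_name,
                                "password": p.password}
    else:
        auth = {"mode": "api_token",
                "headers": {"Authorization": f"ApiToken {p.api_token}"}}  # assumed scheme

    if bool(p.client_cert_file) != bool(p.client_key_file):
        raise ValueError("Mutual TLS needs both Client Certificate File and "
                         "Client Private Key File")

    return {
        "base_url": f"https://{host}/web/api/v2.1",
        "auth": auth,
        "verify": p.verify_ssl,   # False skips certificate checks; keep True outside a lab
        "proxies": {"https": p.https_proxy} if p.https_proxy else {},
        "cert": (p.client_cert_file, p.client_key_file) if p.client_cert_file else None,
    }


if __name__ == "__main__":
    # Constructed sample values; no real tenant or token.
    print(build_client_settings(ConnectionParams(domain="example.sentinelone.net",
                                                 api_token="constructed-token")))
```

Running the module prints the settings for a token-only connection; passing both credential sets yields `mode: password`, and a 2FA-enabled account with a user name set is rejected before any network call.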



Advanced Settings

Note:

Advanced settings can apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection; see Advanced Configuration for Adapters.

  1. Fetch applications - Select this option to fetch SentinelOne applications.

    Note:
    In order to fetch SentinelOne applications, you need to set the Application Scanning configuration in your SentinelOne environment. This applies to every Axonius version since 6.1.13.
  2. Fetch application CVEs - Select whether to fetch CVE security vulnerability information for software.
  3. Ignore vulnerabilities from ubuntu packages - Select this option to ignore vulnerabilities of software detected as an Ubuntu package.
  4. Fetch decommissioned devices - Select whether to fetch devices that are decommissioned. This requires the 'Endpoints View credentials' permission.
  5. Fetch threats for infected devices - Select this option to fetch the threats of a device when its infected value on the SentinelOne server is set to true.
  6. Fetch device control events - Select this option to fetch the device control events for each device.
  7. Fetch Application settings (optional, default: true) (only for accounts with SaaS Management capability) - Select this option to fetch application settings for users.
  8. Fetch last installed software version only - Select this option to fetch only the version with the most recent installed date for each software.
  9. Deep Visibility query - Enter a SentinelOne Deep Visibility query name to fetch the query events and parse them inside the devices as "Deep Visibility Events".
  10. Remove old tags - Select this option to remove old tags that are no longer being fetched from SentinelOne.
  11. Background fetch tasks - Select tasks from the drop-down that will be fetched in the background.
  12. Background fetch interval (Hours) (default: 72 (3 days)) - Set the interval in hours for background fetch.
  13. Enable fetch from Skylight query - Toggle on to enable fetch from the Skylight query.
    • Skylight query - If Enable fetch from Skylight query is enabled, enter the SDL query to fetch events. Note: Requires configuring the Singularity Data Lake (SDL) API Key in Parameters.
  14. Ignore public IPs from externalIp field - Select this option to ignore public IPs from the externalIp field.


Note:

To learn more about Adapter Configuration tab advanced settings, see Adapter Advanced Settings.


APIs

Axonius uses the following APIs.

To fetch users:

  • v2.1/users

For users with SaaS Management capabilities, to fetch user roles:

  • v2.1/rbac/roles

To fetch groups:

  • v2.1/groups

To fetch events:

  • v2.1/dv/init-query
  • v2.1/dv/query-status
  • v2.1/dv/events
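The three `v2.1/dv` endpoints listed above form one asynchronous exchange: submit the query, poll its status until it finishes, then page through the events. The following is an added example, not Axonius or SentinelOne code, showing that flow with a bounded poll loop and cursor pagination. The endpoint paths come from this article; the request and response field names (`queryId`, `responseState`, `nextCursor`, the `FINISHED` state) are assumptions taken from the public SentinelOne API reference and should be checked against your own console's API documentation. The HTTP layer is injected as a `transport` callable so the flow runs offline here against a constructed stand-in server; in production the transport would wrap an HTTPS session configured with the Verify SSL, HTTPS Proxy and client certificate parameters.

```python
"""Deep Visibility query flow: init-query -> query-status polling -> events paging.

Added example, not Axonius or SentinelOne code. Endpoint paths are from the
article; field names and state values are assumptions from the public API
reference.
"""
import time
from typing import Any, Callable, Dict, List, Optional

# transport(method, path, params, body) -> decoded JSON. Injected so the flow
# can be tested offline; wrap an HTTPS session (verify/proxies/cert set from the
# adapter parameters, Authorization header attached) for real use.
Transport = Callable[[str, str, Optional[dict], Optional[dict]], dict]

API = "/web/api/v2.1/dv"
TERMINAL_FAILURE = {"FAILED", "TIMED_OUT", "ERROR"}   # assumed state names


def run_deep_visibility_query(transport: Transport, query: str, from_date: str, to_date: str,
                              max_polls: int = 30, poll_interval: float = 0.0,
                              page_size: int = 1000) -> List[Dict[str, Any]]:
    # 1. Submit the query; the server hands back an id that the next calls refer to.
    init = transport("POST", f"{API}/init-query", None,
                     {"query": query, "fromDate": from_date, "toDate": to_date})
    query_id = init["data"]["queryId"]

    # 2. Poll until finished, with a hard bound so a stuck query cannot hang the fetch.
    for _ in range(max_polls):
        status = transport("GET", f"{API}/query-status", {"queryId": query_id}, None)
        state = status["data"]["responseState"]
        if state == "FINISHED":
            break
        if state in TERMINAL_FAILURE:
            raise RuntimeError(f"Deep Visibility query {query_id} ended in state {state}")
        time.sleep(poll_interval)
    else:
        raise TimeoutError(f"Deep Visibility query {query_id} not finished after {max_polls} polls")

    # 3. Page through the result set; an absent nextCursor means the last page.
    events: List[Dict[str, Any]] = []
    cursor: Optional[str] = None
    while True:
        params: Dict[str, Any] = {"queryId": query_id, "limit": page_size}
        if cursor:
            params["cursor"] = cursor
        page = transport("GET", f"{API}/events", params, None)
        events.extend(page["data"])
        cursor = page.get("pagination", {}).get("nextCursor")
        if not cursor:
            return events


class FakeSentinelOne:
    """Constructed stand-in for the management server: reports RUNNING on the
    first status poll, `final_state` from the second poll on, and serves two
    pages of constructed events."""

    def __init__(self, final_state: str = "FINISHED") -> None:
        self.final_state = final_state
        self.polls = 0

    def __call__(self, method: str, path: str, params: Optional[dict], body: Optional[dict]) -> dict:
        if path.endswith("/init-query"):
            assert method == "POST" and body and body["query"]
            return {"data": {"queryId": "q-constructed-1"}}
        if path.endswith("/query-status"):
            self.polls += 1
            return {"data": {"responseState": self.final_state if self.polls >= 2 else "RUNNING"}}
        if path.endswith("/events"):
            if not (params or {}).get("cursor"):
                return {"data": [{"eventType": "Process Creation", "processName": "cmd.exe"}],
                        "pagination": {"nextCursor": "page-2"}}
            return {"data": [{"eventType": "File Modification", "fileFullName": "C:\\tmp\\a.txt"}],
                    "pagination": {"nextCursor": None}}
        raise ValueError(f"unexpected path {path}")


def demo() -> List[Dict[str, Any]]:
    """Run the flow against the constructed server and return the collected events."""
    return run_deep_visibility_query(FakeSentinelOne(), 'EventType = "Process Creation"',
                                     "2024-08-18T00:00:00Z", "2024-08-19T00:00:00Z")


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The bounded poll loop and the explicit failure states are the parts worth keeping when adapting this: a scheduled fetch that waits forever on one query, or silently treats a failed query as "no events", is the kind of gap that makes a detection feed look healthy while it is empty.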

Required Permissions

  • The default 'read-only viewer role' that provides Read-only access to the system can be used with this adapter.
  • Log Read Access permission level is required in order to enter the SDL API key.


