SentinelOne

SentinelOne is an endpoint protection solution including prevention, detection, and response.

Related Enforcement Actions

• SentinelOne - Add or Remove Tag to/from Assets
• SentinelOne - Initiate Scan
• SentinelOne - Remove Asset
• SentinelOne - Execute Remote Script Orchestration
• SentinelOne - Isolate/Unisolate a Device

Types of Assets Fetched

This adapter fetches the following types of assets:

• Devices
• Users
• SaaS Data
  
  

Parameters

1. SentinelOne Domain (required) - The hostname or IP Address of the SentinelOne management server. This field format is '[instance].sentinelone.net'.

2. User Name and Password (optional) - The user name and password for an account that has site viewer access to the management server. For information on how to create users in SentinelONE, see Create a Single User.

   Note:

   • If API Token is not supplied, User Name and Password fields are required.
   • The User Name and Password parameters take precedence over the API Token parameter.

3. 2FA Secret (only for accounts with SaaS Management capability) - The secret generated in SentinelOne for setting up two-factor authentication for the adapter user created for collecting SaaS data.

4. API token (optional) - The API token is created within the My User Profile of the account with viewer access to the management server.

   Note:

   • If User Name and Password are not supplied, API Token field is required.
   • When Two Factor Authentication is used, you must use API Token and leave the User Name and Password fields empty.

5. Verify SSL - Select to verify the SSL certificate offered by the value supplied in SentinelOne Domain. For more details, see SSL Trust & CA Settings.

6. HTTPS Proxy (optional) - A proxy to use when connecting to the value supplied in SentinelOne Domain.

7. Enable Client Side Certificate - Select to enable Axonius to send requests using the certificates uploaded to allow Mutual TLS configuration for this adapter.

   • Click Upload File next to Client Private Key File to upload a client private key file in PEM format.
   • Click Upload File next to Client Certificate File to upload a public key file in PEM format.

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.

Advanced Settings

1. Fetch applications - Select this option to fetch Sentinel One applications.
2. Fetch application CVEs - Select whether to fetch CVE security vulnerability information for software.
3. Fetch decommissioned devices - Select whether to fetch devices that are decommissioned. This requires 'Endpoints View credentials' permission.
4. Fetch threats for infected devices - Select this option to fetch threats of a device when the infected value on the SentinelOne server is set to true.
5. Fetch latest installed apps only - Select this option to fetch only the latest installed app.
6. Fetch device control events - Select this option to fetch the device control events for each device.
7. Fetch Application settings (optional, default: true) (only for accounts with SaaS Management capability) - Select this option to fetch application settings for users.
8. Fetch last installed software version only - Select this option to fetch only the version with the most recent installed date for each software.
9. Deep Visibility query - Enter a SentinelOne Deep Visibility query name to fetch the query events and parse them inside the devices as “Deep Visibility Events“.
10. Remove old tags - Select this option to remove old tags that are no longer being fetched from SentinelOne.
11. Background fetch tasks - Select tasks from the drop-down that will be fetched in the background.
12. Background fetch interval (Hours)- (default: 72 (3 days)) - Set the interval in hours for background fetch.

APIs

Axonius uses the following APIs
To fetch users:

• v2.1/users

For users with SaaS Management Capabilities

To Fetch user roles:

• v2.1/rbac/roles

To fetch Groups

• v2.1/groups

To fetch Events

• v2.1/dv/init-query
• v2.1/dv/query-status
• v2.1/dv/events