
SentinelOne

SentinelOne is an endpoint protection and threat response tool. You can bring device, application, and application install data from SentinelOne into Brinqa to construct a unified view of your attack surface and strengthen your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with SentinelOne and how to obtain that information from SentinelOne. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select SentinelOne from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate SentinelOne with Brinqa:

  • Server URL: The base URL of your SentinelOne management console, the same https:// address you use to log in to the console, with no path appended.

  • API token: The API token of the SentinelOne user account the connector should act as. The token carries that user's permissions, so the account must be allowed to log in to the API and read the data listed under Types of data to retrieve. Use a dedicated account with the least privilege that still permits read access rather than a personal administrator account, because a leaked token grants everything that account can do.

Generate a SentinelOne API token

For the SentinelOne connector to use the SentinelOne API, you must provide an API token from SentinelOne. The console shows a token only once, at the moment it is generated; an existing user's token cannot be retrieved later, and generating a new token for a user replaces that user's previous token. To generate a new API token, follow these steps:

  1. Log in to your organization's SentinelOne server as an administrator.

  2. Navigate to Settings > Users.

  3. Select the user for which you want to generate a new API token.

  4. Next to API Token, click Generate.

    Copy the API token immediately and store it in a secrets manager or another safe and secure location; the console does not display it again. This is the value you enter in the connector's API token field.

note

Consult SentinelOne documentation for accuracy. If you do not have the permissions to create a SentinelOne API token, contact your SentinelOne administrator.

Additional settings

The SentinelOne connector contains additional options for specific configuration:

  • Set page size: The maximum number of records requested per API call. The default is 1000, which is also the upper limit you should use; values above 1000 are not recommended.

  • Skip certificate verification: Select this option only if the SentinelOne server presents a certificate that Brinqa cannot validate, such as a self-signed certificate on an on-premises console. It disables TLS certificate verification entirely, which allows an on-path attacker to intercept the API token. Adding the issuing CA to the trust store is the safer fix.

Types of data to retrieve

The SentinelOne connector can retrieve the following types of data from the SentinelOne API:

Table 1: Data retrieved from SentinelOne

Connector Object           Required   Maps to Data Model
Application                No         Package
Application Install        No         Installed Package
Device                     Yes        Host
Threat                     No         Incident
Threat Definition          No         Incident Definition
Vulnerability              Yes        Vulnerability
Vulnerability Definition   Yes        Vulnerability Definition
info

For detailed steps on how to view the data retrieved from SentinelOne in the Brinqa Platform, see How to view your data.

Operation options

The SentinelOne connector supports the following operation options. See connector operation options for information about how to apply them.

Table 2: SentinelOne connector operation options

Connector Object: Device

  Option: osTypes
  All possible values: windows, macos, linux
  Description: A comma-separated list of operating systems. Use this option to retrieve only the SentinelOne data that pertains to the specified operating systems.
  Example: Key: osTypes, Value: linux. This key and value combination retrieves only data that pertains to the Linux operating system.

  Option: machineTypes
  All possible values: desktop, laptop, server, storage, kubernetes node
  Description: A comma-separated list of machine types. Use this option to retrieve only the SentinelOne data that pertains to the specified machine types.
  Example: Key: machineTypes, Value: desktop. This key and value combination retrieves only data that pertains to desktop machines.
note

The option keys are case-sensitive (osTypes, not OSTypes or ostypes), and the values must be written in lowercase exactly as listed above.

APIs

The SentinelOne connector uses the SentinelOne API. Specifically, it uses the following endpoints:

Table 3: SentinelOne API Endpoints

Connector Object           API Endpoint
Application                /web/api/v2.1/installed-applications
Application Install        /web/api/v2.1/installed-applications
Device                     /web/api/v2.1/agents
Threat                     /web/api/v2.1/threats
Threat Definition          /web/api/v2.1/threats
Vulnerability              /web/api/v2.1/application-management/risks
Vulnerability Definition   /web/api/v2.1/application-management/risks
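The connection settings, page size, operation options and endpoints above, tied together in an added Python example. This is not Brinqa's connector code or SentinelOne's own client; it shows what a sync of the Device object amounts to at the HTTP level. Beyond what this page states, it assumes that the SentinelOne API takes the token in an "Authorization: ApiToken" header, accepts limit and cursor query parameters, and returns JSON with a data list and a pagination.nextCursor field. The console address and the responses served by fake_console_fetch are constructed sample data.

```python
import json
import ssl
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional

MAX_PAGE_SIZE = 1000  # the documented ceiling for "Set page size"
OS_TYPES = {"windows", "macos", "linux"}
MACHINE_TYPES = {"desktop", "laptop", "server", "storage", "kubernetes node"}
AGENTS_ENDPOINT = "/web/api/v2.1/agents"  # Device object endpoint from Table 3

Fetch = Callable[[str, Dict[str, str]], dict]


def build_request(server_url: str, api_token: str, endpoint: str, *,
                  page_size: int = MAX_PAGE_SIZE,
                  os_types: Optional[Iterable[str]] = None,
                  machine_types: Optional[Iterable[str]] = None,
                  cursor: Optional[str] = None):
    """Return (url, headers) for one page of `endpoint`, validating the option
    values the way the connector documents them (case-sensitive keys, lowercase
    values from a fixed set). Header format is an assumption, see lead-in."""
    if not server_url.lower().startswith("https://"):
        raise ValueError("Server URL must use https://, otherwise the API token travels in clear text")
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"page size must be between 1 and {MAX_PAGE_SIZE}")
    params = {"limit": str(page_size)}
    for key, values, allowed in (("osTypes", os_types, OS_TYPES),
                                 ("machineTypes", machine_types, MACHINE_TYPES)):
        if values:
            values = list(values)
            unknown = sorted(set(values) - allowed)
            if unknown:
                raise ValueError(f"{key}: unsupported value(s) {unknown}; allowed: {sorted(allowed)}")
            params[key] = ",".join(values)
    if cursor:
        params["cursor"] = cursor
    url = server_url.rstrip("/") + endpoint + "?" + urllib.parse.urlencode(params)
    headers = {"Authorization": f"ApiToken {api_token}", "Accept": "application/json"}
    return url, headers


def http_fetch(verify_tls: bool = True) -> Fetch:
    """Build a real fetch callable over urllib. verify_tls=False is the
    equivalent of the connector's "Skip certificate verification" option: any
    certificate is accepted, so an on-path attacker can read the token."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def fetch(url: str, headers: Dict[str, str]) -> dict:
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            return json.load(resp)
    return fetch


def iter_records(fetch: Fetch, server_url: str, api_token: str,
                 endpoint: str, **options) -> List[dict]:
    """Collect every record of a cursor-paginated endpoint. Stops when
    nextCursor is null and refuses to revisit a cursor, so a misbehaving
    server cannot turn the sync into an endless loop."""
    records: List[dict] = []
    cursor: Optional[str] = None
    seen = set()
    while True:
        url, headers = build_request(server_url, api_token, endpoint, cursor=cursor, **options)
        body = fetch(url, headers)
        records.extend(body.get("data", []))
        cursor = (body.get("pagination") or {}).get("nextCursor")
        if not cursor:
            return records
        if cursor in seen:
            raise RuntimeError(f"server returned cursor {cursor!r} twice; aborting sync")
        seen.add(cursor)


def fake_console_fetch(url: str, headers: Dict[str, str]) -> dict:
    """Constructed stand-in for a console serving two pages of Linux agents.
    Sample data only, not a real SentinelOne response."""
    if not headers.get("Authorization", "").startswith("ApiToken "):
        raise PermissionError("missing ApiToken header")
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if "limit" not in qs:
        raise ValueError("limit parameter missing")
    pages = {
        None: {"data": [{"id": "a1", "osType": "linux"}, {"id": "a2", "osType": "linux"}],
               "pagination": {"nextCursor": "c2", "totalItems": 3}},
        "c2": {"data": [{"id": "a3", "osType": "linux"}],
               "pagination": {"nextCursor": None, "totalItems": 3}},
    }
    return pages[qs.get("cursor", [None])[0]]


if __name__ == "__main__":
    agents = iter_records(fake_console_fetch, "https://console.example.invalid", "REDACTED",
                          AGENTS_ENDPOINT, page_size=2, os_types=["linux"])
    print(len(agents), "agents:", [a["id"] for a in agents])
```

Swap fake_console_fetch for http_fetch() to run against a real console. The validation in build_request is the point of the example: a token sent over http://, an uppercase osTypes value, or a page size above 1000 fails before any request is made, which is the behaviour you want from a connector handling a credential with the full rights of its user.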

Changelog

The SentinelOne connector has undergone the following changes:

3.1.7

  • Added the Threat, Threat Definition, Vulnerability, and Vulnerability Definition objects.

3.1.6

  • Updated dependencies.

3.1.15

  • Fixed some sync errors.

  • Made the Application and Application Install objects optional.

3.1.14

  • Fixed an error when syncing the Device object.

3.0.7

  • Added cloud metadata as a source for the Device object.

3.0.6

  • Added a FIRST_SEEN attribute to the Device object.

3.0.0