SentinelOne
SentinelOne is an endpoint protection and threat response tool. You can bring application application install, device, threat intelligence, and security data from SentinelOne into Brinqa to construct a unified view of your attack surface and strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with SentinelOne and how to obtain that information from SentinelOne. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select SentinelOne from the Connector dropdown. If you cannot find the connector in the dropdown, make sure that you have installed it first. You must provide the following information to authenticate SentinelOne with Brinqa:
-
Server URL: The SentinelOne Server URL. The default URL format is
https://<tenant>.sentinelone.com. -
API token: The API token associated with the SentinelOne account, which must have permissions to log in to the API server and return data.
Generate a SentinelOne API token
For the SentinelOne connector to use the SentinelOne API, you must provide an API token from SentinelOne. SentinelOne does not allow retrieving the API token for an existing user. To generate a new API token, follow these steps:
-
Log in to your organization's SentinelOne server as an administrator.
-
Navigate to Settings > Users.
-
Select the user for which you want to generate a new API token.
-
Next to API Token, click Generate.
Your new API token displays. You can not view the token again after this. Copy and save it to a secure location.
If you do not have the permissions to create a SentinelOne API token, contact your SentinelOne administrator. Consult SentinelOne documentation for accuracy.
Additional settings
The SentinelOne connector contains additional options for specific configuration:
-
Page size: The maximum number of records to get per API request. The default setting is 1000. It is not recommended to go over 1000.
-
Maximum retries: The maximum number of times that the integration attempts to connect to the SentinelOne API before giving up and reporting a failure. The default setting is 10.
-
Skip certificate verification: Select this option to allow for untrusted certificates.
Types of data to retrieve
The SentinelOne connector can retrieve the following types of data from the SentinelOne API:
Table 1: Data retrieved from SentinelOne
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Application | No | Package |
| Application Install | No | Installed Package |
| Device | Yes | Host |
| Threat | No | Incident |
| Threat Definition | No | Incident Definition |
| Vulnerability | Yes | Vulnerability |
| Vulnerability Definition | Yes | Vulnerability Definition |
For detailed steps on how to view the data retrieved from SentinelOne in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Application
Table 2: Application attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| app.name | NAME |
| app.osType | OS_TYPE |
| app.publisher | PUBLISHER |
| app.signed | SIGNED |
| app.size | SIZE |
| app.type | CATEGORIES |
| app.type | KIND |
| app.version | REVISION |
| Generated (MD5 of publisher, name, and version) | UID |
Application Install
Table 3: Application Install attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| app.agentComputerName | AGENT_NAME |
| app.agentId | AGENT_ID |
| app.agentId | TARGETS |
| app.createdAt | SOURCE_CREATED_DATE |
| app.id | UID |
| app.installedAt | INSTALLED_DATE |
| app.riskLevel | RISK |
| app.uid | TYPE |
| app.updatedAt | SOURCE_LAST_MODIFIED |
Device
Table 4: Device attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| agent.accountId | ACCOUNT_ID |
| agent.accountName | ACCOUNT_NAME |
| agent.activeDirectory.computerDistinguishedName | COMPUTER_DN |
| agent.activeDirectory.computerMemberOf | COMPUTER_MEMBER_OF |
| agent.activeDirectory.lastUserDistinguishedName | LAST_USER_DN |
| agent.activeDirectory.lastUserMemberOf | LAST_USER_MEMBER_OF |
| agent.activeThreats | ACTIVE_THREATS |
| agent.agentVersion | AGENT_VERSION |
| agent.allowRemoteShell | ALLOW_REMOTE_SHELL |
| agent.appsVulnerabilityStatus | VULNERABILITY_STATUS |
| agent.cloudProviders.*.cloudInstanceId | INSTANCE_ID |
| agent.computerName | DNS_NAMES |
| agent.computerName | HOSTNAMES |
| agent.computerName | NAME |
| agent.computerName | PRIVATE_DNS_NAMES |
| agent.consoleMigrationStatus | CONSOLE_MITIGATION_STATUS |
| agent.coreCount | CORE_COUNT |
| agent.cpuCount | CPU_COUNT |
| agent.cpuId | CPU_ID |
| agent.createdAt | SOURCE_CREATED_DATE |
| agent.detectionState | DETECTION_STATE |
| agent.domain | DOMAIN |
| agent.encryptedApplications | ENCRYPTED_APPLICATIONS |
| agent.externalId | EXTERNAL_ID |
| agent.externalIp | IP_ADDRESSES |
| agent.externalIp | PUBLIC_IP_ADDRESSES |
| agent.firewallEnabled | FIREWALL_ENABLED |
| agent.groupId | GROUP_ID |
| agent.groupName | GROUP_NAME |
| agent.id | AGENT_ID |
| agent.id | UID |
| agent.inRemoteShellSession | IN_REMOTE_SHELL_SESSION |
| agent.infected | INFECTED |
| agent.installerType | INSTALLER_TYPE |
| agent.isActive | IS_ACTIVE |
| agent.isDecommissioned | IS_DECOMMISSIONED |
| agent.isDecommissioned | STATUS |
| agent.isPendingUninstall | IS_PENDING_UNINSTALL |
| agent.isUninstalled | IS_UNINSTALLED |
| agent.isUpToDate | IS_UPTO_DATE |
| agent.lastActiveDate | LAST_ACTIVE |
| agent.lastActiveDate | LAST_SEEN |
| agent.lastIpToMgmt | IP_ADDRESSES |
| agent.lastIpToMgmt | PRIVATE_IP_ADDRESSES |
| agent.lastLoggedInUserName | LAST_LOGGED_IN_USERNAME |
| agent.lastSuccessfulScanDate | LAST_SUCCESSFUL_FULL_SCAN |
| agent.locations.name | LOCATIONS |
| agent.machineType | CATEGORIES |
| agent.machineType | MACHINE_TYPE |
| agent.machineSid | MACHINE_SID |
| agent.mitigationMode | MITIGATION_MODE |
| agent.mitigationModeSuspicious | MITIGATION_MODE_SUSPICIOUS |
| agent.modelName | MODEL |
| agent.networkInterfaces.inet | IP_ADDRESSES |
| agent.networkInterfaces.inet | PRIVATE_IP_ADDRESSES |
| agent.networkInterfaces.physical | MAC_ADDRESSES |
| agent.networkStatus | NETWORK_STATUS |
| agent.operationalState | OPERATIONAL_STATE |
| agent.osArch | OS_ARCH |
| agent.osName | OS_NAME |
| agent.osRevision | OS_REVISION |
| agent.osStartTime | LAST_STARTED |
| agent.osStartTime | OS_START_TIME |
| agent.osType | OS_TYPE |
| agent.osType, agent.osRevision, agent.osArch | DESCRIPTION |
| agent.osType, agent.osRevision, agent.osArch | OPERATING_SYSTEM |
| agent.osUsername | OS_USERNAME |
| agent.rangerStatus | RANGER_STATUS |
| agent.rangerVersion | RANGER_VERSION |
| agent.registeredAt | FIRST_SEEN |
| agent.registeredAt | REGISTERED_AT |
| agent.scanAbortedAt | SCAN_ABORTED_AT |
| agent.scanFinishedAt | SCAN_FINISHED_AT |
| agent.scanStartedAt | SCAN_STARTED_AT |
| agent.scanStatus | SCAN_STATUS |
| agent.serialNumber | SERIAL_NUMBER |
| agent.siteId | SITE_ID |
| agent.siteName | SITE_NAME |
| agent.threatRebootRequired | THREAT_REBOOT_REQUIRED |
| agent.totalMemory | TOTAL_MEMORY |
| agent.updatedAt | SOURCE_LAST_MODIFIED |
| agent.userActionsNeeded | USER_ACTION_NEEDED |
| agent.uuid | AGENT_UUID |
Threat
Table 5: Threat attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| threat.agentRealtimeInfo.agentUuid | TARGETS |
| threat.id | UID |
| threat.threatInfo.createdAt | FIRST_FOUND |
| threat.threatInfo.filePath | PATH |
| threat.threatInfo.fileSize | FILE_SIZE |
| threat.threatInfo.incidentStatusDescription | SOURCE_STATUS |
| threat.threatInfo.incidentStatusDescription | STATUS |
| threat.threatInfo.incidentStatusDescription | STATUS_CATEGORY |
| threat.threatInfo.mitigationStatusDescription | MITIGATION_STATUS |
| threat.threatInfo.threatName | TYPE |
| threat.threatInfo.updatedAt | LAST_FOUND |
Threat Definition
Table 6: Threat Definition attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| threat.threatInfo.classification | CATEGORIES |
| threat.threatInfo.confidenceLevel | CONFIDENCE_LEVEL |
| threat.threatInfo.threatName | NAME |
| threat.threatInfo.threatName | UID |
Vulnerability
Table 7: Vulnerability attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| Generated (MD5 of vendor, name, and version) | TARGETS |
| vulnerability.cveId | TYPE |
| vulnerability.daysDetected | DAYS_DETECTED |
| vulnerability.detectionDate | FIRST_FOUND |
| vulnerability.endpointId | TARGETS |
| vulnerability.id | UID |
| vulnerability.lastScanDate | LAST_FOUND |
| vulnerability.lastScanResult | LAST_SCAN_RESULT |
| vulnerability.markType | MARK_TYPE |
| vulnerability.markedBy | MARKED_BY |
| vulnerability.markedDate | MARKED_DATE |
| vulnerability.reason | REASON |
| vulnerability.status | PROVIDER_STATUS |
| vulnerability.status | SOURCE_STATUS |
| vulnerability.status | STATUS |
| vulnerability.status | STATUS_CATEGORY |
Vulnerability Definition
Table 8: Vulnerability Definition attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| vulnerability.baseScore | CVSS_V3_BASE_SCORE |
| vulnerability.cveId | CVE_IDS |
| vulnerability.cveId | CVE_RECORDS |
| vulnerability.cveId | NAME |
| vulnerability.cveId | UID |
| vulnerability.publishedDate | PUBLISHED_DATE |
| vulnerability.severity | SEVERITY |
| vulnerability.severity | SEVERITY_SCORE |
| vulnerability.severity | SOURCE_SEVERITY |
Data lifecycle management (DLM) strategy
The following table details the DLM strategy for the SentinelOne connector:
Table 9: SentinelOne DLM strategy
| Connector Object | Inactivity Condition | Purge Policy | Summary |
|---|---|---|---|
| Device | LAST_SEEN NOT IN LAST 30 DAYS | 30 days after inactivity | Uses the LAST_SEEN attribute to identify devices that are inactive for 365 days, and then purges the records after 30 days of inactivity. |
| Vulnerability | Inactivity is delegated to the Device object | 30 days after inactivity | Inactivity is determined by the lifecycle status of the associated device, and then purges the records after 30 days of inactivity. |
Operation options
The SentinelOne connector supports the following operation options. See connector operation options for information about how to apply them.
Table 10: SentinelOne connector operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Device | isDecommissioned | true, false | You can use this option to filter retrieved devices based on their commissioned status, as determined by SentinelOne. | Key: isDecommissioned Value: false. This key and value combination only retrieves devices that have not been decommissioned. |
| osTypes | windows, macos, linux | A comma-separated list of operating systems. You can use this option to retrieve data from SentinelOne that only contains the specified operating system. | Key: osTypes Value: linux. This key and value combination only retrieves data from SentinelOne that pertains to the Linux operating system. | |
| machineTypes | desktop, laptop, server, storage, kubernetes node | A comma-separated list of machine types. You can use this option to retrieve data from SentinelOne that only contains the specified machine type. | Key: machineTypes Value: desktop. This key and value combination only retrieves data from SentinelOne that pertains to desktop machines. |
The option keys are case-sensitive and the possible values are in lowercase as they are shown in the documentation.
APIs
The SentinelOne connector uses the SentinelOne REST API. Specifically, it uses the following endpoints:
Table 11: SentinelOne API Endpoints
| Connector Object | API Endpoint |
|---|---|
| Application | /web/api/v2.1/installed-applications |
| Application Install | /web/api/v2.1/installed-applications |
| Device | /web/api/v2.1/agents |
| Threat | /web/api/v2.1/threats |
| Threat Definition | /web/api/v2.1/threats |
| Vulnerability | /web/api/v2.1/application-management/risks |
| Vulnerability Definition | /web/api/v2.1/application-management/risks |
Changelog
The SentinelOne connector has undergone the following changes:
Table 12: SentinelOne connector changelog
| Version | Description | Date Published |
|---|---|---|
| 3.2.7 | Bug Fixes Application Install Date/Time Attributes - Fixed the 'Application Install' model where 'Created at', 'Installed date', and 'Updated at' were stored as integer values instead of date/time. These fields now correctly reflect the timestamps returned by the SentinelOne API. Migration Required - 'Application Install': The 'Created at' attribute has been renamed to 'Source created date' and 'Updated at' has been renamed to 'Source last modified' to align with standard platform attributes. The 'Installed date' attribute type has changed from integer to date/time. A full re-sync of Application Install records is required after upgrading to apply the updated attribute names and types. | June 3rd, 2026 |
| 3.2.6 | Improvements Dependency Upgrades - Upgraded internal framework and storage libraries to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. No Migration | June 3rd, 2026 |
| 3.2.5 | Code cleanup and general maintenance. | October 11th, 2024 |
| 3.2.4 | Code cleanup and general maintenance. | October 11th, 2024 |
| 3.2.3 | - The connector now uses the IS_DECOMMISIONED attribute to determine device status. - Added a new operation option to filter devices by their decommissioned status: isDecommissioned. | October 10th, 2024 |
| 3.2.2 | Code cleanup and general maintenance. | October 10th, 2024 |
| 3.2.1 | - Added more attributes to the Device object. - Code cleanup and general maintenance. | October 10th, 2024 |
| 3.2.0 | - Changed the CVSS_V3_BASE_SCORE attribute type on the Vulnerability Definition object from string to double. - Code cleanup and general maintenance. | October 9th, 2024 |
| 3.1.18 | Added support for Data lifecycle management to the Device and Vulnerability objects. | September 27th, 2024 |
| 3.1.17 | The connector now retrieves the Threat, Threat Definition, Vulnerability, and Vulnerability Definition objects from SentinelOne. | April 8th, 2024 |
| 3.1.16 | Updated dependencies. | March 8th, 2024 |
| 3.1.15 | - Fixed some sync errors. - Made the Application and Application Install objects optional. | September 13th, 2023 |
| 3.1.14 | Fixed an issue where the Device object sync was failing. | September 13th, 2023 |
| 3.0.13 | Code cleanup and general maintenance. | January 18th, 2023 |
| 3.0.12 | Code cleanup and general maintenance. | December 10th, 2022 |
| 3.0.11 | The CATEGORY attribute on the Application and Device objects has been renamed to CATEGORIES | December 8th, 2022 |
| 3.0.10 | Code cleanup and general maintenance. | December 5th, 2022 |
| 3.0.9 | Code cleanup and general maintenance. | December 5th, 2022 |
| 3.0.8 | Code cleanup and general maintenance. | December 4th, 2022 |
| 3.0.7 | Added cloud metadata as a source for the Device object. | December 4th, 2022 |
| 3.0.6 | Added the FIRST_SEEN attribute to the Device object. | December 3rd, 2022 |
| 3.0.5 | Code cleanup and general maintenance. | December 3rd, 2022 |
| 3.0.4 | Code cleanup and general maintenance. | December 3rd, 2022 |
| 3.0.3 | Code cleanup and general maintenance. | December 1st, 2022 |
| 3.0.2 | Updated the connector icon. | December 1st, 2022 |
| 3.0.1 | Fixed an issue where the status for the Device object was not applied properly. | November 15th, 2022 |
| 3.0.0 | Initial Integration+ release. | November 14th, 2022 |