
SentinelOne
Endpoint Protection
Data retrieved from SentinelOne
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Device | Yes | HOST |
| Application | Yes | PACKAGE |
| Application Install | Yes | INSTALLED_PACKAGE |
| Threat | Yes | INCIDENT |
| Threat Definition | Yes | INCIDENT_DEFINITION |
| Vulnerability | Yes | VULNERABILITY |
| Vulnerability Definition | Yes | VULNERABILITY_DEFINITION |
Model relationships
For detailed steps on how to view the data retrieved from SentinelOne in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select SentinelOne from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| Server URL | Yes | https://<tenant>.sentinelone.com | SentinelOne server URL |
| API token | Yes | — | SentinelOne API token |
| Page size | No | 1000 | Maximum number of records to get per API request |
| Maximum retries | No | 10 | The maximum number of retry attempts before giving up a request |
| SSL / TLS | No | false | Skip certificate verification. Leave at false so the SentinelOne server certificate is validated on every request; setting it to true lets a spoofed endpoint on the path to the tenant read the API token and the returned data. |
How to obtain SentinelOne credentials
SentinelOne authenticates API requests with a static API token, sent in the Authorization header of every request using the ApiToken scheme (Authorization: ApiToken <token>).
Obtain the required credentials (url, apiToken) from your SentinelOne administrator, or generate the token in the SentinelOne management console, then enter them in the connection settings above. Generate the token for a dedicated service user whose role grants only the read access the connector needs (agents, applications, threats, and vulnerabilities), and treat it as a secret: anyone holding it can read the same data until it is revoked. API tokens in SentinelOne carry an expiration date set when they are generated; when a previously working sync starts failing with HTTP 401, the token has most likely expired or been regenerated and a new one must be entered here.
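The following is an added example, not Brinqa connector code, showing how the four connection settings above combine in practice: the token goes in the Authorization header with the ApiToken scheme, Page size becomes the `limit` of each list request, pages are followed through `pagination.nextCursor` (the cursor paging used by SentinelOne v2.1 list endpoints), and Maximum retries bounds how many times a throttled (429) or failing (5xx) request is repeated before the sync gives up. A 401 is never retried, since retrying an expired token only wastes the retry budget. The class and function names, the `FakeTenant` stand-in that serves constructed sample agents offline, and the `/web/api/v2.1/agents` path are assumptions made for the example.

```python
import time
from typing import Callable, Iterator

# Transport signature: (url, headers, params) -> (http_status, parsed_json_body).
# Kept abstract so the paging and retry logic can run offline; in production it
# would wrap something like requests.get(url, headers=headers, params=params, timeout=30).
Transport = Callable[[str, dict, dict], tuple[int, dict]]


class SentinelOneClient:
    """Minimal client mirroring the connector settings: Server URL, API token,
    Page size (limit per request) and Maximum retries. Hypothetical, for illustration."""

    def __init__(self, server_url: str, api_token: str, transport: Transport,
                 page_size: int = 1000, max_retries: int = 10,
                 sleep: Callable[[float], None] = time.sleep):
        self.server_url = server_url.rstrip("/")
        self.api_token = api_token
        self.transport = transport
        self.page_size = page_size
        self.max_retries = max_retries
        self.sleep = sleep

    def _headers(self) -> dict:
        # The static token travels in the Authorization header with the ApiToken scheme.
        return {"Authorization": f"ApiToken {self.api_token}", "Accept": "application/json"}

    def get(self, path: str, params: dict) -> dict:
        """GET with bounded retries on throttling (429) and server errors (5xx).
        Auth failures are not retried: a 401 means the token is wrong or expired."""
        url = self.server_url + path
        attempts = 0
        while True:
            status, body = self.transport(url, self._headers(), params)
            if status == 200:
                return body
            if status in (401, 403):
                raise PermissionError(f"HTTP {status} on {path}: token rejected (expired or wrong tenant?)")
            if status == 429 or status >= 500:
                attempts += 1
                if attempts > self.max_retries:
                    raise RuntimeError(f"gave up on {path} after {self.max_retries} retries (last HTTP {status})")
                self.sleep(min(2.0 ** attempts, 60.0))  # exponential backoff, capped at a minute
                continue
            raise RuntimeError(f"unexpected HTTP {status} on {path}: {body}")

    def iter_records(self, path: str, **filters) -> Iterator[dict]:
        """Walk a v2.1 list endpoint: limit = page size, follow pagination.nextCursor until null."""
        params = {"limit": self.page_size, **filters}
        while True:
            body = self.get(path, params)
            yield from body.get("data", [])
            cursor = (body.get("pagination") or {}).get("nextCursor")
            if not cursor:
                return
            params["cursor"] = cursor


class FakeTenant:
    """Constructed stand-in for a SentinelOne tenant (sample data, not real records).
    Serves agents in pages of `limit`, throttles the first call once, rejects bad tokens."""
    AGENTS_PATH = "/web/api/v2.1/agents"  # assumed list endpoint for the example

    def __init__(self, agents: list, throttle_first: bool = True, always_fail: bool = False):
        self.agents = agents
        self.throttle_first = throttle_first
        self.always_fail = always_fail
        self.calls: list = []  # params of every request, so tests can check paging behaviour

    def __call__(self, url: str, headers: dict, params: dict) -> tuple[int, dict]:
        self.calls.append(dict(params))
        if headers.get("Authorization") != "ApiToken valid-token":
            return 401, {"errors": [{"title": "Unauthorized"}]}
        if self.always_fail:
            return 503, {"errors": [{"title": "Service unavailable"}]}
        if self.throttle_first:
            self.throttle_first = False
            return 429, {"errors": [{"title": "Too many requests"}]}
        start, limit = int(params.get("cursor", "0")), int(params["limit"])
        end = start + limit
        return 200, {
            "data": self.agents[start:end],
            "pagination": {"totalItems": len(self.agents),
                           "nextCursor": str(end) if end < len(self.agents) else None},
        }


# Constructed sample agents: seven hosts so that a page size of 3 needs three pages.
SAMPLE_AGENTS = [{"id": str(1000 + i), "computerName": f"host-{i:02d}"} for i in range(7)]


def sync_agent_ids(tenant: FakeTenant, token: str, page_size: int, max_retries: int) -> list:
    """Pull every agent ID from the tenant with the given connector settings."""
    client = SentinelOneClient("https://example-tenant.sentinelone.com/", token, tenant,
                               page_size=page_size, max_retries=max_retries, sleep=lambda s: None)
    return [agent["id"] for agent in client.iter_records(FakeTenant.AGENTS_PATH)]


if __name__ == "__main__":
    tenant = FakeTenant(SAMPLE_AGENTS)
    print(sync_agent_ids(tenant, "valid-token", page_size=3, max_retries=10), len(tenant.calls), "requests")
```

With a page size of 3 the seven sample agents come back in three pages plus one throttled request, four requests in total; a wrong token fails on the first request, and a tenant that keeps returning 503 is abandoned after Maximum retries plus one attempts.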
Attribute mappings
The sections below list the mappings between the source fields and the Brinqa data model attributes:
Device
| Source Field Name | SDM Attribute |
|---|---|
agent.accountId | ACCOUNT_ID |
agent.accountName | ACCOUNT_NAME |
agent.activeDirectory.computerDistinguishedName | COMPUTER_DN |
agent.activeDirectory.computerMemberOf | COMPUTER_MEMBER_OF |
agent.activeDirectory.lastUserDistinguishedName | LAST_USER_DN |
agent.activeDirectory.lastUserMemberOf | LAST_USER_MEMBER_OF |
agent.activeThreats | ACTIVE_THREATS |
agent.agentVersion | AGENT_VERSION |
agent.allowRemoteShell | ALLOW_REMOTE_SHELL |
agent.appsVulnerabilityStatus | VULNERABILITY_STATUS |
agent.cloudProviders.*.cloudInstanceId | INSTANCE_ID |
agent.computerName | NAME |
agent.computerName | DNS_NAMES |
agent.computerName | HOSTNAMES |
agent.computerName | PRIVATE_DNS_NAMES |
agent.consoleMigrationStatus | CONSOLE_MITIGATION_STATUS |
agent.coreCount | CORE_COUNT |
agent.cpuCount | CPU_COUNT |
agent.cpuId | CPU_ID |
agent.createdAt | SOURCE_CREATED_DATE |
agent.detectionState | DETECTION_STATE |
agent.domain | DOMAIN |
agent.encryptedApplications | ENCRYPTED_APPLICATIONS |
agent.externalId | EXTERNAL_ID |
agent.externalIp | PUBLIC_IP_ADDRESSES |
agent.firewallEnabled | FIREWALL_ENABLED |
agent.groupId | GROUP_ID |
agent.groupName | GROUP_NAME |
agent.id | UID |
agent.id | AGENT_ID |
agent.infected | INFECTED |
agent.inRemoteShellSession | IN_REMOTE_SHELL_SESSION |
agent.installerType | INSTALLER_TYPE |
agent.isActive | IS_ACTIVE |
agent.isDecommissioned | STATUS |
agent.isDecommissioned | IS_DECOMMISSIONED |
agent.isPendingUninstall | IS_PENDING_UNINSTALL |
agent.isUninstalled | IS_UNINSTALLED |
agent.isUpToDate | IS_UPTO_DATE |
agent.lastActiveDate | LAST_SEEN |
agent.lastActiveDate | LAST_ACTIVE |
agent.lastIpToMgmt, agent.externalIp, agent.networkInterfaces.inet | IP_ADDRESSES |
agent.lastIpToMgmt, agent.networkInterfaces.inet | PRIVATE_IP_ADDRESSES |
agent.lastLoggedInUserName | LAST_LOGGED_IN_USERNAME |
agent.lastSuccessfulScanDate | LAST_SUCCESSFUL_FULL_SCAN |
agent.locations.name | LOCATIONS |
agent.machineSid | MACHINE_SID |
agent.machineType | CATEGORIES |
agent.machineType | MACHINE_TYPE |
agent.mitigationMode | MITIGATION_MODE |
agent.mitigationModeSuspicious | MITIGATION_MODE_SUSPICIOUS |
agent.modelName | MODEL |
agent.networkInterfaces.physical | MAC_ADDRESSES |
agent.networkStatus | NETWORK_STATUS |
agent.operationalState | OPERATIONAL_STATE |
agent.osArch | OS_ARCH |
agent.osName | OS_NAME |
agent.osRevision | OS_REVISION |
agent.osStartTime | LAST_STARTED |
agent.osStartTime | OS_START_TIME |
agent.osType | OS_TYPE |
agent.osType, agent.osRevision, agent.osArch | DESCRIPTION |
agent.osType, agent.osRevision, agent.osArch | OPERATING_SYSTEM |
agent.osUsername | OS_USERNAME |
agent.rangerStatus | RANGER_STATUS |
agent.rangerVersion | RANGER_VERSION |
agent.registeredAt | FIRST_SEEN |
agent.registeredAt | REGISTERED_AT |
agent.scanAbortedAt | SCAN_ABORTED_AT |
agent.scanFinishedAt | SCAN_FINISHED_AT |
agent.scanStartedAt | SCAN_STARTED_AT |
agent.scanStatus | SCAN_STATUS |
agent.serialNumber | SERIAL_NUMBER |
agent.siteId | SITE_ID |
agent.siteName | SITE_NAME |
agent.threatRebootRequired | THREAT_REBOOT_REQUIRED |
agent.totalMemory | TOTAL_MEMORY |
agent.updatedAt | SOURCE_LAST_MODIFIED |
agent.userActionsNeeded | USER_ACTION_NEEDED |
agent.uuid | AGENT_UUID |
Application
| Source Field Name | SDM Attribute |
|---|---|
app.name | NAME |
app.osType | OS type |
app.publisher | Publisher |
app.signed | Signed |
app.size | Size |
app.type | CATEGORIES |
app.type | Kind |
app.version | Revision |
MD5(publisher:name:version) | UID |
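Several rows in the Device table above draw one SDM attribute from several source fields (IP_ADDRESSES from lastIpToMgmt, externalIp and networkInterfaces.inet; OPERATING_SYSTEM from osType, osRevision and osArch; MAC_ADDRESSES from networkInterfaces.physical), and the Application UID is a hash of publisher:name:version rather than any single field. The added example below, written for this page and not taken from the connector, shows how such records are derived from one constructed agent record and one constructed application record. The merge order, the de-duplication rule, the space-joining of the OS fields and the hex-digest form of the MD5 are assumptions; the page documents only which fields feed which attribute.

```python
import hashlib

# Constructed sample records in the shape of SentinelOne v2.1 agent and application
# objects; the values are invented for illustration and describe no real host or software.
SAMPLE_AGENT = {
    "id": "1234567890123456789",
    "computerName": "ws-finance-07",
    "osType": "windows", "osRevision": "22631", "osArch": "64 bit",
    "lastIpToMgmt": "10.20.30.40",
    "externalIp": "203.0.113.9",
    "networkInterfaces": [
        {"name": "Ethernet", "physical": "00:11:22:33:44:55",
         "inet": ["10.20.30.40"], "inet6": ["fe80::1"]},
        {"name": "Wi-Fi", "physical": "66:77:88:99:aa:bb",
         "inet": ["192.168.1.25"], "inet6": []},
    ],
}
SAMPLE_APP = {"name": "7-Zip", "publisher": "Igor Pavlov", "version": "23.01",
              "type": "app", "osType": "windows"}


def _dedupe(values):
    """Drop empty entries and repeats while keeping first-seen order (assumed merge rule)."""
    seen, out = set(), []
    for value in values:
        if value and value not in seen:
            seen.add(value)
            out.append(value)
    return out


def map_device(agent: dict) -> dict:
    """Derive the multi-source HOST attributes from one agent record."""
    nics = agent.get("networkInterfaces") or []
    inet = [ip for nic in nics for ip in (nic.get("inet") or [])]
    os_parts = (agent.get("osType"), agent.get("osRevision"), agent.get("osArch"))
    return {
        "UID": agent["id"],
        "NAME": agent.get("computerName"),
        # IP_ADDRESSES <- lastIpToMgmt, externalIp, networkInterfaces.inet
        "IP_ADDRESSES": _dedupe([agent.get("lastIpToMgmt"), agent.get("externalIp"), *inet]),
        # PRIVATE_IP_ADDRESSES <- lastIpToMgmt, networkInterfaces.inet
        "PRIVATE_IP_ADDRESSES": _dedupe([agent.get("lastIpToMgmt"), *inet]),
        # PUBLIC_IP_ADDRESSES <- externalIp
        "PUBLIC_IP_ADDRESSES": _dedupe([agent.get("externalIp")]),
        # MAC_ADDRESSES <- networkInterfaces.physical
        "MAC_ADDRESSES": _dedupe(nic.get("physical") for nic in nics),
        # OPERATING_SYSTEM / DESCRIPTION <- osType, osRevision, osArch (space-joined: assumption)
        "OPERATING_SYSTEM": " ".join(part for part in os_parts if part),
    }


def application_key(app: dict) -> str:
    """publisher:name:version, the string the Application UID is hashed from."""
    return ":".join(app.get(field) or "" for field in ("publisher", "name", "version"))


def application_uid(app: dict) -> str:
    """MD5(publisher:name:version) as a hex digest. MD5 serves here only as a stable
    identifier for de-duplicating packages across hosts, not as a security control."""
    return hashlib.md5(application_key(app).encode("utf-8"), usedforsecurity=False).hexdigest()


if __name__ == "__main__":
    print(map_device(SAMPLE_AGENT))
    print(application_key(SAMPLE_APP), "->", application_uid(SAMPLE_APP))
```

Because the UID hashes publisher, name and version together, two installs of the same package on different hosts collapse into one PACKAGE record, while a version bump produces a new one; the vulnerability TARGETS row further down uses the same hash joined with the endpoint ID to point at the install on a specific host.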
Application Install
| Source Field Name | SDM Attribute |
|---|---|
app.agentComputerName | Agent name |
app.agentId | TARGETS |
app.agentId | Agent ID |
app.createdAt | Source created date |
app.id | UID |
app.installedAt | Installed date |
app.riskLevel | Risk |
app.uid | TYPE |
app.updatedAt | Source last modified |
Threat
| Source Field Name | SDM Attribute |
|---|---|
threat.agentRealtimeInfo.agentUuid → resolved to agent ID | TARGETS |
threat.id | UID |
threat.threatInfo.createdAt | FIRST_FOUND |
threat.threatInfo.filePath | PATH |
threat.threatInfo.fileSize | FILE_SIZE |
threat.threatInfo.incidentStatusDescription | SOURCE_STATUS |
threat.threatInfo.incidentStatusDescription | STATUS |
threat.threatInfo.incidentStatusDescription | STATUS_CATEGORY |
threat.threatInfo.mitigationStatusDescription | MITIGATION_STATUS |
threat.threatInfo.threatName | TYPE |
threat.threatInfo.updatedAt | LAST_FOUND |
Threat Definition
| Source Field Name | SDM Attribute |
|---|---|
threat.threatInfo.classification | CATEGORIES |
threat.threatInfo.confidenceLevel | CONFIDENCE_LEVEL |
threat.threatInfo.threatName | UID |
threat.threatInfo.threatName | NAME |
Vulnerability
| Source Field Name | SDM Attribute |
|---|---|
MD5(vendor:name:version) + vulnerability.endpointId | TARGETS |
vulnerability.cveId | TYPE |
vulnerability.daysDetected | DAYS_DETECTED |
vulnerability.detectionDate | FIRST_FOUND |
vulnerability.id | UID |
vulnerability.lastScanDate | LAST_FOUND |
vulnerability.lastScanResult | LAST_SCAN_RESULT |
vulnerability.markedBy | MARKED_BY |
vulnerability.markedDate | MARKED_DATE |
vulnerability.markType | MARK_TYPE |
vulnerability.reason | REASON |
vulnerability.status | PROVIDER_STATUS |
vulnerability.status | SOURCE_STATUS |
vulnerability.status | STATUS |
vulnerability.status | STATUS_CATEGORY |
Vulnerability Definition
| Source Field Name | SDM Attribute |
|---|---|
vulnerability.baseScore | CVSS_V3_BASE_SCORE |
vulnerability.cveId | UID |
vulnerability.cveId | NAME |
vulnerability.cveId | CVE_IDS |
vulnerability.cveId | CVE_RECORDS |
vulnerability.publishedDate | PUBLISHED_DATE |
vulnerability.severity | SEVERITY |
vulnerability.severity | SEVERITY_SCORE |
vulnerability.severity | SOURCE_SEVERITY |
Operations & API
Operation options, delta-sync behavior, and the API used are listed per connector object below. See connector operation options for how to apply operation options (keys and values are case-sensitive). None of the SentinelOne connector objects supports operation options, and the connector README does not document delta-sync behavior or a data source for any of them.
| Connector Object | Operation options | Delta sync | API |
|---|---|---|---|
| Device | None supported | Not documented in the connector README | Not documented in the connector README |
| Application | None supported | Not documented in the connector README | Not documented in the connector README |
| Application Install | None supported | Not documented in the connector README | Not documented in the connector README |
| Threat | None supported | Not documented in the connector README | Not documented in the connector README |
| Threat Definition | None supported | Not documented in the connector README | Not documented in the connector README |
| Vulnerability | None supported | Not documented in the connector README | Not documented in the connector README |
| Vulnerability Definition | None supported | Not documented in the connector README | Not documented in the connector README |
Changelog
The SentinelOne connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.2.7 | Bug fix: Application Install date/time attributes. The Application Install model stored Created at, Installed date, and Updated at as integer values instead of date/time; these fields now carry the timestamps returned by the SentinelOne API. | Application Install: Created at has been renamed to Source created date and Updated at to Source last modified, to align with standard platform attributes; the Installed date attribute type has changed from integer to date/time. A full re-sync of Application Install records is required after upgrading to apply the renamed attributes and new types. |
| 3.2.6 | Improvement: dependency upgrades. Internal framework and storage libraries were upgraded to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. | N/A |