SentinelOne
SentinelOne is an endpoint protection and threat response tool. You can bring application application install, device, threat intelligence, and security data from SentinelOne into Brinqa to construct a unified view of your attack surface and strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with SentinelOne and how to obtain that information from SentinelOne. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select SentinelOne from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate SentinelOne with Brinqa:
-
Server URL: The SentinelOne Server URL.
-
API token: The API token associated with the SentinelOne account, which must have permissions to log in to the API server and return data.
Generate a SentinelOne API token
For the SentinelOne connector to use the SentinelOne API, you must provide an API token from SentinelOne. SentinelOne does not allow retrieving the API token for an existing user. To generate a new API token, follow these steps:
-
Log in to your organization's SentinelOne server as an administrator.
-
Navigate to Settings > Users.
-
Select the user for which you want to generate a new API token.
-
Next to API Token, click Generate.
Your new API token displays. You can not view the token again after this. Copy and save it to a secure location.
If you do not have the permissions to create a SentinelOne API token, contact your SentinelOne administrator. Consult SentinelOne documentation for accuracy.
Additional settings
The SentinelOne connector contains additional options for specific configuration:
-
Page size: The maximum number of records to get per API request. The default setting is 1000. It is not recommended to go over 1000.
-
Skip certificate verification: Select this option to allow for untrusted certificates.
Types of data to retrieve
The SentinelOne connector can retrieve the following types of data from the SentinelOne API:
Table 1: Data retrieved from SentinelOne
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Application | No | Package |
| Application Install | No | Installed Package |
| Device | Yes | Host |
| Threat | No | Incident |
| Threat Definition | No | Incident Definition |
| Vulnerability | Yes | Vulnerability |
| Vulnerability Definition | Yes | Vulnerability Definition |
For detailed steps on how to view the data retrieved from SentinelOne in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Application
Table 2: Application attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| app.name | name |
| app.osType | Local variable |
| app.publisher | Local variable |
| app.signed | Local variable |
| app.size | Local variable |
| app.type | Local variable |
| app.uid | uid |
| app.updatedAt | Local variable |
| app.version | Local variable |
| categories | categories |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Application Install
Table 3: Application Install attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| app.agentId | targets |
| app.agentComputerName | Local variable |
| app.createdAt | Local variable |
| app.id | uid |
| app.installedAt | Local variable |
| app.riskLevel | Local variable |
| app.uid | type |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Device
Table 4: Device attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| agent.accountId | Local variable |
| agent.accountName | Local variable |
| agent.activeDirectory.computerDistinguishedName | Local variable |
| agent.activeDirectory.computerMemberOf | Local variable |
| agent.activeDirectory.lastUserDistinguishedName | Local variable |
| agent.activeDirectory.lastUserMemberOf | Local variable |
| agent.activeThreats | Local variable |
| agent.agentVersion | Local variable |
| agent.allowRemoteShell | Local variable |
| agent.appsVulnerabilityStatus | Local variable |
| agent.computerName | dnsNames, name, hostnames |
| agent.consoleMigrationStatus | Local variable |
| agent.coreCount | Local variable |
| agent.cpuCount | Local variable |
| agent.cpuId | Local variable |
| agent.createdAt | sourceCreatedDate |
| agent.detectionState | Local variable |
| agent.domain | Local variable |
| agent.encryptedApplications | Local variable |
| agent.externalId | Local variable |
| agent.externalIp | ipAddresses, publicIpAddresses |
| agent.firewallEnabled | Local variable |
| agent.groupId | Local variable |
| agent.groupName | Local variable |
| agent.id | uid |
| agent.inRemoteShellSession | Local variable |
| agent.instanceId | instanceId |
| agent.installerType | Local variable |
| agent.isActive | Local variable |
| agent.isDecommissioned | status |
| agent.isPendingUninstall | Local variable |
| agent.isUninstalled | Local variable |
| agent.isUpToDate | Local variable |
| agent.lastActiveDate | lastSeen |
| agent.lastIpToMgmt | ipAddresses, privateIpAddresses |
| agent.lastLoggedInUserName | Local variable |
| agent.lastSuccessfulScanDate | Local variable |
| agent.locations.name | Local variable |
| agent.machineType | Local variable |
| agent.macAddress | macAddresses |
| agent.mitigationMode | Local variable |
| agent.mitigationModeSuspicious | Local variable |
| agent.modelName | model |
| agent.networkInterfaces.physical | macAddresses |
| agent.networkStatus | Local variable |
| agent.operationalState | Local variable |
| agent.osArch | Local variable |
| agent.osName | Local variable |
| agent.osRevision | Local variable |
| agent.osStartTime | lastStarted |
| agent.osType | Local variable |
| agent.osUsername | Local variable |
| agent.rangerStatus | Local variable |
| agent.rangerVersion | Local variable |
| agent.registeredAt | firstSeen |
| agent.scanAbortedAt | Local variable |
| agent.scanFinishedAt | Local variable |
| agent.scanStartedAt | Local variable |
| agent.scanStatus | Local variable |
| agent.serialNumber | serialNumber |
| agent.siteId | Local variable |
| agent.siteName | Local variable |
| agent.threatRebootRequired | Local variable |
| agent.totalMemory | Local variable |
| agent.updatedAt | sourceLastModified |
| agent.userActionsNeeded | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Threat
Table 5: Threat attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| threat.agentRealtimeInfo.agentUuid | targets |
| threat.id | uid |
| threat.threatInfo.createdAt | firstFound |
| threat.threatInfo.createdAt.updatedAt | lastFound |
| threat.threatInfo.filePath | path |
| threat.threatInfo.fileSize | Local variable |
| threat.threatInfo.incidentStatusDescription | status |
| threat.threatInfo.mitigationStatusDescription | Local variable |
| threat.threatInfo.threatName | type, uid |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Threat Definition
Table 6: Threat Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| threat.threatInfo.classification | categories |
| threat.threatInfo.confidenceLevel | Local variable |
| threat.threatInfo.threatName | type, name |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Vulnerability
Table 7: Vulnerability attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| vulnerability.applicationVendor | targets |
| vulnerability.applicationName | targets |
| vulnerability.applicationVersion | targets |
| vulnerability.endpointId | targets |
| vulnerability.detectionDate | firstFound |
| vulnerability.id | uid |
| vulnerability.lastScanDate | lastFound |
| vulnerability.status | providerStatus, status, sourceStatus, statusCategory |
| vulnerability.daysDetected | Local variable |
| vulnerability.lastScanResult | Local variable |
| vulnerability.markType | Local variable |
| vulnerability.markedBy | Local variable |
| vulnerability.markedDate | Local variable |
| vulnerability.reason | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Vulnerability Definition
Table 8: Vulnerability Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| vulnerability.cveId | type, name, cveIds, cveRecords |
| vuln.baseScore | cvssV3BaseScore |
| vuln.publishedDate | publishedDate |
| vuln.severity | severity |
Operation options
The SentinelOne connector supports the following operation options. See connector operation options for information about how to apply them.
Table 2: SentinelOne connector operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Device | osTypes | windows, macos, or linux | A comma-separated list of operating systems. You can use this option to retrieve data from SentinelOne that only contains the specified operating system. | Key: osTypes Value: linux. This key and value combination only retrieves data from SentinelOne that pertains to the Linux operating system. |
| machineTypes | desktop, laptop, server, storage, or kubernetes node | A comma-separated list of machine types. You can use this option to retrieve data from SentinelOne that only contains the specified machine type. | Key: machineTypes Value: desktop. This key and value combination only retrieves data from SentinelOne that pertains to desktop machines. |
The option keys are case-sensitive and the possible values are in lowercase as they are shown in the documentation.
APIs
The SentinelOne connector uses the SentinelOne REST API. Specifically, it uses the following endpoints:
Table 3: SentinelOne API Endpoints
| Connector Object | API Endpoint |
|---|---|
| Application | /web/api/v2.1/installed-applications |
| Application Install | /web/api/v2.1/installed-applications |
| Device | /web/api/v2.1/agents |
| Threat | /web/api/v2.1/agents |
web/api/v2.1/threats | |
| Threat Definition | web/api/v2.1/agents |
/web/api/v2.1/threats | |
| Vulnerability | web/api/v2.1/application-management/risks |
| Vulnerability Definition | web/api/v2.1/application-management/risks |
Changelog
The SentinelOne connector has undergone the following changes:
3.2.2
- Code clean up and general maintenance.
3.2.1
-
Added more attributes to the Device object.
-
Code clean up and general maintenance.
3.2.0
-
Changed the CVSS_V3_BASE_SCORE attribute type on the Vulnerability Definition object from string to double.
-
Code clean up and general maintenance.
3.1.18
- Added support for Data lifecycle management to the Device and Vulnerability objects.
3.1.7
- Added the Threat, Threat Definition, Vulnerability, and Vulnerability Definition objects.
3.1.6
- Updated dependencies.
3.1.15
-
Fixed some sync errors.
-
Made the Application and Application Install objects optional.
3.1.14
- Fixed an error when syncing the Device object.
3.0.7
- Added cloud metadata as a source for the Device object.
3.0.6
- Added a FIRST_SEEN attribute to the Device object.
3.0.0
- Initial Integration+ release.