SentinelOne collector

Service description

SentinelOne delivers autonomous endpoint protection through a single agent that prevents, detects, responds to, and hunts attacks. The SentinelOne Singularity platform is a data lake that fuses together the data, access, control, and integration planes of its endpoint protection (EPP), endpoint detection and response (EDR), IoT security, and cloud workload protection (CWPP) into a centralized platform.

The Devo | SentinelOne integration collects data from various sources available through the SentinelOne API and ingests it into Devo, where it is made available for enterprise teams to query, analyze, and visualize for different use cases.

Devo Collector features

Feature: Details
Allow parallel downloading (multipod): Not allowed
Running environments: Collector Server, On Premise
Populated Devo events: Standard, Lookups

Data source description

The following data is ingested into Devo. Each data source is listed with its description, SentinelOne API endpoint, collector service name, Devo tables, and the release it is available from.

Threat Detections
  Description: Detailed telemetry from any threat detected on a device with the SentinelOne agent installed in the organization. This data is additionally mapped to Devo's edr.all.threats union table for further analysis and integration with the Devo SecOps application.
  SentinelOne API endpoint: /web/api/v2.1/threats
  Collector service name: threat_events
  Devo tables: edr.sentinelone.agent.threats
  Available from release: v1.0.0

Management Console Activities
  Description: Detailed events captured from interactions with the SentinelOne management console.
  SentinelOne API endpoint: /web/api/v2.1/activities
  Collector service name: management_activity_events
  Devo tables: edr.sentinelone.management.activities
  Available from release: v1.0.0

Management Console Activity Types
  Description: A lookup table that maps numeric activity types to their written descriptions, making the activity data easier to read.
  SentinelOne API endpoint: /web/api/v2.1/activities/types
  Collector service name: activity_types
  Devo tables: Lookup table: SentinelOne_Management_Console_Activity_Types
  Available from release: v1.0.0

Agent Telemetry
  Description: System information and telemetry from devices with the SentinelOne agent installed.
  SentinelOne API endpoint: /web/api/v2.1/agents
  Collector service name: agent_telemetry
  Devo tables: edr.sentinelone.agent.agents
  Available from release: v1.0.0

How to enable the collection in the vendor

In order to configure the SentinelOne collector, you need to generate a SentinelOne API token. Follow these steps to do it:

1. Log in to the SentinelOne Management Console as the user you want to authorize API requests with. This user should have permission to view threat, agent and management console activity data.

2. From the Help menu, select API Doc.

3. Navigate to Users → Generate API Token.

4. Select Run on console.

5. Select Run API query and copy the value of the token key displayed in the RESPONSE section of the page.

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to download data with basic configuration are defined below.

This minimum configuration refers exclusively to the parameters specific to this integration. There are further required parameters that govern the generic behavior of the collector; check the parameterization details for more information.

Setting: Details
url_value: Use this param to define the URL used by the collector to pull data. Replace XXXXXXXXX with your SentinelOne host name.
api_token_value: Set up here your access token created in the SentinelOne console.

See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.
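Before handing the two settings above to the collector, it is worth confirming that the token really can read every endpoint the collector pulls from (the permissions step 1 of the token procedure asks for). The following pre-flight check is an added example, not part of Devo's collector or the SentinelOne API documentation; it assumes SentinelOne's `Authorization: ApiToken <token>` header scheme and the `limit` query parameter, and the `fetch` argument exists only so the logic can be exercised offline.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# The four endpoints this collector pulls from, keyed by collector service name
# (both taken from the data source table of this page).
COLLECTOR_ENDPOINTS = {
    "threat_events": "/web/api/v2.1/threats",
    "management_activity_events": "/web/api/v2.1/activities",
    "activity_types": "/web/api/v2.1/activities/types",
    "agent_telemetry": "/web/api/v2.1/agents",
}


def http_status(url: str, api_token: str) -> int:
    """GET the URL with the 'Authorization: ApiToken <token>' header (assumed scheme); return the HTTP status."""
    req = urllib.request.Request(url, headers={"Authorization": f"ApiToken {api_token}"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403 means the token cannot read that data


def check_token_permissions(url_value: str, api_token_value: str,
                            fetch: Callable[[str, str], int] = http_status) -> Dict[str, bool]:
    """Map each collector service name to True if the token can read its endpoint.

    url_value is the console base URL from the minimum configuration (host name filled in);
    limit=1 (assumed parameter) keeps each probe cheap. `fetch` is injectable for offline tests.
    """
    base = url_value.rstrip("/")
    return {service: fetch(f"{base}{path}?limit=1", api_token_value) == 200
            for service, path in COLLECTOR_ENDPOINTS.items()}


def missing_permissions(results: Dict[str, bool]) -> List[str]:
    """Names of the collector services whose endpoint the token could not read."""
    return sorted(name for name, ok in results.items() if not ok)


if __name__ == "__main__":
    import sys  # usage: python check_token.py https://<your-sentinelone-host> <api_token>
    outcome = check_token_permissions(sys.argv[1], sys.argv[2])
    for name, ok in outcome.items():
        print(f"{name:28s} {'OK' if ok else 'DENIED / ERROR'}")
    sys.exit(1 if missing_permissions(outcome) else 0)
```

A non-empty list from missing_permissions means the token's user lacks view rights for that data source, so the corresponding collector service will fail to pull.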

Accepted authentication methods

The following are the accepted authentication methods for this collector.

Authentication method 1: API Token
  URL: required
  API Token: required

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector on your own machine using a Docker image (On-premise collector).