SentinelOne collector
- Juan Tomás Alonso Nieto (Deactivated)
Service description
SentinelOne delivers autonomous endpoint protection through a single agent that prevents, detects, responds, and hunts attacks. SentinelOne Singularity platform is a data lake that fuses together the data, access, control, and integration plans of its endpoint protection (EPP), endpoint detection and response (EDR), IoT security, and cloud workload protection (CWPP) into a centralized platform.
The Devo | SentinelOne integration collects data from various sources available through the SentinelOne API and ingests it into Devo, where it is made available for enterprise teams to query, analyze, and visualize for different use cases.
Devo Collector features
Feature | Details |
|---|---|
Allow parallel downloading ( |
|
Running environments |
|
Populated Devo events |
|
Data source description
The following data is ingested into Devo:
Data Source | Description | SentinelOne API endpoint | Collector service name | Devo tables | Available from release |
|---|---|---|---|---|---|
Threat Detections | Detailed telemetry from any threat detected on a device with the SentinelOne agent installed in the organization. This data is additionally mapped to Devo's |
|
|
|
|
Management Console Activities | Detailed events captured by the interactions with the SentinelOne management console |
|
|
|
|
Management Console Activity Types | A lookup table which maps numeric activity types to their written description to add usability to the data |
|
| Lookup table: |
|
Agent Telemetry | System information and telemetry from devices with the SentinelOne agent installed |
|
|
|
|
How to enable the collection in the vendor
In order to configure the SentinelOne collector, you need to generate a SentinelOne API token. Follow these steps to do it:
Steps | Screenshots | |
|---|---|---|
| 1 | Log in to the SentinelOne Management Console as the user you want to authorize API requests with. This user should have permission to view threat, agent and management console activity data. | 
|
| 2 | From the Help menu, select API Doc. | 
|
| 3 | Navigate to the Users → Generate API Token. |
|
| 4 | Select Run on console. |
|
| 5 | Select Run API query and copy the value of the token key displayed in the RESPONSE section of the page. |
|
Minimum configuration required for basic pulling
Although this collector supports advanced configuration, the fields required to download data with basic configuration are defined below.
This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check the detail of the parameterization for more information.
Setting | Details |
|---|---|
| Use this param to define the URL used by the collector to pull data. Replace |
| Set up here your access token created in the SentinelOne console. |
See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.
Accepted authentication methods
The following are the accepted authentication methods for this collector.
Authentication Method | URL | API Token | |
|---|---|---|---|
| 1 | API Token | required | required |
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).