
SentinelOne collector

Service description

SentinelOne is an endpoint detection and response (EDR) platform.

The Devo - SentinelOne integration collects data from the SentinelOne API and ingests it into Devo, where it is made available for analysts to query.

Data source description

The following data is ingested into Devo:

  • Threat Detections - detailed telemetry from any threat detected on a device with the SentinelOne agent installed in the organization. This data is additionally mapped to Devo's edr.all.threats union table for further analysis and integration with the Devo Security Operations application.
  • Management Console Activities - detailed events captured by the interactions with the SentinelOne management console.
  • Agent Data - system information and telemetry from devices with the SentinelOne agent installed.

Setup

SentinelOne

In order to configure the Devo - SentinelOne integration, you need to generate a SentinelOne API token. To do this, follow these steps:

  1. Log in to the SentinelOne Management Console as the user you want to authorize API requests with. The token inherits this user's permissions, so the user must be able to view threat, agent, and management console activity data, and should ideally be a dedicated account with no more than those viewer rights.
  2. From the Help menu, select API Doc.
  3. In the API Doc, navigate to Users → Generate API Token.
  4. Select Run on console.
  5. Select Run API query.
  6. Copy the value of the token key displayed in the RESPONSE section of the page. Treat it as a credential: store it in a secrets store rather than in documentation or chat, and revoke it if it is ever exposed.
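The collector described above pulls records from the SentinelOne API with the token you just generated. The following is an added example, not Devo's collector and not SentinelOne's own SDK; it shows what such a poll looks like (cursor pagination, an incremental "since" checkpoint) and adds the check a practitioner wants before handing the token to a third party: confirm that it can actually read each of the three data types required in step 1. The endpoint paths, the `Authorization: ApiToken` header, the `limit`/`cursor` parameters, the `*__gte` time filters, and the `{"data": [...], "pagination": {"nextCursor": ...}}` response shape are assumptions taken from the public SentinelOne Management API v2.1, not from this page; the console URL, token, and all records served by the offline transport are constructed.

```python
"""Minimal SentinelOne API poller (added example; not Devo or SentinelOne code).
Assumed, not from this page: endpoint paths, "Authorization: ApiToken <token>",
limit/cursor paging, *__gte time filters, and the data/pagination response shape.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional

# Assumed v2.1 endpoint for each data type and the time filter it accepts.
ENDPOINTS = {
    "threats":    ("/web/api/v2.1/threats",    "createdAt__gte"),
    "activities": ("/web/api/v2.1/activities", "createdAt__gte"),
    "agents":     ("/web/api/v2.1/agents",     "updatedAt__gte"),
}

Fetch = Callable[[str, Dict[str, str]], dict]   # (url, headers) -> parsed JSON body


def http_fetch(url: str, headers: Dict[str, str]) -> dict:
    """Real transport. 401/403 become PermissionError so callers can tell
    'token lacks this right' apart from other failures."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code in (401, 403):
            raise PermissionError(f"{e.code} for {url}") from e
        raise


class SentinelOneClient:
    def __init__(self, console_url: str, api_token: str, fetch: Fetch = http_fetch):
        self.base = console_url.rstrip("/")
        # The token rides on every request: never log these headers.
        self.headers = {"Authorization": f"ApiToken {api_token}",
                        "Accept": "application/json"}
        self.fetch = fetch

    def iter_records(self, kind: str, since: Optional[str] = None,
                     limit: int = 100) -> Iterator[dict]:
        """Yield every record of `kind`, following nextCursor until it is empty."""
        path, time_filter = ENDPOINTS[kind]
        params = {"limit": str(limit)}
        if since:
            params[time_filter] = since          # incremental: only newer records
        cursor, seen = None, set()
        while True:
            query = dict(params, **({"cursor": cursor} if cursor else {}))
            body = self.fetch(f"{self.base}{path}?{urllib.parse.urlencode(query)}",
                              self.headers)
            yield from body.get("data", [])
            cursor = (body.get("pagination") or {}).get("nextCursor")
            if not cursor:
                return
            if cursor in seen:                   # defensive: a cursor that loops
                raise RuntimeError("pagination cursor repeated")
            seen.add(cursor)

    def check_permissions(self) -> Dict[str, bool]:
        """Which data types this token may read (the requirement in setup step 1)."""
        result = {}
        for kind in ENDPOINTS:
            try:
                next(self.iter_records(kind, limit=1), None)   # one request per type
                result[kind] = True
            except PermissionError:
                result[kind] = False
        return result


def latest_timestamp(records: List[dict], field: str = "createdAt") -> Optional[str]:
    """Checkpoint for the next poll. Same-format ISO-8601 UTC strings sort lexically."""
    stamps = [r[field] for r in records if r.get(field)]
    return max(stamps) if stamps else None


def make_fake_fetch(pages: Dict[str, dict], denied: tuple = ()) -> Fetch:
    """Offline transport: serves constructed pages keyed by the cursor parameter
    and answers 403 for endpoints listed in `denied`."""
    def fetch(url: str, headers: Dict[str, str]) -> dict:
        assert headers["Authorization"].startswith("ApiToken ")
        parts = urllib.parse.urlsplit(url)
        if any(parts.path.endswith(f"/{d}") for d in denied):
            raise PermissionError(f"403 for {url}")
        cursor = urllib.parse.parse_qs(parts.query).get("cursor", [""])[0]
        return pages[cursor]
    return fetch


SAMPLE_THREAT_PAGES = {      # constructed: three threats split over two pages
    "": {"data": [{"id": "t-1", "createdAt": "2024-05-01T10:00:00.000000Z"},
                  {"id": "t-2", "createdAt": "2024-05-01T10:05:00.000000Z"}],
         "pagination": {"nextCursor": "c2", "totalItems": 3}},
    "c2": {"data": [{"id": "t-3", "createdAt": "2024-05-01T10:09:00.000000Z"}],
           "pagination": {"nextCursor": None, "totalItems": 3}},
}


def demo() -> dict:
    """Poll the constructed pages with a token that is denied the activities endpoint."""
    client = SentinelOneClient("https://example.sentinelone.net", "REDACTED-TOKEN",
                               fetch=make_fake_fetch(SAMPLE_THREAT_PAGES, denied=("activities",)))
    threats = list(client.iter_records("threats", since="2024-05-01T00:00:00Z"))
    return {"ids": [t["id"] for t in threats],
            "checkpoint": latest_timestamp(threats),
            "permissions": client.check_permissions()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run against a real console by constructing `SentinelOneClient(console_url, token)` with the default transport and calling `check_permissions()` first; a `False` for any of the three types means the user behind the token lacks a right the integration needs, which is cheaper to discover now than after Devo support has enabled the collector.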

Devo

The Devo - SentinelOne integration is deployed using the Devo Cloud Collector service. To enable the integration on your Devo domain, contact Devo support and provide the following details:

  1. The data you would like to ingest. Choose from Threat Detections, Management Console Activities, and/or Agent Data.
  2. The URL of your SentinelOne instance.
  3. The value of the API Token that Devo should use to authorize requests.

Devo support will then enable the integration on your behalf.

Querying data

Once enabled, data will be available in your Devo domain. You can start to query the data by following these steps:

  1. Log in to your Devo domain.
  2. Open the Data Search screen.
  3. From the Finders window, select the required table according to the data type you would like to explore:
    • Threat Detections - edr.sentinelone.agent.threats
    • Management Console Activities - edr.sentinelone.management.activities
    • Agent Data - edr.sentinelone.agent.agents