SentinelOne Connector
Overview

The SentinelOne connector enables automated interaction with SentinelOne's endpoint protection capabilities, facilitating real-time threat detection and response. SentinelOne delivers autonomous endpoint protection through a single agent that prevents, detects, responds to, and hunts attacks across all major vectors.

The SentinelOne Turbine connector for Swimlane Turbine enables security teams to automate threat detection and response actions, such as adding notes to threats, broadcasting messages to agents, and managing blacklist items. By integrating with SentinelOne, users can streamline their security operations, reduce response times, and enhance their overall security posture within the Swimlane Turbine platform.

Prerequisites

To use the SentinelOne connector within the Swimlane Turbine platform, ensure you have the following prerequisites.

API key authentication
- URL: the endpoint URL for the SentinelOne management API
- API token: a valid API token from SentinelOne to authenticate requests

Obtaining an API token
1. Navigate to the SentinelOne portal.
2. Select your user in the upper right corner of the menu.
3. Select the menu by your user account name, then select My User. A modal will pop up displaying your account information.
4. Select Generate to generate a new API token, and copy the value into the Swimlane asset.

Capabilities

The SentinelOne integration provides the following capabilities:
- Add Threat Note
- Broadcast Message
- Connect Agents
- Create Blacklist Item
- Create Exclusion
- Create Power Query and Get Query ID
- Deep Visibility Create Query and Get Query ID
- Deep Visibility Get Events by Query ID
- Delete Blocklist Item
- Delete Threat Note
- Disconnect Agents
- Download from Cloud
- Fetch Files
- Fetch Threat File
- Get Activities
- Get Agent Applications
- Get Agents
- Get Alerts
- Get Blocklist Items
- Get Groups
- Get Hash
- Get Rogues Settings
- Get Sites
- Get Threat Analysis
- Get Threat Appearances
- Get Threat Events
- Get Threat Notes
- Get Threat Timeline
- Get Threats
- Initiate Scan
- Mitigate Threats
- New Firewall Rule
- Ping a Power Query
- Update Alert Analyst Verdict
- Update Alert Incident
- Update Threat Analyst Verdict
- Update Threat External Ticket ID
- Update Threat Incident
- Update Threat Note

Initiate Scan action

Full Disk Scan finds dormant suspicious activity, threats, and compliance violations, which are then mitigated according to the policy. It scans the local file system. Full Disk Scan does not inspect drives that require user credentials (such as network drives) or external drives.

Full Disk Scan does not work on hashes: it does not check each file against the blacklist. If the Static AI determines a file is suspicious, the agent calculates its hash and checks whether the hash is in the blacklist. If a file is executed, all aspects of the process are inspected, including hash-based analysis and blacklist checks.

Full Disk Scan can run when the endpoint is offline, but when it is connected to the Management, it can use the most up-to-date cloud data to improve detection.

Create Firewall Rule

To keep it simple for the user, this action currently only supports adding remote hosts to a firewall rule. Should this action need to be expanded to support other rule types, please contact Swimlane support.

About Deep Visibility queries

For complete query syntax, see Query Syntax in the Knowledge Base or the console help.

Notes

The API documentation can be found on your SentinelOne instance by doing the following:
1. Select the arrow next to your user in the top right of the navigation bar.
2. Select API Doc, and a new tab with the API documentation will open.

This connector was last tested against product version API v2.1.
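The two Deep Visibility capabilities above (create query and get query ID, then get events by query ID) are one asynchronous flow against the management API. The following is an added example, not Swimlane's connector code; the v2.1 endpoint paths, the "ApiToken <token>" Authorization header and the responseState values are assumptions from the public API documentation, and the transport is injected so the flow runs offline against a constructed fake.

```python
import time
# Assumed, not from the connector page: v2.1 API paths, the
# "ApiToken <token>" Authorization header and the responseState values.
INIT_PATH, STATUS_PATH, EVENTS_PATH = ("/web/api/v2.1/dv/init-query",
                                       "/web/api/v2.1/dv/query-status",
                                       "/web/api/v2.1/dv/events")
FAILED_STATES = {"FAILED", "ERROR", "QUERY_CANCEL", "TIMED_OUT"}

def s1_headers(api_token):
    # The token generated under "My User > Generate" goes in the Authorization header.
    return {"Authorization": f"ApiToken {api_token}", "Content-Type": "application/json"}

def run_dv_query(transport, base_url, token, query, from_date, to_date, max_polls=20, wait=0.0):
    # transport(method, url, headers, json_body_or_None) -> parsed JSON dict (inject requests/httpx in production).
    headers = s1_headers(token)
    created = transport("POST", base_url + INIT_PATH, headers,
                        {"query": query, "fromDate": from_date, "toDate": to_date})
    query_id = created["data"]["queryId"]          # "create query and get query id"
    for _ in range(max_polls):                     # poll until the query finishes
        status = transport("GET", f"{base_url}{STATUS_PATH}?queryId={query_id}", headers, None)
        state = status["data"]["responseState"]
        if state == "FINISHED":
            break
        if state in FAILED_STATES:
            raise RuntimeError(f"query {query_id} ended in state {state}")
        time.sleep(wait)
    else:
        raise TimeoutError(f"query {query_id} not finished after {max_polls} polls")
    events = transport("GET", f"{base_url}{EVENTS_PATH}?queryId={query_id}", headers, None)
    return query_id, events["data"]                # "get events by query id"

class FakeS1Transport:
    # Constructed stand-in for the management API: reports RUNNING once, then FINISHED.
    def __init__(self):
        self.polls = 0
    def __call__(self, method, url, headers, body):
        assert headers["Authorization"] == "ApiToken constructed-token"
        if url.endswith(INIT_PATH):
            return {"data": {"queryId": "q-constructed-0001"}}
        if STATUS_PATH in url:
            self.polls += 1
            return {"data": {"responseState": "RUNNING" if self.polls < 2 else "FINISHED"}}
        if EVENTS_PATH in url:
            return {"data": [{"eventType": "Process Creation", "processName": "constructed.exe"}]}
        raise ValueError(f"unexpected call {method} {url}")

def demo():
    fake = FakeS1Transport()
    qid, events = run_dv_query(fake, "https://console.example.invalid", "constructed-token",
                               'EventType = "Process Creation"', "2024-01-01T00:00:00Z", "2024-01-02T00:00:00Z")
    return qid, events, fake.polls
```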