Overview

SentinelOne offers solutions that deliver real-time endpoint protection, detection and response, and monitor IoT frameworks for vulnerabilities. These solutions leverage the cloud for scalability.

Data from SentinelOne is collected by Hunters and ingested into its database, then surfaced in the Hunters portal and correlated with related threats detected by SentinelOne and by other sources.

Note: Hunters currently supports collection from version 2.1 of the SentinelOne API.

Supported data types

  • Threats: All the Threats from SentinelOne's EDR solution.

    {
        "agentDetectionInfo": {
            "accountId": "String",
            "accountName": "String",
            "agentDetectionState": null,
            "agentDomain": "String",
            "agentIpV4": "String",
            "agentIpV6": "",
            "agentLastLoggedInUserName": "String",
            "agentMitigationMode": "String",
            "agentOsName": "String",
            "agentOsRevision": "String",
            "agentRegisteredAt": "2021-11-22T20:42:36.012930Z",
            "agentUuid": "String",
            "agentVersion": "String",
            "externalIp": "String",
            "groupId": "String",
            "groupName": "String",
            "siteId": "String",
            "siteName": "String"
        },
        "agentRealtimeInfo": {
            "accountId": "String",
            "accountName": "String",
            "activeThreats": 140,
            "agentComputerName": "String",
            "agentDecommissionedAt": null,
            "agentDomain": "String",
            "agentId": "String",
            "agentInfected": true,
            "agentIsActive": true,
            "agentIsDecommissioned": false,
            "agentMachineType": "String",
            "agentMitigationMode": "String",
            "agentNetworkStatus": "String",
            "agentOsName": "String",
            "agentOsRevision": "String",
            "agentOsType": "String",
            "agentUuid": "String",
            "agentVersion": "String",
            "groupId": "String",
            "groupName": "String",
            "networkInterfaces": [
                {
                    "id": "String",
                    "inet": [
                        "String"
                    ],
                    "inet6": [],
                    "name": "String",
                    "physical": "String"
                }
            ],
            "operationalState": "na",
            "rebootRequired": false,
            "scanAbortedAt": null,
            "scanFinishedAt": "2021-11-22T23:03:33.321830Z",
            "scanStartedAt": "2021-11-22T20:43:45.884845Z",
            "scanStatus": "finished",
            "siteId": "String",
            "siteName": "String",
            "storageName": null,
            "storageType": null,
            "userActionsNeeded": []
        },
        "containerInfo": {
            "id": null,
            "image": null,
            "labels": null,
            "name": null
        },
        "id": "String",
        "indicators": [
            {
                "category": "String",
                "description": "String",
                "ids": [
                    int
                ],
                "tactics": [
                    {
                        "name": "String",
                        "source": "String",
                        "techniques": []
                    }
                ]
            }
        ],
        "kubernetesInfo": {
            "cluster": null,
            "controllerKind": null,
            "controllerLabels": null,
            "controllerName": null,
            "namespace": null,
            "namespaceLabels": null,
            "node": null,
            "pod": null,
            "podLabels": null
        },
        "mitigationStatus": [],
        "threatInfo": {
            "analystVerdict": "String",
            "analystVerdictDescription": "String",
            "automaticallyResolved": false,
            "browserType": null,
            "certificateId": "",
            "classification": "String",
            "classificationSource": "String",
            "cloudFilesHashVerdict": "String",
            "collectionId": "String",
            "confidenceLevel": "String",
            "createdAt": "2021-12-12T23:00:07.386997Z",
            "detectionEngines": [
                {
                    "key": "String",
                    "title": "String"
                }
            ],
            "detectionType": "String",
            "engines": [
                "String"
            ],
            "externalTicketExists": false,
            "externalTicketId": null,
            "failedActions": false,
            "fileExtension": "String",
            "fileExtensionType": "String",
            "filePath": "String",
            "fileSize": 833536,
            "fileVerificationType": "String",
            "identifiedAt": "2021-12-12T23:00:07.085000Z",
            "incidentStatus": "String",
            "incidentStatusDescription": "String",
            "initiatedBy": "String",
            "initiatedByDescription": "String",
            "initiatingUserId": null,
            "initiatingUsername": null,
            "isFileless": false,
            "isValidCertificate": false,
            "maliciousProcessArguments": "String",
            "md5": null,
            "mitigatedPreemptively": false,
            "mitigationStatus": "String",
            "mitigationStatusDescription": "String",
            "originatorProcess": "String",
            "pendingActions": false,
            "processUser": "String",
            "publisherName": "",
            "reachedEventsLimit": false,
            "rebootRequired": false,
            "sha1": "String",
            "sha256": null,
            "storyline": "String",
            "threatId": "String",
            "threatName": "String",
            "updatedAt": "2021-12-12T23:00:07.383888Z"
        },
        "whiteningOptions": [
            "String",
            "String"
        ]
    }
  • Agents: All the Agents from SentinelOne's EDR solution.

    {
        "accountId": "String",
        "accountName": "String",
        "activeDirectory": {
            "computerDistinguishedName": null,
            "computerMemberOf": [],
            "lastUserDistinguishedName": null,
            "lastUserMemberOf": []
        },
        "activeThreats": 1,
        "agentVersion": "String",
        "allowRemoteShell": true,
        "appsVulnerabilityStatus": "String",
        "cloudProviders": {},
        "computerName": "String",
        "consoleMigrationStatus": "N/A",
        "coreCount": 16,
        "cpuCount": 16,
        "cpuId": "String",
        "createdAt": "2021-04-06T14:59:22.791311Z",
        "detectionState": null,
        "domain": "String",
        "encryptedApplications": false,
        "externalId": "",
        "externalIp": "String",
        "firewallEnabled": false,
        "firstFullModeTime": null,
        "groupId": "String",
        "groupIp": "String",
        "groupName": "String",
        "id": "String",
        "inRemoteShellSession": false,
        "infected": true,
        "installerType": "String",
        "isActive": true,
        "isDecommissioned": false,
        "isPendingUninstall": false,
        "isUninstalled": false,
        "isUpToDate": true,
        "lastActiveDate": "2021-12-13T15:30:53.053654Z",
        "lastIpToMgmt": "String",
        "lastLoggedInUserName": "String",
        "licenseKey": "",
        "locationEnabled": true,
        "locationType": "String",
        "locations": [
            {
                "id": "String",
                "name": "String",
                "scope": "String"
            }
        ],
        "machineType": "String",
        "mitigationMode": "String",
        "mitigationModeSuspicious": "String",
        "modelName": "String",
        "networkInterfaces": [
            {
                "gatewayIp": "String",
                "gatewayMacAddress": "String",
                "id": "String",
                "inet": [
                    "String"
                ],
                "inet6": [],
                "name": "String",
                "physical": "String"
            }
        ],
        "networkQuarantineEnabled": false,
        "networkStatus": "connected",
        "operationalState": "na",
        "operationalStateExpiration": null,
        "osArch": "String",
        "osName": "String",
        "osRevision": "String",
        "osStartTime": "2021-12-09T12:25:11Z",
        "osType": "String",
        "osUsername": null,
        "rangerStatus": "Enabled",
        "rangerVersion": "String",
        "registeredAt": "2021-04-06T14:59:22.787465Z",
        "remoteProfilingState": "disabled",
        "remoteProfilingStateExpiration": null,
        "scanAbortedAt": "2021-04-06T15:00:55.635228Z",
        "scanFinishedAt": "2021-04-06T15:31:20.877585Z",
        "scanStartedAt": "2021-04-06T15:12:03.592336Z",
        "scanStatus": "finished",
        "siteId": "String",
        "siteName": "Default site",
        "storageName": null,
        "storageType": null,
        "threatRebootRequired": false,
        "totalMemory": 65469,
        "updatedAt": "2021-12-13T15:17:31.832317Z",
        "userActionsNeeded": [],
        "uuid": "String"
    }

Sending data to Hunters

Hunters will access SentinelOne's API on your behalf and collect the agent and threat events.

The following information is required to configure SentinelOne events collection:

  1. Host Name

  2. API Token

SentinelOne APIs are authenticated via application keys (API tokens). You must obtain an API token to use when configuring the SentinelOne connector.

Obtain the host name

Contact SentinelOne Support and ask for your API host name. It should be similar to "usea1-025".

Obtain the API token

  1. Log in to the SentinelOne Management Console as an administrator.

  2. Navigate to Settings > Users.

  3. Click your username.

  4. Click Edit.

  5. Navigate to Edit User > API Token.

  6. Click Generate.

  7. Click Copy to record the value for the API token that appears in a new window.

  8. Click Download. Share the API token with Hunters to onboard SentinelOne Threats.

The SentinelOne cloud connector generates a new token every six months. When you generate or regenerate a token, SentinelOne displays the expiration date for the token.

If a token is already generated, the window displays Revoke or Regenerate buttons. Clicking Revoke removes the authorization by the existing token. Clicking Regenerate removes the authorization by the existing token and creates a new API token. If you revoke or regenerate a token, any scripts that use the token will stop working.
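The following is an added example, not code from Hunters or SentinelOne, showing what a collector does with the Threats records documented above before correlation: it flattens a v2.1 threat record into a single correlation-ready event (picking the strongest hash present, since the schema allows md5 and sha256 to be null while sha1 is set, and collecting the MITRE tactic names from the indicators), flags threats that still need an analyst verdict, and builds the request descriptor from the host name and API token described in this section. The sample record is constructed for the example with placeholder values; the status vocabulary (unresolved, undefined, not_mitigated) and the API layout (https://<host>.sentinelone.net/web/api/v2.1/threats with an "Authorization: ApiToken <token>" header and cursor pagination) are assumptions, not taken from this page.

```python
"""Flatten a SentinelOne v2.1 threat record for correlation (added example)."""
import json
from typing import Optional

# Constructed sample following the Threats schema documented on this page.
# Values are made up for the example; the sha1 is a placeholder, not a real indicator.
SAMPLE_THREAT_JSON = r"""
{
  "id": "1000000000000000001",
  "agentDetectionInfo": {"agentUuid": "aaaa-bbbb-cccc", "agentIpV4": "10.1.2.3",
                         "agentLastLoggedInUserName": "jdoe", "siteName": "Default site"},
  "agentRealtimeInfo": {"agentComputerName": "WS-0042", "agentInfected": true},
  "indicators": [
    {"category": "Persistence", "description": "Registry run key added", "ids": [12],
     "tactics": [{"name": "Persistence", "source": "MITRE", "techniques": []}]},
    {"category": "Execution", "description": "Script interpreter spawned", "ids": [7],
     "tactics": [{"name": "Execution", "source": "MITRE", "techniques": []},
                 {"name": "Persistence", "source": "MITRE", "techniques": []}]}
  ],
  "threatInfo": {
    "threatId": "1000000000000000001", "threatName": "example.exe",
    "classification": "Malware", "confidenceLevel": "malicious",
    "analystVerdict": "undefined", "incidentStatus": "unresolved",
    "mitigationStatus": "not_mitigated", "filePath": "C:\\Users\\jdoe\\example.exe",
    "md5": null, "sha1": "0000000000000000000000000000000000000000", "sha256": null,
    "processUser": "jdoe", "originatorProcess": "powershell.exe",
    "storyline": "S1-EXAMPLE", "identifiedAt": "2021-12-12T23:00:07.085000Z"
  }
}
"""
SAMPLE_THREAT = json.loads(SAMPLE_THREAT_JSON)


def best_hash(info: dict) -> Optional[str]:
    """Return the strongest hash present as 'algo:value'; any of the three may be null."""
    for key in ("sha256", "sha1", "md5"):
        value = info.get(key)
        if value:
            return f"{key}:{value}"
    return None


def tactic_names(threat: dict) -> list:
    """Collect unique MITRE tactic names across all indicators, sorted for stable output."""
    names = set()
    for indicator in threat.get("indicators") or []:
        for tactic in indicator.get("tactics") or []:
            if tactic.get("name"):
                names.add(tactic["name"])
    return sorted(names)


def flatten_threat(threat: dict) -> dict:
    """Pull the fields a correlation engine keys on out of the nested record."""
    info = threat.get("threatInfo") or {}
    detection = threat.get("agentDetectionInfo") or {}
    realtime = threat.get("agentRealtimeInfo") or {}
    return {
        "threat_id": info.get("threatId") or threat.get("id"),
        "threat_name": info.get("threatName"),
        "classification": info.get("classification"),
        "confidence_level": info.get("confidenceLevel"),
        "analyst_verdict": info.get("analystVerdict"),
        "incident_status": info.get("incidentStatus"),
        "mitigation_status": info.get("mitigationStatus"),
        "file_path": info.get("filePath"),
        "file_hash": best_hash(info),
        "process_user": info.get("processUser"),
        "originator_process": info.get("originatorProcess"),
        "storyline": info.get("storyline"),
        "identified_at": info.get("identifiedAt"),
        "agent_uuid": detection.get("agentUuid"),
        "agent_host": realtime.get("agentComputerName"),
        "agent_ip": detection.get("agentIpV4"),
        "agent_user": detection.get("agentLastLoggedInUserName"),
        "site": detection.get("siteName"),
        "tactics": tactic_names(threat),
    }


def needs_analyst_attention(flat: dict) -> bool:
    """Unresolved, no analyst verdict yet, and not mitigated by the agent (status values assumed)."""
    return (flat["incident_status"] == "unresolved"
            and flat["analyst_verdict"] in (None, "undefined")
            and flat["mitigation_status"] != "mitigated")


def api_request_for(host: str, token: str, cursor: Optional[str] = None) -> dict:
    """Build the request a collector would send; URL layout, header and cursor param are assumptions."""
    params = {"limit": 100}
    if cursor:
        params["cursor"] = cursor
    return {"url": f"https://{host}.sentinelone.net/web/api/v2.1/threats",
            "headers": {"Authorization": f"ApiToken {token}"},  # a revoked token yields 401 here
            "params": params}


if __name__ == "__main__":
    event = flatten_threat(SAMPLE_THREAT)
    print(json.dumps(event, indent=2))
    print("needs analyst:", needs_analyst_attention(event))
    print(api_request_for("usea1-025", "<API_TOKEN_PLACEHOLDER>"))
```

Because the token is the only credential the collector holds, the revoke and regenerate actions above translate directly into a 401 from the request built by api_request_for; a collector should treat that as a configuration failure to surface, not retry it.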