Overview

SentinelOne offers solutions that deliver real-time endpoint protection, detection and response, and that monitor IoT frameworks for vulnerabilities. These solutions leverage the cloud for scalability.

Data from SentinelOne is collected by Hunters and ingested into the Hunters database, then populated in the Hunters portal and correlated with related threats detected by SentinelOne and by other sources.

Note: Hunters currently supports collection from the SentinelOne API version 2.1, and collection of Cloud Funnel events from AWS S3 buckets.

Supported data types

  • Raw Events (Cloud Funnel): Raw data collected by the SentinelOne agents.

  • Threats: All the Threats from SentinelOne's EDR solution.

sentinelone-threats schema
{
    "agentDetectionInfo": {
        "accountId": "String",
        "accountName": "String",
        "agentDetectionState": null,
        "agentDomain": "String",
        "agentIpV4": "String",
        "agentIpV6": "",
        "agentLastLoggedInUserName": "String",
        "agentMitigationMode": "String",
        "agentOsName": "String",
        "agentOsRevision": "String",
        "agentRegisteredAt": "2021-11-22T20:42:36.012930Z",
        "agentUuid": "String",
        "agentVersion": "String",
        "externalIp": "String",
        "groupId": "String",
        "groupName": "String",
        "siteId": "String",
        "siteName": "String"
    },
    "agentRealtimeInfo": {
        "accountId": "String",
        "accountName": "String",
        "activeThreats": 140,
        "agentComputerName": "String",
        "agentDecommissionedAt": null,
        "agentDomain": "String",
        "agentId": "String",
        "agentInfected": true,
        "agentIsActive": true,
        "agentIsDecommissioned": false,
        "agentMachineType": "String",
        "agentMitigationMode": "String",
        "agentNetworkStatus": "String",
        "agentOsName": "String",
        "agentOsRevision": "String",
        "agentOsType": "String",
        "agentUuid": "String",
        "agentVersion": "String",
        "groupId": "String",
        "groupName": "String",
        "networkInterfaces": [
            {
                "id": "String",
                "inet": [
                    "String"
                ],
                "inet6": [],
                "name": "String",
                "physical": "String"
            }
        ],
        "operationalState": "na",
        "rebootRequired": false,
        "scanAbortedAt": null,
        "scanFinishedAt": "2021-11-22T23:03:33.321830Z",
        "scanStartedAt": "2021-11-22T20:43:45.884845Z",
        "scanStatus": "finished",
        "siteId": "String",
        "siteName": "String",
        "storageName": null,
        "storageType": null,
        "userActionsNeeded": []
    },
    "containerInfo": {
        "id": null,
        "image": null,
        "labels": null,
        "name": null
    },
    "id": "String",
    "indicators": [
        {
            "category": "String",
            "description": "String",
            "ids": [
                int
            ],
            "tactics": [
                {
                    "name": "String",
                    "source": "String",
                    "techniques": []
                }
            ]
        }
    ],
    "kubernetesInfo": {
        "cluster": null,
        "controllerKind": null,
        "controllerLabels": null,
        "controllerName": null,
        "namespace": null,
        "namespaceLabels": null,
        "node": null,
        "pod": null,
        "podLabels": null
    },
    "mitigationStatus": [],
    "threatInfo": {
        "analystVerdict": "String",
        "analystVerdictDescription": "String",
        "automaticallyResolved": false,
        "browserType": null,
        "certificateId": "",
        "classification": "String",
        "classificationSource": "String",
        "cloudFilesHashVerdict": "String",
        "collectionId": "String",
        "confidenceLevel": "String",
        "createdAt": "2021-12-12T23:00:07.386997Z",
        "detectionEngines": [
            {
                "key": "String",
                "title": "String"
            }
        ],
        "detectionType": "String",
        "engines": [
            "String"
        ],
        "externalTicketExists": false,
        "externalTicketId": null,
        "failedActions": false,
        "fileExtension": "String",
        "fileExtensionType": "String",
        "filePath": "String",
        "fileSize": 833536,
        "fileVerificationType": "String",
        "identifiedAt": "2021-12-12T23:00:07.085000Z",
        "incidentStatus": "String",
        "incidentStatusDescription": "String",
        "initiatedBy": "String",
        "initiatedByDescription": "String",
        "initiatingUserId": null,
        "initiatingUsername": null,
        "isFileless": false,
        "isValidCertificate": false,
        "maliciousProcessArguments": "String",
        "md5": null,
        "mitigatedPreemptively": false,
        "mitigationStatus": "String",
        "mitigationStatusDescription": "String",
        "originatorProcess": "String",
        "pendingActions": false,
        "processUser": "String",
        "publisherName": "",
        "reachedEventsLimit": false,
        "rebootRequired": false,
        "sha1": "String",
        "sha256": null,
        "storyline": "String",
        "threatId": "String",
        "threatName": "String",
        "updatedAt": "2021-12-12T23:00:07.383888Z"
    },
    "whiteningOptions": [
        "String",
        "String"
    ]
}

  • Agents: All the Agents from SentinelOne's EDR solution.

sentinelone-agents schema
{
    "accountId": "String",
    "accountName": "String",
    "activeDirectory": {
        "computerDistinguishedName": null,
        "computerMemberOf": [],
        "lastUserDistinguishedName": null,
        "lastUserMemberOf": []
    },
    "activeThreats": 1,
    "agentVersion": "String",
    "allowRemoteShell": true,
    "appsVulnerabilityStatus": "String",
    "cloudProviders": {},
    "computerName": "String",
    "consoleMigrationStatus": "N/A",
    "coreCount": 16,
    "cpuCount": 16,
    "cpuId": "String",
    "createdAt": "2021-04-06T14:59:22.791311Z",
    "detectionState": null,
    "domain": "String",
    "encryptedApplications": false,
    "externalId": "",
    "externalIp": "String",
    "firewallEnabled": false,
    "firstFullModeTime": null,
    "groupId": "String",
    "groupIp": "String",
    "groupName": "String",
    "id": "String",
    "inRemoteShellSession": false,
    "infected": true,
    "installerType": "String",
    "isActive": true,
    "isDecommissioned": false,
    "isPendingUninstall": false,
    "isUninstalled": false,
    "isUpToDate": true,
    "lastActiveDate": "2021-12-13T15:30:53.053654Z",
    "lastIpToMgmt": "String",
    "lastLoggedInUserName": "String",
    "licenseKey": "",
    "locationEnabled": true,
    "locationType": "String",
    "locations": [
        {
            "id": "String",
            "name": "String",
            "scope": "String"
        }
    ],
    "machineType": "String",
    "mitigationMode": "String",
    "mitigationModeSuspicious": "String",
    "modelName": "String",
    "networkInterfaces": [
        {
            "gatewayIp": "String",
            "gatewayMacAddress": "String",
            "id": "String",
            "inet": [
                "String"
            ],
            "inet6": [],
            "name": "String",
            "physical": "String"
        }
    ],
    "networkQuarantineEnabled": false,
    "networkStatus": "connected",
    "operationalState": "na",
    "operationalStateExpiration": null,
    "osArch": "String",
    "osName": "String",
    "osRevision": "String",
    "osStartTime": "2021-12-09T12:25:11Z",
    "osType": "String",
    "osUsername": null,
    "rangerStatus": "Enabled",
    "rangerVersion": "String",
    "registeredAt": "2021-04-06T14:59:22.787465Z",
    "remoteProfilingState": "disabled",
    "remoteProfilingStateExpiration": null,
    "scanAbortedAt": "2021-04-06T15:00:55.635228Z",
    "scanFinishedAt": "2021-04-06T15:31:20.877585Z",
    "scanStartedAt": "2021-04-06T15:12:03.592336Z",
    "scanStatus": "finished",
    "siteId": "String",
    "siteName": "Default site",
    "storageName": null,
    "storageType": null,
    "threatRebootRequired": false,
    "totalMemory": 65469,
    "updatedAt": "2021-12-13T15:17:31.832317Z",
    "userActionsNeeded": [],
    "uuid": "String"
}

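The two schemas above are what a correlation rule actually consumes, so it helps to see how they flatten and join. The following is an added example, not Hunters' or SentinelOne's code: it normalises one threat record and one agent record into the fields an analyst correlates on (host, user, hashes that are actually present, unique MITRE tactic names), joins threats to agents on the agent UUID, and flags open unmitigated threats as well as threats whose agent is missing from the inventory. The sample records are constructed to match the schemas; the enum-like values such as "malicious", "not_mitigated" and "unresolved" are assumptions, not values taken from this page.

```python
from __future__ import annotations

from typing import Any

# Constructed sample records shaped like the sentinelone-threats and
# sentinelone-agents schemas above. Enum-like values ("malicious",
# "not_mitigated", "unresolved", ...) are assumed, not taken from this page.
SAMPLE_THREATS: list[dict[str, Any]] = [
    {
        "id": "t-1",
        "agentDetectionInfo": {"agentUuid": "uuid-a", "agentLastLoggedInUserName": "alice"},
        "agentRealtimeInfo": {"agentComputerName": "WS-01"},
        "indicators": [
            {"category": "Persistence", "description": "constructed", "ids": [1],
             "tactics": [{"name": "Persistence", "source": "MITRE", "techniques": []},
                         {"name": "Defense Evasion", "source": "MITRE", "techniques": []}]},
            {"category": "General", "description": "constructed", "ids": [2],
             "tactics": [{"name": "Persistence", "source": "MITRE", "techniques": []}]},
        ],
        "threatInfo": {
            "threatName": "sample.exe", "classification": "Malware",
            "confidenceLevel": "malicious", "analystVerdict": "undefined",
            "mitigationStatus": "not_mitigated", "incidentStatus": "unresolved",
            "md5": None, "sha1": "a" * 40, "sha256": None,  # placeholder, not a real IoC
            "filePath": "C:\\Users\\alice\\Downloads\\sample.exe", "isFileless": False,
            "identifiedAt": "2021-12-12T23:00:07.085000Z",
        },
    },
    {
        "id": "t-2",
        "agentDetectionInfo": {"agentUuid": "uuid-unknown", "agentLastLoggedInUserName": "bob"},
        "agentRealtimeInfo": {"agentComputerName": "WS-02"},
        "indicators": [],
        "threatInfo": {
            "threatName": "tool.dll", "classification": "PUA",
            "confidenceLevel": "suspicious", "analystVerdict": "false_positive",
            "mitigationStatus": "mitigated", "incidentStatus": "resolved",
            "md5": None, "sha1": None, "sha256": "b" * 64,  # placeholder, not a real IoC
            "filePath": "C:\\Temp\\tool.dll", "isFileless": False,
            "identifiedAt": "2021-12-13T01:00:00.000000Z",
        },
    },
]

SAMPLE_AGENTS: list[dict[str, Any]] = [
    {"uuid": "uuid-a", "computerName": "WS-01", "osName": "Windows 10", "activeThreats": 1,
     "isActive": True, "infected": True, "networkStatus": "connected",
     "networkQuarantineEnabled": False, "lastActiveDate": "2021-12-13T15:30:53.053654Z"},
]

# Output field name -> source key inside threatInfo / the agent record.
THREAT_FIELDS = {"threat_name": "threatName", "classification": "classification",
                 "confidence": "confidenceLevel", "verdict": "analystVerdict",
                 "mitigation_status": "mitigationStatus", "incident_status": "incidentStatus",
                 "file_path": "filePath", "fileless": "isFileless", "identified_at": "identifiedAt"}
AGENT_FIELDS = {"uuid": "uuid", "host": "computerName", "os": "osName",
                "active_threats": "activeThreats", "is_active": "isActive",
                "infected": "infected", "network_status": "networkStatus",
                "quarantined": "networkQuarantineEnabled", "last_active": "lastActiveDate"}


def normalize_threat(t: dict[str, Any]) -> dict[str, Any]:
    """Flatten one threat record into the fields an analyst correlates on."""
    det = t.get("agentDetectionInfo") or {}
    rt = t.get("agentRealtimeInfo") or {}
    info = t.get("threatInfo") or {}
    row = {out: info.get(src) for out, src in THREAT_FIELDS.items()}
    row.update(threat_id=t.get("id"), agent_uuid=det.get("agentUuid"),
               host=rt.get("agentComputerName"), user=det.get("agentLastLoggedInUserName"))
    # Unique MITRE tactic names across every indicator on the threat.
    row["tactics"] = sorted({tac["name"] for ind in t.get("indicators") or []
                             for tac in ind.get("tactics") or [] if tac.get("name")})
    # Keep only the hashes the record actually carries (md5/sha256 are often null).
    row["hashes"] = {h: info[h] for h in ("md5", "sha1", "sha256") if info.get(h)}
    return row


def normalize_agent(a: dict[str, Any]) -> dict[str, Any]:
    """Keep the agent fields that matter when a threat lands on the host."""
    return {out: a.get(src) for out, src in AGENT_FIELDS.items()}


def join_threats_to_agents(threats, agents) -> list[dict[str, Any]]:
    """Attach the matching agent record to each threat, keyed on the agent UUID."""
    by_uuid = {a["uuid"]: normalize_agent(a) for a in agents}
    rows = []
    for t in threats:
        row = normalize_threat(t)
        row["agent"] = by_uuid.get(row["agent_uuid"])
        row["agent_known"] = row["agent"] is not None
        rows.append(row)
    return rows


def needs_attention(row: dict[str, Any]) -> bool:
    """Open, unmitigated threats, plus threats whose agent is absent from the
    agent inventory (the two datasets should agree; a gap is worth a look)."""
    open_unmitigated = (row["incident_status"] == "unresolved"
                        and row["mitigation_status"] != "mitigated")
    return open_unmitigated or not row["agent_known"]


if __name__ == "__main__":
    for row in join_threats_to_agents(SAMPLE_THREATS, SAMPLE_AGENTS):
        flag = "ATTENTION" if needs_attention(row) else "ok"
        print(flag, row["threat_id"], row["host"], row["threat_name"], row["tactics"], row["hashes"])
```

The hash dictionary deliberately drops null entries: in real threat records md5 and sha256 are frequently null while sha1 is populated, so a rule that keys on a fixed hash field silently misses matches. The agent join is the same correlation the portal performs between the threats and agents datasets, and the "agent unknown" flag is a cheap consistency check between the two collections.
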
Sending Raw Events (Cloud Funnel) data to Hunters

To enable Hunters' collection and ingestion of SentinelOne Raw Events (Cloud Funnel), the logs should be exported from your SentinelOne account to an S3 bucket and shared with Hunters. More details on Cloud Funnel by SentinelOne can be found here.

Sending Agents and Threats data to Hunters

Hunters will access SentinelOne's API on your behalf and collect the agents and threats events.

The following information is required to configure SentinelOne events collection:

  1. Host Name

  2. API Token

SentinelOne APIs are authenticated via application keys. You must obtain the API token to use when configuring the SentinelOne connector.

Obtain the host name

Contact SentinelOne Support, and ask for your API host name. It should be similar to "usea1-025".

Obtain the API token

  1. Log in to the SentinelOne Management Console as an administrator.

  2. Navigate to Settings > Users.

  3. Click your username.

  4. Click Edit.

  5. Navigate to Edit User > API Token.

  6. Click Generate.

  7. Click Copy to record the value for the API token that appears in a new window.

  8. Click Download. Share the API token with Hunters to onboard SentinelOne Threats.

The SentinelOne cloud connector generates a new token every six months. When you generate or regenerate a token, SentinelOne displays the expiration date for the token.

If a token is already generated, the window displays Revoke or Regenerate buttons. Clicking Revoke removes the authorization granted by the existing token. Clicking Regenerate removes the authorization granted by the existing token and creates a new API token. If you revoke or regenerate a token, any scripts that use the token will stop working.
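To make concrete what the host name and API token are used for, and what happens to a collector when the token is revoked or regenerated, here is an added example of a minimal paginated collector against the SentinelOne API. It is not Hunters' connector and not SentinelOne's code. Everything about the API shape is an assumption taken from SentinelOne's public API documentation rather than from this page: that the console is reached at https://<host>.sentinelone.net, that list endpoints live under /web/api/v2.1/, that the token is sent as an "Authorization: ApiToken <token>" header, and that pages are linked through a ?cursor= query parameter and the response's pagination.nextCursor. The token value "SECRET-TOKEN" and the two-page fake console are constructed so the example runs offline; with S1_API_TOKEN set in the environment it switches to the real transport.

```python
from __future__ import annotations

import json
import os
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Callable, Iterator

# Assumptions (from SentinelOne's public API documentation, not this page): the
# console is reached at https://<host>.sentinelone.net, list endpoints live under
# /web/api/v2.1/, the token travels in "Authorization: ApiToken <token>", and
# pages are linked through ?cursor= and the response's pagination.nextCursor.
THREATS_PATH = "/web/api/v2.1/threats"
AGENTS_PATH = "/web/api/v2.1/agents"


class TokenRejected(RuntimeError):
    """Raised on HTTP 401: the token was revoked, regenerated or has expired."""


def build_request(host: str, token: str, path: str, limit: int = 100,
                  cursor: str | None = None) -> tuple[str, dict[str, str]]:
    """Compose the URL and headers for one page of a list endpoint."""
    params = {"limit": str(limit)}
    if cursor:
        params["cursor"] = cursor
    url = f"https://{host}.sentinelone.net{path}?{urllib.parse.urlencode(params)}"
    headers = {"Authorization": f"ApiToken {token}", "Accept": "application/json"}
    return url, headers


def cursor_of(url: str) -> str | None:
    """Read the cursor query parameter back out of a request URL."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return query.get("cursor", [None])[0]


def http_fetch(url: str, headers: dict[str, str]) -> dict[str, Any]:
    """Real transport: GET one page and decode the JSON body."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise TokenRejected("API token rejected; regenerate it in the console") from err
        raise


def iter_items(fetch: Callable[[str, dict[str, str]], dict[str, Any]], host: str,
               token: str, path: str, limit: int = 100) -> Iterator[dict[str, Any]]:
    """Walk every page of a list endpoint, following nextCursor until it is empty."""
    cursor = None
    while True:
        url, headers = build_request(host, token, path, limit, cursor)
        body = fetch(url, headers)
        yield from (body.get("data") or [])
        cursor = (body.get("pagination") or {}).get("nextCursor")
        if not cursor:
            return


# Constructed offline stand-in for the console: two pages of threats behind the
# constructed token "SECRET-TOKEN"; any other token is rejected as a 401 would be.
FAKE_PAGES = {
    None: {"data": [{"id": "t-1"}], "pagination": {"nextCursor": "page-2"}},
    "page-2": {"data": [{"id": "t-2"}], "pagination": {"nextCursor": None}},
}


def fake_fetch(url: str, headers: dict[str, str]) -> dict[str, Any]:
    if headers.get("Authorization") != "ApiToken SECRET-TOKEN":
        raise TokenRejected("API token rejected")
    return FAKE_PAGES[cursor_of(url)]


def redacted(token: str) -> str:
    """Never log the full token; a short prefix is enough to tell which one was used."""
    return token[:4] + "..." if token else "<none>"


if __name__ == "__main__":
    # Read the host name and token from the environment rather than hardcoding them.
    host = os.environ.get("S1_HOST", "usea1-025")  # host name format from the page
    token = os.environ.get("S1_API_TOKEN", "SECRET-TOKEN")
    fetch = http_fetch if "S1_API_TOKEN" in os.environ else fake_fetch
    print(f"collecting from {host} with token {redacted(token)}")
    for threat in iter_items(fetch, host, token, THREATS_PATH, limit=1):
        print(threat["id"])
```

The 401 handling is the practical consequence of the revocation note above: once a token is revoked or regenerated, every page request fails, so a collector should surface that as a distinct "rotate the token" condition rather than retrying. Keeping the token out of source and out of logs (environment variable, redacted prefix) is the other half of treating it as the credential it is.
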