SentinelOne

AQtive Guard can ingest SentinelOne endpoint data, including installed applications and IT inventory details, to enable centralized IT management and enhance security posture.

SentinelOne requirements

  • The SentinelOne URL you will connect to.
  • A SentinelOne API token (requires user creation).

In addition to the requirements above, a valid SentinelOne Singularity™ RemoteOps Forensics license is needed to deploy the AQG Filesystem Scanner and trigger a scan.

Refer to Trigger SentinelOne scan for details.

Configure the SentinelOne integration

There are two main steps to configure the SentinelOne integration:

  1. In SentinelOne: Create a user account and generate an API token.
  2. In AQtive Guard: Configure the SentinelOne data source.

Create a user

In SentinelOne, follow these steps to create a user and generate an API token. For more information, refer to Generating an API token in the SentinelOne user documentation.

  1. Sign in to the SentinelOne Management Console with Admin user credentials.
  2. In the Management Console, select Settings.
  3. In the Settings view, select Users, then Service Users.
  4. Select the Actions dropdown, then Create New Service User.
  5. Enter the information for the new service user.
  6. In Role, select Admin.
  7. Select Save.

Log in to the SentinelOne Management Console with the credentials of the new user you just created to complete the following steps.

  1. Navigate to Settings, then Users.
  2. Select the newly added service user.
  3. Select Options, then Generate API token.
  4. Copy or download this API Token.

Important

The API token will not be displayed again for security reasons.

Configure the SentinelOne data source

Log in to AQtive Guard to complete the following steps.

  1. Select Data sources from the main menu, then select Configure in the SentinelOne panel.
  2. Enter the following information into the designated fields:
    • Instance URL - the location of the SentinelOne API.
    • API Token - the API token you generated in SentinelOne.
  3. (Optional) Select Test Connection to check the connection to the SentinelOne API.
  4. Select Submit to update the settings.

Note

Selecting Submit performs the same check as the Test Connection button and additionally verifies that the API token is valid.

Use

Once the integration is configured, you can ingest inventory data or trigger a SentinelOne scan.

Note

If the SentinelOne settings aren’t configured, the ingestion option will be disabled.

Ingest inventory data

To ingest inventory data from SentinelOne:

  1. Select Data sources from the main menu, then select Details in the SentinelOne panel.
  2. Select Start IT Inventory ingestion to trigger the ingestion of data into AQtive Guard.

    You’ll see a notification confirming that the data ingestion has started.

View SentinelOne inventory data

Once the ingestion is complete, any relevant data will begin populating. To find it, select Hosts or Apps from IT Assets and look for the S1 tag in the Data sources column.

Trigger SentinelOne scan

To run a scan and ingest SentinelOne data for analysis by AQtive Guard:

  1. Select Data sources from the main menu, then select Details in the SentinelOne panel.
  2. In the Scans section, select Start Scan and configure the following:

    • Scan name - a default date and timestamp is provided. You can change this to any unique name.
    • Scan Settings Profile - the impact that the scan will have on your infrastructure. There are three options:
      • High impact - this will use a workload of 100%. There’s also no limit to the number of files that can be scanned per second, and the max file size is 1 GB.
      • Standard impact (default) - this will use a workload of 50%. The number of files that can be scanned per second is 10,000 and the max file size is 1 MB.
      • Low impact - this will use a workload of 5%. The number of files that can be scanned per second is 1,000 and the max file size is 512 KB.
    • OS - select MacOS, Linux, Windows, or any combination of the three.
    • Hostname (optional) - only scan hosts whose name contains the entered text. To match several hosts, enter multiple terms separated by commas. For instance, entering sentinel-one-windows, testmachine in this field would scan hosts whose hostnames contain either of these phrases.

      The Estimated number of affected hosts section updates as you fill in the required fields.

  3. Select Start Scan to scan the selected hosts and ingest the data into AQtive Guard for analysis.
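As an added example (not AQtive Guard or SentinelOne code), the following Python models the scan targeting and profile limits described above: the three Scan Settings Profiles with the page's figures, the OS selection, and the comma-separated Hostname filter. It assumes case-insensitive substring matching for hostnames, binary units for the file-size limits, that files over the limit are skipped, and a constructed host inventory.

```python
from dataclasses import dataclass

# Scan Settings Profiles as listed on the page:
# (workload %, files-per-second cap or None for unlimited, max file size in bytes).
# Binary units (1 MB = 1024**2) are an assumption of this example.
PROFILES = {
    "High impact": (100, None, 1024 ** 3),
    "Standard impact": (50, 10_000, 1024 ** 2),
    "Low impact": (5, 1_000, 512 * 1024),
}


@dataclass(frozen=True)
class Host:
    hostname: str
    os: str  # "MacOS", "Linux" or "Windows"


def hostname_filters(text: str) -> list[str]:
    """Split the Hostname field on commas, trimming whitespace and dropping blanks."""
    return [part.strip().lower() for part in text.split(",") if part.strip()]


def affected_hosts(hosts, oses, hostname_text=""):
    """Hosts a scan would target: OS must be selected and, if the Hostname
    field is non-empty, the hostname must contain one of its terms
    (case-insensitive substring match is assumed here)."""
    terms = hostname_filters(hostname_text)
    selected = {o.lower() for o in oses}
    targeted = []
    for h in hosts:
        if h.os.lower() not in selected:
            continue
        if terms and not any(t in h.hostname.lower() for t in terms):
            continue
        targeted.append(h)
    return targeted


def scannable_files(profile, file_sizes):
    """Split file sizes into (scanned, skipped) by the profile's max file size."""
    _, _, max_size = PROFILES[profile]
    return ([s for s in file_sizes if s <= max_size],
            [s for s in file_sizes if s > max_size])


def min_scan_seconds(profile, file_count):
    """Lower bound on scan time from the files-per-second cap (0 if unlimited)."""
    _, cap, _ = PROFILES[profile]
    return 0.0 if cap is None else file_count / cap


# Constructed inventory for the example; these are not real hosts.
INVENTORY = [
    Host("sentinel-one-windows-01", "Windows"),
    Host("testmachine", "Linux"),
    Host("TESTMACHINE-mac", "MacOS"),
    Host("build-agent-7", "Linux"),
]
```

Calling `affected_hosts(INVENTORY, ["Windows", "Linux"], "sentinel-one-windows, testmachine")` reproduces the page's example filter and is the same count the Estimated number of affected hosts field would show for this inventory.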

View SentinelOne scan data

Once you start a scan, you can see the progress in the Scans table. The table displays the following information:

  • Name - the scan name provided when configuring the scan.
  • Status - the status of a scan. The possible values are:
    • Pending - scan is in the scan queue.
    • In Progress - actively scanning.
    • Completed - scan has been successfully ingested into AQtive Guard.
    • Canceled - the scan has been terminated by user action.
  • Progress - the number of hosts scanned / total number of hosts selected. Once the scan is completed, this column shows the number of both successful and failed scans.
  • Scan Start - the timestamp for when the scan started (MM/DD/YYYY HH:MM:SS AM/PM), based on the time zone set in your browser, with system time in UTC.
  • Scan End - the timestamp for when the scan is completed or stopped (MM/DD/YYYY HH:MM:SS AM/PM), based on the time zone set in your browser, with system time in UTC.
  • Duration - the length of time the scan was active.

You can view more information for a specific scan by selecting Details in the row of the scan you’re interested in. The Scan Results table appears, which displays the following:

  • IT Asset - the name of the asset (host or device) included in the scan.
  • Scan Status - the current status of an asset’s scan within AQtive Guard, indicating its progress and outcome:
    • Pending - the asset is in the scan queue, waiting for processing.
    • Setting Up - AQtive Guard is preparing the environment and resources necessary to initiate the scan on the asset.
    • Scanning - the scan is actively running on the asset.
    • Pending Trace Retrieval - the scan has completed on the asset, and AQtive Guard is preparing to begin collecting the generated scan data.
    • Retrieving Trace - AQtive Guard is actively collecting the scan data from the asset.
    • Retrieved Trace - the scan data has been successfully collected from the asset by AQtive Guard.
    • Downloading Trace - AQtive Guard is actively ingesting and transferring the scan results into its processing pipeline.
    • Downloaded Trace - the scan results have been successfully transferred and are ready for processing within AQtive Guard.
    • Success - the scan data was successfully ingested and processed by AQtive Guard.
    • Fail - the scan on this asset encountered an error and didn’t complete successfully.
  • OS - the asset’s Operating System (OS). This can be MacOS, Linux, Windows, or a combination of the three.

Any assets successfully scanned will also appear in IT assets.

Unlink the SentinelOne integration

Unlink the SentinelOne integration only if your organization needs to reconfigure or stop data sharing with SentinelOne.

To unlink the SentinelOne configuration:

  1. Select Data sources from the main menu, then select Details in the SentinelOne panel.
  2. Select Unlink.
  3. Select Confirm and unlink SentinelOne.