SentinelOne Integration

  • Updated on Sep 07, 2022

Note: The SentinelOne integration is in Early Preview. Final design can change, without warning, prior to the Generally Available release.

Overview

SentinelOne is an Endpoint Detection and Response (EDR) platform that collects device telemetry data to determine if a device is in a compromised state. Banyan is able to integrate with SentinelOne to obtain device information unique to SentinelOne’s platform.

Prerequisites

  • SentinelOne integration requires the Banyan app to be on version 3.3 or greater.

  • SentinelOne Agent sensor must be present on the device.

Step 1: Begin adding the integration

1.1 To configure Banyan’s SentinelOne integration, navigate to Settings in the Command Center.

1.2 In Settings, select Trust Integrations, under the TrustScore Settings on the left pane.

1.3 Select Add Integration.

1.4 Select SentinelOne as the Integration Partner.

Step 2: Enter integration details

2.1 Enter a recognizable name in the Integration Name field.

Note: It is recommended the name match the name used when discussing the SentinelOne instance, such as ‘Production SentinelOne’ or ‘SentinelOne’. This name appears as the source for factors derived from the integration.

2.2 Optional: Provide a description of the SentinelOne tenant being integrated.

Step 3: Enter API details

3.1 To obtain the API details from SentinelOne, follow the SentinelOne guide.

Note: We require an API Tenant URL and API token to provide service-to-service communication.

The API requires read-only scope for the integration to be successful. We use the API details provided to obtain a short-lived OAuth 2.0 token, which is leveraged to gather the information requested by each factor available from the integration.

After creating an API key inside SentinelOne, complete the following steps:

3.2 Enter the API Endpoint.

3.3 Enter the API Key.

Step 4: Test the connection to add the integration

In order for an integration to be added within Banyan, a successful test connection must be completed for your SentinelOne instance. At least one operating system (per factor) must be selected in order to save the integration.

4.1 After a successful test connection, the Add Integration button will become available.

4.2 Select Add Integration to save the configuration.


Optional: Editing the Integration

To edit the SentinelOne integration, complete the following steps:

1. Select the Integration Name that matches the integration you need to change.

2. Select the pencil icon in the top corner of the integration details page.

3. Make any desired changes in the configuration fields.

As previously mentioned in Step 4, a successful test connection must be completed against your SentinelOne instance in order for the integration to be saved. To trigger a test connection, select Test Connection. The test connection will result in either a successful or an unsuccessful connection response.

After a successful test connection is completed, an option to Save will become available.

4. Select Save to save the configuration.


Available Factors

Available factors of a SentinelOne integration are shown after the integration of the SentinelOne tenant is successfully added within the Command Center. Some factors have configurations that can be changed to meet the requirements for one’s organization. Other factors are only available to turn on and off, representing a true or false for that factor. The following table shows the available factors and which Operating Systems they are supported on:

Factor Name macOS Windows Linux Android iOS
Registered With    
Not Active Threat    

The following table shows the APIs from SentinelOne used to obtain the required information for each factor:

Factor Name          SentinelOne API Endpoint
Registered With      /web/api/v2.1/agents
Not Active Threat    /web/api/v2.1/agents

Registered With

The Registered With factor validates that the device is registered with the SentinelOne environment. Registered With is a boolean (true/false) factor and is derived from the following SentinelOne API endpoint:

/web/api/v2.1/agents

The Registered With factor is satisfied if Banyan receives a valid response from the endpoint above. This response is based on the SentinelOne agentID, which is reflected on the Banyan app.

Not Active Threat

The Not Active Threat factor validates that the device does not contain any active threats, as defined by SentinelOne. Not Active Threat is a boolean (true/false) factor and is derived from the following SentinelOne API endpoint:

/web/api/v2.1/agents

The key value Banyan reviews to determine Not Active Threat status is activeThreats, as shown below:

...
"externalId": "string",
"threatRebootRequired": "boolean",
"id": "225494730938493804",
"activeThreats": 3,
"serialNumber": "string",
...
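The following is an added example, not Banyan's or SentinelOne's own code, showing how the two factors above can be derived from an agents response: Registered With passes when the agent id reported by the Banyan app is present in the response, and Not Active Threat passes when that agent's activeThreats value is 0. The {"data": [...]} envelope and the sample records are assumptions constructed for the example; only the activeThreats field is quoted on the page.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed sample of a /web/api/v2.1/agents response. The "data" list
# envelope is assumed; only "activeThreats" appears in the page's excerpt.
SAMPLE_RESPONSE = json.dumps({
    "data": [
        {"id": "225494730938493804", "activeThreats": 3, "threatRebootRequired": True},
        {"id": "225494730938493805", "activeThreats": 0, "threatRebootRequired": False},
    ],
    "pagination": {"totalItems": 2, "nextCursor": None},
})


def find_agent(response_body: str, agent_id: str) -> Optional[Dict[str, Any]]:
    """Return the agent record whose id matches the agentID the Banyan app reports, else None."""
    payload = json.loads(response_body)
    agents: List[Dict[str, Any]] = payload.get("data") or []
    for agent in agents:
        if str(agent.get("id")) == agent_id:
            return agent
    return None


def evaluate_factors(response_body: str, agent_id: str) -> Dict[str, bool]:
    """Derive the two boolean factors described on the page.

    Registered With: the reported agent id is present in the agents response.
    Not Active Threat: that agent's activeThreats equals 0.
    Assumption for the example: an unregistered device cannot show it is
    threat-free, and a missing or non-integer activeThreats value fails the
    factor, so both cases evaluate to False (fail closed).
    """
    agent = find_agent(response_body, agent_id)
    if agent is None:
        return {"registered_with": False, "not_active_threat": False}
    active = agent.get("activeThreats")
    # bool is a subclass of int in Python; reject True/False as a count.
    threat_free = isinstance(active, int) and not isinstance(active, bool) and active == 0
    return {"registered_with": True, "not_active_threat": threat_free}


if __name__ == "__main__":
    for reported_id in ("225494730938493804", "225494730938493805", "000"):
        print(reported_id, evaluate_factors(SAMPLE_RESPONSE, reported_id))
```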

Configuring Factors

SentinelOne factors follow Banyan’s device Trust Scoring model.

Enabling/Disabling a SentinelOne Factor

To enable or disable a SentinelOne factor, navigate to Settings.

In Settings, select Device Scoring under TrustScore Settings.

Locate the SentinelOne factors required to enable or disable by referring to the Source column and finding the Name that corresponds to the correct SentinelOne instance.

Configuring Remediation for a SentinelOne Factor

Remediation settings for SentinelOne factors follow Banyan’s model for configuring remediation messages.

To see the remediation messages for SentinelOne factors, add the integration first. Given that there can be multiple SentinelOne integrations, each factor listed on the Remediation page contains the name of the SentinelOne instance next to the factor name.
