Skip to main content
All CollectionsConnectorsEndPoint Security
SentinelOne Connector (new revision)
SentinelOne Connector (new revision)
Updated over a week ago

Am I reading the correct user guide?

Some connectors on the Vulcan help center offer multiple user guides tailored to different setups and versions.

To open the correct user guide for your setup and version, go to the connector's setup page and click How to connect.


Connector details

About SentinelOne

SentinelOne provides a range of products and services to protect organizations against cyber threats. The SentinelOne security platform, named Singularity XDR, is designed to protect against various threats, including malware, ransomware, and other advanced persistent threats (APTs). It uses machine learning and other advanced analytics techniques to analyze real-time security data and identify patterns and behaviors that may indicate a security threat. When a threat is detected, the platform can automatically trigger a response, such as quarantining a device or issuing an alert to security personnel. Our main products are designed to protect the three security surfaces attackers are targetting today: Endpoint, Cloud, and Identity.

Endpoint: Our main product is a security platform that combines endpoint protection, EDR (Endpoint Detection and Response), and automated threat response capabilities into a single solution.

Support scope

Supported products

Endpoint security

Support notes:

  • Cloud and identity are not supported.

  • “Unprotected assets” are not supported.

Category

Endpoint Security

Ingestion type

Assets and vulnerabilities

Ingested asset type(s)

Hosts

Cloud Resources

Integration type

UNI directional (data is transferred from the Connector to the Vulcan Platform in one direction)

Supported version and type

SaaS (latest)

Connector Setup

Prerequisites and user permissions

Before you begin configuring the Connector, make sure you have the following:

Generating API token

  1. Go to the SentinelOne platform > My User.

  2. Go to Actions > API Token Operations.

  3. Click Generate API tokens

  4. Enter your Two-Factor Authentication credentials/code.

  5. Copy the generated token to use later on the connector's setup page on the Vulcan platform (notice its validity period).

Configuring the SentinelOne connector

  1. Login to the Vulcan ExposureOS platform and go to Connectors > Add a Connector.

  2. Click on the SentinelOne icon.

  3. Set up the Connector as follows:

    1. If a gateway is required, refer to the Vulcan Gateway guide to configure the gateway before proceeding. If not, continue following the steps in this guide.

    2. Enter your SentinelOne Server URL.

    3. Enter the API Key you generated earlier.

  4. Data pulling configuration:

    This configuration has dynamic settings tailored to the specific connector and integration type. Below are the configurations relevant to this connector.

    • Asset types to fetch: Click the drop-down and select the asset types you want to fetch.

    • Asset Retention: Configure the retention period for inactive assets based on their last seen date. If an asset has not been detected or updated in a scan within the specified days, it will be automatically removed from the Vulcan ExposureOS platform. This ensures your asset inventory stays current and relevant.

      Example:

  5. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your SentinelOne instance.

    Notes:

    • A successful connectivity test confirms that the platform can connect to the SentinelOne instance. However, it does not guarantee that the synchronization process will succeed, as additional syncing or processing issues may arise.

      Example:

    • If the connectivity test fails, an error message with details about the issue will appear. Click the arrow next to the error message for more information about the exact error.

      Example:

  6. Connector scheduling: Set the connector's sync time and days. By default, all days are selected.

  7. Click Create to start syncing the new connector, or Save Changes if editing an existing connector.

  8. Allow some time for the sync to complete. Then, you can review the sync status on the Connectors main page or underConnector sync logs on the connector's specific setup page.

  9. To confirm the sync is complete, navigate to the Connectors page. The sync is complete once the SentinelOne icon shows Connected.
    Example:


SentinelOne in the Vulcan platform

Viewing findings

To view findings (instances) ingested by the SentinelOne connector:

  1. Go to the Findings page.

  2. Click on Filter and set the condition to Vulnerability > Source > is > SentinelOne.

    Example:

You can also:

Viewing vulnerabilities

To view vulnerabilities ingested by the SentinelOne connector:

  1. Go to the Vulnerabilities page.

  2. Click on Filter and set the condition to Vulnerability > Source > is > SentinelOne.

    Example:

You can also:

Viewing assets

To view assets ingested by the SentinelOne connector:

  1. Go to the Assets page.

  2. Click on Filter and set the condition to Asset > Source > is > SentinelOne.

    Example:

You can also:

Taking action on vulnerabilities and assets

To take remediation action on vulnerabilities and assets ingested by SentinelOne:

  1. Go to the Vulnerabilities or Assets Page.

  2. Use the Filter to view the assets/vulnerabilities by source. You can always filter by Business Group and add more filters to narrow your search.

  3. Select the relevant vulnerabilities/assets from the results list.

  4. Click on Take Action to proceed with remediation or further actions.

    Example:

Automating remediation actions on vulnerabilities

Use Vulcan Playbooks to create automation and remediate vulnerabilities at scale.


Data Mapping

The Vulcan Platform integrates with SentinelOne through an API that pulls relevant vulnerability and asset data and maps it to the platform's pages and fields. The vulnerabilities and/or assets data is ingested from the vendor platform and mapped into the Vulcan ExposureOs platform.

Host data mapping

Asset data

SentinelOne UI field

SentinelOne API field

Vulcan field

Cloud id

cloudProviders.<CloudProvider>.cloudInstanceId

Cloud ID cloud_instance_id

Application name

computerName

Host Name (hostname)

OS

osName

Host OS (os)

os version

osRevision

Host OS Version (os_version)

IP

externalIp or networkInterfaces[*].inet

Host IP (ip )

EXTERNAL IP

externalIp or networkInterfaces[*].inet

Host external IP (ip )

-

networkInterfaces[*].physical

Host MAC addresses (mac_address)

Application detection date

createdAt

Host first Seen (first_seen)

last active date

lastActiveDate

Host Last report (last_seen)

Type
site name
version
install date
group name

machineType

siteName

groupName

Host details (added_data)

Cloud tags

tags

Host Tags - Vendor’s tags (tags)

group name

groupName

Host Tags - Additional (tags)

Application

applicationName

Host Component - Package name (package)

package version

applicationVersion

Image Component - Package Version (package_version)

Unique vulnerability data

SentinelOne UI field

SentinelOne API field

Vulcan field

cve id

cveId

Unique Vulnerability uniqueness criteria

CVE

cveId

Vulnerability title (title)

risk score / cvss score?

baseScore

Vulnerability score (cvss_score)

description

description

Vulnerability description (description)

published date
modified date
severity

+ vulnerability data / description

publishedDatecve

baseScore

lastScanDate

mitreUrl

sevrity

Vulnerability details (added_data)

cve

-

CVE/S (report_item_cve)

Finding data (asset-instance connection)

SentinelOne UI field

SentinelOne API field

Vulcan field

endpoint + application + CVES

id

Vulnerability instance uniqueness criteria

first seen

detectionDate

Vulnerability instance First seen (first_seen)

-

lastScanDate

Vulnerability instance Last seen (last_seen)


-

id

Vulnerability instance details(added_data)

Cloud Resource data mapping

Asset data

SentinelOne API field

Vulcan field

computerName

Cloud resource Name (name)

machineType

resource type(resource_type)

createdAt

Cloud resource first Seen (first_seen)

lastActiveDate

Cloud resource Last report (last_seen)

tags

Cloud resource Tags - Additional (tags)

Unique vulnerability data

SentinelOne API field

Vulcan field

cveId

Vulnerability title (title)

baseScore

Vulnerability score (cvss_score)

description

Vulnerability description (description)

vulnerability data / description

Vulnerability details (added_data)

Finding data (asset-instance connection)

SentinelOne UI field

SentinelOne API field

Vulcan field

endpoint + application + CVES

id

Vulnerability instance uniqueness criteria

first seen

detectionDate

Vulnerability instance First seen (first_seen)

-

lastScanDate

Vulnerability instance Last seen (last_seen)


-

id

Vulnerability instance details(added_data)

Vulnerability status mapping

Findings (instances) ingested from connectors are mapped into the Vulcan platform by status.

  • Based on the status and severity fields.

SentinelOne status

Vulcan status

If status is "detected" and severity is anything other than "false positive"

Vulnerable

If status is "removed" (regardless of severity)

Fixed

If status is "detected" and severity is "false positive", the vulnerability is false positive.

False positive

The statuses are mapped into the Findings page > Show <status> view:


Vulnerability score mapping

Risk scores ingested from connectors are converted into numeric scores and mapped into the Vulcan platform risk score field, which eventually impacts the contextualized risk calculation.

  • Based on the baseScore field

SentinelOne score

Vulcan score

Critical

10

High

7

Medium

5

Low

3

-

0

The scores are mapped into the Score field of the Vulnerability details:

Status update Mechanisms

Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones.

The table below lists how the status update mechanism works in the <X Connector> for the vulnerabilities and assets in the Vulcan Platform.

Status change

When?

The asset is archived

- Asset not found on the connector's last sync

- Asset not seen for X days according to "Last Seen"

The vulnerability instance status changes to "Fixed"

- If the vulnerability no longer appears in the scan findings

- Vulnerability status on the connector's side changes to 'removed'

Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).

Support limitations and expected behavior

This section outlines any irregularities, expected behaviors, or limitations related to integrating the Vulcan Cyber ExposureOS platform and SentinelOne. It also highlights details about ingested and non-ingested data to clarify data handling and functionality within this integration.

  • Cloud and identity are not supported.

  • “Unprotected assets” are not supported.

API endpoints in use

API version: 2.1

API

Use in Vulcan

{{baseUrl}}/web/api/v2.1/agents

Assets

{{baseUrl}}/web/api/v2.1/application-management/risks

findings, vulnerabilities

{{baseUrl}}/web/api/v2.1/application-management/risks/cves

vulnerabilities enrichment


Data Validation

This section shows how to validate and compare data between Vulcan ExposureOS and the SentinelOne platform.

Matching Asset Count

Objective: Ensure the number of endpoints (assets) in SentinelOne aligns with the assets displayed in Vulcan.

In SentinelOne:

  1. Go to the Sentinels section where all endpoints are listed. These endpoints represent the assets that should be ingested into Vulcan.


  2. Note the total number of endpoints. If applicable, apply any filters or export options for a refined list.

    Example:


In Vulcan:

  1. Go to Assets and filter by connector (Set Where → Asset → Connector to SentinelOne).

  2. The filtered list in Vulcan should match (or closely align with) the number of endpoints in SentinelOne.|

    Example:


Validations if an asset is not present in Vulcan:

  • Archive by date: Ensure the asset is not archived in Vulcan based on an outdated last-seen date.

  • Archive by status: If the asset is no longer present or valid, confirm that it was removed or deleted.

  • Data pulling configuration: Verify that the relevant data-pulling configurations are correctly set on the connectors setup page. Make sure to click Save Changes if you modify the connector's setup.

Matching vulnerabilities count

Objective: Ensure the number of unique vulnerabilities found in SentinelOne aligns with Vulcan’s unique vulnerabilities.

In SentinelOne:

  1. Go to the Applications section and select a specific application from the list.

    Example:

  2. Switch the toggle from Endpoints to CVEs. This screen displays the vulnerabilities associated with that application.​

    Example:


    Note: SentinelOne’s UI may only show vulnerabilities for a single application at a time. To see the total set of vulnerabilities, you may need to repeat this step for each application.


In Vulcan:

  1. Go to Vulnerabilities and filter by connector (Set Where → Vulnerability → Source to SentinelOne).

  2. Verify that the categories or identifiers (e.g., CVEs) match the vulnerabilities shown in SentinelOne.

    Example:


Validations if vulnerability is not present in Vulcan:

  • No asset has this vulnerability: Check if the vulnerability is tied to an asset in <X> that exists in Vulcan.

  • Asset-vulnerability mapping: Ensure correct mapping between the asset and its vulnerabilities.

  • Filtered Severities: If you configured the connector to exclude certain severities, those vulnerabilities won’t appear in Vulcan.

Matching findings (instances) count

Objective: Ensure that the total number of vulnerability instances (connections between specific endpoints and CVEs) between SentinelOne and Vulcan is consistent.

In SentinelOne:

  1. Go to the Applications section and select a specific application from the list.

  2. You will see the endpoint and the associated CVEs for each application. The combined set of these endpoints plus CVEs represents the total findings (asset-vulnerability instances) in SentinelOne.

    Example:


In Vulcan:

  1. Go to Findings and filter by connector (Set Where → Asset → Connector to SentinelOne).

  2. Compare the total count of findings to SentinelOne’s asset-CVE connections. The final sum of asset-vulnerability connections in SentinelOne should match the number of findings displayed in Vulcan.

    Example:

Possible discrepancies:

  • Fix or Resolution: If a vulnerability instance is fixed in SentinelOne, you should see it on Vulcan’s Fixed screen.

  • Unsupported Asset Types: If SentinelOne provides data for asset types not supported by Vulcan, the data will not appear in Vulcan.

  • Branch or Scan Differences (if applicable): Only the latest scan or default branch might sync.

Validations if a connection is not present in Vulcan:

  • Archived or Removed Assets: If an endpoint was removed in SentinelOne, check if Vulcan archived it based on your retention rules.

  • Filtered Severities: Some vulnerabilities might not appear if the connector is configured to ignore certain severity levels.

  • Unsupported Data: SentinelOne might display data (e.g., partial scans, specialized application metrics) that Vulcan does not ingest.

keywords: sentinel one, sentinelone

Did this answer your question?