Reach greater network visibility with SentinelOne and Vulcan Cyber. Retrieve vulnerability information from SentinelOne application data to automate notifications and ticket system integrations. In this article, you will find how to connect, locate, and automate SentinelOne with Vulcan Cyber.
First, log in to your account-specific SentinelOne dashboard.
Click on your user profile icon and the My User link.
Generate an API Token as Admin user by clicking the Generate hyperlink within the user details section.
Once presented with the API Token, choose to download or copy the token as the value is hidden upon leaving the screen.
The generated token expires in 6 months. You will need to regenerate the token and update your Vulcan system before the expiration time
Log in to your Vulcan Cyber platform and click on Connectors.
Click on the Add a Connector button.
Click on the SentinelOne icon.
Enter the following information into the connector setup page.
Server URL - Your specific instance of SentinelOne.
Api Key - The previously generated API key.
Fetch Decommissioned Assets - Here the value is kept un-checked to avoid syncing decommissioned assets.
Inactive Assets - In this example, the default value of 30 days is used. To remove inactive assets quicker or keep them longer, as seen by SentinelOne, change this value to suit your needs.
Once all information has been entered, click the Test Connectivity button to verify that Vulcan Cyber can connect to your SentinelOne instance, as shown below, and finally click the Create button.
Navigate to the Connectors page and once the SentinelOne icon shows as Connected, the connection is complete.
Locating SentinelOne Vulnerabilities in Vulcan Cyber
As SentinelOne discovers vulnerabilities, the Vulcan Cyber connector will import those vulnerabilities for reporting and action. With a large number of assets and potential vulnerabilities discovering specific vulnerabilities via source is made easy with filters.
Open the Vulcan Cyber dashboard and navigate to the Vulnerabilities section. Click on the Search or filter vulnerabilities search box, scroll to the Vulnerability Source option, and click to filter by the vulnerability source.
Locate SentinelOne on the vulnerability source list and click to filter results by SentinelOne.
The risk score is assessed from a base score of 8.1 in SentinelOne combined with Vulcan threat intelligence and asset impact.
Click on any vulnerability to view further information and potentially take action by clicking the Take Action drop-down and choosing an option, as shown below.
Screenshot below is for asset comparison, but currently this asset does not exist in Vulcan anymore that I can find. Therefore, waiting on update to decide on a course of action.
Automating SentinelOne Vulnerability Actions in Vulcan Cyber
Large environments quickly become unmanageable if constant manual attention and action are necessary to remediate vulnerabilities. Take advantage of the automation capabilities of Vulcan Cyber and the SentinelOne connector.
Open the Vulcan Cyber dashboard and navigate to the Automation section. Once there, click the Create new Playbook button.
First, give your automation playbook a name, here the name given is, "Assign Critical SentinelOne Vulnerabilities to Email".
Choose SentinelOne for the source of vulnerabilities and add the risk is critical vulnerability condition, leaving the rest as defaults.
Click on the Assign via Email as the Remediate Action button.
Choose how the separation of tickets is handled, here up to 200 vulnerabilities are aggregated into a single email. Then add the recipient emails to be notified.
Leave all other steps as default and click on Save and Run.