SentinelOne

Enterprise

runZero integrates with SentinelOne by importing data from the SentinelOne API. This integration allows you to sync and enrich your asset inventory, as well as gain visibility into the software installed on SentinelOne assets. Adding your SentinelOne data to runZero makes it easier to find things like endpoints that are missing required software.

How runZero maps SentinelOne hosts to assets:

  • For SentinelOne hosts that can be matched to an existing runZero asset, asset-level attributes such as operating system, hardware platform, hostname, and MAC address will be updated, and SentinelOne-specific attributes will be added.

  • For hosts that cannot be matched with an existing runZero asset, a new asset will be created in the site specified when the integration task is set up.

runZero is able to merge existing assets with SentinelOne data when the MAC address or hostname overlaps. SentinelOne devices can also be manually merged into runZero assets using the Merge button on the Asset Inventory page.

Any IP address reported by SentinelOne will be treated as a secondary address, not a primary address, since these IPs can be stale and may not be associated with a specific network or site.
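
The matching rules above can be sketched as a small Python model. This is an added example, not runZero's code: the field names, the MAC normalization, and the case-insensitive hostname comparison are assumptions made for illustration.

```python
import re

# Simplified model of the matching rules described above. Field names such as
# "macs", "hostnames" and "secondary_ips" are hypothetical, not runZero's schema.
def norm_mac(mac):
    """Return a lowercase, colon-separated MAC, or None if not 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac or "").lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def merge_host(inventory, host, site):
    """Merge one SentinelOne host record into inventory and return the asset."""
    macs = list(dict.fromkeys(m for m in map(norm_mac, host.get("macs", [])) if m))
    name = (host.get("hostname") or "").lower()
    asset = next((a for a in inventory
                  if set(macs) & set(a["macs"]) or (name and name in a["hostnames"])),
                 None)
    if asset is None:
        # No MAC or hostname overlap: new asset in the site chosen for the task.
        asset = {"site": site, "primary_ips": [], "secondary_ips": [],
                 "macs": [], "hostnames": [], "os": None, "sources": []}
        inventory.append(asset)
    asset["macs"] += [m for m in macs if m not in asset["macs"]]
    if name and name not in asset["hostnames"]:
        asset["hostnames"].append(name)
    asset["os"] = host.get("os") or asset["os"]
    # SentinelOne-reported IPs may be stale: record them as secondary only.
    known = asset["primary_ips"] + asset["secondary_ips"]
    asset["secondary_ips"] += [ip for ip in dict.fromkeys(host.get("ips", []))
                               if ip not in known]
    if "sentinelone" not in asset["sources"]:
        asset["sources"].append("sentinelone")
    return asset

# Constructed sample data: one existing asset and two SentinelOne host records.
INVENTORY = [{"site": "HQ", "primary_ips": ["10.0.0.5"], "secondary_ips": [],
              "macs": ["00:11:22:aa:bb:cc"], "hostnames": ["ws-01"],
              "os": "Windows", "sources": ["runzero"]}]
HOSTS = [
    {"hostname": "WS-01", "macs": ["00-11-22-AA-BB-CC"],
     "ips": ["192.168.1.20"], "os": "Windows 11"},
    {"hostname": "laptop-7", "macs": ["66:77:88:99:00:11"], "ips": ["172.16.4.9"]},
]

if __name__ == "__main__":
    for h in HOSTS:
        a = merge_host(INVENTORY, h, site="SentinelOne imports")
        print(a["site"], a["hostnames"], a["primary_ips"], a["secondary_ips"])
```

The first sample host merges into the existing HQ asset and keeps its primary address, while the second becomes a new asset in the task's site with only a secondary address.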

Getting started

To set up the SentinelOne integration, you’ll need to:

  1. Configure SentinelOne to allow API access to runZero.
  2. Add the SentinelOne API key and SentinelOne base API URL in runZero.
  3. Activate the SentinelOne connection to sync your data with runZero.

Requirements

Before you can set up the SentinelOne integration:

  • Verify that you have runZero Enterprise.
  • Make sure you have access to the SentinelOne admin portal.

Step 1: Configure SentinelOne to allow API access to runZero

  1. Log in to SentinelOne with the account being used for the runZero integration.
  2. Go to User > My User.
  3. Generate the API token, then download or copy it. This API key expires and will need to be regenerated every six months.

Step 2: Add the SentinelOne credential to runZero

  1. Go to the Credentials page in runZero. Provide a name for the credentials, like SentinelOne.
  2. Choose SentinelOne API key from the list of credential types.
  3. Provide the following information:
    • SentinelOne API URL - Your organization-specific base URL, which will depend on your account type. It will be something like organization.sentinelone.net.
    • SentinelOne API key - To generate your API key, go to User > My User in your SentinelOne portal. From there, a key can be generated, regenerated, or revoked.
  4. If you want other organizations to be able to use this credential, select the Make this a global credential option. Otherwise, you can configure access on a per-organization basis.
  5. Save the credential. You’re now ready to set up and activate the connection to bring in data from SentinelOne.

Step 3: Set up and activate the SentinelOne connection to sync data

After you add your SentinelOne credential, you’ll need to set up a connection to sync your data from SentinelOne. A connection requires you to set a schedule and choose a site. The schedule determines when the sync occurs, and the site determines where any new SentinelOne-only assets are created.

  1. Activate a connection to SentinelOne. You can access all available third-party connections from your inventory or tasks page.
  2. Choose the credentials you added earlier. If you don’t see the credentials listed, make sure the credentials have access to the organization you are currently in.
  3. Enter a name for the task, like SentinelOne sync.
  4. Schedule the sync. A sync can be set to run on a recurring schedule or run once. The schedule will start on the date and time you have set.
  5. Under Task configuration, choose the site you want to add your assets to.
  6. Activate the connection when you are done. The sync will run on the defined schedule. You can always check the Scheduled tasks to see when the next sync will occur.

Step 4: View SentinelOne assets and software

After a successful sync, you can go to your inventory to view your SentinelOne assets. These assets will have a SentinelOne icon listed in the Source column.

The SentinelOne integration gathers details about installed software in addition to enriching asset inventory data. Go to Inventory > Software to view the software data provided by SentinelOne.

To filter by SentinelOne assets, consider running the following queries:

Click into each asset to see its individual attributes. runZero will show you the attributes returned by the SentinelOne API, with the exception of policies.