SentinelOne Connector

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Product Offering.

SentinelOne provides a range of products and services to protect organizations against cyber threats. The SentinelOne security platform, named Singularity XDR, is designed to protect against various threats, including malware, ransomware, and other advanced persistent threats (APTs). It uses machine learning and other advanced analytics techniques to analyze real-time security data and identify patterns and behaviors that may indicate a security threat. When a threat is detected, the platform can automatically trigger a response, such as quarantining a device or issuing an alert to security personnel. Our main products are designed to protect the three security surfaces attackers are targetting today: Endpoint, Cloud, and Identity.

Tip: For more information on how third-party integrations work, see Connectors.

Connector Details

Details Description

Supported products

SentinelOne Endpoint Security

Note: Cloud and Identity not supported.

Category

Endpoint Security

Ingested data

Assets and Findings

Ingested Asset Classes

Devices

Other Resources

Integration type

UNI directional (data is transferred from the Connector to Tenable Exposure Management in one direction)

Supported version and type

SaaS (latest)

Prerequisites and User Permissions

Before you begin configuring the connector, make sure you have the following:

  • SentinelOne Admin user account (only Admin users can generate an API token)

  • SentinelOne Server URL (for example, https://usea1-partners.sentinelone.net)

  • SentinelOne API token

Generate SentinelOne API Token

  1. In the SentinelOne platform, navigate to My User.

  2. Navigate to Actions > API Token Operations.

  3. Click Generate API tokens.

  4. Enter your Two-Factor Authentication credentials.

  5. Save the generated token. You will need it when configuring the connector in Exposure Management.

Add a Connector

To add a new connector:

  1. In the left navigation menu, click Connectors.

    The Connectors page appears.

  2. In the upper-right corner, click Add new connector.

    The Connector Library appears.

  3. In the search box, type the name of the connector.

  4. On the tile for the connector, click Connect.

    The connector configuration options appear.

Configure the Connector

To configure the connector:

  1. (Optional) In the Connector's Name text box, type a descriptive name for the connector.

  2. In the Server URL and API Token text boxes, paste credentials you generated in SentinelOne.

  3. In the Data pulling configuration section, you can configure dynamic settings specific to the connector.

    • From the Asset types to fetch drop-down, select the asset types you want to fetch for.

    • (Optional) To fetch vulnerabilities detected on the assets, select the Fetch detected vulnerabilities check box.

    • In the Asset Retention text box, type the number of days after which you want assets to be removed from Tenable Exposure Management. If an asset has not been detected or updated within the specified number of days, it is automatically removed from the application, ensuring your asset inventory is current and relevant.

      Tip: For more information, see Asset Retention.

  4. In the Test connectivity section, click the Test Connectivity button to verify that Tenable Exposure Management can connect to your connector instance.

    • A successful connectivity test confirms that the platform can connect to the connector instance. It does not, however, guarantee that the synchronization process will succeed, as additional syncing or processing issues may arise.

    • If the connectivity test fails, an error message with details about the issue appears. Click Show tests for more information about the exact error.

  5. In the Connector scheduling section, configure the time and day(s) on which you want connector syncs to occur.

    Tip: For more information, see Connector Scheduling

  6. Click Create. Tenable Exposure Management begins syncing the connector. The sync can take some time to complete.

  7. To confirm the sync is complete, do the following:

SentinelOne in Tenable Exposure Management

Locate Connector Assets in Tenable Exposure Management

As the connector discovers assets, Tenable Exposure Management ingests those devices for reporting.

To view assets by connector:

  1. In Tenable Exposure Management, navigate to the Assets page.

  2. In the Filters section, under 3rd Party Connectors, click the connector name for which you want to view assets.

    The asset list updates to show only assets from the selected connector.

  3. Click on any asset to view Asset Details.

Locate Connector Weaknesses in Tenable Exposure Management

As the connector discovers weaknesses, Tenable Exposure Management ingests those weaknesses for reporting.

To view weaknesses by connector: 

  1. In Tenable Exposure Management, navigate to the Weaknesses page.

  2. In the Filters section, under 3rd Party Connectors, click the connector name for which you want to view weaknesses.

    The weaknesses list updates to show only weaknesses from the selected connector.

  3. Click on any weakness to view Weakness Details.

Locate Connector Findings in Tenable Exposure Management

As the connector discovers individual findings, Tenable Exposure Management ingests those findings for reporting.

To view findings by connector:

  1. In Tenable Exposure Management, navigate to the Findings page.

  2. In the Filters section, under 3rd Party Connectors, click the connector name for which you want to view findings

    The findings list updates to show only assets from the selected connector.

  3. Click on any asset to view Finding Details.

Data Mapping

Exposure Management integrates with the connector via API to retrieve relevant weakness and asset data, which is then mapped into the Exposure Management system. The following tables outline how fields and their values are mapped from the connector to Exposure Management.

Device Mapping

Tenable Exposure Management UI Field

SentinelOne Field
Asset Unique Identifier id

Asset - External Identifier or

Asset - Provider Identifier

 cloudProviders.<CloudProvider>.cloudInstanceId
Asset - Name computerName
Other Resources > Cloud Resource Type machineType
Asset - Operating Systems osName + osRevision

Asset - IPv4 Adresses

Asset - IPv6 Adresses

externalIp
Asset - MAC Addresses networkInterfaces[*].physical
Asset - First Observation Date createdAt
Asset - Last Observed At lastActiveDate

Asset - External Tags

tags

Asset Custom Attributes

machineType

siteName

groupName

Findings Mapping

Tenable Exposure Management UI Field

SentinelOne Field
Unique Identifier cveId + id + endpointId
Finding Name cveId
CVEs cveId
Severity Driver baseScore or severity
Description description
Finding Custom Attributes

id

applicationName

applicationVersion

publishedDate

severity

lastScanDate

mitreUrl

nvdUrl
First Seen detectionDate
Last seen (Observed) lastSeenTimestamp

Finding Status Mapping

Tenable Exposure Management Status

Microsoft TVM Status

Active

All other statuses

Fixed

status = 'Removed'

severity = 'False Positive'

Note:For Microsoft TVM, Exposure Management ingests only active/vulnerable findings.

Finding Severity Mapping

Tenable Exposure Management Severity

SentinelOne Score

Critical

CVSS: 9.0 - 10.0

Severity: Critical

High

CVSS: 7.0 - 8.9

Severity: High

Medium

CVSS4.0 - 6.9

Severity: Medium

Low

CVSS: 1-3.9

Severity:Low

None

CVSS:0

Severtity: empty

Note:For SentinelOne, Tenable uses the baseScore or severity fieldield to determine severity.

Status Update Mechanisms

Every day, Tenable Exposure Management syncs with the vendor's platform to receive updates on existing findings and assets and to retrieve new ones (if any were added).

The table below describes how the status update mechanism works in the connector for findings and assets ingested into Tenable Exposure Management.

Update Type in Exposure Management

Mechanism (When?)

Archiving Assets

- Asset that appears in Tenable Exposure Management and isn't returned on the next connector's sync.

- Asset not seen for X days according to Last Seen. See Asset Retention.

Change of a Finding status from "Active" to "Fixed"

- Finding no longer appears in the scan findings

- Finding status changes to Removed, or False Positive on the vendor's side.
Note: Updates on the vendor side are reflected in Tenable Exposure Management only when the next scheduled connector sync time is complete (once a day).

Uniqueness Criteria

Tenable Exposure Management uses defined uniqueness criteria to determine whether an ingested asset or finding should be recognized as a distinct record. These criteria help define how assets and findings are identified and counted from each connector.

Tip:  Read all about Third-Party Data Deduplication in Tenable Exposure Management

The uniqueness criteria for this connector are as follows:

Data

Uniqueness Criteria

Asset

id

Detection cveId

Finding

cveId + id + endpointId

API Endpoints in Use

API version: 2.0

API

Use in Tenable Exposure Management

{{baseUrl}}/web/api/v2.1/agents

 

Assets

{{baseUrl}}/web/api/v2.1/application-management/risks

Findings, Detections
{{baseUrl}}/web/api/v2.1/application-management/risks/cves

Detections enrichment

Support and Expected Behavior

This section outlines any irregularities, expected behaviors, or limitations related to integrating the Tenable Exposure Management and SentinelOne. It also highlights details about ingested and non-ingested data to clarify data handling and functionality within this integration.

  • The integration supports only API tokens generated for users with a single-scope account.

  • If the API token belongs to a user with access to multiple scope accounts, the sync will fail.

Data Validation

This section shows how to validate and compare data between Tenable Exposure Management and the SentinelOne platform.

Asset Data Validation

Objective: Ensure the number of endpoints (assets) in SentinelOne aligns with the assets displayed in Tenable Exposure Management.

In SentinelOne:

  1. Navigate to the Sentinels section to view all endpoints. These endpoints represent the assets that should be ingested into Exposure Management.

  2. Note the total number of endpoints. If needed, apply filters or use the export option to generate a refined list.

In Tenable Exposure Management:

  1. Locate your connector assets.

  2. Compare the number of assets in Tenable Exposure Management to the number of endpoints in SentinelOne.

If an asset is not visible in Exposure Management, check the following conditions:

Findings Data Validation

Objective: Ensure that the total number of findings between SentinelOne and Exposure Management is consistent.

In SentinelOne:

  1. Navigate to the Applications section and select a specific application from the list.

  2. Each application displays its associated endpoint and related CVEs. The combination of these endpoints and CVEs represents the total findings in SentinelOne.

In Tenable Exposure Management:

  1. Locate your connector findings.

  2. Compare the number of findings in Tenable Exposure Management to the number in SentinelOne.

If a finding is missing from Exposure Management or no longer active, check the following conditions:

  • The finding is marked as Fixed and appears under the Fixed state on the Findings screen

  • The finding no longer appears because its related asset was archived.

    Tip: To learn more on how assets and findings are archived or change status, see Status Update Mechanisms.