SentinelOne

SentinelOne

Overview

The SentinelOne integration connects the Praetorian Guard Platform (PGP) with SentinelOne's endpoint detection and response (EDR) platform to import managed endpoints, agent status information, and threat detections. By ingesting data from SentinelOne, PGP gains visibility into your endpoint security posture and can correlate endpoint assets with the broader attack surface.

Endpoints are a critical component of any organization's attack surface. The SentinelOne integration ensures that PGP has an accurate and current inventory of all endpoints managed by SentinelOne, including their agent health status, operating system details, and network information. This enables security teams to identify gaps between known assets and protected endpoints, and to understand which systems have active threat detections.

This integration uses the SentinelOne Management Console API v2.1 in a read-only capacity. PGP queries SentinelOne for agent and threat data and does not modify any configurations, policies, or threat responses in your SentinelOne environment.

What the Integration Does

The SentinelOne integration connects to your SentinelOne Management Console via the REST API to retrieve agent inventory and threat detection data. For each agent registered in your SentinelOne environment, PGP imports the endpoint as an asset, capturing details such as hostname, IP addresses, operating system, agent version, and agent health status.

When threat import is enabled, the integration also retrieves active and resolved threat detections, allowing PGP to incorporate endpoint threat intelligence into its risk model. The integration validates connectivity by querying the accounts endpoint before proceeding with data import.

All operations are strictly read-only. PGP does not modify agent configurations, initiate scans, trigger responses, or alter any threat status in your SentinelOne console.

Prerequisites

Before setting up the SentinelOne integration, ensure you have:

  • A SentinelOne Management Console with API access enabled

  • An API Token with read permissions for agents and threats

  • The console URL for your SentinelOne Management Console (e.g., https://your-company.sentinelone.net). Customers in other regions will see a regional prefix on the hostname, such as usea1-, eu1-, or apse1- (for example, https://usea1-yourcompany.sentinelone.net).

Creating an API Token

  • Sign in to your SentinelOne Management Console.

  • Navigate to Settings > Users > Service Users (not Console Users).

  • Click Actions > Create New Service User. Service Users cannot log into the Console, are designed for API integrations, and decouple PGP's access from any individual employee.

  • Set the Name, Description, and Expiration Date for the service user.

  • Set the Scope of Actions for the Service User for either the Account or Site level and then click Create User.

  • Click Actions > API Token Operations > Generate API Token.

  • Ensure the Service User's role grants the following permissions:

    • Accounts.view
    • Endpoints.view
    • Threats.view
    • SDL Data.viewEdr โ€” for threat hunting (Deep Visibility queries)

  • The built-in Viewer role covers the .view permissions for asset and threat sync. For threat hunting, duplicate the Viewer role, add SDL Data.viewEdr, and assign the new role to the Service User.

  • Deep Visibility requires the Singularity Complete SKU. If your tenant is on Singularity Core, DV is unavailable regardless of role configuration.

Warning -- the API token is displayed exactly once. SentinelOne does not let you re-view it. Copy it immediately into a secrets manager. To rotate the token, you must delete and recreate the Service User.

Setup

  • In PGP, navigate to the Integrations page.

  • Select SentinelOne from the list of available integrations.

  • Enter your SentinelOne console URL and API token in the configuration form.

  • Save the integration. PGP will validate connectivity to the SentinelOne API by querying the accounts endpoint.

Note -- static egress IPs. PGP connects to SentinelOne from a fixed static IP pool, which can be allowlisted in your console's network policy if you restrict API access by source IP.

Field Reference

Field

Description

Required

Console URL

The full URL of your SentinelOne Management Console (e.g., https://your-company.sentinelone.net). Customers in other regions will see a regional prefix such as usea1-, eu1-, or apse1-.

Yes

API Token

The API token generated from your SentinelOne user account

Yes

What Data Is Synced

Endpoints / Agents (Assets)

The integration imports all managed endpoints from SentinelOne as assets into PGP.

Data Field

Source

Description

Hostname

Agent data

The computer name of the managed endpoint

IP Addresses

Agent data

Internal and external IP addresses reported by the agent

OS Type

Agent data

The operating system type (Windows, macOS, Linux)

OS Version

Agent data

The full operating system version string

Agent Version

Agent data

The installed SentinelOne agent version

Agent Status

Agent data

Current agent health status (active, inactive, disconnected)

Machine Type

Agent data

Physical, virtual, or cloud instance classification

Last Active

Agent data

Timestamp of the agent's most recent communication with the console

Site / Group

Agent data

The SentinelOne site and group the endpoint belongs to

Threat Detections (Risks)

When threat import is enabled, the integration retrieves threat detections from SentinelOne.

Data Field

Source

Description

Threat Name

Threat data

The name or classification of the detected threat

Threat Status

Threat data

Current status of the threat (active, mitigated, resolved)

Classification

Threat data

SentinelOne's threat classification (malware, ransomware, PUP, etc.)

Confidence Level

Threat data

The detection confidence level assigned by SentinelOne

Affected Endpoint

Threat data

The agent/endpoint where the threat was detected

Detection Time

Threat data

When the threat was first detected

API Endpoints Used

Endpoint

Method

Purpose

/web/api/v2.1/accounts

GET

Validate API credentials and console connectivity

/web/api/v2.1/agents

GET

Retrieve the full inventory of managed endpoints and agent details

/web/api/v2.1/threats

GET

Retrieve threat detections across all managed endpoints

/web/api/v2.1/dv/init-query

POST

Submit a Deep Visibility query for threat hunting

/web/api/v2.1/dv/query-status

GET

Poll Deep Visibility query progress

/web/api/v2.1/dv/events

GET

Retrieve Deep Visibility query results

The integration paginates through agent and threat data using SentinelOne's cursor-based pagination. All requests are authenticated using the API token passed in the Authorization: ApiToken header.

Required API Permissions

Permission

Purpose

Accounts.view

Credential validation

Endpoints.view

Endpoint inventory sync

Threats.view

Threat detection sync

SDL Data.viewEdr

Threat hunting (Deep Visibility queries). Requires Singularity Complete SKU.

Setting

Recommendation

Service User Scope

Account or Site (whichever matches what you want PGP to ingest)

Role

Viewer for asset and threat sync. For threat hunting, duplicate Viewer and add SDL Data.viewEdr.

Token Expiration

Set a calendar reminder before the expiration date โ€” PGP will surface a 401 once the token lapses

Troubleshooting

Issue

Cause

Fix

"Missing required configuration: API Token"

The API token field was left empty

Enter a valid API token in the integration configuration

"Failed to process URL"

The console URL is malformed or missing the protocol

Ensure the URL includes https:// and matches your SentinelOne console address

"Failed to validate credentials" (401)

The API token is invalid or expired

Generate a new API token in the SentinelOne console and update it in PGP

"Failed to validate credentials" (401) appearing suddenly after working

The Service User token expiration date passed

Generate a new token on the existing Service User, or recreate the Service User. Tokens cannot be extended past their original expiration

"Failed to validate credentials" (403)

The API token lacks required permissions

Ensure the associated user account has at least Viewer role permissions

API error with specific error code

SentinelOne returned a specific error message

Review the error detail provided and consult SentinelOne API documentation for the error code

No agents discovered

The API token scope is limited to an empty site or group

Verify the token has access to the appropriate sites and groups in your SentinelOne console

Integration times out

Very large environment with thousands of agents

The integration has a 60-second timeout. Contact support if your environment requires a longer window

Threat hunting returns no events

Service User role lacks SDL Data.viewEdr, or the tenant is not on Singularity Complete

Duplicate the Viewer role, add SDL Data.viewEdr, and reassign it to the Service User. Verify DV licensing with your SentinelOne account team.

Security and Data Handling

The SentinelOne integration operates in a strictly read-only mode. It queries the SentinelOne Management Console API to retrieve agent and threat metadata and does not modify any agent configurations, trigger scans, initiate threat responses, or alter any settings in your SentinelOne environment.

Credentials are handled securely within PGP. The SentinelOne API token is encrypted at rest and used exclusively for authenticating API requests during sync operations. The token is not exposed in logs or transmitted to any third party.

PGP imports only endpoint metadata and threat detection summaries. No endpoint file content, forensic data, quarantined samples, or response actions are accessed or stored by PGP.