---
title: "SentinelOne"
slug: "sentinelone"
updated: 2024-12-18T18:21:08Z
published: 2024-12-18T18:21:08Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.safe.security/llms.txt
> Use this file to discover all available pages before exploring further.

# SentinelOne

## About this document

---

This document provides the step-by-step procedure to configure SentinelOne in SAFE.

## Introduction

---

SAFE integrates with SentinelOne and allows you to effortlessly discover and import assets and their EDR findings directly into SAFE.

**Key Highlights of This Integration:**

- **Import Assets and EDR Findings**: With this integration, you can now discover and import assets from SentielOne with their respective EDR findings into SAFE.
- **Automated and On-Demand Synchronization**: Take control of your assessment results with the option to set predefined time intervals for automatic synchronization. Furthermore, you can initiate on-demand assessments as needed.
- **Data Filtering Flexibility**: SAFE allows users to fine-tune data retrieval from SentileOne through the Group Filter feature. You have the freedom to specify group names for data filtering. In the absence of group names, SAFE pulls all assets accessible to the user into its system.

## Prerequisites

---

You need the following connector details to configure SentielOne in SAFE:

- **SentinelOne URL**
- **SentinelOneAPIToken**

## Generate SentinelOne API Token

---

1. Log in to your SentinelOne account.
2. Click **Settings** from the left navigation.

![SentielOne 1](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/SentielOne%201.png)
3. Click the **Users** tab available in the header.
4. Click the **Service Users** option available in the left navigation.
5. Click the **Actions** dropdown and select **Create New Service User.**If this option is not available, contact your SentielOne admin.

![SentinelOne 3](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/SentinelOne%203.png)
6. On the **Create New Service User**pop-up, enter the **Name**,**Description**, and **Expiration Date**.
7. Click the **Next** button.

![ SentinelOne 3](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/image-1695295557217.png)
8. In the **Scope of Access** pop-up, Click the **Site** card.
9. In the **SelectAccount**, search for the account you want to pull the data to SAFE and click it.
10. The system displays a checklist for all the available sites for the account.
11. Selecting the **Default** site, the system displays a **Role** drop-down that allows you to select Roles. Select the **Viewer** role.
12. Click the **Create User**button.

![SentinelOne 4](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/SentinelOne%204.png)
13. The system creates the service user account and also displays an **API Token**. **Copy** and **save** the **API Token** to use later while configuring the SentielOne account in SAFE. **The system displays this API Token only once.**

![SentinelOne 5](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/SentinelOne%205.png)

## Configuring SentinelOne in SAFE

---

Navigate to Integrations on the left navigation.

1. Click the **SentinelOne** card.

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Screenshot 2024-05-22 at 6.01.56 PM.png)
2. Enter the details in their respective field
  1. **SentinelOne URL**
  2. **APIToken** generated above.
  3. **AnalystVerdictInclusionList**: This field is populated by default. You can modify it to include specific analyst verdict statuses that should appear as failed findings in SAFE.
  4. **AutoSync** (in Days)
  5. **Auto Onboard New Assets** - By default, any resource that is present in SentinelOne and is not found in SAFE will be onboarded. The identifier used for the same is the Computer Name. To limit the integration to assessing only the endpoints/assets present in SAFE, uncheck this option.
  6. **Update Existing Assets Metadata**: If this checkbox is marked, the asset's metadata, such as asset name, IP address, etc., will get updated based on the data pulled from SentinelOne.
  7. **GroupsNames(Optional)**: This field allows you to select which groups' threat data you wish to synchronize with SAFE. If left blank, it will automatically fetch data from all groups. This field accepts a comma-separated string input.
3. Click the **TestConnection** button to verify the connection.
4. Once the connection is verified, click **Save** to save the configuration.
5. To trigger an on-demand sync outside of the scheduled auto-sync, click **Sync Now.**The auto-sync time is 01:15 UTC.

![SentielOne 6](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/SentielOne%206.png)

## Import Tags from SentinelOne via Custom-field

---

SAFE can bring in tags from SentinelOne. Since SentinelOne uses key-value tags, you can import these tags into SAFE using a Custom Field.

To do this, go to **Settings** > **Custom Field** and create a new custom field. Make sure the name of this custom field matches exactly with the key of the tag in SentinelOne.![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/image(384).png)

When the next sync with SentinelOne happens, the values for your custom field will be updated. You can also start a manual sync by going to **Integrations** > **SentinelOne** > **Configure**.

## Viewing Results from SentinelOne

---

After configuring **SentinelOne** in SAFE, you can view assets and findings generated from SentinelOne threats.

1. Go to the Integrations on the left navigation.
2. Scroll to find the SentinelOne integration card or search for SentinelOne in the s[earch bar](http://bar.Click).
3. Click on the SentinelOne integration card for **Finding View** and **Asset View**.
  - **Finding View:** This tab displays all the findings details pulled from Fastly.

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Screenshot 2024-05-22 at 6.35.30 PM.png)
  - **Asset View:** This tab displays all the Asset details pulled from Fastly.

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Screenshot 2024-05-22 at 6.35.40 PM.png)