All Collections
Integrations
Connecting SentinelOne
Connecting SentinelOne

This article covers how to connect SentinelOne EDR to Drata.

Faraz Yaghouti avatar
Written by Faraz Yaghouti
Updated over a week ago

HERE'S WHY

SentinelOne is an EDR (Endpoint Detection and Response) platform that provides real-time threat detection and response capabilities, automated incident response, and forensic investigation capabilities. Drata customers would like to easily get anti-virus and device health related compliance evidence for all of their devices from their approved software.

BEFORE DIVING IN

  • Drata's current integration does not treat SentinelOne as a full source of device data, in the same way as the Drata Agent or one of our MDM connections. You must first sync device data through the Drata Agent or an MDM as normal. These sources will sync device serial numbers. SentinelOne must be running on those devices AND the SentinelOne serial numbers must match the agent- or MDM-sourced serial numbers.

  • Drata will only provide SentinelOne evidence for devices that map to a SentinelOne agent/device using the device serial number. Drata also allows the admin to manually map a SentinelOne device to a Drata device for completeness. Any Drata device that does not have a linked SentinelOne device will fail the compliance test for anti-malware software detection (Test 64).

You will need your SentinelOne credentials to be able to connect to your SentinelOne account from Drata. The next section will explain how to get those.

HERE'S HOW

Enabling the SentinelOne connection

On the ‘Connections’ page, select ‘Available connections’ and select the EDR category or search for SentinelOne at the top search bar and select the ‘Connect’ button.

In the connection drawer, enter your SentinelOne service account URL and API token.

To learn how to create a SentinelOne service account, go to Creating Service Users. The following list is the minimum permissions for the service account:

  • Endpoints: View

  • Console Users: View

The following image showcases the API URL and API token fields.

Note that you can only have one SentinelOne connection from Drata. It is a global connection i.e. it is NOT workspace specific. Once the connection is successfully enabled, you will see a ‘Review linked devices’ button on the SentinelOne connection card.

On clicking this button, a page will appear showing the SentinelOne devices that are linked to the Drata device by matching the device serial number. Wherever the serial number did not match, you are able to manually select a SentinelOne device to be linked to a Drata device. This step is optional.

You will observe the following changes once the SentinelOne connection is enabled:

  • Test 64 - Test 64 will automatically get enabled, if it was disabled. It will start testing for SentinelOne agent running in the correct state on all Drata devices. If the test fails, you will see a list of all failed devices along with the information on why the device failed.

    1. SentinelOne agent not found: The column ‘SentinelOne Serial number’ will be blank if there is no SentinelOne device linked to a Drata device. This means that no SentinelOne agent was found on this Drata device.

    2. SentinelOne agent’s operational state is not functional: If SentinelOne serial number exists but ‘Operational state’ value is anything but ‘na’, then that means the SentinelOne agent is not running in the right state on this device. Learn more about the SentinelOne ‘Operational state’ here (Needs SentinelOne log in). There is an option to download the list of failed devices as a .CSV file from Test 64. To learn more about how to fix failed devices for test 64, review this article. You may exclude devices from this test by simply excluding the Personnel to whom the device belongs or unlinking the device.

  • Personnel page - The ‘Device compliance’ column on the Personnel page will be calculated based on the anti-virus information from SentinelOne.

  • Asset page - Asset page will now also start showing the same ‘Device compliance’ column. It will be blank for all classes except the class type ‘Hardware’. Similar to the Personnel page, the ‘Device compliance’ will be calculated based on the anti-virus information from SentinelOne. You can view the SentinelOne anti-virus details like SentinelOne agent version number, device health status, SentinelOne operational state and SentinelOne user in the Asset drawer by clicking on any hardware asset.

Disabling the SentinelOne connection

Deleting the SentinelOne connection on the Connections page will revert all the changes mentioned in the above section.

  • Test 64 - Test 64 will still be enabled. It will revert back to either the Drata agent or an MDM integration testing for an anti-virus software as detailed here.

  • Personnel page - The ‘Device compliance’ column will be calculated based on the anti-virus information obtained by the Drata agent or an MDM integration.

  • Asset page - Asset page will continue to show the new ‘Device compliance’ column for hardware class type. Similar to the Personnel page, it will show ‘Device compliance’ column results based on the anti-virus information obtained by the Drata agent or an MDM integration.

Additional Information

  • If you are manually uploading evidence for anti-virus from the Personnel page, it will override the anti-virus result from the SentinelOne.

  • Currently, the SentinelOne data is imported into Drata once every 24 hours.

Did this answer your question?