SentinelOne
The SentinelOne integration downloads data about hosts and, optionally, CVE data. It fetches the hosts known to SentinelOne using the Agents API together with either the Network Discovery API or the Rogues API. The Agents API supplies host data, taken from each agent's network interfaces, for the “secured” hosts. The Network Discovery (Rangers) API supplies the “unsupported”, “unknown”, and “unsecured” hosts; if Network Discovery is not enabled, the integration falls back to the Rogues API. CVE data is collected from the Application Management Risks endpoint.
Once downloaded, the data will be used to create two separate Input Framework files. One file includes CVE information, and the other contains Host information. These files can be used by Zeek scripts to generate new logs, or enrich existing logs, such as the known_hosts.log or suricata_corelight.log.
The input file is published together with any input files produced by other integrations (if there are any). If “input” is enabled in the “push_content” settings, the file is automatically pushed to the Fleet Manager policy and/or to all sensors in the policy. See Push content settings for more details.
If ‘interval_hours’ is set to 0, the integration attempts to download additional content each time the Corelight-update service runs. See Configuration settings.
Settings
sentinelone:
  hosts_enabled: false
  hosts_filename: hosts_data.tsv
  cve_enabled: false
  cve_filename: cve_data.tsv
  interval_hours: 0
  url: "" # required field
  api_key: "" # required field
  request_limit: 1000
  debug: false
Hosts Input file
The input file contains the following information (if it’s available):
IP address (required)
MAC address
Hostname
Host Unique ID
OS version
OS Type
Endpoint status
Machine domain
Machine Type
Description
Endpoint information source (required)
If the data source is SentinelOne Agents data, the Host Unique ID (host_uid) comes from the Agent data’s 'uuid' field. When using SentinelOne Rogues data, host_uid comes from the Rogues data’s 'id' field. When using SentinelOne Network Discovery data, host_uid comes from the Network Discovery data’s 'id' field.
The following is a sample input file created by this integration, using tab-separated values.
#fields ip mac hostname host_uid os_version os_type status machine_domain machine_type desc source
10.1.12.204 14:9d:99:7b:93:bf Mac mini 507D2834-1B07-5EE2-A427-776F11395275 macOS macos Secured mynetwork.com desktop Endpoint Host Data SentinelOne Agents
172.30.176.1 00:15:5d:43:c7:6f My-Desktop 60f49f177a234282bac10ad25b1fb35d Windows 11 Pro windows Secured lab desktop Endpoint Host Data SentinelOne Agents
192.168.10.141 00:15:5d:43:c7:6f My-Desktop 60f49f177a234282bac10ad25b1fb35d Windows 11 Pro windows Secured lab desktop Endpoint Host Data SentinelOne Agents
172.17.0.1 02:42:DF:A8:48:3A ns1 fc7de780-bba1-53ed-c435-e4ae9bf98097 Linux linux Secured lab server Endpoint Host Data SentinelOne Agents
10.1.12.157 bc:24:11:64:57:45 Desktop-Win10 fa5a9989b3024a249cdb46a005ca1271 Windows 10 Pro windows Secured MYLAB desktop Endpoint Host Data SentinelOne Agents
192.168.10.1 f6:92:bf:91:2e:ee udm 2081026184155705172 unknown - Unsupported MYLAB - Endpoint Host Data SentinelOne Network Discovery
192.168.10.199 ac:1f:6b:b9:27:cc xigmanas 2081027202239115292 Debian - Unsecured XIGMANAS - Endpoint Host Data SentinelOne Network Discovery
192.168.10.5 48:ba:4e:82:e4:71 printer 2081027202247503901 Embedded - Unsupported MYLAB - Endpoint Host Data SentinelOne Network Discovery
10.1.12.163 c0:23:8d:d8:40:43 samsung 2142391012022914391 Embedded - Unsupported - - Endpoint Host Data SentinelOne Network Discovery
10.1.12.242 10:9f:41:cb:2d:97 - 2142391012039691609 macOS - Unsecured - - Endpoint Host Data SentinelOne Network Discovery
192.168.10.161 82:2b:d3:57:74:63 - 2146047853145358466 unknown - Unknown - - Endpoint Host Data SentinelOne Network Discovery
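As an added example (not code from the Corelight-update integration or from the Zeek-Endpoint-Enrichment package), the following Zeek script loads hosts_data.tsv through the Input Framework and adds the SentinelOne hostname, OS type and endpoint status as extra columns of known_hosts.log. The file path and the S1Hosts module name are assumptions, and the script expects Zeek's known-hosts policy script to be loaded.

```zeek
@load policy/protocols/conn/known-hosts
module S1Hosts;

export {
    # Location of the file pushed by Corelight-update (assumed path).
    const hosts_file = "/path/to/hosts_data.tsv" &redef;
    type Idx: record { ip: addr; };
    # Remaining columns, in #fields order. All but source are &optional
    # because the file uses "-" (the reader's unset_field) for missing values.
    type Val: record {
        mac: string &optional;
        hostname: string &optional;
        host_uid: string &optional;
        os_version: string &optional;
        os_type: string &optional;
        status: string &optional;
        machine_domain: string &optional;
        machine_type: string &optional;
        desc: string &optional;
        source: string;
    };
    global hosts: table[addr] of Val = table();
}

# Extra columns that will appear in known_hosts.log.
redef record Known::HostInfo += {
    s1_hostname: string &log &optional;
    s1_os_type: string &log &optional;
    s1_status: string &log &optional;
};

event zeek_init()
    {
    # REREAD picks up the next file pushed by Corelight-update without a restart.
    Input::add_table([$source=hosts_file, $name="s1_hosts", $idx=Idx, $val=Val,
                      $destination=hosts, $mode=Input::REREAD]);
    }

# Priority 5 runs before the default handler (priority 0) that writes the
# known_hosts.log entry, so the added fields are populated in time.
event Known::host_found(info: Known::HostInfo) &priority=5
    {
    if ( info$host !in hosts )
        return;
    local h = hosts[info$host];
    if ( h?$hostname ) info$s1_hostname = h$hostname;
    if ( h?$os_type )  info$s1_os_type = h$os_type;
    if ( h?$status )   info$s1_status = h$status;
    }
```

Hosts whose status is “Unsecured” or “Unknown” in the file then show up directly in known_hosts.log, which is a convenient place to spot endpoints that SentinelOne sees but does not protect.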
CVE Input file
The input file contains the following information (if it’s available):
IP address (required)
Hostname
Host Unique ID
Machine domain
OS version
Endpoint information source (required)
CVE list
If the data source is SentinelOne Agents data, the Host Unique ID (host_uid) comes from the Agent data’s 'uuid' field. When using SentinelOne Rogues data, host_uid comes from the Rogues data’s 'id' field. When using SentinelOne Network Discovery data, host_uid comes from the Network Discovery data’s 'id' field.
The following is a sample input file created by this integration, using tab-separated values.
#fields ip hostname host_uid machine_domain os_version source cve_list
192.168.56.10X DC fb5946b0422e4da49e4575995fb8XXXX windomain.local Windows Server 2016 SentinelOne Agents CVE-2022-26904,CVE-2022-34701,CVE-2020-0911,CVE-2022-24479,CVE-2020-1477
10.21.0.10X fleet 04a15f26ace249f68c583fd7be70XXXX - Ubuntu 20.04 SentinelOne Agents CVE-2020-12313,CVE-2020-12319,CVE-2022-36402,CVE-2022-38096,CVE-2022-38457
192.168.1.15X ss2oh 62c850ec617843f8959f1442843bXXXX - Ubuntu 20.04 SentinelOne Agents CVE-2020-12313,CVE-2020-12319,CVE-2022-36402,CVE-2022-38096,CVE-2022-38457
192.168.1.15X skynet fae3f73ce1404e0aae1626dbddfcXXXX - Ubuntu 22.04 SentinelOne Agents CVE-2020-12313,CVE-2016-1585,CVE-2022-36227,CVE-2022-45884,CVE-2023-22995,CVE-2022-38457
192.168.56.10X DC 34a6b864b61146d6ad051a9d63a5XXXX windomain.local Windows Server 2016 SentinelOne Agents CVE-2017-11771,CVE-2022-34718,CVE-2019-0736,CVE-2022-35744
192.168.56.10X WEF c6f3d2351739482baf36cc6e4af6XXXX windomain.local Windows Server 2016 SentinelOne Agents CVE-2017-11771,CVE-2022-34718,CVE-2019-0736,CVE-2022-35744
192.168.56.10X WEF 0bb70f50a9a3470dbc3e09bd6eb1XXXX windomain.local Windows Server 2016 SentinelOne Agents CVE-2022-26904,CVE-2022-34701,CVE-2020-0911,CVE-2022-24479
192.168.56.10X WIN10 a71be784db1a40e5b0fd7e6b73f6XXXX windomain.local Windows 10 SentinelOne Agents CVE-2021-36965,CVE-2021-43217,CVE-2022-22012,CVE-2020-9633,CVE-2021-24077
192.168.56.10X WIN10 23fac76b0e5246f8b8ba22d1bbd6XXXX windomain.local Windows 10 SentinelOne Agents CVE-2022-23279,CVE-2020-1286,CVE-2021-33784,CVE-2022-23299,CVE-2020-1391
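As an added example (not code from the Corelight-update integration or from the Zeek-Endpoint-Enrichment package), the following Zeek script loads cve_data.tsv and generates a new endpoint_cve.log with one row per host and CVE, re-emitted whenever Corelight-update pushes a fresh file. The file path, the S1CVE module name and the log name are assumptions.

```zeek
module S1CVE;
export {
    redef enum Log::ID += { LOG };
    # Location of the file pushed by Corelight-update (assumed path).
    const cve_file = "/path/to/cve_data.tsv" &redef;
    type Idx: record { ip: addr; };
    # Columns after ip, in #fields order. cve_list is comma-separated in the
    # file, which is the ASCII reader's default set_separator, so it loads
    # directly as a set of CVE identifiers; "-" leaves it unset.
    type Val: record {
        hostname: string &optional;
        host_uid: string &optional;
        machine_domain: string &optional;
        os_version: string &optional;
        source: string;
        cve_list: set[string] &optional;
    };
    # One row per host/CVE pair in the new endpoint_cve.log.
    type Info: record {
        ts: time &log;
        ip: addr &log;
        cve: string &log;
    };
    global cves: table[addr] of Val = table();
}

event zeek_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="endpoint_cve"]);
    Input::add_table([$source=cve_file, $name="s1_cves", $idx=Idx, $val=Val,
                      $destination=cves, $mode=Input::REREAD]);
    }

# Fires after each (re)read of the file, so the log reflects what Corelight-update
# last pushed. Check the name: every input source raises this same event.
event Input::end_of_data(name: string, source: string)
    {
    if ( name != "s1_cves" )
        return;
    for ( ip in cves )
        {
        local v = cves[ip];
        if ( ! v?$cve_list )
            next;
        for ( c in v$cve_list )
            Log::write(LOG, Info($ts=network_time(), $ip=ip, $cve=c));
        }
    }
```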
Attention
The integration only creates the Input Framework files to be loaded on sensors. Additional Zeek scripts must be loaded on the sensors to make use of this data. If you enable these integrations, Corelight-update uploads the input files to the sensor, but if the required script isn’t available on the sensor, the input data won’t be used.
See Zeek package management for information about using Corelight-update to manage Zeek package bundles.
See Zeek-Endpoint-Enrichment for an example of a Zeek package that can use this data.