SentinelOne: Integration Guide

Topic

This article explains how to enable the SentinelOne integration with NinjaOne.

Environment

SentinelOne Integration

Description

SentinelOne is a comprehensive enterprise security platform that provides virus and threat detection, hunting, and response features. These features enable organizations to resolve vulnerabilities and protect IT operations.

Select a category to learn more:

About SentinelOne
Enable SentinelOne
- Enable with API Token
- Enable with Username/Password
Retry Failed Installation
Map NinjaOne to SentinelOne
Navigate to SentinelOne from NinjaOne
Additional Resources

About SentinelOne

SentinelOne OS Support

The SentinelOne integration is currently supported for:

Windows (x32): v23.3.3.264
Windows (x64): v24.1.4.257
MacOS: v24.2.2.7632
- Accessing this will prompt a Full Disk Access request.
Linux (x86-64_deb): v24.2.2.20
Linux (x86-64_rpm): v24.2.2.20
Linux (aarch-64_deb): v24.2.2.20
Linux (aarch-64_rpm): v24.2.2.20

At this time, the NinjaOne integration with SentinelOne does not support Windows ARM-based processors.

Agent Updates

The SentinelOne agent does not automatically update.
SentinelOne agent updates can be performed via the SentinelOne Web Management Console. https://{management-console-domain}/docs/en/upgrading-agents.html#upgrading-agents

Resources and Notes

The integration does not support multi-tenancy at this time.
A SentinelOne user can have only ONE (1) API token. The NinjaOne 5.7 release introduces the ability to automate renewal of this token. The version 7.0 release resolves an issue where the token was not being automatically renewed due to a failed validation check when updating division configuration credentials.
The SentinelOne integration will not install if other antivirus software is detected on the endpoint.
Disabling SentinelOne in NinjaOne does not result in SentinelOne being uninstalled from devices.
Users must have a token to access the API (Application Programming Interface) management console.
Service users need a minimum Scope of Access to be "View" for the SentinelOne integration (please note, accessing the integration is NOT the same as managing the API renewal; those actions will require different permissions as outlined in SentinelOne API Tokens).
- Refer to the following link to view SentinelOne Knowledge Base service user overview and instructions for creating users at the account or site level: https://{management-console-domain}.sentinelone.net/docs/en/service-users.html.
When SentinelOne is first installed, it automatically runs a Full Disk Scan; during this time, the option to manually run a scan may not be available.
SentinelOne's documentation may be located within the SentinelOne Management Console under Help > Online Help.

Scope of Access Requirements

A Service User in SentinelOne needs to meet the following minimum required permissions to enable this integration in NinjaOne.

Setting	Minimum Permission(s)
Endpoints	View View Threats Move to Another Site Initiate Scan Abort Scan
Endpoint Threats	View
Accounts	View
Activity	View
Cloud	View
Cloud Account	View
Cloud Policies	View
Console Integration	View
Console Users	Views
Endpoint Policy	View
Groups	View
Roles	View
Service Users	View
Sites	View
Threat Intelligence	View
Threat Services	View
Unified Alerts	View Star Alerts = View Mobile Alerts = View Identity Alerts = View Generic Alerts = View Endpoint Alerts = View

Enable SentinelOne

The SentinelOne integration currently supports the "Bring your own license model" which means you must have an existing SentinelOne account/license to enable the integration. If you do not have a license, you can easily purchase one through NinjaOne!

There are two methods to enable SentinelOne:

Enable with API token (Recommended). Click here for more information.
Enable with username/password—this method generates a one-time use API token.

Enable with API Token

The API token should not be confused with the SentinelOne Site Token—and the Site Token is not used in this process. the NinjaOne integration with SentinelOne uses an API token and SentinelOne Site ID. When the site is mapped and deployment occurs, the server provides the corresponding Site ID, which gives the installer a site token. Instructions for obtaining the Site ID are included in the steps below.

Open Administration in the left side navigation pane; select Apps and click Add Apps.
Select the SentinelOne app and enable it.
The Enable SentinelOne modal displays.
Choose Enable with API token.
If you need to manually generate an API token, click here for instructions.
Enter your Site ID.
- To Find the Default Site ID:
  1. Login to SentinelOne Web Management Console using your SentinelOne domain and established credentials.
  2. Select Settings from the left vertical menu in SentinelOne.
  3. Select Sites from the horizontal menu.
  4. If there are multiple "Sites,” select Default Site.
  5. Open the Site Info tab. You may need to scroll to the right to see this option.

Figure 1: Site Info in SentinelOne

1. 1. Click the double paper icon to copy the Site ID data.

In NinjaOne, paste the Site ID into the Site ID field. For Management console domain field, enter the URL from your SentinelOne account.
Click Enable.

Enable with Username/Password

Choose Enable with username/password.
Hover mouse on the icon next to the Management console domain for more information.
Fill in the information and click on the Save button.
Enter your 6-digit Authentication Code and select Submit.

Retry Failed Installation

If the SentinelOne integration fails to install on the target device, the result of this activity displays in the Health section of the device dashboard.

Click the arrow to the right of the health notification and select Retry Install to attempt to troubleshoot.

If that does not work, you may need to disable Windows Defender. When you install a new antivirus software, it will typically prompt you to disable Windows Defender during the installation process. If it does not prompt you, you can disable Windows Defender manually by following these steps:

Open the Windows Security app by clicking on the shield icon in the taskbar or searching for "Windows Security" in the Start menu.
Click Virus & threat protection in the left-hand menu.
Click Manage settings under the "Virus & threat protection settings" section.
Toggle the switch for Real-time protection to the off position.
Confirm that you want to turn off real-time protection by clicking Yes in the pop-up window.

Map NinjaOne to SentinelOne

Mapping between SentinelOne sites and NinjaOne organizations are tied to the NinjaOne account, rather than a particular user. API tokens can be swapped out and the mappings will remain the same.

Mapping Terminology

NinjaOne accounts are called "Organizations."
SentinelOne accounts are called "Sites."
Organizations need to be mapped to Sites.

Navigate to SentinelOne Mappings

In NinjaOne, click Administration in the left navigation pane.
Select Apps in the middle menu.
Open the SentinelOne app on the right side of the page.
Open the Mappings tab.

Mapping Statuses

There are three (3) mapping statuses:

Mapped
Unmapped
Needs Confirmation

Mapping statuses can be updated by activating the checkbox(es) for the desired organization(s) and clicking Confirm Selected Mappings at the top of the organization list.

For unmapped statuses, hover over the row and click the ellipsis button to see the mapping action. A modal will display allowing you to select the SentinelOne site from a dropdown list. You can create new sites in SentinelOne through Settings > Sites > New Sites. Please refer to SentinelOne developer documentation for more information.

Navigate to SentinelOne from NinjaOne

Threats can be remediated from the SentinelOne dashboard.

In NinjaOne, click Administration in the left navigation pane.
Select Apps in the middle menu.
Open the SentinelOne app on the right side of the page.
Select Go to Dashboard.
A popup notifies that the user is navigating outside of NinjaOne.
Click the Continue button to proceed to the SentinelOne dashboard.