NinjaOne Integrations: Frequently Asked Questions (FAQ) About SentinelOne

Topic

This article answers frequently asked questions about using the SentinelOne integration in NinjaOne. 

Environment

  • NinjaOne Integrations
  • SentinelOne 

Questions

What is SentinelOne?

SentinelOne is an AI-powered cybersecurity platform that provides endpoint protection, detection, and response across various devices and environments.  

How do I access the SentinelOne API?

SentinelOne uses tokens to access the API (Application Programming Interface) management console. You can also leverage tokens to enable the SentinelOne integration with NinjaOne. Refer to NinjaOne Integrations: Understanding SentinelOne API Tokens for instructions.

If I change my API tokens, will this affect the integration? Do I need to change the API settings within the NinjaOne console?

If the API token changes, you must enter the new API token into the NinjaOne console on the SentinelOne setup page. If the token is valid, no further action is needed. 

How do I confirm that the SentinelOne agent is installed via NinjaOne?

In NinjaOne, navigate to the Device Dashboard, open the Software tab, and check for SentinelOne Agent. If you have access to the SentinelOne Management console, you can also confirm the agent's presence by checking the device inventory.

Can I add exclusions for SentinelOne?

To allow specific software and avoid false positives, the best solution is to create an exclusion. We recommend referring to SentinelOne documentation for this.

You must access SentinelOne documentation from your domain. You can access the documentation within your Management Console by navigating to Help > Online Help or using the URLs below and entering your domain name where specified.

  • Best Practices for Exclusions: https://{your domain name}.sentinelone.net/docs/en/best-practices-for-exclusions.html
  • Creating a Path Exclusion: https://{your domain name}.sentinelone.net/docs/en/creating-a-path-exclusion.html
  • Creating a Hash Exclusion: https://{your domain name}.sentinelone.net/docs/en/creating-a-hash-exclusion.html
  • Excluding a Certificate Signer Identity: https://{your domain name}.sentinelone.net/docs/en/excluding-a-certificate-signer-identity.html

When you use hash exclusions and a file's hash changes, the exclusion no longer applies. Each distinct hash needs its own exclusion, so multiple hashes increase the number of exclusions that need to be made.
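
The following is an added example, not NinjaOne or SentinelOne code, showing how to audit which builds of an excluded application are still matched by an existing hash exclusion after an update. The file names and contents are constructed, and SHA-1 as the exclusion hash type is an assumption; confirm the hash type your console expects.

```python
import hashlib
import tempfile
from pathlib import Path

def file_hash(path, algorithm="sha1"):
    """Hash a file in chunks so large installers are not read into memory at once."""
    h = hashlib.new(algorithm)  # "sha1" is an assumption, not taken from the page
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_hash_exclusions(paths, excluded_hashes, algorithm="sha1"):
    """Return (files still covered, {new hash: [files]}) for a set of binaries."""
    excluded = {h.lower() for h in excluded_hashes}  # consoles may show upper case
    covered, uncovered = [], {}
    for p in paths:
        digest = file_hash(p, algorithm)
        if digest in excluded:
            covered.append(str(p))
        else:
            # Group by digest: identical copies need only one new exclusion.
            uncovered.setdefault(digest, []).append(str(p))
    return covered, uncovered

def demo():
    """Constructed sample: one excluded build, a byte-identical copy, two updates."""
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        builds = {
            "tool-1.0.exe": b"constructed build 1.0",
            "tool-1.0-copy.exe": b"constructed build 1.0",
            "tool-1.1.exe": b"constructed build 1.1",
            "tool-1.2.exe": b"constructed build 1.2",
        }
        for name, data in builds.items():
            (d / name).write_bytes(data)
        # The only exclusion on record is the hash of build 1.0.
        existing = [hashlib.sha1(b"constructed build 1.0").hexdigest().upper()]
        covered, uncovered = audit_hash_exclusions(sorted(d.iterdir()), existing)
        return len(covered), len(uncovered)

if __name__ == "__main__":
    covered, needed = demo()
    print(f"{covered} file(s) still covered; {needed} new hash exclusion(s) needed")
```

Each update that changes the binary adds one more hash to track, which is the trade-off to weigh against the path and certificate signer exclusions listed above.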

Is SentinelOne compatible with NinjaOne mobile?

No. At this time, SentinelOne is not supported for NinjaOne mobile.

Why am I seeing an error for an invalid Authentication token?

This error occurs if the API token you used to integrate NinjaOne with SentinelOne is expired. To correct this issue, a new API token should be generated and entered into the NinjaOne console on the SentinelOne setup screen.

As a best practice, we recommend using a SentinelOne Service Account to generate an API token for use with our integration. In a future release, our development team will introduce a feature to programmatically refresh authentication tokens before they expire. The SentinelOne API Token Expiry Update notification may still be seen in the SentinelOne Management Console.

Generating an API token for yourself requires a setting in User Details that is unrelated to Role-Based Access Control (RBAC) permissions. The ability to enable other users to create their own token requires RBAC permissions for API tokens. The predefined administrator role has all of these requirements. All other predefined roles do not have these RBAC permissions or the user setting. Administrator users can enable the API Token settings for other users when necessary. You can also create custom roles with the new RBAC permissions.

What happens if SentinelOne is already installed on all my devices? 

The NinjaOne Agent recognizes that SentinelOne is installed and does not alter the existing installation. When the integration is enabled and the setup is complete, devices that have SentinelOne installed and the NinjaOne agent present report in the NinjaOne UI, and you can use all integration features.

What if SentinelOne is already installed on devices, but I don't want to use integration?

The SentinelOne agent information appears in the activity feed, along with any information regarding Antivirus being present on the device. (Examples: Install, Uninstall.)

If the integration is not enabled, you cannot resolve notifications for threats or actions on the SentinelOne deployment through NinjaOne.

Does the integration install the latest SentinelOne package?

No. You can upgrade devices to the latest package through SentinelOne by using a SentinelOne policy in the SentinelOne Management Console. Refer to SentinelOne documentation for steps on upgrading agents with Apple macOS using their "macOS Agent Upgrade Playbook". It may be necessary to complete specific actions depending on your macOS.

Manual updates can be performed within the SentinelOne Management Console under Sentinels: select the device(s), click Actions, and click Agent Version changes to Update Agent.

SentinelOne continues to provide testing and updated definitions for the version deployed by NinjaOne. Threat updates are also provided automatically. The SentinelOne agent does not auto-upgrade and must be triggered through the S1 console. We only support GA packages produced by SentinelOne.

Does the SentinelOne Agent auto-upgrade?

No. You can upgrade to the latest package through SentinelOne by using a SentinelOne policy in the SentinelOne Management console to upgrade devices. You can perform manual updates within the SentinelOne Management console by navigating to Sentinels, selecting the device(s), clicking Actions, and clicking Agent Version changes to Update Agent.  

What is Management Console Domain?

The Management Console Domain is where you log in to SentinelOne. You must add /web/api at the end of this URL during the enablement of SentinelOne Integration. 

What is Site ID?

This is the default SiteID account used within SentinelOne during the enablement of the SentinelOne Integration.

To locate your Default SiteID:

  1. Log in to SentinelOne Web Management Console.
  2. Select Sentinels from the left navigation pane.
  3. Select SITE INFO from the top navigation menu.
  4. If there are multiple Sites, select Default Site.

How long will it take for an activity or threat from SentinelOne to appear in NinjaOne?

Activities and threats may take up to five minutes to display in the NinjaOne UI. 

If SentinelOne is able to resolve a detected threat within this timeframe, there may be no threat data on the NinjaOne dashboard in the Health section; however, the Activities tab should still indicate that the threats appeared and were mitigated or resolved.

How long does it take to clear an alert/threat from NinjaOne after remediation?

Alert or threat remediation may take up to five minutes to display in the NinjaOne UI.

If the threat is not being cleared, the node may need to be cleaned; please reach out to NinjaOne Support for assistance. As a workaround, navigate to the threat remediation page in SentinelOne and change the Analysis Verdict to "False Positive" and the Incident Status to "In Progress" first, and then change to "Resolved". 

Why does SentinelOne say "offline" on the device within NinjaOne?

If you delete a site within SentinelOne, this causes NinjaOne to lose the ability to communicate with SentinelOne. 

Do I need to reboot the device after installing SentinelOne?

Not necessarily. You can configure this setting within your policies in the SentinelOne Management console. 

After installation, the device activity feed shows "Scan Started." Is this expected behavior?

Yes, this is expected. SentinelOne agent performs a scan when it is installed. No information regarding this activity will show up in the Health section in NinjaOne, but there are Activity entries for that device. 

On Apple macOS devices, are users prompted to "Allow Full Disk Access"?

Due to macOS security, users are prompted and need to allow Full Disk Access for SentinelOne. 

What if we have SentinelOne licensed through a vendor other than NinjaOne? 

This is not a problem; NinjaOne has a "bring your own license integration" with SentinelOne. 

Can I create SentinelOne accounts for my team in the Sentinel University training portal?

Yes. Please contact your account manager for assistance.

Can I add an additional account with my S1 integration?

No, but you can add multiple sites through your existing account if you are integrating SentinelOne through NinjaOne.

Can I increase the SentinelOne history from 2 to 4 weeks?

No. SentinelOne provides 14 days of data retention for deep visibility, and you cannot change this setting.

Additional Resources

Refer to Integrations and Third-Party Apps: Resource Catalog to find more documentation about the NinjaOne and SentinelOne integration. 
