SentinelOne Endpoint Integration with TEM

Overview

The SentinelOne integration with Threat Exposure Management (TEM) helps centralize visibility into endpoint-related indicators and vulnerability findings. It enables correlation of vulnerabilities with other security controls to support exposure analysis, prioritization, and remediation workflows.

Supported Capabilities

  1. Indicators of Compromise - Manages threat intelligence across all integrated security controls, ensuring consistent alignment and protection across the organization.

    Supported IoC Types include IP Addresses, Domains, and File Hashes (SHA1).

  2. Vulnerability Remediation

    • Identifies, correlates, and prioritizes vulnerabilities across your environment.

    • Provides actionable insights to remediate vulnerabilities effectively through compensating controls, such as configuration changes, access restrictions, or virtual patching.

    • Ensures that remediation actions are tracked and verified, supporting continuous risk reduction and improved security posture.

Integrating SentinelOne with TEM

Prerequisites

Verifying Firewall Control

Firewall Control must be enabled in SentinelOne, as it is required for IoC enforcement.

To verify:

  1. Log in to the SentinelOne Management Portal.

  2. From the left navigation panel, select Sentinels.

  3. From the top navigation panel, click Network Control.

  4. Confirm that Firewall Control is turned on.

Service User and Permissions

Create or use a dedicated service user in SentinelOne with the permissions listed below. These permissions must be assigned before generating the API token.

Permissions for IoC Management

The following permissions are required to allow TEM to create, update, and verify IoCs using SentinelOne Network Control:

  1. Firewall:

    • View

    • Modify Settings (Preferences tab)

    • Manage Rules and Tags

  2. Sites: View

Permissions for Vulnerability Visibility

The following permissions are required to allow TEM to retrieve vulnerability and risk information:

  1. Applications

    • View

    • View Risks

  2. Endpoints: View

Integration Flow

Step 1 - Collecting SentinelOne Domain

  1. Log in to the SentinelOne Management Portal.

  2. Copy the domain from the browser URL, for example: https://<domain>.sentinelone.net/dashboard. Save this value for later use.

Step 2 - Generating an API Token

  1. In the SentinelOne Management Portal, click your username in the top-right corner.

  2. Select My User.

  3. Click Actions > API Token Operations > Generate API Token.

    Save the generated token securely for further use in the integration.

Note -

  • If an API token already exists, it is recommended to reuse it.

  • Generating a new token invalidates the previous token.

  • Optionally, a dedicated service user can be created with minimum required permissions.

Minimum Required Permissions (Service User)

  1. Firewall (all sub-permissions) - IoC

  2. Sites (all sub-permissions) - IoC

  3. Applications (all sub-permissions) - Vulnerabilities

  4. Endpoints (all sub-permissions) - Vulnerabilities

Step 3 - Configuring the TEM Portal

  1. Log in to the TEM portal.

  2. Go to Settings > Integrations > Catalog > Singularity.

  3. In the Singularity pop-up that appears, navigate to the Connection tab and enter the following details.

    1. In the Connection Name field, enter a name for this connection.

    2. In the API Key field, enter the API token generated in the SentinelOne Management Console (Step 2).

    3. In the Host field, enter the hostname or IP address of the SentinelOne Management Console.

  4. Click Next.

  5. (Optional) In the Configuration section, select the "Import Indicators created before this integration was set up" checkbox to backfill existing indicators into the integration.

  6. Click Connect to establish a connection.

IoC Behavior

  • IoCs defined in TEM are synchronized to SentinelOne based on the integration configuration.

  • Indicators are enforced using SentinelOne Network Control and blocklist mechanisms.

  • If an indicator already exists in SentinelOne, it is skipped automatically.
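
A pre-flight check for an indicator list before it is entered in TEM, given that the supported IoC types above are IP addresses, domains, and SHA1 file hashes. This is an added example, not code from TEM or SentinelOne. The normalization and matching rules are assumptions, as is the rejection of CIDR ranges and URLs; the page does not document how either product validates indicators.

```python
import contextlib
import ipaddress
import re

# Assumption: plain hostname syntax (dot-separated labels, alphabetic TLD).
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
_SHA1 = re.compile(r"^[0-9a-f]{40}$")
_OTHER_HASHES = {32: "md5", 64: "sha256"}  # hex lengths the page does not list


def classify(raw):
    """Return (kind, normalized); kind is ip, domain, sha1 or unsupported:<why>."""
    value = raw.strip().lower().rstrip(".")
    with contextlib.suppress(ValueError):
        return "ip", str(ipaddress.ip_address(value))
    if _SHA1.match(value):
        return "sha1", value
    if re.fullmatch(r"[0-9a-f]+", value) and len(value) in _OTHER_HASHES:
        return "unsupported:" + _OTHER_HASHES[len(value)], value
    if "/" in value:  # assumption: URLs and CIDR ranges are not single indicators
        return "unsupported:url-or-cidr", value
    if _DOMAIN.match(value):
        return "domain", value
    return "unsupported:unrecognized", value


def preflight(indicators):
    """Split a list into deduplicated syncable indicators and rejects."""
    accepted, rejected, seen = [], [], set()
    for raw in indicators:
        kind, value = classify(raw)
        if kind.startswith("unsupported"):
            rejected.append((raw, kind))
        elif (kind, value) not in seen:
            seen.add((kind, value))
            accepted.append((kind, value))
    return accepted, rejected


# Constructed sample input (documentation IP ranges, example.com, empty-input hashes).
SAMPLE = [
    "203.0.113.7", "Malicious.Example.com.", "malicious.example.com",
    "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709",  # SHA-1
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # SHA-256
    "https://malicious.example.com/payload", "198.51.100.0/24",
]

if __name__ == "__main__":
    print(*preflight(SAMPLE), sep="\n")
```

Rejected entries are returned with a reason so they can be converted (for example, by looking up the SHA1 of a file known only by its SHA-256) or routed to a control that supports them.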

Verifying Indicator Deployment

  1. Log in to the SentinelOne Management Portal.

  2. Navigate to Sentinels > Network Control.

  3. Review firewall rules created by TEM.

  4. Verify rules with the description "Created by Veriti".

  5. From the top menu, select Blocklist.

  6. Verify blocklist entries with the description "Created by Veriti".

Note - IoCs that already exist in SentinelOne are skipped during synchronization.