
Workflow for Building Agentless Microsegmentation with Sentinel One

Onboarding

This section describes the steps required to integrate Sentinel One with the Xshield platform to enable advanced endpoint visibility and telemetry ingestion.

By connecting your SentinelOne environment, Xshield can:

  • Import your sites, groups, and selected SentinelOne endpoints
  • Ingest real-time XDR telemetry through Cloud Funnel
  • Provide deep visibility into the traffic flows between endpoints

This integration helps enhance your organization's security posture by enabling threat visibility and forensic analysis across your network without the need for any additional agents or footprint.

Prerequisites

To successfully integrate SentinelOne with Xshield, the customer needs to provide the following details:

  1. SentinelOne Console URL: This is the base URL of your SentinelOne environment. Example: https://usea1-partners.sentinelone.net
     ⚠️ Note: Your console URL may be different based on your region and deployment.

  2. API Token: This is used for authenticating Xshield with SentinelOne.
     The Console URL and API Token are required for Xshield to import sites, groups, and endpoints from your SentinelOne environment.
     To generate the API token, follow the instructions in the API Token section.

  3. Cloud Funnel Configuration: This enables streaming of IP-related XDR telemetry events from SentinelOne to Xshield.

Configuring SentinelOne Integration in Xshield Platform

  1. Log in to the Xshield console and navigate to Settings > Integrations > EDR > SentinelOne. Click the Activate button.

Activate SentinelOne in Xshield

  2. Fill in the SentinelOne Console URL and API Token in the popup window, click Test to validate the credentials, then click Save.

Enter SentinelOne Credentials in Xshield

✅ Once saved, Xshield will begin syncing your SentinelOne sites and groups. You can proceed to the next step to configure Cloud Funnel in SentinelOne.

Configure Cloud Funnel in SentinelOne

To stream telemetry data from SentinelOne into Xshield, you must configure the Blob Storage SAS URL inside the SentinelOne console's Cloud Funnel settings.

  1. Log in to the SentinelOne console.

  2. Navigate to Settings > Integrations > Cloud Funnel.

Cloud Funnel

  3. Select Azure as the Cloud provider and fill in the following fields:
  • Blob Storage SAS URL: Copy the SAS URL from Xshield > Settings > Integrations > EDR > SentinelOne > Cloud Funnel Configuration.

Copy SAS URL

Paste the value into the Blob Storage SAS URL field in the SentinelOne console and click Validate.

  • Enable Telemetry Streaming.
  • Query Filters: Enter the filter event.category = 'ip' and click Validate.
  • Click Save.

Cloud Funnel Configuration

⚠️ Note: You can set the Cloud Funnel at the Account level or at the Site level. If configuring at Site level, you must repeat the setup for each site, using the same SAS URL (from the SentinelOne Integration tile).
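The SAS URL you paste into Cloud Funnel is a bearer credential for your storage account: whoever holds it can do whatever its signed permissions allow until it expires. Before handing it to a third-party console it is worth checking that it is scoped to a single container, write-only, HTTPS-only and has a bounded expiry. The script below is an added example, not code from Xshield or SentinelOne. It uses Azure's own SAS query parameters (sv, sr, srt, sp, st, se, spr, sig); the sample URLs, storage account name, container name and signatures are constructed placeholders, and the assumption that a telemetry sink only needs create and write permissions is the author's, not something the page states.

```python
"""Inspect an Azure Blob Storage SAS URL before sharing it with a telemetry producer.

Added example (not from the Xshield or SentinelOne documentation). The query
parameters are Azure's own; the sample URLs and signatures are constructed.
Assumption: a telemetry sink such as Cloud Funnel only needs to create and
write blobs, so any other permission letter is flagged for review.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

PERMISSION_NAMES = {
    "r": "read", "a": "add", "c": "create", "w": "write",
    "d": "delete", "l": "list", "t": "tag", "x": "delete-version",
}

# Constructed sample URLs; the sig values are placeholders, not real signatures.
GOOD_SAS_URL = (
    "https://examplestorage.blob.core.windows.net/cloudfunnel"
    "?sv=2022-11-02&sr=c&sp=cw&st=2025-01-01T00:00:00Z"
    "&se=2026-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER_SIGNATURE"
)
BROAD_SAS_URL = (
    "https://examplestorage.blob.core.windows.net/"
    "?sv=2022-11-02&ss=b&srt=sco&sp=rwdlac&se=2024-01-01T00:00:00Z"
    "&sig=PLACEHOLDER_SIGNATURE"
)
# Fixed reference time so the checks are reproducible (constructed).
FIXED_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def _parse_sas_time(value):
    """Parse the UTC timestamp formats Azure accepts in the st/se parameters."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def inspect_sas_url(url, now=None, expected_permissions=frozenset("cw"),
                    max_validity=timedelta(days=365)):
    """Return a summary dict; an empty 'findings' list means the token is
    scoped the way a write-only telemetry sink should be."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    permissions = set(query.get("sp", ""))
    findings = []

    if parts.scheme != "https":
        findings.append("URL scheme is not https")
    if "sig" not in query:
        findings.append("no sig parameter: this is not a signed SAS URL")
    # srt is only present on an account SAS, which spans every container.
    if "srt" in query:
        findings.append("account-level SAS (srt present): prefer a SAS scoped to one container")
    elif query.get("sr") != "c":
        findings.append(f"resource scope is {query.get('sr')!r}, expected a container (sr=c)")
    # Without spr=https Azure accepts the token over plain http as well.
    if query.get("spr") != "https":
        findings.append("spr=https not set: token is usable over http")

    expires_at = None
    if "se" not in query:
        findings.append("no expiry (se): token never expires")
    else:
        expires_at = _parse_sas_time(query["se"])
        if expires_at <= now:
            findings.append(f"token expired at {expires_at.isoformat()}")
        elif expires_at - now > max_validity:
            findings.append("validity window longer than the allowed maximum")

    extra = permissions - set(expected_permissions)
    missing = set(expected_permissions) - permissions
    if extra:
        findings.append("permissions beyond create/write: "
                        + ", ".join(sorted(PERMISSION_NAMES.get(p, p) for p in extra)))
    if missing:
        findings.append("missing required permissions: "
                        + ", ".join(sorted(PERMISSION_NAMES.get(p, p) for p in missing)))

    return {
        "account": parts.netloc.split(".")[0],
        "container": parts.path.strip("/").split("/")[0],
        "permissions": "".join(sorted(permissions)),
        "expires_at": expires_at,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, url in (("good", GOOD_SAS_URL), ("broad", BROAD_SAS_URL)):
        report = inspect_sas_url(url, now=FIXED_NOW)
        print(label, report["account"], report["permissions"], report["findings"] or "ok")
```

Run it against the URL copied from the Xshield Cloud Funnel Configuration tile (with a real `now`) and treat any finding as a reason to regenerate the SAS before pasting it into SentinelOne. The one-year maximum validity is a policy choice for this example; tighten it to match your own credential-rotation rules.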

After configuring the Cloud Funnel settings:

  • SentinelOne begins streaming IP-related XDR telemetry to the specified Azure Blob Storage.
  • Xshield consumes this data to provide rich traffic visibility. Customers can view the entire traffic flow in a user-friendly manner, enabling enhanced security analysis and effective policy enforcement.
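To make concrete what the event.category = 'ip' filter leaves in the stream and how flat IP events turn into the per-flow view an operator sees, here is an added example that reduces a batch of events to (source, destination, port) flows. It is not Xshield's or SentinelOne's code. The only field name taken from the page is event.category; the other keys (src.ip.address, dst.ip.address, dst.port.number, event.time) and the newline-delimited JSON layout are assumptions made for this example, and every sample event is constructed.

```python
"""Reduce Cloud Funnel-style IP telemetry to per-flow summaries.

Added example, not code from Xshield or SentinelOne. Only event.category
comes from the product documentation; the remaining field names and the
NDJSON layout are assumptions for this example, and the events are constructed.
"""
import json

# Constructed sample batch: two events for the same flow, one for another
# flow, one non-IP event (filtered by category), one IP event missing its
# destination (incomplete) and one truncated line (malformed JSON).
SAMPLE_NDJSON = "\n".join([
    '{"event.category": "ip", "event.time": 1700000000, "src.ip.address": "10.0.1.10",'
    ' "dst.ip.address": "10.0.2.20", "dst.port.number": 443}',
    '{"event.category": "ip", "event.time": 1700000030, "src.ip.address": "10.0.1.10",'
    ' "dst.ip.address": "10.0.2.20", "dst.port.number": 443}',
    '{"event.category": "ip", "event.time": 1700000060, "src.ip.address": "10.0.1.11",'
    ' "dst.ip.address": "10.0.2.20", "dst.port.number": 22}',
    '{"event.category": "process", "event.time": 1700000070, "src.process.name": "example.exe"}',
    '{"event.category": "ip", "event.time": 1700000080, "src.ip.address": "10.0.1.12"}',
    '{"event.category": "ip", "event.time": 1700000090, "src.ip.address": "10.0.1.10"',
])

# Keys an IP event must carry to be placed on a flow (assumed names).
REQUIRED_KEYS = ("event.time", "src.ip.address", "dst.ip.address", "dst.port.number")


def parse_ndjson(text):
    """Parse one JSON object per line; malformed lines are counted, not raised."""
    events, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            malformed += 1
    return events, malformed


def aggregate_flows(events):
    """Group IP events by (src, dst, dst_port) with count and first/last seen."""
    flows, filtered_non_ip, incomplete = {}, 0, 0
    for event in events:
        # Same condition as the Cloud Funnel query filter event.category = 'ip'.
        if event.get("event.category") != "ip":
            filtered_non_ip += 1
            continue
        if any(key not in event for key in REQUIRED_KEYS):
            incomplete += 1
            continue
        key = (event["src.ip.address"], event["dst.ip.address"], int(event["dst.port.number"]))
        seen = int(event["event.time"])
        flow = flows.setdefault(key, {"count": 0, "first_seen": seen, "last_seen": seen})
        flow["count"] += 1
        flow["first_seen"] = min(flow["first_seen"], seen)
        flow["last_seen"] = max(flow["last_seen"], seen)
    return flows, filtered_non_ip, incomplete


def summarize(text):
    """End-to-end: NDJSON text in, flow table plus data-quality counters out."""
    events, malformed = parse_ndjson(text)
    flows, filtered_non_ip, incomplete = aggregate_flows(events)
    return {
        "flows": flows,
        "malformed_lines": malformed,
        "filtered_non_ip": filtered_non_ip,
        "incomplete_ip_events": incomplete,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_NDJSON)
    for (src, dst, port), flow in sorted(result["flows"].items()):
        print(f"{src} -> {dst}:{port}  count={flow['count']}  "
              f"first={flow['first_seen']}  last={flow['last_seen']}")
    print({k: v for k, v in result.items() if k != "flows"})
```

The counters matter as much as the flow table: a rising malformed or incomplete count after a SentinelOne agent or schema update is the first sign that the visibility data feeding policy decisions has quietly degraded.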

Discovery

  1. A list of discovered groups from SentinelOne is shown under EDR Groups > SentinelOne in the Xshield tenant. Select the desired groups and click Activate to import the corresponding endpoints into Xshield.

EDR Groups

This option is provided because customers may have a large number of hosts managed by the SentinelOne platform and can decide which set of hosts needs to be imported into the Xshield platform.

Confirm Activation: A confirmation popup will appear. Click Confirm to activate the selected groups.

Confirm Activation

⚠️ Note: Group retrieval may take 1–4 minutes. This is because the system triggers a background work request that is processed asynchronously. Please allow some time for the groups to appear after saving your SentinelOne credentials.

  2. After the groups are activated and synced with Xshield, the corresponding endpoints will be available in the Assets tab in Xshield. The SentinelOne endpoints can be filtered using the filters Tags > Managed By > SentinelOne.

Filter Assets

Filtered Assets

Clicking on any asset name will take you to the details page. The asset details page will display information like IP Address, Operating System, Tags, etc.

Visibility

New SentinelOne segments (based on tags) can be created in Xshield for assets imported from SentinelOne. This follows the standard segment creation process in Xshield.

Click the Segments menu item in the left navigation bar. Select the SentinelOne tab and click the Create Segment button. Provide the segment name and description and choose the criteria that add the respective endpoints to the segment.

Create Segments

After the segment is created, the operator can either wait for the assets to be grouped under the segment or click Sync Firewall Group under EDR > SentinelOne to sync the assets manually.

Sync Firewall Group

Named Networks can be added to the segment at segment creation time or later. To add Named Networks after the segment is created, click the more options (ellipsis) icon of the segment on the Xshield Segments page and select Manage Named Networks. Add the appropriate Named Networks and click the Assign button to save the changes.

To visualize the traffic flows between the imported endpoints, click the Visualize icon next to the segment.

SentinelOne Segments

You will be redirected to the Visualize page, where you can view all the traffic flows between the imported endpoints.

SentinelOne Visualize

Sync Timings

Operation                | Trigger                                                                           | Time to Update
-------------------------|-----------------------------------------------------------------------------------|------------------
Import Groups            | Integration activation; manual sync; scheduled sync (every 24 hours)             | Up to 10 minutes
Import Endpoints         | Groups activation/deactivation; manual sync; scheduled sync (every 24 hours)     | Up to 10 minutes
Import Network Telemetry | Continuous                                                                        | Up to 10 minutes

Summary

This integration helps enhance your organization's security posture by enabling visibility and threat analysis across your network without the need for any additional agents or footprint.