SentinelOne
Cloudflare Zero Trust can integrate with SentinelOne to require that users connect to certain applications from managed devices. Our service-to-service posture check identifies devices based on their serial numbers.
- SentinelOne agent is deployed on the device.
-
Cloudflare WARP client is deployed on the device. For a list of supported modes and operating systems, refer to Service providers.
The following SentinelOne values are needed to set up the SentinelOne posture check:
- API Token
- REST API URL
To retrieve those values:
- Log in to your SentinelOne Dashboard.
- Go to Settings > Users > Create new Service User.
- Select Create New Service User.
- Enter a Name and Expiration Date and select Next.
- Set Scope of Access to Viewer.
- Select Create User. SentinelOne will generate an API Token for this user.
- Copy the API Token to a safe location.
- Select Close.
- Copy the Rest API URL from your browser’s address bar (for example,
https://<S1-DOMAIN>.sentinelone.net
).
- In Zero Trust ↗, go to Settings > WARP Client.
- Scroll down to Device posture providers and select Add new.
- Select SentinelOne.
- Enter any name for the provider. This name will be used throughout the dashboard to reference this connection.
- In Client Secret, enter your API Token.
- In Rest API URL, enter
https://<S1-DOMAIN>.sentinelone.net
. - Choose a Polling frequency for how often Cloudflare Zero Trust should query SentinelOne for information.
- Select Save.
You will see the new provider listed under Settings > WARP Client > Device posture providers. To ensure the values have been entered correctly, select Test.
- In Zero Trust ↗, go to Settings > WARP Client > Service provider checks.
- Select Add new.
- Select the SentinelOne provider.
- Configure a device posture check and enter any name.
- Select Save.
Next, go to Logs > Posture and verify that the service provider posture check is returning the expected results.
Device posture data is gathered from the SentinelOne Management APIs. For more information, refer to https://<S1-DOMAIN>.sentinelone.net/api-doc/overview
.
Selector | Description |
---|---|
Infected | Whether the device is infected |
Active Threats | Number of active threats on the device |
Is Active | Whether the SentinelOne Agent is active |
Network status | Whether the SentinelOne Agent is connected to the SentinelOne service |
SentinelOne provides endpoint detection and response (EDR) signals to determine user risk score. User risk scores allow you to detect users that present security risks to your organization. For more information, refer to Predefined risk behaviors.