# SentinelOne

Connecting SentinelOne gives SureCloud read access to your SentinelOne management console's agent inventory, threat and detection records, policy assignments, and account configuration. SureCloud monitors agent coverage to identify endpoints where the SentinelOne agent is inactive, outdated, or in a degraded state, verifies that protection policies are set to the correct operating mode (Protect rather than Detect or Learning), collects threat detections and their resolution status, and audits console user access. This provides continuous evidence of endpoint detection and response coverage across your managed device estate.

{% hint style="info" %}
SureCloud connects to SentinelOne using an API token generated from a dedicated service account in the SentinelOne management console. SentinelOne does not support OAuth 2.0 for management API access.
{% endhint %}

## Authentication and setup

{% stepper %}
{% step %}

#### Create a dedicated service account

In the SentinelOne management console, navigate to **Settings → Users → Add New User** and create a service account:

* **Full name**: SureCloud CCM
* **Email**: a monitored service account email address (e.g. `surecloud-ccm@yourcompany.com`)
* **Role**: **Viewer** — provides read-only access to all data within the assigned scope

Assign the service account to the **Site** or **Account** scope depending on your deployment. Account-scope access is required to read data across all sites; Site-scope limits SureCloud to a single site.

{% hint style="info" %}
If your SentinelOne deployment uses multiple sites, assign the service account at the **Account** scope to ensure SureCloud can collect data across all sites in a single connection.
{% endhint %}
{% endstep %}

{% step %}

#### Generate an API token

Log in as the `surecloud-ccm` service account and navigate to **User Menu (top-right) → My User → API Token → Generate**.

Copy the token value immediately. SentinelOne API tokens expire after a configurable period (typically 6 months by default — check your account's token expiry setting).

{% hint style="warning" %}
Record the token expiry date and set a reminder to regenerate the token before it expires. Update the new token in **SureCloud → Integrations → SentinelOne → Edit Connection** before the old token expires to avoid a data collection gap.
{% endhint %}
{% endstep %}

{% step %}

#### Identify your SentinelOne management console URL

SentinelOne uses tenant-specific management console URLs. Your API base URL is the same as your console URL (e.g. `https://yourcompany.sentinelone.net`). The API is hosted at the same hostname under the `/web/api/v2.1/` path.
{% endstep %}

{% step %}

#### Enter credentials in SureCloud

In SureCloud, navigate to **Integrations → SentinelOne → Connect** and provide:

* **Management console URL** (e.g. `https://yourcompany.sentinelone.net`)
* **API token**

Click **Test Connection**, then **Save**.
{% endstep %}
{% endstepper %}

## Endpoints

| API Call                                  | Use Case                                                                                  |
| ----------------------------------------- | ----------------------------------------------------------------------------------------- |
| `GET /web/api/v2.1/agents`                | Enumerate all agents with health status, version, last active time, and policy assignment |
| `GET /web/api/v2.1/agents/{id}`           | Read full agent record including OS version, network quarantine state, and scan status    |
| `GET /web/api/v2.1/threats`               | Retrieve threat detections with classification, status, and analyst verdict               |
| `GET /web/api/v2.1/threats/{id}/timeline` | Read threat event timeline including detection, mitigation, and resolution steps          |
| `GET /web/api/v2.1/policy`                | Read active protection policy configuration per site                                      |
| `GET /web/api/v2.1/groups`                | Enumerate agent groups and their policy assignments                                       |
| `GET /web/api/v2.1/sites`                 | List all sites and their agent counts                                                     |
| `GET /web/api/v2.1/accounts`              | Read account-level configuration and feature settings                                     |
| `GET /web/api/v2.1/users`                 | Enumerate console users and their role and scope assignments                              |
| `GET /web/api/v2.1/activities`            | Collect console activity log events for administrative actions                            |

## Pagination

The SentinelOne API uses cursor-based pagination via a `nextCursor` value in the response `pagination` object. SureCloud passes the cursor as the `cursor` query parameter in successive requests until no `nextCursor` is returned.

```json
{
  "pagination": {
    "totalItems": 6284,
    "nextCursor": "YWdlbnRJZD0xMjM0NTY3ODk="
  },
  "data": [
    {
      "id": "1234567890",
      "computerName": "DESKTOP-ABC01",
      "agentVersion": "23.4.2.12",
      "isActive": true,
      "networkStatus": "connected",
      "policyName": "Default Policy"
    }
  ]
}
```

SureCloud requests up to 1,000 records per page using the `limit=1000` query parameter, which is the maximum permitted by the SentinelOne API.
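The collection loop described above, as an added example that is not SureCloud's or SentinelOne's own code: it follows `pagination.nextCursor` through `GET /web/api/v2.1/agents` with `limit=1000`, surfaces an expired token as the 401 the troubleshooting section describes, and then buckets the collected agents into the conditions SureCloud reports on (inactive, outdated, degraded, not in Protect mode). The `Authorization: ApiToken <token>` header is taken from SentinelOne's console API reference, the `lastActiveDate` field and the policy-name-to-mode mapping (as read from `GET /policy`) are assumptions, and the three sample pages are constructed.

```python
"""Cursor-paged collection of SentinelOne agent records plus a coverage check.

Added example (not SureCloud's or SentinelOne's own code). Assumed: the response
shape shown on this page (pagination.nextCursor and data[]), the `cursor` and
`limit` query parameters, an `Authorization: ApiToken <token>` header as given in
SentinelOne's console API reference, and the agent field `lastActiveDate`.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterable, Iterator, List, Optional

PAGE_LIMIT = 1000  # maximum the API permits per page


class TokenExpiredError(RuntimeError):
    """HTTP 401: the API token has expired or been revoked; regenerate it."""


def http_fetch(console_url: str, api_token: str) -> Callable[[str, dict], dict]:
    """Return a fetcher bound to a real console (the offline demo below uses sample_fetch)."""
    def fetch(path: str, params: dict) -> dict:
        url = f"{console_url.rstrip('/')}{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": f"ApiToken {api_token}"})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as exc:
            if exc.code == 401:
                raise TokenExpiredError("401 Unauthorized: regenerate the API token") from exc
            raise
    return fetch


def iter_pages(fetch: Callable[[str, dict], dict], path: str,
               params: Optional[dict] = None) -> Iterator[dict]:
    """Yield every record under `path`, following pagination.nextCursor until it is absent."""
    query = dict(params or {}, limit=PAGE_LIMIT)
    cursor = None
    while True:
        if cursor:
            query["cursor"] = cursor
        body = fetch(path, query)
        yield from body.get("data", [])
        cursor = body.get("pagination", {}).get("nextCursor")
        if not cursor:
            return


def version_tuple(version: str) -> tuple:
    """'23.4.2.12' -> (23, 4, 2, 12) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def assess_agents(agents: Iterable[dict], now: datetime, minimum_version: str,
                  policy_modes: Dict[str, str],
                  stale_after: timedelta = timedelta(days=7)) -> Dict[str, List[str]]:
    """Bucket agents by the conditions the page describes. `policy_modes` maps
    policyName -> mode ('protect'/'detect'), as read from GET /policy (assumption)."""
    findings: Dict[str, List[str]] = {"inactive": [], "outdated": [], "degraded": [], "not_protect": []}
    for agent in agents:
        name = agent["computerName"]
        last_active = datetime.fromisoformat(agent["lastActiveDate"].replace("Z", "+00:00"))
        if not agent.get("isActive") or now - last_active > stale_after:
            findings["inactive"].append(name)
        if version_tuple(agent["agentVersion"]) < version_tuple(minimum_version):
            findings["outdated"].append(name)
        if agent.get("networkStatus") != "connected":
            findings["degraded"].append(name)
        if policy_modes.get(agent.get("policyName"), "unknown") != "protect":
            findings["not_protect"].append(name)
    return findings


def _agent(id_, name, version, active, net, policy, last):
    return {"id": id_, "computerName": name, "agentVersion": version, "isActive": active,
            "networkStatus": net, "policyName": policy, "lastActiveDate": last}


# Constructed sample pages keyed by cursor (None = first request); not real console data.
SAMPLE_PAGES = {
    None: {"pagination": {"totalItems": 3, "nextCursor": "c1"},
           "data": [_agent("1", "DESKTOP-ABC01", "23.4.2.12", True, "connected", "Default Policy", "2024-06-01T09:00:00Z")]},
    "c1": {"pagination": {"totalItems": 3, "nextCursor": "c2"},
           "data": [_agent("2", "LAPTOP-XYZ02", "22.1.0.5", False, "disconnected", "Default Policy", "2024-04-20T12:00:00Z")]},
    "c2": {"pagination": {"totalItems": 3},  # no nextCursor: last page
           "data": [_agent("3", "SRV-DB03", "23.4.2.12", True, "connected", "Detect Only", "2024-06-01T08:30:00Z")]},
}


def sample_fetch(path: str, params: dict) -> dict:
    """Offline stand-in for http_fetch: serves SAMPLE_PAGES by cursor."""
    assert path == "/web/api/v2.1/agents" and params["limit"] == PAGE_LIMIT
    return SAMPLE_PAGES[params.get("cursor")]


def demo_coverage() -> Dict[str, List[str]]:
    """Page through the sample agents and return coverage findings."""
    now = datetime(2024, 6, 1, 10, 0, tzinfo=timezone.utc)
    agents = list(iter_pages(sample_fetch, "/web/api/v2.1/agents"))
    modes = {"Default Policy": "protect", "Detect Only": "detect"}  # constructed, as from GET /policy
    return assess_agents(agents, now, minimum_version="23.0.0.0", policy_modes=modes)


if __name__ == "__main__":
    print(json.dumps(demo_coverage(), indent=2))
```

Swapping `sample_fetch` for `http_fetch(console_url, api_token)` runs the same loop against a real console; keeping the transport injectable is also what lets the 401 path be exercised without a live token.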

## Required permissions

The **Viewer** role at Account scope is sufficient for all SureCloud data collection endpoints. Viewer provides read-only access to agents, threats, policies, groups, sites, users, and activity logs. It does not permit initiating scans, changing policies, or quarantining or remediating endpoints.

## Polling frequency

| Data type                                  | Collection interval |
| ------------------------------------------ | ------------------- |
| Agent inventory and health status          | 24 hours            |
| Threat detections and resolution status    | 1 hour              |
| Policy configuration and group assignments | 24 hours            |
| Console user inventory                     | 24 hours            |
| Activity log events                        | 6 hours             |

## Troubleshooting

<details>

<summary>Agent data is returning for only one site despite multi-site deployment</summary>

The service account's scope determines which sites are visible. If the account was created with **Site** scope rather than **Account** scope, only the assigned site's agents will be returned.

In **SentinelOne → Settings → Users → \[surecloud-ccm]**, check the **Scope** column. If it shows a specific site name rather than **Account**, the scope must be updated to Account level by an Account-scope administrator.

</details>

<details>

<summary>API token has expired and data collection has stopped</summary>

SentinelOne API tokens have a configurable expiry. Once expired, all API calls return a 401 Unauthorized response.

Log in as the `surecloud-ccm` service account and navigate to **User Menu → My User → API Token → Revoke and Regenerate**. Copy the new token and update it in **SureCloud → Integrations → SentinelOne → Edit Connection → API Token**.

</details>

<details>

<summary>Threats are appearing but mitigation status is missing</summary>

Threat mitigation status is returned in the main threats endpoint response under the `mitigationStatus` field array. If mitigation status is absent, the threat may have been detected before the SentinelOne agent version that introduced the field was deployed, or the agent operating mode may be set to **Detect** rather than **Protect**, which means automated mitigation is not performed.

Review the agent's policy operating mode in **SentinelOne → Sentinels → \[Agent] → Policy**.

</details>

<details>

<summary>Policy configuration shows "Detect" mode for agents that should be in "Protect" mode</summary>

Policy operating modes in SentinelOne are configured per group and inherited by agents assigned to that group. If agents show an unexpected mode, the group's policy may have been changed or the agent may have been moved to a group with a different policy.

In **SentinelOne → Sentinels → Groups → \[Group] → Policy**, verify the **Protection Mode** setting and confirm all critical endpoint groups are set to **Protect**.

</details>
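The two troubleshooting cases above (a missing `mitigationStatus` array, and agents in Detect mode that never attempt mitigation) are easier to reason about with a small triage pass over threat records. The following is an added example, not SureCloud's or SentinelOne's own code; the record shape (`threatInfo.classification`, `threatInfo.incidentStatus`, `threatInfo.analystVerdict`, `agentRealtimeInfo.agentId`, and `mitigationStatus` entries with `action` and `status`) is assumed from SentinelOne's console API reference, and the sample records and the set of Detect-mode agent ids are constructed.

```python
"""Triage of SentinelOne threat records by mitigation and resolution state.

Added example (not SureCloud's or SentinelOne's own code). Record shape is an
assumption from SentinelOne's console API reference; sample data is constructed.
"""
from typing import Dict, Iterable, List, Set

EFFECTIVE = {"success"}  # mitigation action statuses treated as effective (assumption)


def mitigation_reason(threat: dict, detect_mode_agents: Set[str]) -> str:
    """Explain why a threat has no effective mitigation, matching the causes the page lists."""
    if "mitigationStatus" not in threat:
        return "no mitigationStatus field: detected before the agent version that added it"
    if threat.get("agentRealtimeInfo", {}).get("agentId") in detect_mode_agents:
        return "agent policy in Detect mode: automated mitigation not performed"
    return "mitigation actions were attempted but none succeeded"


def triage_threats(threats: Iterable[dict], detect_mode_agents: Set[str]) -> Dict[str, List[dict]]:
    """Group threats as mitigated / unmitigated (with a reason) / open_incidents."""
    out: Dict[str, List[dict]] = {"mitigated": [], "unmitigated": [], "open_incidents": []}
    for t in threats:
        info = t.get("threatInfo", {})
        actions = t.get("mitigationStatus") or []  # absent on threats from older agents
        succeeded = sorted(a["action"] for a in actions if a.get("status") in EFFECTIVE)
        row = {"id": t["id"], "host": t.get("agentRealtimeInfo", {}).get("agentComputerName"),
               "classification": info.get("classification"), "verdict": info.get("analystVerdict"),
               "actions": succeeded}
        if succeeded:
            out["mitigated"].append(row)
        else:
            out["unmitigated"].append(dict(row, reason=mitigation_reason(t, detect_mode_agents)))
        if info.get("incidentStatus") != "resolved":
            out["open_incidents"].append(row)
    return out


def _threat(id_, agent_id, host, status, verdict, actions):
    """Build a constructed threat record; actions=None omits the mitigationStatus field."""
    t = {"id": id_, "agentRealtimeInfo": {"agentId": agent_id, "agentComputerName": host},
         "threatInfo": {"classification": "Malware", "incidentStatus": status, "analystVerdict": verdict}}
    if actions is not None:
        t["mitigationStatus"] = [{"action": a, "status": s} for a, s in actions]
    return t


# Constructed sample threats; not real console data.
SAMPLE_THREATS = [
    _threat("t1", "1", "DESKTOP-ABC01", "resolved", "true_positive", [("kill", "success"), ("quarantine", "success")]),
    _threat("t2", "3", "SRV-DB03", "unresolved", "undefined", []),          # Detect-mode agent: nothing attempted
    _threat("t3", "9", "OLD-HOST04", "in_progress", "undefined", None),     # legacy agent: field absent
    _threat("t4", "1", "DESKTOP-ABC01", "unresolved", "true_positive", [("kill", "failed")]),
]
DETECT_MODE_AGENTS = {"3"}  # constructed: agent ids whose group policy is in Detect mode


def demo_triage() -> Dict[str, List[dict]]:
    """Run the triage over the constructed sample."""
    return triage_threats(SAMPLE_THREATS, DETECT_MODE_AGENTS)


if __name__ == "__main__":
    for bucket, rows in demo_triage().items():
        print(bucket, [(r["id"], r.get("reason", "")) for r in rows])
```

The `DETECT_MODE_AGENTS` set stands in for the group policy lookup described in the last troubleshooting entry; in practice it is derived from `GET /web/api/v2.1/groups` and `GET /web/api/v2.1/policy` rather than hard-coded.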

<a href="https://your-management-console.sentinelone.net/api-doc/overview" class="button secondary">SentinelOne API reference (via your console)</a>
