SentinelOne EDR Connector

The SentinelOne connector creates a secure bridge between your SentinelOne environment and Qualys ETM to automatically consolidate endpoint security data for enhanced threat visibility. By centralizing asset and agent information from SentinelOne alongside vulnerability findings, security teams gain a unified view of their endpoint landscape with deduplicated and enriched risk intelligence.

The connector applies TruRisk scoring to findings and supports scheduled synchronization, enabling teams to quickly identify and prioritize endpoint vulnerabilities without manual data integration efforts. This automated approach reduces operational overhead while improving the accuracy and timeliness of endpoint risk assessments across the organization.

Connector Details

The following table provides a comprehensive overview of what the SentinelOne EDR connector supports.

Vendor: SentinelOne
Product Name: SentinelOne EDR
Category: Endpoint Security
Findings Support: Supported
Supported Assets: Host Assets (Compute)
Version: 1.0.0
Integration Type: API Integration (REST)
Direction: Unidirectional
Delta Support: Supported
Supported Version & Type: SaaS (Latest)
Import of Installed Software: Not Supported
Import of Source Tags: Not Supported
Filters/Filter Query: Yes

Configure the Connector

The configuration wizard consists of three steps. A valid connection test is required before you can proceed.

Before You Begin - Authentication

Have the following ready before starting the connector configuration:

  1. Ensure you have Admin-level access to your SentinelOne management console. Only Admin users are permitted to generate API tokens.
  2. Generate an API token from the SentinelOne console. Navigate to your user profile, select My User, then under API Token Operations click Generate API Token. Copy and save the token immediately, as it cannot be viewed again after the initial generation.
  3. Confirm network connectivity: Qualys cloud must be able to reach your SentinelOne instance over HTTPS (port 443). Verify that no firewall rules block this connection.

Permissions Required

The SentinelOne user account used to generate the API token must have Admin-level access. This is required both for generating the token and for granting sufficient read access to asset and vulnerability data through the SentinelOne API.

Scope and Data Access

The connector queries the following SentinelOne REST API endpoints to retrieve asset and vulnerability data:

  • /web/api/v2.1/accounts — Validates the domain and token (Auth API).
  • /web/api/v2.1/xdr/assets — Retrieves the endpoint asset list.
  • /web/api/v2.1/agents — Retrieves agent-related information.
  • /web/api/v2.1/application-management/risks — Retrieves vulnerability data.
  • /web/api/v2.1/application-management/risks/cves — Retrieves CVEs for associated vulnerabilities.

Optional filters can be configured in the connector profile to scope which data is imported. Import of installed software and source tags is not supported.

Key Rotation

API tokens in SentinelOne have expiration dates, and regenerating a token automatically revokes the previous one. Generate the new token and update the connector configuration in Qualys ETM before the current token expires to avoid ingestion interruptions.

Service User (Recommended for automation): For automated integrations, creating a Service User is recommended. In the SentinelOne management console, navigate to Settings > Users > Service Users. Click the Actions dropdown and select Create New Service User. Assign the Admin role and save. Service Users support automated token renewal and extension options, making them more suitable for long-running connector integrations than personal user tokens.

Generate an API Token in SentinelOne

Via User Profile

  1. Log in to the SentinelOne management console with Admin credentials.
  2. Click the account name drop-down in the top navigation and select My User.
  3. On the user detail pane, click the Actions button and navigate to API Token Operations.
  4. Select Generate API Token if this is the first time, or Regenerate API Token to replace an existing token.
  5. Copy and save the token immediately. It cannot be retrieved again after this step.

Important: The API token has an expiration date shown during generation and visible in your user profile. You must regenerate and update the token in Qualys ETM before it expires. The previous token is revoked immediately upon regeneration.

Create the Profile & Connectivity

This step establishes the connector's identity and authenticates it with your SentinelOne environment.

  1. Log in to Qualys ETM.
  2. Navigate to Connectors > Integration.
  3. Locate the SentinelOne EDR Connector on the Connector Marketplace and click Add. This is a one-time task.

    Note: If the connector is already added, navigate to My Connectors, search for the SentinelOne EDR connector, and click Manage Connections.

  4. From the connector tile, click Manage Connections.
  5. Click Create Connection. The Setup Guide opens with the Before You Begin checklist and four reference tabs: Overview, Auth Setup, Permissions, and Troubleshooting. Review these before continuing.
  6. Click Proceed to Setup.
  7. On the Profile & Connectivity page, complete the following fields:

    Connector Details

    Field | Description
    Name (required) | A unique display name for this connector connection.
    Description | An optional description of the connection's purpose.

    Authentication Details

    Provide the following values to authenticate the connector with your SentinelOne instance.

    Field | Type | Description
    Domain (required) | String | The URL of your SentinelOne instance without a protocol prefix or trailing path. Example: xxxx-xxxx.sentinelone.net. Do not include http:// or https://.
    API Key (required) | Encrypted String | The API token generated from your SentinelOne user profile or service user account.

  8. Click Test Connection. A modal will appear showing the status of five sequential checks:
    • Network Reachability — Verifies the SentinelOne domain is reachable from Qualys cloud.
    • TLS Handshake — Confirms a secure HTTPS connection can be established.
    • Authentication Credential Check — Validates the API token against the SentinelOne /accounts endpoint.
    • Authorization Scope Check — Confirms the token has sufficient permissions to access asset and vulnerability data.
    • Data Fetch — Verifies that endpoint data can be retrieved successfully.

    Important: All five checks must pass before you can proceed. If the Authentication Credential Check fails with an Unauthorized error, verify that the API token entered is current and has not expired or been revoked, and that it was generated by an Admin-level user. If the token has expired, regenerate it in SentinelOne under My User > API Token Operations and update the connector configuration.

  9. Click OK to dismiss the test result modal, then click Next.

Set the Scope & Schedule

This step defines what data is ingested and when the connector runs.

  1. Data to Sync — Select one of the following options:
    • Assets & Findings — Ingests both host asset records and associated CVE-based vulnerability findings (recommended).
    • Assets — Ingests host asset records only, without vulnerability findings.
  2. Advanced Settings — Click Advanced Settings to open a panel where you can configure filters, view the active transform map, and review or customize risk severity mappings. See Advanced Settings below.
  3. Schedule — Under the Schedule section, select an execution frequency from the Occurs dropdown (for example, Daily). The system will display the calculated start date, end date, and timezone for the scheduled run.

    Note: The schedule timezone is determined by your Qualys account settings. The connector will run from the configured start date for a default period of 5 years.

  4. Click Next to proceed to the final step.

 

Review all configured settings before creating the connection.

Advanced Settings

Enabling the Advanced toggle on the Scope & Schedule page or clicking the Advanced Settings link opens a panel with three tabs: Filters, Transform Map, and Risk Severity Mapping.

Filters Tab

The Filters tab provides a free-text Filter field where you can enter query expressions to scope which endpoint assets are imported. Leave this field empty to import all available asset data.

Note: Click Save after making changes in the Advanced Settings panel. Closing without saving discards any modifications.

Transform Map Tab

The Transform Map tab displays the active transformation map applied during connector execution. For the SentinelOne EDR connector, the default active map is:

  • SentinelOne Host Asset Transformation Map — Status: Active

This map is predefined by Qualys and applied automatically. No configuration is required — this tab is provided for reference. See Transformation Maps in the Additional Information section for the full field-level mapping details.

Risk Severity Mapping Tab

The Risk Severity Mapping tab controls how SentinelOne severity values are translated into Qualys Detection Score (QDS) scores for non-CVE findings.

Note: For CVE-based vulnerabilities that exist in the Qualys Cloud Threat Database, QDS scores are automatically updated by Qualys and are not affected by this mapping.

The default mapping is as follows:

SentinelOne Severity (Source Value) | Qualys Severity Level | QDS Score (Range 1–100)
1 | 1 | 20
2 | 2 | 40
3 | 3 | 60
4 | 4 | 80
5 | 5 | 100

A Default Severity can also be configured — this value is applied when the severity field is unavailable in the source data.

How the Connection Works

On each scheduled or on-demand run, the SentinelOne EDR connector queries multiple SentinelOne REST API endpoints to retrieve the following data and import it into ETM:

  • Assets (Host Asset Records) — Endpoint inventory including hostname, OS, agent version, CPU, memory, network interfaces, and serial number.
  • Vulnerability Findings (CVEs) — Application-level CVE data detected by the SentinelOne agent, including severity, status, CVE identifiers, and affected application details.

Connector States

After creation, a connector connection moves through the following states:

  • Registered — The connection is created and registered; data fetching has not yet begun.
  • Scheduled — The connection is queued for its next scheduled execution.
  • Processing — Assets and findings are actively being fetched from SentinelOne.
  • Processed — Assets have been imported; findings may continue processing in the background.

Note: Full data population on the first run may take up to 2 hours depending on the size of your SentinelOne environment. Subsequent delta syncs are typically faster.

Viewing Assets and Findings in ETM

After ingestion, SentinelOne endpoint assets and vulnerability findings are available in ETM.

  • Assets: Navigate to Enterprise TruRisk Management > Inventory > Assets > All Assets.
    Use the filter: inventory:(source:SentinelOne) to view assets imported from SentinelOne.
    Assets include endpoint metadata such as hostname, OS, agent version, IP address, and serial number.

Troubleshooting

The following table covers the most common issues encountered when configuring or running the SentinelOne EDR connector.

Issue | Resolution
Authentication failure on connector run | Verify the API token entered in Qualys ETM is current and has not expired or been revoked. Confirm the token was generated by an Admin-level user. If the token has expired, regenerate it in the SentinelOne console under My User > API Token Operations and update the connector configuration.
Connection test fails | Verify the Domain value is in the correct format (xxxx-xxxx.sentinelone.net) without a protocol prefix (http:// or https://) or trailing path. Confirm that Qualys cloud can reach the SentinelOne instance over HTTPS (port 443).
No assets imported after the first run | The connector transitions through Registered, Scheduled, Processing, and Processed states. Full data population on the first run may take up to 2 hours. Verify the service account or user has the Admin role in SentinelOne and that the token has not expired.
Test Connection fails at Authorization Scope Check | Ensure the API token belongs to an Admin-level user or service user in SentinelOne. Non-Admin tokens do not have sufficient read access to the required API endpoints.
Test Connection fails at Data Fetch | Confirm that the SentinelOne domain resolves correctly and that there are no IP allowlist restrictions blocking Qualys cloud IP ranges from accessing your SentinelOne instance.
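
The Domain value is the host that receives the Admin-level API token, so it is worth checking before it is pasted into the connector. The following is an added example, not Qualys or SentinelOne code, that checks a candidate value against the format rules above. The function names, the sentinelone.net suffix check (inferred from this page's example value) and the port check are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: tenants live under sentinelone.net, as in this page's example value.
EXPECTED_SUFFIX = ".sentinelone.net"
LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")

def check_domain(value):
    """Return (host, problems) for a candidate connector Domain value."""
    problems = []
    raw = value.strip()
    if raw != value:
        problems.append("surrounding whitespace")
    # urlsplit only recognises a host after '//', so add it when no scheme is given
    parts = urlsplit(raw if "://" in raw else "//" + raw)
    if parts.scheme:
        problems.append("protocol prefix present")
    if parts.path or parts.query or parts.fragment:
        problems.append("trailing path present")
    userinfo, _, hostport = parts.netloc.rpartition("@")
    if userinfo:
        problems.append("embedded credentials")
    host, _, port = hostport.partition(":")
    if port:
        problems.append("port suffix present")
    host = host.lower()
    if not host or not all(LABEL.fullmatch(label) for label in host.split(".")):
        problems.append("not a valid host name")
    elif not host.endswith(EXPECTED_SUFFIX):
        problems.append("host is outside " + EXPECTED_SUFFIX)
    return host, problems

def normalize(value):
    """Reduce a pasted console URL to the bare host the Domain field expects."""
    host, problems = check_domain(value)
    fatal = {"not a valid host name", "embedded credentials",
             "host is outside " + EXPECTED_SUFFIX}
    if fatal.intersection(problems):
        raise ValueError("; ".join(problems))  # never guess where the token should go
    return host
```
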

Additional Information

API Reference

The SentinelOne EDR connector uses the following REST API endpoints during each execution:

Name | Endpoint | Purpose
Auth API | /web/api/v2.1/accounts | Validates the domain and API token
Fetch Assets | /web/api/v2.1/xdr/assets | Retrieves the endpoint asset list
Fetch Agents | /web/api/v2.1/agents | Retrieves agent-related information
Fetch CVE Data | /web/api/v2.1/application-management/risks | Retrieves vulnerability data per application
Fetch CVEs | /web/api/v2.1/application-management/risks/cves | Retrieves CVE identifiers for associated vulnerabilities

Transformation Maps

The following tables document how SentinelOne source fields are mapped to Qualys ETM target fields during connector execution. These mappings are predefined and applied automatically via the SentinelOne Host Asset Transformation Map.

Asset Transformation Mapping

SentinelOne Host Asset Transformation Map

SentinelOne Field (Source) | Qualys ETM Field (Target)
id | externalAssetId
agentInfo.computerName | hostName
cpu | processorDescription
lastRebootDt | lastBoot
serialNumber | serialNumber
agentInfo.cpuCount | numberOfCpu
agentInfo.externalIp | ipAddress
agentInfo.modelName | model
agentInfo.networkInterfaces[].gatewayIp | gatewayAddress
agentInfo.networkInterfaces[].name | interfaceName
agentInfo.networkInterfaces[].physical | macAddress
agentInfo.osArch | operatingSystemArchitecture
agentInfo.osName | operatingSystemName
agentInfo.osRevision | operatingSystemVersion
agentInfo.totalMemory | biosInfoTotalMemory

Vulnerability Transformation Mapping

SentinelOne Vulnerability Transformation Map

SentinelOne Field (Source) | Qualys ETM Field (Target)
agentInfo.uuid | uuid
externalAssetId | externalAssetId
agentInfo.computerName | hostName
agentInfo.cpuId | processorDescription
agentInfo.serialNumber | serialNumber
agentInfo.cpuCount | numberOfCpu
agentInfo.externalIp | ipAddress
agentInfo.modelName | model
agentInfo.networkInterfaces[].gatewayIp | gatewayAddress
agentInfo.networkInterfaces[].name | interfaceName
agentInfo.networkInterfaces[].physical | macAddress
agentInfo.osArch | operatingSystemArchitecture
agentInfo.osName | operatingSystemName
agentInfo.osRevision | operatingSystemVersion
cveId | cveId
findingName | Finding Id
externalFindingId | externalFindingId
cveInfo[0].description | findingDescription
detectionDate | findingLastFoundOn
Severity: CRITICAL / HIGH / MEDIUM / LOW | findingSeverity: 4 / 3 / 2 / 1
cveInfo[0].nvdUrl | sourceFindingURL
applicationVersion | productVersion
Status: Detected / Removed | findingStatus: NEW / FIXED
applicationName | productName
applicationVendor | productVendor
agentInfo.totalMemory | biosInfoTotalMemory
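
To show how the path notation in the vulnerability map reads (`[]` fans out over every list element, `[0]` takes the first) and how the severity and status values are translated, here is an added example that applies a subset of the rows to one record. It is not Qualys code: the resolver, the lowercase source keys `severity` and `status`, and the sample record are assumptions made for illustration.

```python
# Added example: mapping rows come from the table above; resolver and sample are constructed.
FIELD_MAP = {
    "agentInfo.computerName": "hostName",
    "agentInfo.networkInterfaces[].physical": "macAddress",
    "cveId": "cveId",
    "cveInfo[0].description": "findingDescription",
    "applicationName": "productName",
}
# Source key spellings "severity" and "status" are assumed (table: "Severity", "Status").
VALUE_MAP = {
    "severity": ("findingSeverity", {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}),
    "status": ("findingStatus", {"Detected": "NEW", "Removed": "FIXED"}),
}

def resolve(node, parts):
    """Follow path segments; 'key[]' fans out over a list, 'key[0]' picks one item."""
    if not parts:
        return node
    key, bracket, index = parts[0].partition("[")
    value = node.get(key) if isinstance(node, dict) else None
    if not bracket:
        return None if value is None else resolve(value, parts[1:])
    if not isinstance(value, list):
        return None                            # missing or malformed list
    if index == "]":                           # 'key[]': one result per element
        hits = [resolve(item, parts[1:]) for item in value]
        return [hit for hit in hits if hit is not None]
    position = int(index[:-1])                 # 'key[0]': a single element
    return resolve(value[position], parts[1:]) if position < len(value) else None

def transform(record):
    """Return the target-side fields for one source record, omitting missing values."""
    out = {}
    for source, target in FIELD_MAP.items():
        value = resolve(record, source.split("."))
        if value not in (None, []):
            out[target] = value
    for source, (target, table) in VALUE_MAP.items():
        value = record.get(source)
        if isinstance(value, str) and value in table:  # unknown values stay unset
            out[target] = table[value]
    return out

SAMPLE = {  # constructed record, not real SentinelOne output
    "cveId": "CVE-0000-0000", "severity": "HIGH", "status": "Detected",
    "applicationName": "ExampleApp", "cveInfo": [{"description": "Constructed text"}],
    "agentInfo": {"computerName": "host-01", "networkInterfaces": [
        {"physical": "00:00:5E:00:53:01"}, {"physical": "00:00:5E:00:53:02"}]},
}
```

A record with an unrecognised severity or an empty `cveInfo` list yields no value for those targets instead of a guessed one, which is the case to look for when findings arrive in ETM without a severity.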