SentinelOne Connector

SentinelOne is an endpoint security platform that delivers prevention, detection, response, and hunting across user endpoints, containers, cloud workloads, and IoT devices. It uses autonomous AI agents to secure endpoints in real time.

What is the SentinelOne API Connector?

The SentinelOne API Connector creates a secure bridge between your SentinelOne environment and Qualys ETM. Once configured, it automatically transfers asset and agent data using scheduled API calls. Qualys ETM processes this data by:

  • Deduplicating redundant entries

  • Normalizing data formats

  • Enriching findings with additional context

  • Calculating risk scores using TruRisk

| Category | Supported Asset Type | Supported Finding Type |
|---|---|---|
| API Connector | Endpoint Asset | Asset |

Prerequisites

These are the required configurations to successfully create a SentinelOne connection with Qualys ETM.

User Roles and Permissions

You require the SentinelOne Domain and your personal API Key to create a connector.

Only Admin users in SentinelOne are permitted to generate API keys.

How to Get Domain and API Key

Domain

  • This is the URL of your SentinelOne instance.

  • Do not include http:// or https:// in the input.

  • Example: xxxx-xxxx.sentinelone.net

API Key

  1. Log into your SentinelOne dashboard.

  2. Click on your user profile icon and select My User.

  3. Under API Token Operations, click:

    • Generate API Key (if it’s the first time)

    • Or Regenerate API Key (if one already exists)


The API token has an expiration time. You must regenerate and update the token in Qualys before it expires. The token expiry time is shown during generation and in the user profile.

Create a New API Connector

Basic Details

  1. Provide the Connector's Name and Description.
  2. Select the type of Data Model you want to import - currently, we support Asset.
  3. Select the Data Model Type - currently we support Host Asset.
  4. Next, provide the API authentication details of the SentinelOne environment. You need to provide the following:

    1. Domain

    2. API Key

The steps to generate the above values are described in the Prerequisites section.

Data Model

The SentinelOne Connector offers an out-of-box data model mapping for you to map with Qualys ETM schema. You can view the schema to understand the attributes in the data model.

Transform Maps

Transform Maps ensure the data is transformed correctly during the import or export process.

The SentinelOne Connector offers an out-of-box transform map for you to proceed without further configuration. View the map to understand the data transformation or clone the map to edit its configurations.

Click Create New for a new Transform Map.

Perform the following steps to configure a Transform Model:

  1. Transform Map Name: Enter a unique name for the Transform Map. This name helps identify the specific transformation configuration within this connector.
  2. Source Data Model: Select the data model that serves as the input for the transformation. This is the model from which data will be extracted.
  3. Target Data Model: Choose the data model that receives the transformed data. This model defines how the data will be structured after the transformation.

     

Fields Mapping

The Fields Mapping section maps fields from the Source Data Model to the Target Data Model.

  1. Source Field: Specify the field in the Source Data Model containing the transformed data.
  2. Data Type: Indicate the data type of the Source Field (e.g., string, integer, date).
  3. Target Field: Designate the corresponding field where the transformed data will be placed in the Target Data Model.

Click Add to create and display the mapping for the Source Field, Data Type, and Target Field below the section. This visual helps ensure that all necessary fields are mapped correctly and allows easy verification and adjustments.

Profile

Create a profile for your connector. A profile determines the connector status, the execution schedule, and the transform map to use. The connector follows the configurations of this profile for all future executions.

Click the "+" to create a new profile.

In the Add Profile screen, provide the necessary inputs for your new profile.

Provide a Name and Description.

Select the required Transform Map for the data mapping.

The Filter field lets you add snippets of code to further determine what data should be parsed.

The Status field determines whether the connector should be in Active or Inactive state after creation. 

Lastly, the Schedule section lets you create either a Single Occurrence schedule or a Recurring schedule. Provide the exact date and time for the Single Occurrence execution, or the Start and End date/time for the Recurring schedule.

Select Identification Rules

The Identification Rules are a set of out-of-the-box precedence rules set by Qualys CSAM. The connector discovers findings based on the order set by the selected Identification Rules.

You can proceed to the next step without making any changes to this screen.

If you don't want to use a specific rule, turn off the toggle next to it. However, ensure that at least one rule is selected.

To learn more about the different rules and options present in this screen, refer to the CSAM Online Help.

Review and Confirm

Review the configurations provided in the previous steps. Ensure all details are correct and complete. Confirm the setup to finalize the configuration of the API connector.

This streamlined process allows for efficient data integration, ensuring accuracy and consistency across systems.

Saving and Running the Connector

Save and run the connector to process the data accordingly, transforming and importing it as per the configurations set.

How Does a Connection Work?

The SentinelOne connector functions through configured profiles that define which endpoint assets to synchronize. The connector operates on a scheduled basis (or on-demand), pulling asset and agent data from SentinelOne into Qualys ETM for consolidated visibility.

Once configured, your SentinelOne connector appears in the Processed state in the Connector screen.

Connector States

A successfully configured connector progresses through the following states:

  • Registered – Connector created and ready to fetch data

  • Scheduled – Connector is scheduled to run

  • Processing – Connector is actively pulling data

  • Processed – Connector has completed asset data import

It may take up to 2 hours to fully process and populate the asset data in Qualys ETM.

View Assets and Findings in ETM

Navigate to Enterprise TruRisk Management (ETM) to analyze imported endpoint data.

View Assets

  • Go to Assets > Endpoint Asset

  • Use the filter inventory: (source: SentinelOne) to view assets imported from SentinelOne

These assets include endpoint metadata such as hostname, OS, agent version, and installation status.

Additional Information

API Reference

| Name | Endpoint | Info |
|---|---|---|
| Auth API | /web/api/v2.1/accounts | Used to validate domain and token |
| Fetch Assets | /web/api/v2.1/xdr/assets | Retrieves endpoint asset list |
| Fetch Agents | /web/api/v2.1/agents | Retrieves agent-related information |
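A pre-flight check for the Domain and API Key before they are entered in the connector form, using the Auth API endpoint from the table above. This is an added example, not Qualys or SentinelOne code; the function names are hypothetical, and the "ApiToken" Authorization scheme is an assumption about the SentinelOne API that this page does not state.

```python
import re
import urllib.error
import urllib.request

AUTH_PATH = "/web/api/v2.1/accounts"  # "Auth API" row of the API Reference table
HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def normalize_domain(value):
    """Return the bare host the connector form expects, or raise ValueError."""
    host = value.strip().lower()
    if "://" in host:
        raise ValueError("remove the http:// or https:// prefix")
    host = host.rstrip("/")
    if not HOST_RE.match(host):  # also rejects paths, ports and spaces
        raise ValueError("expected a bare hostname such as xxxx-xxxx.sentinelone.net")
    return host

def build_auth_request(domain, token):
    """Build (not send) the validation request. The 'ApiToken' scheme is an
    assumption about SentinelOne's API; it does not come from this page."""
    req = urllib.request.Request("https://" + normalize_domain(domain) + AUTH_PATH)
    req.add_header("Authorization", "ApiToken " + token)
    req.add_header("Accept", "application/json")
    return req

def check_credentials(domain, token, opener=urllib.request.urlopen):
    """Return 'ok', 'rejected' (HTTP 401/403) or 'error:<code>'.
    The token is never printed or included in the returned string."""
    try:
        with opener(build_auth_request(domain, token), timeout=10) as resp:
            return "ok" if resp.status == 200 else "error:%d" % resp.status
    except urllib.error.HTTPError as exc:
        return "rejected" if exc.code in (401, 403) else "error:%d" % exc.code
```

A "rejected" result on a key that used to work usually means the token has expired and must be regenerated and updated in Qualys.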

Data Model Mapping

This section explains the attribute mappings of the values from SentinelOne and Qualys ETM.

SentinelOne Vulnerability Transformation Mapping

Here's the SentinelOne Transformation Map:

| SentinelOne Field (Source) | Transformation Field (Target) |
|---|---|
| id | externalAssetId |
| agentInfo.computerName | hostName |
| cpu | processorDescription |
| lastRebootDt | lastBoot |
| serialNumber | serialNumber |
| agentInfo.cpuCount | numberOfCpu |
| agentInfo.externalIp | ipAddress |
| agentInfo.modelName | model |
| agentInfo.networkInterfaces[].gatewayIp | gatewayAddress |
| agentInfo.networkInterfaces[].name | interfaceName |
| agentInfo.networkInterfaces[].physical | macAddress |
| agentInfo.osArch | operatingSystemArchitecture |
| agentInfo.osName | operatingSystemName |
| agentInfo.osRevision | operatingSystemVersion |
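To see what the map above does to one record, the following added example (not Qualys code) applies the same source-to-target pairs to a constructed sample and lists the source fields the record lacks, which end up as blank attributes on the imported asset. Treating a `[]` segment as "one value per list element" is an assumption about how array paths are expanded; the function names are hypothetical.

```python
# Source -> target pairs copied from the transform map on this page.
TRANSFORM_MAP = [
    ("id", "externalAssetId"), ("agentInfo.computerName", "hostName"),
    ("cpu", "processorDescription"), ("lastRebootDt", "lastBoot"),
    ("serialNumber", "serialNumber"), ("agentInfo.cpuCount", "numberOfCpu"),
    ("agentInfo.externalIp", "ipAddress"), ("agentInfo.modelName", "model"),
    ("agentInfo.networkInterfaces[].gatewayIp", "gatewayAddress"),
    ("agentInfo.networkInterfaces[].name", "interfaceName"),
    ("agentInfo.networkInterfaces[].physical", "macAddress"),
    ("agentInfo.osArch", "operatingSystemArchitecture"),
    ("agentInfo.osName", "operatingSystemName"),
    ("agentInfo.osRevision", "operatingSystemVersion"),
]

def resolve(node, path):
    """Walk a dotted path; '[]' fans out over a list (assumed). None = absent."""
    if not path:
        return node
    head, rest = path[0], path[1:]
    if head.endswith("[]"):
        items = node.get(head[:-2]) if isinstance(node, dict) else None
        if not isinstance(items, list):
            return None
        return [resolve(item, rest) for item in items]
    if not isinstance(node, dict) or head not in node:
        return None
    return resolve(node[head], rest)

def transform(record):
    """Return (target_record, source_fields_missing_from_the_input)."""
    out, missing = {}, []
    for src, dst in TRANSFORM_MAP:
        value = resolve(record, src.split("."))
        if value is None:
            missing.append(src)
        else:
            out[dst] = value
    return out, missing

# Constructed sample record, not real SentinelOne output.
SAMPLE = {"id": "asset-0001", "cpu": "Example CPU", "agentInfo": {
    "computerName": "ws-example-01", "cpuCount": 8, "osName": "ExampleOS",
    "networkInterfaces": [
        {"name": "eth0", "physical": "00:00:5e:00:53:01", "gatewayIp": "192.0.2.1"},
        {"name": "wlan0", "physical": "00:00:5e:00:53:02"},
    ]}}
```

Calling `transform(SAMPLE)` returns the mapped record together with the list of absent source fields; an interface without a gateway keeps its position in `gatewayAddress` as `None`, so the per-interface lists stay aligned.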