• Last Updated
    Sep 17, 2024
  • Version
    1.1.0
  • Compatibility
    ThreatQ versions >= 5.12.1
  • SentinelOne CDF

    ThreatQuotient

    www.sentinelone.com/

    Overview

    SentinelOne is a cloud EDR product. Agents are deployed to computers/endpoints, monitoring and reporting back any malicious activity to the SentinelOne dashboard. The ThreatQ integration for SentinelOne allows the ingestion of various reports and detections from SentinelOne.

    The integration provides the following feeds:

    • SentinelOne Threats - ingests any threats/incidents from SentinelOne.
    • SentinelOne Threat Notes (supplemental) - fetches notes associated with a given threat/incident.
    • SentinelOne Applications - ingests reports on vulnerable applications.
    • SentinelOne Vulnerabilities (supplemental) - fetches the CVEs associated with a given application.

    The integration ingests the following system objects:

    • Attack Patterns
      • Attack Pattern Attributes
    • Incidents
      • Incident Attributes
    • Indicators
      • Indicator Attributes
    • Reports
      • Report Attributes

    Copyright © 2025, ThreatQuotient, Inc. All Rights Reserved.