---
title: SentinelOne
---
<!-- licenses: community, platform -->

runZero integrates with ((SentinelOne)) by importing data from the [SentinelOne API](https://www.sentinelone.com/faq/). This integration allows you to sync and enrich your asset inventory, import software installed on assets, and import vulnerabilities affecting the installed software. Adding your SentinelOne data to runZero makes it easier to find things like endpoints that are missing required software or identify vulnerable endpoints.

<div class="alert alert-info">
<svg class="alert-icon" xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg>
<div class="alert-body">
Any IP address reported by SentinelOne will be treated as a secondary address, not a primary address, since these IPs can be stale and may not be associated with a specific network or site.
</div>
</div>

## Getting started {#sentinelone-getting-started}

To set up the SentinelOne integration, you'll need to:

1. Configure SentinelOne to allow API access to runZero.
2. Add the SentinelOne API key and SentinelOne base API URL in runZero.
3. Choose whether to configure the integration as [a scan probe or connector task](integrations-inbound.md#integration-probe-connector).
4. Activate the SentinelOne integration to sync your data with runZero. 

## Requirements {#sentinelone-requirements}

Before you can set up the SentinelOne integration:

* Make sure you have access to the SentinelOne admin portal. 

## Step 1: Configure SentinelOne to allow API access to runZero

1. Sign in to SentinelOne with the account being used for the runZero integration. 
2. Go to **User > My User**. 
3. **Generate** the API token, then download or copy it. This API key expires and will need to be regenerated every six months.

## Step 2: Add the SentinelOne credential to runZero

1. Go to the [Credentials page](https://console.runzero.com/credentials/new) in runZero. Provide a name for the credentials, like `SentinelOne`.
2. Choose **SentinelOne API key** from the list of credential types.
3. Provide the following information:
    * **SentinelOne API URL** - Your organization-specific base URL, which will depend on your account type. It will be something like `organization.sentinelone.net`. 
    * **SentinelOne API key** - To generate your API key, go to **User > My User** in your SentinelOne portal. From there, a key can be generated, regenerated, or revoked.
4. If you want other organizations to be able to use this credential, select the _Make this a global credential_ option. Otherwise, you can configure access on a per-organization basis. 
5. Save the credential. 

You're now ready to set up and activate the connection to bring in data from SentinelOne. 

## Step 3: Choose how to configure the SentinelOne integration
The SentinelOne integration can be configured as either a [scan probe or a connector task](integrations-inbound.md#integration-probe-connector). Scan probes gather data from integrations during scan tasks. Connector tasks run independently from either the cloud or one of your Explorers, only performing the integration sync.

## Step 4: Set up and activate the SentinelOne integration to sync data
After you add your SentinelOne credential, you'll need to set up a connector task or scan probe to sync your data.

### Step 4a: Configure the SentinelOne integration as a connector task
A connection requires you to specify a schedule and choose a site. The schedule determines when the sync occurs, and the site determines where any new SentinelOne-only assets are created.

1. Activate a [connection to SentinelOne](https://console.runzero.com/ingest/sentinelone). You can access all available third-party connections from the [integrations page](https://console.runzero.com/integrations), your [inventory](https://console.runzero.com/inventory), or the [tasks page](https://console.runzero.com/tasks).
2. Choose the credentials you added earlier. If you don't see the credentials listed, make sure the credentials have access to the organization you are currently in.
3. Enter a name for the task, like `SentinelOne sync`.
4. Schedule the sync. A sync can be set to run on a recurring schedule or run once. The schedule will start on the date and time you have set.
5. Under **Task configuration**, choose the site you want to add your assets to.
6. If you do not want to import software, switch the **Import Software** toggle to _No_.
7. If you do not want to import vulnerabilities, switch the **Import Vulnerabilities** toggle to _No_.
8. If the **Import Vulnerabilities** toggle is set to _Yes_, you can set the desired vulnerability severities to import using the **Severities** checkboxes.
9. If you want to exclude assets that have not been scanned by runZero from your integration import, switch the **Exclude unknown assets** toggle to _Yes_. By default, the integration will include assets that have not been scanned by runZero.
10. Activate the connection when you are done. The sync will run on the defined schedule. You can always check the [Scheduled tasks](https://console.runzero.com/tasks) to see when the next sync will occur.

### Step 4b: Configure the SentinelOne integration as a scan probe
1. Create a new scan task or select a future or recurring scan task from your [Tasks page](https://console.runzero.com/tasks).
2. Add or update the scan parameters based on any additional requirements.
3. On the Probes and SNMP tab, choose which additional probes to include, set the SentinelOne toggle to _Yes_, and change any of the default options if needed.
4. On the Credentials tab, set the SentinelOne toggle for the credential you wish to use to _Yes_.
5. Click **Initialize scan** to save the scan task and have it run immediately or at the scheduled time.

## Step 5: View SentinelOne assets and software

After a successful sync, you can [go to your inventory](https://console.runzero.com/inventory) to view your SentinelOne assets. These assets will have a SentinelOne icon listed in the **Source** column.

The SentinelOne integration gathers details about installed software in addition to enriching asset inventory data. Go to Inventory > [Software](https://console.runzero.com/inventory/software) to view the software data provided by SentinelOne.

To filter by SentinelOne assets, consider running the following queries:

* [View all SentinelOne assets](https://console.runzero.com/inventory?search=source%3Asentinelone): 
    ```
    source:SentinelOne
    ```
* [Find assets that have a SentinelOne agent installed](https://console.runzero.com/inventory?search=edr.name%3Asentinelone):
    ```
    edr.name:SentinelOne  
    ```
* [Find Windows assets, excluding servers, that are missing a SentinelOne agent](https://console.runzero.com/inventory?search=os%3Awindows%20and%20not%20type%3Aserver%20and%20not%20edr.name%3Asentinelone): 
    ```
    os:windows and not type:server and not edr.name:SentinelOne
    ```

Click into each asset to see its individual attributes. runZero will show you the attributes returned by the SentinelOne API, with the exception of policies.

## Troubleshooting {#sentinelone-troubleshooting}
If you are having trouble using this integration, the questions and answers below may assist in your troubleshooting.

### Why is the SentinelOne integration unable to connect?
1. Are you getting any data from the SentinelOne integration?
    * Make sure to query the inventory rather than look at the task details to review all the data available from this integration.
    * In some cases, integrations have a configuration set that limits the amount of data that comes into the runZero console.
2. Some integrations require very specific actions that are easy to overlook. If a step is missed when setting up the integration, it may not work correctly. Please review this documentation and follow the steps exactly.
3. If the SentinelOne integration is unable to connect, be sure to check the task log for errors. Some common errors include:
    * 500 - server error, unable to connect to the endpoint
    * 404 - hitting an unknown endpoint on the server
    * 403 - not authorized, likely a credential issue
4. Verify you are running the integration task from an Explorer with access to the SentinelOne host if it is on-premises.
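
The checks above can be exercised outside runZero with a small pre-flight script. This is an added example, not runZero or SentinelOne code: it reduces a pasted console address to the bare-host form shown in Step 2, sends one authenticated request, and maps the HTTP status to the hints listed above. The `S1_API_TOKEN` variable, the function names, the `/web/api/v2.1/agents` path, and the `ApiToken` header scheme are assumptions about your environment and SentinelOne API version.

```shell
#!/bin/sh
# Added example, not runZero or SentinelOne code. Assumed names: S1_API_TOKEN,
# the function names, the /web/api/v2.1/agents path, the "ApiToken" header scheme.

# Reduce a pasted console address to the bare-host form shown in Step 2,
# e.g. " HTTPS://Organization.sentinelone.net/login" -> "organization.sentinelone.net".
normalize_base_url() {
  printf '%s' "$1" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]' |
    sed -e 's#^[a-z][a-z0-9+.-]*://##' -e 's#[/?].*$##'
}

# Map an HTTP status to the troubleshooting hints on this page.
explain_status() {
  case "$1" in
    200) echo "ok: base URL and API key accepted" ;;
    # 401 is grouped with the page's 403 as a credential problem (assumption).
    401|403) echo "credential: key rejected; regenerate it under User > My User (keys expire every six months)" ;;
    404) echo "endpoint: unknown path; re-check the SentinelOne API URL in the credential" ;;
    500) echo "server: SentinelOne returned a server error; retry and check the task log" ;;
    # curl reports 000 when no HTTP response was received at all.
    000) echo "network: no HTTP response; check DNS, proxy, and that this host can reach the console" ;;
    *) echo "unexpected: HTTP $1; check the task log" ;;
  esac
}

# Send one minimal authenticated request and explain the result.
check_sentinelone() {
  host=$(normalize_base_url "$1")
  : "${S1_API_TOKEN:?export S1_API_TOKEN first}"
  # The header is passed to curl on stdin (--config -) so the key never
  # appears in the process list or in shell history.
  code=$(printf 'header = "Authorization: ApiToken %s"\n' "$S1_API_TOKEN" |
    curl --config - -sS -o /dev/null -w '%{http_code}' --max-time 15 \
      "https://${host}/web/api/v2.1/agents?limit=1") || code=000
  explain_status "$code"
}

# Usage: S1_API_TOKEN=... sh check.sh organization.sentinelone.net
if [ "$#" -ge 1 ]; then check_sentinelone "$1"; fi
```

Run it from the Explorer that will perform the sync when the SentinelOne host is on-premises, so the result reflects the same network path the integration task uses.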
