Elisity integrates with SentinelOne’s agent-based Endpoint Detection and Response (EDR) solution as a method to enrich device discovery and identity. Once connected via API, Elisity pulls data from SentinelOne into IdentityGraph for use as Core Effective Attributes when creating policies, enhancing the precision and accuracy of device classification and Policy Group matching.
Prerequisites
- SentinelOne API URL
- SentinelOne API Token
Steps to Connect SentinelOne
Step 1. Create a SentinelOne API Token by following the directions below or by reading the SentinelOne documentation here.
- Log in to the SentinelOne dashboard.
- At the top right of the Console, click your username and select My User.
- Select Actions > Allow API Token Generation if not already allowed. This requires reauthentication.
- Select API Token Operations > Generate API Token.
- In the API Token window, click Copy API Token and then Close. Save the API token string in a secured file. The Actions available under your username now include Revoke API Token and Regenerate API Token.
Step 2. Log in to Elisity Cloud Control Center, navigate to Settings > Connectors, and select the + Add Connector button.
Step 3. A list of tiles will slide out from the right side of the screen. Click Configure on the SentinelOne connector.
Step 4. Input the API URL (specific to your instance) and the API Token that you generated in the first step and select Submit.
Step 5 (optional). Configure Advanced Settings for the SentinelOne connector.
Advanced Settings
The Advanced Settings tab exposes connector-level tuning options that control how Cloud Control Center queries the connector, how learned data is retained, and how the connector's data is used by IdentityGraph and Insights.
The following table provides details about each advanced setting.
| Setting | Description |
|---|---|
| Initial Delay | The delay in seconds before Cloud Control Center initiates the first query to the connector after initially discovering a new device. Default is 0 seconds. |
| Connector Data Purging | When enabled, Cloud Control Center purges all data learned about a device from this connector if the device is no longer found when querying the connected application. The time period between purge events is configurable from 1 to 90 days. The connector status will change from "Up to Date" to "Stale" if the device is no longer known by the connector but prior to the purge event. |
| Query Exclusion Rules | Limit the scope of Cloud Control Center queries by excluding specific Subnets or Virtual Edge Nodes, and by enabling or disabling the querying of devices with Random MAC addresses. |
| Enrichment Lookback Window | Defines how far back IdentityGraph looks for device activity when determining a device's eligibility for enrichment from this connector. Devices whose last seen timestamp falls within the configured window are eligible for enrichment; devices outside the window are not. Increasing this value may improve enrichment coverage for environments with infrequently connected devices (servers, OT systems, remote assets) but can increase processing load. Available values: 1 hour, 1 day, 3 days (default), 7 days, 30 days, 90 days. |
| Trusted Connector | Controls whether Insights uses data from this connector when generating recommended Policy Groups. When enabled, device attributes from this connector are eligible to inform Insights' Policy Group recommendations. When disabled, Insights ignores this connector as a source for recommendations. Note: This setting only affects Insights recommendations; it does not change device verification status, trust attributes, or how the connector's data is used elsewhere in the platform. |
Step 6. If all of the required connector values are correct, all checks will pass and the connector will be created.
After successful configuration, you should begin to see devices enriched by SentinelOne in IdentityGraph. Any devices learned by Elisity before the connector was configured are automatically scheduled for enrichment during the next 24-hour cycle, based on their attachment timestamp. Alternatively, you can force a refresh by selecting the Refresh button next to the SentinelOne name under the Trust Attributes section of IdentityGraph.
Connector Status
The Connector status reflects its health and availability based on recent query performance. To ensure accuracy and reduce false positives, the status is determined using a rolling 15-minute evaluation window.
Connector Status Levels:
- Active: Normal operation with minimal query failures.
- Degraded: Increased query failures detected, but the connector is still operational.
- Inactive: The connector is unresponsive due to persistent failures.
Failures are defined as unsuccessful query responses, and the platform continuously monitors performance to update the status accordingly. These status changes are visible in the UI, event logs, and notifications pane for better troubleshooting. Email alerts can also be configured for connector status changes.
If the connector has not been queried within the evaluation window, the last known status is retained. This approach ensures reliable status reporting and helps identify potential issues before they impact operations.
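The following sketch is an added example, not Elisity's implementation. It models the behaviour described above: query results age out of a rolling 15-minute window, and the last known status is kept when the window holds no queries. The failure-ratio thresholds, the `ConnectorStatus` class, and the sample events are assumptions made for illustration; the article does not publish the actual thresholds.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # rolling evaluation window stated in the article
DEGRADED_AT = 0.25              # assumed failure ratio, not a documented value
INACTIVE_AT = 0.90              # assumed failure ratio, not a documented value


class ConnectorStatus:
    def __init__(self):
        self.results = deque()  # (timestamp, succeeded) for each query
        self.status = "Active"

    def record(self, when, succeeded):
        self.results.append((when, succeeded))

    def evaluate(self, now):
        # Age out query results that have left the rolling window.
        while self.results and now - self.results[0][0] > WINDOW:
            self.results.popleft()
        if not self.results:
            return self.status  # no queries in the window: keep last known status
        failures = sum(1 for _, ok in self.results if not ok)
        ratio = failures / len(self.results)
        if ratio >= INACTIVE_AT:
            self.status = "Inactive"
        elif ratio >= DEGRADED_AT:
            self.status = "Degraded"
        else:
            self.status = "Active"
        return self.status


def replay(events, checkpoints):
    """Feed (minute, succeeded) events in order; return the status at each checkpoint."""
    start, conn, pending, seen = datetime(2024, 1, 1), ConnectorStatus(), sorted(events), []
    for minute in checkpoints:
        while pending and pending[0][0] <= minute:
            m, ok = pending.pop(0)
            conn.record(start + timedelta(minutes=m), ok)
        seen.append(conn.evaluate(start + timedelta(minutes=minute)))
    return seen


# Constructed sample: one isolated failure, a burst of failures, a quiet period, recovery.
SAMPLE = [(0, True), (1, True), (2, True), (3, False), (4, True), (10, False),
          (11, False), (12, False), (13, False), (58, True), (59, True)]

if __name__ == "__main__":
    print(replay(SAMPLE, [5, 14, 20, 29, 60]))
```

With these assumed thresholds, the isolated failure at minute 3 leaves the connector Active, and the Inactive status reached at minute 20 is still reported at minute 29 because no queries fall inside the window at that point.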
Leveraging SentinelOne with Elisity
When Elisity discovers a new asset on the network and the SentinelOne connector is active, Cloud Control Center queries the SentinelOne platform via API for additional device attributes in order to enrich IdentityGraph. This enriched data is displayed in the IdentityGraph tab of the device.
To learn more about how to leverage IdentityGraph Core Effective Attributes, review the IdentityGraph article.
If a device discovered by Elisity is also known in SentinelOne, the Trust Attribute flag for Known in SentinelOne will be set to Yes.
You can then leverage this trust attribute as a match criterion in a Policy Group definition.
To learn more on how to leverage IdentityGraph Trust Attributes, review Leveraging Trust Attributes for Policy Group Definition.