SA-SentinelOneDevices for ES

Splunk Enterprise Security add-on that ingests SentinelOne endpoint device data into the ES asset framework.

Tags: Splunk, Enterprise Security, SentinelOne, Endpoint

Overview

SA-SentinelOneDevices for Enterprise Security integrates SentinelOne's endpoint protection platform with Splunk ES's asset management framework. Organizations running SentinelOne have a comprehensive inventory of every protected endpoint — including agent version, policy group, threat status, and network configuration. This add-on makes that inventory available inside ES so it enriches correlation searches and analyst investigations.

Endpoint detection and response platforms like SentinelOne are often the first to surface threats on a host. When those threats generate events in Splunk, having accurate asset metadata from SentinelOne — already correlated at ingest time — dramatically speeds up triage.

How It Works

The add-on authenticates to the SentinelOne management API and retrieves endpoint records. Hostname, IP addresses, MAC addresses, OS details, agent version, and site/group membership are all extracted and mapped to ES's asset schema. The integration handles pagination for large deployments and runs incrementally to minimize API load. Full documentation is available at the project site.