Skip to content

SentinelOne

Cloudflare Zero Trust can integrate with SentinelOne to require that users connect to certain applications from managed devices. Our service-to-service posture check identifies devices based on their serial numbers.

Prerequisites

  • SentinelOne agent is deployed on the device.
  • Cloudflare WARP client is deployed on the device. For a list of supported modes and operating systems, refer to Service providers.

Set up SentinelOne as a service provider

1. Obtain SentinelOne settings

The following SentinelOne values are needed to set up the SentinelOne posture check:

  • API Token
  • REST API URL

To retrieve those values:

  1. Log in to your SentinelOne Dashboard.
  2. Go to Settings > Users > Create new Service User.
  3. Select Create New Service User.
  4. Enter a Name and Expiration Date and select Next.
  5. Set Scope of Access to Viewer.
  6. Select Create User. SentinelOne will generate an API Token for this user.
  7. Copy the API Token to a safe location.
  8. Select Close.
  9. Copy the Rest API URL from your browser’s address bar (for example, https://<S1-DOMAIN>.sentinelone.net).

2. Add SentinelOne as a service provider

  1. In Zero Trust, go to Settings > WARP Client.
  2. Scroll down to Device posture providers and select Add new.
  3. Select SentinelOne.
  4. Enter any name for the provider. This name will be used throughout the dashboard to reference this connection.
  5. In Client Secret, enter your API Token.
  6. In Rest API URL, enter https://<S1-DOMAIN>.sentinelone.net.
  7. Choose a Polling frequency for how often Cloudflare Zero Trust should query SentinelOne for information.
  8. Select Save.

You will see the new provider listed under Settings > WARP Client > Device posture providers. To ensure the values have been entered correctly, select Test.

3. Configure the posture check

  1. In Zero Trust, go to Settings > WARP Client > Service provider checks.
  2. Select Add new.
  3. Select the SentinelOne provider.
  4. Configure a device posture check and enter any name.
  5. Select Save.

Next, go to Logs > Posture and verify that the service provider posture check is returning the expected results.

Device posture attributes

Device posture data is gathered from the SentinelOne Management APIs. For more information, refer to https://<S1-DOMAIN>.sentinelone.net/api-doc/overview.

SelectorDescription
InfectedWhether the device is infected
Active ThreatsNumber of active threats on the device
Is ActiveWhether the SentinelOne Agent is active
Network statusWhether the SentinelOne Agent is connected to the SentinelOne service

Detect user risk behavior

SentinelOne provides endpoint detection and response (EDR) signals to determine user risk score. User risk scores allow you to detect users that present security risks to your organization. For more information, refer to Predefined risk behaviors.