SentinelOne is an endpoint security tool that installs an agent across all protected endpoints to track malicious activity and ensure endpoints are properly secured.
The SentinelOne adapter in the Risk Engine retrieves the detection events that SentinelOne captures and evaluates against its indicators of compromise. SentinelOne's evaluation process follows these steps:
Threat detection: SentinelOne detects a possible threat on a protected endpoint.
AI confidence level: SentinelOne's AI assigns a confidence level to the threat: suspicious, malicious, or N/A (not an attack).
Analyst verdict: A verdict is generated based on two criteria: SentinelOne's AI confidence level and the analysis of the security analyst assigned to the event. Possible verdicts are undefined, suspicious, true positive, or false positive.
The risk mapping configuration in ZTP tells the Risk Engine how to convert SentinelOne's evaluation into an AppGate risk level (low, medium, or high), based on both the confidence level and the verdict of an event.
NOTE
To configure the SentinelOne adapter in the Risk Engine, you need a Client Secret (API Token in the SentinelOne environment) and a Management URL. Retrieve both values from your SentinelOne environment.
When retrieving the API Token, you must set an expiration date in the SentinelOne environment. Renew the token and update the value in ZTP before it expires to maintain uninterrupted communication between the Risk Engine and SentinelOne.
Risk mapping for the SentinelOne adapter
SentinelOne performs threat analysis with input from a security analyst for any potential threat flagged by an indicator of compromise. For example, if a security analyst determines that a threat marked as suspicious by the AI also warrants a suspicious verdict, a ZTP administrator can configure that combination of confidence level and verdict to return a high risk level in the Risk Engine.
You can edit the risk mapping in the Risk Engine using any combination of confidence level and analyst verdict. Editing one field may affect others to prevent overlapping ranges. The default setting provides a suggested risk mapping as a starting point.
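The following added example (not Appgate's or SentinelOne's own code) shows how a confidence level and an analyst verdict combine into a single risk level, what happens when a detection carries a value the mapping does not know, and how to check that every combination is covered. The mapping values are constructed for illustration, since the page does not list ZTP's defaults, and the event field names `threatInfo.confidenceLevel` and `threatInfo.analystVerdict` are assumed.

```python
from datetime import datetime, timedelta, timezone

CONFIDENCE_LEVELS = ("malicious", "suspicious", "n/a")
VERDICTS = ("undefined", "suspicious", "true_positive", "false_positive")
RISK_LEVELS = ("low", "medium", "high")

# Illustrative mapping (constructed): the page does not list ZTP's default values.
RISK_MAPPING = {
    "malicious":  {"true_positive": "high", "suspicious": "high", "undefined": "high", "false_positive": "low"},
    "suspicious": {"true_positive": "high", "suspicious": "high", "undefined": "medium", "false_positive": "low"},
    "n/a":        {"true_positive": "medium", "suspicious": "low", "undefined": "low", "false_positive": "low"},
}

def validate_mapping(mapping):
    """List the (confidence, verdict) combinations that are missing or map to an
    unknown level; an empty list means every combination is covered."""
    return [(c, v) for c in CONFIDENCE_LEVELS for v in VERDICTS
            if mapping.get(c, {}).get(v) not in RISK_LEVELS]

def risk_level(event, mapping=RISK_MAPPING, unknown="medium"):
    """Map one threat event to an Appgate risk level. The field names
    (threatInfo.confidenceLevel / analystVerdict) are assumed, and a value the
    mapping does not know falls back to `unknown` instead of silently to low."""
    info = event.get("threatInfo", {})
    confidence = str(info.get("confidenceLevel", "")).lower()
    verdict = str(info.get("analystVerdict", "")).lower()
    return mapping.get(confidence, {}).get(verdict, unknown)

def highest_risk(events, mapping=RISK_MAPPING):
    """Worst-case level across a device's open detections."""
    rank = {"low": 0, "medium": 1, "high": 2}
    return max((risk_level(e, mapping) for e in events), key=rank.__getitem__, default="low")

def token_needs_renewal(expires_at, now=None, lead_time=timedelta(days=7)):
    """True when the API token expires within `lead_time`, so the client secret
    in ZTP can be rotated before communication with SentinelOne stops."""
    now = now or datetime.now(timezone.utc)
    return expires_at - now <= lead_time

# Constructed sample detections, not real SentinelOne output.
SAMPLE_EVENTS = [
    {"id": "t1", "threatInfo": {"confidenceLevel": "malicious", "analystVerdict": "true_positive"}},
    {"id": "t2", "threatInfo": {"confidenceLevel": "suspicious", "analystVerdict": "suspicious"}},
    {"id": "t3", "threatInfo": {"confidenceLevel": "malicious", "analystVerdict": "false_positive"}},
    {"id": "t4", "threatInfo": {"confidenceLevel": "n/a", "analystVerdict": "undefined"}},
    {"id": "t5", "threatInfo": {"confidenceLevel": "something_new"}},  # not in the mapping
]
```

Note that an analyst's false-positive verdict drives the level to low even when the AI called the file malicious, which is why the mapping has to consider both fields rather than the confidence level alone.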
NOTE
All end-user devices must run version 6.3.1 or later of the AppGate ZTNA client to use the SentinelOne adapter.
