SentinelOne Context Integration with Netography Fusion Accelerates Investigation, Incident Response, and Policy Enforcement
By Patrick Bedwell, Head of Product Marketing
Our Netography Fusion® platform now enables customers to use data collected by their SentinelOne agents to accelerate investigation, incident response, and policy enforcement within the Fusion platform.
Netography Fusion is a 100% cloud-native network defense platform that delivers a single-pane view and monitoring of all your cloud and on-premises activity and traffic.
The integration with SentinelOne gives Fusion customers the ability to ingest critical context from the SentinelOne agents running on their endpoints and in their cloud workloads. By retrieving context labels from your Singularity XDR and Singularity Ranger deployments via the Fusion API, you can add critical context that extends the visibility, monitoring, and response that Fusion already provides.
Three specific examples of the value of SentinelOne data integrated with Fusion:
1. Investigation Acceleration
When your security operations center (SOC) or network operations center (NOC) analysts see an alert in Fusion identifying anomalous activity, they often want to see information about the device owner as part of their initial inquiry.
With SentinelOne context, they can use Netography Query Language (NQL) to expedite their investigation process. They can create an NQL query to add essential data about the device from your SentinelOne agents, including:
- Owner of the device
- Last user
Ingesting the context from SentinelOne directly into the Fusion console eliminates any delay in the investigation caused by accessing a separate IP address management (IPAM) system like SolarWinds or IAM system such as Okta to determine owner and user information.
2. Incident Response Acceleration
After conducting an initial investigation into anomalous activity, an analyst may determine that they need to initiate their incident response playbook on a specific device and will need to locate the device on the network.
The SentinelOne integration saves time by providing additional data on the device, including:
- Active Directory domain
- MAC address
- Security group
- The VPC the IP resides in (for cloud workloads)
Ingesting this data directly into Fusion eliminates the need to log into a separate asset management tool, such as IBM or SAP, or open a request for another team to provide the information.
Armed with this detailed information, Fusion enables you to quickly initiate mitigation and remediation workflows in your Security Information and Event Management (SIEM), Security Orchestration, Automation and Response (SOAR), and Endpoint Detection and Response (EDR) tools.
3. Policy Enforcement Acceleration
Context labels from SentinelOne agents also make it easier for teams to identify endpoints in violation of policies, such as the lack of an installed SentinelOne agent.
Fusion users can quickly create a detection model based on context from SentinelOne to generate an alert whenever there is an endpoint on the network that should have a SentinelOne agent installed but does not. Context from the SentinelOne agents includes:
- Operating system
- Version of OS
- SentinelOne agent version installed
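As an added illustration (not Netography's or SentinelOne's code, and not NQL), the following Python sketch shows the two patterns described in the three use cases above: joining a Fusion-style alert to SentinelOne context labels by IP address, and flagging hosts seen on the network that fall within an agent-required policy scope but report no agent version. The record layouts, label names, and policy scope are assumptions, and all input data is constructed.

```python
# Constructed SentinelOne-style context labels keyed by IP address.
# The layout and label names are assumptions, not the real API schema.
S1_CONTEXT = {
    "10.1.4.22": {"owner": "jdoe", "last_user": "CORP\\jdoe", "ad_domain": "corp.example",
                  "mac": "00:11:22:33:44:55", "security_group": "eng-workstations",
                  "os": "Windows", "os_version": "11", "agent_version": "23.3.2"},
    "10.1.4.23": {"owner": "asmith", "last_user": "CORP\\asmith", "ad_domain": "corp.example",
                  "mac": "00:11:22:33:44:66", "security_group": "eng-workstations",
                  "os": "Windows", "os_version": "10", "agent_version": None},
    "10.2.0.7":  {"owner": "netops", "os": "Linux", "os_version": "Ubuntu 22.04",
                  "agent_version": None, "vpc": "vpc-0abc"},
}

# Constructed network observations: hosts Fusion has seen talking on the network.
SEEN_ON_NETWORK = [
    {"ip": "10.1.4.22"}, {"ip": "10.1.4.23"}, {"ip": "10.2.0.7"}, {"ip": "10.9.9.9"},
]

# Assumed policy: these OS families must run a SentinelOne agent.
AGENT_REQUIRED_OS = {"Windows", "Linux"}


def enrich_alert(alert: dict, context: dict = S1_CONTEXT) -> dict:
    """Attach owner, last user, AD domain, MAC, security group and VPC labels
    to a Fusion-style alert, joined on the alert's source IP (use cases 1 and 2)."""
    labels = context.get(alert["src_ip"], {})
    return {**alert,
            "owner": labels.get("owner"), "last_user": labels.get("last_user"),
            "ad_domain": labels.get("ad_domain"), "mac": labels.get("mac"),
            "security_group": labels.get("security_group"), "vpc": labels.get("vpc")}


def missing_agent_hosts(seen, context=S1_CONTEXT, required=AGENT_REQUIRED_OS):
    """Return (ip, reason) for hosts seen on the network that are in policy scope
    but report no agent version, plus hosts with no context at all (use case 3)."""
    hits = []
    for obs in seen:
        labels = context.get(obs["ip"])
        if labels is None:
            hits.append((obs["ip"], "no SentinelOne context for this host"))
        elif labels.get("os") in required and not labels.get("agent_version"):
            hits.append((obs["ip"], f"{labels['os']} host without agent"))
    return hits
```

Hosts with no context at all are reported separately so an analyst can decide whether they are unmanaged devices or simply outside the SentinelOne deployment.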
Netography Fusion and SentinelOne are made more powerful by this integration, yet Fusion delivers compelling value on its own. Some popular use cases from our customers include:
- Gaining comprehensive visibility across all their networks without deploying sensors, agents, or taps.
- Ensuring compliance with Zero Trust, social media bans, and other policies in real time and at scale.
- Responding in real time when threat actors have compromised their IT, OT, or IoT environments.
- Validating the performance of their DDoS mitigation technologies to minimize the cost and impact of a DDoS attack.
If you’d like more information on the integration, or on how Fusion alone can help you with any of the above, contact us for a demo or to get started with a trial.