BitLyft Air: SentinelOne
SentinelOne Integration Overview
Overview
The BitLyft AIR® SentinelOne integration extends the platform’s security capabilities to include endpoint detection and response (EDR). By ingesting SentinelOne security telemetry and enabling direct response actions against protected endpoints, BitLyft AIR® allows security teams to detect malware activity, investigate compromised systems, and automate endpoint containment.
This integration improves visibility into endpoint threats while enabling automated response workflows that help security teams reduce dwell time and limit the impact of active attacks.
Core Capabilities
Endpoint Threat Detection
The SentinelOne integration includes detection policies designed to identify malware persistence, lateral movement, and other indicators of active compromise within endpoint environments.
These policies help security teams detect malicious activity early and initiate response actions before attackers can escalate access or spread across systems.
Malware Persistence Detection
Persistent malware activity on a host can indicate incomplete remediation, advanced malware techniques, or attackers maintaining long-term access to a system.
Example detection:
- Malware persistence observed on a host
This detection identifies repeated observations of malicious files or processes on a single endpoint. Monitoring persistence behavior helps security teams detect ongoing compromise and identify hosts requiring additional investigation or containment.
Malware Spread and Lateral Movement
Malware propagation across multiple endpoints often indicates active lateral movement or early stages of an outbreak.
Example detection:
- Malware observed across multiple hosts within a short time window
This detection helps identify coordinated malicious activity that may indicate worm-like behavior, automated propagation, or attackers attempting to expand their foothold within the environment.
Early detection of these patterns allows security teams to limit the blast radius of malware outbreaks.
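The two detection policies above, as an added illustration that is not BitLyft's or SentinelOne's code: a toy implementation of "malware persistence observed on a host" (the same hash seen repeatedly on one endpoint) and "malware observed across multiple hosts within a short time window" (the same hash seen on several distinct endpoints inside a sliding window), run over constructed threat events whose hostnames and hash values are placeholders.

```python
# Added example (not BitLyft's or SentinelOne's code): toy versions of the two
# detection policies described on the page, run over constructed threat events.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape of a minimal threat notification:
# (timestamp, agent/host name, SHA1 of the detected file).
# Hostnames and hash values are placeholders, not real indicators.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "ws-finance-01", "aaaa0000"),
    ("2024-05-01T09:07:00", "ws-finance-01", "aaaa0000"),
    ("2024-05-01T11:30:00", "ws-finance-01", "aaaa0000"),
    ("2024-05-01T10:00:00", "ws-hr-03", "bbbb1111"),
    ("2024-05-01T10:04:00", "ws-hr-07", "bbbb1111"),
    ("2024-05-01T10:09:00", "srv-file-02", "bbbb1111"),
    ("2024-05-02T08:00:00", "ws-eng-12", "bbbb1111"),  # next day: outside the window
]


def persistence_hosts(events, min_observations=3):
    """Hosts on which the same malicious hash was observed at least
    `min_observations` times (policy: malware persistence observed on a host)."""
    seen = defaultdict(int)
    for _ts, host, sha1 in events:
        seen[(host, sha1)] += 1
    return sorted({host for (host, _sha1), n in seen.items() if n >= min_observations})


def spreading_hashes(events, window=timedelta(minutes=15), min_hosts=3):
    """Hashes observed on at least `min_hosts` distinct hosts inside any `window`
    (policy: malware observed across multiple hosts within a short time window)."""
    by_hash = defaultdict(list)
    for ts, host, sha1 in events:
        by_hash[sha1].append((datetime.fromisoformat(ts), host))
    hits = {}
    for sha1, obs in by_hash.items():
        obs.sort()  # chronological, so every later t satisfies t >= start
        for i, (start, _host) in enumerate(obs):
            # distinct hosts seen from this observation to the end of the window
            hosts = {h for t, h in obs[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[sha1] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    print("persistence:", persistence_hosts(SAMPLE_EVENTS))
    print("spread:", spreading_hashes(SAMPLE_EVENTS))
```

Thresholds and the window length are assumptions chosen for the sample data; tune them to the alert volume of the environment before using such logic to drive automated containment.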
Automated Response Capabilities
The SentinelOne integration enables BitLyft AIR® to perform response actions directly against endpoint agents. This allows security teams to automate containment and remediation actions without manually interacting with the SentinelOne console.
Automated response capabilities help reduce response time and ensure consistent remediation workflows during security incidents.
Key Benefits
- Enables automated containment of compromised endpoints
- Accelerates response to malware outbreaks and active threats
- Reduces manual analyst effort during incident response
- Supports scalable endpoint response during large-scale incidents
These capabilities allow organizations to move from detection to containment and remediation more efficiently.
Automation and Remediation
SOC-Ready Automations
The SentinelOne integration includes SOC-ready automations that connect endpoint detections directly to remediation actions within BitLyft AIR®.
These automations allow security teams to automatically contain infected hosts, mitigate malware threats, and initiate investigation workflows when suspicious activity is detected.
Automation Benefits
- Rapid containment of compromised endpoints
- Reduced manual investigation and remediation effort
- Standardized incident response workflows
- Faster response to active malware incidents
SOC-ready automations enable organizations to operationalize endpoint security workflows and respond consistently to malware activity.
SentinelOne Response Actions
The integration provides a wide range of response and investigation actions that enable security teams to interact with SentinelOne endpoints directly through BitLyft AIR®.
These actions support both security operations and endpoint administration workflows.
Endpoint Containment and Threat Mitigation
These actions allow security teams to isolate systems and contain malicious activity.
Examples include:
- Disconnect endpoint agents from the network
- Reconnect agents after remediation
- Mitigate specific threats by threat ID
- Mitigate threats using filters for large-scale incidents
These capabilities enable rapid containment during active malware outbreaks.
Malware Prevention and Enforcement
Security teams can enforce global controls to prevent malicious files from executing across the environment.
Examples include:
- Ban malicious file hashes
- Block known malicious hashes
- Update banned hash enforcement rules
- Remove blocklisted hashes when files are confirmed benign
These controls help prevent reinfection and stop known malware from executing across endpoints.
Endpoint Investigation and Visibility
The integration provides investigation capabilities to help analysts understand endpoint state and threat activity.
Examples include:
- Retrieve endpoint agent inventory
- Retrieve application lists installed on endpoints
- Retrieve vulnerability data such as CVEs
- Initiate endpoint security scans
These capabilities support threat investigation, vulnerability analysis, and endpoint health validation.
Endpoint and Administrative Management
The integration also supports actions related to endpoint administration and operational workflows.
Examples include:
- Create SentinelOne users
- Delete SentinelOne users
- Restart endpoint systems
- Shut down compromised machines
These actions support both incident response and operational endpoint management.
Security Value
The BitLyft AIR® SentinelOne integration enhances endpoint protection by enabling organizations to detect and respond to several common endpoint attack scenarios, including:
- Malware persistence and advanced threats
- Malware propagation and lateral movement
- Endpoint compromise and unauthorized execution
- Large-scale malware outbreaks
- Endpoint misconfiguration and vulnerability exposure
By combining endpoint threat detection, automated containment workflows, and direct remediation actions, BitLyft AIR® enables security teams to manage endpoint incidents more efficiently and respond quickly to threats detected across their SentinelOne environment.
SentinelOne Remediation Actions
User & Platform Administration
| Action | Description | Use Case |
|---|---|---|
| Create a User in SentinelOne | Creates a new user account in SentinelOne with defined access permissions. | Used to automate onboarding of SOC analysts, security engineers, or administrators who require access to the SentinelOne management console. |
| Delete a User in SentinelOne | Removes an existing user account from SentinelOne. | Used during employee offboarding or when removing compromised accounts to ensure unauthorized access to the EDR platform is eliminated. |
Endpoint Inventory & Visibility
| Action | Description | Use Case |
|---|---|---|
| Get Agents | Retrieves a list of endpoints protected by SentinelOne agents. | Used to build endpoint inventories, validate agent deployment coverage, and identify systems that may require investigation or response actions. |
| Get Application List SentinelOne | Retrieves the list of installed applications on managed endpoints. | Helps identify unauthorized, vulnerable, or suspicious software across the environment during threat investigations or vulnerability assessments. |
| Get CVEs in SentinelOne | Retrieves known CVEs associated with detected applications. | Supports vulnerability assessments by identifying known vulnerabilities tied to installed software, helping prioritize patching and remediation efforts. |
Endpoint Operational Management
| Action | Description | Use Case |
|---|---|---|
| Restart Machines in SentinelOne | Restarts endpoints that match the specified criteria or filters. | Used to complete remediation processes that require a system reboot, such as after malware removal, system updates, or security configuration changes. |
| Shutdown an Agent in SentinelOne | Shuts down a specific managed endpoint. | Used during emergency containment when a system is severely compromised and must be immediately powered down to stop active malicious activity. |
Malware Prevention & Threat Blocking
| Action | Description | Use Case |
|---|---|---|
| Ban a Hash in SentinelOne | Adds a SHA1 hash to the SentinelOne global blocklist to prevent execution across endpoints. | Used to block known malicious files across the entire environment after threat intelligence or malware analysis confirms a file is malicious. |
| Block a Hash | Adds a SHA1 hash to the SentinelOne blocklist to prevent execution. | Prevents confirmed malware from executing again on protected endpoints following detection or incident response. |
| Delete Blocklisted Hash in SentinelOne | Removes a SHA1 hash from the SentinelOne blocklist. | Used when a previously blocked file is determined to be benign or incorrectly classified. |
| Update a Banned Hash in SentinelOne | Updates configuration details for an existing banned hash. | Allows administrators to modify enforcement settings or update threat blocking policies for known malicious files. |
Endpoint Isolation & Threat Containment
| Action | Description | Use Case |
|---|---|---|
| Disconnect an Agent from Network | Isolates an endpoint from all network communication while keeping it manageable through SentinelOne. | Used to contain active threats, stop lateral movement, and prevent communication with command-and-control infrastructure during an incident. |
| Reconnect an Agent from Network SentinelOne | Restores network connectivity for a previously isolated endpoint. | Used after remediation is complete and the endpoint has been verified as safe to return to normal network operations. |
Threat Investigation & Remediation
| Action | Description | Use Case |
|---|---|---|
| Initiate a Scan on an Agent | Triggers a malware scan on targeted endpoints. | Used to validate endpoint health, confirm removal of threats, or perform investigation scans following suspicious activity. |
| Mitigate Specific Threat IDs in SentinelOne | Applies remediation or mitigation actions to specific detected threat IDs. | Automates containment or cleanup for confirmed threats detected on endpoints. |
| Mitigate Threats Matching a Filter in SentinelOne | Applies mitigation actions to threats matching defined criteria. | Used for bulk containment or remediation during widespread malware outbreaks or coordinated attacks affecting multiple endpoints. |
Detection Tuning & False Positive Management
| Action | Description | Use Case |
|---|---|---|
| Create Exclusion Item in SentinelOne | Creates an exclusion to allow trusted files, paths, hashes, certificates, or applications. | Used to prevent false positives when legitimate software is incorrectly flagged as malicious. |
| Delete Exclusion Item in SentinelOne | Removes an existing exclusion from SentinelOne. | Used after temporary allowlisting or testing to restore normal detection policies. |
| Update Exclusion Item in SentinelOne | Updates configuration settings for an existing exclusion item. | Used to refine allowlists and reduce recurring false positives while maintaining detection coverage. |
