This page walks through connecting a SentinelOne tenant to Oso so it can scan endpoints for installed AI agent software via SentinelOne Singularity Data Lake (SDL). For background on what EDR discovery does and how it compares to other sources, see the EDR overview.

1. Create an API token in SentinelOne

In the SentinelOne management console, create a service-account API token with a role that grants the following permissions:
  • Endpoints: View
  • SDL Search: View
  • SDL Data: View
  • SDL Data: View EDR
Copy the token (it is only shown once) and note your console URL — the full base URL of your SentinelOne management console (e.g. https://usea1-purple.sentinelone.net). You can find it in your browser’s address bar when logged in.

2. Connect SentinelOne in Oso

In Oso, with Oso for Agents selected in the product switcher, open Connections from the sidebar and scroll to the EDR section. Click Connect and fill in the dialog:

| Field | Description |
| --- | --- |
| Display Name (optional) | A label for this integration, useful when more than one SentinelOne tenant is connected. |
| API Token | The service-account token from step 1. |
| Console URL | The full base URL of your SentinelOne management console (e.g. https://usea1-purple.sentinelone.net). |
| Host Filter (optional) | A free-text expression that limits which endpoints are scanned. Leave blank to scan every endpoint visible to the API token. |

Credentials are encrypted at rest. Once connected, the EDR card shows the configured console URL and a Scan now button.

3. Restrict scope with a host filter (optional)

The host filter is a SentinelOne free-text search applied during the seeding phase of every scan. It matches across hostname, operating system, IP address, agent UUID, and other endpoint metadata. Examples:
  • macOS — only macOS endpoints
  • prod- — endpoints whose hostname (or other metadata) contains prod-
  • 10.0.0. — endpoints in a specific IP range
Because the filter is a substring search across multiple fields, generic words may match more endpoints than expected — for example, network could match any endpoint whose interface metadata contains “Network”. Prefer specific substrings (a hostname prefix unique to your fleet, an exact OS name) over generic ones. The filter can be changed at any time using the Edit filter button on the EDR card. Changes take effect on the next scan.
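
As an added illustration (not Oso or SentinelOne code), the sketch below models the host filter as a case-insensitive substring test over a constructed inventory, so a candidate value can be checked for unintended matches before it is saved. The field names, the inventory and the `matched_fields` and `preview` helpers are assumptions; the real matching is performed by SentinelOne.

```python
# Added example: offline model of the host filter, for previewing a candidate value.
# Assumption: the filter is a case-insensitive substring test over each metadata field.

# Constructed inventory (hostnames, IPs and UUIDs are made up for illustration).
ENDPOINTS = [
    {"hostname": "prod-web-01", "os": "Ubuntu 22.04", "ip": "10.0.0.14",
     "uuid": "c0ffee00-0001", "interfaces": "eth0"},
    {"hostname": "nonprod-db-02", "os": "Ubuntu 22.04", "ip": "10.0.10.7",
     "uuid": "c0ffee00-0002", "interfaces": "eth0"},
    {"hostname": "dev-mac-07", "os": "macOS 14.5", "ip": "192.168.4.7",
     "uuid": "c0ffee00-0003", "interfaces": "Wi-Fi"},
    {"hostname": "fin-lt-22", "os": "Windows 11", "ip": "110.0.0.5",
     "uuid": "c0ffee00-0004", "interfaces": "Intel Ethernet Network Adapter"},
    {"hostname": "network-lab-03", "os": "Windows 11", "ip": "172.16.0.3",
     "uuid": "c0ffee00-0005", "interfaces": "eth0"},
]


def matched_fields(endpoint, flt):
    """Names of the metadata fields whose value contains the filter text."""
    needle = flt.lower()
    return [name for name, value in endpoint.items() if needle in str(value).lower()]


def preview(endpoints, flt, intended_field):
    """Split hits into (expected, surprises).

    expected: the intended field starts with the filter text.
    surprises: the endpoint is in scope only through a mid-string hit or
    through some other field; each entry records which fields matched.
    """
    expected, surprises = [], []
    for ep in endpoints:
        fields = matched_fields(ep, flt)
        if not fields:
            continue  # endpoint would be out of scan scope
        if str(ep[intended_field]).lower().startswith(flt.lower()):
            expected.append(ep["hostname"])
        else:
            surprises.append((ep["hostname"], fields))
    return expected, surprises


if __name__ == "__main__":
    for flt, field in [("prod-", "hostname"), ("10.0.0.", "ip"),
                       ("network", "hostname"), ("macOS", "os")]:
        ok, odd = preview(ENDPOINTS, flt, field)
        print(f"{flt!r:12} expected={ok} surprises={odd}")
```

Under this model, an entry in `surprises` means the candidate filter pulls in an endpoint that was not meant to be in scope, which is the cue to pick a more specific substring.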

4. Run a scan

The first scan starts shortly after the integration is connected. After that, Oso re-scans every 12 hours, and a scan can be triggered on demand at any time using the Scan now button on the EDR card. During a scan, Oso enumerates endpoints matching the filter and queries SentinelOne Singularity Data Lake for evidence of installed AI agent software on each one. SDL queries cover a recent time window of activity per endpoint: agents that have run within that window will appear; agents installed but never used may not be detected through this path. The card shows scan progress as endpoints complete. Click Stop scan to cancel an in-progress scan.

5. Disconnect

Click Disconnect on the EDR card to remove the integration. Oso deletes the stored credentials and stops querying SentinelOne.