# SentinelOne

> Connect SentinelOne Singularity Data Lake to Oso to scan endpoints for unsanctioned AI agents.

This page walks through connecting a SentinelOne tenant to Oso so it can scan endpoints for installed AI agent software via SentinelOne Singularity Data Lake (SDL). For background on what EDR discovery does and how it compares to other sources, see the [EDR overview](/oso-for-agents/integrations/edr).

## 1. Create an API token in SentinelOne

In the SentinelOne management console, create a service-account API token with a role that grants the following permissions:

* **Endpoints**: View
* **SDL Search**: View
* **SDL Data**: View
* **SDL Data**: View EDR

Copy the token (it is only shown once) and note your console URL — the full base URL of your SentinelOne management console (e.g. `https://usea1-purple.sentinelone.net`). You can find it in your browser's address bar when logged in.

### What Oso does with this access

Oso uses read-only access to scan endpoints for installed AI agent software. Nothing is written to or modified on your endpoints or in SentinelOne.

## 2. Connect SentinelOne in Oso

In Oso, with **Oso for Agents** selected in the product switcher, open **Connections** from the sidebar and scroll to the **EDR** section.

<img src="https://mintcdn.com/osoinc/DrU8Dx1Obvdbq5VO/images/oso-for-agents/edr/sentinelone-disconnected.png?fit=max&auto=format&n=DrU8Dx1Obvdbq5VO&q=85&s=ec605a5a5015697af8f5d5eaca13f13f" alt="SentinelOne Singularity Data Lake card before connecting" width="627" height="135" data-path="images/oso-for-agents/edr/sentinelone-disconnected.png" />

Click **Connect** and fill in the dialog:

<img src="https://mintcdn.com/osoinc/DrU8Dx1Obvdbq5VO/images/oso-for-agents/edr/sentinelone-connect-dialog.png?fit=max&auto=format&n=DrU8Dx1Obvdbq5VO&q=85&s=cbac2f11e791c385d80e612c830c0ad7" alt="SentinelOne connect dialog" width="469" height="561" data-path="images/oso-for-agents/edr/sentinelone-connect-dialog.png" />

| Field                       | Description                                                                                                                  |
| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
| **Display Name** (optional) | A label for this integration, useful when more than one SentinelOne tenant is connected.                                     |
| **API Token**               | The service-account token from step 1.                                                                                       |
| **Console URL**             | The full base URL of your SentinelOne management console (e.g. `https://usea1-purple.sentinelone.net`).                      |
| **Host Filter** (optional)  | A free-text expression that limits which endpoints are scanned. Leave blank to scan every endpoint visible to the API token. |

Credentials are encrypted at rest. Once connected, the EDR card shows the configured console URL and a **Scan now** button.

## 3. Restrict scope with a host filter (optional)

The host filter is a SentinelOne free-text search applied during the seeding phase of every scan. It matches across hostname, operating system, IP address, agent UUID, and other endpoint metadata. Examples:

* `macOS` — only macOS endpoints
* `prod-` — endpoints whose hostname (or other metadata) contains `prod-`
* `10.0.0.` — endpoints in a specific IP range

Because the filter is a substring search across multiple fields, generic words may match more endpoints than expected — for example, `network` could match any endpoint whose interface metadata contains "Network". Prefer specific substrings (a hostname prefix unique to your fleet, an exact OS name) over generic ones.
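To see the over-matching described above before a scan runs, the following added example (not Oso or SentinelOne code) models the filter locally against an inventory export and reports which field caused each match. It assumes case-insensitive substring matching over every field; the inventory rows, field names, and function names are constructed for illustration.

```python
# Added example: a local model of the host filter's substring semantics.
# INVENTORY is constructed sample data, not SentinelOne output; the field
# names are hypothetical stand-ins for the endpoint metadata the page lists.
INVENTORY = [
    {"hostname": "prod-web-01", "os": "Ubuntu 22.04", "ip": "10.0.0.12",
     "uuid": "a1b2c3d4-0001", "interfaces": "eth0"},
    {"hostname": "dev-mac-07", "os": "macOS 14.5", "ip": "192.168.4.20",
     "uuid": "a1b2c3d4-0002", "interfaces": "en0 Wi-Fi"},
    {"hostname": "kiosk-03", "os": "Windows 11", "ip": "110.0.0.8",
     "uuid": "a1b2c3d4-0003", "interfaces": "Intel Network Adapter"},
    {"hostname": "nonprod-db-02", "os": "Ubuntu 22.04", "ip": "172.16.1.5",
     "uuid": "a1b2c3d4-0004", "interfaces": "eth0"},
]


def preview_filter(expr, inventory=INVENTORY):
    """Return {hostname: [fields that matched]} for a candidate filter.

    Assumption: the filter is a case-insensitive substring test applied
    to every metadata field of an endpoint.
    """
    needle = expr.lower()
    hits = {}
    for row in inventory:
        fields = [k for k, v in row.items() if needle in str(v).lower()]
        if fields:
            hits[row["hostname"]] = fields
    return hits


def overmatch(expr, intended, inventory=INVENTORY):
    """Endpoints the filter would pull into scope beyond the intended set."""
    hits = preview_filter(expr, inventory)
    return {host: fields for host, fields in hits.items()
            if host not in intended}


if __name__ == "__main__":
    # The intended scope for each candidate filter is the production web host.
    for expr in ("prod-", "10.0.0.", "network"):
        print(expr, "->", overmatch(expr, {"prod-web-01"}))
```

In this sample, `prod-` also pulls in `nonprod-db-02`, and `10.0.0.` also pulls in the host at `110.0.0.8`, because both are plain substring hits.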

The filter can be changed at any time using the **Edit filter** button on the EDR card. Changes take effect on the next scan.

## 4. Run a scan

The first scan starts shortly after the integration is connected. After that, Oso re-scans every 12 hours, and a scan can be triggered on demand at any time using the **Scan now** button on the EDR card.

During a scan, Oso enumerates endpoints matching the filter and queries SentinelOne Singularity Data Lake for evidence of installed AI agent software on each one. SDL queries cover a recent time window of activity per endpoint — agents that have run within that window will appear; agents installed but never used may not be detected through this path.

<img src="https://mintcdn.com/osoinc/DrU8Dx1Obvdbq5VO/images/oso-for-agents/edr/sentinelone-scanning.png?fit=max&auto=format&n=DrU8Dx1Obvdbq5VO&q=85&s=349d711713efcfb35dedfdf504573f93" alt="SentinelOne EDR card while scanning" width="624" height="137" data-path="images/oso-for-agents/edr/sentinelone-scanning.png" />

The card shows scan progress as endpoints complete.

Click **Stop scan** to cancel an in-progress scan.

<img src="https://mintcdn.com/osoinc/DrU8Dx1Obvdbq5VO/images/oso-for-agents/edr/sentinelone-idle.png?fit=max&auto=format&n=DrU8Dx1Obvdbq5VO&q=85&s=35d250918417c3748d2493ff50a95078" alt="SentinelOne EDR card after a scan" width="626" height="140" data-path="images/oso-for-agents/edr/sentinelone-idle.png" />

## 5. Disconnect

Click **Disconnect** on the EDR card to remove the integration. Oso deletes the stored credentials and stops querying SentinelOne.
