aruba / clearpass-exchange-snippets

ClearPass Exchange integration snippets

SentinelOne filter query #9

Open J0HAN85 opened 7 months ago

J0HAN85 commented 7 months ago

The SentinelOne AuthZ source uses the default filter %{Connection:Client-Mac-Address-Colon}

In some cases the MAC address is not found in S1 because the endpoint is connected through LAN instead of WiFi, or connected using a USB-C docking station. So the MAC address doesn't match any endpoint. I can also use a value from our Active Directory (our Authentication Source) to query S1. The API offers this functionality. However, when I change the filter to %{Authorization:CARE4GO:UserDN} it receives an HTTP 404 from the extension.

The log then shows me this message:

[INFO] SentinelOne - [?adQuery__contains=CN=ID0019932,OU=ouComputers,OU=ouNL,DC=care4go,DC=nl] Request for information received from ::ffff:172.17.0.1.
[DEBUG] SentinelOne - [?adQuery__contains=CN=ID0019932,OU=ouComputers,OU=ouNL,DC=care4go,DC=nl] Performing device lookup
[DEBUG] SentinelOne - 1874580b-d165-41de-8f9e-664c97666bcc Request "GET 'agents'" took 204 ms.
[INFO] SentinelOne - [?adQuery__contains=CN=ID0019932,OU=ouComputers,OU=ouNL,DC=care4go,DC=nl] Device not found.

I'm pretty sure the extension could be capable of querying the S1 API using the UserDN, ComputerDN or HostName. Is this option available and if not, can the extension be modified to allow this?
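The lookup pattern the issue asks for, as an added example in Python that is not part of the ClearPass Exchange extension or its snippets: a ClearPass attribute value is classified as a colon-separated MAC, an LDAP DN or a hostname, mapped to one agents-lookup query parameter, and the candidates are tried in order so a device whose docking-station MAC is unknown to S1 still resolves through its AD record. Only `adQuery__contains` comes from the issue's log; the `macAddress__contains` and `computerName__contains` parameter names, the inventory field names and the inventory records themselves are assumptions constructed for the example, and `fake_fetch` stands in for the real `GET agents` call so the code runs offline.

```python
import re
from typing import Callable, Iterable, Optional, Tuple

# Colon-separated MAC, the form ClearPass emits via
# %{Connection:Client-Mac-Address-Colon}.
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
# An LDAP distinguished name: a comma-separated chain of type=value RDNs.
DN_RE = re.compile(r"^(?:CN|OU|DC)=[^,]+(?:,(?:CN|OU|DC)=[^,]+)*$", re.IGNORECASE)


def classify(value: str) -> str:
    """Return 'mac', 'dn' or 'hostname' for a ClearPass attribute value."""
    v = value.strip()
    if MAC_RE.match(v):
        return "mac"
    if DN_RE.match(v):
        return "dn"
    return "hostname"


def build_query(value: str) -> dict:
    """Map one attribute value to an agents-lookup query parameter.

    'adQuery__contains' is the parameter visible in the issue's log. The
    MAC and hostname parameter names are assumptions for this example and
    have not been verified against the SentinelOne API.
    """
    kind = classify(value)
    v = value.strip()
    if kind == "mac":
        return {"macAddress__contains": v.lower()}   # assumed parameter name
    if kind == "dn":
        return {"adQuery__contains": v}              # name taken from the log
    return {"computerName__contains": v}             # assumed parameter name


def lookup_with_fallback(values: Iterable[str],
                         fetch: Callable[[dict], list]
                         ) -> Tuple[Optional[dict], Optional[dict]]:
    """Try each candidate value in order and return (query, agent) for the
    first one that yields a result, or (None, None) when every lookup is
    empty (the 'Device not found' case in the log)."""
    for value in values:
        if not value or not value.strip():
            continue  # ClearPass leaves unused attributes empty; skip them
        query = build_query(value)
        agents = fetch(query)
        if agents:
            return query, agents[0]
    return None, None


# Constructed inventory standing in for the S1 agents endpoint. Records and
# field names are fictitious assumptions made for this example.
INVENTORY = [
    {"computerName": "ID0019932",
     "adQuery": "CN=ID0019932,OU=ouComputers,OU=ouNL,DC=example,DC=test",
     "macAddress": ["aa:bb:cc:dd:ee:01"]},  # WiFi NIC only; dock MAC unknown
    {"computerName": "ID0020001",
     "adQuery": "CN=ID0020001,OU=ouComputers,OU=ouNL,DC=example,DC=test",
     "macAddress": ["aa:bb:cc:dd:ee:02"]},
]


def fake_fetch(query: dict) -> list:
    """Offline stand-in for GET agents: '<field>__contains' matches
    case-insensitively against a string field or any element of a list."""
    hits = []
    for agent in INVENTORY:
        ok = True
        for param, needle in query.items():
            field = param.split("__", 1)[0]
            haystack = agent.get(field, "")
            if isinstance(haystack, list):
                found = any(needle.lower() in h.lower() for h in haystack)
            else:
                found = needle.lower() in haystack.lower()
            ok = ok and found
        if ok:
            hits.append(agent)
    return hits


if __name__ == "__main__":
    # Endpoint seen through a dock: the MAC the NAD reports is not in S1,
    # so the lookup falls through to the hostname from the AD record.
    q, agent = lookup_with_fallback(
        ["00:11:22:33:44:55", "ID0019932",
         "CN=ID0019932,OU=ouComputers,OU=ouNL,DC=example,DC=test"], fake_fetch)
    print(q, agent["computerName"] if agent else None)
```

The order of the candidate list is the policy decision: put the most specific identifier first (the MAC) and the broadest last, so a `__contains` match on a short hostname cannot shadow an exact MAC hit, and treat `(None, None)` as the authorization-source failure rather than silently granting access.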