Integrating SentinelOne and Netskope to leverage threat detection and enforce device classification provides a robust endpoint-to-cloud security approach. This integration facilitates effective device classification and management, enabling consistent security policies across both cloud and endpoint environments.
Requirements:
- SentinelOne Admin Access
- Netskope Tenant
Implementation:
SentinelOne Configuration
Configure the script on SentinelOne Tenant > Remote Ops > Create New
Click on Upload New Script and provide the script details
Upload the script
Script content:
This script creates an empty file with a specific name in a specific directory that the Netskope client watches. The file is created only when SentinelOne determines the device is at high risk; when the Netskope client sees the file, it can match the device against a classification rule and respond according to policy.
# Define the directory and file path
$targetDirectory = "C:\ProgramData\Sentinel\Addons\SentinelRSO"
$filePath = Join-Path -Path $targetDirectory -ChildPath 'Netskope_S1_high.txt'
# Ensure the directory exists; create it if it does not
if (!(Test-Path -Path $targetDirectory)) {
New-Item -Path $targetDirectory -ItemType Directory -Force
}
# Create an empty file in the specified directory
New-Item -Path $filePath -ItemType File -Force
# Output the exact file path
Write-Output "File created at: $filePath"
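As an added example (not the page's script and not SentinelOne's or Netskope's own code), the same marker-file mechanism wrapped in functions so the marker can be set from Remote Ops, checked from a console, and cleared once the incident is closed. The path and file name are the ones used above; the event source name and event IDs are arbitrary choices.

```powershell
# Marker file that the Netskope client's device-classification rule checks for.
# Path and file name match the Remote Ops script above.
$TargetDirectory = 'C:\ProgramData\Sentinel\Addons\SentinelRSO'
$MarkerPath = Join-Path -Path $TargetDirectory -ChildPath 'Netskope_S1_high.txt'
$EventSource = 'NetskopeS1Marker'   # arbitrary source name for the Application log

function Write-MarkerEvent {
    param([int]$EventId, [string]$Message)
    # Write-EventLog / New-EventLog are Windows PowerShell 5.1 cmdlets (the
    # environment Remote Ops scripts run in); registering the source needs elevation once.
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -Source $EventSource -EventId $EventId `
        -EntryType Information -Message $Message
}

function Set-RiskMarker {
    # Called by the Remote Ops automation when SentinelOne reports a high-risk threat.
    if (-not (Test-Path -Path $TargetDirectory)) {
        New-Item -Path $TargetDirectory -ItemType Directory -Force | Out-Null
    }
    New-Item -Path $MarkerPath -ItemType File -Force | Out-Null
    Write-MarkerEvent -EventId 1001 -Message "Risk marker created: $MarkerPath"
    return $MarkerPath
}

function Clear-RiskMarker {
    # Run after the SentinelOne threat is resolved. The classification rule only checks
    # that the file exists, so the marker must be removed explicitly for the device to
    # leave the Risky Device classification.
    if (Test-Path -Path $MarkerPath -PathType Leaf) {
        Remove-Item -Path $MarkerPath -Force
        Write-MarkerEvent -EventId 1002 -Message "Risk marker removed: $MarkerPath"
    }
}

function Test-RiskMarker {
    # State check for the console: $true while the device should classify as Risky Device.
    return (Test-Path -Path $MarkerPath -PathType Leaf)
}
```

On a lab endpoint, run Set-RiskMarker and confirm in the Netskope client that the classification changes, then Clear-RiskMarker and confirm it reverts; the Application log events give a local audit trail of both transitions.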
Leave the script settings at their defaults.
Click Next, then click Save.
Now let's go to the Singularity Marketplace to configure the Sentinel Remote Ops plugin.
Provide the required information for the configuration, including the Script ID of the script created in the previous step. The remaining settings can be adjusted to your own requirements.
Netskope Configuration
Create the Custom Device Classification Rule
Go to Settings > Manage > Device Classification
Enter the full path of the file that the automation script will create on the device's drive and click Save.
Now create a policy for the Risky Device classification that blocks all actions once SentinelOne has detected malicious activity on the device.
Execution
Let's verify that both the SentinelOne and Netskope agents are running.
We also verify that the device classification is currently in the Unmanaged state.
Let's perform a test malicious activity on the endpoint.
SentinelOne detects the threat.
As soon as a threat is detected, the script starts executing on the device. The script creates an empty text file, which lets Netskope change the device classification based on the presence of that file.
If we check the particular drive, we can find the file the script created.
If we check the device classification again, we can see it has changed to Risky Device.
If we now try to access any website from that device, the Netskope client blocks it automatically because of the policy we enforced in the earlier steps.