Integrating SentinelOne and Netskope to leverage threat detection and enforce device classification provides a robust endpoint-to-cloud security approach. This integration facilitates effective device classification and management, enabling consistent security policies across both cloud and endpoint environments.

 

Requirements:

  1. SentinelOne Admin Access
  2. Netskope Tenant

 

Implementation:

SentinelOne Configuration

Configure the script on SentinelOne Tenant > Remote Ops > Create New

 

Click on Upload New Script and provide the script details


 

Upload the script

 


Script content:

This script creates an empty file with a specific name in a specific directory that the Netskope client monitors. The file is created when SentinelOne determines the device is at high risk; when the Netskope client sees it, it can match on the device and respond accordingly.


 

# Define the directory and file path
$targetDirectory = "C:\ProgramData\Sentinel\Addons\SentinelRSO"
$filePath = Join-Path -Path $targetDirectory -ChildPath 'Netskope_S1_high.txt'

# Ensure the directory exists; create it if it does not.
# -ErrorAction Stop makes a failure surface as a script error in Remote Ops,
# and Out-Null keeps the created item object out of the script output.
if (!(Test-Path -Path $targetDirectory)) {
   New-Item -Path $targetDirectory -ItemType Directory -Force -ErrorAction Stop | Out-Null
}

# Create an empty file in the specified directory (the marker Netskope looks for)
New-Item -Path $filePath -ItemType File -Force -ErrorAction Stop | Out-Null

# Output the exact file path
Write-Output "File created at: $filePath"
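The marker file above is only ever created, never removed, so the device stays classified as Risky until someone clears the file. The following PowerShell is an added example, not code from the original post or from SentinelOne or Netskope: it assumes the same marker path as the script above and gives an admin two helpers, one to confirm the marker exists (and which identities hold Delete or Write rights on it, since any of them can clear the Risky state locally) and one to remove it once the SentinelOne threat has been mitigated. Whether Netskope re-evaluates the classification when the file disappears is an assumption here; check it in your tenant.

```powershell
# Added example (not from the original post). Assumes the marker path used by the
# Remote Ops script and by the Netskope Device Classification rule; run as SYSTEM
# via Remote Ops or from an elevated PowerShell session.
$MarkerDirectory = 'C:\ProgramData\Sentinel\Addons\SentinelRSO'
$MarkerPath      = Join-Path -Path $MarkerDirectory -ChildPath 'Netskope_S1_high.txt'

function Test-NetskopeRiskMarker {
    # Reports whether the marker is present, when it was written, who owns it,
    # and which identities could delete or overwrite it.
    [CmdletBinding()]
    param([string]$Path = $MarkerPath)

    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        return [pscustomobject]@{
            Path = $Path; Present = $false; Created = $null; Owner = $null; CanClear = @()
        }
    }

    $item = Get-Item -Path $Path
    $acl  = Get-Acl  -Path $Path

    # Delete or Write rights are enough to clear the "Risky" state on the endpoint.
    $clearRights = [System.Security.AccessControl.FileSystemRights]'Delete, Write'
    $canClear = $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $clearRights) -ne 0)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    return [pscustomobject]@{
        Path     = $Path
        Present  = $true
        Created  = $item.CreationTimeUtc
        Owner    = $acl.Owner
        CanClear = @($canClear)
    }
}

function Clear-NetskopeRiskMarker {
    # Removes the marker after the SentinelOne threat has been mitigated so the
    # device can leave the "Risky Device" classification (assumption: the Netskope
    # client re-evaluates the rule once the file is gone). Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $MarkerPath)

    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        Write-Output "No marker present at $Path"
        return
    }
    if ($PSCmdlet.ShouldProcess($Path, 'Remove Netskope risk marker')) {
        Remove-Item -Path $Path -Force -ErrorAction Stop
        Write-Output "Marker removed: $Path"
    }
}

# Usage: inspect the marker, then dry-run the cleanup (drop -WhatIf to really remove it).
Test-NetskopeRiskMarker | Format-List
Clear-NetskopeRiskMarker -WhatIf
```

Run Test-NetskopeRiskMarker after a detection to confirm the Remote Ops script actually wrote the file on the endpoint; if CanClear lists broad groups such as Users, the marker can be removed by a non-admin and the directory's ACL deserves a second look before relying on the classification.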


 

Leave the script settings at their defaults

 


 

Click on Next and Click on Save


 

Now let’s go to the Singularity Marketplace to configure the Sentinel Remote Ops plugin

 



 

Provide all the required information so the configuration runs the Script ID created in the previous step. All the other details can be adjusted to your own requirements.

 


 

Netskope Configuration

 

Create the Custom Device Classification Rule

Go to Settings > Manage > Device Classification

 


 

Enter the path of the file the automation script will create (on the drive indicated) and click Save

 


 

Let’s create a policy for the Risky Device classification that blocks all actions when SentinelOne detects malicious activity




 

Execution

 

Let’s verify that both the SentinelOne and Netskope agents are running


 


 

We also verify that the device classification is currently in the unmanaged state.

Let’s trigger some malicious activity on the endpoint to test the detection.

 


 

SentinelOne detected the threat


 

As soon as a threat is detected, the script starts executing on the device. The script creates an empty text file, and Netskope changes the device classification based on the presence of that file.

 



 

Checking the drive confirms that the marker file is present

 


 

Checking the device classification again, we find it has changed to Risky Device

 


 

If we now try to access any website from that device, the Netskope client blocks it automatically because of the policy we enforced in the earlier steps

 
