BitLyft AIR® v1.23: SentinelOne Integration
BitLyft AIR® v1.23 introduces native integration with SentinelOne, expanding automated endpoint detection and response capabilities within the AIR® platform. This integration enhances endpoint visibility, strengthens malware detection, and enables automated remediation actions directly against protected SentinelOne agents.
Release v1.23
SentinelOne Integration Now Live
Native EDR automation — detect, contain, and recover faster than ever
What's New in v1.23
Native SentinelOne Integration
Direct API connection to SentinelOne agents
2 New Detection Policies
Malware persistence and spread detection
Automated Response Actions
Isolate, contain, and recover endpoints automatically
Native SentinelOne Integration
The v1.23 integration connects BitLyft AIR® directly to SentinelOne's agent management layer, giving the platform real-time visibility into endpoint telemetry, threat detections, and agent health — across your entire environment, not just individual machines.
Response actions are executed natively through the SentinelOne API, meaning AIR® can now act on endpoints as part of a fully automated workflow without analyst intervention. Teams move from detection to containment in seconds rather than minutes or hours.
Automated Response Actions
Endpoint Isolation
Immediately disconnect a compromised host from the network while preserving agent communication for continued investigation.
Malware Containment
Quarantine malicious files and terminate active threat processes directly through the SentinelOne agent.
Threat Mitigation
Apply SentinelOne's threat mitigation actions (remediate, rollback) as part of an automated AIR® playbook step.
System Recovery
Trigger agent-assisted recovery workflows to restore endpoint state following confirmed remediation.
Agent Status Monitoring
Continuously monitor SentinelOne agent health and flag disconnected or unhealthy agents as part of environment hygiene detection.
New SentinelOne Detection Policies
SentinelOne Malware Persistence on Host
Detects repeated observations of malicious files or processes on a single host, which may indicate malware persistence or incomplete remediation.
Security Impact
Persistent malware activity is a strong indicator that initial remediation was incomplete or that an advanced threat is actively maintaining a foothold. Left undetected, this can lead to:
- Advanced threats maintaining long-term access to the environment
- Credential abuse tied to the compromised endpoint
- Lateral movement originating from a host believed to be clean
This detection helps identify compromised systems before attackers escalate activity, and triggers automated re-remediation workflows within AIR®.
SentinelOne Malware Spread
Detects malicious files or processes observed across multiple hosts within a short timeframe, indicating active lateral movement or malware propagation across the environment.
Security Impact
Malware spread across multiple hosts is one of the highest-severity events a SOC team can face. Every minute of delay increases the blast radius. This policy is designed to:
- Surface active outbreak events before they reach critical mass
- Trigger automated mass isolation workflows across affected hosts
- Reduce dwell time during ransomware or worm-style propagation events
Early detection through this policy gives teams the window needed to contain an outbreak before it spreads to critical systems or reaches domain controllers.
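To make the two policy definitions above concrete, here is an added example (not BitLyft's or SentinelOne's code) that implements both rules over a small set of constructed threat events: "Malware Persistence on Host" fires when the same threat is observed repeatedly on one host inside a time window, and "Malware Spread" fires when the same threat is observed on several distinct hosts inside a short window. The event field names (`ts`, `host`, `threat`), the sample values, and the thresholds are assumptions chosen for illustration, not SentinelOne's telemetry schema or AIR's tuned defaults.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry. Field names and values are illustrative only;
# they are not SentinelOne's event schema.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "ws-01", "threat": "sha1:aaa"},
    {"ts": "2024-05-01T10:05:00", "host": "ws-01", "threat": "sha1:aaa"},
    {"ts": "2024-05-01T10:40:00", "host": "ws-01", "threat": "sha1:aaa"},
    {"ts": "2024-05-01T11:00:00", "host": "ws-02", "threat": "sha1:bbb"},
    {"ts": "2024-05-01T11:03:00", "host": "ws-03", "threat": "sha1:bbb"},
    {"ts": "2024-05-01T11:07:00", "host": "ws-04", "threat": "sha1:bbb"},
    {"ts": "2024-05-01T15:00:00", "host": "ws-05", "threat": "sha1:ccc"},
]


def _parse(events):
    """Normalise events to sorted (timestamp, host, threat) tuples."""
    return sorted(
        (datetime.fromisoformat(e["ts"]), e["host"], e["threat"]) for e in events
    )


def detect_persistence(events, min_observations=3, window_minutes=60):
    """Malware Persistence on Host.

    Returns {(host, threat): peak_count} for every host on which the same
    threat was observed at least `min_observations` times within any span
    of `window_minutes`. Repeated hits on one host suggest the threat keeps
    coming back after remediation.
    """
    window = timedelta(minutes=window_minutes)
    per_key = defaultdict(list)
    for ts, host, threat in _parse(events):
        per_key[(host, threat)].append(ts)

    alerts = {}
    for key, times in per_key.items():
        left = 0  # sliding window over the sorted timestamps for this host/threat
        for right, ts in enumerate(times):
            while ts - times[left] > window:
                left += 1
            count = right - left + 1
            if count >= min_observations:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts


def detect_spread(events, min_hosts=3, window_minutes=15):
    """Malware Spread.

    Returns {threat: set_of_hosts} for every threat observed on at least
    `min_hosts` distinct hosts within `window_minutes`. The same artefact
    appearing on many hosts in quick succession is the propagation signal
    that should trigger a mass-isolation playbook.
    """
    window = timedelta(minutes=window_minutes)
    per_threat = defaultdict(list)
    for ts, host, threat in _parse(events):
        per_threat[threat].append((ts, host))

    alerts = {}
    for threat, observations in per_threat.items():
        for i, (start, _) in enumerate(observations):
            # Distinct hosts seen from this observation until the window closes.
            hosts = {h for ts, h in observations[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                alerts[threat] = alerts.get(threat, set()) | hosts
    return alerts


if __name__ == "__main__":
    for (host, threat), n in detect_persistence(SAMPLE_EVENTS).items():
        print(f"PERSISTENCE  host={host} threat={threat} observations={n}")
    for threat, hosts in detect_spread(SAMPLE_EVENTS).items():
        print(f"SPREAD       threat={threat} hosts={sorted(hosts)}")
```

On the constructed data, `sha1:aaa` is seen three times on `ws-01` within an hour and raises the persistence alert, while `sha1:bbb` lands on three different hosts inside seven minutes and raises the spread alert; the lone `sha1:ccc` hit raises neither. In practice the window and count thresholds are what separate a noisy rule from a useful one, and tightening the spread window (for example to two minutes) is enough to silence the `sha1:bbb` alert on this data.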
What This Means for AIR® Customers
Version 1.23 brings SentinelOne-protected environments into the full AIR® automated response loop. Where previously teams had to pivot between platforms — detecting in AIR®, then manually executing containment in SentinelOne — that gap is now closed.
Workflows like endpoint isolation, malware containment, threat mitigation, and system recovery can now be fully automated as steps within AIR® playbooks. Detection triggers the response. The response executes. Analysts are notified of the outcome — not paged to perform the action.
For teams running SentinelOne
If your environment is protected by SentinelOne and you are an existing AIR® customer, contact your BitLyft representative to enable the integration and configure your tenant policies for the two new detections. New customers can request a demo to see the full SentinelOne + AIR® workflow in action.
Ready to See It in Action?
See how BitLyft AIR® v1.23 automates endpoint detection and response with SentinelOne in your environment.