SentinelOne
Active integration: Endpoint Detection & Response


Introduced in BitLyft AIR® v1.23, the SentinelOne integration closes the gap between detection and containment — enabling fully automated endpoint response without analyst intervention.

5 response actions · 2 detection policies · available since v1.23

Native Endpoint Response — Fully Automated

The v1.23 integration connects BitLyft AIR® directly to SentinelOne's agent management layer, giving the platform real-time visibility into endpoint telemetry, threat detections, and agent health across your entire environment — not just individual machines.

Response actions are executed natively through the SentinelOne API, meaning AIR® can act on endpoints as part of a fully automated workflow. Teams move from detection to containment in seconds rather than minutes or hours. Where previously teams had to pivot between platforms, that gap is now closed.

Automated Response Actions

Endpoint Isolation

Immediately disconnect a compromised host from the network while preserving agent communication for continued investigation. In SentinelOne this is the agent's network quarantine (Disconnect from Network): the host loses all other network connectivity, but its channel to the management console stays up, so mitigation and forensic collection still work while it is isolated.

Malware Containment

Quarantine malicious files and terminate active threat processes directly through the SentinelOne agent.

Threat Mitigation

Apply SentinelOne threat mitigation actions (remediate, rollback) as part of an automated AIR® playbook step. Rollback restores files from the Windows agent's Volume Shadow Copy snapshots, so it is not available on every platform.

System Recovery

Trigger agent-assisted recovery workflows to restore endpoint state following confirmed remediation.

Agent Status Monitoring

Continuously monitor SentinelOne agent health and flag disconnected or unhealthy agents as part of environment hygiene detection.
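The five actions above are thin wrappers over a handful of SentinelOne Management API calls. The following is an added example, not BitLyft's or SentinelOne's own code, of what an automation layer has to send for each of them. The endpoint paths (`/agents/actions/disconnect`, `/agents/actions/connect`, `/threats/mitigate/{action}`, `/agents`), the `{"filter": {"ids": [...]}}` body shape and the `ApiToken` header follow the public Management API v2.1 reference as the author understands it; verify them against your console's API documentation before relying on them. The HTTP transport is injectable, so the module runs offline against a recording fake (constructed here); with `requests` installed you would pass a real sender instead.

```python
from typing import Callable, Dict, List, Optional

# Actions accepted by POST /threats/mitigate/{action} (assumed from the v2.1 reference).
MITIGATION_ACTIONS = {"kill", "quarantine", "remediate",
                      "rollback-remediation", "un-quarantine"}

# transport(method, url, headers, params, json_body) -> parsed JSON response
Transport = Callable[[str, str, Dict[str, str], Optional[dict], Optional[dict]], dict]


class S1Client:
    """Minimal wrapper over the Management API calls an automated playbook needs."""

    def __init__(self, console_url: str, api_token: str, transport: Transport):
        self.base = console_url.rstrip("/") + "/web/api/v2.1"
        self.headers = {"Authorization": f"ApiToken {api_token}",
                        "Content-Type": "application/json"}
        self._send = transport

    def _call(self, method: str, path: str, params=None, body=None) -> dict:
        return self._send(method, self.base + path, self.headers, params, body)

    # Endpoint Isolation: network quarantine. The host loses all network access
    # except the agent's channel to the console, so mitigation and forensics
    # keep working while it is cut off.
    def isolate(self, agent_ids: List[str]) -> int:
        resp = self._call("POST", "/agents/actions/disconnect",
                          body={"filter": {"ids": agent_ids}})
        return resp["data"]["affected"]

    # System Recovery: lift the quarantine once remediation is confirmed.
    def reconnect(self, agent_ids: List[str]) -> int:
        resp = self._call("POST", "/agents/actions/connect",
                          body={"filter": {"ids": agent_ids}})
        return resp["data"]["affected"]

    # Malware Containment / Threat Mitigation: kill, quarantine, remediate, rollback.
    def mitigate(self, threat_ids: List[str], action: str) -> int:
        if action not in MITIGATION_ACTIONS:
            raise ValueError(f"unknown mitigation action {action!r}")
        resp = self._call("POST", f"/threats/mitigate/{action}",
                          body={"filter": {"ids": threat_ids}})
        return resp["data"]["affected"]

    # Agent Status Monitoring: walk the cursor-paginated /agents listing and
    # return the agents the console considers inactive (disconnected/stale).
    def inactive_agents(self) -> List[dict]:
        found, cursor = [], None
        while True:
            params = {"isActive": "false", "limit": 100}
            if cursor:
                params["cursor"] = cursor
            resp = self._call("GET", "/agents", params=params)
            found.extend(resp["data"])
            cursor = resp.get("pagination", {}).get("nextCursor")
            if not cursor:
                return found


class FakeTransport:
    """Constructed offline stand-in for the console: records calls, serves canned replies."""

    def __init__(self):
        self.calls: List[dict] = []
        self._agent_pages = [
            {"data": [{"id": "a1", "computerName": "WS-01"}],
             "pagination": {"nextCursor": "c2"}},
            {"data": [{"id": "a2", "computerName": "WS-02"}],
             "pagination": {"nextCursor": None}},
        ]

    def __call__(self, method, url, headers, params, body):
        self.calls.append({"method": method, "url": url, "params": params, "body": body})
        if not headers.get("Authorization", "").startswith("ApiToken "):
            raise PermissionError("missing ApiToken header")
        if method == "GET" and url.endswith("/agents"):
            return self._agent_pages.pop(0)
        return {"data": {"affected": len(body["filter"]["ids"])}}


def run_playbook() -> dict:
    """Detection-to-containment flow: isolate, kill, quarantine, then audit agent health."""
    fake = FakeTransport()
    s1 = S1Client("https://example.sentinelone.net", "REDACTED-TOKEN", fake)
    return {
        "isolated": s1.isolate(["agent-123"]),
        "killed": s1.mitigate(["threat-9", "threat-10"], "kill"),
        "quarantined": s1.mitigate(["threat-9", "threat-10"], "quarantine"),
        "inactive": [a["computerName"] for a in s1.inactive_agents()],
        "calls": fake.calls,
    }
```

The order in `run_playbook` is deliberate: isolate first, because killing a process and quarantining its file does nothing about a session the attacker already has open to the host, and the network quarantine closes that while leaving the agent reachable for the mitigation calls that follow.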

Out-of-the-Box Detection Policies

SentinelOne Malware Persistence on Host

Detects the same malicious file or process being observed repeatedly on a single host within a short window, indicating malware persistence or incomplete remediation (the agent mitigates, and the artifact comes back).

Security Impact

  • Advanced threats maintaining long-term access to the environment
  • Credential abuse tied to the compromised endpoint
  • Lateral movement originating from a host believed to be clean

SentinelOne Malware Spread

Detects the same malicious file or process observed across multiple distinct hosts within a short timeframe, indicating active lateral movement or malware propagation.

Security Impact

  • Active outbreak events reaching critical mass before detection
  • Ransomware or worm-style propagation across the environment
  • High-severity mass isolation scenarios requiring immediate action
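Both policies are counting rules over a stream of threat observations, one keyed on (host, hash) and one keyed on hash alone. The following is an added example, not BitLyft's policy logic, of how they can be implemented as sliding-window checks over a constructed sample of SentinelOne-style threat records (the `host`, `sha1` and `at` fields, the thresholds of 3 hits in 24 hours and 3 hosts in 60 minutes, and the sample data are all assumptions for illustration). The sample includes the cases a practitioner cares about: a hash that keeps returning to one host, a hash fanning out across hosts, a host that reports the same hash twice inside the spread window (which must count as one host), and three hits spread over days that fall outside the persistence window.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Hashable, List

PERSISTENCE_RULE = "SentinelOne Malware Persistence on Host"
SPREAD_RULE = "SentinelOne Malware Spread"

# Constructed sample data, shaped loosely like SentinelOne threat records
# (agent id, host name, file SHA-1, time the console recorded the detection).
SAMPLE_EVENTS = [
    # same hash keeps coming back on one host: incomplete remediation
    {"agentId": "a1", "host": "WS-01", "sha1": "deadbeef", "at": "2024-05-01T09:00:00"},
    {"agentId": "a1", "host": "WS-01", "sha1": "deadbeef", "at": "2024-05-01T09:40:00"},
    {"agentId": "a1", "host": "WS-01", "sha1": "deadbeef", "at": "2024-05-01T10:30:00"},
    # one hash across several hosts within an hour: propagation
    {"agentId": "a2", "host": "WS-02", "sha1": "c0ffee00", "at": "2024-05-01T11:00:00"},
    {"agentId": "a2", "host": "WS-02", "sha1": "c0ffee00", "at": "2024-05-01T11:05:00"},
    {"agentId": "a3", "host": "WS-03", "sha1": "c0ffee00", "at": "2024-05-01T11:10:00"},
    {"agentId": "a4", "host": "WS-04", "sha1": "c0ffee00", "at": "2024-05-01T11:25:00"},
    {"agentId": "a5", "host": "WS-05", "sha1": "c0ffee00", "at": "2024-05-01T15:00:00"},
    # three hits, but days apart: outside the persistence window
    {"agentId": "a7", "host": "WS-07", "sha1": "bad00bad", "at": "2024-05-01T09:00:00"},
    {"agentId": "a7", "host": "WS-07", "sha1": "bad00bad", "at": "2024-05-03T09:00:00"},
    {"agentId": "a7", "host": "WS-07", "sha1": "bad00bad", "at": "2024-05-05T09:00:00"},
    # a one-off that should stay quiet
    {"agentId": "a6", "host": "WS-06", "sha1": "feedface", "at": "2024-05-01T12:00:00"},
]


def _grouped(events, key: Callable[[dict], Hashable]) -> Dict[Hashable, List[dict]]:
    """Parse timestamps, bucket events by key, and sort each bucket by time."""
    groups = defaultdict(list)
    for e in events:
        ev = dict(e, t=datetime.fromisoformat(e["at"]).replace(tzinfo=timezone.utc))
        groups[key(ev)].append(ev)
    for bucket in groups.values():
        bucket.sort(key=lambda ev: ev["t"])
    return groups


def persistence_alerts(events, min_hits: int = 3, window_hours: int = 24) -> List[dict]:
    """Same hash seen on the same host at least min_hits times inside the window."""
    window = timedelta(hours=window_hours)
    alerts = []
    for (host, sha1), evs in _grouped(events, lambda ev: (ev["host"], ev["sha1"])).items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["t"] - evs[start]["t"] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= min_hits:
                alerts.append({"rule": PERSISTENCE_RULE, "host": host, "sha1": sha1,
                               "hits": end - start + 1, "at": evs[end]["t"].isoformat()})
                break   # one alert per (host, hash); further hits would only re-fire it
    return alerts


def spread_alerts(events, min_hosts: int = 3, window_minutes: int = 60) -> List[dict]:
    """Same hash seen on at least min_hosts distinct hosts inside the window."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    for sha1, evs in _grouped(events, lambda ev: ev["sha1"]).items():
        in_window = Counter()   # host -> observations currently inside the window
        start = 0
        for end, ev in enumerate(evs):
            in_window[ev["host"]] += 1
            while ev["t"] - evs[start]["t"] > window:
                old = evs[start]["host"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_hosts:   # distinct hosts; repeats on one host count once
                alerts.append({"rule": SPREAD_RULE, "sha1": sha1,
                               "hosts": sorted(in_window), "at": ev["t"].isoformat()})
                break
    return alerts


def evaluate(events=SAMPLE_EVENTS) -> Dict[str, List[dict]]:
    """Run both policies; a playbook would feed the hosts in 'spread' to mass isolation."""
    return {"persistence": persistence_alerts(events), "spread": spread_alerts(events)}
```

The spread rule is the one to tune carefully before wiring it to automatic isolation: its output is a list of hosts, and the action that follows takes every one of them off the network. Keying on the file hash rather than the threat name keeps a benign-but-flagged binary that is legitimately rolling out across the fleet from looking identical to a worm, and the distinct-host count stops one noisy endpoint from inflating the tally on its own.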

See the full release notes

SentinelOne integration was shipped in BitLyft AIR® v1.23 with five response actions and two out-of-the-box detection policies.


Running SentinelOne? Let's close the loop.

See how AIR® automates endpoint isolation and malware containment alongside your SentinelOne deployment.
