The AlienApp for SentinelOne features powerful vulnerability assessment capabilities than can be paired with USM Anywhere for extended security management. When you configure the app in USM Anywhere, you have the option to allow Sentinel One to create assets that are discovered in scans, as well as merge the asset information provided from the SentinelOne scan with the existing asset information in USM Anywhere.
Asset Creation from AlienApp for SentinelOne
When SentinelOne runs a scan, it identifies all assets in the scan and assigns them an individual identifier (ID). These assets can be added to USM Anywhere by selecting the Allow Creation of New Assets checkbox in app's configuration menu. Assets created from a SentinelOne scan will include the information ported from SentinelOne in the USM Anywhere asset details.
Duplicate Asset Merge
Assets discovered in SentinelOne scans may duplicate the assets already discovered in USM Anywhere. When you select the Allow Merging of Existing Assets checkbox in the SentinelOne configuration menu, USM Anywhere will merge the information from the SentinelOne scan with the existing asset. Assets are matched by comparing the Sentinel One ID, MAC address, IP address, and host name (if valid) from the SentinelOne scan with the same asset details in USM Anywhere.
You can select the Include Rogue Assets checkbox in the SentinelOne configuration menu. This checkbox enables USM Anywhere to collect assets from the network using the SentineOne Rogue abilities for detecting assets without an installed agent.
Manual Asset Merge
If the Merge Duplicate Assets checkbox in the SentinelOne configuration menu isn't checked, USM Anywhere will keep a record of the assets that match one another. These assets are contained in the Merge Asset tab in the AlienApp for SentinelOne page.
To review these duplicate assets, click the Merge Asset tab and click Review next to the asset in the list. From here, you can respond to the asset discrepancy with one of the following actions:
- Reject: Cancel the match without creating a new asset or merging it with an existing asset, effectively ignoring the new asset discovered in the SentinelOne scan.
- Create New Asset: Create an asset in USM Anywhere based on the information from the SentinelOne scan.
- Merge: Merge the information from the SentinelOne scan with the matching asset details in USM Anywhere
- Manually Match: Choose the matching asset manually.
Once you have selected a response to the asset review, the status of your choice is reflected in the table of assets in the Merge Asset tab.
A USM Anywhere asset that has been merged with a SentinelOne profile can be split back into two separate assets after they have been merged.
To split a merged asset
- Go to Environment > Assets.
Locate the asset you want to split and click the button next to the asset, and then click Full Details.
In the full asset view window, click Split Asset in the Asset Discovery section.
A window displays showing the existing asset and the new asset that will be created once the two are split.
- Click Split Asset to undo the asset merge and create a separate, new asset.