Restrict device access with SentinelOne
SentinelOne collects a series of signals from its agents that can be used to determine the security posture of a device. Tailscale can fetch these signals from SentinelOne and use them as device posture attributes in access rules, which can allow organizations to grant access to sensitive resources only to devices that have a high enough level of trust.
This can be achieved using Tailscale's device posture management features:
- SentinelOne posture integration, which synchronizes signals from SentinelOne to device posture attributes in Tailscale.
- Device Identity Collection, which collects identifiers (for example, serial numbers), used to match devices in Tailscale to devices in SentinelOne.
- Posture conditions in access rules, which allows configuring access restrictions based on device attributes.
This document provides instructions on how to:
- Enable Device Identity collection for your tailnet.
- Configure SentinelOne posture integration.
What is SentinelOne posture integration?
SentinelOne posture integration lets you connect your Tailscale network to SentinelOne. The integration runs periodically and copies signals from SentinelOne agents to device posture attributes.
When configured, it will periodically:
- Fetch a list of hosts recorded in your SentinelOne account, and the data reported by their agents.
- Match SentinelOne agents with corresponding devices in your tailnet, based on the serial numbers associated with a device.
- Write the data from the agents of each device into the following Tailscale device posture attributes:
Attribute key | Description | Allowed values |
---|---|---|
sentinelOne:isActive | Whether the agent is active | true , false |
sentinelOne:agentVersion | Version of the running SentinelOne agent | version |
sentinelOne:activeThreats | Number of active threats detected by the agent | number |
sentinelOne:infected | Whether the agent detects that the device is infected | true , false |
sentinelOne:firewallEnabled | Whether the agent detects that the firewall is enabled | true , false |
sentinelOne:encryptedApplications | Whether the agent detects that the disk is encrypted | true , false |
sentinelOne:operationalState | Operational state of the agent. The string "na" means that the agent has not been disabled or corrupted, and is the expected state for a healthy agent. | string |
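The matching and attribute-writing steps above, as an added illustration in Python (this is not Tailscale's or SentinelOne's code). It assumes agent records shaped like the SentinelOne agents API response, with fields named as in the table plus serialNumber, computerName and lastActiveDate, and device records carrying the serial number collected by Device Identity Collection. The sample agents and devices are constructed; normalizing serials (trim and upper-case) and breaking ties between duplicate agents on lastActiveDate are choices of this example, not documented integration behaviour.

```python
"""Match SentinelOne agents to tailnet devices by serial number and build the
sentinelOne: attributes for each matched device.

Added example, not Tailscale's or SentinelOne's code. Assumptions: agent
records carry isActive, agentVersion, ... (field names matching the attribute
keys), plus serialNumber, computerName and lastActiveDate; device records carry
the serial number from Device Identity Collection.
"""
from typing import Dict, List, Optional, Tuple

# Attribute key written by the integration -> SentinelOne agent field it comes from.
ATTRIBUTE_FIELDS = {
    "sentinelOne:isActive": "isActive",
    "sentinelOne:agentVersion": "agentVersion",
    "sentinelOne:activeThreats": "activeThreats",
    "sentinelOne:infected": "infected",
    "sentinelOne:firewallEnabled": "firewallEnabled",
    "sentinelOne:encryptedApplications": "encryptedApplications",
    "sentinelOne:operationalState": "operationalState",
}


def normalize_serial(serial: Optional[str]) -> Optional[str]:
    """Canonical form used for matching (assumption of this example);
    None when no usable serial was reported."""
    if not serial:
        return None
    serial = serial.strip().upper()
    return serial or None


def agent_to_attributes(agent: dict) -> Dict[str, object]:
    """Copy the agent's signals into the attribute keys from the table above."""
    return {key: agent[field] for key, field in ATTRIBUTE_FIELDS.items() if field in agent}


def index_agents_by_serial(agents: List[dict]) -> Tuple[Dict[str, dict], List[str]]:
    """Index agents by serial. Agents without a serial (seen with some Linux
    hosts) cannot be matched and are reported by name; when two agents share a
    serial, the most recently active one wins (ISO-8601 timestamps compare
    lexically)."""
    by_serial: Dict[str, dict] = {}
    unmatchable: List[str] = []
    for agent in agents:
        serial = normalize_serial(agent.get("serialNumber"))
        if serial is None:
            unmatchable.append(agent.get("computerName", agent.get("id", "?")))
            continue
        current = by_serial.get(serial)
        if current is None or agent.get("lastActiveDate", "") > current.get("lastActiveDate", ""):
            by_serial[serial] = agent
    return by_serial, unmatchable


def sync_attributes(agents: List[dict], devices: List[dict]) -> Tuple[Dict[str, Dict[str, object]], Dict[str, str]]:
    """Return {device_id: attributes} for matched devices and
    {device_id: reason} for devices that received no attributes."""
    by_serial, _ = index_agents_by_serial(agents)
    matched: Dict[str, Dict[str, object]] = {}
    unmatched: Dict[str, str] = {}
    for device in devices:
        serial = normalize_serial(device.get("serialNumber"))
        if serial is None:
            unmatched[device["id"]] = "device reported no serial number"
        elif serial not in by_serial:
            unmatched[device["id"]] = "no SentinelOne agent with serial " + serial
        else:
            matched[device["id"]] = agent_to_attributes(by_serial[serial])
    return matched, unmatched


# Constructed sample data (not real agents or devices).
SAMPLE_AGENTS = [
    {"id": "a1", "computerName": "laptop-01", "serialNumber": "C02XYZ123",
     "lastActiveDate": "2024-05-01T10:00:00Z", "isActive": True, "agentVersion": "23.4.2.14",
     "activeThreats": 0, "infected": False, "firewallEnabled": True,
     "encryptedApplications": True, "operationalState": "na"},
    # Stale duplicate for the same hardware (re-enrolled host); loses on lastActiveDate.
    {"id": "a2", "computerName": "laptop-01", "serialNumber": "c02xyz123 ",
     "lastActiveDate": "2024-04-01T10:00:00Z", "isActive": False, "agentVersion": "22.1.0.1",
     "activeThreats": 0, "infected": False, "firewallEnabled": True,
     "encryptedApplications": True, "operationalState": "na"},
    {"id": "a3", "computerName": "laptop-02", "serialNumber": "PF1ABC99",
     "lastActiveDate": "2024-05-01T09:00:00Z", "isActive": True, "agentVersion": "23.4.2.14",
     "activeThreats": 2, "infected": True, "firewallEnabled": True,
     "encryptedApplications": False, "operationalState": "na"},
    # Linux host whose agent reports no serial number: cannot be matched.
    {"id": "a4", "computerName": "srv-linux-01", "serialNumber": None,
     "lastActiveDate": "2024-05-01T09:30:00Z", "isActive": True, "agentVersion": "23.4.2.14",
     "activeThreats": 0, "infected": False, "firewallEnabled": True,
     "encryptedApplications": True, "operationalState": "na"},
]
SAMPLE_DEVICES = [
    {"id": "100", "hostname": "laptop-01", "serialNumber": "C02XYZ123"},
    {"id": "101", "hostname": "laptop-02", "serialNumber": "pf1abc99"},
    {"id": "102", "hostname": "srv-linux-01", "serialNumber": ""},
    {"id": "103", "hostname": "tablet-07", "serialNumber": "NOAGENTHERE"},
]

if __name__ == "__main__":
    matched, unmatched = sync_attributes(SAMPLE_AGENTS, SAMPLE_DEVICES)
    for device_id, attrs in matched.items():
        print(device_id, attrs)
    for device_id, reason in unmatched.items():
        print(device_id, "skipped:", reason)
```

Running it shows device 100 receiving the attributes of the newer agent a1, device 101 receiving the infected agent's attributes unchanged (the integration copies signals, it does not judge them; that is the job of the posture rules), and devices 102 and 103 receiving nothing, which is the situation the Limitations section describes for Linux hosts without a serial number.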
Prerequisites
- Device Identity Collection is enabled, and devices in your tailnet are reporting identifiers
- SentinelOne API Token
Create SentinelOne Service User and API Token
Create a SentinelOne Service User and API Token that will be used to fetch a list of agents and their data from SentinelOne.
1. In SentinelOne, in the left-hand panel, select Settings.
2. From the top menu, select Users and then in the left-hand panel, select Service Users.
3. Select Actions and then select Create New Service User.
4. Add a name and expiration date for the Service User and select Next. Note the expiration date: once the token expires, the integration will fail to authenticate and stop syncing until you reconnect it with a new token.
5. Choose the site or account that the Service User will have access to and select Create. The integration only reads agent data, so scope the Service User as narrowly as possible (the sites whose devices you want to sync, with a read-only role).
6. The API Token is shown only once, so copy it now for use later. Also make a note of the Base URL (for example, https://example.sentinelone.net/).
Configure SentinelOne posture integration
Configure Tailscale to fetch the attributes from SentinelOne.
1. Open the Device management page of the Tailscale admin console.
2. Under the Device Posture Integrations section, select Connect next to the SentinelOne integration.
3. Enter your SentinelOne URL, the Base URL you use to access the SentinelOne console.
4. Enter your API Token.
5. Select the Connect to SentinelOne button.
View the integration status
Check that the integration has run successfully.
In the Device Posture Integrations section of the Device management page, configured integrations and their status will show under Integrations. The time of the most recent sync will display here. If an error occurs while synchronizing, it will display here.
Check node attributes
After you configure SentinelOne posture integration, you can confirm that the new attributes are being written for your Tailscale nodes via the Machines page of the admin console.
- Open the Machines page of the Tailscale admin console.
- Select a machine you want to inspect.
- The attributes for the machine are in the Machine Details section. This should include the set of sentinelOne: attributes listed previously.
You can also check node attributes via the Tailscale API.
Adjust Tailscale access rules
Once SentinelOne posture integration is configured and your devices have device posture attributes that reflect the signals reported by SentinelOne, you can use those attributes in your posture rules.
For example, to allow access to tag:production only from devices that have an active SentinelOne agent in a known good operational state and zero active threats, create a new posture and use it as the srcPosture of a corresponding access rule:
```jsonc
{
  "postures": {
    "posture:trusted": [
      "sentinelOne:isActive == true",
      "sentinelOne:activeThreats == 0",
      "sentinelOne:operationalState == 'na'",
    ],
  },
  "acls": [
    {
      "action": "accept",
      "src": ["autogroup:member"],
      "srcPosture": ["posture:trusted"],
      "dst": ["tag:production:*"],
    },
  ],
}
```
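To see how this posture behaves for different devices, here is an added example (not Tailscale's policy engine) that evaluates the three conditions above against attribute maps in the shape returned by the Tailscale API's GET /api/v2/device/{deviceId}/attributes endpoint, which is also how you check node attributes via the API. The responses are constructed, including the partially_disabled operational state and the Linux host that was never matched; only the == and != comparisons used on this page are implemented, and a condition on an attribute the device lacks evaluates to false, which is what makes an unmatched device fail closed. The fetch helper assumes Bearer authentication with a Tailscale API access token and is not exercised offline.

```python
"""Evaluate the posture:trusted conditions against a device's attributes.

Added example, not Tailscale's policy engine. Assumes attributes arrive as
{"attributes": {...}} (the Tailscale device attributes API response shape) and
supports only the == and != comparisons used on this page.
"""
import json
import re
from typing import Dict, List, Union

Literal = Union[bool, int, str]

# The posture from the access rule above, condition strings exactly as in the policy file.
POSTURE_TRUSTED: List[str] = [
    "sentinelOne:isActive == true",
    "sentinelOne:activeThreats == 0",
    "sentinelOne:operationalState == 'na'",
]

_CONDITION = re.compile(r"^\s*([A-Za-z0-9_:.-]+)\s*(==|!=)\s*(.+?)\s*$")


def parse_literal(text: str) -> Literal:
    """true/false -> bool, 'quoted' -> str, anything else must be an integer."""
    if text == "true":
        return True
    if text == "false":
        return False
    if len(text) >= 2 and text[0] == text[-1] == "'":
        return text[1:-1]
    return int(text)


def evaluate_condition(condition: str, attrs: Dict[str, Literal]) -> bool:
    """One condition. Missing attribute or mismatched type never satisfies it."""
    match = _CONDITION.match(condition)
    if match is None:
        raise ValueError(f"unsupported condition: {condition!r}")
    key, op, raw = match.groups()
    if key not in attrs:
        return False                      # unsynced device: fail closed
    actual, expected = attrs[key], parse_literal(raw)
    if type(actual) is not type(expected):
        return False                      # the string "0" is not 0, and True is not 1
    return actual == expected if op == "==" else actual != expected


def satisfies_posture(conditions: List[str], attrs: Dict[str, Literal]) -> bool:
    """Every condition in a posture must hold."""
    return all(evaluate_condition(c, attrs) for c in conditions)


def access_allowed(attributes_response: str, posture: List[str] = POSTURE_TRUSTED) -> bool:
    """Decide the srcPosture check for one device from its attributes JSON."""
    attrs = json.loads(attributes_response).get("attributes", {})
    return satisfies_posture(posture, attrs)


def fetch_attributes(device_id: str, api_key: str) -> str:
    """Fetch one device's attributes from the Tailscale API (network call;
    assumes a Bearer API access token; not run by the offline samples)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.tailscale.com/api/v2/device/{device_id}/attributes",
        headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed responses (not captured from a real tailnet).
HEALTHY = json.dumps({"attributes": {
    "node:os": "macos", "sentinelOne:isActive": True, "sentinelOne:agentVersion": "23.4.2.14",
    "sentinelOne:activeThreats": 0, "sentinelOne:infected": False, "sentinelOne:firewallEnabled": True,
    "sentinelOne:encryptedApplications": True, "sentinelOne:operationalState": "na"}})
COMPROMISED = json.dumps({"attributes": {
    "node:os": "windows", "sentinelOne:isActive": True, "sentinelOne:agentVersion": "23.4.2.14",
    "sentinelOne:activeThreats": 2, "sentinelOne:infected": True, "sentinelOne:firewallEnabled": True,
    "sentinelOne:encryptedApplications": False, "sentinelOne:operationalState": "na"}})
AGENT_DISABLED = json.dumps({"attributes": {
    "node:os": "windows", "sentinelOne:isActive": True, "sentinelOne:activeThreats": 0,
    "sentinelOne:operationalState": "partially_disabled"}})   # constructed state value
UNSYNCED = json.dumps({"attributes": {"node:os": "linux"}})   # e.g. Linux host without a serial number

if __name__ == "__main__":
    for name, response in [("healthy", HEALTHY), ("compromised", COMPROMISED),
                           ("agent disabled", AGENT_DISABLED), ("unsynced", UNSYNCED)]:
        print(f"{name:15} -> {'accept' if access_allowed(response) else 'deny'}")
```

The type check matters in practice: a device whose activeThreats attribute somehow arrived as the string "0" would not satisfy `sentinelOne:activeThreats == 0`, and since every condition in a posture must hold, any device the integration could not match is denied by this rule rather than silently allowed.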
Schedule
For each configured integration, Tailscale will aim to sync device posture attributes every 15 minutes, with a few exceptions:
- Adding a new integration, or changing configuration of an existing one, will trigger an out-of-schedule sync.
- If an integration fails due to an authentication error (usually caused by invalid or expired credentials), it is paused for up to 24 hours. Check the integration status on the Device management page and reconnect with a valid API Token.
Limitations
We have observed that SentinelOne does not report serial numbers for some machines running Linux. Without a serial number, Tailscale cannot match the machine to its SentinelOne agent and will not populate device posture attributes for it, so posture conditions that reference sentinelOne: attributes will not be satisfied for such machines.
Audit log events
The following audit log events are added for device posture.
Target | Action | Description |
---|---|---|
Integration | Create posture integration | A new posture integration was created |
Integration | Update posture integration | A posture integration was updated |
Integration | Removed posture integration | A posture integration was removed |
Node | Update node attribute | Device posture attributes for a node were changed |