Analysis Creation Issue

Hi -

I am trying to create an analysis for the SentinelOne service. I basically want to see what state the service is in on our Windows and Linux machines. I have no issue gathering this info for our Windows boxes, but I am having an issue getting it for our Linux boxes and having them in the same analysis.

For Windows I am using this:

if exists service "SentinelAgent" then state of service "SentinelAgent" else "Not Installed"

The problem with that is all the Linux boxes pop up with "Not Installed", obviously because they don't have that service name (SentinelAgent); the service name in Linux is "sentineld". Can someone help me finish this off?

Thanks in advance

You may need to adjust the Linux portion of the logic, but here’s one potential approach that leverages nested conditionals to account for different scenarios:

if (windows of operating system) then (if exists service "SentinelAgent" then state of service "SentinelAgent" else "Not Installed") else if (name of operating system starts with "Linux") then (if exists service "sentineld" then state of service "sentineld" else "Not Installed") else ("n/a")


Aram - Thanks for the quick post. I had a similar config that I was trying, but I just was not getting my ( ) correct. This looks like it is going to work!

I will need to confirm that what is reporting in BF is correct, so I may have another question for you.

Thanks!

Hi Aram -

Regarding the Linux portion - it looks like the service name changed at some point to "sentinelone". I made that change in the relevance and I seem to be getting better data. On a system where I know the service is running, the BigFix analysis is showing the status as stopped instead of running; any thoughts about that?

I am still working through verifying other systems, for example whether the ones that show "not installed" really are not installed.

@Frankie, I'd be happy to help you with the Linux portion of your SentinelOne relevance. Can you please advise whether your SentinelOne client installations are performed via distribution package management (i.e. RPM/YUM for CentOS/RHEL or APT for Debian/Ubuntu)? If not package management, can you provide additional details on how your organization is installing SentinelOne on your endpoints?

In the meantime, please try the following relevance using the local QNA (/opt/BESClient/bin/qna) on one of your Linux endpoints.

exists names whose (it contains "sentinelone") of processes

To further expand on @Aram's prior relevance statement, the following:

if (name of operating system as string as lowercase contains "Linux" as lowercase) then (if (exists names whose (it contains "sentinelone") of processes) then ("SentinelOne Running") else ("Not Installed")) else "Not Linux"

I hope this helps.

Thank you @cmcannady - I will try this new statement later on tonight!

I am pretty sure we are installing these packages via RPM.

Thanks again I will be updating this post tomorrow!

Question for you: I need the status for the Windows machines as well; it seems your statement is only for Linux machines?

@cmcannady - Sorry for the confusion, should I be taking your relevance and replacing the Linux portion of @Aram's relevance? It seems like that would break the Windows portion, because any server that does not have a "sentinelone" service would show not installed -> that would be all the Windows boxes?

@Frankie, the following is an amalgamation of @Aram's and my relevance statements to work with both Windows and Linux endpoints.

if (windows of operating system) then (if exists service "SentinelAgent" then state of service "SentinelAgent" else "Not Installed") else if (name of operating system as string as lowercase contains "Linux" as lowercase) then (if (exists names whose (it contains "sentinelone") of processes) then ("SentinelOne Running") else ("Not Installed/Running")) else ("N/A")

Hope this helps.

@cmcannady - Thank you! I think we are getting close. It seems like the relevance is working perfectly for CentOS, but for the RedHat version it appears to be hitting the Windows statement somehow; I will show you an example of the "results". Shouldn't the only results for "linux" machines be "SentinelOne Running", "Not Installed/Running" or "N/A"?

Sorry to be a pain

@Frankie, since I don't have the Sentinel agent in my lab, I tested the relevance from my prior post by referencing the BESClient service on *NIX/WIN endpoints in my environment.

if (windows of operating system) then (if exists service "BESClient" then state of service "BESClient" else "Not Installed") else if (name of operating system as string as lowercase contains "Linux" as lowercase) then (if (exists names whose (it contains "BESClient") of processes) then ("Running") else ("Not Installed/Running")) else ("N/A")

The above works across all Linux distributions as expected. The likely culprit is that the name of the process may be different on RHEL vs CentOS vs Ubuntu, etc. Can you double-check this within your targeted environment?
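One way to double-check the process name on a Linux endpoint before changing the relevance again, as an added example that is not part of any post above: the script below mirrors the Linux branch of the relevance (`exists names whose (it contains "sentinelone") of processes`) in plain shell, lists every process name mentioning "sentinel" in any letter case, and reports the same strings the analysis would. The substring match is case-sensitive, as relevance's `contains` is. The sample process lists are constructed, not captured from a real host; `--live` is an assumed flag of this script, not a BigFix option.

```shell
#!/bin/sh
# Added example: reproduce the Linux branch of the thread's relevance in shell so
# the process-name match can be confirmed on one endpoint before the analysis is edited.

# s1_status NEEDLE PROCESS_LIST
# Case-sensitive substring match over process names (one name per line),
# printing the same result strings the analysis would report.
s1_status() {
    needle=$1
    procs=$2
    if printf '%s\n' "$procs" | grep -qF -- "$needle"; then
        echo "SentinelOne Running"
    else
        echo "Not Installed/Running"
    fi
}

# candidate_names PROCESS_LIST
# Distinct process names mentioning "sentinel" in any case, so a mismatch such as
# "sentineld" versus "sentinelone" on a given distribution becomes visible.
candidate_names() {
    printf '%s\n' "$1" | grep -i -- 'sentinel' | sort -u
}

# Constructed sample process lists (not from a real endpoint).
SAMPLE_NEW='systemd
sshd
sentinelone-agent
sentinelone-watchdog'
SAMPLE_OLD='systemd
sshd
sentineld'

# Run the live check only when invoked with --live on an actual endpoint.
if [ "${1:-}" = "--live" ]; then
    LIVE=$(ps -eo comm=)
    echo "Process names mentioning sentinel:"
    candidate_names "$LIVE"
    echo "Relevance would report: $(s1_status sentinelone "$LIVE")"
fi
```

Note that `ps -o comm` truncates Linux process names to 15 characters, so a name that matches here may still differ from what the BigFix process inspector returns; the authoritative check remains running the relevance itself in the local QNA as described above.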

@cmcannady - Thank you for all of your help! I think there was a bigger delay in updating the results after the relevance was changed than I anticipated. I checked this morning and it appears that everything is showing up properly. Thanks again!
