diff --git a/docs/administration/enterprise.md b/docs/administration/enterprise.md
index d45f2ca4..49d7fe2c 100644
--- a/docs/administration/enterprise.md
+++ b/docs/administration/enterprise.md
@@ -50,6 +50,11 @@ according to the [OpenAEV architecture](../deployment/platform/overview.md#archi
The Tanium Agent can be leveraged to execute implants as detached processes that will then execute payloads
according to the [OpenAEV architecture](../deployment/platform/overview.md#architecture)
+### SentinelOne Agent
+
+The SentinelOne Agent can be leveraged to execute implants as detached processes that will then execute payloads
+according to the [OpenAEV architecture](../deployment/platform/overview.md#architecture)
+
## Remediations in CVES
More detail: [CVES](taxonomies.md) and [Findings view](../usage/findings.md)
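Review bot: The new `### SentinelOne Agent` paragraph leaves out the prerequisite that the executors page in this same patch marks as required, the "remote script orchestration" add-on. Mention it here or link to the SentinelOne executor section, so a reader of this page does not assume the agent alone is enough. The added sentence also ends without a full stop.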
diff --git a/docs/deployment/assets/openaev_subprocessor_unix.sh b/docs/deployment/assets/openaev_subprocessor_unix.sh
new file mode 100644
index 00000000..88a2429d
--- /dev/null
+++ b/docs/deployment/assets/openaev_subprocessor_unix.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo $1 | base64 -d | sh
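Review bot: `$1` is unquoted in `echo $1 | base64 -d | sh`, so the argument goes through word splitting and glob expansion before it reaches `base64`, and `echo` handles a leading `-n` or backslashes differently from one shell to another. Prefer `printf '%s' "$1" | base64 -d | sh`, and exit with a non-zero status when `$1` is empty so that a call without a payload fails visibly instead of piping nothing into `sh`. A short header comment saying what the script is for would also help whoever audits the SentinelOne script library.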
diff --git a/docs/deployment/assets/openaev_subprocessor_windows.ps1 b/docs/deployment/assets/openaev_subprocessor_windows.ps1
new file mode 100644
index 00000000..64c40b6c
--- /dev/null
+++ b/docs/deployment/assets/openaev_subprocessor_windows.ps1
@@ -0,0 +1,2 @@
+$command = $args[0];
+cmd.exe /d /c powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -NoProfile -encodedCommand $command
\ No newline at end of file
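Review bot: `$command = $args[0]` is used without checking that an argument was supplied, so a call with no payload still launches `powershell.exe -encodedCommand` with an empty value. Add a guard that exits with an error when `$args[0]` is empty. The file also ends without a trailing newline. Because `-ExecutionPolicy Bypass -WindowStyle Hidden -encodedCommand` is what defenders will see in process telemetry, a comment at the top identifying the script as the OpenAEV subprocessor would make triage easier.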
diff --git a/docs/deployment/assets/sentinelone-agents.png b/docs/deployment/assets/sentinelone-agents.png
new file mode 100644
index 00000000..c60ce207
Binary files /dev/null and b/docs/deployment/assets/sentinelone-agents.png differ
diff --git a/docs/deployment/assets/sentinelone-endpoints.png b/docs/deployment/assets/sentinelone-endpoints.png
new file mode 100644
index 00000000..a485573c
Binary files /dev/null and b/docs/deployment/assets/sentinelone-endpoints.png differ
diff --git a/docs/deployment/assets/sentinelone-scripts.png b/docs/deployment/assets/sentinelone-scripts.png
new file mode 100644
index 00000000..19dbd90d
Binary files /dev/null and b/docs/deployment/assets/sentinelone-scripts.png differ
diff --git a/docs/deployment/assets/sentinelone-unix-script1.png b/docs/deployment/assets/sentinelone-unix-script1.png
new file mode 100644
index 00000000..1520748d
Binary files /dev/null and b/docs/deployment/assets/sentinelone-unix-script1.png differ
diff --git a/docs/deployment/assets/sentinelone-unix-script2.png b/docs/deployment/assets/sentinelone-unix-script2.png
new file mode 100644
index 00000000..0e6c903b
Binary files /dev/null and b/docs/deployment/assets/sentinelone-unix-script2.png differ
diff --git a/docs/deployment/assets/sentinelone-windows-script1.png b/docs/deployment/assets/sentinelone-windows-script1.png
new file mode 100644
index 00000000..a4bc7e2d
Binary files /dev/null and b/docs/deployment/assets/sentinelone-windows-script1.png differ
diff --git a/docs/deployment/assets/sentinelone-windows-script2.png b/docs/deployment/assets/sentinelone-windows-script2.png
new file mode 100644
index 00000000..b85468a5
Binary files /dev/null and b/docs/deployment/assets/sentinelone-windows-script2.png differ
diff --git a/docs/deployment/configuration.md b/docs/deployment/configuration.md
index 7ac0ed71..76338738 100644
--- a/docs/deployment/configuration.md
+++ b/docs/deployment/configuration.md
@@ -43,16 +43,16 @@ Here are the configuration keys, for both containers (environment variables) and
#### Network and security
-| Parameter | Environment variable | Default value | Description |
-|:--------------------------------|:--------------------------------|:------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| server.ssl.enabled | SERVER_SSL_ENABLED | `false` | Turn on to enable SSL on the local server |
-| server.ssl.key-store-type | SERVER_SSL_KEY-STORE-TYPE | PKCS12 | Type of SSL keystore |
-| server.ssl.key-store | SERVER_SSL_KEY-STORE | classpath:localhost.p12 | SSL keystore path |
-| server.ssl.key-store-password | SERVER_SSL_KEY-STORE-PASSWORD | admin | SSL keystore password |
-| server.ssl.key-alias | SERVER_SSL_KEY-ALIAS | localhost | SSL key alias |
-| openaev.unsecured-certificate | OPENAEV_UNSECURED-CERTIFICATE | `false` | Turn on to authorize self-signed or unsecure ssl certificate |
-| openaev.with-proxy | OPENAEV_WITH-PROXY | `false` | Turn on to authorize environment with proxy |
-| openaev.extra-trusted-certs-dir | OPENAEV_EXTRA-TRUSTED-CERTS-DIR | | If you want to set extra trusted self-signed TLS certificates to communicate with external applications (Crowdstrike, Tanium,...),
fill this attribute with you local folder containing your public .PEM certs. If you install OpenAEV with Docker,
uncomment the volume and set the attribute in the [docker compose file](https://github.com/OpenAEV-Platform/docker/blob/master/docker-compose.yml) |
+| Parameter | Environment variable | Default value | Description |
+|:--------------------------------|:--------------------------------|:------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| server.ssl.enabled | SERVER_SSL_ENABLED | `false` | Turn on to enable SSL on the local server |
+| server.ssl.key-store-type | SERVER_SSL_KEY-STORE-TYPE | PKCS12 | Type of SSL keystore |
+| server.ssl.key-store | SERVER_SSL_KEY-STORE | classpath:localhost.p12 | SSL keystore path |
+| server.ssl.key-store-password | SERVER_SSL_KEY-STORE-PASSWORD | admin | SSL keystore password |
+| server.ssl.key-alias | SERVER_SSL_KEY-ALIAS | localhost | SSL key alias |
+| openaev.unsecured-certificate | OPENAEV_UNSECURED-CERTIFICATE | `false` | Turn on to authorize self-signed or unsecure ssl certificate |
+| openaev.with-proxy | OPENAEV_WITH-PROXY | `false` | Turn on to authorize environment with proxy |
+| openaev.extra-trusted-certs-dir | OPENAEV_EXTRA-TRUSTED-CERTS-DIR | | If you want to set extra trusted self-signed TLS certificates to communicate with external applications (Crowdstrike, Tanium, SentinelOne,...),
fill this attribute with you local folder containing your public .PEM certs. If you install OpenAEV with Docker,
uncomment the volume and set the attribute in the [docker compose file](https://github.com/OpenAEV-Platform/docker/blob/master/docker-compose.yml) |
⚠️ **Important**: If you are using the parameter `openaev.extra-trusted-certs-dir`, the file format needed for the
certificates in the folder are public PEM-armoured (*.pem), DER-encoded X509 certs.
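Review bot: The re-added `openaev.extra-trusted-certs-dir` row still reads "fill this attribute with you local folder" (should be "your"), and as shown here its description cell runs over three physical lines, which does not form a valid Markdown table row. Since the row is being touched anyway, fix both. The only content change is ", SentinelOne", so re-padding every row of the table makes the hunk harder to review than a one-row edit would be.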
diff --git a/docs/deployment/ecosystem/executors.md b/docs/deployment/ecosystem/executors.md
index 7d1d5718..4f9d52fb 100644
--- a/docs/deployment/ecosystem/executors.md
+++ b/docs/deployment/ecosystem/executors.md
@@ -13,6 +13,7 @@ architectures. This table below summarizes the information about each agent.
| **OpenAEV Agent (native/default)** | Open source | As a user session, user service or system service | Script | A standard or admin background process | As a user standard, user admin or system admin | Yes, depending on the user and installation mode |
| **Tanium Agent** | Under license | As a system service | Executable | An admin background process | As a system admin | No, always the same agent |
| **Crowdstrike Falcon Agent** | Under license | As a system service | Executable | An admin background process | As a system admin | No, always the same agent |
+| **SentinelOne Agent** | Under license | As a system service | Executable | An admin background process | As a system admin | No, always the same agent |
| **Caldera Agent** | Open source | As a user session | Script | An admin background process | As a user admin | Yes, depending on the user |
## OpenAEV Agent
@@ -22,16 +23,24 @@ payloads on endpoints.
[Learn More](../../usage/openaev-agent.md)
+---
+
## Tanium Agent
The Tanium agent can be leveraged to execute implants as detached processes that will then execute payloads, according
to the [OpenAEV architecture](https://docs.openaev.io/latest/deployment/overview).
+The implants will be downloaded to these folders on the different assets:
+
+* On Windows assets: `C:\Program Files (x86)\Filigran\OAEV Agent\runtimes\implant-XXXXX`
+* On Linux or MacOS assets: `/opt/openaev-agent/runtimes/implant-XXXXX`
+
+where XXXXX will be a completely random UUID, generated for each inject that will be executed.
+This ensures that the implants are unique and will be deleted on assets' restart.
+
### Configure the Tanium Platform
-We
-provide [two Tanium packages](https://github.com/OpenAEV-Platform/openaev/blob/master/openaev-api/src/main/java/io/openaev/executors/tanium/openaev-tanium-packages.json)
-to be imported into the Tanium platform.
+We provide [two Tanium packages](https://github.com/OpenAEV-Platform/openaev/blob/master/openaev-api/src/main/java/io/openaev/executors/tanium/openaev-tanium-packages.json) to be imported into the Tanium platform.

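Review bot: The paths added to the Tanium section point into the OpenAEV agent's install directory (`...\Filigran\OAEV Agent\runtimes\` and `/opt/openaev-agent/runtimes/`), but the text does not say what creates that directory on an endpoint that only runs the Tanium client, or which account owns it. State that explicitly: the executor table above says implants run as a system admin, so the directory must not be writable by standard users. The same block is added again under SentinelOne in this patch, so a shared include would keep the executor sections from drifting apart.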
@@ -72,15 +81,18 @@ Once configured and imported, retrieve the package IDs from the URL:
To use the Tanium executor, fill the following configuration:
-| Parameter | Environment variable | Default value | Description |
-|:-----------------------------------|:-----------------------------------|:--------------|:------------------------------------------------|
-| executor.tanium.enable | EXECUTOR_TANIUM_ENABLE | `false` | Enable the Tanium executor |
-| executor.tanium.url | EXECUTOR_TANIUM_URL | | Tanium API URL |
-| executor.tanium.api-key | EXECUTOR_TANIUM_API-KEY | | Tanium API key |
-| executor.tanium.computer-group-id | EXECUTOR_TANIUM_COMPUTER_GROUP_ID | `1` | Tanium Computer Group to be used in simulations |
-| executor.tanium.action-group-id | EXECUTOR_TANIUM_ACTION_GROUP_ID | `4` | Tanium Action Group to apply actions to |
-| executor.tanium.windows-package-id | EXECUTOR_TANIUM_WINDOWS_PACKAGE_ID | | ID of the OpenAEV Tanium Windows package |
-| executor.tanium.unix-package-id | EXECUTOR_TANIUM_UNIX_PACKAGE_ID | | ID of the OpenAEV Tanium Unix package |
+| Parameter | Environment variable | Default value | Description |
+|:------------------------------------------------------|:------------------------------------------------------|:---------------|:--------------------------------------------------------------------------------------------------------------------------------------------------|
+| executor.tanium.enable | EXECUTOR_TANIUM_ENABLE | `false` | Enable the Tanium executor |
+| executor.tanium.url | EXECUTOR_TANIUM_URL | | Tanium API URL |
+| executor.tanium.api-key | EXECUTOR_TANIUM_API-KEY | | Tanium API key |
+| executor.tanium.api-register-interval | EXECUTOR_TANIUM_API_REGISTER_INTERVAL | 1200 | Tanium API interval to register/update the computer groups/endpoints in OpenAEV (in seconds) |
+| executor.tanium.api-batch-execution-action-pagination | EXECUTOR_TANIUM_API_BATCH_EXECUTION_ACTION_PAGINATION | 100 | Tanium API pagination per 5 seconds to set for endpoints batch executions (number of endpoints sent per 5 seconds to Tanium to execute a payload) |
+| executor.tanium.clean-implant-interval | EXECUTOR_TANIUM_CLEAN_IMPLANT_INTERVAL | 8 | Tanium clean old implant interval (in hours) |
+| executor.tanium.computer-group-id | EXECUTOR_TANIUM_COMPUTER_GROUP_ID | `1` | Tanium Computer Group or Computer Groups to be used in simulations separated with commas |
+| executor.tanium.action-group-id | EXECUTOR_TANIUM_ACTION_GROUP_ID | `4` | Tanium Action Group to apply actions to |
+| executor.tanium.windows-package-id | EXECUTOR_TANIUM_WINDOWS_PACKAGE_ID | | ID of the OpenAEV Tanium Windows package |
+| executor.tanium.unix-package-id | EXECUTOR_TANIUM_UNIX_PACKAGE_ID | | ID of the OpenAEV Tanium Unix package |
!!! note "Tanium API Key"
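Review bot: The new rows use underscore-separated variables such as `EXECUTOR_TANIUM_API_REGISTER_INTERVAL`, while the re-added `EXECUTOR_TANIUM_API-KEY` keeps a hyphen and the SentinelOne table in this patch uses `EXECUTOR_SENTINELONE_API_KEY`. Confirm which spelling the platform actually reads and make the tables consistent. The `executor.tanium.computer-group-id` description now allows several ids but shows no example of the comma-separated form, and the new defaults `1200`, `100` and `8` are not in backticks like `1` and `4`.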
@@ -118,8 +130,8 @@ according to the [OpenAEV architecture](https://docs.openaev.io/latest/deploymen
The implants will be downloaded to these folders on the different assets:
-* On Windows assets: `C:\Windows\Temp\.openaev\implant-XXXXX`
-* On Linux or MacOS assets: `/tmp/.openaev/implant-XXXXX`
+* On Windows assets: `C:\Program Files (x86)\Filigran\OAEV Agent\runtimes\implant-XXXXX`
+* On Linux or MacOS assets: `/opt/openaev-agent/runtimes/implant-XXXXX`
where XXXXX will be a completely random UUID, generated for each inject that will be executed.
This ensures that the implants are unique and will be deleted on assets' restart.
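Review bot: The unchanged sentence after the new paths, "will be deleted on assets' restart", was written for the old `C:\Windows\Temp\.openaev` and `/tmp/.openaev` locations. Directories under `Program Files (x86)` and `/opt` are not cleared on reboot, so the sentence is now misleading. Reword it to describe the real cleanup, which judging by the `clean-implant-interval` parameter added in this patch appears to be periodic, and say how long an implant can remain on disk.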
@@ -179,14 +191,7 @@ Put the following Input schema:
| script access | Users with the role of RTR Administrator or RTR Active Responder |
| shared with workflows | yes |
-Put the following script **(release version < 1.16.0)**:
-
-```PowerShell
-$command = $args[0] | ConvertFrom-Json | Select -ExpandProperty 'command';
-cmd.exe /d /c powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -NoProfile -Command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([convert]::FromBase64String('$command')))"
-```
-
-Put the following script **(release version >= 1.16.0)**:
+Put the following script:
```PowerShell
$command = $args[0] | ConvertFrom-Json | Select -ExpandProperty 'command';
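Review bot: Removing the **(release version < 1.16.0)** script together with the version label on the remaining one drops the only statement of which releases this script applies to. If releases before 1.16.0 are no longer supported, say so next to "Put the following script:". Otherwise a reader on an older release has no indication that the script differs for their version.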
@@ -254,17 +259,18 @@ applied.
To use the CrowdStrike executor, just fill the following configuration.
-| Parameter | Environment variable | Default value | Description |
-|:-----------------------------------------------------------|:-----------------------------------------------------------|:-----------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------|
-| executor.crowdstrike.enable | EXECUTOR_CROWDSTRIKE_ENABLE | `false` | Enable the Crowdstrike executor |
-| executor.crowdstrike.api-url | EXECUTOR_CROWDSTRIKE_API_URL | `https://api.us-2.crowdstrike.com` | Crowdstrike API url |
-| executor.crowdstrike.api-register-interval | EXECUTOR_CROWDSTRIKE_API_REGISTER_INTERVAL | 1200 | Crowdstrike API interval to register/update the host groups/hosts/agents in OpenAEV (in seconds) |
-| executor.crowdstrike.api-batch-execution-action-pagination | EXECUTOR_CROWDSTRIKE_API_BATCH_EXECUTION_ACTION_PAGINATION | 2500 | Crowdstrike API pagination per second to set for hosts batch executions (number of hosts sent per second to Crowdstrike to execute a payload) |
-| executor.crowdstrike.client-id | EXECUTOR_CROWDSTRIKE_CLIENT_ID | | Crowdstrike client id |
-| executor.crowdstrike.client-secret | EXECUTOR_CROWDSTRIKE_CLIENT_SECRET | | Crowdstrike client secret |
-| executor.crowdstrike.host-group | EXECUTOR_CROWDSTRIKE_HOST_GROUP | | Crowdstrike host group id or hosts groups ids separated with commas |
-| executor.crowdstrike.windows-script-name | EXECUTOR_CROWDSTRIKE_WINDOWS_SCRIPT_NAME | `OpenAEV Subprocessor (Windows)` | Name of the OpenAEV Crowdstrike windows script |
-| executor.crowdstrike.unix-script-name | EXECUTOR_CROWDSTRIKE_UNIX_SCRIPT_NAME | `OpenAEV Subprocessor (Unix)` | Name of the OpenAEV Crowdstrike unix script |
+| Parameter | Environment variable | Default value | Description |
+|:-----------------------------------------------------------|:------------------------------------------------------------|:-----------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------|
+| executor.crowdstrike.enable | EXECUTOR_CROWDSTRIKE_ENABLE | `false` | Enable the Crowdstrike executor |
+| executor.crowdstrike.api-url | EXECUTOR_CROWDSTRIKE_API_URL | `https://api.us-2.crowdstrike.com` | Crowdstrike API url |
+| executor.crowdstrike.api-register-interval | EXECUTOR_CROWDSTRIKE_API_REGISTER_INTERVAL | 1200 | Crowdstrike API interval to register/update the host groups/hosts/agents in OpenAEV (in seconds) |
+| executor.crowdstrike.api-batch-execution-action-pagination | EXECUTOR_CROWDSTRIKE_API_BATCH_EXECUTION_ACTION_PAGINATION | 2500 | Crowdstrike API pagination per 5 seconds to set for hosts batch executions (number of hosts sent per 5 seconds to Crowdstrike to execute a payload) |
+| executor.crowdstrike.clean-implant-interval | EXECUTOR_CROWDSTRIKE_CLEAN_IMPLANT_INTERVAL | 8 | Crowdstrike clean old implant interval (in hours) |
+| executor.crowdstrike.client-id | EXECUTOR_CROWDSTRIKE_CLIENT_ID | | Crowdstrike client id |
+| executor.crowdstrike.client-secret | EXECUTOR_CROWDSTRIKE_CLIENT_SECRET | | Crowdstrike client secret |
+| executor.crowdstrike.host-group | EXECUTOR_CROWDSTRIKE_HOST_GROUP | | Crowdstrike host group id or hosts groups ids separated with commas |
+| executor.crowdstrike.windows-script-name | EXECUTOR_CROWDSTRIKE_WINDOWS_SCRIPT_NAME | `OpenAEV Subprocessor (Windows)` | Name of the OpenAEV Crowdstrike windows script |
+| executor.crowdstrike.unix-script-name | EXECUTOR_CROWDSTRIKE_UNIX_SCRIPT_NAME | `OpenAEV Subprocessor (Unix)` | Name of the OpenAEV Crowdstrike unix script |
### Checks
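Review bot: The description of `executor.crowdstrike.api-batch-execution-action-pagination` changes from "per second" to "per 5 seconds" while the default stays `2500`, so the documented rate drops by a factor of five with no explanation. Say whether the behaviour changed or the old text was wrong, so operators who tuned this value know whether to revisit it. The new `clean-implant-interval` row would also benefit from stating what counts as an "old" implant.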
@@ -285,6 +291,108 @@ Endpoint on the OpenAEV endpoint page.
You are now ready to leverage your CrowdStrike platform to run OpenAEV payloads!
+---
+
+## SentinelOne Agent
+
+The SentinelOne agent can be leveraged to execute implants as detached processes that will then execute payloads
+according to the [OpenAEV architecture](https://docs.openaev.io/latest/deployment/overview).
+
+The implants will be downloaded to these folders on the different assets:
+
+* On Windows assets: `C:\Program Files (x86)\Filigran\OAEV Agent\runtimes\implant-XXXXX`
+* On Linux or MacOS assets: `/opt/openaev-agent/runtimes/implant-XXXXX`
+
+where XXXXX will be a completely random UUID, generated for each inject that will be executed.
+This ensures that the implants are unique and will be deleted on assets' restart.
+
+!!! warning "SentinelOne"
+
+ Please note that the SentinelOne license with add-on “remote script orchestration” is required to launch SentinelOne scripts with OpenAEV → see in SentinelOne/Settings/Configuration/Add-ons
+
+
+### Configure the SentinelOne Platform
+
+#### Upload OpenAEV scripts
+
+First of all, you need to create two custom scripts, one for Windows and one for Unix, covering both Linux and MacOS
+systems.
+
+To create it, go to `Automation` > `Remote Ops` > `Create new`. The names
+of the scripts can be changed if necessary, the ids will be put in the OpenAEV configuration.
+
+*Unix Script*
+
+Upload the following script (encoded for Unix):
+
+[Download](../assets/openaev_subprocessor_unix.sh)
+
+Put the following Input schema:
+
+
+
+
+*Windows script*
+
+Upload the following script (encoded for Windows):
+
+[Download](../assets/openaev_subprocessor_windows.ps1)
+
+Put the following Input schema:
+
+
+
+
+Once created, your Remote Ops scripts should have something like this:
+
+
+
+#### Create a wrapper with your targeted assets
+
+To create a wrapper (account/site/group), go to `Settings` > `Accounts/Sites`.
+
+### Configure the OpenAEV platform
+
+!!! warning "SentinelOne API Key"
+
+ Please note that the SentinelOne API key created in "Settings/Users/Service Users" should have the following minimum role: “IR Team”. The API key and the scripts must be created for and with the same user and the required account/site.
+
+To use the SentinelOne executor, just fill the following configuration.
+
+| Parameter | Environment variable | Default value | Description |
+|:-----------------------------------------------------------|:-----------------------------------------------------------|:--------------|:------------------------------------------------------------------------------------------------------------------------------------------------------|
+| executor.sentinelone.enable | EXECUTOR_SENTINELONE_ENABLE | `false` | Enable the SentinelOne executor |
+| executor.sentinelone.url | EXECUTOR_SENTINELONE_URL | | SentinelOne URL, the API version used is the 2.1 |
+| executor.sentinelone.api-register-interval | EXECUTOR_SENTINELONE_API_REGISTER_INTERVAL | 1200 | SentinelOne API interval to register/update the accounts/sites/groups/agents in OpenAEV (in seconds) |
+| executor.sentinelone.api-batch-execution-action-pagination | EXECUTOR_SENTINELONE_API_BATCH_EXECUTION_ACTION_PAGINATION | 2500 | SentinelOne API pagination per 5 seconds to set for agents batch executions (number of agents sent per 5 seconds to SentinelOne to execute a payload) |
+| executor.sentinelone.clean-implant-interval | EXECUTOR_SENTINELONE_CLEAN_IMPLANT_INTERVAL | 8 | SentinelOne clean old implant interval (in hours) |
+| executor.sentinelone.api-key | EXECUTOR_SENTINELONE_API_KEY | | SentinelOne API key |
+| executor.sentinelone.account-id | EXECUTOR_SENTINELONE_ACCOUNT_ID | | SentinelOne account id or accounts ids separated with commas (optional if site or group is filled) |
+| executor.sentinelone.site-id | EXECUTOR_SENTINELONE_SITE_ID | | SentinelOne site id or sites ids separated with commas (optional if account or group is filled) |
+| executor.sentinelone.group-id | EXECUTOR_SENTINELONE_GROUP_ID | | SentinelOne group id or groups ids separated with commas (optional if site or account is filled) |
+| executor.sentinelone.windows-script-id | EXECUTOR_SENTINELONE_WINDOWS_SCRIPT_ID | | Id of the OpenAEV SentinelOne Windows script |
+| executor.sentinelone.unix-script-id | EXECUTOR_SENTINELONE_UNIX_SCRIPT_ID | | Id of the OpenAEV SentinelOne Unix script |
+
+### Checks
+
+Once enabled, you should see SentinelOne available in your `Install agents` section
+
+
+
+Also, the assets and the asset groups in the selected accounts/sites/groups should now be available in the endpoints and asset
+groups sections in OpenAEV:
+
+
+
+NB : An Asset can only have one SentinelOne agent installed due to the uniqueness of the MAC address parameters. If you
+try to install again a SentinelOne agent on a platform, it will overwrite the actual one and you will always see one
+Endpoint on the OpenAEV endpoint page.
+
+!!! success "Installation done"
+
+ You are now ready to leverage your SentinelOne platform to run OpenAEV payloads!
+
+---
## Caldera Agent
The Caldera agent can be leveraged to execute implants as detached processes that will the execute payloads according to
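Review bot: In the SentinelOne configuration table, `account-id`, `site-id` and `group-id` are each described as optional if another one is filled, but nothing says what happens when none is set or when several are set together. Document that, since it decides which endpoints can receive payloads. The "Upload OpenAEV scripts" steps should also state who may run the two Remote Ops scripts, as the CrowdStrike section does with its "script access" row, because the scripts execute whatever base64 payload they are given. Smaller points: "Put the following Input schema:" is followed only by blank lines here, so add the schema as text if it currently exists only in a screenshot; "wrapper" is never defined; and the closing `---` has no blank line before `## Caldera Agent`.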
diff --git a/docs/reference/deployment/telemetry.md b/docs/reference/deployment/telemetry.md
index 9042d309..45c6156e 100644
--- a/docs/reference/deployment/telemetry.md
+++ b/docs/reference/deployment/telemetry.md
@@ -34,7 +34,7 @@ The application collects statistical data related to its usage. Here is an exhau
- The total number of agents deployed
- The total number of agents deployed as services or sessions
- The total number of agents deployed for users or admins
-- The total number of agents deployed for each executor (e.g. Caldera, OpenAEV, CrowdStrike, etc.)
+- The total number of agents deployed for each executor (e.g. Caldera, OpenAEV, CrowdStrike, Tanium, SentinelOne, etc.)
- The number of simulations, scenarios, and atomic tests created
- The number of simulations or injects executed
diff --git a/docs/usage/assets.md b/docs/usage/assets.md
index 0c066608..0888b55a 100644
--- a/docs/usage/assets.md
+++ b/docs/usage/assets.md
@@ -69,7 +69,7 @@ To register new endpoints, you will need to install an agent. You can find detai
| Attribute | Meaning |
|-----------------|----------------------------------------------------------------------|
| **Name** | Local user account on the endpoint that executes the agent process |
-| **Executor** | Agent type (OpenAEV, Crowdstrike, Tanium or Caldera) |
+| **Executor** | Agent type (OpenAEV, Crowdstrike, Tanium, SentinelOne or Caldera) |
| **Privilege** | Local account's privileges on the endpoint (admin, or standard user) |
| **Deployment** | Installation type (Service or Session) |
| **Status** | Active or Inactive (threshold: 1 hour) |