SentinelOne Agent Monitor
Brief description
This custom monitor collects SentinelOne Windows agent health and status directly from the endpoint using sentinelctl. It exposes seven fields to N-central for alerting and dashboards: agent status, version, whether the device requires a reboot, whether security is being enforced, last seen time, whether active threats are present, and whether the agent is up to date versus your approved version. The monitor can optionally take an Input Version parameter so you can track upgrade compliance across sites. It writes a transcript to C:\Temp\Logs\SentinelOne_Monitor.log for easy troubleshooting.
Check it out here: https://developer.n-able.com/n-central/update/recipes/sentinelone-agent-monitor-enhanced#/
Inputs
InputVersion (string, optional) - set to your approved SentinelOne Windows agent version to drive the UpToDate flag.
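One way to derive the UpToDate flag from InputVersion, as an added example that is not the monitor's own code. The function names, the "at least the approved version" rule, the behaviour when InputVersion is empty, and the sample version strings are assumptions made for illustration.

```powershell
# Added example: hypothetical helpers, not taken from the monitor script.
function ConvertTo-FourPartVersion {
    param([string]$Text)
    $parsed = $null
    # TryParse returns $false on malformed input instead of throwing.
    if (-not [version]::TryParse($Text.Trim(), [ref]$parsed)) { return $null }
    # System.Version reports missing Build/Revision as -1, which would make
    # "1.2.3" sort below "1.2.3.0"; treat missing parts as 0.
    $build    = [Math]::Max($parsed.Build, 0)
    $revision = [Math]::Max($parsed.Revision, 0)
    return New-Object System.Version -ArgumentList $parsed.Major, $parsed.Minor, $build, $revision
}

function Test-AgentUpToDate {
    [OutputType([bool])]
    param(
        [Parameter(Mandatory)][string]$InstalledVersion,
        [string]$InputVersion
    )
    # Assumption: with no approved version supplied there is nothing to
    # compare against, so the flag stays true.
    if ([string]::IsNullOrWhiteSpace($InputVersion)) { return $true }

    $approved = ConvertTo-FourPartVersion $InputVersion
    if ($null -eq $approved) {
        throw "InputVersion '$InputVersion' is not a dotted version string."
    }
    $installed = ConvertTo-FourPartVersion $InstalledVersion
    # An unreadable installed version is reported as not compliant.
    if ($null -eq $installed) { return $false }

    # Assumption: "up to date" means installed is at least the approved version.
    return ($installed -ge $approved)
}

# Constructed sample values, not real SentinelOne release numbers.
$installedSample = '23.10.1.5'
$approvedSample  = '23.9.4.2'

# Comparing the raw strings orders "23.10" before "23.9"; comparing parsed
# versions component by component does not. Print both to see the difference.
[pscustomobject]@{
    StringCompareSaysOutdated = ($installedSample -lt $approvedSample)
    AgentUpToDate             = Test-AgentUpToDate -InstalledVersion $installedSample -InputVersion $approvedSample
}
```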
Outputs
NCOD_AgentStatus - string
NCOD_AgentVersion - string
NCOD_RequireReboot - boolean
NCOD_EnforcingSecurity - boolean
NCOD_LastSeen - datetime
NCOD_ActiveThreats - boolean
NCOD_AgentUpToDate - boolean
Notes
Windows endpoints only. Script locates and runs SentinelCtl.exe under Program Files\SentinelOne. Creates C:\Temp\Logs if it does not exist and appends to SentinelOne_Monitor.log. Runs locally on the device via N-central.
Version info from the file
Script header version: 1.0.1.0
AMP package metadata version: 2.10.0.19
Author: harish.sharma
Company: Red Rhino Networks
Changelog
1.0.1 - 2025-10-07
Initial public release of the custom monitor.
Added optional InputVersion parameter to compare installed agent version against an approved target.
Collected and published these fields to N-central: Agent Status, Agent Version, Require Reboot, Enforcing Security, Last Seen, Active Threats, Agent UpToDate.
Implemented transcript logging to C:\Temp\Logs\SentinelOne_Monitor.log.
Note: The output names include the NCOD prefix; you can change this if you prefer a different naming format.