Advance Notice: EDR “Tokyo” Release Announcement

We are pleased to announce that on Wednesday February 15th Endpoint Detection and Response (EDR) will be updated to SentinelOne’s “Tokyo” SP4. This release delivers significant enhancements to the management console.  

Excited to share some of the highlights below and please be sure to read the full Release Notes and supporting documentation available here:

“Tokyo” SP4 includes:

New Management User Type – Service Users

  • From version Tokyo SP4, there are two types of users: Console and Service. Both are created and managed similarly, but they have different purposes.
  • Console Users can access the Management Console or API and are each connected to a permanent email address.
  • Service Users (New in Tokyo SP4) can only use the API, and their API token is not linked to a specific Console user or email address.

    For example, when you require a Console API token for an integration with a specific product, you can create a service user for the integration.

Characteristics of a Service User:

  • Can use the API but cannot log in to the Management Console.
  • Has a name and optional description but an email address is not required. The name cannot be changed after you create the user, but the description can be changed.
  • The name of a service user is not required to be unique in the scope or in the environment. We recommend that you use unique names for tracking and auditing.
  • 2FA and SSO requirements do not apply.
  • Uses the same RBAC and scopes as Console users.
  • You can choose the expiration date of the API token when you create a service user. The expiration time can be as long or as short as necessary. After you create the service user, you cannot change the expire date.
  • For example, click Custom to select a date in three years or to enter an exact time on the same day as the user was created.

Behavior Change in Filters with Free Text

From Tokyo there is a change in how commas are applied in free text filters in the Console.

  • Commas are now considered part of the search string. This makes it possible to use filter strings, such as “VMware, Inc” that include commas. As a result, if you enter xxx,yyy,zzz, the Console searches for a complete string that contains commas.
  • To search for xxx or yyy or zzz, enter “xxx,yyy,zzz” in the free text filter, with quotes at the start and end. A space after each comma is optional.

    Example of a search for an endpoint serial number that contains one of three strings: “431,432,456”

Improved Control for API Token Generation

  • API tokens let users run API requests on your Management Console. This is a powerful capability that is usually required for specific needs and integrations. From Version Tokyo SP4, you have increased control over which users in your environment can generate API tokens and increased visibility for actions related to API tokens. Users with permission can revoke API tokens of other users, as necessary for security, to make sure that only users who require an API token have one.
  • There is granular control to set if users can generate API tokens for themselves, or if they can also enable others to generate tokens.

    The ability to generate an API token for yourself requires a per-user setting in the User Details that is not related to RBAC permissions. The ability to enable other users to create their own token requires RBAC permissions for API tokens. The predefined Admin role has all of these requirements. All other predefined roles do not have these RBAC permissions or the user setting. Admin users can enable the API Token settings for other users when necessary. You can also create custom roles with the new RBAC permissions.
  • To generate an API token for yourself:
    There is a specific setting for users who can generate API tokens: Can generate API Token. If this is enabled in your User Details, you can generate an API token. If it is disabled, you cannot generate an API token.

    This setting does not require RBAC permissions. A user with the API Token RBAC permission can enable or disable this setting for other users.
  • To generate API tokens for others:
    There are two new RBAC permissions related to API tokens in the Users permissions:
    • Users Can enable Generate API Token setting for self and others – Users with this permission can give other users the ability to create their own token. They can enable and disable the Can generate API Token setting in the User Details for other users.
    • Users Can Revoke API Tokens for others – Users with this permission can revoke API Tokens for other users who do not require them.

New Filters in the Sites Page

  • In Settings > Sites, you can now use filters to find and organize your Sites. For example, find all Sites with a specific SKU.

Endpoint and User Filters for Activities

  • Use the new User Email and Endpoint Name filters to select users and endpoints and filter the activities more specifically.
  • You can select multiple values for each filter. The Console uses an OR filter between the values to search for each value separately. For example, if you search for two user emails and two endpoint names, activities that contain one of the values will show in the filter.

Export Sites and Accounts to CSV

  • Export a list of Sites or Accounts with their SKU and License information from Settings > Sites or Settings > Accounts to a CSV file. The export is based on the current scope and filters.
  • Use the list to audit your scopes and their SKUs and the number of licenses compared to the number of active Agents.

Change in Account, Site and Group Name Requirements

  • Angle bracket characters, < and > , are no longer valid in Account, Site, and Group names.
  • If a scope has an angle bracket in its name before the Console is upgraded to Tokyo GA, no change is required. But if you edit the properties of the scope, you must remove the angle bracket characters from the scope name before you can save the changes.

    For example, a Site has the name MNP > CA. If you want to change the expiration date or licenses for the Site, you must change the Site’s name also.

We would also like to announce that N-able’s MSP Institute (available in our Partner Success Center) now includes a full Getting Started with EDR series with videos covering a wide range of topics.

The console update release is scheduled for completion within an eight-hour maintenance window and will begin on Wednesday, February 15th , at 10 am IDT / 9 am UTC +2/ 3 am EDT.  A few important things to note during this time:

  • All endpoints will continue to be protected.
  • EDR management console login and API access may be unavailable.

One final reminder do not forget to check out the full Release Notes at

As always, feedback is welcome on the release.

This entry was posted in N-central, N-sight. Bookmark the permalink.