A browser-based tool for building SentinelOne agent Policy Override (PO) JSON. Select from a library of validated templates across Windows, Linux, and macOS, or paste custom JSON blocks — the tool deep-merges everything into a single ready-to-deploy output.
- Select your platform — choose Windows, Linux, or macOS using the tabs at the top.
- Add override blocks — use the left panel to pick a template (grouped by category) or paste your own JSON directly into the editor.
- Label the block (optional) — give it a name, or leave it blank and the top-level key(s) will be used automatically.
- Click "+ Add Block" — the block appears in the right panel and the merged JSON output updates instantly below it.
- Export — copy to clipboard or download the final JSON file, ready to apply as a Policy Override in the SentinelOne console.
Each block is deep-merged in order, so later blocks override earlier ones on any conflicting keys.
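The ordered merge described above, as an added example that is not the PO-Generator source. It goes one step beyond the text by recording every path where a later block replaced an earlier value, so an override can be reviewed before export. Assumptions: the key names are constructed placeholders rather than real Policy Override keys, and arrays are replaced whole rather than concatenated.

```javascript
// Added example, not PO-Generator code. Key names are constructed placeholders.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

const isPlainObject = (v) =>
  v !== null && typeof v === "object" && !Array.isArray(v);

// Merge `source` into `target`, recording each path where an existing value
// is replaced. Assumption: arrays and scalars are replaced whole.
function mergeInto(target, source, label, path, conflicts) {
  for (const [key, value] of Object.entries(source)) {
    // Pasted JSON can carry these keys; merging them would alter prototypes.
    if (UNSAFE_KEYS.has(key)) continue;
    const here = path ? `${path}.${key}` : key;
    const hasKey = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(value) && hasKey && isPlainObject(target[key])) {
      mergeInto(target[key], value, label, here, conflicts);
    } else {
      if (hasKey && JSON.stringify(target[key]) !== JSON.stringify(value)) {
        conflicts.push({ path: here, from: target[key], to: value, block: label });
      }
      target[key] = structuredClone(value);
    }
  }
  return target;
}

// Merge labelled blocks in order; later blocks win on conflicting keys.
function mergeBlocks(blocks) {
  const conflicts = [];
  const merged = {};
  for (const { label, json } of blocks) {
    mergeInto(merged, JSON.parse(json), label, "", conflicts);
  }
  return { merged, conflicts };
}

// Constructed sample blocks (hypothetical keys).
const sampleBlocks = [
  { label: "baseline", json: '{"exampleEngine":{"enabled":true,"level":2},"exampleList":["a"]}' },
  { label: "tuning", json: '{"exampleEngine":{"level":5},"exampleList":["b"],"__proto__":{"polluted":true}}' },
];
const result = mergeBlocks(sampleBlocks);
console.log(JSON.stringify(result, null, 2));
```

The `conflicts` array lists `exampleEngine.level` and `exampleList` as overridden by the `tuning` block, while `exampleEngine.enabled` survives from `baseline`.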
- Node.js 18 or later
- npm (comes with Node)
```bash
git clone https://github.com/mickbrowns1/PO-Generator.git
cd PO-Generator
npm install
npm run dev
```

The app will be available at http://localhost:3000.

| Command | Description |
|---|---|
| `npm run dev` | Start the development server with hot reload |
| `npm run build` | Build the production bundle |
| `npm run start` | Serve the production build locally |
| `npm run lint` | Run the Next.js linter |

Docker is the recommended way to deploy or share the tool without needing Node installed.
- Docker Desktop (Mac/Windows) or Docker Engine + Docker Compose (Linux)
```bash
git clone https://github.com/mickbrowns1/PO-Generator.git
cd PO-Generator
docker compose up --build
```

The app will be available at http://localhost:3000.

To stop it:

```bash
docker compose down
```

To run it in the background (detached):

```bash
docker compose up --build -d
```

Check it's running:

```bash
docker compose ps
```

View logs:

```bash
docker compose logs -f
```

Stop it:

```bash
docker compose down
```

Build the image:

```bash
docker build -t po-generator .
```

Run it:

```bash
docker run -p 3000:3000 po-generator
```

Run in the background:

```bash
docker run -d -p 3000:3000 --name po-generator --restart unless-stopped po-generator
```

Stop and remove the container:

```bash
docker stop po-generator && docker rm po-generator
```

To run on a different host port (e.g. 8080), edit `docker-compose.yml`:

```yaml
ports:
  - "8080:3000"
```

Or pass it directly with `docker run`:

```bash
docker run -p 8080:3000 po-generator
```

Then open http://localhost:8080.

The Dockerfile uses a three-stage build to keep the final image small:
- deps — installs npm dependencies via `npm ci`
- builder — runs `next build` to produce a standalone output bundle
- runner — copies only the built output into a minimal Alpine image, runs as a non-root user
The resulting image contains no source code, no node_modules, and no dev tooling.
| Platform | Categories |
|---|---|
| Windows | Special Images, Deep Visibility, Behavioral Logic, Indicators & Detectors, Exclusions, Credential Protection, Exploit Prevention, Deep Hooking, Detection Extensions, Scanning, Agent UI, Injection, Named Pipes, Disk & Diagnostics, Communication |
| Linux | Anti-Tamper, Brute Force, Communication, Containers, Deep Visibility, eBPF, Engines, Events, File Monitoring, Firewall, Forensics & Diagnostics, Indicators & Detectors, Mitigation, Network, Ransomware, Remote Operations, Resource Limits, Security, Telemetry |
| macOS | Agent UI, Communication, Deep Visibility, Detection, Device Control, Firewall, Forensics, General, Indicators & Detectors, Network, Remediation, Remote Operations, Scanner |
Use the Import button in the top-right to paste an existing Policy Override JSON. The tool will load it as the base config for the current platform. You can then add further override blocks on top.
Use Reset to return to the default config for the selected platform.