# SentinelOne data source

## Applicability

Vectra has two different integrations with SentinelOne:

* This new integration (the article you are reading), which brings detection and incident signal from SentinelOne into the Vectra AI platform.
  * This requires a Respond UX (RUX) deployment.
* An existing integration that enables Lockdown and ingests data that helps Vectra's automated HostID to more accurately name hosts.
  * Please see the [SentinelOne EDR FAQ](https://docs.vectra.ai/configuration/setup/edr-integrations/sentinelone) for details about the existing integration.
  * This integration works with both Respond UX (RUX) and Quadrant UX (QUX) deployments.
    * If you are unsure of your deployment type, please see [Vectra Analyst User Experiences (Respond vs Quadrant)](https://docs.vectra.ai/deployment/getting-started/analyst-ux-options-rux-vs-qux).
* For maximum benefit, it is recommended to enable both integrations when possible.
  * Both integrations must be configured separately.

## Generating API Key in SentinelOne

Before you can configure the integration in your Vectra UI, you need to create a SentinelOne API key for use by Vectra.

* SentinelOne supports API keys for normal users and for service users.
* It is recommended to create a service user because an API key for a normal user account can only be valid for 30 days in SentinelOne.

To get credentials for SentinelOne for use with Vectra:

* Log into your SentinelOne Dashboard.
* Navigate to ***Settings > Users > Service Users > Actions > Create New Service User***

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-572f735464b2228318312991289bbad03d02687d%2Fsentinelone-data-source-1.jpg?alt=media)

* It is up to the customer to manage the expiration of the user.
* Give the new service user a name and a description (optional).
* Set the expiration date to something that complies with your internal policies and make note of the date so that you can update the credentials before they expire.
  * **Please set a reminder in the calendar of your choice to remind you to update the credentials for the integration before they expire.**
* You will next be on a screen where you will need to select the scope of access and permission level for the new service user.

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-766a45488e7e4b4776283d2ad3a10a17c82172cc%2F18a0818894719ac579bcf14e7b19fb2d064f5e042f50018694c3bebc9b1ec27f.jpg?alt=media)

* Select the appropriate scope for your deployment and then ensure that **"Viewer"** is selected as the role for the service user.
* Click **"Create User".**

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-2c10e4ff85ca6d10abaf9eda8de080e613dca22b%2Fsentinelone-data-source-3.jpg?alt=media)

* You can use the purple "Copy API Token" link to copy the API token.
  * If you lose this token, you can generate a new one, but this is the only time this token will ever be displayed.
* The only other information you will need is the hostname for the login portal you are using for your SentinelOne login.
  * In our case we were using their partner system; your "URL" for the Vectra side of the deployment will likely be different from the one in our example configuration below.
  * Please note: Do NOT include the https:// when you enter the IP or hostname; enter only the FQDN of your host.
  * Example: <https://usea1-partners.sentinelone.net>
* You now have all the information to set up the SentinelOne integration.
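
The values gathered above can be checked before they are typed into the Vectra form. This is an added example, not Vectra or SentinelOne code: it reduces a pasted portal URL to the bare host and flags a service user expiration that is close or already past. The function names, the 14-day reminder window, the decision to drop any port or path, and the placeholder token and dates are assumptions.

```python
from datetime import date
from urllib.parse import urlsplit

REMINDER_DAYS = 14  # assumed lead time; set it to match your rotation policy


def management_host(pasted: str) -> str:
    """Reduce whatever was copied from the browser to the bare host (FQDN or IP)."""
    text = pasted.strip()
    if not text or any(ch.isspace() for ch in text):
        raise ValueError("empty value or embedded whitespace")
    # urlsplit only fills in .hostname when a scheme or '//' is present.
    parts = urlsplit(text if "//" in text else "//" + text)
    if parts.username or parts.password:
        raise ValueError("credentials must not be embedded in the host value")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        raise ValueError(f"no host found in {pasted!r}")
    return host  # scheme, port, path and trailing slash are gone


def token_status(expires: date, today: date) -> str:
    """Classify the service user's expiration date against the reminder window."""
    remaining = (expires - today).days
    if remaining < 0:
        return "expired"
    return "rotate-now" if remaining <= REMINDER_DAYS else "ok"


def preflight(pasted_url: str, token: str, expires: date, today: date) -> dict:
    """Return the host to enter in the Vectra form plus any problems found."""
    problems = []
    if not token or token != token.strip():
        problems.append("API token is empty or has stray whitespace from copy/paste")
    status = token_status(expires, today)
    if status != "ok":
        problems.append("service user expiration: " + status)
    return {"host": management_host(pasted_url), "token_status": status,
            "problems": problems}


if __name__ == "__main__":
    # Constructed input: hostname from the page, placeholder token and dates.
    print(preflight("https://usea1-partners.sentinelone.net/login",
                    "PLACEHOLDER-TOKEN",
                    expires=date(2030, 6, 30), today=date(2030, 6, 20)))
```
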

## Configuring the Integration in the Vectra UI

* Navigate in your Vectra UI to *Data Sources > SentinelOne*.
* Click on the "Get Started" link in the top right.

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-278f2432709edee2a798337a7d16a87f184266f3%2Fab7ae68bddf45f4c3af00e6172d246a892e5666b7fc8a2e6783de0a04ad77d5a.jpg?alt=media)

* Give your data source connector a name and click "Create & Continue".

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-8a48a4d22366c010bd983ae82df1c416f88100bc%2Fbd398247197cdaed97b24aa796253ff041c77d107e5d59bc2725d4bf84afb72c.jpg?alt=media)

* Input the SentinelOne Management URL and API Key that you gathered earlier and click the "Finish Setup" button.

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-68668ad90b6bc817ce0c0b9c4a49fd1ef06ff48f%2F9822b24b15e3d1f3b4e44708106838f5be2f5941f6311019e4adec1823cd528d.jpg?alt=media)

* You should see a setup complete status for your connector, followed in a few minutes by a "Logs Flowing" message.
  * You can hover on the "Logs flowing" message to see a "Last Seen" message.

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-46414527a865c35861f2ae59d3f257ad1487cdf6%2Fb9ff1123e59a963495811205d6e25cff0aefb7b80a6d3730c405d06924c137f3.jpg?alt=media)

After a few minutes:

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-6ae539323debebfcdb7c435d81aba5c1d80c2aee%2Fd5105cdc635b1e8486297c99e40ebaaa02bcd04f3ddeea96fd229981af732d0b.jpg?alt=media)

* Congratulations! You have completed the integration.
