SentinelOne data source

Integrating SentinelOne as a Data Source lets the Vectra AI Platform ingest detection and incident signal from SentinelOne.

Applicability

Vectra has two different integrations with SentinelOne:

  • This new integration (the article you are reading) that brings detection and incident signal from SentinelOne into the Vectra AI platform.

    • This requires a Respond UX (RUX) deployment.

  • An existing integration that enables Lockdown and ingests data that helps Vectra's automated HostID to more accurately name hosts.

  • For maximum benefit, it is recommended to enable both integrations when possible.

    • Both integrations must be configured separately.

Generating API Key in SentinelOne

Before you can configure the integration in your Vectra UI, you need to create a SentinelOne API key for use by Vectra.

  • SentinelOne supports API keys for normal users and for service users.

  • It is recommended to create a service user, because an API key issued to a normal user account is only valid for 30 days in SentinelOne.

To get credentials for SentinelOne for use with Vectra:

  • Log into your SentinelOne Dashboard

  • Navigate to Settings > Users > Service Users > Actions > Create New Service User

  • Managing the expiration of this service user is the customer's responsibility.

  • Give the new service user a name and a description (optional).

  • Set the expiration date to something that complies with your internal policies and make note of the date so that you can update the credentials before they expire.

    • Please set a reminder in the calendar of your choice to remind you to update the credentials for the integration before they expire.

  • The next screen asks you to select the scope of access and the permission level (role) for the new service user.

  • Select the appropriate scope for your deployment and then ensure that "Viewer" is selected as the role for the service user. This integration only reads detection and incident data, so the read-only Viewer role is sufficient; a higher role would give the stored token more power than the connector needs.

  • Click "Create User".

  • You can use the purple "Copy API Token" link to copy the API token.

    • If you lose this token you can generate a new one, but this is the only time this token will ever be displayed. Treat it as a credential: it carries the scope and role you just assigned.

  • The only other information you will need is the hostname of the SentinelOne management console you log in to.

    • In our case we were using their partner system, so the "URL" on the Vectra side of your deployment will likely differ from the example configuration below.

    • Please note: Do NOT include https:// when entering the IP or hostname. Enter only the FQDN of your console, with no scheme, port or path.

  • You now have all the information to set up the SentinelOne integration.
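The following script is an added example (not Vectra's or SentinelOne's own code) that pre-flights what you just gathered before it goes into the Vectra UI: it reduces a pasted console URL to the bare FQDN the connector expects, classifies the expiration date you noted for the service user against a rotation window, and optionally makes one read-only API call to confirm the token works with the Viewer role. The script name, the `S1_API_TOKEN` environment variable and the 14-day warning window are this example's own conventions; the `GET /web/api/v2.1/threats` endpoint and the `Authorization: ApiToken` header are the standard SentinelOne REST conventions, but verify them against your console's API reference.

```python
"""Pre-flight check of SentinelOne credentials before entering them in Vectra.
Added example, not Vectra or SentinelOne code.  Only the live smoke test needs
network access; everything else runs offline."""
from __future__ import annotations

import ipaddress
import json
import os
import re
import sys
import urllib.error
import urllib.request
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Conservative FQDN shape: one or more labels plus a TLD, all lowercase.
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


def normalize_management_host(raw: str) -> str:
    """Turn whatever was pasted (console URL, URL with path or port, mixed case)
    into the bare hostname the Vectra connector expects: no scheme, port or path."""
    value = raw.strip()
    # urlsplit only fills .hostname when a scheme is present, so supply one.
    parts = urlsplit(value if "://" in value else "https://" + value)
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)  # a literal IP address is accepted as-is
        return host
    except ValueError:
        pass
    if not _FQDN_RE.match(host):
        raise ValueError(f"not a usable hostname: {raw!r}")
    return host


def _parse_iso(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp.  A trailing 'Z' is rewritten for
    datetime.fromisoformat on Python < 3.11; naive values are taken as UTC."""
    dt = datetime.fromisoformat(ts.strip().replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_expiry(expires_at: str, warn_days: int = 14,
                 now_iso: str | None = None) -> tuple[str, int]:
    """Classify the expiration date recorded when the service user was created.
    Returns (status, days_left) with status 'expired', 'rotate-soon' or 'ok'."""
    now = _parse_iso(now_iso) if now_iso else datetime.now(timezone.utc)
    days_left = (_parse_iso(expires_at) - now).days
    if days_left < 0:
        return "expired", days_left
    if days_left <= warn_days:
        return "rotate-soon", days_left
    return "ok", days_left


def smoke_test_token(host: str, token: str, timeout: float = 10.0) -> str:
    """Live check (network required): read one threat with the token.  A Viewer
    service user can read threats, which is all this data-source integration
    needs.  Endpoint and header follow SentinelOne's REST conventions
    (GET /web/api/v2.1/threats, 'Authorization: ApiToken <token>'); confirm
    against your console's API reference if your version differs."""
    req = urllib.request.Request(
        f"https://{host}/web/api/v2.1/threats?limit=1",
        headers={"Authorization": f"ApiToken {token}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            json.load(resp)  # well-formed JSON means the console answered us
            return "ok"
    except urllib.error.HTTPError as e:
        if e.code == 401:
            return "token-rejected"
        if e.code == 403:
            return "insufficient-scope-or-role"
        return f"http-{e.code}"


if __name__ == "__main__":
    # usage: S1_API_TOKEN=... python s1_preflight.py <console URL or host> <expiry ISO-8601>
    # S1_API_TOKEN is this script's convention, not a SentinelOne variable; the
    # token is read from the environment so it never lands in shell history.
    host = normalize_management_host(sys.argv[1])
    status, days = check_expiry(sys.argv[2])
    print(f"host for the Vectra UI: {host}")
    print(f"token expiry: {status} ({days} days left)")
    token = os.environ.get("S1_API_TOKEN")
    if token:
        print(f"live check: {smoke_test_token(host, token)}")
```

Run it with the date you noted at service-user creation; "rotate-soon" is the cue to generate and re-enter a new token before the connector stops ingesting. If the live check returns "insufficient-scope-or-role", the service user's scope does not cover the sites whose detections you expect, not the role, since Viewer already permits reads.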

Configuring the Integration in the Vectra UI

  • Navigate in your Vectra UI to Data Sources > SentinelOne.

  • Click on the "Get Started" link in the top right.

  • Give your data source connector a name and click "Create & Continue".

  • Input the SentinelOne Management URL and API Key that you gathered earlier and click the "Finish Setup" button.

  • You should see a setup complete status for your connector, followed in a few minutes by a "Logs Flowing" message.

    • You can hover on the "Logs flowing" message to see a "Last Seen" message.


  • Congratulations! You have completed the integration.
