SentinelOne data source
Integration with SentinelOne as a Data Source will allow detection and incident signal from SentinelOne to be ingested into the Vectra AI Platform.
Applicability
Vectra has two different integrations with SentinelOne:
This integration (the one described in this article), which brings detection and incident signal from SentinelOne into the Vectra AI Platform. It requires a Respond UX (RUX) deployment.
An existing integration that enables Lockdown and ingests data that helps Vectra's automated HostID name hosts more accurately. Please see the SentinelOne EDR FAQ for details about the existing integration. That integration works with both Respond UX (RUX) and Quadrant UX (QUX) deployments.
If you are unsure of your deployment type, please see Vectra Analyst User Experiences (Respond vs Quadrant) .
For maximum benefit, it is recommended to enable both integrations when possible.
Both integrations must be configured separately.
Generating API Key in SentinelOne
Before you can configure the integration in your Vectra UI, you need to create a SentinelOne API key for use by Vectra.
SentinelOne supports API keys for normal users and for service users.
It is recommended to create a service user: in SentinelOne, an API key for a normal user account is limited to 30 days of validity, whereas a service user's expiration date is chosen when you create it.
To get credentials for SentinelOne for use with Vectra:
Log into your SentinelOne Dashboard
Navigate to Settings > Users > Service Users > Actions > Create New Service User

Managing the expiration of this service user is the customer's responsibility; once its token expires, the Vectra connector can no longer authenticate to SentinelOne until a new token is entered.
Give the new service user a name and, optionally, a description.
Set the expiration date to a value that complies with your internal policies and make note of the date so that you can update the credentials before they expire.
Please set a reminder in the calendar of your choice so you update the credentials for the integration before they expire.
Next, select the scope of access and the permission level for the new service user.

Select the appropriate scope for your deployment and then ensure that "Viewer" is selected as the role for the service user. Viewer is a read-only role and is sufficient for this integration; do not grant the service user a higher role than it needs.
Click "Create User".

Use the purple "Copy API Token" link to copy the API token, and store it in your secrets manager or password vault.
This is the only time the token will ever be displayed. If you lose it, you can regenerate a new one, but you will then need to update the Vectra data source with the new token.
The only other information you will need is the hostname of the SentinelOne management console you log into.
Our example configuration below used SentinelOne's partner console, so the "URL" value on the Vectra side of your deployment will likely differ from the one shown.
Please note: enter only the FQDN of the console. Do NOT include the https:// prefix, a port, or any path; use just the hostname portion of the address shown in your browser.
You now have all the information to set up the SentinelOne integration.
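Before pasting the values into the Vectra UI it is worth confirming that the token works and that the hostname is in the exact form the connector expects. The script below is an added example for that purpose; it is not Vectra's or SentinelOne's code. It assumes that SentinelOne's management API authenticates with an "Authorization: ApiToken <token>" header and that GET /web/api/v2.1/system/status is a read-only endpoint a Viewer service user may call; if your console differs, substitute any read-only endpoint your role permits. The hostnames used in the comments and tests are constructed examples.

```python
"""
Added example, not from the Vectra article or from Vectra/SentinelOne.

Sanity-check the two values the Vectra SentinelOne data source needs:
  - the management console hostname, as a bare FQDN (no scheme, port or path)
  - the service-user API token

Assumptions (not stated by the article):
  - SentinelOne's management API authenticates with the header
    "Authorization: ApiToken <token>"
  - GET /web/api/v2.1/system/status is a read-only endpoint a Viewer
    service user can call; adjust CHECK_PATH if your console differs
"""
from __future__ import annotations

import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

CHECK_PATH = "/web/api/v2.1/system/status"  # assumed read-only endpoint


def normalize_management_host(value: str) -> str:
    """Reduce whatever was copied from the browser to the bare FQDN.

    "https://usea1-example.sentinelone.net/login" -> "usea1-example.sentinelone.net"
    (example hostname). Strips scheme, port, path, query and whitespace,
    and lower-cases the result. Raises ValueError if no hostname is present.
    """
    value = value.strip()
    # urlsplit only recognizes a host when a scheme is present, so add one
    # if the admin pasted "host/path" without the https:// prefix.
    if "://" not in value:
        value = "https://" + value
    host = urllib.parse.urlsplit(value).hostname or ""
    if not host:
        raise ValueError(f"no hostname found in {value!r}")
    return host.lower()


def build_check_request(host: str, api_token: str, path: str = CHECK_PATH) -> urllib.request.Request:
    """Build the authenticated request used to confirm the token is accepted."""
    if not api_token or any(c.isspace() for c in api_token):
        raise ValueError("API token is empty or contains whitespace; was it copied in full?")
    url = f"https://{host}{path}"
    headers = {
        "Authorization": f"ApiToken {api_token}",  # assumed SentinelOne auth scheme
        "Accept": "application/json",
    }
    return urllib.request.Request(url, headers=headers)


def check_credentials(host: str, api_token: str, timeout: float = 10.0) -> tuple[bool, str]:
    """Call the console; return (ok, detail). Distinguishes a rejected token
    (HTTP 401: expired, revoked, wrong console) from connectivity failures."""
    req = build_check_request(normalize_management_host(host), api_token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.load(resp)
            return True, f"HTTP {resp.status}: {json.dumps(body)[:200]}"
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            return False, "HTTP 401: token rejected (expired, revoked, or wrong console?)"
        if exc.code == 403:
            return False, "HTTP 403: token accepted but role/scope does not permit this endpoint"
        return False, f"HTTP {exc.code}: {exc.reason}"
    except urllib.error.URLError as exc:
        return False, f"connection failed: {exc.reason}"


if __name__ == "__main__":
    # Token is read from the environment so it does not land in shell history.
    if len(sys.argv) != 2 or "S1_API_TOKEN" not in os.environ:
        sys.exit("usage: S1_API_TOKEN=<token> python s1_check.py <management-host-or-url>")
    ok, detail = check_credentials(sys.argv[1], os.environ["S1_API_TOKEN"])
    print(("OK   " if ok else "FAIL ") + detail)
    sys.exit(0 if ok else 1)
```

The value printed by normalize_management_host is the one to enter in the Vectra "URL" field; a 401 from the check means the token, not the hostname, is the problem, and a 403 means the service user's scope or role is narrower than the endpoint requires.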
Configuring the Integration in the Vectra UI
Navigate in your Vectra UI to Data Sources > SentinelOne.
Click on the "Get Started" link in the top right.

Give your data source connector a name and click "Create & Continue"

Input the SentinelOne Management URL and API Key that you gathered earlier and click the "Finish Setup" button.

You should see a setup complete status for your connector, followed in a few minutes by a "Logs Flowing" message.
You can hover on the "Logs flowing" message to see a "Last Seen" message.


Congratulations! You have completed the integration.