# SentinelOne

## Introduction

The SentinelOne integration enables [Host Lockdown](https://docs.vectra.ai/configuration/response/lockdown/host-lockdown-edr) and ingests data that helps Vectra's automated [HostID](https://docs.vectra.ai/reference/understanding-vectra-host-naming) name hosts more accurately.

This integration works with both Respond UX (RUX) and Quadrant UX (QUX) deployments.

* If you are unsure of your deployment type, please see [Vectra Analyst User Experiences (Respond vs Quadrant)](https://docs.vectra.ai/deployment/getting-started/analyst-ux-options-rux-vs-qux).

## Configuration:

### **How does SentinelOne integrate with my Vectra platform?**

Integration with SentinelOne adds host context to aid in host identification during a security investigation. When Vectra NDR sees a host session come online, it polls SentinelOne for host information. Host information may include the following:

* Machine ID
* Machine name
* Operating system
* Isolation status

SentinelOne host context is available under the Host Details tab of individual Host entity pages.

### **How do I enable the SentinelOne integration in Vectra NDR?**

SentinelOne is configured as an EDR Integration in your Vectra deployment.

In your Vectra UI, navigate to *Configuration → SETUP → EDR Integrations → SentinelOne*:

* Select **Edit** on the far right-hand side within the **SentinelOne** row.
* Toggle **Enable integration with SentinelOne** to **On**.

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-2cb966264b7335a6fca408d5c2c3aa1efd084007%2F38d54cb81e936b78497f07d9560ba6b4ee457515cfa8cb67ccc4973962d437fd.png?alt=media)

* Enter your SentinelOne **Management URL** and **API Token**. If you do not have this information, see the section below on where to find it.
* You can optionally enable SSL verification of the destination by checking the box next to that option.

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-cec396d8a321c44c9b2fefffd7e83cdf0edc8055%2F0bf7078a98cb206c47bcc57ebee19fc521fad653123d99e986ce2fb69b931c92.jpg?alt=media)

* Proxy support
  * If you have a proxy configured in *Configuration → COVERAGE → Data Sources → Network → Brain Setup → Proxy*, then the **Use the configured proxy in Services** option will be displayed, as in the screenshot above.
  * If you would like API communication from the Vectra Brain to SentinelOne to use the same proxy settings that Vectra uses for communication to the Vectra Cloud, then check this box.
    * If you do not check this box, the Brain will attempt to communicate with SentinelOne directly and will NOT use the configured proxy.
* Click **Save.**
* Once the credentials have been validated, the UI will provide confirmation that your configuration has been saved.
* Your SentinelOne EDR setup is now complete.

#### **Where can I find my SentinelOne Information to integrate with Vectra?**

To get credentials for SentinelOne for use with Vectra:

* Log in to your SentinelOne Dashboard.
* Navigate to *Settings → Users → Service Users → Actions → Create New Service User.*

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-572f735464b2228318312991289bbad03d02687d%2Ff234344f133453d40e49e085436159daddf197d33a01d62af5c3f1e0a1ebc58e.jpg?alt=media)

* A service user is recommended over a normal user because service users can have a longer expiration than a normal user.
  * It is up to the customer to manage the expiration of the user. Please set a reminder in the calendar of your choice to update the credentials for the integration before they expire.
* Give the new service user a name and a description (optional).
* Set the expiration date to something that complies with your internal policies and make note of the date so that you can update the credentials before they expire.
* On the next screen, select the scope of access and permission level for the new service user.

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-2ce269a9a890d8612fb277731e028a815cad9724%2F563a43cc3c216809365b2b477c81a61f085d7bb7fb6ccae87d11760dd9076333.jpg?alt=media)

* Select the appropriate scope for your deployment, then click where it says **Viewer** and pick the **Admin** role for the service user.
  * Note that the **Admin** role is required for the Host Lockdown feature. If that feature is not needed, a read-only role will work.
* Click **Create User.**

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-2c10e4ff85ca6d10abaf9eda8de080e613dca22b%2Ff733c4f829cc92d7bde46ae025098760c269e83c1c01ac316f067640ca714ed3.jpg?alt=media)

You can use the purple link to copy the API token. This is the only time this token will ever be displayed; if you lose it, you can generate a new one.

* The only other information you will need is the IP or hostname for the login portal you are using for your SentinelOne login.
  * In our case we were using their partner system, so your **URL** for the Vectra side of the deployment will likely differ from the one in our first screenshot.
  * Please note: Do NOT include `https://` when you enter the IP or hostname; enter only the IP address or FQDN of your host.
* You now have all the information to set up the SentinelOne integration.
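
The two details above that most often need attention are the host-only address format and the token expiration date. The following pre-flight check is an added example, not Vectra or SentinelOne code: `management_host` and `token_status` are hypothetical helpers, the sample host and dates are constructed, and rejecting a port or a single-label hostname is an assumption drawn from the "IP address or FQDN" wording.

```python
import ipaddress
import re
from datetime import date
from urllib.parse import urlsplit

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def management_host(pasted):
    """Reduce a pasted console address to the bare IP or FQDN (hypothetical helper)."""
    text = pasted.strip()
    # urlsplit only parses a host when an authority ("//") is present.
    parts = urlsplit(text if "://" in text else "//" + text)
    if parts.username or parts.password:
        raise ValueError("credentials must not be embedded in the address")
    if parts.port is not None:  # assumption: the field takes a host only
        raise ValueError("enter the host only, without a port")
    host = (parts.hostname or "").rstrip(".")
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass  # not an IP literal, so validate it as an FQDN below
    labels = host.split(".")
    if len(host) > 253 or len(labels) < 2 or not all(map(_LABEL.match, labels)):
        raise ValueError(f"not an IP address or FQDN: {pasted!r}")
    return host


def token_status(expires, today, warn_days=30):
    """Classify a service-user token by days left before its expiration date."""
    days_left = (expires - today).days
    if days_left < 0:
        return "expired", days_left
    return ("rotate-now" if days_left <= warn_days else "ok"), days_left


if __name__ == "__main__":
    # Constructed sample inputs, not values from a real deployment.
    print(management_host("https://console.example.net/login"))
    print(token_status(date(2025, 6, 30), today=date(2025, 6, 10)))
```

Running `token_status` from a scheduled job against the expiration date you noted gives the same warning as the calendar reminder, without depending on one person's calendar.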

### **Can SentinelOne be used for Host Lockdown?**

Yes. For more details on Host Lockdown, please check this [article](https://docs.vectra.ai/configuration/response/lockdown/host-lockdown-edr).
