SentinelOne
Applicability
Vectra has two different integrations with SentinelOne:
An existing integration (the one described on this page) that enables Host Lockdown and ingests host context that helps Vectra's automated Host ID name hosts more accurately.
This integration works with both Respond UX (RUX) and Quadrant UX (QUX) deployments.
If you are unsure of your deployment type, please see Vectra Analyst User Experiences (Respond vs Quadrant).
A new integration that brings detection and incident signal from SentinelOne into the Vectra AI platform.
This requires a Respond UX (RUX) deployment.
Please see the SentinelOne Data Source Connector Deployment for details about the new integration.
For maximum benefit, it is recommended to enable both integrations when possible.
Both integrations must be configured separately.
SentinelOne EDR FAQ
What is SentinelOne?
SentinelOne is a unified endpoint security platform for preventative protection, post-breach detection, automated investigation, and response.
Integration:
How does SentinelOne integrate with my Vectra platform?
Integration with SentinelOne adds host context to aid in host identification during a security investigation. When Vectra NDR sees a host session come online, it polls the SentinelOne Management API for information about that host. Host information may include the following:
Machine ID
Machine name
Operating system
Isolation status
SentinelOne host context is available under the Host Details tab of individual Host entity pages.
How do I enable the SentinelOne integration in Vectra NDR?
SentinelOne is configured under the EDR Integrations tab. In your Vectra UI, navigate to *Settings -> EDR Integrations -> SentinelOne*:
Select Edit on the far right-hand side of the SentinelOne row.
Toggle Enable integration with SentinelOne to On.
Enter your SentinelOne Management URL and API Token. If you do not have this information, see the section below on how to obtain it.
You can optionally enable SSL verification of the destination by checking the box next to that option. Enabling it is recommended: the API token is sent with every request the Brain makes to SentinelOne, and without certificate verification the Brain cannot distinguish the real SentinelOne console from an intercepting or spoofed endpoint.
Proxy support
If you have a proxy configured under Data Sources > Network > Brain Setup > Proxy, the option "Use the configured proxy in Services" is displayed.
If you want API communication from the Vectra Brain to SentinelOne to use the same proxy settings that Vectra uses for communication with the Vectra Cloud, check this box.
If you do not check this box, the Brain attempts to communicate with SentinelOne directly and does NOT use the configured proxy.
Click Save.
Once the credentials have been validated against SentinelOne, the UI confirms that your configuration has been saved. If validation fails, re-check the Management URL (no scheme, see below), the token, and whether the Brain needs the proxy to reach the console.
Your SentinelOne EDR setup is now complete.
Where can I find my SentinelOne Information to integrate with Vectra?
To get credentials for SentinelOne for use with Vectra:
Log into your SentinelOne Dashboard
Navigate to Settings > Users > Service Users > Actions > Create New Service User
It is recommended to use a service user rather than a normal user, because a service user's token can be given a longer expiration than a normal user's, and it is not tied to a person who may leave or change roles.
It is up to the customer to manage the expiration of the user. Set a reminder in the calendar of your choice to update the credentials for the integration before they expire; when the token expires, the integration stops polling SentinelOne and host context is no longer enriched.
Give the new service user a name and a description (optional).
Set the expiration date to something that complies with your internal policies and make note of the date so that you can update the credentials before they expire.
You will next be on a screen where you select the scope of access and the permission level for the new service user.
Select the appropriate scope for your deployment: limit the service user to the account or sites whose hosts Vectra monitors, rather than the whole tenant. Then click where it says "Viewer" and choose the role for the service user.
Note that the "Admin" role is required only for the Host Lockdown feature. If Lockdown is not needed, a read-only role such as Viewer is sufficient and should be preferred, since the token is stored on the Brain and a read-only token cannot isolate or modify hosts if it is ever exposed.
Click "Create User".
You can use the purple link to copy the API token. If you lose this token you can generate a new one, but this is the only time the token is displayed. Treat it as a secret: it carries the full role you just assigned to the service user.
The only other information you need is the IP address or hostname of the SentinelOne management console you log into.
In our case we were using their partner system, so the "URL" on the Vectra side of your deployment will likely differ from the one in our first screenshot. Please note: do NOT include the https:// prefix; enter only the IP address or FQDN of your console.
You now have all the information to set up the SentinelOne integration.
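Before pasting the token into Vectra, it is worth confirming from a host that can reach the console that the new service user actually authenticates and has the scope you intended. The script below is an added example, not Vectra's or SentinelOne's code. It assumes the SentinelOne Management API v2.1 `agents` endpoint and the `Authorization: ApiToken <token>` header scheme, and the agent fields `id`, `computerName`, `osName` and `networkStatus`; confirm these against the API reference inside your own console. The sample response embedded for offline use is constructed. It also mirrors two points from the procedure above: the Management URL is normalised to a bare host (no `https://`), and TLS verification is always on, since the token is sent with every request.

```python
"""Pre-flight check of a SentinelOne service-user token before entering it
into Vectra (Settings -> EDR Integrations -> SentinelOne).

Added example; assumptions (verify against your console's API Doc):
  - endpoint GET /web/api/v2.1/agents
  - header  Authorization: ApiToken <token>
  - agent fields id, computerName, osName, networkStatus
"""
import json
import re
import ssl
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

AGENTS_PATH = "/web/api/v2.1/agents"  # assumed endpoint path

# Constructed sample shaped like an agents listing; lets the parsing run offline.
SAMPLE_AGENTS_RESPONSE = {
    "data": [
        {"id": "1234567890123456789", "computerName": "WS-042",
         "osName": "Windows 11 Pro", "networkStatus": "connected"},
        {"id": "9876543210987654321", "computerName": "srv-db01",
         "osName": "Ubuntu 22.04", "networkStatus": "disconnected"},
    ],
    "pagination": {"totalItems": 2, "nextCursor": None},
}


def normalise_management_host(value: str) -> str:
    """Return a bare host[:port], which is what the Vectra URL field expects.

    A pasted 'https://console/...' URL is the common mistake, so strip the
    scheme and path instead of failing; reject anything that is not a host.
    """
    value = value.strip()
    host = urlsplit(value).netloc if "://" in value else value.split("/", 1)[0]
    if not host or not re.fullmatch(r"[A-Za-z0-9.\-]+(:\d{1,5})?", host):
        raise ValueError(f"not a bare hostname or IP: {value!r}")
    return host


def build_agents_request(host: str, token: str, limit: int = 5) -> urllib.request.Request:
    """Build the GET that resembles Vectra's Host ID poll: list a few agents."""
    url = f"https://{normalise_management_host(host)}{AGENTS_PATH}?limit={limit}"
    headers = {
        "Authorization": f"ApiToken {token}",  # assumed header scheme
        "Accept": "application/json",
    }
    return urllib.request.Request(url, headers=headers)


def summarise_agents(payload: dict) -> list:
    """Reduce an agents response to the fields Vectra shows under Host Details."""
    rows = []
    for agent in payload.get("data", []):
        rows.append({
            "machine_id": agent.get("id"),
            "machine_name": agent.get("computerName"),
            "os": agent.get("osName"),
            # Assumed: a network-quarantined (locked-down) agent reports 'disconnected'.
            "isolated": agent.get("networkStatus") == "disconnected",
        })
    return rows


def check_token(host: str, token: str, timeout: float = 15.0) -> list:
    """Live check. 401 means the token is wrong or expired; 403 means it
    authenticated but the service user's scope does not cover this site."""
    req = build_agents_request(host, token)
    # Default context verifies the certificate and hostname; no opt-out on
    # purpose, because turning it off sends the token to whoever answers.
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            payload = json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            raise SystemExit("401: token rejected (expired or mistyped?)") from exc
        if exc.code == 403:
            raise SystemExit("403: token accepted but scope does not cover this site") from exc
        raise
    return summarise_agents(payload)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: s1_token_check.py <management-host> <api-token>")
    for row in check_token(sys.argv[1], sys.argv[2]):
        print(row)
```

Run it once with the console hostname and the freshly copied token; a short list of agents means the token works and the scope includes at least one site, while a 403 on a Viewer token is the signal to widen the scope rather than to escalate the role.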
Can SentinelOne be used for Host Lockdown?
Yes. Vectra NDR release 6.7 introduced support for Host Lockdown using SentinelOne; it requires the service user to hold the Admin role described above. For more details, please see this article.