☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis Docs Home
About XDR
Get Started
- Get Started with XDR
- Top 5 Tasks
Integrate with XDR
- Integration Overview
- Data Source Integration Definitions
- All Available Integrations
- Add Data Collectors
- Add Endpoint Agents
- Forward Data to XDR
- Create Custom Parsers
  - Overview
  - Syntax
  - Repeating Fields
  - Overriding and Extending Global Parsers
  - Supported Schemas
  - All Schemas
    - Antivirus
    - Auth
    - CloudAudit
    - DHCP
    - DNS
    - Email
    - Encrypt
    - FileMod
    - HTTP
    - Management Event
    - Netflow
    - NIDS
    - Process
    - Registry
    - Thirdparty
    - Types
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connectors
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence, Hunting, and Detection
- Threat Intelligence
- Threat Hunting
  - Hunting with Jupyter Notebooks
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
XDR Admin
- Your Account
- Tenant Settings
APIs, SDK, and Magic
- Using XDR GraphQL APIs
- API Authentication
- XDR Python SDK
- Taegis Magic Jupyter Integration
  - Overview
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Bring Your Own Threat Intelligence API
  - Using the BYOTI API
  - BYOTI GraphQL API
- Collector APIs
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Using the Users GraphQL API
- Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
Secureworks Products, Services, and Policies
- Managed iSensor
- ManagedXDR
- ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- ManagedXDR for OT
- ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- ManagedXDR–Managed iSensor Add-on
- Secureworks Professional Services
- Legal

SentinelOne

Use the following instructions to configure an integration between SentinelOne and Secureworks® Taegis™ XDR. The instructions are based on Version V of SentinelOne Management Console.

Note

This integration requires the SentinelOne Cloud Funnel add-on. Customers must contact their SentinelOne account representative for pricing details about Cloud Funnel.

Note

Currently, only apne1, apse1, euce1, and usea1 SentinelOne regions are supported by this integration. If your SentinelOne Management Console URL does not start with apne1, apse1, euce1, or usea1, please contact Secureworks Support.

Data Provided from Integration ⫘

	Alerts	Auth	DNS	File Collection	HTTP	NIDS	Netflow	Process	File Modification	API Call	Registry	Scriptblock	Management	Persistence	Thread Injection
SentinelOne	✓	✓	✓		✓		✓	✓	✓	✓	✓	✓		✓	✓

Create a Service User in SentinelOne Management Console ⫘

Note

You need the following SentinelOne RBAC permissions to perform steps in this section: Roles and Service Users (View, Create, Edit, Delete). The built-in Admin role has these permissions.

Create a Role for the Service User ⫘

In the SentinelOne Management Console, navigate to Settings → USERS → Roles.
Select the built-in Viewer role, then choose Duplicate Role in the Actions drop down menu.

Duplicate Viewer Role

Choose a name for the new user role then select Next.

Choose Role Name

Select Cloud Funnel in the left pane. Choose Select All to allow full access to Cloud Funnel, then select Save.

Allow Full Access to Cloud Funnel

Create a Service User ⫘

In the SentinelOne Management Console, navigate to Settings→USERS→Service Users. Choose Create New Service User from the Actions drop down menu.

Create New Service User

Configure the Basic Parameters of the Service User ⫘

Add a Name. This identifies the user in SentinelOne Management Console. The name cannot have an equal sign (=) or angle bracket characters ( <, >).
Enter an optional Description to identify the user.
Set the Expiration Date of the API token. The default is one year. Select Custom to set a different date and time.

Note

The expiration time can be as long or as short as necessary; but after you create the service user, you cannot change the expiration date. Make sure that you create another service user and re-create the integration with XDR before the expiration date. You can copy the existing service user to re-create it.

When you’re done with the basic parameters, select Next.

Configure Service User Basics

Configure the Scope of Access of the Service User ⫘

Under Access Level, select the Account tile.
Under Accounts Selected, select the account to be integrated with XDR, and the role created in the step above, Create a Role For the Service User.
Select Create User.

Configure Service User Scope

Securely copy the API token associated with the service user, then choose Close.

Copy API Token

Configure SentinelOne Deep Visibility Policy ⫘

In the SentinelOne Management Console, navigate to Sentinels → POLICY.
Find the Deep Visibility section and ensure that Enable Deep Visibility option is selected.

XDR integration supports the following Deep Visibility event categories:

Process
DNS
Registry Keys
Command Scripts
File
IP
Scheduled Tasks
Cross Process
URL
Login
Behavioral Indicators
Module (may not be configurable in the policy)

If you want the integration to ingest these event categories, select the corresponding options in the Deep Visibility Policy. Ensure that all event types in these categories are selected in Event Type Configuration as well.

Select Save Changes to save any changes.

Configure Deep Visibility Policy

Create Your SentinelOne Integration in XDR ⫘

In XDR, navigate to Integrations→Cloud APIs, then choose Add API Integration from the top right corner.
Choose Set Up SentinelOne.
Enter a Name. This is how the integration is identified in XDR.
Enter the Management Console URL. This is the address of your SentinelOne Management Console. For example, usea1-999-example.sentinelone.net.
Add the API Token. This is the API token you securely copied from Copy API Token above.
Add the Account ID. This is the ID of the SentinelOne account to be integrated with XDR.
When satisfied with the above configuration, select Add.

Note

The integration configures a Cloud Funnel that uses a Secureworks-owned S3 bucket. The S3 bucket name is similar to taegis-sentinelone-1-3z6ywcdee3bw3wcxz4d1sskhy4zfsuse1b-s3alias. Please do not change this Cloud Funnel configuration while the integration is in use.

Add XDR Integration

SentinelOne

Data Provided from Integration ⫘

Create a Service User in SentinelOne Management Console ⫘

Create a Role for the Service User ⫘

Create a Service User ⫘

Configure the Basic Parameters of the Service User ⫘

Configure the Scope of Access of the Service User ⫘

Configure SentinelOne Deep Visibility Policy ⫘

Create Your SentinelOne Integration in XDR ⫘

On this page: