🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

SentinelOne

integrations endpoints sentinelone edr


Use the following instructions to configure an integration between SentinelOne and Secureworks® Taegis™ XDR. The instructions are based on Version V of SentinelOne Management Console.

Note

This integration requires the SentinelOne Cloud Funnel add-on. Customers must contact their SentinelOne account representative for pricing details about Cloud Funnel.

Note

Currently, only apne1, apse1, euce1, and usea1 SentinelOne regions are supported by this integration. If your SentinelOne Management Console URL does not start with apne1, apse1, euce1, or usea1, please contact Secureworks Support.

Data Provided from Integration

  Alerts Auth DNS File Collection HTTP NIDS Netflow Process File Modification API Call Registry Scriptblock Management Persistence Thread Injection
SentinelOne      

Create a Service User in SentinelOne Management Console

Note

You need the following SentinelOne RBAC permissions to perform steps in this section: Roles and Service Users (View, Create, Edit, Delete). The built-in Admin role has these permissions.

Create a Role for the Service User

  1. In the SentinelOne Management Console, navigate to Settings → USERS → Roles.
  2. Select the built-in Viewer role, then choose Duplicate Role in the Actions drop down menu.

Duplicate Viewer Role

Duplicate Viewer Role

  1. Choose a name for the new user role then select Next.

Choose Role Name

Choose Role Name

  1. Select Cloud Funnel in the left pane. Choose Select All to allow full access to Cloud Funnel, then select Save.

Allow Full Access to Cloud Funnel

Allow Full Access to Cloud Funnel

Create a Service User

  1. In the SentinelOne Management Console, navigate to Settings→USERS→Service Users. Choose Create New Service User from the Actions drop down menu.

Create New Service User

Create New Service User

Configure the Basic Parameters of the Service User

  1. Add a Name. This identifies the user in SentinelOne Management Console. The name cannot have an equal sign (=) or angle bracket characters ( <, >).
  2. Enter an optional Description to identify the user.
  3. Set the Expiration Date of the API token. The default is one year. Select Custom to set a different date and time.

Note

The expiration time can be as long or as short as necessary; but after you create the service user, you cannot change the expiration date. Make sure that you create another service user and re-create the integration with Secureworks® Taegis™ XDR before the expiration date. You can copy the existing service user to re-create it.

  1. When you’re done with the basic parameters, select Next.

Configure Service User Basics

Configure Service User Basics

Configure the Scope of Access of the Service User

  1. Under Access Level, select the Account tile.
  2. Under Accounts Selected, select the account to be integrated with Secureworks® Taegis™ XDR, and the role created in the step above, Create a Role For the Service User.
  3. Select Create User.

Configure Service User Scope

Configure Service User Scope

  1. Securely copy the API token associated with the service user, then choose Close.

Copy API Token

Copy API Token

Configure SentinelOne Deep Visibility Policy

  1. In the SentinelOne Management Console, navigate to Sentinels → POLICY.
  2. Find the Deep Visibility section and ensure that Enable Deep Visibility option is selected.

Secureworks® Taegis™ XDR integration supports the following Deep Visibility event categories:

If you want the integration to ingest these event categories, select the corresponding options in the Deep Visibility Policy. Ensure that all event types in these categories are selected in Event Type Configuration as well.

  1. Select Save Changes to save any changes.

Configure Deep Visibility Policy

Configure Deep Visibility Policy

Create Your SentinelOne Integration in Secureworks® Taegis™ XDR

  1. In Secureworks® Taegis™ XDR, navigate to Integrations→Cloud APIs, then choose Add API Integration from the top right corner.
  2. Choose Set Up SentinelOne.

  3. Enter a Name. This is how the integration is identified in Secureworks® Taegis™ XDR.

  4. Enter the Management Console URL. This is the address of your SentinelOne Management Console. For example, usea1-999-example.sentinelone.net.
  5. Add the API Token. This is the API token you securely copied from Copy API Token above.
  6. Add the Account ID. This is the ID of the SentinelOne account to be integrated with Secureworks® Taegis™ XDR.
  7. When satisfied with the above configuration, select Add.

Note

The integration configures a Cloud Funnel that uses a Secureworks-owned S3 bucket. The S3 bucket name is similar to taegis-sentinelone-1-3z6ywcdee3bw3wcxz4d1sskhy4zfsuse1b-s3alias. Please do not change this Cloud Funnel configuration while the integration is in use.

Add Secureworks® Taegis™ XDR Integration

Add Secureworks® Taegis™ XDR Integration

 

On this page: