SentinelOne is an advanced cybersecurity platform leveraging AI to provide real-time threat detection and automated response. It delivers comprehensive endpoint protection by integrating prevention, detection, and response, ensuring robust defense against diverse cyber threats.
Integration Method: API (Application Programming Interface)
Tables: Detection Finding (2004), Device Config State, Security Finding (2001)
DataBee connects to the SentinelOne APIs to retrieve threat and agent logs.
This integration has been tested against SentinelOne v2.1 endpoint.
SentinelOne Configuration
Before configuring the data source in the DataBee UI, the user will need to create the API Token used for API authentication.
Details can be found at https://usea1-019.sentinelone.net/docs/en/generating-api-tokens.html#generating-api-tokens
Create API Client
To access any SentinelOne API, the user will need an API Token.
From the SentinelOne console, navigate to My User by clicking your username in the top right corner.
Click Actions > API Token Operation > Generate API Token.
If the token is already generated, then it will show Regenerate API Token.
Copy the API token.
Note:
Users will not be able to view the API credentials again after completing this step. Copy them to a secure location before closing.
The API Token will expire in 30 days.
DataBee Configuration
Log in to the DataBee console, navigate to the Data tab, and click Add New Data Source. Search for SentinelOne and click it, as shown below.
Click on the API Ingest option for collection method. Give the name of the Data Source and other relevant information as mentioned below.
In the data source dialog, enter the following:
Authorization Method: Bearer Token
API URL: replace the <instance tag> with your specific SentinelOne information
Token: Paste the API token generated earlier
Click Submit