- 20 Mar 2025
- 1 Minute to read
- Print
- DarkLight
SentinelOne
- Updated on 20 Mar 2025
- 1 Minute to read
- Print
- DarkLight
SentinelOne delivers comprehensive endpoint protection by integrating prevention, detection, and response, ensuring robust defense against diverse cyber threats.
More information can be found at SentinelOne.
Integration Method: API
Tables: Detection Finding (2004), Device Config State (5002)
This integration supports the following events.
Event | Description |
---|---|
Agents | Retrieves agents and their associated data. |
Threats | Retrieves a list of threats. |
This integration supports the following versions.
SentinelOne API version | v2.0 |
Note:
SentinelOne is a continuously updated cloud service. As of this document preparation, the latest release was S-25.1.1.61.
Prerequisites
The user should have access to the SentinelOne platform to generate API clients.
The user should have access to the DataBee console.
Configuration Overview
Generate client credentials with the required scopes.
Add the SentinelOne data feed in the DataBee console with the below parameters.
DataBee Parameter
SentinelOne Parameter
Token
API Token
API Base URL<instance>
Replace <instance> with the Management URL provided in the invitee’s email. It's in this format: https://<your_management_url>
SentinelOne Configuration
Before you start configuring data feed on Databee UI, you will need to create the API Client and get the necessary information for API authentication such as Client ID and Client Secret. To generate API Client, follow these steps:
Logon to SentinelOne Platform.
Click your username from the top right corner > Select My User.
Click on Actions > API Token Operations > Generate API Token.
Note:
If the token has already been generated, the option to Regenerate API Token will be displayed.
Copy the generated API Token.
Note:
The user needs to re-create the client secret every 30 days once it expires and reconfigure the data feed in DataBee console. Additionally, once this step is completed, the user will not be able to view the API credentials again. Ensure the keys are stored in a secure location before proceeding.
DataBee Configuration
Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
Search for the SentinelOne and click it as shown below.
Click on the API Ingest option for the collection method.
Enter feed contact information and click Next.
In the configuration page, confirm the following:
Authorization Method: Bearer Token
API Base URL: replace the placeholder with your instance details. For example: SentinelOne.
Token: paste the API Token.
Event Types: preselected for all the event types that integration pulls.
Click Submit.
Troubleshooting Tips
If you’re facing invalid_client or unauthorized_client issues this might be possibly due to incorrect credentials. Ensure the token is pasted correctly. Since you cannot view the token after the 1st time, re-create the token, paste it on a text editor to ensure no spaces or unexpected characters are included and reconfigure the DataBee feed.