SentinelOne Containment

SentinelOne containment Direct link to this section

Arctic Wolf® uses SentinelOne APIs to monitor SentinelOne logs and alert you about suspicious or malicious activity. When required, the Active Response service can then contain compromised hosts within your network using SentinelOne containment.

To implement this functionality, you must provide the following to Arctic Wolf:

• SentinelOne API token
• SentinelOne sign-in URL

SentinelOne API limitations Direct link to this section

• The API token is only available to view during token creation. If this information is lost before it is submitted to Arctic Wolf on the Arctic Wolf Portal, you must create a new token for the API.
• The service user token expires after two years. At that time, you must generate a new token for that user and submit it to Arctic Wolf, following the instructions on this page.

Requirements Direct link to this section

• Singularity Core, Singularity Control, or Singularity Complete SentinelOne license.
• Admin role for the SentinelOne environment that you want Arctic Wolf to monitor.

Configure SentinelOne containment Direct link to this section

1. Create a new service account.
2. Provide credentials to Arctic Wolf.

Step 1: Create a new service account Direct link to this section

Each SentinelOne service user generates a single API token. Arctic Wolf uses this token to monitor the SentinelOne environment.

To create a new service user:

1. Go to https://<prefix>.sentinelone.net, where <prefix> is the prefix value that SentinelOne provided to your company.

2. Sign in to the SentinelOne console with an Admin role account.

3. Hover your mouse under the SentinelOne logo to open the navigation pane.

4. Select Settings.

5. Select the USERS tab.

6. In the navigation pane, select Service Users.

7. From the Actions dropdown list, select Create New Service User.

8. In the dialog box, fill in the following details:

   1. Name — Enter a relevant name, such as SentinelOne Arctic Wolf Sensor.
   2. (Optional) Description — Enter a description for this user.
   3. Expiration Date — From the dropdown list, select 2 Years.

9. Click Next.

10. Under Select Scope of Access, select Account.

11. Select the account that the user should have access to.

12. From the role type dropdown list, select SOC.

13. Click Create User to save the newly created user.

14. In the API Token dialog box, copy the API Token value to provide to Arctic Wolf later.

15. Exit the dialog box and sign out of the account.

Step 2: Provide credentials to Arctic Wolf Direct link to this section

1. Sign in to the Arctic Wolf Portal.

2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

   

3. Select +Add Account to open the Add Account form.

4. Select Cloud Detection and Response as the Account Type.

5. Select SentinelOne Containment and then fill in the form:

   1. Account Name — Enter a descriptive name for these credentials.

   2. URL — Enter the URL that you use to sign in to the SentinelOne console.

      This address usually follows this format, where <prefix> is the prefix value that SentinelOne provided to your company: https://<prefix>.sentinelone.net.

   3. API Token — Copy the API token obtained in Create a new service account.

6. Select Submit to CST.

7. When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.

8. Verify that the newly-submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.