SentinelOne Containment
Updated Sep 27, 2023
Configure SentinelOne containment
Arctic Wolf® uses SentinelOne® APIs to monitor SentinelOne logs and alert you about suspicious or malicious activity. When required, the Active Response service can then contain hosts in your network using SentinelOne.
Note: The SentinelOne containment integration is different from the SentinelOne Endpoint Detection and Response (EDR) integration. You only need to complete these steps if you want Arctic Wolf to contain your endpoints using SentinelOne. For more information on the EDR configuration, see SentinelOne Monitoring.
To implement this functionality, you must provide these credentials to Arctic Wolf:
- SentinelOne API token
- SentinelOne sign-in URL
Requirements
- Singularity Core, Singularity Control, or Singularity Complete SentinelOne license.
- Admin role for the SentinelOne environment that you want Arctic Wolf to monitor.
Before you begin
- Complete the steps in SentinelOne Monitoring to configure the EDR integration.
Steps
Step 1: Create a new service account
Each SentinelOne service user generates a single API token. Arctic Wolf uses this token to monitor the SentinelOne environment.
Notes:
- If you manage Arctic Wolf services for multiple customers, you must create a new service user for each customer that you want to configure monitoring for.
- The API token is only available to view during token creation. If this information is lost before you submit it to Arctic Wolf, you must create a new token for the API.
- The service user token expires after two years. At that time, you must generate a new token for that user and submit it to Arctic Wolf.
1. Go to https://<prefix>.sentinelone.net, where <prefix> is the prefix value that SentinelOne provided to your company.
2. Sign in to the SentinelOne Console as an administrator.
3. Hover your mouse over the navigation icon to open the navigation pane.
4. Click Settings.
5. Click the USERS tab.
6. In the navigation pane, click Service Users.
7. In the Actions list, select Create New Service User.
8. In the dialog, configure these settings:
   - Name — Enter a relevant name. For example, SentinelOne Arctic Wolf Sensor.
   - Description — (Optional) Enter a description for this user.
   - Expiration Date — Select 2 Years.
9. Click Next.
10. If you manage multiple customers:
    - In the Select Scope of Access section, click Site.
    - Select the site that belongs to the customer that you are configuring monitoring for.
11. If you do not manage multiple customers:
    - In the Select Scope of Access section, click Account.
    - Select the account that the user should have access to.
12. In the role type list, select SOC.
13. Click Create User to save the newly created user.
14. In the API Token dialog, copy the API Token value to provide to Arctic Wolf later.
15. Exit the dialog and sign out of the account.
Step 2: Provide credentials to Arctic Wolf
Note: If API credentials fail, for example, due to expired credentials, Arctic Wolf will notify you and request a new set of credentials. After a polling failure, Arctic Wolf cannot perform actions such as containment until the updated credentials are provided.
1. Sign in to the Arctic Wolf Unified Portal.
2. In the menu bar, click Telemetry Management > Connected Accounts.
3. Click Add Account +.
4. On the Add Account page, from the Account Type list, select Cloud Detection and Response.
5. From the list of cloud services, select SentinelOne Containment.
6. On the Add Account page, complete these steps:
   - Account Name — Enter a unique and descriptive name for the account.
   - URL — Enter the URL that you use to sign in to the SentinelOne console. This URL usually follows the format https://<prefix>.sentinelone.net, where <prefix> is the prefix value that SentinelOne provided to your company.
   - API Token — Enter the API token obtained in Create a new service account.
   - Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.
7. Click Test and Submit Credentials.
After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.
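As an added helper that is not part of the Arctic Wolf or SentinelOne documentation: this Python script checks that the sign-in URL has the expected https://<prefix>.sentinelone.net form and reports how many days remain on the service user's API token, so the token can be rotated before the two-year expiry causes a polling failure that blocks containment. The api-token-details endpoint, its request body and its expiresAt field are assumptions about the SentinelOne v2.1 API, and the token is read from an S1_API_TOKEN environment variable chosen here.

```python
import json
import os
import re
import sys
import urllib.request
from datetime import datetime, timezone
from typing import Optional

# Sign-in URL format from the procedure above: https://<prefix>.sentinelone.net
CONSOLE_URL_RE = re.compile(r"^https://[a-z0-9-]+\.sentinelone\.net/?$", re.IGNORECASE)


def normalize_console_url(url: str) -> str:
    """Reject anything that is not an https SentinelOne console URL; drop a trailing slash."""
    url = url.strip()
    if not CONSOLE_URL_RE.match(url):
        raise ValueError(f"unexpected SentinelOne console URL: {url!r}")
    return url.rstrip("/")


def _parse_ts(ts: str) -> datetime:
    # Assumption: API timestamps are ISO 8601 in UTC with a trailing "Z"
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def days_until_expiry(token_details: dict, now_iso: Optional[str] = None) -> int:
    """Whole days left on the token, taken from the assumed data.expiresAt field."""
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    return (_parse_ts(token_details["data"]["expiresAt"]) - now).days


def fetch_token_details(console_url: str, api_token: str) -> dict:
    """POST to the (assumed) api-token-details endpoint and return the JSON body."""
    req = urllib.request.Request(
        normalize_console_url(console_url) + "/web/api/v2.1/users/api-token-details",
        data=json.dumps({"data": {"apiToken": api_token}}).encode(),
        headers={"Authorization": f"ApiToken {api_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Usage: S1_API_TOKEN=<token> python s1_token_check.py https://<prefix>.sentinelone.net
    token = os.environ.get("S1_API_TOKEN")
    if len(sys.argv) != 2 or not token:
        sys.exit("usage: S1_API_TOKEN=<token> s1_token_check.py <console-url>")
    left = days_until_expiry(fetch_token_details(sys.argv[1], token))
    print(f"API token expires in {left} days")
    sys.exit(0 if left > 30 else 1)  # non-zero exit when rotation is due (30-day threshold chosen here)
```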
Test SentinelOne containment
After you configure SentinelOne containment and provide credentials to Arctic Wolf, you should test the containment and containment lifting procedures with your CST.
Before you begin
- Schedule a call with your CST for containment testing.
Generate a test observation
Note: Generate the test observation at least one hour before the call.
Use one of these methods to generate a test observation for SentinelOne:
Use an EICAR file
If you:
- Can reach the EICAR file website — Download the eicar.com.txt file from https://www.eicar.org/download-anti-malware-testfile/ to the host that you want to contain. Tip: If you can't download the eicar.com.txt file due to browser security, try downloading one of the .zip files and extracting the eicar.com.txt file.
- Can't reach the EICAR file website or can't download the EICAR file — Create the eicar.com.txt file on the host you want to contain, with this content:
  X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
If these options don't work due to your security controls, contact your CST for assistance.
Use the forcedThreatMemes configuration (Windows only)
1. Enable the forcedThreatMemes configuration option using one of these methods:
   - Run this command to manually enable forcedThreatMemes using SentinelCtl.exe:
     .\sentinelctl.exe config -p forcedThreatMemes -v true -k "<passphrase>"
   - Implement this SentinelOne Agent policy override:
     {"forcedThreatMemes":true}
2. Once forcedThreatMemes is enabled, generate one of these threat types:
   - Static threat — Run this command to create an executable named rickrolling2007.exe that starts with MZ and is not signed by a known vendor:
     echo "test" > rickrolling2007.exe
   - Dynamic threat — Run any executable named sneezingpanda2006.exe that is not signed by a known vendor.
Threats generated with the forcedThreatMemes configuration are classified as info stealer, malware, and generic heuristic threats.
Next steps
Note: Turn off your auto-mitigation policy before the call because Arctic Wolf can’t contain a host if the relevant application already addressed the possible threat.
During the scheduled call, your CST:
1. Promotes the test observation to an incident, making it eligible for containment.
2. Contains the affected host to make sure that the containment works as expected.
3. Resolves any issues that may arise, such as misconfigured containment permissions.
4. Lifts containment from the host.