SentinelOne Containment

Configuration Guide

Updated Mar 14, 2023

SentinelOne containment

Arctic Wolf® uses SentinelOne APIs to monitor SentinelOne logs and alert you about suspicious or malicious activity. When required, the Active Response service can then contain compromised hosts within your network using SentinelOne containment.

To implement this functionality, you must provide the following to Arctic Wolf:

Note: The SentinelOne containment integration is different from SentinelOne cloud monitoring. You only need to complete these steps if you want to enable Arctic Wolf to contain your endpoints. For more information on cloud monitoring configuration, see SentinelOne Monitoring.

SentinelOne API limitations

Requirements

Configure SentinelOne containment

  1. Create a new service account.
  2. Provide credentials to Arctic Wolf.

Step 1: Create a new service account

Each SentinelOne service user generates a single API token. Arctic Wolf uses this token to monitor the SentinelOne environment.

To create a new service user:

  1. Go to https://<prefix>, where <prefix> is the prefix value that SentinelOne provided to your company.

  2. Sign in to the SentinelOne console with an Admin role account.

  3. Hover your mouse under the SentinelOne logo to open the navigation pane.

  4. Select Settings.

  5. Select the USERS tab.

  6. In the navigation pane, select Service Users.

  7. From the Actions dropdown list, select Create New Service User.

  8. In the dialog box, fill in the following details:

    1. Name — Enter a relevant name, such as SentinelOne Arctic Wolf Sensor.

    2. (Optional) Description — Enter a description for this user.

    3. Expiration Date — From the dropdown list, select 2 Years.

  9. Click Next.

  10. Under Select Scope of Access, select Account.

  11. Select the account that the user should have access to.

  12. From the role type dropdown list, select SOC.

  13. Click Create User to save the newly created user.

  14. In the API Token dialog box, copy the API Token value to provide to Arctic Wolf later.

  15. Exit the dialog box and sign out of the account.
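Before handing the token to Arctic Wolf in Step 2, it is worth confirming that the console URL and the token you copied actually work together. The following preflight script is an added example, not part of the Arctic Wolf guide or its tooling; it assumes that the SentinelOne Management API v2.1 accepts the header `Authorization: ApiToken <token>` and answers `GET /web/api/v2.1/system/info`, and the transport is injectable so the classification logic can be exercised offline.

```python
"""Preflight check for a SentinelOne service-user API token (added example, not Arctic Wolf code)."""
import json
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Assumption: SentinelOne Management API v2.1 exposes this endpoint and uses "ApiToken" auth.
SYSTEM_INFO_PATH = "/web/api/v2.1/system/info"


def normalize_console_url(url: str) -> str:
    """Reduce a pasted console address (with path, query or trailing slash) to https://<host>."""
    parsed = urlparse(url.strip())
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"console URL must look like https://<prefix>...: {url!r}")
    return f"https://{parsed.netloc}"


def _http_get(url: str, headers: dict) -> tuple:
    """Default transport: return (status, body). HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode(errors="replace")


def check_token(console_url: str, api_token: str, http_get=_http_get) -> dict:
    """Call the console with the token and classify the outcome; http_get is injectable for tests."""
    if not api_token or api_token != api_token.strip():
        return {"ok": False, "reason": "token is empty or has surrounding whitespace (copy/paste error)"}
    url = normalize_console_url(console_url) + SYSTEM_INFO_PATH
    headers = {"Authorization": f"ApiToken {api_token}", "Accept": "application/json"}
    status, body = http_get(url, headers)
    if status == 401:
        return {"ok": False, "reason": "console rejected the token (wrong, expired or revoked)"}
    if status == 403:
        return {"ok": False, "reason": "token accepted but lacks permission; check role and account scope"}
    if status != 200:
        return {"ok": False, "reason": f"unexpected HTTP {status}"}
    try:
        data = json.loads(body).get("data", {})
    except ValueError:
        return {"ok": False, "reason": "console did not return JSON; check the URL"}
    return {"ok": True, "console": url, "version": data.get("version")}


if __name__ == "__main__":
    import os
    # Constructed placeholder values; set both environment variables to run against a real console.
    print(check_token(os.environ.get("S1_CONSOLE_URL", "https://<prefix>"), os.environ.get("S1_API_TOKEN", "")))
```

A 200 from the endpoint confirms the URL and token pair; a 403 is the signal that the service user was created with the wrong role or account scope.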

Step 2: Provide credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

  3. Select +Add Account to open the Add Account form.

  4. Select Cloud Detection and Response as the Account Type.

  5. Select SentinelOne Containment and then fill in the form:

    1. Account Name — Enter a descriptive name for these credentials.

    2. URL — Enter the URL that you use to sign in to the SentinelOne console.

      This address usually follows this format, where <prefix> is the prefix value that SentinelOne provided to your company: https://<prefix>

    3. API Token — Copy the API token obtained in Create a new service account.

  6. Select Submit to CST.

  7. When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.

  8. Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.

Note: All third-party API integrations that are part of the Arctic Wolf® Managed Detection and Response (MDR) offering are designed with a polling frequency of approximately 15 minutes. Time-based events are polled with a 5-to-40-minute delay to ensure data availability within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, we begin polling and reviewing activity from approximately 1 hour prior to configuration success.

If credentials fail, for example because they have expired, we notify you and request a new set of API credentials. After a polling failure, we replay data only for a period of 12 hours starting from when the refreshed credentials are provided.