SentinelOne Containment
Arctic Wolf® uses SentinelOne APIs to monitor SentinelOne logs and alert you about suspicious or malicious activity. When required, the Active Response service can then contain compromised hosts within your network using SentinelOne containment.
To implement this functionality, you must provide the following to Arctic Wolf:
- SentinelOne API token
- SentinelOne sign-in URL
Note: The SentinelOne containment integration is different from SentinelOne cloud monitoring. You only need to complete these steps if you want to enable Arctic Wolf to contain your endpoints. For more information on cloud monitoring configuration, see SentinelOne Monitoring.
SentinelOne API limitations
- The API token is displayed only once, when it is created. If it is lost before it is submitted to Arctic Wolf in the Arctic Wolf Portal, you must generate a new token for the service user.
- The service user token expires after two years. Record the expiration date so that you can rotate the token before then; once it expires, Arctic Wolf can no longer poll SentinelOne or contain endpoints until you generate a new token for that user and submit it to Arctic Wolf, following the instructions on this page.
Requirements
- Singularity Core, Singularity Control, or Singularity Complete SentinelOne license.
- Admin role in the SentinelOne environment that you want Arctic Wolf to monitor and contain endpoints in. The Admin role is needed only to create the service user; the service user itself is given the more limited SOC role.
Configure SentinelOne containment
Step 1: Create a new service account
Each SentinelOne service user has a single API token. Arctic Wolf uses this token to monitor the SentinelOne environment and to contain endpoints in it.
To create a new service user:
1. Go to https://<prefix>.sentinelone.net, where <prefix> is the prefix value that SentinelOne provided to your company.
2. Sign in to the SentinelOne console with an Admin role account.
3. Hover your mouse over the SentinelOne logo to open the navigation pane.
4. Select Settings.
5. Select the USERS tab.
6. In the navigation pane, select Service Users.
7. From the Actions dropdown list, select Create New Service User.
8. In the dialog box, fill in the following details:
   - Name — Enter a relevant name, such as SentinelOne Arctic Wolf Sensor.
   - (Optional) Description — Enter a description for this user.
   - Expiration Date — From the dropdown list, select 2 Years.
9. Click Next.
10. Under Select Scope of Access, select Account.
11. Select the account that the user should have access to.
12. From the role type dropdown list, select SOC.
13. Click Create User to save the newly created user.
14. In the API Token dialog box, copy the API Token value and store it securely (for example, in a secrets manager) to provide to Arctic Wolf later. The token is shown only once; if you close the dialog box without copying it, you must generate a new token.
15. Exit the dialog box and sign out of the account.
Step 2: Provide credentials to Arctic Wolf
1. Sign in to the Arctic Wolf Portal.
2. Select Connected Accounts in the banner menu to open the Connected Accounts page.
3. Select +Add Account to open the Add Account form.
4. Select Cloud Detection and Response as the Account Type.
5. Select SentinelOne Containment and then fill in the form:
   - Account Name — Enter a descriptive name for these credentials.
   - URL — Enter the URL that you use to sign in to the SentinelOne console. This address usually follows the format https://<prefix>.sentinelone.net, where <prefix> is the prefix value that SentinelOne provided to your company.
   - API Token — Enter the API token obtained in Create a new service account.
6. Select Submit to CST.
7. When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.
8. Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.
After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.
Note: All third-party API integrations that are part of the Arctic Wolf® Managed Detection and Response (MDR) offering are designed with a polling frequency of approximately 15 minutes. Time-based events are polled with a 5-to-40-minute delay to ensure data availability within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, we begin polling and reviewing activity from approximately 1 hour prior to configuration success.
If the credentials fail, for example because the token has expired, we notify you and request a new set of API credentials. After a polling failure, we replay data only for a period of 12 hours starting from when the refreshed credentials are provided.