SentinelOne Containment

Updated Apr 4, 2024

Configure SentinelOne containment for Arctic Wolf monitoring

With the Active Response service, you can contain hosts in your network using SentinelOne containment if you configured the SentinelOne API to send the necessary logs to Arctic Wolf® for security monitoring.

Note: The SentinelOne containment integration is different from the SentinelOne Endpoint Detection and Response (EDR) integration. These steps are only required if you want Arctic Wolf to contain your endpoints using SentinelOne. See Configure SentinelOne for Arctic Wolf monitoring for more information.

Caution: For each application, you can only configure one sensor for containment. Configuring multiple sensors for containment for the same application can prevent successful containment.

Requirements

Before you begin

Steps

  1. Create a new service account.
  2. Provide your SentinelOne credentials to Arctic Wolf.
  3. Test SentinelOne containment.

Step 1: Create a new service account

Each SentinelOne service user generates one API token. Arctic Wolf uses this token to monitor the SentinelOne environment.

Notes:

  • If you manage Arctic Wolf services for multiple customers, you must create a new service user for each customer that you want to configure monitoring for.
  • The API token is only available to view during token creation. If this information is lost before you provide it to Arctic Wolf, you must create a new token for the API.
  • The service user token expires after two years. At that time, you must generate a new token for that user, and then provide it to Arctic Wolf.

  1. Go to https://<prefix>.sentinelone.net, where <prefix> is the prefix value that SentinelOne provided to your company.

  2. Sign in to the SentinelOne console with administrator permissions.

  3. Hover your mouse over the SentinelOne logo to open the navigation menu.

  4. Click Settings.

  5. Click the USERS tab.

  6. In the navigation menu, click Service Users.

  7. In the Actions list, select Create New Service User.

  8. In the Create New Service User dialog, configure these settings:

    • Name — Enter a name for the user. For example, SentinelOne Arctic Wolf Sensor.
    • Description — (Optional) Enter a description for this user.
    • Expiration Date — Select 2 Years.
  9. Click Next.

  10. If you manage multiple customers:

    1. In the Select Scope of Access section, click Site.
    2. Select the site that belongs to the customer that you are configuring monitoring for.
  11. If you manage only one customer:

    1. In the Select Scope of Access section, click Account.
    2. Select the account that the user should have access to.
  12. In the Role type list, select SOC.

  13. Click Create User.

  14. In the API Token dialog, copy the API Token value, and then save it in a safe, encrypted location. You will provide it to Arctic Wolf later.

  15. Exit the dialog and sign out of the account.

Step 2: Provide your SentinelOne credentials to Arctic Wolf

Note: If API credentials fail, for example due to expired credentials, Arctic Wolf notifies you and requests a new set of credentials. After a polling failure, Arctic Wolf can't perform actions such as containment until the updated credentials are provided.

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, in the Account Type list, select Cloud Detection and Response.

  5. In the cloud services list, click SentinelOne Containment.

  6. On the Add Account page, configure these settings:

    • Account Name — Enter a unique and descriptive name for the account.

    • URL — Enter the URL that you use to sign in to the SentinelOne console.

      This URL usually follows this format, where <prefix> is the prefix value that SentinelOne provided to your company: https://<prefix>.sentinelone.net.

    • API Token — Enter the API token obtained in Create a new service account.

    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

  7. Click Test and submit credentials.

Step 3: Test SentinelOne containment

  1. Schedule a call with your CST for containment testing.

  2. An hour or more before the scheduled call with your CST, to generate a test observation, do one of these actions:

    • Use an EICAR file:

      • If you can access the EICAR file website — Download the eicar.com.txt file from Anti malware testfile to the host that you want to contain.

        Tip: If you are unable to download the eicar.com.txt file because of browser security, try downloading one of the zip files, and then extract the eicar.com.txt file.

      • If you are unable to access the EICAR file website or download the EICAR file — Create the eicar.com.txt file on the host you want to contain, with this content:

        X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    • Use the forcedThreatMemes configuration (Windows only):

      1. Enable the forcedThreatMemes configuration option with one of these methods:

        • Run this command to manually enable forcedThreatMemes using SentinelCtl.exe:

          .\sentinelctl.exe config -p forcedThreatMemes -v true -k <passphrase>
        • Implement this SentinelOne Agent policy override: {"forcedThreatMemes":true}.

      2. After forcedThreatMemes is enabled, generate one of these threat types:

        Note: Threats generated with the forcedThreatMemes configuration are classified as info stealer, malware, and generic heuristic threats.

        • Static threat — Run this command to create an executable named rickrolling2007.exe that starts with MZ and is not signed by a known vendor:

          echo "test" > rickrolling2007.exe
        • Dynamic threat — Run any executable named sneezingpanda2006.exe that is not signed by a known vendor.

  3. Directly before your call with your CST, turn off your auto-mitigation policy. Arctic Wolf is unable to contain a host if the relevant application already addressed the possible threat.

  4. Have the scheduled call with your CST. During this call, your CST:

    • Promotes the test observation to an incident, making it eligible for containment.
    • Contains the affected host to make sure that the containment works as expected.
    • Resolves issues that might arise, for example, misconfigured containment permissions.
    • Lifts containment from the host.
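The EICAR option in Step 3 depends on the eicar.com.txt file being byte-exact: the 68-character test string must be the very first bytes of the file, only whitespace may follow it, and the whole file must stay within 128 bytes, so a text-mode write that prepends a byte-order mark or copies shell quotes into the file can leave the test observation from never being generated. The following script is an added example, not part of the Arctic Wolf documentation; it writes the file in binary mode on the host you intend to contain and validates candidate files against those rules, with the file paths and the two deliberately broken variants constructed for the demo.

```python
# Added example: write the EICAR test file for the Step 3 test observation
# in binary mode and check it byte-for-byte before relying on it.
import tempfile
from pathlib import Path

# The 68-byte EICAR test string, as given in the Step 3 instructions.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
MAX_LEN = 128                      # published upper bound for the whole file
TRAILING_OK = b" \t\r\n\x1a"       # whitespace that may follow the string


def validate_eicar(data: bytes) -> tuple[bool, str]:
    """Return (ok, reason): string first, only whitespace after, <= 128 bytes."""
    if not data.startswith(EICAR):
        return False, "test string is not at byte 0 (BOM, quotes or altered text?)"
    tail = data[len(EICAR):]
    if any(b not in TRAILING_OK for b in tail):
        return False, "non-whitespace bytes follow the test string"
    if len(data) > MAX_LEN:
        return False, f"file is {len(data)} bytes; maximum is {MAX_LEN}"
    return True, "ok"


def write_eicar(path: Path) -> int:
    """Write eicar.com.txt with write_bytes so no encoding or newline translation
    is applied; returns the resulting file size (expected: 68)."""
    path.write_bytes(EICAR)
    return path.stat().st_size


def demo_in_tempdir() -> dict[str, bool]:
    """Constructed demo: one correct binary write beside two common mistakes.
    Note that an endpoint agent may quarantine the good file as soon as it is
    written, which is exactly the behaviour the containment test relies on."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "eicar.com.txt"
        write_eicar(good)
        # Mistake 1: a text editor or shell redirection that prepends a UTF-8 BOM.
        bom = Path(d) / "eicar_bom.txt"
        bom.write_bytes(b"\xef\xbb\xbf" + EICAR)
        # Mistake 2: the shell's surrounding quotes copied into the file content.
        quoted = Path(d) / "eicar_quoted.txt"
        quoted.write_bytes(b'"' + EICAR + b'"\r\n')
        return {name: validate_eicar(p.read_bytes())[0]
                for name, p in (("binary", good), ("bom", bom), ("quoted", quoted))}


if __name__ == "__main__":
    for name, ok in demo_in_tempdir().items():
        print(f"{name}: {'valid' if ok else 'INVALID'}")
```

Run it on the host you want contained and keep only the eicar.com.txt written by write_eicar; the two broken variants exist purely to show which files would not count as a valid test file.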