Providing SentinelOne Credentials to Arctic Wolf

Configuration Guide

Overview

This document describes how to retrieve the API token credentials that Arctic Wolf® needs to monitor security information using the SentinelOne APIs. After you complete this configuration, Arctic Wolf can monitor logs from your SentinelOne environment.

As part of this configuration, you must provide the following information for your SentinelOne environment to Arctic Wolf using the Arctic Wolf Portal:

  1. The URL that you use to sign in to your SentinelOne console, in the form https://<prefix>.sentinelone.net.

  2. An API token generated for a dedicated SentinelOne console user with the Viewer role.

Before you begin

This process requires that you are an Admin for the SentinelOne environment that you want Arctic Wolf to monitor.

Creating a new user

Each SentinelOne console user has a single API token, so create a dedicated user for this integration rather than generating the token from a personal account. Arctic Wolf uses this token to monitor the SentinelOne environment.

Note: Creating a new user in the SentinelOne console requires an email address in the company domain for verification. Arctic Wolf recommends asking your IT team to generate an email account for this use, such as sentinelone_arcticwolf@<company>.com.

To create a new user:

  1. Sign in to the SentinelOne console with an Admin role account.

    Tip: You can access the SentinelOne console using this address, where <prefix> is the prefix value that SentinelOne provided to your company: https://<prefix>.sentinelone.net.

  2. Hover your mouse under the SentinelOne logo to open the navigation pane.

  3. Select Settings, and then select the USERS tab.

  4. Select New User to open the Add a new user dialog box.

  5. Fill out the dialog box:

    1. Full Name — Enter a memorable name, such as SentinelOne Arctic Wolf Sensor.

    2. Role — Select Viewer. Read-only access is sufficient for monitoring, and a Viewer token limits the impact if it is ever exposed.

    3. Email address — Enter the email address for new user verification.

  6. Select Save to close the dialog box and create the user. SentinelOne sends a verification email to the address that you specified in step 5c.

  7. Follow the prompts in the email from SentinelOne to verify the email address and set a password for the new account.

Generating SentinelOne API tokens

To generate SentinelOne API tokens with the new user:

  1. Sign in to the SentinelOne console using the credentials of the user created in Creating a new user.

  2. From the navigation bar, select the user menu, and then select My User from the menu. This opens a dialog box.

  3. Beside API Token, select Generate. This opens the API Token dialog box.

  4. Copy the API Token value to provide to Arctic Wolf later. Treat the token as a secret: store it in a password manager or secrets vault, and do not send it by email or chat.

  5. Exit the dialog box and sign out of the account.
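Before submitting the token in the Arctic Wolf Portal, it is worth confirming that the console URL is well formed and that the token actually authenticates against that console. The script below is an added example and is not Arctic Wolf or SentinelOne code. It assumes that the SentinelOne management API accepts the header `Authorization: ApiToken <token>` and that `GET /web/api/v2.1/sites?limit=1` is readable by a Viewer-role user; both are assumptions based on common SentinelOne integrations, not statements from this guide. The token is read from the environment (or prompted for) rather than passed on the command line, so it does not land in shell history.

```python
"""Sanity-check a SentinelOne console URL and API token before handing them
to Arctic Wolf. Added example, not Arctic Wolf or SentinelOne code."""
import getpass
import os
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Console hosts look like https://<prefix>.sentinelone.net; the prefix may
# contain dots or hyphens (assumption about SentinelOne's naming).
CONSOLE_HOST_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*\.sentinelone\.net$")

# Endpoint assumed to require authentication and to be readable by a Viewer.
PROBE_PATH = "/web/api/v2.1/sites?limit=1"


def normalize_console_url(url: str) -> str:
    """Return 'https://<prefix>.sentinelone.net' from whatever was copied
    out of the browser bar (login path, trailing slash, mixed case), or
    raise ValueError if it is not a plausible console address."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("console URL must use https")
    host = parts.netloc.lower()
    if not CONSOLE_HOST_RE.match(host):
        raise ValueError(f"unexpected console host: {host!r}")
    return f"https://{host}"


def auth_headers(token: str) -> dict:
    """Build request headers; rejects blank tokens and tokens that picked up
    whitespace or a line break while being copied."""
    token = token.strip()
    if not token or any(c.isspace() for c in token):
        raise ValueError("API token is empty or contains whitespace")
    # 'ApiToken' authorization scheme: assumption about the SentinelOne API.
    return {"Authorization": f"ApiToken {token}", "Accept": "application/json"}


def classify_status(http_status: int) -> str:
    """Translate the HTTP status of the probe into an operator-facing verdict."""
    if http_status == 200:
        return "ok"
    if http_status == 401:
        return "token rejected (expired, revoked or mistyped)"
    if http_status == 403:
        return "token accepted but lacks permission for this endpoint"
    return f"unexpected HTTP {http_status}"


def check_token(console_url: str, token: str, timeout: float = 10.0) -> str:
    """Perform the probe and return the verdict string from classify_status."""
    req = urllib.request.Request(
        normalize_console_url(console_url) + PROBE_PATH,
        headers=auth_headers(token),
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_status(resp.status)
    except urllib.error.HTTPError as err:
        return classify_status(err.code)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: S1_API_TOKEN=... check_s1_token.py https://<prefix>.sentinelone.net")
    secret = os.environ.get("S1_API_TOKEN") or getpass.getpass("SentinelOne API token: ")
    print(check_token(sys.argv[1], secret))
```

A result of "ok" means the URL and token pair is ready to enter in the Arctic Wolf Portal; a 401 usually means the token was copied incompletely or has since been regenerated, and a 403 means the user's role does not permit the probe, which is worth resolving before Arctic Wolf's CST attempts to provision monitoring.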

Providing credentials to Arctic Wolf

To provide your SentinelOne credentials to Arctic Wolf on the Arctic Wolf Portal:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.


  3. Select + Add Account to open the Add Account form.

  4. Select Cloud Threat Detection as the Account Type.

  5. Select SentinelOne from the list of cloud services.

    1. Enter a descriptive name for the credentials.

    2. For the URL text box, enter the URL that you use to sign in to the SentinelOne console.

      Tip: This address usually follows this format, where <prefix> is the prefix value that SentinelOne provided to your company: https://<prefix>.sentinelone.net.

    3. Copy the API token obtained earlier into the API Token text box.

  6. Select Submit to CST.

  7. When prompted with the confirmation message, review your submission and then select Done. This returns you to the Connected Accounts page.

  8. Verify that the newly-submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team (CST) provisions security monitoring for your SentinelOne environment, the status of your credentials changes to Connected.

All third-party API integrations that are part of the Arctic Wolf® Managed Detection and Response (MDR) offering are designed with a polling frequency of approximately 15 minutes. Time-based events are polled with a 5-to-40-minute delay to ensure data availability within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, we begin polling and reviewing activity from approximately 1 hour prior to configuration success.

If the credentials stop working, for example because the token expired, we notify you and request a new set of API credentials. After a polling failure, we replay data only for a period of 12 hours starting from when the refreshed credentials are provided; activity outside that window is not recovered, so replace failed credentials promptly.