Help Documentation

Managed Detection and Response

SentinelOne Monitoring

Updated Sep 27, 2023

Configure SentinelOne for Arctic Wolf monitoring

You can configure SentinelOne® to send the necessary logs to Arctic Wolf for security monitoring.

Requirements

Steps

  1. Create a new service account.
  2. Provide credentials to Arctic Wolf.

Step 1: Create a new service account

Each SentinelOne service user generates a single API token. Arctic Wolf uses this token to monitor the SentinelOne environment.

Notes:

  • If you manage Arctic Wolf services for multiple customers, you must create a new service user for each customer that you want to configure monitoring for.
  • The API token is only available to view during token creation. If this information is lost before you submit it to Arctic Wolf, you must create a new token for the API.
  • The service user token expires after two years. At that time, you must generate a new token for that user and submit it to Arctic Wolf.

  1. Go to https://<prefix>.sentinelone.net, where <prefix> is the prefix value that SentinelOne provided to your company.

  2. Sign in to the SentinelOne Console as an administrator.

  3. Hover your mouse over the SentinelOne logo to open the navigation pane.

  4. Click Settings.

  5. Click the USERS tab.

  6. In the navigation pane, click Service Users.

  7. In the Actions list, select Create New Service User.

  8. In the dialog, configure these settings:

    • Name — Enter a relevant name. For example SentinelOne Arctic Wolf Sensor.
    • Description — (Optional) Enter a description for this user.
    • Expiration Date — Select 2 Years.

  9. Click Next.

  10. If you manage multiple customers:

    1. In the Select Scope of Access section, click Site.
    2. Select the site that belongs to the customer that you are configuring monitoring for.

  11. If you do not manage multiple customers:

    1. In the Select Scope of Access section, click Account.
    2. Select the account that the user should have access to.

  12. In the role type list, select Viewer.

  13. Click Create User to save the newly created user.

  14. In the API Token dialog, copy the API Token value to provide to Arctic Wolf later.

  15. Exit the dialog and sign out of the account.

Step 2: Provide credentials to Arctic Wolf

Note: If API credentials fail, for example, due to expired credentials, Arctic Wolf will notify you and request a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to ensure complete data polling and coverage. See MDR polling frequency for more information.

  1. Sign in to the Arctic Wolf Unified Portal.

  2. In the menu bar, click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, from the Account Type list, select Cloud Detection and Response.

  5. From the list of cloud services, select SentinelOne.

  6. On the Add Account page, configure these settings:

    • Account Name — Enter a unique and descriptive name for the account.
    • URL — Enter the URL you use to sign in to the SentinelOne console. This URL usually follows this format, where <prefix> is the prefix value that SentinelOne provided to your company: https://<prefix>.sentinelone.net.
    • API Token — Enter the API token obtained in Create a new service account.
    • Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.

  7. Click Test and Submit Credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.

MDR polling frequency

Arctic Wolf® Managed Detection and Response (MDR) polls third-party API integrations at regular intervals. Time-based events are polled with a delay to make sure data is available within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, Arctic Wolf begins polling and reviewing activity from approximately 1 hour prior to configuration success.

Next steps