Configure SentinelOne Singularity Endpoint for Arctic Wolf Active Response

With the Active Response service, Arctic Wolf® can perform host-based response actions in your network using SentinelOne® Singularity Endpoint.

SentinelOne Singularity Endpoint supports these response actions:
  • Contain a host/Remove from containment

For more information, see Response action descriptions.

These resources are required:

  • Singularity Core or higher SentinelOne license
  • Admin permissions for the applicable SentinelOne environment
  • Contact your CST to validate the Active Response integration. Have a device or environment ready that Arctic Wolf can use to validate the desired response actions without causing interruptions.

Note: Arctic Wolf doesn't support SentinelOne for federal government or AWS GovCloud.

Create a custom SentinelOne Singularity Endpoint role

  1. Go to https://prefix.sentinelone.net, where prefix is the prefix value that SentinelOne provided to you.
  2. Sign in to the SentinelOne console with administrator permissions.
  3. In the top navigation pane, click and make sure that you are in the global site.
  4. In the navigation menu, click Settings.
  5. Click the Users tab.
  6. In the navigation menu, click Roles.
  7. Click Actions > New Role.
  8. In the New Role dialog, configure these settings:
    • Role Name — Enter Active Response Admin.
    • Description — (Optional) Enter a description.
  9. Click Endpoints.
  10. Select these checkboxes:
    • View
    • Disconnect From Network
    • Reconnect To Network
  11. Click Save.

Create a new service account

Each service user generates one API token that Arctic Wolf uses to monitor the SentinelOne environment.

Note:
  • If you manage Arctic Wolf services for multiple customers, you must create a new service user for each customer that you want to configure monitoring for.
  • The API token is only available to view during token creation. If this information is lost before you provide it to Arctic Wolf, you must create a new token for the API.
  • The service user token expires after two years. At that time, you must generate a new token for that user, and then provide it to Arctic Wolf.

  1. Go to https://prefix.sentinelone.net, where prefix is the prefix value that SentinelOne provided to you.
  2. Sign in to the SentinelOne console with administrator permissions.
  3. In the navigation menu, click Settings.
  4. Click the Users tab.
  5. In the navigation menu, click Service Users.
  6. Click Actions > Create New Service User.
  7. In the Create New Service User dialog, configure these settings:
    • Name — Enter a name for the user. For example, SentinelOne Arctic Wolf Sensor.
    • Description — (Optional) Enter a description for this user.
    • Expiration Date — Select 2 Years.
  8. Click Next.
  9. If you manage multiple customers:
    1. In the Select Scope of Access section, click Site.
    2. Select the site that belongs to the customer that you are configuring monitoring for.
  10. If you manage only one customer:
    1. In the Select Scope of Access section, click Account.
    2. Select the account that the user should have access to.
  11. In the Role type list, make sure that Active Response Admin is selected.
  12. Click Create User.
  13. In the API Token dialog, copy the API Token value, and then save it in a safe, encrypted location to provide to Arctic Wolf later.
  14. Exit the dialog, and then sign out of the account.

Provide SentinelOne Singularity Endpoint Active Response credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Organization Profile > Integrations.
  3. On the Active Response tab, click New Active Response Integration +.
  4. Click SentinelOne.
  5. On the New Active Response Integration page, configure these settings:
    • Integration Name — Enter a unique and descriptive name for the integration, including the tenant name. For example, <tenant_name> SentinelOne Singularity Endpoint Active Response Integration.
    • API Base URL — Enter the URL that you use to sign in to the SentinelOne console. The URL usually follows this format, where prefix is the prefix value that SentinelOne provided to you: https://prefix.sentinelone.net.
    • API Token — Enter the API token obtained in Create a new service account.
    • Search Results Limit — Enter the maximum number of objects for a query to return. We recommend 100.
    • Alert Retrieval Type — (Optional) Select Alerts or Threats. Alerts include any activity that you receive notifications about, while threats only include potential vulnerabilities, like a compromised endpoint.
    • Download File Password — (Optional) Enter the password to open SentinelOne file archives.
    • Endpoint Offline Timeout (Hours) — Enter the number of hours that Arctic Wolf should continue checking for a command response from SentinelOne. We recommend 1.
    • Default Search Query — (Optional) Keep this field blank.
    • User-Defined Mapping — (Optional) Keep this field blank.
  6. Click Save Integration.