Configure SentinelOne Singularity Identity to send logs to Arctic Wolf

You can configure SentinelOne® Singularity Identity to send the necessary logs to Arctic Wolf® for security monitoring.

Note:

To configure log monitoring for multiple SentinelOne products, only complete these instructions once. Make sure that the credentials that you submit to Arctic Wolf are associated with all required licenses and permissions.

  • Singularity Commercial or higher SentinelOne license
  • Admin permissions for the applicable SentinelOne environment
Note: Arctic Wolf doesn't support SentinelOne for federal government or AWS GovCloud.

Create a new service account

Each service user generates one API token that Arctic Wolf uses to monitor the SentinelOne environment.

Note:
  • If you manage Arctic Wolf services for multiple customers, you must create a new service user for each customer that you want to configure monitoring for.
  • The API token is only available to view during token creation. If this information is lost before you provide it to Arctic Wolf, you must create a new token for the API.
  • The service user token expires after two years. At that time, you must generate a new token for that user, and then provide it to Arctic Wolf.
  1. Go to https://prefix.sentinelone.net, where prefix is the prefix value that SentinelOne provided to you.
  2. Sign in to the SentinelOne console with administrator permissions.
  3. In the navigation menu, click "" Settings .
  4. Click the Users tab.
  5. In the navigation menu, click Service Users.
  6. Click Actions > Create New Service User.
  7. In the Create New Service User dialog, configure these settings:
    • Name — Enter a name for the user. For example, SentinelOne Arctic Wolf Sensor.
    • Description — (Optional) Enter a description for this user.
    • Expiration Date — Select 2 Years.
  8. Click Next.
  9. If you manage multiple customers:
    1. In the Select Scope of Access section, click Site.
    2. Select the site that belongs to the customer that you are configuring monitoring for.
  10. If you manage only one customer:
    1. In the Select Scope of Access section, click Account.
    2. Select the account that the user should have access to.
  11. In the Role type list, make sure that Viewer is selected.
  12. Click Create User.
  13. In the API Token dialog, copy the API Token value, and then save it in a safe, encrypted location to provide to Arctic Wolf later.
  14. Exit the dialog, and then sign out of the account.

Provide SentinelOne credentials to Arctic Wolf

Note:

Time-based events are polled with a delay to make sure that data is available. For new deployments, Arctic Wolf begins polling and reviewing activity from approximately one hour prior to configuration success. If API credentials fail, for example due to expired credentials, Arctic Wolf notifies you and requests a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to enable complete data polling and coverage.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click SentinelOne.
  5. Configure these settings:

    • Account Name — Enter a unique and descriptive name for the account.

    • URL — Enter the URL that you use to sign in to the SentinelOne console. The URL usually follows this format, where prefix is the prefix value that SentinelOne provided to you: https://prefix.sentinelone.net.
    • API Token — Enter the API token created in Create a new service account.

    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

  6. Click Test and submit credentials.