# SentinelOne

The Dropzone AI Platform integrates with SentinelOne, an endpoint cybersecurity platform that protects against various types of threats. Integrating SentinelOne with Dropzone allows Dropzone to automatically investigate security incidents in your SentinelOne environment.

## Create a Service User and API Key

To enable the SentinelOne integration, Dropzone requires an API key from a SentinelOne Service User with Viewer access.

To obtain an API Key, do the following:

* Log in to the SentinelOne Management Console
* In the left navigation bar of the SentinelOne dashboard, click "Settings"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-714bb0c73bec30881b21fb98f691b45f1fc75206%2Fsentinelone-api-1.png?alt=media" alt=""><figcaption><p>Settings</p></figcaption></figure>

* Navigate to Users > Service Users
* Click the Actions dropdown, then click "Create New Service User"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-53568911c3dfd42b74745d1be64a3a0943329976%2Fsentinelone-api-2.png?alt=media" alt=""><figcaption><p>Create New Service User</p></figcaption></figure>

* Enter the Name, Description, and Expiration Date, then click "Next"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-0a0cb5b1342bbe38a924ec1b2f778ce9d7ab292f%2Fsentinelone-api-3.png?alt=media" alt=""><figcaption><p>Enter information</p></figcaption></figure>

* Under Access Level, select "Account." Select the newly generated account and set the role to Viewer

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-91ec53dbecc8783bb505ce9d42bef7fa9defa8d3%2Fsentinelone-api-4.png?alt=media" alt=""><figcaption><p>Assign roles to the new Account</p></figcaption></figure>

* Click "Create User"
* Copy the API Token shown for use later in the Dropzone UI where it is called "API Token"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-a56621c081de9133d546b8e5184844a728e770ec%2Fsentinelone-api-5.png?alt=media" alt=""><figcaption><p>Copy API Token</p></figcaption></figure>

## Enable SentinelOne

To enable the Alert Source integration, you'll need the following information:

| Dropzone Field       | Source                                                    |
| -------------------- | --------------------------------------------------------- |
| SentinelOne Hostname | Your SentinelOne Hostname, e.g. usea1-123.sentinelone.net |
| API Token            | The API token value you copied earlier                    |

To enable the Alert Source integration, do the following:

* Navigate to your Dropzone AI tenant home page e.g. https\://*mycompany*.dropzone.app
* In the bottom-left corner, navigate to Settings > Integrations

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-b3f07f902b1402dadc7abbd8bb62f9c204547390%2Fui-integrations-dropdown.png?alt=media" alt=""><figcaption><p>Integrations Dropdown</p></figcaption></figure>

* Click "Available"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-434641ec6d4e45051842f86164f485d6bd289424%2Fapp_system_integrations_available.png?alt=media" alt=""><figcaption><p>Click Available</p></figcaption></figure>

* In the Search bar, search SentinelOne, then click "Configure"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-6dfcf69b126436ef0b16ed762e947dbb4e1774d6%2Fapp_system_integrations_available_SentinelOne.png?alt=media" alt=""><figcaption><p>The SentinelOne Tile</p></figcaption></figure>

* Under the Alert Source header, input your SentinelOne hostname and API Token

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-af3cfa4fdbe85ddd57043f86e87561e12c9ed0e1%2Fapp_system_integrations_available_sentinelone_alert_config_1.png?alt=media" alt=""><figcaption><p>The SentinelOne alert configuration (pt 1)</p></figcaption></figure>

* If you wish to treat each of your sites in SentinelOne as separate tenants, check the box labeled "Multi-tenant environment" and click "Add Item." Then input the site IDs for each of the sites you wish Dropzone to be able to analyze

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-de54809e1f3c9a64fbd59afad591fecdac2cb145%2Fapp_system_integrations_available_sentinelone_alert_config_2.png?alt=media" alt=""><figcaption><p>The SentinelOne alert configuration (pt 2)</p></figcaption></figure>

* Under "Incident types," check the incident types you want Dropzone to investigate alerts for
* Under "Incident status," check the incident statuses you want Dropzone to investigate alerts for
* Under "Log Ingestion delay," input your desired log ingestion delay in minutes

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-31becf2e4a1b55094a9aee983b95800f7aad6e6b%2Fapp_system_integrations_available_sentinelone_alert_config_4.png?alt=media" alt=""><figcaption><p>The SentinelOne alert configuration (pt 3)</p></figcaption></figure>

* If you wish, you may exclude threats from investigation by threat name regex. To do so, click "Add Item" in the "Threat Name Regexes" section and input your exclusions

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-a2a399b7ade060833a737c55a6f92cb675c91c6c%2Fapp_system_integrations_available_sentinelone_alert_config_5.png?alt=media" alt=""><figcaption><p>The SentinelOne alert configuration (pt 4)</p></figcaption></figure>

* Input your desired poll interval and lookback

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-17dbcaf2a2414038ad14827d0039887541604983%2Fapp_system_integrations_available_sentinelone_alert_config_6.png?alt=media" alt=""><figcaption><p>The SentinelOne Alert Source Configuration (pt 5)</p></figcaption></figure>

* Click "Test & Save" to finish

If you have any errors or questions, engage your Dropzone AI support representative.
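
Before entering patterns in the "Threat Name Regexes" section, it helps to check what each one would suppress. The script below is an added example, not Dropzone or SentinelOne code: the threat names are constructed, and the matching semantics (Python `re`, case-sensitive, either unanchored search or full match) are assumptions, since this page does not state how the patterns are applied.

```python
import re

# Constructed sample threat names, not taken from a real console export.
SAMPLE_THREATS = [
    "EICAR-Test-File.com",
    "eicar_dropper_variant.exe",
    "pua_toolbar_installer.exe",
    "invoice_2024.pdf.exe",
    "credential_dumper.exe",
]
# Names the SOC expects to be investigated regardless of exclusions (constructed).
MUST_INVESTIGATE = {
    "eicar_dropper_variant.exe",
    "invoice_2024.pdf.exe",
    "credential_dumper.exe",
}

def audit_exclusions(patterns, threat_names, must_investigate, mode="search"):
    """Report which threat names each exclusion regex would suppress.

    mode="search" matches anywhere in the name; mode="fullmatch" requires the
    whole name to match. Both are assumptions about how exclusions are applied.
    """
    report = {}
    for pattern in patterns:
        try:
            rx = re.compile(pattern)
        except re.error as exc:
            # An invalid pattern excludes nothing; surface the error instead.
            report[pattern] = {"error": str(exc), "excluded": [], "violations": []}
            continue
        matcher = rx.search if mode == "search" else rx.fullmatch
        excluded = [name for name in threat_names if matcher(name)]
        report[pattern] = {
            "error": None,
            "excluded": excluded,
            # Violations are exclusions that hide something that must be investigated.
            "violations": [n for n in excluded if n in must_investigate],
        }
    return report

if __name__ == "__main__":
    candidates = ["eicar", r"^EICAR-Test-File\.com$", r".*\.exe", "pua_("]
    for mode in ("search", "fullmatch"):
        print(f"--- mode={mode}")
        result = audit_exclusions(candidates, SAMPLE_THREATS, MUST_INVESTIGATE, mode)
        for pattern, entry in result.items():
            print(f"{pattern!r}: {entry}")
```

Under the search assumption, the bare pattern `eicar` misses the test file it was meant for and suppresses the dropper instead, while the anchored, escaped pattern excludes exactly one name.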
