SentinelOne
Last updated
This is a combined document for enabling the Dropzone AI Data Source and Alert Source for SentinelOne.
The Dropzone AI Platform integrates with SentinelOne, an endpoint cybersecurity platform that protects against various types of threats. Integrate SentinelOne with Dropzone to automatically investigate incidents in your SentinelOne environment.
To enable the integration, SentinelOne requires an API token from a Service User with Viewer access.
To obtain an API Key, do the following:
Log in to the SentinelOne Management Console
In the left navigation bar of the SentinelOne dashboard, click "Settings"
Navigate to Users > Service Users
Click the Actions dropdown, then click "Create New Service User"
Enter the Name, Description, and Expiration Date, then click "Next"
Under Access Level, select "Account". Select the newly generated account and set the role to Viewer
Click "Create User"
Copy the API Token shown for use later in the Dropzone UI where it is called "API Token"
To enable the Data Source integration, do the following:
Navigate to your Dropzone AI tenant home page, e.g. https://mycompany.dropzone.ai
Click System > Integrations
Click "Data Sources" in the top left corner
In the EDR section, find the SentinelOne tile and click "Connect"
Under SentinelOne Hostname, input the hostname for your main SentinelOne management dashboard (e.g., usea1-123.sentinelone.net)
Under SentinelOne XDR Hostname, input the hostname for the Singularity Data Lake Console (e.g., xdr.us1.sentinelone.net)
Leave "SentinelOne XDR Hostname" blank only if your SentinelOne license does not include Singularity Data Lake; otherwise you will miss crucial investigation data.
Input the API Token
Click "Test & Save"
In addition to data source integration, Dropzone can be configured to monitor and investigate specific incident types from SentinelOne.
To enable the Alert Source integration, do the following:
Navigate to your Dropzone AI tenant home page, e.g. https://mycompany.dropzone.ai
Click System > Integrations
Click "Alert Sources"
Find the SentinelOne tile and click "Connect"
Under SentinelOne URL, input the URL for your main SentinelOne management dashboard (e.g., usea1-123.sentinelone.net)
Input the API Token
Under Incident Types, check the boxes for each incident type you want Dropzone to investigate
Leave the Multi-Tenant box unchecked unless your SentinelOne environment contains data for multiple separate tenants that should be investigated separately. Dropzone currently supports multi-tenancy in SentinelOne by treating each SentinelOne "site" as a separate tenant. Contact your Dropzone AI support representative if you are unsure about this question.
Click "Test & Save"
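Before pasting the Service User token into either Dropzone form, it helps to confirm from your own workstation that the token is accepted by the management console, that it really is read-only (Viewer), and how many SentinelOne sites it can see, since the Multi-Tenant decision above hinges on whether more than one site is present. The script below is an added example and is not Dropzone or SentinelOne code. It sends the token in the "Authorization: ApiToken <token>" header used by the SentinelOne Management API and normalizes the hostname the way the forms expect it (bare hostname, no scheme). The GET /web/api/v2.1/sites path and the {"data": {"sites": [...]}} response shape, including the accountName and state fields, are assumptions based on the public Management API v2.1 and should be confirmed against your console's API reference; the sample response embedded at the bottom is constructed so the script also runs offline.

```python
"""Pre-flight check for a SentinelOne Service User token (added example, not vendor code)."""
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumed Management API v2.1 path; confirm in your console's API reference.
SITES_PATH = "/web/api/v2.1/sites"


def auth_headers(token: str) -> dict:
    """Headers for a read-only Management API call using the Service User API token."""
    if not token or token.strip() != token:
        raise ValueError("API token is empty or has surrounding whitespace (common copy/paste error)")
    return {"Authorization": f"ApiToken {token}", "Accept": "application/json"}


def normalize_hostname(value: str) -> str:
    """Accept 'usea1-123.sentinelone.net' or 'https://usea1-123.sentinelone.net/'; return the bare host."""
    value = value.strip()
    if "://" not in value:
        value = "https://" + value
    host = urlsplit(value).hostname
    if not host:
        raise ValueError(f"not a hostname: {value!r}")
    return host


def management_url(hostname: str, path: str = SITES_PATH) -> str:
    """Full HTTPS URL for a Management API path on the given console hostname."""
    return f"https://{normalize_hostname(hostname)}/{path.lstrip('/')}"


def summarize_sites(payload: dict) -> list:
    """Reduce a /sites response to (site name, account name, state) tuples (field names assumed)."""
    sites = payload.get("data", {}).get("sites", [])
    return [(s.get("name", "?"), s.get("accountName", "?"), s.get("state", "?")) for s in sites]


def multi_tenant_candidate(summary: list) -> bool:
    """Dropzone treats each SentinelOne site as a tenant in multi-tenant mode,
    so seeing more than one site is the signal to discuss the Multi-Tenant box."""
    return len(summary) > 1


def fetch_sites(hostname: str, token: str, timeout: float = 15.0) -> dict:
    """Live read-only call. 401 means the token was rejected; 403 means it lacks the Viewer role."""
    req = urllib.request.Request(management_url(hostname), headers=auth_headers(token))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        hint = {
            401: "token rejected: check it was copied whole and has not expired",
            403: "token accepted but lacks access: Service User needs Viewer on the account",
        }.get(exc.code, "unexpected status")
        raise RuntimeError(f"HTTP {exc.code} from {hostname}: {hint}") from exc


# Constructed sample response shaped like a two-site account, for offline use.
SAMPLE_SITES_RESPONSE = {
    "data": {
        "sites": [
            {"id": "1000000000000000001", "name": "HQ", "accountName": "Example Corp", "state": "active"},
            {"id": "1000000000000000002", "name": "EU Subsidiary", "accountName": "Example Corp", "state": "active"},
        ]
    }
}

if __name__ == "__main__":
    # Replace with fetch_sites("usea1-123.sentinelone.net", token) for a live check.
    summary = summarize_sites(SAMPLE_SITES_RESPONSE)
    for name, account, state in summary:
        print(f"site={name!r} account={account!r} state={state}")
    print("consider Multi-Tenant:", multi_tenant_candidate(summary))
```

Run it once with the real hostname and token substituted in the final block; a 401 or 403 here is far easier to diagnose than a generic failure from "Test & Save", and the site list tells you whether to raise the multi-tenant question with your Dropzone AI support representative.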
If you have any errors or questions, engage your Dropzone AI support representative.