Dropzone AI Documentation

SentinelOne


Last updated 6 months ago


This is a combined guide for enabling both the Dropzone AI Data Source and the Alert Source for SentinelOne.

The Dropzone AI Platform integrates with SentinelOne, an endpoint protection platform that detects and blocks threats on managed hosts. Integrating SentinelOne with Dropzone lets Dropzone automatically investigate incidents raised in your SentinelOne environment, pulling endpoint and (where licensed) Singularity Data Lake telemetry as evidence.

Create a Service User and API Key

The integration requires an API token belonging to a SentinelOne Service User with the Viewer role. Viewer is read-only; Dropzone only reads incidents and telemetry, so do not grant a broader role than the one described below.

To obtain an API Key, do the following:

  • Log in to the SentinelOne Management Console

  • In the left navigation bar of the SentinelOne dashboard, click "Settings"

  • Navigate to Users > Service Users

  • Click the Actions dropdown, then click "Create New Service User"

  • Enter the Name, Description, and Expiration Date, then click "Next". The token stops working on the expiration date, so record it and plan to rotate the token in Dropzone before then

  • Under Access Level, select "Account", select the account whose data Dropzone should be able to read, and set the role to Viewer

  • Click "Create User"

  • Copy the API Token shown and store it in your secrets manager; it is needed later in the Dropzone UI, where the field is called "API Token". The token is displayed once, so if it is lost you will need to regenerate it

Enable the Dropzone Data Source Integration

To enable the Data Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai

  • Click System > Integrations

  • Click "Data Sources" in the top left corner

  • In the EDR section, find the SentinelOne tile and click "Connect"

  • Under SentinelOne Hostname, input the hostname for your main SentinelOne management dashboard (e.g., usea1-123.sentinelone.net)

  • Under SentinelOne XDR Hostname, input the hostname for the Singularity Data Lake Console (e.g., xdr.us1.sentinelone.net)

Leave "SentinelOne XDR Hostname" blank only if your SentinelOne license does not include Singularity Data Lake; otherwise Dropzone will miss crucial investigation data.

  • Input the API Token

  • Click "Test & Save"

Enable the Dropzone Alert Source Integration

In addition to data source integration, Dropzone can be configured to monitor and investigate specific incident types from SentinelOne.

To enable the Alert Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai

  • Click System > Integrations

  • Click "Alert Sources"

  • Find the SentinelOne tile and click "Connect"

  • Under SentinelOne URL, input the hostname of your main SentinelOne management dashboard, the same value used for "SentinelOne Hostname" in the Data Source configuration (e.g., usea1-123.sentinelone.net)

  • Input the API Token

  • Under Incident Types, check the boxes for each incident type you want Dropzone to investigate

  • Leave the Multi-Tenant box unchecked, unless your SentinelOne environment contains data for multiple separate tenants that should be investigated separately. Dropzone currently supports multi-tenancy in SentinelOne by treating each SentinelOne “site” as a separate tenant. Contact your Dropzone AI support representative if you are unsure about this question

  • Click "Test & Save"
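Both forms above take the same two inputs, the management console hostname and the service-user API token, and "Test & Save" is the first point at which a wrong value surfaces. The script below is an added pre-flight check, not Dropzone or SentinelOne code: it normalizes whatever was pasted (a bare hostname, a URL with scheme or trailing slash) into the bare hostname the forms expect, refuses an empty or whitespace-damaged token, and makes one read-only call to the console so an expired service user or wrong region shows up before the token is stored in Dropzone. Assumptions: the SentinelOne REST API accepts the token as `Authorization: ApiToken <token>` and exposes a read-only `GET /web/api/v2.1/system/info`; the endpoint path is an assumption, so substitute any read-only endpoint your console documents. Hostname and token values are placeholders.

```python
"""Pre-flight check for a SentinelOne service-user token before entering it in Dropzone.

Added example; not part of the Dropzone or SentinelOne products.
ASSUMPTIONS: 'Authorization: ApiToken <token>' header scheme and the
/web/api/v2.1/system/info path. Adjust the path if your console differs.
"""
import json
import os
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

DEFAULT_PATH = "/web/api/v2.1/system/info"  # assumed read-only endpoint


def normalize_hostname(value: str) -> str:
    """Return the bare, lower-cased hostname the Dropzone 'Hostname' fields expect.

    Accepts 'usea1-123.sentinelone.net', 'https://usea1-123.sentinelone.net/',
    or the same with stray whitespace; raises ValueError on empty or non-host input.
    """
    value = value.strip()
    if not value:
        raise ValueError("hostname is empty")
    if "://" not in value:
        value = "https://" + value  # urlsplit needs a scheme to find the host
    host = urlsplit(value).hostname
    if not host or "." not in host:
        raise ValueError(f"not a hostname: {value!r}")
    return host.lower()


def build_request(hostname: str, token: str, path: str = DEFAULT_PATH) -> urllib.request.Request:
    """Build the authenticated GET. The token travels in a header, never in the URL,
    so it does not end up in proxy or web-server access logs."""
    if not token or any(c.isspace() for c in token):
        raise ValueError("API token missing or contains whitespace (copy/paste error?)")
    url = f"https://{normalize_hostname(hostname)}{path}"
    return urllib.request.Request(
        url, headers={"Authorization": f"ApiToken {token}", "Accept": "application/json"}
    )


def classify_http_error(code: int) -> str:
    """Map the status codes an operator is likely to hit to the fix they need."""
    return {
        401: "token rejected: wrong token, expired service user, or wrong console hostname",
        403: "token accepted but lacks permission: check the service user's account scope and role",
        404: "endpoint not found: console hostname may be wrong, or adjust the assumed API path",
    }.get(code, f"unexpected HTTP {code}")


def check_token(hostname: str, token: str, timeout: float = 10.0) -> dict:
    """Perform the call and return a small result dict; never raises on HTTP failure."""
    req = build_request(hostname, token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.load(resp)
            return {"ok": True, "status": resp.status, "data": body.get("data")}
    except urllib.error.HTTPError as e:
        return {"ok": False, "status": e.code, "hint": classify_http_error(e.code)}
    except urllib.error.URLError as e:
        return {"ok": False, "status": None, "hint": f"connection failed: {e.reason}"}


if __name__ == "__main__":
    # Usage: S1_API_TOKEN=... python s1_preflight.py usea1-123.sentinelone.net
    console = sys.argv[1] if len(sys.argv) > 1 else "usea1-123.sentinelone.net"  # placeholder
    print(json.dumps(check_token(console, os.environ.get("S1_API_TOKEN", "")), indent=2, default=str))
```

Run it once with the management console hostname and once with the Singularity Data Lake hostname if you have one; a 401 on the second while the first succeeds usually means the XDR hostname is wrong for your region rather than that the token is bad. The token is read from the environment so it never appears in shell history or process arguments.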

If you have any errors or questions, engage your Dropzone AI support representative.

Screenshots accompanying the steps above (images not reproduced here): Settings; Create New Service User; Enter information; Assign roles to the new Account; Copy API Token; Integrations Dropdown; Select the "Data Sources" button; The SentinelOne Data Source Tile; The SentinelOne Data Source Configuration; Integrations Dropdown; Select the "Alert Sources" button; The SentinelOne Alert Source Tile; The SentinelOne Alert Source Configuration.