SentinelOne

This is a combined document for enabling the SentinelOne Dropzone AI Data Source and Alert Source.

The Dropzone AI Platform integrates with SentinelOne, an endpoint security platform that protects against many types of threats. Integrating SentinelOne with Dropzone lets Dropzone automatically investigate incidents in your SentinelOne environment.

Create a Service User and API Key

Enabling the integration requires an API key from a SentinelOne Service User with Viewer access.

To obtain an API Key, do the following:

  • Log in to the SentinelOne Management Console

  • In the left navigation bar of the SentinelOne dashboard, click "Settings"

    (Screenshot: Settings)

  • Navigate to Users > Service Users

  • Click the Actions dropdown, then click "Create New Service User"

    (Screenshot: Create New Service User)

  • Enter the Name, Description, and Expiration Date, then click "Next"

    (Screenshot: Enter information)

  • Under Access Level, select "Account". Select the newly generated account and set the role to Viewer

    (Screenshot: Assign roles to the new Account)

  • Click "Create User"

  • Copy the API Token shown; you will enter it later in the Dropzone UI, where the field is called "API Token"

    (Screenshot: Copy API Token)

Enable the Dropzone Data Source Integration

To enable the Data Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page, e.g. https://mycompany.dropzone.ai

  • Click System > Integrations

    (Screenshot: Integrations dropdown)

  • Click "Data Sources" in the top left corner

    (Screenshot: Select the "Data Sources" button)

  • In the EDR section, find the SentinelOne tile and click "Connect"

    (Screenshot: The SentinelOne Data Source tile)

  • Under SentinelOne Hostname, input the hostname of your main SentinelOne management dashboard (e.g., usea1-123.sentinelone.net)

  • Under SentinelOne XDR Hostname, input the hostname of the Singularity Data Lake Console (e.g., xdr.us1.sentinelone.net)

  • Input the API Token

    (Screenshot: The SentinelOne Data Source configuration)

  • Click "Test & Save"

Enable the Dropzone Alert Source Integration

In addition to the data source integration, Dropzone can be configured to monitor and investigate specific incident types from SentinelOne.

To enable the Alert Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page, e.g. https://mycompany.dropzone.ai

  • Click System > Integrations

    (Screenshot: Integrations dropdown)

  • Click "Alert Sources"

    (Screenshot: Select the "Alert Sources" button)

  • Find the SentinelOne tile and click "Connect"

    (Screenshot: The SentinelOne Alert Source tile)

  • Under SentinelOne URL, input the URL of your main SentinelOne management dashboard (e.g., usea1-123.sentinelone.net)

  • Input the API Token

  • Under Incident Types, check the box for each incident type you want Dropzone to investigate

  • Leave the Multi-Tenant box unchecked unless your SentinelOne environment contains data for multiple separate tenants that should be investigated separately. Dropzone currently supports multi-tenancy in SentinelOne by treating each SentinelOne "site" as a separate tenant. Contact your Dropzone AI support representative if you are unsure

    (Screenshot: The SentinelOne Alert Source configuration)

  • Click "Test & Save"
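Before pasting the hostname and token into either Dropzone form, it helps to confirm from your own workstation that the token is accepted and to see which sites it can read, since Multi-Tenant mode maps one Dropzone tenant to each SentinelOne site. The Python below is an added example, not part of the Dropzone or SentinelOne documentation; it assumes the SentinelOne management API's "Authorization: ApiToken" header scheme and the GET /web/api/v2.1/sites endpoint (confirm both against your console's API reference), and the hostname and token values are placeholders.

```python
import json
import urllib.request
from urllib.error import HTTPError, URLError

# Constructed placeholders; substitute the values you entered in Dropzone.
S1_HOSTNAME = "usea1-123.sentinelone.net"
S1_API_TOKEN = "REPLACE_WITH_SERVICE_USER_TOKEN"


def normalize_hostname(value: str) -> str:
    """Reduce whatever was pasted (full URL, trailing slash, stray whitespace)
    to the bare hostname the Dropzone 'SentinelOne Hostname' field expects."""
    host = value.strip()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0]
    if not host or " " in host:
        raise ValueError(f"not a usable hostname: {value!r}")
    return host.lower()


def fetch_sites(hostname: str, api_token: str, opener=urllib.request.urlopen) -> dict:
    """List the sites visible to the service-user token.
    Assumption: the management API accepts 'Authorization: ApiToken <token>'
    and serves GET /web/api/v2.1/sites; 'opener' is injectable for testing."""
    req = urllib.request.Request(
        f"https://{normalize_hostname(hostname)}/web/api/v2.1/sites",
        headers={"Authorization": f"ApiToken {api_token}"},
    )
    with opener(req) as resp:
        return json.load(resp)


def summarize_sites(payload: dict) -> list:
    """Return (name, state) per site; with Multi-Tenant on, each becomes one Dropzone tenant."""
    return [(s.get("name"), s.get("state")) for s in payload.get("data", {}).get("sites", [])]


if __name__ == "__main__":
    try:
        sites = summarize_sites(fetch_sites(S1_HOSTNAME, S1_API_TOKEN))
    except HTTPError as e:  # 401/403 usually means a bad token or insufficient role
        raise SystemExit(f"token rejected or insufficient role: HTTP {e.code}")
    except URLError as e:
        raise SystemExit(f"hostname unreachable: {e.reason}")
    print(f"{len(sites)} site(s) visible to this token:")
    for name, state in sites:
        print(f"  {name} ({state})")
```

An HTTP 401 or 403 here is the same failure "Test & Save" will report, so fix the Service User's role or token before retrying in Dropzone.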

If you have any errors or questions, engage your Dropzone AI support representative.
