Merge pull request #1668 from SEKOIA-IO/MikeShvejk-sentinelone-1
Update sentinelone.md
SHVEIM authored Mar 28, 2024
2 parents 6516585 + ccc21c6 commit 263dcb4
Showing 1 changed file with 14 additions and 14 deletions.
28 changes: 14 additions & 14 deletions docs/xdr/features/collect/integrations/endpoint/sentinelone.md
Expand Up @@ -4,22 +4,22 @@ type: intake

## Overview

SentinelOne is an Endpoint Detection and Response (EDR) solution. By using the standard SentinelOne EDR logs collection by API, you will be provided with high level information on detection and investigation of your EDR.
SentinelOne is an Endpoint Detection and Response (EDR) solution. By using the standard SentinelOne EDR logs collection by API, you will be provided with high-level information on the detection and investigation of your EDR.

Please find bellow a limited list of field types that are available with SentinelOne default EDR logs:
Please find below a limited list of field types that are available with SentinelOne default EDR logs:

- Information about the Endpoint
- Information about the SentinelOne agent installed
- Activity type and its description (authentication access, user management, 2FA setup...)
- Activity type and its description (authentication access, user management, 2FA setup, etc.)

And depending on the context of the log, additional content could be available, such as:
Depending on the context of the log, additional content could be available, such as:

- Process information
- Network information
- File information

!!! Tip
For advanced log collection, we suggest you to use SentinelOne Cloud Funnel 2.0 option, as described offered by the [SentinelOne Cloud Funnel 2.0 integration](sentinelone_cloudfunnel2.0.md).
For advanced log collection, we suggest you use the SentinelOne Cloud Funnel 2.0 option, as described in the [SentinelOne Cloud Funnel 2.0 integration](sentinelone_cloudfunnel2.0.md).


{!_shared_content/operations_center/detection/generated/suggested_rules_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.md!}
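Review bot: the rewritten overview sentence is still hard to parse; "you will be provided with high-level information on the detection and investigation of your EDR" reads as if the EDR itself is being investigated. Suggest "the intake provides high-level detection and investigation events from your EDR". Same hunk, the "limited list of field types" wording would be clearer as "non-exhaustive list", since the intent is that more fields exist than are listed, not that the fields are limited.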
Expand All @@ -33,27 +33,27 @@ This setup guide will show you how to pull events produced by SentinelOne EDR on
**Important**: If you have multiple SentinelOne Management Consoles, you must generate an API Token for each one.

!!! note
The API token you generate is time limited. To regenerate a new token (and invalidate the old one), you will need to copy the Service User. Please refer to the SentinelOne documentation to obtain guidance on how to do this action.
The API token you generate is time-limited. To generate a new token (and invalidate the old one), you will need to copy the Service User. Please refer to the SentinelOne documentation to obtain guidance on how to do this action.

1. In the SentinelOne management console, go to `Settings`, click on `USERS` and then on `Service Users`.
1. In the SentinelOne management console, go to `Settings`, select `USERS`, and then select `Service Users`.
2. Create a new `Service User` by specifying a name and an expiration date.
3. Choose the `Scope` of the `Service User`: `Global`, `Account` or `Site`, select the appropriate `Account(s)` or `Site(s)` and the role to grant to the `Service User`
4. Click on `Create User` and copy the API token generated.
4. Select `Create User` and copy the generated API token.

!!! note
A `Service User` with a role of `Site Admin` or `IR Team` can mitigate threats from [Sekoia.io](https://app.sekoia.io/) using [SentinelOne playbook actions](../../../automate/library/sentinel-one.md). A user with a role of `Site Viewer` can view activity events and threats but cannot take action.
A `Service User` with the `Site Admin` or `IR Team` role can mitigate threats from [Sekoia.io](https://app.sekoia.io/) using [SentinelOne playbook actions](../../../automate/library/sentinel-one.md). A user with the `Site Viewer` role can view activity events and threats but cannot take action.

## Create a SentinelOne intake

In the [Sekoia.io Operation Center](https://app.sekoia.io/operations/intakes):

1. Click on the `Intake` page.
1. Go to the `Intakes` page.
2. Search for `SentinelOne` by navigating the page or using the search bar.
3. Click `Create` on the relevant object.
4. Fulfil the `Name` of your intake that will be displayed, the related `Entity` and select `Automatically`:
3. Click `Create` under the relevant object (SentinelOne EDR or SentinelOne Cloud Funnel).
4. Enter the `Name` of your intake that will be displayed, select the related `Entity` from the dropdown, and then select `Automatically`:

![SentinelOne EDR Intake creation](/assets/operation_center/integration_catalog/endpoint/sentinelone/sentinelone_edr_auto.png){: style="max-width:60%"}
![SentinelOne EDR Intake creation](/assets/operation_center/integration_catalog/endpoint/sentinelone/sentinelone-configure-intake.png){: style="max-width:60%"}

5. Fulfil the SentinelOne `API token` previously downloaded and the related `URL Domain`:
5. Enter the previously downloaded SentinelOne `API token` and the related `URL Domain`:

![SentinelOne EDR secret](/assets/operation_center/integration_catalog/endpoint/sentinelone/sentinelone_edr_api.png){: style="max-width:60%"}
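Review bot: step 5 now says "the previously downloaded SentinelOne `API token`", but step 4 of the Service User procedure says the token is copied at creation time, not downloaded; suggest "the SentinelOne `API token` copied earlier" so readers do not look for a download. The new screenshot path `sentinelone-configure-intake.png` replaces `sentinelone_edr_auto.png` while this commit touches only the markdown file, so confirm the new asset already exists in the repository or the image will render broken. Since the note in this hunk already states that a `Site Viewer` can view activity events and threats but cannot take action, consider saying explicitly in step 3 that `Site Viewer` is sufficient for log collection and that `Site Admin` or `IR Team` is only needed if playbook actions will be used, so the intake token is created with the least privilege required.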
