Configure Endpoint Security - SentinelOne

Access SentinelOne threats on your RocketCyber dashboard

Overview

The SentinelOne App retrieves threat data from your SentinelOne management console. It operates across all sites within that console, so you authenticate the app once rather than once for each organization in the RocketCyber console.

Required Permissions

The account you log on to the SentinelOne console with to generate the API token must have access to threat data. The predefined SOC role in the SentinelOne console provides this. The token carries the permissions of the account that generated it, so use a dedicated account with the least privilege needed to read threats rather than an administrator's account.

How to Set Up

  1. Find your SentinelOne API Token
    1. Log in to the SentinelOne portal. Copy the URL you use to do this, as it will be needed later. It should look like https://usea1-rocketcyber.sentinelone.net.
      1. Do NOT include anything after the host (.net or .com), such as /dashboard or /console.
    2. Go to the user menu on the right and select My User.
    3. There may be a Generate API Token option on the main user page. If not, go to Options > Generate API Token.
    4. Copy the generated token. Treat it as a credential: store it only where it is needed and do not paste it into tickets or chat.
  2. Set up your antivirus-to-RocketCyber organization mapping if you have not already done so. Refer to Set Up Organization Mapping for Endpoint Security Integrations.
  3. Add the API Token and URL to your SentinelOne App configuration
    1. Go to your RocketCyber dashboard.
    2. Enable the SentinelOne App in the App Store if you have not already done so.
    3. Click the gear on the SentinelOne App to open the configuration menu.
    4. Set up organization mapping so your detections are routed to the correct organization.
    5. Paste the API Token into the API Token box.
    6. Paste your SentinelOne login URL (scheme and host only, as copied in step 1) into the URL box.
    7. Click Authenticate.
  4. SentinelOne threats are now delivered directly to your RocketCyber dashboard.

Important Details

  1. The API token is valid for 6 months. After that you must follow this procedure again to generate a new one.
    1. The app warns you one week before the token expires.
    2. To refresh the token, follow exactly the same procedure outlined above.
    3. Paste the new API Token into the box, exactly as the first time. It overwrites the old token.
  2. If at any time you wish to revoke the token, click Revoke API token in the SentinelOne user menu (the item directly above Generate API token). Once revoked, the RocketCyber app can no longer retrieve threats until a new token is generated and entered.
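As an added example, not code from the RocketCyber or SentinelOne documentation, the following Python applies the two rules this page states: the URL box takes only the scheme and host of the console URL (step 1 above), and the token expires after six months with a one-week warning (Important Details). The allowed host suffixes, the 182-day approximation of six months, and the `Authorization: ApiToken <token>` header format are assumptions; confirm the header against the API reference in your SentinelOne console.

```python
"""Checks for the SentinelOne console URL and API token used in this setup.

Added example; this is not RocketCyber or SentinelOne code. Assumptions
not stated on the page are marked in comments.
"""
from datetime import date, timedelta
from urllib.parse import urlsplit, urlunsplit

# The page says the token lasts 6 months and the app warns one week before
# expiry. 182 days approximates 6 months; the SentinelOne console shows the
# authoritative expiry date.
TOKEN_LIFETIME_DAYS = 182
WARNING_WINDOW_DAYS = 7

# Assumption: console hosts end in one of these, matching the ".net/.com"
# hint on the page and the example https://usea1-rocketcyber.sentinelone.net.
ALLOWED_SUFFIXES = (".sentinelone.net", ".sentinelone.com")


def normalize_console_url(raw: str) -> str:
    """Reduce a pasted login URL to scheme + host, as the URL box requires.

    Anything after the host (/dashboard, /console, a query string) is
    dropped; a non-https scheme or an unexpected host is rejected rather
    than silently accepted.
    """
    parts = urlsplit(raw.strip())
    if parts.scheme != "https":
        raise ValueError("console URL must use https")
    host = (parts.hostname or "").lower()
    if not host.endswith(ALLOWED_SUFFIXES):
        raise ValueError(f"unexpected console host: {host!r}")
    return urlunsplit(("https", host, "", "", ""))


def is_valid_console_url(raw: str) -> bool:
    """True if normalize_console_url() accepts the URL."""
    try:
        normalize_console_url(raw)
    except ValueError:
        return False
    return True


def auth_headers(token: str) -> dict:
    """Headers for calling the SentinelOne REST API with the token.

    Assumption: SentinelOne expects "Authorization: ApiToken <token>";
    confirm against the API reference in your console. A token with
    surrounding whitespace (a common copy/paste error) is rejected.
    """
    if not token or token != token.strip():
        raise ValueError("token is empty or has surrounding whitespace")
    return {"Authorization": f"ApiToken {token}", "Accept": "application/json"}


def redact(token: str) -> str:
    """Mask a token for logs, keeping only the last four characters."""
    return "*" * max(len(token) - 4, 0) + token[-4:]


def token_status(generated_on: str, today: str) -> tuple:
    """Classify a token by its ISO generation date: ok, rotate_now or expired.

    Returns (status, days_left); days_left is negative once expired.
    """
    expires_on = date.fromisoformat(generated_on) + timedelta(days=TOKEN_LIFETIME_DAYS)
    days_left = (expires_on - date.fromisoformat(today)).days
    if days_left < 0:
        return ("expired", days_left)
    if days_left <= WARNING_WINDOW_DAYS:
        return ("rotate_now", days_left)
    return ("ok", days_left)


if __name__ == "__main__":
    # Constructed sample input: the example URL from the page with a path
    # appended, and a made-up token value.
    pasted = "https://usea1-rocketcyber.sentinelone.net/dashboard"
    sample_token = "example-token-value-0123"
    print(normalize_console_url(pasted))
    auth = auth_headers(sample_token)["Authorization"]
    print(auth.replace(sample_token, redact(sample_token)))
    print(token_status("2020-04-01", "2020-09-25"))
```

Run the file directly to see the normalized URL, the redacted header, and a token status in its one-week warning window. Record the date you generate each token so `token_status()` can flag the rotation before the app's own warning appears, and log only the redacted form.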