SentinelOne
Note
This integration is available in Intel Exchange from v3.6.3.7 onwards
Connector Category: Endpoint Detection Response (EDR)
About Integration
SentinelOne is an AI-powered cybersecurity platform designed to protect enterprise endpoints, cloud workloads, and IoT devices. With advanced endpoint detection and response (EDR) capabilities, SentinelOne swiftly detects, analyzes, and neutralizes security incidents with minimal human intervention. It also integrates with Intel Exchange to seamlessly share and analyze ingested indicators of compromise (IoCs).
The SentinelOne internal application in Intel Exchange supports the following actions:
Action Name | Description
---|---
Add IOCs to SentinelOne | This action adds IOCs to SentinelOne. You can add the following IOC types from Intel Exchange to SentinelOne:
Configure SentinelOne In Intel Exchange
Configure the SentinelOne internal application in Intel Exchange to establish seamless connectivity with the SentinelOne platform.
Before you Start
You must have the View Tool Integrations and the Update Tool Integrations permissions in Intel Exchange.
You must have the base URL and API key of the SentinelOne application.
Note
Ensure that the API credentials include read and write permission to all indicators on the SentinelOne platform.
Steps
To configure a SentinelOne internal application instance in Intel Exchange, follow these steps:
1. Go to Administration > Integration Management, and select Internal Applications under Tool Integrations.
2. Select Endpoint Detection Response, and then select the SentinelOne application.
3. Click Add Instance and enter the following details:
   - Instance Name: Enter a unique instance name. For example, Prod_MS_Defender.
   - Base URL: Enter the base URL of your SentinelOne platform. The default base URL is https://<your_management_url>/web/api/v2.1/.
   - API Key: Enter the API key for your SentinelOne account. This key is used for API authentication.
   - Verify SSL: Enable this option to verify the SSL certificate and secure the connection between the Intel Exchange and SentinelOne servers. By default, SSL verification is enabled.
   Note
   It is recommended to enable Verify SSL. If you disable this option, Intel Exchange may configure an instance for an expired SSL certificate. This may not establish the connection properly, and Intel Exchange will not be able to notify you in case of a broken or improper connection.
4. Click Save.
The SentinelOne instance is configured. To configure multiple instances of this integration, click Manage > Add More.
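The following pre-flight check is an added example, not code from Intel Exchange or SentinelOne. It validates an instance's Base URL against the documented default path (https required, so the API key is never sent in clear text), builds the authenticated request, and makes explicit what the Verify SSL toggle controls at the TLS layer, so that an expired or untrusted certificate produces a clear diagnosis instead of a silently accepted connection. It assumes that SentinelOne accepts the API key in an `Authorization: ApiToken <key>` header and exposes a `system/info` endpoint under the v2.1 path; both, like the host name used in the comments, are assumptions.

```python
"""Pre-flight check for an Intel Exchange SentinelOne instance configuration.

Added example; not part of the Intel Exchange or SentinelOne product code.
Assumptions: the API key is sent as "Authorization: ApiToken <key>" and a
read-only "system/info" endpoint exists under the v2.1 base path.
"""
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Path the documentation gives as the default base URL suffix.
DEFAULT_API_PATH = "/web/api/v2.1/"


def validate_base_url(base_url: str) -> str:
    """Return the normalised base URL, or raise ValueError if it is unsafe or malformed."""
    parsed = urllib.parse.urlparse(base_url)
    if parsed.scheme != "https":
        # Plain http would expose the API key in transit.
        raise ValueError("base URL must use https, got %r" % parsed.scheme)
    if not parsed.netloc:
        raise ValueError("base URL has no host")
    path = parsed.path if parsed.path.endswith("/") else parsed.path + "/"
    if path != DEFAULT_API_PATH:
        raise ValueError("expected path %s, got %s" % (DEFAULT_API_PATH, path))
    return urllib.parse.urlunparse((parsed.scheme, parsed.netloc, path, "", "", ""))


def build_request(base_url: str, api_key: str, endpoint: str = "system/info") -> urllib.request.Request:
    """Build an authenticated GET request. Header format is an assumption (see module docstring)."""
    url = urllib.parse.urljoin(validate_base_url(base_url), endpoint)
    headers = {"Authorization": "ApiToken " + api_key, "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers)


def tls_context(verify_ssl: bool = True) -> ssl.SSLContext:
    """Mirror the Verify SSL toggle. The default context checks chain, expiry and hostname."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        # What disabling Verify SSL means: any certificate, expired or forged,
        # is accepted and the client cannot tell a broken connection from a good one.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def classify_failure(exc: BaseException) -> str:
    """Map an exception raised by urlopen to an operator-facing diagnosis."""
    # HTTPError is a subclass of URLError, so check it first.
    if isinstance(exc, urllib.error.HTTPError):
        if exc.code == 401:
            return "auth: API key rejected"
        if exc.code == 403:
            return "auth: API key lacks the required permission"
        return "http: unexpected status %d" % exc.code
    if isinstance(exc, urllib.error.URLError):
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            return "tls: certificate rejected (expired, untrusted, or hostname mismatch)"
        return "network: %s" % exc.reason
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "tls: certificate rejected (expired, untrusted, or hostname mismatch)"
    return "unknown: %r" % exc


def check_instance(base_url: str, api_key: str, verify_ssl: bool = True, timeout: int = 10) -> str:
    """Perform the live check and return a one-line status string."""
    req = build_request(base_url, api_key)
    try:
        with urllib.request.urlopen(req, context=tls_context(verify_ssl), timeout=timeout) as resp:
            return "ok: HTTP %d" % resp.status
    except Exception as exc:  # noqa: BLE001 - every failure becomes a diagnosis
        return classify_failure(exc)


if __name__ == "__main__":
    # Constructed host name and key; replace with your own instance values.
    print(check_instance("https://mgmt.example.com/web/api/v2.1/", "<your_api_key>"))
```

Keep `verify_ssl=True` in practice; the `False` branch exists only to make the documented caveat concrete. Run the check once after saving the instance, and again after a certificate rotation on the management console, since the Intel Exchange UI does not report a broken TLS connection when verification is off.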
Enable App Actions
Enable the action of the SentinelOne internal application to add IOCs to the SentinelOne platform.
Steps
To enable the Add IOCs action, follow these steps:
1. Go to Administration > Integration Management and select Internal Applications under Tool Integrations.
2. Select Endpoint Detection Response, and then select the SentinelOne application.
3. On the upper-right corner, click the vertical ellipsis and click Manage.
4. Click Manage Actions and select the Add IOCs action.
5. Turn on the toggle to enable the action and click Save.
The action is enabled, and you can use the action in rules to add indicators to the SentinelOne platform.
Create a Rule to Add IOCs
Create a rule in Intel Exchange to define the sources of indicators and add them to the SentinelOne platform for further actioning.
Before you Start
Ensure that the Add IOCs action of the SentinelOne internal application is enabled.
Steps
To create a rule to add indicators to the SentinelOne platform, follow these steps:
1. Go to Main Menu > Actions > Rules.
2. Click New Rule.
3. Enter a Title of up to 100 characters and click Submit.
4. In Source, select the sources and collections from which you want to retrieve IOCs.
5. In Condition, enter the following details:
   - Intent Type: Select the intent type as Indicator to retrieve a list of IOCs.
   - Rule Type: Select a rule type to apply specific conditions.
   - Select Object for Actioning: Select this option to perform the action of a rule on the selected object. This option ensures that the action is performed only on the selected object when you define multiple conditions with multiple objects.
6. In Actions, enter the following details:
   - Actions: Select the Add IOCs action.
   - Application: Select the SentinelOne application.
   - Account: Select an instance you have configured for the SentinelOne internal application.
   - Title: Enter a title for the indicator submission.
   - Description: Enter a description for the indicator submission.
7. Set the global conditions from Additional Actions. For more information, see Additional Actions for Rules.
8. Click Save.
When you run the rule, indicators will be retrieved based on the configured sources and conditions. The retrieved indicators will be added to the SentinelOne platform for actioning.