SentinelOne

About this document


This document provides the step-by-step procedure to configure SentinelOne in SAFE.

Introduction


SAFE integrates with SentinelOne and allows you to effortlessly discover and import assets and their EDR findings directly into SAFE. 

Key Highlights of This Integration:

  • Import Assets and EDR Findings: With this integration, you can discover and import assets from SentinelOne, together with their respective EDR findings, into SAFE.
  • Automated and On-Demand Synchronization: Take control of your assessment results with the option to set predefined time intervals for automatic synchronization. Furthermore, you can initiate on-demand assessments as needed.
  • Data Filtering Flexibility: SAFE allows users to fine-tune data retrieval from SentinelOne through the Group Filter feature. You can specify group names for data filtering. If no group names are given, SAFE pulls all assets accessible to the user into its system.

Prerequisites


You need the following connector details to configure SentinelOne in SAFE:

  • SentinelOne URL
  • SentinelOne API Token

Generate SentinelOne API Token


  1. Log in to your SentinelOne account.
  2. Click Settings in the left navigation.
  3. Click the Users tab in the header.
  4. Click the Service Users option in the left navigation.
  5. Click the Actions dropdown and select Create New Service User. If this option is not available, contact your SentinelOne admin.
  6. On the Create New Service User pop-up, enter the Name, Description, and Expiration Date.
  7. Click the Next button.
  8. In the Scope of Access pop-up, click the Site card.
  9. In Select Account, search for the account whose data you want to pull into SAFE and click it.
  10. The system displays a checklist of all the sites available for the account.
  11. Select the Default site. The system displays a Role drop-down that allows you to select roles; select the Viewer role.
  12. Click the Create User button.
  13. The system creates the service user account and also displays an API Token. Copy and save the API Token to use later while configuring the SentinelOne account in SAFE. The system displays this API Token only once.

Configuring SentinelOne in SAFE


Navigate to SAFE Hooks.

  1. Click the SentinelOne card.
  2. Enter the details in their respective fields:
    1. SentinelOne URL
    2. API Token generated above.
    3. Analyst Verdict Inclusion List: This field is populated by default. You can modify it to include the specific analyst verdict statuses that should appear as failed findings in SAFE.
    4. AutoSync (in Days)
    5. Auto Onboard New Assets: By default, any resource that is present in SentinelOne and not found in SAFE will be onboarded. The Computer Name is used as the identifier. To limit the integration to assessing only the endpoints/assets already present in SAFE, uncheck this option.
    6. Update Existing Assets Metadata: If this checkbox is marked, the asset's metadata, such as asset name, IP address, etc., will be updated based on the data pulled from SentinelOne.
    7. Group Names (Optional): This field allows you to select which groups' threat data you wish to synchronize with SAFE. If left blank, data is fetched from all groups. This field accepts a comma-separated string.
  3. Click the Test Connection button to verify the connection.
  4. Once the connection is verified, click Save to save the configuration.
  5. To trigger an on-demand sync outside of the scheduled auto-sync, click Sync Now. The auto-sync time is 01:15 UTC.


Viewing Results from SentinelOne


After configuring SentinelOne in SAFE, you can view assets and findings generated from SentinelOne threats.


  1. To view the Sync statistics, click the Details column of the row that corresponds to your Sync in the Integration History table. The system displays the following stats:
    1. Total Assets - Total assets/endpoints identified from SentinelOne that are within the scope of the API Token provided. SAFE onboards all the endpoints matching the group names passed, regardless of their active threat count.
    2. Failed Assets - The assets that were identified from SentinelOne but failed during submission as signals.
    3. Total Signals - Total signals generated and submitted to SAFE during the Sync.
    4. Threats Processed - The count of only those threats that contribute to a Failed finding status in SAFE, based on the fail criteria mapping table below.
  2. To view the assets, click the See Updated Assets option in the header of the History table.
    Alternatively, navigate to Technology > Assets and filter the list for Signal Source Equals security.safe.sentinelone.
  3. SentinelOne threat statuses are mapped to SAFE statuses based on the combination of two fields, Threat Mitigation Status and Analyst Verdict. The mapping of each combination to a SAFE status is as follows.
Note 

Please note that findings with a Failed status will be pulled into SAFE.

Threat Mitigation Status | Analyst Verdict | Finding Status in SAFE
Not mitigated            | True Positive   | Failed
Not mitigated            | Suspicious      | Failed
Not mitigated            | Undefined       | Failed
Marked as benign         | True Positive   | Failed
Marked as benign         | Suspicious      | Failed
Mitigated                | True Positive   | Passed
Mitigated                | Suspicious      | Passed
Mitigated                | Undefined       | Passed
Marked as benign         | Undefined       | Passed
Marked as benign         | False Positive  | Passed
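The following is an added example, not SAFE or SentinelOne code, that encodes the mapping table above and recomputes the Total Assets and Threats Processed stats described in the Details view over a constructed set of endpoint and threat records. The record field names (computerName, group, mitigationStatus, analystVerdict) and the sample data are assumptions made for this example; it also surfaces combinations the table does not list, such as Not mitigated / False Positive, instead of guessing a status for them.

```python
from collections import Counter

# (Threat Mitigation Status, Analyst Verdict) -> Finding Status in SAFE,
# copied from the mapping table in this article.
STATUS_MAP = {
    ("Not mitigated", "True Positive"): "Failed",
    ("Not mitigated", "Suspicious"): "Failed",
    ("Not mitigated", "Undefined"): "Failed",
    ("Marked as benign", "True Positive"): "Failed",
    ("Marked as benign", "Suspicious"): "Failed",
    ("Mitigated", "True Positive"): "Passed",
    ("Mitigated", "Suspicious"): "Passed",
    ("Mitigated", "Undefined"): "Passed",
    ("Marked as benign", "Undefined"): "Passed",
    ("Marked as benign", "False Positive"): "Passed",
}


def finding_status(mitigation, verdict):
    """Map one threat to its SAFE finding status, or None if the table
    does not list the combination (e.g. Not mitigated / False Positive),
    so the caller can flag it instead of guessing Passed or Failed."""
    return STATUS_MAP.get((mitigation, verdict))


def sync_stats(endpoints, threats, group_names=()):
    """Recompute the Details stats as the article describes them.
    Record field names are assumptions for this constructed sample.
    Total Assets counts every in-scope endpoint regardless of threats;
    Threats Processed counts only threats that map to Failed."""
    in_scope = [e for e in endpoints if not group_names or e["group"] in group_names]
    names = {e["computerName"] for e in in_scope}
    counts = Counter()
    for t in threats:
        if t["computerName"] in names:  # threats on assets outside the group filter are ignored
            counts[finding_status(t["mitigationStatus"], t["analystVerdict"])] += 1
    return {"Total Assets": len(in_scope), "Threats Processed": counts["Failed"],
            "Passed": counts["Passed"], "Unmapped": counts[None]}


# Constructed sample data, not pulled from SentinelOne.
ENDPOINTS = [{"computerName": "WS-01", "group": "Workstations"},
             {"computerName": "WS-02", "group": "Workstations"},
             {"computerName": "SRV-01", "group": "Servers"}]
THREATS = [{"computerName": "WS-01", "mitigationStatus": "Not mitigated", "analystVerdict": "Undefined"},
           {"computerName": "WS-01", "mitigationStatus": "Mitigated", "analystVerdict": "True Positive"},
           {"computerName": "WS-02", "mitigationStatus": "Marked as benign", "analystVerdict": "False Positive"},
           {"computerName": "SRV-01", "mitigationStatus": "Not mitigated", "analystVerdict": "True Positive"},
           {"computerName": "SRV-01", "mitigationStatus": "Not mitigated", "analystVerdict": "False Positive"}]
```

Running sync_stats(ENDPOINTS, THREATS) without a group filter reports all three assets and two Failed threats, while passing group_names=("Workstations",) narrows Total Assets to two, the same way the Group Names field does in SAFE.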