SentinelOne Configuration

Modified on Thu, 29 Jan at 3:40 PM

SentinelOne Ingest

1.0 Overview

ADR can ingest logs from SentinelOne using an API token or by sending syslogs to the ADR CCE VM.


2.0 Configuration (via API)

  1. In the SentinelOne management console, go to Settings and then click Users.
  2. Click on the Admin that will be used to generate the API token.
  3. Click Generate next to API token.
  4. Click on the Copy API token link.
  5. On the APE dashboard, navigate to Settings -> Administration -> Add-on Store.
  6. Search for and select 'SentinelOne'.
  7. On the right side, select 'Add SentinelOne'.
  8. Fill in the fields as follows, then click the Save button.
    • Device: Use the device type 'SentinelOne'.
    • Name: Choose an arbitrary name. It can be the same as the Device type.
    • CCE Host: Enter the IP address of your CCE.
    • Access ID/ User Name: Leave blank.
    • Password/Secret Key: Enter the API token previously copied in step 4.
    • Config: Use a JSON formatted string:
      {"host": "<your_management_url>", "account_type": "<user_account_type>"}
      • <your_management_url>: Enter your SentinelOne management URL (without https://).
      • <user_account_type>: The value can be either “service” or “console”. “console” is the default if none provided.
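The Config string in step 8 is easy to get wrong (a pasted URL that still carries https://, a misspelled key that silently falls back to the "console" default). The following is an added example, not ADR's or SentinelOne's own code: it validates and canonicalises that JSON string before you save it. The function names and the sample tenant host are assumptions made for this example.

```python
import json
from urllib.parse import urlsplit

# Values the add-on accepts for "account_type"; "console" is the documented default.
ACCOUNT_TYPES = ("service", "console")
DEFAULT_ACCOUNT_TYPE = "console"


def normalize_host(host: str) -> str:
    """Return the bare management hostname the add-on expects (no https://).

    Operators often paste the full console URL; strip the scheme and any
    path, but refuse anything that is not plain https.
    """
    host = host.strip()
    if "://" in host:
        parts = urlsplit(host)
        if parts.scheme.lower() != "https":
            raise ValueError(f"management URL must be https, got {parts.scheme!r}")
        host = parts.netloc
    host = host.rstrip("/")
    if not host or " " in host or "/" in host:
        raise ValueError(f"invalid management host: {host!r}")
    return host


def build_config(raw: str) -> str:
    """Validate the add-on 'Config' JSON string and return a canonical form.

    Unknown keys are rejected so a typo such as "acount_type" cannot
    silently select the "console" default.
    """
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"Config is not valid JSON: {exc}") from None
    if not isinstance(cfg, dict):
        raise ValueError("Config must be a JSON object")
    unknown = set(cfg) - {"host", "account_type"}
    if unknown:
        raise ValueError(f"unknown config keys: {sorted(unknown)}")
    if "host" not in cfg:
        raise ValueError('Config must include "host"')
    account_type = cfg.get("account_type", DEFAULT_ACCOUNT_TYPE)
    if account_type not in ACCOUNT_TYPES:
        raise ValueError(f"account_type must be one of {ACCOUNT_TYPES}")
    out = {"host": normalize_host(cfg["host"]), "account_type": account_type}
    return json.dumps(out, separators=(",", ":"))


if __name__ == "__main__":
    # Constructed sample: a pasted console URL that still has its scheme and a trailing slash.
    print(build_config('{"host": "https://example-tenant.sentinelone.net/"}'))
```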


3.0 Configuration (TCP over TLS)

Follow the steps below to configure SentinelOne to send logs to the ADR CCE VM. These steps are not necessary if you have already configured the integration with an API token as described in the previous section.

  1. Open the SentinelOne Administrator Console.
  2. Select your site.
  3. On the left side menu, click the slider icon [⊶] to open the settings menu.
  4. Select the INTEGRATIONS tab.
    1. Under Types, select SYSLOG.
    2. Toggle the button to enable Syslog.
    3. Under Host, enter your CCE VM IP address and port 514.
    4. Under TLS, enable TLS.
    5. Under Formatting, select CEF2.
    6. Save changes.
  5. Configure SentinelOne to send notifications.
    1. Open the NOTIFICATIONS tab.
    2. Under Notification Types, check all options under Syslog notifications.
      Note: We recommend enabling all notification options to send Syslogs. However, this setting is optional.


SentinelOne Remediator

1.0 Overview

ADR integrates with SentinelOne EDR using the SentinelOne Management API. This allows ADR to automatically isolate/unisolate endpoints, kill malicious processes, and enforce remediation workflows based on detected threats.


2.0 Prerequisites

On SentinelOne Console

  • Access to SentinelOne Management Console.
  • An API token created with proper scopes (Admin recommended).
  • Scope permissions include:
    • Agents: isolate/unisolate
    • Threats: remediate
    • Read/Write access to devices.
  • Console URL (varies by region, e.g., https://<tenant>.sentinelone.net).

On ADR Platform

  • ADR CCE with HTTPS access to SentinelOne Console.
  • Admin access to ADR UI.


3.0 Configuration Steps

Step 1: Generate API Token in SentinelOne

  1. Log into SentinelOne Management Console.
  2. Navigate to Settings → Users → API Tokens.
  3. Click Generate New Token.
  4. Assign appropriate scopes:
    • agents.isolate
    • agents.unisolate
    • threats.remediate
  5. Copy the token securely (only displayed once).

Step 2: Note Tenant Details

  1. Copy the Console URL (tenant-specific).
  2. Identify the Site ID or Account ID if needed for policy scoping.

Step 3: Configure in ARIA

  1. Log into ARIA UI → Administration → Remediator.
  2. Click Add.
  3. Fill in details:
    • Device Category: EDR
    • Devices: SentinelOne
    • Host URL: SentinelOne Console URL
    • User Name/Access ID: Leave blank
    • API Token (Secret Key): From Step 1
    • CCE IP: ARIA CCE IP
    • Config: {}
  4. Save configuration.


4.0 Checking Test Connection

  1. In the ADR Remediator list, find the SentinelOne entry.
  2. Click Test Connection, then wait a minute and click Test Status.
  3. If successful → ARIA confirms API access.
  4. If failed → verify console URL, token, and permissions.


5.0 Verification

  1. Trigger a test remediation (e.g., isolate a test endpoint).
  2. In SentinelOne Console → Devices → Endpoint, confirm the device shows as Isolated.
  3. Trigger Unisolate and verify connectivity is restored.
  4. Review ARIA remediation logs for confirmation.


6.0 Troubleshooting

Issue                         | Possible Cause                              | Resolution
------------------------------|---------------------------------------------|-------------------------------------------------------------------------
401 Unauthorized              | Invalid/expired token                       | Generate a new token and update it in ADR.
403 Forbidden                 | Token missing required scopes               | Ensure the token includes isolate/unisolate/remediate permissions.
Connection Timeout            | Wrong tenant URL or network block           | Use the correct SentinelOne Console URL and allow HTTPS traffic.
Remediation fails selectively | Endpoint not online or not in assigned site | Ensure the agent is active and mapped to the correct site in the Console.

If the issue persists, contact ARIA Support with version and configuration details.


