SentinelOne
Configuring SentinelOne base integration
To attach SentinelOne to your instance of Prelude, you will need 3 items:
- Base URL (e.g. https://usea1-partners.sentinelone.net/)
- Account ID
- API Secret
You can attach SentinelOne using the Prelude CLI or the Detect console.
Prelude CLI
prelude partner attach sentinelone --api <https://usea1-partners.sentinelone.net> --user <AccountID> --secret <API Secret>
Detect Console
Navigate to the Integrations page by clicking your username in the top right -> Account Settings -> Integrations.
Obtain Base URL
You can obtain the base URL from your SentinelOne instance browser window or follow the directions below.
- Log in to SentinelOne
- Click on Help -> API Doc
- Expand Accounts -> Click on Create Account
- Click run on console
- Click Run API query
- The URL will be displayed. Click Copy URL.
Example of a copied URL: https://usea1-partners.sentinelone.net/web/api/v2.1/accounts
Remove everything after the .net: https://usea1-partners.sentinelone.net
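The trimming step above as a small shell helper, added here as an example and not part of Prelude's or SentinelOne's tooling: it keeps only the scheme and host of the copied URL and refuses anything that is not https or not under sentinelone.net, so the API secret is not handed to a mistyped or look-alike host. The function name `s1_base_url` and the `.sentinelone.net` suffix check are assumptions based on the example URL on this page.

```shell
#!/bin/sh
# Added example (not Prelude or SentinelOne code): derive the value for
# `--api` from the URL copied out of the SentinelOne API Doc page.

# s1_base_url URL -> prints https://host, or returns 1 with a reason on stderr.
s1_base_url() {
    url=$1
    case $url in
        https://*) ;;
        *) echo "refusing non-https URL" >&2; return 1 ;;
    esac
    rest=${url#https://}
    host=${rest%%/*}          # drop the path, e.g. /web/api/v2.1/accounts
    host=${host%%[?#]*}       # drop a query or fragment if there was no path
    case $host in
        *@*|*:*|'') echo "userinfo, port or empty host not expected" >&2; return 1 ;;
    esac
    host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
    # Assumption: console hosts end in .sentinelone.net, as in the page's example.
    case $host in
        *.sentinelone.net) ;;
        *) echo "host is not under sentinelone.net: $host" >&2; return 1 ;;
    esac
    # Only hostname characters may remain (rejects backslashes, spaces, etc.).
    case $host in
        *[!a-z0-9.-]*) echo "invalid characters in host" >&2; return 1 ;;
    esac
    printf 'https://%s\n' "$host"
}

# Constructed sample input: the example URL shown on this page.
copied='https://usea1-partners.sentinelone.net/web/api/v2.1/accounts'
if base=$(s1_base_url "$copied"); then
    # Placeholders for the account ID and secret are left as on the page.
    echo "prelude partner attach sentinelone --api $base --user <AccountID> --secret <API Secret>"
fi
```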
Obtain Account ID
- Log in to SentinelOne and navigate to Account Scope
- Select the Sentinels page
- Click on "Account Info"
- The Account ID is displayed. Copy the Account ID.
Obtain API Secret
Option 1: Create a custom role and service account for the Prelude Integration
- Navigate to Settings -> Users -> Roles
- Create a new role for the Prelude Integration with the following permissions, scoped to the Account:
- Endpoints
- View
- Endpoint Threats
- View
- Update Incident Status
- Update Analyst Verdict
- Endpoint Policy
- View
- Endpoints
- Create a new service account using the role created above, then copy and save the token securely. This token will not be available to view again without creating a new one.
Option 2: User Account API Token
- Log in to SentinelOne
- Click on Settings
- Click on the Users tab
- Click on your console user -> you’ll see a modal for the selected user
- Click on the Actions drop down -> API Token Operations -> Generate API token
Your API Token is displayed. Copy and save the token securely. This token will not be available to view again without creating a new one.