SentinelOne

Overview

Configuring a cloud source in Scope is a two-step process.

  • Generating SentinelOne client credentials in the SentinelOne Management Console. Please refer to Section 1 – SentinelOne Setup

  • Setting up the SentinelOne cloud source in the Scope application. Please refer to Section 2 – Scope Setup

SentinelOne Setup

To get started, you’ll need to generate the following client credentials in the SentinelOne portal –

  1. Service User Name
  2. API Token
  3. API Token Expiry Date
  4. Base URL (Management URL)

Step 1: Generate an API Token

  • Sign in to the SentinelOne Management Console.

  • To create a new service user, navigate to Settings -> Users.

  • Click Service Users on the Users page.

  • Select Actions -> Create New Service User.

  • Enter the information for the new service user:

    • Name: Provide a name for the service user.
    • Description: Describe the user.
    • Expiration Date: Set the expiration date for the API Token (recommended: 1 year).

  • In the Scope of Access section:

    • Set Access Level to Account and select the respective Account Name.
    • For the Role, select Admin.

  • Click Create User.

  • Authenticate the Create User action with the required 2FA Authentication Code.

  • The API token is generated. Copy the API Token and API Token Expiry Date and save them securely.

    Note: Please make sure to copy the API Token and API Token Expiry Date immediately, as they will not be available once you leave this page.

Step 2: Get the Base URL (Management URL)

  • In the SentinelOne Management Console, navigate to Settings -> Configuration.

  • Copy the URL available in the Management URL text box.

  • The generated API Token, API Token Expiry Date, and Base URL (Management URL) are to be configured in Scope Setup: Step 1 for initiating the SentinelOne log ingestion.

Scope Setup

Step 1: SentinelOne Cloud Source Registration in the Scope Application

Once the credentials are generated, they must be configured in the Scope application to establish the connection and enable data ingestion from the SentinelOne environment.

In the Scope application, to register a SentinelOne cloud source, navigate to the cloud source registration page –

  • Log into the Scope application

  • Select the required organization

  • Navigate to the Side menu -> Administration

  • Navigate to the Cloud sources tab

  • Click on the +Add Source button

  • In the Create New Source pop-up, provide the parameters below.

    • Site: The user defined name for the SentinelOne service.

    • Username: The username of the SentinelOne Service User for which the API token was generated (from Step 1).

    • Base URL: The Management URL from Step 2.

    • API Token: The API token generated in Step 1.

    • API Token Expiry Date: The expiry date of the API Token (from Step 1).

    • Polling Interval: The polling interval for making periodic API calls to the SentinelOne server. Select the time interval from the dropdown.

    • Contact Email: The email address of the person who registers the SentinelOne service in Scope.

    • Category: By default, the three log type categories activities, alerts, and threats are selected.

      Note: For customers with a SentinelOne Complete subscription, all three categories should be selected. For customers with a SentinelOne Core subscription, only activities and threats should be selected — the alerts category is not part of the Core subscription.

Once the application details are entered, the SentinelOne registration is complete in Scope and is ready for ingestion of SentinelOne logs.