Configure SentinelOne
Endpoint Detection and Response (EDR) integrations provide our NDR solution with a level of enrichment and intelligence into malicious activity at the endpoint that we would otherwise not see. Collecting EDR telemetry and infusing it into our threat detection capabilities makes our NDR Cases and Incidents richer and more holistic because we now have the vantage point of both the endpoint and the network. Not only do our NDR detections become more substantial, the EDR integration can also help influence the risk or severity score of what we see in NDR.
LogRhythm NDR leverages SentinelOne's capabilities to provide more advanced threat detection to our customers.
- Once SentinelOne is configured, LogRhythm NDR starts ingesting SentinelOne events periodically, on a schedule that runs like a cron job, collecting the events that fall within each polling time range.
- SentinelOne events are ingested as a ThirdPartyEvent, and cases are created as events pass through the pipeline.
- A new collection named "endpoint_ruleset" is introduced in MongoDB to store the endpoint integration rulesets of the different endpoint integration services.
Obtain an API Token in SentinelOne
To configure a SentinelOne integration within LogRhythm NDR, you must first obtain an API Token within the SentinelOne management console.
For more information on obtaining required information within the SentinelOne management console, see API Overview.
To obtain an API token from within SentinelOne, you must create a new user with the role Threats View.
- To create a new user, click the Settings tab, and then click Users.
- Click New User.
- Complete the Full Name and Email Address fields.
- For the Role, select Admin.
- Click Save.
API Route | Methods Used | Required Role |
---|---|---|
/web/api/v2.1/private/threat-groups | GET | Threats View |
Once the user with the appropriate role has been created, an API token can be generated.
- To obtain the API token in the SentinelOne console, click the Settings tab, and then click Users.
- Click on the user for which you will generate the API token (the user created previously).
- Next to API Token, click Generate.
- Click Download.
The API Token is saved.
Add a New SentinelOne Integration in LogRhythm NDR
To create a new SentinelOne integration:
- Log in to the LogRhythm NDR UI.
- Click the Settings tab, and then click Endpoint Integrations.
The Endpoint page appears.
- To add a new endpoint integration, click Add Endpoint Integration.
- Click Active to make the integration active.
- Click Endpoint Type, and then click SentinelOne.
Enter the integration credentials in the relevant fields.
Field | Description |
---|---|
API Token | The API token generated in the SentinelOne management console. |
API URL | The API URL for SentinelOne is https://usea1-300-nfr.sentinelone.net |
Integration Name | A unique name for this integration configuration. |
Polling Interval | The amount of time (in minutes) between each collection of new information from the integration. |
- To verify the credentials have been entered correctly, click Test.
If the information is correct, Connection Success appears. Otherwise, Connection Failed appears, meaning the credentials need to be verified and re-entered.
- Click Save.
The SentinelOne integration is now complete within LogRhythm NDR.
Verify a SentinelOne Integration is Working
To verify that information is being collected for the SentinelOne integration:
- Log in to the LogRhythm NDR UI.
- Click the Hunt tab, and then click Activity.
The Activity page appears. By default, the legend graph is displayed, showing the logs and events for the past hour.
- To view the integration events alone, click ThirdPartyEvent on the graph.
All integration-related events appear.
- To view the integration, click the Discover icon located to the left of the search field, and then click General.
Select the Origin option, and then click the Visualize icon (which is the bar graph icon) for the item.
If events do not display, you may have to change the time range. To single out data for a selected filter, click the Add Filter option in the Discover drop-down menu.
For example, use the "entry_origin" filter (entry_origin: "SentinelOne") to filter the engine that detected the traffic, giving you the following options:
1 - Distributed Analytics Engine
2 - Host Compliance Engine
3 - Network Analysis Engine
4 - Rules Engine
The Value based Filters & Aggregations dialog box appears. To add the filter to the item displayed in the Value based Filters & Aggregations dialog box, click the + icon next to the item.
To remove the filter, click the - icon next to the item.
To view the integration events, click the + icon.
Edit a SentinelOne Integration
To make changes to an existing SentinelOne integration:
- Click the Settings tab, and then click Endpoint Integrations.
The Endpoint page appears.
- Click the green Edit icon in the Actions column for the SentinelOne integration you wish to edit.
The Edit Operator page opens.
- After making changes, click Update.
The endpoint integration is updated within LogRhythm NDR.
Delete a SentinelOne Integration
To delete an existing SentinelOne integration:
- Click the Settings tab, and then click Endpoint Integrations.
The Endpoint page appears.
- Click the red Delete icon in the Actions column for the SentinelOne integration you wish to remove.
- Click Yes.
The SentinelOne integration is deleted in LogRhythm NDR.