SentinelOne Integration
Step 1 - Create Webhook for SentinelOne
- Visit the Webhooks page in AIR,
- Click the “+ New Webhook” button in the upper right corner,
- Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.),
- Select “Sentinel One Webhook Parser” as the parser for this webhook,
- Select the Acquisition Profile to run when SentinelOne activates this webhook,
- Select the Ignore option or leave it at its default value (defaults to 24 hours for recurrent alerts from a single endpoint),
- Provide other settings such as Evidence Repository, CPU Limit, Compression & Encryption to use, or let AIR configure them automatically based on the matching policy,
- Click the “Save” button.
- Copy the Webhook URL for Step 2.
Step 2 - Setting up SentinelOne
- Find Singularity XDR Webhook in the marketplace and click Configure
- Click and expand the dropdown menu:
  - Select the box under Response Actions: Make “Hooks” available as “Manual Response Actions” from Threats
  - Give an explanatory Threat Response Action Name
  - Select a relevant “Options for triggering”
  - Paste the webhook URL created in Step 1 into the URL field
  - Select POST in Action
  - Choose Full Threat Details in Webhook Request Body
  - Insert the following header into the Headers: {"Content-Type": "application/json"}
  - Select Always send body
  - Click Next
- Select your organization and site in the Access Level
- Click Install.
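Before connecting the SentinelOne Hook, it is worth confirming that the AIR webhook URL from Step 1 is reachable with the request shape Step 2 configures (POST, a Content-Type: application/json header, a JSON body that is always sent). The script below is an added example, not Binalyze or SentinelOne code. The URL is a placeholder you replace with the one copied from AIR, and the body is a constructed sample: it is not SentinelOne's Full Threat Details schema (that schema is not on this page), so it verifies reachability and the header contract, not the parser's field mapping.

```python
"""Test-fire an AIR webhook the way the SentinelOne Hook is configured to call it.

Added example; not Binalyze or SentinelOne code. It assumes only what the
integration steps state: the webhook URL from Step 1, method POST, a
Content-Type: application/json header, and a JSON body. The sample body is
constructed and is NOT SentinelOne's "Full Threat Details" payload.
"""
import json
import urllib.error
import urllib.request

# Placeholder: replace with the Webhook URL copied from AIR in Step 1.
WEBHOOK_URL = "https://air.example.invalid/api/webhook/PLACEHOLDER"

# Constructed sample body for a connectivity test (not a real SentinelOne payload).
SAMPLE_THREAT = {
    "test": True,
    "source": "sentinelone-webhook-smoke-test",
    "threat_name": "EICAR-Test-File",
}


def build_request(url: str, body: dict) -> urllib.request.Request:
    """Build the POST exactly as Step 2 configures the SentinelOne Hook:
    Action = POST, Headers = {"Content-Type": "application/json"},
    and an always-sent JSON body."""
    data = json.dumps(body).encode("utf-8")
    return urllib.request.Request(
        url,
        data=data,
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def check_request(req: urllib.request.Request) -> list:
    """Return a list of configuration problems; an empty list means the
    request matches the method/header/body contract from Step 2."""
    problems = []
    if req.get_method() != "POST":
        problems.append("Action must be POST")
    # urllib normalises header names, so the key is looked up as 'Content-type'.
    if req.get_header("Content-type") != "application/json":
        problems.append("Missing Content-Type: application/json header")
    if not req.data:
        problems.append("Body is empty; 'Always send body' must be selected")
    else:
        try:
            json.loads(req.data.decode("utf-8"))
        except ValueError:
            problems.append("Body is not valid JSON")
    # The URL alone is enough to trigger the configured acquisition, so it
    # should only ever travel over TLS.
    if not req.full_url.lower().startswith("https://"):
        problems.append("Webhook URL should use HTTPS")
    return problems


def fire(url: str, body: dict, timeout: float = 10.0) -> int:
    """Validate, send the test POST and return the HTTP status code
    (HTTP error responses are returned as their status, not raised)."""
    req = build_request(url, body)
    problems = check_request(req)
    if problems:
        raise ValueError("; ".join(problems))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    print("HTTP status:", fire(WEBHOOK_URL, SAMPLE_THREAT))
```

Run it once with the real URL and expect a 2xx status; a 4xx usually means the URL was pasted incompletely or the header is missing. Treat the webhook URL as a credential: anyone who can POST to it can start the acquisition the webhook is bound to, so keep it out of tickets and chat logs.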