In this article, you will learn how to integrate SentinelOne’s endpoint protection platform (EPP) with SecurityCoach. Once the integration is complete, data provided by SentinelOne will be available for use under the SecurityCoach tab of your KSAT console. This data can be viewed in SecurityCoach reports and used to create detection rules for real-time coaching campaigns. For general information about SecurityCoach, see our SecurityCoach Product Manual.
Create an API Key
Before you can set up this integration in your KSAT console, you will need to create a SentinelOne API key in your SentinelOne Cloud console.
To create an API key for SentinelOne, follow the steps below:
- Log in to your SentinelOne Cloud console, then click Settings.
- Select the Users tab.
- Select Service Users.
- Click Actions, then select Create New Service User.
- In the Create New Service User pop-up window that opens, enter a Name and Description, then select an Expiration Date.
- Click Next.
- Click Create User.
- In the pop-up window that opens, click Copy API Token to copy the API key to your clipboard, or click Download API Token to download a copy of the API key.
Note: Make sure to save this token to a place that you can easily access later. You will need the key to finish the setup process in the Set Up the Integration in Your KSAT Console section of this article.
Locate the API Domain
Before you set up the integration in your KSAT console, you will also need to locate your API domain. This domain is displayed in the URL of your SentinelOne Cloud console.
For example, in the image below, the API domain is “usea1-partners.sentinelone.net”.
You will need this API domain to complete the setup process in the Set Up the Integration in Your KSAT Console section below.
Set Up the Integration in Your KSAT Console
Once you have created your SentinelOne API key and located your API domain, you can set up the integration in your KSAT console. To set up the integration in your KSAT console, follow the steps below:
- Log in to your KSAT console and navigate to SecurityCoach > Setup > Security Vendor Integrations.
- Locate SentinelOne and click Configure.
- Enter your API Key and the API Domain in the corresponding fields, then click Authorize.
Map Your Users
After you’ve finished integrating SentinelOne, you can map your users either through mapping rules (recommended) or through a CSV file upload. For more information about user mapping, see our Mapping Users in SecurityCoach article.
Once you’ve successfully authorized this integration, you can manage detection rules for SentinelOne on the Detection Rules subtab of SecurityCoach. For a full list of available system detection rules for this vendor, see our Which Detection Rules Can I Use with My Vendors? article.