Exabeam Cloud Connectors Configuration Guide

SentinelOne Cloud Connector

The SentinelOne Endpoint Protection Platform (EPP) offers real-time endpoint security, behavior-based threat detection, data protection, advanced mitigation to stop threats, and protection against advanced malware. SentinelOne provides unified endpoint protection that predicts malicious behavior, eliminates threats, and protects against advanced cyber-attacks via machine learning and intelligent automation. For more information see the product information.  

Prerequisites to Configure the SentinelOne Connector

Before you configure the SentinelOne connector you must obtain the following account information:

  • API token

  • API hostname – To obtain the API hostname, contact SentinelOne support.

  • Authentication data if you want to use the Deep Visibility endpoint

Obtain the API Token for Console Users

SentinelOne APIs are authenticated via application keys. You must obtain the API token to use while configuring the SentinelOne connector. It is recommended that you change the console user token every 30 days.

To obtain the API token for console users:

  1. Log in to the SentinelOne Management Console as an administrator.

  2. Navigate to Settings > Users.

  3. Click your username.

  4. Click Edit.

  5. Navigate to Edit User > API Token.

  6. Click Generate.

    Note

    SentinelOne generates a new token every six months. When you generate or regenerate a token, SentinelOne displays the expiration date for the token.

    If a token is already generated, the window displays Revoke or Regenerate buttons. Clicking Revoke removes the authorization by the existing token. Clicking Regenerate removes the authorization by the existing token and creates a new API token. If you revoke or regenerate a token, any scripts that use the token will stop working.

  7. Click Copy to record the value for the API token that appears in a new window.

  8. Click Download. Use the API token value while configuring the SentinelOne Connector on the Exabeam Cloud Connector platform.

Note

Telemetry data is consumed through Cloud Funnel v2 (an AWS S3 bucket) in the Cloud Collectors app. Security, audit, and system logs are consumed via the API in the SaaS Cloud Connector. As an administrator, you must ensure that the correct SentinelOne sites are configured for the API in the SentinelOne portal. Also ensure that you renew the API keys every 6 months.

Obtain the API Token for Service Users

If you want to customize the API token validity and set the expiration date, use the service user token.

To obtain the API token for service users:

  1. Log in to the SentinelOne Management Console as an administrator.

  2. Navigate to Settings > Users.

  3. Click Service Users.

  4. Click Actions > Create New Service User.

  5. Enter the name and description for the new service user and select the Expiration Date.

  6. Select the account for which you want to get the data and click Create User.

    The API Token section displays an API Token represented by a string of letters and numbers.

  7. Click Copy API Token.

    Record the API Token; you will use this value while configuring the cloud connector.

Obtain the Authentication Data for Deep Visibility Endpoint

SentinelOne introduced Deep Visibility as a built-in component in its 2.4.252 release. By default, this endpoint is inactive and requires additional authentication data. For more information see SentinelOne Deep Visibility. If you want to use this endpoint, contact SentinelOne support to obtain the following data.

  • Username and password for your Deep Visibility Kafka topic

  • CA certificate

  • Topic name

  • Kafka Bootstrap server (connection string)

  • Optional group name

You must import the CA certificate into the Exabeam trust store. Perform the following steps to import the CA certificate:

  1. Run the following command to find the conf directory.

    # maybe the folder is bind-mounted
    confDir=$(sudo docker inspect sk4_conf -f '{{.Options.device}}')
    # and maybe not
    [ "${confDir}" == "<no value>" ] && confDir=$(sudo docker inspect sk4_conf -f '{{.Mountpoint}}')

  2. Create a .pem file with a name sentinelone.pem in the conf directory that you found and copy the certificate that you received from SentinelOne support, to the .pem file.

    Note

    Microsoft Windows and Unix operating systems support different certificate file formats. Do not open and copy and paste the certificate file from a Windows environment to a Unix environment.

  3. Run the following command to import the certificate into the Exabeam cloud connector’s trust store.

    docker exec sk4tomcat keytool -import -trustcacerts -keystore /usr/local/tomcat/sk4conf/sk4cacerts -noprompt -storepass changeit -alias "sentinelone.pem" -file /usr/local/tomcat/sk4conf/sentinelone.pem

  4. Restart the SentinelOne service by running the following command:

    sudo systemctl restart sk4compose
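The four steps above, gathered into one helper script as an added example (this is not Exabeam's or SentinelOne's own tooling). It keeps the container names sk4_conf and sk4tomcat, the keystore path, password and alias from the commands above, and adds the check the note asks for: the certificate file is refused if it is a binary (DER) export or carries Windows CRLF line endings. The certificate body used in the comments is a constructed placeholder.

```shell
#!/bin/sh
# Added helper script (not Exabeam's or SentinelOne's own tooling) for the
# Deep Visibility CA import above. Container names sk4_conf/sk4tomcat, the
# keystore path and the alias are taken from the guide; everything else is
# an assumption.

# Locate the sk4 conf directory (bind mount first, named volume otherwise).
find_conf_dir() {
  conf_dir=$(sudo docker inspect sk4_conf -f '{{.Options.device}}')
  [ "$conf_dir" = "<no value>" ] && \
    conf_dir=$(sudo docker inspect sk4_conf -f '{{.Mountpoint}}')
  printf '%s\n' "$conf_dir"
}

# Return 0 if the file is a Unix-format PEM certificate, 1 otherwise.
# Rejects the two problems the note above warns about: a binary (DER)
# export and CRLF line endings left over from a Windows copy-and-paste.
check_pem_file() {
  file="$1"
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
  if grep -q "$(printf '\r')" "$file"; then
    echo "CRLF line endings found; re-create the file on the Unix host" >&2
    return 1
  fi
  grep -q '^-----BEGIN CERTIFICATE-----$' "$file" || { echo "no PEM header" >&2; return 1; }
  grep -q '^-----END CERTIFICATE-----$' "$file" || { echo "no PEM footer" >&2; return 1; }
  body=$(sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$file" \
         | grep -v -- '-----' || true)
  [ -n "$body" ] || { echo "empty certificate body" >&2; return 1; }
  if printf '%s\n' "$body" | grep -qvE '^[A-Za-z0-9+/=]+$'; then
    echo "non-base64 content inside the certificate block" >&2; return 1
  fi
  return 0
}

# Copy a validated certificate into the conf dir, import it into the
# connector trust store and restart the service (steps 2-4 above).
import_ca_cert() {
  src="$1"
  check_pem_file "$src" || return 1
  conf_dir=$(find_conf_dir)
  sudo cp "$src" "$conf_dir/sentinelone.pem"
  sudo docker exec sk4tomcat keytool -import -trustcacerts \
    -keystore /usr/local/tomcat/sk4conf/sk4cacerts -noprompt \
    -storepass changeit -alias "sentinelone.pem" \
    -file /usr/local/tomcat/sk4conf/sentinelone.pem
  sudo systemctl restart sk4compose
}
```

The check is structural only; run `openssl x509 -noout -in sentinelone.pem` on the host as well to confirm the file parses as a certificate before importing it.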

Configure SentinelOne Connector

The following table displays audit source API and security events supported by the connector.

    Audit Source: API     Service or Module Covered   Events Included
    Management API        Any                         All
    Deep Visibility       Any                         All

Table 25. Audit source API and security events supported by the connector

To configure the SentinelOne connector to import data into the Exabeam Cloud Connector platform:

  1. Complete the Prerequisites to Configure the SentinelOne Connector.

  2. Log in to the Exabeam Cloud Connectors platform with your registered credentials.

  3. Navigate to Settings > Accounts > Add Account.

  4. Click Select Service to Add, then select SentinelOne from the list.

  5. In the Accounts section, enter the required information. Required fields are indicated with a red bar.

    1. Tenant – Select a tenant to attach to the connector if you are using a multi-tenant edition of Exabeam. Otherwise, select default.

    2. Account Name – Specify a name for the SentinelOne connector. For example, Corporate Endpoint Protection.

    3. Description – (Optional) Describe the SentinelOne connector. For example, SentinelOne EPP for endpoint and data security, and threat protection.

    4. API Token – Enter the value for API token that you obtained while completing prerequisites.

    5. API Hostname – Enter the API hostname that you obtained while completing prerequisites. Ensure that you enter only the domain name and not the prefix ‘https’. For example, my-mgmt.sentinelone.com.

    6. If you want to use the Deep Visibility endpoint, enter the values for the fields in the Endpoint Deep Visibility section. Contact SentinelOne support to obtain the relevant authentication information. Fields in this section are optional.

  6. To confirm that the Exabeam Cloud Connector platform communicates with the service, click Test Connection.

  7. Click Done to save your changes. The cloud connector is now set up on the Exabeam Cloud Connector platform.

  8. To ensure that the connector is ready to send and collect data, start the connector and check that the status shows OK.