This guide helps you set up the SentinelOne Singularity Data Lake integration in Workbench.
Scope and Limitations
When choosing to set up this integration, remember the following:
- We only support on-prem Active Directory as a data source; if this is not your data source, you can still set up the integration but we will not leverage data from any other connected sources.
Prerequisites
- You must have SentinelOne's Deep Visibility so that we can fully triage and investigate your SentinelOne alerts.
Quick Links
Setup includes the following steps:
- Step 1: Enable API Access for Expel
- Step 2: Add SentinelOne Singularity Data Lake as a Security Device in Workbench
Step 1: Enable API Access for Expel
You first need to create a new user account with the appropriate permissions and API access, and also obtain an API key.
1. Log in to your SentinelOne console.
2. Navigate to Policy & Settings > Singularity Data Lake > API Keys.
3. Select New Key. Make sure to copy and save the API key to a safe place, as you will need it in the next section.
4. Select Log Read Permissions.
5. To change the name of the API key, hover on the key and select the Edit icon.
6. Enter "Expel API" as the name.
7. Select Save.
Step 2: Add SentinelOne Singularity Data Lake as a Security Device in Workbench
Now that you have enabled API access, you can configure the integration in Workbench. Before you begin, make sure you know your unique SentinelOne console access URL and the API key you generated in the previous step.
1. Log in to Workbench.
2. In the side menu, navigate to Organization Settings > Security Devices. If you have multiple organizations, you must select the appropriate organization name from the list.
3. Select Add Security Device.
4. In the search box, type “SentinelOne” and then select the SentinelOne Singularity Data Lake integration.
5. Complete the fields as follows:
   - Name - enter a name that will help you more easily identify this integration, such as “CompanyName Singularity Data Lake”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
   - Location - enter the location of your integration, for example “cloud”; this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
   - Server Address - enter your SentinelOne console URL. It should look something like: https://<your_unique_address>.sentinelone.net.
   - API Key - enter the API key generated in Step 1.
   - Select Save.
6. Do one of the following:
   - If you have already set up a different SentinelOne integration and granted us console access at that time, select No thanks, I will not provide console access. You can then select Save and skip to step 9.
   - If this is your first SentinelOne integration, select Set up now (recommended) from the console access dropdown and continue to step 7.
7. Scroll down and complete the fields as follows:
   - Console URL - enter your SentinelOne console URL.
   - Username - enter your SentinelOne username.
   - Password - enter your SentinelOne password.
   - Two-factor secret key - enter the two-factor secret key used during the login process.
8. Select Save.
9. Your device should be created successfully within a few seconds. A few reminders:
   - After your connection is healthy, it will take some time for your device to begin polling and receiving data.
   - To check on the status, select the downward arrow for your device in the first column and choose View details.
   - Polling will happen first; data will be received after that. You must refresh the page to see updates.
   - If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.

To check if alerts are coming through, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.