SentinelOne integration
Note: Before implementing this channel integration, contact your Customer Success Manager for Perception Point X‑Ray to make sure that this functionality is included in your current Perception Point X‑Ray license.
About the Perception Point X‑Ray-SentinelOne integration
Perception Point X‑Ray can be integrated with various products. This page explains the configurations that are required to integrate Perception Point X‑Ray with SentinelOne. It describes what Perception Point Support must do and what you, the customer, must do to complete the integration.
When Perception Point X‑Ray is integrated with SentinelOne, information is shared between Perception Point X‑Ray and SentinelOne. This enables both Perception Point X‑Ray and SentinelOne to improve the security that they provide in your organization.
From SentinelOne to Perception Point X‑Ray
SentinelOne will periodically send your Perception Point X‑Ray installation a list of all files in your organization that SentinelOne detected as malicious. The hash of each of the malicious files is also sent. Perception Point X‑Ray will use this information to improve its scanning accuracy within your organization.
- For each malicious file detected by SentinelOne, an event is added to the Perception Point X‑Ray event log. Each event in the log is assigned a high severity, and has the "Malicious File in Endpoint" type. This enables you to monitor the malicious events that are detected by SentinelOne - and shared with Perception Point X‑Ray. For details, see Events.
- If a malicious file detected by SentinelOne has been included in a Perception Point X‑Ray scan [based on the hash value of the file], a note will be added to the scan details in Perception Point X‑Ray, indicating that SentinelOne found the file to be malicious. A request will be automatically generated to the Perception Point IR Team to investigate the file.
From Perception Point X‑Ray to SentinelOne
For each malicious file that Perception Point X‑Ray was informed about by SentinelOne, Perception Point X‑Ray creates a note in the Incidents > Threats page in SentinelOne.
The notes indicate:
- Did Perception Point X‑Ray scan the file?
- If the file was scanned by Perception Point X‑Ray, what scan verdict did Perception Point X‑Ray originally assign to the file?
- What verdict did Perception Point X‑Ray assign to the file after analysis by the Perception Point IR Team?
Note: Malicious files that are detected in SentinelOne are included in the Events page in Perception Point X‑Ray. For details, see Events.
The SentinelOne integration procedure
Perform the 3-step procedure below to integrate Perception Point X‑Ray with SentinelOne.
Steps |
---|
Step 1 - Enabling and configuring Perception Point X‑Ray |
Step 2 - Configuring SentinelOne |
Step 3 - Verifying the integration |
Step 1: Activating and configuring the Perception Point X‑Ray-SentinelOne integration
This step activates and configures the Perception Point X‑Ray-SentinelOne integration in Perception Point X‑Ray.
In Perception Point X‑Ray
- In Perception Point X‑Ray, in the left navigation menu, select Account > Bundles and Channels.
- Make sure that a bundle is assigned that includes SentinelOne.
- Under Enabled Channels, locate "SentinelOne" and then click "Activate" located on the right.
  The Granting Access dialog box opens.
  Note: If the Activate button does not appear, SentinelOne may not have been successfully enabled by Perception Point Support. Contact Perception Point Support [support@perception-point.io] for assistance.
- Enter the required information, described below:
Configuration name
Enter your SentinelOne configuration name. Your SentinelOne configuration name is the text after https://, and ending with sentinelone.net, in your SentinelOne URL.
In the example below, the SentinelOne configuration name would be acme.sentinelone.net
Platform
[API Token]
Insert the SentinelOne API token.
To get the required API token:
- In the SentinelOne Management Console, click Settings in the left panel.
- Click Users in the top bar.
- Create a new user [click New User], or select an existing user.
  Note:
  - The user must be a "console" user - and not a "service" user.
  - The user must have the "Admin" role.
- Click Generate API token [or regenerate the token].
- When the API token appears, click Copy.
- Paste the token into the Platform field in Perception Point X‑Ray.
Note: Although the SentinelOne API token may be valid for only 30 days, the token will be automatically renewed before the period ends.
Account
Select all the endpoint operating systems (platforms) [Windows / Mac / Linux] that will be included in the Perception Point-SentinelOne integration. Each of the selected platforms will require its own configuration.
- Click "Next".
  The Granting Access for Windows/Linux/macOS dialog box opens. [The dialog boxes that appear depend on the platforms that you specified in Account above.]
You'll now need to copy this information from Perception Point X‑Ray into SentinelOne, as described in Step 2 below.
Step 2: Configuring SentinelOne
This step configures the Perception Point X‑Ray-SentinelOne integration in SentinelOne.
- In the SentinelOne Management Console, select Settings > Policy Override.
  Important: In the Policy Override, you can have only a single configuration for each operating system type (platform) [Windows / Mac / Linux]. If a configuration already exists in the Policy Override for any of the operating systems, in the step below, don't create a new configuration for that operating system, but rather modify [edit] the existing configuration.
- For each platform [Windows / Mac / Linux]:
  - Click New Configuration - to create a new configuration,
    - or -
  - Click the Edit icon - to edit the existing configuration.

Copy the information below from Perception Point X‑Ray into SentinelOne:

Perception Point X‑Ray | SentinelOne |
---|---|
Configuration name | Configuration name: Windows: Sha256; Linux: Sha256 Linux; Mac: Sha256 Mac |
Platform | Platform: Windows, Mac, or Linux |
Account | Account: The name of your organization. |
Configuration data | Configuration data: { "mgmtReportedHashes": 3 } |

- Click Next, and repeat the above copy-and-paste operations for any other operating system configuration dialog boxes that appear. You may have to repeat it for Windows, Linux, and Mac.
Your Perception Point-SentinelOne integration should now be functional.
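The Important note in Step 2 means that, for a platform that already has a Policy Override, the Configuration data above has to be added to what is already there. The sketch below is an added example, not Perception Point or SentinelOne code: it assumes the existing configuration data is a JSON object and that adding the key alongside the existing ones is the intended edit; `merge_policy_override` and the `exampleExistingSetting` key are hypothetical and constructed for illustration.

```python
import json

# Configuration data from Step 2 of this page.
XRAY_CONFIG_DATA = {"mgmtReportedHashes": 3}

# Constructed sample of an override that already exists for a platform.
# "exampleExistingSetting" is a placeholder, not a real SentinelOne key.
CONSTRUCTED_EXISTING = '{\n  "exampleExistingSetting": true\n}'


def _reject_duplicate_keys(pairs):
    """object_pairs_hook: fail on repeated keys instead of keeping the last."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r} in configuration data")
        obj[key] = value
    return obj


def merge_policy_override(existing_json, required=XRAY_CONFIG_DATA):
    """Return the existing configuration data with the required keys added.

    Hypothetical helper. Raises ValueError when the existing text is not a
    JSON object, repeats a key, or already sets a required key to another
    value, so nothing is overwritten silently.
    """
    text = existing_json.strip()
    existing = (json.loads(text, object_pairs_hook=_reject_duplicate_keys)
                if text else {})
    if not isinstance(existing, dict):
        raise ValueError("configuration data must be a JSON object")
    merged = dict(existing)
    for key, value in required.items():
        if key in merged and merged[key] != value:
            raise ValueError(
                f"{key!r} is already {merged[key]!r}, page requires {value!r}")
        merged[key] = value
    return json.dumps(merged, indent=2)


if __name__ == "__main__":
    # Text to paste into the Configuration data field when editing.
    print(merge_policy_override(CONSTRUCTED_EXISTING))
```

A conflict error means the existing override already sets `mgmtReportedHashes` to something else; resolve that with whoever owns the override before saving.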
Step 3: Verifying the integration
A while after performing the integration procedure above, you can verify that the integration is functioning, as follows:
- In Perception Point X‑Ray, open the Security Operations > Events page.
- Search for "Malicious File in Endpoint" and then look for entries in the SentinelOne channel.