SentinelOne

SentinelOne Singularity™ Endpoint Integration

The goal of this document is to assist in configuring Clear NDR® to interact with SentinelOne Singularity Endpoint and to provide webhook examples.

SentinelOne Singularity Configuration

In your SentinelOne Singularity dashboard, register a new OAuth client to obtain the authentication token; it is used as the ApiToken value in the webhook headers below.

Clear NDR® Configuration

Log in to Clear NDR® and navigate to the Administration site by clicking on any of the entries below Administration on the left-hand side:


In the Administration site, click on Integrations in the drop-down menu in the top left:


Create a WebHook that will send an API command to SentinelOne:

| Variable | Purpose |
| --- | --- |
| Name | Name of the webhook you want to create |
| Hook | The alert you want to send to SentinelOne |
| URL | SentinelOne API URL |
| Headers | WebHook header |
| HTTP Method | The HTTP method expected by the API endpoint |
| Template format | The format of the request |
| Template content | The actual content of the request |

SentinelOne webhook examples

Webhook 1 - Send a message to the user

Name: S1TestMessage

Hook: Threat on Asset

URL: https://usea1-partners.sentinelone.net/web/api/v2.1/agents/actions/broadcast

Headers:

Content-Type: application/json
Authorization: ApiToken <Auth Token>

HTTP method: POST

Template format: Json

Template content:

{
  "filter": {
    "networkInterfaceInet__contains": "{{ asset.value }}"
  },
  "data": {
    "message": "Threat '{{ threat.name }}' has been detected on your computer. Your network has been disconnected"
  }
}

Verify HTTPS certificate: On

Use system proxy: On

Choose Tenant: Tick the relevant tenant

How this would look in Clear NDR®: [screenshot of the completed webhook form]

Webhook 2 - Isolate the machine

Name: S1Disconnect

Hook: Threat on Asset

URL: https://usea1-partners.sentinelone.net/web/api/v2.1/agents/actions/disconnect

Headers:

Content-Type: application/json
Authorization: ApiToken <Auth Token>

HTTP method: POST

Template format: Json

Template content:

{
  "filter": {
    "networkInterfaceInet__contains": "{{ asset.value }}",
    "groupIds": "<Group ID>"
  },
  "data": {}
}

Verify HTTPS certificate: On

Use system proxy: On

Choose Tenant: Tick the relevant tenant
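As an added example (not part of the Clear NDR® or SentinelOne documentation), the following Python renders the two webhook templates above against a constructed Threat on Asset event, JSON-escapes each substituted value so a threat name containing quotes cannot produce a malformed request body, and refuses to build a request when the asset value is not an IP address (the filter matches on networkInterfaceInet). The event field names, the dry-run structure and the function names are assumptions.

```python
import ipaddress
import json
import re

# Templates as configured in the two webhooks on this page; "<Group ID>" is the page's placeholder.
S1_BASE = "https://usea1-partners.sentinelone.net/web/api/v2.1"
BROADCAST_TEMPLATE = """{
  "filter": {"networkInterfaceInet__contains": "{{ asset.value }}"},
  "data": {"message": "Threat '{{ threat.name }}' has been detected on your computer. Your network has been disconnected"}
}"""
DISCONNECT_TEMPLATE = """{
  "filter": {"networkInterfaceInet__contains": "{{ asset.value }}", "groupIds": "<Group ID>"},
  "data": {}
}"""

PLACEHOLDER = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")  # matches {{ asset.value }} style variables

def lookup(event, dotted):
    """Resolve a dotted variable name such as 'threat.name' against the event dict."""
    cur = event
    for part in dotted.split("."):
        cur = cur[part]
    return cur

def render(template, event):
    """Substitute placeholders, JSON-escaping each value so quotes or backslashes
    in a threat name cannot break the body; the result is parsed to prove it is valid JSON."""
    def sub(match):
        return json.dumps(str(lookup(event, match.group(1))))[1:-1]  # escaped, without outer quotes
    body = PLACEHOLDER.sub(sub, template)
    json.loads(body)  # raises ValueError if the rendered body is not valid JSON
    return body

def build_request(action, event, api_token):
    """Return (url, headers, body) for the 'broadcast' or 'disconnect' action without sending it."""
    ipaddress.ip_address(event["asset"]["value"])  # ValueError: refuse non-IP asset values
    template = {"broadcast": BROADCAST_TEMPLATE, "disconnect": DISCONNECT_TEMPLATE}[action]
    headers = {"Content-Type": "application/json", "Authorization": f"ApiToken {api_token}"}
    return f"{S1_BASE}/agents/actions/{action}", headers, render(template, event)

# Constructed sample "Threat on Asset" event (assumed field names mirroring the template variables).
SAMPLE_EVENT = {"asset": {"value": "10.0.0.25"},
                "threat": {"name": 'ET MALWARE Cobalt Strike "Beacon" C2'}}

if __name__ == "__main__":
    url, headers, body = build_request("broadcast", SAMPLE_EVENT, "<Auth Token>")
    print(url, headers, body, sep="\n")
```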