SentinelOne¶

SentinelOne Singularity™ Endpoint Integration¶

The goal of this document is to assist in configuring Clear NDR^® to interact with SentinelOne Singularity Endpoint and provide WebHooks examples.

SentinelOne Singularity Configuration¶

In your SentinelOne Singularity dashboard, register an new OAuth client to get the authentication token

Clear NDR^® Configuration¶

Log in to Clear NDR^® and navigate the Administration site by clicking on any words below Administration on the left hand side:

In the Administration site, click on Integrations in the drop down menu in the top left:

Create a WebHook that will send an API command to SentinelOne:

Variable	Purpose
Name	Name of the webhook you want to create
Hook	The alert you want to send to Sentinel One
URL	SentinelOne API URL
Headers	WebHook header
HTTP Method	The HTTP method expected by the API endpoint
Template format	The format of the request
Template content	The actual content of the request

SentinelOne Webhooks examples¶

Webhook 1 - Send a message to the user

Name: S1TestMessage

Hook: Threat on Asset

URL: https://usea1-partners.sentinelone.net/web/api/v2.1/agents/actions/broadcast

Headers:

Content-Type: application/json
Authorization: ApiToken <Auth Token>

HTTP method: POST

Template format: Json

Template content:

{
  "filter": {
   "networkInterfaceInet__contains": "{{ asset.value }}"
},
  "data": {
    "message": "Threat '{{ threat.name }}' has been detected on your computer.  Your network has been disconnected"
  }
}

Verify HTTPS certificate: On

Use system proxy: On

Choose Tenant: Tick the relevant tenant

How this would look in Clear NDR^®:

Webhook 2 - Isolate the machine

Name: S1Disconnect