Set up Device Security and Cortex XSOAR for SentinelOne Singularity Endpoint Integration

Table of Contents

Set up SentinelOne Singularity Endpoint for Integration

Set up Device Security and Cortex XSOAR for SentinelOne Singularity Endpoint Integration

Configure Cortex XSOAR with integration instances and jobs to import information from SentinelOne.

To import information from SentinelOne Singularity Endpoint to Device Security, configure Cortex Cortex XSOAR with integration instances and jobs. If you want to integrate with multiple SentinelOne Singularity Endpoint solutions, you need to create separate integration instances and jobs.

Before configuring an integration instance in Cortex XSOAR, Set up SentinelOne Singularity Endpoint for Integration and have the following information ready:

Your SentinelOne server URL
Your SentinelOne API token for Cortex XSOAR

To set up Device Security to integrate through a cloud-hosted Cortex XSOAR instance with an on-premises SentinelOne Singularity deployment, you must also add a Cortex XSOAR engine to your network. If you are integrating with a cloud instance of SentinelOne Singularity, or if you have an on-premises Cortex XSOAR server, you don't need to install a Cortex XSOAR engine.

Cortex XSOAR Engine Installation

Install a Cortex XSOAR engine to facilitate communications between cloud and on-premises systems.

An on-premises XSOAR engine facilitates communications between the Cortex XSOAR cloud and an on-premises SentinelOne Singularity server. To install a Cortex XSOAR engine, follow the Cortex instructions to Install a Cortex XSOAR Engine. For more information about general operating systems and hardware requirements, see the Cortex XSOAR Administrator Guide.

We recommend downloading the Cortex XSOAR engine using the shell installer script and installing it on a Linux machine. This simplifies the deployment by automatically installing all required dependencies and also enables remote engine upgrades.

The on-premises firewall must allow the Cortex XSOAR engine to form HTTPS connections on TCP port 443 to the Cortex cloud at https://<your-domain>.iot.demisto.live/. You can see the URL of your Cortex XSOAR instance when you log in to Device Security and click Integrations and then click Launch Cortex XSOAR. It’s visible in the address bar of the web page displaying the Cortex XSOAR interface.

To create an Cortex XSOAR engine, access the Cortex XSOAR interface (from Device Security, click Integrations and then click Launch Cortex XSOAR). In the Cortex XSOAR UI, click SettingsEngines+ Create New Engine. Choose Shell as the type.

For Cortex XSOAR engine installation instructions, see Engine Installation.

For help troubleshooting Cortex XSOAR engines, including installations, upgrades, connectivity, and permissions, see Troubleshoot Engines and Troubleshoot Integrations Running on Engines.

Configure Device Security and Cortex XSOAR

Configure the SentinelOne integration instance and jobs in Cortex XSOAR.

Log in to Device Security and from there access the SentinelOne instance settings in Cortex XSOAR.
1. Log in to Device Security and then click Integrations Integration Management Manage Integrations.
  
  Device Security uses Cortex XSOAR to integrate with SentinelOne Singularity, and the settings you must configure are in the Cortex XSOAR interface.
2. Launch Cortex XSOAR.
  
  The Cortex XSOAR interface opens in a new browser tab or window.
3. Click Settings in the left navigation menu to go to Integrations Instances, and search for SentinelOne to locate it among other instances.
Configure the settings for a SentinelOne integration instance.
1. Click the active integration instance settings icon, or click Add instance, to open the settings panel.
2. Enter the following settings and leave the others at their default values:
  
  Name: Use the default name or enter a new one to help you identify the instance.
  
  Server URL: Enter the URL of your SentinelOne Singularity server.
  
  API Token: Enter the API token for SentinelOne.
  
  Optional Last Seen: Enter the time range in days that you want to get device or vulnerability information from SentinelOne. Device Security polls for all vulnerabilities or devices identified or updated in the specified time. By default, the SentinelOne jobs retrieve devices or vulnerabilities last seen in the past one day.
  
  Optional Severity Levels: Select the severity levels for vulnerabilities that you want to import from SentinelOne to Device Security. By default, Device Security imports only vulnerabilities with a severity level of Critical.
  
  Optional Learn Device Software Components: Select if you want the import job to include information about software components running on the devices from SentinelOne.
  
  Cloud-based Cortex XSOAR Run on Single engine: When using a cloud-based Cortex XSOAR instance and an on-premises SentinelOne Singularity server, choose the Cortex XSOAR engine that you want to communicate with the SentinelOne server.
3. When finished, click Test or Test resultsRun test to test the integration instance.
  
  If the test is successful, a Success message appears. If not, check that the settings were entered correctly, and then test the configuration again.
4. After the test succeeds, click Save & exit to save your changes and close the settings panel.
Enable the SentinelOne integration instance.
Create a job for Cortex XSOAR to receive information from SentinelOne.

Depending on whether you want to send device details or get vulnerability information, select the appropriate playbook when configuring the job. If you want to run multiple playbooks, you must create separate jobs, one for each playbook. You can also create multiple jobs if you have multiple integration instances.
1. Click Jobs in the sidebar, and then click New Job to create a new Cortex XSOAR job.
2. Configure the following settings in the New Job panel:
  Recurring: Select this if you want to periodically run the job. Clear it if you want to run the job on-demand.
  Optional Every: If you selected Recurring, enter a number and set the interval value (Minutes, Hours, Days, or Weeks) and select the days on which to run the job. If you don't select specific days, then the job will run every day by default. This determines how often Cortex XSOAR queries SentinelOne for information. You can configure Queue Handling to determine what happens if a new job starts while an old job is still running.
  Name: Enter a name for the job.
  Playbook: Select the playbook depending on the type of job you're configuring:
  Import SentinelOne Devices to PANW IoT – Import assets and asset information from SentinelOne.
  Import SentinelOne Open Vulnerabilities to PANW IoT – Get all known open vulnerabilities from SentinelOne SentinelOne Singularity.
  Integration Instance Name: Enter the name of the SentinelOne integration instance.
Enable the job and run it.

Check the Job Status for the job you created. If it's Disabled, select its checkbox and then click Enable.

You can immediately run the job by selecting it and clicking Run now. Otherwise, if you scheduled a recurring job, then the enabled job will run as scheduled.
Return to Device Security and check the status of the SentinelOne Singularity integration instance.
An integration instance can be in one of the following four states, which Device Security displays in the Status column on the Integrations page:
- Active — the integration was configured and enabled and is functioning properly.
  Disabled — either the integration was configured but intentionally disabled or it was never configured and a job that references it is enabled and running.
- Error — the integration was configured and enabled but is not functioning properly, possibly due to a configuration error or network condition.
- Inactive — the integration was configured and enabled but no job has run for at least the past 60 minutes.
When you see that the status of an integration instance is Active, its setup is complete.