SentinelOne Integration

Step 1 - Create Webhook for SentinelOne

  • Visit the Webhooks page in Binalyze AIR,

  • Click the "+ New Webhook" button in the upper right corner,

  • Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.),

  • Select "Sentinel One Webhook Parser" as the parser for this webhook,

  • Select the Acquisition Profile that AIR should run on the endpoint when SentinelOne activates this webhook,

  • Set the Ignore window or keep its default (24 hours: repeated alerts for the same endpoint within that window do not trigger a new acquisition),

  • Provide other settings such as Evidence Repository, CPU Limit, Compression & Encryption to use or let AIR configure them automatically based on the matching policy

  • Click the "Save" button.

  • Copy the Webhook URL for Step 2.

Step 2 - Setting up SentinelOne

  • Find Singularity XDR Webhook in the marketplace and click Configure

  • Click and expand the dropdown menu:

    • Select the box under Response Actions: Make "Hooks" available as "Manual Response Actions" from Threats

    • Give an explanatory Threat Response Action Name

    • Select a relevant "Options for triggering"

    • Paste the Webhook URL copied in Step 1 into the URL field (treat it as a secret: anyone who holds it can trigger acquisitions in AIR)

    • Select POST as the Action

    • Choose Full Threat Details in Webhook Request Body

    • Insert the following header into the Headers field:

      {"Content-Type": "application/json"}

    • Select Always send body (AIR needs the threat body to identify the endpoint)

    • Click Next

  • Select your organization and site in the Access Level

  • Click Install.
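Before relying on the integration during an incident, it is worth sending one test request that mirrors what the marketplace app will send: a POST to the AIR Webhook URL with a JSON Content-Type header and a JSON body. The script below is an added example, not Binalyze or SentinelOne code. It assumes the webhook URL is provided in an AIR_WEBHOOK_URL environment variable (so the URL, which is effectively a bearer credential, is not written into a script), and the body it sends is a constructed placeholder, not the real "Full Threat Details" schema; which fields AIR's "Sentinel One Webhook Parser" actually reads is not documented on this page.

```python
"""Send a test POST to a Binalyze AIR webhook the way the SentinelOne
marketplace Webhook action is configured above: POST, JSON header, JSON body.

Added example, not Binalyze/SentinelOne code. Assumptions:
  - AIR_WEBHOOK_URL holds the URL copied in Step 1,
  - SAMPLE_THREAT is a constructed stand-in, not SentinelOne's real payload.
"""
import json
import os
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Constructed placeholder body (field names are assumptions, not the S1 schema).
SAMPLE_THREAT = {
    "threatInfo": {
        "threatName": "EICAR-Test-File",
        "classification": "Malware",
    },
    "agentDetailedInfo": {
        "agentComputerName": "WS-TEST-01",
    },
}


def build_request(url, body):
    """Build the request exactly as the marketplace action is configured:
    POST, Content-Type: application/json, JSON-encoded body.

    Only https:// URLs are accepted: the webhook URL is the only thing AIR
    requires to start an acquisition, so it must not travel in clear text."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("webhook URL must be an https:// URL")
    data = json.dumps(body).encode("utf-8")
    return urllib.request.Request(
        url,
        data=data,
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def send_test(url, body=SAMPLE_THREAT, timeout=10):
    """POST the body and return (status_code, response_text).

    HTTP error responses are returned rather than raised so the caller can
    see AIR's reply (e.g. a parser rejecting the placeholder body)."""
    req = build_request(url, body)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    webhook_url = os.environ.get("AIR_WEBHOOK_URL")
    if not webhook_url:
        sys.exit("set AIR_WEBHOOK_URL to the Webhook URL copied in Step 1")
    status, text = send_test(webhook_url)
    print(status, text[:200])
```

Run it as `AIR_WEBHOOK_URL='https://...' python3 test_webhook.py`; a 2xx reply confirms the URL and header are accepted, while a 4xx with a parser error means the body shape, not the wiring, is the problem. Remember the Ignore window from Step 1: a second test for the same endpoint inside the default 24 hours will be dropped by AIR, so do not read a silent second run as a failure.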
