SentinelOne Integration

Step 1 - Create Webhook for SentinelOne

• Visit the Webhooks page in Binalyze AIR,

• Click the "+ New Webhook" button in the upper right corner,

• Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.),

• Select "Sentinel One Webhook Parser" as the parser for this webhook,

• Select an Acquisition Profile when SentinelOne activates this webhook,

• Select the Ignore option or leave with its default value (defaults to 24 hours for recurrent alerts for a single endpoint),

• Provide other settings such as Evidence Repository, CPU Limit, Compression & Encryption to use or let AIR configure them automatically based on the matching policy

• Click the "Save" button.

• Copy the Webhook URL for Step 2.

Step 2 - Setting up SentinelOne

• Find Singularity XDR Webhook in the marketplace and click Configure

• Click and expand the dropdown menu:

  • Select the box under Response Actions: Make "Hooks" available as "Manual Response Actions" from Threats

  • Give an explanatory Threat Response Action Name

  • Select a relevant "Options for triggering"

  • Paste the webhook created in Step 1 to the URL field

  • Select POST in Action

  • Choose Full Threat Details in Webhook Request Body

  • Insert the following header into the Headers

    Copy

    {"Content-Type": "application/json"}

  • Select Always send body

  • Click Next

• Select your organization and site in the Access Level

• Click Install.