SentinelOne Integration

Step 1 - Create Webhook for SentinelOne
  • Visit the Webhooks page in Binalyze AIR,
  • Click the "+ New Webhook" button in the upper right corner,
  • Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.),
  • Select "Sentinel One Webhook Parser" as the parser for this webhook,
  • Select the Acquisition Profile to run when SentinelOne activates this webhook,
  • Set the Ignore option or leave it at its default value (24 hours for recurrent alerts from a single endpoint),
  • Provide other settings such as Evidence Repository, CPU Limit, Compression & Encryption, or let AIR configure them automatically based on the matching policy,
  • Click the "Save" button,
  • Copy the Webhook URL for use in Step 2.
Step 2 - Setting up SentinelOne
  • Find Singularity XDR Webhook in the marketplace and click Configure
  • Click and expand the dropdown menu:
    • Select the box under Response Actions: Make "Hooks" available as "Manual Response Actions" from Threats
    • Give an explanatory Threat Response Action Name
    • Select a relevant "Options for triggering"
    • Paste the Webhook URL copied in Step 1 into the URL field
    • Select POST as the Action
    • Choose Full Threat Details as the Webhook Request Body
    • Insert the following header into the Headers field:
      {"Content-Type": "application/json"}
    • Select Always send body
    • Click Next
  • Select your organization and site in the Access Level
  • Click Install.
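An illustration of what the receiving side of this setup has to handle once SentinelOne fires the action, added here as an example (not Binalyze's or SentinelOne's code): it checks the Content-Type header set in Step 2, parses the JSON body, and applies the per-endpoint 24-hour ignore window from Step 1. The payload field path (agentDetectionInfo.agentComputerName), the in-memory receiver and the sample request are assumptions.

```python
# Illustrative receiver (not Binalyze's or SentinelOne's code) for the POST that
# Step 2 configures: JSON Content-Type, full-threat body, per-endpoint ignore window.
import json
from datetime import datetime, timedelta

IGNORE_WINDOW = timedelta(hours=24)  # the page's default for recurrent alerts


class WebhookReceiver:
    """Parses a threat post and decides whether an acquisition should be triggered."""

    def __init__(self, ignore_window=IGNORE_WINDOW):
        self.ignore_window = ignore_window
        self.last_trigger = {}  # endpoint name -> time of the last triggered acquisition

    def handle(self, headers, body, now):
        """Return ('trigger' | 'ignored' | 'rejected', endpoint name or reason)."""
        hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
        if ctype != "application/json":
            return ("rejected", "unexpected Content-Type: %r" % ctype)
        try:
            threat = json.loads(body)
        except ValueError:
            threat = None
        if not isinstance(threat, dict):
            return ("rejected", "body is not a JSON object")
        # The field path below is an assumption about the 'Full Threat Details' payload.
        endpoint = threat.get("agentDetectionInfo", {}).get("agentComputerName")
        if not endpoint:
            return ("rejected", "no endpoint name in payload")
        last = self.last_trigger.get(endpoint)
        if last is not None and now - last < self.ignore_window:
            return ("ignored", endpoint)  # recurrent alert inside the ignore window
        self.last_trigger[endpoint] = now
        return ("trigger", endpoint)


# Constructed sample request, not a real SentinelOne capture.
SAMPLE_HEADERS = {"Content-Type": "application/json"}
SAMPLE_BODY = json.dumps({"agentDetectionInfo": {"agentComputerName": "WS-FINANCE-07"}})


def demo():
    rx = WebhookReceiver()
    t0 = datetime(2024, 1, 1, 9, 0)
    first = rx.handle(SAMPLE_HEADERS, SAMPLE_BODY, t0)
    repeat = rx.handle(SAMPLE_HEADERS, SAMPLE_BODY, t0 + timedelta(hours=3))
    later = rx.handle(SAMPLE_HEADERS, SAMPLE_BODY, t0 + timedelta(hours=25))
    bad = rx.handle({"content-type": "text/plain"}, SAMPLE_BODY, t0)
    return first, repeat, later, bad
```

Running demo() shows the second alert from the same endpoint being ignored inside the window and the one after 25 hours triggering again.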