# SentinelOne Integration

**Step 1 - Create Webhook for SentinelOne**

* Visit the **Webhooks** page in AIR,
* Click the "**+ New Webhook**" button in the upper right corner,
* Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.),
* Select "**Sentinel One Webhook Parser**" as the parser for this webhook,
* Select the **Acquisition Profile** to use when SentinelOne activates this webhook,
* Set the **Ignore** option or leave it at its default value (defaults to 24 hours for recurrent alerts for a single endpoint),
* Provide other settings such as **Evidence Repository**, **CPU Limit**, and **Compression & Encryption**, or let AIR configure them automatically based on the matching policy,
* Click the "**Save**" button.
* Copy the Webhook URL for Step 2.

**Step 2 - Setting up SentinelOne**

* Find **Singularity XDR Webhook** in the marketplace and click **Configure**
* Click and expand the dropdown menu:
  * Select the box under **Response Actions**: **Make "Hooks" available as "Manual Response Actions" from Threats**
  * Give an explanatory **Threat Response Action Name**
  * Select a relevant **"Options for triggering"**
  * Paste the Webhook URL copied in Step 1 into the **URL field**
  * Select POST in **Action**
  * Choose **Full Threat Details** in **Webhook Request Body**
  * Insert the following header into **Headers**:

    ```
    {"Content-Type": "application/json"}
    ```
  * Select **Always send body**
  * Click **Next**
* Select your organization and site under **Access Level**
* Click **Install**.
