SentinelOne Singularity Endpoint
You can integrate SentinelOne Singularity Endpoint with Sophos Central so that it sends data to Sophos.
You need an API token from Singularity Endpoint.
The key steps are as follows:
- Create a service user and API token in Singularity Endpoint.
- Configure an integration in Sophos Central.
Create a service user and API token
Create a service user account as follows. This generates the API token you need.
Note
We recommend that you create a service user account instead of a user account. The user API token expires after 30 days.
- Go to https://<organization-name>.sentinelone.net, where <organization-name> is the prefix that SentinelOne provided for your company.
- Sign in to the SentinelOne console with administrator permissions.
- Hover over the SentinelOne logo to open the menu.
- Click Settings.
- Click the USERS tab.
- In the menu, click Service Users.
- In the Actions list, select Create New Service User.
- In the Create New Service User dialog, enter the following settings:
  - Name: Enter a name for the user. For example, "Sophos integration".
  - Description: (Optional) Enter a description for this user.
  - Expiration Date: Select 2 Years. Alternatively, you can set a custom expiration date.
- Click Next.
- In Select Scope of Access, do as follows:
  - If you manage multiple customers, click Site and select the site belonging to the customer that you're configuring integration for.
  - If you manage only one customer, click Account and select the account that the user should have access to.
- In Role type, select Viewer.
- Click Create User.
- In the API Token dialog, copy the API Token value, and save it in a safe, encrypted location. You'll provide it to Sophos Central later.
- Close the dialog and sign out of the account.
Configure an integration
To integrate Singularity Endpoint with Sophos Central, do as follows:
- In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
- Click SentinelOne Singularity Endpoint.
  The SentinelOne Singularity Endpoint page opens. You can configure integrations here and see a list of any you've already configured.
- In Data Ingest (Security Alerts), click Add Configuration.
  Note
  If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.
- In Integration steps, do as follows:
  - Enter the Integration name and Integration description.
  - Enter the Authentication details as follows:
    - API token: This is the token value you got from SentinelOne earlier.
    - API version: This is 2.1.
    - Base URL: This is the URL you use to manage your account and is usually in the following format: https://<organization-name>.sentinelone.net/web.
- Click Save.
We create the integration and it appears in your list. If the status icon shows Healthy, your data should appear in the Sophos Data Lake after validation.
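As an added example (not part of the Sophos or SentinelOne documentation), the following Python pre-flight check validates the three Authentication values before you enter them in Sophos Central, and computes a date to replace the token before it expires. It treats the usual Base URL format as required; the function names and the 730-day figure used for "2 Years" are assumptions of this sketch.

```python
from datetime import date, timedelta
from urllib.parse import urlsplit

EXPECTED_API_VERSION = "2.1"               # value stated on this page
EXPECTED_HOST_SUFFIX = ".sentinelone.net"  # from the usual Base URL format
EXPECTED_PATH = "/web"


def check_settings(base_url, api_version, api_token):
    """Return a list of problems; an empty list means the values look right."""
    problems = []
    url = urlsplit(base_url.strip())
    host = url.hostname or ""
    if url.scheme != "https":
        problems.append("Base URL must use https")
    if url.username or url.password:
        problems.append("Base URL must not embed credentials")
    # Suffix match on the parsed host, so look-alike hosts such as
    # acme.sentinelone.net.example.com are rejected.
    if not (host.endswith(EXPECTED_HOST_SUFFIX) and len(host) > len(EXPECTED_HOST_SUFFIX)):
        problems.append("Base URL host is not <organization-name>.sentinelone.net")
    if url.path.rstrip("/") != EXPECTED_PATH:
        problems.append("Base URL path is not /web")
    if url.query or url.fragment:
        problems.append("Base URL has a query string or fragment")
    if api_version.strip() != EXPECTED_API_VERSION:
        problems.append("API version must be 2.1")
    # Whitespace or line breaks inside a token usually mean copy/paste damage.
    if not api_token or any(c.isspace() for c in api_token):
        problems.append("API token is empty or contains whitespace")
    return problems


def rotation_reminder(created, lifetime_days, lead_days=30):
    """Date to start replacing the token, lead_days before it expires."""
    return created + timedelta(days=lifetime_days - lead_days)


if __name__ == "__main__":
    # Constructed sample values; the token is a placeholder, not a real secret.
    for issue in check_settings("http://acme.sentinelone.net", "2.0", "PLACEHOLDER TOKEN"):
        print("FIX:", issue)
    # Assumption: "2 Years" is approximated as 730 days.
    print("Rotate from:", rotation_reminder(date(2024, 1, 1), 730))
```

Run it with the real values read from your secret store rather than typed on the command line, so the token does not end up in shell history.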