Comprehensive Guide to SentinelOne API Integration

Welcome to the comprehensive guide on integrating SentinelOne API into your systems. This article will provide you with all the necessary information to effectively collect and manage data from the SentinelOne Management Console. By following the steps outlined here, you will be able to securely store authentication, scheduling, and tracking information required for successful integration.

Understanding SentinelOne API Data Collection

The SentinelOne Mgmt API Source facilitates the collection of data from various object types within the SentinelOne console. These object types include activities, agents, and threats. Once you create the Source, it will immediately begin collecting historical data and maintain a polling interval of five minutes to ensure real-time updates.

Tracking SentinelOne API Source States

A SentinelOne Mgmt API Source constantly monitors its health, start-up progress, and any errors encountered during the integration process. Through the use of Health Events, you will receive real-time notifications regarding the connection status and any user action required. The Source progresses through several states upon creation:

  1. Pending: The Source is submitted, validated, and stored in a pending state.
  2. Started: A collection task is created on the Hosted Collector.
  3. Initialized: The task configuration is completed in Sumo Logic.
  4. Authenticated: The Source successfully authenticates with SentinelOne.
  5. Collecting: The Source actively collects data from SentinelOne.

If any issues arise during these states, the Source is marked as Error. When you delete a Source, it transitions to the Stopping state and is deleted from your Hosted Collector once successfully stopped. To monitor the health and status of your Sources, visit the Collection page and utilize the Health Events feature.

You can hover your mouse over the status icon to access a tooltip with a count of detected errors and warnings. Clicking on the status icon opens a Health Events panel that provides detailed information about each issue.

Authenticating Your SentinelOne API Source

To authenticate your SentinelOne Mgmt API Source, you need an API token associated with your SentinelOne account. Follow these steps to generate an API token:

  1. Log in to the SentinelOne Management Console using Admin user credentials.
  2. Access the Settings section.
  3. Click on Users within the Settings view.
  4. Create a new user with Admin privileges.
  5. Log in to the console using the newly created user’s credentials.
  6. Navigate to Settings > Users.
  7. Select the new console user.
  8. Click on Options.
  9. Choose Generate API token.
  10. Copy or download the generated API Token.

Creating a SentinelOne Mgmt API Source

Before creating a SentinelOne Mgmt API Source, identify the Hosted Collector you want to use or create a new one. Follow these steps to configure your Source:

  1. In the Sumo Logic platform, select Manage Data > Collection > Collection.
  2. On the Collectors page, click Add Source next to the desired Hosted Collector.

  3. Choose SentinelOne Mgmt API as the source type.
  4. Provide a desired Name for the Source (this will be displayed in the Sumo web application). You can also include an optional description.
  5. Assign a Source Category (a string used to tag the collected output) if desired.
  6. Enable Forward to SIEM if you want to send your data to Cloud SIEM Enterprise. This option configures metadata fields for compatibility.
  7. Use the Fields feature to define additional metadata fields associated with the Source.
  8. Enter your SentinelOne Management URL in the Base URL field.
  9. Provide the API Token obtained from the SentinelOne Management Console in the API Token field.
  10. Select the desired APIs to collect: activities, agents, and threats.
  11. Once the configuration is complete, click Submit.

Understanding SentinelOne API Error Types

Sumo Logic employs Health Events to track any issues encountered during SentinelOne API integration. Here are the possible error types along with their characteristics:

ThirdPartyConfig: This error occurs due to an invalid configuration. You need to review and update the Source configuration to resolve it. No automatic retries are attempted until the Source is updated. Health Event Name: ThirdPartyConfigError.

ThirdPartyGeneric: Errors related to communication with third-party service APIs fall into this category. The Source will attempt indefinite retries to establish communication. Health Event Name: ThirdPartyGenericError.

FirstPartyGeneric: Errors arising from communication issues with internal Sumo Logic APIs belong here. Similar to ThirdPartyGeneric errors, the Source will retry indefinitely. Health Event Name: FirstPartyGenericError.

Restarting Your Source

If your Source encounters ThirdPartyConfig errors, you can easily restart it through the Sumo Logic UI or Sumo Logic API.

UI Restart

To restart your Source within the Sumo Logic platform, follow these steps:

  1. Open the Collection page and navigate to Manage Data > Collection > Collection.
  2. Select the Source and click the information icon on the right side of the row.
  3. In the API usage information popup, click the Restart Source button at the bottom left.
  4. Confirm the restart request.
  5. You will receive a notification once the request is successfully processed.

API Restart

To restart your Source using the Sumo Management API, use the following method and example endpoint:

  • Method: POST
  • Example endpoint: api.sumologic.com

Please note that Sumo Logic endpoints may vary based on the deployment location. For more information, refer to the Sumo Logic Endpoints documentation.

JSON Configuration

You can configure SentinelOne Mgmt API Sources using UTF-8 encoded JSON files and the Collector Management API. This method offers flexibility and ease of management. Visit the SentinelOne documentation for details on configuring Sources using JSON.

The JSON configuration for a SentinelOne Mgmt API Source includes the following parameters:

  • config: Contains the configuration parameters for the Source.
  • schemaRef: Set to {"type":"SentinelOne Mgmt API"}.
  • sourceType: Set to Universal.

The following table provides details on the config parameters for a SentinelOne Mgmt API Source:

Parameter      | Type             | Required? | Default | Description                                                                                   | Access
---------------|------------------|-----------|---------|-----------------------------------------------------------------------------------------------|-----------
name           | String           | Yes       | None    | A unique name for the Source. Assigned to the metadata field _source.                         | Modifiable
description    | String           | No        | None    | A description of the Source.                                                                  | Modifiable
category       | String           | No        | None    | A category for the Source. Assigned to the metadata field _sourceCategory.                    | Modifiable
fields         | JSON Object      | No        | None    | Key-value fields (metadata) associated with the Collector or Source.                          | Modifiable
base_url       | String           | Yes       | None    | The SentinelOne Management URL in the format: https://<your_management_url>.                  | Modifiable
api_secret     | String           | Yes       | None    | Your API Token from SentinelOne for authenticating collection requests.                       | Modifiable
supported_apis | Array of Strings | Yes       | None    | The available APIs to collect: activities, agents, and threats.                               | Modifiable

Example JSON configuration for SentinelOne Mgmt API Source:

{
  "config": {
    "name": "<Name of the Source>",
    "description": "<Description of the Source>",
    "category": "<Category of the Source>",
    "fields": {},
    "base_url": "https://<your_management_url>",
    "api_secret": "<Your_API_Token>",
    "supported_apis": ["activities", "agents", "threats"]
  },
  "schemaRef": {
    "type": "SentinelOne Mgmt API"
  },
  "sourceType": "Universal"
}
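As an added example (not Sumo Logic's or SentinelOne's own code), the Python helper below builds a Source definition in the shape shown above and checks it against the parameter table before submission, so an unfilled base_url placeholder, a missing required parameter or a typo in supported_apis is caught locally rather than surfacing later as a ThirdPartyConfig error. The function names build_source, validate_source and redact, the top-level config key, and the bare-host form of base_url are assumptions.

```python
import copy
import re

SUPPORTED_APIS = {"activities", "agents", "threats"}
REQUIRED = {"name": str, "base_url": str, "api_secret": str, "supported_apis": list}
OPTIONAL = {"description": str, "category": str, "fields": dict}
# Assumption: the Management URL is a bare https host, with no path or trailing slash.
BASE_URL_RE = re.compile(r"https://[A-Za-z0-9.-]+")


def build_source(name, base_url, api_secret, supported_apis,
                 description=None, category=None, fields=None):
    """Assemble a Source definition in the shape of the JSON example above."""
    config = {"name": name, "base_url": base_url, "api_secret": api_secret,
              "supported_apis": list(supported_apis), "fields": dict(fields or {})}
    if description is not None:
        config["description"] = description
    if category is not None:
        config["category"] = category
    return {"config": config, "schemaRef": {"type": "SentinelOne Mgmt API"},
            "sourceType": "Universal"}


def validate_source(source):
    """Return the problems that would otherwise come back as a ThirdPartyConfig error."""
    problems = []
    if source.get("schemaRef") != {"type": "SentinelOne Mgmt API"}:
        problems.append('schemaRef must be {"type": "SentinelOne Mgmt API"}')
    if source.get("sourceType") != "Universal":
        problems.append("sourceType must be Universal")
    cfg = source.get("config", {})
    for key, typ in {**REQUIRED, **OPTIONAL}.items():
        if key in cfg and not isinstance(cfg[key], typ):
            problems.append(f"{key} must be of type {typ.__name__}")
    for key in REQUIRED.keys() - cfg.keys():
        problems.append(f"missing required parameter {key}")
    url = cfg.get("base_url")
    if isinstance(url, str) and not BASE_URL_RE.fullmatch(url):
        problems.append("base_url must look like https://<your_management_url>")
    apis = cfg.get("supported_apis")
    if isinstance(apis, list):
        if not apis:
            problems.append("supported_apis must name at least one API")
        problems += [f"unsupported API {a!r}" for a in apis if a not in SUPPORTED_APIS]
    return problems


def redact(source):
    """Deep copy that is safe to log or diff: the API token is masked, the original untouched."""
    out = copy.deepcopy(source)
    if "api_secret" in out.get("config", {}):
        out["config"]["api_secret"] = "***REDACTED***"
    return out
```

Run validate_source on the definition before sending it to the Collector Management API, and log only the redact copy so the SentinelOne token never lands in logs or tickets.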

With this comprehensive guide, you now have all the information needed to seamlessly integrate SentinelOne API into your systems. For further assistance or more details, visit ProgramMatek to explore additional resources and support. Happy integrating!