SentinelOne Singularity Data Lake

Configure the connectors for SentinelOne Singularity Data Lake.

In this guide, you will integrate your SentinelOne Singularity Data Lake environment with Radiant.

You'll generate an API key in SentinelOne Singularity Data Lake to allow Radiant to query the endpoint telemetry events required for triage on demand.

Important note: This connector is used alongside the SentinelOne Deep Visibility Alerts connector to collect in triage alerts. In order to enable Radiant to collect alerts, configuration of the other connector is required.

At the end of this configuration, you will provide the following values:

  • API Token

  • API Base URL for example: https://xdr.us1.sentinelone.net

Prerequisites

Create the API Key

  1. Log into your SentinelOne console with an Admin role account.

  2. Hover your cursor over the SentinelOne logo to open the navigation pane.

  3. Select Visibility to access Singularity Data Lake, this will redirect to a new console. Copy the URL of the SDL console as the value for the API Base URL.

  4. In the top right corner, click on your username, and then click API Keys.

  5. In the Log Access Keys section, click Add Key and Add Read Key to generate a new key.

  6. Use the Copy to Clipboard button next to the key, or the Show Keys button to copy the key. You will need to provide this value to Radiant Security at the end of the configuration.

Add the data connector in Radiant Security

  1. Log in to Radiant Security.

  2. From the navigation menu, select Settings > Data Connectors and click + Add Connector.

  3. Search for and select the SentinelOne Singularity Data Lake option from the list and then click Data Feeds.

  4. Click Credentials.

  5. Give the credential an identifiable name (e.g. SentinelOne SDL Credentials).

  6. Under API Base URL, paste in your SentinelOne that you copied in step 3 of Create the API Key section.

  7. Under API Token, paste the token key that you copied in step 6 of Create the API Key section.

What data Singularity Data Lake collects

Singularity Data Lake collects telemetry data only. To collect alerts and device information, you must pair Singularity Data Lake with the SentinelOne Deep Visibility Alerts connector. To do this, follow the steps below.

Create a role and add the necessary permissions

  1. Log into your SentinelOne console with an Admin role account.

  2. Hover your cursor over the SentinelOne logo to open the navigation pane.

  3. Select Settings and then click the USERS tab.

  4. In the navigation pane, select Roles.

  5. From the Actions drop-down menu, select New Role.

  6. In the dialog box, fill in the following information:

    • Role Name: Radiant Security Service Role

    • Description: Radiant Security API Service Role

  7. Find and add the following permissions to give Radiant Security access to read data:

    • Endpoints: View, View Threats, and Search on Deep Visibility

    • Endpoint Threats: View

    • SDL Data: View and View EDR

    • SDL Search (Formerly Skylight): View

  8. This step is optional. Find and add the following permissions to give Radiant Security access to take certain actions in your environment:

    • Endpoints: Disconnect from Network and Reconnect to Network

    • Blocklist: View, Edit, Delete, and Create

    • Full Disk Scan: Initiate Scan and Abort Scan

  9. Click Save.

Create a service user and generate the API token

  1. Log into your SentinelOne console with an Admin role account.

  2. Hover your cursor over the SentinelOne logo to open the navigation pane.

  3. Select Settings and then click the USERS tab.

  4. In the navigation pane, select Service Users.

  5. From the Actions drop-down menu, select Create New Service User.

  6. In the dialog box, fill in the service account information:

    • Name: radiant_api_service

    • Description: Radiant Security API Service Account

    • Expiration Date: 1 Years

  7. Click Next.

  8. If you manage multiple customers:

    • Under Select Scope of Access, click Site.

    • Select the site that belongs to the customer that you are configuring monitoring for.

  9. If you do not manage multiple customers:

    • Under Select Scope of Access, click Account.

    • Select the account that the user should have access to.

  10. From the role type drop-down menu, select the Radiant Security Service Role created in the previous steps.

  11. Click Create User to save the newly created user.

  12. In the API Token dialog box, copy the API Token value to provide to Radiant Security.

Important note: Be sure to copy and store the API token value carefully, as it cannot be retrieved later. This will be provided to Radiant Security in the next section.

Add the credentials in Radiant Security

  1. Log in to Radiant Security.

  2. From the navigation menu, select Settings > Credentials and click + Add Credential.

  3. Select SentinelOne from the list and click Configure Credential.

  4. Under Credential Name, give the credential an identifiable name (e.g. SentinelOne Deep Visibility Credentials).

  5. Under API Base URL, paste in your SentinelOne console base URL in the format https://<host>.sentinelone.net

  6. Under API Token, paste the token that you copied in a previous step.

  7. Click Add Credential to save the changes.

Add the Deep Visibility data connector in Radiant Security

  1. Log in to Radiant Security.

  2. From the navigation menu, select Settings > Data Connectors and click + Add Connector.

  3. Search for and select the SentinelOne option from the list and then click Data Feeds.

  4. Select only the Deep Visibility Alerts data feed and click Credentials.

  5. From the drop-down menu, select the SentintelOne credential that you created in the previous section.

  6. Click Add Connector to save the changes.

To add the action connector in Radiant, please refer to the specific guide: SentinelOne.

PreviousSentinelOne EDRNextSonicWall Network (syslog)

Last updated