Endpoint Logs
      Back to home
      1. Radiant Help Center
      2. Getting Started
      3. Endpoint Logs

      SentinelOne (Deep Visibility)

      Pull SentinelOne’s endpoint alerts and enable one-click containment and remediation tasks.

      Overview

      In this guide, you will create a service account and generate API credentials in SentinelOne to ingest endpoint alerts and events in Radiant Security. The guide will also help you enable one-click containment and remediation tasks in Radiant Security which will allow you to execute actions like blocking files, isolating a device, and releasing a device from isolation.

      To do this, you’ll need to complete the following steps:

      At the end of this configuration, you will provide Radiant Security with these values:

      • API Base URL (console URL)
        • Example: https://usea1-swprd1.sentinelone.net
      • API Token

      Prerequisites

      • Admin role for the SentinelOne environment that you want to connect to Radiant Security.

      Create a role and add the necessary permissions

      1. Log into your SentinelOne console with an Admin role account.
      2. Hover your mouse under the SentinelOne logo to open the navigation pane.
      3. Select Settings and then click the USERS tab.
      4. In the navigation pane, select Roles.
      5. From the Actions drop-down menu, select New Role.
      6. In the dialog box, fill in the following information:
        1. Role Name: Radiant Security Service Role
        2. Description: Radiant Security API Service Role
      7. Find and add the following permissions to give Radiant Security access to read data:
        1. Endpoints: View, View Threats, and Search on Deep Visibility
        2. Endpoint Threats: View
        3. SDL Data: View and View EDR
        4. SDL Search (Formerly Skylight): View
      8. This step is optional. Find and add the following permissions to give Radiant Security access to take certain actions in your environment:
        1. Endpoints: Disconnect from Network, Reconnect to Network
        2. Blocklist: View, Edit, Delete, and Create
      9. Click Save.

      Create a service user and generate the API token

      1. Log into your SentinelOne console with an Admin role account.
      2. Hover your mouse under the SentinelOne logo to open the navigation pane.
      3. Select Settings and then click the USERS tab.
      4. In the navigation pane, select Service Users.
      5. From the Actions drop-down menu, select Create New Service User.
      6. In the dialog box, fill in the service account information:
        1. Name: radiant_api_service
        2. Description: Radiant Security API Service Account
        3. Expiration Date: 1 Years
      7. Click Next.
      8. If you manage multiple customers:
        1. Under Select Scope of Access, click Site.
        2. Select the site that belongs to the customer that you are configuring monitoring for.
      9. If you do not manage multiple customers:
        1. Under Select Scope of Access, click Account.
        2. Select the account that the user should have access to.
      10. From the role type drop-down menu, select the Radiant Security Service Role created in the previous steps.
      11. Click Create User to save the newly created user.
      12. In the API Token dialog box, copy the API Token value to provide to Radiant.

      Important Note: Be sure to copy and store the API token value carefully, as it cannot be retrieved later. This will be provided to Radiant Security in the next step.

      Add the credentials in Radiant Security

      1. Log in to Radiant Security.
      2. From the navigation menu, select Settings > Credentials and click + Add Credential.
      3. Select SentinelOne from the list and click Configure Credential.
      4. Under Credential Name, give the credential an identifiable name (e.g. SentinelOne Deep Visibility Credentials).
      5. Under API Token, paste the token that you copied in a previous step.Screenshot 2025-01-08 at 19.00.57
      6. Click Add Credential to save the changes.

      Add the data connector in Radiant Security

      1.   Log in to Radiant Security.
      2.   From the navigation menu, select Settings > Data Connectors and click + Add Connector to create a new action connector.
      3.   Select the SentinelOne Connector and click Credentials. Screenshot 2025-01-08 at 19.03.31
      4.   Select only the Deep Visibility Alerts data feed and click Credentials. Screenshot 2025-01-08 at 19.05.24
      5.   Select the credential that you created previously from the drop-down menu and click Add Connector to save your changes.

      Add the action connector in Radiant Security

      1.   Log in to Radiant Security.
      2.   From the navigation menu, select Settings > Action Connectors and click + Add Connector to create a new action connector.
      3.   Select the SentinelOne Connector and click Credentials. Captura de Tela 2024-02-22 às 12.20.51
      4.   Select the credential for the data connector that you created previously from the drop-down menu and click Add Connector to save your changes. Captura de Tela 2024-02-22 às 12.24.47


      We value your opinion. Did you find this article helpful? Share your thoughts by clicking here or reach to our Product and Customer Success teams at support@radiantsecurity.ai 

       

      Last updated: 2025-01-08