# SentinelOne Singularity Complete (cloud)

The NetSPI Platform has a broad integration with SentinelOne (S1) Singularity Complete. This provides the NetSPI
Platform visibility into system and applications assets.

At this time, this integration supports SentinelOne (S1) Singularity Complete only. Other SentinelOne products
would need a different integration.

Similar to our other integrations, the SentinelOne Singularity Complete integration is read-only and does not
perform actions to configure systems or otherwise change anything about your SentinelOne Singularity Complete system.

## Supported asset types

The SentinelOne Singularity Complete integration provides the NetSPI Platform visibility into the following asset types:

- Systems
- Applications
- IPV4 Addresses

## Data run frequency

The SentinelOne Singularity Complete integration pulls data every 12 hours.

## Endpoints used

This integration needs access to the following API endpoints:

- `/web/api/v2.1/agents`
- `/web/api/v2.1/agents/applications`

## Required permissions

This integration uses an API Token that is associated with a username/password combination. This username must have
the following access permissions:

- The "Scope" needs to be "Account" while the "Role" needs to be "Viewer".

## Configuration steps

Use the section below for configuring SentinelOne Singularity to integrate with the NetSPI Platform.

## Step one: S1 configuration in the S1 management console

The S1 NetSPI Platform integration leverages an API token for authentication to the S1 API. In S1, API tokens are
linked to individual user accounts and, for this reason, we recommend creating a dedicated user account.

1. Log in to the S1 management console with an "Admin" role, and navigate to *Settings -> Users*, select
the **Actions** button, and then select *Add New User* as illustrated below.

   ![S1 Management Console](/static/caasm/sentinal_one_1.png "S1 Management Console")

2. Provide a descriptive username and a valid email address to receive the one-time
account setup link and select **Next**.

   ![S1 Management Console](/static/caasm/sentinal_one_2.png "S1 Management Console")

3. On the Select Scope of Access page, select the **Account** access level button and select the checkbox
corresponding to the appropriate S1 account.

   ![S1 Scope of Access](/static/caasm/sentinal_one_3.png "S1 Scope of Access")

4. Under the "roles" dropdown menu, select the *Viewer* role and select the **Create User** button as illustrated
above.

5. Log out of the S1 management console as the Admin level user.

6. Select the link sent to the email address provided in step 2 above, and set the password for the
newly-created account as illustrated below.

   ![S1 Login Screen](/static/caasm/sentinal_one_4.png "S1 Login Screen")

7. Log in to the S1 management console with the newly-created credentials and complete the 2FA setup.

8. In the S1 management console, select the username in the upper right corner of the page and then select *My User*
from the dropdown menu to display the S1 Options dialog box.

   ![S1 Options Dialog Box](/static/caasm/sentinal_one_5.png "S1 Options Dialog Box")

9. Select the *Generate* link to create a new API token associated with the NetSPI Platform account.

   ![S1 API Token Screen](/static/caasm/sentinal_one_6.png "S1 API Token Screen")

10. Select **Download** or **Copy** button in the resulting dialog box to save the API token value.
You will need this for the NetSPI Platform CAASM integration configuration process described in the next section.

11. Log out of the S1 management console.

## Step two: NetSPI Platform CAASM configuration

Use the steps below to configure the SentinelOne integration within the NetSPI Platform.

1. Log into the NetSPI Platform as a Client Admin user.

2. Navigate to *Settings -> CAASM Integrations* to display the Integrations page.

   ![Platform Integrations page](/static/caasm/integrations/integrations_landing.png "Platform Integrations page")

3. Select the *Integration Library tab -> Integration Categories / Managed Detection and Response (MDR) ->
SentinelOne Singularity Complete Integration*.

   ![Integration Library tab](/static/caasm/integrations/select_integration_sentinel.png "Integration Library tab")

   This brings the SentinelOne Singularity Complete integration card into focus.

   !!!Note
   You can also locate the integration card by:

      - Scrolling down the page on the *Integration Library* tab
      - Filter the integration options displayed by selecting any of the other left navigation choices besides
      *Integration Categories*, e.g., by *Modules* or *Integration Scopes* (cloud or on premise)
      - Enter the integration name in the Search integration bar
   !!!

4. Select the **Add** button on the SentinelOne card to display the SentinelOne Singularity Complete integration
configuration page.

   ![SentinelOne integration page](/static/caasm/integrations/integrations_sentinelone.png "SentinelOne integration page")

5. Select and enter values for the following fields.

   1. Select the integration type from the *Integration* drop-down list. In this case,
   *SentinelOne Singularity Complete Integration*, which is already selected by default.

   2. Select the integration scope from the *Scope* drop-down list. The SentinelOne integration can only run
   on a cloud scope, which was configured by NetSPI and *Cloud* displays as the default value.

   3. Enter an integration name and description in the *Integration Name* and *Description* fields.

   4. Select the *Enabled* slider button to display as either on (blue) or off (light gray).

   5. In the *SentinelOne Parameters* field group, enter or select the following in the corresponding field

      | Field | Value |
      | ----- | ----- |
      | SentinelOne Management Console URL | The console URL for your S1 management console along with the schema, e.g., [https://us01-customers.sentinelone.net)](https://us01-customers.sentinelone.net) |
      | SentinelOne API Token | the SentinelOne API toke you created in step 8 and 9 in the [Step one: SentinelOne system configuration](#step-one-s1-configuration-in-the-s1-management-console) section above |
      | Max Agent Batch Size | The Max Agents Batch Size may be adjusted from the default of 1000 if desired. This option controls how many "Agent" records the integration attempts to retrieve from the S1 API at a time. NetSPI recommends leaving this value set at the default of 1000 unless instructed otherwise by NetSPI Platform Support. |
      | *Associate observed users with Systems* drop-down list (optional) | Select *Yes* or *No* to associate observed users with the reported systems or not |
      | Type of data to ingest | Select the type of data you want the CAASM module in the NetSPI Platform to ingest from your SentinelOne instance *Applications* and *Systems* are the two available options. |

6. Select **Create** to create the integration. The new integration now displays on the Applied Integrations tab
   with its statuses: current and last run, last run time, and status (enabled/disabled).