# SentinelOne Singularity Complete

The NetSPI Platform has a broad integration with SentinelOne (S1) Singularity Complete. This provides the NetSPI Platform visibility into system and application assets.

At this time, this integration supports SentinelOne (S1) Singularity Complete only. Other SentinelOne products would need a different integration.

Similar to our other integrations, the SentinelOne Singularity Complete integration is read-only and does not perform actions to configure systems or otherwise change anything about your SentinelOne Singularity Complete system.

# Supported asset types

The SentinelOne integration provides the NetSPI Platform visibility into the following asset types:

  • Systems
  • Applications
  • IPv4 Addresses

# Endpoints used

This integration needs access to the following API endpoints:

  • /web/api/v2.1/agents
  • /web/api/v2.1/agents/applications

# Required permissions

This integration uses an API Token that is associated with a username/password combination. This username must have the following access permissions:

  • The "Scope" needs to be "Account" while the "Role" needs to be "Viewer".

# Configuration steps

Use the section below for configuring SentinelOne Singularity to integrate with the NetSPI Platform.

# Step one: S1 configuration in the S1 management console

The S1 NetSPI Platform integration leverages an API token for authentication to the S1 API. In S1, API tokens are linked to individual user accounts and, for this reason, we recommend creating a dedicated user account.

  1. Log in to the S1 management console with an "Admin" role, and navigate to Settings -> Users, select the Actions button, and then select Add New User as illustrated below.

    S1 Management Console

  2. Provide a descriptive username and a valid email address to receive the one-time account setup link and select Next.

    S1 Management Console

  3. On the Select Scope of Access page, select the Account access level button and select the checkbox corresponding to the appropriate S1 account.

    S1 Scope of Access

  4. Under the "roles" dropdown menu, select the Viewer role and select the Create User button as illustrated above.

  5. Log out of the S1 management console as the Admin level user.

  6. Select the link sent to the email address provided in step 2 above, and set the password for the newly-created account as illustrated below.

    S1 Login Screen

  7. Log in to the S1 management console with the newly-created credentials and complete the 2FA setup.

  8. In the S1 management console, select the username in the upper right corner of the page and then select My User from the dropdown menu to display the S1 Options dialog box.

    S1 Options Dialog Box

  9. Select the Generate link to create a new API token associated with the NetSPI Platform account.

    S1 API Token Screen

  10. Select the Download or Copy button in the resulting dialog box to save the API token value. You will need this for the NetSPI Platform CAASM integration configuration process described in the next section.

  11. Log out of the S1 management console.

# Step two: NetSPI Platform CAASM configuration

Use the steps below to configure the SentinelOne integration within the NetSPI Platform.

  1. Log in to the NetSPI Platform as a Client Admin user.

  2. Navigate to Settings -> CAASM Integrations to display the Integrations page.

    Platform Integrations page

  3. Select the Integration Library tab -> Integration Categories / Managed Detection and Response (MDR) -> SentinelOne Singularity Complete Integration.

    Integration Library tab

    This brings the SentinelOne Singularity Complete integration card into focus.

  4. Select the Add button on the SentinelOne card to display the SentinelOne Singularity Complete integration configuration page.

    SentinelOne integration page

  5. Select and enter values for the following fields.

    1. Select the integration type from the Integration drop-down list. In this case, it is SentinelOne Singularity Complete Integration, which is already selected by default.

    2. Select the integration scope from the Scope drop-down list. The SentinelOne integration can only run on a cloud scope, which was configured by NetSPI; Cloud displays as the default value.

    3. Enter an integration name and description in the Integration Name and Description fields.

    4. Select the Enabled slider button to display as either on (blue) or off (light gray).

    5. In the SentinelOne Parameters field group, enter or select the following in the corresponding fields:

      | Field | Value |
      |---|---|
      | SentinelOne Management Console URL | The console URL for your S1 management console, including the scheme (e.g., https://us01-customers.sentinelone.net) |
      | SentinelOne API Token | The SentinelOne API token you created in steps 8 and 9 in the Step one: SentinelOne system configuration section above |
      | Max Agent Batch Size | This value may be adjusted from the default of 1000 if desired. This option controls how many "Agent" records the integration attempts to retrieve from the S1 API at a time. NetSPI recommends leaving this value set at the default of 1000 unless instructed otherwise by NetSPI Platform Support. |
      | Associate observed users with Systems drop-down list (optional) | Select Yes or No to choose whether observed users are associated with the reported systems |
      | Type of data to ingest | Select the type of data you want the CAASM module in the NetSPI Platform to ingest from your SentinelOne instance. Applications and Systems are the two available options. |

  6. Select Create to create the integration. The new integration now displays on the Applied Integrations tab with its statuses: current and last run, last run time, and status (enabled/disabled).
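
As an added example (not NetSPI or SentinelOne code), the following Python pre-flight check validates the value intended for the SentinelOne Management Console URL field and pages through the /web/api/v2.1/agents endpoint with read-only GET requests, one batch per request as Max Agent Batch Size describes. The `ApiToken` header format, the `limit` and `cursor` query parameters and the `pagination.nextCursor` response field are assumptions about the S1 API that this page does not state; the host, token and agent records are constructed.

```python
import json
from urllib.parse import urlencode, urlsplit
from urllib.request import Request, urlopen

AGENTS_PATH = "/web/api/v2.1/agents"  # endpoint listed on this page

def normalize_console_url(url):
    """Accept only a bare https console origin (scheme + host), no path or credentials."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("console URL must include the https:// scheme and a host")
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        raise ValueError("console URL must be the bare console origin")
    return f"https://{parts.netloc}"

def http_get(url, token):
    """Real transport (GET only). Header format is an assumption, not from this page."""
    req = Request(url, headers={"Authorization": f"ApiToken {token}"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)

def iter_agents(console_url, token, batch_size=1000, get=http_get):
    """Yield agent records batch by batch; 'limit'/'cursor' names are assumptions."""
    if batch_size < 1:
        raise ValueError("batch size must be at least 1")
    base = normalize_console_url(console_url) + AGENTS_PATH
    cursor = None
    while True:
        params = {"limit": batch_size}
        if cursor:
            params["cursor"] = cursor
        page = get(f"{base}?{urlencode(params)}", token)
        yield from page.get("data", [])
        cursor = (page.get("pagination") or {}).get("nextCursor")
        if not cursor:
            return

# Constructed sample: a fake transport standing in for the console, serving two pages.
def fake_get(url, token):
    if "cursor=" not in url:
        return {"data": [{"computerName": "host-a"}, {"computerName": "host-b"}], "pagination": {"nextCursor": "c1"}}
    return {"data": [{"computerName": "host-c"}], "pagination": {"nextCursor": None}}

def demo():
    agents = iter_agents("https://console.example.invalid/", "EXAMPLE-TOKEN", batch_size=2, get=fake_get)
    return [a["computerName"] for a in agents]

if __name__ == "__main__":
    print(demo())
```

To run it against a real console, drop the `get=fake_get` argument and supply the token from an environment variable or secrets store rather than hard-coding it.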