SentinelOne

Overview

SentinelOne is an endpoint protection platform for XDR that delivers behavioral threat detection, autonomous response, device control, and real-time visibility across endpoints. It continuously monitors processes, files, network connections, and system activity to detect ransomware, exploits, fileless attacks, and advanced persistent threats.

SentinelOne operates directly at the endpoint level and serves as a frontline defense against malware and post-exploitation activity. If high-severity alerts, suspicious processes, or active threats are not addressed immediately, attackers can escalate privileges, move laterally, or disrupt business operations. Rapid containment and remediation at the endpoint layer is therefore critical.

By integrating SentinelOne with ManageEngine Log360 Cloud, security teams can not only detect and correlate endpoint threats centrally but also execute automated SOAR actions directly from incident workflows, enabling immediate containment and controlled remediation without switching consoles.

Use cases

Automatically mitigate detected threats

When Log360 Cloud correlates suspicious endpoint activity, such as abnormal process execution combined with lateral authentication attempts, it can automatically trigger the Mitigate Threat action in SentinelOne.

This enables immediate containment measures, such as killing malicious processes, quarantining files, and isolating the threat at the endpoint level. Instead of waiting for manual analyst intervention, the response is executed as part of a predefined playbook, reducing dwell time and limiting blast radius.

For example: If a ransomware-like pattern is detected across multiple endpoints, Log360 Cloud can automatically initiate mitigation actions while simultaneously updating the threat status and recording analyst notes for audit tracking.

Similarly, you can automate actions such as:

• Initiate endpoint scans or run remote scripts using initiateEndpointScan or runRemoteScript to investigate suspicious activity and collect forensic evidence remotely.
• Enable, disable, or update detection rules and IOCs using createIOC, updateDetectionRules, enableDetectionRules, and disableDetectionRules to dynamically adjust security controls in response to emerging threats.

Pre-requisites

• Before creating a connection for a pre-defined service, ensure that the corresponding integration/extension is installed in Log360 Cloud.
• Only after installing the extension, the service will appear in the Connections page for connection setup.

Configuring SentinelOne integration via Connections

To enable communication between Log360 Cloud and SentinelOne, a connection must be configured.

1. Log in to the product console.
2. Navigate to the Settings tab and select Admin.
3. Under Integrations, select Connections.

   

4. From the list of available integrations, select SentinelOne.

   

5. In the window that opens, click Create Connection.

   

6. In the Create Connection - SentinelOne window, provide the following details:
   • Authentication Type: This is preselected as API Key based on the integration.
   • Connection Name: Enter a name to identify the connection.
   • Instance URL: Enter the URL of your SentinelOne management console
     NOTE The API Token can be generated from the SentinelOne Management Console. To generate the API token:

     1. Log in to the SentinelOne management console.
     2. Navigate to My Profile.
     3. From the Actions dropdown, select Regenerate API Token to generate a new API token.
   • API Token: Enter the API token generated from the SentinelOne console.

   

7. Click Authorize and Save to complete authentication and create the connection.

Supported SOAR functionalities

The SentinelOne extension provides custom functions that enable playbooks to interact with SentinelOne APIs. These functions can be used to manage agents, investigate threats, control detection rules, handle IOCs, and perform automated response actions.

1. sentinelone_broadCastMessage

Broadcasts a message to multiple agents or groups.

2. sentinelone_connectAgent

Reconnects one or more agents to the network.

3. sentinelone_createDetectionRule

Creates a new STAR (custom) detection rule.

4. sentinelone_createIOC

Creates a Threat Intelligence indicator (IOC).

5. sentinelone_createPowerQuery

Creates a Power Query for advanced event analysis.

6. sentinelone_createQuery

Creates a Deep Visibility query for event investigation.

7. sentinelone_createWhiteListItem

Creates a whitelist exclusion item in SentinelOne.

8. sentinelone_deleteDetectionRule

Deletes one or more detection rules.

9. sentinelone_deleteGroup

Deletes a specified group.

10. sentinelone_deleteIOC

Deletes one or more Threat Intelligence indicators (IOCs).

11. sentinelone_disableDetectionRules

Disables one or more detection rules.

12. sentinelone_disconnectAgent

Disconnects one or more agents from the network.

13. sentinelone_enableDetectionRules

Enables one or more detection rules.

14. sentinelone_expireSite

Expires a specified site.

15. sentinelone_getAccounts

Retrieves account details for one or more accounts.

16. sentinelone_getActivities

Retrieves audit and system activity logs with filtering support.

17. sentinelone_getAgents

Retrieves detailed information about one or more agents.

18. sentinelone_getAlerts

Retrieves security alerts with filtering and pagination support.

19. sentinelone_getBlockList

Retrieves the list of blocked items (hashes, paths, certificates).

20. sentinelone_getDetectionRules

Retrieves detection rules with filtering and pagination support.

21. sentinelone_getDVQueryStatus

Retrieves the execution status of a Deep Visibility query.

22. sentinelone_getEvents

Retrieves events for a previously created Deep Visibility query.

23. sentinelone_getGroups

Retrieves a list of groups with filtering support.

24. sentinelone_getInstalledApplications

Retrieves installed applications on specified agents.

25. sentinelone_getIOC

Retrieves Threat Intelligence indicators (IOCs) with filtering support.

26. sentinelone_getRemoteScriptTaskResults

Retrieves download results for completed remote script tasks.

27. sentinelone_getRemoteScriptTaskStatus

Retrieves the execution status of remote script tasks.

28. sentinelone_getServiceUsers

Retrieves service user accounts with optional filtering.

29. sentinelone_getThreatNotes

Retrieves analyst notes associated with a specific threat.

30. sentinelone_getThreats

Retrieves threats with extensive filtering and pagination support.

31. sentinelone_getWhitelist

Retrieves the list of whitelist (allowlist) exclusion items.

32. sentinelone_initiateEndpointScan

Initiates an on-demand security scan on one or more endpoints.

33. sentinelone_markAsThreat

Marks a suspicious item as a confirmed threat.

34. sentinelone_mitigateThreat

Performs a mitigation action on one or more threats.

35. sentinelone_moveAgent

Moves one or more agents to a different group.

36. sentinelone_reactivateSite

Reactivates an expired or inactive site.

37. sentinelone_removeItemFromWhiteList

Removes a specified item from the whitelist.

38. sentinelone_runRemoteScript

Executes a remote script on specified agents.

39. sentinelone_shutdownAgent

Sends a shutdown command to one or more agents.

40. sentinelone_uninstallAgent

Sends an uninstall command to one or more agents.

41. sentinelone_updateAlertStatus

Updates the incident status of one or more alerts.

42. sentinelone_updateAlertVerdict

Updates the analyst verdict for one or more alerts.

43. sentinelone_updateDetectionRules

Updates an existing detection rule configuration.

44. sentinelone_updateThreatAnalystVerdict

Updates the analyst verdict and incident status for one or more threats.

45. sentinelone_updateThreatStatus

Updates the status of one or more threats.

46. sentinelone_writeThreatNote

Adds an analyst note to one or more threats.

Read also

This page explains how to integrate SentinelOne and use SOAR actions for endpoint threat response. For more information on related integration features, refer to:

• Veeam
• Okta