SentinelOne enables organisations to prevent, detect, and respond to cyber attacks at machine-speed, greater scale, and higher accuracy across endpoint, cloud, and identity.
The SentinelOne API can be used to send and retrieve log data, archive events, and manage configuration files, users, and groups. To access the API, an API key must be generated.
There are four types of API key: "Log Read Access", "Log Write Access", "Configuration Read Access", and "Configuration Write Access".
First, get a SentinelOne API key
Log in to your SentinelOne instance
Click on the user menu and select "API Keys"
On the "Manage API Keys" page, click "Add Key" and add a "Read" or "Write" key
Hover over the generated key and click the "Copy" icon
The "Manage API Keys" page lists all generated API keys for the account in three tables:
Personal Access Keys: "Log Read" keys that let you query and powerQuery all Accounts you are a member of.
Log Access Keys: "Log Read" and "Log Write" keys to read and write logs. If you are a member of multiple (team) accounts, the key must be issued in the account of interest.
Configuration Access Keys: "Log Read" and "Log Write" keys to read or write configuration files. If you are a member of multiple (team) accounts, the key must be issued in the account of interest.
Lastly, create a SentinelOne API credential in Tines
Log in to your Tines tenant
Navigate to the team that will be using the API and click "Credential"
Click "+ New Credential" and select "Text"
Input the values for the SentinelOne credential
Name: sentinelone
Description: Optional
Value: API Key
Optional
Domains: Ensure that this credential can only be used when making HTTP requests to specific domains
Access: What other teams can also use the credential
Click "Save"
For more on creating credentials in Tines, click here.
You can find a selection of SentinelOne stories in the story library.
Using the credential in an action
The Header configuration for your SentinelOne credential should be:
"Authorization": "APIToken <<CREDENTIAL.sentinelone>>"
Here is an example SentinelOne action you can copy and paste onto your storyboard in Tines:
{"standardLibVersion":"35","actionRuntimeVersion":"4","agents":[{"disabled":false,"name":"Create a User in SentinelOne","description":"Create a new user in SentinelOne","options":"{\"url\":\"https://<<sentinelone_server>>/web/api/v2.0/users/\",\"content_type\":\"json\",\"method\":\"post\",\"payload\":{\"data\":{\"twoFaEnabled\":true,\"tenantRoles\":[\"Viewers\"],\"groupsReadOnly\":true,\"siteRoles\":[{\"id\":\"225494730938493804\",\"roles\":[\"Admins\"]}],\"allowRemoteShell\":true,\"fullNameReadOnly\":true,\"scope\":\"site\",\"fullName\":\"John Doe\",\"password\":\"A@!vk123jd\",\"email\":\"admin@sentinelone.com\",\"emailReadOnly\":true}},\"headers\":{\"accept\":\"application/json\",\"Authorization\":\"APIToken <<CREDENTIAL.sentinelone>>\"}}","position":{"x":765,"y":780},"type":"httpRequest","timeSavedUnit":"minutes","timeSavedValue":0,"monitorAllEvents":false,"monitorFailures":false,"monitorNoEventsEmitted":null,"recordType":null,"recordWriters":[],"form":null,"cardIconName":"httpRequest","createdFromTemplateGuid":"6a7e398f590b1fc65201d2ffb53c3235e9e193f536a862bfa5200985585f6c03","createdFromTemplateVersion":null,"originStoryIdentifier":"cloud:aa47f8215c6f30a0dcdb2a36a9f4168e:d4c15df0f02ba4789095426607003199"}],"links":[],"diagramNotes":[]}
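An exported action is plain JSON, so any token or password typed in as a literal travels with every copy of it. The following added example (not Tines or SentinelOne code) parses an export in the shape shown above and reports an Authorization header that is not in the `APIToken <<CREDENTIAL.name>>` form, plus literal secrets in the payload; the secret key-name pattern and the `sample_export` helper are assumptions made for illustration.

```python
import json
import re

AUTH_RE = re.compile(r"^APIToken <<CREDENTIAL\.[A-Za-z0-9_]+>>$")  # header form given on the page
# Assumption: payload key names that usually carry a secret.
SECRET_KEY_RE = re.compile(r"passw(or)?d|secret|token|api_?key", re.I)
REFERENCE_RE = re.compile(r"^<<.+>>$")  # any Tines <<...>> reference, resolved at run time


def scalars(node, path):
    """Yield (dotted_path, value) for every leaf of a nested JSON value."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from scalars(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from scalars(value, f"{path}[{index}]")
    else:
        yield path, node


def lint_export(export_text):
    """Return (action, location, problem) tuples for one exported action or story."""
    findings = []
    for agent in json.loads(export_text).get("agents", []):
        name, options = agent.get("name", "?"), agent.get("options", {})
        if isinstance(options, str):  # the page's export stores options as a JSON string
            options = json.loads(options)
        headers = {k.lower(): v for k, v in options.get("headers", {}).items()}
        if not AUTH_RE.match(str(headers.get("authorization", ""))):
            findings.append((name, "headers.Authorization", "not a <<CREDENTIAL.name>> reference"))
        for path, value in scalars(options.get("payload", {}), "payload"):
            key = path.rsplit(".", 1)[-1]
            if SECRET_KEY_RE.search(key) and isinstance(value, str) and not REFERENCE_RE.match(value):
                findings.append((name, path, "literal secret in payload"))
    return findings


def sample_export(auth, password):
    """Constructed export shaped like the page's example action (values are made up)."""
    options = {"url": "https://<<sentinelone_server>>/web/api/v2.0/users/",
               "headers": {"Authorization": auth},
               "payload": {"data": {"fullName": "Example User", "password": password}}}
    agent = {"name": "Create a User in SentinelOne", "options": json.dumps(options)}
    return json.dumps({"agents": [agent]})


if __name__ == "__main__":
    for finding in lint_export(sample_export("APIToken constructed-literal-token", "constructed-pw")):
        print(finding)
```

Run against the example action on this page, the header check passes and the literal `password` value in the payload is reported.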