SentinelOne Authentication Guide

How to authenticate SentinelOne for use with Tines

Written by Daniel Stoeski
Updated over a week ago

SentinelOne enables organisations to prevent, detect, and respond to cyber attacks at machine-speed, greater scale, and higher accuracy across endpoint, cloud, and identity.

The SentinelOne API can be used to send and retrieve log data, archive events, and manage configuration files, users, and groups. To access the API, an API key must be generated.

  • There are four types of API key: "Log Read Access", "Log Write Access", "Configuration Read Access", and "Configuration Write Access".

First, get a SentinelOne API key

  1. Log in to your SentinelOne instance

  2. Click on the user menu and select "API Keys"

  3. On the "Manage API Keys" page, click "Add Key" and add a "Read" or "Write" key

  4. Hover over the generated key and click the "Copy" icon

    1. The "Manage API Keys" page lists all generated API keys for the account in three tables:

      1. Personal Access Keys: "Log Read" keys that let you query and powerQuery all Accounts you are a member of

      2. Log Access Keys: "Log Read" and "Log Write" keys to read and write logs. If you are a member of multiple (team) accounts, the key must be issued in the account of interest

      3. Configuration Access Keys: "Log Read" and "Log Write" keys to read or write configuration files. If you are a member of multiple (team) accounts, the key must be issued in the account of interest

Lastly, create a SentinelOne API credential in Tines

  1. Log in to your Tines tenant

  2. Navigate to the team that will be using the API and click "Credential"

  3. Click "+ New Credential" and select "Text"

  4. Input the values for the SentinelOne credential

    1. Name: sentinelone

    2. Description: Optional

    3. Value: API Key

  5. Optional

    1. Domains: Ensure that this credential can only be used when making HTTP requests to specific domains

    2. Access: Which other teams can also use the credential

  6. Click "Save"

For more on creating credentials in Tines, click here.

You can find a selection of SentinelOne stories in the story library.

Using the credential in an action

The Header configuration for your SentinelOne credential should be:

"Authorization": "APIToken <<CREDENTIAL.sentinelone>>"

Here is an example SentinelOne action you can copy and paste onto your storyboard in Tines:

{"standardLibVersion":"35","actionRuntimeVersion":"4","agents":[{"disabled":false,"name":"Create a User in SentinelOne","description":"Create a new user in SentinelOne","options":"{\"url\":\"https://<<sentinelone_server>>/web/api/v2.0/users/\",\"content_type\":\"json\",\"method\":\"post\",\"payload\":{\"data\":{\"twoFaEnabled\":true,\"tenantRoles\":[\"Viewers\"],\"groupsReadOnly\":true,\"siteRoles\":[{\"id\":\"225494730938493804\",\"roles\":[\"Admins\"]}],\"allowRemoteShell\":true,\"fullNameReadOnly\":true,\"scope\":\"site\",\"fullName\":\"John Doe\",\"password\":\"A@!vk123jd\",\"email\":\"admin@sentinelone.com\",\"emailReadOnly\":true}},\"headers\":{\"accept\":\"application/json\",\"Authorization\":\"APIToken <<CREDENTIAL.sentinelone>>\"}}","position":{"x":765,"y":780},"type":"httpRequest","timeSavedUnit":"minutes","timeSavedValue":0,"monitorAllEvents":false,"monitorFailures":false,"monitorNoEventsEmitted":null,"recordType":null,"recordWriters":[],"form":null,"cardIconName":"httpRequest","createdFromTemplateGuid":"6a7e398f590b1fc65201d2ffb53c3235e9e193f536a862bfa5200985585f6c03","createdFromTemplateVersion":null,"originStoryIdentifier":"cloud:aa47f8215c6f30a0dcdb2a36a9f4168e:d4c15df0f02ba4789095426607003199"}],"links":[],"diagramNotes":[]}
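An added example, not part of the original article or of Tines' own tooling: a Python check that audits an exported action like the one above before it is shared, confirming that the Authorization header references a credential in the "APIToken <<CREDENTIAL.name>>" form and flagging secret-looking payload fields that hold literal values. The function names, the SECRET_KEYS list, the credential name new_user_password and the sample values are assumptions constructed for illustration.

```python
import json
import re

# Tines placeholders look like <<CREDENTIAL.name>> or <<resource_name>>.
PLACEHOLDER = re.compile(r"^<<[^<>]+>>$")
CRED_HEADER = re.compile(r"^APIToken <<CREDENTIAL\.[A-Za-z0-9_]+>>$")
SECRET_KEYS = {"password", "apitoken", "token", "secret"}  # assumed key names


def find_literal_secrets(node, path="payload"):
    """Yield paths of secret-looking keys whose value is a literal string."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            literal = isinstance(value, str) and not PLACEHOLDER.match(value)
            if key.lower() in SECRET_KEYS and literal:
                yield here
            yield from find_literal_secrets(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_literal_secrets(item, f"{path}[{i}]")


def audit_export(export_text):
    """Return findings for every httpRequest action in an exported story."""
    findings = []
    for agent in json.loads(export_text).get("agents", []):
        if agent.get("type") != "httpRequest":
            continue
        opts = json.loads(agent["options"])  # options is JSON inside a string
        name = agent.get("name", "?")
        headers = {k.lower(): v for k, v in opts.get("headers", {}).items()}
        if not CRED_HEADER.match(headers.get("authorization", "")):
            findings.append(f"{name}: Authorization is not 'APIToken <<CREDENTIAL.x>>'")
        if not opts.get("url", "").startswith("https://"):
            findings.append(f"{name}: URL is not https")
        findings.extend(f"{name}: literal secret at {p}"
                        for p in find_literal_secrets(opts.get("payload", {})))
    return findings


def sample_export(auth, password):
    """Constructed sample in the shape of the export shown on this page."""
    options = {"url": "https://<<sentinelone_server>>/web/api/v2.0/users/",
               "payload": {"data": {"fullName": "Jane Roe", "password": password}},
               "headers": {"accept": "application/json", "Authorization": auth}}
    agent = {"name": "Create a User", "type": "httpRequest",
             "options": json.dumps(options)}
    return json.dumps({"agents": [agent], "links": [], "diagramNotes": []})
```

Run `audit_export()` on the text of an export before pasting it into a ticket, chat or repository; an empty list means the header uses a credential reference and no listed secret field carries a literal value.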