Integrating with SentinelOne

Introduction

Follow this article to integrate Blackpoint with SentinelOne. We've broken down the integration into five main steps:

  1. Acquiring the API token
  2. Acquiring a SentinelOne URL
  3. Integrating your customers with their relevant Site ID(s) and Group ID(s)
  4. Configuring the integration in the Blackpoint Portal
  5. Verifying your integration

Prerequisites

  • You must have Admin-level access in SentinelOne.

Instructions

Acquiring the API Token

  1. Log into the SentinelOne Management Console and click the Settings icon in the left-hand menu.
  2. In the Settings page, click the Users tab > New User.
  3. An Add a New User pop-up window will appear. Enter the following:
    1. Full Name - Enter the user's first and last name.
    2. Role - Select Admin.
    3. Email address - Enter the user's email address.
    Note: In the Full Name field, you could put "Blackpoint Cyber MDR" or some other appropriate name. The email address should be a valid email where you can receive messages.
  4. Click Save.
  5. Log out of the Management Console and back in again using the credentials of the newly set up user.
  6. In the top-right corner, click the user's name and select My User.

  7. Click the Generate link next to API Token.

  8. Click the Copy button to copy the token, as you will need it in the next section below. We highly recommend that you click Download to save the token. Store your downloaded token in a secure, password-protected location.

    Important. Ensure that you copy and store the token safely before clicking Back. Once you leave the page, you will not be able to retrieve the token again.

Acquiring the SentinelOne URL

  1. Log into the SentinelOne Management Console web interface.
  2. Copy the web interface URL from the browser address bar. Save this URL somewhere so you can reference it later.

Integrating Your Customers

Each customer you are integrating will require at least one Site ID and at least one Group ID. SentinelOne is very flexible in how you organize endpoints so make sure to identify the correct Site ID(s) and Group ID(s). Repeat the steps in this section of the article for each customer you set up.

Note: Most of your customers will probably have one Site ID and one Group ID. However, some may be organized under multiple Site IDs and/or multiple Group IDs. In that case, ensure that you provide the correct IDs for each customer when completing these steps.

  1. Log into the SentinelOne Management Console and navigate to Settings in the left-hand menu.
  2. In the Settings page, click the Sites tab. Locate and click the Name of the site to be integrated.
  3. Click the Site Info tab. At the top of the page, you will see the Site ID. Click the Copy to Clipboard button. Paste this information in a safe location as you will need to access it later in this section.
  4. In the top left-hand corner, click the blue circle icon.
  5. Locate and click the Site that contains your customer. Then, click the Group associated with your customer.
  6. Navigate to the left-hand menu and click the Sentinels (star) icon.
  7. Click the Group Info tab. At the top of the page, copy the Group ID. Paste this information in a safe location as you will need to access it later in this section.
  8. Repeat Steps 5 to 7 above for any additional sites and/or groups that belong to this specific customer.
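
A pre-flight check of the values collected so far, run before they are entered in the Blackpoint Portal. This is an added example, not Blackpoint or SentinelOne code. It assumes that Site and Group IDs are digit-only strings and that a Group ID belongs to exactly one customer, while a Site may contain several customers; the function names, customer names, host name and IDs are made up.

```python
import re
from urllib.parse import urlsplit

NUMERIC_ID = re.compile(r"\d+")  # assumption: IDs are digit-only strings


def check_console_url(url):
    """Return problems with the Management Console URL (the API token is sent to it)."""
    parts = urlsplit(url.strip())
    problems = []
    if parts.scheme != "https" or not parts.hostname:
        problems.append("console URL must be an https:// URL with a host name")
    if parts.username or parts.password:
        problems.append("console URL must not embed credentials")
    return problems


def check_customers(customers):
    """Return problems in {customer: {"site_ids": [...], "group_ids": [...]}}."""
    problems = []
    group_owner = {}  # Group ID -> first customer it was recorded for
    for name, ids in customers.items():
        for kind in ("site_ids", "group_ids"):
            values = ids.get(kind, [])
            if not values:  # each customer needs at least one of each
                problems.append(f"{name}: needs at least one entry in {kind}")
            for value in values:
                if not NUMERIC_ID.fullmatch(value):
                    problems.append(f"{name}: {kind} value {value!r} is not a numeric ID")
                elif kind == "group_ids" and group_owner.setdefault(value, name) != name:
                    problems.append(
                        f"{name}: group {value} is already recorded for {group_owner[value]}")
    return problems


# Constructed sample data: customer names and IDs are made up.
SAMPLE = {
    "Customer A": {"site_ids": ["1000000000000000001"], "group_ids": ["2000000000000000001"]},
    # Same Site as Customer A (allowed), a reused Group ID, and a pasted typo (letter O).
    "Customer B": {"site_ids": ["1000000000000000001"],
                   "group_ids": ["2000000000000000001", "20000000000000000O2"]},
    "Customer C": {"site_ids": [], "group_ids": ["2000000000000000003"]},
}

if __name__ == "__main__":
    for line in check_console_url("http://console.example.invalid/dashboard"):
        print(line)
    for line in check_customers(SAMPLE):
        print(line)
```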

Configuring the integration in the Blackpoint Portal

  1. In the Blackpoint Portal, navigate to Customer in the left-hand menu.
  2. In the Customer List section, find the customer for whom you want to add SentinelOne integration and click Manage. You will be redirected to the Customer Details page.
  3. In the Integrations section, click the +Add button.
  4. In the Add Integration pop-up, select SentinelOne in the drop-down menu and click Next.
  5. In the next pop-up, enter the following information:
    1. Management Console URL - The URL you noted in the Acquiring the SentinelOne URL section above.
    2. API Token - The token value you noted in the Acquiring the API Token section above.
    3. Site ID - The Site ID(s) for this particular customer you noted in the Integrating Your Customers section above.
    4. Group ID - The Group ID(s) for this particular customer you noted in the Integrating Your Customers section above.

    Important. Do not add all your customers' Site and Group IDs here. Only add the relevant Site and Group IDs for this specific customer.

  6. Click the Test & Save button.
  7. Back in the Customer Details page, you will see the new SentinelOne integration.

Verifying your integration

  1. In the Blackpoint Portal, click the SNAP-Defense icon.
  2. In the Dashboard page, search for and click your customer.
  3. Click Collection in the left-hand menu and then on the Status tab at the top. In the Devices section, click the Package drop-down and select the SentinelOne package.
    1. To view the full list of devices detected by SentinelOne, click the menu icon in the top-left corner of the Devices section.
    2. Optionally, you can click Network in the left-hand menu which opens the full Device List. Click the inverted triangle icon to expand the filters. Then, expand the Collection Type heading to see the number of SentinelOne devices being collected. Once you click Apply Filters the diagram will adjust to show only devices collected by SentinelOne.

Deleting the integration in the Blackpoint Portal

If you are deleting the SentinelOne integration due to an expired API token, follow the steps below to delete your existing integration from the Blackpoint Portal. Then, return to the Acquiring the API Token section at the beginning of this KB article to generate a new token and set up the integration once more.

  1. In the Blackpoint Portal, navigate to Customer in the left-hand menu.
  2. In the Customer List section, find the customer for whom you want to delete the SentinelOne integration. Click the Manage button. You will be redirected to the Customer Details page.
  3. In the Integrations section, click the Edit button next to the SentinelOne integration.
  4. In the Edit Integration pop-up, click Delete Integration.