SentinelOne XDR Out-of-the-box Response Integration

To learn more about Out-of-the-box Integrations and their benefits, please refer to this article.

Requirements

  • SentinelOne XDR
    • SentinelOne Singularity Control or greater subscription
  • Lumu License
    • Lumu Defender subscription

Setup SentinelOne XDR

Collect SentinelOne Base URL

To interact with the SentinelOne XDR API, collect the Base URL of the service. The Base URL is the URL you use to manage your SentinelOne XDR deployment.

The Base URL has the format `https://<host>.sentinelone.net`. The host string is specific for each SentinelOne deployment.

If you copy the Base URL from your Web browser, make sure you delete the trailing "/" and anything after the host name (for example a console path) when you configure the integration in the Lumu portal. Only the `https://<host>.sentinelone.net` part is expected.

Identify SentinelOne operational scope

You need to identify the operational scope you want the integration to operate on. The scope can be defined at Account, Group or Site level. You can check this information through the SentinelOne Web console.

Create Role

We recommend creating a role with the minimum privileges required for the integration to work properly. To create this role, go to Settings > Users > Roles within your SentinelOne console.



On this page, click on Actions > New Role. Fill in the required information: the role name, its description, and the required permissions according to the following table:

This role must be created within the Account scope.

Page        Permission
Accounts    View
Sites       View
Groups      View
Blocklist   View, Edit, Delete, Create

The following images show how to configure the required permissions. Remember to save your configuration by clicking on the Save button.






Now, your new role has been successfully created and has the necessary permissions for the integration to work properly.

Create Service User

To interact with the SentinelOne REST API, you need to create a Service User. To do so, go to Settings > Users > Service Users within your SentinelOne console.



On this page, click on the Actions > Create New Service User menu. A modal will appear. Fill in the required data: a name, a description and an expiration date. The API Token stops working when the service user expires, so note the date and plan to renew the integration before then.


In the next step, select the Scope of Access of the service user. Select the scope at Account level and choose the role. Click on the Create User button to save your changes.

If you created a role as in the previous step, select that role. Otherwise, the integration also works with the Admin access level at Account scope, but this grants the service user far more privilege than the integration needs.

Copy the API Token; it will be required later to set up the integration. Treat it as a credential: it grants the permissions of the selected role across your whole Account scope, so store it securely and share it only with the Lumu integration.
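Before you paste the Base URL and API Token into the Lumu portal, it is worth confirming that both are correct and that the role really grants the View permissions from the table above. The following script is an added example, not code from this article or from Lumu's or SentinelOne's own tooling. It normalizes the Base URL the way the article requires (https, a `*.sentinelone.net` host, no path, no trailing "/") and then lists the Accounts, Sites and Groups the token can see. It assumes the SentinelOne Management API v2.1 endpoints `/web/api/v2.1/accounts`, `/sites` and `/groups` and the `Authorization: ApiToken <token>` header; confirm these against the API documentation available from your own console. The host name in the usage line and the response payloads used for the checks are constructed.

```python
"""Pre-flight check for the Lumu <-> SentinelOne integration (added example).

1. normalize_base_url(): reject anything that is not https://<host>.sentinelone.net
   and strip copied paths or trailing slashes, so the value matches what Lumu expects.
2. list_scopes(): call the (assumed) Management API v2.1 with the service user's
   token and return the Accounts / Sites / Groups it can see. A 401 means the token
   is wrong or expired; an empty list for one kind usually means the role lacks
   the corresponding View permission.
"""
import json
import re
import sys
import urllib.request
from urllib.parse import urlparse

# Host shape from the article: <host>.sentinelone.net (sub-labels allowed).
_HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.sentinelone\.net$")


def normalize_base_url(raw: str) -> str:
    """Return 'https://<host>.sentinelone.net' with no path and no trailing '/'.

    Raises ValueError for a wrong scheme or a host outside sentinelone.net so the
    mistake surfaces here instead of as an opaque error once Lumu tries the API.
    """
    parsed = urlparse(raw.strip())
    if parsed.scheme != "https":
        raise ValueError(f"Base URL must use https: {raw!r}")
    host = (parsed.hostname or "").lower()  # hostname drops port/userinfo
    if not _HOST_RE.match(host):
        raise ValueError(f"Not a *.sentinelone.net host: {host!r}")
    # Anything copied from the browser after the host (e.g. /dashboard) is dropped.
    return f"https://{host}"


def _get(base_url: str, path: str, api_token: str) -> dict:
    """GET one v2.1 endpoint. Assumed header format: 'Authorization: ApiToken <token>'."""
    req = urllib.request.Request(
        f"{base_url}/web/api/v2.1{path}",
        headers={"Authorization": f"ApiToken {api_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def extract_scope_names(payload: dict, kind: str) -> list:
    """Return (id, name) pairs from an accounts/sites/groups response body.

    Assumed shapes: /accounts and /groups return {"data": [ {...}, ... ]};
    /sites returns {"data": {"sites": [ {...}, ... ], ...}}. Both are handled.
    """
    data = payload.get("data", [])
    if isinstance(data, dict):
        data = data.get(kind, [])
    return [(item.get("id"), item.get("name")) for item in data]


def list_scopes(base_url: str, api_token: str) -> dict:
    """Map 'accounts' / 'sites' / 'groups' to the (id, name) pairs visible to the token."""
    return {
        kind: extract_scope_names(_get(base_url, f"/{kind}", api_token), kind)
        for kind in ("accounts", "sites", "groups")
    }


if __name__ == "__main__":
    # Example (constructed host): python s1_preflight.py https://usea1-example.sentinelone.net/ <api-token>
    if len(sys.argv) != 3:
        sys.exit("usage: s1_preflight.py <base-url> <api-token>")
    base = normalize_base_url(sys.argv[1])
    print(f"Base URL for Lumu: {base}")
    for scope_kind, entries in list_scopes(base, sys.argv[2]).items():
        print(f"{scope_kind}: {len(entries)}")
        for scope_id, name in entries:
            print(f"  {name} ({scope_id})")
```

The printed Base URL is the value to paste into the Lumu portal in step 5 of the next section, and the listed Accounts, Sites and Groups are the scope alternatives you should expect Lumu to offer in step 6. If one of the three lists comes back empty while the console shows entries, revisit the role's View permission for that page before continuing.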


Add Integration

1. Log in to your Lumu account through the Lumu Portal and navigate to the integrations screen.


2. Locate the SentinelOne integration in the available apps area and click to add, then click to view details.


3. Familiarize yourself with the integration details available in the app description and click the button below to activate the integration.


4. To activate the integration, add a Name and select the Threat Types you want to be pushed to your SentinelOne deployment. Click Next.

5. Fill in the required information, the Base URL and the API Token with the data collected before. Click Next.

6. Lumu will retrieve for you the SentinelOne operational scope alternatives. Specify the scope this integration will apply to. It can be any of SentinelOne accounts, sites, or groups. Click Activate.


Each integration instance applies to a single scope. To cover several scopes, either activate one integration per scope or select a wider scope (for example the Account rather than individual Sites).

The integration is now created and active. Now, the Lumu Portal will display the details of the created integration:


Once the integration is activated, the SentinelOne Blocklist will be updated with the confirmed compromises Lumu found within the preceding 3 days.
