Configuring the AlienApp for SentinelOne

SentinelOne API Configuration

To configure AlienApp for SentinelOne in USM Anywhere, you need to generate an API key in your SentinelOne instance and enter it into USM Anywhere.

To set up your SentinelOne API

  1. Log in to your SentinelOne management console.
  2. Go to Settings > Users.
  3. Click on the Admin user account (or user account with Incident Response [IR] Team Privileges) you want to use with USM Anywhere.
  4. Next to API Token, click Generate to create your API token.
  5. Click Download to save the API token.

    Save the API token where you can access it again easily when you configure the API in USM Anywhere.

Note: If you have previously enabled syslog collection for the SentinelOne Syslog AlienApp, you need to disable syslog collection when you connect the SentinelOne API to USM Anywhere to prevent duplicate logs.
In the SentinelOne management console, go to Settings > Integrations > Syslog and click Disable Syslog if it is currently enabled.

Configure AlienApp for SentinelOne in USM Anywhere

To enable the AlienApp for SentinelOne

  1. In USM Anywhere, go to Data Sources > AlienApps.
  2. Click the Available Apps tab.
  3. Search for the AlienApp, and then click the tile.
  4. Click Configure API.
  5. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled AlienApp.

    AlienApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the AlienApp API endpoints.

  6. Enter the Management URL of your SentinelOne instance, your SentinelOne Username, and the API Token you created.

  7. Use the checkboxes to enable the AlienApp for SentinelOne to create and merge assets:

    Configure API Dialog Box

      • Check Allow Creation of New Assets to enable SentinelOne scans to create new assets in USM Anywhere.
      • Check Allow Merging of Existing Assets to enable USM Anywhere to run a match against the SentinelOne identification to merge the assets found with existing USM Anywhere assets.

        Important: If you want to create new assets, you need to select both options, Allow Creation of New Assets and Allow Merging of Existing Assets, to prevent the duplication of assets. USM Anywhere won't create new assets if you only select one of the options.

      • Check Include Rogue Assets to enable USM Anywhere to collect and detect assets without an installed agent.

  8. Click Save.
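As an added pre-flight check (not part of the original article or of USM Anywhere itself), the script below can be run on the selected sensor host before the values are typed into the Configure API dialog: it confirms that the sensor can open an HTTPS connection to the Management URL and that the API token authenticates. It assumes the SentinelOne REST endpoints /web/api/v2.1/system/status (unauthenticated) and /web/api/v2.1/agents/count (authenticated) and the "Authorization: ApiToken" header form; check these against your SentinelOne API documentation.

```sh
#!/bin/sh
# Pre-flight check for the USM Anywhere Sensor host: can it reach the SentinelOne
# management URL over HTTPS, and does the generated API token authenticate?
# ASSUMPTIONS (not taken from the article): the SentinelOne REST paths
# /web/api/v2.1/system/status (no auth) and /web/api/v2.1/agents/count (auth),
# and the "Authorization: ApiToken <token>" header format.

# normalize_mgmt_url: reduce the Management URL to scheme+host; reject plain http.
normalize_mgmt_url() {
  case "$1" in
    https://*) printf '%s\n' "$1" | sed -e 's#^\(https://[^/]*\).*#\1#' ;;
    *) return 1 ;;
  esac
}

# http_status: print only the HTTP status code of a GET (000 if no connection).
http_status() {
  url=$1; header=${2:-}
  if [ -n "$header" ]; then
    curl -sS -o /dev/null -w '%{http_code}' --max-time 15 -H "$header" "$url"
  else
    curl -sS -o /dev/null -w '%{http_code}' --max-time 15 "$url"
  fi
}

# s1_preflight <management_url>: the token is read from S1_API_TOKEN so it never
# appears on the command line, in the process list, or in shell history.
s1_preflight() {
  base=$(normalize_mgmt_url "$1") || { echo "Management URL must start with https://" >&2; return 2; }
  [ -n "$S1_API_TOKEN" ] || { echo "S1_API_TOKEN is not set" >&2; return 2; }

  code=$(http_status "$base/web/api/v2.1/system/status") || true
  case "$code" in
    200) echo "reachability: OK ($base)" ;;
    000) echo "reachability: FAILED, no HTTPS connection from this sensor to $base" >&2; return 1 ;;
    *)   echo "reachability: unexpected HTTP $code from $base" >&2; return 1 ;;
  esac

  code=$(http_status "$base/web/api/v2.1/agents/count" "Authorization: ApiToken $S1_API_TOKEN") || true
  case "$code" in
    200) echo "token: OK (authenticated request succeeded)" ;;
    401) echo "token: REJECTED (HTTP 401); regenerate it under Settings > Users" >&2; return 1 ;;
    *)   echo "token: unexpected HTTP $code" >&2; return 1 ;;
  esac
}
```

Run it as `S1_API_TOKEN='...' sh preflight.sh` after adding a final line such as `s1_preflight "https://<your-management-url>"`; a 000 result points at sensor egress or DNS, a 401 at the token.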

AlienApp Log Collection

Once the AlienApp has been configured, you can choose to have USM Anywhere collect logs from the app on a regular basis.

To configure log collection for the AlienApp

  1. Go to Settings > Scheduler.
  2. In the Job Scheduler, search for the AlienApp on the sensor to which it was deployed.
  3. In the Enabled column, click the icon for the inactive collection job.

    The icon turns green, and collection is enabled.

  4. (Optional.) Click the icon to customize the frequency of the event collection.

The AlienApp for SentinelOne and the AlienApp for AT&T Managed Endpoint Security

Because both the AlienApp for SentinelOne and the AlienApp for AT&T Managed Endpoint Security share configuration components through AlienApp for SentinelOne, configuring one AlienApp will cause the other to appear as configured in your My Apps page. This is expected behavior. Do not delete or disable the AlienApp for SentinelOne or the AlienApp for AT&T Managed Endpoint Security. Changes to one AlienApp will cause configuration errors with the other AlienApp.

To ensure your API tokens remain up-to-date, the SentinelOne and AT&T Managed Endpoint Security Apps both include a scheduler job that automatically regenerates the API token. This job is not editable and runs automatically once the app is configured.

Note: Whether you are using the AlienApp for SentinelOne or the AlienApp for AT&T Managed Endpoint Security, this job will appear in your scheduled jobs as a SentinelOne job.
Important: This job will appear in your scheduled jobs as disabled until your SentinelOne app is fully configured.
