## Overview

**SentinelOne** offers security solutions for endpoints (EDR), cloud environments, and identities. It detects threats and malicious behavior across multiple vectors and automatically responds to remediate cyber threats in real time.

SentinelOne logs provide critical insights into your organization's security, including endpoint activities, detected threats, and user and admin actions. Monitor your logs in the Coralogix platform to identify patterns, investigate threats and abnormal actions, and understand the context of potential security breaches.

## Prerequisites

### SentinelOne permissions

You must have the following SentinelOne admin permissions:

- Console Users: `View`
- Service Users: `View/Create`

### SentinelOne API token

To deploy the SentinelOne integration package, you must create a new service user in SentinelOne with the roles described below and create an API token to be used for authentication with Coralogix.

Follow these steps:

**STEP 1**. Navigate to **Settings** > **Users** > **Roles**

**STEP 2**. Select **Actions** > **New Role**

**STEP 3**. Create a new role with these permissions: `Endpoint Threats: View`, `Activity: View`

**STEP 4**. Navigate to **Settings** > **Users** > **Service Users**

**STEP 5**. Select **Actions** > **Create New Service User**

**STEP 6**. Create a new service user, selecting the desired scope and the role defined above.

**STEP 7**. Copy the API token displayed once the service user is created.

**Notes**:

- Make sure to renew the API token before it expires; an expired token stops the integration. The default expiration period is 30 days, but an admin can modify this setting.
- When a token is about to expire, copy the service user and choose a new expiration date. This lets you replace the token while the old one is still active and prevents monitoring downtime. Find out more [here](https://app.scalyr.com/solutions/import-sentinelone).

## Required permissions

To configure this integration, users must have all of the following Coralogix permissions:

| Resource     | Action     | Description                | Explanation                                |
| ------------ | ---------- | -------------------------- | ------------------------------------------ |
| integrations | ReadConfig | View Deployed Integrations | View deployed integration packages.        |
| integrations | Manage     | Manage Integrations        | Deploy, undeploy, and update integrations. |

Find out more about roles and permissions [here](https://coralogix.com/docs/user-guides/aaa/access-control/permissions/index.md).

## Setup

**STEP 1**. From your Coralogix toolbar, navigate to **Data Flow** > **Integrations**. Select **SentinelOne**. Click **Connect**.

**STEP 2**. Click **Add New**.

**STEP 3**. Define the integration settings:

- **Integration name**. This field is automatically populated, but may be modified.
- **Application name**. Select an application name.
- **Subsystem name**. Select a subsystem name. This field will default to "SentinelOne", but may be modified.
- **SentinelOne tenant**. The URL of the SentinelOne tenant to connect to and read logs from.
- **SentinelOne API token**. The API token created for the service user above.

**STEP 4**. Click **Complete**.

## Use-Cases

- Create an alert when SentinelOne detects malware on an endpoint.
- Create an alert to track suspicious admin activity in SentinelOne, such as an unexpected removal of a protection policy.

## Support

**Need help?**

Our world-class customer success team is available 24/7 to walk you through your setup and answer any questions that may come up.

Feel free to reach out to us **via our in-app chat** or by emailing [support@coralogix.com](mailto:support@coralogix.com).
