SentinelOne

Last Updated: Jul. 01, 2024


SentinelOne offers security solutions for endpoints (EDR), cloud environments, and identities. It detects threats and malicious behavior across multiple vectors and automatically responds to remediate cyber threats in real time.

SentinelOne logs provide critical insights into your organization’s security, including endpoint activities, detected threats, and user and admin actions. Monitor your logs in the Coralogix platform to identify patterns, investigate threats and abnormal actions, and understand the context of potential security breaches.


SentinelOne permissions

You must have the following SentinelOne admin permissions:

  • Console Users: View
  • Service Users: View/Create

SentinelOne API token

To deploy the SentinelOne integration package, you must create a new service user in SentinelOne with the roles described below and create an API token to be used for authentication with Coralogix.

Follow these steps:

STEP 1. Navigate to Settings > Users > Roles

STEP 2. Select Actions > New Role

STEP 3. Create a new role with these permissions: Endpoint Threats: View, Activity: View

STEP 4. Navigate to Settings > Users > Service Users

STEP 5. Select Actions > Create New Service User

STEP 6. Create a new service user, selecting the desired scope and the role defined above.

STEP 7. Copy the API token displayed once the service user is created.


  • Make sure to update the API token before it expires to prevent the integration from stopping. The default expiration period is 30 days, but an admin can modify this setting.
  • When a token is set to expire, copy the Service User and choose a new expiration date. This lets you replace the token while the old one is active and prevents monitoring downtime. Find out more here.

Required permissions

To configure this integration, users must have all of the following Coralogix permissions:

integrations | ReadConfig | View Deployed Integrations | View deployed integration packages.
integrations | Manage | Manage Integrations | Deploy, undeploy, and update integrations.

Find out more about roles and permissions here.


STEP 1. From your Coralogix toolbar, navigate to Data Flow > Integrations. Select SentinelOne. Click Connect.

STEP 2. Click Add New.

STEP 3. Define the integration settings:

  • Integration name. This field is automatically populated, but may be modified.
  • Application name. Select an application name.
  • Subsystem name. Select a subsystem name. This field will default to “SentinelOne”, but may be modified.
  • SentinelOne tenant. URL of your SentinelOne tenant to connect and read logs from.
  • SentinelOne API token. SentinelOne API token created above.

STEP 4. Click Complete.


  • Create an alert once SentinelOne detects malware on an endpoint machine.
  • Create an alert to track suspicious admin activity in SentinelOne products, such as the unlikely removal of a protection policy.
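
The logic behind the two alerts above, as an added example that is not part of the original documentation or of either product: it evaluates both rules over constructed JSON log lines and counts lines it could not parse. The field names (kind, classification, description, endpoint, user, threat_name) and the phrase list are assumptions; map them to the fields your ingested SentinelOne logs actually carry.

```python
import json

# Constructed sample records. The field names (kind, classification,
# description, ...) are assumptions, not the actual ingested log schema.
SAMPLE_LOGS = """\
{"kind": "threat", "endpoint": "lab-ws-01", "classification": "Malware", "threat_name": "sample.exe"}
{"kind": "threat", "endpoint": "lab-ws-02", "classification": "PUA", "threat_name": "toolbar.exe"}
{"kind": "activity", "user": "admin@example.test", "description": "Protection policy removed from group Lab"}
{"kind": "activity", "user": "analyst@example.test", "description": "User logged in"}
truncated, non-JSON line
"""

# Assumed phrases for admin actions that weaken protection.
RISKY_ADMIN_PHRASES = ("policy removed", "policy deleted", "protection disabled")


def evaluate(text):
    """Return (alerts, skipped): alerts raised and count of unparseable lines."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            skipped += 1  # surface parse failures; silent drops hide gaps
            continue
        if rec.get("kind") == "threat":
            # Alert 1: malware detected on an endpoint machine.
            if str(rec.get("classification", "")).lower() == "malware":
                alerts.append({"rule": "malware_on_endpoint",
                               "subject": rec.get("endpoint"),
                               "detail": rec.get("threat_name")})
        elif rec.get("kind") == "activity":
            # Alert 2: admin activity that removes or weakens protection.
            desc = str(rec.get("description", ""))
            if any(p in desc.lower() for p in RISKY_ADMIN_PHRASES):
                alerts.append({"rule": "suspicious_admin_activity",
                               "subject": rec.get("user"),
                               "detail": desc})
    return alerts, skipped


if __name__ == "__main__":
    found, bad = evaluate(SAMPLE_LOGS)
    for alert in found:
        print(alert)
    print("unparseable lines:", bad)
```

A non-zero count of unparseable lines is worth its own alert, since dropped records mean the two detections above are running on incomplete data.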

