SentinelOne API
The SentinelOne API integration enables querying Endpoint Event data from SentinelOne XDR and ingesting it into the Nebulock Platform.
- In your SentinelOne portal, create a Service User for API Access under Policy and Settings, User Management.
  Make sure this is done at the correct site level (global keys will not work); it needs to be done at the particular account level.
- For your newly created Service User, create a role with the SDL Query API and SDL Search permissions.
- Find the Singularity Data Lake URL for your Region. The US is typically https://xdr.us1.sentinelone.net/. For other regions, look in the SentinelOne Portal Offline Help section to find your URL.
- In the Nebulock platform, go to Integrations and click Add Integration.
- Choose SentinelOne from the Provider list and fill out the PowerQuery URL and PowerQuery API with the information generated above. Only fill out the SiteID and Hostnames fields if instructed to do so by the Nebulock team.
