To integrate SentinelOne you will need 2 pieces of information, the URL and the API Key of your SentinelOne account.

URL

SentinelOne uses different subdomains based on your region and who you purchased your licenses from. To get this value, log in to S1 and copy the URL from your address bar. It should look like https://usea1-011.sentinelone.net/. Using console[.]sentinelone[.]net is not a valid value.

API Key

To create an API Key you’ll need to create a service user.

  1. Settings > Users > Actions
  2. Service Users > Actions > Create New Service User
  3. You may name it anything you’d like, we suggest ‘Wirespeed’
  4. Select a role with the following permissions:
    1. Endpoints
      1. Reconnect to Network
      2. Disconnect from Network
      3. View
    2. Endpoint Threats
      1. View
      2. Update Incident Status
      3. Update Analyst Verdict
  5. Set the expiration to a value you feel comfortable with, however we suggest 1 year. When the token expires you will receive an email notification from us saying the integration is experiencing errors. However, we suggest setting a calendar reminder to update the token before it expires. In an upcoming release we will automatically notify you ahead of time.