URL
SentinelOne uses different subdomains based on your region and who you purchased your licenses from. To get this value, log in to S1 and copy the URL from your address bar. It should look likehttps://usea1-011.sentinelone.net/. Using console[.]sentinelone[.]net is not a valid value.
API Key
To create an API Key you’ll need to create a service user. SentinelOne offers two console UIs; use the tab that matches the interface you see after logging in.- Classic console
- Singularity Operations Center
- Settings > Users > Actions
- Service Users > Actions > Create New Service User
- You may name it anything you’d like; we suggest Wirespeed
- When prompted to Select Scope of Access, we recommend Site > Client for MSP setups so access is scoped to the client being onboarded.
- Set the expiration to a value you feel comfortable with; we suggest 1 year. When the token expires you will receive an email notification from us saying the integration is experiencing errors. We also suggest setting a calendar reminder to update the token before it expires. In an upcoming release we will automatically notify you ahead of time.
- Copy the API token and paste it into Wirespeed when prompted.
Use the built-in IR Team role for this service user. SentinelOne includes this role by default. Choose the role scope that is appropriate for your SentinelOne setup (for example, Customer or Global in the classic console, or the matching site/account scope in Singularity Operations Center).
STAR designation is not exposed in Wirespeed through SentinelOne’s API.
On first sync, Wirespeed fetches alerts from the last 90 days, capped at the newest 5,000 alerts.