SentinelOne - User Guide

In this article, you will understand step by step how to easily integrate with SentinelOne


Viewer permissions 

Connecting Scytale & SentinelOne

To connect SentinelOne, you'll need to provide the following details:

  1. Base URL: The Base URL is the URL you use to manage your SentinelOne EDR deployment. The Base URL has the format https://<host>
  2. API Token: A unique API token generated by a SentinelOne user. In the following section, we will cover how to create a Service User and generate an API token with the minimum scope of access.

We highly recommend creating a new dedicated service user for the integration. This is to prevent a user from being removed from SentinelOne and disrupting your data ingestion.

Here is how you can create a new service user with the minimum required permissions for the integration.

1. Create a new Service User

In the SentinelOne console:

1.  Navigate to the Settings page

2. Click on Users

3. Select the Service Users option in the left hand menu

4. Select Create New Service User from the Actions dropdown menu


2. Configure Service User

Give the user a name and description, and then set the Expiration Date to a time period that suits your organization’s security policy.
Recommend setting the Expiration Date to 2 years.

Scytale will not automatically renew the API token associated with this Service Account, you will have to manually create a new user and update your Scytale connection with the new API token every time you provision a new Service User.



3. Select User Scope of Access

After creating the user, you will be prompted to assign the new user a scope of access. The user will require the Viewer role to access the data required for the integration. We do not recommend giving the user any additional permissions.



4. Generate API Token

After creating the user, SentinelOne will generate an API token for your new Service User. This token is required to authenticate with the SentinelOne API. Copy the token and store it in a secure location. You will need to provide this token in Scytale connection.