Introduction
This guide provides information on how to:
- Set up Beyond Identity integration with SentinelOne
Prerequisites
Licensing Requirements
- SentinelOne SKUs and Features required:
  - SentinelOne Control or Complete
- Beyond Identity SKUs and Features required:
  - Included with Beyond Identity Secure Workforce
  - https://www.beyondidentity.com/products/secure-work
Version Requirements
- SentinelOne Console: Union Square#34
- SentinelOne Agent: 22.2 and above
- Beyond Identity Authenticator: Version 2.70.0 and above, supports macOS and Windows
Role/Access Requirements
- SentinelOne Role/Access Requirements
  - API Token created from a service user with:
    - Account and site level scope access: Minimum built-in role of ‘IR Team’
  - Custom Role Requirements:
    - API Token created from a service user with:
      - Optional: Create a custom role with the following permissions:
        - Endpoints > View
        - Endpoints > Disconnect From Network
- Beyond Identity Role/Access Requirements
  - Log in as a user with minimum role of ‘Integrations Administrators’ for adding and configuring integrations and ‘Policy Administrators’ for configuring policy.
Configuration and Setup
SentinelOne Setup
Create a Custom Role
You can either use the built-in role IR Team or create a custom role.
To create a custom role:
- Log in to your SentinelOne Cloud console, then click Settings.
- Select the Users tab.
- Select Roles.
- Click Actions, then select New Role.
- Give it a unique name and description, for example BI_View_Disconnect.
- Deselect permissions by going through each of the permission sets associated with this role and clicking Deselect All (wherever allowed), or individually deselecting them (where Deselect All is not permitted).
- For the Endpoints permission set, select only these 2 permissions:
  - Endpoints > Endpoints View
  - Endpoints > Endpoints Disconnect From Network
- Click Save.
Create an API Key
To create an API key for SentinelOne, follow the steps below:
- Log in to your SentinelOne Cloud console, then click Settings.
- Select the Users tab.
- Select Service Users.
- Click Actions, then select Create New Service User.
- In the Create New Service User pop-up window that opens, enter a Name and Description, then select an Expiration Date.
- Click on Access Level Account (even if this is already selected).
- Select your Account and then select the BI_View_Disconnect role for your account.
- Click Create User.
Beyond Identity Setup
- In the Beyond Identity Admin Console, go to Integrations > Endpoint Management.
- Choose SentinelOne and enter the SentinelOne URL and API token.
- Click Save Changes.
The integration is now in place. Proceed to testing.
Testing
To test the Beyond Identity <-> SentinelOne integration, configure Beyond Identity policy rules:
- Create a monitor rule to evaluate the SentinelOne isActive attribute. View results of monitor rule matches via match counts under Policy.
- Create a Deny rule scoped to a test user group or test device (via passkey tag) to test the SentinelOne disconnect action.
Additional Information
The Beyond Identity <-> SentinelOne integration triggers a poll of the SentinelOne API for a specific device, identified by the device's serial number. This poll occurs on each Beyond Identity transaction evaluated via policy, once the SentinelOne integration is configured and a SentinelOne attribute and/or action is configured in the Beyond Identity policy rule set.