Skip to main content

SentinelOne

Updated

Complete guide for integrating SentinelOne EDR with the Qevlar AI Platform, enabling automated security incident investigation and analysis.

Overview

SentinelOne is an AI-powered endpoint security platform that provides comprehensive protection against malware, exploits, and other cyber threats. By integrating SentinelOne with Qevlar AI, you can:

  • Automatically investigate security incidents detected by SentinelOne
  • Retrieve contextual endpoint data for enhanced threat analysis
  • Streamline your security operations workflow
  • Leverage XDR capabilities for deeper insights

This guide covers both Data Source and Alert Source integrations to fully connect your SentinelOne environment with Qevlar AI.

Prerequisites

Before starting the integration, ensure you have:

  • Administrative access to your SentinelOne Management Console
  • Access to the Qevlar AI platform with integration permissions
  • Your SentinelOne hostname (e.g., usea1-123.sentinelone.net)
  • (Optional) Your Singularity Data Lake Console hostname for XDR features

Step 1: Create a SentinelOne Service User

First, you'll need to create a dedicated Service User in SentinelOne with the appropriate permissions.

1.1 Access SentinelOne Settings

Log in to your SentinelOne Management Console and navigate to the Settings page by clicking Settings in the left navigation panel.

SentinelOne Settings Navigation

1.2 Navigate to Service Users

In the Settings page:

  1. Click on the USERS tab
  2. Select Service Users from the left sidebar
  3. Click the Actions dropdown button
SentinelOne Service Users Page

1.3 Create New Service User

From the Actions dropdown, select Create New Service User.

Create New Service User Option

1.4 Configure Service User Details

Fill in the service user information:

  • Name: Enter "Qevlar AI" (or another descriptive name)
  • Description: Add a description like "Service user for Qevlar AI integration"
  • Expiration Date: Select an appropriate expiration period (6 months recommended)

Click Next to proceed.

Service User Configuration

1.5 Set Access Scope and Permissions

Configure the access level for the service user:

  1. Select Account as the Access Level
  2. Choose your organization/account from the list
  3. Set the Role to Viewer
  4. Click Create User
Access Scope Configuration

1.6 Save the API Token

Important: A dialog will appear showing the API token. This is the only time you can view this token!

  1. Click Copy API Token to copy it to your clipboard
  2. Save this token securely, you'll need it for the Qevlar configuration
  3. Click Close when done
API Token Display

Step 2: Configure Data Source Integration in Qevlar

The Data Source integration allows Qevlar AI to retrieve endpoint data and context from SentinelOne.

2.1 Access Qevlar Integration Center

  1. Navigate to your Qevlar platform
  2. Select Integrations from the menu
Integration Center - SentinelOne Tile
  1. In the Integration Center, locate the SentinelOne tile (Add new data sources)
  2. Click the + button on the SentinelOne tile to begin configuration

2.2 Configure Data Source Settings

You'll need to provide the following information:

Field Value
API Key The API token you copied from SentinelOne
Site ID Your SentinelOne site ID (https://<site-id>.sentinelone.net)
Datasets Select which datasets to enable

Enter the required information in the configuration dialog:

SentinelOne Configuration Dialog

Related articles