Eyeglass Solutions Publication

SentinelOne Zero Trust Security Host Network Disconnect Integration

Home



 

Overview

Customers using SentinelOne can now leverage a native integration that initiates native API integration to isolate hosts where flagged as compromised by Superna Security Edition. 

  1. NOTE:  This documentation is provided "as is" without support for 3rd party software.  The level of support for this integration guide is best effort without any SLA on response time.  No 3rd party product support can be provided by Superna directly.  3rd party components require support contracts

Limitations

  1. None

Solution Overview

Superna Security Edition Zero Trust API receives webhook alerts from Security Edition and maps all relevant data fields into SentinelOne.  


Video Demo

Advanced Zero Trust Capabilities

  1. Superna Security Edition host Network disconnect api integration with SentinelOne. Default is enabled.
  2. Optional
    1. Host broadcast message sent to the host about the security actions taken.  Default is disabled.
    2. Initiate full scan of the host to look for threats inside the host.   Default is disabled.

What is SentinelOne?

SentinelOne is an Endpoint Detection and Response solution that employs artificial intelligence and machine learning to detect, prevent, and respond to cyber threats.


Integration Architecture



Solution Configuration in SentinelOne and Security Edition Zero Trust

Prerequisites

  1. Installed Security Edition
  2. Eyeglass OS appliance version 15.5
    1. cat /etc/os-release
  3. License key for the Zero Trust API 
  4. SentinelOne


Configuration in SentinelOne

To generate an API token in SentinelOne , you'll need to follow these steps.

  1. Create an API token for a service account user.

    1.  
    2. Create a log write api key 


  2. Record the api token to be used in the integration script.


Configuration Steps on Eyeglass Virtual Machine

High Level steps

  1. Create python location to run the application on the Eyeglass vm
  2. Create python main application script
  3. Create linux systemd service and set to auto start
  4. Create Zero Trust configuration in Security Edition
  5. Update the main script to customize with SentinelOne  python code
  6. Test the script is running as a service
  7. Create a test event in Security Edition to validate the alerts appear as indexed parsed events in SentinelOne

Configuration Step by Step

Configure the Service start and python integration files
  1. Login to eyeglass vm using ssh as the admin user to create zero trust application
    1. sudo -s 
    2. mkdir -p /opt/superna/cgi-bin
    3. touch /opt/superna/cgi-bin/sentinelone.py
    4. touch /opt/superna/cgi-bin/sentinelone.sh 
    5. chown sca:users /opt/superna/cgi-bin/sentinelone.*
    6. chmod +x  /opt/superna/cgi-bin/sentinelone.py 
    7. chmod +x /opt/superna/cgi-bin/sentinelone.sh 
  2. Create systemd configuration
    1. nano  /etc/systemd/system/sentinelone.service
    2. Copy the values below and Paste these contents into the file opened in nano editor in the step above
    3. Save the file 
      1. press control+x
      2. Answer yes to save and exit
  3. Restart systemd
    1. systemctl daemon-reload
  4. Set to enabled
    1. systemctl enable SentinelOne
  5. Create SentinelOne.sh service script
    1. Copy the values below
    2. nano /opt/superna/cgi-bin/sentinelone.sh
    3. paste the script values below into the nano editor
    4. Save the file
      1. press control+x
      2. Answer yes to save and exit the editor
  6. Once the script is created below,  do not start the service at this step.
  7. Done

### Service definition text to copy into /etc/systemd/system/sentinelone.service. ###
[Unit]
Description=Webhook listener for Zero Trust api translations and integrations
After=network.target

[Service]
User=sca
Group=users
WorkingDirectory=/opt/superna/cgi-bin
Environment="PATH=/opt/.pyenv/shims:/usr/bin:/usr/local/bin"

ExecStart=/bin/bash /opt/superna/cgi-bin/sentinelone.sh

[Install]
WantedBy=multi-user.target



copy for bash script

### service launch script /opt/superna/cgi-bin/sentinelone.sh ### 
#!/bin/bash
export PATH="/opt/.pyenv/bin:$PATH"
/opt/.pyenv/shims/python3 sentinelone.py


Configure the python packages and customize the SentinelOne integration python code

  1. Now install required python packages for the SCA users that will run the service.  NOTE this is the same user that runs the main eyeglass application code.
    1. su - sca 
    2. pip3 install flask boto3 requests logging 
    3. exit 
    4. NOTE: you must type exit to ensure you are the root user for the remaining steps.  Type whoami to make sure you are the root user.
  2. Customize the application code by downloading the python code from this link to download
    1. Open the python template file in a text editor. NOTE: make sure to only replace the values and do not delete any of the commas
    2. Locate this section in the file # Define the endpoint and API token as variables to add your SentinelOne api token and endpoint for API calls . 
      1.  Add the API URL and API token into this section below
      2.  
        # SentinelOne instance URL and API token
        instance_url = "https://yyyyyy.sentinelone.net"
        api_token = "xxxxxx"
  1. nano /opt/superna/cgi-bin/sentinelone.py
  2. Open the file locally in Windows OS notepad and use control-A or select all the text in the python template
  3. Paste the clipboard into the ssh terminal session with the open nano editor file
  4. save the file
    1. press control+x
    2. Answer yes to save and exit the nano editor 
  5. Start the service and verify it is running
    1. systemctl start sentinelone
    2. systemctl status -l sentinelone 
    3. Verify the service is started successfully and returns "active and running".

  6. If the service does not start do not proceed and double check the steps above are completed. 

Configure Security Edition Zero Trust Webhooks

  1. The next step creates an Zero Trust Webhook URL.    
    1. Configure Zero Trust endpoint in Ransomware Security Edition Zero Trust tab.
      1. Recommended Configuration: Only Critical and Major events and only the webhooks that set lockout or delayed lockout.   Customers can customize based on specific requirements. The goal is to send findings versus a list of alarms that do not pinpoint a security incident.
      3. The endpoint url above will use localhost and will send Webhooks to the application service listening on port 5000. URL to use in the configuration
        1. http://localhost:5000/webhook 
        2. Add the Content-Type header with value of application/json as shown above to complete the webhook configuration.
        3. Click save to commit the configuration.
        4. Click save on the main Webhook configuration page
  2. Test the configuration is working following the next section


How to configure optional actions within the Integration

  1. The integration code will default to host isolation enabled,  host broadcast disabled, full scan disabled.
  2. Edit the integration code as follows to enable optional actions.
    1. # Flags to enable/disable features
    2. enable_isolation = True # Set this to False to disable isolation
    3. enable_broadcast = True # Set this to False to disable broadcast messages
    4. enable_full_scan = True # Set this to False to disable full disk scan
  3. nano /opt/superna/cgi-bin/sentinelone.py
  4. edit to True the options you want to enable
  5. Then save using control+x to save the file
  6. systemctl start sentinelone 




How to test the Integration with SentinelOne


  1. Follow these steps to test the integration. 
  2. Edit the integration script and locate this section
    1. # test an IP using hard coded
      # host_ip = 'x.x.x.x'
      # severity = 'CRITICAL'
  3. remove the # for the host_ip and severity line and enter an ip address for a SentinelOne endpoint to test the Isolation API
  4. Create a test lockout to generate a webhook, 
    1. Create a banned file extension type in the Security Edition File Filter list 
    2. Using a windows client pc mount an SMB share protected by Security Edition and create files with this section , create at least 100 files, verify your pc is locked out and an event is generated in the console.
    3. Now check SentinelOne console to verify if the network isolation network disconnect was processed.
  5. See below what the user experience looks like in SentinelOne console.
  6. Make sure to add the comment lines back when done using the # at the front of the line and save the file.

SentinelOne SecOps administrators Integration Experience 

Overview:  Once configured, Superna Security Edition integration with SentinelOne enables real time alert ingestion using the integration code and host network disconnect.  This ensures compromised hosts are disconnected from the network after a serious incident detection at the storage layer.


  1. Host before any Cyber Storage detecctions.
  2.  
  3. After a detection in Security Edition and integration code activated the host will look like this.
    1. Integration response log
    2.  
  4. Network status now shows Disconnected.
    1.  
  5. To reconnect to host use the actions menu
    1.   
  6. If host broadcast message is enabled the host will see this message (text can be customized)
    1.    
  7. If full scan is enabled as a response action the console will indicate a full scan has been started.
    1.  



How to Configure Data Security Essentials

Overview

Data Security Essentials saves alerts to the Windows Event log to a custom application log.   This integration will extract the log entries and the json payload contained within them and format as webhook data to send to SentinelOne to issue the host containment to the endpoint provided by SentinelOne.



Requirements

  1. Follow the SentinelOne integration steps above to configure the Scripted REST API endpoint integration.
  2. Install python for Windows on the Data Security Essentials host and allow the installation to add python to the path variable. https://www.python.org/downloads/windows/
    1. NOTE: Ensure it's installed for all users so service accounts have access, by enabling for all users during installation.
  3. The integration code matches event log entries from Custom trigger BOT policies and File management policies
    1. The event log source names are below 
      1. Superna Data Security Essentials BOT Service
      2. Superna Data Security Policy Engine 

Features

  1. Logs for each execution are stored in the path below along with the python code. 
    1.  
  2. Each execution will store the event log record ID and date time and event number of the last processed event in a file called last_processed_record.txt.  This file is read on each execution to continue processing from last record.  The record number is not visible in Event Viewer, the date time and event number can be used to understand where in the log the last processing occurred.
  3. The schedule sync runs every minute and only processes events since the last record and logs all processing as well as event matches in the log file for debugging.
  4. Only events that match the severity filter will be processed for client ip address.   The sample code defaults to Major and Critical severity events all other severities will be ignored. 

Steps to Configure Event Sync to SentinelOne Host Containment Integration

  1. Download the integration code from here. (Right Click Save as to download)
  2. Modify the python and update the SentinelOne integration settings highlighted in yellow to match your environment.
    1. # SentinelOne API credentials
      client_id = 'xxxxxx'
      client_secret = 'yyyyyyy'
      base_url = "https://api.us-2.SentinelOne.com"

      # Configuration
      server = 'localhost'
      log_name = 'Data Security Essentials'
      source_names = ['Superna Data Security Essentials BOT Service', 'Superna Data Security Policy Engine']
      trigger_severities = ['MAJOR', 'CRITICAL','WARNING'] # Configure severities that should trigger containment
      enable_isolation = True # Set to False to disable isolation actions
  3. Copy the Python code into C:\Program Files\Superna\cgi-bin on the Data Security Essentials host and name the file sentinelone-dse.py
  4. Install python dependancies
    1. MANDATORY Step: Open a command prompt as the service account (hold down shift and right click the command prompt icon) run as  option to login as the service account dse-service.  This is required to install the python packages under the correct user account.
    2. Install the dependencies with this command
      1. pip install pywin32 requests
    3. This command installs the windows API python libraries needed to read the event log.
  5. Test the script can correctly reach your SentinelOne instance from a dos prompt
    1. cd C:\Program Files\Superna\cgi-bin
    2. python  SentinelOne-dse.py
    3. The output should display event log entries that match  and  will ignore severities that do not match script settings .  It will display the event payload details in json format and will show the data that was sent to the SentinelOne endpoint.   
    4. Example output
      1.   
    5. You can also review this file last_processed_record.txt to see the last date and time within the event log and event id that was last processed.  This file can be deleted to have the script start reading from the oldest windows event log entry.  This can be done for testing puposes.
    6. The above examples shows the output when a client ip address is successfully located and the host containment api returns success.
    7. The example below is logged when event data is processed and inspected for client ip and matching severity.
      1. Right Click here to download and save and open
  6. Steps to Schedule sync alerts into SentinelOne Security Incidents 
    1. Open secpol.msc, Local policies
    2. Give the Data security essentials AD service account the  "Logon as a batch job"  OS permission.
    3.   
    4. Create a file 
  7. Right click this link to save to a file. The task scheduler XML file to import into Task Scheduler
    1. You can rename the xml from Servicenow alert sync.xml to SentinelOne integration.xml. 
  8. Open Task Scheduler
    1. Run taskschd.msc, right click task schedule library 
    2.   
    3. Import the xml file
    4. You will be prompted with the task definition, you will need to change the service account to match your service account name and domain and re-enter the password to save the task scheduler.  All other settings are configured and match the path and settings used above.  Adjust any parameters that you changed if you did not use all the steps above. 
      1. Edit the name "SentinelOne Containment integration"
      2. Click the Actions tab and browse to select the file C:\Program Files\Superna\cgi-bin\SentinelOne-dse.py
      3. Click ok to save 
      4.   
    5. done.
© Superna Inc