Eyeglass Solutions Publication

SentinelOne Zero Trust Singularity Data Lake Integration

Home

Overview

Customers using SentinelOne Singularity Data Lake can now leverage a native integration that initiates native API integration to send root cause detections with details into natively parsed log entries within Singularity Data Lake by Superna Security Edition.

NOTE: This documentation is provided "as is" without support for 3rd party software. The level of support for this integration guide is best effort without any SLA on response time. No 3rd party product support can be provided by Superna directly. 3rd party components require support contracts

Limitations

None

Solution Overview

Superna Security Edition Zero Trust API receives webhook alerts from Security Edition and maps all relevant data fields into SentinelOne Singularity Data Lake.

Video Demo

Advanced Zero Trust Capabilities

Superna Security Edition maps root cause events to native parsed log entries in SentinelOne Singularity Data Lake to be used in incident response and triggers.

What is SentinelOne?

SentinelOne is an Endpoint Detection and Response solution that employs artificial intelligence and machine learning to detect, prevent, and respond to cyber threats.

Integration Architecture

Solution Configuration in SentinelOne Singularity Data Lake and Security Edition Zero Trust

Prerequisites

Installed Security Edition
Eyeglass OS appliance version 15.5
1. cat /etc/os-release
License key for the Zero Trust API
SentinelOne

Configuration in SentinelOne Singularity Data Lake

To generate an API token in SentinelOne , you'll need to follow these steps.

Create an API token for a service account user.
Create a log write api key
Record the api token to be used in the integration script.

Configuration Steps on Eyeglass Virtual Machine

High Level steps

Create python location to run the application on the Eyeglass vm
Create python main application script
Create linux systemd service and set to auto start
Create Zero Trust configuration in Security Edition
Update the main script to customize with SentinelOne python code
Test the script is running as a service
Create a test event in Security Edition to validate the alerts appear as indexed parsed events in SentinelOne

Configuration Step by Step

Configure the Service start and python integration files

Login to eyeglass vm using ssh as the admin user to create zero trust application
1. sudo -s
2. mkdir -p /opt/superna/cgi-bin
3. touch /opt/superna/cgi-bin/sentinelonesiemsiem.py
4. touch /opt/superna/cgi-bin/sentinelonesiem.sh
5. chown sca:users /opt/superna/cgi-bin/sentinelonesiem.*
6. chmod +x /opt/superna/cgi-bin/sentinelonesiem.py
7. chmod +x /opt/superna/cgi-bin/sentinelonesiem.sh
Create systemd configuration
1. nano /etc/systemd/system/sentinelonesiem.service
2. Copy the values below and Paste these contents into the file opened in nano editor in the step above
3. Save the file
  1. press control+x
  2. Answer yes to save and exit
Restart systemd
1. systemctl daemon-reload
Set to enabled
1. systemctl enable sentinelonesiem
Create SentinelOne.sh service script
1. Copy the values below
2. nano /opt/superna/cgi-bin/sentinelonesiem.sh
3. paste the script values below into the nano editor
4. Save the file
  1. press control+x
  2. Answer yes to save and exit the editor
Once the script is created below, do not start the service at this step.
Done

### Service definition text to copy into /etc/systemd/system/sentinelonesiem.service. ###

[Unit]

Description=Webhook listener for Zero Trust api translations and integrations

After=network.target

[Service]

User=sca

Group=users

WorkingDirectory=/opt/superna/cgi-bin

Environment="PATH=/opt/.pyenv/shims:/usr/bin:/usr/local/bin"

ExecStart=/bin/bash /opt/superna/cgi-bin/sentinelonesiem.sh

[Install]

WantedBy=multi-user.target

copy for bash script

### service launch script /opt/superna/cgi-bin/sentinelonesiem.sh ###

#!/bin/bash

export PATH="/opt/.pyenv/bin:$PATH"

/opt/.pyenv/shims/python3 sentinelonesiem.py

Configure the python packages and customize the SentinelOne Singularity Data Lake integration python code

Now install required python packages for the SCA users that will run the service. NOTE this is the same user that runs the main eyeglass application code.
1. su - sca
2. pip3 install flask boto3 requests logging
3. exit
4. NOTE: you must type exit to ensure you are the root user for the remaining steps. Type whoami to make sure you are the root user.
Customize the application code by downloading the python code from this link to download
1. Open the python template file in a text editor. NOTE: make sure to only replace the values and do not delete any of the commas
2. Locate this section in the file # Replace with your SentinelOne HEC token and URL to add your SentinelOne api token and endpoint for API calls. Review this link on how to determine your ingestion URL.
  1. Add the API URL and API token into this section below
  2. # Replace with your SentinelOne HEC token and URL
    SENTINELONE_HEC_TOKEN = 'xxxxxxxxxx'
    SENTINELONE_HEC_URL = 'https://ingest.us1.sentinelone.net/services/collector/event'

nano /opt/superna/cgi-bin/sentinelonesiem.py
Open the file locally in Windows OS notepad and use control-A or select all the text in the python template
Paste the clipboard into the ssh terminal session with the open nano editor file
save the file
1. press control+x
2. Answer yes to save and exit the nano editor
Start the service and verify it is running
1. systemctl start sentinelonesiem
2. systemctl status -l sentinelonesiem
3. Verify the service is started successfully and returns "active and running".
If the service does not start do not proceed and double check the steps above are completed.

Configure Security Edition Zero Trust Webhooks

The next step creates an Zero Trust Webhook URL.
1. Configure Zero Trust endpoint in Ransomware Security Edition Zero Trust tab.
  1. Recommended Configuration: Only Critical and Major events and only the webhooks that set lockout or delayed lockout.Customers can customize based on specific requirements. The goal is to send findings versus a list of alarms that do not pinpoint a security incident.
  3. The endpoint url above will use localhost and will send Webhooks to the application service listening on port 5000. URL to use in the configuration
    1. http://localhost:5000/webhook
    2. Add the Content-Type header with value of application/json as shown above to complete the webhook configuration.
    3. Click save to commit the configuration.
    4. Click save on the main Webhook configuration page
Test the configuration is working following the next section

How To Configure SentinelOne Singularity Star Rule to create detections

Create a STAR Rule
with this Search criteria logfile='Superna_ZeroTrust'
4. Click Next to Save and Activate

How to test the Integration with SentinelOne Singularity Data Lake

Follow these steps to test the integration.
Create a test lockout to generate a webhook,
1. Create a banned file extension type in the Security Edition File Filter list
2. Using a windows client pc mount an SMB share protected by Security Edition and create files with this section , create at least 100 files, verify your pc is locked out and an event is generated in the console.
3. Now check SentinelOne console to verify if the network isolation network disconnect was processed.
See below what the user experience looks like in SentinelOne Singularity Data Lake console.

SentinelOne Singularity Data Lake SecOps administrators Integration Experience

Overview: Once configured, Superna Security Edition integration with SentinelOne enables real time alert ingestion using the integration code.