Configure Simple Response for SentinelOne: Isolate Host

Configure a SentinelOne: Isolate Host simple response to automatically isolate the endpoint of a user who is the victim of an incident.

Typical use cases for this response include:

  • Preventing a compromised laptop or server from further compromising your network
  • Allowing your security team to review endpoint detection and response (EDR) findings before response

Complete the following steps to successfully configure this simple response:

  1. (Optional) Create an exclusion list
  2. Choose the response
  3. Connect to SentinelOne
  4. (Optional) Apply exclusions
  5. Choose when to respond

(Optional) Create an exclusion list

If you want your automation to exclude specific hosts, the hosts must be defined in one or more exclusion lists. For example, you can create a list of computers for your security team to prevent them from being locked out. During the simple response creation process, a step is available to apply exclusion lists to your automation. If a list you want to apply does not exist already, use the instructions in Exclusions to create it now.

Choose the response

In the Alert Logic console, click the navigation menu icon, click Respond, click Automated Response, and then click Simple Responses. Click the add icon, and then, under SentinelOne: Isolate Host, click START.

Connect to SentinelOne

This response requires a SentinelOne connection that grants Alert Logic access to SentinelOne. In the Connect step, name your response and connect to SentinelOne as follows.

To connect to SentinelOne:

  1. In Response Name, enter a descriptive name for your simple response (example: "Isolate Compromised Host").
  2. If you already have a connection to SentinelOne, leave Use an existing connection selected, and then select the connection in Connection. You can use the search bar to help you find the connection.
  3. If you do not have a SentinelOne connection, click Create a connection, and then complete the instructions in Create a SentinelOne connection to set it up.
  4. In Expiration in Seconds, enter the number of seconds before you want Alert Logic to release the host from isolation, or keep the default value of 0 if you do not want the response to expire.
  5. Click TEST to perform a dry run that checks the configuration without performing the response. After a few moments, results appear in a message.
    • If the result is Succeeded, continue to the next step in this procedure.
    • If the result is Failed, use the listed errors to assist with troubleshooting. If necessary, you can click Edit connection above SentinelOne Connection, and then use the information in Create a SentinelOne connection to check and fix the connection. For further assistance with troubleshooting, see Troubleshooting tips.
  6. If you want the simple response to be active, leave Response is active turned on. Turn it off if you want to save the configuration but not activate the response yet.
  7. Click NEXT to continue to the (Optional) Apply exclusions step.

Create a SentinelOne connection

A SentinelOne connection securely stores reusable authentication credential information for integrations with SentinelOne. To create the connection, Alert Logic requires the following information from SentinelOne:

  • Management Hostname—The hostname portion of your SentinelOne domain. For example, if the domain is u1234-s123.sentinelone.net, the hostname is u1234-s123.
  • API Token—SentinelOne API user token that you generate in SentinelOne. This token allows Alert Logic to access your SentinelOne domain.

Alert Logic provides the following steps to help you get the API token. For further questions about the steps performed in the SentinelOne console, or if your interface looks different, contact SentinelOne support.

  1. Generate an API token in SentinelOne
  2. Create the connection in the Alert Logic console

Generate an API token in SentinelOne

A connection to SentinelOne requires a SentinelOne API user token.

To generate an API token in SentinelOne:

  1. Log into the SentinelOne Management Console as a user with Admin-level access.
  2. On the Settings page, click the user's name in the top-right corner, and then click My User.
  3. Next to API Token, click the Generate link.
    If you see a "Last generated" date, you already have a token. In the menu accessed from the Options button, the Revoke API token and Regenerate API token options are available. Revoke removes the token authorization. Regenerate revokes the token and generates a new token. If you revoke or regenerate the token, existing integrations that use that token will not work.
  4. Click Copy and paste the token in a text editor for later. Note the expiration date. When the token expires, you must repeat this procedure to generate a new API token, and then edit the connection to use the new token.

Create the connection in the Alert Logic console

Next, go back to the Create a Simple Response page to enter information in the Connect step that grants Alert Logic access to SentinelOne.

To create the SentinelOne connection in the Alert Logic console:

  1. In Connection Name, type a descriptive name for the connection, for example, "SentinelOne Connection".
  2. In Management Hostname, enter the hostname portion of your SentinelOne domain.
    If your SentinelOne domain is u1234-s123.sentinelone.net, for example, enter the hostname u1234-s123.
  3. In API Token, paste the API user token that you noted in Generate an API token in SentinelOne.
  4. Click SAVE.

(Optional) Apply exclusions

If you want to exclude hosts from the response, in Exclusion List(s), select one or more lists that define the exclusions. You can create exclusion lists from the Exclusions page if necessary, and then come back. For more information, see Exclusions.

After you choose one or more lists, or if you want to skip this step, click NEXT.

Choose when to respond

In the last step, choose whether to request approval before Alert Logic runs the response each time. Alert Logic sends the request by email and the Alert Logic Mobile App. You can request approval from multiple users, such as members of your security team. The first user to answer determines whether the response is approved or rejected. Subsequent users who respond receive a message stating that the inquiry was responded to already.

In this step you also choose the incident analytics that you want to trigger the response. You can respond to incidents generated from all analytics that Alert Logic recommends as triggers, or you can choose specific analytics.

To choose when to respond:

  1. If you do not want to require approval, click Do not require approval.
  2. If you want to require approval, click Send approval request, and then select one or more approval recipients in User(s). You can use the search bar to help you find names and email addresses.
    To improve traceability of approvals, Alert Logic recommends that you choose individuals rather than a distribution list.
  3. If you want to isolate hosts detected in incidents generated from all analytics that Alert Logic recommends as triggers for this response, leave Respond to all recommended analytics selected. The recommended analytics for this response include:
    • Possible Mimikatz usage detected on {victim_hostname}
    • PowerSploit PowerShell framework activity detected on {victim_hostname}
  4. If you prefer to choose from a list of all analytics available for this response type, click Choose analytics, and then select one or more analytics to use as triggers for the response.
    To learn more about a specific analytic, you can find it in the Threat Intelligence Center. For more information, see Threat Intelligence Center.
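The settings chosen across the Connect, Apply exclusions, and Choose when to respond steps combine into one decision per incident. The following Python model, added here as an illustration and not Alert Logic or SentinelOne code, shows how those settings interact: an inactive response or a non-trigger analytic does nothing, an excluded host is skipped, the first approver to answer decides, and an expiration of 0 means the host is never released automatically. The class and function names, the sample hostnames and the sample user names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model of the SentinelOne: Isolate Host simple response decision
# flow described on this page. Not Alert Logic or SentinelOne code.

# Analytics this page lists as the recommended triggers for the response.
RECOMMENDED_ANALYTICS = {
    "Possible Mimikatz usage detected on {victim_hostname}",
    "PowerSploit PowerShell framework activity detected on {victim_hostname}",
}


@dataclass
class ResponseConfig:
    active: bool = True                      # "Response is active" toggle
    expiration_seconds: int = 0              # 0 = never release the host automatically
    exclusion_lists: list = field(default_factory=list)   # list of sets of hostnames
    require_approval: bool = False           # "Send approval request" vs "Do not require approval"
    trigger_analytics: set = field(default_factory=lambda: set(RECOMMENDED_ANALYTICS))


def first_answer(decisions):
    """Approval semantics from the page: the first recipient to answer decides,
    later answers only get an 'already responded' message.
    decisions: list of (user, 'approve' | 'reject') in arrival order."""
    if not decisions:
        return None, []
    approved = decisions[0][1] == "approve"
    late_responders = [user for user, _ in decisions[1:]]
    return approved, late_responders


def decide(cfg, analytic, victim_host, decisions=(), now=0):
    """Return (action, release_at). action is 'isolate' or 'skip:<reason>';
    release_at is an epoch-style timestamp, or None when isolation never expires."""
    if not cfg.active:
        return "skip:inactive", None
    if analytic not in cfg.trigger_analytics:
        return "skip:analytic-not-a-trigger", None
    # Hostname comparison is case-insensitive so "SEC-WS01" matches "sec-ws01".
    if any(victim_host.lower() in {h.lower() for h in lst} for lst in cfg.exclusion_lists):
        return "skip:excluded-host", None
    if cfg.require_approval:
        approved, _ = first_answer(list(decisions))
        if approved is None:
            return "skip:awaiting-approval", None
        if not approved:
            return "skip:rejected", None
    release_at = None if cfg.expiration_seconds == 0 else now + cfg.expiration_seconds
    return "isolate", release_at
```

Running `decide` with a security-team workstation in an exclusion list shows the skip path, while a victim host with a one-hour expiration yields `("isolate", now + 3600)`.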

Troubleshooting tips

Here are common errors that can occur when you test the configuration and suggested troubleshooting steps.

400 Client Error: Bad Request

For authentication errors, try regenerating the API token in SentinelOne.

  1. Log into the SentinelOne Management Console as a user with Admin-level access.
  2. On the Settings page, click the user's name in the top-right corner, and then click My User.
  3. Click Options, and then click Regenerate API token.
  4. Click Copy.
  5. In the Connect step in the Alert Logic console, click EDIT CONNECTION, and then paste the regenerated token in API Token.

Technical reference

Simple Response Name

SentinelOne: Isolate Host

Permissions

Admin user or user with Endpoints Disconnect From Network privileges in SentinelOne