Configuring the BlueApp for SentinelOne

Role Availability: Read-Only, Investigator, Analyst, Manager

SentinelOne API Configuration

To configure BlueApp for SentinelOne in USM Anywhere, you need to generate an API key in your SentinelOne instance and enter it into USM Anywhere.

To set up your SentinelOne API

  1. Log in to your SentinelOne management console.
  2. Select My User under your name in the upper right of the console.
    The permissions granted to your user account will also be the permissions available to your BlueApp for SentinelOne. Ensure that your account has either Admin or Incident Response Team privileges.
  3. In the My User window, click Actions, and then Generate API token.

Note: Users with Admin permissions will click the Actions button, but users with IR Team or similar permissions will click Options in its place.

  4. Click Download to save the API token, or copy it to paste into the AlienApp.
    You will enter the API token in the BlueApp for SentinelOne when you configure the AlienApp.

Important: If you generate a new API token at some point in the future, it will revoke the token you just generated and render the connection configured with it unauthorized. To reestablish your connection through the AlienApp, you must update the token configured in your BlueApp for SentinelOne.

Note: If you have previously enabled syslog collection for the SentinelOne Syslog BlueApp, you need to disable syslog collection when you connect the SentinelOne API to USM Anywhere to prevent duplicate logs.

In the SentinelOne management console, go to Settings > Integrations > Syslog and click Disable Syslog if it is currently enabled.

Configure BlueApp for SentinelOne in USM Anywhere

To enable the BlueApp for SentinelOne

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click Configure API.
  5. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled BlueApp.

    BlueApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the BlueApp API endpoints.

  6. Enter the Management URL of your SentinelOne instance, your SentinelOne Username, and the API Token you created.

  7. Use the checkboxes to enable the BlueApp for SentinelOne to create and merge assets.

    Configure API Dialog Box

    • Select the Allow Creation of New Assets checkbox to enable SentinelOne scans to create new assets in USM Anywhere.
    • Select the Allow Merging of Existing Assets checkbox to enable USM Anywhere to run a match against the SentinelOne identification to merge the assets found with existing USM Anywhere assets.
    • Important: If you want to create new assets, you need to select both options, Allow Creation of New Assets and Allow Merging of Existing Assets to prevent the duplication of assets. USM Anywhere won't create new assets if you only select one of the options.

    • Select the Include Rogue Assets checkbox to enable USM Anywhere to collect and detect assets without an installed agent.
    • See BlueApp for SentinelOne Asset Discovery and Management for more details on the asset creation and merging processes.

  8. Click Save.
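Before saving the Management URL and API token from step 6, it helps to confirm from the sensor's network position that the endpoint is reachable and that the token still authorizes (a regenerated token revokes the old one, so the same check distinguishes an unreachable endpoint from a revoked token). The following script is an added example, not code from AT&T Cybersecurity or SentinelOne; it assumes the SentinelOne Management API v2.1 path /web/api/v2.1/agents and the "Authorization: ApiToken <token>" header scheme, and the tenant hostname and token shown are placeholders.

```python
# Preflight check for the BlueApp credentials: Management URL reachability and
# API token validity. Standard library only, so it can run from the sensor host.
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Assumption: a cheap authenticated call on the v2.1 API. Any 401 here means the
# token is not accepted (wrong, expired, or revoked by a newer token).
CHECK_PATH = "/web/api/v2.1/agents?limit=1"


def build_request(management_url: str, api_token: str) -> urllib.request.Request:
    """Build the authenticated GET used to exercise the token.

    The BlueApp talks HTTPS to the Management URL, so anything else is rejected
    before a request is made.
    """
    parsed = urlparse(management_url.strip())
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("Management URL must be https://<host>, got %r" % management_url)
    url = "https://%s%s" % (parsed.netloc, CHECK_PATH)
    headers = {"Authorization": "ApiToken " + api_token.strip()}
    return urllib.request.Request(url, headers=headers, method="GET")


def classify(status: int) -> str:
    """Map the HTTP status to the condition an operator must act on."""
    if status == 200:
        return "ok"             # endpoint reachable, token accepted
    if status == 401:
        return "unauthorized"   # token revoked or mistyped: regenerate and update the BlueApp
    if status == 403:
        return "forbidden"      # token works but the user lacks Admin / IR Team rights
    return "http-%d" % status


def check_token(management_url: str, api_token: str, timeout: float = 10.0) -> str:
    """Run the check; returns 'ok', 'unauthorized', 'forbidden', 'http-<n>' or 'unreachable: ...'."""
    req = build_request(management_url, api_token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as err:
        return classify(err.code)
    except urllib.error.URLError as err:
        # DNS, TCP or TLS failure: the sensor cannot reach the endpoint at all
        return "unreachable: %s" % err.reason


if __name__ == "__main__":
    # Placeholder tenant and token; replace with your Management URL and the token from step 4.
    print(check_token("https://example-tenant.sentinelone.net", "PLACEHOLDER_API_TOKEN"))
```

Run it on the sensor (or a host on the same network segment) and treat "unreachable" as a sensor network-access problem and "unauthorized" as a token problem.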

BlueApp Log Collection

Once the BlueApp has been configured, you can choose to have USM Anywhere collect logs from the app on a regular basis.

To configure log collection for the BlueApp

  1. Go to Settings > Scheduler.
  2. In the Job Scheduler, search for the BlueApp on the sensor to which it was deployed.
  3. In the Enabled column, click the icon for the inactive collection job.

    The icon turns green, and collection is enabled.

  4. (Optional.) Click the icon to customize the frequency of the event collection.

The BlueApp for SentinelOne and the BlueApp for AT&T Managed Endpoint Security

Because both the BlueApp for SentinelOne and the BlueApp for AT&T Managed Endpoint Security share configuration components through BlueApp for SentinelOne, configuring one BlueApp will cause the other to appear as configured in your My Apps page. This is expected behavior. Do not delete or disable the BlueApp for SentinelOne or the BlueApp for AT&T Managed Endpoint Security. Changes to one BlueApp will cause configuration errors with the other BlueApp.

To ensure your API tokens remain up-to-date, the SentinelOne and AT&T Managed Endpoint Security Apps both include a scheduler job that automatically regenerates the API token. This job is not editable and runs automatically once the app is configured.

Note: Whether you are using the BlueApp for SentinelOne or the AlienApp for AT&T Managed Endpoint Security, this job will appear in your scheduled jobs as a SentinelOne job.

Important: This job will appear in your scheduled jobs as disabled until your SentinelOne app is fully configured.