API & Integrations - SentinelOne Integration - Cloud Gateway

This article describes how to integrate Mimecast with SentinelOne to enhance Human Risk scoring with users' interactions with malware on their devices, so that security awareness practitioners can send users training and other information based on their malware-associated behavior.

Overview

The integration periodically reads endpoint protection events from the threats endpoint of the SentinelOne API. These are then forwarded to the Human Risk Control Center, which associates each event with a specific user and updates the malware behavior score for that user. 

  • Only alerts marked true positive in the SentinelOne Security console will be scored.
  • Malware data from SentinelOne will be pulled from the point of integration onwards. Historical data will not be included.

Prerequisites

  • SentinelOne subscription.
  • Mimecast Engage subscription.
  • Mimecast Administrator account.

Authentication

To authenticate with SentinelOne, the following two pieces of information are required:

  1. The SentinelOne platform URL. This is the management URL of SentinelOne and is in the following format:

    https://<your company name>.sentinelone.net

  2. An API token. We recommend that the token be issued to a service user, so that it is not tied to a specific user and email address. The token grants API access to everything the service user's role permits, so store it as a secret and do not reuse it for other integrations.
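The polling loop described in the Overview, together with the management URL check from the Authentication section, as an added Python example (not Mimecast's or SentinelOne's own code). It assumes the SentinelOne v2.1 threats endpoint at /web/api/v2.1/threats, an Authorization header of the form ApiToken <token>, a createdAt__gt filter parameter, and the threatInfo.analystVerdict and agentDetectionInfo.agentLastLoggedInUserName fields; the sample response is constructed. Run against a real token and URL it is also a quick way to confirm the credentials before entering them in the Integrations Hub.

```python
"""Poll the SentinelOne threats endpoint and keep only confirmed true positives.

Added example; not Mimecast's or SentinelOne's code. It mirrors what the
Overview describes: read threats, drop anything not marked true positive in
the console, and carry a cursor so only events after the point of integration
are read. Endpoint path, header form, query parameters and JSON field names
are assumptions from the SentinelOne v2.1 API; check them against your own
console's API reference.
"""
import json
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlencode
from urllib.request import Request, urlopen

BASE_URL_RE = re.compile(r"^https://[a-z0-9-]+\.sentinelone\.net$", re.IGNORECASE)
THREATS_PATH = "/web/api/v2.1/threats"   # assumed endpoint path


def validate_base_url(url: str) -> str:
    """Accept only https://<your company name>.sentinelone.net, no path or trailing slash."""
    url = url.strip()
    if not BASE_URL_RE.match(url):
        raise ValueError(f"not a SentinelOne management URL: {url!r}")
    return url


def build_threats_request(base_url: str, api_token: str, created_after: Optional[str]) -> Request:
    """GET request for threats created after the cursor (createdAt__gt is assumed)."""
    params = {"limit": "100", "sortBy": "createdAt", "sortOrder": "asc"}
    if created_after:
        params["createdAt__gt"] = created_after   # nothing before the cursor is read
    url = validate_base_url(base_url) + THREATS_PATH + "?" + urlencode(params)
    # Service-user tokens are presented as "ApiToken <token>" (assumed header form).
    return Request(url, headers={"Authorization": "ApiToken " + api_token,
                                 "Accept": "application/json"})


def true_positive_events(payload: dict) -> list:
    """Keep threats whose analyst verdict is true_positive; everything else is unscored."""
    events = []
    for threat in payload.get("data", []):
        info = threat.get("threatInfo", {})
        if info.get("analystVerdict") != "true_positive":
            continue
        events.append({
            "threat_id": info.get("threatId"),
            "created_at": info.get("createdAt"),
            "threat_name": info.get("threatName"),
            # assumed location of the endpoint's last logged-in user
            "user": threat.get("agentDetectionInfo", {}).get("agentLastLoggedInUserName"),
        })
    return events


def advance_cursor(events: list, previous: Optional[str]) -> Optional[str]:
    """Newest createdAt seen, or the old cursor if nothing new came back."""
    stamps = [e["created_at"] for e in events if e["created_at"]]
    if not stamps:
        return previous
    # Same-format ISO-8601 UTC strings compare correctly as text.
    return max(stamps + ([previous] if previous else []))


def poll_once(base_url: str, api_token: str, cursor: Optional[str], fetch=None):
    """One polling pass: returns (scored events, per-user counts, new cursor).

    fetch takes a Request and returns decoded JSON; it defaults to a real HTTP
    call but is injectable so the filtering logic can be exercised offline.
    """
    if fetch is None:
        def fetch(req):
            with urlopen(req, timeout=30) as resp:
                return json.load(resp)
    payload = fetch(build_threats_request(base_url, api_token, cursor))
    events = true_positive_events(payload)
    counts = Counter(e["user"] for e in events if e["user"])
    return events, counts, advance_cursor(events, cursor)


# Constructed sample response (not real data) with one verdict of each kind.
SAMPLE_PAYLOAD = {"data": [
    {"threatInfo": {"threatId": "1", "createdAt": "2024-05-01T10:00:00.000000Z",
                    "threatName": "eicar.com", "analystVerdict": "true_positive"},
     "agentDetectionInfo": {"agentLastLoggedInUserName": "alice"}},
    {"threatInfo": {"threatId": "2", "createdAt": "2024-05-01T10:05:00.000000Z",
                    "threatName": "tool.exe", "analystVerdict": "false_positive"},
     "agentDetectionInfo": {"agentLastLoggedInUserName": "bob"}},
    {"threatInfo": {"threatId": "3", "createdAt": "2024-05-01T10:07:00.000000Z",
                    "threatName": "dropper.js", "analystVerdict": "undefined"},
     "agentDetectionInfo": {"agentLastLoggedInUserName": "alice"}},
    {"threatInfo": {"threatId": "4", "createdAt": "2024-05-01T10:09:00.000000Z",
                    "threatName": "macro.docm", "analystVerdict": "true_positive"},
     "agentDetectionInfo": {"agentLastLoggedInUserName": "alice"}},
]}


if __name__ == "__main__":
    events, counts, cursor = poll_once(
        "https://example.sentinelone.net", "REDACTED_TOKEN",
        cursor="2024-05-01T00:00:00.000000Z", fetch=lambda req: SAMPLE_PAYLOAD)
    print(len(events), "scored events;", dict(counts), "; next cursor", cursor)
```

Of the four constructed threats only the two marked true_positive are scored, both against alice; the false_positive and undefined verdicts are skipped, and the cursor advances to the newest scored timestamp so the next pass reads only later events.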

Service User Considerations

The following provides details on service user permissions:

  • Service users can use the API, but cannot log in to the Management Console.
  • Service users use the same RBAC and scopes as Console users. They can perform most of the actions permitted by their RBAC permissions and access level, but only through the API.

The following details the requirements for creating a service user:

  • A service user requires a name. A description is optional, and an email address is not required.
  • The name cannot be changed after you create the user; only the description can be changed.
  • The name of a service user is not required to be unique in the scope or in the environment. However, we recommend that you choose a unique name for tracking and auditing purposes.
  • Two-factor authentication and Single Sign-On requirements do not apply.
  • The expiration date of the API token can be set when you create a service user. The expiration time can be as long or as short as required.

After creating the service user, the expiration date cannot be changed.

For details on creating a service user, see the SentinelOne documentation: Create a service user.

Permissions

View permissions are required for:

  • Endpoint Threats
  • Accounts
  • Groups
  • Roles
  • Sites

Configuration

To integrate Mimecast with SentinelOne:

  1. Obtain the API token and management URL from SentinelOne (see Authentication above). These are entered as the Client Secret and Base URL in the Activate step below.
  2. Log in to the Mimecast Administration Console.
  3. Navigate to Integrations | Integrations Hub.
inthub.png
  4. Navigate to the SentinelOne menu item.
  5. Click on the Configure New button.

You may also select the View option, then choose Create New Integration to create an integration.

view-createnew.png

  6. Complete the Details section with the following:
    • Application Name
    • Description

details.png

  7. Complete the Activate section by entering the API credentials obtained from SentinelOne:
    • Client Secret: The API token of the SentinelOne service user.
    • Base URL: The SentinelOne management URL, in the format https://<your company name>.sentinelone.net.

activate.png

  8. Click on Save. This validates the API credentials by connecting to SentinelOne.
  9. Your new integration is added, and the following toast message confirms this.

success.png

  10. Ensure that the Status reflects as Connected.

The new integration status is initially reflected as Unavailable. Refresh the page to see the Connected status.

status.png

You can also click on the ellipsis to View/Edit or Delete an integration.

  11. Navigate to Human Risk | Dashboard. The integration is now successful, and data from SentinelOne is received here.

hrd.png

  12. Click View Details in the Malware section of the Human Risk Behaviours section, which is where data from SentinelOne is found.

malware.png

  13. You can also click on a specific user under Highest Risks to see the Individual Risk Profile of that user.

irp.png

  14. Click on Malware to see the Events related to Malware in more detail.

events.png
