
SentinelOne Deployment

Overview

Integrating HYAS Protect with SentinelOne makes it easy to deploy HYAS Protect rapidly throughout an organization. The integration enables all HYAS Protect functionality, such as deep visibility into your DNS queries and blocking access to malicious domains. There are two parts to the integration:

  1. Reading all DNS query logs to gain visibility into DNS traffic (required for integration)

  2. Blocking access to malicious domains (optional)

When HYAS Protect identifies an FQDN for blocking, it adds it to SentinelOne's Network Control Sentinel as a firewall rule. Although the rule lists the FQDN, SentinelOne blocks based on the IP address the FQDN resolves to. Consequently, other FQDNs and domains may also get blocked if they share the same IP as the one listed in the firewall rule.
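Because a block is enforced on the resolved IP address, it helps to review which other FQDNs in your DNS logs answer with the same address as the one being blocked. The following is an added example, not part of HYAS or SentinelOne tooling; the JSON-lines log layout and the `fqdn`/`answers` field names are assumptions, and the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample DNS log records (JSON lines). The field names "fqdn" and
# "answers" are assumptions for this example, not a SentinelOne schema.
SAMPLE_LOG = """\
{"fqdn": "bad.example.net", "answers": ["203.0.113.10"]}
{"fqdn": "shop.example.org", "answers": ["203.0.113.10", "203.0.113.11"]}
{"fqdn": "blog.example.com", "answers": ["203.0.113.10"]}
{"fqdn": "intranet.example.com", "answers": ["198.51.100.7"]}
{"fqdn": "BAD.example.net.", "answers": ["203.0.113.12"]}
"""

def normalize(fqdn):
    """Lower-case and drop the trailing root dot so names compare equal."""
    return fqdn.strip().rstrip(".").lower()

def build_index(log_text):
    """Return (fqdn -> set of IPs, ip -> set of FQDNs) from JSON-lines logs."""
    by_name, by_ip = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            name = normalize(rec["fqdn"])
            answers = rec["answers"]
        except (ValueError, KeyError, AttributeError, TypeError):
            continue  # skip malformed records rather than abort the review
        for ip in answers:
            by_name[name].add(ip)
            by_ip[ip].add(name)
    return by_name, by_ip

def collateral(blocked_fqdn, log_text):
    """Map each other FQDN to the IPs it shares with blocked_fqdn."""
    by_name, by_ip = build_index(log_text)
    target = normalize(blocked_fqdn)
    shared = defaultdict(set)
    for ip in by_name.get(target, ()):
        for other in by_ip[ip] - {target}:
            shared[other].add(ip)
    return {name: sorted(ips) for name, ips in sorted(shared.items())}

if __name__ == "__main__":
    for name, ips in collateral("bad.example.net", SAMPLE_LOG).items():
        print(f"{name} would also be blocked via {', '.join(ips)}")
```

An FQDN that appears in the result shares at least one resolved address with the blocked name, so it is a candidate for unintended blocking.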

The diagram below shows the interaction between different parts:

Prerequisites

Licensing Requirements

  • SentinelOne SKUs required:

    • SentinelOne Complete 

      • Cloud Funnel

  • HYAS SKUs

    • HYAS Protect Essentials

Role/Access Requirements

  • SentinelOne Role/Access Requirements

    • Optional, if blocking, API Token created from a service user with:

      • Account level scope access: Account

Please make sure your account level scope access is set as ‘Account’ and not ‘Site’. If set incorrectly, you’ll receive an API key issue error.

  • Minimum Built-in RBAC Role: Standard built-in RBAC role not recommended

    • Custom Role Requirements: Firewall -> Manage Rules and Tags = Allowed

  • HYAS Role

    • Admin (for initial configuration)

Configuration and Setup

S3 Bucket Creation

  1. Create an S3 Bucket on AWS for storing logs using SentinelOne’s recommended settings

    1. Instructions Here

Please be sure to give HYAS both ‘list’ & ‘get’ access for the integration to work.

Enabling Cloud Funnel Streaming

  1. On SentinelOne enable Cloud Funnel streaming

    1. Instructions Here

Configure Integration in HYAS Protect

  1. In HYAS Protect go to Configuration -> SentinelOne

  2. Set the integration to “Enabled” 

  3. Configure the details of the AWS S3 bucket as configured in step 1

  4. Click “Verify Access” to ensure everything is working correctly.

Enable Blocking - Optional

Only required if blocking of malicious domains is desired

  1. Obtain your SentinelOne Account ID

    1. In SentinelOne, navigate to Sentinels > Account Info. Your account ID will be on the left side of the page under your account name.

  2. Obtain SentinelOne API Token

    1. In SentinelOne, create a new role with only the following permissions:

      1. Firewall -> Manage Rules and Tags = Allowed

      2. Instructions on creating a new role Here

    2. Create a Service User and assign the aforementioned role.

      1. Choose the Access Level Global or Account

      2. Make note of the API token generated as it is needed to complete the configuration and cannot be retrieved later (only reset)

      3. Instructions on creating a Service user Here

  3. Enter the SentinelOne Account ID, API Key and Tenant URL as configured in previous steps.

  4. Click “Verify SentinelOne Access”

  5. Click “Save”

  6. Blocking is now configured.
