Configuring SentinelOne ActiveEDR to communicate with the QRadar product

To send threat alerts from SentinelOne ActiveEDR to the QRadar® product, you must have a SentinelOne API token. You need the API token when you configure a data source in the QRadar product.

If you already have an API token that you want to use, you can skip this procedure.

Before you begin

You must have access to a SentinelOne account with administrator privileges.

Procedure

  1. Log in to your SentinelOne Management Console as an administrator.
  2. Click the username tab, and then select My User from the list.
  3. To obtain an API token, click Options, and then select the option that appears. Depending on whether you already have a token, only one of the following two options is available. You need the API token when you configure the default workflow parameters in the QRadar product.
    1. To generate a new token, select Generate API token.
    2. To replace an existing API token, select Regenerate API token.
    The API token appears.
    Important: The API token does not appear again. Do not close this window until you complete the next step to save the API token.
  4. To save the API token, choose one of the following options:
    1. To copy the token to your clipboard, click Copy API Token.
    2. To download the API token to a file, click Download API Token.

What to do next

Add a SentinelOne ActiveEDR data source that uses the Universal Cloud REST API connector. For more information about the Universal Cloud REST API connector, see Universal Cloud REST API data source parameters for SentinelOne ActiveEDR.

For more information about adding a data source, see Adding ingestion data sources.