How to Connect SentinelOne to SaaS Alerts
Before getting started
What SaaS Alerts requires:
Connecting SentinelOne to SaaS Alerts over the API requires a Service Account with viewer permissions, created within the SentinelOne dashboard. We suggest extending the user expiration date to a custom value of 3 years to avoid having to create a new Service Account and API Token.
The connection also requires your SentinelOne URL (the address you log in to when creating the Service Account).
Connecting SentinelOne to SaaS Alerts
- Create a new Organization or use an existing one and click the New Application button
- Select SentinelOne
- Enter your full SentinelOne instance URL, then the entire API Key that you generated for the Service Account, and click Finish
- After clicking Finish, the connection may take 30 seconds or more to complete
PSA Support
As of May 2024, PSA ticket generation is supported by the App Wizard connections for all products.
Monitored Events
NOTE: The following events are monitored in the initial release:
- IAM Event - Authentication Success
- IAM Event - Authentication Failure
- IAM Event - MFA Authentication Failure
- IAM Event - User Logged Out
- IAM Event - New User Added
- IAM Event - Password Reset
- IAM Event - User Deleted
- IAM Event - Password Reset Initiated
- IAM Event - Account Locked
- IAM Event - Multi-Factor Authentication Enabled
- IAM Event - User Updated