Version: 2.14.1

SentinelOne Zero Trust Security Host Network Disconnect Integration


Support Statement

DISCLAIMER

This documentation is provided "as is" without support for 3rd party software. The level of support for this integration guide is best effort without any SLA on response time. No 3rd party product support can be provided by Superna directly. 3rd party components require support contracts. See EULA for more details.


Overview

Customers using SentinelOne can use a native integration that calls the SentinelOne API to isolate hosts flagged as compromised by Superna Security Edition. The Superna Security Edition Zero Trust API receives webhook alerts from Security Edition and maps all relevant data fields into SentinelOne.

Solution Overview

Superna Security Edition Zero Trust API receives webhook alerts from Security Edition and maps all relevant data fields into SentinelOne.

Video Demo

Advanced Zero Trust Capabilities

  • Host network disconnect — isolates the offending endpoint via the SentinelOne API (enabled by default)
  • Host broadcast message — sends a message to the affected host (disabled by default)
  • Full disk scan initiation — triggers a full scan on the affected host (disabled by default)

What Is SentinelOne?

SentinelOne is an Endpoint Detection and Response (EDR) solution that employs artificial intelligence and machine learning to detect, prevent, and respond to cyber threats.

SentinelOne Marketplace

The solution is documented in the SentinelOne Marketplace.

Integration Architecture

SentinelOne EDR integration architecture

Solution Configuration in SentinelOne and Security Edition Zero Trust

Prerequisites

  • Installed Security Edition
  • Eyeglass OS appliance version 15.5 — verify with cat /etc/os-release
  • License key for the Zero Trust API
  • SentinelOne

Configuration in SentinelOne

  1. Create an API token for a service account user in the SentinelOne management console.
  2. Record the API token — you will need it in the integration script.

Configuration Steps on Eyeglass Virtual Machine

High-Level Steps

  1. Create the Python location to run the application on the Eyeglass VM.
  2. Create the Python main application script.
  3. Create the Linux systemd service and set it to auto-start.
  4. Create the Zero Trust configuration in Security Edition.
  5. Update the main script to customize it with the SentinelOne Python code.
  6. Test the script is running as a service.
  7. Create a test event in Security Edition to validate alerts appear as indexed parsed events in SentinelOne.

Configure the Service Start and Python Integration Files

Log in to the Eyeglass VM via SSH as the admin user:

ssh admin@<your-vm-ip>

Become root:

sudo -s

mkdir -p /opt/superna/cgi-bin

chown -R sca:users /opt/superna/cgi-bin

chmod -R u+rwX,g+rwX /opt/superna/cgi-bin

Switch to the SCA user:

sudo -u sca -s

cd /opt/superna/cgi-bin

Create a Python virtual environment for the integration:

python3 -m venv venv-sentinelone

source venv-sentinelone/bin/activate

Install required Python packages:

pip install flask boto3 requests

(logging is part of the Python standard library and must not be installed with pip; the PyPI package of that name is an obsolete Python 2 module.)

deactivate

Create integration script files:

touch sentinelone.py

touch sentinelone.sh

chmod +x sentinelone.py

chmod +x sentinelone.sh

Create the sentinelone.sh launch script:

nano /opt/superna/cgi-bin/sentinelone.sh

Paste the following content into the file:

#!/bin/bash
export PATH="/opt/.pyenv/bin:$PATH"
source /opt/superna/cgi-bin/venv-sentinelone/bin/activate
exec python /opt/superna/cgi-bin/sentinelone.py

Make the script executable:

chmod +x /opt/superna/cgi-bin/sentinelone.sh

Exit back to root:

exit

whoami # confirm you are root

Create the systemd service unit file:

nano /etc/systemd/system/sentinelone.service

Paste the following content into the file:

[Unit]
Description=Webhook listener for Zero Trust API translations and integrations
After=network.target

[Service]
Type=simple
User=sca
Group=users
WorkingDirectory=/opt/superna/cgi-bin
ExecStart=/bin/bash /opt/superna/cgi-bin/sentinelone.sh
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

Reload systemd to register the new service:

systemctl daemon-reload

Enable the service to start on boot (do not start it yet):

systemctl enable sentinelone

Configure Python Packages and Customize the Integration Code

  1. Download the Python template code from the download link (right-click, save as).

  2. Open the Python template file in a text editor. Only replace the placeholder values — do not delete any commas.

  3. Locate the # Define the endpoint and API token as variables section and add your SentinelOne API token and endpoint:

    # SentinelOne instance URL and API token
    instance_url = "https://yyyyyy.sentinelone.net"
    api_token = "xxxxxx"
  4. Open the production file on the Eyeglass VM:

    nano /opt/superna/cgi-bin/sentinelone.py
  5. Open the template file locally in Notepad, select all (Ctrl+A), and copy.

  6. Paste the clipboard into the SSH terminal session with the open nano editor.

  7. Save the file:

    • Press Ctrl+X
    • Answer Yes to save and exit
  8. Start the service and verify it is running:

    systemctl start sentinelone

    systemctl status -l sentinelone

    Verify the status shows "active (running)". If the service does not start, do not proceed; double-check the steps above.

Configure Security Edition Zero Trust Webhooks

  1. Configure the Zero Trust endpoint in the Ransomware Security Edition Zero Trust tab.

    Recommended Configuration

    Send only Critical and Major events, and only webhooks that set lockout or delayed lockout. The goal is to send findings rather than a list of alarms that do not pinpoint a security incident. Customers can customize based on specific requirements.

  2. The endpoint URL uses localhost and sends webhooks to the application service listening on port 5000:

    http://localhost:5000/webhook
  3. Add the Content-Type header with value application/json to complete the webhook configuration.

  4. Click Save to commit the configuration.

  5. Click Save on the main Webhook configuration page.

Configure Optional Actions Within the Integration

The integration code defaults to host isolation enabled, host broadcast disabled, and full scan disabled. Edit the integration code to enable optional actions:

# Flags to enable/disable features
enable_isolation = True # Set to False to disable isolation
enable_broadcast = True # Set to False to disable broadcast messages
enable_full_scan = True # Set to False to disable full disk scan

Open the file to edit:

nano /opt/superna/cgi-bin/sentinelone.py

Set each option to True to enable it. Save with Ctrl+X, then restart the service so the new flags take effect:

systemctl restart sentinelone
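The listener described in the sections above, as an added example; this is not the Superna template script and not the SentinelOne vendor code. It binds localhost:5000 and accepts POST /webhook as the Zero Trust webhook configuration expects, applies the recommended filter (Critical/Major events that set a lockout or delayed lockout), resolves the host IP to a SentinelOne agent, and runs the actions selected by the enable_* flags. Assumptions: the alert fields severity, action and host_ip are constructed names for this example; the SentinelOne Management API paths (/web/api/v2.1/agents and /agents/actions/...) and the networkInterfaces__inet__contains filter should be confirmed against your console's API reference; the standard library (http.server, urllib) stands in for flask and requests so the block runs without extra packages.

```python
# Added example, not the Superna template; see the lead-in for assumptions.
import json
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# SentinelOne instance URL and API token (placeholders, as in the page's template)
instance_url = "https://yyyyyy.sentinelone.net"
api_token = "xxxxxx"

# Flags to enable/disable features (page defaults: isolation on, the others off)
enable_isolation = True
enable_broadcast = False
enable_full_scan = False

# Recommended filter: Critical/Major events that set a lockout or delayed lockout
TRIGGER_SEVERITIES = {"CRITICAL", "MAJOR"}
LOCKOUT_ACTIONS = {"lockout", "delayed lockout"}

# Assumed SentinelOne Management API v2.1 base path; confirm in your console's API docs
API = "/web/api/v2.1"


class SentinelOneClient:
    """Minimal client. `send(method, path, body)` is injectable so tests need no network."""

    def __init__(self, base_url, token, send=None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.send = send or self._http_send

    def _http_send(self, method, path, body):
        data = None if body is None else json.dumps(body).encode()
        headers = {"Authorization": "ApiToken " + self.token, "Content-Type": "application/json"}
        req = urllib.request.Request(self.base_url + path, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)

    def agent_ids_for_ip(self, ip):
        """Resolve the offending IP to SentinelOne agent ids (assumed filter parameter)."""
        query = urllib.parse.urlencode({"networkInterfaces__inet__contains": ip})
        result = self.send("GET", f"{API}/agents?{query}", None)
        return [agent["id"] for agent in result.get("data", [])]

    def action(self, name, ids, data=None):
        """POST an agent action (disconnect, broadcast, initiate-scan) for the given ids."""
        body = {"filter": {"ids": ids}}
        if data:
            body["data"] = data
        return self.send("POST", f"{API}/agents/actions/{name}", body)


def should_contain(alert):
    """Apply the recommended filter. Field names severity/action/host_ip are assumed."""
    severity = str(alert.get("severity", "")).upper()
    action = str(alert.get("action", "")).lower()
    return severity in TRIGGER_SEVERITIES and action in LOCKOUT_ACTIONS and bool(alert.get("host_ip"))


def handle_alert(alert, client, isolation=None, broadcast=None, full_scan=None):
    """Map one webhook alert to SentinelOne actions; returns the names of actions taken."""
    isolation = enable_isolation if isolation is None else isolation
    broadcast = enable_broadcast if broadcast is None else broadcast
    full_scan = enable_full_scan if full_scan is None else full_scan
    if not should_contain(alert):
        return []
    ids = client.agent_ids_for_ip(alert["host_ip"])
    if not ids:
        return []  # host is not a SentinelOne-managed endpoint; nothing to act on
    message = f"Superna Security Edition {alert['severity']} alert: this host has been isolated."
    plan = [("disconnect", None, isolation),
            ("broadcast", {"message": message}, broadcast),
            ("initiate-scan", None, full_scan)]
    taken = []
    for name, data, enabled in plan:
        if enabled:
            client.action(name, ids, data)
            taken.append(name)
    return taken


class WebhookHandler(BaseHTTPRequestHandler):
    client = SentinelOneClient(instance_url, api_token)

    def do_POST(self):
        if self.path != "/webhook":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        try:
            alert = json.loads(self.rfile.read(length) or b"{}")
        except ValueError:
            alert = None
        if not isinstance(alert, dict):
            self.send_error(400, "body must be a JSON object")
            return
        taken = handle_alert(alert, self.client)
        self.log_message("host %s: %s", alert.get("host_ip"), ", ".join(taken) or "no action")
        self.send_response(200)
        self.end_headers()
        self.wfile.write(json.dumps({"actions": taken}).encode())


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 5000), WebhookHandler).serve_forever()
```

Because the service binds 127.0.0.1 only, the webhook URL stays http://localhost:5000/webhook as configured in Security Edition; a host that is not known to SentinelOne produces no action, and the returned action list is what the integration response log should record for each received event.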

How to Test the Integration with SentinelOne

  1. Edit the integration script and locate the following section:

    # test an IP using hard coded
    # host_ip = 'x.x.x.x'
    # severity = 'CRITICAL'
  2. Remove the # for the host_ip and severity lines and enter an IP address for a SentinelOne endpoint to test the isolation API.

  3. Create a test lockout to generate a webhook:

    • Create a banned file extension type in the Security Edition File Filter list.
    • Using a Windows client PC, mount an SMB share protected by Security Edition and create at least 100 files with the banned extension.
    • Verify the PC is locked out and an event is generated in the console.
  4. Check the SentinelOne console to verify if the network isolation (network disconnect) was processed.

  5. Add the # comment characters back when done testing and save the file.

SentinelOne SecOps Administrators Integration Experience

Once configured, the Superna Security Edition integration with SentinelOne enables real-time alert ingestion and host network disconnect. This ensures a compromised host is disconnected from the network as soon as a serious incident is detected at the storage layer.

  • Integration response log — shows each action taken for each received webhook event
  • Network status — the affected host changes to Disconnected in the SentinelOne console
  • Reconnection — the SOC can restore host connectivity through the Actions menu after remediation
  • Host broadcast message — if enabled, a message displays on the affected host's screen (text can be customized)
  • Full scan — if enabled, the console indicates a full scan has been started on the affected host

Configure Data Security Essentials (DSE)

Overview

Data Security Essentials saves alerts to the Windows Event log under a custom application log. This integration extracts those log entries and the JSON payload contained within them, formats the data as webhook events, and sends them to SentinelOne to issue host containment.

Requirements

  1. Follow the SentinelOne integration steps above to configure the integration.

  2. Install Python for Windows on the Data Security Essentials host and allow the installation to add Python to the PATH variable.

    Note: Ensure Python is installed for all users so service accounts have access; enable the "for all users" option during installation.

  3. The integration code matches event log entries from the following event log source names:

    • Superna Data Security Essentials BOT Service
    • Superna Data Security Policy Engine

Features

  • Logs for each execution are stored alongside the Python code
  • Each execution stores the event log record ID, date time, and event number of the last processed event in last_processed_record.txt — this file is read on each execution to continue processing from the last record
  • The scheduled sync runs every minute and only processes events since the last record
  • Only events matching the severity filter are processed — the sample code defaults to Major and Critical events; all other severities are ignored
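The incremental sync described in the Features list above, as an added example; this is not Superna's sentinelone-dse.py. It reads records newer than the checkpoint in last_processed_record.txt, extracts the JSON payload embedded in each event message, keeps only the configured source names and severities, and advances the checkpoint past every record it examined so ignored events are not re-read. Assumptions: the EventRecord fields and the sample messages in the test are constructed for this example; the payload field severity is an assumed name; read_windows_events uses the pywin32 calls win32evtlog.OpenEventLog/ReadEventLog and win32evtlogutil.SafeFormatMessage and only runs on the Data Security Essentials host.

```python
# Added example, not Superna's sentinelone-dse.py; see the lead-in for assumptions.
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Configuration, named as in the page's settings block
log_name = "Data Security Essentials"
source_names = ["Superna Data Security Essentials BOT Service",
                "Superna Data Security Policy Engine"]
trigger_severities = ["MAJOR", "CRITICAL"]
CHECKPOINT_FILE = "last_processed_record.txt"


@dataclass
class EventRecord:
    """One event log entry; field shape is constructed for this example."""
    record_id: int       # RecordNumber, increases monotonically within the log
    time_generated: str
    event_id: int
    source_name: str
    message: str         # free text that embeds the DSE JSON payload


def load_checkpoint(path: str = CHECKPOINT_FILE) -> int:
    """Return the last processed record id; 0 (start from the oldest entry) if absent."""
    try:
        with open(path, encoding="utf-8") as fh:
            return int(fh.read().split(",")[0])
    except (OSError, ValueError):
        return 0


def save_checkpoint(rec: EventRecord, path: str = CHECKPOINT_FILE) -> None:
    """Store record id, timestamp and event number of the last processed record."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(f"{rec.record_id},{rec.time_generated},{rec.event_id}")


def extract_payload(message: str) -> Optional[dict]:
    """Pull the first JSON object out of the message text; None if there is none."""
    match = re.search(r"\{.*\}", message, re.DOTALL)
    if not match:
        return None
    try:
        payload = json.loads(match.group(0))
    except ValueError:
        return None
    return payload if isinstance(payload, dict) else None


def process(records: Iterable[EventRecord], last_id: int, sources=source_names,
            severities=trigger_severities) -> Tuple[List[dict], Optional[EventRecord]]:
    """Return (payloads to forward, newest record examined) for records newer than last_id.
    Ignored records still advance the checkpoint so they are never re-read."""
    wanted = {s.upper() for s in severities}
    payloads: List[dict] = []
    newest = None
    for rec in sorted(records, key=lambda r: r.record_id):
        if rec.record_id <= last_id:
            continue
        newest = rec
        if rec.source_name not in sources:
            continue
        payload = extract_payload(rec.message)
        if payload and str(payload.get("severity", "")).upper() in wanted:
            payload.setdefault("event_id", rec.event_id)
            payload.setdefault("time_generated", rec.time_generated)
            payloads.append(payload)
    return payloads, newest


def read_windows_events(server: str, name: str) -> List[EventRecord]:
    """Read the custom application log with pywin32 (Windows only; not run in the test)."""
    import win32evtlog
    import win32evtlogutil
    handle = win32evtlog.OpenEventLog(server, name)
    flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
    out: List[EventRecord] = []
    try:
        while True:
            batch = win32evtlog.ReadEventLog(handle, flags, 0)
            if not batch:
                break
            for ev in batch:
                out.append(EventRecord(ev.RecordNumber, str(ev.TimeGenerated), ev.EventID & 0xFFFF,
                                       ev.SourceName, win32evtlogutil.SafeFormatMessage(ev, name)))
    finally:
        win32evtlog.CloseEventLog(handle)
    return out


if __name__ == "__main__":
    events = read_windows_events("localhost", log_name)
    to_forward, newest = process(events, load_checkpoint())
    for payload in to_forward:
        print(json.dumps(payload))  # the real script forwards these to the containment step
    if newest:
        save_checkpoint(newest)
```

Deleting last_processed_record.txt makes load_checkpoint return 0, which is exactly the page's documented way to re-read from the oldest entry; because the checkpoint records the newest record examined rather than the newest forwarded, a run that sees only Warning events still moves forward.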

Steps to Configure Event Sync to SentinelOne Host Containment Integration

  1. Download the integration code (right-click, save as).

  2. Modify the Python file and update the SentinelOne integration settings to match your environment:

    # SentinelOne API credentials
    client_id = 'xxxxxx'
    client_secret = 'yyyyyyy'
    base_url = "https://api.us-2.SentinelOne.com"

    # Configuration
    server = 'localhost'
    log_name = 'Data Security Essentials'
    source_names = ['Superna Data Security Essentials BOT Service', 'Superna Data Security Policy Engine']
    trigger_severities = ['MAJOR', 'CRITICAL', 'WARNING']
    enable_isolation = True # Set to False to disable isolation actions
  3. Copy the Python code to C:\Program Files\Superna\cgi-bin on the Data Security Essentials host and name the file sentinelone-dse.py.

  4. Install Python dependencies:

    Note: Open a command prompt as the service account (hold down Shift and right-click the command prompt icon → Run as). This is required to install the Python packages under the correct user account.

    pip install pywin32 requests
  5. Test the script from a command prompt:

    cd "C:\Program Files\Superna\cgi-bin"
    python sentinelone-dse.py

    The output should display event log entries that match and show the data sent to the SentinelOne endpoint. You can review last_processed_record.txt to see the last processed date, time, and event ID. Delete this file to have the script start reading from the oldest Windows event log entry.

  6. Grant the Data Security Essentials AD service account the Log on as a batch job right via Local Security Policy (secpol.msc).

  7. Download the Task Scheduler XML file (right-click, save as). You can rename it to SentinelOne integration.xml.

  8. Open Task Scheduler (taskschd.msc), right-click Task Scheduler Library, and select Import Task.

  9. In the task definition:

    • Edit the name to SentinelOne Containment integration
    • Click the Actions tab and browse to select C:\Program Files\Superna\cgi-bin\sentinelone-dse.py
    • Update the service account name, domain, and password
    • Click OK to save