SentinelOne Singularity Integration

Note: This integration requires Cisco XDR Advantage or Cisco XDR Premier licensing tier.

SentinelOne Singularity is an Extended Detection and Response (XDR) and Endpoint Detection and Response (EDR) offering. In Cisco XDR, we enable Singularity users to include their Singularity detections in Cisco XDR Incident analytics and detection. Additionally, we make it possible to leverage it for threat hunting and investigation features, as well as rapid response actions to understand and defend against threats on the endpoint. It also provides important device inventory context to help triage detected threats.

Use the SentinelOne Singularity integration to search for security detections involving specific hostnames, host GUIDs, filenames, paths, hashes, process names, and process arguments. SentinelOne Singularity can also be used through Cisco XDR to isolate hosts from the network and block file hashes on the endpoint, and used to provide host information, including vulnerability information for use in triaging incidents and detections.

Cisco XDR incorporates SentinelOne Singularity detections into Cisco XDR's overall incident detection and correlation capabilities, as shown below:

  1. In the Cisco XDR navigation menu, choose Administration > Integrations.

  2. On the Integrations page, click the Third-Party tab and navigate to the SentinelOne Singularity integration.

  3. Click the plus sign (+) in the lower-right corner of the card. The SentinelOne Singularity integration page is displayed.

  4. Expand the Integration Guide area and follow the instructions on how to add the SentinelOne Singularity integration in Cisco XDR.

Incidents are groups of correlated events generated using data ingested from your integrated products. By correlating events which could be part of a larger threat into an incident, it reduces the time typically required to investigate individual security alerts or detections. For more information about Cisco XDR Incidents feature, see Incidents.

When you enable the SentinelOne Singularity integration, Cisco XDR ingests the detections and security events that are sent by SentinelOne Singularity and uses them for incident correlation.

To view incidents with SentinelOne Singularity data:

  1. In the Cisco XDR navigation menu, choose Incidents.

  2. Look for SentinelOne Singularity in the Source column to find incidents generated with SentinelOne Singularity data.

  3. Select an incident and open the Incident Detail page.

  4. Click on the Detection page to see events from SentinelOne Singularity and other sources.

    Note: The severity of the SentinelOne Singularity detections will display as Unknown due to SentinelOne Singularity not providing that data to Cisco XDR.

If you do not have any incidents with SentinelOne Singularity data, you can verify that Cisco XDR is receiving data from SentinelOne Singularity using the Detection Ingest Status card on the Dashboards page. For more information about Cisco XDR Dashboards, see Dashboards.

To create a new dashboard that includes the Detection Ingest Status card:

  1. In the Cisco XDR navigation menu, choose Control Center > Dashboards and click Customize in the upper right corner of the Dashboards page.

  2. In the My Dashboards area, click Create new dashboard and enter a unique dashboard name in the Dashboard Name field.

  3. In the list of integrations, find the Secure Cloud Analytics integration and click the (Expand) icon.

  4. Check the Detection Ingest Status check box to add the card to the dashboard.

  5. Click Save.

    The new customized dashboard is displayed on the Dashboards page. If no data is displayed in the Detection Ingest Status card for SentinelOne Singularity, check your integration configuration.

You can perform the following tasks after you integrate SentinelOne Singularity with Cisco XDR:

  • Investigations - Start a new investigation into any combination of hostnames, host GUIDs, filenames, paths, hashes, process names, and process arguments and the results will include any records of them found in SentinelOne Singularity. To verify that this integration is working, and to see what kind of data is returned, investigate one of more observables about which you know SentinelOne Singularity has recent information. For details, see Investigate.

  • Pivot Menu - Use the Pivot menu to access actions in SentinelOne Singularity. You can also install SentinelOne workflows from the Automation Exchange to add more actions to the Pivot menu.

  • Assets - View devices as reported by SentinelOne Singularity. For more information, including on how to filter the view to only the reports from SentinelOne Singularity, see Devices.

  • Automation:

    • Atomic Actions - The atomic actions for SentinelOne Singularity can be used as building blocks in custom workflows. These can be found as available Actions in the left menu of the Workflow Editor. See Atomic Actions and Workflows.

    • Workflows - The workflows for SentinelOne Singularity can be installed from the Automation Exchange. See Workflows and Exchange.

    • Target - The SentinelOne Singularity target is automatically created for out-of-box and custom workflows. See Targets Created From Integrations.

    • Playbooks - An Automation system workflow that uses SentinelOne Singularity and is included in the Cisco Managed Incident Playbook can be used to Contain Incident: Assets (Devices), Identify Vulnerabilities, and Validate Eradicated Hosts and Unquarantine Assets. See Containment and Recovery on the Response page.