Create SentinelOne integration

Connect SentinelOne to Stairwell to automatically analyze malware alerts and files

This integration allows the Stairwell platform to connect to your SentinelOne environment. Once configured, Stairwell can receive malware alerts and file objects from your S1 tenant, enabling automated analysis and variant discovery.

This guide details the setup process and explains the critical configuration options for managing how assets are represented in Stairwell.

Prerequisites

Before you begin, ensure you have the following:

  • A SentinelOne (S1) organization tenant URL (e.g., stairwell.sentinelone.com)
  • An active S1 API key with the necessary permissions
  • Binary Vault Malware feature enabled in your SentinelOne environment

Setup Instructions

  1. Log into your Stairwell environment.
  2. Navigate to Settings (the gear icon).
  3. Select the Managed environments tab.
  4. Scroll to the desired environment, select the (...) icon under Actions, and choose Manage integrations.
  5. Select the "Add new SentinelOne integration" option.
  6. Paste in the following information from your S1 tenant:
    • Base URI: Your S1 organization tenant URL.
    • API Key: Your S1 API key.

Configuration: Asset Creation

This section contains a single checkbox that controls how SentinelOne endpoints are represented as assets in Stairwell. Your choice determines one of two modes:

Option 1: Check the box (Single Asset Mode)

  • What it does: Combines all files and alerts from all SentinelOne endpoints into one single asset in Stairwell (e.g., "SentinelOne Integration").
  • When to use it: Choose this for simple data aggregation if you do not need to track threats on a per-machine basis.

Option 2: Leave the box unchecked (Multi-Asset Mode) - Recommended

  • What it does: Creates a new, distinct asset for each unique computer (agent). Files are automatically mapped to the specific computer they came from.
  • When to use it: This is the recommended mode for granular, per-machine analysis and threat tracking.

How Multi-Asset Mode Works: To ensure accuracy, this mode uses the stable computer name from SentinelOne as the unique identifier. This method ensures that you have exactly one Stairwell asset for each of your computers, preventing duplicate assets from being created.

Additional Settings

  • Send variant analysis results for alerts
    • When checked, Stairwell will automatically send analysis results back to your SentinelOne console for corresponding alerts.

Final Steps

  1. After selecting your desired asset mode and settings, click Save.
  2. Your integration is now active. New alerts and files from SentinelOne will be processed according to your configuration. This change only affects new, incoming events and will not impact existing files or assets in Stairwell.

What if I need technical help?

If you have questions or require more information about this integration, you can always reach out to Stairwell support at [email protected].