Configure third-party response actions

Configure Elastic Security to perform response actions on hosts protected by third-party systems.

Endpoint response actions involving third-party systems require additional configuration. This page explains the high-level steps you'll need to take to enable these response actions.

Configure SentinelOne response actions

You can direct SentinelOne to perform response actions on protected hosts, such as isolating a suspicious endpoint from your network, without needing to leave the Elastic Security UI.

Technical preview

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.


  • Project features add-on: Endpoint Protection Complete
  • User roles: SOC manager or Endpoint operations analyst
  • Endpoints must have actively running SentinelOne agents installed.

Configuration requires the following general steps. Expand the steps and follow the links for detailed instructions:

  1. Generate API access tokens in SentinelOne. You'll need these tokens in later steps, and they allow Elastic Security to collect data and perform actions in SentinelOne.

    Create two API tokens in SentinelOne, and give them the least privilege required by the Elastic components that will use them:

    • SentinelOne integration: Permission to read SentinelOne data.
    • SentinelOne connector: Permission to read SentinelOne data and perform actions on SentinelOne-protected hosts (for example, isolating and releasing an endpoint).

    Refer to the SentinelOne integration docs or SentinelOne's docs for details on generating API tokens.

  2. Install the SentinelOne integration and Elastic Agent. Elastic's SentinelOne integration docs collects and ingests logs into Elastic Security.

    1. In Kibana, go to Integrations, search for and select SentinelOne, then select Add SentinelOne.
    2. Configure the integration with an Integration name and optional Description.
    3. Ensure that Collect SentinelOne logs via API is selected, and enter the required Settings:
      • URL: The SentinelOne console URL.
      • API Token: The SentinelOne API access token you generated previously, with permission to read SentinelOne data.
    4. Scroll down and enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to Elastic Agent policies.
    5. Click Save and continue.
    6. Select Add Elastic Agent to your hosts and continue with the Elastic Agent installation steps to install Elastic Agent on a resource in your network (such as a server or VM). Elastic Agent will act as a bridge collecting data from SentinelOne and sending it back to Elastic Security.
  3. Create a SentinelOne connector. Elastic's SentinelOne connector enables Elastic Security to perform actions on SentinelOne-protected hosts.


    Do not create more than one SentinelOne connector.

    1. In Kibana, go to Stack ManagementConnectors, then select Create connector.
    2. Select the SentinelOne connector.
    3. Enter the configuration information:
      • Connector name: A name to identify the connector.
      • SentinelOne tenant URL: The SentinelOne tenant URL.
      • API token: The SentinelOne API access token you generated previously, with permission to read SentinelOne data and perform actions on SentinelOne-protected hosts.
    4. Click Save.
  4. Create and enable a rule to generate Elastic Security alerts. Create a custom query detection rule to generate Elastic Security alerts whenever SentinelOne generates alerts.

    Use these settings when creating the custom query rule to target the data collected from SentinelOne:

    • Index patterns: logs-sentinel_one.alert*
    • Custom query: observer.serial_number:*


    Do not include any other index patterns or query parameters.

    This gives you visibility into SentinelOne without needing to leave Elastic Security. You can perform supported endpoint response actions directly from alerts that the rule creates, by using the Take action menu on the alert details flyout.

On this page