Who is this for? Workspace Admins or Security Engineers who manage a workspace that uses SentinelOne Singularity. This guide walks you through creating two SentinelOne Service Users, configuring both modules in ContraForce, and verifying that threats flow end-to-end.
Before You Begin
What These Modules Do
SentinelOne integrates with ContraForce through two separate modules:
Detection Module
Threat ingestion and investigation
- Polls the SentinelOne Threats API for new threats
- Classifies them as ContraForce Incidents or Detections
- Round-trips status changes and analyst notes back to SentinelOne
Response Module
Gamebook response actions
- Powers Contain and Lift Containment Gamebooks (Network Quarantine)
- Powers On-Demand Scan Gamebooks
- Required for any Gamebook that acts on a SentinelOne-managed endpoint
Prerequisites
SentinelOne Singularity subscription
An active SentinelOne Singularity subscription with endpoint agents deployed and reporting to the management console.
SentinelOne admin access
Access to Settings → Users → Service Users in the SentinelOne console. Creating Service Users typically requires the SentinelOne Admin role at the scope you plan to integrate.
ContraForce workspace
A ContraForce workspace created for the tenant, with your account assigned the Workspace Admin role.
Scope of Access
SentinelOne scopes roles by Global → Account → Site → Group. For most integrations, set the scope of each Service User to Site and pick the specific sites you want ContraForce to monitor. Use Account only if ContraForce should cover every site in the account.
Step 1 — Create the Detection Service User in SentinelOne
- In the SentinelOne console, navigate to Settings → Users → Service Users
- Click Actions → Create New Service User
- Set Name to `ContraForce Detection`
- Set Description to `ContraForce threat ingestion and status writeback`
- Set Scope of access to Site (pick the sites ContraForce will monitor) or Account if all sites are in scope
- Assign the built-in role SOC
- Set an expiration date for the API token — SentinelOne supports up to 1 year. Pick a date that fits your rotation policy
- Click Create
If your organization doesn’t use the built-in SOC role, you can create a custom role with the following permissions instead: Threats (View, Modify), Threat Notes (View, Add, Edit, Delete), and Activity (View).
Step 2 — Create the Response Service User in SentinelOne
Repeat the process for a second Service User that ContraForce will use for Gamebook response actions.
- In Settings → Users → Service Users, click Actions → Create New Service User
- Set Name to `ContraForce Response`
- Set Description to `ContraForce Gamebook response actions`
- Set Scope of access to match the Detection Service User
- Assign the built-in role IR Team
- Set an expiration date and click Create
If your organization doesn’t use the built-in IR Team role, you can create a custom role with the Detection permissions above plus Endpoints / Agents (View, Disconnect, Reconnect, Initiate Scan).
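A least-privilege check for the custom roles described in Steps 1 and 2, added here as an example and not part of ContraForce or SentinelOne tooling: it compares a role's granted permissions against the lists above and reports what is missing and what is granted beyond them. The permission names come from this guide; the dict layout used for a role is an assumption, not a SentinelOne export format.

```python
# Added example. Permission names are copied from this guide; the layout
# {category: [actions]} is an assumed, hand-written description of a role.
REQUIRED = {
    "detection": {
        "Threats": {"View", "Modify"},
        "Threat Notes": {"View", "Add", "Edit", "Delete"},
        "Activity": {"View"},
    },
}
# Response = the Detection permissions plus the endpoint actions.
REQUIRED["response"] = {
    **REQUIRED["detection"],
    "Endpoints / Agents": {"View", "Disconnect", "Reconnect", "Initiate Scan"},
}


def audit_role(module, granted):
    """Compare a custom role with what `module` needs.

    Returns (missing, excess). Each maps a permission category to the set
    of actions that are absent, or granted beyond the guide's list.
    """
    required = REQUIRED[module]
    missing, excess = {}, {}
    for category in sorted(set(required) | set(granted)):
        need = required.get(category, set())
        have = set(granted.get(category, ()))
        if need - have:
            missing[category] = need - have
        if have - need:
            excess[category] = have - need
    return missing, excess


# Constructed sample: a custom Detection role that lacks Threats: Modify
# and carries endpoint actions that only the Response user needs.
sample_detection_role = {
    "Threats": ["View"],
    "Threat Notes": ["View", "Add", "Edit", "Delete"],
    "Activity": ["View"],
    "Endpoints / Agents": ["View", "Disconnect"],
}

if __name__ == "__main__":
    missing, excess = audit_role("detection", sample_detection_role)
    for category, actions in missing.items():
        print(f"MISSING {category}: {sorted(actions)}")
    for category, actions in excess.items():
        print(f"EXCESS  {category}: {sorted(actions)}")
```

A missing entry corresponds to a failure in the Troubleshooting table (for example, status updates not reaching SentinelOne without Threats: Modify); an excess entry is privilege the Service User's token does not need.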
Step 3 — Configure the SentinelOne Detection Module in ContraForce
- In the ContraForce portal, navigate to Workspaces → your workspace → Modules
- Locate the SentinelOne Detection card and click Configure
- Fill in the following fields:
| Field | Value |
|---|---|
| Endpoint | The full URL of your SentinelOne console, for example https://yourtenant.sentinelone.net — no trailing slash and no /web/api/... path |
| API Token | The token from the Detection Service User you created in Step 1 |
- Click Test Connection to verify the credentials reach SentinelOne and have the required permissions
- Click Configure and Save
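A pre-flight check for the Endpoint value, added here as an example and not ContraForce's own validation: it flags the format errors this guide names (blank value, trailing slash, a `/web/api/...` path) and returns the bare URL to paste instead. Requiring `https` and rejecting embedded credentials, query strings and stray whitespace are assumptions of this example; the sample URLs in the test values are constructed.

```python
from urllib.parse import urlsplit


def check_endpoint(value):
    """Return (problems, suggestion) for an Endpoint field value.

    problems is empty when the value is a bare https console URL.
    suggestion is the bare URL to use instead, or None if no host is found.
    """
    if not value or not value.strip():
        return ["Endpoint is blank"], None
    problems = []
    if value != value.strip():
        problems.append("leading or trailing whitespace")
    parts = urlsplit(value.strip())
    if parts.scheme != "https":
        # Assumption of this example: the API token is sent to this host,
        # so anything other than https is treated as an error.
        problems.append("URL must start with https://")
    if not parts.hostname:
        problems.append("no host name found")
        return problems, None
    if parts.username or parts.password:
        problems.append("credentials embedded in the URL")
    if parts.path == "/":
        problems.append("trailing slash")
    elif parts.path:
        problems.append(f"includes a path ({parts.path})")
    if parts.query or parts.fragment:
        problems.append("includes a query string or fragment")
    # Keep host and any port as typed, but drop userinfo if present.
    host = parts.netloc.rpartition("@")[2]
    return problems, f"https://{host}"


if __name__ == "__main__":
    for candidate in (
        "https://yourtenant.sentinelone.net",
        "https://yourtenant.sentinelone.net/",
        "https://yourtenant.sentinelone.net/web/api/v2.1",  # constructed
    ):
        print(candidate, "->", check_endpoint(candidate))
```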
Step 4 — Configure the SentinelOne Response Module in ContraForce
- On the same Modules page, locate the SentinelOne Response card and click Configure
- Fill in the following fields:
| Field | Value |
|---|---|
| Endpoint | Inherited from the Detection module — read-only. Edit it on the Detection card if it needs to change. |
| API Token | The token from the Response Service User you created in Step 2 |
- Click Test Connection and then Configure and Save
Step 5 — Verify End-to-End
Wait for the first poll cycle
The Detection module polls SentinelOne on a short interval. New threats appear in ContraForce within a few minutes of being generated in SentinelOne.
Check the Command Dashboard
Navigate to the Command Dashboard. SentinelOne threats should appear alongside incidents from other sources.
Open an incident
Click into a SentinelOne-sourced incident and verify that the Entities and Timeline tabs are populated with threat data.
What Each Module Unlocks
| Capability | Requires Detection | Requires Response |
|---|---|---|
| Ingest SentinelOne threats as incidents or detections | ✓ | |
| Round-trip status and analyst notes to SentinelOne | ✓ | |
| Receive real-time incident updates in the portal | ✓ | |
| Run Contain and Lift Containment Gamebooks | ✓ | |
| Run On-Demand Scan Gamebooks | ✓ | |
| Trigger Security Delivery Agents on new incidents | ✓ | |
Troubleshooting
| Issue | Likely cause | Fix |
|---|---|---|
| Test Connection fails with a URL / format error | The Endpoint is blank, has a trailing slash, or includes a path like /web/api/... | Re-enter the bare console URL, e.g. https://yourtenant.sentinelone.net |
| Test Connection fails with 401 Unauthorized | The API token is wrong, expired, or was rotated in SentinelOne | Regenerate the token for the affected Service User and paste the new value into ContraForce |
| Test Connection fails with 403 Forbidden on threats | The Detection Service User’s role is missing Threats: View (or the SOC role was customized) | Verify the SOC role is assigned, or check that your custom role has Threats (View, Modify) |
| Gamebook response actions are greyed out on SentinelOne incidents | The Response Service User’s role is missing Network Quarantine or Initiate Scan permissions | Verify the IR Team role is assigned to the Response Service User, or check that your custom role has Endpoints / Agents (View, Disconnect, Reconnect, Initiate Scan) |
| No threats appear after 15 minutes | No unresolved threats exist in the scope assigned to the Detection Service User | Verify threats exist in the SentinelOne console within the Sites or Account you selected |
| Status updates from ContraForce don’t appear in SentinelOne | The Detection Service User’s role is missing Threats: Modify | Re-assign the SOC role or grant Threats: Modify in the custom role |
| Polling stopped working after a while | The Detection API token’s expiration date has passed | Rotate the token — see the section below |
Rotating an API Token
SentinelOne API tokens expire (up to 1 year). Plan to rotate before expiration.
- In SentinelOne, navigate to Settings → Users → Service Users
- Open the affected Service User (Detection or Response)
- Click Actions → Regenerate API Token
- Copy the new token immediately — it is only shown once
- In ContraForce, reopen the affected module (Detection or Response)
- Paste the new token into API Token and click Configure and Save
- Click Test Connection to verify
Related Documentation
What are Gamebooks?
Learn how Gamebook response actions work
Incident Management
Triage and resolve incidents in ContraForce
Entity Insights
Explore investigation context for an incident’s entities
Roles and Permissions
Detailed role reference for ContraForce users
Questions about connecting SentinelOne to ContraForce? Contact us at support@contraforce.com.