# SentinelOne Detection and Response Modules

> Connect the SentinelOne Detection and Response modules to a ContraForce workspace to ingest threats and enable endpoint response actions.

<Info>
  **Who is this for?** Workspace Admins or Security Engineers who manage a workspace that uses SentinelOne Singularity. This guide walks you through creating two SentinelOne Service Users, configuring both modules in ContraForce, and verifying that threats flow end-to-end.
</Info>

## Before You Begin

### What These Modules Do

SentinelOne integrates with ContraForce through two separate modules:

<CardGroup cols={2}>
  <Card title="Detection Module" icon="magnifying-glass">
    **Threat ingestion and investigation**

    * Polls the SentinelOne Threats API for new threats
    * Classifies them as ContraForce Incidents or Detections
    * Round-trips status changes and analyst notes back to SentinelOne
  </Card>

  <Card title="Response Module" icon="bolt">
    **Gamebook response actions**

    * Powers Contain and Lift Containment Gamebooks (Network Quarantine)
    * Powers On-Demand Scan Gamebooks
    * Required for any Gamebook that acts on a SentinelOne-managed endpoint
  </Card>
</CardGroup>

The two modules use separate SentinelOne Service Users so each has only the role it needs.

### Prerequisites

<Steps>
  <Step title="SentinelOne Singularity subscription">
    An active SentinelOne Singularity subscription with endpoint agents deployed and reporting to the management console.
  </Step>

  <Step title="SentinelOne admin access">
    Access to **Settings → Users → Service Users** in the SentinelOne console. Creating Service Users typically requires the SentinelOne **Admin** role at the scope you plan to integrate.
  </Step>

  <Step title="ContraForce workspace">
    A ContraForce workspace created for the tenant, with your account assigned the **Workspace Admin** role.
  </Step>

  <Step title="Your SentinelOne Management Console URL">
    Identify the full URL of your SentinelOne management console (for example, `https://yourtenant.sentinelone.example`). You will enter this as the **Endpoint** when configuring the Detection module.
  </Step>
</Steps>

<Tip>
  You can confirm the Management Console URL by logging in to SentinelOne — the base URL in your browser (without any path after the hostname) is the value you will use. Do not include a trailing slash.
</Tip>

### Scope of Access

SentinelOne scopes roles by **Global → Account → Site → Group**. For most integrations, set the scope of each Service User to **Site** and pick the specific sites you want ContraForce to monitor. Use **Account** only if ContraForce should cover every site in the account.

***

## Step 1 — Create the Detection Service User in SentinelOne

1. In the SentinelOne console, navigate to **Settings → Users → Service Users**
2. Click **Actions → Create New Service User**
3. Set **Name** to `ContraForce Detection`
4. Set **Description** to `ContraForce threat ingestion and status writeback`
5. Set **Scope of access** to **Site** (pick the sites ContraForce will monitor) or **Account** if all sites are in scope
6. Assign the built-in role **SOC**
7. Set an expiration date for the API token — SentinelOne supports up to 1 year. Pick a date that fits your rotation policy
8. Click **Create**

SentinelOne will display the **API Token** on the confirmation screen.

<Warning>
  The API Token is shown once at creation time and cannot be retrieved later. Copy it to a secure location immediately. If you lose it, you must regenerate the token from the same Service User.
</Warning>

<Info>
  If your organization doesn't use the built-in **SOC** role, you can create a custom role with the following permissions instead: **Threats** (View, Modify), **Threat Notes** (View, Add, Edit, Delete), and **Activity** (View).
</Info>

***

## Step 2 — Create the Response Service User in SentinelOne

Repeat the process for a second Service User that ContraForce will use for Gamebook response actions.

1. In **Settings → Users → Service Users**, click **Actions → Create New Service User**
2. Set **Name** to `ContraForce Response`
3. Set **Description** to `ContraForce Gamebook response actions`
4. Set **Scope of access** to match the Detection Service User
5. Assign the built-in role **IR Team**
6. Set an expiration date and click **Create**

Copy the **API Token** for the Response Service User.

<Info>
  If your organization doesn't use the built-in **IR Team** role, you can create a custom role with the Detection permissions above plus **Endpoints / Agents** (View, Disconnect, Reconnect, Initiate Scan).
</Info>

<Tip>
  Creating two separate Service Users — one with SOC for Detection, one with IR Team for Response — follows the principle of least privilege. The Detection user can't disconnect an endpoint, and the Response user doesn't get more threat access than it needs.
</Tip>

***

## Step 3 — Configure the SentinelOne Detection Module in ContraForce

1. In the ContraForce portal, navigate to **Workspaces** → your workspace → **Modules**
2. Locate the **SentinelOne Detection** card and click **Configure**
3. Fill in the following fields:

| Field         | Value                                                                                                                                         |
| ------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
| **Endpoint**  | The full URL of your SentinelOne console, for example `https://yourtenant.sentinelone.example` — no trailing slash and no `/web/api/...` path |
| **API Token** | The token from the Detection Service User you created in Step 1                                                                               |

4. Click **Test Connection** to verify the credentials reach SentinelOne and have the required permissions
5. Click **Configure and Save**

If **Test Connection** fails, see the [Troubleshooting](#troubleshooting) table before saving.

***

## Step 4 — Configure the SentinelOne Response Module in ContraForce

1. On the same **Modules** page, locate the **SentinelOne Response** card and click **Configure**
2. Fill in the following fields:

| Field         | Value                                                                                                 |
| ------------- | ----------------------------------------------------------------------------------------------------- |
| **Endpoint**  | Inherited from the Detection module — read-only. Edit it on the Detection card if it needs to change. |
| **API Token** | The token from the Response Service User you created in Step 2                                        |

3. Click **Test Connection** and then **Configure and Save**

A successful test means Gamebook response actions are ready for SentinelOne-managed endpoints.

***

## Step 5 — Verify End-to-End

<Steps>
  <Step title="Wait for the first poll cycle">
    The Detection module polls SentinelOne on a short interval. New threats appear in ContraForce within a few minutes of being generated in SentinelOne.
  </Step>

  <Step title="Check the Command Dashboard">
    Navigate to the **Command Dashboard**. SentinelOne threats should appear alongside incidents from other sources.
  </Step>

  <Step title="Open an incident">
    Click into a SentinelOne-sourced incident and verify that the **Entities** and **Timeline** tabs are populated with threat data.
  </Step>

  <Step title="Try a Gamebook (optional)">
    If the Response module is configured, open a SentinelOne incident where the affected entity is an agent and confirm that **Contain**, **Lift Containment**, and **On-Demand Scan** Gamebook actions are available.
  </Step>
</Steps>

***

## What Each Module Unlocks

| Capability                                            | Requires Detection | Requires Response |
| ----------------------------------------------------- | :----------------: | :---------------: |
| Ingest SentinelOne threats as incidents or detections |          ✓         |                   |
| Round-trip status and analyst notes to SentinelOne    |          ✓         |                   |
| Receive real-time incident updates in the portal      |          ✓         |                   |
| Run Contain and Lift Containment Gamebooks            |                    |         ✓         |
| Run On-Demand Scan Gamebooks                          |                    |         ✓         |
| Trigger Security Delivery Agents on new incidents     |          ✓         |                   |

You can configure the Detection module without the Response module if you don't need Gamebook response actions for SentinelOne endpoints. Configuring only the Response module without Detection is not a supported configuration — you'd have no incidents for the Gamebooks to run on.

***

## Troubleshooting

| Issue                                                             | Likely cause                                                                                    | Fix                                                                                                                                                                      |
| ----------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Test Connection fails with a URL / format error                   | The **Endpoint** is blank, has a trailing slash, or includes a path like `/web/api/...`         | Re-enter the bare console URL, e.g. `https://yourtenant.sentinelone.example`                                                                                             |
| Test Connection fails with `401 Unauthorized`                     | The API token is wrong, expired, or was rotated in SentinelOne                                  | Regenerate the token for the affected Service User and paste the new value into ContraForce                                                                              |
| Test Connection fails with `403 Forbidden` on threats             | The Detection Service User's role is missing **Threats: View** (or the SOC role was customized) | Verify the **SOC** role is assigned, or check that your custom role has Threats (View, Modify)                                                                           |
| Gamebook response actions are greyed out on SentinelOne incidents | The Response Service User's role is missing Network Quarantine or Initiate Scan permissions     | Verify the **IR Team** role is assigned to the Response Service User, or check that your custom role has Endpoints / Agents (View, Disconnect, Reconnect, Initiate Scan) |
| No threats appear after 15 minutes                                | No unresolved threats exist in the scope assigned to the Detection Service User                 | Verify threats exist in the SentinelOne console within the Sites or Account you selected                                                                                 |
| Status updates from ContraForce don't appear in SentinelOne       | The Detection Service User's role is missing **Threats: Modify**                                | Re-assign the SOC role or grant Threats: Modify in the custom role                                                                                                       |
| Polling stopped working after a while                             | The Detection API token's expiration date has passed                                            | Rotate the token — see the section below                                                                                                                                 |
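
The first three rows of the table can be checked before a token is ever pasted into ContraForce. The following is an added example, not ContraForce or SentinelOne code: it validates the **Endpoint** value against the format rules above and then reads one threat with the Detection token. The `v2.1` API version, the `Authorization: ApiToken` header, the https requirement, and all function names are assumptions of this sketch.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumption: Management API version v2.1 (the page only shows `/web/api/...`).
THREATS_PATH = "/web/api/v2.1/threats?limit=1"

def endpoint_problems(endpoint):
    """Return reasons the Endpoint value is malformed (empty list means OK)."""
    value = endpoint.strip()
    if not value:
        return ["endpoint is blank"]
    parts = urlsplit(value)
    # Assumption: require https so the token never travels in cleartext.
    if parts.scheme != "https" or not parts.hostname:
        return ["must be a full https:// URL"]
    problems = []
    if parts.path == "/":
        problems.append("remove the trailing slash")
    elif parts.path:
        problems.append("remove the path, e.g. /web/api/...")
    if parts.query or parts.fragment or parts.username:
        problems.append("remove query, fragment or embedded credentials")
    return problems

def http_status(url, token):
    """GET url with SentinelOne's ApiToken header and return the HTTP status."""
    req = urllib.request.Request(url, headers={"Authorization": "ApiToken " + token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def preflight(endpoint, token, fetch=http_status):
    """Check a Detection endpoint/token pair; return (ok, message)."""
    problems = endpoint_problems(endpoint)
    if problems:
        return False, "Endpoint: " + "; ".join(problems)
    status = fetch(endpoint.strip() + THREATS_PATH, token)
    if status == 200:
        return True, "token can read threats in its scope"
    if status == 401:
        return False, "401: token is wrong, expired, or was rotated"
    if status == 403:
        return False, "403: role is missing Threats: View"
    return False, "unexpected HTTP status %d" % status
```

Pass the token in from a secrets manager or environment variable rather than typing it on the command line, where it would land in shell history.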

### Rotating an API Token

SentinelOne API tokens expire (up to 1 year). Plan to rotate before expiration.

1. In SentinelOne, navigate to **Settings → Users → Service Users**
2. Open the affected Service User (Detection or Response)
3. Click **Actions → Regenerate API Token**
4. Copy the new token immediately — it is only shown once
5. In ContraForce, reopen the affected module (Detection or Response)
6. Paste the new token into **API Token** and click **Configure and Save**
7. Click **Test Connection** to verify

***

## Related Documentation

<CardGroup cols={2}>
  <Card title="What are Gamebooks?" icon="bolt" href="/guides/getting-started/what-are-gamebooks">
    Learn how Gamebook response actions work
  </Card>

  <Card title="Incident Management" icon="book" href="/guides/getting-started/incident-management">
    Triage and resolve incidents in ContraForce
  </Card>

  <Card title="Entity Insights" icon="eye" href="/entity-insights">
    Explore investigation context for an incident's entities
  </Card>

  <Card title="Roles and Permissions" icon="users" href="/guides/general-support/roles-and-permissions-reference">
    Detailed role reference for ContraForce users
  </Card>
</CardGroup>

***

<Note>
  Questions about connecting SentinelOne to ContraForce? Contact us at [support@contraforce.com](mailto:support@contraforce.com).
</Note>
