Singularity Endpoint

Infinity XDR (Extended Detection & Response)/XPR (Extended Prevention & Response) analyzes the logs from the Singularity Endpoint management portal for malicious activity, and recommends preventive actions to isolate affected endpoints.

Integrating Singularity Endpoint

To configure Singularity Endpoint to send logs to Infinity XDR/XPR:

  1. Log in to the SentinelOne web portal.

  2. Select your site.

  3. In the left navigation pane, click .

  4. Click the Integrations tab.

  5. From the Types list, select SYSLOG.

  6. Turn off the Disable SYSLOG toggle button to enable syslog.

  7. In the Host field, enter your syslog server IP address and port:

    1. For the EU region, enter 20.76.50.141 and port 6514

    2. For the US region, enter 20.22.126.247 and port 6514

  8. In the TLS field, select the Use TLS secure connection checkbox.

  9. In the Formatting field, from the Information format list, select CEF.

  10. Click Test.

  11. Click Save.

To receive responses on Singularity Endpoint from Infinity XDR/XPR:

Note - This section is optional. Do these steps if you want to issue responses from Infinity XDR/XPR on Singularity Endpoint.

  1. Log in to the SentinelOne web portal.

  2. Go to Settings > Users and then click Roles.

  3. Create a new role or use an existing one, such as IR Team.

    If you are creating a new role, ensure that it includes permissions for Endpoint Threats and Unquarantine.

  4. Create a Service User:

    1. Go to Service Users and click Create New User.

    2. Enter the user details and in the Role section, assign the new user to the IR Team role or the custom role created in the previous step.

  5. Enable API Token Generation:

    1. Open the user details.

    2. From the Actions list, select API Token Operations > Allow API Token Generation.

  6. Generate the API token and copy it.

    Important - The token is valid for 30 days. You must regenerate it after this period.

To integrate Singularity Endpoint in Infinity XDR/XPR Administrator Portal:

  1. Log in to the Infinity XDR/XPR Administrator Portal and go to Settings > Integrations.

  2. In the Singularity Endpoint widget, click Integrate.

    The Singularity Endpoint Integration window appears.

  3. In the Log Integration section, click Download all to download the zip file that includes these certificates:

    • checkpoint-syslogs-cert.pem

    • checkpoint-syslogs-key.pem

    • checkpoint-syslogs-ca.pem

  4. Click Next.

  5. (Optional) To issue responses on Singularity Endpoint, in the API Integration section:

    1. In the Access token field, enter the API token copied from the SentinelOne web portal.

    2. In the Base URL field, enter the SentinelOne URL for your account, in this format:

      account-name.sentinelone.net

      where account-name is the name of your account in SentinelOne web portal.

  6. Click Finish.

    The widget shows Inactive status until Infinity XDR/XPR begins receiving logs from Singularity Endpoint.

    After that, the status changes to Active or Partially active, depending on whether you have configured API integration.

  7. To check if the integration is successful:

    • In the Integrated products section:

      • If you have configured API integration, verify that Singularity Endpoint is listed as Active.

      • If you have not configured API integration, verify that Singularity Endpoint is listed as Partially active.

        To configure API integration, click the link in the tooltip or click and then click Edit API credentials.

      • If the access token expired, the integration status appears as Partially active.

        To make it active, you must generate a new API token in the SentinelOne web portal and then re-configure API integration.

    • Go to the Overview page and in the Connectivity widget, verify that Singularity Endpoint is listed as connected.
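Before clicking Test in the SentinelOne portal, it helps to confirm from your own network that the Infinity XDR/XPR collector for your region completes a mutual-TLS handshake with the downloaded certificates, and to keep track of the 30-day API token lifetime. The following added example (not Check Point or SentinelOne code) does both; it assumes the three certificate files from step 3 are in the working directory, that the collector expects mutual TLS on port 6514 as configured above, and that the collector certificate may not carry the bare IP address as a subject alternative name.

```python
"""Pre-flight checks for the Singularity Endpoint -> Infinity XDR/XPR feed."""
import datetime as dt
import socket
import ssl

# Collector addresses/port from step 7 and the certificate names from step 3.
COLLECTORS = {"EU": ("20.76.50.141", 6514), "US": ("20.22.126.247", 6514)}
CERT, KEY, CA = ("checkpoint-syslogs-cert.pem",
                 "checkpoint-syslogs-key.pem", "checkpoint-syslogs-ca.pem")
TOKEN_LIFETIME = dt.timedelta(days=30)  # API token validity stated in step 6


def collector_for(region: str) -> tuple:
    """Return (host, port) of the collector for the EU or US region."""
    try:
        return COLLECTORS[region.strip().upper()]
    except KeyError as exc:
        raise ValueError(f"unknown region {region!r}; use EU or US") from exc


def build_mtls_context(cert=CERT, key=KEY, ca=CA) -> ssl.SSLContext:
    """Client context: present our certificate, trust only the downloaded CA."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Assumption: the collector cert may not list the bare IP as a SAN, so
    # hostname matching is skipped; chain validation against the CA still applies.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(certfile=cert, keyfile=key)
    return ctx


def check_collector(region: str, timeout: float = 5.0) -> dict:
    """Complete an mTLS handshake with the collector; no data is sent after it."""
    host, port = collector_for(region)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with build_mtls_context().wrap_socket(raw, server_hostname=host) as s:
            subject = dict(rdn[0] for rdn in s.getpeercert()["subject"])
            return {"host": host, "port": port, "tls": s.version(),
                    "peer_subject": subject}


def token_status(generated_on: str, today: str = None) -> dict:
    """Days left on an API token from step 6, given ISO dates (valid 30 days)."""
    start = dt.date.fromisoformat(generated_on)
    now = dt.date.fromisoformat(today) if today else dt.date.today()
    days_left = (start + TOKEN_LIFETIME - now).days  # expired once 30 days pass
    return {"expires": (start + TOKEN_LIFETIME).isoformat(),
            "days_left": days_left, "expired": days_left <= 0}


if __name__ == "__main__":
    print(check_collector("EU"))
```

A handshake failure here (certificate verify failed, connection refused) points at the certificate files or outbound filtering on port 6514 rather than at the SentinelOne configuration.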

Regenerating the Certificate

If you revoke a certificate, you must regenerate and upload the certificate to the SentinelOne portal within two days.

  1. Log in to the Infinity XDR/XPR Administrator Portal:

    1. Go to Settings > Integrations.

    2. In the Singularity Endpoint widget, click .

    3. Click Regenerate Certificate.

      The Singularity Endpoint Integration window appears.

    4. Perform steps 3 to 7 in Integrating SentinelOne with Infinity XDR/XPR.

Deleting the Integration

  1. Go to Settings > Integrations.

  2. In the Singularity Endpoint widget, click .

  3. Click Delete.

    The Delete Integration window appears.

  4. Click Yes.

Supported Preventive Actions

When Infinity XDR/XPR detects any malicious activity that involves SentinelOne Endpoint, it generates an incident and recommends preventive actions to mitigate it. The supported preventive action is to isolate the affected host.

To view the recommended preventive actions for the incident:

  1. Go to the Incidents page and click the incident title, or hover over the incident and click >.

  2. In the incident Overview page, go to the Prevention widget.

    The system shows the recommended preventive actions in the Recommendations section.

  3. To isolate the host, click Isolate.

  4. Click Yes.

    The host will be disconnected from the network.