SentinelOne Plugin - Service Accounts Don't Connect

jschlenker · December 1, 2022, 4:08pm

The current version of SentinelOne has implemented Service Users for the purpose of bypassing the 2FA and email requirement on an account.

Unfortunately, per my discussion with SentinelOne support, the Service Users do not “log in” to the console the way that a user account API token does.

Using Postman, I can perform the calls using the Service User, but the Iconn script fails when I attempt to use the Service User.

My user API token worked, however. It should be relatively obvious why that isn’t an ideal solution.

Here is the error from the Connections panel when using the Service User’s API token:

Connect: Connecting…
Trying to authenticate with API version 2.1
API v2.1 failed… trying v2.0
‘NoneType’ object has no attribute ‘get’
Traceback (most recent call last):
File “/usr/local/lib/python3.8/site-packages/insightconnect_plugin_runtime-4.7.4-py3.8.egg/insightconnect_plugin_runtime/plugin.py”, line 376, in handle_step
output = self.start_step(
File “/usr/local/lib/python3.8/site-packages/insightconnect_plugin_runtime-4.7.4-py3.8.egg/insightconnect_plugin_runtime/plugin.py”, line 461, in start_step
connection = self.connection_cache.get(message_body[“connection”], logger)
File “/usr/local/lib/python3.8/site-packages/insightconnect_plugin_runtime-4.7.4-py3.8.egg/insightconnect_plugin_runtime/connection.py”, line 49, in get
conn.connect(parameters)
File “/usr/local/lib/python3.8/site-packages/sentinelone_rapid7_plugin-7.1.0-py3.8.egg/komand_sentinelone/connection/connection.py”, line 61, in connect
self.token, self.api_version = self.get_auth_token()
File “/usr/local/lib/python3.8/site-packages/sentinelone_rapid7_plugin-7.1.0-py3.8.egg/komand_sentinelone/connection/connection.py”, line 87, in get_auth_token
token = response.json().get(DATA_FIELD).get(“token”)
AttributeError: ‘NoneType’ object has no attribute ‘get’

darrick_hall2 · December 1, 2022, 4:38pm

Thank you for sharing this. The work to make this authentication method an option for the SentinelOne plugin is currently underway. When it is complete I will update this thread.

darrick_hall2 · December 19, 2022, 4:08pm

Wanted to provide a quick update:

SentinelOne Version 8.0 has been released today.

Authentication methods currently supported by the SentinelOne plugin:

Service User Role Plugin (Supported on Plugin Version 8.0 & later) - This is the latest authentication role created within the SentinelOne platform. This role does not allow direct SentinelOne console login. To create this connection within InsightConnect you need an API key, and the SentinelOne Platform URL.
API Authentication (Supported on Plugin Version 7.0 & later) - This replaced basic auth as the authentication method earlier this year. In order to utilize this method you will need an email address, API key, and SentinelOne Platform URL.

@jschlenker if you utilize the service role and have any feedback or run into any issues please don’t hesitate to reach out. Thank you again for bringing this to our attention.

jschlenker · December 19, 2022, 5:06pm

I have updated my two related workflows to use the 8.0 plugin, and tested them both. They are working with the new authentication method.

Thank you!