anyrun/anyrun-integration-sentinelone
ANY.RUN Threat Intelligence Feeds Integration with SentinelOne

The integration delivers fresh, high-confidence IOCs directly from ANY.RUN's Threat Intelligence Feeds (TI Feeds) to SentinelOne. It allows you to catch the latest malware and phishing attacks early, enabling faster detection and response.

All data comes from threat investigations performed in ANY.RUN's malware analysis sandbox by 15,000 SOC teams and 500,000 analysts worldwide. This makes it 99% unique, relevant, and reliable. Further filtering and enrichment with threat context produces high-quality, noise-free threat intelligence.

Use Cases & Functionality

1. Early Detection of New Attacks

IOCs (IPs, URLs, and domains) are delivered to TI Feeds in real time, as soon as they are detected in ANY.RUN’s Interactive Sandbox. This ensures early identification of threats and expanded coverage of the latest attacks.

The connector enables scheduled automatic import of IOCs. You can configure how often new feeds are retrieved into SentinelOne:

  • Once a minute
  • Once an hour
  • Once a day

Outcome: Identify new threats before they strike and take preventive action.

2. Wider Threat Coverage and Reduced False Positives

The TI Feeds connector supplies your SentinelOne environment with up-to-date threat intelligence by automatically handling updates and revocations from threat feeds, reducing false positives and keeping you aligned with the latest threats.

Outcome: More efficient monitoring and accurate incident triage through high-confidence indicators.

3. Seamless Integration and Interoperability

The connector enables automated import and update of relevant IOCs into SentinelOne, as well as data mapping and validation for compatibility with the Singularity Threat Intelligence format.

Outcome: Better threat detection and response within your existing environment.

Installation Guide

Clone this project

$ git clone git@github.com:anyrun/anyrun-integration-sentinelone.git

Jump into the project directory

$ cd anyrun-integration-sentinelone

Create and fill in the .env config. See the "Setup secrets" and "Generate Basic Authentication token" sections below.

$ cp .env_example .env

Run the script in one of the following two ways.

With Docker Compose:

$ docker-compose up --build

Or in a local Python virtual environment (on Windows, the activation script is venv\Scripts\activate):

$ python3 -m venv venv
$ source venv/bin/activate
$ pip install -r requirements.txt
$ python3 connector-anyrun-feed.py

Setup secrets

Go to SentinelOne

Click Profile & Preferences


Click Generate API Token in the profile actions


Use API-KEY as the value for the environment variable: SENTINEL_API_TOKEN

Go to the Policy & Settings tab

Then open the Accounts or Sites tab to obtain the system identifier


Use it as the value for the environment variable SENTINEL_ACCOUNT_IDS or SENTINEL_SITE_IDS

Generate Basic Authentication token

To obtain your Basic Authentication token, please contact your ANY.RUN account manager directly or fill out the request form.

  • Use the Basic Authentication token as the value for the environment variable: ANYRUN_BASIC_TOKEN
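As an added example (not part of the connector's own code), a small pre-flight check that parses the .env file described above and reports which of the four variables are missing before the connector is started. The KEY=VALUE file format, and the assumption that at least one of SENTINEL_ACCOUNT_IDS or SENTINEL_SITE_IDS must be set, are assumptions for this example; the sample .env is constructed with placeholder values.

```python
# Added pre-flight check for the connector's .env (not the project's own code).
# Assumed .env format: KEY=VALUE lines, '#' comments, optional quotes; the ID
# variables are comma-separated and at least one of them must be set.
from typing import Dict, List

REQUIRED = ("SENTINEL_API_TOKEN", "ANYRUN_BASIC_TOKEN")
SCOPE_VARS = ("SENTINEL_ACCOUNT_IDS", "SENTINEL_SITE_IDS")


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines, skipping blanks and comments, stripping quotes."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def split_ids(value: str) -> List[str]:
    """Split a comma-separated ID list, dropping empty entries."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_env(env: Dict[str, str]) -> List[str]:
    """Return the list of config problems; an empty list means the .env is usable."""
    problems = [f"{n} is missing or empty" for n in REQUIRED if not env.get(n, "").strip()]
    if not any(split_ids(env.get(n, "")) for n in SCOPE_VARS):
        problems.append("set at least one of SENTINEL_ACCOUNT_IDS or SENTINEL_SITE_IDS")
    return problems


# Constructed sample .env with placeholder values (not real credentials)
SAMPLE_ENV = """
# SentinelOne side
SENTINEL_API_TOKEN="<api-key-from-profile>"
SENTINEL_ACCOUNT_IDS=1234567890, 9876543210
SENTINEL_SITE_IDS=
# ANY.RUN side
ANYRUN_BASIC_TOKEN=
"""

if __name__ == "__main__":
    for problem in check_env(parse_dotenv(SAMPLE_ENV)):
        print("config error:", problem)
```

Run it against your real .env (read the file instead of SAMPLE_ENV) before the first scheduled import so a missing token fails loudly rather than as a silent empty feed.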

Support

This is an ANY.RUN supported connector. If you need help, contact [email protected].
