SentinelOne Singularity Operations Center

LAST UPDATED: NOVEMBER 27, 2025

Overview

SentinelOne Singularity is an enterprise cybersecurity platform offering unified prevention, detection, and response across the security estate. It simplifies endpoint, cloud, and identity protection through one centralized, autonomous platform, making machine-speed decisions with static and behavioral AI. With AI SIEM, Singularity also ingests and analyzes massive security data in real time to deliver advanced threat detection and faster investigations.

D3 SOAR is providing REST operations to function with SentinelOne Singularity Operations Center.

SentinelOne Singularity Operations Center is available for use in:

D3 SOAR	V16.8.0+
Category	Endpoint Security
Deployment Options	Option II, Option IV

Known Limitations

The SentinelOne Singularity Operations Center API enforces a rate limit of 25 requests per second for each API token across all commands in this integration.

Refer to API rate limits for details.

Connection

Gather the following information to connect D3 SOAR to SentinelOne Singularity Operations Center.

Parameter	Description	Example
Server URL	The URL of the SentinelOne server.	https://usea1-partners.sentinelone.net
API Token	The API token used for authentication.	JnHs*****ug5S
API Version	The version of the API to use for the connection.	v2.1

READER NOTE

The Singularity™ Operations Center must be enabled to use this integration. Refer to How to opt in to the Singularity Operations Center for more information.

Permission Requirements

Each endpoint in the SentinelOne Singularity Operations Center API requires a certain permission scope. The following are required scopes for the commands in this integration:

Command

Required Permissions

Fetch Event

Unified Alerts with View access enabled for all alert types:

STAR Alerts
Mobile Alerts
Identity Alerts
Generic Alerts
Endpoint Alerts

READER NOTE

The Unified Alerts > View permission is automatically selected when View permission is enabled for any alert type.

Test Connection

As SentinelOne Singularity Operations Center is using role-based access control (RBAC), the API Token is generated based on a specific user account and the application. Therefore, the command permissions are inherited from the user account’s role. Users need to configure their user profile from the SentinelOne Singularity Operations Center console for each command in this integration.

Configuring SentinelOne Singularity Operations Center to Work with D3 SOAR

This section demonstrates how to:

Configure a role with the required permissions
Create a service user for API use
Assign the role to the service user
Generate an API token

For information on generating an API token for an existing console user, refer to this resource after authenticating.

Log into the SentinelOne Singularity Operations Center console with administrator privileges.
Navigate to Policy & Settings > Roles, then click the New Role button.
Configure the new role.
1. Enter a role name.
2. Search for and select the relevant permission category.
3. Enable the required permissions.
4. Click the Save button.
Select the Service Users tab, then click the New Service User button.
Configure the service user.
1. Enter a name.
2. Select the sites to access.
3. Search for and select the newly created role.
4. Click the Create Service User button.
Copy the displayed API token and store it securely.
Refer to step 3.i.2 in Configuring D3 SOAR to Work with SentinelOne Singularity Operations Center.

Configuring D3 SOAR to Work with SentinelOne Singularity Operations Center

Log in to D3 SOAR.
Find the SentinelOne Singularity Operations Center integration.
1. Navigate to Configuration on the top header menu.
2. Click on the Integration icon on the left sidebar.
3. Type SentinelOne Singularity Operations Center in the search box to find the integration, then click it to select it.
4. Click on the + Connection button on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to SentinelOne Singularity Operations Center.
1. Connection Name: The desired name for the connection.
2. Site: The site on which to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
3. Recipient site for events from connections Shared to Internal Sites: This field is displayed when Share to Internal Sites is selected for the Site field, allowing selection of the internal site for deploying the integration connection.
4. Agent Name (Optional): The proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
5. Description (Optional): The description for the connection.
6. Tenant (Optional): When configuring the connection from a master tenant site, users can choose the specific tenant sites with which to share the connection. Once this setting is enabled, users can filter and select the desired tenant sites from the dropdowns to share the connection.
7. Configure User Permissions: Defines which users have access to the connection.
8. Active: The checkbox that enables the connection to be used when selected.
9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
  1. Input the Server URL.
  2. Input the API Token from the SentinelOne Singularity Operations Center platform. Refer to step 6 in Configuring SentinelOne Singularity Operations Center to Work with D3 SOAR.
  3. Input the API Version. The default value is v2.1.
10. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.
11. Connection Health Check: Periodically checks the connection status by scheduling the Test Connection command at the specified interval (in minutes). Available only for active connections, this feature also allows configuring email notifications for failed attempts.
Test the connection.
1. Click on the Test Connection button to verify credentials and connectivity. A success alert displays Passed with a green checkmark. If the connection fails, review the parameters and retry.
2. Click OK to close the alert window.
3. Click + Add to create and add the configured connection.

Commands

SentinelOne Singularity Operations Center includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command function, users can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the SentinelOne Singularity Operations Center API, refer to the SentinelOne Singularity Operations Center API reference. Users must authenticate to access the webpage.

READER NOTE

Certain permissions are required for each command. Refer to the Permission Requirements and Configuring SentinelOne Singularity Operations Center to Work with D3 SOAR sections for details.

Note for Time-related parameters

The input format of time-related parameters may vary based on user account settings, which may cause the sample data in commands to differ from what is displayed. To adjust the time format, follow these steps:

Navigate to Configuration Application Settings. Select Date/Time Format.
Choose the desired date and time format, then click on the Save button.

The selected time format will now be visible when configuring Date/Time command input parameters.

Fetch Event

Ingests Singularity unified alerts into the vSOC platform as D3 events. The returned unified alerts are sorted by the specified Time Field in descending order.

Input

Input Parameter	Required/Optional	Description	Example
Time Field	Optional	The time field used to ingest unified alerts. Valid options are: Detected At First Seen At Last Seen At By default, the value is set to Detected At.	Last Seen At
Start Time	Optional	The earliest time at which Singularity Unified Alerts are detected, last seen, or first seen (in UTC). The system ingests Singularity Unified Alerts that occur at or after this time. By default, the value is 24 hours before End Time.	2024-08-01 18:00:00
End Time	Optional	The latest time at which Singularity Unified Alerts are detected, last seen, or first seen (in UTC). The system ingests Singularity Unified Alerts that occur before this time. By default, the value is the current time.	2024-08-01 18:05:00
Number of Event(s) Fetched	Optional	The maximum number of Singularity Unified Alerts to return. The valid range is 1–10000. By default, all alerts that match the filter criteria are returned.	10
Alert Status	Optional	Queries Singularity Unified Alerts by status. Valid options are: New In Progress Resolved By default, all alerts are returned regardless of their status.	New
Alert Severity	Optional	Queries Singularity Unified Alerts by severity. Valid options are: Critical High Medium Low Info By default, all alerts are returned regardless of their severity.	High
Detection Product	Optional	Queries Singularity Unified Alerts by detection product. Valid options are: STAR EDR Identity Mobile Generic By default, all alerts are returned regardless of their detection product.	EDR
Confidence Level	Optional	Queries Singularity Unified Alerts by confidence level. Valid options are: Malicious Suspicious Not Specified By default, all alerts are returned regardless of their confidence level.	Malicious
Analyst Verdict	Optional	Queries Singularity Unified Alerts by analyst verdict. By default, all alerts are returned regardless of their analyst verdict.	True positive/Undefined
Additional Filters	Optional	Queries Singularity Unified Alerts by additional fields.	{ fieldId: "assetName", match: { value: "lab3-pc2" } } { fieldId: "storylineId", match: { value: "1B38*****FE72" } }

Output

To view the sample output data for all commands, refer to this article.

Fetch Event Field Mapping

See Field Mappings.

The SentinelOne Singularity Operations Center system integration includes pre-configured field mappings for the default event source.

The Default Event Source is the default system-provided set of field mappings applied when the fetch event command is executed. It includes a Main Event JSON Path, which is the JSONPath expression that points to the base array of event objects. The source field path continues from this array to locate the required data.

The Main Event JSON Path can be viewed by clicking on the Edit Event Source button.

Main Event JSON Path: $.data.alerts.edges
The data.alerts.edges array contains the event objects. Within each object, the key node.id denotes the Document ID field. As such, the full JSONPath expression to extract the Document ID is $.data.alerts.edges.node.id.

The pre-configured field mappings are detailed below:

Field Name	Source Field
Account Name	.node.realTime.scope.account.name
Agent Policy	.node.asset.policy
Agent UUID	.node.asset.agentUuid
Alert External ID	.node.externalId
Analyst Verdict	.node.analystVerdict
Asset Category	.node.asset.category
Asset ID	.node.asset.id
Asset Name	.node.asset.name
Asset Subcategory	.node.asset.subcategory
Assignee	.node.assignee.fullName
Assignee Email	.node.assignee.email
Attack Surfaces	.node.attackSurfaces
Classification	.node.classification
Cloud Account ID	.node.detectionTime.cloud.accountId
Cloud Image	.node.detectionTime.cloud.image
Cloud Location	.node.detectionTime.cloud.location
Cloud Provider	.node.detectionTime.cloud.cloudProvider
Confidence Level	.node.confidenceLevel
Detection Time Console IP	.node.detectionTime.asset.consoleIpAddress
Detection Time Last Logged In User	.node.detectionTime.asset.lastLoggedInUser
Domain	.node.detectionTime.asset.domain
First Seen Time	.node.firstSeenAt
Group Name	.node.realTime.scope.group.name
Last Logged In User	.node.asset.lastLoggedInUser
Last Seen Time	.node.lastSeenAt
Mitigation Status	.node.result
Site Name	.node.realTime.scope.site.name
Storyline ID	.node.storylineId
Target User	.node.detectionTime.targetUser.name
Target User Domain	.node.detectionTime.targetUser.domain
Alert Name	.node.name
Destination IP address	.node.detectionTime.asset.ipV4
Destination is IPv6 address	.node.detectionTime.asset.ipV6
Document ID	.node.id
File Hash MD5	.node.process.file.md5
File Hash SHA1	.node.process.file.sha1
File Hash SHA256	.node.process.file.sha256
Filepath	.node.process.file.path
Start Time	.node.detectedAt
Description	.node.description
Operating system	.node.asset.osVersion
Parent process name	.node.process.parentName
Process command line	.node.process.cmdLine
Severity	.node.severity
Source hostname	.node.attacker.host
Source IP address	.node.attacker.ip
Source type	.node.detectionSource.product
Status	.node.status

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Fetch Event failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne Singularity Operations Center portal. Refer to the HTTP Status Code Registry for details.	Status Code: 401.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Unauthorized.

Error Sample Data

Fetch Event failed.

Status Code: 401.

Message: Unauthorized.

Test Connection

Allows users to perform a health check on an integration connection. Users can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Output Type

Description

Return Data Type

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

More details about an error can be viewed in the Error tab.

String

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Test Connection failed. Failed to check the connector.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne Singularity Operations Center portal. Refer to the HTTP Status Code Registry for details.	Status Code: 401.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Unauthorized.

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 401.

Message: Unauthorized.