SentinelOne and Phantom Integration

SOC teams find themselves drowning in constant streams of alerts, logs, and data in managing incident response lifecycles. Automation is increasingly the answer in complex security environments to enhance analyst productivity.
Leveraging SentinelOne EPP and Phantom, practitioners can combine the pre-execution, on-execution, and post-execution threat convictions and response actions of SentinelOne with the automation, orchestration, and case management capabilities of the Phantom SecOps Platform, resulting in one scalable workflow.


The SentinelOne and Phantom Integration

The partnership enables customers to easily integrate autonomous endpoint protection into existing security architectures. The joint solution empowers enterprise Security Operations Centers (SOC) to anticipate and automatically block attacks on endpoints from a single view in conjunction with their other tools. SentinelOne provides more than 200 APIs – the most of any endpoint company – enabling customers to integrate and unify security assets within their environment.

 The Phantom platform integrates existing security technologies, providing a layer of connective tissue between them, automating repetitive tasks and orchestrating multiple concurrent workflows. SentinelOne uses artificial intelligence to deliver autonomous endpoint protection and automatically eliminates threats in real time. The joint solution helps customers rapidly manage the security lifecycle to stop damaging cyber attacks.  

In addition to the robust number of APIs, the SentinelOne Phantom app provides support for ten proactive actions that security teams can use to protect endpoints through Phantom. These actions go far beyond simply providing information and actually allows admins to do everything from scanning endpoints for dormant threats and blocking hashes to quarantining endpoints and mitigating threats.


  • Automate incident response and security policy through actions, playbooks, & cases
  • Reduce time spent investigating threats
  • Improve security analyst productivity by automating key tasks and shortening times to resolution
  • Ingest and triage activity, event, and alert data from SentinelOne  into Phantom
  • Trigger Phantom playbooks (python scripts) to run and check security policy actions from SentinelOne; create custom playbooks in Phantom’s Visual Editor
  • Enrich incident data like IP, hashes, filenames, URLs, process detail, etc. using SentinelOne Deep Visibility telemetry from within Phantom playbooks
  • Respond by orchestrating SentinelOne convictions, including system rollback, in conjunction with other Phantom security solution apps and playbooks, all tracked and managed in Phantom’s case management

How to get it

Existing customers can download the SentinelOne application from the Phantom app

Get in touch with the SentinelOne and Phantom integration experts

Request a demo