SentinelOne Sandbox Integration Configuration
HOWTO | Advanced


Dylan H.

Security Operations

February 11, 2026
4 min read

SCENARIO

SentinelOne detects suspicious files but automated malware analysis requires sandbox integration. Manually uploading files to VirusTotal, Joe Sandbox, or Any.run is time-consuming and breaks investigation workflows. Organizations need automated sandbox submission integrated directly into the threat investigation process.

Use this guide when you need to:

  • Automatically submit suspicious files to sandbox platforms for behavioral analysis
  • Integrate VirusTotal, Joe Sandbox, Any.run, or Cuckoo Sandbox with SentinelOne
  • View sandbox results directly in SentinelOne console
  • Automate malware classification and IOC extraction
  • Reduce manual analyst effort in threat investigations

Business Impact:

  • Automated malware analysis: Files analyzed without manual upload
  • Faster threat classification: Results in minutes vs. hours
  • IOC extraction: Automatic collection of network IOCs, file artifacts
  • MITRE ATT&CK mapping: Sandbox results mapped to ATT&CK techniques

REQUIREMENTS & ASSUMPTIONS

Prerequisites:

  • SentinelOne Singularity Complete license
  • Sandbox platform accounts:
    • VirusTotal API key (free tier: 4 requests/minute, paid: unlimited)
    • Joe Sandbox account and API key
    • Any.run account (optional)
    • Cuckoo Sandbox instance (self-hosted, optional)

Supported Sandbox Platforms:

  • ✅ VirusTotal (malware detection, quick analysis)
  • ✅ Joe Sandbox (in-depth behavioral analysis)
  • ✅ Any.run (interactive malware analysis)
  • ✅ Cuckoo Sandbox (self-hosted, full control)

PROCESS

Step 1: Configure VirusTotal integration

  1. Obtain VirusTotal API key:

    • Sign up at https://www.virustotal.com
    • Navigate to Profile → API Key
    • Copy API key
  2. Configure in SentinelOne:

    • Console → Settings → Integrations → Sandbox
    • Click + Add Sandbox Integration
    • Select VirusTotal
  3. Enter configuration:

    • Name: VirusTotal
    • API Key: <YOUR_VIRUSTOTAL_API_KEY>
    • Auto-Submit: ✅ Enabled (auto-submit suspicious files)
    • Submit Threshold: High-severity threats only (or all threats)
  4. Test integration:

    • Click Test Connection
    • Should return "Connection successful"
  5. Save configuration

Result: VirusTotal integration active. Suspicious files auto-submitted for analysis.


Step 2: Configure Joe Sandbox integration

  1. Obtain Joe Sandbox API key:

    • Sign up at https://www.joesandbox.com
    • Navigate to Account → API Key
  2. Configure in SentinelOne:

    • Console → Settings → Integrations → Sandbox
    • Click + Add Sandbox Integration
    • Select Joe Sandbox
  3. Enter configuration:

    • Name: Joe Sandbox
    • API Key: <YOUR_JOE_API_KEY>
    • API URL: https://jbxcloud.joesecurity.org/api/v2/
    • Analysis Type: Full analysis (or quick scan)
    • Auto-Submit: ✅ Enabled
  4. Test and save

Result: Joe Sandbox integration active for in-depth malware analysis.


Step 3: View sandbox results in console

After sandbox analysis completes (2-10 minutes):

  1. Navigate to Console → Threats → [Threat Details]
  2. Click Sandbox Analysis tab

Sandbox Report Displays:

  • Detection Ratio: 58/70 vendors (VirusTotal)
  • Malware Family: TrickBot banking trojan
  • Behavior Summary:
    • Process injection detected
    • Registry persistence created
    • Network C2 callbacks to 198.51.100.75:443
  • MITRE ATT&CK: T1055 (Process Injection), T1071 (C2 Protocol)
  • Extracted IOCs:
    • IP addresses
    • Domains
    • File hashes of dropped files
    • Registry keys created
  3. Export sandbox report:
    • Click Export → PDF
    • Include in incident response documentation

Result: Complete malware analysis visible in SentinelOne console without leaving platform.


Step 4: Automate sandbox submission workflows

Workflow 1: Auto-submit all high-severity threats

Configuration:
- Threat Severity: High or Critical
- Auto-Submit: ✅ VirusTotal + Joe Sandbox
- Action: Submit immediately upon detection

Workflow 2: Analyst-initiated sandbox submission

Configuration:
- Threat Severity: Any
- Auto-Submit: ❌ Disabled
- Analyst clicks "Submit to Sandbox" button manually

Workflow 3: Batch sandbox submission

# Submit multiple threats to the sandbox via the SentinelOne management API
param(
    [Parameter(Mandatory)][string]$ApiToken,
    [Parameter(Mandatory)][string]$ConsoleUrl,   # e.g. https://<tenant>.sentinelone.net
    [Parameter(Mandatory)][string[]]$ThreatIds
)

# Same API token for every request; the body is JSON, so say so explicitly
$headers = @{
    "Authorization" = "ApiToken $ApiToken"
    "Content-Type"  = "application/json"
}

foreach ($threatId in $ThreatIds) {
    # Request the VirusTotal integration configured in Step 1
    $body = @{ data = @{ sandboxType = "virustotal" } } | ConvertTo-Json -Depth 3
    $uri  = "$($ConsoleUrl.TrimEnd('/'))/web/api/v2.1/threats/$threatId/sandbox-submit"

    try {
        Invoke-RestMethod -Uri $uri -Headers $headers -Method Post -Body $body | Out-Null
        Write-Host "Submitted threat $threatId to sandbox"
    } catch {
        # A 429 here means the sandbox rate limit was hit (see TROUBLESHOOTING)
        Write-Warning "Submission failed for threat ${threatId}: $($_.Exception.Message)"
    }
}

VERIFICATION

Verify sandbox integration:

  1. Test connection: Console → Settings → Integrations → Sandbox → Test Connection → Success

  2. Submit test file:

    • Download EICAR test file: https://www.eicar.org/download-anti-malware-testfile/
    • Upload to test endpoint
    • SentinelOne detects → Auto-submits to sandbox
    • Verify results appear in Sandbox Analysis tab

TROUBLESHOOTING

Issue: Sandbox submission fails

Solutions:

  1. Check API key validity: Test key directly on sandbox platform
  2. Verify rate limits: VirusTotal free tier has rate limits (4 req/min)
  3. Check file size: Files >100 MB may fail
  4. Verify network access: SentinelOne console must reach sandbox APIs
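Added example (not part of this guide and not SentinelOne's or VirusTotal's code): a Python batch submitter that applies the two limits from Workflow 3 and the troubleshooting list above, throttling to the VirusTotal free-tier 4 requests/minute, skipping files over 100 MB and retrying on HTTP 429. The `send` callable is an assumed stand-in for the POST to the sandbox-submit endpoint shown in Workflow 3, so the script runs offline.

```python
import time
from collections import deque

# Limits this guide states: VirusTotal free tier 4 req/min; files over 100 MB may fail.
VT_FREE_REQ_PER_MIN = 4
MAX_FILE_BYTES = 100 * 1024 * 1024

class RateLimiter:
    """Sliding-window limiter: at most `limit` sends per `window` seconds.
    `now`/`sleep` are injectable so the behaviour can be tested offline."""
    def __init__(self, limit, window=60.0, now=time.monotonic, sleep=time.sleep):
        self.limit, self.window = limit, window
        self.now, self.sleep = now, sleep
        self.sent = deque()  # timestamps of sends inside the current window

    def wait(self):
        while True:
            t = self.now()
            while self.sent and t - self.sent[0] >= self.window:
                self.sent.popleft()  # expire sends older than the window
            if len(self.sent) < self.limit:
                self.sent.append(t)
                return
            self.sleep(self.window - (t - self.sent[0]))  # wait for a free slot

def submit_threats(threats, send, limiter, retries=3, backoff=(5, 15, 30), sleep=time.sleep):
    """Submit each threat once, honouring the limiter and retrying on HTTP 429.
    threats: list of {"id": str, "size": int} (size of the detected file in bytes)
    send:    callable(threat_id) -> HTTP status code; an assumed stand-in for the
             POST to /web/api/v2.1/threats/<id>/sandbox-submit used in Workflow 3
    Returns {threat id: outcome string}."""
    results = {}
    for t in threats:
        if t["size"] > MAX_FILE_BYTES:
            results[t["id"]] = "skipped: exceeds 100 MB sandbox limit"
            continue
        for attempt in range(retries):
            limiter.wait()
            status = send(t["id"])
            if status == 200:
                results[t["id"]] = "submitted"
                break
            if status == 429:  # sandbox rate limit hit: back off, then retry
                sleep(backoff[min(attempt, len(backoff) - 1)])
                continue
            results[t["id"]] = f"failed: HTTP {status}"  # e.g. 401 = invalid API key
            break
        else:
            results[t["id"]] = "failed: still rate limited after retries"
    return results
```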


Document Version: 1.0
Last Updated: 2025-11-26
