SentinelOne

Endpoint security software that defends every endpoint against every type of attack, at every stage in the threat lifecycle.

Chronicle Data Types

  • Alert
  • EDR

Configuration - Syslog

CYDERES prefers that alerts be forwarded using SentinelOne's syslog option.

  1. In the SentinelOne management console, navigate to Settings
  2. Select a Scope: All Sites (Global)
  3. In the Settings view, click Integrations
  4. Click SYSLOG
  5. If Syslog is not enabled, move the toggle to enable it
  6. In Host, enter the hostname and port provided to you by CYDERES
  7. Select Use TLS secure connection. If you do not select this, UDP is used by default
  8. In Formatting, select the log format: CEF2
  9. Click TEST
  10. If the test passed, click SAVE
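Once alerts arrive over the syslog channel in CEF format, the receiving side has to split the pipe-delimited header and the key=value extension correctly, including the CEF escaping rules (`\|` in the header, `\=` and `\\` in extension values). The Python below is an added example, not code from the CYDERES page or from SentinelOne: it parses generic CEF lines and flags high-severity records. The sample line is constructed for illustration, and the extension keys in it (rt, src, suser, fname, cs1Label, cs1, msg) are standard CEF keys chosen as assumptions, not a description of what SentinelOne's CEF2 format actually emits.

```python
"""Parse CEF-formatted syslog lines as a receiving SIEM pipeline would.

Added example; the sample record below is constructed and is not a real
SentinelOne event. Field names are standard CEF extension keys (assumed).
"""
import re
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample: syslog PRI + timestamp + host, then the CEF record.
# The header field "New Threat\|Detected" and the value "evil\=stage.exe"
# exercise the escaping rules.
SAMPLE_LINE = (
    "<14>Jan 10 12:34:56 s1-mgmt "
    "CEF:0|SentinelOne|Mgmt|4.1.0|Threat Detected|New Threat\\|Detected|8|"
    "rt=1610000000000 src=10.0.0.5 suser=jdoe fname=evil\\=stage.exe "
    "cs1Label=Site cs1=HQ msg=Hash match found"
)

# A pipe that is not preceded by a backslash terminates a header field.
HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# An extension key sits at the start of the extension or after whitespace
# and is followed by an unescaped '='; escaped '\=' inside values cannot
# match because the backslash is not a key character.
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
HEADER_FIELDS = ["version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity"]


def unescape(value: str) -> str:
    """Undo CEF escaping: \\| \\= \\\\ become the literal char; \\n and \\r are newlines."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k1=v1 k2=v2 ...' where values may contain spaces."""
    fields: Dict[str, str] = {}
    keys = list(EXT_KEY.finditer(ext))
    for i, m in enumerate(keys):
        start = m.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = unescape(ext[start:end])
    return fields


def parse_cef(line: str) -> Dict[str, object]:
    """Return a dict with the seven header fields plus parsed extension.

    Raises ValueError for lines that are not well-formed CEF so the caller
    can count malformed input instead of silently dropping it.
    """
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF header found")
    parts = HEADER_SPLIT.split(line[idx:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header does not have 7 pipe-delimited fields")
    header = [unescape(p) for p in parts[:7]]
    header[0] = header[0][len("CEF:"):]          # keep only the version number
    record: Dict[str, object] = dict(zip(HEADER_FIELDS, header))
    record["severity"] = int(header[6]) if header[6].isdigit() else header[6]
    record["extension"] = parse_extension(parts[7])
    # 'rt' is receipt time in epoch milliseconds per the CEF spec.
    rt = record["extension"].get("rt")
    if rt and rt.isdigit():
        record["event_time"] = datetime.fromtimestamp(
            int(rt) / 1000, tz=timezone.utc).isoformat()
    return record


def summarize(lines: List[str], threshold: int = 7) -> Dict[str, object]:
    """Count parsed vs malformed lines and collect names of high-severity events."""
    parsed, malformed, high = 0, 0, []
    for line in lines:
        try:
            rec = parse_cef(line)
        except ValueError:
            malformed += 1
            continue
        parsed += 1
        if isinstance(rec["severity"], int) and rec["severity"] >= threshold:
            high.append(rec["name"])
    return {"parsed": parsed, "malformed": malformed, "high_severity": high}


if __name__ == "__main__":
    print(parse_cef(SAMPLE_LINE))
    print(summarize([SAMPLE_LINE, "garbage line"]))
```

The parser deliberately refuses lines whose header does not have exactly seven fields rather than guessing, so a mis-selected log format at the sender (step 8 above) shows up as a rising malformed count instead of as silently empty events.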

Configuration - Deep Visibility

SentinelOne can provide full endpoint telemetry through a feature called Deep Visibility/Hermes: SentinelOne publishes the event data to a Kafka queue to which CYDERES can subscribe. More information is available on SentinelOne's support page:

https://support.sentinelone.com/hc/en-us/articles/360026565994-Subscribing-to-Your-Events-Using-the-Deep-Visibility-Exporter-Hermes-

  1. Once the Deep Visibility/Hermes license has been purchased, SentinelOne will provide the following:

    • Kafka Topic Name
    • Kafka Broker address
    • Consumer Username
    • Consumer Password

Gather Information

Provide the following information to CYDERES for implementation.

  • Kafka Topic Name
  • Kafka Broker address
  • Consumer Username
  • Consumer Password