
SentinelOne

Endpoint security software that defends every endpoint against every type of attack, at every stage in the threat lifecycle.

Chronicle Data Types & Collection Method

Data Type          Collection Method
SENTINELONE_EDR    Syslog (CEF2 formatting)
SENTINELONE_DV     Kafka queue subscription (Deep Visibility/Hermes exporter)

Configuration - Endpoint Detection & Response (EDR)

SentinelOne can send focused endpoint telemetry (the management console's administrative notifications) to Chronicle via its syslog integration.

  1. In the SentinelOne management console, navigate to Settings
  2. Select a Scope: All Sites (Global)
  3. In the Settings view, select Notifications
  4. In Notification Types, select Administrative
  5. Select the Syslog box for each Administrative notification except the scan-related ones (scan new agents changed, full disk scan operations)

  6. In the Settings view, select Integrations

  7. In Types, select SYSLOG
  8. Toggle on the SYSLOG box
  9. In the Host field enter the hostname and port provided by Cyderes
  10. Select Use TLS secure connection

    • If this is left unselected, the console falls back to plain UDP syslog, which sends the notifications in cleartext with no delivery guarantee; always enable TLS for a feed that leaves your network for Cyderes
  11. In Formatting, select CEF2

  12. Select TEST

  13. If the test passes, select SAVE
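Once the syslog feed is flowing, the collector side needs to parse what arrives. The following is an added example (not part of the original page or of any SentinelOne or Cyderes tooling) showing how to parse CEF-formatted syslog lines of the kind step 11 produces: the seven pipe-delimited header fields with `\|` and `\\` escapes, the `key=value` extension with `\=` escapes, and an optional syslog PRI/timestamp/relay-host prefix in front of the `CEF:` payload. The sample lines, vendor/product strings, hostnames and field values are constructed for illustration; real SentinelOne output will differ in its exact fields.

```python
import re
from typing import Dict, List, Tuple, Union

# Constructed sample input: three lines in the shape a SentinelOne
# administrative notification might take after CEF2 export over syslog.
# Vendor/product strings, hostnames and values are illustrative only.
SAMPLE_CEF: List[str] = [
    r"CEF:0|SentinelOne|Mgmt|4.0.0|1|Threat Detected|9|rt=Jan 02 2024 03:04:05 "
    r"suser=jdoe shost=WS-0042 fname=C:\\Temp\\evil.exe cs1Label=Site cs1=HQ "
    r"msg=Hash\=abc123 quarantined",
    # Same shape, but relayed with a syslog PRI/timestamp/hostname prefix and
    # with an escaped pipe inside the Name header field.
    r"<14>Jan  2 03:10:00 s1-mgmt CEF:0|SentinelOne|Mgmt|4.0.0|2|"
    r"Agent Disconnected \| Offline|3|rt=Jan 02 2024 03:10:00 shost=WS-0042 "
    r"msg=Agent missed heartbeat",
    r"CEF:0|SentinelOne|Mgmt|4.0.0|3|Full Disk Scan Started|1|"
    r"rt=Jan 02 2024 03:12:00 shost=WS-0043",
]

HEADER_FIELDS = ("version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# A CEF extension key starts the string or follows whitespace and is
# immediately followed by '='. An escaped '\=' inside a value never matches
# because the character before '=' is a backslash, not a key character.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.-]+)=")


def _split_header(line: str) -> Tuple[List[str], str]:
    """Split the 7 pipe-delimited header fields, honouring \\| and \\\\ escapes.
    Returns (fields, remaining_extension_text)."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if c == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return fields, line[i:]


def _unescape(value: str) -> str:
    """Undo CEF extension escaping: \\= \\\\ \\n \\r."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k1=v1 k2=v2 ...' where values may contain spaces; each value
    runs up to the whitespace that precedes the next key."""
    out: Dict[str, str] = {}
    matches = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].rstrip())
    return out


def parse_cef(line: str) -> Dict[str, Union[str, int, Dict[str, str]]]:
    """Parse one syslog/CEF line. Anything before 'CEF:' (syslog PRI,
    timestamp, relay hostname) is ignored so bare and relayed lines both work."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    fields, ext = _split_header(line[start:])
    rec: Dict[str, Union[str, int, Dict[str, str]]] = dict(zip(HEADER_FIELDS, fields))
    rec["version"] = int(str(rec["version"]).split(":", 1)[1])
    sev = str(rec["severity"])
    rec["severity"] = int(sev) if sev.isdigit() else sev  # CEF allows 0-10 or words
    rec["extension"] = _parse_extension(ext)
    return rec


def high_severity_hosts(lines: List[str], threshold: int = 7) -> List[str]:
    """Hostnames (shost) of SentinelOne events at or above the severity threshold."""
    hosts: List[str] = []
    for line in lines:
        rec = parse_cef(line)
        sev = rec["severity"]
        if rec["device_vendor"] == "SentinelOne" and isinstance(sev, int) and sev >= threshold:
            hosts.append(rec["extension"].get("shost", "?"))  # type: ignore[union-attr]
    return hosts


if __name__ == "__main__":
    for raw in SAMPLE_CEF:
        r = parse_cef(raw)
        print(f'sev={r["severity"]} {r["name"]!r} ext={r["extension"]}')
    print("high severity hosts:", high_severity_hosts(SAMPLE_CEF))
```

The header walker and the extension splitter are kept separate because the two halves of a CEF line use different escaping rules; collapsing them into one `split("|")` or `split(" ")` is the usual source of mis-parsed file paths and messages in home-grown collectors.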

Configuration - Deep Visibility

SentinelOne can provide full endpoint telemetry through its Deep Visibility feature (exporter codename Hermes). SentinelOne publishes the event stream to a Kafka topic that Cyderes subscribes to. More information can be found on their support page:

https://support.sentinelone.com/hc/en-us/articles/360026565994-Subscribing-to-Your-Events-Using-the-Deep-Visibility-Exporter-Hermes-

  1. Once the Deep Visibility/Hermes license has been purchased, request the Kafka integration information from S1
  2. Open the email from S1, which contains a link to a dead-drop page along with temporary access credentials

    • The access credentials in the email expire after 24 hours, so complete this step promptly, or request that the credentials be reset and resent if they have already expired
  3. Retrieve the following information from the dead-drop page and provide it to Cyderes to complete the integration:

    • Kafka Topic Name
    • Kafka Broker Address
    • Consumer Username
    • Consumer Password