SentinelOne

Endpoint security software that defends every endpoint against every type of attack, at every stage in the threat lifecycle.

Chronicle Data Types & Collection Method

Data Type         Method
SENTINELONE_EDR   Syslog CEF2
SENTINELONE_DV    AWS S3

Configuration - Endpoint Detection & Response (EDR)

SentinelOne can provide focused endpoint telemetry data via the syslog integration.

  1. In the SentinelOne management console, at the Account level, navigate to Settings > Notifications.
  2. Under Notification Types, select All.
  3. Select the Syslog checkbox for each Notification type except scan new agents changed and full disk scan operations.
  4. Once this is completed, in the Settings view, select Integrations.
  5. Under Types, select SYSLOG.
  6. Toggle on the Enable Syslog radio button.
  7. In the Host field, enter the hostname and port provided by Cyderes.
  8. Select Use TLS secure connection.
    • If this is not selected, UDP is used by default, which is neither recommended nor supported for these logs.
  9. Under Formatting, select CEF2.
  10. Select TEST.
  11. If the test passed, select SAVE.

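The Syslog integration configured above emits events in CEF format. The parser below is an added example (not code from this page or from SentinelOne) showing how a collector splits a CEF line into its syslog prefix, the seven header fields and the key=value extension while honouring the CEF escapes; the sample event is constructed, and its vendor, product, signature and field values are illustrative rather than real SentinelOne output.

```python
# Parse a CEF syslog line like those the Syslog/CEF2 integration emits. Added example,
# not code from the page or from SentinelOne; the sample event is constructed and its
# field names/values are illustrative only. Handles the CEF escapes \| (header), \= and \\.
import re

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")   # start of an extension key
_unescape = lambda s: re.sub(r"\\(.)", r"\1", s)          # drop backslash, keep char

# Constructed sample (not real SentinelOne output); note the escaped '|' and '='.
SAMPLE = ("<14>1 2024-01-15T10:32:11Z s1-console CEF:0|SentinelOne|Mgmt|2.0|18|"
          "Threat Detected\\|Mitigated|9|rt=Jan 15 2024 10:32:11 suser=jdoe shost=WS-0042 "
          "src=10.0.0.42 cs1Label=Threat Name cs1=EICAR\\=Test msg=File quarantined")


def _split_header(body):
    """Split on unescaped '|' into the 7 header fields plus the raw extension string."""
    parts, cur, i = [], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):       # keep escape pair intact for now
            cur.append(body[i:i + 2]); i += 2; continue
        if body[i] == "|" and len(parts) < len(HEADER_FIELDS):
            parts.append("".join(cur)); cur = []
        else:
            cur.append(body[i])
        i += 1
    parts.append("".join(cur))
    return parts


def parse_extension(ext):
    """Extension is 'key=value key=value'; values may contain spaces, so split on keys."""
    keys = list(_KEY_RE.finditer(ext))
    return {m.group(1): _unescape(ext[m.end():(n.start() if n else len(ext))].strip())
            for m, n in zip(keys, keys[1:] + [None])}


def parse_cef(line):
    """Return dict with syslog_prefix, the 7 header fields and an 'extension' dict."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF: marker in line")
    parts = _split_header(line[idx + 4:])
    if len(parts) != len(HEADER_FIELDS) + 1:
        raise ValueError("CEF header needs exactly 7 '|'-separated fields")
    event = {"syslog_prefix": line[:idx].rstrip()}
    event.update({k: _unescape(v) for k, v in zip(HEADER_FIELDS, parts[:-1])})
    event["extension"] = parse_extension(parts[-1])
    return event
```

Running `parse_cef(SAMPLE)` yields the vendor, the unescaped event name and a dictionary of extension fields; a line without a `CEF:` marker or with fewer than seven header fields is rejected, which is a useful sanity check on what actually arrives at the collector.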
Configuration - Automated Health Check Service User

For Managed EDR customers, Cyderes offers an automated Health Check dashboard in your customer portal. To perform this integration, a properly scoped Service User will need to be created.

  1. In the SentinelOne management console, at the Account level, navigate to Settings > Users > Service Users.
  2. Click Actions and select Create New Service User.
  3. Use the following values to create a new Service User:
    • Name - YourCustomerName-API-HealthReview
    • Description - Cyderes Health Review API Key-view only
    • Expiration - 2 years
    • Click Next
  4. On the Select Scope of Access screen, select Account. Note that if your User Account has access to multiple Customer accounts, there will be multiple Customer accounts listed here.
  5. Check the box next to the correct Customer Account.
  6. Ensure the Viewer role is selected for this Service User.
  7. Click Create User. You may be prompted to re-authenticate. If so, re-authenticate and click Confirm Action.
  8. The Service User’s API Token will be shown. Ensure you copy the value before clicking Close or you will need to recreate the Service User.
  9. Provide this API Token and Console URL to the Cyderes Managed Endpoint team using a secure method such as Secure Email.

Configuration - Singularity Cloud Funnel

Singularity Cloud Funnel is a feature of SentinelOne that enables the secure streaming of XDR data to a cloud storage provider for use in SIEM and SOAR tools, and other security workflows.

Singularity Cloud Funnel

Singularity Cloud Funnel Data Sheet

To complete the integration between Cyderes and Singularity Cloud Funnel, follow the AWS S3 Bucket or Google Cloud Storage guide.

Info

It is important to note that an additional license needs to be purchased from SentinelOne in order to use the Singularity Cloud Funnel feature.