SentinelOne is an Endpoint Detection and Response (EDR) solution.
This setup guide will show you how to pull events produced by SentinelOne EDR on SEKOIA.IO.
SentinelOne EDR logs
The standard SentinelOne EDR log collection through the API provides only high-level information, which limits the detection and investigation capabilities of any third-party solution.
Below is a non-exhaustive list of the field types available in SentinelOne's default EDR logs:
- Information about the Endpoint
- Information about the SentinelOne agent installed
- Activity type and its description
Depending on the context of the log, additional content may be available, such as:
- Process information
- Network information
- File information
For advanced log collection, we suggest using the SentinelOne Deep Visibility Kafka option, as described here.
Create an API token
To collect the SentinelOne logs, you must generate an API token from the SentinelOne Management Console.
Important: If you have multiple SentinelOne Management Consoles, you must generate an API Token for each one.
The API token you generate is time limited. To regenerate a new token (and invalidate the old one), log in with the dedicated SentinelOne account. You do not need to create a new account.
- In the SentinelOne management console, go to Settings, and then click
- Click on the Admin user for which you want to generate the API token.
Note: A user with the "Site Admin" role can mitigate threats from SEKOIA.IO. A user with the "Site Viewer" role can view threats but cannot take action.
Note: You can generate a token only for your own user.
Generate next to API Token. It shows the token string and the date on which the token expires.
- Copy the token or click Download to save it.
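The two points above that bite in practice are that each management console needs its own token and that a token silently stops working on its expiry date. The following is an added example, not SEKOIA.IO's or SentinelOne's own code, of a collector that refuses an expired token before calling a console and then pages through its activities. It assumes the public Management API v2.1 shape (GET /web/api/v2.1/activities, an `Authorization: ApiToken <token>` header, cursor pagination in `pagination.nextCursor`, and the `activityType`, `primaryDescription`, `agentId`, `createdAt` fields); the HTTP call is injected as a callable so the code runs offline.

```python
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, Optional, Tuple

# (url, headers, query params) -> parsed JSON body; injected so no network is needed here
Fetch = Callable[[str, dict, dict], dict]


def token_days_left(expires_at: str, now: datetime) -> int:
    """Days until the expiry date shown next to the token (negative = already expired)."""
    expiry = datetime.fromisoformat(expires_at.replace("Z", "+00:00"))
    return (expiry - now).days


def build_request(console_url: str, token: str, since: datetime) -> Tuple[str, dict, dict]:
    """One request per management console: each console has its own token (assumed API shape)."""
    url = console_url.rstrip("/") + "/web/api/v2.1/activities"
    headers = {"Authorization": f"ApiToken {token}", "Content-Type": "application/json"}
    params = {"createdAt__gte": since.isoformat(), "limit": 1000,
              "sortBy": "createdAt", "sortOrder": "asc"}
    return url, headers, params


def iter_activities(console_url: str, token: str, expires_at: str, since: datetime,
                    fetch: Fetch, now: Optional[datetime] = None) -> Iterator[Dict]:
    """Yield the default EDR log fields (agent, activity type, description) from one console."""
    now = now or datetime.now(timezone.utc)
    if token_days_left(expires_at, now) < 0:
        # Fail loudly instead of collecting nothing: the intake would otherwise look idle.
        raise PermissionError(f"API token for {console_url} expired on {expires_at}; regenerate it")
    url, headers, params = build_request(console_url, token, since)
    while True:
        page = fetch(url, headers, params)
        for activity in page.get("data", []):
            yield {
                "agent_id": activity.get("agentId"),
                "activity_type": activity.get("activityType"),
                "description": activity.get("primaryDescription"),
                "created_at": activity.get("createdAt"),
            }
        cursor = page.get("pagination", {}).get("nextCursor")
        if not cursor:
            return  # last page reached
        params = {**params, "cursor": cursor}  # assumed cursor-based pagination
```

Run `token_days_left` against every console's expiry date on a schedule so a token can be regenerated before the intake goes quiet.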
Create a SentinelOne intake
In the SEKOIA.IO Operation Center:
- Click on the
- Search for SentinelOne by navigating the page or using the search bar.
Create on the relevant object.
- Fill in the Name of your intake that will be displayed, the related
- Fill in the SentinelOne API token previously downloaded and the related
Enjoy your events
Once the configuration has been done on the SEKOIA.IO side, go to the events page to watch your incoming events.