SentinelOne Deep Visibility
SentinelOne Deep Visibility extends the SentinelOne EDR to provide full visibility into endpoint data. Its patented kernel-based monitoring allows a near real-time search across endpoints for all indicators of compromise (IOC) to empower security teams to augment real-time threat detection capabilities with a powerful tool that enables threat hunting.
This setup guide shows you how to pull the events produced by SentinelOne Deep Visibility into SEKOIA.IO.
SentinelOne Deep Visibility logs
SentinelOne Deep Visibility provides in-depth logs that are useful for detection and investigation purposes.
Important: Please contact your point of contact at SentinelOne in order to subscribe to this option and collect the technical information required to retrieve those logs via the SentinelOne Kafka feed.
No additional installation or configuration on the agents is needed.
Please find below a short list of the activities that are available for security supervision thanks to SentinelOne Deep Visibility logs:
- File Modification
- File Creation
- File Deletion
- Process Creation
- Process Exit
- Process Termination
- Command line arguments
- DNS Query
- TCPv4 Connection
- TCPv4 Listen
- HTTP Request
- Registry Key Security Changed
- Registry Value Modified
- Registry Value Delete
- Scheduled Task Update
- Scheduled Task Start
- Scheduled Task Trigger
Set up a SentinelOne Kafka server
To collect the SentinelOne Deep Visibility logs, the API format is not appropriate because of the SentinelOne rate limits and the high volume of logs to be pulled from the SentinelOne instance. SentinelOne therefore offers a solution based on Kafka, which can be delivered after a subscription with SentinelOne.
Important: If you have multiple SentinelOne Management Consoles, you must subscribe to a Kafka topic for each one.
Compared to the API connection used for standard SentinelOne logs, the secrets used to collect the logs via Kafka have no expiry.
Create a SentinelOne Deep Visibility intake
In the SEKOIA.IO Operation Center:
- Click on the
- Search for SentinelOne Deep Visibility by navigating the page or using the search bar.
- Create on the relevant object.
- Fill in the Name of your intake that will be displayed, the related
- Fill in the SentinelOne information that you collected with your SentinelOne Point of Contact:
Enjoy your events
Once the configuration has been completed on the SEKOIA.IO side, you can go to the events page to watch your incoming events.