SentinelOne Configuration

Modified on Tue, 23 Jul at 4:34 PM

1.0 Overview

ADR can ingest logs from SentinelOne using an API token or by sending syslogs to the ADR CCE VM.

2.0 Configuration (via API)

  1. In the SentinelOne management console, go to Settings and then click Users.
  2. Click on the Admin that will be used to generate the API token.
  3. Click Generate next to API token.
  4. Click on the Copy API token link.
  5. On the APE dashboard, navigate to Settings -> Provisioning -> Add-on Configuration.
  6. Click the Add button, scroll down to SentinelOne, then click the Next button.
  7. Fill in the fields as follows, then click the Save button.
    • Device: Use the device type 'SentinelOne'.
    • Name: Choose an arbitrary name. It can be the same as the Device type.
    • CCE Host: Enter the IP address of your CCE.
    • Access ID/ User Name: Leave blank.
    • Password/Secret Key: Enter the API token previously copied in step 4.
    • Config: Use a JSON formatted string:
      {"host": "<your_management_url>", "account_type": "<user_account_type>"}
      • <your_management_url>: Enter your SentinelOne management URL (without https://).
      • <user_account_type>: The value can be either "service" or "console". "console" is the default if none is provided.
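The following Python helper is an added example, not part of this article or of ADR; it checks a Config string against the two rules above (bare management host without https://, account_type limited to "service" or "console" with "console" as the default) before you paste it into the Add-on Configuration form. The function name and the sample tenant hostname are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Rules stated in the article for the Config field (hypothetical helper, not ADR code)
ALLOWED_ACCOUNT_TYPES = ("service", "console")
DEFAULT_ACCOUNT_TYPE = "console"


def check_config(config_str):
    """Validate the Config JSON string for the SentinelOne add-on.
    Returns (normalized_config, messages); normalized_config is None when
    the string cannot be used, and messages lists every problem or adjustment."""
    messages = []
    try:
        cfg = json.loads(config_str)
    except json.JSONDecodeError as exc:
        return None, [f"not valid JSON: {exc.msg} at position {exc.pos}"]
    if not isinstance(cfg, dict):
        return None, ["Config must be a JSON object with string values"]

    host = cfg.get("host")
    if not isinstance(host, str) or not host.strip():
        return None, ['missing or empty "host" (your management URL)']
    host = host.strip()
    if "://" in host:
        # The article asks for the URL without https://; keep only the host part
        netloc = urlparse(host).netloc
        messages.append(f'"host" included a scheme; use "{netloc}" instead')
        host = netloc
    host = host.rstrip("/")
    if not host or "/" in host or " " in host:
        return None, messages + ['"host" must be a bare hostname with no path']

    if "account_type" in cfg:
        account_type = cfg["account_type"]
        if account_type not in ALLOWED_ACCOUNT_TYPES:
            return None, messages + [
                f'"account_type" must be one of {ALLOWED_ACCOUNT_TYPES}, got {account_type!r}']
    else:
        account_type = DEFAULT_ACCOUNT_TYPE
        messages.append('"account_type" not set; the default "console" applies')

    extra = sorted(k for k in cfg if k not in ("host", "account_type"))
    if extra:
        messages.append(f"unexpected keys ignored: {extra}")
    return {"host": host, "account_type": account_type}, messages
```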


3.0 Configuration (TCP over TLS)

Follow the steps below to configure SentinelOne to send logs to the ADR CCE VM. These steps are not necessary if you have already configured ingestion with an API token as described in the previous section.

  1. Open the SentinelOne Administrator Console.
  2. Select your site.
  3. On the left side menu, click the slider icon to open the settings menu.
  4. Select the INTEGRATIONS tab.
    1. Under Types, select SYSLOG.
    2. Toggle the button to enable Syslog.
    3. Under Host, enter your CCE VM IP address and port 514.
    4. Under TLS, enable TLS.
    5. Under Formatting, select CEF2.
    6. Save changes.
  5. Configure SentinelOne to send notifications.
    1. Open the NOTIFICATIONS tab.
    2. Under Notification Types, check all options under Syslog notifications.
      Note: We recommend enabling all notification options to send Syslogs. However, this setting is optional.


