SOCFortress Integrations — SentinelOne EndPoint Protection

SOCFortress
2 min read · Aug 5, 2023

Intro

SOCFortress integration and visualization tools let security analysts visualize and triage SentinelOne security events from a single pane of glass.

About SentinelOne

SentinelOne is a cybersecurity company that specializes in providing endpoint security solutions using artificial intelligence (AI) and machine learning to detect and protect against advanced threats.

SentinelOne’s features:

  • Endpoint Protection Platform (EPP): Advanced Endpoint Protection Platform that uses AI and machine learning to detect and prevent a wide range of cyber threats, including malware, ransomware, fileless attacks, and zero-day exploits.
  • Behavioral AI: Analyzes the behavior of processes and applications in real time, identifying and stopping malicious activity and suspicious behavior before it can cause harm.
  • Autonomous Response: Automatically respond to detected threats and contain them without human intervention.
  • Deep Visibility: The platform offers deep visibility into endpoints, providing security teams with insights into threat patterns and attack vectors for effective incident investigation and response.
  • IoT Security: SentinelOne extends its endpoint protection capabilities to Internet of Things (IoT) and connected devices, securing a wide range of endpoints in modern digital environments.

Ingesting SentinelOne Security Events

The SentinelOne integration involves defining a Syslog Forwarder via the SentinelOne console.

The configuration parameters that need to be defined are:

  • The remote (SIEM) syslog receiver FQDN/IP Address.
  • The remote (SIEM) syslog receiver TCP port to be used to forward events.
  • A client certificate and its private key, used for TLS mutual authentication against the syslog receiver.

The syslog forwarder configuration can be found under the Integrations section of the SentinelOne management console:

The Notifications tab lets you select all the alerts and events that should be forwarded to the remote syslog/SIEM receiver:
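The receiver side of that setup, as an added example that is not from this post or from SOCFortress: an rsyslog configuration that mirrors the three forwarder parameters above. The receiver presents its own server certificate, listens on the TCP port the forwarder is pointed at, and requires a client certificate issued by the same CA as the forwarder's certificate, accepting only the certificate name configured for the forwarder. The port, file paths, peer name and log path are assumptions.

```conf
# Receiver-side TLS defaults (gtls = GnuTLS network stream driver).
# The server certificate must match the FQDN/IP entered in the
# SentinelOne forwarder; the CA file must be able to verify the
# client certificate uploaded there (assumed paths).
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/certs/receiver-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/certs/receiver-key.pem"
)

# TCP listener with mutual TLS: mode 1 = TLS only, authMode x509/name
# = the client must present a CA-signed certificate AND its subject
# name must be in permittedPeer. An unauthenticated sender is dropped
# at the handshake, so nothing it sends reaches the ruleset.
module(load="imtcp"
       streamDriver.name="gtls"
       streamDriver.mode="1"
       streamDriver.authMode="x509/name"
       permittedPeer=["sentinelone-forwarder.example.org"])   # assumed name

# Port must match the TCP port configured in the SentinelOne console
# (6514 is the IANA port for syslog over TLS; assumed here).
input(type="imtcp" port="6514" ruleset="sentinelone")

# Keep SentinelOne events separate from the host's own syslog so the
# SIEM collector can pick them up from one known location (assumed path).
ruleset(name="sentinelone") {
  action(type="omfile" file="/var/log/sentinelone/events.log")
}
```

Test the handshake from the receiver side before enabling the forwarder, for example with `openssl s_client` using the forwarder's certificate and key; a connection that is refused at the handshake (rather than after sending data) confirms that client authentication is actually enforced.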

Visualizations and Events Details

Alerts summary:

Events table:

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).