SentinelOne is a cybersecurity company that specializes in providing endpoint security solutions using artificial intelligence (AI) and machine learning to detect and protect against advanced threats.
- Endpoint Protection Platform (EPP): An endpoint protection platform that uses AI and machine learning to detect and prevent a wide range of cyber threats, including malware, ransomware, fileless attacks, and zero-day exploits.
- Behavioral AI: Analyzes the behavior of processes and applications in real time, identifying and stopping malicious activity and suspicious behavior before it can cause harm.
- Autonomous Response: Automatically responds to detected threats and contains them without human intervention.
- Deep Visibility: The platform offers deep visibility into endpoints, providing security teams with insights into threat patterns and attack vectors for effective incident investigation and response.
- IoT Security: SentinelOne extends its endpoint protection capabilities to Internet of Things (IoT) and connected devices, securing a wide range of endpoints in modern digital environments.
Ingesting SentinelOne Security Events
The SentinelOne integration involves defining a Syslog Forwarder via the SentinelOne console.
The configuration parameters that need to be defined are:
- The remote (SIEM) syslog receiver FQDN/IP Address.
- The remote (SIEM) syslog receiver TCP port to be used to forward events.
- A client certificate (public and private keys) to be used for TLS mutual authentication against the syslog receiver.
The syslog forwarder configuration can be found under the Integrations section of the SentinelOne management console.
The Notifications tab allows selecting all the alerts and events that should be forwarded to the remote syslog receiver/SIEM.
Visualizations and Events Details