The SentinelOne integration involves defining a Syslog Forwarder via the SentinelOne console.
The configuration parameters that need to be defined are:
The syslog forwarder config can be found under the Integrations section in SentinelOne management console:
In the syslog host section, provide the public FQDN firehose.mycompany.com.
Define the TCP port provided by SOCFortress staff.
Select “Use TLS secure connection” and upload the following certificates:
NOTE: Before testing connectivity, ensure that the firewall rules in your on-prem firewall are in place (see next).
Finally, select RFC-5424 as the log format.
SentinelOne will forward alerts and events using their cloud endpoints as the source IP(s). Ensure that the following firewall rule is defined in your edge firewall:
NOTE: If you are not sure which source IPs / cloud endpoints SentinelOne will use for your region, ask SentinelOne support.
The Notifications tab will allow selecting all the alerts and events that should be forwarded to the remote syslog/SIEM:
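As an added pre-flight check (not part of this article, nor SentinelOne's or SOCFortress's own tooling), the script below builds an RFC 5424 message, frames it with octet counting, and sends it over a verified TLS connection to the firehose the same way the forwarder will, so that firewall and certificate problems surface before you test from the console. The port number, the CA bundle name and the client certificate file names are placeholders; substitute the values SOCFortress provided.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

FIREHOSE_HOST = "firehose.mycompany.com"  # public FQDN from the article
FIREHOSE_PORT = 6514  # placeholder: use the TCP port SOCFortress provides

def sd_escape(value: str) -> str:
    """Escape a structured-data PARAM-VALUE as RFC 5424 section 6.3.3 requires."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def build_rfc5424(msg: str, hostname: str = "s1-preflight", appname: str = "preflight",
                  facility: int = 1, severity: int = 6, msgid: str = "TEST",
                  sd: Optional[dict] = None, timestamp: Optional[str] = None) -> str:
    """Return one RFC 5424 syslog line (the log format selected in the console)."""
    pri = facility * 8 + severity  # PRI field = facility * 8 + severity
    ts = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    if sd:
        params = " ".join(f'{k}="{sd_escape(v)}"' for k, v in sd.items())
        sd_elem = f"[preflight@32473 {params}]"  # 32473 is the RFC-reserved example PEN
    else:
        sd_elem = "-"
    return f"<{pri}>1 {ts} {hostname} {appname} - {msgid} {sd_elem} {msg}"

def frame_octet_counting(line: str) -> bytes:
    """Frame a message for syslog over TLS with octet counting (RFC 6587 / RFC 5425)."""
    body = line.encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body

def send_tls(frame: bytes, host: str = FIREHOSE_HOST, port: int = FIREHOSE_PORT,
             cafile: str = "socfortress-ca.pem", certfile: Optional[str] = None,
             keyfile: Optional[str] = None, timeout: float = 10.0) -> str:
    """Send one frame over TLS with server verification; return the negotiated TLS version."""
    # Connection refused / timeout -> check the edge firewall rule;
    # certificate verification error -> check the certificates uploaded to the console.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:  # present a client certificate if the firehose requires mutual TLS
        ctx.load_cert_chain(certfile, keyfile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame)
            return tls.version() or "unknown"

if __name__ == "__main__":
    line = build_rfc5424("forwarder pre-flight test", sd={"site": "hq", "note": 'has " and ]'})
    print("TLS version negotiated:", send_tls(frame_octet_counting(line)))
```

Run it from the network path SentinelOne's cloud will use, not from inside your perimeter, since the article's firewall rule is about inbound traffic from SentinelOne's endpoints.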