Skip to main content

SentinelOne

SentinelOne platform delivers the defenses to prevent, detect, and undo—known and unknown—threats. This integration allows you to send logs from your SentinelOne applications to your Logz.io SIEM account.

Before you begin, you'll need:

  • SentinelOne installed
  • Filebeat installed
  • Root access
Install the SentinelOne certificate on your Filebeat server

SentinelOne sends encrypted data, so you'll need to create a dedicated SentinelOne certificate to decrypt the logs by the Filebeat server.

sudo mkdir /etc/filebeat/certificates
sudo openssl req -newkey rsa:2048 -nodes \
-keyout /etc/filebeat/certificates/SentinelOne.key -x509 \
-days 365 \
-out /etc/filebeat/certificates/SentinelOne.crt
Download the Logz.io public certificate to your credentials server

For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.

sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Configure Filebeat

Open the Filebeat configuration file (/etc/filebeat/filebeat.yml) with your preferred text editor. Copy and paste the code block below, overwriting the previous content.

note

Filebeat requires a file extension specified for the log input.

This code block adds SentinelOne as an input and sets Logz.io as the output.

# ... Filebeat inputs
filebeat.inputs:
- type: tcp
max_message_size: 10MiB
host: "0.0.0.0:6514"
ssl.enabled: true
ssl.certificate: "/etc/filebeat/certificates/SentinelOne.crt"
ssl.key: "/etc/filebeat/certificates/SentinelOne.key"
ssl.verification_mode: none
fields:
logzio_codec: json
token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
type: sentinel_one
fields_under_root: true
- type: udp
max_message_size: 10MiB
host: "0.0.0.0:6514"
ssl.enabled: true
ssl.certificate: "/etc/filebeat/certificates/SentinelOne.crt"
ssl.key: "/etc/filebeat/certificates/SentinelOne.key"
ssl.verification_mode: none
fields:
logzio_codec: json
token: <<LOG-SHIPPING-TOKEN>>
type: sentinel_one
fields_under_root: true
filebeat.registry.path: /var/lib/filebeat
#The following processors are to ensure compatibility with version 7
processors:
- rename:
fields:
- from: "agent"
to: "beat_agent"
ignore_missing: true
- rename:
fields:
- from: "log.file.path"
to: "source"
ignore_missing: true
### Outputs
output:
logstash:
hosts: ["<<LISTENER-HOST>>:5015"]
ssl:
certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

Replace the placeholders to match your specifics. (They are indicated by the double angle brackets << >>):

  • Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

  • Replace <<LISTENER-HOST>> with the host for your region. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe.

  • Replace the host port with your syslog port details. The above example has host: "0.0.0.0:9000" but you should change it to your specifics.

note

One last validation - make sure Logz.io is the only output and appears only once. If the file has other outputs, remove them.

Start Filebeat

Start or restart Filebeat for the changes to take effect.

Configure SentinelOne to send logs to Logzio

Open the SentinelOne Admin Console. Configure SentinelOne to send logs to your Syslog server.

  1. Select your site.
  2. In the left side menu, click the slider icon [⊶] to open the Settings menu.
  3. Open the INTEGRATIONS tab, and fill in the details:
    1. Under Types, select SYSLOG.
    2. Toggle the button to enable SYSLOG.
    3. Host - Enter your public SYSLOG server IP address and port.
    4. Formatting - Select CEF2.
    5. Save your changes.

SentinelOne Admin Console configuration

Configure SentinelOne to send notifications

In the same screen, open the NOTIFICATIONS tab, and fill in the details:

Under Notification Types, check all options under Syslog notifications.

We recommend enabling all notification options to send Syslog logs. Still, it is optional. Note that if you leave some Syslog notification options disabled, it may interfere with Logz.io's detection rules.

SentinelOne Admin Console configuration

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards.

If you still don't see your logs, see Filebeat troubleshooting.