Skip to main content

API - SentinelOne Audit Logs

Jason Phelps
  • Updated

TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: API Log Source
ENVIRONMENT: Sentinel One
SUMMARY: Configuration Guide for Sentinel One Activity Ingestion

Vendor Information

VendorSentinel One
Supported Model Name/Number 
Supported License Version(s) 
Collection MethodAPI / Syslog
Provider NameSyslog-SentinelOne
Additional Information 

Device Configuration Checklist

Create a Role for the Service User

  1. In the SentinelOne management console, go to Settings, select USERS, and then select Roles.
  2. Select the built-in Viewer role, then choose Duplicate Role in the Actions drop down menu
  1. Provide a name for the new user role (e.g. Huntress SIEM Integration) then select NEXT.
  2. Navigate to the following sections and add the noted permissions:
    1. Console Integrations (Edit, Create)
    2. Notification Settings (Edit, Create)

 

Create Service User

  1. In the SentinelOne management console, go to Settings, select USERS, and then select Service Users.
  2. Create a new Service User by specifying a name and an expiration date, then click Next.

The API token you generate is time-limited. To generate a new token (and invalidate the old one), you may need to copy the Service User. Please refer to the SentinelOne documentation for more information on how to perform these steps.

  1. On the Scope of Access screen, you will want to select Account in the Access Level section. This allows you to use a single token to map all SentinelOne Sites within Huntress. Otherwise, you will need to create multiple integrations and track the expiration of each token separately.
  2. Click Create User to obtain the API token.
  3. Securely copy the API token for the service user, then choose Close.

Create Huntress Integration

  1. Navigate to Huntress SIEM -> Source Management -> SentinelOne
  2. Select the green +Add button to create a new Sentinel One configuration. 

  3. Enter the details of the configuration as needed, including the API key obtained in the first two steps. Save the configuration. The Default Organization will be where logs that aren't endpoint or site-specific will be stored.

  4. After saving, you'll be directed to the Configure page where you will need to map the organizations between SentinelOne and Huntress. For each SentinelOne Site, select a Huntress equivalent organization from the dropdown.  Any data received from unmapped organizations will be discarded.

     

The License Count column will determine the number of data sources billed per mapped organization.

Any data received from SentinelOne for a Site that is not mapped will be discarded.

Once the organizations have been mapped, the SentinelOne configuration page will show the mapped log sources.

Related articles