This article covers how to configure Endpoint Detection and Response (EDR) and SentinelOne Alerts in Chronicle.
SentinelOne is endpoint security software that defends every endpoint against every type of attack, at every stage of the threat life-cycle.
Chronicle Data Types & Collection Method
| Data Type | Method |
|---|---|
| SENTINELONE_EDR | Syslog CEF2 |
| SENTINELONE_DV | Kafka Queue Subscription |
Prerequisites
- API token
- Management URL (The management URL will usually be in the format https://organisation_name.sentinelone.net/web)
- Confirm API version (usually 2.1)
Configuring Endpoint Detection & Response (EDR)
Obtain an API token from SentinelOne for a new user with the appropriate permission levels.
The API token is generated in the SentinelOne dashboard:
1. Click My User, at the top right of the screen.
2. Click Generate API token.
3. Copy the token, or click Download and save the API token.
For example:
Authorization: C2TWj3qxLhlQZAXjtfUyk7TPUfqBokdnzffE7Ik5e7alW6fy30TifqQ8YK5M9KsNxKqiKEdzfTfg3fh4
Configuring SentinelOne Alerts in Chronicle
1. After copying the details and the blob service URI, open Chronicle and select FEEDS under the Settings option.
2. Select the source type and log type as mentioned below, then click NEXT.
3. Paste the Authorization token and the API Hostname into the blanks.
4. Click Submit.
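As an added pre-flight check that is not part of the original article: this Python script derives the API Hostname that the Chronicle feed form asks for from the management URL, reads the token from the environment instead of a hard-coded string, and confirms the token against the SentinelOne management API before it is pasted into Chronicle. The v2.1 path /web/api/v2.1/system/info and the ApiToken authorization scheme are assumptions about the SentinelOne API, not values from this article.

```python
"""Pre-flight check for the SentinelOne -> Chronicle feed prerequisites.

Added example, not part of the original article. Assumed: the REST path
/web/api/v2.1/system/info and the "ApiToken" Authorization scheme.
"""
import json
import os
import urllib.request
from urllib.parse import urlparse


def api_hostname(management_url: str) -> str:
    """Reduce a management URL (https://org.sentinelone.net/web) to the bare
    hostname that Chronicle expects in the "API Hostname" field."""
    parsed = urlparse(management_url.strip())
    host = parsed.netloc or parsed.path.split("/")[0]  # tolerate a missing scheme
    host = host.lower().rstrip(".")
    if parsed.scheme and parsed.scheme != "https":
        raise ValueError("management URL must use https")
    if not host.endswith(".sentinelone.net"):
        raise ValueError(f"unexpected management host: {host!r}")
    return host


def auth_header(token: str) -> dict:
    """Build the header the SentinelOne API expects (assumed ApiToken scheme)."""
    token = token.strip()
    if not token:
        raise ValueError("empty API token")
    return {"Authorization": f"ApiToken {token}"}


def check_token(management_url: str, token: str, api_version: str = "2.1") -> dict:
    """Call system/info (assumed endpoint) to confirm the token and API version
    work before the token goes into Chronicle. Returns the response 'data'."""
    url = f"https://{api_hostname(management_url)}/web/api/v{api_version}/system/info"
    req = urllib.request.Request(url, headers=auth_header(token))
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["data"]


if __name__ == "__main__":
    # The token is a secret: take it from the environment, never from a file
    # checked into a repo or pasted into a ticket.
    mgmt = os.environ["S1_MANAGEMENT_URL"]
    tok = os.environ["S1_API_TOKEN"]
    print("API Hostname:", api_hostname(mgmt))
    print("Token accepted, build:", check_token(mgmt, tok).get("build"))
```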