SentinelOne EDR

Table of contents
  1. Syslog Export
    1. System Event Log configuration
      1. Syslog
      2. Syslog w/ TLS
    2. Testing the configurations
  2. API Integration
    1. Existing User
    2. Dedicated Service Account
  3. Adding a Fluency plug-in for SentinelOne EDR
  4. Cloud Funnel 2.0

Fluency’s integration with SentinelOne has three portions:

  • As a SIEM, Fluency has the ability to accept Syslog export from SentinelOne’s cloud portal.
  • Fluency can also use SentinelOne’s API to collect and tabulate Agents, Applications and Threats information on the Fluency Resources page.
  • Lastly, Fluency can ingest and store SentinelOne’s CloudFunnel 2.0 (an additional S1 add-on) feed, to provide deep insight and complete visibility.

Syslog Export

System Event Log configuration

The Syslog configuration page is found under the Settings section of the SentinelOne main menu.

Under the Integrations tab, navigate to the Syslog Section.

Toggle “Enable Syslog”, and complete the “Host” section of the page.

Syslog

The log server address is the designated Syslog URL of your Fluency server. The default normal Syslog port is UDP 514.

<company>.syslog.fluencysecurity.com

NOTE: This information can be found on the **Setup Review** page in the Fluency Portal.

Syslog w/ TLS

It is also possible to configure Syslog over TCP with TLS. In this case, the Syslog port changes to TCP 6514. A server certificate is also required.

Note: The CA cert file is also found and downloaded from the **Setup Review** page in the Fluency Portal.

For all Syslog export methods, the “CEF2” format should be selected.

Testing the configurations

Additionally, the “Test” button can be used to verify the connection.

Should the test be successful, click “Save” to complete the Syslog configuration.

Note: the Syslog setting can be configured either 'per site' or 'per account' in the SentinelOne portal. Choose the appropriate scope for your use-case.
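The portal's “Test” button confirms that SentinelOne can reach the receiver, but it does not tell you whether the CA certificate you downloaded from Setup Review actually validates the Fluency endpoint, or whether UDP 514 is open from another network position. The script below is an added example (not Fluency's or SentinelOne's code) that sends a single CEF test event over plain UDP/514 or TLS/6514 with the CA file enforced. Assumptions: the host names, the `fluency-probe` app name and the CEF vendor/product values are placeholders; the message is a generic CEF:0 line, not SentinelOne's own “CEF2” output; TLS framing follows RFC 5425 octet counting.

```python
"""Send one CEF test event to a syslog receiver over UDP/514 or TLS/6514 (added example)."""
import socket
import ssl
import sys
from datetime import datetime, timezone

FACILITY_USER = 1   # RFC 5424 facility "user-level"
SEVERITY_INFO = 6   # RFC 5424 severity "informational"


def cef_escape_header(value: str) -> str:
    # CEF header fields must escape backslash and the pipe delimiter.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(value: str) -> str:
    # CEF extension values must escape backslash and '='; line breaks become \r \n.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(vendor, product, version, signature_id, name, severity, extensions):
    """Assemble a CEF:0 line; `extensions` is an ordered dict of key -> value."""
    header = "|".join(cef_escape_header(str(f)) for f in
                      (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={cef_escape_ext(str(v))}" for k, v in extensions.items())
    return f"CEF:0|{header}|{ext}"


def syslog_priority(facility: int, severity: int) -> int:
    return facility * 8 + severity


def build_syslog_frame(msg, hostname, appname, facility=FACILITY_USER,
                       severity=SEVERITY_INFO, timestamp=None):
    """Wrap `msg` in an RFC 5424 header: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    ts = (timestamp or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    ts = ts.replace("+00:00", "Z")
    return f"<{syslog_priority(facility, severity)}>1 {ts} {hostname} {appname} - - - {msg}"


def octet_count_frame(line: str) -> bytes:
    # RFC 5425 (syslog over TLS) frames each message as "<byte length> <message>".
    data = line.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def send_udp(host: str, port: int, line: str) -> None:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))


def send_tls(host: str, port: int, line: str, ca_file: str):
    """Send over TLS, trusting only `ca_file`, with hostname verification on."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(octet_count_frame(line))
            return tls.version()   # e.g. "TLSv1.3"; handshake already verified the chain


if __name__ == "__main__":
    # usage: python probe.py <host> udp | python probe.py <host> tls <ca.pem>
    host, mode = sys.argv[1], sys.argv[2]
    event = build_cef("ExampleVendor", "SyslogProbe", "1.0", "100",
                      "Connectivity test", "1", {"src": "10.0.0.5", "msg": "probe"})
    frame = build_syslog_frame(event, socket.gethostname(), "fluency-probe")
    if mode == "udp":
        send_udp(host, 514, frame)
        print("sent over UDP/514 (no delivery confirmation with UDP)")
    else:
        print("sent over", send_tls(host, 6514, frame, sys.argv[3]))
```

A failed TLS handshake here (certificate verify failed, hostname mismatch) tells you the CA file or the host name in the SentinelOne configuration is wrong before any production events are lost; UDP offers no such signal, which is one reason to prefer the TLS variant.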

API Integration

An API token from the SentinelOne portal is used by Fluency to provide API integration.

There are two methods to get an API token:

1) via an existing user, or 2) via a dedicated service account.

Existing User

To get an API token (attached to an existing user), select the User name, and choose My User in the upper right corner of the portal.

On this page, you can choose an option from the Actions dropdown to create or regenerate a new API token.

Dedicated Service Account

To create a dedicated service account, navigate to the Settings section of the SentinelOne main menu. Under the Users tab, navigate to the Service Users Section.

On this page, you can choose an option from the “Actions” dropdown to create a new user

Fill in the appropriate fields and choose “Next” to continue. It is suggested to choose a longer expiration period.

On the following page, select the appropriate “scope” (account/site) for your use-case. The API token will only require the Viewer permission, as the Fluency integration is read-only.

Copy the shown API Token on the next page, and save it for use in Fluency.
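Before pasting the token into Fluency, it is worth confirming that it works and that a Viewer-scoped token is enough for the read-only calls the integration makes (listing agents, applications and threats). The script below is an added example, not part of Fluency's plug-in or SentinelOne's tooling. Assumptions: the SentinelOne Management API v2.1 agents endpoint (`/web/api/v2.1/agents`), the `Authorization: ApiToken <token>` header, cursor pagination via `pagination.nextCursor`, and the agent fields `computerName`, `osType`, `isActive` and `infected` are as I know them from the v2.1 API; verify them against your console's API documentation. The console URL and sample records are placeholders.

```python
"""Read-only check of a SentinelOne API token: list agents and tabulate them (added example)."""
import json
import os
import sys
import urllib.parse
import urllib.request
from collections import Counter

AGENTS_PATH = "/web/api/v2.1/agents"   # assumed v2.1 endpoint; verify against your console docs


def api_get(base_url: str, token: str, path: str, params: dict) -> dict:
    """GET one page. Only GET is used: a Viewer token is read-only by design."""
    url = base_url.rstrip("/") + path + "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={
        "Authorization": f"ApiToken {token}",   # assumed header format
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_pages(fetch, params: dict):
    """Walk cursor pagination; `fetch(params)` returns one decoded page."""
    cursor = None
    while True:
        page_params = dict(params)
        if cursor:
            page_params["cursor"] = cursor
        page = fetch(page_params)
        yield from page.get("data", [])
        cursor = (page.get("pagination") or {}).get("nextCursor")
        if not cursor:
            break


def summarize_agents(agents: list) -> dict:
    """Tabulate agents by OS and list the ones an analyst would look at first."""
    by_os = Counter(a.get("osType", "unknown") for a in agents)
    inactive = [a["computerName"] for a in agents if not a.get("isActive", False)]
    infected = [a["computerName"] for a in agents if a.get("infected")]
    return {"total": len(agents), "by_os": dict(by_os),
            "inactive": inactive, "infected": infected}


# Constructed sample pages (not real SentinelOne data) so the logic runs offline.
SAMPLE_PAGES = [
    {"data": [
        {"computerName": "ws-01", "osType": "windows", "isActive": True, "infected": False},
        {"computerName": "ws-02", "osType": "windows", "isActive": False, "infected": True},
     ],
     "pagination": {"nextCursor": "page2", "totalItems": 3}},
    {"data": [
        {"computerName": "srv-01", "osType": "linux", "isActive": True, "infected": False},
     ],
     "pagination": {"nextCursor": None, "totalItems": 3}},
]


def fetch_sample(params: dict) -> dict:
    """Stand-in for api_get: returns page 2 when the cursor from page 1 is presented."""
    return SAMPLE_PAGES[1] if params.get("cursor") == "page2" else SAMPLE_PAGES[0]


def main() -> None:
    # Token and console URL come from the environment so they never land in argv or shell history.
    token = os.environ.get("S1_API_TOKEN")
    base = os.environ.get("S1_CONSOLE_URL")   # e.g. https://<tenant>.sentinelone.net (placeholder)
    if not token or not base:
        sys.exit("set S1_API_TOKEN and S1_CONSOLE_URL")
    agents = list(iter_pages(lambda p: api_get(base, token, AGENTS_PATH, p), {"limit": 100}))
    print(json.dumps(summarize_agents(agents), indent=2))


if __name__ == "__main__":
    main()
```

An HTTP 401 means the token is wrong or expired (the expiration period chosen when the service user was created applies here); a 403 on a read endpoint means the token's scope does not cover the site or account you are querying, which is exactly the mismatch that would leave the Fluency Resources page empty.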

Adding a Fluency plug-in for SentinelOne EDR

Log in to the Fluency Cloud portal: https://<companyname>.cloud.fluencysecurity.com.

Open the Main Menu from the upper left-hand corner and choose the Cloud Integrations option under the Data Ingress section.

On the following page, navigate to the “Endpoint Management” section.

To Add an API, choose the Sentinelone icon from the group on the left side of the page to create a new endpoint:

NOTE: If an endpoint was set up previously, you can also select and modify it from the right side of the page.

In the pop-up window, enter “Customer”, “API Endpoint”, “API Token” and “Account IDs”, then click the “Save” button to add the connector. The “API only” option is now available.

For example (an existing endpoint, on the right side of the page):

If you do not choose “API only”, more information is required: the “S3 bucket” and “SQL URL” values are obtained from SentinelOne; reach out to the Fluency support team for assistance.

Cloud Funnel 2.0

If available, the Cloud Funnel configuration page is found under the Settings section of the SentinelOne main menu.

Under the Integrations tab, navigate to the Cloud Funnel Section to see it.

Page last updated: 2023 Aug 07 16:37:10 EDT