SentinelOne Endpoint Detection and Response

SentinelOne Endpoint Detection and Response (EDR) is agent-based threat detection software that can address malware, exploits, and insider attacks on your network.

InsightIDR supports the configuration of SentinelOne as an event source, which parses SentinelOne EDR logs into the Virus Alert log set. There is more than one way to configure SentinelOne EDR in InsightIDR. We provide the steps to send logs through the API; however, you can also use Syslog.

To set up SentinelOne, you’ll need to:

  1. Review Before you Begin
  2. Configure SentinelOne EDR in InsightIDR
  3. Verify the Configuration
  4. Example Logs

You can learn more about SentinelOne EDR by visiting their product website: https://www.sentinelone.com/

Before you Begin

Before you configure the SentinelOne event source in InsightIDR, you need to review the requirements and configure SentinelOne EDR to send its logs to your collector.

Review the Requirements

If you are using the SentinelOne API collection method, you’ll need an API key that the integration can use to access the SentinelOne EDR API. You must have admin-level user access to create the key.

Configure SentinelOne EDR to Send Logs to InsightIDR

This task is only required if you're using the API collection method. If you are using another collection method and are not sure how to set it up, contact SentinelOne Customer Support at: https://www.sentinelone.com/support/

To obtain credentials from SentinelOne:

  1. In your SentinelOne environment, sign into the Management Console as an admin-level user.
  2. Go to Settings > Users > Service Users.
  3. Create a new service user to generate a token.
  4. Take note of the expiration date that you set for the service user. The service user is time-limited.
  5. Take note of the API key.

Configure InsightIDR to Collect Data from the Event Source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for SentinelOne EDR in the event sources search bar.
    • In the Product Type filter, select Virus Scan.
  3. Select the SentinelOne EDR event source tile.
  4. Choose the timezone that matches the location of your event source logs.
  5. (Optional) Select Send Unparsed Logs.
  6. Select a collection method:
    • If you choose the SentinelOne EDR API method:
      • Create a new credential. In the Name field, enter a name for the credential and, in the API Key field, enter the SentinelOne API key you previously generated.
      • Take note of the SentinelOne API URL, which appears in the address bar of your browser when you are logged into the SentinelOne Management Console. For example, usea1-partners.sentinelone.net.
    • If you choose the Listen on Network Port method:
      • Specify the Port number and a Protocol.
      • (Optional) If you choose TCP, encrypt the event source by downloading the Rapid7 Certificate.
    • If you choose the Log Aggregator method:
      • Select your Log Aggregator format.
      • Specify the Port number and a Protocol.
      • (Optional) If you choose TCP, encrypt the event source by downloading the Rapid7 Certificate.
    • If you choose the Tail File method:
      • Create a new credential. Enter a name for the credential in the Name field.
      • Enter the Subdomain and Token/Secret.
    • If you choose the Watch Directory method:
      • Create a new credential. Enter a name for the credential in the Name field.
      • Enter your Username and Password.
      • Enter a valid UNC path.
  7. Click Save.

Verify the Configuration

To view your SentinelOne logs in the collector:

  1. In the new event source, click View Raw Log. If log messages appear in the box, it indicates that logs are flowing to the Collector.
  2. From the left menu, select Log Search.
  3. Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name or SentinelOne if you did not name the event source. SentinelOne logs flow into the Virus Alert log set.

Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but none appear in Log Search after that time, your logs do not match the recommended format and type for this event source.

Example Logs

Syslog Event Examples

  <11>CEF:0|SentinelOne|Mgmt|OS X|2009|Quarantine failed|1|fileHash=3b1c74da6992c7c3344877f64b90350cc3d26ba9 filePath=/private/var/folders/myFolder/abcdefghijklmnop/Q/update.latgjkr ip=71.81.171.21 cat=SystemEvent suser=QWERT1234 rt=#arcsightDate(Thu, 18 Jul 2019, 04:01:25 UTC) activityID=672713391235496404 activityType=2009 accountId=558367143096221698 accountName=Rapid 7 Institute of Institutionary Research notificationScope=SITE

  <12>CEF:0|SentinelOne|Mgmt|Windows 10|19|New active threat - machine ZXCVPOIU4209|1|rt=2019-07-18 23:09:33.339840 fileHash=841be03a8cd3ea0b928b78057938c80cee381ef7 filePath=\Device\Disk\Downloads\WinPython-64bit-1.2.3.4\Python.exe cat=SystemEvent activityID=673291264933600452 activityType=19 accountId=558367143096221698 accountName=Rapid 7 Institute of Institutionary Research notificationScope=SITE

  <13>CEF:0|SentinelOne|Mgmt|Windows 10|672481513257659769|New Suspicious threat detected - machine ASDF1011|1|fileHash=de71d039bebdf92cbd678f7a500ea1c05345af00 filePath=\Device\ADisk\Acrobat Pro 2034\Acrobat.exe cat=SystemEvent rt=Wed, 17 Jul 2019, 20:20:43 UTC uuid=558367240437629206 activityID=672481513257659769 activityType=4002 accountId=558367143096221698 accountName=Rapid 7 Institute of Institutionary Research notificationScope=SITE

API Malware Event Example

{
  "agentDetectionInfo": {
    "accountId": "1234567890",
    "accountName": "Sanitised Inc",
    "agentDetectionState": null,
    "agentDomain": "WORKGROUP",
    "agentIpV4": "12.3.4.5",
    "agentIpV6": "fe80::1234:5678:90ab:cdef",
    "agentLastLoggedInUpn": null,
    "agentLastLoggedInUserMail": null,
    "agentLastLoggedInUserName": "IEUser",
    "agentMitigationMode": "protect",
    "agentOsName": "Windows 10 Enterprise Evaluation",
    "agentOsRevision": "17763",
    "agentRegisteredAt": "2022-04-29T18:46:40.851802Z",
    "agentUuid": "1234567890123456789012345",
    "agentVersion": "12.3.4.5678",
    "cloudProviders": {},
    "externalIp": "123.45.678.900",
    "groupId": "123456789012345",
    "groupName": "Default Group",
    "siteId": "123456789012345",
    "siteName": "Default site"
  },
  "agentRealtimeInfo": {
    "accountId": "1234567890",
    "accountName": "Sanitised Inc",
    "activeThreats": 0,
    "agentComputerName": "MSEDGEWIN10",
    "agentDecommissionedAt": null,
    "agentDomain": "WORKGROUP",
    "agentId": "1234567890123456789012345",
    "agentInfected": false,
    "agentIsActive": false,
    "agentIsDecommissioned": false,
    "agentMachineType": "laptop",
    "agentMitigationMode": "protect",
    "agentNetworkStatus": "connecting",
    "agentOsName": "Windows 10 Enterprise Evaluation",
    "agentOsRevision": "17763",
    "agentOsType": "windows",
    "agentUuid": "1234567890123456789012345",
    "agentVersion": "21.6.6.1200",
    "groupId": "1234567890123456789012345",
    "groupName": "Default Group",
    "networkInterfaces": [
      {
        "id": "1409531098540103561",
        "inet": [
          "10.0.2.15"
        ],
        "inet6": [
          "fe80::c50d:519f:96a4:e108"
        ],
        "name": "Ethernet",
        "physical": "08:00:27:e6:e5:59"
      }
    ],
    "operationalState": "na",
    "rebootRequired": false,
    "scanAbortedAt": null,
    "scanFinishedAt": null,
    "scanStartedAt": "2022-04-29T18:46:56.040926Z",
    "scanStatus": "started",
    "siteId": "1378345865320874345",
    "siteName": "Default site",
    "storageName": null,
    "storageType": null,
    "userActionsNeeded": []
  },
  "containerInfo": {
    "id": null,
    "image": null,
    "labels": null,
    "name": null
  },
  "id": "1409534553765796012",
  "indicators": [],
  "kubernetesInfo": {
    "cluster": null,
    "controllerKind": null,
    "controllerLabels": null,
    "controllerName": null,
    "namespace": null,
    "namespaceLabels": null,
    "node": null,
    "pod": null,
    "podLabels": null
  },
  "mitigationStatus": [
    {
      "action": "quarantine",
      "actionsCounters": {
        "failed": 0,
        "notFound": 0,
        "pendingReboot": 0,
        "success": 1,
        "total": 1
      },
      "agentSupportsReport": true,
      "groupNotFound": false,
      "lastUpdate": "2022-04-29T18:53:32.967237Z",
      "latestReport": "/threats/mitigation-report/1409534555577735350",
      "mitigationEndedAt": "2022-04-29T18:53:32.369000Z",
      "mitigationStartedAt": "2022-04-29T18:53:32.369000Z",
      "status": "success"
    },
    {
      "action": "kill",
      "actionsCounters": null,
      "agentSupportsReport": true,
      "groupNotFound": false,
      "lastUpdate": "2022-04-29T18:53:32.855004Z",
      "latestReport": null,
      "mitigationEndedAt": "2022-04-29T18:53:32.849041Z",
      "mitigationStartedAt": "2022-04-29T18:53:32.849040Z",
      "status": "success"
    }
  ],
  "threatInfo": {
    "analystVerdict": "true_positive",
    "analystVerdictDescription": "True positive",
    "automaticallyResolved": false,
    "browserType": null,
    "certificateId": "",
    "classification": "Malware",
    "classificationSource": "Static",
    "cloudFilesHashVerdict": "black",
    "collectionId": "433377870883088367",
    "confidenceLevel": "malicious",
    "createdAt": "2022-04-29T18:53:32.750603Z",
    "detectionEngines": [
      {
        "key": "pre_execution",
        "title": "On-Write Static AI"
      }
    ],
    "detectionType": "static",
    "engines": [
      "On-Write DFI"
    ],
    "externalTicketExists": false,
    "externalTicketId": null,
    "failedActions": false,
    "fileExtension": "COM",
    "fileExtensionType": "Executable",
    "filePath": "\\Device\\HarddiskVolume1\\Users\\IEUser\\Desktop\\eicar.com",
    "fileSize": 68,
    "fileVerificationType": "NotSigned",
    "identifiedAt": "2022-04-29T18:53:32.369000Z",
    "incidentStatus": "unresolved",
    "incidentStatusDescription": "Unresolved",
    "initiatedBy": "agent_policy",
    "initiatedByDescription": "Agent Policy",
    "initiatingUserId": null,
    "initiatingUsername": null,
    "isFileless": false,
    "isValidCertificate": false,
    "maliciousProcessArguments": null,
    "md5": null,
    "mitigatedPreemptively": false,
    "mitigationStatus": "mitigated",
    "mitigationStatusDescription": "Mitigated",
    "originatorProcess": "notepad.exe",
    "pendingActions": false,
    "processUser": "IEUser",
    "publisherName": "",
    "reachedEventsLimit": false,
    "rebootRequired": false,
    "sha1": "3395856ce81f2b7382dee72602f798b642f14140",
    "sha256": null,
    "storyline": "93B01EE00BE6D8B6",
    "threatId": "1409534553765796012",
    "threatName": "eicar.com",
    "updatedAt": "2022-05-13T12:18:38.662800Z"
  },
  "whiteningOptions": [
    "path",
    "hash"
  ]
}
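An added example, not from the Rapid7 or SentinelOne documentation: a check over a trimmed copy of the API event above that separates fully mitigated threats from ones that still need attention. It reads both the per-action mitigationStatus list (where actionsCounters is null for the kill action) and the threatInfo summary; the triage function and the fields it chooses are this example's own, not an InsightIDR feature.

```python
import json

# Trimmed copy of the API malware event above, keeping only the fields this check reads.
SAMPLE_EVENT = json.loads(r'''{
  "id": "1409534553765796012", "agentRealtimeInfo": {"agentComputerName": "MSEDGEWIN10", "rebootRequired": false},
  "mitigationStatus": [
    {"action": "quarantine", "status": "success",
     "actionsCounters": {"failed": 0, "notFound": 0, "pendingReboot": 0, "success": 1, "total": 1}},
    {"action": "kill", "status": "success", "actionsCounters": null}
  ],
  "threatInfo": {
    "threatName": "eicar.com", "classification": "Malware", "confidenceLevel": "malicious",
    "filePath": "\\Device\\HarddiskVolume1\\Users\\IEUser\\Desktop\\eicar.com",
    "sha1": "3395856ce81f2b7382dee72602f798b642f14140", "sha256": null, "md5": null,
    "mitigationStatus": "mitigated", "pendingActions": false, "failedActions": false,
    "rebootRequired": false, "incidentStatus": "unresolved", "analystVerdict": "true_positive"
  }
}''')


def triage(event):
    """Did every mitigation action finish cleanly, and does an analyst still need to look?"""
    ti = event['threatInfo']
    agent = event.get('agentRealtimeInfo') or {}
    problems = []
    for action in event.get('mitigationStatus') or []:
        name = action.get('action')
        if action.get('status') != 'success':
            problems.append(f'{name}: status {action.get("status")}')
        # actionsCounters is null for actions without per-file counters (the kill action above)
        counters = action.get('actionsCounters') or {}
        if counters.get('failed') or counters.get('notFound'):
            problems.append(f'{name}: failed={counters.get("failed")} notFound={counters.get("notFound")}')
        if counters.get('pendingReboot'):
            problems.append(f'{name}: pending reboot')
    # The per-action list and threatInfo describe the same mitigation from two angles; both must agree.
    if ti.get('mitigationStatus') != 'mitigated' or ti.get('pendingActions') or ti.get('failedActions'):
        problems.append(f'threatInfo: mitigationStatus={ti.get("mitigationStatus")} pendingActions={ti.get("pendingActions")} failedActions={ti.get("failedActions")}')
    if ti.get('rebootRequired') or agent.get('rebootRequired'):
        problems.append('reboot required to complete mitigation')
    return {
        'threatId': event.get('id'),
        'host': agent.get('agentComputerName'),
        'threatName': ti.get('threatName'),
        'hashes': {k: ti[k] for k in ('sha1', 'sha256', 'md5') if ti.get(k)},
        'fully_mitigated': not problems,
        # incidentStatus is the analyst workflow state, separate from whether mitigation succeeded
        'needs_analyst': bool(problems) or ti.get('incidentStatus') == 'unresolved',
        'problems': problems,
    }
```

Run as `print(json.dumps(triage(SAMPLE_EVENT), indent=2))`: the sample is fully mitigated but still flagged for an analyst because incidentStatus is unresolved.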