SentinelOne Endpoint Detection and Response

SentinelOne Endpoint Detection and Response (EDR) is agent-based threat detection software that can address malware, exploits, and insider attacks on your network.

InsightIDR supports the configuration of SentinelOne as an event source, which parses SentinelOne EDR logs into the Virus Alert log set. There is more than one way to configure SentinelOne EDR in InsightIDR. We provide the steps to send logs through the API; however, you can also use syslog.

To set up SentinelOne Endpoint Detection and Response:

  1. Read the requirements and complete any prerequisite steps.
  2. Configure SentinelOne Endpoint Detection and Response to send data to InsightIDR.
  3. Configure InsightIDR to collect data from the event source.
  4. Test the configuration.

You can also:

Visit the third-party vendor's documentation

For the most accurate information about preparing your event source product for integration with InsightIDR, we recommend that you visit the third-party vendor's product documentation.

Requirements

Before you can set up SentinelOne EDR, you'll need:

  • A SentinelOne account with admin access

Configure SentinelOne Endpoint Detection and Response to send data to InsightIDR

To ensure InsightIDR can receive data from SentinelOne Endpoint Detection and Response (EDR), you must configure your event source.

This task is only required if you're using the API collection method. If you are using another collection method and are not sure how to set it up, contact SentinelOne Customer Support at: https://www.sentinelone.com/support

To obtain credentials from SentinelOne:

  1. In your SentinelOne environment, sign into the Management Console as an admin-level user.
  2. Go to Settings > Users > Service Users.
  3. Create a new service user to generate a token.
  4. Take note of the expiration date that you set for the service user. The service user is time-limited.
  5. Take note of the API key.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

Task 1: Select SentinelOne

  1. Go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for SentinelOne Endpoint Detection and Response in the event sources search bar.
    • In the Product Type filter, select Virus Scan.
  3. Select SentinelOne Endpoint Detection and Response.

Task 2: Set up your collection method

There are two methods of collecting data from SentinelOne Endpoint Detection and Response: through a cloud connection or through a collector.

New credentials are required for cloud event sources

You cannot reuse existing on-premise credentials to create a cloud connection with this event source. You must create new credentials.

Use the Cloud Connection method

  1. In the Add Event Source panel, select Run On Cloud.
  2. Name the event source. This will become the name of the log that contains the event data in Log Search.
  3. Optionally, select the option to send unparsed data.
  4. Click Add a New Connection.
  5. In the Create a Cloud Connection screen, enter a name for the new connection.
  6. In the Instance field, add the subdomain for your SentinelOne instance. For example, if the URL for your SentinelOne instance is https://usea1-011.sentinelone.net, then enter usea1-011.
  7. In the Credentials section, add new credentials for API Key.
  8. Click Save Connection.
  9. Click Save.

Use the Collector method

  1. In the Add Event Source panel, select Run On Collector.
  2. Name the event source. This will be the name of the log that contains the event data in Log Search.
  3. Choose the timezone that matches the location of your event source logs.
  4. Optionally, choose to send unparsed data.
  5. Optionally, select your Attribution Source preference:
    • Use IDR engine if possible; if not, use event log
    • Use event log if possible; if not, use IDR engine
    • Use IDR engine only
    • Use event log only
  6. Select a collection method:
    • If you choose the SentinelOne EDR API method:
      • Create a new credential. In the Name field, enter a name for the credential and, in the API Key field, enter the SentinelOne API key you previously generated.
      • Take note of the SentinelOne API URL, which appears in the address bar of your browser when you are logged into the SentinelOne Management Console. For example, usea1-partners.sentinelone.net.
    • If you choose the Listen on Network Port method:
      • Specify the Port number and a Protocol.
      • (Optional) If you choose TCP, encrypt the event source by downloading the Rapid7 Certificate.
    • If you choose the Log Aggregator method:
      • Select your Log Aggregator format.
      • Specify the Port number and a Protocol.
      • (Optional) If you choose TCP, encrypt the event source by downloading the Rapid7 Certificate.
    • If you choose the Tail File method:
      • Create a new credential. Enter a name for the credential in the Name field.
      • Enter the Subdomain and Token/Secret.
    • If you choose the Watch Directory method:
      • Create a new credential. Enter a name for the credential in the Name field.
      • Enter your Username and Password.
      • Enter a valid UNC path.
  7. Click Save.

Test the configuration

The event IDs that InsightIDR parses are:

  • Activities events
  • Device Control Events
  • Threats events

To test that event data is flowing into InsightIDR:

  1. Once your connection is created, view the connection test details to determine if the event types can be successfully accessed.
  2. From the Data Collection Management page, open the Event Sources tab.
  3. Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.
  4. Wait approximately 7 minutes, then open Log Search.

Next, verify that log entries are appearing in Log Search:

  1. In the Log Search filter panel, search for the event source you named in step 4 of Configure InsightIDR to collect data from the event source. SentinelOne Endpoint Detection and Response logs should flow into these log sets:
    • Activities
    • Device Control Events
    • Threats
  2. Select the log sets and the logs within them.
  3. Set the time range to Last 10 minutes and click Run.

The Results table displays all log entries that flowed into InsightIDR in the last 10 minutes. The keys and values that are displayed are helpful to know when you want to build a query and search your logs.

Sample logs

In Log Search, the log that is generated uses the name of your event source by default. The log appears under the log set(s): Activities, Device Control Events, and Threats.

Here is a typical log entry that is created by the event source:

Syslog event

<11>CEF:0|SentinelOne|Mgmt|OS X|2009|Quarantine failed|1|fileHash=3b1c74da6992c7c3344877f64b90350cc3d26ba9 filePath=/private/var/folders/myFolder/abcdefghijklmnop/Q/update.latgjkr ip=71.81.171.21 cat=SystemEvent suser=QWERT1234 rt=#arcsightDate(Thu, 18 Jul 2019, 04:01:25 UTC) activityID=672713391235496404 activityType=2009 accountId=558367143096221698 accountName=Rapid 7 Institute of Institutionary Research notificationScope=SITE

<12>CEF:0|SentinelOne|Mgmt|Windows 10|19|New active threat - machine ZXCVPOIU4209|1|rt=2019-07-18 23:09:33.339840 fileHash=841be03a8cd3ea0b928b78057938c80cee381ef7 filePath=\Device\Disk\Downloads\WinPython-64bit-1.2.3.4\Python.exe cat=SystemEvent activityID=673291264933600452 activityType=19 accountId=558367143096221698 accountName=Rapid 7 Institute of Institutionary Research notificationScope=SITE

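As an added example (not code from the Rapid7 or SentinelOne documentation), the Python below parses the two CEF-over-syslog lines shown above into the header fields and the key=value extensions that Log Search exposes, then flattens the fields an analyst usually pivots on. The CefEvent class and the search_fields key names are this example's own; the extension keys (fileHash, filePath, suser, ip, accountName, activityID) are the ones the sample lines carry. The syslog PRI decode assumes the RFC 3164 <PRI> wrapper the samples show.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The two CEF-over-syslog lines shown on this page, embedded so the example runs offline.
SAMPLE_SYSLOG: List[str] = [
    "<11>CEF:0|SentinelOne|Mgmt|OS X|2009|Quarantine failed|1|fileHash=3b1c74da6992c7c3344877f64b90350cc3d26ba9 "
    "filePath=/private/var/folders/myFolder/abcdefghijklmnop/Q/update.latgjkr ip=71.81.171.21 cat=SystemEvent "
    "suser=QWERT1234 rt=#arcsightDate(Thu, 18 Jul 2019, 04:01:25 UTC) activityID=672713391235496404 "
    "activityType=2009 accountId=558367143096221698 accountName=Rapid 7 Institute of Institutionary Research "
    "notificationScope=SITE",
    "<12>CEF:0|SentinelOne|Mgmt|Windows 10|19|New active threat - machine ZXCVPOIU4209|1|rt=2019-07-18 23:09:33.339840 "
    "fileHash=841be03a8cd3ea0b928b78057938c80cee381ef7 filePath=\\Device\\Disk\\Downloads\\WinPython-64bit-1.2.3.4\\Python.exe "
    "cat=SystemEvent activityID=673291264933600452 activityType=19 accountId=558367143096221698 "
    "accountName=Rapid 7 Institute of Institutionary Research notificationScope=SITE",
]

_PRI_RE = re.compile(r"^<(\d{1,3})>")                 # RFC 3164 <PRI> prefix
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")            # CEF header separator; "\|" inside a field is literal
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")    # start of an extension key=value pair


@dataclass
class CefEvent:
    facility: Optional[int]      # syslog facility (PRI // 8), None if no <PRI> prefix
    severity: Optional[int]      # syslog severity (PRI % 8), 3 = error, 4 = warning
    vendor: str
    product: str
    device_version: str          # SentinelOne puts the endpoint OS here ("OS X", "Windows 10")
    signature_id: str            # equals the activityType extension in these samples
    name: str
    cef_severity: str
    extensions: Dict[str, str] = field(default_factory=dict)


def parse_extensions(ext: str) -> Dict[str, str]:
    """Split the extension block into key/value pairs.

    Values may contain spaces (accountName=Rapid 7 Institute ..., rt=#arcsightDate(...)),
    so each value runs up to the start of the next 'key=' token, not to the next space.
    Only the CEF '\\=' escape is undone: SentinelOne emits Windows paths with raw
    backslashes (see the second sample), so backslashes are left untouched.
    """
    matches = list(_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for i, m in enumerate(matches):
        start = m.end()
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        out[m.group(1)] = ext[start:end].strip().replace(r"\=", "=")
    return out


def parse_cef_line(line: str) -> CefEvent:
    """Parse one syslog line carrying a CEF record."""
    facility = severity = None
    m = _PRI_RE.match(line)
    if m:
        facility, severity = divmod(int(m.group(1)), 8)   # PRI = facility * 8 + severity
        line = line[m.end():]
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _UNESCAPED_PIPE.split(line, maxsplit=7)      # 7 pipes delimit the 8 header+extension fields
    if len(parts) < 8:
        raise ValueError("CEF header is missing fields")
    _version, vendor, product, dev_version, sig_id, name, cef_sev, ext = parts
    return CefEvent(facility, severity, vendor, product, dev_version,
                    sig_id, name, cef_sev, parse_extensions(ext))


def search_fields(ev: CefEvent) -> Dict[str, object]:
    """Flatten the fields worth querying on into one dict (key names are this example's own)."""
    ext = ev.extensions
    return {
        "signature_id": ev.signature_id,
        "name": ev.name,
        "os": ev.device_version,
        "syslog_severity": ev.severity,
        "file_hash": ext.get("fileHash"),
        "file_path": ext.get("filePath"),
        "user": ext.get("suser"),
        "source_ip": ext.get("ip"),
        "account": ext.get("accountName"),
        "activity_id": ext.get("activityID"),
    }


if __name__ == "__main__":
    for raw in SAMPLE_SYSLOG:
        print(search_fields(parse_cef_line(raw)))
```

Note that splitting the extension block on whitespace, the obvious first attempt, would truncate accountName to "Rapid" and rt to "#arcsightDate(Thu,"; the key-token approach above is what keeps those values whole.
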
Activities event

{
  "accountId": "225494730938493804",
  "groupName": "string",
  "description": "string",
  "createdAt": "2018-02-27T04:49:26.257525Z",
  "data": {
    "computer_name": "COMP_1234",
    "username": "my_user"
  },
  "activityUuid": "string",
  "hash": "string",
  "secondaryDescription": "string",
  "threatId": "225494730938493804",
  "updatedAt": "2018-02-27T04:49:26.257525Z",
  "osFamily": "linux",
  "activityType": "integer",
  "primaryDescription": "string",
  "comments": "string",
  "agentUpdatedVersion": "2.5.1.1320",
  "groupId": "225494730938493804",
  "accountName": "string",
  "siteName": "string",
  "agentId": "225494730938493804",
  "userId": "225494730938493804",
  "siteId": "225494730938493804",
  "id": "225494730938493804"
}

Device Control event

{
  "interface": "USB",
  "profileUuids": "string",
  "lastLoggedInUserName": "janedoe3",
  "computerName": "JOHN-WIN-4125",
  "vendorId": "02",
  "createdAt": "2018-02-27T04:49:26.257525Z",
  "serviceClass": "02",
  "ruleId": "225494730938493804",
  "updatedAt": "2018-02-27T04:49:26.257525Z",
  "eventId": "string",
  "deviceName": "string",
  "minorClass": "string",
  "deviceClass": "02h",
  "eventTime": "2018-02-27T04:49:26.257525Z",
  "lmpVersion": "string",
  "productId": "02",
  "accessPermission": "Read-Only",
  "deviceId": "02",
  "agentId": "225494730938493804",
  "uId": "02",
  "eventType": "string",
  "id": "225494730938493804"
}

Threats event

{
  "indicators": [
    {
      "ids": [
        {
          "type": "integer",
          "format": "int32"
        }
      ],
      "category": "string",
      "tactics": [
        {
          "source": "string",
          "name": "string",
          "techniques": [
            {
              "link": "string",
              "name": "string"
            }
          ]
        }
      ],
      "categoryId": "integer",
      "description": "string"
    }
  ],
  "threatInfo": {
    "confidenceLevel": "malicious",
    "initiatingUserId": "225494730938493804",
    "md5": "string",
    "rebootRequired": "boolean",
    "certificateId": "string",
    "initiatedByDescription": {
      "readOnly": true,
      "description": "Initiated by description"
    },
    "failedActions": "boolean",
    "incidentStatus": "unresolved",
    "macroModules": [
      {
        "moduleName": "string",
        "sha1": "string"
      }
    ],
    "processUser": "string",
    "analystVerdict": "undefined",
    "collectionId": "225494730938493804",
    "detectionType": "static",
    "automaticallyResolved": "boolean",
    "createdAt": "2018-02-27T04:49:26.257525Z",
    "initiatedBy": "agent_policy",
    "mitigatedPreemptively": "boolean",
    "incidentStatusDescription": {
      "readOnly": true,
      "description": "Incident status description"
    },
    "mitigationStatus": "not_mitigated",
    "reachedEventsLimit": "boolean",
    "fileVerificationType": "string",
    "originatorProcess": "string",
    "externalTicketId": "string",
    "threatId": "225494730938493804",
    "updatedAt": "2018-02-27T04:49:26.257525Z",
    "isFileless": {
      "readOnly": true,
      "description": "Is fileless"
    },
    "storyline": "a00637fa-e18d-9b80-e803-f370524f8085",
    "pendingActions": "boolean",
    "browserType": "string",
    "analystVerdictDescription": {
      "readOnly": true,
      "description": "Analyst verdict description"
    },
    "initiatingUsername": "string",
    "isValidCertificate": "boolean",
    "threatName": "string",
    "fileExtension": "string",
    "externalTicketExists": {
      "readOnly": true,
      "description": "External ticket exists"
    },
    "publisherName": "string",
    "detectionEngines": [
      "reputation",
      "pre_execution"
    ],
    "mitigationStatusDescription": {
      "readOnly": true,
      "description": "Mitigation status description"
    },
    "engines": [
      "reputation",
      "pre_execution"
    ],
    "sha256": "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c",
    "identifiedAt": "2018-02-27T04:49:26.257525Z",
    "filePath": {
      "readOnly": true,
      "description": "File path"
    },
    "classificationSource": "Cloud",
    "fileExtensionType": "string",
    "fileSize": "integer",
    "maliciousProcessArguments": "string",
    "cloudFilesHashVerdict": "string",
    "sha1": "ddd5030a3d029f3845fc1052419829f08f312240",
    "rootProcessUpn": "string",
    "classification": "string"
  },
  "whiteningOptions": [
    {
      "type": "string"
    }
  ],
  "mitigationStatus": [
    {
      "reportId": "225494730938493804",
      "agentSupportsReport": "boolean",
      "groupNotFound": "boolean",
      "latestReport": "string",
      "actionsCounters": {
        "notFound": "integer",
        "pendingReboot": "integer",
        "failed": "integer",
        "total": "integer",
        "success": "integer"
      },
      "mitigationStartedAt": "2018-02-27T04:49:26.257525Z",
      "mitigationEndedAt": "2018-02-27T04:49:26.257525Z",
      "action": "kill",
      "status": "success",
      "lastUpdate": "2018-02-27T04:49:26.257525Z"
    }
  ],
  "kubernetesInfo": {
    "controllerName": "string",
    "namespace": "string",
    "podLabels": [
      {
        "type": "string"
      }
    ],
    "controllerKind": "string",
    "pod": "string",
    "cluster": "string",
    "node": "string",
    "namespaceLabels": [
      {
        "type": "string"
      }
    ],
    "controllerLabels": [
      {
        "type": "string"
      }
    ],
    "nodeLabels": [
      {
        "type": "string"
      }
    ],
    "isContainerQuarantine": "boolean"
  },
  "ecsInfo": {
    "type": "string",
    "taskDefinitionRevision": "string",
    "clusterName": "string",
    "serviceArn": "string",
    "taskArn": "string",
    "version": "string",
    "serviceName": "string",
    "taskDefinitionArn": "string",
    "taskAvailabilityZone": "string",
    "taskDefinitionFamily": "string"
  },
  "agentDetectionInfo": {
    "agentMitigationMode": "detect",
    "agentIpV4": "string",
    "agentOsRevision": "string",
    "agentVersion": "3.6.1.14",
    "groupId": "225494730938493804",
    "agentDetectionState": "string",
    "groupName": "string",
    "cloudProviders": "object",
    "siteId": "225494730938493804",
    "agentLastLoggedInUserMail": "string",
    "externalIp": "string",
    "agentIpV6": "string",
    "accountId": "225494730938493804",
    "agentUuid": "string",
    "agentRegisteredAt": "2018-02-27T04:49:26.257525Z",
    "agentOsName": "string",
    "agentLastLoggedInUserName": "janedoe3",
    "agentLastLoggedInUpn": "string",
    "agentDomain": "mybusiness.net",
    "siteName": "string",
    "accountName": "string"
  },
  "agentRealtimeInfo": {
    "rebootRequired": "boolean",
    "accountId": "225494730938493804",
    "groupName": "string",
    "scanFinishedAt": "2018-02-27T04:49:26.257525Z",
    "storageName": "string",
    "agentComputerName": "string",
    "agentUuid": "string",
    "agentInfected": "boolean",
    "agentVersion": "3.6.1.14",
    "agentOsType": "linux",
    "networkInterfaces": [
      {
        "inet6": [
          {
            "type": "string"
          }
        ],
        "name": "string",
        "physical": "00:25:96:FF:FE:12:34:56",
        "id": "225494730938493804",
        "inet": [
          {
            "type": "string"
          }
        ]
      }
    ],
    "agentDomain": "string",
    "scanAbortedAt": "2018-02-27T04:49:26.257525Z",
    "agentMitigationMode": "detect",
    "agentDecommissionedAt": "boolean",
    "storageType": "string",
    "operationalState": "string",
    "userActionsNeeded": [
      {
        "type": "string",
        "example": "none",
        "enum": [
          "none",
          "user_action_needed",
          "reboot_needed",
          "upgrade_needed",
          "incompatible_os",
          "unprotected",
          "rebootless_without_dynamic_detection",
          "extended_exclusions_partially_accepted",
          "reboot_required",
          "pending_deprecation",
          "ne_not_running",
          "ne_cf_not_active"
        ]
      }
    ],
    "agentOsRevision": "string",
    "groupId": "225494730938493804",
    "agentIsDecommissioned": "boolean",
    "accountName": "string",
    "agentIsActive": "boolean",
    "scanStatus": "none",
    "agentNetworkStatus": "connected",
    "siteName": "string",
    "agentOsName": "string",
    "activeThreats": "integer",
    "siteId": "225494730938493804",
    "scanStartedAt": "2018-02-27T04:49:26.257525Z",
    "agentId": "225494730938493804",
    "agentMachineType": "unknown"
  },
  "id": "225494730938493804",
  "containerInfo": {
    "labels": [
      {
        "type": "string"
      }
    ],
    "image": "string",
    "id": "string",
    "name": "string",
    "isContainerQuarantine": "boolean"
  }
}
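
As an added example (not code from Rapid7 or SentinelOne), the Python below reads a trimmed, constructed Threats event shaped like the sample above and reduces it to a triage record an analyst can act on or feed into a Log Search query. The JSON keys and the enum values "malicious", "not_mitigated", "unresolved", "detect", "kill" and "success" come from the sample; the priority rule, the triage field names, the ATT&CK tactic label used as a constructed value, and the "mitigated" status used for the second scenario are this example's own assumptions.

```python
import copy
import json
from typing import Any, Dict, List

# Constructed, trimmed Threats event: only the keys the functions below read, with values that
# follow the shapes in the sample above (ids, sha256, "malicious", "not_mitigated", "detect").
# The tactic/technique names are constructed MITRE ATT&CK labels, not taken from the page.
SAMPLE_THREAT_JSON = """
{
  "id": "225494730938493804",
  "threatInfo": {
    "threatName": "string",
    "confidenceLevel": "malicious",
    "incidentStatus": "unresolved",
    "analystVerdict": "undefined",
    "mitigationStatus": "not_mitigated",
    "detectionEngines": ["reputation", "pre_execution"],
    "sha256": "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"
  },
  "mitigationStatus": [],
  "indicators": [
    {"category": "string",
     "tactics": [{"source": "MITRE", "name": "Execution",
                  "techniques": [{"name": "Command and Scripting Interpreter"}]}]}
  ],
  "agentDetectionInfo": {"agentMitigationMode": "detect", "agentDomain": "mybusiness.net"},
  "agentRealtimeInfo": {"agentComputerName": "JOHN-WIN-4125", "agentNetworkStatus": "connected",
                        "agentIsActive": true}
}
"""


def load_event(text: str) -> Dict[str, Any]:
    return json.loads(text)


def _get(obj: Any, *path: str, default: Any = None) -> Any:
    """Null-safe nested lookup. Optional sections such as kubernetesInfo or ecsInfo are
    absent or null on most endpoints, so triage must not assume every key exists."""
    for key in path:
        if not isinstance(obj, dict) or obj.get(key) is None:
            return default
        obj = obj[key]
    return obj


def successful_actions(event: Dict[str, Any]) -> List[str]:
    """Actions (e.g. kill) whose report in mitigationStatus[] has status == success."""
    return [m.get("action") for m in event.get("mitigationStatus") or []
            if m.get("status") == "success" and m.get("action")]


def tactics(event: Dict[str, Any]) -> List[str]:
    """Distinct tactic names across all indicators, sorted for stable output."""
    return sorted({t["name"] for ind in event.get("indicators") or []
                   for t in ind.get("tactics") or [] if t.get("name")})


def priority(event: Dict[str, Any]) -> str:
    """Illustrative triage rule (not SentinelOne's): a malicious verdict with no successful
    mitigation needs a human now; a malicious verdict the agent already contained waits for
    verdict review; anything else is low."""
    malicious = _get(event, "threatInfo", "confidenceLevel") == "malicious"
    unmitigated = (_get(event, "threatInfo", "mitigationStatus") == "not_mitigated"
                   and not successful_actions(event))
    if malicious and unmitigated:
        return "high"
    if malicious:
        return "medium"
    return "low"


def triage(event: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten one Threats event into the fields an analyst needs first (names are this example's)."""
    return {
        "threat_id": event.get("id"),
        "host": _get(event, "agentRealtimeInfo", "agentComputerName"),
        "domain": _get(event, "agentDetectionInfo", "agentDomain"),
        "sha256": _get(event, "threatInfo", "sha256"),
        "confidence": _get(event, "threatInfo", "confidenceLevel"),
        "engines": list(_get(event, "threatInfo", "detectionEngines", default=[])),
        "agent_mode": _get(event, "agentDetectionInfo", "agentMitigationMode"),
        "agent_online": _get(event, "agentRealtimeInfo", "agentNetworkStatus") == "connected",
        "mitigated_by": successful_actions(event),
        "tactics": tactics(event),
        "priority": priority(event),
    }


BASE_EVENT = load_event(SAMPLE_THREAT_JSON)

# Second constructed scenario: the agent killed the process. "mitigated" is an assumed enum
# value for threatInfo.mitigationStatus; the page's sample only shows "not_mitigated".
MITIGATED_EVENT = copy.deepcopy(BASE_EVENT)
MITIGATED_EVENT["mitigationStatus"] = [{"action": "kill", "status": "success"}]
MITIGATED_EVENT["threatInfo"]["mitigationStatus"] = "mitigated"

if __name__ == "__main__":
    for ev in (BASE_EVENT, MITIGATED_EVENT):
        print(json.dumps(triage(ev), indent=2))
```

The agent_mode field is carried through deliberately: an agent in detect mode reports threats but does not block them, so a "high" record from such an agent means nothing on the endpoint has contained the file yet.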