SentinelOne Endpoint Detection and Response

SentinelOne Endpoint Detection and Response (EDR) is agent-based threat detection software that can address malware, exploit, and insider attacks on your network. InsightIDR features a SentinelOne event source that you can configure to parse SentinelOne EDR logs for virus infection documents.

You can learn more about SentinelOne EDR on their product website:

https://www.sentinelone.com/

This SentinelOne event source configuration involves the following steps:

  1. Configure SentinelOne EDR to Send Logs to InsightIDR
  2. Configure the SentinelOne Event Source in InsightIDR

Configure SentinelOne EDR to Send Logs to InsightIDR

Before you configure the SentinelOne event source in InsightIDR, you need to configure SentinelOne EDR to send its logs to your collector. Consult your SentinelOne product documentation for instructions on how to do this:

https://www.sentinelone.com/support/

Configure the SentinelOne Event Source in InsightIDR

After you’ve configured SentinelOne to send its logs to your collector, you can configure the event source in InsightIDR.

To configure this SentinelOne event source:

  1. From your InsightIDR dashboard, expand your left menu and click the Data Collection tab.
  2. On the “Data Collection Management” screen, expand the Setup Event Source dropdown and click Add Event Source.
  3. In the “Add Event Source” category window, browse to the “Security Data” section and click Virus Scan. The “Add Event Source” panel appears.
  4. Select your configured collector from the dropdown list. This should be the same collector that you configured SentinelOne to target for log ingestion.
  5. Expand the “Event Source” dropdown and select SentinelOne EDR.
  6. If desired, you can give your event source a custom name for reference purposes.
  7. Choose the timezone that matches the location of your event source logs.
  8. If desired, check the provided box to send unfiltered logs.
  9. Select a collection method and specify a port.
  10. If you chose TCP, you can optionally encrypt the event source by downloading the Rapid7 Certificate.
  11. Click Save when finished.