Configuring SentinelOne Log Ingestion

To configure your SentinelOne endpoint protection system to send logs to Stellar Cyber:

Use our example as a guideline, as you might be using a different software version.

During installation, the sensor timezone is automatically set to UTC+0. Because the logs from some security products include only the local time, with no timezone indicator, Stellar Cyber recommends setting the sensor timezone to match the timezone of your security product so that event timestamps are interpreted correctly.

  1. Log in to SentinelOne.

  2. Click INTEGRATIONS.

  3. Click SYSLOG.

  4. Enable SYSLOG.

  5. For the Host, enter the IP address of the data sensor.

  6. For the port, enter 5175.

    As an alternative to forwarding traffic directly to 5175, you could use the generic syslog port (514 or 6514) and create a port relay entry on the sensor to relay the traffic to 5175 internally. Refer to Using the Port Relay Feature to Minimize Open Ports for details.

  7. Optionally enable TLS. If you do, then under Certificate, click Upload to send the sensor CA certificate to SentinelOne. SentinelOne uses this CA certificate to verify the sensor's certificate when it connects, so without it the TLS session cannot be trusted.

  8. For Formatting, choose CEF2.

  9. Click Save.
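Before pointing SentinelOne at the sensor, it is worth confirming that the listener on port 5175 accepts a syslog/CEF message and, if TLS was enabled, that the sensor certificate verifies against the CA you hold. The following Python script is an added example, not code from Stellar Cyber or SentinelOne: it builds a constructed CEF event, wraps it in a syslog frame, and sends it to the sensor. The sensor IP, CA file name and event fields are assumptions (SentinelOne's CEF2 output carries its own field set), and the parser included alongside shows the escaping a collector has to honor so that a `|` or `=` inside an attacker-chosen file name cannot shift fields.

```python
"""Added example (not Stellar Cyber's or SentinelOne's code): send a constructed
CEF event to a sensor syslog listener and parse it back with correct escaping."""
import socket
import ssl
from datetime import datetime

SENSOR_HOST = "192.0.2.10"    # assumption: the data sensor IP entered in step 5
SENSOR_PORT = 5175            # Stellar Cyber port for SentinelOne syslog (step 6)
SENSOR_CA = "sensor-ca.pem"   # assumption: CA that signed the sensor's listener cert
USE_TLS = False               # set True if TLS was enabled in step 7


def _escape_header(value: str) -> str:
    """CEF header fields escape backslash and pipe (backslash first)."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _escape_ext(value: str) -> str:
    """CEF extension values escape backslash, '=' and line breaks."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\n", "\\n").replace("\r", "\\r"))


def build_cef(vendor, product, version, sig_id, name, severity, ext: dict) -> str:
    header = "|".join(_escape_header(str(f))
                      for f in (vendor, product, version, sig_id, name, severity))
    ext_str = " ".join(f"{k}={_escape_ext(str(v))}" for k, v in ext.items())
    return f"CEF:0|{header}|{ext_str}"


def syslog_frame(cef_line: str, hostname="sentinelone", ts=None,
                 facility=1, severity=6) -> str:
    """RFC 3164 style frame. The timestamp carries no timezone, which is why
    the sensor timezone should match the product's (see the note above)."""
    ts = ts or datetime.now()
    pri = facility * 8 + severity
    return f"<{pri}>{ts:%b} {ts.day:2d} {ts:%H:%M:%S} {hostname} {cef_line}"


def _split_unescaped(text: str, delim: str, maxsplit: int) -> list:
    """Split on delim while skipping backslash-escaped characters."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])
            i += 2
        elif text[i] == delim and len(parts) < maxsplit:
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(text[i])
            i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_cef(line: str) -> dict:
    """Parse a CEF line (with or without a syslog prefix), honoring escapes."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    parts = _split_unescaped(line[start + 4:], "|", 7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 '|'-separated fields")
    keys = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
            "signatureId", "name", "severity")
    event = {k: _unescape(v) for k, v in zip(keys, parts[:7])}
    ext, fields = parts[7].strip(), {}
    if ext:
        segs = _split_unescaped(ext, "=", len(ext))
        key = segs[0]
        for seg in segs[1:-1]:          # each middle segment is "value nextKey"
            value, _, key = seg.rpartition(" ")
            fields[_unescape(seg.rpartition(" ")[2]) if False else key] = None  # placeholder, replaced below
            del fields[key]
            fields_prev_key = key
        fields = _parse_ext(ext)
    event["ext"] = fields
    return event


def _parse_ext(ext: str) -> dict:
    """Key/value parsing of the extension: values may contain spaces, keys may not."""
    segs = _split_unescaped(ext, "=", len(ext))
    fields, key = {}, segs[0]
    for seg in segs[1:-1]:
        value, _, next_key = seg.rpartition(" ")
        fields[key] = _unescape(value)
        key = next_key
    fields[key] = _unescape(segs[-1])
    return fields


def send_event(host: str, port: int, frame: str, ca_cert=None, timeout=5.0) -> None:
    """Deliver one newline-terminated frame over TCP, or TLS when ca_cert is given.
    With an IP address as host, the sensor certificate needs that IP in its SAN."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if ca_cert:
        ctx = ssl.create_default_context(cafile=ca_cert)
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall((frame + "\n").encode("utf-8"))


if __name__ == "__main__":
    # Constructed test event; the file name with '|', '=' and a newline exercises escaping.
    event = build_cef("SentinelOne", "Mgmt", "test", "1", "Ingestion test", 3,
                      {"filePath": "C:\\tmp\\a=b|c.exe\nline2"})
    frame = syslog_frame(event)
    print(frame)
    send_event(SENSOR_HOST, SENSOR_PORT, frame, SENSOR_CA if USE_TLS else None)
```

Run it once with `USE_TLS = False` to confirm plain TCP reaches the sensor, then again with `USE_TLS = True` and the sensor CA file in place; a certificate verification error at that point means the CA you hold does not match what the sensor presents, and the same CA is what step 7 uploads to SentinelOne.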