Configuring SentinelOne Log Ingestion
To configure your SentinelOne endpoint protection system to send logs to Stellar Cyber:
Use our example as a guideline, as you might be using a different software version.
During installation, the timezone for sensors is automatically set to UTC+0. Since the logs for some security products may only include the local time without a timezone, Stellar Cyber recommends that you set the sensor timezone to the same timezone as your security product.
- Log in to SentinelOne.
- Click INTEGRATIONS.
- Click SYSLOG.
- Enable SYSLOG.
- For the Host, enter the IP address of the data sensor.
- For the port, enter 5175.
  As an alternative to forwarding traffic directly to 5175, you could use the generic syslog port (514 or 6514) and create a port relay entry on the sensor to relay the traffic to 5175 internally. Refer to Using the Port Relay Feature to Minimize Open Ports for details.
- Optionally enable TLS. If you do so, then under Certificate, click Upload. This sends the sensor CA certificate to SentinelOne.
- For Formatting, choose CEF2.
- Click Save.
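The following script is an added example for checking the path configured above; it is not part of the Stellar Cyber or SentinelOne documentation. It builds a constructed CEF event (not a real SentinelOne record), wraps it in a syslog frame with an explicit UTC timestamp, sends it to the sensor on port 5175 (over TLS when you pass the sensor CA certificate that was uploaded in the TLS step), and includes a CEF parser you can run against what the sensor receives. The sensor address 192.0.2.10 is a placeholder, and the TLS path assumes the sensor certificate matches the host you connect to.

```python
import re
import socket
import ssl
from datetime import datetime, timezone

SENSOR_HOST = "192.0.2.10"  # placeholder for the data sensor IP entered as Host
SENSOR_PORT = 5175          # port the sensor listens on for SentinelOne syslog

# Constructed event in CEF header layout: Vendor|Product|Version|SignatureID|Name|Severity|Extension.
# A literal pipe inside a header field must be escaped as \| (shown in the Name field).
SAMPLE_CEF = (
    "CEF:0|SentinelOne|Mgmt|1.0|52|Threat detected \\| mitigated|8|"
    "rt=1700000000000 shost=WS01 fname=evil.exe cs1Label=Threat Status cs1=mitigated"
)

def build_syslog_frame(cef_message: str, origin: str = "sentinelone-mgmt") -> bytes:
    """Wrap the CEF body in an RFC 5424 syslog header carrying an explicit UTC
    timestamp, so the sensor (UTC+0 by default) never has to guess the timezone."""
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return f"<134>1 {ts} {origin} SentinelOne - - - {cef_message}\n".encode()

def parse_cef(line: str) -> dict:
    """Split a CEF line into its seven header fields plus the extension key=values,
    honouring the CEF escapes: \\| in header fields and \\= inside extension values."""
    body = line[line.index("CEF:") + 4:]
    fields = re.split(r"(?<!\\)\|", body, maxsplit=7)  # split only on unescaped pipes
    if len(fields) != 8:
        raise ValueError("malformed CEF header")
    names = ["version", "vendor", "product", "dev_version", "sig_id", "name", "severity"]
    event = {n: fields[i].replace("\\|", "|") for i, n in enumerate(names)}
    # A value runs up to the next " key=" token (or end of line); \= is an escaped "=".
    for key, value in re.findall(r"(\w+)=((?:\\=|[^=])*?)(?=\s\w+=|$)", fields[7]):
        event[key] = value.replace("\\=", "=").strip()
    return event

def send_test_event(host: str = SENSOR_HOST, port: int = SENSOR_PORT, ca_cert: str = "") -> int:
    """Deliver one frame to the sensor over plain TCP, or over TLS when given the path
    to the sensor CA certificate (the same CA uploaded to SentinelOne in the TLS step)."""
    frame = build_syslog_frame(SAMPLE_CEF)
    with socket.create_connection((host, port), timeout=5) as sock:
        if ca_cert:
            ctx = ssl.create_default_context(cafile=ca_cert)  # verifies the sensor's cert
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.sendall(frame)
        else:
            sock.sendall(frame)
    return len(frame)

if __name__ == "__main__":
    print(parse_cef(SAMPLE_CEF))
    print("sent", send_test_event(), "bytes to", SENSOR_HOST, SENSOR_PORT)
```

If the event does not show up in Stellar Cyber, compare the parsed fields above with what the sensor ingests; a missing `rt` or a timestamp without a timezone is the usual cause of events landing at the wrong time.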