Configuring SentinelOne Log Ingestion
To configure your SentinelOne endpoint protection system to send logs to Stellar Cyber:
Use our example as a guideline, as you might be using a different software version.
During installation, the timezone for sensors is automatically set to UTC+0. Since the logs for some security products might only include the local time without a timezone, Stellar Cyber recommends that you set the sensor timezone to the same timezone as your security product.
- Log in to SentinelOne.
- Select INTEGRATIONS.
- Select SYSLOG.
- Enable SYSLOG.
- For the Host, enter the IP address of the Modular Sensor.
- For the port, enter 5175. As an alternative to forwarding traffic directly to 5175, you could use the generic syslog port (514 or 6514) and create a port relay entry on the sensor to relay the traffic to 5175 internally. Refer to Using the Port Relay Feature to Minimize Open Ports for details.
- Optionally enable TLS. If you do so, then under Certificate, select Upload. This sends the CA certificate for the Select to SentinelOne.
- For Formatting, choose CEF2.
- Select Save.
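The timezone note above can be checked against real traffic once logs are flowing. The following is an added example, not Stellar Cyber or SentinelOne code: it shows how a zone-less local timestamp is shifted when read as UTC+0, and estimates the offset the sensor should be set to by comparing header times with arrival times. The sample lines, the host name `edr01` and all function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from statistics import median

# BSD-style syslog header: optional <PRI>, then "Mon dd hh:mm:ss" with no year or zone.
HEADER = re.compile(r"^(?:<\d+>)?([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed samples: (UTC time the line arrived at the collector, raw line).
SAMPLES = [
    (datetime(2024, 3, 5, 19, 2, 13, tzinfo=timezone.utc), "<14>Mar  5 14:02:11 edr01 constructed event A"),
    (datetime(2024, 3, 5, 19, 7, 41, tzinfo=timezone.utc), "<14>Mar  5 14:07:40 edr01 constructed event B"),
    (datetime(2024, 3, 5, 19, 9, 6, tzinfo=timezone.utc), "<14>Mar  5 14:09:03 edr01 constructed event C"),
]

def header_time(line, year):
    """Return the naive wall-clock time from the header, or None if absent."""
    m = HEADER.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")

def event_utc(line, year, sensor_offset):
    """UTC instant that a sensor configured with sensor_offset assigns to the line."""
    naive = header_time(line, year)
    return naive.replace(tzinfo=timezone(sensor_offset)).astimezone(timezone.utc)

def infer_offset(samples):
    """Estimate the product's UTC offset from arrival times, to the nearest 15 minutes."""
    diffs = []
    for received, line in samples:
        naive = header_time(line, received.year)  # assumes no year rollover in transit
        if naive is not None:
            diffs.append((naive - received.replace(tzinfo=None)).total_seconds())
    if not diffs:
        raise ValueError("no parsable timestamps")
    return timedelta(seconds=round(median(diffs) / 900) * 900)

if __name__ == "__main__":
    offset = infer_offset(SAMPLES)
    print("inferred product offset:", offset)
    for received, line in SAMPLES:
        wrong = received - event_utc(line, received.year, timedelta(0))
        fixed = received - event_utc(line, received.year, offset)
        print(f"skew at UTC+0: {wrong}   skew at inferred offset: {fixed}")
```

A skew that stays within a few seconds after the sensor timezone is changed indicates the setting matches the product; a skew that is a whole number of hours indicates it does not.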

