topic Re: Sentinel One Integration with Splunk in Splunk Enterprise

Sentinel One Integration with Splunk

azer271 — Sat, 08 Feb 2025 16:23:19 GMT

Hi. I am new to Splunk and SentinelOne. Here is what I've done so far:

I need to forward logs from SentinelOne to a single Splunk instance. Since it is a single instance, I installed the Splunk CIM Add-on and the SentinelOne App. (which is mentioned in the Installation of the app. https://splunkbase.splunk.com/app/5433 )

In the SentinelOne App of the Splunk instance, I changed the search index to sentinelone in Application Configuration. I already created the index for testing purpose. In the API configuration, I added the url which is xxx-xxx-xxx.sentinelone.net and the api token. It is generated by adding a new service user in SentinelOne and clicking generate API token. The scope is global. I am not sure if its the correct API token.

Moreover, I am not sure which channel I need to pick in SentinelOne inputs in Application Configuration(SentineOne App), such as Agents/Activities/Applications etc. How do I know which channel do i need to forward or i just add all channels?

Clicking the application health overview, there is no data ingest of items. Using this SPL index=_internal sourcetype="sentinelone*" sourcetype="sentinelone:modularinput" does not show any action=saving_checkpoint, which means no data.

Any help/documentation for the setup would be helpful. I would like to know the reason for no data and how to fix it. Thank you.

Re: Sentinel One Integration with Splunk

kiran_panchavat — Sun, 09 Feb 2025 05:41:12 GMT

@azer271

To verify, you can test the API connection by using Postman or curl

curl -X GET "https://xxx-xxx-xxx.sentinelone.net/web/api/v2.1/info" -H "Authorization: APIToken"

If you get a successful response, the API token is valid.

If logs are missing, check API permissions, and any firewall restrictions.

Re: Sentinel One Integration with Splunk

kiran_panchavat — Sun, 09 Feb 2025 05:44:56 GMT

@azer271 Check the internal logs:

index=_internal *sentinelone*

Re: Sentinel One Integration with Splunk

aplura_llc_supp — Mon, 10 Feb 2025 14:40:28 GMT

According to your screenshot, the inputs are "DISABLED". The checkmark follows typical Splunk inputs as "disabled == checked". Uncheck those inputs, and you should see data flow.

Thanks!

Re: Sentinel One Integration with Splunk

azer271 — Tue, 11 Feb 2025 14:56:31 GMT

The inputs are unchecked now. disabled = 0 in local/inputs.conf as well. 443/tcp is allowed in firewall.

There is still no data. Is there anything I am missing? Thank you everyone for your help!

API Token Post Request:

internal log:

Re: Sentinel One Integration with Splunk

molla — Wed, 26 Mar 2025 15:00:48 GMT

Hi @azer271,
have you solved the issue?

I'm also having the same.

Re: Sentinel One Integration with Splunk

azer271 — Fri, 28 Mar 2025 12:56:51 GMT

I solved the issue by unchecking the inputs in the app, since they are disabled by default and making sure the API permissions in Sentinel One. In my case, i just create a new service user in Sentinel One and use the api generated from the service user. The user has the scope of access to the site.