According to the SentinelOne Upgrade Documentation for v3.6, they are suggesting the following:

• Distributed deployment (8.x)

  • Heavy Forwarder: IA-sentinelone_app_for_splunk (IA-sentinelone_app_for_splunk)

  • • Search Head:

      • (Pre-requisite) Splunk CIM Add-on

      • SentinelOne App (sentinelone_app_for_splunk)

  • Indexer: TA-sentinelone_app_for_splunk (TA-sentinelone_app_for_splunk)Question:  Does the "IA-sentinelone_app" need to be installed on the HF? Can the TA-sentinelone be installed on the HF instead?  Note: The customer does not want index time extractions.