According to the SentinelOne Upgrade Documentation for v3.6, they are suggesting the following:

Distributed deployment (8.x)
Heavy Forwarder: IA-sentinelone_app_for_splunk (IA-sentinelone_app_for_splunk)
Search Head:
(Pre-requisite) Splunk CIM Add-on
SentinelOne App (sentinelone_app_for_splunk)
Indexer: TA-sentinelone_app_for_splunk (TA-sentinelone_app_for_splunk)

Question: Does the "IA-sentinelone_app" need to be installed on the HF? Can the TA-sentinelone be installed on the HF instead? Note: The customer does not want index-time extractions.