Hi,
I'm new to Splunk. We use Splunk Cloud 8.2.
I installed the SentinelOne App for Splunk v5.1.3.
Many dashboards are working fine, but not all.
At "YOURS".splunkcloud.com/en-US/app/sentinelone_app_for_splunk/s1_threats_overview, there is a panel for "Active Threats (raw)". The associated search is:
eventtype=sentinelone_threats (host="*") (siteName="*") NOT threatInfo.incidentStatus="resolved" AND threatInfo.mitigationStatus="active"
It seems the "sentinelone_threats" eventtype doesn't exist.
I searched over all indexes (index=*) and don't find this eventtype.
My SentinelOne seems well configured, the API connection is OK, and I configured all channels, but I don't have this eventtype.
Any idea?
Thanks
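Added diagnostic searches (not part of the original post, and not from the SentinelOne app itself) that separate the two usual causes of an "eventtype does not exist" symptom: the eventtype object is not visible from the app context you are searching in, or the eventtype is defined but no data with the sourcetype it expects has been indexed. The eventtype name is taken from the dashboard search above; the sourcetype wildcard `*sentinelone*` and the 24h window are assumptions, adjust them to your environment.

```spl
| rest /servicesNS/-/-/saved/eventtypes splunk_server=local
| search title="sentinelone_threats"
| table title search eai:acl.app eai:acl.sharing eai:acl.perms.read disabled
```

Run this first. If it returns nothing, the eventtype was never defined on the search head; if it returns a row whose eai:acl.sharing is "app", the eventtype is only visible inside that app (here sentinelone_app_for_splunk), so running the dashboard search from another app context, or from the Search & Reporting app, will not resolve it. The search column shows the raw SPL the eventtype expands to; copy it and run it over the same time range. If that expanded search also returns nothing, the problem is missing data rather than a missing knowledge object, and the next check confirms which sourcetypes the app has actually written:

    | tstats count where index=* earliest=-24h by index sourcetype
    | search sourcetype="*sentinelone*"

An empty result here means the modular input is not indexing anything yet (API connection status alone does not prove that events are arriving), so the eventtype has nothing to match.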