Hello. I have a task to set up monitoring in Splunk for SentinelOne (agents) and Ubiquiti. I have zero experience with them. From checking the app on Splunkbase thoroughly (https://splunkbase.splunk.com/app/5433), I can't understand how I am supposed to set it up and, most importantly, what steps need to be taken on the SentinelOne side to even send data to Splunk. Bear in mind that we have an outside firm that manages SentinelOne, and in our environment we only get the agents. To put it short, I don't understand SentinelOne, I don't manage it, and I want to know if there is something to request from the people that manage it (a setting or configuration to be made on their side). I've seen in another topic that I only need to install the Splunk app because I will be using an all-in-one installation for it.
For Ubiquiti I see there used to be an app, but it seems it is no longer supported. What is my best approach there? Should I also have requirements for the Ubiquiti managing team to do some setup in order to connect to our Splunk, or something else?
Thank you,
About the SentinelOne app - it is built by a third party, so I wouldn't expect too much of it in terms of quality. Not to diss anyone, it's just that people who don't work with Splunk normally can - for example - just happily assume that there are no more complicated environments than all-in-one Splunk installations. This particular app seems to contain everything (from inputs to dashboards) in a single app, which is not a good practice. This makes you have to ship different versions of the same app to different tiers with varying configurations instead of just pushing a TA here, an app there... Not very pretty.
Anyway, SentinelOne is - as far as I remember - a solution with a cloud console, so the inputs work in pull mode - they just execute an API dump of the data from your cloud tenant. So depending on your architecture, you have to install the app on your SH tier to have properly defined field extractions and other search-time knowledge objects. You also need to install the app on your HF and define input(s) pulling the data. There doesn't seem to be much documentation available about this app apart from what is in the "details" section on Splunkbase, so configuring this app with .conf files might be tricky - another thing showing that the creators don't work with Splunk much - they expect you to configure everything using the web UI.
For the Ubiquiti - it's a brand and there are many different solutions provided by them - APs, switches, routers. I suppose they produce different kinds of logs.
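As an added example (not code from this thread or from the SentinelOne app), here is a small Python script that splits an all-in-one app into the tier-specific copies the answer describes: the heavy forwarder copy keeps only inputs and parsing configs (plus `bin/` scripts), while the search head copy keeps everything except `inputs.conf`, so no pull inputs ever run there. The file names follow the standard Splunk app layout; the toy app that `demo()` builds is constructed for illustration.

```python
"""Split an all-in-one Splunk app into HF and SH copies (added example)."""
import shutil
import tempfile
from pathlib import Path

# Heavy forwarder needs the inputs and the index-time parsing config.
HF_FILES = {"default/app.conf", "default/inputs.conf",
            "default/props.conf", "default/transforms.conf"}
HF_DIRS = {"bin", "README"}  # modular-input scripts and their .spec files

# Search head must never receive inputs, otherwise it starts pulling data.
SH_EXCLUDE = {"default/inputs.conf", "local/inputs.conf"}


def split_app(app_dir, out_dir):
    """Write <out_dir>/hf/<app> and <out_dir>/sh/<app>; return copied paths."""
    app_dir, out_dir = Path(app_dir), Path(out_dir)
    copied = {"hf": [], "sh": []}
    for src in sorted(p for p in app_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(app_dir).as_posix()
        top = rel.split("/", 1)[0]
        tiers = []
        if rel in HF_FILES or top in HF_DIRS:
            tiers.append("hf")
        if rel not in SH_EXCLUDE:  # SH keeps dashboards, searches, props...
            tiers.append("sh")
        for tier in tiers:
            dst = out_dir / tier / app_dir.name / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
            copied[tier].append(rel)
    return copied


def demo():
    """Build a constructed toy app in a temp dir, split it, return the map."""
    tmp = Path(tempfile.mkdtemp())
    app = tmp / "TA-constructed-example"  # hypothetical app name
    files = {
        "default/app.conf": "[ui]\nis_visible = 1\n",
        "default/inputs.conf": "[script://./bin/pull.py]\ninterval = 300\n",
        "default/props.conf": "[example:json]\nKV_MODE = json\n",
        "default/savedsearches.conf": "[Example]\nsearch = index=example\n",
        "default/data/ui/views/overview.xml": "<dashboard/>\n",
        "bin/pull.py": "# placeholder pull script (constructed)\n",
    }
    for rel, body in files.items():
        (app / rel).parent.mkdir(parents=True, exist_ok=True)
        (app / rel).write_text(body)
    return split_app(app, tmp / "out")
```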