All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

SentinelOne app for Splunk API settings

qq-stan
Explorer
‎05-18-2025 07:45 PM

So this app has three parts IA, TA, and main App itself. Installed IA on a forwarder, TA on the Cluster Master, and App - on the search head. All three have API configuration options. So where we enter API settings? I hardly imagine entering on all three.

Labels (2)
Labels
0 Karma
Reply

qq-stan
Explorer
‎05-20-2025 09:26 PM

Also testing API on a API dev tool  indicated that we have to append "ApiToken" at the beginning of the key. Hopefully that is the way to enter it for the S1 App also.

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎05-19-2025 12:38 AM

Hi  It seems there is some confusion in this thread. Please see the below docs from SentinelOne. I believe there is duplicate of functionality between the apps.
(See the Details tab of https://splunkbase.splunk.com/app/5433

The reason you see API inputs on the different apps is due to the duplication in functionality, e.g. the SentinelOne app is able to pull data and also interact with SentinelOne via alert actions, however its not recommended to run on a searchhead unless its a single instance deployment, in which case you would use the SentinelOne app on the SH configured with the API so you can utilise the Alert Actions, and the IA-sentintelone app for the inputs on a HF, does that make sense?

Deployment Guide

Note: Do not install Add-Ons and Apps on the same system.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

    Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎05-20-2025 11:40 PM

Yes I agree, its very confusing but I think they mean not on the same host, as they will conflict, but for a distributed "deployment" you install app the apps but in different places.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

qq-stan
Explorer
‎05-20-2025 11:38 PM

I think for distributed systems we have to install all: IA, TA, and the app.  I think when they say " Do not install Add-Ons and Apps on the same system" They mean not on a same host.

0 Karma
Reply

qq-stan
Explorer
‎05-18-2025 08:18 PM

Thank you for the response. Unfortunately doesn't answer to my specific question.

0 Karma
Reply

kiran_panchavat
Champion
‎05-18-2025 08:41 PM

@qq-stan Recently we have integrated SentinelOne with Splunk, we installed SentinelOne app on the SH https://splunkbase.splunk.com/app/5433  & configured the data inputs directly on the search head. However, in a clustered environment, it is recommended to configure the data inputs on a heavy forwarder and install the SentinelOne app on the search heads for dashboards and visualization.

kiran_panchavat_0-1747626008858.png

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply

qq-stan
Explorer
‎05-18-2025 09:28 PM

Have you installed IA and TA as well?

0 Karma
Reply

kiran_panchavat
Champion
‎05-19-2025 12:43 AM

@qq-stan No i haven't installed that. 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply

kiran_panchavat
Champion
‎05-18-2025 08:10 PM

@qq-stan 

https://splunkbase.splunk.com/app/6056 - This is for SOAR on-prem/SOAR cloud not for Splunk Enterprise. 

Check out Splunk base:

https://splunkbase.splunk.com/app/5433

Note: Installing the SentinelOne TA or IA on the same node as the App may result in instability or errors

 

kiran_panchavat_0-1747624389069.png

Don't configure the inputs in all three instances, If you have heavy forwarder create the data inputs on that. 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...