So this app has three parts: IA, TA, and the main App itself. I installed the IA on a forwarder, the TA on the Cluster Master, and the App on the search head. All three have API configuration options. So where do we enter the API settings? I can hardly imagine entering them on all three.
Also, testing the API in an API dev tool indicated that we have to append "ApiToken" at the beginning of the key. Hopefully that is the way to enter it for the S1 App also.
Hi, it seems there is some confusion in this thread. Please see the docs from SentinelOne below. I believe there is duplication of functionality between the apps.
(See the Details tab of https://splunkbase.splunk.com/app/5433)
The reason you see API inputs on the different apps is due to the duplication in functionality. E.g. the SentinelOne app is able to pull data and also interact with SentinelOne via alert actions; however, it's not recommended to run it on a search head unless it's a single-instance deployment, in which case you would use the SentinelOne app on the SH configured with the API so you can utilise the Alert Actions, and the IA-sentinelone app for the inputs on a HF. Does that make sense?
Note: Do not install Add-Ons and Apps on the same system.
Single Instance (8.X)
(Pre-requisite) Splunk CIM Add-on
Only the SentinelOne App (sentinelone_app_for_splunk)
Single Instance + Heavy Forwarder (8.X)
Single Instance:
(Pre-requisite) Splunk CIM Add-on
SentinelOne App (sentinelone_app_for_splunk)
Heavy Forwarder: IA-sentinelone_app_for_splunk (IA-sentinelone_app_for_splunk)
Distributed deployment (8.x)
Heavy Forwarder: IA-sentinelone_app_for_splunk (IA-sentinelone_app_for_splunk)
Search Head:
(Pre-requisite) Splunk CIM Add-on (https://splunkbase.splunk.com/app/1621/)
SentinelOne App (sentinelone_app_for_splunk)
Indexer: TA-sentinelone_app_for_splunk (TA-sentinelone_app_for_splunk)
Yes, I agree, it's very confusing, but I think they mean not on the same host, as they will conflict; for a distributed "deployment" you install the apps, but in different places.
I think for distributed systems we have to install all of them: IA, TA, and the app. I think when they say "Do not install Add-Ons and Apps on the same system" they mean not on the same host.
Thank you for the response. Unfortunately, it doesn't answer my specific question.
@qq-stan Recently we integrated SentinelOne with Splunk: we installed the SentinelOne app on the SH (https://splunkbase.splunk.com/app/5433) and configured the data inputs directly on the search head. However, in a clustered environment, it is recommended to configure the data inputs on a heavy forwarder and install the SentinelOne app on the search heads for dashboards and visualization.
Have you installed IA and TA as well?
@qq-stan No, I haven't installed those.
https://splunkbase.splunk.com/app/6056 - This is for SOAR on-prem/SOAR Cloud, not for Splunk Enterprise.
Check out Splunkbase:
https://splunkbase.splunk.com/app/5433
Note: Installing the SentinelOne TA or IA on the same node as the App may result in instability or errors
Don't configure the inputs on all three instances. If you have a heavy forwarder, create the data inputs on that.
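The placement rules quoted in this thread (App on the search head, IA on the heavy forwarder, TA on the indexers, never App and Add-On on one host, inputs enabled on only one host) can be turned into a repeatable layout audit. The following is an added example of my own, not code from SentinelOne's apps or from anyone in the thread; the host names, roles and the inputs.conf stanza name are constructed placeholders, since the IA's real input type names are not given here.

```python
"""Audit a SentinelOne-for-Splunk layout against the placement rules quoted above."""
import configparser

APP = "sentinelone_app_for_splunk"
IA = "IA-sentinelone_app_for_splunk"
TA = "TA-sentinelone_app_for_splunk"

# Where each package belongs in a distributed deployment (from the docs quoted above).
EXPECTED_ROLE = {APP: "search_head", IA: "heavy_forwarder", TA: "indexer"}


def count_enabled_inputs(inputs_conf_text):
    """Count stanzas in an inputs.conf that are not explicitly disabled.
    A stanza with no 'disabled' key is treated as enabled, as Splunk does."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inputs_conf_text)
    return sum(1 for s in cp.sections()
               if cp.get(s, "disabled", fallback="0").strip().lower() not in ("1", "true"))


def audit(inventory):
    """inventory: {host: {"role": str, "apps": [str], "inputs_conf": str}}.
    Returns a list of findings; an empty list means the layout follows the rules."""
    findings, hosts_with_inputs = [], []
    for host, info in inventory.items():
        apps = set(info["apps"])
        if APP in apps and apps & {IA, TA}:
            findings.append(f"{host}: App and Add-On installed on the same host")
        for pkg in sorted(apps & set(EXPECTED_ROLE)):
            if EXPECTED_ROLE[pkg] != info["role"]:
                findings.append(f"{host}: {pkg} installed on a {info['role']}, "
                                f"expected {EXPECTED_ROLE[pkg]}")
        if count_enabled_inputs(info.get("inputs_conf", "")) > 0:
            hosts_with_inputs.append(host)
    if len(hosts_with_inputs) > 1:  # same API pulled twice -> duplicate events
        findings.append("inputs enabled on more than one host (duplicate ingestion): "
                        + ", ".join(sorted(hosts_with_inputs)))
    return findings


def example_inventory():
    """Constructed inventory mirroring the original poster's layout: TA on the
    cluster master and API inputs entered on both the HF and the SH."""
    # Placeholder stanza name; the IA's real modular input names are not in the thread.
    inputs = "\n".join(["[sentinelone_input_PLACEHOLDER://prod]", "interval = 300"])
    return {
        "hf01": {"role": "heavy_forwarder", "apps": [IA], "inputs_conf": inputs},
        "cm01": {"role": "cluster_master", "apps": [TA], "inputs_conf": ""},
        "sh01": {"role": "search_head", "apps": [APP], "inputs_conf": inputs},
    }
```

Running `audit(example_inventory())` flags the TA on the cluster master and the inputs duplicated across hf01 and sh01; moving the inputs to the HF only and the TA to the indexers clears both findings.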