SentinelOne app for Splunk API settings

qq-stan
Explorer

So this app has three parts: the IA, the TA, and the main App itself. I installed the IA on a forwarder, the TA on the Cluster Master, and the App on the search head. All three have API configuration options. So where do we enter the API settings? I can hardly imagine entering them on all three.

0 Karma

qq-stan
Explorer

Also, testing the API in an API dev tool indicated that we have to prepend "ApiToken" to the key. Hopefully that is the way to enter it for the S1 App also.

0 Karma
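The header format the post above refers to, exercised end to end as an added example (this is not code from the thread or from the SentinelOne app): the client sends `Authorization: ApiToken <token>`, and a constructed local stand-in for the management console rejects anything else. The stand-in server, the `/web/api/v2.1/system/status` path, the token value and the `auth_header` helper (which also tolerates a token pasted with the prefix already attached) are assumptions for the demonstration, not the app's own code.

```python
"""Added example: SentinelOne API token header, checked against a local stand-in.

Assumptions (not from the thread): the status path below, the token value,
and the stand-in console's behaviour, which only models the "prefix required"
rule the post describes.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

PREFIX = "ApiToken"
VALID_TOKEN = "constructed-token-123"  # constructed sample value
STATUS_PATH = "/web/api/v2.1/system/status"  # assumed endpoint path


def auth_header(token: str) -> str:
    """Build the Authorization value for a SentinelOne API token.

    Strips whitespace and an already-present "ApiToken" prefix, so a token
    pasted as "ApiToken xyz" does not become "ApiToken ApiToken xyz".
    """
    token = token.strip()
    if token.lower().startswith(PREFIX.lower()):
        token = token[len(PREFIX):].strip()
    if not token:
        raise ValueError("empty API token")
    return f"{PREFIX} {token}"


class MockConsole(BaseHTTPRequestHandler):
    """Constructed stand-in console: 200 only for the correctly prefixed header."""

    def do_GET(self):
        sent = self.headers.get("Authorization", "")
        if self.path == STATUS_PATH and sent == auth_header(VALID_TOKEN):
            status, body = 200, {"data": {"health": "ok"}}
        else:
            status, body = 401, {"errors": [{"detail": "unauthorized"}]}
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock_console():
    """Start the stand-in on an ephemeral localhost port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), MockConsole)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def get_status(base_url: str, authorization_value: str):
    """GET the status path with a literal Authorization value; returns (code, json)."""
    req = Request(base_url + STATUS_PATH, headers={"Authorization": authorization_value})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.getcode(), json.load(resp)
    except HTTPError as err:
        return err.code, json.load(err)


if __name__ == "__main__":
    server, port = start_mock_console()
    base = f"http://127.0.0.1:{port}"
    print("bare token:    ", get_status(base, VALID_TOKEN))
    print("ApiToken token:", get_status(base, auth_header(VALID_TOKEN)))
    server.shutdown()
```

Pointing `get_status` at a real console URL with `auth_header(token)` gives the same shape of result; the bare-token call is the 401 the post saw in the dev tool.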

livehybrid
SplunkTrust

Hi, it seems there is some confusion in this thread. Please see the docs below from SentinelOne. I believe there is duplicated functionality between the apps (see the Details tab of https://splunkbase.splunk.com/app/5433).

The reason you see API inputs on the different apps is the duplication in functionality. For example, the SentinelOne app is able to pull data and also interact with SentinelOne via alert actions; however, it is not recommended to run it on a search head unless it is a single-instance deployment. In that case you would use the SentinelOne app on the SH, configured with the API so you can utilise the alert actions, and the IA-sentinelone app for the inputs on a HF. Does that make sense?

Deployment Guide

Note: Do not install Add-Ons and Apps on the same system.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

    Your feedback encourages the volunteers in this community to continue contributing

0 Karma
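A check for the split the answer above describes, added here as an example (not code from the thread or from the SentinelOne app): run on each Splunk host, it lists the SentinelOne packages under `$SPLUNK_HOME/etc/apps`, flags the App sitting next to a TA or IA on the same host, and shows which packages carry API-looking settings in `local/*.conf`, which is the quickest way to see where the API configuration has actually been entered. The folder names (`sentinelone_app`, `TA-sentinelone`, `IA-sentinelone`), the `IA-`/`TA-` prefix rule, the key-name matching on `api`, `token` and `url`, and the sample tree are all assumptions; the real folder and key names are not given in the thread.

```python
"""Added example: where are the SentinelOne packages and their API settings on this host?

Assumptions (not from the thread): package folders contain "sentinelone";
IA/TA are told apart by an "IA-"/"TA-" prefix; API settings are keys whose
names contain "api", "token" or "url" in local/*.conf.
"""
import os
import re

KEY_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*=\s*(.*?)\s*$")
API_KEY_RE = re.compile(r"api|token|url", re.IGNORECASE)


def classify(folder: str):
    """Return "App", "TA", "IA", or None for a folder under etc/apps."""
    lower = folder.lower()
    if "sentinelone" not in lower:
        return None
    if lower.startswith("ia-"):
        return "IA"
    if lower.startswith("ta-"):
        return "TA"
    return "App"


def inventory(apps_dir: str):
    """Map package kind -> folder names present on this host."""
    found = {"App": [], "TA": [], "IA": []}
    for name in sorted(os.listdir(apps_dir)):
        if not os.path.isdir(os.path.join(apps_dir, name)):
            continue
        kind = classify(name)
        if kind:
            found[kind].append(name)
    return found


def local_api_settings(apps_dir: str, found):
    """(package, conf file, key) for every API-looking key with a value in local/*.conf."""
    hits = []
    for names in found.values():
        for name in names:
            local = os.path.join(apps_dir, name, "local")
            if not os.path.isdir(local):
                continue
            for conf in sorted(os.listdir(local)):
                if not conf.endswith(".conf"):
                    continue
                with open(os.path.join(local, conf), encoding="utf-8", errors="replace") as fh:
                    for line in fh:
                        m = KEY_RE.match(line)
                        if m and API_KEY_RE.search(m.group(1)) and m.group(2):
                            hits.append((name, conf, m.group(1)))  # value deliberately not kept
    return hits


def placement_warnings(found, hits):
    """Warnings for the co-installation and duplicate-config cases in the thread."""
    warnings = []
    if found["App"] and (found["TA"] or found["IA"]):
        warnings.append("App co-installed with a TA/IA on this host; the deployment guide says not to")
    configured = sorted({pkg for pkg, _, _ in hits})
    if len(configured) > 1:
        warnings.append("API settings entered in more than one package: " + ", ".join(configured))
    return warnings


def build_sample_host(root: str):
    """Constructed sample etc/apps tree (hypothetical folder and key names)."""
    files = {
        "sentinelone_app/local/setup.conf": "[sentinelone]\napi_token = constructed-token\n",
        "IA-sentinelone/local/inputs.conf": "[sentinelone_activities]\nmanagement_url = https://example.invalid\n",
        "search/local/app.conf": "[ui]\nis_visible = 1\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)


if __name__ == "__main__":
    import sys
    apps_dir = sys.argv[1] if len(sys.argv) > 1 else os.path.join(os.environ.get("SPLUNK_HOME", "/opt/splunk"), "etc", "apps")
    found = inventory(apps_dir)
    hits = local_api_settings(apps_dir, found)
    print("packages:", found)
    print("API settings:", hits)
    for w in placement_warnings(found, hits):
        print("WARNING:", w)
```

Run it once per host (`python3 check_s1.py $SPLUNK_HOME/etc/apps`); a clean distributed layout reports the IA with settings on the heavy forwarder and the App with settings on the search head, and no warnings on either.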

livehybrid
SplunkTrust

Yes, I agree, it's very confusing, but I think they mean not on the same host, as they will conflict; for a distributed "deployment" you install all the apps, but in different places.

0 Karma

qq-stan
Explorer

I think for distributed systems we have to install all of them: IA, TA, and the app. I think when they say "Do not install Add-Ons and Apps on the same system" they mean not on the same host.

0 Karma

qq-stan
Explorer

Thank you for the response. Unfortunately it doesn't answer my specific question.

0 Karma

kiran_panchavat
Champion

@qq-stan Recently we integrated SentinelOne with Splunk: we installed the SentinelOne app on the SH (https://splunkbase.splunk.com/app/5433) and configured the data inputs directly on the search head. However, in a clustered environment, it is recommended to configure the data inputs on a heavy forwarder and install the SentinelOne app on the search heads for dashboards and visualization.

[attached image: kiran_panchavat_0-1747626008858.png]

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma

qq-stan
Explorer

Have you installed IA and TA as well?

0 Karma

kiran_panchavat
Champion

@qq-stan No, I haven't installed that.

0 Karma

kiran_panchavat
Champion

@qq-stan 

https://splunkbase.splunk.com/app/6056 - This is for SOAR on-prem/SOAR Cloud, not for Splunk Enterprise.

Check out Splunk base:

https://splunkbase.splunk.com/app/5433

Note: Installing the SentinelOne TA or IA on the same node as the App may result in instability or errors.

[attached image: kiran_panchavat_0-1747624389069.png]

Don't configure the inputs on all three instances. If you have a heavy forwarder, create the data inputs on that.

0 Karma