Hi. I am new to Splunk and SentinelOne. Here is what I've done so far:
I need to forward logs from SentinelOne to a single Splunk instance. Since it is a single instance, I installed the Splunk CIM Add-on and the SentinelOne App (which is mentioned in the installation notes of the app: https://splunkbase.splunk.com/app/5433 ).
In the SentinelOne App on the Splunk instance, I changed the search index to sentinelone in Application Configuration. I already created the index for testing purposes. In the API configuration, I added the URL, which is xxx-xxx-xxx.sentinelone.net, and the API token. It was generated by adding a new service user in SentinelOne and clicking Generate API Token. The scope is global. I am not sure if it's the correct API token.
Moreover, I am not sure which channel I need to pick under SentinelOne Inputs in Application Configuration (SentinelOne App), such as Agents/Activities/Applications etc. How do I know which channel I need to forward, or do I just add all channels?
Clicking the Application Health Overview, there is no data ingest of items. Using this SPL, index=_internal sourcetype="sentinelone*" sourcetype="sentinelone:modularinput", does not show any action=saving_checkpoint, which means no data.
Any help/documentation for the setup would be helpful. I would like to know the reason for no data and how to fix it. Thank you.
According to your screenshot, the inputs are "DISABLED". The checkbox follows the usual Splunk inputs convention: checked == disabled. Uncheck those inputs, and you should see data flow.
Thanks!
The inputs are unchecked now. disabled = 0 in local/inputs.conf as well. 443/tcp is allowed in the firewall.
There is still no data. Is there anything I am missing? Thank you everyone for your help!
API Token POST request (screenshot):
Internal log (screenshot):
@azer271 Check the internal logs:
index=_internal *sentinelone*
To verify, you can test the API connection with Postman or curl:
curl -X GET "https://xxx-xxx-xxx.sentinelone.net/web/api/v2.1/info" -H "Authorization: ApiToken <your-api-token>"
If you get a successful response, the API token is valid.
If logs are still missing, check the API token's permissions and any firewall restrictions.
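The two checks suggested in this thread (is the API token accepted, and does the modular input ever reach action=saving_checkpoint) can be scripted so they are repeatable. The following is an added example, not code from the SentinelOne App, Splunk or any poster here. It assumes the console hostname and token are placeholders, that the SentinelOne management API accepts the header form "Authorization: ApiToken <token>", and that /web/api/v2.1/system/info is an authenticated endpoint that returns a JSON body with a "data" key; the _internal log lines at the bottom are constructed to look like modular-input log output and are not real Splunk output.

```python
"""Sanity checks for a SentinelOne -> Splunk ingestion that shows no data.

Added example; not code from the SentinelOne App or Splunk.  CONSOLE, API_TOKEN and
INFO_PATH are placeholders/assumptions; SAMPLE_INTERNAL_LOG is constructed test data.
"""
import json
import re
import sys
import urllib.error
import urllib.request

CONSOLE = "https://xxx-xxx-xxx.sentinelone.net"      # placeholder console URL
API_TOKEN = "REPLACE_WITH_SERVICE_USER_TOKEN"        # placeholder token
INFO_PATH = "/web/api/v2.1/system/info"              # assumed authenticated endpoint


def auth_header(token: str) -> dict:
    """Build the Authorization header in the 'ApiToken <token>' form.

    A header that carries only the word 'ApiToken' (no value) is a common copy/paste
    mistake, so an empty token is rejected up front instead of producing a 401.
    """
    token = token.strip()
    if not token:
        raise ValueError("empty API token")
    return {"Authorization": f"ApiToken {token}"}


def classify_api_response(status: int, body: str) -> str:
    """Map an HTTP status/body from the console into a short diagnosis string."""
    if status == 200:
        try:
            payload = json.loads(body)
        except ValueError:
            return "ok_but_not_json"        # a login page or proxy block page, not the API
        return "ok" if "data" in payload else "ok_unexpected_shape"
    return {
        401: "bad_token",                   # token rejected: wrong or expired token
        403: "token_lacks_permission",      # token accepted but lacks the needed scope/role
        404: "wrong_url",                   # console hostname or API path is wrong
    }.get(status, f"http_{status}")


def check_api(console: str = CONSOLE, token: str = API_TOKEN,
              path: str = INFO_PATH, timeout: int = 10) -> str:
    """Perform the same request as the curl line above and classify the outcome."""
    req = urllib.request.Request(console.rstrip("/") + path, headers=auth_header(token))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_api_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:       # non-2xx responses land here
        return classify_api_response(e.code, e.read().decode(errors="replace"))
    except urllib.error.URLError as e:        # DNS failure, firewall drop, TLS problem
        return f"network_error:{e.reason}"


# Constructed sample of what 'index=_internal *sentinelone*' might return; not real output.
SAMPLE_INTERNAL_LOG = """\
2024-05-01 10:00:01,000 INFO pid=4321 tid=MainThread file=sentinelone_modinput.py:run:88 | action=start_input input=sentinelone://activities
2024-05-01 10:00:02,000 ERROR pid=4321 tid=MainThread file=sentinelone_modinput.py:fetch:140 | action=api_request status=401 msg="Authentication failed"
2024-05-01 10:05:01,000 INFO pid=4321 tid=MainThread file=sentinelone_modinput.py:run:88 | action=start_input input=sentinelone://agents
2024-05-01 10:05:03,000 INFO pid=4321 tid=MainThread file=sentinelone_modinput.py:run:120 | action=saving_checkpoint input=sentinelone://agents count=57
"""

LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+) .*?\| (?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"


def parse_log_line(line: str):
    """Split one modular-input style log line into its key=value fields."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {"ts": m.group("ts"), "level": m.group("level"), **fields}


def summarize_modinput_log(text: str) -> dict:
    """Count checkpoints (proof that data was written) and collect ERROR messages per input."""
    summary = {"checkpoints": 0, "errors": [], "inputs_seen": set()}
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        if "input" in rec:
            summary["inputs_seen"].add(rec["input"])
        if rec.get("action") == "saving_checkpoint":
            summary["checkpoints"] += 1
        if rec["level"] == "ERROR":
            summary["errors"].append(rec.get("msg") or rec.get("action", "unknown"))
    summary["inputs_seen"] = sorted(summary["inputs_seen"])
    return summary


if __name__ == "__main__":
    # Offline part: what does the (sample) internal log say?
    print("internal log summary:", summarize_modinput_log(SAMPLE_INTERNAL_LOG))
    # Online part only when explicitly asked, since it needs a real console and token.
    if "--live" in sys.argv:
        print("API check:", check_api())
```

Run it with --live (after filling in CONSOLE and API_TOKEN) to get a one-word verdict on the token; a "network_error" result points at DNS or the firewall, "bad_token" at the token itself, and "token_lacks_permission" at the service user's role. Zero checkpoints in the summary with an ERROR present is the "no data" picture from the original post, and the collected error message usually says why.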