Splunk Enterprise

Sentinel One Integration with Splunk

azer271
Explorer

Hi. I am new to Splunk and SentinelOne. Here is what I've done so far:

I need to forward logs from SentinelOne to a single Splunk instance. Since it is a single instance, I installed the Splunk CIM Add-on and the SentinelOne App. (which is mentioned in the Installation of the app. https://splunkbase.splunk.com/app/5433 )

In the SentinelOne App of the Splunk instance, I changed the search index to sentinelone in Application Configuration. I already created the index for testing purposes. In the API configuration, I added the URL, which is xxx-xxx-xxx.sentinelone.net, and the API token. It is generated by adding a new service user in SentinelOne and clicking Generate API Token. The scope is global. I am not sure if it's the correct API token.

Moreover, I am not sure which channel I need to pick in SentinelOne Inputs in Application Configuration (SentinelOne App), such as Agents/Activities/Applications etc. How do I know which channel I need to forward, or do I just add all channels?


Clicking the Application Health Overview, there is no data ingest of items. Using this SPL: index=_internal sourcetype="sentinelone*" sourcetype="sentinelone:modularinput" does not show any action=saving_checkpoint, which means no data.


Any help/documentation for the setup would be helpful. I would like to know the reason for no data and how to fix it. Thank you.


aplura_llc_supp
Path Finder

According to your screenshot, the inputs are "DISABLED". The checkmark follows typical Splunk inputs as "disabled == checked". Uncheck those inputs, and you should see data flow.

Thanks!

azer271
Explorer

The inputs are unchecked now. disabled = 0 in local/inputs.conf as well. 443/tcp is allowed in the firewall.


There is still no data. Is there anything I am missing? Thank you everyone for your help!

API Token POST request: [screenshot]

Internal log: [screenshot]


kiran_panchavat
Influencer

@azer271 Check the internal logs:

index=_internal *sentinelone*

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.

kiran_panchavat
Influencer

@azer271 

To verify, you can test the API connection by using Postman or curl:

curl -X GET "https://xxx-xxx-xxx.sentinelone.net/web/api/v2.1/info" -H "Authorization: ApiToken <your-api-token>"

If you get a successful response, the API token is valid.

If logs are missing, check API permissions and any firewall restrictions.

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.
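As an added example (not the add-on's code and not posted by anyone in this thread): a small Python probe that sends the header form the SentinelOne API expects, `Authorization: ApiToken <token>`, against the Activities endpoint and maps the result to the token, scope and firewall checks discussed above. The console host is the placeholder from the thread; the choice of probe endpoint and the `S1_API_TOKEN` environment variable are assumptions.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Tuple

# Constructed values: the placeholder host from the thread, token read from the environment.
CONSOLE_HOST = "xxx-xxx-xxx.sentinelone.net"
# Assumption: the Activities endpoint is what the add-on's Activities channel polls;
# limit=1 keeps the probe cheap while still exercising the token's read scope.
PROBE_PATH = "/web/api/v2.1/activities?limit=1"

Fetcher = Callable[[str, str], Tuple[int, str]]


def http_get(url: str, token: str, timeout: int = 15) -> Tuple[int, str]:
    """GET url using the SentinelOne header scheme 'ApiToken <token>'.
    Returns (status, body); status 0 means no HTTP reply at all (DNS, firewall, TLS)."""
    req = urllib.request.Request(url, headers={"Authorization": f"ApiToken {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as err:
        return 0, str(err)


def diagnose(status: int, body: str) -> str:
    """Translate the probe outcome into the concrete thing to check next."""
    if status == 0:
        return "no response: check DNS and outbound 443/tcp from the Splunk host to the console"
    if status == 401:
        return "401 unauthorized: token rejected (wrong/expired token or header not 'ApiToken <token>')"
    if status == 403:
        return "403 forbidden: token accepted but its scope lacks permission for this channel"
    if status != 200:
        return f"unexpected HTTP {status}"
    try:
        payload = json.loads(body)
    except ValueError:
        return "200 but non-JSON body: URL probably hits the console login page, check the host"
    if "data" not in payload:
        return "200 JSON without 'data': not the API response shape, check the URL path"
    return "ok: token accepted and activities readable"


def check_token(host: str, token: str, fetch: Fetcher = http_get) -> str:
    """Run the probe; fetch is injectable so the decision logic can be tested offline."""
    return diagnose(*fetch(f"https://{host}{PROBE_PATH}", token))


if __name__ == "__main__":
    import os
    print(check_token(CONSOLE_HOST, os.environ.get("S1_API_TOKEN", "")))
```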