Hi. I am new to Splunk and SentinelOne. Here is what I've done so far:
I need to forward logs from SentinelOne to a single Splunk instance. Since it is a single instance, I installed the Splunk CIM Add-on and the SentinelOne App. (which is mentioned in the Installation of the app. https://splunkbase.splunk.com/app/5433 )
In the SentinelOne App of the Splunk instance, I changed the search index to sentinelone in Application Configuration. I already created the index for testing purpose. In the API configuration, I added the url which is xxx-xxx-xxx.sentinelone.net and the api token. It is generated by adding a new service user in SentinelOne and clicking generate API token. The scope is global. I am not sure if its the correct API token.
Moreover, I am not sure which channel I need to pick in SentinelOne inputs in Application Configuration(SentineOne App), such as Agents/Activities/Applications etc. How do I know which channel do i need to forward or i just add all channels?
Clicking the application health overview, there is no data ingest of items. Using this SPL index=_internal sourcetype="sentinelone*" sourcetype="sentinelone:modularinput" does not show any action=saving_checkpoint, which means no data.
Any help/documentation for the setup would be helpful. I would like to know the reason for no data and how to fix it. Thank you.
The inputs are unchecked now. disabled = 0 in local/inputs.conf as well. 443/tcp is allowed in firewall.
There is still no data. Is there anything I am missing? Thank you everyone for your help!
API Token Post Request:
internal log:
