Hi, it seems there is some confusion in this thread. Please see the docs below from SentinelOne. I believe there is duplicate functionality between the apps (see the Details tab of https://splunkbase.splunk.com/app/5433). The reason you see API inputs on the different apps is due to the duplication in functionality, e.g. the SentinelOne app is able to pull data and also interact with SentinelOne via alert actions; however, it's not recommended to run it on a search head unless it's a single-instance deployment, in which case you would use the SentinelOne app on the SH configured with the API so you can utilise the alert actions, and the IA-sentinelone app for the inputs on a HF. Does that make sense?

Deployment Guide

Note: Do not install Add-Ons and Apps on the same system.

Single Instance (8.X)
- (Pre-requisite) Splunk CIM Add-on
- Only the SentinelOne App (sentinelone_app_for_splunk)

Single Instance + Heavy Forwarder (8.X)
- Single Instance:
  - (Pre-requisite) Splunk CIM Add-on
  - SentinelOne App (sentinelone_app_for_splunk)
- Heavy Forwarder:
  - IA-sentinelone_app_for_splunk

Distributed deployment (8.x)
- Heavy Forwarder:
  - IA-sentinelone_app_for_splunk
- Search Head:
  - (Pre-requisite) Splunk CIM Add-on (https://splunkbase.splunk.com/app/1621/)
  - SentinelOne App (sentinelone_app_for_splunk)
- Indexer:
  - TA-sentinelone_app_for_splunk

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.
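As an added example (not part of the thread or of SentinelOne's own tooling), a small POSIX shell check that audits one Splunk instance's apps directory against the placement rules in the deployment guide above: the app and the add-ons must never share a system, search heads and single instances carry the app, heavy forwarders carry the IA add-on and indexers the TA add-on. The role names (`single`, `sh`, `hf`, `idx`) and the apps path are assumptions; the app directory names are the ones quoted in the guide.

```shell
#!/bin/sh
# Added example, not from the thread or SentinelOne.
# Usage: check_sentinelone_placement <role> <apps_dir>
#   role: single | sh | hf | idx   (role names are an assumption of this script)
#   apps_dir: e.g. /opt/splunk/etc/apps
# Returns 0 when the layout matches the guide, 1 on a violation, 2 on a bad role.
check_sentinelone_placement() {
  role="$1"; apps="$2"
  app=0; ia=0; ta=0; rc=0
  # Detect which of the three packages from the guide are present
  [ -d "$apps/sentinelone_app_for_splunk" ] && app=1
  [ -d "$apps/IA-sentinelone_app_for_splunk" ] && ia=1
  [ -d "$apps/TA-sentinelone_app_for_splunk" ] && ta=1

  # Guide note: do not install add-ons and the app on the same system
  if [ "$app" -eq 1 ] && { [ "$ia" -eq 1 ] || [ "$ta" -eq 1 ]; }; then
    echo "FAIL: sentinelone_app_for_splunk shares $apps with an add-on"
    rc=1
  fi

  case "$role" in
    single|sh)
      # App (alert actions) lives here; API inputs belong on the HF, not the SH
      [ "$app" -eq 1 ] || { echo "FAIL: $role needs sentinelone_app_for_splunk"; rc=1; }
      [ "$ia" -eq 1 ] && { echo "FAIL: $role should not run IA-sentinelone_app_for_splunk inputs"; rc=1; }
      ;;
    hf)
      [ "$ia" -eq 1 ] || { echo "FAIL: heavy forwarder needs IA-sentinelone_app_for_splunk"; rc=1; }
      ;;
    idx)
      [ "$ta" -eq 1 ] || { echo "FAIL: indexer needs TA-sentinelone_app_for_splunk"; rc=1; }
      ;;
    *)
      echo "unknown role: $role"
      return 2
      ;;
  esac
  [ "$rc" -eq 0 ] && echo "OK: $role layout in $apps matches the deployment guide"
  return "$rc"
}

# Example invocation on a real instance (default install path, adjust as needed):
# check_sentinelone_placement hf /opt/splunk/etc/apps
```

Run it once per instance with that instance's role; a distributed deployment needs separate runs on the HF, the SH and the indexers.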