
SentinelOne - Audit

Deployment Guide
Date Published: 9/3/2021
Securonix Proprietary Statement

This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any
third party, nor used by the recipient except under the terms and conditions prescribed by Securonix.

The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their
respective owners.

Securonix Copyright Statement

This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any
medium, without the prior written authorization of Securonix.

However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and
reference.

Information in this document is subject to change without notice. The software described in this document is
furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in
accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional
warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this
publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or
mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without
the written permission of Securonix.

Copyright © 2021 Securonix. All rights reserved.

Contact Information

Securonix
5080 Spectrum Drive, Suite 950W
Addison, TX 75001
(855) 732-6649

SNYPR Deployment Guide 2


Revision History

Release Date | Change History

9/3/2021 | Updated the document with minor editorial changes.



Table of Contents

Introduction 5
About SentinelOne 5
Supported Collection Method 5
Format 5
Functionality 5
SentinelOne Configuration 5
Configuration in SNYPR 7
Verify the Job 13



Introduction
This Deployment Guide provides information on how to configure SentinelOne to
send Audit data to SNYPR.

About SentinelOne
SentinelOne provides endpoint security software that defends every endpoint against
every type of attack, at every stage in the threat lifecycle.

Supported Collection Method
The collection method is API.

Format
The format is JSON.

Functionality
In SNYPR, resource groups (datasources) are categorized by functionality. The
functionality determines what content is available when you import the datasource.
For more information about Device Categorization, see the Data Dictionary.

The functionality of SentinelOne is Cloud Antivirus / Malware / EDR.

SentinelOne Configuration
Complete the following steps to configure SentinelOne to generate tokens required to
collect Audit events in SNYPR.


1. Log on to the SentinelOne Management Console using the Administrator
username for the account.

2. Copy and save the URL of your login.

3. Note: The host URL information will be similar to the following:
https://usa-partners.sentinelone.net/

4. In the Management Console, click Settings > USERS.

5. Select your admin user account and click Generate API token.

6. Copy and save the token displayed.

Configuration in SNYPR
To configure SentinelOne in SNYPR, complete the following steps:

1. Login to SNYPR.
2. Navigate to Menu > Add Data > Activity.
3. Click + and select Add Data for Existing Device Type.
4. Click the Vendor drop-down and select the following information:
- Vendors: SentinelOne
- Device Type: SentinelOne - Activities
- Collection Method: sentinelone


5. Choose an ingester from the drop-down list.


7. Complete the following information in the Device Information section:

- Datasource Name
- Specify the timezone for activity logs by clicking the drop-down and selecting a
timezone.

8. In the Collection Method widget, perform the following:

a. Enter the URL saved in step 2 of the SentinelOne Configuration section
in the Base URL column.
b. Enter the token saved in step 6 of the SentinelOne Configuration section
in the API Token column.


c. Select Activities in the Logs drop-down list.

9. Click Get Preview on the top right of the screen to view the data.

10. Click Save & Next until you reach the Identity Attribution page.
11. Click + > Add New Correlation Rule.


12. Enter a descriptive name for the correlation rule.

13. Provide the following parameters to create a correlation rule:


- User Attribute
- Operation
- Parameter
- Condition
- Separator

Example: User Attribute: firstname | Operation: None | Condition: And |
Separator: . (period) + User Attribute: lastname | Operation: None | Condition:
And. This correlation rule will correlate users to activity accounts with the
format: firstname.lastname.
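As an added illustration of what the rule above does (example code written for this guide, not SNYPR's own code or Securonix's implementation), the following Python derives the firstname.lastname key from identity records and matches it against the account names seen in activity events. The identity records, account names and the employeeid field are constructed sample data; the Lowercase and FirstCharacter operations are assumptions added here to show how a rule generalises beyond the None operation in the guide's example, and "Condition: And" is interpreted as concatenating the parts in order.

```python
"""Illustration of a (User Attribute | Operation | Separator) correlation rule.

Added example, not the SNYPR implementation. A rule is a list of parts; each
part takes one attribute of an identity record, applies an operation, and
appends a separator. The derived string is the account name the identity is
expected to use in SentinelOne activity events.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# "None" is the only operation in the guide's example; the other two are
# assumptions added here to show how the same rule engine generalises.
OPERATIONS: Dict[str, Callable[[str], str]] = {
    "None": lambda value: value,
    "Lowercase": str.lower,
    "FirstCharacter": lambda value: value[:1],
}


@dataclass(frozen=True)
class RulePart:
    user_attribute: str        # identity field to read, e.g. "firstname"
    operation: str = "None"    # key into OPERATIONS
    separator: str = ""        # appended after this part, e.g. "."


def derive_account(identity: Dict[str, str], rule: List[RulePart]) -> Optional[str]:
    """Build the expected account name for one identity.

    Returns None when any attribute the rule needs is missing or empty, so a
    partial record never produces a key that could match the wrong account.
    """
    pieces: List[str] = []
    for part in rule:
        value = identity.get(part.user_attribute)
        if not value:
            return None
        pieces.append(OPERATIONS[part.operation](value) + part.separator)
    return "".join(pieces)


def correlate(
    identities: List[Dict[str, str]],
    accounts: List[str],
    rule: List[RulePart],
) -> Tuple[Dict[str, str], List[str]]:
    """Map each activity account to the employeeid whose derived name matches it.

    Matching is case-insensitive because account names in event data often
    differ in case from the identity source. Accounts with no owner are
    returned separately so they can be reviewed (service accounts, typos,
    identities missing from the feed) instead of being silently dropped.
    """
    index: Dict[str, str] = {}
    for identity in identities:
        derived = derive_account(identity, rule)
        if derived is not None:
            index[derived.lower()] = identity["employeeid"]

    matched: Dict[str, str] = {}
    unmatched: List[str] = []
    for account in accounts:
        owner = index.get(account.lower())
        if owner is None:
            unmatched.append(account)
        else:
            matched[account] = owner
    return matched, unmatched


# The guide's example rule: firstname + "." + lastname, no operations.
FIRST_DOT_LAST = [
    RulePart("firstname", "None", "."),
    RulePart("lastname", "None", ""),
]

# Constructed sample identity records (the employeeid field is an assumption).
SAMPLE_IDENTITIES = [
    {"employeeid": "1001", "firstname": "Jane", "lastname": "Doe"},
    {"employeeid": "1002", "firstname": "Raj", "lastname": "Patel"},
    {"employeeid": "1003", "firstname": "Sam"},   # incomplete record
]

# Constructed account names as they might appear in activity events.
SAMPLE_ACCOUNTS = ["jane.doe", "Raj.Patel", "svc_backup"]


if __name__ == "__main__":
    matched, unmatched = correlate(SAMPLE_IDENTITIES, SAMPLE_ACCOUNTS, FIRST_DOT_LAST)
    for account, owner in matched.items():
        print(f"{account} -> employeeid {owner}")
    print("unmatched:", unmatched)
```

The incomplete record for Sam yields no key at all, which is the safer outcome: a rule that silently produced "Sam." would never match a real account but could still mislead anyone reading the correlation output.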

14. Scroll to the bottom of the screen and click Save.

15. Click Save & Next.
16. Select Do you want to schedule this job for future? in the Job Scheduling
Information section and configure the job to run every 15 minutes.


17. Click Save & Run.

You will automatically be directed to the Job Monitor screen.

Verify the Job
Upon a successful import, the event data will be available for searching in Spotter. To
search events in Spotter, complete the following steps:

1. Navigate to Menu > Security Center > Spotter.
2. Verify that the datasource you ingested is listed under the Available Datasources
section.
