Use Case: SentinelOne Audit Events

This document outlines a working configuration for shipping SentinelOne events into LogScale via the Syslog integration. These events are the high-level SentinelOne events that can be configured via "Notifications" in SentinelOne. They're not the low-level events available via the SentinelOne Hermes integration — those can be set up using our Kafka Connect Log Format.

For this integration we recommend an intermediate log shipper, because SentinelOne can only make these events available via Syslog over UDP. Although they could in theory be sent directly to LogScale using Ingest Listeners, it's not recommended to expose ingest listener ports to the internet, and Ingest Listeners are not available on Hosted LogScale.

Configuration

Figure 33. Configuration

To begin, you'll need to configure LogScale to receive incoming data from SentinelOne. In this example, we're configuring https://cloud.humio.com, but these same steps apply to a self-managed LogScale instance.

The first step is to create a repository — although this is optional. For the example here, we'll use a "sandbox" repository.

You will, though, have to create a new parser. It will parse the JSON data sent by Vector, the CEF message from SentinelOne, and extract the correct timestamp from each event.

```logscale
parseJson(field=@rawstring)
| parseCEF(field=message)
| findTimestamp(field=message)
```

In this example the parser was saved as "CEF". See the screenshot in Figure 1 here.

Now create a new ingest token and link it to the parser. Be sure to make a copy of the token, since you will need it when you configure Vector next.

Configure Vector

For the purposes of this article, we'll use Vector (vector.dev) as the intermediate agent. Below are the contents of the Vector configuration we'll use. It receives plain syslog entries over UDP.

In a production configuration it is strongly recommended to protect this with client SSL certificates. Creating and managing SSL certificates is out of scope of this article. Please see SentinelOne's documentation on how to do this.

The below was configured on an EC2 node in AWS running CentOS 8.2. That AWS instance had a security group allowing inbound UDP traffic on port 514 (the standard syslog port).

```toml
# Global data directory
data_dir = "/var/lib/vector"

# Vector's API for introspection
[api]
enabled = true
address = "127.0.0.1:8686"

# Plain syslog source
[sources.syslog]
type = "syslog"
address = "0.0.0.0:514"
mode = "udp"

# Output to Hosted LogScale
[sinks.out]
type = "humio_logs"
inputs = ["syslog"]
compression = "gzip"
endpoint = "https://cloud.humio.com"
token = "aa960b28-NNNN-XXXX-YYYY-00c8ed4a4c4b"
```

The configuration above is a minimal working Vector configuration. Review the Vector documentation in detail to find the optimal settings for your environment.

The endpoint is the URL of your LogScale instance; the example above uses LogScale's EMEA Cloud service. The token is the ingest token you created in LogScale in the Configuration section above.

Setup Notifications

Figure 34. Setup Notifications

SentinelOne requires you to configure which events should trigger notifications to the Syslog integration. You can find the notification settings under your site at Settings → Notifications; that page presents a screen like the one you see here in Figure 2.

Notice that under the Administrative settings we have every notification checked for Syslog, so that everything SentinelOne generates for Syslog is sent to LogScale.

Enable Syslog Integration in SentinelOne

Figure 35. Enable Syslog Integration in SentinelOne

Configure the outbound Syslog settings in SentinelOne to start sending new notifications to LogScale. This can be accessed in SentinelOne under your site, Settings → Integrations.

You can see in the screenshot in Figure 3 that we set a few values: we set Your syslog host to the AWS EC2 public DNS name and port number, and we disabled TLS for this example (TLS should be enabled in production use cases). Finally, in the Formatting section we chose the CEF option for information formatting.

When you have all of the values you want set, you can click on the large Test button to generate a sample syslog event.

Results and Troubleshooting

Once this is configured you should see events from SentinelOne appearing in LogScale. If that doesn't happen, there are a few things to check. Has an event that is enabled for syslog notifications occurred since the syslog integration was configured? If the "Test" message arrives but no other events do, then most likely either no such event has occurred, or notifications are not enabled for those events.

Is UDP traffic able to reach Vector? You can test this using netcat, for example:

```shell
$ echo test | nc -u vector.server.com 514
```
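As an added example (not code from LogScale, Vector or SentinelOne), the following Python script ties the two halves of this setup together: it builds a constructed SentinelOne-style CEF event, shows how to send it to Vector over UDP as a richer version of the netcat check above (the parser can then decode it end to end), and parses it the way the "CEF" parser created earlier (parseJson | parseCEF | findTimestamp) would. The Vector envelope field names, the cef.* output field names, the placeholder hostnames and the rt timestamp format are assumptions made for the example; compare them against real events once they arrive in LogScale.

```python
"""Added example, not LogScale's, Vector's or SentinelOne's own code: build a
SentinelOne-style CEF event, send it to Vector over UDP, and parse it like
the LogScale parser (parseJson | parseCEF | findTimestamp) would."""
import json
import re
import socket
from datetime import datetime, timezone

# Constructed sample event (placeholder values, not a real notification);
# note the escaped "=" inside msg, which the parser must not split on.
SAMPLE_CEF = (
    "CEF:0|SentinelOne|Mgmt|2.0|12|Threat Mitigated|4|"
    "rt=Jan 14 2021 09:22:51 suser=admin@example.com fileHash=PLACEHOLDER_SHA1 "
    "msg=Threat name\\=Eicar_Test_File status\\=mitigated dhost=WORKSTATION-01"
)
# Assumed output names for the CEF header (LogScale's parseCEF emits cef.*
# fields; the exact names are an assumption here). Extensions become cef.ext.<key>.
HEADER_FIELDS = ("cef.device.vendor", "cef.device.product", "cef.device.version",
                 "cef.event.class_id", "cef.name", "cef.severity")

def syslog_frame(cef_message: str, host: str = "s1-mgmt") -> bytes:
    """Minimal RFC 3164 line (PRI 14 = user.info) as Vector's syslog source accepts on UDP/514."""
    stamp = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<14>{stamp} {host} {cef_message}".encode()

def send_udp(frame: bytes, server: str, port: int = 514) -> int:
    """The netcat check with a realistic payload; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(frame, (server, port))

def vector_envelope(cef_message: str, host: str = "s1-mgmt.example.com") -> str:
    """Approximate the JSON record Vector's syslog source forwards (field names assumed)."""
    return json.dumps({"message": cef_message, "hostname": host,
                       "timestamp": "2021-01-14T09:22:52Z", "source_type": "syslog"})

def _unescaped_positions(text: str, sep: str, count: int) -> list[int]:
    """Indexes of the first `count` separators not escaped by a backslash."""
    found, i = [], 0
    while i < len(text) and len(found) < count:
        if text[i] == "\\":
            i += 2  # skip the escaped character ("\|" or "\\")
            continue
        if text[i] == sep:
            found.append(i)
        i += 1
    return found

def _unescape(value: str) -> str:
    """Undo CEF escaping: backslash-escaped characters become literal, \\n and \\r newlines."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(text: str) -> dict[str, str]:
    """Split the seven-field CEF header and the key=value extension block."""
    cuts = _unescaped_positions(text, "|", 7)
    if len(cuts) < 7 or not text.startswith("CEF:"):
        raise ValueError("not a CEF message")
    bounds = [-1] + cuts
    header = [_unescape(text[a + 1:b]) for a, b in zip(bounds, bounds[1:])]
    out = {"cef.version": header[0][len("CEF:"):]}
    out.update(zip(HEADER_FIELDS, header[1:]))
    ext = text[cuts[-1] + 1:]
    # A key is a bare token followed by an unescaped "="; a value runs up to the
    # next key, which is why CEF requires "=" inside values to be escaped.
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_.]+)=", ext))
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        out["cef.ext." + m.group(1)] = _unescape(ext[m.end():end].strip())
    return out

def find_timestamp(fields: dict[str, str], fallback: str) -> str:
    """Prefer the event's own rt (epoch ms or "Jan 14 2021 09:22:51", assumed UTC)
    over the syslog arrival time, mirroring what findTimestamp is used for above."""
    rt = fields.get("cef.ext.rt", "")
    if rt.isdigit():
        return datetime.fromtimestamp(int(rt) / 1000, tz=timezone.utc).isoformat()
    try:
        return datetime.strptime(rt, "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc).isoformat()
    except ValueError:
        return fallback

def parse_event(envelope_json: str) -> dict[str, str]:
    """parseJson | parseCEF | findTimestamp applied to one Vector record."""
    record = json.loads(envelope_json)
    fields = dict(record)
    fields.update(parse_cef(record["message"]))
    fields["@timestamp"] = find_timestamp(fields, record.get("timestamp", ""))
    return fields

if __name__ == "__main__":
    for key, value in sorted(parse_event(vector_envelope(SAMPLE_CEF)).items()):
        print(f"{key} = {value!r}")
    # Against your own Vector host, uncomment to exercise the UDP path:
    # send_udp(syslog_frame(SAMPLE_CEF), "vector.server.com")
```

Running the script prints every field the parser would produce for the sample event, which is a quick way to confirm that the escaped "=" inside msg stays in one field and that @timestamp comes from the event's rt rather than the syslog arrival time. If the fields you see in LogScale differ, adjust the parser query rather than this script, which only illustrates the intent.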

Figure 36. Results and Troubleshooting

Next, check whether Vector is seeing your data. You can inspect incoming and outgoing events in Vector by running the following from the command line:

```shell
vector top
```

The results should look like the screenshot in Figure 4 here.