Ingest Logs
Prerequisite
Logpoint: v6.7.0 or later
Install SentinelOne
Download the .pak file from the Marketplace.
Go to Settings >> System Settings from the navigation bar of Logpoint.
Click Applications.
Click Import.
Browse to the downloaded .pak file.
Click Upload.
After installation, verify that the integration appears under Settings >> System Settings >> Plugins.
Configure SentinelOne
Configuring a Repo
Go to Settings >> Configuration in the navigation bar, then click Repos.
Click Add.
Enter a Repo Name.
Select a Repo Path to store incoming logs.
Set a Retention Day, the number of days logs are kept in the repository before they are automatically deleted. You can add and remove multiple Repo Paths and Retention Days.
Select a Remote LogPoint and set an Available for (day).
Click Submit.
Adding a Normalization Policy
Go to Settings >> Configuration in the navigation bar, then click Normalization Policies.
Click Add.
Enter a Policy Name.
In Compiled Normalizer, select SentinelOneCompiledNormalizer.
Click Submit.
Configuring a Processing Policy
Go to Settings >> Configuration from the navigation bar and click Processing Policies.
Click Add.
Enter a Policy Name.
Select the previously created normalization policy.
Select the Enrichment Policy.
Select the Routing Policy.
Adding SentinelOne as a Device in Logpoint
Go to Settings >> Configuration in the navigation bar, then click Devices.
Click Add.
Enter a device Name.
Enter the SentinelOne server IP address(es).
Select the Device Groups.
Select an appropriate Log Collection Policy for the logs.
Select a collector or a forwarder from the Distributed Collector drop-down.
Selecting the Device Groups, the Log Collection Policy, and the Distributed Collector is optional.
Select a Time Zone. The device's time zone must match its log source.
Configure the Risk Values for Confidentiality, Integrity, and Availability used to calculate the risk levels of the alerts generated from the device.
Click Submit.
Configuring the Syslog Collector for SentinelOne
To send logs to Logpoint using the Syslog Collector, use the Logpoint CA certificate as the server certificate in SentinelOne, and do not provide a client certificate/key.
The Logpoint CA certificate is located at: /opt/makalu/etc/remote_connection/certificates/ca.crt
Go to Settings >> Configuration from the navigation bar and click Devices.
Click the Add icon from Actions of the previously added device.
Click Syslog Collector.
Select Syslog Parser as Parser.
Select the previously created Processing Policy.
Select the Charset.
In Proxy Server, select None.
Click Submit.

Verify Ingestion
Check Log Ingestion
Use the following query to verify SentinelOne logs are being ingested and normalized:
Verify Data Flow
Monitor Log Volume: Verify expected log volumes are being processed.
Validate Normalization: Confirm logs are correctly parsed and normalized using the SentinelOneCompiledNormalizer.