Page 1: Integration Guide - Netsurion

© Copyright Netsurion. All Rights Reserved. 1

Integration Guide

Integrating SentinelOne

Publication Date: September 1, 2021


Abstract

This guide provides instructions to configure EventTracker to retrieve SentinelOne events. It collects logs from the SentinelOne cloud, such as user activity and threat details. After EventTracker is configured to collect and parse these logs, dashboards and reports can be configured to monitor SentinelOne.

Scope

The configuration details in this guide are consistent with EventTracker version v9.x or above and SentinelOne.

Audience

Administrators who are assigned the task to monitor SentinelOne using EventTracker.


Table of Contents

1. Overview 4

2. Prerequisites 4

3. Generate API Token for SentinelOne 4

4. Configuring SentinelOne to Forward Logs to EventTracker 5

5. EventTracker Knowledge Pack 6

5.1 Flex Reports 6

5.2 Alerts 9

5.3 Dashboards 9

6. Importing SentinelOne Knowledge Pack into EventTracker 14

6.1 Alerts 15

6.2 Token Template 16

6.3 Knowledge Object 17

6.4 Flex Reports 18

6.5 Dashboard 20

7. Verifying SentinelOne Knowledge Pack in EventTracker 22

7.1 Alerts 22

7.2 Token Template 22

7.3 Knowledge Object 23

7.4 Flex Reports 23

About Netsurion 24

Contact Us 24


1. Overview

SentinelOne is a next-generation endpoint security product used to protect against all threat vectors. It keeps known and unknown malware and other malicious programs off endpoints.

EventTracker collects events from the SentinelOne API and filters them to extract critical event types for creating reports, dashboards, and alerts. These are packaged as Knowledge Packs and help you analyze and manage SentinelOne easily.

2. Prerequisites

• The EventTracker agent should be installed on a host system/server.

• PowerShell 5.0 should be installed on the host system/server.

• The user should have administrative privileges on the host system/server to run PowerShell.

• The user must have the Viewer role on the SentinelOne console.

3. Generate API Token for SentinelOne

1. Log in to the SentinelOne console as a user with the Viewer role.

2. Click the user drop-down and select My User.

3. Click the Generate button to obtain an API token.

Note: Record the API token; it is required in the next steps.


4. Configuring SentinelOne to Forward Logs to EventTracker

The steps below configure EventTracker to receive events from the SentinelOne API.

1. Get the SentinelOneIntegrator.exe executable file from the link.

2. After the executable is received, run it with administrator privileges.

3. After running the integrator, fill in the given fields.

• URL: SentinelOne console URL

• API Token: SentinelOne Viewer role user token

4. Once the required details have been filled in, the Validate API Token button is enabled.

5. Click the Validate API Token button to validate the given details.


6. Upon successful validation, a message pops-up, click OK.

7. Click Finish in the form bottom to complete the configuration.

8. Upon successful configuration it will display the message box as shown below.

5. EventTracker Knowledge Pack

After the logs are received by EventTracker, Knowledge Packs can be configured in EventTracker. The following Knowledge Packs are available in EventTracker to support SentinelOne.

5.1 Flex Reports

• SentinelOne - Management Activity Details – This report will generate a detailed view of activities performed in SentinelOne by users.

• SentinelOne - Scan Activity Details – This report will generate a detailed view of scan activities, such as a scan started or aborted on an agent.

• SentinelOne - Firewall Control Activity – This report will generate a detailed view of firewall control activity, such as a firewall rule applied to traffic.

• SentinelOne - Device Control Activity – This report will generate a detailed view of activities related to external devices being connected or disconnected, the rule applied to the event and the resulting action.

• SentinelOne - User Login and Logout Details – This report will generate a detailed view of activities related to user login and logout on the SentinelOne console.

• SentinelOne - Threat Activity Details – This report will generate a detailed view of threat activities, such as new threat mitigated, new threat suspicious, process marked as threat, and threat killed by policy.

• SentinelOne - User Management Details – This report will generate a detailed view of activities related to user management, i.e., user added, user deleted, user modified, etc.

5.2 Alerts

• SentinelOne - Threat Activity Detected: This alert is triggered in the event of any threat-related activity, such as a new threat detected or a suspicious process detected.

• SentinelOne - Threat Not Mitigated: This alert is triggered in the event that any threat action has failed.

• SentinelOne - USB Activity Detected: This alert is triggered when an external device detected by Device Control has been connected to a system.
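As an added illustration of the three alert conditions listed above (this is example code, not Netsurion's Knowledge Pack logic or SentinelOne's code), the block below classifies SentinelOne-style activity records into those alerts. The field names (primaryDescription, agentComputerName, createdAt) and the sample records are assumptions constructed for the example; the matching rules are keyed on the activity wording the guide lists, and the failed-mitigation rule is checked first so it wins over the broader threat rule.

```python
import re
from typing import Iterable, Optional

# Constructed sample activity records, shaped like SentinelOne activity entries.
# The field names are an assumption for this example, not taken from the guide.
SAMPLE_ACTIVITIES = [
    {"createdAt": "2021-09-01T10:02:11Z", "agentComputerName": "WS-01",
     "primaryDescription": "New threat detected on WS-01: eicar.com"},
    {"createdAt": "2021-09-01T10:02:15Z", "agentComputerName": "WS-01",
     "primaryDescription": "Threat eicar.com killed by policy on WS-01"},
    {"createdAt": "2021-09-01T10:05:40Z", "agentComputerName": "WS-02",
     "primaryDescription": "Mitigation action Quarantine failed for threat dropper.exe"},
    {"createdAt": "2021-09-01T10:07:03Z", "agentComputerName": "LT-07",
     "primaryDescription": "Device Control: USB mass storage device connected (blocked)"},
    {"createdAt": "2021-09-01T10:09:00Z", "agentComputerName": "WS-01",
     "primaryDescription": "Full disk scan started on WS-01"},
]

# Rules are evaluated in order. A failed mitigation is matched before the broad
# "threat" rule so that it raises the more specific "Threat Not Mitigated" alert.
ALERT_RULES = [
    ("SentinelOne - Threat Not Mitigated",
     re.compile(r"\b(mitigation|action)\b.*\bfailed\b", re.I)),
    ("SentinelOne - USB Activity Detected",
     re.compile(r"\bdevice control\b.*\b(usb|connected)\b", re.I)),
    ("SentinelOne - Threat Activity Detected",
     re.compile(r"\b(threat|suspicious process)\b", re.I)),
]


def classify(activity: dict) -> Optional[str]:
    """Return the alert name for one activity record, or None if no rule matches."""
    text = activity.get("primaryDescription", "")
    for name, pattern in ALERT_RULES:
        if pattern.search(text):
            return name
    return None


def triggered_alerts(activities: Iterable[dict]) -> list:
    """Map each matching activity to (alert name, host, timestamp); skip the rest."""
    out = []
    for act in activities:
        name = classify(act)
        if name is not None:
            out.append((name, act.get("agentComputerName"), act.get("createdAt")))
    return out


if __name__ == "__main__":
    for row in triggered_alerts(SAMPLE_ACTIVITIES):
        print(*row)
```

The scan-started record is deliberately left unmatched: it belongs to the Scan Activity report, not to any of the three alerts.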

5.3 Dashboards

• SentinelOne Top Management Activities By User

• SentinelOne Scan Activities

• SentinelOne Scan Activities By Scan Status

• SentinelOne Firewall Block Event By Agent Machine

• SentinelOne Firewall Block Event By Remote IP

• SentinelOne Device Control Activity

• SentinelOne Top Threat Activity

• SentinelOne Top Threat Activity By Category

• SentinelOne User Login Activities

• SentinelOne User Login Activities By User Type

• SentinelOne Daywise Login Activities

6. Importing SentinelOne Knowledge Pack into EventTracker

NOTE: Import Knowledge Pack items in the following sequence.

• Alerts

• Token Template

• Knowledge Objects

• Flex Reports

• Dashboard

1. Launch the EventTracker Control Panel.

2. Double-click Export-Import Utility.

3. Click the Import tab.

6.1 Alerts

1. Click the Alert option, and then click the browse button.

2. Navigate to the location containing the file with the extension .isalt and then click the Import button.


3. EventTracker displays a success message.

6.2 Token Template

1. Login to the EventTracker Console.

2. Click on Admin >> Parsing Rules.


3. Click Template and then click the import configuration symbol.

4. Locate the .ettd file and click Import.

5. The templates are now imported successfully.

6.3 Knowledge Object

1. Click Knowledge objects under the Admin option in the EventTracker page.

2. Click on the Import object icon.


3. A pop-up box appears. Click Browse in it and navigate to the file with the extension .etko.

4. A list of available Knowledge Objects appears. Select the relevant files and click the Import button.

6.4 Flex Reports

1. In the EventTracker Control Panel, select the Export/Import utility and select the Import tab. Then click the Reports option and choose New (*.etcrx).


2. After you have selected New (*.etcrx), a new pop-up window appears. Click the Select File button and navigate to the file with the extension .etcrx.

3. Select all the relevant files and then click the Import button.

4. EventTracker displays a success message.


6.5 Dashboard

1. Login to EventTracker.

2. Navigate to Dashboard → My Dashboard.

3. In My Dashboard, click the Import button.

4. Click the browse button, navigate to the file path where the dashboard file is saved, and click the Upload button.

5. After the upload completes, choose Select All and click the Import button.


6. Click the Customize dashlet button as shown below.

7. Type SentinelOne in the search bar, select the SentinelOne dashlets, and then click Add.


7. Verifying SentinelOne Knowledge Pack in EventTracker

7.1 Alerts

1. In the EventTracker web interface, click the Admin drop-down, and then click Alerts.

2. In the search box, enter SentinelOne and then click the Search button.

EventTracker displays the alerts related to SentinelOne.

7.2 Token Template

1. Login to the EventTracker.

2. Click on Admin >> Parsing Rules.

3. Click on Template and search for SentinelOne.


7.3 Knowledge Object

1. In the EventTracker web interface, click the Admin drop-down, and then click Knowledge Objects.

2. In the Knowledge Object tree, expand the SentinelOne group folder to view the imported Knowledge Objects.

7.4 Flex Reports

1. In the EventTracker web interface, click the Reports menu, and then select Report Configuration.

2. In the Reports Configuration pane, select the Defined option.

3. Click the SentinelOne group folder to view the imported reports.


About Netsurion

Flexibility and security within the IT environment are two of the most important factors driving business today. Netsurion’s cybersecurity platforms enable companies to deliver on both. Netsurion’s approach of combining purpose-built technology and an ISO-certified security operations center gives customers the ultimate flexibility to adapt and grow, all while maintaining a secure environment.

Netsurion’s EventTracker cyber threat protection platform provides SIEM, endpoint protection, vulnerability scanning, intrusion detection and more; all delivered as a managed or co-managed service. Netsurion’s BranchSDO delivers purpose-built technology with optional levels of managed services to multi-location businesses that optimize network security, agility, resilience, and compliance for branch locations. Whether you need technology with a guiding hand or a complete outsourcing solution, Netsurion has the model to help drive your business forward. To learn more visit netsurion.com or follow us on Twitter or LinkedIn. Netsurion is #19 among MSSP Alert’s 2020 Top 250 MSSPs.

Contact Us

Corporate Headquarters

Netsurion

Trade Centre South

100 W. Cypress Creek Rd

Suite 530

Fort Lauderdale, FL 33309

Contact Numbers

EventTracker Enterprise SOC: 877-333-1433 (Option 2)

EventTracker Enterprise for MSP’s SOC: 877-333-1433 (Option 3)

EventTracker Essentials SOC: 877-333-1433 (Option 4)

EventTracker Software Support: 877-333-1433 (Option 5)

https://www.netsurion.com/eventtracker-support

