Collect SentinelOne Alert logs

This document describes how you can collect SentinelOne Alert logs by setting up a Google Security Operations feed and how log fields map to Google SecOps Unified Data Model (UDM) fields.

For more information, see Data ingestion to Google Security Operations overview .

A typical deployment consists of SentinelOne Alert and the Google SecOps feed configured to send logs to Google SecOps. Each customer deployment can differ and might be more complex.

The deployment contains the following components:

• SentinelOne: The product from which you collect logs.

• Google SecOps feed: The Google SecOps feed that fetches logs from SentinelOne and writes logs to Google SecOps.

• Google SecOps: Google SecOps retains and analyzes the logs from SentinelOne.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the SENTINELONE_ALERT ingestion label.

Before you begin

Make sure you have the following prerequisites:

• An active Singularity Complete subscription for SentinelOne. Refer to Platform Packages for additional details.
• GET Alerts and GET Threats API v2.1
• An Admin role for the Global or Account level. To get an Admin role, contact your administrator user.
• Administrator rights to install the SentinelOne agent. To get administrator rights, contact your administrator user.

How to set up SentinelOne:

To generate an API token, follow these steps: 1. In the SentinelOne management console, go to Settings, and then click Users. 1. Click the Admin userfor which you want to generate the API token. 1. Click Actions> API token operations> Generate API token. You need this API token to populate Authentication HTTP headersin the Google SecOps platform.

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

• SIEM Settings > Feeds > Add New Feed
• Content Hub > Content Packs > Get Started

How to set up the SentinelOne Alerts feed

1. Click the SentinelOnepack.
2. Locate the SentinelOne Alertslog type.
3. Specify the values for the following fields:
   • Source Type: Third Party API (recommended)
   • Authentication HTTP headers: Enter the API token you generated in the SentinelOne platform.
   • API hostname: SentinelOne platform hostname
   • Initial start time: Time to start fetching the alerts from
   • Is alert API subscribed: Whether the alert AOI is subscribed to by the customer

   Advanced options

• Feed Name: A prepopulated value that identifies the feed.
• Asset Namespace: Namespace associated with the feed.
• Ingestion Labels: Labels applied to all events from this feed.

1. Click Create feed.

For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product .

Supported SentinelOne Alert log types

The SentinelOne Alert parser supports alert and threat log types.

Supported SentinelOne Alert log formats

The SentinelOne Alert parser supports logs in both JSON and CEF formats.

Supported SentinelOne Alert Sample Logs

• JSON

   {
      "accountId": "1235512064263015539",
      "accountName": "dummy",
      "agentComputerName": "dummy",
      "agentDomain": "WORKGROUP",
      "agentId": "1245680559492378683",
      "agentInfected": false,
      "agentIp": "198.51.100.0",
      "agentIsActive": false,
      "agentIsDecommissioned": true,
      "agentMachineType": "server",
      "agentNetworkStatus": "disconnecting",
      "agentOsType": "windows",
      "agentVersion": "21.6.2.272",
      "annotation": "Automatically resolved by SentinelOne Console",
      "automaticallyResolved": true,
      "browserType": null,
      "certId": "",
      "classification": "Malware",
      "classificationSource": "Static",
      "classifierName": "MANUAL",
      "cloudVerdict": null,
      "collectionId": "1251555311751427932",
      "commandId": "1251555264615838432",
      "createdAt": "2022-09-03T19:36:59.540349Z",
      "createdDate": "2021-09-23T19:36:57.867000Z",
      "description": "malware detected - not mitigated yet (cmd.exe (interactive session))",
      "engines": [
        "manual"
      ],
      "external_ticket_id": null,
      "fileContentHash": "c3d10d8d9fce936e5ca32f930f20c8e703619f71",
      "fileCreatedDate": null,
      "fileDisplayName": "Unknown file",
      "fileExtensionType": "None",
      "fileIsDotNet": null,
      "fileIsExecutable": false,
      "fileIsSystem": false,
      "fileMaliciousContent": null,
      "fileObjectId": "3EFA3EFA3EFA3EFA",
      "filePath": "/home/gitlab-runner/webshell_hits/old.hits-go-here/fedcd896ef45bf145d7e880edd4e5390.dll",
      "fileSha256": null,
      "fileVerificationType": "NotSigned",
      "fromCloud": false,
      "fromScan": false,
      "id": "1251555311717873499",
      "indicators": [
        {
          "categoryName": "test Hiding/Stealthiness",
          "description": "This binary may have Anti-sandboxing capabilities to evade detection in sandbox tools",
          "id": 126
        },
        {
          "categoryName": "Hiding/Stealthiness",
          "description": "sample desc There are signs of a backdoor in the PE header",
          "id": 127
        },
        {
          "categoryName": "Test category name Hiding/Stealthiness",
          "description": "This binary might try to schedule a task or modify a scheduled task",
          "id": 129
        }
      ],
      "initiatedBy": "dvCommand",
      "initiatedByDescription": "Deep Visibility Command",
      "initiatingUserId": "1245152494739966182",
      "isCertValid": false,
      "isInteractiveSession": true,
      "isPartialStory": false,
      "maliciousGroupId": "DEA2CA314B3AB7E4",
      "maliciousProcessArguments": "",
      "markedAsBenign": true,
      "mitigationMode": "protect",
      "mitigationReport": {
        "kill": {
          "status": "success"
        },
        "network_quarantine": {
          "status": null
        },
        "quarantine": {
          "status": "success"
        },
        "remediate": {
          "status": null
        },
        "rollback": {
          "status": null
        },
        "unquarantine": {
          "status": null
        }
      },
      "mitigationStatus": "mitigated",
      "publisher": "",
      "rank": null,
      "resolved": true,
      "siteId": "1235512064330124404",
      "siteName": "Default site",
      "threatAgentVersion": "21.6.2.272",
      "threatName": "cmd.exe (interactive session)",
      "updatedAt": "2021-10-23T20:34:15.668440Z",
      "username": "dummy\\\\Administrator",
      "whiteningOptions": []
    } 
  

• CEF

   <86>Nov  5 11:53:06 abcdefg sshd[1475549]: reprocess config line 158: Deprecated option RhostsRSAAuthentication 
  

Field mapping reference

This section explains how the Google SecOps parser maps SentinelOne Alert fields to Google SecOps Unified Data Model (UDM) fields.

Field mapping reference: Event Identifier to Event Type

Field mapping reference: SENTINELONE_ALERT

The following table lists the log fields of the SENTINELONE_ALERT log type and their corresponding UDM fields.

What's next

• Data ingestion to Google Security Operations

Need more help? Get answers from Community members and Google SecOps professionals.