SentinelOne is a comprehensive enterprise security platform that provides threat detection, hunting, and response features that enable organizations to discover vulnerabilities and protect IT operations. It provides edge-to-edge protection for assets within an enterprise’s IT architecture.

1. Installation

In order to integrate SentinelOne:

  • Enable syslog integration from the SentinelOne console.
  • Specify the host and port (wazuh-clientname:514 for cloud-to-cloud collection and ip:2515 for an on-premise collector). The ip:2515 should the ip (example: 192.168.X.X) where Logstash has been installed.
  • Enable TLS (do not upload any certificate or key).
  • Specify CEF 2 format.
  • Get your SentinelOne account ID (query for AccountId) or find it in Sentinels menu. Alternatively, you can obtain a siteId for.

If you are using cloud-to-cloud integration, in LogSentinel SIEM:

  • Create a new data source.
  • Set the syslog identification param name to «accountId» and syslog identification param value to the accountId you obtained in the last step below.
  • Alternatively, set the parameter name to «siteId» and the value to the siteId value obtained above.

2. Logstash Configuration

We must change Logstash to properly receive and filter SentinelOne logs. This configuration is necessary for on-premise. You can skip this section if you have cloud-to-cloud environment.

The installation of Logstash and its service is located in the ‘Apolo Analytics’ folder, at the default address: ‘C:\Program Files\Apolo Analytics’.

  • We will enter the folder of ‘C:\Program Files\Apolo Analytics\logstash-version.  Where we will find the following files:

  • The file that we will need to modify is ‘logstash.conf’ located in  the previous location which will have a configuration similar to the following.
input {
   udp {
      port => 5144
filter {

output {
   stdout {
      codec => "line"
tcp {
      codec => "line"
      port => 514
      host => ""
  • We will need to add in the input the following configurations:

For cef2 format:

input {
	syslog {
		port => 2515
		codec => cef
		syslog_field => "syslog"
		grok_pattern => "<%{POSINT:priority}>%{SYSLOGTIMESTAMP:timestamp} CUSTOM GROK HERE"

For line or json format change to: codec => json or codec => line

Updated on enero 26, 2023