SentinelOne is a comprehensive enterprise security platform that provides threat detection, hunting, and response features that enable organizations to discover vulnerabilities and protect IT operations. It provides edge-to-edge protection for assets within an enterprise’s IT architecture.

1. Installation #

In order to integrate SentinelOne:

  • Enable syslog integration from the SentinelOne console.
  • Specify the host and port (wazuh-clientname:514 for cloud-to-cloud collection and ip:2515 for an on-premise collector). The ip:2515 should the ip (example: 192.168.X.X) where Logstash has been installed.
  • Enable TLS (do not upload any certificate or key).
  • Specify CEF 2 format.
  • Get your SentinelOne account ID (query for AccountId) or find it in Sentinels menu. Alternatively, you can obtain a siteId for.

If you are using cloud-to-cloud integration, in LogSentinel SIEM:

  • Create a new data source.
  • Set the syslog identification param name to «accountId» and syslog identification param value to the accountId you obtained in the last step below.
  • Alternatively, set the parameter name to «siteId» and the value to the siteId value obtained above.

2. Logstash Configuration #

We must change Logstash to properly receive and filter SentinelOne logs. This configuration is necessary for on-premise. You can skip this section if you have cloud-to-cloud environment.

The installation of Logstash and its service is located in the ‘Apolo Analytics’ folder, at the default address: ‘C:\Program Files\Apolo Analytics’.

  • We will enter the folder of ‘C:\Program Files\Apolo Analytics\logstash-version.  Where we will find the following files:

  • The file that we will need to modify is ‘logstash.conf’ located in  the previous location which will have a configuration similar to the following.
input {
   udp {
      port => 5144
filter {

output {
   stdout {
      codec => "line"
tcp {
      codec => "line"
      port => 514
      host => ""
  • We will need to add in the input the following configurations:

For cef2 format:

input {
	syslog {
		port => 2515
		codec => cef
		syslog_field => "syslog"
		grok_pattern => "<%{POSINT:priority}>%{SYSLOGTIMESTAMP:timestamp} CUSTOM GROK HERE"

For line or json format change to: codec => json or codec => line

Updated on enero 26, 2023