SentinelOne is a comprehensive enterprise security platform that provides threat detection, hunting, and response features that enable organizations to discover vulnerabilities and protect IT operations. It provides edge-to-edge protection for assets within an enterprise’s IT architecture.
1. Installation
In order to integrate SentinelOne:
- Enable syslog integration from the SentinelOne console.
- Specify the host and port (wazuh-clientname:514 for cloud-to-cloud collection and ip:2515 for an on-premise collector). In ip:2515, ip is the IP address (example: 192.168.X.X) of the host where Logstash has been installed.
- Enable TLS (do not upload any certificate or key).
- Specify CEF 2 format.
- Get your SentinelOne account ID (query for AccountId) or find it in the Sentinels menu. Alternatively, you can obtain a siteId for.

If you are using cloud-to-cloud integration, in LogSentinel SIEM:
- Create a new data source.
- Set the syslog identification param name to «accountId» and the syslog identification param value to the accountId you obtained in the previous step.
- Alternatively, set the parameter name to «siteId» and the value to the siteId value obtained above.
2. Logstash Configuration
We must change the Logstash configuration so that it properly receives and filters SentinelOne logs. This configuration is only necessary for on-premise collection; you can skip this section if you have a cloud-to-cloud environment.
The installation of Logstash and its service is located in the ‘Apolo Analytics’ folder, at the default address: ‘C:\Program Files\Apolo Analytics’.
- We will enter the folder ‘C:\Program Files\Apolo Analytics\logstash-version’, where we will find the Logstash files.
- The file we need to modify is ‘logstash.conf’, located in that folder; it will have a configuration similar to the following:
input {
  udp {
    port => 5144
  }
}
filter {
}
output {
  stdout {
    codec => "line"
  }
  tcp {
    codec => "line"
    port => 514
    host => "wazuh-nomclientempresa.apoloanalytics.com"
  }
}
- We will need to add the following configuration to the input section.
For the CEF 2 format:
input {
  syslog {
    port => 2515
    codec => cef
    syslog_field => "syslog"
    grok_pattern => "<%{POSINT:priority}>%{SYSLOGTIMESTAMP:timestamp} CUSTOM GROK HERE"
  }
}
For line or JSON format, change the codec to codec => json or codec => line instead.
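As an added example (not part of this guide, SentinelOne or Logstash), the Python parser below decodes a syslog line carrying a CEF event in the same way the codec => cef and syslog_field settings above split it: the part before "CEF:" is kept as the syslog header, the seven pipe-separated header fields are unescaped, and the key=value extension is parsed with CEF escaping (\|, \\, \=) handled. It is useful for checking, offline, what a captured SentinelOne line will turn into before the collector sees it; the sample line, its event name and its extension keys (accountId included) are constructed assumptions, not real SentinelOne output.

```python
import re

# Header: 7 pipe-separated fields after "CEF:"; a literal "|" or "\" inside a field is escaped as \| or \\.
_FIELD = r'(?:\\.|[^|\\])*'
_HEADER_RE = re.compile(
    r'^CEF:(?P<cef_version>\d+)\|(?P<device_vendor>%s)\|(?P<device_product>%s)\|'
    r'(?P<device_version>%s)\|(?P<signature_id>%s)\|(?P<name>%s)\|(?P<severity>%s)\|'
    r'(?P<extension>.*)$' % ((_FIELD,) * 6), re.DOTALL)
# Extension: "key=value" pairs separated by spaces. Values may contain spaces, so a value ends
# only where the next " key=" begins; a literal "=" or "\" inside a value is escaped as \= or \\.
_EXT_RE = re.compile(r'(?P<key>[A-Za-z0-9_.]+)=(?P<val>(?:\\.|[^\\=])*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)')
_SYSLOG_RE = re.compile(r'^<(?P<pri>\d+)>(?P<header>.*?)\s*$')
_CTRL = {'n': '\n', 'r': '\r'}


def _unescape(value, extension=False):
    # An escaped character stands for itself; in the extension \n and \r additionally encode line breaks.
    return re.sub(r'\\(.)', lambda m: _CTRL.get(m.group(1), m.group(1)) if extension else m.group(1), value)


def parse_cef_syslog(line):
    """Parse one syslog line carrying a CEF event. Returns a dict, or None if the line is not CEF."""
    start = line.find('CEF:')
    if start < 0:
        return None
    m = _HEADER_RE.match(line[start:].rstrip('\r\n'))
    if m is None:
        return None
    event = {k: _unescape(v) for k, v in m.groupdict().items() if k != 'extension'}
    event['cef_version'] = int(event['cef_version'])
    # Everything before "CEF:" is the syslog header: the part the Logstash syslog input keeps in
    # syslog_field and runs grok_pattern over. Here only the <PRI> is decoded into facility/severity.
    s = _SYSLOG_RE.match(line[:start])
    if s:
        pri = int(s.group('pri'))
        event['syslog_facility'], event['syslog_severity'] = pri >> 3, pri & 7
        event['syslog_header'] = s.group('header').strip()
    event['extension'] = {e.group('key'): _unescape(e.group('val'), extension=True)
                          for e in _EXT_RE.finditer(m.group('extension'))}
    return event


# Constructed sample in the shape of CEF-over-syslog output; the event name, the extension keys
# (accountId in particular) and all values are made up for this demonstration.
SAMPLE = ('<14>Mar  3 10:15:42 sentinelone CEF:0|SentinelOne|Mgmt|1.0|threat_detected|'
          'Threat detected\\|quarantined|8|act=quarantine rt=1709460942000 accountId=1234567890 '
          'msg=Path C:\\\\Users\\\\bob\\\\evil.exe flagged src=10.0.0.5 dhost=WS-01')

if __name__ == '__main__':
    parsed = parse_cef_syslog(SAMPLE)
    # accountId is the extension field a syslog identification parameter named «accountId» would key on.
    print(parsed['name'], parsed['severity'], parsed['extension']['accountId'])
    print(parsed['extension']['msg'])
```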