# SentinelOne

### Step 1: Create a New Source

In the Scanner UI, go to the Collect tab.

* From the Overview page, click the '+' icon in the upper right corner.
* Select create new **Collect Rule**.
* Click **Select a Source Type**.
* Choose **SentinelOne**.
* Choose the specific SentinelOne log type (the instructions below apply to all log types).

You’ll be prompted to choose an Ingest Method:

* Select **API Pull**.
* Then, choose a Destination: Select **Scanner**.

Click Next.

### Step 2: Configure the Source

Set a Display Name, such as `my-sentinelone-logs`.

Click Next.

### Step 3: Authenticate with SentinelOne

* If you’ve previously created a SentinelOne connection, select it from the list.
* Otherwise, select **New SentinelOne Connection** and fill in the required fields:
  * Connection Name: Give the connection a recognizable name.
  * Base URL: The URL of your SentinelOne console, e.g. `https://usea1-partners.sentinelone.net`
  * API Token: Generate this from your SentinelOne console.

Click Next.

### Step 4: Configure the Destination

* Choose the S3 Bucket where the raw SentinelOne logs should be stored.
* (Optional) Enter a Key Prefix to organize the data path in your bucket.
* Choose the Scanner Index where logs will be made searchable.
* Leave the Source Label as `sentinelone:<log_type>`.

Click Next.

### Step 5: Transform and Enrich

* (Optional) Add transformation or enrichment steps if needed.

Click Next.

### Step 6: Timestamp Extraction

Leave the default setting, since different SentinelOne log types use different timestamp fields.

Click Next.

### Step 7: Review and Create

* Review all configuration settings.
* Click **Create Source**.

### What Happens Next

Once created:

* Scanner will poll the SentinelOne API every **5 minutes**.
* New events will be written to your S3 bucket, under the specified key prefix.
* Logs will then be indexed for search and detections using your selected Scanner index.
