# SentinelOne

### Step 1: Create a New Source

In the Scanner UI, go to the Collect tab.

* From the Overview page, click the '+' icon in the upper right corner.
* Select the option to create a new **Collect Rule**.
* Click **Select a Source Type**.
* Choose **SentinelOne**.
* Choose the specific SentinelOne log type (the instructions below apply to all log types).

You’ll be prompted to choose an Ingest Method:

* Select **API Pull**.
* Then, choose a Destination: Select **Scanner**.

Click Next.

### Step 2: Configure the Source

Set a Display Name, such as `my-sentinelone-logs`.

Click Next.

### Step 3: Authenticate with SentinelOne

* If you’ve previously created a SentinelOne connection, select it from the list.
* Otherwise, select **New SentinelOne Connection** and fill in the required fields:
  * Connection Name: Give the connection a recognizable name.
  * Base URL: e.g. `https://usea1-partners.sentinelone.net`
  * API Token: Generate this from your SentinelOne console.

Click Next.

### Step 4: Configure the Destination

* Choose the S3 Bucket where the raw SentinelOne logs should be stored.
* (Optional) Enter a Key Prefix to organize the data path in your bucket.
* Choose the Scanner Index where logs will be made searchable.
* Leave the Source Label as `sentinelone:<log_type>`.

Click Next.

### Step 5: Transform and Enrich

* (Optional) Add additional transformation or enrichment steps if needed.

Click Next.

### Step 6: Timestamp Extraction

Leave the default setting. Different log types have different timestamp fields.

Click Next.

### Step 7: Review and Create

* Review all configuration settings.
* Click **Create Source**.

### What Happens Next

Once created:

* Scanner will poll the SentinelOne API every **5 minutes**.
* New events will be written to your S3 bucket, under the specified key prefix.
* Logs will then be indexed for search and detections using your selected Scanner index.


