SentinelOne

Step 1: Create a New Source

In the Scanner UI, go to the Collect tab.

  • From the Overview page, click the '+' icon in the upper right corner.

  • Select Create New Collect Rule.

  • Click Select a Source Type.

  • Choose SentinelOne.

  • Choose the specific SentinelOne log type (the instructions below apply to all log types).

You’ll be prompted to choose an Ingest Method:

  • Select API Pull.

  • Then, choose a Destination: Select Scanner.

Click Next.

Step 2: Configure the Source

Set a Display Name, such as my-sentinelone-logs.

Click Next.

Step 3: Authenticate with SentinelOne

  • If you’ve previously created a SentinelOne connection, select it from the list.

  • Otherwise, select New SentinelOne Connection and fill in the required fields:

    • Connection Name: Give the connection a recognizable name.

    • Base URL: e.g. https://usea1-partners.sentinelone.net

    • API Token: Generate this from your SentinelOne console.

Click Next.

Step 4: Configure the Destination

  • Choose the S3 Bucket where the raw SentinelOne logs should be stored.

  • (Optional) Enter a Key Prefix to organize the data path in your bucket.

  • Choose the Scanner Index where logs will be made searchable.

  • Leave the Source Label as sentinelone:<log_type>.

Click Next.

Step 5: Transform and Enrich

  • (Optional) Add transformation or enrichment steps if needed.

Click Next.

Step 6: Timestamp Extraction

Leave the default setting, since the timestamp field differs between SentinelOne log types.

Click Next.

Step 7: Review and Create

  • Review all configuration settings.

  • Click Create Source.

What Happens Next

Once created:

  • Scanner will poll the SentinelOne API every 5 minutes.

  • New events will be written to your S3 bucket, under the specified key prefix.

  • Logs will then be indexed for search and detections using your selected Scanner index.
