Prerequisites
- The Open Collector is installed. If you have not already installed it, follow the instructions in the Open Collector Installation and User Guide, and then return to this topic.
- An API Key is required. It is obtained during the steps outlined in Configure the SentinelOne Portal.
- System Monitor version 7.20 or higher is installed.
- JSON Parsing is enabled. For more information, refer to Configure Beats for JSON Parsing.
- The following port is open:

| Direction | Port | Protocol | Source |
|---|---|---|---|
| Outbound | 443 | HTTPS | SentinelOne Beat |
Initialize the Beat
- To confirm the Open Collector is running, run the following command:
  ./lrctl status
  You should see the open_collector and metrics as shown in the following graphic:
  If the Open Collector is not running correctly, see Troubleshoot the Open Collector in the Open Collector Installation and User Guide.
- In the Open Collector, run the following command:
  ./lrctl sentinelonebeat start
- Enter a unique identifier for the beat instance.
- Enter the SentinelOne API URL.
  The following URLs are supported for this Beat:
  https://<your sentinelone domain>/web/api/v2.1/activities
  https://<your sentinelone domain>/web/api/v2.1/cloud-detection/alerts
  https://<your sentinelone domain>/web/api/v2.1/device-control/events
  https://<your sentinelone domain>/web/api/v2.1/exclusions
  https://<your sentinelone domain>/web/api/v2.1/threats
- Enter the API Token (Bearer Token) obtained during the steps outlined in Configure the SentinelOne Portal.
- (Optional.) Enter any unique Site IDs from which you would like to collect.
  Site IDs are optional, and can be left blank by pressing 'c' on the keyboard.
- Enter the hostname or IP and Port Number of the Sysmon JSON Parser.
- Press Enter.
  The beat starts successfully, and displays the following output:
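The beat prompts interactively and does not tell you in advance whether the URL you are about to enter is one of the supported forms. The following Python script is an added example, not part of this guide or of the Open Collector, that checks a candidate API URL and an optional Site ID entry before you type them into the prompts above. It enforces only what this page states (HTTPS over outbound port 443, a non-empty SentinelOne domain, and one of the five listed /web/api/v2.1/... paths); the domain in the sample input is a constructed placeholder, and treating Site IDs as a comma-separated list is an assumption of the example.

```python
from urllib.parse import urlparse

# The five endpoint paths this page lists as supported by the SentinelOne Beat.
SUPPORTED_PATHS = {
    "/web/api/v2.1/activities": "activities",
    "/web/api/v2.1/cloud-detection/alerts": "cloud-detection/alerts",
    "/web/api/v2.1/device-control/events": "device-control/events",
    "/web/api/v2.1/exclusions": "exclusions",
    "/web/api/v2.1/threats": "threats",
}


def validate_sentinelone_url(url: str) -> str:
    """Check a URL against the supported forms and return its feed name.

    Raises ValueError with a reason the operator can act on. Only the
    constraints the page states are enforced: HTTPS (outbound 443), a non-empty
    SentinelOne domain, and one of the listed /web/api/v2.1/... paths.
    """
    parts = urlparse(url.strip())
    if parts.scheme != "https":
        raise ValueError(f"scheme must be https, got {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no SentinelOne domain")
    if parts.port not in (None, 443):
        raise ValueError(f"only port 443 is opened for the beat, got {parts.port}")
    if parts.query or parts.fragment:
        raise ValueError("supported URLs carry no query string or fragment")
    path = parts.path.rstrip("/")  # tolerate a trailing slash
    if path not in SUPPORTED_PATHS:
        raise ValueError(f"unsupported endpoint path {parts.path!r}")
    return SUPPORTED_PATHS[path]


def is_supported_url(url: str) -> bool:
    """Boolean wrapper around validate_sentinelone_url for quick checks."""
    try:
        validate_sentinelone_url(url)
        return True
    except ValueError:
        return False


def parse_site_ids(text: str) -> list[str]:
    """Parse the optional Site ID input.

    Blank input means "collect from all sites" and yields an empty list.
    Otherwise the comma-separated IDs (separator is an assumption of this
    example) are trimmed, empty entries dropped, and duplicates removed while
    keeping first-seen order.
    """
    seen: dict[str, None] = {}
    for raw in text.split(","):
        site = raw.strip()
        if site:
            seen.setdefault(site, None)
    return list(seen)


if __name__ == "__main__":
    # Constructed sample input; the domain is a placeholder, not a real tenant.
    for candidate in (
        "https://mytenant.example.com/web/api/v2.1/threats",
        "http://mytenant.example.com/web/api/v2.1/threats",
        "https://mytenant.example.com/web/api/v2.0/threats",
    ):
        try:
            print(f"{candidate}: ok ({validate_sentinelone_url(candidate)})")
        except ValueError as err:
            print(f"{candidate}: rejected: {err}")
    print(parse_site_ids(" 1001, 1002 ,,1001 "))
```

Run the script with the URL you intend to enter; a rejection names the specific constraint that failed (plain http, a non-443 port, an older API version in the path) so it can be corrected before the beat is started rather than diagnosed from a failing collector afterwards.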