Initialize the SentinelOne Beat

Prerequisites

• The Open Collector is installed. If you have not already installed it, follow the instructions in the Open Collector Installation and User Guide, and then return to this topic.

• Requires an API Key, obtained during the steps outlined in Configure the SentinelOne Portal.

• System Monitor version 7.20 or higher is installed.

• JSON Parsing is enabled. For more information, refer to Configure Beats for JSON Parsing.

• The following port is open:

Initialize the Beat

1. To confirm the Open Collector is running, run the following command:

   CODE

   ./lrctl status

   You should see the open_collector and metrics as shown in the following graphic:

   

   If the Open Collector is not running correctly, see Troubleshoot the Open Collector in the Open Collector Installation and User Guide.

2. In the Open Collector, run the following command:

   CODE

   ./lrctl sentinelonebeat start

3. Enter a unique identifier for the beat instance.

   

4. Enter the SentinelOne API URL.

   

The following URLs are supported for this Beat:

https://<your sentinelone domain>/web/api/v2.1/activities

https://<your sentinelone domain>/web/api/v2.1/cloud-detection/alerts

https://<your sentinelone domain>/web/api/v2.1/device-control/events

https://<your sentinelone domain>/web/api/v2.1/exclusions

https://<your sentinelone domain>/web/api/v2.1/threats

5. Enter the API Token (Bearer Token) obtained during the steps outlined in Configure the SentinelOne Portal.

6. (Optional.) Enter any unique Site IDs from which you would like to collect.

Site IDs are optional, and can be left blank by pressing 'c' on the keyboard.

7. Enter the hostname or IP of the Open Collector.

8. Enter the port number of the Open Collector.

9. Press Enter.
   The beat starts successfully, and displays the following output: