Initialize the SentinelOne Beat

Prerequisites

• The Open Collector is installed. If you have not already installed it, follow the instructions in the Open Collector Installation and User Guide, and then return to this topic.

• Requires an API Key, obtained during the steps outlined in Configure the SentinelOne Portal.

• System Monitor version 7.20 or higher is installed.

• JSON Parsing is enabled. For more information, refer to Configure Beats for JSON Parsing.

• The following port is open:

Initialize the Beat via the Web Console (Recommended)

1. Ensure that the Open Collector Connection to the SIEM (WebUI) setup has been completed.

2. Ensure that the System Monitor Agent to which you intend to send these logs has been Configured for JSON Parsing.

3. Follow the steps outlined in Add a Beat in the Web Console to create the Beat via the Web UI.

Initialize the Beat via Command Line (Legacy)

1. To confirm the Open Collector is running, run the following command:

   ./lrctl status
   

   You should see the open_collector and metrics versions.
   If the Open Collector is not running correctly, see Troubleshoot the Open Collector in the Open Collector Installation and User Guide.

2. In the Open Collector, run the following command:

   ./lrctl sentinelonebeat start
   

3. Enter a unique identifier for the beat instance.

4. Enter the SentinelOne API URL.

5. Enter the API Token (Bearer Token) obtained during the steps outlined in Configure the SentinelOne Portal.

6. (Optional.) Enter any unique Site IDs from which you would like to collect.

7. Enter the hostname or IP and Port Number of the Sysmon JSON Parser.

8. Press Enter.
   The beat starts successfully.