HELP, Interconnecting SentinelOne with Elasticsearch

Hello, I need your help :face_holding_back_tears::face_holding_back_tears:

I am a SOC analyst, and I want to interconnect SentinelOne with ELK SIEM.
Could you help me to know if you have a tuto or clear documentation explaining all the steps please?

Thanks in advance

Welcome to our community! :smiley:

Do you mean SentinelOne | Elastic docs?

Hello :smiling_face:, Thank you very much for your answer.

I have already consulted this doc, unfortunately, it just shows how to generate the sentinelone api. But does not show the steps for interconnection.:pensive:

I got this working by deploying the SentinelOne integration to one of my fleet managed Elastic Agents.

Did you manage to make the connection? Following which documentation please? With each necessary step

Thank you in advance

  1. Install Elastic Agent on a Windows PC using scripted commands provided when you create an Elastic Agent integration Install Fleet-managed Elastic Agents | Fleet and Elastic Agent Guide [8.7] | Elastic (If you are in a test environment without certificates setup, you will have to add --insecure to the last command)
  2. Troubleshoot any issues with the agent until it has a status of Healthy and you see CPU and Memory usage reported
  3. Deploy the SentinelOne integration and choose the same agent policy as the one used by the Elastic Agent
  4. If that doesn't work, run .\elastic-agent inspect and make sure the outputs shown are correct. I had to modify the Fleet settings to update with the correct hosts Fleet UI settings | Fleet and Elastic Agent Guide [8.7] | Elastic

Thank you a lot for your answer.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.