How to connect Stand Alone Elastic Agent to SentinelOne and Logstash?

I am trying to make a connection from our SentinelOne environment to our existing Logstash server where we process data. We do not use Fleet or Elasticsearch. It seems that we could use Elastic Agent for this connection but I can't find documentation that covers how to connect Elastic Agent to SentinelOne. I thought that using Elastic Agent would be similar to how we connect Filebeat to our Microsoft 365 account and connect with AuditBeat between Linux servers and Logstash.

Could someone please describe the configuration of elastic-agent.yml to connect to SentinelOne and then to Logstash? If someone could provide a copy of a elastic-agent.yml file that connects from SentinelOne to Logstash, then I could just replace the values for my SentinelOne and Logstash server. Or good documentation on configuring stand alone Elastic Agent would also be appreciated.

Can you provide a little more context of what you want to do? It is a little confusing.

Elastic Agent is heavily integrated with Elasticsearch, all the agent integrations need Elasticsearch to run the ingest pipelines, if you do not have Elasticsearch it is not clear why you would want to use the Agent.

The documentation for stand-alone Elastic Agent is basically non-existent.

However, if you want to use the input of the Elastic Agent SentinelOne integration to get the data from the APIs and send it to your Logstash so you can process and send to another place, it would be way easier to use just Filebeat with the httpjson input, you can copy and adapt the httpjson input that the Elastic Agent uses for and configure it on your filebeat.

For example this is the httpjson input for the activity endpoint, a similar filebeat httpjson input would be something like this:

- type: httpjson
  interval: 10m
  request.method: GET
  request.url: sentinel-one-api-endpoint/web/api/v2.1/activities
    - set:
        target: header.Authorization
        value: 'ApiToken your-api'
    - set:
        target: url.params.limit
        value: '100'
    - set:
        target: url.params.sortBy
        value: 'createdAt'
    - set:
        target: url.params.sortOrder
        value: 'asc'
    - set:
        target: url.params.createdAt__gte
        value: '[[formatDate (parseDate .cursor.last_create_at)]]'
        default: '[[formatDate (now (parseDuration "-24h"))]]'
    - set:
        target: url.params.cursor
        value: '[[if (ne .last_response.body.pagination.nextCursor nil)]][[.last_response.body.pagination.nextCursor]][[end]]'
        fail_on_template_error: true
      value: '[[.last_event.createdAt]]'

But you need to test it.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.