How to connect Stand Alone Elastic Agent to SentinelOne and Logstash?

I am trying to make a connection from our SentinelOne environment to our existing Logstash server where we process data. We do not use Fleet or Elasticsearch. It seems that we could use Elastic Agent for this connection but I can't find documentation that covers how to connect Elastic Agent to SentinelOne. I thought that using Elastic Agent would be similar to how we connect Filebeat to our Microsoft 365 account and connect with AuditBeat between Linux servers and Logstash.

Could someone please describe the configuration of elastic-agent.yml to connect to SentinelOne and then to Logstash? If someone could provide a copy of an elastic-agent.yml file that connects from SentinelOne to Logstash, then I could just replace the values for my SentinelOne and Logstash server. Good documentation on configuring stand-alone Elastic Agent would also be appreciated.

Can you provide a little more context of what you want to do? It is a little confusing.

Elastic Agent is heavily integrated with Elasticsearch. All the agent integrations need Elasticsearch to run the ingest pipelines, so if you do not have Elasticsearch it is not clear why you would want to use the Agent.

The documentation for stand-alone Elastic Agent is basically non-existent.

However, if you want to use the input of the Elastic Agent SentinelOne integration to get the data from the APIs and send it to your Logstash so you can process it and send it to another place, it would be way easier to just use Filebeat with the httpjson input. You can copy and adapt the httpjson input that the Elastic Agent uses and configure it in your Filebeat.

For example, this is the httpjson input for the activity endpoint; a similar Filebeat httpjson input would be something like this:

filebeat.inputs:
- type: httpjson
  interval: 10m
  request.method: GET
  # replace with your SentinelOne console URL, e.g. https://<tenant>.sentinelone.net
  request.url: sentinel-one-api-endpoint/web/api/v2.1/activities
  request.transforms:
    # SentinelOne API authentication header; replace with your API token
    - set:
        target: header.Authorization
        value: 'ApiToken your-api'
    - set:
        target: url.params.limit
        value: '100'
    - set:
        target: url.params.sortBy
        value: 'createdAt'
    - set:
        target: url.params.sortOrder
        value: 'asc'
    # only fetch activities newer than the saved cursor; on first run look back 24h
    - set:
        target: url.params.createdAt__gte
        value: '[[formatDate (parseDate .cursor.last_create_at)]]'
        default: '[[formatDate (now (parseDuration "-24h"))]]'
  response.pagination:
    # follow nextCursor until the API returns no further page
    - set:
        target: url.params.cursor
        value: '[[if (ne .last_response.body.pagination.nextCursor nil)]][[.last_response.body.pagination.nextCursor]][[end]]'
        fail_on_template_error: true
  cursor:
    # persist the createdAt of the last event seen for the next interval
    last_create_at:
      value: '[[.last_event.createdAt]]'
  response.split:
    # each element of body.data becomes one event
    target: body.data

But you need to test it.
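To make the polling logic of that httpjson input concrete, here is an added example (not the poster's code and not from the Filebeat or SentinelOne projects) that walks the activities endpoint the same way: page with nextCursor, split body.data into events, and carry the newest createdAt forward as the cursor for the next run. It assumes the JSON shape shown in the config (data, pagination.nextCursor, createdAt) and uses constructed sample responses instead of live HTTP.

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

# A fetch function takes the query params and returns the decoded JSON body.
Fetch = Callable[[Dict[str, str]], dict]


def poll_activities(fetch: Fetch, cursor: Optional[str], limit: int = 100) -> Tuple[List[dict], Optional[str]]:
    """One polling interval. `cursor` is last_create_at from the previous run;
    None means first run, so fall back to a 24h look-back like the config's default."""
    since = cursor or (datetime.now(timezone.utc) - timedelta(hours=24)).strftime("%Y-%m-%dT%H:%M:%SZ")
    params = {"limit": str(limit), "sortBy": "createdAt", "sortOrder": "asc",
              "createdAt__gte": since}
    events: List[dict] = []
    while True:
        body = fetch(params)
        events.extend(body.get("data", []))  # response.split target: body.data
        next_cursor = body.get("pagination", {}).get("nextCursor")
        if not next_cursor:  # nextCursor nil -> pagination ends for this interval
            break
        params = {**params, "cursor": next_cursor}  # url.params.cursor for the next page
    # cursor.last_create_at: createdAt of the last event, unchanged if nothing arrived
    new_cursor = events[-1]["createdAt"] if events else cursor
    return events, new_cursor


# Constructed sample responses (not real SentinelOne data), keyed by the cursor param.
_SAMPLE = {
    None: {"data": [{"id": "1", "createdAt": "2024-01-01T00:00:00Z"},
                    {"id": "2", "createdAt": "2024-01-01T00:05:00Z"}],
           "pagination": {"nextCursor": "page2"}},
    "page2": {"data": [{"id": "3", "createdAt": "2024-01-01T00:10:00Z"}],
              "pagination": {"nextCursor": None}},
}


def sample_fetch(params: Dict[str, str]) -> dict:
    """Stand-in for the HTTP GET; returns the page matching the cursor param."""
    return _SAMPLE[params.get("cursor")]


def empty_fetch(params: Dict[str, str]) -> dict:
    """Simulates an interval with no new activities."""
    return {"data": [], "pagination": {"nextCursor": None}}
```

Run poll_activities(sample_fetch, None) once, then feed the returned cursor into the next call to see how createdAt__gte advances between intervals.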
