Overview

This guide provides the steps to integrate SentinelOne (via API) with Seceon SIEM so that you can have comprehensive visibility and proactive threat detection in your environment. Logs are transferred from your firewall to the APE (Analytics and Policy Engine) via the CCE (Collection and Control Engine).

Steps Of Configuration

Step 1. Navigate to Provisioning by clicking on the Provisioning tab located in the top menu bar of the application.

Step 2. Expand 'Add on devices' by clicking on the downward-facing arrow next to the 'Add on devices' option in the menu.

Prerequisites

In the SentinelOne Cloud console, you must generate an API token.

To create an API token:

  1. In the SentinelOne management console, go to Settings, and then click Users.

  2. Click on the Admin user for which you want to generate the API token.

  3. Click Generate next to API Token.

To add SentinelOne API method support, provide the following configuration, replacing the placeholders with your values:

{"host": "<your_management_url>", "account_type": "<user_account_type>"}

Note: The account_type value can be either service or console; console is the default if none is provided.
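As an added check (not part of the Seceon or SentinelOne documentation), the helper below parses the configuration fragment above, applies the documented default of console for account_type, and rejects an unknown account type or a host that is not an https management URL. The sample inputs are constructed placeholders, and the https requirement is an assumption made here, not a documented Seceon rule.

```python
import json
from urllib.parse import urlparse

VALID_ACCOUNT_TYPES = {"service", "console"}


def parse_sentinelone_config(raw):
    """Parse {"host": ..., "account_type": ...} and normalise it.

    account_type defaults to "console" when absent (as documented).
    Raises ValueError when host is missing, is not an https URL,
    or account_type is not "service" or "console".
    """
    cfg = json.loads(raw)
    host = cfg.get("host")
    if not isinstance(host, str) or not host.strip():
        raise ValueError("host is required")
    # Accept a bare hostname or a full URL; assume https when no scheme is given.
    url = host if "://" in host else "https://" + host
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("host must be an https management URL")
    account_type = cfg.get("account_type") or "console"
    if account_type not in VALID_ACCOUNT_TYPES:
        raise ValueError("account_type must be 'service' or 'console'")
    return {"host": parsed.netloc, "account_type": account_type}


def is_valid_config(raw):
    """Convenience wrapper: True if the fragment parses cleanly."""
    try:
        parse_sentinelone_config(raw)
        return True
    except (ValueError, json.JSONDecodeError):
        return False


# Constructed sample fragments (placeholder hostname, not a real tenant).
SAMPLE_MINIMAL = '{"host": "mgmt.example.com"}'
SAMPLE_SERVICE = '{"host": "https://mgmt.example.com", "account_type": "service"}'
SAMPLE_BAD_TYPE = '{"host": "mgmt.example.com", "account_type": "admin"}'
SAMPLE_HTTP = '{"host": "http://mgmt.example.com"}'

if __name__ == "__main__":
    print(parse_sentinelone_config(SAMPLE_MINIMAL))
    print(parse_sentinelone_config(SAMPLE_SERVICE))
    print(is_valid_config(SAMPLE_BAD_TYPE), is_valid_config(SAMPLE_HTTP))
```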

Verification

STEP 1: Log in to the UI and go to SYSTEM.

STEP 2: Open Logs and flows collection status.

STEP 3: Verify the source device IP from the UI.

This allows you to confirm that the system is correctly identifying the source device IP and that it matches the expected IP address.