Author | SentinelOne and Aplura, LLC. |
App Version | 5.1.6 |
App Build | 0 |
Vendor Products | SentinelOne Cloud |
Has index-time operations | false |
Creates an index | false |
Implements summarization | If configured, the Data model will generate accelerations. |
SentinelOne allows a SentinelOne administrator or analyst to interact with the SentinelOne product.
https://www.sentinelone.com/legal/terms-of-service/
Copyright 2020, Sentinel Labs, Inc.
This app includes the following scripts:
Diag.py | This is to assist in diag creation for support. |
cim_actions.py | Splunk Alert Actions Support script |
s1_client.py | Class to allow access to S1 in support of Mod inputs and Alert actions |
s1_upgrader.py | Modular input run on startup to check and upgrade the app. |
sentinelone.py | Modular Input script file. |
AlertAction.py | Helper file for Alert Actions |
ModularInput.py | Helper file for Modular Inputs |
Utilities.py | Helper file for Utilities |
version.py | Technical Version of the app. |
sentinelone-network-control.py | This is the script for the Network Control adaptive alert action. |
sentinelone-threat-control.py | This is the script for the Threat Control adaptive alert action. |
sentinelone-cmd_agent_action.py | This is the script for the Agent Control custom command. |
sentinelone-cmd_threat_action.py | This is the script for the Threat Control custom command. |
Version 5.1.6 of SentinelOne has the following known issues:
hotfix to allow the IA/TA to have the correct logging configuration file
added field filtering to Modular Input
updated Manage Agents to use correct agent id field, and better verbiage on errors.
increased base limit of api pulls to 1000 (200 for groups API)
added a Logging tab to enable log levels on configured items via UI.
removed guid from Modular Input logging file name.
updated app.conf for simple trigger reloads
updated Application Configuration Page to correctly update API token
updated Application Configuration Page to simplify base index configuration
updated Diag collection to account for non-standard Splunk install locations
Updated dashboards to be compliant with v1.1 SimpleXML and jquery 3.5
Better error management and reporting within modular inputs
Fixed Proxy issues with modular inputs
New Features
Dashboard - Manage Agents Overview
Dashboard - Manage Threats Overview
Adaptive Alert - Network Control
Adaptive Alert - Threat Control
Custom Command - agentaction
Custom Command - threataction
Version 5.1.6 of SentinelOne is compatible with:
Splunk Enterprise versions | 8.0, 8.1, 8.2 |
Platforms | Splunk Enterprise, Splunk Cloud |
Access questions and answers specific to SentinelOne at https://answers.splunk.com. Be sure to tag your question with the name of the app: SentinelOne.
Support Email: ptr-svc-acct@sentinelone.com
Support Offered: Splunk Answers, Community Engagement, Email
If a support representative asks for it, a support diagnostic file can be generated. Use the following command to generate the file. Send the resulting file to support.
$SPLUNK_HOME/bin/splunk diag --collect=app:sentinelone_app_for_splunk
This file should be collected on the node/instance that is presenting with an issue. If a Heavy Forwarder is being used for inputs, but no data is being collected, perform the command on the Heavy Forwarder. If the alert actions or search commands are not working, run the diagnostic on the Search Head(s) in question.
This section provides some tips for troubleshooting the SentinelOne application.
Enable debug logging for modular inputs, alert actions, and custom commands
Copy default/log.cfg to local/log.cfg. Edit local/log.cfg and change the logging level for each component to DEBUG to get debugging messages.
Specific logger names can be found using the search index=_internal action=logger_name
Examples
[sentinelone_app_for_splunk]
modularinput=DEBUG
restclient=DEBUG
utilities=DEBUG
kenny_loggins=WARN
sentinelone=DEBUG
s1_client=DEBUG
sentinelone-threat-control=DEBUG
sentinelone-network-control=DEBUG
sentinelone_cmd_threat_action=DEBUG
Application Configuration
If nothing appears under the Application Configuration header on the application configuration dashboard, check for web page errors in the browser developer console:
Firefox: Tools, Web Developer, Web Developer Tools. Errors will display in the Console tab.
Chrome: Customize and control Google Chrome (right-hand corner of the address bar), More Tools, Developer Tools.
Helpful searches
SentinelOne creates several log files that reside in $SPLUNK_HOME/var/log. These are indexed into the Splunk environment in the _internal index. To view these log files, run the following search:
> index=_internal source="*sentinelone*"
The base index contains a sourcetype sentinelone:error that contains error information from the modular input and alert actions. This search will retrieve these logs:
> eventtype=sentinelone_base_index sourcetype="*error*"
Common Issues
Some of the common issues include:
Proxy Error. Check that the proxy settings are correct.
> index=_internal source="*sentinelone*" ProxyError
Because this App runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.
Download SentinelOne at https://splunkbase.splunk.com/app/5433/.
Note: Installing the SentinelOne TA or IA on the same node as the App may result in instability or errors.
Single Instance (8.X)
(Pre-requisite) Splunk CIM Add-on
Only the SentinelOne App (sentinelone_app_for_splunk)
Single Instance + Heavy Forwarder (8.X)
Single Instance:
(Pre-requisite) Splunk CIM Add-on
SentinelOne App (sentinelone_app_for_splunk)
Heavy Forwarder: IA-sentinelone_app_for_splunk (IA-sentinelone_app_for_splunk)
Distributed deployment (8.x)
Heavy Forwarder: IA-sentinelone_app_for_splunk (IA-sentinelone_app_for_splunk)
Search Head:
(Pre-requisite) Splunk CIM Add-on
SentinelOne App (sentinelone_app_for_splunk)
Indexer: TA-sentinelone_app_for_splunk (TA-sentinelone_app_for_splunk)
Splunk Cloud
This extension introduces new sourcetypes that are more in line with best practices. If the extension is being upgraded from an existing version of the SentinelOne app, the following instructions allow the old and new data sources to overlap. Each sourcetype follows the same procedure to enable searching on the old data concurrently with the new data.
The steps are as follows, and should be done in local/eventtypes.conf:
1. Update sentinelone_legacy_index with the index that contains the legacy data.
2. Update and enable the sentinelone_legacy_agents event type.
3. Add sentinelone_legacy_agents to the sentinelone_agents event type:
   eventtype IN (sentinelone_updated_agents, sentinelone_legacy_agents)
4. Update and enable the sentinelone_legacy_threats event type.
5. Add sentinelone_legacy_threats to the sentinelone_threats event type:
   eventtype IN (sentinelone_updated_threats, sentinelone_legacy_threats)
6. Update and enable the sentinelone_legacy_activities event type.
7. Add sentinelone_legacy_activities to the sentinelone_activities event type:
   eventtype IN (sentinelone_updated_activities, sentinelone_legacy_activities)
8. Update and enable the sentinelone_legacy_groups event type.
9. Add sentinelone_legacy_groups to the sentinelone_groups event type:
   eventtype IN (sentinelone_updated_groups, sentinelone_legacy_groups)
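The following local/eventtypes.conf carries out the legacy-data steps above for all four channels. It is an added example, not configuration shipped with the app: the legacy index name (sentinelone_old) and the search strings of the four sentinelone_legacy_* event types are placeholders, because the page does not state what the legacy sourcetypes were called. Only the combined event types use the exact eventtype IN (...) searches given in the steps.

```ini
# local/eventtypes.conf (added example; stanza contents are assumptions
# except for the combined "eventtype IN (...)" searches from the steps above)

# Step 1: point the legacy-index event type at the index holding the old data.
# "sentinelone_old" is a placeholder for your actual legacy index name.
[sentinelone_legacy_index]
search = index=sentinelone_old

# Steps 2-3: agents. The sourcetype value is a placeholder; use the sourcetype
# the previous app version wrote agent data under.
[sentinelone_legacy_agents]
search = eventtype=sentinelone_legacy_index sourcetype=<legacy-agents-sourcetype>
disabled = 0

[sentinelone_agents]
search = eventtype IN (sentinelone_updated_agents, sentinelone_legacy_agents)

# Steps 4-5: threats.
[sentinelone_legacy_threats]
search = eventtype=sentinelone_legacy_index sourcetype=<legacy-threats-sourcetype>
disabled = 0

[sentinelone_threats]
search = eventtype IN (sentinelone_updated_threats, sentinelone_legacy_threats)

# Steps 6-7: activities.
[sentinelone_legacy_activities]
search = eventtype=sentinelone_legacy_index sourcetype=<legacy-activities-sourcetype>
disabled = 0

[sentinelone_activities]
search = eventtype IN (sentinelone_updated_activities, sentinelone_legacy_activities)

# Steps 8-9: groups.
[sentinelone_legacy_groups]
search = eventtype=sentinelone_legacy_index sourcetype=<legacy-groups-sourcetype>
disabled = 0

[sentinelone_groups]
search = eventtype IN (sentinelone_updated_groups, sentinelone_legacy_groups)
```

Because local/ settings layer over default/, only the stanzas listed here need to exist in local/eventtypes.conf; every other event type the app ships stays as delivered. After saving the file, reload the configuration (or run the debug refresh) and confirm with a search such as eventtype=sentinelone_agents | stats count by index that both the legacy and the current index appear before enabling the new inputs.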
SentinelOne is configured from the Application Configuration menu option under the Administration menu.
SentinelOne includes the following macros that control dashboard searches.
SentinelOne includes the following dashboards.
Application Configuration
Application Health Overview (under the Administration menu option)
Network
Threats
Manage Agents Overview
Manage Threats Overview
SentinelOne includes the following saved searches. These searches need to be run in order to populate the management host and site name dropdowns on the dashboards. Fields from these lookups are also used in the dashboard panels.
sentinelone_groups_lookup_generation
Search for populating the groups lookup with site id and site name
This should be enabled prior to enabling the inputs
It may need to be run on a one-time basis over all time to do the initial import of groups.
sentinelone_lookup_generation
Search for populating the agents lookup
This should be enabled prior to enabling the inputs
It may need to be run on a one-time basis over all time to do the initial import of agents.
SentinelOne includes the following channels for the SentinelOne inputs. Make sure the interval lengths are reviewed prior to enablement.
Applications
Groups
Threats
Agents
Activities
SentinelOne includes the ability to include or exclude fields when retrieving SentinelOne Inputs. Field filtering is configured under the Application Configuration dashboard on the Fields tab. You may specify fields that should be included for a channel or fields that should be excluded for a channel. If no filtering is defined for a channel, all fields are included by default.
SentinelOne includes the following adaptive alert actions.
Network Control
Allows the Splunk admin to manage the network status for an agent.
Action
Management Host
Site ID
Agent ID
Threat Control
Allows the Splunk admin to configure the incident status and analyst verdict for a threat.
Incident Status
Unresolved, In Progress, or Resolved
In order to set the incident status to Resolved, a verdict must be specified.
Analyst Verdict
Management Host
Site ID
Threat ID
SentinelOne includes the following custom commands.
agentaction
Allows the Splunk admin to manage the network status for an agent.
action_type
management
site_id
agent_id
Sample Usage
index=sentinelone sourcetype="sentinelone:channel:agents" | fields id siteId | eval siteId=siteId."", management="testhost.sentinelone.net" | stats values(*) as * by id | sentineloneagentaction action_type=connect
threataction
Allows the Splunk admin to configure the incident status and analyst verdict for a threat.
status
Incident status
Unresolved, In Progress, or Resolved
In order to set the incident status to Resolved, a verdict must be specified.
verdict
management
site_id
threat_id
Sample Usage
index=sentinelone sourcetype="sentinelone:channel:threats" | fields id siteId | eval siteId=siteId."", management="testhost.sentinelone.net" | stats values(*) as * by id | sentinelonethreataction status=resolved verdict=false_positive
SentinelOne includes the following health checks in the Monitoring Console health check list (default/checklist.conf).
SentinelOne contains the following lookup files.
SentinelOne does not include an event generator.
Summary Indexing: No
Data Model Acceleration: No
Report Acceleration: No
SentinelOne includes an updater to assist in upgrades to the app. It is a modular input with the stanza s1_upgrader://DF945543-967A-4488-975E-757F4D5E2B41.
Version 5.1.6 of SentinelOne incorporates the following Third-party software or third-party services.
Added field filtering to data ingestion.
Added a Logging tab to enable log levels on configured items via the UI.
Updated proxy setting configurations to support multiple proxy types.
Updated dashboards for jQuery 3.5 compatibility requirements.