Fortinet Document Library


External Systems Configuration Guide

SentinelOne

Integration Points

Method: Syslog
Information Discovered: Host name, Reporting IP
Metrics Collected: None
Logs Collected: System and Security Events (e.g., file blocked)
Used for: Security monitoring

Event Types

In ADMIN > Device Support > Event, search for "SentinelOne" to see the event types associated with this device.

Rules

No specific rules are written for SentinelOne, but the generic endpoint rules apply.

Reports

No specific reports are written for SentinelOne, but the generic endpoint rules apply.

Configuration

Configure the SentinelOne system to send its logs to FortiSIEM over syslog in the supported CEF format (see Sample Events).

Settings for Access Credentials

None required.

Sample Events

<14>CEF:0|SentinelOne|Mgmt|Windows 7|21|Threat marked as resolved|1|rt=Jun 05 2017 09:29:17 uuid=586e7cc578207a3f75361073 fileHash=4b9c5fe8ead300a0be2dbdbcdbd193591451c8b4 filePath=\Device\HarddiskVolume2\Windows\AutoKMS\AutoKMS.exe

<14>CEF:0|SentinelOne|Mgmt|1.1.1.1|65|user initiated a fetch full report command to the agent DT-Virus7|1|rt=#arcsightDate(Jun 06 2017 09:29:17) suser=xyz duid=c29ca0cee8a0a989321495b78b1d256ab7189144 cat=SystemEvent
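To verify what a SentinelOne syslog feed actually delivers before relying on it for monitoring, the following added example (not Fortinet's or SentinelOne's code) parses the two sample events above into their syslog PRI, CEF header and extension fields. The event copies are constructed from the page; the field names and the handling of the #arcsightDate() wrapper are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed copies of the two sample events shown on this page (syslog PRI + CEF).
SAMPLE_EVENTS: List[str] = [
    "<14>CEF:0|SentinelOne|Mgmt|Windows 7|21|Threat marked as resolved|1|"
    "rt=Jun 05 2017 09:29:17 uuid=586e7cc578207a3f75361073 "
    "fileHash=4b9c5fe8ead300a0be2dbdbcdbd193591451c8b4 "
    "filePath=\\Device\\HarddiskVolume2\\Windows\\AutoKMS\\AutoKMS.exe",
    "<14>CEF:0|SentinelOne|Mgmt|1.1.1.1|65|"
    "user initiated a fetch full report command to the agent DT-Virus7|1|"
    "rt=#arcsightDate(Jun 06 2017 09:29:17) suser=xyz "
    "duid=c29ca0cee8a0a989321495b78b1d256ab7189144 cat=SystemEvent",
]

HEADER_FIELDS = ["vendor", "product", "version", "signature_id", "name", "severity"]
# An extension key is a bare word followed by "=", at the start or after whitespace.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one syslog-wrapped CEF line into a flat dict.

    Handles the quirks seen in the samples: extension values containing spaces
    (rt=Jun 05 2017 09:29:17) and the rt=#arcsightDate(...) wrapper (assumed here
    to be unwrapped to the inner timestamp)."""
    m = re.match(r"^<(\d{1,3})>(CEF:\d+\|.*)$", line)
    if not m:
        raise ValueError("not a syslog-wrapped CEF line")
    pri = int(m.group(1))
    event: Dict[str, object] = {
        "syslog_facility": pri >> 3,  # <14> -> facility 1 (user)
        "syslog_severity": pri & 7,   # <14> -> severity 6 (informational)
    }
    # Split the header on unescaped "|"; the 8th piece is the extension blob.
    parts = re.split(r"(?<!\\)\|", m.group(2), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header has fewer than 7 fields")
    event["cef_version"] = parts[0][len("CEF:"):]
    for key, val in zip(HEADER_FIELDS, parts[1:7]):
        event[key] = val.replace("\\|", "|")
    ext = parts[7]
    keys = list(_EXT_KEY.finditer(ext))
    for i, km in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        val = ext[km.end():end].strip()
        if val.startswith("#arcsightDate(") and val.endswith(")"):
            val = val[len("#arcsightDate("):-1]
        event[km.group(1)] = val
    return event
```

Running parse_cef over a captured feed and comparing the extracted fileHash, filePath and rt values against what appears in FortiSIEM is a quick way to confirm the events are arriving in the format the parser expects.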