- Integration Points
- Event Types
- Settings for Access Credentials
- Sample Events
| Method | Information Discovered | Metrics Collected | Logs Collected | Used for |
|---|---|---|---|---|
| Syslog | Host name, Reporting IP | None | System and Security Events (e.g., file blocked) | Security monitoring |
In ADMIN > Device Support > Event, search for "SentinelOne" to see the event types associated with this device.
No specific rules are written for SentinelOne, but the generic endpoint rules apply.
No specific reports are written for SentinelOne, but the generic endpoint reports apply.
Configure SentinelOne system to send logs to FortiSIEM in the supported format (see Sample Events).
Settings for Access Credentials
Sample Events
<14>CEF:0|SentinelOne|Mgmt|Windows 7|21|Threat marked as resolved|1|rt=Jun 05 2017 09:29:17 uuid=586e7cc578207a3f75361073 fileHash=4b9c5fe8ead300a0be2dbdbcdbd193591451c8b4 filePath=\Device\HarddiskVolume2\Windows\AutoKMS\AutoKMS.exe
<14>CEF:0|SentinelOne|Mgmt|184.108.40.206|65|user initiated a fetch full report command to the agent DT-Virus7|1|rt=#arcsightDate(Jun 06 2017 09:29:17) suser=xyz duid=c29ca0cee8a0a989321495b78b1d256ab7189144 cat=SystemEvent
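The two sample events above are syslog lines carrying an ArcSight CEF payload: a `<PRI>` prefix, seven pipe-separated header fields (version, vendor, product, version, signature ID, name, severity) and a free-form `key=value` extension in which values such as `rt=Jun 05 2017 09:29:17` contain spaces. The parser below is an added example, not FortiSIEM's or SentinelOne's own code; it shows what a collector has to do to pull the signature ID, file hash and file path out of these lines so that generic endpoint rules can match on them. The first two inputs are copies of the page's sample events; the third is a constructed line that exercises CEF's `\|` and `\=` escaping rules, which the page's samples do not.

```python
import re
from dataclasses import dataclass

# Constructed copies of the two sample events from the page (hashes, paths and
# dates are the page's own sample values), plus one constructed line that
# exercises CEF's escaping rules (\| in the header, \= in an extension value).
SAMPLE_EVENTS = [
    r"<14>CEF:0|SentinelOne|Mgmt|Windows 7|21|Threat marked as resolved|1|rt=Jun 05 2017 09:29:17 uuid=586e7cc578207a3f75361073 fileHash=4b9c5fe8ead300a0be2dbdbcdbd193591451c8b4 filePath=\Device\HarddiskVolume2\Windows\AutoKMS\AutoKMS.exe",
    r"<14>CEF:0|SentinelOne|Mgmt|184.108.40.206|65|user initiated a fetch full report command to the agent DT-Virus7|1|rt=#arcsightDate(Jun 06 2017 09:29:17) suser=xyz duid=c29ca0cee8a0a989321495b78b1d256ab7189144 cat=SystemEvent",
    r"<13>CEF:0|Example\|Vendor|Prod|1.0|100|name with \| pipe|5|msg=a\=b act=blocked",
]

HEADER_FIELDS = ("device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")


@dataclass
class CefEvent:
    facility: int          # syslog facility from the <PRI> prefix (PRI // 8)
    syslog_severity: int   # syslog severity from the <PRI> prefix (PRI % 8)
    cef_version: str
    header: dict           # the six fixed CEF header fields, unescaped
    extension: dict        # key=value extension pairs, unescaped


def _unescape(value):
    # CEF escapes backslash, pipe and equals with a leading backslash; a lone
    # backslash (as in the sample's filePath) is left untouched.
    return re.sub(r"\\([\\|=])", r"\1", value)


def parse_extension(ext):
    # A value may contain spaces (rt=Jun 05 2017 09:29:17), so split only on
    # whitespace that is immediately followed by the next key=.
    pairs = {}
    for token in re.split(r"\s+(?=[\w.]+=)", ext.strip()):
        if "=" not in token:
            continue
        key, value = token.split("=", 1)
        pairs[key] = _unescape(value)
    return pairs


def parse_cef(line):
    m = re.match(r"^(?:<(\d{1,3})>)?(.*)$", line.strip(), re.S)
    # RFC 3164: a message with no PRI is treated as PRI 13 (user.notice).
    pri = int(m.group(1)) if m.group(1) is not None else 13
    body = m.group(2)
    if not body.startswith("CEF:"):
        raise ValueError("not a CEF message")
    # Split on pipes not preceded by a backslash; 7 splits leave the
    # extension (which may itself contain unescaped pipes) intact.
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    header = {name: _unescape(val) for name, val in zip(HEADER_FIELDS, parts[1:7])}
    return CefEvent(
        facility=pri // 8,
        syslog_severity=pri % 8,
        cef_version=parts[0][len("CEF:"):],
        header=header,
        extension=parse_extension(parts[7]),
    )


def parse_samples():
    return [parse_cef(line) for line in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev in parse_samples():
        print(ev.header["signature_id"], ev.header["name"], ev.extension)
```

Note that the two SentinelOne samples encode `rt` differently (a bare timestamp versus `#arcsightDate(...)`), so a collector should not assume one date format per vendor; the parser keeps `rt` as a string and leaves normalisation to the caller. Also note that the `<14>` prefix (facility 1, severity 6, informational) says nothing about the threat's severity; the CEF header severity field is the one to map.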