This document outlines a working configuration for shipping SentinelOne events into Humio via the Syslog integration. These events are the high-level SentinelOne events that can be configured under “Notifications” in SentinelOne. They are not the low-level events available via the SentinelOne Hermes integration; those can be shipped using our Kafka Connect integration.
For this integration we recommend an intermediate data shipper, because SentinelOne can only deliver these events via Syslog over UDP. Although they could in theory be sent directly to Humio using Ingest Listeners, it is not recommended to expose ingest listener ports to the internet, and Ingest Listeners are not available on Humio Cloud.
This example uses Humio Cloud at https://cloud.humio.com, but the same steps apply to a self-managed Humio instance.
The first step, although optional, is to create a repository. For this example we will use a “sandbox” repository.
You will, however, need to create a new parser. It parses the JSON envelope sent by Vector, then the CEF message from SentinelOne inside it, and extracts the correct timestamp from each event:
parseJson(field=@rawstring) | parseCEF(field=message) | findTimestamp(field=message)
In this example the parser was saved as “CEF”. See the screenshot in Figure 1 here.
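To see what the three parser steps above produce, the following added example (not Humio's or SentinelOne's code) emulates parseJson | parseCEF | findTimestamp in Python on one constructed event. It assumes Vector's humio_logs sink wraps each syslog datagram in a JSON object whose "message" field holds the CEF line, and the sample event, its extension keys and the "rt" date format are constructed for illustration; findTimestamp is stood in for by a function that reads the CEF rt field. It is useful for checking, before events reach Humio, which fields a notification will yield and that CEF escaping (\| in the header, \= in extension values) is handled.

```python
"""Emulate the Humio parser parseJson | parseCEF | findTimestamp on a
constructed SentinelOne-style CEF event. Added example, not Humio's or
SentinelOne's code; sample data, key names and date format are assumptions."""
import json
import re
from datetime import datetime, timezone

CEF_HEADER_FIELDS = (
    "cef_version", "device_vendor", "device_product", "device_version",
    "signature_id", "name", "severity",
)

# Constructed sample of what Vector's humio_logs sink emits for one datagram:
# a JSON envelope whose "message" field carries the CEF line.
SAMPLE_RAW = json.dumps({
    "host": "ip-10-0-0-5",
    "source_type": "syslog",
    "timestamp": "2021-03-02T10:15:30Z",
    "message": (
        "CEF:0|SentinelOne|Mgmt|1.0|31|Threat detected|10|"
        "rt=Mar 02 2021 10:15:27 suser=analyst@example.com "
        "fname=sample.exe dhost=WORKSTATION-7 "
        "msg=Threat detected on host\\=WORKSTATION-7"
    ),
})

_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # unescaped 'key=' tokens
_ESCAPE_RE = re.compile(r"\\(.)", re.DOTALL)          # backslash escapes


def split_cef_header(line):
    """Split the seven pipe-delimited CEF header fields, honouring the
    backslash escapes CEF allows there (\\| and \\\\). Returns the fields
    and the untouched extension string that follows the seventh pipe."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("not a CEF line: expected 7 header fields")
    return fields, line[i:]


def unescape_cef_value(value):
    """Undo CEF extension escaping: \\= \\\\ \\n \\r (others map to the bare char)."""
    return _ESCAPE_RE.sub(
        lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef_extension(extension):
    """Turn 'k1=v1 k2=v2 ...' into a dict. Values may contain spaces, so each
    value runs up to the next unescaped 'key=' token."""
    keys = list(_KEY_RE.finditer(extension))
    parsed = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(extension)
        parsed[m.group(1)] = unescape_cef_value(extension[m.end():end])
    return parsed


def find_timestamp(fields, fallback_iso):
    """Stand-in for findTimestamp(): use the CEF 'rt' field (epoch millis or
    'MMM dd yyyy HH:mm:ss', assumed UTC), else the sink's own timestamp."""
    rt = fields.get("rt")
    if rt is None:
        return datetime.fromisoformat(fallback_iso.replace("Z", "+00:00"))
    if rt.isdigit():
        return datetime.fromtimestamp(int(rt) / 1000, tz=timezone.utc)
    return datetime.strptime(rt, "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_event(raw):
    """parseJson | parseCEF | findTimestamp as one function; returns a flat dict."""
    envelope = json.loads(raw)                       # parseJson(field=@rawstring)
    header, extension = split_cef_header(envelope["message"])   # parseCEF(field=message)
    event = dict(zip(CEF_HEADER_FIELDS, header))
    event["cef_version"] = event["cef_version"].split(":", 1)[1]
    if event["severity"].isdigit():
        event["severity"] = int(event["severity"])
    event.update(parse_cef_extension(extension))
    event["@timestamp"] = find_timestamp(event, envelope["timestamp"]).isoformat()
    return event


if __name__ == "__main__":
    for key, value in parse_event(SAMPLE_RAW).items():
        print(f"{key}: {value!r}")
```

Run it to print the fields the sample yields; swap SAMPLE_RAW for a line captured from your own Vector output to confirm the real key set and date format before relying on them in Humio queries.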
Now create a new ingest token and link it to the parser. Be sure to copy the token, since you will need it when you configure Vector next.
For the purposes of this article we will use Vector (vector.dev) as the intermediate agent. Below is the Vector configuration we will use. It receives plain syslog entries over UDP.
In a production configuration it is strongly recommended to protect this with client SSL certificates. Creating and managing SSL certificates is out of scope for this article; see SentinelOne's documentation on how to do this.
The below was configured on an EC2 node in AWS running CentOS 8.2. That AWS instance had a security group allowing inbound UDP traffic on port 514 (the standard syslog port).
# Global data directory
data_dir = "/var/lib/vector"

# Vector's API for introspection
[api]
enabled = true
address = "127.0.0.1:8686"

# Plain syslog source
[sources.syslog]
type = "syslog"
address = "0.0.0.0:514"
mode = "udp"

# Output to Humio Cloud
[sinks.out]
type = "humio_logs"
inputs = ["syslog"]
compression = "gzip"
endpoint = "https://cloud.humio.com"
token = "aa960b28-NNNN-XXXX-YYYY-00c8ed4a4c4b"

The configuration above is a minimal working Vector configuration. Review the Vector documentation in detail to find the optimal settings for your environment. Two values must match your setup:
endpoint is the URL of your Humio instance; the example above uses Humio's EMEA Cloud service.
token is the ingest token you created in Humio in the Configure Humio step.
Notice that under the Administrative settings we have all of the notifications checked for Syslog, so that everything generated for Syslog will be sent to Humio.
You can see in the screenshot in Figure 3 that we set a few values. We set Your syslog host to the AWS EC2 public DNS name and port number. We disabled TLS; it should be enabled in production use cases. Finally, in the Formatting section, we chose the CEF option for information formatting.
When you have all of the values you want set, you can click on the large Test button to generate a sample syslog event.
Once this is configured you should see events from SentinelOne appearing in Humio. If that does not happen, there are a few things to check:
- Has an event that is enabled for syslog notifications occurred since the syslog integration was configured? If the “Test” message arrives but no other events do, most likely no such event has occurred, or notifications are not enabled for those events.
- Is UDP traffic able to reach Vector? You can test this using netcat, for example:
$ echo test | nc -u vector.server.com 514
The results should look like the screenshot in Figure 4 here.
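The netcat line above sends bare text. The following added example (not part of this article or of Vector) plays the same role in Python but sends a well-formed RFC 3164 syslog line (PRI, timestamp, host, tag, then a constructed CEF body), so the check exercises the same input shape as a real SentinelOne notification. It binds a throwaway UDP listener on the loopback address, sends one datagram to it and reports what a receiver such as Vector would see; the listener host, port and message content are constructed, and send_test_event can equally be pointed at your Vector host on port 514.

```python
"""Loopback check of the UDP syslog path. Added example, not part of the
original article or of Vector; host, port and the CEF body are constructed."""
import re
import socket

# <PRI> is facility*8 + severity; everything after it is the syslog message.
SYSLOG_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
TEST_BODY = "CEF:0|SentinelOne|Mgmt|1.0|0|Test|1|msg=loopback check"  # constructed


def build_syslog_line(body, facility=1, severity=6, hostname="s1-mgmt", tag="SentinelOne"):
    """RFC 3164 framing: <PRI>TIMESTAMP HOST TAG: MSG. The timestamp is fixed so
    the datagram is reproducible; a real sender would use the current time."""
    return f"<{facility * 8 + severity}>Mar  2 10:15:27 {hostname} {tag}: {body}"


def parse_pri(line):
    """Split the PRI off a syslog line; returns (facility, severity, rest)."""
    m = SYSLOG_PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> prefix; a receiver would not treat this as syslog")
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


def send_test_event(host, port, body=TEST_BODY):
    """Send one syslog-framed datagram to host:port and return the bytes sent."""
    line = build_syslog_line(body).encode("utf-8")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
        sender.sendto(line, (host, port))
    return line


def udp_roundtrip(host="127.0.0.1", port=0, timeout=2.0):
    """Bind a UDP listener (port 0 = any free port), send a test event to it,
    and return what a receiver such as Vector's syslog source would see."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind((host, port))
        listener.settimeout(timeout)
        bound_port = listener.getsockname()[1]
        sent = send_test_event(host, bound_port)
        data, _ = listener.recvfrom(65535)
    facility, severity, rest = parse_pri(data.decode("utf-8"))
    return {
        "port": bound_port,
        "facility": facility,
        "severity": severity,
        "received": rest,
        "intact": data == sent,   # no truncation or alteration on the way
    }


if __name__ == "__main__":
    print(udp_roundtrip())
```

Against a real Vector host, call send_test_event("vector.server.com", 514) from a machine on the path SentinelOne will use and then look for the event in Humio; if it arrives while real notifications do not, the network path is fine and the problem lies in the SentinelOne notification settings.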