SentinelOne Audit Events to Humio

This document outlines a working configuration for shipping SentinelOne events into Humio via the Syslog integration. These events are the high-level SentinelOne events that can be configured via “Notifications” in SentinelOne. They’re not the low-level events available via the SentinelOne Hermes integration; those can be set up using our Kafka Connect integration.

For this integration, we recommend an intermediate data shipper, since SentinelOne can only make the events available via Syslog over UDP. Although the events could theoretically be sent directly to Humio using Ingest Listeners, it is not recommended to expose ingest listener ports to the internet, and the feature is not available for Humio Cloud.

Configure Humio

Figure 1

To begin, you’ll need to configure Humio to receive incoming data from SentinelOne. In this example, we’re configuring https://cloud.humio.com, but these same steps apply to a self-managed Humio instance.

The first step is to create a repository, although this is optional. For the example here, we’ll use a “sandbox” repository.

You will, however, have to create a new parser. It will parse the JSON envelope sent by Vector, then the CEF message from SentinelOne inside it, and extract the correct timestamp from each event.

parseJson(field=@rawstring) |
parseCEF(field=message) |
findTimestamp(field=message)

In this example the parser was saved as “CEF”. See the screenshot in Figure 1 here.
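To see what the three parser stages above actually do to one record, here is an added stand-alone Python equivalent (not Humio or Vector code): it unwraps the JSON that Vector’s syslog source emits, splits the CEF header on unescaped pipes, parses the extension key=value pairs with their escapes, and picks the timestamp from the CEF rt field, falling back to Vector’s syslog timestamp. The sample event, its field values and the hostname field name are constructed for the example.

```python
import json
import re
from datetime import datetime, timezone

CEF_HEADER = ("cef_version", "device_vendor", "device_product",
              "device_version", "signature_id", "name", "severity")
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")  # key= at the start of a token

# Constructed sample of one Vector syslog-source event wrapping a CEF line.
# Inside the JSON, CEF escapes (\| and \\) are themselves JSON-escaped.
SAMPLE = (r'{"message":"CEF:0|SentinelOne|Mgmt|2.1|52|Threat Mitigated \\| Quarantine|5|'
          r'rt=1604000000000 suser=admin msg=Quarantined C:\\\\tmp\\\\x.exe (vendor a\\|b) '
          r'cs1Label=Site cs1=HQ","timestamp":"2020-10-29T19:33:20Z","hostname":"s1-mgmt"}')

def split_cef_header(line):
    """Return the 7 pipe-delimited header fields and the remaining extension string.
    A backslash escapes the following character, so \\| and \\\\ never split a field."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    return fields, line[i:]

def parse_cef_extension(ext):
    """key=value pairs; values may contain spaces and the \\= \\| \\\\ \\n \\r escapes.
    An unescaped '=' inside a value (non-compliant CEF) would start a new key."""
    keys = list(_EXT_KEY.finditer(ext))
    out = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)]
        out[m.group(1)] = re.sub(r"\\([\\=|nr])",
                                 lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return out

def parse_vector_event(raw_json):
    """Mirror parseJson(@rawstring) | parseCEF(message) | timestamp selection."""
    evt = json.loads(raw_json)
    header, ext = split_cef_header(evt["message"])
    if len(header) != 7 or not header[0].startswith("CEF:"):
        raise ValueError("not a CEF message: %r" % evt["message"][:40])
    header[0] = header[0][len("CEF:"):]
    out = dict(zip(CEF_HEADER, header))
    out["ext"] = parse_cef_extension(ext)
    rt = out["ext"].get("rt")  # CEF receipt time, epoch milliseconds when present
    out["@timestamp"] = (datetime.fromtimestamp(int(rt) / 1000, tz=timezone.utc) if rt and rt.isdigit()
                         else datetime.fromisoformat(evt["timestamp"].replace("Z", "+00:00")))
    out["hostname"] = evt.get("hostname")
    return out
```

Running `parse_vector_event(SAMPLE)` is a quick way to check, before touching the Humio parser, that the escapes SentinelOne emits survive both the JSON and the CEF layers.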

Now create a new ingest token and link it to the parser. Be sure to make a copy of the token, since you will need it when you configure Vector next.

Configure Vector

For the purposes of this article, we’ll use Vector (vector.dev) as the intermediate agent. Below are the contents of the Vector configuration we’ll use. It receives plain syslog entries over UDP.

In a production configuration it is strongly recommended to protect this with client SSL certificates. Creating and managing SSL certificates is out of scope for this article; see SentinelOne’s documentation on how to do this.

The configuration below was set up on an EC2 instance in AWS running CentOS 8.2. That instance had a security group allowing inbound UDP traffic on port 514 (the standard syslog port).

# Global data directory
data_dir = "/var/lib/vector"

# Vector's API for introspection
[api]
enabled = true
address = "127.0.0.1:8686"

# Plain syslog source
[sources.syslog]
  type = "syslog"
  address = "0.0.0.0:514"
  mode = "udp"

# Output to Humio Cloud
[sinks.out]
  type = "humio_logs"
  inputs = ["syslog"]
  compression = "gzip"
  endpoint = "https://cloud.humio.com"
  token = "aa960b28-NNNN-XXXX-YYYY-00c8ed4a4c4b"

The configuration file above is a minimal working Vector configuration. Review the Vector documentation in detail to find the optimal settings for your environment.

The endpoint is the URL of your Humio instance; the example above is based on Humio’s EMEA Cloud service. The token is the ingest token you created in Configure Humio.

Setup Notifications in SentinelOne

Figure 2

SentinelOne requires you to configure which events should trigger notifications to the Syslog integration. You can find the notifications settings under your site, Settings → Notifications. This will present a screen like the one you see here in Figure 2.

Notice that under the Administrative settings, all of the notifications are checked for Syslog, so that everything generated for Syslog will be sent to Humio.

Enable Syslog Integration in SentinelOne

Figure 3

Configure the outbound Syslog settings in SentinelOne to start sending new notifications to Humio. This can be accessed in SentinelOne under your site, Settings → Integrations.

You can see in the screenshot in Figure 3 that we set a few values: Your syslog host was set to the AWS EC2 public DNS name and port number. We disabled TLS; it should be enabled in production use cases. Finally, in the Formatting section, we chose the CEF option for information formatting.

When you have all of the values you want set, you can click on the large Test button to generate a sample syslog event.

Results and Troubleshooting

Once this is configured you should see events from SentinelOne appearing in Humio. If that doesn’t happen, there are a few things to check. Has an event that is enabled for syslog notifications occurred since the syslog integration was configured? If the “Test” message arrives but no other events do, it is most likely that no such event has occurred, or that notifications are not enabled for the events.

Is UDP traffic able to reach Vector? You can test this using netcat, for example:

$ echo test | nc -u vector.server.com 514

Figure 4

You should check whether Vector is seeing your data. You can do this for incoming and outgoing events by running the following from the command line:

vector top

The results should look like the screenshot in Figure 4 here.