Collect SentinelOne logs

In order to integrate SentinelOne:

• enable syslog integration from the SentinelOne console
• specify the host and port (syslog.logsentinel.com:515 for cloud-to-cloud collection and :2515 for an on-premise collector)
• enable TLS (do not upload any certificate or key)
• specify CEF 2 format
• get your SentinelOne account ID (query for AccountId) or find it in Sentinels menu. Alternatively, you can obtain a siteId for

If you are using cloud-to-cloud integration, in LogSentinel SIEM:

• create a new data source
• set the syslog identification param name to "accountId" and syslog identification param value to the accountId you obtained in the last step below.
• alternatively, set the parameter name to "siteId" and the value to the siteId value obtained above