Skip to content

Collect SentinelOne logs

In order to integrate SentinelOne:

  • enable syslog integration from the SentinelOne console
  • specify the host and port (syslog.logsentinel.com:515 for cloud-to-cloud collection and :2515 for an on-premise collector)
  • enable TLS (do not upload any certificate or key)
  • specify CEF 2 format
  • get your SentinelOne account ID (query for AccountId) or find it in Sentinels menu. Alternatively, you can obtain a siteId for

SentinelOne

If you are using cloud-to-cloud integration, in LogSentinel SIEM:

  • create a new data source
  • set the syslog identification param name to "accountId" and syslog identification param value to the accountId you obtained in the last step below.
  • alternatively, set the parameter name to "siteId" and the value to the siteId value obtained above