Skip to main content

SentinelOne - Cloud SIEM

This section has instructions for collecting SentinelOne log messages for CEF and Syslog ingest and sending them to Sumo Logic to be ingested by Cloud SIEM.

To collect data such as activities, agents, and threats, use the SentinelOne Mgmt API Source.

Step 1: Configure collection

In this step, you configure a Cloud Syslog Source to collect SentinelOne log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to Configure a Cloud Syslog Source below. Otherwise, create a new collector as described in Configure a Hosted Collector below, and then create the Cloud Syslog Source on the collector.

Configure a Hosted Collector

  1. Classic UI. In the main Sumo Logic menu, select Manage Data > Collection > Collection.
    New UI. In the top menu select Configuration, and then under Data Collection select Collection. You can also click the Go To... menu at the top of the screen and select Collection.
  2. Click Add Collector.
  3. Click Hosted Collector.
  4. The Add Hosted Collector popup appears.
    Add hosted collector
  5. Name. Provide a Name for the Collector.
  6. Description. (Optional)
  7. Category. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called _sourceCategory
  8. Fields
    1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the +Add Field link, and add a field whose name is _siemForward and value is true. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM.
    2. If all sources in this collector will be Sentinel One sources, add an additional field with key _parser; set the value to:
      • /Parsers/System/SentinelOne/SentinelOne CEF if your logs are in CEF format.
      • /Parsers/System/SentinelOne/SentinelOne Syslog if your logs are in Syslog format.

Configure a Cloud Syslog Source

  1. Classic UI. In the main Sumo Logic menu, select Manage Data > Collection > Collection.
    New UI. In the top menu select Configuration, and then under Data Collection select Collection. You can also click the Go To... menu at the top of the screen and select Collection
  2. Navigate to the Hosted Collector where you want to create the source.
  3. On the Collectors page, click Add Source next to the Hosted Collector.
  4. Select Cloud Syslog
  5. The page refreshes.
    Cloud syslog source
  6. Name. Enter a name for the source. 
  7. Description. (Optional) 
  8. Source Host. (Optional) Enter a string to tag the messages collected from the source. The string that you supply will be saved in a metadata field called _sourceHost.
  9. Source Category. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called _sourceCategory. Make a note of the source category. You’ll supply it in Step 2 below.
  10. Fields
    1. If you have not configured the Installed Collector to forward all sources in the collector to Cloud SIEM, click the +Add Field link, and add a field whose name is _siemForward and value is true.
    2. If you have not configured the collector to parse all sources in the collector with the same parser, click the +Add Field link, and add a field whose name is _parser; set the value to:
      • /Parsers/System/SentinelOne/SentinelOne CEF if your logs are in CEF format.
      • /Parsers/System/SentinelOne/SentinelOne Syslog if your logs are in Syslog format.
  11. Click Save.
  12. Make a note of the Token and Host that are displayed. You’ll supply them in Step 2 below.

Step 2: Configure SentinelOne

In this step you configure SentinelOne to send log messages to the Sumo Logic platform. If you have a SentinelOne account, you can follow directions on the SentinelOne Support knowledge base, or the instructions in Step 2 of Collecting Logs for SentinelOne topic.

Step 3: Verify ingestion

In this step, you verify that your logs are successfully making it into Cloud SIEM. 

  1. Classic UI. In the top menu select Configuration, and then under Incoming Data select Log Mappings.
    New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Log Mappings. You can also click the Go To... menu at the top of the screen and select Log Mappings.
  2. On the Log Mappings tab search for "SentinelOne" and check the Records columns.
  3. For a more granular look at the incoming records, you can also use the Sumo Logic platform to search for SentinelOne security records.
    SentinelOne search  
Edit this page
Last updated on by John Pipkin (Sumo Logic)
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2025 by Sumo Logic, Inc.