This integration provides the ability to get events and alerts to help evaluate potential security risks, understand the effectiveness of your team collaboration, and diagnose any configuration problems. This critical information is displayed centrally and helps detect anomalous activities that could indicate a security breach based on the collection and analysis of endpoint data, network traffic, and user behavior.
In the screenshot below, we can see a KQL Query to get the 100 most recent events and alerts from a selected data source.
Please note: to get all events and alerts combined, query the events_all table instead of the default events table.
And here’s a result of running a query.
How to set up this integration
The ingestion of SentinelOne Alerts is supported by our Universal RESTAPI Connector, and the ingestion of SentinelOne Cloud Funnel Events is supported by our AWS S3 RESTAPI Connector.
(Please note: this documentation covers the configuration options for the Universal RESTAPI connector only.)
To configure these integrations, add a new data source in your QRadar environment. You will need one data source for each connector type.
Configuring the Universal REST API to collect Alerts
When setting up Alert Configuration with UREST, follow the prompts to enter the system or application that events are collected from—in our case, it is SentinelOne ActiveEDR.
Choose the event connection method and type an identifier for this data source. The Data Collector is where this data source's connector configuration runs; it collects the data source's events.
Continue by following the same logic when adding Connector details, such as the workflow and parameter values. SentinelOne Cloud Funnel has the ability to export events to Amazon S3 Buckets. To ingest events from this location, we need to make a separate log source using the AWS S3 RESTAPI Protocol.
Configuring the Amazon AWS S3 Connector to collect Events
When creating a log source and parsing events with the AWS S3 REST API protocol, choose the corresponding connector type.
After that, enter the SQS Queue URL that receives notifications for ObjectCreate events from S3, along with the region name, S3 collection method and event format.
In the authentication configuration step, enter the Access Key ID required to access the AWS S3 bucket, the secret key and the authentication method.
To configure the S3 bucket and SQS as the event source, follow the steps outlined here. Sending new events to the cluster is triggered by uploading a new JSON file to the S3 bucket.
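The S3-to-SQS path above works because S3 publishes an event notification to the queue for every new object, and the collector reads the bucket name and key out of that message before fetching the file. The following Python is an added example, not code from IBM QRadar or SentinelOne: it parses constructed sample SQS message bodies in the real S3 event notification format, keeps only ObjectCreated records for the expected bucket, URL-decodes the key, unwraps the SNS envelope if notifications were fanned out through SNS, ignores the s3:TestEvent that S3 sends when a notification is first configured, and parses the downloaded file as JSON Lines. The bucket name, keys and file layout are assumptions for illustration only.

```python
"""Added example (not IBM's or SentinelOne's code): parse the S3 event notifications
that arrive on the SQS queue and pick out the newly uploaded Cloud Funnel objects
an S3-polling collector would fetch next.

Assumptions (not from the page): bucket/queue names and object keys are constructed
sample values; export files are assumed to be JSON Lines (one event per line).
"""
import json
from urllib.parse import unquote_plus

# Constructed sample: an SQS message body as S3 delivers it directly to the queue.
DIRECT_MSG = json.dumps({
    "Records": [
        {
            "eventSource": "aws:s3",
            "eventName": "ObjectCreated:Put",
            "s3": {
                "bucket": {"name": "example-cloud-funnel-bucket"},
                "object": {"key": "cloudfunnel/2024/01/events+batch%2D01.json", "size": 1234},
            },
        },
        {
            "eventSource": "aws:s3",
            "eventName": "ObjectRemoved:Delete",  # deletions must not trigger a fetch
            "s3": {
                "bucket": {"name": "example-cloud-funnel-bucket"},
                "object": {"key": "cloudfunnel/old.json"},
            },
        },
    ]
})

# Constructed sample: the same kind of notification fanned out via SNS, which wraps
# the S3 payload as a JSON string inside the "Message" field.
SNS_WRAPPED_MSG = json.dumps({
    "Type": "Notification",
    "Message": json.dumps({
        "Records": [{
            "eventSource": "aws:s3",
            "eventName": "ObjectCreated:CompleteMultipartUpload",
            "s3": {
                "bucket": {"name": "example-cloud-funnel-bucket"},
                "object": {"key": "cloudfunnel/2024/01/events-02.json"},
            },
        }]
    }),
})

# Constructed sample: the test message S3 publishes when a notification is configured.
TEST_EVENT_MSG = json.dumps({
    "Service": "Amazon S3", "Event": "s3:TestEvent", "Bucket": "example-cloud-funnel-bucket",
})


def created_objects(body: str, expected_bucket: str) -> list[tuple[str, str]]:
    """Return (bucket, key) for every ObjectCreated record in one SQS message body.

    Unwraps an SNS envelope, skips s3:TestEvent, ignores non-create events, drops
    records naming a bucket other than the configured one, and URL-decodes the key
    (S3 URL-encodes object keys inside notifications).
    """
    payload = json.loads(body)
    if payload.get("Type") == "Notification" and "Message" in payload:
        payload = json.loads(payload["Message"])  # unwrap SNS
    if payload.get("Event") == "s3:TestEvent":
        return []
    found = []
    for rec in payload.get("Records", []):
        if rec.get("eventSource") != "aws:s3":
            continue
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = rec["s3"]["bucket"]["name"]
        if bucket != expected_bucket:
            continue  # shared queue or misconfigured notification: do not fetch from it
        key = unquote_plus(rec["s3"]["object"]["key"])
        if not key.endswith(".json"):
            continue  # only new JSON files are meant to trigger ingestion
        found.append((bucket, key))
    return found


def parse_json_lines(text: str) -> list[dict]:
    """Parse a downloaded export file as JSON Lines, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # assumed policy: one bad line should not abort the whole batch
    return events


if __name__ == "__main__":
    for body in (DIRECT_MSG, SNS_WRAPPED_MSG, TEST_EVENT_MSG):
        print(created_objects(body, "example-cloud-funnel-bucket"))
```

Filtering on the configured bucket and on the ObjectCreated prefix is what keeps a shared or misconfigured queue from making the collector fetch objects it was never meant to read; the key decoding matters because a key with spaces or special characters arrives encoded and would otherwise produce a 404 on the GetObject call.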
When making these announcements, I can't close out without recognizing and thanking our engineering team, led by Michael Richards, working tirelessly behind the curtain. At IBM Security, we have a tight-knit partnership between product management, engineering and design. So, to deliver you the interconnected portfolio of products, our development teams lay the groundwork for the successful security products you use today.
Happy threat hunting,
Olga