Run the `recon ps` command found on the following technote to get the SentinelOne App ID.
https://www.ibm.com/support/pages/node/6189903
Example, Let's assume your SentinelOne App ID is 1204.
Then, verify if you see all the logs by listing out the log directory. (On console or on apphost you have one)
ls -l /store/docker/volumes/qapp-1204/log/
You should see all the longs in the above directory. Go ahead and create a tarball out of it.
tar cfvz SentinelOne-QRadar-App-Log.tgz /store/docker/volumes/qapp-1204/log/
something like that. Hope it helps.
#QRadar#Support#SupportMigration