Cloud SIEM for SentinelOne Endpoint Protection

Click here for the most updated version of this documentation.


Blumira’s cloud SIEM platform integrates with SentinelOne to detect cybersecurity threats and provide an actionable response to remediate when a threat is detected on an endpoint.


When configured, the Blumira integration with SentinelOne will stream SentinelOne logs and alerts to the Blumira service for threat detection and actionable response.

Note: Data is collected from the time of a successful integration configuration onward. Past logs are not collected by Blumira.


Sign Up For Your Free Account Today

Get your free account with Blumira and secure your Microsoft 365 environment in minutes. No credit card required.


Free Trial


You can integrate Blumira with SentinelOne to send security event logs and alerts to Blumira for threat detection. Blumira then intelligently analyzes those logs to automatically detect suspected threats, notify you of those threats, and provide you with an actionable response.

Before you begin

Before setting up a SentinelOne cloud connector, you must gather the following SentinelOne authentication credentials:

  • API Token
  • Management URL
  • One of the following:
    • (Optional) Account ID
    • (Optional) Site ID
      Important: MSPs must include a Site ID to filter logs to a specific customer account, otherwise Blumira will ingest all customer logs for the MSP SentinelOne account. Only one Site ID can be used per Cloud Connector, but you can create multiple SentinelOne connectors. When Site ID is used, there is no need to enter an Account ID.

Follow these steps to gather the necessary credentials:

  1. Log in to the SentinelOne Management Console.
  2. Navigate to Settings > Users.
  3. In the list of users, click the row of the user who is or will be associated with the API Token used in Blumira feeds.
     In SentinelOne, API Tokens are at the user level, and there can be multiple tokens across the account. Consider in advance which user will hold the token, or add a generic user specifically for creating the API token for your Blumira integration.
  4. On the user detail screen, do one of the following steps to obtain the API Token to be used in later steps:
    • If a token has never been generated for the user, click Generate.
    • If you already generated an API token for this user, click Options > Regenerate API TokenCaution: This will invalidate the existing token for this user, so any applications connected using the token will stop working.
  5. Copy and save your organization’s Management URL, which is the URL specific to your organization when you are logged in to SentinelOne.
  6. To obtain the Site ID, go to Settings > Sites, click a site name in the Sites list, click Site Info, and then copy and save the Site ID.

Screen Shot 2022-04-08 at 11.13.36 AM.png

  1. (Optional) In very rare instances, the Account ID is also needed to improve Blumira’s log collection. To obtain the Account ID, go to Sentinels > Account Info, then copy and save the Account ID. If you are unsure, leave this field blank in the Blumira cloud connector.

Providing your SentinelOne credentials to Blumira

Cloud Connectors automate the configuration of your integrations without requiring you to use a sensor. After you obtain your integration’s configuration parameters, you can then enable Blumira to collect your logs.

To configure your integration with Blumira Cloud Connector:

  1. In the Blumira app, go to the Cloud Connectors page (Settings > Cloud Connectors).
  2. Click + Add Cloud Connector.
  3. In the Available Cloud Connectors window, click the connector that you want to add.
  4. If you want to change the name of the Cloud Connector, type the new name in the Cloud Connector Name box.
  5. Enter the API credentials that you collected in the “Before you begin” section above.
  6. Click Connect.
  7. On the Cloud Connectors screen, under Current Status, you can view the configuration’s progress. When the configuration completes, the status changes to Online (green dot).
    Important: If you previously deployed a Module for this integration, then you must remove it via the Sensors page (Settings > Sensors) to avoid log duplication.