fbpx

Cloud SIEM for SentinelOne Endpoint Protection

Blumira’s cloud SIEM platform integrates with SentinelOne to detect cybersecurity threats and provide an automated or actionable response to remediate when a threat is detected on an endpoint.

 

When configured, the Blumira integration with SentinelOne will stream SentinelOne logs and alerts to the Blumira service for threat detection and actionable response.

 

 

Sign Up For Your Free Account Today

Get your free account with Blumira and secure your Microsoft 365 environment in minutes. No credit card required.

 

Free Trial

Overview

You can integrate Blumira with SentinelOne to send security event logs and alerts to Blumira for threat detection. Blumira then intelligently analyzes those logs to automatically detect suspected threats, notify you of those threats, and provide you with an actionable response.

Before you begin

Before setting up a SentinelOne cloud connector, you must gather the following SentinelOne authentication credentials:

  • API Token
  • Management URL
  • One of the following:
    • (Optional) Account ID
    • (Optional) Site ID
      Important: MSPs must include a Site ID to filter logs to a specific customer account, otherwise Blumira will ingest all customer logs for the MSP SentinelOne account. Only one Site ID can be used per Cloud Connector, but you can create multiple SentinelOne connectors. When Site ID is used, there is no need to enter an Account ID.

Follow these steps to gather the necessary credentials:

  1. Log in to the SentinelOne Management Console.
  2. Navigate to Settings > Users.
  3. In the list of users, click the row of the user who is or will be associated with the API Token used in Blumira feeds.
    Note:
     In SentinelOne, API Tokens are at the user level, and there can be multiple tokens across the account. Consider in advance which user will hold the token, or add a generic user specifically for creating the API token for your Blumira integration.
  4. On the user detail screen, do one of the following steps to obtain the API Token to be used in later steps:
    • If a token has never been generated for the user, click Generate.
      mceclip3.png
    • If you already generated an API token for this user, click Options > Regenerate API TokenCaution: This will invalidate the existing token for this user, so any applications connected using the token will stop working.
      mceclip4.png
  5. Copy and save your organization’s Management URL, which is the URL specific to your organization when you are logged in to SentinelOne.
  6. Navigate to Sentinels > Account Info.
  7. Copy and save the Account ID.
    mceclip5.png
  8. (Optional) To obtain the Site ID:
    1. Navigate to Settings > Sites.
    2. Click a site name in the Sites list.
    3. Go to Site Info.
    4. Copy and save Site ID.Screen Shot 2022-04-08 at 11.13.36 AM.png

Providing your SentinelOne credentials to Blumira

Cloud Connectors automate the configuration of your integrations without requiring you to use a sensor. After you obtain your integration’s configuration parameters, you can then enable Blumira to collect your logs.

To configure your integration with Blumira Cloud Connector:

  1. In the Blumira app, go to the Cloud Connectors page (Settings > Cloud Connectors).
  2. Click + Add Cloud Connector.
  3. In the Available Cloud Connectors window, click the connector that you want to add.
  4. If you want to change the name of the Cloud Connector, type the new name in the Cloud Connector Name box.
  5. Enter the API credentials that you collected in the “Before you begin” section above.
  6. Click Connect.
  7. On the Cloud Connectors screen, under Current Status, you can view the configuration’s progress. When the configuration completes, the status changes to Online (green dot).
    Important: If you previously deployed a Module for this integration, then you must remove it via the Sensors page (Settings > Sensors) to avoid log duplication.