SentinelOne is a cloud-based endpoint security platform that helps security and IT teams to protect information assets and accelerate incident response. Panther can collect, normalize, and monitor SentinelOne System Logs to help you identify suspicious activity in real time. Your normalized data is then retained to power future security investigations in a serverless data lake powered by Snowflake.
Use Cases for SentinelOne Logs
Panther supports pulling both API Activity logs and Cloud Funnel Deep Visibility logs from SentinelOne. Common SIEM use cases for these log types include:
- Gaining insights into DNS requests and activities across the network
- Correlating activity, such as lateral movement and callbacks, with other threat indicators
- Collecting valuable insights when endpoints exist beyond traditional perimeters
- Uncovering organizational blind spots with full visibility into key assets on the network
Onboarding SentinelOne with Panther
Panther can ingest SentinelOne Activities logs in two ways: by pulling from the /web/api/v2.1/activities endpoint of SentinelOne's API, or by integrating with the SentinelOne Cloud Funnel. To set up a new SentinelOne Cloud Funnel source in Panther, send Deep Visibility logs to an AWS S3 bucket and add that bucket as a data source in Panther.
To onboard SentinelOne API Activity Logs in Panther, users can create a SentinelOne Service User and API Token, create a new SentinelOne API Source in Panther, and configure the API source using Panther’s console.
For more details on onboarding SentinelOne logs or for supported log schema, you can view our SentinelOne documentation here.
Parsing, Normalizing, & Analyzing Logs
As Panther ingests SentinelOne audit logs, they are parsed, normalized, and stored in a Snowflake security data lake. This allows security teams to write detections, identify anomalies, and conduct investigations on logs in the context of days, weeks, or months of data.
Panther applies normalization fields to all log records, which standardizes names for attributes and allows you to correlate data across all log sources - not just SentinelOne. You can use Panther’s various search tools - such as Data Explorer, Indicator Search, and Query Builder - to investigate your normalized logs for suspicious activity or vulnerabilities. For more on querying and searching normalized log data in Panther, check out our documentation on Investigations & Search.
Detection as Code
With Panther, your team won’t be confined to rigid detection rules or proprietary languages as seen in most legacy SIEMs. Panther is architected around detection-as-code principles, giving you the ability to write Python to define detection logic and to integrate external systems like version control and CI/CD pipelines into your detection engineering processes. This results in powerful, flexible, and reusable scripting of detection logic for your security team.
A number of pre-built detections are available in Panther, offering users immediate value for monitoring common IoCs and threats. You can explore our built-in detection coverage for SentinelOne logs here.
Panther generates alerts when your detection rules or policies are triggered, and integrates with a variety of alert destinations to allow for easy access and management of alerts for your security team. Alerts can also be sent to alert context or SOAR platforms for more remediation options.
Alerts are categorized under five severity levels: Info, Low, Medium, High, and Critical. Security teams also have the option to assign severity dynamically based on specific log event attributes.
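As an added illustration of the detection-as-code model and of dynamic severity described above (example code written for this page, not a Panther built-in rule), the following Panther-style rule flags SentinelOne activities that describe an agent being uninstalled or protection being disabled, and escalates severity when the affected host is a tier-0 asset. The field names (primaryDescription, data.computerName, data.username), the tier-0 host prefixes, and the sample events are all assumptions constructed for the example; map them onto your actual SentinelOne schema in Panther.

```python
import re

# Constructed sample events (not real SentinelOne data). Field names are
# assumptions modelled on the SentinelOne Activities API.
SAMPLE_EVENTS = [
    {"primaryDescription": "Agent uninstalled on endpoint WS-042 by svc-deploy",
     "data": {"computerName": "WS-042", "username": "svc-deploy"}},
    {"primaryDescription": "User alice disabled agent protection on DC-01",
     "data": {"computerName": "DC-01", "username": "alice"}},
    {"primaryDescription": "Threat mitigated on endpoint WS-007",
     "data": {"computerName": "WS-007", "username": "system"}},
]

# Assumed naming convention for tier-0 hosts (domain controllers, PKI).
TIER0_HOST_PREFIXES = ("DC-", "PKI-")

PROTECTION_CHANGE = re.compile(
    r"\b(uninstall(?:ed)?|disabled (?:agent )?protection|protection disabled)\b",
    re.IGNORECASE,
)

def deep_get(event, *keys, default=None):
    """Stand-in for Panther's deep_get helper: walk nested dict keys safely."""
    cur = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def rule(event):
    """Panther rule(): fire when the activity describes a protection change."""
    return bool(PROTECTION_CHANGE.search(event.get("primaryDescription", "")))

def severity(event):
    """Panther severity(): tier-0 host -> CRITICAL, uninstall -> HIGH, else MEDIUM."""
    host = deep_get(event, "data", "computerName", default="")
    if host.startswith(TIER0_HOST_PREFIXES):
        return "CRITICAL"
    if "uninstall" in event.get("primaryDescription", "").lower():
        return "HIGH"
    return "MEDIUM"

def title(event):
    """Panther title(): human-readable alert title built from event attributes."""
    host = deep_get(event, "data", "computerName", default="<unknown host>")
    user = deep_get(event, "data", "username", default="<unknown user>")
    return f"SentinelOne protection change on {host} by {user}"

def run(events):
    """Local harness: apply the rule and return (title, severity) per matching event."""
    return [(title(e), severity(e)) for e in events if rule(e)]
```

In Panther only rule(), severity() and title() are needed; run() exists so the logic can be exercised locally or in CI before the rule is uploaded.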
If you have any questions about configuring or monitoring SentinelOne logs in Panther, we’re here to help. All customers have access to our technical support team via a dedicated Slack channel, email, or in-app messenger.
You can view our detailed documentation on configuring and monitoring SentinelOne logs here, or customers can join the Panther Community to share best practices or custom detections for monitoring SentinelOne.
The Ideal SIEM Integration for SentinelOne
With Panther, you don’t have to accept limitations with SIEM detections, waste time and effort on operational overhead, or pay skyrocketing costs to keep up with the growth of cloud app data. Panther was founded by a team of veteran security practitioners who struggled with legacy SIEM challenges first-hand, and built an intuitive, cloud-native platform to solve them.
Panther is a cloud-native SIEM built for security operations at scale, offering powerful detection-as-code, intuitive security workflows, and actionable real-time alerts to keep up with the needs of today’s security teams. For a powerful, practical, and scalable SIEM solution for SentinelOne, request a demo today.