SentinelOne

Gain complete visibility into your endpoint data, network activity, DNS requests, and other security events with Panther’s SentinelOne integrations. Panther can collect, normalize, and analyze SentinelOne logs to help you identify suspicious activity in real time. Your normalized data is then retained to power future security investigations in a serverless data lake. Use Panther’s built in rules to monitor activity, or write your own detections to fit your internal business use cases.

Use Cases

Common security use cases for monitoring SentinelOne logs with Panther include:

• Monitoring security events and gaining insights into DNS requests and activities across the network
• Correlating activity, such as lateral movement and callbacks, with other threat indicators to gain deeper insights
• Collecting valuable insights when endpoints exist beyond traditional perimeters
• Uncovering organizational blind spots with full visibility into key assets on the network

How it Works

Panther supports pulling Activities logs by pulling from the /web/api/v2.1/activities endpoint from SentinelOne's API, or by integrating with the SentinelOne Cloud Funnel. To set up a new SentinelOne Cloud Funnel source in Panther, users can simply send Deep Visibility logs to an AWS S3 Bucket, and add the S3 Bucket as a data source in Panther.

To onboard SentinelOne API Activity Logs in Panther, users can create a SentinelOne Service User and API Token, create a new SentinelOne API Source in Panther, and configure the API source using Panther’s console. Both of the integrations are simple and fast, empowering security teams to:

• Parse, normalize, and analyze your SentinelOne log data in real-time.
• Send alerts to your configured destinations as rules are triggered.
• Search for normalized logs using Panther’s Data Explorer.

*Note that deprecation of CloudFunnel v1.0 is set for May 2023

You can learn more about Panther's supported log schema for SentinelOne here.