Introducing SA-SentinelOneDevices for Splunk Enterprise Security

Introducing SA-SentinelOneDevices for Splunk Enterprise Security. Quickly populate your asset database with data from SentinelOne.

A supporting add-on for Splunk Enterprise Security.

SA-SentinelOneDevices is another supporting add-on that makes it easier to get started with the Asset & Identity framework in Splunk Enterprise Security (ES). Like SA-CrowdstrikeDevices, this new add-on takes the device data already ingested from SentinelOne and makes it directly usable as assets within Splunk ES.

App Setup

The setup is easy and can be accomplished in just a few short steps.

  1. Bring in device data using the SentinelOne App For Splunk.
  2. Install SA-SentinelOneDevices to an Enterprise Security search head.
  3. Update the default search macro if the index you are using for the SentinelOne device data is not index=sentinelone.

Additional configurations can be made (and are recommended), but most of the work is taken care of automatically!
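As an added example of step 3 (this is not a file shipped with the add-on, and the macro name `sentinelone_index` is a hypothetical placeholder; check the add-on's default/macros.conf for the real name), the override belongs in a local/macros.conf on the ES search head, so that it survives upgrades of the add-on instead of being edited in default/:

```ini
# $SPLUNK_HOME/etc/apps/SA-SentinelOneDevices/local/macros.conf
# Added example; the stanza name below is assumed, not taken from the add-on.
# Shipped default (in default/macros.conf) points at index=sentinelone.
# Override it here only if SentinelOne device data lives in a different index.
[sentinelone_index]
definition = index=edr_sentinelone
iseval = 0
```

After saving, reload the configuration (or restart Splunk) and confirm the macro expands as expected by running a search that uses it before checking the asset lookup.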

Resources

This add-on is developed and maintained under my personal GitHub account and is not affiliated with or sanctioned by the Splunk or SentinelOne teams. If you are familiar with Splunk on a technical level, feel free to fork the GitHub repository and submit a pull request. If not, you can submit an issue or feature request.

This app has passed Splunk AppInspect and is cloud ready.

Splunkbase: https://splunkbase.splunk.com/app/6612
GitHub: https://github.com/ZachChristensen28/SA-SentinelOneDevices
Documentation: https://splunk-sa-sentinelone.ztsplunker.com/
Prerequisites: https://splunk-sa-sentinelone.ztsplunker.com/quickstart/prerequisites/

[Figure: example output from SA-SentinelOneDevices]