SentinelOne Logs

Connecting SentinelOne Cloud Funnel logs to your Panther Console

Overview

Panther supports the following log types from SentinelOne:

How to onboard SentinelOne API Activity logs to Panther

The instructions below apply to SentinelOne API Activity logs. For instructions on how to onboard SentinelOne Cloud Funnel logs, see the next section: How to onboard SentinelOne Cloud Funnel Deep Visibility logs to Panther.

Panther's support for SentinelOne API Activity logs is currently in open beta. Please share any bug reports and feature requests with your Panther support team.

Prerequisites

  • You will need an API Token from a Service User that has the Viewer role in your SentinelOne account.

Create a SentinelOne Service User + API Token

  1. Log in to your SentinelOne Dashboard.

  2. In the left sidebar menu, click Settings.

  3. At the top of the Settings page, click the Users tab.

  4. On the left side of the Users page, click Service Users.

  5. Click the Actions dropdown, then click Create New Service User.

  6. On the "Create New Service User" page, enter a name and a description, choose an expiration date, then click Next.

  7. On the "Select Scope of Access" page, configure the following:

    • Access Level: Account

    • Account selected: Ensure you have selected the correct account and that the role is set to Viewer.

  8. Click Create User.

  9. Copy the API Token and store it in a secure location, as you will need to provide it to Panther in the next part of the log source onboarding process.

Create a new SentinelOne API source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for “SentinelOne API,” then click its tile.

  4. Click Create New.

  5. In the slide-out panel, click Start Setup.

  6. Configure the SentinelOne API source:

    • Name: Enter a descriptive name for the source, e.g., SentinelOne API

    • SentinelOne API Organization: Enter the subdomain of your SentinelOne account. To find this value, log in to your SentinelOne Dashboard and copy the subdomain from the URL.

      • For example, if your dashboard URL is https://example-domain.sentinelone.net/dashboard, your subdomain would be example-domain.

    • API Token: Enter the token of your Service User that you copied in the previous steps of this documentation.

  7. Click Setup. You will be directed to a success screen:

    The success screen reads, "Everything looks good! Panther will now automatically pull & process logs from your account"
    • You can optionally enable one or more Detection Packs.

    • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

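The "SentinelOne API Organization" field in step 6 above wants only the subdomain of the dashboard URL. The helper below is an added example, not Panther's or SentinelOne's own code, that derives that value from whatever an operator pastes (full URL, bare hostname or the subdomain itself) and refuses hosts that are not directly under sentinelone.net, so a mistyped or look-alike host is not silently turned into a plausible subdomain. The assumption that the console host always has exactly one label before sentinelone.net is mine; the page only shows the https://example-domain.sentinelone.net/dashboard form.

```python
from urllib.parse import urlparse

# Assumption (constructed for this example): the management console host
# is always <subdomain>.sentinelone.net, as in the page's example URL.
MANAGEMENT_DOMAIN = "sentinelone.net"


class InvalidConsoleUrl(ValueError):
    """Raised when the input is not a SentinelOne console URL or subdomain."""


def extract_subdomain(value: str) -> str:
    """Return the value Panther asks for as 'SentinelOne API Organization'.

    Accepts a full dashboard URL, a bare hostname, or an already extracted
    subdomain. Credentials, ports and paths in the URL are ignored.
    """
    value = value.strip()
    if not value:
        raise InvalidConsoleUrl("empty value")
    # urlparse only recognises the host part when a scheme is present.
    if "://" not in value:
        value = "https://" + value
    parsed = urlparse(value)
    if parsed.scheme != "https":
        raise InvalidConsoleUrl(f"unexpected scheme {parsed.scheme!r}")
    host = (parsed.hostname or "").lower()
    if not host:
        raise InvalidConsoleUrl("no hostname found")
    if "." not in host:
        # A bare label such as 'example-domain' is already the subdomain.
        return host
    suffix = "." + MANAGEMENT_DOMAIN
    if not host.endswith(suffix):
        # e.g. evil.example/example-domain.sentinelone.net: path, not host
        raise InvalidConsoleUrl(f"{host!r} is not under {MANAGEMENT_DOMAIN}")
    subdomain = host[: -len(suffix)]
    if not subdomain or "." in subdomain:
        raise InvalidConsoleUrl(
            f"expected one label before {MANAGEMENT_DOMAIN}, got {host!r}"
        )
    return subdomain
```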

How to onboard SentinelOne Cloud Funnel Deep Visibility logs to Panther

  1. Set up your Data Transport in the Panther Console.

  2. Configure SentinelOne to push logs to the Data Transport source.

Supported log types

Required fields in the schema are listed as "required: true" just below the "name" field.

SentinelOne.Activity

Activity events from the SentinelOne API.

SentinelOne.DeepVisibility2

Deep Visibility 2.0 events from the SentinelOne services.
