Use Observability Pipelines’ SentinelOne destination to send logs to SentinelOne.

Setup

Set up the SentinelOne destination and its environment variables when you set up a pipeline. The information below is configured in the pipelines UI.

Set up the destination

  1. Select your SentinelOne logs environment in the dropdown menu.
  2. Optionally, toggle the switch to enable Buffering Options. Enable a configurable buffer on your destination to ensure intermittent latency or an outage at the destination doesn’t create immediate backpressure, and allow events to continue to be ingested from your source. Disk buffers can also increase pipeline durability by writing logs to disk, ensuring buffered logs persist through a Worker restart. See Configurable buffers for destinations for more information.
    • If left unconfigured, your destination uses a memory buffer with a capacity of 500 events.
    • To configure a buffer on your destination:
      1. Select the buffer type you want to set (Memory or Disk).
      2. Enter the buffer size and select the unit.
        • Maximum memory buffer size is 128 GB.
        • Maximum disk buffer size is 500 GB.

Set the environment variables

  • SentinelOne write access token:
    • Stored in the environment variable DD_OP_DESTINATION_SENTINEL_ONE_TOKEN.

View logs in a SentinelOne cluster

After you’ve set up the pipeline to send logs to the SentinelOne destination, you can view the logs in a SentinelOne cluster:

  1. Log into the S1 console.
  2. Navigate to the Singularity Data Lake (SDL) “Search” page. To access it from the console, click on “Visibility” on the left menu to go to SDL, and make sure you’re on the “Search” tab.
  3. Make sure the filter next to the search bar is set to All Data.
  4. This page shows the logs you sent from Observability Pipelines to SentinelOne.

How the destination works

Event batching

A batch of events is flushed when one of these parameters is met. See event batching for more information.

Max Events    Max Bytes    Timeout (seconds)
None          1,000,000    1
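The table above gives the three flush triggers but not how they interact, so here is an added Python model of that batching logic, written for this page and not taken from the Observability Pipelines Worker or any Datadog or SentinelOne code. It assumes newline-delimited JSON as the encoded form of an event, assumes the timeout is measured from the first event of a batch, and uses a fake clock so the run is deterministic; the Worker's real implementation may differ in those details. The defaults in `BatchConfig` are the page's values (no event cap, 1,000,000 bytes, 1 second).

```python
"""Batch flushing modelled on the documented SentinelOne destination defaults."""
import json
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class BatchConfig:
    # Defaults mirror the table on this page: no event cap, 1,000,000 bytes, 1 s.
    max_events: Optional[int] = None
    max_bytes: int = 1_000_000
    timeout_seconds: float = 1.0


class EventBatcher:
    """Accumulates encoded events and flushes when any configured limit is hit."""

    def __init__(self, config: BatchConfig, clock: Callable[[], float] = time.monotonic):
        self.config = config
        self.clock = clock  # injectable so the demo below is deterministic
        self.pending: list = []
        self.pending_bytes = 0
        self.opened_at: Optional[float] = None
        self.flushed: list = []  # (reason, event_count, byte_count) per flush

    @staticmethod
    def encode(event: dict) -> bytes:
        # Newline-delimited JSON, one line per event (assumed framing for this demo).
        return json.dumps(event, separators=(",", ":")).encode("utf-8") + b"\n"

    def add(self, event: dict) -> None:
        line = self.encode(event)
        # Never let one batch exceed max_bytes: flush what is pending first.
        if self.pending and self.pending_bytes + len(line) > self.config.max_bytes:
            self.flush("max_bytes")
        if not self.pending:
            self.opened_at = self.clock()  # timeout counts from the first event
        self.pending.append(line)
        self.pending_bytes += len(line)
        if self.config.max_events is not None and len(self.pending) >= self.config.max_events:
            self.flush("max_events")
        elif self.pending_bytes >= self.config.max_bytes:
            self.flush("max_bytes")

    def tick(self) -> None:
        """Call periodically; flushes a partial batch once the timeout elapses."""
        if self.pending and self.clock() - self.opened_at >= self.config.timeout_seconds:
            self.flush("timeout")

    def flush(self, reason: str) -> bytes:
        payload = b"".join(self.pending)
        self.flushed.append((reason, len(self.pending), len(payload)))
        self.pending, self.pending_bytes, self.opened_at = [], 0, None
        return payload  # a real destination would send this to the API here


class FakeClock:
    """Manually advanced clock standing in for time.monotonic()."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demonstrate() -> dict:
    """Exercise each of the three triggers with constructed events."""
    clock = FakeClock()
    results = {}

    # 1. Timeout: three small events wait until 1 s has passed since the first.
    b = EventBatcher(BatchConfig(), clock)
    for i in range(3):
        b.add({"host": "web-01", "msg": f"constructed event {i}"})
    clock.now = 0.5
    b.tick()
    results["before_timeout"] = list(b.flushed)  # nothing flushed yet
    clock.now = 1.0
    b.tick()
    results["timeout"] = b.flushed[-1]  # ("timeout", 3, <bytes>)

    # 2. Max bytes: ten events of exactly 100,000 bytes fill the 1,000,000-byte budget.
    b = EventBatcher(BatchConfig(), clock)
    for _ in range(10):
        b.add({"msg": "x" * 99_989})  # 11 bytes of JSON framing + newline + 99,989 = 100,000
    results["max_bytes"] = b.flushed[-1]  # ("max_bytes", 10, 1000000)

    # 3. Max events: a non-default cap of 2 flushes every second event.
    b = EventBatcher(BatchConfig(max_events=2), clock)
    for i in range(5):
        b.add({"n": i})
    results["max_events"] = [f[0:2] for f in b.flushed]  # two flushes of 2 events
    results["left_pending"] = len(b.pending)  # the fifth event waits for the timeout
    return results


if __name__ == "__main__":
    print(demonstrate())
```

The pre-check in `add` matters for the 1,000,000-byte limit: flushing before an event would push the batch over the cap keeps every payload within the destination's size budget, while an event larger than the cap on its own is still sent as a batch of one rather than dropped.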

Further reading

Helpful documentation, links, and articles: