SentinelOne Destination

이 제품은 선택한 Datadog 사이트에서 지원되지 않습니다. ().
이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.
이용 가능:

Logs

Use Observability Pipelines’ SentinelOne destination to send logs to SentinelOne.

Setup

Set up the SentinelOne destination and its environment variables when you set up a pipeline. The information below is configured in the pipelines UI.

Set up the destination

  1. Select your SentinelOne logs environment in the dropdown menu.
  2. Optionally, toggle the switch to enable Buffering Options. Enable a configurable buffer on your destination to ensure intermittent latency or an outage at the destination doesn’t create immediate backpressure, and allow events to continue to be ingested from your source. Disk buffers can also increase pipeline durability by writing logs to disk, ensuring buffered logs persist through a Worker restart. See Configurable buffers for destinations for more information.
    • If left unconfigured, your destination uses a memory buffer with a capacity of 500 events.
    • To configure a buffer on your destination:
      1. Select the buffer type you want to set (Memory or Disk).
      2. Enter the buffer size and select the unit.
        • Maximum memory buffer size is 128 GB.
        • Maximum disk buffer size is 500 GB.

Set the environment variables

  • SentinelOne write access token:
    • Stored in the environment variable DD_OP_DESTINATION_SENTINEL_ONE_TOKEN.

View logs in a SentinelOne cluster

After you’ve set up the pipeline to send logs to the SentinelOne destination, you can view the logs in a SentinelOne cluster:

  1. Log into the S1 console.
  2. Navigate to the Singularity Data Lake (SDL) “Search” page. To access it from the console, click on “Visibility” on the left menu to go to SDL, and make sure you’re on the “Search” tab.
  3. Make sure the filter next to the search bar is set to All Data.
  4. This page shows the logs you sent from Observability Pipelines to SentinelOne.

How the destination works

Event batching

A batch of events is flushed when one of these parameters is met. See event batching for more information.

Max EventsMax BytesTimeout (seconds)
None1,000,0001

Further reading

추가 유용한 문서, 링크 및 기사:

Optimize EDR logs and route them to SentinelOne with Observability PipelinesBLOG more more