Use Observability Pipelines’ SentinelOne destination to send logs to SentinelOne.

Setup

Set up the SentinelOne destination and its environment variables when you set up a pipeline. The information below is configured in the pipelines UI.

Set up the destination

Select your SentinelOne logs environment in the dropdown menu.

Set the environment variables

  • SentinelOne write access token:
    • Stored as the environment variable: DD_OP_DESTINATION_SENTINEL_ONE_TOKEN
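The write access token lets anything holding it write into your Singularity Data Lake, so it should not appear in the Worker's configuration files, its command line, or shell history. The following POSIX shell helper is an added example, not part of the Datadog documentation or the Observability Pipelines Worker: it loads the token from a permission-restricted file into DD_OP_DESTINATION_SENTINEL_ONE_TOKEN (the only name taken from the page) and refuses to proceed if the file is missing, empty, or readable by group or other. The file path and the Worker start command in the trailing comment are assumptions.

```shell
#!/bin/sh
# Added example: load the SentinelOne write access token into the environment
# variable the Observability Pipelines Worker reads, without ever placing the
# secret on a command line or in a config file. Not Datadog's code.

# load_s1_token FILE
# Exports DD_OP_DESTINATION_SENTINEL_ONE_TOKEN from the contents of FILE.
# Returns non-zero (and exports nothing) when FILE is absent, is readable by
# group or other, or is empty.
load_s1_token() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "token file not found: $file" >&2
        return 1
    fi
    # Portable permission check: columns 5-10 of 'ls -l' hold the group and
    # other permission bits. Require all of them to be '-' (mode 0600 or
    # stricter) so no other local user can read the token.
    perms=$(ls -ld "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "refusing to read $file: group/other permissions are '$perms', expected none (chmod 600)" >&2
        return 1
    fi
    # Command substitution strips trailing newlines; the value is never echoed.
    token=$(cat "$file")
    if [ -z "$token" ]; then
        echo "token file $file is empty" >&2
        return 1
    fi
    DD_OP_DESTINATION_SENTINEL_ONE_TOKEN="$token"
    export DD_OP_DESTINATION_SENTINEL_ONE_TOKEN
    return 0
}

# Assumed invocation (path and Worker command are not taken from the page):
#   load_s1_token /etc/observability-pipelines-worker/s1_token \
#       && exec observability-pipelines-worker run
```

Because the function exports the variable into the current shell, source the script (or call the function) from the same process that then starts the Worker; a child process started earlier will not see it. Rotating the token then only requires replacing the file and restarting the Worker.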

View logs in a SentinelOne cluster

After you’ve set up the pipeline to send logs to the SentinelOne destination, you can view the logs in a SentinelOne cluster:

  1. Log into the S1 console.
  2. Navigate to the Singularity Data Lake (SDL) “Search” page. To access it from the console, click on “Visibility” on the left menu to go to SDL, and make sure you’re on the “Search” tab.
  3. Make sure the filter next to the search bar is set to All Data.
  4. This page shows the logs you sent from Observability Pipelines to SentinelOne.

How the destination works

Event batching

A batch of events is flushed as soon as any one of these limits is reached: there is no cap on the number of events per batch, so a batch is sent either when it reaches 1,000,000 bytes or when 1 second has elapsed since the first event was added, whichever comes first. See event batching for more information.

  Max Events    Max Bytes    Timeout (seconds)
  None          1,000,000    1