Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sentinel One bidirectional integration (tech preview) #4534

Closed
caitlinbetz opened this issue Jan 2, 2024 · 1 comment
Closed

Sentinel One bidirectional integration (tech preview) #4534

caitlinbetz opened this issue Jan 2, 2024 · 1 comment
Assignees
@joepeeples
Labels
Team: EDR Workflows Formerly Defend Workflows, Onboarding and Lifecycle Management v8.12.0

Comments

@caitlinbetz
Copy link

caitlinbetz commented Jan 2, 2024
edited
Loading

First release of our bidirectional integration work - https://github.com/elastic/security-team/issues/6200

There are a handful of steps users must take to ensure they are able to successfully take action on Sentinel One hosts (for the initial tech preview release in 8.12, the only action is to isolate / release a host). We want to make sure we have a page that walks through the full configuration requirements.

Prerequesites:

  • Should have active running S1 agents

High level steps:

  1. Ensure there is an agent policy created (Fleet) that will be responsible for pulling S1 data)
  2. Add and configure the Sentinel One integration to policy
  3. Create a security detection rule to get elastic alerts for Sentinel One alerts
    • logs-sentinel_one.alert*
  4. Create a connector for Sentinel One
@caitlinbetz caitlinbetz added Team: EDR Workflows Formerly Defend Workflows, Onboarding and Lifecycle Management v8.12.0 labels Jan 2, 2024
@joepeeples joepeeples self-assigned this Jan 2, 2024
@joepeeples joepeeples mentioned this issue Jan 3, 2024
Closed
@joepeeples
Copy link
Contributor

#4312 already existed to track docs work on the SentinelOne integration, so I copied the info from this issue to that one, and will close this. Follow #4312 for further updates.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@joepeeples joepeeples

Labels
Team: EDR Workflows Formerly Defend Workflows, Onboarding and Lifecycle Management v8.12.0
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@caitlinbetz @joepeeples