SentinelOne Collector Plugin - 5thColumn/Revolver-wiki-archive GitHub Wiki

Description

The SentinelOne Collector Plugin will gather activity and threat events that have been reported to your SentinelOne console every five minutes and deliver them to BOSS.

Configuration Instructions

  1. Navigate to your SentinelOne console and log into your account. Once logged in, note the value in the address bar between https:// and /dashboard (this is your SentinelOne Console URL).
  2. At the top right corner of the page, click on your name, then click "My User".
  3. In the box that appears, click the Generate link to the right of the "API Token" label. Note the expiration date, then download the token file to a secure location. You will need to regenerate the API token and update it in your Revolver plugin configuration before the expiration date in order to ensure uninterrupted service of the plugin.
  4. Close the box, then click the question-mark logo near the top right corner of the page. Click About.
  5. If the version name begins with the letter K or a later letter (e.g. L, M, etc.), your API version is 2.1. Otherwise, your API version is 2.0.
  6. Log into your Revolver instance and go to "Manage Plugins".
  7. Select the drop-down next to SentinelOne Collector to expand the section to see the fields required for configuration.
  8. Insert the keys SentinelOne Console URL (from Step 1), API Token (from Step 3), and API Version (from Step 5) into the appropriate fields and select Configure.
  9. You will receive a notification that the plugin is in the process of being configured. After a few moments, you will receive a second notification that the plugin has been configured and is ready for use. Note: If you receive an error notice after configuring the plugin, select Configure again. If the error persists, contact the support team.
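One way to double-check the values gathered in the steps above before typing them into the plugin form, as an added example that is not part of the Revolver plugin or the SentinelOne console (the host name example-tenant.sentinelone.net, the version names and the dates are constructed):

```python
"""Configuration sanity check for the SentinelOne Collector plugin.
Added example, not part of the Revolver plugin: it derives the values the
steps above tell you to read off the console and warns about token expiry."""
from datetime import date
from typing import Dict, Optional
from urllib.parse import urlparse


def console_url_from_address_bar(address: str) -> str:
    """Step 1: the Console URL is the part between https:// and /dashboard."""
    parsed = urlparse(address.strip())
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("expected an https:// console address")
    return parsed.netloc


def api_version_from_console_version(version_name: str) -> str:
    """Step 5: a version name starting with K or a later letter means API 2.1."""
    name = version_name.strip()
    if not name or not name[0].isalpha():
        raise ValueError("version name must start with a letter")
    return "2.1" if name[0].upper() >= "K" else "2.0"


def token_days_left(expires_on: str, today: str) -> int:
    """Days until the API token from Step 3 stops working (negative = expired).
    Both arguments are ISO dates (YYYY-MM-DD)."""
    return (date.fromisoformat(expires_on) - date.fromisoformat(today)).days


def build_plugin_config(address: str, version_name: str, expires_on: str,
                        today: str, warn_days: int = 14) -> Dict[str, object]:
    """Return the non-secret plugin fields plus a token-rotation warning.
    The token value itself is not handled here: it stays in the downloaded
    token file and is pasted into the plugin form by hand."""
    days_left = token_days_left(expires_on, today)
    warning: Optional[str] = None
    if days_left < 0:
        warning = "API token has expired; regenerate it (Step 3)"
    elif days_left <= warn_days:
        warning = f"API token expires in {days_left} days; plan to regenerate it"
    return {
        "console_url": console_url_from_address_bar(address),
        "api_version": api_version_from_console_version(version_name),
        "token_days_left": days_left,
        "warning": warning,
    }
```

Run it with the address bar value, the version name from the About box and the expiration date noted when the token was generated; anything other than a `None` warning means the token should be rotated before the plugin is configured.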

Release Notes

Current Version: 1.0