
SA-SentinelOneDevices

SA-SentinelOneDevices is another supporting add-on that makes it easier to get started with the Asset & Identity framework in Splunk Enterprise Security (ES). Like SA-CrowdstrikeDevices, this new add-on takes the device data already ingested from SentinelOne and makes it directly usable within Splunk ES.

App Setup

The setup is easy and can be accomplished in just a few short steps.

  1. Bring in device data using the SentinelOne App For Splunk.
  2. Install SA-SentinelOneDevices to an Enterprise Security search head.
  3. Update the default search macro if the index you are using for the SentinelOne device data is not index=sentinelone.

Additional configurations can be made (and are recommended), but most of the work is taken care of automatically!

Resources

This add-on is developed and maintained under my personal GitHub account and is not affiliated with or sanctioned by the Splunk or SentinelOne teams. If you are familiar with Splunk on a technical level, feel free to fork the GitHub repository and submit a pull request. If not, you can submit an issue or feature request.

This app has passed Splunk AppInspect and is cloud ready.

This post is licensed under CC BY 4.0 by the author.