The SA-SentinelOneDevices is another supporting add-on to make it easier to get started with the Asset & Identity framework for Splunk Enterprise Security (ES). Similar to the SA-CrowdstrikeDevices, this new add-on takes the data ingested from SentinelOne and allows it to be directly utilized within Splunk ES.

App Setup

The setup is easy and can be accomplished in just a few short steps.

  1. Bring in device data using the SentinelOne App For Splunk.
  2. Install SA-SentinelOneDevices to an Enterprise Security search head.
  3. Update the default search macro if the index you are using for the 1. SentinelOne device data is not index=sentinelone.

Additional configurations can be made (and are recommended), but most of the work is taken care of automatically!


This add-on is developed and maintained under my personal GitHub account and is not affiliated with or sanctioned by the Splunk or SentinelOne teams. If you are familiar with Splunk on a technical level, feel free to fork the GitHub branch and submit a pull request. If not, you can submit an issue or feature request.

This app has passed Splunk AppInspect and is cloud ready.

This post is licensed under CC BY 4.0 by the author.