SentinelOne Integration

A Guide about integrating your QRadar Syslog server to collect SentinelOne logs.

To integrate your Syslog server:

  1. Open a supported browser on a computer with an active connection to the Internet (or to the OnPrem Management). 

    For a list of supported browsers, see System Requirements.

  2. In the browser address bar, enter the management console URL provided by the SentinelOne support team (for example, ).
  3. Enter your username and password, and click Login

    If you want to create a new user for QRadar integration, follow the steps in Creating New Management Console Users and then log in to the new user.

    Note: A user with a role of Site Admin can mitigate threats from the QRadar Console. A user with a role of Site Viewer can view threats but cannot take action.

  4. In the SentinelOne Management Console, click Settings.
  5. If you are a Site or Account Admin, you must select one Site to open Settings.
  6. Click SYSLOG.
  7. Click Enable SYSLOG.
  8. In Host, enter the QRadar FQDN or IP address, and its listening port (514 or 6514).
  9. To use SSL or TLS channel authentication and privacy, click Use SSL secure connection.

    If you do not select this, UDP is used.

      1. In Certificate, you can upload server and client certificates to verify client/server authorization between the SentinelOne Management (client) and the syslog server (server). These options only show if Use SSL secure connection is selected. Passphrase certificates are not supported. Make sure you know how the Syslog server is configured, and that you have the correct certificates from that configuration.

        - Server certificate - Select and upload a certificate to verify the syslog server identity.
        - Client certificate - Select and upload a certificate to verify the SentinelOne Management     as a client of the syslog server. Use a certificate file with a client key. A Client certificate is       necessary if the server requires client authentication.
        - Client key - Select and upload the client key of a client/server key pair. A Client key is necessary, along with a Client certificate, if the server requires client authentication.

        To find the QRadar certificate and key files:

        -  Using an SSH session, login to the QRadar Console as root user.
        -  Run: cd /opt/qradar/conf/trusted_certificates/
        -  Extract: syslog-tls.cert and syslog-tls.key.
  10. In Formatting, select CEF2. This format is required to enable integration with the SentinelOne DSM.

  11. To verify connectivity with your QRadar server, click TEST to send a test trap.
  12. If the test passed, click SAVE.