Ingest raw EDR event data from SentinelOne DeepVisibility into Cortex XSIAM.
Cortex XSIAM enables ingestion of raw EDR event data from SentinelOne DeepVisibility, streamed via Cloud Funnel to Amazon S3. In addition to all standard SIEM capabilities, this integration unlocks some advanced Cortex XSIAM features, enabling comprehensive analysis of data from all sources, enhanced detection and response, and deeper visibility into SentinelOne data.
Key benefits include:
Querying all raw event data received from SentinelOne using XQL.
Querying critical modeled and unified EDR data via the xdr_data dataset.
Enriching incident and alert investigations with relevant context.
Grouping alerts with alerts from other sources to accelerate the scoping process of incidents, and to cut investigation time.
Leveraging the data for analytics-based detection.
Utilizing the data for rule-based detection, including correlation rules, BIOC, and IOC.
Leveraging the data within playbooks for incident response.
When Cortex XSIAM begins receiving EDR events from SentinelOne, it automatically creates a new dataset labeled sentinelone_deep_visibility_raw, allowing you to query all SentinelOne events using XQL. For example XQL queries, refer to the in-app XQL Library.
In addition, Cortex XSIAM parses and maps critical data into the xdr_data dataset and the XDM data model, enabling unified querying and investigation across all supported EDR vendors' data and unlocking key benefits like stitching and advanced analytics. While mapped data from all supported EDR vendors, including SentinelOne DeepVisibility, will be available in the xdr_data dataset, it is important to note that third-party EDR data presents some limitations.
Third-party agents, including SentinelOne, typically provide less data compared to our native agents, and do not include the same level of optimization for causality analysis and cloud-based analytics. Furthermore, external EDR rate limits and filters might restrict the availability of critical data required for comprehensive analytics. As a result, only a subset of our analytics-based detectors will function with third-party EDR data.
We are continuously enhancing our support and using advanced techniques to enrich missing third-party data and, where possible, to replicate some of the proprietary functionality available with our agents. This approach maximizes value for our customers using third-party EDRs within existing constraints. However, it is important to recognize that the level of comprehensiveness achieved with our native agents cannot be matched, as much of the logic happens on the agent itself. These capabilities are unique, and are not found in typical SIEMs. Many of them, along with their underlying logic, are patented by Palo Alto Networks. Therefore, they should be regarded as added value beyond standard SIEM functionalities for customers who are not using our agents.
Danger
The SentinelOne DeepVisibility logs that will be collected by your dedicated Amazon S3 bucket must adhere to the following guidelines:
Each log file must use the one-log-per-line format; the multi-line format is not supported.
Log files must be either gzip-compressed or uncompressed.
For best performance, we recommend limiting each file size to up to 50 MB (compressed).
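The three guidelines above can be checked before an object is left in the bucket for collection. The following is an added example, not code from the Cortex XSIAM documentation or from Palo Alto Networks: it inspects one file as bytes, detects gzip by its magic header, verifies that every non-blank line is a complete JSON object (so a pretty-printed, multi-line record is rejected), and reports the 50 MB size guideline as a warning rather than a hard failure. The sample events are constructed; their field names are illustrative and are not DeepVisibility's schema.

```python
import gzip
import json
import zlib

# Page guideline: keep each file to at most 50 MB compressed for best performance.
MAX_COMPRESSED_BYTES = 50 * 1024 * 1024
GZIP_MAGIC = b"\x1f\x8b"

# Constructed sample events; the field names are illustrative, not DeepVisibility's schema.
SAMPLE_EVENTS = [
    {"event_type": "process_start", "process_name": "example.exe", "agent_id": "agent-0001"},
    {"event_type": "dns_query", "query": "example.invalid", "agent_id": "agent-0001"},
]


def check_deep_visibility_file(blob: bytes) -> dict:
    """Pre-flight check of one object as it would sit in the S3 bucket.

    Returns a dict with the findings: 'ok' is True only when every hard
    requirement holds (one complete JSON event per line, readable gzip or
    plain text); the size guideline is reported under 'warnings'.
    """
    problems, warnings = [], []
    compressed = blob.startswith(GZIP_MAGIC)

    if len(blob) > MAX_COMPRESSED_BYTES:
        warnings.append(f"file is {len(blob)} bytes; guideline is at most {MAX_COMPRESSED_BYTES} bytes")

    try:
        raw = gzip.decompress(blob) if compressed else blob
    except (OSError, EOFError, zlib.error) as exc:
        return {"ok": False, "compressed": compressed, "records": 0,
                "problems": [f"gzip stream is unreadable: {exc}"], "warnings": warnings}

    records = 0
    for lineno, line in enumerate(raw.splitlines(), start=1):
        if not line.strip():
            continue  # a blank trailing line is harmless
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            problems.append(f"line {lineno} is not a complete JSON document (multi-line records are not supported)")
            continue
        if not isinstance(event, dict):
            problems.append(f"line {lineno} is valid JSON but not an object")
            continue
        records += 1

    if records == 0:
        problems.append("no events found")
    return {"ok": not problems, "compressed": compressed, "records": records,
            "problems": problems, "warnings": warnings}


def sample_good_file() -> bytes:
    """Constructed sample: newline-delimited JSON events, gzip-compressed."""
    body = "".join(json.dumps(e) + "\n" for e in SAMPLE_EVENTS)
    return gzip.compress(body.encode())


def sample_bad_file() -> bytes:
    """Constructed sample: the same events pretty-printed across several lines, which the collector cannot parse."""
    return "\n".join(json.dumps(e, indent=2) for e in SAMPLE_EVENTS).encode()


if __name__ == "__main__":
    for name, blob in (("good", sample_good_file()), ("bad", sample_bad_file())):
        print(name, check_deep_visibility_file(blob))
```

Run it against a downloaded object (or hook it into whatever writes the bucket) and refuse to publish files whose result has `ok` set to False; a non-empty `warnings` list is worth acting on too, since oversized files are the case the page says degrades performance.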
The minimum AWS permissions required for an Amazon S3 bucket and Amazon Simple Queue Service (SQS) are:
Amazon S3 bucket: GetObject
SQS: ChangeMessageVisibility, ReceiveMessage, and DeleteMessage
Determine how you want to provide access to Cortex XSIAM to your logs and to perform API operations. You have the following options:
Designate an AWS IAM user, where you will need to know the Account ID for the user and have the relevant permissions to create an access key ID and secret access key for the relevant IAM user. If you do not have a designated AWS IAM user configured yet, instructions for this are included in the following procedures.
Create an assumed role in AWS to delegate permissions to a Cortex XSIAM AWS service. This role grants Cortex XSIAM access to your flow logs. This is the Assumed Role option mentioned later in the procedures that follow. To create an assumed role for Cortex XSIAM, see Create an assumed role.
For more information about assumed roles, see Creating a role to delegate permissions to an AWS service.
To collect Amazon S3 logs that use server-side encryption (SSE), the user role must have an IAM policy that states that Cortex XSIAM has kms:Decrypt permissions. With this permission, Amazon S3 automatically detects if a bucket is encrypted and decrypts it. If you want to collect encrypted logs from different accounts, you must have the decrypt permissions for the user role also in the key policy for the master account Key Management Service (KMS). For more information, see Allowing users in other accounts to use a KMS key.
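The minimum S3 and SQS permissions listed under the Danger note, and the kms:Decrypt permission needed for SSE-KMS buckets described just above, can be expressed as a single least-privilege policy document and audited against what is actually attached to the IAM user or assumed role. The following is an added example, not code from the Cortex XSIAM documentation or from Palo Alto Networks: `minimum_policy` builds the permissions policy from the page's action list (adding the KMS statement only when a key ARN is supplied), and `excess_grants` reports any Allow in an existing policy that goes beyond that set, flagging wildcard actions and a bare `*` resource. The bucket name, queue ARN, key ARN and the over-broad sample policy are constructed placeholders; the trust policy of an assumed role is a separate document and is not covered here.

```python
import json
from typing import Iterable, List, Optional, Set

# Minimum actions stated on the page for the bucket and the queue.
S3_MIN_ACTIONS = ("s3:GetObject",)
SQS_MIN_ACTIONS = ("sqs:ChangeMessageVisibility", "sqs:ReceiveMessage", "sqs:DeleteMessage")
KMS_MIN_ACTIONS = ("kms:Decrypt",)  # only when objects are written with SSE-KMS
EXPECTED_ACTIONS: Set[str] = set(S3_MIN_ACTIONS) | set(SQS_MIN_ACTIONS) | set(KMS_MIN_ACTIONS)


def minimum_policy(bucket_name: str, queue_arn: str, kms_key_arn: Optional[str] = None) -> dict:
    """Least-privilege permissions policy for the collector principal (IAM user or assumed role).

    Object-level read on the bucket, consume/acknowledge on the queue, and kms:Decrypt
    on the key only when one is supplied. The assumed role's trust policy is separate.
    """
    statements = [
        {"Sid": "ReadDeepVisibilityObjects", "Effect": "Allow",
         "Action": list(S3_MIN_ACTIONS), "Resource": f"arn:aws:s3:::{bucket_name}/*"},
        {"Sid": "ConsumeBucketNotifications", "Effect": "Allow",
         "Action": list(SQS_MIN_ACTIONS), "Resource": queue_arn},
    ]
    if kms_key_arn:
        statements.append({"Sid": "DecryptSseKmsObjects", "Effect": "Allow",
                           "Action": list(KMS_MIN_ACTIONS), "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value) -> list:
    """IAM accepts a single string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def excess_grants(policy: dict, allowed: Iterable[str] = EXPECTED_ACTIONS) -> List[str]:
    """Audit an existing policy document: list every Allow that goes beyond the minimum.

    Wildcard actions and a bare '*' resource are always reported, since they cannot
    be shown to be minimal; the object-level '<bucket>/*' resource is expected.
    """
    allowed = set(allowed)
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            for resource in _as_list(st.get("Resource", [])):
                if "*" in action or resource == "*":
                    findings.append(f"{action} on {resource} (wildcard)")
                elif action not in allowed:
                    findings.append(f"{action} on {resource} (beyond minimum)")
    return findings


# Constructed over-broad policy of the kind an audit should flag (example ARNs, not real resources).
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-cloudfunnel-bucket/*"},
        {"Effect": "Allow",
         "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:ChangeMessageVisibility", "sqs:DeleteQueue"],
         "Resource": "arn:aws:sqs:us-east-1:123456789012:example-queue"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(minimum_policy("example-cloudfunnel-bucket",
                                    "arn:aws:sqs:us-east-1:123456789012:example-queue"), indent=2))
    for finding in excess_grants(OVERBROAD_POLICY):
        print("finding:", finding)
```

The S3 statement is scoped to objects in the one bucket rather than to the bucket itself because GetObject is an object-level action; if you also collect encrypted logs from another account, attach the same decrypt grant in that account's KMS key policy, as the page notes, since an identity policy alone does not cross the account boundary.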