SentinelOne AI SIEM
The SentinelOne SIEM HEC (HTTP Event Collector) Logs destination forwards security events and operational telemetry to SentinelOne's Singularity AI SIEM platform via HTTP Event Collector (HEC) endpoints. It supports multiple encoding formats, Bearer token authentication, and regional data routing with customizable field mapping.
Purpose
The Observo AI SentinelOne SIEM HEC Logs destination forwards security events and operational telemetry to SentinelOne's Singularity platform for advanced threat analytics and automated incident response. This connector streamlines security data aggregation, threat correlation, and automated response workflows within SentinelOne's AI-driven security operations center, enabling organizations to centralize threat intelligence and accelerate security incident resolution.
Prerequisites
Before configuring the SentinelOne HEC Logs destination in Observo AI, ensure the following requirements are met to facilitate seamless data forwarding:
SentinelOne Configuration
SentinelOne Instance Access: Valid credentials and access to SentinelOne management console
HTTP Event Collector Configuration:
Endpoint URL: The base URL of the SentinelOne instance (must include http or https scheme)
API Token: Generate HEC token in SentinelOne for data ingestion authentication
Data Collection Settings: Configure the SentinelOne data collector to accept incoming events from Observo AI
Protocol Selection: Choose between event endpoint (metadata in payload) or raw endpoint (metadata as query parameters)
Index/Collection Configuration: Verify target index or collection exists and token has write permissions
How to get an API Key:
Log into SentinelOne Management Console
Navigate to Policy & Settings → Singularity AI SIEM → API Keys
Generate a new API Key or retrieve an existing one for HEC authentication
Copy and securely store the API Key for use in Observo AI configuration
Network and Connectivity
Firewall Rules: Configure firewall rules to allow outbound traffic from Observo AI to the SentinelOne endpoints.
Integration
To configure SentinelOne AI SIEM HEC Logs as a destination in Observo AI, follow these steps:
Access Observo AI Destinations:
Navigate to the Destinations tab in the Observo AI interface.
Click on the "Add Destination" button and select "Create New".
Choose "S1 HEC Logs" from the list of available destinations.
General Settings:
Name: Provide a unique identifier for the destination (e.g., sentinelone-hec-prod-1).
Description (Optional): Add a description for the destination.
Endpoint: The base URL of the SentinelOne instance. The scheme (http or https) must be specified. No path should be included since the paths are configured separately.
Default Token: SentinelOne HEC token for authentication. If an event has a token set in its secrets (splunk_hec_token), it will override the default token configured here.
Host Key: Overrides the name of the log field used to grab the hostname to send to SentinelOne HEC. Default: host
Index: The name of the index to send events to. If not specified, the default index defined within SentinelOne is used. Examples: {{ host }}, security_index
Timestamp Key: Overrides the name of the log field used to grab the timestamp to send to SentinelOne HEC. When set to "", the timestamp is not set in the events sent to SentinelOne HEC. Examples: timestamp, event_time
Acknowledgement (Optional):
Acknowledgements Enabled (False): Whether or not end-to-end acknowledgements are enabled. When enabled, any source connected to this destination that supports end-to-end acknowledgements will wait for events to be acknowledged by the destination before acknowledging them at the source.
Acknowledgements Indexer Acknowledgements Enabled (True): Controls if the destination will integrate with SentinelOne HEC indexer acknowledgements for end-to-end acknowledgements.
Acknowledgements Max Pending Acks: Maximum number of pending acknowledgements from events sent to the SentinelOne HEC collector. Once reached, the destination will begin applying backpressure.
Acknowledgements Query Interval (Seconds): The amount of time in seconds to wait between queries to the SentinelOne HEC indexer acknowledgement endpoint. Default: 10
Acknowledgements Retry Limit: Maximum number of times an acknowledgement ID will be queried for its status. Default: 30
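As an added illustration of how the three acknowledgement settings interact (this is example code, not Observo AI's or SentinelOne's own): an in-memory tracker that applies backpressure once Max Pending Acks is reached, polls no more often than the Query Interval, and gives up on an ID after Retry Limit queries. The query_fn callback is an assumption standing in for a client of the SentinelOne indexer acknowledgement endpoint, whose request format the page does not give.

```python
import time

class AckTracker:
    """Tracks HEC indexer acknowledgement IDs using the page's three knobs:
    Max Pending Acks (backpressure), Query Interval (seconds) and Retry Limit."""

    def __init__(self, query_fn, max_pending=10, query_interval=10, retry_limit=30, clock=time.monotonic):
        # query_fn(list_of_ack_ids) -> {ack_id: True if indexed}: hypothetical client for the
        # indexer acknowledgement endpoint, whose wire format the page does not specify.
        self.query_fn, self.clock = query_fn, clock
        self.max_pending, self.query_interval, self.retry_limit = max_pending, query_interval, retry_limit
        self.pending = {}              # ack_id -> number of status queries made so far
        self.acked, self.failed = set(), set()
        self.last_query = None

    def can_send(self):
        """False once Max Pending Acks is reached: the caller must stop sending (backpressure)."""
        return len(self.pending) < self.max_pending

    def register(self, ack_id):
        """Record the ack ID returned for a sent batch; refuses while backpressure applies."""
        if not self.can_send():
            raise RuntimeError("backpressure: Max Pending Acks reached")
        self.pending[ack_id] = 0

    def poll(self):
        """Query outstanding IDs if the Query Interval has elapsed; returns (acked, failed) sets."""
        now = self.clock()
        if self.last_query is not None and now - self.last_query < self.query_interval:
            return self.acked, self.failed
        self.last_query = now
        status = self.query_fn(list(self.pending)) if self.pending else {}
        for ack_id in list(self.pending):
            self.pending[ack_id] += 1
            if status.get(ack_id):
                self.acked.add(ack_id)
                del self.pending[ack_id]
            elif self.pending[ack_id] >= self.retry_limit:  # Retry Limit exhausted: treat as undelivered
                self.failed.add(ack_id)
                del self.pending[ack_id]
        return self.acked, self.failed
```

Call poll() from the send loop and stop sending while can_send() is False; IDs that land in failed are the batches to retry or surface as delivery errors.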
Encoding:
Encoding Codec: The codec to use for encoding events. Default: JSON Encoding.
Options and sub-options:
JSON Encoding
  Pretty JSON (False): Format JSON with indentation and line breaks for better readability.
logfmt Encoding: Standard logfmt format for structured logging
Apache Avro Encoding
  Avro Schema (Required): Specify the Apache Avro schema definition. Example: { "type": "record", "name": "log", "fields": [{ "name": "message", "type": "string" }] }
Newline Delimited JSON Encoding: NDJSON format with one JSON object per line
No encoding: Pass through data without encoding
Plain text encoding: Simple text format
Parquet
  Include Raw Log (False): Capture the complete log message as an additional field (observo_record)
  Parquet Schema (Required): Enter the parquet schema for encoding
Common Event Format (CEF)
  CEF Device Event Class ID (Required): Unique event identifier (max 1023 chars)
  CEF Device Product (Required): Product name (max 63 chars)
  CEF Device Vendor (Required): Vendor name (max 63 chars)
  CEF Device Version (Required): Product version (max 31 chars)
  CEF Name (Required): Human-readable event description (max 512 chars)
  CEF Severity (Required): Event importance (0-10)
  CEF Version: Specification version (0.1 or 1.x)
  CEF Extensions: Custom key-value pairs
CSV Format
  CSV Fields (Required): Field names for CSV columns
  CSV Buffer Capacity: Buffer size in bytes (default: 8192)
  CSV Delimiter: Field separator (default: ",")
  Enable Double Quote Escapes (True): Escape quotes by doubling
  CSV Escape Character: Escape character used when double_quote is disabled
  CSV Quote Character: Character for quoting fields
  CSV Quoting Style: When to use quotes (always/necessary/never/non_numeric)
Protocol Buffers
  Protobuf Message Type (Required): Fully qualified message type
  Protobuf Descriptor File (Required): Path to the .desc file
Graylog Extended Log Format (GELF): GELF format for structured logging
Encoding Avro Schema (Optional): The Avro schema definition for applicable encoding types.
Encoding Metric Tag Values: Controls how metric tag values are encoded.
Tag values will be exposed as single strings (default)
Tags exposed as arrays of strings
Encoding Timestamp Format: Format used for timestamp fields.
RFC 3339 timestamp
Unix timestamp
Fields to exclude from serialization: List of fields that are excluded from the encoded event.
Request Configuration:
Request Concurrency: Configuration for outbound request concurrency. Default: Adaptive concurrency.
Options:
Adaptive concurrency: Adjusts parallelism based on system load
A fixed concurrency of 1: Processes one task at a time only
Request Rate Limit Duration Secs: The time window used for the rate_limit_num option. Default: 1
Request Rate Limit Num: The maximum number of requests allowed within the rate_limit_duration_secs time window.
Request Retry Attempts: The maximum number of retries to make for failed requests. The default represents an infinite number of retries.
Request Retry Initial Backoff Secs: The amount of time to wait in seconds before attempting the first retry for a failed request. Default: 1
Request Retry Max Duration Secs: The maximum amount of time to wait between retries. Default: 3600
Request Timeout Secs: The time a request waits before being aborted. Default: 60
Request Headers: Custom HTTP request headers to include with each request.
Batching Configuration:
Batch Max Bytes: The maximum size of a batch that will be processed by the destination. This is based on the uncompressed size of the batched events, before they are serialized/compressed.
Batch Max Events: The maximum size of a batch before it is flushed.
Batch Timeout Secs: The maximum age of a batch before it is flushed. Default: 1.0
TLS Configuration (Optional):
TLS CA: The CA certificate provided as an inline string in PEM format.
TLS CRT: The certificate as a string in PEM format.
TLS Key: The key provided as a string in PEM format.
TLS Verify Certificate (False): Enables certificate verification. Do NOT set this to false unless you understand the risks of not verifying the validity of certificates.
TLS Verify Hostname (False): Enables hostname verification. Do NOT set this to false unless you understand the risks of not verifying the remote hostname.
Buffering Configuration (Optional):
Buffer Type: Specifies the buffering mechanism for event delivery.
Options:
Memory: High-performance, in-memory buffering
  Max Events: Maximum number of events allowed in the buffer. Default: 500
  When Full: Event handling behavior when the buffer is full.
    - Block: Wait for free space in the buffer
    - Drop Newest: Drop the event instead of waiting
Disk: Lower-performance, persistent disk buffering
  Max Bytes Size: Maximum bytes allowed in the buffer. Must be at least 268435488
  When Full: Event handling behavior when the buffer is full.
    - Block: Wait for free space in the buffer
    - Drop Newest: Drop the event instead of waiting
Advanced Settings (Optional):
Compression: Compression algorithm to use for the request body. Default: No compression
Options:
Gzip compression: DEFLATE compression with headers
No compression: Data transmitted in original form
Zlib compression: DEFLATE format with minimal wrapper
Endpoint Target: SentinelOne HEC endpoint configuration.
Options:
Event endpoint: Metadata sent with the event payload
Raw endpoint: Metadata sent as query parameters
Source: The source of events sent to this destination. This is typically the filename the logs originated from. If unset, the SentinelOne collector will set it. Examples: {{ file }}, /var/log/security, TCP:9514
Sourcetype: The sourcetype of events sent to this destination. If unset, SentinelOne will default to httpevent. Examples: {{ sourcetype }}, _json
Path: Change the default HEC path. If unset, Observo will default to /services/collector/event?isParsed=true or /services/collector/raw depending on the endpoint target. Default: /services/collector/event?isParsed=true. Example: /app/sentinelone/hec
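To make the General Settings (Endpoint, Default Token and the per-event splunk_hec_token override, Host Key, Timestamp Key, Index) and the Endpoint Target, Source, Sourcetype and Path settings above concrete, here is an added example, not Observo AI's or SentinelOne's own code, that assembles the HEC requests a batch of records would produce. It assumes the event endpoint takes newline-delimited JSON envelopes carrying the metadata and the raw endpoint takes plain lines with the metadata as query parameters (taken from the batch's first record); the sample records and tokens are constructed placeholders.

```python
import gzip
import json
import re
from urllib.parse import urlencode

# Constructed sample records (not from the page); the second one carries a per-event
# secret that overrides the destination's Default Token, so it gets its own batch.
SAMPLE_RECORDS = [
    {"message": "login failed for alice", "host": "web-01", "event_time": 1700000000,
     "file": "/var/log/auth.log"},
    {"message": "sshd restarted", "host": "bastion-02", "event_time": 1700000005,
     "file": "/var/log/syslog", "secrets": {"splunk_hec_token": "EVENT-TOKEN-PLACEHOLDER"}},
]

def render(template, record):  # resolve '{{ field }}' placeholders, as in the Source/Sourcetype examples
    return re.sub(r"{{\s*(\w+)\s*}}", lambda m: str(record.get(m.group(1), "")), template)

def build_hec_requests(records, endpoint, default_token, target="event", path=None, host_key="host",
                       timestamp_key="event_time", index="security_index", source="{{ file }}",
                       sourcetype="_json", compress=True):
    """Return one {'url', 'headers', 'body'} dict per token, ready to hand to an HTTP client."""
    if not re.fullmatch(r"https?://[^/?#]+", endpoint):
        raise ValueError("Endpoint needs an http/https scheme and no path")
    path = path or ("/services/collector/event?isParsed=true" if target == "event" else "/services/collector/raw")
    batches = {}  # token -> records: a per-event splunk_hec_token wins over the default token
    for rec in records:
        batches.setdefault(rec.get("secrets", {}).get("splunk_hec_token", default_token), []).append(rec)
    out = []
    for token, batch in batches.items():
        if target == "event":  # metadata travels inside each JSON envelope (one per line)
            lines = [json.dumps({"event": {k: v for k, v in rec.items() if k != "secrets"},
                                 "host": rec.get(host_key), "index": index, "source": render(source, rec),
                                 "sourcetype": render(sourcetype, rec),
                                 **({"time": rec[timestamp_key]} if timestamp_key in rec else {})})
                     for rec in batch]
            url, ctype = endpoint + path, "application/json"
        else:  # raw endpoint: plain lines, metadata as query parameters (from the first record; an assumption)
            meta = {"index": index, "source": render(source, batch[0]),
                    "sourcetype": render(sourcetype, batch[0]), "host": batch[0].get(host_key)}
            lines = [rec["message"] for rec in batch]
            url, ctype = endpoint + path + ("&" if "?" in path else "?") + urlencode(meta), "text/plain"
        body, headers = "\n".join(lines).encode(), {"Authorization": f"Bearer {token}", "Content-Type": ctype}
        if compress:  # the page's Gzip compression option
            body, headers["Content-Encoding"] = gzip.compress(body), "gzip"
        out.append({"url": url, "headers": headers, "body": body})
    return out

def decode_body(req):  # undo compression for inspection; returns the body's lines as text
    raw = gzip.decompress(req["body"]) if req["headers"].get("Content-Encoding") == "gzip" else req["body"]
    return raw.decode().split("\n")
```

Setting timestamp_key to "" reproduces the page's "timestamp is not set" behaviour, and an Endpoint with a path is rejected up front rather than producing a doubled path.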
Save and Test Configuration:
Save the configuration settings.
Send sample data from Observo AI and verify its ingestion in SentinelOne.
Troubleshooting
If issues arise with the SentinelOne HEC Logs destination in Observo AI, use the following steps to diagnose and resolve them:
Verify Configuration Settings
Ensure that the Endpoint URL, Default Token, Index, and Source Type are correctly entered and match the SentinelOne setup.
Confirm that the SentinelOne HEC input is enabled and configured to accept data from Observo AI.
Check Authentication
Verify that the HEC Token is valid and has the necessary permissions to write to the specified index.
Ensure that the token has not expired or been revoked.
Validate Data Format and Schema
Ensure that the data sent from Observo AI matches the expected format and schema in SentinelOne.
If using custom source types, verify that they are properly configured in SentinelOne.
Network and Connectivity
Ensure that Observo AI can reach the SentinelOne HEC endpoint over the network.
If using firewalls or proxies, verify their configurations to allow necessary traffic.
Common Error Messages
"Authorization failed": Indicates invalid or missing HEC Token. Verify the token's validity and permissions.
"Index not found": Check that the specified index exists in SentinelOne and that the token has write permissions.
"No data ingested": Confirm that data is being sent and matches the expected format.
Best Practices:
Use HTTPS with TLS for secure data transmission
Configure appropriate field mappings for optimal search and analytics
Test connectivity and data flow before deploying to production
Use compression to optimize bandwidth usage for large data volumes