You can integrate Blumira with SentinelOne to send security event logs and alerts to Blumira for threat detection. Blumira then intelligently analyzes those logs to automatically detect suspected threats, notify you of those threats, and provide you with an actionable response.
Note: Data is collected from the time of a successful integration configuration onward. Past logs are not collected by Blumira.
Before you begin
Before setting up a SentinelOne Cloud Connector, you must gather the following SentinelOne authentication credentials:
- API Token
- Management URL
- Site ID
Recommended: Use a SentinelOne service user account for the integration instead of using a console user account to generate the API Token. Console users' API tokens expire after 30 days, whereas you can set the desired expiration for a service account.
Important: If your SentinelOne API Token is generated for a console user (such as an MSP) who has access to multiple SentinelOne sites, you must include a Site ID to narrow the scope of logs collected by Blumira to the appropriate site-level data. If you do not provide the Site ID, then the cloud connector will fetch logs from every SentinelOne site that the user is authorized to view. Use a service user account to avoid this problem.
To gather the necessary credentials:
- Log in to the SentinelOne Management Console.
- Navigate to Settings > Users > Service Users.
- Under Actions, click Create New Service User.
- In the Create New Service User window, type a name and optional description for the service user, then select an expiration date for the API token.
- Click Next.
In the Select Scope of Access window, set the preferred account or site access for the service user.
- Copy and save the API Token for later steps.
- Click Create User.
- Copy and save your organization’s Management URL, which is the URL specific to your organization when you are logged in to SentinelOne (i.e., example.sentinelone.net).
- To obtain the Site ID, go to Settings > Sites, click a site name, click Site Info, and then copy and save the Site ID.
- (Optional) In very rare instances, the Account ID is also needed to improve Blumira's log collection. To obtain the Account ID, go to Sentinels > Account Info, then copy and save the Account ID. If you are unsure, leave this field blank in the Blumira Cloud Connector.
Providing your SentinelOne credentials to Blumira
Cloud Connectors automate the configuration of your integrations without requiring you to use a sensor. After you obtain your integration's configuration parameters, you can then enable Blumira to collect your logs.
To configure the Blumira Cloud Connector:
- In the Blumira app, navigate to Settings > Cloud Connectors.
- Click + Add Cloud Connector.
- In the Available Cloud Connectors window, click the connector that you want to add.
- If you want to change the name of the connector, type the new name in the Cloud Connector Name box.
- Enter the credentials that you collected in the previous steps.
- Click Connect.
- On the Cloud Connectors screen, under Current Status, you can view the configuration’s progress. When the configuration completes, the status changes to Online (green dot).
Important: If you previously deployed a sensor module for this integration, then you must remove it via the Sensors page (Settings > Sensors) to avoid log duplication.