Integrating SentinelOne

To integrate SentinelOne, do the following procedures:

• To configure Syslog forwarding from SentinelOne EPP
• To find your SentinelOne Site token
• To set up Barracuda XDR Dashboard 

To configure Syslog forwarding from SentinelOne EPP

1. In address bar of a browser, enter the SentinelOne Management Console URL provided by the SentinelOne support team (For example, https://<DomainName>.sentinelone.net/dashboard, where <DomainName> is the domain name of your SentinelOne account).

2. Log in to the SentinelOne Management Console as an Administrator.

3. If you are a Site or Account Admin, you must select a Site to open Settings.

   This configuration is done by site. You can only integrate one site per XDR Dashboard.

4. Click Settings.

5. Click Notifications.

6. In the Syslog column, ensure all Syslog settings are selected. (See the sample screenshot below.)
   

7. In the SentinelOne Management Console, click Settings > Integrations > Syslog. Ensure Formatting is set to CEF2.
   

8. In Your syslog host, enter the following:

   • US: sentinel-us-ingest.skout-build.com

   • EU: sentinel-eu-ingest.skout-build.com

9. In the textbox, after the ":", type 6514.

10. Check the Use TLS Secure Connection box.

11. Click Test.

12. Click Save.

    Notify Barracuda XDR that you have configured Syslog forwarding.

To find your SentinelOne site ID

1. In a web browser, navigate to https://<DomainName>.sentinelone.net/dashboard, where <DomainName> is the domain name of your SentinelOne account.
2. In the left navigation bar, click Sentinels.
   
3. Click the name of the site.
   
4. Scroll to the right and click Site Info.
   
5. Copy the site ID to use in the To set up Barracuda XDR Dashboard procedure, below.
   

To set up Barracuda XDR Dashboard

1. In Barracuda XDR Dashboard, click Administration > Integrations
2. On the SentinelOne card, click Setup.
3. Select Enabled.
   
4. In the Site Id field, paste the Site ID you copied in the previous procedure.
5. Click Save.