SentinelOne Integration

Overview

SentinelOne provides autonomous endpoint protection with AI-powered detection and response. KYRA MDR collects SentinelOne threat and activity data via the Singularity API or syslog forwarding for centralized security operations.

Prerequisites

  • A KYRA MDR Collector installed and running
  • SentinelOne Management Console access
  • API token with Viewer or higher permissions
  • Network connectivity from the console to the collector

Configuration

Configure SentinelOne syslog forwarding:

  1. Log in to the SentinelOne Management Console
  2. Navigate to Settings > Integrations > Syslog
  3. Click Add Syslog Destination
  4. Configure the destination:

       Setting        Value
       Host           Your KYRA Collector IP
       Port           514
       Protocol       TCP
       Format         CEF
       Notifications  Threats, Activities

  5. Click Test to verify connectivity
  6. Click Save

SentinelOne API Integration

Use the SentinelOne Singularity API to query threats and activities:

# List recent threats
curl -s -X GET \
"https://<CONSOLE>.sentinelone.net/web/api/v2.1/threats?limit=10&sortBy=createdAt&sortOrder=desc" \
-H "Authorization: ApiToken <YOUR_API_TOKEN>" \
-H "Content-Type: application/json" | jq '.data[] | {id, classification, agentComputerName, threatName, mitigationStatus}'
# Get threat details by ID
curl -s -X GET \
"https://<CONSOLE>.sentinelone.net/web/api/v2.1/threats/<THREAT_ID>" \
-H "Authorization: ApiToken <YOUR_API_TOKEN>" | jq .
# List recent activities (audit log)
curl -s -X GET \
"https://<CONSOLE>.sentinelone.net/web/api/v2.1/activities?limit=20&sortBy=createdAt&sortOrder=desc" \
-H "Authorization: ApiToken <YOUR_API_TOKEN>" | jq '.data[] | {activityType, primaryDescription, createdAt}'
# Get agent list
curl -s -X GET \
"https://<CONSOLE>.sentinelone.net/web/api/v2.1/agents?limit=10" \
-H "Authorization: ApiToken <YOUR_API_TOKEN>" | jq '.data[] | {computerName, osType, agentVersion, isActive, infected}'

Verify Syslog Reception

# On the KYRA Collector, confirm that SentinelOne CEF events arrive on the syslog port
sudo tcpdump -i any port 514 -A | grep -iE "sentinelone|S1"

# Check for CEF-formatted events in the local syslog file
# (assumes the collector's syslog daemon listens on port 514 and writes received events to /var/log/syslog)
tail -f /var/log/syslog | grep "CEF.*SentinelOne"
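As an added example (not part of the KYRA documentation or the SentinelOne product), the following Python parser takes the kind of lines the checks above look for, splits the CEF header on unescaped pipes, decodes the CEF escape sequences in the extension, and counts how many received lines are SentinelOne CEF events. The sample lines and their extension keys are constructed for illustration and do not reproduce SentinelOne's real CEF schema.

```python
import re
# Constructed sample lines for this demo; they do not reproduce SentinelOne's real CEF schema.
SAMPLE_LINES = [
    r"<14>Jan 01 12:00:00 s1 CEF:0|SentinelOne|Mgmt|4.1|19|Threat Detected|8|"
    r"rt=1704110400000 suser=jdoe dhost=WS-042 fname=evil\\bin.exe msg=Hash\=abc123 act=quarantined",
    r"<14>Jan 01 12:00:05 s1 CEF:0|SentinelOne|Mgmt|4.1|52|Agent \| Updated|3|dhost=WS-042 msg=agent upgraded",
    "Jan 01 12:00:06 host sshd[1]: not a CEF line",
]
_HEADER = ("cef_version", "vendor", "product", "device_version", "signature_id", "name", "severity")
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # an unescaped key= at a token boundary

def _unescape(s):
    # CEF escapes: \| and \\ in the header; \= \\ \n \r in extension values
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)

def _split_header(body):
    # Split on unescaped '|' until the seven header fields are collected; the rest is the extension
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        if body[i] == "\\" and i + 1 < len(body):   # keep the escape pair for _unescape
            cur.append(body[i:i + 2]); i += 2
        elif body[i] == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(body[i]); i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than seven fields")
    return [_unescape(f) for f in fields], body[i:]

def _split_extension(ext):
    # Extension values may contain spaces, so slice between successive key= tokens
    keys = list(_KEY_RE.finditer(ext))
    return {m.group(1): _unescape(ext[m.end():n.start() if n else len(ext)].rstrip("\r\n"))
            for m, n in zip(keys, keys[1:] + [None])}

def parse_cef(line):
    """Parse one syslog line carrying a CEF event; raise ValueError if it is not CEF."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found")
    fields, ext = _split_header(line[start:])
    event = dict(zip(_HEADER, fields))
    event["cef_version"] = event["cef_version"][len("CEF:"):]
    event["extension"] = _split_extension(ext)
    return event

def audit_lines(lines):
    # Reception check: count SentinelOne CEF events, other CEF events and non-CEF lines
    counts = {"sentinelone": 0, "other_cef": 0, "not_cef": 0}
    for line in lines:
        try:
            vendor = parse_cef(line)["vendor"]
        except ValueError:
            counts["not_cef"] += 1
        else:
            counts["sentinelone" if vendor == "SentinelOne" else "other_cef"] += 1
    return counts
```

Feed it the lines captured by the tail command above to see at a glance whether the collector is receiving well-formed SentinelOne CEF or something else.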

Collected Log Types

Log Type         Description                               Security Use
Threats          Malware and behavioral threat detections  Endpoint threat response
Activities       Agent and management actions              Operational auditing
Deep Visibility  Endpoint telemetry data                   Threat hunting, forensics
Application      Application inventory events              Shadow IT, vulnerability context
Device Control   USB and peripheral events                 Data loss prevention
Ranger           Network discovery events                  Asset discovery

Troubleshooting

No syslog events: Verify the syslog destination is enabled and tested in the SentinelOne console. Check that the notification types are selected.

CEF parsing issues: Ensure the format is set to CEF (Common Event Format). KYRA MDR includes a SentinelOne CEF parser.

API rate limiting: The SentinelOne API has rate limits. If using API-based collection, configure appropriate polling intervals (recommended: 60 seconds).

Contact kyra@seekerslab.com for support.