AlienVault® USM Anywhere™


When you configure SentinelOne to send log data to USM Anywhere, you can use the SentinelOne plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information
Device Details
Vendor SentinelOne
Device Type Endpoint Security
Connection Type Syslog

Integrating SentinelOne

Before you configure the SentinelOne integration, you must have the IP Address of the USM Anywhere Sensor.

Note: The procedure below is for the SentinelOne on-premises Virtual Appliance.

To configure SentinelOne to send Syslog messages to USM Anywhere

  1. From the SentinelOne Management Console, click Settings and open the INTEGRATIONS tab.
  2. Click the SYSLOG subtab.
  3. In the Host field, specify the USM Anywhere Sensor IP Address : 514
  4. For the Threat information format option, select cef.

Plugin Enablement

The SentinelOne plugin automatically processes all messages when the raw message contains "\|SentinelOne\|".

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • destination_service_name
  • destination_userid
  • device_event_category
  • event_description
  • event_name
  • event_receipt_time
  • event_severity
  • file_hash
  • file_path
  • plugin_device
  • plugin_device_type
  • rep_device_rule_id
  • rep_device_type
  • rep_device_vendor
  • rep_device_version
  • source_process_commandline
  • source_username

Additional Resources and Troubleshooting

For troubleshooting, see the vendor documentation.