NeQter Labs How to Guides


SentinelOne

Step 1:

Log in to the NeQter Appliance and go to the NeQter Settings > Inputs page.

Step 2:

Add an input for each of the SentinelOne IPs below. For each one, click the Add input button, then fill out the form with an input name of your choice, one of the IPs listed below, and SentinelOne selected as the manufacturer. At the end of this step, each input should have a unique IP from the list below.

  • 52.200.100.203
  • 3.213.115.5
  • 54.211.159.31
  • 54.160.219.31
  • 52.4.126.188
  • 54.211.162.22
  • 52.2.239.24


Step 3:

Log on to your SentinelOne environment and go to INTEGRATIONS > Notifications and Data Forwarding.

Step 4:

On the firewall/router, set up a Dynamic NAT rule that points port 6514 traffic from the IPs listed under Step 2 to NeQter's IP address. Keep the source IP and port the same.

Step 5:

Go to the Syslog Configuration tab. Enable syslog, then go to the Host field and enter your network IP address (this would be the outside address of your network you are forwarding logs from), followed by port 6514. Next, change the Information Format to CEF2. Once this is all set, enable TLS and press Test Connection (do not worry about entering certificates). If the test is able to send a log to NeQter, the Save button becomes available; click it to finish.

If after a few minutes the Save button is still unavailable, check your settings on both your Firewall and NeQter and verify everything is configured correctly. If you’re still having trouble, please reach out to NeQter support for further assistance.

Step 6:

Enable SentinelOne in NeQter by going to NeQter Settings > Dashboards and toggling the “enable” switch.


If the steps above are followed, you should see SentinelOne traffic within 24 hours at most. Please create a ticket here if further help is needed.
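
For Step 4, the following added example (not part of the NeQter guide) prints the rules a Linux-based firewall using iptables would need, limiting the port 6514 forward to the seven Step 2 source IPs. The iptables firewall, the function names and the internal address passed as the argument are assumptions; other firewalls need the equivalent rule in their own syntax.

```shell
#!/bin/sh
# Source addresses from Step 2 of this guide.
S1_SOURCES="52.200.100.203 3.213.115.5 54.211.159.31 54.160.219.31 52.4.126.188 54.211.162.22 52.2.239.24"
SYSLOG_PORT=6514

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# neqter_dnat_rules NEQTER_IP (hypothetical helper): print, without applying,
# one DNAT and one FORWARD rule per SentinelOne source. Only the destination
# is rewritten and no SNAT/MASQUERADE rule is emitted, so the source IP and
# port stay the same, as Step 4 requires. Traffic to 6514 from any other
# source gets no rule and is left to the firewall's default policy.
neqter_dnat_rules() {
    is_ipv4 "$1" || { echo "invalid NeQter IP: $1" >&2; return 2; }
    for src in $S1_SOURCES; do
        echo "iptables -t nat -A PREROUTING -p tcp -s $src --dport $SYSLOG_PORT -j DNAT --to-destination $1:$SYSLOG_PORT"
        echo "iptables -A FORWARD -p tcp -s $src -d $1 --dport $SYSLOG_PORT -j ACCEPT"
    done
}

# Usage: sh neqter_rules.sh <NeQter internal IP>   (prints 14 rules to review)
[ "$#" -eq 0 ] || neqter_dnat_rules "$1"
```

Review the printed rules before applying them, and confirm the firewall's default policy drops port 6514 traffic from sources outside the Step 2 list.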