Problems integrating wazuh with SentinelOne


Jose Peredo

May 1, 2024, 3:47:16 AM
to Wazuh | Mailing List
Hello

I am integrating my Wazuh server with my SentinelOne console. I have followed the steps in this link: https://wazuh.com/blog/integrating-sentinelone-xdr-with-wazuh/

My Wazuh server version is: App version 4.7.3, App revision 02.
I'm doing the integration through the SentinelOne API, but for some reason I do not see in the Wazuh console the generated events that are observed in the SentinelOne console.

Attached is a screenshot of the contents of the sentinelone.json file.

I see that the sentinelone.json file (located in /var/log) is generated every minute and I see that it has content from the SentinelOne console events... but it is not reflected in the Wazuh console.

Could someone help me by telling me what I might be missing... or how the information from the sentinelone.json file is read by Wazuh to be able to display it in its console?
sentinelone-json.jpg

Stuti Gupta

May 1, 2024, 5:28:28 AM
to Wazuh | Mailing List
Hello Jose Peredo,

Could you please execute the following command to verify if the Wazuh server is monitoring the file /var/log/sentinelone.json?

grep -i 'sentinelone.json' /var/ossec/logs/ossec.log

In the documentation, it states that the file /var/log/sentinelone.log is being monitored, but you mentioned /var/log/sentinelone.json. Please ensure that the path or name of the file is correct. If your file is indeed /var/log/sentinelone.json, then please add the following lines to the ossec.conf file of the Wazuh manager:

<localfile>
    <log_format>json</log_format>
    <location>/var/log/sentinelone.json</location>
</localfile>

After making this change, restart the Wazuh manager using the command: systemctl restart wazuh-manager

Additionally, you need to check the /var/ossec/logs/archives/archives.json log to see if the event is captured there. If it is, you will need to create custom rules so that the event matches the rules and triggers an alert on the Wazuh dashboard. Ensure that all your logs are enabled for this purpose.

You can refer to https://documentation.wazuh.com/current/user-manual/manager/wazuh-archives.html#enabling-the-wazuh-archives for enabling Wazuh archives, and for creating rules and decoders from scratch, please refer to https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Regards
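The reply above describes why the file can show up in archives.json and still produce nothing on the dashboard: the built-in JSON decoder flattens every line into dotted field names, but no alert is raised until a rule matches those fields. The following script is an added example, not from this thread or from Wazuh itself: it models that decode-then-match step locally so you can check that the field names used in a custom rule actually exist in your sentinelone.json before deploying it. The sample events, the rule and the SentinelOne field names (threatInfo.threatName, agentRealtimeInfo.agentComputerName, and so on) are constructed assumptions; it also only approximates the small subset of Wazuh's own regex dialect used here (`\.` meaning "any character").

```python
"""Local model of Wazuh's JSON decode + rule match for sentinelone.json lines.
Added illustration, NOT Wazuh code: it mimics the behaviour only closely enough
to sanity-check rule field names against real events."""
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample of /var/log/sentinelone.json: one JSON object per line,
# shaped like SentinelOne threat/activity records. Field names are assumptions;
# compare them with what your own integration writes.
SAMPLE_LOG = """\
{"threatInfo": {"threatName": "EICAR-Test-File", "classification": "Malware", "confidenceLevel": "malicious", "mitigationStatus": "mitigated"}, "agentRealtimeInfo": {"agentComputerName": "WS-01", "agentOsType": "windows"}}
{"agentRealtimeInfo": {"agentComputerName": "WS-02", "agentOsType": "linux"}, "activity": {"primaryDescription": "Agent WS-02 connected"}}
"""

# Constructed custom rule in local_rules.xml syntax (ids 100000+ are reserved for
# custom rules). <decoded_as>json</decoded_as> restricts it to JSON-decoded events;
# <field> patterns use Wazuh's regex dialect, where "\." means any character.
CUSTOM_RULES = """\
<group name="sentinelone,">
  <rule id="100100" level="7">
    <decoded_as>json</decoded_as>
    <field name="threatInfo.threatName">\\.+</field>
    <description>SentinelOne threat $(threatInfo.threatName) on $(agentRealtimeInfo.agentComputerName)</description>
  </rule>
</group>
"""


def flatten(obj, prefix=""):
    """Flatten nested JSON into the dotted field names the JSON decoder produces."""
    out = {}
    for key, val in obj.items():
        name = f"{prefix}{key}"
        if isinstance(val, dict):
            out.update(flatten(val, name + "."))
        else:
            out[name] = val if isinstance(val, str) else json.dumps(val)
    return out


def wazuh_regex(pattern):
    """Approximate the OS_Regex subset used here: '\\.' is 'any character'."""
    return re.compile(pattern.replace("\\.", "."))


def load_rules(xml_text):
    """Parse the handful of rule elements this model understands."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        fields = [(f.get("name"), wazuh_regex(f.text)) for f in rule.findall("field")]
        rules.append({"id": int(rule.get("id")), "level": int(rule.get("level")),
                      "fields": fields, "description": rule.findtext("description", "")})
    return rules


def match(rules, event):
    """First rule whose every <field> is present and matches wins (None if no rule fires)."""
    for rule in rules:
        if all(name in event and rx.search(event[name]) for name, rx in rule["fields"]):
            desc = re.sub(r"\$\(([^)]+)\)", lambda m: event.get(m.group(1), ""), rule["description"])
            return {"id": rule["id"], "level": rule["level"], "description": desc}
    return None


def process(log_text, rules_xml):
    """Return (alerts, archived_only): events that would raise an alert, and events
    that only reach archives.json because no rule matched their fields."""
    rules = load_rules(rules_xml)
    alerts, archived_only = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = flatten(json.loads(line))
        hit = match(rules, event)
        (alerts if hit else archived_only).append((event, hit))
    return alerts, archived_only


if __name__ == "__main__":
    alerts, archived = process(SAMPLE_LOG, CUSTOM_RULES)
    for event, hit in alerts:
        print(f"ALERT rule {hit['id']} level {hit['level']}: {hit['description']}")
    for event, _ in archived:
        print("archives only (no rule matched):", sorted(event))
```

Running it with the rule present reports the threat event as an alert and the activity event as archives-only; running it with an empty `<group>` leaves both events archives-only, which is exactly the symptom in the question. Once a real rule fires, you can also confirm on the manager with `/var/ossec/bin/wazuh-logtest`, pasting one line from sentinelone.json.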