corelight/CorelightForSentinelOne
SentinelOne Dashboards for Singularity Operations Center

Overview

This guide will help you set up and use the SentinelOne Dashboards, which provide data insights for monitoring and analyzing your network traffic. Whether you are a security analyst, network administrator, or IT professional, these dashboards let you visualize and track your network's security status.


Installation and Configuration

Parser Configuration

Installing Parsers through Marketplace

-- TBD --

Installing Parsers through Github Repository

Note: Follow these steps if you prefer to install from the GitHub repository instead of the Marketplace. If you have already installed the parsers, skip these steps.

Step 1: In the Singularity Operations Center, open the Policy and Settings section from the bottom left corner.

Step 2: In the Policy and Settings section, search for Parsers; it is listed under the Products section.

Step 3: Click the Parsers section to see the list of built-in parsers as well as those you have created.

Step 4: To add a new parser, click the Add parser button in the top right corner. A prompt asks for the parser name; enter it and click Ok to create the parser.

Step 5: After creating the parser named after the log, open the parsers folder in the GitHub repository, find the file for that specific log, copy its contents, and paste them into the parser's editor section.

Step 6: After pasting the code copied from the GitHub repository, click Save File. The parser is added and appears in the Parsers section.

 

Configuring and Adding a generic parser

Note: SentinelOne currently supports 25 different log parsers. If you need a parser for a log type that is not in the existing list, follow the steps below to configure and integrate a parser for that log type.

How to use the generic parser

To use the generic parser, first complete steps 1 to 4 from the Installing Parsers through Github Repository section, then proceed with the following steps.

After creating the parser, copy the code from the corelight-generic parser, paste it into the parser you created, add further details as your log type requires, and save the parser.

Data Collection

To ingest data into the SentinelOne Singularity Data Lake, follow the steps in the SentinelOne documentation under Singularity Marketplace → Marketplace Ingestion Integrations → Corelight Zeek Network Security Parser Integration with SentinelOne.

Note: If you are installing the parsers from the GitHub repository, make sure to update the sourcetype template to "corelight-$LOG-dev".

Configure Lookup Files

To populate the dashboards, some configuration files (the lookup files) must be added.

Step 1: In the Singularity Operations Center, open the Policy and Settings section from the bottom left corner.

Step 2: In the Policy and Settings section, search for Configuration files; it is listed under the Products section.

Step 3: Open Configuration files to see the list of existing configuration files.

Step 4: Click New File and create a file for each file in the lookups folder of the GitHub repository, using exactly the same names.

Step 5: After creating the files with the names used in the GitHub repository, copy the contents of each lookup file into its counterpart and save each file.

Once this is done, all the lookup files are in place.
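The Data Collection note above fixes the sourcetype template to "corelight-$LOG-dev", and the lookup files exist so dashboards can turn raw field values into something readable. The script below, added here as an illustration and not code from the corelight/CorelightForSentinelOne repository or SentinelOne, shows how those two pieces fit together on a few constructed Corelight JSON log lines: each line is routed to a sourcetype derived from its Zeek log name, and conn events are enriched from a small lookup table. It assumes Corelight's JSON export carries the log name in a `_path` field, and the `CONN_STATE_LOOKUP` table is a constructed stand-in for the repository's real lookup files, whose names and contents come only from its lookups folder.

```python
"""Route Corelight/Zeek JSON lines to a sourcetype and enrich them from a lookup.

Added example, not code from the corelight/CorelightForSentinelOne repository.
Assumptions: Corelight emits one JSON object per line with a `_path` field naming
the Zeek log (conn, dns, ...); the sourcetype follows the README template
"corelight-$LOG-dev"; CONN_STATE_LOOKUP is a constructed stand-in for a lookup file.
"""
import json

# Template from the README's Data Collection note for GitHub-installed parsers.
SOURCETYPE_TEMPLATE = "corelight-$LOG-dev"

# Constructed lookup table (stand-in for a repository lookup file): Zeek conn_state
# codes mapped to the descriptions Zeek documents for them.
CONN_STATE_LOOKUP = {
    "S0": "Connection attempt seen, no reply",
    "SF": "Normal establishment and termination",
    "REJ": "Connection attempt rejected",
    "RSTO": "Connection established, originator aborted (sent a RST)",
}


def sourcetype_for(log_name: str, template: str = SOURCETYPE_TEMPLATE) -> str:
    """Expand the sourcetype template for one Zeek log name.

    Rejects names that would produce a malformed sourcetype, so a bad `_path`
    value fails loudly instead of silently creating a parser nobody configured.
    """
    if not log_name or not log_name.replace("_", "").isalnum():
        raise ValueError(f"unexpected Zeek log name: {log_name!r}")
    return template.replace("$LOG", log_name)


def route_event(line: str) -> dict:
    """Parse one JSON line, attach its sourcetype, and enrich conn events."""
    event = json.loads(line)
    log_name = event.get("_path")
    if log_name is None:
        raise ValueError("line has no _path field; cannot choose a parser")
    event["sourcetype"] = sourcetype_for(log_name)
    if log_name == "conn":
        state = event.get("conn_state")
        event["conn_state_desc"] = CONN_STATE_LOOKUP.get(state, "unknown conn_state")
    return event


# Constructed sample lines in Corelight's JSON-per-line shape (not real traffic).
SAMPLE_LINES = [
    '{"_path":"conn","ts":1700000000.0,"uid":"CxyzAbc1","id.orig_h":"10.0.0.5",'
    '"id.resp_h":"10.0.0.9","id.resp_p":443,"proto":"tcp","conn_state":"SF"}',
    '{"_path":"conn","ts":1700000001.0,"uid":"CxyzAbc2","id.orig_h":"10.0.0.5",'
    '"id.resp_h":"10.0.0.10","id.resp_p":22,"proto":"tcp","conn_state":"S0"}',
    '{"_path":"dns","ts":1700000002.0,"uid":"CxyzAbc3","query":"example.com",'
    '"qtype_name":"A"}',
]


def route_all(lines=SAMPLE_LINES) -> list:
    """Route every line; returns the enriched events in input order."""
    return [route_event(line) for line in lines]


def sourcetype_counts(lines=SAMPLE_LINES) -> dict:
    """Count events per sourcetype, the split a dashboard panel would show."""
    counts: dict = {}
    for event in route_all(lines):
        counts[event["sourcetype"]] = counts.get(event["sourcetype"], 0) + 1
    return counts


if __name__ == "__main__":
    for event in route_all():
        print(event["sourcetype"], event.get("conn_state_desc", ""))
    print(sourcetype_counts())
```

If a lookup file is missing or a name does not match the one in the repository's lookups folder, the enrichment step here degrades to "unknown conn_state", which is the same symptom you would see as empty or "unknown" panels in the dashboards.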


Step-by-Step Guide for Using SentinelOne Dashboards

Step 1: Log into Singularity Operations Center

  1. Open your web browser and go to the Singularity Operations Center login page.
  2. Enter your login credentials (username and password).
  3. Click Login to enter the platform.

Step 2: Access the Dashboards Section

  1. Once you are logged in, find the Dashboards section in the navigation menu. This section lets you manage and view all available dashboards.

  2. Click the Dashboards option to proceed.

Step 3: Select Your Connection and Site

  1. Choose Your Connection: In the top-left corner, open the drop-down menu labeled Select Connection and choose the connection you want to monitor.

  2. Select Your Site: Once you have selected the connection, a list of sites associated with it appears. Choose the site you want to analyze.

Step 4: Navigate to the Data Lake Section

  1. After selecting the site, you are taken to the Data Lake section, where all the data (network traffic, events, etc.) is stored and analyzed.

  2. View Existing Dashboards: Here you see the list of dashboards already available for analysis.

Step 5: Create a New Dashboard

  1. Click New Dashboard: To create a new dashboard, click the New Dashboard button in the top right corner of the screen.

  2. Name Your Dashboard: A pop-up window prompts you for the name of the new dashboard (e.g., "Security Posture").

  3. Click Create: Once you have named the dashboard, click Create to generate it.

Step 6: Edit the Dashboard

  1. Dashboard is Empty: The new dashboard is initially empty, so you need to configure it with the relevant widgets and data sources.

  2. Edit JSON Configuration: To customize the dashboard, click the three dots (menu icon) in the top-right corner of the dashboard page and select Edit JSON from the drop-down menu.

  3. Replace JSON Code: A window opens where you can modify the JSON configuration. Replace the existing code with the contents of the corresponding dashboard file from the GitHub repository. This populates the dashboard with the correct widgets and data sources.

  4. Save the File: After making the changes, click Save File in the bottom-right corner to apply the configuration.

  5. Once the JSON file is saved, the dashboard is populated and displays a variety of charts, graphs, and data visualizations.


About

Corelight Dashboards and Parsers for Sentinel One Singularity
