SentinelOne STAR Rules

We are collecting S1 events via API however STAR events are only available via syslog. Is anyone successfully collecting STAR events in IDR as I am not sure on how to send syslog from S1 to my on-prem IDR collector.

Do I have to open a port in my perimeter firewall or is there a way I can send S1 syslog directly to the IDR cloud platform?


InsightIDR doesn’t have a way to directly ingest syslog to the platform. So the method to get the logs in is as you suggested – sending through your on-prem collector. You likely will have to open a port on your perimeter firewall to allow for that.

Another potential option may be to stand up a collector in a cloud environment, and send the syslogs there.

I took a quick look at some STAR docs, and although this is the Elastic docs page, it does make mention of STAR events showing up in an API enabled data stream. Is there maybe some way to configure SentinelOne to get those logs all in the same stream that can be used by an API?


:frowning: 'm not seeing anything in the API documentation via STAR or Custom Rules AKA STAR. I guess I’d have to setup another collect in the cloud or open a port for syslog… :frowning: