Integrating with 3rd Party Syslog and Threat Detection Platforms

Description

Capture Client is the unified client offering from SonicWall that includes the best-in-class NGAV and endpoint threat management technology from SentinelOne. As part of this offering, SonicWall also supports integration with multiple 3rd party log management and security operations platforms (SIEM/XDR/MDR) through the out-of-the-box SentinelOne integrations that those platform vendors provide. All 3rd party integrations typically involve one or both of the following mechanisms:

  1. Log Collection via Syslog
  2. Integration via SentinelOne APIs (only for Capture Client Premier customers)

Note: If you would like to take advantage of this capability, confirm with your platform vendor that they support SentinelOne out of the box before attempting these integrations. SonicWall does not offer any custom integration features or services.

Resolution

To enable log collection via Syslog for a single Tenant

  1. Login to the Capture Client console
  2. Change your scope to the tenant whose logs you want to integrate with the platform
  3. Navigate to Management -> Tenant Settings
  4. In the wizard, on Step 3, configure the Syslog Settings (syslog server, port and protocol) as shown in the screen below:

Image

To enable log collection via Syslog for an Account

  1. Multi-tenant administrators who have access to the Account scope can enforce this setting at the account level for ALL tenants by using the “Inheritance” switch on this screen. To configure the Syslog settings at the Account scope, change to the Account scope and navigate to Management -> Syslog Settings, as in the screen below:

Image
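Once syslog forwarding is configured, the first thing a SIEM engineer usually wants is a quick way to confirm that the events arriving at the collector parse cleanly. The script below is an added example (not SonicWall's or SentinelOne's code): it assumes the forwarded events carry a CEF payload after the syslog header, parses the seven pipe-delimited CEF header fields and the key=value extension (honouring the `\|`, `\\` and `\=` escapes), and filters events by CEF severity so they can be routed to an alert queue. The sample lines are constructed for the example and are not real product output.

```python
"""Parse CEF-formatted syslog lines (as forwarded to a SIEM) and flag high-severity events.
Added example, not product code; field names and sample lines are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HEADER_FIELDS = ("version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# Constructed sample lines: syslog PRI/timestamp/host, then a CEF payload.
SAMPLE_LINES = [
    r"<14>Jan 10 12:00:01 cc-host CEF:0|SentinelOne|Mgmt|1.0|31|Threat detected|10|rt=Jan 10 2024 12:00:00 UTC suser=jdoe fileHash=abc123 filePath=C:\\Users\\jdoe\\evil.exe act=quarantined",
    r"<14>Jan 10 12:00:02 cc-host CEF:0|SentinelOne|Mgmt|1.0|40|Agent offline|5|suser=admin msg=Agent went offline cs1=tenant-a cs1Label=Tenant",
    "<14>Jan 10 12:00:03 cc-host heartbeat from collector (not CEF)",
]


@dataclass
class CefEvent:
    syslog_prefix: str                      # everything before "CEF:"
    header: Dict[str, str]                  # the seven CEF header fields
    extension: Dict[str, str] = field(default_factory=dict)

    @property
    def severity(self) -> int:
        """CEF severity is 0-10, or a word; words map to the low end of their band."""
        raw = self.header["severity"].strip()
        if raw.isdigit():
            return int(raw)
        return {"low": 1, "medium": 4, "high": 7, "very-high": 9}.get(raw.lower(), 0)


def _split_header(payload: str) -> Tuple[Optional[List[str]], str]:
    """Split the header on unescaped pipes; '\\|' and '\\\\' are literal characters.
    Returns (fields, remainder) where remainder is the extension text."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(payload) and len(fields) < len(HEADER_FIELDS):
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):   # escaped char: keep the next one literally
            cur.append(payload[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < len(HEADER_FIELDS):          # truncated or malformed header
        return None, ""
    return fields, payload[i:]


_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _unescape(value: str) -> str:
    """Undo CEF extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n' / '\\r' -> newline/CR."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _parse_extension(ext: str) -> Dict[str, str]:
    """key=value pairs separated by spaces; a value runs until the next 'key=' token,
    so values may themselves contain spaces."""
    keys = list(_EXT_KEY.finditer(ext))
    result: Dict[str, str] = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end].strip())
    return result


def parse_line(line: str) -> Optional[CefEvent]:
    """Return a CefEvent, or None when the line carries no (complete) CEF payload."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    fields, ext = _split_header(line[idx + len("CEF:"):])
    if fields is None:
        return None
    return CefEvent(line[:idx].strip(), dict(zip(HEADER_FIELDS, fields)), _parse_extension(ext))


def parse_lines(lines: List[str]) -> List[CefEvent]:
    """Parse a batch, silently dropping non-CEF lines (count them in production)."""
    return [e for e in (parse_line(ln) for ln in lines) if e is not None]


def high_severity(events: List[CefEvent], threshold: int = 7) -> List[CefEvent]:
    """Events at or above the CEF severity threshold, e.g. to route to an alert queue."""
    return [e for e in events if e.severity >= threshold]


if __name__ == "__main__":
    parsed = parse_lines(SAMPLE_LINES)
    for ev in parsed:
        print(ev.header["signature_id"], ev.header["name"], ev.severity, ev.extension)
    print("high severity:", [ev.header["name"] for ev in high_severity(parsed)])
```

Run it against a few lines captured from the collector to check that the header and extension fields land where the SIEM's parser expects them; the non-CEF line shows how unrelated traffic on the same port is skipped rather than mis-parsed.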

To enable integration via SentinelOne APIs

The following instructions are only available to users that have at least 1 tenant licensed for Capture Client Premier. Capture Client Advanced users are required to reach out to our support team to get the working API details. Please note that using the integration via APIs feature means that you accept SentinelOne’s Terms of Service.

  1. Create a new MSW user specifically for the API integration – recommended for audit purposes
  2. Ensure that the user has been configured with the right permissions based on what needs to be integrated
    1. Please refer to the documentation from the platform you’re integrating with. Most integrations will require Admin permissions – SentinelOne offers other roles, but SonicWall supports only the Admin and Viewer roles at this time.
    2. If multiple tenants need to be integrated, ensure that the new user has been added to the relevant User Groups in MSW to give them access to all applicable tenants
    3. If you have access to the Account scope and will require integration with ALL tenants in your Account, then please reach out to SonicWall Support to enable the new user as an Account Administrator.
  3. Login to the Capture Client console with the new user
  4. Click on the profile logo for the user and select the option “Generate S1 API Token”, as in the image below
  5. On the next popup screen, copy the API token, store it securely, and make a note of the expiry date
    1. SonicWall does not monitor the expiry of the token; when it expires, you will need to generate a new token.
    2. You can also revoke the token at any time from the user profile menu if it has been compromised.

Image Image
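Because SonicWall does not monitor token expiry, the team that owns the integration needs its own reminder. The script below is an added example (not SonicWall's or SentinelOne's code) of one way to do that: the token itself goes into the secrets store of your choice, and only a short SHA-256 fingerprint, the tenant name and the expiry date noted from the popup are kept as metadata, so a periodic job can report which tokens are expiring without ever handling the secret. The 14-day warning window and the sample tokens are constructed for the example.

```python
"""Track API token expiry without persisting the token itself.
Added example, not product code; WARN_DAYS and the sample records are constructed."""
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

WARN_DAYS = 14  # constructed policy: report "expiring" this many days before expiry


def token_fingerprint(token: str) -> str:
    """Short SHA-256 prefix so a record can be matched to a token without storing it.
    The prefix identifies the token; it cannot be used in place of it."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]


def make_record(token: str, tenant: str, expires_at: str) -> Dict[str, str]:
    """Metadata to keep beside the vault entry. expires_at is the expiry date shown
    in the console popup, written as ISO 8601 (e.g. 2024-06-01T00:00:00+00:00)."""
    datetime.fromisoformat(expires_at)  # raises ValueError on a malformed date
    return {"tenant": tenant, "fingerprint": token_fingerprint(token), "expires_at": expires_at}


def token_status(record: Dict[str, str], now: datetime, warn_days: int = WARN_DAYS) -> str:
    """'expired', 'expiring' (inside the warning window) or 'ok'."""
    expires = datetime.fromisoformat(record["expires_at"])
    if expires.tzinfo is None:               # treat naive dates as UTC
        expires = expires.replace(tzinfo=timezone.utc)
    if now >= expires:
        return "expired"
    if now + timedelta(days=warn_days) >= expires:
        return "expiring"
    return "ok"


def report(records: List[Dict[str, str]], now: datetime) -> Dict[str, str]:
    """Per-tenant status, suitable for a daily job that opens a ticket for anything not 'ok'."""
    return {r["tenant"]: token_status(r, now) for r in records}


if __name__ == "__main__":
    # Constructed sample tokens; in practice the token comes from the vault, never from source.
    records = [
        make_record("sample-token-a", "tenant-a", "2024-06-01T00:00:00+00:00"),
        make_record("sample-token-b", "tenant-b", "2024-01-20T00:00:00+00:00"),
    ]
    print(json.dumps(records, indent=2))   # safe to log: contains fingerprints only
    print(report(records, datetime.now(timezone.utc)))
```

Rotate a token that reports "expiring" before it expires, generate the replacement with the dedicated integration user as described above, and update the record's fingerprint and expiry date; the old token should then be revoked from the user profile menu rather than left to lapse.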
