Capture Client is the unified client offering from SonicWall that includes the best-in-class NGAV and endpoint threat management technology from SentinelOne. As part of this offering, SonicWall also supports integration with multiple third-party log management and security operations platforms (SIEM/XDR/MDR) through the out-of-the-box SentinelOne integrations that those vendors provide. All third-party integrations typically involve one or both of the following mechanisms:
Log Collection via Syslog
Integration via SentinelOne APIs (only for Capture Client Premier customers)
Note: If you would like to take advantage of this capability, confirm with your platform vendor that it supports SentinelOne out of the box before attempting these integrations. SonicWall does not offer any custom integration features or services.
To enable log collection via Syslog for a single Tenant
1. Log in to the Capture Client console.
2. Change your scope to the tenant whose logs you want to integrate with the platform.
3. Navigate to Management -> Tenant Settings.
4. In the wizard, on Step 3, configure the Syslog Settings on the screen as shown below:
To enable log collection via Syslog for an Account
For multi-tenant administrators that have access to the Account scope, this setting can be enforced at the account level for ALL tenants by using the “Inheritance” switch on this screen. To configure the Syslog settings at the Account scope, change to the Account scope and navigate to Management -> Syslog Settings, as in the screen below:
To enable integration via SentinelOne APIs
The following instructions apply only to users that have at least 1 tenant licensed for Capture Client Premier. Please note that use of the API integration feature means that you accept SentinelOne’s Terms of Service.
1. Create a new MSW user specifically for the API integration; this is recommended for audit purposes.
2. Ensure that the user has been configured with the right permissions based on what needs to be integrated. Please refer to the documentation of the platform you are integrating with. Most integrations require Admin permissions; SentinelOne offers other roles, but SonicWall only supports the Admin and Viewer roles at this time.
3. If multiple tenants need to be integrated, ensure that the new user has been added to the relevant User Groups in MSW to give them access to all applicable tenants. If you have access to the Account scope and require integration with ALL tenants in your Account, please reach out to SonicWall Support to enable the new user as an Account Administrator.
4. Log in to the Capture Client console with the new user.
5. Click on the profile logo for the user and select the option “Generate S1 API Token”, as shown in the image here.
6. On the next popup screen, copy the API token, store it securely, and make a note of the expiry date.
SonicWall does not monitor the expiry of the token; when it expires, you will need to generate a new token.
You can also revoke the token at any time from the user profile menu, for example if it has been compromised.
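The steps above leave the operator holding a long-lived API token and a noted expiry date, with no reminder from SonicWall when it lapses. The following added example (not code from SonicWall, SentinelOne or the article) shows the defensive handling a practitioner would want on the SIEM side: the token and its recorded expiry live in environment variables rather than in source, an expired token is refused and a soon-to-expire one is flagged, and requests carry the token only in the Authorization header. The header form `Authorization: ApiToken <token>`, the `/web/api/v2.1/activities` path and the `cursor`/`pagination.nextCursor` pagination are assumptions about SentinelOne's management API and should be checked against SentinelOne's own API reference; the sample pages served by `fake_opener` are constructed so the example runs offline.

```python
"""Added example (not from the SonicWall article): defensive handling of a
SentinelOne API token generated from the Capture Client console.

Assumptions, labelled here because the article does not state them:
  - the token and the expiry date noted at generation time are stored outside
    the code, in the S1_API_TOKEN and S1_API_TOKEN_EXPIRES (YYYY-MM-DD)
    environment variables;
  - the SentinelOne management API authenticates with the header
    "Authorization: ApiToken <token>" and paginates with a "cursor" query
    parameter and a "pagination.nextCursor" field in the JSON reply, as for
    /web/api/v2.1/activities (confirm against SentinelOne's API reference).
"""
import contextlib
import json
import os
import urllib.request
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

WARN_DAYS = 14  # start warning this many days before the recorded expiry date


class TokenExpired(RuntimeError):
    """The stored token is past the expiry date the operator recorded."""


def token_status(expires_on: str, today: str, warn_days: int = WARN_DAYS) -> str:
    """Return "expired", "expiring" or "ok" from two ISO dates (YYYY-MM-DD)."""
    remaining = (date.fromisoformat(expires_on) - date.fromisoformat(today)).days
    if remaining < 0:
        return "expired"
    if remaining <= warn_days:
        return "expiring"
    return "ok"


def load_token(env: Optional[Dict[str, str]] = None, today: Optional[str] = None) -> Tuple[str, str]:
    """Read the token and its expiry from the environment, refusing an expired one."""
    env = dict(os.environ) if env is None else env
    today = date.today().isoformat() if today is None else today
    token, expires_on = env.get("S1_API_TOKEN"), env.get("S1_API_TOKEN_EXPIRES")
    if not token or not expires_on:
        raise RuntimeError("set S1_API_TOKEN and S1_API_TOKEN_EXPIRES (the date noted at generation)")
    status = token_status(expires_on, today)
    if status == "expired":
        raise TokenExpired(f"token expired on {expires_on}; generate a new one in the Capture Client console")
    return token, status


def build_request(base_url: str, path: str, token: str, params: Optional[Dict] = None) -> urllib.request.Request:
    """Build a GET carrying the ApiToken header; None-valued params are dropped from the query."""
    url = base_url.rstrip("/") + path
    query = {k: v for k, v in (params or {}).items() if v is not None}
    if query:
        url += "?" + urlencode(query)
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", "ApiToken " + token)  # token travels only in this header
    req.add_header("Accept", "application/json")
    return req


def fetch_all(base_url: str, path: str, token: str,
              opener: Callable = urllib.request.urlopen, page_size: int = 100, **filters) -> List[dict]:
    """Follow pagination.nextCursor until the endpoint reports no further page."""
    items: List[dict] = []
    cursor = None
    while True:
        req = build_request(base_url, path, token, {"limit": page_size, "cursor": cursor, **filters})
        with contextlib.closing(opener(req)) as resp:
            body = json.loads(resp.read().decode("utf-8"))
        items.extend(body.get("data", []))
        cursor = (body.get("pagination") or {}).get("nextCursor")
        if not cursor:
            return items


# Constructed stand-in for the console so the example runs without network access.
SAMPLE_PAGES = {
    None: {"data": [{"id": "a1", "primaryDescription": "constructed sample"},
                    {"id": "a2", "primaryDescription": "constructed sample"}],
           "pagination": {"nextCursor": "page2", "totalItems": 3}},
    "page2": {"data": [{"id": "a3", "primaryDescription": "constructed sample"}],
              "pagination": {"nextCursor": None, "totalItems": 3}},
}


class _FakeResponse:
    def __init__(self, payload: dict) -> None:
        self._raw = json.dumps(payload).encode("utf-8")

    def read(self) -> bytes:
        return self._raw

    def close(self) -> None:
        pass


def fake_opener(req: urllib.request.Request) -> _FakeResponse:
    """Serve SAMPLE_PAGES by cursor, rejecting requests that lack the ApiToken header."""
    auth = req.get_header("Authorization") or ""
    if not auth.startswith("ApiToken "):
        raise PermissionError("401: missing ApiToken header")
    cursor = parse_qs(urlparse(req.full_url).query).get("cursor", [None])[0]
    return _FakeResponse(SAMPLE_PAGES[cursor])


def demo_offline() -> List[str]:
    """Run the whole flow against the constructed pages; returns the activity ids seen."""
    token, status = load_token({"S1_API_TOKEN": "constructed-token", "S1_API_TOKEN_EXPIRES": "2099-01-01"})
    activities = fetch_all("https://console.example.invalid", "/web/api/v2.1/activities", token,
                           opener=fake_opener, page_size=2)
    return [a["id"] for a in activities]


if __name__ == "__main__":
    print(demo_offline())  # offline: ['a1', 'a2', 'a3']
```

Against a real console you would call `fetch_all` with the default `urllib.request.urlopen` opener and the console URL; the `status` returned by `load_token` is what a scheduled collector should surface ("expiring") so that the token is regenerated before the noted date rather than discovered missing when collection silently stops, and revoking the token in the console invalidates it regardless of the date recorded here.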