SentinelOne Integration
Forward database audit events to SentinelOne Singularity platform. Correlate database activity with endpoint detection for unified XDR threat visibility and Storyline analysis.
XDR Platform
Unified detection across endpoints, cloud, and now database activity for complete visibility.
Deep Visibility
Query database events alongside endpoint telemetry for comprehensive threat hunting.
Storylines
Automatic attack chain correlation linking database access to endpoint behavior.
Configuration Reference
1 Connection Settings
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | Yes | - | A unique name for this SIEM connection (e.g., "sentinelone-prod") |
| provider | select | Yes | sentinelone | SIEM provider - select "SentinelOne" |
| enabled | boolean | No | true | Enable or disable event forwarding |
| console_url | string | Yes | - | SentinelOne console URL (e.g., "https://usea1.sentinelone.net") |
| api_token | password | Yes | - | SentinelOne API token with event ingestion permissions |
2 SentinelOne-Specific Settings
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| site_id | string | No | - | Target site ID for events (optional, defaults to account level) |
| account_id | string | Yes | - | SentinelOne account ID |
| event_source | string | No | DBaudit | Event source identifier for Deep Visibility |
| custom_detection | boolean | No | true | Create custom detection rules from critical events |
3 Event Filtering
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| event_types | multiselect | No | all | Event types to forward: audit_events, alerts, ai_detections, policy_violations, classification_findings |
| severity_filter | multiselect | No | all | Filter by severity: critical, warning, info |
| database_filter | array | No | - | Limit to specific databases (empty = all databases) |
4 Batching & Reliability
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| batch_size | number | No | 100 | Number of events per batch (1-1000) |
| flush_interval_seconds | number | No | 30 | Maximum time between flushes (5-300 seconds) |
| retry_attempts | number | No | 3 | Number of retry attempts on failure |
Setup Instructions
1
Create API Token
Generate an API token in SentinelOne with required permissions.
# Create API Token in SentinelOne:
# 1. Log in to SentinelOne Management Console
# 2. Navigate to Settings → Users
# 3. Select your user or create a service account
# 4. Go to Options → API Token Operations
# 5. Click "Generate API Token"
# 6. Copy the generated token
# Required API permissions:
# - Remote Script Orchestration
# - Deep Visibility
# - Custom Detection Rules (optional)
# - Threat Intelligence (for correlation)
# Console URL depends on your region:
# - US East: https://usea1.sentinelone.net
# - US West: https://uswe1.sentinelone.net
# - EU: https://euce1.sentinelone.net
# - APAC: https://apac1.sentinelone.net
2
Test API Connection
Verify the API token and console URL are working correctly.
# Test SentinelOne API connection
curl -X GET "https://usea1.sentinelone.net/web/api/v2.1/system/status" \
-H "Authorization: ApiToken YOUR_API_TOKEN" \
-H "Content-Type: application/json"
# Get account info
curl -X GET "https://usea1.sentinelone.net/web/api/v2.1/accounts" \
-H "Authorization: ApiToken YOUR_API_TOKEN" \
-H "Content-Type: application/json"
# Test event ingestion (Custom Events API)
curl -X POST "https://usea1.sentinelone.net/web/api/v2.1/cloud-detection/events" \
-H "Authorization: ApiToken YOUR_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"data": [{
"eventType": "Custom",
"eventSource": "DBaudit",
"customFields": {"test": "event"}
}]
}'
3
Configure in DB Audit
Add the SentinelOne integration in the DB Audit dashboard.
- Navigate to Integrations → SIEM in DB Audit
- Click Add SIEM Integration
- Select SentinelOne as the provider
- Enter your console URL and API token
- Enter your account ID and optional site ID
- Select event types to forward
- Test the connection and save
4
Create Custom Detection Rules (Optional)
Create custom detection rules for database security threats.
// SentinelOne Custom Detection Rule
// Singularity → Custom Detection Rules → Add Rule
Rule Name: DB Audit - Suspicious Data Exfiltration
Description: Detects queries returning large amounts of sensitive data
// Query
EventType = "Custom"
AND EventSource = "DBaudit"
AND CustomFields.action_type = "SELECT"
AND CustomFields.rows_affected > 10000
AND CustomFields.contains_pii = true
// Rule Configuration
Severity: High
MITRE ATT&CK:
- Tactic: Collection (TA0009)
- Technique: Data from Information Repositories (T1213)
// Response Actions (Optional)
- Create Threat
- Notify SOC Team
- Isolate endpoint (if client IP matches agent)
// Alert Details
Include in alert:
- CustomFields.actor_user
- CustomFields.database
- CustomFields.client_ip
- CustomFields.rows_affected
Event Format
Events are sent to SentinelOne as custom events with structured data.
{
"eventType": "Custom",
"eventSource": "DBaudit",
"eventTime": "2024-01-15T10:30:45.123Z",
"accountId": "123456789",
"siteId": "987654321",
"customFields": {
"event_type": "audit_event",
"severity": "warning",
"database": "production-postgres",
"db_type": "postgresql",
"db_host": "db.example.com",
"actor_user": "app_user",
"client_ip": "10.0.1.50",
"application": "backend-api",
"action_type": "SELECT",
"object": "customers",
"schema": "public",
"statement": "SELECT * FROM customers WHERE...",
"rows_affected": 1500,
"contains_pii": true,
"data_types": ["email", "phone"]
},
"description": "Database audit event: SELECT on customers (1500 rows)"
}
Deep Visibility Queries
Use these queries to hunt for database-related threats in SentinelOne Deep Visibility.
// Deep Visibility Queries for DB Audit events
// All DB Audit events
EventType = "Custom" AND EventSource = "DBaudit"
// Filter by severity
EventType = "Custom" AND EventSource = "DBaudit" AND CustomFields.severity = "critical"
// Large data access patterns
EventType = "Custom" AND EventSource = "DBaudit"
AND CustomFields.action_type = "SELECT"
AND CustomFields.rows_affected > 10000
// Specific user activity
EventType = "Custom" AND EventSource = "DBaudit"
AND CustomFields.actor_user = "app_user"
// Failed authentication attempts
EventType = "Custom" AND EventSource = "DBaudit"
AND CustomFields.event_type = "auth_failure"
// PII access events
EventType = "Custom" AND EventSource = "DBaudit"
AND CustomFields.contains_pii = true
// Correlation with endpoint events
EventType IN ("Custom", "Process")
AND (
(EventSource = "DBaudit" AND CustomFields.client_ip = "10.0.1.50")
OR (SourceIP = "10.0.1.50")
)
Storyline Correlation Example
SentinelOne automatically correlates database events with endpoint activity into unified storylines.
// SentinelOne Storyline Correlation
// Threat Intelligence → Storylines
// Database activity correlated with endpoint behavior:
1. User authenticates to database server
- EventSource: DBaudit
- Event: auth_success
- User: app_user
- Client IP: 10.0.1.50
2. Large data query executed
- EventSource: DBaudit
- Event: SELECT query
- Rows: 15000
- Contains PII: true
3. Endpoint file write detected
- EventSource: SentinelOne Agent
- Event: File Created
- Path: C:\Users\app_user\data_export.csv
- Size: 2.5 MB
- Process: python.exe
4. Network exfiltration attempt
- EventSource: SentinelOne Agent
- Event: DNS Query
- Domain: suspicious-upload.com
// Automatic threat correlation creates unified storyline
Troubleshooting
Authentication failed (401)
Verify the API token is valid and not expired. Tokens may need to be regenerated periodically.
Account/Site ID not found
Check the account ID in Settings → Account Info. Site ID is optional but must be valid if provided.
Events not appearing in Deep Visibility
Custom events may take a few minutes to be indexed. Ensure the event source filter is set to "DBaudit".
Wrong console URL
Ensure the console URL matches your region. The URL should not include trailing slashes or paths.
Ready to Integrate with SentinelOne?
Start forwarding database audit events to Singularity in minutes.