Hi,

We are currently ingesting SentinelOne alert logs into SecOps. For this integration, we initially selected the Admin role from the default SentinelOne roles. However, our customer has raised concerns about this choice due to compliance reasons — specifically, they prefer not to assign full admin rights just for log collection.

Does anyone have recommendations on which default role would be best suited for this purpose, following best practices? Alternatively, could anyone share which specific permissions should be enabled to allow log access while maintaining a minimal permission approach?

Here is the list of default roles:
- Admin, C level, IR Team, Viewer, IT, SOC

Thanks in advance!

Hi

Can you please share whether this is SIEM or SOAR, the ingestion method(s) used, and, if SOAR, which version of the SentinelOne connector you are using?

Thanks


Hello @yasinmnk,

The steps below are for the SIEM integration; I hope this is what you were asking about.

As per my knowledge, you just need to do the following steps with permissions:
- Create a service user.
- Select Scope of Access as "Site".
- Assign the "Viewer" role permission and "Confirm Action".
- Generate an API token, and for the rest you can proceed with the feed in Google SecOps.


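Before handing the token from the service user above to the SecOps feed, it is worth confirming that it really is read-only. The script below is an added example and is not code from the original thread or from SentinelOne or Google: it probes the token against one read endpoint the alert feed relies on and one mitigation (write) endpoint, and reports whether the token behaves like a least-privilege collector (read succeeds, write is refused). The Management API paths `/web/api/v2.1/threats` and `/web/api/v2.1/threats/mitigate/kill`, the `Authorization: ApiToken <token>` header and the `{"filter": {"ids": [...]}}` request body are assumptions about the SentinelOne v2.1 API, as is the expectation that a Viewer-scoped token gets HTTP 401 or 403 on the write call. The HTTP call is injectable so the check runs offline against constructed responses; `urllib_fetch` is what you would pass for a live run.

```python
"""Least-privilege smoke test for a SentinelOne API token.

Added example, not from the original thread. Assumptions (not confirmed by
the post): the v2.1 API paths below, the "ApiToken" auth scheme, the mitigate
request body shape, and that a Viewer token is refused on mitigation calls.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# One read endpoint the SecOps alert feed needs, and one write endpoint the
# collector token must NOT be allowed to use (assumed v2.1 paths).
READ_PATH = "/web/api/v2.1/threats"
WRITE_PATH = "/web/api/v2.1/threats/mitigate/kill"

# fetch(method, url, headers, body) -> (status, body)
Fetcher = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def auth_headers(token: str) -> Dict[str, str]:
    """SentinelOne expects the raw token with the 'ApiToken' scheme (assumed)."""
    return {"Authorization": f"ApiToken {token}", "Content-Type": "application/json"}


def urllib_fetch(method: str, url: str, headers: Dict[str, str],
                 body: Optional[bytes]) -> Tuple[int, bytes]:
    """Live HTTP fetcher; error statuses are returned, not raised."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check_token(host: str, token: str, fetch: Fetcher = urllib_fetch) -> Dict[str, object]:
    """Probe read and write access and classify the token.

    The write probe targets a threat id that cannot exist ("0"), so even an
    over-privileged token performs no real mitigation; we only look at the
    HTTP status to learn whether the role permits the action.
    """
    headers = auth_headers(token)
    read_status, read_body = fetch("GET", f"https://{host}{READ_PATH}?limit=1", headers, None)
    probe = json.dumps({"filter": {"ids": ["0"]}}).encode()  # assumed body shape
    write_status, _ = fetch("POST", f"https://{host}{WRITE_PATH}", headers, probe)

    can_read = read_status == 200
    alerts_seen = 0
    if can_read:
        try:
            alerts_seen = len(json.loads(read_body.decode()).get("data", []))
        except (ValueError, AttributeError):
            alerts_seen = 0
    write_denied = write_status in (401, 403)
    return {
        "can_read": can_read,
        "alerts_seen": alerts_seen,
        "write_status": write_status,
        "write_denied": write_denied,
        "least_privilege_ok": can_read and write_denied,
    }


def make_fake_fetch(write_status: int) -> Fetcher:
    """Offline stand-in for the API: constructed responses, no network.

    The threat record below is made up for the example; it only needs to
    look like a v2.1 list response with a 'data' array.
    """
    constructed_threats = {"data": [{"id": "123", "threatInfo": {"threatName": "EICAR-Test"}}]}

    def fake_fetch(method: str, url: str, headers: Dict[str, str],
                   body: Optional[bytes]) -> Tuple[int, bytes]:
        if not headers.get("Authorization", "").startswith("ApiToken "):
            return 401, b'{"errors":[{"title":"Unauthorized"}]}'
        if method == "GET" and READ_PATH in url:
            return 200, json.dumps(constructed_threats).encode()
        if method == "POST" and WRITE_PATH in url:
            return write_status, b"{}"
        return 404, b"{}"

    return fake_fetch


if __name__ == "__main__":
    # Viewer-style token: read works, mitigation refused -> acceptable for a collector.
    print(check_token("example.sentinelone.net", "viewer-token", make_fake_fetch(403)))
    # Admin-style token: mitigation would succeed -> over-privileged for log collection.
    print(check_token("example.sentinelone.net", "admin-token", make_fake_fetch(200)))
```

For a live run, call `check_token("<your-console-host>", token)` with the default fetcher; if `least_privilege_ok` comes back `False` because `write_denied` is `False`, the token can change endpoint state and should not be the one configured on the feed.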