How Red Canary Works with SentinelOne
    • 18 Nov 2025
    • 4 Minutes to read

    Red Canary’s integration with the SentinelOne Singularity Engine begins with Red Canary connecting to SentinelOne through a data-streaming product called Cloud Funnel. Created in partnership between Red Canary and SentinelOne's engineering teams, Cloud Funnel allows us to stream deep-visibility telemetry from SentinelOne into the Red Canary engine. In addition, Cloud Funnel is an XDR data lake that utilizes an Amazon S3 Bucket to enable Red Canary to tap into your telemetry stream.

    While most SentinelOne integrations are focused on the alerts generated by the platform, Red Canary’s low-level integration ingests both the alerts and raw telemetry generated by the SentinelOne Sentinel Agent. This telemetry is processed and analyzed by the Red Canary platform and then by our Cyber Incident Response Team (CIRT) to confirm and investigate threats while eliminating false positives. This combination of SentinelOne, telemetry, and Red Canary’s detection and response delivers the best security outcomes for SentinelOne users.

    Integration Methods

    For maximum flexibility, Red Canary gives you two ways to integrate with SentinelOne.

    Integration Method 1: Cloud Funnel exports to Red Canary's AWS S3 Bucket
    SentinelOne data is sent directly to Red Canary.

    Integration Method 2: Cloud Funnel exports to a non-Red Canary AWS S3 Bucket
    Red Canary retrieves SentinelOne data from your own AWS S3 bucket.

    For more details about these two integration methods, see Integrate SentinelOne Cloud Funnel with Red Canary.

    FAQ


    What Red Canary automation actions are available for SentinelOne?

    Currently, the following automation actions are available for SentinelOne:

    • Ban File Hashes (IOC)

    • Ban IP Addresses (IOC)

    • Isolate Endpoint

    • Deisolate Endpoint

    • Collect Forensics

    Note that the Collect Forensics action requires you to activate an add-on in SentinelOne. See Collect a Forensics Package for more information.

    What kind of SentinelOne data does Red Canary process?

    We receive all the data collected by your SentinelOne agents, as well as a number of system events generated by the SentinelOne Singularity platform. Telemetry that is visible in SentinelOne Deep Visibility (Endpoint telemetry) is used for detection purposes, whereas several system events become audit logs in the Red Canary platform.

    What happens to my SentinelOne alerts when I activate Red Canary?

    Every alert generated by SentinelOne's detection rules is consumed by Red Canary and provided to you in the Alerts feature of the Red Canary platform. Alerts are reviewed by Red Canary's Cyber Incident Response Team (CIRT), who add additional context to confirmed alerts to accelerate your response.

    What are the networking requirements for SentinelOne?

    If you’re leveraging Red Canary’s SentinelOne environment, log in to the Management Console and read the following document to learn about the network requirements for your sensors to communicate properly and behave as expected:

    Services and Ports for Management

    If you’re using your own environment, you can find the document via the Help link in the SentinelOne top menu.

    How do I deploy my Virtual Desktop Infrastructure?

    If you’re leveraging Red Canary’s SentinelOne environment, log in to the Management Console and read the following documents to learn more about installing, deploying, and configuring your VDI:

    VDI and VM deployment
    Installing Windows Agents on VM or VDI

    If you’re using your own environment, you can find these documents via the Help link in the SentinelOne top menu.

    How do I install SentinelOne Agents?

    If you’re leveraging Red Canary’s SentinelOne environment, log in to the Management Console and read the following documents to learn more about installing SentinelOne Agents:

    Installing Agents on Windows Endpoints
    Installing Agents on macOS Endpoints
    Installing and Upgrading macOS Agents with Jamf

    If you’re using your own environment, you can find these documents via the Help link in the SentinelOne top menu.

    How do I uninstall EDR Agents from the Command Line Interface (CLI)?

    If you’re leveraging Red Canary’s SentinelOne environment, log in to the Management Console and read the following documents to learn more about uninstalling EDR Agents from the CLI or via the Management Console:

    Uninstalling Agents from the CLI
    Uninstalling Agents from the Management Console

    If you’re using your own environment, you can find these documents via the Help link in the SentinelOne top menu.

    Can Red Canary assist with setting up SentinelOne Cloud Funnel to export its data to my own S3 bucket?

    Setting up SentinelOne Cloud Funnel to export its data to a customer-owned S3 bucket is an advanced configuration that is dependent on your individual cloud environment. Red Canary does not provide assistance with this setup. If you have any questions or encounter issues, we recommend reaching out to SentinelOne Support for guidance and to ensure your SentinelOne account is properly configured before integrating it with Red Canary.
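    Integration Method 2 above and this answer both concern a customer-owned S3 bucket that a third party reads from. The following is an added illustration, not Red Canary's or SentinelOne's configuration and not a substitute for the integration guide or SentinelOne Support: it builds a least-privilege bucket policy that lets a single external principal list and fetch objects under one prefix, and audits a policy for the grants you do not want on a telemetry bucket (any-principal access, non-read actions, unscoped resources). The bucket name, the reader role ARN, and the `cloud-funnel/` prefix are placeholders; the real principal and any further requirements come from the parties you are integrating with.

```python
import json
from typing import Any, Dict, List

# Placeholder values, not taken from the article: substitute the bucket you
# configured as the Cloud Funnel destination and the principal ARN the
# retrieving party asks you to trust.
BUCKET_NAME = "example-cloud-funnel-bucket"
READER_PRINCIPAL_ARN = "arn:aws:iam::111111111111:role/placeholder-retriever-role"

# The only actions a telemetry consumer needs: enumerate keys and fetch objects.
READ_ONLY_ACTIONS = {"s3:ListBucket", "s3:GetObject"}


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_read_only_bucket_policy(bucket: str, reader_arn: str, prefix: str = "") -> Dict[str, Any]:
    """Bucket policy granting one external principal list + read on one bucket (optionally one prefix)."""
    statements: List[Dict[str, Any]] = [
        {
            "Sid": "AllowListForRetriever",
            "Effect": "Allow",
            "Principal": {"AWS": reader_arn},
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{bucket}",
        },
        {
            "Sid": "AllowGetForRetriever",
            "Effect": "Allow",
            "Principal": {"AWS": reader_arn},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        },
    ]
    if prefix:
        # Restrict listing to the exported prefix as well, so the reader cannot
        # enumerate other keys that happen to live in the same bucket.
        statements[0]["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}*"]}}
    return {"Version": "2012-10-17", "Statement": statements}


def audit_bucket_policy(policy: Dict[str, Any]) -> List[str]:
    """Return one finding per Allow grant broader than read-only access for a named principal."""
    findings: List[str] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # explicit Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal_values = [v for vals in principal.values() for v in _as_list(vals)]
        else:
            principal_values = _as_list(principal)
        if "*" in principal_values:
            findings.append(f"{sid}: grants access to any AWS principal")
        for action in _as_list(stmt.get("Action")):
            if action not in READ_ONLY_ACTIONS:
                findings.append(f"{sid}: action {action} is not read-only")
        for resource in _as_list(stmt.get("Resource")):
            if resource in ("*", "arn:aws:s3:::*"):
                findings.append(f"{sid}: resource {resource} is not scoped to one bucket")
    return findings


if __name__ == "__main__":
    policy = build_read_only_bucket_policy(BUCKET_NAME, READER_PRINCIPAL_ARN, prefix="cloud-funnel/")
    print(json.dumps(policy, indent=2))
    print("findings:", audit_bucket_policy(policy))
```

    Run the audit against the policy you actually attach (for example, the JSON returned by `aws s3api get-bucket-policy`) rather than only against the generated one; an empty findings list means the bucket grants nothing beyond list and read to the principals named in it.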

    Why don’t I land on the search results page when I follow a SentinelOne link in the Red Canary portal?

    The Red Canary platform provides links to the source EDR platform that make it easy to investigate noted entities and activities. For SentinelOne, you must follow these steps in order to be successfully redirected with the appropriate query parameters set when you click a link in Red Canary.

    1. Log in to the SentinelOne Management Console, open the user profile dropdown in the menubar, then click My User.

    2. In the Feature Preferences section, make sure Change Deep Visibility Mode is set to “Enhanced.”

    3. Navigate to the Enhanced Visibility page.

      Visiting this page will update your browser cookies to enable subsequent redirects from Red Canary to SentinelOne.
