- 29 Aug 2024
Integrate SentinelOne Cloud Funnel 2.0 with Red Canary
SentinelOne Cloud Funnel 2.0 represents a significant advancement in data sharing capabilities, providing a robust foundation for enhanced threat detection and response. By integrating this powerful tool with Red Canary’s advanced threat hunting and incident response capabilities, organizations can significantly strengthen their security posture.
To integrate SentinelOne Cloud Funnel 2.0 with Red Canary, follow the procedure from beginning to end.
Prerequisites
- Your SentinelOne user must have admin-level access.
- Your SentinelOne tenant must have Cloud Funnel 2.0 enabled.
- You must have Alert State sync enabled on your SentinelOne external alert source.
Ensure that Cloud Funnel 2.0 is enabled in your SentinelOne account before you begin.
Step 1: SentinelOne–Validate that Cloud Funnel 2.0 is available and enabled in SentinelOne
1. Log in to your SentinelOne admin account.
2. From the SentinelOne navigation menu, click Settings.
3. Click the Accounts tab, and then click the (action) next to the account being integrated with Red Canary.
4. On the edit account page, review the Add-ons section.
5. If visible, select Cloud Funnel.
6. If Cloud Funnel is not visible, submit a support case to SentinelOne to request that they make Cloud Funnel 2.0 visible in your account.
7. Click Save Changes.
Step 2: SentinelOne–Provide Red Canary access to your SentinelOne environment
Red Canary requires access to your SentinelOne account for our customer security operations team to provide quality service.
1. Log in to your SentinelOne admin account.
2. From the SentinelOne navigation menu, select the account you want Red Canary to access.
3. Click SETTINGS.
4. Click the USERS tab.
5. Click Console Users.
6. Click the Actions dropdown.
7. Click Add New User.
8. For the Full Name field, enter Red Canary Access.
9. For the Email Address field, enter the email address that Red Canary provided to you by email.
10. Click Next.
11. From the Access Level section, select the appropriate level of access, Site or Account.
12. Type and then select the account or site name that Red Canary is gaining access to.
13. From the viewer dropdown, select Admin.
14. Click Create User.
Note: Once the service account is created, Red Canary will create an additional Viewer level service account for our Customer Security Operations (CSO) team. If you have purchased Active Remediation, Red Canary will also create an Incident Response (IR) Team level service account.
Step 3: SentinelOne–Locate your SentinelOne Credentials
You will need three pieces of information in order to connect SentinelOne Cloud Funnel 2.0 to Red Canary.
1. Log in to your SentinelOne admin account.
2. From your address bar, copy the URL, and then save the host portion as your SentinelOne Management API Host. You'll use this in a later step.
   Example: https://usea1-100-abc.sentinelone.net
3. From the SentinelOne navigation menu, click Sentinels.
4. Click the ACCOUNT INFO tab.
5. Copy and then save the Account ID. You'll use this in a later step.
6. From the SentinelOne navigation menu, click Settings.
7. Click your user profile dropdown, and then click My User.
8. Click the Options dropdown.
9. Click Generate API Token.
10. Copy and then save the API Token. You'll use this in a later step.
11. Click Close.
Step 4: Red Canary–Enter your SentinelOne credentials
Enter your SentinelOne credentials to configure telemetry streaming in Red Canary.
1. From your Red Canary homepage, click Integrations. If you do not see the required integration, click See all integrations.
2. In the search bar, type and then select SentinelOne with Cloud Funnel 2.0.
3. Click Configure.
4. Enter your SentinelOne Management Account ID from Step 3.5.
5. Enter your SentinelOne Management API Token from Step 3.10.
6. Enter your SentinelOne Management API Host from Step 3.2.
7. Select a SentinelOne Account Type.
   This will most likely be an Account Type of Account for most integrations. However, if the configured tenant is set up as a site-level tenant, select Site.
8. Click Save.
Note: API credentials expire every 30 days. Red Canary utilizes automation that updates the API token for the SentinelOne telemetry integration as well as for the Singularity alert source integration.
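A pre-flight check for the three values collected in Step 3 before they are entered in Step 4, added here as an example; it is not Red Canary's or SentinelOne's own tooling. It reduces whatever was copied from the address bar to the bare Management API Host, and assumes the SentinelOne Management API v2.1 `accounts` endpoint with the `ApiToken` authorization header to confirm the token can see the Account ID; the sample response is constructed for offline use.

```python
"""Pre-flight validation of the SentinelOne values from Step 3 (added example)."""
import json
import re
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Assumption: management consoles live under sentinelone.net, as in the Step 3 example.
HOST_RE = re.compile(r"^[a-z0-9-]+\.sentinelone\.net$")


def normalize_api_host(copied_url: str) -> str:
    """Turn a URL copied from the address bar (which may carry a path such as
    /dashboard) into the scheme + host that Red Canary expects as API Host."""
    parsed = urlparse(copied_url.strip())
    host = (parsed.netloc or parsed.path.split("/")[0]).lower()
    if not HOST_RE.match(host):
        raise ValueError(f"not a SentinelOne management host: {host!r}")
    return f"https://{host}"


def build_accounts_request(api_host: str, api_token: str) -> Request:
    """Assumed endpoint and header per SentinelOne Management API v2.1 conventions;
    verify against your tenant's API documentation."""
    return Request(
        f"{api_host}/web/api/v2.1/accounts",
        headers={"Authorization": f"ApiToken {api_token.strip()}",
                 "Accept": "application/json"},
    )


def account_visible(accounts_json: str, account_id: str) -> bool:
    """True when the Account ID saved in Step 3.5 appears in the accounts
    listing, i.e. the token from Step 3.10 is scoped to the right account."""
    data = json.loads(accounts_json).get("data", [])
    return any(str(acct.get("id")) == str(account_id).strip() for acct in data)


def check_credentials(copied_url: str, account_id: str, api_token: str) -> bool:
    """Live check: returns True only if host, token and account ID agree."""
    host = normalize_api_host(copied_url)
    with urlopen(build_accounts_request(host, api_token), timeout=15) as resp:
        return account_visible(resp.read().decode(), account_id)


# Constructed sample response (not real tenant data) for offline testing.
SAMPLE_RESPONSE = json.dumps(
    {"data": [{"id": "1234567890123456789", "name": "Example Corp"}]}
)
```

Run `check_credentials()` with the real values once; a False result means the token and Account ID do not belong together and the Step 4 configuration would fail.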