- 10 Dec 2024
Integrate SentinelOne Cloud Funnel with Red Canary
SentinelOne Cloud Funnel streams SentinelOne endpoint telemetry to an AWS S3 bucket. Red Canary ingests that telemetry from the bucket and uses it, alongside the alerts SentinelOne itself raises, for threat detection and response. This page walks through connecting Cloud Funnel to Red Canary for either a Red Canary-owned bucket or a bucket in your own AWS account.
Prerequisites
The prerequisites for a Red Canary SentinelOne Cloud Funnel integration vary according to your existing configuration. Red Canary offers two methods to integrate with SentinelOne, depending on how Cloud Funnel is currently configured. Choose the strategy that aligns with your existing data handling to ensure that SentinelOne data flows seamlessly to Red Canary.
Integration Method 1: Cloud Funnel exports to Red Canary's AWS S3 Bucket
This is the most common and straightforward approach, allowing SentinelOne data to be sent directly to Red Canary. The following prerequisites must be met:
Your SentinelOne user account must have Admin level access
Cloud Funnel must be enabled in your SentinelOne account to support the data export (see below)
You must have Alert State sync enabled on your SentinelOne external alert source
Integration Method 2: Cloud Funnel exports to a non-Red Canary AWS S3 Bucket
If your SentinelOne Cloud Funnel is already forwarding data to an AWS S3 bucket and you want Red Canary to retrieve it from there, additional AWS permissions are required. Please note that this integration method may result in increased AWS costs, as well as a more complex and time-intensive integration process. The following prerequisites must be met:
Your SentinelOne user account must have Admin level access
Cloud Funnel must be enabled in your SentinelOne account to support the data export (see below)
You must have Alert State sync enabled on your SentinelOne external alert source
The following AWS Permissions must be set to facilitate data flow:
Create SNS Topics for data event notifications to Red Canary
Create IAM Roles to securely manage access between AWS resources
Set S3 Bucket Notifications to trigger Red Canary data ingestion upon new data uploads
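The three AWS pieces listed above (an SNS topic, an S3 bucket notification, and the policy that lets S3 publish to the topic) as an added Python example. This is not Red Canary's or SentinelOne's code, and the account ID, region, bucket and topic names are placeholders. The output is the JSON you would hand to `aws sns set-topic-attributes` and `aws s3api put-bucket-notification-configuration`; the part worth checking in whatever you actually deploy is the topic policy, because a `sns:Publish` grant to the S3 service principal without `aws:SourceArn` and `aws:SourceAccount` lets any AWS account point its own bucket at your topic and inject fake "new data" notifications.

```python
"""Bucket-side plumbing for Integration Method 2: let S3 publish object-created
events to an SNS topic, and let nothing else publish to it.

Added example, not Red Canary's or SentinelOne's code. The account ID,
region, bucket and topic names below are placeholders.
"""
import json


def topic_policy(topic_arn: str, bucket: str, bucket_owner_account: str) -> dict:
    """SNS access policy: only the S3 service, and only on behalf of this bucket
    in this account. aws:SourceArn plus aws:SourceAccount is the confused-deputy
    guard; without it any account's bucket could publish to the topic."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowS3Publish",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "sns:Publish",
            "Resource": topic_arn,
            "Condition": {
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{bucket}"},
                "StringEquals": {"aws:SourceAccount": bucket_owner_account},
            },
        }],
    }


def bucket_notification(topic_arn: str, prefix: str = "") -> dict:
    """S3 NotificationConfiguration that fires on every new object, optionally
    limited to the key prefix Cloud Funnel writes under (prefix is a placeholder)."""
    cfg = {"TopicConfigurations": [{
        "Id": "cloud-funnel-new-object",
        "TopicArn": topic_arn,
        "Events": ["s3:ObjectCreated:*"],
    }]}
    if prefix:
        cfg["TopicConfigurations"][0]["Filter"] = {
            "Key": {"FilterRules": [{"Name": "prefix", "Value": prefix}]}}
    return cfg


def publish_is_guarded(policy: dict) -> bool:
    """True if every statement granting sns:Publish to a service principal pins
    both aws:SourceArn and aws:SourceAccount in its Condition."""
    for s in policy["Statement"]:
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        principal = s.get("Principal", {})
        if (s.get("Effect") == "Allow" and "sns:Publish" in actions
                and isinstance(principal, dict) and "Service" in principal):
            keys = {k for block in s.get("Condition", {}).values() for k in block}
            if not {"aws:SourceArn", "aws:SourceAccount"} <= keys:
                return False
    return True


if __name__ == "__main__":
    # Placeholder identifiers, constructed for the example.
    topic = "arn:aws:sns:us-east-2:111111111111:cloud-funnel-events"
    policy = topic_policy(topic, "my-cloud-funnel-bucket", "111111111111")
    print(json.dumps(policy, indent=2))
    print(json.dumps(bucket_notification(topic, prefix="funnel/"), indent=2))
    print("publish guarded:", publish_is_guarded(policy))
```

Run `publish_is_guarded` against the policy you actually attached (`aws sns get-topic-attributes` returns it under the `Policy` attribute as a JSON string) rather than against the one you meant to attach.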
How to make sure Cloud Funnel is enabled
Log in to the SentinelOne Management Console.
On the navigation menu, click Settings, go to the Accounts tab, and open the Actions menu next to the account being integrated with Red Canary.
On the Edit Account page, review the Add-ons section.
If the Cloud Funnel option is visible, make sure it’s selected
If the Cloud Funnel option isn’t visible, reach out to whomever you purchased your licenses through and request that they purchase and enable Cloud Funnel
Add the integration
From your Red Canary homepage, go to the Integrations page then click Add Integration.
On the Add integration dialog, search for the SentinelOne with Cloud Funnel integration then click Configure.
On the Red Canary configuration page, enter a name for the integration.
1. Choose the scope of the integration
On the Red Canary configuration page, set the scope of the integration to be either Account or Site.
Account - Ingest and monitor data from your entire SentinelOne tenant
Site - Ingest and monitor data from a single site within your SentinelOne tenant
Click Next.
2. Provide the SentinelOne account details
In the SentinelOne Management Console, make a note of the SentinelOne Management API Host URL from the browser address bar. For example:
https://usea1-canaria.sentinelone.net
On the navigation menu, click Settings then go to the Accounts tab or the Sites tab and click on the account or site you’re integrating.
On the navigation menu, click Sentinels then go to the Account Info or Site Info tab and copy the Account ID or Site ID.
On the Red Canary configuration page:
Enter the SentinelOne Management API Host URL in the API Host field.
Paste the copied ID into the Account ID or Site ID field.
Click Next.
3. Choose your Cloud Funnel configuration
3a. Is Cloud Funnel already configured for your SentinelOne Account?
Select the option that best matches your current data routing:
No - Choose this option if you’re following Integration Method 1 and Cloud Funnel isn’t already configured. For an Account-scoped integration, Red Canary will configure Cloud Funnel for you. For a Site-scoped integration, you must follow the steps in 3b. Enable Cloud Funnel to manually configure your SentinelOne site.
Yes, Cloud Funnel already exports to Red Canary's rc-sentinelone-us-east-2 AWS S3 Bucket - Choose this option if you’re following Integration Method 1 and Cloud Funnel is already configured (for example, if you’re onboarding additional sites).
Yes, Cloud Funnel already exports to a non-Red Canary AWS S3 Bucket - Choose this option if you’re following Integration Method 2 (your data is sent to an existing S3 bucket in your AWS account). For the additional required setup, follow the steps in 3b. Record information about the AWS S3 bucket where Cloud Funnel is already exporting data to and 3c. Provision an AWS IAM role that Red Canary will assume to read from the above AWS S3 bucket.
When you’ve completed any optional steps, click Next.
3b. Enable Cloud Funnel
OPTIONAL
You only need to complete this step if you’re doing a Site-scoped integration and Cloud Funnel isn’t already configured for your SentinelOne account.
Follow the instructions to configure Cloud Funnel in the SentinelOne Management Console.
When done, check the I’ve enabled Cloud Funnel box.
3b. Record information about the AWS S3 bucket where Cloud Funnel is already exporting data to
OPTIONAL
You only need to complete this step if Cloud Funnel already exports to a non-Red Canary AWS S3 Bucket (Integration Method 2).
Enter the details for your Cloud Funnel AWS S3 bucket and SNS Topic. For more information, please see the AWS documentation.
3c. Provision an AWS IAM role that Red Canary will assume to read from the above AWS S3 bucket
OPTIONAL
You only need to complete this step if Cloud Funnel already exports to a non-Red Canary AWS S3 Bucket (Integration Method 2).
Select either CloudFormation or Terraform to generate a template you can use to provision an AWS IAM role that will allow Red Canary to read from the S3 bucket you configured in Step 3b.
The generated template requests the following permissions, each for a specific purpose:

Permission - Needed for…

S3 bucket permissions requested on the provided bucket
s3:GetObjectAttributes - Fetching information about data in the bucket
s3:GetObject - Fetching data in the bucket
s3:ListBucket - Listing data in the bucket in case of troubleshooting or replay
s3:GetBucketNotification - Listing bucket SNS notification configurations in case of troubleshooting
s3:GetBucketLocation - Retrieving information about the bucket in order to fetch bucket data

SNS topic permissions requested on the provided topic
sns:Subscribe - Creating a subscription on the topic (limited in the policy so that only endpoints in the Red Canary AWS account can be subscribed)
sns:ListSubscriptionsByTopic - Seeing if Red Canary's queues are subscribed to the topic
sns:ConfirmSubscription - Confirming subscriptions after they’ve been created
sns:Unsubscribe - Removing subscriptions to the SNS topic in case of decommissioning

Nothing in this list grants write or delete access to the bucket, publish access to the topic, or access to any other resource; if the template you are about to apply contains more than this, stop and ask why.
Once the IAM role is set up in AWS, check the I’ve provisioned the IAM role red-canary-partner-access-s1cf with appropriate permissions box.
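Before ticking that box, it is worth knowing what the template grants. The following is an added Python example, not Red Canary's CloudFormation or Terraform output: it builds an equivalent trust policy and permissions policy from the permission list above, then audits any policy document against that list so you can check the generated template (converted to plain JSON) before applying it. The partner account ID, the ExternalId and the bucket and topic names are placeholders, and expressing the "Red Canary account only" subscription restriction with the `sns:Endpoint` and `sns:Protocol` condition keys is my assumption about how the template does it, not something the page states.

```python
"""Build and audit the IAM policy documents behind the red-canary-partner-access-s1cf role.

Added example; not Red Canary's generated template. The partner account ID,
ExternalId, bucket and topic names are placeholders.
"""
import json

# Exactly the actions the integration page lists. Anything else is a finding.
S3_BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketNotification", "s3:GetBucketLocation"}
S3_OBJECT_ACTIONS = {"s3:GetObject", "s3:GetObjectAttributes"}
SNS_ACTIONS = {"sns:Subscribe", "sns:ListSubscriptionsByTopic",
               "sns:ConfirmSubscription", "sns:Unsubscribe"}
ALLOWED_ACTIONS = S3_BUCKET_ACTIONS | S3_OBJECT_ACTIONS | SNS_ACTIONS


def trust_policy(partner_account_id: str, external_id: str) -> dict:
    """Who may assume the role: the partner account, and only when it presents
    the agreed ExternalId (the standard cross-account confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{partner_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(bucket: str, topic_arn: str, partner_account_id: str) -> dict:
    """Least-privilege grant: read the bucket, manage subscriptions on one topic."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Bucket-level actions bind to the bucket ARN itself ...
                "Sid": "BucketRead", "Effect": "Allow",
                "Action": sorted(S3_BUCKET_ACTIONS),
                "Resource": f"arn:aws:s3:::{bucket}"},
            {   # ... object-level actions bind to the objects inside it.
                "Sid": "ObjectRead", "Effect": "Allow",
                "Action": sorted(S3_OBJECT_ACTIONS),
                "Resource": f"arn:aws:s3:::{bucket}/*"},
            {   "Sid": "TopicInspect", "Effect": "Allow",
                "Action": sorted(SNS_ACTIONS - {"sns:Subscribe"}),
                "Resource": topic_arn},
            {   # Assumption: the page's "limited to the Red Canary account" restriction
                # is expressed by pinning the subscription endpoint to SQS queues in
                # the partner account, so the role cannot subscribe anything else.
                "Sid": "TopicSubscribePartnerQueuesOnly", "Effect": "Allow",
                "Action": ["sns:Subscribe"], "Resource": topic_arn,
                "Condition": {
                    "StringEquals": {"sns:Protocol": "sqs"},
                    "StringLike": {"sns:Endpoint": f"arn:aws:sqs:*:{partner_account_id}:*"},
                }},
        ],
    }


def audit(policy: dict) -> list:
    """Return a list of findings for any Allow statement that exceeds the page's list."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        resources = stmt.get("Resource", "*")
        resources = resources if isinstance(resources, list) else [resources]
        for a in actions:            # catches "s3:*", "s3:PutObject", "sns:Publish", ...
            if a not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: undocumented action {a}")
        for r in resources:          # catches "*", all buckets, all topics in a region
            if r == "*" or r.startswith("arn:aws:s3:::*") or r.endswith(":*"):
                findings.append(f"{sid}: unscoped resource {r}")
        if "sns:Subscribe" in actions:
            keys = {k for block in stmt.get("Condition", {}).values() for k in block}
            if "sns:Endpoint" not in keys:
                findings.append(f"{sid}: sns:Subscribe without an endpoint restriction")
    return findings


if __name__ == "__main__":
    # Placeholder identifiers, constructed for the example.
    pol = permissions_policy("my-cloud-funnel-bucket",
                             "arn:aws:sns:us-east-2:111111111111:cloud-funnel-events",
                             "222222222222")
    print(json.dumps(trust_policy("222222222222", "example-external-id"), indent=2))
    print(json.dumps(pol, indent=2))
    print("findings:", audit(pol) or "none")
```

`audit` is deliberately strict: it flags any action not in the table, any wildcard resource, and any `sns:Subscribe` that is not pinned to an endpoint, which is the check a reviewer would run on the generated template before the role goes live.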
4. Create and provide Red Canary with an API token
NOTE
The SentinelOne user for this step must have permission to generate API tokens. Please see the SentinelOne documentation for more information. The integration will no longer function if the user who created the token is disabled or has their permissions changed.
If you’re a consulting partner, your integration process for this step will be different. Please follow your partner provisioning documentation.
In the SentinelOne Management Console, open your user profile dropdown then click My User.
Open the Actions dropdown and select API Token Operations>Generate API Token.
NOTE
The SentinelOne Management Console might prompt you for two-factor authentication (2FA) in order to generate the token.
Click the link to copy the API Token.
On the Red Canary configuration page, paste the copied token into the API Token field.
Click Next.
NOTE
SentinelOne API tokens expire every 30 days. Red Canary will automatically renew the token via a service account.
5. Create a SentinelOne user account for Red Canary
Red Canary needs access to a SentinelOne Admin-level account in order to monitor the integration. Once the Admin account is created, Red Canary will automatically add an additional Viewer-level service account for our Customer Security Operations (CSO) team. If you’ve purchased Active Remediation, Red Canary will also create an Incident Response (IR) Team service account. These accounts will access your environment using the fewest permissions possible.
NOTE
If you’re a consulting partner, your integration process for this step will be different. Please follow your partner provisioning documentation.
On the Red Canary configuration page, locate the Full Name and Email Address values.
In the SentinelOne Management Console, click Settings on the navigation menu and go to the Users tab.
Select Console Users, then select Add New User from the Actions dropdown.
Create the new user by copying the Full Name and Email Address values from the Red Canary integration page. For example:
Red Canary Access
svc-s1+canariacorp@redcanary.com
Click Next.
On the Select Scope of Access screen, choose the appropriate level of access (Account or Site).
Select the account or site that Red Canary is gaining access to then change Viewer to Admin in the user type dropdown.
Click Create User.
On the Red Canary configuration page, check the I’ve created the user box.
Click Save to complete the configuration.