SentinelOne Integration FAQ



What Red Canary automation actions are available for SentinelOne?

Currently, the following automation actions are available for SentinelOne:

  • Ban File Hashes (IOC)

  • Ban IP Addresses (IOC)

  • Isolate Endpoint

  • Deisolate Endpoint

  • Collect Forensics

  • Delete/Capture Files (IOC)

See Response Actions for SentinelOne for more details.

What kind of SentinelOne data does Red Canary process?

We receive all the data collected by your SentinelOne agents, as well as a number of system events generated by the SentinelOne Singularity platform. Telemetry that is visible in SentinelOne Deep Visibility (Endpoint telemetry) is used for detection purposes, whereas several system events become audit logs in the Red Canary platform.

What happens to my SentinelOne alerts when I activate Red Canary?

Every alert generated by SentinelOne's detection rules is consumed by Red Canary and provided to you in the Alerts feature of the Red Canary platform. Alerts are reviewed by Red Canary's Cyber Incident Response Team (CIRT), who add additional context to confirmed alerts to accelerate your response.

What are the networking requirements for SentinelOne?

If you’re leveraging Red Canary’s SentinelOne environment, log in to the Management Console and read the following document to learn about the network requirements for your sensors to communicate properly and behave as expected:

Services and Ports for Management

If you’re using your own environment, you can find the document via the Help link in the SentinelOne top menu.

How do I deploy my Virtual Desktop Infrastructure?

If you’re leveraging Red Canary’s SentinelOne environment, log in to the Management Console and read the following documents to learn more about installing, deploying, and configuring your VDI:

VDI and VM deployment
Installing Windows Agents on VM or VDI

If you’re using your own environment, you can find these documents via the Help link in the SentinelOne top menu.

How do I install SentinelOne Agents?

If you’re leveraging Red Canary’s SentinelOne environment, log in to the Management Console and read the following documents to learn more about installing SentinelOne Agents:

Installing Agents on Windows Endpoints
Installing Agents on macOS Endpoints
Installing and Upgrading macOS Agents with Jamf

If you’re using your own environment, you can find these documents via the Help link in the SentinelOne top menu.

How do I uninstall EDR Agents from the Command Line Interface (CLI)?

If you’re leveraging Red Canary’s SentinelOne environment, log in to the Management Console and read the following documents to learn more about uninstalling EDR Agents from the CLI or via the Management Console:

Uninstalling Agents from the CLI
Uninstalling Agents from the Management Console

If you’re leveraging your own environment, you can find these documents via the Help link in the SentinelOne top menu.

Can Red Canary assist with setting up SentinelOne Cloud Funnel to export its data to my own S3 bucket?

Setting up SentinelOne Cloud Funnel to export its data to a customer-owned S3 bucket is an advanced configuration that is dependent on your individual cloud environment. Red Canary does not provide assistance with this setup. If you have any questions or encounter issues, we recommend reaching out to SentinelOne Support for guidance and to ensure your SentinelOne account is properly configured before integrating it with Red Canary.

Why don’t I land on the search results page when I follow a SentinelOne link in the Red Canary portal?

The Red Canary platform provides links to the source EDR platform that make it easy to investigate noted entities and activities. For SentinelOne, you must follow these steps in order to be successfully redirected with the appropriate query parameters set when you click a link in Red Canary.

  1. Log in to the SentinelOne Management Console, open the user profile dropdown in the menubar, then click My User.

  2. In the Feature Preferences section, make sure Change Deep Visibility Mode is set to “Enhanced.”

  3. Navigate to the Enhanced Visibility page.

    Visiting this page will update your browser cookies to enable subsequent redirects from Red Canary to SentinelOne.

How do I compare my active endpoints in Red Canary to SentinelOne?

Sensor performance, endpoint performance, or network communication issues can affect whether your Red Canary endpoint count and SentinelOne endpoint count match up. It is also possible, however unlikely, that there is some type of communication issue between the SentinelOne server and Red Canary. It’s always a good idea to check these numbers to ensure that Red Canary is receiving telemetry from the number of endpoints you expect from SentinelOne.

To count active endpoints in Red Canary:

  1. Go to the Endpoints page in the Red Canary portal.

  2. In the search bar, enter last_checkin_time: with today’s date.

This gives you the number of endpoints that have checked in with Red Canary so far today. You’ll use this number to compare to the number of endpoints being monitored in SentinelOne. Note that the Last Check In Time is in UTC when comparing your results to SentinelOne.

To count active endpoints in SentinelOne:

  1. In the SentinelOne Management console, click Sentinels on the navigation menu and go to the Endpoints tab.

  2. Click in the Select filters field, and then click View More Filters.

  3. Deselect any default filters, then select Connected to Management.

  4. Click Back to filters.

A new Connected to Management panel displays with metrics for Yes and No.

The Yes metric shows you the number of endpoints considered Connected to Management and actively checking in with the SentinelOne server. This is the number to compare to Red Canary.
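As an added illustration (not Red Canary’s or SentinelOne’s own tooling), the following Python reconciles two constructed endpoint exports the way the two procedures above do by hand: Red Canary check-ins are compared on their UTC date, as noted above, against the SentinelOne endpoints that report Connected to Management, and the hosts present on only one side are listed for the troubleshooting checks that follow. The field names and export format are assumptions.

```python
from datetime import date, datetime, timezone

# Constructed sample exports (not real data). Timestamps carry their own
# UTC offset; ws-02 checked in late on May 1 local time, which is already
# May 2 in UTC, so it must count as active for a UTC "today".
TODAY_UTC = date(2024, 5, 2)
RED_CANARY_ENDPOINTS = [
    {"hostname": "ws-01", "last_checkin_time": "2024-05-02T03:15:00Z"},
    {"hostname": "ws-02", "last_checkin_time": "2024-05-01T20:40:00-07:00"},
    {"hostname": "srv-01", "last_checkin_time": "2024-05-01T18:00:00Z"},
]
SENTINELONE_ENDPOINTS = [
    {"hostname": "ws-01", "connected_to_management": True},
    {"hostname": "ws-02", "connected_to_management": True},
    {"hostname": "srv-01", "connected_to_management": True},
    {"hostname": "ws-03", "connected_to_management": True},
    {"hostname": "lab-01", "connected_to_management": False},
]


def red_canary_active(endpoints, today_utc):
    """Hostnames whose last check-in falls on today's date in UTC."""
    active = set()
    for ep in endpoints:
        raw = ep["last_checkin_time"].replace("Z", "+00:00")
        checkin = datetime.fromisoformat(raw).astimezone(timezone.utc)
        if checkin.date() == today_utc:
            active.add(ep["hostname"])
    return active


def sentinelone_connected(endpoints):
    """Hostnames SentinelOne reports as Connected to Management (the 'Yes' metric)."""
    return {ep["hostname"] for ep in endpoints if ep["connected_to_management"]}


def compare(rc_endpoints, s1_endpoints, today_utc):
    """Counts for both sides plus the hosts to examine when the counts differ."""
    rc_active = red_canary_active(rc_endpoints, today_utc)
    s1_conn = sentinelone_connected(s1_endpoints)
    return {
        "red_canary_count": len(rc_active),
        "sentinelone_count": len(s1_conn),
        "missing_from_red_canary": sorted(s1_conn - rc_active),
        "unknown_to_sentinelone": sorted(rc_active - s1_conn),
    }


if __name__ == "__main__":
    print(compare(RED_CANARY_ENDPOINTS, SENTINELONE_ENDPOINTS, TODAY_UTC))
```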

Troubleshooting:

If you notice a large disparity between the number of active endpoints in Red Canary compared to SentinelOne, examine the endpoints in SentinelOne. Here are a few things to look for:

  • Is the endpoint online?

  • Is the Red Canary sensor running on the endpoint?

  • Is the Red Canary sensor communicating with SentinelOne?

If you discover that a sensor isn’t communicating or isn’t connected to SentinelOne, review SentinelOne’s help documentation. To access the help documentation, log in to SentinelOne, click the question mark icon, and then select Help. If you need additional assistance, please submit a request with Red Canary Support.

Why do I have a large number of endpoints reporting as not sending telemetry?

The Deep Visibility feature is what collects and sends endpoint data to SentinelOne, and by extension to Red Canary. SentinelOne uses policy inheritance to control settings throughout the account/site/group structure. If you have a site or group that has policy inheritance disabled, then any changes made at the account level, like enabling Deep Visibility, will not be inherited.

To correct this, you’ll need to enable policy inheritance in SentinelOne.

  1. In the SentinelOne Management console, click Sentinels on the navigation menu and go to the Policy tab.

  2. In the Deep Visibility section, make sure Enable Deep Visibility is turned on and enable everything except Data Masking.

  3. Click the Event Type Configuration link and enable all the options in the File section.

Note

Make sure Data Masking is disabled. Also, leaving any boxes unchecked under Event Type Configuration will trigger a status failure in Red Canary.