Login
      Contents x
      How Red Canary Works with SentinelOne
      • 15 Jul 2024
      • 4 Minutes to read
      • PDF
      Contents

      How Red Canary Works with SentinelOne

      • Updated on 15 Jul 2024
      • 4 Minutes to read
      • PDF
      Article summary

      Red Canary’s integration with the SentinelOne Singularity Engine begins with Red Canary connecting to SentinelOne through a data-streaming product called Cloud Funnel. This process was created in partnership between Red Canary and SentinelOne's engineering teams. 

      While most SentinelOne integrations are focused on the alerts generated by the platform, Red Canary’s low-level integration ingests both the alerts and raw telemetry generated by the SentinelOne Sentinel Agent. This telemetry is processed and analyzed by the Red Canary platform and then by our Cyber Incident Response Team (CIRT) to confirm and investigate threats while eliminating false positives.

      This combination of SentinelOne, telemetry, and Red Canary’s detection and response delivers the best security outcomes for SentinelOne users.

      Red Canary and SentinelOne leverage Cloud Funnel to stream deep visibility telemetry from SentinelOne into the Red Canary engine. In addition, Cloud Funnel is an XDR data lake that utilizes an Amazon S3 Bucket that enables Red Canary to tap into your telemetry stream.

      Your Red Canary team can help you step through the process of connecting your existing SentinelOne environment to Red Canary. Don’t have SentinelOne? Don’t worry: we can also work with you to get it provisioned and running!

      Note: Cloud Funnel 2.0 only allows one outside third-party connection that Red Canary utilizes. 

      FAQ

      What are the automatic functionalities available with SentinelOne & Red Canary?

      Currently, we only offer notification, ban file hashes (IOC), isolate and de-isolate functions as automation features. 

      What kind of data does Red Canary process?

      We receive all the data collected by your SentinelOne agents, as well as a number of system events generated by the SentinelOne Singularity platform. Telemetry that is visible in SentinelOne Deep Visibility (Endpoint telemetry) is used for detection purposes, whereas several system events become audit logs in the Red Canary platform.

      What happens to my SentinelOne alerts when I activate Red Canary?

      Every alert generated by SentinelOne's detection rules is consumed by Red Canary and provided to you in the Alerts feature of the Red Canary platform. Red Canary’s investigation of these alerts is currently pending as we standardize alert ingestion. Alerts are reviewed by Red Canary's CIRT, which adds additional context to confirmed alerts to accelerate your response.

      Note: SentinelOne no longer supports Windows OS 2003, 2008, and Windows 7 on their premier sensor. These operating sensors can no longer send telemetry to Red Canary. We advise that you upgrade your operating system to one that supports your premier sensor.

      If upgrading or migrating to a new operating system is not immediately available, we recommend you decommission the endpoint within Red Canary. Learn more about how to Decommission Endpoints.

      What are the networking requirements for SentinelOne?

      When you deploy SentinelOne sensors, you want to know all of the associated network requirements so that your sensors communicate properly and behave as expected. This list does not include Red Canary's IPs.

      How do I deploy my Virtual Desktop Infrastructure? 

      • To learn more about installing deploying your VDI, click here

      • To learn more about installing Windows Agents on VM or VDI, click here.

      How do I install SentinelOne Agents for Windows?

      Note: The links below only work for customers leveraging Red Canary’s SentinelOne environment. If customers leverage their own environment, then they need to navigate to their OneBox help menu at the top of the SentinelOne OneBox OR leverage their access to community.sentinelone.com.

      • To learn more about installing SentinelOne Agents for Windows, copy and paste the link below into a new browser window: 

        • https://usea1-redcanary.sentinelone.net/docs/en/installing-on-windows-endpoints.html

      How do I install SentinelOne Agents for macOS?

      Note: The links below only work for customers leveraging Red Canary’s SentinelOne environment. If customers leverage their own environment, then they need to navigate to their OneBox help menu at the top of the SentinelOne OneBox OR leverage their access to community.sentinelone.com.

      • To learn more about installing SentinelOne Agents for macOS, copy and paste the link below into a new browser window: 

        • https://usea1-redcanary.sentinelone.net/docs/en/installing-on-macos-endpoints.html 

      How do I install SentinelOne Agents for macOS with Jamf?

      Note: The links below only work for customers leveraging Red Canary’s SentinelOne environment. If customers leverage their own environment, then they need to navigate to their OneBox help menu at the top of the SentinelOne OneBox OR leverage their access to community.sentinelone.com.

      • To learn more about installing SentinelOne Agents for macOS with Jamf, copy and paste the link below into a new browser window: 

        • https://usea1-redcanary.sentinelone.net/docs/en/installing-and-upgrading-macos-agents-with-jamf.html

      How do I uninstall EDR Agents from the Command Line Interface (CLI)?

      Note: The links below only work for customers leveraging Red Canary’s SentinelOne environment. If customers leverage their own environment, then they need to navigate to their OneBox help menu at the top of the SentinelOne OneBox OR leverage their access to community.sentinelone.com.

      • To learn more about uninstalling EDR Agents for the CLI, copy and paste the link below into a new browser window: 

        • https://usea1-redcanary.sentinelone.net/docs/en/uninstalling-agents-from-the-cli.html

      How do I uninstall EDR Agents from the Management Console (MC)?

      Note: The links below only work for customers leveraging Red Canary’s SentinelOne environment. If customers leverage their own environment, then they need to navigate to their OneBox help menu at the top of the SentinelOne OneBox OR leverage their access to community.sentinelone.com.

      • To learn more about uninstalling EDR Agents for the MC, copy and paste the link below into a new browser window: 

        • https://usea1-redcanary.sentinelone.net/docs/en/uninstalling-agents-from-themanagement.html#uninstalling-agents-from-themanagement-console

      Was this article helpful?
      What's Next
      PRODUCTS
      USE RED CANARY
      SUPPORT
      Change password!
      Changing your password will log you out immediately. Use the new password to log back in.
      Change profile
      Success!
      First name must have atleast 2 characters. Numbers and special characters are not allowed.
      Last name must have atleast 1 characters. Numbers and special characters are not allowed.
      Enter a valid email
      Enter a valid password
      Your profile has been successfully updated.
      Logout