- 13 Jan 2025
- 4 Minutes to read
How Red Canary Works with SentinelOne
Red Canary’s integration with the SentinelOne Singularity Engine begins with Red Canary connecting to SentinelOne through a data-streaming product called Cloud Funnel. This process was created in partnership between Red Canary and SentinelOne's engineering teams.
While most SentinelOne integrations are focused on the alerts generated by the platform, Red Canary’s low-level integration ingests both the alerts and raw telemetry generated by the SentinelOne Sentinel Agent. This telemetry is processed and analyzed by the Red Canary platform and then by our Cyber Incident Response Team (CIRT) to confirm and investigate threats while eliminating false positives.
This combination of SentinelOne, telemetry, and Red Canary’s detection and response delivers the best security outcomes for SentinelOne users.
Red Canary and SentinelOne leverage Cloud Funnel to stream Deep Visibility telemetry from SentinelOne into the Red Canary engine. Cloud Funnel also acts as an XDR data lake backed by an Amazon S3 bucket, which is where Red Canary taps into your telemetry stream.
Your Red Canary team can help you step through the process of connecting your existing SentinelOne environment to Red Canary. Don’t have SentinelOne? Don’t worry: we can also work with you to get it provisioned and running!
Architectural Diagram
FAQ
What are the automation functions available with SentinelOne & Red Canary?
Currently, we offer notification, ban file hashes (IOC), isolate, and de-isolate functions as automation features.
What kind of data does Red Canary process?
We receive all the data collected by your SentinelOne agents, as well as a number of system events generated by the SentinelOne Singularity platform. Telemetry that is visible in SentinelOne Deep Visibility (Endpoint telemetry) is used for detection purposes, whereas several system events become audit logs in the Red Canary platform.
What happens to my SentinelOne alerts when I activate Red Canary?
Every alert generated by SentinelOne's detection rules is consumed by Red Canary and provided to you in the Alerts feature of the Red Canary platform. Alerts are reviewed by Red Canary's Cyber Incident Response Team (CIRT), which adds additional context to confirmed alerts to accelerate your response.
Note: SentinelOne no longer supports Windows OS 2003, 2008, and Windows 7 on their premier sensor. Sensors on these operating systems can no longer send telemetry to Red Canary. We advise that you upgrade to an operating system that is supported by your premier sensor.
If upgrading or migrating to a new operating system is not immediately available, we recommend you decommission the endpoint within Red Canary. See Decommission Endpoints for details.
What are the networking requirements for SentinelOne?
If you’re leveraging Red Canary’s SentinelOne environment, log in to the Management Console and read the following document to learn about the network requirements for your sensors to communicate properly and behave as expected:
Services and Ports for Management
(If you’re leveraging your own environment, you can find the document via the Help link in the SentinelOne top menu.)
How do I deploy my Virtual Desktop Infrastructure?
If you’re leveraging Red Canary’s SentinelOne environment, log in to the Management Console and read the following documents to learn more about installing, deploying, and configuring your VDI:
VDI and VM deployment
Installing Windows Agents on VM or VDI
(If you’re leveraging your own environment, you can find the documents via the Help link in the SentinelOne top menu.)
How do I install SentinelOne Agents for Windows?
If you’re leveraging Red Canary’s SentinelOne environment, log in to the Management Console and read the following document to learn more about installing SentinelOne Agents for Windows:
Installing Agents on Windows Endpoints
(If you’re leveraging your own environment, you can find the document via the Help link in the SentinelOne top menu.)
How do I install SentinelOne Agents for macOS?
If you’re leveraging Red Canary’s SentinelOne environment, log in to the Management Console and read the following document to learn more about installing SentinelOne Agents for macOS:
Installing Agents on macOS Endpoints
(If you’re leveraging your own environment, you can find the document via the Help link in the SentinelOne top menu.)
How do I install SentinelOne Agents for macOS with Jamf?
If you’re leveraging Red Canary’s SentinelOne environment, log in to the Management Console and read the following document to learn more about installing SentinelOne Agents for macOS with Jamf:
Installing and Upgrading macOS Agents with Jamf
(If you’re leveraging your own environment, you can find the document via the Help link in the SentinelOne top menu.)
How do I uninstall EDR Agents from the Command Line Interface (CLI)?
If you’re leveraging Red Canary’s SentinelOne environment, log in to the Management Console and read the following document to learn more about uninstalling EDR Agents from the CLI:
Uninstalling Agents from the CLI
(If you’re leveraging your own environment, you can find the document via the Help link in the SentinelOne top menu.)
How do I uninstall EDR Agents from the Management Console (MC)?
If you’re leveraging Red Canary’s SentinelOne environment, log in to the Management Console and read the following document to learn more about uninstalling EDR Agents from the MC:
Uninstalling Agents from the Management Console
(If you’re leveraging your own environment, you can find the document via the Help link in the SentinelOne top menu.)
Can Red Canary assist with setting up SentinelOne Cloud Funnel to export its data to my own S3 bucket?
Setting up SentinelOne Cloud Funnel to export its data to a customer-owned S3 bucket is an advanced configuration that is dependent on your individual cloud environment. Red Canary does not provide assistance with this setup. If you have any questions or encounter issues, we recommend reaching out to SentinelOne Support for guidance and to ensure your SentinelOne account is properly configured before integrating it with Red Canary.