How Red Canary Works with SentinelOne
    • 20 Nov 2024

    Red Canary’s integration with the SentinelOne Singularity Engine begins with Red Canary connecting to SentinelOne through a data-streaming product called Cloud Funnel. This process was created in partnership between Red Canary and SentinelOne's engineering teams. 

    While most SentinelOne integrations are focused on the alerts generated by the platform, Red Canary’s low-level integration ingests both the alerts and raw telemetry generated by the SentinelOne Sentinel Agent. This telemetry is processed and analyzed by the Red Canary platform and then by our Cyber Incident Response Team (CIRT) to confirm and investigate threats while eliminating false positives.

    This combination of SentinelOne, telemetry, and Red Canary’s detection and response delivers the best security outcomes for SentinelOne users.

    Red Canary and SentinelOne use Cloud Funnel to stream Deep Visibility telemetry from SentinelOne into the Red Canary engine. Cloud Funnel is also an XDR data lake backed by an Amazon S3 bucket, which is what allows Red Canary to tap into your telemetry stream.

    Your Red Canary team can help you step through the process of connecting your existing SentinelOne environment to Red Canary. Don’t have SentinelOne? Don’t worry: we can also work with you to get it provisioned and running!

    Note: Cloud Funnel 2.0 allows only one outside third-party connection, and Red Canary uses that connection.

    FAQ

    What are the automatic functionalities available with SentinelOne & Red Canary?

    Currently, the only automation features we offer are notification, banning file hashes (IOC), and isolating and de-isolating endpoints.

    What kind of data does Red Canary process?

    We receive all the data collected by your SentinelOne agents, as well as a number of system events generated by the SentinelOne Singularity platform. Telemetry that is visible in SentinelOne Deep Visibility (Endpoint telemetry) is used for detection purposes, whereas several system events become audit logs in the Red Canary platform.

    What happens to my SentinelOne alerts when I activate Red Canary?

    Every alert generated by SentinelOne's detection rules is consumed by Red Canary and provided to you in the Alerts feature of the Red Canary platform. Red Canary’s investigation of these alerts is currently pending as we standardize alert ingestion. Alerts are reviewed by Red Canary's CIRT, which adds additional context to confirmed alerts to accelerate your response.

    Note: SentinelOne no longer supports Windows Server 2003, Windows Server 2008, or Windows 7 on their premier sensor. Endpoints running these operating systems can no longer send telemetry to Red Canary. We advise that you upgrade your operating system to one that supports your premier sensor.

    If upgrading or migrating to a new operating system is not immediately available, we recommend you decommission the endpoint within Red Canary. Learn more about how to Decommission Endpoints.

    What are the networking requirements for SentinelOne?

    When you deploy SentinelOne sensors, you want to know all of the associated network requirements so that your sensors communicate properly and behave as expected. This list does not include Red Canary's IPs.

    How do I deploy my Virtual Desktop Infrastructure? 

    • To learn more about deploying your VDI, click here.

    • To learn more about installing Windows Agents on VM or VDI, click here.

    How do I install SentinelOne Agents for Windows?

    Note: The links below work only for customers using Red Canary’s SentinelOne environment. Customers using their own environment should instead use the help menu at the top of the SentinelOne OneBox, or their access to community.sentinelone.com.

    • To learn more about installing SentinelOne Agents for Windows, copy and paste the link below into a new browser window: 

      • https://usea1-redcanary.sentinelone.net/docs/en/installing-on-windows-endpoints.html

    How do I install SentinelOne Agents for macOS?

    Note: The links below work only for customers using Red Canary’s SentinelOne environment. Customers using their own environment should instead use the help menu at the top of the SentinelOne OneBox, or their access to community.sentinelone.com.

    • To learn more about installing SentinelOne Agents for macOS, copy and paste the link below into a new browser window: 

      • https://usea1-redcanary.sentinelone.net/docs/en/installing-on-macos-endpoints.html 

    How do I install SentinelOne Agents for macOS with Jamf?

    Note: The links below work only for customers using Red Canary’s SentinelOne environment. Customers using their own environment should instead use the help menu at the top of the SentinelOne OneBox, or their access to community.sentinelone.com.

    • To learn more about installing SentinelOne Agents for macOS with Jamf, copy and paste the link below into a new browser window: 

      • https://usea1-redcanary.sentinelone.net/docs/en/installing-and-upgrading-macos-agents-with-jamf.html

    How do I uninstall EDR Agents from the Command Line Interface (CLI)?

    Note: The links below work only for customers using Red Canary’s SentinelOne environment. Customers using their own environment should instead use the help menu at the top of the SentinelOne OneBox, or their access to community.sentinelone.com.

    • To learn more about uninstalling EDR Agents for the CLI, copy and paste the link below into a new browser window: 

      • https://usea1-redcanary.sentinelone.net/docs/en/uninstalling-agents-from-the-cli.html

    How do I uninstall EDR Agents from the Management Console (MC)?

    Note: The links below work only for customers using Red Canary’s SentinelOne environment. Customers using their own environment should instead use the help menu at the top of the SentinelOne OneBox, or their access to community.sentinelone.com.

    Can Red Canary assist with setting up SentinelOne Cloud Funnel to export its data to my own S3 bucket?

    Setting up SentinelOne Cloud Funnel to export its data to a customer-owned S3 bucket is an advanced configuration that is dependent on that customer’s cloud environment. Red Canary does not provide assistance with this setup. If you have any questions or encounter issues, we recommend reaching out to SentinelOne Support for guidance and to ensure your SentinelOne account is properly configured before integrating it with Red Canary.
