The following response actions are available for SentinelOne in the Red Canary Automation interface:
Ban File Hashes (IOC)
Ban IP Addresses (IOC)
Isolate Endpoint
Deisolate Endpoint
Delete/Capture Files (IOC)
The Collect Forensics and Delete/Capture Files actions each require you to activate an add-on in SentinelOne.
Red Canary Response Action | Required SentinelOne Add-on |
|---|---|
Collect Forensics | RemoteOps Forensics |
Delete/Capture Files (IOC) | Remote Script Orchestration |
You can activate these add-ons in SentinelOne as follows:
Log in to your SentinelOne Management Console.
On the navigation menu, click Settings, then go to the Sites tab and locate the account integrated with Red Canary.
Check the box next to the account, then select Edit site from the Actions dropdown.
Scroll down to the Add-ons section and select the add-on you want to activate (Remote Script Orchestration or RemoteOps Forensics).
Note: If these add-ons aren’t listed for your site, you’ll need to contact SentinelOne to request them.
Click Save Changes.