# SentinelOne Cloud Funnel

In this guide, you will integrate SentinelOne Cloud Funnel with Radiant in order to sync SentinelOne EDR telemetry.

{% hint style="warning" %}
Unless you specifically need to sync all of your EDR telemetry data into Radiant Log Management, it is recommended to use the [SentinelOne Singularity Data Lake integration](https://help.radiantsecurity.ai/radiant-connectors/data-connectors/sentinelone-singularity-data-lake) instead of SentinelOne Cloud Funnel.
{% endhint %}

{% hint style="info" %}
This connector brings in EDR telemetry, but not alerts or sensors information. To sync alerts and sensors information, also integrate with [SentinelOne Deep Visibility](https://help.radiantsecurity.ai/radiant-connectors/data-connectors/sentinelone-deep-visibility).
{% endhint %}

At the end of this configuration, you will provide Radiant Security with the following values:

* **Queue URL**

### Prerequisites

* [ ] Admin role for the SentinelOne environment that you want to connect to Radiant

### Create a destination S3 bucket

{% hint style="info" %}
**Note:** If you are already exporting Cloud Funnel logs to an existing bucket, or if Radiant Security is providing a bucket for you, you can skip this section.
{% endhint %}

1. From the AWS console, select the S3 service.
2. Click **Create bucket** to create a new bucket.
3. Select your preferred region and give the destination bucket a unique name. Note this name down for later.
4. Under **Object Ownership**, select the **ACLs enabled** option.
5. Click **Create bucket** to complete the bucket creation.

### Configure the destination S3 bucket

{% hint style="info" %}
**Note:** If Radiant Security is providing a bucket for you, you can skip this section and the **Create and configure a notification queue for the S3 bucket** section.
{% endhint %}

1. Select the bucket from the list of S3 buckets.
2. Click the **Permissions** tab.
3. Edit the bucket policy and paste in the following, making sure to replace `<BUCKET-NAME>` with the name of the bucket containing the Cloud Funnel logs:

{% hint style="info" %}
If you are an E.U. tenant, replace `649384204969` in the statement below with `076657324990`.
{% endhint %}

{% code overflow="wrap" %}

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::649384204969:root"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<BUCKET-NAME>/*"
        }
    ]
}
```

{% endcode %}

4. Click **Save changes**.
5. Configure the permission needed for SentinelOne Cloud Funnel to write files to your bucket. On the **Permissions** tab of your bucket, scroll down to **Access Control List (ACL)** and click **Edit**.

   <figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FdZhwAJsQDwmqgdMw1GL3%2FSentinelOne%20EDR_02.png?alt=media&#x26;token=49f528e1-dd36-4644-965d-a62124b9d512" alt=""><figcaption></figcaption></figure>
6. Click **Add grantee.**
7. Enter SentinelOne’s canonical ID: `c768943f39940f1a079ee0948ab692883824dcb6049cdf3d7725691bf4f31cbb`
8. Select the checkboxes for **List** and **Write** objects, and click **Save changes.**

   <figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FO7lUBaFugPvibxLFNeTQ%2FSentinelOne%20EDR_03.png?alt=media&#x26;token=82ce99ca-a02f-4579-8a6f-5d97061f86ef" alt=""><figcaption></figcaption></figure>

{% hint style="warning" %}
**Important note:** For FedRAMP environments, use this canonical ID instead: `3b40642cbf594ff39a8a280afad55c79b098dce84031ed23f3e104dc983eede2`
{% endhint %}

### Create and configure a notification queue for the S3 bucket

{% hint style="warning" %}
**Important note**: Make sure that the queue name conforms to the format provided; otherwise, the integration will not work.
{% endhint %}

1. Select **SQS** from the list of AWS services.
2. Click **Create** **queue**.
3. Give the queue the name: `radiant-security-cloud-funnel-connector-<tenant-name>` and replace `<tenant-name>` with your organization name.
4. Ensure that the **Configuration** values match the following:

   * **Visibility timeout:** `11 Minutes`
   * **Delivery delay:** `0 Seconds`
   * **Receive message wait time:** `0 Seconds`
   * **Message retention period:** `4 Days`
   * **Maximum message size:** `256 KB`

   <figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2Fu0vQ5EpekT229ulHdvyS%2FSentinelOne%20EDR_04.png?alt=media&#x26;token=081bf30b-03b3-4bdb-8f99-e7f8559bd2b7" alt=""><figcaption></figcaption></figure>
5. In the **Access** **policy** section, copy the **Resource** value and save it.
6. Replace the **Access** **policy** with the following. Be sure to replace each **`<resource>`** value with the **Resource** value you copied in step 5:

{% hint style="info" %}
If you are an E.U. tenant, replace `649384204969` in the statement below with `076657324990`.
{% endhint %}

{% code overflow="wrap" %}

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "SQS:SendMessage",
      "Resource": "<resource>",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:::*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::649384204969:root"
      },
      "Action": [
        "SQS:ReceiveMessage",
        "SQS:DeleteMessage",
        "SQS:GetQueueAttributes"
      ],
      "Resource": "<resource>"
    }
  ]
}
```

{% endcode %}

7. Click **Create** **queue** to create the queue.
8. Copy the value in the **URL** section of the queue page and store it for later use. This will be the **Queue** **URL** that you’ll provide to Radiant Security when you create the credential for the SentinelOne Cloud Funnel connector.
9. Return to the S3 service and select the bucket from the list of S3 buckets.
10. Click the **Properties** tab and scroll down to **Event** **notifications**.
11. Click **Create** **event** **notification**.
12. In the **Name** field enter: `radiant-security-cloud-funnel-connector`
13. In the **Event types** section, select the **All object create events** checkbox.
14. In the **Destination** section, select **SQS queue**, then either select the queue you created from the drop-down or enter the ARN/resource ID that you previously saved.
15. Click **Save** **changes** to submit the changes.
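
The access policy in step 6 accepts `SendMessage` from any S3 bucket ARN, so the following added Python check (not part of Radiant's or SentinelOne's documentation) flags unfilled `<resource>` placeholders and senders that are not pinned to your bucket, and builds a scoped variant that follows AWS's documented pattern for S3-to-SQS notifications. The queue ARN, bucket name and account ID are constructed samples, and whether the Radiant connector accepts the scoped variant is an assumption.

```python
import copy
import json

# Step 6 policy with a constructed queue ARN in statement 0; statement 1 keeps
# the literal <resource> to show a missed substitution.
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:radiant-security-cloud-funnel-connector-example"
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "SQS:SendMessage",
         "Resource": QUEUE_ARN,
         "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::*"}}},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::649384204969:root"},
         "Action": ["SQS:ReceiveMessage", "SQS:DeleteMessage", "SQS:GetQueueAttributes"],
         "Resource": "<resource>"},
    ],
}


def _grants_send(stmt):
    """True if the statement's Action covers SQS:SendMessage."""
    actions = stmt.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    return any(a.lower() in ("sqs:sendmessage", "sqs:*", "*") for a in actions)


def audit_queue_policy(policy, bucket_name):
    """Return (statement index, finding) pairs for the two checks below."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    for i, stmt in enumerate(policy["Statement"]):
        # Check 1: a copy-paste placeholder was left in Resource.
        if "<" in json.dumps(stmt.get("Resource")):
            findings.append((i, "unfilled-placeholder"))
        # Check 2: SendMessage must be tied to this bucket and an owning account.
        if stmt.get("Effect") == "Allow" and _grants_send(stmt):
            cond = stmt.get("Condition", {})
            source = cond.get("ArnLike", {}).get("aws:SourceArn")
            account = cond.get("StringEquals", {}).get("aws:SourceAccount")
            if source != bucket_arn or not account:
                findings.append((i, "sender-not-scoped"))
    return findings


def scope_to_bucket(policy, bucket_name, account_id):
    """Copy the policy, limiting SendMessage to S3 events from one bucket."""
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        if _grants_send(stmt):
            stmt["Principal"] = {"Service": "s3.amazonaws.com"}
            stmt["Condition"] = {
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{bucket_name}"},
                "StringEquals": {"aws:SourceAccount": account_id},
            }
    return scoped
```

Print `json.dumps(scope_to_bucket(...), indent=2)` to get a policy document you can compare against the one in the console's **Access policy** editor.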

### Enable Cloud Funnel

1. Make note of the name of the S3 bucket destination for Cloud Funnel.
2. Log into your SentinelOne console with an **Admin** role account.
3. Hover your cursor over the SentinelOne logo to open the navigation pane.
4. Select **Settings** and then click the **INTEGRATIONS** tab.
5. In the navigation pane, select **Cloud Funnel**.
6. From the **Cloud Providers** drop-down, select **AWS (Amazon Web Services).**
7. In the **S3 bucket name** field, paste the destination S3 bucket name that you noted in step 1.
8. Click **Validate** to ensure SentinelOne has access to the bucket.
9. Select the **Enable Telemetry** **Streaming** checkbox.
10. Add the query filter `endpoint.name = *` to the filter box.
11. Click the **Validate** button to ensure the query is valid.
12. Click the **Save** button.

### Add the Cloud Funnel data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, select **Settings** > **Data Connectors** and click **+ Add Connector**.
3. Search for and select the **SentinelOne CloudFunnel** option from the list and then click **Data Feeds**.
4. Click **Credentials.**
5. Give the credential an identifiable name (e.g. `SentinelOne Cloud Funnel Credentials`).
6. Under **Required** **Credentials**, paste in the **Queue URL** that you copied from the previous section.
7. Click **Add Connector** to save the changes.

#### What data Cloud Funnel collects

Cloud Funnel collects telemetry data *only*. To collect alerts and sensors information, you must pair Cloud Funnel with a [SentinelOne Deep Visibility integration](https://help.radiantsecurity.ai/radiant-connectors/data-connectors/sentinelone-deep-visibility).

{% hint style="info" %}
To add the **action connector** in Radiant, please refer to the specific guide: [SentinelOne](https://help.radiantsecurity.ai/radiant-connectors/data-connectors/sentinelone-deep-visibility/execute-response-actions-with-sentinelone).
{% endhint %}
