SentinelOne Cloud Funnel

Configure the data connector for SentinelOne Cloud Funnel.

In this guide, you will integrate SentinelOne Cloud Funnel with Radiant in order to sync SentinelOne EDR telemetry.

This connector brings in EDR telemetry only; it does not sync alerts or sensor information. To sync alerts and sensor information, also integrate with SentinelOne Deep Visibility.

At the end of this configuration, you will provide Radiant Security with the following values:

  • Queue URL

Prerequisites

Create a destination S3 bucket

Note: If you are already exporting Cloud Funnel logs to an existing bucket, or if Radiant Security is providing a bucket for you, you can skip this section.

  1. From the AWS console, select the S3 service.

  2. Click Create bucket to create a new bucket.

  3. Select your preferred region and give the destination bucket a unique name. Note this name down for later.

  4. Under Object Ownership, select the ACLs enabled option.

  5. Click Create bucket to complete the bucket creation.

Configure the destination S3 bucket

Note: If Radiant Security is providing a bucket for you, you can skip this section and the Create and configure a notification queue for the S3 bucket section.

  1. Select the bucket from the list of S3 buckets.

  2. Click the Permissions tab.

  3. Edit the bucket policy and paste in the following, making sure to replace <BUCKET-NAME> with the name of the bucket containing the Cloud Funnel logs:

  4. Click Save changes.

  5. Configure the permission needed for SentinelOne Cloud Funnel to write files to your bucket. On the Permissions tab of your bucket, scroll down to Access Control List (ACL) and click Edit.

  6. Click Add grantee.

  7. Enter SentinelOne’s canonical ID: c768943f39940f1a079ee0948ab692883824dcb6049cdf3d7725691bf4f31cbb

  8. Select the checkboxes for List and Write objects, and click Save changes.

Create and configure a notification queue for the S3 bucket

  1. Select SQS from the list of AWS services.

  2. Click Create queue.

  3. Name the queue radiant-security-cloud-funnel-connector-<tenant-name>, replacing <tenant-name> with your organization name.

  4. Ensure that the Configuration values match the following:

    • Visibility timeout: 11 Minutes

    • Delivery delay: 0 Seconds

    • Receive message wait time: 0 Seconds

    • Message retention period: 4 Days

    • Maximum message size: 256 KB

  5. In the Access policy section, copy the Resource value and save it.

  6. Replace the Access policy with the following. Be sure to replace each <resource> value with the Resource value you copied in step 5:

  7. Click Create queue to create the queue.

  8. Copy the value in the URL section of the queue page and store it for later use. This will be the Queue URL that you’ll provide to Radiant Security when you create the credential for the SentinelOne Cloud Funnel connector.

  9. Return to the S3 service and select the bucket from the list of S3 buckets.

  10. Click the Properties tab and scroll down to Event notifications.

  11. Click Create event notification.

  12. In the Name field enter: radiant-security-cloud-funnel-connector

  13. In the Event types section, select the All object create events checkbox.

  14. In the Destination section, select SQS queue, then either select the queue you created from the drop-down or copy in the ARN/resource ID that you previously saved.

  15. Click Save changes to submit the changes.
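
The bucket ACL, queue values and event notification configured above can be audited after the fact. The following is an added example, not Radiant Security or SentinelOne code: it checks dictionaries shaped like the responses of the AWS GetQueueAttributes, GetBucketNotificationConfiguration and GetBucketAcl API calls. The function names and all sample data (queue ARN, owner ID) are constructed for illustration.

```python
SENTINELONE_ID = "c768943f39940f1a079ee0948ab692883824dcb6049cdf3d7725691bf4f31cbb"  # from this guide
EXPECTED_QUEUE = {  # console values from this guide, in the API's units (seconds, bytes)
    "VisibilityTimeout": 660,           # 11 minutes
    "DelaySeconds": 0,
    "ReceiveMessageWaitTimeSeconds": 0,
    "MessageRetentionPeriod": 345600,   # 4 days
    "MaximumMessageSize": 262144,       # 256 KB
}

def audit_queue(attrs):
    """Compare SQS queue attributes (the API returns strings) with the guide's values."""
    return [f"{k}: expected {v}, found {attrs.get(k)}"
            for k, v in EXPECTED_QUEUE.items() if str(attrs.get(k)) != str(v)]

def audit_notification(cfg, queue_arn):
    """'All object create events' must be routed to the connector queue."""
    for qc in cfg.get("QueueConfigurations", []):
        if qc.get("QueueArn") == queue_arn and "s3:ObjectCreated:*" in qc.get("Events", []):
            return []
    return [f"no 's3:ObjectCreated:*' notification targets {queue_arn}"]

def audit_acl(acl):
    """SentinelOne should hold exactly READ (List) and WRITE; flag any other non-owner grantee."""
    owner = acl.get("Owner", {}).get("ID")
    findings, s1_perms = [], set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = grantee.get("ID") or grantee.get("URI")
        if who == SENTINELONE_ID:
            s1_perms.add(grant["Permission"])
        elif who != owner:
            findings.append(f"unexpected grantee {who} has {grant['Permission']}")
    for perm in sorted({"READ", "WRITE"} - s1_perms):
        findings.append(f"SentinelOne grantee is missing {perm}")
    for perm in sorted(s1_perms - {"READ", "WRITE"}):
        findings.append(f"SentinelOne grantee has {perm}, beyond List and Write")
    return findings

# Constructed sample data with deliberate deviations (placeholder ARN and owner ID).
SAMPLE_ARN = "arn:aws:sqs:us-east-1:111122223333:radiant-security-cloud-funnel-connector-example"
SAMPLE_ATTRS = {**{k: str(v) for k, v in EXPECTED_QUEUE.items()}, "VisibilityTimeout": "30"}
SAMPLE_NOTIF = {"QueueConfigurations": [{"QueueArn": SAMPLE_ARN, "Events": ["s3:ObjectCreated:Put"]}]}
SAMPLE_ACL = {"Owner": {"ID": "OWNER-ID-PLACEHOLDER"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "CanonicalUser", "ID": SENTINELONE_ID}, "Permission": "WRITE"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
```

To audit a live deployment, pass in the Attributes map from GetQueueAttributes and the full responses of the other two calls in place of the sample dictionaries.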

Enable Cloud Funnel

  1. Make note of the name of the S3 bucket destination for Cloud Funnel.

  2. Log into your SentinelOne console with an Admin role account.

  3. Hover your cursor over the SentinelOne logo to open the navigation pane.

  4. Select Settings and then click the INTEGRATIONS tab.

  5. In the navigation pane, select Cloud Funnel.

  6. From the Cloud Providers drop-down, select AWS (Amazon Web Services).

  7. In the S3 bucket name field, paste the destination S3 bucket name that you noted in step 1.

  8. Click Validate to ensure SentinelOne has access to the bucket.

  9. Select the Enable Telemetry Streaming checkbox.

  10. Add the query filter endpoint.name = * to the filter box.

  11. Click the Validate button to ensure the query is valid.

  12. Click the Save button.

Add the Cloud Funnel data connector in Radiant Security

  1. Log in to Radiant Security.

  2. From the navigation menu, select Settings > Data Connectors and click + Add Connector.

  3. Search for and select the SentinelOne CloudFunnel option from the list and then click Data Feeds.

  4. Click Credentials.

  5. Give the credential an identifiable name (e.g. SentinelOne Cloud Funnel Credentials).

  6. Under Required Credentials, paste in the Queue URL that you copied from the previous section.

  7. Click Add Connector to save the changes.

What data Cloud Funnel collects

Cloud Funnel collects telemetry data only. To collect alerts and sensors information, you must pair Cloud Funnel with a SentinelOne Deep Visibility integration.

To add the action connector in Radiant, please refer to the specific guide: SentinelOne.
