SentinelOne EDR
Configure the data connectors for SentinelOne EDR.
In this guide, you will integrate your SentinelOne EDR environment with Radiant.
After you complete integrating the SentinelOne data connectors, add the SentinelOne action connector to enable one-click containment and remediation tasks in Radiant.
At the end of this configuration, you will provide Radiant Security with the following values:
API Token
Queue URL for the S3 bucket
API Base URL (console URL). For example:
https://usea1-swprd1.sentinelone.net
Prerequisites
Create a service user in SentinelOne
Log into your SentinelOne console with an Admin role account.
Hover your cursor over the SentinelOne logo to open the navigation pane.
Select Settings and then click the USERS tab.
In the navigation pane, select Service Users.
From the Actions drop-down list, select Create New Service User.
In the dialog box, fill in the service account information with the following:
Name: radiant_api_service
Description: Radiant Security API Service Account
Expiration Date: 1 Years
Click Next.
If you manage multiple customers:
Under Select Scope of Access, click Site.
Select the site that belongs to the customer that you are configuring monitoring for.
If you do not manage multiple customers:
Under Select Scope of Access, click Account.
Select the account that the user should have access to.
From the role type drop-down list, select Viewer.
Click Create User to save the newly created user.
In the API Token dialog box, copy the API Token value to provide to Radiant Security.
Important note: Be sure to document and store the API token value carefully, as it cannot be retrieved later. This will be provided to Radiant Security in the next section.
Create a destination S3 bucket
From the AWS console, select the S3 service.
Click Create bucket to create a new bucket.
Select your preferred region and give the destination bucket a unique name. Note this name down for later.
Under Object Ownership, select the ACLs enabled option.
Click Create bucket to complete the bucket creation.
Configure the destination S3 bucket
Select the bucket from the list of S3 buckets.
Click the Permissions tab.
Edit the bucket policy and paste in the following, making sure to replace <BUCKET-NAME> with the name of the bucket containing the Cloud Funnel logs:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::649384204969:root"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<BUCKET-NAME>/*"
    }
  ]
}
Click Save changes.
Configure the permission needed for SentinelOne Cloud Funnel to write files to your bucket. On the Permissions tab of your bucket, scroll down to Access Control List (ACL) and click Edit.
Click Add grantee.
Enter SentinelOne’s canonical ID:
c768943f39940f1a079ee0948ab692883824dcb6049cdf3d7725691bf4f31cbb
Select the checkboxes for List and Write objects, and click Save changes.
Important note: For FedRAMP environments, use this canonical ID instead: 3b40642cbf594ff39a8a280afad55c79b098dce84031ed23f3e104dc983eede2
Create and configure a notification queue for the S3 bucket
Important note: Make sure that the queue name conforms to the format provided; otherwise, the integration will not work.
Select SQS from the list of AWS services.
Click Create queue.
Give the queue the name radiant-security-cloud-funnel-connector-<tenant-name>, replacing <tenant-name> with your organization name. Ensure that the Configuration values match the following:
Visibility timeout: 11 Minutes
Delivery delay: 0 Seconds
Receive message wait time: 0 Seconds
Message retention period: 4 Days
Maximum message size: 256 KB
In the Access policy section, copy the Resource value and save it.
Replace the Access policy with the following, making sure to replace each <resource> value with the Resource value you copied in the previous step:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "SQS:SendMessage",
      "Resource": "<resource>",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:::*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::649384204969:root"
      },
      "Action": [
        "SQS:ReceiveMessage",
        "SQS:DeleteMessage",
        "SQS:GetQueueAttributes"
      ],
      "Resource": "<resource>"
    }
  ]
}
Click Create queue to create the queue.
Copy the value in the URL section of the queue page and store it for later use. This will be the Queue URL that you’ll provide to Radiant Security when you create the credential for the SentinelOne Cloud Funnel connector.
Return to the S3 service and select the bucket from the list of S3 buckets.
Click the Properties tab and scroll down to Event notifications.
Click Create event notification.
In the Name field enter:
radiant-security-cloud-funnel-connector
In the Event types section, select the All object create events checkbox.
In the Destination section, select SQS queue, then either choose your created queue from the drop-down or enter the ARN/resource ID that you previously saved.
Click Save changes to submit the changes.
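Before you paste the two policies above into the AWS console, it is worth checking the rendered result once offline. The following script is an added example, not Radiant Security's or SentinelOne's code: it fills the <BUCKET-NAME> and <resource> placeholders into the bucket policy and queue policy exactly as they appear on this page, confirms no placeholder was left behind, checks that the queue name follows the required radiant-security-cloud-funnel-connector-<tenant-name> format (the character and length limits it enforces are the general SQS queue-name rules, assumed here), and flags where the queue policy is broader than this pipeline needs. In particular, the page's SendMessage statement accepts events from any S3 bucket (aws:SourceArn of arn:aws:s3:::*); S3 sets aws:SourceArn to the sending bucket's ARN, so the lint points out that naming your destination bucket there is a tighter alternative. The bucket, queue and account values in the usage call are constructed samples.

```python
"""Offline pre-flight checks for the S3 bucket policy and SQS access policy used in the
Cloud Funnel -> S3 -> SQS -> Radiant pipeline. Added example; no AWS calls are made."""
import json
import re

# Values exactly as given in the guide.
RADIANT_ACCOUNT_ID = "649384204969"
RADIANT_PRINCIPAL = f"arn:aws:iam::{RADIANT_ACCOUNT_ID}:root"

# Required queue-name prefix from the guide; the allowed tenant characters and the
# 80-character cap are the general SQS queue-name rules (assumed, not from the guide).
QUEUE_NAME_RE = re.compile(r"^radiant-security-cloud-funnel-connector-[A-Za-z0-9_-]+$")
SQS_MAX_NAME_LEN = 80


def render_bucket_policy(bucket_name: str) -> dict:
    """Bucket policy from the guide with <BUCKET-NAME> substituted."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": RADIANT_PRINCIPAL},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket_name}/*",
        }],
    }


def render_queue_policy(queue_arn: str) -> dict:
    """Queue access policy from the guide with both <resource> values substituted."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "SQS:SendMessage",
                "Resource": queue_arn,
                "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::*"}},
            },
            {
                "Effect": "Allow",
                "Principal": {"AWS": RADIANT_PRINCIPAL},
                "Action": ["SQS:ReceiveMessage", "SQS:DeleteMessage", "SQS:GetQueueAttributes"],
                "Resource": queue_arn,
            },
        ],
    }


def find_placeholders(policy: dict) -> list:
    """Return every <PLACEHOLDER> token still present anywhere in the policy."""
    return re.findall(r"<[A-Za-z-]+>", json.dumps(policy))


def check_queue_name(name: str) -> bool:
    """True if the queue name has the required prefix and is a legal SQS name."""
    return len(name) <= SQS_MAX_NAME_LEN and QUEUE_NAME_RE.fullmatch(name) is not None


def lint_queue_policy(policy: dict, bucket_name: str) -> list:
    """Advisory findings: over-broad SendMessage scope, unexpected consumer principal."""
    findings = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if "SQS:SendMessage" in actions and principal == "*":
            src = stmt.get("Condition", {}).get("ArnLike", {}).get("aws:SourceArn")
            if src is None:
                findings.append("SendMessage is open to any principal with no aws:SourceArn condition")
            elif src == "arn:aws:s3:::*":
                findings.append(
                    "SendMessage accepts events from any S3 bucket; "
                    f"arn:aws:s3:::{bucket_name} would restrict it to the destination bucket"
                )
        if "SQS:ReceiveMessage" in actions and principal != RADIANT_PRINCIPAL:
            findings.append(f"ReceiveMessage granted to unexpected principal {principal!r}")
    return findings


def preflight(bucket_name: str, queue_name: str, queue_arn: str) -> dict:
    """Render both policies and return a small report a reviewer can act on."""
    bucket_policy = render_bucket_policy(bucket_name)
    queue_policy = render_queue_policy(queue_arn)
    return {
        "queue_name_ok": check_queue_name(queue_name),
        "placeholders": find_placeholders(bucket_policy) + find_placeholders(queue_policy),
        "findings": lint_queue_policy(queue_policy, bucket_name),
        "bucket_policy": bucket_policy,
        "queue_policy": queue_policy,
    }


if __name__ == "__main__":
    # Constructed sample values; 111122223333 is a placeholder account, not a real tenant.
    queue = "radiant-security-cloud-funnel-connector-examplecorp"
    report = preflight("example-cloud-funnel-logs", queue, f"arn:aws:sqs:us-east-1:111122223333:{queue}")
    print(json.dumps(report, indent=2))
```

The report's "findings" are advisory: the policy as printed on this page works with the integration, and the lint only tells you where you could narrow it. An empty "placeholders" list and queue_name_ok set to true are the two results that must hold before you click Create queue.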
Enable Cloud Funnel
Make note of the name of the S3 bucket destination for Cloud Funnel.
Log into your SentinelOne console with an Admin role account.
Hover your cursor over the SentinelOne logo to open the navigation pane.
Select Settings and then click the INTEGRATIONS tab.
In the navigation pane, select Cloud Funnel.
From the Cloud Providers drop-down, select AWS (Amazon Web Services).
In the S3 bucket name field, paste the destination S3 bucket name that you noted at the start of this section.
Click Validate to ensure SentinelOne has access to the bucket.
Select the Enable Telemetry Streaming checkbox.
Add the query filter endpoint.name = * to the filter box, then click the Validate button to ensure the query is valid.
Click the Save button.
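Once telemetry streaming is enabled, the queue you created receives one S3 event notification per object that Cloud Funnel writes, and Radiant consumes those notifications. The following is an added example, not Radiant Security's or SentinelOne's code, of what a consumer of that queue has to handle; it is useful when you want to confirm the S3-to-SQS wiring yourself before handing the Queue URL over. Two message kinds arrive: the s3:TestEvent that S3 sends to the queue when the event notification is created, which carries no object and must be skipped, and ObjectCreated records. Object keys in these records are URL-encoded, so they are decoded, and because the queue policy on this page allows any S3 bucket to send to the queue, records naming a bucket other than your destination bucket are set aside rather than processed. The message bodies and object keys below are constructed samples and do not reflect how Cloud Funnel names its objects.

```python
"""Parse S3 event notifications as they arrive on the Cloud Funnel notification queue.
Added example; the message bodies below are constructed, not captured from a real queue."""
import json
from urllib.parse import unquote_plus

# S3 sends this once, when the event notification is configured on the bucket.
TEST_EVENT = json.dumps({
    "Service": "Amazon S3",
    "Event": "s3:TestEvent",
    "Time": "2024-01-01T00:00:00.000Z",
    "Bucket": "example-cloud-funnel-logs",
    "RequestId": "EXAMPLE-REQUEST-ID",
    "HostId": "EXAMPLE-HOST-ID",
})

# A real notification: one record for our bucket (constructed key with URL-encoded
# characters) and one record from a bucket that should not be feeding this queue.
CREATE_EVENT = json.dumps({
    "Records": [
        {
            "eventVersion": "2.1",
            "eventSource": "aws:s3",
            "eventName": "ObjectCreated:Put",
            "s3": {
                "bucket": {"name": "example-cloud-funnel-logs",
                           "arn": "arn:aws:s3:::example-cloud-funnel-logs"},
                "object": {"key": "constructed%20prefix/part+0001.json", "size": 1234},
            },
        },
        {
            "eventVersion": "2.1",
            "eventSource": "aws:s3",
            "eventName": "ObjectCreated:Put",
            "s3": {
                "bucket": {"name": "other-bucket", "arn": "arn:aws:s3:::other-bucket"},
                "object": {"key": "unrelated.json", "size": 10},
            },
        },
    ]
})


def parse_notification(body: str, expected_bucket: str) -> dict:
    """Return {"keys": [decoded keys to fetch], "rejected": [bucket names skipped]}.

    The s3:TestEvent yields no keys. Non-create events are ignored. Records whose
    bucket is not expected_bucket are reported in "rejected" instead of being fetched.
    """
    msg = json.loads(body)
    if msg.get("Event") == "s3:TestEvent":
        return {"keys": [], "rejected": []}

    keys, rejected = [], []
    for record in msg.get("Records", []):
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = record["s3"]["bucket"]["name"]
        if bucket != expected_bucket:
            rejected.append(bucket)
            continue
        # S3 URL-encodes keys in notifications; '+' stands for a space.
        keys.append(unquote_plus(record["s3"]["object"]["key"]))
    return {"keys": keys, "rejected": rejected}


if __name__ == "__main__":
    for body in (TEST_EVENT, CREATE_EVENT):
        print(parse_notification(body, "example-cloud-funnel-logs"))
```

If you poll the queue yourself while testing (for example with the AWS console's "Send and receive messages" view), the very first message you see should be the s3:TestEvent; a real ObjectCreated record follows only after Cloud Funnel has written its first object, and its bucket name should always be your destination bucket.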
Add the CloudFunnel data connector in Radiant Security
Log in to Radiant Security.
From the navigation menu, select Settings > Data Connectors and click + Add Connector.
Search for and select the SentinelOne CloudFunnel option from the list and then click Data Feeds.
Click Credentials.
Give the credential an identifiable name (e.g. SentinelOne Cloud Funnel Credentials). Under Required Credentials, paste in the Queue URL that you copied from the previous section.
Click Add Connector to save the changes.
What data Cloud Funnel collects
Cloud Funnel collects telemetry data only. To collect alerts and device information, you must pair Cloud Funnel with the SentinelOne Deep Visibility Alerts connector using the instructions below.
Create a role and add the necessary permissions
Log into your SentinelOne console with an Admin role account.
Hover your cursor over the SentinelOne logo to open the navigation pane.
Select Settings and then click the USERS tab.
In the navigation pane, select Roles.
From the Actions drop-down menu, select New Role.
In the dialog box, fill in the following information:
Role Name:
Radiant Security Service Role
Description:
Radiant Security API Service Role
Find and add the following permissions to give Radiant Security access to read data:
Endpoints: View, View Threats, and Search on Deep Visibility
Endpoint Threats: View
SDL Data: View and View EDR
SDL Search (Formerly Skylight): View
This step is optional. Find and add the following permissions to give Radiant Security access to take certain actions in your environment:
Endpoints: Disconnect from Network and Reconnect to Network
Blocklist: View, Edit, Delete, and Create
Full Disk Scan: Initiate Scan and Abort Scan
Click Save.
Create a service user and generate the API token
Log into your SentinelOne console with an Admin role account.
Hover your cursor over the SentinelOne logo to open the navigation pane.
Select Settings and then click the USERS tab.
In the navigation pane, select Service Users.
From the Actions drop-down menu, select Create New Service User.
In the dialog box, fill in the service account information:
Name: radiant_api_service
Description: Radiant Security API Service Account
Expiration Date: 1 Years
Click Next.
If you manage multiple customers:
Under Select Scope of Access, click Site.
Select the site that belongs to the customer that you are configuring monitoring for.
If you do not manage multiple customers:
Under Select Scope of Access, click Account.
Select the account that the user should have access to.
From the role type drop-down menu, select the Radiant Security Service Role created in the previous steps.
Click Create User to save the newly created user.
In the API Token dialog box, copy the API Token value to provide to Radiant Security.
Important note: Be sure to copy and store the API token value carefully, as it cannot be retrieved later. This will be provided to Radiant Security in the next section.
Add the credentials in Radiant Security
Log in to Radiant Security.
From the navigation menu, select Settings > Credentials and click + Add Credential.
Select SentinelOne from the list and click Configure Credential.
Under Credential Name, give the credential an identifiable name (e.g. SentinelOne Deep Visibility Credentials). Under API Base URL, paste in your SentinelOne console base URL in the format https://<host>.sentinelone.net.
Under API Token, paste the token that you copied in a previous step.
Click Add Credential to save the changes.
Add the Deep Visibility data connector in Radiant Security
Log in to Radiant Security.
From the navigation menu, select Settings > Data Connectors and click + Add Connector.
Search for and select the SentinelOne option from the list and then click Data Feeds.
Select only the Deep Visibility Alerts data feed and click Credentials.
From the drop-down menu, select the SentinelOne credential that you created in the previous section.
Click Add Connector to save the changes.