SentinelOne Cloud Funnel

Configure the connector for SentinelOne (Cloud Funnel).

Overview

In this guide, you will create a service account and generate API credentials in SentinelOne to ingest endpoint alerts and events in Radiant Security.

At the end of this configuration, you will provide Radiant Security with the following values:

  • API Token
  • Queue URL for the S3 bucket
  • API Base URL (console URL). For example: https://usea1-swprd1.sentinelone.net

To do this, you’ll need to complete the steps in the sections below.

Prerequisites

Admin role for the SentinelOne environment that you want to connect to Radiant Security.

Create a service user in SentinelOne

  1. Log into your SentinelOne console with an Admin role account.
  2. Hover your mouse pointer under the SentinelOne logo to open the navigation pane.
  3. Select Settings and then click the USERS tab.
  4. In the navigation pane, select Service Users.
  5. From the Actions drop-down list, select Create New Service User.
  6. In the dialog box, fill in the service account information with the following:
    1. Name: radiant_api_service
    2. Description: Radiant Security API Service Account
    3. Expiration Date: 1 Year
  7. Click Next.
  8. If you manage multiple customers:
    1. Under Select Scope of Access, click Site.
    2. Select the site that belongs to the customer that you are configuring monitoring for.
  9. If you do not manage multiple customers:
    1. Under Select Scope of Access, click Account.
    2. Select the account that the user should have access to.
  10. From the role type drop-down list, select Viewer.
  11. Click Create User to save the newly created user.
  12. In the API Token dialog box, copy the API Token value to provide to Radiant Security.

Important note: Be sure to record and store the API token value securely, as it cannot be retrieved later. You will provide it to Radiant Security in a later step.

Create a destination S3 bucket

Note: If you are already exporting Cloud Funnel logs to an existing bucket or Radiant Security is providing a bucket for you, you can skip this section.

  1. From the AWS console, select the S3 service.
  2. Click Create bucket to make a new bucket.
  3. Select your preferred region and give the destination bucket a unique name. Note this name down for later.
  4. Under Object Ownership, select the ACLs enabled option.
  5. Click Create bucket to complete the bucket creation.
  6. To grant SentinelOne access to the bucket, refer to their help guide page How To Configure Your Amazon S3 Bucket to obtain their AWS account ID.

Grant Radiant Security permissions to the S3 bucket

Note: If Radiant Security is providing a bucket for you, you can skip this section and the following section.

  1. Select the bucket from the list of S3 buckets.
  2. Click the Permissions tab.
  3. Edit the Bucket policy and add the following statement. Be sure to replace the value <BUCKET-NAME> with the name of the bucket containing the Cloud Funnel logs:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::649384204969:root"
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::<BUCKET-NAME>/*"
            }
        ]
    }
  4. Click Save changes.

Create and configure a notification queue for the S3 bucket

Important note: Be sure that the queue name conforms to the format provided, as the integration will not work otherwise.

  1. Select SQS from the list of AWS services.
  2. Click Create queue.
  3. Give the queue the name radiant-security-cloud-funnel-connector-<tenant-name>, replacing <tenant-name> with your organization name.
  4. Ensure that the Configuration values match the following:
    • Visibility timeout: 11 Minutes
    • Delivery delay: 0 Seconds
    • Receive message wait time: 0 Seconds
    • Message retention period: 4 Days
    • Maximum message size: 256 KB
  5. In the Access policy section, copy the Resource value and save it.
  6. Replace the Access policy with the following. Be sure to replace each Resource value with the Resource value you copied in step 5:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": "*",
          "Action": "SQS:SendMessage",
          "Resource": "arn:aws:sqs:us-west-2:491085242886:radiant-security-cloud-funnel-connector-brlabs",
          "Condition": {
            "ArnLike": {
              "aws:SourceArn": "arn:aws:s3:::*"
            }
          }
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::649384204969:root"
          },
          "Action": "SQS:ReceiveMessage",
          "Resource": "arn:aws:sqs:us-west-2:491085242886:radiant-security-cloud-funnel-connector-brlabs"
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::649384204969:root"
          },
          "Action": "SQS:DeleteMessage",
          "Resource": "arn:aws:sqs:us-west-2:491085242886:radiant-security-cloud-funnel-connector-brlabs"
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::649384204969:root"
          },
          "Action": "SQS:GetQueueAttributes",
          "Resource": "arn:aws:sqs:us-west-2:491085242886:radiant-security-cloud-funnel-connector-brlabs"
        }
      ]
    }
  7. Click Create queue to create the queue.
  8. Copy the value in the URL section of the queue page and store it for later use. This will be the Queue URL that you’ll provide to Radiant Security when you create the credential for the SentinelOne Cloud Funnel connector.
  9. Return to the S3 service and select the bucket from the list of S3 buckets.
  10. Click the Properties tab and scroll down to Event notifications.
  11. Click Create event notification.
  12. In the Name field enter: radiant-security-cloud-funnel-connector
  13. In the Event types section, select the All object create events checkbox.
  14. In the Destination section, select SQS queue, then either pick your created queue from the drop-down or paste the ARN/resource ID that you previously saved.
  15. Click Save changes to submit the changes.
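The bucket policy and the queue access policy above are the two permission boundaries of this pipeline: S3 must be allowed to publish notifications to the queue, and the Radiant Security account (649384204969 in this guide) must be allowed to read the queue and fetch the objects. The following Python is an added example, not Radiant Security's or SentinelOne's own code. It generates both policies from a bucket name and the queue ARN copied in step 5, and it checks a queue policy for the four required Allow statements, the queue naming convention, and a wildcard aws:SourceArn. It goes one step beyond the guide's policy by scoping aws:SourceArn to your bucket's ARN instead of arn:aws:s3:::*, so only that bucket can enqueue messages; the account ID and tenant in the sample queue ARN are constructed placeholders.

```python
"""Build and sanity-check the S3 bucket policy and SQS access policy for the
Cloud Funnel -> S3 -> SQS pipeline.

Added example, not Radiant Security's or SentinelOne's code. The reader account
ID comes from the guide; bucket, region, account and tenant values are placeholders.
"""
import json
import re

RADIANT_ACCOUNT_ID = "649384204969"  # reader principal named in the guide
QUEUE_NAME_PATTERN = re.compile(r"^radiant-security-cloud-funnel-connector-[a-z0-9-]+$")
REQUIRED_ACTIONS = {"SQS:SendMessage", "SQS:ReceiveMessage",
                    "SQS:DeleteMessage", "SQS:GetQueueAttributes"}


def bucket_policy(bucket_name: str, reader_account: str = RADIANT_ACCOUNT_ID) -> dict:
    """Bucket policy granting the reader account s3:GetObject on every object."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{reader_account}:root"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket_name}/*",
        }],
    }


def queue_policy(queue_arn: str, bucket_name: str,
                 reader_account: str = RADIANT_ACCOUNT_ID) -> dict:
    """Queue policy: S3 may publish to the queue; the reader account may consume it.

    Hardening beyond the guide (assumption): aws:SourceArn names the one bucket
    that should publish, rather than arn:aws:s3:::*.
    """
    reader = {"AWS": f"arn:aws:iam::{reader_account}:root"}
    statements = [{
        "Effect": "Allow",
        "Principal": "*",  # the S3 service; constrained by the SourceArn condition
        "Action": "SQS:SendMessage",
        "Resource": queue_arn,
        "Condition": {"ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{bucket_name}"}},
    }]
    for action in ("SQS:ReceiveMessage", "SQS:DeleteMessage", "SQS:GetQueueAttributes"):
        statements.append({"Effect": "Allow", "Principal": reader,
                           "Action": action, "Resource": queue_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def check_queue_policy(policy: dict, queue_arn: str) -> list[str]:
    """Return findings; an empty list means the policy grants what the connector needs."""
    findings = []
    queue_name = queue_arn.rsplit(":", 1)[-1]
    if not QUEUE_NAME_PATTERN.match(queue_name):
        findings.append(f"queue name {queue_name!r} does not follow "
                        "radiant-security-cloud-funnel-connector-<tenant-name>")
    needed = set(REQUIRED_ACTIONS)
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Resource") != queue_arn:
            findings.append(f"statement for {actions} targets {stmt.get('Resource')!r}, "
                            "not the queue ARN")
            continue
        needed.difference_update(actions)
        if stmt.get("Principal") == "*":
            # A wildcard principal is only safe when the SourceArn pins the sender.
            source = stmt.get("Condition", {}).get("ArnLike", {}).get("aws:SourceArn")
            if source is None:
                findings.append("wildcard principal without an aws:SourceArn condition: "
                                "any caller could enqueue messages")
            elif source.endswith("*"):
                findings.append(f"aws:SourceArn {source!r} accepts events from any bucket; "
                                "scope it to your bucket")
    for action in sorted(needed):
        findings.append(f"missing Allow for {action}")
    return findings


if __name__ == "__main__":
    # Placeholder values; substitute the ARN copied from the console in step 5.
    arn = "arn:aws:sqs:us-west-2:111122223333:radiant-security-cloud-funnel-connector-example"
    policy = queue_policy(arn, "example-cloudfunnel-bucket")
    print(json.dumps(policy, indent=2))
    print("findings:", check_queue_policy(policy, arn))
```

Run check_queue_policy against the policy you are about to paste into the console; a finding of "accepts events from any bucket" is what the guide's verbatim policy produces, and replacing the condition value with your bucket ARN clears it without affecting the connector.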

Enable Cloud Funnel

Note: Depending on your configuration, the S3 destination bucket will be created by you or provided to you by Radiant Security.

  1. Make note of the name of the S3 bucket destination for Cloud Funnel.
  2. Log into your SentinelOne console with an Admin role account.
  3. Hover your mouse pointer under the SentinelOne logo to open the navigation pane.
  4. Select Settings and then click the INTEGRATIONS tab.
  5. In the navigation pane, select Cloud Funnel.
  6. From the Cloud Providers drop-down, select AWS (Amazon Web Services).
  7. In the S3 bucket name field, paste the destination S3 bucket name that you noted in step 1.
  8. Click Validate to ensure SentinelOne has access to the bucket.
  9. Select the Enable Telemetry Streaming checkbox.
  10. Add the query filter endpoint.name = * to the filter box.
  11. Click the Validate button to ensure the query is valid.
  12. Click the Save button.

Add the connector in Radiant Security

  1. Log in to Radiant Security.

  2. From the navigation menu, select Settings > Data Connectors and click + Add Connector.

  3. Select the SentinelOne CloudFunnel vendor from the list and click Data Feeds and then Credentials.

  4. Give the credential an identifiable name (like SentinelOne Cloud Funnel Credentials).
  5. Under Required Credentials, add the Queue URL that you copied from the previous section.
  6. Click Add Connector to save the changes.
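Once the Queue URL is registered, the connector consumes the S3 event notifications that your bucket publishes to that queue and fetches each newly written Cloud Funnel object. The following Python is an added example of that consumer-side parsing, not Radiant Security's connector code. It handles the s3:TestEvent message that S3 publishes when the event notification is created, accepts only ObjectCreated records that name the configured bucket, URL-decodes the object key (S3 encodes keys in notifications), and de-duplicates across messages because a standard SQS queue delivers at least once. The two message bodies are constructed samples in the documented S3 notification format; the bucket name, key and timestamps are placeholders.

```python
"""Parse S3 event notification messages received from the Cloud Funnel SQS queue.

Added example, not Radiant Security's connector code. Message bodies below are
constructed samples in the S3 notification format; values are placeholders.
"""
import json
from urllib.parse import unquote_plus

BUCKET = "example-cloudfunnel-bucket"

# S3 sends this once when the event notification is saved on the bucket.
TEST_EVENT = json.dumps({
    "Service": "Amazon S3",
    "Event": "s3:TestEvent",
    "Time": "2024-03-18T11:17:01.000Z",
    "Bucket": BUCKET,
    "RequestId": "EXAMPLE-REQUEST-ID",
    "HostId": "EXAMPLE-HOST-ID",
})

# One object-created record; note the URL-encoded "=" in the key.
PUT_EVENT = json.dumps({
    "Records": [{
        "eventVersion": "2.1",
        "eventSource": "aws:s3",
        "awsRegion": "us-west-2",
        "eventTime": "2024-03-18T11:17:05.000Z",
        "eventName": "ObjectCreated:Put",
        "s3": {
            "bucket": {"name": BUCKET, "arn": f"arn:aws:s3:::{BUCKET}"},
            "object": {"key": "dt%3D2024-03-18/part-0.json.gz", "size": 1024},
        },
    }]
})


def parse_notification(body: str, expected_bucket: str) -> list[tuple[str, str]]:
    """Return (bucket, key) pairs for object-created records in one message body.

    Returns [] for the s3:TestEvent, for non-ObjectCreated records, and for
    records naming a bucket other than the one configured for Cloud Funnel.
    """
    msg = json.loads(body)
    if msg.get("Event") == "s3:TestEvent":
        return []
    objects = []
    for record in msg.get("Records", []):
        if record.get("eventSource") != "aws:s3":
            continue
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = record["s3"]["bucket"]["name"]
        if bucket != expected_bucket:
            continue  # never fetch from a bucket this connector was not configured for
        key = unquote_plus(record["s3"]["object"]["key"])  # undo S3's URL encoding
        objects.append((bucket, key))
    return objects


def collect_objects(bodies: list[str], expected_bucket: str) -> list[tuple[str, str]]:
    """Flatten a batch of message bodies into an ordered, de-duplicated object list."""
    seen = set()
    ordered = []
    for body in bodies:
        for item in parse_notification(body, expected_bucket):
            if item not in seen:
                seen.add(item)
                ordered.append(item)
    return ordered


if __name__ == "__main__":
    # A batch with a duplicate delivery and the initial test event.
    for bucket, key in collect_objects([PUT_EVENT, PUT_EVENT, TEST_EVENT], BUCKET):
        print(f"fetch s3://{bucket}/{key}")
```

In a real poller each fetched object is deleted from the queue only after it has been processed, which is why the guide's 11-minute visibility timeout matters: a message that fails mid-processing reappears for retry instead of being lost.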

Necessary alerts and devices info

Cloud Funnel only brings in telemetry, not alerts or device information. Therefore, it must be coupled with the SentinelOne connector (or another EDR, in cross-EDR scenarios). To collect SentinelOne alert and device data and configure the action connector that enables one-click mitigation tasks, follow the instructions in our SentinelOne (Deep Visibility) guide.

Note: At the Select your data feeds step, select only Deep Visibility Alerts and don’t select SentinelOne, since the Cloud Funnel connector will already be collecting Endpoint Events.


Last updated: 2024-08-23