This article leads you through the process of integrating SentinelOne Cloud Funnel 2.0 with Red Canary. Follow the procedure from beginning to end.

Prerequisites

Your SentinelOne user must have admin level access
Your SentinelOne tenant must have Cloud Funnel 2.0 enabled
You must have Alert State sync enabled on your SentinelOne external alert source

Step 1: SentinelOne–Validate that Cloud Funnel 2.0 is available and enabled in SentinelOne

Ensure that Cloud Funnel 2.0 is enabled in your SentinelOne account.

Login to your SentinelOne admin account.
From the SentinelOne navigation menu, click Settings.
Click the Accounts tab, and then click the pencil icon (action) next to the account being integrated with Red Canary.
In the edit account page, review the Add-ons section.
1. If visible, select Cloud Funnel.
2. If Cloud Funnel is not visible, submit a support case to SentinelOne to request that they make Cloud Funnel 2.0 available in your account.
Click Save Changes.

Red Canary requires access to your SentinelOne account for our customer security operations team to provide quality service.

Login to your SentinelOne admin account.
From the SentinelOne navigation menu, select the account you want Red Canary to have access to.
Click SETTINGS.
Click the USERS tab.
Click Console Users.
Click the Actions dropdown.
Click Add New User.
For the Full Name field, enter Red Canary Access.
For the Email Address field, enter the email provided by Red Canary via email.
Click Next.
From the Access Level section, select the appropriate level of access, Site or Account.
Type and then select the account or site name that Red Canary is gaining access to.
From the viewer dropdown, select Admin.
Click Create User.
Note: Once the service account is created, Red Canary will create an additional Viewer level service account for our Customer Security Operations (CSO) team. If you have purchased Active Remediation, Red Canary will also create an Incident Response (IR) Team level service account.

You will need three pieces of information in order to connect SentinelOne Cloud Funnel 2.0 to Red Canary.

Login to your SentinelOne admin account.
From your address bar, copy the URL, and then save your SentinelOne Management API Host. You’ll use this in a later step.
Example: https://usea1-100-abc.sentinelone.net
From the SentinelOne navigation menu, click Sentinels.
Click the ACCOUNT INFO tab. You’ll use this in a later step.
Copy and then save the Account ID. You’ll use this in a later step.
From the SentinelOne navigation menu, click Settings.
Click your user profile dropdown, and then click My User.
Click the Options dropdown.
Click Generate API Token.
Copy and then save the API Token. You’ll use this in a later step.
Click Close.

Enter your SentinelOne credentials to configure telemetry streaming in Red Canary.

From your Red Canary homepage, click Integrations.
From the Integrations section, locate and then click the security product you want to integrate with Red Canary.
Note: If you do not see your security product listed, click See all integrations.
In the search bar, type and then select your third-party security source.
Continue onto the next step by configuring your third-party security source in Red Canary.
Note: Your third-party security source may require that you contact Red Canary to configure.
Enter your SentinelOne Management Account ID from Step 3.5.
Enter your SentinelOne Management API Token from Step 3.10.
Enter your SentinelOne Management API Host from Step 3.2.
Select a SentinelOne Account Type.
- This will most likely be an Account Type of "Account" for most integrations. However, if the configured tenant is set up as a site level tenant, select "Site."
Click Save.