Red Canary’s integration with the SentinelOne Singularity Engine begins with Red Canary connecting to SentinelOne through a data-streaming product called Cloud Funnel. This process was created in partnership between Red Canary and SentinelOne's engineering teams. 

While most SentinelOne integrations are focused on the alerts generated by the platform, Red Canary’s low-level integration ingests both the alerts and raw telemetry generated by the SentinelOne Sentinel Agent. This telemetry is processed and analyzed by the Red Canary platform and then by our Cyber Incident Response Team (CIRT) to confirm and investigate threats while eliminating false positives.

This combination of SentinelOne, telemetry, and Red Canary’s detection and response delivers the best security outcomes for SentinelOne users.

How it works

Red Canary and SentinelOne leverage Cloud Funnel to stream deep visibility telemetry from SentinelOne into the Red Canary engine. In addition, Cloud Funnel is an XDR data lake that utilizes an Amazon S3 Bucket that enables Red Canary to tap into your telemetry stream. 

Note: Cloud Funnel 2.0 only allows 1 outside third-party connection that Red Canary utilizes. 

Getting started

Your Red Canary team can help you step through the process of connecting your existing SentinelOne environment to Red Canary. Don’t have SentinelOne? Don’t worry: we can also work with you to get it provisioned and running!

• OS Support for SentinelOne and details about their product bundles

What are the automatic functionalities available with SentinelOne & Red Canary?

Currently, we only offer notification, ban file hashes (IOC), isolate and de-isolate functions as automation features. 

What kind of data does Red Canary process?

We receive all the data collected by your SentinelOne agents, as well as a number of system events generated by the SentinelOne Singularity platform. Telemetry that is visible in SentinelOne Deep Visibility (Endpoint telemetry) is used for detection purposes, whereas several system events become audit logs in the Red Canary platform.

What happens to my SentinelOne alerts when I activate Red Canary?

Every alert generated by SentinelOne's detection rules is consumed by Red Canary and provided to you in the Alerts feature of the Red Canary platform. Red Canary’s investigation of these alerts is currently pending as we standardize alert ingestion. Alerts are reviewed by Red Canary's CIRT, which adds additional context to confirmed alerts to accelerate your response.