Introduction
Recorded Future Collective Insights is a new type of analytic that gives clients a complete view of which threats matter to their organization. Collective Insights aggregates detections across all of a client's integrations and shows trends across them, so that TI and SecOps users can better prevent and protect client networks by prioritizing their actions on the detections and TTPs that are most common across those networks. This article walks through how to set up Collective Insights for SentinelOne using the Recorded Future Collective Insights API.
Recorded Future also offers a push service configuration option to set up Collective Insights for SentinelOne. This configuration is maintained by Recorded Future and does not require the client to maintain a script. Please check the Recorded Future Collective Insights for SentinelOne [Push] article for instructions.
Set up Collective Insights with SentinelOne
Attached to this article is a script (S1-Collective_Insights.py) that maps SentinelOne detections to Recorded Future's Collective Insights data model. The script makes API requests to build a JSON object for each IOC from SentinelOne, with supporting evidence, to be sent to the Recorded Future Collective Insights API. It also checks whether MITRE ATT&CK codes are available for each IOC and includes them in the JSON upload. You will need the following to run this script:
- A valid Recorded Future collective insights API Key (email support@recordedfuture.com to request this)
- A SentinelOne API Key
- A SentinelOne Endpoint URL
- Update the script to set the S1 API endpoint URL and S1 API token
- Add your Recorded Future API Token to the script
- The script is hosted by the client. To get the most out of Collective Insights, it is recommended that a cron job runs the script at least once an hour to push the latest SentinelOne events to the Recorded Future Collective Insights API.
- By default the script collects detections from the past day. If you run it more often, change the lookback line to match the interval between runs. For example, if running hourly, change (days=1) to (hours=1).
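The following is an added example of the mapping described above, not the S1-Collective_Insights.py script attached to this article. It takes a constructed SentinelOne threat record, pulls out the file-hash IOCs and any MITRE ATT&CK technique IDs, builds one Collective Insights detection object per IOC, and shows where the lookback interval (days=1 versus hours=1) is set. The SentinelOne field names (threatInfo, indicators, tactics, techniques, createdAt__gte), the Collective Insights endpoint URL, the X-RFToken header and the payload schema are all assumptions from memory of the public API docs; verify them against your tenant and the attached script before use.

```python
"""Added example: map a SentinelOne threat to Collective Insights detections.

Not the article's attached script. Field names and endpoints are assumptions.
"""
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional

# Placeholders: replace with your tenant URL and tokens (keep real tokens out of shared scripts).
S1_BASE_URL = "https://YOUR-TENANT.sentinelone.net"
S1_API_TOKEN = "S1_API_TOKEN_PLACEHOLDER"
RF_CI_URL = "https://api.recordedfuture.com/collective-insights/detections"  # assumed endpoint
RF_API_TOKEN = "RF_API_TOKEN_PLACEHOLDER"

# Lookback window. The article's script defaults to days=1; for an hourly cron use hours=1.
RUN_INTERVAL = timedelta(days=1)

# Matches "T1055" or "T1059.001" whether S1 supplies the bare ID or "T1055 Process Injection".
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


def window_start(interval: timedelta, now: Optional[datetime] = None) -> str:
    """ISO-8601 lower bound for the assumed S1 'createdAt__gte' query parameter."""
    now = now or datetime.now(timezone.utc)
    return (now - interval).strftime("%Y-%m-%dT%H:%M:%SZ")


def extract_iocs(threat: dict) -> list:
    """File-hash IOCs from one S1 threat (assumed 'threatInfo' field names)."""
    info = threat.get("threatInfo") or {}
    return [{"type": "hash", "value": info[k]} for k in ("sha256", "sha1", "md5") if info.get(k)]


def extract_mitre_codes(threat: dict) -> list:
    """Unique ATT&CK technique IDs from the threat's indicators (assumed nesting), first-seen order."""
    codes = []
    for indicator in threat.get("indicators") or []:
        for tactic in indicator.get("tactics") or []:
            for technique in tactic.get("techniques") or []:
                match = TECHNIQUE_RE.search(str(technique.get("name", "")))
                if match and match.group(0) not in codes:
                    codes.append(match.group(0))
    return codes


def build_detections(threat: dict) -> list:
    """One Collective Insights detection object per IOC; mitre_codes only when S1 supplied any."""
    info = threat.get("threatInfo") or {}
    codes = extract_mitre_codes(threat)
    out = []
    for ioc in extract_iocs(threat):
        record = {
            "ioc": ioc,
            "timestamp": info.get("createdAt"),
            "detection": {"type": "detection_rule", "id": str(threat.get("id")), "name": info.get("threatName")},
        }
        if codes:
            record["mitre_codes"] = codes
        out.append(record)
    return out


def post_detections(detections: list, dry_run: bool = True) -> dict:
    """Wrap detections in the assumed CI envelope and POST them; dry_run returns the payload unsent."""
    payload = {"data": detections, "options": {"debug": False, "summary": True}}
    if dry_run:
        return payload
    req = urllib.request.Request(
        RF_CI_URL,
        data=json.dumps(payload).encode(),
        headers={"X-RFToken": RF_API_TOKEN, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample shaped like one item from the assumed S1 /web/api/v2.1/threats response.
SAMPLE_THREAT = {
    "id": "1234567890123456789",
    "threatInfo": {
        "createdAt": "2024-01-15T10:23:45.123456Z",
        "threatName": "suspicious.exe",
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    },
    "indicators": [
        {"tactics": [{"name": "Defense Evasion", "techniques": [{"name": "T1055"}]}]},
        {"tactics": [{"name": "Execution", "techniques": [{"name": "T1059.001 PowerShell"}]}]},
        {"tactics": [{"name": "Privilege Escalation", "techniques": [{"name": "T1055"}]}]},  # duplicate
    ],
}

if __name__ == "__main__":
    print("S1 query lower bound:", window_start(RUN_INTERVAL))
    print(json.dumps(post_detections(build_detections(SAMPLE_THREAT)), indent=2))
```

Run as-is it prints the dry-run payload for the constructed threat; to actually send, fetch threats from SentinelOne with createdAt__gte set to window_start(RUN_INTERVAL), feed each one through build_detections, and call post_detections with dry_run=False.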
Results
Once the script has run at least once, collective insights results can be viewed in the Recorded Future UI in the SecOps Dashboard. The SecOps Dashboard panels in the UI will be populated displaying Detection Trends and Detection Activity (MITRE ATT&CK Heatmap).
Click into the Detection Trends and Detection Activity panels to see which detections are driving each analytic and to gain insight into the attributes shared by all detections coming from SentinelOne.