Introduction
Recorded Future's Collective Insights is a new type of Recorded Future analytics, providing clients with a complete view of what threats matter to an organization. Collective Insights enables Recorded Future’s clients to analyze detected incidents to create an intelligence resource for use in two ways:
- Collective Insights provides clients with a comprehensive view of detections across their infrastructure and controls.
- Anonymized data can be used to create visualizations and analytics comparing threat vectors and the entire threat landscape for your enterprise anonymously compared to specific industries and geographies.
For more information on Recorded Future's Collective Insights, please see the Getting Started with Collective Insights page.
- Threat ID
- Indicator
- Timestamp
Getting Started
There are 2 different deployment modes for setting up Collective Insights for SentinelOne:
1. Hosted service - In this mode, the connector for ingesting detections from SentinelOne is hosted by Recorded Future, which pulls detections from SentinelOne.
2. Scripted solution - In this mode, the connector for ingesting detections from SentinelOne is deployed as a script in the customer's environment, which pushes detections from SentinelOne.
Install via the Integration Center (Preferred)
To enable the Recorded Future integration for SentinelOne, navigate to the Integration Center in the left-hand menu.
Click the SentinelOne tile.
You will see additional details and resources for the integration. Click the blue Set up button.
Note: You must be an administrator to see the Set up button.
Enter the requested information in the modal that displays.
- Connector Name: Collective Insights Connector For SentinelOne
SentinelOne Authentication
- Instance URL: URL shown in browser address bar when logged into SentinelOne XDR
- API Key: Located in SentinelOne XDR, under User > My User
Detection Parameters
- Only Fetch Analyst-Verified Events (unchecked by default)
- Connector Update Frequency: The Update Frequency refers to the duration of time that Recorded Future will pause between updates. This can be set to hours, minutes, or days. Note that Recorded Future will poll for updates based on this frequency, but for all new events since the last time queried. The default (suggested) frequency is every 30 minutes.
Initial Import
- Detections Created Last: The duration of historical information that Recorded Future will pull during the initial setup. The default range is 1 day; ranges longer than the previous 24 hours may cause delays in the setup process.
Click Activate.
Steps to deploy Scripted Solution (Advanced)
Attached to this article is a script (S1-Collective_Insights.py) that maps SentinelOne detections to Recorded Future's Collective Insights data model. The script makes API requests to build a JSON object for each IOC from SentinelOne, with supporting evidence, to be sent to the Recorded Future Collective Insights API. It also checks whether MITRE ATT&CK codes are available for each IOC and includes them in the JSON upload. You will need the following to run this script:
- A valid Recorded Future collective insights API Key (email support@recordedfuture.com to request this)
- A SentinelOne API Key
- A SentinelOne Endpoint URL
- Update the script to set the S1 API endpoint URL and S1 API token
- Add your Recorded Future API Token to the script
- The script will be hosted by the client. To maximize analysis using Collective Insights, it is recommended that a cron job is set up to run the script at least once an hour to pull the latest events from SentinelOne to the Recorded Future Collective Insights API.
- The script by default will collect detections from the past day. If you are running this more often, change this line to represent the interval between runs. For example, if running hourly, change (days=1) to (hours=1)
FAQ
1. How do I create the API Key in SentinelOne for Collective Insights?
When logged into SentinelOne, go to the Management console and navigate to Settings -> Users -> Current User and click on "Generate API Token." Copy the generated API token to be reused for deployment.
2. What permissions are needed for this API Key for Collective Insights?
The default Viewer permissions suffice to access detections from SentinelOne.
3. Why don't I see any detections or why do I see a mismatch in the number of threats between SentinelOne and the Detection Trends dashboard?
Not all threats from SentinelOne make it to Collective Insights. The following criteria have to be met in order for a threat in SentinelOne to be sent to Collective Insights:
- There should be a threat information section inside the threat in SentinelOne
- There should be at least one non-null value in sha1, sha256 or md5 under threat information (order of precedence: sha256, sha1, md5)
4. Why don't I see any MITRE codes related to my SentinelOne threats in the Detection Activity dashboard?
The following criteria have to be met in order for MITRE codes in threats under SentinelOne to be reflected in the Detection Activity dashboard:
- There should be a non-null indicators array inside the threat in SentinelOne
- There should be non-null tactics available inside the indicator objects under the indicators array
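The selection rules in FAQ items 3 and 4, together with the script behaviour described under "Steps to deploy Scripted Solution", can be expressed as a small mapping routine. The following is an added example and is not Recorded Future's S1-Collective_Insights.py; the threat dictionaries are constructed samples shaped after the fields the article names (threatInfo with sha256/sha1/md5, an indicators array with tactics), the `threatId`/`createdAt`/`name` keys and the output field names `threat_id`, `indicator`, `timestamp` and `mitre_codes` are assumptions, and `lookback_start` shows the effect of changing the script's `timedelta(days=1)` to match a shorter cron interval.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Precedence stated in FAQ 3: sha256 first, then sha1, then md5.
HASH_PRECEDENCE = ("sha256", "sha1", "md5")


def select_indicator(threat: dict) -> Optional[Tuple[str, str]]:
    """Return (hash_type, value) for the first non-null hash under threatInfo,
    or None when the threat does not qualify (no threatInfo section, or no hash).
    Such threats are the usual cause of a count mismatch (FAQ 3)."""
    info = threat.get("threatInfo")
    if not isinstance(info, dict):
        return None
    for algo in HASH_PRECEDENCE:
        value = info.get(algo)
        if value:  # treats None and "" alike as "no value"
            return algo, value
    return None


def extract_mitre_codes(threat: dict) -> List[str]:
    """Collect tactic and technique names from indicators[*].tactics (FAQ 4).
    A null indicators array or null tactics yields an empty list, which is why
    such threats show no MITRE codes on the dashboard. The 'name' and
    'techniques' keys on tactic objects are assumptions for this example."""
    codes: List[str] = []
    for indicator in threat.get("indicators") or []:
        for tactic in indicator.get("tactics") or []:
            for name in [tactic.get("name")] + [
                t.get("name") for t in tactic.get("techniques") or []
            ]:
                if name and name not in codes:
                    codes.append(name)
    return codes


def build_detection(threat: dict) -> Optional[dict]:
    """Map one SentinelOne threat to a Collective Insights-style entry.
    Output field names are assumptions based on the fields the article lists."""
    selected = select_indicator(threat)
    if selected is None:
        return None
    hash_type, value = selected
    info = threat["threatInfo"]
    return {
        "threat_id": info.get("threatId"),
        "indicator": {"type": hash_type, "value": value},
        "timestamp": info.get("createdAt"),
        "mitre_codes": extract_mitre_codes(threat),
    }


def map_threats(threats: List[dict]) -> Tuple[List[dict], List[str]]:
    """Return (entries to upload, ids of skipped threats). Logging the skipped
    ids is what lets an analyst explain a SentinelOne vs. dashboard mismatch."""
    entries, skipped = [], []
    for threat in threats:
        entry = build_detection(threat)
        if entry is None:
            skipped.append(threat.get("id"))
        else:
            entries.append(entry)
    return entries, skipped


def lookback_start(interval: timedelta, now: Optional[datetime] = None) -> str:
    """ISO 8601 lower bound for the 'created since' query. The article's script
    uses timedelta(days=1); an hourly cron job should pass timedelta(hours=1)."""
    now = now or datetime.now(timezone.utc)
    return (now - interval).strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed sample threats (not real SentinelOne data).
SAMPLE_THREATS = [
    {   # qualifies; sha256 wins over sha1; carries MITRE tactic + technique
        "id": "t1",
        "threatInfo": {"threatId": "t1", "createdAt": "2024-01-01T10:00:00Z",
                       "sha256": "aa" * 32, "sha1": "bb" * 20, "md5": None},
        "indicators": [{"tactics": [{"name": "Execution",
                                     "techniques": [{"name": "T1059"}]}]}],
    },
    {   # qualifies on sha1; empty indicators array, so no MITRE codes
        "id": "t2",
        "threatInfo": {"threatId": "t2", "createdAt": "2024-01-01T10:05:00Z",
                       "sha256": None, "sha1": "cc" * 20, "md5": "dd" * 16},
        "indicators": [],
    },
    {   # threatInfo present but every hash null/empty: skipped
        "id": "t3",
        "threatInfo": {"threatId": "t3", "createdAt": "2024-01-01T10:10:00Z",
                       "sha256": None, "sha1": None, "md5": ""},
        "indicators": None,
    },
    {"id": "t4"},   # no threatInfo section at all: skipped
]

if __name__ == "__main__":
    entries, skipped = map_threats(SAMPLE_THREATS)
    print("since:", lookback_start(timedelta(hours=1)))
    print("upload:", [e["threat_id"] for e in entries], "skipped:", skipped)
```

Run against the samples, two of the four threats produce entries and `t3`/`t4` are reported as skipped, which is the kind of breakdown to look for before assuming the connector is dropping data.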
5. Which IP addresses need to be whitelisted to allow communication from the hosted service to SentinelOne?
Traffic from the following AWS IP addresses, which are dedicated to Recorded Future, needs to be whitelisted to allow communication from the hosted service:
- 52.204.27.85
- 54.198.55.229
- 54.156.251.192
- 34.235.48.77
6. How do I set up a connector under a suborg within a multiorg environment?
To set up a connector under a specific suborg, switch to that particular suborg and create a connector following the same process mentioned here. Note: This requires Enterprise Admin permissions.