I’ve got SentinelOne feeds installed for some time as follows:
- Cloud Funnel for all the agents' procexec (via S3 buckets)
- Alert feeds via API
Recently, I started to use SentinelOne's new SOC UI and I realized they have new rules/detections (“Platform Detections and Alerts”). I enabled many of these detections based on my environment, as they are not enabled by default. I performed a few tests and they fired as expected; I can see them on the S1 console, yet on Google SecOps none of my feeds seems to receive any of these new “platform detections/alerts”. The old custom and malware detections seem to be fine though.
I opened a case with S1 and they are thinking that perhaps the current S1 alert API feed setup is still not updated to get these new “platform detections”.
Does anyone have any idea if this is the case? If so, how do I proceed to get Google SecOps to update their alert feed connection to support these new alerts?
Thanks,
Eric
Thank you for that update and clarification!
If you are ingesting DV telemetry, this would be using our Cloud Funnel feature. However, if you are using an API token to gather alert telemetry into Google SecOps, this would be using the API.
The platform rules feature is only available in the new SOC UI console. Due to this, you would have to use the Unified Alerts GraphQL API: https://community.sentinelone.com/s/article/000010170
I would suggest reaching out to Google SecOps Support to see if they can perform a GraphQL query call within their platform to gather Platform detection rule alert events.
Kind Regards,
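Until the SIEM-side connector is updated, the gap the reply describes (platform detection alerts reachable only through the Unified Alerts GraphQL API) can be bridged with a small poller that pages through the GraphQL results, de-duplicates against a checkpoint, and emits one JSON line per alert for a custom feed. The following is an added example, not code from SentinelOne, Google, or the thread's participants. The GraphQL operation, argument and field names (`alerts`, `detectedAt_gte`, `pageInfo`, the `ApiToken` header form) are hypothetical stand-ins; the real schema must be taken from the Unified Alerts API reference linked above. The sample responses are constructed, so the block runs offline.

```python
"""Poll a cursor-paginated GraphQL alerts endpoint and emit SIEM-ready JSON lines.
Added example; query shape, header format and sample data are assumptions."""
import json
import urllib.request
from typing import Callable, Iterator

# HYPOTHETICAL GraphQL document: field and argument names are illustrative only.
ALERTS_QUERY = """
query PlatformAlerts($after: String, $since: String) {
  alerts(first: 100, after: $after, filter: { detectedAt_gte: $since }) {
    edges { node { id name severity detectedAt detectionSource { product } } }
    pageInfo { hasNextPage endCursor }
  }
}
"""

# A transport takes (query, variables) and returns the decoded JSON body,
# so the paging logic can be exercised without a network connection.
Transport = Callable[[str, dict], dict]


def http_transport(url: str, api_token: str) -> Transport:
    """Real transport: POST the document to `url` (endpoint and header form assumed)."""
    def send(query: str, variables: dict) -> dict:
        body = json.dumps({"query": query, "variables": variables}).encode()
        req = urllib.request.Request(
            url, data=body, method="POST",
            headers={"Content-Type": "application/json",
                     "Authorization": f"ApiToken {api_token}"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send


def iter_alerts(transport: Transport, since: str) -> Iterator[dict]:
    """Walk every page until the server reports hasNextPage == false."""
    after = None
    while True:
        resp = transport(ALERTS_QUERY, {"after": after, "since": since})
        if resp.get("errors"):
            # GraphQL may return partial data next to errors; treat the poll as failed
            # so the checkpoint is not advanced past alerts we never saw.
            raise RuntimeError(f"GraphQL errors: {resp['errors']}")
        page = resp["data"]["alerts"]
        for edge in page["edges"]:
            yield edge["node"]
        info = page["pageInfo"]
        if not info.get("hasNextPage"):
            return
        after = info["endCursor"]


def normalize(node: dict) -> dict:
    """Flatten one alert node into the key set a custom SIEM parser expects (our choice)."""
    return {
        "alert_id": node["id"],
        "rule_name": node.get("name", ""),
        "severity": str(node.get("severity", "")).upper(),
        "detected_at": node["detectedAt"],
        "source": (node.get("detectionSource") or {}).get("product", "unknown"),
        "vendor": "SentinelOne",
    }


def poll(transport: Transport, checkpoint: str) -> tuple[list[dict], str]:
    """One polling cycle: returns (new records, next checkpoint).

    The server filter is inclusive (>= checkpoint), so an alert detected exactly
    at the checkpoint is returned again; drop it client-side to avoid duplicates.
    Timestamps are ISO-8601 UTC strings, so string comparison orders them correctly.
    """
    records, newest = [], checkpoint
    for node in iter_alerts(transport, checkpoint):
        rec = normalize(node)
        if rec["detected_at"] <= checkpoint:
            continue
        records.append(rec)
        newest = max(newest, rec["detected_at"])
    return records, newest


def fake_transport(pages: list[dict]) -> Transport:
    """Constructed offline transport that serves canned pages in order."""
    queue = iter(pages)
    return lambda query, variables: next(queue)


# Constructed sample responses (not real SentinelOne output).
SAMPLE_PAGES = [
    {"data": {"alerts": {
        "edges": [
            {"node": {"id": "a-1", "name": "Suspicious script execution", "severity": "high",
                      "detectedAt": "2024-06-01T10:00:00Z", "detectionSource": {"product": "EDR"}}},
            {"node": {"id": "a-2", "name": "Credential access attempt", "severity": "critical",
                      "detectedAt": "2024-06-01T10:05:00Z", "detectionSource": {"product": "EDR"}}},
        ],
        "pageInfo": {"hasNextPage": True, "endCursor": "cursor-1"}}}},
    {"data": {"alerts": {
        "edges": [
            {"node": {"id": "a-3", "name": "Identity anomaly", "severity": "medium",
                      "detectedAt": "2024-06-01T10:09:00Z", "detectionSource": None}},
        ],
        "pageInfo": {"hasNextPage": False, "endCursor": None}}}},
]

if __name__ == "__main__":
    recs, next_cp = poll(fake_transport(SAMPLE_PAGES), "2024-06-01T10:00:00Z")
    for r in recs:
        print(json.dumps(r))  # one JSON line per alert, ready for a custom feed
    print("next checkpoint:", next_cp)
```

Persist the returned checkpoint only after the JSON lines have been written successfully; if the poll raises, keep the old checkpoint so the next cycle re-requests the same window rather than silently skipping alerts.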
