
Hi,

We have a critical issue with the SentinelOne Cloud Funnel setup that is supposed to be seamless. It is too seamless, as it is not producing any data. The Funnel is configured correctly towards a GCP bucket and we can search through the Datalake, all validated. From the SIEM side it is set up as SentinelOne Singularity Cloud Funnel, but there is no data coming in at all. Any hints? Thanks

Hi @tbankuti, thank you for your post and sorry to hear you're experiencing this. If this is a critical issue and you need technical assistance right away, we suggest you contact Google Support. If this is something the Community experts can help with, and you don't mind waiting for a response, would you please share more details and some examples of what you're experiencing so we can better assist? Thanks


Hi, it seems the issue was caused by missing information in the integration document between the SIEM and SentinelOne, as nowhere is it mentioned that a Query needs to be added in the Cloud Funnel integration part to make it work. It was assumed that part is for refining data only, but actually a query needs to be entered to make it work, and it wasn't mentioned anywhere.


There is a document on this: Collect SentinelOne Cloud Funnel logs
https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-sentinelone-cf

I assume the missing part is from the SentinelOne side, where you need to enable "Telemetry Streaming" with a query filter?

Let me know so I can raise an internal request to get the document updated. 
https://xxxx.sentinelone.net/soc-docs/en/how-to-enable-cloud-funnel-streaming.html##
(domain hashed to hide my tenant) 


Note in that document the part that talks about Cloud Funnel Support? (https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-sentinelone-cf#supported-log-types)

I don't have first-person experience with this EDR so I don't know what's involved in creating this filter, but what I do know is that out of all EDRs we ingest from customers, Sentinel produces some of the highest volume. If you can scope your funnel query to what's listed in that document, it should make a difference in the quantity of log data you send to SecOps, hopefully limiting its impact on ingest consumption.

