This workflow template provides a solution for automating the detection and case management of SentinelOne threats identified within Google Chronicle. It runs on a schedule and queries Chronicle for new SentinelOne threat reports. When new threats are detected, it retrieves the threat details from SentinelOne and creates a Torq case containing the relevant agent and threat information. Observables related to the threat are added to the case for additional context. The workflow also links related cases by matching the SentinelOne agent ID and the SHA1 hash of the threat, keeping case management and investigation streamlined.
Use Cases
Case Management, Endpoint Detection and Response (EDR)
Workflow Breakdown
Query Google Chronicle on a schedule for SentinelOne Threats
If new SentinelOne threats are found, pull the details from SentinelOne
Open a Torq case and add the details from the agent and the threat to the case
Add any observable that is found in the threat to the case
Check whether any other case matches both the SentinelOne agent ID and the SHA1 hash of the threat. If a match is found, link the cases.
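The five steps above, modelled as an added Python example that is not Torq's, SentinelOne's or Google Chronicle's own code. The Chronicle hits and SentinelOne threat records are constructed sample data with assumed field names (threat_id, agent.id, threat.sha1, filePath), the Torq case is a plain dataclass standing in for the real case object, and the vendor API calls are replaced by in-memory lookups. What the example adds beyond the list is the two checks a practitioner would want in step 5: SHA1 values are normalised and validated before they are used as a matching key, and a case is linked only when both the agent ID and the SHA1 agree.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# A SHA1 is exactly 40 hex characters; anything else is rejected as a matching key.
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Case:
    """Minimal stand-in for a Torq case (assumed shape, not Torq's data model)."""
    case_id: int
    title: str
    agent_id: str
    sha1: Optional[str]
    observables: List[Tuple[str, str]]
    linked_case_ids: List[int] = field(default_factory=list)


# Constructed sample data. Field names are assumptions for illustration,
# not the real Chronicle or SentinelOne schemas.
CHRONICLE_HITS = [
    {"threat_id": "T-1001", "agent_id": "A-42"},
    {"threat_id": "T-1002", "agent_id": "A-42"},
    {"threat_id": "T-1003", "agent_id": "A-77"},
    {"threat_id": "T-1004", "agent_id": "A-77"},
]

SENTINELONE_THREATS: Dict[str, dict] = {
    "T-1001": {"agent": {"id": "A-42", "hostname": "ws-01"},
               "threat": {"sha1": "a" * 40, "filePath": r"C:\Users\alice\dropper.exe",
                          "classification": "Malware"}},
    "T-1002": {"agent": {"id": "A-42", "hostname": "ws-01"},
               "threat": {"sha1": "a" * 40, "filePath": r"C:\Temp\dropper.exe",
                          "classification": "Malware"}},
    # Malformed hash: must not become an observable or a matching key.
    "T-1003": {"agent": {"id": "A-77", "hostname": "ws-07"},
               "threat": {"sha1": "not-a-hash", "filePath": r"C:\Temp\tool.exe",
                          "classification": "PUA"}},
    # Same file as T-1001 (upper-case hash) but a different agent: no link.
    "T-1004": {"agent": {"id": "A-77", "hostname": "ws-07"},
               "threat": {"sha1": "A" * 40, "filePath": r"D:\share\dropper.exe",
                          "classification": "Malware"}},
}


def extract_observables(threat: dict) -> List[Tuple[str, str]]:
    """Step 4: pull observables out of one SentinelOne threat record.
    The SHA1 is lower-cased and validated; a malformed hash is dropped
    rather than stored, so it can never produce a false case link."""
    obs: List[Tuple[str, str]] = []
    sha1 = str(threat["threat"].get("sha1", "")).strip().lower()
    if SHA1_RE.match(sha1):
        obs.append(("sha1", sha1))
    path = threat["threat"].get("filePath")
    if path:
        obs.append(("file_path", path))
    host = threat["agent"].get("hostname")
    if host:
        obs.append(("hostname", host))
    return obs


def find_matching_cases(cases: List[Case], agent_id: str, sha1: Optional[str]) -> List[Case]:
    """Step 5: a case matches only when both the agent ID and the SHA1 agree.
    A threat without a valid SHA1 matches nothing."""
    if sha1 is None:
        return []
    return [c for c in cases if c.agent_id == agent_id and c.sha1 == sha1]


def process_new_threats(hits: List[dict], s1_threats: Dict[str, dict],
                        cases: List[Case], seen: Set[str]) -> List[Case]:
    """One scheduled run covering steps 1-5. Returns the cases created in this run;
    `seen` carries threat IDs across runs so a threat is cased only once."""
    created: List[Case] = []
    for hit in hits:
        tid = hit["threat_id"]
        if tid in seen:           # already handled by an earlier run
            continue
        seen.add(tid)
        threat = s1_threats.get(tid)  # step 2: SentinelOne lookup (in-memory here)
        if threat is None:
            continue              # Chronicle reported it but SentinelOne has no record
        agent_id = threat["agent"]["id"]
        observables = extract_observables(threat)
        sha1 = next((v for k, v in observables if k == "sha1"), None)
        case = Case(case_id=len(cases) + 1,   # step 3: open the case
                    title=f"SentinelOne {threat['threat']['classification']} on "
                          f"{threat['agent']['hostname']} ({tid})",
                    agent_id=agent_id, sha1=sha1, observables=observables)
        for other in find_matching_cases(cases, agent_id, sha1):  # step 5: link both ways
            case.linked_case_ids.append(other.case_id)
            other.linked_case_ids.append(case.case_id)
        cases.append(case)
        created.append(case)
    return created


def run_demo() -> Tuple[List[Case], List[Case], List[Case]]:
    """Two scheduled runs over the same Chronicle results: the second creates nothing."""
    cases: List[Case] = []
    seen: Set[str] = set()
    first = process_new_threats(CHRONICLE_HITS, SENTINELONE_THREATS, cases, seen)
    second = process_new_threats(CHRONICLE_HITS, SENTINELONE_THREATS, cases, seen)
    return cases, first, second


if __name__ == "__main__":
    all_cases, first_run, second_run = run_demo()
    for c in all_cases:
        print(c.case_id, c.title, "links:", c.linked_case_ids, "observables:", c.observables)
    print("second run created", len(second_run), "cases")
```

Running the block shows cases 1 and 2 linked to each other (same agent, same file hash), case 3 with no SHA1 observable because the hash was malformed, and case 4 unlinked even though its hash matches case 1, because the agent differs. The `seen` set is the piece a real implementation would have to persist between scheduled runs (Torq's own state mechanism is not modelled here).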
Vendors
Utils, SentinelOne, Torq, Torq Cases, Google Chronicle
Workflow Output
A Torq case with the relevant information from SentinelOne