Create Torq Cases from SentinelOne Threats Reported in Chronicle - Workflow Template

On a schedule, query Google Chronicle for new SentinelOne threats and open a Torq case with the relevant agent and threat details.

Updated over a month ago

This workflow template automates the detection and case management of SentinelOne threats that have been ingested into Google Chronicle. It runs on a schedule and queries Chronicle for new SentinelOne threat reports. When new threats are found, it pulls the full threat details from SentinelOne and creates a Torq case containing the relevant agent and threat information. Observables related to the threat are added to the case for additional context. The workflow also links related cases by matching the SentinelOne agent ID and the SHA1 hash of the threat, so that activity on the same endpoint or involving the same file is grouped for investigation.

Use Cases

Case Management, Endpoint Detection and Response (EDR)

Workflow Breakdown

  1. Query Google Chronicle on a schedule for SentinelOne Threats

  2. If new SentinelOne threats are found, pull the details from SentinelOne

  3. Open a Torq case and add the details from the agent and the threat to the case

  4. Add any observable that is found in the threat to the case

  5. Check whether any existing case matches the SentinelOne agent ID or the SHA1 hash of the threat. If a match is found, link the cases.
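The five steps above, simulated end to end as an added example (this is not the Torq template's own code, and it does not call the Chronicle, SentinelOne or Torq APIs). Every record shape, field name and value below is a constructed assumption for illustration; the point is the control flow a practitioner would want to confirm before trusting the automation: a scheduled run must not re-open cases for threats it already handled, a malformed hash must not become an observable, and case linking must record why two cases were joined.

```python
"""Added example, not the Torq template's own code: a simulation of the five
workflow steps over constructed data. Every record shape, field name and
value here is an assumption made up for illustration, not Chronicle's,
SentinelOne's or Torq's real schema."""
import re

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

# Step 1 input: constructed Chronicle search results for SentinelOne threats.
CHRONICLE_RESULTS = [
    {"threat_id": "T-1001", "agent_id": "agent-42"},
    {"threat_id": "T-1002", "agent_id": "agent-77"},
    {"threat_id": "T-1003", "agent_id": "agent-42"},
]

# Step 2 input: constructed SentinelOne threat details keyed by threat id.
SENTINELONE_DETAILS = {
    "T-1001": {"agent_id": "agent-42", "hostname": "ws-01",
               "file_path": "C:\\Users\\a\\dropper.exe",
               "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
    "T-1002": {"agent_id": "agent-77", "hostname": "ws-07",
               "file_path": "/tmp/x",
               "sha1": "not-a-hash"},          # malformed on purpose
    "T-1003": {"agent_id": "agent-42", "hostname": "ws-01",
               "file_path": "C:\\Users\\a\\dropper2.exe",
               "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
}


def new_threats(results, seen):
    """Step 1: keep only threats not handled by an earlier scheduled run."""
    return [r for r in results if r["threat_id"] not in seen]


def extract_observables(detail):
    """Step 4: derive observables; a SHA1 is kept only when well-formed."""
    obs = [("hostname", detail["hostname"]), ("file_path", detail["file_path"])]
    sha1 = detail["sha1"].lower()
    if SHA1_RE.match(sha1):
        obs.append(("sha1", sha1))
    return obs


def related_cases(case, cases):
    """Step 5: link on a shared agent id or a shared SHA1, recording which."""
    links = []
    my_sha1 = dict(case["observables"]).get("sha1")
    for other in cases:
        if other["id"] == case["id"]:
            continue
        reasons = []
        if other["agent_id"] == case["agent_id"]:
            reasons.append("agent_id")
        if my_sha1 and dict(other["observables"]).get("sha1") == my_sha1:
            reasons.append("sha1")
        if reasons:
            links.append((other["id"], reasons))
    return links


def run_workflow(results, details, seen, cases):
    """Run steps 1-5 once; mutates `seen` and `cases`, returns new cases."""
    created = []
    for r in new_threats(results, seen):
        d = details[r["threat_id"]]                      # step 2
        case = {                                         # step 3
            "id": f"case-{len(cases) + 1}",
            "threat_id": r["threat_id"],
            "agent_id": d["agent_id"],
            "title": f"SentinelOne threat on {d['hostname']}",
            "observables": extract_observables(d),       # step 4
            "links": [],
        }
        case["links"] = related_cases(case, cases)       # step 5
        cases.append(case)
        seen.add(r["threat_id"])
        created.append(case)
    return created


if __name__ == "__main__":
    store, done = [], set()
    for c in run_workflow(CHRONICLE_RESULTS, SENTINELONE_DETAILS, done, store):
        print(c["id"], c["threat_id"], c["observables"], c["links"])
    # A second scheduled run sees nothing new and creates no cases.
    print(run_workflow(CHRONICLE_RESULTS, SENTINELONE_DETAILS, done, store))
```

Running it creates three cases: the third is linked back to the first on both the agent ID and the SHA1, the second gets no SHA1 observable because its hash is malformed, and a repeat run with the same `seen` set produces nothing. In a real deployment the `seen` set would have to be persisted between scheduled runs (or the Chronicle query bounded by the last run time), otherwise every run re-opens the same cases.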

Vendors

Utils, SentinelOne, Torq, Torq Cases, Google Chronicle

Workflow Output

A Torq case with the relevant information from SentinelOne
