Skip to main content

QuickAction - Connect or Disconnect a SentinelOne Agent - Workflow Template

Quickly connect or disconnect SentinelOne agents using a single QuickAction command.

Updated this week

The "QuickAction - Connect or Disconnect a SentinelOne Agent" workflow template streamlines network management for SOC teams by enabling rapid connection or disconnection of SentinelOne agents through a single QuickAction command. This efficient process enhances incident response capabilities, allowing analysts to swiftly manage agent statuses based on real-time threat assessments, ensuring optimal network security and operational continuity.

Take Me to the Template

Use Cases

Case Management

Workflow Breakdown

  1. Trigger workflow via QuickAction.

  2. Receive agent ID and desired action (connect/disconnect).

  3. Query current agent status in SentinelOne, and submits a disconnection or connection request.

  4. Monitor for success or failure response.

Vendors

Utils, SentinelOne, Torq Cases

Workflow Output

Returns the agent hostname, action taken (connect/disconnect), and operation status (success/failure).

Tips

  • Use the "Poll for new SentinelOne Threats and Open a Torq Case" template to ensure correct custom field creation.

Related Articles
Workflow Template: Create Cases from SentinelOne Events found in Azure Sentinel
Workflow Template: Create Torq Cases from SentinelOne Threats Reported in Chronicle
Workflow Template: Poll for new SentinelOne Threats and Open a Torq Case
Workflow Template: Initial SentinelOne Case Creation
QuickAction - Scan Device on SentinelOne - Workflow Template
Did this answer your question?