The "QuickAction - Fetch a File from Device on SentinelOne" workflow template streamlines the process of retrieving files from endpoint devices for case management and threat analysis. Designed for security analysts, this workflow allows users to select files from a specified path or alert evidence, download them securely, and attach them to cases with detailed notes. It enhances Endpoint Detection and Response (EDR) and threat intelligence enrichment by automating file retrieval and documentation, ensuring efficient incident response and threat hunting.
Use Cases
Case Management, Endpoint Detection and Response (EDR), Threat Hunting, Threat Intelligence Enrichment
Workflow Breakdown
The analyst chooses a specific file path or selects files from the alert's evidence.
The workflow submits the fetch action and, if necessary, waits a predefined time for the agent to come online.
It fetches the file from the endpoint device and downloads it in encrypted form, protected with a predefined password.
It attaches the file to the case and adds a note with the result of the action.
Vendors
Utils, SentinelOne, Torq Cases
Tips
Use the "QuickAction - Analyze Attachment Files in Sandbox" template to perform dynamic malware analysis across multiple sandbox technologies simultaneously.
