
Workflow Template: Initial SentinelOne Case Creation from DataConnector

Creates a case from Threats and Alerts received from the SentinelOne DataConnector.

The "Initial SentinelOne Case Creation from DataConnector" workflow template streamlines incident management by automatically creating detailed cases from SentinelOne alerts and threats. It categorizes events into alerts and threats, mapping relevant data such as rule names, severity, and MITRE techniques into Torq cases. This process enhances Endpoint Detection and Response (EDR) by ensuring comprehensive case documentation with observables, custom fields, and markdown tables, facilitating efficient incident response and case management.

Trigger

Use Cases

Case Management, Endpoint Detection and Response (EDR), Example

Workflow Breakdown

  1. Receives SentinelOne Threats and Alerts streamed from the DataConnector trigger.

  2. Routes by event type for a different field mapping.

  3. Alerts map rule and process fields; Threats extract MITRE techniques.

  4. Creates a tagged case with observables, custom fields, and markdown tables for both types.
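The routing and field mapping the four steps above describe, written out as an added Python example. This is not Torq's template or SentinelOne's code: the event field names (`eventType`, `ruleName`, `mitreTechniques`, and so on), the sample events, and the case record shape are all assumptions made for illustration.

```python
"""Added example (not Torq's or SentinelOne's code): route SentinelOne events by
type and map them into a tagged case with observables, custom fields and a
Markdown table. Every field name here is an assumption, not a vendor schema."""
from __future__ import annotations
from typing import Any

# Constructed sample events; field names are assumed for illustration only.
SAMPLE_EVENTS = [
    {
        "eventType": "alert",
        "ruleName": "Suspicious PowerShell Encoded Command",
        "severity": "High",
        "processName": "powershell.exe",
        "processCmd": "powershell.exe -enc ...",
        "agentHostname": "WS-0123",
        "sha256": "0" * 64,  # placeholder hash, not a real indicator
    },
    {
        "eventType": "threat",
        "threatName": "Generic.Ransomware",
        "severity": "Critical",
        "agentHostname": "SRV-0007",
        "mitreTechniques": [
            {"id": "T1486", "name": "Data Encrypted for Impact"},
            {"id": "T1059", "name": "Command and Scripting Interpreter"},
        ],
    },
]

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def markdown_table(rows: list[tuple[str, str]]) -> str:
    """Render key/value rows as a Markdown table for the case description."""
    lines = ["| Field | Value |", "| --- | --- |"]
    for key, value in rows:
        # Escape pipes so an attacker-controlled value cannot break the table.
        safe = str(value).replace("|", "\\|")
        lines.append(f"| {key} | {safe} |")
    return "\n".join(lines)


def map_alert(event: dict[str, Any]) -> dict[str, Any]:
    """Alert branch: rule and process fields become custom fields and observables."""
    return {
        "title": f"SentinelOne alert: {event['ruleName']}",
        "custom_fields": {
            "rule_name": event["ruleName"],
            "severity": event["severity"],
            "process_name": event.get("processName", ""),
        },
        "observables": [
            {"type": "hostname", "value": event["agentHostname"]},
            {"type": "process", "value": event.get("processName", "")},
            {"type": "sha256", "value": event.get("sha256", "")},
        ],
        "table_rows": [
            ("Rule", event["ruleName"]),
            ("Severity", event["severity"]),
            ("Process", event.get("processName", "")),
            ("Command line", event.get("processCmd", "")),
        ],
    }


def map_threat(event: dict[str, Any]) -> dict[str, Any]:
    """Threat branch: MITRE technique ids are extracted into a custom field."""
    techniques = event.get("mitreTechniques", [])
    return {
        "title": f"SentinelOne threat: {event['threatName']}",
        "custom_fields": {
            "threat_name": event["threatName"],
            "severity": event["severity"],
            "mitre_techniques": [t["id"] for t in techniques],
        },
        "observables": [{"type": "hostname", "value": event["agentHostname"]}],
        "table_rows": [
            ("Threat", event["threatName"]),
            ("Severity", event["severity"]),
            ("MITRE techniques", ", ".join(f"{t['id']} {t['name']}" for t in techniques)),
        ],
    }


def build_case(event: dict[str, Any]) -> dict[str, Any]:
    """Route by event type, then assemble the tagged case record."""
    kind = str(event.get("eventType", "")).lower()
    handlers = {"alert": map_alert, "threat": map_threat}
    if kind not in handlers:
        # Unknown types are rejected rather than silently mapped to a half-empty case.
        raise ValueError(f"unsupported SentinelOne event type: {kind!r}")
    mapped = handlers[kind](event)
    return {
        "title": mapped["title"],
        "tags": ["sentinelone", "edr", kind],
        "severity_rank": SEVERITY_RANK.get(mapped["custom_fields"]["severity"], 0),
        "custom_fields": mapped["custom_fields"],
        # Drop observables whose value is missing so the case holds only real data.
        "observables": [o for o in mapped["observables"] if o["value"]],
        "description": markdown_table(mapped["table_rows"]),
    }


if __name__ == "__main__":
    for sample in SAMPLE_EVENTS:
        print(build_case(sample)["description"], "\n")
```

The unknown-type branch raises instead of creating a case, so a malformed or unexpected event surfaces as a workflow error rather than a silently incomplete case; the pipe escaping in the table keeps a process command line from corrupting the Markdown layout.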

Vendors

Utils, Torq Cases
