Open a TheHive case triggered by SentinelOne findings - Workflow Template

Retrieve the latest threats from SentinelOne, enrich them using third-party vendors, and open a case in TheHive with observables, tasks and TTPs.

Updated over 7 months ago

The "Open a TheHive case triggered by SentinelOne findings" workflow automates incident detection and response by continuously polling SentinelOne for the latest threats. For each threat, the workflow cross-references the detected file's hash with intelligence from VirusTotal and Recorded Future. It then creates a case in TheHive that consolidates observables, tasks, and Tactics, Techniques, and Procedures (TTPs). If the enrichment returns enough malicious verdicts, the affected endpoint can be isolated from the network to contain the threat quickly. Finally, the case is updated with a follow-up task so that the analyst response is tracked in one place.

Use Cases

Endpoint Detection and Response (EDR), Threat Intelligence Enrichment

Workflow Breakdown

  1. Poll SentinelOne at a fixed interval to fetch the latest threats.

  2. For each detected file, look up its hash against VirusTotal and Recorded Future.

  3. Create a case in TheHive, adding observables, tasks and TTPs.

  4. Count the malicious verdicts to decide whether the endpoint should be disconnected from the network.

  5. Update the case with a follow-up task.
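The verdict-count decision (step 4) and the case assembly (steps 3 and 5) are the parts of this workflow an operator usually wants to tune. The following is an added example, not the template's own code or any vendor SDK: it models the logic in plain Python over constructed sample data so it runs offline. The SentinelOne threat shape, the enrichment result fields, the TheHive payload keys (`observables`, `tasks`, `procedures`) and the thresholds are all assumptions to be adapted to your tenant.

```python
"""Added example of the decision and case-building logic described in the
workflow breakdown. Not code from the template; all field names and
thresholds are assumptions, and the inputs below are constructed samples."""

# Constructed SentinelOne threat record (shape assumed, trimmed to the fields used).
SAMPLE_THREAT = {
    "id": "1234567890",
    "threatInfo": {
        "threatName": "dropper.exe",
        "sha1": "3395856ce81f2b7382dee72602f798b642f14140",
        "classification": "Trojan",
    },
    "agentRealtimeInfo": {"agentId": "agent-001", "agentComputerName": "WS-042"},
    "indicators": [
        {"tactics": [{"name": "Execution",
                      "techniques": [{"name": "T1059"}]}]}
    ],
}

# Constructed enrichment results, as the workflow would receive from each vendor.
SAMPLE_VT = {"malicious": 41, "suspicious": 2, "harmless": 0, "undetected": 27}
SAMPLE_RF = {"risk_score": 89}  # assumed Recorded Future risk score, 0-99

MALICIOUS_ENGINE_THRESHOLD = 10  # assumed: VT engines that must flag the hash
RF_RISK_THRESHOLD = 65           # assumed: RF risk score considered malicious


def should_isolate(vt, rf, engine_threshold=MALICIOUS_ENGINE_THRESHOLD,
                   rf_threshold=RF_RISK_THRESHOLD):
    """Step 4: isolate only when both independent sources agree, so a single
    noisy engine or a stale risk score cannot trigger containment on its own."""
    return vt["malicious"] >= engine_threshold and rf["risk_score"] >= rf_threshold


def extract_ttps(threat):
    """Flatten SentinelOne indicators into (tactic, technique) pairs."""
    ttps = []
    for indicator in threat.get("indicators", []):
        for tactic in indicator.get("tactics", []):
            for technique in tactic.get("techniques", []):
                ttps.append((tactic["name"], technique["name"]))
    return ttps


def build_case(threat, vt, rf):
    """Steps 3 and 5: assemble a TheHive-style case payload with observables,
    tasks and TTPs, then append the follow-up task after the isolation decision.
    Payload keys are assumptions; map them to your TheHive version's API."""
    info = threat["threatInfo"]
    host = threat["agentRealtimeInfo"]["agentComputerName"]
    isolate = should_isolate(vt, rf)
    case = {
        "title": f"SentinelOne threat {info['threatName']} on {host}",
        "severity": 3 if isolate else 2,  # TheHive: 1 low .. 4 critical
        "tags": ["sentinelone", info["classification"].lower()],
        "observables": [
            {"dataType": "hash", "data": info["sha1"], "ioc": isolate,
             "tags": [f"vt:malicious={vt['malicious']}",
                      f"rf:risk={rf['risk_score']}"]},
            {"dataType": "hostname", "data": host, "ioc": False},
        ],
        "tasks": [{"title": "Triage", "status": "Waiting"}],
        "procedures": [{"tactic": t, "patternId": p} for t, p in extract_ttps(threat)],
    }
    # Step 5: the follow-up task records what the automation did (or did not) do.
    if isolate:
        case["tasks"].append({"title": f"Confirm network isolation of {host}",
                              "status": "Waiting"})
    else:
        case["tasks"].append({"title": "Analyst review: verdicts below isolation threshold",
                              "status": "Waiting"})
    return case


if __name__ == "__main__":
    import json
    print(json.dumps(build_case(SAMPLE_THREAT, SAMPLE_VT, SAMPLE_RF), indent=2))
```

Two points to carry over to the real workflow: key the run on the SentinelOne threat `id` and skip threats already seen, otherwise the polling step opens a duplicate case every interval; and keep the isolation rule conjunctive as above (both sources must agree), since VirusTotal engine counts alone are easy to inflate with generic or heuristic detections.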

Vendors

Utils, VirusTotal, HTTP, SentinelOne, TheHive, Recorded Future

Workflow Output

At the end of the workflow, a new enriched threat incident can be found in TheHive; this case consolidates

Tips

Different threat intelligence vendors can be added, or can replace the existing ones.
