The "Open a TheHive case triggered by SentinelOne findings" workflow automates incident detection and response by continuously polling SentinelOne for the latest incidents. For each file flagged in an incident, the workflow investigates by cross-referencing the file's hash with intelligence from VirusTotal and Recorded Future. It then creates a comprehensive case in TheHive, including observables, tasks, and Tactics, Techniques, and Procedures (TTPs). If the analysis indicates a high probability of malicious intent, the affected endpoint can be isolated from the network, containing the threat quickly. Finally, the case is updated with follow-up actions so that the response to the security incident is thorough and organized.
Use Cases
Endpoint Detection and Response (EDR), Threat Intelligence Enrichment
Workflow Breakdown
Poll SentinelOne frequently to fetch the latest incidents.
For each file detected, look up its hash against VirusTotal and Recorded Future.
Create a case in TheHive, adding observables and TTPs.
Evaluate the number of malicious verdicts to decide whether the endpoint should be disconnected from the network.
Update the case with a follow-up task.
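The steps above, modelled end to end as an added example (this is not the workflow's own code or any vendor's SDK). All incident and intelligence data is constructed sample data embedded inline, the field names used for the SentinelOne, VirusTotal, Recorded Future and TheHive payloads are assumptions rather than the real API schemas, and the verdict thresholds (VT_MIN_ENGINES, RF_MIN_RISK, ISOLATION_THRESHOLD) are illustrative values an analyst would tune:

```python
"""Added example: enrichment, verdict counting, TheHive case shape and the
isolation decision for a SentinelOne incident. Sample data and field names
below are constructed assumptions, not real vendor schemas or real hashes."""
from dataclasses import dataclass
from typing import Dict, List

# Assumed thresholds (not from the page): a VirusTotal result counts as one
# malicious verdict when at least VT_MIN_ENGINES engines flag the hash, a
# Recorded Future result counts as one when its risk score reaches
# RF_MIN_RISK, and the endpoint is isolated when the verdicts summed over all
# files of the incident reach ISOLATION_THRESHOLD.
VT_MIN_ENGINES = 5
RF_MIN_RISK = 65
ISOLATION_THRESHOLD = 2

# Constructed sample SentinelOne incidents (placeholder hashes, not real).
SAMPLE_INCIDENTS: List[dict] = [
    {"id": "inc-001", "agent_id": "agent-a", "hostname": "ws-finance-07",
     "files": [{"sha256": "aaaa1111"}, {"sha256": "bbbb2222"}],
     "mitre": ["T1059.001"]},
    {"id": "inc-002", "agent_id": "agent-b", "hostname": "ws-hr-03",
     "files": [{"sha256": "cccc3333"}],
     "mitre": ["T1204.002"]},
]
# Constructed sample intelligence lookups, keyed by hash.
SAMPLE_VIRUSTOTAL: Dict[str, dict] = {
    "aaaa1111": {"malicious": 41, "suspicious": 2, "harmless": 19},
    "bbbb2222": {"malicious": 0, "suspicious": 0, "harmless": 62},
    "cccc3333": {"malicious": 3, "suspicious": 1, "harmless": 58},
}
SAMPLE_RECORDED_FUTURE: Dict[str, dict] = {
    "aaaa1111": {"risk_score": 92},
    "bbbb2222": {"risk_score": 5},
    "cccc3333": {"risk_score": 24},
}


@dataclass
class Enrichment:
    sha256: str
    vt_malicious: int   # engines on VirusTotal flagging the hash
    rf_risk: int        # Recorded Future risk score
    verdicts: int       # vendors calling the hash malicious (0..2)


def enrich_hash(sha256: str, vt=SAMPLE_VIRUSTOTAL, rf=SAMPLE_RECORDED_FUTURE) -> Enrichment:
    """Cross-reference one hash with both vendors; unknown hashes yield no verdicts."""
    vt_hit = vt.get(sha256, {}).get("malicious", 0)
    rf_risk = rf.get(sha256, {}).get("risk_score", 0)
    verdicts = int(vt_hit >= VT_MIN_ENGINES) + int(rf_risk >= RF_MIN_RISK)
    return Enrichment(sha256, vt_hit, rf_risk, verdicts)


def should_isolate(enrichments: List[Enrichment]) -> bool:
    """Isolation decision: total malicious verdicts across all files."""
    return sum(e.verdicts for e in enrichments) >= ISOLATION_THRESHOLD


def build_case(incident: dict, enrichments: List[Enrichment]) -> dict:
    """Shape of the TheHive case the workflow would create (assumed field names)."""
    observables = [
        {"dataType": "hash", "data": e.sha256,
         "tags": [f"vt:malicious={e.vt_malicious}", f"rf:risk={e.rf_risk}"],
         "ioc": e.verdicts > 0}
        for e in enrichments
    ]
    return {
        "title": f"SentinelOne incident {incident['id']} on {incident['hostname']}",
        "severity": 3 if should_isolate(enrichments) else 2,
        "observables": observables,
        "ttps": [{"patternId": t} for t in incident["mitre"]],
        "tasks": [{"title": "Triage SentinelOne incident"}],
    }


def process_incident(incident: dict) -> dict:
    """Run steps 2 to 5 for one polled incident and return the case plus the decision."""
    enrichments = [enrich_hash(f["sha256"]) for f in incident["files"]]
    case = build_case(incident, enrichments)
    isolate = should_isolate(enrichments)
    # Step 5: the follow-up task records what the decision step concluded.
    if isolate:
        case["tasks"].append({"title": f"Endpoint {incident['hostname']} isolated; confirm containment"})
    else:
        case["tasks"].append({"title": "Verdicts below isolation threshold; analyst review required"})
    return {"case": case, "isolate_endpoint": isolate}


if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        result = process_incident(inc)
        print(result["case"]["title"], "-> isolate:", result["isolate_endpoint"])
```

In the sample data the first incident reaches the threshold (both vendors flag one of its two files) and is marked for isolation with severity 3, while the second stays below it and only gets an analyst-review task; swapping or adding a vendor means adding one more lookup in enrich_hash and adjusting ISOLATION_THRESHOLD accordingly.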
Vendors
Utils, VirusTotal, HTTP, SentinelOne, TheHive, Recorded Future
Workflow Output
At the end of the workflow, a new Threat Incident with enrichment can be found in TheHive; this case consolidates
Tips
Different threat intelligence vendors can be added, or can replace the existing ones.