Blacklist SHA1 Hashes on Multiple SentinelOne Sites - Workflow Template

Blacklists a list of hashes in one site or multiple sites. If no site list is provided, the hashes are added to all active sites.

Updated over 6 months ago

This workflow template streamlines the process of blacklisting SHA1 file hashes across SentinelOne sites. It verifies that each Site ID is valid and active, checks that the file hash provided is SHA1 (only SHA1 hashes are supported in the Blacklist), and then adds the hash to the Blacklist. If no list of sites is specified, the hash is added to all active sites. This workflow is essential for bolstering cybersecurity by automating the blacklisting of identified malicious SHA1 hashes to prevent potential threats.

Optional Triggers

"This workflow is intended to be used as a nested function."

Use Cases

Example

Workflow Breakdown

  1. Verifies that each Site ID belongs to a valid and active site.

  2. Checks that the file hash is SHA1. Only SHA1 hashes are supported in the Blacklist.

  3. Adds the hash to the Blacklist if it is not already blacklisted.
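
The three steps above, sketched as an added Python example (not the template's own implementation and not SentinelOne API code). The function name `plan_blacklist`, the `SITES` inventory and the `existing` set are assumptions standing in for console lookups, and the sample values are constructed.

```python
import re

SHA1_RE = re.compile(r"[0-9a-f]{40}")  # a SHA1 digest is 40 hex characters
# Constructed sample data (hypothetical Site IDs; SHA1 of empty input).
SITES = {"1001": "active", "1002": "expired", "1003": "active"}
EMPTY_SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"

def plan_blacklist(hashes, sites, site_ids=None, existing=frozenset()):
    """Return (to_add, errors); existing holds (site_id, sha1) pairs."""
    to_add, errors = [], []
    # Step 1: keep only Site IDs that exist and are active.
    if site_ids:
        targets = []
        for sid in dict.fromkeys(site_ids):  # de-duplicate, keep order
            if sid not in sites:
                errors.append((sid, "unknown site"))
            elif sites[sid] != "active":
                errors.append((sid, "site not active"))
            else:
                targets.append(sid)
    else:  # no site list given: target every active site
        targets = [sid for sid, state in sites.items() if state == "active"]
    # Step 2: accept SHA1 only; MD5 (32) and SHA256 (64) fail on length.
    valid = []
    for h in dict.fromkeys(x.strip().lower() for x in hashes):
        if SHA1_RE.fullmatch(h):
            valid.append(h)
        else:
            errors.append((h, "not a SHA1 hash"))
    # Step 3: add each hash per site unless an entry already exists.
    for sid in targets:
        for h in valid:
            if (sid, h) in existing:
                errors.append((f"{sid}:{h}", "already blacklisted"))
            else:
                to_add.append((sid, h))
    return to_add, errors

if __name__ == "__main__":
    added, errs = plan_blacklist([EMPTY_SHA1, "not-a-hash"], SITES)
    print(added)
    print(errs)
```

Errors are collected rather than raised, so one invalid Site ID or hash does not stop the remaining entries from being processed.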

Vendors

Utils, SentinelOne

Workflow Output

Valid SHA1 hashes are blacklisted in active, valid sites. Errors are collected when hashes and Site IDs are not valid, or when there is already a blacklisted entry.

Tips

Automate Blacklisting of External IoCs
