Enrich SentinelOne Incident with Threat Intelligence from Intezer - Workflow Template

Trigger from a Singularity Webhook on a new threat and provide threat enrichment from Intezer with optional Live Agent Endpoint Scan

Updated over 6 months ago

The "Enrich SentinelOne Incident with Threat Intelligence from Intezer" workflow template helps security teams enrich detections and speed up response. A SentinelOne Singularity webhook starts the workflow when a new threat is detected. The workflow looks the threat's file hash up in Intezer, writes the verdict back to the SentinelOne threat, and, where the threat is on a Windows endpoint and an analyst approves, runs an Intezer Live Agent scan of that endpoint. Results and status updates are posted to Slack so the incident can be tracked and closed in real time.

Trigger

SentinelOne

Use Cases

Endpoint Detection and Response (EDR), Threat Intelligence Enrichment

Workflow Breakdown

  1. Set up the remote script in SentinelOne using the documentation link on the workflow.

  2. The workflow is triggered from the Singularity Webhook from SentinelOne.

  3. Gather data from Intezer on the threat and start a Singularity XDR Search for the hash.

  4. If the threat is on a Windows device and Intezer classifies it as Malicious or Suspicious, ask the analyst whether an Intezer Live scan should be run.

  5. If the answer is yes, run the remote script in SentinelOne and collect the scan results.

  6. Post the relevant details to the Slack channel and add them to the SentinelOne threat.
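The decision logic behind steps 2 to 4 and the note for step 6, written out as plain Python. This is an added, illustrative re-implementation and not the template's own code: the webhook field layout (threatInfo.sha256 / sha1, agentDetailedInfo.agentOsType), the Intezer verdict vocabulary, the sample event and the verdict table are all constructed assumptions standing in for the live SentinelOne and Intezer calls. The one check worth carrying into the real workflow is the hash validation: the hash arrives in attacker-influenced webhook text, so it is confirmed to be plain hex before it is used in an XDR search or an Intezer request.

```python
"""Core decision logic of the enrichment workflow, offline and self-contained.
Illustrative re-implementation; field names and verdicts are assumptions."""
import re
from typing import Callable, Optional

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

# Intezer verdicts that justify offering a Live Agent scan (workflow step 4).
# Vocabulary is assumed; check it against the Intezer Analyze responses you get.
SCAN_WORTHY = {"malicious", "suspicious"}

# Constructed webhook body. Field names are modelled on the SentinelOne threat
# object but are an assumption; map them to what your Singularity webhook sends.
SAMPLE_EVENT = {
    "data": {
        "id": "1234567890123456789",
        "threatInfo": {
            "threatName": "suspicious.exe",
            "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
            "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
        },
        "agentDetailedInfo": {"agentOsType": "windows", "computerName": "WS-042"},
    }
}

# Constructed stand-in for the Intezer Analyze hash lookup (verdict by SHA-256).
CONSTRUCTED_VERDICTS = {
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": "malicious",
}


def lookup_verdict(file_hash: str) -> str:
    """Offline verdict source; swap in a real Intezer Analyze client here."""
    return CONSTRUCTED_VERDICTS.get(file_hash, "unknown")


def extract_indicators(event: dict) -> dict:
    """Pull hashes, host OS and threat id out of the webhook body, normalised."""
    data = event.get("data", {})
    threat = data.get("threatInfo", {})
    agent = data.get("agentDetailedInfo", {})
    return {
        "threat_id": str(data.get("id", "")),
        "threat_name": threat.get("threatName", ""),
        "sha256": (threat.get("sha256") or "").strip().lower(),
        "sha1": (threat.get("sha1") or "").strip().lower(),
        "os": (agent.get("agentOsType") or "").strip().lower(),
        "host": agent.get("computerName", ""),
    }


def pick_search_hash(ind: dict) -> Optional[str]:
    """Return a well-formed hash to enrich and search on, preferring SHA-256.
    Rejecting anything that is not plain hex keeps webhook-supplied text out
    of the XDR query string and the Intezer request path."""
    if SHA256_RE.match(ind["sha256"]):
        return ind["sha256"]
    if SHA1_RE.match(ind["sha1"]):
        return ind["sha1"]
    return None


def should_prompt_live_scan(os_type: str, verdict: str) -> bool:
    """Step 4: only Windows hosts with a Malicious/Suspicious verdict get the
    'run a Live Agent scan?' prompt; everything else is enrichment only."""
    return os_type == "windows" and verdict.lower() in SCAN_WORTHY


def build_note(ind: dict, file_hash: str, verdict: str, prompt: bool) -> str:
    """Text for the Slack message and the SentinelOne threat note (step 6)."""
    return "\n".join([
        f"SentinelOne threat {ind['threat_id']} ({ind['threat_name']}) "
        f"on {ind['host']} [{ind['os']}]",
        f"Intezer verdict for {file_hash}: {verdict}",
        "Live Agent scan offered: "
        + ("yes, awaiting analyst approval" if prompt else "no"),
    ])


def run_workflow(event: dict,
                 verdict_source: Callable[[str], str] = lookup_verdict) -> dict:
    """Steps 2-4 plus the step-6 note, without the Slack/SentinelOne writes."""
    ind = extract_indicators(event)
    file_hash = pick_search_hash(ind)
    if file_hash is None:
        # Fail loudly rather than enrich or search on a malformed indicator.
        raise ValueError(f"threat {ind['threat_id']} carries no well-formed hash")
    verdict = verdict_source(file_hash)
    prompt = should_prompt_live_scan(ind["os"], verdict)
    return {
        "search_hash": file_hash,
        "verdict": verdict,
        "prompt_live_scan": prompt,
        "note": build_note(ind, file_hash, verdict, prompt),
    }


if __name__ == "__main__":
    print(run_workflow(SAMPLE_EVENT)["note"])
```

To wire this into the real workflow, replace lookup_verdict with a call to your Intezer Analyze client and keep the analyst prompt as a hard gate: a remote script runs on the endpoint with agent privileges, so it should never fire on the verdict alone.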

Vendors

Slack, Utils, SentinelOne, Intezer Analyze, Singularity XDR

Workflow Output

Threat enrichment written back to SentinelOne and, when approved, an Intezer Live Agent scan of the endpoint.

Tips

Make sure to set up the remote script in SentinelOne for Intezer based on the documentation link on the workflow. The example script can be found in the second step of the workflow.
