The "Enrich SentinelOne Incident with Threat Intelligence from Intezer" workflow template helps security teams speed up threat triage and response. A SentinelOne webhook triggers the workflow when a new threat is detected. The workflow looks up the threat in Intezer, enriches the SentinelOne incident with the verdict and analysis details, and, for a Malicious or Suspicious verdict on a Windows device, asks the analyst whether to run an Intezer Live Agent scan on that endpoint. Results and updates are posted to Slack for real-time incident tracking and resolution.
Trigger
SentinelOne
Use Cases
Endpoint Detection and Response (EDR), Threat Intelligence Enrichment
Workflow Breakdown
Set up the remote script in SentinelOne using the documentation link on the workflow.
The workflow is triggered by the Singularity Webhook from SentinelOne.
Gather data from Intezer on the threat and start a Singularity XDR search for the hash.
If the threat is on a Windows device and Intezer's verdict is Malicious or Suspicious, ask whether an Intezer Live scan should be run.
If the answer is yes, run the remote script in SentinelOne and gather the results.
Update the Slack channel and the threat incident with the relevant details.
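The gating logic behind steps 3 to 5 above, written out as an added Python example (not part of the template or of either vendor's code). The webhook event shape, the Intezer verdict field names, the hostnames and the hashes are all constructed assumptions loosely modelled on the vendors' documented formats; the real payloads in your tenant may differ. The example also covers the failure mode the step list leaves implicit: a threat with no SHA-256, or a hash Intezer has never seen, must not trigger the Live scan prompt.

```python
"""Triage decision for the SentinelOne -> Intezer enrichment workflow.

Added example; the event and result shapes below are assumptions, not
copies of the SentinelOne or Intezer API schemas.
"""
from dataclasses import dataclass
from typing import Optional

# Only these Intezer verdicts justify offering an Intezer Live scan.
ACTIONABLE_VERDICTS = {"malicious", "suspicious"}

# Constructed sample hash (not a real file) used by the sample data below.
SAMPLE_SHA256 = "deadbeef" * 8


@dataclass
class Threat:
    threat_id: str
    hostname: str
    os_type: str
    sha256: Optional[str]  # SentinelOne does not always report a SHA-256


def constructed_event(os_type: str = "windows", sha256: Optional[str] = SAMPLE_SHA256) -> dict:
    """Build a constructed SentinelOne-style threat webhook event (assumed layout)."""
    threat_info = {"threatId": "1234567890", "sha1": "0" * 40}
    if sha256 is not None:
        threat_info["sha256"] = sha256
    return {
        "threatInfo": threat_info,
        "agentRealtimeInfo": {"agentComputerName": "WS-FINANCE-07", "agentOsType": os_type},
    }


# Constructed stand-in for what a by-hash lookup against Intezer would return.
CONSTRUCTED_INTEZER_RESULTS = {
    SAMPLE_SHA256: {"status": "succeeded", "result": {"verdict": "malicious", "family_name": "ConstructedFamily"}},
}


def parse_threat(event: dict) -> Threat:
    """Pull the fields the workflow needs out of the webhook event (assumed field names)."""
    info = event["threatInfo"]
    agent = event["agentRealtimeInfo"]
    return Threat(
        threat_id=info["threatId"],
        hostname=agent["agentComputerName"],
        os_type=agent["agentOsType"],
        sha256=info.get("sha256"),
    )


def intezer_verdict(analysis: Optional[dict]) -> str:
    """Normalise a file-analysis result to one lowercase verdict string.

    None (no hash, or hash unknown to Intezer) and incomplete analyses both
    collapse to "unknown" so they can never pass the actionable-verdict check.
    """
    if not analysis or analysis.get("status") != "succeeded":
        return "unknown"
    return str(analysis.get("result", {}).get("verdict", "unknown")).lower()


def should_offer_live_scan(threat: Threat, verdict: str) -> bool:
    """Step 4: prompt only for Windows endpoints and only for Malicious/Suspicious."""
    return threat.os_type.lower() == "windows" and verdict in ACTIONABLE_VERDICTS


def slack_summary(threat: Threat, verdict: str, offer_scan: bool) -> str:
    """Text for the Slack update in step 6."""
    line = f"SentinelOne threat {threat.threat_id} on {threat.hostname}: Intezer verdict={verdict}"
    if threat.sha256 is None:
        line += " (no SHA-256 on threat, enrichment skipped)"
    if offer_scan:
        line += " -> Live scan offered to analyst"
    return line


def triage(event: dict, intezer_results: dict) -> dict:
    """Run steps 3 and 4 over one event and return what the later steps need."""
    threat = parse_threat(event)
    analysis = intezer_results.get(threat.sha256) if threat.sha256 else None
    verdict = intezer_verdict(analysis)
    offer = should_offer_live_scan(threat, verdict)
    return {
        "threat_id": threat.threat_id,
        "verdict": verdict,
        "offer_live_scan": offer,
        "slack": slack_summary(threat, verdict, offer),
    }


if __name__ == "__main__":
    print(triage(constructed_event(), CONSTRUCTED_INTEZER_RESULTS)["slack"])
```

In a real deployment the `intezer_results` lookup is replaced by the workflow's Intezer Analyze step, and the `offer_live_scan` flag is what drives the Slack prompt; keeping the decision in one pure function makes it easy to test that non-Windows hosts and unknown hashes never reach the remote script.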
Vendors
Slack, Utils, SentinelOne, Intezer Analyze, Singularity XDR
Workflow Output
Updated threat enrichment in SentinelOne and an Intezer Live Agent scan of the endpoint.
Tips
Make sure to set up the remote script in SentinelOne for Intezer based on the documentation link on the workflow. The example script can be found in the second step of the workflow.