Skip to main content
All CollectionsTemplatesIntermediate
Threat Hunt for a Specified SHA1 Signature in SingularityXDR - Workflow Template
Threat Hunt for a Specified SHA1 Signature in SingularityXDR - Workflow Template

Receive a file signature from Slack and hunt for the signature in Singularity XDR, notify owners of the endpoint, kick off scan of devices.

Updated over a week ago

Use Torq's workflow to seamlessly manage threat detection and response via Slack and Singularity XDR. This template enables security analysts to receive file signatures through Slack, perform a detailed signature hunt in Singularity XDR within a defined timeframe, and take swift remediation actions, such as initiating scans or blocking suspicious hashes. It streamlines the threat hunting process and response, enhancing your endpoint detection and response efficacy while saving valuable investigation time.

Trigger

Slack

Optional Triggers

Webhook,"Microsoft Teams"

Use Cases

Endpoint Detection and Response (EDR)

Workflow Breakdown

  1. Receive a Slack command with platform and SHA1 hash

  2. Ask the analyst to define the timeframe for the query or let the question defaults to 7 days.

  3. Initiate a Singularity XDR Query to Threat Hunt for the Signature.

  4. Go over the affected agents/hosts.

  5. Fetch data such as type of activities and command line executions for the analyst.

  6. Ask the analyst to choose a remediation action such as notify, scan, open a case or add the IP to tSentinel One Blocklist.

  7. Open a case, add observable and link to previous similar cases.

  8. If owner is found in Slack, reach out to them directly, to notify bedore scanning the computer.

  9. Retrieve information from either Jamf(MacOS) or Intune(Windows).

  10. Scan the endpoint/host with a full disk scan.

  11. Add the Hash to the blacklist for the platform if it does not exist.

Vendors

Slack, Utils, SentinelOne, Jamf, Microsoft 365, Torq Cases, Singularity XDR

Workflow Output

Success/Failure via Slack

Tips

Update the first set workflow parameters step with your integration names, Slack channel, and SentinelOne site id

Did this answer your question?