Use Torq's workflow to seamlessly manage threat detection and response via Slack and Singularity XDR. This template enables security analysts to receive file signatures through Slack, perform a detailed signature hunt in Singularity XDR within a defined timeframe, and take swift remediation actions, such as initiating scans or blocking suspicious hashes. It streamlines the threat hunting process and response, enhancing your endpoint detection and response efficacy while saving valuable investigation time.
Trigger
Slack
Optional Triggers
Webhook, Microsoft Teams
Use Cases
Endpoint Detection and Response (EDR)
Workflow Breakdown
Receive a Slack command with platform and SHA1 hash
Ask the analyst to define the timeframe for the query, or let the question default to 7 days.
Initiate a Singularity XDR Query to Threat Hunt for the Signature.
Go over the affected agents/hosts.
Fetch data such as type of activities and command line executions for the analyst.
Ask the analyst to choose a remediation action, such as notify, scan, open a case, or add the hash to the SentinelOne Blocklist.
Open a case, add observable and link to previous similar cases.
If the owner is found in Slack, reach out to them directly to notify them before scanning the computer.
Retrieve information from either Jamf (macOS) or Intune (Windows).
Scan the endpoint/host with a full disk scan.
Add the Hash to the blacklist for the platform if it does not exist.
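The control logic behind the steps above, as an added example that is not Torq's template code: parsing the Slack command, defaulting the hunt window to 7 days, grouping the hunt results per affected agent, validating the chosen remediation, and adding the hash to a blocklist only if it is not already there. The Singularity XDR, SentinelOne and Slack calls are stand-ins (an in-memory blocklist and a constructed list of query rows), and the platform names, the 90-day upper bound and the sample hostnames are assumptions.

```python
"""Control logic for a Slack-driven signature hunt (added example, not Torq's code).
The SentinelOne / Singularity XDR and Slack integrations are replaced by in-memory
stand-ins; SAMPLE_HITS is constructed data, not real query output."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
PLATFORMS = {"windows", "macos", "linux"}        # assumed platform names
ACTIONS = {"notify", "scan", "case", "block"}    # remediation choices from the breakdown
DEFAULT_DAYS = 7                                 # the question's default timeframe
MAX_DAYS = 90                                    # assumed upper bound for a hunt window


def parse_slack_command(text: str) -> tuple[str, str]:
    """Parse '<platform> <sha1>' from the Slack command; reject malformed input early."""
    parts = text.strip().split()
    if len(parts) != 2:
        raise ValueError("expected: <platform> <sha1>")
    platform, sha1 = parts[0].lower(), parts[1].lower()
    if platform not in PLATFORMS:
        raise ValueError(f"unknown platform {platform!r}")
    if not SHA1_RE.match(sha1):
        raise ValueError("hash must be 40 hex characters (SHA1)")
    return platform, sha1


def resolve_timeframe(answer: Optional[str], now: Optional[datetime] = None) -> tuple[datetime, datetime]:
    """Turn the analyst's answer (days, possibly blank) into a query window; blank means 7 days."""
    now = now or datetime.now(timezone.utc)
    days = DEFAULT_DAYS if not answer or not answer.strip() else int(answer)
    if not 1 <= days <= MAX_DAYS:
        raise ValueError(f"timeframe must be 1..{MAX_DAYS} days")
    return now - timedelta(days=days), now


def summarize_hits(hits: list[dict]) -> dict[str, dict]:
    """Group hunt rows by agent: which activity types were seen and which command lines ran."""
    by_agent: dict[str, dict] = {}
    for h in hits:
        entry = by_agent.setdefault(h["agent"], {"activities": set(), "command_lines": []})
        entry["activities"].add(h["event_type"])
        if h.get("cmdline"):
            entry["command_lines"].append(h["cmdline"])
    return by_agent


def choose_remediation(answer: str) -> str:
    """Validate the analyst's choice against the allowed actions (case-insensitive)."""
    action = answer.strip().lower()
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}")
    return action


def add_to_blocklist(blocklist: dict[str, set[str]], platform: str, sha1: str) -> bool:
    """Idempotent add: True if the hash was newly blocked for the platform, False if already present."""
    existing = blocklist.setdefault(platform, set())
    if sha1 in existing:
        return False
    existing.add(sha1)
    return True


# Constructed sample hunt results (hostnames and command lines are made up).
SAMPLE_HITS = [
    {"agent": "LAPTOP-01", "event_type": "Process Creation", "cmdline": "cmd.exe /c whoami"},
    {"agent": "LAPTOP-01", "event_type": "File Creation", "cmdline": ""},
    {"agent": "SRV-DB-02", "event_type": "Process Creation", "cmdline": "powershell.exe -File update.ps1"},
]

if __name__ == "__main__":
    platform, sha1 = parse_slack_command("windows " + "a" * 40)
    start, end = resolve_timeframe("", datetime(2024, 1, 8, tzinfo=timezone.utc))
    print(f"hunt {sha1} on {platform} from {start:%Y-%m-%d} to {end:%Y-%m-%d}")
    for agent, info in summarize_hits(SAMPLE_HITS).items():
        print(agent, sorted(info["activities"]), info["command_lines"])
    action = choose_remediation("Block")
    blocklist: dict[str, set[str]] = {}
    if action == "block":
        print("newly blocked:", add_to_blocklist(blocklist, platform, sha1))
        print("second attempt adds:", add_to_blocklist(blocklist, platform, sha1))
```

The blocklist check mirrors the last step of the breakdown: the second call returns False instead of creating a duplicate entry, which is the behaviour the workflow wants before it calls the real SentinelOne blocklist API.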
Vendors
Slack, Utils, SentinelOne, Jamf, Microsoft 365, Torq Cases, Singularity XDR
Workflow Output
Success/Failure via Slack
Tips
Update the first Set Workflow Parameters step with your integration names, Slack channel, and SentinelOne site ID.