
Download a File from a SentinelOne Endpoint - Workflow Template

Downloads a file from a SentinelOne agent given an agent ID, a file path, and a password. The file does not need to be part of an incident.

Updated yesterday

This workflow template retrieves files from SentinelOne endpoints to support Endpoint Detection and Response (EDR) work. It automates requesting the file from the agent (the upload is protected by a password), downloading it from SentinelOne Management, and storing it in Torq, where it is available either privately or via a shareable link for threat hunting and intelligence enrichment.

Optional Triggers

This workflow is intended to work as a nested workflow/function.

Use Cases

Endpoint Detection and Response (EDR), Function, Threat Hunting, Threat Intelligence Enrichment

Workflow Breakdown

  1. Request the agent's status by agent ID.

  2. Request the agent to upload the file to SentinelOne Management, given a file path and a password.

  3. Download the file from SentinelOne Management and store it as a file in Torq.

  4. If the agent is not active, the workflow waits for a period of time and re-checks until the agent is able to upload the file.

Vendors

Utils, SentinelOne

Workflow Output

The output contains the URL of the file inside Torq (as a private or shareable link), the file's integrity hashes, and the password if it was generated by the workflow.

Tips

  • If no password is provided, one will be generated per file.

  • Customize the waiting and checking period using context variables.
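The workflow breakdown and the two tips above, carried out as plain Python. This is an added example, not the Torq template's own steps or SentinelOne's code. It assumes the SentinelOne Management API v2.1 endpoints listed in the module docstring (agent status, `agents/actions/fetch-files`, the activities feed, and the per-agent uploads download), that the upload activity has type 80, and that fetch-files passwords must be at least 10 characters; verify all of these against your console's API reference. The `FakeSentinelOneAPI` class and `SAMPLE_ZIP` are constructed stand-ins so the example runs offline: the agent reports inactive on the first status check and the upload appears on the second poll, which exercises the wait-and-retry path.

```python
"""
Added example: fetch a file from a SentinelOne agent, wait for an inactive
agent, download the upload and report hashes plus the generated password.
Assumed SentinelOne Management API v2.1 calls (verify in your console docs):
  GET  /web/api/v2.1/agents?ids=<id>                          -> data[0].isActive
  POST /web/api/v2.1/agents/actions/fetch-files               -> agent uploads a password-protected archive
  GET  /web/api/v2.1/activities?agentIds=<id>&activityTypes=80 -> the upload activity (type 80 assumed)
  GET  /web/api/v2.1/agents/<id>/uploads/<activityId>         -> archive bytes
"""
import hashlib
import secrets
import string
import time

API_BASE = "/web/api/v2.1"
UPLOAD_ACTIVITY_TYPE = 80  # assumption: "agent uploaded fetched files"
MIN_PASSWORD_LEN = 10      # assumption: minimum accepted by fetch-files

# Constructed sample: a tiny byte string standing in for the uploaded archive.
SAMPLE_ZIP = b"PK\x03\x04constructed-sample-archive"


def generate_password(length: int = 16) -> str:
    """Per-file password (tip 1); refuse lengths the API would reject."""
    if length < MIN_PASSWORD_LEN:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LEN} characters")
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def file_hashes(data: bytes) -> dict:
    """Integrity hashes of the downloaded bytes (the archive, not the inner file)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def fetch_file(api, agent_id, path, password=None, wait_seconds=30, max_checks=10, sleep=time.sleep):
    """Steps 1-4 of the workflow; wait_seconds/max_checks play the role of the context variables."""
    password = password or generate_password()
    # Steps 1 and 4: check the agent, wait and re-check while it is inactive.
    for _ in range(max_checks):
        agent = api.get(f"{API_BASE}/agents", params={"ids": agent_id})["data"][0]
        if agent["isActive"]:
            break
        sleep(wait_seconds)
    else:
        raise TimeoutError(f"agent {agent_id} did not become active after {max_checks} checks")
    # Step 2: ask the agent to upload the file, protected with the password.
    api.post(f"{API_BASE}/agents/actions/fetch-files",
             json={"filter": {"ids": [agent_id]}, "data": {"files": [path], "password": password}})
    # Step 3: poll for the upload activity, then download the archive.
    for _ in range(max_checks):
        activities = api.get(f"{API_BASE}/activities",
                             params={"agentIds": agent_id, "activityTypes": UPLOAD_ACTIVITY_TYPE,
                                     "sortBy": "createdAt", "sortOrder": "desc"})["data"]
        if activities:
            break
        sleep(wait_seconds)
    else:
        raise TimeoutError(f"no upload from agent {agent_id} after {max_checks} polls")
    blob = api.get_bytes(f"{API_BASE}/agents/{agent_id}/uploads/{activities[0]['id']}")
    # The password is part of the output: without it the archive cannot be opened.
    return {"password": password, "hashes": file_hashes(blob), "content": blob}


class FakeSentinelOneAPI:
    """Constructed stand-in for an HTTP client: inactive on first check, upload on second poll."""
    def __init__(self):
        self.calls, self.status_checks, self.activity_polls, self.fetch_request = [], 0, 0, None

    def get(self, url, params=None):
        self.calls.append(url)
        if url.endswith("/agents"):
            self.status_checks += 1
            return {"data": [{"id": params["ids"], "isActive": self.status_checks > 1}]}
        if url.endswith("/activities"):
            self.activity_polls += 1
            return {"data": [{"id": "act-42"}] if self.activity_polls > 1 else []}
        raise KeyError(url)

    def post(self, url, json):
        self.calls.append(url)
        self.fetch_request = json
        return {"data": {"affected": 1}}

    def get_bytes(self, url):
        self.calls.append(url)
        return SAMPLE_ZIP


def demo():
    """Run the workflow against the fake API with no real sleeping; returns (api, result)."""
    api = FakeSentinelOneAPI()
    result = fetch_file(api, "agent-1", r"C:\Users\alice\Downloads\dropper.exe",
                        wait_seconds=0, sleep=lambda _s: None)
    return api, result


if __name__ == "__main__":
    _api, _result = demo()
    print(_result["hashes"]["sha256"], _result["password"])
```

Against a real console, `api` would be a thin wrapper over `requests.Session` that prefixes the management URL and sends the `Authorization: ApiToken <token>` header (the SentinelOne auth scheme); keep the returned password alongside the file, since the archive is unreadable without it, and treat it as a secret in the Torq output rather than logging it.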
