Ensure prompt handling of cyber threats by utilizing the "Download a File from a SentinelOne Threat ID" workflow template in Torq. This Endpoint Detection and Response (EDR) procedure streamlines the secure retrieval of flagged files for investigation. It starts by setting the SentinelOne URL in the workflow context, validates the threat ID, and confirms that the agent reporting the threat is online. If the agent is offline, the workflow waits for a bounded period for it to reconnect rather than failing immediately. Once the agent is reachable, the file is fetched from it and stored within Torq, either privately or with a shareable link when one is required. This process helps security teams respond to and analyze potential threats in their environments without manually pulling samples from endpoints.
Optional Triggers
"This workflow is intended to be used as a Function"
Use Cases
Endpoint Detection and Response (EDR)
Workflow Breakdown
Set up the SentinelOne URL in the Workflow Context to match your environment.
Verify that the Threat ID is valid and that the agent is online, so the file can be downloaded.
If the agent is not online, the workflow waits for a configured period of time for the agent to become reachable before giving up.
Fetch the file from the agent and save it in Torq as a private file, or as a public file when a shareable link is needed.
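The four steps above amount to a small orchestration routine: validate the input, check reachability, wait with a bounded timeout, then fetch, hash and store. The following added example is not Torq's or SentinelOne's code; it reproduces that control flow in plain Python so the timeout and error paths can be read and run offline. The SentinelOne Management API is replaced by a constructed stand-in (`FakeS1Client`; its method names, the numeric threat-ID pattern, the `torq://` and `https://files.example.invalid` link formats, and `store_in_torq` are all assumptions for illustration), and the clock is injectable so the wait loop can be exercised without real sleeps.

```python
"""Control flow of the 'Download a File from a SentinelOne Threat ID' workflow.

Added example, not the template's own implementation. Everything named
FakeS1Client / store_in_torq / FakeClock is a constructed stand-in.
"""
import hashlib
import re
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Assumption: SentinelOne threat IDs are long numeric strings; adjust to taste.
THREAT_ID_RE = re.compile(r"\d{15,25}")


class WorkflowError(Exception):
    """A workflow step could not complete (bad ID, unknown threat, agent offline)."""


@dataclass(frozen=True)
class FetchResult:
    """Mirrors the workflow output: filename, hashes, and a private or public link."""
    filename: str
    md5: str
    sha1: str
    sha256: str
    visibility: str  # "private" or "public"
    link: str


class FakeS1Client:
    """Constructed stand-in for the SentinelOne API so the example runs offline.

    The agent is reported offline for the first `online_after_polls` checks,
    which lets us exercise the bounded-wait path deterministically.
    """

    def __init__(self, base_url: str, threats: dict, online_after_polls: int = 0):
        self.base_url = base_url            # workflow-context value, e.g. https://<tenant>.sentinelone.net
        self._threats = threats             # threat_id -> {"filename": ..., "content": ...}
        self._online_after = online_after_polls
        self.polls = 0

    def get_threat(self, threat_id: str) -> Optional[dict]:
        return self._threats.get(threat_id)

    def agent_is_online(self, threat_id: str) -> bool:
        self.polls += 1
        return self.polls > self._online_after

    def fetch_file(self, threat_id: str) -> tuple[str, bytes]:
        t = self._threats[threat_id]
        return t["filename"], t["content"]


class FakeClock:
    """Virtual clock: sleep() advances time instead of blocking (constructed for the demo)."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the sample; hashes are computed, the bytes are never executed."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def wait_for_agent(client, threat_id: str, timeout_s: float, poll_s: float,
                   sleep: Callable[[float], None], now: Callable[[], float]) -> bool:
    """Poll until the agent is reachable or the window closes. Never waits past `timeout_s`."""
    deadline = now() + timeout_s
    while True:
        if client.agent_is_online(threat_id):
            return True
        if now() + poll_s > deadline:   # the next sleep would overrun the window: give up
            return False
        sleep(poll_s)


def store_in_torq(filename: str, data: bytes, public: bool) -> str:
    """Stand-in for Torq file storage; link formats are assumptions, not Torq's real ones."""
    digest = hashlib.sha256(data).hexdigest()
    if public:
        return f"https://files.example.invalid/share/{digest}/{filename}"  # shareable link
    return f"torq://private-files/{digest}"                                 # internal reference only


def download_threat_file(client, threat_id: str, *, public: bool = False,
                         wait_timeout_s: float = 300, poll_s: float = 30,
                         sleep: Callable[[float], None] = time.sleep,
                         now: Callable[[], float] = time.monotonic) -> FetchResult:
    # Step 2: reject malformed or unknown IDs before doing any work against the tenant.
    if not THREAT_ID_RE.fullmatch(threat_id):
        raise WorkflowError(f"threat ID {threat_id!r} is not well formed")
    if client.get_threat(threat_id) is None:
        raise WorkflowError(f"threat ID {threat_id} not found at {client.base_url}")
    # Step 3: bounded wait for an offline agent instead of failing or hanging.
    if not wait_for_agent(client, threat_id, wait_timeout_s, poll_s, sleep, now):
        raise WorkflowError(f"agent for threat {threat_id} still offline after {wait_timeout_s}s")
    # Step 4: fetch, hash, and store privately unless a shareable link was asked for.
    filename, data = client.fetch_file(threat_id)
    h = file_hashes(data)
    return FetchResult(filename, h["md5"], h["sha1"], h["sha256"],
                       "public" if public else "private", store_in_torq(filename, data, public))


# Constructed sample threat; the content is a placeholder, not real malware.
SAMPLE_THREATS = {
    "1234567890123456789": {"filename": "invoice.exe",
                            "content": b"MZ\x90\x00 constructed sample bytes"},
}

if __name__ == "__main__":
    clock = FakeClock()
    client = FakeS1Client("https://tenant.sentinelone.net", SAMPLE_THREATS, online_after_polls=2)
    print(download_threat_file(client, "1234567890123456789", wait_timeout_s=120,
                               poll_s=30, sleep=clock.sleep, now=clock.now))
```

The point worth copying into a real implementation is `wait_for_agent`: the reconnect window is a hard deadline checked before every sleep, so a permanently offline agent turns into a clear `WorkflowError` after the configured time rather than a stuck run. Keep the default visibility private; a public link on a fetched sample should be an explicit opt-in by the caller.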
Vendors
Utils, SentinelOne
Workflow Output
Output contains filename, hashes and URL for the file as a private or public link.