Workflow Template: Download a File from a SentinelOne Threat ID

Fetch the file associated with a SentinelOne Threat ID, encrypt it with the provided password, and provide a link to download it.

Updated this week

The "Download a File from a SentinelOne Threat ID" workflow template is designed for Endpoint Detection and Response (EDR) use cases. It automates the process of retrieving files associated with threats identified by SentinelOne. If the agent is offline, the workflow waits until it becomes reachable. Once the file is fetched, it can be saved as a private or public file in Torq, providing a secure and efficient method for threat analysis and incident response.

Optional Triggers

This workflow is intended to be used as a Function.

Use Cases

Endpoint Detection and Response (EDR)

Workflow Breakdown

  1. Set up the SentinelOne URL in the Workflow Context to match your environment.

  2. Verify that the Threat ID is valid and the agent is online so the file can be downloaded.

  3. If the agent is not online, the workflow waits for a specific range of time for the agent to become reachable.

  4. Fetch the file from the agent and save it as a private or public file in Torq.

Vendors

Utils, SentinelOne

Workflow Output

The output contains the filename, hashes, and a URL for the file as a private or public link.