This workflow template automates the detection and case management process for potential security threats detected by SentinelOne within Azure Sentinel. On a scheduled basis, the workflow queries Azure Sentinel for new SentinelOne events, transforms the log data into a structured format, and dynamically creates a case in Torq for each alert and threat. Each case will be enriched with observables and custom field data, facilitating an integrated and efficient incident response within your security ecosystem.
Use Cases
Case Management, Endpoint Detection and Response (EDR)
Workflow Breakdown
Query Azure Sentinel on a schedule to find new SentinelOne detections
Transform the query results, mapping each row onto its column names so that all detections form a single list of records.
Open a Torq case with the details from each alert and threat, and create observables and custom fields as part of the Torq case.
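As an added illustration of the transform and case-creation steps (example code written for this page, not the template's own logic), the snippet below flattens a Log Analytics query response into records and shapes each one into a case payload; the column names, observable types and payload layout are assumptions.

```python
# Added example (not part of the Torq template): flatten a Log Analytics
# query response and build one case payload per SentinelOne detection.
from typing import Any

# Constructed sample in the shape the Log Analytics query API returns:
# a list of tables, each with "columns" (name/type) and "rows" (lists).
SAMPLE_RESULT = {
    "tables": [{
        "name": "PrimaryResult",
        "columns": [
            {"name": "TimeGenerated", "type": "datetime"},
            {"name": "ThreatName", "type": "string"},
            {"name": "AgentHostname", "type": "string"},
            {"name": "FileSha256", "type": "string"},
            {"name": "Severity", "type": "string"},
        ],
        "rows": [
            ["2024-01-01T10:00:00Z", "Example.Trojan", "WS-01", "a" * 64, "high"],
            ["2024-01-01T10:05:00Z", "Example.PUA", "WS-02", "b" * 64, "low"],
        ],
    }]
}

def tables_to_records(result: dict) -> list[dict[str, Any]]:
    """Zip every row with its table's column names: one dict per detection."""
    records = []
    for table in result.get("tables", []):
        names = [c["name"] for c in table["columns"]]
        for row in table["rows"]:
            if len(row) != len(names):  # malformed result, do not guess
                raise ValueError("row/column length mismatch")
            records.append(dict(zip(names, row)))
    return records

# Hypothetical column-to-observable mapping; real column names depend on
# how SentinelOne data is ingested into the workspace.
OBSERVABLE_COLUMNS = {"AgentHostname": "hostname", "FileSha256": "sha256"}

def build_case(record: dict) -> dict:
    """Shape one detection into a case with observables and custom fields."""
    observables = [{"type": kind, "value": record[col]}
                   for col, kind in OBSERVABLE_COLUMNS.items() if record.get(col)]
    return {
        "title": f"SentinelOne: {record['ThreatName']} on {record['AgentHostname']}",
        "description": f"Detected at {record['TimeGenerated']}",
        "observables": observables,
        "custom_fields": {"severity": record["Severity"]},
    }

def cases_from_result(result: dict) -> list[dict]:
    """Transform step followed by case creation for every record."""
    return [build_case(r) for r in tables_to_records(result)]
```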
Vendors
Utils, SentinelOne, Microsoft 365, Torq, Torq Cases, Azure Log Analytics
Workflow Output
A Torq case populated with a description, observables, and custom fields.