Skip to main content
All CollectionsTemplatesIntermediate
Create Cases from SentinelOne Events found in Azure Sentinel - Workflow Template
Create Cases from SentinelOne Events found in Azure Sentinel - Workflow Template

Search on a schedule for SentinelOnes detections in Azure Sentinel and open a Torq case for each alert and threat.

Updated over a month ago

This workflow template automates the detection and case management process for potential security threats detected by SentinelOne within Azure Sentinel. On a scheduled basis, the workflow queries Azure Sentinel for new SentinelOne events, transforms the log data into a structured format, and dynamically creates a case in Torq for each alert and threat. Each case will be enriched with observables and custom field data, facilitating an integrated and efficient incident response within your security ecosystem.

Take Me to the Template

Use Cases

Case Management , Endpoint Detection and Response (EDR)

Workflow Breakdown

  1. Query Azure Sentinel on a schedule to find new SentinelOne detections

  2. Transform results from the query mapping columns and rows as a single list.

  3. Open a Torq case with the details from each alert and threat, and create observables and custom fields as part of the Torq case

Vendors

Utils, SentinelOne, Microsoft 365, Torq, Torq Cases, Azure Log Analytics

Workflow Output

A Torq case populated with a description, observables, and custom fields.

Related Articles
Open a TheHive case triggered by SentinelOne findings - Workflow Template
Enrich SentinelOne Threat Finding and Run Singularity XDR Search - Workflow Template
Download a File from a SentinelOne Threat ID - Workflow Template
Create Cases from Crowdstrike Detections found in Splunk - Workflow Template
Create Torq Cases from SentinelOne Threats Reported in Chronicle - Workflow Template
Did this answer your question?