Create Cases from SentinelOne Events found in Azure Sentinel - Workflow Template

Search on a schedule for SentinelOne detections in Azure Sentinel and open a Torq case for each alert and threat.

Updated over a month ago

This workflow template automates detection handling and case management for potential security threats that SentinelOne reports into Azure Sentinel. On a schedule, the workflow queries Azure Sentinel for new SentinelOne events, transforms the log data into a structured format, and creates a Torq case for each alert and threat. Each case is enriched with observables and custom field data, so the incident response process stays integrated with the rest of your security ecosystem.

Use Cases

Case Management, Endpoint Detection and Response (EDR)

Workflow Breakdown

  1. Query Azure Sentinel on a schedule to find new SentinelOne detections.

  2. Transform the query results, mapping the returned columns and rows into a single list of events.

  3. Open a Torq case with the details from each alert and threat, and create observables and custom fields as part of the Torq case.
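The three steps above in working form, as an added example that is not part of the template or of Torq's own code. The Log Analytics query response shape (a `tables` list, each with `columns` and `rows`) is the real Azure Monitor query API format; the column names, the sample rows, and the case payload layout (title, description, `observables`, `custom_fields`) are constructed assumptions for illustration. The example also adds two checks a scheduled run benefits from: rows without an event ID are skipped, and duplicate event IDs within one run produce a single case.

```python
"""Added example: turn a Log Analytics query result into one case payload per
SentinelOne alert/threat. Sample data and the case structure are assumed."""
from typing import Any

# Constructed sample in the Azure Monitor Log Analytics query API response shape
# (tables -> columns/rows). Column names are assumed, not the connector's schema.
SAMPLE_RESPONSE: dict[str, Any] = {
    "tables": [
        {
            "name": "PrimaryResult",
            "columns": [
                {"name": "TimeGenerated", "type": "datetime"},
                {"name": "EventType", "type": "string"},
                {"name": "EventId", "type": "string"},
                {"name": "ThreatName", "type": "string"},
                {"name": "Severity", "type": "string"},
                {"name": "Hostname", "type": "string"},
                {"name": "FileSha256", "type": "string"},
            ],
            "rows": [
                ["2024-01-01T10:00:00Z", "Threat", "t-1001", "Generic.Malware", "high", "ws-01", "a" * 64],
                ["2024-01-01T10:05:00Z", "Alert", "a-2002", "Suspicious PowerShell", "medium", "ws-02", ""],
                # Same alert returned twice (e.g. overlapping schedule windows): must yield one case.
                ["2024-01-01T10:05:00Z", "Alert", "a-2002", "Suspicious PowerShell", "medium", "ws-02", ""],
                # No event ID: cannot be tracked reliably, so it is skipped.
                ["2024-01-01T10:07:00Z", "Threat", "", "Unattributed", "low", "ws-03", ""],
            ],
        }
    ]
}


def rows_to_records(response: dict[str, Any]) -> list[dict[str, Any]]:
    """Step 2: flatten every table's columns/rows into a single list of dicts."""
    records: list[dict[str, Any]] = []
    for table in response.get("tables", []):
        names = [col["name"] for col in table.get("columns", [])]
        for row in table.get("rows", []):
            records.append(dict(zip(names, row)))
    return records


def build_case(rec: dict[str, Any]) -> dict[str, Any]:
    """Step 3: build an assumed case payload with observables and custom fields."""
    observables = [{"type": "hostname", "value": rec["Hostname"]}]
    if rec.get("FileSha256"):  # empty hash column -> no hash observable
        observables.append({"type": "sha256", "value": rec["FileSha256"]})
    return {
        "title": f"SentinelOne {rec['EventType']}: {rec['ThreatName']} on {rec['Hostname']}",
        "description": f"{rec['EventType']} {rec['EventId']} observed at {rec['TimeGenerated']}.",
        "observables": observables,
        "custom_fields": {
            "severity": rec["Severity"],
            "s1_event_id": rec["EventId"],
            "event_type": rec["EventType"],
        },
    }


def cases_from_response(response: dict[str, Any]) -> list[dict[str, Any]]:
    """Steps 2+3 together: one case per unique event ID, skipping rows without one."""
    seen: set[str] = set()
    cases: list[dict[str, Any]] = []
    for rec in rows_to_records(response):
        event_id = rec.get("EventId") or ""
        if not event_id or event_id in seen:
            continue
        seen.add(event_id)
        cases.append(build_case(rec))
    return cases


if __name__ == "__main__":
    for case in cases_from_response(SAMPLE_RESPONSE):
        print(case["title"], "->", [o["value"] for o in case["observables"]])
```

In a real deployment the `s1_event_id` custom field is what lets the next scheduled run (or a lookup against existing cases) avoid reopening a case for an event it has already handled; the in-run set above only covers duplicates inside a single query result.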

Vendors

Utils, SentinelOne, Microsoft 365, Torq, Torq Cases, Azure Log Analytics

Workflow Output

A Torq case populated with a description, observables, and custom fields.
