How To Automate Incident Response with SentinelOne and Torq

One of the superpowers of the Torq Hyperautomation platform is the ability to integrate with anything. We team up with leading security vendors to combine forces to create automations that make SOC analysts’ lives easier while also improving their organizations’ security posture.

In this post, we’ll talk about how the enterprise-grade Torq Hyperautomation platform integrates with SentinelOne to level up your organization’s SOC workflows with autonomous incident response.

Here are the top three Torq and SentinelOne automations:

Enrich SentinelOne Incidents With Threat Intelligence From Intezer

This workflow polls SentinelOne for incidents and, for each unresolved threat, enriches it with Intezer analysis, with an optional Intezer Live Endpoint Scan of the affected host.

On a schedule (for example, once a day) it polls SentinelOne for recent threats that are still unresolved. The file hash of each unresolved threat is queried against Intezer and the results are written to the notes of the threat.

A SentinelOne Deep Visibility query also runs to count how many other instances of the same hash have been seen in the environment.

If Intezer classifies the file as malicious or suspicious, the workflow asks in the customer’s Slack channel whether an Intezer Live Scan should run. If the answer is yes, it executes a remote script on the endpoint to install the Live Scan agent, runs the scan, and posts the results both to the Slack channel and to the threat’s notes in SentinelOne.

Threat Hunt for a Specified SHA1 Signature (SentinelOne) and Search Within SentinelOne XDR Solution for the Malicious File(s)

Using this workflow, you can receive a file hash (SHA1) from Slack, hunt for it across EDR agents, notify the owners of any affected endpoints, and kick off a scan of each device.

Here’s how it works:

  • Receive a Slack command with the platform and the SHA1 hash
  • Add the hash to the SentinelOne blocklist (formerly blacklist) for that platform, if it is not already there
  • Initiate a Deep Visibility query to hunt for the hash
  • Iterate over the affected agents/hosts
  • Retrieve the device owner from either Jamf or Intune
  • If the owner is found in Slack, reach out to them directly; otherwise update the Slack channel
  • Scan the endpoint/host with a full disk scan
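Here is the front half of that procedure as a worked example added for this article. It is not Torq’s code; in Torq the Slack and SentinelOne steps are built from the platform’s connectors. The Slack request is authenticated with Slack’s request signature before anything else, the platform and hash are validated, the hash is added to the blocklist only if it is not already there, and a full disk scan is started on the affected agents. The SentinelOne endpoint shapes, the osType values and the command syntax are assumptions; the Deep Visibility hunt and the Jamf/Intune owner lookup are left out, and the affected agent ids are passed in.

```python
"""Handle the Slack slash command that starts the hash hunt: confirm the request came
from Slack, validate platform and SHA1, add the hash to the SentinelOne blocklist only
if it is not already there, and start a full disk scan on the affected agents.

Added example, not Torq's code. Slack's v0 request signing is as Slack documents it;
the SentinelOne `restrictions` and `initiate-scan` request shapes are the author's
recollection of the v2.1 API and are assumptions to check against your console. The
Deep Visibility hunt is taken as already done and its agent ids are passed in. HTTP
goes through a `transport` callable so the flow runs offline against the fake below.
"""
import hashlib
import hmac
import re
import time
from typing import Any, Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
PLATFORM_TO_OS = {"windows": "windows", "mac": "macos", "macos": "macos", "linux": "linux"}
Transport = Callable[..., Dict[str, Any]]   # transport(method, url, params=, json=, headers=)

def sign_for_slack(signing_secret: str, timestamp: str, body: str) -> str:
    """Slack signature: 'v0=' + hex(HMAC-SHA256(secret, 'v0:<timestamp>:<raw body>'))."""
    mac = hmac.new(signing_secret.encode(), f"v0:{timestamp}:{body}".encode(), hashlib.sha256)
    return "v0=" + mac.hexdigest()

def verify_slack_signature(signing_secret: str, timestamp: str, body: str,
                           signature: str, now: Optional[float] = None) -> bool:
    """Constant-time compare plus a 5-minute replay window on the signed timestamp."""
    now = time.time() if now is None else now
    if not timestamp.isdigit() or abs(now - int(timestamp)) > 300:
        return False
    return hmac.compare_digest(sign_for_slack(signing_secret, timestamp, body), signature)

def parse_command(text: str) -> Tuple[str, str]:
    """'<platform> <sha1>' -> (SentinelOne osType, lowercase sha1); ValueError otherwise."""
    parts = text.strip().split()
    if len(parts) != 2:
        raise ValueError("usage: <platform> <sha1>")
    platform, sha1 = parts[0].lower(), parts[1].lower()
    if platform not in PLATFORM_TO_OS:
        raise ValueError(f"unknown platform {platform!r}; use windows, macos or linux")
    if not SHA1_RE.fullmatch(sha1):   # the hash is interpolated into API filters later on
        raise ValueError("hash must be 40 hex characters (SHA1)")
    return PLATFORM_TO_OS[platform], sha1

def ensure_blocklisted(t: Transport, console: str, hdr: Dict[str, str], os_type: str,
                       sha1: str, site_ids: List[str], who: str) -> bool:
    """Create a black_hash restriction unless one already exists; True if created."""
    existing = t("GET", f"{console}/web/api/v2.1/restrictions", headers=hdr,
                 params={"type": "black_hash", "value": sha1, "osTypes": os_type})["data"]
    if existing:
        return False
    t("POST", f"{console}/web/api/v2.1/restrictions", headers=hdr,
      json={"data": {"type": "black_hash", "value": sha1, "osType": os_type,
                     "description": f"Slack hunt by {who}"},
            "filter": {"siteIds": site_ids}})   # scope to named sites, not the whole tenant
    return True

def full_disk_scan(t: Transport, console: str, hdr: Dict[str, str], agent_ids: List[str]) -> int:
    """Start a full disk scan on the given agents; returns how many were affected."""
    if not agent_ids:
        return 0
    r = t("POST", f"{console}/web/api/v2.1/agents/actions/initiate-scan", headers=hdr,
          json={"filter": {"ids": agent_ids}})
    return int(r["data"]["affected"])

def handle_slash_command(t: Transport, console: str, s1_token: str, signing_secret: str,
                         site_ids: List[str], slack_headers: Dict[str, str], raw_body: str,
                         affected_agent_ids: List[str], now: Optional[float] = None) -> Dict[str, Any]:
    if not verify_slack_signature(signing_secret, slack_headers.get("X-Slack-Request-Timestamp", ""),
                                  raw_body, slack_headers.get("X-Slack-Signature", ""), now):
        return {"ok": False, "error": "request is not from Slack"}   # reject before parsing
    form = parse_qs(raw_body)
    try:
        os_type, sha1 = parse_command(form.get("text", [""])[0])
    except ValueError as e:
        return {"ok": False, "error": str(e)}
    hdr = {"Authorization": f"ApiToken {s1_token}"}
    created = ensure_blocklisted(t, console, hdr, os_type, sha1, site_ids, form.get("user_id", ["?"])[0])
    return {"ok": True, "sha1": sha1, "osType": os_type, "blocklist_created": created,
            "scans_started": full_disk_scan(t, console, hdr, affected_agent_ids)}

# ---- constructed offline transport: an in-memory blocklist stands in for the console ----
BLOCKLIST: Set[Tuple[str, str]] = set()      # (osType, sha1) pairs already restricted

def fake_transport(method: str, url: str, params=None, json=None, headers=None) -> Dict[str, Any]:
    if url.endswith("/restrictions") and method == "GET":
        key = (params["osTypes"], params["value"])
        return {"data": [{"value": key[1]}] if key in BLOCKLIST else []}
    if url.endswith("/restrictions") and method == "POST":
        BLOCKLIST.add((json["data"]["osType"], json["data"]["value"]))
        return {"data": {"id": str(len(BLOCKLIST))}}
    if url.endswith("/agents/actions/initiate-scan"):
        return {"data": {"affected": len(json["filter"]["ids"])}}
    raise ValueError(f"unexpected call {method} {url}")

if __name__ == "__main__":
    secret, ts = "example-signing-secret", str(int(time.time()))
    body = "text=windows+3395856ce81f2b7382dee72602f798b642f14140&user_id=U123"   # EICAR SHA1
    hdrs = {"X-Slack-Request-Timestamp": ts, "X-Slack-Signature": sign_for_slack(secret, ts, body)}
    print(handle_slash_command(fake_transport, "https://example.sentinelone.net", "s1-token",
                               secret, ["site-1"], hdrs, body, ["agent-a", "agent-b"]))
```

Two points are worth keeping even when a platform does the plumbing: the request is rejected before the command text is parsed if the signature or timestamp fails, so only Slack can trigger a blocklist change, and the hash is checked to be exactly 40 hex characters before it is used in any API filter or query string. Running the command twice shows the idempotency: the second call reports `blocklist_created: False` instead of creating a duplicate restriction.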

From there, you can search in SentinelOne’s XDR solution for the malicious files.

Enrich SentinelOne Findings With Threat Intelligence

This workflow retrieves the latest threats from SentinelOne on a schedule (say, every five minutes) and, for each threat found, retrieves the hashes of the files involved.

Then, for each file, it queries VirusTotal and Recorded Future for analysis and updates the notes on the threat in SentinelOne with the results.

You can also run a Deep Visibility query in SentinelOne for other occurrences of the same file hash and add the Deep Visibility hit count to the notes for the threat.
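The two enrichment workflows above (Intezer, and VirusTotal plus Recorded Future) share one shape: poll unresolved threats, look up each file hash, count Deep Visibility hits for that hash, and write a note back to the threat. The following is an added example of that loop in Python against the SentinelOne and VirusTotal REST APIs. It is not Torq’s code, and the endpoint paths, parameters and response field names are written from memory of the SentinelOne v2.1 and VirusTotal v3 APIs, so treat them as assumptions to check against the API reference. HTTP is behind an injectable transport, and the sample responses at the bottom are constructed so the whole thing runs offline.

```python
"""Poll unresolved SentinelOne threats, look each file hash up in VirusTotal, count the
Deep Visibility events that carry the same hash, and write the result back as a note.

Added example, not Torq's or SentinelOne's code. Endpoint paths, parameters and response
fields follow the SentinelOne Management API v2.1 and VirusTotal API v3 as the author
recalls them: treat them as assumptions. Verdict thresholds are a local policy choice.
All HTTP goes through a `transport` callable so the pipeline runs offline.
"""
import re
import time
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
Transport = Callable[..., Dict[str, Any]]   # transport(method, url, params=, json=, headers=)
NOTES: List[Dict[str, Any]] = []             # notes the fake transport received, for inspection

@dataclass
class Enrichment:
    threat_id: str
    sha1: str
    vt_malicious: Optional[int]   # None when VirusTotal has never seen the hash
    dv_hits: int                  # Deep Visibility events with this hash in the window
    verdict: str                  # malicious | suspicious | clean | unknown

def classify(stats: Optional[Dict[str, int]]) -> str:
    if not stats:
        return "unknown"
    bad = stats.get("malicious", 0)
    return "malicious" if bad >= 5 else "suspicious" if bad >= 1 else "clean"

def vt_stats(t: Transport, api_key: str, sha1: str) -> Optional[Dict[str, int]]:
    r = t("GET", f"https://www.virustotal.com/api/v3/files/{sha1}", headers={"x-apikey": api_key})
    return r.get("data", {}).get("attributes", {}).get("last_analysis_stats")   # absent on 404

def dv_hit_count(t: Transport, console: str, hdr: Dict[str, str], sha1: str,
                 from_iso: str, to_iso: str, sleep=time.sleep) -> int:
    # The query is built by string interpolation, so the caller has already checked
    # sha1 against SHA1_RE: nothing but 40 hex characters ever reaches this line.
    q = t("POST", f"{console}/web/api/v2.1/dv/init-query", headers=hdr,
          json={"query": f'FileSHA1 = "{sha1}"', "fromDate": from_iso, "toDate": to_iso})
    qid = q["data"]["queryId"]
    for _ in range(30):                        # DV queries are asynchronous; wait, but not forever
        s = t("GET", f"{console}/web/api/v2.1/dv/query-status", headers=hdr, params={"queryId": qid})
        if s["data"]["responseState"] == "FINISHED":
            break
        sleep(2)
    else:
        raise TimeoutError(f"Deep Visibility query {qid} did not finish")
    ev = t("GET", f"{console}/web/api/v2.1/dv/events", headers=hdr, params={"queryId": qid, "limit": 1})
    return int(ev["pagination"]["totalItems"])

def enrich_unresolved_threats(t: Transport, console: str, s1_token: str, vt_key: str,
                              since_iso: str, now_iso: str, sleep=time.sleep) -> List[Enrichment]:
    hdr = {"Authorization": f"ApiToken {s1_token}"}
    threats = t("GET", f"{console}/web/api/v2.1/threats", headers=hdr,
                params={"resolved": "false", "createdAt__gte": since_iso, "limit": 100})["data"]
    out: List[Enrichment] = []
    for th in threats:
        sha1 = (th.get("threatInfo", {}).get("sha1") or "").lower()
        if not SHA1_RE.fullmatch(sha1):
            continue                           # e.g. a behavioural detection with no file hash
        stats = vt_stats(t, vt_key, sha1)
        hits = dv_hit_count(t, console, hdr, sha1, since_iso, now_iso, sleep)
        verdict = classify(stats)
        vt_part = (f"VirusTotal: {stats['malicious']}/{sum(stats.values())} engines flag it"
                   if stats else "VirusTotal: hash not found")
        note = f"[auto-enrich] SHA1 {sha1}. {vt_part}. Deep Visibility events since {since_iso}: {hits}. Verdict: {verdict}"
        t("POST", f"{console}/web/api/v2.1/threats/notes", headers=hdr,
          json={"data": {"text": note}, "filter": {"ids": [th["id"]]}})
        out.append(Enrichment(th["id"], sha1, stats["malicious"] if stats else None, hits, verdict))
    return out

# ---- constructed sample responses so the whole pipeline runs offline ----------------
EICAR_SHA1 = "3395856ce81f2b7382dee72602f798b642f14140"   # SHA1 of the EICAR test file
UNSEEN_SHA1 = "0123456789abcdef0123456789abcdef01234567"   # made up; "unknown" to VirusTotal

def fake_transport(method: str, url: str, params=None, json=None, headers=None) -> Dict[str, Any]:
    if url.endswith("/threats"):
        return {"data": [{"id": "T1", "threatInfo": {"sha1": EICAR_SHA1}},
                         {"id": "T2", "threatInfo": {"sha1": UNSEEN_SHA1}},
                         {"id": "T3", "threatInfo": {"sha1": None}}]}    # behavioural, no hash
    if "virustotal.com" in url:
        if url.endswith(EICAR_SHA1):
            return {"data": {"attributes": {"last_analysis_stats": {"malicious": 61, "undetected": 5}}}}
        return {"error": {"code": "NotFoundError"}}                       # VirusTotal's 404 body
    if url.endswith("/dv/init-query"):
        return {"data": {"queryId": "q-" + json["query"][-41:-1]}}       # echo the hash back
    if url.endswith("/dv/query-status"):
        return {"data": {"responseState": "FINISHED"}}
    if url.endswith("/dv/events"):
        return {"data": [], "pagination": {"totalItems": 3 if EICAR_SHA1 in params["queryId"] else 1}}
    if url.endswith("/threats/notes"):
        NOTES.append(json)
        return {"data": {"affected": 1}}
    raise ValueError(f"unexpected call {method} {url}")

if __name__ == "__main__":
    print(*enrich_unresolved_threats(fake_transport, "https://example.sentinelone.net", "s1-token", "vt-key",
                                     "2024-05-01T00:00:00Z", "2024-05-02T00:00:00Z", sleep=lambda _s: None), sep="\n")
```

Running it prints one Enrichment per hashed threat; the third sample threat carries no file hash and is skipped rather than turned into a malformed query. Two habits carry over to any version of this loop: keep the wait on the asynchronous Deep Visibility query bounded, and keep the hash check ahead of building the query string, because the Deep Visibility query language is interpolated text and the only thing that should ever reach it is a validated hash.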

Those are just three of the myriad integrations Torq offers with SentinelOne for autonomous incident response. Stay tuned for more installments of our Hyperautomation Cheat Codes series where we’ll examine more integrations and automations with other key partners to help you level up your cybersecurity.

Ready to see Torq in action? Click here to get a demo.