SentinelOne

Hi team!

I just started using InsightConnect and the first workflow I am trying to develop is directly related to SentinelOne. I’ve seen the post made in the past regarding “Get Threats” but unfortunately it did not really help me.

I was able to set up the trigger and it is running without errors, but I am not able to get the data as desired.

I am trying to understand how I can set up this workflow to get specific data based on the ThreatName so we can create procedures for the next steps for that same threat.

So in practical terms I want all new threats named (e.g.) shove.exe to be populated and, with the next action step, change the status to Resolved.

So far I’ve also used the SentinelOne plugin by setting “Get Threat Summary”, but it is retrieving an immense output (big file).

Isn’t the trigger supposed to get the threats? How can I selectively set which variables are populated in the output?

Thanks in advance,
//Bruno

The SentinelOne trigger will capture all of your threats. If you are only wanting to perform automation for a specific threat you would need a decision step that checks to see if the Threat Name matches whatever you are looking for.

[Screenshot 2024-05-08 at 12.38.20 PM]

The decision step could have two paths. For simplicity I chose Yes and No. I set the default path to No and defined the logic for Yes as seen in the screenshot below:

[Screenshot 2024-05-08 at 12.38.45 PM]

If you open the variable picker (the blue + icon) you have a list of variables to choose from. Type “name” and you can see all the variables that contain the word “name”. If the title is what you want as your filtering criterion, you can try threatName.

To then update the threat to resolved if it matches that criteria, you would choose the appropriate SentinelOne steps needed to update the threat. I believe before you can resolve an incident you have to update the analyst verdict. So you need two additional steps. Update Analyst Verdict, then Update Incident Status.

Those steps require Incident ID as an array so that you can close out more than one incident at a time, but the trigger outputs Incident ID as a string, so you will need to put your variable inside square brackets and quotation marks: [""].

[Screenshot 2024-05-08 at 12.52.49 PM]

[Screenshot 2024-05-08 at 12.56.31 PM]

This is a very basic workflow for what you are looking for. Feel free to download, import, and modify it to better suit your needs. I created a parameter for Threat Name. If you know the exact title you want to match on, you can use that parameter to input it into the decision step.
Attachment: SentinelOne Threats.icon (42.4 KB)
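The three-step logic described in the answer above (decision on threatName, then Update Analyst Verdict, then Update Incident Status), written out as an added plain-Python model so the string-versus-array detail for the incident ID can be seen end to end. This is not InsightConnect code, not the SentinelOne plugin, and not the attached workflow: the trigger payload shape (a `threat` object with `id` and `threatName`), the verdict/status values, and the two API endpoint paths are all assumptions made for the illustration.

```python
"""Added illustration: model of the InsightConnect workflow from the answer.

Not the plugin's code. Field names, verdict/status values and endpoint paths
are assumptions; the SentinelOne API calls themselves are only recorded, never sent.
"""
import json

# Assumed endpoint paths for the two follow-up steps (illustration only).
ANALYST_VERDICT_PATH = "/web/api/v2.1/threats/analyst-verdict"
INCIDENT_STATUS_PATH = "/web/api/v2.1/threats/incident"

# Constructed sample of what the trigger emits, one event per threat.
# Note the id is a plain string, which is the detail the answer warns about.
SAMPLE_TRIGGER_EVENTS = [
    {"threat": {"id": "1001", "threatName": "shove.exe", "fileExtensionType": "Executable"}},
    {"threat": {"id": "1002", "threatName": "notepad.exe", "fileExtensionType": "Executable"}},
    {"threat": {"id": "1003", "threatName": "shove.exe", "fileExtensionType": "Executable"}},
]


def decision_matches(event, threat_name):
    """Decision step: take the 'Yes' path only when threatName equals the parameter."""
    return event.get("threat", {}).get("threatName") == threat_name


def ids_as_array(incident_id):
    """Wrap the trigger's string id in a list, which is what typing
    ["{{...id}}"] in the step input does. Lists are passed through as strings."""
    if isinstance(incident_id, list):
        return [str(i) for i in incident_id]
    return [str(incident_id)]


def check_step_input(body):
    """Failure mode from the answer: a bare string where the step wants an array.
    Raise instead of silently sending a body the step would reject."""
    ids = body.get("filter", {}).get("ids")
    if not isinstance(ids, list) or not all(isinstance(i, str) for i in ids):
        raise TypeError("filter.ids must be a list of strings, got %r" % (ids,))
    return body


def build_update_bodies(incident_id, verdict="true_positive", status="resolved"):
    """Bodies for the two steps in the order the answer gives: verdict first, then status."""
    ids = ids_as_array(incident_id)
    verdict_body = check_step_input({"filter": {"ids": ids}, "data": {"analystVerdict": verdict}})
    status_body = check_step_input({"filter": {"ids": ids}, "data": {"incidentStatus": status}})
    return [
        {"step": "Update Analyst Verdict", "path": ANALYST_VERDICT_PATH, "body": verdict_body},
        {"step": "Update Incident Status", "path": INCIDENT_STATUS_PATH, "body": status_body},
    ]


def run_workflow(events, threat_name, verdict="true_positive", status="resolved"):
    """Run every trigger event through the decision; matches produce two recorded
    calls each, non-matches take the default 'No' path and produce nothing."""
    calls = []
    for event in events:
        if not decision_matches(event, threat_name):
            continue
        calls.extend(build_update_bodies(event["threat"]["id"], verdict, status))
    return calls


if __name__ == "__main__":
    for call in run_workflow(SAMPLE_TRIGGER_EVENTS, "shove.exe"):
        print(call["step"], call["path"], json.dumps(call["body"]))
```

Running the block shows four recorded calls: a verdict update and a status update for each of the two shove.exe events, each carrying `"ids": ["1001"]` or `"ids": ["1003"]` rather than the bare string. Passing the id without the brackets trips `check_step_input`, which is the same mismatch the step input would reject.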

Thanks a lot for your help, it was very helpful! And I highly appreciate the extensive response.

My main question was more about the setup of the trigger itself, and perhaps my issue resides in that specific step. As set up in the “Decision Path”, you state [threat].[threatName]:

Please bear in mind that this is very new to me, so excuse my ignorance. When creating the workflow from scratch and selecting the SentinelOne plugin, it shows “Get Threats” and the following options:

[image]

When testing the workflow there are no output results, and I know that the specific threat I am looking up is present in my SentinelOne console threat log. Even using more than one condition, such as (e.g.) {{["SentinelOne Trigger"].[threat].[fileExtensionType]}} = "File extension", there are still no results.

[image]

As an experiment I set up another trigger as an “Action” using the JSON “GET Threats” from the SentinelOne API doc and selecting “Get Summary Threats”; it is actually generating results when testing the workflow, but it’s pulling ALL the data, which is around 42k results.

So I wonder, am I supposed to get any output results in the trigger itself, or would the data solely be populated in the next step, “Create Decision”? And if so, and working exactly from your example, would you suggest that the issue is in the API call itself?

Once again, thanks for the help.