# SentinelOne Connector
## Overview

The SentinelOne connector enables automated interaction with SentinelOne's endpoint protection capabilities, facilitating real-time threat detection and response. SentinelOne delivers autonomous endpoint protection through a single agent that successfully prevents, detects, responds to, and hunts attacks across all major vectors. The SentinelOne Turbine connector for Swimlane Turbine enables security teams to automate threat detection and response actions, such as adding notes to threats, broadcasting messages to agents, and managing blacklist items. By integrating with SentinelOne, users can streamline their security operations, reduce response times, and enhance their overall security posture within the Swimlane Turbine platform.

## Purpose of the Use Case

### Use Case Overview

The "Ransomware Detection and Response" playbook is designed to automatically detect, contain, and respond to ransomware threats detected by SentinelOne. By isolating the infected endpoint, notifying IT teams, and coordinating further scans and updates, this playbook minimizes the spread of ransomware and speeds up remediation.

### Objective

Protect the network by rapidly responding to ransomware alerts, reducing the risk of infection spreading to other systems, and ensuring prompt remediation and documentation.

## Playbook Workflow Explanation

### Step 1: Webhook – SentinelOne Alert

- Description: The playbook is initiated when a ransomware alert is generated by SentinelOne, which sends the alert data to Swimlane through a webhook.
- Purpose: Serves as the entry point for the playbook, ensuring that the response is triggered immediately upon detection.
- Configuration Notes: Configure the webhook to capture key alert details such as the affected endpoint, malware type, and threat level.

### Step 2: Enrichment – IOC Search (Swimlane Integration)

- Description: Swimlane performs an IOC (Indicator of Compromise) search through integrated threat intelligence sources to validate the ransomware signature and enrich the alert with additional context.
- Purpose: Provides more information on the threat, such as associated IPs, file hashes, or domains, aiding in assessing the threat level and response.
- Configuration Notes: Integrate external threat intelligence feeds within Swimlane to enhance enrichment accuracy and relevance.

### Step 3: Condition – If Malicious

- Description: This condition checks whether the ransomware alert is confirmed to be malicious based on the enrichment data.
- Purpose: Ensures the playbook only proceeds with containment actions if the threat is verified, minimizing false positives.
- Configuration Notes: Set criteria based on threat intelligence scoring or specific indicators confirming malicious activity.

### Step 4a: True Path – Create Incident (ServiceNow)

- Description: Swimlane creates a new incident in ServiceNow to document the ransomware event and all subsequent actions.
- Purpose: Logs the incident for audit and reporting purposes, ensuring that all actions taken are recorded in the case.
- Configuration Notes: Customize incident fields to capture details such as endpoint information, threat level, and timestamps of actions taken.

### Step 5: Isolate Endpoint (SentinelOne)

- Description: Swimlane instructs SentinelOne to isolate the affected endpoint, disconnecting it from the network to prevent lateral spread.
- Purpose: Contains the ransomware by isolating the endpoint, reducing the risk of infection spreading to other devices.
- Configuration Notes: Configure isolation options in SentinelOne to ensure that all necessary network connections are blocked.

### Step 6: Notify IT (Slack or Teams)

- Description: Swimlane sends an alert to the IT team via Slack or Microsoft Teams, informing them of the endpoint isolation and providing details of the ransomware incident.
- Purpose: Keeps the IT team informed of containment actions, ensuring they are aware and can assist as needed.
- Configuration Notes: Customize the notification to include a summary of the incident, isolation status, and contact information for escalation.

### Step 7: Initiate Scan (SentinelOne)

- Description: Swimlane triggers a full scan on the isolated endpoint through SentinelOne to detect and remove any remaining threats.
- Purpose: Ensures that any remnants of the ransomware or additional malware are removed from the infected endpoint.
- Configuration Notes: Schedule the scan to run immediately, prioritizing thoroughness to confirm the endpoint is clean before reintegration.

### Step 8: Update Security Incident (ServiceNow)

- Description: After the scan, Swimlane updates the incident in ServiceNow with the scan results, including any findings or confirmation that the endpoint is secure.
- Purpose: Completes the incident record with the final scan results, ensuring comprehensive documentation of the ransomware response.
- Configuration Notes: Ensure all relevant data is added, such as the date and time of the scan, findings, and confirmation of remediation.

## Prerequisites

API key authentication:

- URL: Endpoint URL for the SentinelOne Management API.
- API Token: A valid API token from SentinelOne to authenticate requests.

### Obtaining an API Token

1. Navigate to the SentinelOne portal.
2. Select your user in the upper right corner of the menu.
3. Select the menu by your user account name, then select My User. A modal will pop up displaying your account information.
4. Select Generate to generate a new API token and copy the value into the Swimlane asset.

## Capabilities

The SentinelOne integration provides the following capabilities:

- Add Threat Note
- Broadcast Message
- Connect Agents
- Create Blacklist Item
- Create Exclusion
- Create Power Query and Get Query ID
- Deep Visibility Create Query and Get Query ID
- Deep Visibility Get Events by Query ID
- Delete Blocklist Item
- Delete Threat Note
- Disconnect Agents
- Download From Cloud
- Fetch Files
- Fetch Threat File
- Get Activities
- Get Agent Applications
- Get Agents
- Get Alerts
- Get Blocklist Items
- Get Groups
- Get Hash
- Get Rogues Settings
- Get Sites
- Get Threat Analysis
- Get Threat Appearances
- Get Threat Events
- Get Threat Notes
- Get Threat Timeline
- Get Threats
- Initiate Scan
- Mitigate Threats
- New Firewall Rule
- Ping a Power Query
- Update Alert Analyst Verdict
- Update Alert Incident
- Update Threat Analyst Verdict
- Update Threat External Ticket ID
- Update Threat Incident
- Update Threat Note

### Initiate Scan Action

Full Disk Scan finds dormant suspicious activity, threats, and compliance violations, which are then mitigated according to the policy. It scans the local file system. Full Disk Scan does not inspect drives that require user credentials (such as network drives) or external drives. Full Disk Scan does not work on hashes: it does not check each file against the blacklist. If the Static AI determines a file is suspicious, the agent calculates its hash and checks whether the hash is in the blacklist. If a file is executed, all aspects of the process are inspected, including hash-based analysis and blacklist checks. Full Disk Scan can run when the endpoint is offline, but when it is connected to the Management, it can use the most up-to-date cloud data to improve detection.

### Create Firewall Rule

To keep it simple for the user, this action currently only supports adding remote hosts to a firewall rule. Should this action need to be expanded to support other rule types, please contact Swimlane support.

### About Deep Visibility Queries

For complete query syntax, see Query Syntax in the Knowledge Base (https://support.sentinelone.com) or the Console help.

## Notes

The API documentation can be found on your SentinelOne instance by doing the following:

1. Select the arrow next to your user in the top right of the navigation bar.
2. Select API Doc, and a new tab with the API documentation will open.

This connector was last tested against product version API v2.1.
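The gating and containment logic of the playbook described above (the step 3 condition, the step 5 isolation and the step 7 scan), as an added example that is not part of the original page nor Swimlane's or SentinelOne's code. It is a dry run: the client builds the Management API v2.1 requests the connector would send but does not transmit them, the alert is a constructed stand-in for the webhook payload, and the endpoint paths and the `ApiToken` header scheme are this example's assumptions to verify against the API Doc page of your own instance.

```python
# Added example (not Swimlane's or SentinelOne's code): dry run of steps 3, 5
# and 7 of the playbook above. The enrichment verdict gates containment, and each
# SentinelOne call is rendered as the HTTP request the connector would send.
# Assumed: API v2.1 paths and the "ApiToken" header scheme; verify against the
# API Doc page of your own instance before relying on them.
from dataclasses import dataclass, field

# Constructed alert payload, shaped like the webhook fields step 1 captures.
SAMPLE_ALERT = {"agent_id": "1234567890", "malware_type": "ransomware",
                "threat_level": "high"}

def is_malicious(enrichment: dict, score_threshold: int = 70) -> bool:
    """Step 3: confirm the threat from IOC enrichment. A reputation score at or
    above the threshold, or a hash match against known-bad intel, confirms it."""
    return (enrichment.get("reputation_score", 0) >= score_threshold
            or bool(enrichment.get("hash_known_malicious", False)))

@dataclass
class S1Client:
    """Builds (but does not send) SentinelOne Management API v2.1 requests."""
    base_url: str
    api_token: str
    sent: list = field(default_factory=list)

    def _post(self, path: str, body: dict) -> dict:
        req = {"method": "POST", "url": self.base_url + path,
               "headers": {"Authorization": f"ApiToken {self.api_token}"},
               "json": body}
        self.sent.append(req)
        return req

    def disconnect_agent(self, agent_id: str) -> dict:  # step 5: isolate
        return self._post("/web/api/v2.1/agents/actions/disconnect",
                          {"filter": {"ids": [agent_id]}})

    def initiate_scan(self, agent_id: str) -> dict:  # step 7: full disk scan
        return self._post("/web/api/v2.1/agents/actions/initiate-scan",
                          {"filter": {"ids": [agent_id]}})

def run_playbook(alert: dict, enrichment: dict, client: S1Client) -> list:
    """Return the ordered steps taken; containment only runs on the true path."""
    steps = ["webhook", "enrichment"]
    if not is_malicious(enrichment):
        return steps + ["condition:not_malicious"]  # false path: no containment
    steps += ["condition:malicious", "create_incident"]  # ServiceNow, not modelled
    client.disconnect_agent(alert["agent_id"])
    steps += ["isolate_endpoint", "notify_it"]  # Slack/Teams, not modelled
    client.initiate_scan(alert["agent_id"])
    return steps + ["initiate_scan", "update_incident"]
```

Inspecting `client.sent` after a run shows exactly which containment requests an alert would trigger, which is a useful check of the step 3 criteria before wiring the playbook to live agents.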