Hi Galin
The SentinelOne app polls for threats using the threat endpoint in SentinelOne and creates incidents. When an incident is created in SOAR, some artifacts are created from the threat. Also, when the incident is created, a data table with information on the agent is created, and from there you can perform the functions on the agent like shutdown, scan disk, etc.
To test the app I opened a malware sample on the agent which caused the incident to escalate to SOAR.
There should be a README in the app.zip... here is a pointer to it in the public GitHub:
https://github.com/ibmresilient/resilient-community-apps/tree/master/fn_sentinelone
Let me know if you have any more questions.
AnnMarie
------------------------------
AnnMarie Norcross
------------------------------
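To make the flow described in the reply above concrete (poll threats, create an incident with artifacts and an agent data-table row, then use the row's agent ID as the target of an agent action), here is an added example that is not code from the fn_sentinelone app or from the poster. The threat field names (threatInfo.threatId, agentRealtimeInfo.agentId, and so on) are assumptions modelled on SentinelOne's threat JSON, the artifact type names are assumptions, and SAMPLE_THREATS is a constructed page of results so the example runs offline with no API access.

```python
"""Added example (not the SentinelOne SOAR app's own code): a minimal poller that
turns SentinelOne-style threat records into SOAR-style incidents.

Assumptions: the field layout of each threat record and the artifact type names.
SAMPLE_THREATS is constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample of one page returned by a threats endpoint (assumed layout).
SAMPLE_THREATS = [
    {
        "threatInfo": {"threatId": "t-1001", "threatName": "EICAR-Test-File",
                       "sha1": "3395856ce81f2b7382dee72602f798b642f14140",
                       "filePath": "C:\\Users\\lab\\eicar.com",
                       "createdAt": "2022-04-28T15:00:00Z"},
        "agentRealtimeInfo": {"agentId": "a-42", "agentComputerName": "LAB-WS01",
                              "agentOsType": "windows", "agentVersion": "21.7.4"},
    },
    {
        "threatInfo": {"threatId": "t-1002", "threatName": "Suspicious.Script",
                       "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
                       "filePath": "/tmp/drop.sh",
                       "createdAt": "2022-04-28T15:05:00Z"},
        "agentRealtimeInfo": {"agentId": "a-43", "agentComputerName": "LAB-SRV02",
                              "agentOsType": "linux", "agentVersion": "21.7.4"},
    },
]


@dataclass
class Incident:
    name: str
    artifacts: List[Dict[str, str]]   # artifacts derived from the threat
    agent_row: Dict[str, str]         # the agent data-table row


def threat_to_incident(t: dict) -> Incident:
    """Map one threat record to an incident, its artifacts and its agent row."""
    info, agent = t["threatInfo"], t["agentRealtimeInfo"]
    artifacts = [
        {"type": "Malware SHA-1 Hash", "value": info["sha1"]},   # assumed type name
        {"type": "File Path", "value": info["filePath"]},
        {"type": "System Name", "value": agent["agentComputerName"]},
    ]
    agent_row = {
        "agent_id": agent["agentId"],          # what agent actions are keyed on
        "computer_name": agent["agentComputerName"],
        "os_type": agent["agentOsType"],
        "agent_version": agent["agentVersion"],
        "threat_id": info["threatId"],
    }
    name = f"SentinelOne threat: {info['threatName']} on {agent['agentComputerName']}"
    return Incident(name=name, artifacts=artifacts, agent_row=agent_row)


@dataclass
class Poller:
    """Tracks threat IDs already escalated so repeated polls do not duplicate incidents."""
    seen: Set[str] = field(default_factory=set)
    incidents: List[Incident] = field(default_factory=list)

    def poll(self, threats: List[dict]) -> List[Incident]:
        """Process one page of threat records; return the incidents created this poll."""
        created = []
        for t in threats:
            tid = t["threatInfo"]["threatId"]
            if tid in self.seen:
                continue
            self.seen.add(tid)
            inc = threat_to_incident(t)
            self.incidents.append(inc)
            created.append(inc)
        return created


def build_agent_action(inc: Incident, action: str) -> Dict[str, str]:
    """Build the request an agent action (shutdown, disconnect, scan disk...) would be
    keyed on: the agent ID comes from the incident's data-table row, not from user input."""
    allowed = {"shutdown", "restart", "disconnect", "scan_disk"}   # assumed action names
    if action not in allowed:
        raise ValueError(f"unsupported agent action: {action}")
    return {"action": action, "agent_id": inc.agent_row["agent_id"]}


if __name__ == "__main__":
    poller = Poller()
    for inc in poller.poll(SAMPLE_THREATS):
        print(inc.name, "->", build_agent_action(inc, "scan_disk"))
    print("second poll created", len(poller.poll(SAMPLE_THREATS)), "incidents")
```

The point of the data-table row is the one the original question asks about: once the app has created the incident, the agent ID is already on the row, so a workflow running a shutdown or restart reads it from there rather than having you "set" it by hand.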
Original Message:
Sent: Thu April 28, 2022 03:15 PM
From: Galin Gospodinov
Subject: QRadar SOAR integration with SentinelOne EDR
Hello community,
I'm a newbie with QRadar SOAR and I have some questions. I made an integration between SOAR and SentinelOne EDR using the application from the App Exchange portal. I want to try simple workflows such as shutdown agent or restart, but I don't know how to "set" the agent ID in SOAR. I can't find information (guides, videos, tuts) about this integration.
I would appreciate it if someone shared their experience with this.
Thank you.
------------------------------
Galin Gospodinov
------------------------------