IBM Security QRadar SOAR

  • 1.  QRadar SOAR integration with SentinelOne EDR

    Posted Thu April 28, 2022 05:09 PM
    Hello community, 

    I'm a newbie with QRadar SOAR and I have some questions. I made an integration between SOAR and SentinelOne EDR using the application from the App Exchange portal. I want to try simple workflows such as shutting down or restarting an agent, but I don't know how to "set" the agent ID in SOAR. I can't find information (guides, videos, tutorials) about this integration.
    I would appreciate it if someone shared their experience with this.

    Thank you.

    ------------------------------
    Galin Gospodinov
    ------------------------------


  • 2.  RE: QRadar SOAR integration with SentinelOne EDR

    Posted Tue May 03, 2022 08:55 AM
    Hi Galin

    The SentinelOne app polls for threats using the threat endpoint in SentinelOne and creates incidents. When an incident is created in SOAR, some artifacts are created from the threat. Also, when the incident is created, a data table with information on the agent is created, and from there you can perform the functions on the agent like shutdown, scan disk, etc.

    To test the app I opened a malware sample on the agent which caused the incident to escalate to SOAR.

    There should be a README in the app.zip... here is a pointer to it in the public GitHub: https://github.com/ibmresilient/resilient-community-apps/tree/master/fn_sentinelone .

    Let me know if you have any more questions.

    AnnMarie


    ------------------------------
    AnnMarie Norcross
    ------------------------------
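The polling design described in the reply above (poll the threats endpoint, create an incident per threat, derive artifacts and an agent data-table row), written out as an added example. This is not the fn_sentinelone app's code and not part of the thread. The endpoint path, the `createdAt__gt` / `cursor` / `limit` query parameters and the response layout follow the SentinelOne v2.1 management API as assumed here; the SOAR artifact type names are assumed; the threat records and the in-memory server are constructed so the block runs offline. The poller de-duplicates on threat id rather than agent, advances a `createdAt` high-water mark only after a record is processed, walks every page of a response, and keeps a debug log of what each REST call returned, which is what you would want to read when incidents stop arriving.

```python
"""Added example: SentinelOne-style threat poller feeding SOAR incidents.
Not the fn_sentinelone app's code; API shape and artifact types are assumptions,
sample threats and the FakeSentinelOne server are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

THREATS_PATH = "/web/api/v2.1/threats"  # assumed v2.1 threats endpoint


@dataclass
class PollerState:
    """What must survive between polling cycles."""
    seen_threat_ids: set = field(default_factory=set)
    last_created_at: Optional[str] = None   # ISO-8601 UTC, compared as strings
    debug_log: List[str] = field(default_factory=list)  # what each REST call returned


def incident_from_threat(threat: Dict) -> Dict:
    """Map one threat record to an incident, its artifacts and an agent-table row.
    Artifact type names are assumed SOAR types, not taken from the app."""
    info, agent = threat["threatInfo"], threat["agentRealtimeInfo"]
    return {
        "name": f"SentinelOne: {info['threatName']} on {agent['agentComputerName']}",
        "artifacts": [
            {"type": "Malware SHA-256 Hash", "value": info["sha256"]},
            {"type": "System Name", "value": agent["agentComputerName"]},
        ],
        "agent_table_row": {"agent_id": agent["agentId"],
                            "computer_name": agent["agentComputerName"],
                            "threat_id": threat["id"]},
    }


def poll_once(fetch: Callable[[str, Dict], Dict], state: PollerState,
              page_size: int = 100) -> List[Dict]:
    """One polling cycle. `fetch(path, params)` returns one parsed JSON page shaped
    like {"data": [...], "pagination": {"nextCursor": ...}} (assumed layout).
    Every page is consumed, so a burst larger than one page is not truncated."""
    params: Dict = {"limit": page_size, "sortBy": "createdAt", "sortOrder": "asc"}
    if state.last_created_at:
        params["createdAt__gt"] = state.last_created_at
    incidents: List[Dict] = []
    while True:
        page = fetch(THREATS_PATH, dict(params))
        data = page.get("data", [])
        cursor = page.get("pagination", {}).get("nextCursor")
        state.debug_log.append(
            f"GET {THREATS_PATH} {params} -> {len(data)} threats, nextCursor={cursor}")
        for threat in data:
            if threat["id"] in state.seen_threat_ids:   # dedupe on threat, not agent
                continue
            state.seen_threat_ids.add(threat["id"])
            incidents.append(incident_from_threat(threat))
            created = threat["threatInfo"]["createdAt"]
            if state.last_created_at is None or created > state.last_created_at:
                state.last_created_at = created   # advance only after processing
        if not cursor:
            return incidents
        params["cursor"] = cursor


def _threat(tid: str, name: str, agent_id: str, host: str, created: str) -> Dict:
    """Build a constructed threat record with a placeholder hash."""
    return {"id": tid,
            "threatInfo": {"threatName": name, "sha256": "ab" * 32, "createdAt": created},
            "agentRealtimeInfo": {"agentId": agent_id, "agentComputerName": host}}


# Constructed sample data: two agents, as in the thread; not real detections.
SAMPLE_THREATS = [
    _threat("t-1001", "EICAR-Test-File", "a-1", "agent-1", "2022-05-03T08:00:00.000000Z"),
    _threat("t-1002", "EICAR-Test-File", "a-2", "agent-2", "2022-05-03T08:05:00.000000Z"),
    _threat("t-1003", "Sample-B", "a-1", "agent-1", "2022-05-03T08:10:00.000000Z"),
]


class FakeSentinelOne:
    """Constructed stand-in for the management API: honours createdAt__gt and
    pages with an integer offset encoded as the cursor."""
    def __init__(self, threats: List[Dict]):
        self.threats = list(threats)

    def fetch(self, path: str, params: Dict) -> Dict:
        assert path == THREATS_PATH, path
        rows = sorted(self.threats, key=lambda t: t["threatInfo"]["createdAt"])
        if "createdAt__gt" in params:
            rows = [t for t in rows if t["threatInfo"]["createdAt"] > params["createdAt__gt"]]
        start, end = int(params.get("cursor", 0)), int(params.get("cursor", 0)) + int(params["limit"])
        return {"data": rows[start:end],
                "pagination": {"nextCursor": str(end) if end < len(rows) else None,
                               "totalItems": len(rows)}}


def run_demo() -> List[int]:
    """Three cycles: two threats present, then a third appears, then nothing new."""
    server, state = FakeSentinelOne(SAMPLE_THREATS[:2]), PollerState()
    counts = [len(poll_once(server.fetch, state, page_size=1))]     # 2, over two pages
    server.threats.append(SAMPLE_THREATS[2])                        # agent-1 fires again
    counts.append(len(poll_once(server.fetch, state, page_size=1)))  # 1
    counts.append(len(poll_once(server.fetch, state, page_size=1)))  # 0
    return counts


if __name__ == "__main__":
    print(run_demo())
```

The `debug_log` entries are the same thing the later suggestion of `loglevel = DEBUG` is after: for every cycle you can see the filter that was sent and how many threats came back, which separates "SentinelOne returned nothing" from "the app dropped what it received".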



  • 3.  RE: QRadar SOAR integration with SentinelOne EDR

    Posted Tue May 03, 2022 09:29 AM
    Hi Ann,

    I did everything step-by-step that you wrote in your post and we received an incident in SOAR (Thank you!), but only one time. After that we stopped receiving incidents from SentinelOne, but everything works fine: the App is "Ready for Use", SOAR is working.

    What could the problem be?

    Thank you.

    ------------------------------
    Galin Gospodinov
    ------------------------------



  • 4.  RE: QRadar SOAR integration with SentinelOne EDR

    Posted Tue May 03, 2022 09:52 AM
    So you open malware multiple times on the same agent, but you only see 1 incident show up in SOAR?

    Can you download the logs and see if there are any errors?

    AnnMarie

    ------------------------------
    AnnMarie Norcross
    ------------------------------



  • 5.  RE: QRadar SOAR integration with SentinelOne EDR

    Posted Tue May 03, 2022 10:01 AM
    I have two agents (agent-1, agent-2). First I tried with agent-1 and I received an incident in SOAR. After that I tried with agent-2 and didn't receive an incident, so I thought that the problem was with the agent and opened different malware on agent-1, and didn't receive an incident.

    There are no errors in the logs. The status is "Ready for Use", and the test configuration is successful.


    ------------------------------
    Galin Gospodinov
    ------------------------------



  • 6.  RE: QRadar SOAR integration with SentinelOne EDR

    Posted Tue May 03, 2022 10:13 AM
    Can you put the following line in the app.config at the bottom and restart:

    loglevel = DEBUG

    Maybe more information will show up in the log file?
    I would need to look at the logs to see what is coming back from SentinelOne REST API calls.

    AnnMarie

    ------------------------------
    AnnMarie Norcross
    ------------------------------