TracecatHQ / tracecat

The open source Tines / Splunk SOAR alternative.
https://tracecat.com
GNU Affero General Public License v3.0

Add new SentinelOne actions: lookup by username, hostname, isolate, unisolate #263

Closed mattdurant closed 1 month ago

mattdurant commented 1 month ago

Description

This adds additional actions to the existing Sentinel One integration:

These are common response actions for an EDR product; as an example, based on an alert, you could look up a hostname or username to find which machines they are active on, then isolate those, which would block all connections except the communication channel that the EDR tool uses to communicate with its control plane.

Related Tickets & Documents

No open issues for this

Screenshots/Recordings

N/A

Steps to QA

I tested this by creating a workflow that looked up an agent, performed an isolation, and then performed an unisolation and confirmed in Sentinel One that all actions took place correctly.

[optional] What gif best describes this PR?
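The lookup-then-isolate flow described in the PR, as an added example that is not tracecat's or the PR's own code. The SentinelOne Management API v2.1 paths (`/web/api/v2.1/agents`, `.../agents/actions/disconnect`, `.../agents/actions/connect`), the `computerName__contains` / `lastLoggedInUserName__contains` filters and the `{"filter": {"ids": [...]}}` body shape are assumptions taken from the public API documentation, not from this page; the HTTP layer is a constructed in-memory stub so the flow runs offline.

```python
# Added example: hostname/username lookup, isolate, unisolate against a stubbed
# SentinelOne console. Endpoint paths and filter names are assumptions (public
# API v2.1 docs); FAKE_AGENTS is constructed sample data, not real hosts.
from typing import Callable, Dict, List, Optional, Tuple

Http = Callable[[str, str, Optional[dict], Optional[dict]], dict]


class S1Client:
    """Thin wrapper over the agents endpoints; http(method, path, params, body)."""

    def __init__(self, http: Http):
        self.http = http

    def lookup_agents(self, hostname: str = "", username: str = "") -> List[dict]:
        params: Dict[str, str] = {"isActive": "true"}
        if hostname:
            params["computerName__contains"] = hostname
        if username:
            params["lastLoggedInUserName__contains"] = username
        return self.http("GET", "/web/api/v2.1/agents", params, None)["data"]

    def _network_action(self, action: str, agent_ids: List[str]) -> int:
        body = {"filter": {"ids": agent_ids}}
        path = f"/web/api/v2.1/agents/actions/{action}"
        return self.http("POST", path, None, body)["data"]["affected"]

    def isolate(self, agent_ids: List[str]) -> int:    # "disconnect" = network isolate
        return self._network_action("disconnect", agent_ids)

    def unisolate(self, agent_ids: List[str]) -> int:  # "connect" = lift isolation
        return self._network_action("connect", agent_ids)


def isolate_hosts_for_user(client: S1Client, username: str) -> Tuple[List[str], int]:
    """Response step from the PR: find every agent the user is active on, isolate them."""
    ids = [a["id"] for a in client.lookup_agents(username=username)]
    return ids, (client.isolate(ids) if ids else 0)


FAKE_AGENTS = [  # constructed sample data
    {"id": "1001", "computerName": "WS-ALICE-01", "lastLoggedInUserName": "alice", "networkStatus": "connected"},
    {"id": "1002", "computerName": "LT-ALICE-02", "lastLoggedInUserName": "alice", "networkStatus": "connected"},
    {"id": "1003", "computerName": "WS-BOB-01", "lastLoggedInUserName": "bob", "networkStatus": "connected"},
]


def fake_http(method: str, path: str, params: Optional[dict], body: Optional[dict]) -> dict:
    """Offline stand-in for the console: case-insensitive substring filters, idempotent actions."""
    if method == "GET" and path == "/web/api/v2.1/agents":
        host = (params or {}).get("computerName__contains", "").lower()
        user = (params or {}).get("lastLoggedInUserName__contains", "").lower()
        return {"data": [a for a in FAKE_AGENTS
                         if host in a["computerName"].lower() and user in a["lastLoggedInUserName"].lower()]}
    if method == "POST" and path.endswith(("/disconnect", "/connect")):
        new = "disconnected" if path.endswith("/disconnect") else "connected"
        ids = set((body or {}).get("filter", {}).get("ids", []))
        changed = [a for a in FAKE_AGENTS if a["id"] in ids and a["networkStatus"] != new]
        for a in changed:
            a["networkStatus"] = new
        return {"data": {"affected": len(changed)}}
    raise ValueError(f"unexpected call {method} {path}")
```

Note that an isolate call against already-isolated agents reports zero affected, which is the number worth checking in a workflow before reporting success.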

mattdurant commented 1 month ago

This can't be merged yet; I didn't add the new actions to the __init__.py file in the edr directory. Will do in a minute.

mattdurant commented 1 month ago

Ready for review