
SentinelOne - Get Vulnerability Summary for Assets
This incident response workflow allows you to identify and document vulnerabilities of hosts in an incident using SentinelOne from a playbook or using an automation rule. When using this workflow in a playbook, the user selects which hosts to identify vulnerabilities for. When using this workflow with an incident automation rule, the identification is done for all targets involved in the incident.
Description
Note: This workflow will only report the first 100 vulnerabilities for a given asset.
Target: SentinelOne - v2.1
Steps:
- Detect the start type and extract the supported observables
- Check if any supported observables were found (if not, end the workflow)
- For each observable:
  - Check this observable's type:
    - If an agent ID, try to get the agent data and set the local data variable
    - If a hostname, IP address, or MAC address, update the corresponding variables and attempt to search for the agent
  - Parse the host OS details and computer name
  - Fetch the CVEs and update the workflow results
This workflow requires the following targets to be available before it can be run.
Integration targets
- SentinelOne