Why Smart SOAR is the Best SOAR for SentinelOne

D3 Security’s integration with SentinelOne offers an end-to-end solution for incident response teams. The video below shows an example of ingesting threats from SentinelOne, triaging them through Smart SOAR’s event playbook, then enriching and responding to escalated events.

Out-of-the-box, Smart SOAR users can choose from over 40 SentinelOne commands. These commands cover case management, data enrichment, incident response, and recovery.

The commands used in this demo are:

  • Fetch Event
  • Get Agent Info
  • Get Agent Applications
  • Get Sites
  • List Accounts
  • Create Query
  • Get Events
  • Block Hash
  • Disconnect Agent from Network
  • Initiate Scan
  • Mitigate Threats
  • Connect Agents to Network
  • Update Threat Incident

Triage with the Event Playbook

Smart SOAR Integration with SentinelOne - Event Playbook Overview

Once an event has been ingested from SentinelOne, the event playbook parses it to see if the threat has been mitigated by the analyst or not. If it has been mitigated, it’s automatically dismissed and no further automations are executed. If it has not been mitigated, the event playbook searches for existing, open incidents that have affected the same agent. If a match is found, it will attach the event to the existing incident. If not, it will escalate the incoming event as its own incident.

Enrichment & Response with the Incident Playbook

Smart SOAR Integration with SentinelOne - Four key stages in the playbook

The SentinelOne incident playbook has four main stages:

  1. Enrichment
  2. Correlation
  3. Eradication, and
  4. Recovery


Smart SOAR Integration with SentinelOne - Enrichment Workflow

The enrichment section uses a nested playbook that can be easily added to other playbooks. The link icon to the right of the task name shows that there is a workflow underneath. By expanding on the nested playbook we can see the commands that run behind the scenes.

Get Additional Agent Details

Smart SOAR Integration with SentinelOne - Get Additional Agent Details

This workflow searches for sites that the involved user has been active on. It also searches for accounts associated with the target device and any applications running on that device. Then, the playbook parses the results and summarizes them for the analyst to review.

Smart SOAR Integration with SentinelOne - Playbook Task Details

Agent Applications



Once the enrichment stage is done, the playbook:

  1. Searches for related events in SentinelOne using a dynamic Deep Visibility Query.
  2. Searches D3’s incident database for related incidents, and
  3. Collects user activity logs from Active Directory.

Smart SOAR Integration with SentinelOne - Correlation

Deep Visibility Query

Smart SOAR Integration with SentinelOne - Deep Visibility Query

This nested playbook creates a deep visibility query to search for related alerts in SentinelOne and adds them to the D3 incident if they’re found.

The query is built using dynamic paths that point to fields in the original alert. Here you can see we’ve created two variables. One for SrcProcName and the other for TgtProcName:

Smart SOAR Integration with SentinelOne - Deep Visibility Query code

You can see the values populated when the command is executed with real data:


Once enrichment is complete and the investigation team has reviewed the data, they can proceed with eradication.

Smart SOAR Integration with SentinelOne - Eradication workflow

The interaction task prompts the analyst to determine which remediation actions they would like to take. After marking true or false in the inputs, their response will be recorded and the correct path in the conditional tasks will trigger:

Smart SOAR Integration with SentinelOne - Playbook Task Details view

Input prompt

Smart SOAR Integration with SentinelOne - Inputs recorded by conditional tasks

Inputs recorded by conditional tasks.


Smart SOAR Integration with SentinelOne - Recovery workflow

Finally, agent information is collected to see if there are active threats found by SentinelOne. If none are found, the playbook reconnects the agent back to the network, closes the D3 incident, and closes the threat in SentinelOne for synchronicity.


D3 and SentinelOne make a powerful combination that helps users quickly find indicators of false positives, dismiss them, and run eradication activities in the devices that pose serious risks.

A typical workflow takes 60-90 minutes. With D3’s integration to SentinelOne this same workflow takes 5-10 minutes. At the same time, D3 is always updating our SentinelOne integration to keep you at the edge of what’s possible.

Social Icon
Pierre Noujeim

Pierre Noujeim is a Product Marketing Manager with a cyber security engineering background. Having implemented SOAR at enterprise organizations as well as for D3's MSSP partners, Pierre has rich and varied insight into integrations, use cases and the cyber security vendor landscape. A dedicated product marketer, Pierre represents D3 at analyst briefings, webinar workshops and industry conferences such as RSA and Black Hat.