Get Started
Back to Templates

Create Detailed Security Tickets from SentinelOne Threats with MITRE Analysis

Created by

Created by: Anna Bui || annabuiplayground

Anna Bui

Last update

Last update 5 hours ago

Categories

Share

Automatically creates comprehensive Autotask security tickets when SentinelOne detects threats, transforming basic alerts into detailed incident records with full threat intelligence, MITRE ATT&CK analysis, and proper client routing for MSPs and IT teams.

Perfect for managed service providers who need rich security incident documentation with machine details, threat classification, and automatic assignment to security analysts.

Good to know

  • SentinelOne webhooks require manual triggering from the threat console - they don't automatically fire on detection
  • Autotask API has a 3-thread limit requiring rate limiting delays between requests
  • Each threat creates one ticket with external ID linking back to SentinelOne
  • Template includes advanced MITRE ATT&CK technique extraction and priority calculation

How it works

  • Receives SentinelOne threat webhook with complete threat intelligence payload
  • Extracts and organizes machine information including computer name, OS, IP addresses, and user details
  • Processes threat details with classification, confidence level, file paths, and SHA1 hashes
  • Analyzes MITRE ATT&CK indicators to identify tactics, techniques, and attack categories
  • Maps SentinelOne site IDs to correct Autotask client company accounts
  • Calculates ticket priority based on threat classification and confidence levels
  • Creates detailed Autotask tickets with structured threat information and automatic technician assignment

How to use

  • Configure SentinelOne webhook integration in Singularity Marketplace pointing to your n8n webhook URL
  • Set up Autotask API credentials with ticket creation permissions and note resource/queue IDs
  • Update Company Mapping node with your SentinelOne site ID to Autotask company ID mappings
  • Test integration by manually triggering webhook from SentinelOne threat console

Requirements

  • SentinelOne Singularity platform with admin access for webhook configuration
  • Autotask PSA system with API access and ticket creation permissions
  • Knowledge of client site IDs from SentinelOne and corresponding company IDs from Autotask

Customising this workflow

  • Modify priority calculation logic based on your organization's threat severity standards
  • Update technician assignment rules to route different threat types to specific security analysts
  • Add custom fields to capture additional SentinelOne data points in Autotask UDFs
  • Integrate with communication tools like Slack or Teams for immediate threat notifications
  • Extend with bi-directional sync to update SentinelOne when tickets are resolved