Investigate unresolved SentinelOne Threats

In this Five-minute flow, we walk through how Tines automatically pulls unresolved SentinelOne threats on a daily schedule, deduplicates incidents, and creates detailed Jira tickets — so nothing slips through the cracks.

What You'll See

• Fetch unresolved SentinelOne threats from the last 24 hours via the SentinelOne API
• Check whether any threats exist before continuing — stopping the flow early if there's nothing to action
• Split the returned alerts into individual events for per-threat processing
• Deduplicate incidents by comparing against past events using threat name, file hash, agent ID, and file path
• Automatically create a formatted Jira ticket for each net-new threat, populated with full threat and agent details

Perfect For

• SOC analysts managing daily endpoint alerts: Teams using SentinelOne who need a consistent, automated way to track unresolved threats without manual triage
• Security engineers building detection workflows: Teams looking to reduce alert fatigue by filtering out duplicate incidents before they reach a ticketing system
• IT security teams bridging endpoint and ticketing tools: Teams that use both SentinelOne and Jira and want a reliable daily sync between the two without custom scripting

Requirements

• SentinelOne — active account with API access enabled
• Jira — active instance with a project set up (this story uses a project with the key SEC)
• Credentials:
  • ◦ sentinelone — SentinelOne API key
  • ◦ jira — Jira API key
• Resources:
  • ◦ sentinelone_server — your SentinelOne domain URL
  • ◦ jira_domain — your Jira instance domain
  • ◦ jira_username — the Jira username associated with your API key
• No prior Tines experience required