When threats make the light go blink

A tiny demo with big XDR energy

Why let alerts have all the fun?

Security teams and partners all share the same challenge:

They’re flooded with alerts, short-handed on analysts, and constantly pressured to do more with less.

SentinelOne already provides exceptional endpoint protection and rich telemetry. But the real magic comes when you can turn detection into immediate action.

In this post, I’ll walk you through a small but powerful project our team built: an automated workflow where a SentinelOne threat triggers a physical indicator light connected to a Raspberry Pi, orchestrated through n8n.

It’s simple. It’s visible. And it’s perfect for partner demos, workshops, and security storytelling.

Behind the scenes of the cyber lightshow

To build a meaningful demonstration, the team started with a strong XDR foundation.

We ingested multiple types of telemetry to give SentinelOne a broad and accurate view of activity across the environment. This included:

    • FortiSASE logs for endpoint and network traffic
    • Windows Event Logs for system-level events and authentication data

Once this telemetry flowed into the XDR platform, SentinelOne began correlating the signals using correlation rules. Instead of scattered alerts, we gained consolidated incidents with clear context.

When clues connect themselves

A user connects through FortiSASE, and the session produces unusual outbound traffic. Around the same time, the Windows endpoint logs show multiple failed authentication attempts followed by a suspicious PowerShell process. By themselves, these events might be easy to overlook. Together, they reveal a consistent pattern: a likely credential-stuffing attempt followed by remote code execution.

SentinelOne correlates these data points into a single, high-confidence incident. This enriched incident becomes the starting point for automation.

Xplained

AI-SIEM and HyperAutomation combine detection, correlation, orchestration, and response into one continuous loop. This demo showcases that loop in a tangible way.

    1. SentinelOne detects and correlates activity, generating an incident with clear context.
    2. A webhook sends that incident directly to n8n, removing any delay between detection and response.
    3. n8n translates the incident, extracts key details, and decides what action to take.
    4. The workflow calls a small API service on a Raspberry Pi, which controls a physical indicator lamp.
    5. The lamp reacts, making the automated response visible in real time.

The lamp represents the output layer in the loop. In real environments, the same logic could isolate endpoints, disable accounts, trigger containment rules, or update downstream systems.
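To make steps 3 and 4 concrete, here is an added example of the Raspberry Pi side of the loop; it is not code from the linked repo or from SentinelOne. It assumes n8n forwards a small JSON incident summary (the field names `id`, `confidence` and `status` are an assumption, not SentinelOne's schema) with a shared token in an `X-Demo-Token` header, so that only the workflow, and not anyone on the demo network, can drive the lamp. The GPIO lamp is replaced by an in-memory stand-in so the code runs without hardware.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Hypothetical shared secret n8n must send in X-Demo-Token (assumption, not the project's scheme).
SHARED_TOKEN = "change-me-demo-token"

# Assumed mapping from the incident's confidence level to a lamp state.
LAMP_STATES = {"high": "red-solid", "medium": "amber-blink", "low": "off"}


class Lamp:
    """In-memory stand-in for the GPIO-driven lamp so the example runs without hardware."""
    def __init__(self):
        self.state = "off"

    def set(self, state: str) -> str:
        self.state = state
        return state


LAMP = Lamp()


def decide_lamp_state(incident: dict) -> str:
    """Translate a correlated incident into a lamp state; resolved or unknown input turns it off."""
    if incident.get("status") == "resolved":
        return "off"
    return LAMP_STATES.get(str(incident.get("confidence", "")).lower(), "off")


def handle_webhook(token: Optional[str], body: bytes):
    """Validate the token (constant-time compare) and payload; return (HTTP status, response dict)."""
    if token is None or not hmac.compare_digest(token.encode(), SHARED_TOKEN.encode()):
        return 401, {"error": "bad token"}
    try:
        incident = json.loads(body)
    except ValueError:
        return 400, {"error": "invalid JSON"}
    if not isinstance(incident, dict) or "id" not in incident:
        return 400, {"error": "missing incident id"}
    state = LAMP.set(decide_lamp_state(incident))
    return 200, {"incident": incident["id"], "lamp": state}


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        status, payload = handle_webhook(self.headers.get("X-Demo-Token"), self.rfile.read(length))
        out = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()  # listen for the n8n HTTP Request node
```

On a real Pi the `Lamp.set` body would drive the GPIO pin; everything else stays the same.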

The value lies in the pattern: detect, correlate, automate, visualize.

A small lamp with big security lessons

This small project represents a much larger idea. HyperAutomation isn’t about replacing analysts. It’s about making their time count. By letting the system perform routine or time-sensitive steps automatically, analysts can focus on complex investigations instead of mechanical tasks.

For partners, this demo also serves as a powerful asset:

    • It highlights SentinelOne’s integration capabilities
    • It shows how quickly detection becomes action
    • It offers an engaging, repeatable workshop experience
    • It demonstrates real automation without heavy infrastructure

If you would like to build the setup yourself, please reach out and use this repo as guidance: https://github.com/Jverbist/S1-hyperautomation