How lean IT teams alert admins automatically when 10 or more threats are detected on a device in 24 hours with Rippling IT


What you'll learn

  • How to monitor threat activity across your fleet using Rippling Device Management

  • How to use threat data from SentinelOne inside Workflow Studio

  • How to build automated alerts when a device crosses a defined threat threshold

What you'll need

  • Rippling IT with Device Management

  • SentinelOne installed on your managed devices through Rippling

  • Devices enrolled in Rippling MDM with the Rippling Agent installed

  • Access to Workflow Studio

The problem

Security teams cannot manually review every threat that appears across a distributed device fleet. When employees work remotely, threats can accumulate quickly, especially if a device encounters suspicious files, malicious executables, or repeated attempts to run unsafe processes.

While SentinelOne can detect and mitigate threats, IT teams still need a way to understand when a device begins generating an unusual number of alerts. A cluster of threats within a short period often signals early compromise, misconfiguration, or other high-risk activity. Teams often discover these incidents only after someone reports a problem or during periodic reviews.

Without an automated alerting system tied to real-time threat data, IT risks missing the earliest signals on devices that require immediate attention.

The hypothesis

If threat data from SentinelOne is centralized in Rippling Device Management, and IT teams can use Workflow Studio to monitor that data automatically, then devices generating abnormal threat volume can be surfaced without manual reviews.

By alerting IT when a single device registers 10 or more threats within 24 hours, organizations can:

  • Identify high-risk devices early

  • Respond to suspicious activity before it escalates

  • Reduce the time spent manually reviewing threat logs

  • Improve incident response without adding new tools or headcount

This gives lean IT and security teams the visibility they need to take action quickly.

The solution

1. Use Rippling Device Management to monitor threats in one place

When you deploy SentinelOne through Rippling, threats detected on macOS and Windows devices appear automatically in the Devices app on the Threats tab. Rippling shows:

  • The employee assigned to the device

  • The device serial number

  • When the threat was detected

  • The threat level, such as suspicious or malicious

  • The threat status, such as mitigated or not mitigated

  • The last mitigation action, if one has been taken

Because devices must be MDM-enrolled and connected to Rippling, threat data stays up to date. This gives IT a single view of any device generating repeated threat activity.

2. Build a workflow that detects devices crossing your threshold

Workflow Studio lets you automate actions based on device, employee, and threat data stored in the Employee Graph. IT teams can build workflows that:

  • Run on a fixed schedule, such as every hour or every day

  • Query all devices with SentinelOne installed

  • Filter for devices with a specified number of threats within the past 24 hours

  • Narrow results using employee or device attributes

You can also filter by threat properties, such as suspicious or malicious, to focus on higher-risk activity. This turns the Threats tab into a real-time automation signal instead of a static list that requires manual checking.

3. Automatically notify IT when a device reaches 10 or more threats in 24 hours

Once the workflow identifies a device that meets your criteria, Rippling can automatically notify IT administrators, security leads, and the employee assigned to the device or their manager. Alerts can be sent through email, Slack, SMS, or as a Rippling task. Notifications can include a link to the threat details page, device owner information, and any recommended next steps. 

IT can then choose to take immediate action in the Devices app, such as:

  • Killing a process

  • Quarantining a threat

  • Locking the device

  • Soft wiping or full wiping of the device if required

  • Assigning follow-up tasks

This ensures potential incidents are handled quickly and consistently.
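The threshold rule from steps 2 and 3, as an added Python illustration (not Rippling or SentinelOne code): it evaluates "10 or more threats in the past 24 hours" at each scheduled run and goes one step beyond the text by showing how run frequency interacts with the 24-hour lookback. The record fields (`serial`, `level`, `detected_at`), the function names, and all sample data are assumptions constructed for this example.

```python
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # lookback used by the article's rule
THRESHOLD = 10                 # "10 or more threats"

def flagged_at(events, now, levels=("suspicious", "malicious")):
    """One scheduled run: serials with >= THRESHOLD matching threats in (now-24h, now]."""
    counts = Counter(
        e["serial"] for e in events
        if e["level"] in levels and now - WINDOW < e["detected_at"] <= now
    )
    return {serial for serial, n in counts.items() if n >= THRESHOLD}

def flagged_by_schedule(events, start, end, every, levels=("suspicious", "malicious")):
    """Union of the devices flagged by runs at start, start+every, ... up to end."""
    hits, now = set(), start
    while now <= end:
        hits |= flagged_at(events, now, levels)
        now += every
    return hits

def burst(serial, first, n, gap_minutes, level="malicious"):
    """Build n constructed threat records for one device, gap_minutes apart."""
    return [{"serial": serial, "level": level,
             "detected_at": first + timedelta(minutes=gap_minutes * i)}
            for i in range(n)]

# Constructed sample data (hypothetical serials, not real telemetry).
EVENTS = (
    burst("SN-A", datetime(2024, 1, 2, 9, 0), 12, 10)       # 12 threats, 09:00-10:50
    + burst("SN-B", datetime(2024, 1, 2, 23, 10), 10, 10)   # 10 threats across midnight
    + burst("SN-C", datetime(2024, 1, 2, 8, 0), 9, 60)      # 9 threats: under threshold
    + burst("SN-D", datetime(2024, 1, 2, 12, 0), 15, 5, level="suspicious")
)
START, END = datetime(2024, 1, 2), datetime(2024, 1, 4)

if __name__ == "__main__":
    # A daily run at midnight sees SN-B as 6 threats, then 4: never 10 in one window.
    print("daily :", sorted(flagged_by_schedule(EVENTS, START, END, timedelta(days=1))))
    print("hourly:", sorted(flagged_by_schedule(EVENTS, START, END, timedelta(hours=1))))
    print("hourly, malicious only:", sorted(flagged_by_schedule(
        EVENTS, START, END, timedelta(hours=1), levels=("malicious",))))
```

With a 24-hour lookback, a schedule that runs only once a day can split a burst across two runs, so an hourly schedule is the safer of the two options the text mentions.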

The impact

✓ IT is alerted instantly when threat volume spikes on any device

✓ High-risk activity is identified without manual monitoring

✓ Small teams gain the visibility normally associated with dedicated security operations personnel

✓ Responses are more consistent and less dependent on someone checking dashboards

✓ Devices can be secured, isolated, or remediated before they escalate into larger problems

By connecting SentinelOne threat data to Rippling workflows, IT teams can detect unusual activity earlier and respond faster using the tools they already have.

FAQs

Threats are reported by SentinelOne antivirus installed through Rippling. All threat events appear in the Devices app on the Threats tab.

Yes. You can filter using fields such as suspicious or malicious to target specific categories of threat activity.

Yes. Any device that is MDM-enrolled, connected to Rippling, and running SentinelOne through Rippling can report threats.

Yes. IT can lock or wipe a device from the Devices app. These actions can also be incorporated into workflows if needed.


Author


Michael Hendricks

Head of IT Content

Michael Hendricks is an award-winning writer and editor with more than ten years of experience telling stories that move people, for newsrooms and non-profit organizations through to digital media. Combining a journalism background with strategic communications expertise, he brings a trained editorial eye and a fine sense for turning complex information into stories that connect. Michael currently leads content for the IT division at Rippling, where he is responsible for editorial strategy and content. Previously he worked for media companies such as CNN and Search Party, where he produced and edited pieces on topics such as geopolitics, public policy, global markets, and the business side of the sports industry, always with precision and sensitivity.
