About the connector
SentinelOne is a cybersecurity platform. SentinelOne unifies prevention, detection, and response in a single platform, enabling organizations to protect their user endpoint devices and critical servers against advanced malware, exploits, and other types of sophisticated threats.
This document provides information about the SentinelOne connector, which facilitates automated interactions, with a SentinelOne server using FortiSOAR™ playbooks. Add the SentinelOne connector as a step in FortiSOAR™ playbooks and perform automated operations, such as detecting threats at the endpoints, isolating or shutting down agents.
Version information
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later
Compatibility with SentinelOne Build Number: v2.0.0-EA#115 and later
Installing the connector
For the procedure to install a connector, click here.
Prerequisites to configuring the connector
- You must have the URL of the SentinelOne REST endpoint to which you will connect and perform the automated operations and credentials to access that endpoint.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In FortiSOAR™, on the Connectors page, select the SentinelOne connector and click Configure to configure the following parameters:
| Parameter |
Description |
| Host Name |
Host name of the SentinelOne endpoint to which you will connect and perform the automated operations. |
| Username |
Username to access the SentinelOne endpoint for using the API endpoint. |
| Password |
Password to access the SentinelOne endpoint. |
| Verify SSL |
Verify SSL connection to the SentinelOne API endpoint.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function |
Description |
Annotation and Category |
| Get Agents |
Retrieves a list of agents attached to an account. |
list_agents
Investigation |
| Agent Action |
Supports actions that can be performed on an agent.
You must select Agent Action from the Action drop-down list and then select one of the following actions from the Action drop-down list in the Inputs section:
Isolate Agent Network: Disconnects an agent from the network.
Decommission Agent: Decommissions an agent.
Uninstall Agent: Uninstalls agent software from the list of agents.
Shutdown Agent: Shutdowns an agent's system. |
isolate_agent
Containment |
| Reconnect Agent Network |
Reconnects a disconnected agent to the network. |
reconnect_agent
Remediation |
| Commission Agent |
Commissions a decommissioned agent. |
commission_agent
Remediation |
| Get Agent Passphrase |
Retrieves an agent's passphrase to uninstall an offline agent. |
agent_passphrase
Miscellaneous |
| List of Applications Installed on Agents |
Retrieves a list of applications installed on an agent. |
list_applications
Investigation |
| List of Processes Running on Agents |
Retrieves a list of processes running on an agent. |
list_processes
Investigation |
| Broadcast Message to Agent |
Broadcast a message to a specified agent system or a list of agent systems |
broadcast_message
Miscellaneous |
| Initiate Agent Scan |
Initiates scanning on a specified agent system. |
scan_agent
Investigation |
| Abort Agent Scan |
Aborts scanning on an agent system. |
abort_scan
Investigation |
| Get Hash Details |
Retrieve the details for a specified hash. |
hash_details
Investigation |
| Get Threat Details |
Retrieves details of a threat. |
threat_details
Investigation |
| Mitigate Threats |
Mitigates identified threats in the system. |
mitigate_threats
Remediation |
| Mark Threat as Benign |
Marks an identified threat as safe. |
mark_threat_as_benign
Remediation |
| Fetch Agents Logs |
Fetches logs from agents system to the SentinelOne cloud. |
fetch_logs
Investigation |
| Get Agent Count |
Retrieves the count of agents on a specified time, filtered by several parameters that you have specified. |
agent_count
Miscellaneous |
| List All Threats |
List all threats identified by SentinelOne on agents. You can additionally filter out the results by specifying the agent ID or the threat name. |
list_threats
Investigation |
operation: Get Agents
Input parameters
| Parameter |
Description |
| Agent Memory Less Than (GB): |
Memory size of the agent is lesser than given input. |
| Agent Memory Greater Than (GB) |
Memory size of the agent is greater than given input. |
| Agent Core Count Less Than |
Core count of agents is lesser than given input. |
| Agent Core Count Greater Than |
Core count of agents is greater than given input. |
| Active Status |
Active status of the agent. |
| Infected Status |
Infected status of the agent. |
| Include Decommissioned |
Include decommissioned status. |
| Is Decommissioned |
Is the current state decommissioned. |
| Agent ID's (comma-separated list) |
List of comma-separated agent ids. |
| Exclude Agent ID's (comma-separated list) |
List of comma-separated agent ids that are to be excluded. |
| Computer Name Like |
Agent that matches the specified name. |
| Agent Version |
Version of the agent. |
| Skip Records |
Skips the specified number of results from the total results. |
| Limit Records |
Limits the results to the specified number. |
| Network Status |
Current network status of the agent. |
Output
A customized JSON output that is formatted for easy reference is the output for all the operations.
The JSON output contains a list of agents that are being monitored by the central account.
Following image displays a sample output:
operation: Agent Action
Input parameters
| Parameter |
Description |
| Action |
Action to be performed.
You can choose between the following actions: Isolate Agent Network, Decommission Agent, Uninstall Agent, or Shutdown Agent. |
| Agent ID's (comma-separated list) |
ID of the agents separated by commas. |
| Group Id's (comma separated list) |
ID of the agents' groups separated by commas. |
| Is Decommissioned |
Agents' decommissioned status. |
| Is Unistalled |
Agents' uninstall status. |
Output
If you select Isolate Agent Network as the input action then the JSON output contains the number of agents that get isolated after the query is successfully run.
Following image displays a sample output:
If you select Decommission Agent as the input action then the JSON output contains the number of users that are decommissioned after the query is successfully run.
Following image displays a sample output:
If you select Uninstall Agent as the input action then the JSON output contains the number of agents that are uninstalled after the query is successfully run.
Following image displays a sample output:
If you select Shutdown Agent as the input action then the JSON output contains the number of agents that are affected by the shutdown operation after the query is successfully run.
Following image displays a sample output:
operation: Reconnect Agent Network
Input parameters
| Parameter |
Description |
| Agent Memory Less Than (GB): |
Memory size of the agent is lesser than given input. |
| Agent Memory Greater Than (GB) |
Memory size of the agent is greater than given input. |
| Agent Core Count Less Than |
Core count of agents is lesser than given input. |
| Agent Core Count Greater Than |
Core count of agents is greater than given input. |
| Active Status |
Active status of the agent. |
| Infected Status |
Infected status of the agent. |
| Include Decommissioned |
Include decommissioned status. |
| Is Decommissioned |
Is the current state decommissioned. |
| Agent ID's (comma-separated list) |
List of comma-separated agent ids. |
| Exclude Agent ID's (comma-separated list) |
List of comma-separated agent ids that are to be excluded. |
| Computer Name Like |
Agent that matches the specified name. |
| Agent Version |
Version of the agent. |
| OS Type |
Type of the OS used by the agent. |
| Skip Records |
Skips the specified number of results from the total results. |
| Limit Records |
Limits the results to the specified number. |
| Network Status |
Current network status of the agent. |
Output
The JSON contains a Success message of agents reconnected back into the network.
Following image displays a sample output:
operation: Commission Agent
Input parameters
| Parameter |
Description |
| Agent Id |
ID of the agent you want to recommission. |
Output
The JSON contains a Success message of the commissioning of the specified agent, or an Error message containing the reason for failure if the commissioning is not successful.
Following image displays a sample output:
operation: Get Agent Passphrase
Input parameters
| Parameter |
Description |
| Agent Id |
ID of the agent whose passphrase who want to retrieve. |
Output
The JSON contains a string output with the passphrase that can be used to delete an offline agent.
Following image displays a sample output:
operation: List of Applications Installed on Agents
Input parameters
| Parameter |
Description |
| Agent Id |
ID of the agent for which you want to retrieve the list of installed applications. |
Output
The JSON contains a list of application objects including information such as name, installation date, about the applications installed on the specified agent.
Following image displays a sample output:
operation: List of Processes Running on Agents
Input parameters
| Parameter |
Description |
| Agent Id |
ID of the agent for which you want to retrieve the list of running processes. |
Output
The JSON contains a list of running processes along with the process details for the specified agent.
Following image displays a sample output:
operation: Broadcast Message to Agent
Input parameters
| Parameter |
Description |
| Message |
Message that you want to broadcast to an agent or a list of agents. |
| Agent Memory Less Than (GB): |
Memory size of the agent is lesser than given input. |
| Agent Memory Greater Than (GB) |
Memory size of the agent is greater than given input. |
| Agent Core Count Less Than |
Core count of agents is lesser than given input. |
| Agent Core Count Greater Than |
Core count of agents is greater than given input. |
| Active Status |
Active status of the agent. |
| Infected Status |
Infected status of the agent. |
| Include Decommissioned |
Include decommissioned status. |
| Is Decommissioned |
Is the current state decommissioned. |
| Agent ID's (comma-separated list) |
List of comma-separated agent ids. |
| Exclude Agent ID's (comma-separated list) |
List of comma-separated agent ids that are to be excluded. |
| Computer Name Like |
Agent that matches the specified name. |
| Agent Version |
Version of the agent. |
| OS Type |
Type of the OS used by the agent. |
| Skip Records |
Skips the specified number of results from the total results. |
| Limit Records |
Limits the results to the specified number. |
| Network Status |
Current network status of the agent. |
Output
The JSON output contains the number of agents that are affected by the broadcast operation after the query is successfully run.
Following image displays a sample output:
operation: Initiate Agent Scan
Input parameters
| Parameter |
Description |
| Agent Memory Less Than (GB): |
Memory size of the agent is lesser than given input. |
| Agent Memory Greater Than (GB) |
Memory size of the agent is greater than given input. |
| Agent Core Count Less Than |
Core count of agents is lesser than given input. |
| Agent Core Count Greater Than |
Core count of agents is greater than given input. |
| Active Status |
Active status of the agent. |
| Infected Status |
Infected status of the agent. |
| Include Decommissioned |
Include decommissioned status. |
| Is Decommissioned |
Is the current state decommissioned. |
| Agent ID's (comma-separated list) |
List of comma-separated agent ids. |
| Exclude Agent ID's (comma-separated list) |
List of comma-separated agent ids that are to be excluded. |
| Computer Name Like |
Agent that matches the specified name. |
| Agent Version |
Version of the agent. |
| OS Type |
Type of the OS used by the agent. |
| Skip Records |
Skips the specified number of results from the total results. |
| Limit Records |
Limits the results to the specified number. |
| Network Status |
Current network status of the agent. |
Output
The JSON output contains the number of agents that are affected by the scan operation after the query is successfully run.
Following image displays a sample output:
operation: Abort Agent Scan
Input parameters
| Parameter |
Description |
| Agent Memory Less Than (GB): |
Memory size of the agent is lesser than given input. |
| Agent Memory Greater Than (GB) |
Memory size of the agent is greater than given input. |
| Agent Core Count Less Than |
Core count of agents is lesser than given input. |
| Agent Core Count Greater Than |
Core count of agents is greater than given input. |
| Active Status |
Active status of the agent. |
| Infected Status |
Infected status of the agent. |
| Include Decommissioned |
Include decommissioned status. |
| Is Decommissioned |
Is the current state decommissioned. |
| Agent ID's (comma-separated list) |
List of comma-separated agent ids. |
| Exclude Agent ID's (comma-separated list) |
List of comma-separated agent ids that are to be excluded. |
| Computer Name Like |
Agent that matches the specified name. |
| Agent Version |
Version of the agent. |
| OS Type |
Type of the OS used by the agent. |
| Skip Records |
Skips the specified number of results from the total results. |
| Limit Records |
Limits the results to the specified number. |
| Network Status |
Current network status of the agent. |
Output
The JSON output contains the number of agents that are affected by the abort scan operation after the query is successfully run.
Following image displays a sample output:
operation: Get Hash Details
Input parameters
| Parameter |
Description |
| Hash Id |
Hash ID (sha1 only) of the agent for which you want to retrieve details. |
Output
The JSON contains the details of the specified hash ID.
Following image displays a sample output:
operation: Get Threat Details
Input parameters
| Parameter |
Description |
| Threat Id |
ID of the threat for which you want to retrieve details. |
Output
The JSON contains the details of the specified threat ID.
Following image displays a sample output:
operation: Mitigate Threats
Input parameters
| Parameter |
Description |
| Action |
Action to be taken on the threat.
You can choose between the following actions: Kill, Quarantine, Un-Quarantine, Remediate, or Rollback-Remediation. |
| Threat Id |
ID of the threat on which the action needs to be taken. |
| Content Hash |
Hash ID of the file associated with the threat. |
| Threat Name |
Name of the threat that requires mitigation. |
| Agent Id |
ID of the agent on which the threat has been identified. |
| Skip Records |
Skips the specified number of results from the total results. |
| Limit Records |
Limits the results to the specified number. |
| From Scan |
Whether the threat was detected as a result of a scan. |
| Is Hidden |
Whether the threat is hidden. |
Output
The JSON contains a message about the threat being mitigated.
Following image displays a sample output:
operation: Mark Threat as Benign
Input parameters
| Parameter |
Description |
| Threat Id |
ID of the threat that requires to be marked as safe. |
| Content Hash |
Hash ID of the file associated with the threat. |
| Threat Name |
Name of the threat that requires to be marked as safe. |
| Agent Id |
ID of the agent on which the threat had been identified. |
| Skip Records |
Skips the specified number of results from the total results. |
| Limit Records |
Limits the results to the specified number. |
| From Scan |
Whether the threat was detected as a result of a scan. |
| Is Hidden |
Whether the threat is hidden. |
Output
The JSON contains a message about the threat being marked as safe.
Following image displays a sample output:
operation: Fetch Agents Logs
Input parameters
| Parameter |
Description |
| Agent Memory Less Than (GB): |
Memory size of the agent is lesser than given input. |
| Agent Memory Greater Than (GB) |
Memory size of the agent is greater than given input. |
| Agent Core Count Less Than |
Core count of agents is lesser than given input. |
| Agent Core Count Greater Than |
Core count of agents is greater than given input. |
| Active Status |
Active status of the agent. |
| Infected Status |
Infected status of the agent. |
| Include Decommissioned |
Include decommissioned status. |
| Is Decommissioned |
Is the current state decommissioned. |
| Agent ID's (comma-separated list) |
List of comma-separated agent ids. |
| Exclude Agent ID's (comma-separated list) |
List of comma-separated agent ids that are to be excluded. |
| Computer Name Like |
Agent that matches the specified name. |
| Agent Version |
Version of the agent. |
| OS Type |
Type of the OS used by the agent. |
| Skip Records |
Skips the specified number of results from the total results. |
| Limit Records |
Limits the results to the specified number. |
| Network Status |
Current network status of the agent. |
Output
The JSON output contains the number of agents whose logs are fetched after the query is successfully run.
Following image displays a sample output:
operation: Get Agent Count
Input parameters
| Parameter |
Description |
| Agent Memory Less Than (GB): |
Memory size of the agent is lesser than given input. |
| Agent Memory Greater Than (GB) |
Memory size of the agent is greater than given input. |
| Agent Core Count Less Than |
Core count of agents is lesser than given input. |
| Agent Core Count Greater Than |
Core count of agents is greater than given input. |
| Active Status |
Active status of the agent. |
| Infected Status |
Infected status of the agent. |
| Include Decommissioned |
Include decommissioned status. |
| Is Decommissioned |
Is the current state decommissioned. |
| Agent ID's (comma-separated list) |
List of comma-separated agent ids. |
| Exclude Agent ID's (comma-separated list) |
List of comma-separated agent ids that are to be excluded. |
| Computer Name Like |
Agent that matches the specified name. |
| Agent Version |
Version of the agent. |
| OS Type |
Type of the OS used by the agent. |
| Skip Records |
Skips the specified number of results from the total results. |
| Limit Records |
Limits the results to the specified number. |
| Network Status |
Current network status of the agent. |
Output
The JSON output contains the number of available agents.
Following image displays a sample output:
operation: List All Threats
Input parameters
| Parameter |
Description |
| Content Hash |
Hash ID of the file associated with the threat. |
| Threat Name |
Name of the threat that you want to search for on all agents. |
| Agent Id |
ID of the agent for which you want to list all the threats. |
| Skip Records |
Skips the specified number of results from the total results. |
| Limit Records |
Limits the results to the specified number. |
| From Scan |
Whether the threat was detected as a result of a scan. |
| Is Hidden |
Whether the threat is hidden. |
Output
The JSON contains the objects of the threats that are found after the query is successfully run.
Following image displays a sample output:
Included playbooks
The Sample - SentinelOne - 1.0.0 playbook collection comes bundled with the SentinelOne connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the SentinelOne connector.
- Abort Agent Scan
- Broadcast Message to Agent
- Decommission Agent
- Fetch Agent Logs
- Get Agent Count
- Get Agent Passphrase
- Get Agents
- Get Hash Details
- Get Threat Details
- Initiate Agent Scan
- Isolate Agent Network
- List All Threat
- List of Applications Installed on Agents
- List of Processes Running on Agents
- Mark Threat as Benign
- Mitigate Threat
- Commission Agent
- Reconnect Agent Network
- Shutdown Agent
- Uninstall Agent
Troubleshooting
Connection refusal while requesting to run the wrapper
This generally occurs in the case of self-signed SSL certificates. If you are using self-signed certificates for testing or staging, keep in mind this problem will not occur in production and you might need to switch the certificates on or off.
Resolution:
Ensure that the SSL certificates are trusted or that SSL checking is turned off in the wrapper script. This is not advised for production instances.
Playbook fails after the ingestion is triggered
There are many reasons for a playbook failure, for example, if a required field is null in the target module record, or there are problems with the Playbook Appliance keys.
Resolution:
Investigate the reason for failure using the Running Playbooks tab in the Playbook Administration page. Review the step in which the failure is being generated and the result of the step, which should contain the trace of the error. Once you have identified the error and if you cannot troubleshoot the error, contact Fortinet support for further assistance.
