Fortinet Document Library

Version:


Table of Contents

1.0.0
Copy Link

About the connector

SentinelOne is a cybersecurity platform. SentinelOne unifies prevention, detection, and response in a single platform, enabling organizations to protect their user endpoint devices and critical servers against advanced malware, exploits, and other types of sophisticated threats.

This document provides information about the SentinelOne connector, which facilitates automated interactions, with a SentinelOne server using FortiSOAR™ playbooks. Add the SentinelOne connector as a step in FortiSOAR™ playbooks and perform automated operations, such as detecting threats at the endpoints, isolating or shutting down agents.

 

Version information

Connector Version: 1.0.0

Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later

Compatibility with SentinelOne Build Number: v2.0.0-EA#115 and later

 


Installing the connector

For the procedure to install a connector, click here.

 

Prerequisites to configuring the connector

  • You must have the URL of the SentinelOne REST endpoint to which you will connect and perform the automated operations and credentials to access that endpoint.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

 

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In FortiSOAR™, on the Connectors page, select the SentinelOne connector and click Configure to configure the following parameters:

 

Parameter Description
Host Name Host name of the SentinelOne endpoint to which you will connect and perform the automated operations.
Username Username to access the SentinelOne endpoint for using the API endpoint.
Password Password to access the SentinelOne endpoint.
Verify SSL Verify SSL connection to the SentinelOne API endpoint.
By default, this option is set as True.

 

 

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

 

Function Description Annotation and Category
Get Agents Retrieves a list of agents attached to an account. list_agents  
Investigation
Agent Action Supports actions that can be performed on an agent.
You must select Agent Action from the Action drop-down list and then select one of the following actions from the Action drop-down list in the Inputs section:
Isolate Agent Network: Disconnects an agent from the network.
Decommission Agent: Decommissions an agent.
Uninstall Agent: Uninstalls agent software from the list of agents.
Shutdown Agent: Shutdowns an agent's system.
isolate_agent
Containment
Reconnect Agent Network Reconnects a disconnected agent to the network.     reconnect_agent
Remediation
Commission Agent Commissions a decommissioned agent. commission_agent
Remediation
Get Agent Passphrase Retrieves an agent's passphrase to uninstall an offline agent. agent_passphrase
Miscellaneous
List of Applications Installed on Agents Retrieves a list of applications installed on an agent. list_applications  
Investigation
List of Processes Running on Agents Retrieves a list of processes running on an agent. list_processes  
Investigation
Broadcast Message to Agent Broadcast a message to a specified agent system or a list of agent systems broadcast_message
Miscellaneous
Initiate Agent Scan Initiates scanning on a specified agent system. scan_agent  
Investigation
Abort Agent Scan Aborts scanning on an agent system. abort_scan  
Investigation
Get Hash Details Retrieve the details for a specified hash. hash_details
Investigation
Get Threat Details Retrieves details of a threat. threat_details
Investigation
Mitigate Threats Mitigates identified threats in the system. mitigate_threats
Remediation
Mark Threat as Benign Marks an identified threat as safe. mark_threat_as_benign
Remediation
Fetch Agents Logs Fetches logs from agents system to the SentinelOne cloud. fetch_logs  
Investigation
Get Agent Count Retrieves the count of agents on a specified time, filtered by several parameters that you have specified. agent_count  
Miscellaneous
List All Threats List all threats identified by SentinelOne on agents. You can additionally filter out the results by specifying the agent ID or the threat name. list_threats  
Investigation

 

 

operation: Get Agents

Input parameters

 

Parameter Description
Agent Memory Less Than (GB): Memory size of the agent is lesser than given input.
Agent Memory Greater Than (GB) Memory size of the agent is greater than given input.
Agent Core Count Less Than Core count of agents is lesser than given input.
Agent Core Count Greater Than Core count of agents is greater than given input.
Active Status Active status of the agent.
Infected Status Infected status of the agent.
Include Decommissioned Include decommissioned status.
Is Decommissioned Is the current state decommissioned.
Agent ID's (comma-separated list) List of comma-separated agent ids.
Exclude Agent ID's (comma-separated list) List of comma-separated agent ids that are to be excluded.
Computer Name Like Agent that matches the specified name.
Agent Version Version of the agent.
Skip Records Skips the specified number of results from the total results.
Limit Records Limits the results to the specified number.
Network Status Current network status of the agent.

 

Output

A customized JSON output that is formatted for easy reference is the output for all the operations.

The JSON output contains a list of agents that are being monitored by the central account.

Following image displays a sample output:

 

Sample output of the Get Agents operation

 

operation: Agent Action

Input parameters

 

Parameter Description
Action Action to be performed.
You can choose between the following actions: Isolate Agent Network, Decommission Agent, Uninstall Agent, or Shutdown Agent.
Agent ID's (comma-separated list) ID of the agents separated by commas.
Group Id's (comma separated list) ID of the agents' groups separated by commas.
Is Decommissioned Agents' decommissioned status.
Is Unistalled Agents' uninstall status.

 

Output

If you select Isolate Agent Network as the input action then the JSON output contains the number of agents that get isolated after the query is successfully run.

Following image displays a sample output:

 

Sample output of the Isolate Agent Network operation

 

If you select Decommission Agent as the input action then the JSON output contains the number of users that are decommissioned after the query is successfully run.

Following image displays a sample output:

 

Sample output of the Decommission Agent operation

 

If you select Uninstall Agent as the input action then the JSON output contains the number of agents that are uninstalled after the query is successfully run.

Following image displays a sample output:

 

Sample output of the Uninstall Agent operation

 

If you select Shutdown Agent as the input action then the JSON output contains the number of agents that are affected by the shutdown operation after the query is successfully run.

Following image displays a sample output:

 

Sample output of the Shutdown Agent operation

 

operation: Reconnect Agent Network

Input parameters

 

Parameter Description
Agent Memory Less Than (GB): Memory size of the agent is lesser than given input.
Agent Memory Greater Than (GB) Memory size of the agent is greater than given input.
Agent Core Count Less Than Core count of agents is lesser than given input.
Agent Core Count Greater Than Core count of agents is greater than given input.
Active Status Active status of the agent.
Infected Status Infected status of the agent.
Include Decommissioned Include decommissioned status.
Is Decommissioned Is the current state decommissioned.
Agent ID's (comma-separated list) List of comma-separated agent ids.
Exclude Agent ID's (comma-separated list) List of comma-separated agent ids that are to be excluded.
Computer Name Like Agent that matches the specified name.
Agent Version Version of the agent.
OS Type Type of the OS used by the agent.
Skip Records Skips the specified number of results from the total results.
Limit Records Limits the results to the specified number.
Network Status Current network status of the agent.

 

Output

The JSON contains a Success message of agents reconnected back into the network.

Following image displays a sample output:

 

Sample output of the Reconnect Agent Network operation

 

operation: Commission Agent

Input parameters

 

Parameter Description
Agent Id ID of the agent you want to recommission.

 

Output

The JSON contains a Success message of the commissioning of the specified agent, or an Error message containing the reason for failure if the commissioning is not successful.

Following image displays a sample output:

Sample output of the Commission Agent operation

 

operation: Get Agent Passphrase

Input parameters

 

Parameter Description
Agent Id ID of the agent whose passphrase who want to retrieve.

 

Output

The JSON contains a string output with the passphrase that can be used to delete an offline agent.

Following image displays a sample output:

 

Sample output of the Get Agent Passphrase operation

 

operation: List of Applications Installed on Agents

Input parameters

 

Parameter Description
Agent Id ID of the agent for which you want to retrieve the list of installed applications.

 

Output

The JSON contains a list of application objects including information such as name, installation date, about the applications installed on the specified agent.

Following image displays a sample output:

 

Sample output of the List of Applications Installed on Agents operation

 

operation: List of Processes Running on Agents

Input parameters

 

Parameter Description
Agent Id ID of the agent for which you want to retrieve the list of running processes.

 

Output

The JSON contains a list of running processes along with the process details for the specified agent.

Following image displays a sample output:

 

Sample output of the List of Processes Running on Agents operation

 

operation: Broadcast Message to Agent

Input parameters

 

Parameter Description
Message Message that you want to broadcast to an agent or a list of agents.
Agent Memory Less Than (GB): Memory size of the agent is lesser than given input.
Agent Memory Greater Than (GB) Memory size of the agent is greater than given input.
Agent Core Count Less Than Core count of agents is lesser than given input.
Agent Core Count Greater Than Core count of agents is greater than given input.
Active Status Active status of the agent.
Infected Status Infected status of the agent.
Include Decommissioned Include decommissioned status.
Is Decommissioned Is the current state decommissioned.
Agent ID's (comma-separated list) List of comma-separated agent ids.
Exclude Agent ID's (comma-separated list) List of comma-separated agent ids that are to be excluded.
Computer Name Like Agent that matches the specified name.
Agent Version Version of the agent.
OS Type Type of the OS used by the agent.
Skip Records Skips the specified number of results from the total results.
Limit Records Limits the results to the specified number.
Network Status Current network status of the agent.

 

Output

The JSON output contains the number of agents that are affected by the broadcast operation after the query is successfully run.

Following image displays a sample output:

 

Sample output of the Broadcast Message to Agent operation

 

operation: Initiate Agent Scan

Input parameters

 

Parameter Description
Agent Memory Less Than (GB): Memory size of the agent is lesser than given input.
Agent Memory Greater Than (GB) Memory size of the agent is greater than given input.
Agent Core Count Less Than Core count of agents is lesser than given input.
Agent Core Count Greater Than Core count of agents is greater than given input.
Active Status Active status of the agent.
Infected Status Infected status of the agent.
Include Decommissioned Include decommissioned status.
Is Decommissioned Is the current state decommissioned.
Agent ID's (comma-separated list) List of comma-separated agent ids.
Exclude Agent ID's (comma-separated list) List of comma-separated agent ids that are to be excluded.
Computer Name Like Agent that matches the specified name.
Agent Version Version of the agent.
OS Type Type of the OS used by the agent.
Skip Records Skips the specified number of results from the total results.
Limit Records Limits the results to the specified number.
Network Status Current network status of the agent.

 

Output

The JSON output contains the number of agents that are affected by the scan operation after the query is successfully run.

Following image displays a sample output:

Sample output of the Initiate Agent Scan operation

 

operation: Abort Agent Scan

Input parameters

 

Parameter Description
Agent Memory Less Than (GB): Memory size of the agent is lesser than given input.
Agent Memory Greater Than (GB) Memory size of the agent is greater than given input.
Agent Core Count Less Than Core count of agents is lesser than given input.
Agent Core Count Greater Than Core count of agents is greater than given input.
Active Status Active status of the agent.
Infected Status Infected status of the agent.
Include Decommissioned Include decommissioned status.
Is Decommissioned Is the current state decommissioned.
Agent ID's (comma-separated list) List of comma-separated agent ids.
Exclude Agent ID's (comma-separated list) List of comma-separated agent ids that are to be excluded.
Computer Name Like Agent that matches the specified name.
Agent Version Version of the agent.
OS Type Type of the OS used by the agent.
Skip Records Skips the specified number of results from the total results.
Limit Records Limits the results to the specified number.
Network Status Current network status of the agent.

 

Output

The JSON output contains the number of agents that are affected by the abort scan operation after the query is successfully run.

Following image displays a sample output:

 

Sample output of the Abort Agent Scan operation

 

operation: Get Hash Details

Input parameters

 

Parameter Description
Hash Id Hash ID (sha1 only) of the agent for which you want to retrieve details.

 

Output

The JSON contains the details of the specified hash ID.

Following image displays a sample output:

 

Sample output of the Get Hash Details operation

 

operation: Get Threat Details

Input parameters

 

Parameter Description
Threat Id ID of the threat for which you want to retrieve details.

 

Output

The JSON contains the details of the specified threat ID.

Following image displays a sample output:

 

Sample output of the Get Threat Details operation

 

operation: Mitigate Threats

Input parameters

 

Parameter Description
Action Action to be taken on the threat.
You can choose between the following actions: Kill, Quarantine, Un-Quarantine, Remediate, or Rollback-Remediation.
Threat Id ID of the threat on which the action needs to be taken.
Content Hash Hash ID of the file associated with the threat.
Threat Name Name of the threat that requires mitigation.
Agent Id ID of the agent on which the threat has been identified.
Skip Records Skips the specified number of results from the total results.
Limit Records Limits the results to the specified number.
From Scan Whether the threat was detected as a result of a scan.
Is Hidden Whether the threat is hidden.

 

Output

The JSON contains a message about the threat being mitigated.

Following image displays a sample output:

 

Sample output of the Mitigate Threats operation

 

operation: Mark Threat as Benign

Input parameters

 

Parameter Description
Threat Id ID of the threat that requires to be marked as safe.
Content Hash Hash ID of the file associated with the threat.
Threat Name Name of the threat that requires to be marked as safe.
Agent Id ID of the agent on which the threat had been identified.
Skip Records Skips the specified number of results from the total results.
Limit Records Limits the results to the specified number.
From Scan Whether the threat was detected as a result of a scan.
Is Hidden Whether the threat is hidden.

 

Output

The JSON contains a message about the threat being marked as safe.

Following image displays a sample output:

 

Sample output of the Mark Threat as Benign operation

 

operation: Fetch Agents Logs

Input parameters

 

Parameter Description
Agent Memory Less Than (GB): Memory size of the agent is lesser than given input.
Agent Memory Greater Than (GB) Memory size of the agent is greater than given input.
Agent Core Count Less Than Core count of agents is lesser than given input.
Agent Core Count Greater Than Core count of agents is greater than given input.
Active Status Active status of the agent.
Infected Status Infected status of the agent.
Include Decommissioned Include decommissioned status.
Is Decommissioned Is the current state decommissioned.
Agent ID's (comma-separated list) List of comma-separated agent ids.
Exclude Agent ID's (comma-separated list) List of comma-separated agent ids that are to be excluded.
Computer Name Like Agent that matches the specified name.
Agent Version Version of the agent.
OS Type Type of the OS used by the agent.
Skip Records Skips the specified number of results from the total results.
Limit Records Limits the results to the specified number.
Network Status Current network status of the agent.

 

Output

The JSON output contains the number of agents whose logs are fetched after the query is successfully run.

Following image displays a sample output:

 

Sample output of the Fetch Agents Logs operation

 

operation: Get Agent Count

Input parameters

 

Parameter Description
Agent Memory Less Than (GB): Memory size of the agent is lesser than given input.
Agent Memory Greater Than (GB) Memory size of the agent is greater than given input.
Agent Core Count Less Than Core count of agents is lesser than given input.
Agent Core Count Greater Than Core count of agents is greater than given input.
Active Status Active status of the agent.
Infected Status Infected status of the agent.
Include Decommissioned Include decommissioned status.
Is Decommissioned Is the current state decommissioned.
Agent ID's (comma-separated list) List of comma-separated agent ids.
Exclude Agent ID's (comma-separated list) List of comma-separated agent ids that are to be excluded.
Computer Name Like Agent that matches the specified name.
Agent Version Version of the agent.
OS Type Type of the OS used by the agent.
Skip Records Skips the specified number of results from the total results.
Limit Records Limits the results to the specified number.
Network Status Current network status of the agent.

 

Output

The JSON output contains the number of available agents.

Following image displays a sample output:

 

Sample output of the Get Agent Count operation

 

operation: List All Threats

Input parameters

 

Parameter Description
Content Hash Hash ID of the file associated with the threat.
Threat Name Name of the threat that you want to search for on all agents.
Agent Id ID of the agent for which you want to list all the threats.
Skip Records Skips the specified number of results from the total results.
Limit Records Limits the results to the specified number.
From Scan Whether the threat was detected as a result of a scan.
Is Hidden Whether the threat is hidden.

 

Output

The JSON contains the objects of the threats that are found after the query is successfully run.

Following image displays a sample output:

 

Sample output of the List all Threats operation

 

Included playbooks

The Sample - SentinelOne - 1.0.0 playbook collection comes bundled with the SentinelOne connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the SentinelOne connector.

  • Abort Agent Scan
  • Broadcast Message to Agent
  • Decommission Agent
  • Fetch Agent Logs
  • Get Agent Count
  • Get Agent Passphrase
  • Get Agents
  • Get Hash Details
  • Get Threat Details
  • Initiate Agent Scan
  • Isolate Agent Network
  • List All Threat
  • List of Applications Installed on Agents
  • List of Processes Running on Agents
  • Mark Threat as Benign
  • Mitigate Threat
  • Commission Agent
  • Reconnect Agent Network
  • Shutdown Agent
  • Uninstall Agent

Troubleshooting

Connection refusal while requesting to run the wrapper

This generally occurs in the case of self-signed SSL certificates. If you are using self-signed certificates for testing or staging, keep in mind this problem will not occur in production and you might need to switch the certificates on or off.

Resolution:

Ensure that the SSL certificates are trusted or that SSL checking is turned off in the wrapper script. This is not advised for production instances.

 

Playbook fails after the ingestion is triggered

There are many reasons for a playbook failure, for example, if a required field is null in the target module record, or there are problems with the Playbook Appliance keys.

Resolution:

Investigate the reason for failure using the Running Playbooks tab in the Playbook Administration page. Review the step in which the failure is being generated and the result of the step, which should contain the trace of the error. Once you have identified the error and if you cannot troubleshoot the error, contact Fortinet support for further assistance.

 

About the connector

SentinelOne is a cybersecurity platform. SentinelOne unifies prevention, detection, and response in a single platform, enabling organizations to protect their user endpoint devices and critical servers against advanced malware, exploits, and other types of sophisticated threats.

This document provides information about the SentinelOne connector, which facilitates automated interactions, with a SentinelOne server using FortiSOAR™ playbooks. Add the SentinelOne connector as a step in FortiSOAR™ playbooks and perform automated operations, such as detecting threats at the endpoints, isolating or shutting down agents.

 

Version information

Connector Version: 1.0.0

Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later

Compatibility with SentinelOne Build Number: v2.0.0-EA#115 and later

 


Installing the connector

For the procedure to install a connector, click here.

 

Prerequisites to configuring the connector

 

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In FortiSOAR™, on the Connectors page, select the SentinelOne connector and click Configure to configure the following parameters:

 

Parameter Description
Host Name Host name of the SentinelOne endpoint to which you will connect and perform the automated operations.
Username Username to access the SentinelOne endpoint for using the API endpoint.
Password Password to access the SentinelOne endpoint.
Verify SSL Verify SSL connection to the SentinelOne API endpoint.
By default, this option is set as True.

 

 

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

 

Function Description Annotation and Category
Get Agents Retrieves a list of agents attached to an account. list_agents  
Investigation
Agent Action Supports actions that can be performed on an agent.
You must select Agent Action from the Action drop-down list and then select one of the following actions from the Action drop-down list in the Inputs section:
Isolate Agent Network: Disconnects an agent from the network.
Decommission Agent: Decommissions an agent.
Uninstall Agent: Uninstalls agent software from the list of agents.
Shutdown Agent: Shutdowns an agent's system.
isolate_agent
Containment
Reconnect Agent Network Reconnects a disconnected agent to the network.     reconnect_agent
Remediation
Commission Agent Commissions a decommissioned agent. commission_agent
Remediation
Get Agent Passphrase Retrieves an agent's passphrase to uninstall an offline agent. agent_passphrase
Miscellaneous
List of Applications Installed on Agents Retrieves a list of applications installed on an agent. list_applications  
Investigation
List of Processes Running on Agents Retrieves a list of processes running on an agent. list_processes  
Investigation
Broadcast Message to Agent Broadcast a message to a specified agent system or a list of agent systems broadcast_message
Miscellaneous
Initiate Agent Scan Initiates scanning on a specified agent system. scan_agent  
Investigation
Abort Agent Scan Aborts scanning on an agent system. abort_scan  
Investigation
Get Hash Details Retrieve the details for a specified hash. hash_details
Investigation
Get Threat Details Retrieves details of a threat. threat_details
Investigation
Mitigate Threats Mitigates identified threats in the system. mitigate_threats
Remediation
Mark Threat as Benign Marks an identified threat as safe. mark_threat_as_benign
Remediation
Fetch Agents Logs Fetches logs from agents system to the SentinelOne cloud. fetch_logs  
Investigation
Get Agent Count Retrieves the count of agents on a specified time, filtered by several parameters that you have specified. agent_count  
Miscellaneous
List All Threats List all threats identified by SentinelOne on agents. You can additionally filter out the results by specifying the agent ID or the threat name. list_threats  
Investigation

 

 

operation: Get Agents

Input parameters

 

Parameter Description
Agent Memory Less Than (GB): Memory size of the agent is lesser than given input.
Agent Memory Greater Than (GB) Memory size of the agent is greater than given input.
Agent Core Count Less Than Core count of agents is lesser than given input.
Agent Core Count Greater Than Core count of agents is greater than given input.
Active Status Active status of the agent.
Infected Status Infected status of the agent.
Include Decommissioned Include decommissioned status.
Is Decommissioned Is the current state decommissioned.
Agent ID's (comma-separated list) List of comma-separated agent ids.
Exclude Agent ID's (comma-separated list) List of comma-separated agent ids that are to be excluded.
Computer Name Like Agent that matches the specified name.
Agent Version Version of the agent.
Skip Records Skips the specified number of results from the total results.
Limit Records Limits the results to the specified number.
Network Status Current network status of the agent.

 

Output

A customized JSON output that is formatted for easy reference is the output for all the operations.

The JSON output contains a list of agents that are being monitored by the central account.

Following image displays a sample output:

 

Sample output of the Get Agents operation

 

operation: Agent Action

Input parameters

 

Parameter Description
Action Action to be performed.
You can choose between the following actions: Isolate Agent Network, Decommission Agent, Uninstall Agent, or Shutdown Agent.
Agent ID's (comma-separated list) ID of the agents separated by commas.
Group Id's (comma separated list) ID of the agents' groups separated by commas.
Is Decommissioned Agents' decommissioned status.
Is Unistalled Agents' uninstall status.

 

Output

If you select Isolate Agent Network as the input action then the JSON output contains the number of agents that get isolated after the query is successfully run.

Following image displays a sample output:

 

Sample output of the Isolate Agent Network operation

 

If you select Decommission Agent as the input action then the JSON output contains the number of users that are decommissioned after the query is successfully run.

Following image displays a sample output:

 

Sample output of the Decommission Agent operation

 

If you select Uninstall Agent as the input action then the JSON output contains the number of agents that are uninstalled after the query is successfully run.

Following image displays a sample output:

 

Sample output of the Uninstall Agent operation

 

If you select Shutdown Agent as the input action then the JSON output contains the number of agents that are affected by the shutdown operation after the query is successfully run.

Following image displays a sample output:

 

Sample output of the Shutdown Agent operation

 

operation: Reconnect Agent Network

Input parameters

 

Parameter Description
Agent Memory Less Than (GB): Memory size of the agent is lesser than given input.
Agent Memory Greater Than (GB) Memory size of the agent is greater than given input.
Agent Core Count Less Than Core count of agents is lesser than given input.
Agent Core Count Greater Than Core count of agents is greater than given input.
Active Status Active status of the agent.
Infected Status Infected status of the agent.
Include Decommissioned Include decommissioned status.
Is Decommissioned Is the current state decommissioned.
Agent ID's (comma-separated list) List of comma-separated agent ids.
Exclude Agent ID's (comma-separated list) List of comma-separated agent ids that are to be excluded.
Computer Name Like Agent that matches the specified name.
Agent Version Version of the agent.
OS Type Type of the OS used by the agent.
Skip Records Skips the specified number of results from the total results.
Limit Records Limits the results to the specified number.
Network Status Current network status of the agent.

 

Output

The JSON contains a Success message of agents reconnected back into the network.

Following image displays a sample output:

 

Sample output of the Reconnect Agent Network operation

 

operation: Commission Agent

Input parameters

 

Parameter Description
Agent Id ID of the agent you want to recommission.

 

Output

The JSON contains a Success message of the commissioning of the specified agent, or an Error message containing the reason for failure if the commissioning is not successful.

Following image displays a sample output:

Sample output of the Commission Agent operation

 

operation: Get Agent Passphrase

Input parameters

 

Parameter Description
Agent Id ID of the agent whose passphrase who want to retrieve.

 

Output

The JSON contains a string output with the passphrase that can be used to delete an offline agent.

Following image displays a sample output:

 

Sample output of the Get Agent Passphrase operation

 

operation: List of Applications Installed on Agents

Input parameters

 

Parameter Description
Agent Id ID of the agent for which you want to retrieve the list of installed applications.

 

Output

The JSON contains a list of application objects including information such as name, installation date, about the applications installed on the specified agent.

Following image displays a sample output:

 

Sample output of the List of Applications Installed on Agents operation

 

operation: List of Processes Running on Agents

Input parameters

 

Parameter Description
Agent Id ID of the agent for which you want to retrieve the list of running processes.

 

Output

The JSON contains a list of running processes along with the process details for the specified agent.

Following image displays a sample output:

 

Sample output of the List of Processes Running on Agents operation

 

operation: Broadcast Message to Agent

Input parameters

 

Parameter Description
Message Message that you want to broadcast to an agent or a list of agents.
Agent Memory Less Than (GB): Memory size of the agent is lesser than given input.
Agent Memory Greater Than (GB) Memory size of the agent is greater than given input.
Agent Core Count Less Than Core count of agents is lesser than given input.
Agent Core Count Greater Than Core count of agents is greater than given input.
Active Status Active status of the agent.
Infected Status Infected status of the agent.
Include Decommissioned Include decommissioned status.
Is Decommissioned Is the current state decommissioned.
Agent ID's (comma-separated list) List of comma-separated agent ids.
Exclude Agent ID's (comma-separated list) List of comma-separated agent ids that are to be excluded.
Computer Name Like Agent that matches the specified name.
Agent Version Version of the agent.
OS Type Type of the OS used by the agent.
Skip Records Skips the specified number of results from the total results.
Limit Records Limits the results to the specified number.
Network Status Current network status of the agent.

 

Output

The JSON output contains the number of agents that are affected by the broadcast operation after the query is successfully run.

Following image displays a sample output:

 

Sample output of the Broadcast Message to Agent operation

 

operation: Initiate Agent Scan

Input parameters

 

Parameter Description
Agent Memory Less Than (GB): Memory size of the agent is lesser than given input.
Agent Memory Greater Than (GB) Memory size of the agent is greater than given input.
Agent Core Count Less Than Core count of agents is lesser than given input.
Agent Core Count Greater Than Core count of agents is greater than given input.
Active Status Active status of the agent.
Infected Status Infected status of the agent.
Include Decommissioned Include decommissioned status.
Is Decommissioned Is the current state decommissioned.
Agent ID's (comma-separated list) List of comma-separated agent ids.
Exclude Agent ID's (comma-separated list) List of comma-separated agent ids that are to be excluded.
Computer Name Like Agent that matches the specified name.
Agent Version Version of the agent.
OS Type Type of the OS used by the agent.
Skip Records Skips the specified number of results from the total results.
Limit Records Limits the results to the specified number.
Network Status Current network status of the agent.

 

Output

The JSON output contains the number of agents that are affected by the scan operation after the query is successfully run.

Following image displays a sample output:

Sample output of the Initiate Agent Scan operation

 

operation: Abort Agent Scan

Input parameters

 

Parameter Description
Agent Memory Less Than (GB): Memory size of the agent is lesser than given input.
Agent Memory Greater Than (GB) Memory size of the agent is greater than given input.
Agent Core Count Less Than Core count of agents is lesser than given input.
Agent Core Count Greater Than Core count of agents is greater than given input.
Active Status Active status of the agent.
Infected Status Infected status of the agent.
Include Decommissioned Include decommissioned status.
Is Decommissioned Is the current state decommissioned.
Agent ID's (comma-separated list) List of comma-separated agent ids.
Exclude Agent ID's (comma-separated list) List of comma-separated agent ids that are to be excluded.
Computer Name Like Agent that matches the specified name.
Agent Version Version of the agent.
OS Type Type of the OS used by the agent.
Skip Records Skips the specified number of results from the total results.
Limit Records Limits the results to the specified number.
Network Status Current network status of the agent.

 

Output

The JSON output contains the number of agents that are affected by the abort scan operation after the query is successfully run.

Following image displays a sample output:

 

Sample output of the Abort Agent Scan operation

 

operation: Get Hash Details

Input parameters

 

Parameter Description
Hash Id Hash ID (sha1 only) of the agent for which you want to retrieve details.

 

Output

The JSON contains the details of the specified hash ID.

Following image displays a sample output:

 

Sample output of the Get Hash Details operation

 

operation: Get Threat Details

Input parameters

 

Parameter Description
Threat Id ID of the threat for which you want to retrieve details.

 

Output

The JSON contains the details of the specified threat ID.

Following image displays a sample output:

 

Sample output of the Get Threat Details operation

 

operation: Mitigate Threats

Input parameters

 

Parameter Description
Action Action to be taken on the threat.
You can choose between the following actions: Kill, Quarantine, Un-Quarantine, Remediate, or Rollback-Remediation.
Threat Id ID of the threat on which the action needs to be taken.
Content Hash Hash ID of the file associated with the threat.
Threat Name Name of the threat that requires mitigation.
Agent Id ID of the agent on which the threat has been identified.
Skip Records Skips the specified number of results from the total results.
Limit Records Limits the results to the specified number.
From Scan Whether the threat was detected as a result of a scan.
Is Hidden Whether the threat is hidden.

 

Output

The JSON contains a message about the threat being mitigated.

Following image displays a sample output:

 

Sample output of the Mitigate Threats operation

 

operation: Mark Threat as Benign

Input parameters

 

Parameter Description
Threat Id ID of the threat that requires to be marked as safe.
Content Hash Hash ID of the file associated with the threat.
Threat Name Name of the threat that requires to be marked as safe.
Agent Id ID of the agent on which the threat had been identified.
Skip Records Skips the specified number of results from the total results.
Limit Records Limits the results to the specified number.
From Scan Whether the threat was detected as a result of a scan.
Is Hidden Whether the threat is hidden.

 

Output

The JSON contains a message about the threat being marked as safe.

Following image displays a sample output:

 

Sample output of the Mark Threat as Benign operation

 

operation: Fetch Agents Logs

Input parameters

 

Parameter Description
Agent Memory Less Than (GB): Memory size of the agent is lesser than given input.
Agent Memory Greater Than (GB) Memory size of the agent is greater than given input.
Agent Core Count Less Than Core count of agents is lesser than given input.
Agent Core Count Greater Than Core count of agents is greater than given input.
Active Status Active status of the agent.
Infected Status Infected status of the agent.
Include Decommissioned Include decommissioned status.
Is Decommissioned Is the current state decommissioned.
Agent ID's (comma-separated list) List of comma-separated agent ids.
Exclude Agent ID's (comma-separated list) List of comma-separated agent ids that are to be excluded.
Computer Name Like Agent that matches the specified name.
Agent Version Version of the agent.
OS Type Type of the OS used by the agent.
Skip Records Skips the specified number of results from the total results.
Limit Records Limits the results to the specified number.
Network Status Current network status of the agent.

 

Output

The JSON output contains the number of agents whose logs are fetched after the query is successfully run.

Following image displays a sample output:

 

Sample output of the Fetch Agents Logs operation

 

operation: Get Agent Count

Input parameters

 

Parameter Description
Agent Memory Less Than (GB): Memory size of the agent is lesser than given input.
Agent Memory Greater Than (GB) Memory size of the agent is greater than given input.
Agent Core Count Less Than Core count of agents is lesser than given input.
Agent Core Count Greater Than Core count of agents is greater than given input.
Active Status Active status of the agent.
Infected Status Infected status of the agent.
Include Decommissioned Include decommissioned status.
Is Decommissioned Is the current state decommissioned.
Agent ID's (comma-separated list) List of comma-separated agent ids.
Exclude Agent ID's (comma-separated list) List of comma-separated agent ids that are to be excluded.
Computer Name Like Agent that matches the specified name.
Agent Version Version of the agent.
OS Type Type of the OS used by the agent.
Skip Records Skips the specified number of results from the total results.
Limit Records Limits the results to the specified number.
Network Status Current network status of the agent.

 

Output

The JSON output contains the number of available agents.

Following image displays a sample output:

 

Sample output of the Get Agent Count operation

 

operation: List All Threats

Input parameters

 

Parameter Description
Content Hash Hash ID of the file associated with the threat.
Threat Name Name of the threat that you want to search for on all agents.
Agent Id ID of the agent for which you want to list all the threats.
Skip Records Skips the specified number of results from the total results.
Limit Records Limits the results to the specified number.
From Scan Whether the threat was detected as a result of a scan.
Is Hidden Whether the threat is hidden.

 

Output

The JSON contains the objects of the threats that are found after the query is successfully run.

Following image displays a sample output:

 

Sample output of the List all Threats operation

 

Included playbooks

The Sample - SentinelOne - 1.0.0 playbook collection comes bundled with the SentinelOne connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the SentinelOne connector.

Troubleshooting

Connection refusal while requesting to run the wrapper

This generally occurs in the case of self-signed SSL certificates. If you are using self-signed certificates for testing or staging, keep in mind this problem will not occur in production and you might need to switch the certificates on or off.

Resolution:

Ensure that the SSL certificates are trusted or that SSL checking is turned off in the wrapper script. This is not advised for production instances.

 

Playbook fails after the ingestion is triggered

There are many reasons for a playbook failure, for example, if a required field is null in the target module record, or there are problems with the Playbook Appliance keys.

Resolution:

Investigate the reason for failure using the Running Playbooks tab in the Playbook Administration page. Review the step in which the failure is being generated and the result of the step, which should contain the trace of the error. Once you have identified the error and if you cannot troubleshoot the error, contact Fortinet support for further assistance.