SentinelOne is a cybersecurity platform. SentinelOne unifies prevention, detection, and response in a single platform, enabling organizations to protect their user endpoint devices and critical servers against advanced malware, exploits, and other types of sophisticated threats.
This document provides information about the SentinelOne connector, which facilitates automated interactions with a SentinelOne server using FortiSOAR™ playbooks. Add the SentinelOne connector as a step in FortiSOAR™ playbooks to perform automated operations, such as detecting threats at endpoints and isolating or shutting down agents.
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later
Compatibility with SentinelOne Build Number: v2.0.0-EA#115 and later
For the procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the SentinelOne connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Host Name | Host name of the SentinelOne endpoint to which you will connect and perform the automated operations. |
Username | Username to access the SentinelOne endpoint for using the API endpoint. |
Password | Password to access the SentinelOne endpoint. |
Verify SSL | Verify the SSL connection to the SentinelOne API endpoint. By default, this option is set to True. |
The following automated operations can be included in playbooks. From FortiSOAR™ release 4.10.0 onwards, you can also use the annotations to access these operations:
Function | Description | Annotation and Category |
---|---|---|
Get Agents | Retrieves a list of agents attached to an account. | list_agents Investigation |
Agent Action | Supports actions that can be performed on an agent. You must select Agent Action from the Action drop-down list and then select one of the following actions from the Action drop-down list in the Inputs section: Isolate Agent Network: Disconnects an agent from the network. Decommission Agent: Decommissions an agent. Uninstall Agent: Uninstalls agent software from the list of agents. Shutdown Agent: Shuts down an agent's system. | isolate_agent Containment |
Reconnect Agent Network | Reconnects a disconnected agent to the network. | reconnect_agent Remediation |
Commission Agent | Commissions a decommissioned agent. | commission_agent Remediation |
Get Agent Passphrase | Retrieves an agent's passphrase to uninstall an offline agent. | agent_passphrase Miscellaneous |
List of Applications Installed on Agents | Retrieves a list of applications installed on an agent. | list_applications Investigation |
List of Processes Running on Agents | Retrieves a list of processes running on an agent. | list_processes Investigation |
Broadcast Message to Agent | Broadcasts a message to a specified agent system or a list of agent systems. | broadcast_message Miscellaneous |
Initiate Agent Scan | Initiates scanning on a specified agent system. | scan_agent Investigation |
Abort Agent Scan | Aborts scanning on an agent system. | abort_scan Investigation |
Get Hash Details | Retrieves the details for a specified hash. | hash_details Investigation |
Get Threat Details | Retrieves details of a threat. | threat_details Investigation |
Mitigate Threats | Mitigates identified threats in the system. | mitigate_threats Remediation |
Mark Threat as Benign | Marks an identified threat as safe. | mark_threat_as_benign Remediation |
Fetch Agents Logs | Fetches logs from an agent's system to the SentinelOne cloud. | fetch_logs Investigation |
Get Agent Count | Retrieves the count of agents at a specified time, filtered by the parameters that you specify. | agent_count Miscellaneous |
List All Threats | Lists all threats identified by SentinelOne on agents. You can additionally filter the results by specifying the agent ID or the threat name. | list_threats Investigation |
Input parameters for the Get Agents operation:
Parameter | Description |
---|---|
Agent Memory Less Than (GB) | Agents whose memory size is less than the given value. |
Agent Memory Greater Than (GB) | Agents whose memory size is greater than the given value. |
Agent Core Count Less Than | Agents whose core count is less than the given value. |
Agent Core Count Greater Than | Agents whose core count is greater than the given value. |
Active Status | Active status of the agent. |
Infected Status | Infected status of the agent. |
Include Decommissioned | Whether to include decommissioned agents. |
Is Decommissioned | Whether the agent's current state is decommissioned. |
Agent IDs (comma-separated list) | Comma-separated list of agent IDs to include. |
Exclude Agent IDs (comma-separated list) | Comma-separated list of agent IDs to exclude. |
Computer Name Like | Agents whose computer name matches the specified name. |
Agent Version | Version of the agent. |
Skip Records | Skips the specified number of results from the total results. |
Limit Records | Limits the results to the specified number. |
Network Status | Current network status of the agent. |
All operations return a customized JSON output that is formatted for easy reference.
The JSON output contains a list of agents that are being monitored by the central account.
Following image displays a sample output:
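As an added example that is not part of this document or of the connector's own code, the following Python shows how a playbook step could validate the filter inputs above, which are shared by Get Agents, Reconnect Agent Network, Broadcast Message to Agent, Initiate Agent Scan, Abort Agent Scan, Fetch Agents Logs and Get Agent Count, and then page through the results with Skip Records and Limit Records. The query key names, the fake_fetch_page stand-in and the SAMPLE_AGENTS inventory are assumptions constructed for the example, not SentinelOne API fields.

```python
from typing import Any, Callable, Dict, List, Optional

# Label -> query key; the keys are placeholders for this example, not the connector's or SentinelOne's field names.
FILTER_KEYS = {
    "Agent Memory Less Than (GB)": "memory_lt",
    "Agent Memory Greater Than (GB)": "memory_gt",
    "Agent Core Count Less Than": "core_count_lt",
    "Agent Core Count Greater Than": "core_count_gt",
    "Active Status": "is_active",
    "Infected Status": "infected",
    "Include Decommissioned": "include_decommissioned",
    "Is Decommissioned": "is_decommissioned",
    "Computer Name Like": "computer_name_like",
    "Agent Version": "agent_version",
    "OS Type": "os_type",
    "Network Status": "network_status",
}
IDS_LABEL = "Agent IDs (comma-separated list)"
EXCLUDE_LABEL = "Exclude Agent IDs (comma-separated list)"

def parse_id_list(raw: Optional[str]) -> List[str]:
    """Clean a 'comma-separated list' text input: trim whitespace, drop
    empty entries and keep the first occurrence of each ID, in order."""
    seen, ids = set(), []
    for item in (part.strip() for part in (raw or "").split(",")):
        if item and item not in seen:
            seen.add(item)
            ids.append(item)
    return ids

def _check_bounds(lower: Any, upper: Any, label: str) -> None:
    # Crossed bounds can never match an agent, so reject the query instead
    # of silently handing an empty result back to the playbook.
    if lower is not None and upper is not None and lower >= upper:
        raise ValueError(f"{label}: greater-than {lower} must be below less-than {upper}")

def build_agent_filter(params: Dict[str, Any]) -> Dict[str, Any]:
    """Validate the inputs from the parameter table and build the query dict
    a connector step would send for an agent-filter operation."""
    query: Dict[str, Any] = {}
    for label, key in FILTER_KEYS.items():
        value = params.get(label)
        if value is not None and value != "":  # False is a valid filter value
            query[key] = value
    _check_bounds(query.get("memory_gt"), query.get("memory_lt"), "Agent Memory (GB)")
    _check_bounds(query.get("core_count_gt"), query.get("core_count_lt"), "Agent Core Count")
    include = parse_id_list(params.get(IDS_LABEL))
    exclude = parse_id_list(params.get(EXCLUDE_LABEL))
    overlap = sorted(set(include) & set(exclude))
    if overlap:
        raise ValueError(f"agent IDs both included and excluded: {overlap}")
    if include:
        query["ids"] = include
    if exclude:
        query["exclude_ids"] = exclude
    skip = int(params.get("Skip Records") or 0)
    limit = int(params.get("Limit Records") or 100)
    if skip < 0 or limit <= 0:
        raise ValueError("Skip Records must be >= 0 and Limit Records > 0")
    query["skip"], query["limit"] = skip, limit
    return query

def fetch_all_agents(fetch_page: Callable[[Dict[str, Any]], List[Dict[str, Any]]],
                     params: Dict[str, Any], page_size: int = 100) -> List[Dict[str, Any]]:
    """Walk the result set with Skip Records / Limit Records until a short page
    comes back, so the playbook sees every matching agent, not only the first
    page.  fetch_page stands in for the connector's HTTP call."""
    query = build_agent_filter(params)
    query["limit"] = page_size
    agents: List[Dict[str, Any]] = []
    while True:
        page = fetch_page(dict(query))
        agents.extend(page)
        if len(page) < page_size:
            return agents
        query["skip"] += page_size

# Constructed sample inventory standing in for the SentinelOne server.
SAMPLE_AGENTS = [
    {"id": "a1", "name": "ws-01", "memory_gb": 8, "cores": 4, "active": True, "infected": False},
    {"id": "a2", "name": "ws-02", "memory_gb": 16, "cores": 8, "active": True, "infected": True},
    {"id": "a3", "name": "srv-01", "memory_gb": 64, "cores": 16, "active": False, "infected": False},
    {"id": "a4", "name": "ws-03", "memory_gb": 4, "cores": 2, "active": True, "infected": False},
]

def fake_fetch_page(q: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Apply the memory, status, ID and name filters to SAMPLE_AGENTS the way
    the server would (core count, version and OS are ignored here), then page."""
    def keep(a: Dict[str, Any]) -> bool:
        return (("memory_lt" not in q or a["memory_gb"] < q["memory_lt"])
                and ("memory_gt" not in q or a["memory_gb"] > q["memory_gt"])
                and ("is_active" not in q or a["active"] == q["is_active"])
                and ("infected" not in q or a["infected"] == q["infected"])
                and ("computer_name_like" not in q or q["computer_name_like"] in a["name"])
                and ("ids" not in q or a["id"] in q["ids"])
                and ("exclude_ids" not in q or a["id"] not in q["exclude_ids"]))
    matched = [a for a in SAMPLE_AGENTS if keep(a)]
    return matched[q["skip"]:q["skip"] + q["limit"]]
```

Running `fetch_all_agents(fake_fetch_page, {"Agent Memory Greater Than (GB)": 4, "Infected Status": True})` on the constructed inventory returns only agent a2.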
Input parameters for the Agent Action operation:
Parameter | Description |
---|---|
Action | Action to be performed. You can choose between the following actions: Isolate Agent Network, Decommission Agent, Uninstall Agent, or Shutdown Agent. |
Agent IDs (comma-separated list) | IDs of the agents, separated by commas. |
Group IDs (comma-separated list) | IDs of the agents' groups, separated by commas. |
Is Decommissioned | Agents' decommissioned status. |
Is Uninstalled | Agents' uninstall status. |
If you select Isolate Agent Network as the input action then the JSON output contains the number of agents that get isolated after the query is successfully run.
Following image displays a sample output:
If you select Decommission Agent as the input action then the JSON output contains the number of users that are decommissioned after the query is successfully run.
Following image displays a sample output:
If you select Uninstall Agent as the input action then the JSON output contains the number of agents that are uninstalled after the query is successfully run.
Following image displays a sample output:
If you select Shutdown Agent as the input action then the JSON output contains the number of agents that are affected by the shutdown operation after the query is successfully run.
Following image displays a sample output:
Input parameters for the Reconnect Agent Network operation:
Parameter | Description |
---|---|
Agent Memory Less Than (GB) | Agents whose memory size is less than the given value. |
Agent Memory Greater Than (GB) | Agents whose memory size is greater than the given value. |
Agent Core Count Less Than | Agents whose core count is less than the given value. |
Agent Core Count Greater Than | Agents whose core count is greater than the given value. |
Active Status | Active status of the agent. |
Infected Status | Infected status of the agent. |
Include Decommissioned | Whether to include decommissioned agents. |
Is Decommissioned | Whether the agent's current state is decommissioned. |
Agent IDs (comma-separated list) | Comma-separated list of agent IDs to include. |
Exclude Agent IDs (comma-separated list) | Comma-separated list of agent IDs to exclude. |
Computer Name Like | Agents whose computer name matches the specified name. |
Agent Version | Version of the agent. |
OS Type | Type of the OS used by the agent. |
Skip Records | Skips the specified number of results from the total results. |
Limit Records | Limits the results to the specified number. |
Network Status | Current network status of the agent. |
The JSON contains a Success message for the agents reconnected to the network.
Following image displays a sample output:
Input parameters for the Commission Agent operation:
Parameter | Description |
---|---|
Agent Id | ID of the agent you want to recommission. |
The JSON contains a Success message for the commissioning of the specified agent, or an Error message containing the reason for failure if the commissioning is not successful.
Following image displays a sample output:
Input parameters for the Get Agent Passphrase operation:
Parameter | Description |
---|---|
Agent Id | ID of the agent whose passphrase you want to retrieve. |
The JSON contains a string output with the passphrase that can be used to delete an offline agent.
Following image displays a sample output:
Input parameters for the List of Applications Installed on Agents operation:
Parameter | Description |
---|---|
Agent Id | ID of the agent for which you want to retrieve the list of installed applications. |
The JSON contains a list of application objects with information, such as name and installation date, about the applications installed on the specified agent.
Following image displays a sample output:
Input parameters for the List of Processes Running on Agents operation:
Parameter | Description |
---|---|
Agent Id | ID of the agent for which you want to retrieve the list of running processes. |
The JSON contains a list of running processes along with the process details for the specified agent.
Following image displays a sample output:
Input parameters for the Broadcast Message to Agent operation:
Parameter | Description |
---|---|
Message | Message that you want to broadcast to an agent or a list of agents. |
Agent Memory Less Than (GB) | Agents whose memory size is less than the given value. |
Agent Memory Greater Than (GB) | Agents whose memory size is greater than the given value. |
Agent Core Count Less Than | Agents whose core count is less than the given value. |
Agent Core Count Greater Than | Agents whose core count is greater than the given value. |
Active Status | Active status of the agent. |
Infected Status | Infected status of the agent. |
Include Decommissioned | Whether to include decommissioned agents. |
Is Decommissioned | Whether the agent's current state is decommissioned. |
Agent IDs (comma-separated list) | Comma-separated list of agent IDs to include. |
Exclude Agent IDs (comma-separated list) | Comma-separated list of agent IDs to exclude. |
Computer Name Like | Agents whose computer name matches the specified name. |
Agent Version | Version of the agent. |
OS Type | Type of the OS used by the agent. |
Skip Records | Skips the specified number of results from the total results. |
Limit Records | Limits the results to the specified number. |
Network Status | Current network status of the agent. |
The JSON output contains the number of agents that are affected by the broadcast operation after the query is successfully run.
Following image displays a sample output:
Input parameters for the Initiate Agent Scan operation:
Parameter | Description |
---|---|
Agent Memory Less Than (GB) | Agents whose memory size is less than the given value. |
Agent Memory Greater Than (GB) | Agents whose memory size is greater than the given value. |
Agent Core Count Less Than | Agents whose core count is less than the given value. |
Agent Core Count Greater Than | Agents whose core count is greater than the given value. |
Active Status | Active status of the agent. |
Infected Status | Infected status of the agent. |
Include Decommissioned | Whether to include decommissioned agents. |
Is Decommissioned | Whether the agent's current state is decommissioned. |
Agent IDs (comma-separated list) | Comma-separated list of agent IDs to include. |
Exclude Agent IDs (comma-separated list) | Comma-separated list of agent IDs to exclude. |
Computer Name Like | Agents whose computer name matches the specified name. |
Agent Version | Version of the agent. |
OS Type | Type of the OS used by the agent. |
Skip Records | Skips the specified number of results from the total results. |
Limit Records | Limits the results to the specified number. |
Network Status | Current network status of the agent. |
The JSON output contains the number of agents that are affected by the scan operation after the query is successfully run.
Following image displays a sample output:
Input parameters for the Abort Agent Scan operation:
Parameter | Description |
---|---|
Agent Memory Less Than (GB) | Agents whose memory size is less than the given value. |
Agent Memory Greater Than (GB) | Agents whose memory size is greater than the given value. |
Agent Core Count Less Than | Agents whose core count is less than the given value. |
Agent Core Count Greater Than | Agents whose core count is greater than the given value. |
Active Status | Active status of the agent. |
Infected Status | Infected status of the agent. |
Include Decommissioned | Whether to include decommissioned agents. |
Is Decommissioned | Whether the agent's current state is decommissioned. |
Agent IDs (comma-separated list) | Comma-separated list of agent IDs to include. |
Exclude Agent IDs (comma-separated list) | Comma-separated list of agent IDs to exclude. |
Computer Name Like | Agents whose computer name matches the specified name. |
Agent Version | Version of the agent. |
OS Type | Type of the OS used by the agent. |
Skip Records | Skips the specified number of results from the total results. |
Limit Records | Limits the results to the specified number. |
Network Status | Current network status of the agent. |
The JSON output contains the number of agents that are affected by the abort scan operation after the query is successfully run.
Following image displays a sample output:
Input parameters for the Get Hash Details operation:
Parameter | Description |
---|---|
Hash Id | Hash ID (SHA1 only) of the agent for which you want to retrieve details. |
The JSON contains the details of the specified hash ID.
Following image displays a sample output:
Input parameters for the Get Threat Details operation:
Parameter | Description |
---|---|
Threat Id | ID of the threat for which you want to retrieve details. |
The JSON contains the details of the specified threat ID.
Following image displays a sample output:
Input parameters for the Mitigate Threats operation:
Parameter | Description |
---|---|
Action | Action to be taken on the threat. You can choose between the following actions: Kill, Quarantine, Un-Quarantine, Remediate, or Rollback-Remediation. |
Threat Id | ID of the threat on which the action needs to be taken. |
Content Hash | Hash ID of the file associated with the threat. |
Threat Name | Name of the threat that requires mitigation. |
Agent Id | ID of the agent on which the threat has been identified. |
Skip Records | Skips the specified number of results from the total results. |
Limit Records | Limits the results to the specified number. |
From Scan | Whether the threat was detected as a result of a scan. |
Is Hidden | Whether the threat is hidden. |
The JSON contains a message about the threat being mitigated.
Following image displays a sample output:
Input parameters for the Mark Threat as Benign operation:
Parameter | Description |
---|---|
Threat Id | ID of the threat that is to be marked as safe. |
Content Hash | Hash ID of the file associated with the threat. |
Threat Name | Name of the threat that is to be marked as safe. |
Agent Id | ID of the agent on which the threat had been identified. |
Skip Records | Skips the specified number of results from the total results. |
Limit Records | Limits the results to the specified number. |
From Scan | Whether the threat was detected as a result of a scan. |
Is Hidden | Whether the threat is hidden. |
The JSON contains a message about the threat being marked as safe.
Following image displays a sample output:
Input parameters for the Fetch Agents Logs operation:
Parameter | Description |
---|---|
Agent Memory Less Than (GB) | Agents whose memory size is less than the given value. |
Agent Memory Greater Than (GB) | Agents whose memory size is greater than the given value. |
Agent Core Count Less Than | Agents whose core count is less than the given value. |
Agent Core Count Greater Than | Agents whose core count is greater than the given value. |
Active Status | Active status of the agent. |
Infected Status | Infected status of the agent. |
Include Decommissioned | Whether to include decommissioned agents. |
Is Decommissioned | Whether the agent's current state is decommissioned. |
Agent IDs (comma-separated list) | Comma-separated list of agent IDs to include. |
Exclude Agent IDs (comma-separated list) | Comma-separated list of agent IDs to exclude. |
Computer Name Like | Agents whose computer name matches the specified name. |
Agent Version | Version of the agent. |
OS Type | Type of the OS used by the agent. |
Skip Records | Skips the specified number of results from the total results. |
Limit Records | Limits the results to the specified number. |
Network Status | Current network status of the agent. |
The JSON output contains the number of agents whose logs are fetched after the query is successfully run.
Following image displays a sample output:
Input parameters for the Get Agent Count operation:
Parameter | Description |
---|---|
Agent Memory Less Than (GB) | Agents whose memory size is less than the given value. |
Agent Memory Greater Than (GB) | Agents whose memory size is greater than the given value. |
Agent Core Count Less Than | Agents whose core count is less than the given value. |
Agent Core Count Greater Than | Agents whose core count is greater than the given value. |
Active Status | Active status of the agent. |
Infected Status | Infected status of the agent. |
Include Decommissioned | Whether to include decommissioned agents. |
Is Decommissioned | Whether the agent's current state is decommissioned. |
Agent IDs (comma-separated list) | Comma-separated list of agent IDs to include. |
Exclude Agent IDs (comma-separated list) | Comma-separated list of agent IDs to exclude. |
Computer Name Like | Agents whose computer name matches the specified name. |
Agent Version | Version of the agent. |
OS Type | Type of the OS used by the agent. |
Skip Records | Skips the specified number of results from the total results. |
Limit Records | Limits the results to the specified number. |
Network Status | Current network status of the agent. |
The JSON output contains the number of available agents.
Following image displays a sample output:
Input parameters for the List All Threats operation:
Parameter | Description |
---|---|
Content Hash | Hash ID of the file associated with the threat. |
Threat Name | Name of the threat that you want to search for on all agents. |
Agent Id | ID of the agent for which you want to list all the threats. |
Skip Records | Skips the specified number of results from the total results. |
Limit Records | Limits the results to the specified number. |
From Scan | Whether the threat was detected as a result of a scan. |
Is Hidden | Whether the threat is hidden. |
The JSON contains the objects of the threats that are found after the query is successfully run.
Following image displays a sample output:
The Sample - SentinelOne - 1.0.0 playbook collection comes bundled with the SentinelOne connector. This playbook contains steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the SentinelOne connector.
This generally occurs when self-signed SSL certificates are in use. If you use self-signed certificates for testing or staging, keep in mind that this problem will not occur in production and you might need to switch certificate verification on or off accordingly.
Resolution:
Ensure that the SSL certificates are trusted, or that SSL checking is turned off in the wrapper script. Turning SSL checking off is not advised for production instances.
There are many reasons for a playbook failure, for example, if a required field is null in the target module record, or there are problems with the Playbook Appliance keys.
Resolution:
Investigate the reason for failure using the Running Playbooks tab in the Playbook Administration page. Review the step in which the failure is being generated and the result of the step, which should contain the trace of the error. Once you have identified the error, if you cannot troubleshoot it, contact Fortinet support for further assistance.
SentinelOne is a cybersecurity platform. SentinelOne unifies prevention, detection, and response in a single platform, enabling organizations to protect their user endpoint devices and critical servers against advanced malware, exploits, and other types of sophisticated threats.
This document provides information about the SentinelOne connector, which facilitates automated interactions, with a SentinelOne server using FortiSOAR™ playbooks. Add the SentinelOne connector as a step in FortiSOAR™ playbooks and perform automated operations, such as detecting threats at the endpoints, isolating or shutting down agents.
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later
Compatibility with SentinelOne Build Number: v2.0.0-EA#115 and later
For the procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the SentinelOne connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Host Name | Host name of the SentinelOne endpoint to which you will connect and perform the automated operations. |
Username | Username to access the SentinelOne endpoint for using the API endpoint. |
Password | Password to access the SentinelOne endpoint. |
Verify SSL | Verify SSL connection to the SentinelOne API endpoint. By default, this option is set as T rue . |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Agents | Retrieves a list of agents attached to an account. | list_agents Investigation |
Agent Action | Supports actions that can be performed on an agent. You must select Agent Action from the Action drop-down list and then select one of the following actions from the Action drop-down list in the Inputs section:Isolate Agent Network: Disconnects an agent from the network. Decommission Agent: Decommissions an agent. Uninstall Agent: Uninstalls agent software from the list of agents. Shutdown Agent: Shutdowns an agent's system. |
isolate_agent Containment |
Reconnect Agent Network | Reconnects a disconnected agent to the network. | reconnect_agent Remediation |
Commission Agent | Commissions a decommissioned agent. | commission_agent Remediation |
Get Agent Passphrase | Retrieves an agent's passphrase to uninstall an offline agent. | agent_passphrase Miscellaneous |
List of Applications Installed on Agents | Retrieves a list of applications installed on an agent. | list_applications Investigation |
List of Processes Running on Agents | Retrieves a list of processes running on an agent. | list_processes Investigation |
Broadcast Message to Agent | Broadcast a message to a specified agent system or a list of agent systems | broadcast_message Miscellaneous |
Initiate Agent Scan | Initiates scanning on a specified agent system. | scan_agent Investigation |
Abort Agent Scan | Aborts scanning on an agent system. | abort_scan Investigation |
Get Hash Details | Retrieve the details for a specified hash. | hash_details Investigation |
Get Threat Details | Retrieves details of a threat. | threat_details Investigation |
Mitigate Threats | Mitigates identified threats in the system. | mitigate_threats Remediation |
Mark Threat as Benign | Marks an identified threat as safe. | mark_threat_as_benign Remediation |
Fetch Agents Logs | Fetches logs from agents system to the SentinelOne cloud. | fetch_logs Investigation |
Get Agent Count | Retrieves the count of agents on a specified time, filtered by several parameters that you have specified. | agent_count Miscellaneous |
List All Threats | List all threats identified by SentinelOne on agents. You can additionally filter out the results by specifying the agent ID or the threat name. | list_threats Investigation |
Parameter | Description |
---|---|
Agent Memory Less Than (GB): | Memory size of the agent is lesser than given input. |
Agent Memory Greater Than (GB) | Memory size of the agent is greater than given input. |
Agent Core Count Less Than | Core count of agents is lesser than given input. |
Agent Core Count Greater Than | Core count of agents is greater than given input. |
Active Status | Active status of the agent. |
Infected Status | Infected status of the agent. |
Include Decommissioned | Include decommissioned status. |
Is Decommissioned | Is the current state decommissioned. |
Agent ID's (comma-separated list) | List of comma-separated agent ids. |
Exclude Agent ID's (comma-separated list) | List of comma-separated agent ids that are to be excluded. |
Computer Name Like | Agent that matches the specified name. |
Agent Version | Version of the agent. |
Skip Records | Skips the specified number of results from the total results. |
Limit Records | Limits the results to the specified number. |
Network Status | Current network status of the agent. |
A customized JSON output that is formatted for easy reference is the output for all the operations.
The JSON output contains a list of agents that are being monitored by the central account.
Following image displays a sample output:
Parameter | Description |
---|---|
Action | Action to be performed. You can choose between the following actions: Isolate Agent Network, Decommission Agent, Uninstall Agent, or Shutdown Agent. |
Agent ID's (comma-separated list) | ID of the agents separated by commas. |
Group Id's (comma separated list) | ID of the agents' groups separated by commas. |
Is Decommissioned | Agents' decommissioned status. |
Is Unistalled | Agents' uninstall status. |
If you select Isolate Agent Network as the input action then the JSON output contains the number of agents that get isolated after the query is successfully run.
Following image displays a sample output:
If you select Decommission Agent as the input action then the JSON output contains the number of users that are decommissioned after the query is successfully run.
Following image displays a sample output:
If you select Uninstall Agent as the input action then the JSON output contains the number of agents that are uninstalled after the query is successfully run.
Following image displays a sample output:
If you select Shutdown Agent as the input action then the JSON output contains the number of agents that are affected by the shutdown operation after the query is successfully run.
Following image displays a sample output:
Parameter | Description |
---|---|
Agent Memory Less Than (GB): | Memory size of the agent is lesser than given input. |
Agent Memory Greater Than (GB) | Memory size of the agent is greater than given input. |
Agent Core Count Less Than | Core count of agents is lesser than given input. |
Agent Core Count Greater Than | Core count of agents is greater than given input. |
Active Status | Active status of the agent. |
Infected Status | Infected status of the agent. |
Include Decommissioned | Include decommissioned status. |
Is Decommissioned | Is the current state decommissioned. |
Agent ID's (comma-separated list) | List of comma-separated agent ids. |
Exclude Agent ID's (comma-separated list) | List of comma-separated agent ids that are to be excluded. |
Computer Name Like | Agent that matches the specified name. |
Agent Version | Version of the agent. |
OS Type | Type of the OS used by the agent. |
Skip Records | Skips the specified number of results from the total results. |
Limit Records | Limits the results to the specified number. |
Network Status | Current network status of the agent. |
The JSON contains a Success
message of agents reconnected back into the network.
Following image displays a sample output:
Parameter | Description |
---|---|
Agent Id | ID of the agent you want to recommission. |
The JSON contains a Success
message of the commissioning of the specified agent, or an Error
message containing the reason for failure if the commissioning is not successful.
Following image displays a sample output:
Parameter | Description |
---|---|
Agent Id | ID of the agent whose passphrase who want to retrieve. |
The JSON contains a string output with the passphrase that can be used to delete an offline agent.
Following image displays a sample output:
Parameter | Description |
---|---|
Agent Id | ID of the agent for which you want to retrieve the list of installed applications. |
The JSON contains a list of application objects including information such as name, installation date, about the applications installed on the specified agent.
Following image displays a sample output:
Parameter | Description |
---|---|
Agent Id | ID of the agent for which you want to retrieve the list of running processes. |
The JSON contains a list of running processes along with the process details for the specified agent.
Following image displays a sample output:
Parameter | Description |
---|---|
Message | Message that you want to broadcast to an agent or a list of agents. |
Agent Memory Less Than (GB): | Memory size of the agent is lesser than given input. |
Agent Memory Greater Than (GB) | Memory size of the agent is greater than given input. |
Agent Core Count Less Than | Core count of agents is lesser than given input. |
Agent Core Count Greater Than | Core count of agents is greater than given input. |
Active Status | Active status of the agent. |
Infected Status | Infected status of the agent. |
Include Decommissioned | Include decommissioned status. |
Is Decommissioned | Is the current state decommissioned. |
Agent ID's (comma-separated list) | List of comma-separated agent ids. |
Exclude Agent ID's (comma-separated list) | List of comma-separated agent ids that are to be excluded. |
Computer Name Like | Agent that matches the specified name. |
Agent Version | Version of the agent. |
OS Type | Type of the OS used by the agent. |
Skip Records | Skips the specified number of results from the total results. |
Limit Records | Limits the results to the specified number. |
Network Status | Current network status of the agent. |
The JSON output contains the number of agents that are affected by the broadcast operation after the query is successfully run.
Following image displays a sample output:
Parameter | Description |
---|---|
Agent Memory Less Than (GB): | Memory size of the agent is lesser than given input. |
Agent Memory Greater Than (GB) | Memory size of the agent is greater than given input. |
Agent Core Count Less Than | Core count of agents is lesser than given input. |
Agent Core Count Greater Than | Core count of agents is greater than given input. |
Active Status | Active status of the agent. |
Infected Status | Infected status of the agent. |
Include Decommissioned | Include decommissioned status. |
Is Decommissioned | Is the current state decommissioned. |
Agent ID's (comma-separated list) | List of comma-separated agent ids. |
Exclude Agent ID's (comma-separated list) | List of comma-separated agent ids that are to be excluded. |
Computer Name Like | Agent that matches the specified name. |
Agent Version | Version of the agent. |
OS Type | Type of the OS used by the agent. |
Skip Records | Skips the specified number of results from the total results. |
Limit Records | Limits the results to the specified number. |
Network Status | Current network status of the agent. |
The JSON output contains the number of agents that are affected by the scan operation after the query is successfully run.
Following image displays a sample output:
Parameter | Description |
---|---|
Agent Memory Less Than (GB): | Memory size of the agent is lesser than given input. |
Agent Memory Greater Than (GB) | Memory size of the agent is greater than given input. |
Agent Core Count Less Than | Core count of agents is lesser than given input. |
Agent Core Count Greater Than | Core count of agents is greater than given input. |
Active Status | Active status of the agent. |
Infected Status | Infected status of the agent. |
Include Decommissioned | Include decommissioned status. |
Is Decommissioned | Is the current state decommissioned. |
Agent ID's (comma-separated list) | List of comma-separated agent ids. |
Exclude Agent ID's (comma-separated list) | List of comma-separated agent ids that are to be excluded. |
Computer Name Like | Agent that matches the specified name. |
Agent Version | Version of the agent. |
OS Type | Type of the OS used by the agent. |
Skip Records | Skips the specified number of results from the total results. |
Limit Records | Limits the results to the specified number. |
Network Status | Current network status of the agent. |
The JSON output contains the number of agents that are affected by the abort scan operation after the query is successfully run.
Following image displays a sample output:
Parameter | Description |
---|---|
Hash ID | Hash ID (SHA1 only) for which you want to retrieve details. |
The JSON output contains the details of the specified hash ID.
The following image displays a sample output:
Parameter | Description |
---|---|
Threat Id | ID of the threat for which you want to retrieve details. |
The JSON output contains the details of the specified threat ID.
The following image displays a sample output:
Parameter | Description |
---|---|
Action | Action to take on the threat. Choose one of the following: Kill, Quarantine, Un-Quarantine, Remediate, or Rollback-Remediation. |
Threat Id | ID of the threat on which the action is to be taken. |
Content Hash | Hash ID of the file associated with the threat. |
Threat Name | Name of the threat that requires mitigation. |
Agent Id | ID of the agent on which the threat was identified. |
Skip Records | Number of results to skip from the start of the total result set; used together with Limit Records for paging. |
Limit Records | Maximum number of results to return. |
From Scan | Whether the threat was detected as a result of a scan. |
Is Hidden | Whether the threat is hidden. |
The JSON output contains a message confirming that the threat was mitigated.
The following image displays a sample output:
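Two inputs above are worth checking before a playbook step fires them: the hash-details lookup accepts SHA1 only, and the mitigation action must be one of the five listed values. The Python below is an added example, not code from the connector or from SentinelOne: it rejects MD5 and SHA256 values passed as a hash ID, canonicalises the action name, and refuses to build a mitigation request that carries no threat selector at all, so a mis-wired step cannot issue a Kill or Quarantine against an unbounded set. The requirement of at least one selector and the returned dictionary layout (`action`, `filter`, key names) are this example's own assumptions, not documented connector behaviour.

```python
import re
from typing import Any, Dict, Optional

# The five actions the Mitigate Threat operation documents.
MITIGATION_ACTIONS = ("Kill", "Quarantine", "Un-Quarantine", "Remediate", "Rollback-Remediation")
_ACTION_BY_LOWER = {a.lower(): a for a in MITIGATION_ACTIONS}
_SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def validate_sha1(hash_id: str) -> str:
    """Return the hash lower-cased, or raise if it is not a 40-hex-digit SHA1."""
    text = (hash_id or "").strip()
    if not _SHA1_RE.fullmatch(text):
        hint = {32: "looks like MD5", 64: "looks like SHA256"}.get(
            len(text), "expected 40 hexadecimal characters")
        raise ValueError(f"Hash ID must be SHA1 ({hint})")
    return text.lower()


def build_hash_lookup(hash_id: str) -> Dict[str, str]:
    """Input for the hash-details operation; key name is this example's assumption."""
    return {"hash_id": validate_sha1(hash_id)}


def canonical_action(action: str) -> str:
    """Map 'quarantine' or ' KILL ' to the documented spelling, or raise."""
    key = (action or "").strip().lower()
    if key not in _ACTION_BY_LOWER:
        raise ValueError(f"unsupported action {action!r}; choose one of {MITIGATION_ACTIONS}")
    return _ACTION_BY_LOWER[key]


def build_mitigation_request(action: str, *,
                             threat_id: Optional[str] = None,
                             content_hash: Optional[str] = None,
                             threat_name: Optional[str] = None,
                             agent_id: Optional[str] = None,
                             from_scan: Optional[bool] = None,
                             is_hidden: Optional[bool] = None,
                             skip: Optional[int] = None,
                             limit: Optional[int] = None) -> Dict[str, Any]:
    """Assemble the Mitigate Threat inputs, refusing an unscoped request."""
    filt: Dict[str, Any] = {}
    for key, value in (("threat_id", threat_id), ("content_hash", content_hash),
                       ("threat_name", threat_name), ("agent_id", agent_id)):
        if value is not None and str(value).strip():
            filt[key] = str(value).strip()
    # Guard added by this example: without a selector the action would apply
    # to whatever the empty filter matches, which is never what a step intends.
    if not filt:
        raise ValueError("refusing to build a mitigation request with no threat selector")
    for key, value in (("from_scan", from_scan), ("is_hidden", is_hidden)):
        if value is not None:
            filt[key] = bool(value)
    for key, value in (("skip", skip), ("limit", limit)):
        if value is not None:
            number = int(value)
            if number < 0:
                raise ValueError(f"{key} must not be negative")
            filt[key] = number
    return {"action": canonical_action(action), "filter": filt}


if __name__ == "__main__":
    # Constructed sample values: the SHA1 of an empty file and a made-up threat ID.
    print(build_hash_lookup("DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"))
    print(build_mitigation_request("quarantine", threat_id="threat-example-1", agent_id="agent-7"))
```

Raising on a bad hash or an unscoped action makes the playbook step fail visibly in the Running Playbooks view instead of returning an ambiguous "0 threats mitigated".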
Parameter | Description |
---|---|
Threat Id | ID of the threat to mark as safe. |
Content Hash | Hash ID of the file associated with the threat. |
Threat Name | Name of the threat to mark as safe. |
Agent Id | ID of the agent on which the threat was identified. |
Skip Records | Number of results to skip from the start of the total result set; used together with Limit Records for paging. |
Limit Records | Maximum number of results to return. |
From Scan | Whether the threat was detected as a result of a scan. |
Is Hidden | Whether the threat is hidden. |
The JSON output contains a message confirming that the threat was marked as safe.
The following image displays a sample output:
Parameter | Description |
---|---|
Agent Memory Less Than (GB) | Returns agents whose memory size is less than the given value, in GB. |
Agent Memory Greater Than (GB) | Returns agents whose memory size is greater than the given value, in GB. |
Agent Core Count Less Than | Returns agents whose core count is less than the given value. |
Agent Core Count Greater Than | Returns agents whose core count is greater than the given value. |
Active Status | Active status of the agent. |
Infected Status | Infected status of the agent. |
Include Decommissioned | Whether to include decommissioned agents in the results. |
Is Decommissioned | Filters agents by whether their current state is decommissioned. |
Agent ID's (comma-separated list) | Comma-separated list of agent IDs to include. |
Exclude Agent ID's (comma-separated list) | Comma-separated list of agent IDs to exclude from the results. |
Computer Name Like | Returns agents whose computer name matches the specified pattern. |
Agent Version | Version of the agent software. |
OS Type | Type of operating system running on the agent. |
Skip Records | Number of results to skip from the start of the total result set; used together with Limit Records for paging. |
Limit Records | Maximum number of results to return. |
Network Status | Current network status of the agent. |
The JSON output contains the number of agents whose logs were fetched after the query runs successfully.
The following image displays a sample output:
Parameter | Description |
---|---|
Agent Memory Less Than (GB) | Returns agents whose memory size is less than the given value, in GB. |
Agent Memory Greater Than (GB) | Returns agents whose memory size is greater than the given value, in GB. |
Agent Core Count Less Than | Returns agents whose core count is less than the given value. |
Agent Core Count Greater Than | Returns agents whose core count is greater than the given value. |
Active Status | Active status of the agent. |
Infected Status | Infected status of the agent. |
Include Decommissioned | Whether to include decommissioned agents in the results. |
Is Decommissioned | Filters agents by whether their current state is decommissioned. |
Agent ID's (comma-separated list) | Comma-separated list of agent IDs to include. |
Exclude Agent ID's (comma-separated list) | Comma-separated list of agent IDs to exclude from the results. |
Computer Name Like | Returns agents whose computer name matches the specified pattern. |
Agent Version | Version of the agent software. |
OS Type | Type of operating system running on the agent. |
Skip Records | Number of results to skip from the start of the total result set; used together with Limit Records for paging. |
Limit Records | Maximum number of results to return. |
Network Status | Current network status of the agent. |
The JSON output contains the number of available agents.
The following image displays a sample output:
Parameter | Description |
---|---|
Content Hash | Hash ID of the file associated with the threat. |
Threat Name | Name of the threat to search for across all agents. |
Agent Id | ID of the agent whose threats you want to list. |
Skip Records | Number of results to skip from the start of the total result set; used together with Limit Records for paging. |
Limit Records | Maximum number of results to return. |
From Scan | Whether the threat was detected as a result of a scan. |
Is Hidden | Whether the threat is hidden. |
The JSON output contains the threat objects found after the query runs successfully.
The following image displays a sample output:
The Sample - SentinelOne - 1.0.0 playbook collection comes bundled with the SentinelOne connector. This playbook contains steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the SentinelOne connector.
This generally occurs when the SentinelOne server uses a self-signed SSL certificate. If you are using self-signed certificates for testing or staging, keep in mind that this problem will not occur in production, where trusted certificates are used, so you may need to turn certificate verification on or off accordingly.
Resolution:
Ensure that the SSL certificates are trusted, or turn off SSL checking in the wrapper script (the Verify SSL connector parameter). Turning SSL checking off is not advised for production instances.
There are many reasons for a playbook failure, for example, a required field is null in the target module record, or there are problems with the Playbook Appliance keys.
Resolution:
Investigate the reason for the failure using the Running Playbooks tab on the Playbook Administration page. Review the step in which the failure is generated and the result of that step, which should contain the trace of the error. Once you have identified the error, if you cannot troubleshoot it yourself, contact Fortinet support for further assistance.