Fortinet Document Library

About the connector

SentinelOne is a cybersecurity platform that unifies prevention, detection, and response in a single product, enabling organizations to protect their user endpoint devices and critical servers against advanced malware, exploits, and other sophisticated threats.

This document provides information about the SentinelOne connector, which facilitates automated interactions with a SentinelOne server using FortiSOAR™ playbooks. Add the SentinelOne connector as a step in FortiSOAR™ playbooks to perform automated operations such as detecting threats on endpoints and isolating or shutting down agents.

Version information

Connector Version: 2.0.0

FortiSOAR™ Version Tested on: 5.1.1-58

SentinelOne Build Version Tested on: v2.0.0-EA#115

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.0

The following enhancements have been made to the SentinelOne connector in version 2.0.0:

  • Added the following new operations and playbooks:
    • Create Query And Get Query ID
    • Get Query Status
    • Get Events
    • Get Events By Type
    • Cancel Running Query
    • Get Application Network Connections
    • Get Application Forensic Details
    • Export Forensics Application
    • Get Threat Seen on Network
    • Get Threat Network Connections
    • Threat Forensic Details
    • Export Threat
    • Get Application Forensics
    • Get Threat Forensics
    • Get Application Count
    • Get CVEs
    • Export Applications Risk
    • Get Applications
    • Get Application CVEs
  • Renamed the following operations:
    • List of Applications Installed on Agents to Get Agent Application
    • List of Processes Running on Agents to Get Agent Process
  • Removed the Commission Agent operation.

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as the root user to install connectors:

yum install cyops-connector-sentinelone

Prerequisites to configuring the connector

  • You must have the URL of the SentinelOne REST endpoint to which you will connect to perform the automated operations, and credentials (a username-password pair) to access that endpoint.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the SentinelOne connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

  • Server URL: URL of the SentinelOne endpoint to which you will connect and perform the automated operations.
  • Username: Username to access the SentinelOne API endpoint. Important: The minimum role required for the user to use the API endpoint is "Site Viewer".
  • Password: Password to access the SentinelOne endpoint.
  • Verify SSL: Verify the SSL connection to the SentinelOne API endpoint. By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks, and from FortiSOAR™ release 4.10.0 onwards you can also use the annotations to access operations. Each operation is listed with its annotation and category in parentheses:

  • Get Agents (list_agents, Investigation): Retrieves a list of agents attached to an account from SentinelOne based on the input parameters you have specified.
  • Agent Action (isolate_agent, Containment): Performs the action that you select on agents in SentinelOne based on the action, agent IDs, and other input parameters you have specified.
  • Reconnect Agent (reconnect_agent, Remediation): Reconnects a disconnected agent to the network in SentinelOne based on the input parameters you have specified.
  • Get Agent Passphrase (agent_passphrase, Miscellaneous): Retrieves an agent's passphrase, which is used to uninstall an offline agent, from SentinelOne based on the agent ID you have specified.
  • Get Agent Application (list_applications, Investigation): Retrieves a list of applications installed on an agent in SentinelOne based on the agent ID you have specified.
  • Get Agent Process (list_processes, Investigation): Retrieves a list of processes running on an agent in SentinelOne based on the agent ID you have specified.
  • Broadcast Message to Agent (broadcast_message, Miscellaneous): Broadcasts a message to a specified agent system or a list of agent systems in SentinelOne based on the agent ID, message, and other input parameters you have specified.
  • Initiate Agent Scan (scan_agent, Investigation): Initiates a scan on a specified agent system or on all agents in SentinelOne based on the input parameters you have specified.
  • Abort Agent Scan (abort_scan, Investigation): Aborts a running scan on a specified agent system or on all agents in SentinelOne based on the input parameters you have specified.
  • Get Hash Details (hash_details, Investigation): Retrieves the details for a specified hash from SentinelOne based on the hash ID you have specified.
  • Get Threat Details (threat_details, Investigation): Retrieves the details for a specified threat from SentinelOne based on the threat ID you have specified.
  • Mitigate Threat (mitigate_threats, Remediation): Mitigates identified threats in the SentinelOne system based on the threat ID, action, and other input parameters you have specified.
  • Mark Threat as Benign (mark_threat_as_benign, Remediation): Marks an identified threat as safe in SentinelOne based on the threat ID, target scope, and other input parameters you have specified.
  • Fetch Agents Logs (fetch_logs, Investigation): Retrieves logs from agent systems to the SentinelOne cloud based on the input parameters you have specified.
  • Get Agent Count (agent_count, Miscellaneous): Retrieves the count of agents in SentinelOne filtered by the input parameters you have specified.
  • List All Threats (list_threats, Investigation): Lists all threats identified by SentinelOne on agents. You can additionally filter the results by specifying the agent ID or the threat name.
  • Create Query And Get Query ID (create_query, Investigation): Starts a deep visibility query and retrieves the query ID from SentinelOne based on the query, date range, and other input parameters you have specified.
  • Get Query Status (get_query_status, Investigation): Retrieves the status of a deep visibility query from SentinelOne based on the query ID you have specified.
  • Get Events (get_events, Investigation): Retrieves the deep visibility events associated with a query from SentinelOne based on the query ID and other input parameters you have specified.
  • Get Events By Type (get_events_by_type, Investigation): Retrieves the deep visibility events associated with a query from SentinelOne based on the query ID, event type, and other input parameters you have specified.
  • Cancel Running Query (cancel_running_query, Investigation): Stops a deep visibility query that is running on SentinelOne based on the query ID you have specified.
  • Get Application Network Connections (application_forensic_connections, Investigation): Retrieves network connections for a specific agent application on SentinelOne based on the application ID and other input parameters you have specified.
  • Get Application Forensic Details (application_forensic_details, Investigation): Retrieves detailed forensics data for a specific agent application on SentinelOne based on the application ID and other input parameters you have specified.
  • Export Forensics Application (export_forensics_application, Investigation): Exports forensics data for a specific agent application, in CSV or JSON format, from SentinelOne based on the application ID and other input parameters you have specified.
  • Get Threat Seen on Network (threat_seen_on_network, Investigation): Retrieves "seen on network" details for a specific threat in SentinelOne based on the threat ID and other input parameters you have specified.
  • Get Threat Network Connections (threat_forensic_connections, Investigation): Retrieves network connections for a specific threat on SentinelOne based on the threat ID and other input parameters you have specified.
  • Threat Forensic Details (threat_forensic_details, Investigation): Retrieves detailed forensics data for a specific threat on SentinelOne based on the threat ID you have specified.
  • Export Threat (export_forensics_threat, Investigation): Exports a threat along with its associated events, in CSV or JSON format, from SentinelOne based on the threat ID and export format you have specified.
  • Get Application Forensics (application_forensics, Investigation): Retrieves forensics data for a specific application on SentinelOne based on the application ID and other input parameters you have specified.
  • Get Threat Forensics (threat_forensics, Investigation): Retrieves forensics data for a specific threat on SentinelOne based on the threat ID and export format you have specified.
  • Free Text (free_text_filters, Investigation): Retrieves a metadata list of all the available free-text filters in SentinelOne.
  • Get Application Count (get_application_count, Investigation): Retrieves the count of applications from SentinelOne by risk level or by the filters and other input parameters you have specified.
  • Get CVEs (get_cve, Investigation): Retrieves all known CVEs for applications from SentinelOne based on the input parameters you have specified. Note: This is available for the complete SKU only.
  • Export Applications Risk (export_applications_risk, Investigation): Exports the installed applications and CVE list from SentinelOne based on the input parameters you have specified.
  • Get Applications (get_applications, Investigation): Retrieves a list of all installed applications per endpoint, including risk levels, from SentinelOne based on the input parameters you have specified. Note: This is available for the complete SKU only.
  • Get Application CVEs (get_application_cve, Investigation): Retrieves all known CVEs for a specific application, along with application and endpoint information, from SentinelOne based on the application ID you have specified. Note: This is available for the complete SKU only.

operation: Get Agents

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

  • Agent Memory Less Than (GB): Retrieve only those agents whose memory size is less than the given input from SentinelOne.
  • Agent Memory Greater Than (GB): Retrieve only those agents whose memory size is greater than the given input from SentinelOne.
  • Agent Core Count Less Than: Retrieve only those agents whose core count is less than the given input from SentinelOne.
  • Agent Core Count Greater Than: Retrieve only those agents whose core count is greater than the given input from SentinelOne.
  • Is Active: Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Active".
  • Is Infected: Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Infected".
  • Is Decommissioned: Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Decommissioned".
  • Agent IDs: List of comma-separated agent IDs that you want to retrieve from SentinelOne.
  • Computer Name Like: Retrieve only those agents that match the specified name from SentinelOne.
  • Agent Version: Version of the agent that you want to retrieve from SentinelOne.
  • Limit: Maximum number of results, per page, that this operation should return.
  • Skip Records: Skips the specified number of results from the total results.
  • Network Status: Select the network status of the agent that you want to retrieve from SentinelOne. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

A customized JSON output that is formatted for easy reference is the output for all the operations.

The output contains the following populated JSON schema:
{
     "agentVersion": "",
     "allowRemoteShell": "",
     "modelName": "",
     "encryptedApplications": "",
     "cpuId": "",
     "totalMemory": "",
     "lastLoggedInUserName": "",
     "activeDirectory": {
         "computerMemberOf": [],
         "lastUserMemberOf": [],
         "computerDistinguishedName": "",
         "lastUserDistinguishedName": ""
     },
     "siteId": "",
     "uuid": "",
     "coreCount": "",
     "machineType": "",
     "osType": "",
     "createdAt": "",
     "osStartTime": "",
     "groupIp": "",
     "networkInterfaces": [
         {
             "inet6": [],
             "name": "",
             "inet": [],
             "id": "",
             "physical": ""
         }
     ],
     "cpuCount": "",
     "appsVulnerabilityStatus": "",
     "registeredAt": "",
     "scanStatus": "",
     "infected": "",
     "isPendingUninstall": "",
     "licenseKey": "",
     "lastActiveDate": "",
     "groupId": "",
     "osRevision": "",
     "osName": "",
     "groupName": "",
     "mitigationModeSuspicious": "",
     "consoleMigrationStatus": "",
     "isUpToDate": "",
     "osUsername": "",
     "updatedAt": "",
     "osArch": "",
     "domain": "",
     "activeThreats": "",
     "accountId": "",
     "inRemoteShellSession": "",
     "locations": [],
     "scanAbortedAt": "",
     "mitigationMode": "",
     "userActionsNeeded": [],
     "id": "",
     "isActive": "",
     "externalIp": "",
     "siteName": "",
     "scanStartedAt": "",
     "locationType": "",
     "isUninstalled": "",
     "networkStatus": "",
     "isDecommissioned": "",
     "computerName": "",
     "scanFinishedAt": "",
     "accountName": "",
     "externalId": ""
}

operation: Agent Action

Input parameters

  • Action: Select the action that you want to perform on the specified agent in SentinelOne. You can choose from the following actions: Isolate Agent Network, Decommission Agent, Uninstall Agent, or Shutdown Agent.
  • Agent IDs: List of comma-separated agent IDs on which you want to perform actions in SentinelOne.
  • Group IDs (Optional): List of comma-separated agent group IDs on which you want to perform actions in SentinelOne.
  • Is Decommissioned: Select this checkbox if the status of the agent on which you want to perform actions in SentinelOne is set as "Decommissioned".
  • Is Uninstalled: Select this checkbox if the status of the agent on which you want to perform actions in SentinelOne is set as "Uninstalled".

Output

The output contains the following populated JSON schema:
{
     "affected": ""
}

operation: Reconnect Agent

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

  • Agent Memory Less Than (GB): Reconnects only those agents to the network in SentinelOne whose memory size is less than the given input.
  • Agent Memory Greater Than (GB): Reconnects only those agents to the network in SentinelOne whose memory size is greater than the given input.
  • Agent Core Count Less Than: Reconnects only those agents to the network in SentinelOne whose core count is less than the given input.
  • Agent Core Count Greater Than: Reconnects only those agents to the network in SentinelOne whose core count is greater than the given input.
  • Is Active: Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Active".
  • Is Infected: Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Infected".
  • Is Decommissioned: Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Decommissioned".
  • Agent IDs: List of comma-separated agent IDs that you want to reconnect to the SentinelOne network.
  • Computer Name Like: Reconnects only those agents to the network in SentinelOne that match the specified computer name.
  • Agent Version: Version of the agent that you want to reconnect to the SentinelOne network.
  • OS Type: Select the OS type of the agent that you want to reconnect to the SentinelOne network. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
  • Network Status: Select the network status of the agent that you want to reconnect to the SentinelOne network. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON output contains a success message for the agents that were reconnected to the network.

The output contains the following populated JSON schema:
{
     "affected": ""
}

operation: Get Agent Passphrase

Input parameters

  • Agent ID: ID of the agent whose passphrase you want to retrieve from SentinelOne. This passphrase can be used to delete an offline agent from SentinelOne.

Output

The JSON contains a string output with the passphrase that can be used to delete an offline agent.

The output contains the following populated JSON schema:
{
     "lastLoggedInUserName": "",
     "passphrase": "",
     "domain": "",
     "id": "",
     "computerName": "",
     "uuid": ""
}

operation: Get Agent Application

Input parameters

  • Agent Id: ID of the agent whose list of installed applications you want to retrieve from SentinelOne.

Output

The JSON contains a list of application objects with information, such as the name and installation date, about each application installed on the specified agent.

The output contains the following populated JSON schema:
{
     "name": "",
     "version": "",
     "size": "",
     "publisher": "",
     "installedDate": ""
}

operation: Get Agent Process

Input parameters

  • Agent Id: ID of the agent whose list of running processes you want to retrieve from SentinelOne.

Output

The JSON contains a list of running processes along with the process details for the specified agent.

The output contains the following populated JSON schema:
{
     "cpuUsage": "",
     "memoryUsage": "",
     "pid": "",
     "executablePath": "",
     "startTime": "",
     "processName": ""
}

operation: Broadcast Message to Agent

Input parameters

  • Message: Message that you want to broadcast to an agent or a list of agents in SentinelOne.
  • Agent IDs: List of comma-separated agent IDs in SentinelOne to which you want to broadcast the specified message.
  • Agent Memory Less Than (GB) (Optional): Broadcast the message to only those agents whose memory size is less than the given input from SentinelOne.
  • Agent Memory Greater Than (GB) (Optional): Broadcast the message to only those agents whose memory size is greater than the given input from SentinelOne.
  • Agent Core Count Less Than (Optional): Broadcast the message to only those agents whose core count is less than the given input from SentinelOne.
  • Agent Core Count Greater Than (Optional): Broadcast the message to only those agents whose core count is greater than the given input from SentinelOne.
  • Is Active: Select this checkbox if the status of the agent to which you want to broadcast a message is set as "Active".
  • Is Infected: Select this checkbox if the status of the agent to which you want to broadcast a message is set as "Infected".
  • Is Decommissioned: Select this checkbox if the status of the agent to which you want to broadcast a message is set as "Decommissioned".
  • Computer Name Like (Optional): Broadcast the message to only those agents that match the specified computer name in SentinelOne.
  • Agent Version: Version of the agent to which you want to broadcast the message.
  • OS Type: Select the OS type of the agent in the SentinelOne network to which you want to broadcast the message. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
  • Network Status: Select the network status of the agent in SentinelOne to which you want to broadcast the message. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON output contains the number of agents that are affected by the broadcast operation after the query is successfully run.

The output contains the following populated JSON schema:
{
     "affected": ""
}

operation: Initiate Agent Scan

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

  • Agent Memory Less Than (GB): Initiates a scan on only those agents whose memory size is less than the given input from SentinelOne.
  • Agent Memory Greater Than (GB): Initiates a scan on only those agents whose memory size is greater than the given input from SentinelOne.
  • Agent Core Count Less Than: Initiates a scan on only those agents whose core count is less than the given input from SentinelOne.
  • Agent Core Count Greater Than: Initiates a scan on only those agents whose core count is greater than the given input from SentinelOne.
  • Is Active: Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Active".
  • Is Infected: Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Infected".
  • Is Decommissioned: Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Decommissioned".
  • Agent IDs: List of comma-separated agent IDs on which you want to initiate a scan in SentinelOne.
  • Computer Name Like: Initiate the scan only on those agents that match the specified computer name.
  • Agent Version: Version of the agent on which you want to initiate a scan.
  • OS Type: Select the OS type of the agent in SentinelOne on which you want to initiate the scan. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
  • Network Status: Select the network status of the agent in SentinelOne on which you want to initiate the scan. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON output contains the number of agents that are affected by the scan operation after the query is successfully run.

The output contains the following populated JSON schema:
{
     "affected": ""
}

operation: Abort Agent Scan

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

  • Agent Memory Less Than (GB): Aborts the scan on only those agents whose memory size is less than the given input from SentinelOne.
  • Agent Memory Greater Than (GB): Aborts the scan on only those agents whose memory size is greater than the given input from SentinelOne.
  • Agent Core Count Less Than: Aborts the scan on only those agents whose core count is less than the given input from SentinelOne.
  • Agent Core Count Greater Than: Aborts the scan on only those agents whose core count is greater than the given input from SentinelOne.
  • Is Active: Select this checkbox if the status of the agent on which you want to abort the scan is set as "Active".
  • Is Infected: Select this checkbox if the status of the agent on which you want to abort the scan is set as "Infected".
  • Is Decommissioned: Select this checkbox if the status of the agent on which you want to abort the scan is set as "Decommissioned".
  • Agent IDs: List of comma-separated agent IDs on which you want to abort the scan in SentinelOne.
  • Computer Name Like: Abort the scan only on those agents that match the specified computer name.
  • Agent Version: Version of the agent on which you want to abort the scan.
  • OS Type: Select the OS type of the agent in SentinelOne on which you want to abort the scan. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
  • Network Status: Select the network status of the agent in SentinelOne on which you want to abort the scan. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON output contains the number of agents that are affected by the abort scan operation after the query is successfully run.

The output contains the following populated JSON schema:
{
     "affected": ""
}

operation: Get Hash Details

Input parameters

  • Hash ID: ID (SHA1 only) of the hash whose details you want to retrieve from SentinelOne.

Output

The JSON contains the details of the specified hash ID.

The output contains the following populated JSON schema:
{
     "rank": ""
}

operation: Get Threat Details

Input parameters

  • Threat Id: ID of the threat whose details you want to retrieve from SentinelOne.

Output

The JSON contains the details of the specified threat ID.

The output contains the following populated JSON schema:
{
     "cloudVerdict": "",
     "agentDomain": "",
     "fileIsDotNet": "",
     "id": "",
     "maliciousProcessArguments": "",
     "accountId": "",
     "fromScan": "",
     "agentId": "",
     "fileCreatedDate": "",
     "maliciousGroupId": "",
     "markedAsBenign": "",
     "isInteractiveSession": "",
     "siteName": "",
     "classifierName": "",
     "fileExtensionType": "",
     "indicators": [],
     "classificationSource": "",
     "classification": "",
     "createdAt": "",
     "mitigationStatus": "",
     "description": "",
     "agentOsType": "",
     "filePath": "",
     "agentInfected": "",
     "fileObjectId": "",
     "username": "",
     "threatAgentVersion": "",
     "browserType": "",
     "fileContentHash": "",
     "fileDisplayName": "",
     "publisher": "",
     "rank": "",
     "isPartialStory": "",
     "engines": [],
     "threatName": "",
     "annotation": "",
     "certId": "",
     "accountName": "",
     "isCertValid": "",
     "collectionId": "",
     "fileSha256": "",
     "resolved": "",
     "updatedAt": "",
     "agentIsDecommissioned": "",
     "agentIsActive": "",
     "agentVersion": "",
     "agentIp": "",
     "agentComputerName": "",
     "fromCloud": "",
     "fileIsExecutable": "",
     "createdDate": "",
     "siteId": "",
     "fileIsSystem": "",
     "annotationUrl": "",
     "whiteningOptions": [],
     "agentMachineType": "",
     "agentNetworkStatus": "",
     "mitigationMode": "",
     "mitigationReport": {
         "quarantine": {
             "status": ""
         },
         "kill": {
             "status": ""
         },
         "rollback": {
             "status": ""
         },
         "remediate": {
             "status": ""
         },
         "network_quarantine": {
             "status": ""
         }
     },
     "fileMaliciousContent": "",
     "fileVerificationType": ""
}

operation: Mitigate Threat

Input parameters

  • Action: Select the action that you want to perform on the specified threat. You can choose from the following actions: Kill, Quarantine, Un-Quarantine, Remediate, or Rollback-Remediation.
  • Threat ID: ID of the threat on which you want to take the specified action.
  • Content Hash (Optional): Hash ID of the file associated with the threat that requires mitigation.
  • Threat Name (Optional): Name of the threat that requires mitigation.
  • Agent ID (Optional): ID of the agent on which the threat has been identified.
  • Limit Records (Optional): Maximum number of results, per page, that this operation should return.
  • From Scan: Select this option if the threat was detected as a result of a scan.

Output

The JSON contains a message about the threat being mitigated.

The output contains the following populated JSON schema:
{
     "affected": ""
}
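The following is an added example (not connector or Fortinet code) showing how a playbook step could triage the objects returned by Get Agents and Get Threat Details into inputs for Agent Action (Isolate Agent Network) and Mitigate Threat. Field names are those of the schemas above; the sample records and the "success" status string are constructed assumptions.

```python
"""Playbook triage over the SentinelOne connector's documented output schemas.

Added example, not connector code: from agent objects (Get Agents output) and
threat objects (Get Threat Details / List All Threats output) decide which
agent IDs go to Agent Action (Isolate Agent Network) and which threat IDs,
with which action, go to Mitigate Threat. Field names come from the schemas
on this page; sample values and the "success" status string are assumptions.
"""
from typing import Dict, Iterable, List, Tuple

# Network Status values listed for the connector's filter parameters; only a
# reachable agent can receive an isolation command.
REACHABLE = {"connected", "connecting"}

# mitigationReport keys exactly as documented in the Get Threat Details schema.
MITIGATION_ACTIONS = ("kill", "quarantine", "remediate", "rollback", "network_quarantine")


def _truthy(value) -> bool:
    """Schema values may arrive as real booleans or as strings ("true", "")."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"true", "1", "yes"}


def agents_to_isolate(agents: Iterable[Dict]) -> List[str]:
    """Agent IDs to hand to Agent Action with the Isolate Agent Network action.

    An agent qualifies when SentinelOne reports it infected (or with active
    threats), it is still managed (not decommissioned or uninstalled), and its
    networkStatus shows it reachable. Duplicate IDs are dropped.
    """
    chosen: List[str] = []
    for agent in agents:
        agent_id = agent.get("id")
        if not agent_id or agent_id in chosen:
            continue
        if _truthy(agent.get("isDecommissioned")) or _truthy(agent.get("isUninstalled")):
            continue
        infected = _truthy(agent.get("infected")) or int(agent.get("activeThreats") or 0) > 0
        reachable = str(agent.get("networkStatus", "")).lower() in REACHABLE
        if infected and reachable:
            chosen.append(agent_id)
    return chosen


def pending_mitigations(threat: Dict) -> List[str]:
    """mitigationReport actions whose status is not "success" (assumed value)."""
    report = threat.get("mitigationReport") or {}
    return [
        action for action in MITIGATION_ACTIONS
        if str((report.get(action) or {}).get("status", "")).lower() != "success"
    ]


def threats_to_mitigate(threats: Iterable[Dict]) -> List[Tuple[str, str]]:
    """(threat ID, Mitigate Threat action) pairs for threats still needing work.

    Threats already marked benign or resolved are skipped. Otherwise "Kill" is
    chosen while the kill step has not succeeded, then "Quarantine" while the
    quarantine step is still pending; a threat with both done needs nothing.
    """
    plan: List[Tuple[str, str]] = []
    for threat in threats:
        threat_id = threat.get("id")
        if not threat_id or _truthy(threat.get("markedAsBenign")) or _truthy(threat.get("resolved")):
            continue
        pending = pending_mitigations(threat)
        if "kill" in pending:
            plan.append((threat_id, "Kill"))
        elif "quarantine" in pending:
            plan.append((threat_id, "Quarantine"))
    return plan


# Constructed sample records shaped like the connector's output schemas.
SAMPLE_AGENTS = [
    {"id": "agent-001", "infected": True, "activeThreats": "1", "networkStatus": "connected",
     "isDecommissioned": False, "isUninstalled": False},
    {"id": "agent-002", "infected": "false", "activeThreats": "2", "networkStatus": "Connected",
     "isDecommissioned": "false", "isUninstalled": "false"},
    {"id": "agent-003", "infected": True, "activeThreats": "1", "networkStatus": "disconnected",
     "isDecommissioned": False, "isUninstalled": False},  # unreachable: skipped
    {"id": "agent-004", "infected": True, "activeThreats": "1", "networkStatus": "connected",
     "isDecommissioned": "true", "isUninstalled": False},  # decommissioned: skipped
    {"id": "agent-005", "infected": False, "activeThreats": "", "networkStatus": "connected",
     "isDecommissioned": False, "isUninstalled": False},  # clean: skipped
]

SAMPLE_THREATS = [
    {"id": "thr-1", "markedAsBenign": False, "resolved": False,
     "mitigationReport": {"kill": {"status": "success"}, "quarantine": {"status": ""}}},
    {"id": "thr-2", "markedAsBenign": "false", "resolved": "false",
     "mitigationReport": {"kill": {"status": "failed"}}},
    {"id": "thr-3", "markedAsBenign": "true", "resolved": False, "mitigationReport": {}},
    {"id": "thr-4", "markedAsBenign": False, "resolved": False,
     "mitigationReport": {"kill": {"status": "success"}, "quarantine": {"status": "success"}}},
    {"id": "thr-5", "markedAsBenign": False, "resolved": True, "mitigationReport": {}},
]

if __name__ == "__main__":
    print("isolate:", agents_to_isolate(SAMPLE_AGENTS))
    print("mitigate:", threats_to_mitigate(SAMPLE_THREATS))
```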

operation: Mark Threat as Benign

Input parameters

  • Target Scope: Scope of the target that you want to mark as safe in SentinelOne.
  • Threat Id: ID of the threat that you want to mark as safe in SentinelOne.
  • Content Hash (Optional): Hash ID of the file associated with the threat that you want to mark as safe in SentinelOne.
  • Threat Name (Optional): Name of the threat that you want to mark as safe in SentinelOne.
  • Agent Id (Optional): ID of the agent on which the threat has been identified.
  • Limit Records (Optional): Maximum number of results, per page, that this operation should return.
  • From Scan: Select this option if the threat was detected as a result of a scan.

Output

The JSON contains a message about the threat being marked as safe.

The output contains the following populated JSON schema:
{
     "affected": ""
}

operation: Fetch Agents Logs

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

  • Agent Memory Less Than (GB): Retrieve logs of only those agents whose memory size is less than the given input from SentinelOne.
  • Agent Memory Greater Than (GB): Retrieve logs of only those agents whose memory size is greater than the given input from SentinelOne.
  • Agent Core Count Less Than: Retrieve logs of only those agents whose core count is less than the given input from SentinelOne.
  • Agent Core Count Greater Than: Retrieve logs of only those agents whose core count is greater than the given input from SentinelOne.
  • Is Active: Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Active".
  • Is Infected: Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Infected".
  • Is Decommissioned: Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Decommissioned".
  • Agent IDs: List of comma-separated agent IDs whose logs you want to retrieve from SentinelOne.
  • Computer Name Like: Retrieve logs of only those agents that match the specified computer name.
  • Agent Version: Version of the agent whose logs you want to retrieve from SentinelOne.
  • OS Type: Select the OS type of the agent in SentinelOne whose logs you want to retrieve. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
  • Network Status: Select the network status of the agent in SentinelOne whose logs you want to retrieve. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON output contains the number of agents whose logs are fetched after the query is successfully run.

The output contains the following populated JSON schema:
{
     "affected": ""
}

operation: Get Agent Count

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Agent Memory Less Than (GB): Retrieve counts of only those agents whose memory size is lesser than given input from SentinelOne.
Agent Memory Greater Than (GB) Retrieve counts of only those agents whose memory size is greater than given input from SentinelOne.
Agent Core Count Less Than Retrieve counts of only those agents whose core count is lesser than given input from SentinelOne.
Agent Core Count Greater Than Retrieve counts of only those agents whose core count is greater than given input from SentinelOne.
Is Active Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Active".
Is Infected Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Infected".
Is Decommissioned Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Decommissioned".
Agent IDs List of comma-separated agent IDs whose count you want to retrieve from SentinelOne
Computer Name Like Retrieve count of only those agents who match the specified computer name.
Agent Version Version of the agents whose counts you want to retrieve from SentinelOne.
OS Type Select the OS type of the agents in SentinelOne whose count you want to retrieve. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
Network Status Select the network status of the agents in SentinelOne whose count you want to retrieve. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON output contains the number of available agents.

The output contains the following populated JSON schema:
{
     "total": ""
}

operation: List All Threats

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Content Hash Hash ID of the file associated with the threat.
Threat Name Name of the threat that you want to search for on all agents on SentinelOne.
Agent ID ID of the agent whose threats you want to list.
Limit Records Maximum number of results, per page, that this operation should return.
Skip Records Skips the specified number of results from the total results.
From Scan Select this option if the threat was detected as a result of a scan.

Output

The JSON output contains the threat objects that are found after the query is successfully run.

The output contains the following populated JSON schema:
{
     "cloudVerdict": "",
     "agentDomain": "",
     "fileIsDotNet": "",
     "id": "",
     "maliciousProcessArguments": "",
     "accountId": "",
     "fromScan": "",
     "agentId": "",
     "fileCreatedDate": "",
     "maliciousGroupId": "",
     "markedAsBenign": "",
     "isInteractiveSession": "",
     "siteName": "",
     "classifierName": "",
     "fileExtensionType": "",
     "indicators": [],
     "classificationSource": "",
     "classification": "",
     "createdAt": "",
     "mitigationStatus": "",
     "description": "",
     "agentOsType": "",
     "filePath": "",
     "agentInfected": "",
     "fileObjectId": "",
     "username": "",
     "threatAgentVersion": "",
     "browserType": "",
     "fileContentHash": "",
     "fileDisplayName": "",
     "publisher": "",
     "rank": "",
     "isPartialStory": "",
     "engines": [],
     "threatName": "",
     "annotation": "",
     "certId": "",
     "accountName": "",
     "isCertValid": "",
     "collectionId": "",
     "fileSha256": "",
     "resolved": "",
     "updatedAt": "",
     "agentIsDecommissioned": "",
     "agentIsActive": "",
     "agentVersion": "",
     "agentIp": "",
     "agentComputerName": "",
     "fromCloud": "",
     "fileIsExecutable": "",
     "createdDate": "",
     "siteId": "",
     "fileIsSystem": "",
     "annotationUrl": "",
     "whiteningOptions": [],
     "agentMachineType": "",
     "agentNetworkStatus": "",
     "mitigationMode": "",
     "mitigationReport": {
         "quarantine": {
             "status": ""
         },
         "kill": {
             "status": ""
         },
         "rollback": {
             "status": ""
         },
         "remediate": {
             "status": ""
         },
         "network_quarantine": {
             "status": ""
         }
     },
     "fileMaliciousContent": "",
     "fileVerificationType": ""
}

operation: Create Query And Get Query ID

Input parameters

Parameter Description
Query Free-text search term that is matched (sub-string match) against applicable attributes in SentinelOne; the ID of the deep visibility query created for this term is returned from SentinelOne.
From Date Start date of the query period for which you want to create the query and retrieve its ID from SentinelOne.
To Date End date of the query period for which you want to create the query and retrieve its ID from SentinelOne.
Group IDs (Optional) List of comma-separated agent's group IDs based on which you want to retrieve the query ID from SentinelOne.
Tenant Select this checkbox to indicate a tenant scope in the query.
Query Type (Optional) Type of the query used by deep visibility in SentinelOne.
Account IDs (Optional) List of comma-separated agent's accounts based on which you want to retrieve the query ID from SentinelOne.
Site IDs (Optional) List of comma-separated agent's sites based on which you want to retrieve the query ID from SentinelOne.

Output

The output contains the following populated JSON schema:
{
     "queryId": ""
}

operation: Get Query Status

Input parameters

Parameter Description
Query ID ID of the query whose status you want to retrieve from SentinelOne. When you create a query in SentinelOne, you get its QueryID.

Output

The output contains the following populated JSON schema:
{
     "progressStatus": "",
     "responseState": ""
}

operation: Get Events

Input parameters

Parameter Description
Query ID ID of the query whose associated events you want to retrieve from SentinelOne. When you create a query in SentinelOne, you get its QueryID.
Limit Records (Optional) Maximum number of results, per page, that this operation should return.
Skip Records (Optional) Skips the specified number of results from the total results.
Cursor (Optional) Cursor position returned by the last request. You can use this parameter instead of the Skip Records parameter. Cursor currently supports Sort By with createdAt, pid, and processStartTime.
Sort Order (Optional) Sorting order of the result (events); choose between Ascending or Descending.
Sort By (Optional) Name of the field on which you want to sort the result (events).
Sub Query (Optional) Name of the field on which you want to sort the result (events).

Output

The output contains the following populated JSON schema:
{
     "agentVersion": "",
     "agentNetworkStatus": "",
     "fileId": "",
     "indicatorDescription": "",
     "eventType": "",
     "dstIp": "",
     "relatedToThreat": "",
     "processImagePath": "",
     "processName": "",
     "processUniqueKey": "",
     "parentProcessUniqueKey": "",
     "processGroupId": "",
     "eventSubType": "",
     "processUserName": "",
     "networkMethod": "",
     "processDisplayName": "",
     "processSubSystem": "",
     "parentProcessName": "",
     "createdAt": "",
     "srcPort": "",
     "agentIp": "",
     "tid": "",
     "agentOs": "",
     "oldFileSha1": "",
     "agentDomain": "",
     "agentIsDecommissioned": "",
     "registryPath": "",
     "oldFileMd5": "",
     "sha256": "",
     "fileSha256": "",
     "parentProcessIsMalicious": "",
     "indicatorMetadata": "",
     "networkUrl": "",
     "processImageSha1Hash": "",
     "oldFileSha256": "",
     "user": "",
     "md5": "",
     "agentInfected": "",
     "loginsBaseType": "",
     "processStartTime": "",
     "forensicUrl": "",
     "oldFileName": "",
     "dnsResponse": "",
     "srcIp": "",
     "indicatorCategory": "",
     "rpid": "",
     "processIsMalicious": "",
     "taskName": "",
     "dnsRequest": "",
     "loginsUserName": "",
     "indicatorName": "",
     "agentUuid": "",
     "agentMachineType": "",
     "registryId": "",
     "parentProcessGroupId": "",
     "processIntegrityLevel": "",
     "fileFullName": "",
     "signer": "",
     "processSessionId": "",
     "processCmd": "",
     "taskPath": "",
     "parentPid": "",
     "agentId": "",
     "id": "",
     "fileMd5": "",
     "networkSource": "",
     "siteName": "",
     "agentGroupId": "",
     "agentName": "",
     "parentProcessStartTime": "",
     "dstPort": "",
     "trueContext": "",
     "fileSha1": "",
     "threatStatus": "",
     "agentIsActive": "",
     "direction": "",
     "pid": "",
     "sha1": ""
}

operation: Get Events By Type

Input parameters

Parameter Description
Query ID ID of the query whose associated events you want to retrieve from SentinelOne. When you create a query in SentinelOne, you get its QueryID.
Event Type Event type by which you want to filter the results (events). You can choose between the following event types: Events, File, Ip, Url, Dns, Process, Registry, Scheduled task, Logins, or Indicators.
Limit Records (Optional) Maximum number of results, per page, that this operation should return.
Skip Records (Optional) Skips the specified number of results from the total results.
Cursor (Optional) Cursor position returned by the last request. You can use this parameter instead of the Skip Records parameter. Cursor currently supports Sort By with createdAt, pid, and processStartTime.
Sort Order (Optional) Sorting order of the result (events); choose between Ascending or Descending.
Sort By (Optional) Name of the field on which you want to sort the result (events).
Sub Query (Optional) Name of the field on which you want to sort the result (events).

Output

The output contains the following populated JSON schema:
{
     "data": {
         "agentVersion": "",
         "agentNetworkStatus": "",
         "fileId": "",
         "indicatorDescription": "",
         "eventType": "",
         "dstIp": "",
         "relatedToThreat": "",
         "processImagePath": "",
         "processName": "",
         "processUniqueKey": "",
         "parentProcessUniqueKey": "",
         "processGroupId": "",
         "eventSubType": "",
         "processUserName": "",
         "networkMethod": "",
         "processDisplayName": "",
         "processSubSystem": "",
         "parentProcessName": "",
         "createdAt": "",
         "srcPort": "",
         "agentIp": "",
         "tid": "",
         "agentOs": "",
         "oldFileSha1": "",
         "agentDomain": "",
         "agentIsDecommissioned": "",
         "registryPath": "",
         "oldFileMd5": "",
         "sha256": "",
         "fileSha256": "",
         "parentProcessIsMalicious": "",
         "indicatorMetadata": "",
         "networkUrl": "",
         "processImageSha1Hash": "",
         "oldFileSha256": "",
         "user": "",
         "md5": "",
         "agentInfected": "",
         "loginsBaseType": "",
         "processStartTime": "",
         "forensicUrl": "",
         "oldFileName": "",
         "dnsResponse": "",
         "srcIp": "",
         "indicatorCategory": "",
         "rpid": "",
         "processIsMalicious": "",
         "taskName": "",
         "dnsRequest": "",
         "loginsUserName": "",
         "indicatorName": "",
         "agentUuid": "",
         "agentMachineType": "",
         "registryId": "",
         "parentProcessGroupId": "",
         "processIntegrityLevel": "",
         "fileFullName": "",
         "signer": "",
         "processSessionId": "",
         "processCmd": "",
         "taskPath": "",
         "parentPid": "",
         "agentId": "",
         "id": "",
         "fileMd5": "",
         "networkSource": "",
         "siteName": "",
         "agentGroupId": "",
         "agentName": "",
         "parentProcessStartTime": "",
         "dstPort": "",
         "trueContext": "",
         "fileSha1": "",
         "threatStatus": "",
         "agentIsActive": "",
         "direction": "",
         "pid": "",
         "sha1": ""
     },
     "pagination": {
         "totalItems": "",
         "nextCursor": ""
     }
}

operation: Cancel Running Query

Input parameters

Parameter Description
Query ID ID of the deep visibility query that you want to stop in SentinelOne. When you create a query in SentinelOne, you get its QueryID.

Output

The output contains the following populated JSON schema:
{
     "success": ""
}
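The deep visibility workflow that the four operations above describe (Create Query And Get Query ID, poll Get Query Status, page Get Events / Get Events By Type with Cursor rather than Skip Records, and Cancel Running Query when a query does not finish), as an added Python example that is not part of the connector or its sample playbooks. The `client` interface, the `FakeDeepVisibility` test double, the terminal `responseState` values, the cursor encoding and all sample values are assumptions; the real values come from SentinelOne.

```python
import time
from typing import Any, Callable, Dict, Iterator, List, Optional

# Sort By fields the connector documents as usable together with Cursor paging.
CURSOR_SORT_FIELDS = {"createdAt", "pid", "processStartTime"}
# Assumed responseState values that end polling; the real set comes from SentinelOne.
TERMINAL_STATES = {"FINISHED", "FAILED", "TIMED_OUT", "ERROR"}


class QueryTimeout(Exception):
    """Raised when Get Query Status never reports a terminal state within max_polls."""


def wait_for_query(get_status: Callable[[str], Dict[str, Any]], query_id: str,
                   max_polls: int = 60, sleep: Callable[[], None] = lambda: time.sleep(5)) -> Dict[str, Any]:
    """Poll Get Query Status until responseState is terminal; bounded so a stuck query cannot hang a playbook."""
    status: Dict[str, Any] = {}
    for _ in range(max_polls):
        status = get_status(query_id)  # {"progressStatus": ..., "responseState": ...}
        if str(status.get("responseState", "")).upper() in TERMINAL_STATES:
            return status
        sleep()
    raise QueryTimeout(f"{query_id}: still {status.get('responseState')!r} after {max_polls} polls")


def iter_events(get_events: Callable[..., Dict[str, Any]], query_id: str, *, limit: int = 100,
                sort_by: str = "createdAt", max_pages: int = 10_000) -> Iterator[Dict[str, Any]]:
    """Page through Get Events with pagination.nextCursor instead of Skip Records."""
    if sort_by not in CURSOR_SORT_FIELDS:
        raise ValueError(f"Cursor paging needs Sort By in {sorted(CURSOR_SORT_FIELDS)}, got {sort_by!r}")
    cursor: Optional[str] = None
    for _ in range(max_pages):
        page = get_events(query_id, limit=limit, cursor=cursor, sort_by=sort_by)
        yield from page.get("data", [])
        cursor = (page.get("pagination") or {}).get("nextCursor")
        if not cursor:  # last page: no further cursor is returned
            return
    raise RuntimeError(f"{query_id}: exceeded {max_pages} pages; refusing to loop on cursors")


def run_deep_visibility_query(client: Any, query: str, from_date: str, to_date: str, *,
                              page_size: int = 100, max_polls: int = 60,
                              sleep: Callable[[], None] = lambda: time.sleep(5)) -> List[Dict[str, Any]]:
    """Create -> poll -> fetch; cancels the query on timeout so it does not keep running server-side."""
    query_id = client.create_query(query, from_date, to_date)["queryId"]
    try:
        final = wait_for_query(client.get_query_status, query_id, max_polls=max_polls, sleep=sleep)
    except QueryTimeout:
        client.cancel_query(query_id)  # Cancel Running Query
        raise
    if str(final.get("responseState", "")).upper() != "FINISHED":
        raise RuntimeError(f"{query_id} ended with {final.get('responseState')!r}")
    return list(iter_events(client.get_events, query_id, limit=page_size))


class FakeDeepVisibility:
    """Constructed test double: returns the field names the connector documents, with made-up values."""

    def __init__(self, events: List[Dict[str, Any]], polls_until_done: int = 2) -> None:
        self._events = events
        self._polls_until_done = polls_until_done
        self._polls: Dict[str, int] = {}
        self.cancelled: List[str] = []

    def create_query(self, query: str, from_date: str, to_date: str) -> Dict[str, Any]:
        query_id = f"q-{len(self._polls) + 1}"  # constructed, not a real SentinelOne query ID
        self._polls[query_id] = 0
        return {"queryId": query_id}

    def get_query_status(self, query_id: str) -> Dict[str, Any]:
        self._polls[query_id] += 1
        done = self._polls[query_id] >= self._polls_until_done
        return {"progressStatus": 100 if done else 50, "responseState": "FINISHED" if done else "RUNNING"}

    def get_events(self, query_id: str, limit: int, cursor: Optional[str] = None,
                   sort_by: str = "createdAt") -> Dict[str, Any]:
        start = int(cursor) if cursor else 0  # the fake encodes the page offset as the cursor
        end = start + limit
        return {"data": self._events[start:end],
                "pagination": {"totalItems": len(self._events),
                               "nextCursor": str(end) if end < len(self._events) else None}}

    def cancel_query(self, query_id: str) -> Dict[str, Any]:
        self.cancelled.append(query_id)
        return {"success": True}


def demo() -> Dict[str, Any]:
    """Fast query: five constructed events over three pages. Slow query: times out and is cancelled."""
    events = [{"id": str(i), "createdAt": f"2020-01-01T00:00:0{i}Z", "eventType": "Process",
               "processName": "example.exe"} for i in range(5)]
    fast = FakeDeepVisibility(events, polls_until_done=2)
    got = run_deep_visibility_query(fast, 'ProcessName = "example.exe"', "2020-01-01", "2020-01-02",
                                    page_size=2, max_polls=5, sleep=lambda: None)
    slow = FakeDeepVisibility(events, polls_until_done=10)
    timed_out = False
    try:
        run_deep_visibility_query(slow, "x", "2020-01-01", "2020-01-02", max_polls=3, sleep=lambda: None)
    except QueryTimeout:
        timed_out = True
    return {"event_ids": [e["id"] for e in got], "fast_cancelled": fast.cancelled,
            "timed_out": timed_out, "slow_cancelled": slow.cancelled}


if __name__ == "__main__":
    print(demo())
```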

operation: Get Application Network Connections

Input parameters

Parameter Description
Application ID ID of the agent application whose network connection you want to retrieve from SentinelOne.
Site IDs (Optional) List of comma-separated agent's sites whose application network connection you want to retrieve from SentinelOne.
Group IDs (Optional) List of comma-separated agent's groups whose application network connection you want to retrieve from SentinelOne.
Country Code (Optional) Country code by which you want to filter the application network connections retrieved from SentinelOne.
Account IDs (Optional) List of comma-separated agent's accounts whose network connection you want to retrieve from SentinelOne.

Output

The output contains a non-dictionary value.

operation: Get Application Forensic Details

Input parameters

Parameter Description
Application ID ID of the agent application whose forensic details you want to retrieve from SentinelOne.
Site IDs (Optional) List of comma-separated agent's sites whose application forensic details you want to retrieve from SentinelOne.
Group IDs (Optional) List of comma-separated agent's groups whose application forensic details you want to retrieve from SentinelOne.
Account IDs (Optional) List of comma-separated agent's accounts whose application forensic details you want to retrieve from SentinelOne.

Output

The output contains the following populated JSON schema:
{
     "success": "",
     "result": {
         "fetch_story_error_at": "",
         "seen_on_network": "",
         "graph": "",
         "process_display_name": "",
         "summary_overview": {
             "network": {
                 "connections": "",
                 "dns": ""
             },
             "file": {
                 "write": "",
                 "create": "",
                 "delete": ""
             },
             "registry": {
                 "security": "",
                 "persistence": "",
                 "stealth": ""
             }
         },
         "summary": "",
         "application_id": "",
         "agent": "",
         "process_created_at": "",
         "category_scores": "",
         "application_duration": "",
         "last_event_seen_at": "",
         "application_created": "",
         "raw_data": "",
         "fetch_story_status": "",
         "fetch_story_sent_at": "",
         "process": {
             "username": "",
             "executable_file_id": "",
             "created_date": "",
             "is_primary": "",
             "bundle_id": "",
             "display_name": "",
             "is_root": "",
             "pid": "",
             "object_id": ""
         },
         "file": {
             "content_hash": "",
             "is_system": "",
             "created_date": "",
             "size": "",
             "display_name": "",
             "permission": "",
             "path": "",
             "object_id": ""
         }
     }
}

operation: Export Forensics Application

Input parameters

Parameter Description
Application ID ID of the agent application whose forensic application you want to export in the CSV/JSON format from SentinelOne.
Export Format Format in which you want to export the forensic application. You can choose between the following formats: CSV or JSON.
Site IDs (Optional) List of comma-separated agent's sites whose forensic application you want to export from SentinelOne.
Group IDs (Optional) List of comma-separated agent's groups whose forensic application you want to export from SentinelOne.
Account IDs (Optional) List of comma-separated agent's accounts whose forensic application you want to export from SentinelOne.

Output

The output contains a non-dictionary value.

operation: Get Threat Seen on Network

Input parameters

Parameter Description
Threat ID ID of the threat whose "seen on network data" you want to retrieve from SentinelOne.
Site IDs (Optional) List of comma-separated agent's sites whose "seen on network data" you want to retrieve from SentinelOne.
Group IDs (Optional) List of comma-separated agent's groups whose "seen on network data" you want to retrieve from SentinelOne.
Account IDs (Optional) List of comma-separated agent's accounts whose "seen on network data" you want to retrieve from SentinelOne.

Output

The output contains the following populated JSON schema:
{
     "agent_version": "",
     "description": "",
     "created_date": "",
     "meta_data": {
         "updated_at": "",
         "created_at": ""
     },
     "id": "",
     "malicious_group_id": "",
     "resolved": "",
     "status": "",
     "from_cloud": "",
     "agent": ""
}

operation: Get Threat Network Connections

Input parameters

Parameter Description
Threat ID ID of the threat whose network connection you want to retrieve from SentinelOne.
Site IDs (Optional) List of comma-separated agent's sites whose network connection you want to retrieve from SentinelOne.
Group IDs (Optional) List of comma-separated agent's groups whose network connection you want to retrieve from SentinelOne.
Country Code (Optional) Country code by which you want to filter the threat network connections retrieved from SentinelOne.
Account IDs (Optional) List of comma-separated agent's accounts whose network connection you want to retrieve from SentinelOne.

Output

The output contains the following populated JSON schema:
{
     "message": ""
}

operation: Threat Forensic Details

Input parameters

Parameter Description
Threat ID ID of the threat whose forensic details you want to retrieve from SentinelOne.

Output

The output contains the following populated JSON schema:
{
     "result": {
         "policy_id": "",
         "agent_version": "",
         "occurred_at": "",
         "graph": {
             "edges_summary": [],
             "node_sets": {}
         },
         "file_hash": "",
         "file_display_name": "",
         "file_created_at": "",
         "agent": "",
         "category_scores": [],
         "publisher": "",
         "raw_data": {
             "edges": [],
             "nodes": {
                 "6ADE07922117100C": {
                     "agent_version": "",
                     "in_threat": "",
                     "malicious_content": "",
                     "agent_uuid": "",
                     "meta_data": {
                         "updated_at": "",
                         "count": "",
                         "created_at": ""
                     },
                     "has_reputation": "",
                     "group_id": "",
                     "event_type": "",
                     "object_id": "",
                     "data": {
                         "path": "",
                         "is_system": "",
                         "created_date": "",
                         "is_executable": "",
                         "verification_type": "",
                         "extension_type": "",
                         "size": "",
                         "object_id": "",
                         "content_hash": "",
                         "permission": ""
                     }
                 }
             }
         },
         "indicators": [],
         "cert_id": "",
         "is_cert_valid": ""
     }
}

operation: Export Threat

Input parameters

Parameter Description
Threat ID ID of the threat whose details, along with its associated events, you want to export in the CSV, JSON, or RAW format from SentinelOne.
Export Format Format in which you want to export the threat data. You can choose between the following formats: CSV, RAW, or JSON.

Output

The output contains the following populated JSON schema:
{
     "threat_details": {
         "description": "",
         "id": "",
         "created_at": "",
         "agent": ""
     },
     "events": [],
     "agent_details": {
         "external_ip": "",
         "registered_at": "",
         "agent_version_current": "",
         "computer_name": "",
         "last_active_date": "",
         "agent_version_at_threat_time": "",
         "group_ip": "",
         "domain": "",
         "cpu": "",
         "os": ""
     },
     "file_details": {
         "size": "",
         "created_at": "",
         "id": "",
         "display_name": "",
         "permission": "",
         "content_hash": ""
     },
     "reputation": {
         "rank": ""
     }
}

operation: Get Application Forensics

Input parameters

Parameter Description
Application ID ID of the agent application whose forensic data you want to retrieve from SentinelOne.
Site IDs (Optional) List of comma-separated agent's sites whose application forensic data you want to retrieve from SentinelOne.
Group IDs (Optional) List of comma-separated agent's groups whose application forensic data you want to retrieve from SentinelOne.
Account IDs (Optional) List of comma-separated agent's accounts whose application forensic data you want to retrieve from SentinelOne.

Output

The output contains the following populated JSON schema:
{
     "success": "",
     "result": {
         "process_created_at": "",
         "seen_on_network": "",
         "process": {
             "username": "",
             "executable_file_id": "",
             "created_date": "",
             "is_primary": "",
             "bundle_id": "",
             "display_name": "",
             "is_root": "",
             "pid": "",
             "object_id": ""
         },
         "file": {
             "content_hash": "",
             "is_system": "",
             "created_date": "",
             "size": "",
             "display_name": "",
             "permission": "",
             "path": "",
             "object_id": ""
         },
         "process_display_name": "",
         "fetch_story_status": "",
         "agent": "",
         "malicious_process_arguments": "",
         "application_id": "",
         "application_created": ""
     }
}

operation: Get Threat Forensics

Input parameters

Parameter Description
Threat ID ID of the threat for which you want to retrieve the forensic data.
Site IDs (Optional) List of comma-separated agent's sites whose threat data you want to retrieve from SentinelOne.
Group IDs (Optional) List of comma-separated agent's groups whose threat data you want to retrieve from SentinelOne.
Account IDs (Optional) List of comma-separated agent's accounts whose threat data you want to retrieve from SentinelOne.

Output

The output contains the following populated JSON schema:
{
     "result": {
         "seen_on_network": "",
         "occurred_at": "",
         "file_display_name": "",
         "marked_as_benign": "",
         "classifier_name": "",
         "mitigation_status": "",
         "file_created_at": "",
         "file_path": "",
         "classification_source": "",
         "classification": "",
         "mitigation_report": {
             "quarantine": {
                 "status": ""
             },
             "rollback": {
                 "status": ""
             },
             "remediate": {
                 "status": ""
             },
             "network_quarantine": {
                 "status": ""
             },
             "kill": {
                 "status": ""
             }
         },
         "threat_id": "",
         "whitening_options": [],
         "threat_created": "",
         "malicious_group_id": "",
         "in_quarantine": "",
         "file_content_hash": "",
         "file_hash": "",
         "malicious_process_arguments": "",
         "annotation_url": "",
         "agent": "",
         "from_scan": "",
         "annotation": "",
         "file_description": "",
         "resolved": "",
         "mitigation_actions": []
     }
}

operation: Free Text 

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "title": "",
     "key": "",
     "autoComplete": ""
}

operation: Get Application Count

Input parameters

Parameter Description
Get Count By Filter based on which you want to retrieve the application count from SentinelOne. You can choose between Risk Levels or Filters. By default, this is set to Risk Levels.
Site IDs (Optional) List of comma-separated agent's sites whose application count you want to retrieve from SentinelOne.
Group IDs (Optional) List of comma-separated agent's groups whose application count you want to retrieve from SentinelOne.
Account IDs (Optional) List of comma-separated agent's accounts whose application count you want to retrieve from SentinelOne.
Agent Machine Types (Optional) Type of agent machine whose application count you want to retrieve from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server.
Application IDs (Optional) List of comma-separated application IDs whose application count you want to retrieve, per filter value, from SentinelOne.
Application Types (Optional) Type of application whose application count you want to retrieve from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension.
Is Decommissioned Select this checkbox if the status of the agent whose application count you want to retrieve from SentinelOne is set as "Decommissioned".
Risk Levels (Optional) Level of risks whose application count you want to retrieve from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical.
OS Types (Optional) Type of OS whose application count you want to retrieve from SentinelOne. You can choose between the following OS types: Macos, Windows_Legacy, Linux, or Windows.
Extra Parameters (Optional) Additional request parameters in the JSON format.

Output

The output contains the following populated JSON schema:
{
     "title": "",
     "key": "",
     "values": [
         {
             "count": "",
             "title": "",
             "value": ""
         }
     ]
}

operation: Get CVEs

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Limit Records Maximum number of results, per page, that this operation should return.
Skip Count Select this option to avoid calculating the total number of results, which results in speeding up the execution time.
Sort Order Sorting order of the results; choose between Ascending or Descending.
Sort By Name of the field on which you want to sort the result. You can choose between the following fields: ID, PublishedAt, AgentID, or ApplicationID.
Internal CVE IDs List of comma-separated internal CVE IDs on which you want to filter the CVEs retrieved using this operation from SentinelOne.
Global CVE IDs List of comma-separated global CVE IDs on which you want to filter the CVEs retrieved using this operation from SentinelOne.
Count Only Select this option to only retrieve the total number of items, without any of the actual objects, from SentinelOne.
Extra Parameters Additional request parameters in the JSON format.

Output

The output contains the following populated JSON schema:
{
     "data": {
         "publishedAt": "",
         "link": "",
         "id": "",
         "score": "",
         "riskLevel": "",
         "updatedAt": "",
         "cveId": "",
         "createdAt": "",
         "description": ""
     }
}

operation: Export Applications Risk

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Site IDs List of comma-separated agent's site IDs to export application risks from SentinelOne.
Group IDs List of comma-separated agent's group IDs to export application risks from SentinelOne.
Account IDs List of comma-separated agent's account IDs to export application risks from SentinelOne.
Size Between Size range of the application between which you want to filter the application risks. You can specify the size range in bytes from 1024 to 104856.
Agent Machine Types Type of agent machine whose application risks you want to export from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server.
Application IDs IDs of the agent applications whose installed applications and CVE lists you want to export from SentinelOne.
Application Types Type of application whose application risks you want to export from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension.
Is Decommissioned Select this checkbox if the status of the agent whose application risks you want to export from SentinelOne is set as "Decommissioned".
Risk Levels Level of risks whose application risks you want to export from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical.
OS Types Type of OS whose application risks you want to export from SentinelOne. You can choose between the following OS types: Macos, Windows Legacy, Linux, or Windows.
Extra Parameters Additional request parameters in the JSON format.

Output

No output schema is available at this time.

operation: Get Applications

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Limit Records Maximum number of results, per page, that this operation should return.
Skip Count Select this option to avoid calculating the total number of results, which results in speeding up the execution time.
Sort Order Sorting order of the results; choose between Ascending or Descending.
Agent Machine Types Type of endpoint machine whose applications you want to retrieve from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server.
Application IDs IDs of the agent applications whose installed applications you want to retrieve from SentinelOne.
Is Decommissioned Select this checkbox if the status of the agent whose applications you want to retrieve from SentinelOne is set as "Decommissioned".
Application Types Type of application whose applications you want to retrieve from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension.
Risk Levels Level of risks whose applications you want to retrieve from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical.
Sort By Name of the field on which you want to sort the result. You can choose between the following fields: ID, InstallAt, Type, Name, Publisher, Version, Size, AgentComputerName, or Risklevel.
Count Only Select this option to only retrieve the total number of items, without any of the actual objects, from SentinelOne.
OS Types Type of OS whose applications you want to retrieve from SentinelOne. You can choose between the following OS types: Macos, Windows Legacy, Linux, or Windows.
Extra Parameters Additional request parameters in the JSON format.

Output

The output contains the following populated JSON schema:
{
     "agentInfected": "",
     "agentNetworkStatus": "",
     "installedAt": "",
     "signed": "",
     "size": "",
     "type": "",
     "updatedAt": "",
     "agentComputerName": "",
     "name": "",
     "agentOsType": "",
     "version": "",
     "publisher": "",
     "agentMachineType": "",
     "id": "",
     "agentVersion": "",
     "osType": "",
     "createdAt": "",
     "agentDomain": "",
     "agentId": "",
     "agentIsDecommissioned": "",
     "riskLevel": "",
     "agentUuid": "",
     "agentIsActive": ""
}

operation: Get Application CVEs

Input parameters

Parameter Description
Application ID ID of the agent application whose application CVEs you want to retrieve from SentinelOne.

Output

The output contains the following populated JSON schema:
{
     "agentInfected": "",
     "agentNetworkStatus": "",
     "installedAt": "",
     "signed": "",
     "size": "",
     "type": "",
     "updatedAt": "",
     "agentComputerName": "",
     "name": "",
     "agentOsType": "",
     "version": "",
     "publisher": "",
     "agentMachineType": "",
     "id": "",
     "agentVersion": "",
     "osType": "",
     "createdAt": "",
     "cves": [],
     "agentDomain": "",
     "agentId": "",
     "agentIsDecommissioned": "",
     "riskLevel": "",
     "agentUuid": "",
     "agentIsActive": ""
}

Included playbooks

The Sample - SentinelOne - 2.0.0 playbook collection comes bundled with the SentinelOne connector. These playbooks contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the SentinelOne connector.

  • Abort Agent Scan
  • Agent Action
  • Broadcast Message to Agent
  • Cancel Running Query 
  • Create Query And Get Query ID
  • Export Applications Risk
  • Export Forensics Application
  • Export Threat
  • Fetch Agent Logs
  • Free Text 
  • Get Agent Application
  • Get Agent Count
  • Get Agent Passphrase
  • Get Agent Process
  • Get Agents
  • Get Application Count
  • Get Application CVEs
  • Get Application Forensic Details
  • Get Application Forensics
  • Get Application Network Connections
  • Get Applications
  • Get CVEs
  • Get Events
  • Get Events By Type
  • Get Hash Details
  • Get Query Status
  • Get Threat Details
  • Get Threat Forensics
  • Get Threat Network Connections
  • Get Threat Seen on Network
  • Initiate Agent Scan
  • List All Threats
  • Mark Threat as Benign
  • Mitigate Threat
  • Reconnect Agent
  • Threat Forensic Details

Troubleshooting

Connection refusal while requesting to run the wrapper

This generally occurs when the SentinelOne server presents a self-signed SSL certificate. If you use self-signed certificates for testing or staging, keep in mind that this problem does not occur in production with a certificate issued by a trusted CA, so you might need to switch certificate verification on or off when moving between environments.

Resolution:

Ensure that the SSL certificates are trusted (for example, by adding the issuing CA to the trust store used by the wrapper), or, for test instances only, turn SSL checking off in the wrapper script. Disabling SSL checking is not advised for production instances.
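The two resolutions above, as an added example that is not FortiSOAR or connector code: a wrapper script can trust a self-signed staging certificate through its CA bundle rather than by switching verification off, and can refuse the "off" setting when it is running against production. The environment names and the `ca_bundle` path are assumptions for the illustration.

```python
# Added example (not FortiSOAR or connector code): TLS context for a wrapper
# script, with the weak setting (verification off) fenced to non-production.
import ssl


def make_tls_context(verify=True, ca_bundle=None, environment="production"):
    """verify=True: full chain and hostname checks against the system store,
    or against ca_bundle (a PEM file) when the console uses a private CA.
    verify=False: the troubleshooting escape hatch; allowed only outside
    production. Environment names are an assumption of this example."""
    if verify is False:
        if environment == "production":
            raise ValueError("TLS verification cannot be disabled in production")
        ctx = ssl.create_default_context()
        ctx.check_hostname = False        # weak setting: no hostname match
        ctx.verify_mode = ssl.CERT_NONE   # weak setting: any certificate accepted
    else:
        # Corrected setting: trust the CA that signed the server certificate.
        ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx):
    """Summarise what a context enforces, for logging at wrapper start-up."""
    return {
        "hostname_checked": ctx.check_hostname,
        "chain_verified": ctx.verify_mode == ssl.CERT_REQUIRED,
        "minimum_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    print(describe(make_tls_context()))
    print(describe(make_tls_context(verify=False, environment="staging")))
```

Pass the returned context to whatever HTTP client the wrapper uses; the point is that the only way to reach `CERT_NONE` is to name a non-production environment explicitly.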

Playbook fails after the ingestion is triggered

There are many reasons for a playbook failure, for example, if a required field is null in the target module record, or there are problems with the Playbook Appliance keys.

Resolution:

Investigate the reason for the failure using the Running Playbooks tab on the Playbook Administration page. Review the step in which the failure occurs and the result of that step, which should contain the trace of the error. Once you have identified the error, if you cannot resolve it yourself, contact CyberSponse support for further assistance.

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as the root user to install connectors:

yum install cyops-connector-sentinelone

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the SentinelOne connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL URL of the SentinelOne endpoint to which you will connect and perform the automated operations.
Username Username to access the SentinelOne endpoint for using the API endpoint.
Important: The minimum role required for the user to use the API endpoint is "Site Viewer". Use a dedicated account that holds only the permissions your playbooks need; several operations in this connector (for example, Agent Action and Mitigate Threat) change endpoint state.
Password Password to access the SentinelOne endpoint.
Verify SSL Verify the SSL certificate of the SentinelOne API endpoint.
By default, this option is set as True. Leave it enabled in production; disable it only for test or staging instances that use self-signed certificates.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function Description Annotation and Category
Get Agents Retrieves a list of agents attached to an account from SentinelOne based on the input parameters you have specified. list_agents  
Investigation
Agent Action Performs the action that you specify on one or more agents in SentinelOne based on the action, agent IDs, and other input parameters you have specified. isolate_agent
Containment
Reconnect Agent  Reconnects a disconnected agent to the network in SentinelOne based on the input parameters you have specified. reconnect_agent
Remediation
Get Agent Passphrase Retrieves an agent's passphrase to uninstall an offline agent in SentinelOne based on the agent ID you have specified. agent_passphrase
Miscellaneous
Get Agent Application Retrieves a list of applications installed on an agent in SentinelOne based on the agent ID you have specified. list_applications  
Investigation
Get Agent Process Retrieves a list of processes running on an agent in SentinelOne based on the agent ID you have specified. list_processes  
Investigation
Broadcast Message to Agent Broadcasts a message to a specified agent system or a list of agent systems in SentinelOne based on the agent ID, message, and other input parameters you have specified. broadcast_message
Miscellaneous
Initiate Agent Scan Initiates scanning on a specified agent system or all agents in SentinelOne based on the input parameters you have specified. scan_agent  
Investigation
Abort Agent Scan Aborts a scan that is running on a specified agent system or on all agents in SentinelOne based on the input parameters you have specified. abort_scan
Investigation
Get Hash Details Retrieves the details for a specified hash from SentinelOne based on the hash (SHA1) you have specified. hash_details
Investigation
Get Threat Details Retrieves the details for a specified threat from SentinelOne based on the threat ID you have specified. threat_details
Investigation
Mitigate Threat Mitigates identified threats in the SentinelOne system based on the threat ID, action and other input parameters you have specified. mitigate_threats
Remediation
Mark Threat as Benign Marks an identified threat as safe in SentinelOne based on the threat ID, target scope, and other input parameters you have specified. mark_threat_as_benign
Remediation
Fetch Agent Logs Instructs the selected agents to upload their logs to the SentinelOne cloud based on the input parameters you have specified. fetch_logs
Investigation
Get Agent Count Retrieves the count of agents in SentinelOne filtered by the input parameters you have specified. agent_count  
Miscellaneous
List All Threats List all threats identified by SentinelOne on agents. You can additionally filter out the results by specifying the agent ID or the threat name. list_threats  
Investigation
Create Query And Get Query ID Starts a deep visibility Query and retrieves the Query ID from SentinelOne based on the query, date range, and other input parameters you have specified. create_query
Investigation
Get Query Status Retrieves the status of the deep visibility query from SentinelOne based on the query ID you have specified. get_query_status
Investigation
Get Events Retrieves the deep visibility events associated with a query from SentinelOne based on the query ID and other input parameters you have specified. get_events
Investigation
Get Events By Type Retrieves the deep visibility events associated with a query from SentinelOne based on the query ID, event type, and other input parameters you have specified. get_events_by_type
Investigation
Cancel Running Query Stops a deep visibility query that is running on SentinelOne based on the query ID you have specified. cancel_running_query
Investigation
Get Application Network Connections Retrieves network connections for a specific agent application on SentinelOne based on the application ID and other input parameters you have specified. application_forensic_connections
Investigation
Get Application Forensic Details Retrieves detailed forensics data for a specific agent application on SentinelOne based on the application ID and other input parameters you have specified. application_forensic_details
Investigation
Export Forensics Application Exports application forensics, in the CSV or JSON format, for a specific agent application on SentinelOne based on the application ID and other input parameters you have specified. export_forensics_application
Investigation
Get Threat Seen on Network Retrieves "seen on network" details for a specific threat in SentinelOne based on the threat ID and other input parameters you have specified. threat_seen_on_network
Investigation
Get Threat Network Connections Retrieves network connections for a specific threat on SentinelOne based on the threat ID and other input parameters you have specified. threat_forensic_connections
Investigation
Threat Forensic Details Retrieves detailed forensics data for a specific threat on SentinelOne based on the threat ID you have specified. threat_forensic_details
Investigation
Export Threat Exports a threat along with its associated events, in the CSV or JSON format, for a specific threat on SentinelOne based on the threat ID and export format you have specified. export_forensics_threat
Investigation
Get Application Forensics Retrieves forensics data for a specific application on SentinelOne based on the application ID and other input parameters you have specified. application_forensics
Investigation
Get Threat Forensics Retrieves forensics data for a specific threat on SentinelOne based on the threat ID and export format you have specified. threat_forensics
Investigation
Free Text Retrieves a metadata list of all the available free-text filters in SentinelOne. free_text_filters
Investigation
Get Application Count Retrieves the count of applications from SentinelOne, filtered by risk level or by the other input parameters you have specified. get_application_count
Investigation
Get CVEs Retrieves all known CVEs for applications from SentinelOne based on the input parameters you have specified.
Note: This is available for complete SKU only.
get_cve
Investigation
Export Applications Risk Exports installed applications and CVE list from SentinelOne based on the input parameters you have specified. export_applications_risk
Investigation
Get Applications Retrieves a list of all installed applications per endpoint, including risk levels, from SentinelOne based on the input parameters you have specified.
Note: This is available for complete SKU only.
get_applications
Investigation
Get Application CVEs Retrieves all known CVEs for a specific application, along with application and endpoint information, from SentinelOne based on the application ID you have specified.
Note: This is available for complete SKU only.
get_application_cve
Investigation
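The Create Query And Get Query ID, Get Query Status, Get Events, and Cancel Running Query rows above describe one procedure: start a Deep Visibility query, poll it, page through its events, and cancel it if it runs too long. The following is an added example of how a playbook-side script would chain them; it is not the connector's code. The status values, the response field names (`queryId`, `responseState`, `data`, `pagination.totalItems`), the query syntax, and the `FakeSentinelOneClient` with its constructed events are assumptions standing in for the real operations.

```python
# Added example (not the connector's or SentinelOne's code): bounded
# Deep Visibility search over the four query operations.
import time

# Assumption: terminal states modelled on the SentinelOne API; the page
# names the operations but not their status values.
TERMINAL_STATES = {"FINISHED", "FAILED", "TIMED_OUT", "QUERY_CANCELLED"}


class FakeSentinelOneClient:
    """Stand-in for the four connector operations, backed by constructed data."""

    def __init__(self, status_sequence, events):
        self._status = list(status_sequence)   # states returned on successive polls
        self._events = events                   # constructed event records
        self.cancelled = []

    def create_query(self, query, from_date, to_date):
        return {"queryId": "q-0001"}

    def get_query_status(self, query_id):
        # Return the next scripted state; the last one repeats forever.
        state = self._status.pop(0) if len(self._status) > 1 else self._status[0]
        return {"queryId": query_id, "responseState": state}

    def get_events(self, query_id, skip, limit):
        page = self._events[skip:skip + limit]
        return {"data": page, "pagination": {"totalItems": len(self._events)}}

    def cancel_running_query(self, query_id):
        self.cancelled.append(query_id)
        return {"success": True}


def run_deep_visibility_query(client, query, from_date, to_date,
                              timeout_s=300.0, poll_interval_s=5.0, page_size=100,
                              clock=time.monotonic, sleep=time.sleep):
    """Create a query, poll until it reaches a terminal state, then page through
    its events with skip/limit. A query still running at the deadline is
    cancelled so it does not keep occupying the console's query slots."""
    query_id = client.create_query(query, from_date, to_date)["queryId"]
    deadline = clock() + timeout_s
    while True:
        state = client.get_query_status(query_id)["responseState"]
        if state in TERMINAL_STATES:
            break
        if clock() >= deadline:
            client.cancel_running_query(query_id)
            raise TimeoutError(f"query {query_id} still {state} after {timeout_s}s; cancelled")
        sleep(poll_interval_s)
    if state != "FINISHED":
        raise RuntimeError(f"query {query_id} ended in state {state}")

    events, skip = [], 0
    while True:
        page = client.get_events(query_id, skip=skip, limit=page_size)
        events.extend(page["data"])
        skip += len(page["data"])
        if not page["data"] or skip >= page["pagination"]["totalItems"]:
            break
    return events


# Constructed sample: three PowerShell process events; the query needs two polls.
SAMPLE_EVENTS = [
    {"id": "e1", "eventType": "Process Creation", "processName": "powershell.exe",
     "processCmd": "powershell.exe -enc SQBFAFgA", "agentName": "WS-0012"},
    {"id": "e2", "eventType": "Process Creation", "processName": "powershell.exe",
     "processCmd": "powershell.exe -nop -w hidden", "agentName": "WS-0031"},
    {"id": "e3", "eventType": "Process Creation", "processName": "powershell.exe",
     "processCmd": "powershell.exe Get-ChildItem", "agentName": "WS-0012"},
]
SAMPLE_QUERY = 'ProcessName = "powershell.exe"'   # assumed Deep Visibility syntax


def demo_success():
    """Two RUNNING polls, then FINISHED; events are fetched in pages of two."""
    client = FakeSentinelOneClient(["RUNNING", "RUNNING", "FINISHED"], SAMPLE_EVENTS)
    events = run_deep_visibility_query(client, SAMPLE_QUERY, "2020-01-01T00:00:00Z",
                                       "2020-01-02T00:00:00Z", page_size=2,
                                       poll_interval_s=0, sleep=lambda s: None)
    return [e["id"] for e in events], client.cancelled


def demo_timeout():
    """A query that never finishes is cancelled once the fake clock passes the deadline."""
    ticks = iter(range(0, 1000, 10))            # fake clock advancing 10 s per call
    client = FakeSentinelOneClient(["RUNNING"], SAMPLE_EVENTS)
    try:
        run_deep_visibility_query(client, SAMPLE_QUERY, "2020-01-01T00:00:00Z",
                                  "2020-01-02T00:00:00Z", timeout_s=30,
                                  clock=lambda: next(ticks), sleep=lambda s: None)
    except TimeoutError:
        return client.cancelled
    return []


if __name__ == "__main__":
    print(demo_success())
    print(demo_timeout())
```

Injecting `clock` and `sleep` keeps the timeout path testable without waiting; in a playbook the same loop maps onto a Get Query Status step inside a loop with a step counter and a Cancel Running Query step on the exit branch.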

operation: Get Agents

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Agent Memory Less Than (GB) Retrieve only those agents whose memory size is less than the specified value from SentinelOne.
Agent Memory Greater Than (GB) Retrieve only those agents whose memory size is greater than the specified value from SentinelOne.
Agent Core Count Less Than Retrieve only those agents whose core count is less than the specified value from SentinelOne.
Agent Core Count Greater Than Retrieve only those agents whose core count is greater than the specified value from SentinelOne.
Is Active Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Active".
Is Infected Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Infected".
Is Decommissioned Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Decommissioned".
Agent IDs List of comma-separated agent IDs that you want to retrieve from SentinelOne.
Computer Name Like Retrieve only those agents whose computer name matches the specified value from SentinelOne.
Agent Version Version of the agent that you want to retrieve from SentinelOne.
Limit Maximum number of results, per page, that this operation should return.
Skip Records Skips the specified number of results from the total results.
Network Status Select the network status of the agent that you want to retrieve from SentinelOne. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

A customized JSON output that is formatted for easy reference is the output for all the operations.

The output contains the following populated JSON schema:
{
     "agentVersion": "",
     "allowRemoteShell": "",
     "modelName": "",
     "encryptedApplications": "",
     "cpuId": "",
     "totalMemory": "",
     "lastLoggedInUserName": "",
     "activeDirectory": {
         "computerMemberOf": [],
         "lastUserMemberOf": [],
         "computerDistinguishedName": "",
         "lastUserDistinguishedName": ""
     },
     "siteId": "",
     "uuid": "",
     "coreCount": "",
     "machineType": "",
     "osType": "",
     "createdAt": "",
     "osStartTime": "",
     "groupIp": "",
     "networkInterfaces": [
         {
             "inet6": [],
             "name": "",
             "inet": [],
             "id": "",
             "physical": ""
         }
     ],
     "cpuCount": "",
     "appsVulnerabilityStatus": "",
     "registeredAt": "",
     "scanStatus": "",
     "infected": "",
     "isPendingUninstall": "",
     "licenseKey": "",
     "lastActiveDate": "",
     "groupId": "",
     "osRevision": "",
     "osName": "",
     "groupName": "",
     "mitigationModeSuspicious": "",
     "consoleMigrationStatus": "",
     "isUpToDate": "",
     "osUsername": "",
     "updatedAt": "",
     "osArch": "",
     "domain": "",
     "activeThreats": "",
     "accountId": "",
     "inRemoteShellSession": "",
     "locations": [],
     "scanAbortedAt": "",
     "mitigationMode": "",
     "userActionsNeeded": [],
     "id": "",
     "isActive": "",
     "externalIp": "",
     "siteName": "",
     "scanStartedAt": "",
     "locationType": "",
     "isUninstalled": "",
     "networkStatus": "",
     "isDecommissioned": "",
     "computerName": "",
     "scanFinishedAt": "",
     "accountName": "",
     "externalId": ""
}

operation: Agent Action

Input parameters

Parameter Description
Action Select the action that you want to perform on the specified agent in SentinelOne. You can choose between the following actions: Isolate Agent Network, Decommission Agent, Uninstall Agent, or Shutdown Agent.
Agent IDs List of comma-separated agent IDs on which you want to perform actions in SentinelOne.
Group IDs (Optional) List of comma-separated group IDs whose agents you want to perform actions on in SentinelOne.
Is Decommissioned Select this checkbox if the status of the agent on which you want to perform actions on SentinelOne is set as "Decommissioned".
Is Uninstalled Select this checkbox if the status of the agent on which you want to perform actions on SentinelOne is set as "Uninstalled".

Output

The output contains the following populated JSON schema:
{
     "affected": ""
}

operation: Reconnect Agent

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, no filter criterion is applied and the reconnect action is applied to all agents.

Parameter Description
Agent Memory Less Than (GB) Reconnects only those agents to the network in SentinelOne whose memory size is less than the specified value.
Agent Memory Greater Than (GB) Reconnects only those agents to the network in SentinelOne whose memory size is greater than the specified value.
Agent Core Count Less Than Reconnects only those agents to the network in SentinelOne whose core count is less than the specified value.
Agent Core Count Greater Than Reconnects only those agents to the network in SentinelOne whose core count is greater than the specified value.
Is Active Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Active".
Is Infected Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Infected".
Is Decommissioned Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Decommissioned".
Agent IDs List of comma-separated agent IDs that you want to reconnect to the SentinelOne network.
Computer Name Like Reconnects only those agents to the network in SentinelOne whose computer name matches the specified value.
Agent Version Version of the agent that you want to reconnect to the SentinelOne network.
OS Type Select the OS type of the agent that you want to reconnect to the SentinelOne network. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
Network Status Select the network status of the agent that you want to reconnect to the SentinelOne network. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON output contains the number of agents that were reconnected to the network.

The output contains the following populated JSON schema:
{
     "affected": ""
}

operation: Get Agent Passphrase

Input parameters

Parameter Description
Agent ID ID of the agent whose passphrase you want to retrieve from SentinelOne. The passphrase can be used to uninstall an offline agent. Treat the returned passphrase as a secret: anyone who holds it can remove the agent from that endpoint.

Output

The JSON contains a string output with the passphrase that can be used to delete an offline agent.

The output contains the following populated JSON schema:
{
     "lastLoggedInUserName": "",
     "passphrase": "",
     "domain": "",
     "id": "",
     "computerName": "",
     "uuid": ""
}

operation: Get Agent Application

Input parameters

Parameter Description
Agent Id ID of the agent whose list of installed applications you want to retrieve from SentinelOne.

Output

The JSON contains a list of application objects, with information such as name and installation date, for the applications installed on the specified agent.

The output contains the following populated JSON schema:
{
     "name": "",
     "version": "",
     "size": "",
     "publisher": "",
     "installedDate": ""
}

operation: Get Agent Process

Input parameters

Parameter Description
Agent Id ID of the agent whose list of running processes you want to retrieve from SentinelOne.

Output

The JSON contains a list of running processes along with the process details for the specified agent.

The output contains the following populated JSON schema:
{
     "cpuUsage": "",
     "memoryUsage": "",
     "pid": "",
     "executablePath": "",
     "startTime": "",
     "processName": ""
}

operation: Broadcast Message to Agent

Input parameters

Parameter Description
Message Message that you want to broadcast to an agent or a list of agents in SentinelOne.
Agent IDs List of comma-separated agent IDs in SentinelOne to whom you want to broadcast the specified message.
Agent Memory Less Than (GB) (Optional) Broadcast the message only to those agents whose memory size is less than the specified value.
Agent Memory Greater Than (GB) (Optional) Broadcast the message only to those agents whose memory size is greater than the specified value.
Agent Core Count Less Than (Optional) Broadcast the message only to those agents whose core count is less than the specified value.
Agent Core Count Greater Than (Optional) Broadcast the message only to those agents whose core count is greater than the specified value.
Is Active Select this checkbox if the status of the agent to whom you want to broadcast a message is set as "Active".
Is Infected Select this checkbox if the status of the agent to whom you want to broadcast a message is set as "Infected".
Is Decommissioned Select this checkbox if the status of the agent to whom you want to broadcast a message is set as "Decommissioned".
Computer Name Like (Optional) Broadcast the message only to those agents whose computer name matches the specified value in SentinelOne.
Agent Version Version of the agent to whom you want to broadcast the message.
OS Type Select the OS type of the agent in the SentinelOne network to whom you want to broadcast the message. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
Network Status Select the network status of the agent in the SentinelOne to whom you want to broadcast the message. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON output contains the number of agents that are affected by the broadcast operation after the query is successfully run.

The output contains the following populated JSON schema:
{
     "affected": ""
}

operation: Initiate Agent Scan

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, no filter criterion is applied and the scan is initiated on all agents.

Parameter Description
Agent Memory Less Than (GB) Initiates a scan only on those agents whose memory size is less than the specified value.
Agent Memory Greater Than (GB) Initiates a scan only on those agents whose memory size is greater than the specified value.
Agent Core Count Less Than Initiates a scan only on those agents whose core count is less than the specified value.
Agent Core Count Greater Than Initiates a scan only on those agents whose core count is greater than the specified value.
Is Active  Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Active". 
Is Infected  Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Infected". 
Is Decommissioned Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Decommissioned". 
Agent IDs List of comma-separated agent IDs on which you want to initiate a scan in SentinelOne.
Computer Name Like Initiate the scan only on those agents that match the specified computer name.
Agent Version Version of the agent on which you want to initiate a scan.
OS Type Select the OS type of the agent in SentinelOne on which you want to initiate the scan. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
Network Status Select the network status of the agent in the SentinelOne on which you want to initiate the scan. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON output contains the number of agents that are affected by the scan operation after the query is successfully run.

The output contains the following populated JSON schema:
{
     "affected": ""
}

operation: Abort Agent Scan

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, no filter criterion is applied and the scan is aborted on all agents.

Parameter Description
Agent Memory Less Than (GB) Aborts the scan only on those agents whose memory size is less than the specified value.
Agent Memory Greater Than (GB) Aborts the scan only on those agents whose memory size is greater than the specified value.
Agent Core Count Less Than Aborts the scan only on those agents whose core count is less than the specified value.
Agent Core Count Greater Than Aborts the scan only on those agents whose core count is greater than the specified value.
Is Active Select this checkbox if the status of the agent on which you want to abort the scan is set as "Active". 
Is Infected Select this checkbox if the status of the agent on which you want to abort the scan is set as "Infected". 
Is Decommissioned Select this checkbox if the status of the agent on which you want to abort the scan is set as "Decommissioned". 
Agent IDs List of comma-separated agent IDs on which you want to abort the scan in SentinelOne.
Computer Name Like Abort the scan only on those agents that match the specified computer name.
Agent Version Version of the agent on which you want to abort the scan.
OS Type Select the OS type of the agent in SentinelOne on which you want to abort the scan. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
Network Status Select the network status of the agent in the SentinelOne on which you want to abort the scan. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON output contains the number of agents that are affected by the abort scan operation after the query is successfully run.

The output contains the following populated JSON schema:
{
     "affected": ""
}

operation: Get Hash Details

Input parameters

Parameter Description
Hash ID SHA1 hash (no other hash type is accepted) of the file whose details you want to retrieve from SentinelOne.

Output

The JSON contains the details of the specified hash ID.

The output contains the following populated JSON schema:
{
     "rank": ""
}

operation: Get Threat Details

Input parameters

Parameter Description
Threat Id ID of the threat whose details you want to retrieve from SentinelOne.

Output

The JSON contains the details of the specified threat ID.

The output contains the following populated JSON schema:
{
     "cloudVerdict": "",
     "agentDomain": "",
     "fileIsDotNet": "",
     "id": "",
     "maliciousProcessArguments": "",
     "accountId": "",
     "fromScan": "",
     "agentId": "",
     "fileCreatedDate": "",
     "maliciousGroupId": "",
     "markedAsBenign": "",
     "isInteractiveSession": "",
     "siteName": "",
     "classifierName": "",
     "fileExtensionType": "",
     "indicators": [],
     "classificationSource": "",
     "classification": "",
     "createdAt": "",
     "mitigationStatus": "",
     "description": "",
     "agentOsType": "",
     "filePath": "",
     "agentInfected": "",
     "fileObjectId": "",
     "username": "",
     "threatAgentVersion": "",
     "browserType": "",
     "fileContentHash": "",
     "fileDisplayName": "",
     "publisher": "",
     "rank": "",
     "isPartialStory": "",
     "engines": [],
     "threatName": "",
     "annotation": "",
     "certId": "",
     "accountName": "",
     "isCertValid": "",
     "collectionId": "",
     "fileSha256": "",
     "resolved": "",
     "updatedAt": "",
     "agentIsDecommissioned": "",
     "agentIsActive": "",
     "agentVersion": "",
     "agentIp": "",
     "agentComputerName": "",
     "fromCloud": "",
     "fileIsExecutable": "",
     "createdDate": "",
     "siteId": "",
     "fileIsSystem": "",
     "annotationUrl": "",
     "whiteningOptions": [],
     "agentMachineType": "",
     "agentNetworkStatus": "",
     "mitigationMode": "",
     "mitigationReport": {
         "quarantine": {
             "status": ""
         },
         "kill": {
             "status": ""
         },
         "rollback": {
             "status": ""
         },
         "remediate": {
             "status": ""
         },
         "network_quarantine": {
             "status": ""
         }
     },
     "fileMaliciousContent": "",
     "fileVerificationType": ""
}

operation: Mitigate Threat

Input parameters

Parameter Description
Action Select the action that you want to perform on the specified threat. You can choose between the following actions: Kill, Quarantine, Un-Quarantine, Remediate, or Rollback-Remediation.
Threat ID ID of the threat on which you want to take the specified action.
Content Hash (Optional) Content hash of the file associated with the threat that requires mitigation.
Threat Name (Optional) Name of the threat that requires mitigation.
Agent ID (Optional) ID of the agent on which the threat has been identified.
Limit Records (Optional) Maximum number of results, per page, that this operation should return.
From Scan Select this option if the threat was detected as a result of a scan.

Output

The JSON output contains the number of threats affected by the mitigation action.

The output contains the following populated JSON schema:
{
     "affected": ""
}

operation: Mark Threat as Benign

Input parameters

Parameter Description
Target Scope Scope of the target that you want to mark as safe in SentinelOne.
Threat Id ID of the threat that you want to mark as safe in SentinelOne.
Content Hash (Optional) Content hash of the file associated with the threat that you want to mark as safe in SentinelOne.
Threat Name (Optional) Name of the threat that you want to mark as safe in SentinelOne.
Agent Id (Optional) ID of the agent on which the threat has been identified.
Limit Records (Optional) Maximum number of results, per page, that this operation should return.
From Scan Select this option if the threat was detected as a result of a scan.

Output

The JSON output contains the number of threats that were marked as safe.

The output contains the following populated JSON schema:
{
     "affected": ""
}

operation: Fetch Agent Logs

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, no filter criterion is applied and logs are fetched from all agents.

Parameter Description
Agent Memory Less Than (GB) Retrieve logs only from those agents whose memory size is less than the specified value.
Agent Memory Greater Than (GB) Retrieve logs only from those agents whose memory size is greater than the specified value.
Agent Core Count Less Than Retrieve logs only from those agents whose core count is less than the specified value.
Agent Core Count Greater Than Retrieve logs only from those agents whose core count is greater than the specified value.
Is Active Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Active".
Is Infected Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Infected".
Is Decommissioned Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Decommissioned".
Agent IDs List of comma-separated agent IDs whose logs you want to retrieve from SentinelOne.
Computer Name Like Retrieve logs of only those agents who match the specified computer name.
Agent Version Version of the agent whose logs you want to retrieve from SentinelOne.
OS Type Select the OS type of the agent in SentinelOne whose logs you want to retrieve. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
Network Status Select the network status of the agent in the SentinelOne whose logs you want to retrieve. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON output contains the number of agents whose logs are fetched after the query is successfully run.

The output contains the following populated JSON schema:
{
     "affected": ""
}

operation: Get Agent Count

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, no filter criterion is applied and the count of all agents is returned.

Parameter Description
Agent Memory Less Than (GB) Count only those agents whose memory size is less than the given value.
Agent Memory Greater Than (GB) Count only those agents whose memory size is greater than the given value.
Agent Core Count Less Than Count only those agents whose core count is less than the given value.
Agent Core Count Greater Than Count only those agents whose core count is greater than the given value.
Is Active Select this checkbox to count only those agents whose status in SentinelOne is "Active".
Is Infected Select this checkbox to count only those agents whose status in SentinelOne is "Infected".
Is Decommissioned Select this checkbox to count only those agents whose status in SentinelOne is "Decommissioned".
Agent IDs List of comma-separated agent IDs that you want to count in SentinelOne.
Computer Name Like Count only those agents whose computer name matches the specified name.
Agent Version Version of the agents that you want to count in SentinelOne.
OS Type Select the OS type of the agents that you want to count in SentinelOne. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
Network Status Select the network status of the agents that you want to count in SentinelOne. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON output contains the number of available agents.

The output contains the following populated JSON schema:
{
     "total": ""
}

operation: List All Threats

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Content Hash Hash ID of the file associated with the threat.
Threat Name Name of the threat that you want to search for on all agents on SentinelOne.
Agent ID ID of the agent whose threats you want to list.
Limit Records Maximum number of results, per page, that this operation should return.
Skip Records Skips the specified number of results from the total results.
From Scan Select this option if the threat was detected as a result of a scan.

Output

The JSON output contains the threat objects that are found after the query is successfully run.

The output contains the following populated JSON schema:
{
     "cloudVerdict": "",
     "agentDomain": "",
     "fileIsDotNet": "",
     "id": "",
     "maliciousProcessArguments": "",
     "accountId": "",
     "fromScan": "",
     "agentId": "",
     "fileCreatedDate": "",
     "maliciousGroupId": "",
     "markedAsBenign": "",
     "isInteractiveSession": "",
     "siteName": "",
     "classifierName": "",
     "fileExtensionType": "",
     "indicators": [],
     "classificationSource": "",
     "classification": "",
     "createdAt": "",
     "mitigationStatus": "",
     "description": "",
     "agentOsType": "",
     "filePath": "",
     "agentInfected": "",
     "fileObjectId": "",
     "username": "",
     "threatAgentVersion": "",
     "browserType": "",
     "fileContentHash": "",
     "fileDisplayName": "",
     "publisher": "",
     "rank": "",
     "isPartialStory": "",
     "engines": [],
     "threatName": "",
     "annotation": "",
     "certId": "",
     "accountName": "",
     "isCertValid": "",
     "collectionId": "",
     "fileSha256": "",
     "resolved": "",
     "updatedAt": "",
     "agentIsDecommissioned": "",
     "agentIsActive": "",
     "agentVersion": "",
     "agentIp": "",
     "agentComputerName": "",
     "fromCloud": "",
     "fileIsExecutable": "",
     "createdDate": "",
     "siteId": "",
     "fileIsSystem": "",
     "annotationUrl": "",
     "whiteningOptions": [],
     "agentMachineType": "",
     "agentNetworkStatus": "",
     "mitigationMode": "",
     "mitigationReport": {
         "quarantine": {
             "status": ""
         },
         "kill": {
             "status": ""
         },
         "rollback": {
             "status": ""
         },
         "remediate": {
             "status": ""
         },
         "network_quarantine": {
             "status": ""
         }
     },
     "fileMaliciousContent": "",
     "fileVerificationType": ""
}
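The threat objects returned by List All Threats carry both the overall mitigationStatus and a per-action mitigationReport (kill, quarantine, remediate, rollback, network_quarantine), which a playbook can use to decide which threats still need an analyst and how far the same file has spread across agents. The following Python snippet is an added example of that triage; it is not code from the connector or from SentinelOne. The status values it compares against ("mitigated", "success", "failed") are assumptions, and the sample records are constructed to match the output schema above.

```python
"""Triage of List All Threats output: flag threats that still need an analyst because
mitigation did not complete, and measure spread by grouping on fileContentHash.
Added example, not connector code; the status vocabulary ("mitigated", "success",
"failed") is assumed and the records below are constructed."""
from collections import defaultdict

MITIGATION_ACTIONS = ("kill", "quarantine", "remediate", "rollback", "network_quarantine")


def failed_actions(threat):
    """mitigationReport entries whose status is "failed" (assumed status value)."""
    report = threat.get("mitigationReport") or {}
    return [a for a in MITIGATION_ACTIONS if report.get(a, {}).get("status") == "failed"]


def needs_attention(threat):
    """Reasons an open threat should land in the analyst queue (empty list = none)."""
    if threat.get("resolved") or threat.get("markedAsBenign"):
        return []
    reasons = []
    if threat.get("mitigationStatus") != "mitigated":
        reasons.append(f"mitigationStatus={threat.get('mitigationStatus')}")
    reasons.extend(f"{action} failed" for action in failed_actions(threat))
    if threat.get("agentInfected"):
        reasons.append("agent still flagged infected")
    return reasons


def spread_by_hash(threats):
    """fileContentHash -> sorted distinct agentIds on which that file was detected."""
    seen = defaultdict(set)
    for t in threats:
        if t.get("fileContentHash"):
            seen[t["fileContentHash"]].add(t["agentId"])
    return {h: sorted(agents) for h, agents in seen.items()}


def triage(threats):
    """Attention items, most widely spread file first; ties broken by threat id."""
    spread = spread_by_hash(threats)
    items = []
    for t in threats:
        reasons = needs_attention(t)
        if reasons:
            items.append({"id": t["id"], "agent": t.get("agentComputerName"),
                          "hash": t.get("fileContentHash"), "reasons": reasons,
                          "agents_with_hash": len(spread.get(t.get("fileContentHash"), []))})
    return sorted(items, key=lambda i: (-i["agents_with_hash"], i["id"]))


def make_threat(tid, agent_id, file_hash, mitigation_status, failed=(), **flags):
    """Constructed record carrying the List All Threats schema fields used above."""
    report = {a: {"status": "failed" if a in failed else "success"} for a in MITIGATION_ACTIONS}
    rec = {"id": tid, "agentId": agent_id, "agentComputerName": f"host-{agent_id[-1]}",
           "fileContentHash": file_hash, "mitigationStatus": mitigation_status,
           "mitigationReport": report, "resolved": False, "markedAsBenign": False,
           "agentInfected": False, "createdAt": "2024-01-01T00:00:00Z"}
    rec.update(flags)
    return rec


# Constructed sample: one file hash seen on three agents, with one mitigation that failed.
SAMPLE_THREATS = [
    make_threat("t-1", "agent-1", "sha1-constructed-A", "mitigated"),
    make_threat("t-2", "agent-2", "sha1-constructed-A", "not_mitigated", failed=("kill", "quarantine")),
    make_threat("t-3", "agent-3", "sha1-constructed-B", "mitigated", agentInfected=True),
    make_threat("t-4", "agent-1", "sha1-constructed-C", "marked_as_benign", markedAsBenign=True),
    make_threat("t-5", "agent-3", "sha1-constructed-A", "mitigated", resolved=True),
]
```

Resolved and benign-marked threats drop out before any other check, so a playbook step built on `triage()` only escalates what the platform itself has not closed; sorting by the number of agents that saw the same hash puts a spreading file ahead of an isolated one.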

operation: Create Query And Get Query ID

Input parameters

Parameter Description
Query Free-text search term that is matched (as a sub-string) against the applicable attributes in SentinelOne; the Deep Visibility query is created from it and its query ID is returned.
From Date Start date of the time range that the query covers.
To Date End date of the time range that the query covers.
Group IDs (Optional) List of comma-separated agent group IDs to which the query is scoped.
Tenant Select this checkbox to indicate a tenant scope in the query.
Query Type (Optional) Type of the query used by Deep Visibility in SentinelOne.
Account IDs (Optional) List of comma-separated account IDs to which the query is scoped.
Site IDs (Optional) List of comma-separated site IDs to which the query is scoped.

Output

The output contains the following populated JSON schema:
{
     "queryId": ""
}

operation: Get Query Status

Input parameters

Parameter Description
Query ID ID of the query whose status you want to retrieve from SentinelOne. The query ID is returned when you create a query in SentinelOne (see the Create Query And Get Query ID operation).

Output

The output contains the following populated JSON schema:
{
     "progressStatus": "",
     "responseState": ""
}

operation: Get Events

Input parameters

Parameter Description
Query ID ID of the query whose associated events you want to retrieve from SentinelOne. The query ID is returned when you create a query in SentinelOne (see the Create Query And Get Query ID operation).
Limit Records (Optional) Maximum number of results, per page, that this operation should return.
Skip Records (Optional) Skips the specified number of results from the total results.
Cursor (Optional) Cursor position returned by the previous request. You can use this parameter instead of the Skip Records parameter. The cursor currently supports Sort By with createdAt, pid, and processStartTime.
Sort Order (Optional) Sorting order of the results (events): Ascending or Descending.
Sort By (Optional) Name of the field on which you want to sort the results (events).
Sub Query (Optional) Name of the field on which you want to sort the result (events).

Output

The output contains the following populated JSON schema:
{
     "agentVersion": "",
     "agentNetworkStatus": "",
     "fileId": "",
     "indicatorDescription": "",
     "eventType": "",
     "dstIp": "",
     "relatedToThreat": "",
     "processImagePath": "",
     "processName": "",
     "processUniqueKey": "",
     "parentProcessUniqueKey": "",
     "processGroupId": "",
     "eventSubType": "",
     "processUserName": "",
     "networkMethod": "",
     "processDisplayName": "",
     "processSubSystem": "",
     "parentProcessName": "",
     "createdAt": "",
     "srcPort": "",
     "agentIp": "",
     "tid": "",
     "agentOs": "",
     "oldFileSha1": "",
     "agentDomain": "",
     "agentIsDecommissioned": "",
     "registryPath": "",
     "oldFileMd5": "",
     "sha256": "",
     "fileSha256": "",
     "parentProcessIsMalicious": "",
     "indicatorMetadata": "",
     "networkUrl": "",
     "processImageSha1Hash": "",
     "oldFileSha256": "",
     "user": "",
     "md5": "",
     "agentInfected": "",
     "loginsBaseType": "",
     "processStartTime": "",
     "forensicUrl": "",
     "oldFileName": "",
     "dnsResponse": "",
     "srcIp": "",
     "indicatorCategory": "",
     "rpid": "",
     "processIsMalicious": "",
     "taskName": "",
     "dnsRequest": "",
     "loginsUserName": "",
     "indicatorName": "",
     "agentUuid": "",
     "agentMachineType": "",
     "registryId": "",
     "parentProcessGroupId": "",
     "processIntegrityLevel": "",
     "fileFullName": "",
     "signer": "",
     "processSessionId": "",
     "processCmd": "",
     "taskPath": "",
     "parentPid": "",
     "agentId": "",
     "id": "",
     "fileMd5": "",
     "networkSource": "",
     "siteName": "",
     "agentGroupId": "",
     "agentName": "",
     "parentProcessStartTime": "",
     "dstPort": "",
     "trueContext": "",
     "fileSha1": "",
     "threatStatus": "",
     "agentIsActive": "",
     "direction": "",
     "pid": "",
     "sha1": ""
}

operation: Get Events By Type

Input parameters

Parameter Description
Query ID ID of the query whose associated events you want to retrieve from SentinelOne. The query ID is returned when you create a query in SentinelOne (see the Create Query And Get Query ID operation).
Event Type Event type by which you want to filter the results (events). You can choose between the following event types: Events, File, Ip, Url, Dns, Process, Registry, Scheduled task, Logins, or Indicators.
Limit Records (Optional) Maximum number of results, per page, that this operation should return.
Skip Records (Optional) Skips the specified number of results from the total results.
Cursor (Optional) Cursor position returned by the previous request. You can use this parameter instead of the Skip Records parameter. The cursor currently supports Sort By with createdAt, pid, and processStartTime.
Sort Order (Optional) Sorting order of the results (events): Ascending or Descending.
Sort By (Optional) Name of the field on which you want to sort the results (events).
Sub Query (Optional) Name of the field on which you want to sort the result (events).

Output

The output contains the following populated JSON schema:
{
     "data": {
         "agentVersion": "",
         "agentNetworkStatus": "",
         "fileId": "",
         "indicatorDescription": "",
         "eventType": "",
         "dstIp": "",
         "relatedToThreat": "",
         "processImagePath": "",
         "processName": "",
         "processUniqueKey": "",
         "parentProcessUniqueKey": "",
         "processGroupId": "",
         "eventSubType": "",
         "processUserName": "",
         "networkMethod": "",
         "processDisplayName": "",
         "processSubSystem": "",
         "parentProcessName": "",
         "createdAt": "",
         "srcPort": "",
         "agentIp": "",
         "tid": "",
         "agentOs": "",
         "oldFileSha1": "",
         "agentDomain": "",
         "agentIsDecommissioned": "",
         "registryPath": "",
         "oldFileMd5": "",
         "sha256": "",
         "fileSha256": "",
         "parentProcessIsMalicious": "",
         "indicatorMetadata": "",
         "networkUrl": "",
         "processImageSha1Hash": "",
         "oldFileSha256": "",
         "user": "",
         "md5": "",
         "agentInfected": "",
         "loginsBaseType": "",
         "processStartTime": "",
         "forensicUrl": "",
         "oldFileName": "",
         "dnsResponse": "",
         "srcIp": "",
         "indicatorCategory": "",
         "rpid": "",
         "processIsMalicious": "",
         "taskName": "",
         "dnsRequest": "",
         "loginsUserName": "",
         "indicatorName": "",
         "agentUuid": "",
         "agentMachineType": "",
         "registryId": "",
         "parentProcessGroupId": "",
         "processIntegrityLevel": "",
         "fileFullName": "",
         "signer": "",
         "processSessionId": "",
         "processCmd": "",
         "taskPath": "",
         "parentPid": "",
         "agentId": "",
         "id": "",
         "fileMd5": "",
         "networkSource": "",
         "siteName": "",
         "agentGroupId": "",
         "agentName": "",
         "parentProcessStartTime": "",
         "dstPort": "",
         "trueContext": "",
         "fileSha1": "",
         "threatStatus": "",
         "agentIsActive": "",
         "direction": "",
         "pid": "",
         "sha1": ""
     },
     "pagination": {
         "totalItems": "",
         "nextCursor": ""
     }
}

operation: Cancel Running Query

Input parameters

Parameter Description
Query ID ID of the Deep Visibility query that you want to stop in SentinelOne. The query ID is returned when you create a query in SentinelOne (see the Create Query And Get Query ID operation).

Output

The output contains the following populated JSON schema:
{
     "success": ""
}
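The four Deep Visibility operations above are normally chained in a playbook: Create Query And Get Query ID starts the query, Get Query Status is polled until the query finishes, Get Events (or Get Events By Type) pages through the results, and Cancel Running Query stops a query that overruns its time budget. The following Python module is an added example of that sequence and is not code from the connector or from SentinelOne. The endpoint paths, the responseState values FINISHED and RUNNING, and the MockConsole transport are assumptions made so that the module runs offline; the sample events are constructed in the shape of the Get Events output schema.

```python
"""Deep Visibility query workflow as the connector's operations sequence it: Create Query
And Get Query ID -> Get Query Status (poll) -> Get Events (cursor pagination) -> Cancel
Running Query on timeout. Added example; endpoint paths, state names and MockConsole are assumed."""
import time

INIT_QUERY = "/web/api/v2.1/dv/init-query"        # assumed paths, relative to the console URL
QUERY_STATUS = "/web/api/v2.1/dv/query-status"
QUERY_EVENTS = "/web/api/v2.1/dv/events"
CANCEL_QUERY = "/web/api/v2.1/dv/cancel-query"

class QueryTimeout(RuntimeError):
    """Deadline reached; the query has been cancelled server-side."""

def create_query(send, query, from_date, to_date):
    """Create Query And Get Query ID. send(method, path, params) returns parsed JSON."""
    body = {"query": query, "fromDate": from_date, "toDate": to_date}
    return send("POST", INIT_QUERY, body)["data"]["queryId"]

def wait_for_query(send, query_id, timeout_s=60.0, poll_s=2.0,
                   clock=time.monotonic, sleep=time.sleep):
    """Get Query Status until FINISHED; on deadline cancel so the server stops the work."""
    deadline = clock() + timeout_s
    while True:
        data = send("GET", QUERY_STATUS, {"queryId": query_id})["data"]
        state = data["responseState"]
        if state == "FINISHED":
            return data["progressStatus"]
        if state != "RUNNING":  # FAILED, QUERY_CANCELLED, ... are terminal (assumed names)
            raise RuntimeError(f"query {query_id} ended in state {state}")
        if clock() >= deadline:
            send("POST", CANCEL_QUERY, {"queryId": query_id})
            raise QueryTimeout(query_id)
        sleep(poll_s)

def fetch_all_events(send, query_id, page_size=100):
    """Get Events via pagination.nextCursor (not Skip Records) so pages never drop or
    repeat an event; createdAt is one of the cursor-compatible Sort By fields."""
    events, cursor = [], None
    while True:
        params = {"queryId": query_id, "limit": page_size, "sortBy": "createdAt",
                  "sortOrder": "asc", **({"cursor": cursor} if cursor else {})}
        resp = send("GET", QUERY_EVENTS, params)
        events.extend(resp["data"])
        cursor = resp.get("pagination", {}).get("nextCursor")
        if not cursor:
            return events

def run_dv_query(send, query, from_date, to_date, page_size=100, **wait_kw):
    """Whole workflow; wait_kw (timeout_s, poll_s, clock, sleep) goes to wait_for_query."""
    qid = create_query(send, query, from_date, to_date)
    wait_for_query(send, qid, **wait_kw)
    return fetch_all_events(send, qid, page_size)

class MockConsole:
    """Constructed stand-in for the management console so the example runs offline."""
    def __init__(self, events, polls_until_done):
        self.events, self.polls_until_done = events, polls_until_done
        self.polls, self.cancelled = 0, []

    def __call__(self, method, path, params):
        if path == INIT_QUERY:
            return {"data": {"queryId": "q-constructed-1"}}
        if path == QUERY_STATUS:
            self.polls += 1
            done = self.polls >= self.polls_until_done
            return {"data": {"responseState": "FINISHED" if done else "RUNNING",
                             "progressStatus": 100 if done else 50}}
        if path == QUERY_EVENTS:
            start = int(params.get("cursor") or 0)
            end = start + params["limit"]
            return {"data": self.events[start:end], "pagination": {"totalItems": len(
                self.events), "nextCursor": str(end) if end < len(self.events) else None}}
        if path == CANCEL_QUERY:
            self.cancelled.append(params["queryId"])
            return {"data": {"success": True}}
        raise ValueError(path)

# Constructed sample events shaped like the Get Events output schema.
SAMPLE_EVENTS = [{"id": f"evt-{i}", "createdAt": f"2024-01-01T00:00:0{i}Z", "processName": n,
                  "eventType": "Process Creation", "agentName": "host-a"} for i, n in enumerate(
                 ["cmd.exe", "notepad.exe", "svchost.exe", "explorer.exe", "calc.exe"], 1)]

def demo_success():
    """Query finishes on the third poll; five events are paged two at a time."""
    console = MockConsole(SAMPLE_EVENTS, polls_until_done=3)
    events = run_dv_query(console, 'ProcessName = "cmd.exe"', "2024-01-01T00:00:00Z",
                          "2024-01-02T00:00:00Z", page_size=2, sleep=lambda s: None)
    return [e["id"] for e in events], console.polls

def demo_timeout():
    """Query never finishes; a fake clock reaches the deadline and cancel is sent."""
    now, console = [0.0], MockConsole([], polls_until_done=float("inf"))
    try:
        run_dv_query(console, "x", "2024-01-01T00:00:00Z", "2024-01-02T00:00:00Z",
                     timeout_s=5.0, poll_s=2.0, clock=lambda: now[0],
                     sleep=lambda s: now.__setitem__(0, now[0] + s))
        return False, console.cancelled
    except QueryTimeout:
        return True, console.cancelled
```

To run against a real console, replace MockConsole with a callable that issues the HTTP request with the API token in the header and returns the parsed JSON body; everything else stays the same. Paging with the cursor rather than Skip Records matters when new events arrive while you page, and cancelling an abandoned query keeps it from consuming Deep Visibility capacity after the playbook has given up on it.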

operation: Get Application Network Connections

Input parameters

Parameter Description
Application ID ID of the agent application whose network connection you want to retrieve from SentinelOne.
Site IDs (Optional) List of comma-separated agent's sites whose application network connection you want to retrieve from SentinelOne.
Group IDs (Optional) List of comma-separated agent's groups whose application network connection you want to retrieve from SentinelOne.
Country Code (Optional) Country code by which you want to filter the application network connections retrieved from SentinelOne.
Account IDs (Optional) List of comma-separated agent's accounts whose network connection you want to retrieve from SentinelOne.

Output

The output contains a non-dictionary value.

operation: Get Application Forensic Details

Input parameters

Parameter Description
Application ID ID of the agent application whose forensic details you want to retrieve from SentinelOne.
Site IDs (Optional) List of comma-separated agent's sites whose application forensic details you want to retrieve from SentinelOne.
Group IDs (Optional) List of comma-separated agent's groups whose application forensic details you want to retrieve from SentinelOne.
Account IDs (Optional) List of comma-separated agent's accounts whose application forensic details you want to retrieve from SentinelOne.

Output

The output contains the following populated JSON schema:
{
     "success": "",
     "result": {
         "fetch_story_error_at": "",
         "seen_on_network": "",
         "graph": "",
         "process_display_name": "",
         "summary_overview": {
             "network": {
                 "connections": "",
                 "dns": ""
             },
             "file": {
                 "write": "",
                 "create": "",
                 "delete": ""
             },
             "registry": {
                 "security": "",
                 "persistence": "",
                 "stealth": ""
             }
         },
         "summary": "",
         "application_id": "",
         "agent": "",
         "process_created_at": "",
         "category_scores": "",
         "application_duration": "",
         "last_event_seen_at": "",
         "application_created": "",
         "raw_data": "",
         "fetch_story_status": "",
         "fetch_story_sent_at": "",
         "process": {
             "username": "",
             "executable_file_id": "",
             "created_date": "",
             "is_primary": "",
             "bundle_id": "",
             "display_name": "",
             "is_root": "",
             "pid": "",
             "object_id": ""
         },
         "file": {
             "content_hash": "",
             "is_system": "",
             "created_date": "",
             "size": "",
             "display_name": "",
             "permission": "",
             "path": "",
             "object_id": ""
         }
     }
}

operation: Export Forensics Application

Input parameters

Parameter Description
Application ID ID of the agent application whose forensic application you want to export in the CSV/JSON format from SentinelOne.
Export Format Format in which you want to export the forensic application. You can choose between the following formats: CSV or JSON.
Site IDs (Optional) List of comma-separated agent's sites whose forensic application you want to export from SentinelOne.
Group IDs (Optional) List of comma-separated agent's groups whose forensic application you want to export from SentinelOne.
Account IDs (Optional) List of comma-separated agent's accounts whose forensic application you want to export from SentinelOne.

Output

The output contains a non-dictionary value.

operation: Get Threat Seen on Network

Input parameters

Parameter Description
Threat ID ID of the threat whose "seen on network data" you want to retrieve from SentinelOne.
Site IDs (Optional) List of comma-separated agent's sites whose "seen on network data" you want to retrieve from SentinelOne.
Group IDs (Optional) List of comma-separated agent's groups whose "seen on network data" you want to retrieve from SentinelOne.
Account IDs (Optional) List of comma-separated agent's accounts whose "seen on network data" you want to retrieve from SentinelOne.

Output

The output contains the following populated JSON schema:
{
     "agent_version": "",
     "description": "",
     "created_date": "",
     "meta_data": {
         "updated_at": "",
         "created_at": ""
     },
     "id": "",
     "malicious_group_id": "",
     "resolved": "",
     "status": "",
     "from_cloud": "",
     "agent": ""
}

operation: Get Threat Network Connections

Input parameters

Parameter Description
Threat ID ID of the threat whose network connection you want to retrieve from SentinelOne.
Site IDs (Optional) List of comma-separated agent's sites whose network connection you want to retrieve from SentinelOne.
Group IDs (Optional) List of comma-separated agent's groups whose network connection you want to retrieve from SentinelOne.
Country Code (Optional) Country code whose network connection you want to retrieve from SentinelOne.
Account IDs (Optional) List of comma-separated agent's accounts whose network connection you want to retrieve from SentinelOne.

Output

The output contains the following populated JSON schema:
{
     "message": ""
}

operation: Threat Forensic Details

Input parameters

Parameter Description
Threat ID ID of the threat whose forensic details you want to retrieve from SentinelOne.

Output

The output contains the following populated JSON schema:
{
     "result": {
         "policy_id": "",
         "agent_version": "",
         "occurred_at": "",
         "graph": {
             "edges_summary": [],
             "node_sets": {}
         },
         "file_hash": "",
         "file_display_name": "",
         "file_created_at": "",
         "agent": "",
         "category_scores": [],
         "publisher": "",
         "raw_data": {
             "edges": [],
             "nodes": {
                 "6ADE07922117100C": {
                     "agent_version": "",
                     "in_threat": "",
                     "malicious_content": "",
                     "agent_uuid": "",
                     "meta_data": {
                         "updated_at": "",
                         "count": "",
                         "created_at": ""
                     },
                     "has_reputation": "",
                     "group_id": "",
                     "event_type": "",
                     "object_id": "",
                     "data": {
                         "path": "",
                         "is_system": "",
                         "created_date": "",
                         "is_executable": "",
                         "verification_type": "",
                         "extension_type": "",
                         "size": "",
                         "object_id": "",
                         "content_hash": "",
                         "permission": ""
                     }
                 }
             }
         },
         "indicators": [],
         "cert_id": "",
         "is_cert_valid": ""
     }
}

operation: Export Threat

Input parameters

Parameter Description
Threat ID ID of the threat whose details, along with its associated events, you want to export from SentinelOne in CSV, JSON, or RAW format.
Export Format Format in which you want to export the threat data. You can choose between the following formats: CSV, RAW, or JSON.

Output

The output contains the following populated JSON schema:
{
     "threat_details": {
         "description": "",
         "id": "",
         "created_at": "",
         "agent": ""
     },
     "events": [],
     "agent_details": {
         "external_ip": "",
         "registered_at": "",
         "agent_version_current": "",
         "computer_name": "",
         "last_active_date": "",
         "agent_version_at_threat_time": "",
         "group_ip": "",
         "domain": "",
         "cpu": "",
         "os": ""
     },
     "file_details": {
         "size": "",
         "created_at": "",
         "id": "",
         "display_name": "",
         "permission": "",
         "content_hash": ""
     },
     "reputation": {
         "rank": ""
     }
}

operation: Get Application Forensics

Input parameters

Parameter Description
Application ID ID of the agent application whose forensic data you want to retrieve from SentinelOne.
Site IDs (Optional) List of comma-separated agent's sites whose application forensic data you want to retrieve from SentinelOne.
Group IDs (Optional) List of comma-separated agent's groups whose application forensic data you want to retrieve from SentinelOne.
Account IDs (Optional) List of comma-separated agent's accounts whose application forensic data you want to retrieve from SentinelOne.

Output

The output contains the following populated JSON schema:
{
     "success": "",
     "result": {
         "process_created_at": "",
         "seen_on_network": "",
         "process": {
             "username": "",
             "executable_file_id": "",
             "created_date": "",
             "is_primary": "",
             "bundle_id": "",
             "display_name": "",
             "is_root": "",
             "pid": "",
             "object_id": ""
         },
         "file": {
             "content_hash": "",
             "is_system": "",
             "created_date": "",
             "size": "",
             "display_name": "",
             "permission": "",
             "path": "",
             "object_id": ""
         },
         "process_display_name": "",
         "fetch_story_status": "",
         "agent": "",
         "malicious_process_arguments": "",
         "application_id": "",
         "application_created": ""
     }
}

operation: Get Threat Forensics

Input parameters

Parameter Description
Threat ID ID of the threat for which you want to retrieve the forensic data.
Site IDs (Optional) List of comma-separated agent's sites whose threat data you want to retrieve from SentinelOne.
Group IDs (Optional) List of comma-separated agent's groups whose threat data you want to retrieve from SentinelOne.
Account IDs (Optional) List of comma-separated agent's accounts whose threat data you want to retrieve from SentinelOne.

Output

The output contains the following populated JSON schema:
{
     "result": {
         "seen_on_network": "",
         "occurred_at": "",
         "file_display_name": "",
         "marked_as_benign": "",
         "classifier_name": "",
         "mitigation_status": "",
         "file_created_at": "",
         "file_path": "",
         "classification_source": "",
         "classification": "",
         "mitigation_report": {
             "quarantine": {
                 "status": ""
             },
             "rollback": {
                 "status": ""
             },
             "remediate": {
                 "status": ""
             },
             "network_quarantine": {
                 "status": ""
             },
             "kill": {
                 "status": ""
             }
         },
         "threat_id": "",
         "whitening_options": [],
         "threat_created": "",
         "malicious_group_id": "",
         "in_quarantine": "",
         "file_content_hash": "",
         "file_hash": "",
         "malicious_process_arguments": "",
         "annotation_url": "",
         "agent": "",
         "from_scan": "",
         "annotation": "",
         "file_description": "",
         "resolved": "",
         "mitigation_actions": []
     }
}

operation: Free Text

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "title": "",
     "key": "",
     "autoComplete": ""
}

operation: Get Application Count

Input parameters

Parameter Description
Get Count By Filter based on which you want to retrieve the application count from SentinelOne. You can choose between Risk Levels or Filters. By default, this is set to Risk Levels.
Site IDs (Optional) List of comma-separated agent's sites whose application count you want to retrieve from SentinelOne.
Group IDs (Optional) List of comma-separated agent's groups whose application count you want to retrieve from SentinelOne.
Account IDs (Optional) List of comma-separated agent's accounts whose application count you want to retrieve from SentinelOne.
Agent Machine Types (Optional) Type of agent machine whose application count you want to retrieve from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server.
Application IDs (Optional) List of comma-separated application IDs whose application count you want to retrieve, per filter value, from SentinelOne.
Application Types (Optional) Type of application whose application count you want to retrieve from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension.
Is Decommissioned Select this checkbox if the status of the agent whose application count you want to retrieve from SentinelOne is set as "Decommissioned".
Risk Levels (Optional) Level of risks whose application count you want to retrieve from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical.
OS Types (Optional) Type of OS whose application count you want to retrieve from SentinelOne. You can choose between the following OS types: Macos, Windows_Legacy, Linux, or Windows.
Extra Parameters (Optional) Additional request parameters in the JSON format.

Output

The output contains the following populated JSON schema:
{
     "title": "",
     "key": "",
     "values": [
         {
             "count": "",
             "title": "",
             "value": ""
         }
     ]
}

operation: Get CVEs

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Limit Records Maximum number of results, per page, that this operation should return.
Skip Count Select this option to skip calculating the total number of results, which speeds up the operation.
Sort Order Sorting order of the results: Ascending or Descending.
Sort By Name of the field on which you want to sort the result. You can choose between the following fields: ID, PublishedAt, AgentID, or ApplicationID.
Internal CVE IDs List of comma-separated internal CVE IDs on which you want to filter the CVEs retrieved using this operation from SentinelOne.
Global CVE IDs List of comma-separated global CVE IDs on which you want to filter the CVEs retrieved using this operation from SentinelOne.
Count Only Select this option to only retrieve the total number of items, without any of the actual objects, from SentinelOne.
Extra Parameters Additional request parameters in the JSON format.

Output

The output contains the following populated JSON schema:
{
     "data": {
         "publishedAt": "",
         "link": "",
         "id": "",
         "score": "",
         "riskLevel": "",
         "updatedAt": "",
         "cveId": "",
         "createdAt": "",
         "description": ""
     }
}

operation: Export Applications Risk

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Site IDs List of comma-separated agent's site IDs to export application risks from SentinelOne.
Group IDs List of comma-separated agent's group IDs to export application risks from SentinelOne.
Account IDs List of comma-separated agent's account IDs to export application risks from SentinelOne.
Size Between Size range of the application between which you want to filter the application risks. You can specify the size range in bytes from 1024 to 104856.
Agent Machine Types Type of agent machine whose application risks you want to export from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server.
Application IDs ID of the agent application whose installed applications and CVEs list you want to export from SentinelOne.
Application Types Type of application whose application risks you want to export from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension.
Is Decommissioned Select this checkbox if the status of the agent whose application risks you want to export from SentinelOne is set as "Decommissioned".
Risk Levels Level of risks whose application risks you want to export from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical.
OS Types Type of OS whose application risks you want to export from SentinelOne. You can choose between the following OS types: Macos, Windows Legacy, Linux, or Windows.
Extra Parameters Additional request parameters in the JSON format.

Output

No output schema is available at this time.

operation: Get Applications

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Limit Records Maximum number of results, per page, that this operation should return.
Skip Count Select this option to skip calculating the total number of results, which speeds up the operation.
Sort Order Sorting order of the results: Ascending or Descending.
Agent Machine Types Type of endpoint machine whose applications you want to retrieve from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server.
Application IDs ID of the agent application whose installed applications you want to retrieve from SentinelOne.
Is Decommissioned Select this checkbox if the status of the agent whose applications you want to retrieve from SentinelOne is set as "Decommissioned".
Application Types Type of application whose applications you want to retrieve from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension.
Risk Levels Level of risks whose applications you want to retrieve from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical.
Sort By Name of the field on which you want to sort the result. You can choose between the following fields: ID, InstallAt, Type, Name, Publisher, Version, Size, AgentComputerName, or Risklevel.
Count Only Select this option to only retrieve the total number of items, without any of the actual objects, from SentinelOne.
OS Types Type of OS whose applications you want to retrieve from SentinelOne. You can choose between the following OS types: Macos, Windows Legacy, Linux, or Windows.
Extra Parameters Additional request parameters in the JSON format.

Output

The output contains the following populated JSON schema:
{
     "agentInfected": "",
     "agentNetworkStatus": "",
     "installedAt": "",
     "signed": "",
     "size": "",
     "type": "",
     "updatedAt": "",
     "agentComputerName": "",
     "name": "",
     "agentOsType": "",
     "version": "",
     "publisher": "",
     "agentMachineType": "",
     "id": "",
     "agentVersion": "",
     "osType": "",
     "createdAt": "",
     "agentDomain": "",
     "agentId": "",
     "agentIsDecommissioned": "",
     "riskLevel": "",
     "agentUuid": "",
     "agentIsActive": ""
}

operation: Get Application CVEs

Input parameters

Parameter Description
Application ID ID of the agent application whose application CVEs you want to retrieve from SentinelOne.

Output

The output contains the following populated JSON schema:
{
     "agentInfected": "",
     "agentNetworkStatus": "",
     "installedAt": "",
     "signed": "",
     "size": "",
     "type": "",
     "updatedAt": "",
     "agentComputerName": "",
     "name": "",
     "agentOsType": "",
     "version": "",
     "publisher": "",
     "agentMachineType": "",
     "id": "",
     "agentVersion": "",
     "osType": "",
     "createdAt": "",
     "cves": [],
     "agentDomain": "",
     "agentId": "",
     "agentIsDecommissioned": "",
     "riskLevel": "",
     "agentUuid": "",
     "agentIsActive": ""
}
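The Get Applications and Get Application CVEs outputs above share one record shape, so a playbook step that consumes them usually has to do the same three things: drop records from decommissioned agents, rank the remaining applications by the documented risk levels, and pull the CVE identifiers out of the "cves" list. The following Python is an added example written for this page, not code from the connector or from Fortinet. Its record fields are those of the JSON schema shown above; the sample records are constructed (placeholder CVE IDs of the form CVE-0000-000N), and the shape of the entries inside "cves" (bare ID strings, or dicts with an "id" key) is an assumption.

```python
"""Triage helper for Get Applications / Get Application CVEs records.

Added example for this documentation page, not part of the SentinelOne
connector. Field names follow the JSON schema on the page; the sample
records are constructed, and the shape of the "cves" entries (strings or
dicts with an "id" key) is an assumption.
"""
from collections import Counter

# Risk levels exactly as listed for the Risk Levels parameter, lowest first.
RISK_ORDER = ["None", "Low", "Medium", "High", "Critical"]

# Constructed sample records in the page's schema (not real data; the
# CVE identifiers are placeholders, not real CVEs).
SAMPLE_RECORDS = [
    {"id": "app-1", "name": "ExampleViewer", "version": "1.0.0",
     "agentComputerName": "WS-01", "agentMachineType": "laptop",
     "agentIsDecommissioned": False, "riskLevel": "critical",
     "cves": ["CVE-0000-0001", {"id": "CVE-0000-0002"}]},
    {"id": "app-2", "name": "ExampleEditor", "version": "4.2",
     "agentComputerName": "SRV-01", "agentMachineType": "server",
     "agentIsDecommissioned": False, "riskLevel": "medium", "cves": []},
    # Same vulnerable build on a decommissioned agent: excluded from triage.
    {"id": "app-3", "name": "ExampleViewer", "version": "0.9",
     "agentComputerName": "OLD-07", "agentMachineType": "desktop",
     "agentIsDecommissioned": True, "riskLevel": "critical",
     "cves": ["CVE-0000-0001"]},
]


def cve_ids(record):
    """Return the CVE identifiers of one record as a sorted, de-duplicated list.

    Assumption: "cves" holds bare ID strings or dicts carrying the ID under
    "id"; entries of any other shape are ignored rather than raising.
    """
    ids = set()
    for entry in record.get("cves") or []:
        if isinstance(entry, str):
            ids.add(entry)
        elif isinstance(entry, dict) and isinstance(entry.get("id"), str):
            ids.add(entry["id"])
    return sorted(ids)


def normalize_risk(level):
    """Map a riskLevel value onto the documented names, case-insensitively;
    unknown or missing values fall back to "None"."""
    for name in RISK_ORDER:
        if str(level).lower() == name.lower():
            return name
    return "None"


def active_records(records):
    """Drop applications that belong to decommissioned agents."""
    return [r for r in records if not r.get("agentIsDecommissioned")]


def risk_summary(records):
    """Count active applications per documented risk level."""
    counts = Counter(normalize_risk(r.get("riskLevel"))
                     for r in active_records(records))
    return {name: counts.get(name, 0) for name in RISK_ORDER}


def at_or_above(records, minimum="High"):
    """Active applications whose risk level is at least `minimum`, highest
    risk first, each reduced to the fields an analyst needs plus its CVEs."""
    floor = RISK_ORDER.index(minimum)
    hits = []
    for r in active_records(records):
        rank = RISK_ORDER.index(normalize_risk(r.get("riskLevel")))
        if rank >= floor:
            hits.append({"agent": r.get("agentComputerName"),
                         "name": r.get("name"),
                         "version": r.get("version"),
                         "riskLevel": RISK_ORDER[rank],
                         "cves": cve_ids(r)})
    hits.sort(key=lambda h: (-RISK_ORDER.index(h["riskLevel"]), h["agent"] or ""))
    return hits


if __name__ == "__main__":
    print(risk_summary(SAMPLE_RECORDS))
    for hit in at_or_above(SAMPLE_RECORDS):
        print(hit)
```

In a playbook the records would come from the previous step's output instead of SAMPLE_RECORDS; the functions are intentionally tolerant of missing keys and unexpected "cves" shapes so that one malformed record does not fail the whole step.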

Included playbooks

The Sample - SentinelOne - 2.0.0 playbook collection comes bundled with the SentinelOne connector. This playbook collection contains steps for performing all the supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the SentinelOne connector.

Troubleshooting

Connection refusal while requesting to run the wrapper

This generally occurs in the case of self-signed SSL certificates. If you are using self-signed certificates for testing or staging, keep in mind that this problem will not occur in production, and you might need to switch certificate checking on or off accordingly.

Resolution:

Ensure that the SSL certificates are trusted, or turn SSL checking off in the wrapper script. Turning SSL checking off is not advised for production instances.
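The two resolutions above, trusting the certificate versus switching checking off, can be expressed as one explicit policy in the wrapper script so that the insecure option cannot be left on by accident. The following Python is an added example for this page, not the connector's or Fortinet's own code. It builds the TLS context that a wrapper script would hand to its HTTPS client; the CA bundle path is an assumption (pass None to use the system trust store), and the production flag is a hypothetical setting the script would read from its own configuration.

```python
"""TLS policy for a wrapper script that calls the SentinelOne console.

Added example for this page, not the connector's own code. The preferred
fix is to trust the CA that issued the console's (self-signed) certificate;
turning verification off is allowed only when the caller states that the
instance is not production. The ca_bundle path and the production flag are
assumptions about how the wrapper script is configured.
"""
import ssl
import urllib.request


def make_tls_context(ca_bundle=None, insecure=False, production=True):
    """Return an ssl.SSLContext for HTTPS calls to the SentinelOne console.

    ca_bundle:  path to a PEM file holding the CA that issued the console
                certificate; None loads the system trust store instead.
    insecure:   True disables certificate and hostname checks (the
                "SSL checking turned off" option). Refused when production
                is True, so a staging shortcut cannot ship to production.
    """
    if insecure:
        if production:
            raise ValueError(
                "certificate checking cannot be disabled on a production instance")
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # must be cleared before verify_mode is changed
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # Recommended fix: verify the chain against the explicit CA bundle (or the
    # system store when none is given) and keep hostname checking on.
    return ssl.create_default_context(cafile=ca_bundle)


def verifies_peer(ctx):
    """True when the context both validates the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def make_opener(ca_bundle=None, insecure=False, production=True):
    """urllib opener bound to the chosen context, so every request made
    through it inherits the same verification policy."""
    ctx = make_tls_context(ca_bundle, insecure, production)
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


if __name__ == "__main__":
    # Production default: full verification against the system trust store.
    print("production verifies peer:", verifies_peer(make_tls_context()))
    # Staging with a self-signed console certificate and no CA bundle yet.
    staging = make_tls_context(insecure=True, production=False)
    print("staging verifies peer:", verifies_peer(staging))
```

Exporting the console's CA certificate and passing its path as ca_bundle keeps verification on even with a self-signed certificate, which removes the need for the insecure branch in staging as well.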

Playbook fails after the ingestion is triggered

A playbook can fail for many reasons, for example, a required field is null in the target module record, or there are problems with the Playbook Appliance keys.

Resolution:

Investigate the reason for the failure using the Running Playbooks tab on the Playbook Administration page. Review the step in which the failure occurs and that step's result, which should contain the error trace. Once you have identified the error, if you cannot resolve it yourself, contact CyberSponse support for further assistance.