SentinelOne is a cybersecurity platform. SentinelOne unifies prevention, detection, and response in a single platform, enabling organizations to protect their user endpoint devices and critical servers against advanced malware, exploits, and other types of sophisticated threats.
This document provides information about the SentinelOne connector, which facilitates automated interactions with a SentinelOne server using FortiSOAR™ playbooks. Add the SentinelOne connector as a step in FortiSOAR™ playbooks and perform automated operations, such as detecting threats on endpoints and isolating or shutting down agents.
Connector Version: 3.0.0
FortiSOAR™ Version Tested on: 5.1.1-58
SentinelOne Build Version Tested on: v2.0.0-EA#115
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the SentinelOne Connector in version 3.0.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as the root user to install connectors:
yum install cyops-connector-sentinelone
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the SentinelOne connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the SentinelOne endpoint to which you will connect and perform the automated operations. |
API Token | API token that is required to access the SentinelOne REST endpoint. Important: The minimum role required for the user to use the API endpoint is "Site Viewer". |
API Version | Version of the API that you are using to access the SentinelOne REST endpoint. |
Verify SSL | Verify the SSL connection to the SentinelOne API endpoint. By default, this option is set to True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Agents | Retrieves a list of agents attached to an account from SentinelOne based on the input parameters you have specified. | list_agents Investigation |
Agent Action | Performs the action that you specify on an agent in SentinelOne based on the action, agent IDs, and other input parameters you have specified. | isolate_agent Containment |
Reconnect Agent | Reconnects a disconnected agent to the network in SentinelOne based on the input parameters you have specified. | reconnect_agent Remediation |
Get Agent Passphrase | Retrieves an agent's passphrase to uninstall an offline agent in SentinelOne based on the agent ID you have specified. | agent_passphrase Miscellaneous |
Get Agent Application | Retrieves a list of applications installed on an agent in SentinelOne based on the agent ID you have specified. | list_applications Investigation |
Get Agent Process | Retrieves a list of processes running on an agent in SentinelOne based on the agent ID you have specified. | list_processes Investigation |
Broadcast Message to Agent | Broadcasts a message to a specified agent system or a list of agent systems in SentinelOne based on the agent ID, message, and other input parameters you have specified. | broadcast_message Miscellaneous |
Initiate Agent Scan | Initiates scanning on a specified agent system or all agents in SentinelOne based on the input parameters you have specified. | scan_agent Investigation |
Abort Agent Scan | Aborts a running scan on a specified agent system or all agents in SentinelOne based on the input parameters you have specified. | abort_scan Investigation |
Get Hash Details | Retrieve the details for a specified hash from SentinelOne based on the Hash ID you have specified. | hash_details Investigation |
Get Threat Details | Retrieve the details for a specified threat from SentinelOne based on the threat ID you have specified. | threat_details Investigation |
Mitigate Threat | Mitigates identified threats in the SentinelOne system based on the threat ID, action and other input parameters you have specified. | mitigate_threats Remediation |
Mark Threat as Benign | Marks an identified threat as safe in SentinelOne based on the threat ID, target scope, and other input parameters you have specified. | mark_threat_as_benign Remediation |
Fetch Agents Logs | Fetches logs from agent systems to the SentinelOne cloud based on the input parameters you have specified. | fetch_logs Investigation |
Get Agent Count | Retrieves the count of agents in SentinelOne filtered by the input parameters you have specified. | agent_count Miscellaneous |
List All Threats | Lists all threats identified by SentinelOne on agents. You can additionally filter the results by specifying the agent ID or the threat name. | list_threats Investigation |
Create Query And Get Query ID | Starts a deep visibility Query and retrieves the Query ID from SentinelOne based on the query, date range, and other input parameters you have specified. | create_query Investigation |
Get Query Status | Retrieves the status of the deep visibility query from SentinelOne based on the query ID you have specified. | get_query_status Investigation |
Get Events | Retrieves the deep visibility events associated with a query from SentinelOne based on the query ID and other input parameters you have specified. | get_events Investigation |
Get Events By Type | Retrieves the deep visibility events associated with a query from SentinelOne based on the query ID, event type, and other input parameters you have specified. | get_events_by_type Investigation |
Cancel Running Query | Stops a deep visibility query that is running on SentinelOne based on the query ID you have specified. | cancel_running_query Investigation |
Get Application Network Connections | Retrieves network connections for a specific agent application on SentinelOne based on the application ID and other input parameters you have specified. | application_forensic_connections Investigation |
Get Application Forensic Details | Retrieves detailed forensics data for a specific agent application on SentinelOne based on the application ID and other input parameters you have specified. | application_forensic_details Investigation |
Export Forensics Application | Exports application forensics data, in CSV or JSON format, for a specific agent application on SentinelOne based on the application ID and other input parameters you have specified. | export_forensics_application Investigation |
Get Threat Seen on Network | Retrieves "seen on network" details for a specific threat in SentinelOne based on the threat ID and other input parameters you have specified. | threat_seen_on_network Investigation |
Get Threat Network Connections | Retrieves network connections for a specific threat on SentinelOne based on the threat ID and other input parameters you have specified. | threat_forensic_connections Investigation |
Threat Forensic Details | Retrieves detailed forensics data for a specific threat on SentinelOne based on the threat ID you have specified. | threat_forensic_details Investigation |
Export Threat | Exports a threat along with its associated events, in CSV or JSON format, for a specific threat on SentinelOne based on the threat ID and export format you have specified. | export_forensics_threat Investigation |
Get Application Forensics | Retrieves forensics data for a specific application on SentinelOne based on the application ID and other input parameters you have specified. | application_forensics Investigation |
Get Threat Forensics | Retrieves forensics data for a specific threat on SentinelOne based on the threat ID and export format you have specified. | threat_forensics Investigation |
Free Text | Retrieves a metadata list of all the available free-text filters in SentinelOne. | free_text_filters Investigation |
Get Application Count | Retrieves the count of applications from SentinelOne, grouped by risk level or other filters, based on the input parameters you have specified. | get_application_count Investigation |
Get CVEs | Retrieves all known CVEs for applications from SentinelOne based on the input parameters you have specified. Note: This is available for the complete SKU only. | get_cve Investigation |
Export Applications Risk | Exports the installed applications and CVE list from SentinelOne based on the input parameters you have specified. | export_applications_risk Investigation |
Get Applications | Retrieves a list of all installed applications per endpoint, including risk levels, from SentinelOne based on the input parameters you have specified. Note: This is available for the complete SKU only. | get_applications Investigation |
Get Application CVEs | Retrieves all known CVEs for a specific application, along with application and endpoint information, from SentinelOne based on the application ID you have specified. Note: This is available for the complete SKU only. | get_application_cve Investigation |
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent Memory Less Than (GB) | Retrieve only those agents whose memory size is less than the given input from SentinelOne. |
Agent Memory Greater Than (GB) | Retrieve only those agents whose memory size is greater than the given input from SentinelOne. |
Agent Core Count Less Than | Retrieve only those agents whose core count is less than the given input from SentinelOne. |
Agent Core Count Greater Than | Retrieve only those agents whose core count is greater than the given input from SentinelOne. |
Is Active | Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Active". |
Is Infected | Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Decommissioned". |
Agent IDs | List of comma-separated agent IDs that you want to retrieve from SentinelOne. |
Computer Name Like | Retrieve only those agents that match the specified computer name from SentinelOne. |
Agent Version | Version of the agent that you want to retrieve from SentinelOne. |
Limit | Maximum number of results, per page, that this operation should return. |
Skip Records | Skips the specified number of results from the total results. |
Network Status | Select the network status of the agent that you want to retrieve from SentinelOne. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
A customized JSON output that is formatted for easy reference is the output for all the operations.
The output contains the following populated JSON schema:
{
"agentVersion": "",
"allowRemoteShell": "",
"modelName": "",
"encryptedApplications": "",
"cpuId": "",
"totalMemory": "",
"lastLoggedInUserName": "",
"activeDirectory": {
"computerMemberOf": [],
"lastUserMemberOf": [],
"computerDistinguishedName": "",
"lastUserDistinguishedName": ""
},
"siteId": "",
"uuid": "",
"coreCount": "",
"machineType": "",
"osType": "",
"createdAt": "",
"osStartTime": "",
"groupIp": "",
"networkInterfaces": [
{
"inet6": [],
"name": "",
"inet": [],
"id": "",
"physical": ""
}
],
"cpuCount": "",
"appsVulnerabilityStatus": "",
"registeredAt": "",
"scanStatus": "",
"infected": "",
"isPendingUninstall": "",
"licenseKey": "",
"lastActiveDate": "",
"groupId": "",
"osRevision": "",
"osName": "",
"groupName": "",
"mitigationModeSuspicious": "",
"consoleMigrationStatus": "",
"isUpToDate": "",
"osUsername": "",
"updatedAt": "",
"osArch": "",
"domain": "",
"activeThreats": "",
"accountId": "",
"inRemoteShellSession": "",
"locations": [],
"scanAbortedAt": "",
"mitigationMode": "",
"userActionsNeeded": [],
"id": "",
"isActive": "",
"externalIp": "",
"siteName": "",
"scanStartedAt": "",
"locationType": "",
"isUninstalled": "",
"networkStatus": "",
"isDecommissioned": "",
"computerName": "",
"scanFinishedAt": "",
"accountName": "",
"externalId": ""
}
Parameter | Description |
---|---|
Action | Select the action that you want to perform on the specified agent in SentinelOne. You can choose between the following actions: Isolate Agent Network, Decommission Agent, Uninstall Agent, or Shutdown Agent. |
Agent IDs | List of comma-separated agent IDs on which you want to perform actions in SentinelOne. |
Group IDs | (Optional) List of comma-separated agent group IDs on which you want to perform actions in SentinelOne. |
Is Decommissioned | Select this checkbox if the status of the agent on which you want to perform actions on SentinelOne is set as "Decommissioned". |
Is Uninstalled | Select this checkbox if the status of the agent on which you want to perform actions on SentinelOne is set as "Uninstalled". |
The output contains the following populated JSON schema:
{
"affected": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent Memory Less Than (GB) | Reconnects only those agents to the network in SentinelOne whose memory size is less than the given input. |
Agent Memory Greater Than (GB) | Reconnects only those agents to the network in SentinelOne whose memory size is greater than the given input. |
Agent Core Count Less Than | Reconnects only those agents to the network in SentinelOne whose core count is less than the given input. |
Agent Core Count Greater Than | Reconnects only those agents to the network in SentinelOne whose core count is greater than the given input. |
Is Active | Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Active". |
Is Infected | Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Decommissioned". |
Agent IDs | List of comma-separated agent IDs that you want to reconnect to the SentinelOne network. |
Computer Name Like | Reconnects only those agents to the network in SentinelOne that match the specified computer name. |
Agent Version | Version of the agent that you want to reconnect to the SentinelOne network. |
OS Type | Select the OS type of the agent that you want to reconnect to the SentinelOne network. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agent that you want to reconnect to the SentinelOne network. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON contains a Success message for the agents reconnected to the network.
The output contains the following populated JSON schema:
{
"affected": ""
}
Parameter | Description |
---|---|
Agent ID | ID of the agent whose passphrase you want to retrieve from SentinelOne. The passphrase can be used to delete an offline agent from SentinelOne. |
The JSON contains a string output with the passphrase that can be used to delete an offline agent.
The output contains the following populated JSON schema:
{
"lastLoggedInUserName": "",
"passphrase": "",
"domain": "",
"id": "",
"computerName": "",
"uuid": ""
}
Parameter | Description |
---|---|
Agent Id | ID of the agent whose list of installed applications you want to retrieve from SentinelOne. |
The JSON contains a list of application objects describing the applications installed on the specified agent, including information such as the application name and installation date.
The output contains the following populated JSON schema:
{
"name": "",
"version": "",
"size": "",
"publisher": "",
"installedDate": ""
}
Parameter | Description |
---|---|
Agent Id | ID of the agent whose list of running processes you want to retrieve from SentinelOne. |
The JSON contains a list of running processes along with the process details for the specified agent.
The output contains the following populated JSON schema:
{
"cpuUsage": "",
"memoryUsage": "",
"pid": "",
"executablePath": "",
"startTime": "",
"processName": ""
}
Parameter | Description |
---|---|
Message | Message that you want to broadcast to an agent or a list of agents in SentinelOne. |
Agent IDs | List of comma-separated agent IDs in SentinelOne to whom you want to broadcast the specified message. |
Agent Memory Less Than (GB) | (Optional) Broadcast the message to only those agents whose memory size is less than the given input from SentinelOne. |
Agent Memory Greater Than (GB) | (Optional) Broadcast the message to only those agents whose memory size is greater than the given input from SentinelOne. |
Agent Core Count Less Than | (Optional) Broadcast the message to only those agents whose core count is less than the given input from SentinelOne. |
Agent Core Count Greater Than | (Optional) Broadcast the message to only those agents whose core count is greater than the given input from SentinelOne. |
Is Active | Select this checkbox if the status of the agent to whom you want to broadcast a message is set as "Active". |
Is Infected | Select this checkbox if the status of the agent to whom you want to broadcast a message is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent to whom you want to broadcast a message is set as "Decommissioned". |
Computer Name Like | (Optional) Broadcast the message to only those agents that match the specified computer name on SentinelOne. |
Agent Version | Version of the agent to which you want to broadcast the message. |
OS Type | Select the OS type of the agent in the SentinelOne network to which you want to broadcast the message. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agent in SentinelOne to which you want to broadcast the message. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON output contains the number of agents that are affected by the broadcast operation after the query is successfully run.
The output contains the following populated JSON schema:
{
"affected": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent Memory Less Than (GB) | Initiates a scan only on those agents whose memory size is less than the given input from SentinelOne. |
Agent Memory Greater Than (GB) | Initiates a scan only on those agents whose memory size is greater than the given input from SentinelOne. |
Agent Core Count Less Than | Initiates a scan only on those agents whose core count is less than the given input from SentinelOne. |
Agent Core Count Greater Than | Initiates a scan only on those agents whose core count is greater than the given input from SentinelOne. |
Is Active | Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Active". |
Is Infected | Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Decommissioned". |
Agent IDs | List of comma-separated agent IDs on which you want to initiate a scan in SentinelOne. |
Computer Name Like | Initiate the scan only on those agents that match the specified computer name. |
Agent Version | Version of the agent on which you want to initiate a scan. |
OS Type | Select the OS type of the agent in SentinelOne on which you want to initiate the scan. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agent in SentinelOne on which you want to initiate the scan. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON output contains the number of agents that are affected by the scan operation after the query is successfully run.
The output contains the following populated JSON schema:
{
"affected": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent Memory Less Than (GB) | Aborts the scan only on those agents whose memory size is less than the given input from SentinelOne. |
Agent Memory Greater Than (GB) | Aborts the scan only on those agents whose memory size is greater than the given input from SentinelOne. |
Agent Core Count Less Than | Aborts the scan only on those agents whose core count is less than the given input from SentinelOne. |
Agent Core Count Greater Than | Aborts the scan only on those agents whose core count is greater than the given input from SentinelOne. |
Is Active | Select this checkbox if the status of the agent on which you want to abort the scan is set as "Active". |
Is Infected | Select this checkbox if the status of the agent on which you want to abort the scan is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent on which you want to abort the scan is set as "Decommissioned". |
Agent IDs | List of comma-separated agent IDs on which you want to abort the scan in SentinelOne. |
Computer Name Like | Abort the scan only on those agents that match the specified computer name. |
Agent Version | Version of the agent on which you want to abort the scan. |
OS Type | Select the OS type of the agent in SentinelOne on which you want to abort the scan. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agent in SentinelOne on which you want to abort the scan. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON output contains the number of agents that are affected by the abort scan operation after the query is successfully run.
The output contains the following populated JSON schema:
{
"affected": ""
}
Parameter | Description |
---|---|
Hash ID | ID (SHA1 only) of the hash whose details you want to retrieve from SentinelOne. |
The JSON contains the details of the specified hash ID.
The output contains the following populated JSON schema:
{
"rank": ""
}
Parameter | Description |
---|---|
Threat Id | ID of the threat whose details you want to retrieve from SentinelOne. |
The JSON contains the details of the specified threat ID.
The output contains the following populated JSON schema:
{
"cloudVerdict": "",
"agentDomain": "",
"fileIsDotNet": "",
"id": "",
"maliciousProcessArguments": "",
"accountId": "",
"fromScan": "",
"agentId": "",
"fileCreatedDate": "",
"maliciousGroupId": "",
"markedAsBenign": "",
"isInteractiveSession": "",
"siteName": "",
"classifierName": "",
"fileExtensionType": "",
"indicators": [],
"classificationSource": "",
"classification": "",
"createdAt": "",
"mitigationStatus": "",
"description": "",
"agentOsType": "",
"filePath": "",
"agentInfected": "",
"fileObjectId": "",
"username": "",
"threatAgentVersion": "",
"browserType": "",
"fileContentHash": "",
"fileDisplayName": "",
"publisher": "",
"rank": "",
"isPartialStory": "",
"engines": [],
"threatName": "",
"annotation": "",
"certId": "",
"accountName": "",
"isCertValid": "",
"collectionId": "",
"fileSha256": "",
"resolved": "",
"updatedAt": "",
"agentIsDecommissioned": "",
"agentIsActive": "",
"agentVersion": "",
"agentIp": "",
"agentComputerName": "",
"fromCloud": "",
"fileIsExecutable": "",
"createdDate": "",
"siteId": "",
"fileIsSystem": "",
"annotationUrl": "",
"whiteningOptions": [],
"agentMachineType": "",
"agentNetworkStatus": "",
"mitigationMode": "",
"mitigationReport": {
"quarantine": {
"status": ""
},
"kill": {
"status": ""
},
"rollback": {
"status": ""
},
"remediate": {
"status": ""
},
"network_quarantine": {
"status": ""
}
},
"fileMaliciousContent": "",
"fileVerificationType": ""
}
Parameter | Description |
---|---|
Action | Select the action that you want to perform on the specified threat. You can choose between the following actions: Kill, Quarantine, Un-Quarantine, Remediate, or Rollback-Remediation. |
Threat ID | ID of the threat on which you want to take the specified action. |
Content Hash | (Optional) Hash ID of the file associated with the threat that requires mitigation. |
Threat Name | (Optional) Name of the threat that requires mitigation. |
Agent ID | (Optional) ID of the agent on which the threat has been identified. |
Limit Records | (Optional) Maximum number of results, per page, that this operation should return. |
From Scan | Select this option if the threat was detected as a result of a scan. |
The JSON contains a message about the threat being mitigated.
The output contains the following populated JSON schema:
{
"affected": ""
}
Parameter | Description |
---|---|
Target Scope | Scope of the target that you want to mark as safe in SentinelOne. |
Threat Id | ID of the threat that you want to mark as safe in SentinelOne. |
Content Hash | (Optional) Hash ID of the file associated with the threat that you want to mark as safe in SentinelOne. |
Threat Name | (Optional) Name of the threat that you want to mark as safe in SentinelOne. |
Agent Id | (Optional) ID of the agent on which the threat has been identified. |
Limit Records | (Optional) Maximum number of results, per page, that this operation should return. |
From Scan | Select this option if the threat was detected as a result of a scan. |
The JSON contains a message about the threat being marked as safe.
The output contains the following populated JSON schema:
{
"affected": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent Memory Less Than (GB) | Retrieve logs of only those agents whose memory size is less than the given input from SentinelOne. |
Agent Memory Greater Than (GB) | Retrieve logs of only those agents whose memory size is greater than the given input from SentinelOne. |
Agent Core Count Less Than | Retrieve logs of only those agents whose core count is less than the given input from SentinelOne. |
Agent Core Count Greater Than | Retrieve logs of only those agents whose core count is greater than the given input from SentinelOne. |
Is Active | Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Active". |
Is Infected | Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Decommissioned". |
Agent IDs | List of comma-separated agent IDs whose logs you want to retrieve from SentinelOne. |
Computer Name Like | Retrieve logs of only those agents that match the specified computer name. |
Agent Version | Version of the agent whose logs you want to retrieve from SentinelOne. |
OS Type | Select the OS type of the agent in SentinelOne whose logs you want to retrieve. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agent in SentinelOne whose logs you want to retrieve. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON output contains the number of agents whose logs are fetched after the query is successfully run.
The output contains the following populated JSON schema:
{
"affected": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent Memory Less Than (GB) | Count only those agents whose memory size is less than the given input from SentinelOne. |
Agent Memory Greater Than (GB) | Count only those agents whose memory size is greater than the given input from SentinelOne. |
Agent Core Count Less Than | Count only those agents whose core count is less than the given input from SentinelOne. |
Agent Core Count Greater Than | Count only those agents whose core count is greater than the given input from SentinelOne. |
Is Active | Select this checkbox if the status of the agents that you want to count in SentinelOne is set as "Active". |
Is Infected | Select this checkbox if the status of the agents that you want to count in SentinelOne is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agents that you want to count in SentinelOne is set as "Decommissioned". |
Agent IDs | List of comma-separated agent IDs whose count you want to retrieve from SentinelOne. |
Computer Name Like | Count only those agents that match the specified computer name. |
Agent Version | Version of the agents whose count you want to retrieve from SentinelOne. |
OS Type | Select the OS type of the agents in SentinelOne whose count you want to retrieve. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agents in SentinelOne whose count you want to retrieve. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON output contains the number of available agents.
The output contains the following populated JSON schema:
{
"total": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Content Hash | Hash ID of the file associated with the threat. |
Threat Name | Name of the threat that you want to search for on all agents on SentinelOne. |
Agent ID | ID of the agent whose threats you want to list. |
Limit Records | Maximum number of results, per page, that this operation should return. |
Skip Records | Skips the specified number of results from the total results. |
From Scan | Select this option if the threat was detected as a result of a scan. |
The JSON contains the objects of the threats that are found after the query is successfully run.
The output contains the following populated JSON schema:
{
"cloudVerdict": "",
"agentDomain": "",
"fileIsDotNet": "",
"id": "",
"maliciousProcessArguments": "",
"accountId": "",
"fromScan": "",
"agentId": "",
"fileCreatedDate": "",
"maliciousGroupId": "",
"markedAsBenign": "",
"isInteractiveSession": "",
"siteName": "",
"classifierName": "",
"fileExtensionType": "",
"indicators": [],
"classificationSource": "",
"classification": "",
"createdAt": "",
"mitigationStatus": "",
"description": "",
"agentOsType": "",
"filePath": "",
"agentInfected": "",
"fileObjectId": "",
"username": "",
"threatAgentVersion": "",
"browserType": "",
"fileContentHash": "",
"fileDisplayName": "",
"publisher": "",
"rank": "",
"isPartialStory": "",
"engines": [],
"threatName": "",
"annotation": "",
"certId": "",
"accountName": "",
"isCertValid": "",
"collectionId": "",
"fileSha256": "",
"resolved": "",
"updatedAt": "",
"agentIsDecommissioned": "",
"agentIsActive": "",
"agentVersion": "",
"agentIp": "",
"agentComputerName": "",
"fromCloud": "",
"fileIsExecutable": "",
"createdDate": "",
"siteId": "",
"fileIsSystem": "",
"annotationUrl": "",
"whiteningOptions": [],
"agentMachineType": "",
"agentNetworkStatus": "",
"mitigationMode": "",
"mitigationReport": {
"quarantine": {
"status": ""
},
"kill": {
"status": ""
},
"rollback": {
"status": ""
},
"remediate": {
"status": ""
},
"network_quarantine": {
"status": ""
}
},
"fileMaliciousContent": "",
"fileVerificationType": ""
}
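The threat object above carries several fields that are easy to conflate when a playbook decides whether a threat still needs action: `resolved` and `markedAsBenign` are analyst flags, `agentInfected` is the agent's own verdict, and `mitigationReport` records whether each mitigation action (kill, quarantine, rollback, remediate, network_quarantine) actually succeeded. The following triage routine is an added example, not part of the SentinelOne connector or of FortiSOAR™; it assumes a successful action reports the status string `success` (the page lists the report keys but not their values) and uses constructed sample records shaped like the List All Threats output.

```python
from typing import Dict, List

# Assumed value of mitigationReport.<action>.status for a successful action.
MITIGATION_SUCCESS = "success"


def mitigation_succeeded(threat: Dict, action: str) -> bool:
    """True if mitigationReport[action].status reports success (missing -> False)."""
    report = threat.get("mitigationReport") or {}
    return (report.get(action) or {}).get("status") == MITIGATION_SUCCESS


def triage_threat(threat: Dict) -> str:
    """Bucket one threat object into benign / contained / isolate / review.

    `resolved` is an analyst flag, not evidence that the agent acted, so it is
    deliberately ignored; only the mitigation report and agentInfected count.
    """
    if threat.get("markedAsBenign"):
        return "benign"
    killed = mitigation_succeeded(threat, "kill")
    quarantined = mitigation_succeeded(threat, "quarantine")
    if killed and quarantined and not threat.get("agentInfected"):
        return "contained"
    # Process still alive or file still on disk on an infected agent that has
    # not been network-quarantined: candidate for the Agent Action operation.
    if threat.get("agentInfected") and not mitigation_succeeded(threat, "network_quarantine"):
        return "isolate"
    return "review"


def triage_threats(threats: List[Dict]) -> Dict[str, List[str]]:
    """Group threat IDs by triage bucket, preserving input order."""
    buckets: Dict[str, List[str]] = {"benign": [], "contained": [], "isolate": [], "review": []}
    for threat in threats:
        buckets[triage_threat(threat)].append(threat["id"])
    return buckets


def _report(**statuses: str) -> Dict:
    """Build a mitigationReport fragment from action=status keyword arguments."""
    return {action: {"status": status} for action, status in statuses.items()}


# Constructed sample records (not real SentinelOne data).
SAMPLE_THREATS = [
    {"id": "t-1", "markedAsBenign": True, "agentInfected": False,
     "mitigationReport": _report(kill="success", quarantine="success")},
    {"id": "t-2", "markedAsBenign": False, "agentInfected": False, "resolved": False,
     "mitigationReport": _report(kill="success", quarantine="success")},
    {"id": "t-3", "markedAsBenign": False, "agentInfected": True, "resolved": False,
     "mitigationReport": _report(kill="success", quarantine="failed")},
    # Marked resolved by an analyst, but nothing was actually mitigated.
    {"id": "t-4", "markedAsBenign": False, "agentInfected": False, "resolved": True,
     "mitigationReport": _report(kill="failed", quarantine="failed")},
    # Still infected, but the agent is already off the network.
    {"id": "t-5", "markedAsBenign": False, "agentInfected": True, "resolved": False,
     "mitigationReport": _report(kill="failed", quarantine="failed", network_quarantine="success")},
]

if __name__ == "__main__":
    for bucket, ids in triage_threats(SAMPLE_THREATS).items():
        print(f"{bucket:10s} {', '.join(ids) or '-'}")
```

In a playbook, the `isolate` bucket is the one to feed into the Agent Action (isolate_agent) step, while `review` catches threats that look closed (`resolved`) without any successful mitigation on record.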
Parameter | Description |
---|---|
Query | Deep visibility query to run. The query is a free-text search term that is matched (as a sub-string) against the applicable attributes in SentinelOne; the operation returns the ID of the query it starts. |
From Date | Start date of query from when you want to retrieve the query ID from SentinelOne. |
To Date | End date of query till when you want to retrieve the query ID from SentinelOne. |
Group IDs | (Optional) List of comma-separated agent's group IDs based on which you want to retrieve the query ID from SentinelOne. |
Tenant | Select this checkbox to indicate a tenant scope in the query. |
Query Type | (Optional) Type of the query used by deep visibility in SentinelOne. |
Account IDs | (Optional) List of comma-separated agent's accounts based on which you want to retrieve the query ID from SentinelOne. |
Site IDs | (Optional) List of comma-separated agent's sites based on which you want to retrieve the query ID from SentinelOne. |
The output contains the following populated JSON schema:
{
"queryId": ""
}
Parameter | Description |
---|---|
Query ID | ID of the query whose status you want to retrieve from SentinelOne. When you create a query in SentinelOne you get its QueryID. |
The output contains the following populated JSON schema:
{
"progressStatus": "",
"responseState": ""
}
Parameter | Description |
---|---|
Query ID | ID of the query whose associated events you want to retrieve from SentinelOne. When you create a query in SentinelOne you get its QueryID. |
Limit Records | (Optional) Maximum number of results, per page, that this operation should return. |
Skip Records | (Optional) Skips the specified number of results from the total results. |
Cursor | (Optional) Cursor position returned by the last request. You can use this parameter instead of the Skip Records parameter. Cursor currently supports Sort By with createdAt, pid, and processStartTime. |
Sort Order | (Optional) Sorting order of the result (events), choose between Ascending or Descending. |
Sort By | (Optional) Name of the field on which you want to sort the result (events). |
Sub Query | (Optional) Sub-query that further filters the events already retrieved for the specified query ID. |
The output contains the following populated JSON schema:
{
"agentVersion": "",
"agentNetworkStatus": "",
"fileId": "",
"indicatorDescription": "",
"eventType": "",
"dstIp": "",
"relatedToThreat": "",
"processImagePath": "",
"processName": "",
"processUniqueKey": "",
"parentProcessUniqueKey": "",
"processGroupId": "",
"eventSubType": "",
"processUserName": "",
"networkMethod": "",
"processDisplayName": "",
"processSubSystem": "",
"parentProcessName": "",
"createdAt": "",
"srcPort": "",
"agentIp": "",
"tid": "",
"agentOs": "",
"oldFileSha1": "",
"agentDomain": "",
"agentIsDecommissioned": "",
"registryPath": "",
"oldFileMd5": "",
"sha256": "",
"fileSha256": "",
"parentProcessIsMalicious": "",
"indicatorMetadata": "",
"networkUrl": "",
"processImageSha1Hash": "",
"oldFileSha256": "",
"user": "",
"md5": "",
"agentInfected": "",
"loginsBaseType": "",
"processStartTime": "",
"forensicUrl": "",
"oldFileName": "",
"dnsResponse": "",
"srcIp": "",
"indicatorCategory": "",
"rpid": "",
"processIsMalicious": "",
"taskName": "",
"dnsRequest": "",
"loginsUserName": "",
"indicatorName": "",
"agentUuid": "",
"agentMachineType": "",
"registryId": "",
"parentProcessGroupId": "",
"processIntegrityLevel": "",
"fileFullName": "",
"signer": "",
"processSessionId": "",
"processCmd": "",
"taskPath": "",
"parentPid": "",
"agentId": "",
"id": "",
"fileMd5": "",
"networkSource": "",
"siteName": "",
"agentGroupId": "",
"agentName": "",
"parentProcessStartTime": "",
"dstPort": "",
"trueContext": "",
"fileSha1": "",
"threatStatus": "",
"agentIsActive": "",
"direction": "",
"pid": "",
"sha1": ""
}
Parameter | Description |
---|---|
Query ID | ID of the query whose associated events you want to retrieve from SentinelOne. When you create a query in SentinelOne you get its QueryID. |
Event Type | Event type by which you want to filter the results (events). You can choose between the following event types: Events, File, Ip, Url, Dns, Process, Registry, Scheduled task, Logins, or Indicators. |
Limit Records | (Optional) Maximum number of results, per page, that this operation should return. |
Skip Records | (Optional) Skips the specified number of results from the total results. |
Cursor | (Optional) Cursor position returned by the last request. You can use this parameter instead of the Skip Records parameter. Cursor currently supports Sort By with createdAt, pid, and processStartTime. |
Sort Order | (Optional) Sorting order of the result (events), choose between Ascending or Descending. |
Sort By | (Optional) Name of the field on which you want to sort the result (events). |
Sub Query | (Optional) Sub-query that further filters the events already retrieved for the specified query ID. |
The output contains the following populated JSON schema:
{
"data": {
"agentVersion": "",
"agentNetworkStatus": "",
"fileId": "",
"indicatorDescription": "",
"eventType": "",
"dstIp": "",
"relatedToThreat": "",
"processImagePath": "",
"processName": "",
"processUniqueKey": "",
"parentProcessUniqueKey": "",
"processGroupId": "",
"eventSubType": "",
"processUserName": "",
"networkMethod": "",
"processDisplayName": "",
"processSubSystem": "",
"parentProcessName": "",
"createdAt": "",
"srcPort": "",
"agentIp": "",
"tid": "",
"agentOs": "",
"oldFileSha1": "",
"agentDomain": "",
"agentIsDecommissioned": "",
"registryPath": "",
"oldFileMd5": "",
"sha256": "",
"fileSha256": "",
"parentProcessIsMalicious": "",
"indicatorMetadata": "",
"networkUrl": "",
"processImageSha1Hash": "",
"oldFileSha256": "",
"user": "",
"md5": "",
"agentInfected": "",
"loginsBaseType": "",
"processStartTime": "",
"forensicUrl": "",
"oldFileName": "",
"dnsResponse": "",
"srcIp": "",
"indicatorCategory": "",
"rpid": "",
"processIsMalicious": "",
"taskName": "",
"dnsRequest": "",
"loginsUserName": "",
"indicatorName": "",
"agentUuid": "",
"agentMachineType": "",
"registryId": "",
"parentProcessGroupId": "",
"processIntegrityLevel": "",
"fileFullName": "",
"signer": "",
"processSessionId": "",
"processCmd": "",
"taskPath": "",
"parentPid": "",
"agentId": "",
"id": "",
"fileMd5": "",
"networkSource": "",
"siteName": "",
"agentGroupId": "",
"agentName": "",
"parentProcessStartTime": "",
"dstPort": "",
"trueContext": "",
"fileSha1": "",
"threatStatus": "",
"agentIsActive": "",
"direction": "",
"pid": "",
"sha1": ""
},
"pagination": {
"totalItems": "",
"nextCursor": ""
}
}
Parameter | Description |
---|---|
Query ID | ID of a deep visibility query that you want to stop in SentinelOne. When you create a query in SentinelOne you get its QueryID. |
The output contains the following populated JSON schema:
{
"success": ""
}
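The five operations above (Create Query And Get Query ID, Get Query Status, Get Events, Get Events By Type, Cancel Running Query) are the steps of one procedure: start a deep visibility query, poll until `responseState` reports completion, page through the events with the cursor rather than Skip Records, and cancel the query if it never finishes. The client below is an added example and not the connector's own code; the `/web/api/<version>/dv/...` paths, the `responseState` values, and the `Authorization` scheme are assumptions about the SentinelOne REST API that you should check against your tenant, and the transport is an in-memory fake so that the example runs offline. The fake repeats one event across two pages, which is what cursor paging can do when records arrive between reads, so the client de-duplicates by event `id`.

```python
import time
from typing import Callable, Dict, Iterator, List, Optional

# transport(method, path, params) -> the JSON "data" object of the response.
Transport = Callable[[str, str, Dict], Dict]

FINISHED = "FINISHED"                                   # assumed responseState values
TERMINAL_FAILURE = {"FAILED", "ERROR", "TIMED_OUT", "QUERY_CANCELLED"}


class DeepVisibilityClient:
    def __init__(self, transport: Transport, api_version: str = "v2.0", poll_interval: float = 0.0):
        self.transport = transport
        self.base = f"/web/api/{api_version}/dv"      # assumed path layout
        self.poll_interval = poll_interval

    def create_query(self, query: str, from_date: str, to_date: str,
                     site_ids: Optional[List[str]] = None) -> str:
        body = {"query": query, "fromDate": from_date, "toDate": to_date}
        if site_ids:
            body["siteIds"] = site_ids
        return self.transport("POST", f"{self.base}/init-query", body)["queryId"]

    def query_status(self, query_id: str) -> Dict:
        return self.transport("GET", f"{self.base}/query-status", {"queryId": query_id})

    def cancel_query(self, query_id: str) -> bool:
        data = self.transport("POST", f"{self.base}/cancel-query", {"queryId": query_id})
        return bool(data.get("success"))

    def wait_until_finished(self, query_id: str, max_polls: int = 30) -> Dict:
        """Poll Get Query Status until FINISHED; cancel and raise if it never does."""
        for attempt in range(max_polls):
            status = self.query_status(query_id)
            state = status.get("responseState")
            if state == FINISHED:
                return status
            if state in TERMINAL_FAILURE:
                raise RuntimeError(f"query {query_id} ended in state {state}")
            if attempt + 1 < max_polls and self.poll_interval:
                time.sleep(self.poll_interval)
        self.cancel_query(query_id)  # do not leave a runaway query on the tenant
        raise TimeoutError(f"query {query_id} not finished after {max_polls} polls")

    def iter_events(self, query_id: str, limit: int = 100, max_pages: int = 1000) -> Iterator[Dict]:
        """Walk Get Events by cursor (not skip), de-duplicating by event id."""
        cursor, seen = None, set()
        for _ in range(max_pages):
            # Cursor paging requires Sort By createdAt, pid or processStartTime.
            params = {"queryId": query_id, "limit": limit, "sortBy": "createdAt", "sortOrder": "asc"}
            if cursor:
                params["cursor"] = cursor
            page = self.transport("GET", f"{self.base}/events", params)
            for event in page.get("data", []):
                if event["id"] not in seen:
                    seen.add(event["id"])
                    yield event
            cursor = (page.get("pagination") or {}).get("nextCursor")
            if not cursor:
                return
        raise RuntimeError(f"query {query_id}: pagination did not end within {max_pages} pages")


def malicious_process_commands(client: DeepVisibilityClient, query: str,
                               from_date: str, to_date: str) -> List[str]:
    """Run a query end to end and return command lines of events flagged processIsMalicious."""
    query_id = client.create_query(query, from_date, to_date)
    client.wait_until_finished(query_id)
    return [e["processCmd"] for e in client.iter_events(query_id, limit=2) if e.get("processIsMalicious")]


class FakeSentinelOne:
    """Scripted in-memory stand-in for the REST API (example only, not a real client)."""

    def __init__(self, states: List[str], pages: List[Dict]):
        self.states = list(states)                      # last state repeats forever
        self.pages = {p["cursor"]: p for p in pages}
        self.cancelled = False

    def __call__(self, method: str, path: str, params: Dict) -> Dict:
        if path.endswith("/init-query"):
            return {"queryId": "q-123"}
        if path.endswith("/query-status"):
            state = self.states.pop(0) if len(self.states) > 1 else self.states[0]
            return {"progressStatus": 100 if state == FINISHED else 50, "responseState": state}
        if path.endswith("/cancel-query"):
            self.cancelled = True
            return {"success": True}
        if path.endswith("/events"):
            page = self.pages[params.get("cursor")]
            return {"data": page["data"], "pagination": {"totalItems": 3, "nextCursor": page["next"]}}
        raise ValueError(f"unexpected call {method} {path}")


def _event(eid: str, cmd: str, malicious: bool) -> Dict:
    return {"id": eid, "eventType": "Process", "processCmd": cmd, "processIsMalicious": malicious}


# Constructed pages; event e2 straddles the cursor boundary on purpose.
FAKE_PAGES = [
    {"cursor": None, "next": "c1", "data": [_event("e1", "powershell -enc AAA", True), _event("e2", "notepad.exe", False)]},
    {"cursor": "c1", "next": None, "data": [_event("e2", "notepad.exe", False), _event("e3", "mshta http://x/y.hta", True)]},
]

if __name__ == "__main__":
    client = DeepVisibilityClient(FakeSentinelOne(["RUNNING", "RUNNING", FINISHED], FAKE_PAGES))
    print(malicious_process_commands(client, 'EventType = "Process"', "2020-01-01T00:00:00Z", "2020-01-02T00:00:00Z"))
```

To use it against a live tenant, replace `FakeSentinelOne` with a transport that sends the request with the API token and raises on non-2xx responses, and keep Verify SSL enabled: the token travels in every request header.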
Parameter | Description |
---|---|
Application ID | ID of the agent application whose network connection you want to retrieve from SentinelOne. |
Site IDs | (Optional) List of comma-separated agent's sites whose application network connection you want to retrieve from SentinelOne. |
Group IDs | (Optional) List of comma-separated agent's groups whose application network connection you want to retrieve from SentinelOne. |
Country Code | (Optional) Country code whose application network connection you want to retrieve from SentinelOne. |
Account IDs | (Optional) List of comma-separated agent's accounts whose network connection you want to retrieve from SentinelOne. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Application ID | ID of the agent application whose forensic details you want to retrieve from SentinelOne. |
Site IDs | (Optional) List of comma-separated agent's sites whose application forensic details you want to retrieve from SentinelOne. |
Group IDs | (Optional) List of comma-separated agent's groups whose application forensic details you want to retrieve from SentinelOne. |
Account IDs | (Optional) List of comma-separated agent's accounts whose application forensic details you want to retrieve from SentinelOne. |
The output contains the following populated JSON schema:
{
"success": "",
"result": {
"fetch_story_error_at": "",
"seen_on_network": "",
"graph": "",
"process_display_name": "",
"summary_overview": {
"network": {
"connections": "",
"dns": ""
},
"file": {
"write": "",
"create": "",
"delete": ""
},
"registry": {
"security": "",
"persistence": "",
"stealth": ""
}
},
"summary": "",
"application_id": "",
"agent": "",
"process_created_at": "",
"category_scores": "",
"application_duration": "",
"last_event_seen_at": "",
"application_created": "",
"raw_data": "",
"fetch_story_status": "",
"fetch_story_sent_at": "",
"process": {
"username": "",
"executable_file_id": "",
"created_date": "",
"is_primary": "",
"bundle_id": "",
"display_name": "",
"is_root": "",
"pid": "",
"object_id": ""
},
"file": {
"content_hash": "",
"is_system": "",
"created_date": "",
"size": "",
"display_name": "",
"permission": "",
"path": "",
"object_id": ""
}
}
}
Parameter | Description |
---|---|
Application ID | ID of the agent application whose forensic application you want to export in the CSV/JSON format from SentinelOne. |
Export Format | Format in which you want to export the forensic application. You can choose between the following formats: CSV or JSON. |
Site IDs | (Optional) List of comma-separated agent's sites whose forensic application you want to export from SentinelOne. |
Group IDs | (Optional) List of comma-separated agent's groups whose forensic application you want to export from SentinelOne. |
Account IDs | (Optional) List of comma-separated agent's accounts whose forensic application you want to export from SentinelOne. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Threat ID | ID of the threat whose "seen on network data" you want to retrieve from SentinelOne. |
Site IDs | (Optional) List of comma-separated agent's sites whose "seen on network data" you want to retrieve from SentinelOne. |
Group IDs | (Optional) List of comma-separated agent's groups whose "seen on network data" you want to retrieve from SentinelOne. |
Account IDs | (Optional) List of comma-separated agent's accounts whose "seen on network data" you want to retrieve from SentinelOne. |
The output contains the following populated JSON schema:
{
"agent_version": "",
"description": "",
"created_date": "",
"meta_data": {
"updated_at": "",
"created_at": ""
},
"id": "",
"malicious_group_id": "",
"resolved": "",
"status": "",
"from_cloud": "",
"agent": ""
}
Parameter | Description |
---|---|
Threat ID | ID of the threat whose network connection you want to retrieve from SentinelOne. |
Site IDs | (Optional) List of comma-separated agent's sites whose network connection you want to retrieve from SentinelOne. |
Group IDs | (Optional) List of comma-separated agent's groups whose network connection you want to retrieve from SentinelOne. |
Country Code | (Optional) Country code whose network connection you want to retrieve from SentinelOne. |
Account IDs | (Optional) List of comma-separated agent's accounts whose network connection you want to retrieve from SentinelOne. |
The output contains the following populated JSON schema:
{
"message": ""
}
Parameter | Description |
---|---|
Threat ID | ID of the threat whose forensic details you want to retrieve from SentinelOne. |
The output contains the following populated JSON schema:
{
"result": {
"policy_id": "",
"agent_version": "",
"occurred_at": "",
"graph": {
"edges_summary": [],
"node_sets": {}
},
"file_hash": "",
"file_display_name": "",
"file_created_at": "",
"agent": "",
"category_scores": [],
"publisher": "",
"raw_data": {
"edges": [],
"nodes": {
"6ADE07922117100C": {
"agent_version": "",
"in_threat": "",
"malicious_content": "",
"agent_uuid": "",
"meta_data": {
"updated_at": "",
"count": "",
"created_at": ""
},
"has_reputation": "",
"group_id": "",
"event_type": "",
"object_id": "",
"data": {
"path": "",
"is_system": "",
"created_date": "",
"is_executable": "",
"verification_type": "",
"extension_type": "",
"size": "",
"object_id": "",
"content_hash": "",
"permission": ""
}
}
}
},
"indicators": [],
"cert_id": "",
"is_cert_valid": ""
}
}
Parameter | Description |
---|---|
Threat ID | ID of the threat whose details, along with its associated events, you want to export in the CSV, JSON, or RAW format from SentinelOne. |
Export Format | Format in which you want to export the threat data. You can choose between the following formats: CSV, RAW, or JSON. |
The output contains the following populated JSON schema:
{
"threat_details": {
"description": "",
"id": "",
"created_at": "",
"agent": ""
},
"events": [],
"agent_details": {
"external_ip": "",
"registered_at": "",
"agent_version_current": "",
"computer_name": "",
"last_active_date": "",
"agent_version_at_threat_time": "",
"group_ip": "",
"domain": "",
"cpu": "",
"os": ""
},
"file_details": {
"size": "",
"created_at": "",
"id": "",
"display_name": "",
"permission": "",
"content_hash": ""
},
"reputation": {
"rank": ""
}
}
Parameter | Description |
---|---|
Application ID | ID of the agent application whose forensic data you want to retrieve from SentinelOne. |
Site IDs | (Optional) List of comma-separated agent's sites whose application forensic data you want to retrieve from SentinelOne. |
Group IDs | (Optional) List of comma-separated agent's groups whose application forensic data you want to retrieve from SentinelOne. |
Account IDs | (Optional) List of comma-separated agent's accounts whose application forensic data you want to retrieve from SentinelOne. |
The output contains the following populated JSON schema:
{
"success": "",
"result": {
"process_created_at": "",
"seen_on_network": "",
"process": {
"username": "",
"executable_file_id": "",
"created_date": "",
"is_primary": "",
"bundle_id": "",
"display_name": "",
"is_root": "",
"pid": "",
"object_id": ""
},
"file": {
"content_hash": "",
"is_system": "",
"created_date": "",
"size": "",
"display_name": "",
"permission": "",
"path": "",
"object_id": ""
},
"process_display_name": "",
"fetch_story_status": "",
"agent": "",
"malicious_process_arguments": "",
"application_id": "",
"application_created": ""
}
}
Parameter | Description |
---|---|
Threat ID | ID of the threat for which you want to retrieve the forensic data. |
Site IDs | (Optional) List of comma-separated agent's sites whose threat data you want to retrieve from SentinelOne. |
Group IDs | (Optional) List of comma-separated agent's groups whose threat data you want to retrieve from SentinelOne. |
Account IDs | (Optional) List of comma-separated agent's accounts whose threat data you want to retrieve from SentinelOne. |
The output contains the following populated JSON schema:
{
"result": {
"seen_on_network": "",
"occurred_at": "",
"file_display_name": "",
"marked_as_benign": "",
"classifier_name": "",
"mitigation_status": "",
"file_created_at": "",
"file_path": "",
"classification_source": "",
"classification": "",
"mitigation_report": {
"quarantine": {
"status": ""
},
"rollback": {
"status": ""
},
"remediate": {
"status": ""
},
"network_quarantine": {
"status": ""
},
"kill": {
"status": ""
}
},
"threat_id": "",
"whitening_options": [],
"threat_created": "",
"malicious_group_id": "",
"in_quarantine": "",
"file_content_hash": "",
"file_hash": "",
"malicious_process_arguments": "",
"annotation_url": "",
"agent": "",
"from_scan": "",
"annotation": "",
"file_description": "",
"resolved": "",
"mitigation_actions": []
}
}
None.
The output contains the following populated JSON schema:
{
"title": "",
"key": "",
"autoComplete": ""
}
Parameter | Description |
---|---|
Get Count By | Filter based on which you want to retrieve the application count from SentinelOne. You can choose between Risk Levels or Filters. By default, this is set as Risk Level. |
Site IDs | (Optional) List of comma-separated agent's sites whose application count you want to retrieve from SentinelOne. |
Group IDs | (Optional) List of comma-separated agent's groups whose application count you want to retrieve from SentinelOne. |
Account IDs | (Optional) List of comma-separated agent's accounts whose application count you want to retrieve from SentinelOne. |
Agent Machine Types | (Optional) Type of agent machine whose application count you want to retrieve from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server. |
Application IDs | (Optional) List of comma-separated application IDs whose application count you want to retrieve, per filter value, from SentinelOne. |
Application Types | (Optional) Type of application whose application count you want to retrieve from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension. |
Is Decommissioned | Select this checkbox if the status of the agent whose application count you want to retrieve from SentinelOne is set as "Decommissioned". |
Risk Levels | (Optional) Level of risks whose application count you want to retrieve from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical. |
OS Types | (Optional) Type of OS whose application count you want to retrieve from SentinelOne. You can choose between the following OS types: Macos, Windows_Legacy, Linux, or Windows. |
Extra Parameters | (Optional) Additional request parameters in the JSON format. |
The output contains the following populated JSON schema:
{
"title": "",
"key": "",
"values": [
{
"count": "",
"title": "",
"value": ""
}
]
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Limit Records | Maximum number of results, per page, that this operation should return. |
Skip Count | Select this option to avoid calculating the total number of results, which results in speeding up the execution time. |
Sort Order | Sorting order of the results, choose between Ascending or Descending. |
Sort By | Name of the field on which you want to sort the result. You can choose between the following fields: ID, PublishedAt, AgentID, or ApplicationID. |
Internal CVE IDs | List of comma-separated internal CVE IDs on which you want to filter the CVEs retrieved using this operation from SentinelOne. |
Global CVE IDs | List of comma-separated global CVE IDs on which you want to filter the CVEs retrieved using this operation from SentinelOne. |
Count Only | Select this option to only retrieve the total number of items, without any of the actual objects, from SentinelOne. |
Extra Parameters | Additional request parameters in the JSON format. |
The output contains the following populated JSON schema:
{
"data": {
"publishedAt": "",
"link": "",
"id": "",
"score": "",
"riskLevel": "",
"updatedAt": "",
"cveId": "",
"createdAt": "",
"description": ""
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Site IDs | List of comma-separated agent's site IDs to export application risks from SentinelOne. |
Group IDs | List of comma-separated agent's group IDs to export application risks from SentinelOne. |
Account IDs | List of comma-separated agent's account IDs to export application risks from SentinelOne. |
Size Between | Size range of the application between which you want to filter the application risks. You can specify the size range in bytes from 1024 to 104856. |
Agent Machine Types | Type of agent machine whose application risks you want to export from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server. |
Application IDs | ID of the agent application whose installed applications and CVEs list you want to export from SentinelOne. |
Application Types | Type of application whose application risks you want to export from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension. |
Is Decommissioned | Select this checkbox if the status of the agent whose application risks you want to export from SentinelOne is set as "Decommissioned". |
Risk Levels | Level of risks whose application risks you want to export from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical. |
OS Types | Type of OS whose application risks you want to export from SentinelOne. You can choose between the following os types: Macos, Windows Legacy, Linux, or Windows. |
Extra Parameters | Additional request parameters in the JSON format. |
No output schema is available at this time.
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Limit Records | Maximum number of results, per page, that this operation should return. |
Skip Count | Select this option to avoid calculating the total number of results, which results in speeding up the execution time. |
Sort Order | Sorting order of the results, choose between Ascending or Descending. |
Agent Machine Types | Type of endpoint machine whose applications you want to retrieve from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server. |
Application IDs | ID of the agent application whose installed applications you want to retrieve from SentinelOne |
Is Decommissioned | Select this checkbox if the status of the agent whose applications you want to retrieve from SentinelOne is set as "Decommissioned". |
Application Types | Type of application whose applications you want to retrieve from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension. |
Risk Levels | Level of risks whose applications you want to retrieve from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical. |
Sort By | Name of the field on which you want to sort the result. You can choose between the following fields: ID, InstallAt, Type, Name, Publisher, Version, Size, AgentComputerName, or RiskLevel. |
Count Only | Select this option to only retrieve the total number of items, without any of the actual objects, from SentinelOne. |
OS Types | Type of OS whose applications you want to retrieve from SentinelOne. You can choose between the following os types: Macos, Windows Legacy, Linux, or Windows. |
Extra Parameters | Additional request parameters in the JSON format. |
The output contains the following populated JSON schema:
{
"agentInfected": "",
"agentNetworkStatus": "",
"installedAt": "",
"signed": "",
"size": "",
"type": "",
"updatedAt": "",
"agentComputerName": "",
"name": "",
"agentOsType": "",
"version": "",
"publisher": "",
"agentMachineType": "",
"id": "",
"agentVersion": "",
"osType": "",
"createdAt": "",
"agentDomain": "",
"agentId": "",
"agentIsDecommissioned": "",
"riskLevel": "",
"agentUuid": "",
"agentIsActive": ""
}
Parameter | Description |
---|---|
Application ID | ID of the agent application whose application CVEs you want to retrieve from SentinelOne. |
The output contains the following populated JSON schema:
{
"agentInfected": "",
"agentNetworkStatus": "",
"installedAt": "",
"signed": "",
"size": "",
"type": "",
"updatedAt": "",
"agentComputerName": "",
"name": "",
"agentOsType": "",
"version": "",
"publisher": "",
"agentMachineType": "",
"id": "",
"agentVersion": "",
"osType": "",
"createdAt": "",
"cves": [],
"agentDomain": "",
"agentId": "",
"agentIsDecommissioned": "",
"riskLevel": "",
"agentUuid": "",
"agentIsActive": ""
}
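The application and CVE operations above return one row per installed application, each carrying the hosting agent's state (`agentIsActive`, `agentIsDecommissioned`) and, for Get Application CVEs, a `cves` list with `score` and `riskLevel`. The routine below turns that output into a patch queue. It is an added example and not connector code: it assumes `score` is a CVSS number and `riskLevel` uses the values listed for the Risk Levels parameter, and it drops rows for decommissioned or inactive agents by default because they still appear in the API output but cannot be patched. The sample records are constructed.

```python
from typing import Dict, List, Tuple

RISK_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def worst_cve(app: Dict) -> Tuple[float, str]:
    """Highest CVSS score among an application's cves and its cveId ((0.0, '') if none)."""
    best: Tuple[float, str] = (0.0, "")
    for cve in app.get("cves") or []:
        score = float(cve.get("score") or 0)
        if score > best[0]:
            best = (score, cve.get("cveId", ""))
    return best


def patch_queue(apps: List[Dict], min_score: float = 7.0,
                include_decommissioned: bool = False) -> List[Dict]:
    """Applications to patch first, ordered by CVSS, then riskLevel, then host name."""
    queue = []
    for app in apps:
        unreachable = app.get("agentIsDecommissioned") or not app.get("agentIsActive", True)
        if unreachable and not include_decommissioned:
            continue
        score, cve_id = worst_cve(app)
        if score < min_score:
            continue
        queue.append({
            "agentComputerName": app.get("agentComputerName", ""),
            "name": app.get("name", ""),
            "version": app.get("version", ""),
            "riskLevel": (app.get("riskLevel") or "none").lower(),
            "score": score,
            "cveId": cve_id,
            "cveCount": len(app.get("cves") or []),
        })
    queue.sort(key=lambda r: (-r["score"], -RISK_RANK.get(r["riskLevel"], 0), r["agentComputerName"]))
    return queue


def _app(host: str, name: str, version: str, risk: str, cves: List[Tuple[str, float]],
         active: bool = True, decommissioned: bool = False) -> Dict:
    return {"agentComputerName": host, "name": name, "version": version, "riskLevel": risk,
            "agentIsActive": active, "agentIsDecommissioned": decommissioned,
            "cves": [{"cveId": cid, "score": score} for cid, score in cves]}


# Constructed sample rows with placeholder CVE identifiers (not real advisories).
SAMPLE_APPS = [
    _app("ws-01", "OpenSSL", "1.0.2", "High", [("CVE-2000-0001", 9.8), ("CVE-2000-0002", 5.3)]),
    _app("srv-02", "Java Runtime", "8u60", "Critical", [("CVE-2000-0003", 9.9)], decommissioned=True),
    _app("ws-03", "7-Zip", "18.05", "Medium", [("CVE-2000-0004", 6.5)]),
    _app("ws-02", "Chrome", "80.0", "Critical", [("CVE-2000-0005", 8.8)]),
    _app("ws-04", "Zoom", "4.6", "High", [("CVE-2000-0006", 8.8)]),
]

if __name__ == "__main__":
    for row in patch_queue(SAMPLE_APPS):
        print(f'{row["agentComputerName"]:8s} {row["name"]:14s} {row["score"]:4.1f} {row["cveId"]} ({row["cveCount"]} CVEs)')
```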
The Sample - SentinelOne - 3.0.0 playbook collection comes bundled with the SentinelOne connector. This playbook collection contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the SentinelOne connector.
This generally occurs in the case of self-signed SSL certificates. If you are using self-signed certificates for testing or staging, keep in mind that this problem should not occur in production, where the SentinelOne server presents a certificate issued by a CA that FortiSOAR™ trusts, so you might need to switch the Verify SSL setting on or off per environment.
Resolution:
Ensure that the SSL certificates are trusted, or that SSL checking is turned off (the Verify SSL configuration parameter). Turning off certificate verification exposes the API token to interception and is not advised for production instances.
There are many reasons for a playbook failure, for example, if a required field is null in the target module record, or there are problems with the Playbook Appliance keys.
Resolution:
Investigate the reason for failure using the Running Playbooks tab in the Playbook Administration page. Review the step in which the failure is being generated and the result of the step, which should contain the trace of the error. Once you have identified the error, if you cannot troubleshoot it yourself, contact CyberSponse support for further assistance.
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Agents | Retrieves a list of agents attached to an account from SentinelOne based on the input parameters you have specified. | list_agents Investigation |
Agent Action | Performs an action (for example, isolating an agent from the network) on an agent in SentinelOne based on the action, agent IDs, and other input parameters you have specified. | isolate_agent Containment |
Reconnect Agent | Reconnects a disconnected agent to the network in SentinelOne based on the input parameters you have specified. | reconnect_agent Remediation |
Get Agent Passphrase | Retrieves an agent's passphrase to uninstall an offline agent in SentinelOne based on the agent ID you have specified. | agent_passphrase Miscellaneous |
Get Agent Application | Retrieves a list of applications installed on an agent in SentinelOne based on the agent ID you have specified. | list_applications Investigation |
Get Agent Process | Retrieves a list of processes running on an agent in SentinelOne based on the agent ID you have specified. | list_processes Investigation |
Broadcast Message to Agent | Broadcasts a message to a specified agent system or a list of agent systems in SentinelOne based on the agent ID, message, and other input parameters you have specified. | broadcast_message Miscellaneous |
Initiate Agent Scan | Initiates scanning on a specified agent system or all agents in SentinelOne based on the input parameters you have specified. | scan_agent Investigation |
Abort Agent Scan | Aborts a scan running on a specified agent system or on all agents in SentinelOne based on the input parameters you have specified. | abort_scan Investigation |
Get Hash Details | Retrieve the details for a specified hash from SentinelOne based on the Hash ID you have specified. | hash_details Investigation |
Get Threat Details | Retrieve the details for a specified threat from SentinelOne based on the threat ID you have specified. | threat_details Investigation |
Mitigate Threat | Mitigates identified threats in the SentinelOne system based on the threat ID, action and other input parameters you have specified. | mitigate_threats Remediation |
Mark Threat as Benign | Marks an identified threat as safe in SentinelOne based on the threat ID, target scope, and other input parameters you have specified. | mark_threat_as_benign Remediation |
Fetch Agents Logs | Retrieves logs from agents system to the SentinelOne cloud based on the input parameters you have specified. | fetch_logs Investigation |
Get Agent Count | Retrieves the count of agents in SentinelOne filtered by the input parameters you have specified. | agent_count Miscellaneous |
List All Threats | List all threats identified by SentinelOne on agents. You can additionally filter out the results by specifying the agent ID or the threat name. | list_threats Investigation |
Create Query And Get Query ID | Starts a deep visibility Query and retrieves the Query ID from SentinelOne based on the query, date range, and other input parameters you have specified. | create_query Investigation |
Get Query Status | Retrieves the status of the deep visibility query from SentinelOne based on the query ID you have specified. | get_query_status Investigation |
Get Events | Retrieves the deep visibility events associated with a query from SentinelOne based on the query ID and other input parameters you have specified. | get_events Investigation |
Get Events By Type | Retrieves the deep visibility events associated with a query from SentinelOne based on the query ID, event type, and other input parameters you have specified. | get_events_by_type Investigation |
Cancel Running Query | Stops a deep visibility query that is running on SentinelOne based on the query ID you have specified. | cancel_running_query Investigation |
Get Application Network Connections | Retrieves network connections for a specific agent application on SentinelOne based on the application ID and other input parameters you have specified. | application_forensic_connections Investigation |
Get Application Forensic Details | Retrieves detailed forensics data for a specific agent application on SentinelOne based on the application ID and other input parameters you have specified. | application_forensic_details Investigation |
Export Forensics Application | Exports the forensics data of a specific agent application, in CSV or JSON format, from SentinelOne based on the application ID and other input parameters you have specified. | export_forensics_application Investigation |
Get Threat Seen on Network | Retrieves "seen on network" details for a specific threat in SentinelOne based on the threat ID and other input parameters you have specified. | threat_seen_on_network Investigation |
Get Threat Network Connections | Retrieves network connections for a specific threat on SentinelOne based on the threat ID and other input parameters you have specified. | threat_forensic_connections Investigation |
Threat Forensic Details | Retrieves detailed forensics data for a specific threat on SentinelOne based on the threat ID you have specified. | threat_forensic_details Investigation |
Export Threat | Exports a threat along with its associated events, in CSV or JSON format, from SentinelOne based on the threat ID and export format you have specified. | export_forensics_threat Investigation |
Get Application Forensics | Retrieves forensics data for a specific application on SentinelOne based on the application ID and other input parameters you have specified. | application_forensics Investigation |
Get Threat Forensics | Retrieves forensics data for a specific threat on SentinelOne based on the threat ID and export format you have specified. | threat_forensics Investigation |
Free Text | Retrieves a metadata list of all the available free-text filters in SentinelOne. | free_text_filters Investigation |
Get Application Count | Retrieves the count of applications from SentinelOne, grouped by risk level or narrowed by the filters and other input parameters you have specified. | get_application_count Investigation |
Get CVEs | Retrieves all known CVEs for applications from SentinelOne based on the input parameters you have specified. Note: This is available for the Complete SKU only. | get_cve Investigation |
Export Applications Risk | Exports the list of installed applications and their CVEs from SentinelOne based on the input parameters you have specified. | export_applications_risk Investigation |
Get Applications | Retrieves a list of all installed applications per endpoint, including risk levels, from SentinelOne based on the input parameters you have specified. Note: This is available for the Complete SKU only. | get_applications Investigation |
Get Application CVEs | Retrieves all known CVEs for a specific application, along with application and endpoint information, from SentinelOne based on the application ID you have specified. Note: This is available for the Complete SKU only. | get_application_cve Investigation |
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent Memory Less Than (GB) | Retrieve only those agents whose memory size is less than the given input. |
Agent Memory Greater Than (GB) | Retrieve only those agents whose memory size is greater than the given input. |
Agent Core Count Less Than | Retrieve only those agents whose core count is less than the given input. |
Agent Core Count Greater Than | Retrieve only those agents whose core count is greater than the given input. |
Is Active | Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Active". |
Is Infected | Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Decommissioned". |
Agent IDs | List of comma-separated agent IDs that you want to retrieve from SentinelOne. |
Computer Name Like | Retrieve only those agents whose computer name matches the specified name (sub-string match). |
Agent Version | Version of the agent that you want to retrieve from SentinelOne. |
Limit | Maximum number of results, per page, that this operation should return. |
Skip Records | Skips the specified number of results from the total results. |
Network Status | Select the network status of the agent that you want to retrieve from SentinelOne. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
A customized JSON output that is formatted for easy reference is the output for all the operations.
The output contains the following populated JSON schema:
{
"agentVersion": "",
"allowRemoteShell": "",
"modelName": "",
"encryptedApplications": "",
"cpuId": "",
"totalMemory": "",
"lastLoggedInUserName": "",
"activeDirectory": {
"computerMemberOf": [],
"lastUserMemberOf": [],
"computerDistinguishedName": "",
"lastUserDistinguishedName": ""
},
"siteId": "",
"uuid": "",
"coreCount": "",
"machineType": "",
"osType": "",
"createdAt": "",
"osStartTime": "",
"groupIp": "",
"networkInterfaces": [
{
"inet6": [],
"name": "",
"inet": [],
"id": "",
"physical": ""
}
],
"cpuCount": "",
"appsVulnerabilityStatus": "",
"registeredAt": "",
"scanStatus": "",
"infected": "",
"isPendingUninstall": "",
"licenseKey": "",
"lastActiveDate": "",
"groupId": "",
"osRevision": "",
"osName": "",
"groupName": "",
"mitigationModeSuspicious": "",
"consoleMigrationStatus": "",
"isUpToDate": "",
"osUsername": "",
"updatedAt": "",
"osArch": "",
"domain": "",
"activeThreats": "",
"accountId": "",
"inRemoteShellSession": "",
"locations": [],
"scanAbortedAt": "",
"mitigationMode": "",
"userActionsNeeded": [],
"id": "",
"isActive": "",
"externalIp": "",
"siteName": "",
"scanStartedAt": "",
"locationType": "",
"isUninstalled": "",
"networkStatus": "",
"isDecommissioned": "",
"computerName": "",
"scanFinishedAt": "",
"accountName": "",
"externalId": ""
}
Parameter | Description |
---|---|
Action | Select the action that you want to perform on the specified agent in SentinelOne. You can choose between the following actions: Isolate Agent Network, Decommission Agent, Uninstall Agent, or Shutdown Agent. |
Agent IDs | List of comma-separated agent IDs on which you want to perform actions in SentinelOne. |
Group IDs | (Optional) List of comma-separated agent's group IDs on which you want to perform actions in SentinelOne. |
Is Decommissioned | Select this checkbox if the status of the agent on which you want to perform actions on SentinelOne is set as "Decommissioned". |
Is Uninstalled | Select this checkbox if the status of the agent on which you want to perform actions on SentinelOne is set as "Uninstalled". |
The output contains the following populated JSON schema:
{
"affected": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent Memory Less Than (GB) | Reconnects to the network only those agents whose memory size is less than the given input. |
Agent Memory Greater Than (GB) | Reconnects to the network only those agents whose memory size is greater than the given input. |
Agent Core Count Less Than | Reconnects to the network only those agents whose core count is less than the given input. |
Agent Core Count Greater Than | Reconnects to the network only those agents whose core count is greater than the given input. |
Is Active | Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Active". |
Is Infected | Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Decommissioned". |
Agent IDs | List of comma-separated agent IDs that you want to reconnect to the SentinelOne network. |
Computer Name Like | Reconnects to the network only those agents whose computer name matches the specified name. |
Agent Version | Version of the agent that you want to reconnect to the SentinelOne network. |
OS Type | Select the OS type of the agent that you want to reconnect to the SentinelOne network. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agent that you want to reconnect to the SentinelOne network. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON contains a success message with the number of agents reconnected to the network.
The output contains the following populated JSON schema:
{
"affected": ""
}
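The note above applies to every filter-driven agent operation on this page (reconnect to network, initiate scan, abort scan, broadcast message, fetch logs, and the agent actions): leaving every input blank applies no filter, so the action reaches every agent the API token can see. The following guard, added here as an example and not part of the connector or of SentinelOne's own code, maps the connector's input labels to filters, refuses an empty filter, requires explicit Agent IDs for irreversible actions, and runs Get Agent Count (output `total`) before the action (output `affected`) so a playbook can abort when the match count is zero or above a ceiling. The API parameter names in `FILTER_MAP`, the action tokens, and the inventory are assumptions constructed for the example; a real run would replace `fake_console` with the connector step.

```python
# Parameter names on the right are assumptions modelled on the SentinelOne v2.0 agents
# API; the labels on the left are the connector's input fields.
FILTER_MAP = {
    "Agent IDs": "ids", "Computer Name Like": "computerName__like",
    "Agent Version": "agentVersions", "Is Active": "isActive", "Is Infected": "infected",
    "Is Decommissioned": "isDecommissioned", "Network Status": "networkStatuses",
    "OS Type": "osTypes", "Agent Core Count Less Than": "coreCount__lt",
    "Agent Core Count Greater Than": "coreCount__gt",
    "Agent Memory Less Than (GB)": "totalMemory__lt",
    "Agent Memory Greater Than (GB)": "totalMemory__gt",
}
# Actions that cannot be undone from the console; the tokens are this example's own.
IRREVERSIBLE = {"uninstall", "decommission", "shutdown"}

class UnsafeActionError(ValueError):
    pass

def build_agent_filter(inputs):
    """Map connector inputs to API filters. Blank fields and unticked checkboxes are dropped,
    on the assumption (matching the connector's notes) that an unset input means "no filter",
    not "agents where the flag is false"."""
    filters = {}
    for label, value in inputs.items():
        key = FILTER_MAP[label]  # KeyError on an unknown label is deliberate
        if value in (None, "", False, []):
            continue
        if key == "ids" and isinstance(value, str):
            value = [v.strip() for v in value.split(",") if v.strip()]
        filters[key] = value
    return filters

def guarded_agent_action(transport, action, inputs, *, max_affected=50):
    """Count first, then act. `transport(op, filters)` returns {"total": n} for op "count"
    and {"affected": n} for any action, mirroring the connector's two output schemas."""
    filters = build_agent_filter(inputs)
    if not filters:
        raise UnsafeActionError(f"refusing '{action}': an empty filter targets every agent")
    if action in IRREVERSIBLE and "ids" not in filters:
        raise UnsafeActionError(f"'{action}' needs explicit Agent IDs, not a fuzzy filter")
    total = transport("count", filters)["total"]
    if total == 0:
        raise UnsafeActionError("filter matches no agents; fix the filter instead of widening it")
    if total > max_affected:
        raise UnsafeActionError(f"filter matches {total} agents, above the ceiling of {max_affected}")
    affected = transport(action, filters)["affected"]
    # Count and action are separate calls; agents can change state in between, so record both.
    return {"filters": filters, "expected": total, "affected": affected}

# Constructed inventory standing in for the console's agent list (not real endpoints).
INVENTORY = [
    {"id": "a1", "computerName": "WS-FIN-01", "isActive": True, "infected": True,
     "isDecommissioned": False, "networkStatus": "connected", "osType": "windows",
     "agentVersion": "4.1.4.82", "coreCount": 4, "totalMemory": 16},
    {"id": "a2", "computerName": "WS-FIN-02", "isActive": True, "infected": False,
     "isDecommissioned": False, "networkStatus": "connected", "osType": "windows",
     "agentVersion": "4.1.4.82", "coreCount": 8, "totalMemory": 32},
    {"id": "a3", "computerName": "SRV-DB-01", "isActive": True, "infected": False,
     "isDecommissioned": False, "networkStatus": "disconnected", "osType": "linux",
     "agentVersion": "4.1.2.30", "coreCount": 16, "totalMemory": 128},
]
FIELD_OF = {"isActive": "isActive", "infected": "infected", "isDecommissioned": "isDecommissioned",
            "osTypes": "osType", "networkStatuses": "networkStatus", "agentVersions": "agentVersion"}

def _matches(agent, filters):
    for key, want in filters.items():
        if key == "ids":
            ok = agent["id"] in want
        elif key == "computerName__like":
            ok = want.lower() in agent["computerName"].lower()
        elif key.endswith("__lt"):
            ok = agent[key[:-4]] < want
        elif key.endswith("__gt"):
            ok = agent[key[:-4]] > want
        else:
            ok = agent[FIELD_OF[key]] in (want if isinstance(want, list) else [want])
        if not ok:
            return False
    return True

def fake_console(op, filters):
    """Stand-in for the connector's Get Agent Count and agent-action operations (no network)."""
    hits = sum(_matches(a, filters) for a in INVENTORY)
    return {"total": hits} if op == "count" else {"affected": hits}

def demo():
    """One permitted action and three that the guard must block, against the fake console."""
    results = {"scan_fin": guarded_agent_action(fake_console, "initiate_scan",
                                                {"Computer Name Like": "WS-FIN", "Is Active": True})}
    for name, action, inputs in [("empty", "reconnect", {"Is Active": False, "Agent IDs": ""}),
                                 ("fuzzy_uninstall", "uninstall", {"Computer Name Like": "WS"}),
                                 ("no_match", "initiate_scan", {"Computer Name Like": "nope"})]:
        try:
            guarded_agent_action(fake_console, action, inputs)
            results[name] = "ran"
        except UnsafeActionError:
            results[name] = "blocked"
    results["uninstall_ids"] = guarded_agent_action(fake_console, "uninstall", {"Agent IDs": "a3, a4"})
    return results

if __name__ == "__main__":
    print(demo())
```

In a playbook the same shape is two connector steps, Get Agent Count followed by the action, with a decision step between them; the point of keeping `expected` next to `affected` in the result is that a mismatch is the first sign that the filter matched something other than what the analyst had in mind.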
Parameter | Description |
---|---|
Agent ID | ID of the agent whose passphrase you want to retrieve from SentinelOne. The passphrase can be used to delete an offline agent from SentinelOne. |
The JSON contains a string output with the passphrase that can be used to delete an offline agent. Treat this value as a secret in playbook outputs and logs: anyone who holds it can remove the agent from the endpoint.
The output contains the following populated JSON schema:
{
"lastLoggedInUserName": "",
"passphrase": "",
"domain": "",
"id": "",
"computerName": "",
"uuid": ""
}
Parameter | Description |
---|---|
Agent Id | ID of the agent whose list of installed applications you want to retrieve from SentinelOne. |
The JSON contains a list of application objects, each with details such as the name, version, publisher, and installation date of an application installed on the specified agent.
The output contains the following populated JSON schema:
{
"name": "",
"version": "",
"size": "",
"publisher": "",
"installedDate": ""
}
Parameter | Description |
---|---|
Agent Id | ID of the agent whose list of running applications you want to retrieve from SentinelOne. |
The JSON contains a list of running processes along with the process details for the specified agent.
The output contains the following populated JSON schema:
{
"cpuUsage": "",
"memoryUsage": "",
"pid": "",
"executablePath": "",
"startTime": "",
"processName": ""
}
Parameter | Description |
---|---|
Message | Message that you want to broadcast to an agent or a list of agents in SentinelOne. |
Agent IDs | List of comma-separated agent IDs in SentinelOne to whom you want to broadcast the specified message. |
Agent Memory Less Than (GB) | (Optional) Broadcast the message only to those agents whose memory size is less than the given input. |
Agent Memory Greater Than (GB) | (Optional) Broadcast the message only to those agents whose memory size is greater than the given input. |
Agent Core Count Less Than | (Optional) Broadcast the message only to those agents whose core count is less than the given input. |
Agent Core Count Greater Than | (Optional) Broadcast the message only to those agents whose core count is greater than the given input. |
Is Active | Select this checkbox if the status of the agent to whom you want to broadcast a message is set as "Active". |
Is Infected | Select this checkbox if the status of the agent to whom you want to broadcast a message is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent to whom you want to broadcast a message is set as "Decommissioned". |
Computer Name Like | (Optional) Broadcast the message only to those agents whose computer name matches the specified name. |
Agent Version | (Optional) Version of the agent to which you want to broadcast the message. |
OS Type | Select the OS type of the agent in the SentinelOne network to which you want to broadcast the message. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agent in the SentinelOne to whom you want to broadcast the message. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON output contains the number of agents that are affected by the broadcast operation after the query is successfully run.
The output contains the following populated JSON schema:
{
"affected": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent Memory Less Than (GB) | Initiates a scan on only those agents whose memory size is less than the given input. |
Agent Memory Greater Than (GB) | Initiates a scan on only those agents whose memory size is greater than the given input. |
Agent Core Count Less Than | Initiates a scan on only those agents whose core count is less than the given input. |
Agent Core Count Greater Than | Initiates a scan on only those agents whose core count is greater than the given input. |
Is Active | Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Active". |
Is Infected | Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Decommissioned". |
Agent IDs | List of comma-separated agent IDs on which you want to initiate a scan in SentinelOne. |
Computer Name Like | Initiates the scan only on those agents whose computer name matches the specified name. |
Agent Version | Version of the agent on which you want to initiate a scan. |
OS Type | Select the OS type of the agent in SentinelOne on which you want to initiate the scan. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agent in the SentinelOne on which you want to initiate the scan. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON output contains the number of agents that are affected by the scan operation after the query is successfully run.
The output contains the following populated JSON schema:
{
"affected": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent Memory Less Than (GB) | Aborts the scan on only those agents whose memory size is less than the given input. |
Agent Memory Greater Than (GB) | Aborts the scan on only those agents whose memory size is greater than the given input. |
Agent Core Count Less Than | Aborts the scan on only those agents whose core count is less than the given input. |
Agent Core Count Greater Than | Aborts the scan on only those agents whose core count is greater than the given input. |
Is Active | Select this checkbox if the status of the agent on which you want to abort the scan is set as "Active". |
Is Infected | Select this checkbox if the status of the agent on which you want to abort the scan is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent on which you want to abort the scan is set as "Decommissioned". |
Agent IDs | List of comma-separated agent IDs on which you want to abort the scan in SentinelOne. |
Computer Name Like | Aborts the scan only on those agents whose computer name matches the specified name. |
Agent Version | Version of the agent on which you want to abort the scan. |
OS Type | Select the OS type of the agent in SentinelOne on which you want to abort the scan. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agent in the SentinelOne on which you want to abort the scan. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON output contains the number of agents that are affected by the abort scan operation after the query is successfully run.
The output contains the following populated JSON schema:
{
"affected": ""
}
Parameter | Description |
---|---|
Hash ID | SHA1 hash of the file whose reputation details you want to retrieve from SentinelOne. Only SHA1 is accepted for this lookup; MD5 and SHA256 values are rejected. |
The JSON contains the details of the specified hash ID.
The output contains the following populated JSON schema:
{
"rank": ""
}
Parameter | Description |
---|---|
Threat Id | ID of the threat whose details you want to retrieve from SentinelOne. |
The JSON contains the details of the specified threat ID.
The output contains the following populated JSON schema:
{
"cloudVerdict": "",
"agentDomain": "",
"fileIsDotNet": "",
"id": "",
"maliciousProcessArguments": "",
"accountId": "",
"fromScan": "",
"agentId": "",
"fileCreatedDate": "",
"maliciousGroupId": "",
"markedAsBenign": "",
"isInteractiveSession": "",
"siteName": "",
"classifierName": "",
"fileExtensionType": "",
"indicators": [],
"classificationSource": "",
"classification": "",
"createdAt": "",
"mitigationStatus": "",
"description": "",
"agentOsType": "",
"filePath": "",
"agentInfected": "",
"fileObjectId": "",
"username": "",
"threatAgentVersion": "",
"browserType": "",
"fileContentHash": "",
"fileDisplayName": "",
"publisher": "",
"rank": "",
"isPartialStory": "",
"engines": [],
"threatName": "",
"annotation": "",
"certId": "",
"accountName": "",
"isCertValid": "",
"collectionId": "",
"fileSha256": "",
"resolved": "",
"updatedAt": "",
"agentIsDecommissioned": "",
"agentIsActive": "",
"agentVersion": "",
"agentIp": "",
"agentComputerName": "",
"fromCloud": "",
"fileIsExecutable": "",
"createdDate": "",
"siteId": "",
"fileIsSystem": "",
"annotationUrl": "",
"whiteningOptions": [],
"agentMachineType": "",
"agentNetworkStatus": "",
"mitigationMode": "",
"mitigationReport": {
"quarantine": {
"status": ""
},
"kill": {
"status": ""
},
"rollback": {
"status": ""
},
"remediate": {
"status": ""
},
"network_quarantine": {
"status": ""
}
},
"fileMaliciousContent": "",
"fileVerificationType": ""
}
Parameter | Description |
---|---|
Action | Select the action that you want to perform on the specified threat. You can choose between the following actions: Kill, Quarantine, Un-Quarantine, Remediate, or Rollback-Remediation. |
Threat ID | ID of the threat on which you want to take the specified action. |
Content Hash | (Optional) Hash ID of the file associated with the threat that requires mitigation. |
Threat Name | (Optional) Name of the threat that requires mitigation. |
Agent ID | (Optional) ID of the agent on which the threat has been identified. |
Limit Records | (Optional) Maximum number of results, per page, that this operation should return. |
From Scan | Select this option if the threat was detected as a result of a scan. |
The JSON contains a message about the threat being mitigated.
The output contains the following populated JSON schema:
{
"affected": ""
}
Parameter | Description |
---|---|
Target Scope | Scope of the target that you want to mark as safe in SentinelOne. |
Threat Id | ID of the threat that you want to mark as safe in SentinelOne. |
Content Hash | (Optional) Hash ID of the file associated with the threat that you want to mark as safe in SentinelOne. |
Threat Name | (Optional) Name of the threat that you want to mark as safe in SentinelOne. |
Agent Id | (Optional) ID of the agent on which the threat has been identified. |
Limit Records | (Optional) Maximum number of results, per page, that this operation should return. |
From Scan | Select this option if the threat was detected as a result of a scan. |
The JSON contains a message about the threat being marked as safe.
The output contains the following populated JSON schema:
{
"affected": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent Memory Less Than (GB) | Retrieve logs of only those agents whose memory size is less than the given input. |
Agent Memory Greater Than (GB) | Retrieve logs of only those agents whose memory size is greater than the given input. |
Agent Core Count Less Than | Retrieve logs of only those agents whose core count is less than the given input. |
Agent Core Count Greater Than | Retrieve logs of only those agents whose core count is greater than the given input. |
Is Active | Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Active". |
Is Infected | Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Decommissioned". |
Agent IDs | List of comma-separated agent IDs whose logs you want to retrieve from SentinelOne. |
Computer Name Like | Retrieve logs of only those agents whose computer name matches the specified name. |
Agent Version | Version of the agent whose logs you want to retrieve from SentinelOne. |
OS Type | Select the OS type of the agent in SentinelOne whose logs you want to retrieve. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agent in the SentinelOne whose logs you want to retrieve. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON output contains the number of agents whose logs are fetched after the query is successfully run.
The output contains the following populated JSON schema:
{
"affected": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent Memory Less Than (GB) | Count only those agents whose memory size is less than the given input. |
Agent Memory Greater Than (GB) | Count only those agents whose memory size is greater than the given input. |
Agent Core Count Less Than | Count only those agents whose core count is less than the given input. |
Agent Core Count Greater Than | Count only those agents whose core count is greater than the given input. |
Is Active | Select this checkbox to count only those agents whose status in SentinelOne is set as "Active". |
Is Infected | Select this checkbox to count only those agents whose status in SentinelOne is set as "Infected". |
Is Decommissioned | Select this checkbox to count only those agents whose status in SentinelOne is set as "Decommissioned". |
Agent IDs | List of comma-separated agent IDs that you want to count in SentinelOne. |
Computer Name Like | Count only those agents whose computer name matches the specified name. |
Agent Version | Version of the agents that you want to count in SentinelOne. |
OS Type | Select the OS type of the agents that you want to count in SentinelOne. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agents that you want to count in SentinelOne. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON output contains the number of available agents.
The output contains the following populated JSON schema:
{
"total": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Content Hash | Hash ID of the file associated with the threat. |
Threat Name | Name of the threat that you want to search for on all agents on SentinelOne. |
Agent ID | ID of the agent whose threats you want to list. |
Limit Records | Maximum number of results, per page, that this operation should return. |
Skip Records | Skips the specified number of results from the total results. |
From Scan | Select this option if the threat was detected as a result of a scan. |
The JSON contains the objects of the threats that are found after the query is successfully run.
The output contains the following populated JSON schema:
{
"cloudVerdict": "",
"agentDomain": "",
"fileIsDotNet": "",
"id": "",
"maliciousProcessArguments": "",
"accountId": "",
"fromScan": "",
"agentId": "",
"fileCreatedDate": "",
"maliciousGroupId": "",
"markedAsBenign": "",
"isInteractiveSession": "",
"siteName": "",
"classifierName": "",
"fileExtensionType": "",
"indicators": [],
"classificationSource": "",
"classification": "",
"createdAt": "",
"mitigationStatus": "",
"description": "",
"agentOsType": "",
"filePath": "",
"agentInfected": "",
"fileObjectId": "",
"username": "",
"threatAgentVersion": "",
"browserType": "",
"fileContentHash": "",
"fileDisplayName": "",
"publisher": "",
"rank": "",
"isPartialStory": "",
"engines": [],
"threatName": "",
"annotation": "",
"certId": "",
"accountName": "",
"isCertValid": "",
"collectionId": "",
"fileSha256": "",
"resolved": "",
"updatedAt": "",
"agentIsDecommissioned": "",
"agentIsActive": "",
"agentVersion": "",
"agentIp": "",
"agentComputerName": "",
"fromCloud": "",
"fileIsExecutable": "",
"createdDate": "",
"siteId": "",
"fileIsSystem": "",
"annotationUrl": "",
"whiteningOptions": [],
"agentMachineType": "",
"agentNetworkStatus": "",
"mitigationMode": "",
"mitigationReport": {
"quarantine": {
"status": ""
},
"kill": {
"status": ""
},
"rollback": {
"status": ""
},
"remediate": {
"status": ""
},
"network_quarantine": {
"status": ""
}
},
"fileMaliciousContent": "",
"fileVerificationType": ""
}
Parameter | Description |
---|---|
Query | Deep visibility query to run. The connector treats this as a free-text search term that is matched (sub-string match) against the applicable event attributes; the query ID returned is for this query. |
From Date | Start of the time range (inclusive) over which the query is run. |
To Date | End of the time range over which the query is run. |
Group IDs | (Optional) List of comma-separated agent's group IDs based on which you want to retrieve the query ID from SentinelOne. |
Tenant | Select this checkbox to indicate a tenant scope in the query. |
Query Type | (Optional) Type of the query used by deep visibility in SentinelOne. |
Account IDs | (Optional) List of comma-separated agent's accounts based on which you want to retrieve the query ID from SentinelOne. |
Site IDs | (Optional) List of comma-separated agent's sites based on which you want to retrieve the query ID from SentinelOne. |
The output contains the following populated JSON schema:
{
"queryId": ""
}
Parameter | Description |
---|---|
Query ID | ID of the query whose status you want to retrieve from SentinelOne. When you create a query in SentinelOne you get its QueryID. |
The output contains the following populated JSON schema:
{
"progressStatus": "",
"responseState": ""
}
Parameter | Description |
---|---|
Query ID | ID of the query whose associated events you want to retrieve from SentinelOne. When you create a query in SentinelOne you get its QueryID. |
Limit Records | (Optional) Maximum number of results, per page, that this operation should return. |
Skip Records | (Optional) Skips the specified number of results from the total results. |
Cursor | (Optional) Cursor position returned by the previous request (`pagination.nextCursor`). Use this instead of Skip Records when paging through a large result set. Cursor currently supports Sort By with `createdAt`, `pid`, and `processStartTime`. |
Sort Order | (Optional) Sorting order of the result (events), choose between Ascending or Descending. |
Sort By | (Optional) Name of the field on which you want to sort the result (events). |
Sub Query | (Optional) Additional query that further narrows the events already returned for the specified Query ID, without starting a new deep visibility query. |
The output contains the following populated JSON schema:
{
"agentVersion": "",
"agentNetworkStatus": "",
"fileId": "",
"indicatorDescription": "",
"eventType": "",
"dstIp": "",
"relatedToThreat": "",
"processImagePath": "",
"processName": "",
"processUniqueKey": "",
"parentProcessUniqueKey": "",
"processGroupId": "",
"eventSubType": "",
"processUserName": "",
"networkMethod": "",
"processDisplayName": "",
"processSubSystem": "",
"parentProcessName": "",
"createdAt": "",
"srcPort": "",
"agentIp": "",
"tid": "",
"agentOs": "",
"oldFileSha1": "",
"agentDomain": "",
"agentIsDecommissioned": "",
"registryPath": "",
"oldFileMd5": "",
"sha256": "",
"fileSha256": "",
"parentProcessIsMalicious": "",
"indicatorMetadata": "",
"networkUrl": "",
"processImageSha1Hash": "",
"oldFileSha256": "",
"user": "",
"md5": "",
"agentInfected": "",
"loginsBaseType": "",
"processStartTime": "",
"forensicUrl": "",
"oldFileName": "",
"dnsResponse": "",
"srcIp": "",
"indicatorCategory": "",
"rpid": "",
"processIsMalicious": "",
"taskName": "",
"dnsRequest": "",
"loginsUserName": "",
"indicatorName": "",
"agentUuid": "",
"agentMachineType": "",
"registryId": "",
"parentProcessGroupId": "",
"processIntegrityLevel": "",
"fileFullName": "",
"signer": "",
"processSessionId": "",
"processCmd": "",
"taskPath": "",
"parentPid": "",
"agentId": "",
"id": "",
"fileMd5": "",
"networkSource": "",
"siteName": "",
"agentGroupId": "",
"agentName": "",
"parentProcessStartTime": "",
"dstPort": "",
"trueContext": "",
"fileSha1": "",
"threatStatus": "",
"agentIsActive": "",
"direction": "",
"pid": "",
"sha1": ""
}
Parameter | Description |
---|---|
Query ID | ID of the query whose associated events you want to retrieve from SentinelOne. When you create a query in SentinelOne you get its QueryID. |
Event Type | Event type by which you want to filter the results (events). You can choose between the following event types: Events, File, Ip, Url, Dns, Process, Registry, Scheduled task, Logins, or Indicators. |
Limit Records | (Optional) Maximum number of results, per page, that this operation should return. |
Skip Records | (Optional) Skips the specified number of results from the total results. |
Cursor | (Optional) Cursor position returned by the previous request (`pagination.nextCursor`). Use this instead of Skip Records when paging through a large result set. Cursor currently supports Sort By with `createdAt`, `pid`, and `processStartTime`. |
Sort Order | (Optional) Sorting order of the result (events), choose between Ascending or Descending. |
Sort By | (Optional) Name of the field on which you want to sort the result (events). |
Sub Query | (Optional) Additional query that further narrows the events of the selected type already returned for the specified Query ID, without starting a new deep visibility query. |
The output contains the following populated JSON schema:
{
"data": {
"agentVersion": "",
"agentNetworkStatus": "",
"fileId": "",
"indicatorDescription": "",
"eventType": "",
"dstIp": "",
"relatedToThreat": "",
"processImagePath": "",
"processName": "",
"processUniqueKey": "",
"parentProcessUniqueKey": "",
"processGroupId": "",
"eventSubType": "",
"processUserName": "",
"networkMethod": "",
"processDisplayName": "",
"processSubSystem": "",
"parentProcessName": "",
"createdAt": "",
"srcPort": "",
"agentIp": "",
"tid": "",
"agentOs": "",
"oldFileSha1": "",
"agentDomain": "",
"agentIsDecommissioned": "",
"registryPath": "",
"oldFileMd5": "",
"sha256": "",
"fileSha256": "",
"parentProcessIsMalicious": "",
"indicatorMetadata": "",
"networkUrl": "",
"processImageSha1Hash": "",
"oldFileSha256": "",
"user": "",
"md5": "",
"agentInfected": "",
"loginsBaseType": "",
"processStartTime": "",
"forensicUrl": "",
"oldFileName": "",
"dnsResponse": "",
"srcIp": "",
"indicatorCategory": "",
"rpid": "",
"processIsMalicious": "",
"taskName": "",
"dnsRequest": "",
"loginsUserName": "",
"indicatorName": "",
"agentUuid": "",
"agentMachineType": "",
"registryId": "",
"parentProcessGroupId": "",
"processIntegrityLevel": "",
"fileFullName": "",
"signer": "",
"processSessionId": "",
"processCmd": "",
"taskPath": "",
"parentPid": "",
"agentId": "",
"id": "",
"fileMd5": "",
"networkSource": "",
"siteName": "",
"agentGroupId": "",
"agentName": "",
"parentProcessStartTime": "",
"dstPort": "",
"trueContext": "",
"fileSha1": "",
"threatStatus": "",
"agentIsActive": "",
"direction": "",
"pid": "",
"sha1": ""
},
"pagination": {
"totalItems": "",
"nextCursor": ""
}
}
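The Cursor parameter above replaces Skip Records once the first page has been fetched, and it only works with the three Sort By fields listed. The following is an added example (not code from the FortiSOAR connector) of a client that pages through a query's events by following `pagination.nextCursor` and refuses to loop forever if a server keeps returning the same cursor. The endpoint path `/web/api/<version>/dv/events`, the `Authorization: ApiToken` header format, and the fake server used to run it offline are assumptions.

```python
"""Cursor-based paging over SentinelOne Deep Visibility query events.

Added example for this documentation page; it is not code from the FortiSOAR
connector. The endpoint path, the "ApiToken" authorization header and the fake
server used to run offline are assumptions.
"""
import json
import ssl
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional

# Assumed path of the Deep Visibility events endpoint for a given API version.
EVENTS_PATH = "/web/api/{api_version}/dv/events"

# Cursor paging is only supported with these Sort By fields (see the Cursor parameter).
CURSOR_SORT_FIELDS = {"createdAt", "pid", "processStartTime"}

Fetcher = Callable[[str, Dict[str, str]], dict]


def build_request(server_url: str, api_version: str, query_id: str, limit: int,
                  sort_by: str = "createdAt", sort_order: str = "asc",
                  cursor: Optional[str] = None):
    """Return (url, params) for one page; rejects sort fields the cursor cannot page on."""
    if sort_by not in CURSOR_SORT_FIELDS:
        raise ValueError(f"cursor paging requires sortBy in {sorted(CURSOR_SORT_FIELDS)}, got {sort_by!r}")
    if limit < 1:
        raise ValueError("limit must be positive")
    params = {"queryId": query_id, "limit": str(limit),
              "sortBy": sort_by, "sortOrder": sort_order}
    if cursor:
        params["cursor"] = cursor  # cursor replaces skip once a page has been fetched
    url = server_url.rstrip("/") + EVENTS_PATH.format(api_version=api_version)
    return url, params


def make_api_fetcher(api_token: str, verify_ssl: bool = True) -> Fetcher:
    """Real fetcher built on urllib, mirroring the connector's API Token / Verify SSL settings."""
    ctx = ssl.create_default_context()
    if not verify_ssl:  # only for self-signed test/staging certificates, never in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def fetch(url: str, params: Dict[str, str]) -> dict:
        req = urllib.request.Request(url + "?" + urllib.parse.urlencode(params),
                                     headers={"Authorization": f"ApiToken {api_token}"})  # assumed header format
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)
    return fetch


def iter_events(fetch: Fetcher, server_url: str, api_version: str, query_id: str,
                limit: int = 100, sort_by: str = "createdAt", max_pages: int = 10_000) -> Iterator[dict]:
    """Yield every event of a query by following pagination.nextCursor until it is empty."""
    cursor: Optional[str] = None
    seen = set()
    for _ in range(max_pages):
        url, params = build_request(server_url, api_version, query_id, limit, sort_by, cursor=cursor)
        body = fetch(url, params)
        for event in body.get("data") or []:
            yield event
        cursor = (body.get("pagination") or {}).get("nextCursor")
        if not cursor:
            return  # last page
        if cursor in seen:  # a misbehaving server must not turn the playbook into an infinite loop
            raise RuntimeError(f"server repeated cursor {cursor!r}")
        seen.add(cursor)
    raise RuntimeError(f"gave up after {max_pages} pages")


def collect_all(fetch: Fetcher, server_url: str, api_version: str, query_id: str,
                limit: int = 100) -> List[dict]:
    return list(iter_events(fetch, server_url, api_version, query_id, limit=limit))


def make_fake_fetcher(events: List[dict]) -> Fetcher:
    """Constructed offline stand-in for the server: pages by an integer cursor and honours 'limit'."""
    def fetch(url: str, params: Dict[str, str]) -> dict:
        assert url.endswith("/dv/events")
        start = int(params.get("cursor") or 0)
        end = start + int(params["limit"])
        next_cursor = str(end) if end < len(events) else None
        return {"data": events[start:end],
                "pagination": {"totalItems": len(events), "nextCursor": next_cursor}}
    return fetch


if __name__ == "__main__":
    sample = [{"id": str(i), "eventType": "Process"} for i in range(7)]  # constructed events
    got = collect_all(make_fake_fetcher(sample), "https://s1.example.invalid", "v2.0", "q-123", limit=3)
    print(f"collected {len(got)} events")
```

To run it against a real console, replace `make_fake_fetcher(...)` with `make_api_fetcher(api_token, verify_ssl=True)` and pass the Server URL, API Version and the query ID returned when the deep visibility query was created.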
Parameter | Description |
---|---|
Query ID | ID of a deep visibility query that you want to stop in SentinelOne. When you create a query in SentinelOne you get its QueryID. |
The output contains the following populated JSON schema:
{
"success": ""
}
Parameter | Description |
---|---|
Application ID | ID of the agent application whose network connection you want to retrieve from SentinelOne. |
Site IDs | (Optional) List of comma-separated agent's sites whose application network connection you want to retrieve from SentinelOne. |
Group IDs | (Optional) List of comma-separated agent's groups whose application network connection you want to retrieve from SentinelOne. |
Country Code | (Optional) Country code whose application network connection you want to retrieve from SentinelOne. |
Account IDs | (Optional) List of comma-separated agent's accounts whose network connection you want to retrieve from SentinelOne. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Application ID | ID of the agent application whose forensic details you want to retrieve from SentinelOne. |
Site IDs | (Optional) List of comma-separated agent's sites whose application forensic details you want to retrieve from SentinelOne. |
Group IDs | (Optional) List of comma-separated agent's groups whose application forensic details you want to retrieve from SentinelOne. |
Account IDs | (Optional) List of comma-separated agent's accounts whose application forensic details you want to retrieve from SentinelOne. |
The output contains the following populated JSON schema:
{
"success": "",
"result": {
"fetch_story_error_at": "",
"seen_on_network": "",
"graph": "",
"process_display_name": "",
"summary_overview": {
"network": {
"connections": "",
"dns": ""
},
"file": {
"write": "",
"create": "",
"delete": ""
},
"registry": {
"security": "",
"persistence": "",
"stealth": ""
}
},
"summary": "",
"application_id": "",
"agent": "",
"process_created_at": "",
"category_scores": "",
"application_duration": "",
"last_event_seen_at": "",
"application_created": "",
"raw_data": "",
"fetch_story_status": "",
"fetch_story_sent_at": "",
"process": {
"username": "",
"executable_file_id": "",
"created_date": "",
"is_primary": "",
"bundle_id": "",
"display_name": "",
"is_root": "",
"pid": "",
"object_id": ""
},
"file": {
"content_hash": "",
"is_system": "",
"created_date": "",
"size": "",
"display_name": "",
"permission": "",
"path": "",
"object_id": ""
}
}
}
Parameter | Description |
---|---|
Application ID | ID of the agent application whose forensic application you want to export in the CSV/JSON format from SentinelOne. |
Export Format | Format in which you want to export the forensic application. You can choose between the following formats: CSV or JSON. |
Site IDs | (Optional) List of comma-separated agent's sites whose forensic application you want to export from SentinelOne. |
Group IDs | (Optional) List of comma-separated agent's groups whose forensic application you want to export from SentinelOne. |
Account IDs | (Optional) List of comma-separated agent's accounts whose forensic application you want to export from SentinelOne. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Threat ID | ID of the threat whose "seen on network data" you want to retrieve from SentinelOne. |
Site IDs | (Optional) List of comma-separated agent's sites whose "seen on network data" you want to retrieve from SentinelOne. |
Group IDs | (Optional) List of comma-separated agent's groups whose "seen on network data" you want to retrieve from SentinelOne. |
Account IDs | (Optional) List of comma-separated agent's accounts whose "seen on network data" you want to retrieve from SentinelOne. |
The output contains the following populated JSON schema:
{
"agent_version": "",
"description": "",
"created_date": "",
"meta_data": {
"updated_at": "",
"created_at": ""
},
"id": "",
"malicious_group_id": "",
"resolved": "",
"status": "",
"from_cloud": "",
"agent": ""
}
Parameter | Description |
---|---|
Threat ID | ID of the threat whose network connection you want to retrieve from SentinelOne. |
Site IDs | (Optional) List of comma-separated agent's sites whose network connection you want to retrieve from SentinelOne. |
Group IDs | (Optional) List of comma-separated agent's groups whose network connection you want to retrieve from SentinelOne. |
Country Code | (Optional) Country code whose network connection you want to retrieve from SentinelOne. |
Account IDs | (Optional) List of comma-separated agent's accounts whose network connection you want to retrieve from SentinelOne. |
The output contains the following populated JSON schema:
{
"message": ""
}
Parameter | Description |
---|---|
Threat ID | ID of the threat whose forensic details you want to retrieve from SentinelOne. |
The output contains the following populated JSON schema:
{
"result": {
"policy_id": "",
"agent_version": "",
"occurred_at": "",
"graph": {
"edges_summary": [],
"node_sets": {}
},
"file_hash": "",
"file_display_name": "",
"file_created_at": "",
"agent": "",
"category_scores": [],
"publisher": "",
"raw_data": {
"edges": [],
"nodes": {
"6ADE07922117100C": {
"agent_version": "",
"in_threat": "",
"malicious_content": "",
"agent_uuid": "",
"meta_data": {
"updated_at": "",
"count": "",
"created_at": ""
},
"has_reputation": "",
"group_id": "",
"event_type": "",
"object_id": "",
"data": {
"path": "",
"is_system": "",
"created_date": "",
"is_executable": "",
"verification_type": "",
"extension_type": "",
"size": "",
"object_id": "",
"content_hash": "",
"permission": ""
}
}
}
},
"indicators": [],
"cert_id": "",
"is_cert_valid": ""
}
}
Parameter | Description |
---|---|
Threat ID | ID of the threat whose threats along with its associated events you want to export in the CSV, JSON, or RAW format from SentinelOne. |
Export Format | Format in which you want to export the threat data. You can choose between the following formats: CSV, RAW, or JSON. |
The output contains the following populated JSON schema:
{
"threat_details": {
"description": "",
"id": "",
"created_at": "",
"agent": ""
},
"events": [],
"agent_details": {
"external_ip": "",
"registered_at": "",
"agent_version_current": "",
"computer_name": "",
"last_active_date": "",
"agent_version_at_threat_time": "",
"group_ip": "",
"domain": "",
"cpu": "",
"os": ""
},
"file_details": {
"size": "",
"created_at": "",
"id": "",
"display_name": "",
"permission": "",
"content_hash": ""
},
"reputation": {
"rank": ""
}
}
Parameter | Description |
---|---|
Application ID | ID of the agent application whose forensic data you want to retrieve from SentinelOne. |
Site IDs | (Optional) List of comma-separated agent's sites whose application forensic data you want to retrieve from SentinelOne. |
Group IDs | (Optional) List of comma-separated agent's groups whose application forensic data you want to retrieve from SentinelOne. |
Account IDs | (Optional) List of comma-separated agent's accounts whose application forensic data you want to retrieve from SentinelOne. |
The output contains the following populated JSON schema:
{
"success": "",
"result": {
"process_created_at": "",
"seen_on_network": "",
"process": {
"username": "",
"executable_file_id": "",
"created_date": "",
"is_primary": "",
"bundle_id": "",
"display_name": "",
"is_root": "",
"pid": "",
"object_id": ""
},
"file": {
"content_hash": "",
"is_system": "",
"created_date": "",
"size": "",
"display_name": "",
"permission": "",
"path": "",
"object_id": ""
},
"process_display_name": "",
"fetch_story_status": "",
"agent": "",
"malicious_process_arguments": "",
"application_id": "",
"application_created": ""
}
}
Parameter | Description |
---|---|
Threat ID | ID of the threat for which you want to retrieve the forensic data. |
Site IDs | (Optional) List of comma-separated agent's sites whose threat data you want to retrieve from SentinelOne. |
Group IDs | (Optional) List of comma-separated agent's groups whose threat data you want to retrieve from SentinelOne. |
Account IDs | (Optional) List of comma-separated agent's accounts whose threat data you want to retrieve from SentinelOne. |
The output contains the following populated JSON schema:
{
"result": {
"seen_on_network": "",
"occurred_at": "",
"file_display_name": "",
"marked_as_benign": "",
"classifier_name": "",
"mitigation_status": "",
"file_created_at": "",
"file_path": "",
"classification_source": "",
"classification": "",
"mitigation_report": {
"quarantine": {
"status": ""
},
"rollback": {
"status": ""
},
"remediate": {
"status": ""
},
"network_quarantine": {
"status": ""
},
"kill": {
"status": ""
}
},
"threat_id": "",
"whitening_options": [],
"threat_created": "",
"malicious_group_id": "",
"in_quarantine": "",
"file_content_hash": "",
"file_hash": "",
"malicious_process_arguments": "",
"annotation_url": "",
"agent": "",
"from_scan": "",
"annotation": "",
"file_description": "",
"resolved": "",
"mitigation_actions": []
}
}
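A playbook typically consumes this threat forensic output to decide what to do next: close the alert if the threat is benign, mark it resolved if every mitigation action completed, or isolate the agent when kill or quarantine did not complete. The following is an added example (not connector code) of that decision logic over the documented fields `marked_as_benign`, `resolved`, `in_quarantine` and `mitigation_report.<action>.status`. The status value `"success"`, the set of required actions, the sample results, and the follow-up action names are assumptions.

```python
"""Triage the threat forensic output of the SentinelOne connector for a playbook decision.

Added example for this page, not FortiSOAR connector code. The fields read
(mitigation_report.<action>.status, in_quarantine, marked_as_benign, resolved)
come from the documented output schema; the status value "success", the
required-action set and the next_action names are assumptions.
"""
from typing import Dict, List

SUCCESS_STATUS = "success"  # assumed value reported for a completed mitigation action
# Actions that must have completed before the playbook treats the threat as contained.
REQUIRED_ACTIONS = ("kill", "quarantine")
OPTIONAL_ACTIONS = ("remediate", "rollback", "network_quarantine")


def action_status(result: dict, action: str) -> str:
    """Status of one mitigation action, or 'missing' when the report lacks it entirely."""
    report = result.get("mitigation_report") or {}
    return str((report.get(action) or {}).get("status") or "missing")


def mitigation_gaps(result: dict) -> List[str]:
    """Required actions whose status is anything other than success (including missing)."""
    return [f"{a}={action_status(result, a)}" for a in REQUIRED_ACTIONS
            if action_status(result, a) != SUCCESS_STATUS]


def triage(result: dict) -> Dict[str, object]:
    """Return a verdict plus the next action a playbook should take for this threat."""
    base = {
        "threat_id": result.get("threat_id"),
        "file_hash": result.get("file_hash"),
        "file_path": result.get("file_path"),
        "classification": result.get("classification"),
        "optional": {a: action_status(result, a) for a in OPTIONAL_ACTIONS},
    }
    if result.get("marked_as_benign"):
        return {**base, "verdict": "benign", "next_action": "close_alert", "gaps": []}
    gaps = mitigation_gaps(result)
    if gaps:
        # Kill/quarantine did not complete: take the endpoint off the network and escalate.
        return {**base, "verdict": "unmitigated", "next_action": "disconnect_agent", "gaps": gaps}
    next_action = "close_alert" if result.get("resolved") else "mark_resolved"
    return {**base, "verdict": "mitigated", "next_action": next_action, "gaps": []}


def triage_batch(results: List[dict]) -> Dict[str, List[str]]:
    """Group threat IDs by the next action so a playbook can branch once per action."""
    grouped: Dict[str, List[str]] = {}
    for r in results:
        t = triage(r)
        grouped.setdefault(str(t["next_action"]), []).append(str(t["threat_id"]))
    return {k: sorted(v) for k, v in grouped.items()}


# Constructed sample results in the shape of the documented output's "result" object.
SAMPLE_RESULTS = [
    {"threat_id": "t1", "file_hash": "a" * 40, "in_quarantine": True, "resolved": False,
     "marked_as_benign": False,
     "mitigation_report": {"kill": {"status": "success"}, "quarantine": {"status": "success"},
                           "remediate": {"status": "success"}, "rollback": {"status": "not_applicable"},
                           "network_quarantine": {"status": "not_applicable"}}},
    {"threat_id": "t2", "file_hash": "b" * 40, "in_quarantine": False, "resolved": False,
     "marked_as_benign": False,
     "mitigation_report": {"kill": {"status": "failed"}, "quarantine": {"status": "success"}}},
    {"threat_id": "t3"},  # agent returned no mitigation report at all
    {"threat_id": "t4", "marked_as_benign": True, "resolved": True, "mitigation_report": {}},
]

if __name__ == "__main__":
    for r in SAMPLE_RESULTS:
        t = triage(r)
        print(t["threat_id"], t["verdict"], t["next_action"], t["gaps"])
    print(triage_batch(SAMPLE_RESULTS))
```

A missing or malformed `mitigation_report` is treated as a gap rather than as success, so an agent that never reported back is escalated instead of silently closed.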
None.
The output contains the following populated JSON schema:
{
"title": "",
"key": "",
"autoComplete": ""
}
Parameter | Description |
---|---|
Get Count By | Filter based on which you want to retrieve the application count from SentinelOne. You can choose between Risk Levels or Filters. By default, this is set as Risk Level. |
Site IDs | (Optional) List of comma-separated agent's sites whose application count you want to retrieve from SentinelOne. |
Group IDs | (Optional) List of comma-separated agent's groups whose application count you want to retrieve from SentinelOne. |
Account IDs | (Optional) List of comma-separated agent's accounts whose application count you want to retrieve from SentinelOne. |
Agent Machine Types | (Optional) Type of agent machine whose application count you want to retrieve from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server. |
Application IDs | (Optional) List of comma-separated application IDs whose application count you want to retrieve, per filter value, from SentinelOne. |
Application Types | (Optional) Type of application whose application count you want to retrieve from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension. |
Is Decommissioned | Select this checkbox if the status of the agent whose application count you want to retrieve from SentinelOne is set as "Decommissioned". |
Risk Levels | (Optional) Level of risks whose application count you want to retrieve from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical. |
OS Types | (Optional) Type of OS whose application count you want to retrieve from SentinelOne. You can choose between the following OS types: Macos, Windows_Legacy, Linux, or Windows. |
Extra Parameters | (Optional) Additional request parameters in the JSON format. |
The output contains the following populated JSON schema:
{
"title": "",
"key": "",
"values": [
{
"count": "",
"title": "",
"value": ""
}
]
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Limit Records | Maximum number of results, per page, that this operation should return. |
Skip Count | Select this option to skip calculating the total number of results, which speeds up execution. |
Sort Order | Sorting order of the results, choose between Ascending or Descending. |
Sort By | Name of the field on which you want to sort the result. You can choose between the following fields: ID, PublishedAt, AgentID, or ApplicationID. |
Internal CVE IDs | List of comma-separated internal CVE IDs on which you want to filter the CVEs retrieved using this operation from SentinelOne. |
Global CVE IDs | List of comma-separated global CVE IDs on which you want to filter the CVEs retrieved using this operation from SentinelOne. |
Count Only | Select this option to only retrieve the total number of items, without any of the actual objects, from SentinelOne. |
Extra Parameters | Additional request parameters in the JSON format. |
The output contains the following populated JSON schema:
{
"data": {
"publishedAt": "",
"link": "",
"id": "",
"score": "",
"riskLevel": "",
"updatedAt": "",
"cveId": "",
"createdAt": "",
"description": ""
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Site IDs | List of comma-separated agent's site IDs to export application risks from SentinelOne. |
Group IDs | List of comma-separated agent's group IDs to export application risks from SentinelOne. |
Account IDs | List of comma-separated agent's account IDs to export application risks from SentinelOne. |
Size Between | Size range, in bytes, of the applications whose risks you want to export. You can specify a range from 1024 to 104856. |
Agent Machine Types | Type of agent machine whose application risks you want to export from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server. |
Application IDs | ID of the agent application whose installed applications and CVEs list you want to export from SentinelOne. |
Application Types | Type of application whose application risks you want to export from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension. |
Is Decommissioned | Select this checkbox if the status of the agent whose application risks you want to export from SentinelOne is set as "Decommissioned". |
Risk Levels | Level of risks whose application risks you want to export from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical. |
OS Types | Type of OS whose application risks you want to export from SentinelOne. You can choose between the following os types: Macos, Windows Legacy, Linux, or Windows. |
Extra Parameters | Additional request parameters in the JSON format. |
No output schema is available at this time.
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Limit Records | Maximum number of results, per page, that this operation should return. |
Skip Count | Select this option to skip calculating the total number of results, which speeds up execution. |
Sort Order | Sorting order of the results, choose between Ascending or Descending. |
Agent Machine Types | Type of endpoint machine whose applications you want to retrieve from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server. |
Application IDs | ID of the agent application whose installed applications you want to retrieve from SentinelOne. |
Is Decommissioned | Select this checkbox if the status of the agent whose applications you want to retrieve from SentinelOne is set as "Decommissioned". |
Application Types | Type of application whose applications you want to retrieve from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension. |
Risk Levels | Level of risks whose applications you want to retrieve from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical. |
Sort By | Name of the field on which you want to sort the result. You can choose between the following fields: ID, InstallAt, Type, Name, Publisher, Version, Size, AgentComputerName, or Risklevel. |
Count Only | Select this option to only retrieve the total number of items, without any of the actual objects, from SentinelOne. |
OS Types | Type of OS whose applications you want to retrieve from SentinelOne. You can choose between the following os types: Macos, Windows Legacy, Linux, or Windows. |
Extra Parameters | Additional request parameters in the JSON format. |
The output contains the following populated JSON schema:
{
"agentInfected": "",
"agentNetworkStatus": "",
"installedAt": "",
"signed": "",
"size": "",
"type": "",
"updatedAt": "",
"agentComputerName": "",
"name": "",
"agentOsType": "",
"version": "",
"publisher": "",
"agentMachineType": "",
"id": "",
"agentVersion": "",
"osType": "",
"createdAt": "",
"agentDomain": "",
"agentId": "",
"agentIsDecommissioned": "",
"riskLevel": "",
"agentUuid": "",
"agentIsActive": ""
}
Parameter | Description |
---|---|
Application ID | ID of the agent application whose application CVEs you want to retrieve from SentinelOne. |
The output contains the following populated JSON schema:
{
"agentInfected": "",
"agentNetworkStatus": "",
"installedAt": "",
"signed": "",
"size": "",
"type": "",
"updatedAt": "",
"agentComputerName": "",
"name": "",
"agentOsType": "",
"version": "",
"publisher": "",
"agentMachineType": "",
"id": "",
"agentVersion": "",
"osType": "",
"createdAt": "",
"cves": [],
"agentDomain": "",
"agentId": "",
"agentIsDecommissioned": "",
"riskLevel": "",
"agentUuid": "",
"agentIsActive": ""
}
The Sample - SentinelOne - 3.0.0 playbook collection comes bundled with the SentinelOne connector. This playbook collection contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the SentinelOne connector.
This generally occurs in the case of self-signed SSL certificates. If you are using self-signed certificates for testing or staging, keep in mind that this problem will not occur in production with certificates issued by a trusted CA, so you might need to switch the Verify SSL option off for testing and back on for production.
Resolution:
Ensure that the SSL certificates are trusted, or that SSL checking is turned off in the wrapper script (the Verify SSL configuration parameter). Turning SSL checking off is not advised for production instances.
There are many reasons for a playbook failure, for example, if a required field is null in the target module record, or there are problems with the Playbook Appliance keys.
Resolution:
Investigate the reason for failure using the Running Playbooks tab in the Playbook Administration page. Review the step in which the failure is being generated and the result of the step, which should contain the trace of the error. Once you have identified the error and if you cannot troubleshoot the error, contact CyberSponse support for further assistance.