
SentinelOne v3.1.0


About the connector

SentinelOne is a cybersecurity platform. SentinelOne unifies prevention, detection, and response in a single platform, enabling organizations to protect their user endpoint devices and critical servers against advanced malware, exploits, and other types of sophisticated threats.

This document provides information about the SentinelOne connector, which facilitates automated interactions with a SentinelOne server using FortiSOAR™ playbooks. Add the SentinelOne connector as a step in FortiSOAR™ playbooks and perform automated operations, such as detecting threats at the endpoints, isolating or shutting down agents, etc.

You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling threats from SentinelOne. For more information, see the Data Ingestion Support section.

Version information

Connector Version: 3.1.0

FortiSOAR™ Version Tested on: 7.2.1-1021

SentinelOne API Versions Tested on: v2.0.0-EA#115, v2.1

Authored By: Fortinet

Certified: Yes

Release Notes for version 3.1.0

The following enhancements have been made to the SentinelOne connector in version 3.1.0:

  • Added the ability to configure data ingestion (using the Data Ingestion Wizard). The Data Ingestion Wizard also supports multiple configurations specified on the Configurations tab of the SentinelOne connector, ensuring respective global variables based on the selected configuration are used while ingesting data.
  • Added support for both the 2.0 and 2.1 versions of the SentinelOne V2 API.
  • Added input parameters for the following operations:
    • Get Agents
    • Get Agent Passphrase
    • List All Threats
    • Get CVEs
  • The following deprecated operations, in both the v2.0 and v2.1 of the SentinelOne API, are removed from the connector:
    • Get Application Network Connections
    • Get Application Forensic Details
    • Get Application Forensics
    • Export Forensics Application
    • Get Threat Network Connections
  • The following operations have been deprecated in v2.1 of the SentinelOne API; however, they are still supported in v2.0 of the SentinelOne API and have therefore been retained in this version of the connector:
    • Threat Forensic Details
    • Get Threat Forensics
    • Export Threat
    • Get Threat Seen on Network

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-sentinelone

Prerequisites to configuring the connector

  • You must have the URL of the SentinelOne REST endpoint to which you will connect and perform the automated operations and the API Token used to access that SentinelOne REST endpoint.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the SentinelOne REST endpoint.

Minimum Permissions Required

  • Not Applicable

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the SentinelOne connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

  • Server URL: Specify the URL of the SentinelOne REST endpoint to which you will connect and perform the automated operations.
  • API Token: Specify the API token that is required to access the SentinelOne REST endpoint. Important: The minimum role required for the user to use the API endpoint is "Site Viewer".
  • API Version: Specify the version of the API that you are using to access the SentinelOne REST endpoint.
  • Verify SSL: Verify the SSL connection to the SentinelOne API endpoint. By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations:

Each entry lists the function, its description, and its annotation and category.

  • Get Agents: Retrieves a list of agents attached to an account from SentinelOne based on the input parameters you have specified. (Annotation: list_agents; Category: Investigation)
  • Agent Action: Performs the action that you want on an agent in SentinelOne based on the action, agent IDs, and other input parameters you have specified. (Annotation: isolate_agent; Category: Containment)
  • Reconnect Agent: Reconnects a disconnected agent to the network in SentinelOne based on the input parameters you have specified. (Annotation: reconnect_agent; Category: Remediation)
  • Get Agent Passphrase: Retrieves an agent's passphrase to uninstall an offline agent in SentinelOne based on the agent ID you have specified. (Annotation: agent_passphrase; Category: Miscellaneous)
  • Get Agent Application: Retrieves a list of applications installed on an agent in SentinelOne based on the agent ID you have specified. (Annotation: list_applications; Category: Investigation)
  • Get Agent Process: Retrieves a list of processes running on an agent in SentinelOne based on the agent ID you have specified. (Annotation: list_processes; Category: Investigation)
  • Broadcast Message to Agent: Broadcasts a message to a specified agent system or a list of agent systems in SentinelOne based on the agent ID, message, and other input parameters you have specified. (Annotation: broadcast_message; Category: Miscellaneous)
  • Initiate Agent Scan: Initiates scanning on a specified agent system or all agents in SentinelOne based on the input parameters you have specified. (Annotation: scan_agent; Category: Investigation)
  • Abort Agent Scan: Aborts scanning on a specified agent system or all agents in SentinelOne based on the input parameters you have specified. (Annotation: abort_scan; Category: Investigation)
  • Get Hash Details: Retrieves the details for a specified hash from SentinelOne based on the Hash ID you have specified. (Annotation: hash_details; Category: Investigation)
  • Get Threat Details: Retrieves the details for a specified threat from SentinelOne based on the threat ID you have specified. (Annotation: threat_details; Category: Investigation)
  • Mitigate Threat: Mitigates identified threats in the SentinelOne system based on the threat ID, action, and other input parameters you have specified. (Annotation: mitigate_threats; Category: Remediation)
  • Mark Threat as Benign: Marks an identified threat as safe in SentinelOne based on the threat ID, target scope, and other input parameters you have specified. (Annotation: mark_threat_as_benign; Category: Remediation)
  • Fetch Agents Logs: Retrieves logs from the agent's system to the SentinelOne cloud based on the input parameters you have specified. (Annotation: fetch_logs; Category: Investigation)
  • Get Agent Count: Retrieves the count of agents in SentinelOne filtered by the input parameters you have specified. (Annotation: agent_count; Category: Miscellaneous)
  • List All Threats: Lists all threats identified by SentinelOne on agents. You can additionally filter the results by specifying the agent ID or the threat name. (Annotation: list_threats; Category: Investigation)
  • Fetch Threats: Lists all threats or specific threats identified by SentinelOne on agents filtered by the input parameters you have specified. (Annotation: fetch_threats; Category: Investigation)
  • Create Query And Get Query ID: Starts a deep visibility query and retrieves the query ID from SentinelOne based on the query, date range, and other input parameters you have specified. (Annotation: create_query; Category: Investigation)
  • Get Query Status: Retrieves the status of the deep visibility query from SentinelOne based on the query ID you have specified. (Annotation: get_query_status; Category: Investigation)
  • Get Events: Retrieves the deep visibility events associated with a query from SentinelOne based on the query ID and other input parameters you have specified. (Annotation: get_events; Category: Investigation)
  • Get Events By Type: Retrieves the deep visibility events associated with a query from SentinelOne based on the query ID, event type, and other input parameters you have specified. (Annotation: get_events_by_type; Category: Investigation)
  • Cancel Running Query: Stops a deep visibility query that is running on SentinelOne based on the query ID you have specified. (Annotation: cancel_running_query; Category: Investigation)
  • Get Threat Seen on Network: Retrieves "seen on network" details for a specific threat in SentinelOne based on the threat ID and other input parameters you have specified. (Annotation: threat_seen_on_network; Category: Investigation)
  • Threat Forensic Details: Retrieves detailed forensics data for a specific threat on SentinelOne based on the threat ID you have specified. (Annotation: threat_forensic_details; Category: Investigation)
  • Export Threat: Exports threats along with their associated threats, in CSV or JSON format, for a specific threat on SentinelOne based on the threat ID and export format you have specified. (Annotation: export_forensics_threat; Category: Investigation)
  • Get Threat Forensics: Retrieves forensics data for a specific threat on SentinelOne based on the threat ID and export format you have specified. (Annotation: threat_forensics; Category: Investigation)
  • Free Text: Retrieves a metadata list of all the available free-text filters in SentinelOne. (Annotation: free_text_filters; Category: Investigation)
  • Get Application Count: Retrieves the count of applications from SentinelOne, grouped by risk level or filtered by the input parameters you have specified. (Annotation: get_application_count; Category: Investigation)
  • Get CVEs: Retrieves all known CVEs for applications from SentinelOne based on the input parameters you have specified. Note: This is available for the complete SKU only. (Annotation: get_cve; Category: Investigation)
  • Export Applications Risk: Exports the installed applications and CVE list from SentinelOne based on the input parameters you have specified. This operation also creates an 'Attachment' record in FortiSOAR. (Annotation: export_applications_risk; Category: Investigation)
  • Get Applications: Retrieves a list of all installed applications per endpoint, including risk levels, from SentinelOne based on the input parameters you have specified. Note: This is available for the complete SKU only. (Annotation: get_applications; Category: Investigation)
  • Get Application CVEs: Retrieves all known CVEs for a specific application, along with application and endpoint information, from SentinelOne based on the application ID you have specified. Note: This is available for the complete SKU only. (Annotation: get_application_cve; Category: Investigation)

operation: Get Agents

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

  • Agent IDs: List of comma-separated agent IDs that you want to retrieve from SentinelOne.
  • Is Active: Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Active".
  • Is Infected: Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Infected".
  • Is Decommissioned: Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Decommissioned".
  • Computer Name Like: Retrieve only those agents that match the specified name from SentinelOne.
  • Agent Memory Less Than (MB): Retrieve only those agents whose memory size is less than the given input from SentinelOne.
  • Agent Memory Greater Than (MB): Retrieve only those agents whose memory size is greater than the given input from SentinelOne.
  • Agent Core Count Less Than: Retrieve only those agents whose core count is less than the given input from SentinelOne.
  • Agent Core Count Greater Than: Retrieve only those agents whose core count is greater than the given input from SentinelOne.
  • Agent Version: The version of the agent that you want to retrieve from SentinelOne.
  • Network Status: Select the network status of the agent that you want to retrieve from SentinelOne. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.
  • Limit Records: The maximum number of results, per page, that this operation should return.
  • Offset: Skips the specified number of results (0-1000) from the total results.
  • Cursor: The 'Cursor' parameter is used only if a previous operation returned a partial result. If a previous response contains a cursor element, then the value of that element is a cursor that specifies the starting point for subsequent calls. This parameter is useful when the response is paginated.
  • Additional Fields: Additional fields, in JSON format, based on which you want to retrieve agents from SentinelOne.
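The Limit Records and Cursor parameters above describe cursor-based pagination: each response carries a pagination.nextCursor value that is passed back as the Cursor of the next call until it comes back empty. The following added example (not code from the FortiSOAR connector or from SentinelOne) walks the agent list that way, translating a few connector-style inputs into query parameters and guarding against a server that re-sends a page or returns the same cursor twice. It assumes the endpoint path /web/api/v2.1/agents, the Authorization: ApiToken header, and the query parameter names ids, computerName__like, isActive, limit and cursor, none of which appear in this document; the response shape ("data" plus "pagination.nextCursor" and "pagination.totalItems") is the one shown in the Get Agents output schema. The sample pages are constructed so the example runs offline.

```python
"""Page through the SentinelOne agent list with cursor-based pagination.

Added example, not code from the FortiSOAR connector or from SentinelOne.
Assumptions not taken from the connector document: the endpoint path
/web/api/v2.1/agents, the 'Authorization: ApiToken <token>' header and the
query parameter names ids, computerName__like, isActive, limit and cursor.
The response shape {"data": [...], "pagination": {"nextCursor": ..,
"totalItems": ..}} is the one shown in the connector's output schema.
"""
import json
import ssl
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse


def build_agent_query(agent_ids: Optional[List[str]] = None,
                      computer_name_like: Optional[str] = None,
                      is_active: Optional[bool] = None,
                      limit: int = 100,
                      cursor: Optional[str] = None) -> Dict[str, str]:
    """Translate connector-style inputs into API query parameters (names assumed)."""
    params: Dict[str, str] = {"limit": str(limit)}
    if agent_ids:
        ids = [a.strip() for a in agent_ids if a.strip()]
        if ids:
            params["ids"] = ",".join(ids)
    if computer_name_like:
        params["computerName__like"] = computer_name_like
    if is_active is not None:
        params["isActive"] = "true" if is_active else "false"
    if cursor:
        params["cursor"] = cursor
    return params


def http_fetch(api_token: str, verify_ssl: bool = True) -> Callable[[str], str]:
    """Return a fetcher that GETs a URL with the API token (header name assumed)."""
    ctx = ssl.create_default_context()
    if not verify_ssl:  # mirrors the connector's 'Verify SSL' configuration switch
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def fetch(url: str) -> str:
        req = urllib.request.Request(url, headers={"Authorization": f"ApiToken {api_token}"})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.read().decode("utf-8")
    return fetch


def iter_agents(fetch: Callable[[str], str], server_url: str, **filters) -> Iterator[dict]:
    """Yield agent records, following pagination.nextCursor until it is empty."""
    cursor: Optional[str] = None
    seen = set()
    while True:
        params = build_agent_query(cursor=cursor, **filters)
        url = f"{server_url.rstrip('/')}/web/api/v2.1/agents?{urlencode(params)}"
        body = json.loads(fetch(url))
        for agent in body.get("data", []):
            if agent["id"] in seen:  # tolerate a page re-sent by the server
                continue
            seen.add(agent["id"])
            yield agent
        next_cursor = body.get("pagination", {}).get("nextCursor")
        if not next_cursor or next_cursor == cursor:  # exhausted, or a stuck cursor
            return
        cursor = next_cursor


# Constructed sample responses: three agents spread over two pages.
SAMPLE_PAGES = {
    None: {"data": [{"id": "a1", "computerName": "WS-01", "isActive": True},
                    {"id": "a2", "computerName": "WS-02", "isActive": True}],
           "pagination": {"nextCursor": "page2", "totalItems": 3}},
    "page2": {"data": [{"id": "a3", "computerName": "SRV-01", "isActive": False}],
              "pagination": {"nextCursor": None, "totalItems": 3}},
}


def fake_fetch(url: str) -> str:
    """Offline stand-in for http_fetch that serves the constructed pages."""
    cursor = parse_qs(urlparse(url).query).get("cursor", [None])[0]
    return json.dumps(SAMPLE_PAGES[cursor])


def collect_agent_ids(limit: int = 2) -> List[str]:
    """Run the pager over the constructed pages and return every agent ID seen."""
    return [a["id"] for a in iter_agents(fake_fetch, "https://example.invalid", limit=limit)]


if __name__ == "__main__":
    print(collect_agent_ids())  # ['a1', 'a2', 'a3']
```

Against a live console you would pass `http_fetch(api_token)` in place of `fake_fetch`; the `seen` set and the stuck-cursor check keep a playbook loop from running forever if the server misbehaves, which is the failure mode a cursor-driven ingestion step most needs to survive.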

Output

A customized JSON output that is formatted for easy reference is the output for all the operations.

The output contains the following populated JSON schema:

Output schema when 'API Version' === v2.0
{
"data": [
{
"accountId": "",
"accountName": "",
"activeDirectory": {
"computerDistinguishedName": "",
"computerMemberOf": [],
"lastUserDistinguishedName": "",
"lastUserMemberOf": []
},
"activeThreats": "",
"agentVersion": "",
"allowRemoteShell": "",
"appsVulnerabilityStatus": "",
"computerName": "",
"consoleMigrationStatus": "",
"coreCount": "",
"cpuCount": "",
"cpuId": "",
"createdAt": "",
"domain": "",
"encryptedApplications": "",
"externalId": "",
"externalIp": "",
"groupId": "",
"groupIp": "",
"groupName": "",
"id": "",
"inRemoteShellSession": "",
"infected": "",
"installerType": "",
"isActive": "",
"isDecommissioned": "",
"isPendingUninstall": "",
"isUninstalled": "",
"isUpToDate": "",
"lastActiveDate": "",
"lastIpToMgmt": "",
"lastLoggedInUserName": "",
"licenseKey": "",
"locationType": "",
"locations": [
{
"id": "",
"name": "",
"scope": ""
}
],
"machineType": "",
"mitigationMode": "",
"mitigationModeSuspicious": "",
"modelName": "",
"networkInterfaces": [
{
"id": "",
"inet": [],
"inet6": [],
"name": "",
"physical": ""
}
],
"networkStatus": "",
"osArch": "",
"osName": "",
"osRevision": "",
"osStartTime": "",
"osType": "",
"osUsername": "",
"rangerStatus": "",
"rangerVersion": "",
"registeredAt": "",
"scanAbortedAt": "",
"scanFinishedAt": "",
"scanStartedAt": "",
"scanStatus": "",
"siteId": "",
"siteName": "",
"threatRebootRequired": "",
"totalMemory": "",
"updatedAt": "",
"userActionsNeeded": [],
"uuid": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}

Output schema when 'API Version' === v2.1
{
"data": [
{
"accountId": "",
"accountName": "",
"activeDirectory": {
"computerDistinguishedName": "",
"computerMemberOf": [],
"lastUserDistinguishedName": "",
"lastUserMemberOf": []
},
"activeThreats": "",
"agentVersion": "",
"allowRemoteShell": "",
"appsVulnerabilityStatus": "",
"cloudProviders": {},
"computerName": "",
"consoleMigrationStatus": "",
"coreCount": "",
"cpuCount": "",
"cpuId": "",
"createdAt": "",
"detectionState": "",
"domain": "",
"encryptedApplications": "",
"externalId": "",
"externalIp": "",
"firewallEnabled": "",
"firstFullModeTime": "",
"groupId": "",
"groupIp": "",
"groupName": "",
"id": "",
"inRemoteShellSession": "",
"infected": "",
"installerType": "",
"isActive": "",
"isDecommissioned": "",
"isPendingUninstall": "",
"isUninstalled": "",
"isUpToDate": "",
"lastActiveDate": "",
"lastIpToMgmt": "",
"lastLoggedInUserName": "",
"licenseKey": "",
"locationEnabled": "",
"locationType": "",
"locations": [
{
"id": "",
"name": "",
"scope": ""
}
],
"machineType": "",
"mitigationMode": "",
"mitigationModeSuspicious": "",
"modelName": "",
"networkInterfaces": [
{
"gatewayIp": "",
"gatewayMacAddress": "",
"id": "",
"inet": [],
"inet6": [],
"name": "",
"physical": ""
}
],
"networkQuarantineEnabled": "",
"networkStatus": "",
"operationalState": "",
"operationalStateExpiration": "",
"osArch": "",
"osName": "",
"osRevision": "",
"osStartTime": "",
"osType": "",
"osUsername": "",
"rangerStatus": "",
"rangerVersion": "",
"registeredAt": "",
"remoteProfilingState": "",
"remoteProfilingStateExpiration": "",
"scanAbortedAt": "",
"scanFinishedAt": "",
"scanStartedAt": "",
"scanStatus": "",
"serialNumber": "",
"siteId": "",
"siteName": "",
"storageName": "",
"storageType": "",
"tags": {
"sentinelone": [
{
"assignedAt": "",
"assignedBy": "",
"assignedById": "",
"id": "",
"key": "",
"value": ""
}
]
},
"threatRebootRequired": "",
"totalMemory": "",
"updatedAt": "",
"userActionsNeeded": [],
"uuid": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}

operation: Agent Action

Input parameters

  • Action: Select the action that you want to perform on the specified agent in SentinelOne. You can choose between the following actions: Isolate Agent Network, Decommission Agent, Uninstall Agent, or Shutdown Agent.
  • Agent IDs: List of comma-separated agent IDs on which you want to perform actions in SentinelOne.
  • Group IDs (Optional): List of comma-separated agent group IDs on which you want to perform actions in SentinelOne.
  • Is Decommissioned: Select this checkbox if the status of the agent on which you want to perform actions on SentinelOne is set as "Decommissioned".
  • Is Uninstalled: Select this checkbox if the status of the agent on which you want to perform actions on SentinelOne is set as "Uninstalled".

Output

The output contains the following populated JSON schema:
{
"affected": ""
}

operation: Reconnect Agent

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

  • Agent Memory Less Than (MB): Reconnects only those agents to the network in SentinelOne whose memory size is less than the given input.
  • Agent Memory Greater Than (MB): Reconnects only those agents to the network in SentinelOne whose memory size is greater than the given input.
  • Agent Core Count Less Than: Reconnects only those agents to the network in SentinelOne whose core count is less than the given input.
  • Agent Core Count Greater Than: Reconnects only those agents to the network in SentinelOne whose core count is greater than the given input.
  • Is Active: Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Active".
  • Is Infected: Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Infected".
  • Is Decommissioned: Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Decommissioned".
  • Agent IDs: List of comma-separated agent IDs that you want to reconnect to the SentinelOne network.
  • Computer Name Like: Reconnects only those agents to the network in SentinelOne that match the specified computer name.
  • Agent Version: The version of the agent that you want to reconnect to the SentinelOne network.
  • OS Type: Select the OS type of the agent that you want to reconnect to the SentinelOne network. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
  • Network Status: Select the network status of the agent that you want to reconnect to the SentinelOne network. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON contains a success message for the agents reconnected to the network.

The output contains the following populated JSON schema:
{
"affected": ""
}

operation: Get Agent Passphrase

Input parameters

  • Agent ID: The ID of the agent whose passphrase you want to retrieve from SentinelOne. This passphrase can be used to delete an offline agent from SentinelOne.
  • Cursor (Optional): The 'Cursor' parameter is used only if a previous operation returned a partial result. If a previous response contains a cursor element, then the value of that element is a cursor that specifies the starting point for subsequent calls. This parameter is useful when the response is paginated.
  • Additional Fields (Optional): Additional fields, in JSON format, based on which you want to filter the results retrieved from SentinelOne.

Output

The JSON contains a string output with the passphrase that can be used to delete an offline agent.

The output contains the following populated JSON schema:
{
"data": [
{
"computerName": "",
"domain": "",
"id": "",
"lastLoggedInUserName": "",
"passphrase": "",
"uuid": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}

operation: Get Agent Application

Input parameters

  • Agent ID: The ID of the agent whose list of installed applications you want to retrieve from SentinelOne.

Output

The JSON contains a list of application objects including information such as name, installation date, etc., about the applications installed on the specified agent.

The output contains the following populated JSON schema:
[
{
"name": "",
"size": "",
"version": "",
"publisher": "",
"installedDate": ""
}
]

operation: Get Agent Process

Input parameters

  • Agent ID: The ID of the agent whose list of running processes you want to retrieve from SentinelOne.

Output

The JSON contains a list of running processes along with the process details for the specified agent.

The output contains the following populated JSON schema:
[
{
"cpuUsage": "",
"memoryUsage": "",
"pid": "",
"executablePath": "",
"startTime": "",
"processName": ""
}
]

operation: Broadcast Message to Agent

Input parameters

  • Message: The message that you want to broadcast to an agent or a list of agents in SentinelOne.
  • Agent IDs: List of comma-separated agent IDs in SentinelOne to which you want to broadcast the specified message.
  • Agent Memory Less Than (MB) (Optional): Broadcast the message to only those agents whose memory size is less than the given input from SentinelOne.
  • Agent Memory Greater Than (MB) (Optional): Broadcast the message to only those agents whose memory size is greater than the given input from SentinelOne.
  • Agent Core Count Less Than (Optional): Broadcast the message to only those agents whose core count is less than the given input from SentinelOne.
  • Agent Core Count Greater Than (Optional): Broadcast the message to only those agents whose core count is greater than the given input from SentinelOne.
  • Is Active: Select this checkbox if the status of the agent to which you want to broadcast a message is set as "Active".
  • Is Infected: Select this checkbox if the status of the agent to which you want to broadcast a message is set as "Infected".
  • Is Decommissioned: Select this checkbox if the status of the agent to which you want to broadcast a message is set as "Decommissioned".
  • Computer Name Like (Optional): Broadcast the message to only those agents that match the specified computer name on SentinelOne.
  • Agent Version: The version of the agent to which you want to broadcast the message.
  • OS Type: Select the OS type of the agent in the SentinelOne network to which you want to broadcast the message. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
  • Network Status: Select the network status of the agent in SentinelOne to which you want to broadcast the message. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON output contains the number of agents that are affected by the broadcast operation after the query is successfully run.

The output contains the following populated JSON schema:
{
"affected": ""
}

operation: Initiate Agent Scan

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

  • Agent Memory Less Than (MB): Initiates a scan on only those agents whose memory size is less than the given input from SentinelOne.
  • Agent Memory Greater Than (MB): Initiates a scan on only those agents whose memory size is greater than the given input from SentinelOne.
  • Agent Core Count Less Than: Initiates a scan on only those agents whose core count is less than the given input from SentinelOne.
  • Agent Core Count Greater Than: Initiates a scan on only those agents whose core count is greater than the given input from SentinelOne.
  • Is Active: Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Active".
  • Is Infected: Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Infected".
  • Is Decommissioned: Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Decommissioned".
  • Agent IDs: List of comma-separated agent IDs on which you want to initiate a scan in SentinelOne.
  • Computer Name Like: Initiate the scan only on those agents that match the specified computer name.
  • Agent Version: The version of the agent on which you want to initiate a scan.
  • OS Type: Select the OS type of the agent in SentinelOne on which you want to initiate the scan. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
  • Network Status: Select the network status of the agent in SentinelOne on which you want to initiate the scan. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON output contains the number of agents that are affected by the scan operation after the query is successfully run.

The output contains the following populated JSON schema:
{
"affected": ""
}

operation: Abort Agent Scan

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

  • Agent Memory Less Than (MB): Aborts the scan on only those agents whose memory size is less than the given input from SentinelOne.
  • Agent Memory Greater Than (MB): Aborts the scan on only those agents whose memory size is greater than the given input from SentinelOne.
  • Agent Core Count Less Than: Aborts the scan on only those agents whose core count is less than the given input from SentinelOne.
  • Agent Core Count Greater Than: Aborts the scan on only those agents whose core count is greater than the given input from SentinelOne.
  • Is Active: Select this checkbox if the status of the agent on which you want to abort the scan is set as "Active".
  • Is Infected: Select this checkbox if the status of the agent on which you want to abort the scan is set as "Infected".
  • Is Decommissioned: Select this checkbox if the status of the agent on which you want to abort the scan is set as "Decommissioned".
  • Agent IDs: List of comma-separated agent IDs on which you want to abort the scan in SentinelOne.
  • Computer Name Like: Abort the scan only on those agents that match the specified computer name.
  • Agent Version: The version of the agent on which you want to abort the scan.
  • OS Type: Select the OS type of the agent in SentinelOne on which you want to abort the scan. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
  • Network Status: Select the network status of the agent in SentinelOne on which you want to abort the scan. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON output contains the number of agents that are affected by the abort scan operation after the query is successfully run.

The output contains the following populated JSON schema:
{
"affected": ""
}

operation: Get Hash Details

Input parameters

  • Hash ID: The ID (SHA1 only) of the hash whose details you want to retrieve from SentinelOne.

Output

The JSON contains the details of the specified hash ID.

The output contains the following populated JSON schema:
{
"rank": ""
}

operation: Get Threat Details

Input parameters

  • Threat ID: The ID of the threat whose details you want to retrieve from SentinelOne.

Output

The JSON contains the details of the specified threat ID.

The output contains the following populated JSON schema:

Output schema when 'API Version' === v2.0
{
"accountId": "",
"accountName": "",
"agentComputerName": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIp": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentNetworkStatus": "",
"agentOsType": "",
"agentVersion": "",
"annotation": "",
"automaticallyResolved": "",
"browserType": "",
"certId": "",
"classification": "",
"classificationSource": "",
"classifierName": "",
"cloudVerdict": "",
"collectionId": "",
"commandId": "",
"createdAt": "",
"createdDate": "",
"description": "",
"engines": [],
"external_ticket_id": "",
"fileContentHash": "",
"fileCreatedDate": "",
"fileDisplayName": "",
"fileExtensionType": "",
"fileIsDotNet": "",
"fileIsExecutable": "",
"fileIsSystem": "",
"fileMaliciousContent": "",
"fileObjectId": "",
"filePath": "",
"fileSha256": "",
"fileVerificationType": "",
"fromCloud": "",
"fromScan": "",
"id": "",
"indicators": [],
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"isCertValid": "",
"isInteractiveSession": "",
"isPartialStory": "",
"maliciousGroupId": "",
"maliciousProcessArguments": "",
"markedAsBenign": "",
"mitigationMode": "",
"mitigationReport": {
"kill": {
"status": ""
},
"network_quarantine": {
"status": ""
},
"quarantine": {
"status": ""
},
"remediate": {
"status": ""
},
"rollback": {
"status": ""
},
"unquarantine": {
"status": ""
}
},
"mitigationStatus": "",
"publisher": "",
"rank": "",
"resolved": "",
"siteId": "",
"siteName": "",
"threatAgentVersion": "",
"threatName": "",
"updatedAt": "",
"username": "",
"whiteningOptions": []
}

Output schema when 'API Version' === v2.1
{
"agentDetectionInfo": {
"accountId": "",
"accountName": "",
"agentDetectionState": "",
"agentDomain": "",
"agentIpV4": "",
"agentIpV6": "",
"agentLastLoggedInUpn": "",
"agentLastLoggedInUserMail": "",
"agentLastLoggedInUserName": "",
"agentMitigationMode": "",
"agentOsName": "",
"agentOsRevision": "",
"agentRegisteredAt": "",
"agentUuid": "",
"agentVersion": "",
"cloudProviders": {},
"externalIp": "",
"groupId": "",
"groupName": "",
"siteId": "",
"siteName": ""
},
"agentRealtimeInfo": {
"accountId": "",
"accountName": "",
"activeThreats": "",
"agentComputerName": "",
"agentDecommissionedAt": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentMitigationMode": "",
"agentNetworkStatus": "",
"agentOsName": "",
"agentOsRevision": "",
"agentOsType": "",
"agentUuid": "",
"agentVersion": "",
"groupId": "",
"groupName": "",
"networkInterfaces": [
{
"id": "",
"inet": [],
"inet6": [],
"name": "",
"physical": ""
}
],
"operationalState": "",
"rebootRequired": "",
"scanAbortedAt": "",
"scanFinishedAt": "",
"scanStartedAt": "",
"scanStatus": "",
"siteId": "",
"siteName": "",
"storageName": "",
"storageType": "",
"userActionsNeeded": []
},
"containerInfo": {
"id": "",
"image": "",
"labels": "",
"name": ""
},
"id": "",
"indicators": [
{
"category": "",
"description": "",
"ids": [],
"tactics": []
}
],
"kubernetesInfo": {
"cluster": "",
"controllerKind": "",
"controllerLabels": "",
"controllerName": "",
"namespace": "",
"namespaceLabels": "",
"node": "",
"pod": "",
"podLabels": ""
},
"mitigationStatus": [
{
"action": "",
"actionsCounters": {
"failed": "",
"notFound": "",
"pendingReboot": "",
"success": "",
"total": ""
},
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
},
{
"action": "",
"actionsCounters": "",
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
}
],
"threatInfo": {
"analystVerdict": "",
"analystVerdictDescription": "",
"automaticallyResolved": "",
"browserType": "",
"certificateId": "",
"classification": "",
"classificationSource": "",
"cloudFilesHashVerdict": "",
"collectionId": "",
"confidenceLevel": "",
"createdAt": "",
"detectionEngines": [
{
"key": "",
"title": ""
}
],
"detectionType": "",
"engines": [],
"externalTicketExists": "",
"externalTicketId": "",
"failedActions": "",
"fileExtension": "",
"fileExtensionType": "",
"filePath": "",
"fileSize": "",
"fileVerificationType": "",
"identifiedAt": "",
"incidentStatus": "",
"incidentStatusDescription": "",
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"initiatingUsername": "",
"isFileless": "",
"isValidCertificate": "",
"maliciousProcessArguments": "",
"md5": "",
"mitigatedPreemptively": "",
"mitigationStatus": "",
"mitigationStatusDescription": "",
"originatorProcess": "",
"pendingActions": "",
"processUser": "",
"publisherName": "",
"reachedEventsLimit": "",
"rebootRequired": "",
"sha1": "",
"sha256": "",
"storyline": "",
"threatId": "",
"threatName": "",
"updatedAt": ""
},
"whiteningOptions": []
}

operation: Mitigate Threat

Input parameters

Parameter Description
Action Select the action that you want to perform on the specified threat. You can choose between the following actions: Kill, Quarantine, Un-Quarantine, Remediate, or Rollback-Remediation.
Threat ID The ID of the threat on which you want to take the specified action.
Content Hash (Optional) The Hash ID of the file associated with the threat that requires mitigation.
Threat Name (Optional) Name of the threat that requires mitigation.
Agent ID (Optional) The ID of the agent on which the threat has been identified.
Limit Records (Optional) The maximum number of results, per page, that this operation should return.
From Scan Select this option if the threat was detected as a result of a scan.

Output

The JSON contains a message about the threat being mitigated.

The output contains the following populated JSON schema:
{
"affected": ""
}

operation: Mark Threat as Benign

Input parameters

Parameter Description
Target Scope Scope of the target that you want to mark as safe in SentinelOne.
Threat Id The ID of the threat that you want to mark as safe in SentinelOne.
Content Hash (Optional) The Hash ID of the file associated with the threat that you want to mark as safe in SentinelOne.
Threat Name (Optional) Name of the threat that you want to mark as safe in SentinelOne.
Agent Id (Optional) The ID of the agent on which the threat has been identified.
Limit Records (Optional) The maximum number of results, per page, that this operation should return.
From Scan Select this option if the threat was detected as a result of a scan.

Output

The JSON contains a message about the threat being marked as safe.

The output contains the following populated JSON schema:
{
"affected": ""
}

operation: Fetch Agents Logs

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Agent Memory Less Than (MB) Retrieve logs only for those agents whose memory size is less than the specified value.
Agent Memory Greater Than (MB) Retrieve logs only for those agents whose memory size is greater than the specified value.
Agent Core Count Less Than Retrieve logs only for those agents whose core count is less than the specified value.
Agent Core Count Greater Than Retrieve logs only for those agents whose core count is greater than the specified value.
Is Active Select this checkbox to retrieve logs only for agents whose status in SentinelOne is "Active".
Is Infected Select this checkbox to retrieve logs only for agents whose status in SentinelOne is "Infected".
Is Decommissioned Select this checkbox to retrieve logs only for agents whose status in SentinelOne is "Decommissioned".
Agent IDs Comma-separated list of agent IDs whose logs you want to retrieve from SentinelOne.
Computer Name Like Retrieve logs only for those agents whose computer name matches the specified value.
Agent Version The version of the agent whose logs you want to retrieve from SentinelOne.
OS Type Select the OS type of the agent in SentinelOne whose logs you want to retrieve. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
Network Status Select the network status of the agent in SentinelOne whose logs you want to retrieve. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON output contains the number of agents whose logs are fetched after the query is successfully run.

The output contains the following populated JSON schema:
{
"affected": ""
}

operation: Get Agent Count

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Agent Memory Less Than (MB) Count only those agents whose memory size is less than the specified value.
Agent Memory Greater Than (MB) Count only those agents whose memory size is greater than the specified value.
Agent Core Count Less Than Count only those agents whose core count is less than the specified value.
Agent Core Count Greater Than Count only those agents whose core count is greater than the specified value.
Is Active Select this checkbox to count only agents whose status in SentinelOne is "Active".
Is Infected Select this checkbox to count only agents whose status in SentinelOne is "Infected".
Is Decommissioned Select this checkbox to count only agents whose status in SentinelOne is "Decommissioned".
Agent IDs Comma-separated list of agent IDs whose count you want to retrieve from SentinelOne.
Computer Name Like Count only those agents whose computer name matches the specified value.
Agent Version The version of the agents whose count you want to retrieve from SentinelOne.
OS Type Select the OS type of the agents in SentinelOne whose count you want to retrieve. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
Network Status Select the network status of the agents in SentinelOne whose count you want to retrieve. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON output contains the number of available agents.

The output contains the following populated JSON schema:
{
"total": ""
}

operation: List All Threats

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Agent ID The ID of the agent whose threats you want to list.
Created After Specify the Datetime used to filter the result set so that it includes only those items created after the specified timestamp.
Updated After Specify the Datetime used to filter the result set so that it includes only those items updated after the specified timestamp.
Content Hash The Hash ID of the file associated with the threat.
Threat Name The name of the threat that you want to search for on all agents on SentinelOne.
Limit Records The maximum number of results, per page, that this operation should return.
Offset Skips the specified number of results (0-1000) from the total results.
Cursor Use the 'Cursor' parameter only if a previous call returned a partial result. If a previous response contains a cursor element, its value is the starting point to pass in the subsequent call. This parameter is used to walk through a paginated response.
Additional Fields Additional fields, in the JSON format, based on which you want to retrieve threats from SentinelOne.

Output

The JSON contains the objects of the threats that are found after the query is successfully run.

The output contains the following populated JSON schema:

Output schema when 'API Version' === v2.0
{
"data": [
{
"accountId": "",
"accountName": "",
"agentComputerName": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIp": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentNetworkStatus": "",
"agentOsType": "",
"agentVersion": "",
"annotation": "",
"automaticallyResolved": "",
"browserType": "",
"certId": "",
"classification": "",
"classificationSource": "",
"classifierName": "",
"cloudVerdict": "",
"collectionId": "",
"commandId": "",
"createdAt": "",
"createdDate": "",
"description": "",
"engines": [],
"external_ticket_id": "",
"fileContentHash": "",
"fileCreatedDate": "",
"fileDisplayName": "",
"fileExtensionType": "",
"fileIsDotNet": "",
"fileIsExecutable": "",
"fileIsSystem": "",
"fileMaliciousContent": "",
"fileObjectId": "",
"filePath": "",
"fileSha256": "",
"fileVerificationType": "",
"fromCloud": "",
"fromScan": "",
"id": "",
"indicators": [],
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"isCertValid": "",
"isInteractiveSession": "",
"isPartialStory": "",
"maliciousGroupId": "",
"maliciousProcessArguments": "",
"markedAsBenign": "",
"mitigationMode": "",
"mitigationReport": {
"kill": {
"status": ""
},
"network_quarantine": {
"status": ""
},
"quarantine": {
"status": ""
},
"remediate": {
"status": ""
},
"rollback": {
"status": ""
},
"unquarantine": {
"status": ""
}
},
"mitigationStatus": "",
"publisher": "",
"rank": "",
"resolved": "",
"siteId": "",
"siteName": "",
"threatAgentVersion": "",
"threatName": "",
"updatedAt": "",
"username": "",
"whiteningOptions": []
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}

Output schema when 'API Version' === v2.1
{
"data": [
{
"agentDetectionInfo": {
"accountId": "",
"accountName": "",
"agentDetectionState": "",
"agentDomain": "",
"agentIpV4": "",
"agentIpV6": "",
"agentLastLoggedInUpn": "",
"agentLastLoggedInUserMail": "",
"agentLastLoggedInUserName": "",
"agentMitigationMode": "",
"agentOsName": "",
"agentOsRevision": "",
"agentRegisteredAt": "",
"agentUuid": "",
"agentVersion": "",
"cloudProviders": {},
"externalIp": "",
"groupId": "",
"groupName": "",
"siteId": "",
"siteName": ""
},
"agentRealtimeInfo": {
"accountId": "",
"accountName": "",
"activeThreats": "",
"agentComputerName": "",
"agentDecommissionedAt": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentMitigationMode": "",
"agentNetworkStatus": "",
"agentOsName": "",
"agentOsRevision": "",
"agentOsType": "",
"agentUuid": "",
"agentVersion": "",
"groupId": "",
"groupName": "",
"networkInterfaces": [
{
"id": "",
"inet": [],
"inet6": [],
"name": "",
"physical": ""
}
],
"operationalState": "",
"rebootRequired": "",
"scanAbortedAt": "",
"scanFinishedAt": "",
"scanStartedAt": "",
"scanStatus": "",
"siteId": "",
"siteName": "",
"storageName": "",
"storageType": "",
"userActionsNeeded": []
},
"containerInfo": {
"id": "",
"image": "",
"labels": "",
"name": ""
},
"id": "",
"indicators": [
{
"category": "",
"description": "",
"ids": [],
"tactics": []
}
],
"kubernetesInfo": {
"cluster": "",
"controllerKind": "",
"controllerLabels": "",
"controllerName": "",
"namespace": "",
"namespaceLabels": "",
"node": "",
"pod": "",
"podLabels": ""
},
"mitigationStatus": [
{
"action": "",
"actionsCounters": {
"failed": "",
"notFound": "",
"pendingReboot": "",
"success": "",
"total": ""
},
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
},
{
"action": "",
"actionsCounters": "",
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
}
],
"threatInfo": {
"analystVerdict": "",
"analystVerdictDescription": "",
"automaticallyResolved": "",
"browserType": "",
"certificateId": "",
"classification": "",
"classificationSource": "",
"cloudFilesHashVerdict": "",
"collectionId": "",
"confidenceLevel": "",
"createdAt": "",
"detectionEngines": [
{
"key": "",
"title": ""
}
],
"detectionType": "",
"engines": [],
"externalTicketExists": "",
"externalTicketId": "",
"failedActions": "",
"fileExtension": "",
"fileExtensionType": "",
"filePath": "",
"fileSize": "",
"fileVerificationType": "",
"identifiedAt": "",
"incidentStatus": "r",
"incidentStatusDescription": "",
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"initiatingUsername": "",
"isFileless": "",
"isValidCertificate": "",
"maliciousProcessArguments": "",
"md5": "",
"mitigatedPreemptively": "",
"mitigationStatus": "",
"mitigationStatusDescription": "",
"originatorProcess": "",
"pendingActions": "",
"processUser": "",
"publisherName": "",
"reachedEventsLimit": "",
"rebootRequired": "",
"sha1": "",
"sha256": "",
"storyline": "",
"threatId": "",
"threatName": "",
"updatedAt": ""
},
"whiteningOptions": []
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}

operation: Fetch Threats

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Created After Specify the Datetime used to filter the result set so that it includes only those items created after the specified timestamp.
Updated After Specify the Datetime used to filter the result set so that it includes only those items updated after the specified timestamp.
Query A free-text search term that is matched (as a sub-string) against the applicable attributes in SentinelOne, and that selects the threats to retrieve from SentinelOne.
Additional Fields Additional fields, in the JSON format, based on which you want to retrieve threats from SentinelOne.

Output

The output contains the following populated JSON schema:

Output schema when 'API Version' === v2.0
{
"data": [
{
"accountId": "",
"accountName": "",
"agentComputerName": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIp": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentNetworkStatus": "",
"agentOsType": "",
"agentVersion": "",
"annotation": "",
"automaticallyResolved": "",
"browserType": "",
"certId": "",
"classification": "",
"classificationSource": "",
"classifierName": "",
"cloudVerdict": "",
"collectionId": "",
"commandId": "",
"createdAt": "",
"createdDate": "",
"description": "",
"engines": [],
"external_ticket_id": "",
"fileContentHash": "",
"fileCreatedDate": "",
"fileDisplayName": "",
"fileExtensionType": "",
"fileIsDotNet": "",
"fileIsExecutable": "",
"fileIsSystem": "",
"fileMaliciousContent": "",
"fileObjectId": "",
"filePath": "",
"fileSha256": "",
"fileVerificationType": "",
"fromCloud": "",
"fromScan": "",
"id": "",
"indicators": [],
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"isCertValid": "",
"isInteractiveSession": "",
"isPartialStory": "",
"maliciousGroupId": "",
"maliciousProcessArguments": "",
"markedAsBenign": "",
"mitigationMode": "",
"mitigationReport": {
"kill": {
"status": ""
},
"network_quarantine": {
"status": ""
},
"quarantine": {
"status": ""
},
"remediate": {
"status": ""
},
"rollback": {
"status": ""
},
"unquarantine": {
"status": ""
}
},
"mitigationStatus": "",
"publisher": "",
"rank": "",
"resolved": "",
"siteId": "",
"siteName": "",
"threatAgentVersion": "",
"threatName": "",
"updatedAt": "",
"username": "",
"whiteningOptions": []
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}

Output schema when 'API Version' === v2.1
{
"data": [
{
"agentDetectionInfo": {
"accountId": "",
"accountName": "",
"agentDetectionState": "",
"agentDomain": "",
"agentIpV4": "",
"agentIpV6": "",
"agentLastLoggedInUpn": "",
"agentLastLoggedInUserMail": "",
"agentLastLoggedInUserName": "",
"agentMitigationMode": "",
"agentOsName": "",
"agentOsRevision": "",
"agentRegisteredAt": "",
"agentUuid": "",
"agentVersion": "",
"cloudProviders": {},
"externalIp": "",
"groupId": "",
"groupName": "",
"siteId": "",
"siteName": ""
},
"agentRealtimeInfo": {
"accountId": "",
"accountName": "",
"activeThreats": "",
"agentComputerName": "",
"agentDecommissionedAt": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentMitigationMode": "",
"agentNetworkStatus": "",
"agentOsName": "",
"agentOsRevision": "",
"agentOsType": "",
"agentUuid": "",
"agentVersion": "",
"groupId": "",
"groupName": "",
"networkInterfaces": [
{
"id": "",
"inet": [],
"inet6": [],
"name": "",
"physical": ""
}
],
"operationalState": "",
"rebootRequired": "",
"scanAbortedAt": "",
"scanFinishedAt": "",
"scanStartedAt": "",
"scanStatus": "",
"siteId": "",
"siteName": "",
"storageName": "",
"storageType": "",
"userActionsNeeded": []
},
"containerInfo": {
"id": "",
"image": "",
"labels": "",
"name": ""
},
"id": "",
"indicators": [
{
"category": "",
"description": "",
"ids": [],
"tactics": []
}
],
"kubernetesInfo": {
"cluster": "",
"controllerKind": "",
"controllerLabels": "",
"controllerName": "",
"namespace": "",
"namespaceLabels": "",
"node": "",
"pod": "",
"podLabels": ""
},
"mitigationStatus": [
{
"action": "",
"actionsCounters": {
"failed": "",
"notFound": "",
"pendingReboot": "",
"success": "",
"total": ""
},
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
},
{
"action": "",
"actionsCounters": "",
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
}
],
"threatInfo": {
"analystVerdict": "",
"analystVerdictDescription": "",
"automaticallyResolved": "",
"browserType": "",
"certificateId": "",
"classification": "",
"classificationSource": "",
"cloudFilesHashVerdict": "",
"collectionId": "",
"confidenceLevel": "",
"createdAt": "",
"detectionEngines": [
{
"key": "",
"title": ""
}
],
"detectionType": "",
"engines": [],
"externalTicketExists": "",
"externalTicketId": "",
"failedActions": "",
"fileExtension": "",
"fileExtensionType": "",
"filePath": "",
"fileSize": "",
"fileVerificationType": "",
"identifiedAt": "",
"incidentStatus": "r",
"incidentStatusDescription": "",
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"initiatingUsername": "",
"isFileless": "",
"isValidCertificate": "",
"maliciousProcessArguments": "",
"md5": "",
"mitigatedPreemptively": "",
"mitigationStatus": "",
"mitigationStatusDescription": "",
"originatorProcess": "",
"pendingActions": "",
"processUser": "",
"publisherName": "",
"reachedEventsLimit": "",
"rebootRequired": "",
"sha1": "",
"sha256": "",
"storyline": "",
"threatId": "",
"threatName": "",
"updatedAt": ""
},
"whiteningOptions": []
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
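The List All Threats and Fetch Threats operations above return one of two differently shaped records depending on the configured API version: v2.0 keeps the per-threat fields flat at the top level, while v2.1 nests them under agentRealtimeInfo and threatInfo. A playbook that extracts hashes, agent IDs or mitigation state therefore needs a version-aware mapping. The following is an added example, not code from the FortiSOAR SentinelOne connector: the two sample records are constructed from the field names in the schemas above (the values are made up; the hashes are the well-known digests of empty input), and three points are this example's own assumptions rather than facts stated on this page: the schema version is detected by the presence of a threatInfo object, the v2.0 fileContentHash field is treated as the SHA-1 (since the schema carries a separate fileSha256), and a v2.1 incidentStatus of "resolved" is treated as the counterpart of the v2.0 resolved flag.

```python
"""Flatten a SentinelOne threat record to one shape whether the v2.0 or the
v2.1 output schema produced it (added example; assumptions noted inline)."""
from typing import Any, Dict, List, Optional, Tuple

# Well-known digests of empty input, used here only as placeholder values.
EMPTY_SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"

# Constructed v2.0 record: flat field names from the v2.0 output schema.
SAMPLE_V20: Dict[str, Any] = {
    "id": "1000000000000000001",
    "agentId": "2000000000000000002",
    "agentComputerName": "WS-EXAMPLE-01",
    "threatName": "Example.Threat",
    "fileContentHash": EMPTY_SHA1.upper(),  # mixed case on purpose, see _clean_hash
    "fileSha256": EMPTY_SHA256,
    "filePath": "C:\\Users\\example\\Downloads\\sample.exe",
    "classification": "Malware",
    "mitigationStatus": "mitigated",
    "resolved": False,
    "createdAt": "2022-09-21T10:00:00.000000Z",
}

# Constructed v2.1 record: the same facts, nested as in the v2.1 output schema.
SAMPLE_V21: Dict[str, Any] = {
    "id": "1000000000000000001",
    "agentRealtimeInfo": {"agentId": "2000000000000000002",
                          "agentComputerName": "WS-EXAMPLE-01"},
    "threatInfo": {
        "threatName": "Example.Threat",
        "sha1": EMPTY_SHA1,
        "sha256": EMPTY_SHA256,
        "md5": EMPTY_MD5,
        "filePath": "C:\\Users\\example\\Downloads\\sample.exe",
        "classification": "Malware",
        "mitigationStatus": "mitigated",
        "incidentStatus": "unresolved",  # assumed value; the page lists none
        "createdAt": "2022-09-21T10:00:00.000000Z",
    },
}


def _clean_hash(value: Optional[str]) -> Optional[str]:
    """Lower-case a hex digest; empty strings (schema placeholders) become None."""
    if not value:
        return None
    return value.strip().lower()


def schema_version(threat: Dict[str, Any]) -> str:
    """Assumption: v2.1 records nest per-threat fields under 'threatInfo'."""
    return "v2.1" if isinstance(threat.get("threatInfo"), dict) else "v2.0"


def normalize_threat(threat: Dict[str, Any]) -> Dict[str, Any]:
    """Map either schema onto one flat dictionary with stable key names."""
    if schema_version(threat) == "v2.1":
        info = threat.get("threatInfo") or {}
        agent = threat.get("agentRealtimeInfo") or {}
        return {
            "schema": "v2.1",
            "threat_id": threat.get("id"),
            "agent_id": agent.get("agentId"),
            "computer_name": agent.get("agentComputerName"),
            "threat_name": info.get("threatName"),
            "sha1": _clean_hash(info.get("sha1")),
            "sha256": _clean_hash(info.get("sha256")),
            "md5": _clean_hash(info.get("md5")),
            "file_path": info.get("filePath"),
            "classification": info.get("classification"),
            "mitigation_status": info.get("mitigationStatus"),
            "resolved": info.get("incidentStatus") == "resolved",  # assumption
            "created_at": info.get("createdAt"),
        }
    return {
        "schema": "v2.0",
        "threat_id": threat.get("id"),
        "agent_id": threat.get("agentId"),
        "computer_name": threat.get("agentComputerName"),
        "threat_name": threat.get("threatName"),
        "sha1": _clean_hash(threat.get("fileContentHash")),  # assumed to be SHA-1
        "sha256": _clean_hash(threat.get("fileSha256")),
        "md5": None,  # the v2.0 schema carries no MD5 field
        "file_path": threat.get("filePath"),
        "classification": threat.get("classification"),
        "mitigation_status": threat.get("mitigationStatus"),
        "resolved": bool(threat.get("resolved")),
        "created_at": threat.get("createdAt"),
    }


def best_hash(record: Dict[str, Any]) -> Optional[Tuple[str, str]]:
    """Strongest digest present, for indicator lookups and de-duplication."""
    for algo in ("sha256", "sha1", "md5"):
        if record.get(algo):
            return algo, record[algo]
    return None


def normalize_page(response: Dict[str, Any]) -> Tuple[List[Dict[str, Any]], Optional[str]]:
    """Normalise one page of a List All Threats / Fetch Threats response and
    return the records together with the nextCursor for the following call."""
    records = [normalize_threat(t) for t in response.get("data", [])]
    cursor = (response.get("pagination") or {}).get("nextCursor") or None
    return records, cursor
```

Normalising at the ingestion boundary keeps the rest of the playbook independent of the API version selected in the connector configuration; the hashes are lower-cased so that lookups against threat-intelligence lists do not miss on case alone, and best_hash prefers SHA-256 so that weaker digests are used only when nothing stronger is present.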

operation: Create Query And Get Query ID

Input parameters

Parameter Description
Query A free-text search term that is matched (as a sub-string) against the applicable attributes in SentinelOne, and for which you want to create a query and retrieve its query ID.
From Date The start date of the query for which you want to retrieve the query ID from SentinelOne.
To Date The end date of the query for which you want to retrieve the query ID from SentinelOne.
Group IDs (Optional) Comma-separated list of agent group IDs to which the query is scoped.
Tenant Select this checkbox to indicate a tenant scope in the query.
Query Type (Optional) Type of query used by Deep Visibility in SentinelOne.
Account IDs (Optional) Comma-separated list of agent account IDs to which the query is scoped.
Site IDs (Optional) Comma-separated list of agent site IDs to which the query is scoped.

Output

The output contains the following populated JSON schema:
{
"queryId": "",
"queryModeInfo": {
"lastActivatedAt": "",
"mode": ""
}
}

operation: Get Query Status

Input parameters

Parameter Description
Query ID The ID of the query whose status you want to retrieve from SentinelOne. The query ID is returned when you create a query in SentinelOne.

Output

The output contains the following populated JSON schema:
{
"progressStatus": "",
"queryModeInfo": {
"lastActivatedAt": "",
"mode": ""
},
"responseState": "",
"warnings": ""
}

operation: Get Events

Input parameters

Parameter Description
Query ID The ID of the query whose associated events you want to retrieve from SentinelOne. The query ID is returned when you create a query in SentinelOne.
Limit Records (Optional) The maximum number of results, per page, that this operation should return.
Offset (Optional) Skips the specified number of results (0-1000) from the total results.
Cursor (Optional) Use the 'Cursor' parameter only if a previous call returned a partial result. If a previous response contains a cursor element, its value is the starting point to pass in the subsequent call. This parameter is used to walk through a paginated response.
Sort By (Optional) Name of the field on which you want to sort the results (events).
Sort Order (Optional) The sort order of the results (events). You can choose between Ascending and Descending.
Sub Query (Optional) The sub-query that you want to run on the already pulled data.

Output

The output contains the following populated JSON schema:
{
"data": [
{
"accountId": "",
"activeContentFileId": "",
"activeContentHash": "",
"activeContentPath": "",
"activeContentSignedStatus": "",
"activeContentType": "",
"agentDomain": "",
"agentGroupId": "",
"agentId": "",
"agentInfected": "",
"agentIp": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentName": "",
"agentNetworkStatus": "",
"agentOs": "",
"agentTimestamp": "",
"agentUuid": "",
"agentVersion": "",
"childProcCount": "",
"containerId": "",
"containerImage": "",
"containerLabels": "",
"containerName": "",
"createdAt": "",
"crossProcCount": "",
"crossProcDupRemoteProcHandleCount": "",
"crossProcDupThreadHandleCount": "",
"crossProcOpenProcCount": "",
"crossProcOutOfStorylineCount": "",
"crossProcThreadCreateCount": "",
"dnsCount": "",
"endpointMachineType": "",
"endpointName": "",
"endpointOs": "",
"eventIndex": "",
"eventRepetitionCount": "",
"eventTime": "",
"eventType": "",
"fileIsExecutable": "",
"fileMd5": "",
"fileSha256": "",
"id": "",
"indicatorBootConfigurationUpdateCount": "",
"indicatorEvasionCount": "",
"indicatorExploitationCount": "",
"indicatorGeneralCount": "",
"indicatorInfostealerCount": "",
"indicatorInjectionCount": "",
"indicatorPersistenceCount": "",
"indicatorPostExploitationCount": "",
"indicatorRansomwareCount": "",
"indicatorReconnaissanceCount": "",
"isAgentVersionFullySupportedForPg": "",
"isAgentVersionFullySupportedForPgMessage": "",
"k8sClusterName": "",
"k8sControllerLabels": "",
"k8sControllerName": "",
"k8sControllerType": "",
"k8sNamespace": "",
"k8sNamespaceLabels": "",
"k8sNode": "",
"k8sPodLabels": "",
"k8sPodName": "",
"lastActivatedAt": "",
"metaEventName": "",
"moduleCount": "",
"netConnCount": "",
"netConnInCount": "",
"netConnOutCount": "",
"objectType": "",
"osSrcChildProcCount": "",
"osSrcCrossProcCount": "",
"osSrcCrossProcDupRemoteProcHandleCount": "",
"osSrcCrossProcDupThreadHandleCount": "",
"osSrcCrossProcOpenProcCount": "",
"osSrcCrossProcOutOfStorylineCount": "",
"osSrcCrossProcThreadCreateCount": "",
"osSrcDnsCount": "",
"osSrcIndicatorBootConfigurationUpdateCount": "",
"osSrcIndicatorEvasionCount": "",
"osSrcIndicatorExploitationCount": "",
"osSrcIndicatorGeneralCount": "",
"osSrcIndicatorInfostealerCount": "",
"osSrcIndicatorInjectionCount": "",
"osSrcIndicatorPersistenceCount": "",
"osSrcIndicatorPostExploitationCount": "",
"osSrcIndicatorRansomwareCount": "",
"osSrcIndicatorReconnaissanceCount": "",
"osSrcModuleCount": "",
"osSrcNetConnCount": "",
"osSrcNetConnInCount": "",
"osSrcNetConnOutCount": "",
"osSrcProcActiveContentFileId": "",
"osSrcProcActiveContentHash": "",
"osSrcProcActiveContentPath": "",
"osSrcProcActiveContentSignedStatus": "",
"osSrcProcActiveContentType": "",
"osSrcProcBinaryisExecutable": "",
"osSrcProcCmdLine": "",
"osSrcProcDisplayName": "",
"osSrcProcImageMd5": "",
"osSrcProcImagePath": "",
"osSrcProcImageSha1": "",
"osSrcProcImageSha256": "",
"osSrcProcIntegrityLevel": "",
"osSrcProcIsNative64Bit": "",
"osSrcProcIsRedirectCmdProcessor": "",
"osSrcProcIsStorylineRoot": "",
"osSrcProcName": "",
"osSrcProcParentActiveContentFileId": "",
"osSrcProcParentActiveContentHash": "",
"osSrcProcParentActiveContentPath": "",
"osSrcProcParentActiveContentSignedStatus": "",
"osSrcProcParentActiveContentType": "",
"osSrcProcParentCmdLine": "",
"osSrcProcParentDisplayName": "",
"osSrcProcParentImageMd5": "",
"osSrcProcParentImagePath": "",
"osSrcProcParentImageSha1": "",
"osSrcProcParentImageSha256": "",
"osSrcProcParentIntegrityLevel": "",
"osSrcProcParentIsNative64Bit": "",
"osSrcProcParentIsRedirectCmdProcessor": "",
"osSrcProcParentIsStorylineRoot": "",
"osSrcProcParentName": "",
"osSrcProcParentPid": "",
"osSrcProcParentPublisher": "",
"osSrcProcParentReasonSignatureInvalid": "",
"osSrcProcParentSessionId": "",
"osSrcProcParentSignedStatus": "",
"osSrcProcParentStartTime": "",
"osSrcProcParentStorylineId": "",
"osSrcProcParentUid": "",
"osSrcProcParentUser": "",
"osSrcProcPid": "",
"osSrcProcPublisher": "",
"osSrcProcReasonSignatureInvalid": "",
"osSrcProcRelatedToThreat": "",
"osSrcProcSessionId": "",
"osSrcProcSignedStatus": "",
"osSrcProcStartTime": "",
"osSrcProcStorylineId": "",
"osSrcProcSubsystem": "",
"osSrcProcUid": "",
"osSrcProcUser": "",
"osSrcProcVerifiedStatus": "",
"osSrcRegistryChangeCount": "",
"osSrcTgtFileCreationCount": "",
"osSrcTgtFileDeletionCount": "",
"osSrcTgtFileModificationCount": "",
"parentPid": "",
"parentProcessName": "",
"parentProcessStartTime": "",
"parentProcessUniqueKey": "",
"pid": "",
"processCmd": "",
"processDisplayName": "",
"processGroupId": "",
"processImagePath": "",
"processImageSha1Hash": "",
"processIntegrityLevel": "",
"processIsRedirectedCommandProcessor": "",
"processIsWow64": "",
"processName": "",
"processRoot": "",
"processSessionId": "",
"processStartTime": "",
"processSubSystem": "",
"processUniqueKey": "",
"publisher": "",
"registryChangeCount": "",
"relatedToThreat": "",
"retentionPeriod": "",
"rpid": "",
"signatureSignedInvalidReason": "",
"signedStatus": "",
"siteId": "",
"siteName": "",
"srcProcActiveContentFileId": "",
"srcProcActiveContentHash": "",
"srcProcActiveContentPath": "",
"srcProcActiveContentSignedStatus": "",
"srcProcActiveContentType": "",
"srcProcBinaryisExecutable": "",
"srcProcCmdLine": "",
"srcProcDisplayName": "",
"srcProcImageMd5": "",
"srcProcImagePath": "",
"srcProcImageSha1": "",
"srcProcImageSha256": "",
"srcProcIntegrityLevel": "",
"srcProcIsNative64Bit": "",
"srcProcIsRedirectCmdProcessor": "",
"srcProcIsStorylineRoot": "",
"srcProcName": "",
"srcProcParentActiveContentFileId": "",
"srcProcParentActiveContentHash": "",
"srcProcParentActiveContentPath": "",
"srcProcParentActiveContentSignedStatus": "",
"srcProcParentActiveContentType": "",
"srcProcParentCmdLine": "",
"srcProcParentDisplayName": "",
"srcProcParentImageMd5": "",
"srcProcParentImagePath": "",
"srcProcParentImageSha1": "",
"srcProcParentImageSha256": "",
"srcProcParentIntegrityLevel": "",
"srcProcParentIsNative64Bit": "",
"srcProcParentIsRedirectCmdProcessor": "",
"srcProcParentIsStorylineRoot": "",
"srcProcParentName": "",
"srcProcParentPid": "",
"srcProcParentProcUid": "",
"srcProcParentPublisher": "",
"srcProcParentReasonSignatureInvalid": "",
"srcProcParentSessionId": "",
"srcProcParentSignedStatus": "",
"srcProcParentStartTime": "",
"srcProcParentStorylineId": "",
"srcProcParentUid": "",
"srcProcParentUser": "",
"srcProcPid": "",
"srcProcPublisher": "",
"srcProcReasonSignatureInvalid": "",
"srcProcRelatedToThreat": "",
"srcProcRpid": "",
"srcProcSessionId": "",
"srcProcSignedStatus": "",
"srcProcStartTime": "",
"srcProcStorylineId": "",
"srcProcSubsystem": "",
"srcProcTid": "",
"srcProcUid": "",
"srcProcUser": "",
"srcProcVerifiedStatus": "",
"storyline": "",
"tgtFileCreationCount": "",
"tgtFileDeletionCount": "",
"tgtFileModificationCount": "",
"tgtPid": "",
"tgtProcAccessRights": "",
"tgtProcActiveContentFileId": "",
"tgtProcActiveContentHash": "",
"tgtProcActiveContentPath": "",
"tgtProcActiveContentSignedStatus": "",
"tgtProcActiveContentType": "",
"tgtProcBinaryisExecutable": "",
"tgtProcCmdLine": "",
"tgtProcDisplayName": "",
"tgtProcImageMd5": "",
"tgtProcImagePath": "",
"tgtProcImageSha1": "",
"tgtProcImageSha256": "",
"tgtProcIntegrityLevel": "",
"tgtProcIsNative64Bit": "",
"tgtProcIsRedirectCmdProcessor": "",
"tgtProcIsStorylineRoot": "",
"tgtProcName": "",
"tgtProcPid": "",
"tgtProcPublisher": "",
"tgtProcReasonSignatureInvalid": "",
"tgtProcRelation": "",
"tgtProcSessionId": "",
"tgtProcSignedStatus": "",
"tgtProcStartTime": "",
"tgtProcStorylineId": "",
"tgtProcSubsystem": "",
"tgtProcUid": "",
"tgtProcUser": "",
"tgtProcVerifiedStatus": "",
"tiOriginalEventId": "",
"tiOriginalEventIndex": "",
"tiOriginalEventTraceId": "",
"tid": "",
"tiindicatorRelatedEventTime": "",
"traceId": "",
"trueContext": "",
"user": "",
"verifiedStatus": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}

operation: Get Events By Type

Input parameters

Parameter Description
Query ID The ID of the query whose associated events you want to retrieve from SentinelOne. The query ID is returned when you create a query in SentinelOne.
Event Type Event type by which you want to filter the results (events). You can choose between the following event types: Events, File, Ip, Url, Dns, Process, Registry, Scheduled task, Logins, or Indicators.
Limit Records (Optional) The maximum number of results, per page, that this operation should return.
Offset (Optional) Skips the specified number of results (0-1000) from the total results.
Cursor (Optional) Use the 'Cursor' parameter only if a previous call returned a partial result. If a previous response contains a cursor element, its value is the starting point to pass in the subsequent call. This parameter is used to walk through a paginated response.
Sort Order (Optional) The sort order of the results (events). You can choose between Ascending and Descending.
Sort By (Optional) Name of the field on which you want to sort the results (events).
Sub Query (Optional) The sub-query that you want to run on the already pulled data.

Output

The output contains the following populated JSON schema:
{
"data": {
"agentGroupId": "",
"indicatorCategory": "",
"indicatorDescription": "",
"agentUuid": "",
"fileId": "",
"loginsBaseType": "",
"processName": "",
"agentIp": "",
"threatStatus": "",
"processSubSystem": "",
"direction": "",
"processImagePath": "",
"agentIsActive": "",
"agentVersion": "",
"parentProcessName": "",
"agentInfected": "",
"indicatorMetadata": "",
"processIsMalicious": "",
"srcPort": "",
"user": "",
"processStartTime": "",
"siteName": "",
"agentName": "",
"md5": "",
"sha1": "",
"registryId": "",
"fileSha1": "",
"id": "",
"sha256": "",
"processCmd": "",
"networkMethod": "",
"indicatorName": "",
"parentProcessGroupId": "",
"taskName": "",
"srcIp": "",
"registryPath": "",
"parentPid": "",
"parentProcessUniqueKey": "",
"agentMachineType": "",
"dnsResponse": "",
"tid": "",
"processSessionId": "",
"networkUrl": "",
"eventSubType": "",
"createdAt": "",
"dstPort": "",
"processUserName": "",
"agentDomain": "",
"fileSha256": "",
"processDisplayName": "",
"agentNetworkStatus": "",
"loginsUserName": "",
"signer": "",
"rpid": "",
"taskPath": "",
"pid": "",
"processIntegrityLevel": "",
"oldFileMd5": "",
"relatedToThreat": "",
"oldFileSha1": "",
"processGroupId": "",
"networkSource": "",
"fileMd5": "",
"oldFileSha256": "",
"agentOs": "",
"oldFileName": "",
"eventType": "",
"agentIsDecommissioned": "",
"parentProcessStartTime": "",
"processImageSha1Hash": "",
"trueContext": "",
"parentProcessIsMalicious": "",
"dnsRequest": "",
"fileFullName": "",
"dstIp": "",
"processUniqueKey": "",
"forensicUrl": "",
"agentId": ""
},
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}

operation: Cancel Running Query

Input parameters

Parameter Description
Query ID The ID of the deep visibility query that you want to stop in SentinelOne. The query ID is returned when you create the query using the Create Query And Get Query ID operation.

Output

The output contains the following populated JSON schema:
{
"success": ""
}
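The deep visibility workflow the Cancel Running Query operation belongs to (create the query, poll its status, page through the events with the cursor described above, and cancel it if it overruns) as a worked example. This is added example code, not code from the FortiSOAR connector or from SentinelOne: the endpoint paths and the responseState names are assumptions taken from SentinelOne's public API documentation, and FakeConsole is a constructed stand-in for the management console so the example runs offline.

```python
"""Deep Visibility query lifecycle: start, poll, page events with the cursor,
cancel on overrun. Added example, not FortiSOAR connector code. Endpoint paths
and responseState names are assumptions from SentinelOne's public API docs;
FakeConsole is a constructed stand-in so this runs offline."""
import time
from typing import Callable, List

Transport = Callable[[str, str, dict], dict]  # (method, path, params) -> decoded JSON
TERMINAL_FAILURES = {"FAILED", "ERROR", "QUERY_CANCELLED", "TIMED_OUT"}  # assumed names


class DeepVisibilityClient:
    def __init__(self, transport: Transport, timeout: float = 60.0, poll_interval: float = 1.0):
        self.call, self.timeout, self.poll_interval = transport, timeout, poll_interval

    def create_query(self, query: str, from_date: str, to_date: str) -> str:
        body = {"query": query, "fromDate": from_date, "toDate": to_date}
        return self.call("POST", "/web/api/v2.1/dv/init-query", body)["data"]["queryId"]

    def status(self, query_id: str) -> str:
        return self.call("GET", "/web/api/v2.1/dv/query-status", {"queryId": query_id})["data"]["responseState"]

    def cancel(self, query_id: str) -> bool:
        return bool(self.call("POST", "/web/api/v2.1/dv/cancel-query", {"queryId": query_id})["data"]["success"])

    def events(self, query_id: str, limit: int = 100) -> List[dict]:
        """Follow pagination.nextCursor until the server returns null for it."""
        collected, cursor, seen = [], None, set()
        while True:
            params = {"queryId": query_id, "limit": limit}
            if cursor:
                params["cursor"] = cursor
            page = self.call("GET", "/web/api/v2.1/dv/events", params)
            collected.extend(page["data"])
            cursor = page.get("pagination", {}).get("nextCursor")
            if not cursor:
                return collected
            if cursor in seen:  # a cursor handed out twice would otherwise loop forever
                raise RuntimeError("cursor %r returned twice" % cursor)
            seen.add(cursor)

    def run(self, query: str, from_date: str, to_date: str, limit: int = 100) -> List[dict]:
        query_id = self.create_query(query, from_date, to_date)
        deadline = time.monotonic() + self.timeout
        while True:
            state = self.status(query_id)
            if state == "FINISHED":
                return self.events(query_id, limit)
            if state in TERMINAL_FAILURES:
                raise RuntimeError("query %s ended in state %s" % (query_id, state))
            if time.monotonic() >= deadline:
                self.cancel(query_id)  # do not leave an abandoned query running on the console
                raise TimeoutError("query %s cancelled after %.0fs" % (query_id, self.timeout))
            time.sleep(self.poll_interval)


class FakeConsole:
    """Constructed stand-in for the management console; not real server behaviour."""

    def __init__(self, events: List[dict], polls_until_finished: int):
        self.events, self.polls_until_finished = events, polls_until_finished
        self.polls, self.cancelled, self.requests = 0, False, []

    def __call__(self, method: str, path: str, params: dict) -> dict:
        self.requests.append(path)
        if path.endswith("/dv/init-query"):
            return {"data": {"queryId": "q-1"}}
        if path.endswith("/dv/query-status"):
            self.polls += 1
            state = "FINISHED" if self.polls >= self.polls_until_finished else "RUNNING"
            return {"data": {"responseState": state}}
        if path.endswith("/dv/cancel-query"):
            self.cancelled = True
            return {"data": {"success": True}}
        if path.endswith("/dv/events"):  # this fake encodes its cursor as a plain offset
            start = int(params["cursor"]) if "cursor" in params else 0
            end = start + params["limit"]
            return {"data": self.events[start:end],
                    "pagination": {"nextCursor": str(end) if end < len(self.events) else None,
                                   "totalItems": len(self.events)}}
        raise KeyError(path)


# Constructed sample events in the shape of the Get Events By Type output above.
SAMPLE_EVENTS = [{"id": str(n), "eventType": "Process Creation", "processName": "powershell.exe",
                  "agentName": "WS-%02d" % n, "processCmd": "powershell -NoProfile -w hidden"}
                 for n in range(1, 6)]


def demo(polls_until_finished: int = 2, timeout: float = 60.0):
    """Run the lifecycle against the fake; returns (events, console), events=None on timeout."""
    console = FakeConsole(SAMPLE_EVENTS, polls_until_finished)
    client = DeepVisibilityClient(console, timeout=timeout, poll_interval=0.0)
    try:
        events = client.run('ProcessName = "powershell.exe"', "2022-09-01T00:00:00Z",
                            "2022-09-02T00:00:00Z", limit=2)
    except TimeoutError:
        events = None
    return events, console


if __name__ == "__main__":
    found, console = demo()
    print(len(found), "events over", console.requests.count("/web/api/v2.1/dv/events"), "pages")
```

The same cursor loop applies to every operation on this page whose output carries a pagination block (Get Agents, List All Threats, Get CVEs, Get Applications): keep sending the returned nextCursor until it comes back null, and treat a repeated cursor as an error rather than looping. In a playbook, the timeout branch is what should call Cancel Running Query, so a hung query does not stay queued on the console.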

operation: Get Threat Seen on Network

Input parameters

Parameter Description
Threat ID The ID of the threat whose "seen on network data" you want to retrieve from SentinelOne.
Site IDs (Optional) List of comma-separated agent sites whose "seen on network data" you want to retrieve from SentinelOne.
Group IDs (Optional) List of comma-separated agent groups whose "seen on network data" you want to retrieve from SentinelOne.
Account IDs (Optional) List of comma-separated agent accounts whose "seen on network data" you want to retrieve from SentinelOne.

Output

The output contains the following populated JSON schema:
{
"agent_version": "",
"description": "",
"created_date": "",
"meta_data": {
"updated_at": "",
"created_at": ""
},
"id": "",
"malicious_group_id": "",
"resolved": "",
"status": "",
"from_cloud": "",
"agent": ""
}

operation: Threat Forensic Details

Input parameters

Parameter Description
Threat ID The ID of the threat whose forensic details you want to retrieve from SentinelOne.

Output

The output contains the following populated JSON schema:
{
"result": {
"policy_id": "",
"agent_version": "",
"occurred_at": "",
"graph": {
"edges_summary": [],
"node_sets": {}
},
"file_hash": "",
"file_display_name": "",
"file_created_at": "",
"agent": "",
"category_scores": [],
"publisher": "",
"raw_data": {
"edges": [],
"nodes": {
"6ADE07922117100C": {
"agent_version": "",
"in_threat": "",
"malicious_content": "",
"agent_uuid": "",
"meta_data": {
"updated_at": "",
"count": "",
"created_at": ""
},
"has_reputation": "",
"group_id": "",
"event_type": "",
"object_id": "",
"data": {
"path": "",
"is_system": "",
"created_date": "",
"is_executable": "",
"verification_type": "",
"extension_type": "",
"size": "",
"object_id": "",
"content_hash": "",
"permission": ""
}
}
}
},
"indicators": [],
"cert_id": "",
"is_cert_valid": ""
}
}

operation: Export Threat

Input parameters

Parameter Description
Threat ID The ID of the threat whose details, along with its associated threats, you want to export from SentinelOne in CSV, RAW, or JSON format.
Export Format The format in which you want to export the threat data. You can choose between the following formats: CSV, RAW, or JSON.

Output

The output contains the following populated JSON schema:
{
"threat_details": {
"description": "",
"id": "",
"created_at": "",
"agent": ""
},
"threats": [],
"agent_details": {
"external_ip": "",
"registered_at": "",
"agent_version_current": "",
"computer_name": "",
"last_active_date": "",
"agent_version_at_threat_time": "",
"group_ip": "",
"domain": "",
"cpu": "",
"os": ""
},
"file_details": {
"size": "",
"created_at": "",
"id": "",
"display_name": "",
"permission": "",
"content_hash": ""
},
"reputation": {
"rank": ""
}
}

operation: Get Threat Forensics

Input parameters

Parameter Description
Threat ID The ID of the threat for which you want to retrieve the forensic data.
Site IDs (Optional) List of comma-separated agent sites whose threat data you want to retrieve from SentinelOne.
Group IDs (Optional) List of comma-separated agent groups whose threat data you want to retrieve from SentinelOne.
Account IDs (Optional) List of comma-separated agent accounts whose threat data you want to retrieve from SentinelOne.

Output

The output contains the following populated JSON schema:
{
"result": {
"seen_on_network": "",
"occurred_at": "",
"file_display_name": "",
"marked_as_benign": "",
"classifier_name": "",
"mitigation_status": "",
"file_created_at": "",
"file_path": "",
"classification_source": "",
"classification": "",
"mitigation_report": {
"quarantine": {
"status": ""
},
"rollback": {
"status": ""
},
"remediate": {
"status": ""
},
"network_quarantine": {
"status": ""
},
"kill": {
"status": ""
}
},
"threat_id": "",
"whitening_options": [],
"threat_created": "",
"malicious_group_id": "",
"in_quarantine": "",
"file_content_hash": "",
"file_hash": "",
"malicious_process_arguments": "",
"annotation_url": "",
"agent": "",
"from_scan": "",
"annotation": "",
"file_description": "",
"resolved": "",
"mitigation_actions": []
}
}

operation: Free Text

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"title": "",
"key": "",
"autoComplete": ""
}

operation: Get Application Count

Input parameters

Parameter Description
Get Count By Filter based on which you want to retrieve the application count from SentinelOne. You can choose between Risk Levels or Filters. By default, this is set as Risk Levels.
Site IDs (Optional) List of comma-separated agent sites whose application count you want to retrieve from SentinelOne.
Group IDs (Optional) List of comma-separated agent groups whose application count you want to retrieve from SentinelOne.
Account IDs (Optional) List of comma-separated agent accounts whose application count you want to retrieve from SentinelOne.
Agent Machine Types (Optional) Type of agent machine whose application count you want to retrieve from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server.
Application IDs (Optional) List of comma-separated application IDs whose application count you want to retrieve, per filter value, from SentinelOne.
Application Types (Optional) Type of application whose application count you want to retrieve from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension.
Is Decommissioned Select this checkbox if the status of the agent whose application count you want to retrieve from SentinelOne is set as "Decommissioned".
Risk Levels (Optional) Level of risks whose application count you want to retrieve from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical.
OS Types (Optional) Type of OS whose application count you want to retrieve from SentinelOne. You can choose between the following OS types: MacOS, Windows_Legacy, Linux, or Windows.
Additional Fields Additional fields, in the JSON format, based on which you want to retrieve application counts from SentinelOne.

Output

The output contains the following populated JSON schema:

Output schema when you choose "Get Count By" as "Risk Levels":
{
"enableNegation": "",
"key": "",
"title": "",
"values": [
{
"count": "",
"title": "",
"value": ""
}
]
}

Output schema when you choose "Get Count By" as "Filters":
{
"enableNegation": "",
"disableSorting": "",
"key": "",
"title": "",
"values": [
{
"count": "",
"title": "",
"value": ""
}
]
}

operation: Get CVEs

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Internal CVE IDs List of comma-separated internal CVE IDs on which you want to filter the CVEs retrieved using this operation from SentinelOne.
Global CVE IDs List of comma-separated global CVE IDs on which you want to filter the CVEs retrieved using this operation from SentinelOne.
Limit Records The maximum number of results, per page, that this operation should return.
Skip Count Select this option to skip calculating the total number of results, which speeds up the operation.
Sort By Name of the field on which you want to sort the result. You can choose between the following fields: ID, PublishedAt, AgentID, or ApplicationID.
Sort Order The sorting order of the results (CVEs), you can choose between Ascending or Descending.
Count Only Select this option to only retrieve the total number of items, without any of the actual objects, from SentinelOne.
Cursor The 'Cursor' parameter is used only if a previous operation had returned a partial result. If a previous response contains a cursor element, then the value of the cursor element includes a cursor parameter that specifies a starting point to use for subsequent calls. This parameter is useful when we have pagination in the response.
Additional Fields Additional fields, in the JSON format, based on which you want to retrieve CVEs from SentinelOne.

Output

The output contains the following populated JSON schema:
{
"data": [
{
"createdAt": "",
"cveId": "",
"description": "",
"id": "",
"link": "",
"publishedAt": "",
"riskLevel": "",
"score": "",
"updatedAt": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}

operation: Export Applications Risk

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Site IDs List of comma-separated agent site IDs to export application risks from SentinelOne.
Group IDs List of comma-separated agent group IDs to export application risks from SentinelOne.
Account IDs List of comma-separated agent account IDs to export application risks from SentinelOne.
Size Between Size range of the applications whose risks you want to export, specified in bytes as a lower and an upper bound. The documented range is 1024 to 104856 bytes.
Agent Machine Types Type of agent machine whose application risks you want to export from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server.
Application IDs List of comma-separated application IDs whose installed applications and CVE list you want to export from SentinelOne.
Application Types Type of application whose application risks you want to export from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension.
Is Decommissioned Select this checkbox if the status of the agent whose application risks you want to export from SentinelOne is set as "Decommissioned".
Risk Levels Level of risks whose application risks you want to export from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical.
OS Types Type of OS whose application risks you want to export from SentinelOne. You can choose between the following OS types: MacOS, Windows Legacy, Linux, or Windows.
Additional Fields Additional fields, in the JSON format, based on which you want to export application risks from SentinelOne.

Output

The output contains the following populated JSON schema:
{
"id": "",
"@id": "",
"file": {
"id": "",
"@id": "",
"size": "",
"uuid": "",
"@type": "",
"assignee": "",
"filename": "",
"metadata": [],
"mimeType": "",
"thumbnail": "",
"uploadDate": ""
},
"name": "",
"type": "",
"uuid": "",
"@type": "",
"tasks": [],
"alerts": [],
"assets": [],
"owners": [],
"people": [],
"@context": "",
"assignee": "",
"comments": [],
"warrooms": [],
"incidents": [],
"createDate": "",
"createUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"indicators": [],
"modifyDate": "",
"modifyUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"recordTags": [],
"userOwners": [],
"description": ""
}

operation: Get Applications

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Limit Records The maximum number of results, per page, that this operation should return.
Skip Count Select this option to skip calculating the total number of results, which speeds up the operation.
Sort Order The sorting order of the results (applications), you can choose between Ascending or Descending.
Agent Machine Types Type of endpoint machine whose applications you want to retrieve from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server.
Application IDs The ID of the agent application whose installed applications you want to retrieve from SentinelOne.
Is Decommissioned Select this checkbox if the status of the agent whose applications you want to retrieve from SentinelOne is set as "Decommissioned".
Application Types Type of application whose applications you want to retrieve from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension.
Risk Levels Level of risks whose applications you want to retrieve from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical.
Sort By Name of the field on which you want to sort the result. You can choose between the following fields: ID, InstallAt, Type, Name, Publisher, Version, Size, AgentComputerName, or RiskLevel.
Count Only Select this option to only retrieve the total number of items, without any of the actual objects, from SentinelOne.
OS Types Type of OS whose applications you want to retrieve from SentinelOne. You can choose between the following OS types: MacOS, Windows Legacy, Linux, or Windows.
Additional Fields Additional fields, in the JSON format, based on which you want to retrieve applications from SentinelOne.

Output

The output contains the following populated JSON schema:
{
"data": [
{
"agentComputerName": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentNetworkStatus": "",
"agentOperationalState": "",
"agentOsType": "",
"agentUuid": "",
"agentVersion": "",
"createdAt": "",
"id": "",
"installedAt": "",
"name": "",
"osType": "",
"publisher": "",
"riskLevel": "",
"signed": "",
"size": "",
"type": "",
"updatedAt": "",
"version": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}

operation: Get Application CVEs

Input parameters

Parameter Description
Application ID The ID of the agent application whose application CVEs you want to retrieve from SentinelOne.

Output

The output contains the following populated JSON schema:
{
"agentInfected": "",
"agentNetworkStatus": "",
"installedAt": "",
"signed": "",
"size": "",
"type": "",
"updatedAt": "",
"agentComputerName": "",
"name": "",
"agentOsType": "",
"version": "",
"publisher": "",
"agentMachineType": "",
"id": "",
"agentVersion": "",
"osType": "",
"createdAt": "",
"cves": [],
"agentDomain": "",
"agentId": "",
"agentIsDecommissioned": "",
"riskLevel": "",
"agentUuid": "",
"agentIsActive": ""
}

Included playbooks

The Sample - SentinelOne - 3.1.0 playbook collection comes bundled with the SentinelOne connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the SentinelOne connector.

  • SentinelOne > Fetch Threats
  • SentinelOne > Ingest
  • Abort Agent Scan
  • Agent Action
  • Broadcast Message To Agent
  • Cancel Running Query
  • Create Query And Get Query ID
  • Export Applications Risk
  • Export Threat
  • Fetch Agents Logs
  • Fetch Threats
  • Free Text Filters
  • Get Agent Application
  • Get Agent Count
  • Get Agent Passphrase
  • Get Agent Process
  • Get Agents
  • Get Application CVEs
  • Get Application Count
  • Get Applications
  • Get CVEs
  • Get Events
  • Get Events By Type
  • Get Hash Details
  • Get Query Status
  • Get Threat Details
  • Get Threat Forensics
  • Get Threat Seen on Network
  • Initiate Agent Scan
  • List All Threats
  • Mark Threat As Benign
  • Mitigate Threat
  • Reconnect Agent
  • Threat Forensic Details

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling threats from SentinelOne. Currently, "threats" in SentinelOne have been mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming SentinelOne "threats" to FortiSOAR™ "Alerts".

The Data Ingestion Wizard enables you to configure scheduled pulling of data from SentinelOne into FortiSOAR. It also lets you pull some sample data from SentinelOne using which you can define the mapping of data between SentinelOne and FortiSOAR. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the SentinelOne threat.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the SentinelOne connector’s "Configurations" page.
    Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.

    Sample data is required to create a field mapping between SentinelOne data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
  2. On the Fetch Data screen, provide the configurations required to fetch SentinelOne data.
    Users can choose to pull data from SentinelOne by specifying the last X minutes in which the threats have been created or updated in SentinelOne. The fetched data is used to create a mapping between the SentinelOne data and FortiSOAR™ alerts.

    Once you have completed specifying the configurations, click Fetch Data.
  3. On the Field Mapping screen, map the fields of a SentinelOne threat to the fields of an alert present in FortiSOAR™.
    To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the agentIp parameter of a SentinelOne threat to the Source IP parameter of a FortiSOAR™ alert, click the Source IP field and then click the agentIp field to populate its keys:

    For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to SentinelOne, so that the content gets pulled from the SentinelOne integration into FortiSOAR™.
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
    In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from SentinelOne every morning at 5 am, click Daily, and in the hour box enter 5, and in the minute box enter 0:

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
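The field-mapping and scheduled-ingestion steps above, as an added example that is not the Data Ingestion Wizard's own code. The wizard stores a jinja expression per alert field; the dotted paths below stand in for those expressions so the mapping can run offline. The alert field names, the candidate paths (the flat fields of a v2.0 threat and the nested threatInfo, agentDetectionInfo and agentRealtimeInfo objects of a v2.1 threat), the required-field list and the sample threats are assumptions for illustration. It goes one step beyond the wizard walkthrough by handling two cases a scheduled pull runs into: a threat returned again by an overlapping poll window, and a threat whose required field is null (the failure described under Troubleshooting).

```python
"""Map SentinelOne threats to FortiSOAR alert records ahead of ingestion.
Added example, not the Data Ingestion Wizard's code. Dotted paths stand in for
the wizard's jinja expressions; field names, paths and sample threats are
assumptions for illustration."""
from typing import Dict, List, Optional, Set, Tuple

# alert field -> candidate paths, tried in order; the first non-null value wins,
# so a single mapping serves both API versions the connector supports.
FIELD_MAP: Dict[str, Tuple[str, ...]] = {
    "sourceId": ("id",),
    "name": ("threatName", "threatInfo.threatName"),
    "sourceIp": ("agentIp", "agentDetectionInfo.agentIpV4"),
    "hostname": ("agentComputerName", "agentRealtimeInfo.agentComputerName"),
    "classification": ("classification", "threatInfo.classification"),
    "firstSeen": ("createdAt", "threatInfo.createdAt"),
}
# Creating the alert fails in the ingestion playbook if these are null
# (see "Playbook fails after the ingestion is triggered" under Troubleshooting).
REQUIRED = ("sourceId", "name")


def lookup(obj, path: str):
    """Resolve a dotted path into nested dicts; None if any segment is missing."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def map_threat(threat: dict) -> Tuple[Optional[dict], List[str]]:
    """Return (alert, []) on success or (None, names of missing required fields)."""
    alert = {}
    for field, paths in FIELD_MAP.items():
        values = (lookup(threat, p) for p in paths)
        alert[field] = next((v for v in values if v not in (None, "")), None)
    missing = [f for f in REQUIRED if alert[f] is None]
    return (None, missing) if missing else (alert, [])


def ingest(threats: List[dict], known_ids: Set[str]):
    """Map one fetched batch; dedupe against alerts created on earlier polls."""
    created, skipped, failed = [], [], {}
    for threat in threats:
        alert, missing = map_threat(threat)
        if alert is None:
            failed[str(threat.get("id"))] = missing  # surface it rather than silently dropping
            continue
        if alert["sourceId"] in known_ids:
            skipped.append(alert["sourceId"])  # same threat seen by an overlapping poll window
            continue
        known_ids.add(alert["sourceId"])
        created.append(alert)
    return created, skipped, failed


# Constructed sample threats: one flat (v2.0 shape), one nested (v2.1 shape),
# one missing the threat name, and one repeat of the first.
SAMPLE_THREATS = [
    {"id": "1001", "threatName": "EICAR-Test-File", "agentIp": "10.0.0.5",
     "agentComputerName": "WS01", "classification": "Malware", "createdAt": "2022-09-20T08:15:00Z"},
    {"id": "1002",
     "threatInfo": {"threatName": "mimikatz.exe", "classification": "Malware",
                    "createdAt": "2022-09-20T09:02:00Z"},
     "agentDetectionInfo": {"agentIpV4": "10.0.0.7"},
     "agentRealtimeInfo": {"agentComputerName": "WS02"}},
    {"id": "1003", "agentIp": "10.0.0.9", "agentComputerName": "WS03"},
    {"id": "1001", "threatName": "EICAR-Test-File", "agentIp": "10.0.0.5"},
]

if __name__ == "__main__":
    new_alerts, dupes, errors = ingest(SAMPLE_THREATS, set())
    for alert in new_alerts:
        print(alert["sourceId"], alert["name"], alert["sourceIp"], alert["hostname"])
    print("skipped:", dupes, "failed:", errors)
```

The set passed to ingest is the equivalent of looking up existing alerts by their source ID before creating new ones; without it, a polling window longer than the schedule interval creates duplicate alerts. The failed dictionary is what a playbook should write to its log instead of letting a null required field abort the whole batch.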

Troubleshooting

Connection refusal while requesting to run the wrapper

This generally occurs when the SentinelOne console presents a self-signed SSL certificate. If you use self-signed certificates for testing or staging, keep in mind that this problem should not occur in production, where the console certificate is issued by a trusted CA, so you might need to switch certificate verification on or off when moving between environments.

Resolution:

Ensure that the SSL certificate presented by SentinelOne is trusted by FortiSOAR™ (for example, by adding the issuing CA to the trust store), or turn off SSL verification in the wrapper script. Turning verification off is not advised for production instances.
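The two settings side by side, as an added example that is not part of the connector or its wrapper script: a strict TLS context that trusts an internal CA bundle (the production fix), the permissive context that "SSL checking turned off" amounts to, and a diagnostic that runs the handshake and names which of the two fixes applies. The CA bundle path and the console hostname are assumptions.

```python
"""Fix the self-signed certificate problem by trusting the issuing CA rather
than switching verification off. Added example, not connector code; the CA
bundle path and console host are assumptions."""
import socket
import ssl
from typing import Optional


def verified_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Production setting: certificate required, hostname checked, TLS 1.2 or
    newer. Pass the bundle holding the internal CA that issued the console
    certificate; None falls back to the system trust store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_context() -> ssl.SSLContext:
    """What 'Verify SSL = False' amounts to: any certificate is accepted, so an
    on-path attacker can present their own and read the API token. Staging only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def diagnose(host: str, port: int = 443, ca_bundle: Optional[str] = None) -> str:
    """Attempt the handshake with strict verification and name the fix.
    Returns 'ok', 'untrusted-issuer', 'hostname-mismatch', 'expired',
    'tls-error:<detail>' or 'unreachable'."""
    ctx = verified_context(ca_bundle)
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as err:
        reason = (err.verify_message or str(err)).lower()
        if ("self" in reason and "signed" in reason) or "local issuer" in reason:
            return "untrusted-issuer"   # export the console's CA chain and pass it as ca_bundle
        if "hostname mismatch" in reason or "doesn't match" in reason:
            return "hostname-mismatch"  # the Server URL must match a SAN on the certificate
        if "expired" in reason:
            return "expired"
        return "tls-error:" + reason
    except ssl.SSLError as err:
        return "tls-error:" + str(err)
    except OSError:
        return "unreachable"


if __name__ == "__main__":
    print(diagnose("sentinelone.example.internal", ca_bundle="/etc/pki/tls/certs/internal-ca.pem"))
```

An 'untrusted-issuer' result is the self-signed case this troubleshooting entry describes; the durable fix is to export the console's CA chain and point the verified context at it, which keeps the Verify SSL configuration parameter at its default of True.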

Playbook fails after the ingestion is triggered

There are many reasons for a playbook failure, for example, if a required field is null in the target module record, or there are problems with the Playbook Appliance keys.

Resolution:

Investigate the reason for failure using the 'Executed Playbook Logs'. Review the step in which the failure is being generated and the result of the step, which should contain the trace of the error. Once you have identified the error and if you cannot troubleshoot the error, contact Fortinet support for further assistance.

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-sentinelone

Prerequisites to configuring the connector

Minimum Permissions Required

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the SentinelOne connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

Parameter Description
Server URL Specify the URL of the SentinelOne REST endpoint to which you will connect and perform the automated operations.
API Token Specify the API token that is required to access the SentinelOne REST endpoint.
Important: The minimum role required for the user to use the API endpoint is "Site Viewer".
API Version Specify the version of the API that you are using to access the SentinelOne REST endpoint.
Verify SSL Verify SSL connection to the SentinelOne API endpoint.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations:

Function Description Annotation and Category
Get Agents Retrieves a list of agents attached to an account from SentinelOne based on the input parameters you have specified. list_agents
Investigation
Agent Action Performs the action that you specify on an agent in SentinelOne based on the action, agent IDs, and other input parameters you have specified. isolate_agent
Containment
Reconnect Agent Reconnects a disconnected agent to the network in SentinelOne based on the input parameters you have specified. reconnect_agent
Remediation
Get Agent Passphrase Retrieves an agent's passphrase to uninstall an offline agent in SentinelOne based on the agent ID you have specified. agent_passphrase
Miscellaneous
Get Agent Application Retrieves a list of applications installed on an agent in SentinelOne based on the agent ID you have specified. list_applications
Investigation
Get Agent Process Retrieves a list of processes running on an agent in SentinelOne based on the agent ID you have specified. list_processes
Investigation
Broadcast Message to Agent Broadcasts a message to a specified agent system or a list of agent systems in SentinelOne based on the agent ID, message, and other input parameters you have specified. broadcast_message
Miscellaneous
Initiate Agent Scan Initiates scanning on a specified agent system or all agents in SentinelOne based on the input parameters you have specified. scan_agent
Investigation
Abort Agent Scan Aborts a running scan on a specified agent system or all agents in SentinelOne based on the input parameters you have specified. abort_scan
Investigation
Get Hash Details Retrieve the details for a specified hash from SentinelOne based on the Hash ID you have specified. hash_details
Investigation
Get Threat Details Retrieve the details for a specified threat from SentinelOne based on the threat ID you have specified. threat_details
Investigation
Mitigate Threat Mitigates identified threats in the SentinelOne system based on the threat ID, action, and other input parameters you have specified. mitigate_threats
Remediation
Mark Threat as Benign Marks an identified threat as safe in SentinelOne based on the threat ID, target scope, and other input parameters you have specified. mark_threat_as_benign
Remediation
Fetch Agents Logs Fetches logs from the agent's system and uploads them to the SentinelOne cloud based on the input parameters you have specified. fetch_logs
Investigation
Get Agent Count Retrieves the count of agents in SentinelOne filtered by the input parameters you have specified. agent_count
Miscellaneous
List All Threats List all threats identified by SentinelOne on agents. You can additionally filter out the results by specifying the agent ID or the threat name. list_threats
Investigation
Fetch Threats List all threats or specific threats identified by SentinelOne on agents filtered by the input parameters you have specified. fetch_threats
Investigation
Create Query And Get Query ID Starts a deep visibility Query and retrieves the Query ID from SentinelOne based on the query, date range, and other input parameters you have specified. create_query
Investigation
Get Query Status Retrieves the status of the deep visibility query from SentinelOne based on the query ID you have specified. get_query_status
Investigation
Get Events Retrieves the deep visibility events associated with a query from SentinelOne based on the query ID and other input parameters you have specified. get_events
Investigation
Get Events By Type Retrieves the deep visibility events associated with a query from SentinelOne based on the query ID, event type, and other input parameters you have specified. get_events_by_type
Investigation
Cancel Running Query Stops a deep visibility query that is running on SentinelOne based on the query ID you have specified. cancel_running_query
Investigation
Get Threat Seen on Network Retrieves "seen on network" details for a specific threat in SentinelOne based on the threat ID and other input parameters you have specified. threat_seen_on_network
Investigation
Threat Forensic Details Retrieves detailed forensics data for a specific threat on SentinelOne based on the threat ID you have specified. threat_forensic_details
Investigation
Export Threat Exports a threat along with its associated threats, in CSV, RAW, or JSON format, for a specific threat in SentinelOne based on the threat ID and export format you have specified. export_forensics_threat
Investigation
Get Threat Forensics Retrieves forensics data for a specific threat in SentinelOne based on the threat ID and other input parameters you have specified. threat_forensics
Investigation
Free Text Retrieves a metadata list of all the available free-text filters in SentinelOne. free_text_filters
Investigation
Get Application Count Retrieves the count of applications from SentinelOne, grouped by risk level or by filter value, based on the input parameters you have specified. get_application_count
Investigation
Get CVEs Retrieves all known CVEs for applications from SentinelOne based on the input parameters you have specified.
Note: This is available for complete SKU only.
get_cve
Investigation
Export Applications Risk Exports installed applications and CVE list from SentinelOne based on the input parameters you have specified. This operation also creates an 'Attachment' record in FortiSOAR™. export_applications_risk
Investigation
Get Applications Retrieves a list of all installed applications per endpoint, including risk levels, from SentinelOne based on the input parameters you have specified.
Note: This is available for complete SKU only.
get_applications
Investigation
Get Application CVEs Retrieves all known CVEs for a specific application, along with application and endpoint information, from SentinelOne, based on the application ID you have specified.
Note: This is available for complete SKU only.
get_application_cve
Investigation

operation: Get Agents

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Agent IDs List of comma-separated agent IDs that you want to retrieve from SentinelOne.
Is Active Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Active".
Is Infected Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Infected".
Is Decommissioned Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Decommissioned".
Computer Name Like Retrieve only those agents whose computer name matches the specified name from SentinelOne.
Agent Memory Less Than (MB) Retrieve only those agents whose memory size is lesser than the given input from SentinelOne.
Agent Memory Greater Than (MB) Retrieve only those agents whose memory size is greater than the given input from SentinelOne.
Agent Core Count Less Than Retrieve only those agents whose core count is lesser than the given input from SentinelOne.
Agent Core Count Greater Than Retrieve only those agents whose core count is greater than the given input from SentinelOne.
Agent Version The version of the agent that you want to retrieve from SentinelOne.
Network Status Select the network status of the agent that you want to retrieve from SentinelOne. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.
Limit Records The maximum number of results, per page, that this operation should return.
Offset Skips the specified number of results (0-1000) from the total results.
Cursor The 'Cursor' parameter is used only if a previous operation had returned a partial result. If a previous response contains a cursor element, then the value of the cursor element includes a cursor parameter that specifies a starting point to use for subsequent calls. This parameter is useful when we have pagination in the response.
Additional Fields Additional fields, in the JSON format, based on which you want to retrieve agents from SentinelOne.

Output

A customized JSON output that is formatted for easy reference is the output for all the operations.

The output contains the following populated JSON schema:

Output schema when 'API Version' === v2.0
{
"data": [
{
"accountId": "",
"accountName": "",
"activeDirectory": {
"computerDistinguishedName": "",
"computerMemberOf": [],
"lastUserDistinguishedName": "",
"lastUserMemberOf": []
},
"activeThreats": "",
"agentVersion": "",
"allowRemoteShell": "",
"appsVulnerabilityStatus": "",
"computerName": "",
"consoleMigrationStatus": "",
"coreCount": "",
"cpuCount": "",
"cpuId": "",
"createdAt": "",
"domain": "",
"encryptedApplications": "",
"externalId": "",
"externalIp": "",
"groupId": "",
"groupIp": "",
"groupName": "",
"id": "",
"inRemoteShellSession": "",
"infected": "",
"installerType": "",
"isActive": "",
"isDecommissioned": "",
"isPendingUninstall": "",
"isUninstalled": "",
"isUpToDate": "",
"lastActiveDate": "",
"lastIpToMgmt": "",
"lastLoggedInUserName": "",
"licenseKey": "",
"locationType": "",
"locations": [
{
"id": "",
"name": "",
"scope": ""
}
],
"machineType": "",
"mitigationMode": "",
"mitigationModeSuspicious": "",
"modelName": "",
"networkInterfaces": [
{
"id": "",
"inet": [],
"inet6": [],
"name": "",
"physical": ""
}
],
"networkStatus": "",
"osArch": "",
"osName": "",
"osRevision": "",
"osStartTime": "",
"osType": "",
"osUsername": "",
"rangerStatus": "",
"rangerVersion": "",
"registeredAt": "",
"scanAbortedAt": "",
"scanFinishedAt": "",
"scanStartedAt": "",
"scanStatus": "",
"siteId": "",
"siteName": "",
"threatRebootRequired": "",
"totalMemory": "",
"updatedAt": "",
"userActionsNeeded": [],
"uuid": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}

Output schema when 'API Version' === v2.1
{
"data": [
{
"accountId": "",
"accountName": "",
"activeDirectory": {
"computerDistinguishedName": "",
"computerMemberOf": [],
"lastUserDistinguishedName": "",
"lastUserMemberOf": []
},
"activeThreats": "",
"agentVersion": "",
"allowRemoteShell": "",
"appsVulnerabilityStatus": "",
"cloudProviders": {},
"computerName": "",
"consoleMigrationStatus": "",
"coreCount": "",
"cpuCount": "",
"cpuId": "",
"createdAt": "",
"detectionState": "",
"domain": "",
"encryptedApplications": "",
"externalId": "",
"externalIp": "",
"firewallEnabled": "",
"firstFullModeTime": "",
"groupId": "",
"groupIp": "",
"groupName": "",
"id": "",
"inRemoteShellSession": "",
"infected": "",
"installerType": "",
"isActive": "",
"isDecommissioned": "",
"isPendingUninstall": "",
"isUninstalled": "",
"isUpToDate": "",
"lastActiveDate": "",
"lastIpToMgmt": "",
"lastLoggedInUserName": "",
"licenseKey": "",
"locationEnabled": "",
"locationType": "",
"locations": [
{
"id": "",
"name": "",
"scope": ""
}
],
"machineType": "",
"mitigationMode": "",
"mitigationModeSuspicious": "",
"modelName": "",
"networkInterfaces": [
{
"gatewayIp": "",
"gatewayMacAddress": "",
"id": "",
"inet": [],
"inet6": [],
"name": "",
"physical": ""
}
],
"networkQuarantineEnabled": "",
"networkStatus": "",
"operationalState": "",
"operationalStateExpiration": "",
"osArch": "",
"osName": "",
"osRevision": "",
"osStartTime": "",
"osType": "",
"osUsername": "",
"rangerStatus": "",
"rangerVersion": "",
"registeredAt": "",
"remoteProfilingState": "",
"remoteProfilingStateExpiration": "",
"scanAbortedAt": "",
"scanFinishedAt": "",
"scanStartedAt": "",
"scanStatus": "",
"serialNumber": "",
"siteId": "",
"siteName": "",
"storageName": "",
"storageType": "",
"tags": {
"sentinelone": [
{
"assignedAt": "",
"assignedBy": "",
"assignedById": "",
"id": "",
"key": "",
"value": ""
}
]
},
"threatRebootRequired": "",
"totalMemory": "",
"updatedAt": "",
"userActionsNeeded": [],
"uuid": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}

operation: Agent Action

Input parameters

Parameter Description
Action Select the action that you want to perform on the specified agent in SentinelOne. You can choose from the following actions: Isolate Agent Network, Decommission Agent, Uninstall Agent, or Shutdown Agent.
Agent IDs List of comma-separated agent IDs on which you want to perform actions in SentinelOne.
Group IDs (Optional) List of comma-separated agent group IDs on which you want to perform actions in SentinelOne.
Is Decommissioned Select this checkbox if the status of the agent on which you want to perform actions on SentinelOne is set as "Decommissioned".
Is Uninstalled Select this checkbox if the status of the agent on which you want to perform actions on SentinelOne is set as "Uninstalled".

Output

The output contains the following populated JSON schema:
{
"affected": ""
}

operation: Reconnect Agent

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Agent Memory Less Than (MB) Reconnects only those agents to the network in SentinelOne whose memory size is less than the given input.
Agent Memory Greater Than (MB) Reconnects only those agents to the network in SentinelOne whose memory size is greater than the given input.
Agent Core Count Less Than Reconnects only those agents to the network in SentinelOne whose core count is less than the given input.
Agent Core Count Greater Than Reconnects only those agents to the network in SentinelOne whose core count is greater than the given input.
Is Active Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Active".
Is Infected Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Infected".
Is Decommissioned Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Decommissioned".
Agent IDs List of comma-separated agent IDs that you want to reconnect to the SentinelOne network.
Computer Name Like Reconnects only those agents to the network in SentinelOne that match the specified computer name.
Agent Version The version of the agent that you want to reconnect to the SentinelOne network.
OS Type Select the OS type of the agent that you want to reconnect to the SentinelOne network. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
Network Status Select the network status of the agent that you want to reconnect to the SentinelOne network. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON contains a success message for the agents reconnected to the network.

The output contains the following populated JSON schema:
{
"affected": ""
}

operation: Get Agent Passphrase

Input parameters

Parameter Description
Agent ID The ID of the agent whose passphrase you want to retrieve from SentinelOne. The passphrase can be used to delete an offline agent from SentinelOne.
Cursor (Optional) The 'Cursor' parameter is used only if a previous operation returned a partial result. In that case the previous response contains a cursor element whose value specifies the starting point for subsequent calls. This parameter is useful when the response is paginated.
Additional Fields (Optional) Additional fields, in the JSON format, based on which you want to retrieve the agent passphrase from SentinelOne.

Output

The JSON contains a string output with the passphrase that can be used to delete an offline agent.

The output contains the following populated JSON schema:
{
"data": [
{
"computerName": "",
"domain": "",
"id": "",
"lastLoggedInUserName": "",
"passphrase": "",
"uuid": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}

operation: Get Agent Application

Input parameters

Parameter Description
Agent ID The ID of the agent whose list of installed applications you want to retrieve from SentinelOne.

Output

The JSON contains a list of application objects including information such as name, installation date, etc., about the applications installed on the specified agent.

The output contains the following populated JSON schema:
[
{
"name": "",
"size": "",
"version": "",
"publisher": "",
"installedDate": ""
}
]

operation: Get Agent Process

Input parameters

Parameter Description
Agent Id The ID of the agent whose list of running applications you want to retrieve from SentinelOne.

Output

The JSON contains a list of running processes along with the process details for the specified agent.

The output contains the following populated JSON schema:
[
{
"cpuUsage": "",
"memoryUsage": "",
"pid": "",
"executablePath": "",
"startTime": "",
"processName": ""
}
]

operation: Broadcast Message to Agent

Input parameters

Parameter Description
Message The message that you want to broadcast to an agent or a list of agents in SentinelOne.
Agent IDs List of comma-separated agent IDs in SentinelOne to whom you want to broadcast the specified message.
Agent Memory Less Than (MB) (Optional) Broadcast the message to only those agents whose memory size is less than the given input from SentinelOne.
Agent Memory Greater Than (MB) (Optional) Broadcast the message to only those agents whose memory size is greater than the given input from SentinelOne.
Agent Core Count Less Than (Optional) Broadcast the message to only those agents whose core count is less than the given input from SentinelOne.
Agent Core Count Greater Than (Optional) Broadcast the message to only those agents whose core count is greater than the given input from SentinelOne.
Is Active Select this checkbox if the status of the agent to whom you want to broadcast a message is set as "Active".
Is Infected Select this checkbox if the status of the agent to whom you want to broadcast a message is set as "Infected".
Is Decommissioned Select this checkbox if the status of the agent to whom you want to broadcast a message is set as "Decommissioned".
Computer Name Like (Optional) Broadcast the message to only those agents that match the specified computer name on SentinelOne.
Agent Version The version of the agent to whom you want to broadcast the message.
OS Type Select the OS type of the agent in the SentinelOne network to whom you want to broadcast the message. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
Network Status Select the network status of the agent in SentinelOne to whom you want to broadcast the message. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON output contains the number of agents that are affected by the broadcast operation after the query is successfully run.

The output contains the following populated JSON schema:
{
"affected": ""
}

operation: Initiate Agent Scan

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Agent Memory Less Than (MB) Initiates a scan on only those agents whose memory size is less than the given input from SentinelOne.
Agent Memory Greater Than (MB) Initiates a scan on only those agents whose memory size is greater than the given input from SentinelOne.
Agent Core Count Less Than Initiates a scan on only those agents whose core count is less than the given input from SentinelOne.
Agent Core Count Greater Than Initiates a scan on only those agents whose core count is greater than the given input from SentinelOne.
Is Active Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Active".
Is Infected Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Infected".
Is Decommissioned Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Decommissioned".
Agent IDs List of comma-separated agent IDs on which you want to initiate a scan in SentinelOne.
Computer Name Like Initiate the scan only on those agents that match the specified computer name.
Agent Version The version of the agent on which you want to initiate a scan.
OS Type Select the OS type of the agent in SentinelOne on which you want to initiate the scan. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
Network Status Select the network status of the agent in SentinelOne on which you want to initiate the scan. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON output contains the number of agents that are affected by the scan operation after the query is successfully run.

The output contains the following populated JSON schema:
{
"affected": ""
}

operation: Abort Agent Scan

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Agent Memory Less Than (MB) Aborts the scan on only those agents whose memory size is less than the given input from SentinelOne.
Agent Memory Greater Than (MB) Aborts the scan on only those agents whose memory size is greater than the given input from SentinelOne.
Agent Core Count Less Than Aborts the scan on only those agents whose core count is less than the given input from SentinelOne.
Agent Core Count Greater Than Aborts the scan on only those agents whose core count is greater than the given input from SentinelOne.
Is Active Select this checkbox if the status of the agent on which you want to abort the scan is set as "Active".
Is Infected Select this checkbox if the status of the agent on which you want to abort the scan is set as "Infected".
Is Decommissioned Select this checkbox if the status of the agent on which you want to abort the scan is set as "Decommissioned".
Agent IDs List of comma-separated agent IDs on which you want to abort the scan in SentinelOne.
Computer Name Like Abort the scan only on those agents that match the specified computer name.
Agent Version The version of the agent on which you want to abort the scan.
OS Type Select the OS type of the agent in SentinelOne on which you want to abort the scan. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
Network Status Select the network status of the agent in SentinelOne on which you want to abort the scan. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON output contains the number of agents that are affected by the abort scan operation after the query is successfully run.

The output contains the following populated JSON schema:
{
"affected": ""
}

operation: Get Hash Details

Input parameters

Parameter Description
Hash ID The hash (SHA1 only) whose details you want to retrieve from SentinelOne.

Output

The JSON contains the details of the specified hash ID.

The output contains the following populated JSON schema:
{
"rank": ""
}

operation: Get Threat Details

Input parameters

Parameter Description
Threat Id The ID of the threat whose details you want to retrieve from SentinelOne.

Output

The JSON contains the details of the specified threat ID.

The output contains the following populated JSON schema:

Output schema when 'API Version' === v2.0
{
"accountId": "",
"accountName": "",
"agentComputerName": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIp": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentNetworkStatus": "",
"agentOsType": "",
"agentVersion": "",
"annotation": "",
"automaticallyResolved": "",
"browserType": "",
"certId": "",
"classification": "",
"classificationSource": "",
"classifierName": "",
"cloudVerdict": "",
"collectionId": "",
"commandId": "",
"createdAt": "",
"createdDate": "",
"description": "",
"engines": [],
"external_ticket_id": "",
"fileContentHash": "",
"fileCreatedDate": "",
"fileDisplayName": "",
"fileExtensionType": "",
"fileIsDotNet": "",
"fileIsExecutable": "",
"fileIsSystem": "",
"fileMaliciousContent": "",
"fileObjectId": "",
"filePath": "",
"fileSha256": "",
"fileVerificationType": "",
"fromCloud": "",
"fromScan": "",
"id": "",
"indicators": [],
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"isCertValid": "",
"isInteractiveSession": "",
"isPartialStory": "",
"maliciousGroupId": "",
"maliciousProcessArguments": "",
"markedAsBenign": "",
"mitigationMode": "",
"mitigationReport": {
"kill": {
"status": ""
},
"network_quarantine": {
"status": ""
},
"quarantine": {
"status": ""
},
"remediate": {
"status": ""
},
"rollback": {
"status": ""
},
"unquarantine": {
"status": ""
}
},
"mitigationStatus": "",
"publisher": "",
"rank": "",
"resolved": "",
"siteId": "",
"siteName": "",
"threatAgentVersion": "",
"threatName": "",
"updatedAt": "",
"username": "",
"whiteningOptions": []
}

Output schema when 'API Version' === v2.1
{
"agentDetectionInfo": {
"accountId": "",
"accountName": "",
"agentDetectionState": "",
"agentDomain": "",
"agentIpV4": "",
"agentIpV6": "",
"agentLastLoggedInUpn": "",
"agentLastLoggedInUserMail": "",
"agentLastLoggedInUserName": "",
"agentMitigationMode": "",
"agentOsName": "",
"agentOsRevision": "",
"agentRegisteredAt": "",
"agentUuid": "",
"agentVersion": "",
"cloudProviders": {},
"externalIp": "",
"groupId": "",
"groupName": "",
"siteId": "",
"siteName": ""
},
"agentRealtimeInfo": {
"accountId": "",
"accountName": "",
"activeThreats": "",
"agentComputerName": "",
"agentDecommissionedAt": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentMitigationMode": "",
"agentNetworkStatus": "",
"agentOsName": "",
"agentOsRevision": "",
"agentOsType": "",
"agentUuid": "",
"agentVersion": "",
"groupId": "",
"groupName": "",
"networkInterfaces": [
{
"id": "",
"inet": [],
"inet6": [],
"name": "",
"physical": ""
}
],
"operationalState": "",
"rebootRequired": "",
"scanAbortedAt": "",
"scanFinishedAt": "",
"scanStartedAt": "",
"scanStatus": "",
"siteId": "",
"siteName": "",
"storageName": "",
"storageType": "",
"userActionsNeeded": []
},
"containerInfo": {
"id": "",
"image": "",
"labels": "",
"name": ""
},
"id": "",
"indicators": [
{
"category": "",
"description": "",
"ids": [],
"tactics": []
}
],
"kubernetesInfo": {
"cluster": "",
"controllerKind": "",
"controllerLabels": "",
"controllerName": "",
"namespace": "",
"namespaceLabels": "",
"node": "",
"pod": "",
"podLabels": ""
},
"mitigationStatus": [
{
"action": "",
"actionsCounters": {
"failed": "",
"notFound": "",
"pendingReboot": "",
"success": "",
"total": ""
},
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
},
{
"action": "",
"actionsCounters": "",
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
}
],
"threatInfo": {
"analystVerdict": "",
"analystVerdictDescription": "",
"automaticallyResolved": "",
"browserType": "",
"certificateId": "",
"classification": "",
"classificationSource": "",
"cloudFilesHashVerdict": "",
"collectionId": "",
"confidenceLevel": "",
"createdAt": "",
"detectionEngines": [
{
"key": "",
"title": ""
}
],
"detectionType": "",
"engines": [],
"externalTicketExists": "",
"externalTicketId": "",
"failedActions": "",
"fileExtension": "",
"fileExtensionType": "",
"filePath": "",
"fileSize": "",
"fileVerificationType": "",
"identifiedAt": "",
"incidentStatus": "",
"incidentStatusDescription": "",
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"initiatingUsername": "",
"isFileless": "",
"isValidCertificate": "",
"maliciousProcessArguments": "",
"md5": "",
"mitigatedPreemptively": "",
"mitigationStatus": "",
"mitigationStatusDescription": "",
"originatorProcess": "",
"pendingActions": "",
"processUser": "",
"publisherName": "",
"reachedEventsLimit": "",
"rebootRequired": "",
"sha1": "",
"sha256": "",
"storyline": "",
"threatId": "",
"threatName": "",
"updatedAt": ""
},
"whiteningOptions": []
}

operation: Mitigate Threat

Input parameters

Parameter Description
Action Select the action that you want to perform on the specified threat. You can choose from the following actions: Kill, Quarantine, Un-Quarantine, Remediate, or Rollback-Remediation.
Threat ID The ID of the threat on which you want to take the specified action.
Content Hash (Optional) The Hash ID of the file associated with the threat that requires mitigation.
Threat Name (Optional) Name of the threat that requires mitigation.
Agent ID (Optional) The ID of the agent on which the threat has been identified.
Limit Records (Optional) The maximum number of results, per page, that this operation should return.
From Scan Select this option if the threat was detected as a result of a scan.

Output

The JSON contains a message about the threat being mitigated.

The output contains the following populated JSON schema:
{
"affected": ""
}

operation: Mark Threat as Benign

Input parameters

Parameter Description
Target Scope Scope of the target that you want to mark as safe in SentinelOne.
Threat Id The ID of the threat that you want to mark as safe in SentinelOne.
Content Hash (Optional) The Hash ID of the file associated with the threat that you want to mark as safe in SentinelOne.
Threat Name (Optional) Name of the threat that you want to mark as safe in SentinelOne.
Agent Id (Optional) The ID of the agent on which the threat has been identified.
Limit Records (Optional) The maximum number of results, per page, that this operation should return.
From Scan Select this option if the threat was detected as a result of a scan.

Output

The JSON contains a message about the threat being marked as safe.

The output contains the following populated JSON schema:
{
"affected": ""
}

operation: Fetch Agents Logs

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Agent Memory Less Than (MB) Retrieve logs of only those agents whose memory size is less than the given input from SentinelOne.
Agent Memory Greater Than (MB) Retrieve logs of only those agents whose memory size is greater than the given input from SentinelOne.
Agent Core Count Less Than Retrieve logs of only those agents whose core count is less than the given input from SentinelOne.
Agent Core Count Greater Than Retrieve logs of only those agents whose core count is greater than the given input from SentinelOne.
Is Active Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Active".
Is Infected Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Infected".
Is Decommissioned Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Decommissioned".
Agent IDs List of comma-separated agent IDs whose logs you want to retrieve from SentinelOne.
Computer Name Like Retrieve logs of only those agents that match the specified computer name.
Agent Version The version of the agent whose logs you want to retrieve from SentinelOne.
OS Type Select the OS type of the agent in SentinelOne whose logs you want to retrieve. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
Network Status Select the network status of the agent in SentinelOne whose logs you want to retrieve. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON output contains the number of agents whose logs are fetched after the query is successfully run.

The output contains the following populated JSON schema:
{
"affected": ""
}

operation: Get Agent Count

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Agent Memory Less Than (MB) Retrieve counts of only those agents whose memory size is less than the given input from SentinelOne.
Agent Memory Greater Than (MB) Retrieve counts of only those agents whose memory size is greater than the given input from SentinelOne.
Agent Core Count Less Than Retrieve counts of only those agents whose core count is less than the given input from SentinelOne.
Agent Core Count Greater Than Retrieve counts of only those agents whose core count is greater than the given input from SentinelOne.
Is Active Select this checkbox if the status of the agents whose count you want to retrieve from SentinelOne is set as "Active".
Is Infected Select this checkbox if the status of the agents whose count you want to retrieve from SentinelOne is set as "Infected".
Is Decommissioned Select this checkbox if the status of the agents whose count you want to retrieve from SentinelOne is set as "Decommissioned".
Agent IDs List of comma-separated agent IDs whose count you want to retrieve from SentinelOne.
Computer Name Like Retrieve the count of only those agents that match the specified computer name.
Agent Version The version of the agents whose counts you want to retrieve from SentinelOne.
OS Type Select the OS type of the agent in SentinelOne whose counts you want to retrieve. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux.
Network Status Select the network status of the agent in SentinelOne whose counts you want to retrieve. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting.

Output

The JSON output contains the number of available agents.

The output contains the following populated JSON schema:
{
"total": ""
}

operation: List All Threats

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Agent ID The ID of the agent whose threats you want to list.
Created After Specify the Datetime using which you want to filter the result set to include only those items that have been created after the specified timestamp.
Updated After Specify the Datetime using which you want to filter the result set to include only those items that have been updated after the specified timestamp.
Content Hash The Hash ID of the file associated with the threat.
Threat Name The name of the threat that you want to search for on all agents on SentinelOne.
Limit Records The maximum number of results, per page, that this operation should return.
Offset Skips the specified number of results (0-1000) from the total results.
Cursor The 'Cursor' parameter is used only if a previous operation returned a partial result. In that case the previous response contains a cursor element whose value specifies the starting point for subsequent calls. This parameter is useful when the response is paginated.
Additional Fields Additional fields, in the JSON format, based on which you want to retrieve threats from SentinelOne.
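The cursor pagination described for the Cursor parameter of Get Agents and List All Threats (feed pagination.nextCursor from one response back in as the Cursor of the next call until it comes back empty) is easy to get wrong in a playbook loop. The following is an added example, not connector code: fetch_page is a hypothetical callable standing in for the connector's Get Agents or List All Threats call, the in-memory server and its records are constructed for illustration, and the cursor format "c:<offset>" is an assumption of that stand-in, not SentinelOne's real cursor encoding.

```python
"""Cursor-based pagination over responses shaped like this connector's
Get Agents / List All Threats output: {"data": [...], "pagination":
{"nextCursor": ..., "totalItems": ...}}. Added example, not connector code.
"""
from typing import Callable, Dict, List, Optional, Tuple

Page = Dict[str, object]
# Hypothetical stand-in for the connector call: (cursor, limit) -> page dict.
FetchPage = Callable[[Optional[str], int], Page]


def fetch_all(fetch_page: FetchPage, limit: int = 100, max_pages: int = 1000) -> List[dict]:
    """Collect every record by passing pagination.nextCursor back as Cursor.

    Stops when nextCursor is empty or null. Two defensive checks matter in an
    automated playbook: a cursor that repeats (the loop would never end) and a
    hard page cap (a misbehaving upstream cannot keep the playbook running).
    """
    items: List[dict] = []
    cursor: Optional[str] = None
    seen: set = set()
    for _ in range(max_pages):
        page = fetch_page(cursor, limit)
        items.extend(page.get("data") or [])
        pagination = page.get("pagination") or {}
        next_cursor = pagination.get("nextCursor") or None
        if not next_cursor:
            # Last page: cross-check against totalItems when the server gives it
            # as a number (the schema above shows it as a string placeholder).
            total = pagination.get("totalItems")
            if isinstance(total, int) and total != len(items):
                raise RuntimeError(f"expected {total} items, collected {len(items)}")
            return items
        if next_cursor in seen:
            raise RuntimeError(f"cursor {next_cursor!r} repeated; aborting to avoid a loop")
        seen.add(next_cursor)
        cursor = next_cursor
    raise RuntimeError(f"gave up after {max_pages} pages")


def safe_fetch_all(fetch_page: FetchPage, limit: int = 100) -> Tuple[List[dict], Optional[str]]:
    """Playbook-friendly wrapper: returns (items, error) instead of raising."""
    try:
        return fetch_all(fetch_page, limit), None
    except RuntimeError as exc:
        return [], str(exc)


def make_fake_server(records: List[dict]) -> FetchPage:
    """Constructed stand-in for SentinelOne that serves `records` in pages.

    The cursor format "c:<offset>" is an assumption of this stand-in only.
    """
    def fetch_page(cursor: Optional[str], limit: int) -> Page:
        start = int(cursor.split(":")[1]) if cursor else 0
        chunk = records[start:start + limit]
        end = start + len(chunk)
        return {
            "data": chunk,
            "pagination": {
                "nextCursor": f"c:{end}" if end < len(records) else None,
                "totalItems": len(records),
            },
        }
    return fetch_page


def make_stuck_server() -> FetchPage:
    """Constructed misbehaving server: always hands back the same cursor."""
    def fetch_page(cursor: Optional[str], limit: int) -> Page:
        return {"data": [{"id": "agt-x"}], "pagination": {"nextCursor": "c:0", "totalItems": 99}}
    return fetch_page


# Constructed sample agents (ids and names are placeholders, not real data).
SAMPLE_AGENTS: List[dict] = [
    {"id": f"agt-{n}", "computerName": f"host-{n:02d}", "infected": n % 3 == 0}
    for n in range(1, 8)
]

if __name__ == "__main__":
    agents = fetch_all(make_fake_server(SAMPLE_AGENTS), limit=3)
    print(f"collected {len(agents)} agents over cursor pages")
    _, err = safe_fetch_all(make_stuck_server(), limit=1)
    print(f"stuck server handled: {err}")
```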

Output

The JSON contains the objects of the threats that are found after the query is successfully run.

The output contains the following populated JSON schema:

Output schema when 'API Version' === v2.0
{
"data": [
{
"accountId": "",
"accountName": "",
"agentComputerName": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIp": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentNetworkStatus": "",
"agentOsType": "",
"agentVersion": "",
"annotation": "",
"automaticallyResolved": "",
"browserType": "",
"certId": "",
"classification": "",
"classificationSource": "",
"classifierName": "",
"cloudVerdict": "",
"collectionId": "",
"commandId": "",
"createdAt": "",
"createdDate": "",
"description": "",
"engines": [],
"external_ticket_id": "",
"fileContentHash": "",
"fileCreatedDate": "",
"fileDisplayName": "",
"fileExtensionType": "",
"fileIsDotNet": "",
"fileIsExecutable": "",
"fileIsSystem": "",
"fileMaliciousContent": "",
"fileObjectId": "",
"filePath": "",
"fileSha256": "",
"fileVerificationType": "",
"fromCloud": "",
"fromScan": "",
"id": "",
"indicators": [],
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"isCertValid": "",
"isInteractiveSession": "",
"isPartialStory": "",
"maliciousGroupId": "",
"maliciousProcessArguments": "",
"markedAsBenign": "",
"mitigationMode": "",
"mitigationReport": {
"kill": {
"status": ""
},
"network_quarantine": {
"status": ""
},
"quarantine": {
"status": ""
},
"remediate": {
"status": ""
},
"rollback": {
"status": ""
},
"unquarantine": {
"status": ""
}
},
"mitigationStatus": "",
"publisher": "",
"rank": "",
"resolved": "",
"siteId": "",
"siteName": "",
"threatAgentVersion": "",
"threatName": "",
"updatedAt": "",
"username": "",
"whiteningOptions": []
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}

Output schema when 'API Version' === v2.1
{
"data": [
{
"agentDetectionInfo": {
"accountId": "",
"accountName": "",
"agentDetectionState": "",
"agentDomain": "",
"agentIpV4": "",
"agentIpV6": "",
"agentLastLoggedInUpn": "",
"agentLastLoggedInUserMail": "",
"agentLastLoggedInUserName": "",
"agentMitigationMode": "",
"agentOsName": "",
"agentOsRevision": "",
"agentRegisteredAt": "",
"agentUuid": "",
"agentVersion": "",
"cloudProviders": {},
"externalIp": "",
"groupId": "",
"groupName": "",
"siteId": "",
"siteName": ""
},
"agentRealtimeInfo": {
"accountId": "",
"accountName": "",
"activeThreats": "",
"agentComputerName": "",
"agentDecommissionedAt": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentMitigationMode": "",
"agentNetworkStatus": "",
"agentOsName": "",
"agentOsRevision": "",
"agentOsType": "",
"agentUuid": "",
"agentVersion": "",
"groupId": "",
"groupName": "",
"networkInterfaces": [
{
"id": "",
"inet": [],
"inet6": [],
"name": "",
"physical": ""
}
],
"operationalState": "",
"rebootRequired": "",
"scanAbortedAt": "",
"scanFinishedAt": "",
"scanStartedAt": "",
"scanStatus": "",
"siteId": "",
"siteName": "",
"storageName": "",
"storageType": "",
"userActionsNeeded": []
},
"containerInfo": {
"id": "",
"image": "",
"labels": "",
"name": ""
},
"id": "",
"indicators": [
{
"category": "",
"description": "",
"ids": [],
"tactics": []
}
],
"kubernetesInfo": {
"cluster": "",
"controllerKind": "",
"controllerLabels": "",
"controllerName": "",
"namespace": "",
"namespaceLabels": "",
"node": "",
"pod": "",
"podLabels": ""
},
"mitigationStatus": [
{
"action": "",
"actionsCounters": {
"failed": "",
"notFound": "",
"pendingReboot": "",
"success": "",
"total": ""
},
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
},
{
"action": "",
"actionsCounters": "",
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
}
],
"threatInfo": {
"analystVerdict": "",
"analystVerdictDescription": "",
"automaticallyResolved": "",
"browserType": "",
"certificateId": "",
"classification": "",
"classificationSource": "",
"cloudFilesHashVerdict": "",
"collectionId": "",
"confidenceLevel": "",
"createdAt": "",
"detectionEngines": [
{
"key": "",
"title": ""
}
],
"detectionType": "",
"engines": [],
"externalTicketExists": "",
"externalTicketId": "",
"failedActions": "",
"fileExtension": "",
"fileExtensionType": "",
"filePath": "",
"fileSize": "",
"fileVerificationType": "",
"identifiedAt": "",
"incidentStatus": "",
"incidentStatusDescription": "",
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"initiatingUsername": "",
"isFileless": "",
"isValidCertificate": "",
"maliciousProcessArguments": "",
"md5": "",
"mitigatedPreemptively": "",
"mitigationStatus": "",
"mitigationStatusDescription": "",
"originatorProcess": "",
"pendingActions": "",
"processUser": "",
"publisherName": "",
"reachedEventsLimit": "",
"rebootRequired": "",
"sha1": "",
"sha256": "",
"storyline": "",
"threatId": "",
"threatName": "",
"updatedAt": ""
},
"whiteningOptions": []
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}

operation: Fetch Threats

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Created After Specify the datetime used to filter the result set so that it includes only items created after the specified timestamp.
Updated After Specify the datetime used to filter the result set so that it includes only items updated after the specified timestamp.
Query A free-text search term that is matched (sub-string match) against the applicable attributes in SentinelOne, to select the threats to retrieve.
Additional Fields Additional fields, in the JSON format, based on which you want to retrieve threats from SentinelOne.

Output

The output contains the following populated JSON schema:

Output schema when 'API Version' === v2.0
{
"data": [
{
"accountId": "",
"accountName": "",
"agentComputerName": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIp": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentNetworkStatus": "",
"agentOsType": "",
"agentVersion": "",
"annotation": "",
"automaticallyResolved": "",
"browserType": "",
"certId": "",
"classification": "",
"classificationSource": "",
"classifierName": "",
"cloudVerdict": "",
"collectionId": "",
"commandId": "",
"createdAt": "",
"createdDate": "",
"description": "",
"engines": [],
"external_ticket_id": "",
"fileContentHash": "",
"fileCreatedDate": "",
"fileDisplayName": "",
"fileExtensionType": "",
"fileIsDotNet": "",
"fileIsExecutable": "",
"fileIsSystem": "",
"fileMaliciousContent": "",
"fileObjectId": "",
"filePath": "",
"fileSha256": "",
"fileVerificationType": "",
"fromCloud": "",
"fromScan": "",
"id": "",
"indicators": [],
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"isCertValid": "",
"isInteractiveSession": "",
"isPartialStory": "",
"maliciousGroupId": "",
"maliciousProcessArguments": "",
"markedAsBenign": "",
"mitigationMode": "",
"mitigationReport": {
"kill": {
"status": ""
},
"network_quarantine": {
"status": ""
},
"quarantine": {
"status": ""
},
"remediate": {
"status": ""
},
"rollback": {
"status": ""
},
"unquarantine": {
"status": ""
}
},
"mitigationStatus": "",
"publisher": "",
"rank": "",
"resolved": "",
"siteId": "",
"siteName": "",
"threatAgentVersion": "",
"threatName": "",
"updatedAt": "",
"username": "",
"whiteningOptions": []
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}

Output schema when 'API Version' === v2.1
{
"data": [
{
"agentDetectionInfo": {
"accountId": "",
"accountName": "",
"agentDetectionState": "",
"agentDomain": "",
"agentIpV4": "",
"agentIpV6": "",
"agentLastLoggedInUpn": "",
"agentLastLoggedInUserMail": "",
"agentLastLoggedInUserName": "",
"agentMitigationMode": "",
"agentOsName": "",
"agentOsRevision": "",
"agentRegisteredAt": "",
"agentUuid": "",
"agentVersion": "",
"cloudProviders": {},
"externalIp": "",
"groupId": "",
"groupName": "",
"siteId": "",
"siteName": ""
},
"agentRealtimeInfo": {
"accountId": "",
"accountName": "",
"activeThreats": "",
"agentComputerName": "",
"agentDecommissionedAt": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentMitigationMode": "",
"agentNetworkStatus": "",
"agentOsName": "",
"agentOsRevision": "",
"agentOsType": "",
"agentUuid": "",
"agentVersion": "",
"groupId": "",
"groupName": "",
"networkInterfaces": [
{
"id": "",
"inet": [],
"inet6": [],
"name": "",
"physical": ""
}
],
"operationalState": "",
"rebootRequired": "",
"scanAbortedAt": "",
"scanFinishedAt": "",
"scanStartedAt": "",
"scanStatus": "",
"siteId": "",
"siteName": "",
"storageName": "",
"storageType": "",
"userActionsNeeded": []
},
"containerInfo": {
"id": "",
"image": "",
"labels": "",
"name": ""
},
"id": "",
"indicators": [
{
"category": "",
"description": "",
"ids": [],
"tactics": []
}
],
"kubernetesInfo": {
"cluster": "",
"controllerKind": "",
"controllerLabels": "",
"controllerName": "",
"namespace": "",
"namespaceLabels": "",
"node": "",
"pod": "",
"podLabels": ""
},
"mitigationStatus": [
{
"action": "",
"actionsCounters": {
"failed": "",
"notFound": "",
"pendingReboot": "",
"success": "",
"total": ""
},
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
},
{
"action": "",
"actionsCounters": "",
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
}
],
"threatInfo": {
"analystVerdict": "",
"analystVerdictDescription": "",
"automaticallyResolved": "",
"browserType": "",
"certificateId": "",
"classification": "",
"classificationSource": "",
"cloudFilesHashVerdict": "",
"collectionId": "",
"confidenceLevel": "",
"createdAt": "",
"detectionEngines": [
{
"key": "",
"title": ""
}
],
"detectionType": "",
"engines": [],
"externalTicketExists": "",
"externalTicketId": "",
"failedActions": "",
"fileExtension": "",
"fileExtensionType": "",
"filePath": "",
"fileSize": "",
"fileVerificationType": "",
"identifiedAt": "",
"incidentStatus": "r",
"incidentStatusDescription": "",
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"initiatingUsername": "",
"isFileless": "",
"isValidCertificate": "",
"maliciousProcessArguments": "",
"md5": "",
"mitigatedPreemptively": "",
"mitigationStatus": "",
"mitigationStatusDescription": "",
"originatorProcess": "",
"pendingActions": "",
"processUser": "",
"publisherName": "",
"reachedEventsLimit": "",
"rebootRequired": "",
"sha1": "",
"sha256": "",
"storyline": "",
"threatId": "",
"threatName": "",
"updatedAt": ""
},
"whiteningOptions": []
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
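As an added example (not code from the FortiSOAR connector or from SentinelOne), the following Python normalizes 'Fetch Threats' records from both output schemas above, the flat v2.0 shape and the nested v2.1 shape, into one record and flags the threats a playbook should escalate. The field names are the ones in the schemas; the sample responses, their values and the normalized field names are constructed.

```python
from typing import Any, Dict, List

# Constructed sample response in the v2.0 (flat) 'Fetch Threats' shape.
V20_RESPONSE: Dict[str, Any] = {
    "data": [{
        "id": "1000000000000000001",
        "agentComputerName": "WS-FIN-01",
        "threatName": "Sample.Threat.A",
        "fileSha256": "a" * 64,
        "filePath": "C:\\Users\\alice\\Downloads\\sample_a.exe",
        "mitigationStatus": "mitigated",
        "resolved": False,
        "createdAt": "2024-01-01T10:00:00.000000Z",
    }],
    "pagination": {"nextCursor": None, "totalItems": 1},
}

# Constructed sample response in the v2.1 (nested) 'Fetch Threats' shape.
V21_RESPONSE: Dict[str, Any] = {
    "data": [{
        "id": "1000000000000000002",
        "agentRealtimeInfo": {"agentComputerName": "SRV-DB-02"},
        "threatInfo": {
            "threatName": "Sample.Threat.B",
            "sha256": "b" * 64,
            "filePath": "/tmp/sample_b",
            "mitigationStatus": "not_mitigated",
            "incidentStatus": "unresolved",
            "createdAt": "2024-01-02T11:00:00.000000Z",
        },
        # One entry per mitigation action. The schema shows actionsCounters
        # may also be an empty string, which the code below must tolerate.
        "mitigationStatus": [
            {"action": "kill", "status": "success",
             "actionsCounters": {"failed": 0, "success": 1, "total": 1}},
            {"action": "quarantine", "status": "failed",
             "actionsCounters": {"failed": 1, "success": 0, "total": 1}},
            {"action": "rollback", "status": "", "actionsCounters": ""},
        ],
    }],
    "pagination": {"nextCursor": None, "totalItems": 1},
}


def _failed_actions(mitigations: Any) -> List[str]:
    """Names of v2.1 mitigation actions whose 'failed' counter is non-zero."""
    failed = []
    for entry in mitigations or []:
        counters = entry.get("actionsCounters") or {}   # "" or missing -> {}
        if int(counters.get("failed") or 0) > 0:
            failed.append(entry.get("action"))
    return failed


def normalize_threat(record: Dict[str, Any], api_version: str) -> Dict[str, Any]:
    """Map one threat record from either schema to one playbook-friendly shape."""
    if api_version == "2.0":
        return {
            "threat_id": record.get("id"),
            "agent_name": record.get("agentComputerName"),
            "threat_name": record.get("threatName"),
            "sha256": record.get("fileSha256"),
            "file_path": record.get("filePath"),
            "mitigation_status": record.get("mitigationStatus"),
            "resolved": bool(record.get("resolved")),
            "failed_actions": [],          # v2.0 carries no per-action counters
            "created_at": record.get("createdAt"),
        }
    if api_version == "2.1":
        agent = record.get("agentRealtimeInfo") or {}
        info = record.get("threatInfo") or {}
        return {
            "threat_id": record.get("id"),
            "agent_name": agent.get("agentComputerName"),
            "threat_name": info.get("threatName"),
            "sha256": info.get("sha256"),
            "file_path": info.get("filePath"),
            "mitigation_status": info.get("mitigationStatus"),
            "resolved": info.get("incidentStatus") == "resolved",
            "failed_actions": _failed_actions(record.get("mitigationStatus")),
            "created_at": info.get("createdAt"),
        }
    raise ValueError(f"unsupported SentinelOne API version: {api_version!r}")


def normalize_response(response: Dict[str, Any], api_version: str) -> List[Dict[str, Any]]:
    """Normalize every record in one 'Fetch Threats' page."""
    return [normalize_threat(r, api_version) for r in response.get("data") or []]


def needs_attention(threats: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Threats to escalate: still unresolved, or at least one mitigation action failed."""
    return [t for t in threats if not t["resolved"] or t["failed_actions"]]
```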

operation: Create Query And Get Query ID

Input parameters

Parameter Description
Query A free-text search term that is matched (sub-string match) against the applicable attributes in SentinelOne; the query ID is created for this search.
From Date The start date of the query, from which you want to retrieve the query ID from SentinelOne.
To Date The end date of the query, up to which you want to retrieve the query ID from SentinelOne.
Group IDs (Optional) List of comma-separated agent group IDs based on which you want to retrieve the query ID from SentinelOne.
Tenant Select this checkbox to indicate a tenant scope in the query.
Query Type (Optional) Type of query used by Deep Visibility in SentinelOne.
Account IDs (Optional) List of comma-separated agent account IDs based on which you want to retrieve the query ID from SentinelOne.
Site IDs (Optional) List of comma-separated agent site IDs based on which you want to retrieve the query ID from SentinelOne.

Output

The output contains the following populated JSON schema:
{
"queryId": "",
"queryModeInfo": {
"lastActivatedAt": "",
"mode": ""
}
}

operation: Get Query Status

Input parameters

Parameter Description
Query ID The ID of the query whose status you want to retrieve from SentinelOne. When you create a query in SentinelOne, you get its query ID.

Output

The output contains the following populated JSON schema:
{
"progressStatus": "",
"queryModeInfo": {
"lastActivatedAt": "",
"mode": ""
},
"responseState": "",
"warnings": ""
}

operation: Get Events

Input parameters

Parameter Description
Query ID The ID of the query whose associated events you want to retrieve from SentinelOne. When you create a query in SentinelOne, you get its query ID.
Limit Records (Optional) The maximum number of results, per page, that this operation should return.
Offset (Optional) Skips the specified number of results (0-1000) from the total results.
Cursor (Optional) Use this parameter only if a previous call returned a partial result. In that case the response's pagination element contains a nextCursor value; pass it here as the starting point for the next call.
Sort By (Optional) Name of the field on which you want to sort the result (events).
Sort Order (Optional) The sorting order of the results (events). You can choose between Ascending and Descending.
Sub Query (Optional) The sub-query that you want to run on the already pulled data.

Output

The output contains the following populated JSON schema:
{
"data": [
{
"accountId": "",
"activeContentFileId": "",
"activeContentHash": "",
"activeContentPath": "",
"activeContentSignedStatus": "",
"activeContentType": "",
"agentDomain": "",
"agentGroupId": "",
"agentId": "",
"agentInfected": "",
"agentIp": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentName": "",
"agentNetworkStatus": "",
"agentOs": "",
"agentTimestamp": "",
"agentUuid": "",
"agentVersion": "",
"childProcCount": "",
"containerId": "",
"containerImage": "",
"containerLabels": "",
"containerName": "",
"createdAt": "",
"crossProcCount": "",
"crossProcDupRemoteProcHandleCount": "",
"crossProcDupThreadHandleCount": "",
"crossProcOpenProcCount": "",
"crossProcOutOfStorylineCount": "",
"crossProcThreadCreateCount": "",
"dnsCount": "",
"endpointMachineType": "",
"endpointName": "",
"endpointOs": "",
"eventIndex": "",
"eventRepetitionCount": "",
"eventTime": "",
"eventType": "",
"fileIsExecutable": "",
"fileMd5": "",
"fileSha256": "",
"id": "",
"indicatorBootConfigurationUpdateCount": "",
"indicatorEvasionCount": "",
"indicatorExploitationCount": "",
"indicatorGeneralCount": "",
"indicatorInfostealerCount": "",
"indicatorInjectionCount": "",
"indicatorPersistenceCount": "",
"indicatorPostExploitationCount": "",
"indicatorRansomwareCount": "",
"indicatorReconnaissanceCount": "",
"isAgentVersionFullySupportedForPg": "",
"isAgentVersionFullySupportedForPgMessage": "",
"k8sClusterName": "",
"k8sControllerLabels": "",
"k8sControllerName": "",
"k8sControllerType": "",
"k8sNamespace": "",
"k8sNamespaceLabels": "",
"k8sNode": "",
"k8sPodLabels": "",
"k8sPodName": "",
"lastActivatedAt": "",
"metaEventName": "",
"moduleCount": "",
"netConnCount": "",
"netConnInCount": "",
"netConnOutCount": "",
"objectType": "",
"osSrcChildProcCount": "",
"osSrcCrossProcCount": "",
"osSrcCrossProcDupRemoteProcHandleCount": "",
"osSrcCrossProcDupThreadHandleCount": "",
"osSrcCrossProcOpenProcCount": "",
"osSrcCrossProcOutOfStorylineCount": "",
"osSrcCrossProcThreadCreateCount": "",
"osSrcDnsCount": "",
"osSrcIndicatorBootConfigurationUpdateCount": "",
"osSrcIndicatorEvasionCount": "",
"osSrcIndicatorExploitationCount": "",
"osSrcIndicatorGeneralCount": "",
"osSrcIndicatorInfostealerCount": "",
"osSrcIndicatorInjectionCount": "",
"osSrcIndicatorPersistenceCount": "",
"osSrcIndicatorPostExploitationCount": "",
"osSrcIndicatorRansomwareCount": "",
"osSrcIndicatorReconnaissanceCount": "",
"osSrcModuleCount": "",
"osSrcNetConnCount": "",
"osSrcNetConnInCount": "",
"osSrcNetConnOutCount": "",
"osSrcProcActiveContentFileId": "",
"osSrcProcActiveContentHash": "",
"osSrcProcActiveContentPath": "",
"osSrcProcActiveContentSignedStatus": "",
"osSrcProcActiveContentType": "",
"osSrcProcBinaryisExecutable": "",
"osSrcProcCmdLine": "",
"osSrcProcDisplayName": "",
"osSrcProcImageMd5": "",
"osSrcProcImagePath": "",
"osSrcProcImageSha1": "",
"osSrcProcImageSha256": "",
"osSrcProcIntegrityLevel": "",
"osSrcProcIsNative64Bit": "",
"osSrcProcIsRedirectCmdProcessor": "",
"osSrcProcIsStorylineRoot": "",
"osSrcProcName": "",
"osSrcProcParentActiveContentFileId": "",
"osSrcProcParentActiveContentHash": "",
"osSrcProcParentActiveContentPath": "",
"osSrcProcParentActiveContentSignedStatus": "",
"osSrcProcParentActiveContentType": "",
"osSrcProcParentCmdLine": "",
"osSrcProcParentDisplayName": "",
"osSrcProcParentImageMd5": "",
"osSrcProcParentImagePath": "",
"osSrcProcParentImageSha1": "",
"osSrcProcParentImageSha256": "",
"osSrcProcParentIntegrityLevel": "",
"osSrcProcParentIsNative64Bit": "",
"osSrcProcParentIsRedirectCmdProcessor": "",
"osSrcProcParentIsStorylineRoot": "",
"osSrcProcParentName": "",
"osSrcProcParentPid": "",
"osSrcProcParentPublisher": "",
"osSrcProcParentReasonSignatureInvalid": "",
"osSrcProcParentSessionId": "",
"osSrcProcParentSignedStatus": "",
"osSrcProcParentStartTime": "",
"osSrcProcParentStorylineId": "",
"osSrcProcParentUid": "",
"osSrcProcParentUser": "",
"osSrcProcPid": "",
"osSrcProcPublisher": "",
"osSrcProcReasonSignatureInvalid": "",
"osSrcProcRelatedToThreat": "",
"osSrcProcSessionId": "",
"osSrcProcSignedStatus": "",
"osSrcProcStartTime": "",
"osSrcProcStorylineId": "",
"osSrcProcSubsystem": "",
"osSrcProcUid": "",
"osSrcProcUser": "",
"osSrcProcVerifiedStatus": "",
"osSrcRegistryChangeCount": "",
"osSrcTgtFileCreationCount": "",
"osSrcTgtFileDeletionCount": "",
"osSrcTgtFileModificationCount": "",
"parentPid": "",
"parentProcessName": "",
"parentProcessStartTime": "",
"parentProcessUniqueKey": "",
"pid": "",
"processCmd": "",
"processDisplayName": "",
"processGroupId": "",
"processImagePath": "",
"processImageSha1Hash": "",
"processIntegrityLevel": "",
"processIsRedirectedCommandProcessor": "",
"processIsWow64": "",
"processName": "",
"processRoot": "",
"processSessionId": "",
"processStartTime": "",
"processSubSystem": "",
"processUniqueKey": "",
"publisher": "",
"registryChangeCount": "",
"relatedToThreat": "",
"retentionPeriod": "",
"rpid": "",
"signatureSignedInvalidReason": "",
"signedStatus": "",
"siteId": "",
"siteName": "",
"srcProcActiveContentFileId": "",
"srcProcActiveContentHash": "",
"srcProcActiveContentPath": "",
"srcProcActiveContentSignedStatus": "",
"srcProcActiveContentType": "",
"srcProcBinaryisExecutable": "",
"srcProcCmdLine": "",
"srcProcDisplayName": "",
"srcProcImageMd5": "",
"srcProcImagePath": "",
"srcProcImageSha1": "",
"srcProcImageSha256": "",
"srcProcIntegrityLevel": "",
"srcProcIsNative64Bit": "",
"srcProcIsRedirectCmdProcessor": "",
"srcProcIsStorylineRoot": "",
"srcProcName": "",
"srcProcParentActiveContentFileId": "",
"srcProcParentActiveContentHash": "",
"srcProcParentActiveContentPath": "",
"srcProcParentActiveContentSignedStatus": "",
"srcProcParentActiveContentType": "",
"srcProcParentCmdLine": "",
"srcProcParentDisplayName": "",
"srcProcParentImageMd5": "",
"srcProcParentImagePath": "",
"srcProcParentImageSha1": "",
"srcProcParentImageSha256": "",
"srcProcParentIntegrityLevel": "",
"srcProcParentIsNative64Bit": "",
"srcProcParentIsRedirectCmdProcessor": "",
"srcProcParentIsStorylineRoot": "",
"srcProcParentName": "",
"srcProcParentPid": "",
"srcProcParentProcUid": "",
"srcProcParentPublisher": "",
"srcProcParentReasonSignatureInvalid": "",
"srcProcParentSessionId": "",
"srcProcParentSignedStatus": "",
"srcProcParentStartTime": "",
"srcProcParentStorylineId": "",
"srcProcParentUid": "",
"srcProcParentUser": "",
"srcProcPid": "",
"srcProcPublisher": "",
"srcProcReasonSignatureInvalid": "",
"srcProcRelatedToThreat": "",
"srcProcRpid": "",
"srcProcSessionId": "",
"srcProcSignedStatus": "",
"srcProcStartTime": "",
"srcProcStorylineId": "",
"srcProcSubsystem": "",
"srcProcTid": "",
"srcProcUid": "",
"srcProcUser": "",
"srcProcVerifiedStatus": "",
"storyline": "",
"tgtFileCreationCount": "",
"tgtFileDeletionCount": "",
"tgtFileModificationCount": "",
"tgtPid": "",
"tgtProcAccessRights": "",
"tgtProcActiveContentFileId": "",
"tgtProcActiveContentHash": "",
"tgtProcActiveContentPath": "",
"tgtProcActiveContentSignedStatus": "",
"tgtProcActiveContentType": "",
"tgtProcBinaryisExecutable": "",
"tgtProcCmdLine": "",
"tgtProcDisplayName": "",
"tgtProcImageMd5": "",
"tgtProcImagePath": "",
"tgtProcImageSha1": "",
"tgtProcImageSha256": "",
"tgtProcIntegrityLevel": "",
"tgtProcIsNative64Bit": "",
"tgtProcIsRedirectCmdProcessor": "",
"tgtProcIsStorylineRoot": "",
"tgtProcName": "",
"tgtProcPid": "",
"tgtProcPublisher": "",
"tgtProcReasonSignatureInvalid": "",
"tgtProcRelation": "",
"tgtProcSessionId": "",
"tgtProcSignedStatus": "",
"tgtProcStartTime": "",
"tgtProcStorylineId": "",
"tgtProcSubsystem": "",
"tgtProcUid": "",
"tgtProcUser": "",
"tgtProcVerifiedStatus": "",
"tiOriginalEventId": "",
"tiOriginalEventIndex": "",
"tiOriginalEventTraceId": "",
"tid": "",
"tiindicatorRelatedEventTime": "",
"traceId": "",
"trueContext": "",
"user": "",
"verifiedStatus": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}

operation: Get Events By Type

Input parameters

Parameter Description
Query ID The ID of the query whose associated events you want to retrieve from SentinelOne. When you create a query in SentinelOne, you get its query ID.
Event Type Event type by which you want to filter the results (events). You can choose between the following event types: Events, File, Ip, Url, Dns, Process, Registry, Scheduled task, Logins, or Indicators.
Limit Records (Optional) The maximum number of results, per page, that this operation should return.
Offset (Optional) Skips the specified number of results (0-1000) from the total results.
Cursor (Optional) Use this parameter only if a previous call returned a partial result. In that case the response's pagination element contains a nextCursor value; pass it here as the starting point for the next call.
Sort Order (Optional) The sorting order of the results (events). You can choose between Ascending and Descending.
Sort By (Optional) Name of the field on which you want to sort the result (events).
Sub Query (Optional) The sub-query that you want to run on the already pulled data.

Output

The output contains the following populated JSON schema:
{
"data": {
"agentGroupId": "",
"indicatorCategory": "",
"indicatorDescription": "",
"agentUuid": "",
"fileId": "",
"loginsBaseType": "",
"processName": "",
"agentIp": "",
"threatStatus": "",
"processSubSystem": "",
"direction": "",
"processImagePath": "",
"agentIsActive": "",
"agentVersion": "",
"parentProcessName": "",
"agentInfected": "",
"indicatorMetadata": "",
"processIsMalicious": "",
"srcPort": "",
"user": "",
"processStartTime": "",
"siteName": "",
"agentName": "",
"md5": "",
"sha1": "",
"registryId": "",
"fileSha1": "",
"id": "",
"sha256": "",
"processCmd": "",
"networkMethod": "",
"indicatorName": "",
"parentProcessGroupId": "",
"taskName": "",
"srcIp": "",
"registryPath": "",
"parentPid": "",
"parentProcessUniqueKey": "",
"agentMachineType": "",
"dnsResponse": "",
"tid": "",
"processSessionId": "",
"networkUrl": "",
"eventSubType": "",
"createdAt": "",
"dstPort": "",
"processUserName": "",
"agentDomain": "",
"fileSha256": "",
"processDisplayName": "",
"agentNetworkStatus": "",
"loginsUserName": "",
"signer": "",
"rpid": "",
"taskPath": "",
"pid": "",
"processIntegrityLevel": "",
"oldFileMd5": "",
"relatedToThreat": "",
"oldFileSha1": "",
"processGroupId": "",
"networkSource": "",
"fileMd5": "",
"oldFileSha256": "",
"agentOs": "",
"oldFileName": "",
"eventType": "",
"agentIsDecommissioned": "",
"parentProcessStartTime": "",
"processImageSha1Hash": "",
"trueContext": "",
"parentProcessIsMalicious": "",
"dnsRequest": "",
"fileFullName": "",
"dstIp": "",
"processUniqueKey": "",
"forensicUrl": "",
"agentId": ""
},
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}

operation: Cancel Running Query

Input parameters

Parameter Description
Query ID The ID of the Deep Visibility query that you want to stop in SentinelOne. When you create a query in SentinelOne, you get its query ID.

Output

The output contains the following populated JSON schema:
{
"success": ""
}
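The Deep Visibility operations above form one procedure: Create Query And Get Query ID, poll Get Query Status, page through Get Events with the Cursor, and Cancel Running Query if the query overruns. The Python below is an added example, not the connector's code, and runs that procedure against an in-memory stand-in client; the stand-in, the status values RUNNING and FINISHED, the query text and the sample events are assumptions, while the field names follow the output schemas on this page.

```python
import time
from typing import Any, Dict, List, Optional

# Constructed sample events, shaped like the 'Get Events' data items on this page.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"id": f"evt-{i}", "eventType": "Process Creation", "processName": name,
     "agentName": "WS-FIN-01", "fileSha256": hex(i)[2:].rjust(64, "0")}
    for i, name in enumerate(["cmd.exe", "notepad.exe", "explorer.exe",
                              "svchost.exe", "calc.exe"], start=1)
]


class FakeSentinelOneClient:
    """Offline stand-in for the four Deep Visibility operations (an assumption,
    not the connector's API). Responses carry the field names shown on this page."""

    def __init__(self, events: List[Dict[str, Any]], polls_until_done: int = 2,
                 page_size: int = 2) -> None:
        self._events = events
        self._polls_left = polls_until_done
        self._page_size = page_size
        self.cancelled = False

    def create_query(self, query: str, from_date: str, to_date: str) -> Dict[str, Any]:
        return {"queryId": "q-constructed-1",
                "queryModeInfo": {"lastActivatedAt": from_date, "mode": "constructed"}}

    def get_query_status(self, query_id: str) -> Dict[str, Any]:
        self._polls_left -= 1
        done = self._polls_left <= 0
        return {"progressStatus": 100 if done else 50,
                "responseState": "FINISHED" if done else "RUNNING",
                "queryModeInfo": {"lastActivatedAt": "", "mode": "constructed"},
                "warnings": ""}

    def get_events(self, query_id: str, cursor: Optional[str] = None) -> Dict[str, Any]:
        start = int(cursor) if cursor else 0          # the cursor is opaque to callers
        page = self._events[start:start + self._page_size]
        end = start + len(page)
        return {"data": page,
                "pagination": {"nextCursor": str(end) if end < len(self._events) else None,
                               "totalItems": len(self._events)}}

    def cancel_query(self, query_id: str) -> Dict[str, Any]:
        self.cancelled = True
        return {"success": True}


def run_deep_visibility_query(client: Any, query: str, from_date: str, to_date: str,
                              timeout_s: float = 30.0,
                              poll_interval_s: float = 0.0) -> List[Dict[str, Any]]:
    """Create the query, poll until it finishes, then collect every page of events.
    A query that overruns timeout_s is cancelled so it stops consuming capacity."""
    query_id = client.create_query(query, from_date, to_date)["queryId"]
    deadline = time.monotonic() + timeout_s
    while client.get_query_status(query_id)["responseState"] != "FINISHED":
        if time.monotonic() >= deadline:
            client.cancel_query(query_id)
            raise TimeoutError(f"query {query_id} not finished after {timeout_s}s; cancelled")
        time.sleep(poll_interval_s)

    events: List[Dict[str, Any]] = []
    cursor: Optional[str] = None
    seen_cursors = set()
    while True:
        page = client.get_events(query_id, cursor=cursor)
        events.extend(page.get("data") or [])
        cursor = (page.get("pagination") or {}).get("nextCursor")
        if not cursor:
            return events
        if cursor in seen_cursors:                    # guard against a repeated cursor
            raise RuntimeError(f"pagination loop on cursor {cursor!r}")
        seen_cursors.add(cursor)
```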

operation: Get Threat Seen on Network

Input parameters

Parameter Description
Threat ID The ID of the threat whose "seen on network data" you want to retrieve from SentinelOne.
Site IDs (Optional) List of comma-separated agent sites whose "seen on network data" you want to retrieve from SentinelOne.
Group IDs (Optional) List of comma-separated agent groups whose "seen on network data" you want to retrieve from SentinelOne.
Account IDs (Optional) List of comma-separated agent accounts whose "seen on network data" you want to retrieve from SentinelOne.

Output

The output contains the following populated JSON schema:
{
"agent_version": "",
"description": "",
"created_date": "",
"meta_data": {
"updated_at": "",
"created_at": ""
},
"id": "",
"malicious_group_id": "",
"resolved": "",
"status": "",
"from_cloud": "",
"agent": ""
}

operation: Threat Forensic Details

Input parameters

Parameter Description
Threat ID The ID of the threat whose forensic details you want to retrieve from SentinelOne.

Output

The output contains the following populated JSON schema:
{
"result": {
"policy_id": "",
"agent_version": "",
"occurred_at": "",
"graph": {
"edges_summary": [],
"node_sets": {}
},
"file_hash": "",
"file_display_name": "",
"file_created_at": "",
"agent": "",
"category_scores": [],
"publisher": "",
"raw_data": {
"edges": [],
"nodes": {
"6ADE07922117100C": {
"agent_version": "",
"in_threat": "",
"malicious_content": "",
"agent_uuid": "",
"meta_data": {
"updated_at": "",
"count": "",
"created_at": ""
},
"has_reputation": "",
"group_id": "",
"event_type": "",
"object_id": "",
"data": {
"path": "",
"is_system": "",
"created_date": "",
"is_executable": "",
"verification_type": "",
"extension_type": "",
"size": "",
"object_id": "",
"content_hash": "",
"permission": ""
}
}
}
},
"indicators": [],
"cert_id": "",
"is_cert_valid": ""
}
}

operation: Export Threat

Input parameters

Parameter Description
Threat ID The ID of the threat whose details, along with its associated threats, you want to export from SentinelOne in CSV, JSON, or RAW format.
Export Format The format in which you want to export the threat data. You can choose between the following formats: CSV, RAW, or JSON.

Output

The output contains the following populated JSON schema:
{
"threat_details": {
"description": "",
"id": "",
"created_at": "",
"agent": ""
},
"threats": [],
"agent_details": {
"external_ip": "",
"registered_at": "",
"agent_version_current": "",
"computer_name": "",
"last_active_date": "",
"agent_version_at_threat_time": "",
"group_ip": "",
"domain": "",
"cpu": "",
"os": ""
},
"file_details": {
"size": "",
"created_at": "",
"id": "",
"display_name": "",
"permission": "",
"content_hash": ""
},
"reputation": {
"rank": ""
}
}

operation: Get Threat Forensics

Input parameters

Parameter Description
Threat ID The ID of the threat for which you want to retrieve the forensic data.
Site IDs (Optional) List of comma-separated agent sites whose threat data you want to retrieve from SentinelOne.
Group IDs (Optional) List of comma-separated agent groups whose threat data you want to retrieve from SentinelOne.
Account IDs (Optional) List of comma-separated agent accounts whose threat data you want to retrieve from SentinelOne.

Output

The output contains the following populated JSON schema:
{
"result": {
"seen_on_network": "",
"occurred_at": "",
"file_display_name": "",
"marked_as_benign": "",
"classifier_name": "",
"mitigation_status": "",
"file_created_at": "",
"file_path": "",
"classification_source": "",
"classification": "",
"mitigation_report": {
"quarantine": {
"status": ""
},
"rollback": {
"status": ""
},
"remediate": {
"status": ""
},
"network_quarantine": {
"status": ""
},
"kill": {
"status": ""
}
},
"threat_id": "",
"whitening_options": [],
"threat_created": "",
"malicious_group_id": "",
"in_quarantine": "",
"file_content_hash": "",
"file_hash": "",
"malicious_process_arguments": "",
"annotation_url": "",
"agent": "",
"from_scan": "",
"annotation": "",
"file_description": "",
"resolved": "",
"mitigation_actions": []
}
}

operation: Free Text

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"title": "",
"key": "",
"autoComplete": ""
}

operation: Get Application Count

Input parameters

Parameter Description
Get Count By Filter based on which you want to retrieve the application count from SentinelOne. You can choose between Risk Levels and Filters. By default, this is set to Risk Levels.
Site IDs (Optional) List of comma-separated agent sites whose application count you want to retrieve from SentinelOne.
Group IDs (Optional) List of comma-separated agent groups whose application count you want to retrieve from SentinelOne.
Account IDs (Optional) List of comma-separated agent accounts whose application count you want to retrieve from SentinelOne.
Agent Machine Types (Optional) Type of agent machine whose application count you want to retrieve from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server.
Application IDs (Optional) List of comma-separated application IDs whose application count you want to retrieve, per filter value, from SentinelOne.
Application Types (Optional) Type of application whose application count you want to retrieve from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension.
Is Decommissioned Select this checkbox if the status of the agent whose application count you want to retrieve from SentinelOne is set as "Decommissioned".
Risk Levels (Optional) Level of risks whose application count you want to retrieve from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical.
OS Types (Optional) Type of OS whose application count you want to retrieve from SentinelOne. You can choose between the following OS types: MacOS, Windows_Legacy, Linux, or Windows.
Additional Fields Additional fields, in the JSON format, based on which you want to retrieve application counts from SentinelOne.

Output

The output contains the following populated JSON schema:

Output schema when you choose "Get Count By" as "Risk Levels":
{
"enableNegation": "",
"key": "",
"title": "",
"values": [
{
"count": "",
"title": "",
"value": ""
}
]
}

Output schema when you choose "Get Count By" as "Filters":
{
"enableNegation": "",
"disableSorting": "",
"key": "",
"title": "",
"values": [
{
"count": "",
"title": "",
"value": ""
}
]
}

operation: Get CVEs

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Internal CVE IDs List of comma-separated internal CVE IDs on which you want to filter the CVEs retrieved using this operation from SentinelOne.
Global CVE IDs List of comma-separated global CVE IDs on which you want to filter the CVEs retrieved using this operation from SentinelOne.
Limit Records The maximum number of results, per page, that this operation should return.
Skip Count Select this option to skip calculating the total number of results, which speeds up execution.
Sort By Name of the field on which you want to sort the result. You can choose between the following fields: ID, PublishedAt, AgentID, or ApplicationID.
Sort Order The sorting order of the results (CVEs). You can choose between Ascending and Descending.
Count Only Select this option to only retrieve the total number of items, without any of the actual objects, from SentinelOne.
Cursor Use this parameter only if a previous call returned a partial result. In that case the response's pagination element contains a nextCursor value; pass it here as the starting point for the next call.
Additional Fields Additional fields, in JSON format, based on which you want to retrieve CVEs from SentinelOne.

Output

The output contains the following populated JSON schema:
{
"data": [
{
"createdAt": "",
"cveId": "",
"description": "",
"id": "",
"link": "",
"publishedAt": "",
"riskLevel": "",
"score": "",
"updatedAt": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}

operation: Export Applications Risk

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Site IDs List of comma-separated agent site IDs to export application risks from SentinelOne.
Group IDs List of comma-separated agent group IDs to export application risks from SentinelOne.
Account IDs List of comma-separated agent account IDs to export application risks from SentinelOne.
Size Between Size range of the application, in bytes, within which you want to filter the application risks. You can specify a range from 1024 to 104856.
Agent Machine Types Type of agent machine whose application risks you want to export from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server.
Application IDs The ID of the agent application whose installed applications and CVEs list you want to export from SentinelOne.
Application Types Type of application whose application risks you want to export from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension.
Is Decommissioned Select this checkbox if the status of the agent whose application risks you want to export from SentinelOne is set as "Decommissioned".
Risk Levels Level of risks whose application risks you want to export from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical.
OS Types Type of OS whose application risks you want to export from SentinelOne. You can choose between the following OS types: MacOS, Windows Legacy, Linux, or Windows.
Additional Fields Additional fields, in the JSON format, based on which you want to export application risks from SentinelOne.

Output

The output contains the following populated JSON schema:
{
"id": "",
"@id": "",
"file": {
"id": "",
"@id": "",
"size": "",
"uuid": "",
"@type": "",
"assignee": "",
"filename": "",
"metadata": [],
"mimeType": "",
"thumbnail": "",
"uploadDate": ""
},
"name": "",
"type": "",
"uuid": "",
"@type": "",
"tasks": [],
"alerts": [],
"assets": [],
"owners": [],
"people": [],
"@context": "",
"assignee": "",
"comments": [],
"warrooms": [],
"incidents": [],
"createDate": "",
"createUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"indicators": [],
"modifyDate": "",
"modifyUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"recordTags": [],
"userOwners": [],
"description": ""
}

operation: Get Applications

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Limit Records The maximum number of results, per page, that this operation should return.
Skip Count Select this option to skip calculating the total number of results, which speeds up execution.
Sort Order The sorting order of the results (applications). You can choose between Ascending and Descending.
Agent Machine Types Type of endpoint machine whose applications you want to retrieve from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server.
Application IDs The ID of the agent application whose installed applications you want to retrieve from SentinelOne.
Is Decommissioned Select this checkbox if the status of the agent whose applications you want to retrieve from SentinelOne is set as "Decommissioned".
Application Types Type of application whose applications you want to retrieve from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension.
Risk Levels Level of risks whose applications you want to retrieve from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical.
Sort By Name of the field on which you want to sort the result. You can choose between the following fields: ID, InstallAt, Type, Name, Publisher, Version, Size, AgentComputerName. or RiskLevel.
Count Only Select this option to only retrieve the total number of items, without any of the actual objects, from SentinelOne.
OS Types Type of OS whose applications you want to retrieve from SentinelOne. You can choose between the following os types: MacOS, Windows Legacy, Linux, or Windows.
Additional Fields Additional fields, in the JSON format, based on which you want to retrieve applications from SentinelOne.

Output

The output contains the following populated JSON schema:
{
"data": [
{
"agentComputerName": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentNetworkStatus": "",
"agentOperationalState": "",
"agentOsType": "",
"agentUuid": "",
"agentVersion": "",
"createdAt": "",
"id": "",
"installedAt": "",
"name": "",
"osType": "",
"publisher": "",
"riskLevel": "",
"signed": "",
"size": "",
"type": "",
"updatedAt": "",
"version": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}

operation: Get Application CVEs

Input parameters

Parameter Description
Application ID The ID of the agent application whose application CVEs you want to retrieve from SentinelOne.

Output

The output contains the following populated JSON schema:
{
"agentInfected": "",
"agentNetworkStatus": "",
"installedAt": "",
"signed": "",
"size": "",
"type": "",
"updatedAt": "",
"agentComputerName": "",
"name": "",
"agentOsType": "",
"version": "",
"publisher": "",
"agentMachineType": "",
"id": "",
"agentVersion": "",
"osType": "",
"createdAt": "",
"cves": [],
"agentDomain": "",
"agentId": "",
"agentIsDecommissioned": "",
"riskLevel": "",
"agentUuid": "",
"agentIsActive": ""
}

Included playbooks

The Sample - SentinelOne - 3.1.0 playbook collection comes bundled with the SentinelOne connector. This collection contains playbooks with steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the SentinelOne connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling threats from SentinelOne. Currently, "threats" in SentinelOne have been mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming SentinelOne "threats" to FortiSOAR™ "Alerts".

The Data Ingestion Wizard enables you to configure scheduled pulling of data from SentinelOne into FortiSOAR™. It also lets you pull some sample data from SentinelOne that you can use to define the mapping of data between SentinelOne and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the SentinelOne threat.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the SentinelOne connector’s "Configurations" page.
    Click Let’s Start by fetching some data to open the “Fetch Sample Data” screen.

    Sample data is required to create a field mapping between SentinelOne data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
  2. On the Fetch Data screen, provide the configurations required to fetch SentinelOne data.
    Users can choose to pull data from SentinelOne by specifying the last X minutes in which the threats have been created or updated in SentinelOne. The fetched data is used to create a mapping between the SentinelOne data and FortiSOAR™ alerts.

    Once you have completed specifying the configurations, click Fetch Data.
  3. On the Field Mapping screen, map the fields of a SentinelOne threat to the fields of an alert present in FortiSOAR™.
    To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the agentIp parameter of a SentinelOne threat to the Source IP parameter of a FortiSOAR™ alert, click the Source IP field and then click the agentIp field to populate its keys.

    For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to SentinelOne, so that the content gets pulled from the SentinelOne integration into FortiSOAR™.
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
    In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from SentinelOne every morning at 5 am, click Daily, enter 5 in the hour box, and enter 0 in the minute box.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
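The ingestion flow above (a created/updated time window, a threat-to-alert field mapping, and the null-required-field failure named under Troubleshooting) as an added, stand-alone example; it is not Fortinet's connector or playbook code. The sample threats, the mapping dictionary and the required-field list are constructed for illustration; only agentIp is a field this page names, the other keys are assumed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample threats (not real SentinelOne output). Field names other
# than agentIp are assumed for the example.
SAMPLE_THREATS = [
    {"id": "t-1", "agentIp": "10.0.0.5", "threatName": "eicar.com",
     "createdAt": "2024-01-01T04:50:00Z", "updatedAt": "2024-01-01T04:50:00Z"},
    {"id": "t-2", "agentIp": "10.0.0.7", "threatName": None,   # custom field left empty
     "createdAt": "2023-12-31T10:00:00Z", "updatedAt": "2024-01-01T04:58:00Z"},
    {"id": "t-3", "agentIp": "10.0.0.9", "threatName": "old.bin",
     "createdAt": "2023-12-20T00:00:00Z", "updatedAt": "2023-12-20T00:00:00Z"},
]

# Assumed mapping of FortiSOAR alert field -> SentinelOne threat key, the kind
# of mapping the Data Ingestion Wizard saves on the Field Mapping screen.
FIELD_MAPPING = {"sourceIp": "agentIp", "name": "threatName", "sourceId": "id"}
# Assumed required fields of the target alert module.
REQUIRED_ALERT_FIELDS = ("name", "sourceId")


def _parse_ts(value):
    """Parse the UTC 'Z' timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def threats_in_last_minutes(threats, minutes, now_iso):
    """Step 2: keep threats created OR updated within the last X minutes."""
    cutoff = _parse_ts(now_iso) - timedelta(minutes=minutes)
    return [t for t in threats
            if _parse_ts(t["createdAt"]) >= cutoff or _parse_ts(t["updatedAt"]) >= cutoff]


def map_threat_to_alert(threat, mapping=FIELD_MAPPING):
    """Step 3: build the alert record from the saved field mapping."""
    return {alert_field: threat.get(key) for alert_field, key in mapping.items()}


def missing_required(alert, required=REQUIRED_ALERT_FIELDS):
    """Pre-check for the 'required field is null' playbook failure."""
    return [f for f in required if alert.get(f) is None]


def run_ingestion(threats, minutes, now_iso):
    """Return (alerts ready to create, [(alert, missing_fields), ...] rejected)."""
    alerts, rejected = [], []
    for threat in threats_in_last_minutes(threats, minutes, now_iso):
        alert = map_threat_to_alert(threat)
        missing = missing_required(alert)
        if missing:
            rejected.append((alert, missing))   # surface it before the playbook fails
        else:
            alerts.append(alert)
    return alerts, rejected
```

Running it with a 10-minute window at 05:00 UTC picks up t-1 (created in the window) and t-2 (updated in the window), and rejects t-2 because its mapped name is null rather than letting the playbook fail later.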

Troubleshooting

Connection refusal while requesting to run the wrapper

This generally occurs in the case of self-signed SSL certificates. If you are using self-signed certificates for testing or staging, keep in mind that this problem will not occur in production and that you might need to switch certificate checking on or off.

Resolution:

Ensure that the SSL certificates are trusted or that SSL checking is turned off in the wrapper script. This is not advised for production instances.

Playbook fails after the ingestion is triggered

There are many reasons for a playbook failure, for example, if a required field is null in the target module record, or there are problems with the Playbook Appliance keys.

Resolution:

Investigate the reason for the failure using the 'Executed Playbook Logs'. Review the step in which the failure is being generated and the result of the step, which should contain the trace of the error. Once you have identified the error, if you cannot troubleshoot it yourself, contact Fortinet support for further assistance.
