SentinelOne is a cybersecurity platform. SentinelOne unifies prevention, detection, and response in a single platform, enabling organizations to protect their user endpoint devices and critical servers against advanced malware, exploits, and other types of sophisticated threats.
This document provides information about the SentinelOne connector, which facilitates automated interactions with a SentinelOne server using FortiSOAR™ playbooks. Add the SentinelOne connector as a step in FortiSOAR™ playbooks and perform automated operations, such as detecting threats at the endpoints, isolating or shutting down agents, etc.
You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling threats from SentinelOne. For more information, see the Data Ingestion Support section.
Connector Version: 3.1.0
FortiSOAR™ Version Tested on: 7.2.1-1021
SentinelOne API Versions Tested on: v2.0.0-EA#115, v2.1
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the SentinelOne connector in version 3.1.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-sentinelone
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the SentinelOne connector card. On the connector popup, click the Configurations tab to enter the required configuration details:
Parameter | Description |
---|---|
Server URL | Specify the URL of the SentinelOne REST endpoint to which you will connect and perform the automated operations. |
API Token | Specify the API token that is required to access the SentinelOne REST endpoint. Important: The minimum role required for the user to use the API endpoint is "Site Viewer". |
API Version | Specify the version of the API that you are using to access the SentinelOne REST endpoint. |
Verify SSL | Verify SSL connection to the SentinelOne API endpoint. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations:
Function | Description | Annotation and Category |
---|---|---|
Get Agents | Retrieves a list of agents attached to an account from SentinelOne based on the input parameters you have specified. | list_agents Investigation |
Agent Action | Performs the action that you want to perform on an agent in SentinelOne based on the action, agent IDs, and other input parameters you have specified. | isolate_agent Containment |
Reconnect Agent | Reconnects a disconnected agent to the network in SentinelOne based on the input parameters you have specified. | reconnect_agent Remediation |
Get Agent Passphrase | Retrieves an agent's passphrase to uninstall an offline agent in SentinelOne based on the agent ID you have specified. | agent_passphrase Miscellaneous |
Get Agent Application | Retrieves a list of applications installed on an agent in SentinelOne based on the agent ID you have specified. | list_applications Investigation |
Get Agent Process | Retrieves a list of processes running on an agent in SentinelOne based on the agent ID you have specified. | list_processes Investigation |
Broadcast Message to Agent | Broadcasts a message to a specified agent system or a list of agent systems in SentinelOne based on the agent ID, message, and other input parameters you have specified. | broadcast_message Miscellaneous |
Initiate Agent Scan | Initiates scanning on a specified agent system or all agents in SentinelOne based on the input parameters you have specified. | scan_agent Investigation |
Abort Agent Scan | Aborts scanning on a specified agent system or all agents in SentinelOne based on the input parameters you have specified. | abort_scan Investigation |
Get Hash Details | Retrieve the details for a specified hash from SentinelOne based on the Hash ID you have specified. | hash_details Investigation |
Get Threat Details | Retrieve the details for a specified threat from SentinelOne based on the threat ID you have specified. | threat_details Investigation |
Mitigate Threat | Mitigates identified threats in the SentinelOne system based on the threat ID, action, and other input parameters you have specified. | mitigate_threats Remediation |
Mark Threat as Benign | Marks an identified threat as safe in SentinelOne based on the threat ID, target scope, and other input parameters you have specified. | mark_threat_as_benign Remediation |
Fetch Agents Logs | Retrieves logs from the agent's system to the SentinelOne cloud based on the input parameters you have specified. | fetch_logs Investigation |
Get Agent Count | Retrieves the count of agents in SentinelOne filtered by the input parameters you have specified. | agent_count Miscellaneous |
List All Threats | List all threats identified by SentinelOne on agents. You can additionally filter out the results by specifying the agent ID or the threat name. | list_threats Investigation |
Fetch Threats | List all threats or specific threats identified by SentinelOne on agents filtered by the input parameters you have specified. | fetch_threats Investigation |
Create Query And Get Query ID | Starts a deep visibility Query and retrieves the Query ID from SentinelOne based on the query, date range, and other input parameters you have specified. | create_query Investigation |
Get Query Status | Retrieves the status of the deep visibility query from SentinelOne based on the query ID you have specified. | get_query_status Investigation |
Get Events | Retrieves the deep visibility events associated with a query from SentinelOne based on the query ID and other input parameters you have specified. | get_events Investigation |
Get Events By Type | Retrieves the deep visibility events associated with a query from SentinelOne based on the query ID, event type, and other input parameters you have specified. | get_events_by_type Investigation |
Cancel Running Query | Stops a deep visibility query that is running on SentinelOne based on the query ID you have specified. | cancel_running_query Investigation |
Get Threat Seen on Network | Retrieves "seen on network" details for a specific threat in SentinelOne based on the threat ID and other input parameters you have specified. | threat_seen_on_network Investigation |
Threat Forensic Details | Retrieves detailed forensics data for a specific threat on SentinelOne based on the threat ID you have specified. | threat_forensic_details Investigation |
Export Threat | Exports a threat along with its associated threats, in CSV or JSON format, for a specific threat on SentinelOne based on the threat ID and export format you have specified. | export_forensics_threat Investigation |
Get Threat Forensics | Retrieves forensics data for a specific threat on SentinelOne based on the threat ID and export format you have specified. | threat_forensics Investigation |
Free Text | Retrieves a metadata list of all the available free-text filters in SentinelOne. | free_text_filters Investigation |
Get Application Count | Retrieves the count of applications from SentinelOne, grouped by risk level or by the filters and other input parameters you have specified. | get_application_count Investigation |
Get CVEs | Retrieves all known CVEs for applications from SentinelOne based on the input parameters you have specified. Note: This is available for complete SKU only. | get_cve Investigation |
Export Applications Risk | Exports installed applications and CVE list from SentinelOne based on the input parameters you have specified. This operation also creates an 'Attachment' record in FortiSOAR. | export_applications_risk Investigation |
Get Applications | Retrieves a list of all installed applications per endpoint, including risk levels, from SentinelOne based on the input parameters you have specified. Note: This is available for complete SKU only. | get_applications Investigation |
Get Application CVEs | Retrieves all known CVEs for a specific application, along with application and endpoint information, from SentinelOne, based on the application ID you have specified. Note: This is available for complete SKU only. | get_application_cve Investigation |
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent IDs | List of comma-separated agent IDs that you want to retrieve from SentinelOne. |
Is Active | Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Active". |
Is Infected | Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Decommissioned". |
Computer Name Like | Retrieve only those agents whose computer name matches the specified name from SentinelOne. |
Agent Memory Less Than (MB) | Retrieve only those agents whose memory size is less than the given input from SentinelOne. |
Agent Memory Greater Than (MB) | Retrieve only those agents whose memory size is greater than the given input from SentinelOne. |
Agent Core Count Less Than | Retrieve only those agents whose core count is less than the given input from SentinelOne. |
Agent Core Count Greater Than | Retrieve only those agents whose core count is greater than the given input from SentinelOne. |
Agent Version | The version of the agent that you want to retrieve from SentinelOne. |
Network Status | Select the network status of the agent that you want to retrieve from SentinelOne. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
Limit Records | The maximum number of results, per page, that this operation should return. |
Offset | Skips the specified number of results (0-1000) from the total results. |
Cursor | The 'Cursor' parameter is used only if a previous operation had returned a partial result. If a previous response contains a cursor element, then the value of the cursor element includes a cursor parameter that specifies a starting point to use for subsequent calls. This parameter is useful when the response is paginated. |
Additional Fields | Additional fields, in the JSON format, based on which you want to retrieve agents from SentinelOne. |
A customized JSON output that is formatted for easy reference is the output for all the operations.
The output contains the following populated JSON schema:
Output schema when 'API Version' === v2.0
{
"data": [
{
"accountId": "",
"accountName": "",
"activeDirectory": {
"computerDistinguishedName": "",
"computerMemberOf": [],
"lastUserDistinguishedName": "",
"lastUserMemberOf": []
},
"activeThreats": "",
"agentVersion": "",
"allowRemoteShell": "",
"appsVulnerabilityStatus": "",
"computerName": "",
"consoleMigrationStatus": "",
"coreCount": "",
"cpuCount": "",
"cpuId": "",
"createdAt": "",
"domain": "",
"encryptedApplications": "",
"externalId": "",
"externalIp": "",
"groupId": "",
"groupIp": "",
"groupName": "",
"id": "",
"inRemoteShellSession": "",
"infected": "",
"installerType": "",
"isActive": "",
"isDecommissioned": "",
"isPendingUninstall": "",
"isUninstalled": "",
"isUpToDate": "",
"lastActiveDate": "",
"lastIpToMgmt": "",
"lastLoggedInUserName": "",
"licenseKey": "",
"locationType": "",
"locations": [
{
"id": "",
"name": "",
"scope": ""
}
],
"machineType": "",
"mitigationMode": "",
"mitigationModeSuspicious": "",
"modelName": "",
"networkInterfaces": [
{
"id": "",
"inet": [],
"inet6": [],
"name": "",
"physical": ""
}
],
"networkStatus": "",
"osArch": "",
"osName": "",
"osRevision": "",
"osStartTime": "",
"osType": "",
"osUsername": "",
"rangerStatus": "",
"rangerVersion": "",
"registeredAt": "",
"scanAbortedAt": "",
"scanFinishedAt": "",
"scanStartedAt": "",
"scanStatus": "",
"siteId": "",
"siteName": "",
"threatRebootRequired": "",
"totalMemory": "",
"updatedAt": "",
"userActionsNeeded": [],
"uuid": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
Output schema when 'API Version' === v2.1
{
"data": [
{
"accountId": "",
"accountName": "",
"activeDirectory": {
"computerDistinguishedName": "",
"computerMemberOf": [],
"lastUserDistinguishedName": "",
"lastUserMemberOf": []
},
"activeThreats": "",
"agentVersion": "",
"allowRemoteShell": "",
"appsVulnerabilityStatus": "",
"cloudProviders": {},
"computerName": "",
"consoleMigrationStatus": "",
"coreCount": "",
"cpuCount": "",
"cpuId": "",
"createdAt": "",
"detectionState": "",
"domain": "",
"encryptedApplications": "",
"externalId": "",
"externalIp": "",
"firewallEnabled": "",
"firstFullModeTime": "",
"groupId": "",
"groupIp": "",
"groupName": "",
"id": "",
"inRemoteShellSession": "",
"infected": "",
"installerType": "",
"isActive": "",
"isDecommissioned": "",
"isPendingUninstall": "",
"isUninstalled": "",
"isUpToDate": "",
"lastActiveDate": "",
"lastIpToMgmt": "",
"lastLoggedInUserName": "",
"licenseKey": "",
"locationEnabled": "",
"locationType": "",
"locations": [
{
"id": "",
"name": "",
"scope": ""
}
],
"machineType": "",
"mitigationMode": "",
"mitigationModeSuspicious": "",
"modelName": "",
"networkInterfaces": [
{
"gatewayIp": "",
"gatewayMacAddress": "",
"id": "",
"inet": [],
"inet6": [],
"name": "",
"physical": ""
}
],
"networkQuarantineEnabled": "",
"networkStatus": "",
"operationalState": "",
"operationalStateExpiration": "",
"osArch": "",
"osName": "",
"osRevision": "",
"osStartTime": "",
"osType": "",
"osUsername": "",
"rangerStatus": "",
"rangerVersion": "",
"registeredAt": "",
"remoteProfilingState": "",
"remoteProfilingStateExpiration": "",
"scanAbortedAt": "",
"scanFinishedAt": "",
"scanStartedAt": "",
"scanStatus": "",
"serialNumber": "",
"siteId": "",
"siteName": "",
"storageName": "",
"storageType": "",
"tags": {
"sentinelone": [
{
"assignedAt": "",
"assignedBy": "",
"assignedById": "",
"id": "",
"key": "",
"value": ""
}
]
},
"threatRebootRequired": "",
"totalMemory": "",
"updatedAt": "",
"userActionsNeeded": [],
"uuid": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
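The Get Agents output above is paginated: each page carries `pagination.nextCursor`, which is fed back as the Cursor parameter until it comes back empty. The following added example (not the connector's own code) walks those pages from a stand-in fetch function, keeps only the agents on which Isolate Agent Network would actually take effect (infected, active, not decommissioned, network-connected) and builds the comma-separated Agent IDs string that the Agent Action operation expects. The sample pages are constructed and populate only the schema fields the code reads.

```python
"""Cursor pagination over Get Agents output plus a triage filter.
Added example; not the connector's code. Sample pages are constructed."""
from typing import Callable, Dict, Iterator, List, Optional

# Constructed sample pages shaped like the v2.1 Get Agents output schema
# (only the fields this example reads are populated).
_SAMPLE_PAGES = {
    None: {
        "data": [
            {"id": "1001", "computerName": "ws-finance-01", "infected": True,
             "isActive": True, "isDecommissioned": False, "networkStatus": "connected"},
            {"id": "1002", "computerName": "ws-hr-07", "infected": False,
             "isActive": True, "isDecommissioned": False, "networkStatus": "connected"},
        ],
        "pagination": {"nextCursor": "c2", "totalItems": 4},
    },
    "c2": {
        "data": [
            {"id": "1003", "computerName": "srv-db-02", "infected": True,
             "isActive": True, "isDecommissioned": False, "networkStatus": "disconnected"},
            {"id": "1004", "computerName": "ws-old-99", "infected": True,
             "isActive": False, "isDecommissioned": True, "networkStatus": "connected"},
        ],
        "pagination": {"nextCursor": None, "totalItems": 4},
    },
}


def sample_fetch_page(cursor: Optional[str]) -> Dict:
    """Stand-in for one Get Agents call: returns the constructed page for a cursor."""
    return _SAMPLE_PAGES[cursor]


def iter_agents(fetch_page: Callable[[Optional[str]], Dict],
                max_pages: int = 100) -> Iterator[Dict]:
    """Yield every agent across all pages, following pagination.nextCursor.

    Stops when nextCursor is empty. max_pages and the repeated-cursor check
    bound a misbehaving server that keeps handing back a cursor.
    """
    cursor: Optional[str] = None
    seen = set()
    for _ in range(max_pages):
        page = fetch_page(cursor)
        for agent in page.get("data", []) or []:
            yield agent
        cursor = (page.get("pagination") or {}).get("nextCursor")
        if not cursor:
            return
        if cursor in seen:
            raise RuntimeError("pagination cursor repeated; aborting to avoid a loop")
        seen.add(cursor)
    raise RuntimeError("page limit reached before nextCursor was exhausted")


def infected_online_agents(agents) -> List[Dict]:
    """Agents that are infected, active, not decommissioned and network-connected:
    the only ones on which Isolate Agent Network changes anything."""
    return [a for a in agents
            if a.get("infected") and a.get("isActive")
            and not a.get("isDecommissioned")
            and str(a.get("networkStatus", "")).lower() == "connected"]


def agent_ids_param(agents: List[Dict]) -> str:
    """Comma-separated Agent IDs string, as the Agent Action parameter expects."""
    return ",".join(str(a["id"]) for a in agents)


if __name__ == "__main__":
    targets = infected_online_agents(iter_agents(sample_fetch_page))
    print(agent_ids_param(targets))
```

Swap `sample_fetch_page` for a function that calls the connector's Get Agents step with the given Cursor value to run this over a real account.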
Parameter | Description |
---|---|
Action | Select the action that you want to perform on the specified agent in SentinelOne. You can choose between the following actions: Isolate Agent Network, Decommission Agent, Uninstall Agent, or Shutdown Agent. |
Agent IDs | List of comma-separated agent IDs on which you want to perform actions in SentinelOne. |
Group IDs | (Optional) List of comma-separated agent's group IDs on which you want to perform actions in SentinelOne. |
Is Decommissioned | Select this checkbox if the status of the agent on which you want to perform actions on SentinelOne is set as "Decommissioned". |
Is Uninstalled | Select this checkbox if the status of the agent on which you want to perform actions on SentinelOne is set as "Uninstalled". |
The output contains the following populated JSON schema:
{
"affected": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent Memory Less Than (MB) | Reconnects only those agents to the network in SentinelOne whose memory size is less than the given input. |
Agent Memory Greater Than (MB) | Reconnects only those agents to the network in SentinelOne whose memory size is greater than the given input. |
Agent Core Count Less Than | Reconnects only those agents to the network in SentinelOne whose core count is less than the given input. |
Agent Core Count Greater Than | Reconnects only those agents to the network in SentinelOne whose core count is greater than the given input. |
Is Active | Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Active". |
Is Infected | Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Decommissioned". |
Agent IDs | List of comma-separated agent IDs that you want to reconnect to the SentinelOne network. |
Computer Name Like | Reconnects only those agents to the network in SentinelOne whose computer name matches the specified name. |
Agent Version | The version of the agent that you want to reconnect to the SentinelOne network. |
OS Type | Select the OS type of the agent that you want to reconnect to the SentinelOne network. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agent that you want to reconnect to the SentinelOne network. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON contains a Success message of agents reconnected back into the network.
The output contains the following populated JSON schema:
{
"affected": ""
}
Parameter | Description |
---|---|
Agent ID | The ID of the agent whose passphrase you want to retrieve from SentinelOne. This passphrase can be used to uninstall an offline agent from SentinelOne. |
Cursor | (Optional) The 'Cursor' parameter is used only if a previous operation had returned a partial result. If a previous response contains a cursor element, then the value of the cursor element includes a cursor parameter that specifies a starting point to use for subsequent calls. This parameter is useful when the response is paginated. |
Additional Fields | (Optional) Additional fields, in the JSON format, based on which you want to retrieve the passphrase from SentinelOne. |
The JSON contains a string output with the passphrase that can be used to delete an offline agent.
The output contains the following populated JSON schema:
{
"data": [
{
"computerName": "",
"domain": "",
"id": "",
"lastLoggedInUserName": "",
"passphrase": "",
"uuid": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
Parameter | Description |
---|---|
Agent ID | The ID of the agent whose list of installed applications you want to retrieve from SentinelOne. |
The JSON contains a list of application objects including information such as name, installation date, etc., about the applications installed on the specified agent.
The output contains the following populated JSON schema:
[
{
"name": "",
"size": "",
"version": "",
"publisher": "",
"installedDate": ""
}
]
Parameter | Description |
---|---|
Agent Id | The ID of the agent whose list of running processes you want to retrieve from SentinelOne. |
The JSON contains a list of running processes along with the process details for the specified agent.
The output contains the following populated JSON schema:
[
{
"cpuUsage": "",
"memoryUsage": "",
"pid": "",
"executablePath": "",
"startTime": "",
"processName": ""
}
]
Parameter | Description |
---|---|
Message | The message that you want to broadcast to an agent or a list of agents in SentinelOne. |
Agent IDs | List of comma-separated agent IDs in SentinelOne to whom you want to broadcast the specified message. |
Agent Memory Less Than (MB) | (Optional) Broadcast the message to only those agents whose memory size is less than the given input from SentinelOne. |
Agent Memory Greater Than (MB) | (Optional) Broadcast the message to only those agents whose memory size is greater than the given input from SentinelOne. |
Agent Core Count Less Than | (Optional) Broadcast the message to only those agents whose core count is less than the given input from SentinelOne. |
Agent Core Count Greater Than | (Optional) Broadcast the message to only those agents whose core count is greater than the given input from SentinelOne. |
Is Active | Select this checkbox if the status of the agent to whom you want to broadcast a message is set as "Active". |
Is Infected | Select this checkbox if the status of the agent to whom you want to broadcast a message is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent to whom you want to broadcast a message is set as "Decommissioned". |
Computer Name Like | (Optional) Broadcast the message to only those agents that match the specified computer name on SentinelOne. |
Agent Version | The version of the agent to whom you want to broadcast the message. |
OS Type | Select the OS type of the agent in the SentinelOne network to whom you want to broadcast the message. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agent in SentinelOne to whom you want to broadcast the message. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON output contains the number of agents that are affected by the broadcast operation after the query is successfully run.
The output contains the following populated JSON schema:
{
"affected": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent Memory Less Than (MB) | Initiates a scan on only those agents whose memory size is less than the given input from SentinelOne. |
Agent Memory Greater Than (MB) | Initiates a scan on only those agents whose memory size is greater than the given input from SentinelOne. |
Agent Core Count Less Than | Initiates a scan on only those agents whose core count is less than the given input from SentinelOne. |
Agent Core Count Greater Than | Initiates a scan on only those agents whose core count is greater than the given input from SentinelOne. |
Is Active | Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Active". |
Is Infected | Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Decommissioned". |
Agent IDs | List of comma-separated agent IDs on which you want to initiate a scan in SentinelOne. |
Computer Name Like | Initiate the scan only on those agents that match the specified computer name. |
Agent Version | The version of the agent on which you want to initiate a scan. |
OS Type | Select the OS type of the agent in SentinelOne on which you want to initiate the scan. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agent in SentinelOne on which you want to initiate the scan. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON output contains the number of agents that are affected by the scan operation after the query is successfully run.
The output contains the following populated JSON schema:
{
"affected": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent Memory Less Than (MB) | Aborts the scan on only those agents whose memory size is less than the given input from SentinelOne. |
Agent Memory Greater Than (MB) | Aborts the scan on only those agents whose memory size is greater than the given input from SentinelOne. |
Agent Core Count Less Than | Aborts the scan on only those agents whose core count is less than the given input from SentinelOne. |
Agent Core Count Greater Than | Aborts the scan on only those agents whose core count is greater than the given input from SentinelOne. |
Is Active | Select this checkbox if the status of the agent on which you want to abort the scan is set as "Active". |
Is Infected | Select this checkbox if the status of the agent on which you want to abort the scan is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent on which you want to abort the scan is set as "Decommissioned". |
Agent IDs | List of comma-separated agent IDs on which you want to abort the scan in SentinelOne. |
Computer Name Like | Abort the scan only on those agents that match the specified computer name. |
Agent Version | The version of the agent on which you want to abort the scan. |
OS Type | Select the OS type of the agent in SentinelOne on which you want to abort the scan. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agent in SentinelOne on which you want to abort the scan. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON output contains the number of agents that are affected by the abort scan operation after the query is successfully run.
The output contains the following populated JSON schema:
{
"affected": ""
}
Parameter | Description |
---|---|
Hash ID | The ID (SHA1 only) of the hash whose details you want to retrieve from SentinelOne. |
The JSON contains the details of the specified hash ID.
The output contains the following populated JSON schema:
{
"rank": ""
}
Parameter | Description |
---|---|
Threat Id | The ID of the threat whose details you want to retrieve from SentinelOne. |
The JSON contains the details of the specified threat ID.
The output contains the following populated JSON schema:
Output schema when 'API Version' === v2.0
{
"accountId": "",
"accountName": "",
"agentComputerName": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIp": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentNetworkStatus": "",
"agentOsType": "",
"agentVersion": "",
"annotation": "",
"automaticallyResolved": "",
"browserType": "",
"certId": "",
"classification": "",
"classificationSource": "",
"classifierName": "",
"cloudVerdict": "",
"collectionId": "",
"commandId": "",
"createdAt": "",
"createdDate": "",
"description": "",
"engines": [],
"external_ticket_id": "",
"fileContentHash": "",
"fileCreatedDate": "",
"fileDisplayName": "",
"fileExtensionType": "",
"fileIsDotNet": "",
"fileIsExecutable": "",
"fileIsSystem": "",
"fileMaliciousContent": "",
"fileObjectId": "",
"filePath": "",
"fileSha256": "",
"fileVerificationType": "",
"fromCloud": "",
"fromScan": "",
"id": "",
"indicators": [],
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"isCertValid": "",
"isInteractiveSession": "",
"isPartialStory": "",
"maliciousGroupId": "",
"maliciousProcessArguments": "",
"markedAsBenign": "",
"mitigationMode": "",
"mitigationReport": {
"kill": {
"status": ""
},
"network_quarantine": {
"status": ""
},
"quarantine": {
"status": ""
},
"remediate": {
"status": ""
},
"rollback": {
"status": ""
},
"unquarantine": {
"status": ""
}
},
"mitigationStatus": "",
"publisher": "",
"rank": "",
"resolved": "",
"siteId": "",
"siteName": "",
"threatAgentVersion": "",
"threatName": "",
"updatedAt": "",
"username": "",
"whiteningOptions": []
}
Output schema when 'API Version' === v2.1
{
"agentDetectionInfo": {
"accountId": "",
"accountName": "",
"agentDetectionState": "",
"agentDomain": "",
"agentIpV4": "",
"agentIpV6": "",
"agentLastLoggedInUpn": "",
"agentLastLoggedInUserMail": "",
"agentLastLoggedInUserName": "",
"agentMitigationMode": "",
"agentOsName": "",
"agentOsRevision": "",
"agentRegisteredAt": "",
"agentUuid": "",
"agentVersion": "",
"cloudProviders": {},
"externalIp": "",
"groupId": "",
"groupName": "",
"siteId": "",
"siteName": ""
},
"agentRealtimeInfo": {
"accountId": "",
"accountName": "",
"activeThreats": "",
"agentComputerName": "",
"agentDecommissionedAt": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentMitigationMode": "",
"agentNetworkStatus": "",
"agentOsName": "",
"agentOsRevision": "",
"agentOsType": "",
"agentUuid": "",
"agentVersion": "",
"groupId": "",
"groupName": "",
"networkInterfaces": [
{
"id": "",
"inet": [],
"inet6": [],
"name": "",
"physical": ""
}
],
"operationalState": "",
"rebootRequired": "",
"scanAbortedAt": "",
"scanFinishedAt": "",
"scanStartedAt": "",
"scanStatus": "",
"siteId": "",
"siteName": "",
"storageName": "",
"storageType": "",
"userActionsNeeded": []
},
"containerInfo": {
"id": "",
"image": "",
"labels": "",
"name": ""
},
"id": "",
"indicators": [
{
"category": "",
"description": "",
"ids": [],
"tactics": []
}
],
"kubernetesInfo": {
"cluster": "",
"controllerKind": "",
"controllerLabels": "",
"controllerName": "",
"namespace": "",
"namespaceLabels": "",
"node": "",
"pod": "",
"podLabels": ""
},
"mitigationStatus": [
{
"action": "",
"actionsCounters": {
"failed": "",
"notFound": "",
"pendingReboot": "",
"success": "",
"total": ""
},
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
},
{
"action": "",
"actionsCounters": "",
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
}
],
"threatInfo": {
"analystVerdict": "",
"analystVerdictDescription": "",
"automaticallyResolved": "",
"browserType": "",
"certificateId": "",
"classification": "",
"classificationSource": "",
"cloudFilesHashVerdict": "",
"collectionId": "",
"confidenceLevel": "",
"createdAt": "",
"detectionEngines": [
{
"key": "",
"title": ""
}
],
"detectionType": "",
"engines": [],
"externalTicketExists": "",
"externalTicketId": "",
"failedActions": "",
"fileExtension": "",
"fileExtensionType": "",
"filePath": "",
"fileSize": "",
"fileVerificationType": "",
"identifiedAt": "",
"incidentStatus": "",
"incidentStatusDescription": "",
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"initiatingUsername": "",
"isFileless": "",
"isValidCertificate": "",
"maliciousProcessArguments": "",
"md5": "",
"mitigatedPreemptively": "",
"mitigationStatus": "",
"mitigationStatusDescription": "",
"originatorProcess": "",
"pendingActions": "",
"processUser": "",
"publisherName": "",
"reachedEventsLimit": "",
"rebootRequired": "",
"sha1": "",
"sha256": "",
"storyline": "",
"threatId": "",
"threatName": "",
"updatedAt": ""
},
"whiteningOptions": []
}
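The two Get Threat Details schemas above put the same facts in different places: v2.0 is flat and reports mitigation as the `mitigationReport` object keyed by action, while v2.1 nests the threat under `threatInfo` and `agentRealtimeInfo` and reports mitigation as the `mitigationStatus` list. The following added example (not the connector's code) normalises a response of either version into one small triage record and lists the mitigation actions that did not complete, so a playbook step following Get Threat Details does not have to branch on the configured API Version. The sample responses are constructed from the schema keys only, and `"success"` as the completed status value is an assumption of this example.

```python
"""Normalise Get Threat Details output (v2.0 or v2.1) into one triage record.
Added example; not the connector's code. Sample responses are constructed."""
from typing import Any, Dict, List


def _get(d: Dict, *path: str, default: Any = None) -> Any:
    """Safe nested lookup: _get(t, "threatInfo", "sha1")."""
    cur: Any = d
    for key in path:
        if not isinstance(cur, dict):
            return default
        cur = cur.get(key)
    return default if cur is None else cur


def summarize_threat(threat: Dict) -> Dict:
    """Return {api_version, threat_id, threat_name, agent_id, sha1, mitigation}.

    'mitigation' maps action name -> status string for both schema versions.
    The version is inferred from the shape: only v2.1 carries 'threatInfo'.
    """
    if "threatInfo" in threat:
        # v2.1: mitigationStatus is a list of {action, status, actionsCounters, ...}
        mitigation: Dict[str, str] = {}
        for entry in threat.get("mitigationStatus") or []:
            if isinstance(entry, dict) and entry.get("action"):
                mitigation[str(entry["action"])] = str(entry.get("status", ""))
        return {
            "api_version": "v2.1",
            "threat_id": _get(threat, "threatInfo", "threatId",
                              default=threat.get("id", "")),
            "threat_name": _get(threat, "threatInfo", "threatName", default=""),
            "agent_id": _get(threat, "agentRealtimeInfo", "agentId", default=""),
            "sha1": _get(threat, "threatInfo", "sha1", default=""),
            "mitigation": mitigation,
        }
    # v2.0: flat keys; mitigationReport is {action: {"status": ...}}
    report = threat.get("mitigationReport") or {}
    mitigation = {action: str(_get(report, action, "status", default=""))
                  for action in report if isinstance(report.get(action), dict)}
    return {
        "api_version": "v2.0",
        "threat_id": threat.get("id", ""),
        "threat_name": threat.get("threatName", ""),
        "agent_id": threat.get("agentId", ""),
        "sha1": threat.get("fileContentHash", ""),
        "mitigation": mitigation,
    }


def incomplete_actions(summary: Dict, ok_statuses=("success",)) -> List[str]:
    """Actions whose reported status is not in ok_statuses, sorted for stable output.
    Treating "success" as the completed value is an assumption of this example."""
    return sorted(a for a, s in summary["mitigation"].items() if s not in ok_statuses)


# Constructed v2.0 response: kill succeeded, quarantine failed, other actions absent.
SAMPLE_V20 = {
    "id": "T-20-EXAMPLE", "threatName": "example.exe", "agentId": "1001",
    "fileContentHash": "<constructed-sha1>",
    "mitigationReport": {"kill": {"status": "success"},
                         "quarantine": {"status": "failed"}},
}

# Constructed v2.1 response describing the same situation.
SAMPLE_V21 = {
    "id": "T-21-EXAMPLE",
    "agentRealtimeInfo": {"agentId": "1001", "agentNetworkStatus": "connected"},
    "threatInfo": {"threatId": "T-21-EXAMPLE", "threatName": "example.exe",
                   "sha1": "<constructed-sha1>", "rebootRequired": False},
    "mitigationStatus": [
        {"action": "kill", "status": "success",
         "actionsCounters": {"failed": 0, "success": 1, "total": 1}},
        {"action": "quarantine", "status": "failed",
         "actionsCounters": {"failed": 1, "success": 0, "total": 1}},
    ],
}

if __name__ == "__main__":
    for sample in (SAMPLE_V20, SAMPLE_V21):
        s = summarize_threat(sample)
        print(s["api_version"], s["threat_id"], "needs follow-up:", incomplete_actions(s))
```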
Parameter | Description |
---|---|
Action | Select the action that you want to perform on the specified threat. You can choose between the following actions: Kill, Quarantine, Un-Quarantine, Remediate, or Rollback-Remediation. |
Threat ID | The ID of the threat on which you want to take the specified action. |
Content Hash | (Optional) The Hash ID of the file associated with the threat that requires mitigation. |
Threat Name | (Optional) Name of the threat that requires mitigation. |
Agent ID | (Optional) The ID of the agent on which the threat has been identified. |
Limit Records | (Optional) The maximum number of results, per page, that this operation should return. |
From Scan | Select this option if the threat was detected as a result of a scan. |
The JSON contains a message about the threat being mitigated.
The output contains the following populated JSON schema:
{
"affected": ""
}
Parameter | Description |
---|---|
Target Scope | Scope of the target that you want to mark as safe in SentinelOne. |
Threat Id | The ID of the threat that you want to mark as safe in SentinelOne. |
Content Hash | (Optional) The Hash ID of the file associated with the threat that you want to mark as safe in SentinelOne. |
Threat Name | (Optional) Name of the threat that is to be marked as safe in SentinelOne. |
Agent Id | (Optional) The ID of the agent on which the threat has been identified. |
Limit Records | (Optional) The maximum number of results, per page, that this operation should return. |
From Scan | Select this option if the threat was detected as a result of a scan. |
The JSON contains a message about the threat being marked as safe.
The output contains the following populated JSON schema:
{
"affected": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent Memory Less Than (MB) | Retrieve logs of only those agents whose memory size is less than the given value. |
Agent Memory Greater Than (MB) | Retrieve logs of only those agents whose memory size is greater than the given value. |
Agent Core Count Less Than | Retrieve logs of only those agents whose core count is less than the given value. |
Agent Core Count Greater Than | Retrieve logs of only those agents whose core count is greater than the given value. |
Is Active | Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Active". |
Is Infected | Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Decommissioned". |
Agent IDs | List of comma-separated agent IDs whose logs you want to retrieve from SentinelOne. |
Computer Name Like | Retrieve logs of only those agents whose computer name matches the specified string. |
Agent Version | The version of the agent whose logs you want to retrieve from SentinelOne. |
OS Type | Select the OS type of the agent in SentinelOne whose logs you want to retrieve. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agent in SentinelOne whose logs you want to retrieve. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON output contains the number of agents whose logs are fetched after the query is successfully run.
The output contains the following populated JSON schema:
{
"affected": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent Memory Less Than (MB) | Retrieve counts of only those agents whose memory size is less than the given value. |
Agent Memory Greater Than (MB) | Retrieve counts of only those agents whose memory size is greater than the given value. |
Agent Core Count Less Than | Retrieve counts of only those agents whose core count is less than the given value. |
Agent Core Count Greater Than | Retrieve counts of only those agents whose core count is greater than the given value. |
Is Active | Select this checkbox if the status of the agents whose count you want to retrieve from SentinelOne is set as "Active". |
Is Infected | Select this checkbox if the status of the agents whose count you want to retrieve from SentinelOne is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agents whose count you want to retrieve from SentinelOne is set as "Decommissioned". |
Agent IDs | List of comma-separated agent IDs whose count you want to retrieve from SentinelOne. |
Computer Name Like | Retrieve the count of only those agents whose computer name matches the specified string. |
Agent Version | The version of the agents whose count you want to retrieve from SentinelOne. |
OS Type | Select the OS type of the agents in SentinelOne whose count you want to retrieve. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agents in SentinelOne whose count you want to retrieve. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON output contains the number of available agents.
The output contains the following populated JSON schema:
{
"total": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent ID | The ID of the agent whose threats you want to list. |
Created After | Specify the datetime used to filter the result set so that it includes only those items created after the specified timestamp. |
Updated After | Specify the datetime used to filter the result set so that it includes only those items updated after the specified timestamp. |
Content Hash | The Hash ID of the file associated with the threat. |
Threat Name | The name of the threat that you want to search for on all agents on SentinelOne. |
Limit Records | The maximum number of results, per page, that this operation should return. |
Offset | Skips the specified number of results (0-1000) from the total results. |
Cursor | Use the 'Cursor' parameter only when a previous call returned a partial result. If a previous response contains a non-empty nextCursor value in its pagination element, pass that value here as the starting point for the next call. |
Additional Fields | Additional fields, in the JSON format, based on which you want to retrieve threats from SentinelOne. |
The JSON contains the objects of the threats that are found after the query is successfully run.
The output contains the following populated JSON schema:
Output schema when 'API Version' === v2.0
{
"data": [
{
"accountId": "",
"accountName": "",
"agentComputerName": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIp": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentNetworkStatus": "",
"agentOsType": "",
"agentVersion": "",
"annotation": "",
"automaticallyResolved": "",
"browserType": "",
"certId": "",
"classification": "",
"classificationSource": "",
"classifierName": "",
"cloudVerdict": "",
"collectionId": "",
"commandId": "",
"createdAt": "",
"createdDate": "",
"description": "",
"engines": [],
"external_ticket_id": "",
"fileContentHash": "",
"fileCreatedDate": "",
"fileDisplayName": "",
"fileExtensionType": "",
"fileIsDotNet": "",
"fileIsExecutable": "",
"fileIsSystem": "",
"fileMaliciousContent": "",
"fileObjectId": "",
"filePath": "",
"fileSha256": "",
"fileVerificationType": "",
"fromCloud": "",
"fromScan": "",
"id": "",
"indicators": [],
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"isCertValid": "",
"isInteractiveSession": "",
"isPartialStory": "",
"maliciousGroupId": "",
"maliciousProcessArguments": "",
"markedAsBenign": "",
"mitigationMode": "",
"mitigationReport": {
"kill": {
"status": ""
},
"network_quarantine": {
"status": ""
},
"quarantine": {
"status": ""
},
"remediate": {
"status": ""
},
"rollback": {
"status": ""
},
"unquarantine": {
"status": ""
}
},
"mitigationStatus": "",
"publisher": "",
"rank": "",
"resolved": "",
"siteId": "",
"siteName": "",
"threatAgentVersion": "",
"threatName": "",
"updatedAt": "",
"username": "",
"whiteningOptions": []
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
Output schema when 'API Version' === v2.1
{
"data": [
{
"agentDetectionInfo": {
"accountId": "",
"accountName": "",
"agentDetectionState": "",
"agentDomain": "",
"agentIpV4": "",
"agentIpV6": "",
"agentLastLoggedInUpn": "",
"agentLastLoggedInUserMail": "",
"agentLastLoggedInUserName": "",
"agentMitigationMode": "",
"agentOsName": "",
"agentOsRevision": "",
"agentRegisteredAt": "",
"agentUuid": "",
"agentVersion": "",
"cloudProviders": {},
"externalIp": "",
"groupId": "",
"groupName": "",
"siteId": "",
"siteName": ""
},
"agentRealtimeInfo": {
"accountId": "",
"accountName": "",
"activeThreats": "",
"agentComputerName": "",
"agentDecommissionedAt": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentMitigationMode": "",
"agentNetworkStatus": "",
"agentOsName": "",
"agentOsRevision": "",
"agentOsType": "",
"agentUuid": "",
"agentVersion": "",
"groupId": "",
"groupName": "",
"networkInterfaces": [
{
"id": "",
"inet": [],
"inet6": [],
"name": "",
"physical": ""
}
],
"operationalState": "",
"rebootRequired": "",
"scanAbortedAt": "",
"scanFinishedAt": "",
"scanStartedAt": "",
"scanStatus": "",
"siteId": "",
"siteName": "",
"storageName": "",
"storageType": "",
"userActionsNeeded": []
},
"containerInfo": {
"id": "",
"image": "",
"labels": "",
"name": ""
},
"id": "",
"indicators": [
{
"category": "",
"description": "",
"ids": [],
"tactics": []
}
],
"kubernetesInfo": {
"cluster": "",
"controllerKind": "",
"controllerLabels": "",
"controllerName": "",
"namespace": "",
"namespaceLabels": "",
"node": "",
"pod": "",
"podLabels": ""
},
"mitigationStatus": [
{
"action": "",
"actionsCounters": {
"failed": "",
"notFound": "",
"pendingReboot": "",
"success": "",
"total": ""
},
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
},
{
"action": "",
"actionsCounters": "",
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
}
],
"threatInfo": {
"analystVerdict": "",
"analystVerdictDescription": "",
"automaticallyResolved": "",
"browserType": "",
"certificateId": "",
"classification": "",
"classificationSource": "",
"cloudFilesHashVerdict": "",
"collectionId": "",
"confidenceLevel": "",
"createdAt": "",
"detectionEngines": [
{
"key": "",
"title": ""
}
],
"detectionType": "",
"engines": [],
"externalTicketExists": "",
"externalTicketId": "",
"failedActions": "",
"fileExtension": "",
"fileExtensionType": "",
"filePath": "",
"fileSize": "",
"fileVerificationType": "",
"identifiedAt": "",
"incidentStatus": "",
"incidentStatusDescription": "",
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"initiatingUsername": "",
"isFileless": "",
"isValidCertificate": "",
"maliciousProcessArguments": "",
"md5": "",
"mitigatedPreemptively": "",
"mitigationStatus": "",
"mitigationStatusDescription": "",
"originatorProcess": "",
"pendingActions": "",
"processUser": "",
"publisherName": "",
"reachedEventsLimit": "",
"rebootRequired": "",
"sha1": "",
"sha256": "",
"storyline": "",
"threatId": "",
"threatName": "",
"updatedAt": ""
},
"whiteningOptions": []
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
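Playbook steps that consume this operation must cope with two response shapes (the flat v2.0 record and the nested v2.1 record shown above) and with cursor pagination. The following is an added example, not connector code: it maps both shapes to one version-independent record and follows pagination.nextCursor with a page bound and a loop check; fetch_page is a stand-in for the connector call, and all sample data is constructed.

```python
"""Normalize 'Get Threats' responses across SentinelOne API v2.0 and v2.1.

Added example, not part of the FortiSOAR connector. It consumes response
dicts shaped like the two documented schemas and follows
pagination.nextCursor. All sample data below is constructed.
"""
from typing import Callable, Dict, Iterator, List, Optional


def normalize_threat(threat: Dict, api_version: str) -> Dict:
    """Map one threat record to a version-independent shape.

    Missing keys become None rather than raising, so a downstream playbook
    step can test for presence instead of failing on a partial record.
    """
    if api_version == "v2.0":
        return {
            "threat_id": threat.get("id"),
            "threat_name": threat.get("threatName"),
            "agent_id": threat.get("agentId"),
            "computer_name": threat.get("agentComputerName"),
            # v2.0 carries the hash in two places; prefer the explicit SHA-256.
            "sha256": threat.get("fileSha256") or threat.get("fileContentHash"),
            "file_path": threat.get("filePath"),
            "mitigation_status": threat.get("mitigationStatus"),
            # mitigationReport is keyed by action (kill, quarantine, ...).
            "mitigation_actions": [
                (action, (report or {}).get("status"))
                for action, report in (threat.get("mitigationReport") or {}).items()
            ],
            "resolved": bool(threat.get("resolved")),
            "incident_status": None,
        }
    if api_version == "v2.1":
        info = threat.get("threatInfo") or {}
        realtime = threat.get("agentRealtimeInfo") or {}
        return {
            "threat_id": threat.get("id"),
            "threat_name": info.get("threatName"),
            "agent_id": realtime.get("agentId"),
            "computer_name": realtime.get("agentComputerName"),
            "sha256": info.get("sha256"),
            "file_path": info.get("filePath"),
            "mitigation_status": info.get("mitigationStatus"),
            # One entry per mitigation action, so a caller can distinguish
            # "killed but quarantine failed" from "fully mitigated".
            "mitigation_actions": [
                (m.get("action"), m.get("status"))
                for m in threat.get("mitigationStatus") or []
            ],
            # v2.1 replaced the boolean with incidentStatus; its values are
            # not documented here, so it is passed through untouched.
            "resolved": None,
            "incident_status": info.get("incidentStatus"),
        }
    raise ValueError(f"unsupported API version: {api_version!r}")


def iter_threats(fetch_page: Callable[[Optional[str]], Dict], api_version: str,
                 max_pages: int = 100) -> Iterator[Dict]:
    """Yield normalized threats, following pagination.nextCursor until empty.

    max_pages and the repeated-cursor check stop a playbook from spinning
    forever if the server keeps handing back a cursor.
    """
    cursor: Optional[str] = None
    seen = set()
    for _ in range(max_pages):
        page = fetch_page(cursor)
        for raw in page.get("data", []):
            yield normalize_threat(raw, api_version)
        cursor = (page.get("pagination") or {}).get("nextCursor")
        if not cursor:
            return
        if cursor in seen:
            raise RuntimeError(f"pagination cursor {cursor!r} repeated")
        seen.add(cursor)
    raise RuntimeError(f"more than {max_pages} pages; refine the filter")


def unmitigated_threats(fetch_page: Callable[[Optional[str]], Dict], api_version: str) -> List[Dict]:
    """Threats where no mitigation ran or at least one action did not succeed."""
    out = []
    for t in iter_threats(fetch_page, api_version):
        actions = t["mitigation_actions"]
        if not actions or any(status != "success" for _, status in actions):
            out.append(t)
    return out


# Constructed v2.1 sample: two pages, the first pointing at the second via nextCursor.
SAMPLE_V21_PAGES: Dict[Optional[str], Dict] = {
    None: {"data": [{"id": "T-1",
                     "agentRealtimeInfo": {"agentId": "A-1", "agentComputerName": "WS01"},
                     "threatInfo": {"threatName": "eicar.com", "sha256": "00" * 32,
                                    "filePath": "C:\\Users\\demo\\eicar.com",
                                    "mitigationStatus": "mitigated", "incidentStatus": "unresolved"},
                     "mitigationStatus": [{"action": "kill", "status": "success"},
                                          {"action": "quarantine", "status": "failed"}]}],
           "pagination": {"nextCursor": "cursor-page-2", "totalItems": 2}},
    "cursor-page-2": {"data": [{"id": "T-2",
                                "agentRealtimeInfo": {"agentId": "A-2", "agentComputerName": "SRV07"},
                                "threatInfo": {"threatName": "demo.ps1", "sha256": "11" * 32,
                                               "filePath": "C:\\Temp\\demo.ps1",
                                               "mitigationStatus": "mitigated", "incidentStatus": "unresolved"},
                                "mitigationStatus": [{"action": "kill", "status": "success"},
                                                     {"action": "quarantine", "status": "success"}]}],
                      "pagination": {"nextCursor": "", "totalItems": 2}},
}


def fetch_sample_v21(cursor: Optional[str]) -> Dict:
    """Stand-in for the connector's Get Threats call (constructed data)."""
    return SAMPLE_V21_PAGES[cursor]


if __name__ == "__main__":
    for t in unmitigated_threats(fetch_sample_v21, "v2.1"):
        print(t["threat_id"], t["computer_name"], t["mitigation_actions"])
```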
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Created After | Specify the datetime used to filter the result set so that it includes only those items created after the specified timestamp. |
Updated After | Specify the datetime used to filter the result set so that it includes only those items updated after the specified timestamp. |
Query | A free-text search term matched as a sub-string against the applicable attributes in SentinelOne; only threats matching it are retrieved. |
Additional Fields | Additional fields, in the JSON format, based on which you want to retrieve threats from SentinelOne. |
The output contains the following populated JSON schema:
Output schema when 'API Version' === v2.0
{
"data": [
{
"accountId": "",
"accountName": "",
"agentComputerName": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIp": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentNetworkStatus": "",
"agentOsType": "",
"agentVersion": "",
"annotation": "",
"automaticallyResolved": "",
"browserType": "",
"certId": "",
"classification": "",
"classificationSource": "",
"classifierName": "",
"cloudVerdict": "",
"collectionId": "",
"commandId": "",
"createdAt": "",
"createdDate": "",
"description": "",
"engines": [],
"external_ticket_id": "",
"fileContentHash": "",
"fileCreatedDate": "",
"fileDisplayName": "",
"fileExtensionType": "",
"fileIsDotNet": "",
"fileIsExecutable": "",
"fileIsSystem": "",
"fileMaliciousContent": "",
"fileObjectId": "",
"filePath": "",
"fileSha256": "",
"fileVerificationType": "",
"fromCloud": "",
"fromScan": "",
"id": "",
"indicators": [],
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"isCertValid": "",
"isInteractiveSession": "",
"isPartialStory": "",
"maliciousGroupId": "",
"maliciousProcessArguments": "",
"markedAsBenign": "",
"mitigationMode": "",
"mitigationReport": {
"kill": {
"status": ""
},
"network_quarantine": {
"status": ""
},
"quarantine": {
"status": ""
},
"remediate": {
"status": ""
},
"rollback": {
"status": ""
},
"unquarantine": {
"status": ""
}
},
"mitigationStatus": "",
"publisher": "",
"rank": "",
"resolved": "",
"siteId": "",
"siteName": "",
"threatAgentVersion": "",
"threatName": "",
"updatedAt": "",
"username": "",
"whiteningOptions": []
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
Output schema when 'API Version' === v2.1
{
"data": [
{
"agentDetectionInfo": {
"accountId": "",
"accountName": "",
"agentDetectionState": "",
"agentDomain": "",
"agentIpV4": "",
"agentIpV6": "",
"agentLastLoggedInUpn": "",
"agentLastLoggedInUserMail": "",
"agentLastLoggedInUserName": "",
"agentMitigationMode": "",
"agentOsName": "",
"agentOsRevision": "",
"agentRegisteredAt": "",
"agentUuid": "",
"agentVersion": "",
"cloudProviders": {},
"externalIp": "",
"groupId": "",
"groupName": "",
"siteId": "",
"siteName": ""
},
"agentRealtimeInfo": {
"accountId": "",
"accountName": "",
"activeThreats": "",
"agentComputerName": "",
"agentDecommissionedAt": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentMitigationMode": "",
"agentNetworkStatus": "",
"agentOsName": "",
"agentOsRevision": "",
"agentOsType": "",
"agentUuid": "",
"agentVersion": "",
"groupId": "",
"groupName": "",
"networkInterfaces": [
{
"id": "",
"inet": [],
"inet6": [],
"name": "",
"physical": ""
}
],
"operationalState": "",
"rebootRequired": "",
"scanAbortedAt": "",
"scanFinishedAt": "",
"scanStartedAt": "",
"scanStatus": "",
"siteId": "",
"siteName": "",
"storageName": "",
"storageType": "",
"userActionsNeeded": []
},
"containerInfo": {
"id": "",
"image": "",
"labels": "",
"name": ""
},
"id": "",
"indicators": [
{
"category": "",
"description": "",
"ids": [],
"tactics": []
}
],
"kubernetesInfo": {
"cluster": "",
"controllerKind": "",
"controllerLabels": "",
"controllerName": "",
"namespace": "",
"namespaceLabels": "",
"node": "",
"pod": "",
"podLabels": ""
},
"mitigationStatus": [
{
"action": "",
"actionsCounters": {
"failed": "",
"notFound": "",
"pendingReboot": "",
"success": "",
"total": ""
},
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
},
{
"action": "",
"actionsCounters": "",
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
}
],
"threatInfo": {
"analystVerdict": "",
"analystVerdictDescription": "",
"automaticallyResolved": "",
"browserType": "",
"certificateId": "",
"classification": "",
"classificationSource": "",
"cloudFilesHashVerdict": "",
"collectionId": "",
"confidenceLevel": "",
"createdAt": "",
"detectionEngines": [
{
"key": "",
"title": ""
}
],
"detectionType": "",
"engines": [],
"externalTicketExists": "",
"externalTicketId": "",
"failedActions": "",
"fileExtension": "",
"fileExtensionType": "",
"filePath": "",
"fileSize": "",
"fileVerificationType": "",
"identifiedAt": "",
"incidentStatus": "",
"incidentStatusDescription": "",
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"initiatingUsername": "",
"isFileless": "",
"isValidCertificate": "",
"maliciousProcessArguments": "",
"md5": "",
"mitigatedPreemptively": "",
"mitigationStatus": "",
"mitigationStatusDescription": "",
"originatorProcess": "",
"pendingActions": "",
"processUser": "",
"publisherName": "",
"reachedEventsLimit": "",
"rebootRequired": "",
"sha1": "",
"sha256": "",
"storyline": "",
"threatId": "",
"threatName": "",
"updatedAt": ""
},
"whiteningOptions": []
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
Parameter | Description |
---|---|
Query | A free-text search term matched as a sub-string against the applicable attributes in SentinelOne; the query ID returned corresponds to this search. |
From Date | The start date of the period that the query covers. |
To Date | The end date of the period that the query covers. |
Group IDs | (Optional) List of comma-separated agent group IDs to which the query is restricted. |
Tenant | Select this checkbox to indicate a tenant scope in the query. |
Query Type | (Optional) Type of query used by Deep Visibility in SentinelOne. |
Account IDs | (Optional) List of comma-separated agent account IDs to which the query is restricted. |
Site IDs | (Optional) List of comma-separated agent site IDs to which the query is restricted. |
The output contains the following populated JSON schema:
{
"queryId": "",
"queryModeInfo": {
"lastActivatedAt": "",
"mode": ""
}
}
Parameter | Description |
---|---|
Query ID | The ID of the query whose status you want to retrieve from SentinelOne. When you create a query in SentinelOne, you get its Query ID. |
The output contains the following populated JSON schema:
{
"progressStatus": "",
"queryModeInfo": {
"lastActivatedAt": "",
"mode": ""
},
"responseState": "",
"warnings": ""
}
Parameter | Description |
---|---|
Query ID | The ID of the query whose associated events you want to retrieve from SentinelOne. When you create a query in SentinelOne, you get its Query ID. |
Limit Records | (Optional) The maximum number of results, per page, that this operation should return. |
Offset | (Optional) Skips the specified number of results (0-1000) from the total results. |
Cursor | (Optional) Use the 'Cursor' parameter only when a previous call returned a partial result. If a previous response contains a non-empty nextCursor value in its pagination element, pass that value here as the starting point for the next call. |
Sort By | (Optional) Name of the field on which you want to sort the results (events). |
Sort Order | (Optional) The sorting order of the results (events). You can choose between Ascending and Descending. |
Sub Query | (Optional) The sub-query that you want to run on the data already pulled. |
The output contains the following populated JSON schema:
{
"data": [
{
"accountId": "",
"activeContentFileId": "",
"activeContentHash": "",
"activeContentPath": "",
"activeContentSignedStatus": "",
"activeContentType": "",
"agentDomain": "",
"agentGroupId": "",
"agentId": "",
"agentInfected": "",
"agentIp": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentName": "",
"agentNetworkStatus": "",
"agentOs": "",
"agentTimestamp": "",
"agentUuid": "",
"agentVersion": "",
"childProcCount": "",
"containerId": "",
"containerImage": "",
"containerLabels": "",
"containerName": "",
"createdAt": "",
"crossProcCount": "",
"crossProcDupRemoteProcHandleCount": "",
"crossProcDupThreadHandleCount": "",
"crossProcOpenProcCount": "",
"crossProcOutOfStorylineCount": "",
"crossProcThreadCreateCount": "",
"dnsCount": "",
"endpointMachineType": "",
"endpointName": "",
"endpointOs": "",
"eventIndex": "",
"eventRepetitionCount": "",
"eventTime": "",
"eventType": "",
"fileIsExecutable": "",
"fileMd5": "",
"fileSha256": "",
"id": "",
"indicatorBootConfigurationUpdateCount": "",
"indicatorEvasionCount": "",
"indicatorExploitationCount": "",
"indicatorGeneralCount": "",
"indicatorInfostealerCount": "",
"indicatorInjectionCount": "",
"indicatorPersistenceCount": "",
"indicatorPostExploitationCount": "",
"indicatorRansomwareCount": "",
"indicatorReconnaissanceCount": "",
"isAgentVersionFullySupportedForPg": "",
"isAgentVersionFullySupportedForPgMessage": "",
"k8sClusterName": "",
"k8sControllerLabels": "",
"k8sControllerName": "",
"k8sControllerType": "",
"k8sNamespace": "",
"k8sNamespaceLabels": "",
"k8sNode": "",
"k8sPodLabels": "",
"k8sPodName": "",
"lastActivatedAt": "",
"metaEventName": "",
"moduleCount": "",
"netConnCount": "",
"netConnInCount": "",
"netConnOutCount": "",
"objectType": "",
"osSrcChildProcCount": "",
"osSrcCrossProcCount": "",
"osSrcCrossProcDupRemoteProcHandleCount": "",
"osSrcCrossProcDupThreadHandleCount": "",
"osSrcCrossProcOpenProcCount": "",
"osSrcCrossProcOutOfStorylineCount": "",
"osSrcCrossProcThreadCreateCount": "",
"osSrcDnsCount": "",
"osSrcIndicatorBootConfigurationUpdateCount": "",
"osSrcIndicatorEvasionCount": "",
"osSrcIndicatorExploitationCount": "",
"osSrcIndicatorGeneralCount": "",
"osSrcIndicatorInfostealerCount": "",
"osSrcIndicatorInjectionCount": "",
"osSrcIndicatorPersistenceCount": "",
"osSrcIndicatorPostExploitationCount": "",
"osSrcIndicatorRansomwareCount": "",
"osSrcIndicatorReconnaissanceCount": "",
"osSrcModuleCount": "",
"osSrcNetConnCount": "",
"osSrcNetConnInCount": "",
"osSrcNetConnOutCount": "",
"osSrcProcActiveContentFileId": "",
"osSrcProcActiveContentHash": "",
"osSrcProcActiveContentPath": "",
"osSrcProcActiveContentSignedStatus": "",
"osSrcProcActiveContentType": "",
"osSrcProcBinaryisExecutable": "",
"osSrcProcCmdLine": "",
"osSrcProcDisplayName": "",
"osSrcProcImageMd5": "",
"osSrcProcImagePath": "",
"osSrcProcImageSha1": "",
"osSrcProcImageSha256": "",
"osSrcProcIntegrityLevel": "",
"osSrcProcIsNative64Bit": "",
"osSrcProcIsRedirectCmdProcessor": "",
"osSrcProcIsStorylineRoot": "",
"osSrcProcName": "",
"osSrcProcParentActiveContentFileId": "",
"osSrcProcParentActiveContentHash": "",
"osSrcProcParentActiveContentPath": "",
"osSrcProcParentActiveContentSignedStatus": "",
"osSrcProcParentActiveContentType": "",
"osSrcProcParentCmdLine": "",
"osSrcProcParentDisplayName": "",
"osSrcProcParentImageMd5": "",
"osSrcProcParentImagePath": "",
"osSrcProcParentImageSha1": "",
"osSrcProcParentImageSha256": "",
"osSrcProcParentIntegrityLevel": "",
"osSrcProcParentIsNative64Bit": "",
"osSrcProcParentIsRedirectCmdProcessor": "",
"osSrcProcParentIsStorylineRoot": "",
"osSrcProcParentName": "",
"osSrcProcParentPid": "",
"osSrcProcParentPublisher": "",
"osSrcProcParentReasonSignatureInvalid": "",
"osSrcProcParentSessionId": "",
"osSrcProcParentSignedStatus": "",
"osSrcProcParentStartTime": "",
"osSrcProcParentStorylineId": "",
"osSrcProcParentUid": "",
"osSrcProcParentUser": "",
"osSrcProcPid": "",
"osSrcProcPublisher": "",
"osSrcProcReasonSignatureInvalid": "",
"osSrcProcRelatedToThreat": "",
"osSrcProcSessionId": "",
"osSrcProcSignedStatus": "",
"osSrcProcStartTime": "",
"osSrcProcStorylineId": "",
"osSrcProcSubsystem": "",
"osSrcProcUid": "",
"osSrcProcUser": "",
"osSrcProcVerifiedStatus": "",
"osSrcRegistryChangeCount": "",
"osSrcTgtFileCreationCount": "",
"osSrcTgtFileDeletionCount": "",
"osSrcTgtFileModificationCount": "",
"parentPid": "",
"parentProcessName": "",
"parentProcessStartTime": "",
"parentProcessUniqueKey": "",
"pid": "",
"processCmd": "",
"processDisplayName": "",
"processGroupId": "",
"processImagePath": "",
"processImageSha1Hash": "",
"processIntegrityLevel": "",
"processIsRedirectedCommandProcessor": "",
"processIsWow64": "",
"processName": "",
"processRoot": "",
"processSessionId": "",
"processStartTime": "",
"processSubSystem": "",
"processUniqueKey": "",
"publisher": "",
"registryChangeCount": "",
"relatedToThreat": "",
"retentionPeriod": "",
"rpid": "",
"signatureSignedInvalidReason": "",
"signedStatus": "",
"siteId": "",
"siteName": "",
"srcProcActiveContentFileId": "",
"srcProcActiveContentHash": "",
"srcProcActiveContentPath": "",
"srcProcActiveContentSignedStatus": "",
"srcProcActiveContentType": "",
"srcProcBinaryisExecutable": "",
"srcProcCmdLine": "",
"srcProcDisplayName": "",
"srcProcImageMd5": "",
"srcProcImagePath": "",
"srcProcImageSha1": "",
"srcProcImageSha256": "",
"srcProcIntegrityLevel": "",
"srcProcIsNative64Bit": "",
"srcProcIsRedirectCmdProcessor": "",
"srcProcIsStorylineRoot": "",
"srcProcName": "",
"srcProcParentActiveContentFileId": "",
"srcProcParentActiveContentHash": "",
"srcProcParentActiveContentPath": "",
"srcProcParentActiveContentSignedStatus": "",
"srcProcParentActiveContentType": "",
"srcProcParentCmdLine": "",
"srcProcParentDisplayName": "",
"srcProcParentImageMd5": "",
"srcProcParentImagePath": "",
"srcProcParentImageSha1": "",
"srcProcParentImageSha256": "",
"srcProcParentIntegrityLevel": "",
"srcProcParentIsNative64Bit": "",
"srcProcParentIsRedirectCmdProcessor": "",
"srcProcParentIsStorylineRoot": "",
"srcProcParentName": "",
"srcProcParentPid": "",
"srcProcParentProcUid": "",
"srcProcParentPublisher": "",
"srcProcParentReasonSignatureInvalid": "",
"srcProcParentSessionId": "",
"srcProcParentSignedStatus": "",
"srcProcParentStartTime": "",
"srcProcParentStorylineId": "",
"srcProcParentUid": "",
"srcProcParentUser": "",
"srcProcPid": "",
"srcProcPublisher": "",
"srcProcReasonSignatureInvalid": "",
"srcProcRelatedToThreat": "",
"srcProcRpid": "",
"srcProcSessionId": "",
"srcProcSignedStatus": "",
"srcProcStartTime": "",
"srcProcStorylineId": "",
"srcProcSubsystem": "",
"srcProcTid": "",
"srcProcUid": "",
"srcProcUser": "",
"srcProcVerifiedStatus": "",
"storyline": "",
"tgtFileCreationCount": "",
"tgtFileDeletionCount": "",
"tgtFileModificationCount": "",
"tgtPid": "",
"tgtProcAccessRights": "",
"tgtProcActiveContentFileId": "",
"tgtProcActiveContentHash": "",
"tgtProcActiveContentPath": "",
"tgtProcActiveContentSignedStatus": "",
"tgtProcActiveContentType": "",
"tgtProcBinaryisExecutable": "",
"tgtProcCmdLine": "",
"tgtProcDisplayName": "",
"tgtProcImageMd5": "",
"tgtProcImagePath": "",
"tgtProcImageSha1": "",
"tgtProcImageSha256": "",
"tgtProcIntegrityLevel": "",
"tgtProcIsNative64Bit": "",
"tgtProcIsRedirectCmdProcessor": "",
"tgtProcIsStorylineRoot": "",
"tgtProcName": "",
"tgtProcPid": "",
"tgtProcPublisher": "",
"tgtProcReasonSignatureInvalid": "",
"tgtProcRelation": "",
"tgtProcSessionId": "",
"tgtProcSignedStatus": "",
"tgtProcStartTime": "",
"tgtProcStorylineId": "",
"tgtProcSubsystem": "",
"tgtProcUid": "",
"tgtProcUser": "",
"tgtProcVerifiedStatus": "",
"tiOriginalEventId": "",
"tiOriginalEventIndex": "",
"tiOriginalEventTraceId": "",
"tid": "",
"tiindicatorRelatedEventTime": "",
"traceId": "",
"trueContext": "",
"user": "",
"verifiedStatus": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
Parameter | Description |
---|---|
Query ID | The ID of the query whose associated events you want to retrieve from SentinelOne. When you create a query in SentinelOne, you get its Query ID. |
Event Type | Event type by which you want to filter the results (events). You can choose from the following event types: Events, File, Ip, Url, Dns, Process, Registry, Scheduled task, Logins, or Indicators. |
Limit Records | (Optional) The maximum number of results, per page, that this operation should return. |
Offset | (Optional) Skips the specified number of results (0-1000) from the total results. |
Cursor | (Optional) Use the 'Cursor' parameter only when a previous call returned a partial result. If a previous response contains a non-empty nextCursor value in its pagination element, pass that value here as the starting point for the next call. |
Sort Order | (Optional) The sorting order of the results (events). You can choose between Ascending and Descending. |
Sort By | (Optional) Name of the field on which you want to sort the results (events). |
Sub Query | (Optional) The sub-query that you want to run on the data already pulled. |
The output contains the following populated JSON schema:
{
"data": {
"agentGroupId": "",
"indicatorCategory": "",
"indicatorDescription": "",
"agentUuid": "",
"fileId": "",
"loginsBaseType": "",
"processName": "",
"agentIp": "",
"threatStatus": "",
"processSubSystem": "",
"direction": "",
"processImagePath": "",
"agentIsActive": "",
"agentVersion": "",
"parentProcessName": "",
"agentInfected": "",
"indicatorMetadata": "",
"processIsMalicious": "",
"srcPort": "",
"user": "",
"processStartTime": "",
"siteName": "",
"agentName": "",
"md5": "",
"sha1": "",
"registryId": "",
"fileSha1": "",
"id": "",
"sha256": "",
"processCmd": "",
"networkMethod": "",
"indicatorName": "",
"parentProcessGroupId": "",
"taskName": "",
"srcIp": "",
"registryPath": "",
"parentPid": "",
"parentProcessUniqueKey": "",
"agentMachineType": "",
"dnsResponse": "",
"tid": "",
"processSessionId": "",
"networkUrl": "",
"eventSubType": "",
"createdAt": "",
"dstPort": "",
"processUserName": "",
"agentDomain": "",
"fileSha256": "",
"processDisplayName": "",
"agentNetworkStatus": "",
"loginsUserName": "",
"signer": "",
"rpid": "",
"taskPath": "",
"pid": "",
"processIntegrityLevel": "",
"oldFileMd5": "",
"relatedToThreat": "",
"oldFileSha1": "",
"processGroupId": "",
"networkSource": "",
"fileMd5": "",
"oldFileSha256": "",
"agentOs": "",
"oldFileName": "",
"eventType": "",
"agentIsDecommissioned": "",
"parentProcessStartTime": "",
"processImageSha1Hash": "",
"trueContext": "",
"parentProcessIsMalicious": "",
"dnsRequest": "",
"fileFullName": "",
"dstIp": "",
"processUniqueKey": "",
"forensicUrl": "",
"agentId": ""
},
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
Parameter | Description |
---|---|
Query ID | The ID of the Deep Visibility query that you want to stop in SentinelOne. When you create a query in SentinelOne, you get its Query ID. |
The output contains the following populated JSON schema:
{
"success": ""
}
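The five Deep Visibility operations above form one lifecycle: create the query, poll its status, fetch the events, and stop a query that is no longer needed. The following is an added example, not connector code, that drives that lifecycle with a timeout and stops the query when the timeout fires; the client object stands in for the connector operations, its responses are constructed, and the terminal responseState values are assumptions kept in one place because the page lists the field but not its values.

```python
"""Run a Deep Visibility query end to end: create, poll, fetch, stop.

Added example, not part of the FortiSOAR connector. `client` stands in
for the documented operations (Get Query ID, Get Query Status, Get
Events, Stop Query); the scripted client below replays constructed data.
"""
import time
from typing import Callable, Dict, List, Optional

# Assumed values of responseState; adjust for the API version in use.
SUCCESS_STATES = frozenset({"FINISHED"})
FAILURE_STATES = frozenset({"FAILED", "ERROR", "TIMED_OUT", "QUERY_CANCEL"})


class DVQueryError(RuntimeError):
    """The query reached a failure state on the server side."""


def run_dv_query(client, query: str, from_date: str, to_date: str,
                 timeout_s: float = 300.0, poll_interval_s: float = 2.0,
                 sleep: Callable[[float], None] = time.sleep,
                 clock: Callable[[], float] = time.monotonic) -> List[Dict]:
    """Create a query, wait for it to finish, and return its events.

    sleep and clock are injectable so the flow can be tested without
    real waiting. On timeout the query is stopped before re-raising, so
    an abandoned playbook run does not leave work queued on the server.
    """
    query_id = client.create_query(query, from_date, to_date)["queryId"]
    deadline = clock() + timeout_s
    while True:
        status = client.query_status(query_id)
        state = status.get("responseState")
        if state in SUCCESS_STATES:
            break
        if state in FAILURE_STATES:
            raise DVQueryError(f"query {query_id} ended in {state}: {status.get('warnings')}")
        if clock() >= deadline:
            client.stop_query(query_id)
            raise TimeoutError(f"query {query_id} still {state!r} after {timeout_s}s; stopped")
        sleep(poll_interval_s)
    return client.get_events(query_id, limit=1000).get("data", [])


class ScriptedClient:
    """Replays constructed responses in the documented output shapes."""

    def __init__(self, statuses: List[Dict], events: Optional[List[Dict]] = None):
        self.statuses = list(statuses)
        self.events = events or []
        self.stopped: List[str] = []

    def create_query(self, query: str, from_date: str, to_date: str) -> Dict:
        return {"queryId": "q-0001", "queryModeInfo": {"lastActivatedAt": "", "mode": ""}}

    def query_status(self, query_id: str) -> Dict:
        # Hand out scripted statuses in order, then keep repeating the last one.
        return self.statuses.pop(0) if len(self.statuses) > 1 else self.statuses[0]

    def get_events(self, query_id: str, limit: int = 1000) -> Dict:
        return {"data": self.events[:limit],
                "pagination": {"nextCursor": "", "totalItems": len(self.events)}}

    def stop_query(self, query_id: str) -> Dict:
        self.stopped.append(query_id)
        return {"success": True}


class FakeClock:
    """Deterministic clock: sleeping advances time instead of waiting."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def demo() -> Dict:
    """Two scripted runs: one that finishes, one that hangs and is stopped."""
    finishing = ScriptedClient(
        [{"progressStatus": 40, "responseState": "RUNNING", "warnings": ""},
         {"progressStatus": 100, "responseState": "FINISHED", "warnings": ""}],
        events=[{"id": "evt-1", "eventType": "Process", "processName": "powershell.exe"}])
    clock = FakeClock()
    events = run_dv_query(finishing, 'ProcessName = "powershell.exe"',
                          "2024-01-01T00:00:00Z", "2024-01-02T00:00:00Z",
                          sleep=clock.sleep, clock=clock)

    stuck = ScriptedClient([{"progressStatus": 10, "responseState": "RUNNING", "warnings": ""}])
    clock = FakeClock()
    timed_out = False
    try:
        run_dv_query(stuck, 'ProcessName = "powershell.exe"', "2024-01-01T00:00:00Z",
                     "2024-01-02T00:00:00Z", timeout_s=10, poll_interval_s=2,
                     sleep=clock.sleep, clock=clock)
    except TimeoutError:
        timed_out = True
    return {"events": events, "timed_out": timed_out, "stopped": stuck.stopped}


if __name__ == "__main__":
    print(demo())
```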
Parameter | Description |
---|---|
Threat ID | The ID of the threat whose "seen on network data" you want to retrieve from SentinelOne. |
Site IDs | (Optional) List of comma-separated agent sites whose "seen on network data" you want to retrieve from SentinelOne. |
Group IDs | (Optional) List of comma-separated agent groups whose "seen on network data" you want to retrieve from SentinelOne. |
Account IDs | (Optional) List of comma-separated agent accounts whose "seen on network data" you want to retrieve from SentinelOne. |
The output contains the following populated JSON schema:
{
"agent_version": "",
"description": "",
"created_date": "",
"meta_data": {
"updated_at": "",
"created_at": ""
},
"id": "",
"malicious_group_id": "",
"resolved": "",
"status": "",
"from_cloud": "",
"agent": ""
}
Parameter | Description |
---|---|
Threat ID | The ID of the threat whose forensic details you want to retrieve from SentinelOne. |
The output contains the following populated JSON schema:
{
"result": {
"policy_id": "",
"agent_version": "",
"occurred_at": "",
"graph": {
"edges_summary": [],
"node_sets": {}
},
"file_hash": "",
"file_display_name": "",
"file_created_at": "",
"agent": "",
"category_scores": [],
"publisher": "",
"raw_data": {
"edges": [],
"nodes": {
"6ADE07922117100C": {
"agent_version": "",
"in_threat": "",
"malicious_content": "",
"agent_uuid": "",
"meta_data": {
"updated_at": "",
"count": "",
"created_at": ""
},
"has_reputation": "",
"group_id": "",
"event_type": "",
"object_id": "",
"data": {
"path": "",
"is_system": "",
"created_date": "",
"is_executable": "",
"verification_type": "",
"extension_type": "",
"size": "",
"object_id": "",
"content_hash": "",
"permission": ""
}
}
}
},
"indicators": [],
"cert_id": "",
"is_cert_valid": ""
}
}
Parameter | Description |
---|---|
Threat ID | The ID of the threat whose data, along with its associated threats, you want to export in the CSV, JSON, or RAW format from SentinelOne. |
Export Format | The format in which you want to export the threat data. You can choose between the following formats: CSV, RAW, or JSON. |
The output contains the following populated JSON schema:
{
"threat_details": {
"description": "",
"id": "",
"created_at": "",
"agent": ""
},
"threats": [],
"agent_details": {
"external_ip": "",
"registered_at": "",
"agent_version_current": "",
"computer_name": "",
"last_active_date": "",
"agent_version_at_threat_time": "",
"group_ip": "",
"domain": "",
"cpu": "",
"os": ""
},
"file_details": {
"size": "",
"created_at": "",
"id": "",
"display_name": "",
"permission": "",
"content_hash": ""
},
"reputation": {
"rank": ""
}
}
Parameter | Description |
---|---|
Threat ID | The ID of the threat for which you want to retrieve the forensic data. |
Site IDs | (Optional) List of comma-separated agent sites whose threat data you want to retrieve from SentinelOne. |
Group IDs | (Optional) List of comma-separated agent groups whose threat data you want to retrieve from SentinelOne. |
Account IDs | (Optional) List of comma-separated agent accounts whose threat data you want to retrieve from SentinelOne. |
The output contains the following populated JSON schema:
{
"result": {
"seen_on_network": "",
"occurred_at": "",
"file_display_name": "",
"marked_as_benign": "",
"classifier_name": "",
"mitigation_status": "",
"file_created_at": "",
"file_path": "",
"classification_source": "",
"classification": "",
"mitigation_report": {
"quarantine": {
"status": ""
},
"rollback": {
"status": ""
},
"remediate": {
"status": ""
},
"network_quarantine": {
"status": ""
},
"kill": {
"status": ""
}
},
"threat_id": "",
"whitening_options": [],
"threat_created": "",
"malicious_group_id": "",
"in_quarantine": "",
"file_content_hash": "",
"file_hash": "",
"malicious_process_arguments": "",
"annotation_url": "",
"agent": "",
"from_scan": "",
"annotation": "",
"file_description": "",
"resolved": "",
"mitigation_actions": []
}
}
None.
The output contains the following populated JSON schema:
{
"title": "",
"key": "",
"autoComplete": ""
}
Parameter | Description |
---|---|
Get Count By | Filter based on which you want to retrieve the application count from SentinelOne. You can choose between Risk Levels or Filters. By default, this is set as Risk Level. |
Site IDs | (Optional) List of comma-separated agent sites whose application count you want to retrieve from SentinelOne. |
Group IDs | (Optional) List of comma-separated agent groups whose application count you want to retrieve from SentinelOne. |
Account IDs | (Optional) List of comma-separated agent accounts whose application count you want to retrieve from SentinelOne. |
Agent Machine Types | (Optional) Type of agent machine whose application count you want to retrieve from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server. |
Application IDs | (Optional) List of comma-separated application IDs whose application count you want to retrieve, per filter value, from SentinelOne. |
Application Types | (Optional) Type of application whose application count you want to retrieve from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension. |
Is Decommissioned | Select this checkbox if the status of the agent whose application count you want to retrieve from SentinelOne is set as "Decommissioned". |
Risk Levels | (Optional) Level of risks whose application count you want to retrieve from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical. |
OS Types | (Optional) Type of OS whose application count you want to retrieve from SentinelOne. You can choose between the following OS types: MacOS, Windows_Legacy, Linux, or Windows. |
Additional Fields | Additional fields, in the JSON format, based on which you want to retrieve application counts from SentinelOne. |
The output contains the following populated JSON schema:
Output schema when you choose "Get Count By" as "Risk Levels":
{
"enableNegation": "",
"key": "",
"title": "",
"values": [
{
"count": "",
"title": "",
"value": ""
}
]
}
Output schema when you choose "Get Count By" as "Filters":
{
"enableNegation": "",
"disableSorting": "",
"key": "",
"title": "",
"values": [
{
"count": "",
"title": "",
"value": ""
}
]
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Internal CVE IDs | List of comma-separated internal CVE IDs on which you want to filter the CVEs retrieved using this operation from SentinelOne. |
Global CVE IDs | List of comma-separated global CVE IDs on which you want to filter the CVEs retrieved using this operation from SentinelOne. |
Limit Records | The maximum number of results, per page, that this operation should return. |
Skip Count | Select this option to skip calculating the total number of results, which speeds up execution. |
Sort By | Name of the field on which you want to sort the result. You can choose between the following fields: ID, PublishedAt, AgentID, or ApplicationID. |
Sort Order | The sorting order of the results (CVEs). You can choose between Ascending or Descending. |
Count Only | Select this option to only retrieve the total number of items, without any of the actual objects, from SentinelOne. |
Cursor | The 'Cursor' parameter is used only if a previous operation had returned a partial result. If a previous response contains a cursor element, then the value of the cursor element includes a cursor parameter that specifies a starting point to use for subsequent calls. This parameter is useful when we have pagination in the response. |
Additional Fields | Additional fields, in the JSON format, based on which you want to retrieve CVEs from SentinelOne. |
The output contains the following populated JSON schema:
{
"data": [
{
"createdAt": "",
"cveId": "",
"description": "",
"id": "",
"link": "",
"publishedAt": "",
"riskLevel": "",
"score": "",
"updatedAt": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
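The cursor handling described above (first call without a cursor, then resend `pagination.nextCursor` until it comes back empty) as a worked example; this is added code, not the connector's own, and `fake_fetch_page`, the sample pages and their placeholder CVE IDs are constructed stand-ins for the real HTTP call and its responses. It also rolls the collected records up into the `{title, value, count}` shape that the "Get Count By: Risk Levels" output uses.

```python
from typing import Callable, Dict, Iterator, List, Optional

Page = Dict[str, object]
FetchPage = Callable[[Optional[str]], Page]


class PaginationError(RuntimeError):
    """Raised when the cursor chain loops or exceeds the page budget."""


def iter_items(fetch_page: FetchPage, max_pages: int = 100) -> Iterator[dict]:
    """Yield every record in "data", page by page, following pagination.nextCursor.

    The first request is made without a cursor; a page whose nextCursor is empty
    or missing is the last one. A repeated cursor, or more than max_pages pages,
    raises PaginationError instead of looping forever. totalItems is not used as
    a bound: it is blank when "Skip Count" is selected.
    """
    cursor: Optional[str] = None
    seen_cursors = set()
    for _ in range(max_pages):
        page = fetch_page(cursor)
        for item in page.get("data") or []:
            yield item
        next_cursor = (page.get("pagination") or {}).get("nextCursor") or None
        if next_cursor is None:
            return
        if next_cursor in seen_cursors:
            raise PaginationError(f"cursor {next_cursor!r} repeated; aborting")
        seen_cursors.add(next_cursor)
        cursor = next_cursor
    raise PaginationError(f"more than {max_pages} pages fetched; aborting")


def collect_items(fetch_page: FetchPage, max_pages: int = 100) -> List[dict]:
    """Materialise all pages into one list (the form a playbook step would emit)."""
    return list(iter_items(fetch_page, max_pages))


def count_by_risk_level(items: List[dict]) -> List[dict]:
    """Summarise records as one {"title", "value", "count"} entry per risk level,
    the same shape as the "Get Count By: Risk Levels" output schema."""
    counts: Dict[str, int] = {}
    for item in items:
        level = str(item.get("riskLevel") or "none")
        counts[level] = counts.get(level, 0) + 1
    return [{"title": level.capitalize(), "value": level, "count": n}
            for level, n in sorted(counts.items())]


def detects_cursor_loop(fetch_page: FetchPage, max_pages: int = 100) -> bool:
    """True if walking fetch_page is stopped by the loop/budget guard."""
    try:
        collect_items(fetch_page, max_pages)
    except PaginationError:
        return True
    return False


# Constructed sample responses keyed by the cursor that requests them. The CVE
# identifiers are placeholders, not real CVEs; field names follow the Get CVEs
# output schema above.
SAMPLE_PAGES: Dict[Optional[str], Page] = {
    None: {"data": [{"id": "1", "cveId": "CVE-0000-0001", "riskLevel": "high", "score": "8.1"},
                    {"id": "2", "cveId": "CVE-0000-0002", "riskLevel": "medium", "score": "5.3"}],
           "pagination": {"nextCursor": "cursor-2", "totalItems": 5}},
    "cursor-2": {"data": [{"id": "3", "cveId": "CVE-0000-0003", "riskLevel": "critical", "score": "9.8"},
                          {"id": "4", "cveId": "CVE-0000-0004", "riskLevel": "high", "score": "7.5"}],
                 "pagination": {"nextCursor": "cursor-3", "totalItems": 5}},
    # Last page: nextCursor is empty, exactly as the schema documents it.
    "cursor-3": {"data": [{"id": "5", "cveId": "CVE-0000-0005", "riskLevel": "medium", "score": "4.0"}],
                 "pagination": {"nextCursor": "", "totalItems": 5}},
}


def fake_fetch_page(cursor: Optional[str]) -> Page:
    """Hypothetical stand-in for the HTTP call; a real client would send the
    cursor as the operation's Cursor parameter and return the decoded JSON."""
    if cursor not in SAMPLE_PAGES:
        raise ValueError(f"unknown cursor {cursor!r}")
    return SAMPLE_PAGES[cursor]


def fake_looping_fetch_page(cursor: Optional[str]) -> Page:
    """Misbehaving server that hands back the same cursor on every page."""
    return {"data": [{"id": "x", "riskLevel": "low"}],
            "pagination": {"nextCursor": "same-cursor", "totalItems": ""}}


if __name__ == "__main__":
    cves = collect_items(fake_fetch_page)
    print(len(cves), "CVEs;", count_by_risk_level(cves))
    print("loop guard triggered:", detects_cursor_loop(fake_looping_fetch_page))
```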
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Site IDs | List of comma-separated agent site IDs to export application risks from SentinelOne. |
Group IDs | List of comma-separated agent group IDs to export application risks from SentinelOne. |
Account IDs | List of comma-separated agent account IDs to export application risks from SentinelOne. |
Size Between | Size range of the application between which you want to filter the application risks. You can specify the size range in bytes from 1024 to 104856. |
Agent Machine Types | Type of agent machine whose application risks you want to export from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server. |
Application IDs | The ID of the agent application whose installed applications and CVEs list you want to export from SentinelOne. |
Application Types | Type of application whose application risks you want to export from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension. |
Is Decommissioned | Select this checkbox if the status of the agent whose application risks you want to export from SentinelOne is set as "Decommissioned". |
Risk Levels | Level of risks whose application risks you want to export from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical. |
OS Types | Type of OS whose application risks you want to export from SentinelOne. You can choose between the following OS types: MacOS, Windows Legacy, Linux, or Windows. |
Additional Fields | Additional fields, in the JSON format, based on which you want to export application risks from SentinelOne. |
The output contains the following populated JSON schema:
{
"id": "",
"@id": "",
"file": {
"id": "",
"@id": "",
"size": "",
"uuid": "",
"@type": "",
"assignee": "",
"filename": "",
"metadata": [],
"mimeType": "",
"thumbnail": "",
"uploadDate": ""
},
"name": "",
"type": "",
"uuid": "",
"@type": "",
"tasks": [],
"alerts": [],
"assets": [],
"owners": [],
"people": [],
"@context": "",
"assignee": "",
"comments": [],
"warrooms": [],
"incidents": [],
"createDate": "",
"createUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"indicators": [],
"modifyDate": "",
"modifyUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"recordTags": [],
"userOwners": [],
"description": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Limit Records | The maximum number of results, per page, that this operation should return. |
Skip Count | Select this option to skip calculating the total number of results, which speeds up execution. |
Sort Order | The sorting order of the results (applications). You can choose between Ascending or Descending. |
Agent Machine Types | Type of endpoint machine whose applications you want to retrieve from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server. |
Application IDs | The ID of the agent application whose installed applications you want to retrieve from SentinelOne |
Is Decommissioned | Select this checkbox if the status of the agent whose applications you want to retrieve from SentinelOne is set as "Decommissioned". |
Application Types | Type of application whose applications you want to retrieve from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension. |
Risk Levels | Level of risks whose applications you want to retrieve from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical. |
Sort By | Name of the field on which you want to sort the result. You can choose between the following fields: ID, InstallAt, Type, Name, Publisher, Version, Size, AgentComputerName, or RiskLevel. |
Count Only | Select this option to only retrieve the total number of items, without any of the actual objects, from SentinelOne. |
OS Types | Type of OS whose applications you want to retrieve from SentinelOne. You can choose between the following OS types: MacOS, Windows Legacy, Linux, or Windows. |
Additional Fields | Additional fields, in the JSON format, based on which you want to retrieve applications from SentinelOne. |
The output contains the following populated JSON schema:
{
"data": [
{
"agentComputerName": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentNetworkStatus": "",
"agentOperationalState": "",
"agentOsType": "",
"agentUuid": "",
"agentVersion": "",
"createdAt": "",
"id": "",
"installedAt": "",
"name": "",
"osType": "",
"publisher": "",
"riskLevel": "",
"signed": "",
"size": "",
"type": "",
"updatedAt": "",
"version": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
Parameter | Description |
---|---|
Application ID | The ID of the agent application whose application CVEs you want to retrieve from SentinelOne. |
The output contains the following populated JSON schema:
{
"agentInfected": "",
"agentNetworkStatus": "",
"installedAt": "",
"signed": "",
"size": "",
"type": "",
"updatedAt": "",
"agentComputerName": "",
"name": "",
"agentOsType": "",
"version": "",
"publisher": "",
"agentMachineType": "",
"id": "",
"agentVersion": "",
"osType": "",
"createdAt": "",
"cves": [],
"agentDomain": "",
"agentId": "",
"agentIsDecommissioned": "",
"riskLevel": "",
"agentUuid": "",
"agentIsActive": ""
}
The Sample - SentinelOne - 3.1.0 playbook collection comes bundled with the SentinelOne connector. This playbook collection contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the SentinelOne connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling threats from SentinelOne. Currently, "threats" in SentinelOne have been mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming SentinelOne "threats" to FortiSOAR™ "Alerts".
The Data Ingestion Wizard enables you to configure scheduled pulling of data from SentinelOne into FortiSOAR. It also lets you pull some sample data from SentinelOne using which you can define the mapping of data between SentinelOne and FortiSOAR. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the SentinelOne threat.
On the Field Mapping screen, map the fields of a SentinelOne threat to the fields of an alert present in FortiSOAR™.
To map a field, click the key in the sample data to add the "jinja" value of the field. For example, to map the agentIp parameter of a SentinelOne threat to the Source IP parameter of a FortiSOAR™ alert, click the Source IP field and then click the agentIp field to populate its keys.
For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
(Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to SentinelOne, so that the content gets pulled from the SentinelOne integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the "Configure Schedule Settings" section, specify the Cron expression for the schedule. For example, if you want to pull data from SentinelOne every morning at 5 am, click Daily, enter 5 in the hour box, and enter 0 in the minute box.
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
This generally occurs in the case of self-signed SSL certificates. If you are using self-signed certificates for testing or staging, keep in mind that this problem will not occur in production, and you might need to switch certificate verification on or off accordingly.
Resolution:
Ensure that the SSL certificates are trusted or that SSL checking is turned off in the wrapper script. This is not advised for production instances.
There are many reasons for a playbook failure, for example, if a required field is null in the target module record, or there are problems with the Playbook Appliance keys.
Resolution:
Investigate the reason for failure using the 'Executed Playbook Logs'. Review the step in which the failure is being generated and the result of the step, which should contain the trace of the error. Once you have identified the error and if you cannot troubleshoot the error, contact Fortinet support for further assistance.
SentinelOne is a cybersecurity platform. SentinelOne unifies prevention, detection, and response in a single platform, enabling organizations to protect their user endpoint devices and critical servers against advanced malware, exploits, and other types of sophisticated threats.
This document provides information about the SentinelOne connector, which facilitates automated interactions, with a SentinelOne server using FortiSOAR™ playbooks. Add the SentinelOne connector as a step in FortiSOAR™ playbooks and perform automated operations, such as detecting threats at the endpoints, isolating or shutting down agents, etc.
You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling threats from SentinelOne. For more information, see the Data Ingestion Support section.
Connector Version: 3.1.0
FortiSOAR™ Version Tested on: 7.2.1-1021
SentinelOne API Versions Tested on: v2.0.0-EA#115, v2.1
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the SentinelOne connector in version 3.1.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root
user to install connectors from an SSH session:
yum install cyops-connector-sentinelone
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the SentinelOne connector card. On the connector popup, click the Configurations tab to enter the required configuration details:
Parameter | Description |
---|---|
Server URL | Specify the URL of the SentinelOne REST endpoint to which you will connect and perform the automated operations. |
API Token | Specify the API token that is required to access the SentinelOne REST endpoint. Important: The minimum role required for the user to use the API endpoint is "Site Viewer". |
API Version | Specify the version of the API that you are using to access the SentinelOne REST endpoint. |
Verify SSL | Verify SSL connection to the SentinelOne API endpoint. By default, this option is set as T rue . |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations:
Function | Description | Annotation and Category |
---|---|---|
Get Agents | Retrieves a list of agents attached to an account from SentinelOne based on the input parameters you have specified. | list_agents Investigation |
Agent Action | Actions that you want to perform on an agent in Sentinel One based on the action, agent IDs, and other input parameters you have specified. | isolate_agent Containment |
Reconnect Agent | Reconnects a disconnected agent to the network in SentinelOne based on the input parameters you have specified. | reconnect_agent Remediation |
Get Agent Passphrase | Retrieves an agent's passphrase to uninstall an offline agent in SentinelOne based on the agent ID you have specified. | agent_passphrase Miscellaneous |
Get Agent Application | Retrieves a list of applications installed on an agent in SentinelOne based on the agent ID you have specified. | list_applications Investigation |
Get Agent Process | Retrieves a list of processes running on an agent in SentinelOne based on the agent ID you have specified. | list_processes Investigation |
Broadcast Message to Agent | Broadcasts a message to a specified agent system or a list of agent systems in SentinelOne based on the agent ID, message, and other input parameters you have specified. | broadcast_message Miscellaneous |
Initiate Agent Scan | Initiates scanning on a specified agent system or all agents in SentinelOne based on the input parameters you have specified. | scan_agent Investigation |
Abort Agent Scan | Initiates scanning on a specified agent system or all agents in SentinelOne based on the input parameters you have specified. | abort_scan Investigation |
Get Hash Details | Retrieve the details for a specified hash from SentinelOne based on the Hash ID you have specified. | hash_details Investigation |
Get Threat Details | Retrieve the details for a specified threat from SentinelOne based on the threat ID you have specified. | threat_details Investigation |
Mitigate Threat | Mitigates identified threats in the SentinelOne system based on the threat ID, action, and other input parameters you have specified. | mitigate_threats Remediation |
Mark Threat as Benign | Marks an identified threat as safe in SentinelOne based on the threat ID, target scope, and other input parameters you have specified. | mark_threat_as_benign Remediation |
Fetch Agents Logs | Retrieves logs from the agent's system to the SentinelOne cloud based on the input parameters you have specified. | fetch_logs Investigation |
Get Agent Count | Retrieves the count of agents in SentinelOne filtered by the input parameters you have specified. | agent_count Miscellaneous |
List All Threats | List all threats identified by SentinelOne on agents. You can additionally filter out the results by specifying the agent ID or the threat name. | list_threats Investigation |
Fetch Threats | List all threats or specific threats identified by SentinelOne on agents filtered by the input parameters you have specified. | fetch_threats Investigation |
Create Query And Get Query ID | Starts a deep visibility Query and retrieves the Query ID from SentinelOne based on the query, date range, and other input parameters you have specified. | create_query Investigation |
Get Query Status | Retrieves the status of the deep visibility query from SentinelOne based on the query ID you have specified. | get_query_status Investigation |
Get Events | Retrieves the deep visibility events associated with a query from SentinelOne based on the query ID and other input parameters you have specified. | get_events Investigation |
Get Events By Type | Retrieves the deep visibility events associated with a query from SentinelOne based on the query ID, event type, and other input parameters you have specified. | get_events_by_type Investigation |
Cancel Running Query | Stops a deep visibility query that is running on SentinelOne based on the query ID you have specified. | cancel_running_query Investigation |
Get Threat Seen on Network | Retrieves "seen on network" details for a specific threat in SentinelOne based on the threat ID and other input parameters you have specified. | threat_seen_on_network Investigation |
Threat Forensic Details | Retrieves detailed forensics data for a specific threat on SentinelOne based on the threat ID you have specified. | threat_forensic_details Investigation |
Export Threat | Exports threats along with its associated threats, in the CSV or JSON formation, for a specific threat on SentinelOne based on the threat ID and export format you have specified. | export_forensics_threat Investigation |
Get Threat Forensics | Retrieves forensics data for a specific threat on SentinelOne based on the threat ID and export format you have specified. | threat_forensics Investigation |
Free Text | Retrieves a metadata list of all the available free-text filters in SentinelOne | free_text_filters Investigation |
Get Application Count | Retrieves the count of applications from SentinelOne number of applications by risk level or filters and other input parameters you have specified. | get_application_count Investigation |
Get CVEs | Retrieves all known CVEs for applications from SentinelOne based on the input parameters you have specified. Note: This is available for complete SKU only. |
get_cve Investigation |
Export Applications Risk | Exports installed applications and CVE list from SentinelOne based on the input parameters you have specified. This operation also creates an 'Attachment' record in FortiSOAR, | export_applications_risk Investigation |
Get Applications | Retrieves a list of all installed applications per endpoint, including risk levels, from SentinelOne based on the input parameters you have specified. Note: This is available for complete SKU only. |
get_applications Investigation |
Get Application CVEs | Retrieves all known CVEs for a specific application, along with application and endpoint information, from SentinelOne, based on the application ID you have specified. Note: This is available for complete SKU only. |
get_application_cve Investigation |
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent IDs | List of comma-separated agent IDs that you want to retrieve from SentinelOne. |
Is Active | Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Active". |
Is Infected | Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent that you want to retrieve from SentinelOne is set as "Decommissioned". |
Computer Name Like | Retrieve only those agents who match the specified name from SentinelOne. |
Agent Memory Less Than (MB) | Retrieve only those agents whose memory size is lesser than the given input from SentinelOne. |
Agent Memory Greater Than (MB) | Retrieve only those agents whose memory size is greater than the given input from SentinelOne. |
Agent Core Count Less Than | Retrieve only those agents whose core count is lesser than the given input from SentinelOne. |
Agent Core Count Greater Than | Retrieve only those agents whose core count is greater than the given input from SentinelOne. |
Agent Version | The version of the agent that you want to retrieve from SentinelOne. |
Network Status | Select the network status of the agent that you want to retrieve from SentinelOne. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
Limit Records | The maximum number of results, per page, that this operation should return. |
Offset | Skips the specified number of results (0-1000) from the total results. |
Cursor | The 'Cursor' parameter is used only if a previous operation had returned a partial result. If a previous response contains a cursor element, then the value of the cursor element includes a cursor parameter that specifies a starting point to use for subsequent calls. This parameter is useful when we have pagination in the response. |
Additional Fields | Additional fields, in the JSON format, based on which you want to retrieve threats from SentinelOne. |
A customized JSON output that is formatted for easy reference is the output for all the operations.
The output contains the following populated JSON schema:
Output schema when 'API Version' === v2.0
{
"data": [
{
"accountId": "",
"accountName": "",
"activeDirectory": {
"computerDistinguishedName": "",
"computerMemberOf": [],
"lastUserDistinguishedName": "",
"lastUserMemberOf": []
},
"activeThreats": "",
"agentVersion": "",
"allowRemoteShell": "",
"appsVulnerabilityStatus": "",
"computerName": "",
"consoleMigrationStatus": "",
"coreCount": "",
"cpuCount": "",
"cpuId": "",
"createdAt": "",
"domain": "",
"encryptedApplications": "",
"externalId": "",
"externalIp": "",
"groupId": "",
"groupIp": "",
"groupName": "",
"id": "",
"inRemoteShellSession": "",
"infected": "",
"installerType": "",
"isActive": "",
"isDecommissioned": "",
"isPendingUninstall": "",
"isUninstalled": "",
"isUpToDate": "",
"lastActiveDate": "",
"lastIpToMgmt": "",
"lastLoggedInUserName": "",
"licenseKey": "",
"locationType": "",
"locations": [
{
"id": "",
"name": "",
"scope": ""
}
],
"machineType": "",
"mitigationMode": "",
"mitigationModeSuspicious": "",
"modelName": "",
"networkInterfaces": [
{
"id": "",
"inet": [],
"inet6": [],
"name": "",
"physical": ""
}
],
"networkStatus": "",
"osArch": "",
"osName": "",
"osRevision": "",
"osStartTime": "",
"osType": "",
"osUsername": "",
"rangerStatus": "",
"rangerVersion": "",
"registeredAt": "",
"scanAbortedAt": "",
"scanFinishedAt": "",
"scanStartedAt": "",
"scanStatus": "",
"siteId": "",
"siteName": "",
"threatRebootRequired": "",
"totalMemory": "",
"updatedAt": "",
"userActionsNeeded": [],
"uuid": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
Output schema when 'API Version' === v2.1
{
"data": [
{
"accountId": "",
"accountName": "",
"activeDirectory": {
"computerDistinguishedName": "",
"computerMemberOf": [],
"lastUserDistinguishedName": "",
"lastUserMemberOf": []
},
"activeThreats": "",
"agentVersion": "",
"allowRemoteShell": "",
"appsVulnerabilityStatus": "",
"cloudProviders": {},
"computerName": "",
"consoleMigrationStatus": "",
"coreCount": "",
"cpuCount": "",
"cpuId": "",
"createdAt": "",
"detectionState": "",
"domain": "",
"encryptedApplications": "",
"externalId": "",
"externalIp": "",
"firewallEnabled": "",
"firstFullModeTime": "",
"groupId": "",
"groupIp": "",
"groupName": "",
"id": "",
"inRemoteShellSession": "",
"infected": "",
"installerType": "",
"isActive": "",
"isDecommissioned": "",
"isPendingUninstall": "",
"isUninstalled": "",
"isUpToDate": "",
"lastActiveDate": "",
"lastIpToMgmt": "",
"lastLoggedInUserName": "",
"licenseKey": "",
"locationEnabled": "",
"locationType": "",
"locations": [
{
"id": "",
"name": "",
"scope": ""
}
],
"machineType": "",
"mitigationMode": "",
"mitigationModeSuspicious": "",
"modelName": "",
"networkInterfaces": [
{
"gatewayIp": "",
"gatewayMacAddress": "",
"id": "",
"inet": [],
"inet6": [],
"name": "",
"physical": ""
}
],
"networkQuarantineEnabled": "",
"networkStatus": "",
"operationalState": "",
"operationalStateExpiration": "",
"osArch": "",
"osName": "",
"osRevision": "",
"osStartTime": "",
"osType": "",
"osUsername": "",
"rangerStatus": "",
"rangerVersion": "",
"registeredAt": "",
"remoteProfilingState": "",
"remoteProfilingStateExpiration": "",
"scanAbortedAt": "",
"scanFinishedAt": "",
"scanStartedAt": "",
"scanStatus": "",
"serialNumber": "",
"siteId": "",
"siteName": "",
"storageName": "",
"storageType": "",
"tags": {
"sentinelone": [
{
"assignedAt": "",
"assignedBy": "",
"assignedById": "",
"id": "",
"key": "",
"value": ""
}
]
},
"threatRebootRequired": "",
"totalMemory": "",
"updatedAt": "",
"userActionsNeeded": [],
"uuid": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
Parameter | Description |
---|---|
Action | Select the action that you want to perform on the specified agent in SentinelOne. You can choose between the following actions: Isolate Agent Network, Decommission Agent, Uninstall Agent, or Shutdown Agent. |
Agent IDs | List of comma-separated agent IDs on which you want to perform actions in SentinelOne. |
Group IDs | (Optional) List of comma-separated agent's group IDs on which you want to perform actions in SentinelOne. |
Is Decommissioned | Select this checkbox if the status of the agent on which you want to perform actions on SentinelOne is set as "Decommissioned". |
Is Uninstalled | Select this checkbox if the status of the agent on which you want to perform actions on SentinelOne is set as "Uninstalled". |
The output contains the following populated JSON schema:
{
"affected": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent Memory Less Than (MB) | Reconnects only those agents to the network in SentinelOne whose memory size is less than the given input. |
Agent Memory Greater Than (MB) | Reconnects only those agents to the network in SentinelOne whose memory size is greater than the given input. |
Agent Core Count Less Than | Reconnects only those agents to the network in SentinelOne whose core count is less than the given input. |
Agent Core Count Greater Than | Reconnects only those agents to the network in SentinelOne whose core count is greater than the given input. |
Is Active | Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Active". |
Is Infected | Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent that you want to reconnect to the SentinelOne network is set as "Decommissioned". |
Agent IDs | List of comma-separated agent IDs that you want to reconnect to the SentinelOne network. |
Computer Name Like | Reconnects only those agents to the network in SentinelOne that match the specified computer name. |
Agent Version | The version of the agent that you want to reconnect to the SentinelOne network. |
OS Type | Select the OS type of the agent that you want to reconnect to the SentinelOne network. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agent that you want to reconnect to the SentinelOne network. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON contains a success message for the agents that were reconnected to the network.
The output contains the following populated JSON schema:
{
"affected": ""
}
Parameter | Description |
---|---|
Agent ID | The ID of the agent whose passphrase you want to retrieve from SentinelOne. The passphrase can be used to delete an offline agent from SentinelOne. |
Cursor | (Optional) The 'Cursor' parameter is used only if a previous operation returned a partial result. If a previous response contains a cursor element, then the value of that cursor element specifies the starting point to use for subsequent calls. This parameter is useful when the response is paginated. |
Additional Fields | (Optional) Additional fields, in the JSON format, based on which you want to retrieve threats from SentinelOne. |
The JSON contains a string output with the passphrase that can be used to delete an offline agent.
The output contains the following populated JSON schema:
{
"data": [
{
"computerName": "",
"domain": "",
"id": "",
"lastLoggedInUserName": "",
"passphrase": "",
"uuid": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
Parameter | Description |
---|---|
Agent ID | The ID of the agent whose list of installed applications you want to retrieve from SentinelOne. |
The JSON contains a list of application objects including information such as name, installation date, etc., about the applications installed on the specified agent.
The output contains the following populated JSON schema:
[
{
"name": "",
"size": "",
"version": "",
"publisher": "",
"installedDate": ""
}
]
Parameter | Description |
---|---|
Agent Id | The ID of the agent whose list of running applications you want to retrieve from SentinelOne. |
The JSON contains a list of running processes along with the process details for the specified agent.
The output contains the following populated JSON schema:
[
{
"cpuUsage": "",
"memoryUsage": "",
"pid": "",
"executablePath": "",
"startTime": "",
"processName": ""
}
]
Parameter | Description |
---|---|
Message | The message that you want to broadcast to an agent or a list of agents in SentinelOne. |
Agent IDs | List of comma-separated agent IDs in SentinelOne to whom you want to broadcast the specified message. |
Agent Memory Less Than (MB) | (Optional) Broadcasts the message only to those agents in SentinelOne whose memory size is less than the given input. |
Agent Memory Greater Than (MB) | (Optional) Broadcasts the message only to those agents in SentinelOne whose memory size is greater than the given input. |
Agent Core Count Less Than | (Optional) Broadcasts the message only to those agents in SentinelOne whose core count is less than the given input. |
Agent Core Count Greater Than | (Optional) Broadcasts the message only to those agents in SentinelOne whose core count is greater than the given input. |
Is Active | Select this checkbox if the status of the agent to whom you want to broadcast a message is set as "Active". |
Is Infected | Select this checkbox if the status of the agent to whom you want to broadcast a message is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent to whom you want to broadcast a message is set as "Decommissioned". |
Computer Name Like | (Optional) Broadcast the message to only those agents that match the specified computer name on SentinelOne. |
Agent Version | The version of the agent to whom you want to broadcast the message. |
OS Type | Select the OS type of the agent in the SentinelOne network to whom you want to broadcast the message. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agent in SentinelOne to whom you want to broadcast the message. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON output contains the number of agents that are affected by the broadcast operation after the query is successfully run.
The output contains the following populated JSON schema:
{
"affected": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent Memory Less Than (MB) | Initiates a scan only on those agents in SentinelOne whose memory size is less than the given input. |
Agent Memory Greater Than (MB) | Initiates a scan only on those agents in SentinelOne whose memory size is greater than the given input. |
Agent Core Count Less Than | Initiates a scan only on those agents in SentinelOne whose core count is less than the given input. |
Agent Core Count Greater Than | Initiates a scan only on those agents in SentinelOne whose core count is greater than the given input. |
Is Active | Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Active". |
Is Infected | Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent on which you want to initiate a scan is set as "Decommissioned". |
Agent IDs | List of comma-separated agent IDs on which you want to initiate a scan in SentinelOne. |
Computer Name Like | Initiate the scan only on those agents that match the specified computer name. |
Agent Version | The version of the agent on which you want to initiate a scan. |
OS Type | Select the OS type of the agent in SentinelOne on which you want to initiate the scan. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agent in SentinelOne on which you want to initiate the scan. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON output contains the number of agents that are affected by the scan operation after the query is successfully run.
The output contains the following populated JSON schema:
{
"affected": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent Memory Less Than (MB) | Aborts the scan only on those agents in SentinelOne whose memory size is less than the given input. |
Agent Memory Greater Than (MB) | Aborts the scan only on those agents in SentinelOne whose memory size is greater than the given input. |
Agent Core Count Less Than | Aborts the scan only on those agents in SentinelOne whose core count is less than the given input. |
Agent Core Count Greater Than | Aborts the scan only on those agents in SentinelOne whose core count is greater than the given input. |
Is Active | Select this checkbox if the status of the agent on which you want to abort the scan is set as "Active". |
Is Infected | Select this checkbox if the status of the agent on which you want to abort the scan is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent on which you want to abort the scan is set as "Decommissioned". |
Agent IDs | List of comma-separated agent IDs on which you want to abort the scan in SentinelOne. |
Computer Name Like | Abort the scan only on those agents that match the specified computer name. |
Agent Version | The version of the agent on which you want to abort the scan. |
OS Type | Select the OS type of the agent in SentinelOne on which you want to abort the scan. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agent in SentinelOne on which you want to abort the scan. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON output contains the number of agents that are affected by the abort scan operation after the query is successfully run.
The output contains the following populated JSON schema:
{
"affected": ""
}
Parameter | Description |
---|---|
Hash ID | The ID (SHA1 only) of the hash whose details you want to retrieve from SentinelOne. |
The JSON contains the details of the specified hash ID.
The output contains the following populated JSON schema:
{
"rank": ""
}
Parameter | Description |
---|---|
Threat Id | The ID of the threat whose details you want to retrieve from SentinelOne. |
The JSON contains the details of the specified threat ID.
The output contains the following populated JSON schema:
Output schema when 'API Version' === v2.0
{
"accountId": "",
"accountName": "",
"agentComputerName": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIp": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentNetworkStatus": "",
"agentOsType": "",
"agentVersion": "",
"annotation": "",
"automaticallyResolved": "",
"browserType": "",
"certId": "",
"classification": "",
"classificationSource": "",
"classifierName": "",
"cloudVerdict": "",
"collectionId": "",
"commandId": "",
"createdAt": "",
"createdDate": "",
"description": "",
"engines": [],
"external_ticket_id": "",
"fileContentHash": "",
"fileCreatedDate": "",
"fileDisplayName": "",
"fileExtensionType": "",
"fileIsDotNet": "",
"fileIsExecutable": "",
"fileIsSystem": "",
"fileMaliciousContent": "",
"fileObjectId": "",
"filePath": "",
"fileSha256": "",
"fileVerificationType": "",
"fromCloud": "",
"fromScan": "",
"id": "",
"indicators": [],
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"isCertValid": "",
"isInteractiveSession": "",
"isPartialStory": "",
"maliciousGroupId": "",
"maliciousProcessArguments": "",
"markedAsBenign": "",
"mitigationMode": "",
"mitigationReport": {
"kill": {
"status": ""
},
"network_quarantine": {
"status": ""
},
"quarantine": {
"status": ""
},
"remediate": {
"status": ""
},
"rollback": {
"status": ""
},
"unquarantine": {
"status": ""
}
},
"mitigationStatus": "",
"publisher": "",
"rank": "",
"resolved": "",
"siteId": "",
"siteName": "",
"threatAgentVersion": "",
"threatName": "",
"updatedAt": "",
"username": "",
"whiteningOptions": []
}
Output schema when 'API Version' === v2.1
{
"agentDetectionInfo": {
"accountId": "",
"accountName": "",
"agentDetectionState": "",
"agentDomain": "",
"agentIpV4": "",
"agentIpV6": "",
"agentLastLoggedInUpn": "",
"agentLastLoggedInUserMail": "",
"agentLastLoggedInUserName": "",
"agentMitigationMode": "",
"agentOsName": "",
"agentOsRevision": "",
"agentRegisteredAt": "",
"agentUuid": "",
"agentVersion": "",
"cloudProviders": {},
"externalIp": "",
"groupId": "",
"groupName": "",
"siteId": "",
"siteName": ""
},
"agentRealtimeInfo": {
"accountId": "",
"accountName": "",
"activeThreats": "",
"agentComputerName": "",
"agentDecommissionedAt": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentMitigationMode": "",
"agentNetworkStatus": "",
"agentOsName": "",
"agentOsRevision": "",
"agentOsType": "",
"agentUuid": "",
"agentVersion": "",
"groupId": "",
"groupName": "",
"networkInterfaces": [
{
"id": "",
"inet": [],
"inet6": [],
"name": "",
"physical": ""
}
],
"operationalState": "",
"rebootRequired": "",
"scanAbortedAt": "",
"scanFinishedAt": "",
"scanStartedAt": "",
"scanStatus": "",
"siteId": "",
"siteName": "",
"storageName": "",
"storageType": "",
"userActionsNeeded": []
},
"containerInfo": {
"id": "",
"image": "",
"labels": "",
"name": ""
},
"id": "",
"indicators": [
{
"category": "",
"description": "",
"ids": [],
"tactics": []
}
],
"kubernetesInfo": {
"cluster": "",
"controllerKind": "",
"controllerLabels": "",
"controllerName": "",
"namespace": "",
"namespaceLabels": "",
"node": "",
"pod": "",
"podLabels": ""
},
"mitigationStatus": [
{
"action": "",
"actionsCounters": {
"failed": "",
"notFound": "",
"pendingReboot": "",
"success": "",
"total": ""
},
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
},
{
"action": "",
"actionsCounters": "",
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
}
],
"threatInfo": {
"analystVerdict": "",
"analystVerdictDescription": "",
"automaticallyResolved": "",
"browserType": "",
"certificateId": "",
"classification": "",
"classificationSource": "",
"cloudFilesHashVerdict": "",
"collectionId": "",
"confidenceLevel": "",
"createdAt": "",
"detectionEngines": [
{
"key": "",
"title": ""
}
],
"detectionType": "",
"engines": [],
"externalTicketExists": "",
"externalTicketId": "",
"failedActions": "",
"fileExtension": "",
"fileExtensionType": "",
"filePath": "",
"fileSize": "",
"fileVerificationType": "",
"identifiedAt": "",
"incidentStatus": "",
"incidentStatusDescription": "",
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"initiatingUsername": "",
"isFileless": "",
"isValidCertificate": "",
"maliciousProcessArguments": "",
"md5": "",
"mitigatedPreemptively": "",
"mitigationStatus": "",
"mitigationStatusDescription": "",
"originatorProcess": "",
"pendingActions": "",
"processUser": "",
"publisherName": "",
"reachedEventsLimit": "",
"rebootRequired": "",
"sha1": "",
"sha256": "",
"storyline": "",
"threatId": "",
"threatName": "",
"updatedAt": ""
},
"whiteningOptions": []
}
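The two schemas above differ in shape (v2.0 is flat, v2.1 nests the same facts under `agentRealtimeInfo`, `threatInfo` and a `mitigationStatus` list), so a playbook that must work against either API version needs one normalized record to branch on. The following Python is an added example, not code from the FortiSOAR connector or SentinelOne; field names are taken from the schemas above, the sample records are constructed, and the `incidentStatus` value `"resolved"` and the per-action `status` strings are assumptions. It also handles the case the v2.1 schema itself shows, where `actionsCounters` is an empty string rather than an object.

```python
"""Normalize a SentinelOne threat record from either API schema into one shape.

Added example; not code from the FortiSOAR connector. Field names follow the
v2.0 and v2.1 output schemas documented above; the sample records below are
constructed, and the incidentStatus value "resolved" is an assumption.
"""
from typing import Any, Dict, List


def _counter(entry: Dict[str, Any], key: str) -> int:
    # actionsCounters may be a dict or, as the v2.1 schema shows, an empty
    # string when the agent reports no counters; treat anything non-dict as 0.
    counters = entry.get("actionsCounters")
    if not isinstance(counters, dict):
        return 0
    try:
        return int(counters.get(key) or 0)
    except (TypeError, ValueError):
        return 0


def normalize_threat(threat: Dict[str, Any], api_version: str) -> Dict[str, Any]:
    """Return a flat record with the fields a playbook usually branches on."""
    if api_version == "v2.0":
        return {
            "threat_id": threat.get("id"),
            "threat_name": threat.get("threatName"),
            "sha256": threat.get("fileSha256"),
            "content_hash": threat.get("fileContentHash"),
            "file_path": threat.get("filePath"),
            "agent_id": threat.get("agentId"),
            "agent_name": threat.get("agentComputerName"),
            "classification": threat.get("classification"),
            "mitigation_status": threat.get("mitigationStatus"),
            "resolved": bool(threat.get("resolved")),
            "pending_reboot": False,  # the v2.0 schema carries no reboot flag
            "failed_actions": 0,      # v2.0 mitigationReport has no counters
        }
    if api_version == "v2.1":
        info = threat.get("threatInfo") or {}
        realtime = threat.get("agentRealtimeInfo") or {}
        actions: List[Dict[str, Any]] = threat.get("mitigationStatus") or []
        failed = sum(_counter(a, "failed") for a in actions)
        pending_reboot = sum(_counter(a, "pendingReboot") for a in actions)
        return {
            "threat_id": threat.get("id"),
            "threat_name": info.get("threatName"),
            "sha256": info.get("sha256"),
            "content_hash": info.get("sha1"),
            "file_path": info.get("filePath"),
            "agent_id": realtime.get("agentId"),
            "agent_name": realtime.get("agentComputerName"),
            "classification": info.get("classification"),
            "mitigation_status": info.get("mitigationStatus"),
            "resolved": info.get("incidentStatus") == "resolved",  # assumed value
            "pending_reboot": pending_reboot > 0 or bool(info.get("rebootRequired")),
            "failed_actions": failed,
        }
    raise ValueError(f"unsupported API version: {api_version!r}")


def needs_analyst_attention(record: Dict[str, Any]) -> bool:
    """True when automated mitigation did not fully succeed and is not closed."""
    return (not record["resolved"]) and (
        record["failed_actions"] > 0 or record["pending_reboot"]
    )


# Constructed sample records (placeholder IDs and hashes, not real S1 data).
SAMPLE_V20 = {
    "id": "THREAT-ID-PLACEHOLDER",
    "threatName": "sample.exe",
    "fileSha256": "0" * 64,
    "fileContentHash": "0" * 40,
    "filePath": "C:\\Users\\demo\\sample.exe",
    "agentId": "AGENT-ID-PLACEHOLDER",
    "agentComputerName": "WS-DEMO-01",
    "classification": "Malware",
    "mitigationStatus": "mitigated",
    "resolved": True,
}

SAMPLE_V21 = {
    "id": "THREAT-ID-PLACEHOLDER",
    "agentRealtimeInfo": {"agentId": "AGENT-ID-PLACEHOLDER", "agentComputerName": "WS-DEMO-02"},
    "mitigationStatus": [  # per-action status strings below are assumed
        {"action": "kill", "status": "success",
         "actionsCounters": {"failed": 0, "notFound": 0, "pendingReboot": 0, "success": 1, "total": 1}},
        {"action": "quarantine", "status": "failed",
         "actionsCounters": {"failed": 1, "notFound": 0, "pendingReboot": 0, "success": 0, "total": 1}},
        {"action": "remediate", "status": "not_started", "actionsCounters": ""},
    ],
    "threatInfo": {"threatName": "sample.exe", "sha256": "0" * 64, "sha1": "0" * 40,
                   "filePath": "/tmp/sample.exe", "classification": "Malware",
                   "mitigationStatus": "mitigated", "incidentStatus": "unresolved",
                   "rebootRequired": False},
}
```

In a playbook, route `needs_analyst_attention(...)` records to a manual-review step rather than auto-closing the alert: a threat reported as "mitigated" overall can still carry a failed quarantine in its per-action counters.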
Parameter | Description |
---|---|
Action | Select the action that you want to perform on the specified threat. You can choose between the following actions: Kill, Quarantine, Un-Quarantine, Remediate, or Rollback-Remediation. |
Threat ID | The ID of the threat on which you want to take the specified action. |
Content Hash | (Optional) The Hash ID of the file associated with the threat that requires mitigation. |
Threat Name | (Optional) Name of the threat that requires mitigation. |
Agent ID | (Optional) The ID of the agent on which the threat has been identified. |
Limit Records | (Optional) The maximum number of results, per page, that this operation should return. |
From Scan | Select this option if the threat was detected as a result of a scan. |
The JSON contains a message about the threat being mitigated.
The output contains the following populated JSON schema:
{
"affected": ""
}
Parameter | Description |
---|---|
Target Scope | Scope of the target that you want to mark as safe in SentinelOne. |
Threat Id | The ID of the threat that you want to mark as safe in SentinelOne. |
Content Hash | (Optional) The Hash ID of the file associated with the threat that you want to mark as safe in SentinelOne. |
Threat Name | (Optional) Name of the threat that you want to mark as safe in SentinelOne. |
Agent Id | (Optional) The ID of the agent on which the threat has been identified. |
Limit Records | (Optional) The maximum number of results, per page, that this operation should return. |
From Scan | Select this option if the threat was detected as a result of a scan. |
The JSON contains a message about the threat being marked as safe.
The output contains the following populated JSON schema:
{
"affected": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent Memory Less Than (MB) | Retrieves logs only from those agents in SentinelOne whose memory size is less than the given input. |
Agent Memory Greater Than (MB) | Retrieves logs only from those agents in SentinelOne whose memory size is greater than the given input. |
Agent Core Count Less Than | Retrieves logs only from those agents in SentinelOne whose core count is less than the given input. |
Agent Core Count Greater Than | Retrieves logs only from those agents in SentinelOne whose core count is greater than the given input. |
Is Active | Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Active". |
Is Infected | Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agent whose logs you want to retrieve from SentinelOne is set as "Decommissioned". |
Agent IDs | List of comma-separated agent IDs whose logs you want to retrieve from SentinelOne. |
Computer Name Like | Retrieves logs only from those agents that match the specified computer name. |
Agent Version | The version of the agent whose logs you want to retrieve from SentinelOne. |
OS Type | Select the OS type of the agent in SentinelOne whose logs you want to retrieve. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agent in SentinelOne whose logs you want to retrieve. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON output contains the number of agents whose logs are fetched after the query is successfully run.
The output contains the following populated JSON schema:
{
"affected": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent Memory Less Than (MB) | Counts only those agents in SentinelOne whose memory size is less than the given input. |
Agent Memory Greater Than (MB) | Counts only those agents in SentinelOne whose memory size is greater than the given input. |
Agent Core Count Less Than | Counts only those agents in SentinelOne whose core count is less than the given input. |
Agent Core Count Greater Than | Counts only those agents in SentinelOne whose core count is greater than the given input. |
Is Active | Select this checkbox if the status of the agents that you want to count in SentinelOne is set as "Active". |
Is Infected | Select this checkbox if the status of the agents that you want to count in SentinelOne is set as "Infected". |
Is Decommissioned | Select this checkbox if the status of the agents that you want to count in SentinelOne is set as "Decommissioned". |
Agent IDs | List of comma-separated agent IDs whose count you want to retrieve from SentinelOne. |
Computer Name Like | Counts only those agents that match the specified computer name. |
Agent Version | The version of the agents whose count you want to retrieve from SentinelOne. |
OS Type | Select the OS type of the agents in SentinelOne whose count you want to retrieve. You can choose from the following options: Unknown, Osx, Windows, Android, or Linux. |
Network Status | Select the network status of the agents in SentinelOne whose count you want to retrieve. You can choose from the following options: Connected, Disconnected, Connecting, or Disconnecting. |
The JSON output contains the number of available agents.
The output contains the following populated JSON schema:
{
"total": ""
}
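The Reconnect, Broadcast, Initiate Scan, Abort Scan, Fetch Logs and Agent Count operations above all take the same agent filter (memory and core-count bounds, the three status checkboxes, agent IDs, computer name, version, OS type and network status), and each carries the note that an empty filter means no criterion at all. The following Python is an added example, not the FortiSOAR connector's or SentinelOne's code: it turns those connector-style inputs into a query-parameter dictionary and refuses to run a state-changing action with an empty filter, because "no filter" on an isolate, shutdown or abort-scan step would apply to every agent in scope. The parameter names (`totalMemory__lt`, `coreCount__gt`, `computerName__like`, `agentVersions`, `osTypes`, `networkStatuses`, `ids`, `isActive`, `infected`, `isDecommissioned`) are assumed to match the SentinelOne v2.1 agents API and should be confirmed against your console's API reference; the action tokens are this example's own.

```python
"""Translate connector-style agent filter inputs into SentinelOne agent query
parameters and refuse state-changing actions that would target every agent.

Added example; not FortiSOAR connector code. The query-parameter names below
are assumed to match the SentinelOne v2.1 agents API and should be verified.
"""
from typing import Any, Dict, List, Optional, Sequence, Union

# Option lists exactly as the parameter tables present them.
OS_TYPES = ("unknown", "osx", "windows", "android", "linux")
NETWORK_STATUSES = ("connected", "disconnected", "connecting", "disconnecting")

# Actions that change agent state (tokens chosen for this example). Per the
# note in the tables, an empty filter means "no criterion", i.e. every agent.
STATE_CHANGING = {"isolate", "decommission", "uninstall", "shutdown",
                  "initiate_scan", "abort_scan"}


class EmptyFilterError(ValueError):
    """A state-changing action was requested with no agent filter at all."""


def _csv(value: Union[str, List[str], None]) -> List[str]:
    """Split a comma-separated string (or pass a list through), trimming blanks."""
    if not value:
        return []
    parts = value if isinstance(value, list) else str(value).split(",")
    return [p.strip() for p in parts if p and p.strip()]


def _choice(value: str, allowed: Sequence[str], label: str) -> str:
    """Validate a drop-down value against the documented option list."""
    v = value.strip().lower()
    if v not in allowed:
        raise ValueError(f"{label} must be one of {allowed}, got {value!r}")
    return v


def build_agent_filter(
    memory_lt: Optional[int] = None, memory_gt: Optional[int] = None,
    core_lt: Optional[int] = None, core_gt: Optional[int] = None,
    is_active: bool = False, is_infected: bool = False, is_decommissioned: bool = False,
    agent_ids: Union[str, List[str], None] = None, computer_name_like: str = "",
    agent_version: str = "", os_type: str = "", network_status: str = "",
) -> Dict[str, Any]:
    """Return only the query parameters the caller actually set."""
    if memory_lt is not None and memory_gt is not None and memory_gt >= memory_lt:
        raise ValueError("memory range is empty or inverted")
    if core_lt is not None and core_gt is not None and core_gt >= core_lt:
        raise ValueError("core count range is empty or inverted")
    params: Dict[str, Any] = {}
    if memory_lt is not None:
        params["totalMemory__lt"] = int(memory_lt)      # assumed parameter name
    if memory_gt is not None:
        params["totalMemory__gt"] = int(memory_gt)      # assumed parameter name
    if core_lt is not None:
        params["coreCount__lt"] = int(core_lt)          # assumed parameter name
    if core_gt is not None:
        params["coreCount__gt"] = int(core_gt)          # assumed parameter name
    # Checkboxes: only an enabled checkbox contributes a criterion.
    if is_active:
        params["isActive"] = True
    if is_infected:
        params["infected"] = True
    if is_decommissioned:
        params["isDecommissioned"] = True
    ids = _csv(agent_ids)
    if ids:
        params["ids"] = ids
    if computer_name_like.strip():
        params["computerName__like"] = computer_name_like.strip()
    if agent_version.strip():
        params["agentVersions"] = agent_version.strip()
    if os_type.strip():
        params["osTypes"] = _choice(os_type, OS_TYPES, "OS Type")
    if network_status.strip():
        params["networkStatuses"] = _choice(network_status, NETWORK_STATUSES, "Network Status")
    return params


def guarded_params(action: str, params: Dict[str, Any]) -> Dict[str, Any]:
    """Block a state-changing action whose filter would match every agent."""
    if action.strip().lower() in STATE_CHANGING and not params:
        raise EmptyFilterError(f"refusing {action!r}: no agent filter supplied")
    return params
```

Read-only operations (count, fetch logs) pass through `guarded_params` untouched with an empty filter, which matches the documented behaviour of returning an unfiltered list; only the state-changing set is blocked.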
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Agent ID | The ID of the agent whose threats you want to list. |
Created After | Specify the datetime used to filter the result set so that it includes only those items created after the specified timestamp. |
Updated After | Specify the datetime used to filter the result set so that it includes only those items updated after the specified timestamp. |
Content Hash | The Hash ID of the file associated with the threat. |
Threat Name | The name of the threat that you want to search for on all agents on SentinelOne. |
Limit Records | The maximum number of results, per page, that this operation should return. |
Offset | Skips the specified number of results (0-1000) from the total results. |
Cursor | The 'Cursor' parameter is used only if a previous operation returned a partial result. If a previous response contains a cursor element, then the value of that cursor element specifies the starting point to use for subsequent calls. This parameter is useful when the response is paginated. |
Additional Fields | Additional fields, in the JSON format, based on which you want to retrieve threats from SentinelOne. |
The JSON contains the objects of the threats that are found after the query is successfully run.
The output contains the following populated JSON schema:
Output schema when 'API Version' === v2.0
{
"data": [
{
"accountId": "",
"accountName": "",
"agentComputerName": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIp": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentNetworkStatus": "",
"agentOsType": "",
"agentVersion": "",
"annotation": "",
"automaticallyResolved": "",
"browserType": "",
"certId": "",
"classification": "",
"classificationSource": "",
"classifierName": "",
"cloudVerdict": "",
"collectionId": "",
"commandId": "",
"createdAt": "",
"createdDate": "",
"description": "",
"engines": [],
"external_ticket_id": "",
"fileContentHash": "",
"fileCreatedDate": "",
"fileDisplayName": "",
"fileExtensionType": "",
"fileIsDotNet": "",
"fileIsExecutable": "",
"fileIsSystem": "",
"fileMaliciousContent": "",
"fileObjectId": "",
"filePath": "",
"fileSha256": "",
"fileVerificationType": "",
"fromCloud": "",
"fromScan": "",
"id": "",
"indicators": [],
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"isCertValid": "",
"isInteractiveSession": "",
"isPartialStory": "",
"maliciousGroupId": "",
"maliciousProcessArguments": "",
"markedAsBenign": "",
"mitigationMode": "",
"mitigationReport": {
"kill": {
"status": ""
},
"network_quarantine": {
"status": ""
},
"quarantine": {
"status": ""
},
"remediate": {
"status": ""
},
"rollback": {
"status": ""
},
"unquarantine": {
"status": ""
}
},
"mitigationStatus": "",
"publisher": "",
"rank": "",
"resolved": "",
"siteId": "",
"siteName": "",
"threatAgentVersion": "",
"threatName": "",
"updatedAt": "",
"username": "",
"whiteningOptions": []
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
Output schema when 'API Version' === v2.1
{
"data": [
{
"agentDetectionInfo": {
"accountId": "",
"accountName": "",
"agentDetectionState": "",
"agentDomain": "",
"agentIpV4": "",
"agentIpV6": "",
"agentLastLoggedInUpn": "",
"agentLastLoggedInUserMail": "",
"agentLastLoggedInUserName": "",
"agentMitigationMode": "",
"agentOsName": "",
"agentOsRevision": "",
"agentRegisteredAt": "",
"agentUuid": "",
"agentVersion": "",
"cloudProviders": {},
"externalIp": "",
"groupId": "",
"groupName": "",
"siteId": "",
"siteName": ""
},
"agentRealtimeInfo": {
"accountId": "",
"accountName": "",
"activeThreats": "",
"agentComputerName": "",
"agentDecommissionedAt": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentMitigationMode": "",
"agentNetworkStatus": "",
"agentOsName": "",
"agentOsRevision": "",
"agentOsType": "",
"agentUuid": "",
"agentVersion": "",
"groupId": "",
"groupName": "",
"networkInterfaces": [
{
"id": "",
"inet": [],
"inet6": [],
"name": "",
"physical": ""
}
],
"operationalState": "",
"rebootRequired": "",
"scanAbortedAt": "",
"scanFinishedAt": "",
"scanStartedAt": "",
"scanStatus": "",
"siteId": "",
"siteName": "",
"storageName": "",
"storageType": "",
"userActionsNeeded": []
},
"containerInfo": {
"id": "",
"image": "",
"labels": "",
"name": ""
},
"id": "",
"indicators": [
{
"category": "",
"description": "",
"ids": [],
"tactics": []
}
],
"kubernetesInfo": {
"cluster": "",
"controllerKind": "",
"controllerLabels": "",
"controllerName": "",
"namespace": "",
"namespaceLabels": "",
"node": "",
"pod": "",
"podLabels": ""
},
"mitigationStatus": [
{
"action": "",
"actionsCounters": {
"failed": "",
"notFound": "",
"pendingReboot": "",
"success": "",
"total": ""
},
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
},
{
"action": "",
"actionsCounters": "",
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
}
],
"threatInfo": {
"analystVerdict": "",
"analystVerdictDescription": "",
"automaticallyResolved": "",
"browserType": "",
"certificateId": "",
"classification": "",
"classificationSource": "",
"cloudFilesHashVerdict": "",
"collectionId": "",
"confidenceLevel": "",
"createdAt": "",
"detectionEngines": [
{
"key": "",
"title": ""
}
],
"detectionType": "",
"engines": [],
"externalTicketExists": "",
"externalTicketId": "",
"failedActions": "",
"fileExtension": "",
"fileExtensionType": "",
"filePath": "",
"fileSize": "",
"fileVerificationType": "",
"identifiedAt": "",
"incidentStatus": "",
"incidentStatusDescription": "",
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"initiatingUsername": "",
"isFileless": "",
"isValidCertificate": "",
"maliciousProcessArguments": "",
"md5": "",
"mitigatedPreemptively": "",
"mitigationStatus": "",
"mitigationStatusDescription": "",
"originatorProcess": "",
"pendingActions": "",
"processUser": "",
"publisherName": "",
"reachedEventsLimit": "",
"rebootRequired": "",
"sha1": "",
"sha256": "",
"storyline": "",
"threatId": "",
"threatName": "",
"updatedAt": ""
},
"whiteningOptions": []
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
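Both the Get Agent Passphrase and Get Threats operations above describe the same cursor mechanism: a response carries `pagination.nextCursor`, and the caller passes it back as `Cursor` until the server returns an empty one. The Python below is an added example, not the connector's own code; `fetch_page` stands in for the connector's HTTP call, the page shape follows the output schemas on this page, and the sample pages are constructed. It also covers two failure modes a playbook step should not hang on: an endpoint that keeps returning the same cursor, and an unbounded number of pages.

```python
"""Walk a cursor-paginated SentinelOne-style result set to completion.

Added example; not the connector's own code. The page shape (data plus
pagination.nextCursor / totalItems) follows the output schemas on this page;
`fetch_page` stands in for the connector's HTTP call and the sample pages are
constructed.
"""
from typing import Any, Callable, Dict, Iterator, List, Optional

Page = Dict[str, Any]
Fetch = Callable[[Optional[str]], Page]


def iter_items(fetch_page: Fetch, max_pages: int = 1000) -> Iterator[Dict[str, Any]]:
    """Yield every item across pages, starting with no cursor.

    Stops when nextCursor is empty or missing. Raises if the server repeats a
    cursor (which would otherwise loop forever) or if max_pages is exceeded.
    """
    cursor: Optional[str] = None
    seen_cursors = set()
    for _ in range(max_pages):
        page = fetch_page(cursor)
        for item in page.get("data") or []:
            yield item
        cursor = (page.get("pagination") or {}).get("nextCursor") or None
        if cursor is None:
            return
        if cursor in seen_cursors:
            raise RuntimeError(f"pagination cursor repeated: {cursor!r}")
        seen_cursors.add(cursor)
    raise RuntimeError(f"gave up after {max_pages} pages")


# Constructed sample pages, keyed by the cursor used to request them.
SAMPLE_PAGES: Dict[Optional[str], Page] = {
    None: {"data": [{"id": "AGENT-1", "computerName": "WS-01"}],
           "pagination": {"nextCursor": "CURSOR-A", "totalItems": 3}},
    "CURSOR-A": {"data": [{"id": "AGENT-2", "computerName": "WS-02"}],
                 "pagination": {"nextCursor": "CURSOR-B", "totalItems": 3}},
    "CURSOR-B": {"data": [{"id": "AGENT-3", "computerName": "WS-03"}],
                 "pagination": {"nextCursor": "", "totalItems": 3}},
}


def sample_fetch(cursor: Optional[str]) -> Page:
    """Stand-in for the connector's HTTP call against the constructed pages."""
    return SAMPLE_PAGES[cursor]


def looping_fetch(cursor: Optional[str]) -> Page:
    """A misbehaving endpoint that always hands back the same cursor."""
    return {"data": [], "pagination": {"nextCursor": "STUCK", "totalItems": 0}}


def collect_ids(fetch_page: Fetch = sample_fetch) -> List[str]:
    """Drain all pages and return the item IDs in order."""
    return [item["id"] for item in iter_items(fetch_page)]


def verify_total(fetch_page: Fetch = sample_fetch) -> bool:
    """Cross-check the number of items collected against totalItems."""
    first = fetch_page(None)
    expected = int((first.get("pagination") or {}).get("totalItems") or 0)
    return len(collect_ids(fetch_page)) == expected
```

The `totalItems` cross-check is worth keeping in an ingestion playbook: a silent mismatch between the count the server advertised and the items actually walked is the usual symptom of a cursor that expired mid-walk.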
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Created After | Specify the datetime used to filter the result set so that it includes only those items created after the specified timestamp. |
Updated After | Specify the datetime used to filter the result set so that it includes only those items updated after the specified timestamp. |
Query | A free-text search term that is matched (sub-string match) against the applicable attributes of the threats you want to retrieve from SentinelOne. |
Additional Fields | Additional fields, in the JSON format, based on which you want to retrieve threats from SentinelOne. |
The output contains the following populated JSON schema:
Output schema when 'API Version' === v2.0
{
"data": [
{
"accountId": "",
"accountName": "",
"agentComputerName": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIp": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentNetworkStatus": "",
"agentOsType": "",
"agentVersion": "",
"annotation": "",
"automaticallyResolved": "",
"browserType": "",
"certId": "",
"classification": "",
"classificationSource": "",
"classifierName": "",
"cloudVerdict": "",
"collectionId": "",
"commandId": "",
"createdAt": "",
"createdDate": "",
"description": "",
"engines": [],
"external_ticket_id": "",
"fileContentHash": "",
"fileCreatedDate": "",
"fileDisplayName": "",
"fileExtensionType": "",
"fileIsDotNet": "",
"fileIsExecutable": "",
"fileIsSystem": "",
"fileMaliciousContent": "",
"fileObjectId": "",
"filePath": "",
"fileSha256": "",
"fileVerificationType": "",
"fromCloud": "",
"fromScan": "",
"id": "",
"indicators": [],
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"isCertValid": "",
"isInteractiveSession": "",
"isPartialStory": "",
"maliciousGroupId": "",
"maliciousProcessArguments": "",
"markedAsBenign": "",
"mitigationMode": "",
"mitigationReport": {
"kill": {
"status": ""
},
"network_quarantine": {
"status": ""
},
"quarantine": {
"status": ""
},
"remediate": {
"status": ""
},
"rollback": {
"status": ""
},
"unquarantine": {
"status": ""
}
},
"mitigationStatus": "",
"publisher": "",
"rank": "",
"resolved": "",
"siteId": "",
"siteName": "",
"threatAgentVersion": "",
"threatName": "",
"updatedAt": "",
"username": "",
"whiteningOptions": []
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
Output schema when 'API Version' === v2.1
{
"data": [
{
"agentDetectionInfo": {
"accountId": "",
"accountName": "",
"agentDetectionState": "",
"agentDomain": "",
"agentIpV4": "",
"agentIpV6": "",
"agentLastLoggedInUpn": "",
"agentLastLoggedInUserMail": "",
"agentLastLoggedInUserName": "",
"agentMitigationMode": "",
"agentOsName": "",
"agentOsRevision": "",
"agentRegisteredAt": "",
"agentUuid": "",
"agentVersion": "",
"cloudProviders": {},
"externalIp": "",
"groupId": "",
"groupName": "",
"siteId": "",
"siteName": ""
},
"agentRealtimeInfo": {
"accountId": "",
"accountName": "",
"activeThreats": "",
"agentComputerName": "",
"agentDecommissionedAt": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentMitigationMode": "",
"agentNetworkStatus": "",
"agentOsName": "",
"agentOsRevision": "",
"agentOsType": "",
"agentUuid": "",
"agentVersion": "",
"groupId": "",
"groupName": "",
"networkInterfaces": [
{
"id": "",
"inet": [],
"inet6": [],
"name": "",
"physical": ""
}
],
"operationalState": "",
"rebootRequired": "",
"scanAbortedAt": "",
"scanFinishedAt": "",
"scanStartedAt": "",
"scanStatus": "",
"siteId": "",
"siteName": "",
"storageName": "",
"storageType": "",
"userActionsNeeded": []
},
"containerInfo": {
"id": "",
"image": "",
"labels": "",
"name": ""
},
"id": "",
"indicators": [
{
"category": "",
"description": "",
"ids": [],
"tactics": []
}
],
"kubernetesInfo": {
"cluster": "",
"controllerKind": "",
"controllerLabels": "",
"controllerName": "",
"namespace": "",
"namespaceLabels": "",
"node": "",
"pod": "",
"podLabels": ""
},
"mitigationStatus": [
{
"action": "",
"actionsCounters": {
"failed": "",
"notFound": "",
"pendingReboot": "",
"success": "",
"total": ""
},
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
},
{
"action": "",
"actionsCounters": "",
"agentSupportsReport": "",
"groupNotFound": "",
"lastUpdate": "",
"latestReport": "",
"mitigationEndedAt": "",
"mitigationStartedAt": "",
"status": ""
}
],
"threatInfo": {
"analystVerdict": "",
"analystVerdictDescription": "",
"automaticallyResolved": "",
"browserType": "",
"certificateId": "",
"classification": "",
"classificationSource": "",
"cloudFilesHashVerdict": "",
"collectionId": "",
"confidenceLevel": "",
"createdAt": "",
"detectionEngines": [
{
"key": "",
"title": ""
}
],
"detectionType": "",
"engines": [],
"externalTicketExists": "",
"externalTicketId": "",
"failedActions": "",
"fileExtension": "",
"fileExtensionType": "",
"filePath": "",
"fileSize": "",
"fileVerificationType": "",
"identifiedAt": "",
"incidentStatus": "",
"incidentStatusDescription": "",
"initiatedBy": "",
"initiatedByDescription": "",
"initiatingUserId": "",
"initiatingUsername": "",
"isFileless": "",
"isValidCertificate": "",
"maliciousProcessArguments": "",
"md5": "",
"mitigatedPreemptively": "",
"mitigationStatus": "",
"mitigationStatusDescription": "",
"originatorProcess": "",
"pendingActions": "",
"processUser": "",
"publisherName": "",
"reachedEventsLimit": "",
"rebootRequired": "",
"sha1": "",
"sha256": "",
"storyline": "",
"threatId": "",
"threatName": "",
"updatedAt": ""
},
"whiteningOptions": []
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
Parameter | Description |
---|---|
Query | A free-text search term that is matched (sub-string match) against the applicable Deep Visibility attributes in SentinelOne. This operation submits the query and returns the query ID that the get query status, get events, and cancel query operations use. |
From Date | Start of the time range that the query searches. |
To Date | End of the time range that the query searches. |
Group IDs | (Optional) Comma-separated list of agent group IDs to which the query is scoped. |
Tenant | Select this checkbox to run the query at the tenant scope. |
Query Type | (Optional) Type of query used by Deep Visibility in SentinelOne. |
Account IDs | (Optional) Comma-separated list of account IDs to which the query is scoped. |
Site IDs | (Optional) Comma-separated list of site IDs to which the query is scoped. |
The output contains the following populated JSON schema:
{
"queryId": "",
"queryModeInfo": {
"lastActivatedAt": "",
"mode": ""
}
}
Parameter | Description |
---|---|
Query ID | The ID of the query whose status you want to retrieve from SentinelOne. When you create a query in SentinelOne you get its QueryID. |
The output contains the following populated JSON schema:
{
"progressStatus": "",
"queryModeInfo": {
"lastActivatedAt": "",
"mode": ""
},
"responseState": "",
"warnings": ""
}
Parameter | Description |
---|---|
Query ID | The ID of the query whose associated events you want to retrieve from SentinelOne. When you create a query in SentinelOne you get its QueryID. |
Limit Records | (Optional) The maximum number of results, per page, that this operation should return. |
Offset | (Optional) Skips the specified number of results (0-1000) from the total results. |
Cursor | (Optional) Use this only to continue a paged result: pass the nextCursor value from the pagination element of the previous response to fetch the next page of events. |
Sort By | (Optional) Name of the field on which you want to sort the result (events). |
Sort Order | (Optional) The sorting order of the results (events), you can choose between Ascending or Descending. |
Sub Query | (Optional) The sub-query that you want to run on the already pulled data. |
The output contains the following populated JSON schema:
{
"data": [
{
"accountId": "",
"activeContentFileId": "",
"activeContentHash": "",
"activeContentPath": "",
"activeContentSignedStatus": "",
"activeContentType": "",
"agentDomain": "",
"agentGroupId": "",
"agentId": "",
"agentInfected": "",
"agentIp": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentName": "",
"agentNetworkStatus": "",
"agentOs": "",
"agentTimestamp": "",
"agentUuid": "",
"agentVersion": "",
"childProcCount": "",
"containerId": "",
"containerImage": "",
"containerLabels": "",
"containerName": "",
"createdAt": "",
"crossProcCount": "",
"crossProcDupRemoteProcHandleCount": "",
"crossProcDupThreadHandleCount": "",
"crossProcOpenProcCount": "",
"crossProcOutOfStorylineCount": "",
"crossProcThreadCreateCount": "",
"dnsCount": "",
"endpointMachineType": "",
"endpointName": "",
"endpointOs": "",
"eventIndex": "",
"eventRepetitionCount": "",
"eventTime": "",
"eventType": "",
"fileIsExecutable": "",
"fileMd5": "",
"fileSha256": "",
"id": "",
"indicatorBootConfigurationUpdateCount": "",
"indicatorEvasionCount": "",
"indicatorExploitationCount": "",
"indicatorGeneralCount": "",
"indicatorInfostealerCount": "",
"indicatorInjectionCount": "",
"indicatorPersistenceCount": "",
"indicatorPostExploitationCount": "",
"indicatorRansomwareCount": "",
"indicatorReconnaissanceCount": "",
"isAgentVersionFullySupportedForPg": "",
"isAgentVersionFullySupportedForPgMessage": "",
"k8sClusterName": "",
"k8sControllerLabels": "",
"k8sControllerName": "",
"k8sControllerType": "",
"k8sNamespace": "",
"k8sNamespaceLabels": "",
"k8sNode": "",
"k8sPodLabels": "",
"k8sPodName": "",
"lastActivatedAt": "",
"metaEventName": "",
"moduleCount": "",
"netConnCount": "",
"netConnInCount": "",
"netConnOutCount": "",
"objectType": "",
"osSrcChildProcCount": "",
"osSrcCrossProcCount": "",
"osSrcCrossProcDupRemoteProcHandleCount": "",
"osSrcCrossProcDupThreadHandleCount": "",
"osSrcCrossProcOpenProcCount": "",
"osSrcCrossProcOutOfStorylineCount": "",
"osSrcCrossProcThreadCreateCount": "",
"osSrcDnsCount": "",
"osSrcIndicatorBootConfigurationUpdateCount": "",
"osSrcIndicatorEvasionCount": "",
"osSrcIndicatorExploitationCount": "",
"osSrcIndicatorGeneralCount": "",
"osSrcIndicatorInfostealerCount": "",
"osSrcIndicatorInjectionCount": "",
"osSrcIndicatorPersistenceCount": "",
"osSrcIndicatorPostExploitationCount": "",
"osSrcIndicatorRansomwareCount": "",
"osSrcIndicatorReconnaissanceCount": "",
"osSrcModuleCount": "",
"osSrcNetConnCount": "",
"osSrcNetConnInCount": "",
"osSrcNetConnOutCount": "",
"osSrcProcActiveContentFileId": "",
"osSrcProcActiveContentHash": "",
"osSrcProcActiveContentPath": "",
"osSrcProcActiveContentSignedStatus": "",
"osSrcProcActiveContentType": "",
"osSrcProcBinaryisExecutable": "",
"osSrcProcCmdLine": "",
"osSrcProcDisplayName": "",
"osSrcProcImageMd5": "",
"osSrcProcImagePath": "",
"osSrcProcImageSha1": "",
"osSrcProcImageSha256": "",
"osSrcProcIntegrityLevel": "",
"osSrcProcIsNative64Bit": "",
"osSrcProcIsRedirectCmdProcessor": "",
"osSrcProcIsStorylineRoot": "",
"osSrcProcName": "",
"osSrcProcParentActiveContentFileId": "",
"osSrcProcParentActiveContentHash": "",
"osSrcProcParentActiveContentPath": "",
"osSrcProcParentActiveContentSignedStatus": "",
"osSrcProcParentActiveContentType": "",
"osSrcProcParentCmdLine": "",
"osSrcProcParentDisplayName": "",
"osSrcProcParentImageMd5": "",
"osSrcProcParentImagePath": "",
"osSrcProcParentImageSha1": "",
"osSrcProcParentImageSha256": "",
"osSrcProcParentIntegrityLevel": "",
"osSrcProcParentIsNative64Bit": "",
"osSrcProcParentIsRedirectCmdProcessor": "",
"osSrcProcParentIsStorylineRoot": "",
"osSrcProcParentName": "",
"osSrcProcParentPid": "",
"osSrcProcParentPublisher": "",
"osSrcProcParentReasonSignatureInvalid": "",
"osSrcProcParentSessionId": "",
"osSrcProcParentSignedStatus": "",
"osSrcProcParentStartTime": "",
"osSrcProcParentStorylineId": "",
"osSrcProcParentUid": "",
"osSrcProcParentUser": "",
"osSrcProcPid": "",
"osSrcProcPublisher": "",
"osSrcProcReasonSignatureInvalid": "",
"osSrcProcRelatedToThreat": "",
"osSrcProcSessionId": "",
"osSrcProcSignedStatus": "",
"osSrcProcStartTime": "",
"osSrcProcStorylineId": "",
"osSrcProcSubsystem": "",
"osSrcProcUid": "",
"osSrcProcUser": "",
"osSrcProcVerifiedStatus": "",
"osSrcRegistryChangeCount": "",
"osSrcTgtFileCreationCount": "",
"osSrcTgtFileDeletionCount": "",
"osSrcTgtFileModificationCount": "",
"parentPid": "",
"parentProcessName": "",
"parentProcessStartTime": "",
"parentProcessUniqueKey": "",
"pid": "",
"processCmd": "",
"processDisplayName": "",
"processGroupId": "",
"processImagePath": "",
"processImageSha1Hash": "",
"processIntegrityLevel": "",
"processIsRedirectedCommandProcessor": "",
"processIsWow64": "",
"processName": "",
"processRoot": "",
"processSessionId": "",
"processStartTime": "",
"processSubSystem": "",
"processUniqueKey": "",
"publisher": "",
"registryChangeCount": "",
"relatedToThreat": "",
"retentionPeriod": "",
"rpid": "",
"signatureSignedInvalidReason": "",
"signedStatus": "",
"siteId": "",
"siteName": "",
"srcProcActiveContentFileId": "",
"srcProcActiveContentHash": "",
"srcProcActiveContentPath": "",
"srcProcActiveContentSignedStatus": "",
"srcProcActiveContentType": "",
"srcProcBinaryisExecutable": "",
"srcProcCmdLine": "",
"srcProcDisplayName": "",
"srcProcImageMd5": "",
"srcProcImagePath": "",
"srcProcImageSha1": "",
"srcProcImageSha256": "",
"srcProcIntegrityLevel": "",
"srcProcIsNative64Bit": "",
"srcProcIsRedirectCmdProcessor": "",
"srcProcIsStorylineRoot": "",
"srcProcName": "",
"srcProcParentActiveContentFileId": "",
"srcProcParentActiveContentHash": "",
"srcProcParentActiveContentPath": "",
"srcProcParentActiveContentSignedStatus": "",
"srcProcParentActiveContentType": "",
"srcProcParentCmdLine": "",
"srcProcParentDisplayName": "",
"srcProcParentImageMd5": "",
"srcProcParentImagePath": "",
"srcProcParentImageSha1": "",
"srcProcParentImageSha256": "",
"srcProcParentIntegrityLevel": "",
"srcProcParentIsNative64Bit": "",
"srcProcParentIsRedirectCmdProcessor": "",
"srcProcParentIsStorylineRoot": "",
"srcProcParentName": "",
"srcProcParentPid": "",
"srcProcParentProcUid": "",
"srcProcParentPublisher": "",
"srcProcParentReasonSignatureInvalid": "",
"srcProcParentSessionId": "",
"srcProcParentSignedStatus": "",
"srcProcParentStartTime": "",
"srcProcParentStorylineId": "",
"srcProcParentUid": "",
"srcProcParentUser": "",
"srcProcPid": "",
"srcProcPublisher": "",
"srcProcReasonSignatureInvalid": "",
"srcProcRelatedToThreat": "",
"srcProcRpid": "",
"srcProcSessionId": "",
"srcProcSignedStatus": "",
"srcProcStartTime": "",
"srcProcStorylineId": "",
"srcProcSubsystem": "",
"srcProcTid": "",
"srcProcUid": "",
"srcProcUser": "",
"srcProcVerifiedStatus": "",
"storyline": "",
"tgtFileCreationCount": "",
"tgtFileDeletionCount": "",
"tgtFileModificationCount": "",
"tgtPid": "",
"tgtProcAccessRights": "",
"tgtProcActiveContentFileId": "",
"tgtProcActiveContentHash": "",
"tgtProcActiveContentPath": "",
"tgtProcActiveContentSignedStatus": "",
"tgtProcActiveContentType": "",
"tgtProcBinaryisExecutable": "",
"tgtProcCmdLine": "",
"tgtProcDisplayName": "",
"tgtProcImageMd5": "",
"tgtProcImagePath": "",
"tgtProcImageSha1": "",
"tgtProcImageSha256": "",
"tgtProcIntegrityLevel": "",
"tgtProcIsNative64Bit": "",
"tgtProcIsRedirectCmdProcessor": "",
"tgtProcIsStorylineRoot": "",
"tgtProcName": "",
"tgtProcPid": "",
"tgtProcPublisher": "",
"tgtProcReasonSignatureInvalid": "",
"tgtProcRelation": "",
"tgtProcSessionId": "",
"tgtProcSignedStatus": "",
"tgtProcStartTime": "",
"tgtProcStorylineId": "",
"tgtProcSubsystem": "",
"tgtProcUid": "",
"tgtProcUser": "",
"tgtProcVerifiedStatus": "",
"tiOriginalEventId": "",
"tiOriginalEventIndex": "",
"tiOriginalEventTraceId": "",
"tid": "",
"tiindicatorRelatedEventTime": "",
"traceId": "",
"trueContext": "",
"user": "",
"verifiedStatus": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
Parameter | Description |
---|---|
Query ID | The ID of the query whose associated events you want to retrieve from SentinelOne. When you create a query in SentinelOne you get its QueryID. |
Event Type | Event type by which you want to filter the results (events). You can choose between the following event types: Events, File, Ip, Url, Dns, Process, Registry, Scheduled task, Logins, or Indicators. |
Limit Records | (Optional) The maximum number of results, per page, that this operation should return. |
Offset | (Optional) Skips the specified number of results (0-1000) from the total results. |
Cursor | (Optional) Use this only to continue a paged result: pass the nextCursor value from the pagination element of the previous response to fetch the next page of events. |
Sort Order | (Optional) The sorting order of the results (events), you can choose between Ascending or Descending. |
Sort By | (Optional) Name of the field on which you want to sort the result (events). |
Sub Query | (Optional) The sub-query that you want to run on the already pulled data. |
The output contains the following populated JSON schema:
{
"data": {
"agentGroupId": "",
"indicatorCategory": "",
"indicatorDescription": "",
"agentUuid": "",
"fileId": "",
"loginsBaseType": "",
"processName": "",
"agentIp": "",
"threatStatus": "",
"processSubSystem": "",
"direction": "",
"processImagePath": "",
"agentIsActive": "",
"agentVersion": "",
"parentProcessName": "",
"agentInfected": "",
"indicatorMetadata": "",
"processIsMalicious": "",
"srcPort": "",
"user": "",
"processStartTime": "",
"siteName": "",
"agentName": "",
"md5": "",
"sha1": "",
"registryId": "",
"fileSha1": "",
"id": "",
"sha256": "",
"processCmd": "",
"networkMethod": "",
"indicatorName": "",
"parentProcessGroupId": "",
"taskName": "",
"srcIp": "",
"registryPath": "",
"parentPid": "",
"parentProcessUniqueKey": "",
"agentMachineType": "",
"dnsResponse": "",
"tid": "",
"processSessionId": "",
"networkUrl": "",
"eventSubType": "",
"createdAt": "",
"dstPort": "",
"processUserName": "",
"agentDomain": "",
"fileSha256": "",
"processDisplayName": "",
"agentNetworkStatus": "",
"loginsUserName": "",
"signer": "",
"rpid": "",
"taskPath": "",
"pid": "",
"processIntegrityLevel": "",
"oldFileMd5": "",
"relatedToThreat": "",
"oldFileSha1": "",
"processGroupId": "",
"networkSource": "",
"fileMd5": "",
"oldFileSha256": "",
"agentOs": "",
"oldFileName": "",
"eventType": "",
"agentIsDecommissioned": "",
"parentProcessStartTime": "",
"processImageSha1Hash": "",
"trueContext": "",
"parentProcessIsMalicious": "",
"dnsRequest": "",
"fileFullName": "",
"dstIp": "",
"processUniqueKey": "",
"forensicUrl": "",
"agentId": ""
},
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
Parameter | Description |
---|---|
Query ID | The ID of a deep visibility query that you want to stop in SentinelOne. When you create a query in SentinelOne you get its QueryID. |
The output contains the following populated JSON schema:
{
"success": ""
}
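The four Deep Visibility operations above (create a query, get its status, get its events, cancel it) are one procedure: a query runs asynchronously, so a playbook has to poll the status until it finishes, then follow the pagination cursor, and cancel the query if it gives up. The following script is an added example, not code from the FortiSOAR connector or from SentinelOne, showing that lifecycle with the two failure modes a practitioner hits in practice: a query that never finishes (give up and cancel so nothing is left running on the tenant) and a server that keeps returning the same cursor (abort instead of looping forever). Everything not on this page is an assumption: the v2.1 REST paths under /web/api/v2.1/dv/, the "Authorization: ApiToken <token>" header, the request field names fromDate, toDate, siteIds and subQuery, and that responseState reads "RUNNING" until it becomes "FINISHED". FakeSentinelOne and SAMPLE_EVENTS are constructed stand-ins so the flow runs offline; http_transport() is the live transport you would pass instead.

```python
"""Deep Visibility lifecycle: create query -> poll status -> page events by cursor -> cancel.
Added example, not code from the FortiSOAR connector or SentinelOne. ASSUMED (not stated on this
page): the /web/api/v2.1/dv/* paths, the "Authorization: ApiToken <token>" header, the request
fields fromDate/toDate/siteIds/subQuery, and responseState "RUNNING" then "FINISHED"."""
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

Transport = Callable[[str, str, Dict, Optional[Dict]], Dict]  # (method, path, params, body) -> JSON

def http_transport(base_url: str, api_token: str) -> Transport:  # live transport; TLS verified by default
    def call(method, path, params, body):
        url = base_url.rstrip("/") + path + ("?" + urllib.parse.urlencode(params) if params else "")
        req = urllib.request.Request(url, method=method, data=json.dumps(body).encode() if body is not None else None,
                                     headers={"Authorization": f"ApiToken {api_token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return call

class DeepVisibility:
    def __init__(self, transport: Transport, poll_interval: float = 0.0, max_polls: int = 60):
        self.t, self.poll_interval, self.max_polls = transport, poll_interval, max_polls

    def create_query(self, query: str, from_date: str, to_date: str, site_ids: Optional[List[str]] = None) -> str:
        body = {"query": query, "fromDate": from_date, "toDate": to_date, **({"siteIds": site_ids} if site_ids else {})}
        return self.t("POST", "/web/api/v2.1/dv/init-query", {}, body)["data"]["queryId"]

    def wait(self, query_id: str) -> str:  # poll Get Query Status; cancel server-side if we give up
        for _ in range(self.max_polls):
            state = self.t("GET", "/web/api/v2.1/dv/query-status", {"queryId": query_id}, None)["data"]["responseState"]
            if state == "FINISHED":
                return state
            if state != "RUNNING":  # FAILED, TIMED_OUT, ...: no events will ever come
                raise RuntimeError(f"query {query_id} ended in state {state}")
            time.sleep(self.poll_interval)
        self.cancel(query_id)
        raise TimeoutError(f"query {query_id} still RUNNING after {self.max_polls} polls")

    def events(self, query_id: str, limit: int = 100, sub_query: Optional[str] = None) -> List[Dict]:
        out, cursor, seen = [], None, set()  # follow pagination.nextCursor until empty; never loop on a repeat
        while True:
            params = {"queryId": query_id, "limit": limit, **({"cursor": cursor} if cursor else {}),
                      **({"subQuery": sub_query} if sub_query else {})}
            resp = self.t("GET", "/web/api/v2.1/dv/events", params, None)
            out.extend(resp["data"])
            cursor = resp["pagination"].get("nextCursor")
            if not cursor:
                return out
            if cursor in seen:
                raise RuntimeError("server repeated a nextCursor; aborting to avoid an endless loop")
            seen.add(cursor)

    def cancel(self, query_id: str) -> bool:
        return self.t("POST", "/web/api/v2.1/dv/cancel-query", {}, {"queryId": query_id})["data"]["success"]

class FakeSentinelOne:
    """Constructed stand-in: RUNNING for polls_to_finish-1 status checks, then FINISHED; pages of `limit`."""
    def __init__(self, events: List[Dict], polls_to_finish: int = 2):
        self.events, self.polls_to_finish, self.queries = events, polls_to_finish, {}

    def __call__(self, method, path, params, body):
        if path.endswith("/dv/init-query"):
            qid = f"q{len(self.queries) + 1}"
            self.queries[qid] = {"polls": 0, "canceled": False, "query": body["query"]}
            return {"data": {"queryId": qid, "queryModeInfo": {"mode": "scalyr", "lastActivatedAt": ""}}}
        if path.endswith("/dv/query-status"):
            q = self.queries[params["queryId"]]
            q["polls"] += 1
            done = q["polls"] >= self.polls_to_finish
            return {"data": {"responseState": "FINISHED" if done else "RUNNING", "progressStatus": 100 if done else 40}}
        if path.endswith("/dv/events"):  # a numeric offset doubles as the opaque cursor
            start = int(params.get("cursor") or 0)
            end = start + params["limit"]
            return {"data": self.events[start:end], "pagination": {
                "nextCursor": str(end) if end < len(self.events) else None, "totalItems": len(self.events)}}
        if path.endswith("/dv/cancel-query"):
            self.queries[body["queryId"]]["canceled"] = True
            return {"data": {"success": True}}
        raise ValueError(f"unexpected path {path}")

SAMPLE_EVENTS = [{"id": str(i), "eventType": "Process Creation", "agentName": "WS-01", "processName": "powershell.exe",
                  "processCmd": f"powershell.exe -enc QUFB{i}"} for i in range(7)]  # constructed; Get Events field names

def run_demo():  # happy path: FINISHED on the third poll, 7 events fetched in pages of 3
    fake = FakeSentinelOne(SAMPLE_EVENTS, polls_to_finish=3)
    dv = DeepVisibility(fake)
    qid = dv.create_query('ProcessName = "powershell.exe"', "2024-01-01T00:00:00Z", "2024-01-02T00:00:00Z")
    state = dv.wait(qid)
    return qid, state, fake.queries[qid]["polls"], dv.events(qid, limit=3)

def run_timeout_demo() -> bool:  # failure mode: give up after two polls, confirm the query was canceled
    fake = FakeSentinelOne(SAMPLE_EVENTS, polls_to_finish=10)
    dv = DeepVisibility(fake, max_polls=2)
    qid = dv.create_query('AgentName Contains Anycase "ws-"', "2024-01-01T00:00:00Z", "2024-01-02T00:00:00Z")
    try:
        dv.wait(qid)
    except TimeoutError:
        return fake.queries[qid]["canceled"]
    return False
```

The connector parameters above map onto the calls one to one: Limit Records is the page size, Cursor is the nextCursor carried between calls, and Sub Query narrows the already collected result set. Two details matter in a playbook: cancel the server-side query when you stop waiting, so abandoned runs do not pile up on the tenant, and bound the cursor loop, because a response whose nextCursor never empties would otherwise keep the playbook step running indefinitely.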
Parameter | Description |
---|---|
Threat ID | The ID of the threat whose "seen on network data" you want to retrieve from SentinelOne. |
Site IDs | (Optional) List of comma-separated agent sites whose "seen on network data" you want to retrieve from SentinelOne. |
Group IDs | (Optional) List of comma-separated agent groups whose "seen on network data" you want to retrieve from SentinelOne. |
Account IDs | (Optional) List of comma-separated agent accounts whose "seen on network data" you want to retrieve from SentinelOne. |
The output contains the following populated JSON schema:
{
"agent_version": "",
"description": "",
"created_date": "",
"meta_data": {
"updated_at": "",
"created_at": ""
},
"id": "",
"malicious_group_id": "",
"resolved": "",
"status": "",
"from_cloud": "",
"agent": ""
}
Parameter | Description |
---|---|
Threat ID | The ID of the threat whose forensic details you want to retrieve from SentinelOne. |
The output contains the following populated JSON schema:
{
"result": {
"policy_id": "",
"agent_version": "",
"occurred_at": "",
"graph": {
"edges_summary": [],
"node_sets": {}
},
"file_hash": "",
"file_display_name": "",
"file_created_at": "",
"agent": "",
"category_scores": [],
"publisher": "",
"raw_data": {
"edges": [],
"nodes": {
"6ADE07922117100C": {
"agent_version": "",
"in_threat": "",
"malicious_content": "",
"agent_uuid": "",
"meta_data": {
"updated_at": "",
"count": "",
"created_at": ""
},
"has_reputation": "",
"group_id": "",
"event_type": "",
"object_id": "",
"data": {
"path": "",
"is_system": "",
"created_date": "",
"is_executable": "",
"verification_type": "",
"extension_type": "",
"size": "",
"object_id": "",
"content_hash": "",
"permission": ""
}
}
}
},
"indicators": [],
"cert_id": "",
"is_cert_valid": ""
}
}
Parameter | Description |
---|---|
Threat ID | The ID of the threat whose details, together with its associated threats, you want to export from SentinelOne. |
Export Format | The format in which you want to export the threat data. You can choose between CSV, RAW, or JSON. |
The output contains the following populated JSON schema:
{
"threat_details": {
"description": "",
"id": "",
"created_at": "",
"agent": ""
},
"threats": [],
"agent_details": {
"external_ip": "",
"registered_at": "",
"agent_version_current": "",
"computer_name": "",
"last_active_date": "",
"agent_version_at_threat_time": "",
"group_ip": "",
"domain": "",
"cpu": "",
"os": ""
},
"file_details": {
"size": "",
"created_at": "",
"id": "",
"display_name": "",
"permission": "",
"content_hash": ""
},
"reputation": {
"rank": ""
}
}
Parameter | Description |
---|---|
Threat ID | The ID of the threat for which you want to retrieve the forensic data. |
Site IDs | (Optional) List of comma-separated agent sites whose threat data you want to retrieve from SentinelOne. |
Group IDs | (Optional) List of comma-separated agent groups whose threat data you want to retrieve from SentinelOne. |
Account IDs | (Optional) List of comma-separated agent accounts whose threat data you want to retrieve from SentinelOne. |
The output contains the following populated JSON schema:
{
"result": {
"seen_on_network": "",
"occurred_at": "",
"file_display_name": "",
"marked_as_benign": "",
"classifier_name": "",
"mitigation_status": "",
"file_created_at": "",
"file_path": "",
"classification_source": "",
"classification": "",
"mitigation_report": {
"quarantine": {
"status": ""
},
"rollback": {
"status": ""
},
"remediate": {
"status": ""
},
"network_quarantine": {
"status": ""
},
"kill": {
"status": ""
}
},
"threat_id": "",
"whitening_options": [],
"threat_created": "",
"malicious_group_id": "",
"in_quarantine": "",
"file_content_hash": "",
"file_hash": "",
"malicious_process_arguments": "",
"annotation_url": "",
"agent": "",
"from_scan": "",
"annotation": "",
"file_description": "",
"resolved": "",
"mitigation_actions": []
}
}
None.
The output contains the following populated JSON schema:
{
"title": "",
"key": "",
"autoComplete": ""
}
Parameter | Description |
---|---|
Get Count By | Filter based on which you want to retrieve the application count from SentinelOne. You can choose between Risk Levels or Filters. By default, this is set to Risk Levels. |
Site IDs | (Optional) List of comma-separated agent sites whose application count you want to retrieve from SentinelOne. |
Group IDs | (Optional) List of comma-separated agent groups whose application count you want to retrieve from SentinelOne. |
Account IDs | (Optional) List of comma-separated agent accounts whose application count you want to retrieve from SentinelOne. |
Agent Machine Types | (Optional) Type of agent machine whose application count you want to retrieve from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server. |
Application IDs | (Optional) List of comma-separated application IDs whose application count you want to retrieve, per filter value, from SentinelOne. |
Application Types | (Optional) Type of application whose application count you want to retrieve from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension. |
Is Decommissioned | Select this checkbox if the status of the agent whose application count you want to retrieve from SentinelOne is set as "Decommissioned". |
Risk Levels | (Optional) Level of risks whose application count you want to retrieve from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical. |
OS Types | (Optional) Type of OS whose application count you want to retrieve from SentinelOne. You can choose between the following OS types: MacOS, Windows_Legacy, Linux, or Windows. |
Additional Fields | Additional fields, in the JSON format, based on which you want to retrieve application counts from SentinelOne. |
The output contains the following populated JSON schema:
Output schema when you choose "Get Count By" as "Risk Levels":
{
"enableNegation": "",
"key": "",
"title": "",
"values": [
{
"count": "",
"title": "",
"value": ""
}
]
}
Output schema when you choose "Get Count By" as "Filters":
{
"enableNegation": "",
"disableSorting": "",
"key": "",
"title": "",
"values": [
{
"count": "",
"title": "",
"value": ""
}
]
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Internal CVE IDs | List of comma-separated internal CVE IDs on which you want to filter the CVEs retrieved using this operation from SentinelOne. |
Global CVE IDs | List of comma-separated global CVE IDs on which you want to filter the CVEs retrieved using this operation from SentinelOne. |
Limit Records | The maximum number of results, per page, that this operation should return. |
Skip Count | Select this option to skip calculating the total number of results, which speeds up execution. |
Sort By | Name of the field on which you want to sort the result. You can choose between the following fields: ID, PublishedAt, AgentID, or ApplicationID. |
Sort Order | The sorting order of the results (CVEs), you can choose between Ascending or Descending. |
Count Only | Select this option to only retrieve the total number of items, without any of the actual objects, from SentinelOne. |
Cursor | Use this only to continue a paged result: pass the nextCursor value from the pagination element of the previous response to fetch the next page of CVEs. |
Additional Fields | Additional fields, in the JSON format, based on which you want to retrieve CVEs from SentinelOne. |
The output contains the following populated JSON schema:
{
"data": [
{
"createdAt": "",
"cveId": "",
"description": "",
"id": "",
"link": "",
"publishedAt": "",
"riskLevel": "",
"score": "",
"updatedAt": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Site IDs | List of comma-separated agent site IDs to export application risks from SentinelOne. |
Group IDs | List of comma-separated agent group IDs to export application risks from SentinelOne. |
Account IDs | List of comma-separated agent account IDs to export application risks from SentinelOne. |
Size Between | Size range of the application between which you want to filter the application risks. You can specify the size range in bytes from 1024 to 104856. |
Agent Machine Types | Type of agent machine whose application risks you want to export from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server. |
Application IDs | The ID of the agent application whose installed applications and CVEs list you want to export from SentinelOne. |
Application Types | Type of application whose application risks you want to export from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension. |
Is Decommissioned | Select this checkbox if the status of the agent whose application risks you want to export from SentinelOne is set as "Decommissioned". |
Risk Levels | Level of risks whose application risks you want to export from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical. |
OS Types | Type of OS whose application risks you want to export from SentinelOne. You can choose between the following OS types: MacOS, Windows Legacy, Linux, or Windows. |
Additional Fields | Additional fields, in the JSON format, based on which you want to export application risks from SentinelOne. |
The output contains the following populated JSON schema:
{
"id": "",
"@id": "",
"file": {
"id": "",
"@id": "",
"size": "",
"uuid": "",
"@type": "",
"assignee": "",
"filename": "",
"metadata": [],
"mimeType": "",
"thumbnail": "",
"uploadDate": ""
},
"name": "",
"type": "",
"uuid": "",
"@type": "",
"tasks": [],
"alerts": [],
"assets": [],
"owners": [],
"people": [],
"@context": "",
"assignee": "",
"comments": [],
"warrooms": [],
"incidents": [],
"createDate": "",
"createUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"indicators": [],
"modifyDate": "",
"modifyUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"recordTags": [],
"userOwners": [],
"description": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Limit Records | The maximum number of results, per page, that this operation should return. |
Skip Count | Select this option to skip calculating the total number of results, which speeds up execution. |
Sort Order | The sorting order of the results (applications), you can choose between Ascending or Descending. |
Agent Machine Types | Type of endpoint machine whose applications you want to retrieve from SentinelOne. You can choose between the following agent machine types: Unknown, Desktop, Laptop, or Server. |
Application IDs | The ID of the agent application whose installed applications you want to retrieve from SentinelOne |
Is Decommissioned | Select this checkbox if the status of the agent whose applications you want to retrieve from SentinelOne is set as "Decommissioned". |
Application Types | Type of application whose applications you want to retrieve from SentinelOne. You can choose between the following application types: App, Kb, Patch, ChromeExtension, EdgeExtension, FirefoxExtension, or SafariExtension. |
Risk Levels | Level of risks whose applications you want to retrieve from SentinelOne. You can choose between the following risk levels: None, Low, Medium, High, or Critical. |
Sort By | Name of the field on which you want to sort the result. You can choose between the following fields: ID, InstallAt, Type, Name, Publisher, Version, Size, AgentComputerName, or RiskLevel. |
Count Only | Select this option to only retrieve the total number of items, without any of the actual objects, from SentinelOne. |
OS Types | Type of OS whose applications you want to retrieve from SentinelOne. You can choose between the following OS types: MacOS, Windows Legacy, Linux, or Windows. |
Additional Fields | Additional fields, in the JSON format, based on which you want to retrieve applications from SentinelOne. |
The output contains the following populated JSON schema:
{
"data": [
{
"agentComputerName": "",
"agentDomain": "",
"agentId": "",
"agentInfected": "",
"agentIsActive": "",
"agentIsDecommissioned": "",
"agentMachineType": "",
"agentNetworkStatus": "",
"agentOperationalState": "",
"agentOsType": "",
"agentUuid": "",
"agentVersion": "",
"createdAt": "",
"id": "",
"installedAt": "",
"name": "",
"osType": "",
"publisher": "",
"riskLevel": "",
"signed": "",
"size": "",
"type": "",
"updatedAt": "",
"version": ""
}
],
"pagination": {
"nextCursor": "",
"totalItems": ""
}
}
Parameter | Description |
---|---|
Application ID | The ID of the agent application whose application CVEs you want to retrieve from SentinelOne. |
The output contains the following populated JSON schema:
{
"agentInfected": "",
"agentNetworkStatus": "",
"installedAt": "",
"signed": "",
"size": "",
"type": "",
"updatedAt": "",
"agentComputerName": "",
"name": "",
"agentOsType": "",
"version": "",
"publisher": "",
"agentMachineType": "",
"id": "",
"agentVersion": "",
"osType": "",
"createdAt": "",
"cves": [],
"agentDomain": "",
"agentId": "",
"agentIsDecommissioned": "",
"riskLevel": "",
"agentUuid": "",
"agentIsActive": ""
}
The Sample - SentinelOne - 3.1.0 playbook collection comes bundled with the SentinelOne connector. This collection contains playbooks with steps for every supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the SentinelOne connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling threats from SentinelOne. Currently, "threats" in SentinelOne have been mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming SentinelOne "threats" to FortiSOAR™ "Alerts".
The Data Ingestion Wizard enables you to configure scheduled pulling of data from SentinelOne into FortiSOAR. It also lets you pull some sample data from SentinelOne using which you can define the mapping of data between SentinelOne and FortiSOAR. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the SentinelOne threat.
On the Field Mapping screen, map the fields of a SentinelOne threat to the fields of an alert present in FortiSOAR™.
To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the agentIp parameter of a SentinelOne threat to the Source IP parameter of a FortiSOAR™ alert, click the Source IP field and then click the agentIp field to populate its keys.
For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
(Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to SentinelOne, so that the content gets pulled from the SentinelOne integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from SentinelOne every morning at 5 am, click Daily, enter 5 in the hour box, and enter 0 in the minute box.
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
This generally occurs when the SentinelOne server presents a self-signed SSL certificate. If you use self-signed certificates for testing or staging, keep in mind that this problem should not occur in production, where a trusted certificate is expected, so you might need to toggle certificate verification between environments.
Resolution:
Ensure that the SSL certificate is trusted, or turn off SSL verification in the wrapper script. Turning off verification is not advised for production instances.
There are many reasons for a playbook failure, for example, if a required field is null in the target module record, or there are problems with the Playbook Appliance keys.
Resolution:
Investigate the reason for failure using the 'Executed Playbook Logs'. Review the step in which the failure is being generated and the result of the step, which should contain the trace of the error. Once you have identified the error and if you cannot troubleshoot the error, contact Fortinet support for further assistance.