Skip to main content

SentinelOne v2

This Integration is part of the SentinelOne Pack.#

Use the SentinelOne integration to send requests to your management server and get responses with data pulled from agents or from the management database. This integration was integrated and tested with versions 2.0 and 2.1 of SentinelOne V2

Configure SentinelOne V2 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for SentinelOne v2.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    Server URL (e.g., https://usea1.sentinelone.net)True
    API TokenFalse
    API VersionTrue
    Fetch incidentsFalse
    Incident typeFalse
    First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year)False
    Minimum risk score for importing incidents (0-10), where 0 is low risk and 10 is high risk. Relevant for API version 2.0.False
    Fetch limit: The maximum number of incidents to fetchFalse
    Site IDsComma-separated list of site IDs to fetch incidents for. Leave blank to fetch all sites.False
    Block Site IDsComma-separated list of site IDs for where hashes should be blocked. If left blank all hashes will be blocked globally. If filled out with site ids all hashes will be no longer be blocked globally, they will now be blocked in the scope of those sites.False
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
    API Token (Deprecated)Use the "API Token (Recommended)" parameter instead.False
    Incidents Fetch IntervalFalse
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

sentinelone-list-agents#


Returns all agents that match the specified criteria.

Base Command#

sentinelone-list-agents

Input#

Argument NameDescriptionRequired
computer_nameThe computer name by which to filter the results.Optional
scan_statusA comma-separated list of scan statuses by which to filter the results, for example: "started,aborted". Possible values are: started, none, finished, aborted.Optional
os_typeIncluded operating system types, for example: "windows". Possible values are: windows, windows_legacy, macos, linux.Optional
created_atEndpoint creation timestamp, for example: "2018-02-27T04:49:26.257525Z".Optional
min_active_threatsMinimum number of threats per agent.Optional
limitThe maximum number of agents to return. Default is 10.Optional
paramsQuery params field=value pairs delimited by comma (e.g., activeThreats=3,gatewayIp=1.2.3.4). Query params are OR'd.Optional

Context Output#

PathTypeDescription
SentinelOne.Agents.NetworkStatusstringThe agent network status.
SentinelOne.Agents.IDstringThe agent ID.
SentinelOne.Agents.AgentVersionstringThe agent software version.
SentinelOne.Agents.IsDecommissionedbooleanWhether the agent is decommissioned.
SentinelOne.Agents.IsActivebooleanWhether the agent is active.
SentinelOne.Agents.LastActiveDatedateWhen was the agent last active.
SentinelOne.Agents.RegisteredAtdateThe registration date of the agent.
SentinelOne.Agents.ExternalIPstringThe agent IP address.
SentinelOne.Agents.ThreatCountnumberNumber of active threats.
SentinelOne.Agents.EncryptedApplicationsbooleanWhether disk encryption is enabled.
SentinelOne.Agents.OSNamestringName of operating system.
SentinelOne.Agents.ComputerNamestringName of agent computer.
SentinelOne.Agents.DomainstringDomain name of the agent.
SentinelOne.Agents.CreatedAtdateCreation time of the agent.
SentinelOne.Agents.SiteNamestringSite name associated with the agent.

V2.0 to V2.1 API Changes#

Params (input) API V2 (XOAR)API V2.1 (S1)
activeThreats__gtvalid
computerNamevalid
scanStatusvalid
osTypeosTypes
createdAt__gtevalid
Params (Outputs) API V2 (XOAR) API V2.1 (S1)
SentinelOne.Agents.NetworkStatusvalid
SentinelOne.Agents.IDvalid
SentinelOne.Agents.AgentVersionvalid
SentinelOne.Agents.isDecommissionedvalid
SentinelOne.Agents.IsActivevalid
SentinelOne.Agents.LastActiveDatevalid
SentinelOne.Agents.RegisteredAtvalid
SentinelOne.Agents.ExternalIPvalid
SentinelOne.Agents.ThreatCountactiveThreat
SentinelOne.Agents.EncryptedApplicationsvalid
SentinelOne.Agents.OSNamevalid
SentinelOne.Agents.ComputerNamevalid
SentinelOne.Agents.Domainvalid
SentinelOne.Agents.CreatedAtvalid
SentinelOne.Agents.SiteNamevalid

Command Example#

!sentinelone-list-agents

Context Example#

{
"SentinelOne": {
"Agents": {
"AgentVersion": "3.1.3.38",
"ComputerName": "EC2AMAZ-AJ0KANC",
"CreatedAt": "2019-06-27T08:01:05.571895Z",
"Domain": "WORKGROUP",
"EncryptedApplications": false,
"ExternalIP": "8.88.8.8",
"ID": "657613730168123595",
"IsActive": false,
"IsDecommissioned": true,
"LastActiveDate": "2020-02-20T00:26:33.955830Z",
"NetworkStatus": "connecting",
"OSName": "Windows Server 2016",
"RegisteredAt": "2019-06-27T08:01:05.567249Z",
"SiteName": "demisto",
"ThreatCount": 0
}
}
}

Human Readable Output#

Sentinel One - List of Agents#

Provides summary information and details for all the agents that matched your search criteria |Agent Version|Computer Name|Created At|Domain|Encrypted Applications|External IP|ID|Is Active|Is Decommissioned|Last Active Date|Network Status|OS Name|Registered At|Site Name|Threat Count| |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| | 3.1.3.38 | EC2AMAZ-AJ0KANC | 2019-06-27T08:01:05.571895Z | WORKGROUP | false | 8.88.8.8 | 657613730168123595 | false | true | 2020-02-20T00:26:33.955830Z | connecting | Windows Server 2016 | 2019-06-27T08:01:05.567249Z | demisto | 0 |

sentinelone-create-white-list-item#


Creates an exclusion item that matches the specified input filter.

Base Command#

sentinelone-create-white-list-item

Input#

Argument NameDescriptionRequired
exclusion_typeExclusion item type. Possible values are: file_type, path, white_hash, certificate, browser.Required
exclusion_valueValue of the exclusion item for the exclusion list.Required
os_typeOperating system type. Required for hash exclusions. Possible values are: windows, windows_legacy, macos, linux.Required
descriptionDescription for adding the exclusion item.Optional
exclusion_modeExclusion mode (path exclusion only). Possible values are: suppress, disable_in_process_monitor_deep, disable_in_process_monitor, disable_all_monitors, disable_all_monitors_deep.Optional
path_exclusion_typeExcluded path for a path exclusion list.Optional
group_idsA comma-separated list of group IDs by which to filter.Optional
site_idsA comma-separated list of site IDs by which to filter.Optional

Context Output#

PathTypeDescription
SentinelOne.Exclusions.IDstringThe entity ID on the allow list.
SentinelOne.Exclusions.TypestringThe item type on the allow list.
SentinelOne.Exclusions.CreatedAtdateTime when the allow list item was created.

V2.0 to V2.1 API Changes#

Params (input) API V2 (XOAR)API V2.1 (S1)
typevalid
valuevalid
osTypevalid
descriptionvalid
modevalid
groupIdsvalid
siteIdsvalid
Params (Outputs) API V2 (XOAR) API V2.1 (S1)
SentinelOne.Exclusions.IDvalid
SentinelOne.Exclusions.Typevalid
SentinelOne.Exclusions.CreatedAtvalid

sentinelone-get-white-list#


Lists all exclusion items that match the specified input filter.

Base Command#

sentinelone-get-white-list

Input#

Argument NameDescriptionRequired
item_idsList of IDs by which to filter, for example: "225494730938493804,225494730938493915".Optional
os_typesA comma-separated list of operating system types by which to filter, for example: "windows, linux". Possible values are: windows, windows_legacy, macos, linux.Optional
exclusion_typeExclusion type. Possible values are: file_type, path, white_hash, certificate, browser.Optional
limitThe maximum number of items to return. Default is 10.Optional
include_parentWhether to include parent information of each item. Default value is false. Default is false.Optional
include_childrenWhether to include children information of each item. Default value is false. Default is false.Optional

Context Output#

PathTypeDescription
SentinelOne.Exclusions.IDstringThe exclusion item ID.
SentinelOne.Exclusions.TypestringThe exclusion item type.
SentinelOne.Exclusions.CreatedAtdateTimestamp when the exclusion item was added.
SentinelOne.Exclusions.ValuestringValue of the exclusion item.
SentinelOne.Exclusions.SourcestringSource of the exclusion item.
SentinelOne.Exclusions.UserIDstringUser ID of the user qho added the exclusion item.
SentinelOne.Exclusions.UpdatedAtdateTimestamp when the exclusion item was updated.
SentinelOne.Exclusions.OsTypestringOperating system type of the exclusion item.
SentinelOne.Exclusions.UserNamestringUser name of the user who added the exclusion item.
SentinelOne.Exclusions.ModestringA comma-separated list of modes by which to filter (path exclusions only), for example: "suppress".

V2.0 to V2.1 API Changes#

Params (input) API V2 (XOAR)API V2.1 (S1)
idsvalid
osTypesvalid
typevalid
limitvalid
Params (Outputs) API V2 (XOAR) API V2.1 (S1)
SentinelOne.Exclusions.IDvalid
SentinelOne.Exclusions.Typevalid
SentinelOne.Exclusions.CreatedAtvalid
SentinelOne.Exclusions.Valuevalid
SentinelOne.Exclusions.Sourcevalid
SentinelOne.Exclusions.UserIDvalid
SentinelOne.Exclusions.UpdatedAtvalid
SentinelOne.Exclusions.OsTypevalid
SentinelOne.Exclusions.UserNamevalid
SentinelOne.Exclusions.Modevalid

Command Example#

!sentinelone-get-white-list os_types=windows exclusion_type=path

Context Example#

{
"SentinelOne": {
"Exclusions": {
"CreatedAt": "2020-10-25T14:09:58.928251Z",
"ID": "1010040403583584993",
"Mode": "suppress",
"OsType": "windows",
"Source": "user",
"Type": "path",
"UpdatedAt": "2020-10-25T14:09:58.921789Z",
"UserID": "475482955872052394",
"UserName": "XSOAR User",
"Value": "*/test/"
}
}
}

Human Readable Output#

Sentinel One - Listing exclusion items#

Provides summary information and details for all the exclusion items that matched your search criteria. |CreatedAt|ID|Mode|OsType|Source|Type|UpdatedAt|UserID|UserName|Value| |---|---|---|---|---|---|---|---|---|---| | 2020-10-25T14:09:58.928251Z | 1010040403583584993 | suppress | windows | user | path | 2020-10-25T14:09:58.921789Z | 475482955872052394 | XSOAR User | */test/ |

sentinelone-get-hash#


Gets the file reputation by a SHA1 hash.

Base Command#

sentinelone-get-hash

Input#

Argument NameDescriptionRequired
hashThe content hash.Required

Context Output#

PathTypeDescription
SentinelOne.Hash.RankNumberThe hash reputation (1-10).
SentinelOne.Hash.HashStringThe content hash.

V2.0 to V2.1 API Changes#

Params (input) API V2 (XOAR)API V2.1 (S1)
{hash}valid
Params (Outputs) API V2 (XOAR) API V2.1 (S1)
SentinelOne.Hash.Rankvalid
SentinelOne.Hash.HashNone (need to return from the input)
SentinelOne.Hash.ClassificationNone
SentinelOne.Hash.Classification SourceNone

Command Example#

!sentinelone-get-hash hash=3395856ce81f2b7382dee72602f798b642f14140

Context Example#

{
"SentinelOne": {
"Hash": {
"Hash": "3395856ce81f2b7382dee72602f798b642f14140",
"Rank": "7"
}
}
}

Human Readable Output#

Sentinel One - Hash Reputation#

Provides hash reputation (rank from 0 to 10): |Hash|Rank| |---|---| | 3395856ce81f2b7382dee72602f798b642f14140 | 7 |

sentinelone-get-threats#


Returns threats according to the specified filters.

Base Command#

sentinelone-get-threats

Input#

Argument NameDescriptionRequired
content_hashA comma-separated list of content hashes of the threat.Optional
mitigation_statusA comma-separated list of mitigation statuses. Possible values are: mitigated, active, blocked, suspicious, pending, suspicious_resolved.Optional
created_beforeSearches for threats created before this timestamp, for example: "2018-02-27T04:49:26.257525Z".Optional
created_afterSearches for threats created after this timestamp, for example: "2018-02-27T04:49:26.257525Z".Optional
created_untilSearches for threats created on or before this timestamp, for example: "2018-02-27T04:49:26.257525Z".Optional
created_fromSearch for threats created on or after this timestamp, for example: "2018-02-27T04:49:26.257525Z".Optional
resolvedWhether to only return resolved threats. Possible values are: false, true. Default is false.Optional
display_nameThreat display name. For API version 2.0 it can be a partial display name, doesn't have to be an exact match.Optional
limitThe maximum number of threats to return. Default is 20.Optional
queryFull free-text search for fields. Can be "content_hash", "file_display_name", "file_path", "computer_name", or "uuid".Optional
threat_idsA comma-separated list of threat IDs, for example: "225494730938493804,225494730938493915".Optional
classificationsA comma-separated list of threat classifications to search, for example: "Malware", "Network", "Benign". Possible values are: Engine, Static, Cloud, Behavioral.Optional
rankRisk level threshold to retrieve (1-10). Relevant for API version 2.0 only.Optional
site_idsA comma-separated list of site IDs to search for threats, for example: "225494730938493804,225494730938493915".Optional

Context Output#

PathTypeDescription
SentinelOne.Threat.IDStringThe threat ID.
SentinelOne.Threat.AgentComputerNameStringThe agent computer name.
SentinelOne.Threat.CreatedDateDateThe threat creation date.
SentinelOne.Threat.SiteIDStringThe site ID.
SentinelOne.Threat.ClassificationstringThe threat classification.
SentinelOne.Threat.ClassificationSourcestringSource of the threat classification.
SentinelOne.Threat.ConfidenceLevelstringSentinelOne threat confidence level.
SentinelOne.Threat.FileSha256stringSHA256 hash of the file content.
SentinelOne.Threat.MitigationStatusStringThe agent mitigation status.
SentinelOne.Threat.AgentIDStringThe threat agent ID.
SentinelOne.Threat.RankNumberThe number representing the cloud reputation (1-10).
SentinelOne.Threat.MarkedAsBenignBooleanWhether the threat is marked as benign. Relevant for version 2.0 only.

V2.0 to V2.1 API Changes#

Params (input) API V2 (XOAR)API V2.1 (S1)
contentHashcontentHashes
mitigationStatusesvalid
createdAt__ltvalid
createdAt__gtvalid
createdAt__ltevalid
createdAt__gtevalid
resolvedvalid
displayName__likedisplayName
queryvalid
idsvalid
limitvalid
classificationsvalid
Params (Outputs) API V2 (XOAR) API V2.1 (S1)
SentinelOne.Threat.IDvalid
SentinelOne.Threat.AgentComputeragentComputerName
SentinelOne.Threat.CreatedDatecreatedAt
SentinelOne.Threat.SiteIDvalid
SentinelOne.Threat.Classificationvalid
SentinelOne.Threat.MitigationStatusvalid
SentinelOne.Threat.AgentIDvalid
SentinelOne.Threat.RankNone
SentinelOne.Threat.MarkedAsBenigNone

Command Example#

!sentinelone-get-threats resolved=true

Context Example#

{
"SentinelOne": {
"Threat": [
{
"AgentComputerName": "EC2AMAZ-AJ0KANC",
"AgentID": "657613730168123595",
"AgentOsType": "windows",
"Classification": "Malware",
"ClassificationSource": "Static",
"ConfidenceLevel": "malicious",
"CreatedDate": "2019-09-15T12:05:49.095889Z",
"FileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
"FilePath": "\\Device\\HarddiskVolume1\\Users\\Administrator\\Downloads\\Unconfirmed 123490.crdownload",
"ID": "715718962991148224",
"MitigationStatus": "mitigated",
"SiteID": "475482421366727779",
"SiteName": "demisto",
"ThreatName": "Unconfirmed 123490.crdownload",
"Username": "EC2AMAZ-AJ0KANC\\Administrator"
},
{
"AgentComputerName": "EC2AMAZ-AJ0KANC",
"AgentID": "657613730168123595",
"AgentOsType": "windows",
"Classification": "Malware",
"ClassificationSource": "Static",
"ConfidenceLevel": "malicious",
"CreatedDate": "2019-09-15T12:14:42.440985Z",
"FileContentHash": "d8757a0396d05a1d532422827a70a7966c361366",
"FilePath": "\\Device\\HarddiskVolume1\\Users\\Administrator\\Downloads\\Ncat Netcat Portable - CHIP-Installer.exe",
"ID": "715723437013282014",
"MitigationStatus": "mitigated",
"SiteID": "475482421366727779",
"SiteName": "demisto",
"ThreatName": "Ncat Netcat Portable - CHIP-Installer.exe",
"Username": "EC2AMAZ-AJ0KANC\\Administrator"
}
]
}
}

Human Readable Output#

Sentinel One - Getting Threat List#

Provides summary information and details for all the threats that matched your search criteria. |ID|Agent Computer Name|Created Date|Site ID|Site Name|Classification|Mitigation Status|Confidence Level|Agent ID|File Content Hash| |---|---|---|---|---|---|---|---|---|---| | 715718962991148224 | EC2AMAZ-AJ0KANC | 2019-09-15T12:05:49.095889Z | 475482421366727779 | demisto | Malware | mitigated | malicious | 657613730168123595 | 3395856ce81f2b7382dee72602f798b642f14140 | | 715723437013282014 | EC2AMAZ-AJ0KANC | 2019-09-15T12:14:42.440985Z | 475482421366727779 | demisto | Malware | mitigated | malicious | 657613730168123595 | d8757a0396d05a1d532422827a70a7966c361366 |

sentinelone-threat-summary#


Returns a dashboard threat summary. Can only be used with API V2.1.

Base Command#

sentinelone-threat-summary

Input#

Argument NameDescriptionRequired
group_idsA comma-separated list of group IDs by which to filter, for example: "225494730938493804,225494730938493915".Optional

Context Output#

PathTypeDescription
SentinelOne.Threat.NotResolvedNumberNumber of unresolved threats in the system.
SentinelOne.Threat.SuspiciousNotMitigatedNotResolvedNumberNumber of unmitigated suspicious threats in the system.
SentinelOne.Threat.SuspiciousNotResolvedNumberNumber of unresolved suspicious threats in the system.
SentinelOne.Threat.ResolvedNumberNumber of resolved threats in the system.
SentinelOne.Threat.InProgressNumberNumber of active threats in the system.
SentinelOne.Threat.TotalNumberTotal number of threats in the system.
SentinelOne.Threat.NotMitigatedNumberNumber of unmitigated threats in the system.
SentinelOne.Threat.MaliciousNotResolvedNumberNumber of unresolved malicious threats in the system.
SentinelOne.Threat.NotMitigatedNotResolvedNumberNumber of unmitigated and unresolved threats in the system.

Command Example#

!sentinelone-threat-summary group_ids="475482421375116388,764073410272419896"

Context Example#

{
"SentinelOne": {
"Threat": {
"InProgress": 0,
"MaliciousNotResolved": 0,
"NotMitigated": 0,
"NotMitigatedNotResolved": 0,
"NotResolved": 0,
"Resolved": 14,
"SuspiciousNotMitigatedNotResolved": 0,
"SuspiciousNotResolved": 0,
"Total": 14
}
}
}

Human Readable Output#

Sentinel One - Dashboard Threat Summary#

In ProgressMalicious Not ResolvedNot MitigatedNot Mitigated Not ResolvedNot ResolvedResolvedSuspicious Not Mitigated Not ResolvedSuspicious Not ResolvedTotal
00000140014

sentinelone-mark-as-threat#


Marks suspicious threats as threats. Can only be used with API V2.0.

Base Command#

sentinelone-mark-as-threat

Input#

Argument NameDescriptionRequired
threat_idsA comma-separated list of threat IDs.Optional
target_scopeScope to use for exclusions. Possible values are: site, tenant.Required

Context Output#

PathTypeDescription
SentinelOne.Threat.IDStringThe threat ID.
SentinelOne.Threat.MarkedAsThreatBooleanWhether the suspicious threat was successfully marked as a threat.

sentinelone-mitigate-threat#


Applies a mitigation action to a group of threats that match the specified input filter.

Base Command#

sentinelone-mitigate-threat

Input#

Argument NameDescriptionRequired
actionMitigation action. Possible values are: kill, quarantine, un-quarantine, remediate, rollback-remediation.Required
threat_idsA comma-separated list of threat IDs.Required

Context Output#

PathTypeDescription
SentinelOne.Threat.IDStringThe threat ID.
SentinelOne.Threat.MitigatedBooleanWhether the threat was successfully mitigated.
SentinelOne.Threat.Mitigation.ActionNumberNumber of threats affected.

V2.0 to V2.1 API Changes#

Params (input) API V2 (XOAR)API V2.1 (S1)
filtervalid
idsvalid
actionvalid
Params (Outputs) API V2 (XOAR) API V2.1 (S1)
SentinelOne.Threat.IDNone (need to return from the input)
SentinelOne.Threat.MitigatedNone
SentinelOne.Threat.Mitigation.Actioneffected

sentinelone-resolve-threat#


Resolves threats using the threat ID. Can only be used with API V2.0.

Base Command#

sentinelone-resolve-threat

Input#

Argument NameDescriptionRequired
threat_idsA comma-separated list of threat IDs.Required

Context Output#

PathTypeDescription
SentinelOne.Threat.IDStringThe threat ID.
SentinelOne.Threat.ResolvedBooleanWhether the threat was successfully resolved.

sentinelone-get-agent#


Returns the details of an agent according to the agent ID.

Base Command#

sentinelone-get-agent

Input#

Argument NameDescriptionRequired
agent_idA comma-separated list of agent IDs.Required

Context Output#

PathTypeDescription
SentinelOne.Agent.NetworkStatusstringThe agent network status.
SentinelOne.Agent.IDstringThe agent ID.
SentinelOne.Agent.AgentVersionstringThe agent software version.
SentinelOne.Agent.IsDecommissionedbooleanWhether the agent is decommissioned.
SentinelOne.Agent.IsActivebooleanWhether the agent is active.
SentinelOne.Agent.LastActiveDatedateWhen was the agent last active.
SentinelOne.Agent.RegisteredAtdateThe registration date of the agent.
SentinelOne.Agent.ExternalIPstringThe agent IP address.
SentinelOne.Agent.ThreatCountnumberNumber of active threats.
SentinelOne.Agent.EncryptedApplicationsbooleanWhether disk encryption is enabled.
SentinelOne.Agent.OSNamestringName of the operating system.
SentinelOne.Agent.ComputerNamestringName of the agent computer.
SentinelOne.Agent.DomainstringDomain name of the agent.
SentinelOne.Agent.CreatedAtdateAgent creation time.
SentinelOne.Agent.SiteNamestringSite name associated with the agent.

V2.0 to V2.1 API Changes#

Params (input) API V2 (XOAR)API V2.1 (S1)
idsvalid
Params (Outputs) API V2 (XOAR) API V2.1 (S1)
SentinelOne.Agent.NetworkStatusvalid
SentinelOne.Agent.IDvalid
SentinelOne.Agent.AgentVersionvalid
SentinelOne.Agent.IsDecomissionedisDecommissioned (misspelled)
SentinelOne.Agent.IsActivevalid
SentinelOne.Agent.LastActiveDatevalid
SentinelOne.Agent.RegisteredAtvalid
SentinelOne.Agent.ExternalIPvalid
SentinelOne.Agent.ThreatCountactiveThreats
SentinelOne.Agent.EncryptedApplicavalid
SentinelOne.Agent.OSNamevalid
SentinelOne.Agent.ComputerNamevalid
SentinelOne.Agent.Domainvalid
SentinelOne.Agent.CreatedAtvalid
SentinelOne.Agent.SiteNamevalid

Command Example#

!sentinelone-get-agent agent_id=657613730168123595

Context Example#

{
"SentinelOne": {
"Agent": {
"AgentVersion": "3.1.3.38",
"ComputerName": "EC2AMAZ-AJ0KANC",
"CreatedAt": "2019-06-27T08:01:05.571895Z",
"Domain": "WORKGROUP",
"EncryptedApplications": false,
"ExternalIP": "8.88.8.8",
"ID": "657613730168123595",
"IsActive": false,
"IsDecommissioned": true,
"LastActiveDate": "2020-02-20T00:26:33.955830Z",
"NetworkStatus": "connecting",
"OSName": "Windows Server 2016",
"RegisteredAt": "2019-06-27T08:01:05.567249Z",
"SiteName": "demisto",
"ThreatCount": 0
}
}
}

Human Readable Output#

Sentinel One - Get Agent Details#

Agent VersionComputer NameCreated AtDomainEncrypted ApplicationsExternal IPIDIs ActiveIs DecommissionedLast Active DateNetwork StatusOS NameRegistered AtSite NameThreat Count
3.1.3.38EC2AMAZ-AJ0KANC2019-06-27T08:01:05.571895ZWORKGROUPfalse8.88.8.8657613730168123595falsetrue2020-02-20T00:26:33.955830ZconnectingWindows Server 20162019-06-27T08:01:05.567249Zdemisto0

sentinelone-get-sites#


Returns all sites that match the specified criteria.

Base Command#

sentinelone-get-sites

Input#

Argument NameDescriptionRequired
updated_atTimestamp of the last update, for example: "2018-02-27T04:49:26.257525Z".Optional
queryFull-text search for fields: name, account_name.Optional
site_typeSite type. Possible values are: Trial, Paid, POC, DEV, NFR.Optional
featuresReturns sites that support the specified features. Possible values are: firewall-control, device-control, ioc.Optional
stateSite state. Possible values are: active, deleted, expired.Optional
suiteThe suite of product features active for this site. Possible values are: Core, Complete.Optional
admin_onlySites for which the user has admin privileges. Possible values are: true, false.Optional
account_idAccount ID, for example: "225494730938493804".Optional
site_nameSite name, for example: "My Site".Optional
created_atTimestamp of the site creation, for example: "2018-02-27T04:49:26.257525Z".Optional
limitMaximum number of results to return. Default is 50.Optional

Context Output#

PathTypeDescription
SentinelOne.Site.CreatorstringThe site creator name.
SentinelOne.Site.NamestringThe site name.
SentinelOne.Site.TypestringThe site type.
SentinelOne.Site.AccountNamestringThe site account name.
SentinelOne.Site.StatestringThe site state.
SentinelOne.Site.HealthStatusbooleanThe health status of the site.
SentinelOne.Site.SuitestringThe suite to which the site belongs.
SentinelOne.Site.ActiveLicensesnumberNumber of active licenses for the site.
SentinelOne.Site.IDstringID of the site.
SentinelOne.Site.TotalLicensesnumberNumber of total licenses for the site.
SentinelOne.Site.CreatedAtdateTimestamp when the site was created.
SentinelOne.Site.ExpirationstringTimestamp when the site will expire.
SentinelOne.Site.UnlimitedLicensesbooleanWhether the site has unlimited licenses.

V2.0 to V2.1 API Changes#

Params (input) API V2 (XOAR)API V2.1 (S1)
updatedAtvalid
queryvalid
siteTypevalid
featuresvalid
statevalid
suitevalid
adminOnlyvalid
accountIdvalid
namevalid
createdAtvalid
limitvalid
siteIdsvalid
Params (Outputs) API V2 (XOAR) API V2.1 (S1)
SentinelOne.Site.Creatorvalid
SentinelOne.Site.Namevalid
SentinelOne.Site.TypesiteType
SentinelOne.Site.AccountNamevalid
SentinelOne.Site.Statevalid
SentinelOne.Site.HealthStatusvalid
SentinelOne.Site.Suitevalid
SentinelOne.Site.ActiveLicensesvalid
SentinelOne.Site.IDvalid
SentinelOne.Site.TotalLicensesvalid
SentinelOne.Site.CreatedAtvalid
SentinelOne.Site.Expirationvalid
SentinelOne.Site.UnlimitedLicensesvalid

Command Example#

!sentinelone-get-sites

Context Example#

{
"SentinelOne": {
"Site": {
"AccountName": "SentinelOne",
"ActiveLicenses": 0,
"CreatedAt": "2018-10-19T00:58:41.644879Z",
"Creator": "XSOAR User",
"Expiration": null,
"HealthStatus": true,
"ID": "475482421366727779",
"Name": "demisto",
"State": "active",
"Suite": "Complete",
"TotalLicenses": 0,
"Type": "Paid",
"UnlimitedLicenses": true
}
}
}

Human Readable Output#

Sentinel One - Getting List of Sites#

Provides summary information and details for all sites that matched your search criteria. |Account Name|Active Licenses|Created At|Creator|Health Status|ID|Name|State|Suite|Total Licenses|Type|Unlimited Licenses| |---|---|---|---|---|---|---|---|---|---|---|---| | SentinelOne | 0 | 2018-10-19T00:58:41.644879Z | XSOAR User | true | 475482421366727779 | demisto | active | Complete | 0 | Paid | true |

sentinelone-get-site#


Returns information about the site, according to the site ID.

Base Command#

sentinelone-get-site

Input#

Argument NameDescriptionRequired
site_idID of the site.Required

Context Output#

PathTypeDescription
SentinelOne.Site.CreatorstringThe site creator name.
SentinelOne.Site.NamestringThe site name.
SentinelOne.Site.TypestringThe site type.
SentinelOne.Site.AccountNamestringThe site account name.
SentinelOne.Site.StatestringThe site state.
SentinelOne.Site.HealthStatusbooleanThe health status of the site.
SentinelOne.Site.SuitestringThe suite to which the site belongs.
SentinelOne.Site.ActiveLicensesnumberNumber of active licenses for the site.
SentinelOne.Site.IDstringID of the site.
SentinelOne.Site.TotalLicensesnumberNumber of total licenses for the site.
SentinelOne.Site.CreatedAtdateTimestamp when the site was created.
SentinelOne.Site.ExpirationstringTimestamp when the site will expire.
SentinelOne.Site.UnlimitedLicensesbooleanWhether the site has unlimited licenses.
SentinelOne.Site.AccountIDstringSite account ID.
SentinelOne.Site.IsDefaultbooleanWhether the site is the default site.

Command Example#

!sentinelone-get-site site_id=475482421366727779

Context Example#

{
"SentinelOne": {
"Site": {
"AccountID": "433241117337583618",
"AccountName": "SentinelOne",
"ActiveLicenses": 0,
"CreatedAt": "2018-10-19T00:58:41.644879Z",
"Creator": "XSOAR User",
"Expiration": null,
"HealthStatus": true,
"ID": "475482421366727779",
"IsDefault": false,
"Name": "demisto",
"State": "active",
"Suite": "Complete",
"TotalLicenses": 0,
"Type": "Paid",
"UnlimitedLicenses": true
}
}
}

Human Readable Output#

Sentinel One - Summary About Site: 475482421366727779#

Provides summary information and details for specific site ID |Account ID|Account Name|Active Licenses|Created At|Creator|Health Status|ID|Is Default|Name|State|Suite|Total Licenses|Type|Unlimited Licenses| |---|---|---|---|---|---|---|---|---|---|---|---|---|---| | 433241117337583618 | SentinelOne | 0 | 2018-10-19T00:58:41.644879Z | XSOAR User | true | 475482421366727779 | false | demisto | active | Complete | 0 | Paid | true |

sentinelone-reactivate-site#


Reactivates an expired site.

Base Command#

sentinelone-reactivate-site

Input#

Argument NameDescriptionRequired
site_idSite ID. For example: "225494730938493804".Required
unlimitedIf false, an expiration should be supplied.Optional
expirationExpiration date in case unlimited is false, for example, "2019-08-03T04:49:26.257525Z".Optional

Context Output#

PathTypeDescription
SentinelOne.Site.IDstringSite ID.
SentinelOne.Site.ReactivatedbooleanWhether the site was reactivated.

V2.0 to V2.1 API Changes#

Params (input) API V2 (XOAR)API V2.1 (S1)
site_idvalid
Params (Outputs) API V2 (XOAR) API V2.1 (S1)
SentinelOne.Site.IDNone (need to return from the input)
SentinelOne.Site.Reactivatedsuccess

sentinelone-get-activities#


Returns a list of activities.

Base Command#

sentinelone-get-activities

Input#

Argument NameDescriptionRequired
created_afterReturn activities created after this timestamp, for example: "2018-02-27T04:49:26.257525Z".Optional
user_emailsEmail address of the user who invoked the activity (if applicable).Optional
group_idsList of group IDs by which to filter, for example: "225494730938493804,225494730938493915".Optional
created_untilReturn activities created on or before this timestamp, for example: "2018-02-27T04:49:26.257525Z".Optional
include_hiddenInclude internal activities hidden from display. Possible values are: true, false.Optional
activities_idsA comma-separated list of activity IDs by which to filter, for example: "225494730938493804,225494730938493915".Optional
created_beforeReturn activities created before this timestamp, for example: "2018-02-27T04:49:26.257525Z".Optional
threats_idsA comma-separated list of threat IDs for which to return activities, for example: "225494730938493804,225494730938493915".Optional
activity_typesA comma-separated list of activity codes to return, for example: "52,53,71,72".Optional
user_idsA comma-separated list of user IDs for users that invoked the activity (if applicable), for example: "225494730938493804,225494730938493915".Optional
created_fromReturn activities created on or after this timestamp, for example: "2018-02-27T04:49:26.257525Z".Optional
created_betweenReturn activities created within this range (inclusive), for example: "1514978764288-1514978999999".Optional
agent_idsReturn activities related to specified agents. For example: "225494730938493804,225494730938493915".Optional
limitMaximum number of items to return (1-100).Optional
sort_byField to sort results by. Possible values are: activityType, createdAt, id.Optional
sort_orderOrder to sort by. Possible values are: asc, desc.Optional

Context Output#

PathTypeDescription
SentinelOne.Activity.AgentIDStringRelated agent (if applicable).
SentinelOne.Activity.AgentUpdatedVersionStringAgent's new version (if applicable).
SentinelOne.Activity.SiteIDStringRelated site (if applicable).
SentinelOne.Activity.UserIDStringThe user who invoked the activity (if applicable).
SentinelOne.Activity.SecondaryDescriptionStringSecondary description.
SentinelOne.Activity.OsFamilyStringAgent's operating system type (if applicable). Can be "linux", "macos", "windows", or "windows_legacy".
SentinelOne.Activity.ActivityTypeNumberActivity type.
SentinelOne.Activity.data.SiteIDStringThe site ID.
SentinelOne.Activity.data.SiteNameStringThe site name.
SentinelOne.Activity.data.usernameStringThe name of the site creator.
SentinelOne.Activity.HashStringThreat file hash (if applicable).
SentinelOne.Activity.UpdatedAtDateActivity last updated time (UTC).
SentinelOne.Activity.CommentsStringComments for the activity.
SentinelOne.Activity.ThreatIDStringRelated threat (if applicable).
SentinelOne.Activity.PrimaryDescriptionStringPrimary description for the activity.
SentinelOne.Activity.GroupIDStringRelated group (if applicable).
SentinelOne.Activity.IDStringActivity ID.
SentinelOne.Activity.CreatedAtDateActivity creation time (UTC).
SentinelOne.Activity.DescriptionStringExtra activity information.

V2.0 to V2.1 API Changes#

Params (input) API V2 (XOAR)API V2.1 (S1)
created_at__gtvalid
userEmailsvalid
groupIdsvalid
created_at__ltevalid
idsvalid
includeHiddenvalid
created_at__ltvalid
threatIdsvalid
activityTypesvalid
userIdsvalid
created_at__gtevalid
createdAt_betweenvalid
agentIdsvalid
limitvalid
Params (Outputs) API V2 (XOAR) API V2.1 (S1)
SentinelOne.Activity.AgentIDvalid
SentinelOne.Activity.AgentUpdatedagentUpdatedVersion
SentinelOne.Activity.SiteIDvalid
SentinelOne.Activity.UserIDvalid
SentinelOne.Activity.SecondaryDescriptionvalid
SentinelOne.Activity.OsFamilyvalid
SentinelOne.Activity.ActivityTypevalid
SentinelOne.Activity.data.SiteIDNone
SentinelOne.Activity.data.SiteNamevalid
SentinelOne.Activity.data.usernamevalid
SentinelOne.Activity.Hashvalid
SentinelOne.Activity.UpdatedAtvalid
SentinelOne.Activity.Commentsvalid
SentinelOne.Activity.ThreatIDvalid
SentinelOne.Activity.PrimaryDescriptionvalid
SentinelOne.Activity.GroupIDvalid
SentinelOne.Activity.IDvalid
SentinelOne.Activity.CreatedAtvalid
SentinelOne.Activity.Descriptionvalid

Command Example#

!sentinelone-get-activities

Context Example#

{
"SentinelOne": {
"Activity": [
{
"ActivityType": 61,
"AgentID": "657613730168123595",
"AgentUpdatedVersion": null,
"Comments": null,
"CreatedAt": "2020-01-12T20:16:44.594737Z",
"Data": {
"accountName": "SentinelOne",
"computerName": "EC2AMAZ-AJ0KANC",
"groupName": "Default Group",
"siteName": "demisto",
"username": "XSOAR User",
"uuid": "f431b0a1a8744d2a8a92fc88fa3c13bc"
},
"Description": null,
"GroupID": "475482421375116388",
"Hash": null,
"ID": "802214365638826164",
"OsFamily": null,
"PrimaryDescription": "The management user XSOAR User issued a disconnect from network command to the machine EC2AMAZ-AJ0KANC.",
"SecondaryDescription": null,
"SiteID": "475482421366727779",
"ThreatID": null,
"UpdatedAt": "2020-01-12T20:16:44.594743Z",
"UserID": "475482955872052394"
},
{
"ActivityType": 62,
"AgentID": "657613730168123595",
"AgentUpdatedVersion": null,
"Comments": null,
"CreatedAt": "2020-01-12T20:16:46.659017Z",
"Data": {
"accountName": "SentinelOne",
"computerName": "EC2AMAZ-AJ0KANC",
"groupName": "Default Group",
"siteName": "demisto",
"username": "XSOAR User",
"uuid": "f431b0a1a8744d2a8a92fc88fa3c13bc"
},
"Description": null,
"GroupID": "475482421375116388",
"Hash": null,
"ID": "802214382952913086",
"OsFamily": null,
"PrimaryDescription": "The management user XSOAR User issued a reconnect to network command to the machine EC2AMAZ-AJ0KANC.",
"SecondaryDescription": null,
"SiteID": "475482421366727779",
"ThreatID": null,
"UpdatedAt": "2020-01-12T20:16:46.659023Z",
"UserID": "475482955872052394"
},
{
"ActivityType": 1002,
"AgentID": "657613730168123595",
"AgentUpdatedVersion": null,
"Comments": null,
"CreatedAt": "2020-01-12T20:17:32.040670Z",
"Data": {
"computerName": "EC2AMAZ-AJ0KANC"
},
"Description": null,
"GroupID": "475482421375116388",
"Hash": null,
"ID": "802214763636332743",
"OsFamily": null,
"PrimaryDescription": "Agent EC2AMAZ-AJ0KANC was connected to network.",
"SecondaryDescription": null,
"SiteID": "475482421366727779",
"ThreatID": null,
"UpdatedAt": "2020-01-12T20:17:32.038143Z",
"UserID": null
},
{
"ActivityType": 1001,
"AgentID": "657613730168123595",
"AgentUpdatedVersion": null,
"Comments": null,
"CreatedAt": "2020-01-12T20:17:42.815619Z",
"Data": {
"computerName": "EC2AMAZ-AJ0KANC"
},
"Description": null,
"GroupID": "475482421375116388",
"Hash": null,
"ID": "802214854023583946",
"OsFamily": null,
"PrimaryDescription": "Agent EC2AMAZ-AJ0KANC was disconnected from network.",
"SecondaryDescription": null,
"SiteID": "475482421366727779",
"ThreatID": null,
"UpdatedAt": "2020-01-12T20:17:42.812834Z",
"UserID": null
}
]
}
}

Human Readable Output#

Sentinel One Activities#

IDPrimary DescriptionDataUser IDCreated AtUpdated At
802214365638826164The management user XSOAR User issued a disconnect from network command to the machine EC2AMAZ-AJ0KANC.accountName: SentinelOne
computerName: EC2AMAZ-AJ0KANC
groupName: Default Group
siteName: demisto
username: XSOAR User
uuid: f431b0a1a8744d2a8a92fc88fa3c13bc
4754829558720523942020-01-12T20:16:44.594737Z2020-01-12T20:16:44.594743Z
802214382952913086The management user XSOAR User issued a reconnect to network command to the machine EC2AMAZ-AJ0KANC.accountName: SentinelOne
computerName: EC2AMAZ-AJ0KANC
groupName: Default Group
siteName: demisto
username: XSOAR User
uuid: f431b0a1a8744d2a8a92fc88fa3c13bc
4754829558720523942020-01-12T20:16:46.659017Z2020-01-12T20:16:46.659023Z
802214763636332743Agent EC2AMAZ-AJ0KANC was connected to network.computerName: EC2AMAZ-AJ0KANC2020-01-12T20:17:32.040670Z2020-01-12T20:17:32.038143Z
802214854023583946Agent EC2AMAZ-AJ0KANC was disconnected from network.computerName: EC2AMAZ-AJ0KANC2020-01-12T20:17:42.815619Z2020-01-12T20:17:42.812834Z

sentinelone-get-groups#


Returns data for the specified group.

Base Command#

sentinelone-get-groups

Input#

Argument NameDescriptionRequired
group_typeGroup type, for example: "static".Optional
group_idsA comma-separated list of group IDs by which to filter, for example: "225494730938493804,225494730938493915".Optional
group_idGroup ID by which to filter, for example: "225494730938493804".Optional
is_defaultWhether this is the default group. Possible values are: true, false.Optional
nameThe name of the group.Optional
queryFree-text search.Optional
rankThe priority of a dynamic group over others, for example, "1", which is the highest priority.Optional
limitMaximum number of items to return (1-200).Optional

Context Output#

PathTypeDescription
SentinelOne.Group.siteIdStringThe ID of the site of which this group is a member.
SentinelOne.Group.filterNameStringIf the group is dynamic, the name of the filter which is used to associate agents.
SentinelOne.Group.creatorIdStringThe ID of the user who created the group.
SentinelOne.Group.nameStringThe name of the group.
SentinelOne.Group.creatorStringThe user who created the group.
SentinelOne.Group.rankNumberThe rank, which sets the priority of a dynamic group over others.
SentinelOne.Group.updatedAtDateTimestamp of the last update.
SentinelOne.Group.totalAgentsNumberNumber of agents in the group.
SentinelOne.Group.filterIdStringIf the group is dynamic, the group ID of the filter that is used to associate agents.
SentinelOne.Group.isDefaultBooleanWhether the groups is the default group of the site.
SentinelOne.Group.inheritsBooleanWhether the policy is inherited from a site. "False" if the group has its own edited policy.
SentinelOne.Group.typeStringGroup type. Can be static or dynamic
SentinelOne.Group.idStringThe ID of the group.
SentinelOne.Group.createdAtDateTimestamp of group creation.

V2.0 to V2.1 API Changes#

Params (input) API V2 (XOAR)API V2.1 (S1)
typevalid
groupIdsvalid
idvalid
isDefaultvalid
namevalid
queryvalid
rankvalid
limitvalid
Params (Outputs) API V2 (XOAR) API V2.1 (S1)
SentinelOne.Group.siteIdvalid
SentinelOne.Group.filterNamevalid
SentinelOne.Group.creatorIdvalid
SentinelOne.Group.namevalid
SentinelOne.Group.creatorvalid
SentinelOne.Group.rankvalid
SentinelOne.Group.updatedAtvalid
SentinelOne.Group.totalAgentsvalid
SentinelOne.Group.filterIdvalid
SentinelOne.Group.isDefaultvalid
SentinelOne.Group.inheritsvalid
SentinelOne.Group.typevalid
SentinelOne.Group.idvalid
SentinelOne.Group.createdAtvalid

Command Example#

!sentinelone-get-groups

Context Example#

{
"SentinelOne": {
"Group": {
"createdAt": "2018-10-19T00:58:41.646045Z",
"creator": "XSOAR User",
"creatorId": "433273625970238486",
"filterId": null,
"filterName": null,
"id": "475482421375116388",
"inherits": true,
"isDefault": true,
"name": "Default Group",
"rank": null,
"registrationToken": "eyJiOiAiZ184NjJiYWQzNTIwN2ZmNTJmIn0=",
"siteId": "475482421366727779",
"totalAgents": 0,
"type": "static",
"updatedAt": "2021-01-02T13:34:58.753880Z"
}
}
}

Human Readable Output#

Sentinel One Groups#

IdNameTypeCreatorCreator IdCreated At
475482421375116388Default GroupstaticXSOAR User4332736259702384862018-10-19T00:58:41.646045Z

sentinelone-move-agent#


Moves agents to a new group.

Base Command#

sentinelone-move-agent

Input#

Argument NameDescriptionRequired
group_idThe ID of the group to move the agent to.Required
agents_idsAgents IDs.Optional

Context Output#

PathTypeDescription
SentinelOne.Agent.AgentsMovedNumberThe number of agents that were moved to another group.

V2.0 to V2.1 API Changes#

Params (input) API V2 (XOAR)API V2.1 (S1)
group_idvalid
agentIdsvalid
Params (Outputs) API V2 (XOAR) API V2.1 (S1)
SentinelOne.Agent.AgentsMovedvalid

Command Example#

Human Readable Output#

sentinelone-delete-group#


Deletes a group, by the group ID.

Base Command#

sentinelone-delete-group

Input#

Argument NameDescriptionRequired
group_idThe ID of the group to delete.Required

Context Output#

PathTypeDescription
SentinelOne.DeleteGroup.SuccessStringthe status of the command.

V2.0 to V2.1 API Changes#

Params (input) API V2 (XOAR)API V2.1 (S1)
group_idvalid
Params (Outputs) API V2 (XOAR) API V2.1 (S1)
SentinelOne.DeleteGroup.Successvalid

Command Example#

Human Readable Output#

sentinelone-agent-processes#


DEPRECATED - Retrieves running processes for a specific agent.

Base Command#

sentinelone-agent-processes

Input#

Argument NameDescriptionRequired
agents_idsThe ID of the agent from which to retrieve the processes.Required

Context Output#

PathTypeDescription
SentinelOne.Agent.memoryUsageNumberMemory usage (MB).
SentinelOne.Agent.startTimeDateThe process start time.
SentinelOne.Agent.pidNumberThe process ID.
SentinelOne.Agent.processNameStringThe name of the process.
SentinelOne.Agent.cpuUsageNumberCPU usage (%).
SentinelOne.Agent.executablePathStringExecutable path.

V2.0 to V2.1 API Changes#

Params (input) API V2 (XOAR)API V2.1 (S1)
idsvalid
Params (Outputs) API V2 (XOAR) API V2.1 (S1)
SentinelOne.Agent.memoryUsagevalid
SentinelOne.Agent.startTimevalid
SentinelOne.Agent.pidvalid
SentinelOne.Agent.processNamevalid
SentinelOne.Agent.cpuUsagevalid
SentinelOne.Agent.executablePathvalid

sentinelone-connect-agent#


Connects agents to the network.

Base Command#

sentinelone-connect-agent

Input#

Argument NameDescriptionRequired
agent_idA comma-separated list of agent IDs to connect to the network. Run the list-agents command to get a list of agent IDs.Required

Context Output#

PathTypeDescription
SentinelOne.Agent.AgentsAffectedNumberThe number of affected agents.
SentinelOne.Agent.IDStringThe IDs of the affected agents.

V2.0 to V2.1 API Changes#

Params (input) API V2 (XOAR)API V2.1 (S1)
idsvalid
Params (Outputs) API V2 (XOAR) API V2.1 (S1)
SentinelOne.Agent.AgentsAffectedaffected
SentinelOne.Agent.IDNone (need to return from the input)

Command Example#

!sentinelone-connect-agent agent_id=657613730168123595

Context Example#

{
"SentinelOne": {
"Agent": {
"ID": "657613730168123595",
"NetworkStatus": "connecting"
}
}
}

Human Readable Output#

1 agent(s) successfully connected to the network.

sentinelone-disconnect-agent#


Disconnects agents from the network.

Base Command#

sentinelone-disconnect-agent

Input#

Argument NameDescriptionRequired
agent_idA comma-separated list of agent IDs to disconnect from the network. Run the list-agents command to get a list of agent IDs.Required

Context Output#

PathTypeDescription
SentinelOne.Agent.NetworkStatusStringAgent network status.
SentinelOne.Agent.IDStringThe IDs of the affected agents.

V2.0 to V2.1 API Changes#

Params (input) API V2 (XOAR)API V2.1 (S1)
idsvalid
Params (Outputs) API V2 (XOAR) API V2.1 (S1)
SentinelOne.Agent.NetworkStatusNone
SentinelOne.Agent.IDNone (need to return from the input)

Command Example#

!sentinelone-disconnect-agent agent_id=657613730168123595

Context Example#

{
"SentinelOne": {
"Agent": {
"ID": "657613730168123595",
"NetworkStatus": "disconnecting"
}
}
}

Human Readable Output#

1 agent(s) successfully disconnected from the network.

sentinelone-broadcast-message#


Broadcasts a message to all agents that match the input filters.

Base Command#

sentinelone-broadcast-message

Input#

Argument NameDescriptionRequired
messageThe message to broadcast to agents.Required
active_agentWhether to only include active agents. Default is "false". Possible values are: true, false.Optional
group_idA comma-separated list of group IDs by which to filter the results.Optional
agent_idA comma-separated list of agent IDs by which to filter the results.Optional
domainA comma-separated of included network domains.Optional

Context Output#

PathTypeDescription
SentinelOne.BroadcastMessage.AffectedStringNumber of affected endpoints.

V2.0 to V2.1 API Changes#

Params (input) API V2 (XOAR)API V2.1 (S1)
isActivevalid
groupIdsvalid
idsvalid
domainsvalid
Params (Outputs) API V2 (XOAR) API V2.1 (S1)
SentinelOne.BroadcastMessage.Affectedvalid

Command Example#

!sentinelone-broadcast-message message="Hey There, just checking" agent_id=657613730168123595

Human Readable Output#

The message was successfully delivered to the agent(s)

sentinelone-get-events#


Returns all Deep Visibility events that match the query.

Base Command#

sentinelone-get-events

Input#

Argument NameDescriptionRequired
limitMaximum number of items to return (1-100). Default is 50.Optional
query_idQueryId obtained when creating a query in the sentinelone-create-query command. Example: "q1xx2xx3".Required
cursorCursor pointer to get next page of results from query.Optional

Context Output#

PathTypeDescription
SentinelOne.Event.ProcessUIDStringProcess unique identifier.
SentinelOne.Event.SHA256StringSHA256 hash of the file.
SentinelOne.Event.AgentOSStringOperating system type. Can be "windows", "linux", "macos", or "windows_legac".
SentinelOne.Event.ProcessIDNumberThe process ID.
SentinelOne.Event.UserStringUser assigned to the event.
SentinelOne.Event.TimeDateProcess start time.
SentinelOne.Event.EndpointStringThe agent name.
SentinelOne.Event.SiteNameStringSite name.
SentinelOne.Event.EventTypeStringEvent type. Can be "events", "file", "ip", "url", "dns", "process", "registry", "scheduled_task", or "logins".
SentinelOne.Event.ProcessNameStringThe name of the process.
SentinelOne.Event.MD5StringMD5 hash of the file.
SentinelOne.Event.SourceIPStringThe source ip.
SentinelOne.Event.SourcePortStringThe source port.
SentinelOne.Event.DestinationIPStringThe destination IP.
SentinelOne.Event.DestinationPortStringThe destination port.
SentinelOne.Event.SourceProcessUserStringThe source process user.
SentinelOne.Event.SourceProcessCommandLineStringThe source process command line.
SentinelOne.Event.DNSRequestStringThe DNS Request.
SentinelOne.Event.FileFullNameStringThe file full name.
SentinelOne.Event.EventTimeStringThe event time.
Event.IDStringEvent process ID.
Event.NameStringEvent name.
Event.TypeStringEvent type.
SentinelOne.Cursor.EventStringcursor to recieve next page

V2.0 to V2.1 API Changes#

Params (input) API V2 (XOAR)API V2.1 (S1)
query_idvalid
limitvalid
Params (Outputs) API V2 (XOAR) API V2.1 (S1)
SentinelOne.Event.ProcessUIDsrcProcUid
SentinelOne.Event.SHA256valid
SentinelOne.Event.AgentOSvalid
SentinelOne.Event.ProcessIDpid
SentinelOne.Event.Uservalid
SentinelOne.Event.TimeprocessStartTime
SentinelOne.Event.EndpointagentName
SentinelOne.Event.SiteNamevalid
SentinelOne.Event.EventTypevalid
SentinelOne.Event.ProcessNamevalid
SentinelOne.Event.MD5valid
Event.IDid
Event.NameNone
Event.TypeeventType

Command Example#

!sentinelone-get-events query_id=q034ae362a30eba5a187cbe601d19abaa

Human Readable Output#

No events were found.

sentinelone-create-query#


Runs a Deep Visibility query and returns the queryId. You can use the queryId for all other commands, such as the sentinelone-get-events command.

Base Command#

sentinelone-create-query

Input#

Argument NameDescriptionRequired
queryThe query string for which to return events.Required
from_dateQuery start date, for example, "2019-08-03T04:49:26.257525Z". Limited to 93 days ago.Required
to_dateQuery end date, for example, "2019-08-03T04:49:26.257525Z".Required

Context Output#

PathTypeDescription
SentinelOne.Query.FromDateDateQuery start date.
SentinelOne.Query.QueryStringThe search query string.
SentinelOne.Query.QueryIDStringThe query ID.
SentinelOne.Query.ToDateDateQuery end date.

Command Example#

!sentinelone-create-query query="AgentName Is Not Empty" from_date="2020-10-13T15:24:09.257Z" to_date="2021-01-10T04:49:26.257525Z"

Context Example#

{
"SentinelOne": {
"Query": {
"FromDate": "2020-10-13T15:24:09.257Z",
"Query": "AgentName Is Not Empty",
"QueryID": "q15a9c0b5a5f2081188e70c42897ef5f9",
"ToDate": "2021-01-10T04:49:26.257525Z"
}
}
}

Human Readable Output#

The query ID is q15a9c0b5a5f2081188e70c42897ef5f9

sentinelone-get-processes#


Returns a list of Deep Visibility events from query by event type - process.

Base Command#

sentinelone-get-processes

Input#

Argument NameDescriptionRequired
query_idThe queryId that is returned when creating a query under Create Query. Example: "q1xx2xx3". Get the query_id from the "get-query-id" command.Required
limitMaximum number of items to return (1-100). Default is 50.Optional

Context Output#

PathTypeDescription
SentinelOne.Event.ParentProcessIDNumberParent process ID.
SentinelOne.Event.ProcessUIDStringThe process unique identifier.
SentinelOne.Event.SHA1StringSHA1 hash of the process image.
SentinelOne.Event.SubsystemTypeStringProcess sub-system.
SentinelOne.Event.ParentProcessStartTimeDateThe parent process start time.
SentinelOne.Event.ProcessIDNumberThe process ID.
SentinelOne.Event.ParentProcessUIDStringParent process unique identifier.
SentinelOne.Event.UserStringUser assigned to the event.
SentinelOne.Event.TimeDateStart time of the process.
SentinelOne.Event.ParentProcessNameStringParent process name.
SentinelOne.Event.SiteNameStringSite name.
SentinelOne.Event.EventTypeStringThe event type.
SentinelOne.Event.EndpointStringThe agent name (endpoint).
SentinelOne.Event.IntegrityLevelStringProcess integrity level.
SentinelOne.Event.CMDStringProcess CMD.
SentinelOne.Event.ProcessNameStringProcess name.
SentinelOne.Event.ProcessDisplayNameStringProcess display name.

V2.0 to V2.1 API Changes#

Params (input) API V2 (XOAR)API V2.1 (S1)
query_idvalid
limitvalid
event_typeEvent_type (need to be added if using GET/web/api/v2.1/dv/events/{event_type} )
Params (Outputs) API V2 (XOAR) API V2.1 (S1)
SentinelOne.Event.ParentProcessIDparentPid
SentinelOne.Event.ProcessUIDNone
SentinelOne.Event.SHA1valid
SentinelOne.Event.SubsystemTypeprocessSubSystem
SentinelOne.Event.ParentProcessStartTimvalid
SentinelOne.Event.ProcessIDPid
SentinelOne.Event.ParentProcessUIDNone
SentinelOne.Event.Uservalid
SentinelOne.Event.TimeprocessStartTime
SentinelOne.Event.ParentProcessNamevalid
SentinelOne.Event.SiteNamevalid
SentinelOne.Event.EventTypevalid
SentinelOne.Event.EndpointagentName
SentinelOne.Event.IntegrityLevelprocessIntegrityLevel
SentinelOne.Event.CMDprocessCmd
SentinelOne.Event.ProcessNamevalid
SentinelOne.Event.ProcessDisplayNamevalid

Command Example#

!sentinelone-get-processes query_id=q034ae362a30eba5a187cbe601d19abaa

sentinelone-shutdown-agent#


Sends a shutdown command to all agents that match the input filter.

Base Command#

sentinelone-shutdown-agent

Input#

Argument NameDescriptionRequired
queryA free-text search term that will match applicable attributes (sub-string match). Note: A device's physical addresses will only be matched if they start with the search term (not if they contain the search term).Optional
agent_idA comma-separated list of agents IDs to shutdown.Optional
group_idThe ID of the network group.Optional

Context Output#

PathTypeDescription
SentinelOne.Agent.IDStringThe ID of the agent that was shutdown.

V2.0 to V2.1 API Changes#

Params (input) API V2 (XOAR)API V2.1 (S1)
queryvalid
idsvalid
groupIdsvalid
Params (Outputs) API V2 (XOAR) API V2.1 (S1)
SentinelOne.Agent.IDNone

sentinelone-uninstall-agent#


Sends an uninstall command to all agents that match the input filter.

Base Command#

sentinelone-uninstall-agent

Input#

Argument NameDescriptionRequired
queryA free-text search term that will match applicable attributes (sub-string match). Note: A device's physical addresses will only be matched if they start with the search term (not if they contain the search term).Optional
agent_idA comma-separated list of agents IDs to shutdown.Optional
group_idThe ID of the network group.Optional

Context Output#

PathTypeDescription
SentinelOne.uninstall.AffectedStringNumber of agents that were uninstalled

V2.0 to V2.1 API Changes#

Params (input) API V2 (XOAR)API V2.1 (S1)
queryvalid
idsvalid
groupIdsvalid
Params (Outputs) API V2 (XOAR) API V2.1 (S1)
SentinelOne.uninstall.Affectedvalid

sentinelone-add-hash-to-blocklist#


Add a hash to the Global blocklist in SentinelOne.

Base Command#

sentinelone-add-hash-to-blocklist

Input#

Argument NameDescriptionRequired
sha1SHA1 hash to add to the Global blocklist.Optional
sourceString describing the source of the block. Default is XSOAR.Optional
os_typeType of operating system. Possible values are: windows, linux, macos.Required
descriptionNote stored in SentinelOne about the block. Default is Blocked from XSOAR.Optional

Context Output#

PathTypeDescription
SentinelOne.AddHashToBlocklist.hashunknownHash of the file
SentinelOne.AddHashToBlocklist.statusunknownStatus of the action to add a hash to the blocklist.

Command Example#

!sentinelone-add-hash-to-blocklist os_type=windows description="EICAR Test File" sha1=3395856ce81f2b7382dee72602f798b642f14140 source=XSOAR

sentinelone-remove-hash-from-blocklist#


Remove a hash from the Global blocklist in SentinelOne

Base Command#

sentinelone-remove-hash-from-blocklist

Input#

Argument NameDescriptionRequired
sha1SHA1 hash to remove from the Global blocklist.Optional
os_typeOptional operating system type. If not supplied, will remove across all platforms. Possible values are: windows, macos, linux.Optional

Context Output#

PathTypeDescription
SentinelOne.RemoveHashFromBlocklist.hashunknownHash of the file.
SentinelOne.RemoveHashFromBlocklist.statusunknownStatus of the action to remove a hash from the blocklist.

Command Example#

!sentinelone-remove-hash-from-blocklist os_type=windows sha1=3395856ce81f2b7382dee72602f798b642f14140

sentinelone-download-fetched-file#


Download a file fetched using the sentinelone-fetch-file command to submit the request and the sentinelone-get-activities command to get the download path.

Base Command#

sentinelone-download-fetched-file

Input#

Argument NameDescriptionRequired
agent_idSentinelOne agent ID. Default is Agent ID.Required
activity_idActivity ID in the get-activities command.Required
passwordPassword used in the sentinelone-fetch-file command.Required

Context Output#

There is no context output for this command.

Command Example#

!sentinelone-download-fetched-file activity_id=ACTIVITY_ID agent_id=AGENT_ID password=PossiblyInfected0987&*()

sentinelone-update-threats-verdict#


Updates the analyst verdict to a group of threats that match the specified input filter. Relevant for API version 2.1.

Base Command#

sentinelone-update-threats-verdict

Input#

Argument NameDescriptionRequired
verdictAnalyst verdict action. Possible values are: undefined, true_positive, false_positive, suspicious.Required
threat_idsA comma-separated list of threat IDs.Required

Context Output#

PathTypeDescription
SentinelOne.Threat.IDStringThe threat ID.
SentinelOne.Threat.UpdatedBooleanWhether the threat was successfully updated in the analyst verdict.
SentinelOne.Threat.Update.ActionStringName of the analyst verdict action performed on the threats.

Command Example#

!sentinelone-update-threats-verdict threat_ids="14417837215288624" action=false_positive

sentinelone-update-alerts-verdict#


Updates the analyst verdict to a group of alerts that match the specified input filter. Relevant for API version 2.1.

Base Command#

sentinelone-update-alerts-verdict

Input#

Argument NameDescriptionRequired
verdictAnalyst verdict action. Possible values are: undefined, true_positive, false_positive, suspicious.Required
alert_idsA comma-separated list of alert IDs.Required

Context Output#

PathTypeDescription
SentinelOne.Alert.IDStringThe alert ID.
SentinelOne.Alert.UpdatedBooleanWhether the alert was successfully updated in the analyst verdict.
SentinelOne.Alert.Update.ActionStringName of the analyst verdict action performed on the alerts.

Command Example#

!sentinelone-update-alerts-verdict threat_ids="14417837215288624" action=false_positive

sentinelone-create-star-rule#


Creates a custom STAR rule. Relevant for API version 2.1.

Base Command#

sentinelone-create-star-rule

Input#

Argument NameDescriptionRequired
nameThe name of the STAR rule.Required
rule_severityThe rule severity. Possible values are: Low, Medium, High, Critical.Required
expiration_modeType of expiration mode. Possible values are: Permanent, Temporary.Required
query_typeType of the query. For now it's "events". Possible values are: events, processes.Required
queryThe query string for which to return events.Required
descriptionThe description of the STAR rule.Optional
expiration_dateIf expiration mode is "Temporary" then it should be supplied, for example, "2019-08-03T04:49:26.257525Z" .Optional
site_idsA comma-separated list of site IDs.Optional
group_idsA comma-separated list of Group IDs.Optional
account_idsA comma-separated list of Account IDs.Optional
network_quarantineWhether to enable the network quarantine of the STAR rule. Possible values are: true, false.Required
treatAsThreatThe treatAsThreat type. Possible values are: Malicious, Suspicious, UNDEFINED.Required

Context Output#

PathTypeDescription
SentinelOne.StarRule.IDStringThe STAR rule ID.
SentinelOne.StarRule.NameStringThe STAR rule name.
SentinelOne.StarRule.StatusStringThe status of the STAR rule.
SentinelOne.StarRule.SeverityStringThe severity of the STAR rule.
SentinelOne.StarRule.DescriptionStringThe description of the STAR rule.
SentinelOne.StarRule.NetworkQuarantineBooleanThe network quarantine of the STAR rule.
SentinelOne.StarRule.TreatAsThreatStringThe Treat As Threat of the STAR rule.
SentinelOne.StarRule.ExpirationModeStringThe expiration mode of the STAR rule.
SentinelOne.StarRule.ExpirationDateStringThe expiration date of the STAR rule.
SentinelOne.StarRule.ScopeHierarchyStringThe scope hierarchy of the STAR rule.
SentinelOne.StarRule.CreatedAtStringThe created time for the STAR rule.
SentinelOne.StarRule.UpdatedAtStringThe updated time for the STAR rule.

Command Example#

!sentinelone-create-star-rule name="test" rule_severity=Low expiration_mode=Temporary expiration_date=2022-06-23T09:29:29.206941Z query_type=events query="Dstip EXISTS" network_quarantine=false treatAsThreat=Malicious

sentinelone-get-star-rules#


Get a list of custom detection rules for a given scope. Relevant for API version 2.1.

Base Command#

sentinelone-get-star-rules

Input#

Argument NameDescriptionRequired
statusA comma-separated list of the status of the STAR rule. Available options are: "Activating, Active, Deleted, Deleting, Disabled, Disabling and Draft".Example: "Draft,Active".Optional
creator_containsFree-text filter by rule creator (supports multiple values). Example: "Service Pack 1".Optional
queryTypeReturn rules with the filtered type. Example: "events". Possible values are: events, processes.Optional
queryFree-text filter by S1 query (supports multiple values). Example: "Service Pack 1".Optional
description_containsFree-text filter by rule description (supports multiple values). Example: "Service Pack 1".Optional
ruleIdsA comma-separated list of Rules IDs. Example: "225494730938493804,225494730938493915".Optional
name_containsFree-text filter by rule name (supports multiple values). Example: "Service Pack 1".Optional
accountIdsA comma-separated list of Account IDs to filter by. Example: "225494730938493804,225494730938493915".Optional
expirationModeReturn rules with the filtered expiration mode. Example: "Permanent". Possible values are: Temporary, Permanent.Optional
limitLimit number of returned items (1-1000). Example: "10".Optional
siteIdsA comma-separated list of site IDs to filter by. Example: "225494730938493804,225494730938493915".Optional

Context Output#

PathTypeDescription
SentinelOne.StarRule.IDNumberThe STAR rule ID.
SentinelOne.StarRule.CreatorstringThe STAR rule creator.
SentinelOne.StarRule.NamestringThe STAR rule name.
SentinelOne.StarRule.StatusstringThe STAR rule status.
SentinelOne.StarRule.SeveritystringThe STAR rule severity.
SentinelOne.StarRule.GeneratedAlertsNumberThe number of STAR rule generated alerts.
SentinelOne.StarRule.DescriptionstringThe STAR rule description.
SentinelOne.StarRule.StatusReasonstringThe STAR rule status reason.
SentinelOne.StarRule.ExpirationModestringThe STAR rule expiration mode.
SentinelOne.StarRule.ExpirationDateDateThe STAR rule expiration date.
SentinelOne.StarRule.ExpiredBooleanWhether the STAR rule expired.

Command Example#

!sentinelone-get-star-rules

sentinelone-update-star-rule#


Updates a custom STAR rule. Relevant for API version 2.1.

Base Command#

sentinelone-update-star-rule

Input#

Argument NameDescriptionRequired
rule_idRule ID Example: "225494730938493804".Required
nameThe name of the STAR rule.Required
rule_severityThe rule severity. Possible values are: Low, Medium, High, Critical.Required
expiration_modeType of expiration mode. Possible values are: Permanent, Temporary.Required
query_typeType of the query. For now it's "events". Possible values are: events, processes.Required
queryThe query string for which to return events.Required
descriptionThe description of the STAR rule.Optional
expiration_dateIf expiration mode is "Temporary" then it should be supplied, for example, "2019-08-03T04:49:26.257525Z".Optional
site_idsA comma-separated list of site IDs.Optional
group_idsA comma-separated list of group IDs.Optional
account_idsA comma-separated list of account IDs.Optional
network_quarantineWhether to enable the network quarantine of the STAR rule. Possible values are: true, false.Required
treatAsThreatThe treatAsThreat. Possible values are: Malicious, Suspicious, UNDEFINED.Required

Context Output#

PathTypeDescription
SentinelOne.StarRule.IDStringThe STAR rule ID.
SentinelOne.StarRule.NameStringThe STAR rule name.
SentinelOne.StarRule.StatusStringThe status of the STAR rule.
SentinelOne.StarRule.SeverityStringThe severity of the STAR rule.
SentinelOne.StarRule.DescriptionStringThe description of the STAR rule.
SentinelOne.StarRule.NetworkQuarantineBooleanThe network quarantine of the STAR rule.
SentinelOne.StarRule.TreatAsThreatStringThe Treat As Threat of the STAR rule.
SentinelOne.StarRule.ExpirationModeStringThe expiration mode of the STAR rule.
SentinelOne.StarRule.ExpirationDateStringThe expiration date of the STAR rule.
SentinelOne.StarRule.ScopeHierarchyStringThe scope hierarchy of the STAR rule.
SentinelOne.StarRule.CreatedAtStringThe created time for the STAR rule.
SentinelOne.StarRule.UpdatedAtStringThe updated time for the STAR rule.

Command Example#

!sentinelone-update-star-rule rule_id=225494730938493804 name="test" rule_severity=Low expiration_mode=Temporary expiration_date=2022-06-23T09:29:29.206941Z query_type=events query="Dstip EXISTS" network_quarantine=false treatAsThreat=Malicious

sentinelone-enable-star-rules#


Activate Custom Detection rules that match the specified input filter. Relevant for API version 2.1.

Base Command#

sentinelone-enable-star-rules

Input#

Argument NameDescriptionRequired
rule_idsA comma-separated list of STAR rule IDs.Required

Context Output#

PathTypeDescription
SentinelOne.StarRule.IDStringThe Rule ID.
SentinelOne.StarRule.EnabledBooleanWhether the star rule was successfully eabled or not.

Command Example#

!sentinelone-enable-star-rules rule_ids=225494730938493804

sentinelone-disable-star-rules#


Disable Custom Detection rules that match the specified input filter. Relevant for API version 2.1.

Base Command#

sentinelone-disable-star-rules

Input#

Argument NameDescriptionRequired
rule_idsA comma-separated list of STAR rule IDs.Required

Context Output#

PathTypeDescription
SentinelOne.StarRule.IDStringThe Rule ID.
SentinelOne.StarRule.DisabledBooleanWhether the star rule was successfully disabled or not.

Command Example#

!sentinelone-disable-star-rules rule_ids=225494730938493804

sentinelone-delete-star-rule#


Deletes Custom Detection Rules that match the specified input filter. Relevant for API version 2.1.

Base Command#

sentinelone-delete-star-rule

Input#

Argument NameDescriptionRequired
rule_idsA comma-separated list of STAR rule IDs.Required

Context Output#

PathTypeDescription
SentinelOne.StarRule.IDStringThe Rule ID.
SentinelOne.StarRule.DeletedBooleanWhether the STAR rule was successfully deleted.

sentinelone-get-blocklist#


Add a hash to the blocklist ("blacklist" in SentinelOne documentation). If the global flag is true, then group_ids, site_ids, and account_ids are ignored.

Base Command#

sentinelone-get-blocklist

Input#

Argument NameDescriptionRequired
globalWhether the global list is accessible. (Same as tenant flag in API docs.). Possible values are: true, false. Default is true.Optional
group_idsComma-separated list of group IDs to filter by.Optional
site_idsComma-separated list of site IDs to filter by.Optional
account_idsComma-separated list of account IDs to filter by.Optional
offsetThe number of records to skip (for paging). Default is 0.Optional
limitThe maximum number of records to return. Default is 1000.Optional
hashHash to search for in the blocklist.Optional

Context Output#

PathTypeDescription
SentinelOne.Blocklist.UserIdStringUser ID.
SentinelOne.Blocklist.UpdatedAtStringWhen entry was most recently updated.
SentinelOne.Blocklist.ValueStringFile hash.
SentinelOne.Blocklist.ScopePathStringSentinelOne list scope.
SentinelOne.Blocklist.TypeStringBlock list type.
SentinelOne.Blocklist.SourceStringSource of entry.
SentinelOne.Blocklist.IDStringEntry ID.
SentinelOne.Blocklist.CreatedAtStringDate entry was created.
SentinelOne.Blocklist.DescriptionStringDescription of the blocklist.
SentinelOne.Blocklist.OSTypeStringOperating system type block is enforced on.
SentinelOne.Blocklist.ScopeNameStringName of the blocklist scope.

Command Example#

!sentinelone-get-blocklist account_ids=ACCOUNT_ID global=true offset=0 limit=1

sentinelone-add-hash-to-blocklist#


Add a hash to the global blocklist in SentinelOne.

Base Command#

sentinelone-add-hash-to-blocklist

Input#

Argument NameDescriptionRequired
sha1SHA1 hash to add to the global blocklist.Optional
sourceString describing the source of the block. Default is XSOAR.Optional
os_typeType of operating system. Possible values are: windows, linux, macos.Required
descriptionNote stored in SentinelOne about the block. Default is Blocked from XSOAR.Optional

Context Output#

PathTypeDescription
SentinelOne.AddHashToBlocklist.hashunknownHash of the file.
SentinelOne.AddHashToBlocklist.statusunknownStatus of the action to add a hash to the blocklist.

Command Example#

!sentinelone-add-hash-to-blocklist os_type=windows description="EICAR Test File" sha1=3395856ce81f2b7382dee72602f798b642f14140 source=XSOAR

sentinelone-remove-hash-from-blocklist#


Remove a hash from the global blocklist in SentinelOne

Base Command#

sentinelone-remove-hash-from-blocklist

Input#

Argument NameDescriptionRequired
sha1SHA1 hash to remove from the global blocklist.Optional
os_typeOptional operating system type. If not supplied, will remove the SHA1 hash across all platforms. Possible values are: windows, macos, linux.Optional

Context Output#

PathTypeDescription
SentinelOne.RemoveHashFromBlocklist.hashunknownHash of the file.
SentinelOne.RemoveHashFromBlocklist.statusunknownStatus of the action to remove a hash from the blocklist.

sentinelone-fetch-file#


Invokes a fetch files command against an agent endpoint.

Base Command#

sentinelone-fetch-file

Input#

Argument NameDescriptionRequired
agent_idAgent ID to retrieve the file from.Required
file_pathFile path to download the file from.Required
passwordPassword to protect the zip file with.Required

Context Output#

There is no context output for this command.

Command Example#

!sentinelone-fetch-file agent_id=AGENT_ID file_path="C:\Test\Path\To\File.txt" password=PossiblyInfected0987&*()

sentinelone-download-fetched-file#


Download a file fetched using th sentinelone-fetch-file command to submit the request and the sentinelone-get-activities command to get the download path.

Base Command#

sentinelone-download-fetched-file

Input#

Argument NameDescriptionRequired
agent_idSentinelOne agent ID. Default is Agent ID.Required
activity_idActivity ID in the get-activities command.Required
passwordPassword used in the sentinelone-fetch-file command.Required

Context Output#

There is no context output for this command.

Command Example#

!sentinelone-download-fetched-file activity_id=ACTIVITY_ID agent_id=AGENT_ID password=PossiblyInfected0987&*()

sentinelone-write-threat-note#


Add a threat note to one or more threats. Relevant for API version 2.1.

Base Command#

sentinelone-write-threat-note

Input#

Argument NameDescriptionRequired
threat_idsA comma-separated list of threat IDs.Required
noteThreat Note Text.Required

Context Output#

PathTypeDescription
SentinelOne.Threat.IDStringThe threat ID.
SentinelOne.Threat.NoteStringThe threat note.
SentinelOne.Threat.StatusStringWhether the note was added successfully.

Command Example#

!sentinelone-write-threat-note threat_ids=14417837215288624 note="a sample test"

sentinelone-create-ioc#


Add an IoC to the Threat Intelligence database. Relevant for API version 2.1.

Base Command#

sentinelone-create-ioc

Input#

Argument NameDescriptionRequired
nameThreat Intelligence indicator name.Required
sourceThe source of the identified Threat Intelligence indicator.Required
typeThe type of the Threat Intelligence indicator. Possible values are: DNS, IPV4, IPV6, MD5, SHA1, SHA256, URL.Required
methodThe comparison method used by SentinelOne to trigger the event. Possible values are: EQUALS.Required
validUntilExpiration date for the Threat Intelligence indicator.Required
valueThe value of the Threat Intelligence indicator.Required
account_idsList of account IDs to filter by.Required
externalIdThe unique identifier of the indicator as provided by the Threat Intelligence source.Optional
descriptionDescription of the Threat Intelligence indicator.Optional

Context Output#

PathTypeDescription
SentinelOne.IOC.UUIDStringThe IOC UUID.
SentinelOne.IOC.NameStringThreat Intelligence indicator name.
SentinelOne.IOC.SourceStringThe source of the identified Threat Intelligence indicator.
SentinelOne.IOC.TypeStringThe type of the Threat Intelligence indicator.
SentinelOne.IOC.BatchIdStringThe IOC batch ID.
SentinelOne.IOC.CreatorStringThe IOC creator.
SentinelOne.IOC.ScopeStringThe IOC scope.
SentinelOne.IOC.ScopeIdStringThe IOC scope ID.
SentinelOne.IOC.ValidUntilStringExpiration date for the Threat Intelligence indicator.
SentinelOne.IOC.DescriptionStringDescription of the Threat Intelligence indicator.
SentinelOne.IOC.ExternalIdStringThe unique identifier of the indicator as provided by the Threat Intelligence source.

Command Example#

!sentinelone-create-ioc name="test" source="proof_test" type="IPV4" method="EQUALS" validUntil="2022-06-25T07:52:09.428858Z" value="10.0.2.15" account_ids="106802936546889425464"

sentinelone-delete-ioc#


Delete an IOC from the Threat Intelligence database that matches a filter. Relevant for API version 2.1.

Base Command#

sentinelone-delete-ioc

Input#

Argument NameDescriptionRequired
account_idsList of account IDs to filter by.Required
uuidsUUID of Threat Intelligence indicator.Required

Context Output#

PathTypeDescription
SentinelOne.IOC.UUIDStringThe IOC UUID.
SentinelOne.IOC.DeletedBooleanWhether the Threat Intelligence indicator was deleted.

Command Example#

!sentinelone-delete-ioc account_ids=106802961889425793 uuids=ef367d66175288e75fa6b29c53d46d4

sentinelone-get-iocs#


Get the IOCs of a specified account that match the filter. Relevant for API version 2.1.

Base Command#

sentinelone-get-iocs

Input#

Argument NameDescriptionRequired
account_idsList of account IDs to filter by.Required
limitLimit number of returned items (1-1000). Default is 1000.Optional
upload_time_gteThe time (greater than or equal to) at which the Threat Intelligence indicator was uploaded to the SentinelOne database. Example: "2022-07-13T20:33:29.007906Z".Optional
upload_time_lteThe time (less than or equal to) at which the Threat Intelligence indicator was uploaded to the SentinelOne database. Example: "2022-07-13T20:33:29.007906Z".Optional
cursorCursor position returned by the last request. Should be used for iterating over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".Optional
uuidsA list of unique IDs of the parent process of the indicator of compromise. Example: "2cffae871197f20d864fe8363eee6651".Optional
typeThe type of the Threat Intelligence indicator. Possible values are: DNS, IPV4, IPV6, MD5, SHA1, SHA256, URL.Optional
batch_idUnique ID of the uploaded indicators batch. Example: "atmtn000000028a881bcf939dc6d92ab55443".Optional
sourceList of the sources of the identified Threat Intelligence indicator. Example: "AlienVault".Optional
valueThe value of the Threat Intelligence indicator. Example: "175.0.x.x".Optional
external_idThe unique identifier of the indicator as provided by the Threat Intelligence source. Example: "e277603e-1060-5ad4-9937-c26c97f1ca68".Optional
name_containsA comma-separated list of free-text filtered by the indicator name. Example: "foo.dll".Optional
creator_containsA comma-separated list of free-text filtered by the user who uploaded the Threat Intelligence indicator. Example: "admin@sentinelone.com".Optional
description_containsA comma-separated list of free-text filtered by the description of the indicator. Example: "Malicious-activity".Optional
category_inThe categories of the Threat Intelligence indicator. Example: The malware type associated with the IOC.Optional
updated_at_gteThe time (greater or equal to) at which the indicator was last updated in the SentinelOne database. Example: "2021-07-13T20:33:29.007906Z".Optional
updated_at_lteThe time (less than or equal to) at which the indicator was last updated in the SentinelOne database. Example: "2021-07-13T20:33:29.007906Z".Optional
creation_time_gteCreation time (greater than or equal to) as set by the user. Example: "2021-07-13T20:33:29.007906Z".Optional
creation_time_lteCreation time (less than or equal to) as set by the user. Example: "2021-07-13T20:33:29.007906Z".Optional

Context Output#

PathTypeDescription
SentinelOne.IOC.UUIDStringThe IOC UUID.
SentinelOne.IOC.CreatorStringThreat Intelligence indicator creator.
SentinelOne.IOC.NameStringThreat Intelligence indicator name.
SentinelOne.IOC.ValueStringThreat Intelligence indicator value.
SentinelOne.IOC.DescriptionStringThreat Intelligence indicator description.
SentinelOne.IOC.TypeStringThreat Intelligence indicator type.
SentinelOne.IOC.ExternalIdStringThreat Intelligence indicator external ID.
SentinelOne.IOC.SourceStringThreat Intelligence indicator source.
SentinelOne.IOC.UploadTimeStringThreat Intelligence indicator upload time.
SentinelOne.IOC.ValidUntilStringThreat Intelligence indicator expiration time.

Command Example#

!sentinelone-get-iocs account_ids="1068029618885547693" upload_time_gte="2022-04-25T07:52:09.428858Z" upload_time_lte="2022-06-30T07:52:09.428858Z"

sentinelone-create-power-query#


Start a Deep Visibility Power query to get back status and potential results (ping afterwards using the queryId if query has not finished). Relevant for API version 2.1

Base Command#

sentinelone-create-power-query

Input#

Argument NameDescriptionRequired
queryEvents matching the query search term will be returned.Required
from_dateEvents created after this timestamp.Required
to_dateEvents created before or at this timestamp.Required
limitLimit number of returned items (1-100000).Optional

Context Output#

The context outputs are based on the power query

Command Example#

!sentinelone-create-power-query query="event.time = * | columns eventTime = event.time, agentUuid = agent.uuid" from_date="2022-06-05T04:49:26.257525Z" to_date="2022-06-07T04:49:26.257525Z"

sentinelone-ping-power-query#


Ping a Deep Visibility Power query using the queryId argument if results have not returned from an initial Power query or a previous ping. Relevant for API version 2.1.

Base Command#

sentinelone-ping-power-query

Input#

Argument NameDescriptionRequired
queryIdQueryId.Required

Context Output#

The context outputs are based on the power query

Command Example#

!sentinelone-ping-power-query queryId="pqe18ccaaa69fedc65889eb155dbe039"

sentinelone-update-threats-status#


Updates the incident status to a group of threats that match the specified input filter. Relevant for API version 2.1.

Base Command#

sentinelone-update-threats-status

Input#

Argument NameDescriptionRequired
statusIncident status. Possible values are: in_progress, resolved, unresolved.Required
threat_idsA comma-separated list of threat IDs.Required

Command Example#

!sentinelone-update-threats-status status=in_progress threat_ids=67683743445454363

Context Output#

PathTypeDescription
SentinelOne.Threat.IDStringThe threat ID.
SentinelOne.Threat.UpdatedBooleanWhether the threat was successfully updated.
SentinelOne.Threat.StatusStringName of the status performed on the threats.

sentinelone-update-alerts-status#


Updates the incident status to a group of alerts that match the specified input filter. Relevant for API version 2.1.

Base Command#

sentinelone-update-alerts-status

Input#

Argument NameDescriptionRequired
statusIncident status. Possible values are: in_progress, resolved, unresolved.Required
alert_idsA comma-separated list of alert IDs.Required

Context Output#

PathTypeDescription
SentinelOne.Alert.IDStringThe alert ID.
SentinelOne.Alert.UpdatedBooleanWhether the alert was successfully updated.
SentinelOne.Alert.StatusStringThe status performed on the alerts.

Command Example#

!sentinelone-update-alerts-status status=in_progress alert_ids=36386764344636343

sentinelone-expire-site#


Expire the site of the given ID

Base Command#

sentinelone-expire-site

Input#

Argument NameDescriptionRequired
site_idA valid site ID.Required

Context Output#

PathTypeDescription
SentinelOne.Site.IDStringThe site ID.
SentinelOne.Site.NameStringThe site name.
SentinelOne.Site.StateStringThe site state.
SentinelOne.Site.SKUStringThe SKU of product features active for this site.
SentinelOne.Site.SiteTypeStringThe site type.
SentinelOne.Site.SuiteStringThe site suite.
SentinelOne.Site.TotalLicensesStringThe total licenses.
SentinelOne.Site.AccountIDStringThe account ID.
SentinelOne.Site.CreatorStringFull name of the creating user.
SentinelOne.Site.CreatorIDStringID of the creating user.
SentinelOne.Site.DescriptionStringDescription of the site.
SentinelOne.Site.ExpirationStringExpiration date of the site.

sentinelone-fetch-threat-file#


Fetch a file associated with the threat that matches the filter.

Base Command#

sentinelone-fetch-threat-file

Input#

Argument NameDescriptionRequired
threat_idPlease provide the Valid Threat ID. Example: 14629133470822878.Required
passwordFile encryption password. (At least 10 characters, three out of this list "uppercase", "lowercase", "digits" and "symbols" are mandatory. Maximum length is 256 characters.).Required

Context Output#

PathTypeDescription
SentinelOne.Threat.IDStringThe threat ID.
SentinelOne.Threat.DownloadableBooleanWhether the file is downloadable.
SentinelOne.Threat.ZippedFileStringDetails of the zipped folder.

Command Example#

!sentinelone-fetch-threat-file threat_ids=106802961889425793 password=Mypassword1!

sentinelone-get-alerts#


Get the list of alerts that matches the filter provided. Relevant for API version 2.1.

Base Command#

sentinelone-get-alerts

Input#

Argument NameDescriptionRequired
created_fromGreater than or equal to the time created. Example: "2018-02-27T04:49:26.257525Z".Required
created_untilLess than or equal to the time created. Example: "2018-02-27T04:49:26.257525Z".Required
ruleNameFree-text filter by rule name. Example: "rule1".Optional
incidentStatusIncident status. Example: "IN_PROGRESS".Optional
analystVerdictAnalyst verdict. Example: "TRUE_POSITIVE".Optional
alert_idsA comma-separated list of alert IDs.Optional
limitLimit number of returned items (1-1000). Default is 1000.Optional
site_idsA comma-separated list of site IDs to filter by. Example: "225494730938493804,225494730938493915".Optional
cursorCursor position returned by the last request. Should be used for iterating over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".Optional

Context Output#

PathTypeDescription
SentinelOne.Alert.EventTypeStringEvent type.
SentinelOne.Alert.RuleNameStringThe rule name.
SentinelOne.Alert.SrcProcUserStringSource process user.
SentinelOne.Alert.SrcProcNameStringSource process name.
SentinelOne.Alert.SrcProcPathStringSource process file path.
SentinelOne.Alert.SrcProcCommandlineStringThe command line
SentinelOne.Alert.SrcProcSHA1StringSource process SHA1 file hash.
SentinelOne.Alert.SrcProcStartTimeStringPID start time.
SentinelOne.Alert.SrcProcStorylineIdStringSource process story line ID.
SentinelOne.Alert.SrcParentProcNameStringSource parent process name.
SentinelOne.Alert.SrcParentProcPathStringSource parent process file path.
SentinelOne.Alert.SrcParentProcCommandlineStringSource parent process command line.
SentinelOne.Alert.SrcParentProcStartTimeStringPID start time.
SentinelOne.Alert.SrcParentProcUserStringSource parent process user.
SentinelOne.Alert.SrcParentProcSHA1StringSource parent process SHA1 file hash.
SentinelOne.Alert.SrcProcSignerIdentityStringSource process file signer identity.
SentinelOne.Alert.SrcParentProcSignerIdentityStringSource parent process file signer identity.
SentinelOne.Alert.AlertCreatedAtStringThe the alert was created.
SentinelOne.Alert.AlertIdStringAlert ID.
SentinelOne.Alert.AnalystVerdictStringAnalyst verdict.
SentinelOne.Alert.IncidentStatusStringIncident status
SentinelOne.Alert.EndpointNameStringEndpoint name
SentinelOne.Alert.AgentIdStringAgent ID.
SentinelOne.Alert.AgentUUIDStringAgent UUID.
SentinelOne.Alert.dvEventIdStringDeep Visibility event ID.
SentinelOne.Alert.AgentOSStringAgent operating system.
SentinelOne.Alert.AgentVersionStringAgent version.
SentinelOne.Alert.SiteIdStringSite ID.
SentinelOne.Alert.RuleIdStringRule ID.

Command Example#

!sentinelone-get-alerts created_from=2012-02-27T04:49:26.257525Z created_until=2012-05-27T04:49:26.257525Z

sentinelone-get-installed-applications#


Get the installed applications for a specific agent.

Base Command#

sentinelone-get-installed-applications

Input#

Argument NameDescriptionRequired
agent_idsA comma-separated list of agent IDs. Example: 14629133470822878,14627455454652878.Required

Context Output#

PathTypeDescription
SentinelOne.Application.NameStringThe application name.
SentinelOne.Application.PublisherStringThe publisher.
SentinelOne.Application.SizeStringThe size of the application in bytes.
SentinelOne.Application.VersionStringThe version of the application.
SentinelOne.Application.InstalledOnStringThe date the application was installed.

Command Example#

!sentinelone-get-installed-applications agent_ids="1463801667584541849,1463801667584545236"

sentinelone-initiate-endpoint-scan#


Initiate the endpoint virus scan on provided agent IDs.

Base Command#

sentinelone-initiate-endpoint-scan

Input#

Argument NameDescriptionRequired
agent_idsA comma-separated list of Agent IDs. Example: 14629133470822878,14627455454652878.Required

Context Output#

PathTypeDescription
SentinelOne.Agent.AgentIDStringThe Agent ID.
SentinelOne.Agent.InitiatedBooleanWhether the scan was initiated.

Command Example#

!sentinelone-initiate-endpoint-scan agent_ids="1463801667584541849,1463801667584545236"

sentinelone-remove-item-from-whitelist#


Remove an item from the SentinelOne exclusion list

Base Command#

sentinelone-remove-item-from-whitelist

Input#

Argument NameDescriptionRequired
itemValue of the item to be removed from the exclusion list.Required
os_typeOS type. Can be "windows", "windows_legacy", "macos", or "linux". Possible values are: windows, windows_legacy, macos, linux.Optional
exclusion_typeExclusion item type. The options are: file_type, path, white_hash, certificate, or browser.Optional

Context Output#

PathTypeDescription
SentinelOne.RemoveItemFromWhitelist.itemStringItem removed fom whitelist.
SentinelOne.RemoveItemFromWhitelist.statusStringStatus on if items were removed from whitelist or not found on whitelist.

Command Example#

!sentinelone-remove-item-from-whitelist item="31cb594e8f688521a24dd6f95b95508de42d870d" exclusion_type="white_hash" os_type="windows"