SentinelOne v2
SentinelOne Pack.#
This Integration is part of theUse the SentinelOne integration to send requests to your management server and get responses with data pulled from agents or from the management database. This integration was integrated and tested with versions 2.0 and 2.1 of SentinelOne V2
#
Configure SentinelOne V2 on Cortex XSOARNavigate to Settings > Integrations > Servers & Services.
Search for SentinelOne v2.
Click Add instance to create and configure a new integration instance.
Parameter Description Required Server URL (e.g., https://usea1.sentinelone.net) True API Token False API Version True Fetch incidents False Incident type False First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year) False Minimum risk score for importing incidents (0-10), where 0 is low risk and 10 is high risk. Relevant for API version 2.0. False Fetch limit: The maximum number of incidents to fetch False Site IDs Comma-separated list of site IDs to fetch incidents for. Leave blank to fetch all sites. False Block Site IDs Comma-separated list of site IDs for where hashes should be blocked. If left blank all hashes will be blocked globally. If filled out with site ids all hashes will be no longer be blocked globally, they will now be blocked in the scope of those sites. False Trust any certificate (not secure) False Use system proxy settings False API Token (Deprecated) Use the "API Token (Recommended)" parameter instead. False Incidents Fetch Interval False Click Test to validate the URLs, token, and connection.
#
CommandsYou can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
sentinelone-list-agentsReturns all agents that match the specified criteria.
#
Base Commandsentinelone-list-agents
#
InputArgument Name | Description | Required |
---|---|---|
computer_name | The computer name by which to filter the results. | Optional |
scan_status | A comma-separated list of scan statuses by which to filter the results, for example: "started,aborted". Possible values are: started, none, finished, aborted. | Optional |
os_type | Included operating system types, for example: "windows". Possible values are: windows, windows_legacy, macos, linux. | Optional |
created_at | Endpoint creation timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
min_active_threats | Minimum number of threats per agent. | Optional |
limit | The maximum number of agents to return. Default is 10. | Optional |
params | Query params field=value pairs delimited by comma (e.g., activeThreats=3,gatewayIp=1.2.3.4). Query params are OR'd. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Agents.NetworkStatus | string | The agent network status. |
SentinelOne.Agents.ID | string | The agent ID. |
SentinelOne.Agents.AgentVersion | string | The agent software version. |
SentinelOne.Agents.IsDecommissioned | boolean | Whether the agent is decommissioned. |
SentinelOne.Agents.IsActive | boolean | Whether the agent is active. |
SentinelOne.Agents.LastActiveDate | date | When was the agent last active. |
SentinelOne.Agents.RegisteredAt | date | The registration date of the agent. |
SentinelOne.Agents.ExternalIP | string | The agent IP address. |
SentinelOne.Agents.ThreatCount | number | Number of active threats. |
SentinelOne.Agents.EncryptedApplications | boolean | Whether disk encryption is enabled. |
SentinelOne.Agents.OSName | string | Name of operating system. |
SentinelOne.Agents.ComputerName | string | Name of agent computer. |
SentinelOne.Agents.Domain | string | Domain name of the agent. |
SentinelOne.Agents.CreatedAt | date | Creation time of the agent. |
SentinelOne.Agents.SiteName | string | Site name associated with the agent. |
#
V2.0 to V2.1 API ChangesParams (input) API V2 (XOAR) | API V2.1 (S1) |
---|---|
activeThreats__gt | valid |
computerName | valid |
scanStatus | valid |
osType | osTypes |
createdAt__gte | valid |
Params (Outputs) API V2 (XOAR) | API V2.1 (S1) |
---|---|
SentinelOne.Agents.NetworkStatus | valid |
SentinelOne.Agents.ID | valid |
SentinelOne.Agents.AgentVersion | valid |
SentinelOne.Agents.isDecommissioned | valid |
SentinelOne.Agents.IsActive | valid |
SentinelOne.Agents.LastActiveDate | valid |
SentinelOne.Agents.RegisteredAt | valid |
SentinelOne.Agents.ExternalIP | valid |
SentinelOne.Agents.ThreatCount | activeThreat |
SentinelOne.Agents.EncryptedApplications | valid |
SentinelOne.Agents.OSName | valid |
SentinelOne.Agents.ComputerName | valid |
SentinelOne.Agents.Domain | valid |
SentinelOne.Agents.CreatedAt | valid |
SentinelOne.Agents.SiteName | valid |
#
Command Example!sentinelone-list-agents
#
Context Example#
Human Readable Output#
Sentinel One - List of AgentsProvides summary information and details for all the agents that matched your search criteria |Agent Version|Computer Name|Created At|Domain|Encrypted Applications|External IP|ID|Is Active|Is Decommissioned|Last Active Date|Network Status|OS Name|Registered At|Site Name|Threat Count| |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| | 3.1.3.38 | EC2AMAZ-AJ0KANC | 2019-06-27T08:01:05.571895Z | WORKGROUP | false | 8.88.8.8 | 657613730168123595 | false | true | 2020-02-20T00:26:33.955830Z | connecting | Windows Server 2016 | 2019-06-27T08:01:05.567249Z | demisto | 0 |
#
sentinelone-create-white-list-itemCreates an exclusion item that matches the specified input filter.
#
Base Commandsentinelone-create-white-list-item
#
InputArgument Name | Description | Required |
---|---|---|
exclusion_type | Exclusion item type. Possible values are: file_type, path, white_hash, certificate, browser. | Required |
exclusion_value | Value of the exclusion item for the exclusion list. | Required |
os_type | Operating system type. Required for hash exclusions. Possible values are: windows, windows_legacy, macos, linux. | Required |
description | Description for adding the exclusion item. | Optional |
exclusion_mode | Exclusion mode (path exclusion only). Possible values are: suppress, disable_in_process_monitor_deep, disable_in_process_monitor, disable_all_monitors, disable_all_monitors_deep. | Optional |
path_exclusion_type | Excluded path for a path exclusion list. | Optional |
group_ids | A comma-separated list of group IDs by which to filter. | Optional |
site_ids | A comma-separated list of site IDs by which to filter. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Exclusions.ID | string | The entity ID on the allow list. |
SentinelOne.Exclusions.Type | string | The item type on the allow list. |
SentinelOne.Exclusions.CreatedAt | date | Time when the allow list item was created. |
#
V2.0 to V2.1 API ChangesParams (input) API V2 (XOAR) | API V2.1 (S1) |
---|---|
type | valid |
value | valid |
osType | valid |
description | valid |
mode | valid |
groupIds | valid |
siteIds | valid |
Params (Outputs) API V2 (XOAR) | API V2.1 (S1) |
---|---|
SentinelOne.Exclusions.ID | valid |
SentinelOne.Exclusions.Type | valid |
SentinelOne.Exclusions.CreatedAt | valid |
#
sentinelone-get-white-listLists all exclusion items that match the specified input filter.
#
Base Commandsentinelone-get-white-list
#
InputArgument Name | Description | Required |
---|---|---|
item_ids | List of IDs by which to filter, for example: "225494730938493804,225494730938493915". | Optional |
os_types | A comma-separated list of operating system types by which to filter, for example: "windows, linux". Possible values are: windows, windows_legacy, macos, linux. | Optional |
exclusion_type | Exclusion type. Possible values are: file_type, path, white_hash, certificate, browser. | Optional |
limit | The maximum number of items to return. Default is 10. | Optional |
include_parent | Whether to include parent information of each item. Default value is false. Default is false. | Optional |
include_children | Whether to include children information of each item. Default value is false. Default is false. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Exclusions.ID | string | The exclusion item ID. |
SentinelOne.Exclusions.Type | string | The exclusion item type. |
SentinelOne.Exclusions.CreatedAt | date | Timestamp when the exclusion item was added. |
SentinelOne.Exclusions.Value | string | Value of the exclusion item. |
SentinelOne.Exclusions.Source | string | Source of the exclusion item. |
SentinelOne.Exclusions.UserID | string | User ID of the user qho added the exclusion item. |
SentinelOne.Exclusions.UpdatedAt | date | Timestamp when the exclusion item was updated. |
SentinelOne.Exclusions.OsType | string | Operating system type of the exclusion item. |
SentinelOne.Exclusions.UserName | string | User name of the user who added the exclusion item. |
SentinelOne.Exclusions.Mode | string | A comma-separated list of modes by which to filter (path exclusions only), for example: "suppress". |
#
V2.0 to V2.1 API ChangesParams (input) API V2 (XOAR) | API V2.1 (S1) |
---|---|
ids | valid |
osTypes | valid |
type | valid |
limit | valid |
Params (Outputs) API V2 (XOAR) | API V2.1 (S1) |
---|---|
SentinelOne.Exclusions.ID | valid |
SentinelOne.Exclusions.Type | valid |
SentinelOne.Exclusions.CreatedAt | valid |
SentinelOne.Exclusions.Value | valid |
SentinelOne.Exclusions.Source | valid |
SentinelOne.Exclusions.UserID | valid |
SentinelOne.Exclusions.UpdatedAt | valid |
SentinelOne.Exclusions.OsType | valid |
SentinelOne.Exclusions.UserName | valid |
SentinelOne.Exclusions.Mode | valid |
#
Command Example!sentinelone-get-white-list os_types=windows exclusion_type=path
#
Context Example#
Human Readable Output#
Sentinel One - Listing exclusion itemsProvides summary information and details for all the exclusion items that matched your search criteria. |CreatedAt|ID|Mode|OsType|Source|Type|UpdatedAt|UserID|UserName|Value| |---|---|---|---|---|---|---|---|---|---| | 2020-10-25T14:09:58.928251Z | 1010040403583584993 | suppress | windows | user | path | 2020-10-25T14:09:58.921789Z | 475482955872052394 | XSOAR User | */test/ |
#
sentinelone-get-hashGets the file reputation by a SHA1 hash.
#
Base Commandsentinelone-get-hash
#
InputArgument Name | Description | Required |
---|---|---|
hash | The content hash. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Hash.Rank | Number | The hash reputation (1-10). |
SentinelOne.Hash.Hash | String | The content hash. |
#
V2.0 to V2.1 API ChangesParams (input) API V2 (XOAR) | API V2.1 (S1) |
---|---|
{hash} | valid |
Params (Outputs) API V2 (XOAR) | API V2.1 (S1) |
---|---|
SentinelOne.Hash.Rank | valid |
SentinelOne.Hash.Hash | None (need to return from the input) |
SentinelOne.Hash.Classification | None |
SentinelOne.Hash.Classification Source | None |
#
Command Example!sentinelone-get-hash hash=3395856ce81f2b7382dee72602f798b642f14140
#
Context Example#
Human Readable Output#
Sentinel One - Hash ReputationProvides hash reputation (rank from 0 to 10): |Hash|Rank| |---|---| | 3395856ce81f2b7382dee72602f798b642f14140 | 7 |
#
sentinelone-get-threatsReturns threats according to the specified filters.
#
Base Commandsentinelone-get-threats
#
InputArgument Name | Description | Required |
---|---|---|
content_hash | A comma-separated list of content hashes of the threat. | Optional |
mitigation_status | A comma-separated list of mitigation statuses. Possible values are: mitigated, active, blocked, suspicious, pending, suspicious_resolved. | Optional |
created_before | Searches for threats created before this timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
created_after | Searches for threats created after this timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
created_until | Searches for threats created on or before this timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
created_from | Search for threats created on or after this timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
resolved | Whether to only return resolved threats. Possible values are: false, true. Default is false. | Optional |
display_name | Threat display name. For API version 2.0 it can be a partial display name, doesn't have to be an exact match. | Optional |
limit | The maximum number of threats to return. Default is 20. | Optional |
query | Full free-text search for fields. Can be "content_hash", "file_display_name", "file_path", "computer_name", or "uuid". | Optional |
threat_ids | A comma-separated list of threat IDs, for example: "225494730938493804,225494730938493915". | Optional |
classifications | A comma-separated list of threat classifications to search, for example: "Malware", "Network", "Benign". Possible values are: Engine, Static, Cloud, Behavioral. | Optional |
rank | Risk level threshold to retrieve (1-10). Relevant for API version 2.0 only. | Optional |
site_ids | A comma-separated list of site IDs to search for threats, for example: "225494730938493804,225494730938493915". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Threat.ID | String | The threat ID. |
SentinelOne.Threat.AgentComputerName | String | The agent computer name. |
SentinelOne.Threat.CreatedDate | Date | The threat creation date. |
SentinelOne.Threat.SiteID | String | The site ID. |
SentinelOne.Threat.Classification | string | The threat classification. |
SentinelOne.Threat.ClassificationSource | string | Source of the threat classification. |
SentinelOne.Threat.ConfidenceLevel | string | SentinelOne threat confidence level. |
SentinelOne.Threat.FileSha256 | string | SHA256 hash of the file content. |
SentinelOne.Threat.MitigationStatus | String | The agent mitigation status. |
SentinelOne.Threat.AgentID | String | The threat agent ID. |
SentinelOne.Threat.Rank | Number | The number representing the cloud reputation (1-10). |
SentinelOne.Threat.MarkedAsBenign | Boolean | Whether the threat is marked as benign. Relevant for version 2.0 only. |
#
V2.0 to V2.1 API ChangesParams (input) API V2 (XOAR) | API V2.1 (S1) |
---|---|
contentHash | contentHashes |
mitigationStatuses | valid |
createdAt__lt | valid |
createdAt__gt | valid |
createdAt__lte | valid |
createdAt__gte | valid |
resolved | valid |
displayName__like | displayName |
query | valid |
ids | valid |
limit | valid |
classifications | valid |
Params (Outputs) API V2 (XOAR) | API V2.1 (S1) |
---|---|
SentinelOne.Threat.ID | valid |
SentinelOne.Threat.AgentComputer | agentComputerName |
SentinelOne.Threat.CreatedDate | createdAt |
SentinelOne.Threat.SiteID | valid |
SentinelOne.Threat.Classification | valid |
SentinelOne.Threat.MitigationStatus | valid |
SentinelOne.Threat.AgentID | valid |
SentinelOne.Threat.Rank | None |
SentinelOne.Threat.MarkedAsBenig | None |
#
Command Example!sentinelone-get-threats resolved=true
#
Context Example#
Human Readable Output#
Sentinel One - Getting Threat ListProvides summary information and details for all the threats that matched your search criteria. |ID|Agent Computer Name|Created Date|Site ID|Site Name|Classification|Mitigation Status|Confidence Level|Agent ID|File Content Hash| |---|---|---|---|---|---|---|---|---|---| | 715718962991148224 | EC2AMAZ-AJ0KANC | 2019-09-15T12:05:49.095889Z | 475482421366727779 | demisto | Malware | mitigated | malicious | 657613730168123595 | 3395856ce81f2b7382dee72602f798b642f14140 | | 715723437013282014 | EC2AMAZ-AJ0KANC | 2019-09-15T12:14:42.440985Z | 475482421366727779 | demisto | Malware | mitigated | malicious | 657613730168123595 | d8757a0396d05a1d532422827a70a7966c361366 |
#
sentinelone-threat-summaryReturns a dashboard threat summary. Can only be used with API V2.1.
#
Base Commandsentinelone-threat-summary
#
InputArgument Name | Description | Required |
---|---|---|
group_ids | A comma-separated list of group IDs by which to filter, for example: "225494730938493804,225494730938493915". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Threat.NotResolved | Number | Number of unresolved threats in the system. |
SentinelOne.Threat.SuspiciousNotMitigatedNotResolved | Number | Number of unmitigated suspicious threats in the system. |
SentinelOne.Threat.SuspiciousNotResolved | Number | Number of unresolved suspicious threats in the system. |
SentinelOne.Threat.Resolved | Number | Number of resolved threats in the system. |
SentinelOne.Threat.InProgress | Number | Number of active threats in the system. |
SentinelOne.Threat.Total | Number | Total number of threats in the system. |
SentinelOne.Threat.NotMitigated | Number | Number of unmitigated threats in the system. |
SentinelOne.Threat.MaliciousNotResolved | Number | Number of unresolved malicious threats in the system. |
SentinelOne.Threat.NotMitigatedNotResolved | Number | Number of unmitigated and unresolved threats in the system. |
#
Command Example!sentinelone-threat-summary group_ids="475482421375116388,764073410272419896"
#
Context Example#
Human Readable Output#
Sentinel One - Dashboard Threat Summary
In Progress Malicious Not Resolved Not Mitigated Not Mitigated Not Resolved Not Resolved Resolved Suspicious Not Mitigated Not Resolved Suspicious Not Resolved Total 0 0 0 0 0 14 0 0 14
#
sentinelone-mark-as-threatMarks suspicious threats as threats. Can only be used with API V2.0.
#
Base Commandsentinelone-mark-as-threat
#
InputArgument Name | Description | Required |
---|---|---|
threat_ids | A comma-separated list of threat IDs. | Optional |
target_scope | Scope to use for exclusions. Possible values are: site, tenant. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Threat.ID | String | The threat ID. |
SentinelOne.Threat.MarkedAsThreat | Boolean | Whether the suspicious threat was successfully marked as a threat. |
#
sentinelone-mitigate-threatApplies a mitigation action to a group of threats that match the specified input filter.
#
Base Commandsentinelone-mitigate-threat
#
InputArgument Name | Description | Required |
---|---|---|
action | Mitigation action. Possible values are: kill, quarantine, un-quarantine, remediate, rollback-remediation. | Required |
threat_ids | A comma-separated list of threat IDs. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Threat.ID | String | The threat ID. |
SentinelOne.Threat.Mitigated | Boolean | Whether the threat was successfully mitigated. |
SentinelOne.Threat.Mitigation.Action | Number | Number of threats affected. |
#
V2.0 to V2.1 API ChangesParams (input) API V2 (XOAR) | API V2.1 (S1) |
---|---|
filter | valid |
ids | valid |
action | valid |
Params (Outputs) API V2 (XOAR) | API V2.1 (S1) |
---|---|
SentinelOne.Threat.ID | None (need to return from the input) |
SentinelOne.Threat.Mitigated | None |
SentinelOne.Threat.Mitigation.Action | effected |
#
sentinelone-resolve-threatResolves threats using the threat ID. Can only be used with API V2.0.
#
Base Commandsentinelone-resolve-threat
#
InputArgument Name | Description | Required |
---|---|---|
threat_ids | A comma-separated list of threat IDs. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Threat.ID | String | The threat ID. |
SentinelOne.Threat.Resolved | Boolean | Whether the threat was successfully resolved. |
#
sentinelone-get-agentReturns the details of an agent according to the agent ID.
#
Base Commandsentinelone-get-agent
#
InputArgument Name | Description | Required |
---|---|---|
agent_id | A comma-separated list of agent IDs. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Agent.NetworkStatus | string | The agent network status. |
SentinelOne.Agent.ID | string | The agent ID. |
SentinelOne.Agent.AgentVersion | string | The agent software version. |
SentinelOne.Agent.IsDecommissioned | boolean | Whether the agent is decommissioned. |
SentinelOne.Agent.IsActive | boolean | Whether the agent is active. |
SentinelOne.Agent.LastActiveDate | date | When was the agent last active. |
SentinelOne.Agent.RegisteredAt | date | The registration date of the agent. |
SentinelOne.Agent.ExternalIP | string | The agent IP address. |
SentinelOne.Agent.ThreatCount | number | Number of active threats. |
SentinelOne.Agent.EncryptedApplications | boolean | Whether disk encryption is enabled. |
SentinelOne.Agent.OSName | string | Name of the operating system. |
SentinelOne.Agent.ComputerName | string | Name of the agent computer. |
SentinelOne.Agent.Domain | string | Domain name of the agent. |
SentinelOne.Agent.CreatedAt | date | Agent creation time. |
SentinelOne.Agent.SiteName | string | Site name associated with the agent. |
#
V2.0 to V2.1 API ChangesParams (input) API V2 (XOAR) | API V2.1 (S1) |
---|---|
ids | valid |
Params (Outputs) API V2 (XOAR) | API V2.1 (S1) |
---|---|
SentinelOne.Agent.NetworkStatus | valid |
SentinelOne.Agent.ID | valid |
SentinelOne.Agent.AgentVersion | valid |
SentinelOne.Agent.IsDecomissioned | isDecommissioned (misspelled) |
SentinelOne.Agent.IsActive | valid |
SentinelOne.Agent.LastActiveDate | valid |
SentinelOne.Agent.RegisteredAt | valid |
SentinelOne.Agent.ExternalIP | valid |
SentinelOne.Agent.ThreatCount | activeThreats |
SentinelOne.Agent.EncryptedApplica | valid |
SentinelOne.Agent.OSName | valid |
SentinelOne.Agent.ComputerName | valid |
SentinelOne.Agent.Domain | valid |
SentinelOne.Agent.CreatedAt | valid |
SentinelOne.Agent.SiteName | valid |
#
Command Example!sentinelone-get-agent agent_id=657613730168123595
#
Context Example#
Human Readable Output#
Sentinel One - Get Agent Details
Agent Version Computer Name Created At Domain Encrypted Applications External IP ID Is Active Is Decommissioned Last Active Date Network Status OS Name Registered At Site Name Threat Count 3.1.3.38 EC2AMAZ-AJ0KANC 2019-06-27T08:01:05.571895Z WORKGROUP false 8.88.8.8 657613730168123595 false true 2020-02-20T00:26:33.955830Z connecting Windows Server 2016 2019-06-27T08:01:05.567249Z demisto 0
#
sentinelone-get-sitesReturns all sites that match the specified criteria.
#
Base Commandsentinelone-get-sites
#
InputArgument Name | Description | Required |
---|---|---|
updated_at | Timestamp of the last update, for example: "2018-02-27T04:49:26.257525Z". | Optional |
query | Full-text search for fields: name, account_name. | Optional |
site_type | Site type. Possible values are: Trial, Paid, POC, DEV, NFR. | Optional |
features | Returns sites that support the specified features. Possible values are: firewall-control, device-control, ioc. | Optional |
state | Site state. Possible values are: active, deleted, expired. | Optional |
suite | The suite of product features active for this site. Possible values are: Core, Complete. | Optional |
admin_only | Sites for which the user has admin privileges. Possible values are: true, false. | Optional |
account_id | Account ID, for example: "225494730938493804". | Optional |
site_name | Site name, for example: "My Site". | Optional |
created_at | Timestamp of the site creation, for example: "2018-02-27T04:49:26.257525Z". | Optional |
limit | Maximum number of results to return. Default is 50. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Site.Creator | string | The site creator name. |
SentinelOne.Site.Name | string | The site name. |
SentinelOne.Site.Type | string | The site type. |
SentinelOne.Site.AccountName | string | The site account name. |
SentinelOne.Site.State | string | The site state. |
SentinelOne.Site.HealthStatus | boolean | The health status of the site. |
SentinelOne.Site.Suite | string | The suite to which the site belongs. |
SentinelOne.Site.ActiveLicenses | number | Number of active licenses for the site. |
SentinelOne.Site.ID | string | ID of the site. |
SentinelOne.Site.TotalLicenses | number | Number of total licenses for the site. |
SentinelOne.Site.CreatedAt | date | Timestamp when the site was created. |
SentinelOne.Site.Expiration | string | Timestamp when the site will expire. |
SentinelOne.Site.UnlimitedLicenses | boolean | Whether the site has unlimited licenses. |
#
V2.0 to V2.1 API ChangesParams (input) API V2 (XOAR) | API V2.1 (S1) |
---|---|
updatedAt | valid |
query | valid |
siteType | valid |
features | valid |
state | valid |
suite | valid |
adminOnly | valid |
accountId | valid |
name | valid |
createdAt | valid |
limit | valid |
siteIds | valid |
Params (Outputs) API V2 (XOAR) | API V2.1 (S1) |
---|---|
SentinelOne.Site.Creator | valid |
SentinelOne.Site.Name | valid |
SentinelOne.Site.Type | siteType |
SentinelOne.Site.AccountName | valid |
SentinelOne.Site.State | valid |
SentinelOne.Site.HealthStatus | valid |
SentinelOne.Site.Suite | valid |
SentinelOne.Site.ActiveLicenses | valid |
SentinelOne.Site.ID | valid |
SentinelOne.Site.TotalLicenses | valid |
SentinelOne.Site.CreatedAt | valid |
SentinelOne.Site.Expiration | valid |
SentinelOne.Site.UnlimitedLicenses | valid |
#
Command Example!sentinelone-get-sites
#
Context Example#
Human Readable Output#
Sentinel One - Getting List of SitesProvides summary information and details for all sites that matched your search criteria. |Account Name|Active Licenses|Created At|Creator|Health Status|ID|Name|State|Suite|Total Licenses|Type|Unlimited Licenses| |---|---|---|---|---|---|---|---|---|---|---|---| | SentinelOne | 0 | 2018-10-19T00:58:41.644879Z | XSOAR User | true | 475482421366727779 | demisto | active | Complete | 0 | Paid | true |
#
sentinelone-get-siteReturns information about the site, according to the site ID.
#
Base Commandsentinelone-get-site
#
InputArgument Name | Description | Required |
---|---|---|
site_id | ID of the site. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Site.Creator | string | The site creator name. |
SentinelOne.Site.Name | string | The site name. |
SentinelOne.Site.Type | string | The site type. |
SentinelOne.Site.AccountName | string | The site account name. |
SentinelOne.Site.State | string | The site state. |
SentinelOne.Site.HealthStatus | boolean | The health status of the site. |
SentinelOne.Site.Suite | string | The suite to which the site belongs. |
SentinelOne.Site.ActiveLicenses | number | Number of active licenses for the site. |
SentinelOne.Site.ID | string | ID of the site. |
SentinelOne.Site.TotalLicenses | number | Number of total licenses for the site. |
SentinelOne.Site.CreatedAt | date | Timestamp when the site was created. |
SentinelOne.Site.Expiration | string | Timestamp when the site will expire. |
SentinelOne.Site.UnlimitedLicenses | boolean | Whether the site has unlimited licenses. |
SentinelOne.Site.AccountID | string | Site account ID. |
SentinelOne.Site.IsDefault | boolean | Whether the site is the default site. |
#
Command Example!sentinelone-get-site site_id=475482421366727779
#
Context Example#
Human Readable Output#
Sentinel One - Summary About Site: 475482421366727779Provides summary information and details for specific site ID |Account ID|Account Name|Active Licenses|Created At|Creator|Health Status|ID|Is Default|Name|State|Suite|Total Licenses|Type|Unlimited Licenses| |---|---|---|---|---|---|---|---|---|---|---|---|---|---| | 433241117337583618 | SentinelOne | 0 | 2018-10-19T00:58:41.644879Z | XSOAR User | true | 475482421366727779 | false | demisto | active | Complete | 0 | Paid | true |
#
sentinelone-reactivate-siteReactivates an expired site.
#
Base Commandsentinelone-reactivate-site
#
InputArgument Name | Description | Required |
---|---|---|
site_id | Site ID. For example: "225494730938493804". | Required |
unlimited | If false, an expiration should be supplied. | Optional |
expiration | Expiration date in case unlimited is false, for example, "2019-08-03T04:49:26.257525Z". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Site.ID | string | Site ID. |
SentinelOne.Site.Reactivated | boolean | Whether the site was reactivated. |
#
V2.0 to V2.1 API ChangesParams (input) API V2 (XOAR) | API V2.1 (S1) |
---|---|
site_id | valid |
Params (Outputs) API V2 (XOAR) | API V2.1 (S1) |
---|---|
SentinelOne.Site.ID | None (need to return from the input) |
SentinelOne.Site.Reactivated | success |
#
sentinelone-get-activitiesReturns a list of activities.
#
Base Commandsentinelone-get-activities
#
InputArgument Name | Description | Required |
---|---|---|
created_after | Return activities created after this timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
user_emails | Email address of the user who invoked the activity (if applicable). | Optional |
group_ids | List of group IDs by which to filter, for example: "225494730938493804,225494730938493915". | Optional |
created_until | Return activities created on or before this timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
include_hidden | Include internal activities hidden from display. Possible values are: true, false. | Optional |
activities_ids | A comma-separated list of activity IDs by which to filter, for example: "225494730938493804,225494730938493915". | Optional |
created_before | Return activities created before this timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
threats_ids | A comma-separated list of threat IDs for which to return activities, for example: "225494730938493804,225494730938493915". | Optional |
activity_types | A comma-separated list of activity codes to return, for example: "52,53,71,72". | Optional |
user_ids | A comma-separated list of user IDs for users that invoked the activity (if applicable), for example: "225494730938493804,225494730938493915". | Optional |
created_from | Return activities created on or after this timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
created_between | Return activities created within this range (inclusive), for example: "1514978764288-1514978999999". | Optional |
agent_ids | Return activities related to specified agents. For example: "225494730938493804,225494730938493915". | Optional |
limit | Maximum number of items to return (1-100). | Optional |
sort_by | Field to sort results by. Possible values are: activityType, createdAt, id. | Optional |
sort_order | Order to sort by. Possible values are: asc, desc. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Activity.AgentID | String | Related agent (if applicable). |
SentinelOne.Activity.AgentUpdatedVersion | String | Agent's new version (if applicable). |
SentinelOne.Activity.SiteID | String | Related site (if applicable). |
SentinelOne.Activity.UserID | String | The user who invoked the activity (if applicable). |
SentinelOne.Activity.SecondaryDescription | String | Secondary description. |
SentinelOne.Activity.OsFamily | String | Agent's operating system type (if applicable). Can be "linux", "macos", "windows", or "windows_legacy". |
SentinelOne.Activity.ActivityType | Number | Activity type. |
SentinelOne.Activity.data.SiteID | String | The site ID. |
SentinelOne.Activity.data.SiteName | String | The site name. |
SentinelOne.Activity.data.username | String | The name of the site creator. |
SentinelOne.Activity.Hash | String | Threat file hash (if applicable). |
SentinelOne.Activity.UpdatedAt | Date | Activity last updated time (UTC). |
SentinelOne.Activity.Comments | String | Comments for the activity. |
SentinelOne.Activity.ThreatID | String | Related threat (if applicable). |
SentinelOne.Activity.PrimaryDescription | String | Primary description for the activity. |
SentinelOne.Activity.GroupID | String | Related group (if applicable). |
SentinelOne.Activity.ID | String | Activity ID. |
SentinelOne.Activity.CreatedAt | Date | Activity creation time (UTC). |
SentinelOne.Activity.Description | String | Extra activity information. |
#
V2.0 to V2.1 API ChangesParams (input) API V2 (XOAR) | API V2.1 (S1) |
---|---|
created_at__gt | valid |
userEmails | valid |
groupIds | valid |
created_at__lte | valid |
ids | valid |
includeHidden | valid |
created_at__lt | valid |
threatIds | valid |
activityTypes | valid |
userIds | valid |
created_at__gte | valid |
createdAt_between | valid |
agentIds | valid |
limit | valid |
Params (Outputs) API V2 (XOAR) | API V2.1 (S1) |
---|---|
SentinelOne.Activity.AgentID | valid |
SentinelOne.Activity.AgentUpdated | agentUpdatedVersion |
SentinelOne.Activity.SiteID | valid |
SentinelOne.Activity.UserID | valid |
SentinelOne.Activity.SecondaryDescription | valid |
SentinelOne.Activity.OsFamily | valid |
SentinelOne.Activity.ActivityType | valid |
SentinelOne.Activity.data.SiteID | None |
SentinelOne.Activity.data.SiteName | valid |
SentinelOne.Activity.data.username | valid |
SentinelOne.Activity.Hash | valid |
SentinelOne.Activity.UpdatedAt | valid |
SentinelOne.Activity.Comments | valid |
SentinelOne.Activity.ThreatID | valid |
SentinelOne.Activity.PrimaryDescription | valid |
SentinelOne.Activity.GroupID | valid |
SentinelOne.Activity.ID | valid |
SentinelOne.Activity.CreatedAt | valid |
SentinelOne.Activity.Description | valid |
#
Command Example!sentinelone-get-activities
#
Context Example#
Human Readable Output#
Sentinel One Activities
ID Primary Description Data User ID Created At Updated At 802214365638826164 The management user XSOAR User issued a disconnect from network command to the machine EC2AMAZ-AJ0KANC. accountName: SentinelOne
computerName: EC2AMAZ-AJ0KANC
groupName: Default Group
siteName: demisto
username: XSOAR User
uuid: f431b0a1a8744d2a8a92fc88fa3c13bc475482955872052394 2020-01-12T20:16:44.594737Z 2020-01-12T20:16:44.594743Z 802214382952913086 The management user XSOAR User issued a reconnect to network command to the machine EC2AMAZ-AJ0KANC. accountName: SentinelOne
computerName: EC2AMAZ-AJ0KANC
groupName: Default Group
siteName: demisto
username: XSOAR User
uuid: f431b0a1a8744d2a8a92fc88fa3c13bc475482955872052394 2020-01-12T20:16:46.659017Z 2020-01-12T20:16:46.659023Z 802214763636332743 Agent EC2AMAZ-AJ0KANC was connected to network. computerName: EC2AMAZ-AJ0KANC 2020-01-12T20:17:32.040670Z 2020-01-12T20:17:32.038143Z 802214854023583946 Agent EC2AMAZ-AJ0KANC was disconnected from network. computerName: EC2AMAZ-AJ0KANC 2020-01-12T20:17:42.815619Z 2020-01-12T20:17:42.812834Z
#
sentinelone-get-groupsReturns data for the specified group.
#
Base Commandsentinelone-get-groups
#
InputArgument Name | Description | Required |
---|---|---|
group_type | Group type, for example: "static". | Optional |
group_ids | A comma-separated list of group IDs by which to filter, for example: "225494730938493804,225494730938493915". | Optional |
group_id | Group ID by which to filter, for example: "225494730938493804". | Optional |
is_default | Whether this is the default group. Possible values are: true, false. | Optional |
name | The name of the group. | Optional |
query | Free-text search. | Optional |
rank | The priority of a dynamic group over others, for example, "1", which is the highest priority. | Optional |
limit | Maximum number of items to return (1-200). | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Group.siteId | String | The ID of the site of which this group is a member. |
SentinelOne.Group.filterName | String | If the group is dynamic, the name of the filter which is used to associate agents. |
SentinelOne.Group.creatorId | String | The ID of the user who created the group. |
SentinelOne.Group.name | String | The name of the group. |
SentinelOne.Group.creator | String | The user who created the group. |
SentinelOne.Group.rank | Number | The rank, which sets the priority of a dynamic group over others. |
SentinelOne.Group.updatedAt | Date | Timestamp of the last update. |
SentinelOne.Group.totalAgents | Number | Number of agents in the group. |
SentinelOne.Group.filterId | String | If the group is dynamic, the group ID of the filter that is used to associate agents. |
SentinelOne.Group.isDefault | Boolean | Whether the groups is the default group of the site. |
SentinelOne.Group.inherits | Boolean | Whether the policy is inherited from a site. "False" if the group has its own edited policy. |
SentinelOne.Group.type | String | Group type. Can be static or dynamic |
SentinelOne.Group.id | String | The ID of the group. |
SentinelOne.Group.createdAt | Date | Timestamp of group creation. |
#
V2.0 to V2.1 API ChangesParams (input) API V2 (XOAR) | API V2.1 (S1) |
---|---|
type | valid |
groupIds | valid |
id | valid |
isDefault | valid |
name | valid |
query | valid |
rank | valid |
limit | valid |
Params (Outputs) API V2 (XOAR) | API V2.1 (S1) |
---|---|
SentinelOne.Group.siteId | valid |
SentinelOne.Group.filterName | valid |
SentinelOne.Group.creatorId | valid |
SentinelOne.Group.name | valid |
SentinelOne.Group.creator | valid |
SentinelOne.Group.rank | valid |
SentinelOne.Group.updatedAt | valid |
SentinelOne.Group.totalAgents | valid |
SentinelOne.Group.filterId | valid |
SentinelOne.Group.isDefault | valid |
SentinelOne.Group.inherits | valid |
SentinelOne.Group.type | valid |
SentinelOne.Group.id | valid |
SentinelOne.Group.createdAt | valid |
#
Command Example!sentinelone-get-groups
#
Context Example#
Human Readable Output#
Sentinel One Groups
Id Name Type Creator Creator Id Created At 475482421375116388 Default Group static XSOAR User 433273625970238486 2018-10-19T00:58:41.646045Z
#
sentinelone-move-agentMoves agents to a new group.
#
Base Commandsentinelone-move-agent
#
InputArgument Name | Description | Required |
---|---|---|
group_id | The ID of the group to move the agent to. | Required |
agents_ids | Agents IDs. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Agent.AgentsMoved | Number | The number of agents that were moved to another group. |
#
V2.0 to V2.1 API ChangesParams (input) API V2 (XOAR) | API V2.1 (S1) |
---|---|
group_id | valid |
agentIds | valid |
Params (Outputs) API V2 (XOAR) | API V2.1 (S1) |
---|---|
SentinelOne.Agent.AgentsMoved | valid |
#
Command Example
#
Human Readable Output#
sentinelone-delete-groupDeletes a group, by the group ID.
#
Base Commandsentinelone-delete-group
#
InputArgument Name | Description | Required |
---|---|---|
group_id | The ID of the group to delete. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.DeleteGroup.Success | String | the status of the command. |
#
V2.0 to V2.1 API ChangesParams (input) API V2 (XOAR) | API V2.1 (S1) |
---|---|
group_id | valid |
Params (Outputs) API V2 (XOAR) | API V2.1 (S1) |
---|---|
SentinelOne.DeleteGroup.Success | valid |
#
Command Example
#
Human Readable Output#
sentinelone-agent-processesDEPRECATED - Retrieves running processes for a specific agent.
#
Base Commandsentinelone-agent-processes
#
InputArgument Name | Description | Required |
---|---|---|
agents_ids | The ID of the agent from which to retrieve the processes. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Agent.memoryUsage | Number | Memory usage (MB). |
SentinelOne.Agent.startTime | Date | The process start time. |
SentinelOne.Agent.pid | Number | The process ID. |
SentinelOne.Agent.processName | String | The name of the process. |
SentinelOne.Agent.cpuUsage | Number | CPU usage (%). |
SentinelOne.Agent.executablePath | String | Executable path. |
#
V2.0 to V2.1 API ChangesParams (input) API V2 (XOAR) | API V2.1 (S1) |
---|---|
ids | valid |
Params (Outputs) API V2 (XOAR) | API V2.1 (S1) |
---|---|
SentinelOne.Agent.memoryUsage | valid |
SentinelOne.Agent.startTime | valid |
SentinelOne.Agent.pid | valid |
SentinelOne.Agent.processName | valid |
SentinelOne.Agent.cpuUsage | valid |
SentinelOne.Agent.executablePath | valid |
#
sentinelone-connect-agentConnects agents to the network.
#
Base Commandsentinelone-connect-agent
#
InputArgument Name | Description | Required |
---|---|---|
agent_id | A comma-separated list of agent IDs to connect to the network. Run the list-agents command to get a list of agent IDs. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Agent.AgentsAffected | Number | The number of affected agents. |
SentinelOne.Agent.ID | String | The IDs of the affected agents. |
#
V2.0 to V2.1 API ChangesParams (input) API V2 (XOAR) | API V2.1 (S1) |
---|---|
ids | valid |
Params (Outputs) API V2 (XOAR) | API V2.1 (S1) |
---|---|
SentinelOne.Agent.AgentsAffected | affected |
SentinelOne.Agent.ID | None (need to return from the input) |
#
Command Example!sentinelone-connect-agent agent_id=657613730168123595
#
Context Example#
Human Readable Output1 agent(s) successfully connected to the network.
#
sentinelone-disconnect-agentDisconnects agents from the network.
#
Base Commandsentinelone-disconnect-agent
#
InputArgument Name | Description | Required |
---|---|---|
agent_id | A comma-separated list of agent IDs to disconnect from the network. Run the list-agents command to get a list of agent IDs. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Agent.NetworkStatus | String | Agent network status. |
SentinelOne.Agent.ID | String | The IDs of the affected agents. |
#
V2.0 to V2.1 API ChangesParams (input) API V2 (XOAR) | API V2.1 (S1) |
---|---|
ids | valid |
Params (Outputs) API V2 (XOAR) | API V2.1 (S1) |
---|---|
SentinelOne.Agent.NetworkStatus | None |
SentinelOne.Agent.ID | None (need to return from the input) |
#
Command Example!sentinelone-disconnect-agent agent_id=657613730168123595
#
Context Example#
Human Readable Output1 agent(s) successfully disconnected from the network.
#
sentinelone-broadcast-messageBroadcasts a message to all agents that match the input filters.
#
Base Commandsentinelone-broadcast-message
#
InputArgument Name | Description | Required |
---|---|---|
message | The message to broadcast to agents. | Required |
active_agent | Whether to only include active agents. Default is "false". Possible values are: true, false. | Optional |
group_id | A comma-separated list of group IDs by which to filter the results. | Optional |
agent_id | A comma-separated list of agent IDs by which to filter the results. | Optional |
domain | A comma-separated of included network domains. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.BroadcastMessage.Affected | String | Number of affected endpoints. |
#
V2.0 to V2.1 API ChangesParams (input) API V2 (XOAR) | API V2.1 (S1) |
---|---|
isActive | valid |
groupIds | valid |
ids | valid |
domains | valid |
Params (Outputs) API V2 (XOAR) | API V2.1 (S1) |
---|---|
SentinelOne.BroadcastMessage.Affected | valid |
#
Command Example!sentinelone-broadcast-message message="Hey There, just checking" agent_id=657613730168123595
#
Human Readable OutputThe message was successfully delivered to the agent(s)
#
sentinelone-get-eventsReturns all Deep Visibility events that match the query.
#
Base Commandsentinelone-get-events
#
InputArgument Name | Description | Required |
---|---|---|
limit | Maximum number of items to return (1-100). Default is 50. | Optional |
query_id | QueryId obtained when creating a query in the sentinelone-create-query command. Example: "q1xx2xx3". | Required |
cursor | Cursor pointer to get next page of results from query. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Event.ProcessUID | String | Process unique identifier. |
SentinelOne.Event.SHA256 | String | SHA256 hash of the file. |
SentinelOne.Event.AgentOS | String | Operating system type. Can be "windows", "linux", "macos", or "windows_legac". |
SentinelOne.Event.ProcessID | Number | The process ID. |
SentinelOne.Event.User | String | User assigned to the event. |
SentinelOne.Event.Time | Date | Process start time. |
SentinelOne.Event.Endpoint | String | The agent name. |
SentinelOne.Event.SiteName | String | Site name. |
SentinelOne.Event.EventType | String | Event type. Can be "events", "file", "ip", "url", "dns", "process", "registry", "scheduled_task", or "logins". |
SentinelOne.Event.ProcessName | String | The name of the process. |
SentinelOne.Event.MD5 | String | MD5 hash of the file. |
SentinelOne.Event.SourceIP | String | The source ip. |
SentinelOne.Event.SourcePort | String | The source port. |
SentinelOne.Event.DestinationIP | String | The destination IP. |
SentinelOne.Event.DestinationPort | String | The destination port. |
SentinelOne.Event.SourceProcessUser | String | The source process user. |
SentinelOne.Event.SourceProcessCommandLine | String | The source process command line. |
SentinelOne.Event.DNSRequest | String | The DNS Request. |
SentinelOne.Event.FileFullName | String | The file full name. |
SentinelOne.Event.EventTime | String | The event time. |
Event.ID | String | Event process ID. |
Event.Name | String | Event name. |
Event.Type | String | Event type. |
SentinelOne.Cursor.Event | String | cursor to recieve next page |
#
V2.0 to V2.1 API ChangesParams (input) API V2 (XOAR) | API V2.1 (S1) |
---|---|
query_id | valid |
limit | valid |
Params (Outputs) API V2 (XOAR) | API V2.1 (S1) |
---|---|
SentinelOne.Event.ProcessUID | srcProcUid |
SentinelOne.Event.SHA256 | valid |
SentinelOne.Event.AgentOS | valid |
SentinelOne.Event.ProcessID | pid |
SentinelOne.Event.User | valid |
SentinelOne.Event.Time | processStartTime |
SentinelOne.Event.Endpoint | agentName |
SentinelOne.Event.SiteName | valid |
SentinelOne.Event.EventType | valid |
SentinelOne.Event.ProcessName | valid |
SentinelOne.Event.MD5 | valid |
Event.ID | id |
Event.Name | None |
Event.Type | eventType |
#
Command Example!sentinelone-get-events query_id=q034ae362a30eba5a187cbe601d19abaa
#
Human Readable OutputNo events were found.
#
sentinelone-create-queryRuns a Deep Visibility query and returns the queryId. You can use the queryId for all other commands, such as the sentinelone-get-events command.
#
Base Commandsentinelone-create-query
#
InputArgument Name | Description | Required |
---|---|---|
query | The query string for which to return events. | Required |
from_date | Query start date, for example, "2019-08-03T04:49:26.257525Z". Limited to 93 days ago. | Required |
to_date | Query end date, for example, "2019-08-03T04:49:26.257525Z". | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Query.FromDate | Date | Query start date. |
SentinelOne.Query.Query | String | The search query string. |
SentinelOne.Query.QueryID | String | The query ID. |
SentinelOne.Query.ToDate | Date | Query end date. |
#
Command Example!sentinelone-create-query query="AgentName Is Not Empty" from_date="2020-10-13T15:24:09.257Z" to_date="2021-01-10T04:49:26.257525Z"
#
Context Example#
Human Readable OutputThe query ID is q15a9c0b5a5f2081188e70c42897ef5f9
#
sentinelone-get-processesReturns a list of Deep Visibility events from query by event type - process.
#
Base Commandsentinelone-get-processes
#
InputArgument Name | Description | Required |
---|---|---|
query_id | The queryId that is returned when creating a query under Create Query. Example: "q1xx2xx3". Get the query_id from the "get-query-id" command. | Required |
limit | Maximum number of items to return (1-100). Default is 50. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Event.ParentProcessID | Number | Parent process ID. |
SentinelOne.Event.ProcessUID | String | The process unique identifier. |
SentinelOne.Event.SHA1 | String | SHA1 hash of the process image. |
SentinelOne.Event.SubsystemType | String | Process sub-system. |
SentinelOne.Event.ParentProcessStartTime | Date | The parent process start time. |
SentinelOne.Event.ProcessID | Number | The process ID. |
SentinelOne.Event.ParentProcessUID | String | Parent process unique identifier. |
SentinelOne.Event.User | String | User assigned to the event. |
SentinelOne.Event.Time | Date | Start time of the process. |
SentinelOne.Event.ParentProcessName | String | Parent process name. |
SentinelOne.Event.SiteName | String | Site name. |
SentinelOne.Event.EventType | String | The event type. |
SentinelOne.Event.Endpoint | String | The agent name (endpoint). |
SentinelOne.Event.IntegrityLevel | String | Process integrity level. |
SentinelOne.Event.CMD | String | Process CMD. |
SentinelOne.Event.ProcessName | String | Process name. |
SentinelOne.Event.ProcessDisplayName | String | Process display name. |
#
V2.0 to V2.1 API ChangesParams (input) API V2 (XOAR) | API V2.1 (S1) |
---|---|
query_id | valid |
limit | valid |
event_type | Event_type (need to be added if using GET/web/api/v2.1/dv/events/{event_type} ) |
Params (Outputs) API V2 (XOAR) | API V2.1 (S1) |
---|---|
SentinelOne.Event.ParentProcessID | parentPid |
SentinelOne.Event.ProcessUID | None |
SentinelOne.Event.SHA1 | valid |
SentinelOne.Event.SubsystemType | processSubSystem |
SentinelOne.Event.ParentProcessStartTim | valid |
SentinelOne.Event.ProcessID | Pid |
SentinelOne.Event.ParentProcessUID | None |
SentinelOne.Event.User | valid |
SentinelOne.Event.Time | processStartTime |
SentinelOne.Event.ParentProcessName | valid |
SentinelOne.Event.SiteName | valid |
SentinelOne.Event.EventType | valid |
SentinelOne.Event.Endpoint | agentName |
SentinelOne.Event.IntegrityLevel | processIntegrityLevel |
SentinelOne.Event.CMD | processCmd |
SentinelOne.Event.ProcessName | valid |
SentinelOne.Event.ProcessDisplayName | valid |
#
Command Example!sentinelone-get-processes query_id=q034ae362a30eba5a187cbe601d19abaa
#
sentinelone-shutdown-agentSends a shutdown command to all agents that match the input filter.
#
Base Commandsentinelone-shutdown-agent
#
InputArgument Name | Description | Required |
---|---|---|
query | A free-text search term that will match applicable attributes (sub-string match). Note: A device's physical addresses will only be matched if they start with the search term (not if they contain the search term). | Optional |
agent_id | A comma-separated list of agents IDs to shutdown. | Optional |
group_id | The ID of the network group. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Agent.ID | String | The ID of the agent that was shutdown. |
#
V2.0 to V2.1 API ChangesParams (input) API V2 (XOAR) | API V2.1 (S1) |
---|---|
query | valid |
ids | valid |
groupIds | valid |
Params (Outputs) API V2 (XOAR) | API V2.1 (S1) |
---|---|
SentinelOne.Agent.ID | None |
#
sentinelone-uninstall-agentSends an uninstall command to all agents that match the input filter.
#
Base Commandsentinelone-uninstall-agent
#
InputArgument Name | Description | Required |
---|---|---|
query | A free-text search term that will match applicable attributes (sub-string match). Note: A device's physical addresses will only be matched if they start with the search term (not if they contain the search term). | Optional |
agent_id | A comma-separated list of agents IDs to shutdown. | Optional |
group_id | The ID of the network group. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.uninstall.Affected | String | Number of agents that were uninstalled |
#
V2.0 to V2.1 API ChangesParams (input) API V2 (XOAR) | API V2.1 (S1) |
---|---|
query | valid |
ids | valid |
groupIds | valid |
Params (Outputs) API V2 (XOAR) | API V2.1 (S1) |
---|---|
SentinelOne.uninstall.Affected | valid |
#
sentinelone-add-hash-to-blocklistAdd a hash to the Global blocklist in SentinelOne.
#
Base Commandsentinelone-add-hash-to-blocklist
#
InputArgument Name | Description | Required |
---|---|---|
sha1 | SHA1 hash to add to the Global blocklist. | Optional |
source | String describing the source of the block. Default is XSOAR. | Optional |
os_type | Type of operating system. Possible values are: windows, linux, macos. | Required |
description | Note stored in SentinelOne about the block. Default is Blocked from XSOAR. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.AddHashToBlocklist.hash | unknown | Hash of the file |
SentinelOne.AddHashToBlocklist.status | unknown | Status of the action to add a hash to the blocklist. |
#
Command Example!sentinelone-add-hash-to-blocklist os_type=windows description="EICAR Test File" sha1=3395856ce81f2b7382dee72602f798b642f14140 source=XSOAR
#
sentinelone-remove-hash-from-blocklistRemove a hash from the Global blocklist in SentinelOne
#
Base Commandsentinelone-remove-hash-from-blocklist
#
InputArgument Name | Description | Required |
---|---|---|
sha1 | SHA1 hash to remove from the Global blocklist. | Optional |
os_type | Optional operating system type. If not supplied, will remove across all platforms. Possible values are: windows, macos, linux. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.RemoveHashFromBlocklist.hash | unknown | Hash of the file. |
SentinelOne.RemoveHashFromBlocklist.status | unknown | Status of the action to remove a hash from the blocklist. |
#
Command Example!sentinelone-remove-hash-from-blocklist os_type=windows sha1=3395856ce81f2b7382dee72602f798b642f14140
#
sentinelone-download-fetched-fileDownload a file fetched using the sentinelone-fetch-file command to submit the request and the sentinelone-get-activities command to get the download path.
#
Base Commandsentinelone-download-fetched-file
#
InputArgument Name | Description | Required |
---|---|---|
agent_id | SentinelOne agent ID. Default is Agent ID. | Required |
activity_id | Activity ID in the get-activities command. | Required |
password | Password used in the sentinelone-fetch-file command. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!sentinelone-download-fetched-file activity_id=ACTIVITY_ID agent_id=AGENT_ID password=PossiblyInfected0987&*()
#
sentinelone-update-threats-verdictUpdates the analyst verdict to a group of threats that match the specified input filter. Relevant for API version 2.1.
#
Base Commandsentinelone-update-threats-verdict
#
InputArgument Name | Description | Required |
---|---|---|
verdict | Analyst verdict action. Possible values are: undefined, true_positive, false_positive, suspicious. | Required |
threat_ids | A comma-separated list of threat IDs. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Threat.ID | String | The threat ID. |
SentinelOne.Threat.Updated | Boolean | Whether the threat was successfully updated in the analyst verdict. |
SentinelOne.Threat.Update.Action | String | Name of the analyst verdict action performed on the threats. |
#
Command Example!sentinelone-update-threats-verdict threat_ids="14417837215288624" action=false_positive
#
sentinelone-update-alerts-verdictUpdates the analyst verdict to a group of alerts that match the specified input filter. Relevant for API version 2.1.
#
Base Commandsentinelone-update-alerts-verdict
#
InputArgument Name | Description | Required |
---|---|---|
verdict | Analyst verdict action. Possible values are: undefined, true_positive, false_positive, suspicious. | Required |
alert_ids | A comma-separated list of alert IDs. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Alert.ID | String | The alert ID. |
SentinelOne.Alert.Updated | Boolean | Whether the alert was successfully updated in the analyst verdict. |
SentinelOne.Alert.Update.Action | String | Name of the analyst verdict action performed on the alerts. |
#
Command Example!sentinelone-update-alerts-verdict threat_ids="14417837215288624" action=false_positive
#
sentinelone-create-star-ruleCreates a custom STAR rule. Relevant for API version 2.1.
#
Base Commandsentinelone-create-star-rule
#
InputArgument Name | Description | Required |
---|---|---|
name | The name of the STAR rule. | Required |
rule_severity | The rule severity. Possible values are: Low, Medium, High, Critical. | Required |
expiration_mode | Type of expiration mode. Possible values are: Permanent, Temporary. | Required |
query_type | Type of the query. For now it's "events". Possible values are: events, processes. | Required |
query | The query string for which to return events. | Required |
description | The description of the STAR rule. | Optional |
expiration_date | If expiration mode is "Temporary" then it should be supplied, for example, "2019-08-03T04:49:26.257525Z" . | Optional |
site_ids | A comma-separated list of site IDs. | Optional |
group_ids | A comma-separated list of Group IDs. | Optional |
account_ids | A comma-separated list of Account IDs. | Optional |
network_quarantine | Whether to enable the network quarantine of the STAR rule. Possible values are: true, false. | Required |
treatAsThreat | The treatAsThreat type. Possible values are: Malicious, Suspicious, UNDEFINED. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.StarRule.ID | String | The STAR rule ID. |
SentinelOne.StarRule.Name | String | The STAR rule name. |
SentinelOne.StarRule.Status | String | The status of the STAR rule. |
SentinelOne.StarRule.Severity | String | The severity of the STAR rule. |
SentinelOne.StarRule.Description | String | The description of the STAR rule. |
SentinelOne.StarRule.NetworkQuarantine | Boolean | The network quarantine of the STAR rule. |
SentinelOne.StarRule.TreatAsThreat | String | The Treat As Threat of the STAR rule. |
SentinelOne.StarRule.ExpirationMode | String | The expiration mode of the STAR rule. |
SentinelOne.StarRule.ExpirationDate | String | The expiration date of the STAR rule. |
SentinelOne.StarRule.ScopeHierarchy | String | The scope hierarchy of the STAR rule. |
SentinelOne.StarRule.CreatedAt | String | The created time for the STAR rule. |
SentinelOne.StarRule.UpdatedAt | String | The updated time for the STAR rule. |
#
Command Example!sentinelone-create-star-rule name="test" rule_severity=Low expiration_mode=Temporary expiration_date=2022-06-23T09:29:29.206941Z query_type=events query="Dstip EXISTS" network_quarantine=false treatAsThreat=Malicious
#
sentinelone-get-star-rulesGet a list of custom detection rules for a given scope. Relevant for API version 2.1.
#
Base Commandsentinelone-get-star-rules
#
InputArgument Name | Description | Required |
---|---|---|
status | A comma-separated list of the status of the STAR rule. Available options are: "Activating, Active, Deleted, Deleting, Disabled, Disabling and Draft".Example: "Draft,Active". | Optional |
creator_contains | Free-text filter by rule creator (supports multiple values). Example: "Service Pack 1". | Optional |
queryType | Return rules with the filtered type. Example: "events". Possible values are: events, processes. | Optional |
query | Free-text filter by S1 query (supports multiple values). Example: "Service Pack 1". | Optional |
description_contains | Free-text filter by rule description (supports multiple values). Example: "Service Pack 1". | Optional |
ruleIds | A comma-separated list of Rules IDs. Example: "225494730938493804,225494730938493915". | Optional |
name_contains | Free-text filter by rule name (supports multiple values). Example: "Service Pack 1". | Optional |
accountIds | A comma-separated list of Account IDs to filter by. Example: "225494730938493804,225494730938493915". | Optional |
expirationMode | Return rules with the filtered expiration mode. Example: "Permanent". Possible values are: Temporary, Permanent. | Optional |
limit | Limit number of returned items (1-1000). Example: "10". | Optional |
siteIds | A comma-separated list of site IDs to filter by. Example: "225494730938493804,225494730938493915". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.StarRule.ID | Number | The STAR rule ID. |
SentinelOne.StarRule.Creator | string | The STAR rule creator. |
SentinelOne.StarRule.Name | string | The STAR rule name. |
SentinelOne.StarRule.Status | string | The STAR rule status. |
SentinelOne.StarRule.Severity | string | The STAR rule severity. |
SentinelOne.StarRule.GeneratedAlerts | Number | The number of STAR rule generated alerts. |
SentinelOne.StarRule.Description | string | The STAR rule description. |
SentinelOne.StarRule.StatusReason | string | The STAR rule status reason. |
SentinelOne.StarRule.ExpirationMode | string | The STAR rule expiration mode. |
SentinelOne.StarRule.ExpirationDate | Date | The STAR rule expiration date. |
SentinelOne.StarRule.Expired | Boolean | Whether the STAR rule expired. |
#
Command Example!sentinelone-get-star-rules
#
sentinelone-update-star-ruleUpdates a custom STAR rule. Relevant for API version 2.1.
#
Base Commandsentinelone-update-star-rule
#
InputArgument Name | Description | Required |
---|---|---|
rule_id | Rule ID Example: "225494730938493804". | Required |
name | The name of the STAR rule. | Required |
rule_severity | The rule severity. Possible values are: Low, Medium, High, Critical. | Required |
expiration_mode | Type of expiration mode. Possible values are: Permanent, Temporary. | Required |
query_type | Type of the query. For now it's "events". Possible values are: events, processes. | Required |
query | The query string for which to return events. | Required |
description | The description of the STAR rule. | Optional |
expiration_date | If expiration mode is "Temporary" then it should be supplied, for example, "2019-08-03T04:49:26.257525Z". | Optional |
site_ids | A comma-separated list of site IDs. | Optional |
group_ids | A comma-separated list of group IDs. | Optional |
account_ids | A comma-separated list of account IDs. | Optional |
network_quarantine | Whether to enable the network quarantine of the STAR rule. Possible values are: true, false. | Required |
treatAsThreat | The treatAsThreat. Possible values are: Malicious, Suspicious, UNDEFINED. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.StarRule.ID | String | The STAR rule ID. |
SentinelOne.StarRule.Name | String | The STAR rule name. |
SentinelOne.StarRule.Status | String | The status of the STAR rule. |
SentinelOne.StarRule.Severity | String | The severity of the STAR rule. |
SentinelOne.StarRule.Description | String | The description of the STAR rule. |
SentinelOne.StarRule.NetworkQuarantine | Boolean | The network quarantine of the STAR rule. |
SentinelOne.StarRule.TreatAsThreat | String | The Treat As Threat of the STAR rule. |
SentinelOne.StarRule.ExpirationMode | String | The expiration mode of the STAR rule. |
SentinelOne.StarRule.ExpirationDate | String | The expiration date of the STAR rule. |
SentinelOne.StarRule.ScopeHierarchy | String | The scope hierarchy of the STAR rule. |
SentinelOne.StarRule.CreatedAt | String | The created time for the STAR rule. |
SentinelOne.StarRule.UpdatedAt | String | The updated time for the STAR rule. |
#
Command Example!sentinelone-update-star-rule rule_id=225494730938493804 name="test" rule_severity=Low expiration_mode=Temporary expiration_date=2022-06-23T09:29:29.206941Z query_type=events query="Dstip EXISTS" network_quarantine=false treatAsThreat=Malicious
#
sentinelone-enable-star-rulesActivate Custom Detection rules that match the specified input filter. Relevant for API version 2.1.
#
Base Commandsentinelone-enable-star-rules
#
InputArgument Name | Description | Required |
---|---|---|
rule_ids | A comma-separated list of STAR rule IDs. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.StarRule.ID | String | The Rule ID. |
SentinelOne.StarRule.Enabled | Boolean | Whether the star rule was successfully eabled or not. |
#
Command Example!sentinelone-enable-star-rules rule_ids=225494730938493804
#
sentinelone-disable-star-rulesDisable Custom Detection rules that match the specified input filter. Relevant for API version 2.1.
#
Base Commandsentinelone-disable-star-rules
#
InputArgument Name | Description | Required |
---|---|---|
rule_ids | A comma-separated list of STAR rule IDs. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.StarRule.ID | String | The Rule ID. |
SentinelOne.StarRule.Disabled | Boolean | Whether the star rule was successfully disabled or not. |
#
Command Example!sentinelone-disable-star-rules rule_ids=225494730938493804
#
sentinelone-delete-star-ruleDeletes Custom Detection Rules that match the specified input filter. Relevant for API version 2.1.
#
Base Commandsentinelone-delete-star-rule
#
InputArgument Name | Description | Required |
---|---|---|
rule_ids | A comma-separated list of STAR rule IDs. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.StarRule.ID | String | The Rule ID. |
SentinelOne.StarRule.Deleted | Boolean | Whether the STAR rule was successfully deleted. |
#
sentinelone-get-blocklistAdd a hash to the blocklist ("blacklist" in SentinelOne documentation). If the global
flag is true
, then group_ids, site_ids, and account_ids are ignored.
#
Base Commandsentinelone-get-blocklist
#
InputArgument Name | Description | Required |
---|---|---|
global | Whether the global list is accessible. (Same as tenant flag in API docs.). Possible values are: true, false. Default is true. | Optional |
group_ids | Comma-separated list of group IDs to filter by. | Optional |
site_ids | Comma-separated list of site IDs to filter by. | Optional |
account_ids | Comma-separated list of account IDs to filter by. | Optional |
offset | The number of records to skip (for paging). Default is 0. | Optional |
limit | The maximum number of records to return. Default is 1000. | Optional |
hash | Hash to search for in the blocklist. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Blocklist.UserId | String | User ID. |
SentinelOne.Blocklist.UpdatedAt | String | When entry was most recently updated. |
SentinelOne.Blocklist.Value | String | File hash. |
SentinelOne.Blocklist.ScopePath | String | SentinelOne list scope. |
SentinelOne.Blocklist.Type | String | Block list type. |
SentinelOne.Blocklist.Source | String | Source of entry. |
SentinelOne.Blocklist.ID | String | Entry ID. |
SentinelOne.Blocklist.CreatedAt | String | Date entry was created. |
SentinelOne.Blocklist.Description | String | Description of the blocklist. |
SentinelOne.Blocklist.OSType | String | Operating system type block is enforced on. |
SentinelOne.Blocklist.ScopeName | String | Name of the blocklist scope. |
#
Command Example!sentinelone-get-blocklist account_ids=ACCOUNT_ID global=true offset=0 limit=1
#
sentinelone-add-hash-to-blocklistAdd a hash to the global blocklist in SentinelOne.
#
Base Commandsentinelone-add-hash-to-blocklist
#
InputArgument Name | Description | Required |
---|---|---|
sha1 | SHA1 hash to add to the global blocklist. | Optional |
source | String describing the source of the block. Default is XSOAR. | Optional |
os_type | Type of operating system. Possible values are: windows, linux, macos. | Required |
description | Note stored in SentinelOne about the block. Default is Blocked from XSOAR. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.AddHashToBlocklist.hash | unknown | Hash of the file. |
SentinelOne.AddHashToBlocklist.status | unknown | Status of the action to add a hash to the blocklist. |
#
Command Example!sentinelone-add-hash-to-blocklist os_type=windows description="EICAR Test File" sha1=3395856ce81f2b7382dee72602f798b642f14140 source=XSOAR
#
sentinelone-remove-hash-from-blocklistRemove a hash from the global blocklist in SentinelOne
#
Base Commandsentinelone-remove-hash-from-blocklist
#
InputArgument Name | Description | Required |
---|---|---|
sha1 | SHA1 hash to remove from the global blocklist. | Optional |
os_type | Optional operating system type. If not supplied, will remove the SHA1 hash across all platforms. Possible values are: windows, macos, linux. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.RemoveHashFromBlocklist.hash | unknown | Hash of the file. |
SentinelOne.RemoveHashFromBlocklist.status | unknown | Status of the action to remove a hash from the blocklist. |
#
sentinelone-fetch-fileInvokes a fetch files command against an agent endpoint.
#
Base Commandsentinelone-fetch-file
#
InputArgument Name | Description | Required |
---|---|---|
agent_id | Agent ID to retrieve the file from. | Required |
file_path | File path to download the file from. | Required |
password | Password to protect the zip file with. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!sentinelone-fetch-file agent_id=AGENT_ID file_path="C:\Test\Path\To\File.txt" password=PossiblyInfected0987&*()
#
sentinelone-download-fetched-fileDownload a file fetched using th sentinelone-fetch-file command to submit the request and the sentinelone-get-activities command to get the download path.
#
Base Commandsentinelone-download-fetched-file
#
InputArgument Name | Description | Required |
---|---|---|
agent_id | SentinelOne agent ID. Default is Agent ID. | Required |
activity_id | Activity ID in the get-activities command. | Required |
password | Password used in the sentinelone-fetch-file command. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!sentinelone-download-fetched-file activity_id=ACTIVITY_ID agent_id=AGENT_ID password=PossiblyInfected0987&*()
#
sentinelone-write-threat-noteAdd a threat note to one or more threats. Relevant for API version 2.1.
#
Base Commandsentinelone-write-threat-note
#
InputArgument Name | Description | Required |
---|---|---|
threat_ids | A comma-separated list of threat IDs. | Required |
note | Threat Note Text. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Threat.ID | String | The threat ID. |
SentinelOne.Threat.Note | String | The threat note. |
SentinelOne.Threat.Status | String | Whether the note was added successfully. |
#
Command Example!sentinelone-write-threat-note threat_ids=14417837215288624 note="a sample test"
#
sentinelone-create-iocAdd an IoC to the Threat Intelligence database. Relevant for API version 2.1.
#
Base Commandsentinelone-create-ioc
#
InputArgument Name | Description | Required |
---|---|---|
name | Threat Intelligence indicator name. | Required |
source | The source of the identified Threat Intelligence indicator. | Required |
type | The type of the Threat Intelligence indicator. Possible values are: DNS, IPV4, IPV6, MD5, SHA1, SHA256, URL. | Required |
method | The comparison method used by SentinelOne to trigger the event. Possible values are: EQUALS. | Required |
validUntil | Expiration date for the Threat Intelligence indicator. | Required |
value | The value of the Threat Intelligence indicator. | Required |
account_ids | List of account IDs to filter by. | Required |
externalId | The unique identifier of the indicator as provided by the Threat Intelligence source. | Optional |
description | Description of the Threat Intelligence indicator. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.IOC.UUID | String | The IOC UUID. |
SentinelOne.IOC.Name | String | Threat Intelligence indicator name. |
SentinelOne.IOC.Source | String | The source of the identified Threat Intelligence indicator. |
SentinelOne.IOC.Type | String | The type of the Threat Intelligence indicator. |
SentinelOne.IOC.BatchId | String | The IOC batch ID. |
SentinelOne.IOC.Creator | String | The IOC creator. |
SentinelOne.IOC.Scope | String | The IOC scope. |
SentinelOne.IOC.ScopeId | String | The IOC scope ID. |
SentinelOne.IOC.ValidUntil | String | Expiration date for the Threat Intelligence indicator. |
SentinelOne.IOC.Description | String | Description of the Threat Intelligence indicator. |
SentinelOne.IOC.ExternalId | String | The unique identifier of the indicator as provided by the Threat Intelligence source. |
#
Command Example!sentinelone-create-ioc name="test" source="proof_test" type="IPV4" method="EQUALS" validUntil="2022-06-25T07:52:09.428858Z" value="10.0.2.15" account_ids="106802936546889425464"
#
sentinelone-delete-iocDelete an IOC from the Threat Intelligence database that matches a filter. Relevant for API version 2.1.
#
Base Commandsentinelone-delete-ioc
#
InputArgument Name | Description | Required |
---|---|---|
account_ids | List of account IDs to filter by. | Required |
uuids | UUID of Threat Intelligence indicator. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.IOC.UUID | String | The IOC UUID. |
SentinelOne.IOC.Deleted | Boolean | Whether the Threat Intelligence indicator was deleted. |
#
Command Example!sentinelone-delete-ioc account_ids=106802961889425793 uuids=ef367d66175288e75fa6b29c53d46d4
#
sentinelone-get-iocsGet the IOCs of a specified account that match the filter. Relevant for API version 2.1.
#
Base Commandsentinelone-get-iocs
#
InputArgument Name | Description | Required |
---|---|---|
account_ids | List of account IDs to filter by. | Required |
limit | Limit number of returned items (1-1000). Default is 1000. | Optional |
upload_time_gte | The time (greater than or equal to) at which the Threat Intelligence indicator was uploaded to the SentinelOne database. Example: "2022-07-13T20:33:29.007906Z". | Optional |
upload_time_lte | The time (less than or equal to) at which the Threat Intelligence indicator was uploaded to the SentinelOne database. Example: "2022-07-13T20:33:29.007906Z". | Optional |
cursor | Cursor position returned by the last request. Should be used for iterating over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=". | Optional |
uuids | A list of unique IDs of the parent process of the indicator of compromise. Example: "2cffae871197f20d864fe8363eee6651". | Optional |
type | The type of the Threat Intelligence indicator. Possible values are: DNS, IPV4, IPV6, MD5, SHA1, SHA256, URL. | Optional |
batch_id | Unique ID of the uploaded indicators batch. Example: "atmtn000000028a881bcf939dc6d92ab55443". | Optional |
source | List of the sources of the identified Threat Intelligence indicator. Example: "AlienVault". | Optional |
value | The value of the Threat Intelligence indicator. Example: "175.0.x.x". | Optional |
external_id | The unique identifier of the indicator as provided by the Threat Intelligence source. Example: "e277603e-1060-5ad4-9937-c26c97f1ca68". | Optional |
name_contains | A comma-separated list of free-text filtered by the indicator name. Example: "foo.dll". | Optional |
creator_contains | A comma-separated list of free-text filtered by the user who uploaded the Threat Intelligence indicator. Example: "admin@sentinelone.com". | Optional |
description_contains | A comma-separated list of free-text filtered by the description of the indicator. Example: "Malicious-activity". | Optional |
category_in | The categories of the Threat Intelligence indicator. Example: The malware type associated with the IOC. | Optional |
updated_at_gte | The time (greater or equal to) at which the indicator was last updated in the SentinelOne database. Example: "2021-07-13T20:33:29.007906Z". | Optional |
updated_at_lte | The time (less than or equal to) at which the indicator was last updated in the SentinelOne database. Example: "2021-07-13T20:33:29.007906Z". | Optional |
creation_time_gte | Creation time (greater than or equal to) as set by the user. Example: "2021-07-13T20:33:29.007906Z". | Optional |
creation_time_lte | Creation time (less than or equal to) as set by the user. Example: "2021-07-13T20:33:29.007906Z". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.IOC.UUID | String | The IOC UUID. |
SentinelOne.IOC.Creator | String | Threat Intelligence indicator creator. |
SentinelOne.IOC.Name | String | Threat Intelligence indicator name. |
SentinelOne.IOC.Value | String | Threat Intelligence indicator value. |
SentinelOne.IOC.Description | String | Threat Intelligence indicator description. |
SentinelOne.IOC.Type | String | Threat Intelligence indicator type. |
SentinelOne.IOC.ExternalId | String | Threat Intelligence indicator external ID. |
SentinelOne.IOC.Source | String | Threat Intelligence indicator source. |
SentinelOne.IOC.UploadTime | String | Threat Intelligence indicator upload time. |
SentinelOne.IOC.ValidUntil | String | Threat Intelligence indicator expiration time. |
#
Command Example!sentinelone-get-iocs account_ids="1068029618885547693" upload_time_gte="2022-04-25T07:52:09.428858Z" upload_time_lte="2022-06-30T07:52:09.428858Z"
#
sentinelone-create-power-queryStart a Deep Visibility Power query to get back status and potential results (ping afterwards using the queryId if query has not finished). Relevant for API version 2.1
#
Base Commandsentinelone-create-power-query
#
InputArgument Name | Description | Required |
---|---|---|
query | Events matching the query search term will be returned. | Required |
from_date | Events created after this timestamp. | Required |
to_date | Events created before or at this timestamp. | Required |
limit | Limit number of returned items (1-100000). | Optional |
#
Context OutputThe context outputs are based on the power query
#
Command Example!sentinelone-create-power-query query="event.time = * | columns eventTime = event.time, agentUuid = agent.uuid" from_date="2022-06-05T04:49:26.257525Z" to_date="2022-06-07T04:49:26.257525Z"
#
sentinelone-ping-power-queryPing a Deep Visibility Power query using the queryId argument if results have not returned from an initial Power query or a previous ping. Relevant for API version 2.1.
#
Base Commandsentinelone-ping-power-query
#
InputArgument Name | Description | Required |
---|---|---|
queryId | QueryId. | Required |
#
Context OutputThe context outputs are based on the power query
#
Command Example!sentinelone-ping-power-query queryId="pqe18ccaaa69fedc65889eb155dbe039"
#
sentinelone-update-threats-statusUpdates the incident status to a group of threats that match the specified input filter. Relevant for API version 2.1.
#
Base Commandsentinelone-update-threats-status
#
InputArgument Name | Description | Required |
---|---|---|
status | Incident status. Possible values are: in_progress, resolved, unresolved. | Required |
threat_ids | A comma-separated list of threat IDs. | Required |
#
Command Example!sentinelone-update-threats-status status=in_progress threat_ids=67683743445454363
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Threat.ID | String | The threat ID. |
SentinelOne.Threat.Updated | Boolean | Whether the threat was successfully updated. |
SentinelOne.Threat.Status | String | Name of the status performed on the threats. |
#
sentinelone-update-alerts-statusUpdates the incident status to a group of alerts that match the specified input filter. Relevant for API version 2.1.
#
Base Commandsentinelone-update-alerts-status
#
InputArgument Name | Description | Required |
---|---|---|
status | Incident status. Possible values are: in_progress, resolved, unresolved. | Required |
alert_ids | A comma-separated list of alert IDs. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Alert.ID | String | The alert ID. |
SentinelOne.Alert.Updated | Boolean | Whether the alert was successfully updated. |
SentinelOne.Alert.Status | String | The status performed on the alerts. |
#
Command Example!sentinelone-update-alerts-status status=in_progress alert_ids=36386764344636343
#
sentinelone-expire-siteExpire the site of the given ID
#
Base Commandsentinelone-expire-site
#
InputArgument Name | Description | Required |
---|---|---|
site_id | A valid site ID. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Site.ID | String | The site ID. |
SentinelOne.Site.Name | String | The site name. |
SentinelOne.Site.State | String | The site state. |
SentinelOne.Site.SKU | String | The SKU of product features active for this site. |
SentinelOne.Site.SiteType | String | The site type. |
SentinelOne.Site.Suite | String | The site suite. |
SentinelOne.Site.TotalLicenses | String | The total licenses. |
SentinelOne.Site.AccountID | String | The account ID. |
SentinelOne.Site.Creator | String | Full name of the creating user. |
SentinelOne.Site.CreatorID | String | ID of the creating user. |
SentinelOne.Site.Description | String | Description of the site. |
SentinelOne.Site.Expiration | String | Expiration date of the site. |
#
sentinelone-fetch-threat-fileFetch a file associated with the threat that matches the filter.
#
Base Commandsentinelone-fetch-threat-file
#
InputArgument Name | Description | Required |
---|---|---|
threat_id | Please provide the Valid Threat ID. Example: 14629133470822878. | Required |
password | File encryption password. (At least 10 characters, three out of this list "uppercase", "lowercase", "digits" and "symbols" are mandatory. Maximum length is 256 characters.). | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Threat.ID | String | The threat ID. |
SentinelOne.Threat.Downloadable | Boolean | Whether the file is downloadable. |
SentinelOne.Threat.ZippedFile | String | Details of the zipped folder. |
#
Command Example!sentinelone-fetch-threat-file threat_ids=106802961889425793 password=Mypassword1!
#
sentinelone-get-alertsGet the list of alerts that matches the filter provided. Relevant for API version 2.1.
#
Base Commandsentinelone-get-alerts
#
InputArgument Name | Description | Required |
---|---|---|
created_from | Greater than or equal to the time created. Example: "2018-02-27T04:49:26.257525Z". | Required |
created_until | Less than or equal to the time created. Example: "2018-02-27T04:49:26.257525Z". | Required |
ruleName | Free-text filter by rule name. Example: "rule1". | Optional |
incidentStatus | Incident status. Example: "IN_PROGRESS". | Optional |
analystVerdict | Analyst verdict. Example: "TRUE_POSITIVE". | Optional |
alert_ids | A comma-separated list of alert IDs. | Optional |
limit | Limit number of returned items (1-1000). Default is 1000. | Optional |
site_ids | A comma-separated list of site IDs to filter by. Example: "225494730938493804,225494730938493915". | Optional |
cursor | Cursor position returned by the last request. Should be used for iterating over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Alert.EventType | String | Event type. |
SentinelOne.Alert.RuleName | String | The rule name. |
SentinelOne.Alert.SrcProcUser | String | Source process user. |
SentinelOne.Alert.SrcProcName | String | Source process name. |
SentinelOne.Alert.SrcProcPath | String | Source process file path. |
SentinelOne.Alert.SrcProcCommandline | String | The command line |
SentinelOne.Alert.SrcProcSHA1 | String | Source process SHA1 file hash. |
SentinelOne.Alert.SrcProcStartTime | String | PID start time. |
SentinelOne.Alert.SrcProcStorylineId | String | Source process story line ID. |
SentinelOne.Alert.SrcParentProcName | String | Source parent process name. |
SentinelOne.Alert.SrcParentProcPath | String | Source parent process file path. |
SentinelOne.Alert.SrcParentProcCommandline | String | Source parent process command line. |
SentinelOne.Alert.SrcParentProcStartTime | String | PID start time. |
SentinelOne.Alert.SrcParentProcUser | String | Source parent process user. |
SentinelOne.Alert.SrcParentProcSHA1 | String | Source parent process SHA1 file hash. |
SentinelOne.Alert.SrcProcSignerIdentity | String | Source process file signer identity. |
SentinelOne.Alert.SrcParentProcSignerIdentity | String | Source parent process file signer identity. |
SentinelOne.Alert.AlertCreatedAt | String | The the alert was created. |
SentinelOne.Alert.AlertId | String | Alert ID. |
SentinelOne.Alert.AnalystVerdict | String | Analyst verdict. |
SentinelOne.Alert.IncidentStatus | String | Incident status |
SentinelOne.Alert.EndpointName | String | Endpoint name |
SentinelOne.Alert.AgentId | String | Agent ID. |
SentinelOne.Alert.AgentUUID | String | Agent UUID. |
SentinelOne.Alert.dvEventId | String | Deep Visibility event ID. |
SentinelOne.Alert.AgentOS | String | Agent operating system. |
SentinelOne.Alert.AgentVersion | String | Agent version. |
SentinelOne.Alert.SiteId | String | Site ID. |
SentinelOne.Alert.RuleId | String | Rule ID. |
#
Command Example!sentinelone-get-alerts created_from=2012-02-27T04:49:26.257525Z created_until=2012-05-27T04:49:26.257525Z
#
sentinelone-get-installed-applicationsGet the installed applications for a specific agent.
#
Base Commandsentinelone-get-installed-applications
#
InputArgument Name | Description | Required |
---|---|---|
agent_ids | A comma-separated list of agent IDs. Example: 14629133470822878,14627455454652878. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Application.Name | String | The application name. |
SentinelOne.Application.Publisher | String | The publisher. |
SentinelOne.Application.Size | String | The size of the application in bytes. |
SentinelOne.Application.Version | String | The version of the application. |
SentinelOne.Application.InstalledOn | String | The date the application was installed. |
#
Command Example!sentinelone-get-installed-applications agent_ids="1463801667584541849,1463801667584545236"
#
sentinelone-initiate-endpoint-scanInitiate the endpoint virus scan on provided agent IDs.
#
Base Commandsentinelone-initiate-endpoint-scan
#
InputArgument Name | Description | Required |
---|---|---|
agent_ids | A comma-separated list of Agent IDs. Example: 14629133470822878,14627455454652878. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.Agent.AgentID | String | The Agent ID. |
SentinelOne.Agent.Initiated | Boolean | Whether the scan was initiated. |
#
Command Example!sentinelone-initiate-endpoint-scan agent_ids="1463801667584541849,1463801667584545236"
#
sentinelone-remove-item-from-whitelistRemove an item from the SentinelOne exclusion list
#
Base Commandsentinelone-remove-item-from-whitelist
#
InputArgument Name | Description | Required |
---|---|---|
item | Value of the item to be removed from the exclusion list. | Required |
os_type | OS type. Can be "windows", "windows_legacy", "macos", or "linux". Possible values are: windows, windows_legacy, macos, linux. | Optional |
exclusion_type | Exclusion item type. The options are: file_type, path, white_hash, certificate, or browser. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
SentinelOne.RemoveItemFromWhitelist.item | String | Item removed fom whitelist. |
SentinelOne.RemoveItemFromWhitelist.status | String | Status on if items were removed from whitelist or not found on whitelist. |
#
Command Example!sentinelone-remove-item-from-whitelist item="31cb594e8f688521a24dd6f95b95508de42d870d" exclusion_type="white_hash" os_type="windows"