# SentinelOne v2

This Integration is part of the SentinelOne Pack.

Use the SentinelOne integration to send requests to your management server and get responses with data pulled from agents or from the management database. This integration was integrated and tested with versions 2.0 and 2.1 of SentinelOne V2.

## Configure SentinelOne V2 on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for SentinelOne V2.
3. Click Add instance to create and configure a new integration instance.

    | Parameter | Required |
    | --- | --- |
    | Server URL (e.g., https://usea1.sentinelone.net) | True |
    | API Token | True |
    | API Version | True |
    | Trust any certificate (not secure) | False |
    | Use system proxy settings | False |
    | Fetch incidents | False |
    | Incident type | False |
    | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year) | False |
    | Minimum risk score for importing incidents (0-10), where 0 is low risk and 10 is high risk. Relevant for API version 2.0. | False |
    | Fetch limit: the maximum number of incidents to fetch | False |
    | Site IDs: comma-separated list of Site IDs to fetch incidents for (leave blank to fetch all sites) | False |

4. Click Test to validate the URLs, token, and connection.

## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### sentinelone-list-agents

Returns all agents that match the specified criteria.

#### Base Command

`sentinelone-list-agents`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| computer_name | Filter by computer name. | Optional |
| scan_status | A comma-separated list of scan statuses by which to filter the results, for example: "started,aborted". Possible values are: started, none, finished, aborted. | Optional |
| os_type | Included OS types, for example: "windows". Possible values are: windows, windows_legacy, macos, linux. | Optional |
| created_at | Endpoint creation timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
| min_active_threats | Minimum number of threats per agent. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Agents.NetworkStatus | string | The agent network status. |
| SentinelOne.Agents.ID | string | The agent ID. |
| SentinelOne.Agents.AgentVersion | string | The agent software version. |
| SentinelOne.Agents.IsDecommissioned | boolean | Whether the agent is decommissioned. |
| SentinelOne.Agents.IsActive | boolean | Whether the agent is active. |
| SentinelOne.Agents.LastActiveDate | date | When the agent was last active. |
| SentinelOne.Agents.RegisteredAt | date | The registration date of the agent. |
| SentinelOne.Agents.ExternalIP | string | The agent IP address. |
| SentinelOne.Agents.ThreatCount | number | Number of active threats. |
| SentinelOne.Agents.EncryptedApplications | boolean | Whether disk encryption is enabled. |
| SentinelOne.Agents.OSName | string | Name of the operating system. |
| SentinelOne.Agents.ComputerName | string | Name of the agent computer. |
| SentinelOne.Agents.Domain | string | Domain name of the agent. |
| SentinelOne.Agents.CreatedAt | date | Creation time of the agent. |
| SentinelOne.Agents.SiteName | string | Site name associated with the agent. |

#### Command Example

```
!sentinelone-list-agents
```

#### Context Example

```json
{
  "SentinelOne": {
    "Agents": {
      "AgentVersion": "3.1.3.38",
      "ComputerName": "EC2AMAZ-AJ0KANC",
      "CreatedAt": "2019-06-27T08:01:05.571895Z",
      "Domain": "WORKGROUP",
      "EncryptedApplications": false,
      "ExternalIP": "8.88.8.8",
      "ID": "657613730168123595",
      "IsActive": false,
      "IsDecommissioned": true,
      "LastActiveDate": "2020-02-20T00:26:33.955830Z",
      "NetworkStatus": "connecting",
      "OSName": "Windows Server 2016",
      "RegisteredAt": "2019-06-27T08:01:05.567249Z",
      "SiteName": "demisto",
      "ThreatCount": 0
    }
  }
}
```

#### Human Readable Output

##### Sentinel One - List of Agents

Provides summary information and details for all the agents that matched your search criteria.

| Agent Version | Computer Name | Created At | Domain | Encrypted Applications | External IP | ID | Is Active | Is Decommissioned | Last Active Date | Network Status | OS Name | Registered At | Site Name | Threat Count |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 3.1.3.38 | EC2AMAZ-AJ0KANC | 2019-06-27T08:01:05.571895Z | WORKGROUP | false | 8.88.8.8 | 657613730168123595 | false | true | 2020-02-20T00:26:33.955830Z | connecting | Windows Server 2016 | 2019-06-27T08:01:05.567249Z | demisto | 0 |

### sentinelone-create-white-list-item

Creates an exclusion item that matches the specified input filter.

#### Base Command

`sentinelone-create-white-list-item`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| exclusion_type | Exclusion item type. Possible values are: file_type, path, white_hash, certificate, browser. | Required |
| exclusion_value | Value of the exclusion item for the exclusion list. | Required |
| os_type | OS type. OS type is required for hash exclusions. Possible values are: windows, windows_legacy, macos, linux. | Required |
| description | Description for the exclusion item. | Optional |
| exclusion_mode | Exclusion mode (path exclusions only). Possible values are: suppress, disable_in_process_monitor_deep, disable_in_process_monitor, disable_all_monitors, disable_all_monitors_deep. | Optional |
| path_exclusion_type | Excluded path for a path exclusion list. | Optional |
| group_ids | A comma-separated list of group IDs by which to filter. | Optional |
| site_ids | A comma-separated list of site IDs by which to filter. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Exclusions.ID | string | The whitelisted entity ID. |
| SentinelOne.Exclusions.Type | string | The whitelisted item type. |
| SentinelOne.Exclusions.CreatedAt | date | Time when the whitelist item was created. |

### sentinelone-get-white-list

Lists all exclusion items that match the specified input filter.

#### Base Command

`sentinelone-get-white-list`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| item_ids | List of IDs by which to filter, for example: "225494730938493804,225494730938493915". | Optional |
| os_types | A comma-separated list of OS types by which to filter, for example: "windows, linux". Possible values are: windows, windows_legacy, macos, linux. | Optional |
| exclusion_type | Exclusion type. Possible values are: file_type, path, white_hash, certificate, browser. | Optional |
| limit | The maximum number of items to return. Default is 10. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Exclusions.ID | string | The exclusion item ID. |
| SentinelOne.Exclusions.Type | string | The exclusion item type. |
| SentinelOne.Exclusions.CreatedAt | date | Timestamp when the exclusion item was added. |
| SentinelOne.Exclusions.Value | string | Value of the exclusion item. |
| SentinelOne.Exclusions.Source | string | Source of the exclusion item. |
| SentinelOne.Exclusions.UserID | string | User ID of the user that added the exclusion item. |
| SentinelOne.Exclusions.UpdatedAt | date | Timestamp when the exclusion item was updated. |
| SentinelOne.Exclusions.OsType | string | OS type of the exclusion item. |
| SentinelOne.Exclusions.UserName | string | User name of the user that added the exclusion item. |
| SentinelOne.Exclusions.Mode | string | Exclusion mode of the item (path exclusions only), for example: "suppress". |

#### Command Example

```
!sentinelone-get-white-list os_types=windows exclusion_type=path
```

#### Context Example

```json
{
  "SentinelOne": {
    "Exclusions": {
      "CreatedAt": "2020-10-25T14:09:58.928251Z",
      "ID": "1010040403583584993",
      "Mode": "suppress",
      "OsType": "windows",
      "Source": "user",
      "Type": "path",
      "UpdatedAt": "2020-10-25T14:09:58.921789Z",
      "UserID": "475482955872052394",
      "UserName": "XSOAR User",
      "Value": "*/test/"
    }
  }
}
```

#### Human Readable Output

##### Sentinel One - Listing exclusion items

Provides summary information and details for all the exclusion items that matched your search criteria.

| CreatedAt | ID | Mode | OsType | Source | Type | UpdatedAt | UserID | UserName | Value |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2020-10-25T14:09:58.928251Z | 1010040403583584993 | suppress | windows | user | path | 2020-10-25T14:09:58.921789Z | 475482955872052394 | XSOAR User | */test/ |
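Exclusions created with sentinelone-create-white-list-item reduce what the agent sees, so the list returned by sentinelone-get-white-list is worth auditing periodically. The helper below is an added example, not part of the integration: it takes the entries the command writes under SentinelOne.Exclusions (the page's `*/test/` entry plus constructed ones) and flags broad wildcard paths and exclusion modes that switch monitoring off rather than merely suppressing alerts. The severity ordering of the modes is an assumption read off their names.

```python
"""Audit exclusion items returned by sentinelone-get-white-list.

Hypothetical helper, not part of the XSOAR SentinelOne integration.
"""
from __future__ import annotations

# Modes the exclusion_mode argument accepts. "suppress" only hides alerts;
# the others reduce or disable monitoring (assumed ordering based on the names).
MODE_SEVERITY = {
    "suppress": 0,
    "disable_in_process_monitor": 1,
    "disable_in_process_monitor_deep": 2,
    "disable_all_monitors": 3,
    "disable_all_monitors_deep": 4,
}


def is_broad_path(value: str) -> bool:
    """True when a path exclusion starts with a wildcard and the fixed part
    that remains is at most one path component deep (e.g. "*/test/")."""
    stripped = value.strip()
    if stripped in ("*", "*/", "/*", "\\*", "*\\"):
        return True
    fixed = stripped.replace("*", "").strip("/\\")
    return stripped.startswith("*") and fixed.count("/") + fixed.count("\\") == 0


def audit_exclusions(exclusions: list[dict]) -> list[dict]:
    """Return one finding per exclusion item that deserves a second look."""
    findings = []
    for item in exclusions:
        reasons = []
        ex_type = item.get("Type")
        mode = item.get("Mode") or "suppress"
        value = item.get("Value") or ""
        if ex_type == "path":
            if is_broad_path(value):
                reasons.append("broad wildcard path")
            severity = MODE_SEVERITY.get(mode, 0)
            if severity >= MODE_SEVERITY["disable_all_monitors"]:
                reasons.append(f"mode {mode} disables all monitoring under the path")
            elif severity > 0:
                reasons.append(f"mode {mode} reduces monitoring under the path")
        if ex_type == "white_hash" and not item.get("OsType"):
            # The page states OS type is required for hash exclusions.
            reasons.append("hash exclusion without OS type")
        if reasons:
            findings.append({
                "ID": item.get("ID"), "Type": ex_type, "Value": value, "Mode": mode,
                "UserName": item.get("UserName"), "Reasons": reasons,
            })
    # Most permissive mode first, then by ID for a stable report order.
    findings.sort(key=lambda f: (-MODE_SEVERITY.get(f["Mode"], 0), f["ID"]))
    return findings


# Constructed sample: the first entry is the page's context example, the rest are made up.
SAMPLE_EXCLUSIONS = [
    {"CreatedAt": "2020-10-25T14:09:58.928251Z", "ID": "1010040403583584993",
     "Mode": "suppress", "OsType": "windows", "Source": "user", "Type": "path",
     "UpdatedAt": "2020-10-25T14:09:58.921789Z", "UserID": "475482955872052394",
     "UserName": "XSOAR User", "Value": "*/test/"},
    {"ID": "2000000000000000001", "Mode": "suppress", "OsType": "windows",  # narrow vendor path
     "Source": "user", "Type": "path", "UserName": "XSOAR User",
     "Value": "C:\\Program Files\\Vendor\\agent\\"},
    {"ID": "2000000000000000002", "Mode": "disable_all_monitors_deep",       # monitoring off
     "OsType": "windows", "Source": "user", "Type": "path",
     "UserName": "XSOAR User", "Value": "C:\\Temp\\build\\"},
    {"ID": "2000000000000000003", "Mode": None, "OsType": "linux",          # hash with OS type
     "Source": "user", "Type": "white_hash", "UserName": "XSOAR User",
     "Value": "3395856ce81f2b7382dee72602f798b642f14140"},
]

if __name__ == "__main__":
    for finding in audit_exclusions(SAMPLE_EXCLUSIONS):
        print(finding["ID"], finding["Value"], "->", "; ".join(finding["Reasons"]))
```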

### sentinelone-get-hash

Gets the file reputation by a SHA1 hash.

#### Base Command

`sentinelone-get-hash`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hash | The content hash. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Hash.Rank | Number | The hash reputation (1-10). |
| SentinelOne.Hash.Hash | String | The content hash. |

#### Command Example

```
!sentinelone-get-hash hash=3395856ce81f2b7382dee72602f798b642f14140
```

#### Context Example

```json
{
  "SentinelOne": {
    "Hash": {
      "Hash": "3395856ce81f2b7382dee72602f798b642f14140",
      "Rank": "7"
    }
  }
}
```

#### Human Readable Output

##### Sentinel One - Hash Reputation

Provides hash reputation (rank from 0 to 10):

| Hash | Rank |
| --- | --- |
| 3395856ce81f2b7382dee72602f798b642f14140 | 7 |

### sentinelone-get-threats

Returns threats according to the specified filters.

#### Base Command

`sentinelone-get-threats`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| content_hash | The content hash of the threat. Supports a comma-separated list of hashes. | Optional |
| mitigation_status | A comma-separated list of mitigation statuses. Possible values are: mitigated, active, blocked, suspicious, pending, suspicious_resolved. | Optional |
| created_before | Searches for threats created before this timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
| created_after | Searches for threats created after this timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
| created_until | Searches for threats created on or before this timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
| created_from | Searches for threats created on or after this timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
| resolved | Whether to only return resolved threats. Possible values are: false, true. Default is false. | Optional |
| display_name | Threat display name. For API version 2.0 it can be a partial display name; an exact match is not required. | Optional |
| limit | The maximum number of threats to return. Default is 20. | Optional |
| query | Full free-text search over the fields content_hash, file_display_name, file_path, computer_name and uuid. | Optional |
| threat_ids | A comma-separated list of threat IDs, for example: "225494730938493804,225494730938493915". | Optional |
| classifications | A comma-separated list of threat classifications to search, for example: "Malware", "Network", "Benign". Possible values are: Engine, Static, Cloud, Behavioral. | Optional |
| rank | Risk level threshold to retrieve (1-10). Relevant for API version 2.0 only. | Optional |
| site_ids | A comma-separated list of Site IDs to search for threats, for example: "225494730938493804,225494730938493915". | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Threat.ID | String | The threat ID. |
| SentinelOne.Threat.AgentComputerName | String | The agent computer name. |
| SentinelOne.Threat.CreatedDate | Date | The threat creation date. |
| SentinelOne.Threat.SiteID | String | The site ID. |
| SentinelOne.Threat.Classification | string | The threat classification. |
| SentinelOne.Threat.ClassificationSource | string | Source of the threat classification. |
| SentinelOne.Threat.ConfidenceLevel | string | SentinelOne threat confidence level. |
| SentinelOne.Threat.FileSha256 | string | SHA256 hash of the file content. |
| SentinelOne.Threat.MitigationStatus | String | The agent mitigation status. |
| SentinelOne.Threat.AgentID | String | The threat agent ID. |
| SentinelOne.Threat.Rank | Number | The number representing the cloud reputation (1-10). |
| SentinelOne.Threat.MarkedAsBenign | Boolean | Whether the threat is marked as benign. Relevant for version 2.0 only. |

#### Command Example

```
!sentinelone-get-threats resolved=true
```

#### Context Example

```json
{
  "SentinelOne": {
    "Threat": [
      {
        "AgentComputerName": "EC2AMAZ-AJ0KANC",
        "AgentID": "657613730168123595",
        "AgentOsType": "windows",
        "Classification": "Malware",
        "ClassificationSource": "Static",
        "ConfidenceLevel": "malicious",
        "CreatedDate": "2019-09-15T12:05:49.095889Z",
        "FileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
        "FilePath": "\\Device\\HarddiskVolume1\\Users\\Administrator\\Downloads\\Unconfirmed 123490.crdownload",
        "ID": "715718962991148224",
        "MitigationStatus": "mitigated",
        "SiteID": "475482421366727779",
        "SiteName": "demisto",
        "ThreatName": "Unconfirmed 123490.crdownload",
        "Username": "EC2AMAZ-AJ0KANC\\Administrator"
      },
      {
        "AgentComputerName": "EC2AMAZ-AJ0KANC",
        "AgentID": "657613730168123595",
        "AgentOsType": "windows",
        "Classification": "Malware",
        "ClassificationSource": "Static",
        "ConfidenceLevel": "malicious",
        "CreatedDate": "2019-09-15T12:14:42.440985Z",
        "FileContentHash": "d8757a0396d05a1d532422827a70a7966c361366",
        "FilePath": "\\Device\\HarddiskVolume1\\Users\\Administrator\\Downloads\\Ncat Netcat Portable - CHIP-Installer.exe",
        "ID": "715723437013282014",
        "MitigationStatus": "mitigated",
        "SiteID": "475482421366727779",
        "SiteName": "demisto",
        "ThreatName": "Ncat Netcat Portable - CHIP-Installer.exe",
        "Username": "EC2AMAZ-AJ0KANC\\Administrator"
      }
    ]
  }
}
```

#### Human Readable Output

##### Sentinel One - Getting Threat List

Provides summary information and details for all the threats that matched your search criteria.

| ID | Agent Computer Name | Created Date | Site ID | Site Name | Classification | Mitigation Status | Confidence Level | Agent ID | File Content Hash |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 715718962991148224 | EC2AMAZ-AJ0KANC | 2019-09-15T12:05:49.095889Z | 475482421366727779 | demisto | Malware | mitigated | malicious | 657613730168123595 | 3395856ce81f2b7382dee72602f798b642f14140 |
| 715723437013282014 | EC2AMAZ-AJ0KANC | 2019-09-15T12:14:42.440985Z | 475482421366727779 | demisto | Malware | mitigated | malicious | 657613730168123595 | d8757a0396d05a1d532422827a70a7966c361366 |
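A playbook usually consumes the SentinelOne.Threat context by splitting it into threats that still need a mitigation action (sentinelone-mitigate-threat) and mitigated ones that can be closed (sentinelone-resolve-threat), while leaving anything an analyst has already marked benign alone. The triage below is an added example, not integration code; it assumes the threats were fetched with `resolved=false` (the default), uses the page's two sample threats plus constructed ones, and treats the `rank` threshold the same way the command's `rank` argument does.

```python
"""Triage the SentinelOne.Threat context into next commands.

Hypothetical helper, not part of the XSOAR SentinelOne integration.
"""
from __future__ import annotations

# Mitigation statuses listed for the mitigation_status argument on this page.
NEEDS_MITIGATION = {"active", "suspicious", "pending"}
ALREADY_HANDLED = {"mitigated", "blocked", "suspicious_resolved"}


def triage_threats(threats: list[dict], min_rank: int = 0) -> dict[str, list[str]]:
    """Sort threat IDs into "mitigate", "resolve" and "review" buckets.

    A threat is auto-mitigated only when SentinelOne calls it malicious, or when
    min_rank is set and the cloud reputation Rank reaches it. Everything else that
    is still unmitigated, or that an analyst marked benign, goes to review.
    """
    buckets: dict[str, list[str]] = {"mitigate": [], "resolve": [], "review": []}
    for t in threats:
        tid = t["ID"]
        status = (t.get("MitigationStatus") or "").lower()
        confidence = (t.get("ConfidenceLevel") or "").lower()
        rank = int(t.get("Rank") or 0)
        if t.get("MarkedAsBenign"):
            buckets["review"].append(tid)        # analyst decision recorded; never auto-act
        elif status in NEEDS_MITIGATION and (confidence == "malicious" or rank >= min_rank > 0):
            buckets["mitigate"].append(tid)
        elif status in NEEDS_MITIGATION:
            buckets["review"].append(tid)        # unmitigated but not confidently bad
        elif status in ALREADY_HANDLED:
            buckets["resolve"].append(tid)       # mitigated and unresolved: safe to close
        else:
            buckets["review"].append(tid)        # unknown status: do not guess
    return buckets


def build_commands(buckets: dict[str, list[str]], action: str = "quarantine") -> list[str]:
    """Render the War Room commands for the mitigate and resolve buckets."""
    cmds = []
    if buckets["mitigate"]:
        ids = ",".join(buckets["mitigate"])
        cmds.append(f"!sentinelone-mitigate-threat action={action} threat_ids={ids}")
    if buckets["resolve"]:
        cmds.append(f"!sentinelone-resolve-threat threat_ids={','.join(buckets['resolve'])}")
    return cmds


# Constructed sample: the first two threats are the page's context example, the rest are made up.
SAMPLE_THREATS = [
    {"AgentComputerName": "EC2AMAZ-AJ0KANC", "AgentID": "657613730168123595",
     "Classification": "Malware", "ConfidenceLevel": "malicious",
     "CreatedDate": "2019-09-15T12:05:49.095889Z", "ID": "715718962991148224",
     "MitigationStatus": "mitigated"},
    {"AgentComputerName": "EC2AMAZ-AJ0KANC", "AgentID": "657613730168123595",
     "Classification": "Malware", "ConfidenceLevel": "malicious",
     "CreatedDate": "2019-09-15T12:14:42.440985Z", "ID": "715723437013282014",
     "MitigationStatus": "mitigated"},
    {"AgentComputerName": "WKSTN-01", "AgentID": "900000000000000001",   # still active, malicious
     "Classification": "Malware", "ConfidenceLevel": "malicious", "Rank": 9,
     "ID": "900000000000000101", "MitigationStatus": "active"},
    {"AgentComputerName": "WKSTN-02", "AgentID": "900000000000000002",   # suspicious, low rank
     "Classification": "Static", "ConfidenceLevel": "suspicious", "Rank": 3,
     "ID": "900000000000000102", "MitigationStatus": "pending"},
    {"AgentComputerName": "WKSTN-02", "AgentID": "900000000000000002",   # analyst said benign
     "ConfidenceLevel": "suspicious", "Rank": 8, "MarkedAsBenign": True,
     "ID": "900000000000000103", "MitigationStatus": "suspicious"},
]

if __name__ == "__main__":
    result = triage_threats(SAMPLE_THREATS, min_rank=7)
    print(result)
    print("\n".join(build_commands(result)))
```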

### sentinelone-threat-summary

Returns a dashboard threat summary.

#### Base Command

`sentinelone-threat-summary`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group_ids | A comma-separated list of group IDs by which to filter, for example: "225494730938493804,225494730938493915". | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Threat.NotResolved | Number | Number of unresolved threats in the system. |
| SentinelOne.Threat.SuspiciousNotMitigatedNotResolved | Number | Number of unmitigated suspicious threats in the system. |
| SentinelOne.Threat.SuspiciousNotResolved | Number | Number of unresolved suspicious threats in the system. |
| SentinelOne.Threat.Resolved | Number | Number of resolved threats in the system. |
| SentinelOne.Threat.InProgress | Number | Number of active threats in the system. |
| SentinelOne.Threat.Total | Number | Total number of threats in the system. |
| SentinelOne.Threat.NotMitigated | Number | Number of unmitigated threats in the system. |
| SentinelOne.Threat.MaliciousNotResolved | Number | Number of unresolved malicious threats in the system. |
| SentinelOne.Threat.NotMitigatedNotResolved | Number | Number of unmitigated and unresolved threats in the system. |

#### Command Example

```
!sentinelone-threat-summary group_ids="475482421375116388,764073410272419896"
```

#### Context Example

```json
{
  "SentinelOne": {
    "Threat": {
      "InProgress": 0,
      "MaliciousNotResolved": 0,
      "NotMitigated": 0,
      "NotMitigatedNotResolved": 0,
      "NotResolved": 0,
      "Resolved": 14,
      "SuspiciousNotMitigatedNotResolved": 0,
      "SuspiciousNotResolved": 0,
      "Total": 14
    }
  }
}
```

#### Human Readable Output

##### Sentinel One - Dashboard Threat Summary

| In Progress | Malicious Not Resolved | Not Mitigated | Not Mitigated Not Resolved | Not Resolved | Resolved | Suspicious Not Mitigated Not Resolved | Suspicious Not Resolved | Total |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 0 | 0 | 0 | 0 | 0 | 14 | 0 | 0 | 14 |

### sentinelone-mark-as-threat

Marks suspicious threats as threats.

#### Base Command

`sentinelone-mark-as-threat`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| threat_ids | A comma-separated list of threat IDs. | Optional |
| target_scope | Scope to use for exclusions. Possible values are: site, tenant. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Threat.ID | String | The threat ID. |
| SentinelOne.Threat.MarkedAsThreat | Boolean | Whether the suspicious threat was successfully marked as a threat. |

### sentinelone-mitigate-threat

Applies a mitigation action to a group of threats that match the specified input filter.

#### Base Command

`sentinelone-mitigate-threat`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| action | Mitigation action. Possible values are: kill, quarantine, un-quarantine, remediate, rollback-remediation. | Required |
| threat_ids | A comma-separated list of threat IDs. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Threat.ID | String | The threat ID. |
| SentinelOne.Threat.Mitigated | Boolean | Whether the threat was successfully mitigated. |
| SentinelOne.Threat.Mitigation.Action | Number | Number of threats affected. |

### sentinelone-resolve-threat

Resolves threats using the threat ID.

#### Base Command

`sentinelone-resolve-threat`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| threat_ids | A comma-separated list of threat IDs. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Threat.ID | String | The threat ID. |
| SentinelOne.Threat.Resolved | Boolean | Whether the threat was successfully resolved. |

### sentinelone-get-agent

Returns the details of an agent according to the agent ID.

#### Base Command

`sentinelone-get-agent`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | A comma-separated list of agent IDs. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Agent.NetworkStatus | string | The agent network status. |
| SentinelOne.Agent.ID | string | The agent ID. |
| SentinelOne.Agent.AgentVersion | string | The agent software version. |
| SentinelOne.Agent.IsDecommissioned | boolean | Whether the agent is decommissioned. |
| SentinelOne.Agent.IsActive | boolean | Whether the agent is active. |
| SentinelOne.Agent.LastActiveDate | date | When the agent was last active. |
| SentinelOne.Agent.RegisteredAt | date | The registration date of the agent. |
| SentinelOne.Agent.ExternalIP | string | The agent IP address. |
| SentinelOne.Agent.ThreatCount | number | Number of active threats. |
| SentinelOne.Agent.EncryptedApplications | boolean | Whether disk encryption is enabled. |
| SentinelOne.Agent.OSName | string | Name of the operating system. |
| SentinelOne.Agent.ComputerName | string | Name of the agent computer. |
| SentinelOne.Agent.Domain | string | Domain name of the agent. |
| SentinelOne.Agent.CreatedAt | date | Agent creation time. |
| SentinelOne.Agent.SiteName | string | Site name associated with the agent. |

#### Command Example

```
!sentinelone-get-agent agent_id=657613730168123595
```

#### Context Example

```json
{
  "SentinelOne": {
    "Agent": {
      "AgentVersion": "3.1.3.38",
      "ComputerName": "EC2AMAZ-AJ0KANC",
      "CreatedAt": "2019-06-27T08:01:05.571895Z",
      "Domain": "WORKGROUP",
      "EncryptedApplications": false,
      "ExternalIP": "8.88.8.8",
      "ID": "657613730168123595",
      "IsActive": false,
      "IsDecommissioned": true,
      "LastActiveDate": "2020-02-20T00:26:33.955830Z",
      "NetworkStatus": "connecting",
      "OSName": "Windows Server 2016",
      "RegisteredAt": "2019-06-27T08:01:05.567249Z",
      "SiteName": "demisto",
      "ThreatCount": 0
    }
  }
}
```

#### Human Readable Output

##### Sentinel One - Get Agent Details

| Agent Version | Computer Name | Created At | Domain | Encrypted Applications | External IP | ID | Is Active | Is Decommissioned | Last Active Date | Network Status | OS Name | Registered At | Site Name | Threat Count |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 3.1.3.38 | EC2AMAZ-AJ0KANC | 2019-06-27T08:01:05.571895Z | WORKGROUP | false | 8.88.8.8 | 657613730168123595 | false | true | 2020-02-20T00:26:33.955830Z | connecting | Windows Server 2016 | 2019-06-27T08:01:05.567249Z | demisto | 0 |

### sentinelone-get-sites

Returns all sites that match the specified criteria.

#### Base Command

`sentinelone-get-sites`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| updated_at | Timestamp of the last update, for example: "2018-02-27T04:49:26.257525Z". | Optional |
| query | Full-text search for fields: name, account_name. | Optional |
| site_type | Site type. Possible values are: Trial, Paid, POC, DEV, NFR. | Optional |
| features | Returns sites that support the specified features. Possible values are: firewall-control, device-control, ioc. | Optional |
| state | Site state. Possible values are: active, deleted, expired. | Optional |
| suite | The suite of product features active for this site. Possible values are: Core, Complete. | Optional |
| admin_only | Sites for which the user has admin privileges. Possible values are: true, false. | Optional |
| account_id | Account ID, for example: "225494730938493804". | Optional |
| site_name | Site name, for example: "My Site". | Optional |
| created_at | Timestamp of the site creation, for example: "2018-02-27T04:49:26.257525Z". | Optional |
| limit | Maximum number of results to return. Default is 50. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Site.Creator | string | The site creator name. |
| SentinelOne.Site.Name | string | The site name. |
| SentinelOne.Site.Type | string | The site type. |
| SentinelOne.Site.AccountName | string | The site account name. |
| SentinelOne.Site.State | string | The site state. |
| SentinelOne.Site.HealthStatus | boolean | The health status of the site. |
| SentinelOne.Site.Suite | string | The suite to which the site belongs. |
| SentinelOne.Site.ActiveLicenses | number | Number of active licenses for the site. |
| SentinelOne.Site.ID | string | ID of the site. |
| SentinelOne.Site.TotalLicenses | number | Number of total licenses for the site. |
| SentinelOne.Site.CreatedAt | date | Timestamp when the site was created. |
| SentinelOne.Site.Expiration | string | Timestamp when the site will expire. |
| SentinelOne.Site.UnlimitedLicenses | boolean | Whether the site has unlimited licenses. |

#### Command Example

```
!sentinelone-get-sites
```

#### Context Example

```json
{
  "SentinelOne": {
    "Site": {
      "AccountName": "SentinelOne",
      "ActiveLicenses": 0,
      "CreatedAt": "2018-10-19T00:58:41.644879Z",
      "Creator": "XSOAR User",
      "Expiration": null,
      "HealthStatus": true,
      "ID": "475482421366727779",
      "Name": "demisto",
      "State": "active",
      "Suite": "Complete",
      "TotalLicenses": 0,
      "Type": "Paid",
      "UnlimitedLicenses": true
    }
  }
}
```

#### Human Readable Output

##### Sentinel One - Getting List of Sites

Provides summary information and details for all sites that matched your search criteria.

| Account Name | Active Licenses | Created At | Creator | Health Status | ID | Name | State | Suite | Total Licenses | Type | Unlimited Licenses |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| SentinelOne | 0 | 2018-10-19T00:58:41.644879Z | XSOAR User | true | 475482421366727779 | demisto | active | Complete | 0 | Paid | true |

### sentinelone-get-site

Returns information about the site, according to the site ID.

#### Base Command

`sentinelone-get-site`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| site_id | ID of the site. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Site.Creator | string | The site creator name. |
| SentinelOne.Site.Name | string | The site name. |
| SentinelOne.Site.Type | string | The site type. |
| SentinelOne.Site.AccountName | string | The site account name. |
| SentinelOne.Site.State | string | The site state. |
| SentinelOne.Site.HealthStatus | boolean | The health status of the site. |
| SentinelOne.Site.Suite | string | The suite to which the site belongs. |
| SentinelOne.Site.ActiveLicenses | number | Number of active licenses for the site. |
| SentinelOne.Site.ID | string | ID of the site. |
| SentinelOne.Site.TotalLicenses | number | Number of total licenses for the site. |
| SentinelOne.Site.CreatedAt | date | Timestamp when the site was created. |
| SentinelOne.Site.Expiration | string | Timestamp when the site will expire. |
| SentinelOne.Site.UnlimitedLicenses | boolean | Whether the site has unlimited licenses. |
| SentinelOne.Site.AccountID | string | Site account ID. |
| SentinelOne.Site.IsDefault | boolean | Whether the site is the default site. |

#### Command Example

```
!sentinelone-get-site site_id=475482421366727779
```

#### Context Example

```json
{
  "SentinelOne": {
    "Site": {
      "AccountID": "433241117337583618",
      "AccountName": "SentinelOne",
      "ActiveLicenses": 0,
      "CreatedAt": "2018-10-19T00:58:41.644879Z",
      "Creator": "XSOAR User",
      "Expiration": null,
      "HealthStatus": true,
      "ID": "475482421366727779",
      "IsDefault": false,
      "Name": "demisto",
      "State": "active",
      "Suite": "Complete",
      "TotalLicenses": 0,
      "Type": "Paid",
      "UnlimitedLicenses": true
    }
  }
}
```

#### Human Readable Output

##### Sentinel One - Summary About Site: 475482421366727779

Provides summary information and details for the specified site ID.

| Account ID | Account Name | Active Licenses | Created At | Creator | Health Status | ID | Is Default | Name | State | Suite | Total Licenses | Type | Unlimited Licenses |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 433241117337583618 | SentinelOne | 0 | 2018-10-19T00:58:41.644879Z | XSOAR User | true | 475482421366727779 | false | demisto | active | Complete | 0 | Paid | true |

### sentinelone-reactivate-site

Reactivates an expired site.

#### Base Command

`sentinelone-reactivate-site`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| site_id | Site ID, for example: "225494730938493804". | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Site.ID | string | Site ID. |
| SentinelOne.Site.Reactivated | boolean | Whether the site was reactivated. |

### sentinelone-get-activities

Returns a list of activities.

#### Base Command

`sentinelone-get-activities`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| created_after | Return activities created after this timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
| user_emails | Email address of the user who invoked the activity (if applicable). | Optional |
| group_ids | List of group IDs by which to filter, for example: "225494730938493804,225494730938493915". | Optional |
| created_until | Return activities created on or before this timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
| include_hidden | Include internal activities hidden from display. Possible values are: true, false. | Optional |
| activities_ids | A comma-separated list of activity IDs by which to filter, for example: "225494730938493804,225494730938493915". | Optional |
| created_before | Return activities created before this timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
| threats_ids | A comma-separated list of threat IDs for which to return activities, for example: "225494730938493804,225494730938493915". | Optional |
| activity_types | A comma-separated list of activity codes to return, for example: "52,53,71,72". | Optional |
| user_ids | A comma-separated list of user IDs for users that invoked the activity (if applicable), for example: "225494730938493804,225494730938493915". | Optional |
| created_from | Return activities created on or after this timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
| created_between | Return activities created within this range (inclusive), for example: "1514978764288-1514978999999". | Optional |
| agent_ids | Return activities related to the specified agents, for example: "225494730938493804,225494730938493915". | Optional |
| limit | Maximum number of items to return (1-100). | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Activity.AgentID | String | Related agent (if applicable). |
| SentinelOne.Activity.AgentUpdatedVersion | String | Agent's new version (if applicable). |
| SentinelOne.Activity.SiteID | String | Related site (if applicable). |
| SentinelOne.Activity.UserID | String | The user who invoked the activity (if applicable). |
| SentinelOne.Activity.SecondaryDescription | String | Secondary description. |
| SentinelOne.Activity.OsFamily | String | Agent's OS type (if applicable). Can be "linux", "macos", "windows", or "windows_legacy". |
| SentinelOne.Activity.ActivityType | Number | Activity type. |
| SentinelOne.Activity.data.SiteID | String | The site ID. |
| SentinelOne.Activity.data.SiteName | String | The site name. |
| SentinelOne.Activity.data.username | String | The name of the site creator. |
| SentinelOne.Activity.Hash | String | Threat file hash (if applicable). |
| SentinelOne.Activity.UpdatedAt | Date | Activity last updated time (UTC). |
| SentinelOne.Activity.Comments | String | Comments for the activity. |
| SentinelOne.Activity.ThreatID | String | Related threat (if applicable). |
| SentinelOne.Activity.PrimaryDescription | String | Primary description for the activity. |
| SentinelOne.Activity.GroupID | String | Related group (if applicable). |
| SentinelOne.Activity.ID | String | Activity ID. |
| SentinelOne.Activity.CreatedAt | Date | Activity creation time (UTC). |
| SentinelOne.Activity.Description | String | Extra activity information. |

#### Command Example

```
!sentinelone-get-activities
```

#### Context Example

```json
{
  "SentinelOne": {
    "Activity": [
      {
        "ActivityType": 61,
        "AgentID": "657613730168123595",
        "AgentUpdatedVersion": null,
        "Comments": null,
        "CreatedAt": "2020-01-12T20:16:44.594737Z",
        "Data": {
          "accountName": "SentinelOne",
          "computerName": "EC2AMAZ-AJ0KANC",
          "groupName": "Default Group",
          "siteName": "demisto",
          "username": "XSOAR User",
          "uuid": "f431b0a1a8744d2a8a92fc88fa3c13bc"
        },
        "Description": null,
        "GroupID": "475482421375116388",
        "Hash": null,
        "ID": "802214365638826164",
        "OsFamily": null,
        "PrimaryDescription": "The management user XSOAR User issued a disconnect from network command to the machine EC2AMAZ-AJ0KANC.",
        "SecondaryDescription": null,
        "SiteID": "475482421366727779",
        "ThreatID": null,
        "UpdatedAt": "2020-01-12T20:16:44.594743Z",
        "UserID": "475482955872052394"
      },
      {
        "ActivityType": 62,
        "AgentID": "657613730168123595",
        "AgentUpdatedVersion": null,
        "Comments": null,
        "CreatedAt": "2020-01-12T20:16:46.659017Z",
        "Data": {
          "accountName": "SentinelOne",
          "computerName": "EC2AMAZ-AJ0KANC",
          "groupName": "Default Group",
          "siteName": "demisto",
          "username": "XSOAR User",
          "uuid": "f431b0a1a8744d2a8a92fc88fa3c13bc"
        },
        "Description": null,
        "GroupID": "475482421375116388",
        "Hash": null,
        "ID": "802214382952913086",
        "OsFamily": null,
        "PrimaryDescription": "The management user XSOAR User issued a reconnect to network command to the machine EC2AMAZ-AJ0KANC.",
        "SecondaryDescription": null,
        "SiteID": "475482421366727779",
        "ThreatID": null,
        "UpdatedAt": "2020-01-12T20:16:46.659023Z",
        "UserID": "475482955872052394"
      },
      {
        "ActivityType": 1002,
        "AgentID": "657613730168123595",
        "AgentUpdatedVersion": null,
        "Comments": null,
        "CreatedAt": "2020-01-12T20:17:32.040670Z",
        "Data": {
          "computerName": "EC2AMAZ-AJ0KANC"
        },
        "Description": null,
        "GroupID": "475482421375116388",
        "Hash": null,
        "ID": "802214763636332743",
        "OsFamily": null,
        "PrimaryDescription": "Agent EC2AMAZ-AJ0KANC was connected to network.",
        "SecondaryDescription": null,
        "SiteID": "475482421366727779",
        "ThreatID": null,
        "UpdatedAt": "2020-01-12T20:17:32.038143Z",
        "UserID": null
      },
      {
        "ActivityType": 1001,
        "AgentID": "657613730168123595",
        "AgentUpdatedVersion": null,
        "Comments": null,
        "CreatedAt": "2020-01-12T20:17:42.815619Z",
        "Data": {
          "computerName": "EC2AMAZ-AJ0KANC"
        },
        "Description": null,
        "GroupID": "475482421375116388",
        "Hash": null,
        "ID": "802214854023583946",
        "OsFamily": null,
        "PrimaryDescription": "Agent EC2AMAZ-AJ0KANC was disconnected from network.",
        "SecondaryDescription": null,
        "SiteID": "475482421366727779",
        "ThreatID": null,
        "UpdatedAt": "2020-01-12T20:17:42.812834Z",
        "UserID": null
      }
    ]
  }
}
```

#### Human Readable Output

##### Sentinel One Activities

| ID | Primary Description | Data | User ID | Created At | Updated At |
| --- | --- | --- | --- | --- | --- |
| 802214365638826164 | The management user XSOAR User issued a disconnect from network command to the machine EC2AMAZ-AJ0KANC. | accountName: SentinelOne; computerName: EC2AMAZ-AJ0KANC; groupName: Default Group; siteName: demisto; username: XSOAR User; uuid: f431b0a1a8744d2a8a92fc88fa3c13bc | 475482955872052394 | 2020-01-12T20:16:44.594737Z | 2020-01-12T20:16:44.594743Z |
| 802214382952913086 | The management user XSOAR User issued a reconnect to network command to the machine EC2AMAZ-AJ0KANC. | accountName: SentinelOne; computerName: EC2AMAZ-AJ0KANC; groupName: Default Group; siteName: demisto; username: XSOAR User; uuid: f431b0a1a8744d2a8a92fc88fa3c13bc | 475482955872052394 | 2020-01-12T20:16:46.659017Z | 2020-01-12T20:16:46.659023Z |
| 802214763636332743 | Agent EC2AMAZ-AJ0KANC was connected to network. | computerName: EC2AMAZ-AJ0KANC | | 2020-01-12T20:17:32.040670Z | 2020-01-12T20:17:32.038143Z |
| 802214854023583946 | Agent EC2AMAZ-AJ0KANC was disconnected from network. | computerName: EC2AMAZ-AJ0KANC | | 2020-01-12T20:17:42.815619Z | 2020-01-12T20:17:42.812834Z |
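The activity feed above pairs management-issued containment commands (UserID set) with the agent's own confirmations (UserID null), which makes it the natural place to verify that a network isolation actually took effect. The check below is an added example, not integration code: it walks the SentinelOne.Activity list, matches each "disconnect from network" command with a later agent "was disconnected" activity for the same AgentID, and reports commands that were never confirmed or that were withdrawn by a reconnect first. The ActivityType codes 61, 62, 1001 and 1002 are taken from this page's sample output and assumed to carry the meanings shown there; the sample mixes the page's four activities with constructed ones.

```python
"""Verify network-containment commands against agent confirmations.

Hypothetical helper, not part of the XSOAR SentinelOne integration.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# Codes as they appear in the page's sample output (assumed meanings).
DISCONNECT_CMD, RECONNECT_CMD = 61, 62        # issued by a management user
AGENT_DISCONNECTED, AGENT_CONNECTED = 1001, 1002  # reported by the agent


def parse_ts(value: str) -> datetime:
    """Parse SentinelOne timestamps such as 2020-01-12T20:16:44.594737Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def check_containment(activities: list[dict], max_delay: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Return one record per disconnect command, stating whether the agent confirmed it.

    A command counts as confirmed when the same agent reports AGENT_DISCONNECTED
    within max_delay. A RECONNECT_CMD arriving before any confirmation means the
    isolation was withdrawn, which is reported separately so it is not mistaken
    for a failed command.
    """
    by_time = sorted(activities, key=lambda a: parse_ts(a["CreatedAt"]))
    results = []
    for i, act in enumerate(by_time):
        if act.get("ActivityType") != DISCONNECT_CMD:
            continue
        issued = parse_ts(act["CreatedAt"])
        confirmed_at = None
        withdrawn = False
        for later in by_time[i + 1:]:
            if later.get("AgentID") != act.get("AgentID"):
                continue
            when = parse_ts(later["CreatedAt"])
            if later.get("ActivityType") == RECONNECT_CMD:
                withdrawn = True
                break
            if later.get("ActivityType") == AGENT_DISCONNECTED and when - issued <= max_delay:
                confirmed_at = when
                break
        results.append({
            "ActivityID": act["ID"],
            "AgentID": act.get("AgentID"),
            "IssuedBy": act.get("UserID"),
            "IssuedAt": act["CreatedAt"],
            "Confirmed": confirmed_at is not None,
            "DelaySeconds": (confirmed_at - issued).total_seconds() if confirmed_at else None,
            "WithdrawnBeforeConfirm": withdrawn,
        })
    return results


# Constructed sample: the first four entries are the page's activities (trimmed to the
# fields this check reads); the last three are made up to show the other outcomes.
SAMPLE_ACTIVITIES = [
    {"ActivityType": 61, "AgentID": "657613730168123595", "ID": "802214365638826164",
     "CreatedAt": "2020-01-12T20:16:44.594737Z", "UserID": "475482955872052394"},
    {"ActivityType": 62, "AgentID": "657613730168123595", "ID": "802214382952913086",
     "CreatedAt": "2020-01-12T20:16:46.659017Z", "UserID": "475482955872052394"},
    {"ActivityType": 1002, "AgentID": "657613730168123595", "ID": "802214763636332743",
     "CreatedAt": "2020-01-12T20:17:32.040670Z", "UserID": None},
    {"ActivityType": 1001, "AgentID": "657613730168123595", "ID": "802214854023583946",
     "CreatedAt": "2020-01-12T20:17:42.815619Z", "UserID": None},
    {"ActivityType": 61, "AgentID": "900000000000000001", "ID": "900000000000000201",   # confirmed 8 s later
     "CreatedAt": "2020-01-12T21:00:00.000000Z", "UserID": "475482955872052394"},
    {"ActivityType": 1001, "AgentID": "900000000000000001", "ID": "900000000000000202",
     "CreatedAt": "2020-01-12T21:00:08.000000Z", "UserID": None},
    {"ActivityType": 61, "AgentID": "900000000000000002", "ID": "900000000000000203",   # never confirmed
     "CreatedAt": "2020-01-12T22:00:00.000000Z", "UserID": "475482955872052394"},
]

if __name__ == "__main__":
    for rec in check_containment(SAMPLE_ACTIVITIES):
        print(rec)
```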

sentinelone-get-groups#


Returns data for the specified group.

Base Command#

sentinelone-get-groups

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| group_type | Group type, for example: "static". | Optional |
| group_ids | A comma-separated list of group IDs by which to filter, for example: "225494730938493804,225494730938493915". | Optional |
| group_id | Group ID by which to filter, for example: "225494730938493804". | Optional |
| is_default | Whether this is the default group. Possible values are: true, false. | Optional |
| name | The name of the group. | Optional |
| query | Free-text search. | Optional |
| rank | The rank sets the priority of a dynamic group over others, for example, "1", which is the highest priority. | Optional |
| limit | Maximum number of items to return (1-200). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Group.siteId | String | The ID of the site of which this group is a member. |
| SentinelOne.Group.filterName | String | If the group is dynamic, the name of the filter which is used to associate agents. |
| SentinelOne.Group.creatorId | String | The ID of the user that created the group. |
| SentinelOne.Group.name | String | The name of the group. |
| SentinelOne.Group.creator | String | The user that created the group. |
| SentinelOne.Group.rank | Number | The rank, which sets the priority of a dynamic group over others. |
| SentinelOne.Group.updatedAt | Date | Timestamp of the last update. |
| SentinelOne.Group.totalAgents | Number | Number of agents in the group. |
| SentinelOne.Group.filterId | String | If the group is dynamic, the group ID of the filter that is used to associate agents. |
| SentinelOne.Group.isDefault | Boolean | Whether the group is the default group of the site. |
| SentinelOne.Group.inherits | Boolean | Whether the policy is inherited from a site. "False" if the group has its own edited policy. |
| SentinelOne.Group.type | String | Group type. Can be static or dynamic. |
| SentinelOne.Group.id | String | The ID of the group. |
| SentinelOne.Group.createdAt | Date | Timestamp of group creation. |

Command Example#

!sentinelone-get-groups

Context Example#

{
    "SentinelOne": {
        "Group": {
            "createdAt": "2018-10-19T00:58:41.646045Z",
            "creator": "XSOAR User",
            "creatorId": "433273625970238486",
            "filterId": null,
            "filterName": null,
            "id": "475482421375116388",
            "inherits": true,
            "isDefault": true,
            "name": "Default Group",
            "rank": null,
            "registrationToken": "eyJiOiAiZ184NjJiYWQzNTIwN2ZmNTJmIn0=",
            "siteId": "475482421366727779",
            "totalAgents": 0,
            "type": "static",
            "updatedAt": "2021-01-02T13:34:58.753880Z"
        }
    }
}

Human Readable Output#

Sentinel One Groups#

| Id | Name | Type | Creator | Creator Id | Created At |
| --- | --- | --- | --- | --- | --- |
| 475482421375116388 | Default Group | static | XSOAR User | 433273625970238486 | 2018-10-19T00:58:41.646045Z |

sentinelone-move-agent#


Moves agents to a new group.

Base Command#

sentinelone-move-agent

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| group_id | The ID of the group to move the agent to. | Required |
| agents_ids | The IDs of the agents to move. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Agent.AgentsMoved | Number | The number of agents that were moved to another group. |

Command Example#

Human Readable Output#

sentinelone-delete-group#


Deletes a group, by the group ID.

Base Command#

sentinelone-delete-group

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| group_id | The ID of the group to delete. | Required |

Context Output#

There is no context output for this command.

Command Example#

Human Readable Output#

sentinelone-agent-processes#


DEPRECATED - Retrieves running processes for a specific agent.

Base Command#

sentinelone-agent-processes

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agents_ids | The ID of the agent from which to retrieve the processes. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Agent.memoryUsage | Number | Memory usage (MB). |
| SentinelOne.Agent.startTime | Date | The process start time. |
| SentinelOne.Agent.pid | Number | The process ID. |
| SentinelOne.Agent.processName | String | The name of the process. |
| SentinelOne.Agent.cpuUsage | Number | CPU usage (%). |
| SentinelOne.Agent.executablePath | String | Executable path. |

sentinelone-connect-agent#


Connects agents to the network.

Base Command#

sentinelone-connect-agent

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | A comma-separated list of agent IDs to connect to the network. Run the list-agents command to get a list of agent IDs. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Agent.AgentsAffected | Number | The number of affected agents. |
| SentinelOne.Agent.ID | String | The IDs of the affected agents. |

Command Example#

!sentinelone-connect-agent agent_id=657613730168123595

Context Example#

{
    "SentinelOne": {
        "Agent": {
            "ID": "657613730168123595",
            "NetworkStatus": "connecting"
        }
    }
}

Human Readable Output#

1 agent(s) successfully connected to the network.

sentinelone-disconnect-agent#


Disconnects agents from the network.

Base Command#

sentinelone-disconnect-agent

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | A comma-separated list of agent IDs to disconnect from the network. Run the list-agents command to get a list of agent IDs. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Agent.NetworkStatus | String | Agent network status. |
| SentinelOne.Agent.ID | String | The IDs of the affected agents. |

Command Example#

!sentinelone-disconnect-agent agent_id=657613730168123595

Context Example#

{
    "SentinelOne": {
        "Agent": {
            "ID": "657613730168123595",
            "NetworkStatus": "disconnecting"
        }
    }
}

Human Readable Output#

1 agent(s) successfully disconnected from the network.
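The context returned by sentinelone-disconnect-agent reports a NetworkStatus of "disconnecting", while the activity feed shown under sentinelone-get-activities later records "Agent EC2AMAZ-AJ0KANC was disconnected from network." as a separate, agent-side entry. The following added example (not part of the SentinelOne V2 integration) treats the "disconnecting" status as pending, which is an assumption, and confirms an isolation only from the agent-side activity record. The activity records are constructed from the example rows above; the helper names are hypothetical.

```python
"""Added example, not part of the SentinelOne V2 integration: confirm that a
network isolation issued with sentinelone-disconnect-agent actually took effect.

The command context reports NetworkStatus "disconnecting"; this example treats
that as a pending state (an assumption) and looks for the agent-side
"was disconnected from network" activity, in the shape shown under
sentinelone-get-activities, before calling the host isolated.
"""
from datetime import datetime
from typing import Any, Dict, List, Optional, Tuple

# Context returned by !sentinelone-disconnect-agent (shape from the docs).
DISCONNECT_CONTEXT = {"ID": "657613730168123595", "NetworkStatus": "disconnecting"}

HOST = "EC2AMAZ-AJ0KANC"

# Constructed activity records modelled on the sentinelone-get-activities context.
# Operator actions carry a UserID; agent-side confirmations have UserID null.
ACTIVITIES: List[Dict[str, Any]] = [
    {"ID": "802214365638826164", "UserID": "475482955872052394",
     "CreatedAt": "2020-01-12T20:16:44.594737Z", "Data": {"computerName": HOST},
     "PrimaryDescription": "The management user XSOAR User issued a disconnect from "
                           "network command to the machine EC2AMAZ-AJ0KANC."},
    {"ID": "802214382952913086", "UserID": "475482955872052394",
     "CreatedAt": "2020-01-12T20:16:46.659017Z", "Data": {"computerName": HOST},
     "PrimaryDescription": "The management user XSOAR User issued a reconnect to "
                           "network command to the machine EC2AMAZ-AJ0KANC."},
    {"ID": "802214763636332743", "UserID": None,
     "CreatedAt": "2020-01-12T20:17:32.040670Z", "Data": {"computerName": HOST},
     "PrimaryDescription": "Agent EC2AMAZ-AJ0KANC was connected to network."},
    {"ID": "802214854023583946", "UserID": None,
     "CreatedAt": "2020-01-12T20:17:42.815619Z", "Data": {"computerName": HOST},
     "PrimaryDescription": "Agent EC2AMAZ-AJ0KANC was disconnected from network."},
]


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the activity records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def agent_network_events(computer_name: str,
                         activities: List[Dict[str, Any]]) -> List[Tuple[datetime, str, str]]:
    """Agent-side connect/disconnect confirmations for one host, oldest first."""
    out: List[Tuple[datetime, str, str]] = []
    for act in activities:
        if act.get("UserID") is not None:      # operator-issued command, not a confirmation
            continue
        if (act.get("Data") or {}).get("computerName") != computer_name:
            continue
        desc = act.get("PrimaryDescription", "")
        if "was disconnected from network" in desc:
            out.append((_ts(act["CreatedAt"]), "isolated", act["ID"]))
        elif "was connected to network" in desc:
            out.append((_ts(act["CreatedAt"]), "connected", act["ID"]))
    return sorted(out)


def isolation_state(computer_name: str, activities: List[Dict[str, Any]],
                    issued_after: Optional[str] = None) -> str:
    """'isolated', 'connected', or 'pending' when no agent-side confirmation exists
    (optionally only counting confirmations at or after issued_after)."""
    events = agent_network_events(computer_name, activities)
    if issued_after is not None:
        cutoff = _ts(issued_after)
        events = [e for e in events if e[0] >= cutoff]
    return events[-1][1] if events else "pending"


def confirm_isolation(context: Dict[str, Any], computer_name: str,
                      activities: List[Dict[str, Any]],
                      issued_after: Optional[str] = None) -> Dict[str, Any]:
    """Verdict based on the activity feed rather than the transient NetworkStatus."""
    verdict = isolation_state(computer_name, activities, issued_after)
    return {"agent_id": context.get("ID"),
            "network_status": context.get("NetworkStatus"),
            "confirmed": verdict == "isolated",
            "verdict": verdict}


if __name__ == "__main__":
    print(confirm_isolation(DISCONNECT_CONTEXT, HOST, ACTIVITIES))
```

In a playbook this check would run after the disconnect command, pulling the activities for the affected host; passing the command's own timestamp as `issued_after` keeps an older "was disconnected" entry from being mistaken for the current isolation.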

sentinelone-broadcast-message#


Broadcasts a message to all agents that match the input filters.

Base Command#

sentinelone-broadcast-message

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| message | The message to broadcast to agents. | Required |
| active_agent | Whether to only include active agents. Default is "false". Possible values are: true, false. | Optional |
| group_id | A comma-separated list of Group IDs by which to filter the results. | Optional |
| agent_id | A comma-separated list of Agent IDs by which to filter the results. | Optional |
| domain | A comma-separated list of included network domains. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!sentinelone-broadcast-message message="Hey There, just checking" agent_id=657613730168123595

Human Readable Output#

The message was successfully delivered to the agent(s)

sentinelone-get-events#


Returns all Deep Visibility events that match the query.

Base Command#

sentinelone-get-events

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | Maximum number of items to return (1-100). Default is 50. | Optional |
| query_id | QueryId obtained when creating a query in the sentinelone-create-query command. Example: "q1xx2xx3". | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Event.ProcessUID | String | Process unique identifier. |
| SentinelOne.Event.SHA256 | String | SHA256 hash of the file. |
| SentinelOne.Event.AgentOS | String | OS type. Can be "windows", "linux", "macos", or "windows_legacy". |
| SentinelOne.Event.ProcessID | Number | The process ID. |
| SentinelOne.Event.User | String | User assigned to the event. |
| SentinelOne.Event.Time | Date | Process start time. |
| SentinelOne.Event.Endpoint | String | The agent name. |
| SentinelOne.Event.SiteName | String | Site name. |
| SentinelOne.Event.EventType | String | Event type. Can be "events", "file", "ip", "url", "dns", "process", "registry", "scheduled_task", or "logins". |
| SentinelOne.Event.ProcessName | String | The name of the process. |
| SentinelOne.Event.MD5 | String | MD5 hash of the file. |
| Event.ID | String | Event process ID. |
| Event.Name | String | Event name. |
| Event.Type | String | Event type. |

Command Example#

!sentinelone-get-events query_id=q034ae362a30eba5a187cbe601d19abaa

Human Readable Output#

No events were found.

sentinelone-create-query#


Runs a Deep Visibility Query and returns the queryId. You can use the queryId for all other commands, such as the sentinelone-get-events command.

Base Command#

sentinelone-create-query

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| query | The query string for which to return events. | Required |
| from_date | Query start date, for example, "2019-08-03T04:49:26.257525Z". Limited to 93 days ago. | Required |
| to_date | Query end date, for example, "2019-08-03T04:49:26.257525Z". | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Query.FromDate | Date | Query start date. |
| SentinelOne.Query.Query | String | The search query string. |
| SentinelOne.Query.QueryID | String | The query ID. |
| SentinelOne.Query.ToDate | Date | Query end date. |

Command Example#

!sentinelone-create-query query="AgentName Is Not Empty" from_date="2020-10-13T15:24:09.257Z" to_date="2021-01-10T04:49:26.257525Z"

Context Example#

{
    "SentinelOne": {
        "Query": {
            "FromDate": "2020-10-13T15:24:09.257Z",
            "Query": "AgentName Is Not Empty",
            "QueryID": "q15a9c0b5a5f2081188e70c42897ef5f9",
            "ToDate": "2021-01-10T04:49:26.257525Z"
        }
    }
}

Human Readable Output#

The query ID is q15a9c0b5a5f2081188e70c42897ef5f9

sentinelone-get-processes#


Returns the Deep Visibility events of event type "process" for the given query.

Base Command#

sentinelone-get-processes

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| query_id | The queryId that is returned when creating a query under Create Query. Example: "q1xx2xx3". Get the query_id from the "get-query-id" command. | Required |
| limit | Maximum number of items to return (1-100). Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Event.ParentProcessID | Number | Parent process ID. |
| SentinelOne.Event.ProcessUID | String | The process unique identifier. |
| SentinelOne.Event.SHA1 | String | SHA1 hash of the process image. |
| SentinelOne.Event.SubsystemType | String | Process sub-system. |
| SentinelOne.Event.ParentProcessStartTime | Date | The parent process start time. |
| SentinelOne.Event.ProcessID | Number | The process ID. |
| SentinelOne.Event.ParentProcessUID | String | Parent process unique identifier. |
| SentinelOne.Event.User | String | User assigned to the event. |
| SentinelOne.Event.Time | Date | Start time of the process. |
| SentinelOne.Event.ParentProcessName | String | Parent process name. |
| SentinelOne.Event.SiteName | String | Site name. |
| SentinelOne.Event.EventType | String | The event type. |
| SentinelOne.Event.Endpoint | String | The agent name (endpoint). |
| SentinelOne.Event.IntegrityLevel | String | Process integrity level. |
| SentinelOne.Event.CMD | String | Process CMD. |
| SentinelOne.Event.ProcessName | String | Process name. |
| SentinelOne.Event.ProcessDisplayName | String | Process display name. |

Command Example#

!sentinelone-get-processes query_id=q034ae362a30eba5a187cbe601d19abaa
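The three Deep Visibility commands above form one procedure: sentinelone-create-query returns a QueryID, and sentinelone-get-events and sentinelone-get-processes consume it. The following added example, which is not code from the SentinelOne V2 integration, drives that flow the way an XSOAR automation would, enforcing the documented limits (from_date at most 93 days back, limit 1-100) before any command is issued and handling the "No events were found." case, which returns no SentinelOne.Event context. The command runner is injected so the example runs offline against constructed entries; a real automation would pass a thin wrapper around demisto.executeCommand. The entry layout, the DT-filter suffix on context keys, the fake runner and `DOC_NOW` are assumptions made for the example.

```python
"""Added example, not part of the SentinelOne V2 integration: drive the
sentinelone-create-query -> sentinelone-get-events / sentinelone-get-processes
flow as an XSOAR automation would, with the documented limits checked first.

The command runner is injected so the flow runs offline against constructed
entries.  Entries follow the XSOAR shape (Type, Contents, EntryContext), and
context keys may carry a DT filter such as
"SentinelOne.Query(val.QueryID == obj.QueryID)", which is stripped for lookup
(both assumptions for this example).
"""
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Dict, List, Optional

ENTRY_TYPE_ERROR = 4        # XSOAR entry type of an error entry
MAX_LOOKBACK_DAYS = 93      # sentinelone-create-query: from_date is limited to 93 days ago
MAX_LIMIT = 100             # sentinelone-get-events / -get-processes: limit is 1-100
# Constructed reference "now" so the docs' example window stays inside 93 days.
DOC_NOW = datetime(2021, 1, 11, tzinfo=timezone.utc)

Entry = Dict[str, Any]
Runner = Callable[[str, Dict[str, str]], List[Entry]]


def _parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used throughout the integration."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_window(from_date: str, to_date: str, now: Optional[datetime] = None) -> None:
    """Reject reversed bounds and a from_date older than the 93-day limit."""
    now = now or datetime.now(timezone.utc)
    start, end = _parse_ts(from_date), _parse_ts(to_date)
    if end < start:
        raise ValueError("to_date precedes from_date")
    if start < now - timedelta(days=MAX_LOOKBACK_DAYS):
        raise ValueError(f"from_date is more than {MAX_LOOKBACK_DAYS} days ago")


def _context(entries: List[Entry], path: str) -> Any:
    """Return the EntryContext value stored under `path`, ignoring any DT filter suffix."""
    for entry in entries:
        if entry.get("Type") == ENTRY_TYPE_ERROR:
            raise RuntimeError(f"command failed: {entry.get('Contents')}")
        for key, value in (entry.get("EntryContext") or {}).items():
            if key.split("(", 1)[0] == path:
                return value
    raise KeyError(path)


def create_query(run: Runner, query: str, from_date: str, to_date: str,
                 now: Optional[datetime] = None) -> str:
    """Run sentinelone-create-query and return SentinelOne.Query.QueryID."""
    validate_window(from_date, to_date, now)
    entries = run("sentinelone-create-query",
                  {"query": query, "from_date": from_date, "to_date": to_date})
    return _context(entries, "SentinelOne.Query")["QueryID"]


def fetch_events(run: Runner, query_id: str, command: str = "sentinelone-get-events",
                 limit: int = 50) -> List[Dict[str, Any]]:
    """Fetch SentinelOne.Event entries for a query_id; an empty result has no context."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be 1-{MAX_LIMIT}")
    entries = run(command, {"query_id": query_id, "limit": str(limit)})
    try:
        events = _context(entries, "SentinelOne.Event")
    except KeyError:        # "No events were found." yields no SentinelOne.Event context
        return []
    return events if isinstance(events, list) else [events]


def collect(run: Runner, query: str, from_date: str, to_date: str,
            now: Optional[datetime] = None) -> Dict[str, Any]:
    """Create the query once and reuse its QueryID for both event commands."""
    query_id = create_query(run, query, from_date, to_date, now)
    return {"query_id": query_id,
            "events": fetch_events(run, query_id),
            "processes": fetch_events(run, query_id, "sentinelone-get-processes")}


# Constructed fake runner returning entries shaped like the docs' context examples.
FAKE_QUERY_ID = "q15a9c0b5a5f2081188e70c42897ef5f9"


def fake_runner(command: str, args: Dict[str, str]) -> List[Entry]:
    if command == "sentinelone-create-query":
        ctx = {"QueryID": FAKE_QUERY_ID, "Query": args["query"],
               "FromDate": args["from_date"], "ToDate": args["to_date"]}
        return [{"Type": 1, "Contents": ctx,
                 "EntryContext": {"SentinelOne.Query(val.QueryID == obj.QueryID)": ctx}}]
    if args.get("query_id") != FAKE_QUERY_ID:
        return [{"Type": ENTRY_TYPE_ERROR, "Contents": "unknown query_id", "EntryContext": {}}]
    if command == "sentinelone-get-events":
        return [{"Type": 1, "Contents": "No events were found.", "EntryContext": {}}]
    if command == "sentinelone-get-processes":
        proc = {"ProcessName": "cmd.exe", "ProcessID": 4242, "ParentProcessName": "explorer.exe",
                "EventType": "process", "Endpoint": "EC2AMAZ-AJ0KANC"}
        return [{"Type": 1, "Contents": [proc],
                 "EntryContext": {"SentinelOne.Event(val.ProcessUID == obj.ProcessUID)": [proc]}}]
    raise ValueError(f"unsupported command {command}")
```

Validating the window locally gives a clear error before a round trip to the management server, and treating a missing SentinelOne.Event context as an empty list keeps a playbook from failing on the "No events were found." result shown above.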

sentinelone-shutdown-agent#


Sends a shutdown command to all agents that match the input filter.

Base Command#

sentinelone-shutdown-agent

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| query | A free-text search term that matches applicable attributes (substring match). Note: A device's physical addresses are only matched if they start with the search term (not if they contain it). | Optional |
| agent_id | A comma-separated list of agent IDs to shut down. | Optional |
| group_id | The ID of the network group. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Agent.ID | String | The ID of the agent that was shut down. |

Command Example#

Human Readable Output#

sentinelone-uninstall-agent#


Sends an uninstall command to all agents that match the input filter.

Base Command#

sentinelone-uninstall-agent

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| query | A free-text search term that matches applicable attributes (substring match). Note: A device's physical addresses are only matched if they start with the search term (not if they contain it). | Optional |
| agent_id | A comma-separated list of agent IDs to uninstall. | Optional |
| group_id | The ID of the network group. | Optional |

Context Output#

There is no context output for this command.