Cortex XSOAR for Developers (Formerly Demisto)

SentinelOne v2

Use the SentinelOne v2 integration to your organize your company's end points.
This integration was integrated and tested with version xx of SentinelOne Beta

Configure SentinelOne Beta on Demisto

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for SentinelOne Beta.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Server URL (e.g., https://usea1.sentinelone.net )
    • Username
    • API Token
    • Trust any certificate (not secure)
    • Use system proxy
    • Fetch incidents
    • Fetch limit
    • Incident type
    • First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year)
    • Minimum risk score for importing incidents (0-10), where 0 is low risk and 10 is high risk
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get all agents: sentinelone-list-agents
  2. Create an exclusion: sentinelone-create-white-list-item
  3. Get all exclusion items: sentinelone-get-white-list
  4. Get the reputation of a hash: sentinelone-get-hash
  5. Get a threat list: sentinelone-get-threats
  6. Get a threat summary: sentinelone-threat-summary
  7. Mark suspicious threats: sentinelone-mark-as-threat
  8. Mitigate threats: sentinelone-mitigate-threat
  9. Resolve threats: sentinelone-resolve-threat
  10. Get agent details: sentinelone-get-agent
  11. Get a list of sites: sentinelone-get-sites
  12. Get a site list: sentinelone-get-site
  13. Reactivate a site: sentinelone-reactivate-site
  14. Get a list of activities: sentinelone-get-activities
  15. Get group data: sentinelone-get-groups
  16. Move agent: sentinelone-move-agent
  17. Delete a group: sentinelone-delete-group
  18. Retrieve agent processes: sentinelone-agent-processes
  19. Connect an agent: sentinelone-connect-agent
  20. Disconnect an agent: sentinelone-disconnect-agent
  21. Broadcast a message to agents: sentinelone-broadcast-message
  22. Get Deep Visibility events: sentinelone-get-events
  23. Create a Deep Visibility query: sentinelone-create-query
  24. Get a list of Deep Visibility events by process: sentinelone-get-processes
  25. Shutdown an agent: sentinelone-shutdown-agent
  26. Uninstall an agent: sentinelone-uninstall-agent

1. Get all agents

Gets a list of all agents.

Base Command

sentinelone-list-agents

Input
Argument Name Description Required
computer_name Filter by computer name. Optional
scan_status CSV list of scan statuses by which to filter the results, for example: “started,abort