SentinelOne v2

End point protection

Configure SentinelOne V2 on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for SentinelOne V2.
  3. Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL (e.g., https://usea1.sentinelone.net) | True |
| token | API Token | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| fetch_time | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year) | False |
| fetch_threat_rank | Minimum risk score for importing incidents (0-10), where 0 is low risk and 10 is high risk | False |
| fetch_limit | Fetch limit: the maximum number of incidents to fetch | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

sentinelone-list-agents


Returns all agents that match the specified criteria.

Base Command

sentinelone-list-agents

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| computer_name | Filter by computer name. | Optional |
| scan_status | CSV list of scan statuses by which to filter the results, for example: "started,aborted". | Optional |
| os_type | Included OS types, for example: "windows". | Optional |
| created_at | Endpoint created at timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
| min_active_threats | Minimum number of threats for an agent. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Agents.NetworkStatus | string | The agent network status. |
| SentinelOne.Agents.ID | string | The agent ID. |
| SentinelOne.Agents.AgentVersion | string | The agent software version. |
| SentinelOne.Agents.IsDecomissioned | boolean | Whether the agent is decommissioned. |
| SentinelOne.Agents.IsActive | boolean | Whether the agent is active. |
| SentinelOne.Agents.LastActiveDate | date | The last active date of the agent. |
| SentinelOne.Agents.RegisteredAt | date | The registration date of the agent. |
| SentinelOne.Agents.ExternalIP | string | The agent IP address. |
| SentinelOne.Agents.ThreatCount | number | Number of active threats. |
| SentinelOne.Agents.EncryptedApplications | boolean | Whether disk encryption is enabled. |
| SentinelOne.Agents.OSName | string | Name of the operating system. |
| SentinelOne.Agents.ComputerName | string | Name of the agent computer. |
| SentinelOne.Agents.Domain | string | Domain name of the agent. |
| SentinelOne.Agents.CreatedAt | date | Creation time of the agent. |
| SentinelOne.Agents.SiteName | string | Site name associated with the agent. |

Command Example

Human Readable Output

sentinelone-create-white-list-item


Creates an exclusion item that matches the specified input filter.

Base Command

sentinelone-create-white-list-item

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| exclusion_type | Exclusion item type. Can be "file_type", "path", "white_hash", "certificate", or "browser". | Required |
| exclusion_value | Value of the exclusion item for the exclusion list. | Required |
| os_type | OS type. Can be "windows", "windows_legacy", "macos", or "linux". OS type is required for hash exclusions. | Required |
| description | Description for adding the item. | Optional |
| exclusion_mode | Exclusion mode (path exclusion only). Can be "suppress", "disable_in_process_monitor_deep", "disable_in_process_monitor", "disable_all_monitors", or "disable_all_monitors_deep". | Optional |
| path_exclusion_type | Excluded path for a path exclusion list. | Optional |
| group_ids | CSV list of group IDs by which to filter. Can be "site_ids" or "group_ids". | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Exclusions.ID | string | The whitelisted entity ID. |
| SentinelOne.Exclusions.Type | string | The whitelisted item type. |
| SentinelOne.Exclusions.CreatedAt | date | Time when the whitelist item was created. |

Command Example

Human Readable Output

sentinelone-get-white-list


Lists all exclusion items that match the specified input filter.

Base Command

sentinelone-get-white-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| item_ids | List of IDs by which to filter, for example: "225494730938493804,225494730938493915". | Optional |
| os_types | CSV list of OS types by which to filter, for example: "windows, linux". | Optional |
| exclusion_type | Exclusion type. Can be "file_type", "path", "white_hash", "certificate", or "browser". | Optional |
| limit | The maximum number of items to return. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Exclusions.ID | string | The item ID. |
| SentinelOne.Exclusions.Type | string | The exclusion item type. |
| SentinelOne.Exclusions.CreatedAt | date | Timestamp when the item was added. |
| SentinelOne.Exclusions.Value | string | Value of the added item. |
| SentinelOne.Exclusions.Source | string | Source of the added item. |
| SentinelOne.Exclusions.UserID | string | User ID of the user that added the item. |
| SentinelOne.Exclusions.UpdatedAt | date | Timestamp when the item was updated. |
| SentinelOne.Exclusions.OsType | string | OS type. |
| SentinelOne.Exclusions.UserName | string | User name of the user that added the item. |
| SentinelOne.Exclusions.Mode | string | CSV list of modes by which to filter (path exclusions only), for example: "suppress". |

Command Example

Human Readable Output

sentinelone-get-hash


Get file reputation by a SHA1 hash.

Base Command

sentinelone-get-hash

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hash | The content hash. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Hash.Rank | Number | The hash reputation (1-10). |
| SentinelOne.Hash.Hash | String | The content hash. |
| SentinelOne.Hash.Classification | String | The hash classification. |
| SentinelOne.Hash.Classification Source | String | The hash classification source. |

Command Example

Human Readable Output

sentinelone-get-threats


Returns threats according to specified filters.

Base Command

sentinelone-get-threats

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| content_hash | The content hash of the threat. | Optional |
| mitigation_status | CSV list of mitigation statuses. Can be "mitigated", "active", "blocked", "suspicious", "pending", or "suspicious_resolved". | Optional |
| created_before | Searches for threats created before this date, for example: "2018-02-27T04:49:26.257525Z". | Optional |
| created_after | Searches for threats created after this date, for example: "2018-02-27T04:49:26.257525Z". | Optional |
| created_until | Searches for threats created on or before this date, for example: "2018-02-27T04:49:26.257525Z". | Optional |
| created_from | Searches for threats created on or after this date, for example: "2018-02-27T04:49:26.257525Z". | Optional |
| resolved | Whether to only return resolved threats. | Optional |
| display_name | Threat display name. Can be a partial display name, not an exact match. | Optional |
| limit | The maximum number of threats to return. Default is 20. | Optional |
| query | Full free-text search for fields. Can be "content_hash", "file_display_name", "file_path", "computer_name", or "uuid". | Optional |
| threat_ids | CSV list of threat IDs, for example: "225494730938493804,225494730938493915". | Optional |
| classifications | CSV list of threat classifications to search, for example: "Malware", "Network", "Benign". | Optional |
| rank | Risk level threshold to retrieve (1-10). | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Threat.ID | String | The threat ID. |
| SentinelOne.Threat.AgentComputerName | String | The agent computer name. |
| SentinelOne.Threat.CreatedDate | Date | File created date. |
| SentinelOne.Threat.SiteID | String | The site ID. |
| SentinelOne.Threat.Classification | string | Classification name. |
| SentinelOne.Threat.MitigationStatus | String | The agent status. |
| SentinelOne.Threat.AgentID | String | The agent ID. |
| SentinelOne.Threat.Rank | Number | Number representing cloud reputation (1-10). |
| SentinelOne.Threat.MarkedAsBenign | Boolean | Whether the threat is marked as benign. |

Command Example

Human Readable Output

sentinelone-threat-summary


Returns a dashboard threat summary.

Base Command

sentinelone-threat-summary

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group_ids | CSV list of group IDs by which to filter, for example: "225494730938493804,225494730938493915". | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Threat.Active | Number | Number of active threats in the system. |
| SentinelOne.Threat.Total | Number | Total number of threats in the system. |
| SentinelOne.Threat.Mitigated | Number | Number of mitigated threats in the system. |
| SentinelOne.Threat.Suspicious | Number | Number of suspicious threats in the system. |
| SentinelOne.Threat.Blocked | Number | Number of blocked threats in the system. |

Command Example

Human Readable Output

sentinelone-mark-as-threat


Marks suspicious threats as threats.

Base Command

sentinelone-mark-as-threat

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| threat_ids | CSV list of threat IDs. | Optional |
| target_scope | Scope to use for exclusions. Can be "site" or "tenant". | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Threat.ID | String | The threat ID. |
| SentinelOne.Threat.MarkedAsThreat | Boolean | Whether the suspicious threat was successfully marked as a threat. |

Command Example

Human Readable Output

sentinelone-mitigate-threat


Applies a mitigation action to a group of threats that match the specified input filter.

Base Command

sentinelone-mitigate-threat

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| action | Mitigation action. Can be "kill", "quarantine", "un-quarantine", "remediate", or "rollback-remediation". | Required |
| threat_ids | CSV list of threat IDs. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Threat.ID | String | The threat ID. |
| SentinelOne.Threat.Mitigated | Boolean | Whether the threat was successfully mitigated. |
| SentinelOne.Threat.Mitigation.Action | Number | Number of threats affected. |

Command Example

Human Readable Output

sentinelone-resolve-threat


Resolves threat using the threat ID.

Base Command

sentinelone-resolve-threat

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| threat_ids | CSV list of threat IDs. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Threat.ID | String | The threat ID. |
| SentinelOne.Threat.Resolved | Boolean | Whether the threat was successfully resolved. |

Command Example

Human Readable Output
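The threat commands above (get-threats, mark-as-threat, mitigate-threat, resolve-threat) are normally chained from a playbook. The following is an added example, not code from the integration itself: it takes records in the shape of the SentinelOne.Threat context output and sorts them into the argument sets those commands accept, using the page's mitigation_status values and the same 0-10 rank scale as the fetch_threat_rank parameter. The triage policy, the record list and the threat IDs are constructed assumptions for illustration.

```python
from typing import Dict, List, Tuple

# Statuses this triage acts on, drawn from the page's mitigation_status vocabulary.
ACTIONABLE = {"active", "suspicious", "mitigated"}


def triage_threats(threats: List[dict], min_rank: int) -> Dict[str, List[str]]:
    """Bucket SentinelOne.Threat records by the command that should handle them.

    Policy (an assumption, not the integration's): threats marked benign are
    skipped; already mitigated threats are resolved; anything below min_rank or
    in a status this routine does not handle is left for analyst review;
    suspicious threats at or above the threshold are escalated with
    mark-as-threat, and active ones are quarantined.
    """
    plan: Dict[str, List[str]] = {"mark_as_threat": [], "quarantine": [],
                                  "resolve": [], "review": []}
    seen = set()
    for record in threats:
        threat_id = str(record.get("ID", "")).strip()
        if not threat_id or threat_id in seen:
            continue  # malformed or duplicate record; never send it twice
        seen.add(threat_id)
        if record.get("MarkedAsBenign"):
            continue
        status = str(record.get("MitigationStatus", "")).lower()
        rank = int(record.get("Rank") or 0)
        if status == "mitigated":
            plan["resolve"].append(threat_id)
        elif rank < min_rank or status not in ACTIONABLE:
            plan["review"].append(threat_id)
        elif status == "suspicious":
            plan["mark_as_threat"].append(threat_id)
        else:  # "active"
            plan["quarantine"].append(threat_id)
    return plan


def to_commands(plan: Dict[str, List[str]], target_scope: str = "site") -> List[Tuple[str, Dict[str, str]]]:
    """Render a triage plan as (command, args) pairs using the page's argument names.

    threat_ids is the CSV form the commands take. mark-as-threat is emitted first
    so escalated items are threats before any mitigation runs.
    """
    if target_scope not in ("site", "tenant"):
        raise ValueError("target_scope must be 'site' or 'tenant'")
    calls: List[Tuple[str, Dict[str, str]]] = []
    if plan["mark_as_threat"]:
        calls.append(("sentinelone-mark-as-threat",
                      {"threat_ids": ",".join(plan["mark_as_threat"]), "target_scope": target_scope}))
    if plan["quarantine"]:
        calls.append(("sentinelone-mitigate-threat",
                      {"action": "quarantine", "threat_ids": ",".join(plan["quarantine"])}))
    if plan["resolve"]:
        calls.append(("sentinelone-resolve-threat", {"threat_ids": ",".join(plan["resolve"])}))
    return calls


# Constructed sample records in the shape of the SentinelOne.Threat context output.
SAMPLE_THREATS = [
    {"ID": "225494730938493804", "AgentComputerName": "WS-01", "Classification": "Malware",
     "MitigationStatus": "active", "Rank": 9, "MarkedAsBenign": False},
    {"ID": "225494730938493915", "AgentComputerName": "WS-02", "Classification": "PUA",
     "MitigationStatus": "suspicious", "Rank": 7, "MarkedAsBenign": False},
    {"ID": "225494730938493916", "AgentComputerName": "WS-03", "Classification": "PUA",
     "MitigationStatus": "suspicious", "Rank": 3, "MarkedAsBenign": False},
    {"ID": "225494730938493917", "AgentComputerName": "WS-04", "Classification": "Malware",
     "MitigationStatus": "mitigated", "Rank": 8, "MarkedAsBenign": False},
    {"ID": "225494730938493918", "AgentComputerName": "WS-05", "Classification": "Benign",
     "MitigationStatus": "active", "Rank": 10, "MarkedAsBenign": True},
    {"ID": "225494730938493804", "AgentComputerName": "WS-01", "Classification": "Malware",
     "MitigationStatus": "active", "Rank": 9, "MarkedAsBenign": False},  # duplicate
]

if __name__ == "__main__":
    for command, args in to_commands(triage_threats(SAMPLE_THREATS, min_rank=5)):
        print(command, args)
```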

sentinelone-get-agent


Returns details of an agent, by agent ID.

Base Command

sentinelone-get-agent

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | The agent ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Agent.NetworkStatus | string | The agent network status. |
| SentinelOne.Agent.ID | string | The agent ID. |
| SentinelOne.Agent.AgentVersion | string | The agent software version. |
| SentinelOne.Agent.IsDecomissioned | boolean | Whether the agent is decommissioned. |
| SentinelOne.Agent.IsActive | boolean | Whether the agent is active. |
| SentinelOne.Agent.LastActiveDate | date | The last active date of the agent. |
| SentinelOne.Agent.RegisteredAt | date | The registration date of the agent. |
| SentinelOne.Agent.ExternalIP | string | The agent IP address. |
| SentinelOne.Agent.ThreatCount | number | Number of active threats. |
| SentinelOne.Agent.EncryptedApplications | boolean | Whether disk encryption is enabled. |
| SentinelOne.Agent.OSName | string | Name of the operating system. |
| SentinelOne.Agent.ComputerName | string | Name of the agent computer. |
| SentinelOne.Agent.Domain | string | Domain name of the agent. |
| SentinelOne.Agent.CreatedAt | date | Agent creation time. |
| SentinelOne.Agent.SiteName | string | Site name associated with the agent. |

Command Example

Human Readable Output

sentinelone-get-sites


Returns all sites that match the specified criteria.

Base Command

sentinelone-get-sites

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| updated_at | Timestamp of last update, for example: "2018-02-27T04:49:26.257525Z". | Optional |
| query | Full-text search for fields: name, account_name. | Optional |
| site_type | Site type. Can be "Trial", "Paid", "POC", "DEV", or "NFR". | Optional |
| features | Returns sites that support the specified features. Can be "firewall-control", "device-control", or "ioc". | Optional |
| state | Site state. Can be "active", "deleted", or "expired". | Optional |
| suite | The suite of product features active for this site. Can be "Core" or "Complete". | Optional |
| admin_only | Sites to which the user has Admin privileges. | Optional |
| account_id | Account ID, for example: "225494730938493804". | Optional |
| site_name | Site name, for example: "My Site". | Optional |
| created_at | Timestamp of site creation, for example: "2018-02-27T04:49:26.257525Z". | Optional |
| limit | Maximum number of results to return. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Site.Creator | string | The creator name. |
| SentinelOne.Site.Name | string | The site name. |
| SentinelOne.Site.Type | string | The site type. |
| SentinelOne.Site.AccountName | string | The account name. |
| SentinelOne.Site.State | string | The site state. |
| SentinelOne.Site.HealthStatus | boolean | The health status of the site. |
| SentinelOne.Site.Suite | string | The suite to which the site belongs. |
| SentinelOne.Site.ActiveLicenses | number | Number of active licenses on the site. |
| SentinelOne.Site.ID | string | ID of the site. |
| SentinelOne.Site.TotalLicenses | number | Number of total licenses on the site. |
| SentinelOne.Site.CreatedAt | date | Timestamp when the site was created. |
| SentinelOne.Site.Expiration | string | Timestamp when the site will expire. |
| SentinelOne.Site.UnlimitedLicenses | boolean | Whether the site has unlimited licenses. |

Command Example

Human Readable Output

sentinelone-get-site


Returns a site, by site ID.

Base Command

sentinelone-get-site

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| site_id | ID of the site. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Site.Creator | string | The creator name. |
| SentinelOne.Site.Name | string | The site name. |
| SentinelOne.Site.Type | string | The site type. |
| SentinelOne.Site.AccountName | string | The account name. |
| SentinelOne.Site.State | string | The site state. |
| SentinelOne.Site.HealthStatus | boolean | The health status of the site. |
| SentinelOne.Site.Suite | string | The suite to which the site belongs. |
| SentinelOne.Site.ActiveLicenses | number | Number of active licenses on the site. |
| SentinelOne.Site.ID | string | ID of the site. |
| SentinelOne.Site.TotalLicenses | number | Number of total licenses on the site. |
| SentinelOne.Site.CreatedAt | date | Timestamp when the site was created. |
| SentinelOne.Site.Expiration | string | Timestamp when the site will expire. |
| SentinelOne.Site.UnlimitedLicenses | boolean | Whether the site has unlimited licenses. |
| SentinelOne.Site.AccountID | string | Account ID. |
| SentinelOne.Site.IsDefault | boolean | Whether the site is the default site. |

Command Example

Human Readable Output

sentinelone-reactivate-site


Reactivates an expired site.

Base Command

sentinelone-reactivate-site

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| site_id | Site ID. Example: "225494730938493804". | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Site.ID | string | Site ID. |
| SentinelOne.Site.Reactivated | boolean | Whether the site was reactivated. |

Command Example

Human Readable Output

sentinelone-get-activities


Returns a list of activities.

Base Command

sentinelone-get-activities

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| created_after | Return activities created after this timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
| user_emails | Email address of the user who invoked the activity (if applicable). | Optional |
| group_ids | List of Group IDs by which to filter, for example: "225494730938493804,225494730938493915". | Optional |
| created_until | Return activities created on or before this timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
| include_hidden | Include internal activities hidden from display, for example: "False". | Optional |
| activities_ids | CSV list of activity IDs by which to filter, for example: "225494730938493804,225494730938493915". | Optional |
| created_before | Return activities created before this timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
| threats_ids | CSV list of threat IDs for which to return activities, for example: "225494730938493804,225494730938493915". | Optional |
| activity_types | CSV list of activity codes to return, for example: "52,53,71,72". | Optional |
| user_ids | CSV list of user IDs for users that invoked the activity (if applicable), for example: "225494730938493804,225494730938493915". | Optional |
| created_from | Return activities created on or after this timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
| created_between | Return activities created within this range (inclusive), for example: "1514978764288-1514978999999". | Optional |
| agent_ids | Return activities related to the specified agents, for example: "225494730938493804,225494730938493915". | Optional |
| limit | Maximum number of items to return (1-100). | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Activity.AgentID | String | Related agent (if applicable). |
| SentinelOne.Activity.AgentUpdatedVersion | String | Agent's new version (if applicable). |
| SentinelOne.Activity.SiteID | String | Related site (if applicable). |
| SentinelOne.Activity.UserID | String | The user who invoked the activity (if applicable). |
| SentinelOne.Activity.SecondaryDescription | String | Secondary description. |
| SentinelOne.Activity.OsFamily | String | Agent's OS type (if applicable). Can be "linux", "macos", "windows", or "windows_legacy". |
| SentinelOne.Activity.ActivityType | Number | Activity type. |
| SentinelOne.Activity.data.SiteID | String | The site ID. |
| SentinelOne.Activity.data.SiteName | String | The site name. |
| SentinelOne.Activity.data.username | String | The name of the site creator. |
| SentinelOne.Activity.Hash | String | Threat file hash (if applicable). |
| SentinelOne.Activity.UpdatedAt | Date | Activity last updated time (UTC). |
| SentinelOne.Activity.Comments | String | Comments for the activity. |
| SentinelOne.Activity.ThreatID | String | Related threat (if applicable). |
| SentinelOne.Activity.PrimaryDescription | String | Primary description for the activity. |
| SentinelOne.Activity.GroupID | String | Related group (if applicable). |
| SentinelOne.Activity.ID | String | Activity ID. |
| SentinelOne.Activity.CreatedAt | Date | Activity creation time (UTC). |
| SentinelOne.Activity.Description | String | Extra activity information. |

Command Example

Human Readable Output

sentinelone-get-groups


Returns data for the specified group.

Base Command

sentinelone-get-groups

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group_type | Group type, for example: "static". | Optional |
| group_ids | CSV list of group IDs by which to filter, for example: "225494730938493804,225494730938493915". | Optional |
| group_id | Group ID by which to filter, for example: "225494730938493804". | Optional |
| is_default | Whether this is the default group. | Optional |
| name | The name of the group. | Optional |
| query | Free-text search on the name field. | Optional |
| rank | The rank sets the priority of a dynamic group over others, for example, "1", which is the highest priority. | Optional |
| limit | Maximum number of items to return (1-200). | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Group.siteId | String | The ID of the site of which this group is a member. |
| SentinelOne.Group.filterName | String | If the group is dynamic, the name of the filter which is used to associate agents. |
| SentinelOne.Group.creatorId | String | The ID of the user that created the group. |
| SentinelOne.Group.name | String | The name of the group. |
| SentinelOne.Group.creator | String | The user that created the group. |
| SentinelOne.Group.rank | Number | The rank, which sets the priority of a dynamic group over others. |
| SentinelOne.Group.updatedAt | Date | Timestamp of the last update. |
| SentinelOne.Group.totalAgents | Number | Number of agents in the group. |
| SentinelOne.Group.filterId | String | If the group is dynamic, the group ID of the filter that is used to associate agents. |
| SentinelOne.Group.isDefault | Boolean | Whether the group is the default group of the site. |
| SentinelOne.Group.inherits | Boolean | Whether the policy is inherited from a site. "False" if the group has its own edited policy. |
| SentinelOne.Group.type | String | Group type. Can be "static" or "dynamic". |
| SentinelOne.Group.id | String | The ID of the group. |
| SentinelOne.Group.createdAt | Date | Timestamp of group creation. |

Command Example

Human Readable Output

sentinelone-move-agent


Moves agents to a new group.

Base Command

sentinelone-move-agent

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group_id | The ID of the group to move the agent to. | Required |
| agents_ids | Agent IDs. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Agent.AgentsMoved | Number | The number of agents that were moved to another group. |

Command Example

Human Readable Output

sentinelone-delete-group


Deletes a group, by the group ID.

Base Command

sentinelone-delete-group

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group_id | The ID of the group to delete. | Required |

Context Output

There is no context output for this command.

Command Example

Human Readable Output

sentinelone-agent-processes


Retrieves running processes for a specific agent.

Base Command

sentinelone-agent-processes

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agents_ids | The ID of the agent from which to retrieve the processes. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Agent.memoryUsage | Number | Memory usage (MB). |
| SentinelOne.Agent.startTime | Date | The process start time. |
| SentinelOne.Agent.pid | Number | The process ID. |
| SentinelOne.Agent.processName | String | The name of the process. |
| SentinelOne.Agent.cpuUsage | Number | CPU usage (%). |
| SentinelOne.Agent.executablePath | String | Executable path. |

Command Example

Human Readable Output

sentinelone-connect-agent


Connects agents to network.

Base Command

sentinelone-connect-agent

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | A CSV list of agent IDs to connect to the network. Run the list-agents command to get a list of agent IDs. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Agent.AgentsAffected | Number | The number of affected agents. |
| SentinelOne.Agent.ID | String | The IDs of the affected agents. |

Command Example

Human Readable Output

sentinelone-disconnect-agent


Disconnects agents from network.

Base Command

sentinelone-disconnect-agent

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | A CSV list of agent IDs to disconnect from the network. Run the list-agents command to get a list of agent IDs. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Agent.NetworkStatus | String | Agent network status. |
| SentinelOne.Agent.ID | String | The IDs of the affected agents. |

Command Example

Human Readable Output

sentinelone-broadcast-message


Broadcasts a message to all agents that match the input filters.

Base Command

sentinelone-broadcast-message

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| message | The message to broadcast to agents. | Required |
| active_agent | Whether to only include active agents. Default is "false". | Optional |
| group_id | List of Group IDs by which to filter the results. | Optional |
| agent_id | A list of Agent IDs by which to filter the results. | Optional |
| domain | Included network domains. | Optional |

Context Output

There is no context output for this command.

Command Example

Human Readable Output

sentinelone-get-events


Returns all Deep Visibility events that match the query.

Base Command

sentinelone-get-events

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | Maximum number of items to return (1-100). Default is "50". | Optional |
| query_id | QueryId obtained when creating a query in the sentinelone-create-query command. Example: "q1xx2xx3". | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Event.ProcessUID | String | Process unique identifier. |
| SentinelOne.Event.SHA256 | String | SHA256 hash of the file. |
| SentinelOne.Event.AgentOS | String | OS type. Can be "windows", "linux", "macos", or "windows_legacy". |
| SentinelOne.Event.ProcessID | Number | The process ID. |
| SentinelOne.Event.User | String | User assigned to the event. |
| SentinelOne.Event.Time | Date | Process start time. |
| SentinelOne.Event.Endpoint | String | The agent name. |
| SentinelOne.Event.SiteName | String | Site name. |
| SentinelOne.Event.EventType | String | Event type. Can be "events", "file", "ip", "url", "dns", "process", "registry", "scheduled_task", or "logins". |
| SentinelOne.Event.ProcessName | String | The name of the process. |
| SentinelOne.Event.MD5 | String | MD5 hash of the file. |
| Event.ID | String | Event process ID. |
| Event.Name | String | Event name. |
| Event.Type | String | Event type. |

Command Example

Human Readable Output

sentinelone-create-query


Runs a Deep Visibility Query and returns the queryId. You can use the queryId for all other commands, such as the sentinelone-get-events command.

Base Command

sentinelone-create-query

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | The query string for which to return events. | Required |
| from_date | Query start date, for example, "2019-08-03T04:49:26.257525Z". | Required |
| to_date | Query end date, for example, "2019-08-03T04:49:26.257525Z". | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Query.FromDate | Date | Query start date. |
| SentinelOne.Query.Query | String | The search query string. |
| SentinelOne.Query.QueryID | String | The query ID. |
| SentinelOne.Query.ToDate | Date | Query end date. |

Command Example

Human Readable Output

sentinelone-get-processes


Returns the Deep Visibility events of event type "process" that match a previously created query.

Base Command

sentinelone-get-processes

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query_id | The queryId that is returned when creating a query under Create Query. Example: "q1xx2xx3". Get the query_id from the "get-query-id" command. | Required |
| limit | Maximum number of items to return (1-100). Default is "50". | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Event.ParentProcessID | Number | Parent process ID. |
| SentinelOne.Event.ProcessUID | String | The process unique identifier. |
| SentinelOne.Event.SHA1 | String | SHA1 hash of the process image. |
| SentinelOne.Event.SubsystemType | String | Process sub-system. |
| SentinelOne.Event.ParentProcessStartTime | Date | The parent process start time. |
| SentinelOne.Event.ProcessID | Number | The process ID. |
| SentinelOne.Event.ParentProcessUID | String | Parent process unique identifier. |
| SentinelOne.Event.User | String | User assigned to the event. |
| SentinelOne.Event.Time | Date | Start time of the process. |
| SentinelOne.Event.ParentProcessName | String | Parent process name. |
| SentinelOne.Event.SiteName | String | Site name. |
| SentinelOne.Event.EventType | String | The event type. |
| SentinelOne.Event.Endpoint | String | The agent name (endpoint). |
| SentinelOne.Event.IntegrityLevel | String | Process integrity level. |
| SentinelOne.Event.CMD | String | Process command line. |
| SentinelOne.Event.ProcessName | String | Process name. |
| SentinelOne.Event.ProcessDisplayName | String | Process display name. |

Command Example

Human Readable Output
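The Deep Visibility commands above form one workflow: sentinelone-create-query returns a QueryID under SentinelOne.Query, and sentinelone-get-events and sentinelone-get-processes then take that query_id with a limit of 1-100. The following is an added example, not code from the integration: it chains the two steps from an automation, with the executor interface modelled on demisto.executeCommand as an assumption (a callable returning entries whose EntryContext holds the context paths from this page, with context keys possibly carrying an XSOAR merge expression and error entries having Type 4). The fake executor, its process events and the SHA1 placeholders are constructed sample data.

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

Entry = Dict[str, object]
Executor = Callable[[str, Dict[str, str]], List[Entry]]

ERROR_ENTRY_TYPE = 4  # assumption: the XSOAR error entry type


def iso_utc(dt: datetime) -> str:
    """Format a timestamp in the form the page's examples use: 2019-08-03T04:49:26.257525Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def context_values(entries: List[Entry], prefix: str) -> List[dict]:
    """Collect records stored under any EntryContext key that starts with prefix.

    Keys such as "SentinelOne.Query(val.QueryID && val.QueryID === obj.QueryID)"
    carry a merge expression, so a prefix match is used instead of an exact one.
    """
    found: List[dict] = []
    for entry in entries:
        if entry.get("Type") == ERROR_ENTRY_TYPE:
            raise RuntimeError(f"command failed: {entry.get('Contents')}")
        for key, value in (entry.get("EntryContext") or {}).items():
            if key.startswith(prefix):
                found.extend(value if isinstance(value, list) else [value])
    return found


def hunt_processes(execute: Executor, query: str, hours_back: int, limit: int = 50) -> Dict[str, dict]:
    """Create a Deep Visibility query over the last hours_back hours, then fetch
    its process events with sentinelone-get-processes. Returns events keyed by ProcessUID."""
    if not 1 <= limit <= 100:
        raise ValueError("limit must be between 1 and 100")
    now = datetime.now(timezone.utc)
    created = execute("sentinelone-create-query", {
        "query": query,
        "from_date": iso_utc(now - timedelta(hours=hours_back)),
        "to_date": iso_utc(now),
    })
    queries = context_values(created, "SentinelOne.Query")
    if not queries or not queries[0].get("QueryID"):
        raise RuntimeError("sentinelone-create-query returned no QueryID")
    events = execute("sentinelone-get-processes",
                     {"query_id": str(queries[0]["QueryID"]), "limit": str(limit)})
    return {e["ProcessUID"]: e for e in context_values(events, "SentinelOne.Event")}


def fake_executor(command: str, args: Dict[str, str]) -> List[Entry]:
    """Constructed stand-in for demisto.executeCommand; returns sample data only."""
    if command == "sentinelone-create-query":
        key = "SentinelOne.Query(val.QueryID && val.QueryID === obj.QueryID)"
        return [{"Type": 1, "EntryContext": {key: {
            "QueryID": "q1xx2xx3", "Query": args["query"],
            "FromDate": args["from_date"], "ToDate": args["to_date"]}}}]
    if command == "sentinelone-get-processes" and args.get("query_id") == "q1xx2xx3":
        return [{"Type": 1, "EntryContext": {"SentinelOne.Event": [
            {"ProcessUID": "p-1", "ProcessName": "powershell.exe",
             "ParentProcessName": "winword.exe", "Endpoint": "WS-01",
             "SHA1": "constructed-sha1-placeholder"},
            {"ProcessUID": "p-2", "ProcessName": "cmd.exe",
             "ParentProcessName": "explorer.exe", "Endpoint": "WS-02",
             "SHA1": "constructed-sha1-placeholder"},
        ]}}]
    return [{"Type": ERROR_ENTRY_TYPE, "Contents": f"unsupported command {command}"}]


if __name__ == "__main__":
    hits = hunt_processes(fake_executor, 'ProcessName = "powershell.exe"', hours_back=24)
    for uid, event in hits.items():
        print(uid, event["Endpoint"], event["ParentProcessName"], "->", event["ProcessName"])
```

In a real automation, pass demisto.executeCommand as the executor; the limit check mirrors the 1-100 range the page documents for both event commands.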

sentinelone-shutdown-agent


Sends a shutdown command to all agents that match the input filter.

Base Command

sentinelone-shutdown-agent

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | A free-text search term that matches applicable attributes (sub-string match). Note: A device's physical addresses are matched only if they start with the search term, not if they merely contain it. | Optional |
| agent_id | A CSV list of agent IDs to shut down. | Optional |
| group_id | The ID of the network group. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Agent.ID | String | The ID of the agent that was shut down. |

Command Example

Human Readable Output

sentinelone-uninstall-agent


Sends an uninstall command to all agents that match the input filter.

Base Command

sentinelone-uninstall-agent

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | A free-text search term that matches applicable attributes (sub-string match). Note: A device's physical addresses are matched only if they start with the search term, not if they merely contain it. | Optional |
| agent_id | A CSV list of agent IDs to uninstall. | Optional |
| group_id | The ID of the network group. | Optional |

Context Output

There is no context output for this command.

Command Example

Human Readable Output