SentinelOne v2
Use the SentinelOne v2 integration to your organize your company's end points.
This integration was integrated and tested with version xx of SentinelOne Beta
Configure SentinelOne Beta on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for SentinelOne Beta.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server URL (e.g., https://usea1.sentinelone.net )
- Username
- API Token
- Trust any certificate (not secure)
- Use system proxy
- Fetch incidents
- Fetch limit
- Incident type
- First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year)
- Minimum risk score for importing incidents (0-10), where 0 is low risk and 10 is high risk
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get all agents: sentinelone-list-agents
- Create an exclusion: sentinelone-create-white-list-item
- Get all exclusion items: sentinelone-get-white-list
- Get the reputation of a hash: sentinelone-get-hash
- Get a threat list: sentinelone-get-threats
- Get a threat summary: sentinelone-threat-summary
- Mark suspicious threats: sentinelone-mark-as-threat
- Mitigate threats: sentinelone-mitigate-threat
- Resolve threats: sentinelone-resolve-threat
- Get agent details: sentinelone-get-agent
- Get a list of sites: sentinelone-get-sites
- Get a site list: sentinelone-get-site
- Reactivate a site: sentinelone-reactivate-site
- Get a list of activities: sentinelone-get-activities
- Get group data: sentinelone-get-groups
- Move agent: sentinelone-move-agent
- Delete a group: sentinelone-delete-group
- Retrieve agent processes: sentinelone-agent-processes
- Connect an agent: sentinelone-connect-agent
- Disconnect an agent: sentinelone-disconnect-agent
- Broadcast a message to agents: sentinelone-broadcast-message
- Get Deep Visibility events: sentinelone-get-events
- Create a Deep Visibility query: sentinelone-create-query
- Get a list of Deep Visibility events by process: sentinelone-get-processes
- Shutdown an agent: sentinelone-shutdown-agent
- Uninstall an agent: sentinelone-uninstall-agent
1. Get all agents
Gets a list of all agents.
Base Command
sentinelone-list-agents
Input
| Argument Name | Description | Required |
|---|---|---|
| computer_name | Filter by computer name. | Optional |
| scan_status | CSV list of scan statuses by which to filter the results, for example: “started,aborted”. | Optional |
| os_type | Included OS types, for example: “windows”. | Optional |
| created_at | Endpoint created at timestamp, for example: “2018-02-27T04:49:26.257525Z”. | Optional |
| min_active_threats | Minimum number of threats for an agent. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| SentinelOne.Agents.NetworkStatus | string | The agent network status. |
| SentinelOne.Agents.ID | string | The agent ID. |
| SentinelOne.Agents.AgentVersion | string | The agent software version. |
| SentinelOne.Agents.IsDecomissioned | boolean | Whether the agent is decommissioned. |
| SentinelOne.Agents.IsActive | boolean | Whether the agent is active. |
| SentinelOne.Agents.LastActiveDate | date | The last active date of the agent |
| SentinelOne.Agents.RegisteredAt | date | The registration date of the agent. |
| SentinelOne.Agents.ExternalIP | string | The agent IP address. |
| SentinelOne.Agents.ThreatCount | number | Number of active threats. |
| SentinelOne.Agents.EncryptedApplications | boolean | Whether disk encryption is enabled. |
| SentinelOne.Agents.OSName | string | Name of operating system. |
| SentinelOne.Agents.ComputerName | string | Name of agent computer. |
| SentinelOne.Agents.Domain | string | Domain name of the agent. |
| SentinelOne.Agents.CreatedAt | date | Creation time of the agent. |
| SentinelOne.Agents.SiteName | string | Site name associated with the agent. |
Command Example
!sentinelone-list-agents
Context Example
{
"SentinelOne.Agents": [
{
"ExternalIP": "73.92.194.57",
"Domain": "local",
"LastActiveDate": "2019-08-18T10:31:18.675994Z",
"NetworkStatus": "connected",
"EncryptedApplications": true,
"ThreatCount": 0,
"ComputerName": "Bills-MacBook-Pro",
"IsActive": false,
"OSName": "OS X",
"SiteName": "demisto",
"AgentVersion": "2.6.3.2538",
"IsDecomissioned": false,
"RegisteredAt": "2018-12-02T08:48:37.785644Z",
"ID": "507609079972387179",
"CreatedAt": "2018-12-02T08:48:37.792682Z"
},
{
"ExternalIP": "3.122.240.42",
"Domain": "WORKGROUP",
"LastActiveDate": "2019-08-18T13:56:50.620408Z",
"NetworkStatus": "connected",
"EncryptedApplications": false,
"ThreatCount": 0,
"ComputerName": "EC2AMAZ-AJ0KANC",
"IsActive": true,
"OSName": "Windows Server 2016",
"SiteName": "demisto",
"AgentVersion": "3.1.3.38",
"IsDecomissioned": false,
"RegisteredAt": "2019-06-27T08:01:05.567249Z",
"ID": "657613730168123595",
"CreatedAt": "2019-06-27T08:01:05.571895Z"
},
{
"ExternalIP": "34.100.71.242",
"Domain": "PALOALTONETWORK",
"LastActiveDate": "2019-08-16T06:32:48.683437Z",
"NetworkStatus": "connecting",
"EncryptedApplications": true,
"ThreatCount": 0,
"ComputerName": "TLVWIN9131Q1V",
"IsActive": false,
"OSName": "Windows 10",
"SiteName": "demisto",
"AgentVersion": "3.1.3.38",
"IsDecomissioned": false,
"RegisteredAt": "2019-06-27T12:09:43.590587Z",
"ID": "657738871640371668",
"CreatedAt": "2019-06-27T12:09:43.598071Z"
},
{
"ExternalIP": "52.49.120.63",
"Domain": "WORKGROUP",
"LastActiveDate": "2019-08-06T07:38:35.677266Z",
"NetworkStatus": "connected",
"EncryptedApplications": false,
"ThreatCount": 0,
"ComputerName": "EC2AMAZ-55LV527",
"IsActive": false,
"OSName": "Windows Server 2016",
"SiteName": "demisto",
"AgentVersion": "3.1.5.63",
"IsDecomissioned": false,
"RegisteredAt": "2019-08-05T11:42:38.644242Z",
"ID": "685991494097052188",
"CreatedAt": "2019-08-05T11:42:38.648232Z"
},
{
"ExternalIP": "18.202.247.204",
"Domain": "WORKGROUP",
"LastActiveDate": "2019-08-06T07:37:05.677281Z",
"NetworkStatus": "connecting",
"EncryptedApplications": false,
"ThreatCount": 0,
"ComputerName": "EC2AMAZ-TR9AE9E",
"IsActive": false,
"OSName": "Windows Server 2016",
"SiteName": "demisto",
"AgentVersion": "3.1.5.63",
"IsDecomissioned": false,
"RegisteredAt": "2019-08-05T11:46:49.681346Z",
"ID": "685993599964815937",
"CreatedAt": "2019-08-05T11:46:49.687519Z"
}
]
}
Human Readable Output
Sentinel One - List of Agents
Provides summary information and details for all the agents that matched your search criteria.
| Agent Version | Computer Name | Created At | Domain | Encrypted Applications | External IP | ID | Is Active | Is Decomissioned | Last ActiveDate | Network Status | OS Name | Registered At | Site Name | Threat Count |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2.6.3.2538 | Bills-MacBook-Pro | 2018-12-02T08:48:37.792682Z | local | true | 73.92.194.57 | 507609079972387179 | false | false | 2019-08-18T10:31:18.675994Z | connected | OS X | 2018-12-02T08:48:37.785644Z | demisto | 0 |
| 3.1.3.38 | EC2AMAZ-AJ0KANC | 2019-06-27T08:01:05.571895Z | WORKGROUP | false | 3.122.240.42 | 657613730168123595 | true | false | 2019-08-18T13:56:50.620408Z | connected | Windows Server 2016 | 2019-06-27T08:01:05.567249Z | demisto | 0 |
| 3.1.3.38 | TLVWIN9131Q1V | 2019-06-27T12:09:43.598071Z | PALOALTONETWORK | true | 34.100.71.242 | 657738871640371668 | false | false | 2019-08-16T06:32:48.683437Z | connecting | Windows 10 | 2019-06-27T12:09:43.590587Z | demisto | 0 |
| 3.1.5.63 | EC2AMAZ-55LV527 | 2019-08-05T11:42:38.648232Z | WORKGROUP | false | 52.49.120.63 | 685991494097052188 | false | false | 2019-08-06T07:38:35.677266Z | connected | Windows Server 2016 | 2019-08-05T11:42:38.644242Z | demisto | 0 |
| 3.1.5.63 | EC2AMAZ-TR9AE9E | 2019-08-05T11:46:49.687519Z | WORKGROUP | false | 18.202.247.204 | 685993599964815937 | false | false | 2019-08-06T07:37:05.677281Z | connecting | Windows Server 2016 | 2019-08-05T11:46:49.681346Z | demisto | 0 |
2. Create an exclusion
Creates an exclusion item for a white list.
Base Command
sentinelone-create-white-list-item
Input
| Argument Name | Description | Required |
|---|---|---|
| exclusion_type | Exclusion item type. Can be “file_type”, “path”, “white_hash”, “certificate”, or “browser”. | Required |
| exclusion_value | Value of the exclusion item for the exclusion list. | Required |
| os_type | OS type. Can be “windows”, “windows_legacy”, “macos”, or “linux”. OS type is required for hash exclusions. | Required |
| description | Description for adding the item. | Optional |
| exclusion_mode | Exclusion mode (path exclusion only). Can be “suppress”, “disable_in_process_monitor_deep”, “disable_in_process_monitor”, “disable_all_monitors”, or “disable_all_monitors_deep”. | Optional |
| path_exclusion_type | Excluded path for a path exclusion list. | Optional |
| group_ids | CSV list of group IDs by which to filter. Can be “site_ids” or “group_ids”. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| SentinelOne.Exclusions.ID | string | The whitelisted entity ID. |
| SentinelOne.Exclusions.Type | string | The whitelisted item type. |
| SentinelOne.Exclusions.CreatedAt | date | Time when the whitelist item was created. |
Command Example
!sentinelone-create-white-list-item exclusion_type=browser exclusion_value=Chrome os_type=windows description=test group_ids=475482421375116388
Human Readable Output
###Sentinel One - Adding an exclusion item
##The provided item was successfully added to the exclusion list
|Created At|ID|Type|
|2019-08-18T13:50:14.454550Z| 695477800149743550|browser
3. Get all exclusion items: sentinelone-get-white-list
Gets all exclusion items in a white list.
Base Command
sentinelone-get-white-list
Input
| Argument Name | Description | Required |
|---|---|---|
| item_ids | List of IDs by which to filter, for example: “225494730938493804,225494730938493915”. | Optional |
| os_types | CSV list of OS types by which to filter, for example: “windows, linux”. | Optional |
| exclusion_type | Exclusion type. Can be “file_type”, “path”, “white_hash”, “certificate”, “browser”. | Optional |
| limit | The maximum number of items to return. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| SentinelOne.Exclusions.ID | string | The item ID. |
| SentinelOne.Exclusions.Type | string | The exclusion item type. |
| SentinelOne.Exclusions.CreatedAt | date | Timestamp when the item was added. |
| SentinelOne.Exclusions.Value | string | Value of the added item. |
| SentinelOne.Exclusions.Source | string | Source of the added item. |
| SentinelOne.Exclusions.UserID | string | User ID of the user that added the item. |
| SentinelOne.Exclusions.UpdatedAt | date | Timestamp when the item was updated |
| SentinelOne.Exclusions.OsType | string | OS type. |
| SentinelOne.Exclusions.UserName | string | User name of the user that added the item. |
| SentinelOne.Exclusions.Mode | string | CSV list of modes by which to filter (ath exclusions only), for example: “suppress”. |
Command Example
!sentinelone-get-white-list exclusion_type=file_type
Context Example
{
"SentinelOne.Exclusions": [
{
"UserName": "John Roe",
"UserID": "433273625970238486",
"Value": "MDF",
"Source": "user",
"Mode": null,
"UpdatedAt": "2018-11-05T18:48:49.070978Z",
"OsType": "windows",
"Type": "file_type",
"ID": "488342219732991235",
"CreatedAt": "2018-11-05T18:48:49.072116Z"
}
]
}
Human Readable Output
Sentinel One - Listing exclusion items
Provides summary information and details for all the exclusion items that matched your search criteria.
| CreatedAt | ID | OsType | Source | Type | UpdatedAt | UserID | UserName | Value |
|---|---|---|---|---|---|---|---|---|
| 2018-11-05T18:48:49.072116Z | 488342219732991235 | windows | user | file_type | 2018-11-05T18:48:49.070978Z | 433273625970238486 | John Roe | MDF |
4. Get the reputation of a hash
Gets the reputation of a hash.
Base Command
sentinelone-get-hash
Input
| Argument Name | Description | Required |
|---|---|---|
| hash | The content hash. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| SentinelOne.Hash.Rank | Number | The hash reputation (1-10). |
| SentinelOne.Hash.Hash | String | The content hash. |
| SentinelOne.Hash.Classification | String | The hash classification. |
| SentinelOne.Hash.Classification Source | String | The hash classification source. |
Command Example
!sentinelone-get-hash hash=3aacf35d3ff2e15288851e8afe8026576f7110eb
Context Example
{
"SentinelOne.Hash": {
"ClassificationSource": "Cloud",
"Hash": "3aacf35d3ff2e15288851e8afe8026576f7110eb",
"Rank": "6",
"Classification": "PUA"
}
}
Human Readable Output
Sentinel One - Hash Reputation and Classification
Provides hash reputation (rank from 0 to 10):
| Hash | Rank | ClassificationSource | Classification |
|---|---|---|---|
| 3aacf35d3ff2e15288851e8afe8026576f7110eb | 6 | Cloud | PUA |
5. Get a threat list
Gets a list of threats.
Base Command
sentinelone-get-threats
Input
| Argument Name | Description | Required |
|---|---|---|
| content_hash | The content hash of the threat. | Optional |
| mitigation_status | CSV list of mitigation statuses. Can be “mitigated”, “active”, “blocked”, “suspicious”, “pending”, or “suspicious_resolved”. | Optional |
| created_before | Searches for threats created before this date, for example: “2018-02-27T04:49:26.257525Z”. | Optional |
| created_after | Searches for threats created after this date, for example: “2018-02-27T04:49:26.257525Z”. | Optional |
| created_until | Searches for threats created on or before this date, for example: “2018-02-27T04:49:26.257525Z”. | Optional |
| created_from | Search for threats created on or after this date, for example: “2018-02-27T04:49:26.257525Z”. | Optional |
| resolved | Whether to only return resolved threats. | Optional |
| display_name | Threat display name. Can be a partial display name, not an exact match. | Optional |
| limit | The maximum number of threats to return. Default is 20. | Optional |
| query | Full free-text search for fields. Can be “content_hash”, “file_display_name”, “file_path”, “computer_name”, or “uuid”. | Optional |
| threat_ids | CSV list of threat IDs, for example: “225494730938493804,225494730938493915”. | Optional |
| classifications | CSV list of threat classifications to search, for example: “Malware”, “Network”, “Benign”. | Optional |
| rank | Risk level threshold to retrieve (1-10). | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| SentinelOne.Threat.ID | String | The threat ID. |
| SentinelOne.Threat.AgentComputerName | String | The agent computer name. |
| SentinelOne.Threat.CreatedDate | Date | File created date. |
| SentinelOne.Threat.SiteID | String | The site ID. |
| SentinelOne.Threat.Classification | string | Classification name. |
| SentinelOne.Threat.MitigationStatus | String | The agent status. |
| SentinelOne.Threat.AgentID | String | The agent ID. |
| SentinelOne.Threat.Rank | Number | Number representing cloud reputation (1-10). |
| SentinelOne.Threat.MarkedAsBenign | Boolean | Whether the threat is marked as benign. |
Command Example
!sentinelone-get-threats
Context Example
{
"SentinelOne.Threat": [
{
"Username": "root",
"FileSha256": null,
"ThreatName": "eicar.com.txt",
"Description": "static-check-on-write",
"Classification": "Malware",
"FilePath": "/Users/yardensade/Downloads/eicar.com.txt",
"InQuarantine": null,
"Rank": 7,
"ID": "513526418089756174",
"MarkedAsBenign": false,
"FileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
"SiteID": "475482421366727779",
"CreatedDate": "2018-12-10T12:45:19.325000Z",
"AgentOsType": "macos",
"AgentID": "513505756159722818",
"AgentComputerName": "Yardens-MacBook-Pro",
"FileDisplayName": "eicar.com.txt",
"MitigationStatus": "mitigated",
"FileMaliciousContent": null
},
{
"Username": "root",
"FileSha256": null,
"ThreatName": "eicar.com",
"Description": "static-check-on-write",
"Classification": "Malware",
"FilePath": "/Users/yardensade/Downloads/eicar.com",
"InQuarantine": null,
"Rank": 7,
"ID": "513526832755426837",
"MarkedAsBenign": false,
"FileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
"SiteID": "475482421366727779",
"CreatedDate": "2018-12-10T12:46:08.771000Z",
"AgentOsType": "macos",
"AgentID": "513505756159722818",
"AgentComputerName": "Yardens-MacBook-Pro",
"FileDisplayName": "eicar.com",
"MitigationStatus": "mitigated",
"FileMaliciousContent": null
},
{
"Username": "root",
"FileSha256": null,
"ThreatName": "totally_not_a_virus.txt",
"Description": "static-check-on-write",
"Classification": "Malware",
"FilePath": "/Users/yardensade/Downloads/totally_not_a_virus.txt",
"InQuarantine": null,
"Rank": 7,
"ID": "513529274335282723",
"MarkedAsBenign": false,
"FileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
"SiteID": "475482421366727779",
"CreatedDate": "2018-12-10T12:50:59.855000Z",
"AgentOsType": "macos",
"AgentID": "513505756159722818",
"AgentComputerName": "Yardens-MacBook-Pro",
"FileDisplayName": "totally_not_a_virus.txt",
"MitigationStatus": "mitigated",
"FileMaliciousContent": null
},
{
"Username": "root",
"FileSha256": null,
"ThreatName": "eicar.com (1).txt",
"Description": "scanner",
"Classification": "Malware",
"FilePath": "/Users/yardensade/Downloads/eicar.com (1).txt",
"InQuarantine": null,
"Rank": 7,
"ID": "523732151490265554",
"MarkedAsBenign": false,
"FileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
"SiteID": "475482421366727779",
"CreatedDate": "2018-12-24T14:42:17.533000Z",
"AgentOsType": "macos",
"AgentID": "513505756159722818",
"AgentComputerName": "Yardens-MacBook-Pro",
"FileDisplayName": "eicar.com (1).txt",
"MitigationStatus": "mitigated",
"FileMaliciousContent": null
},
{
"Username": "root",
"FileSha256": null,
"ThreatName": "eicar.com (4).txt",
"Description": "scanner",
"Classification": "Malware",
"FilePath": "/Users/yardensade/Downloads/eicar.com (4).txt",
"InQuarantine": null,
"Rank": 7,
"ID": "523732178744852953",
"MarkedAsBenign": false,
"FileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
"SiteID": "475482421366727779",
"CreatedDate": "2018-12-24T14:42:20.792000Z",
"AgentOsType": "macos",
"AgentID": "513505756159722818",
"AgentComputerName": "Yardens-MacBook-Pro",
"FileDisplayName": "eicar.com (4).txt",
"MitigationStatus": "mitigated",
"FileMaliciousContent": null
},
{
"Username": "root",
"FileSha256": null,
"ThreatName": "eicar.com (3).txt",
"Description": "scanner",
"Classification": "Malware",
"FilePath": "/Users/yardensade/Downloads/eicar.com (3).txt",
"InQuarantine": null,
"Rank": 7,
"ID": "523732180305134048",
"MarkedAsBenign": false,
"FileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
"SiteID": "475482421366727779",
"CreatedDate": "2018-12-24T14:42:20.972000Z",
"AgentOsType": "macos",
"AgentID": "513505756159722818",
"AgentComputerName": "Yardens-MacBook-Pro",
"FileDisplayName": "eicar.com (3).txt",
"MitigationStatus": "mitigated",
"FileMaliciousContent": null
},
{
"Username": "root",
"FileSha256": null,
"ThreatName": "eicar.com (2).txt",
"Description": "scanner",
"Classification": "Malware",
"FilePath": "/Users/yardensade/Downloads/eicar.com (2).txt",
"InQuarantine": null,
"Rank": 7,
"ID": "523732207828156907",
"MarkedAsBenign": false,
"FileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
"SiteID": "475482421366727779",
"CreatedDate": "2018-12-24T14:42:24.275000Z",
"AgentOsType": "macos",
"AgentID": "513505756159722818",
"AgentComputerName": "Yardens-MacBook-Pro",
"FileDisplayName": "eicar.com (2).txt",
"MitigationStatus": "mitigated",
"FileMaliciousContent": null
},
{
"Username": "",
"FileSha256": null,
"ThreatName": "Fusion.dll",
"Description": "malware detected - not mitigated yet (static engine)",
"Classification": "PUA",
"FilePath": "\\Device\\HarddiskVolume3\\Users\\Mayag\\AppData\\Local\\Temp\\nsi483E.tmp\\Fusion.dll",
"InQuarantine": null,
"Rank": 6,
"ID": "579478682051177175",
"MarkedAsBenign": null,
"FileContentHash": "42361f19d4b3db3a3af96b3e7dba7bce8a5df265",
"SiteID": "475482421366727779",
"CreatedDate": "2019-03-11T12:40:42.717000Z",
"AgentOsType": "windows",
"AgentID": "523685228116918098",
"AgentComputerName": "LAPTOP-MAYA",
"FileDisplayName": "Fusion.dll",
"MitigationStatus": "mitigated",
"FileMaliciousContent": null
},
{
"Username": "",
"FileSha256": null,
"ThreatName": "BAFABC52CDF342A08CC06EFFE79F3D11.MAL",
"Description": "malware detected - not mitigated yet (static engine)",
"Classification": "PUA",
"FilePath": "\\Device\\HarddiskVolume3\\ProgramData\\Sentinel\\Quarantine\\BAFABC52CDF342A08CC06EFFE79F3D11.MAL",
"InQuarantine": null,
"Rank": 6,
"ID": "580921365667955680",
"MarkedAsBenign": null,
"FileContentHash": "42361f19d4b3db3a3af96b3e7dba7bce8a5df265",
"SiteID": "475482421366727779",
"CreatedDate": "2019-03-13T12:26:28.919000Z",
"AgentOsType": "windows",
"AgentID": "523685228116918098",
"AgentComputerName": "LAPTOP-MAYA",
"FileDisplayName": "BAFABC52CDF342A08CC06EFFE79F3D11.MAL",
"MitigationStatus": "mitigated",
"FileMaliciousContent": null
},
{
"Username": "",
"FileSha256": null,
"ThreatName": "f_004dba",
"Description": "malware detected - not mitigated yet (static engine)",
"Classification": "PUA",
"FilePath": "\\Device\\HarddiskVolume3\\Users\\Mayag\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\f_004dba",
"InQuarantine": null,
"Rank": 6,
"ID": "582523025838244347",
"MarkedAsBenign": null,
"FileContentHash": "3aacf35d3ff2e15288851e8afe8026576f7110eb",
"SiteID": "475482421366727779",
"CreatedDate": "2019-03-15T17:29:17.973000Z",
"AgentOsType": "windows",
"AgentID": "523685228116918098",
"AgentComputerName": "LAPTOP-MAYA",
"FileDisplayName": "f_004dba",
"MitigationStatus": "mitigated",
"FileMaliciousContent": null
},
{
"Username": "root",
"FileSha256": null,
"ThreatName": "eicar.com.txt",
"Description": "static-check-on-write",
"Classification": "Malware",
"FilePath": "/Users/yardensade/.Trash/eicar.com.txt",
"InQuarantine": null,
"Rank": 7,
"ID": "593894834529633491",
"MarkedAsBenign": false,
"FileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
"SiteID": "475482421366727779",
"CreatedDate": "2019-03-31T10:03:01.109000Z",
"AgentOsType": "macos",
"AgentID": "513505756159722818",
"AgentComputerName": "Yardens-MacBook-Pro",
"FileDisplayName": "eicar.com.txt",
"MitigationStatus": "mitigated",
"FileMaliciousContent": null
}
]
}
Human Readable Output
Sentinel One - Getting Threat List
Provides summary information and details for all the threats that matched your search criteria.
| Agent Computer Name | Agent ID | Classification | Created Date | File Content Hash | ID | Marked As Benign | Mitigation Status | Rank | Site ID | Site Name |
|---|---|---|---|---|---|---|---|---|---|---|
| Yardens-MacBook-Pro | 513505756159722818 | Malware | 2018-12-10T12:45:19.325000Z | 3395856ce81f2b7382dee72602f798b642f14140 | 513526418089756174 | false | mitigated | 7 | 475482421366727779 | demisto |
| Yardens-MacBook-Pro | 513505756159722818 | Malware | 2018-12-10T12:46:08.771000Z | 3395856ce81f2b7382dee72602f798b642f14140 | 513526832755426837 | false | mitigated | 7 | 475482421366727779 | demisto |
| Yardens-MacBook-Pro | 513505756159722818 | Malware | 2018-12-10T12:50:59.855000Z | 3395856ce81f2b7382dee72602f798b642f14140 | 513529274335282723 | false | mitigated | 7 | 475482421366727779 | demisto |
| Yardens-MacBook-Pro | 513505756159722818 | Malware | 2018-12-24T14:42:17.533000Z | 3395856ce81f2b7382dee72602f798b642f14140 | 523732151490265554 | false | mitigated | 7 | 475482421366727779 | demisto |
| Yardens-MacBook-Pro | 513505756159722818 | Malware | 2018-12-24T14:42:20.792000Z | 3395856ce81f2b7382dee72602f798b642f14140 | 523732178744852953 | false | mitigated | 7 | 475482421366727779 | demisto |
| Yardens-MacBook-Pro | 513505756159722818 | Malware | 2018-12-24T14:42:20.972000Z | 3395856ce81f2b7382dee72602f798b642f14140 | 523732180305134048 | false | mitigated | 7 | 475482421366727779 | demisto |
| Yardens-MacBook-Pro | 513505756159722818 | Malware | 2018-12-24T14:42:24.275000Z | 3395856ce81f2b7382dee72602f798b642f14140 | 523732207828156907 | false | mitigated | 7 | 475482421366727779 | demisto |
| LAPTOP-MAYA | 523685228116918098 | PUA | 2019-03-11T12:40:42.717000Z | 42361f19d4b3db3a3af96b3e7dba7bce8a5df265 | 579478682051177175 | mitigated | 6 | 475482421366727779 | demisto | |
| LAPTOP-MAYA | 523685228116918098 | PUA | 2019-03-13T12:26:28.919000Z | 42361f19d4b3db3a3af96b3e7dba7bce8a5df265 | 580921365667955680 | mitigated | 6 | 475482421366727779 | demisto | |
| LAPTOP-MAYA | 523685228116918098 | PUA | 2019-03-15T17:29:17.973000Z | 3aacf35d3ff2e15288851e8afe8026576f7110eb | 582523025838244347 | mitigated | 6 | 475482421366727779 | demisto | |
| Yardens-MacBook-Pro | 513505756159722818 | Malware | 2019-03-31T10:03:01.109000Z | 3395856ce81f2b7382dee72602f798b642f14140 | 593894834529633491 | false | mitigated | 7 | 475482421366727779 | demisto |
6. Get a threat summary
Gets a threat summary.
Base Command
sentinelone-threat-summary
Input
| Argument Name | Description | Required |
|---|---|---|
| group_ids | CSV list of group IDs by which to filter, for example: “225494730938493804,225494730938493915”. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| SentinelOne.Threat.Active | Number | Number of active threats in the system. |
| SentinelOne.Threat.Total | Number | Total number of threats in the system. |
| SentinelOne.Threat.Mitigated | Number | Number of mitigated threats in the system. |
| SentinelOne.Threat.Suspicious | Number | Number of suspicious threats in the system. |
| SentinelOne.Threat.Blocked | Number | Number of blocked threats in the system. |
Command Example
!sentinelone-threat-summary
Context Example
{
"SentinelOne.Threat": {
"Active": 0,
"Suspicious": 0,
"Mitigated": 11,
"Total": 11,
"Blocked": 0
}
}
Human Readable Output
Sentinel One - Dashboard Threat Summary
| Active | Blocked | Mitigated | Suspicious | Total |
|---|---|---|---|---|
| 0 | 0 | 11 | 0 | 11 |
7. Mark suspicious threats
Marks suspicious threats as a threat.
Base Command
sentinelone-mark-as-threat
Input
| Argument Name | Description | Required |
|---|---|---|
| threat_ids | CSV list of threat IDs. | Optional |
| target_scope | Scope to use for exclusions. Can be “site” or “tenant”. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| SentinelOne.Threat.ID | String | The threat ID. |
| SentinelOne.Threat.MarkedAsThreat | Boolean | Whether the suspicious threat was successfully marked as a threat. |
Command Example
!sentinelone-mark-as-threat target_scope=site threat_ids=50925977558296070
Human Readable Output
Sentinel One - Marking suspicious threats as threats
Total of 1 provided threats were marked successfully
|ID|Marked As Threat|
|509259775582960700|true
8. Mitigate threats
Applies a mitigation action to a group of threats.
Base Command
sentinelone-mitigate-threat
Input
| Argument Name | Description | Required |
|---|---|---|
| action | Mitigation action. Can be “kill”, “quarantine”, “un-quarantine”, “remediate”, or “rollback-remediation”. | Required |
| threat_ids | CSV list of threat IDs. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| SentinelOne.Threat.ID | String | The threat ID. |
| SentinelOne.Threat.Mitigated | Boolean | Whether the threat was successfully mitigated. |
| SentinelOne.Threat.Mitigation.Action | Number | Number of threats affected. |
Command Example
!sentinelone-mitigate-threat action=quarantine threat_ids=509259775582960700
Context Example
{
"SentinelOne.Threat": [
{
"Mitigated": true,
"Mitigation": {
"Action": "quarantine"
},
"ID": "509259775582960700"
}
]
}
Human Readable Output
Sentinel One - Mitigating threats
Total of 1 provided threats were mitigated successfully
| ID | Mitigation Action | Mitigated |
|---|---|---|
| 509259775582960700 | quarantine | true |
9. Resolve threats
Resolves threats using the threat ID.
Base Command
sentinelone-resolve-threat
Input
| Argument Name | Description | Required |
|---|---|---|
| threat_ids | CSV list of threat IDs. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| SentinelOne.Threat.ID | String | The threat ID. |
| SentinelOne.Threat.Resolved | Boolean | Whether the threat was successfully resolved. |
Command Example
!sentinelone-resolve-threat threat_ids=509259775582960700
Context Example
{
"SentinelOne.Threat": [
{
"Resolved": false,
"ID": "509259775582960700"
}
]
}
Human Readable Output
Sentinel One - Resolving threats
No threats were resolved
| ID | Resolved |
|---|---|
| 509259775582960700 | false |
10. Get agent details
Gets details of an agent by agent ID.
Base Command
sentinelone-get-agent
Input
| Argument Name | Description | Required |
|---|---|---|
| agent_id | The agent ID. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| SentinelOne.Agent.NetworkStatus | string | The agent network status. |
| SentinelOne.Agent.ID | string | The agent ID. |
| SentinelOne.Agent.AgentVersion | string | The agent software version. |
| SentinelOne.Agent.IsDecomissioned | boolean | Whether the agent is decommissioned. |
| SentinelOne.Agent.IsActive | boolean | Whether the agent is active. |
| SentinelOne.Agent.LastActiveDate | date | The last active date of the agent. |
| SentinelOne.Agent.RegisteredAt | date | The registration date of the agent. |
| SentinelOne.Agent.ExternalIP | string | The agent IP address. |
| SentinelOne.Agent.ThreatCount | number | Number of active threats. |
| SentinelOne.Agent.EncryptedApplications | boolean | Whether disk encryption is enabled. |
| SentinelOne.Agent.OSName | string | Name of the operating system. |
| SentinelOne.Agent.ComputerName | string | Name of the agent computer. |
| SentinelOne.Agent.Domain | string | Domain name of the agent. |
| SentinelOne.Agent.CreatedAt | date | Agent creation time. |
| SentinelOne.Agent.SiteName | string | Site name associated with the agent. |
Command Example
!sentinelone-get-agent agent_id=661361473466353783
Context Example
{
"SentinelOne.Agent": [
{
"ExternalIP": "99.80.149.227",
"Domain": "WORKGROUP",
"LastActiveDate": "2019-07-15T22:01:30.896402Z",
"NetworkStatus": "connecting",
"EncryptedApplications": false,
"ThreatCount": 0,
"ComputerName": "EC2AMAZ-S5C73AI",
"IsActive": false,
"OSName": "Windows Server 2016",
"SiteName": "demisto",
"AgentVersion": "3.2.4.54",
"IsDecomissioned": true,
"RegisteredAt": "2019-07-02T12:07:11.384037Z",
"ID": "661361473466353783",
"CreatedAt": "2019-07-02T12:07:11.388038Z"
}
]
}
Human Readable Output
Sentinel One - Get Agent Details
Provides details for the following agent ID : 661361473466353783
| Agent Version | Computer Name | Created At | Domain | Encrypted Applications | External IP | ID | Is Active | Is Decomissioned | Last ActiveDate | Network Status | OS Name | Registered At | Site Name | Threat Count |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3.2.4.54 | EC2AMAZ-S5C73AI | 2019-07-02T12:07:11.388038Z | WORKGROUP | false | 99.80.149.227 | 661361473466353783 | false | true | 2019-07-15T22:01:30.896402Z | connecting | Windows Server 2016 | 2019-07-02T12:07:11.384037Z | demisto | 0 |
11. Get a list of sites
Gets a list of all sites.
Base Command
sentinelone-get-sites
Input
| Argument Name | Description | Required |
|---|---|---|
| updated_at | Timestamp of last update, for example: “2018-02-27T04:49:26.257525Z”. | Optional |
| query | Full-text search for fields: name, account_name. | Optional |
| site_type | Site type. Can be “Trial”, “Paid”, “POC”, “DEV”, or “NFR”. | Optional |
| features | Returns sites that support the specified features. Can be “firewall-control”, “device-control”, or “ioc”. | Optional |
| state | Site state. Can be “active”, “deleted”, or “expired”. | Optional |
| suite | The suite of product features active for this site. Can be “Core” or “Complete”. | Optional |
| admin_only | Sites to which the user has Admin privileges. | Optional |
| account_id | Account ID, for example: “225494730938493804”. | Optional |
| site_name | Site name, for example: “My Site”. | Optional |
| created_at | Timestamp of site creation, for example: “2018-02-27T04:49:26.257525Z”. | Optional |
| limit | Maximum number of results to return. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| SentinelOne.Site.Creator | string | The creator name. |
| SentinelOne.Site.Name | string | The site name. |
| SentinelOne.Site.Type | string | The site type. |
| SentinelOne.Site.AccountName | string | The account name. |
| SentinelOne.Site.State | string | The site state. |
| SentinelOne.Site.HealthStatus | boolean | The health status of the site. |
| SentinelOne.Site.Suite | string | The suite to which the site belongs. |
| SentinelOne.Site.ActiveLicenses | number | Number of active licenses on the site. |
| SentinelOne.Site.ID | string | ID of the site. |
| SentinelOne.Site.TotalLicenses | number | Number of total licenses on the site. |
| SentinelOne.Site.CreatedAt | date | Timestamp when the site was created. |
| SentinelOne.Site.Expiration | string | Timestamp when the site will expire. |
| SentinelOne.Site.UnlimitedLicenses | boolean | Whether the site has unlimited licenses. |
Command Example
!sentinelone-get-sites
Context Example
{
"SentinelOne.Site": [
{
"UnlimitedLicenses": true,
"Name": "demisto",
"Creator": "John Roe",
"AccountName": "SentinelOne",
"State": "active",
"HealthStatus": true,
"Expiration": null,
"ActiveLicenses": 5,
"Suite": "Complete",
"TotalLicenses": 0,
"Type": "Paid",
"ID": "475482421366727779",
"CreatedAt": "2018-10-19T00:58:41.644879Z"
}
]
}
Human Readable Output
Sentinel One - Getting List of Sites
Provides summary information and details for all sites that matched your search criteria.
| Account Name | Active Licenses | Created At | Creator | Health Status | ID | Name | State | Suite | Total Licenses | Type | Unlimited Licenses |
|---|---|---|---|---|---|---|---|---|---|---|---|
| SentinelOne | 5 | 2018-10-19T00:58:41.644879Z | John Roe | true | 475482421366727779 | demisto | active | Complete | 0 | Paid | true |
12. Get a site list
Gets a site list by site ID.
Base Command
sentinelone-get-site
Input
| Argument Name | Description | Required |
|---|---|---|
| site_id | ID of the site. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| SentinelOne.Site.Creator | string | The creator name. |
| SentinelOne.Site.Name | string | The site name. |
| SentinelOne.Site.Type | string | The site type. |
| SentinelOne.Site.AccountName | string | The account name. |
| SentinelOne.Site.State | string | The site state. |
| SentinelOne.Site.HealthStatus | boolean | The health status of the site. |
| SentinelOne.Site.Suite | string | The suite to which the site belongs. |
| SentinelOne.Site.ActiveLicenses | number | Number of active licenses on the site. |
| SentinelOne.Site.ID | string | ID of the site. |
| SentinelOne.Site.TotalLicenses | number | Number of total licenses on the site. |
| SentinelOne.Site.CreatedAt | date | Timestamp when the site was created. |
| SentinelOne.Site.Expiration | string | Timestamp when the site will expire. |
| SentinelOne.Site.UnlimitedLicenses | boolean | Unlimited licenses boolean. |
| SentinelOne.Site.AccountID | string | Account ID. |
| SentinelOne.Site.IsDefault | boolean | Whether the site is the default site. |
Command Example
!sentinelone-get-site site_id=475482421366727779
Context Example
{
"SentinelOne.Site": [
{
"IsDefault": false,
"UnlimitedLicenses": true,
"Name": "demisto",
"Creator": "John Roe",
"AccountName": "SentinelOne",
"State": "active",
"HealthStatus": true,
"Expiration": null,
"ActiveLicenses": 5,
"Suite": "Complete",
"TotalLicenses": 0,
"Type": "Paid",
"ID": "475482421366727779",
"CreatedAt": "2018-10-19T00:58:41.644879Z",
"AccountID": "433241117337583618"
}
]
}
Human Readable Output
Sentinel One - Summary About Site: 475482421366727779
Provides summary information and details for specific site ID.
| Account Name | AccountID | Active Licenses | Created At | Creator | Health Status | ID | IsDefault | Name | State | Suite | Total Licenses | Type | Unlimited Licenses |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| SentinelOne | 433241117337583618 | 5 | 2018-10-19T00:58:41.644879Z | John Roe | true | 475482421366727779 | false | demisto | active | Complete | 0 | Paid | true |
13. Reactivate a site
Reactivates an expired site.
Base Command
sentinelone-reactivate-site
Input
| Argument Name | Description | Required |
|---|---|---|
| site_id | Site ID. Example: “225494730938493804”. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| SentinelOne.Site.ID | string | Site ID. |
| SentinelOne.Site.Reactivated | boolean | Whether the site was reactivated. |
Command Example
!sentinelone-reactivate-site site_id=475482421366727779
Human Readable Output
Sentinel One - Reactivated Site: 475482421366727779
##‘Site has been reactivated successfully’
| ID | Reactivated |
|---|---|
| 475482421366727779 | success |
14. Get a list of activities
Gets a list of activities.
Base Command
sentinelone-get-activities
Input
| Argument Name | Description | Required |
|---|---|---|
| created_after | Return activities created after this timestamp, for example: “2018-02-27T04:49:26.257525Z”. | Optional |
| user_emails | Email address of the user who invoked the activity (if applicable). | Optional |
| group_ids | List of Group IDs by which to filter, for example: “225494730938493804,225494730938493915”. | Optional |
| created_until | Return activities created on or before this timestamp, for example: “2018-02-27T04:49:26.257525Z”. | Optional |
| include_hidden | Include internal activities hidden from display, for example: “False”. | Optional |
| activities_ids | CSV list of activity IDs by which to filter, for example: “225494730938493804,225494730938493915”. | Optional |
| created_before | Return activities created before this timestamp, for example: “2018-02-27T04:49:26.257525Z”. | Optional |
| threats_ids | CSV list of threat IDs for which to return activities, for example: “225494730938493804,225494730938493915”. | Optional |
| activity_types | CSV of activity codes to return, for example: “52,53,71,72”. | Optional |
| user_ids | CSV list of user IDs for users that invoked the activity (if applicable), for example: “225494730938493804,225494730938493915”. | Optional |
| created_from | Return activities created on or after this timestamp, for example: “2018-02-27T04:49:26.257525Z”. | Optional |
| created_between | Return activities created within this range (inclusive), for example: “1514978764288-1514978999999”. | Optional |
| agent_ids | Return activities related to specified agents. Example: “225494730938493804,225494730938493915”. | Optional |
| limit | Maximum number of items to return (1-100). | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| SentinelOne.Activity.AgentID | String | Related agent (if applicable). |
| SentinelOne.Activity.AgentUpdatedVersion | String | Agent’s new version (if applicable). |
| SentinelOne.Activity.SiteID | String | Related site (if applicable). |
| SentinelOne.Activity.UserID | String | The user who invoked the activity (if applicable). |
| SentinelOne.Activity.SecondaryDescription | String | Secondary description. |
| SentinelOne.Activity.OsFamily | String | Agent’s OS type (if applicable). Can be “linux”, “macos”, “windows”, or “windows_legacy”. |
| SentinelOne.Activity.ActivityType | Number | Activity type. |
| SentinelOne.Activity.data.SiteID | String | The site ID. |
| SentinelOne.Activity.data.SiteName | String | The site name. |
| SentinelOne.Activity.data.username | String | The name of the site creator. |
| SentinelOne.Activity.Hash | String | Threat file hash (if applicable). |
| SentinelOne.Activity.UpdatedAt | Date | Activity last updated time (UTC). |
| SentinelOne.Activity.Comments | String | Comments for the activity. |
| SentinelOne.Activity.ThreatID | String | Related threat (if applicable). |
| SentinelOne.Activity.PrimaryDescription | String | Primary description for the activity. |
| SentinelOne.Activity.GroupID | String | Related group (if applicable). |
| SentinelOne.Activity.ID | String | Activity ID. |
| SentinelOne.Activity.CreatedAt | Date | Activity creation time (UTC). |
| SentinelOne.Activity.Description | String | Extra activity information. |
Command Example
!sentinelone-get-activities
Context Example
{
"SentinelOne.Activity": [
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 5020,
"UserID": "433273625970238486",
"Comments": null,
"ID": "475482421492556909",
"PrimaryDescription": "The management user John Roe created demisto site.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-10-19T00:58:41.660287Z",
"AgentID": null,
"Data": {
"siteName": "demisto",
"username": "John Roe",
"siteId": 475482421366727800
},
"GroupID": null,
"CreatedAt": "2018-10-19T00:58:41.660278Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": "John Roe",
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 23,
"UserID": "475482955872052394",
"Comments": null,
"ID": "475482955955938476",
"PrimaryDescription": "The management user John Roe added user Jane Doe as admin.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-10-19T00:59:45.373592Z",
"AgentID": null,
"Data": {
"byUser": "John Roe",
"username": "Jane Doe",
"role": "admin"
},
"GroupID": null,
"CreatedAt": "2018-10-19T00:59:45.373584Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 27,
"UserID": "475482955872052394",
"Comments": null,
"ID": "475553388201878769",
"PrimaryDescription": "The management user Jane Doe logged into management console.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-10-19T03:19:41.551249Z",
"AgentID": null,
"Data": {
"username": "Jane Doe",
"source": "mgmt",
"role": "admin"
},
"GroupID": null,
"CreatedAt": "2018-10-19T03:19:41.551236Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 27,
"UserID": "475482955872052394",
"Comments": null,
"ID": "476162850050648822",
"PrimaryDescription": "The management user Jane Doe logged into management console.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-10-19T23:30:35.062505Z",
"AgentID": null,
"Data": {
"username": "Jane Doe",
"source": "mgmt",
"role": "admin"
},
"GroupID": null,
"CreatedAt": "2018-10-19T23:30:35.062484Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 27,
"UserID": "475482955872052394",
"Comments": null,
"ID": "476162850092591864",
"PrimaryDescription": "The management user Jane Doe logged into management console.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-10-19T23:30:35.068827Z",
"AgentID": null,
"Data": {
"username": "Jane Doe",
"source": "mgmt",
"role": "admin"
},
"GroupID": null,
"CreatedAt": "2018-10-19T23:30:35.068812Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 27,
"UserID": "475482955872052394",
"Comments": null,
"ID": "478078612361294941",
"PrimaryDescription": "The management user Jane Doe logged into management console.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-10-22T14:56:51.726777Z",
"AgentID": null,
"Data": {
"username": "Jane Doe",
"source": "mgmt",
"role": "admin"
},
"GroupID": null,
"CreatedAt": "2018-10-22T14:56:51.726762Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 27,
"UserID": "475482955872052394",
"Comments": null,
"ID": "478078815793427551",
"PrimaryDescription": "The management user Jane Doe logged into management console.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-10-22T14:57:15.978615Z",
"AgentID": null,
"Data": {
"username": "Jane Doe",
"source": "mgmt",
"role": "admin"
},
"GroupID": null,
"CreatedAt": "2018-10-22T14:57:15.978605Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 27,
"UserID": "475482955872052394",
"Comments": null,
"ID": "499090543532554580",
"PrimaryDescription": "The management user Jane Doe logged into management console.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-11-20T14:43:49.115665Z",
"AgentID": null,
"Data": {
"username": "Jane Doe",
"source": "mgmt",
"role": "admin"
},
"GroupID": null,
"CreatedAt": "2018-11-20T14:43:49.115657Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 27,
"UserID": "475482955872052394",
"Comments": null,
"ID": "500911232606524037",
"PrimaryDescription": "The management user Jane Doe logged into management console.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-11-23T03:01:12.166753Z",
"AgentID": null,
"Data": {
"username": "Jane Doe",
"source": "mgmt",
"role": "admin"
},
"GroupID": null,
"CreatedAt": "2018-11-23T03:01:12.166743Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 27,
"UserID": "475482955872052394",
"Comments": null,
"ID": "504856083882582151",
"PrimaryDescription": "The management user Jane Doe logged into management console.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-11-28T13:38:55.085497Z",
"AgentID": null,
"Data": {
"username": "Jane Doe",
"source": "mgmt",
"role": "admin"
},
"GroupID": null,
"CreatedAt": "2018-11-28T13:38:55.085488Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": "",
"ActivityType": 17,
"UserID": null,
"Comments": null,
"ID": "507609080257599870",
"PrimaryDescription": "Bills-MBP subscribed and joined the group Default Group.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-02T08:48:37.826824Z",
"AgentID": "507609079972387179",
"Data": {
"computerName": "Bills-MBP",
"group": "Default Group",
"optionalGroups": []
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-02T08:48:37.826816Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 71,
"UserID": null,
"Comments": null,
"ID": "507609080626698626",
"PrimaryDescription": "System initiated a full disk scan to the agent: Bills-MBP (98.234.105.153).",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-02T08:48:37.871144Z",
"AgentID": "507609079972387179",
"Data": {
"externalIp": "98.234.105.153",
"computerName": "Bills-MBP",
"system": true,
"uuid": "9A532F6E-0F87-5F8E-B6AB-C0206599C568"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-02T08:48:37.871136Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 90,
"UserID": null,
"Comments": null,
"ID": "507609341168474555",
"PrimaryDescription": "Agent Bills-MBP started full disk scan at Sun, 02 Dec 2018, 08:49:08 UTC.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-02T08:49:08.929672Z",
"AgentID": "507609079972387179",
"Data": {
"status": "started",
"computerName": "Bills-MBP",
"createdAt": "2018-12-02T08:49:08.908384Z"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-02T08:49:08.929660Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 92,
"UserID": null,
"Comments": null,
"ID": "508159023422660725",
"PrimaryDescription": "Agent Bills-MBP completed full disk scan at Mon, 03 Dec 2018, 03:01:16 UTC.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-03T03:01:16.160715Z",
"AgentID": "507609079972387179",
"Data": {
"status": "finished",
"computerName": "Bills-MBP",
"createdAt": "2018-12-03T03:01:16.153462Z"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-03T03:01:16.160707Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": "509259775582960700",
"SecondaryDescription": "/Users/bill/.Trash/eicar.com.txt",
"ActivityType": 18,
"UserID": null,
"Comments": null,
"ID": "509259775683623999",
"PrimaryDescription": "Threat detected, name: eicar.com.txt.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-04T15:28:16.055823Z",
"AgentID": "507609079972387179",
"Data": {
"username": null,
"computerName": "Bills-MBP",
"threatClassificationSource": "Engine",
"filePath": "/Users/bill/.Trash/eicar.com.txt",
"threatClassification": "OSX.Malware",
"fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
"fileDisplayName": "eicar.com.txt"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-04T15:28:16.055815Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": "509259775582960700",
"SecondaryDescription": "/Users/bill/.Trash/eicar.com.txt",
"ActivityType": 2004,
"UserID": null,
"Comments": null,
"ID": "509259776623148097",
"PrimaryDescription": "The agent Bills-MBP successfully quarantined the threat: eicar.com.txt.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-04T15:28:16.168238Z",
"AgentID": "507609079972387179",
"Data": {
"computerName": "Bills-MBP",
"threatClassificationSource": "Engine",
"filePath": "/Users/bill/.Trash/eicar.com.txt",
"threatClassification": "OSX.Malware",
"fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
"fileDisplayName": "eicar.com.txt"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-04T15:28:16.168216Z"
},
{
"OsFamily": "macos",
"AgentUpdatedVersion": null,
"Hash": "3395856ce81f2b7382dee72602f798b642f14140",
"Description": null,
"ThreatID": null,
"SecondaryDescription": "3395856ce81f2b7382dee72602f798b642f14140",
"ActivityType": 3006,
"UserID": null,
"Comments": null,
"ID": "509259849436265543",
"PrimaryDescription": "Cloud has added macOS black hash.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-04T15:28:24.847663Z",
"AgentID": null,
"Data": {
"fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
"osFamily": "osx",
"description": null
},
"GroupID": null,
"CreatedAt": "2018-12-04T15:28:24.847654Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 27,
"UserID": "475482955872052394",
"Comments": null,
"ID": "510432832787879335",
"PrimaryDescription": "The management user Jane Doe logged into the management console.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-06T06:18:55.360302Z",
"AgentID": null,
"Data": {
"username": "Jane Doe",
"source": "mgmt",
"role": "admin"
},
"GroupID": null,
"CreatedAt": "2018-12-06T06:18:55.360294Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 33,
"UserID": "475482955872052394",
"Comments": null,
"ID": "510434401356912041",
"PrimaryDescription": "The management user Jane Doe logged out of the management console.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-06T06:22:02.348128Z",
"AgentID": null,
"Data": {
"username": "Jane Doe",
"role": "admin"
},
"GroupID": null,
"CreatedAt": "2018-12-06T06:22:02.348116Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 27,
"UserID": "475482955872052394",
"Comments": null,
"ID": "512980043203657099",
"PrimaryDescription": "The management user Jane Doe logged into the management console.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-09T18:39:46.504215Z",
"AgentID": null,
"Data": {
"username": "Jane Doe",
"source": "mgmt",
"role": "admin"
},
"GroupID": null,
"CreatedAt": "2018-12-09T18:39:46.504206Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 27,
"UserID": "475482955872052394",
"Comments": null,
"ID": "513485626755302270",
"PrimaryDescription": "The management user Jane Doe logged into the management console.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T11:24:16.759935Z",
"AgentID": null,
"Data": {
"username": "Jane Doe",
"source": "mgmt",
"role": "admin"
},
"GroupID": null,
"CreatedAt": "2018-12-10T11:24:16.759925Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": "Jane Doe",
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 23,
"UserID": "513488018280334208",
"Comments": null,
"ID": "513488018364220290",
"PrimaryDescription": "The management user Jane Doe added user Yarden Sade as admin.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T11:29:01.861735Z",
"AgentID": null,
"Data": {
"byUser": "Jane Doe",
"username": "Yarden Sade",
"role": "admin"
},
"GroupID": null,
"CreatedAt": "2018-12-10T11:29:01.861727Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 33,
"UserID": "475482955872052394",
"Comments": null,
"ID": "513489064113259396",
"PrimaryDescription": "The management user Jane Doe logged out of the management console.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T11:31:06.525318Z",
"AgentID": null,
"Data": {
"username": "Jane Doe",
"role": "admin"
},
"GroupID": null,
"CreatedAt": "2018-12-10T11:31:06.525307Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 27,
"UserID": "513488018280334208",
"Comments": null,
"ID": "513489107926958983",
"PrimaryDescription": "The management user Yarden Sade logged into the management console.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T11:31:11.748582Z",
"AgentID": null,
"Data": {
"username": "Yarden Sade",
"source": "mgmt",
"role": "admin"
},
"GroupID": null,
"CreatedAt": "2018-12-10T11:31:11.748574Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 5008,
"UserID": "513488018280334208",
"Comments": null,
"ID": "513490499303424908",
"PrimaryDescription": "The management user Yarden Sade has created New group Test.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T11:33:57.612933Z",
"AgentID": null,
"Data": {
"username": "Yarden Sade",
"groupName": "Test",
"groupId": "513490499236316042"
},
"GroupID": null,
"CreatedAt": "2018-12-10T11:33:57.612924Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 33,
"UserID": "513488018280334208",
"Comments": null,
"ID": "513504037921146173",
"PrimaryDescription": "The management user Yarden Sade logged out of the management console.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T12:00:51.541682Z",
"AgentID": null,
"Data": {
"username": "Yarden Sade",
"role": "admin"
},
"GroupID": null,
"CreatedAt": "2018-12-10T12:00:51.541671Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 27,
"UserID": "475482955872052394",
"Comments": null,
"ID": "513504203889755456",
"PrimaryDescription": "The management user Jane Doe logged into the management console.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T12:01:11.326905Z",
"AgentID": null,
"Data": {
"username": "Jane Doe",
"source": "mgmt",
"role": "admin"
},
"GroupID": null,
"CreatedAt": "2018-12-10T12:01:11.326896Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": "",
"ActivityType": 17,
"UserID": null,
"Comments": null,
"ID": "513505756310717775",
"PrimaryDescription": "164 subscribed and joined the group Default Group.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T12:04:16.390472Z",
"AgentID": "513505756159722818",
"Data": {
"computerName": "164",
"group": "Default Group",
"optionalGroups": []
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-10T12:04:16.390462Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 71,
"UserID": null,
"Comments": null,
"ID": "513505756696593747",
"PrimaryDescription": "System initiated a full disk scan to the agent: 164 (94.188.164.68).",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T12:04:16.436092Z",
"AgentID": "513505756159722818",
"Data": {
"externalIp": "94.188.164.68",
"computerName": "164",
"system": true,
"uuid": "46DBCBC2-216A-5732-A007-4348BB55B37F"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-10T12:04:16.436084Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 90,
"UserID": null,
"Comments": null,
"ID": "513506023588545884",
"PrimaryDescription": "Agent 164 started full disk scan at Mon, 10 Dec 2018, 12:04:48 UTC.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T12:04:48.252701Z",
"AgentID": "513505756159722818",
"Data": {
"status": "started",
"computerName": "164",
"createdAt": "2018-12-10T12:04:48.248338Z"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-10T12:04:48.252693Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": "513516799695046076",
"SecondaryDescription": "/Users/yardensade/WebstormProjects/content/TestData/EICAR.exe",
"ActivityType": 18,
"UserID": null,
"Comments": null,
"ID": "513516799787320769",
"PrimaryDescription": "Threat detected, name: EICAR.exe.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T12:26:12.874792Z",
"AgentID": "513505756159722818",
"Data": {
"username": null,
"computerName": "164",
"threatClassificationSource": null,
"filePath": "/Users/yardensade/WebstormProjects/content/TestData/EICAR.exe",
"threatClassification": null,
"fileContentHash": "cf8bd9dfddff007f75adf4c2be48005cea317c62",
"fileDisplayName": "EICAR.exe"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-10T12:26:12.874784Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": "513516799695046076",
"SecondaryDescription": "/Users/yardensade/WebstormProjects/content/TestData/EICAR.exe",
"ActivityType": 2004,
"UserID": null,
"Comments": null,
"ID": "513516801297270211",
"PrimaryDescription": "The agent 164 successfully quarantined the threat: EICAR.exe.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T12:26:13.054678Z",
"AgentID": "513505756159722818",
"Data": {
"computerName": "164",
"threatClassificationSource": "Engine",
"filePath": "/Users/yardensade/WebstormProjects/content/TestData/EICAR.exe",
"threatClassification": "OSX.Malware",
"fileContentHash": "cf8bd9dfddff007f75adf4c2be48005cea317c62",
"fileDisplayName": "EICAR.exe"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-10T12:26:13.054666Z"
},
{
"OsFamily": "macos",
"AgentUpdatedVersion": null,
"Hash": "cf8bd9dfddff007f75adf4c2be48005cea317c62",
"Description": null,
"ThreatID": null,
"SecondaryDescription": "cf8bd9dfddff007f75adf4c2be48005cea317c62",
"ActivityType": 3006,
"UserID": null,
"Comments": null,
"ID": "513516852300006858",
"PrimaryDescription": "Cloud has added macOS black hash.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T12:26:19.135226Z",
"AgentID": null,
"Data": {
"fileContentHash": "cf8bd9dfddff007f75adf4c2be48005cea317c62",
"osFamily": "osx",
"description": null
},
"GroupID": null,
"CreatedAt": "2018-12-10T12:26:19.135218Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": "513516952292214236",
"SecondaryDescription": "/Users/yardensade/dev/demisto/content/TestData/EICAR.exe",
"ActivityType": 18,
"UserID": null,
"Comments": null,
"ID": "513516952367711710",
"PrimaryDescription": "Threat detected, name: EICAR.exe.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T12:26:31.064576Z",
"AgentID": "513505756159722818",
"Data": {
"username": null,
"computerName": "164",
"threatClassificationSource": "Cloud",
"filePath": "/Users/yardensade/dev/demisto/content/TestData/EICAR.exe",
"threatClassification": "Malware",
"fileContentHash": "cf8bd9dfddff007f75adf4c2be48005cea317c62",
"fileDisplayName": "EICAR.exe"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-10T12:26:31.064568Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": "513516952292214236",
"SecondaryDescription": "/Users/yardensade/dev/demisto/content/TestData/EICAR.exe",
"ActivityType": 2004,
"UserID": null,
"Comments": null,
"ID": "513516953818940898",
"PrimaryDescription": "The agent 164 successfully quarantined the threat: EICAR.exe.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T12:26:31.236777Z",
"AgentID": "513505756159722818",
"Data": {
"computerName": "164",
"threatClassificationSource": "Cloud",
"filePath": "/Users/yardensade/dev/demisto/content/TestData/EICAR.exe",
"threatClassification": "Malware",
"fileContentHash": "cf8bd9dfddff007f75adf4c2be48005cea317c62",
"fileDisplayName": "EICAR.exe"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-10T12:26:31.236769Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": "513518844384691684",
"SecondaryDescription": "/Users/yardensade/Documents/GitHub/content/TestData/EICAR.exe",
"ActivityType": 18,
"UserID": null,
"Comments": null,
"ID": "513518844460189159",
"PrimaryDescription": "Threat detected, name: EICAR.exe.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T12:30:16.619432Z",
"AgentID": "513505756159722818",
"Data": {
"username": null,
"computerName": "164",
"threatClassificationSource": "Cloud",
"filePath": "/Users/yardensade/Documents/GitHub/content/TestData/EICAR.exe",
"threatClassification": "Malware",
"fileContentHash": "cf8bd9dfddff007f75adf4c2be48005cea317c62",
"fileDisplayName": "EICAR.exe"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-10T12:30:16.619423Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": "513518844384691684",
"SecondaryDescription": "/Users/yardensade/Documents/GitHub/content/TestData/EICAR.exe",
"ActivityType": 2004,
"UserID": null,
"Comments": null,
"ID": "513518845877863914",
"PrimaryDescription": "The agent 164 successfully quarantined the threat: EICAR.exe.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T12:30:16.788068Z",
"AgentID": "513505756159722818",
"Data": {
"computerName": "164",
"threatClassificationSource": "Cloud",
"filePath": "/Users/yardensade/Documents/GitHub/content/TestData/EICAR.exe",
"threatClassification": "Malware",
"fileContentHash": "cf8bd9dfddff007f75adf4c2be48005cea317c62",
"fileDisplayName": "EICAR.exe"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-10T12:30:16.788059Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 92,
"UserID": null,
"Comments": null,
"ID": "513519504073213420",
"PrimaryDescription": "Agent 164 completed full disk scan at Mon, 10 Dec 2018, 12:31:35 UTC.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T12:31:35.251329Z",
"AgentID": "513505756159722818",
"Data": {
"status": "finished",
"computerName": "164",
"createdAt": "2018-12-10T12:31:35.248610Z"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-10T12:31:35.251320Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": "513526418089756174",
"SecondaryDescription": "/Users/yardensade/Downloads/eicar.com.txt",
"ActivityType": 18,
"UserID": null,
"Comments": null,
"ID": "513526418156865040",
"PrimaryDescription": "Threat detected, name: eicar.com.txt.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T12:45:19.474339Z",
"AgentID": "513505756159722818",
"Data": {
"username": null,
"computerName": "164",
"threatClassificationSource": "Engine",
"filePath": "/Users/yardensade/Downloads/eicar.com.txt",
"threatClassification": "OSX.Malware",
"fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
"fileDisplayName": "eicar.com.txt"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-10T12:45:19.474330Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": "513526418089756174",
"SecondaryDescription": "/Users/yardensade/Downloads/eicar.com.txt",
"ActivityType": 2004,
"UserID": null,
"Comments": null,
"ID": "513526419608094227",
"PrimaryDescription": "The agent 164 successfully quarantined the threat: eicar.com.txt.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T12:45:19.647320Z",
"AgentID": "513505756159722818",
"Data": {
"computerName": "164",
"threatClassificationSource": "Engine",
"filePath": "/Users/yardensade/Downloads/eicar.com.txt",
"threatClassification": "OSX.Malware",
"fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
"fileDisplayName": "eicar.com.txt"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-10T12:45:19.647311Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": "513526832755426837",
"SecondaryDescription": "/Users/yardensade/Downloads/eicar.com",
"ActivityType": 18,
"UserID": null,
"Comments": null,
"ID": "513526832864478743",
"PrimaryDescription": "Threat detected, name: eicar.com.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T12:46:08.910934Z",
"AgentID": "513505756159722818",
"Data": {
"username": null,
"computerName": "164",
"threatClassificationSource": "Engine",
"filePath": "/Users/yardensade/Downloads/eicar.com",
"threatClassification": "OSX.Malware",
"fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
"fileDisplayName": "eicar.com"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-10T12:46:08.910923Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": "513526832755426837",
"SecondaryDescription": "/Users/yardensade/Downloads/eicar.com",
"ActivityType": 2004,
"UserID": null,
"Comments": null,
"ID": "513526834374428187",
"PrimaryDescription": "The agent 164 successfully quarantined the threat: eicar.com.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T12:46:09.091198Z",
"AgentID": "513505756159722818",
"Data": {
"computerName": "164",
"threatClassificationSource": "Engine",
"filePath": "/Users/yardensade/Downloads/eicar.com",
"threatClassification": "OSX.Malware",
"fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
"fileDisplayName": "eicar.com"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-10T12:46:09.091186Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": "513526832755426837",
"SecondaryDescription": "/Users/yardensade/Downloads/eicar.com",
"ActivityType": 2004,
"UserID": null,
"Comments": null,
"ID": "513526971268122141",
"PrimaryDescription": "The agent 164 successfully quarantined the threat: eicar.com.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T12:46:25.410362Z",
"AgentID": "513505756159722818",
"Data": {
"computerName": "164",
"threatClassificationSource": "Engine",
"filePath": "/Users/yardensade/Downloads/eicar.com",
"threatClassification": "OSX.Malware",
"fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
"fileDisplayName": "eicar.com"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-10T12:46:25.410353Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": "513526418089756174",
"SecondaryDescription": "/Users/yardensade/Downloads/eicar.com.txt",
"ActivityType": 2004,
"UserID": null,
"Comments": null,
"ID": "513528784247637538",
"PrimaryDescription": "The agent 164 successfully quarantined the threat: eicar.com.txt.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T12:50:01.534329Z",
"AgentID": "513505756159722818",
"Data": {
"computerName": "164",
"threatClassificationSource": "Engine",
"filePath": "/Users/yardensade/Downloads/eicar.com.txt",
"threatClassification": "OSX.Malware",
"fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
"fileDisplayName": "eicar.com.txt"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-10T12:50:01.534321Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": "513529274335282723",
"SecondaryDescription": "/Users/yardensade/Downloads/totally_not_a_virus.txt",
"ActivityType": 18,
"UserID": null,
"Comments": null,
"ID": "513529274402391589",
"PrimaryDescription": "Threat detected, name: totally_not_a_virus.txt.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T12:50:59.965549Z",
"AgentID": "513505756159722818",
"Data": {
"username": null,
"computerName": "164",
"threatClassificationSource": "Engine",
"filePath": "/Users/yardensade/Downloads/totally_not_a_virus.txt",
"threatClassification": "OSX.Malware",
"fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
"fileDisplayName": "totally_not_a_virus.txt"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-10T12:50:59.965541Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": "513529274335282723",
"SecondaryDescription": "/Users/yardensade/Downloads/totally_not_a_virus.txt",
"ActivityType": 2004,
"UserID": null,
"Comments": null,
"ID": "513529275895563816",
"PrimaryDescription": "The agent 164 successfully quarantined the threat: totally_not_a_virus.txt.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T12:51:00.143471Z",
"AgentID": "513505756159722818",
"Data": {
"computerName": "164",
"threatClassificationSource": "Engine",
"filePath": "/Users/yardensade/Downloads/totally_not_a_virus.txt",
"threatClassification": "OSX.Malware",
"fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
"fileDisplayName": "totally_not_a_virus.txt"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-10T12:51:00.143461Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": "513529274335282723",
"SecondaryDescription": "/Users/yardensade/Downloads/totally_not_a_virus.txt",
"ActivityType": 2004,
"UserID": null,
"Comments": null,
"ID": "513529459253757483",
"PrimaryDescription": "The agent 164 successfully quarantined the threat: totally_not_a_virus.txt.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T12:51:22.000536Z",
"AgentID": "513505756159722818",
"Data": {
"computerName": "164",
"threatClassificationSource": "Engine",
"filePath": "/Users/yardensade/Downloads/totally_not_a_virus.txt",
"threatClassification": "OSX.Malware",
"fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
"fileDisplayName": "totally_not_a_virus.txt"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-10T12:51:22.000526Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": "513529274335282723",
"SecondaryDescription": "/Users/yardensade/Downloads/totally_not_a_virus.txt",
"ActivityType": 2004,
"UserID": null,
"Comments": null,
"ID": "513533152942409262",
"PrimaryDescription": "The agent 164 successfully quarantined the threat: totally_not_a_virus.txt.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-10T12:58:42.323499Z",
"AgentID": "513505756159722818",
"Data": {
"computerName": "164",
"threatClassificationSource": "Engine",
"filePath": "/Users/yardensade/Downloads/totally_not_a_virus.txt",
"threatClassification": "OSX.Malware",
"fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
"fileDisplayName": "totally_not_a_virus.txt"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-10T12:58:42.323491Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": "513516952292214236",
"SecondaryDescription": "/Users/yardensade/dev/demisto/content/TestData/EICAR.exe",
"ActivityType": 2009,
"UserID": null,
"Comments": null,
"ID": "514190868824249980",
"PrimaryDescription": "The agent 164 failed to quarantine the threat: EICAR.exe.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-11T10:45:28.166458Z",
"AgentID": "513505756159722818",
"Data": {
"computerName": "164",
"threatClassificationSource": "Cloud",
"filePath": "/Users/yardensade/dev/demisto/content/TestData/EICAR.exe",
"threatClassification": "Malware",
"fileContentHash": "cf8bd9dfddff007f75adf4c2be48005cea317c62",
"fileDisplayName": "EICAR.exe"
},
"GroupID": "475482421375116388",
"CreatedAt": "2018-12-11T10:45:28.166449Z"
},
{
"OsFamily": null,
"AgentUpdatedVersion": null,
"Hash": null,
"Description": null,
"ThreatID": null,
"SecondaryDescription": null,
"ActivityType": 27,
"UserID": "475482955872052394",
"Comments": null,
"ID": "514803118157132740",
"PrimaryDescription": "The management user Jane Doe logged into the management console.",
"SiteID": "475482421366727779",
"UpdatedAt": "2018-12-12T07:01:53.974164Z",
"AgentID": null,
"Data": {
"username": "Jane Doe",
"source": "mgmt",
"role": "admin"
},
"GroupID": null,
"CreatedAt": "2018-12-12T07:01:53.974154Z"
}
]
}
Human Readable Output
Sentinel One Activities
| ID | Primary description | Data | User ID | Created at | Updated at | Threat ID |
|---|---|---|---|---|---|---|
| 475482421492556909 | The management user John Roe created demisto site. | siteId: 475482421366727779<br>siteName: demisto<br>username: John Roe | 433273625970238486 | 2018-10-19T00:58:41.660278Z | 2018-10-19T00:58:41.660287Z | |
| 475482955955938476 | The management user John Roe added user Jane Doe as admin. | byUser: John Roe<br>role: admin<br>username: Jane Doe | 475482955872052394 | 2018-10-19T00:59:45.373584Z | 2018-10-19T00:59:45.373592Z | |
| 475553388201878769 | The management user Jane Doe logged into management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-10-19T03:19:41.551236Z | 2018-10-19T03:19:41.551249Z | |
| 476162850050648822 | The management user Jane Doe logged into management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-10-19T23:30:35.062484Z | 2018-10-19T23:30:35.062505Z | |
| 476162850092591864 | The management user Jane Doe logged into management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-10-19T23:30:35.068812Z | 2018-10-19T23:30:35.068827Z | |
| 478078612361294941 | The management user Jane Doe logged into management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-10-22T14:56:51.726762Z | 2018-10-22T14:56:51.726777Z | |
| 478078815793427551 | The management user Jane Doe logged into management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-10-22T14:57:15.978605Z | 2018-10-22T14:57:15.978615Z | |
| 499090543532554580 | The management user Jane Doe logged into management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-11-20T14:43:49.115657Z | 2018-11-20T14:43:49.115665Z | |
| 500911232606524037 | The management user Jane Doe logged into management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-11-23T03:01:12.166743Z | 2018-11-23T03:01:12.166753Z | |
| 504856083882582151 | The management user Jane Doe logged into management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-11-28T13:38:55.085488Z | 2018-11-28T13:38:55.085497Z | |
| 507609080257599870 | Bills-MBP subscribed and joined the group Default Group. | computerName: Bills-MBP<br>group: Default Group<br>optionalGroups: | 2018-12-02T08:48:37.826816Z | 2018-12-02T08:48:37.826824Z | ||
| 507609080626698626 | System initiated a full disk scan to the agent: Bills-MBP (98.234.105.153). | computerName: Bills-MBP<br>externalIp: 98.234.105.153<br>system: true<br>uuid: 9A532F6E-0F87-5F8E-B6AB-C0206599C568 | 2018-12-02T08:48:37.871136Z | 2018-12-02T08:48:37.871144Z | ||
| 507609341168474555 | Agent Bills-MBP started full disk scan at Sun, 02 Dec 2018, 08:49:08 UTC. | computerName: Bills-MBP<br>createdAt: 2018-12-02T08:49:08.908384Z<br>status: started | 2018-12-02T08:49:08.929660Z | 2018-12-02T08:49:08.929672Z | ||
| 508159023422660725 | Agent Bills-MBP completed full disk scan at Mon, 03 Dec 2018, 03:01:16 UTC. | computerName: Bills-MBP<br>createdAt: 2018-12-03T03:01:16.153462Z<br>status: finished | 2018-12-03T03:01:16.160707Z | 2018-12-03T03:01:16.160715Z | ||
| 509259775683623999 | Threat detected, name: eicar.com.txt. | computerName: Bills-MBP<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: eicar.com.txt<br>filePath: /Users/bill/.Trash/eicar.com.txt<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine<br>username: null | 2018-12-04T15:28:16.055815Z | 2018-12-04T15:28:16.055823Z | 509259775582960700 | |
| 509259776623148097 | The agent Bills-MBP successfully quarantined the threat: eicar.com.txt. | computerName: Bills-MBP<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: eicar.com.txt<br>filePath: /Users/bill/.Trash/eicar.com.txt<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine | 2018-12-04T15:28:16.168216Z | 2018-12-04T15:28:16.168238Z | 509259775582960700 | |
| 509259849436265543 | Cloud has added macOS black hash. | description: null<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>osFamily: osx | 2018-12-04T15:28:24.847654Z | 2018-12-04T15:28:24.847663Z | ||
| 510432832787879335 | The management user Jane Doe logged into the management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-12-06T06:18:55.360294Z | 2018-12-06T06:18:55.360302Z | |
| 510434401356912041 | The management user Jane Doe logged out of the management console. | role: admin<br>username: Jane Doe | 475482955872052394 | 2018-12-06T06:22:02.348116Z | 2018-12-06T06:22:02.348128Z | |
| 512980043203657099 | The management user Jane Doe logged into the management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-12-09T18:39:46.504206Z | 2018-12-09T18:39:46.504215Z | |
| 513485626755302270 | The management user Jane Doe logged into the management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-12-10T11:24:16.759925Z | 2018-12-10T11:24:16.759935Z | |
| 513488018364220290 | The management user Jane Doe added user Yarden Sade as admin. | byUser: Jane Doe<br>role: admin<br>username: Yarden Sade | 513488018280334208 | 2018-12-10T11:29:01.861727Z | 2018-12-10T11:29:01.861735Z | |
| 513489064113259396 | The management user Jane Doe logged out of the management console. | role: admin<br>username: Jane Doe | 475482955872052394 | 2018-12-10T11:31:06.525307Z | 2018-12-10T11:31:06.525318Z | |
| 513489107926958983 | The management user Yarden Sade logged into the management console. | role: admin<br>source: mgmt<br>username: Yarden Sade | 513488018280334208 | 2018-12-10T11:31:11.748574Z | 2018-12-10T11:31:11.748582Z | |
| 513490499303424908 | The management user Yarden Sade has created New group Test. | groupId: 513490499236316042<br>groupName: Test<br>username: Yarden Sade | 513488018280334208 | 2018-12-10T11:33:57.612924Z | 2018-12-10T11:33:57.612933Z | |
| 513504037921146173 | The management user Yarden Sade logged out of the management console. | role: admin<br>username: Yarden Sade | 513488018280334208 | 2018-12-10T12:00:51.541671Z | 2018-12-10T12:00:51.541682Z | |
| 513504203889755456 | The management user Jane Doe logged into the management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-12-10T12:01:11.326896Z | 2018-12-10T12:01:11.326905Z | |
| 513505756310717775 | 164 subscribed and joined the group Default Group. | computerName: 164<br>group: Default Group<br>optionalGroups: | 2018-12-10T12:04:16.390462Z | 2018-12-10T12:04:16.390472Z | ||
| 513505756696593747 | System initiated a full disk scan to the agent: 164 (94.188.164.68). | computerName: 164<br>externalIp: 94.188.164.68<br>system: true<br>uuid: 46DBCBC2-216A-5732-A007-4348BB55B37F | 2018-12-10T12:04:16.436084Z | 2018-12-10T12:04:16.436092Z | ||
| 513506023588545884 | Agent 164 started full disk scan at Mon, 10 Dec 2018, 12:04:48 UTC. | computerName: 164<br>createdAt: 2018-12-10T12:04:48.248338Z<br>status: started | 2018-12-10T12:04:48.252693Z | 2018-12-10T12:04:48.252701Z | ||
| 513516799787320769 | Threat detected, name: EICAR.exe. | computerName: 164<br>fileContentHash: cf8bd9dfddff007f75adf4c2be48005cea317c62<br>fileDisplayName: EICAR.exe<br>filePath: /Users/yardensade/WebstormProjects/content/TestData/EICAR.exe<br>threatClassification: null<br>threatClassificationSource: null<br>username: null | 2018-12-10T12:26:12.874784Z | 2018-12-10T12:26:12.874792Z | 513516799695046076 | |
| 513516801297270211 | The agent 164 successfully quarantined the threat: EICAR.exe. | computerName: 164<br>fileContentHash: cf8bd9dfddff007f75adf4c2be48005cea317c62<br>fileDisplayName: EICAR.exe<br>filePath: /Users/yardensade/WebstormProjects/content/TestData/EICAR.exe<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine | 2018-12-10T12:26:13.054666Z | 2018-12-10T12:26:13.054678Z | 513516799695046076 | |
| 513516852300006858 | Cloud has added macOS black hash. | description: null<br>fileContentHash: cf8bd9dfddff007f75adf4c2be48005cea317c62<br>osFamily: osx | 2018-12-10T12:26:19.135218Z | 2018-12-10T12:26:19.135226Z | ||
| 513516952367711710 | Threat detected, name: EICAR.exe. | computerName: 164<br>fileContentHash: cf8bd9dfddff007f75adf4c2be48005cea317c62<br>fileDisplayName: EICAR.exe<br>filePath: /Users/yardensade/dev/demisto/content/TestData/EICAR.exe<br>threatClassification: Malware<br>threatClassificationSource: Cloud<br>username: null | 2018-12-10T12:26:31.064568Z | 2018-12-10T12:26:31.064576Z | 513516952292214236 | |
| 513516953818940898 | The agent 164 successfully quarantined the threat: EICAR.exe. | computerName: 164<br>fileContentHash: cf8bd9dfddff007f75adf4c2be48005cea317c62<br>fileDisplayName: EICAR.exe<br>filePath: /Users/yardensade/dev/demisto/content/TestData/EICAR.exe<br>threatClassification: Malware<br>threatClassificationSource: Cloud | 2018-12-10T12:26:31.236769Z | 2018-12-10T12:26:31.236777Z | 513516952292214236 | |
| 513518844460189159 | Threat detected, name: EICAR.exe. | computerName: 164<br>fileContentHash: cf8bd9dfddff007f75adf4c2be48005cea317c62<br>fileDisplayName: EICAR.exe<br>filePath: /Users/yardensade/Documents/GitHub/content/TestData/EICAR.exe<br>threatClassification: Malware<br>threatClassificationSource: Cloud<br>username: null | 2018-12-10T12:30:16.619423Z | 2018-12-10T12:30:16.619432Z | 513518844384691684 | |
| 513518845877863914 | The agent 164 successfully quarantined the threat: EICAR.exe. | computerName: 164<br>fileContentHash: cf8bd9dfddff007f75adf4c2be48005cea317c62<br>fileDisplayName: EICAR.exe<br>filePath: /Users/yardensade/Documents/GitHub/content/TestData/EICAR.exe<br>threatClassification: Malware<br>threatClassificationSource: Cloud | 2018-12-10T12:30:16.788059Z | 2018-12-10T12:30:16.788068Z | 513518844384691684 | |
| 513519504073213420 | Agent 164 completed full disk scan at Mon, 10 Dec 2018, 12:31:35 UTC. | computerName: 164<br>createdAt: 2018-12-10T12:31:35.248610Z<br>status: finished | 2018-12-10T12:31:35.251320Z | 2018-12-10T12:31:35.251329Z | ||
| 513526418156865040 | Threat detected, name: eicar.com.txt. | computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: eicar.com.txt<br>filePath: /Users/yardensade/Downloads/eicar.com.txt<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine<br>username: null | 2018-12-10T12:45:19.474330Z | 2018-12-10T12:45:19.474339Z | 513526418089756174 | |
| 513526419608094227 | The agent 164 successfully quarantined the threat: eicar.com.txt. | computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: eicar.com.txt<br>filePath: /Users/yardensade/Downloads/eicar.com.txt<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine | 2018-12-10T12:45:19.647311Z | 2018-12-10T12:45:19.647320Z | 513526418089756174 | |
| 513526832864478743 | Threat detected, name: eicar.com. | computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: eicar.com<br>filePath: /Users/yardensade/Downloads/eicar.com<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine<br>username: null | 2018-12-10T12:46:08.910923Z | 2018-12-10T12:46:08.910934Z | 513526832755426837 | |
| 513526834374428187 | The agent 164 successfully quarantined the threat: eicar.com. | computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: eicar.com<br>filePath: /Users/yardensade/Downloads/eicar.com<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine | 2018-12-10T12:46:09.091186Z | 2018-12-10T12:46:09.091198Z | 513526832755426837 | |
| 513526971268122141 | The agent 164 successfully quarantined the threat: eicar.com. | computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: eicar.com<br>filePath: /Users/yardensade/Downloads/eicar.com<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine | 2018-12-10T12:46:25.410353Z | 2018-12-10T12:46:25.410362Z | 513526832755426837 | |
| 513528784247637538 | The agent 164 successfully quarantined the threat: eicar.com.txt. | computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: eicar.com.txt<br>filePath: /Users/yardensade/Downloads/eicar.com.txt<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine | 2018-12-10T12:50:01.534321Z | 2018-12-10T12:50:01.534329Z | 513526418089756174 | |
| 513529274402391589 | Threat detected, name: totally_not_a_virus.txt. | computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: totally_not_a_virus.txt<br>filePath: /Users/yardensade/Downloads/totally_not_a_virus.txt<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine<br>username: null | 2018-12-10T12:50:59.965541Z | 2018-12-10T12:50:59.965549Z | 513529274335282723 | |
| 513529275895563816 | The agent 164 successfully quarantined the threat: totally_not_a_virus.txt. | computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: totally_not_a_virus.txt<br>filePath: /Users/yardensade/Downloads/totally_not_a_virus.txt<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine | 2018-12-10T12:51:00.143461Z | 2018-12-10T12:51:00.143471Z | 513529274335282723 | |
| 513529459253757483 | The agent 164 successfully quarantined the threat: totally_not_a_virus.txt. | computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: totally_not_a_virus.txt<br>filePath: /Users/yardensade/Downloads/totally_not_a_virus.txt<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine | 2018-12-10T12:51:22.000526Z | 2018-12-10T12:51:22.000536Z | 513529274335282723 | |
| 513533152942409262 | The agent 164 successfully quarantined the threat: totally_not_a_virus.txt. | computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: totally_not_a_virus.txt<br>filePath: /Users/yardensade/Downloads/totally_not_a_virus.txt<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine | 2018-12-10T12:58:42.323491Z | 2018-12-10T12:58:42.323499Z | 513529274335282723 | |
| 514190868824249980 | The agent 164 failed to quarantine the threat: EICAR.exe. | computerName: 164<br>fileContentHash: cf8bd9dfddff007f75adf4c2be48005cea317c62<br>fileDisplayName: EICAR.exe<br>filePath: /Users/yardensade/dev/demisto/content/TestData/EICAR.exe<br>threatClassification: Malware<br>threatClassificationSource: Cloud | 2018-12-11T10:45:28.166449Z | 2018-12-11T10:45:28.166458Z | 513516952292214236 | |
| 514803118157132740 | The management user Jane Doe logged into the management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-12-12T07:01:53.974154Z | 2018-12-12T07:01:53.974164Z |
15. Get group data
Gets data for the specified group.
Base Command
sentinelone-get-groups
Input
| Argument Name | Description | Required |
|---|---|---|
| group_type | Group type, for example: “static”. | Optional |
| group_ids | CSV list of group IDs by which to filter, for example: “225494730938493804,225494730938493915”. | Optional |
| group_id | Group ID by which to filter, for example: “225494730938493804”. | Optional |
| is_default | Whether this is the default group. | Optional |
| name | The name of the group. | Optional |
| query | Free-text search on fields name. | Optional |
| rank | The rank sets the priority of a dynamic group over others, for example, “1”, which is the highest priority. | Optional |
| limit | Maximum number of items to return (1-200). | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| SentinelOne.Group.siteId | String | The ID of the site of which this group is a member. |
| SentinelOne.Group.filterName | String | If the group is dynamic, the name of the filter which is used to associate agents. |
| SentinelOne.Group.creatorId | String | The ID of the user that created the group. |
| SentinelOne.Group.name | String | The name of the group. |
| SentinelOne.Group.creator | String | The user that created the group. |
| SentinelOne.Group.rank | Number | The rank, which sets the priority of a dynamic group over others. |
| SentinelOne.Group.updatedAt | Date | Timestamp of the last update. |
| SentinelOne.Group.totalAgents | Number | Number of agents in the group. |
| SentinelOne.Group.filterId | String | If the group is dynamic, the group ID of the filter that is used to associate agents. |
| SentinelOne.Group.isDefault | Boolean | Whether the groups is the default group of the site. |
| SentinelOne.Group.inherits | Boolean | Whether the policy is inherited from a site. “False” if the group has its own edited policy. |
| SentinelOne.Group.type | String | Group type. Can be static or dynamic |
| SentinelOne.Group.id | String | The ID of the group. |
| SentinelOne.Group.createdAt | Date | Timestamp of group creation. |
Command Example
!sentinelone-get-groups
Context Example
{
"SentinelOne.Group": [
{
"inherits": true,
"name": "Default Group",
"creator": "John Roe",
"filterName": null,
"updatedAt": "2019-07-25T07:23:58.622476Z",
"filterId": null,
"rank": null,
"registrationToken": "eyJ1cmwiOiAiaHR0cHM6Ly91c2VhMS1wYXJ0bmVycy5zZW50aW5lbG9uZS5uZXQiLCAic2l0ZV9rZXkiOiAiZ184NjJiYWQzNTIwN2ZmNTJmIn0=",
"siteId": "475482421366727779",
"isDefault": true,
"creatorId": "433273625970238486",
"totalAgents": 5,
"type": "static",
"id": "475482421375116388",
"createdAt": "2018-10-19T00:58:41.646045Z"
}
]
}
Human Readable Output
Sentinel One Groups
| ID | Name | Type | Creator | Creator ID | Created at |
|---|---|---|---|---|---|
| 475482421375116388 | Default Group | static | John Roe | 433273625970238486 | 2018-10-19T00:58:41.646045Z |
16. Move agent
Moves agents to a new group.
Base Command
sentinelone-move-agent
Input
| Argument Name | Description | Required |
|---|---|---|
| group_id | The ID of the group to move the agent to. | Required |
| agents_ids | Agents IDs. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| SentinelOne.Agent.AgentsMoved | Number | The number of agents that were moved to another group. |
17. Delete a group
Deletes a group by the group ID.
Base Command
sentinelone-delete-group
Input
| Argument Name | Description | Required |
|---|---|---|
| group_id | The ID of the group to delete. | Required |
Context Output
There is no context output for this command.
Command Example
!sentinelone-delete-group group_id=661564034148420567
Human Readable Output
The group was deleted successfully
18. Retrieve agent processes
Retrieves running processes for a specific agent.
Base Command
sentinelone-agent-processes
Input
| Argument Name | Description | Required |
|---|---|---|
| agents_ids | The ID of the agent from which to retrieve the processes. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| SentinelOne.Agent.memoryUsage | Number | Memory usage (MB). |
| SentinelOne.Agent.startTime | Date | The process start time. |
| SentinelOne.Agent.pid | Number | The process ID. |
| SentinelOne.Agent.processName | String | The name of the process. |
| SentinelOne.Agent.cpuUsage | Number | CPU usage (%). |
| SentinelOne.Agent.executablePath | String | Executable path. |
19. Connect an agent
Connects agents to a network.
Base Command
sentinelone-connect-agent
Input
| Argument Name | Description | Required |
|---|---|---|
| agent_id | A CSV list of agent IDs to connect to the network. Run the list-agents command to get a list of agent IDs. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| SentinelOne.Agent.AgentsAffected | Number | The number of affected agents. |
| SentinelOne.Agent.ID | String | The IDs of the affected agents. |
Command Example
!sentinelone-connect-agent agent_id=657738871640371668
Context Example
{
"SentinelOne.Agent": {
"ID": "657738871640371668",
"NetworkStatus": "connecting"
}
}
Human Readable Output
1 agent(s) successfully connected to the network.
20. Disconnect an agent
Disconnects an agents from a network.
Base Command
sentinelone-disconnect-agent
Input
| Argument Name | Description | Required |
|---|---|---|
| agent_id | A CSV list of agent IDs to disconnect from the network. Run the list-agents command to get a list of agent IDs. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| SentinelOne.Agent.NetworkStatus | String | Agent network status. |
| SentinelOne.Agent.ID | String | The IDs of the affected agents. |
Command Example
!sentinelone-disconnect-agent agent_id=657738871640371668
Context Example
{
"SentinelOne.Agent": {
"ID": "657738871640371668",
"NetworkStatus": "connecting"
}
}
Human Readable Output
1 agent(s) successfully disconnected from the network.
21. Broadcast a message to agents
Broadcasts a message to all agents.
Base Command
sentinelone-broadcast-message
Input
| Argument Name | Description | Required |
|---|---|---|
| message | The Message to broadcast to agents. | Required |
| active_agent | Whether to only include active agents. Default is “false”. | Optional |
| group_id | List of Group IDs by which to filter the results. | Optional |
| agent_id | A list of Agent IDs by which to filter the results. | Optional |
| domain | Included network domains. | Optional |
Context Output
There is no context output for this command.
Command Example
!sentinelone-broadcast-message message="Hello World"
Human Readable Output
The message was successfully delivered to the agent(s)
22. Get Deep Visibility events
Gets all Deep Visibility events that match the query.
Base Command
sentinelone-get-events
Input
| Argument Name | Description | Required |
|---|---|---|
| limit | Maximum number of items to return (1-100). Default is “50”. | Optional |
| query_id | Query ID obtained when creating a query in the sentinelone-create-query command. Example: “q1xx2xx3”. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| SentinelOne.Event.ProcessUID | String | Process unique identifier. |
| SentinelOne.Event.SHA256 | String | SHA256 hash of the file. |
| SentinelOne.Event.AgentOS | String | OS type. Can be “windows”, “linux”, “macos”, or “windows_legac”. |
| SentinelOne.Event.ProcessID | Number | The process ID. |
| SentinelOne.Event.User | String | User assigned to the event. |
| SentinelOne.Event.Time | Date | Process start time. |
| SentinelOne.Event.Endpoint | String | The agent name. |
| SentinelOne.Event.SiteName | String | Site name. |
| SentinelOne.Event.EventType | String | Event type. Can be “events”, “file”, “ip”, “url”, “dns”, “process”, “registry”, “scheduled_task”, or “logins”. |
| SentinelOne.Event.ProcessName | String | The name of the process. |
| SentinelOne.Event.MD5 | String | MD5 hash of the file. |
| Event.ID | String | Event process ID. |
| Event.Name | String | Event name. |
| Event.Type | String | Event type. |
Command Example
!sentinelone-get-events limit="10" query_id="q5b327f7c84162549eb1d568c968ff655"
Context Example
{
"Event": [
{
"Type": "process",
"ID": "5556",
"Name": "svchost.exe"
},
{
"Type": "process",
"ID": "5432",
"Name": "VSSVC.exe"
},
{
"Type": "ip",
"ID": "1636",
"Name": "amazon-ssm-agent.exe"
},
{
"Type": "file",
"ID": "3996",
"Name": "Google Chrome"
},
{
"Type": "file",
"ID": "3996",
"Name": "Google Chrome"
},
{
"Type": "file",
"ID": "3996",
"Name": "Google Chrome"
},
{
"Type": "file",
"ID": "3996",
"Name": "Google Chrome"
},
{
"Type": "file",
"ID": "3996",
"Name": "Google Chrome"
},
{
"Type": "file",
"ID": "3996",
"Name": "Google Chrome"
},
{
"Type": "file",
"ID": "3996",
"Name": "Google Chrome"
}
],
"SentinelOne.Event": [
{
"ProcessID": "5556",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"EventType": "process",
"ProcessUID": "10EEF25AF81502CD",
"ProcessName": "svchost.exe",
"User": null,
"Time": "2019-08-04T04:48:36.440Z",
"SHA256": "438b6ccd84f4dd32d9684ed7d58fd7d1e5a75fe3f3d12ab6c788e6bb0ffad5e7",
"AgentOS": "windows",
"MD5": "36f670d89040709013f6a460176767ec"
},
{
"ProcessID": "5432",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"EventType": "process",
"ProcessUID": "DAB10F03FC995CCA",
"ProcessName": "VSSVC.exe",
"User": null,
"Time": "2019-08-04T04:48:26.439Z",
"SHA256": "29c18ccdb5077ee158ee591e2226f2c95d27a0f26f259c16c621ecc20b499bed",
"AgentOS": "windows",
"MD5": "adf381b23416fd54d5dbb582dbb7992d"
},
{
"ProcessID": "1636",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"EventType": "ip",
"ProcessUID": "1525CEC635947A9A",
"ProcessName": "amazon-ssm-agent.exe",
"User": null,
"Time": "2019-06-27T08:01:32.077Z",
"SHA256": null,
"AgentOS": "windows",
"MD5": null
},
{
"ProcessID": "3996",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"EventType": "file",
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"User": null,
"Time": "2019-06-30T13:50:54.280Z",
"SHA256": null,
"AgentOS": "windows",
"MD5": null
},
{
"ProcessID": "3996",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"EventType": "file",
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"User": null,
"Time": "2019-06-30T13:50:54.280Z",
"SHA256": null,
"AgentOS": "windows",
"MD5": null
},
{
"ProcessID": "3996",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"EventType": "file",
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"User": null,
"Time": "2019-06-30T13:50:54.280Z",
"SHA256": null,
"AgentOS": "windows",
"MD5": null
},
{
"ProcessID": "3996",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"EventType": "file",
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"User": null,
"Time": "2019-06-30T13:50:54.280Z",
"SHA256": null,
"AgentOS": "windows",
"MD5": null
},
{
"ProcessID": "3996",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"EventType": "file",
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"User": null,
"Time": "2019-06-30T13:50:54.280Z",
"SHA256": null,
"AgentOS": "windows",
"MD5": null
},
{
"ProcessID": "3996",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"EventType": "file",
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"User": null,
"Time": "2019-06-30T13:50:54.280Z",
"SHA256": null,
"AgentOS": "windows",
"MD5": null
},
{
"ProcessID": "3996",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"EventType": "file",
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"User": null,
"Time": "2019-06-30T13:50:54.280Z",
"SHA256": null,
"AgentOS": "windows",
"MD5": null
}
]
}
Human Readable Output
SentinelOne Events
| EventType | SiteName | Time | AgentOS | ProcessID | ProcessUID | ProcessName | MD5 | SHA256 |
|---|---|---|---|---|---|---|---|---|
| process | demisto | 2019-08-04T04:48:36.440Z | windows | 5556 | 10EEF25AF81502CD | svchost.exe | 36f670d89040709013f6a460176767ec | 438b6ccd84f4dd32d9684ed7d58fd7d1e5a75fe3f3d12ab6c788e6bb0ffad5e7 |
| process | demisto | 2019-08-04T04:48:26.439Z | windows | 5432 | DAB10F03FC995CCA | VSSVC.exe | adf381b23416fd54d5dbb582dbb7992d | 29c18ccdb5077ee158ee591e2226f2c95d27a0f26f259c16c621ecc20b499bed |
| ip | demisto | 2019-06-27T08:01:32.077Z | windows | 1636 | 1525CEC635947A9A | amazon-ssm-agent.exe | ||
| file | demisto | 2019-06-30T13:50:54.280Z | windows | 3996 | 84FEED6A0CB9C211 | Google Chrome | ||
| file | demisto | 2019-06-30T13:50:54.280Z | windows | 3996 | 84FEED6A0CB9C211 | Google Chrome | ||
| file | demisto | 2019-06-30T13:50:54.280Z | windows | 3996 | 84FEED6A0CB9C211 | Google Chrome | ||
| file | demisto | 2019-06-30T13:50:54.280Z | windows | 3996 | 84FEED6A0CB9C211 | Google Chrome | ||
| file | demisto | 2019-06-30T13:50:54.280Z | windows | 3996 | 84FEED6A0CB9C211 | Google Chrome | ||
| file | demisto | 2019-06-30T13:50:54.280Z | windows | 3996 | 84FEED6A0CB9C211 | Google Chrome | ||
| file | demisto | 2019-06-30T13:50:54.280Z | windows | 3996 | 84FEED6A0CB9C211 | Google Chrome |
23. Create a Deep Visibility query
Runs a Deep Visibility Query and returns the query ID. You can use the query ID for all other commands, such as the sentinelone-get-events command.
Base Command
sentinelone-create-query
Input
| Argument Name | Description | Required |
|---|---|---|
| query | The query string for which to return events. | Required |
| from_date | Query start date, for example, “2019-08-03T04:49:26.257525Z”. | Required |
| to_date | Query end date, for example, “2019-08-03T04:49:26.257525Z”. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| SentinelOne.Query.FromDate | Date | Query start date. |
| SentinelOne.Query.Query | String | The search query string. |
| SentinelOne.Query.QueryID | String | The query ID. |
| SentinelOne.Query.ToDate | Date | Query end date. |
Command Example
!sentinelone-create-query query="AgentName Is Not Empty" from_date="2019-08-02T04:49:26.257525Z" to_date="2019-08-04T04:49:26.257525Z"
24. Get a list of Deep Visibility events by process
Gets a list of Deep Visibility events from query by event type process.
Base Command
sentinelone-get-processes
Input
| Argument Name | Description | Required |
|---|---|---|
| query_id | The queryId that is returned when creating a query under Create Query. Example: “q1xx2xx3”. Get the query_id from the “get-query-id” command. | Required |
| limit | Maximum number of items to return (1-100). Default is “50”. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| SentinelOne.Event.ParentProcessID | Number | Parent process ID. |
| SentinelOne.Event.ProcessUID | String | The process unique identifier. |
| SentinelOne.Event.SHA1 | String | SHA1 hash of the process image. |
| SentinelOne.Event.SubsystemType | String | Process sub-system. |
| SentinelOne.Event.ParentProcessStartTime | Date | The parent process start time. |
| SentinelOne.Event.ProcessID | Number | The process ID. |
| SentinelOne.Event.ParentProcessUID | String | Parent process unique identifier. |
| SentinelOne.Event.User | String | User assigned to the event. |
| SentinelOne.Event.Time | Date | Start time of the process. |
| SentinelOne.Event.ParentProcessName | String | Parent process name. |
| SentinelOne.Event.SiteName | String | Site name. |
| SentinelOne.Event.EventType | String | The event type. |
| SentinelOne.Event.Endpoint | String | The agent name (endpoint). |
| SentinelOne.Event.IntegrityLevel | String | Process integrity level. |
| SentinelOne.Event.CMD | String | Process CMD. |
| SentinelOne.Event.ProcessName | String | Process name. |
| SentinelOne.Event.ProcessDisplayName | String | Process display name. |
Command Example
!sentinelone-get-processes query_id="q5b327f7c84162549eb1d568c968ff655"
Context Example
{
"SentinelOne.Event": [
{
"ProcessID": "5556",
"Time": "2019-08-04T04:48:36.440Z",
"CMD": null,
"ParentProcessStartTime": "2019-06-27T08:01:30.957Z",
"SHA1": "0dac68816ae7c09efc24d11c27c3274dfd147dee",
"ParentProcessID": "560",
"ProcessDisplayName": "Host Process for Windows Services",
"EventType": "process",
"ParentProcessName": "Services and Controller app",
"SubsystemType": "SYS_WIN32",
"ProcessUID": "10EEF25AF81502CD",
"ProcessName": "svchost.exe",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "CFEE347DA897CF4C",
"IntegrityLevel": "SYSTEM"
},
{
"ProcessID": "5432",
"Time": "2019-08-04T04:48:26.439Z",
"CMD": null,
"ParentProcessStartTime": "2019-06-27T08:01:30.957Z",
"SHA1": "cd5e7c15e7688d40d51d32b8286c2e1804a97349",
"ParentProcessID": "560",
"ProcessDisplayName": "Microsoft\u00ae Volume Shadow Copy Service",
"EventType": "process",
"ParentProcessName": "Services and Controller app",
"SubsystemType": "SYS_WIN32",
"ProcessUID": "DAB10F03FC995CCA",
"ProcessName": "VSSVC.exe",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "CFEE347DA897CF4C",
"IntegrityLevel": "SYSTEM"
},
{
"ProcessID": "1636",
"Time": "2019-06-27T08:01:32.077Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "ip",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "1525CEC635947A9A",
"ProcessName": "amazon-ssm-agent.exe",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "1525CEC635947A9A",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3872",
"Time": "2019-06-30T13:50:55.249Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "dns",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "25C25C96C5DED63C",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "25C25C96C5DED63C",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3872",
"Time": "2019-06-30T13:50:55.249Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "25C25C96C5DED63C",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "25C25C96C5DED63C",
"IntegrityLevel": null
},
{
"ProcessID": "3872",
"Time": "2019-06-30T13:50:55.249Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "25C25C96C5DED63C",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "25C25C96C5DED63C",
"IntegrityLevel": null
},
{
"ProcessID": "3872",
"Time": "2019-06-30T13:50:55.249Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "25C25C96C5DED63C",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "25C25C96C5DED63C",
"IntegrityLevel": null
},
{
"ProcessID": "3872",
"Time": "2019-06-30T13:50:55.249Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "25C25C96C5DED63C",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "25C25C96C5DED63C",
"IntegrityLevel": null
},
{
"ProcessID": "3872",
"Time": "2019-06-30T13:50:55.249Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "25C25C96C5DED63C",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "25C25C96C5DED63C",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3840",
"Time": "2019-08-04T04:17:52.041Z",
"CMD": null,
"ParentProcessStartTime": "2019-06-30T13:50:54.280Z",
"SHA1": "03ffc95e7d54a40b7fd42aba048248f64026ae24",
"ParentProcessID": "3996",
"ProcessDisplayName": "Google Chrome",
"EventType": "process",
"ParentProcessName": "Google Chrome",
"SubsystemType": "SYS_WIN32",
"ProcessUID": "73CBEE7BFDEA4128",
"ProcessName": "chrome.exe",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": "LOW"
},
{
"ProcessID": "3872",
"Time": "2019-06-30T13:50:55.249Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "dns",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "25C25C96C5DED63C",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "25C25C96C5DED63C",
"IntegrityLevel": null
},
{
"ProcessID": "3872",
"Time": "2019-06-30T13:50:55.249Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "25C25C96C5DED63C",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "25C25C96C5DED63C",
"IntegrityLevel": null
},
{
"ProcessID": "3872",
"Time": "2019-06-30T13:50:55.249Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "25C25C96C5DED63C",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "25C25C96C5DED63C",
"IntegrityLevel": null
},
{
"ProcessID": "3872",
"Time": "2019-06-30T13:50:55.249Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "25C25C96C5DED63C",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "25C25C96C5DED63C",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3996",
"Time": "2019-06-30T13:50:54.280Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "file",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "84FEED6A0CB9C211",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "84FEED6A0CB9C211",
"IntegrityLevel": null
},
{
"ProcessID": "3872",
"Time": "2019-06-30T13:50:55.249Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "dns",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "25C25C96C5DED63C",
"ProcessName": "Google Chrome",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "25C25C96C5DED63C",
"IntegrityLevel": null
},
{
"ProcessID": "3308",
"Time": "2019-06-27T08:04:32.183Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "scheduled_task",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "C4CBCB781DAA7B5F",
"ProcessName": "Windows Problem Reporting",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "C4CBCB781DAA7B5F",
"IntegrityLevel": null
},
{
"ProcessID": "2508",
"Time": "2019-08-04T04:12:38.608Z",
"CMD": null,
"ParentProcessStartTime": "2019-06-27T08:01:31.423Z",
"SHA1": "f5cf72933752e92e5c41d1f6683a7c0863450670",
"ParentProcessID": "872",
"ProcessDisplayName": "Windows Problem Reporting",
"EventType": "process",
"ParentProcessName": "Host Process for Windows Services",
"SubsystemType": "SYS_WIN32",
"ProcessUID": "B25C1F9FCC7A718B",
"ProcessName": "wermgr.exe",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "6DCFCCC56860944F",
"IntegrityLevel": "SYSTEM"
},
{
"ProcessID": "3308",
"Time": "2019-06-27T08:04:32.183Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "scheduled_task",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "C4CBCB781DAA7B5F",
"ProcessName": "Windows Problem Reporting",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "C4CBCB781DAA7B5F",
"IntegrityLevel": null
},
{
"ProcessID": "4624",
"Time": "2019-08-04T04:09:34.054Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "dns",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "55F0E146874E0114",
"ProcessName": "Google Installer",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "55F0E146874E0114",
"IntegrityLevel": null
},
{
"ProcessID": "4624",
"Time": "2019-08-04T04:09:34.054Z",
"CMD": null,
"ParentProcessStartTime": null,
"SHA1": null,
"ParentProcessID": null,
"ProcessDisplayName": null,
"EventType": "ip",
"ParentProcessName": null,
"SubsystemType": null,
"ProcessUID": "55F0E146874E0114",
"ProcessName": "Google Installer",
"Endpoint": "EC2AMAZ-AJ0KANC",
"SiteName": "demisto",
"User": null,
"ParentProcessUID": "55F0E146874E0114",
"IntegrityLevel": null
}
]
}
Human Readable Output
SentinelOne Processes
| EventType | SiteName | Time | ParentProcessID | ParentProcessUID | ProcessName | ParentProcessName | ProcessDisplayName | ProcessID | ProcessUID | SHA1 | SubsystemType | IntegrityLevel | ParentProcessStartTime |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| process | demisto | 2019-08-04T04:48:36.440Z | 560 | CFEE347DA897CF4C | svchost.exe | Services and Controller app | Host Process for Windows Services | 5556 | 10EEF25AF81502CD | 0dac68816ae7c09efc24d11c27c3274dfd147dee | SYS_WIN32 | SYSTEM | 2019-06-27T08:01:30.957Z |
| process | demisto | 2019-08-04T04:48:26.439Z | 560 | CFEE347DA897CF4C | VSSVC.exe | Services and Controller app | Microsoft® Volume Shadow Copy Service | 5432 | DAB10F03FC995CCA | cd5e7c15e7688d40d51d32b8286c2e1804a97349 | SYS_WIN32 | SYSTEM | 2019-06-27T08:01:30.957Z |
| ip | demisto | 2019-06-27T08:01:32.077Z | 1525CEC635947A9A | amazon-ssm-agent.exe | 1636 | 1525CEC635947A9A | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| dns | demisto | 2019-06-30T13:50:55.249Z | 25C25C96C5DED63C | Google Chrome | 3872 | 25C25C96C5DED63C | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:55.249Z | 25C25C96C5DED63C | Google Chrome | 3872 | 25C25C96C5DED63C | |||||||
| file | demisto | 2019-06-30T13:50:55.249Z | 25C25C96C5DED63C | Google Chrome | 3872 | 25C25C96C5DED63C | |||||||
| file | demisto | 2019-06-30T13:50:55.249Z | 25C25C96C5DED63C | Google Chrome | 3872 | 25C25C96C5DED63C | |||||||
| file | demisto | 2019-06-30T13:50:55.249Z | 25C25C96C5DED63C | Google Chrome | 3872 | 25C25C96C5DED63C | |||||||
| file | demisto | 2019-06-30T13:50:55.249Z | 25C25C96C5DED63C | Google Chrome | 3872 | 25C25C96C5DED63C | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| process | demisto | 2019-08-04T04:17:52.041Z | 3996 | 84FEED6A0CB9C211 | chrome.exe | Google Chrome | Google Chrome | 3840 | 73CBEE7BFDEA4128 | 03ffc95e7d54a40b7fd42aba048248f64026ae24 | SYS_WIN32 | LOW | 2019-06-30T13:50:54.280Z |
| dns | demisto | 2019-06-30T13:50:55.249Z | 25C25C96C5DED63C | Google Chrome | 3872 | 25C25C96C5DED63C | |||||||
| file | demisto | 2019-06-30T13:50:55.249Z | 25C25C96C5DED63C | Google Chrome | 3872 | 25C25C96C5DED63C | |||||||
| file | demisto | 2019-06-30T13:50:55.249Z | 25C25C96C5DED63C | Google Chrome | 3872 | 25C25C96C5DED63C | |||||||
| file | demisto | 2019-06-30T13:50:55.249Z | 25C25C96C5DED63C | Google Chrome | 3872 | 25C25C96C5DED63C | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| file | demisto | 2019-06-30T13:50:54.280Z | 84FEED6A0CB9C211 | Google Chrome | 3996 | 84FEED6A0CB9C211 | |||||||
| dns | demisto | 2019-06-30T13:50:55.249Z | 25C25C96C5DED63C | Google Chrome | 3872 | 25C25C96C5DED63C | |||||||
| scheduled_task | demisto | 2019-06-27T08:04:32.183Z | C4CBCB781DAA7B5F | Windows Problem Reporting | 3308 | C4CBCB781DAA7B5F | |||||||
| process | demisto | 2019-08-04T04:12:38.608Z | 872 | 6DCFCCC56860944F | wermgr.exe | Host Process for Windows Services | Windows Problem Reporting | 2508 | B25C1F9FCC7A718B | f5cf72933752e92e5c41d1f6683a7c0863450670 | SYS_WIN32 | SYSTEM | 2019-06-27T08:01:31.423Z |
| scheduled_task | demisto | 2019-06-27T08:04:32.183Z | C4CBCB781DAA7B5F | Windows Problem Reporting | 3308 | C4CBCB781DAA7B5F | |||||||
| dns | demisto | 2019-08-04T04:09:34.054Z | 55F0E146874E0114 | Google Installer | 4624 | 55F0E146874E0114 | |||||||
| ip | demisto | 2019-08-04T04:09:34.054Z | 55F0E146874E0114 | Google Installer | 4624 | 55F0E146874E0114 |
25. Shutdown agent
Shutdowns an agent by agent ID.
Base Command
sentinelone-shutdown-agent
Input
| Argument Name | Description | Required |
|---|---|---|
| query | A free-text search term, will match applicable attributes (sub-string match). Note: A device’s physical addresses will only be matched if they start with the search term (not if they contain the search term). | Optional |
| agent_id | A CSV list of agents IDs to shutdown. | Optional |
| group_id | The ID of the network group. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| SentinelOne.Agent.ID | String | The ID of the agent that was shutdown. |
Command Example
!sentinelone-shutdown-agent agent_id=685993599964815937
Human Readable Output
Shutting down 1 agent(s).
26. Uninstall an agent
Uninstalls agent by agent ID.
Base Command
sentinelone-uninstall-agent
Input
| Argument Name | Description | Required |
|---|---|---|
| query | A free-text search term, will match applicable attributes (sub-string match). Note: A device’s physical addresses will only be matched if they start with the search term (not if they contain the search term). | Optional |
| agent_id | A CSV list of agents IDs to shutdown. | Optional |
| group_id | The ID of the network group. | Optional |
Context Output
There is no context output for this command.
Command Example
!sentinelone-uninstall-agent agent_id=685993599964815937
Human Readable Output
Uninstall was sent to 1 agent(s).