Skip to main content

SentinelOne v2

This Integration is part of the SentinelOne Pack.#

Use the SentinelOne integration to send requests to your management server and get responses with data pulled from agents or from the management database. This integration was integrated and tested with versions 2.0 and 2.1 of SentinelOne V2

Some changes have been made that might affect your existing content. If you are upgrading from a previous version of this integration, see Breaking Changes.

Configure SentinelOne v2 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for SentinelOne v2.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    Server URL (e.g., https://usea1.sentinelone.net)True
    API TokenFalse
    API VersionTrue
    Fetch incidentsFalse
    Incident typeFalse
    Fetch incidents from typeFalse
    First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year)False
    Minimum risk score for importing incidents (0-10), where 0 is low risk and 10 is high risk. Relevant for API version 2.0.False
    Defines Alert severity to fetch.False
    Define which Alerts should be fetched.False
    Define which Threats should be fetched.False
    Fetch limit: The maximum number of threats or alerts to fetchFalse
    Site IDsComma-separated list of site IDs to fetch incidents for. Leave blank to fetch all sites.False
    Block Site IDsComma-separated list of site IDs for where hashes should be blocked. If left blank all hashes will be blocked globally. If filled out with site ids all hashes will be no longer be blocked globally, they will now be blocked in the scope of those sites.False
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
    API Token (Deprecated)Use the "API Token (Recommended)" parameter instead.False
    Incidents Fetch IntervalFalse
    Incident Mirroring DirectionChoose the direction to mirror the incident: Incoming (from SentinelOne to Cortex XSOAR), Outgoing (from Cortex XSOAR to SentinelOne), or Incoming and Outgoing (from/to Cortex XSOAR and SentinelOne).False
    Close Mirrored XSOAR IncidentWhen selected, closing the SentinelOne ticket is mirrored in Cortex XSOAR.False
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

sentinelone-list-agents#


Returns all agents that match the specified criteria.

Base Command#

sentinelone-list-agents

Input#

Argument NameDescriptionRequired
computer_nameThe computer name by which to filter the results. It can match a partial computer name value (substring).Optional
scan_statusA comma-separated list of scan statuses by which to filter the results, for example: "started,aborted". Possible values are: started, none, finished, aborted.Optional
os_typeIncluded operating system types, for example: "windows". Possible values are: windows, windows_legacy, macos, linux.Optional
created_atEndpoint creation timestamp, for example: "2018-02-27T04:49:26.257525Z".Optional
min_active_threatsMinimum number of threats per agent.Optional
limitThe maximum number of agents to return. Default is 10.Optional
paramsQuery params field=value pairs delimited by comma (e.g., activeThreats=3,gatewayIp=1.2.3.4). Query params are OR'd.Optional
columnsA comma-separated list of additionals fields to display.Optional

Context Output#

PathTypeDescription
SentinelOne.Agents.NetworkStatusstringThe agent network status.
SentinelOne.Agents.IDstringThe agent ID.
SentinelOne.Agents.AgentVersionstringThe agent software version.
SentinelOne.Agents.IsDecommissionedbooleanWhether the agent is decommissioned.
SentinelOne.Agents.IsActivebooleanWhether the agent is active.
SentinelOne.Agents.LastActiveDatedateWhen was the agent last active.
SentinelOne.Agents.RegisteredAtdateThe registration date of the agent.
SentinelOne.Agents.ExternalIPstringThe agent IP address.
SentinelOne.Agents.ThreatCountnumberNumber of active threats.
SentinelOne.Agents.EncryptedApplicationsbooleanWhether disk encryption is enabled.
SentinelOne.Agents.OSNamestringName of operating system.
SentinelOne.Agents.ComputerNamestringName of agent computer.
SentinelOne.Agents.MachineTypestringMachine type.
SentinelOne.Agents.DomainstringDomain name of the agent.
SentinelOne.Agents.CreatedAtdateCreation time of the agent.
SentinelOne.Agents.SiteNamestringSite name associated with the agent.
SentinelOne.Agents.TagsunknownTags associated with the agent.

sentinelone-create-white-list-item#


Creates an exclusion item that matches the specified input filter.

Base Command#

sentinelone-create-white-list-item

Input#

Argument NameDescriptionRequired
exclusion_typeExclusion item type. Possible values are: file_type, path, white_hash, certificate, browser.Required
exclusion_valueValue of the exclusion item for the exclusion list.Required
os_typeOperating system type. Required for hash exclusions. Possible values are: windows, windows_legacy, macos, linux.Required
descriptionDescription for adding the exclusion item.Optional
exclusion_modeExclusion mode (path exclusion only). Possible values are: suppress, disable_in_process_monitor_deep, disable_in_process_monitor, disable_all_monitors, disable_all_monitors_deep.Optional
path_exclusion_typeExcluded path for a path exclusion list.Optional
group_idsA comma-separated list of group IDs by which to filter.Optional
site_idsA comma-separated list of site IDs by which to filter.Optional

Context Output#

PathTypeDescription
SentinelOne.Exclusions.IDstringThe entity ID on the allow list.
SentinelOne.Exclusions.TypestringThe item type on the allow list.
SentinelOne.Exclusions.CreatedAtdateTime when the allow list item was created.

sentinelone-get-white-list#


Lists all exclusion items that match the specified input filter.

Base Command#

sentinelone-get-white-list

Input#

Argument NameDescriptionRequired
item_idsList of IDs by which to filter, for example: "225494730938493804,225494730938493915".Optional
os_typesA comma-separated list of operating system types by which to filter, for example: "windows, linux". Possible values are: windows, windows_legacy, macos, linux.Optional
exclusion_typeExclusion type. Possible values are: file_type, path, white_hash, certificate, browser.Optional
limitThe maximum number of items to return. Default is 10.Optional
include_parentWhether to include parent information of each item. Default value is false. Default is false.Optional
include_childrenWhether to include children information of each item. Default value is false. Default is false.Optional

Context Output#

PathTypeDescription
SentinelOne.Exclusions.IDstringThe exclusion item ID.
SentinelOne.Exclusions.TypestringThe exclusion item type.
SentinelOne.Exclusions.CreatedAtdateTimestamp when the exclusion item was added.
SentinelOne.Exclusions.ValuestringValue of the exclusion item.
SentinelOne.Exclusions.SourcestringSource of the exclusion item.
SentinelOne.Exclusions.UserIDstringUser ID of the user qho added the exclusion item.
SentinelOne.Exclusions.UpdatedAtdateTimestamp when the exclusion item was updated.
SentinelOne.Exclusions.OsTypestringOperating system type of the exclusion item.
SentinelOne.Exclusions.UserNamestringUser name of the user who added the exclusion item.
SentinelOne.Exclusions.ModestringA comma-separated list of modes by which to filter (path exclusions only), for example: "suppress".

sentinelone-get-hash#


Gets the file reputation verdict by a SHA1 hash.

Base Command#

sentinelone-get-hash

Input#

Argument NameDescriptionRequired
hashThe content hash.Required

Context Output#

PathTypeDescription
SentinelOne.Hash.RankNumberThe hash reputation (1-10).
SentinelOne.Hash.VerdictStringThe hash reputation verdict.
SentinelOne.Hash.HashStringThe content hash.

sentinelone-get-threats#


Returns threats according to the specified filters.

Base Command#

sentinelone-get-threats

Input#

Argument NameDescriptionRequired
content_hashA comma-separated list of content hashes of the threat.Optional
mitigation_statusA comma-separated list of mitigation statuses. Possible values are: mitigated, active, blocked, suspicious, pending, suspicious_resolved.Optional
created_beforeSearches for threats created before this timestamp, for example: "2018-02-27T04:49:26.257525Z", "10 days", "5 months", "2 hours".Optional
created_afterSearches for threats created after this timestamp, for example: "2018-02-27T04:49:26.257525Z", "10 days", "5 months", "2 hours".Optional
created_untilSearches for threats created on or before this timestamp, for example: "2018-02-27T04:49:26.257525Z", "10 days", "5 months", "2 hours".Optional
created_fromSearch for threats created on or after this timestamp, for example: "2018-02-27T04:49:26.257525Z", "10 days", "5 months", "2 hours".Optional
resolvedWhether to only return resolved threats. Possible values are: false, true. Default is false.Optional
display_nameThreat display name. For API version 2.0 it can be a partial display name, doesn't have to be an exact match.Optional
limitThe maximum number of threats to return. Default is 20.Optional
queryFull free-text search for fields. Can be "content_hash", "file_display_name", "file_path", "computer_name", or "uuid".Optional
threat_idsA comma-separated list of threat IDs, for example: "225494730938493804,225494730938493915".Optional
classificationsA comma-separated list of threat classifications to search, for example: "Malware", "Network", "Benign". Possible values are: Engine, Static, Cloud, Behavioral.Optional
rankRisk level threshold to retrieve (1-10). Relevant for API version 2.0 only.Optional
site_idsA comma-separated list of site IDs to search for threats, for example: "225494730938493804,225494730938493915".Optional
incident_statusesIncident status. Example: "IN_PROGRESS, UNRESOLVED".Optional
include_resolved_paramWhether to include the resolved parameter in the query. Possible values are: false, true. Default is false.Optional

Context Output#

PathTypeDescription
SentinelOne.Threat.IDStringThe threat ID.
SentinelOne.Threat.AgentComputerNameStringThe agent computer name.
SentinelOne.Threat.CreatedDateDateThe threat creation date.
SentinelOne.Threat.SiteIDStringThe site ID.
SentinelOne.Threat.ClassificationstringThe threat classification.
SentinelOne.Threat.ClassificationSourcestringSource of the threat classification.
SentinelOne.Threat.ConfidenceLevelstringSentinelOne threat confidence level.
SentinelOne.Threat.FileSha256stringSHA256 hash of the file content.
SentinelOne.Threat.MitigationStatusStringThe agent mitigation status.
SentinelOne.Threat.AgentIDStringThe threat agent ID.
SentinelOne.Threat.RankNumberThe number representing the cloud reputation (1-10).
SentinelOne.Threat.MarkedAsBenignBooleanWhether the threat is marked as benign. Relevant for version 2.0 only.

sentinelone-threat-summary#


Returns a dashboard threat summary. Can only be used with API V2.1.

Base Command#

sentinelone-threat-summary

Input#

Argument NameDescriptionRequired
group_idsA comma-separated list of group IDs by which to filter, for example: "225494730938493804,225494730938493915".Optional

Context Output#

PathTypeDescription
SentinelOne.Threat.NotResolvedNumberNumber of unresolved threats in the system.
SentinelOne.Threat.SuspiciousNotMitigatedNotResolvedNumberNumber of unmitigated suspicious threats in the system.
SentinelOne.Threat.SuspiciousNotResolvedNumberNumber of unresolved suspicious threats in the system.
SentinelOne.Threat.ResolvedNumberNumber of resolved threats in the system.
SentinelOne.Threat.InProgressNumberNumber of active threats in the system.
SentinelOne.Threat.TotalNumberTotal number of threats in the system.
SentinelOne.Threat.NotMitigatedNumberNumber of unmitigated threats in the system.
SentinelOne.Threat.MaliciousNotResolvedNumberNumber of unresolved malicious threats in the system.
SentinelOne.Threat.NotMitigatedNotResolvedNumberNumber of unmitigated and unresolved threats in the system.

sentinelone-mark-as-threat#


Marks suspicious threats as threats. Can only be used with API V2.0.

Base Command#

sentinelone-mark-as-threat

Input#

Argument NameDescriptionRequired
threat_idsA comma-separated list of threat IDs.Optional
target_scopeScope to use for exclusions. Possible values are: site, tenant.Required

Context Output#

PathTypeDescription
SentinelOne.Threat.IDStringThe threat ID.
SentinelOne.Threat.MarkedAsThreatBooleanWhether the suspicious threat was successfully marked as a threat.

sentinelone-mitigate-threat#


Applies a mitigation action to a group of threats that match the specified input filter.

Base Command#

sentinelone-mitigate-threat

Input#

Argument NameDescriptionRequired
actionMitigation action. Possible values are: kill, quarantine, un-quarantine, remediate, rollback-remediation.Required
threat_idsA comma-separated list of threat IDs.Required

Context Output#

PathTypeDescription
SentinelOne.Threat.IDStringThe threat ID.
SentinelOne.Threat.MitigatedBooleanWhether the threat was successfully mitigated.
SentinelOne.Threat.Mitigation.ActionStringThe mitigation action performed.

sentinelone-resolve-threat#


Resolves threats using the threat ID. Can only be used with API V2.0.

Base Command#

sentinelone-resolve-threat

Input#

Argument NameDescriptionRequired
threat_idsA comma-separated list of threat IDs.Required

Context Output#

PathTypeDescription
SentinelOne.Threat.IDStringThe threat ID.
SentinelOne.Threat.ResolvedBooleanWhether the threat was successfully resolved.

sentinelone-get-agent#


Returns the details of an agent according to the agent ID.

Base Command#

sentinelone-get-agent

Input#

Argument NameDescriptionRequired
agent_idA comma-separated list of agent IDs.Required

Context Output#

PathTypeDescription
SentinelOne.Agent.NetworkStatusstringThe agent network status.
SentinelOne.Agent.IDstringThe agent ID.
SentinelOne.Agent.AgentVersionstringThe agent software version.
SentinelOne.Agent.IsDecommissionedbooleanWhether the agent is decommissioned.
SentinelOne.Agent.IsActivebooleanWhether the agent is active.
SentinelOne.Agent.LastActiveDatedateWhen was the agent last active.
SentinelOne.Agent.RegisteredAtdateThe registration date of the agent.
SentinelOne.Agent.ExternalIPstringThe agent IP address.
SentinelOne.Agent.ThreatCountnumberNumber of active threats.
SentinelOne.Agent.EncryptedApplicationsbooleanWhether disk encryption is enabled.
SentinelOne.Agent.OSNamestringName of the operating system.
SentinelOne.Agent.ComputerNamestringName of the agent computer.
SentinelOne.Agent.MachineTypestringMachine type.
SentinelOne.Agent.DomainstringDomain name of the agent.
SentinelOne.Agent.CreatedAtdateAgent creation time.
SentinelOne.Agent.SiteNamestringSite name associated with the agent.

sentinelone-get-sites#


Returns all sites that match the specified criteria.

Base Command#

sentinelone-get-sites

Input#

Argument NameDescriptionRequired
updated_atTimestamp of the last update, for example: "2018-02-27T04:49:26.257525Z".Optional
queryFull-text search for fields: name, account_name.Optional
site_typeSite type. Possible values are: Trial, Paid, POC, DEV, NFR.Optional
featuresReturns sites that support the specified features. Possible values are: firewall-control, device-control, ioc.Optional
stateSite state. Possible values are: active, deleted, expired.Optional
suiteThe suite of product features active for this site. Possible values are: Core, Complete.Optional
admin_onlySites for which the user has admin privileges. Possible values are: true, false.Optional
account_idAccount ID, for example: "225494730938493804".Optional
site_nameSite name, for example: "My Site".Optional
created_atTimestamp of the site creation, for example: "2018-02-27T04:49:26.257525Z".Optional
limitMaximum number of results to return. Default is 50.Optional

Context Output#

PathTypeDescription
SentinelOne.Site.CreatorstringThe site creator name.
SentinelOne.Site.NamestringThe site name.
SentinelOne.Site.TypestringThe site type.
SentinelOne.Site.AccountNamestringThe site account name.
SentinelOne.Site.StatestringThe site state.
SentinelOne.Site.HealthStatusbooleanThe health status of the site.
SentinelOne.Site.SuitestringThe suite to which the site belongs.
SentinelOne.Site.ActiveLicensesnumberNumber of active licenses for the site.
SentinelOne.Site.IDstringID of the site.
SentinelOne.Site.TotalLicensesnumberNumber of total licenses for the site.
SentinelOne.Site.CreatedAtdateTimestamp when the site was created.
SentinelOne.Site.ExpirationstringTimestamp when the site will expire.
SentinelOne.Site.UnlimitedLicensesbooleanWhether the site has unlimited licenses.

sentinelone-get-site#


Returns information about the site, according to the site ID.

Base Command#

sentinelone-get-site

Input#

Argument NameDescriptionRequired
site_idID of the site.Required

Context Output#

PathTypeDescription
SentinelOne.Site.CreatorstringThe site creator name.
SentinelOne.Site.NamestringThe site name.
SentinelOne.Site.TypestringThe site type.
SentinelOne.Site.AccountNamestringThe site account name.
SentinelOne.Site.StatestringThe site state.
SentinelOne.Site.HealthStatusbooleanThe health status of the site.
SentinelOne.Site.SuitestringThe suite to which the site belongs.
SentinelOne.Site.ActiveLicensesnumberNumber of active licenses for the site.
SentinelOne.Site.IDstringID of the site.
SentinelOne.Site.TotalLicensesnumberNumber of total licenses for the site.
SentinelOne.Site.CreatedAtdateTimestamp when the site was created.
SentinelOne.Site.ExpirationstringTimestamp when the site will expire.
SentinelOne.Site.UnlimitedLicensesbooleanWhether the site has unlimited licenses.
SentinelOne.Site.AccountIDstringSite account ID.
SentinelOne.Site.IsDefaultbooleanWhether the site is the default site.

sentinelone-reactivate-site#


Reactivates an expired site.

Base Command#

sentinelone-reactivate-site

Input#

Argument NameDescriptionRequired
site_idSite ID. For example: "225494730938493804".Required
unlimitedIf false, an expiration should be supplied.Optional
expirationExpiration date in case unlimited is false, for example, "2019-08-03T04:49:26.257525Z".Optional

Context Output#

PathTypeDescription
SentinelOne.Site.IDstringSite ID.
SentinelOne.Site.ReactivatedbooleanWhether the site was reactivated.

sentinelone-get-activities#


Returns a list of activities.

Base Command#

sentinelone-get-activities

Input#

Argument NameDescriptionRequired
created_afterReturn activities created after this timestamp, for example: "2018-02-27T04:49:26.257525Z".Optional
user_emailsEmail address of the user who invoked the activity (if applicable).Optional
group_idsList of group IDs by which to filter, for example: "225494730938493804,225494730938493915".Optional
created_untilReturn activities created on or before this timestamp, for example: "2018-02-27T04:49:26.257525Z".Optional
include_hiddenInclude internal activities hidden from display. Possible values are: true, false.Optional
activities_idsA comma-separated list of activity IDs by which to filter, for example: "225494730938493804,225494730938493915".Optional
created_beforeReturn activities created before this timestamp, for example: "2018-02-27T04:49:26.257525Z".Optional
threats_idsA comma-separated list of threat IDs for which to return activities, for example: "225494730938493804,225494730938493915".Optional
activity_typesA comma-separated list of activity codes to return, for example: "52,53,71,72".Optional
user_idsA comma-separated list of user IDs for users that invoked the activity (if applicable), for example: "225494730938493804,225494730938493915".Optional
created_fromReturn activities created on or after this timestamp, for example: "2018-02-27T04:49:26.257525Z".Optional
created_betweenReturn activities created within this range (inclusive), for example: "1514978764288-1514978999999".Optional
agent_idsReturn activities related to specified agents. For example: "225494730938493804,225494730938493915".Optional
limitMaximum number of items to return (1-100).Optional
sort_byField to sort results by. Possible values are: activityType, createdAt, id.Optional
sort_orderOrder to sort by. Possible values are: asc, desc.Optional

Context Output#

PathTypeDescription
SentinelOne.Activity.AgentIDStringRelated agent (if applicable).
SentinelOne.Activity.AgentUpdatedVersionStringAgent's new version (if applicable).
SentinelOne.Activity.SiteIDStringRelated site (if applicable).
SentinelOne.Activity.UserIDStringThe user who invoked the activity (if applicable).
SentinelOne.Activity.SecondaryDescriptionStringSecondary description.
SentinelOne.Activity.OsFamilyStringAgent's operating system type (if applicable). Can be "linux", "macos", "windows", or "windows_legacy".
SentinelOne.Activity.ActivityTypeNumberActivity type.
SentinelOne.Activity.data.SiteIDStringThe site ID.
SentinelOne.Activity.data.SiteNameStringThe site name.
SentinelOne.Activity.data.usernameStringThe name of the site creator.
SentinelOne.Activity.HashStringThreat file hash (if applicable).
SentinelOne.Activity.UpdatedAtDateActivity last updated time (UTC).
SentinelOne.Activity.CommentsStringComments for the activity.
SentinelOne.Activity.ThreatIDStringRelated threat (if applicable).
SentinelOne.Activity.PrimaryDescriptionStringPrimary description for the activity.
SentinelOne.Activity.GroupIDStringRelated group (if applicable).
SentinelOne.Activity.IDStringActivity ID.
SentinelOne.Activity.CreatedAtDateActivity creation time (UTC).
SentinelOne.Activity.DescriptionStringExtra activity information.

sentinelone-get-groups#


Returns data for the specified group.

Base Command#

sentinelone-get-groups

Input#

Argument NameDescriptionRequired
group_typeGroup type, for example: "static".Optional
group_idsA comma-separated list of group IDs by which to filter, for example: "225494730938493804,225494730938493915".Optional
group_idGroup ID by which to filter, for example: "225494730938493804".Optional
is_defaultWhether this is the default group. Possible values are: true, false.Optional
nameThe name of the group.Optional
queryFree-text search.Optional
rankThe priority of a dynamic group over others, for example, "1", which is the highest priority.Optional
limitMaximum number of items to return (1-200).Optional

Context Output#

PathTypeDescription
SentinelOne.Group.siteIdStringThe ID of the site of which this group is a member.
SentinelOne.Group.filterNameStringIf the group is dynamic, the name of the filter which is used to associate agents.
SentinelOne.Group.creatorIdStringThe ID of the user who created the group.
SentinelOne.Group.nameStringThe name of the group.
SentinelOne.Group.creatorStringThe user who created the group.
SentinelOne.Group.rankNumberThe rank, which sets the priority of a dynamic group over others.
SentinelOne.Group.updatedAtDateTimestamp of the last update.
SentinelOne.Group.totalAgentsNumberNumber of agents in the group.
SentinelOne.Group.filterIdStringIf the group is dynamic, the group ID of the filter that is used to associate agents.
SentinelOne.Group.isDefaultBooleanWhether the groups is the default group of the site.
SentinelOne.Group.inheritsBooleanWhether the policy is inherited from a site. "False" if the group has its own edited policy.
SentinelOne.Group.typeStringGroup type. Can be static or dynamic
SentinelOne.Group.idStringThe ID of the group.
SentinelOne.Group.createdAtDateTimestamp of group creation.

sentinelone-move-agent#


Moves agents to a new group.

Base Command#

sentinelone-move-agent

Input#

Argument NameDescriptionRequired
group_idThe ID of the group to move the agent to.Required
agents_idsAgents IDs.Optional

Context Output#

PathTypeDescription
SentinelOne.Agent.AgentsMovedNumberThe number of agents that were moved to another group.

sentinelone-delete-group#


Deletes a group, by the group ID.

Base Command#

sentinelone-delete-group

Input#

Argument NameDescriptionRequired
group_idThe ID of the group to delete.Required

Context Output#

PathTypeDescription
SentinelOne.DeleteGroup.SuccessStringThe status of the command.

sentinelone-connect-agent#


Connects agents to the network.

Base Command#

sentinelone-connect-agent

Input#

Argument NameDescriptionRequired
agent_idA comma-separated list of agent IDs to connect to the network. Run the list-agents command to get a list of agent IDs.Required

Context Output#

PathTypeDescription
SentinelOne.Agent.AgentsAffectedNumberThe number of affected agents.
SentinelOne.Agent.NetworkStatusStringAgent network status.
SentinelOne.Agent.IDStringInput agents' IDs.

sentinelone-disconnect-agent#


Disconnects agents from the network.

Base Command#

sentinelone-disconnect-agent

Input#

Argument NameDescriptionRequired
agent_idA comma-separated list of agent IDs to disconnect from the network. Run the list-agents command to get a list of agent IDs.Required

Context Output#

PathTypeDescription
SentinelOne.Agent.NetworkStatusStringAgent network status.
SentinelOne.Agent.IDStringInput agents' IDs.

sentinelone-broadcast-message#


Broadcasts a message to all agents that match the input filters.

Base Command#

sentinelone-broadcast-message

Input#

Argument NameDescriptionRequired
messageThe message to broadcast to agents.Required
active_agentWhether to only include active agents. Default is "false". Possible values are: true, false.Optional
group_idA comma-separated list of group IDs by which to filter the results.Optional
agent_idA comma-separated list of agent IDs by which to filter the results.Optional
domainA comma-separated of included network domains.Optional

Context Output#

PathTypeDescription
SentinelOne.BroadcastMessage.AffectedStringNumber of affected endpoints.

sentinelone-get-events#


Returns all Deep Visibility events that match the query.

Base Command#

sentinelone-get-events

Input#

Argument NameDescriptionRequired
limitMaximum number of items to return (1-100). Default is 50.Optional
query_idQueryId obtained when creating a query in the sentinelone-create-query command. Example: "q1xx2xx3".Required
cursorCursor pointer to get next page of results from query.Optional
columnsA comma-separated list of additionals fields to display.Optional

Context Output#

PathTypeDescription
SentinelOne.Event.ProcessUIDStringProcess unique identifier.
SentinelOne.Event.SHA256StringSHA256 hash of the file.
SentinelOne.Event.AgentOSStringOperating system type. Can be "windows", "linux", "macos", or "windows_legac".
SentinelOne.Event.ProcessIDNumberThe process ID.
SentinelOne.Event.UserStringUser assigned to the event.
SentinelOne.Event.TimeDateProcess start time.
SentinelOne.Event.EndpointStringThe agent name.
SentinelOne.Event.SiteNameStringSite name.
SentinelOne.Event.EventTypeStringEvent type. Can be "events", "file", "ip", "url", "dns", "process", "registry", "scheduled_task", or "logins".
SentinelOne.Event.ProcessNameStringThe name of the process.
SentinelOne.Event.MD5StringMD5 hash of the file.
SentinelOne.Event.SourceIPStringThe source ip.
SentinelOne.Event.SourcePortStringThe source port.
SentinelOne.Event.DestinationIPStringThe destination IP.
SentinelOne.Event.DestinationPortStringThe destination port.
SentinelOne.Event.SourceProcessUserStringThe source process user.
SentinelOne.Event.SourceProcessCommandLineStringThe source process command line.
SentinelOne.Event.DNSRequestStringThe DNS Request.
SentinelOne.Event.FileFullNameStringThe file full name.
SentinelOne.Event.EventTimeStringThe event time.
Event.IDStringEvent process ID.
Event.NameStringEvent name.
Event.TypeStringEvent type.
SentinelOne.Cursor.EventStringcursor to recieve next page

sentinelone-create-query#


Runs a Deep Visibility query and returns the queryId. You can use the queryId for all other commands, such as the sentinelone-get-events command.

Base Command#

sentinelone-create-query

Input#

Argument NameDescriptionRequired
queryThe query string for which to return events.Required
from_dateQuery start date, for example, "2019-08-03T04:49:26.257525Z". Limited to 93 days ago.Required
to_dateQuery end date, for example, "2019-08-03T04:49:26.257525Z".Required

Context Output#

PathTypeDescription
SentinelOne.Query.FromDateDateQuery start date.
SentinelOne.Query.QueryStringThe search query string.
SentinelOne.Query.QueryIDStringThe query ID.
SentinelOne.Query.ToDateDateQuery end date.

sentinelone-get-processes#


Returns a list of Deep Visibility events from query by event type - process.

Base Command#

sentinelone-get-processes

Input#

Argument NameDescriptionRequired
query_idThe queryId that is returned when creating a query under Create Query. Example: "q1xx2xx3". Get the query_id from the "get-query-id" command.Required
limitMaximum number of items to return (1-100). Default is 50.Optional

Context Output#

PathTypeDescription
SentinelOne.Event.ParentProcessIDNumberParent process ID.
SentinelOne.Event.ProcessUIDStringThe process unique identifier.
SentinelOne.Event.SHA1StringSHA1 hash of the process image.
SentinelOne.Event.SubsystemTypeStringProcess sub-system.
SentinelOne.Event.ParentProcessStartTimeDateThe parent process start time.
SentinelOne.Event.ProcessIDNumberThe process ID.
SentinelOne.Event.ParentProcessUIDStringParent process unique identifier.
SentinelOne.Event.UserStringUser assigned to the event.
SentinelOne.Event.TimeDateStart time of the process.
SentinelOne.Event.ParentProcessNameStringParent process name.
SentinelOne.Event.SiteNameStringSite name.
SentinelOne.Event.EventTypeStringThe event type.
SentinelOne.Event.EndpointStringThe agent name (endpoint).
SentinelOne.Event.IntegrityLevelStringProcess integrity level.
SentinelOne.Event.CMDStringProcess CMD.
SentinelOne.Event.ProcessNameStringProcess name.
SentinelOne.Event.ProcessDisplayNameStringProcess display name.

sentinelone-shutdown-agent#


Sends a shutdown command to all agents that match the input filter.

Base Command#

sentinelone-shutdown-agent

Input#

Argument NameDescriptionRequired
queryA free-text search term that will match applicable attributes (sub-string match). Note: A device's physical addresses will only be matched if they start with the search term (not if they contain the search term).Optional
agent_idA comma-separated list of agents IDs to shutdown.Optional
group_idThe ID of the network group.Optional

Context Output#

PathTypeDescription
SentinelOne.Agent.IDStringThe ID of the agent that was shutdown.

sentinelone-uninstall-agent#


Sends an uninstall command to all agents that match the input filter.

Base Command#

sentinelone-uninstall-agent

Input#

Argument NameDescriptionRequired
queryA free-text search term that will match applicable attributes (sub-string match). Note: A device's physical addresses will only be matched if they start with the search term (not if they contain the search term).Optional
agent_idA comma-separated list of agents IDs to shutdown.Optional
group_idThe ID of the network group.Optional

Context Output#

PathTypeDescription
SentinelOne.uninstall.AffectedStringNumber of affected agents.

sentinelone-update-threats-verdict#


Updates the analyst verdict to a group of threats that match the specified input filter. Relevant for API version 2.1.

Base Command#

sentinelone-update-threats-verdict

Input#

Argument NameDescriptionRequired
verdictAnalyst verdict action. Possible values are: undefined, true_positive, false_positive, suspicious.Required
threat_idsA comma-separated list of threat IDs.Required

Context Output#

PathTypeDescription
SentinelOne.Threat.IDStringThe threat ID.
SentinelOne.Threat.UpdatedBooleanWhether the threat was successfully updated in the analyst verdict.
SentinelOne.Threat.Update.ActionStringName of the analyst verdict action performed on the threats.

sentinelone-update-alerts-verdict#


Updates the analyst verdict to a group of alerts that match the specified input filter. Relevant for API version 2.1.

Base Command#

sentinelone-update-alerts-verdict

Input#

Argument NameDescriptionRequired
verdictAnalyst verdict action. Possible values are: undefined, true_positive, false_positive, suspicious.Required
alert_idsA comma-separated list of alert IDs.Required

Context Output#

PathTypeDescription
SentinelOne.Alert.IDStringThe alert ID.
SentinelOne.Alert.UpdatedBooleanWhether the alert was successfully updated in the analyst verdict.
SentinelOne.Alert.Update.ActionStringName of the analyst verdict action performed on the alerts.

sentinelone-create-star-rule#


Creates a custom STAR rule. Relevant for API version 2.1.

Base Command#

sentinelone-create-star-rule

Input#

Argument NameDescriptionRequired
nameThe name of the STAR rule.Required
rule_severityThe rule severity. Possible values are: Low, Medium, High, Critical.Required
expiration_modeType of expiration mode. Possible values are: Permanent, Temporary.Required
query_typeType of the query. For now it's "events". Possible values are: events, processes.Required
queryThe query string for which to return events.Required
descriptionThe description of the STAR rule.Optional
expiration_dateIf expiration mode is "Temporary" then it should be supplied, for example, "2019-08-03T04:49:26.257525Z" .Optional
site_idsA comma-separated list of site IDs.Optional
group_idsA comma-separated list of Group IDs.Optional
account_idsA comma-separated list of Account IDs.Optional
network_quarantineWhether to enable the network quarantine of the STAR rule. Possible values are: true, false.Required
treatAsThreatThe treatAsThreat type. Possible values are: Malicious, Suspicious, UNDEFINED.Required

Context Output#

PathTypeDescription
SentinelOne.StarRule.IDStringThe STAR rule ID.
SentinelOne.StarRule.NameStringThe STAR rule name.
SentinelOne.StarRule.StatusStringThe status of the STAR rule.
SentinelOne.StarRule.SeverityStringThe severity of the STAR rule.
SentinelOne.StarRule.DescriptionStringThe description of the STAR rule.
SentinelOne.StarRule.NetworkQuarantineBooleanThe network quarantine of the STAR rule.
SentinelOne.StarRule.TreatAsThreatStringThe Treat As Threat of the STAR rule.
SentinelOne.StarRule.ExpirationModeStringThe expiration mode of the STAR rule.
SentinelOne.StarRule.ExpirationDateStringThe expiration date of the STAR rule.
SentinelOne.StarRule.ScopeHierarchyStringThe scope hierarchy of the STAR rule.
SentinelOne.StarRule.CreatedAtStringThe created time for the STAR rule.
SentinelOne.StarRule.UpdatedAtStringThe updated time for the STAR rule.

sentinelone-get-star-rules#


Get a list of custom detection rules for a given scope. Relevant for API version 2.1.

Base Command#

sentinelone-get-star-rules

Input#

Argument NameDescriptionRequired
statusA comma-separated list of the status of the STAR rule. Available options are: "Activating, Active, Deleted, Deleting, Disabled, Disabling and Draft".Example: "Draft,Active".Optional
creator_containsFree-text filter by rule creator (supports multiple values). Example: "Service Pack 1".Optional
queryTypeReturn rules with the filtered type. Example: "events". Possible values are: events, processes.Optional
queryFree-text filter by S1 query (supports multiple values). Example: "Service Pack 1".Optional
description_containsFree-text filter by rule description (supports multiple values). Example: "Service Pack 1".Optional
ruleIdsA comma-separated list of Rules IDs. Example: "225494730938493804,225494730938493915".Optional
name_containsFree-text filter by rule name (supports multiple values). Example: "Service Pack 1".Optional
accountIdsA comma-separated list of Account IDs to filter by. Example: "225494730938493804,225494730938493915".Optional
expirationModeReturn rules with the filtered expiration mode. Example: "Permanent". Possible values are: Temporary, Permanent.Optional
limitLimit number of returned items (1-1000). Example: "10".Optional
siteIdsA comma-separated list of site IDs to filter by. Example: "225494730938493804,225494730938493915".Optional

Context Output#

PathTypeDescription
SentinelOne.StarRule.IDNumberThe STAR rule ID.
SentinelOne.StarRule.CreatorstringThe STAR rule creator.
SentinelOne.StarRule.NamestringThe STAR rule name.
SentinelOne.StarRule.StatusstringThe STAR rule status.
SentinelOne.StarRule.SeveritystringThe STAR rule severity.
SentinelOne.StarRule.GeneratedAlertsNumberThe number of STAR rule generated alerts.
SentinelOne.StarRule.DescriptionstringThe STAR rule description.
SentinelOne.StarRule.StatusReasonstringThe STAR rule status reason.
SentinelOne.StarRule.ExpirationModestringThe STAR rule expiration mode.
SentinelOne.StarRule.ExpirationDateDateThe STAR rule expiration date.
SentinelOne.StarRule.ExpiredBooleanWhether the STAR rule expired.

sentinelone-update-star-rule#


Updates a custom STAR rule. Relevant for API version 2.1.

Base Command#

sentinelone-update-star-rule

Input#

Argument NameDescriptionRequired
rule_idRule ID Example: "225494730938493804".Required
nameThe name of the STAR rule.Required
rule_severityThe rule severity. Possible values are: Low, Medium, High, Critical.Required
expiration_modeType of expiration mode. Possible values are: Permanent, Temporary.Required
query_typeType of the query. For now it's "events". Possible values are: events, processes.Required
queryThe query string for which to return events.Required
descriptionThe description of the STAR rule.Optional
expiration_dateIf expiration mode is "Temporary" then it should be supplied, for example, "2019-08-03T04:49:26.257525Z".Optional
site_idsA comma-separated list of site IDs.Optional
group_idsA comma-separated list of group IDs.Optional
account_idsA comma-separated list of account IDs.Optional
network_quarantineWhether to enable the network quarantine of the STAR rule. Possible values are: true, false.Required
treatAsThreatThe treatAsThreat. Possible values are: Malicious, Suspicious, UNDEFINED.Required

Context Output#

PathTypeDescription
SentinelOne.StarRule.IDStringThe STAR rule ID.
SentinelOne.StarRule.NameStringThe STAR rule name.
SentinelOne.StarRule.StatusStringThe status of the STAR rule.
SentinelOne.StarRule.SeverityStringThe severity of the STAR rule.
SentinelOne.StarRule.DescriptionStringThe description of the STAR rule.
SentinelOne.StarRule.NetworkQuarantineBooleanThe network quarantine of the STAR rule.
SentinelOne.StarRule.TreatAsThreatStringThe Treat As Threat of the STAR rule.
SentinelOne.StarRule.ExpirationModeStringThe expiration mode of the STAR rule.
SentinelOne.StarRule.ExpirationDateStringThe expiration date of the STAR rule.
SentinelOne.StarRule.ScopeHierarchyStringThe scope hierarchy of the STAR rule.
SentinelOne.StarRule.CreatedAtStringThe created time for the STAR rule.
SentinelOne.StarRule.UpdatedAtStringThe updated time for the STAR rule.

sentinelone-enable-star-rules#


Activate Custom Detection rules that match the specified input filter. Relevant for API version 2.1.

Base Command#

sentinelone-enable-star-rules

Input#

Argument NameDescriptionRequired
rule_idsA comma-separated list of STAR rule IDs.Required

Context Output#

PathTypeDescription
SentinelOne.StarRule.IDStringThe Rule ID.
SentinelOne.StarRule.EnabledBooleanWhether the STAR rule was successfully enabled.

sentinelone-disable-star-rules#


Disable Custom Detection rules that match the specified input filter. Relevant for API version 2.1.

Base Command#

sentinelone-disable-star-rules

Input#

Argument NameDescriptionRequired
rule_idsA comma-separated list of STAR rule IDs.Required

Context Output#

PathTypeDescription
SentinelOne.StarRule.IDStringThe Rule ID.
SentinelOne.StarRule.DisabledBooleanWhether the STAR rule was successfully disabled.

sentinelone-delete-star-rule#


Deletes Custom Detection Rules that match the specified input filter. Relevant for API version 2.1.

Base Command#

sentinelone-delete-star-rule

Input#

Argument NameDescriptionRequired
rule_idsA comma-separated list of STAR rule IDs.Required

Context Output#

PathTypeDescription
SentinelOne.StarRule.IDStringThe Rule ID.
SentinelOne.StarRule.DeletedBooleanWhether the STAR rule was successfully deleted.

sentinelone-get-blocklist#


Add a hash to the blocklist ("blacklist" in SentinelOne documentation). If the global flag is true, then group_ids, site_ids, and account_ids are ignored.

Base Command#

sentinelone-get-blocklist

Input#

Argument NameDescriptionRequired
globalWhether the global list is accessible. (Same as tenant flag in API docs.). Possible values are: true, false. Default is true.Optional
group_idsComma-separated list of group IDs to filter by.Optional
site_idsComma-separated list of site IDs to filter by.Optional
account_idsComma-separated list of account IDs to filter by.Optional
offsetThe number of records to skip (for paging). Default is 0.Optional
limitThe maximum number of records to return. Default is 1000.Optional
hashHash to search for in the blocklist.Optional

Context Output#

PathTypeDescription
SentinelOne.Blocklist.UserIdStringUser ID.
SentinelOne.Blocklist.UpdatedAtStringWhen entry was most recently updated.
SentinelOne.Blocklist.ValueStringFile hash.
SentinelOne.Blocklist.ScopePathStringSentinelOne list scope.
SentinelOne.Blocklist.TypeStringBlock list type.
SentinelOne.Blocklist.SourceStringSource of entry.
SentinelOne.Blocklist.IDStringEntry ID.
SentinelOne.Blocklist.CreatedAtStringDate entry was created.
SentinelOne.Blocklist.DescriptionStringDescription of the blocklist.
SentinelOne.Blocklist.OSTypeStringOperating system type block is enforced on.
SentinelOne.Blocklist.ScopeNameStringName of the blocklist scope.

sentinelone-add-hash-to-blocklist#


Add a hash to the global blocklist in SentinelOne.

Base Command#

sentinelone-add-hash-to-blocklist

Input#

Argument NameDescriptionRequired
sha1SHA1 hash to add to the global blocklist.Optional
sourceString describing the source of the block. Default is XSOAR.Optional
os_typeType of operating system. Possible values are: windows, linux, macos.Required
descriptionNote stored in SentinelOne about the block. Default is Blocked from XSOAR.Optional

Context Output#

PathTypeDescription
SentinelOne.AddHashToBlocklist.hashunknownHash of the file.
SentinelOne.AddHashToBlocklist.statusunknownStatus of the action to add a hash to the blocklist.

sentinelone-remove-hash-from-blocklist#


Remove a hash from the global blocklist in SentinelOne

Base Command#

sentinelone-remove-hash-from-blocklist

Input#

Argument NameDescriptionRequired
sha1SHA1 hash to remove from the global blocklist.Optional
os_typeOptional operating system type. If not supplied, will remove the SHA1 hash across all platforms. Possible values are: windows, macos, linux.Optional

Context Output#

PathTypeDescription
SentinelOne.RemoveHashFromBlocklist.hashunknownHash of the file.
SentinelOne.RemoveHashFromBlocklist.statusunknownStatus of the action to remove a hash from the blocklist.

sentinelone-fetch-file#


Invokes a fetch files command against an agent endpoint.

Base Command#

sentinelone-fetch-file

Input#

Argument NameDescriptionRequired
agent_idAgent ID to retrieve the file from.Required
file_pathFile path to download the file from.Required
passwordPassword to protect the zip file with.Required

Context Output#

There is no context output for this command.

sentinelone-download-fetched-file#


Download a file fetched using th sentinelone-fetch-file command to submit the request and the sentinelone-get-activities command to get the download path.

Base Command#

sentinelone-download-fetched-file

Input#

Argument NameDescriptionRequired
agent_idSentinelOne agent ID. Default is Agent ID.Required
activity_idActivity ID in the get-activities command.Required
passwordPassword used in the sentinelone-fetch-file command.Required

Context Output#

There is no context output for this command.

sentinelone-write-threat-note#


Add a threat note to one or more threats. Relevant for API version 2.1.

Base Command#

sentinelone-write-threat-note

Input#

Argument NameDescriptionRequired
threat_idsA comma-separated list of threat IDs.Required
noteThreat Note Text.Required

Context Output#

PathTypeDescription
SentinelOne.Threat.IDStringThe threat ID.
SentinelOne.Threat.NoteStringThe threat note.
SentinelOne.Threat.StatusStringWhether the note was added successfully.

sentinelone-create-ioc#


Add an IoC to the Threat Intelligence database. Relevant for API version 2.1.

Base Command#

sentinelone-create-ioc

Input#

Argument NameDescriptionRequired
nameThreat Intelligence indicator name.Required
sourceThe source of the identified Threat Intelligence indicator.Required
typeThe type of the Threat Intelligence indicator. Possible values are: DNS, IPV4, IPV6, MD5, SHA1, SHA256, URL.Required
methodThe comparison method used by SentinelOne to trigger the event. Possible values are: EQUALS.Required
validUntilExpiration date for the Threat Intelligence indicator.Required
valueThe value of the Threat Intelligence indicator.Required
account_idsList of account IDs to filter by.Required
externalIdThe unique identifier of the indicator as provided by the Threat Intelligence source.Optional
descriptionDescription of the Threat Intelligence indicator.Optional

Context Output#

PathTypeDescription
SentinelOne.IOC.UUIDStringThe IOC UUID.
SentinelOne.IOC.NameStringThreat Intelligence indicator name.
SentinelOne.IOC.SourceStringThe source of the identified Threat Intelligence indicator.
SentinelOne.IOC.TypeStringThe type of the Threat Intelligence indicator.
SentinelOne.IOC.BatchIdStringThe IOC batch ID.
SentinelOne.IOC.CreatorStringThe IOC creator.
SentinelOne.IOC.ScopeStringThe IOC scope.
SentinelOne.IOC.ScopeIdStringThe IOC scope ID.
SentinelOne.IOC.ValidUntilStringExpiration date for the Threat Intelligence indicator.
SentinelOne.IOC.DescriptionStringDescription of the Threat Intelligence indicator.
SentinelOne.IOC.ExternalIdStringThe unique identifier of the indicator as provided by the Threat Intelligence source.

sentinelone-delete-ioc#


Delete an IOC from the Threat Intelligence database that matches a filter. Relevant for API version 2.1.

Base Command#

sentinelone-delete-ioc

Input#

Argument NameDescriptionRequired
account_idsList of account IDs to filter by.Required
uuidsUUID of Threat Intelligence indicator.Required

Context Output#

PathTypeDescription
SentinelOne.IOC.UUIDStringThe IOC UUID.
SentinelOne.IOC.DeletedBooleanWhether the Threat Intelligence indicator was deleted.

sentinelone-get-iocs#


Get the IOCs of a specified account that match the filter. Relevant for API version 2.1.

Base Command#

sentinelone-get-iocs

Input#

Argument NameDescriptionRequired
account_idsList of account IDs to filter by.Required
limitLimit number of returned items (1-1000). Default is 1000.Optional
upload_time_gteThe time (greater than or equal to) at which the Threat Intelligence indicator was uploaded to the SentinelOne database. Example: "2022-07-13T20:33:29.007906Z".Optional
upload_time_lteThe time (less than or equal to) at which the Threat Intelligence indicator was uploaded to the SentinelOne database. Example: "2022-07-13T20:33:29.007906Z".Optional
cursorCursor position returned by the last request. Should be used for iterating over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".Optional
uuidsA list of unique IDs of the parent process of the indicator of compromise. Example: "2cffae871197f20d864fe8363eee6651".Optional
typeThe type of the Threat Intelligence indicator. Possible values are: DNS, IPV4, IPV6, MD5, SHA1, SHA256, URL.Optional
batch_idUnique ID of the uploaded indicators batch. Example: "atmtn000000028a881bcf939dc6d92ab55443".Optional
sourceList of the sources of the identified Threat Intelligence indicator. Example: "AlienVault".Optional
valueThe value of the Threat Intelligence indicator. Example: "175.0.x.x".Optional
external_idThe unique identifier of the indicator as provided by the Threat Intelligence source. Example: "e277603e-1060-5ad4-9937-c26c97f1ca68".Optional
name_containsA comma-separated list of free-text filtered by the indicator name. Example: "foo.dll".Optional
creator_containsA comma-separated list of free-text filtered by the user who uploaded the Threat Intelligence indicator. Example: "admin@sentinelone.com".Optional
description_containsA comma-separated list of free-text filtered by the description of the indicator. Example: "Malicious-activity".Optional
category_inThe categories of the Threat Intelligence indicator. Example: The malware type associated with the IOC.Optional
updated_at_gteThe time (greater or equal to) at which the indicator was last updated in the SentinelOne database. Example: "2021-07-13T20:33:29.007906Z".Optional
updated_at_lteThe time (less than or equal to) at which the indicator was last updated in the SentinelOne database. Example: "2021-07-13T20:33:29.007906Z".Optional
creation_time_gteCreation time (greater than or equal to) as set by the user. Example: "2021-07-13T20:33:29.007906Z".Optional
creation_time_lteCreation time (less than or equal to) as set by the user. Example: "2021-07-13T20:33:29.007906Z".Optional

Context Output#

PathTypeDescription
SentinelOne.IOC.UUIDStringThe IOC UUID.
SentinelOne.IOC.CreatorStringThreat Intelligence indicator creator.
SentinelOne.IOC.NameStringThreat Intelligence indicator name.
SentinelOne.IOC.ValueStringThreat Intelligence indicator value.
SentinelOne.IOC.DescriptionStringThreat Intelligence indicator description.
SentinelOne.IOC.TypeStringThreat Intelligence indicator type.
SentinelOne.IOC.ExternalIdStringThreat Intelligence indicator external ID.
SentinelOne.IOC.SourceStringThreat Intelligence indicator source.
SentinelOne.IOC.UploadTimeStringThreat Intelligence indicator upload time.
SentinelOne.IOC.ValidUntilStringThreat Intelligence indicator expiration time.

sentinelone-create-power-query#


Deprecated. Start a Deep Visibility Power query to get back status and potential results (ping afterwards using the queryId if query has not finished). Relevant for API version 2.1

Base Command#

sentinelone-create-power-query

Input#

Argument NameDescriptionRequired
queryEvents matching the query search term will be returned.Required
from_dateEvents created after this timestamp.Required
to_dateEvents created before or at this timestamp.Required
limitLimit number of returned items (1-100000).Optional

Context Output#

There is no context output for this command.

sentinelone-ping-power-query#


Deprecated. Ping a Deep Visibility Power query using the queryId argument if results have not returned from an initial Power query or a previous ping. Relevant for API version 2.1.

Base Command#

sentinelone-ping-power-query

Input#

Argument NameDescriptionRequired
queryIdQueryId.Required

Context Output#

There is no context output for this command.

sentinelone-update-threats-status#


Updates the incident status to a group of threats that match the specified input filter. Relevant for API version 2.1.

Base Command#

sentinelone-update-threats-status

Input#

Argument NameDescriptionRequired
statusIncident status. Possible values are: in_progress, resolved, unresolved.Required
threat_idsA comma-separated list of threat IDs.Required

Context Output#

PathTypeDescription
SentinelOne.Threat.IDStringThe threat ID.
SentinelOne.Threat.UpdatedBooleanWhether the threat was successfully updated.
SentinelOne.Threat.StatusStringName of the status performed on the threats.

sentinelone-update-alerts-status#


Updates the incident status to a group of alerts that match the specified input filter. Relevant for API version 2.1.

Base Command#

sentinelone-update-alerts-status

Input#

Argument NameDescriptionRequired
statusIncident status. Possible values are: in_progress, resolved, unresolved.Required
alert_idsA comma-separated list of alert IDs.Required

Context Output#

PathTypeDescription
SentinelOne.Alert.IDStringThe alert ID.
SentinelOne.Alert.UpdatedBooleanWhether the alert was successfully updated.
SentinelOne.Alert.StatusStringThe status performed on the alerts.

sentinelone-expire-site#


Expire the site of the given ID

Base Command#

sentinelone-expire-site

Input#

Argument NameDescriptionRequired
site_idA valid site ID.Required

Context Output#

PathTypeDescription
SentinelOne.Site.IDStringThe site ID.
SentinelOne.Site.NameStringThe site name.
SentinelOne.Site.StateStringThe site state.
SentinelOne.Site.SKUStringThe SKU of product features active for this site.
SentinelOne.Site.SiteTypeStringThe site type.
SentinelOne.Site.SuiteStringThe site suite.
SentinelOne.Site.TotalLicensesStringThe total licenses.
SentinelOne.Site.AccountIDStringThe account ID.
SentinelOne.Site.CreatorStringFull name of the creating user.
SentinelOne.Site.CreatorIDStringID of the creating user.
SentinelOne.Site.DescriptionStringDescription of the site.
SentinelOne.Site.ExpirationStringExpiration date of the site.

sentinelone-fetch-threat-file#


Fetch a file associated with the threat that matches the filter.

Base Command#

sentinelone-fetch-threat-file

Input#

Argument NameDescriptionRequired
threat_idPlease provide the Valid Threat ID. Example: 14629133470822878.Required
passwordFile encryption password. (At least 10 characters, three out of this list "uppercase", "lowercase", "digits" and "symbols" are mandatory. Maximum length is 256 characters.).Required

Context Output#

PathTypeDescription
SentinelOne.Threat.IDStringThe threat ID.
SentinelOne.Threat.DownloadableBooleanWhether the file is downloadable.
SentinelOne.Threat.ZippedFileStringDetails of the zipped folder.

sentinelone-get-alerts#


Get the list of alerts that matches the filter provided. Relevant for API version 2.1.

Base Command#

sentinelone-get-alerts

Input#

Argument NameDescriptionRequired
created_fromGreater than or equal to the time created. Example: "2018-02-27T04:49:26.257525Z", "10 days", "2 hours","5 months".Required
created_untilLess than or equal to the time created. Example: "2018-02-27T04:49:26.257525Z", "10 days", "2 hours","5 months".Optional
ruleNameFree-text filter by rule name. Example: "rule1".Optional
incidentStatusIncident status. Example: "IN_PROGRESS".Optional
analystVerdictAnalyst verdict. Example: "TRUE_POSITIVE".Optional
alert_idsA comma-separated list of alert IDs.Optional
limitLimit number of returned items (1-1000). Default is 1000.Optional
site_idsA comma-separated list of site IDs to filter by. Example: "225494730938493804,225494730938493915".Optional
cursorCursor position returned by the last request. Should be used for iterating over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".Optional

Context Output#

PathTypeDescription
SentinelOne.Alert.EventTypeStringEvent type.
SentinelOne.Alert.RuleNameStringThe rule name.
SentinelOne.Alert.SrcProcUserStringSource process user.
SentinelOne.Alert.SrcProcNameStringSource process name.
SentinelOne.Alert.SrcProcPathStringSource process file path.
SentinelOne.Alert.SrcProcCommandlineStringThe command line
SentinelOne.Alert.SrcProcSHA1StringSource process SHA1 file hash.
SentinelOne.Alert.SrcProcStartTimeStringPID start time.
SentinelOne.Alert.SrcProcStorylineIdStringSource process story line ID.
SentinelOne.Alert.SrcParentProcNameStringSource parent process name.
SentinelOne.Alert.SrcParentProcPathStringSource parent process file path.
SentinelOne.Alert.SrcParentProcCommandlineStringSource parent process command line.
SentinelOne.Alert.SrcParentProcStartTimeStringPID start time.
SentinelOne.Alert.SrcParentProcUserStringSource parent process user.
SentinelOne.Alert.SrcParentProcSHA1StringSource parent process SHA1 file hash.
SentinelOne.Alert.SrcProcSignerIdentityStringSource process file signer identity.
SentinelOne.Alert.SrcParentProcSignerIdentityStringSource parent process file signer identity.
SentinelOne.Alert.AlertCreatedAtStringThe the alert was created.
SentinelOne.Alert.AlertIdStringAlert ID.
SentinelOne.Alert.AnalystVerdictStringAnalyst verdict.
SentinelOne.Alert.IncidentStatusStringIncident status
SentinelOne.Alert.EndpointNameStringEndpoint name
SentinelOne.Alert.AgentIdStringAgent ID.
SentinelOne.Alert.AgentUUIDStringAgent UUID.
SentinelOne.Alert.dvEventIdStringDeep Visibility event ID.
SentinelOne.Alert.AgentOSStringAgent operating system.
SentinelOne.Alert.AgentVersionStringAgent version.
SentinelOne.Alert.SiteIdStringSite ID.
SentinelOne.Alert.RuleIdStringRule ID.

sentinelone-get-installed-applications#


Get the installed applications for a specific agent.

Base Command#

sentinelone-get-installed-applications

Input#

Argument NameDescriptionRequired
agent_idsA comma-separated list of agent IDs. Example: 14629133470822878,14627455454652878.Required

Context Output#

PathTypeDescription
SentinelOne.Application.NameStringThe application name.
SentinelOne.Application.PublisherStringThe publisher.
SentinelOne.Application.SizeStringThe size of the application in bytes.
SentinelOne.Application.VersionStringThe version of the application.
SentinelOne.Application.InstalledOnStringThe date the application was installed.

sentinelone-initiate-endpoint-scan#


Initiate the endpoint virus scan on provided agent IDs.

Base Command#

sentinelone-initiate-endpoint-scan

Input#

Argument NameDescriptionRequired
agent_idsA comma-separated list of Agent IDs. Example: 14629133470822878,14627455454652878.Required

Context Output#

PathTypeDescription
SentinelOne.Agent.AgentIDStringThe Agent ID.
SentinelOne.Agent.InitiatedBooleanWhether the scan was initiated.

sentinelone-remove-item-from-whitelist#


Remove an item from the SentinelOne exclusion list

Base Command#

sentinelone-remove-item-from-whitelist

Input#

Argument NameDescriptionRequired
itemValue of the item to be removed from the exclusion list.Required
os_typeOS type. Can be "windows", "windows_legacy", "macos", or "linux". Possible values are: windows, windows_legacy, macos, linux.Optional
exclusion_typeExclusion item type. The options are: file_type, path, white_hash, certificate, or browser.Optional

Context Output#

PathTypeDescription
SentinelOne.RemoveItemFromWhitelist.statusStringStatus on if items were removed from whitelist or not found on whitelist.
SentinelOne.RemoveItemFromWhitelist.itemStringItem removed fom whitelist.

sentinelone-run-remote-script#


Run a remote script that was uploaded to the SentinelOne Script Library.

Base Command#

sentinelone-run-remote-script

Input#

Argument NameDescriptionRequired
account_idsA comma-separated list of account IDs.Required
output_destinationOutput destination. Possible values: DataSetCloud/Local/None/SentinelCloud. Possible values are: DataSetCloud, Local, None, SentinelCloud.Required
task_descriptionTask description.Required
script_idScript ID.Required
output_directoryOutput directory.Optional
agent_idsA comma-separated list of agent IDs on which the script should run.Required
singularity_xdr_KeywordSingularityxdr keyword.Optional
singularity_xdr_UrlSingularityxdr keyword.Optional
api_keyApi key.Optional
input_paramsInput params.Optional
passwordPassword.Optional
script_runtime_timeout_secondsScript runtime timout in seconds for current execution.Optional
requires_approvalIf set to true, execution will require approval.Optional

Context Output#

PathTypeDescription
SentinelOne.RunRemoteScript.pendingExecutionIdstringID of the created pending execution. Present only if pending flag is true.
SentinelOne.RunRemoteScript.pendingbooleanFlag indicating if the requested script execution requires approval and is created as a pending execution.
SentinelOne.RunRemoteScript.affectednumberNumber of entities affected by the requested operation.
SentinelOne.RunRemoteScript.parentTaskIdstringThe parent task ID of the script execution task. Null in case of pending execution.

sentinelone-get-remote-script-task-status#


Get remote script tasks using a variety of filters.

Base Command#

sentinelone-get-remote-script-task-status

Input#

Argument NameDescriptionRequired
account_idsA comma-separated list of account IDs. Example: '225494730938493804,225494730938493915'.Optional
computer_name_containsFree-text filter by agent computer name (supports multiple values).Optional
count_onlyIf true, only total number of items will be returned, without any of the actual objects.Optional
created_at_gtCreated at greater than datetime. Example: '2018-02-27T04:49:26.257525Z'.Optional
created_at_gteCreated at greater or equal than datetime. Example: '2018-02-27T04:49:26.257525Z'.Optional
created_at_ltCreated at lesser than datetime. Example: '2018-02-27T04:49:26.257525Z'.Optional
created_at_lteCreated at lesser or equal than datetime. Example: '2018-02-27T04:49:26.257525Z'.Optional
cursorCursor position returned by the last request. Use to iterate over more than 1000 items. Example: 'YWdlbnRfaWQ6NTgwMjkzODE='.Optional
description_containsOnly include tasks with specific description.Optional
detailed_status_containsOnly include tasks with specific detailed status.Optional
group_idsComma-separated list of Group IDs to filter by. Example: '225494730938493804,225494730938493915'.Optional
idsComma-separated list of IDs to filter by. Example: '225494730938493804,225494730938493915'.Optional
initiated_by_containsOnly include tasks from specific initiating user.Optional
limitLimit number of returned items (1-1000). Example: '10'.Optional
parent_task_idParent task ID to fetch the status by. Example: '225494730938493804'.Required
parent_task_id_inComma-separated list of IDs to filter by.Optional
queryA free-text search term that will match applicable attributes (sub-string match).Optional
site_idsComma-separated list of Site IDs to filter by. Example: '225494730938493804,225494730938493915'.Optional
statusStatus of the script task. Example: 'created'.Optional
tenantA tenant scope request.Optional
updated_at_gtUpdated at greater than datetime. Example: '2018-02-27T04:49:26.257525Z'.Optional
updated_at_gteUpdated at greater or equal than datetime. Example: '2018-02-27T04:49:26.257525Z'.Optional
updated_at_ltUpdated at lesser than datetime. Example: '2018-02-27T04:49:26.257525Z'.Optional
updated_at_lteUpdated at lesser or equal than datetime. Example: '2018-02-27T04:49:26.257525Z'.Optional
uuid_containsFree-text filter by agent UUID (supports multiple values).Optional

Context Output#

PathTypeDescription
SentinelOne.GetRemoteScript.idstringID of the task.
SentinelOne.GetRemoteScript.accountIdstringAccount ID where this script is executed.
SentinelOne.GetRemoteScript.accountNamestringAccount name where this script is executed.
SentinelOne.GetRemoteScript.agentIdstringAgent ID where this script is executed.
SentinelOne.GetRemoteScript.agentIsActivebooleanThe status of the agent.
SentinelOne.GetRemoteScript.agentMachineTypestringAgent machine type.
SentinelOne.GetRemoteScript.agentOsTypestringAgent operating system type.
SentinelOne.GetRemoteScript.agentUuidstringAgent UUID.
SentinelOne.GetRemoteScript.createdAtstringThe script created at datetime.
SentinelOne.GetRemoteScript.descriptionstringThe description of the remote script.
SentinelOne.GetRemoteScript.detailedStatusstringThe detailed status of the remote script.
SentinelOne.GetRemoteScript.groupIdstringGroup ID where this script is executed.
SentinelOne.GetRemoteScript.groupNamestringGroup name where this script is executed.
SentinelOne.GetRemoteScript.initiatedBystringRemote script initiate by.
SentinelOne.GetRemoteScript.initiatedByIdstringID of the remote script initiator.
SentinelOne.GetRemoteScript.parentTaskIdstringParent task ID of the remote script.
SentinelOne.GetRemoteScript.siteIdstringSite ID where this script is executed.
SentinelOne.GetRemoteScript.siteNamestringSite name where this script is executed.
SentinelOne.GetRemoteScript.statusstringStatus of the remote script.
SentinelOne.GetRemoteScript.statusCodestringStatus code of the remote script.
SentinelOne.GetRemoteScript.statusDescriptionstringStatus description of the remote script.
SentinelOne.GetRemoteScript.typestringType of remote script.
SentinelOne.GetRemoteScript.updateAtstringRemote script upated at.

sentinelone-get-remote-script-task-results#


Get a script's result download URL.

Base Command#

sentinelone-get-remote-script-task-results

Input#

Argument NameDescriptionRequired
computer_namesA comma-separated list of partial or whole computer names, which ran scripts.Optional
task_idsA comma-separated list of task IDs to get a download link for.Required

Context Output#

PathTypeDescription
SentinelOne.RemoteScriptResults.taskIdstringID of the task.
SentinelOne.RemoteScriptResults.fileNamestringFile name.
SentinelOne.RemoteScriptResults.downloadUrlstringDownload URL.

sentinelone-remote-script-automate-results#


Automate a remote script's execution cycle and return the script's results.

Base Command#

sentinelone-remote-script-automate-results

Input#

Argument NameDescriptionRequired
account_idsA comma-separated list of account IDs.Required
output_destinationOutput destination. Possible values are: DataSetCloud, Local, None, SentinelCloud.Required
task_descriptionTask description.Required
script_idScript ID.Required
output_directoryOutput directory.Optional
agent_idsA comma-separated list of agent IDs on which the script should run.Required
singularity_xdr_KeywordSingularity XDR keyword.Optional
singularity_xdr_UrlSingularity XDR URL.Optional
api_keyAPI key.Optional
input_paramsInput parameters.Optional
passwordPassword.Optional
script_runtime_timeout_secondsScript runtime timeout in seconds for current execution.Optional
requires_approvalIf set to true, execution will require approval.Optional
intervalIndicates how long to wait between command execution (in seconds) when 'polling' argument is true. Minimum value is 10 seconds. Default is 60.Optional
timeoutIndicates the time in seconds until the polling sequence timeouts. Default is 600.Optional
parent_task_idParent task ID to fetch the status by. Example: '225494730938493804'.Optional

Context Output#

PathTypeDescription
SentinelOne.RemoteScriptResults.taskIdstringID of the task.
SentinelOne.RemoteScriptResults.fileNamestringFile name.
SentinelOne.RemoteScriptResults.downloadUrlstringDownload URL.

sentinelone-get-power-query-results#


Automate a power query and return the query results. (The maximum timeout of 300 seconds is allowed.)

Base Command#

sentinelone-get-power-query-results

Input#

Argument NameDescriptionRequired
account_idsA comma-separated list of account IDs.Optional
site_idsA comma-separated list of site IDs on which the query should run.Optional
queryEvents matching the query search term will be returned.Required
from_dateEvents created after this date. Example: '2018-02-27T04:49:26.257525Z'.Required
to_dateEvents created before or at this date. Example: '2018-02-27T04:49:26.257525Z'.Required
limitLimit number of returned items (1-100000).Optional
intervalIndicates how long to wait between command execution (in seconds) when 'polling' argument is true. Minimum value is 10 seconds.Optional
timeoutIndicates the time in seconds until the polling sequence timeouts.Optional
query_idQueryId. Example: pq3be5e2747f716cxxxxxxxxxxxxx20a0.Optional

Context Output#

PathTypeDescription
SentinelOne.PowerQuery.ResultIndexListResult from the power query in list of objects format

get-mapping-fields#


Returns the list of fields for an incident type.

Base Command#

get-mapping-fields

Input#

Argument NameDescriptionRequired

Context Output#

There is no context output for this command.

update-remote-system#


Pushes local changes to the remote system.

Base Command#

update-remote-system

Input#

Argument NameDescriptionRequired

Context Output#

There is no context output for this command.

get-remote-data#


Get remote data from a remote incident. This method does not update the current incident, and should be used for debugging purposes.

Base Command#

get-remote-data

Input#

Argument NameDescriptionRequired
idThe ticket ID.Required
lastUpdateRetrieve entries that were created after lastUpdate.Required

Context Output#

There is no context output for this command.

get-modified-remote-data#


Gets the list of incidents that were modified since the last update time. Note that this method is here for debugging purposes. The get-modified-remote-data command is used as part of a Mirroring feature, which is available from version 6.1.

Base Command#

get-modified-remote-data

Input#

Argument NameDescriptionRequired
last_updateRetrieve entries that were created after lastUpdate.Optional

Context Output#

There is no context output for this command.

sentinelone-get-dv-query-status#


Returns status of a Deep Visibility Query

Base Command#

sentinelone-get-dv-query-status

Input#

Argument NameDescriptionRequired
query_idThe queryId that is returned when creating a query under Create Query. Example: "q1xx2xx3". Get the query_id from the "get-query-id" command.Required

Context Output#

PathTypeDescription
SentinelOne.Query.Status.progressStatusstringProgress Query Status
SentinelOne.Query.Status.queryModeInfo.lastActivatedAtstringLast Activated At
SentinelOne.Query.Status.queryModeInfo.modestringQuery Mode
SentinelOne.Query.Status.responseStatestringState of the Query
SentinelOne.Query.Status.warningsstringWarnings during Query
SentinelOne.Query.Status.QueryIdstringQueryID From Request

sentinelone-get-agent-mac#


Returns network interface details for a given Agent ID. This includes MAC address details and interface description.

Base Command#

sentinelone-get-agent-mac

Input#

Argument NameDescriptionRequired
agent_idAgentId of the System.Required

Context Output#

PathTypeDescription
SentinelOne.MACstringAgent network interface details.
SentinelOne.MAC.agent_idstringAgentID
SentinelOne.MAC.hostnamestringHostname
SentinelOne.MAC.int_namestringInterface Name
SentinelOne.MAC.ipstringIP Address
SentinelOne.MAC.macstringMAC Address

sentinelone-get-accounts#


Returns details of accounts.

Base Command#

sentinelone-get-accounts

Input#

Argument NameDescriptionRequired
account_idCan filter on one account ID. Otherwise, it returns information from all accounts.Optional

Context Output#

PathTypeDescription
SentinelOne.Accounts.AccountTypestringThe account type.
SentinelOne.Accounts.ActiveAgentsnumberThe account number of active agents.
SentinelOne.Accounts.NumberOfSitesnumberThe account number of sites.
SentinelOne.Accounts.StatestringThe account state.
SentinelOne.Accounts.CreatedAtstringThe account creation date.
SentinelOne.Accounts.ExpirationstringThe account expiration date.
SentinelOne.Accounts.IDstringThe account ID.
SentinelOne.Accounts.NamestringThe account name.

sentinelone-get-threat-notes#


Returns threat notes.

Base Command#

sentinelone-get-threat-notes

Input#

Argument NameDescriptionRequired
threat_idThe ID of the threat.Required

Context Output#

PathTypeDescription
SentinelOne.Notes.CreatedAtstringThe note creation date.
SentinelOne.Notes.CreatorstringThe note creator.
SentinelOne.Notes.CreatorIDstringThe note creator ID.
SentinelOne.Notes.EditedbooleanWhether the note was edited or not..
SentinelOne.Notes.IDstringThe note ID.
SentinelOne.Notes.TextstringThe note text.
SentinelOne.Notes.UpdatedAtstringThe note updated time.

Incident Mirroring#

You can enable incident mirroring between Cortex XSOAR incidents and SentinelOne v2 corresponding events (available from Cortex XSOAR version 6.0.0). To set up the mirroring:

  1. Enable Fetching incidents in your instance configuration.

  2. In the Mirroring Direction integration parameter, select in which direction the incidents should be mirrored:

    OptionDescription
    NoneTurns off incident mirroring.
    IncomingAny changes in SentinelOne v2 events (mirroring incoming fields) will be reflected in Cortex XSOAR incidents.
    OutgoingAny changes in Cortex XSOAR incidents will be reflected in SentinelOne v2 events (outgoing mirrored fields).
    Incoming And OutgoingChanges in Cortex XSOAR incidents and SentinelOne v2 events will be reflected in both directions.

Newly fetched incidents will be mirrored in the chosen direction. However, this selection does not affect existing incidents.

Important Note: To ensure the mirroring works as expected, mappers are required, both for incoming and outgoing, to map the expected fields in Cortex XSOAR and SentinelOne v2.