SentinelOne | Marketplace

Details
Content
Dependencies
Version History

Endpoint protection

This pack enables you to use SentinelOne for endpoint protection.
You can receive alerts from endpoints, search for processes on endpoints, block endpoints and manage the endpoint protection policy.

What does this pack do?

This pack enables you to

Connect, disconnect, shutdown, and uninstall agents.
Get information about agents and agent groups, move an agent from one group to another, delete groups, and send broadcast messages to groups of agents.
Get information about threats, mark a suspicious behavior as a threat, and mitigate threats.
Get information about the system sites and reactivate a site if necessary.
Get information about activities, events and processes in the system.
The Sentinel One - Endpoint data collection playbook collects endpoint information by using SentinelOne commands.
The pack includes the SentinelOne v2 integration and the Sentinel One - Endpoint data collection playbook.

How does this pack work?

Create an instance of the SentinelOne v2 integration and start fetching information from the SentinelOne database.

Note: Support for this Pack moved to the partner on March, 23, 2023.
Please contact the partner directly via the support link on the right.

This pack enables you to use SentinelOne for endpoint protection.
You can receive alerts from endpoints, search for processes on endpoints, block endpoints and manage the endpoint protection policy.

What does this pack do?

This pack enables you to

Connect, disconnect, shutdown, and uninstall agents.
Get information about agents and agent groups, move an agent from one group to another, delete groups, and send broadcast messages to groups of agents.
Get information about threats, mark a suspicious behavior as a threat, and mitigate threats.
Get information about the system sites and reactivate a site if necessary.
Get information about activities, events and processes in the system.
The Sentinel One - Endpoint data collection playbook collects endpoint information by using SentinelOne commands.
The pack includes the SentinelOne v2 integration and the Sentinel One - Endpoint data collection playbook.

How does this pack work?

Create an instance of the SentinelOne v2 integration and start fetching information from the SentinelOne database.

Note: Support for this Pack moved to the partner on March, 23, 2023.
Please contact the partner directly via the support link on the right.

Classifiers

Name	Description
SentinelOne Classifier	Classifies SentinelOne incidents.
SentinelOne - Outgoing Mapper	SentinelOne mirror out mapper.
SentinelOne Incoming Mapper	SentinelOne Incoming Mapper

Incident Fields

Name	Description
SentinelOne Threat Analyst Verdict
SentinelOne Threat Status
SentinelOne Threat ID

Incident Types

Name	Description
SentinelOne Incident

Integrations

Name	Description
SentinelOne (Deprecated) (Partner Contribution)	Deprecated. Use the SentinelOne v2 integration instead.
SentinelOne v2 (Partner Contribution)	Use the SentinelOne integration to send requests to your management server and get responses with data pulled from agents or from the management database.

Layouts

Name	Description
SentinelOne Incident Layout

Playbooks

Name	Description
Sentinel One - Query Endpoints	Runs Query on Endpoints for SHA1 values
Sentinel One - Endpoint data collection	Deprecated. No available replacement.

Classifiers

Name	Description
SentinelOne Classifier	Classifies SentinelOne incidents.
SentinelOne - Outgoing Mapper	SentinelOne mirror out mapper.
SentinelOne Incoming Mapper	SentinelOne Incoming Mapper

Incident Fields

Name	Description
SentinelOne Threat ID
SentinelOne Threat Status
SentinelOne Threat Analyst Verdict

Incident Types

Name	Description
SentinelOne Incident

Integrations

Name	Description
SentinelOne Event Collector	This integration fetches activities, threats, and alerts from SentinelOne.
SentinelOne (Deprecated) (Partner Contribution)	Deprecated. Use the SentinelOne v2 integration instead.
SentinelOne v2 (Partner Contribution)	Use the SentinelOne integration to send requests to your management server and get responses with data pulled from agents or from the management database.

Layouts

Name	Description
SentinelOne Incident Layout

Modeling Rules

Name	Description
SentinelOne Modeling Rule

Playbooks

Name	Description
Sentinel One - Query Endpoints	Runs Query on Endpoints for SHA1 values
Sentinel One - Endpoint data collection	Deprecated. No available replacement.

Required Content Packs (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (4)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
ServiceNow	By: Cortex XSOAR

All level dependencies (6)

Pack Name	Pack By
Common Playbooks	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Base	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR

3.2.23 - 924992 (March 31, 2024)

Integrations

SentinelOne v2

Updated the sentinelone-get-hash command to output the Hash Reputation Verdict, instead of the Hash Reputation Rank as SentinelOne has deprecated /rank API endpoint and recommend /verdict API which fetches Hash Reputation Verdict.
Updated the Docker image to: demisto/python3:3.10.13.89009.

Related pull requests:
- 33649
- 33422

Download

3.2.22 - 849166 (February 25, 2024)

Integrations

SentinelOne v2

Updated the incident context data by removing the both details and labels.
Updated the Docker image to: demisto/python3:3.10.13.87159.

Related pull requests:
- 33005
- 33057

Download

3.2.21 - 839519 (February 20, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 33007

Download

3.2.20 - 798475 (February 1, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 32533

Download

3.2.19 - 772178 (January 19, 2024)

Integrations

SentinelOne v2

Fixed an issue where sentinelone-remove-hash-from-blocklist command would not remove from scoped blocklists.
Updated the Docker image to: demisto/python3:3.10.13.85415.

Related pull requests:
- 32262
- 32116

Download

3.2.18 - 767481 (January 17, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 32259

Download

3.2.17 - 750759 (January 9, 2024)

Integrations

SentinelOne v2

Updated the argument computer_name of the sentinelone-list-agents command so it can now match a partial computer name value (substring).

Related pull requests:
- 31988
- 32037

Download

3.2.16 - 722180 (December 28, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 31828

Download

3.2.15 - 7254058 (December 24, 2023)

Integrations

SentinelOne v2

Fixed bug for the sentinelone-run-remote-script command, removing the empty values from the payload of an API call.

Related pull requests:
- 31687
- 31595

Download

3.2.14 - 7153835 (December 13, 2023)

Integrations

SentinelOne v2

Added the include_resolved_param argument to the command sentinelone-get-threats which allows ignoring the resolved argument in order to get threats no matter what their status is.
Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31433
- 31355

Download

3.2.13 - 7076512 (December 5, 2023)

Integrations

SentinelOne v2

Added 2 commands:
- sentinelone-get-accounts
- sentinelone-get-threat-notes
Added the columns argument to the commands sentinelone-list-agents and sentinelone-get-events.
Updated the description and type of the output SentinelOne.Threat.Mitigation.Action from the command sentinelone-mitigate-threat as they were incorrect.
Updated the Docker image to: demisto/python3:3.10.13.82467.

Related pull requests:
- 31312

Download

3.2.12 - 6834680 (November 8, 2023)

Classifiers

SentinelOne Classifier

Fixed an issue where the SentinelOne Classifier unable to mapped with the Incident Type whose name is incident.

Integrations

SentinelOne v2

Updated the Docker image to: demisto/python3:3.10.13.80014.
Improved implementation of the fetch-threats functionality, so that it will fetch the selected threat statuses from the configuration.

Related pull requests:
- 30740
- 30626

Download

3.2.11 - 6679159 (October 23, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 30084

Download

3.2.10 - R6592021 (October 13, 2023)

Integrations

SentinelOne v2

Updated the Docker image to: demisto/python3:3.10.13.75921.
Fixed an issue with the Classifier where some incidents fall under the incorrect incident_type. This causes a red numbered mark on the classifier tab in XSOAR UI, which is considered as an unclassified incident.

Related pull requests:
- 29993
- 29841

Download

3.2.9 - 6367558 (September 19, 2023)

Integrations

SentinelOne v2

Updated the Docker image to: demisto/python3:3.10.13.73190.
Fixed an issue with the sentinelone-create-star-rule and sentinelone-update-star-rule commands, where the filters query parameter, when provided with empty values for any of site_ids, group_ids, or account_ids, was causing a validation error.
Updated the sentinelone-get-threats command by including new argument: incident_statuses.
Added filter options while fetching threats.

Related pull requests:
- 29549
- 29722

Download

3.2.8 - 6253250 (September 6, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 29440

Download

3.2.7 - 6133197 (August 23, 2023)

Integrations

SentinelOne v2

Updated the Docker image to: demisto/python3:3.10.12.68714.

Related pull requests:
- 29157

Download

3.2.6 - 6069807 (August 16, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 29000

Download

3.2.5 - 5925411 (August 1, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 28643

Download

3.2.4 - R5866730 (July 25, 2023)

Integrations

SentinelOne v2

Removed pack version from script.

Related pull requests:
- 28181

Download

3.2.3 - 5746599 (July 12, 2023)

Integrations

SentinelOne v2

Updated the sentinelone-run-remote-script command by including new arguments: singularity_xdr_Keyword, singularity_xdr_Url, api_key, input_params, password, script_runtime_timeout_seconds and requires_approval.
Fixed an issue in fetch incidents by defaulting the fetch type to Threats in the code.
Bug fixes.

Mappers

SentinelOne Incoming Mapper

Added a new common field Verdict by mapping it to the analyst verdict of the incident.

Playbooks

Sentinel One - Endpoint data collection

Deprecated. No available replacement.

Related pull requests:
- 27909
- 28072

Download

3.2.2 - 5668905 (July 2, 2023)

Integrations

SentinelOne v2

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27820

Download

3.2.1 - 5558549 (June 18, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 27520

Download

3.2.0 - 5422508 (June 1, 2023)

Integrations

SentinelOne v2

Updated the Docker image to: demisto/python3:3.10.11.61265.
Updated the created_until argument from required to optional in sentinelone-get-alerts command.
Updated the created_until and created_from arguments to accept input in the form of "10 days", "2 hours","5 months" in the sentinelone-get-alerts command.
Updated the created_after created_before created_from and created_until arguments to accept input in the form of "10 days", "2 hours","5 months" in the sentinelone-get-threats command.
Updated the fetch-incidents command to fetch threats, alerts or both, including additional filtering options.
Added a new command sentinelone-get-dv-query-status: returns status of a Deep Visibility Query.
Added a new command sentinelone-get-agent-mac: returns network interface details for a given Agent ID. This includes MAC address details and interface description.

Playbooks

New: Sentinel One - Query Endpoints

Runs Query on Endpoints for SHA1 values

Related pull requests:
- 26566
- 27137

Download

3.1.4 - 5304600 (May 19, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 26640

Download

3.1.3 - R5226855 (May 9, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 26246

Download

3.1.2 - R5170573 (May 2, 2023)

Incident Fields

SentinelOne Threat Analyst Verdict
SentinelOne Threat ID
SentinelOne Threat Status

Related pull requests:
- 26153

Download

3.1.1 - 4960979 (April 3, 2023)

Integrations

SentinelOne v2

Updated the Docker image to: demisto/python3:3.10.10.51930.
Fixed an issue where the sentinelone-add-hash-to-blocklist command failed when there were no Block Site IDs configured in the integration configuration.

Related pull requests:
- 25476

Download

PUBLISHER

SentinelOne

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	September 23, 2020
Last Release	March 31, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.