SentinelOne
Version: 2.0.0
Cyber security that prevents threats at faster speed, greater scale, and higher accuracy than humanly possible.
Connect SentinelOne with LogicHub
- Navigate to Automations > Integrations.
- Search for SentinelOne.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- Server URL: API URL for SentinelOne. Example: https://host/web/api/v2.1
- Token: Token for authentication with SentinelOne server.
- After you've entered all the details, click Connect.
Actions for SentinelOne
Connects Agent To Network
Connects agent to network
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Agent ID | Jinja-templated agent ID which is to be connected to the network. Example: {{agent_id_column}} | Required |
| Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Connects Agent To Network Data
{
"locations":null,
"osStartTime":"2021-01-12T20:40:27Z",
"rangerVersion":null,
"cloudProviders":{
},
"osArch":"64 bit",
"licenseKey":"",
"updatedAt":"2021-09-06T16:36:34.926026Z",
"externalId":"",
"networkInterfaces":[
{
"name":"ens3",
"gatewayIp":"10.0.0.1",
"inet6":[
],
"gatewayMacAddress":"00:00:17:31:2e:8e",
"id":"1184207949927894021",
"inet":[
"10.0.0.2"
],
"physical":"02:00:17:09:AC:E4"
},
{
"name":"docker0",
"gatewayIp":null,
"inet6":[
],
"gatewayMacAddress":null,
"id":"1184207949927894022",
"inet":[
"172.17.0.1"
],
"physical":"02:42:2D:5A:F2:4C"
}
],
"lastActiveDate":"2021-09-06T16:35:30.729725Z",
"networkStatus":"connecting",
"locationEnabled":false,
"lastIpToMgmt":"10.0.0.2",
"accountName":"SentinelOne",
"threatRebootRequired":false,
"scanStartedAt":"2021-06-22T21:30:56.771107Z",
"domain":"sub01122036110.default.oraclevcn.com",
"uuid":"8680d9d2-16d3-2915-b736-2b4d2f4d6faf",
"lastLoggedInUserName":"",
"networkQuarantineEnabled":false,
"isUninstalled":false,
"scanStatus":"finished",
"userActionsNeeded":[
],
"osUsername":"root",
"cpuCount":1,
"storageType":null,
"coreCount":2,
"isPendingUninstall":false,
"firewallEnabled":true,
"accountId":"433241117337583618",
"mitigationMode":"protect",
"activeThreats":0,
"registeredAt":"2021-06-22T21:29:48.386746Z",
"machineType":"server",
"groupId":"1184166245199854505",
"infected":false,
"modelName":"QEMU Standard PC (i440FX + PIIX, 1996)",
"consoleMigrationStatus":"N/A",
"storageName":null,
"has_error":false,
"siteName":"LogicHub",
"id":"1184207949919505412",
"scanFinishedAt":"2021-06-23T00:03:51.386826Z",
"error":null,
"remoteProfilingStateExpiration":null,
"installerType":".rpm",
"groupName":"Default Group",
"encryptedApplications":false,
"remoteProfilingState":"disabled",
"osType":"linux",
"totalMemory":688,
"externalIp":"129.213.58.77",
"createdAt":"2021-06-22T21:29:48.389992Z",
"osName":"Linux",
"isActive":true,
"agentVersion":"21.6.3.7",
"inRemoteShellSession":false,
"isUpToDate":true,
"allowRemoteShell":true,
"cpuId":"AMD EPYC 7551 32-Core Processor",
"mitigationModeSuspicious":"detect",
"isDecommissioned":false,
"siteId":"1184166245183077288",
"computerName":"instance-20210112-1436",
"locationType":"not_supported",
"operationalStateExpiration":null,
"rangerStatus":"NotApplicable",
"scanAbortedAt":null,
"activeDirectory":{
"computerDistinguishedName":null,
"lastUserMemberOf":[
],
"computerMemberOf":[
],
"lastUserDistinguishedName":null
},
"operationalState":"na",
"osRevision":"Oracle Server release 7.9 5.4.17-2036.102.0.2.el7uek.x86_64",
"appsVulnerabilityStatus":"not_applicable",
"groupIp":"129.213.58.x"
}
Disconnects Agent From Network
Disconnects agent from network
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Agent ID | Jinja-templated agent ID which is to be disconnected from the network. Example: {{agent_id_column}} | Required |
| Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Disconnects Agent From Network Data
{
"locations":null,
"osStartTime":"2021-01-12T20:40:27Z",
"rangerVersion":null,
"cloudProviders":{
},
"osArch":"64 bit",
"licenseKey":"",
"updatedAt":"2021-09-06T16:36:34.926026Z",
"externalId":"",
"networkInterfaces":[
{
"name":"ens3",
"gatewayIp":"10.0.0.1",
"inet6":[
],
"gatewayMacAddress":"00:00:17:31:2e:8e",
"id":"1184207949927894021",
"inet":[
"10.0.0.2"
],
"physical":"02:00:17:09:AC:E4"
},
{
"name":"docker0",
"gatewayIp":null,
"inet6":[
],
"gatewayMacAddress":null,
"id":"1184207949927894022",
"inet":[
"172.17.0.1"
],
"physical":"02:42:2D:5A:F2:4C"
}
],
"lastActiveDate":"2021-09-06T16:35:30.729725Z",
"networkStatus":"connecting",
"locationEnabled":false,
"lastIpToMgmt":"10.0.0.2",
"accountName":"SentinelOne",
"threatRebootRequired":false,
"scanStartedAt":"2021-06-22T21:30:56.771107Z",
"domain":"sub01122036110.default.oraclevcn.com",
"uuid":"8680d9d2-16d3-2915-b736-2b4d2f4d6faf",
"lastLoggedInUserName":"",
"networkQuarantineEnabled":false,
"isUninstalled":false,
"scanStatus":"finished",
"userActionsNeeded":[
],
"osUsername":"root",
"cpuCount":1,
"storageType":null,
"coreCount":2,
"isPendingUninstall":false,
"firewallEnabled":true,
"accountId":"433241117337583618",
"mitigationMode":"protect",
"activeThreats":0,
"registeredAt":"2021-06-22T21:29:48.386746Z",
"machineType":"server",
"groupId":"1184166245199854505",
"infected":false,
"modelName":"QEMU Standard PC (i440FX + PIIX, 1996)",
"consoleMigrationStatus":"N/A",
"storageName":null,
"has_error":false,
"siteName":"LogicHub",
"id":"1184207949919505412",
"scanFinishedAt":"2021-06-23T00:03:51.386826Z",
"error":null,
"remoteProfilingStateExpiration":null,
"installerType":".rpm",
"groupName":"Default Group",
"encryptedApplications":false,
"remoteProfilingState":"disabled",
"osType":"linux",
"totalMemory":688,
"externalIp":"129.213.58.77",
"createdAt":"2021-06-22T21:29:48.389992Z",
"osName":"Linux",
"isActive":true,
"agentVersion":"21.6.3.7",
"inRemoteShellSession":false,
"isUpToDate":true,
"allowRemoteShell":true,
"cpuId":"AMD EPYC 7551 32-Core Processor",
"mitigationModeSuspicious":"detect",
"isDecommissioned":false,
"siteId":"1184166245183077288",
"computerName":"instance-20210112-1436",
"locationType":"not_supported",
"operationalStateExpiration":null,
"rangerStatus":"NotApplicable",
"scanAbortedAt":null,
"activeDirectory":{
"computerDistinguishedName":null,
"lastUserMemberOf":[
],
"computerMemberOf":[
],
"lastUserDistinguishedName":null
},
"operationalState":"na",
"osRevision":"Oracle Server release 7.9 5.4.17-2036.102.0.2.el7uek.x86_64",
"appsVulnerabilityStatus":"not_applicable",
"groupIp":"129.213.58.x"
}
Create Query
Runs a Deep Visibility Query and returns the queryId. You can use the queryId for all other commands, such as the sentinelone-get-events command.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Query | Jinja-templated query used for creating the query. Example: EndpointName exists. | Required |
| From Date | Jinja-templated from date used for creating the query. Format: %Y-%m-%dT%H:%M:%SZ, Example: 2021-06-22T21:29:48Z | Required |
| To Date | Jinja-templated to date used for creating the query. Format: %Y-%m-%dT%H:%M:%SZ, Example: 2021-06-22T21:29:48Z | Required |
| Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Create Query Data
{
"has_error":false,
"data":{
"queryId":"qe4080a5f8088b188b423b9edcc768252"
},
"error":null
}
Get Agent
Get agent details by agent ID
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Agent ID | Jinja-templated agent ID which is to be fetched. Example: {{agent_id_column}} | Required |
| Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Agent Data
{
"locations":null,
"osStartTime":"2021-01-12T20:40:27Z",
"rangerVersion":null,
"cloudProviders":{
},
"osArch":"64 bit",
"licenseKey":"",
"updatedAt":"2021-09-06T04:27:29.724745Z",
"externalId":"",
"networkInterfaces":[
{
"name":"ens3",
"gatewayIp":"10.0.0.1",
"inet6":[
],
"gatewayMacAddress":"00:00:17:31:2e:8e",
"id":"1184207949927894021",
"inet":[
"10.0.0.2"
],
"physical":"02:00:17:09:AC:E4"
},
{
"name":"docker0",
"gatewayIp":null,
"inet6":[
],
"gatewayMacAddress":null,
"id":"1184207949927894022",
"inet":[
"172.17.0.1"
],
"physical":"02:42:2D:5A:F2:4C"
}
],
"lastActiveDate":"2021-09-06T16:32:30.729967Z",
"networkStatus":"connected",
"locationEnabled":false,
"lastIpToMgmt":"10.0.0.2",
"accountName":"SentinelOne",
"threatRebootRequired":false,
"scanStartedAt":"2021-06-22T21:30:56.771107Z",
"domain":"sub01122036110.default.oraclevcn.com",
"uuid":"8680d9d2-16d3-2915-b736-2b4d2f4d6faf",
"lastLoggedInUserName":"",
"networkQuarantineEnabled":false,
"isUninstalled":false,
"scanStatus":"finished",
"userActionsNeeded":[
],
"osUsername":"root",
"cpuCount":1,
"storageType":null,
"coreCount":2,
"isPendingUninstall":false,
"firewallEnabled":true,
"accountId":"433241117337583618",
"mitigationMode":"protect",
"activeThreats":0,
"registeredAt":"2021-06-22T21:29:48.386746Z",
"machineType":"server",
"groupId":"1184166245199854505",
"infected":false,
"modelName":"QEMU Standard PC (i440FX + PIIX, 1996)",
"consoleMigrationStatus":"N/A",
"storageName":null,
"has_error":false,
"siteName":"LogicHub",
"id":"1184207949919505412",
"scanFinishedAt":"2021-06-23T00:03:51.386826Z",
"error":null,
"remoteProfilingStateExpiration":null,
"installerType":".rpm",
"groupName":"Default Group",
"encryptedApplications":false,
"remoteProfilingState":"disabled",
"osType":"linux",
"totalMemory":688,
"externalIp":"129.213.58.77",
"createdAt":"2021-06-22T21:29:48.389992Z",
"osName":"Linux",
"isActive":true,
"agentVersion":"21.6.3.7",
"inRemoteShellSession":false,
"isUpToDate":true,
"allowRemoteShell":true,
"cpuId":"AMD EPYC 7551 32-Core Processor",
"mitigationModeSuspicious":"detect",
"isDecommissioned":false,
"siteId":"1184166245183077288",
"computerName":"instance-20210112-1436",
"locationType":"not_supported",
"operationalStateExpiration":null,
"rangerStatus":"NotApplicable",
"scanAbortedAt":null,
"activeDirectory":{
"computerDistinguishedName":null,
"lastUserMemberOf":[
],
"computerMemberOf":[
],
"lastUserDistinguishedName":null
},
"operationalState":"na",
"osRevision":"Oracle Server release 7.9 5.4.17-2036.102.0.2.el7uek.x86_64",
"appsVulnerabilityStatus":"not_applicable",
"groupIp":"129.213.58.x"
}
Get Events
Fetch all deep visibility events that match the query.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Query ID | Jinja-templated query ID which is to be fetched. Example: {{query_id_column}} | Required |
| Limit | Limit for number of events to be fetched. (Default is 100000) | Required |
| Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Events Data
{
"has_error":false,
"noResults":"no results returned",
"error":null
}
List Agents
List all agents matching the input filter
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Minimum Active Threats | Jinja-templated minimum active threats. Agents with active threats greater than this value will be fetched. Example: {{minimum_active_threats}} | Required |
| Computer Name | Jinja-templated computer name. Example: {{computer_name_column}} | Required |
| Scan Status | Jinja-templated scan status. Example: {{scan_status_column}} | Required |
| OS Type | Jinja-templated OS type. Example: {{os_type_column}} | Required |
| Created At | Jinja-templated date representing created date of the agent. Format: %Y-%m-%dT%H:%M:%SZ, Example: 2021-06-22T21:29:48Z | Required |
| Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List Agents Data
{
"locations":null,
"osStartTime":"2021-01-12T20:40:27Z",
"rangerVersion":null,
"cloudProviders":{
},
"osArch":"64 bit",
"licenseKey":"",
"updatedAt":"2021-09-06T04:27:29.724745Z",
"externalId":"",
"networkInterfaces":[
{
"gatewayIp":"10.0.0.1",
"gatewayMacAddress":"00:00:17:31:2e:8e",
"id":"1184207949927894021",
"inet":[
"10.0.0.2"
],
"inet6":[
],
"name":"ens3",
"physical":"02:00:17:09:AC:E4"
},
{
"gatewayIp":null,
"gatewayMacAddress":null,
"id":"1184207949927894022",
"inet":[
"172.17.0.1"
],
"inet6":[
],
"name":"docker0",
"physical":"02:42:2D:5A:F2:4C"
}
],
"lastActiveDate":"2021-09-06T16:19:00.729942Z",
"networkStatus":"connected",
"locationEnabled":false,
"lastIpToMgmt":"10.0.0.2",
"accountName":"SentinelOne",
"threatRebootRequired":false,
"scanStartedAt":"2021-06-22T21:30:56.771107Z",
"domain":"sub01122036110.default.oraclevcn.com",
"uuid":"8680d9d2-16d3-2915-b736-2b4d2f4d6faf",
"lastLoggedInUserName":"",
"networkQuarantineEnabled":false,
"isUninstalled":false,
"scanStatus":"finished",
"userActionsNeeded":[
],
"osUsername":"root",
"cpuCount":1,
"storageType":null,
"coreCount":2,
"isPendingUninstall":false,
"firewallEnabled":true,
"accountId":"433241117337583618",
"mitigationMode":"protect",
"activeThreats":0,
"registeredAt":"2021-06-22T21:29:48.386746Z",
"machineType":"server",
"groupId":"1184166245199854505",
"infected":false,
"modelName":"QEMU Standard PC (i440FX + PIIX, 1996)",
"consoleMigrationStatus":"N/A",
"storageName":null,
"has_error":false,
"siteName":"LogicHub",
"id":"1184207949919505412",
"scanFinishedAt":"2021-06-23T00:03:51.386826Z",
"error":null,
"remoteProfilingStateExpiration":null,
"installerType":".rpm",
"groupName":"Default Group",
"encryptedApplications":false,
"remoteProfilingState":"disabled",
"osType":"linux",
"totalMemory":688,
"externalIp":"129.213.58.77",
"createdAt":"2021-06-22T21:29:48.389992Z",
"osName":"Linux",
"isActive":true,
"agentVersion":"21.6.3.7",
"inRemoteShellSession":false,
"isUpToDate":true,
"allowRemoteShell":true,
"cpuId":"AMD EPYC 7551 32-Core Processor",
"mitigationModeSuspicious":"detect",
"isDecommissioned":false,
"siteId":"1184166245183077288",
"computerName":"instance-20210112-1436",
"locationType":"not_supported",
"operationalStateExpiration":null,
"rangerStatus":"NotApplicable",
"scanAbortedAt":null,
"activeDirectory":{
"computerDistinguishedName":null,
"computerMemberOf":[
],
"lastUserDistinguishedName":null,
"lastUserMemberOf":[
]
},
"operationalState":"na",
"osRevision":"Oracle Server release 7.9 5.4.17-2036.102.0.2.el7uek.x86_64",
"appsVulnerabilityStatus":"not_applicable",
"groupIp":"129.213.58.x"
}
Shutdown Agent
Shutdown agent via filters
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Query | Jinja-templated query for shutting down the agents. Example: {{query_column}} | Required |
| Agent IDs | Jinja-templated comma separated Agent IDs which are to be shutdown. Example: {{agent_id_column}} | Required |
| Group IDs | Jinja-templated comma separated Group ID. Example: {{group_id_column}} | Required |
| Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Shutdown Agent Data
{
"locations":null,
"osStartTime":"2021-01-12T20:40:27Z",
"rangerVersion":null,
"cloudProviders":{
},
"osArch":"64 bit",
"licenseKey":"",
"updatedAt":"2021-09-06T16:36:34.926026Z",
"externalId":"",
"networkInterfaces":[
{
"name":"ens3",
"gatewayIp":"10.0.0.1",
"inet6":[
],
"gatewayMacAddress":"00:00:17:31:2e:8e",
"id":"1184207949927894021",
"inet":[
"10.0.0.2"
],
"physical":"02:00:17:09:AC:E4"
},
{
"name":"docker0",
"gatewayIp":null,
"inet6":[
],
"gatewayMacAddress":null,
"id":"1184207949927894022",
"inet":[
"172.17.0.1"
],
"physical":"02:42:2D:5A:F2:4C"
}
],
"lastActiveDate":"2021-09-06T16:35:30.729725Z",
"networkStatus":"connecting",
"locationEnabled":false,
"lastIpToMgmt":"10.0.0.2",
"accountName":"SentinelOne",
"threatRebootRequired":false,
"scanStartedAt":"2021-06-22T21:30:56.771107Z",
"domain":"sub01122036110.default.oraclevcn.com",
"uuid":"8680d9d2-16d3-2915-b736-2b4d2f4d6faf",
"lastLoggedInUserName":"",
"networkQuarantineEnabled":false,
"isUninstalled":false,
"scanStatus":"finished",
"userActionsNeeded":[
],
"osUsername":"root",
"cpuCount":1,
"storageType":null,
"coreCount":2,
"isPendingUninstall":false,
"firewallEnabled":true,
"accountId":"433241117337583618",
"mitigationMode":"protect",
"activeThreats":0,
"registeredAt":"2021-06-22T21:29:48.386746Z",
"machineType":"server",
"groupId":"1184166245199854505",
"infected":false,
"modelName":"QEMU Standard PC (i440FX + PIIX, 1996)",
"consoleMigrationStatus":"N/A",
"storageName":null,
"has_error":false,
"siteName":"LogicHub",
"id":"1184207949919505412",
"scanFinishedAt":"2021-06-23T00:03:51.386826Z",
"error":null,
"remoteProfilingStateExpiration":null,
"installerType":".rpm",
"groupName":"Default Group",
"encryptedApplications":false,
"remoteProfilingState":"disabled",
"osType":"linux",
"totalMemory":688,
"externalIp":"129.213.58.77",
"createdAt":"2021-06-22T21:29:48.389992Z",
"osName":"Linux",
"isActive":true,
"agentVersion":"21.6.3.7",
"inRemoteShellSession":false,
"isUpToDate":true,
"allowRemoteShell":true,
"cpuId":"AMD EPYC 7551 32-Core Processor",
"mitigationModeSuspicious":"detect",
"isDecommissioned":false,
"siteId":"1184166245183077288",
"computerName":"instance-20210112-1436",
"locationType":"not_supported",
"operationalStateExpiration":null,
"rangerStatus":"NotApplicable",
"scanAbortedAt":null,
"activeDirectory":{
"computerDistinguishedName":null,
"lastUserMemberOf":[
],
"computerMemberOf":[
],
"lastUserDistinguishedName":null
},
"operationalState":"na",
"osRevision":"Oracle Server release 7.9 5.4.17-2036.102.0.2.el7uek.x86_64",
"appsVulnerabilityStatus":"not_applicable",
"groupIp":"129.213.58.x"
}
Dashboard Threat Summary
Dashboard threat summary for sites and groups
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Site IDs | Jinja-templated comma separated site IDs for which threat summary needs to be pulled. Example: {{site_id_column}} | Required |
| Group IDs | Jinja-templated comma separated group IDs. Example: {{group_id_column}} | Required |
| Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Dashboard Threat Summary Data
{
"has_error":false,
"data":{
"notResolved":0,
"resolved":0,
"suspiciousNotMitigatedNotResolved":0,
"suspiciousNotResolved":0,
"notMitigatedNotResolved":0,
"inProgress":0,
"total":0,
"maliciousNotResolved":0,
"notMitigated":0
},
"error":null
}
Release Notes
v2.0.0- Updated architecture to support IO via filesystemv1.1.1- Added documentation link in the automation library.
Updated 3 months ago