SentinelOne

Cyber security that prevents threats at faster speed, greater scale, and higher accuracy than humanly possible.

Integration with LogicHub

Connecting with SentinelOne

To connect to SentinelOne, the following details are required:

Actions with SentinelOne

Connects Agent To Network

Connects agent to network

Inputs to this Action:

  • Connections: Choose a connection that you have created.
  • Agent ID: Jinja templated agent ID which is to be connected to the network. Example: {{agent_id_column}}
  • Jinja Template Time between consecutive API requests (in millis): Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds)

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Connects Agent To Network Data
{
   "locations":null,
   "osStartTime":"2021-01-12T20:40:27Z",
   "rangerVersion":null,
   "cloudProviders":{
      
   },
   "osArch":"64 bit",
   "licenseKey":"",
   "updatedAt":"2021-09-06T16:36:34.926026Z",
   "externalId":"",
   "networkInterfaces":[
      {
         "name":"ens3",
         "gatewayIp":"10.0.0.1",
         "inet6":[
            
         ],
         "gatewayMacAddress":"00:00:17:31:2e:8e",
         "id":"1184207949927894021",
         "inet":[
            "10.0.0.2"
         ],
         "physical":"02:00:17:09:AC:E4"
      },
      {
         "name":"docker0",
         "gatewayIp":null,
         "inet6":[
            
         ],
         "gatewayMacAddress":null,
         "id":"1184207949927894022",
         "inet":[
            "172.17.0.1"
         ],
         "physical":"02:42:2D:5A:F2:4C"
      }
   ],
   "lastActiveDate":"2021-09-06T16:35:30.729725Z",
   "networkStatus":"connecting",
   "locationEnabled":false,
   "lastIpToMgmt":"10.0.0.2",
   "accountName":"SentinelOne",
   "threatRebootRequired":false,
   "scanStartedAt":"2021-06-22T21:30:56.771107Z",
   "domain":"sub01122036110.default.oraclevcn.com",
   "uuid":"8680d9d2-16d3-2915-b736-2b4d2f4d6faf",
   "lastLoggedInUserName":"",
   "networkQuarantineEnabled":false,
   "isUninstalled":false,
   "scanStatus":"finished",
   "userActionsNeeded":[
      
   ],
   "osUsername":"root",
   "cpuCount":1,
   "storageType":null,
   "coreCount":2,
   "isPendingUninstall":false,
   "firewallEnabled":true,
   "accountId":"433241117337583618",
   "mitigationMode":"protect",
   "activeThreats":0,
   "registeredAt":"2021-06-22T21:29:48.386746Z",
   "machineType":"server",
   "groupId":"1184166245199854505",
   "infected":false,
   "modelName":"QEMU Standard PC (i440FX + PIIX, 1996)",
   "consoleMigrationStatus":"N/A",
   "storageName":null,
   "has_error":false,
   "siteName":"LogicHub",
   "id":"1184207949919505412",
   "scanFinishedAt":"2021-06-23T00:03:51.386826Z",
   "error":null,
   "remoteProfilingStateExpiration":null,
   "installerType":".rpm",
   "groupName":"Default Group",
   "encryptedApplications":false,
   "remoteProfilingState":"disabled",
   "osType":"linux",
   "totalMemory":688,
   "externalIp":"129.213.58.77",
   "createdAt":"2021-06-22T21:29:48.389992Z",
   "osName":"Linux",
   "isActive":true,
   "agentVersion":"21.6.3.7",
   "inRemoteShellSession":false,
   "isUpToDate":true,
   "allowRemoteShell":true,
   "cpuId":"AMD EPYC 7551 32-Core Processor",
   "mitigationModeSuspicious":"detect",
   "isDecommissioned":false,
   "siteId":"1184166245183077288",
   "computerName":"instance-20210112-1436",
   "locationType":"not_supported",
   "operationalStateExpiration":null,
   "rangerStatus":"NotApplicable",
   "scanAbortedAt":null,
   "activeDirectory":{
      "computerDistinguishedName":null,
      "lastUserMemberOf":[
         
      ],
      "computerMemberOf":[
         
      ],
      "lastUserDistinguishedName":null
   },
   "operationalState":"na",
   "osRevision":"Oracle Server release 7.9 5.4.17-2036.102.0.2.el7uek.x86_64",
   "appsVulnerabilityStatus":"not_applicable",
   "groupIp":"129.213.58.x"
}

Disconnects Agent From Network

Disconnects agent from network

Inputs to this Action:

  • Connections: Choose a connection that you have created.
  • Agent ID: Jinja templated agent ID which is to be disconnected from the network. Example: {{agent_id_column}}
  • Jinja Template Time between consecutive API requests (in millis): Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds)

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Disconnects Agent From Network Data
{
   "locations":null,
   "osStartTime":"2021-01-12T20:40:27Z",
   "rangerVersion":null,
   "cloudProviders":{
      
   },
   "osArch":"64 bit",
   "licenseKey":"",
   "updatedAt":"2021-09-06T16:36:34.926026Z",
   "externalId":"",
   "networkInterfaces":[
      {
         "name":"ens3",
         "gatewayIp":"10.0.0.1",
         "inet6":[
            
         ],
         "gatewayMacAddress":"00:00:17:31:2e:8e",
         "id":"1184207949927894021",
         "inet":[
            "10.0.0.2"
         ],
         "physical":"02:00:17:09:AC:E4"
      },
      {
         "name":"docker0",
         "gatewayIp":null,
         "inet6":[
            
         ],
         "gatewayMacAddress":null,
         "id":"1184207949927894022",
         "inet":[
            "172.17.0.1"
         ],
         "physical":"02:42:2D:5A:F2:4C"
      }
   ],
   "lastActiveDate":"2021-09-06T16:35:30.729725Z",
   "networkStatus":"connecting",
   "locationEnabled":false,
   "lastIpToMgmt":"10.0.0.2",
   "accountName":"SentinelOne",
   "threatRebootRequired":false,
   "scanStartedAt":"2021-06-22T21:30:56.771107Z",
   "domain":"sub01122036110.default.oraclevcn.com",
   "uuid":"8680d9d2-16d3-2915-b736-2b4d2f4d6faf",
   "lastLoggedInUserName":"",
   "networkQuarantineEnabled":false,
   "isUninstalled":false,
   "scanStatus":"finished",
   "userActionsNeeded":[
      
   ],
   "osUsername":"root",
   "cpuCount":1,
   "storageType":null,
   "coreCount":2,
   "isPendingUninstall":false,
   "firewallEnabled":true,
   "accountId":"433241117337583618",
   "mitigationMode":"protect",
   "activeThreats":0,
   "registeredAt":"2021-06-22T21:29:48.386746Z",
   "machineType":"server",
   "groupId":"1184166245199854505",
   "infected":false,
   "modelName":"QEMU Standard PC (i440FX + PIIX, 1996)",
   "consoleMigrationStatus":"N/A",
   "storageName":null,
   "has_error":false,
   "siteName":"LogicHub",
   "id":"1184207949919505412",
   "scanFinishedAt":"2021-06-23T00:03:51.386826Z",
   "error":null,
   "remoteProfilingStateExpiration":null,
   "installerType":".rpm",
   "groupName":"Default Group",
   "encryptedApplications":false,
   "remoteProfilingState":"disabled",
   "osType":"linux",
   "totalMemory":688,
   "externalIp":"129.213.58.77",
   "createdAt":"2021-06-22T21:29:48.389992Z",
   "osName":"Linux",
   "isActive":true,
   "agentVersion":"21.6.3.7",
   "inRemoteShellSession":false,
   "isUpToDate":true,
   "allowRemoteShell":true,
   "cpuId":"AMD EPYC 7551 32-Core Processor",
   "mitigationModeSuspicious":"detect",
   "isDecommissioned":false,
   "siteId":"1184166245183077288",
   "computerName":"instance-20210112-1436",
   "locationType":"not_supported",
   "operationalStateExpiration":null,
   "rangerStatus":"NotApplicable",
   "scanAbortedAt":null,
   "activeDirectory":{
      "computerDistinguishedName":null,
      "lastUserMemberOf":[
         
      ],
      "computerMemberOf":[
         
      ],
      "lastUserDistinguishedName":null
   },
   "operationalState":"na",
   "osRevision":"Oracle Server release 7.9 5.4.17-2036.102.0.2.el7uek.x86_64",
   "appsVulnerabilityStatus":"not_applicable",
   "groupIp":"129.213.58.x"
}

Create Query

Runs a Deep Visibility Query and returns the queryId. You can use the queryId for all other commands, such as the sentinelone-get-events command.

Inputs to this Action:

  • Connections: Choose a connection that you have created.
  • Query: Jinja templated query used for creating the query. Example: EndpointName exists
  • From Date: Jinja templated from date used for creating the query. Format: %Y-%m-%dT%H:%M:%SZ, Example: 2021-06-22T21:29:48Z
  • To Date: Jinja templated to date used for creating the query. Format: %Y-%m-%dT%H:%M:%SZ, Example: 2021-06-22T21:29:48Z
  • Jinja Template Time between consecutive API requests (in millis): Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds)

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Create Query Data
{
   "has_error":false,
   "data":{
      "queryId":"qe4080a5f8088b188b423b9edcc768252"
   },
   "error":null
}

Get Agent

Get agent details by agent ID

Inputs to this Action:

  • Connections: Choose a connection that you have created.
  • Agent ID: Jinja templated agent ID which is to be fetched. Example: {{agent_id_column}}
  • Jinja Template Time between consecutive API requests (in millis): Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds)

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Get Agent Data
{
   "locations":null,
   "osStartTime":"2021-01-12T20:40:27Z",
   "rangerVersion":null,
   "cloudProviders":{
      
   },
   "osArch":"64 bit",
   "licenseKey":"",
   "updatedAt":"2021-09-06T04:27:29.724745Z",
   "externalId":"",
   "networkInterfaces":[
      {
         "name":"ens3",
         "gatewayIp":"10.0.0.1",
         "inet6":[
            
         ],
         "gatewayMacAddress":"00:00:17:31:2e:8e",
         "id":"1184207949927894021",
         "inet":[
            "10.0.0.2"
         ],
         "physical":"02:00:17:09:AC:E4"
      },
      {
         "name":"docker0",
         "gatewayIp":null,
         "inet6":[
            
         ],
         "gatewayMacAddress":null,
         "id":"1184207949927894022",
         "inet":[
            "172.17.0.1"
         ],
         "physical":"02:42:2D:5A:F2:4C"
      }
   ],
   "lastActiveDate":"2021-09-06T16:32:30.729967Z",
   "networkStatus":"connected",
   "locationEnabled":false,
   "lastIpToMgmt":"10.0.0.2",
   "accountName":"SentinelOne",
   "threatRebootRequired":false,
   "scanStartedAt":"2021-06-22T21:30:56.771107Z",
   "domain":"sub01122036110.default.oraclevcn.com",
   "uuid":"8680d9d2-16d3-2915-b736-2b4d2f4d6faf",
   "lastLoggedInUserName":"",
   "networkQuarantineEnabled":false,
   "isUninstalled":false,
   "scanStatus":"finished",
   "userActionsNeeded":[
      
   ],
   "osUsername":"root",
   "cpuCount":1,
   "storageType":null,
   "coreCount":2,
   "isPendingUninstall":false,
   "firewallEnabled":true,
   "accountId":"433241117337583618",
   "mitigationMode":"protect",
   "activeThreats":0,
   "registeredAt":"2021-06-22T21:29:48.386746Z",
   "machineType":"server",
   "groupId":"1184166245199854505",
   "infected":false,
   "modelName":"QEMU Standard PC (i440FX + PIIX, 1996)",
   "consoleMigrationStatus":"N/A",
   "storageName":null,
   "has_error":false,
   "siteName":"LogicHub",
   "id":"1184207949919505412",
   "scanFinishedAt":"2021-06-23T00:03:51.386826Z",
   "error":null,
   "remoteProfilingStateExpiration":null,
   "installerType":".rpm",
   "groupName":"Default Group",
   "encryptedApplications":false,
   "remoteProfilingState":"disabled",
   "osType":"linux",
   "totalMemory":688,
   "externalIp":"129.213.58.77",
   "createdAt":"2021-06-22T21:29:48.389992Z",
   "osName":"Linux",
   "isActive":true,
   "agentVersion":"21.6.3.7",
   "inRemoteShellSession":false,
   "isUpToDate":true,
   "allowRemoteShell":true,
   "cpuId":"AMD EPYC 7551 32-Core Processor",
   "mitigationModeSuspicious":"detect",
   "isDecommissioned":false,
   "siteId":"1184166245183077288",
   "computerName":"instance-20210112-1436",
   "locationType":"not_supported",
   "operationalStateExpiration":null,
   "rangerStatus":"NotApplicable",
   "scanAbortedAt":null,
   "activeDirectory":{
      "computerDistinguishedName":null,
      "lastUserMemberOf":[
         
      ],
      "computerMemberOf":[
         
      ],
      "lastUserDistinguishedName":null
   },
   "operationalState":"na",
   "osRevision":"Oracle Server release 7.9 5.4.17-2036.102.0.2.el7uek.x86_64",
   "appsVulnerabilityStatus":"not_applicable",
   "groupIp":"129.213.58.x"
}
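The Connects Agent To Network and Disconnects Agent From Network actions above return the agent record straight away, and the sample output shows "networkStatus":"connecting" rather than a settled state, while the Get Agent sample shows "connected". The helper below, an added example that is not LogicHub's or SentinelOne's own code, checks the has_error/error envelope, re-reads the agent with a Get Agent callable until networkStatus settles, and then flags posture conditions a responder cares about using only field names from the page's agent record. The `get_agent` callable, the "disconnecting"/"disconnected" status values, and the sample responses are constructed assumptions.

```python
"""Added example: settle an agent's networkStatus after a connect/disconnect
action and summarise its security posture. Not LogicHub/SentinelOne code."""
import time
from typing import Any, Callable, Dict, List

# "connecting" and "connected" appear on this page; the disconnect-side values
# are assumed to mirror them.
SETTLED = {"connected", "disconnected"}
PENDING = {"connecting", "disconnecting"}

AgentRecord = Dict[str, Any]


def unwrap(action_output: AgentRecord) -> AgentRecord:
    """Check the action envelope. In the page's samples has_error/error sit
    alongside the agent fields, so the same dict is returned on success."""
    if action_output.get("has_error"):
        raise RuntimeError(f"action failed: {action_output.get('error')}")
    return action_output


def wait_for_network_status(get_agent: Callable[[str], AgentRecord],
                            agent_id: str, expected: str,
                            attempts: int = 5, delay_s: float = 0.0) -> AgentRecord:
    """Re-read the agent (Get Agent) until networkStatus settles.

    Returns the settled record. Raises RuntimeError if it settles on a status
    other than `expected` (e.g. a disconnect that ended up "connected") and
    TimeoutError if it is still pending after `attempts` reads.
    """
    if expected not in SETTLED:
        raise ValueError(f"expected must be one of {sorted(SETTLED)}")
    last = None
    for _ in range(attempts):
        agent = unwrap(get_agent(agent_id))
        status = agent.get("networkStatus")
        last = status
        if status == expected:
            return agent
        if status in SETTLED:
            raise RuntimeError(f"agent {agent_id} settled on {status!r}, wanted {expected!r}")
        if status not in PENDING:
            raise RuntimeError(f"agent {agent_id} reported unknown status {status!r}")
        time.sleep(delay_s)   # honour "time between consecutive API requests"
    raise TimeoutError(f"agent {agent_id} still {last!r} after {attempts} reads")


def posture_findings(agent: AgentRecord) -> List[str]:
    """Flag conditions a responder would act on, using the record's own fields."""
    findings: List[str] = []
    if agent.get("infected") or agent.get("activeThreats", 0) > 0:
        if agent.get("networkStatus") != "disconnected":
            findings.append("active threats but agent is not network-isolated")
        if agent.get("threatRebootRequired"):
            findings.append("threat mitigation needs a reboot")
    if agent.get("mitigationMode") != "protect":
        findings.append(f"mitigationMode is {agent.get('mitigationMode')!r}, not 'protect'")
    if not agent.get("isUpToDate", True):
        findings.append(f"agent version {agent.get('agentVersion')} is out of date")
    if agent.get("allowRemoteShell"):
        findings.append("remote shell is allowed on this agent")
    return findings


# Constructed stand-in for Get Agent: replays the given statuses in order,
# with the other fields modelled on the page's sample record.
def make_fake_get_agent(statuses: List[str]) -> Callable[[str], AgentRecord]:
    calls = iter(statuses)

    def get_agent(agent_id: str) -> AgentRecord:
        return {
            "has_error": False, "error": None, "id": agent_id,
            "networkStatus": next(calls), "infected": False, "activeThreats": 0,
            "mitigationMode": "protect", "isUpToDate": True,
            "agentVersion": "21.6.3.7", "allowRemoteShell": True,
            "threatRebootRequired": False,
        }
    return get_agent


if __name__ == "__main__":
    fake = make_fake_get_agent(["connecting", "connected"])
    settled = wait_for_network_status(fake, "1184207949919505412", "connected")
    print(settled["networkStatus"], posture_findings(settled))
```

In a playbook the `delay_s` argument maps onto the action's "Time between consecutive API requests" input; the sample record's "allowRemoteShell":true is reported as a finding because it widens what an operator account can do on the host.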

Get Events

Fetch all deep visibility events that match the query.

Inputs to this Action:

  • Connections: Choose a connection that you have created.
  • Query ID: Jinja templated query ID which is to be fetched. Example: {{query_id_column}}
  • Jinja Template Limit: Limit for number of events to be fetched. (Default is 100000)
  • Jinja Template Time between consecutive API requests (in millis): Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds)

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Get Events Data
{
   "has_error":false,
   "noResults":"no results returned",
   "error":null
}
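Create Query and Get Events form one procedure: the queryId returned by the first action is the input of the second. The wrapper below, an added example that is not LogicHub's or SentinelOne's own code, chains them with the checks a playbook author would want: it validates From Date and To Date against the documented %Y-%m-%dT%H:%M:%SZ format before anything is sent, enforces the inter-request delay, raises on the has_error/error envelope, and treats the noResults envelope shown above as an empty result set. The `call_action` runner is a constructed stand-in, and the assumption that events arrive as a list under "data" is not confirmed by the page.

```python
"""Added example: chain Create Query -> Get Events with input validation and
envelope handling. Not LogicHub/SentinelOne code."""
import time
from datetime import datetime
from typing import Any, Callable, Dict, List

DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"   # format documented for From Date / To Date
QUERY_ID = "qe4080a5f8088b188b423b9edcc768252"   # value from the page's sample
Action = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def parse_action_time(value: str) -> datetime:
    """Fail on a malformed template value inside the playbook, not at the API."""
    return datetime.strptime(value, DATE_FMT)


def check_envelope(output: Dict[str, Any], action: str) -> Dict[str, Any]:
    """Every action on this page returns has_error/error; raise on failure."""
    if output.get("has_error"):
        raise RuntimeError(f"{action} failed: {output.get('error')}")
    return output


def run_deep_visibility(call_action: Action, query: str, from_date: str,
                        to_date: str, limit: int = 100000,
                        delay_ms: int = 0) -> List[Dict[str, Any]]:
    """Create a Deep Visibility query, then fetch its events."""
    start, end = parse_action_time(from_date), parse_action_time(to_date)
    if start > end:
        raise ValueError("From Date is after To Date")
    if limit <= 0:
        raise ValueError("limit must be positive")

    created = check_envelope(call_action("Create Query", {
        "query": query, "from_date": from_date, "to_date": to_date}), "Create Query")
    query_id = created["data"]["queryId"]          # shape from the page's sample

    time.sleep(delay_ms / 1000.0)                  # time between consecutive requests

    events = check_envelope(call_action("Get Events", {
        "query_id": query_id, "limit": limit}), "Get Events")
    if "noResults" in events:                       # envelope shown on the page
        return []
    rows = events.get("data", [])                   # assumption: list under "data"
    return rows[:limit]


# Constructed stand-in for the LogicHub action runner: answers Create Query
# with the page's sample and Get Events with either noResults or the rows given.
def make_fake_runner(event_rows: List[Dict[str, Any]]) -> Action:
    def call_action(name: str, params: Dict[str, Any]) -> Dict[str, Any]:
        if name == "Create Query":
            return {"has_error": False, "data": {"queryId": QUERY_ID}, "error": None}
        if name == "Get Events":
            if params.get("query_id") != QUERY_ID:
                return {"has_error": True, "error": "unknown queryId"}
            if not event_rows:
                return {"has_error": False, "noResults": "no results returned",
                        "error": None}
            return {"has_error": False, "data": list(event_rows), "error": None}
        return {"has_error": True, "error": f"unknown action {name}"}
    return call_action


if __name__ == "__main__":
    runner = make_fake_runner([])
    print(run_deep_visibility(runner, "EndpointName exists",
                              "2021-06-22T21:29:48Z", "2021-06-23T00:03:51Z"))
```

Validating the window up front matters because a reversed or mis-templated date range silently returns no events, which an analyst can mistake for "nothing happened".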

List Agents

List all agents matching the input filter

Inputs to this Action:

  • Connections: Choose a connection that you have created.
  • Minimum Active Threats: Jinja templated minimum active threats. Agents with active threats greater than this value will be fetched. Example: {{minimum_active_threats}}
  • Computer Name: Jinja templated computer name. Example: {{computer_name_column}}
  • Scan Status: Jinja templated scan status. Example: {{scan_status_column}}
  • OS Type: Jinja templated OS type. Example: {{os_type_column}}
  • Created At: Jinja templated date representing created date of the agent. Format: %Y-%m-%dT%H:%M:%SZ, Example: 2021-06-22T21:29:48Z
  • Jinja Template Time between consecutive API requests (in millis): Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds)

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: List Agents Data
{
   "locations":null,
   "osStartTime":"2021-01-12T20:40:27Z",
   "rangerVersion":null,
   "cloudProviders":{
      
   },
   "osArch":"64 bit",
   "licenseKey":"",
   "updatedAt":"2021-09-06T04:27:29.724745Z",
   "externalId":"",
   "networkInterfaces":[
      {
         "gatewayIp":"10.0.0.1",
         "gatewayMacAddress":"00:00:17:31:2e:8e",
         "id":"1184207949927894021",
         "inet":[
            "10.0.0.2"
         ],
         "inet6":[
            
         ],
         "name":"ens3",
         "physical":"02:00:17:09:AC:E4"
      },
      {
         "gatewayIp":null,
         "gatewayMacAddress":null,
         "id":"1184207949927894022",
         "inet":[
            "172.17.0.1"
         ],
         "inet6":[
            
         ],
         "name":"docker0",
         "physical":"02:42:2D:5A:F2:4C"
      }
   ],
   "lastActiveDate":"2021-09-06T16:19:00.729942Z",
   "networkStatus":"connected",
   "locationEnabled":false,
   "lastIpToMgmt":"10.0.0.2",
   "accountName":"SentinelOne",
   "threatRebootRequired":false,
   "scanStartedAt":"2021-06-22T21:30:56.771107Z",
   "domain":"sub01122036110.default.oraclevcn.com",
   "uuid":"8680d9d2-16d3-2915-b736-2b4d2f4d6faf",
   "lastLoggedInUserName":"",
   "networkQuarantineEnabled":false,
   "isUninstalled":false,
   "scanStatus":"finished",
   "userActionsNeeded":[
      
   ],
   "osUsername":"root",
   "cpuCount":1,
   "storageType":null,
   "coreCount":2,
   "isPendingUninstall":false,
   "firewallEnabled":true,
   "accountId":"433241117337583618",
   "mitigationMode":"protect",
   "activeThreats":0,
   "registeredAt":"2021-06-22T21:29:48.386746Z",
   "machineType":"server",
   "groupId":"1184166245199854505",
   "infected":false,
   "modelName":"QEMU Standard PC (i440FX + PIIX, 1996)",
   "consoleMigrationStatus":"N/A",
   "storageName":null,
   "has_error":false,
   "siteName":"LogicHub",
   "id":"1184207949919505412",
   "scanFinishedAt":"2021-06-23T00:03:51.386826Z",
   "error":null,
   "remoteProfilingStateExpiration":null,
   "installerType":".rpm",
   "groupName":"Default Group",
   "encryptedApplications":false,
   "remoteProfilingState":"disabled",
   "osType":"linux",
   "totalMemory":688,
   "externalIp":"129.213.58.77",
   "createdAt":"2021-06-22T21:29:48.389992Z",
   "osName":"Linux",
   "isActive":true,
   "agentVersion":"21.6.3.7",
   "inRemoteShellSession":false,
   "isUpToDate":true,
   "allowRemoteShell":true,
   "cpuId":"AMD EPYC 7551 32-Core Processor",
   "mitigationModeSuspicious":"detect",
   "isDecommissioned":false,
   "siteId":"1184166245183077288",
   "computerName":"instance-20210112-1436",
   "locationType":"not_supported",
   "operationalStateExpiration":null,
   "rangerStatus":"NotApplicable",
   "scanAbortedAt":null,
   "activeDirectory":{
      "computerDistinguishedName":null,
      "computerMemberOf":[
         
      ],
      "lastUserDistinguishedName":null,
      "lastUserMemberOf":[
         
      ]
   },
   "operationalState":"na",
   "osRevision":"Oracle Server release 7.9 5.4.17-2036.102.0.2.el7uek.x86_64",
   "appsVulnerabilityStatus":"not_applicable",
   "groupIp":"129.213.58.x"
}

Shutdown Agent

Shuts down the agents selected by the given filters

Inputs to this Action:

  • Connections: Choose a connection that you have created.
  • Query: Jinja templated query for shutting down the agents. Example: {{query_column}}
  • Agent IDs: Jinja templated comma separated Agent IDs which are to be shut down. Example: {{agent_id_column}}
  • Group IDs: Jinja templated comma separated Group ID. Example: {{group_id_column}}
  • Jinja Template Time between consecutive API requests (in millis): Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds)

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Shutdown Agent Data
{
   "locations":null,
   "osStartTime":"2021-01-12T20:40:27Z",
   "rangerVersion":null,
   "cloudProviders":{
      
   },
   "osArch":"64 bit",
   "licenseKey":"",
   "updatedAt":"2021-09-06T16:36:34.926026Z",
   "externalId":"",
   "networkInterfaces":[
      {
         "name":"ens3",
         "gatewayIp":"10.0.0.1",
         "inet6":[
            
         ],
         "gatewayMacAddress":"00:00:17:31:2e:8e",
         "id":"1184207949927894021",
         "inet":[
            "10.0.0.2"
         ],
         "physical":"02:00:17:09:AC:E4"
      },
      {
         "name":"docker0",
         "gatewayIp":null,
         "inet6":[
            
         ],
         "gatewayMacAddress":null,
         "id":"1184207949927894022",
         "inet":[
            "172.17.0.1"
         ],
         "physical":"02:42:2D:5A:F2:4C"
      }
   ],
   "lastActiveDate":"2021-09-06T16:35:30.729725Z",
   "networkStatus":"connecting",
   "locationEnabled":false,
   "lastIpToMgmt":"10.0.0.2",
   "accountName":"SentinelOne",
   "threatRebootRequired":false,
   "scanStartedAt":"2021-06-22T21:30:56.771107Z",
   "domain":"sub01122036110.default.oraclevcn.com",
   "uuid":"8680d9d2-16d3-2915-b736-2b4d2f4d6faf",
   "lastLoggedInUserName":"",
   "networkQuarantineEnabled":false,
   "isUninstalled":false,
   "scanStatus":"finished",
   "userActionsNeeded":[
      
   ],
   "osUsername":"root",
   "cpuCount":1,
   "storageType":null,
   "coreCount":2,
   "isPendingUninstall":false,
   "firewallEnabled":true,
   "accountId":"433241117337583618",
   "mitigationMode":"protect",
   "activeThreats":0,
   "registeredAt":"2021-06-22T21:29:48.386746Z",
   "machineType":"server",
   "groupId":"1184166245199854505",
   "infected":false,
   "modelName":"QEMU Standard PC (i440FX + PIIX, 1996)",
   "consoleMigrationStatus":"N/A",
   "storageName":null,
   "has_error":false,
   "siteName":"LogicHub",
   "id":"1184207949919505412",
   "scanFinishedAt":"2021-06-23T00:03:51.386826Z",
   "error":null,
   "remoteProfilingStateExpiration":null,
   "installerType":".rpm",
   "groupName":"Default Group",
   "encryptedApplications":false,
   "remoteProfilingState":"disabled",
   "osType":"linux",
   "totalMemory":688,
   "externalIp":"129.213.58.77",
   "createdAt":"2021-06-22T21:29:48.389992Z",
   "osName":"Linux",
   "isActive":true,
   "agentVersion":"21.6.3.7",
   "inRemoteShellSession":false,
   "isUpToDate":true,
   "allowRemoteShell":true,
   "cpuId":"AMD EPYC 7551 32-Core Processor",
   "mitigationModeSuspicious":"detect",
   "isDecommissioned":false,
   "siteId":"1184166245183077288",
   "computerName":"instance-20210112-1436",
   "locationType":"not_supported",
   "operationalStateExpiration":null,
   "rangerStatus":"NotApplicable",
   "scanAbortedAt":null,
   "activeDirectory":{
      "computerDistinguishedName":null,
      "lastUserMemberOf":[
         
      ],
      "computerMemberOf":[
         
      ],
      "lastUserDistinguishedName":null
   },
   "operationalState":"na",
   "osRevision":"Oracle Server release 7.9 5.4.17-2036.102.0.2.el7uek.x86_64",
   "appsVulnerabilityStatus":"not_applicable",
   "groupIp":"129.213.58.x"
}

Dashboard Threat Summary

Dashboard threat summary for sites and groups

Inputs to this Action:

  • Connections: Choose a connection that you have created.
  • Site IDs: Jinja templated comma separated site IDs for which threat summary needs to be pulled. Example: {{site_id_column}}
  • Group IDs: Jinja templated comma separated group IDs. Example: {{group_id_column}}
  • Jinja Template Time between consecutive API requests (in millis): Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds)

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Dashboard Threat Summary Data
{
   "has_error":false,
   "data":{
      "notResolved":0,
      "resolved":0,
      "suspiciousNotMitigatedNotResolved":0,
      "suspiciousNotResolved":0,
      "notMitigatedNotResolved":0,
      "inProgress":0,
      "total":0,
      "maliciousNotResolved":0,
      "notMitigated":0
   },
   "error":null
}
