SentinelOne

Version: 2.1.1

Cyber security that prevents threats at faster speed, greater scale, and higher accuracy than humanly possible.

Connect SentinelOne with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for SentinelOne.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • Server URL: API URL for SentinelOne. Example: https://host/web/api/v2.1
    • Token: Token for authentication with SentinelOne server.
  4. After you've entered all the details, click Connect.

Actions for SentinelOne

Connects Agent To Network

Connects agent to network

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Agent IDJinja-templated agent ID which is to be connected to the network. Example: {{agent_id_column}}Required
Time between consecutive API requests (in millis)Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds).Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: Connects Agent To Network Data
{
   "locations":null,
   "osStartTime":"2021-01-12T20:40:27Z",
   "rangerVersion":null,
   "cloudProviders":{
      
   },
   "osArch":"64 bit",
   "licenseKey":"",
   "updatedAt":"2021-09-06T16:36:34.926026Z",
   "externalId":"",
   "networkInterfaces":[
      {
         "name":"ens3",
         "gatewayIp":"10.0.0.1",
         "inet6":[
            
         ],
         "gatewayMacAddress":"00:00:17:31:2e:8e",
         "id":"1184207949927894021",
         "inet":[
            "10.0.0.2"
         ],
         "physical":"02:00:17:09:AC:E4"
      },
      {
         "name":"docker0",
         "gatewayIp":null,
         "inet6":[
            
         ],
         "gatewayMacAddress":null,
         "id":"1184207949927894022",
         "inet":[
            "172.17.0.1"
         ],
         "physical":"02:42:2D:5A:F2:4C"
      }
   ],
   "lastActiveDate":"2021-09-06T16:35:30.729725Z",
   "networkStatus":"connecting",
   "locationEnabled":false,
   "lastIpToMgmt":"10.0.0.2",
   "accountName":"SentinelOne",
   "threatRebootRequired":false,
   "scanStartedAt":"2021-06-22T21:30:56.771107Z",
   "domain":"sub01122036110.default.oraclevcn.com",
   "uuid":"8680d9d2-16d3-2915-b736-2b4d2f4d6faf",
   "lastLoggedInUserName":"",
   "networkQuarantineEnabled":false,
   "isUninstalled":false,
   "scanStatus":"finished",
   "userActionsNeeded":[
      
   ],
   "osUsername":"root",
   "cpuCount":1,
   "storageType":null,
   "coreCount":2,
   "isPendingUninstall":false,
   "firewallEnabled":true,
   "accountId":"433241117337583618",
   "mitigationMode":"protect",
   "activeThreats":0,
   "registeredAt":"2021-06-22T21:29:48.386746Z",
   "machineType":"server",
   "groupId":"1184166245199854505",
   "infected":false,
   "modelName":"QEMU Standard PC (i440FX + PIIX, 1996)",
   "consoleMigrationStatus":"N/A",
   "storageName":null,
   "has_error":false,
   "siteName":"LogicHub",
   "id":"1184207949919505412",
   "scanFinishedAt":"2021-06-23T00:03:51.386826Z",
   "error":null,
   "remoteProfilingStateExpiration":null,
   "installerType":".rpm",
   "groupName":"Default Group",
   "encryptedApplications":false,
   "remoteProfilingState":"disabled",
   "osType":"linux",
   "totalMemory":688,
   "externalIp":"129.213.58.77",
   "createdAt":"2021-06-22T21:29:48.389992Z",
   "osName":"Linux",
   "isActive":true,
   "agentVersion":"21.6.3.7",
   "inRemoteShellSession":false,
   "isUpToDate":true,
   "allowRemoteShell":true,
   "cpuId":"AMD EPYC 7551 32-Core Processor",
   "mitigationModeSuspicious":"detect",
   "isDecommissioned":false,
   "siteId":"1184166245183077288",
   "computerName":"instance-20210112-1436",
   "locationType":"not_supported",
   "operationalStateExpiration":null,
   "rangerStatus":"NotApplicable",
   "scanAbortedAt":null,
   "activeDirectory":{
      "computerDistinguishedName":null,
      "lastUserMemberOf":[
         
      ],
      "computerMemberOf":[
         
      ],
      "lastUserDistinguishedName":null
   },
   "operationalState":"na",
   "osRevision":"Oracle Server release 7.9 5.4.17-2036.102.0.2.el7uek.x86_64",
   "appsVulnerabilityStatus":"not_applicable",
   "groupIp":"129.213.58.x"
}

Disconnects Agent From Network

Disconnects agent from network

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Agent IDJinja-templated agent ID which is to be disconnected from the network. Example: {{agent_id_column}}Required
Time between consecutive API requests (in millis)Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds).Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: Disconnects Agent From Network Data
{
   "locations":null,
   "osStartTime":"2021-01-12T20:40:27Z",
   "rangerVersion":null,
   "cloudProviders":{
      
   },
   "osArch":"64 bit",
   "licenseKey":"",
   "updatedAt":"2021-09-06T16:36:34.926026Z",
   "externalId":"",
   "networkInterfaces":[
      {
         "name":"ens3",
         "gatewayIp":"10.0.0.1",
         "inet6":[
            
         ],
         "gatewayMacAddress":"00:00:17:31:2e:8e",
         "id":"1184207949927894021",
         "inet":[
            "10.0.0.2"
         ],
         "physical":"02:00:17:09:AC:E4"
      },
      {
         "name":"docker0",
         "gatewayIp":null,
         "inet6":[
            
         ],
         "gatewayMacAddress":null,
         "id":"1184207949927894022",
         "inet":[
            "172.17.0.1"
         ],
         "physical":"02:42:2D:5A:F2:4C"
      }
   ],
   "lastActiveDate":"2021-09-06T16:35:30.729725Z",
   "networkStatus":"connecting",
   "locationEnabled":false,
   "lastIpToMgmt":"10.0.0.2",
   "accountName":"SentinelOne",
   "threatRebootRequired":false,
   "scanStartedAt":"2021-06-22T21:30:56.771107Z",
   "domain":"sub01122036110.default.oraclevcn.com",
   "uuid":"8680d9d2-16d3-2915-b736-2b4d2f4d6faf",
   "lastLoggedInUserName":"",
   "networkQuarantineEnabled":false,
   "isUninstalled":false,
   "scanStatus":"finished",
   "userActionsNeeded":[
      
   ],
   "osUsername":"root",
   "cpuCount":1,
   "storageType":null,
   "coreCount":2,
   "isPendingUninstall":false,
   "firewallEnabled":true,
   "accountId":"433241117337583618",
   "mitigationMode":"protect",
   "activeThreats":0,
   "registeredAt":"2021-06-22T21:29:48.386746Z",
   "machineType":"server",
   "groupId":"1184166245199854505",
   "infected":false,
   "modelName":"QEMU Standard PC (i440FX + PIIX, 1996)",
   "consoleMigrationStatus":"N/A",
   "storageName":null,
   "has_error":false,
   "siteName":"LogicHub",
   "id":"1184207949919505412",
   "scanFinishedAt":"2021-06-23T00:03:51.386826Z",
   "error":null,
   "remoteProfilingStateExpiration":null,
   "installerType":".rpm",
   "groupName":"Default Group",
   "encryptedApplications":false,
   "remoteProfilingState":"disabled",
   "osType":"linux",
   "totalMemory":688,
   "externalIp":"129.213.58.77",
   "createdAt":"2021-06-22T21:29:48.389992Z",
   "osName":"Linux",
   "isActive":true,
   "agentVersion":"21.6.3.7",
   "inRemoteShellSession":false,
   "isUpToDate":true,
   "allowRemoteShell":true,
   "cpuId":"AMD EPYC 7551 32-Core Processor",
   "mitigationModeSuspicious":"detect",
   "isDecommissioned":false,
   "siteId":"1184166245183077288",
   "computerName":"instance-20210112-1436",
   "locationType":"not_supported",
   "operationalStateExpiration":null,
   "rangerStatus":"NotApplicable",
   "scanAbortedAt":null,
   "activeDirectory":{
      "computerDistinguishedName":null,
      "lastUserMemberOf":[
         
      ],
      "computerMemberOf":[
         
      ],
      "lastUserDistinguishedName":null
   },
   "operationalState":"na",
   "osRevision":"Oracle Server release 7.9 5.4.17-2036.102.0.2.el7uek.x86_64",
   "appsVulnerabilityStatus":"not_applicable",
   "groupIp":"129.213.58.x"
}

Create Query

Runs a Deep Visibility Query and returns the queryId. You can use the queryId for all other commands, such as the sentinelone-get-events command.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
QueryJinja-templated query used for creating the query. Example: EndpointName exists.Required
From DateJinja-templated from date used for creating the query. Format: %Y-%m-%dT%H:%M:%SZ, Example: 2021-06-22T21:29:48ZRequired
To DateJinja-templated to date used for creating the query. Format: %Y-%m-%dT%H:%M:%SZ, Example: 2021-06-22T21:29:48ZRequired
Time between consecutive API requests (in millis)Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds).Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: Create Query Data
{
   "has_error":false,
   "data":{
      "queryId":"qe4080a5f8088b188b423b9edcc768252"
   },
   "error":null
}

Get Agent

Get agent details by agent ID

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Agent IDJinja-templated agent ID which is to be fetched. Example: {{agent_id_column}}Required
Time between consecutive API requests (in millis)Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds).Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: Get Agent Data
{
   "locations":null,
   "osStartTime":"2021-01-12T20:40:27Z",
   "rangerVersion":null,
   "cloudProviders":{
      
   },
   "osArch":"64 bit",
   "licenseKey":"",
   "updatedAt":"2021-09-06T04:27:29.724745Z",
   "externalId":"",
   "networkInterfaces":[
      {
         "name":"ens3",
         "gatewayIp":"10.0.0.1",
         "inet6":[
            
         ],
         "gatewayMacAddress":"00:00:17:31:2e:8e",
         "id":"1184207949927894021",
         "inet":[
            "10.0.0.2"
         ],
         "physical":"02:00:17:09:AC:E4"
      },
      {
         "name":"docker0",
         "gatewayIp":null,
         "inet6":[
            
         ],
         "gatewayMacAddress":null,
         "id":"1184207949927894022",
         "inet":[
            "172.17.0.1"
         ],
         "physical":"02:42:2D:5A:F2:4C"
      }
   ],
   "lastActiveDate":"2021-09-06T16:32:30.729967Z",
   "networkStatus":"connected",
   "locationEnabled":false,
   "lastIpToMgmt":"10.0.0.2",
   "accountName":"SentinelOne",
   "threatRebootRequired":false,
   "scanStartedAt":"2021-06-22T21:30:56.771107Z",
   "domain":"sub01122036110.default.oraclevcn.com",
   "uuid":"8680d9d2-16d3-2915-b736-2b4d2f4d6faf",
   "lastLoggedInUserName":"",
   "networkQuarantineEnabled":false,
   "isUninstalled":false,
   "scanStatus":"finished",
   "userActionsNeeded":[
      
   ],
   "osUsername":"root",
   "cpuCount":1,
   "storageType":null,
   "coreCount":2,
   "isPendingUninstall":false,
   "firewallEnabled":true,
   "accountId":"433241117337583618",
   "mitigationMode":"protect",
   "activeThreats":0,
   "registeredAt":"2021-06-22T21:29:48.386746Z",
   "machineType":"server",
   "groupId":"1184166245199854505",
   "infected":false,
   "modelName":"QEMU Standard PC (i440FX + PIIX, 1996)",
   "consoleMigrationStatus":"N/A",
   "storageName":null,
   "has_error":false,
   "siteName":"LogicHub",
   "id":"1184207949919505412",
   "scanFinishedAt":"2021-06-23T00:03:51.386826Z",
   "error":null,
   "remoteProfilingStateExpiration":null,
   "installerType":".rpm",
   "groupName":"Default Group",
   "encryptedApplications":false,
   "remoteProfilingState":"disabled",
   "osType":"linux",
   "totalMemory":688,
   "externalIp":"129.213.58.77",
   "createdAt":"2021-06-22T21:29:48.389992Z",
   "osName":"Linux",
   "isActive":true,
   "agentVersion":"21.6.3.7",
   "inRemoteShellSession":false,
   "isUpToDate":true,
   "allowRemoteShell":true,
   "cpuId":"AMD EPYC 7551 32-Core Processor",
   "mitigationModeSuspicious":"detect",
   "isDecommissioned":false,
   "siteId":"1184166245183077288",
   "computerName":"instance-20210112-1436",
   "locationType":"not_supported",
   "operationalStateExpiration":null,
   "rangerStatus":"NotApplicable",
   "scanAbortedAt":null,
   "activeDirectory":{
      "computerDistinguishedName":null,
      "lastUserMemberOf":[
         
      ],
      "computerMemberOf":[
         
      ],
      "lastUserDistinguishedName":null
   },
   "operationalState":"na",
   "osRevision":"Oracle Server release 7.9 5.4.17-2036.102.0.2.el7uek.x86_64",
   "appsVulnerabilityStatus":"not_applicable",
   "groupIp":"129.213.58.x"
}

Get Events

Fetch all deep visibility events that match the query.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Query IDJinja-templated query ID which is to be fetched. Example: {{query_id_column}}Required
LimitLimit for number of events to be fetched. (Default is 100000)Required
Time between consecutive API requests (in millis)Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds).Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: Get Events Data
{
   "has_error":false,
   "noResults":"no results returned",
   "error":null
}

List Agents

List all agents matching the input filter

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Minimum Active ThreatsJinja-templated minimum active threats. Agents with active threats greater than this value will be fetched. Example: {{minimum_active_threats}}Required
Computer NameJinja-templated computer name. Example: {{computer_name_column}}Required
Scan StatusJinja-templated scan status. Example: {{scan_status_column}}Required
OS TypeJinja-templated OS type. Example: {{os_type_column}}Required
Created AtJinja-templated date representing created date of the agent. Format: %Y-%m-%dT%H:%M:%SZ, Example: 2021-06-22T21:29:48ZRequired
Time between consecutive API requests (in millis)Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds).Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: List Agents Data
{
   "locations":null,
   "osStartTime":"2021-01-12T20:40:27Z",
   "rangerVersion":null,
   "cloudProviders":{
      
   },
   "osArch":"64 bit",
   "licenseKey":"",
   "updatedAt":"2021-09-06T04:27:29.724745Z",
   "externalId":"",
   "networkInterfaces":[
      {
         "gatewayIp":"10.0.0.1",
         "gatewayMacAddress":"00:00:17:31:2e:8e",
         "id":"1184207949927894021",
         "inet":[
            "10.0.0.2"
         ],
         "inet6":[
            
         ],
         "name":"ens3",
         "physical":"02:00:17:09:AC:E4"
      },
      {
         "gatewayIp":null,
         "gatewayMacAddress":null,
         "id":"1184207949927894022",
         "inet":[
            "172.17.0.1"
         ],
         "inet6":[
            
         ],
         "name":"docker0",
         "physical":"02:42:2D:5A:F2:4C"
      }
   ],
   "lastActiveDate":"2021-09-06T16:19:00.729942Z",
   "networkStatus":"connected",
   "locationEnabled":false,
   "lastIpToMgmt":"10.0.0.2",
   "accountName":"SentinelOne",
   "threatRebootRequired":false,
   "scanStartedAt":"2021-06-22T21:30:56.771107Z",
   "domain":"sub01122036110.default.oraclevcn.com",
   "uuid":"8680d9d2-16d3-2915-b736-2b4d2f4d6faf",
   "lastLoggedInUserName":"",
   "networkQuarantineEnabled":false,
   "isUninstalled":false,
   "scanStatus":"finished",
   "userActionsNeeded":[
      
   ],
   "osUsername":"root",
   "cpuCount":1,
   "storageType":null,
   "coreCount":2,
   "isPendingUninstall":false,
   "firewallEnabled":true,
   "accountId":"433241117337583618",
   "mitigationMode":"protect",
   "activeThreats":0,
   "registeredAt":"2021-06-22T21:29:48.386746Z",
   "machineType":"server",
   "groupId":"1184166245199854505",
   "infected":false,
   "modelName":"QEMU Standard PC (i440FX + PIIX, 1996)",
   "consoleMigrationStatus":"N/A",
   "storageName":null,
   "has_error":false,
   "siteName":"LogicHub",
   "id":"1184207949919505412",
   "scanFinishedAt":"2021-06-23T00:03:51.386826Z",
   "error":null,
   "remoteProfilingStateExpiration":null,
   "installerType":".rpm",
   "groupName":"Default Group",
   "encryptedApplications":false,
   "remoteProfilingState":"disabled",
   "osType":"linux",
   "totalMemory":688,
   "externalIp":"129.213.58.77",
   "createdAt":"2021-06-22T21:29:48.389992Z",
   "osName":"Linux",
   "isActive":true,
   "agentVersion":"21.6.3.7",
   "inRemoteShellSession":false,
   "isUpToDate":true,
   "allowRemoteShell":true,
   "cpuId":"AMD EPYC 7551 32-Core Processor",
   "mitigationModeSuspicious":"detect",
   "isDecommissioned":false,
   "siteId":"1184166245183077288",
   "computerName":"instance-20210112-1436",
   "locationType":"not_supported",
   "operationalStateExpiration":null,
   "rangerStatus":"NotApplicable",
   "scanAbortedAt":null,
   "activeDirectory":{
      "computerDistinguishedName":null,
      "computerMemberOf":[
         
      ],
      "lastUserDistinguishedName":null,
      "lastUserMemberOf":[
         
      ]
   },
   "operationalState":"na",
   "osRevision":"Oracle Server release 7.9 5.4.17-2036.102.0.2.el7uek.x86_64",
   "appsVulnerabilityStatus":"not_applicable",
   "groupIp":"129.213.58.x"
}

Shutdown Agent

Shutdown agent via filters

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
QueryJinja-templated query for shutting down the agents. Example: {{query_column}}Required
Agent IDsJinja-templated comma separated Agent IDs which are to be shutdown. Example: {{agent_id_column}}Required
Group IDsJinja-templated comma separated Group ID. Example: {{group_id_column}}Required
Time between consecutive API requests (in millis)Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds).Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: Shutdown Agent Data
{
   "locations":null,
   "osStartTime":"2021-01-12T20:40:27Z",
   "rangerVersion":null,
   "cloudProviders":{
      
   },
   "osArch":"64 bit",
   "licenseKey":"",
   "updatedAt":"2021-09-06T16:36:34.926026Z",
   "externalId":"",
   "networkInterfaces":[
      {
         "name":"ens3",
         "gatewayIp":"10.0.0.1",
         "inet6":[
            
         ],
         "gatewayMacAddress":"00:00:17:31:2e:8e",
         "id":"1184207949927894021",
         "inet":[
            "10.0.0.2"
         ],
         "physical":"02:00:17:09:AC:E4"
      },
      {
         "name":"docker0",
         "gatewayIp":null,
         "inet6":[
            
         ],
         "gatewayMacAddress":null,
         "id":"1184207949927894022",
         "inet":[
            "172.17.0.1"
         ],
         "physical":"02:42:2D:5A:F2:4C"
      }
   ],
   "lastActiveDate":"2021-09-06T16:35:30.729725Z",
   "networkStatus":"connecting",
   "locationEnabled":false,
   "lastIpToMgmt":"10.0.0.2",
   "accountName":"SentinelOne",
   "threatRebootRequired":false,
   "scanStartedAt":"2021-06-22T21:30:56.771107Z",
   "domain":"sub01122036110.default.oraclevcn.com",
   "uuid":"8680d9d2-16d3-2915-b736-2b4d2f4d6faf",
   "lastLoggedInUserName":"",
   "networkQuarantineEnabled":false,
   "isUninstalled":false,
   "scanStatus":"finished",
   "userActionsNeeded":[
      
   ],
   "osUsername":"root",
   "cpuCount":1,
   "storageType":null,
   "coreCount":2,
   "isPendingUninstall":false,
   "firewallEnabled":true,
   "accountId":"433241117337583618",
   "mitigationMode":"protect",
   "activeThreats":0,
   "registeredAt":"2021-06-22T21:29:48.386746Z",
   "machineType":"server",
   "groupId":"1184166245199854505",
   "infected":false,
   "modelName":"QEMU Standard PC (i440FX + PIIX, 1996)",
   "consoleMigrationStatus":"N/A",
   "storageName":null,
   "has_error":false,
   "siteName":"LogicHub",
   "id":"1184207949919505412",
   "scanFinishedAt":"2021-06-23T00:03:51.386826Z",
   "error":null,
   "remoteProfilingStateExpiration":null,
   "installerType":".rpm",
   "groupName":"Default Group",
   "encryptedApplications":false,
   "remoteProfilingState":"disabled",
   "osType":"linux",
   "totalMemory":688,
   "externalIp":"129.213.58.77",
   "createdAt":"2021-06-22T21:29:48.389992Z",
   "osName":"Linux",
   "isActive":true,
   "agentVersion":"21.6.3.7",
   "inRemoteShellSession":false,
   "isUpToDate":true,
   "allowRemoteShell":true,
   "cpuId":"AMD EPYC 7551 32-Core Processor",
   "mitigationModeSuspicious":"detect",
   "isDecommissioned":false,
   "siteId":"1184166245183077288",
   "computerName":"instance-20210112-1436",
   "locationType":"not_supported",
   "operationalStateExpiration":null,
   "rangerStatus":"NotApplicable",
   "scanAbortedAt":null,
   "activeDirectory":{
      "computerDistinguishedName":null,
      "lastUserMemberOf":[
         
      ],
      "computerMemberOf":[
         
      ],
      "lastUserDistinguishedName":null
   },
   "operationalState":"na",
   "osRevision":"Oracle Server release 7.9 5.4.17-2036.102.0.2.el7uek.x86_64",
   "appsVulnerabilityStatus":"not_applicable",
   "groupIp":"129.213.58.x"
}

Dashboard Threat Summary

Dashboard threat summary for sites and groups

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Site IDsJinja-templated comma separated site IDs for which threat summary needs to be pulled. Example: {{site_id_column}}Required
Group IDsJinja-templated comma separated group IDs. Example: {{group_id_column}}Required
Time between consecutive API requests (in millis)Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds).Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: Dashboard Threat Summary Data
{
   "has_error":false,
   "data":{
      "notResolved":0,
      "resolved":0,
      "suspiciousNotMitigatedNotResolved":0,
      "suspiciousNotResolved":0,
      "notMitigatedNotResolved":0,
      "inProgress":0,
      "total":0,
      "maliciousNotResolved":0,
      "notMitigated":0
   },
   "error":null
}

Get Activities

Get the activities, and their data, that match the filters.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
ParamsJinja-templated JSON containing the params for the sentinel one API.Optional
LimitLimit for number of events to be fetched. (Default is 100000)Optional

Output

JSON containing the following items:

{
   "accountId":"234523452345",
   "accountName":"SOME COMPANY",
   "activityType":3456,
   "activityUuid":"3aasdfasdf-asdf-4709-asdf-c12341234",
   "agentId":"1212341234653467471242",
   "agentUpdatedVersion":null,
   "comments":null,
   "createdAt":"2022-06-12T07:53:35.342143Z",
   "data":{
      "accountName":"SOME COMPANY",
      "agentipv4":"192.168.1.1",
      "alertid":1234534635156700,
      "detectedat":1655020403994,
      "dnsrequest":"",
      "dnsresponse":"",
      "dstip":"",
      "dstport":0,
      "dveventid":"",
      "dveventtype":"PROCESSCREATION",
      "externalip":"1.16.5.19",
      "fullScopeDetails":"Group Default group in Site Default site of Account SOME COMPANY",
      "fullScopeDetailsPath":"Global / Default site / Default group",
      "groupName":"Default group",
      "indicatorcategory":"",
      "indicatordescription":"",
      "indicatorname":"",
      "k8sclustername":"",
      "k8scontainerid":"",
      "k8scontainerimage":"",
      "k8scontainerlabels":"",
      "k8scontainername":"",
      "k8scontrollerkind":"",
      "k8scontrollerlabels":"",
      "k8scontrollername":"",
      "k8snamespace":"",
      "k8snamespacelabels":"",
      "k8snode":"",
      "k8spod":"",
      "k8spodlabels":"",
      "loginaccountdomain":"",
      "loginaccountsid":"",
      "loginisadministratorequivalent":"",
      "loginissuccessful":"",
      "loginsusername":"",
      "logintype":"",
      "modulepath":"",
      "modulesha1":"",
      "neteventdirection":"",
      "origagentmachinetype":"laptop",
      "origagentname":"DFGH-123",
      "origagentosfamily":"windows",
      "origagentosname":"Windows 10 Pro",
      "origagentosrevision":"19044",
      "origagentsiteid":"92345234523452345",
      "origagentuuid":"7f23f524d5s2f52345d1fds5xe11fb",
      "origagentversion":"1.7.5.80",
      "physical":"f1:12:01:5r:5h:d9",
      "registrykeypath":"",
      "registryoldvalue":"",
      "registryoldvaluetype":"",
      "registrypath":"",
      "registryvalue":"",
      "ruledescription":"Rule to monitor new process creation where proc name contains AnyDesk.",
      "ruleid":23452345345,
      "rulename":"block-somesoft",
      "rulescopeid":9234523456324515400,
      "rulescopelevel":"E_TENANT",
      "scopeId":951234512451345,
      "scopeLevel":"Group",
      "scopeName":"Default group",
      "severity":"E_LOW",
      "siteName":"Default site",
      "sourcename":"STAR",
      "sourceparentprocesscommandline":"wininit.exe",
      "sourceparentprocessintegritylevel":"system",
      "sourceparentprocesskey":"4BADB78887DE5F2F",
      "userName":"RANDOM name",
      "some more fields here": "asdfasdf"
   },
   "description":null,
   "error":null,
   "groupId":"9123412354567567",
   "groupName":"Default group",
   "has_error":false,
   "hash":null,
   "id":"3457478654763456595",
   "osFamily":null,
   "primaryDescription":"Alert created for services.exe",
   "secondaryDescription":"d7a345y3t4t243r2r2345twas4t51de54",
   "siteId":"9523456467534234583",
   "siteName":"Default site",
   "threatId":null,
   "updatedAt":"2022-06-12T07:53:35.339591Z",
   "userId":"134567456472345234511"
}

Disconnect From Network

Use this action to isolate (quarantine) endpoints from the network, if the endpoints match the filter.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
ParamsJinja-templated JSON containing the params for the sentinel one API.Optional
BodyJinja-templated JSON containing the body for the sentinel one API.Optional

Output

JSON containing the following items:

{
   "has_error":true,
   "error_response":{
      "errors":[
         {
            "code":4030010,
            "detail":null,
            "title":"Insufficient permissions"
         }
      ]
   },
   "error":"An error occurred: 403 Client Error: FORBIDDEN for url: https://test.sentinelone.net/web/api/v2.1/agents/actions/disconnect"
}

Release Notes

  • v2.1.1 - Added 2 new actions: Get Activities and Disconnect From Network
  • v2.0.0 - Updated architecture to support IO via filesystem
  • v1.1.1 - Added documentation link in the automation library.

© Devo Technology Inc. All Rights Reserved.