SentinelOne V2

Use the SentinelOne integration to send requests to your management server and get responses with data pulled from agents or from the management database.

Endpoint · SentinelOne

Configuration parameters

  • url — Server URL (e.g., https://usea1.sentinelone.net) (required)
  • credentials
  • api_version — API Version (required)
  • isFetch — Fetch incidents
  • incidentType — Incident type
  • fetch_type — Fetch incidents from type
  • fetch_uam_alert_type — Fetch incidents from UAM Alert type
  • fetch_time — First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year)
  • fetch_threat_rank — Minimum risk score for importing incidents (0-10), where 0 is low risk and 10 is high risk. Relevant for API version 2.0.
  • fetch_severity — Defines Alert severity to fetch.
  • fetch_incidentStatus — Define which Alerts should be fetched.
  • fetch_threat_incident_statuses — Define which Threats should be fetched.
  • fetch_limit — Fetch limit: The maximum number of threats or alerts to fetch
  • fetch_site_ids — Site IDs
  • block_site_ids — Block Site IDs
  • insecure — Trust any certificate (not secure)
  • proxy — Use system proxy settings
  • token — API Token (Deprecated)
  • incidentFetchInterval — Incidents Fetch Interval
  • mirror_direction — Incident Mirroring Direction
  • close_xsoar_incident — Close Mirrored XSOAR Incident

Commands (76)

  • get-mapping-fields

    Returns the list of fields for an incident type.

  • get-modified-remote-data

    Gets the list of incidents that were modified since the last update time. Note that this method is here for debugging purposes. The get-modified-remote-data command is used as part of a Mirroring feature, which is available from version 6.1.

  • get-remote-data

    Get remote data from a remote incident. This method does not update the current incident, and should be used for debugging purposes.

  • sentinelone-abort-endpoint-scan

    Abort the endpoint virus scan on provided agent IDs.

  • sentinelone-add-hash-to-blocklist

    Add a hash to the blocklist in SentinelOne. Supports scoping by site, group, or account. If Scope not provided, the block will be global.

  • sentinelone-agent-processes Deprecated

    Deprecated. Retrieves running processes for a specific agent.

  • sentinelone-broadcast-message

    Broadcasts a message to all agents that match the input filters.

  • sentinelone-connect-agent

    Connects agents to the network.

  • sentinelone-create-bulk-ioc

    Add bulk list of IoCs to the Threat Intelligence database. Relevant for API version 2.1.

  • sentinelone-create-ioc

    Add an IoC to the Threat Intelligence database. Relevant for API version 2.1.

  • sentinelone-create-power-query Deprecated

    Deprecated. Use ***sentinelone-get-power-query-results*** instead. Start a Deep Visibility Power query to get back status and potential results (ping afterwards using the queryId if query has not finished). Relevant for API version 2.1.

  • sentinelone-create-query

    Runs a Deep Visibility query and returns the queryId. You can use the queryId for all other commands, such as the sentinelone-get-events command.

  • sentinelone-create-star-rule

    Creates a custom STAR rule. Relevant for API version 2.1.

  • sentinelone-create-white-list-item

    Creates an exclusion item that matches the specified input filter.

  • sentinelone-delete-group

    Deletes a group, by the group ID.

  • sentinelone-delete-ioc

    Delete an IOC from the Threat Intelligence database that matches a filter. Relevant for API version 2.1.

  • sentinelone-delete-star-rule

    Deletes Custom Detection Rules that match the specified input filter. Relevant for API version 2.1.

  • sentinelone-disable-star-rules

    Disable Custom Detection rules that match the specified input filter. Relevant for API version 2.1.

  • sentinelone-disconnect-agent

    Disconnects agents from the network.

  • sentinelone-download-fetched-file

    Download a file fetched using th sentinelone-fetch-file command to submit the request and the sentinelone-get-activities command to get the download path.

  • sentinelone-enable-star-rules

    Activate Custom Detection rules that match the specified input filter. Relevant for API version 2.1.

  • sentinelone-endpoint-fetch-logs

    Get the Agent and Endpoint logs from Agents for provided agent IDs.

  • sentinelone-expire-site

    Expire the site of the given ID.

  • sentinelone-fetch-file

    Invokes a fetch files command against an agent endpoint.

  • sentinelone-fetch-threat-file

    Fetch a file associated with the threat that matches the filter.

  • sentinelone-get-accounts

    Returns details of accounts.

  • sentinelone-get-activities

    Returns a list of activities.

  • sentinelone-get-agent

    Returns the details of an agent according to the agent ID.

  • sentinelone-get-agent-mac

    Returns network interface details for a given Agent ID. This includes MAC address details and interface description.

  • sentinelone-get-alerts

    Get the list of alerts that matches the filter provided. Relevant for API version 2.1.

  • sentinelone-get-blocklist

    Retrieve the blocklist ("blacklist" in SentinelOne). You can filter by SHA1 or SHA256 hash. If the `global` flag is `true`, then group_ids, site_ids, and account_ids are ignored.

  • sentinelone-get-dv-query-status

    Returns status of a Deep Visibility Query.

  • sentinelone-get-events

    Returns all Deep Visibility events that match the query.

  • sentinelone-get-groups

    Returns data for the specified group.

  • sentinelone-get-hash

    Gets the file reputation by a SHA1 hash.

  • sentinelone-get-installed-applications

    Get the installed applications for a specific agent.

  • sentinelone-get-iocs

    Get the IOCs of a specified account that match the filter. Relevant for API version 2.1.

  • sentinelone-get-power-query-results

    Automate a power query and return the query results. (The maximum timeout of 300 seconds is allowed.)

  • sentinelone-get-processes

    Returns a list of Deep Visibility events from query by event type - process.

  • sentinelone-get-remote-script-task-results

    Get a script's result download URL.

  • sentinelone-get-remote-script-task-status

    Get remote scripts tasks using a variety of filters.

  • sentinelone-get-service-users

    Returns all service users that match the specified filter values.

  • sentinelone-get-site

    Returns information about the site, according to the site ID.

  • sentinelone-get-sites

    Returns all sites that match the specified criteria.

  • sentinelone-get-star-rules

    Get a list of custom detection rules for a given scope. Relevant for API version 2.1.

  • sentinelone-get-threat-notes

    Returns threat notes.

  • sentinelone-get-threats

    Returns threats according to the specified filters.

  • sentinelone-get-white-list

    Lists all exclusion items that match the specified input filter.

  • sentinelone-initiate-endpoint-scan

    Initiate the endpoint virus scan on provided agent IDs.

  • sentinelone-list-agents

    Returns all agents that match the specified criteria.

  • sentinelone-list-installed-singularity-marketplace-applications

    Returns all installed singularity marketplace applications that match the specified filter values.

  • sentinelone-mark-as-threat

    Marks suspicious threats as threats. Can only be used with API V2.0.

  • sentinelone-mitigate-threat

    Applies a mitigation action to a group of threats that match the specified input filter.

  • sentinelone-move-agent

    Moves agents to a new group.

  • sentinelone-ping-power-query Deprecated

    Deprecated. Use ***sentinelone-get-power-query-results*** instead. Ping a Deep Visibility Power query using the queryId argument if results have not returned from an initial Power query or a previous ping. Relevant for API version 2.1.

  • sentinelone-reactivate-site

    Reactivates an expired site.

  • sentinelone-remote-script-automate-results

    Automate a remote script's execution cycle and return the script's results.

  • sentinelone-remove-hash-from-blocklist

    Remove a hash from the global blocklist in SentinelOne.

  • sentinelone-remove-item-from-whitelist

    Remove an item from the SentinelOne exclusion list.

  • sentinelone-resolve-threat

    Resolves threats using the threat ID. Can only be used with API V2.0.

  • sentinelone-run-powerquery

    Run a PowerQuery, where you can pipe one or many search expressions into a set of commands to transform, manipulate, group, and summarize your data.

  • sentinelone-run-remote-script

    Run a remote script that was uploaded to the SentinelOne Script Library.

  • sentinelone-shutdown-agent

    Sends a shutdown command to all agents that match the input filter.

  • sentinelone-threat-analysis

    Returns threat analysis. Can only be used with API V2.1.

  • sentinelone-threat-download-from-cloud

    Download a file associated with the threat from the Cloud (BinaryVault).

  • sentinelone-threat-summary

    Returns a dashboard threat summary. Can only be used with API V2.1.

  • sentinelone-uninstall-agent

    Sends an uninstall command to all agents that match the input filter.

  • sentinelone-update-alerts-status

    Updates the incident status to a group of alerts that match the specified input filter. Relevant for API version 2.1.

  • sentinelone-update-alerts-verdict

    Updates the analyst verdict to a group of alerts that match the specified input filter. Relevant for API version 2.1.

  • sentinelone-update-star-rule

    Updates a custom STAR rule. Relevant for API version 2.1.

  • sentinelone-update-threats-status

    Updates the incident status to a group of threats that match the specified input filter. Relevant for API version 2.1.

  • sentinelone-update-threats-verdict

    Updates the analyst verdict to a group of threats that match the specified input filter. Relevant for API version 2.1.

  • sentinelone-update-uam-alert-status

    Updates the status for a group of UAM alerts. Relevant for API version 2.1.

  • sentinelone-update-uam-alert-verdict

    Updates the analyst verdict for a group of UAM alerts. Relevant for API version 2.1.

  • sentinelone-write-threat-note

    Add a threat note to one or more threats. Relevant for API version 2.1.

  • update-remote-system

    Pushes local changes to the remote system.