SentinelOne V2
Use the SentinelOne integration to send requests to your management server and get responses with data pulled from agents or from the management database.
Endpoint · SentinelOne
Configuration parameters
url— Server URL (e.g., https://usea1.sentinelone.net) (required)credentials—api_version— API Version (required)isFetch— Fetch incidentsincidentType— Incident typefetch_type— Fetch incidents from typefetch_uam_alert_type— Fetch incidents from UAM Alert typefetch_time— First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year)fetch_threat_rank— Minimum risk score for importing incidents (0-10), where 0 is low risk and 10 is high risk. Relevant for API version 2.0.fetch_severity— Defines Alert severity to fetch.fetch_incidentStatus— Define which Alerts should be fetched.fetch_threat_incident_statuses— Define which Threats should be fetched.fetch_limit— Fetch limit: The maximum number of threats or alerts to fetchfetch_site_ids— Site IDsblock_site_ids— Block Site IDsinsecure— Trust any certificate (not secure)proxy— Use system proxy settingstoken— API Token (Deprecated)incidentFetchInterval— Incidents Fetch Intervalmirror_direction— Incident Mirroring Directionclose_xsoar_incident— Close Mirrored XSOAR Incident
Commands (76)
-
get-mapping-fieldsReturns the list of fields for an incident type.
-
get-modified-remote-dataGets the list of incidents that were modified since the last update time. Note that this method is here for debugging purposes. The get-modified-remote-data command is used as part of a Mirroring feature, which is available from version 6.1.
-
get-remote-dataGet remote data from a remote incident. This method does not update the current incident, and should be used for debugging purposes.
-
sentinelone-abort-endpoint-scanAbort the endpoint virus scan on provided agent IDs.
-
sentinelone-add-hash-to-blocklistAdd a hash to the blocklist in SentinelOne. Supports scoping by site, group, or account. If Scope not provided, the block will be global.
-
sentinelone-agent-processesDeprecatedDeprecated. Retrieves running processes for a specific agent.
-
sentinelone-broadcast-messageBroadcasts a message to all agents that match the input filters.
-
sentinelone-connect-agentConnects agents to the network.
-
sentinelone-create-bulk-iocAdd bulk list of IoCs to the Threat Intelligence database. Relevant for API version 2.1.
-
sentinelone-create-iocAdd an IoC to the Threat Intelligence database. Relevant for API version 2.1.
-
sentinelone-create-power-queryDeprecatedDeprecated. Use ***sentinelone-get-power-query-results*** instead. Start a Deep Visibility Power query to get back status and potential results (ping afterwards using the queryId if query has not finished). Relevant for API version 2.1.
-
sentinelone-create-queryRuns a Deep Visibility query and returns the queryId. You can use the queryId for all other commands, such as the sentinelone-get-events command.
-
sentinelone-create-star-ruleCreates a custom STAR rule. Relevant for API version 2.1.
-
sentinelone-create-white-list-itemCreates an exclusion item that matches the specified input filter.
-
sentinelone-delete-groupDeletes a group, by the group ID.
-
sentinelone-delete-iocDelete an IOC from the Threat Intelligence database that matches a filter. Relevant for API version 2.1.
-
sentinelone-delete-star-ruleDeletes Custom Detection Rules that match the specified input filter. Relevant for API version 2.1.
-
sentinelone-disable-star-rulesDisable Custom Detection rules that match the specified input filter. Relevant for API version 2.1.
-
sentinelone-disconnect-agentDisconnects agents from the network.
-
sentinelone-download-fetched-fileDownload a file fetched using th sentinelone-fetch-file command to submit the request and the sentinelone-get-activities command to get the download path.
-
sentinelone-enable-star-rulesActivate Custom Detection rules that match the specified input filter. Relevant for API version 2.1.
-
sentinelone-endpoint-fetch-logsGet the Agent and Endpoint logs from Agents for provided agent IDs.
-
sentinelone-expire-siteExpire the site of the given ID.
-
sentinelone-fetch-fileInvokes a fetch files command against an agent endpoint.
-
sentinelone-fetch-threat-fileFetch a file associated with the threat that matches the filter.
-
sentinelone-get-accountsReturns details of accounts.
-
sentinelone-get-activitiesReturns a list of activities.
-
sentinelone-get-agentReturns the details of an agent according to the agent ID.
-
sentinelone-get-agent-macReturns network interface details for a given Agent ID. This includes MAC address details and interface description.
-
sentinelone-get-alertsGet the list of alerts that matches the filter provided. Relevant for API version 2.1.
-
sentinelone-get-blocklistRetrieve the blocklist ("blacklist" in SentinelOne). You can filter by SHA1 or SHA256 hash. If the `global` flag is `true`, then group_ids, site_ids, and account_ids are ignored.
-
sentinelone-get-dv-query-statusReturns status of a Deep Visibility Query.
-
sentinelone-get-eventsReturns all Deep Visibility events that match the query.
-
sentinelone-get-groupsReturns data for the specified group.
-
sentinelone-get-hashGets the file reputation by a SHA1 hash.
-
sentinelone-get-installed-applicationsGet the installed applications for a specific agent.
-
sentinelone-get-iocsGet the IOCs of a specified account that match the filter. Relevant for API version 2.1.
-
sentinelone-get-power-query-resultsAutomate a power query and return the query results. (The maximum timeout of 300 seconds is allowed.)
-
sentinelone-get-processesReturns a list of Deep Visibility events from query by event type - process.
-
sentinelone-get-remote-script-task-resultsGet a script's result download URL.
-
sentinelone-get-remote-script-task-statusGet remote scripts tasks using a variety of filters.
-
sentinelone-get-service-usersReturns all service users that match the specified filter values.
-
sentinelone-get-siteReturns information about the site, according to the site ID.
-
sentinelone-get-sitesReturns all sites that match the specified criteria.
-
sentinelone-get-star-rulesGet a list of custom detection rules for a given scope. Relevant for API version 2.1.
-
sentinelone-get-threat-notesReturns threat notes.
-
sentinelone-get-threatsReturns threats according to the specified filters.
-
sentinelone-get-white-listLists all exclusion items that match the specified input filter.
-
sentinelone-initiate-endpoint-scanInitiate the endpoint virus scan on provided agent IDs.
-
sentinelone-list-agentsReturns all agents that match the specified criteria.
-
sentinelone-list-installed-singularity-marketplace-applicationsReturns all installed singularity marketplace applications that match the specified filter values.
-
sentinelone-mark-as-threatMarks suspicious threats as threats. Can only be used with API V2.0.
-
sentinelone-mitigate-threatApplies a mitigation action to a group of threats that match the specified input filter.
-
sentinelone-move-agentMoves agents to a new group.
-
sentinelone-ping-power-queryDeprecatedDeprecated. Use ***sentinelone-get-power-query-results*** instead. Ping a Deep Visibility Power query using the queryId argument if results have not returned from an initial Power query or a previous ping. Relevant for API version 2.1.
-
sentinelone-reactivate-siteReactivates an expired site.
-
sentinelone-remote-script-automate-resultsAutomate a remote script's execution cycle and return the script's results.
-
sentinelone-remove-hash-from-blocklistRemove a hash from the global blocklist in SentinelOne.
-
sentinelone-remove-item-from-whitelistRemove an item from the SentinelOne exclusion list.
-
sentinelone-resolve-threatResolves threats using the threat ID. Can only be used with API V2.0.
-
sentinelone-run-powerqueryRun a PowerQuery, where you can pipe one or many search expressions into a set of commands to transform, manipulate, group, and summarize your data.
-
sentinelone-run-remote-scriptRun a remote script that was uploaded to the SentinelOne Script Library.
-
sentinelone-shutdown-agentSends a shutdown command to all agents that match the input filter.
-
sentinelone-threat-analysisReturns threat analysis. Can only be used with API V2.1.
-
sentinelone-threat-download-from-cloudDownload a file associated with the threat from the Cloud (BinaryVault).
-
sentinelone-threat-summaryReturns a dashboard threat summary. Can only be used with API V2.1.
-
sentinelone-uninstall-agentSends an uninstall command to all agents that match the input filter.
-
sentinelone-update-alerts-statusUpdates the incident status to a group of alerts that match the specified input filter. Relevant for API version 2.1.
-
sentinelone-update-alerts-verdictUpdates the analyst verdict to a group of alerts that match the specified input filter. Relevant for API version 2.1.
-
sentinelone-update-star-ruleUpdates a custom STAR rule. Relevant for API version 2.1.
-
sentinelone-update-threats-statusUpdates the incident status to a group of threats that match the specified input filter. Relevant for API version 2.1.
-
sentinelone-update-threats-verdictUpdates the analyst verdict to a group of threats that match the specified input filter. Relevant for API version 2.1.
-
sentinelone-update-uam-alert-statusUpdates the status for a group of UAM alerts. Relevant for API version 2.1.
-
sentinelone-update-uam-alert-verdictUpdates the analyst verdict for a group of UAM alerts. Relevant for API version 2.1.
-
sentinelone-write-threat-noteAdd a threat note to one or more threats. Relevant for API version 2.1.
-
update-remote-systemPushes local changes to the remote system.