SentinelOne
App Vendor: SentinelOne
App Category: Endpoint Security
App Version in Orchestrate: 2.4.0
API version: V2.1
About App
The SentinelOne app allows security teams to integrate with the SentinelOne enterprise application for computer network endpoint security by managing sites, threats, blacklist items, and hash. The app offers next-generation network endpoint security by sharing deep insights with AI and human-enriched intel that helps analysts detect patterns, and possible next moves, and block potential attacks.
The SentinelOne app in the Orchestrate application performs the following actions:
Action Name | Description |
|---|---|
Quarantine machine | This action quarantines a machine from the rest of the network. |
Add note to incident | This action adds threat-related notes to an incident. |
Threat mitigation | This action mitigates threats using threat IDs and corrective actions. |
Update threat analyst verdict | This action updates the threat analyst verdict to understand if the threat is real, false, suspicious, or undefined. |
Add exclusions | This action adds exclusions to an incident with specific exclusion details, threat IDs, and target scope. |
Update incident | This action updates the status and details of an incident. |
Get site details | This action retrieves the details of a site using the site ID. |
Get a list of sites | This action retrieves a list of sites using the query parameters. |
Update blacklist | This action updates details of the blacklist item using the blacklist item ID, OS type, and other update fields. |
Create a blacklist item | This action creates a blacklist item using sha1 hash, OS type, mode, and other additional parameters. |
Get a list of blacklist items | This action retrieves a list of blacklisted items using the query parameters. |
Get threat files | This action fetches the threat files using threat IDs and file passwords. |
Add hash to blacklist | This action adds the sha1 hash in the blacklist for deep visibility using the sha1 hash, target scope, and other additional filters. |
Get user details | This action retrieves the details of a user using the user ID. |
Get a list of users | This action retrieves a list of all users using the query parameters. |
Get a list of threat events | This action retrieves the threat events using the threat ID and other query parameters. |
Get threat analysis details | This action retrieves details about the threat analysis using the threat ID. |
Get a list of all threats | This action fetches a list of all the threats using the query parameters. |
Get a list of agent processes | This action retrieves a list of agent processes using agent IDs. |
Get a list of reports | This action retrieves a list of reports using the query parameters. |
Get hash reputation | This action retrieves the hash reputation using the hash value. |
Get a list of agents | This action fetches a list of agents using the query parameters. |
Get a list of activities | This action fetches a list of activities using the query parameters. |
Get activity types | This action fetches details about the activity types. |
Get account details | This action retrieves details of an account using the account ID. |
Get a list of accounts | This action fetches a list of accounts using the query parameters. |
Get Script Results | This action retrieves script results URLs. |
Get Script Task Status | This action retrieves the status of the remote script tasks using a variety of filters. |
List Remote Scripts | This action retrieves data of the scripts in the SentinelOne Script Library. |
Run Remote Script | This action runs a remote script uploaded to the SentinelOne Script Library. |
Get Query Status | This action retrieves the status of a deep visibility query. |
Get Process Details | This action retrieves the details of all deep visibility processes from a query ID. |
Get Event by Type | This action retrieves a list of events of a specific type. |
Get Query Events | This action retrieves a list of query events. |
Create Power Query | This action creates a power query. |
Generic Action | This is a generic action to perform any additional use case that you want on SentinelOne. |
Get Alerts | This action retrieves a list of alerts. |
Update Alert Analyst Verdict | This action updates the verdict of an alert. |
Create Query | This action creates a query. |
Get Dashboard Overview Details (Deprecated) | This action retrieves the dashboard overview details as a report using query parameters. |
Get Threat Process Event Details (To be deleted) | This action retrieves the details of a threat process event using threat ID, event ID, and query parameters. |
Configuration Parameters
The following configuration parameters are required for the SentinelOne app to communicate with the SentinelOne enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Base URL | Enter the base URL of the SentinelOne management console. Example: your-subdomain.sentinelone.net | Text | Required | |
SSL/TLS Verify | Select whether or not to use the SSL verification. | Text | Optional | Default value: False |
API token | Enter the API token for accessing the SentinelOne management console REST API. | Password | Required | |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with the SentinelOne. | Integer | Optional | Allowed values: 15-120 seconds Default value: 15 seconds |
Action: Quarantine machine
This action quarantines a machine from the rest of the network based on a rule category and threat IDs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Rule Category | Enter the rule category. Example: possible threats | Text | Required | |
Threat IDs | Enter the threat IDs in a comma separated list. Example: ["1234999", "23456888"] | List | Required | |
Tag IDs | Enter the list of tag ids. Example: [tag1,tag2] | List | Required | |
Extra Filters | Enter any additional filters as key-value pairs to quarantine a machine. | Key Value | Optional | Allowed values: 'createdAt__between', 'locationIds', 'enum', 'createdAt__lte', 'accountIds', 'name__contains', 'createdAt__gt', 'createdAt__lt', 'application__contains', 'minLength', 'directions', 'query', 'actions', 'protocols', 'description', 'groupIds', 'createdAt__gte', 'osTypes', 'protocol__contains', 'applications', 'service__contains', 'siteIds', 'minimum', 'tenant', 'name', 'scopes', 'statuses', 'tagName__contains'], 'tag_ids' |
Example Request
[
{
"threat_ids": "1194559565660255827",
"tag_ids": "tag1256",
"rule_category": "possiblethreats"
"extra_filters": {
“groupIds”: “group123”
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Response data from SentinelOne. |
| Integer | Number of machines affected by the requested operation. |
| Array | Errors received from SentinelOne. |
| String | HTTP status code of the API request received from the app instance. For more information, see List of HTTP status codes. |
Action: Add Note to Incident
This action adds threat-related notes to an incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Comment | Enter the threat related notes as a comment. Example: "Can be ignored" | Text | Required | |
Threat IDs | Enter the threat IDs in a comma separated list. Example: {"1234999", "23456888"} | Text | Required | |
Extra Filters | Enter any additional filters as key-value pairs. | Key Value | Optional | Allowed values: 'createdAt__lte', 'analystVerdictsNin', 'classifications', 'k8sClusterName__contains', 'mitigatedPreemptively', 'createdAt__gt', 'osNamesNin', 'computerName__contains', 'incidentStatuses', 'uuid__contains', 'filePath__contains', 'updatedAt__gt', 'groupIds', 'updatedAt__gte', 'accountIds', 'k8sNodeName__contains', 'noteExists', 'incidentStatusesNin', 'detectionEngines', 'contentHashes', 'collectionIds', 'k8sPodLabels__contains', 'description', 'classificationSources', 'mitigationStatuses', 'storyline__contains', 'resolved', 'classificationsNin', 'osNames', 'createdAt__gte', 'limit', 'failedActions', 'updatedAt__lt', 'minimum', 'detectionAgentVersion__contains', 'createdAt__lt', 'k8sControllerLabels__contains', 'containerName__contains', 'initiatedBy', 'osArchs', 'engines', 'containerImageName__contains', 'updatedAt__lte', 'agentMachineTypesNin', 'agentIsActive', 'pendingActions', 'commandLineArguments__contains', 'siteIds', 'enginesNin', 'initiatedByUsername__contains', 'countsFor', 'storylines', 'detectionAgentDomain__contains', 'contentHash__contains', 'containerLabels__contains', 'confidenceLevels', 'mitigationStatusesNin', 'rebootRequired', 'externalTicketId__contains', 'k8sControllerName__contains', 'agentVersionsNin', 'threatDetails__contains', 'agentVersions', 'displayName', 'k8sNamespaceName__contains', 'type', 'minLength', 'agentMachineTypes', 'k8sPodName__contains', 'detectionEnginesNin', 'query', 'externalTicketExists', 'analystVerdicts', 'osTypes', 'externalTicketIds', 'k8sNamespaceLabels__contains', 'agentIds', 'confidenceLevelsNin', 'tenant', 'originatedProcess__contains', 'classificationSourcesNin', 'initiatedByNin', 'osTypesNin', 'realtimeAgentVersion__contains', 'publisherName__contains' |
Example Request
[
{
"comment": "Can be ignored",
"threat_ids": "1194559565660255827"
"extra_params": {
“mitigationStatuses”: “mitigated”
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Response data |
| Integer | Number of entities affected by the requested operation |
| Array | Errors |
Action: Threat mitigation
This action mitigates threats using threat IDs and corrective actions.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Threat IDs | Enter the threat IDs in a comma separated list. Example: {"1234999", "23456888"} | Text | Required | |
Action | Enter the corrective action. Example:
| Text | Required | |
Extra Filters | Enter any additional filters as key-value pairs to mitigate threats. | Key Value | Optional | Allowed values: 'externalTicketId__contains', 'externalTicketExists', 'agentVersionsNin', 'osTypesNin', 'k8sControllerLabels__contains', 'classificationsNin', 'threatDetails__contains', 'osNamesNin', 'siteIds', 'limit', 'classificationSources', 'externalTicketIds', 'engines', 'mitigationStatuses', 'originatedProcess__contains', 'incidentStatusesNin', 'storylines', 'agentIds', 'analystVerdictsNin', 'osArchs', 'failedActions', 'k8sNodeName__contains', 'displayName', 'k8sClusterName__contains', 'pendingActions', 'createdAt__lt', 'containerName__contains', 'groupIds',, 'agentIsActive', 'description', 'mitigatedPreemptively', 'storyline__contains', 'confidenceLevelsNin', 'classificationSourcesNin', 'updatedAt__lte', 'query', 'containerLabels__contains', 'analystVerdicts', 'detectionAgentVersion__contains', 'noteExists', 'enginesNin', 'detectionAgentDomain__contains', 'tenant', 'k8sPodLabels__contains', 'commandLineArguments__contains', 'createdAt__gt', 'contentHash__contains', 'minimum', 'agentMachineTypes', 'filePath__contains', 'initiatedByNin', 'accountIds', 'agentMachineTypesNin', 'publisherName__contains', 'initiatedBy', 'updatedAt__gt', 'mitigationStatusesNin', 'k8sControllerName__contains', 'containerImageName__contains', 'initiatedByUsername__contains', 'k8sNamespaceLabels__contains', 'minLength', 'osNames', 'updatedAt__gte', 'detectionEnginesNin', 'classifications', 'incidentStatuses', 'agentVersions', 'detectionEngines', 'k8sPodName__contains', 'resolved', 'confidenceLevels', 'createdAt__lte', 'osTypes', 'contentHashes', 'collectionIds', 'updatedAt__lt', 'uuid__contains', 'createdAt__gte', 'rebootRequired', 'countsFor', 'k8sNamespaceName__contains', 'computerName__contains', 'realtimeAgentVersion__contains' |
Example Request
[
{
"action": "remediate",
"threat_ids": "1194559565660255827",
"extra_filters": {
“mitigationStatuses”: “mitigated”
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Response data |
| Integer | Number of entities affected by the requested operation |
| Array | Single threat mitigation information |
| Array | List of latest mitigation reports created by the action trigger. |
| Boolean | Agent could not find the threat |
| String | Report download URL. If None, there is no report |
| String | The time the Agent started the mitigation |
| Enum | Action |
| String | The time the Agent finished the mitigation |
| Object | Actions counters |
| Integer | Total |
| Integer | Success |
| Integer | Not found |
| Integer | Failed |
| Integer | Pending reboot |
| Enum | Status |
| Boolean | The Agent generates a full mitigation report |
| String | Timestamp of last mitigation status update |
| String | ID of the mitigation report |
| Array | List of skipped mitigation actions with additional details. |
| Enum | Action |
| Enum | Reason |
| String | Description |
| String | Threat ID |
| Array | Errors |
Action: Update threat analyst verdict
This action updates the threat analyst verdict to understand if the threat is real, false, suspicious or undefined.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Analyst Verdict | Enter the analyst verdict. Example:
| Text | Required | |
Threat IDs | Enter the threat IDs in a comma separated list. Example: {"1234999", "23456888"} | Text | Required | |
Extra Filters | Enter the extra filters if any as key-value pairs to update the threat analyst verdict. | Key Value | Optional | Allowed values: 'noteExists', 'containerLabels__contains', 'minLength', 'classificationSources', 'agentIsActive', 'enginesNin', 'confidenceLevelsNin', 'agentVersionsNin', 'classificationSourcesNin', 'detectionAgentDomain__contains', 'accountIds', 'agentMachineTypesNin', 'uuid__contains', 'k8sClusterName__contains', 'initiatedByUsername__contains', 'updatedAt__gt', 'k8sControllerLabels__contains', 'rebootRequired', 'osNames', 'confidenceLevels', 'k8sControllerName__contains', 'k8sNodeName__contains', 'externalTicketExists', 'createdAt__lt', 'query', 'createdAt__lte', 'computerName__contains', 'minimum', 'detectionEnginesNin', 'initiatedByNin', 'classificationsNin', 'agentMachineTypes', 'k8sPodLabels__contains', 'mitigationStatuses', 'k8sNamespaceName__contains', 'externalTicketId__contains', 'analystVerdict', 'incidentStatuses', 'siteIds', 'agentIds', 'limit', 'containerImageName__contains', 'failedActions', 'engines', 'createdAt__gte', 'externalTicketIds', 'detectionEngines', 'resolved', 'createdAt__gt', 'contentHash__contains', 'osNamesNin', 'updatedAt__lte', 'realtimeAgentVersion__contains', 'mitigatedPreemptively', 'classifications', 'incidentStatusesNin', 'originatedProcess__contains', 'threatDetails__contains', 'k8sNamespaceLabels__contains', 'updatedAt__lt', 'osTypesNin', 'publisherName__contains', 'detectionAgentVersion__contains', 'commandLineArguments__contains', 'containerName__contains', 'filePath__contains', 'countsFor', 'collectionIds', 'description', 'displayName', 'k8sPodName__contains', 'osArchs', 'updatedAt__gte', 'storylines', 'tenant', 'initiatedBy', 'groupIds', 'contentHashes', 'agentVersions', 'analystVerdictsNin', 'mitigationStatusesNin', 'pendingActions', 'osTypes', 'storyline__contains' |
Example Request
[
{
"threat_ids": "1194559565660255827",
"analyst_verdict": "true_positive"
"extra_filters": {
“mitigationstatus”: “mitigated”
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Response data |
| Integer | Number of entities affected by the requested operation |
| Array | Result details for each threat |
| Enum | Result of changing the threat's analyst verdict |
| String | Threat ID |
| Array | Errors |
Action: Add exclusions
This action adds exclusions to an incident with specific exclusion details, threat IDs, and target scope .
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Exclusion | Enter the exclusion. Example: "allowIPlist" | Text | Required | |
Threat IDs | Enter the threat IDs in a comma separated list. Example: {"1234999", "23456888"} | Text | Required | |
Target Scope | Enter the target scope. Example: global | Text | Required | Allowed values:
|
Note | Enter a note for this exclusion. | Text | Optional | |
Extra Filters | Enter the extra filters if any as key-value pairs to add exclusions. | Key Value | Optional | Allowed values: 'confidenceLevelsNin', 'updatedAt__gt', 'k8sNamespaceName__contains', 'classifications', 'osNamesNin', 'osArchs', 'siteIds', 'query', 'pathExclusionType', 'realtimeAgentVersion__contains', 'countsFor', 'originatedProcess__contains', 'updatedAt__gte', 'enginesNin', 'updatedAt__lt', 'k8sControllerName__contains', 'k8sControllerLabels__contains', 'pendingActions', 'externalTicketExists', 'storyline__contains', 'accountIds', 'detectionEnginesNin', 'detectionAgentDomain__contains', 'initiatedByNin', 'createdAt__lt', 'mitigatedPreemptively', 'tenant', 'publisherName__contains', 'k8sClusterName__contains', 'analystVerdictsNin', 'engines', 'confidenceLevels', 'analystVerdicts', 'resolved', 'containerName__contains', 'initiatedByUsername__contains', 'incidentStatuses', 'createdAt__lte', 'noteExists', 'classificationSources', 'description', 'detectionAgentVersion__contains', 'osTypesNin', 'computerName__contains', 'agentIsActive', 'displayName', 'mitigationStatuses', 'updatedAt__lte', 'osTypes', 'agentIds', 'threatDetails__contains', 'classificationsNin', 'commandLineArguments__contains', 'k8sNamespaceLabels__contains', 'k8sPodLabels__contains', 'externalTicketId__contains', 'k8sPodName__contains', 'incidentStatusesNin', 'minLength', 'uuid__contains', 'value', 'containerImageName__contains', 'classificationSourcesNin', 'externalTicketIds', 'initiatedBy', 'contentHashes', 'limit', 'k8sNodeName__contains', 'detectionEngines', 'groupIds', 'createdAt__gte', 'collectionIds', 'osNames', 'agentMachineTypesNin', 'externalTicketId', 'minimum', 'agentMachineTypes', 'storylines', 'rebootRequired', 'agentVersionsNin', 'contentHash__contains', 'failedActions', 'agentVersions', 'filePath__contains', 'mitigationStatusesNin', 'containerLabels__contains', 'createdAt__gt' |
Example Request
[
{
"exclusion": "mitigation",
"threat_ids": "1194559565660255827",
"target_scope": "domain",
"extra_filters": {
“mitigationstatus”: “mitigated”
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Response data |
| Integer | Number of entities affected by the requested operation |
| Array | Result details for each threat |
| Enum | Result of changing the threat's analyst verdict as part of adding the threat to blocklist or exclusions |
| Enum | Result of adding the threat to blocklist or exclusions |
| String | Threat ID |
| Array | Errors |
Action: Update incident
This action updates the status and details of an incident .
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Incident Status | Enter the incident status. Example:
| Text | Required | |
Threat IDs | Enter the threat IDs in a comma separated list. Example: "1234999", "23456888" | Text | Required | |
Analyst Verdict | Enter the analyst verdict. | Text | Optional | Allowed values:
|
Extra Filters | Enter any additional filters in the form of key value pairs to update an incident. | Key Value | Optional | Allowed values: 'mitigationStatusesNin', 'updatedAt__lte', 'minLength', 'agentVersions', 'tenant', 'uuid__contains', 'analystVerdictsNin', 'k8sNamespaceLabels__contains', 'mitigatedPreemptively', 'osTypesNin', 'initiatedByUsername__contains', 'rebootRequired', 'createdAt__gte', 'detectionEngines','pendingActions', 'accountIds', 'engines', 'originatedProcess__contains', 'siteIds', 'agentVersionsNin', 'displayName', 'confidenceLevelsNin', 'k8sPodLabels__contains', 'containerName__contains', 'updatedAt__lt', 'detectionAgentDomain__contains', 'detectionAgentVersion__contains', 'detectionEnginesNin', 'countsFor', 'updatedAt__gte', 'storylines', 'k8sNamespaceName__contains', 'createdAt__lte', 'type', 'initiatedBy', 'enginesNin', 'incidentStatuses', 'osNamesNin', 'containerImageName__contains', 'incidentStatusesNin', 'osArchs', 'classificationSources', 'k8sControllerLabels__contains', 'updatedAt__gt', 'externalTicketExists', 'failedActions', 'enum', 'agentMachineTypesNin', 'osNames', 'k8sControllerName__contains', 'publisherName__contains', 'k8sPodName__contains', 'agentIds', 'limit', 'mitigationStatuses', 'query', 'confidenceLevels', 'groupIds', 'classificationsNin', 'osTypes', 'classificationSourcesNin', 'createdAt__gt', 'example', 'k8sClusterName__contains', 'minimum', 'description', 'threatDetails__contains', 'initiatedByNin', 'agentMachineTypes', 'contentHash__contains', 'collectionIds', 'resolved', 'commandLineArguments__contains', 'externalTicketId__contains', 'realtimeAgentVersion__contains', 'containerLabels__contains', 'contentHashes', 'createdAt__lt', 'k8sNodeName__contains', 'classifications', 'agentIsActive', 'analystVerdicts', 'externalTicketIds', 'noteExists', 'storyline__contains', 'computerName__contains' |
Example Request
[
{
"threat_ids": "1194559565660255827",
"incident_status": "in_progress",
"analyst_verdict": "suspicious",
"extra_filters": {
“mitigationStatuses”: “mitigated”
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Response data |
| Integer | Number of entities affected by the requested operation |
| Array | Result details for each threat |
| Enum | Result of changing the threat's analyst verdict as part of changing the threat's status |
| Enum | Result of changing the threat's status |
| String | Threat ID |
| Array | Errors |
Action: Get Site Details
This action retrieves the details of a site using the site ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Site ID | Enter the site ID to retrieve the site details. Example: "738239109734805524" | Text | Required |
Example Request
[
{
"site_id": "738239109734805524"
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Response data |
| String | Account ID |
| String | Account name |
| Integer | Number of active licenses for the site |
| String | Timestamp of site creation |
| String | Full name of the creating user |
| String | ID of the creating user |
| String | The user-defined description for the Site |
| String | Expiration |
| String | ID of CRM external system |
| Boolean | Obsolete. Always true |
| String | Site ID |
| Boolean | Is default |
| JSON Object | The site licenses |
| Array | The licenses Bundles |
| String | The Bundle display name |
| Integer | The Bundle major version |
| Integer | The Bundle minor version |
| String | The Bundle internal API name |
| Array | The Surfaces in the Bundle |
| Integer | The Surface count. -1 indicates unlimited count |
| String | The Surface name |
| Integer | The total number of Surfaces in this Bundle. -1 indicates unlimited count |
| Array | The licenses Add-ons |
| String | The Add-on display name |
| Integer | The Add-on major version |
| String | The Add-on internal API name |
| Array | The licenses Settings |
| String | [DEPRECATED] The Setting display name |
| String | The Setting group name |
| String | The Setting display name |
| String | [DEPRECATED] The Setting group name |
| String | The Setting group display name |
| String | Name |
| String | [DEPRECATED] Token generation in dedicated endpoint - /sites/<site_id>/token |
| String | Site type |
| Enum | [DEPRECATED] The SKU of product features active for this site |
| Enum | Site state |
| Enum | [DEPRECATED] Use SKU instead |
| Integer | Total licenses |
| Boolean | The site does not expire |
| Boolean | Site licenses unlimited |
| String | Timestamp of last update |
| String | Usage type |
| Array | Errors |
Action: Get a list of sites
This action retrieves a list of sites using the query parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query parameters | Enter the query parameters as key-value pairs to retrieve the list of sites. | Key Value | Optional | Allowed values: features,name,suite,totalLicenses,siteIds,limit,states, updatedAt,expiration,query,externalId,countOnly,registrationToken, siteType,sortOrder,isDefault,accountId,state,availableMoveSites, activeLicenses,skip,healthStatus,skipCount,accountIds,adminOnly, createdAt,cursor,sortBy |
Example Request
[
{
"extra_params":
{
"states": "active",
"limit": 20
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Pagination information |
| Integer | Total number of items found matching your query |
| String | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) |
| Object | Response data |
| Object | All sites |
| Integer | Active licenses |
| Integer | Total licenses |
| Array | Sites |
| String | Account ID |
| String | Account name |
| Integer | Number of active licenses for the site |
| String | Timestamp of site creation |
| String | Full name of the creating user |
| String | ID of the creating user |
| String | The user-defined description for the Site |
| String | Expiration |
| String | ID of CRM external system |
| Boolean | Obsolete. Always true |
| String | Site ID |
| Boolean | Is default |
| Object | The site licenses |
| String | Usage type |
| Array | Errors |
Action: Update blacklist
This action updates details of the blacklist item using the blacklist item ID, OS type, and other update fields.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Blacklist item ID | Enter the blacklist item ID. Example: "123456" | Text | Required | |
OS Type | Enter the OS type. Example: "windows" | Text | Required | Allowed values:
|
Update Fields | Enter the fields to be updated as key-value pairs. | Key Value | Optional | Allowed values: 'actions', 'mode', 'description', 'pathExclusionType', 'enum', 'source', 'value', 'inject' |
Note:
You can also pass additional fields as a key-value pair to update the blacklist item.
Example Request
[
{
"os_type": "linux",
"blacklist_id": "225494730938493804",
"update_fields":
{
"description": "blacklisted"
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Array | Response data |
| JSON Object | Scope |
| Array of Strings | Account ids |
| Array of Strings | Group ids |
| Array of Strings | Site ids |
| Boolean | Tenant |
| String | Timestamp of blocklist item creation |
| String | Description |
| String | Id |
| String | Not recommended |
| Enum | OS type |
| String | Scope name |
| Enum | Source: cloud, user, or action_from_threat |
| String | Type |
| String | Timestamp of blocklist item update |
| String | ID of the creating user |
| String | Name of the creating user |
| String | SHA1 hash |
| Array | Errors |
Action: Create a blacklist item
This action creates a blacklist item using sha1 hash, OS type, mode, and other additional parameters.
Note
You can also pass additional parameters to create a blacklist item such as Source, Description, Path exclusion type, Group IDs, Account IDs, and Site IDs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
SHA1 hash | Enter the sha1 hash value. Example: "sha1_hash" | Text | Required | |
OS type | Enter the OS type. Example: "windows" | Text | Required | Allowed values:
|
Mode | Enter the mode. Example: "suppress" | Text | Required | Allowed values:
|
Example Request
[
{
"mode": "suppress",
"os_type": "windows",
"sha1_hash": "sha1_hash"
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Array of Objects | Response data |
| JSON Object | Scope |
| Array of Strings | Account IDs |
| Array of Strings | Group IDs |
| Array of Strings | Site IDs |
| Boolean | Tenant |
| String | Timestamp of blocklist item creation |
| String | Description |
| String | ID |
| String | Not recommended |
| Enum | OS type |
| String | Scope name |
| Enum | Source: cloud, user, or action_from_threat |
| String | Type |
| String | Timestamp of blocklist item update |
| String | ID of the creating user |
| String | Name of the creating user |
| String | SHA1 hash |
| Array | Errors |
Action: Get a list of blacklist items
This action retrieves a list of blacklisted items using the query parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query parameters | Enter the query parameters as key-value pairs to retrieve the list of blacklist items. | Key Value | Optional | Allowed values:createdAt__gte, includeParents, createdAt__between, siteIds, ids, limit, osTypes, source, types, query, countOnly, updatedAt__gt, createdAt__lt, createdAt__gt, updatedAt__lte, sortOrder, tenant, value, groupIds, updatedAt__between |
Example Request
[
{
"extra_params": {
"osTypes": "windows",
"sortOrder": "asc",
"sortBy": "createdAt",
"nodes": "disable_in_process_monitor_deep"
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Pagination information |
| Integer | Total number of items found matching your query |
| String | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) |
| Object Array | Response data |
| String | Timestamp of item creation |
| String | Description |
| String | ID |
| Boolean | Indication whether the exclusion was imported by a bulk operation or not |
| Boolean | Return filters from children scope levels (Default: false) |
| Boolean | Return filters from parent scope levels (Default: false) |
| String | Not recommended |
| Enum | OS type |
| Object | Scope |
| String Array | Account ids |
| String Array | Group ids |
| String Array | Site ids |
| Boolean | Tenant |
| String | Scope name |
| String | Scope path |
| Enum | Source: cloud, user, or action_from_threat |
| String | Type |
| String | Timestamp of item update |
| String | ID of the creating user |
| String | Name of the creating user |
| String | SHA1 hash |
| String | type |
| String | osType |
| Array | Errors |
Action: Get threat files
This action fetches the threat files using threat IDs and file password.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Threat IDs | Enter the threat IDs in a comma separated list. Example: "1234999", "23456888" | Any | Required | |
File password | Enter the file password. | Password | Required | |
Query filters | Enter the threat filters as key value pairs to retrieve the threat files. | Key Value | Optional | Allowed values: 'updatedAt__gte', 'accountIds', 'analystVerdictsNin', 'externalTicketIds', 'noteExists', 'agentVersions', 'threatDetails__contains', 'classificationSourcesNin', 'tenant', 'agentIsActive', 'minLength', 'agentVersionsNin', 'agentIds', 'publisherName__contains', 'osNamesNin', 'contentHashes', 'incidentStatuses', 'description', 'agentMachineTypesNin', 'classificationsNin', 'commandLineArguments__contains', 'containerName__contains', 'pendingActions', 'originatedProcess__contains', 'containerImageName__contains', 'initiatedByNin', 'updatedAt__lt', 'enginesNin', 'k8sPodName__contains', 'detectionEngines', 'groupIds', 'k8sControllerName__contains', 'classifications', 'osNames', 'k8sClusterName__contains', 'createdAt__lte', 'k8sNamespaceName__contains', 'mitigationStatuses', 'agentMachineTypes', 'updatedAt__lte', 'mitigationStatusesNin', 'classificationSources', 'k8sPodLabels__contains', 'query', 'minimum', 'k8sControllerLabels__contains', 'mitigatedPreemptively', 'updatedAt__gt', 'resolved', 'contentHash__contains', 'createdAt__gte', 'realtimeAgentVersion__contains', 'data', 'k8sNodeName__contains', 'siteIds', 'initiatedBy', 'osTypesNin', 'createdAt__lt', 'confidenceLevelsNin', 'engines', 'storyline__contains', 'countsFor', 'analystVerdicts', 'createdAt__gt', 'osTypes', 'filePath__contains', 'osArchs', 'rebootRequired', 'containerLabels__contains', 'confidenceLevels', 'collectionIds', 'detectionAgentVersion__contains', 'incidentStatusesNin', 'detectionAgentDomain__contains', 'k8sNamespaceLabels__contains', 'detectionEnginesNin', 'initiatedByUsername__contains', 'failedActions', 'computerName__contains', 'displayName', 'externalTicketId__contains', 'uuid__contains', 'externalTicketExists', 'filter', 'storylines' |
Example Request
[
{
"threat_ids": "1194559565660255827",
"file_password": "*******",
"extra_filters": {
“mitigationStatuses”: “mitigated”
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Response data |
| Integer | Number of entities affected by the requested operation |
| Array | Errors |
Action: Add hash to blacklist
This action adds the sha1 hash to the blacklist for deep visibility using the sha1 hash, target scope, and other additional filters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Target scope | Enter the target scope. Example: "global" | Text | Required | Allowed values:
|
Hash Details | Enter the list of hash details in JSON format. | List | Required | Allowed Values: { "hash": “19423e162be504e52b8f7a18e2445309a6ada52f”, "agentId": "225494730938493804" } |
Example Request
[
{
"hashes": [
{
"agentId": "135673186983385932",
"hash": "ef24195f5ea82e2080ac562957ed7c9758673397"
}
],
"target_scope": "site"
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| String | Includes the response received from the app action. |
| JSON Object | Response data from SentinelOne. |
| Integer | Number of machines affected by the requested operation. |
| Array | Errors received from SentinelOne. |
| String | HTTP status code of the API request received from the app instance. For more information, see List of HTTP status codes. |
Action: Get user details
This action retrieves the details of a user using the user ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
User ID | Enter the user ID. Example: "937121089584155031" | Text | Required |
Example Request
[
{
"user_id": "1143580790218484327"
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Response data |
| Boolean | True if two-factor authentication option cannot be modified |
| Boolean | Can generate API token |
| Boolean | True if email cannot be modified |
| Boolean | True if full name cannot be modified |
| Boolean | User two-factor authentication is configured |
| Boolean | True if the End User License Agreement (EULA) was agreed upon |
| String | Source |
| Enum | User Scope |
| Array | Roles of the scope user |
| String | Scope name |
| String | Scope ID |
| String | ID of the wanted role |
| String | Scope name |
| Array | List containing the desired role name in this scope. Use role_id or role_name instead. |
| String | Name of the role (deprecated) |
| Integer | Defines for how many minutes the user can call protected actions once their session is elevated |
| Array | Role and site IDs for the user. Using scopeRoles is more consistent |
| String | Site name |
| String | Site ID |
| String | ID of the wanted role |
| Array | List containing the desired role name in this scope. Use role_id instead |
| String | Name of the role (deprecated) |
| String | Link to End User License Agreement (EULA) agreement if it was not agreed yet |
| String | |
| Object | Api token |
| String | The id of the account |
| String | The name of the account |
| String | Last login |
| Boolean | [DEPRECATED] Unused field. The user's role will determine if it is allowed to use remote_shell |
| String | Date joined |
| String | [DEPRECATED] in RBAC there's no 'lowest' role. Returns Admin if user has admin permission on all sites, otherwise a different role |
| String | Full name |
Action: Get a list of users
This action retrieves a list of all users using the query parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs. | Key Value | Optional | Allowed values: roleIds,fullNameReadOnly, siteIds,firstLogin,limit,ids,query, countOnly,emailVerified,sortOrder, dateJoined,twoFaEnabled, emailReadOnly,fullName,source, lastLogin,skip,sortBy primaryTwoFaMethod,skipCount, accountIds,email,cursor |
Example Request
[
{
"extra_params": {
"email": "sampleuser@example.com",
"fullName": "Anna Smith",
"sortBy": "lastLogin"
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Array | Errors |
| Array | Response data |
| String | First login |
| String | Id |
| Boolean | Two fa enabled |
| String | Primary two fa method |
| Boolean | [Deprecated] |
| Boolean | True if email verification completed successfully |
| Object | Api token |
| String | Expiration date of the API token |
| String | Creation date of the API token |
| Boolean | True if the user is a system user |
| Array | [DEPRECATED] Role ids for the tenant user. Using scopeRoles is more consistent. |
| String | State of 2FA setup |
| Boolean | True if two fa option cannot be modified |
| Boolean | Can generate api token |
| Boolean | True if email cannot be modified |
| Boolean | True if full name cannot be modified |
| Boolean | User 2FA Auth is configured |
| Boolean | True if EULA was agreed for user's sites |
| String | Source |
| String | User Scope |
| Array | Roles of the scope user |
| Array | [DEPRECATED] Role and site ids for the user. Using scopeRoles is more consistent. |
| String | Link to EULA agreement if it was not agreed yet |
| String | |
| String | Last login |
| Boolean | [DEPRECATED] Unused field. The user's role will determine if it is allowed to use remote_shell. |
| String | Date joined |
| String | [DEPRECATED] in RBAC there's no 'lowest' role. Returns Admin if user has admin permission on all sites, otherwise a different role. |
| String | Full name |
Action: Get a list of threat events
This action retrieves the threat events using the threat ID and other query parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Threat ID | Enter the threat ID. Example: "739689244088122893" | Text | Required | |
Query parameters | Enter the query parameters as key value pairs to retrieve a list of threat events. | Key Value | Optional | Allowed values: eventSubTypes,skip,cursor,e ventTypes,sortOrder,limit, skipCount,eventId, countOnly,processName__like, sortBy |
Example Request
[
{
"threat_id": "1194559565660255827",
"extra_params": {
“limit”: 20
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Pagination information |
| Integer | Total number of items found matching your query |
| String | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) |
| Object | Response data |
| String | Agent domain |
| String | Agent group id |
| String | Agent id |
| Boolean | Agent infected |
| String | Agent ip |
| Boolean | Agent is active |
| Boolean | Agent is decommissioned |
| String | Agent machine type |
| String | Agent name |
| String | Agent network status |
| Enum | OS type |
| String | Agent uuid |
| String | Agent version |
| String | Created at |
| String | Id |
| Enum | Object type |
| String | Process name |
| String | Site id |
| String | Site name |
| String | Active content file id |
| String | Active content hash |
| String | Active content path |
| String | Connection status |
| String | Direction |
| String | Dns request |
| String | Dns response |
| String | Dst ip |
| Integer | Dst port |
| String | Event type |
| String | File full name |
| String | File id |
| String | File md5 |
| String | File sha1 |
| String | File sha256 |
| String | File size |
| String | File type |
| Boolean | Has active content |
| String | Indicator category |
| String | Indicator description |
| String | Indicator metadata |
| String | Indicator name |
| String | Logins base type |
| String | Logins user name |
| String | Md5 |
| String | Network method |
| String | Network source |
| String | Network url |
| String | Old file md5 |
| String | Old file name |
| String | Old file sha1 |
| String | Old file sha256 |
| String | Parent pid |
| String | Parent process group id |
| Boolean | Parent process is malicious |
| String | Parent process name |
| String | Parent process unique key |
| String | Pid |
| String | Process cmd |
| String | Process display name |
| String | Process group id |
| String | Process image path |
| String | Process image sha1 hash |
| String | Process integrity level |
| Boolean | Process is malicious |
| String | Process is redirected command processor |
| String | Process is wow64 |
| String | Process root |
| String | Process session id |
| String | Process start time |
| String | Process sub system |
| String | Process unique key |
| String | Process user name |
| String | Protocol |
| String | Publisher |
| String | Registry classification |
| String | Registry id |
| String | Registry path |
| Boolean | Related to threat |
| String | Rpid |
| String | Sha1 |
| String | Sha256 |
| String | Signature signed invalid reason |
| String | Signed status |
| String | Src ip |
| Integer | Src port |
| String | Storyline |
| String | Task name |
| String | Task path |
| String | Threat status |
| String | Tid |
| String | [DEPRECATED] Use "storyline" instead |
| String | User |
| String | Verified status |
| Array | Errors |
Action: Get threat analysis details
This action retrieves the details about the threat analysis using the threat ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Threat ID | Enter the threat ID to get the threat analysis. Example: "739689244088122893" | Text | Required | |
Query parameters | Enter the query parameters as key value pairs to retrieve the threat analysis details. | Key Value | Optional | Allowed values: skip,cursor,sortOrder,siteIds,limit,activityTypes,skipCount, accountIds,query,countOnly,sortBy,groupIds |
Example Request
[
{
"threat_id": "1194559565660255827",
"extra_params": {
“limit”: 20
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Pagination information |
| Integer | Total number of items found matching your query |
| String | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) |
| Object | Response data |
| String | Related account (If applicable) |
| Integer | Activity type |
| String | Related Agent (If applicable) |
| String | Agent's new version (If applicable) |
| String | Activity creation time (UTC) |
| Object | Extra activity specific data |
| String | Related group (If applicable) |
| String | Threat file hash (If applicable) |
| String | Activity ID |
| Enum | Agent's OS type (if applicable) |
| String | Primary description |
| String | Secondary description |
| String | Related site (If applicable) |
| String | Related threat (If applicable) |
| String | Activity last updated time (UTC) |
| String | The user who invoked the activity (If applicable) |
| Array | Errors |
Action: Get a list of all threats
This action retrieves a list of all the threats using the query parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query parameters | Enter the query parameters as key-value pairs to retrieve the threats list. | Key Value | Optional | Allowed values: createdAt__gte,agentVersionsNin, noteExists,externalTicketIds, failedActions,k8sNamespaceLabels__contains, siteIds,analystVerdicts, ids,k8sNamespaceName__contains,query, publisherName__contains, createdAt__gt,containerName__contains, initiatedByNin,groupIds, contentHash__contains, containerLabels__contains, osArchs,osTypesNin |
Example Request
[
{
"extra_params": {
“noteExists”: True,
"siteIds": "12267908768"
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Pagination information |
| Integer | Total number of items found matching your query |
| String | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) |
| Object | Response data |
| Object | Agent detection time information |
| String | Orig account id |
| String | Orig account name |
| String | The Agent's detection state at time of detection |
| String | Network domain |
| String | Orig agent ip v4 |
| String | Orig agent ip v6 |
| String | UPN of last logged in user |
| String | Mail from AD of last logged in user |
| String | Orig logged user |
| Enum | Agent mitigation mode policy |
| String | Orig agent os name |
| String | Orig agent os revision |
| String | Time of first registration to management console |
| String | UUID of the agent |
| String | Orig agent version |
| Object | Cloud providers for this agent |
| String | Orig agent external ip |
| String | Orig group id |
| String | Orig group name |
| String | Orig site id |
| String | Orig site name |
| Object | Agent realtime information |
| String | Account id |
| String | Account name |
| Integer | Active threats |
| String | Computer name |
| Boolean | Decommissioned at |
| String | Domain |
| String | Id |
| Boolean | Agent infected |
| Boolean | Is active |
| Boolean | Is decommissioned |
| Enum | Machine type |
| Enum | Agent mitigation mode policy |
| Enum | Network status |
| String | Os name |
| String | Os revision |
| Enum | OS type |
| String | Uuid |
| String | Agent version |
| String | Group id |
| String | Group name |
| Object | Device's network interfaces |
| String | Agent operational state |
| Boolean | A reboot is required on the endpoint for at least one threat |
| String | Abort time of last scan (If applicable) |
| String | Finish time of last scan (If applicable) |
| String | Start time of last scan |
| Enum | Scan status |
| String | Site id |
| String | Site name |
| String | Storage Name |
| String | Storage Type |
| String | A list of pending user actions. List items possible values: "none, user_action_needed, reboot_needed, upgrade_needed, incompatible_os, unprotected, rebootless_without_dynamic_detection, extended_exclusions_partially_accepted, reboot_required, pending_deprecation, ne_not_running, ne_cf_not_active" |
| Object | Threat container information |
| String | Id |
| String | Image |
| Boolean | True if the container is quarantined |
| String | Labels |
| String | Name |
| Object | Threat ECS information |
| String | Cluster name |
| String | Service arn |
| String | Service name |
| String | Task arn |
| String | Task availability zone |
| String | Task definition arn |
| String | Task definition family |
| String | Task definition revision |
| String | Type |
| String | Version |
| String | Threat ID |
| Object | Indicators |
| String | Category |
| Integer | [DEPRECATED] |
| String | Description |
| Integer | List of all the indicators IDs |
| Object | Tactics |
| String | Name |
| String | Source |
| Object | Techniques |
| String | Link |
| String | Name |
| Object | Threat kubernetes information |
| String | Cluster |
| String | Controller kind |
| String | Controller labels |
| String | Controller name |
| Boolean | True if the container is quarantined |
| String | Namespace |
| String | Namespace labels |
| String | Node |
| String | Node labels |
| String | Pod |
| String | Pod labels |
| Object | Threat mitigation information |
| Enum | Action |
| Object | Actions counters |
| Integer | Failed |
| Integer | Not found |
| Integer | Pending reboot |
| Integer | Success |
| Integer | Total |
| Boolean | The Agent generates a full mitigation report |
| Boolean | Agent could not find the threat |
| String | Timestamp of last mitigation status update |
| String | Report download URL. If None, there is no report |
| String | The time the Agent finished the mitigation |
| String | The time the Agent started the mitigation |
| String | ID of the mitigation report |
| Enum | Status |
| Object | Threat information |
| String | SHA1 hash of file content |
| Enum | Analyst verdict |
| String | Analyst verdict description |
| Boolean | Automatically resolved |
| String | Browser type |
| String | File Certificate ID |
| String | Classification of the threat |
| Enum | Source of the threat Classification |
| String | Cloud files hash verdict |
| String | Collection id |
| Enum | SentinelOne threat confidence level |
| String | Timestamp of date creation in the Management Console. |
| List of engines that detected the threat | Detection engines |
| Enum | Detection type |
| [Deprecated] List of engines that detected the threat | Engines |
| Boolean | External ticket exists |
| String | External ticket id |
| Boolean | At least one action failed on the threat |
| String | File extension |
| String | File extension type |
| String | File path |
| Integer | File size |
| String | File verification type |
| String | Identified at |
| Enum | Incident status |
| String | Incident status description |
| Enum | Source of threat |
| String | Initiated by description |
| String | Initiating user id |
| String | Initiating username |
| Boolean | Is fileless |
| Boolean | True if the certificate is valid |
| Object | List of macro modules |
| String | Malicious process arguments |
| String | Md5 |
| Boolean | True is the threat was blocked before execution |
| Enum | Mitigation status |
| String | Mitigation status description |
| String | Originator process |
| Boolean | At least one action is pending on the threat |
| String | Process user |
| String | Certificate publisher |
| Boolean | Has number of OS events for this threat reached the limit, resulting in a partial attack storyline |
| Boolean | A reboot is required on the endpoint for at least one action on the threat |
| String | Root process UPN |
| String | SHA256 hash of file content |
| String | Storyline identifier from agent |
| String | Threat id |
| String | Threat name |
| String | Timestamp of last update |
| String | Whitening options |
| Array | Errors |
Action: Get a list of agent processes
This action lists the agent processes using a list of agent IDs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Agent IDs | Enter the agent IDs in a comma-separated list to get a list of agent processes. Example: {"742228809538088161", "19322810337538089471"} | List | Required |
Example Request
[
{
"agent_ids": {"742228809538088161", "673545309879138890"}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Integer | CPU Usage (%) |
| String | Executable path |
| Integer | Memory usage (MB) |
| Integer | Process ID |
| String | Process name |
| String | Start time |
| Array | Errors |
Action: Get a list of agents
This action fetches a list of agents using the query parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query parameters | Enter the query parameters as key-value pairs to retrieve the agents list. | Key Value | Optional | Allowed values: createdAt__gte,agentVersionsNin, networkStatuses, awsSubnetIds__contains,coreCount__lt,siteIds,ids, adUserQuery__contains,query, adComputerName__contains, decommissionedAt__gt,clusterName__contains, adUserName__contains,isUninstalled, azureResourceGroup__contains,createdAt__gt, mitigationMode,isUpToDate,operationalStatesNin, machineTypesNin,adQuery, isActive,cpuCount__gte,groupIds,coreCount__between, rangerStatus,coreCount__gt,infected, threatHidden,hasLocalConfiguration,totalMemory__lt, threatCreatedAt__gt,osVersion__contains, osTypesNin,networkInterfacePhysical__contains, isPendingUninstall, skip,uuid,updatedAt__gte,totalMemory__gt,threatResolved, userActionsNeededNin,accountIds,lastActiveDate__gte,cursor, threatCreatedAt__between,coreCount__gte, adQuery__contains,locationEnabled, migrationStatus,threatCreatedAt__lte,firewallEnabled, agentVersions,updatedAt__gt,consoleMigrationStatusesNin, K8SVersion__contains,createdAt__lt, totalMemory__between, encryptedApplications,K8SNodeLabels__contains, operationalStates,adComputerQuery__contains, mitigationModeSuspicious, scanStatusesNin,cpuCount__between, networkInterfaceGatewayMacAddress__contains, uuids,appsVulnerabilityStatusesNin,countsFor, lastActiveDate__between,installerTypesNin, scanStatus,isDecommissioned,filterId, skipCount,consoleMigrationStatuses, cloudTags__contains,cloudInstanceId__contains, gcpServiceAccount__contains, sortBy,rangerStatusesNin,osArch,networkStatusesNin, networkQuarantineEnabled, osTypes,decommissionedAt__gte,cloudProviderNin, uuid__contains, agentNamespace__contains,computerName__like,registeredAt__gt, rangerVersionsNin, agentPodName__contains,threatCreatedAt__gte, updatedAt__between,machineTypes, totalMemory__lte,userActionsNeeded,cloudProvider,gatewayIp, remoteProfilingStatesNin, awsSecurityGroups__contains,cpuCount__gt, decommissionedAt__lt,threatCreatedAt__lt, computerName,filteredGroupIds, remoteProfilingStates,scanStatuses,cloudLocation__contains, locationIds,externalId__contains,lastActiveDate__lte,K8SType__contains, threatRebootRequired,computerName__contains, createdAt__between,cloudImage__contains, limit,coreCount__lte,cpuCount__lt,filteredSiteIds, cloudInstanceSize__contains,registeredAt__lt, totalMemory__gte,registeredAt__gte,appsVulnerabilityStatuses, cpuCount__lte, registeredAt__between,domainsNin,updatedAt__lte, adUserMember__contains,domains, registeredAt__lte,lastLoggedInUserName__contains,activeThreats, adComputerMember__contains, decommissionedAt__between,lastActiveDate__gt, threatContentHash,externalIp__contains, rangerStatuses,updatedAt__lt,networkInterfaceInet__contains, installerTypes, K8SNodeName__contains, wsRole__contains,cloudAccount__contains, cloudNetwork__contains,threatMitigationStatus |
Example Request
[
{
"extra_params": {
"siteIds": {"125654865","764567592"},
"limit": 20
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Integer | Total number of items found matching your query |
| String | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) |
| String | A reference to the containing account |
| String | Name of the containing account |
| Object | Active Directory data |
| Integer | Current number of active threats |
| String | Agent version |
| Boolean | Agent is capable and policy enabled for remote shell |
| Enum | Apps vulnerability status |
| Object | Cloud providers for this agent |
| String | Computer name |
| Enum | What step the agent is at in the process of migrating to another console, if any |
| Object | Containerized workload counts |
| Integer | CPU cores |
| Integer | Number of CPUs |
| String | CPU model |
| String | Created at |
| String | Detection State |
| String | Network domain |
| Boolean | Disk encryption status |
| String | External id set by customer |
| String | External IPv4 address |
| Boolean | Firewall enabled |
| String | Date of the first time the Agent moved to full or slim detection modes |
| String | Last time scan status was updated |
| String | A reference to the containing network group |
| String | IP Address subnet |
| String | Name of the containing network group |
| String | Group updated at |
| Boolean | Indicates whether the agent protects containerized workload at the moment |
| String | Agent ID |
| Boolean | Indicates if the Agent has active threats |
| Boolean | Is the Agent in a remote shell session |
| Enum | Installer package type (file extension) |
| Boolean | Indicates if the agent was recently active |
| Boolean | Is Agent decommissioned |
| Boolean | Agent with a pending uninstall request |
| Boolean | Indicates if Agent was removed from the device |
| Boolean | Indicates if the agent version is up to date |
| String | Last active date |
| String | The last ip used to connect to the Management console |
| String | Last logged in user name |
| String | Last successful full disc scan time |
| String | License key |
| Boolean | Location enabled |
| Object [] | A list of locations reported by the Agent |
| Enum | Reported location type |
| Enum | Machine type |
| String [] | A list of missing permissions |
| Enum | Agent mitigation mode policy |
| Enum | Mitigation mode policy for suspicious activity |
| String | Device model |
| Object [] | Device's network interfaces |
| Boolean | Network quarantine enabled |
| Enum | Agent's network connectivity status |
| String | Agent operational state |
| String | Agent operational state expiration |
| Enum | Os arch |
| String | Os name |
| String | Os revision |
| String | Last boot time |
| Enum | OS type |
| String | Os username |
| String | Policy updated at |
| Object | Proxy state information |
| Enum | Is Agent disabled as a Network Discovery |
| String | The version of Network Discovery |
| String | Time of first registration to management console (similar to createdAt) |
| String | Agent remote profiling state |
| String | Agent remote profiling state expiration inseconds |
| String | Abort time of last scan (If applicable) |
| String | Finish time of last scan (If applicable) |
| String | Start time of last scan |
| Enum | Last scan status |
| String | Serial Number of the endpoint |
| Boolean | Show alert icon in agent view and details |
| String | A reference to the containing site |
| String | Name of the containing site |
| String | Storage Name |
| String | Storage Type |
| Object | Agent's attached tags |
| Boolean | Has at least one threat with at least one mitigation action that is pending reboot to succeed |
| Integer | Memory size (MB) |
| String | Updated at |
| String | A list of pending user actions |
| String | Agent's universally unique identifier |
| Array | Errors |
Action: Get activity types
This action fetches the activity type details such as specific actions, description templates, and so on.
Action Input Parameters
This action does not require any input parameters.
Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Action described in the activity |
| String | Activity description template as seen in activity page |
| Integer | Activity type ID |
| Array | Errors |
Action: Get a list of activities
This action fetches a list of all activities using the query parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query parameters | Enter the query parameters as key-value pairs to get a list of activities. | Key Value | Optional | Allowed values: groupIds,createdAt_lte,limit,createdAt_gt,siteIds, agentIds,skipCount,createdAt__between,includeHidden, sortOrder,skip,activityType,sortBy,userEmails,cursor, userIds,Ids,countOnly,threatIds,createdAt_lt,createdAt_gte, accountIds |
Example Request
[
{
"extra_params": {
"agentIds": {"35641887655","3236965609"},
"limit": 20
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Integer | Total number of items found matching your query |
| String | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) |
| String | Related account id (If applicable) |
| String | Related account name (If applicable) |
| Integer | Activity type |
| String | Activity UUID |
| String | Related agent (If applicable) |
| String | Agent's new version (If applicable) |
| String | Comments |
| String | Activity creation time (UTC) |
| String | Extra activity information |
| String | Related group id (If applicable) |
| String | Related group name (If applicable) |
| String | Threat file hash (If applicable) |
| Enum | Agent's OS type (if applicable) |
| String | Primary description |
| String | Secondary description |
| String | Related site id (If applicable) |
| String | Related site name (If applicable) |
| String | Related threat (If applicable) |
| String | Activity last updated time (UTC) |
| String | The user who invoked the activity (If applicable) |
| Array | Errors |
Action: Get hash reputation
This action retrieves the hash reputation using the hash value.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Hash | Enter the hash value to get the hash reputation. Example: "01fd53f9b2ed7301147a69ae6be12ac8d50de970" | Text | Required |
Example Request
[
{
"hash_value": "01fd53f9b2ed7301147a69ae6be12ac8d50de970"
}
]Action: Get list of reports
This action retrieves a list of reports using the query parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query parameters | Enter the query parameters as key-value pairs to get a list of reports. | Key Value | Optional | Allowed values: createdAt__gte,name,frequency, siteIds,ids,limit,query,countOnly, toDate,scope,sortOrder,id, groupIds,createdAt__lte, taskId,fromDate,skip,scheduleType,skipCount, accountIds,interval, cursor,sortBy |
Example Request
[
{
"extra_params": {
“siteIds”: {“126890667”, "1256906698"},
"limit": 20
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Integer | Total number of items found matching your query |
| String | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) |
| String Array | Type of documents for the report |
| String | Creation date |
| String | Id of the creator |
| String | Name of the creator |
| String | Report frequency |
| String | From date |
| String | Id |
| Object Array | Report data |
| String | Interval of the report |
| String | Name of the report |
| Enum | Report type |
| String | Scope of the report |
| String | Report sites |
| String | Status of the reports |
| String | To date |
| Array | Errors |
Action: Get a list of blacklist items
This action retrieves a list of blacklisted items using the query parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query parameters | Enter the query parameters as key-value pairs to retrieve a list of blacklist items. | Key Value | Optional | Allowed values: createdAt__gte, includeParents, createdAt__between, siteIds, ids, limit, osTypes, source, types, query, countOnly, updatedAt__gt, createdAt__lt, createdAt__gt, updatedAt__lte, sortOrder, tenant, value, groupIds, updatedAt__between |
Example Request
[
{
"extra_params": {
"siteIds": {"56573888888943","565737777943"},
"limit": 20
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Integer | Total number of items found matching your query |
| String | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) |
| String | Timestamp of item creation |
| String | Description |
| String | Id |
| Boolean | Indication whether the exclusion was imported by a bulk operation or not |
| Boolean | Return filters from children scope levels (Default: false) |
| Boolean | Return filters from parent scope levels (Default: false) |
| String | Not recommended |
| Enum | os_type |
| Object | Scope |
| String Array | Account ids |
| String Array | Group ids |
| String Array | Site ids |
| Boolean | Tenant |
| String | Scope name |
| String | Scope path |
| Enum | Source: cloud, user, or action_from_threat |
| String | Type |
| String | Timestamp of item update |
| String | ID of the creating user |
| String | Name of the creating user |
| String | SHA1 hash |
| Array | Errors |
Action: Get account details
This action fetches the details of an account using the account ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Account ID | Enter the account ID to retrieve the account details. Example: 79600390-9B73-102E-A3E2-001676E4A757 | Text | Required |
Example Request
[
{
"account_id": "79600390-9B73-102E-A3E2-001676E4A757"
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Account type |
| Integer | Total Agents in the Account |
| Integer | [DEPRECATED] Number of Agents connected to a Complete site |
| Integer | [DEPRECATED] Number of Agents connected to a Control site |
| Integer | [DEPRECATED] Number of Agents connected to a Core site |
| Enum | Billing mode |
| Integer | [DEPRECATED] Number of Sites in suite Complete |
| Integer | [DEPRECATED] Number of Sites in suite Control |
| Integer | [DEPRECATED] Number of Sites in suite Core |
| String | Timestamp of Account creation |
| String | The user that created the group |
| String | The ID of the user that created the group |
| String | Expiration |
| String | ID of CRM external system |
| String | Account ID |
| Boolean | Is default |
| Object | The account licenses. |
| String | Name |
| Integer | Total number of Sites in this Account |
| String | |
| Object Array | [DEPRECATED] The list of SKUs for the Account. |
| Enum | Account state |
| Integer | [DEPRECATED] Total Number of Complete licenses |
| Integer | [DEPRECATED] Total Number of Control licenses |
| Integer | [DEPRECATED] Total Number of Core licenses |
| Integer | The total number of licenses on all Surfaces for all Bundles. |
| Boolean | [DEPRECATED] True if Complete licenses count is unlimited |
| Boolean | [DEPRECATED] True if Control licenses count is unlimited |
| Boolean | [DEPRECATED] True if Core licenses count is unlimited |
| Boolean | The Account does not expire |
| String | Timestamp of last update |
| Enum | Usage type |
| Array | Errors |
Action: Get list of accounts
This action retrieves a list of accounts using the query parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query parameters | Enter the query parameters in key-value pairs to retrieve the accounts list. | Key Value | Optional | Allowed values: limit,query,skipCount,features,updateAt, sortOrder,skip,totalLicenses,sortBy(str),activeLicenses, isDefault,cursor,Ids,state,createAt,name,accountType, countOnly,expiration,accountIds |
Example Request
[
{
"extra_params": {
"state": "expired",
"limit": 20
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Account type |
| Integer | Total Agents in the Account |
| Integer | [DEPRECATED] Number of Agents connected to a Complete site |
| Integer | [DEPRECATED] Number of Agents connected to a Control site |
| Integer | [DEPRECATED] Number of Agents connected to a Core site |
| Enum | Billing mode |
| Integer | [DEPRECATED] Number of Sites in suite Complete |
| Integer | [DEPRECATED] Number of Sites in suite Control |
| Integer | [DEPRECATED] Number of Sites in suite Core |
| String | Timestamp of Account creation |
| String | The user that created the group |
| String | The ID of the user that created the group |
| String | Expiration |
| String | ID of CRM external system |
| String | Account ID |
| Boolean | Is default |
| Object | The account licenses. |
| String | Name |
| Integer | Total number of Sites in this Account |
| String | |
| Object Array | [DEPRECATED] The list of SKUs for the Account. |
| Enum | Account state |
| Integer | [DEPRECATED] Total Number of Complete licenses |
| Integer | [DEPRECATED] Total Number of Control licenses |
| Integer | [DEPRECATED] Total Number of Core licenses |
| Integer | The total number of licenses on all Surfaces for all Bundles. |
| Boolean | [DEPRECATED] True if Complete licenses count is unlimited |
| Boolean | [DEPRECATED] True if Control licenses count is unlimited |
| Boolean | [DEPRECATED] True if Core licenses count is unlimited |
| Boolean | The Account does not expire |
| String | Timestamp of last update |
| Enum | Usage type |
| Array | Errors |
Action: Get Script Results
This action retrieves script results URLs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Data | Enter the search data in the form of key-value pairs. You can search using computer names or with task IDs. Example: {"taskIds":["225494730938493804"]} or {"computerNames":["value",..]} | Key Value | Required |
Example Request
[
{
"data": {
"taskIds": "225494730938493804"
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object Array | List of download links |
| String | The name of the file |
| String | The task id related to the download link |
| String | Download link for the file |
| Array | Task id's and detailed errors for tasks which a download link couldn't be fetched |
| Array | Errors |
Action: Get Script Task Status
This action retrieves the status of the remote script tasks using a variety of filters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Parent Task ID | Enter the parent task ID to retrieve details. Example: "225494730938493804" | Text | Required | |
Extra Filters | Enter the extra filters in the form of key-value pairs. Example: {"limit":"10"} | Key Value | Optional | Allowed values:
|
Example Request
[
{
"parent_task_id": "225494730938493804"
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Pagination information |
| Object Array | Response data |
| String | Account id |
| String | Account name |
| String | Agent computer name |
| String | Agent id |
| Boolean | Agent is active |
| Boolean | Agent is decommissioned |
| String | Agent machine type |
| Enum | OS type |
| String | Agent uuid |
| String | Timestamp of date creation |
| String | Description |
| String | Detailed status |
| String | Group id |
| String | Group name |
| String | Task id |
| String | Initiated by |
| String | Initiated by id |
| String | Parent task id |
| String | Script results bucket |
| String | Script results path |
| String | Script results signature |
| String | Site id |
| String | Site name |
| Enum | Status |
| Integer | Status code |
| String | Status description |
| String | Type |
| String | Timestamp of last update |
| Array | Errors |
Action: List Remote Scripts
This action retrieves data of the scripts in the SentinelOne Script Library.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Payload | Enter the payload data in the form of key-value pairs. Example {"totalItems":"10"} | Key Value | Required | Allowed values:
|
Account IDs | Enter the list of account IDs to filter by. Example: $LIST[225494730938493804, 225494730938493915] | List | Required | |
Extra Parameters | Enter the extra parameters in the form of key-value pairs. Example: {"ids":["225494730938493804"]} | Key Value | Optional | Allowed values:
|
Example Request
[
{
"filters":{
"totalItems":"10"
},
"account_ids":[
"225494730938493804"
],
"extra_data":{
"ids":[
"225494730938493804"
]
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Pagination information |
| Object Array | Response data |
| String | Created by user id |
| String | Input example |
| String | Input instructions |
| Boolean | Is input required |
| String | Script name |
| String | Script type |
| String | Version |
| String | Bucket name |
| String | Created at |
| String | Created by user |
| String | Name of the creating user |
| String | Id of the creating user |
| String | File name with full path |
| Integer | File size |
| String | Script ID |
| Boolean | Is the script runnable in Advanced Response Scripts |
| Boolean | Is the script runnable in Lite version |
| Integer | Mgmt id |
| String Array | OS types |
| String Array | Output file paths |
| Object | Package |
| String | Scope ID |
| Enum | Scope level |
| String | The scripts scope name |
| String | The path of the scripts scope |
| String | Script description |
| Integer | Script runtime timeout in seconds |
| String | File name |
| String | Signature |
| String | Signature type |
| String Array | Supported destinations |
| String | Updated at |
| String | Name of the updating user |
| String | Id of the updating user |
| Array | Errors |
Action: Run Remote Script
This action runs a remote script that was uploaded to the SentinelOne Script Library.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Filters | Enter the filters in the form of key-value pairs. Example: {"cpuCount__lt":"90"} | Key Value | Required | Allowed values:
|
Group IDs | Enter the list of group IDs. Example: $LIST[ 225494730938493804, 225494730938493915 ] | List | Required | |
Task Description | Enter the task description. Example: "Sample Description" | Text | Required | |
Output Destination | Enter the output destination. Example: "SentinelCloud" | Text | Required | |
Extra Parameters | Enter the extra parameters in the form of key-value pairs. | Key Value | Optional | Allowed values:
|
Example Request
[
{
"filters": {
"cpuCount__lt": "2"
},
"extra_data": {
"scriptRuntimeTimeoutSeconds": 90
},
"taskdescription": "Sample Description",
"outputdestination": "SentinelCloud"
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Integer | Number of entities affected by the requested operation |
| String | The parent task id of the script execution task, null in case of pending execution |
| Boolean | Flag indicating if requested script execution requires approval and is created as pending execution |
| String | ID of created pending execution, present only if pending flag is true |
| Array | Errors |
Action: Get Query Status
This action retrieves the status of a deep visibility query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query ID | Enter the query ID to retrieve the status. Example: "q1652233" | Text | Required |
Example Request
[
{
"query_id": "q1652233"
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Integer | Query loading status in percentage |
| Enum | Response state |
| Object | Query mode info |
| String | The query mode |
| String | The query mode last_activated_at date |
| String | Relevant only for FAILED and FAILED_CLIENT DV errors |
| String | Warnings |
| Array | Errors |
Action: Get Process Details
This action retrieves the details of all deep visibility processes from a query ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query ID | Enter the query ID to retrieve the status. Example: "q1652233" | Text | Required | |
Query Parameters | Enter the query parameters to narrow down the result. Example: {"limit":10} | Key Value | Optional | Allowed keys:
|
Example Request:
[
{
"query_id": "q1652233"
"query_param": {
"limit":10
}
}
]Action: Get Event by Type
This action retrieves a list of events of a specific type.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Event Type | Enter an event type. Example: "Process Exit" | Text | Required | |
Query ID | Enter the query ID to retrieve the result. Example: "q1652233" | Text | Optional | |
Query Parameters | Enter the query parameters to narrow down the result. Example: {"limit":10} | Key Value | Optional | Allowed keys:
|
Example Request
[
{
"event_type": "Process Exit",
"query_id": "q1652233"
"query_param": {
"limit":10
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Agent domain |
| String | Agent group id |
| String | Agent id |
| Boolean | Agent infected |
| String | Agent ip |
| Boolean | Agent is active |
| Boolean | Agent is decommissioned |
| String | Agent machine type |
| String | Agent name |
| String | Agent network status |
| Enum | OS type |
| String | Agent uuid |
| String | Agent version |
| String | Created at |
| String | Id |
| String | Object type |
| String | Process name |
| String | Site name |
| String | User |
| String | Connection status |
| String | Direction |
| String | Dns request |
| String | Dns response |
| String | Dst ip |
| Integer | Dst port |
| String | Event type |
| String | File full name |
| String | File id |
| String | File md5 |
| String | File sha1 |
| String | File sha256 |
| String | File size |
| String | File type |
| String | Forensic url |
| String | Indicator category |
| String | Indicator description |
| String | Indicator metadata |
| String | Indicator name |
| Boolean | Is agent version fully supported for pg |
| String | Is agent version fully supported for pg message |
| String | Logins base type |
| String | Logins user name |
| String | Md5 |
| String | Network method |
| String | Network source |
| String | Network url |
| String | Old file md5 |
| String | Old file name |
| String | Old file sha1 |
| String | Old file sha256 |
| String | Parent pid |
| String | Parent process group id |
| Boolean | Parent process is malicious |
| String | Parent process name |
| String | Parent process start time |
| String | Parent process unique key |
| String | Pid |
| String | Process cmd |
| String | Process display name |
| String | Process group id |
| String | Process image path |
| String | Process image sha1 hash |
| String | Process integrity level |
| Boolean | Process is malicious |
| String | Process is redirected command processor |
| String | Process is wow64 |
| String | Process root |
| String | Process session id |
| String | Process start time |
| String | Process sub system |
| String | Process unique key |
| String | Process user name |
| String | Publisher |
| String | Registry id |
| String | Registry path |
| String | Related to threat |
| String | Rpid |
| String | Sha1 |
| String | Sha256 |
| String | Signature signed invalid reason |
| String | Signed status |
| String | Src ip |
| Integer | Src port |
| String | Src proc download token |
| String | Task name |
| String | Task path |
| String | Threat status |
| String | Tid |
| String | True context |
| String | Verified status |
| Array | Errors |
Action: Get Query Events
This action retrieves a list of query events.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query ID | Enter the query ID to retrieve the events. Example: "q1652233" | Text | Required | |
Query Parameters | Enter the query parameters to narrow down the result. Example: {"limit":10} | Key Value | Optional | Allowed keys:
|
Example Request
[
{
"query_id": "q1652233"
"query_param": {
"limit":10
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Agent domain |
| String | Agent group id |
| String | Agent id |
| Boolean | Agent infected |
| String | Agent ip |
| Boolean | Agent is active |
| Boolean | Agent is decommissioned |
| String | Agent machine type |
| String | Agent name |
| String | Agent network status |
| Enum | OS type |
| String | Agent uuid |
| String | Agent version |
| String | Created at |
| String | Id |
| String | Object type |
| String | Process name |
| String | Site name |
| String | User |
| String | Connection status |
| String | Direction |
| String | Dns request |
| String | Dns response |
| String | Dst ip |
| Integer | Dst port |
| String | Event type |
| String | File full name |
| String | File id |
| String | File md5 |
| String | File sha1 |
| String | File sha256 |
| String | File size |
| String | File type |
| String | Forensic url |
| String | Indicator category |
| String | Indicator description |
| String | Indicator metadata |
| String | Indicator name |
| Boolean | Is agent version fully supported for pg |
| String | Is agent version fully supported for pg message |
| String | Logins base type |
| String | Logins user name |
| String | Md5 |
| String | Network method |
| String | Network source |
| String | Network url |
| String | Old file md5 |
| String | Old file name |
| String | Old file sha1 |
| String | Old file sha256 |
| String | Parent pid |
| String | Parent process group id |
| Boolean | Parent process is malicious |
| String | Parent process name |
| String | Parent process start time |
| String | Parent process unique key |
| String | Pid |
| String | Process cmd |
| String | Process display name |
| String | Process group id |
| String | Process image path |
| String | Process image sha1 hash |
| String | Process integrity level |
| Boolean | Process is malicious |
| String | Process is redirected command processor |
| String | Process is wow64 |
| String | Process root |
| String | Process session id |
| String | Process start time |
| String | Process sub system |
| String | Process unique key |
| String | Process user name |
| String | Publisher |
| String | Registry id |
| String | Registry path |
| String | Related to threat |
| String | Rpid |
| String | Sha1 |
| String | Sha256 |
| String | Signature signed invalid reason |
| String | Signed status |
| String | Src ip |
| Integer | Src port |
| String | Src proc download token |
| String | Task name |
| String | Task path |
| String | Threat status |
| String | Tid |
| String | True context |
| String | Verified status |
| Array | Errors |
Action: Create Power Query
This action creates a power query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
From Date | Enter the date and time to create events after this timestamp. Example: "2018-02-27T04:49:26.257525Z" | Text | Required | |
To Date | Enter the date and time to create events before this timestamp. Example: "2018-02-28T04:49:26.257525Z" | Text | Required | |
Query | Enter the query to retrieve the matching events. Example: "AgentName IS NOT EMPTY" | Text | Required | |
Data | Enter the details to add to the query. Example: $JSON[{"isVerbose": true,"accountIds": ["225494730938493804"]}] | JSON | Optional |
Example Request
[
{
"from_date": "2018-02-27T04:49:26.257525Z ",
"to_date": "2018-02-28T04:49:26.257525Z ",
"query": "AgentName IS NOT EMPTY",
"data": {
"isVerbose":true,
"accountIds": ["225494730938493804"]
}
}
]Action: Generic Action
This is a generic action to perform any additional use case that you want on SentinelOne.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Endpoint | Enter the complete endpoint to send the request. Example: "/events/hunt" | Text | Required | |
HTTP Method | Enter an HTTP method in capital letters. Example: "POST" | Text | Required | |
Request Body | Enter the request body in JSON format. Example: $JSON[{"isVerbose": true,"accountIds": ["225494730938493804"]}] | JSON | Required | |
Query Params | Enter the query parameters to pass with the request. Example: $JSON[{"isVerbose": true,"accountIds": ["225494730938493804"]}] | JSON | Optional |
Example Request
[
{
"endpoint": "/events/hunt",
"http_method": "POST",
"request_body": {
"isVerbose":true,
"accountIds": ["225494730938493804"]
},
"query_params": {
"isVerbose":true,
"accountIds": ["225494730938493804"]
}
}
]Action: Get Alerts
This action retrieves a list of alerts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
Query Parameters | Enter the query parameters to narrow down the result. | Any | Optional | Allowed keys:
|
Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| Object | Pagination information |
| Integer | Total number of items found matching your query |
| String | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) |
| Object | The response data |
| Object | The agent detection time information |
| String | Account ID |
| String | Machine type |
| String | Name |
| String | OS family |
| String | OS name |
| String | OS revision |
| String | Site ID |
| String | The UUID of the agent |
| String | Version |
| object | Alert information |
| String | The ID of the alert |
| Enum | Analyst verdict |
| String | Timestamp alert sent for detection |
| String | The DNS name |
| String | The DNS response information (examples: IP address, DNS, data type) |
| String | The IP address of the destination. |
| String | The port number of the destination |
| String | The ID of the deep visibilty event |
| String | The type of the event |
| Enum | Type of hit reported from the Agent |
| Enum | Incident status |
| String | Get the Indicator categories for this process |
| String | Get the description of the indicator |
| String | Get the Indicator names for this process |
| Boolean | Returns true if the event is EDR |
| String | The domain or computer name for which the login attempt was performed |
| String | The SID of the account that attempted to log in |
| String | See if the login attempt was performed by an administrator equivalent |
| String | Check if the login attempt succeeded |
| String | The login username |
| String | The type of login that was performed |
| String | The paths of modules loaded by this process |
| String | The SHA1 signatures for modules loaded by this process |
| String | The direction of the connection attempt (incoming or outgoing) |
| String | The full paths of registry entries modified by this process |
| String | The previous registry value if it was modified |
| String | The previous registry value type if it was modified |
| String | The full path location of the registry key entry |
| String | The registry value |
| String | The timestamp of alert creation in STAR |
| String | The source reported from the agent |
| String | The IP address of the traffic source |
| String | The IP address of the endpoint performing the login attempt |
| String | The port number of the traffic source |
| String | The comparison method used by SentinelOne to trigger the event |
| String | The source of the identified Threat Intelligence indicator |
| String | The type of the identified Threat Intelligence indicator |
| String | The value of the identified Threat Intelligence indicator |
| String | The date of alert updated in STAR MMS |
| Object | The alert container information |
| String | The alert container ID |
| String | Image |
| String | Labels |
| String | Name |
| Object | The alert kubernetes information |
| String | Cluster |
| String | Controller kind |
| String | Controller labels |
| String | Controller name |
| String | Namespace |
| String | Namespace labels |
| String | Node |
| String | Pod |
| String | Pod labels |
| Object | Custom Detection rules like STAR indicators information |
| String | Query |
| String | The rule description for the STAR alert |
| String | The rule ID for the STAR alert |
| String | The rule name for the STAR alert |
| Enum | Defines the s1ql version query language of the rule (1.0/2.0) |
| Enum | The query type |
| Enum | Scope level |
| Enum | The severity of the rule |
| Enum | Rule treat as threat type |
| Object | Source parent process info |
| Enum | Integrity level |
| Enum | Subsystem |
| String | Commandline |
| String | Effective user |
| String | File hash MD5 |
| String | File hash SHA1 |
| String | File hash SHA256 |
| String | File path |
| String | The identity of the file signer |
| String | The login user |
| String | Name |
| String | PID |
| String | PID starttime |
| String | Real user |
| String | Storyline |
| String | Unique ID |
| String | User |
| Object | Source process info |
| Enum | Integrity level |
| Enum | Subsystem |
| String | Commandline |
| String | Effective user |
| String | File hash MD5 |
| String | File hash SHA1 |
| String | File hash SHA256 |
| String | File path |
| String | File signer identity |
| String | Login user |
| String | Name |
| String | PID |
| String | PID starttime |
| String | Real user |
| String | Storyline |
| String | Unique ID |
| String | User |
| Object | Target process info |
| String | The target file |
| String | Target file hash SHA1 |
| String | Target file hash SHA256 |
| String | The ID of the target file |
| String | Returns info if the target file is signed |
| String | Target file modified at |
| String | The old path of the target file |
| String | The path of the target file |
| String | The signed status of the target file |
| String | Target proc command line |
| String | Target proc image path |
| Enum | Target proc integrity level |
| String | Target proc name |
| String | Target proc PID |
| String | Target proc signed status |
| String | Target proc start time |
| String | Target proc storyline ID |
| String | Target proc UID |
Action: Create Query
This action creates a query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
From Date | Enter the date and time to create events after this timestamp. Example: 2018-02-27T04:49:26.257525Z | Text | Required | |
To Date | Enter the date and time to create events before this timestamp. Example: 2018-02-28T04:49:26.257525Z | Text | Required | |
Query | Enter the query to retrieve the matching events. Example: AgentName IS NOT EMPTY | Text | Required | |
Data | Enter the details to add to the query. Example: $JSON[{"isVerbose": true,"accountIds": ["225494730938493804"]}] | JSON | Optional |
Example Request
[
{
"from_date": "2018-02-27T04:49:26.257525Z ",
"to_date": "2018-02-28T04:49:26.257525Z ",
"query": "AgentName IS NOT EMPTY",
"data":
{
"isVerbose":true,
"accountIds": ["225494730938493804"]
}
}
]Action Response Parameters
Parameters | Field Type | Description |
|---|---|---|
| Object | The response data |
| String | The unique identifier of the query |
| Object | The info on the mode of the query |
| String | The query mode |
| String | The last activated date of the query modee |
| Array | Errors |
Action: Update threat analyst verdict
This action updates the threat analyst verdict to understand if the threat is real, false, suspicious or undefined.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Analyst Verdict | Enter the analyst verdict. Example:
| Text | Required | |
Threat IDs | Enter the threat IDs in a comma separated list. Example: {"1234999", "23456888"} | Text | Required | |
Extra Filters | Enter the extra filters if any as key-value pairs to update the threat analyst verdict. | Key Value | Optional | Allowed values: 'noteExists', 'containerLabels__contains', 'minLength', 'classificationSources', 'agentIsActive', 'enginesNin', 'confidenceLevelsNin', 'agentVersionsNin', 'classificationSourcesNin', 'detectionAgentDomain__contains', 'accountIds', 'agentMachineTypesNin', 'uuid__contains', 'k8sClusterName__contains', 'initiatedByUsername__contains', 'updatedAt__gt', 'k8sControllerLabels__contains', 'rebootRequired', 'osNames', 'confidenceLevels', 'k8sControllerName__contains', 'k8sNodeName__contains', 'externalTicketExists', 'createdAt__lt', 'query', 'createdAt__lte', 'computerName__contains', 'minimum', 'detectionEnginesNin', 'initiatedByNin', 'classificationsNin', 'agentMachineTypes', 'k8sPodLabels__contains', 'mitigationStatuses', 'k8sNamespaceName__contains', 'externalTicketId__contains', 'analystVerdict', 'incidentStatuses', 'siteIds', 'agentIds', 'limit', 'containerImageName__contains', 'failedActions', 'engines', 'createdAt__gte', 'externalTicketIds', 'detectionEngines', 'resolved', 'createdAt__gt', 'contentHash__contains', 'osNamesNin', 'updatedAt__lte', 'realtimeAgentVersion__contains', 'mitigatedPreemptively', 'classifications', 'incidentStatusesNin', 'originatedProcess__contains', 'threatDetails__contains', 'k8sNamespaceLabels__contains', 'updatedAt__lt', 'osTypesNin', 'publisherName__contains', 'detectionAgentVersion__contains', 'commandLineArguments__contains', 'containerName__contains', 'filePath__contains', 'countsFor', 'collectionIds', 'description', 'displayName', 'k8sPodName__contains', 'osArchs', 'updatedAt__gte', 'storylines', 'tenant', 'initiatedBy', 'groupIds', 'contentHashes', 'agentVersions', 'analystVerdictsNin', 'mitigationStatusesNin', 'pendingActions', 'osTypes', 'storyline__contains' |
Example Request
[
{
"threat_ids": "1194559565660255827",
"analyst_verdict": "true_positive"
"extra_filters": {
“mitigationstatus”: “mitigated”
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Response data |
| Integer | Number of entities affected by the requested operation |
| Array | Result details for each threat |
| Enum | Result of changing the threat's analyst verdict |
| String | Threat ID |
| Array | Errors |
Action: Get Dashboard Overview Details (Deprecated)
This action retrieves the dashboard overview details as a report using query parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
Query Parameters | Enter the query parameters in the form of key-value pairs. | Key Value | Optional | Allowed values:
|
Action: Get Threat Process Event Details (To be deleted)
This action retrieves the details of a threat process event using threat ID, event ID, and query parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
Threat ID | Enter the threat ID. Example: 739689244088122893 | Text | Required | |
Event ID | Enter the event ID. Example: 739737254943839285 | Text | Required | |
Query Parameters | Enter the query parameters in the form of key-value pairs. | Key Value | Optional | Allowed value: addCounts (bool) |