SentinelOne
The SentinelOne Connector app lets security teams integrate with the SentinelOne endpoint protection platform to manage sites, threats, blacklist items, and hashes.
Supported Actions and Example Prompts
The following table lists the supported actions and prompt examples for an action:
Action Name | Description | Prompt Example |
---|---|---|
Create Query | This action creates a query. For more information, see Action: Create Query. | Create a query for AgentName IS NOT EMPTY from 2018-02-27T04:49:26.257525Z to 2018-02-28T04:49:26.257525Z using SentinelOne. |
Get Event by Type | This action retrieves a list of events of a specific type. For more information, see Action: Get Event by Type (Beta). | Get events of the type Process Exit from SentinelOne. |
Get Query Events | This action retrieves a list of query events. For more information, see Action: Get Query Events. | Get query events of q1652233 from SentinelOne. |
Quarantine Machine | This action quarantines a machine from the rest of the network. For more information, see Action: Quarantine Machine. | Quarantine machine with the rule category as possible threats and threat IDs ["1234999", "23456888"]. |
Install and Configure the App
Install and configure the required apps to enable Quarterback AI to perform various security-related tasks and provide relevant responses. After installing an app, you must create an instance that will be used to communicate with the app endpoints. An app can have multiple instances, and you can set a default instance from the configured instance list.
Before you Start
Ensure that you have the API token to authenticate with the SentinelOne app.
Steps
To install and configure an app, follow these steps:
In the application's left pane, select Quarterback AI.
In Apps, select SentinelOne and click Install.
After the app is installed, click Configure and enter the following details to create an instance:
Instance Name: Enter a name for the instance.
Instance Description: Enter a description for the instance.
Expiry: Select an expiry date for the instance.
Set as default instance: Select this option to set this instance as the default instance. By default, this instance will be used to perform actions from this app.
Base URL: Enter the base URL of the SentinelOne management console. For example, your-subdomain.sentinelone.net.
API token: Enter the API token for accessing the SentinelOne management console REST API.
SSL/TLS Verify: Select this option to verify the management console's TLS certificate when making requests. Keep it selected: with verification off, the API token is sent to any host that answers for the base URL, including an interposed one. By default, this option is not selected, so enable it explicitly when you create the instance.
Timeout: Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with SentinelOne. You can enter values between 15 and 120 seconds. By default, 15 seconds is set.
Click Done.
The instance is created, and you can view it in Instances. To create another instance, click Add Instance.
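The instance settings above decide what the connector trusts and for how long it waits. As an added example (not code from the connector or from SentinelOne), the following Python checks an instance configuration the way a reviewer would before saving it: it rejects an empty token, a non-https base URL, an unverified TLS setting and a timeout outside the 15 to 120 second range stated above. The InstanceConfig class and the function names are illustrative assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Limits stated on this page for the Timeout field.
TIMEOUT_MIN_S, TIMEOUT_MAX_S = 15, 120


@dataclass(frozen=True)
class InstanceConfig:
    """Mirror of the fields entered in the Configure dialog (field names are illustrative)."""
    name: str
    base_url: str
    api_token: str
    ssl_verify: bool
    timeout: int


def normalize_base_url(raw: str) -> str:
    """Accept 'your-subdomain.sentinelone.net' or a full URL and return 'https://host'.

    Anything that is not https is rejected: the API token travels with every request,
    so a plain-http console URL would expose it on the wire.
    """
    raw = raw.strip()
    if "://" not in raw:
        raw = "https://" + raw  # the page's example omits the scheme
    parsed = urlparse(raw)
    if parsed.scheme != "https":
        raise ValueError(f"base URL must use https, got {parsed.scheme!r}")
    if not parsed.netloc:
        raise ValueError("base URL has no host")
    return f"https://{parsed.netloc}"


def validate_instance(cfg: InstanceConfig) -> list:
    """Return the list of problems with an instance; an empty list means it is safe to save."""
    problems = []
    if not cfg.name.strip():
        problems.append("instance name is empty")
    if not cfg.api_token.strip():
        problems.append("API token is empty")
    try:
        normalize_base_url(cfg.base_url)
    except ValueError as exc:
        problems.append(str(exc))
    if not cfg.ssl_verify:
        # Off by default on this page. With it off, the token goes to whoever answers
        # for the base URL, including a man-in-the-middle presenting any certificate.
        problems.append("SSL/TLS Verify is off; enable it so the console certificate is checked")
    if not TIMEOUT_MIN_S <= cfg.timeout <= TIMEOUT_MAX_S:
        problems.append(f"timeout {cfg.timeout}s is outside {TIMEOUT_MIN_S}-{TIMEOUT_MAX_S}s")
    return problems


if __name__ == "__main__":
    # Constructed configurations: the weak one mirrors the page's defaults, the fixed one
    # is what the instance should look like before it is saved.
    weak = InstanceConfig("s1-prod", "your-subdomain.sentinelone.net", "REDACTED", False, 10)
    fixed = InstanceConfig("s1-prod", "https://your-subdomain.sentinelone.net", "REDACTED", True, 30)
    for label, cfg in (("weak", weak), ("fixed", fixed)):
        print(label, validate_instance(cfg) or "ok")
```

Run the check against every instance you configure; the `weak` configuration above fails on two counts (verification off, timeout below the minimum), which is exactly the state a freshly created instance is in if the defaults are left alone.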
Action: Create Query
This action creates a query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
From Date | Enter the start of the time window; only events at or after this timestamp are returned. Example: 2018-02-27T04:49:26.257525Z | Text | Required | |
To Date | Enter the end of the time window; only events before this timestamp are returned. Example: 2018-02-28T04:49:26.257525Z | Text | Required | |
Query | Enter the query to retrieve the matching events. Example: AgentName IS NOT EMPTY | Text | Required | |
Data | Enter the details to add to the query. Example: $JSON[{"isVerbose": true,"accountIds": ["225494730938493804"]}] | Key Value | Optional | |
Example Request
[ { "from_date": "2018-02-27T04:49:26.257525Z", "to_date": "2018-02-28T04:49:26.257525Z", "query": "AgentName IS NOT EMPTY", "data": { "isVerbose": true, "accountIds": ["225494730938493804"] } } ]
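The request above is only as good as its timestamps: a stray space or a window whose end precedes its start produces an empty or rejected query. As an added example (not the connector's own code), the following Python assembles a Create Query body from the page's values after validating every field. The function names and the 30 day window limit are assumptions introduced for illustration.

```python
import re
from datetime import datetime, timezone

# Timestamps on this page take the form 2018-02-27T04:49:26.257525Z (UTC, optional fraction).
_UTC_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,6}))?Z$")


def parse_utc(ts: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp with a trailing Z; surrounding whitespace is ignored."""
    match = _UTC_TS.match(ts.strip())
    if match is None:
        raise ValueError(f"timestamp must look like 2018-02-27T04:49:26.257525Z, got {ts!r}")
    base, frac = match.groups()
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    if frac:
        dt = dt.replace(microsecond=int(frac.ljust(6, "0")))
    return dt


def format_utc(dt: datetime) -> str:
    """Render a UTC datetime back into the exact form the action expects."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f") + "Z"


def build_create_query_request(from_date, to_date, query, data=None, max_window_days=30):
    """Assemble one Create Query request body after validating every field.

    Returns the same dict shape as the example request on this page (the page wraps it
    in a list). The window limit is an assumption added here to keep accidental
    year-long queries out of the console.
    """
    start, end = parse_utc(from_date), parse_utc(to_date)
    if end <= start:
        raise ValueError("to_date must be later than from_date")
    if (end - start).days > max_window_days:
        raise ValueError(f"query window exceeds {max_window_days} days")
    query = query.strip()
    if not query:
        raise ValueError("query must not be empty")
    body = {"from_date": format_utc(start), "to_date": format_utc(end), "query": query}
    if data:
        if not isinstance(data, dict):
            raise TypeError("data must be a JSON object (dict)")
        body["data"] = data
    return body


if __name__ == "__main__":
    import json
    # Same values as the page's example; the trailing spaces are deliberate to show they are stripped.
    req = build_create_query_request(
        "2018-02-27T04:49:26.257525Z ", "2018-02-28T04:49:26.257525Z ",
        "AgentName IS NOT EMPTY", {"isVerbose": True, "accountIds": ["225494730938493804"]},
    )
    print(json.dumps([req], indent=2))
```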
Action Response Parameters
Parameters | Field Type | Description |
---|---|---|
| Object | The response data |
| String | The unique identifier of the query |
| Object | The info on the mode of the query |
| String | The query mode |
| String | The last activated date of the query mode |
| Array | Errors |
Action: Get Event by Type (Beta)
This action retrieves a list of events of a specific type.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Event Type | Enter an event type. Example: "Process Exit" | Text | Required | |
Query ID | Enter the query ID to retrieve the result. Example: "q1652233" | Text | Required | |
Query Parameters | Enter the query parameters to narrow down the result. Example: {"limit":10} | Key Value | Optional | Allowed keys: |
Example Request
[ { "event_type": "Process Exit", "query_id": "q1652233", "query_param": { "limit": 10 } } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Agent domain |
| String | Agent group id |
| String | Agent id |
| Boolean | Agent infected |
| String | Agent ip |
| Boolean | Agent is active |
| Boolean | Agent is decommissioned |
| String | Agent machine type |
| String | Agent name |
| String | Agent network status |
| Enum | OS type |
| String | Agent uuid |
| String | Agent version |
| String | Created at |
| String | Id |
| String | Object type |
| String | Process name |
| String | Site name |
| String | User |
| String | Connection status |
| String | Direction |
| String | Dns request |
| String | Dns response |
| String | Dst ip |
| Integer | Dst port |
| String | Event type |
| String | File full name |
| String | File id |
| String | File md5 |
| String | File sha1 |
| String | File sha256 |
| String | File size |
| String | File type |
| String | Forensic url |
| String | Indicator category |
| String | Indicator description |
| String | Indicator metadata |
| String | Indicator name |
| Boolean | Is agent version fully supported for pg |
| String | Is agent version fully supported for pg message |
| String | Logins base type |
| String | Logins user name |
| String | Md5 |
| String | Network method |
| String | Network source |
| String | Network url |
| String | Old file md5 |
| String | Old file name |
| String | Old file sha1 |
| String | Old file sha256 |
| String | Parent pid |
| String | Parent process group id |
| Boolean | Parent process is malicious |
| String | Parent process name |
| String | Parent process start time |
| String | Parent process unique key |
| String | Pid |
| String | Process cmd |
| String | Process display name |
| String | Process group id |
| String | Process image path |
| String | Process image sha1 hash |
| String | Process integrity level |
| Boolean | Process is malicious |
| String | Process is redirected command processor |
| String | Process is wow64 |
| String | Process root |
| String | Process session id |
| String | Process start time |
| String | Process sub system |
| String | Process unique key |
| String | Process user name |
| String | Publisher |
| String | Registry id |
| String | Registry path |
| String | Related to threat |
| String | Rpid |
| String | Sha1 |
| String | Sha256 |
| String | Signature signed invalid reason |
| String | Signed status |
| String | Src ip |
| Integer | Src port |
| String | Src proc download token |
| String | Task name |
| String | Task path |
| String | Threat status |
| String | Tid |
| String | True context |
| String | Verified status |
| Array | Errors |
Action: Get Query Events
This action retrieves a list of query events.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query ID | Enter the query ID to retrieve the events. Example: "q1652233" | Text | Required | |
Query Parameters | Enter the query parameters to narrow down the result. Example: {"limit":10} | Key Value | Optional | Allowed keys: |
Example Request
[ { "query_id": "q1652233", "query_param": { "limit": 10 } } ]
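Both Get Event by Type and Get Query Events return pages of events with the fields listed in their response tables; what an analyst does next is filter and reduce them. As an added example (not the connector's or SentinelOne's code), the following Python runs that triage over a constructed page of events: it reproduces the type filter client-side and pulls out malicious file hashes, connections leaving the assumed corporate ranges, and DNS requests. The camelCase key names, the sample events and the internal address ranges are all assumptions made for the example.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of what the two event actions return. Keys are the response table
# fields on this page in camelCase (assumed); every value is invented, not captured.
SAMPLE_RESPONSE = {
    "data": [
        {"id": "1", "eventType": "Process Exit", "agentName": "WS-042", "agentIp": "10.0.5.21",
         "processName": "notepad.exe", "processCmd": "notepad.exe C:\\Users\\a\\notes.txt",
         "fileSha256": "0" * 64, "processIsMalicious": False, "signedStatus": "signed"},
        {"id": "2", "eventType": "Process Exit", "agentName": "WS-042", "agentIp": "10.0.5.21",
         "processName": "powershell.exe",
         "processCmd": "powershell.exe -nop -w hidden -enc SQBFAFgA",
         "fileSha256": "1" * 64, "processIsMalicious": True, "signedStatus": "signed"},
        {"id": "3", "eventType": "IP Connect", "agentName": "WS-042", "agentIp": "10.0.5.21",
         "processName": "powershell.exe", "dstIp": "203.0.113.7", "dstPort": 4444,
         "direction": "OUTGOING"},
        {"id": "4", "eventType": "DNS", "agentName": "SRV-01", "agentIp": "10.0.9.4",
         "processName": "svchost.exe", "dnsRequest": "updates.example.net"},
    ],
    "errors": [],
}

# Assumed corporate address space; anything outside it is treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def events_of_type(response: dict, event_type: str) -> list:
    """Client-side equivalent of Get Event by Type over an already fetched page of events."""
    wanted = event_type.strip().lower()
    return [e for e in response.get("data", []) if e.get("eventType", "").lower() == wanted]


def triage(response: dict) -> dict:
    """Reduce a page of query events to what an analyst looks at first."""
    events = response.get("data", [])
    bad_hashes = sorted({e["fileSha256"] for e in events
                         if e.get("processIsMalicious") and e.get("fileSha256")})
    external = sorted({(e["dstIp"], e.get("dstPort")) for e in events
                       if e.get("dstIp") and not is_internal(e["dstIp"])})
    return {
        "counts": dict(Counter(e.get("eventType", "?") for e in events)),
        "agents": sorted({e["agentName"] for e in events if e.get("agentName")}),
        "malicious_sha256": bad_hashes,
        "external_destinations": external,
        "dns_requests": sorted({e["dnsRequest"] for e in events if e.get("dnsRequest")}),
        "errors": list(response.get("errors", [])),
    }


if __name__ == "__main__":
    print(len(events_of_type(SAMPLE_RESPONSE, "Process Exit")), "Process Exit events")
    for key, value in triage(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

The `errors` array is carried through on purpose: a page that arrives with errors but a partial `data` list should not be read as a clean result.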
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| String | Agent domain |
| String | Agent group id |
| String | Agent id |
| Boolean | Agent infected |
| String | Agent ip |
| Boolean | Agent is active |
| Boolean | Agent is decommissioned |
| String | Agent machine type |
| String | Agent name |
| String | Agent network status |
| Enum | OS type |
| String | Agent uuid |
| String | Agent version |
| String | Created at |
| String | Id |
| String | Object type |
| String | Process name |
| String | Site name |
| String | User |
| String | Connection status |
| String | Direction |
| String | Dns request |
| String | Dns response |
| String | Dst ip |
| Integer | Dst port |
| String | Event type |
| String | File full name |
| String | File id |
| String | File md5 |
| String | File sha1 |
| String | File sha256 |
| String | File size |
| String | File type |
| String | Forensic url |
| String | Indicator category |
| String | Indicator description |
| String | Indicator metadata |
| String | Indicator name |
| Boolean | Is agent version fully supported for pg |
| String | Is agent version fully supported for pg message |
| String | Logins base type |
| String | Logins user name |
| String | Md5 |
| String | Network method |
| String | Network source |
| String | Network url |
| String | Old file md5 |
| String | Old file name |
| String | Old file sha1 |
| String | Old file sha256 |
| String | Parent pid |
| String | Parent process group id |
| Boolean | Parent process is malicious |
| String | Parent process name |
| String | Parent process start time |
| String | Parent process unique key |
| String | Pid |
| String | Process cmd |
| String | Process display name |
| String | Process group id |
| String | Process image path |
| String | Process image sha1 hash |
| String | Process integrity level |
| Boolean | Process is malicious |
| String | Process is redirected command processor |
| String | Process is wow64 |
| String | Process root |
| String | Process session id |
| String | Process start time |
| String | Process sub system |
| String | Process unique key |
| String | Process user name |
| String | Publisher |
| String | Registry id |
| String | Registry path |
| String | Related to threat |
| String | Rpid |
| String | Sha1 |
| String | Sha256 |
| String | Signature signed invalid reason |
| String | Signed status |
| String | Src ip |
| Integer | Src port |
| String | Src proc download token |
| String | Task name |
| String | Task path |
| String | Threat status |
| String | Tid |
| String | True context |
| String | Verified status |
| Array | Errors |
Action: Quarantine Machine
This action quarantines a machine from the rest of the network based on a rule category and threat IDs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Rule Category | Enter the rule category. Example: possible threats | Text | Required | |
Threat IDs | Enter the threat IDs in a comma separated list. Example: ["1234999", "23456888"] | List | Required | |
Tag IDs | Enter the list of tag ids. Example: [tag1,tag2] | List | Required | |
Extra Filters | Enter any additional filters as key-value pairs to quarantine a machine. | Key Value | Optional | Allowed keys: createdAt__between, locationIds, enum, createdAt__lte, accountIds, name__contains, createdAt__gt, createdAt__lt, application__contains, minLength, directions, query, actions, protocols, description, groupIds, createdAt__gte, osTypes, protocol__contains, applications, service__contains, siteIds, minimum, tenant, name, scopes, statuses, tagName__contains, tag_ids |
Example Request
[ { "threat_ids": ["1194559565660255827"], "tag_ids": ["tag1256"], "rule_category": "possiblethreats", "extra_filters": { "groupIds": "group123" } } ]
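Quarantine is a containment action, so the request should be built defensively: a mistyped filter key or an over-broad scope isolates the wrong machines. As an added example (not the connector's or SentinelOne's code), the following Python assembles a Quarantine Machine body from the page's values, accepts threat and tag IDs either as lists or as comma separated strings (both forms appear above), and rejects any extra filter key that is not in the allowed list from the table. The function names and the rule that threat IDs must be decimal strings are assumptions drawn from the examples on this page.

```python
# Allowed extra_filters keys, exactly as listed in the Quarantine Machine input table.
ALLOWED_EXTRA_FILTERS = frozenset({
    "createdAt__between", "locationIds", "enum", "createdAt__lte", "accountIds", "name__contains",
    "createdAt__gt", "createdAt__lt", "application__contains", "minLength", "directions", "query",
    "actions", "protocols", "description", "groupIds", "createdAt__gte", "osTypes",
    "protocol__contains", "applications", "service__contains", "siteIds", "minimum", "tenant",
    "name", "scopes", "statuses", "tagName__contains", "tag_ids",
})


def as_id_list(value, field: str) -> list:
    """Accept a list or a comma separated string and return a non-empty list of trimmed IDs."""
    if isinstance(value, str):
        items = [v.strip() for v in value.split(",")]
    elif isinstance(value, (list, tuple)):
        items = [str(v).strip() for v in value]
    else:
        raise TypeError(f"{field} must be a list or a comma separated string")
    items = [v for v in items if v]
    if not items:
        raise ValueError(f"{field} must contain at least one ID")
    return items


def build_quarantine_request(rule_category, threat_ids, tag_ids, extra_filters=None) -> dict:
    """Assemble one Quarantine Machine request body after validating its scope."""
    category = rule_category.strip()
    if not category:
        raise ValueError("rule_category must not be empty")
    tids = as_id_list(threat_ids, "threat_ids")
    # Every threat ID on this page is a decimal string (assumption): anything else is
    # most likely a pasted threat name or a copy error, not a threat to act on.
    bad = [t for t in tids if not t.isdigit()]
    if bad:
        raise ValueError(f"threat_ids must be numeric strings, got {bad}")
    filters = dict(extra_filters or {})
    unknown = sorted(set(filters) - ALLOWED_EXTRA_FILTERS)
    if unknown:
        raise ValueError(f"unsupported extra_filters keys: {unknown}")
    body = {
        "rule_category": category,
        "threat_ids": tids,
        "tag_ids": as_id_list(tag_ids, "tag_ids"),
    }
    if filters:
        body["extra_filters"] = filters
    return body


if __name__ == "__main__":
    import json
    # Values from the page's example request.
    req = build_quarantine_request("possiblethreats", "1194559565660255827", "tag1256",
                                   {"groupIds": "group123"})
    print(json.dumps([req], indent=2))
```

Keys are matched case-sensitively on purpose: `groupids` is not `groupIds`, and silently dropping an unrecognised filter would widen the quarantine rather than narrow it.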
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Response data from SentinelOne. |
| Integer | Number of machines affected by the requested operation. |
| Array | Errors received from SentinelOne. |
| String | HTTP status code of the API request received from the app instance. For more information, see List of HTTP status codes. |