SentinelOneV2
Integration version: 34.0
Configure SentinelOneV2 to work with Google Security Operations SOAR
New Authorization
For the new authorization, an API token is used instead of previously required Username and Password.
Benefits:
- If the account has 2FA, the username-password method stops working but the token works.
- A session token is created for a week, the API token is valid for 6 months, so you need to update credentials twice a year.
Generate an API Token from the WebUI
- In your Management Console, go to Settings > USERS.
- Click your username and click Edit.
- In Edit User > API Token, click Generate.
If the Revoke and Regenerate are present, you already have a token. If you revoke or regenerate it, scripts that use that token won't work. There is no confirmation. Revoke removes the token authorization, while Regenerate revokes the token and generates a new token. If you click Generate or Regenerate, a message shows the token string and the date that the token expires.
Configure SentinelOneV2 integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Instance Name | String | N/A | No | Name of the Instance you intend to configure integration for. |
| Description | String | N/A | No | Description of the Instance. |
| API root | String | N/A | Yes | SentinelOne API root. |
| API Token | String | N/A | Yes | SentinelOne API token. Note: SentinelOne API token needs to be updated every 6 months. This is a SentinelOne policy. |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the Sentinel public cloud server is valid. |
Actions
Create Hash Exclusion Record
Add hash to the exclusion list in SentinelOne.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Operation System | String | Windows | Yes | Specify the OS for the hash. Possible values: windows, windows_legacy, macos, linux. |
| Site IDs | String | N/A | No Note: One of them is mandatory. |
Specify a comma-separated list of site IDs, where hash needs to be sent to the exclusion list. |
| Group IDs | String | N/A | No Note: One of them is mandatory. |
Specify a comma-separated list of group IDs, where hash needs to be sent to the exclusion list. |
| Account IDs | CSV | N/A | No | Specify a comma-separated list of account IDs, where hash needs to be sent to the exclusion list. |
| Description | String | N/A | No | Specify additional information related to the hash. |
| Add to global exclusion list | Checkbox | Checked | No | If enabled, the action adds a hash to the global exclusion list. Note: When this parameter is enabled, the "Site IDs", "Group IDs" and "Account IDs" parameters are ignored. |
Use cases
Analyst can create an exclusion item for an allowlist.
Run On
This action runs on the Hash entity.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[
{
`ENTITY_IDENTIFIER`:
{ID: `WHITELISTED_ENTITY_ID`,
Created Time: `TIME_THE_WHITELISTED_ITEM_WAS_CREATED`,
Scope ID: `SITE_OR_GROUP_ID`,
Scope Name: `SCOPE_NAME`}
}
]
Case Wall
| Result type | Value/Description | Type (Entity \ General) |
|---|---|---|
| Output message* | If successful for one hash (is_success=true): "Successfully added the following hashes to the exclusion list in SentinelOne:\n{0}".format(entity.identifier) If already exist for at least one hash (is_success=true): "The following hashes were already a part of exclusion list in SentinelOne:\n{0}".format(entity.identifier) If not successful for one hash (is_success=true): "Action wasn't able to add the following hashes to the exclusion list in SentinelOne:\n{0}".format(entity.identifier) If not successful for all hashes (is_success=false): "No hashes were added to the exclusion list in SentinelOne." If a critical error is reported: "Error executing action "Create Hash Exclusion Record". Reason: {0}".(traceback) If the "Site IDs", "Group IDs", "Account IDs" parameters are not provided and the "Add to global exclusion list" parameter is not enabled: "Error executing action "Create Hash Exclusion Record". Reason: at least one value should be provided for "Site IDs" or "Group IDs" or "Account IDs" parameters or "Add to global exclusion list" should be enabled." |
General |
Create Path Exclusion Record
Add path to the exclusion list in SentinelOne.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Path | String | N/A | Yes | Specify the path that needs to be added to the exclusion list. |
| Operation System | String | Windows | Yes | Specify the OS for the path. Possible values: windows, windows_legacy, macos, linux. |
| Site IDs | String | N/A | No Note: One of them is mandatory. |
Specify a comma-separated list of site IDs, where path needs to be sent to the exclusion list. |
| Group IDs | String | N/A | No Note: One of them is Mandatory. |
Specify a comma-separated list of group IDs, where path needs to be sent to the exclusion list. |
| Account IDs | CSV | N/A | No | Specify a comma-separated list of account IDs, where path needs to be sent to the exclusion list. |
| Description | String | N/A | No | Specify additional information related to the path. |
| Add to global exclusion list | Checkbox | Unchecked | No | If enabled, the action adds the path to the global exclusion list. Note: If this parameter is enabled, the "Site IDs", "Group IDs" and "Account IDs" parameters are ignored. |
| Include Subfolders | Checkbox | Unchecked | No | If enabled, the action includes subfolders for the provided path. This feature only works, if the user provides a folder path and not the file path. |
| Mode | DDL | Suppress Alerts Possible values:
|
No | Specify the mode that should be used for the excluded path. |
Use cases
Analyst can create an exclusion item for an allowlist.
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[
{
`ENTITY_IDENTIFIER`:
{ID: `WHITELISTED_ENTITY_ID`,
Created Time: `TIME_THE_WHITELISTED_ITEM_WAS_CREATED`,
Scope ID: `SITE_OR_GROUP_ID`,
Scope Name: `SCOPE_NAME`}
}
]
Case Wall
| Result type | Value/Description | Type (Entity \ General) |
|---|---|---|
| Output message* | If successful or errors/title="Already Exists" (is_success=true): "Successfully added path {0} to the exclusion list in SentinelOne:\n{0}".format(path value) If the 400 status code is reported: "Action wasn't able to add path {0} to the exclusion list." Reason: {1}".format(path, errors/detail) If critical error: "Error executing action "Create Path Exclusion Record". Reason: {0}".(traceback) If the "Site IDs", "Group IDs", "Account IDs" parameters are not provided and the "Add to global exclusion list" parameter is not enabled: "Error executing action "Create Path Exclusion Record". Reason: at least one value should be provided for "Site IDs" or "Group IDs" or "Account IDs" parameters or "Add to global exclusion list" should be enabled." |
General |
Mitigate Threat
Executes mitigation actions on the threats in SentinelOne.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Mitigation action | DDL | quarantine Possible Values:
|
Yes | Specify the mitigation actions for the provided threats. |
| Threat IDs | List | N/A | Yes | Specify a comma-separated list of threat IDs that should be mitigated. |
Use cases
Analyst can apply a mitigation action to a group of threats.
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[
{
"mitigated": true,
"mitigation_action": "quarantine",
"Threat_ID": "838490132706375118"
}
]
Case Wall
| Result type | Value/Description | Type (Entity \ General) |
|---|---|---|
| Output message* | If successful for one threat (is_success=true): "Successfully mitigated the following threats in SentinelOne: {0}".format(threat_ids) If no successful for one threat (is_success=true): "Action wasn't able to mitigate the following threats in SentinelOne: {0}".format(threat_ids) If no successful for all threats (is_success=false): "No threats were mitigated." |
General |
Resolve Threat
Resolve threats in SentinelOne.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Threat IDs | List | N/A | Yes | Specify a comma-separated list of threat IDs that need to be resolved. |
| Annotation | String | N/A | No | Specify an annotation describing, why the threat can be resolved. |
Use cases
Analyst can resolve threats.
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[{"resolved": false, "Threat_ID": "509259775582960700" } ]
Case Wall
| Result type | Value/Description | Type (Entity \ General) |
|---|---|---|
| Output message* | If successful for one threat (is_success=true): "Successfully resolved the following threats in SentinelOne: {0}".format(threat_ids) If no successful for one threat (is_success=true): "Action wasn't able to resolve the following threats in SentinelOne: {0}".format(threat_ids) If no successful for any threat (is_success=false): "No threats were resolved." |
General |
Mark as Threat
Marks suspicious threats as a true positive threat in SentinelOne.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Threat IDs | List | N/A | Yes | Specify a comma-separated list of threat IDs that should be marked. |
Use cases
Analysts want to mark suspicious threats as a threat.
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[{ID: `THREAT_ID`, marked_as_threat: `BOOLEAN`}] **
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | If successful for one threat (is_success=true): "Successfully marked the following threats in SentinelOne: {0}".format(threat_ids) If no successful for one threat (is_success=true): "Action wasn't able to mark the following threats in SentinelOne: {0}".format(threat_ids) If no successful for any threat (is_success=false): "No threats were marked." |
General |
Get Threats
Retrieve information about threats in SentinelOne.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Mitigation Status | String | N/A | No | Specify a comma-separated list of threat statuses. Only threats that match the statuses are returned. Possible values: mitigated, active, blocked, suspicious, suspicious_resolved |
| Created until | String | N/A | No | Specify the end time for the threats.
|
| Created from | String | N/A | No | Specify the start time for the threats.
|
| Resolved Threats | Checkbox | Unchecked | No | If enabled, the action only returns resolved threats. |
| Threat Display Name | String | N/A | No | Specify a display name of the threat that you want to return. Partial name also works. |
| Limit | Integer | 10 | No | Specify the number of threats to return. |
| API Version | DDL | 2.0 Possible values:
|
Specify the version of API to use in the action. If nothing is provided the connector uses the 2.1 version. Note: The JSON result structure is different between API versions. It is recommended to use the latest one. |
Use cases
Analysts want to know threat ID.
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"accountId": "433241117337583618",
"accountName": "SentinelOne",
"agentComputerName": "desktop-43QNK0O",
"agentDomain": "WORKGROUP",
"agentId": "823949401337686055",
"agentInfected": false,
"agentIp": "76.112.223.210",
"agentIsActive": false,
"agentIsDecommissioned": false,
"agentMachineType": "desktop",
"agentNetworkStatus": "connected",
"agentOsType": "windows",
"agentVersion": "3.6.6.104",
"annotation": null,
"automaticallyResolved": false,
"browserType": null,
"certId": "",
"classification": "generic.heuristic",
"classificationSource": "Cloud",
"classifierName": "MANUAL",
"cloudVerdict": "provider_unknown",
"collectionId": "838490132723152335",
"commandId": "835975626369402963",
"createdAt": "2020-03-02T21:30:13.014874Z",
"createdDate": "2020-03-02T21:30:12.748000Z",
"description": "malware detected - not mitigated yet",
"engines": [
"manual"
],
"external_ticket_id": null,
"fileContentHash": "fc5a9b5e806f35a7b285e012ef8df3f06f399492",
"fileCreatedDate": null,
"fileDisplayName": "GameBar.exe",
"fileExtensionType": "Executable",
"fileIsDotNet": null,
"fileIsExecutable": true,
"fileIsSystem": false,
"fileMaliciousContent": null,
"fileObjectId": "99FF941D82E382D1",
"filePath": "\\Device\\HarddiskVolume3\\Program Files\\WindowsApps\\Deleted\\Microsoft.XboxGamingOverlay_3.36.6003.0_x64__8wekyb3d8bbwe97f11a01-b980-4b88-806c-276c42d4d3d4\\GameBar.exe",
"fileSha256": null,
"fileVerificationType": "NotSigned",
"fromCloud": false,
"fromScan": false,
"id": "838490132706375118",
"indicators": [],
"initiatedBy": "dvCommand",
"initiatedByDescription": "Deep Visibility Command",
"initiatingUserId": "823741543702652055",
"isCertValid": false,
"isInteractiveSession": false,
"isPartialStory": false,
"maliciousGroupId": "0BB46E119EF0AE51",
"maliciousProcessArguments": "-ServerName:App.AppXbdkk0yrkwpcgeaem8zk81k8py1eaahny.mca",
"markedAsBenign": true,
"mitigationMode": "protect",
"mitigationReport": {
"kill": {
"status": "success"
},
"network_quarantine": {
"status": null
},
"quarantine": {
"status": "success"
},
"remediate": {
"status": null
},
"rollback": {
"status": null
},
"unquarantine": {
"status": "sent"
}
},
"mitigationStatus": "mitigated",
"publisher": "",
"rank": 2,
"resolved": true,
"siteId": "823740645903492137",
"siteName": "Siemplify.co",
"threatAgentVersion": "3.6.6.104",
"threatName": "GameBar.exe",
"updatedAt": "2020-07-07T17:19:48.260119Z",
"username": "DESKTOP-43QNK0O\\ddiserens",
"whiteningOptions": []
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | If data is available (is_success=true): "Successfully retrieved information about the available threats in SentinelOne." If no data is available (is_success=false): "No information about threats was found based on the provided criteria." |
General |
Disconnect Agent From Network
Disconnect an agent from a network by its hostname or IP address.
Parameters
N/A
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Enrich Endpoints
Enrich information about the endpoint by IP Address or Hostname.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Create Insight | Checkbox | Checked | No | If enabled, the action creates an insight with information about endpoints. |
| Only Infected Endpoints Insights | Checkbox | Checked | No | If enabled, the action only creates insights for the infected endpoints. |
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_succeed:False |
JSON Result
{
"accountId": "433241117337583618",
"accountName": "SentinelOne",
"activeDirectory": {
"computerDistinguishedName": "CN=LP-YAIR,CN=Computers,DC=SIEMPLIFY,DC=LOCAL",
"computerMemberOf": [],
"lastUserDistinguishedName": "CN=Yair Stern,OU=Users,OU=PS,OU=IL,OU=Operations,OU=Siemplify,DC=SIEMPLIFY,DC=LOCAL",
"lastUserMemberOf": [
"CN=esx.cs,OU=ESX,OU=GROUPS,OU=IL,OU=IT,OU=Siemplify,DC=SIEMPLIFY,DC=LOCAL",
"CN=Backup Operators,CN=Builtin,DC=SIEMPLIFY,DC=LOCAL",
"CN=esx.product,OU=ESX,OU=GROUPS,OU=IL,OU=IT,OU=Siemplify,DC=SIEMPLIFY,DC=LOCAL",
"CN=Siemplify_Admins,OU=QA,OU=IL,OU=IT,OU=Siemplify,DC=SIEMPLIFY,DC=LOCAL",
"CN=Local Admin,OU=GROUPS,OU=IL,OU=IT,OU=Siemplify,DC=SIEMPLIFY,DC=LOCAL",
"CN=CSM,OU=Operations,OU=Siemplify,DC=SIEMPLIFY,DC=LOCAL",
"CN=Event Log Readers,CN=Builtin,DC=SIEMPLIFY,DC=LOCAL"
]
},
"activeThreats": 0,
"agentVersion": "4.1.4.82",
"allowRemoteShell": false,
"appsVulnerabilityStatus": "patch_required",
"computerName": "LP-Yair",
"consoleMigrationStatus": "N/A",
"coreCount": 8,
"cpuCount": 8,
"cpuId": "Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz",
"createdAt": "2020-05-31T07:22:14.695136Z",
"domain": "SIEMPLIFY",
"encryptedApplications": false,
"externalId": "",
"externalIp": "84.109.241.91",
"groupId": "863712577864500060",
"groupIp": "84.109.241.x",
"groupName": "Test Group",
"id": "903293150232960453",
"inRemoteShellSession": false,
"infected": false,
"installerType": ".msi",
"isActive": false,
"isDecommissioned": false,
"isPendingUninstall": false,
"isUninstalled": false,
"isUpToDate": true,
"lastActiveDate": "2021-01-12T12:59:43.143066Z",
"lastIpToMgmt": "192.168.1.20",
"lastLoggedInUserName": "yair",
"licenseKey": "",
"locationType": "fallback",
"locations": [
{
"id": "629380164464502476",
"name": "Fallback",
"scope": "global"
}
],
"machineType": "laptop",
"mitigationMode": "protect",
"mitigationModeSuspicious": "protect",
"modelName": "Dell Inc. - Latitude 7490",
"networkInterfaces": [
{
"id": "931547468641304837",
"inet": [
"192.168.1.20"
],
"inet6": [
"2a10:8002:22a6:0:e4fd:4e37:4db6:f01c",
"2a10:8002:22a6:0:d5a6:6a91:1281:acc6",
"fe80::e4fd:4e37:4db6:f01c"
],
"name": "Wi-Fi",
"physical": "d0:c6:37:d6:f1:2d"
},
{
"id": "1062894239338355970",
"inet": [
"192.168.193.193"
],
"inet6": [
"fe80::fcc6:8ba0:da2b:c22d"
],
"name": "vEthernet (Default Switch)",
"physical": "00:15:5d:45:7c:74"
},
{
"id": "954982488643857092",
"inet": [
"10.0.75.1"
],
"inet6": [
"fe80::1ce0:8d0c:69ae:8616",
"fe80::1ce0:8d0c:69ae:8616"
],
"name": "vEthernet (DockerNAT)",
"physical": "00:15:5d:0a:14:21"
}
],
"networkStatus": "connecting",
"osArch": "64 bit",
"osName": "Windows 10 Pro",
"osRevision": "18363",
"osStartTime": "2021-01-03T15:38:32Z",
"osType": "windows",
"osUsername": null,
"rangerStatus": "NotApplicable",
"rangerVersion": null,
"registeredAt": "2020-05-31T07:22:14.691561Z",
"scanAbortedAt": null,
"scanFinishedAt": "2020-05-31T09:28:53.867014Z",
"scanStartedAt": "2020-05-31T07:25:37.814972Z",
"scanStatus": "finished",
"siteId": "823740645903492137",
"siteName": "Siemplify.co",
"threatRebootRequired": false,
"totalMemory": 16263,
"updatedAt": "2021-01-18T13:33:43.834618Z",
"userActionsNeeded": [],
"uuid": "87511ad6ea63462594268bfdc4c546db"
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | If successful (is_success=true): "Successfully retrieved information about the following endpoins from SentinelOne: \n{0}" .format(entity.identifier) If not successful for some endpoints (is_success=true): "Action wasn't able to retrieve information about the following endpoins from SentinelOne: \n{0}" .format(entity.identifier) If not successful for all endpoints (is_success=false): "No information was retrieved for the provided entities." |
General |
Get Agent Status
Retrieve information about the status of the agents on the endpoints based on the IP Address or Hostname entity.
Parameters
N/A
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"status": "Not active"
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | If successful (is_success=true): "Successfully retrieved information about agent status for the following endpoints: \n{0}".format(entity.identifier)" If not successful for some endpoints (is_success=true): "Action wasn't able to retrieve information about agent status for the following endpoints: \n{0}".format(entity.identifier)" If not successful for all endpoint (is_success=false): "No information about agent status was found for the provided endpoints." |
General |
Get Application List for Endpoint
Retrieve information about available applications on the endpoint by IP Address or Hostname.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Max Applications To Return | Integer | N/A | No | Specify the number of applications to return. If nothing is specified, the action returns all of the applications. |
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"data": [
{
"installedDate": "2021-01-06T08:55:56.762000Z",
"name": "Mozilla Firefox 84.0.1 (x64 en-US)",
"publisher": "Mozilla",
"size": 211562,
"version": "84.0.1"
}
]
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | If successful (is_success=true): "Successfully retrieved available applications for the following endpoints: \n{0}".format(entity.identifier)" If not successful for one endpoint (is_success=true): "Action wasn't able to retrieve available applications for the following endpoints: \n{0}".format(entity.identifier)" If not successful for all endpoints (is_success=false): "No applications were retrieved for the provided endpoints." |
General |
Get Events for Endpoint Hours Back
Retrieve information about the latest events on the endpoint. Works with the IP Address and Hostname entities.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Hours Back | String | N/A | Yes | Specify the number hours backwards to fetch events. |
| Events Amount Limit | String | 50 | No | Specify the number of events to return per event type. |
| Include File Events Information | Checkbox | Unchecked | No | If enabled, the action also queries information about the file events. |
| Include Indicator Events Information | Checkbox | Unchecked | No | If enabled, the action also queries information about the indicator events. |
| Include DNS Events Information | Checkbox | Unchecked | No | If enabled, the action also queries information about the DNS events. |
| Include Network Actions Events Information | Checkbox | Unchecked | No | If enabled, the action also queries information about the "network actions" events. |
| Include URL Events Information | Checkbox | Unchecked | No | If enabled, the action also queries information about the URL events. |
| Include Registry Events Information | Checkbox | Unchecked | No | If enabled, the action also queries information about the registry events. |
| Include Scheduled Task Events Information | Checkbox | Unchecked | No | If enabled, the action also queries information about the scheduled task events. |
Use cases
Analysts may use this action to get information about the latest events related to one endpoint, which can help in the triage process.
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"data": [
{
"activeContentFileId": null,
"activeContentHash": null,
"activeContentPath": null,
"activeContentSignedStatus": null,
"activeContentType": null,
"agentDomain": "",
"agentGroupId": "823740645928657962",
"agentId": "849867819647755581",
"agentInfected": false,
"agentIp": "3.136.184.160",
"agentIsActive": true,
"agentIsDecommissioned": false,
"agentMachineType": "server",
"agentName": "ip-10-0-2-205",
"agentNetworkStatus": "connected",
"agentOs": "linux",
"agentTimestamp": "2020-03-19T08:17:01.575Z",
"agentUuid": "11dd65a0-9b2d-e631-73da-4cc15d6bbc9e",
"agentVersion": "3.3.1.14",
"attributes": [
{
"display": "Created At",
"display_attribute": false,
"field_id": "agentTimestamp",
"priority": 3,
"queryable": false,
"section": "Main Attributes",
"value": "2020-03-19T08:17:01.575Z"
},{
"display": "Site ID",
"display_attribute": false,
"field_id": "siteId",
"priority": 7,
"queryable": true,
"section": "Endpoint Info",
"value": null
}
],
"containerId": null,
"containerImage": null,
"containerLabels": null,
"containerName": null,
"createdAt": "2020-03-19T08:17:01.575000Z",
"eventType": "Process Creation",
"hasParent": true,
"id": "401693219383738379",
"k8sClusterName": null,
"k8sControllerLabels": null,
"k8sControllerName": null,
"k8sControllerType": null,
"k8sNamespace": null,
"k8sNamespaceLabels": null,
"k8sNode": null,
"k8sPodLabels": null,
"k8sPodName": null,
"md5": null,
"objectType": "process",
"parentPid": "32461",
"parentProcessName": "dash",
"parentProcessStartTime": "2020-03-19T08:17:01.785Z",
"parentProcessUniqueKey": "12f6fc9d-d213-474a-eae7-62240ec731c9",
"pid": "32462",
"processCmd": " run-parts --report /etc/cron.hourly",
"processDisplayName": null,
"processGroupId": "c98a4557-94b5-da31-5074-fe6360f17228",
"processImagePath": "/bin/run-parts",
"processImageSha1Hash": "66df74a1f7cc3509c87d6a190ff90ac86caf440d",
"processIntegrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
"processIsRedirectedCommandProcessor": "False",
"processIsWow64": "False",
"processName": "run-parts",
"processRoot": "False",
"processSessionId": "0",
"processStartTime": "2020-03-19T08:17:01.787Z",
"processSubSystem": "SUBSYSTEM_UNKNOWN",
"processUniqueKey": "c460aa89-aaf8-8366-e1ef-2554d291acb6",
"publisher": null,
"relatedToThreat": "False",
"sha256": null,
"signatureSignedInvalidReason": null,
"signedStatus": "unsigned",
"siteName": "Siemplify.co",
"trueContext": "c98a4557-94b5-da31-5074-fe6360f17228",
"user": "unknown",
"verifiedStatus": null
}
],
"pagination": {
"nextCursor": "eyJpZF9jb2x1bW4iOiAiaWQiLCAiaWRfdmFsdWUiOiAiNDAxNjkzMjE5MzgzNzM4Mzc5IiwgInNvcnRfYnlfY29sdW1uIjogImFnZW50VGltZXN0YW1wIiwgInNvcnRfYnlfdmFsdWUiOiAiMjAyMC0wMy0xOVQwODoxNzowMS41NzVaIiwgInNvcnRfb3JkZXIiOiAiZGVzYyJ9",
"totalItems": 632
}
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | If found at least one event: "Successfully retrieved information about the events for the following endpoints: \n{0}".format(entity.identifier)" If not found event for one endpoint: "Action wasn't able to find any events for the following endpoints:\n {0}".format(entity.identifier)" If not found event for all endpoints: "No information events for the provided endpoints." |
General |
Get Group Details
Retrieve detailed information about the provided groups.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Group Names | String | N/A | Yes | Specify a comma-separated list of group names for which you want to retrieve details. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[{`GROUP_NAME`:response.get('data')}]
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should neither fail nor stop a playbook execution: If successful for one group: "Successfully retrieved information about the following groups in SentinelOne: \n {group name}" If not successful for one group: "Action wasn't able to retrieve information about the following groups in SentinelOne:\n {group name}" If not successful for all groups: "No information about the provided groups was found"
If a fatal error, SDK error, like wrong credentials, no connection, other is reported: "Error executing action "Get Group Details". Reason: {0}''.format(error.Stacktrace) |
General |
| CSV | Table Name: SentinelOne Groups Table Columns:
|
General |
Get Hash Reputation
Retrieve information about the hashes from SentinelOne.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Reputation Threshold | entitiesInteger | 5 | No | Specify the reputation threshold in order to be marked as suspicious. If nothing is provided, the action does not mark entities as suspicious. Maximum: 10 |
| Create Insight | Checkbox | Checked | No | If enabled, the action creates an insight containing information about the reputation. |
| Only Suspicious Hashes Insight | Checkbox | Checked | No | If enabled, the action only creates insight for hashes that have higher or equal reputation to the "Reputation Threshold" value. |
Run On
This action runs on the Hash entity.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Enrichment Table
| Enrichment Field Name | Logic - When to apply |
|---|---|
| SENO_reputation = rank | Returns if it exists in JSON result. |
Get Process List for Endpoint
Get System Status
Retrieve the status of a system.
Parameters
N/A
Use cases
Analysts may use this action to check that SentinelOne is working properly.
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"system_status": {
"data": {
"health": "ok"
}},
"db_status": {
"data": {
"health": "ok"
}},
"cache_status": {
"data": {
"health": "ok"
}
}
}
Get System Version
Retrieve the version of a system.
Parameters
N/A
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Initiate Full Scan
Initiate a full disk scan on the endpoint in SentinelOne.
Parameters
N/A
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | If successful for at least one endpoint (is_success=true): "Successfully started the full disk scan on the following endpoints in SentinelOne: {0}".format(entity.identifier) If not successful for at least one endpoint (is_success=true): "Action wasn't able to start a full disk scan on the following endpoints in SentinelOne: {0}".format(entity.identifier) If not successful for all endpoints (is_success=false): "No full disk scans were initiated." |
General |
Move Agents
Move agents to the provided group. This action works with the Hostname and IP Address entities.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Group ID | String | N/A | No | Specify the ID of the group, where to move the agents. |
| Group Name | String | N/A | No | Specify the name of the group, where to move the agents. Note: If both the "Group ID" parameter and the "Group Name" parameter are provided, the action puts the "Group ID" parameter in the priority. |
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | If successful for at least one endpoint: "Successfully moved the following endpoints to the group with {0} {1} in SentinelOne:\n{2}".format("ID"/"Name", group_id/group_name,entity.identity) If no successful for at least one endpoint: "Action wasn't able to move the following endpoints to the group with {0} {1} in SentinelOne:\n{2}".format("ID"/"Name", group_id/group_name,entity.identity) If no successful for all endpoint: "No endpoints were moved to the group {0} {1} in SentinelOne".format("ID"/"Name", group_id/group_name) If the group is not found: "Action wasn't able to move endpoints to the group with {0} {1} in SentinelOne. Reason: Group was not found.".format("ID"/"Name", group_id/group_name) If the "Group Name" or "Group ID" parameter is not provided (fail): "Error executing action "Move Agents". Reason: either "Group Name" or "Group ID" should be provided." |
General |
Ping
Test integration connectivity.
Parameters
N/A
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Reconnect Agent to the Network
Reconnect disconnected endpoint to the network. Works with the Hostname and IP Address entities.
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Create Hash Black List Record
Add hashes to a blocklist in SentinelOne.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Operating System | String | windows | Yes | Specify the OS for the hash. Possible values: windows, windows_legacy, macos, linux. |
| Site IDs | Array | N/A | No | Specify a comma-separated list of site IDs, where hash needs to be sent to the blocklist. |
| Group IDs | Array | N/A | No | Specify a comma-separated list of group IDs, where hash needs to be sent to the blocklist. |
| Account IDs | Array | N/A | No | Specify a comma-separated list of account IDs, where hash needs to be sent to the blocklist. |
| Description | String | "" | No | Specify additional information related to the hash. |
| Add to global blocklist | Checkbox | Unchecked | Yes | If enabled, the action adds the hash to the global blocklist. Note: If this parameter is enabled, the "Site IDs", "Group IDs", and "Account IDs" parameters are ignored. |
Run On
This action runs on the Hash entity.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[
{
"Entity": "36F9CA40B3CE96FCEE1CF1D4A7222935536FD25A",
"EntityResult": [{
"userName": "user",
"description": "Created by Siemplify.",
"userId": "8237415437026xxxxx",
"scopeName": "Test Group",
"value": "36F9CA40B3CE96FCEE1CF1D4A7222935536FD25A",
"source": "user",
"updatedAt": "2020-07-02T14:41:20.678280Z",
"osType": "windows",
"scope": {
"groupIds": ["863712577864500060"]
},
"type": "white_hash",
"id": "926706979756730756",
"createdAt": "2020-07-02T14:41:20.678690Z"
}, {
"userName": "user",
"description": "Created by Siemplify.",
"userId": "8237415437026xxxxx",
"scopeName": "Test Group 2",
"value": "36F9CA40B3CE96FCEE1CF1D4A7222935536FD25A",
"source": "user",
"updatedAt": "2020-07-02T14:41:20.683858Z",
"osType": "windows",
"scope": {
"groupIds": ["926559911218143489"]
},
"type": "white_hash",
"id": "926706979807062407",
"createdAt": "2020-07-02T14:41:20.684677Z"
}]
}
]
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | If successful for one hash (is_success=true): "Successfully added the following hashes to the blacklist in SentinelOne:\n{0}".format(entity.identifier) If already exist for at least one (is_success=true): "The following hashes were already a part of blacklist in SentinelOne:\n{0}".format(entity.identifier) If not successful for one hash (is_success=true): "Action wasn't able to add the following hashes to the blacklist in SentinelOne:\n{0}".format(entity.identifier) If not successful for all hashes (is_success=false): "No hashes were added to the blacklist in SentinelOne." If a critical error is reported: "Error executing action "Create Hash Blacklist Record". Reason: {0}".(traceback) If the "Site IDs", "Group IDs", "Account IDs" are not provided and the "Add to global black list" parameter is not enabled: "Error executing action "Create Hash Blacklist Record". Reason: at least one value should be provided for "Site IDs" or "Group IDs" or "Account IDs" parameters or "Add to global black list" should be enabled. |
General |
Get Blacklist
Get a list of all the items available in the blocklist in SentinelOne.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Hash | String | N/A | No | Specify a comma-separated list of hashes that need to be checked in the blocklist. Only hashes that were found are returned. If nothing is specified here the action returns all hashes. Note: If the "Hash" parameter is provided then the "Limit" parameter is ignored. |
| Site IDs | Array | N/A | No | Specify a comma-separated list of site IDs, which should be used to return blocklist items. |
| Group IDs | Array | N/A | No | Specify a comma-separated list of group IDs, which should be used to return blocklist items. |
| Account Ids | Array | N/A | No | Specify a comma-separated list of account IDs, which should be used to return blocklist items. |
| Limit | Integer | 50 | No | Specify the number of blocklist items that should be returned. Note: If the "Hash" parameter has values, then this parameter is ignored. Maximum: 1000 |
| Query | String | N/A | No | Specify the query that needs to be used in order to filter the results. |
| Use Global Blacklist | Checkbox | Unchecked | No | If enabled, the action also returns hashes from the global blacklist. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[
{
"userName": "Example",
"description": "test",
"userId": "8237415437026xxxxx",
"scopeName": "Siemplify.co",
"value": "cf23df2207d99a74fbe169e3eba035e633bxxxxx",
"source": "user",
"updatedAt": "2020-02-27T15:02:54.686991Z",
"osType": "windows",
"scope": {
"siteIds": ["8237406459034xxxxx"]
},
"type": "black_hash",
"id": "8353960925573xxxxx",
"createdAt": "2020-02-27T15:02:54.687675Z"
}, {
"description": "Detected by SentinelOne Cloud",
"userId": null,
"scopeName": "Siemplify.co",
"value": "3395856ce81f2b7382dee72602f798b642fxxxxx",
"source": "cloud",
"updatedAt": "2020-03-18T14:42:02.730095Z",
"osType": "linux",
"scope": {
"siteIds": ["8237406459034xxxxx"]
},
"type": "black_hash",
"id": "8498811050050xxxxx",
"createdAt": "2020-03-18T14:42:02.730449Z"
}, {
"description": "Detected by SentinelOne Cloud",
"userId": null,
"scopeName": "Siemplify.co",
"value": "df531d66173235167ac502b867f3cae2170xxxxx",
"source": "cloud",
"updatedAt": "2020-04-08T07:27:35.686775Z",
"osType": "linux",
"scope": {
"siteIds": ["8237406459034xxxxx"]
},
"type": "black_hash",
"id": "8648827291549xxxxx",
"createdAt": "2020-04-08T07:27:35.687168Z"
}
]
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | If successful and has results (is_success=true): "Successfully retrieved blacklisted hashes based on the provided filter criteria in SentinelOne.". If successful and no results are found (is_success=false): "No blacklisted hashes were found for the provided criteria in SentinelOne." If a critical error is reported: "Error executing action "Get Blacklist". Reason: {0}".(traceback) If the "Site IDs", "Group IDs", "Account IDs" parameters are not provided and the "Use Global Blacklist" parameter is not enabled: "Error executing action "Get Blacklist". Reason: at least one value should be provided for "Site IDs" or "Group IDs" or "Account IDs" parameters or "Use Global Blacklist" should be enabled. |
General |
| Table | Table Name: Blacklist Hashes Table Columns:
|
General |
Get Deep Visibility Query Result
Retrieve information about deep visibility query results.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Query ID | String | N/A | Yes | Specify the ID of the query for which you want to return results. This ID is available in the JSON result of the "Initiate Deep Visibility Query" action as the "query_id" parameter. |
| Limit | String | 50 | No | Specify the number of events to return. Maximum: 100 |
Run On
This action doesn't run on any entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should neither fail nor stop a playbook execution: If successful: "Successfully found events for query: <query id>." The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection, other is reported: "Error executing action "Get Deep Visibility Query Result". Reason: {0}''.format(error.Stacktrace If the 400 status code is reported (fail): "Error executing action "Get Deep Visibility Query Result". Reason: {0}".format(errors/detail) If the query status is not set to "Finished" (fail): "Error executing action "Get Deep Visibility Query Result". Reason: status of the query - {0}. Please run action 'Initialize Deep Visibility Query' again.".format(query status) |
General |
| CSV Table | Table Title: SentinelOne Events Table Columns:
|
General |
Initiate Deep Visibility Query
Initiate a Deep Visibility Query search. Returns the Query ID, which should be used in the "Get Deep Visibility Query Result" action.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Query | String | N/A | Yes | Specify the query for the search. |
| Start Date | String | N/A | No | Specify the start date for the search. If nothing is specified, the action fetches events from 30 days ago. |
| End Date | String | N/A | No | Specify the end date for the search. If nothing is specified, the action uses current time. |
Run On
This action doesn't run on any entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[{"query_id\":\"q0794f2c18433b38115982b501017c636"}]",
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should neither fail nor stop a playbook execution: If successful: "Successfully created a deep visibility query. Query ID: <query ID value>" If failed to run (no data): "Failed to create a deep visibility query" The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection, other is reported: "Error executing action "Initiate a Deep Visibility Query". Reason: {0}''.format(error.Stacktrace) If the 400 status code is reported (fail): "Error executing action 'Initiate Deep Visibility Query'. Reason: {0}".format(errors/detail) |
General |
Download Threat File
Download a file related to the threat in SentinelOne.
Known Limitation
Sometimes SentinelOne initiates a file fetch, but doesn't provide a download URL. In that case, action runs into a timeout. To confirm this situation, you need to navigate to the timeline of the threat.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Threat ID | String | N/A | Yes | Specify the ID of the threat for which you want to download the file. |
| Password | Password | N/A | Yes | Specify the password for the zip that contains the threat file. Password requirements: At least 10 characters Needs to include: uppercase, lowercase, digits, special symbols Maximum length is 256 characters. |
| Download Folder Path | String | N/A | Yes | Specify the path to the folder, where you want to store the threat file. |
| Overwrite | Checkbox | Unchecked | Yes | If enabled, the action overwrites the file with the same name. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"absolute_path": "`ABSOLUTE_PATH_TO_THE_FILE`"
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should neither fail nor stop a playbook execution:
If activityType=86 is not found (is_success=false): "Action wasn't able to download the file related to threat {threat_id}. Reason: action was able to initiate the downloading of the file, but SentinelOne didn't return a download URL." Async message: "Waiting for the download link to appear in SentinelOne" The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, folder doesn't exist, other is reported: "Error executing action "Download Threat File". Reason: {0}''.format(error.Stacktrace) If the 400 status code is reported: "Error executing action "Download Threat File". Reason: {0}".format(errors/detail) If the file with the same name already exists, but "Overwrite" is set to false: "Error executing action "Download Threat File". Reason: file with path {0} already exists. Please delete the file or set "Overwrite" to true." |
General |
Update Analyst Verdict
Update analyst verdict of the threat in SentinelOne.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Threat ID | String | N/A | Yes | Specify a comma-separated list of threat IDs for which you want to update the analyst verdict. |
| Analyst Verdict | DDL | Undefined Possible Values:
|
Yes | Specify the analyst verdict. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | If successful for some threats (is_success=true): "Successfully updated analyst verdict for the following threats in SentinelOne: {threat id}." If not successful for some threats (is_success=true): "Action wasn't able to update analyst verdict for the following threats in SentinelOne: {threat id}." If not successful for some threats (is_success=false): "Action wasn't able to update analyst verdict for the provided threats in SentinelOne." |
General |
Update Incident Status
Update threat incident status in SentinelOne.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Threat ID | String | N/A | Yes | Specify a comma-separated list of threat ids for which you want to update the incident status. |
| Status | DDL | Resolved Possible Values:
|
Yes | Specify the incident status. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | If successful for some incidents (is_success=true): "Successfully updated incident status for the following threats in SentinelOne: {threat id}." If not successful for some incidents (is_success=true): "Action wasn't able to update incident status for the following threats in SentinelOne: {threat id}." If not successful for some incidents (is_success=false): "Action wasn't able to update incident status for the provided threats in SentinelOne." |
General |
Add Threat Note
Add a note to the threat in SentinelOne.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Threat ID | String | N/A | Yes | Specify the ID of the threat for which you want to add a note. |
| Note | String | N/A | Yes | Specify the note that needs to be added to the threat. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should neither fail nor stop a playbook execution:
If not successful (is_success=false): "Action wasn't able to add a note to the threat {threat id} in SentinelOne." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Add Threat Note". Reason: {0}''.format(error.Stacktrace) |
General |
Delete Hash Blacklist Record
Delete hashes from a blocklist in SentinelOne.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Site IDs | String | N/A | No | Specify a comma-separated list of site IDs, from where the hash needs to be removed. |
| Group IDs | String | N/A | No | Specify a comma-separated list of group IDs, from where the hash needs to be removed. |
| Account IDs | String | N/A | No | Specify a comma-separated list of account IDs, from where the hash needs to be removed. |
| Remove from global black list | Checkbox | Unchecked | No | If enabled, the action removes the hash from the global blocklist. Note: If this parameter is enabled, the "Site IDs", "Group IDs" and "Account IDs" parameters are ignored. |
Run On
This action runs on the Hash entity.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result type | Value/Description | Type (Entity \ General) |
|---|---|---|
| Output message* | The action should neither fail nor stop a playbook execution: If successful for one entity (is_success=true): "Successfully removed the following hashes from blacklist in SentinelOne: {\n entity.identifier}" If not successful for one (not SHA1) (is_success=true): "Action wasn't able to remove the following hashes from blacklist in SentinelOne: {\n entity.identifier}" If the hash is not found (is_success=true): "The following hashes were not found in the blacklist in SentinelOne: {\n entity.identifier}" If not successful for all entities (is_success=false): "No hashes were removed from blacklist in SentinelOne." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Delete Hash Blacklist Record". Reason: {error traceback}" If the "Site IDs", "Group IDs", "Account IDs" parameters are not provided: "Error executing action "Delete Hash Blacklist Record". Reason: at least one value should be provided for "Site IDs" or "Group IDs". If the "Site IDs", "Group IDs", "Account IDs" parameters are not provided and the "Remove from global black list" is not enabled: "Error executing action "Delete Hash Blacklist Record". Reason: at least one value should be provided for "Site IDs" or "Group IDs" or "Account IDs" parameters or "Remove from global black list" should be enabled." |
General |
List Sites
List available sites in SentinelOne.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Filter Key | DDL | Select One Possible Values:
|
No | Specify the key that needs to be used to filter sites. |
| Filter Logic | DDL | Not Specified Possible Values:
|
No | Specify the filter logic that should be applied. Filtering logic is working based on the value provided in the "Filter Key" parameter. |
| Filter Value | String | N/A | No | Specify the value that should be used in the filter. If "Equal" is selected, the action tries to find the exact match among results. If "Contains" is selected, the action tries to find results that contain the specified substring. If nothing is provided in this parameter, the filter is not applied. Filtering logic works based on the value provided in the "Filter Key" parameter. |
| Max Records To Return | Integer | 50 | No | Specify the number of records to return. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result type | Value/Description | Type (Entity \ General) |
|---|---|---|
| Output message* | The action should neither fail nor stop a playbook execution: If data is available (is_success = true): "Successfully found sites for the provided criteria in SentinelOne". If data is not available (is_success=false): "No sites were found for the provided criteria in {product name}" If the "Filter Value" parameter is empty (is_success=true): "The filter was not applied, because parameter "Filter Value" has an empty value." The action should fail and stop a playbook execution: If the "Filter Key" parameter is set to "Select One" and the "Filter Logic" is set to "Equal" or "Contains": "Error executing action "{action name}"." Reason: you need to select a field from the "Filter Key" parameter. If the "Filter Logic" parameter is set to "Equal" or "Contains": "Error executing action "{action name}"." Reason: you need to select a field from the "Filter Key" parameter. If an invalid value is provided for the "Max Records to Return" parameter: "Error executing action "{action name}"." Reason: "Invalid value was provided for "Max Records to Return": . Positive number should be provided". If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "{action name}". Reason: {0}''.format(error.Stacktrace)" |
General |
| Case Wall Table | Table Name: Available Sites Table Columns:
|
General |
Connectors
SentinelOne - Threats Connector
Pull threats from SentinelOne.
For this connector we are changing the authorization method, adding an ability to filter alerts based on whitelists.
Authorization changes
Username and Password fields are removed and API Token is added.
Whitelist logic
The connector is able to filter alerts based on the Alert Name. A new connector
parameter, Use whitelist as a blacklist, is introduced - which will change the
logic, based on the value.
Use whitelist as a blacklist = false
With these conditions, allowlist is used as intended. Only alerts that have alert_names in the allowlist will be ingested into Google Security Operations SOAR.
Use whitelist as a blacklist = true.
With these conditions, allowlist is used as a blocklist. Only alerts that don't have alert_names in the allowlist will be ingested into Google Security Operations SOAR.
If there are no Alert Names in the allowlist, all alerts are ingested.
Use cases and examples
Analysts may use this connector to get threats from SentinelOne.
Configure SentinelOne - Threats Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Product Field Name | String | siemplify_event | Yes | Describes the name of the field where the product name is stored. |
| Event Field Name | String | classificationSource | Yes | Describes the name of the field where the event name is stored. |
| Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
| Environment Regex Pattern | String | .* | No | A regular expression pattern to run on the value found in the "Environment Field Name" field. Default is Used to allow the user to manipulate the environment field using the regular expression logic. If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the python process running the current script. |
| API Root | String | https://usea1-partners.sentinelone.net/ | Yes | Address of SentinelOne API root. |
| API Token | String | N/A | Yes | SentinelOne API token. |
| API Version | String | 2.0 |
Specify what version of api to use in the connector. If nothing is provided connector will use version 2.1. |
|
| Fetch Max Days Backwards | Integer | 1 | No | Amount of days from where to fetch threats. |
| Use whitelist as a blacklist | Checkbox | Unchecked | Yes | If enabled, allowlist will be used as a blocklist. |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verify the SSL certificate for the connection to the Sentinel public cloud server is valid. |
| Proxy Server Address | String | N/A | No | The address of the proxy server to use |
| Proxy Username | String | N/A | No | The proxy username to authenticate with |
| Proxy Password | Password | N/A | No | The proxy password to authenticate with |
| Event Object Type Filter | CSV | N/A | No | A comma-separated list of event objects that need to be returned alongside threat info. This parameter is used as a filter to only return certain objects. Examples: process,ip,indicators. If nothing is provided, the connector ingests all event object types. |
| Event Type Filter | CSV | N/A | No | A comma-separated list of event types that need to be returned alongside threat info. This parameter is used as a filter to only return certain event types. Examples: Process Creation, Behavioral Indicators |
| Max Events To Return | Integer | 199 | No | Specify the number of events to return per threat. Maximum: 199 |
Connector rules
The connector supports proxy.
The connector supports allowlist and blocklist.