InsightConnect Marketplace

SentinelOne

v1.4.0

The SentinelOne plugin allows you to manage and mitigate all your security operations through SentinelOne

Tags: sentinelone, endpoint, detection

Triggers
  • Get Threats

Actions
  • Get Activities
  • Get Activity Types
  • Agents Abort Scan
  • Connect to network
  • Agent Decommission
  • Disconnect Agents
  • Agents Fetch Logs
  • Initiate scan
  • Agents Processes
  • Agents Reload
  • Agents Restart
  • Agents Shutdown
  • Count Summary
  • Uninstall
  • Agents Applications
  • Blacklist
  • Blacklist by Content Hash
  • Blacklist by IoC Hash
  • Create IOC Threat
  • Get Agent Details
  • Get Threat Summary
  • Mark as Benign
  • Mark as Threat
  • Mitigate Threat
  • Available Name
  • Quarantine
  • Search Agents

Description

SentinelOne is a next-gen cybersecurity company focused on protecting the enterprise through the endpoint. The SentinelOne plugin allows you to manage and mitigate all your security operations through SentinelOne.

This plugin utilizes the SentinelOne API; the API documentation is available in the SentinelOne console.

Key Features

  • Quarantine endpoints
  • Execute scans
  • Blacklist hashes
  • Trigger workflows on security alerts
  • Manage threats

Requirements

  • SentinelOne API administrative credentials

Documentation

Setup

The connection configuration accepts the following parameters:

Name Type Default Required Description Enum Example
credentials credential_username_password None True Username and password None {"username": "user@example.com", "password": "mypassword"}
url string None True SentinelOne Console URL None https://example.sentinelone.com

Example input:

{
  "credentials": {
    "username": "user@example.com",
    "password": "mypassword"
  },
  "url": "https://example.sentinelone.com"
}

Technical Details

Actions

Search Agents

This action searches for agents by IP address, MAC address, hostname, or device ID.

Input
Name Type Default Required Description Enum Example
agent string None True Agent to retrieve device information from. Accepts IP address, MAC address, hostname, UUID or agent ID None hostname123

Example input:

{
  "agent": "hostname123"
}
Output
Name Type Required Description
agents []agent_data False Detailed information about agents found

Example output:

{
  "agents": [
    {
      "installerType": ".exe",
      "threatRebootRequired": false,
      "groupIp": "198.51.100.x",
      "modelName": "VMware, Inc. - VMware Virtual Platform",
      "machineType": "server",
      "groupName": "Default Group",
      "lastActiveDate": "2020-06-03T18:53:56.748663Z",
      "registeredAt": "2020-05-28T14:53:03.010853Z",
      "scanStatus": "finished",
      "allowRemoteShell": false,
      "appsVulnerabilityStatus": "up_to_date",
      "coreCount": 1,
      "inRemoteShellSession": false,
      "isDecommissioned": false,
      "siteId": "521580416395045459",
      "accountName": "SentinelOne",
      "isActive": true,
      "isUpToDate": true,
      "networkStatus": "disconnected",
      "osType": "windows",
      "updatedAt": "2020-06-03T18:53:39.584577Z",
      "createdAt": "2020-05-28T14:53:03.014660Z",
      "siteName": "Rapid7",
      "lastLoggedInUserName": "",
      "domain": "WORKGROUP",
      "externalId": "",
      "scanAbortedAt": "None",
      "computerName": "so-agent-win12",
      "id": "901345720792880606",
      "locationType": "fallback",
      "mitigationMode": "protect",
      "networkInterfaces": [
        {
          "id": "901345720801269215",
          "inet": [
            "198.51.100.100"
          ],
          "inet6": [
            "2001:db8:8:4::2"
          ],
          "name": "Ethernet",
          "physical": "00:50:56:94:17:08"
        }
      ],
      "scanStartedAt": "2020-05-28T21:12:58.216807Z",
      "userActionsNeeded": [],
      "activeDirectory": {
        "computerDistinguishedName": "None",
        "computerMemberOf": [],
        "lastUserDistinguishedName": "None",
        "lastUserMemberOf": []
      },
      "externalIp": "198.51.100.100",
      "isUninstalled": false,
      "licenseKey": "",
      "osArch": "64 bit",
      "totalMemory": 1023,
      "accountId": "433241117337583618",
      "consoleMigrationStatus": "N/A",
      "groupId": "521580416411822676",
      "isPendingUninstall": false,
      "locations": [
        {
          "scope": "global",
          "id": "629380164464502476",
          "name": "Fallback"
        }
      ],
      "osStartTime": "2020-05-28T14:59:33Z",
      "scanFinishedAt": "2020-05-28T22:24:59.420166Z",
      "cpuCount": 1,
      "osUsername": "None",
      "rangerVersion": "None",
      "agentVersion": "4.1.4.82",
      "osRevision": "9200",
      "uuid": "28db47168fa54f89aeed99769ac8d4dc",
      "mitigationModeSuspicious": "detect",
      "cpuId": "Intel(R) Xeon(R) CPU E5-2690 v2 @ 3.00GHz",
      "infected": false,
      "encryptedApplications": false,
      "osName": "Windows Server 2012 Standard",
      "rangerStatus": "NotApplicable",
      "activeThreats": 0
    }
  ]
}

Quarantine

This action is used to isolate (quarantine) an endpoint from the network.

Input
Name Type Default Required Description Enum Example
agent string None True Agent to perform quarantine action on. Accepts IP address, MAC address, hostname, or device ID None hostname123
quarantine_state boolean None True True to quarantine host, false to unquarantine host None True
whitelist []string None False This list contains a set of devices that should not be blocked. This can include IPs, hostnames, and device IDs None ["198.51.100.100", "hostname123", "901345720792880606", "28db47168fa54f89aeed99769ac8d4dc"]

Example input:

{
  "agent": "hostname123",
  "quarantine_state": true,
  "whitelist": [
    "198.51.100.100",
    "hostname123",
    "28db47168fa54f89aeed99769ac8d4dc",
    "901345720792880606"
  ]
}
Output
Name Type Required Description
response quarantine_response False SentinelOne API call response data

Example output:

{
  "response": {
    "response": {
      "data": {
        "affected": 0
      }
    }
  }
}
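Search Agents, Quarantine and Get Agent Details all take a single agent string that may be an IP address, MAC address, hostname, UUID or agent ID, and Quarantine additionally honours a whitelist of the same kinds of values. The following is an added example (not the plugin's own code) of one way to classify that input and match it against agent records of the shape shown in the Search Agents output above; the first sample record is trimmed from that output, the second is constructed, and the matching rules are this example's own assumptions.

```python
import ipaddress
import re
from typing import Any, Dict, List, Optional

# Sample agent records. The first is trimmed from the Search Agents example output on this
# page; the second is constructed for this example so the whitelist has something to skip.
SAMPLE_AGENTS: List[Dict[str, Any]] = [
    {
        "id": "901345720792880606",
        "uuid": "28db47168fa54f89aeed99769ac8d4dc",
        "computerName": "so-agent-win12",
        "externalIp": "198.51.100.100",
        "networkInterfaces": [
            {"inet": ["198.51.100.100"], "inet6": ["2001:db8:8:4::2"], "physical": "00:50:56:94:17:08"}
        ],
    },
    {
        "id": "901345720792880607",                  # constructed
        "uuid": "0f1e2d3c4b5a69788796a5b4c3d2e1f0",  # constructed
        "computerName": "so-agent-lin01",
        "externalIp": "198.51.100.101",
        "networkInterfaces": [
            {"inet": ["198.51.100.101"], "inet6": [], "physical": "00:50:56:94:17:09"}
        ],
    },
]

_MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.IGNORECASE)
_UUID_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)  # agent uuid as shown on this page
_AGENT_ID_RE = re.compile(r"^[0-9]+$")


def classify(identifier: str) -> str:
    """Decide what kind of value the 'agent' input holds: ip, mac, uuid, agent_id or hostname."""
    value = identifier.strip()
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if _MAC_RE.match(value):
        return "mac"
    if _UUID_RE.match(value):
        return "uuid"
    if _AGENT_ID_RE.match(value):
        return "agent_id"
    return "hostname"  # anything else is treated as a computer name


def _normalize_mac(mac: str) -> str:
    return mac.replace("-", ":").lower()


def _parse_ip(value: Optional[str]):
    try:
        return ipaddress.ip_address(value) if value else None
    except ValueError:
        return None  # e.g. a masked value such as the "198.51.100.x" groupIp on this page


def agent_matches(agent: Dict[str, Any], identifier: str) -> bool:
    """True if the agent record is the device the identifier names."""
    kind = classify(identifier)
    value = identifier.strip()
    nics = agent.get("networkInterfaces") or []
    if kind == "agent_id":
        return agent.get("id") == value
    if kind == "uuid":
        return (agent.get("uuid") or "").lower() == value.lower()
    if kind == "hostname":
        return (agent.get("computerName") or "").lower() == value.lower()
    if kind == "mac":
        return any(_normalize_mac(n.get("physical") or "") == _normalize_mac(value) for n in nics)
    # IP: compare parsed addresses so an abbreviated or upper-case IPv6 form still matches.
    target = _parse_ip(value)
    candidates = [agent.get("externalIp")]
    for n in nics:
        candidates += (n.get("inet") or []) + (n.get("inet6") or [])
    return any(_parse_ip(c) == target for c in candidates)


def find_agents(agents: List[Dict[str, Any]], identifier: str) -> List[Dict[str, Any]]:
    return [a for a in agents if agent_matches(a, identifier)]


def quarantine_targets(agents: List[Dict[str, Any]], identifier: str, whitelist=()) -> List[str]:
    """IDs of the agents a quarantine request would act on once the whitelist is honoured."""
    targets = []
    for agent in find_agents(agents, identifier):
        if any(agent_matches(agent, w) for w in whitelist):
            continue  # whitelisted by IP, hostname, UUID or agent ID: never isolate it
        targets.append(agent["id"])
    return targets
```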

Get Agent Details

This action retrieves agent details.

Input
Name Type Default Required Description Enum Example
agent string None True Agent to retrieve device information from. Accepts IP address, MAC address, hostname, or device ID None hostname123

Example input:

{
  "agent": "hostname123"
}
Output
Name Type Required Description
agents []agent_data False Detailed information about agents found

Example output:

{
  "agent": {
    "accountId": "433241117337583618",
    "accountName": "SentinelOne",
    "activeDirectory": {
      "computerDistinguishedName": "None",
      "computerMemberOf": [],
      "lastUserDistinguishedName": "None",
      "lastUserMemberOf": []
    },
    "activeThreats": 0,
    "agentVersion": "4.1.4.82",
    "allowRemoteShell": false,
    "appsVulnerabilityStatus": "up_to_date",
    "computerName": "so-agent-win12",
    "consoleMigrationStatus": "N/A",
    "coreCount": 1,
    "cpuCount": 1,
    "cpuId": "Intel(R) Xeon(R) CPU E5-2690 v2 @ 3.00GHz",
    "createdAt": "2020-05-28T14:53:03.014660Z",
    "domain": "WORKGROUP",
    "encryptedApplications": false,
    "externalId": "",
    "externalIp": "198.51.100.100",
    "groupId": "521580416411822676",
    "groupIp": "198.51.100.x",
    "groupName": "Default Group",
    "id": "901345720792880606",
    "inRemoteShellSession": false,
    "infected": false,
    "installerType": ".exe",
    "isActive": true,
    "isDecommissioned": false,
    "isPendingUninstall": false,
    "isUninstalled": false,
    "isUpToDate": true,
    "lastActiveDate": "2020-06-05T18:32:56.748620Z",
    "lastLoggedInUserName": "",
    "licenseKey": "",
    "locationType": "fallback",
    "locations": [
      {
        "id": "629380164464502476",
        "name": "Fallback",
        "scope": "global"
      }
    ],
    "machineType": "server",
    "mitigationMode": "protect",
    "mitigationModeSuspicious": "detect",
    "modelName": "VMware, Inc. - VMware Virtual Platform",
    "networkInterfaces": [
      {
        "id": "901345720801269215",
        "inet": [
          "198.51.100.100"
        ],
        "inet6": [
          "2001:db8:8:4::2"
        ],
        "name": "Ethernet",
        "physical": "00:50:56:94:17:08"
      }
    ],
    "networkStatus": "disconnected",
    "osArch": "64 bit",
    "osName": "Windows Server 2012 Standard",
    "osRevision": "9200",
    "osStartTime": "2020-05-28T14:59:36Z",
    "osType": "windows",
    "osUsername": "None",
    "rangerStatus": "NotApplicable",
    "rangerVersion": "None",
    "registeredAt": "2020-05-28T14:53:03.010853Z",
    "scanAbortedAt": "None",
    "scanFinishedAt": "2020-05-28T22:24:59.420166Z",
    "scanStartedAt": "2020-05-28T21:12:58.216807Z",
    "scanStatus": "finished",
    "siteId": "521580416395045459",
    "siteName": "Rapid7",
    "threatRebootRequired": false,
    "totalMemory": 1023,
    "updatedAt": "2020-06-05T15:39:10.754112Z",
    "userActionsNeeded": [],
    "uuid": "28db47168fa54f89aeed99769ac8d4dc"
  }
}

Get Threat Summary

This action is used to get a list of activities.

Input
Name Type Default Required Description Enum
account_ids []string None False List of Account IDs to filter by None
activity_types []string None False Return only these activity codes None
agent_ids []string None False Return activities related to specified agent ids None
count_only boolean None False If true, only total number of items will be returned, without any of the actual objects None
created_at_between string None False Return activities created within this range (inclusive), example 1514978764288-1514978999999 None
created_at_gt string None False Return activities created after or at this date in ISO-8601, example 2018-02-27T04:49:26.257525Z. None
created_at_gte string None False Return activities created after or at this date in ISO-8601, example 2018-02-27T04:49:26.257525Z None
created_at_lt string None False Return activities created before this date in ISO-8601, example 2018-02-27T04:49:26.257525Z. None
created_at_lte string None False Return activities created before or at this date in ISO-8601, example 2018-02-27T04:49:26.257525Z. None
cursor string None False Cursor position returned by the last request. Should be used for iterating over more than 1000 items, example YWdlbnRfaWQ6NTgwMjkzODE= None
group_ids []string None False Get a list of activities None
ids []string None False If true, total number of items will not be calculated, which speeds up execution time None
include_hidden boolean None False Include internal activities hidden from display? None
limit integer None False Limit number of returned items (1-100) None
site_ids []string None False List of Site IDs to filter by None
skip integer None False Skip first number of items (0-1000). For iterating over more than a 1000 items please use cursor instead. None
skip_count boolean None False If true, total number of items will not be calculated, which speeds up execution time None
sort_by string None False The column to sort the results by ['id', 'activityType', 'createdAt']
sort_order string None False Sort direction ['asc', 'desc']
threat_ids []string None False Return only these activity codes None
user_emails []string None False Email of the user who invoked the activity (If applicable) None
user_ids []string None False The user who invoked the activity (If applicable) None
Output
Name Type Required Description
data []activities_list True Result of activities list
pagination pagination True Pagination object

Example output:

{
  "data": [
    {
      "agentOsType": "windows",
      "automaticallyResolved": false,
      "cloudVerdict": "black",
      "id": "566535959618699500",
      "indicators": [],
      "engines": [
        "reputation"
      ],
      "fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
      "fromCloud": false,
      "mitigationMode": "protect",
      "mitigationReport": {
        "network_quarantine": {},
        "quarantine": {
          "status": "success"
        },
        "remediate": {},
        "rollback": {},
        "unquarantine": {},
        "kill": {
          "status": "success"
        }
      },
      "rank": 7,
      "siteName": "Rapid7",
      "whiteningOptions": [
        "hash"
      ],
      "agentComputerName": "vagrant-pc",
      "collectionId": "433377870883088367",
      "createdAt": "2019-02-21T16:05:49.251201Z",
      "mitigationStatus": "active",
      "classificationSource": "Static",
      "resolved": true,
      "accountName": "SentinelOne",
      "fileVerificationType": "NotSigned",
      "siteId": "521580416395045459",
      "fileIsExecutable": false,
      "fromScan": false,
      "agentNetworkStatus": "disconnecting",
      "createdDate": "2019-02-21T16:05:49.175000Z",
      "accountId": "433241117337583618",
      "initiatedBy": "agentPolicy",
      "initiatedByDescription": "Agent Policy",
      "threatAgentVersion": "3.0.1.3",
      "username": "vagrant-pc\\vagrant",
      "agentVersion": "3.0.1.3",
      "classifierName": "STATIC",
      "fileExtensionType": "Executable",
      "agentDomain": "WORKGROUP",
      "fileIsSystem": false,
      "agentInfected": false,
      "isCertValid": false,
      "isInteractiveSession": false,
      "isPartialStory": false,
      "updatedAt": "2020-05-28T21:53:36.064425Z",
      "agentId": "560700200554747611",
      "agentMachineType": "desktop",
      "classification": "Malware",
      "markedAsBenign": false,
      "threatName": "EICAR.com",
      "agentIsDecommissioned": true,
      "description": "malware detected - not mitigated yet (static engin...",
      "fileDisplayName": "EICAR.com",
      "agentIp": "198.51.100.100",
      "agentIsActive": false,
      "fileObjectId": "F0F63E0588AAC528",
      "filePath": "\\Device\\HarddiskVolume2\\Users\\vagrant\\Desktop\\EICA...",
      "maliciousGroupId": "542D14600CEBA01D"
    }
  ],
  "pagination": {
    "totalItems": 1
  }
}

Get Activities

This action is used to get a list of activities.

Input

Name Type Default Required Description Enum Example
account_ids []string None False List of Account IDs to filter by None None
activity_types []string None False Return only these activity codes None None
agent_ids []string None False Return activities related to specified agent ids None None
count_only boolean None False If true, only total number of items will be returned, without any of the actual objects None None
created_at_between string None False Return activities created within this range (inclusive), example 1514978764288-1514978999999 None None
created_at_gt string None False Return activities created after or at this date in ISO-8601, example 2018-02-27T04:49:26.257525Z None None
created_at_gte string None False Return activities created after or at this date in ISO-8601, example 2018-02-27T04:49:26.257525Z None None
created_at_lt string None False Return activities created before this date in ISO-8601, example 2018-02-27T04:49:26.257525Z None None
created_at_lte string None False Return activities created before or at this date in ISO-8601, example 2018-02-27T04:49:26.257525Z None None
cursor string None False Cursor position returned by the last request. Should be used for iterating over more than 1000 items, example YWdlbnRfaWQ6NTgwMjkzODE= None None
group_ids []string None False Get a list of activities None None
ids []string None False If true, total number of items will not be calculated, which speeds up execution time None None
include_hidden boolean None False Include internal activities hidden from display? None None
limit integer None False Limit number of returned items (1-100) None None
site_ids []string None False List of Site IDs to filter by None None
skip integer None False Skip first number of items (0-1000). For iterating over more than a 1000 items please use cursor instead None None
skip_count boolean None False If true, total number of items will not be calculated, which speeds up execution time None None
sort_by string None False The column to sort the results by ['id', 'activityType', 'createdAt'] None
sort_order string None False Sort direction ['asc', 'desc'] None
threat_ids []string None False Return only these activity codes None None
user_emails []string None False Email of the user who invoked the activity (If applicable) None None
user_ids []string None False The user who invoked the activity (If applicable) None None

Output

Name Type Required Description
data []activities_list True Result of activities list
pagination pagination True Pagination object

Example output:

Get Activity Types

This action is used to get a list of activity types.

Example input:

Output
Name Type Required Description
activity_types []activities_types True Result of activities types

Example output:

{
  "activity_types": [
    {
      "id": 0,
      "descriptionTemplate": "string",
      "action": "string"
    }
  ]
}

Agents Abort Scan

This action aborts a running scan on all agents matching the input filter.

Input
Name Type Default Required Description Enum Example
filter object None True Applied filter - only matched agents will be affected by the requested action. Leave empty to apply the action on all applicable agents None None

Example input:

Output
Name Type Required Description
affected integer False Number of entities affected by the requested operation

Example output:

{
  "affected": 0
}

Connect to network

This action sends a connect to network command to all agents matching the input filter.

Input
Name Type Default Required Description Enum Example
filter object None True Applied filter - only matched agents will be affected by the requested action. Leave empty to apply the action on all applicable agents None None

Example input:

Output
Name Type Required Description
affected integer False Number of entities affected by the requested operation

Example output:

{
  "affected": 0
}

Agent Decommission

This action decommissions all agents matching the input filter.

Input
Name Type Default Required Description Enum Example
filter object None True Applied filter - only matched agents will be affected by the requested action. Note - one of the following filter arguments must be supplied - ids, groupIds, filterId None None

Example input:

Output
Name Type Required Description
affected integer False Number of entities affected by the requested operation

Example output:

{
  "affected": 0
}

Disconnect Agents

This action disconnects agents associated with marked threats from the network.

Input
Name Type Default Required Description Enum Example
filter object None True Use any of the filtering options to control the list of affected threats. You can also leave this field empty to apply to all available threats None None

Example input:

Output
Name Type Required Description
affected integer False Number of entities affected by the requested operation

Example output:

{
  "affected": 0
}

Agents Fetch Logs

This action sends a fetch logs command to all agents matching the input filter.

Input
Name Type Default Required Description Enum Example
filter object None True Applied filter - only matched agents will be affected by the requested action. Leave empty to apply the action on all applicable agents None None

Example input:

Output
Name Type Required Description
affected integer False Number of entities affected by the requested operation

Example output:

{
  "affected": 0
}

Initiate scan

This action sends a scan command to all agents matching the input filter.

Input
Name Type Default Required Description Enum Example
filter object None True Applied filter - only matched agents will be affected by the requested action. Leave empty to apply the action on all applicable agents None None

Example input:

Output
Name Type Required Description
affected integer False Number of entities affected by the requested operation

Example output:

{
  "affected": 0
}

Agents Processes

This action is used to retrieve running processes for a specific agent.

Input
Name Type Default Required Description Enum Example
ids []string None True Agent ID list None None

Example input:

Output
Name Type Required Description
agents_processes []agents_processes False Agents processes entities

Example output:

Agents Reload

This action is used to reload an agent module (applies to Windows agents only).

Input
Name Type Default Required Description Enum Example
filter object None True Applied filter - only matched agents will be affected by the requested action. Leave empty to apply the action on all applicable agents None None
module string None True Agent module to reload ['monitor', 'static', 'agent', 'log'] None

Example input:

{
  "filter": {
    "ids": [
      "901345720792880606"
    ]
  },
  "module": "monitor"
}
Output
Name Type Required Description
affected integer False Number of entities affected by the requested operation

Example output:

{
  "affected": 0
}

Agents Restart

This action sends a restart command to all agents matching the input filter.

Input
Name Type Default Required Description Enum Example
filter object None True Applied filter - only matched agents will be affected by the requested action. Note - One of the following filter arguments must be supplied - ids, groupIds, filterId None None

Example input:

Output
Name Type Required Description
affected integer False Number of entities affected by the requested operation

Example output:

{
  "affected": 0
}

Agents Shutdown

This action sends a shutdown command to all agents matching the input filter.

Input
Name Type Default Required Description Enum Example
filter object None True Applied filter - only matched agents will be affected by the requested action. Note - one of the following filter arguments must be supplied - ids, groupIds, filterId None None

Example input:

Output
Name Type Required Description
affected integer False Number of entities affected by the requested operation

Example output:

{
  "affected": 0
}

Count Summary

This action is used to get a summary of agents by count.

Input
Name Type Default Required Description Enum Example
account_ids []string None False List of Account IDs to filter by None None
site_ids []string None False List of Site IDs to filter by None None

Example input:

Output
Name Type Required Description
decommissioned integer False Number of decommissioned agents
infected integer False Number of agents with at least one active threat
online integer False Number of online agents
out_of_date integer False Number of agents running an older software version
total integer False Number of installed active agents
up_to_date integer False Number of agents with the most up-to-date software version

Example output:

Uninstall

This action sends an uninstall command to all agents matching the input filter.

Input
Name Type Default Required Description Enum Example
filter object None True Applied filter - only matched agents will be affected by the requested action. Note - one of the following filter arguments must be supplied - ids, groupIds, filterId None None

Example input:

Output
Name Type Required Description
affected integer False Number of entities affected by the requested operation

Example output:

{
  "affected": 0
}

Agents Applications

This action is used to retrieve running applications for a specific agent.

Input
Name Type Default Required Description Enum Example
ids []string None True Agent ID list None None

Example input:

Output
Name Type Required Description
data []agent_applications True List of installed applications

Example output:

Blacklist by Content Hash

This action is used to add hashed content to the global blacklist. The input for this action makes use of contentHash from the threat summary.

Input
Name Type Default Required Description Enum Example
hash string None True Content hash to add to blacklist None None

Example input:

Output
Name Type Required Description
result blacklist_data True Result of hashing operation

Example output:

{
  "blacklist_data": {
    "affected": 127
  }
}

Blacklist by IoC Hash

This action is used to add a hashed indicator of compromise to the global blacklist.

Input
Name Type Default Required Description Enum Example
agent_id string None True Agent ID None None
hash string None True Indicator of compromise hash to add to blacklist None None

Example input:

Output
Name Type Required Description
result blacklist_data True Result of hashing operation

Example output:

{
  "blacklist_data": {
    "affected": 127
  }
}

Create IOC Threat

This action is used to create a threat from an IOC event.

Input
Name Type Default Required Description Enum Example
agent_id string None True Agent ID for the slim threat None None
annotation string None True Vigilance annotation None None
annotation_url string None True Vigilance annotation URL None None
group_id string None False Group ID None None
hash string None True SHA1 hash None None
path string None False Path None None

Example input:

Output
Name Type Required Description
affected integer False Number of entities affected by the requested operation

Example output:

{
  "affected": 1
}

Get Threat Summary

This action gets a summary of all threats.

Output
Name Type Required Description
data []data False Data
errors []object False Errors
pagination pagination False Pagination

Example output:

Mark as Benign

This action is used to mark a threat as resolved.

Input
Name Type Default Required Description Enum Example
target_scope string None True Scope to be used for exclusions ['group', 'site', 'tenant'] None
threat_id string None True ID of a threat None None
whitening_option string None False Selected whitening option ['', 'browser-type', 'certificate', 'file-type', 'file_hash', 'path'] None

Example input:

Output
Name Type Required Description
affected integer False Number of entities affected by the requested operation

Example output:

{
  "affected": 1
}

Mark as Threat

This action is used to mark a suspicious threat as a threat.

Input
Name Type Default Required Description Enum Example
target_scope string None True Scope to be used for exclusions ['group', 'site', 'tenant'] None
threat_id string None True ID of a threat None None
whitening_option string None False Selected whitening option ['', 'browser-type', 'certificate', 'file-type', 'file_hash', 'path'] None

Example input:

Output
Name Type Required Description
affected integer False Number of entities affected by the requested operation

Example output:

{
  "affected": 1
}

Mitigate Threat

This action is used to apply a mitigation action to a threat.

Input
Name Type Default Required Description Enum Example
action string None True Mitigation action ['rollback-remediation', 'quarantine', 'kill', 'remediate', 'un-quarantine'] None
threat_id string None True ID of a threat None None

Example input:

Output
Name Type Required Description
affected integer False Number of entities affected by the requested operation

Example output:

{
  "affected": 1
}

Available Name

This action checks whether the given account name is available.

Input
Name Type Default Required Description Enum Example
name string None True Account Name to validate None None

Example input:

Output
Name Type Required Description
available boolean True Whether the account name is available

Example output:

{
  "available": true
}

Blacklist

This action is used to blacklist and unblacklist a SHA1 hash. The blacklist is attempted for Linux, Windows, and MacOS operating systems and for all sites that the user has permission to manage. Note that when attempting to unblacklist a SHA1 hash by setting blacklist_state to false, the SentinelOne API will always return success even if the hash was not blacklisted to begin with.

Input
Name Type Default Required Description Enum Example
blacklist_state boolean True True True to create blacklist hash, false to unblacklist hash None True
description string Hash Blacklisted from InsightConnect False Description for why the hash is blacklisted None Hash Blacklisted from InsightConnect
hash string None True Create a blacklist item from a SHA1 hash None 3395856ce81f2b7382dee72602f798b642f14140

Example input:

{
  "blacklist_state": true,
  "description": "Hash Blacklisted from InsightConnect",
  "hash": "3395856ce81f2b7382dee72602f798b642f14140"
}
Output
Name Type Required Description
success boolean True Return true if blacklist item was created or deleted

Example output:

{
  "success": true
}

Triggers

Get Threats

This trigger is used to get threats.

Input
Name Type Default Required Description Enum Example
agent_is_active boolean None False Include agents currently connected to the management console None None
classifications []string None False List of classifications to search None None
engines []string None False Included engines None None
frequency integer 5 False Poll frequency in seconds None None
resolved boolean None False Include resolved threats None None

Example input:

Output
Name Type Required Description
threat data False Threat

Example output:

{
  "threat": {
    "agentComputerName": "vagrant-pc",
    "agentDomain": "WORKGROUP",
    "agentId": "560700200554747611",
    "agentInfected": false,
    "agentIp": "xxx.xxx.xxx.xxx",
    "agentIsActive": true,
    "agentIsDecommissioned": false,
    "agentMachineType": "desktop",
    "agentNetworkStatus": "connected",
    "agentOsType": "windows",
    "agentVersion": "3.0.1.3",
    "annotation": null,
    "annotationUrl": null,
    "browserType": null,
    "certId": "",
    "classification": "Malware",
    "classificationSource": "Engine",
    "classifierName": "BLACKLIST",
    "cloudVerdict": "black",
    "collectionId": "433377870883088367",
    "createdAt": "2019-02-13T15:05:21.948892Z",
    "createdDate": "2019-02-13T15:05:21.605000Z",
    "description": "malware detected - not mitigated yet (static engine)",
    "engines": [
      "reputation"
    ],
    "fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
    "fileCreatedDate": null,
    "fileDisplayName": "{D5EEFA7C-3EA6-4B78-BED3-56CB49156FD1}-EICAR.com",
    "fileExtensionType": "Executable",
    "fileIsDotNet": null,
    "fileIsExecutable": false,
    "fileIsSystem": false,
    "fileMaliciousContent": null,
    "fileObjectId": "49E6C98245C9F0D8",
    "filePath": "\\Device\\HarddiskVolume2\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\{D5EEFA7C-3EA6-4B78-BED3-56CB49156FD1}-EICAR.com",
    "fileSha256": null,
    "fileVerificationType": "NotSigned",
    "fromCloud": false,
    "fromScan": false,
    "id": "560707325754496894",
    "indicators": [],
    "isCertValid": false,
    "isInteractiveSession": false,
    "isPartialStory": false,
    "maliciousGroupId": "B5930C761E06E0CD",
    "maliciousProcessArguments": null,
    "markedAsBenign": null,
    "mitigationMode": "protect",
    "mitigationReport": {
      "kill": {
        "status": "success"
      },
      "network_quarantine": {
        "status": null
      },
      "quarantine": {
        "status": "success"
      },
      "remediate": {
        "status": null
      },
      "rollback": {
        "status": null
      }
    },
    "mitigationStatus": "mitigated",
    "publisher": "",
    "rank": 7,
    "resolved": false,
    "siteId": "521580416395045459",
    "siteName": "Rapid7",
    "threatAgentVersion": "3.0.1.3",
    "threatName": null,
    "updatedAt": "2019-02-13T15:05:22.274291Z",
    "username": "",
    "whiteningOptions": [
      "hash"
    ]
  }
}
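The Get Threats trigger filters on classifications, engines, resolved and agent_is_active, and each threat it emits carries a mitigationReport whose per-action status tells you whether the agent actually contained the file. The following is an added example (not the plugin's own code) of applying those trigger filters to threat records and triaging the mitigationReport; the first two sample records are trimmed from the trigger and Get Threat Summary outputs on this page, the third is constructed, and the escalation rules are this example's own assumptions.

```python
from typing import Any, Dict, List

# Sample threat records. The first two are trimmed from the Get Threats trigger and Get Threat
# Summary example outputs on this page; the third is constructed to show a failed mitigation step.
SAMPLE_THREATS: List[Dict[str, Any]] = [
    {
        "id": "560707325754496894", "classification": "Malware", "engines": ["reputation"],
        "resolved": False, "agentIsActive": True, "agentInfected": False,
        "mitigationStatus": "mitigated",
        "mitigationReport": {"kill": {"status": "success"}, "quarantine": {"status": "success"},
                             "network_quarantine": {"status": None}, "remediate": {"status": None},
                             "rollback": {"status": None}},
    },
    {
        "id": "566535959618699500", "classification": "Malware", "engines": ["reputation"],
        "resolved": True, "agentIsActive": False, "agentInfected": False,
        "mitigationStatus": "active",
        "mitigationReport": {"kill": {"status": "success"}, "quarantine": {"status": "success"},
                             "network_quarantine": {}, "remediate": {}, "rollback": {},
                             "unquarantine": {}},
    },
    {   # constructed record
        "id": "000000000000000003", "classification": "Ransomware", "engines": ["pre_execution"],
        "resolved": False, "agentIsActive": True, "agentInfected": True,
        "mitigationStatus": "active",
        "mitigationReport": {"kill": {"status": "success"}, "quarantine": {"status": "failed"}},
    },
]


def passes_trigger_filter(threat: Dict[str, Any], classifications=None, engines=None,
                          resolved=None, agent_is_active=None) -> bool:
    """Apply the Get Threats trigger inputs to one threat record; None means 'not filtered'."""
    if classifications is not None and threat.get("classification") not in classifications:
        return False
    if engines is not None and not set(engines) & set(threat.get("engines") or []):
        return False
    if resolved is not None and bool(threat.get("resolved")) != resolved:
        return False
    if agent_is_active is not None and bool(threat.get("agentIsActive")) != agent_is_active:
        return False
    return True


def filter_threats(threats: List[Dict[str, Any]], **trigger_inputs) -> List[Dict[str, Any]]:
    return [t for t in threats if passes_trigger_filter(t, **trigger_inputs)]


def mitigation_summary(report) -> Dict[str, List[str]]:
    """Group the actions in a mitigationReport into 'success', 'failed' and 'not_attempted'.
    Both shapes seen on this page are handled: {"status": None} and an empty {}."""
    summary: Dict[str, List[str]] = {"success": [], "failed": [], "not_attempted": []}
    for action, result in sorted((report or {}).items()):
        status = (result or {}).get("status")
        if status is None:
            summary["not_attempted"].append(action)
        elif status == "success":
            summary["success"].append(action)
        else:
            summary["failed"].append(action)
    return summary


def triage(threat: Dict[str, Any]) -> Dict[str, Any]:
    """Decide whether an analyst needs to look at this threat, and why."""
    summary = mitigation_summary(threat.get("mitigationReport"))
    reasons = []
    if threat.get("mitigationStatus") != "mitigated":
        reasons.append("mitigationStatus is %r, not 'mitigated'" % threat.get("mitigationStatus"))
    for action in summary["failed"]:
        reasons.append("mitigation step %s failed" % action)
    if threat.get("agentInfected"):
        reasons.append("agent still reports an active threat")
    if not threat.get("agentIsActive"):
        reasons.append("agent is offline, so the mitigation result cannot be confirmed")
    # Treat the file as contained only when both kill and quarantine report success.
    contained = "kill" in summary["success"] and "quarantine" in summary["success"]
    return {"id": threat.get("id"), "contained": contained, "escalate": bool(reasons), "reasons": reasons}
```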

Custom Output Types

activities_types

Name Type Required Description
action string False Action described in the activity
descriptionTemplate string False Activity description template as seen in activity page
id float False Activity type ID

activities_list

|Name|Type|Required|Description|
|----|----|--------|-----------|
|accountId|string|False|Related account (if applicable)|
|activityType|integer|False|Activity type|
|agentId|string|False|Related agent (if applicable)|
|agentUpdatedVersion|string|False|Agent's new version (if applicable)|
|comments|string|False|Comments|
|createdAt|string|False|Activity creation time (UTC)|
|data|object|False|Extra activity-specific data|
|description|string|False|Extra activity information|
|groupId|string|False|Related group (if applicable)|
|hash|string|False|Threat file hash (if applicable)|
|id|string|False|Activity ID|
|osFamily|string|False|Agent's OS type (if applicable)|
|primaryDescription|string|False|Primary description|
|secondaryDescription|string|False|Secondary description|
|siteId|string|False|Related site (if applicable)|
|threatId|string|False|Related threat (if applicable)|
|updatedAt|string|False|Activity last updated time (UTC)|
|userId|string|False|The user who invoked the activity (if applicable)|

agent_applications

|Name|Type|Required|Description|
|----|----|--------|-----------|
|installedDate|string|False|Date when the application was installed|
|name|string|False|Name of installed application|
|publisher|string|False|Publisher of installed application|
|size|string|False|Size of installed application|
|version|string|False|Version of installed application|

agents_processes

|Name|Type|Required|Description|
|----|----|--------|-----------|
|cpuUsage|integer|False|CPU usage (%)|
|executablePath|string|False|Executable path|
|memoryUsage|integer|False|Memory usage (MB)|
|pid|integer|False|Process ID|
|processName|string|False|Process name|
|startTime|string|False|Start time|

blacklist_data

|Name|Type|Required|Description|
|----|----|--------|-----------|
|affected|integer|False|Number of entities affected by the blacklist operation|

pagination

|Name|Type|Required|Description|
|----|----|--------|-----------|
|nextCursor|string|False|Cursor for the next page of results (empty on the last page)|
|totalItems|integer|False|Total items|

data

|Name|Type|Required|Description|
|----|----|--------|-----------|
|agentComputerName|string|False|Agent computer name|
|agentDomain|string|False|Agent domain|
|agentId|string|False|Agent ID|
|agentInfected|boolean|False|Agent infected|
|agentIp|string|False|Agent IP|
|agentIsActive|boolean|False|Agent is active|
|agentIsDecommissioned|boolean|False|Agent is decommissioned|
|agentMachineType|string|False|Agent machine type|
|agentNetworkStatus|string|False|Agent network status|
|agentOsType|string|False|Agent OS type|
|agentVersion|string|False|Agent version|
|annotation|string|False|Annotation|
|annotationUrl|string|False|Annotation URL|
|browserType|string|False|Browser type|
|certId|string|False|Cert ID|
|classification|string|False|Classification|
|classificationSource|string|False|Classification source|
|classifierName|string|False|Classifier name|
|cloudVerdict|string|False|Cloud verdict|
|collectionId|string|False|Collection ID|
|createdAt|string|False|Created at|
|createdDate|string|False|Created date|
|description|string|False|Description|
|engines|[]string|False|Engines|
|fileContentHash|string|False|File content hash (SHA1)|
|fileCreatedDate|string|False|File created date|
|fileData|object|False|File data|
|fileDisplayName|string|False|File display name|
|fileExtensionType|string|False|File extension type|
|fileIsDotNet|boolean|False|File is .NET|
|fileIsExecutable|boolean|False|File is executable|
|fileIsSystem|boolean|False|File is system|
|fileMaliciousContent|boolean|False|File malicious content|
|fileObjectId|string|False|File object ID|
|filePath|string|False|File path|
|fileSha256|string|False|File SHA256|
|fileVerificationType|string|False|File verification type|
|fromCloud|boolean|False|From cloud|
|fromScan|boolean|False|From scan|
|id|string|False|ID|
|inQuarantine|boolean|False|In quarantine|
|indicators|[]integer|False|Indicators|
|isCertValid|boolean|False|Is cert valid|
|isInteractiveSession|boolean|False|Is interactive session|
|isPartialStory|boolean|False|Is partial story|
|maliciousGroupId|string|False|Malicious group ID|
|maliciousProcessArguments|string|False|Malicious process arguments|
|markedAsBenign|boolean|False|Marked as benign|
|mitigationActions|[]string|False|Mitigation actions|
|mitigationMode|string|False|Mitigation mode|
|mitigationReport|object|False|Mitigation report (per-step status, e.g. kill, quarantine, remediate, rollback, network_quarantine)|
|mitigationStatus|string|False|Mitigation status|
|publisher|string|False|Publisher|
|rank|integer|False|Rank|
|resolved|boolean|False|Resolved|
|siteId|string|False|Site ID|
|siteName|string|False|Site name|
|threatAgentVersion|string|False|Threat agent version|
|threatName|string|False|Threat name|
|updatedAt|string|False|Updated at|
|username|string|False|Username|
|whiteningOptions|[]string|False|Whitening options|
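The pagination and data types above describe what a Get Threat Summary result looks like: a list of threat records plus a cursor for the next page. The following Python is an added example written for this page, not code from the Rapid7 plugin or from SentinelOne. It walks a paginated result by following nextCursor, then decides per threat which Mitigate Threat action (one of the plugin's enum values) to request and whether fileContentHash is fit to feed Blacklist by Content Hash. The page fetcher and the threat records are constructed here so it runs offline, and the triage policy (retry kill, then quarantine; leave remediate and rollback to an analyst) is this example's own assumption, not plugin behaviour.

```python
import re
from typing import Callable, Dict, Iterator, List, Optional

# Actions accepted by the plugin's Mitigate Threat input enum (from the spec on this page).
MITIGATION_ACTIONS = ("rollback-remediation", "quarantine", "kill", "remediate", "un-quarantine")

# fileContentHash is a SHA1 digest (40 hex characters), as in the example output on this page.
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def iter_threats(fetch_page: Callable[[Optional[str]], dict]) -> Iterator[dict]:
    """Yield every threat across pages by following pagination.nextCursor.

    fetch_page(cursor) returns one Get Threat Summary response shaped like
    {"data": [...], "pagination": {"nextCursor": str|None, "totalItems": int}}.
    Stops on an empty cursor and refuses to follow a cursor it has already used.
    """
    cursor: Optional[str] = None
    seen = set()
    while True:
        page = fetch_page(cursor)
        for threat in page.get("data") or []:
            yield threat
        cursor = (page.get("pagination") or {}).get("nextCursor")
        if not cursor:
            return
        if cursor in seen:
            raise RuntimeError("nextCursor repeated; aborting to avoid looping forever")
        seen.add(cursor)


def unsuccessful_steps(threat: dict) -> List[str]:
    """Steps in mitigationReport whose status is not 'success' (failed or never run)."""
    report = threat.get("mitigationReport") or {}
    return sorted(step for step, result in report.items()
                  if (result or {}).get("status") != "success")


def choose_action(threat: dict) -> Optional[str]:
    """Pick the Mitigate Threat action to request, or None when nothing is needed.

    Policy (this example's assumption): resolved, benign or already-mitigated threats
    get no action; otherwise a failed/absent kill is retried first, then quarantine.
    """
    if threat.get("resolved") or threat.get("markedAsBenign"):
        return None
    if threat.get("mitigationStatus") == "mitigated":
        return None
    report = threat.get("mitigationReport") or {}
    for step in ("kill", "quarantine"):
        if (report.get(step) or {}).get("status") != "success":
            assert step in MITIGATION_ACTIONS  # these step names double as enum values
            return step
    return None


def blacklist_hash(threat: dict) -> Optional[str]:
    """Return a normalised fileContentHash fit for Blacklist by Content Hash, else None."""
    if threat.get("markedAsBenign"):
        return None
    digest = (threat.get("fileContentHash") or "").strip().lower()
    return digest if SHA1_RE.match(digest) else None


def triage(fetch_page: Callable[[Optional[str]], dict]) -> List[Dict[str, Optional[str]]]:
    """Walk all pages and produce one decision record per threat."""
    return [{"id": t.get("id"), "action": choose_action(t), "blacklist_hash": blacklist_hash(t)}
            for t in iter_threats(fetch_page)]


# Constructed sample data (not real API output): two pages shaped like the plugin's
# Get Threat Summary output. Threat 1 mirrors the EICAR record shown on this page;
# 2-4 cover a failed kill, a resolved threat, and a failed quarantine.
SAMPLE_PAGES = {
    None: {
        "data": [
            {"id": "1", "mitigationStatus": "mitigated", "resolved": False, "markedAsBenign": None,
             "fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140",
             "mitigationReport": {"kill": {"status": "success"}, "quarantine": {"status": "success"},
                                  "network_quarantine": {"status": None}, "remediate": {"status": None},
                                  "rollback": {"status": None}}},
            {"id": "2", "mitigationStatus": "active", "resolved": False, "markedAsBenign": None,
             "fileContentHash": None,
             "mitigationReport": {"kill": {"status": "failed"}, "quarantine": {"status": None}}},
        ],
        "pagination": {"nextCursor": "page-2", "totalItems": 4},
    },
    "page-2": {
        "data": [
            {"id": "3", "mitigationStatus": "mitigated", "resolved": True, "markedAsBenign": None,
             "fileContentHash": "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709",
             "mitigationReport": {"kill": {"status": "success"}, "quarantine": {"status": "success"}}},
            {"id": "4", "mitigationStatus": "active", "resolved": False, "markedAsBenign": None,
             "fileContentHash": "not-a-hash",
             "mitigationReport": {"kill": {"status": "success"}, "quarantine": {"status": "failed"}}},
        ],
        "pagination": {"nextCursor": None, "totalItems": 4},
    },
}


def sample_fetch_page(cursor: Optional[str]) -> dict:
    """Stand-in for the plugin's Get Threat Summary call, served from SAMPLE_PAGES."""
    return SAMPLE_PAGES[cursor]


if __name__ == "__main__":
    for record in triage(sample_fetch_page):
        print(record)
```

In a workflow, `sample_fetch_page` would be replaced by the plugin's Get Threat Summary step and each decision record would drive a Mitigate Threat or Blacklist by Content Hash step; the cursor guard matters because a cursor that never advances would otherwise keep the loop running against the console indefinitely.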

agent_data

|Name|Type|Required|Description|
|----|----|--------|-----------|
|accountId|string|False|A reference to the containing account|
|accountName|string|False|Name of the containing account|
|activeDirectory|object|False|Active Directory data|
|activeThreats|integer|False|Current number of active threats|
|agentVersion|string|False|Agent version|
|allowRemoteShell|boolean|False|Agent is capable of, and policy enables, remote shell|
|appsVulnerabilityStatus|string|False|Apps vulnerability status|
|computerName|string|False|Computer name|
|consoleMigrationStatus|string|False|What step the agent is at in the process of migrating to another console, if any|
|coreCount|integer|False|Number of CPU cores|
|cpuCount|integer|False|Number of CPUs|
|cpuId|string|False|CPU model|
|createdAt|string|False|Created at date|
|domain|string|False|Network domain|
|encryptedApplications|boolean|False|Disk encryption status|
|externalId|string|False|External ID set by customer|
|externalIp|string|False|External IPv4 address|
|groupId|string|False|A reference to the containing network group|
|groupIp|string|False|IP address subnet|
|groupName|string|False|Name of the containing network group|
|groupUpdatedAt|string|False|Date when the group was last updated|
|id|string|False|Agent ID|
|inRemoteShellSession|boolean|False|Is the agent in a remote shell session|
|infected|boolean|False|Indicates if the agent has active threats|
|installerType|string|False|Installer package type (file extension)|
|isActive|boolean|False|Indicates if the agent was recently active|
|isDecommissioned|boolean|False|Is the agent decommissioned|
|isPendingUninstall|boolean|False|Agent has a pending uninstall request|
|isUninstalled|boolean|False|Indicates if the agent was removed from the device|
|isUpToDate|boolean|False|Indicates if the agent version is up to date|
|lastActiveDate|string|False|Last active date|
|lastLoggedInUserName|string|False|Last logged in user name|
|licenseKey|string|False|License key|
|locationType|string|False|Reported location type|
|locations|[]object|False|A list of locations reported by the agent|
|machineType|string|False|Machine type|
|mitigationMode|string|False|Agent mitigation mode policy|
|mitigationModeSuspicious|string|False|Mitigation mode policy for suspicious activity|
|modelName|string|False|Model name|
|networkInterfaces|[]object|False|Device's network interfaces|
|networkStatus|string|False|Agent's network connectivity status|
|osArch|string|False|OS architecture|
|osName|string|False|OS name|
|osRevision|string|False|OS revision|
|osStartTime|string|False|Last boot time|
|osType|string|False|OS type|
|osUsername|string|False|OS username|
|policyUpdatedAt|string|False|Date when the policy was last updated|
|rangerStatus|string|False|Is the agent disabled as a Ranger|
|rangerVersion|string|False|The version of Ranger|
|registeredAt|string|False|Time of first registration to the management console (similar to createdAt)|
|scanAbortedAt|string|False|Abort time of last scan|
|scanFinishedAt|string|False|Finish time of last scan|
|scanStartedAt|string|False|Start time of last scan|
|scanStatus|string|False|Last scan status|
|siteId|string|False|A reference to the containing site|
|siteName|string|False|Name of the containing site|
|threatRebootRequired|boolean|False|Has at least one threat with at least one mitigation action that is pending reboot to succeed|
|totalMemory|integer|False|Memory size (MB)|
|updatedAt|string|False|Last updated date|
|userActionsNeeded|[]string|False|A list of pending user actions|
|uuid|string|False|Agent's universally unique identifier|

quarantine_response

|Name|Type|Required|Description|
|----|----|--------|-----------|
|data|object|False|Response data|
|errors|[]object|False|Errors|

Troubleshooting

This plugin does not contain any troubleshooting information.

Version History

  • 1.4.0 - New actions Quarantine, Get Agent Details, Search Agents
  • 1.3.0 - Add new action Blacklist
  • 1.2.2 - Update error message in Connection
  • 1.2.1 - Update to use the komand/python-3-37-slim-plugin Docker image to reduce plugin size
  • 1.2.0 - New spec and help.md format for the Extension Library | New actions activities_list, activities_types, agents_abort_scan, agents_connect, agents_decommission, agents_disconnect, agents_fetch_logs, agents_initiate, agents_processes, agents_reload, agents_restart, agents_shutdown, agents_summary, agents_uninstall, apps_by_agent_ids, name_available
  • 1.1.0 - New trigger Get Threats | New actions Mitigate Threat, Mark as Benign, Mark as Threat and Create IOC Threat
  • 1.0.1 - Update to add Blacklist by IoC Hash and Blacklist by Content Hash
  • 1.0.0 - Initial plugin

Links

References

plugin_spec_version: v2
extension: plugin
products: [insightconnect]
name: sentinelone
title: SentinelOne
version: 1.4.0
description: The SentinelOne plugin allows you to manage and mitigate all your security operations through SentinelOne
vendor: rapid7
support: rapid7
status: []
resources:
  source_url: https://github.com/rapid7/insightconnect-plugins/tree/master/sentinelone
  license_url: https://github.com/rapid7/insightconnect-plugins/blob/master/LICENSE
  vendor_url: https://www.sentinelone.com/
tags:
- sentinelone
- endpoint
- detection
hub_tags:
  use_cases: [threat_detection_and_response]
  keywords: [sentinelone, endpoint, detection]
  features: []
types:
  activities_types:
    id:
      title: Type ID
      description: Activity type ID
      type: float
      required: false
    descriptionTemplate:
      title: Description Template
      description: Activity description template as seen in the activity page
      type: string
      required: false
    action:
      title: Action
      description: Action described in the activity
      type: string
      required: false
  activities_list:
    comments:
      title: Comments
      type: string
      description: Comments
      required: false
    userId:
      title: UserId
      type: string
      description: The user who invoked the activity (If applicable)
      required: false
    accountId:
      title: Account ID
      type: string
      description: Related account (If applicable)
      required: false
    createdAt:
      title: Created At
      type: string
      description: Activity creation time (UTC)
      required: false
    data:
      title: Data
      type: object
      description: Extra activity specific data
      required: false
    agentUpdatedVersion:
      title: Agent Updated Version
      type: string
      description: Agent's new version (If applicable)
      required: false
    siteId:
      title: Site ID
      type: string
      description: Related site (If applicable)
      required: false
    id:
      title: ID
      type: string
      description: Activity ID
      required: false
    updatedAt:
      title: Updated At
      type: string
      description: Activity last updated time (UTC)
      required: false
    description:
      title: Description
      type: string
      description: Extra activity information
      required: false
    primaryDescription:
      title: Primary Description
      type: string
      description: Primary description
      required: false
    agentId:
      title: Agent ID
      type: string
      description: Related agent (If applicable)
      required: false
    hash:
      title: Hash
      type: string
      description: Threat file hash (If applicable)
      required: false
    activityType:
      title: Activity Type
      type: integer
      description: Activity type
      required: false
    osFamily:
      title: OS Family
      type: string
      description: Agent's OS type (if applicable)
      required: false
    threatId:
      title: Threat ID
      type: string
      description: Related threat (If applicable)
      required: false
    groupId:
      title: Group ID
      type: string
      description: Related group (If applicable)
      required: false
    secondaryDescription:
      title: Secondary Description
      type: string
      description: Secondary description
      required: false
  agent_applications:
    installedDate:
      title: Installed Date
      description: Date when application installed
      type: string
      required: false
    version:
      title: Version
      description: Version of installed application
      type: string
      required: false
    publisher:
      title: Publisher
      description: Publisher of installed application
      type: string
      required: false
    size:
      title: Size
      description: Size of installed application
      type: string
      required: false
    name:
      title: Name
      description: Name of installed application
      type: string
      required: false
  agents_processes:
    startTime:
      title: Start time
      description: Start time
      type: string
      required: false
    processName:
      title: Process name
      description: Process name
      type: string
      required: false
    memoryUsage:
      title: Memory usage
      description: Memory usage (MB)
      type: integer
      required: false
    cpuUsage:
      title: CPU Usage
      description: CPU Usage (%)
      type: integer
      required: false
    executablePath:
      title: Executable path
      description: Executable path
      type: string
      required: false
    pid:
      title: PID
      description: Process ID
      type: integer
      required: false
  blacklist_data:
    affected:
      title: Affected
      type: integer
      description: Affected
      required: false
  pagination:
    totalItems:
      title: Total Items
      type: integer
      description: Total items
      required: false
    nextCursor:
      title: Next Cursor
      type: string
      description: Next cursor
      required: false
  data:
    username:
      title: Username
      type: string
      description: Username
      required: false
    classification:
      title: Classification
      type: string
      description: Classification
      required: false
    siteName:
      title: Site Name
      type: string
      description: Site name
      required: false
    fileObjectId:
      title: File Object ID
      type: string
      description: File object ID
      required: false
    mitigationActions:
      title: Mitigation Actions
      type: '[]string'
      description: Mitigation actions
      required: false
    fileCreatedDate:
      title: File Created Date
      type: string
      description: File created date
      required: false
    fileIsExecutable:
      title: File is Executable
      type: boolean
      description: File is executable
      required: false
    agentIp:
      title: Agent IP
      type: string
      description: Agent IP
      required: false
    agentNetworkStatus:
      title: Agent Network Status
      type: string
      description: Agent network status
      required: false
    isInteractiveSession:
      title: Is Interactive Session
      type: boolean
      description: Is interactive session
      required: false
    agentVersion:
      title: Agent Version
      type: string
      description: Agent version
      required: false
    mitigationReport:
      title: Mitigation Report
      type: object
      description: Mitigation report
      required: false
    id:
      title: ID
      type: string
      description: ID
      required: false
    fileData:
      title: File Data
      type: object
      description: File data
      required: false
    agentId:
      title: Agent ID
      type: string
      description: Agent ID
      required: false
    fileExtensionType:
      title: File Extension Type
      type: string
      description: File extension type
      required: false
    fileDisplayName:
      title: File Display Name
      type: string
      description: File display name
      required: false
    createdAt:
      title: Created At
      type: string
      description: Created At
      required: false
    whiteningOptions:
      title: Whitening Options
      type: '[]string'
      description: Whitening options
      required: false
    maliciousProcessArguments:
      title: Malicious Process Arguments
      type: string
      description: Malicious process arguments
      required: false
    certId:
      title: Cert ID
      type: string
      description: Cert ID
      required: false
    engines:
      title: Engines
      type: '[]string'
      description: Engines
      required: false
    collectionId:
      title: Collection ID
      type: string
      description: Collection ID
      required: false
    inQuarantine:
      title: In Quarantine
      type: boolean
      description: In quarantine
      required: false
    browserType:
      title: Browser Type
      type: string
      description: Browser type
      required: false
    fileIsSystem:
      title: File is System
      type: boolean
      description: File is system
      required: false
    markedAsBenign:
      title: Marked as Benign
      type: boolean
      description: Marked as Benign
      required: false
    cloudVerdict:
      title: Cloud Verdict
      type: string
      description: Cloud verdict
      required: false
    indicators:
      title: Indicators
      type: '[]integer'
      description: Indicators
      required: false
    classificationSource:
      title: Classification Source
      type: string
      description: Classification source
      required: false
    agentComputerName:
      title: Agent Computer Name
      type: string
      description: Agent computer name
      required: false
    mitigationStatus:
      title: Mitigation Status
      type: string
      description: Mitigation status
      required: false
    resolved:
      title: Resolved
      type: boolean
      description: Resolved
      required: false
    fileSha256:
      title: File SHA 256
      type: string
      description: File SHA 256
      required: false
    description:
      title: Description
      type: string
      description: Description
      required: false
    filePath:
      title: File Path
      type: string
      description: File path
      required: false
    fromScan:
      title: From Scan
      type: boolean
      description: From scan
      required: false
    classifierName:
      title: Classifier Name
      type: string
      description: Classifier name
      required: false
    agentMachineType:
      title: Agent Machine Type
      type: string
      description: Agent machine type
      required: false
    isCertValid:
      title: Is Cert Valid
      type: boolean
      description: Is cert valid
      required: false
    fileIsDotNet:
      title: File is Dotnet
      type: boolean
      description: File is dotnet
      required: false
    fileContentHash:
      title: File Content Hash
      type: string
      description: File content hash
      required: false
    siteId:
      title: Site ID
      type: string
      description: Site ID
      required: false
    rank:
      title: Rank
      type: integer
      description: Rank
      required: false
    createdDate:
      title: Created Date
      type: string
      description: Created date
      required: false
    updatedAt:
      title: Updated At
      type: string
      description: Updated at
      required: false
    agentOsType:
      title: Agent OS Type
      type: string
      description: Agent OS type
      required: false
    agentIsDecommissioned:
      title: Agent is Decommissioned
      type: boolean
      description: Agent is Decommissioned
      required: false
    isPartialStory:
      title: Is Partial Story
      type: boolean
      description: Is partial story
      required: false
    annotation:
      title: Annotation
      type: string
      description: Annotation
      required: false
    fileVerificationType:
      title: File Verification Type
      type: string
      description: File verification type
      required: false
    publisher:
      title: Publisher
      type: string
      description: Publisher
      required: false
    threatName:
      title: Threat Name
      type: string
      description: Threat name
      required: false
    maliciousGroupId:
      title: Malicious Group ID
      type: string
      description: Malicious group ID
      required: false
    annotationUrl:
      title: Annotation URL
      type: string
      description: Annotation URL
      required: false
    agentIsActive:
      title: Agent is Active
      type: boolean
      description: Agent is Active
      required: false
    fromCloud:
      title: From Cloud
      type: boolean
      description: From cloud
      required: false
    mitigationMode:
      title: Mitigation Mode
      type: string
      description: Mitigation mode
      required: false
    agentDomain:
      title: Agent Domain
      type: string
      description: Agent domain
      required: false
    agentInfected:
      title: Agent Infected
      type: boolean
      description: Agent infected
      required: false
    threatAgentVersion:
      title: Threat Agent Version
      type: string
      description: Threat agent version
      required: false
    fileMaliciousContent:
      title: File Malicious Content
      type: boolean
      description: File malicious content
      required: false
  agent_data:
    scanFinishedAt:
      title: Scan Finished At
      description: Finish time of last scan
      type: string
      required: false
    inRemoteShellSession:
      title: In Remote Shell Session
      description: Is the Agent in a remote shell session
      type: boolean
      required: false
    externalIp:
      title: External IP
      description: External IPv4 address
      type: string
      required: false
    mitigationMode:
      title: Mitigation Mode
      description: Agent mitigation mode policy
      type: string
      required: false
    isUpToDate:
      title: Is Up To Date
      description: Indicates if the agent version is up to date
      type: boolean
      required: false
    scanAbortedAt:
      title: Scan Aborted At
      description: Abort time of last scan
      type: string
      required: false
    appsVulnerabilityStatus:
      title: Apps Vulnerability Status
      description: Apps vulnerability status
      type: string
      required: false
    rangerVersion:
      title: Ranger Version
      description: The version of Ranger
      type: string
      required: false
    createdAt:
      title: Created At
      description: Created at date
      type: string
      required: false
    userActionsNeeded:
      title: User Actions Needed
      description: A list of pending user actions
      type: "[]string"
      required: false
    groupId:
      title: Group ID
      description: A reference to the containing network group
      type: string
      required: false
    isPendingUninstall:
      title: Is Pending Uninstall
      description: Agent with a pending uninstall request
      type: boolean
      required: false
    accountName:
      title: Account Name
      description: Name of the containing account
      type: string
      required: false
    siteId:
      title: Site ID
      description: A reference to the containing site
      type: string
      required: false
    siteName:
      title: Site Name
      description: Name of the containing site
      type: string
      required: false
    osStartTime:
      title: OS Start Time
      description: Last boot time
      type: string
      required: false
    activeDirectory:
      title: Active Directory
      description: Active Directory data
      type: object
      required: false
    networkInterfaces:
      title: Network Interfaces
      description: Device's network interfaces
      type: "[]object"
      required: false
    rangerStatus:
      title: Ranger Status
      description: Is Agent disabled as a Ranger
      type: string
      required: false
    accountId:
      title: Account ID
      description: A reference to the containing account
      type: string
      required: false
    threatRebootRequired:
      title: Threat Reboot Required
      description: Has at least one threat with at least one mitigation action that is pending reboot to succeed
      type: boolean
      required: false
    osArch:
      title: OS Arch
      description: OS Arch
      type: string
      required: false
    activeThreats:
      title: Active Threats
      description: Current number of active threats
      type: integer
      required: false
    installerType:
      title: Installer Type
      description: Installer package type (file extension)
      type: string
      required: false
    scanStatus:
      title: Scan Status
      description: Last scan status
      type: string
      required: false
    groupName:
      title: Group Name
      description: Name of the containing network group
      type: string
      required: false
    consoleMigrationStatus:
      title: Console Migration Status
      description: What step the agent is at in the process of migrating to another console, if any
      type: string
      required: false
    infected:
      title: Infected
      description: Indicates if the Agent has active threats
      type: boolean
      required: false
    id:
      title: ID
      description: Agent ID
      type: string
      required: false
    updatedAt:
      title: Updated at
      description: Last updated date
      type: string
      required: false
    machineType:
      title: Machine Type
      description: Machine type
      type: string
      required: false
    isDecommissioned:
      title: Is Decommissioned
      description: Is Agent decommissioned
      type: boolean
      required: false
    osRevision:
      title: OS Revision
      description: OS revision
      type: string
      required: false
    scanStartedAt:
      title: Scan Started At
      description: Start time of last scan
      type: string
      required: false
    policyUpdatedAt:
      title: Policy Updated At
      description: Date of when the policy was last updated
      type: string
      required: false
    encryptedApplications:
      title: Encrypted Applications
      description: Disk encryption status
      type: boolean
      required: false
    locations:
      title: Locations
      description: A list of locations reported by the Agent
      type: "[]object"
      required: false
    domain:
      title: Domain
      description: Network domain
      type: string
      required: false
    locationType:
      title: Location Type
      description: Reported location type
      type: string
      required: false
    registeredAt:
      title: Registered At
      description: Time of first registration to management console (similar to createdAt)
      type: string
      required: false
    totalMemory:
      title: Total Memory
      description: Memory size (MB)
      type: integer
      required: false
    groupUpdatedAt:
      title: Group Updated At
      description: Date of when the group was last updated
      type: string
      required: false
    computerName:
      title: Computer Name
      description: Computer name
      type: string
      required: false
    isUninstalled:
      title: Is Uninstalled
      description: Indicates if Agent was removed from the device
      type: boolean
      required: false
    uuid:
      title: UUID
      description: Agent's universally unique identifier
      type: string
      required: false
    licenseKey:
      title: License Key
      description: License key
      type: string
      required: false
    isActive:
      title: Is Active
      description: Indicates if the agent was recently active
      type: boolean
      required: false
    cpuCount:
      title: CPU Count
      description: Number of CPUs
      type: integer
      required: false
    modelName:
      title: Model Name
      description: Model name
      type: string
      required: false
    externalId:
      title: External ID
      description: External id set by customer
      type: string
      required: false
    coreCount:
      title: Core Count
      description: Number of CPU cores
      type: integer
      required: false
    allowRemoteShell:
      title: Allow Remote Shell
      description: Agent is capable and policy enabled for remote shell
      type: boolean
      required: false
    agentVersion:
      title: Agent Version
      description: Agent version
      type: string
      required: false
    groupIp:
      title: Group IP
      description: IP Address subnet
      type: string
      required: false
    osName:
      title: OS Name
      description: OS name
      type: string
      required: false
    mitigationModeSuspicious:
      title: Mitigation Mode Suspicious
      description: Mitigation mode policy for suspicious activity
      type: string
      required: false
    osUsername:
      title: OS Username
      description: OS username
      type: string
      required: false
    lastLoggedInUserName:
      title: Last Logged In User Name
      description: Last logged in user name
      type: string
      required: false
    cpuId:
      title: CPU ID
      description: CPU model
      type: string
      required: false
    lastActiveDate:
      title: Last Active Date
      description: Last active date
      type: string
      required: false
    osType:
      title: OS Type
      description: OS type
      type: string
      required: false
    networkStatus:
      title: Network Status
      description: Agent's network connectivity status
      type: string
      required: false
  quarantine_response:
    errors:
      title: Errors
      description: Errors
      type: "[]object"
      required: false
    data:
      title: Data
      description: Response data
      type: object
      required: false
connection:
  credentials:
    type: credential_username_password
    title: Credentials
    description: Username and password
    required: true
    example: '{"username": "user@example.com", "password": "mypassword"}'
  url:
    title: URL
    description: SentinelOne Console URL
    type: string
    required: true
    example: https://example.sentinelone.com
actions:
  get_threat_summary:
    title: Get Threat Summary
    description: Gets summary of all threats
    output:
      pagination:
        title: Pagination
        type: pagination
        description: Pagination
        required: false
      errors:
        title: Errors
        type: '[]object'
        description: Errors
        required: false
      data:
        title: Data
        type: '[]data'
        description: Data
        required: false
  blacklist_by_content_hash:
    title: Blacklist by Content Hash
    description: Add hashed content to global blacklist. The input makes use of contentHash
      from the threat summary
    input:
      hash:
        title: Hash
        description: Content hash to add to blacklist
        type: string
        required: true
    output:
      result:
        title: Result
        type: blacklist_data
        description: Result of hashing operation
        required: true
  blacklist_by_ioc_hash:
    title: Blacklist by IoC Hash
    description: Add hashed indicator of compromise to global blacklist
    input:
      hash:
        title: IoC Hash
        description: Indicator of compromise hash to add to blacklist
        type: string
        required: true
      agent_id:
        title: Agent ID
        description: Agent ID
        type: string
        required: true
    output:
      result:
        title: Result
        type: blacklist_data
        description: Result of hashing operation
        required: true
  create_ioc_threat:
    title: Create IOC Threat
    description: Create a threat from an IOC event
    input:
      hash:
        title: Hash
        description: SHA1 hash
        type: string
        required: true
      agent_id:
        title: Agent ID
        description: Agent ID for the slim threat
        type: string
        required: true
      annotation:
        title: Annotation
        description: Vigilance annotation
        type: string
        required: true
      annotation_url:
        title: Annotation URL
        description: Vigilance annotation URL
        type: string
        required: true
      group_id:
        title: Group ID
        description: Group ID
        type: string
        required: false
      path:
        title: Path
        description: Path
        type: string
        required: false
    output:
      affected:
        title: Affected
        description: Number of entities affected by the requested operation
        type: integer
        required: false
  mitigate_threat:
    title: Mitigate Threat
    description: Apply a mitigation action to a threat
    input:
      threat_id:
        title: Threat ID
        description: ID of a threat
        type: string
        required: true
      action:
        title: Action
        description: Mitigation action
        type: string
        required: true
        enum:
        - rollback-remediation
        - quarantine
        - kill
        - remediate
        - un-quarantine
    output:
      affected:
        title: Affected
        description: Number of entities affected by the requested operation
        type: integer
        required: false
  mark_as_benign:
    title: Mark as Benign
    description: Mark a threat as resolved
    input:
      threat_id:
        title: Threat ID
        description: ID of a threat
        type: string
        required: true
      target_scope:
        title: Target Scope
        description: Scope to be used for exclusions
        type: string
        required: true
        enum:
        - group
        - site
        - tenant
      whitening_option:
        title: Whitening Option
        description: Selected whitening option
        type: string
        required: false
        enum:
        - ''
        - browser-type
        - certificate
        - file-type
        - file_hash
        - path
    output:
      affected:
        title: Affected
        description: Number of entities affected by the requested operation
        type: integer
        required: false
  mark_as_threat:
    title: Mark as Threat
    description: Mark a suspicious threat as a threat
    input:
      threat_id:
        title: Threat ID
        description: ID of a threat
        type: string
        required: true
      target_scope:
        title: Target Scope
        description: Scope to be used for exclusions
        type: string
        required: true
        enum:
        - group
        - site
        - tenant
      whitening_option:
        title: Whitening Option
        description: Selected whitening option
        type: string
        required: false
        enum:
        - ''
        - browser-type
        - certificate
        - file-type
        - file_hash
        - path
    output:
      affected:
        title: Affected
        description: Number of entities affected by the requested operation
        type: integer
        required: false
  activities_list:
    title: Get Activities
    description: Get a list of activities
    input:
      group_ids:
        title: Group IDS
        description: List of Group IDs to filter by
        type: '[]string'
        required: false
      include_hidden:
        title: Include Hidden
        description: Include internal activities hidden from display?
        type: boolean
        required: false
      skip:
        title: Skip First N Items
        description: Skip first number of items (0-1000). For iterating over more than 1000 items please use cursor instead
        type: integer
        required: false
      site_ids:
        title: Site IDS
        description: List of Site IDs to filter by
        type: '[]string'
        required: false
      agent_ids:
        title: Agent IDS
        description: Return activities related to specified agent ids
        type: '[]string'
        required: false
      skip_count:
        title: Skip Count
        description: If true, total number of items will not be calculated, which speeds up execution time
        type: boolean
        required: false
      ids:
        title: Activity IDS
        description: List of activity IDs to return
        type: '[]string'
        required: false
      created_at_lt:
        title: Less Than Date
        description: Return activities created before this date in ISO-8601, example 2018-02-27T04:49:26.257525Z
        type: string
        required: false
      created_at_lte:
        title: Less Or Equal Date
        description: Return activities created before or at this date in ISO-8601, example 2018-02-27T04:49:26.257525Z
        type: string
        required: false
      created_at_gt:
        title: Greater Than Date
        description: Return activities created after this date in ISO-8601, example 2018-02-27T04:49:26.257525Z
        type: string
        required: false
      created_at_gte:
        title: Greater Or Equal Date
        description: Return activities created after or at this date in ISO-8601, example 2018-02-27T04:49:26.257525Z
        type: string
        required: false
      created_at_between:
        title: Between Dates
        description: Return activities created within this range (inclusive), example 1514978764288-1514978999999
        type: string
        required: false
      cursor:
        title: Cursor Position
        description: Cursor position returned by the last request. Should be used for iterating over more than 1000 items, example YWdlbnRfaWQ6NTgwMjkzODE=
        type: string
        required: false
      count_only:
        title: Count Only
        description: If true, only total number of items will be returned, without any of the actual objects
        type: boolean
        required: false
      account_ids:
        title: Account IDS
        description: List of Account IDs to filter by
        type: '[]string'
        required: false
      limit:
        title: Limit
        description: Limit number of returned items (1-100)
        type: integer
        required: false
      sort_by:
        title: Sort By
        description: The column to sort the results by
        type: string
        required: false
        enum:
          - id
          - activityType
          - createdAt
      activity_types:
        title: Activity Types
        description: Return only these activity codes
        type: '[]string'
        required: false
      threat_ids:
        title: Threat IDS
        description: Return activities related to specified threat IDs
        type: '[]string'
        required: false
      sort_order:
        title: Sort Order
        description: Sort direction
        type: string
        enum:
          - asc
          - desc
        required: false
      user_emails:
        title: User Emails
        description: Email of the user who invoked the activity (If applicable)
        type: '[]string'
        required: false
      user_ids:
        title: User IDS
        description: The user who invoked the activity (If applicable)
        type: '[]string'
        required: false
    output:
      data:
        title: Data
        description: Result of activities list
        type: '[]activities_list'
        required: true
      pagination:
        title: Pagination
        description: Pagination object
        type: pagination
        required: true
  activities_types:
    title: Get Activity Types
    description: Get a list of activity types
    output:
      activity_types:
        title: Activity Types
        description: Result of activities types
        type: '[]activities_types'
        required: true
  apps_by_agent_ids:
    title: Agents Applications
    description: Retrieve running applications for a specific agent
    input:
      ids:
        title: Agent IDS
        description: Agent ID list
        type: '[]string'
        required: true
    output:
      data:
        title: Agent Applications
        description: List of installed applications
        type: '[]agent_applications'
        required: true
  agents_summary:
    title: Count Summary
    description: Summary of agents by numbers
    input:
      site_ids:
        title: Site IDS
        description: List of Site IDs to filter by
        type: '[]string'
        required: false
      account_ids:
        title: Account IDS
        description: List of Account IDs to filter by
        type: '[]string'
        required: false
    output:
      up_to_date:
        title: Up To Date Number
        description: Number of agents with the most up-to-date software version
        type: integer
        required: false
      out_of_date:
        title: Out of Date Number
        description: Number of agents running an older software version
        type: integer
        required: false
      total:
        title: Total
        description: Number of installed active agents
        type: integer
        required: false
      online:
        title: Online
        description: Number of online agents
        type: integer
        required: false
      decommissioned:
        title: Decommissioned
        description: Number of decommissioned agents
        type: integer
        required: false
      infected:
        title: Infected
        description: Number of agents with at least one active threat
        type: integer
        required: false
  name_available:
    title: Available Name
    description: Is the account name available for this account
    input:
      name:
        title: Name
        description: Account Name to validate
        type: string
        required: true
    output:
      available:
        title: Available
        description: True if the account name is available, false otherwise
        type: boolean
        required: true
  agents_decommission:
    title: Agent Decommission
    description: Decommissions all agents matching the input filter
    input:
      filter:
        title: Filter JSON
        description: Applied filter - only matched agents will be affected by the requested action. Note - one of the following filter arguments must be supplied - ids, groupIds, filterId
        type: object
        required: true
    output:
      affected:
        title: Affected
        description: Number of entities affected by the requested operation
        type: integer
        required: false
  agents_disconnect:
    title: Disconnect Agents
    description: Disconnects from the network the agents associated with the matched threats
    input:
      filter:
        title: Filter JSON
        description: Use any of the filtering options to control the list of affected threats. Leaving this field empty applies the action to all available threats, so supply a filter unless that is intended
        type: object
        required: true
    output:
      affected:
        title: Affected
        description: Number of entities affected by the requested operation
        type: integer
        required: false
  agents_processes:
    title: Agents Processes
    description: Retrieve running processes for a specific agent
    input:
      ids:
        title: IDS
        description: Agent ID list
        type: '[]string'
        required: true
    output:
      agents_processes:
        title: Agents Processes
        description: Agents processes entities
        type: '[]agents_processes'
        required: false
  agents_initiate:
    title: Initiate scan
    description: Sends a scan command to all agents matching the input filter
    input:
      filter:
        title: Filter JSON
        description: Applied filter - only matched agents will be affected by the requested action. Leave empty to apply the action on all applicable agents
        type: object
        required: true
    output:
      affected:
        title: Affected
        description: Number of entities affected by the requested operation
        type: integer
        required: false
  agents_uninstall:
    title: Uninstall
    description: Sends an uninstall command to all agents matching the input filter
    input:
      filter:
        title: Filter JSON
        description: Applied filter - only matched agents will be affected by the requested action. Note - one of the following filter arguments must be supplied - ids, groupIds, filterId
        type: object
        required: true
    output:
      affected:
        title: Affected
        description: Number of entities affected by the requested operation
        type: integer
        required: false
  agents_shutdown:
    title: Agents Shutdown
    description: Sends a shutdown command to all agents matching the input filter
    input:
      filter:
        title: Filter JSON
        description: Applied filter - only matched agents will be affected by the requested action. Note - one of the following filter arguments must be supplied - ids, groupIds, filterId
        type: object
        required: true
    output:
      affected:
        title: Affected
        description: Number of entities affected by the requested operation
        type: integer
        required: false
  agents_restart:
    title: Agents Restart
    description: Sends a restart command to all agents matching the input filter
    input:
      filter:
        title: Filter JSON
        description: Applied filter - only matched agents will be affected by the requested action. Note - One of the following filter arguments must be supplied - ids, groupIds, filterId
        type: object
        required: true
    output:
      affected:
        title: Affected
        description: Number of entities affected by the requested operation
        type: integer
        required: false
  agents_reload:
    title: Agents Reload
    description: Reload an agent module (applies to Windows agents only)
    input:
      filter:
        title: Filter JSON
        description: Applied filter - only matched agents will be affected by the requested action. Leave empty to apply the action on all applicable agents
        type: object
        required: true
      module:
        title: Data Module
        description: Agent module to reload
        type: string
        required: true
        enum:
          - monitor
          - static
          - agent
          - log
    output:
      affected:
        title: Affected
        description: Number of entities affected by the requested operation
        type: integer
        required: false
  agents_fetch_logs:
    title: Agents Fetch Logs
    description: Sends a fetch logs command to all agents matching the input filter
    input:
      filter:
        title: Filter JSON
        description: Applied filter - only matched agents will be affected by the requested action. Leave empty to apply the action on all applicable agents
        type: object
        required: true
    output:
      affected:
        title: Affected
        description: Number of entities affected by the requested operation
        type: integer
        required: false
  agents_abort_scan:
    title: Agents Abort Scan
    description: Aborts running scan on all agents matching the input filter
    input:
      filter:
        title: Filter JSON
        description: Applied filter - only matched agents will be affected by the requested action. Leave empty to apply the action on all applicable agents
        type: object
        required: true
    output:
      affected:
        title: Affected
        description: Number of entities affected by the requested operation
        type: integer
        required: false
  agents_connect:
    title: Connect to network
    description: Sends a connect to network command to all agents matching the input filter
    input:
      filter:
        title: Filter JSON
        description: Applied filter - only matched agents will be affected by the requested action. Leave empty to apply the action on all applicable agents
        type: object
        required: true
    output:
      affected:
        title: Affected
        description: Number of entities affected by the requested operation
        type: integer
        required: false

  search_agents:
    title: Search Agents
    description: Search for agents
    input:
      agent:
        title: Agent
        description: Agent to retrieve device information from. Accepts IP address, MAC address, hostname, UUID or agent ID
        type: string
        example: hostname123
        required: true
    output:
      agents:
        title: Agents
        description: Detailed information about agents found
        type: "[]agent_data"
        required: false

  get_agent_details:
    title: Get Agent Details
    description: Retrieve agent details
    input:
      agent:
        title: Agent
        description: Agent to retrieve device information from. Accepts IP address, MAC address, hostname, UUID or agent ID
        type: string
        example: hostname123
        required: true
    output:
      agent:
        title: Agent
        description: Detailed information about agent found
        type: agent_data
        required: false

  quarantine:
    title: Quarantine
    description: Isolate (quarantine) endpoint from the network
    input:
      agent:
        title: Agent
        description: Agent to perform quarantine action on. Accepts IP address, MAC address, hostname, UUID or agent ID
        type: string
        example: hostname123
        required: true
      quarantine_state:
        title: Quarantine State
        description: True to quarantine host, false to unquarantine host
        type: boolean
        example: true
        required: true
      whitelist:
        title: Whitelist
        description: This list contains a set of devices that should not be blocked. This can include IPs, hostnames, UUIDs and agent IDs
        type: "[]string"
        example: ["198.51.100.100", "hostname123", "901345720792880606", "28db47168fa54f89aeed99769ac8d4dc"]
        required: false
    output:
      response:
        title: Response
        description: SentinelOne API call response data
        type: quarantine_response
        required: false

  blacklist:
    title: Blacklist
    description: Blacklist and unblacklist a SHA1 hash
    input:
      hash:
        title: Hash
        description: Create a blacklist item from a SHA1 hash
        type: string
        required: true
        example: "3395856ce81f2b7382dee72602f798b642f14140"
      description:
        title: Description
        description: Description for why the hash is blacklisted
        type: string
        default: "Hash Blacklisted from InsightConnect"
        required: false
        example: "Hash Blacklisted from InsightConnect"
      blacklist_state:
        title: Blacklist State
        description: True to create blacklist hash, false to unblacklist hash
        type: boolean
        required: true
        default: true
        example: true
    output:
      success:
        title: Success
        description: Return true if blacklist item was created or deleted
        type: boolean
        required: true

triggers:
  get_threats:
    title: Get Threats
    description: Get threats
    input:
      resolved:
        title: Resolved
        description: Include resolved threats
        type: boolean
        required: false
      classifications:
        title: Classifications
        description: List of classifications to search
        type: '[]string'
        required: false
      agent_is_active:
        title: Agent is Active
        description: Include agents currently connected to the management console
        type: boolean
        required: false
      engines:
        title: Engines
        description: Included engines
        type: '[]string'
        required: false
      frequency:
        title: Frequency
        description: Poll frequency in seconds
        type: integer
        required: false
        default: 5
    output:
      threat:
        title: Threat
        description: Threat
        type: data
        required: false
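The Get Activities action above exposes both `skip` (capped at 1000) and `cursor`, and its description says to use the cursor for anything larger. The following is an added example, not code from the plugin or from SentinelOne, showing how a client walks a large activity set by following `pagination.nextCursor` until it is null, with a page bound and a repeated-cursor check so a misbehaving server cannot spin the loop forever. The in-memory API stand-in and its 250 activity records are constructed for the example; the real cursor is an opaque string, here it is simply the next offset.

```python
from typing import Callable, Dict, Iterator, List, Optional

# Constructed sample set: 250 activities, i.e. more than one page at the
# maximum page size of 100 (limit is documented as 1-100).
SAMPLE_ACTIVITIES: List[Dict] = [
    {
        "id": str(1000 + i),
        "activityType": 120 if i % 50 == 0 else 19,  # constructed codes
        "createdAt": f"2018-02-27T04:{i // 60:02d}:{i % 60:02d}.000000Z",
    }
    for i in range(250)
]


def fake_activities_api(params: Dict) -> Dict:
    """In-memory stand-in for the activities endpoint (constructed).

    Honours 'limit' and an opaque 'cursor'; here the cursor is just the
    next offset as a string, the real one is an opaque blob."""
    limit = int(params.get("limit", 100))
    if not 1 <= limit <= 100:
        raise ValueError("limit must be between 1 and 100")
    offset = int(params.get("cursor") or 0)
    page = SAMPLE_ACTIVITIES[offset:offset + limit]
    next_offset = offset + len(page)
    return {
        "data": page,
        "pagination": {
            "totalItems": len(SAMPLE_ACTIVITIES),
            "nextCursor": str(next_offset) if next_offset < len(SAMPLE_ACTIVITIES) else None,
        },
    }


def iter_activities(api: Callable[[Dict], Dict], limit: int = 100,
                    max_pages: int = 1000, **filters) -> Iterator[Dict]:
    """Yield every activity by following pagination.nextCursor.

    'skip' is capped at 1000 by the API, so a cursor is the only way to
    walk a large result set. max_pages bounds a runaway loop should the
    server keep handing back cursors, and a repeated cursor is treated
    as an error rather than silently re-reading the same page."""
    cursor: Optional[str] = None
    seen_cursors = set()
    for _ in range(max_pages):
        params = dict(filters, limit=limit)
        if cursor:
            params["cursor"] = cursor
        resp = api(params)
        for item in resp.get("data", []):
            yield item
        cursor = resp.get("pagination", {}).get("nextCursor")
        if not cursor:
            return
        if cursor in seen_cursors:
            raise RuntimeError("API returned a repeating cursor; aborting")
        seen_cursors.add(cursor)
    raise RuntimeError(f"gave up after {max_pages} pages without exhausting results")


def collect_ids(api: Callable[[Dict], Dict], **kw) -> List[str]:
    """Convenience wrapper: all activity IDs in page order."""
    return [a["id"] for a in iter_activities(api, **kw)]


if __name__ == "__main__":
    ids = collect_ids(fake_activities_api, limit=100)
    print(f"{len(ids)} activities, first {ids[0]}, last {ids[-1]}")
```

Any extra keyword arguments (for instance `activityTypes` or `createdAt__gte`, assumed names) are passed through unchanged as query filters; only `limit` and `cursor` are managed by the loop.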
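Several of the agent actions above (Agent Decommission, Uninstall, Agents Shutdown, Agents Restart) state that the filter must carry one of `ids`, `groupIds` or `filterId`, while the others accept an empty filter that applies to every applicable agent. A workflow that builds the filter from upstream data can easily end up sending `{}` to a destructive action. The following is an added example, not the plugin's own code, of a guard a workflow author can put in front of those actions: it refuses an empty selector for the destructive set, checks that agent IDs look like the numeric IDs the page's Quarantine example shows, and caps the number of agents in one call. The request body shape `{"filter": {...}}` and the 50-agent cap are assumptions for the example.

```python
import json

# Agent actions whose description says a selector is mandatory.
DESTRUCTIVE_ACTIONS = frozenset({"decommission", "uninstall", "shutdown", "restart"})
# Filter keys the action descriptions name as agent selectors.
SELECTOR_KEYS = ("ids", "groupIds", "filterId")
# Blast-radius cap chosen for this example (an assumption, not an API limit).
MAX_AGENTS_PER_CALL = 50


class UnsafeFilter(ValueError):
    """Raised when a filter would reach more agents than intended."""


def validate_agent_filter(action: str, filt: dict) -> dict:
    """Return `filt` if it is safe to send with `action`, else raise UnsafeFilter.

    Empty selector values ([] / "" / None) are treated as absent, because
    an empty filter object means "every applicable agent"."""
    if not isinstance(filt, dict):
        raise UnsafeFilter("filter must be a JSON object")
    selectors = {k: v for k, v in filt.items()
                 if k in SELECTOR_KEYS and v not in (None, "", [])}
    if action in DESTRUCTIVE_ACTIONS and not selectors:
        raise UnsafeFilter(
            f"{action}: one of {SELECTOR_KEYS} is required; "
            "an empty filter would hit every agent in scope")
    ids = selectors.get("ids")
    if ids is not None:
        # Agent IDs are numeric strings (see the Quarantine whitelist example).
        if not isinstance(ids, list) or not all(isinstance(i, str) and i.isdigit() for i in ids):
            raise UnsafeFilter("ids must be a list of numeric agent ID strings")
        if len(ids) > MAX_AGENTS_PER_CALL:
            raise UnsafeFilter(
                f"refusing to act on {len(ids)} agents in one call "
                f"(cap {MAX_AGENTS_PER_CALL}); split the batch or use a groupId")
    return filt


def build_request(action: str, filt: dict) -> str:
    """Serialise the body for an agent action; the {"filter": {...}} shape is assumed."""
    return json.dumps({"filter": validate_agent_filter(action, filt)}, sort_keys=True)


if __name__ == "__main__":
    print(build_request("decommission", {"ids": ["901345720792880606"]}))
    try:
        build_request("uninstall", {})
    except UnsafeFilter as exc:
        print("blocked:", exc)
```

Non-destructive actions such as Agents Abort Scan or Connect to network still pass through with an empty filter, matching their descriptions; only the set in `DESTRUCTIVE_ACTIONS` is gated.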
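Blacklist by Content Hash takes the `contentHash` field of a threat summary record, and the Blacklist action takes a SHA1; both expect a SHA1 digest. The following is an added example, not code from the plugin, of the validation a workflow should do between Get Threat Summary and a blacklist call: normalise the hash the console hands back, reject values that are missing or are a different digest length (a pasted MD5 or SHA256 would otherwise become a useless blacklist entry), and collapse threats that share a hash into a single request. The four threat records are constructed; record 1 carries the EICAR SHA1 the page uses as its example hash. The request body shape, including `"type": "black_hash"`, is an assumption for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

SHA1_RE = re.compile(r"[0-9a-f]{40}")
# Digest lengths that usually mean the wrong algorithm was pasted.
OTHER_DIGESTS = {32: "MD5", 64: "SHA256"}

# Constructed threat summary records; only the fields this example reads are present.
# 1: clean SHA1; 2: same hash as the console sometimes renders it (upper case, stray
# whitespace); 3: no hash (e.g. a fileless detection); 4: an MD5 supplied by mistake.
SAMPLE_THREATS: List[Dict] = [
    {"id": "1", "contentHash": "3395856ce81f2b7382dee72602f798b642f14140", "fileDisplayName": "eicar.com"},
    {"id": "2", "contentHash": " 3395856CE81F2B7382DEE72602F798B642F14140\n", "fileDisplayName": "eicar.com"},
    {"id": "3", "contentHash": None, "fileDisplayName": "powershell.exe"},
    {"id": "4", "contentHash": "d41d8cd98f00b204e9800998ecf8427e", "fileDisplayName": "empty.bin"},
]


def normalize_sha1(value: Optional[str]) -> str:
    """Lower-case, trimmed SHA1 hex digest, or ValueError explaining why not."""
    if not isinstance(value, str) or not value.strip():
        raise ValueError("no content hash on this threat")
    h = value.strip().lower()
    if SHA1_RE.fullmatch(h):
        return h
    if len(h) in OTHER_DIGESTS and re.fullmatch(r"[0-9a-f]+", h):
        raise ValueError(f"expected SHA1 but got a {OTHER_DIGESTS[len(h)]}-length digest")
    raise ValueError("not a SHA1 hex digest")


def blacklist_requests(threats: List[Dict],
                       description: str = "Hash Blacklisted from InsightConnect"
                       ) -> Tuple[List[Dict], List[Tuple[str, str]]]:
    """Build one blacklist request per distinct valid hash.

    Returns (requests, skipped). Duplicate hashes across threats collapse
    into one request so the blacklist does not fill with repeats, and
    every skipped threat is reported with the reason instead of being
    silently dropped. The body shape ({"data": {"type": "black_hash", ...}})
    is an assumption for this example."""
    by_hash: Dict[str, Dict] = {}
    skipped: List[Tuple[str, str]] = []
    for t in threats:
        try:
            h = normalize_sha1(t.get("contentHash"))
        except ValueError as exc:
            skipped.append((t["id"], str(exc)))
            continue
        req = by_hash.setdefault(h, {
            "data": {"type": "black_hash", "value": h, "description": description},
            "threatIds": [],
        })
        req["threatIds"].append(t["id"])
    return list(by_hash.values()), skipped


if __name__ == "__main__":
    requests, skipped = blacklist_requests(SAMPLE_THREATS)
    for r in requests:
        print("blacklist", r["data"]["value"], "for threats", r["threatIds"])
    for threat_id, reason in skipped:
        print("skipped threat", threat_id, "-", reason)
```

The `skipped` list is worth surfacing in the workflow rather than discarding: a threat with no hash (record 3) still needs handling, just not through a hash blacklist.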