SentinelOneV2

Integration version: 34.0

Configure SentinelOneV2 to work with Google Security Operations SOAR

New Authorization

For the new authorization, an API token is used instead of previously required Username and Password.

Benefits:

  • If the account has 2FA, the username-password method stops working but the token works.
  • A session token is created for a week, the API token is valid for 6 months, so you need to update credentials twice a year.

Generate an API Token from the WebUI

  1. In your Management Console, go to Settings > USERS.
  2. Click your username and click Edit.
  3. In Edit User > API Token, click Generate.

If the Revoke and Regenerate are present, you already have a token. If you revoke or regenerate it, scripts that use that token won't work. There is no confirmation. Revoke removes the token authorization, while Regenerate revokes the token and generates a new token. If you click Generate or Regenerate, a message shows the token string and the date that the token expires.

Configure SentinelOneV2 integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
Instance Name String N/A No Name of the Instance you intend to configure integration for.
Description String N/A No Description of the Instance.
API root String N/A Yes SentinelOne API root.
API Token String N/A Yes SentinelOne API token. Note: SentinelOne API token needs to be updated every 6 months. This is a SentinelOne policy.
Verify SSL Checkbox Checked Yes If enabled, verifies that the SSL certificate for the connection to the Sentinel public cloud server is valid.

Actions

Create Hash Exclusion Record

Add hash to the exclusion list in SentinelOne.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Operation System String Windows Yes

Specify the OS for the hash.

Possible values: windows, windows_legacy, macos, linux.

Site IDs String N/A

No

Note: One of them is mandatory.

Specify a comma-separated list of site IDs, where hash needs to be sent to the exclusion list.
Group IDs String N/A

No

Note: One of them is mandatory.

Specify a comma-separated list of group IDs, where hash needs to be sent to the exclusion list.
Account IDs CSV N/A No Specify a comma-separated list of account IDs, where hash needs to be sent to the exclusion list.
Description String N/A No Specify additional information related to the hash.
Add to global exclusion list Checkbox Checked No

If enabled, the action adds a hash to the global exclusion list.

Note: When this parameter is enabled, the "Site IDs", "Group IDs" and "Account IDs" parameters are ignored.

Use cases

Analyst can create an exclusion item for an allowlist.

Run On

This action runs on the Hash entity.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
    {
    `ENTITY_IDENTIFIER`:
        {ID: `WHITELISTED_ENTITY_ID`,
        Created Time: `TIME_THE_WHITELISTED_ITEM_WAS_CREATED`,
        Scope ID: `SITE_OR_GROUP_ID`,
        Scope Name: `SCOPE_NAME`}
    }
]
Case Wall
Result type Value/Description Type (Entity \ General)
Output message*

If successful for one hash (is_success=true): "Successfully added the following hashes to the exclusion list in SentinelOne:\n{0}".format(entity.identifier)

If already exist for at least one hash (is_success=true): "The following hashes were already a part of exclusion list in SentinelOne:\n{0}".format(entity.identifier)

If not successful for one hash (is_success=true): "Action wasn't able to add the following hashes to the exclusion list in SentinelOne:\n{0}".format(entity.identifier)

If not successful for all hashes (is_success=false): "No hashes were added to the exclusion list in SentinelOne."

If a critical error is reported: "Error executing action "Create Hash Exclusion Record". Reason: {0}".(traceback)

If the "Site IDs", "Group IDs", "Account IDs" parameters are not provided and the "Add to global exclusion list" parameter is not enabled: "Error executing action "Create Hash Exclusion Record". Reason: at least one value should be provided for "Site IDs" or "Group IDs" or "Account IDs" parameters or "Add to global exclusion list" should be enabled."

General

Create Path Exclusion Record

Add path to the exclusion list in SentinelOne.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Path String N/A Yes Specify the path that needs to be added to the exclusion list.
Operation System String Windows Yes Specify the OS for the path. Possible values: windows, windows_legacy, macos, linux.
Site IDs String N/A

No

Note: One of them is mandatory.

Specify a comma-separated list of site IDs, where path needs to be sent to the exclusion list.
Group IDs String N/A

No

Note: One of them is Mandatory.

Specify a comma-separated list of group IDs, where path needs to be sent to the exclusion list.
Account IDs CSV N/A No Specify a comma-separated list of account IDs, where path needs to be sent to the exclusion list.
Description String N/A No Specify additional information related to the path.
Add to global exclusion list Checkbox Unchecked No

If enabled, the action adds the path to the global exclusion list.

Note: If this parameter is enabled, the "Site IDs", "Group IDs" and "Account IDs" parameters are ignored.

Include Subfolders Checkbox Unchecked No

If enabled, the action includes subfolders for the provided path.

This feature only works, if the user provides a folder path and not the file path.

Mode DDL

Suppress Alerts

Possible values:

  • Suppress Alerts
  • Interoperability
  • Interoperability - Extended
  • Performance Focus
  • Performance Focus - Extended
No Specify the mode that should be used for the excluded path.

Use cases

Analyst can create an exclusion item for an allowlist.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
    {
    `ENTITY_IDENTIFIER`:
        {ID: `WHITELISTED_ENTITY_ID`,
        Created Time: `TIME_THE_WHITELISTED_ITEM_WAS_CREATED`,
        Scope ID: `SITE_OR_GROUP_ID`,
        Scope Name: `SCOPE_NAME`}
    }
]
Case Wall
Result type Value/Description Type (Entity \ General)
Output message*

If successful or errors/title="Already Exists" (is_success=true): "Successfully added path {0} to the exclusion list in SentinelOne:\n{0}".format(path value)

If the 400 status code is reported: "Action wasn't able to add path {0} to the exclusion list." Reason: {1}".format(path, errors/detail)

If critical error: "Error executing action "Create Path Exclusion Record". Reason: {0}".(traceback)

If the "Site IDs", "Group IDs", "Account IDs" parameters are not provided and the "Add to global exclusion list" parameter is not enabled: "Error executing action "Create Path Exclusion Record". Reason: at least one value should be provided for "Site IDs" or "Group IDs" or "Account IDs" parameters or "Add to global exclusion list" should be enabled."

General

Mitigate Threat

Executes mitigation actions on the threats in SentinelOne.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Mitigation action DDL

quarantine

Possible Values:

  • quarantine
  • kill
  • un-quarantine
  • remediate
  • rollback-remediate
Yes Specify the mitigation actions for the provided threats.
Threat IDs List N/A Yes Specify a comma-separated list of threat IDs that should be mitigated.

Use cases

Analyst can apply a mitigation action to a group of threats.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
        {
            "mitigated": true,
            "mitigation_action": "quarantine",
            "Threat_ID": "838490132706375118"
        }
]
Case Wall
Result type Value/Description Type (Entity \ General)
Output message*

If successful for one threat (is_success=true): "Successfully mitigated the following threats in SentinelOne: {0}".format(threat_ids)

If no successful for one threat (is_success=true): "Action wasn't able to mitigate the following threats in SentinelOne: {0}".format(threat_ids)

If no successful for all threats (is_success=false): "No threats were mitigated."

General

Resolve Threat

Resolve threats in SentinelOne.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Threat IDs List N/A Yes Specify a comma-separated list of threat IDs that need to be resolved.
Annotation String N/A No Specify an annotation describing, why the threat can be resolved.

Use cases

Analyst can resolve threats.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[{"resolved": false,  "Threat_ID": "509259775582960700" } ]
Case Wall
Result type Value/Description Type (Entity \ General)
Output message*

If successful for one threat (is_success=true): "Successfully resolved the following threats in SentinelOne: {0}".format(threat_ids)

If no successful for one threat (is_success=true): "Action wasn't able to resolve the following threats in SentinelOne: {0}".format(threat_ids)

If no successful for any threat (is_success=false): "No threats were resolved."

General

Mark as Threat

Marks suspicious threats as a true positive threat in SentinelOne.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Threat IDs List N/A Yes Specify a comma-separated list of threat IDs that should be marked.

Use cases

Analysts want to mark suspicious threats as a threat.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[{ID: `THREAT_ID`, marked_as_threat: `BOOLEAN`}] **
Case Wall
Result Type Value / Description Type
Output message*

If successful for one threat (is_success=true): "Successfully marked the following threats in SentinelOne: {0}".format(threat_ids)

If no successful for one threat (is_success=true): "Action wasn't able to mark the following threats in SentinelOne: {0}".format(threat_ids)

If no successful for any threat (is_success=false): "No threats were marked."

General

Get Threats

Retrieve information about threats in SentinelOne.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Mitigation Status String N/A No

Specify a comma-separated list of threat statuses.

Only threats that match the statuses are returned.

Possible values: mitigated, active, blocked, suspicious, suspicious_resolved

Created until String N/A No

Specify the end time for the threats.


Example: 2020-03-02T21:30:13.014874Z

Created from String N/A No

Specify the start time for the threats.


Example: 2020-03-02T21:30:13.014874Z

Resolved Threats Checkbox Unchecked No If enabled, the action only returns resolved threats.
Threat Display Name String N/A No Specify a display name of the threat that you want to return. Partial name also works.
Limit Integer 10 No Specify the number of threats to return.
API Version DDL

2.0

Possible values:

  • 2.0
  • 2.1

Specify the version of API to use in the action.

If nothing is provided the connector uses the 2.1 version.

Note: The JSON result structure is different between API versions. It is recommended to use the latest one.

Use cases

Analysts want to know threat ID.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
            "accountId": "433241117337583618",
            "accountName": "SentinelOne",
            "agentComputerName": "desktop-43QNK0O",
            "agentDomain": "WORKGROUP",
            "agentId": "823949401337686055",
            "agentInfected": false,
            "agentIp": "76.112.223.210",
            "agentIsActive": false,
            "agentIsDecommissioned": false,
            "agentMachineType": "desktop",
            "agentNetworkStatus": "connected",
            "agentOsType": "windows",
            "agentVersion": "3.6.6.104",
            "annotation": null,
            "automaticallyResolved": false,
            "browserType": null,
            "certId": "",
            "classification": "generic.heuristic",
            "classificationSource": "Cloud",
            "classifierName": "MANUAL",
            "cloudVerdict": "provider_unknown",
            "collectionId": "838490132723152335",
            "commandId": "835975626369402963",
            "createdAt": "2020-03-02T21:30:13.014874Z",
            "createdDate": "2020-03-02T21:30:12.748000Z",
            "description": "malware detected - not mitigated yet",
            "engines": [
                "manual"
            ],
            "external_ticket_id": null,
            "fileContentHash": "fc5a9b5e806f35a7b285e012ef8df3f06f399492",
            "fileCreatedDate": null,
            "fileDisplayName": "GameBar.exe",
            "fileExtensionType": "Executable",
            "fileIsDotNet": null,
            "fileIsExecutable": true,
            "fileIsSystem": false,
            "fileMaliciousContent": null,
            "fileObjectId": "99FF941D82E382D1",
            "filePath": "\\Device\\HarddiskVolume3\\Program Files\\WindowsApps\\Deleted\\Microsoft.XboxGamingOverlay_3.36.6003.0_x64__8wekyb3d8bbwe97f11a01-b980-4b88-806c-276c42d4d3d4\\GameBar.exe",
            "fileSha256": null,
            "fileVerificationType": "NotSigned",
            "fromCloud": false,
            "fromScan": false,
            "id": "838490132706375118",
            "indicators": [],
            "initiatedBy": "dvCommand",
            "initiatedByDescription": "Deep Visibility Command",
            "initiatingUserId": "823741543702652055",
            "isCertValid": false,
            "isInteractiveSession": false,
            "isPartialStory": false,
            "maliciousGroupId": "0BB46E119EF0AE51",
            "maliciousProcessArguments": "-ServerName:App.AppXbdkk0yrkwpcgeaem8zk81k8py1eaahny.mca",
            "markedAsBenign": true,
            "mitigationMode": "protect",
            "mitigationReport": {
                "kill": {
                    "status": "success"
                },
                "network_quarantine": {
                    "status": null
                },
                "quarantine": {
                    "status": "success"
                },
                "remediate": {
                    "status": null
                },
                "rollback": {
                    "status": null
                },
                "unquarantine": {
                    "status": "sent"
                }
            },
            "mitigationStatus": "mitigated",
            "publisher": "",
            "rank": 2,
            "resolved": true,
            "siteId": "823740645903492137",
            "siteName": "Siemplify.co",
            "threatAgentVersion": "3.6.6.104",
            "threatName": "GameBar.exe",
            "updatedAt": "2020-07-07T17:19:48.260119Z",
            "username": "DESKTOP-43QNK0O\\ddiserens",
            "whiteningOptions": []
}
Case Wall
Result Type Value / Description Type
Output message*

If data is available (is_success=true): "Successfully retrieved information about the available threats in SentinelOne."

If no data is available (is_success=false): "No information about threats was found based on the provided criteria."

General

Disconnect Agent From Network

Disconnect an agent from a network by its hostname or IP address.

Parameters

N/A

Run On

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False

Enrich Endpoints

Enrich information about the endpoint by IP Address or Hostname.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Create Insight Checkbox Checked No If enabled, the action creates an insight with information about endpoints.
Only Infected Endpoints Insights Checkbox Checked No If enabled, the action only creates insights for the infected endpoints.

Run On

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_succeed:False
JSON Result
{
    "accountId": "433241117337583618",
    "accountName": "SentinelOne",
    "activeDirectory": {
        "computerDistinguishedName": "CN=LP-YAIR,CN=Computers,DC=SIEMPLIFY,DC=LOCAL",
        "computerMemberOf": [],
        "lastUserDistinguishedName": "CN=Yair Stern,OU=Users,OU=PS,OU=IL,OU=Operations,OU=Siemplify,DC=SIEMPLIFY,DC=LOCAL",
        "lastUserMemberOf": [
            "CN=esx.cs,OU=ESX,OU=GROUPS,OU=IL,OU=IT,OU=Siemplify,DC=SIEMPLIFY,DC=LOCAL",
            "CN=Backup Operators,CN=Builtin,DC=SIEMPLIFY,DC=LOCAL",
            "CN=esx.product,OU=ESX,OU=GROUPS,OU=IL,OU=IT,OU=Siemplify,DC=SIEMPLIFY,DC=LOCAL",
            "CN=Siemplify_Admins,OU=QA,OU=IL,OU=IT,OU=Siemplify,DC=SIEMPLIFY,DC=LOCAL",
            "CN=Local Admin,OU=GROUPS,OU=IL,OU=IT,OU=Siemplify,DC=SIEMPLIFY,DC=LOCAL",
            "CN=CSM,OU=Operations,OU=Siemplify,DC=SIEMPLIFY,DC=LOCAL",
            "CN=Event Log Readers,CN=Builtin,DC=SIEMPLIFY,DC=LOCAL"
        ]
    },
    "activeThreats": 0,
    "agentVersion": "4.1.4.82",
    "allowRemoteShell": false,
    "appsVulnerabilityStatus": "patch_required",
    "computerName": "LP-Yair",
    "consoleMigrationStatus": "N/A",
    "coreCount": 8,
    "cpuCount": 8,
    "cpuId": "Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz",
    "createdAt": "2020-05-31T07:22:14.695136Z",
    "domain": "SIEMPLIFY",
    "encryptedApplications": false,
    "externalId": "",
    "externalIp": "84.109.241.91",
    "groupId": "863712577864500060",
    "groupIp": "84.109.241.x",
    "groupName": "Test Group",
    "id": "903293150232960453",
    "inRemoteShellSession": false,
    "infected": false,
    "installerType": ".msi",
    "isActive": false,
    "isDecommissioned": false,
    "isPendingUninstall": false,
    "isUninstalled": false,
    "isUpToDate": true,
    "lastActiveDate": "2021-01-12T12:59:43.143066Z",
    "lastIpToMgmt": "192.168.1.20",
    "lastLoggedInUserName": "yair",
    "licenseKey": "",
    "locationType": "fallback",
    "locations": [
        {
            "id": "629380164464502476",
            "name": "Fallback",
            "scope": "global"
        }
    ],
    "machineType": "laptop",
    "mitigationMode": "protect",
    "mitigationModeSuspicious": "protect",
    "modelName": "Dell Inc. - Latitude 7490",
    "networkInterfaces": [
        {
            "id": "931547468641304837",
            "inet": [
                "192.168.1.20"
            ],
            "inet6": [
                "2a10:8002:22a6:0:e4fd:4e37:4db6:f01c",
                "2a10:8002:22a6:0:d5a6:6a91:1281:acc6",
                "fe80::e4fd:4e37:4db6:f01c"
            ],
            "name": "Wi-Fi",
            "physical": "d0:c6:37:d6:f1:2d"
        },
        {
            "id": "1062894239338355970",
            "inet": [
                "192.168.193.193"
            ],
            "inet6": [
                "fe80::fcc6:8ba0:da2b:c22d"
            ],
            "name": "vEthernet (Default Switch)",
            "physical": "00:15:5d:45:7c:74"
        },
        {
            "id": "954982488643857092",
            "inet": [
                "10.0.75.1"
            ],
            "inet6": [
                "fe80::1ce0:8d0c:69ae:8616",
                "fe80::1ce0:8d0c:69ae:8616"
            ],
            "name": "vEthernet (DockerNAT)",
            "physical": "00:15:5d:0a:14:21"
        }
    ],
    "networkStatus": "connecting",
    "osArch": "64 bit",
    "osName": "Windows 10 Pro",
    "osRevision": "18363",
    "osStartTime": "2021-01-03T15:38:32Z",
    "osType": "windows",
    "osUsername": null,
    "rangerStatus": "NotApplicable",
    "rangerVersion": null,
    "registeredAt": "2020-05-31T07:22:14.691561Z",
    "scanAbortedAt": null,
    "scanFinishedAt": "2020-05-31T09:28:53.867014Z",
    "scanStartedAt": "2020-05-31T07:25:37.814972Z",
    "scanStatus": "finished",
    "siteId": "823740645903492137",
    "siteName": "Siemplify.co",
    "threatRebootRequired": false,
    "totalMemory": 16263,
    "updatedAt": "2021-01-18T13:33:43.834618Z",
    "userActionsNeeded": [],
    "uuid": "87511ad6ea63462594268bfdc4c546db"
}
Case Wall
Result Type Value / Description Type
Output message*

If successful (is_success=true): "Successfully retrieved information about the following endpoins from SentinelOne: \n{0}" .format(entity.identifier)

If not successful for some endpoints (is_success=true): "Action wasn't able to retrieve information about the following endpoins from SentinelOne: \n{0}" .format(entity.identifier)

If not successful for all endpoints (is_success=false): "No information was retrieved for the provided entities."

General

Get Agent Status

Retrieve information about the status of the agents on the endpoints based on the IP Address or Hostname entity.

Parameters

N/A

Run On

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
"status": "Not active"
}
Case Wall
Result Type Value / Description Type
Output message*

If successful (is_success=true): "Successfully retrieved information about agent status for the following endpoints: \n{0}".format(entity.identifier)"

If not successful for some endpoints (is_success=true): "Action wasn't able to retrieve information about agent status for the following endpoints: \n{0}".format(entity.identifier)"

If not successful for all endpoint (is_success=false): "No information about agent status was found for the provided endpoints."

General

Get Application List for Endpoint

Retrieve information about available applications on the endpoint by IP Address or Hostname.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Max Applications To Return Integer N/A No

Specify the number of applications to return.

If nothing is specified, the action returns all of the applications.

Run On

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "data": [
        {
            "installedDate": "2021-01-06T08:55:56.762000Z",
            "name": "Mozilla Firefox 84.0.1 (x64 en-US)",
            "publisher": "Mozilla",
            "size": 211562,
            "version": "84.0.1"
        }
    ]
}
Case Wall
Result Type Value / Description Type
Output message*

If successful (is_success=true): "Successfully retrieved available applications for the following endpoints: \n{0}".format(entity.identifier)"

If not successful for one endpoint (is_success=true): "Action wasn't able to retrieve available applications for the following endpoints: \n{0}".format(entity.identifier)"

If not successful for all endpoints (is_success=false): "No applications were retrieved for the provided endpoints."

General

Get Events for Endpoint Hours Back

Retrieve information about the latest events on the endpoint. Works with the IP Address and Hostname entities.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Hours Back String N/A Yes Specify the number hours backwards to fetch events.
Events Amount Limit String 50 No Specify the number of events to return per event type.
Include File Events Information Checkbox Unchecked No If enabled, the action also queries information about the file events.
Include Indicator Events Information Checkbox Unchecked No If enabled, the action also queries information about the indicator events.
Include DNS Events Information Checkbox Unchecked No If enabled, the action also queries information about the DNS events.
Include Network Actions Events Information Checkbox Unchecked No If enabled, the action also queries information about the "network actions" events.
Include URL Events Information Checkbox Unchecked No If enabled, the action also queries information about the URL events.
Include Registry Events Information Checkbox Unchecked No If enabled, the action also queries information about the registry events.
Include Scheduled Task Events Information Checkbox Unchecked No If enabled, the action also queries information about the scheduled task events.

Use cases

Analysts may use this action to get information about the latest events related to one endpoint, which can help in the triage process.

Run On

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "data": [
        {
            "activeContentFileId": null,
            "activeContentHash": null,
            "activeContentPath": null,
            "activeContentSignedStatus": null,
            "activeContentType": null,
            "agentDomain": "",
            "agentGroupId": "823740645928657962",
            "agentId": "849867819647755581",
            "agentInfected": false,
            "agentIp": "3.136.184.160",
            "agentIsActive": true,
            "agentIsDecommissioned": false,
            "agentMachineType": "server",
            "agentName": "ip-10-0-2-205",
            "agentNetworkStatus": "connected",
            "agentOs": "linux",
            "agentTimestamp": "2020-03-19T08:17:01.575Z",
            "agentUuid": "11dd65a0-9b2d-e631-73da-4cc15d6bbc9e",
            "agentVersion": "3.3.1.14",
            "attributes": [
                {
                    "display": "Created At",
                    "display_attribute": false,
                    "field_id": "agentTimestamp",
                    "priority": 3,
                    "queryable": false,
                    "section": "Main Attributes",
                    "value": "2020-03-19T08:17:01.575Z"
                },{
                    "display": "Site ID",
                    "display_attribute": false,
                    "field_id": "siteId",
                    "priority": 7,
                    "queryable": true,
                    "section": "Endpoint Info",
                    "value": null
                }
            ],
            "containerId": null,
            "containerImage": null,
            "containerLabels": null,
            "containerName": null,
            "createdAt": "2020-03-19T08:17:01.575000Z",
            "eventType": "Process Creation",
            "hasParent": true,
            "id": "401693219383738379",
            "k8sClusterName": null,
            "k8sControllerLabels": null,
            "k8sControllerName": null,
            "k8sControllerType": null,
            "k8sNamespace": null,
            "k8sNamespaceLabels": null,
            "k8sNode": null,
            "k8sPodLabels": null,
            "k8sPodName": null,
            "md5": null,
            "objectType": "process",
            "parentPid": "32461",
            "parentProcessName": "dash",
            "parentProcessStartTime": "2020-03-19T08:17:01.785Z",
            "parentProcessUniqueKey": "12f6fc9d-d213-474a-eae7-62240ec731c9",
            "pid": "32462",
            "processCmd": " run-parts --report /etc/cron.hourly",
            "processDisplayName": null,
            "processGroupId": "c98a4557-94b5-da31-5074-fe6360f17228",
            "processImagePath": "/bin/run-parts",
            "processImageSha1Hash": "66df74a1f7cc3509c87d6a190ff90ac86caf440d",
            "processIntegrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
            "processIsRedirectedCommandProcessor": "False",
            "processIsWow64": "False",
            "processName": "run-parts",
            "processRoot": "False",
            "processSessionId": "0",
            "processStartTime": "2020-03-19T08:17:01.787Z",
            "processSubSystem": "SUBSYSTEM_UNKNOWN",
            "processUniqueKey": "c460aa89-aaf8-8366-e1ef-2554d291acb6",
            "publisher": null,
            "relatedToThreat": "False",
            "sha256": null,
            "signatureSignedInvalidReason": null,
            "signedStatus": "unsigned",
            "siteName": "Siemplify.co",
            "trueContext": "c98a4557-94b5-da31-5074-fe6360f17228",
            "user": "unknown",
            "verifiedStatus": null
        }
    ],
    "pagination": {
        "nextCursor": "eyJpZF9jb2x1bW4iOiAiaWQiLCAiaWRfdmFsdWUiOiAiNDAxNjkzMjE5MzgzNzM4Mzc5IiwgInNvcnRfYnlfY29sdW1uIjogImFnZW50VGltZXN0YW1wIiwgInNvcnRfYnlfdmFsdWUiOiAiMjAyMC0wMy0xOVQwODoxNzowMS41NzVaIiwgInNvcnRfb3JkZXIiOiAiZGVzYyJ9",
        "totalItems": 632
    }
}
Case Wall
Result Type Value / Description Type
Output message*

If found at least one event: "Successfully retrieved information about the events for the following endpoints: \n{0}".format(entity.identifier)"

If not found event for one endpoint: "Action wasn't able to find any events for the following endpoints:\n {0}".format(entity.identifier)"

If not found event for all endpoints: "No information events for the provided endpoints."

General

Get Group Details

Retrieve detailed information about the provided groups.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Group Names String N/A Yes Specify a comma-separated list of group names for which you want to retrieve details.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[{`GROUP_NAME`:response.get('data')}]
Case Wall
Result Type Value / Description Type
Output message*

The action should neither fail nor stop a playbook execution:

If successful for one group: "Successfully retrieved information about the following groups in SentinelOne: \n {group name}"

If not successful for one group: "Action wasn't able to retrieve information about the following groups in SentinelOne:\n {group name}"

If not successful for all groups: "No information about the provided groups was found"


The action should fail and stop a playbook execution:

If a fatal error, SDK error, like wrong credentials, no connection, other is reported: "Error executing action "Get Group Details". Reason: {0}''.format(error.Stacktrace)

General
CSV

Table Name: SentinelOne Groups

Table Columns:

  • ID
  • Name
  • Type
  • Rank
  • Creator
  • Creation Time
General

Get Hash Reputation

Retrieve information about the hashes from SentinelOne.

Parameters

entities
Parameter Display Name Type Default Value Is Mandatory Description
Reputation ThresholdInteger 5 No

Specify the reputation threshold in order to be marked as suspicious.

If nothing is provided, the action does not mark entities as suspicious.

Maximum: 10

Create Insight Checkbox Checked No If enabled, the action creates an insight containing information about the reputation.
Only Suspicious Hashes Insight Checkbox Checked No If enabled, the action only creates insight for hashes that have higher or equal reputation to the "Reputation Threshold" value.

Run On

This action runs on the Hash entity.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Enrichment Table
Enrichment Field Name Logic - When to apply
SENO_reputation = rank Returns if it exists in JSON result.

Get Process List for Endpoint

Get System Status

Retrieve the status of a system.

Parameters

N/A

Use cases

Analysts may use this action to check that SentinelOne is working properly.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "system_status": {
        "data": {
            "health": "ok"
        }},
    "db_status": {
        "data": {
            "health": "ok"
        }},
    "cache_status": {
        "data": {
            "health": "ok"
        }
    }
}

Get System Version

Retrieve the version of a system.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False

Initiate Full Scan

Initiate a full disk scan on the endpoint in SentinelOne.

Parameters

N/A

Run On

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

If successful for at least one endpoint (is_success=true): "Successfully started the full disk scan on the following endpoints in SentinelOne: {0}".format(entity.identifier)

If not successful for at least one endpoint (is_success=true): "Action wasn't able to start a full disk scan on the following endpoints in SentinelOne: {0}".format(entity.identifier)

If not successful for all endpoints (is_success=false): "No full disk scans were initiated."

General

Move Agents

Move agents to the provided group. This action works with the Hostname and IP Address entities.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Group ID String N/A No Specify the ID of the group, where to move the agents.
Group Name String N/A No

Specify the name of the group, where to move the agents.

Note: If both the "Group ID" parameter and the "Group Name" parameter are provided, the action puts the "Group ID" parameter in the priority.

Run On

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

If successful for at least one endpoint: "Successfully moved the following endpoints to the group with {0} {1} in SentinelOne:\n{2}".format("ID"/"Name", group_id/group_name,entity.identity)

If no successful for at least one endpoint: "Action wasn't able to move the following endpoints to the group with {0} {1} in SentinelOne:\n{2}".format("ID"/"Name", group_id/group_name,entity.identity)

If no successful for all endpoint: "No endpoints were moved to the group {0} {1} in SentinelOne".format("ID"/"Name", group_id/group_name)

If the group is not found: "Action wasn't able to move endpoints to the group with {0} {1} in SentinelOne. Reason: Group was not found.".format("ID"/"Name", group_id/group_name)

If the "Group Name" or "Group ID" parameter is not provided (fail): "Error executing action "Move Agents". Reason: either "Group Name" or "Group ID" should be provided."

General

Ping

Test integration connectivity.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False

Reconnect Agent to the Network

Reconnect disconnected endpoint to the network. Works with the Hostname and IP Address entities.

Run On

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False

Create Hash Black List Record

Add hashes to a blocklist in SentinelOne.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Operating System String windows Yes

Specify the OS for the hash.

Possible values: windows, windows_legacy, macos, linux.

Site IDs Array N/A No Specify a comma-separated list of site IDs, where hash needs to be sent to the blocklist.
Group IDs Array N/A No Specify a comma-separated list of group IDs, where hash needs to be sent to the blocklist.
Account IDs Array N/A No Specify a comma-separated list of account IDs, where hash needs to be sent to the blocklist.
Description String "" No Specify additional information related to the hash.
Add to global blocklist Checkbox Unchecked Yes

If enabled, the action adds the hash to the global blocklist.

Note: If this parameter is enabled, the "Site IDs", "Group IDs", and "Account IDs" parameters are ignored.

Run On

This action runs on the Hash entity.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
    {
        "Entity": "36F9CA40B3CE96FCEE1CF1D4A7222935536FD25A",
        "EntityResult": [{
            "userName": "user",
            "description": "Created by Siemplify.",
            "userId": "8237415437026xxxxx",
            "scopeName": "Test Group",
            "value": "36F9CA40B3CE96FCEE1CF1D4A7222935536FD25A",
            "source": "user",
            "updatedAt": "2020-07-02T14:41:20.678280Z",
            "osType": "windows",
            "scope": {
                "groupIds": ["863712577864500060"]
            },
            "type": "white_hash",
            "id": "926706979756730756",
            "createdAt": "2020-07-02T14:41:20.678690Z"
        }, {
            "userName": "user",
            "description": "Created by Siemplify.",
            "userId": "8237415437026xxxxx",
            "scopeName": "Test Group 2",
            "value": "36F9CA40B3CE96FCEE1CF1D4A7222935536FD25A",
            "source": "user",
            "updatedAt": "2020-07-02T14:41:20.683858Z",
            "osType": "windows",
            "scope": {
                "groupIds": ["926559911218143489"]
            },
            "type": "white_hash",
            "id": "926706979807062407",
            "createdAt": "2020-07-02T14:41:20.684677Z"
        }]
    }
]
Case Wall
Result Type Value / Description Type
Output message*

If successful for one hash (is_success=true): "Successfully added the following hashes to the blacklist in SentinelOne:\n{0}".format(entity.identifier)

If already exist for at least one (is_success=true): "The following hashes were already a part of blacklist in SentinelOne:\n{0}".format(entity.identifier)

If not successful for one hash (is_success=true): "Action wasn't able to add the following hashes to the blacklist in SentinelOne:\n{0}".format(entity.identifier)

If not successful for all hashes (is_success=false): "No hashes were added to the blacklist in SentinelOne."

If a critical error is reported: "Error executing action "Create Hash Blacklist Record". Reason: {0}".(traceback)

If the "Site IDs", "Group IDs", "Account IDs" are not provided and the "Add to global black list" parameter is not enabled: "Error executing action "Create Hash Blacklist Record". Reason: at least one value should be provided for "Site IDs" or "Group IDs" or "Account IDs" parameters or "Add to global black list" should be enabled.

General

Get Blacklist

Get a list of all the items available in the blocklist in SentinelOne.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Hash String N/A No

Specify a comma-separated list of hashes that need to be checked in the blocklist. Only hashes that were found are returned.

If nothing is specified here the action returns all hashes.

Note: If the "Hash" parameter is provided then the "Limit" parameter is ignored.

Site IDs Array N/A No Specify a comma-separated list of site IDs, which should be used to return blocklist items.
Group IDs Array N/A No Specify a comma-separated list of group IDs, which should be used to return blocklist items.
Account Ids Array N/A No Specify a comma-separated list of account IDs, which should be used to return blocklist items.
Limit Integer 50 No

Specify the number of blocklist items that should be returned.

Note: If the "Hash" parameter has values, then this parameter is ignored.

Maximum: 1000

Query String N/A No Specify the query that needs to be used in order to filter the results.
Use Global Blacklist Checkbox Unchecked No If enabled, the action also returns hashes from the global blacklist.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
    {
        "userName": "Example",
        "description": "test",
        "userId": "8237415437026xxxxx",
        "scopeName": "Siemplify.co",
        "value": "cf23df2207d99a74fbe169e3eba035e633bxxxxx",
        "source": "user",
        "updatedAt": "2020-02-27T15:02:54.686991Z",
        "osType": "windows",
        "scope": {
            "siteIds": ["8237406459034xxxxx"]
        },
        "type": "black_hash",
        "id": "8353960925573xxxxx",
        "createdAt": "2020-02-27T15:02:54.687675Z"
    }, {
        "description": "Detected by SentinelOne Cloud",
        "userId": null,
        "scopeName": "Siemplify.co",
        "value": "3395856ce81f2b7382dee72602f798b642fxxxxx",
        "source": "cloud",
        "updatedAt": "2020-03-18T14:42:02.730095Z",
        "osType": "linux",
        "scope": {
            "siteIds": ["8237406459034xxxxx"]
        },
        "type": "black_hash",
        "id": "8498811050050xxxxx",
        "createdAt": "2020-03-18T14:42:02.730449Z"
    }, {
        "description": "Detected by SentinelOne Cloud",
        "userId": null,
        "scopeName": "Siemplify.co",
        "value": "df531d66173235167ac502b867f3cae2170xxxxx",
        "source": "cloud",
        "updatedAt": "2020-04-08T07:27:35.686775Z",
        "osType": "linux",
        "scope": {
            "siteIds": ["8237406459034xxxxx"]
        },
        "type": "black_hash",
        "id": "8648827291549xxxxx",
        "createdAt": "2020-04-08T07:27:35.687168Z"
    }
]
Case Wall
Result Type Value / Description Type
Output message*

If successful and has results (is_success=true): "Successfully retrieved blacklisted hashes based on the provided filter criteria in SentinelOne.".

If successful and no results are found (is_success=false): "No blacklisted hashes were found for the provided criteria in SentinelOne."

If a critical error is reported: "Error executing action "Get Blacklist". Reason: {0}".(traceback)

If the "Site IDs", "Group IDs", "Account IDs" parameters are not provided and the "Use Global Blacklist" parameter is not enabled: "Error executing action "Get Blacklist". Reason: at least one value should be provided for "Site IDs" or "Group IDs" or "Account IDs" parameters or "Use Global Blacklist" should be enabled.

General
Table

Table Name: Blacklist Hashes

Table Columns:

  • Hash
  • Scope
  • Description
  • OS
  • User
General

Get Deep Visibility Query Result

Retrieve information about deep visibility query results.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Query ID String N/A Yes

Specify the ID of the query for which you want to return results.

This ID is available in the JSON result of the "Initiate Deep Visibility Query" action as the "query_id" parameter.

Limit String 50 No

Specify the number of events to return.

Maximum: 100

Run On

This action doesn't run on any entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
##### Case Wall
Result Type Value / Description Type
Output message*

The action should neither fail nor stop a playbook execution:

If successful: "Successfully found events for query: <query id>."

The action should fail and stop a playbook execution:

If a fatal error, SDK error, like wrong credentials, no connection, other is reported: "Error executing action "Get Deep Visibility Query Result". Reason: {0}''.format(error.Stacktrace

If the 400 status code is reported (fail): "Error executing action "Get Deep Visibility Query Result". Reason: {0}".format(errors/detail)

If the query status is not set to "Finished" (fail): "Error executing action "Get Deep Visibility Query Result". Reason: status of the query - {0}. Please run action 'Initialize Deep Visibility Query' again.".format(query status)

General
CSV Table

Table Title: SentinelOne Events

Table Columns:

  • Event Type
  • Site Name
  • Time
  • Agent OS
  • Process ID
  • Process UID
  • Process Name
  • MD5
  • SHA256
General

Initiate Deep Visibility Query

Initiate a Deep Visibility Query search. Returns the Query ID, which should be used in the "Get Deep Visibility Query Result" action.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Query String N/A Yes Specify the query for the search.
Start Date String N/A No

Specify the start date for the search.

If nothing is specified, the action fetches events from 30 days ago.

End Date String N/A No

Specify the end date for the search.

If nothing is specified, the action uses current time.

Run On

This action doesn't run on any entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[{"query_id\":\"q0794f2c18433b38115982b501017c636"}]",
Case Wall
Result Type Value / Description Type
Output message*

The action should neither fail nor stop a playbook execution:

If successful: "Successfully created a deep visibility query. Query ID: <query ID value>"

If failed to run (no data): "Failed to create a deep visibility query"

The action should fail and stop a playbook execution:

If a fatal error, SDK error, like wrong credentials, no connection, other is reported: "Error executing action "Initiate a Deep Visibility Query". Reason: {0}''.format(error.Stacktrace)

If the 400 status code is reported (fail): "Error executing action 'Initiate Deep Visibility Query'. Reason: {0}".format(errors/detail)

General

Download Threat File

Download a file related to the threat in SentinelOne.

Known Limitation

Sometimes SentinelOne initiates a file fetch, but doesn't provide a download URL. In that case, action runs into a timeout. To confirm this situation, you need to navigate to the timeline of the threat.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Threat ID String N/A Yes Specify the ID of the threat for which you want to download the file.
Password Password N/A Yes

Specify the password for the zip that contains the threat file.

Password requirements:

At least 10 characters

Needs to include: uppercase, lowercase, digits, special symbols

Maximum length is 256 characters.

Download Folder Path String N/A Yes Specify the path to the folder, where you want to store the threat file.
Overwrite Checkbox Unchecked Yes If enabled, the action overwrites the file with the same name.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
"absolute_path": "`ABSOLUTE_PATH_TO_THE_FILE`"
}
Case Wall
Result Type Value / Description Type
Output message*

The action should neither fail nor stop a playbook execution:


If the file is downloaded (is_success = true): "Successfully downloaded the file related to threat {0} in SentinelOne ".format(threat_id)

If activityType=86 is not found (is_success=false): "Action wasn't able to download the file related to threat {threat_id}. Reason: action was able to initiate the downloading of the file, but SentinelOne didn't return a download URL."

Async message: "Waiting for the download link to appear in SentinelOne"

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, folder doesn't exist, other is reported: "Error executing action "Download Threat File". Reason: {0}''.format(error.Stacktrace)

If the 400 status code is reported: "Error executing action "Download Threat File". Reason: {0}".format(errors/detail)

If the file with the same name already exists, but "Overwrite" is set to false: "Error executing action "Download Threat File". Reason: file with path {0} already exists. Please delete the file or set "Overwrite" to true."

General

Update Analyst Verdict

Update analyst verdict of the threat in SentinelOne.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Threat ID String N/A Yes Specify a comma-separated list of threat IDs for which you want to update the analyst verdict.
Analyst Verdict DDL

Undefined

Possible Values:

  • True Positive
  • False Positive
  • Suspicious
  • Undefined
Yes Specify the analyst verdict.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

If successful for some threats (is_success=true): "Successfully updated analyst verdict for the following threats

in SentinelOne: {threat id}."

If not successful for some threats (is_success=true): "Action wasn't able to update analyst verdict for the following threats in SentinelOne: {threat id}."

If not successful for some threats (is_success=false): "Action wasn't able to update analyst verdict for the provided threats in SentinelOne."

General

Update Incident Status

Update threat incident status in SentinelOne.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Threat ID String N/A Yes Specify a comma-separated list of threat ids for which you want to update the incident status.
Status DDL

Resolved

Possible Values:

  • Unresolved
  • In Progress
  • Resolved
Yes Specify the incident status.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

If successful for some incidents (is_success=true): "Successfully updated incident status for the following threats

in SentinelOne: {threat id}."

If not successful for some incidents (is_success=true): "Action wasn't able to update incident status for the following threats in SentinelOne: {threat id}."

If not successful for some incidents (is_success=false): "Action wasn't able to update incident status for the provided threats in SentinelOne."

General

Add Threat Note

Add a note to the threat in SentinelOne.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Threat ID String N/A Yes Specify the ID of the threat for which you want to add a note.
Note String N/A Yes Specify the note that needs to be added to the threat.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should neither fail nor stop a playbook execution:


If successful (is_success=true): "Successfully added note to the threat {threat id} in SentinelOne."

If not successful (is_success=false): "Action wasn't able to add a note to the threat {threat id} in SentinelOne."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Add Threat Note". Reason: {0}''.format(error.Stacktrace)

General

Delete Hash Blacklist Record

Delete hashes from a blocklist in SentinelOne.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Site IDs String N/A No Specify a comma-separated list of site IDs, from where the hash needs to be removed.
Group IDs String N/A No Specify a comma-separated list of group IDs, from where the hash needs to be removed.
Account IDs String N/A No Specify a comma-separated list of account IDs, from where the hash needs to be removed.
Remove from global black list Checkbox Unchecked No

If enabled, the action removes the hash from the global blocklist.

Note: If this parameter is enabled, the "Site IDs", "Group IDs" and "Account IDs" parameters are ignored.

Run On

This action runs on the Hash entity.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result type Value/Description Type (Entity \ General)
Output message*

The action should neither fail nor stop a playbook execution:

If successful for one entity (is_success=true): "Successfully removed the following hashes from blacklist in SentinelOne: {\n entity.identifier}"

If not successful for one (not SHA1) (is_success=true): "Action wasn't able to remove the following hashes from blacklist in SentinelOne: {\n entity.identifier}"

If the hash is not found (is_success=true): "The following hashes were not found in the blacklist in SentinelOne: {\n entity.identifier}"

If not successful for all entities (is_success=false): "No hashes were removed from blacklist in SentinelOne."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Delete Hash Blacklist Record". Reason: {error traceback}"

If the "Site IDs", "Group IDs", "Account IDs" parameters are not provided: "Error executing action "Delete Hash Blacklist Record". Reason: at least one value should be provided for "Site IDs" or "Group IDs".

If the "Site IDs", "Group IDs", "Account IDs" parameters are not provided and the "Remove from global black list" is not enabled: "Error executing action "Delete Hash Blacklist Record". Reason: at least one value should be provided for "Site IDs" or "Group IDs" or "Account IDs" parameters or "Remove from global black list" should be enabled."

General

List Sites

List available sites in SentinelOne.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Filter Key DDL

Select One

Possible Values:

  • Name
  • ID
No Specify the key that needs to be used to filter sites.
Filter Logic DDL

Not Specified

Possible Values:

  • Not Specified
  • Equal
  • Contains
No Specify the filter logic that should be applied. Filtering logic is working based on the value provided in the "Filter Key" parameter.
Filter Value String N/A No

Specify the value that should be used in the filter.

If "Equal" is selected, the action tries to find the exact match among results.

If "Contains" is selected, the action tries to find results that contain the specified substring.

If nothing is provided in this parameter, the filter is not applied.

Filtering logic works based on the value provided in the "Filter Key" parameter.

Max Records To Return Integer 50 No Specify the number of records to return.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result type Value/Description Type (Entity \ General)
Output message*

The action should neither fail nor stop a playbook execution:

If data is available (is_success = true): "Successfully found sites for the provided criteria in SentinelOne".

If data is not available (is_success=false): "No sites were found for the provided criteria in {product name}"

If the "Filter Value" parameter is empty (is_success=true):

"The filter was not applied, because parameter "Filter Value" has an empty value."

The action should fail and stop a playbook execution:

If the "Filter Key" parameter is set to "Select One" and the "Filter Logic" is set to "Equal" or "Contains":

"Error executing action "{action name}"." Reason: you need to select a field from the "Filter Key" parameter.

If the "Filter Logic" parameter is set to "Equal" or "Contains":

"Error executing action "{action name}"." Reason: you need to select a field from the "Filter Key" parameter.

If an invalid value is provided for the "Max Records to Return" parameter:

"Error executing action "{action name}"." Reason: "Invalid value was provided for "Max Records to Return": . Positive number should be provided".

If a fatal error, like wrong credentials, no connection to the server, other is reported:

"Error executing action "{action name}". Reason: {0}''.format(error.Stacktrace)"

General
Case Wall Table

Table Name: Available Sites

Table Columns:

  • Name
  • ID
  • Creator
  • Expiration
  • Type
  • State
General

Connectors

SentinelOne - Threats Connector

Pull threats from SentinelOne.

For this connector we are changing the authorization method, adding an ability to filter alerts based on whitelists.

Authorization changes

Username and Password fields are removed and API Token is added.

Whitelist logic

The connector is able to filter alerts based on the Alert Name. A new connector parameter, Use whitelist as a blacklist, is introduced - which will change the logic, based on the value.

Use whitelist as a blacklist = false

With these conditions, allowlist is used as intended. Only alerts that have alert_names in the allowlist will be ingested into Google Security Operations SOAR.

Use whitelist as a blacklist = true.

With these conditions, allowlist is used as a blocklist. Only alerts that don't have alert_names in the allowlist will be ingested into Google Security Operations SOAR.

If there are no Alert Names in the allowlist, all alerts are ingested.

Use cases and examples

Analysts may use this connector to get threats from SentinelOne.

Configure SentinelOne - Threats Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name Type Default Value Is Mandatory Description
Product Field Name String siemplify_event Yes Describes the name of the field where the product name is stored.
Event Field Name String classificationSource Yes Describes the name of the field where the event name is stored.
Environment Field Name String "" No

Describes the name of the field where the environment name is stored.

If the environment field isn't found, the environment is the default environment.

Environment Regex Pattern String .* No

A regular expression pattern to run on the value found in the "Environment Field Name" field.

Default is .* to catch all and return the value unchanged.

Used to allow the user to manipulate the environment field using the regular expression logic.

If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout (Seconds) Integer 180 Yes Timeout limit for the python process running the current script.
API Root String https://usea1-partners.sentinelone.net/ Yes Address of SentinelOne API root.
API Token String N/A Yes SentinelOne API token.
API Version String 2.0

Specify what version of api to use in the connector. If nothing is provided connector will use version 2.1.

Fetch Max Days Backwards Integer 1 No Amount of days from where to fetch threats.
Use whitelist as a blacklist Checkbox Unchecked Yes If enabled, allowlist will be used as a blocklist.
Verify SSL Checkbox Checked Yes If enabled, verify the SSL certificate for the connection to the Sentinel public cloud server is valid.
Proxy Server Address String N/A No The address of the proxy server to use
Proxy Username String N/A No The proxy username to authenticate with
Proxy Password Password N/A No The proxy password to authenticate with
Event Object Type Filter CSV N/A No

A comma-separated list of event objects that need to be returned alongside threat info. This parameter is used as a filter to only return certain objects.

Examples: process,ip,indicators.

If nothing is provided, the connector ingests all event object types.

Event Type Filter CSV N/A No

A comma-separated list of event types that need to be returned alongside threat info. This parameter is used as a filter to only return certain event types.

Examples: Process Creation, Behavioral Indicators

Max Events To Return Integer 199 No

Specify the number of events to return per threat.

Maximum: 199

Connector rules

The connector supports proxy.

The connector supports allowlist and blocklist.