SentinelOne v2

Use the SentinelOne v2 integration to manage your company's endpoints.
This integration was integrated and tested with version xx of SentinelOne Beta

Configure SentinelOne Beta on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for SentinelOne Beta.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Server URL (e.g., https://usea1.sentinelone.net)
    • Username
    • API Token
    • Trust any certificate (not secure)
    • Use system proxy
    • Fetch incidents
    • Fetch limit
    • Incident type
    • First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year)
    • Minimum risk score for importing incidents (0-10), where 0 is low risk and 10 is high risk
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get all agents: sentinelone-list-agents
  2. Create an exclusion: sentinelone-create-white-list-item
  3. Get all exclusion items: sentinelone-get-white-list
  4. Get the reputation of a hash: sentinelone-get-hash
  5. Get a threat list: sentinelone-get-threats
  6. Get a threat summary: sentinelone-threat-summary
  7. Mark suspicious threats: sentinelone-mark-as-threat
  8. Mitigate threats: sentinelone-mitigate-threat
  9. Resolve threats: sentinelone-resolve-threat
  10. Get agent details: sentinelone-get-agent
  11. Get a list of sites: sentinelone-get-sites
  12. Get a site list: sentinelone-get-site
  13. Reactivate a site: sentinelone-reactivate-site
  14. Get a list of activities: sentinelone-get-activities
  15. Get group data: sentinelone-get-groups
  16. Move agent: sentinelone-move-agent
  17. Delete a group: sentinelone-delete-group
  18. Retrieve agent processes: sentinelone-agent-processes
  19. Connect an agent: sentinelone-connect-agent
  20. Disconnect an agent: sentinelone-disconnect-agent
  21. Broadcast a message to agents: sentinelone-broadcast-message
  22. Get Deep Visibility events: sentinelone-get-events
  23. Create a Deep Visibility query: sentinelone-create-query
  24. Get a list of Deep Visibility events by process: sentinelone-get-processes
  25. Shutdown an agent: sentinelone-shutdown-agent
  26. Uninstall an agent: sentinelone-uninstall-agent

1. Get all agents

Gets a list of all agents.

Base Command

sentinelone-list-agents

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| computer_name | Filter by computer name. | Optional |
| scan_status | CSV list of scan statuses by which to filter the results, for example: "started,aborted". | Optional |
| os_type | Included OS types, for example: "windows". | Optional |
| created_at | Endpoint created at timestamp, for example: "2018-02-27T04:49:26.257525Z". | Optional |
| min_active_threats | Minimum number of threats for an agent. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Agents.NetworkStatus | string | The agent network status. |
| SentinelOne.Agents.ID | string | The agent ID. |
| SentinelOne.Agents.AgentVersion | string | The agent software version. |
| SentinelOne.Agents.IsDecomissioned | boolean | Whether the agent is decommissioned. |
| SentinelOne.Agents.IsActive | boolean | Whether the agent is active. |
| SentinelOne.Agents.LastActiveDate | date | The last active date of the agent. |
| SentinelOne.Agents.RegisteredAt | date | The registration date of the agent. |
| SentinelOne.Agents.ExternalIP | string | The agent IP address. |
| SentinelOne.Agents.ThreatCount | number | Number of active threats. |
| SentinelOne.Agents.EncryptedApplications | boolean | Whether disk encryption is enabled. |
| SentinelOne.Agents.OSName | string | Name of operating system. |
| SentinelOne.Agents.ComputerName | string | Name of agent computer. |
| SentinelOne.Agents.Domain | string | Domain name of the agent. |
| SentinelOne.Agents.CreatedAt | date | Creation time of the agent. |
| SentinelOne.Agents.SiteName | string | Site name associated with the agent. |

Command Example
!sentinelone-list-agents
Context Example
{
    "SentinelOne.Agents": [
        {
            "ExternalIP": "73.92.194.57", 
            "Domain": "local", 
            "LastActiveDate": "2019-08-18T10:31:18.675994Z", 
            "NetworkStatus": "connected", 
            "EncryptedApplications": true, 
            "ThreatCount": 0, 
            "ComputerName": "Prasens-MacBook-Pro", 
            "IsActive": false, 
            "OSName": "OS X", 
            "SiteName": "demisto", 
            "AgentVersion": "2.6.3.2538", 
            "IsDecomissioned": false, 
            "RegisteredAt": "2018-12-02T08:48:37.785644Z", 
            "ID": "507609079972387179", 
            "CreatedAt": "2018-12-02T08:48:37.792682Z"
        }, 
        {
            "ExternalIP": "3.122.240.42", 
            "Domain": "WORKGROUP", 
            "LastActiveDate": "2019-08-18T13:56:50.620408Z", 
            "NetworkStatus": "connected", 
            "EncryptedApplications": false, 
            "ThreatCount": 0, 
            "ComputerName": "EC2AMAZ-AJ0KANC", 
            "IsActive": true, 
            "OSName": "Windows Server 2016", 
            "SiteName": "demisto", 
            "AgentVersion": "3.1.3.38", 
            "IsDecomissioned": false, 
            "RegisteredAt": "2019-06-27T08:01:05.567249Z", 
            "ID": "657613730168123595", 
            "CreatedAt": "2019-06-27T08:01:05.571895Z"
        }, 
        {
            "ExternalIP": "34.100.71.242", 
            "Domain": "PALOALTONETWORK", 
            "LastActiveDate": "2019-08-16T06:32:48.683437Z", 
            "NetworkStatus": "connecting", 
            "EncryptedApplications": true, 
            "ThreatCount": 0, 
            "ComputerName": "TLVWIN9131Q1V", 
            "IsActive": false, 
            "OSName": "Windows 10", 
            "SiteName": "demisto", 
            "AgentVersion": "3.1.3.38", 
            "IsDecomissioned": false, 
            "RegisteredAt": "2019-06-27T12:09:43.590587Z", 
            "ID": "657738871640371668", 
            "CreatedAt": "2019-06-27T12:09:43.598071Z"
        }, 
        {
            "ExternalIP": "52.49.120.63", 
            "Domain": "WORKGROUP", 
            "LastActiveDate": "2019-08-06T07:38:35.677266Z", 
            "NetworkStatus": "connected", 
            "EncryptedApplications": false, 
            "ThreatCount": 0, 
            "ComputerName": "EC2AMAZ-55LV527", 
            "IsActive": false, 
            "OSName": "Windows Server 2016", 
            "SiteName": "demisto", 
            "AgentVersion": "3.1.5.63", 
            "IsDecomissioned": false, 
            "RegisteredAt": "2019-08-05T11:42:38.644242Z", 
            "ID": "685991494097052188", 
            "CreatedAt": "2019-08-05T11:42:38.648232Z"
        }, 
        {
            "ExternalIP": "18.202.247.204", 
            "Domain": "WORKGROUP", 
            "LastActiveDate": "2019-08-06T07:37:05.677281Z", 
            "NetworkStatus": "connecting", 
            "EncryptedApplications": false, 
            "ThreatCount": 0, 
            "ComputerName": "EC2AMAZ-TR9AE9E", 
            "IsActive": false, 
            "OSName": "Windows Server 2016", 
            "SiteName": "demisto", 
            "AgentVersion": "3.1.5.63", 
            "IsDecomissioned": false, 
            "RegisteredAt": "2019-08-05T11:46:49.681346Z", 
            "ID": "685993599964815937", 
            "CreatedAt": "2019-08-05T11:46:49.687519Z"
        }
    ]
}
Human Readable Output

Sentinel One - List of Agents

Provides summary information and details for all the agents that matched your search criteria.

| Agent Version | Computer Name | Created At | Domain | Encrypted Applications | External IP | ID | Is Active | Is Decomissioned | Last ActiveDate | Network Status | OS Name | Registered At | Site Name | Threat Count |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2.6.3.2538 | Prasens-MacBook-Pro | 2018-12-02T08:48:37.792682Z | local | true | 73.92.194.57 | 507609079972387179 | false | false | 2019-08-18T10:31:18.675994Z | connected | OS X | 2018-12-02T08:48:37.785644Z | demisto | 0 |
| 3.1.3.38 | EC2AMAZ-AJ0KANC | 2019-06-27T08:01:05.571895Z | WORKGROUP | false | 3.122.240.42 | 657613730168123595 | true | false | 2019-08-18T13:56:50.620408Z | connected | Windows Server 2016 | 2019-06-27T08:01:05.567249Z | demisto | 0 |
| 3.1.3.38 | TLVWIN9131Q1V | 2019-06-27T12:09:43.598071Z | PALOALTONETWORK | true | 34.100.71.242 | 657738871640371668 | false | false | 2019-08-16T06:32:48.683437Z | connecting | Windows 10 | 2019-06-27T12:09:43.590587Z | demisto | 0 |
| 3.1.5.63 | EC2AMAZ-55LV527 | 2019-08-05T11:42:38.648232Z | WORKGROUP | false | 52.49.120.63 | 685991494097052188 | false | false | 2019-08-06T07:38:35.677266Z | connected | Windows Server 2016 | 2019-08-05T11:42:38.644242Z | demisto | 0 |
| 3.1.5.63 | EC2AMAZ-TR9AE9E | 2019-08-05T11:46:49.687519Z | | | | | | | | | | | | |
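As an added example (not code from the integration or from this page), a small Python automation that consumes the SentinelOne.Agents context the command returns: it mirrors the command's computer_name, os_type and min_active_threats arguments with client-side filters and flags endpoints an analyst should review (not connected, inactive, disk encryption off, active threats, or not seen within a stale window). The records are copied from the context example above; the substring-match filter semantics, the 7-day stale window and the fixed SAMPLE_NOW are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: three agent records copied from the page's context example above.
SAMPLE_AGENTS = [
    {"ComputerName": "Prasens-MacBook-Pro", "OSName": "OS X", "NetworkStatus": "connected", "IsActive": False,
     "EncryptedApplications": True, "ThreatCount": 0, "LastActiveDate": "2019-08-18T10:31:18.675994Z"},
    {"ComputerName": "EC2AMAZ-AJ0KANC", "OSName": "Windows Server 2016", "NetworkStatus": "connected",
     "IsActive": True, "EncryptedApplications": False, "ThreatCount": 0, "LastActiveDate": "2019-08-18T13:56:50.620408Z"},
    {"ComputerName": "TLVWIN9131Q1V", "OSName": "Windows 10", "NetworkStatus": "connecting", "IsActive": False,
     "EncryptedApplications": True, "ThreatCount": 0, "LastActiveDate": "2019-08-16T06:32:48.683437Z"},
]
SAMPLE_NOW = datetime(2019, 8, 19, tzinfo=timezone.utc)  # fixed (assumed) so results match the 2019 sample

def parse_s1_time(value):
    """Parse the UTC timestamps SentinelOne returns, e.g. 2019-08-18T10:31:18.675994Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def filter_agents(agents, computer_name=None, os_type=None, min_active_threats=None):
    """Client-side counterpart of the command's computer_name / os_type / min_active_threats
    arguments (assumed semantics: case-insensitive substring match on ComputerName and OSName)."""
    kept = []
    for a in agents:
        if computer_name and computer_name.lower() not in a["ComputerName"].lower():
            continue
        if os_type and os_type.lower() not in a["OSName"].lower():
            continue
        if min_active_threats is not None and a.get("ThreatCount", 0) < min_active_threats:
            continue
        kept.append(a)
    return kept

def triage_agents(agents, now=SAMPLE_NOW, stale_after=timedelta(days=7)):
    """Map ComputerName -> reasons an analyst should look at that endpoint."""
    findings = {}
    for a in agents:
        reasons = []
        if a.get("NetworkStatus") != "connected":
            reasons.append("network status " + str(a.get("NetworkStatus")))
        if not a.get("IsActive"):
            reasons.append("agent inactive")
        if not a.get("EncryptedApplications"):
            reasons.append("disk encryption disabled")
        if a.get("ThreatCount", 0) > 0:
            reasons.append("%d active threat(s)" % a["ThreatCount"])
        if now - parse_s1_time(a["LastActiveDate"]) > stale_after:
            reasons.append("last active over %d days ago" % stale_after.days)
        if reasons:
            findings[a["ComputerName"]] = reasons
    return findings
```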