SentinelOne v2

Use the SentinelOne v2 integration to manage your company's endpoints.
This integration was integrated and tested with version xx of SentinelOne Beta.

Configure SentinelOne Beta on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for SentinelOne Beta.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Server URL (e.g., https://usea1.sentinelone.net)
    • Username
    • API Token
    • Trust any certificate (not secure)
    • Use system proxy
    • Fetch incidents
    • Fetch limit
    • Incident type
    • First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year)
    • Minimum risk score for importing incidents (0-10), where 0 is low risk and 10 is high risk
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get all agents: sentinelone-list-agents
  2. Create an exclusion: sentinelone-create-white-list-item
  3. Get all exclusion items: sentinelone-get-white-list
  4. Get the reputation of a hash: sentinelone-get-hash
  5. Get a threat list: sentinelone-get-threats
  6. Get a threat summary: sentinelone-threat-summary
  7. Mark suspicious threats: sentinelone-mark-as-threat
  8. Mitigate threats: sentinelone-mitigate-threat
  9. Resolve threats: sentinelone-resolve-threat
  10. Get agent details: sentinelone-get-agent
  11. Get a list of sites: sentinelone-get-sites
  12. Get a site list: sentinelone-get-site
  13. Reactivate a site: sentinelone-reactivate-site
  14. Get a list of activities: sentinelone-get-activities
  15. Get group data: sentinelone-get-groups
  16. Move agent: sentinelone-move-agent
  17. Delete a group: sentinelone-delete-group
  18. Retrieve agent processes: sentinelone-agent-processes
  19. Connect an agent: sentinelone-connect-agent
  20. Disconnect an agent: sentinelone-disconnect-agent
  21. Broadcast a message to agents: sentinelone-broadcast-message
  22. Get Deep Visibility events: sentinelone-get-events
  23. Create a Deep Visibility query: sentinelone-create-query
  24. Get a list of Deep Visibility events by process: sentinelone-get-processes
  25. Shutdown an agent: sentinelone-shutdown-agent
  26. Uninstall an agent: sentinelone-uninstall-agent

1. Get all agents


Gets a list of all agents.

Base Command

sentinelone-list-agents

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| computer_name | Filter by computer name. | Optional |
| scan_status | CSV list of scan statuses by which to filter the results, for example: “started,aborted”. | Optional |
| os_type | Included OS types, for example: “windows”. | Optional |
| created_at | Endpoint created at timestamp, for example: “2018-02-27T04:49:26.257525Z”. | Optional |
| min_active_threats | Minimum number of threats for an agent. | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Agents.NetworkStatus | string | The agent network status. |
| SentinelOne.Agents.ID | string | The agent ID. |
| SentinelOne.Agents.AgentVersion | string | The agent software version. |
| SentinelOne.Agents.IsDecomissioned | boolean | Whether the agent is decommissioned. |
| SentinelOne.Agents.IsActive | boolean | Whether the agent is active. |
| SentinelOne.Agents.LastActiveDate | date | The last active date of the agent. |
| SentinelOne.Agents.RegisteredAt | date | The registration date of the agent. |
| SentinelOne.Agents.ExternalIP | string | The agent IP address. |
| SentinelOne.Agents.ThreatCount | number | Number of active threats. |
| SentinelOne.Agents.EncryptedApplications | boolean | Whether disk encryption is enabled. |
| SentinelOne.Agents.OSName | string | Name of the operating system. |
| SentinelOne.Agents.ComputerName | string | Name of the agent computer. |
| SentinelOne.Agents.Domain | string | Domain name of the agent. |
| SentinelOne.Agents.CreatedAt | date | Creation time of the agent. |
| SentinelOne.Agents.SiteName | string | Site name associated with the agent. |

Command Example
!sentinelone-list-agents
Context Example
{
    "SentinelOne.Agents": [
        {
            "ExternalIP": "73.92.194.57", 
            "Domain": "local", 
            "LastActiveDate": "2019-08-18T10:31:18.675994Z", 
            "NetworkStatus": "connected", 
            "EncryptedApplications": true, 
            "ThreatCount": 0, 
            "ComputerName": "Bills-MacBook-Pro", 
            "IsActive": false, 
            "OSName": "OS X", 
            "SiteName": "demisto", 
            "AgentVersion": "2.6.3.2538", 
            "IsDecomissioned": false, 
            "RegisteredAt": "2018-12-02T08:48:37.785644Z", 
            "ID": "507609079972387179", 
            "CreatedAt": "2018-12-02T08:48:37.792682Z"
        }, 
        {
            "ExternalIP": "3.122.240.42", 
            "Domain": "WORKGROUP", 
            "LastActiveDate": "2019-08-18T13:56:50.620408Z", 
            "NetworkStatus": "connected", 
            "EncryptedApplications": false, 
            "ThreatCount": 0, 
            "ComputerName": "EC2AMAZ-AJ0KANC", 
            "IsActive": true, 
            "OSName": "Windows Server 2016", 
            "SiteName": "demisto", 
            "AgentVersion": "3.1.3.38", 
            "IsDecomissioned": false, 
            "RegisteredAt": "2019-06-27T08:01:05.567249Z", 
            "ID": "657613730168123595", 
            "CreatedAt": "2019-06-27T08:01:05.571895Z"
        }, 
        {
            "ExternalIP": "34.100.71.242", 
            "Domain": "PALOALTONETWORK", 
            "LastActiveDate": "2019-08-16T06:32:48.683437Z", 
            "NetworkStatus": "connecting", 
            "EncryptedApplications": true, 
            "ThreatCount": 0, 
            "ComputerName": "TLVWIN9131Q1V", 
            "IsActive": false, 
            "OSName": "Windows 10", 
            "SiteName": "demisto", 
            "AgentVersion": "3.1.3.38", 
            "IsDecomissioned": false, 
            "RegisteredAt": "2019-06-27T12:09:43.590587Z", 
            "ID": "657738871640371668", 
            "CreatedAt": "2019-06-27T12:09:43.598071Z"
        }, 
        {
            "ExternalIP": "52.49.120.63", 
            "Domain": "WORKGROUP", 
            "LastActiveDate": "2019-08-06T07:38:35.677266Z", 
            "NetworkStatus": "connected", 
            "EncryptedApplications": false, 
            "ThreatCount": 0, 
            "ComputerName": "EC2AMAZ-55LV527", 
            "IsActive": false, 
            "OSName": "Windows Server 2016", 
            "SiteName": "demisto", 
            "AgentVersion": "3.1.5.63", 
            "IsDecomissioned": false, 
            "RegisteredAt": "2019-08-05T11:42:38.644242Z", 
            "ID": "685991494097052188", 
            "CreatedAt": "2019-08-05T11:42:38.648232Z"
        }, 
        {
            "ExternalIP": "18.202.247.204", 
            "Domain": "WORKGROUP", 
            "LastActiveDate": "2019-08-06T07:37:05.677281Z", 
            "NetworkStatus": "connecting", 
            "EncryptedApplications": false, 
            "ThreatCount": 0, 
            "ComputerName": "EC2AMAZ-TR9AE9E", 
            "IsActive": false, 
            "OSName": "Windows Server 2016", 
            "SiteName": "demisto", 
            "AgentVersion": "3.1.5.63", 
            "IsDecomissioned": false, 
            "RegisteredAt": "2019-08-05T11:46:49.681346Z", 
            "ID": "685993599964815937", 
            "CreatedAt": "2019-08-05T11:46:49.687519Z"
        }
    ]
}
Human Readable Output

Sentinel One - List of Agents

Provides summary information and details for all the agents that matched your search criteria.

| Agent Version | Computer Name | Created At | Domain | Encrypted Applications | External IP | ID | Is Active | Is Decomissioned | Last ActiveDate | Network Status | OS Name | Registered At | Site Name | Threat Count |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2.6.3.2538 | Bills-MacBook-Pro | 2018-12-02T08:48:37.792682Z | local | true | 73.92.194.57 | 507609079972387179 | false | false | 2019-08-18T10:31:18.675994Z | connected | OS X | 2018-12-02T08:48:37.785644Z | demisto | 0 |
| 3.1.3.38 | EC2AMAZ-AJ0KANC | 2019-06-27T08:01:05.571895Z | WORKGROUP | false | 3.122.240.42 | 657613730168123595 | true | false | 2019-08-18T13:56:50.620408Z | connected | Windows Server 2016 | 2019-06-27T08:01:05.567249Z | demisto | 0 |
| 3.1.3.38 | TLVWIN9131Q1V | 2019-06-27T12:09:43.598071Z | PALOALTONETWORK | true | 34.100.71.242 | 657738871640371668 | false | false | 2019-08-16T06:32:48.683437Z | connecting | Windows 10 | 2019-06-27T12:09:43.590587Z | demisto | 0 |
| 3.1.5.63 | EC2AMAZ-55LV527 | 2019-08-05T11:42:38.648232Z | WORKGROUP | false | 52.49.120.63 | 685991494097052188 | false | false | 2019-08-06T07:38:35.677266Z | connected | Windows Server 2016 | 2019-08-05T11:42:38.644242Z | demisto | 0 |
| 3.1.5.63 | EC2AMAZ-TR9AE9E | 2019-08-05T11:46:49.687519Z | WORKGROUP | false | 18.202.247.204 | 685993599964815937 | false | false | 2019-08-06T07:37:05.677281Z | connecting | Windows Server 2016 | 2019-08-05T11:46:49.681346Z | demisto | 0 |
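The context output above is what a playbook or automation actually works with. As an added example (not part of the integration's own code), the following script turns a SentinelOne.Agents list into a short hygiene report: agents that have gone silent for longer than a threshold, agents without disk encryption, and agents carrying active threats. It assumes only the context fields documented above; the five sample agents are copied from the context example, and the reference time is a constructed value.

```python
"""Hygiene report over the SentinelOne.Agents context produced by
!sentinelone-list-agents (added example; assumes only the documented fields)."""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List

# Constructed sample: the relevant fields of the five agents in the context
# example above (IDs, names and timestamps are the page's own values).
SAMPLE_AGENTS: List[Dict[str, Any]] = [
    {"ID": "507609079972387179", "ComputerName": "Bills-MacBook-Pro",
     "LastActiveDate": "2019-08-18T10:31:18.675994Z", "IsDecomissioned": False,
     "EncryptedApplications": True, "ThreatCount": 0, "NetworkStatus": "connected"},
    {"ID": "657613730168123595", "ComputerName": "EC2AMAZ-AJ0KANC",
     "LastActiveDate": "2019-08-18T13:56:50.620408Z", "IsDecomissioned": False,
     "EncryptedApplications": False, "ThreatCount": 0, "NetworkStatus": "connected"},
    {"ID": "657738871640371668", "ComputerName": "TLVWIN9131Q1V",
     "LastActiveDate": "2019-08-16T06:32:48.683437Z", "IsDecomissioned": False,
     "EncryptedApplications": True, "ThreatCount": 0, "NetworkStatus": "connecting"},
    {"ID": "685991494097052188", "ComputerName": "EC2AMAZ-55LV527",
     "LastActiveDate": "2019-08-06T07:38:35.677266Z", "IsDecomissioned": False,
     "EncryptedApplications": False, "ThreatCount": 0, "NetworkStatus": "connected"},
    {"ID": "685993599964815937", "ComputerName": "EC2AMAZ-TR9AE9E",
     "LastActiveDate": "2019-08-06T07:37:05.677281Z", "IsDecomissioned": False,
     "EncryptedApplications": False, "ThreatCount": 0, "NetworkStatus": "connecting"},
]


def parse_s1_timestamp(value: str) -> datetime:
    """Parse the UTC timestamps the context carries, e.g. 2019-08-18T10:31:18.675994Z.

    The fractional part is optional so a value such as 2019-08-19T00:00:00Z also parses.
    """
    if value.endswith("Z"):
        value = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def agent_hygiene(agents: List[Dict[str, Any]], now_iso: str,
                  max_idle_days: int = 7) -> Dict[str, List[str]]:
    """Bucket agents by the conditions a defender wants to follow up on.

    now_iso is passed in (same format as LastActiveDate) so the report is
    deterministic; in an automation you would pass the current UTC time.
    """
    cutoff = parse_s1_timestamp(now_iso) - timedelta(days=max_idle_days)
    report: Dict[str, List[str]] = {
        "stale": [], "unencrypted": [], "with_threats": [], "decommissioned": [],
    }
    for agent in agents:
        name = agent.get("ComputerName") or agent.get("ID", "<unknown>")
        if agent.get("IsDecomissioned"):
            # A decommissioned agent is expected to be silent; report it separately
            # rather than as stale, so the stale list stays actionable.
            report["decommissioned"].append(name)
            continue
        last_active = agent.get("LastActiveDate")
        if last_active and parse_s1_timestamp(last_active) < cutoff:
            report["stale"].append(name)
        if agent.get("EncryptedApplications") is False:
            report["unencrypted"].append(name)
        if (agent.get("ThreatCount") or 0) > 0:
            report["with_threats"].append(name)
    return report


if __name__ == "__main__":
    # Constructed reference time: the day after the newest LastActiveDate in the sample.
    for bucket, names in agent_hygiene(SAMPLE_AGENTS, "2019-08-19T00:00:00Z").items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```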

2. Create an exclusion


Creates an exclusion item for a white list.

Base Command

sentinelone-create-white-list-item

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| exclusion_type | Exclusion item type. Can be “file_type”, “path”, “white_hash”, “certificate”, or “browser”. | Required |
| exclusion_value | Value of the exclusion item for the exclusion list. | Required |
| os_type | OS type. Can be “windows”, “windows_legacy”, “macos”, or “linux”. OS type is required for hash exclusions. | Required |
| description | Description for adding the item. | Optional |
| exclusion_mode | Exclusion mode (path exclusion only). Can be “suppress”, “disable_in_process_monitor_deep”, “disable_in_process_monitor”, “disable_all_monitors”, or “disable_all_monitors_deep”. | Optional |
| path_exclusion_type | Excluded path for a path exclusion list. | Optional |
| group_ids | CSV list of group IDs by which to filter. Can be “site_ids” or “group_ids”. | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Exclusions.ID | string | The whitelisted entity ID. |
| SentinelOne.Exclusions.Type | string | The whitelisted item type. |
| SentinelOne.Exclusions.CreatedAt | date | Time when the whitelist item was created. |

Command Example
!sentinelone-create-white-list-item exclusion_type=browser exclusion_value=Chrome os_type=windows description=test group_ids=475482421375116388
Human Readable Output

Sentinel One - Adding an exclusion item

The provided item was successfully added to the exclusion list

| Created At | ID | Type |
| --- | --- | --- |
| 2019-08-18T13:50:14.454550Z | 695477800149743550 | browser |

3. Get all exclusion items


Gets all exclusion items in a white list.

Base Command

sentinelone-get-white-list

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| item_ids | List of IDs by which to filter, for example: “225494730938493804,225494730938493915”. | Optional |
| os_types | CSV list of OS types by which to filter, for example: “windows, linux”. | Optional |
| exclusion_type | Exclusion type. Can be “file_type”, “path”, “white_hash”, “certificate”, or “browser”. | Optional |
| limit | The maximum number of items to return. | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Exclusions.ID | string | The item ID. |
| SentinelOne.Exclusions.Type | string | The exclusion item type. |
| SentinelOne.Exclusions.CreatedAt | date | Timestamp when the item was added. |
| SentinelOne.Exclusions.Value | string | Value of the added item. |
| SentinelOne.Exclusions.Source | string | Source of the added item. |
| SentinelOne.Exclusions.UserID | string | User ID of the user that added the item. |
| SentinelOne.Exclusions.UpdatedAt | date | Timestamp when the item was updated. |
| SentinelOne.Exclusions.OsType | string | OS type. |
| SentinelOne.Exclusions.UserName | string | User name of the user that added the item. |
| SentinelOne.Exclusions.Mode | string | Exclusion mode (path exclusions only), for example: “suppress”. |

Command Example
!sentinelone-get-white-list exclusion_type=file_type
Context Example
{
    "SentinelOne.Exclusions": [
        {
            "UserName": "John Roe", 
            "UserID": "433273625970238486", 
            "Value": "MDF", 
            "Source": "user", 
            "Mode": null, 
            "UpdatedAt": "2018-11-05T18:48:49.070978Z", 
            "OsType": "windows", 
            "Type": "file_type", 
            "ID": "488342219732991235", 
            "CreatedAt": "2018-11-05T18:48:49.072116Z"
        }
    ]
}
Human Readable Output

Sentinel One - Listing exclusion items

Provides summary information and details for all the exclusion items that matched your search criteria.

| CreatedAt | ID | OsType | Source | Type | UpdatedAt | UserID | UserName | Value |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2018-11-05T18:48:49.072116Z | 488342219732991235 | windows | user | file_type | 2018-11-05T18:48:49.070978Z | 433273625970238486 | John Roe | MDF |

4. Get the reputation of a hash


Gets the reputation of a hash.

Base Command

sentinelone-get-hash

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| hash | The content hash. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Hash.Rank | Number | The hash reputation (1-10). |
| SentinelOne.Hash.Hash | String | The content hash. |
| SentinelOne.Hash.Classification | String | The hash classification. |
| SentinelOne.Hash.ClassificationSource | String | The hash classification source. |

Command Example
!sentinelone-get-hash hash=3aacf35d3ff2e15288851e8afe8026576f7110eb
Context Example
{
    "SentinelOne.Hash": {
        "ClassificationSource": "Cloud", 
        "Hash": "3aacf35d3ff2e15288851e8afe8026576f7110eb", 
        "Rank": "6", 
        "Classification": "PUA"
    }
}
Human Readable Output

Sentinel One - Hash Reputation and Classification

Provides hash reputation (rank from 0 to 10):

| Hash | Rank | ClassificationSource | Classification |
| --- | --- | --- | --- |
| 3aacf35d3ff2e15288851e8afe8026576f7110eb | 6 | Cloud | PUA |

5. Get a threat list


Gets a list of threats.

Base Command

sentinelone-get-threats

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| content_hash | The content hash of the threat. | Optional |
| mitigation_status | CSV list of mitigation statuses. Can be “mitigated”, “active”, “blocked”, “suspicious”, “pending”, or “suspicious_resolved”. | Optional |
| created_before | Searches for threats created before this date, for example: “2018-02-27T04:49:26.257525Z”. | Optional |
| created_after | Searches for threats created after this date, for example: “2018-02-27T04:49:26.257525Z”. | Optional |
| created_until | Searches for threats created on or before this date, for example: “2018-02-27T04:49:26.257525Z”. | Optional |
| created_from | Searches for threats created on or after this date, for example: “2018-02-27T04:49:26.257525Z”. | Optional |
| resolved | Whether to only return resolved threats. | Optional |
| display_name | Threat display name. Can be a partial display name, not an exact match. | Optional |
| limit | The maximum number of threats to return. Default is 20. | Optional |
| query | Full free-text search for fields. Can be “content_hash”, “file_display_name”, “file_path”, “computer_name”, or “uuid”. | Optional |
| threat_ids | CSV list of threat IDs, for example: “225494730938493804,225494730938493915”. | Optional |
| classifications | CSV list of threat classifications to search, for example: “Malware”, “Network”, “Benign”. | Optional |
| rank | Risk level threshold to retrieve (1-10). | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Threat.ID | String | The threat ID. |
| SentinelOne.Threat.AgentComputerName | String | The agent computer name. |
| SentinelOne.Threat.CreatedDate | Date | File created date. |
| SentinelOne.Threat.SiteID | String | The site ID. |
| SentinelOne.Threat.Classification | String | Classification name. |
| SentinelOne.Threat.MitigationStatus | String | The threat mitigation status, for example: “mitigated”. |
| SentinelOne.Threat.AgentID | String | The agent ID. |
| SentinelOne.Threat.Rank | Number | Number representing cloud reputation (1-10). |
| SentinelOne.Threat.MarkedAsBenign | Boolean | Whether the threat is marked as benign. |

Command Example
!sentinelone-get-threats
Context Example
{
    "SentinelOne.Threat": [
        {
            "Username": "root", 
            "FileSha256": null, 
            "ThreatName": "eicar.com.txt", 
            "Description": "static-check-on-write", 
            "Classification": "Malware", 
            "FilePath": "/Users/yardensade/Downloads/eicar.com.txt", 
            "InQuarantine": null, 
            "Rank": 7, 
            "ID": "513526418089756174", 
            "MarkedAsBenign": false, 
            "FileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", 
            "SiteID": "475482421366727779", 
            "CreatedDate": "2018-12-10T12:45:19.325000Z", 
            "AgentOsType": "macos", 
            "AgentID": "513505756159722818", 
            "AgentComputerName": "Yardens-MacBook-Pro", 
            "FileDisplayName": "eicar.com.txt", 
            "MitigationStatus": "mitigated", 
            "FileMaliciousContent": null
        }, 
        {
            "Username": "root", 
            "FileSha256": null, 
            "ThreatName": "eicar.com", 
            "Description": "static-check-on-write", 
            "Classification": "Malware", 
            "FilePath": "/Users/yardensade/Downloads/eicar.com", 
            "InQuarantine": null, 
            "Rank": 7, 
            "ID": "513526832755426837", 
            "MarkedAsBenign": false, 
            "FileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", 
            "SiteID": "475482421366727779", 
            "CreatedDate": "2018-12-10T12:46:08.771000Z", 
            "AgentOsType": "macos", 
            "AgentID": "513505756159722818", 
            "AgentComputerName": "Yardens-MacBook-Pro", 
            "FileDisplayName": "eicar.com", 
            "MitigationStatus": "mitigated", 
            "FileMaliciousContent": null
        }, 
        {
            "Username": "root", 
            "FileSha256": null, 
            "ThreatName": "totally_not_a_virus.txt", 
            "Description": "static-check-on-write", 
            "Classification": "Malware", 
            "FilePath": "/Users/yardensade/Downloads/totally_not_a_virus.txt", 
            "InQuarantine": null, 
            "Rank": 7, 
            "ID": "513529274335282723", 
            "MarkedAsBenign": false, 
            "FileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", 
            "SiteID": "475482421366727779", 
            "CreatedDate": "2018-12-10T12:50:59.855000Z", 
            "AgentOsType": "macos", 
            "AgentID": "513505756159722818", 
            "AgentComputerName": "Yardens-MacBook-Pro", 
            "FileDisplayName": "totally_not_a_virus.txt", 
            "MitigationStatus": "mitigated", 
            "FileMaliciousContent": null
        }, 
        {
            "Username": "root", 
            "FileSha256": null, 
            "ThreatName": "eicar.com (1).txt", 
            "Description": "scanner", 
            "Classification": "Malware", 
            "FilePath": "/Users/yardensade/Downloads/eicar.com (1).txt", 
            "InQuarantine": null, 
            "Rank": 7, 
            "ID": "523732151490265554", 
            "MarkedAsBenign": false, 
            "FileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", 
            "SiteID": "475482421366727779", 
            "CreatedDate": "2018-12-24T14:42:17.533000Z", 
            "AgentOsType": "macos", 
            "AgentID": "513505756159722818", 
            "AgentComputerName": "Yardens-MacBook-Pro", 
            "FileDisplayName": "eicar.com (1).txt", 
            "MitigationStatus": "mitigated", 
            "FileMaliciousContent": null
        }, 
        {
            "Username": "root", 
            "FileSha256": null, 
            "ThreatName": "eicar.com (4).txt", 
            "Description": "scanner", 
            "Classification": "Malware", 
            "FilePath": "/Users/yardensade/Downloads/eicar.com (4).txt", 
            "InQuarantine": null, 
            "Rank": 7, 
            "ID": "523732178744852953", 
            "MarkedAsBenign": false, 
            "FileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", 
            "SiteID": "475482421366727779", 
            "CreatedDate": "2018-12-24T14:42:20.792000Z", 
            "AgentOsType": "macos", 
            "AgentID": "513505756159722818", 
            "AgentComputerName": "Yardens-MacBook-Pro", 
            "FileDisplayName": "eicar.com (4).txt", 
            "MitigationStatus": "mitigated", 
            "FileMaliciousContent": null
        }, 
        {
            "Username": "root", 
            "FileSha256": null, 
            "ThreatName": "eicar.com (3).txt", 
            "Description": "scanner", 
            "Classification": "Malware", 
            "FilePath": "/Users/yardensade/Downloads/eicar.com (3).txt", 
            "InQuarantine": null, 
            "Rank": 7, 
            "ID": "523732180305134048", 
            "MarkedAsBenign": false, 
            "FileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", 
            "SiteID": "475482421366727779", 
            "CreatedDate": "2018-12-24T14:42:20.972000Z", 
            "AgentOsType": "macos", 
            "AgentID": "513505756159722818", 
            "AgentComputerName": "Yardens-MacBook-Pro", 
            "FileDisplayName": "eicar.com (3).txt", 
            "MitigationStatus": "mitigated", 
            "FileMaliciousContent": null
        }, 
        {
            "Username": "root", 
            "FileSha256": null, 
            "ThreatName": "eicar.com (2).txt", 
            "Description": "scanner", 
            "Classification": "Malware", 
            "FilePath": "/Users/yardensade/Downloads/eicar.com (2).txt", 
            "InQuarantine": null, 
            "Rank": 7, 
            "ID": "523732207828156907", 
            "MarkedAsBenign": false, 
            "FileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", 
            "SiteID": "475482421366727779", 
            "CreatedDate": "2018-12-24T14:42:24.275000Z", 
            "AgentOsType": "macos", 
            "AgentID": "513505756159722818", 
            "AgentComputerName": "Yardens-MacBook-Pro", 
            "FileDisplayName": "eicar.com (2).txt", 
            "MitigationStatus": "mitigated", 
            "FileMaliciousContent": null
        }, 
        {
            "Username": "", 
            "FileSha256": null, 
            "ThreatName": "Fusion.dll", 
            "Description": "malware detected - not mitigated yet (static engine)", 
            "Classification": "PUA", 
            "FilePath": "\\Device\\HarddiskVolume3\\Users\\Mayag\\AppData\\Local\\Temp\\nsi483E.tmp\\Fusion.dll", 
            "InQuarantine": null, 
            "Rank": 6, 
            "ID": "579478682051177175", 
            "MarkedAsBenign": null, 
            "FileContentHash": "42361f19d4b3db3a3af96b3e7dba7bce8a5df265", 
            "SiteID": "475482421366727779", 
            "CreatedDate": "2019-03-11T12:40:42.717000Z", 
            "AgentOsType": "windows", 
            "AgentID": "523685228116918098", 
            "AgentComputerName": "LAPTOP-MAYA", 
            "FileDisplayName": "Fusion.dll", 
            "MitigationStatus": "mitigated", 
            "FileMaliciousContent": null
        }, 
        {
            "Username": "", 
            "FileSha256": null, 
            "ThreatName": "BAFABC52CDF342A08CC06EFFE79F3D11.MAL", 
            "Description": "malware detected - not mitigated yet (static engine)", 
            "Classification": "PUA", 
            "FilePath": "\\Device\\HarddiskVolume3\\ProgramData\\Sentinel\\Quarantine\\BAFABC52CDF342A08CC06EFFE79F3D11.MAL", 
            "InQuarantine": null, 
            "Rank": 6, 
            "ID": "580921365667955680", 
            "MarkedAsBenign": null, 
            "FileContentHash": "42361f19d4b3db3a3af96b3e7dba7bce8a5df265", 
            "SiteID": "475482421366727779", 
            "CreatedDate": "2019-03-13T12:26:28.919000Z", 
            "AgentOsType": "windows", 
            "AgentID": "523685228116918098", 
            "AgentComputerName": "LAPTOP-MAYA", 
            "FileDisplayName": "BAFABC52CDF342A08CC06EFFE79F3D11.MAL", 
            "MitigationStatus": "mitigated", 
            "FileMaliciousContent": null
        }, 
        {
            "Username": "", 
            "FileSha256": null, 
            "ThreatName": "f_004dba", 
            "Description": "malware detected - not mitigated yet (static engine)", 
            "Classification": "PUA", 
            "FilePath": "\\Device\\HarddiskVolume3\\Users\\Mayag\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\f_004dba", 
            "InQuarantine": null, 
            "Rank": 6, 
            "ID": "582523025838244347", 
            "MarkedAsBenign": null, 
            "FileContentHash": "3aacf35d3ff2e15288851e8afe8026576f7110eb", 
            "SiteID": "475482421366727779", 
            "CreatedDate": "2019-03-15T17:29:17.973000Z", 
            "AgentOsType": "windows", 
            "AgentID": "523685228116918098", 
            "AgentComputerName": "LAPTOP-MAYA", 
            "FileDisplayName": "f_004dba", 
            "MitigationStatus": "mitigated", 
            "FileMaliciousContent": null
        }, 
        {
            "Username": "root", 
            "FileSha256": null, 
            "ThreatName": "eicar.com.txt", 
            "Description": "static-check-on-write", 
            "Classification": "Malware", 
            "FilePath": "/Users/yardensade/.Trash/eicar.com.txt", 
            "InQuarantine": null, 
            "Rank": 7, 
            "ID": "593894834529633491", 
            "MarkedAsBenign": false, 
            "FileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", 
            "SiteID": "475482421366727779", 
            "CreatedDate": "2019-03-31T10:03:01.109000Z", 
            "AgentOsType": "macos", 
            "AgentID": "513505756159722818", 
            "AgentComputerName": "Yardens-MacBook-Pro", 
            "FileDisplayName": "eicar.com.txt", 
            "MitigationStatus": "mitigated", 
            "FileMaliciousContent": null
        }
    ]
}
Human Readable Output

Sentinel One - Getting Threat List

Provides summary information and details for all the threats that matched your search criteria.

| Agent Computer Name | Agent ID | Classification | Created Date | File Content Hash | ID | Marked As Benign | Mitigation Status | Rank | Site ID | Site Name |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Yardens-MacBook-Pro | 513505756159722818 | Malware | 2018-12-10T12:45:19.325000Z | 3395856ce81f2b7382dee72602f798b642f14140 | 513526418089756174 | false | mitigated | 7 | 475482421366727779 | demisto |
| Yardens-MacBook-Pro | 513505756159722818 | Malware | 2018-12-10T12:46:08.771000Z | 3395856ce81f2b7382dee72602f798b642f14140 | 513526832755426837 | false | mitigated | 7 | 475482421366727779 | demisto |
| Yardens-MacBook-Pro | 513505756159722818 | Malware | 2018-12-10T12:50:59.855000Z | 3395856ce81f2b7382dee72602f798b642f14140 | 513529274335282723 | false | mitigated | 7 | 475482421366727779 | demisto |
| Yardens-MacBook-Pro | 513505756159722818 | Malware | 2018-12-24T14:42:17.533000Z | 3395856ce81f2b7382dee72602f798b642f14140 | 523732151490265554 | false | mitigated | 7 | 475482421366727779 | demisto |
| Yardens-MacBook-Pro | 513505756159722818 | Malware | 2018-12-24T14:42:20.792000Z | 3395856ce81f2b7382dee72602f798b642f14140 | 523732178744852953 | false | mitigated | 7 | 475482421366727779 | demisto |
| Yardens-MacBook-Pro | 513505756159722818 | Malware | 2018-12-24T14:42:20.972000Z | 3395856ce81f2b7382dee72602f798b642f14140 | 523732180305134048 | false | mitigated | 7 | 475482421366727779 | demisto |
| Yardens-MacBook-Pro | 513505756159722818 | Malware | 2018-12-24T14:42:24.275000Z | 3395856ce81f2b7382dee72602f798b642f14140 | 523732207828156907 | false | mitigated | 7 | 475482421366727779 | demisto |
| LAPTOP-MAYA | 523685228116918098 | PUA | 2019-03-11T12:40:42.717000Z | 42361f19d4b3db3a3af96b3e7dba7bce8a5df265 | 579478682051177175 | | mitigated | 6 | 475482421366727779 | demisto |
| LAPTOP-MAYA | 523685228116918098 | PUA | 2019-03-13T12:26:28.919000Z | 42361f19d4b3db3a3af96b3e7dba7bce8a5df265 | 580921365667955680 | | mitigated | 6 | 475482421366727779 | demisto |
| LAPTOP-MAYA | 523685228116918098 | PUA | 2019-03-15T17:29:17.973000Z | 3aacf35d3ff2e15288851e8afe8026576f7110eb | 582523025838244347 | | mitigated | 6 | 475482421366727779 | demisto |
| Yardens-MacBook-Pro | 513505756159722818 | Malware | 2019-03-31T10:03:01.109000Z | 3395856ce81f2b7382dee72602f798b642f14140 | 593894834529633491 | false | mitigated | 7 | 475482421366727779 | demisto |
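The threat list is the usual input to the mitigate and resolve commands that follow. As an added example (not part of the integration's own code), the script below triages SentinelOne.Threat entries the way a playbook step would: it leaves already-mitigated threats alone, never auto-mitigates anything an analyst marked benign, separates unhandled threats whose Rank meets a threshold (the same idea as the instance's "Minimum risk score" setting) from those that need a human look, builds the CSV threat_ids value that sentinelone-mitigate-threat and sentinelone-resolve-threat expect, and reports hashes seen on more than one agent. It assumes only the documented context fields; statuses other than "mitigated", the two 9000… IDs and the deadbeef… hash are constructed sample values, the other IDs and hashes come from the context example above.

```python
"""Triage of SentinelOne.Threat context from !sentinelone-get-threats
(added example; assumes only the context fields documented above)."""
from typing import Any, Dict, List

# Statuses from the mitigation_status argument that mean "nobody has acted yet".
UNHANDLED_STATUSES = {"active", "suspicious", "pending"}

# Constructed sample in the shape of the context example above. Entries with a
# status other than "mitigated", the 9000... IDs and the deadbeef... hash are
# made up to exercise each branch; everything else is the page's own data.
SAMPLE_THREATS: List[Dict[str, Any]] = [
    {"ID": "513526418089756174", "AgentID": "513505756159722818", "Rank": 7,
     "Classification": "Malware", "MitigationStatus": "mitigated",
     "MarkedAsBenign": False,
     "FileContentHash": "3395856ce81f2b7382dee72602f798b642f14140"},
    {"ID": "579478682051177175", "AgentID": "523685228116918098", "Rank": 6,
     "Classification": "PUA", "MitigationStatus": "active",  # constructed status
     "MarkedAsBenign": None,
     "FileContentHash": "42361f19d4b3db3a3af96b3e7dba7bce8a5df265"},
    {"ID": "582523025838244347", "AgentID": "523685228116918098", "Rank": "3",
     "Classification": "PUA", "MitigationStatus": "suspicious",  # constructed
     "MarkedAsBenign": None,
     "FileContentHash": "3aacf35d3ff2e15288851e8afe8026576f7110eb"},
    {"ID": "900000000000000001", "AgentID": "513505756159722818", "Rank": 8,
     "Classification": "Malware", "MitigationStatus": "active",  # constructed
     "MarkedAsBenign": True,
     "FileContentHash": "deadbeef00000000000000000000000000000001"},
    {"ID": "900000000000000002", "AgentID": "523685228116918098", "Rank": 7,
     "Classification": "Malware", "MitigationStatus": "pending",  # constructed
     "MarkedAsBenign": False,
     "FileContentHash": "3395856ce81f2b7382dee72602f798b642f14140"},
]


def rank_of(threat: Dict[str, Any]) -> int:
    """Rank is documented as a number, but the hash example shows it as the string "6"."""
    try:
        return int(threat.get("Rank") or 0)
    except (TypeError, ValueError):
        return 0


def triage(threats: List[Dict[str, Any]], min_rank: int = 6) -> Dict[str, List[str]]:
    """Split unhandled threats into mitigate / review / benign buckets of threat IDs."""
    result: Dict[str, List[str]] = {"mitigate": [], "review": [], "benign": []}
    for threat in threats:
        if threat.get("MitigationStatus") not in UNHANDLED_STATUSES:
            continue  # already mitigated, blocked or resolved: nothing to do
        if threat.get("MarkedAsBenign") is True:
            result["benign"].append(threat["ID"])  # analyst decision wins
        elif rank_of(threat) >= min_rank:
            result["mitigate"].append(threat["ID"])
        else:
            result["review"].append(threat["ID"])
    return result


def hashes_on_multiple_agents(threats: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """FileContentHash -> sorted AgentIDs, for hashes that appeared on more than one agent."""
    seen: Dict[str, set] = {}
    for threat in threats:
        content_hash = threat.get("FileContentHash")
        if content_hash:
            seen.setdefault(content_hash, set()).add(threat.get("AgentID", ""))
    return {h: sorted(agents) for h, agents in seen.items() if len(agents) > 1}


def to_csv_arg(threat_ids: List[str]) -> str:
    """Format IDs as the CSV value the threat_ids argument expects."""
    return ",".join(threat_ids)


if __name__ == "__main__":
    buckets = triage(SAMPLE_THREATS, min_rank=6)
    print("threat_ids for sentinelone-mitigate-threat:", to_csv_arg(buckets["mitigate"]))
    print("needs analyst review:", to_csv_arg(buckets["review"]))
    print("marked benign, skipped:", to_csv_arg(buckets["benign"]))
    print("hashes on more than one agent:", hashes_on_multiple_agents(SAMPLE_THREATS))
```

In a playbook the "mitigate" CSV goes to sentinelone-mitigate-threat with the chosen action, while the "review" bucket is better routed to an analyst task than mitigated automatically.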

6. Get a threat summary


Gets a threat summary.

Base Command

sentinelone-threat-summary

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| group_ids | CSV list of group IDs by which to filter, for example: “225494730938493804,225494730938493915”. | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Threat.Active | Number | Number of active threats in the system. |
| SentinelOne.Threat.Total | Number | Total number of threats in the system. |
| SentinelOne.Threat.Mitigated | Number | Number of mitigated threats in the system. |
| SentinelOne.Threat.Suspicious | Number | Number of suspicious threats in the system. |
| SentinelOne.Threat.Blocked | Number | Number of blocked threats in the system. |

Command Example
!sentinelone-threat-summary
Context Example
{
    "SentinelOne.Threat": {
        "Active": 0, 
        "Suspicious": 0, 
        "Mitigated": 11, 
        "Total": 11, 
        "Blocked": 0
    }
}
Human Readable Output

Sentinel One - Dashboard Threat Summary

| Active | Blocked | Mitigated | Suspicious | Total |
| --- | --- | --- | --- | --- |
| 0 | 0 | 11 | 0 | 11 |

7. Mark suspicious threats


Marks suspicious threats as a threat.

Base Command

sentinelone-mark-as-threat

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| threat_ids | CSV list of threat IDs. | Optional |
| target_scope | Scope to use for exclusions. Can be “site” or “tenant”. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Threat.ID | String | The threat ID. |
| SentinelOne.Threat.MarkedAsThreat | Boolean | Whether the suspicious threat was successfully marked as a threat. |

Command Example
!sentinelone-mark-as-threat target_scope=site threat_ids=509259775582960700
Human Readable Output

Sentinel One - Marking suspicious threats as threats

Total of 1 provided threats were marked successfully

| ID | Marked As Threat |
| --- | --- |
| 509259775582960700 | true |

8. Mitigate threats


Applies a mitigation action to a group of threats.

Base Command

sentinelone-mitigate-threat

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| action | Mitigation action. Can be “kill”, “quarantine”, “un-quarantine”, “remediate”, or “rollback-remediation”. | Required |
| threat_ids | CSV list of threat IDs. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Threat.ID | String | The threat ID. |
| SentinelOne.Threat.Mitigated | Boolean | Whether the threat was successfully mitigated. |
| SentinelOne.Threat.Mitigation.Action | String | The mitigation action that was applied, for example: “quarantine”. |

Command Example
!sentinelone-mitigate-threat action=quarantine threat_ids=509259775582960700
Context Example
{
    "SentinelOne.Threat": [
        {
            "Mitigated": true, 
            "Mitigation": {
                "Action": "quarantine"
            }, 
            "ID": "509259775582960700"
        }
    ]
}
Human Readable Output

Sentinel One - Mitigating threats

Total of 1 provided threats were mitigated successfully

| ID | Mitigation Action | Mitigated |
| --- | --- | --- |
| 509259775582960700 | quarantine | true |

9. Resolve threats


Resolves threats using the threat ID.

Base Command

sentinelone-resolve-threat

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| threat_ids | CSV list of threat IDs. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| SentinelOne.Threat.ID | String | The threat ID. |
| SentinelOne.Threat.Resolved | Boolean | Whether the threat was successfully resolved. |

Command Example
!sentinelone-resolve-threat threat_ids=509259775582960700
Context Example
{
    "SentinelOne.Threat": [
        {
            "Resolved": false, 
            "ID": "509259775582960700"
        }
    ]
}
Human Readable Output

Sentinel One - Resolving threats

No threats were resolved

| ID | Resolved |
| --- | --- |
| 509259775582960700 | false |

10. Get agent details


Gets details of an agent by agent ID.

Base Command

sentinelone-get-agent

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | The agent ID. | Required |

Context Output
Path Type Description
SentinelOne.Agent.NetworkStatus string The agent network status.
SentinelOne.Agent.ID string The agent ID.
SentinelOne.Agent.AgentVersion string The agent software version.
SentinelOne.Agent.IsDecomissioned boolean Whether the agent is decommissioned.
SentinelOne.Agent.IsActive boolean Whether the agent is active.
SentinelOne.Agent.LastActiveDate date The last active date of the agent.
SentinelOne.Agent.RegisteredAt date The registration date of the agent.
SentinelOne.Agent.ExternalIP string The external IP address from which the agent connects.
SentinelOne.Agent.ThreatCount number Number of active threats.
SentinelOne.Agent.EncryptedApplications boolean Whether disk encryption is enabled.
SentinelOne.Agent.OSName string Name of the operating system.
SentinelOne.Agent.ComputerName string Name of the agent computer.
SentinelOne.Agent.Domain string Domain name of the agent.
SentinelOne.Agent.CreatedAt date Agent creation time.
SentinelOne.Agent.SiteName string Site name associated with the agent.

Command Example
!sentinelone-get-agent agent_id=661361473466353783
Context Example
{
    "SentinelOne.Agent": [
        {
            "ExternalIP": "99.80.149.227", 
            "Domain": "WORKGROUP", 
            "LastActiveDate": "2019-07-15T22:01:30.896402Z", 
            "NetworkStatus": "connecting", 
            "EncryptedApplications": false, 
            "ThreatCount": 0, 
            "ComputerName": "EC2AMAZ-S5C73AI", 
            "IsActive": false, 
            "OSName": "Windows Server 2016", 
            "SiteName": "demisto", 
            "AgentVersion": "3.2.4.54", 
            "IsDecomissioned": true, 
            "RegisteredAt": "2019-07-02T12:07:11.384037Z", 
            "ID": "661361473466353783", 
            "CreatedAt": "2019-07-02T12:07:11.388038Z"
        }
    ]
}
Human Readable Output

Sentinel One - Get Agent Details

Provides details for the following agent ID: 661361473466353783

Agent Version Computer Name Created At Domain Encrypted Applications External IP ID Is Active Is Decommissioned Last Active Date Network Status OS Name Registered At Site Name Threat Count
3.2.4.54 EC2AMAZ-S5C73AI 2019-07-02T12:07:11.388038Z WORKGROUP false 99.80.149.227 661361473466353783 false true 2019-07-15T22:01:30.896402Z connecting Windows Server 2016 2019-07-02T12:07:11.384037Z demisto 0

11. Get a list of sites


Gets a list of all sites.

Base Command

sentinelone-get-sites

Input
Argument Name Description Required
updated_at Timestamp of last update, for example: “2018-02-27T04:49:26.257525Z”. Optional
query Full-text search for fields: name, account_name. Optional
site_type Site type. Can be “Trial”, “Paid”, “POC”, “DEV”, or “NFR”. Optional
features Returns sites that support the specified features. Can be “firewall-control”, “device-control”, or “ioc”. Optional
state Site state. Can be “active”, “deleted”, or “expired”. Optional
suite The suite of product features active for this site. Can be “Core” or “Complete”. Optional
admin_only Sites to which the user has Admin privileges. Optional
account_id Account ID, for example: “225494730938493804”. Optional
site_name Site name, for example: “My Site”. Optional
created_at Timestamp of site creation, for example: “2018-02-27T04:49:26.257525Z”. Optional
limit Maximum number of results to return. Optional

Context Output
Path Type Description
SentinelOne.Site.Creator string The creator name.
SentinelOne.Site.Name string The site name.
SentinelOne.Site.Type string The site type.
SentinelOne.Site.AccountName string The account name.
SentinelOne.Site.State string The site state.
SentinelOne.Site.HealthStatus boolean The health status of the site.
SentinelOne.Site.Suite string The suite to which the site belongs.
SentinelOne.Site.ActiveLicenses number Number of active licenses on the site.
SentinelOne.Site.ID string ID of the site.
SentinelOne.Site.TotalLicenses number Number of total licenses on the site.
SentinelOne.Site.CreatedAt date Timestamp when the site was created.
SentinelOne.Site.Expiration string Timestamp when the site will expire.
SentinelOne.Site.UnlimitedLicenses boolean Whether the site has unlimited licenses.

Command Example
!sentinelone-get-sites
Context Example
{
    "SentinelOne.Site": [
        {
            "UnlimitedLicenses": true, 
            "Name": "demisto", 
            "Creator": "John Roe", 
            "AccountName": "SentinelOne", 
            "State": "active", 
            "HealthStatus": true, 
            "Expiration": null, 
            "ActiveLicenses": 5, 
            "Suite": "Complete", 
            "TotalLicenses": 0, 
            "Type": "Paid", 
            "ID": "475482421366727779", 
            "CreatedAt": "2018-10-19T00:58:41.644879Z"
        }
    ]
}
Human Readable Output

Sentinel One - Getting List of Sites

Provides summary information and details for all sites that matched your search criteria.

Account Name Active Licenses Created At Creator Health Status ID Name State Suite Total Licenses Type Unlimited Licenses
SentinelOne 5 2018-10-19T00:58:41.644879Z John Roe true 475482421366727779 demisto active Complete 0 Paid true

12. Get a site list


Gets the details of a single site by site ID.

Base Command

sentinelone-get-site

Input
Argument Name Description Required
site_id ID of the site. Required

Context Output
Path Type Description
SentinelOne.Site.Creator string The creator name.
SentinelOne.Site.Name string The site name.
SentinelOne.Site.Type string The site type.
SentinelOne.Site.AccountName string The account name.
SentinelOne.Site.State string The site state.
SentinelOne.Site.HealthStatus boolean The health status of the site.
SentinelOne.Site.Suite string The suite to which the site belongs.
SentinelOne.Site.ActiveLicenses number Number of active licenses on the site.
SentinelOne.Site.ID string ID of the site.
SentinelOne.Site.TotalLicenses number Number of total licenses on the site.
SentinelOne.Site.CreatedAt date Timestamp when the site was created.
SentinelOne.Site.Expiration string Timestamp when the site will expire.
SentinelOne.Site.UnlimitedLicenses boolean Whether the site has unlimited licenses.
SentinelOne.Site.AccountID string Account ID.
SentinelOne.Site.IsDefault boolean Whether the site is the default site.

Command Example
!sentinelone-get-site site_id=475482421366727779
Context Example
{
    "SentinelOne.Site": [
        {
            "IsDefault": false, 
            "UnlimitedLicenses": true, 
            "Name": "demisto", 
            "Creator": "John Roe", 
            "AccountName": "SentinelOne", 
            "State": "active", 
            "HealthStatus": true, 
            "Expiration": null, 
            "ActiveLicenses": 5, 
            "Suite": "Complete", 
            "TotalLicenses": 0, 
            "Type": "Paid", 
            "ID": "475482421366727779", 
            "CreatedAt": "2018-10-19T00:58:41.644879Z", 
            "AccountID": "433241117337583618"
        }
    ]
}
Human Readable Output

Sentinel One - Summary About Site: 475482421366727779

Provides summary information and details for the specified site ID.

Account Name AccountID Active Licenses Created At Creator Health Status ID IsDefault Name State Suite Total Licenses Type Unlimited Licenses
SentinelOne 433241117337583618 5 2018-10-19T00:58:41.644879Z John Roe true 475482421366727779 false demisto active Complete 0 Paid true

13. Reactivate a site


Reactivates an expired site.

Base Command

sentinelone-reactivate-site

Input
Argument Name Description Required
site_id Site ID. Example: “225494730938493804”. Required

Context Output
Path Type Description
SentinelOne.Site.ID string Site ID.
SentinelOne.Site.Reactivated boolean Whether the site was reactivated.

Command Example
!sentinelone-reactivate-site site_id=475482421366727779
Human Readable Output

Sentinel One - Reactivated Site: 475482421366727779

Site has been reactivated successfully

ID Reactivated
475482421366727779 success

14. Get a list of activities


Gets a list of activities from the SentinelOne activity log: management-console logins and logouts, user, group and site changes, agent events, threat detections and mitigations. Use the time, agent, threat and activity-type filters below to narrow the result; without filters the call returns the oldest activities first, as in the example.

Base Command

sentinelone-get-activities

Input
Argument Name Description Required
created_after Return activities created after this timestamp, for example: “2018-02-27T04:49:26.257525Z”. Optional
user_emails Email address of the user who invoked the activity (if applicable). Optional
group_ids List of Group IDs by which to filter, for example: “225494730938493804,225494730938493915”. Optional
created_until Return activities created on or before this timestamp, for example: “2018-02-27T04:49:26.257525Z”. Optional
include_hidden Include internal activities hidden from display, for example: “False”. Optional
activities_ids CSV list of activity IDs by which to filter, for example: “225494730938493804,225494730938493915”. Optional
created_before Return activities created before this timestamp, for example: “2018-02-27T04:49:26.257525Z”. Optional
threats_ids CSV list of threat IDs for which to return activities, for example: “225494730938493804,225494730938493915”. Optional
activity_types CSV of activity codes to return, for example: “52,53,71,72”. Optional
user_ids CSV list of user IDs for users that invoked the activity (if applicable), for example: “225494730938493804,225494730938493915”. Optional
created_from Return activities created on or after this timestamp, for example: “2018-02-27T04:49:26.257525Z”. Optional
created_between Return activities created within this range (inclusive), for example: “1514978764288-1514978999999”. Optional
agent_ids Return activities related to specified agents. Example: “225494730938493804,225494730938493915”. Optional
limit Maximum number of items to return (1-100). Optional

Context Output
Path Type Description
SentinelOne.Activity.AgentID String Related agent (if applicable).
SentinelOne.Activity.AgentUpdatedVersion String Agent’s new version (if applicable).
SentinelOne.Activity.SiteID String Related site (if applicable).
SentinelOne.Activity.UserID String The user who invoked the activity (if applicable).
SentinelOne.Activity.SecondaryDescription String Secondary description.
SentinelOne.Activity.OsFamily String Agent’s OS type (if applicable). Can be “linux”, “macos”, “windows”, or “windows_legacy”.
SentinelOne.Activity.ActivityType Number Activity type.
SentinelOne.Activity.Data Unknown Activity-specific payload. Its keys depend on the activity type (in the example below: siteId, siteName and username for a site-creation activity; byUser, username and role for a user-added activity; computerName, filePath and fileContentHash for a threat activity).
SentinelOne.Activity.Data.siteId Number The site ID of a site-creation activity. Note that in the example below this value is a JSON number and has already lost precision (…727800 versus the string SiteID …727779); use SentinelOne.Activity.SiteID for lookups.
SentinelOne.Activity.Data.siteName String The site name of a site-creation activity.
SentinelOne.Activity.Data.username String The user the activity refers to (for example, the creator for a site-creation activity, or the user that was added for a user-added activity).
SentinelOne.Activity.Hash String Threat file hash (if applicable).
SentinelOne.Activity.UpdatedAt Date Activity last updated time (UTC).
SentinelOne.Activity.Comments String Comments for the activity.
SentinelOne.Activity.ThreatID String Related threat (if applicable).
SentinelOne.Activity.PrimaryDescription String Primary description for the activity.
SentinelOne.Activity.GroupID String Related group (if applicable).
SentinelOne.Activity.ID String Activity ID.
SentinelOne.Activity.CreatedAt Date Activity creation time (UTC).
SentinelOne.Activity.Description String Extra activity information.
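The following is an added example, not code from the SentinelOne v2 integration. It shows how to build the filter arguments in the formats the Input table documents (ISO 8601 timestamps with a trailing Z, CSV lists, and the epoch-millisecond range form of created_between) and then runs three checks a responder would want over the SentinelOne.Activity context shape above: threats that were detected but never quarantined, admin-role grants, and the Data.siteId precision problem visible in the Context Example. The activity-type codes are the ones that appear in that example; the sample records are trimmed copies of it plus one constructed record (ID 600000000000000001) that has no matching quarantine, and the query window is a hypothetical one chosen for the example.

```python
"""Helpers around sentinelone-get-activities (added example; not part of the
SentinelOne v2 integration). Runs offline on the documented context shape."""
from datetime import datetime, timezone

# Activity-type codes as they appear in the page's Context Example.
THREAT_DETECTED = 18       # "Threat detected, name: ..."
THREAT_QUARANTINED = 2004  # "The agent ... successfully quarantined the threat"
USER_ADDED = 23            # "The management user ... added user ... as admin."


def build_activity_args(start, end, activity_types=(), agent_ids=(),
                        limit=100, epoch_range=False):
    """Argument dict for !sentinelone-get-activities covering [start, end].
    Timestamps use the ISO 8601 'Z' form shown in the Input table; with
    epoch_range=True the window is sent as created_between in the
    epoch-millisecond form ("1514978764288-1514978999999") instead."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("use timezone-aware datetimes")
    if end <= start:
        raise ValueError("end must be after start")
    start, end = start.astimezone(timezone.utc), end.astimezone(timezone.utc)
    if epoch_range:
        args = {"created_between": f"{int(start.timestamp() * 1000)}-"
                                   f"{int(end.timestamp() * 1000)}"}
    else:
        fmt = "%Y-%m-%dT%H:%M:%S.%fZ"
        args = {"created_from": start.strftime(fmt),
                "created_until": end.strftime(fmt)}
    args["limit"] = str(max(1, min(int(limit), 100)))  # documented range 1-100
    if activity_types:
        args["activity_types"] = ",".join(str(t) for t in activity_types)
    if agent_ids:
        args["agent_ids"] = ",".join(agent_ids)
    return args


def unquarantined_threats(activities):
    """ThreatIDs with a 'threat detected' activity but no 'quarantined' one."""
    detected, quarantined = set(), set()
    for a in activities:
        tid = a.get("ThreatID")
        if not tid:
            continue
        if a["ActivityType"] == THREAT_DETECTED:
            detected.add(tid)
        elif a["ActivityType"] == THREAT_QUARANTINED:
            quarantined.add(tid)
    return sorted(detected - quarantined)


def admin_grants(activities):
    """(grantor, grantee, CreatedAt) for every admin-role grant in the log."""
    out = []
    for a in activities:
        d = a.get("Data") or {}
        if a["ActivityType"] == USER_ADDED and d.get("role") == "admin":
            out.append((d.get("byUser"), d.get("username"), a["CreatedAt"]))
    return out


def site_id_mismatches(activities):
    """Activity IDs whose numeric Data.siteId disagrees with the string SiteID.
    18-digit IDs exceed 2**53, so a JSON number cannot carry them exactly."""
    return [a["ID"] for a in activities
            if "siteId" in (a.get("Data") or {})
            and str(a["Data"]["siteId"]) != a["SiteID"]]


# Hypothetical query window: the UTC day of the eicar detection in the example.
EXAMPLE_WINDOW = (datetime(2018, 12, 4, tzinfo=timezone.utc),
                  datetime(2018, 12, 5, tzinfo=timezone.utc))

SAMPLE_ACTIVITIES = [  # trimmed copies of the page's Context Example
    {"ID": "475482421492556909", "ActivityType": 5020, "ThreatID": None,
     "SiteID": "475482421366727779", "CreatedAt": "2018-10-19T00:58:41.660278Z",
     "Data": {"siteName": "demisto", "username": "John Roe",
              "siteId": 475482421366727800}},
    {"ID": "475482955955938476", "ActivityType": 23, "ThreatID": None,
     "SiteID": "475482421366727779", "CreatedAt": "2018-10-19T00:59:45.373584Z",
     "Data": {"byUser": "John Roe", "username": "Jane Doe", "role": "admin"}},
    {"ID": "509259775683623999", "ActivityType": 18, "ThreatID": "509259775582960700",
     "SiteID": "475482421366727779", "CreatedAt": "2018-12-04T15:28:16.055815Z",
     "Data": {"computerName": "Bills-MBP", "fileDisplayName": "eicar.com.txt"}},
    {"ID": "509259776623148097", "ActivityType": 2004, "ThreatID": "509259775582960700",
     "SiteID": "475482421366727779", "CreatedAt": "2018-12-04T15:28:16.168216Z",
     "Data": {"computerName": "Bills-MBP", "fileDisplayName": "eicar.com.txt"}},
    # Constructed record: a detection that no quarantine activity follows.
    {"ID": "600000000000000001", "ActivityType": 18, "ThreatID": "600000000000000000",
     "SiteID": "475482421366727779", "CreatedAt": "2018-12-05T10:00:00.000000Z",
     "Data": {"computerName": "Bills-MBP", "fileDisplayName": "sample.bin"}},
]

if __name__ == "__main__":
    print(build_activity_args(*EXAMPLE_WINDOW,
                              activity_types=(THREAT_DETECTED, THREAT_QUARANTINED)))
    print("unquarantined:", unquarantined_threats(SAMPLE_ACTIVITIES))
    print("admin grants:", admin_grants(SAMPLE_ACTIVITIES))
    print("siteId mismatches:", site_id_mismatches(SAMPLE_ACTIVITIES))
```

Pass the returned dict as the arguments of the command; the limit is clamped to the documented 1-100 range, so a larger window must be paged by moving created_from forward past the last CreatedAt returned.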

Command Example
!sentinelone-get-activities
Context Example
{
    "SentinelOne.Activity": [
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 5020, 
            "UserID": "433273625970238486", 
            "Comments": null, 
            "ID": "475482421492556909", 
            "PrimaryDescription": "The management user John Roe created demisto site.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-10-19T00:58:41.660287Z", 
            "AgentID": null, 
            "Data": {
                "siteName": "demisto", 
                "username": "John Roe", 
                "siteId": 475482421366727800
            }, 
            "GroupID": null, 
            "CreatedAt": "2018-10-19T00:58:41.660278Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": "John Roe", 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 23, 
            "UserID": "475482955872052394", 
            "Comments": null, 
            "ID": "475482955955938476", 
            "PrimaryDescription": "The management user John Roe added user Jane Doe as admin.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-10-19T00:59:45.373592Z", 
            "AgentID": null, 
            "Data": {
                "byUser": "John Roe", 
                "username": "Jane Doe", 
                "role": "admin"
            }, 
            "GroupID": null, 
            "CreatedAt": "2018-10-19T00:59:45.373584Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 27, 
            "UserID": "475482955872052394", 
            "Comments": null, 
            "ID": "475553388201878769", 
            "PrimaryDescription": "The management user Jane Doe logged into management console.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-10-19T03:19:41.551249Z", 
            "AgentID": null, 
            "Data": {
                "username": "Jane Doe", 
                "source": "mgmt", 
                "role": "admin"
            }, 
            "GroupID": null, 
            "CreatedAt": "2018-10-19T03:19:41.551236Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 27, 
            "UserID": "475482955872052394", 
            "Comments": null, 
            "ID": "476162850050648822", 
            "PrimaryDescription": "The management user Jane Doe logged into management console.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-10-19T23:30:35.062505Z", 
            "AgentID": null, 
            "Data": {
                "username": "Jane Doe", 
                "source": "mgmt", 
                "role": "admin"
            }, 
            "GroupID": null, 
            "CreatedAt": "2018-10-19T23:30:35.062484Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 27, 
            "UserID": "475482955872052394", 
            "Comments": null, 
            "ID": "476162850092591864", 
            "PrimaryDescription": "The management user Jane Doe logged into management console.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-10-19T23:30:35.068827Z", 
            "AgentID": null, 
            "Data": {
                "username": "Jane Doe", 
                "source": "mgmt", 
                "role": "admin"
            }, 
            "GroupID": null, 
            "CreatedAt": "2018-10-19T23:30:35.068812Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 27, 
            "UserID": "475482955872052394", 
            "Comments": null, 
            "ID": "478078612361294941", 
            "PrimaryDescription": "The management user Jane Doe logged into management console.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-10-22T14:56:51.726777Z", 
            "AgentID": null, 
            "Data": {
                "username": "Jane Doe", 
                "source": "mgmt", 
                "role": "admin"
            }, 
            "GroupID": null, 
            "CreatedAt": "2018-10-22T14:56:51.726762Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 27, 
            "UserID": "475482955872052394", 
            "Comments": null, 
            "ID": "478078815793427551", 
            "PrimaryDescription": "The management user Jane Doe logged into management console.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-10-22T14:57:15.978615Z", 
            "AgentID": null, 
            "Data": {
                "username": "Jane Doe", 
                "source": "mgmt", 
                "role": "admin"
            }, 
            "GroupID": null, 
            "CreatedAt": "2018-10-22T14:57:15.978605Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 27, 
            "UserID": "475482955872052394", 
            "Comments": null, 
            "ID": "499090543532554580", 
            "PrimaryDescription": "The management user Jane Doe logged into management console.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-11-20T14:43:49.115665Z", 
            "AgentID": null, 
            "Data": {
                "username": "Jane Doe", 
                "source": "mgmt", 
                "role": "admin"
            }, 
            "GroupID": null, 
            "CreatedAt": "2018-11-20T14:43:49.115657Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 27, 
            "UserID": "475482955872052394", 
            "Comments": null, 
            "ID": "500911232606524037", 
            "PrimaryDescription": "The management user Jane Doe logged into management console.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-11-23T03:01:12.166753Z", 
            "AgentID": null, 
            "Data": {
                "username": "Jane Doe", 
                "source": "mgmt", 
                "role": "admin"
            }, 
            "GroupID": null, 
            "CreatedAt": "2018-11-23T03:01:12.166743Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 27, 
            "UserID": "475482955872052394", 
            "Comments": null, 
            "ID": "504856083882582151", 
            "PrimaryDescription": "The management user Jane Doe logged into management console.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-11-28T13:38:55.085497Z", 
            "AgentID": null, 
            "Data": {
                "username": "Jane Doe", 
                "source": "mgmt", 
                "role": "admin"
            }, 
            "GroupID": null, 
            "CreatedAt": "2018-11-28T13:38:55.085488Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": "", 
            "ActivityType": 17, 
            "UserID": null, 
            "Comments": null, 
            "ID": "507609080257599870", 
            "PrimaryDescription": "Bills-MBP subscribed and joined the group Default Group.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-02T08:48:37.826824Z", 
            "AgentID": "507609079972387179", 
            "Data": {
                "computerName": "Bills-MBP", 
                "group": "Default Group", 
                "optionalGroups": []
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-02T08:48:37.826816Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 71, 
            "UserID": null, 
            "Comments": null, 
            "ID": "507609080626698626", 
            "PrimaryDescription": "System initiated a full disk scan to the agent: Bills-MBP (98.234.105.153).", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-02T08:48:37.871144Z", 
            "AgentID": "507609079972387179", 
            "Data": {
                "externalIp": "98.234.105.153", 
                "computerName": "Bills-MBP", 
                "system": true, 
                "uuid": "9A532F6E-0F87-5F8E-B6AB-C0206599C568"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-02T08:48:37.871136Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 90, 
            "UserID": null, 
            "Comments": null, 
            "ID": "507609341168474555", 
            "PrimaryDescription": "Agent Bills-MBP started full disk scan at Sun, 02 Dec 2018, 08:49:08 UTC.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-02T08:49:08.929672Z", 
            "AgentID": "507609079972387179", 
            "Data": {
                "status": "started", 
                "computerName": "Bills-MBP", 
                "createdAt": "2018-12-02T08:49:08.908384Z"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-02T08:49:08.929660Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 92, 
            "UserID": null, 
            "Comments": null, 
            "ID": "508159023422660725", 
            "PrimaryDescription": "Agent Bills-MBP completed full disk scan at Mon, 03 Dec 2018, 03:01:16 UTC.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-03T03:01:16.160715Z", 
            "AgentID": "507609079972387179", 
            "Data": {
                "status": "finished", 
                "computerName": "Bills-MBP", 
                "createdAt": "2018-12-03T03:01:16.153462Z"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-03T03:01:16.160707Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": "509259775582960700", 
            "SecondaryDescription": "/Users/bill/.Trash/eicar.com.txt", 
            "ActivityType": 18, 
            "UserID": null, 
            "Comments": null, 
            "ID": "509259775683623999", 
            "PrimaryDescription": "Threat detected, name: eicar.com.txt.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-04T15:28:16.055823Z", 
            "AgentID": "507609079972387179", 
            "Data": {
                "username": null, 
                "computerName": "Bills-MBP", 
                "threatClassificationSource": "Engine", 
                "filePath": "/Users/bill/.Trash/eicar.com.txt", 
                "threatClassification": "OSX.Malware", 
                "fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", 
                "fileDisplayName": "eicar.com.txt"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-04T15:28:16.055815Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": "509259775582960700", 
            "SecondaryDescription": "/Users/bill/.Trash/eicar.com.txt", 
            "ActivityType": 2004, 
            "UserID": null, 
            "Comments": null, 
            "ID": "509259776623148097", 
            "PrimaryDescription": "The agent Bills-MBP successfully quarantined the threat: eicar.com.txt.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-04T15:28:16.168238Z", 
            "AgentID": "507609079972387179", 
            "Data": {
                "computerName": "Bills-MBP", 
                "threatClassificationSource": "Engine", 
                "filePath": "/Users/bill/.Trash/eicar.com.txt", 
                "threatClassification": "OSX.Malware", 
                "fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", 
                "fileDisplayName": "eicar.com.txt"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-04T15:28:16.168216Z"
        }, 
        {
            "OsFamily": "macos", 
            "AgentUpdatedVersion": null, 
            "Hash": "3395856ce81f2b7382dee72602f798b642f14140", 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": "3395856ce81f2b7382dee72602f798b642f14140", 
            "ActivityType": 3006, 
            "UserID": null, 
            "Comments": null, 
            "ID": "509259849436265543", 
            "PrimaryDescription": "Cloud has added macOS black hash.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-04T15:28:24.847663Z", 
            "AgentID": null, 
            "Data": {
                "fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", 
                "osFamily": "osx", 
                "description": null
            }, 
            "GroupID": null, 
            "CreatedAt": "2018-12-04T15:28:24.847654Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 27, 
            "UserID": "475482955872052394", 
            "Comments": null, 
            "ID": "510432832787879335", 
            "PrimaryDescription": "The management user Jane Doe logged into the management console.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-06T06:18:55.360302Z", 
            "AgentID": null, 
            "Data": {
                "username": "Jane Doe", 
                "source": "mgmt", 
                "role": "admin"
            }, 
            "GroupID": null, 
            "CreatedAt": "2018-12-06T06:18:55.360294Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 33, 
            "UserID": "475482955872052394", 
            "Comments": null, 
            "ID": "510434401356912041", 
            "PrimaryDescription": "The management user Jane Doe logged out of the management console.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-06T06:22:02.348128Z", 
            "AgentID": null, 
            "Data": {
                "username": "Jane Doe", 
                "role": "admin"
            }, 
            "GroupID": null, 
            "CreatedAt": "2018-12-06T06:22:02.348116Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 27, 
            "UserID": "475482955872052394", 
            "Comments": null, 
            "ID": "512980043203657099", 
            "PrimaryDescription": "The management user Jane Doe logged into the management console.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-09T18:39:46.504215Z", 
            "AgentID": null, 
            "Data": {
                "username": "Jane Doe", 
                "source": "mgmt", 
                "role": "admin"
            }, 
            "GroupID": null, 
            "CreatedAt": "2018-12-09T18:39:46.504206Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 27, 
            "UserID": "475482955872052394", 
            "Comments": null, 
            "ID": "513485626755302270", 
            "PrimaryDescription": "The management user Jane Doe logged into the management console.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T11:24:16.759935Z", 
            "AgentID": null, 
            "Data": {
                "username": "Jane Doe", 
                "source": "mgmt", 
                "role": "admin"
            }, 
            "GroupID": null, 
            "CreatedAt": "2018-12-10T11:24:16.759925Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": "Jane Doe", 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 23, 
            "UserID": "513488018280334208", 
            "Comments": null, 
            "ID": "513488018364220290", 
            "PrimaryDescription": "The management user Jane Doe added user Yarden Sade as admin.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T11:29:01.861735Z", 
            "AgentID": null, 
            "Data": {
                "byUser": "Jane Doe", 
                "username": "Yarden Sade", 
                "role": "admin"
            }, 
            "GroupID": null, 
            "CreatedAt": "2018-12-10T11:29:01.861727Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 33, 
            "UserID": "475482955872052394", 
            "Comments": null, 
            "ID": "513489064113259396", 
            "PrimaryDescription": "The management user Jane Doe logged out of the management console.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T11:31:06.525318Z", 
            "AgentID": null, 
            "Data": {
                "username": "Jane Doe", 
                "role": "admin"
            }, 
            "GroupID": null, 
            "CreatedAt": "2018-12-10T11:31:06.525307Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 27, 
            "UserID": "513488018280334208", 
            "Comments": null, 
            "ID": "513489107926958983", 
            "PrimaryDescription": "The management user Yarden Sade logged into the management console.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T11:31:11.748582Z", 
            "AgentID": null, 
            "Data": {
                "username": "Yarden Sade", 
                "source": "mgmt", 
                "role": "admin"
            }, 
            "GroupID": null, 
            "CreatedAt": "2018-12-10T11:31:11.748574Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 5008, 
            "UserID": "513488018280334208", 
            "Comments": null, 
            "ID": "513490499303424908", 
            "PrimaryDescription": "The management user Yarden Sade has created New group Test.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T11:33:57.612933Z", 
            "AgentID": null, 
            "Data": {
                "username": "Yarden Sade", 
                "groupName": "Test", 
                "groupId": "513490499236316042"
            }, 
            "GroupID": null, 
            "CreatedAt": "2018-12-10T11:33:57.612924Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 33, 
            "UserID": "513488018280334208", 
            "Comments": null, 
            "ID": "513504037921146173", 
            "PrimaryDescription": "The management user Yarden Sade logged out of the management console.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T12:00:51.541682Z", 
            "AgentID": null, 
            "Data": {
                "username": "Yarden Sade", 
                "role": "admin"
            }, 
            "GroupID": null, 
            "CreatedAt": "2018-12-10T12:00:51.541671Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 27, 
            "UserID": "475482955872052394", 
            "Comments": null, 
            "ID": "513504203889755456", 
            "PrimaryDescription": "The management user Jane Doe logged into the management console.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T12:01:11.326905Z", 
            "AgentID": null, 
            "Data": {
                "username": "Jane Doe", 
                "source": "mgmt", 
                "role": "admin"
            }, 
            "GroupID": null, 
            "CreatedAt": "2018-12-10T12:01:11.326896Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": "", 
            "ActivityType": 17, 
            "UserID": null, 
            "Comments": null, 
            "ID": "513505756310717775", 
            "PrimaryDescription": "164 subscribed and joined the group Default Group.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T12:04:16.390472Z", 
            "AgentID": "513505756159722818", 
            "Data": {
                "computerName": "164", 
                "group": "Default Group", 
                "optionalGroups": []
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-10T12:04:16.390462Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 71, 
            "UserID": null, 
            "Comments": null, 
            "ID": "513505756696593747", 
            "PrimaryDescription": "System initiated a full disk scan to the agent: 164 (94.188.164.68).", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T12:04:16.436092Z", 
            "AgentID": "513505756159722818", 
            "Data": {
                "externalIp": "94.188.164.68", 
                "computerName": "164", 
                "system": true, 
                "uuid": "46DBCBC2-216A-5732-A007-4348BB55B37F"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-10T12:04:16.436084Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 90, 
            "UserID": null, 
            "Comments": null, 
            "ID": "513506023588545884", 
            "PrimaryDescription": "Agent 164 started full disk scan at Mon, 10 Dec 2018, 12:04:48 UTC.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T12:04:48.252701Z", 
            "AgentID": "513505756159722818", 
            "Data": {
                "status": "started", 
                "computerName": "164", 
                "createdAt": "2018-12-10T12:04:48.248338Z"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-10T12:04:48.252693Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": "513516799695046076", 
            "SecondaryDescription": "/Users/yardensade/WebstormProjects/content/TestData/EICAR.exe", 
            "ActivityType": 18, 
            "UserID": null, 
            "Comments": null, 
            "ID": "513516799787320769", 
            "PrimaryDescription": "Threat detected, name: EICAR.exe.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T12:26:12.874792Z", 
            "AgentID": "513505756159722818", 
            "Data": {
                "username": null, 
                "computerName": "164", 
                "threatClassificationSource": null, 
                "filePath": "/Users/yardensade/WebstormProjects/content/TestData/EICAR.exe", 
                "threatClassification": null, 
                "fileContentHash": "cf8bd9dfddff007f75adf4c2be48005cea317c62", 
                "fileDisplayName": "EICAR.exe"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-10T12:26:12.874784Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": "513516799695046076", 
            "SecondaryDescription": "/Users/yardensade/WebstormProjects/content/TestData/EICAR.exe", 
            "ActivityType": 2004, 
            "UserID": null, 
            "Comments": null, 
            "ID": "513516801297270211", 
            "PrimaryDescription": "The agent 164 successfully quarantined the threat: EICAR.exe.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T12:26:13.054678Z", 
            "AgentID": "513505756159722818", 
            "Data": {
                "computerName": "164", 
                "threatClassificationSource": "Engine", 
                "filePath": "/Users/yardensade/WebstormProjects/content/TestData/EICAR.exe", 
                "threatClassification": "OSX.Malware", 
                "fileContentHash": "cf8bd9dfddff007f75adf4c2be48005cea317c62", 
                "fileDisplayName": "EICAR.exe"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-10T12:26:13.054666Z"
        }, 
        {
            "OsFamily": "macos", 
            "AgentUpdatedVersion": null, 
            "Hash": "cf8bd9dfddff007f75adf4c2be48005cea317c62", 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": "cf8bd9dfddff007f75adf4c2be48005cea317c62", 
            "ActivityType": 3006, 
            "UserID": null, 
            "Comments": null, 
            "ID": "513516852300006858", 
            "PrimaryDescription": "Cloud has added macOS black hash.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T12:26:19.135226Z", 
            "AgentID": null, 
            "Data": {
                "fileContentHash": "cf8bd9dfddff007f75adf4c2be48005cea317c62", 
                "osFamily": "osx", 
                "description": null
            }, 
            "GroupID": null, 
            "CreatedAt": "2018-12-10T12:26:19.135218Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": "513516952292214236", 
            "SecondaryDescription": "/Users/yardensade/dev/demisto/content/TestData/EICAR.exe", 
            "ActivityType": 18, 
            "UserID": null, 
            "Comments": null, 
            "ID": "513516952367711710", 
            "PrimaryDescription": "Threat detected, name: EICAR.exe.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T12:26:31.064576Z", 
            "AgentID": "513505756159722818", 
            "Data": {
                "username": null, 
                "computerName": "164", 
                "threatClassificationSource": "Cloud", 
                "filePath": "/Users/yardensade/dev/demisto/content/TestData/EICAR.exe", 
                "threatClassification": "Malware", 
                "fileContentHash": "cf8bd9dfddff007f75adf4c2be48005cea317c62", 
                "fileDisplayName": "EICAR.exe"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-10T12:26:31.064568Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": "513516952292214236", 
            "SecondaryDescription": "/Users/yardensade/dev/demisto/content/TestData/EICAR.exe", 
            "ActivityType": 2004, 
            "UserID": null, 
            "Comments": null, 
            "ID": "513516953818940898", 
            "PrimaryDescription": "The agent 164 successfully quarantined the threat: EICAR.exe.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T12:26:31.236777Z", 
            "AgentID": "513505756159722818", 
            "Data": {
                "computerName": "164", 
                "threatClassificationSource": "Cloud", 
                "filePath": "/Users/yardensade/dev/demisto/content/TestData/EICAR.exe", 
                "threatClassification": "Malware", 
                "fileContentHash": "cf8bd9dfddff007f75adf4c2be48005cea317c62", 
                "fileDisplayName": "EICAR.exe"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-10T12:26:31.236769Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": "513518844384691684", 
            "SecondaryDescription": "/Users/yardensade/Documents/GitHub/content/TestData/EICAR.exe", 
            "ActivityType": 18, 
            "UserID": null, 
            "Comments": null, 
            "ID": "513518844460189159", 
            "PrimaryDescription": "Threat detected, name: EICAR.exe.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T12:30:16.619432Z", 
            "AgentID": "513505756159722818", 
            "Data": {
                "username": null, 
                "computerName": "164", 
                "threatClassificationSource": "Cloud", 
                "filePath": "/Users/yardensade/Documents/GitHub/content/TestData/EICAR.exe", 
                "threatClassification": "Malware", 
                "fileContentHash": "cf8bd9dfddff007f75adf4c2be48005cea317c62", 
                "fileDisplayName": "EICAR.exe"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-10T12:30:16.619423Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": "513518844384691684", 
            "SecondaryDescription": "/Users/yardensade/Documents/GitHub/content/TestData/EICAR.exe", 
            "ActivityType": 2004, 
            "UserID": null, 
            "Comments": null, 
            "ID": "513518845877863914", 
            "PrimaryDescription": "The agent 164 successfully quarantined the threat: EICAR.exe.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T12:30:16.788068Z", 
            "AgentID": "513505756159722818", 
            "Data": {
                "computerName": "164", 
                "threatClassificationSource": "Cloud", 
                "filePath": "/Users/yardensade/Documents/GitHub/content/TestData/EICAR.exe", 
                "threatClassification": "Malware", 
                "fileContentHash": "cf8bd9dfddff007f75adf4c2be48005cea317c62", 
                "fileDisplayName": "EICAR.exe"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-10T12:30:16.788059Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 92, 
            "UserID": null, 
            "Comments": null, 
            "ID": "513519504073213420", 
            "PrimaryDescription": "Agent 164 completed full disk scan at Mon, 10 Dec 2018, 12:31:35 UTC.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T12:31:35.251329Z", 
            "AgentID": "513505756159722818", 
            "Data": {
                "status": "finished", 
                "computerName": "164", 
                "createdAt": "2018-12-10T12:31:35.248610Z"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-10T12:31:35.251320Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": "513526418089756174", 
            "SecondaryDescription": "/Users/yardensade/Downloads/eicar.com.txt", 
            "ActivityType": 18, 
            "UserID": null, 
            "Comments": null, 
            "ID": "513526418156865040", 
            "PrimaryDescription": "Threat detected, name: eicar.com.txt.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T12:45:19.474339Z", 
            "AgentID": "513505756159722818", 
            "Data": {
                "username": null, 
                "computerName": "164", 
                "threatClassificationSource": "Engine", 
                "filePath": "/Users/yardensade/Downloads/eicar.com.txt", 
                "threatClassification": "OSX.Malware", 
                "fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", 
                "fileDisplayName": "eicar.com.txt"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-10T12:45:19.474330Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": "513526418089756174", 
            "SecondaryDescription": "/Users/yardensade/Downloads/eicar.com.txt", 
            "ActivityType": 2004, 
            "UserID": null, 
            "Comments": null, 
            "ID": "513526419608094227", 
            "PrimaryDescription": "The agent 164 successfully quarantined the threat: eicar.com.txt.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T12:45:19.647320Z", 
            "AgentID": "513505756159722818", 
            "Data": {
                "computerName": "164", 
                "threatClassificationSource": "Engine", 
                "filePath": "/Users/yardensade/Downloads/eicar.com.txt", 
                "threatClassification": "OSX.Malware", 
                "fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", 
                "fileDisplayName": "eicar.com.txt"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-10T12:45:19.647311Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": "513526832755426837", 
            "SecondaryDescription": "/Users/yardensade/Downloads/eicar.com", 
            "ActivityType": 18, 
            "UserID": null, 
            "Comments": null, 
            "ID": "513526832864478743", 
            "PrimaryDescription": "Threat detected, name: eicar.com.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T12:46:08.910934Z", 
            "AgentID": "513505756159722818", 
            "Data": {
                "username": null, 
                "computerName": "164", 
                "threatClassificationSource": "Engine", 
                "filePath": "/Users/yardensade/Downloads/eicar.com", 
                "threatClassification": "OSX.Malware", 
                "fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", 
                "fileDisplayName": "eicar.com"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-10T12:46:08.910923Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": "513526832755426837", 
            "SecondaryDescription": "/Users/yardensade/Downloads/eicar.com", 
            "ActivityType": 2004, 
            "UserID": null, 
            "Comments": null, 
            "ID": "513526834374428187", 
            "PrimaryDescription": "The agent 164 successfully quarantined the threat: eicar.com.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T12:46:09.091198Z", 
            "AgentID": "513505756159722818", 
            "Data": {
                "computerName": "164", 
                "threatClassificationSource": "Engine", 
                "filePath": "/Users/yardensade/Downloads/eicar.com", 
                "threatClassification": "OSX.Malware", 
                "fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", 
                "fileDisplayName": "eicar.com"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-10T12:46:09.091186Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": "513526832755426837", 
            "SecondaryDescription": "/Users/yardensade/Downloads/eicar.com", 
            "ActivityType": 2004, 
            "UserID": null, 
            "Comments": null, 
            "ID": "513526971268122141", 
            "PrimaryDescription": "The agent 164 successfully quarantined the threat: eicar.com.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T12:46:25.410362Z", 
            "AgentID": "513505756159722818", 
            "Data": {
                "computerName": "164", 
                "threatClassificationSource": "Engine", 
                "filePath": "/Users/yardensade/Downloads/eicar.com", 
                "threatClassification": "OSX.Malware", 
                "fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", 
                "fileDisplayName": "eicar.com"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-10T12:46:25.410353Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": "513526418089756174", 
            "SecondaryDescription": "/Users/yardensade/Downloads/eicar.com.txt", 
            "ActivityType": 2004, 
            "UserID": null, 
            "Comments": null, 
            "ID": "513528784247637538", 
            "PrimaryDescription": "The agent 164 successfully quarantined the threat: eicar.com.txt.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T12:50:01.534329Z", 
            "AgentID": "513505756159722818", 
            "Data": {
                "computerName": "164", 
                "threatClassificationSource": "Engine", 
                "filePath": "/Users/yardensade/Downloads/eicar.com.txt", 
                "threatClassification": "OSX.Malware", 
                "fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", 
                "fileDisplayName": "eicar.com.txt"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-10T12:50:01.534321Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": "513529274335282723", 
            "SecondaryDescription": "/Users/yardensade/Downloads/totally_not_a_virus.txt", 
            "ActivityType": 18, 
            "UserID": null, 
            "Comments": null, 
            "ID": "513529274402391589", 
            "PrimaryDescription": "Threat detected, name: totally_not_a_virus.txt.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T12:50:59.965549Z", 
            "AgentID": "513505756159722818", 
            "Data": {
                "username": null, 
                "computerName": "164", 
                "threatClassificationSource": "Engine", 
                "filePath": "/Users/yardensade/Downloads/totally_not_a_virus.txt", 
                "threatClassification": "OSX.Malware", 
                "fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", 
                "fileDisplayName": "totally_not_a_virus.txt"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-10T12:50:59.965541Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": "513529274335282723", 
            "SecondaryDescription": "/Users/yardensade/Downloads/totally_not_a_virus.txt", 
            "ActivityType": 2004, 
            "UserID": null, 
            "Comments": null, 
            "ID": "513529275895563816", 
            "PrimaryDescription": "The agent 164 successfully quarantined the threat: totally_not_a_virus.txt.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T12:51:00.143471Z", 
            "AgentID": "513505756159722818", 
            "Data": {
                "computerName": "164", 
                "threatClassificationSource": "Engine", 
                "filePath": "/Users/yardensade/Downloads/totally_not_a_virus.txt", 
                "threatClassification": "OSX.Malware", 
                "fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", 
                "fileDisplayName": "totally_not_a_virus.txt"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-10T12:51:00.143461Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": "513529274335282723", 
            "SecondaryDescription": "/Users/yardensade/Downloads/totally_not_a_virus.txt", 
            "ActivityType": 2004, 
            "UserID": null, 
            "Comments": null, 
            "ID": "513529459253757483", 
            "PrimaryDescription": "The agent 164 successfully quarantined the threat: totally_not_a_virus.txt.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T12:51:22.000536Z", 
            "AgentID": "513505756159722818", 
            "Data": {
                "computerName": "164", 
                "threatClassificationSource": "Engine", 
                "filePath": "/Users/yardensade/Downloads/totally_not_a_virus.txt", 
                "threatClassification": "OSX.Malware", 
                "fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", 
                "fileDisplayName": "totally_not_a_virus.txt"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-10T12:51:22.000526Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": "513529274335282723", 
            "SecondaryDescription": "/Users/yardensade/Downloads/totally_not_a_virus.txt", 
            "ActivityType": 2004, 
            "UserID": null, 
            "Comments": null, 
            "ID": "513533152942409262", 
            "PrimaryDescription": "The agent 164 successfully quarantined the threat: totally_not_a_virus.txt.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-10T12:58:42.323499Z", 
            "AgentID": "513505756159722818", 
            "Data": {
                "computerName": "164", 
                "threatClassificationSource": "Engine", 
                "filePath": "/Users/yardensade/Downloads/totally_not_a_virus.txt", 
                "threatClassification": "OSX.Malware", 
                "fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", 
                "fileDisplayName": "totally_not_a_virus.txt"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-10T12:58:42.323491Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": "513516952292214236", 
            "SecondaryDescription": "/Users/yardensade/dev/demisto/content/TestData/EICAR.exe", 
            "ActivityType": 2009, 
            "UserID": null, 
            "Comments": null, 
            "ID": "514190868824249980", 
            "PrimaryDescription": "The agent 164 failed to quarantine the threat: EICAR.exe.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-11T10:45:28.166458Z", 
            "AgentID": "513505756159722818", 
            "Data": {
                "computerName": "164", 
                "threatClassificationSource": "Cloud", 
                "filePath": "/Users/yardensade/dev/demisto/content/TestData/EICAR.exe", 
                "threatClassification": "Malware", 
                "fileContentHash": "cf8bd9dfddff007f75adf4c2be48005cea317c62", 
                "fileDisplayName": "EICAR.exe"
            }, 
            "GroupID": "475482421375116388", 
            "CreatedAt": "2018-12-11T10:45:28.166449Z"
        }, 
        {
            "OsFamily": null, 
            "AgentUpdatedVersion": null, 
            "Hash": null, 
            "Description": null, 
            "ThreatID": null, 
            "SecondaryDescription": null, 
            "ActivityType": 27, 
            "UserID": "475482955872052394", 
            "Comments": null, 
            "ID": "514803118157132740", 
            "PrimaryDescription": "The management user Jane Doe logged into the management console.", 
            "SiteID": "475482421366727779", 
            "UpdatedAt": "2018-12-12T07:01:53.974164Z", 
            "AgentID": null, 
            "Data": {
                "username": "Jane Doe", 
                "source": "mgmt", 
                "role": "admin"
            }, 
            "GroupID": null, 
            "CreatedAt": "2018-12-12T07:01:53.974154Z"
        }
    ]
}
Human Readable Output

Sentinel One Activities

| ID | Primary description | Data | User ID | Created at | Updated at | Threat ID |
|---|---|---|---|---|---|---|
| 475482421492556909 | The management user John Roe created demisto site. | siteId: 475482421366727779<br>siteName: demisto<br>username: John Roe | 433273625970238486 | 2018-10-19T00:58:41.660278Z | 2018-10-19T00:58:41.660287Z | |
| 475482955955938476 | The management user John Roe added user Jane Doe as admin. | byUser: John Roe<br>role: admin<br>username: Jane Doe | 475482955872052394 | 2018-10-19T00:59:45.373584Z | 2018-10-19T00:59:45.373592Z | |
| 475553388201878769 | The management user Jane Doe logged into management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-10-19T03:19:41.551236Z | 2018-10-19T03:19:41.551249Z | |
| 476162850050648822 | The management user Jane Doe logged into management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-10-19T23:30:35.062484Z | 2018-10-19T23:30:35.062505Z | |
| 476162850092591864 | The management user Jane Doe logged into management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-10-19T23:30:35.068812Z | 2018-10-19T23:30:35.068827Z | |
| 478078612361294941 | The management user Jane Doe logged into management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-10-22T14:56:51.726762Z | 2018-10-22T14:56:51.726777Z | |
| 478078815793427551 | The management user Jane Doe logged into management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-10-22T14:57:15.978605Z | 2018-10-22T14:57:15.978615Z | |
| 499090543532554580 | The management user Jane Doe logged into management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-11-20T14:43:49.115657Z | 2018-11-20T14:43:49.115665Z | |
| 500911232606524037 | The management user Jane Doe logged into management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-11-23T03:01:12.166743Z | 2018-11-23T03:01:12.166753Z | |
| 504856083882582151 | The management user Jane Doe logged into management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-11-28T13:38:55.085488Z | 2018-11-28T13:38:55.085497Z | |
| 507609080257599870 | Bills-MBP subscribed and joined the group Default Group. | computerName: Bills-MBP<br>group: Default Group<br>optionalGroups: | | 2018-12-02T08:48:37.826816Z | 2018-12-02T08:48:37.826824Z | |
| 507609080626698626 | System initiated a full disk scan to the agent: Bills-MBP (98.234.105.153). | computerName: Bills-MBP<br>externalIp: 98.234.105.153<br>system: true<br>uuid: 9A532F6E-0F87-5F8E-B6AB-C0206599C568 | | 2018-12-02T08:48:37.871136Z | 2018-12-02T08:48:37.871144Z | |
| 507609341168474555 | Agent Bills-MBP started full disk scan at Sun, 02 Dec 2018, 08:49:08 UTC. | computerName: Bills-MBP<br>createdAt: 2018-12-02T08:49:08.908384Z<br>status: started | | 2018-12-02T08:49:08.929660Z | 2018-12-02T08:49:08.929672Z | |
| 508159023422660725 | Agent Bills-MBP completed full disk scan at Mon, 03 Dec 2018, 03:01:16 UTC. | computerName: Bills-MBP<br>createdAt: 2018-12-03T03:01:16.153462Z<br>status: finished | | 2018-12-03T03:01:16.160707Z | 2018-12-03T03:01:16.160715Z | |
| 509259775683623999 | Threat detected, name: eicar.com.txt. | computerName: Bills-MBP<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: eicar.com.txt<br>filePath: /Users/bill/.Trash/eicar.com.txt<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine<br>username: null | | 2018-12-04T15:28:16.055815Z | 2018-12-04T15:28:16.055823Z | 509259775582960700 |
| 509259776623148097 | The agent Bills-MBP successfully quarantined the threat: eicar.com.txt. | computerName: Bills-MBP<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: eicar.com.txt<br>filePath: /Users/bill/.Trash/eicar.com.txt<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine | | 2018-12-04T15:28:16.168216Z | 2018-12-04T15:28:16.168238Z | 509259775582960700 |
| 509259849436265543 | Cloud has added macOS black hash. | description: null<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>osFamily: osx | | 2018-12-04T15:28:24.847654Z | 2018-12-04T15:28:24.847663Z | |
| 510432832787879335 | The management user Jane Doe logged into the management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-12-06T06:18:55.360294Z | 2018-12-06T06:18:55.360302Z | |
| 510434401356912041 | The management user Jane Doe logged out of the management console. | role: admin<br>username: Jane Doe | 475482955872052394 | 2018-12-06T06:22:02.348116Z | 2018-12-06T06:22:02.348128Z | |
| 512980043203657099 | The management user Jane Doe logged into the management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-12-09T18:39:46.504206Z | 2018-12-09T18:39:46.504215Z | |
| 513485626755302270 | The management user Jane Doe logged into the management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-12-10T11:24:16.759925Z | 2018-12-10T11:24:16.759935Z | |
| 513488018364220290 | The management user Jane Doe added user Yarden Sade as admin. | byUser: Jane Doe<br>role: admin<br>username: Yarden Sade | 513488018280334208 | 2018-12-10T11:29:01.861727Z | 2018-12-10T11:29:01.861735Z | |
| 513489064113259396 | The management user Jane Doe logged out of the management console. | role: admin<br>username: Jane Doe | 475482955872052394 | 2018-12-10T11:31:06.525307Z | 2018-12-10T11:31:06.525318Z | |
| 513489107926958983 | The management user Yarden Sade logged into the management console. | role: admin<br>source: mgmt<br>username: Yarden Sade | 513488018280334208 | 2018-12-10T11:31:11.748574Z | 2018-12-10T11:31:11.748582Z | |
| 513490499303424908 | The management user Yarden Sade has created New group Test. | groupId: 513490499236316042<br>groupName: Test<br>username: Yarden Sade | 513488018280334208 | 2018-12-10T11:33:57.612924Z | 2018-12-10T11:33:57.612933Z | |
| 513504037921146173 | The management user Yarden Sade logged out of the management console. | role: admin<br>username: Yarden Sade | 513488018280334208 | 2018-12-10T12:00:51.541671Z | 2018-12-10T12:00:51.541682Z | |
| 513504203889755456 | The management user Jane Doe logged into the management console. | role: admin<br>source: mgmt<br>username: Jane Doe | 475482955872052394 | 2018-12-10T12:01:11.326896Z | 2018-12-10T12:01:11.326905Z | |
513505756310717775 164 subscribed and joined the group Default Group. computerName: 164<br>group: Default Group<br>optionalGroups: 2018-12-10T12:04:16.390462Z 2018-12-10T12:04:16.390472Z
513505756696593747 System initiated a full disk scan to the agent: 164 (94.188.164.68). computerName: 164<br>externalIp: 94.188.164.68<br>system: true<br>uuid: 46DBCBC2-216A-5732-A007-4348BB55B37F 2018-12-10T12:04:16.436084Z 2018-12-10T12:04:16.436092Z
513506023588545884 Agent 164 started full disk scan at Mon, 10 Dec 2018, 12:04:48 UTC. computerName: 164<br>createdAt: 2018-12-10T12:04:48.248338Z<br>status: started 2018-12-10T12:04:48.252693Z 2018-12-10T12:04:48.252701Z
513516799787320769 Threat detected, name: EICAR.exe. computerName: 164<br>fileContentHash: cf8bd9dfddff007f75adf4c2be48005cea317c62<br>fileDisplayName: EICAR.exe<br>filePath: /Users/yardensade/WebstormProjects/content/TestData/EICAR.exe<br>threatClassification: null<br>threatClassificationSource: null<br>username: null 2018-12-10T12:26:12.874784Z 2018-12-10T12:26:12.874792Z 513516799695046076
513516801297270211 The agent 164 successfully quarantined the threat: EICAR.exe. computerName: 164<br>fileContentHash: cf8bd9dfddff007f75adf4c2be48005cea317c62<br>fileDisplayName: EICAR.exe<br>filePath: /Users/yardensade/WebstormProjects/content/TestData/EICAR.exe<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine 2018-12-10T12:26:13.054666Z 2018-12-10T12:26:13.054678Z 513516799695046076
513516852300006858 Cloud has added macOS black hash. description: null<br>fileContentHash: cf8bd9dfddff007f75adf4c2be48005cea317c62<br>osFamily: osx 2018-12-10T12:26:19.135218Z 2018-12-10T12:26:19.135226Z
513516952367711710 Threat detected, name: EICAR.exe. computerName: 164<br>fileContentHash: cf8bd9dfddff007f75adf4c2be48005cea317c62<br>fileDisplayName: EICAR.exe<br>filePath: /Users/yardensade/dev/demisto/content/TestData/EICAR.exe<br>threatClassification: Malware<br>threatClassificationSource: Cloud<br>username: null 2018-12-10T12:26:31.064568Z 2018-12-10T12:26:31.064576Z 513516952292214236
513516953818940898 The agent 164 successfully quarantined the threat: EICAR.exe. computerName: 164<br>fileContentHash: cf8bd9dfddff007f75adf4c2be48005cea317c62<br>fileDisplayName: EICAR.exe<br>filePath: /Users/yardensade/dev/demisto/content/TestData/EICAR.exe<br>threatClassification: Malware<br>threatClassificationSource: Cloud 2018-12-10T12:26:31.236769Z 2018-12-10T12:26:31.236777Z 513516952292214236
513518844460189159 Threat detected, name: EICAR.exe. computerName: 164<br>fileContentHash: cf8bd9dfddff007f75adf4c2be48005cea317c62<br>fileDisplayName: EICAR.exe<br>filePath: /Users/yardensade/Documents/GitHub/content/TestData/EICAR.exe<br>threatClassification: Malware<br>threatClassificationSource: Cloud<br>username: null 2018-12-10T12:30:16.619423Z 2018-12-10T12:30:16.619432Z 513518844384691684
513518845877863914 The agent 164 successfully quarantined the threat: EICAR.exe. computerName: 164<br>fileContentHash: cf8bd9dfddff007f75adf4c2be48005cea317c62<br>fileDisplayName: EICAR.exe<br>filePath: /Users/yardensade/Documents/GitHub/content/TestData/EICAR.exe<br>threatClassification: Malware<br>threatClassificationSource: Cloud 2018-12-10T12:30:16.788059Z 2018-12-10T12:30:16.788068Z 513518844384691684
513519504073213420 Agent 164 completed full disk scan at Mon, 10 Dec 2018, 12:31:35 UTC. computerName: 164<br>createdAt: 2018-12-10T12:31:35.248610Z<br>status: finished 2018-12-10T12:31:35.251320Z 2018-12-10T12:31:35.251329Z
513526418156865040 Threat detected, name: eicar.com.txt. computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: eicar.com.txt<br>filePath: /Users/yardensade/Downloads/eicar.com.txt<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine<br>username: null 2018-12-10T12:45:19.474330Z 2018-12-10T12:45:19.474339Z 513526418089756174
513526419608094227 The agent 164 successfully quarantined the threat: eicar.com.txt. computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: eicar.com.txt<br>filePath: /Users/yardensade/Downloads/eicar.com.txt<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine 2018-12-10T12:45:19.647311Z 2018-12-10T12:45:19.647320Z 513526418089756174
513526832864478743 Threat detected, name: eicar.com. computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: eicar.com<br>filePath: /Users/yardensade/Downloads/eicar.com<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine<br>username: null 2018-12-10T12:46:08.910923Z 2018-12-10T12:46:08.910934Z 513526832755426837
513526834374428187 The agent 164 successfully quarantined the threat: eicar.com. computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: eicar.com<br>filePath: /Users/yardensade/Downloads/eicar.com<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine 2018-12-10T12:46:09.091186Z 2018-12-10T12:46:09.091198Z 513526832755426837
513526971268122141 The agent 164 successfully quarantined the threat: eicar.com. computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: eicar.com<br>filePath: /Users/yardensade/Downloads/eicar.com<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine 2018-12-10T12:46:25.410353Z 2018-12-10T12:46:25.410362Z 513526832755426837
513528784247637538 The agent 164 successfully quarantined the threat: eicar.com.txt. computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: eicar.com.txt<br>filePath: /Users/yardensade/Downloads/eicar.com.txt<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine 2018-12-10T12:50:01.534321Z 2018-12-10T12:50:01.534329Z 513526418089756174
513529274402391589 Threat detected, name: totally_not_a_virus.txt. computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: totally_not_a_virus.txt<br>filePath: /Users/yardensade/Downloads/totally_not_a_virus.txt<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine<br>username: null 2018-12-10T12:50:59.965541Z 2018-12-10T12:50:59.965549Z 513529274335282723
513529275895563816 The agent 164 successfully quarantined the threat: totally_not_a_virus.txt. computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: totally_not_a_virus.txt<br>filePath: /Users/yardensade/Downloads/totally_not_a_virus.txt<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine 2018-12-10T12:51:00.143461Z 2018-12-10T12:51:00.143471Z 513529274335282723
513529459253757483 The agent 164 successfully quarantined the threat: totally_not_a_virus.txt. computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: totally_not_a_virus.txt<br>filePath: /Users/yardensade/Downloads/totally_not_a_virus.txt<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine 2018-12-10T12:51:22.000526Z 2018-12-10T12:51:22.000536Z 513529274335282723
513533152942409262 The agent 164 successfully quarantined the threat: totally_not_a_virus.txt. computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: totally_not_a_virus.txt<br>filePath: /Users/yardensade/Downloads/totally_not_a_virus.txt<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine 2018-12-10T12:58:42.323491Z 2018-12-10T12:58:42.323499Z 513529274335282723
514190868824249980 The agent 164 failed to quarantine the threat: EICAR.exe. computerName: 164<br>fileContentHash: cf8bd9dfddff007f75adf4c2be48005cea317c62<br>fileDisplayName: EICAR.exe<br>filePath: /Users/yardensade/dev/demisto/content/TestData/EICAR.exe<br>threatClassification: Malware<br>threatClassificationSource: Cloud 2018-12-11T10:45:28.166449Z 2018-12-11T10:45:28.166458Z 513516952292214236
514803118157132740 The management user Jane Doe logged into the management console. role: admin<br>source: mgmt<br>username: Jane Doe 475482955872052394 2018-12-12T07:01:53.974154Z 2018-12-12T07:01:53.974164Z
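The activity rows above mix console logins, scans and threat events in one flat table. As an added example (not part of the integration or its documentation), the Python below parses such rows and summarises each threat ID's lifecycle so that quarantine failures, detections that were never quarantined, and one hash reported under several file names stand out. The sample rows are constructed by copying lines from the table above; the Data column keeps the `<br>` separators the table uses between its key: value pairs. Function names are my own.

```python
"""Triage helpers for rows of the sentinelone-get-activities table (added example)."""
import re
from collections import defaultdict

# Constructed sample: rows copied from the activity table above.
SAMPLE_ROWS = [
    "510432832787879335 The management user Jane Doe logged into the management console. role: admin<br>source: mgmt<br>username: Jane Doe 475482955872052394 2018-12-06T06:18:55.360294Z 2018-12-06T06:18:55.360302Z",
    "513506023588545884 Agent 164 started full disk scan at Mon, 10 Dec 2018, 12:04:48 UTC. computerName: 164<br>createdAt: 2018-12-10T12:04:48.248338Z<br>status: started 2018-12-10T12:04:48.252693Z 2018-12-10T12:04:48.252701Z",
    "513516952367711710 Threat detected, name: EICAR.exe. computerName: 164<br>fileContentHash: cf8bd9dfddff007f75adf4c2be48005cea317c62<br>fileDisplayName: EICAR.exe<br>filePath: /Users/yardensade/dev/demisto/content/TestData/EICAR.exe<br>threatClassification: Malware<br>threatClassificationSource: Cloud<br>username: null 2018-12-10T12:26:31.064568Z 2018-12-10T12:26:31.064576Z 513516952292214236",
    "513516953818940898 The agent 164 successfully quarantined the threat: EICAR.exe. computerName: 164<br>fileContentHash: cf8bd9dfddff007f75adf4c2be48005cea317c62<br>fileDisplayName: EICAR.exe<br>filePath: /Users/yardensade/dev/demisto/content/TestData/EICAR.exe<br>threatClassification: Malware<br>threatClassificationSource: Cloud 2018-12-10T12:26:31.236769Z 2018-12-10T12:26:31.236777Z 513516952292214236",
    "514190868824249980 The agent 164 failed to quarantine the threat: EICAR.exe. computerName: 164<br>fileContentHash: cf8bd9dfddff007f75adf4c2be48005cea317c62<br>fileDisplayName: EICAR.exe<br>filePath: /Users/yardensade/dev/demisto/content/TestData/EICAR.exe<br>threatClassification: Malware<br>threatClassificationSource: Cloud 2018-12-11T10:45:28.166449Z 2018-12-11T10:45:28.166458Z 513516952292214236",
    "513526418156865040 Threat detected, name: eicar.com.txt. computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: eicar.com.txt<br>filePath: /Users/yardensade/Downloads/eicar.com.txt<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine<br>username: null 2018-12-10T12:45:19.474330Z 2018-12-10T12:45:19.474339Z 513526418089756174",
    "513526419608094227 The agent 164 successfully quarantined the threat: eicar.com.txt. computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: eicar.com.txt<br>filePath: /Users/yardensade/Downloads/eicar.com.txt<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine 2018-12-10T12:45:19.647311Z 2018-12-10T12:45:19.647320Z 513526418089756174",
    "513529274402391589 Threat detected, name: totally_not_a_virus.txt. computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: totally_not_a_virus.txt<br>filePath: /Users/yardensade/Downloads/totally_not_a_virus.txt<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine<br>username: null 2018-12-10T12:50:59.965541Z 2018-12-10T12:50:59.965549Z 513529274335282723",
    "513529275895563816 The agent 164 successfully quarantined the threat: totally_not_a_virus.txt. computerName: 164<br>fileContentHash: 3395856ce81f2b7382dee72602f798b642f14140<br>fileDisplayName: totally_not_a_virus.txt<br>filePath: /Users/yardensade/Downloads/totally_not_a_virus.txt<br>threatClassification: OSX.Malware<br>threatClassificationSource: Engine 2018-12-10T12:51:00.143461Z 2018-12-10T12:51:00.143471Z 513529274335282723",
]

TS = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z"
# Columns: activity ID, description + data, optional user ID, created, updated, optional threat ID.
ROW_RE = re.compile(
    rf"^(?P<id>\d+) (?P<body>.*?)(?: (?P<user_id>\d+))? "
    rf"(?P<created>{TS}) (?P<updated>{TS})(?: (?P<threat_id>\d+))?$"
)
# The description ends at the first ". " that is followed by a "key: " pair.
DATA_START_RE = re.compile(r"\. (?=\w+: )")


def parse_row(row):
    """Split one activity row into its columns; the Data column becomes a dict."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised activity row: {row[:60]!r}")
    parts = DATA_START_RE.split(m["body"], maxsplit=1)
    data = {}
    if len(parts) == 2:
        for field in parts[1].split("<br>"):
            key, _, value = field.partition(":")  # split at the first colon only
            value = value.strip()
            data[key.strip()] = None if value in ("", "null") else value
    return {
        "id": m["id"],
        "description": parts[0] + ("." if len(parts) == 2 else ""),
        "data": data,
        "user_id": m["user_id"],
        "created_at": m["created"],
        "updated_at": m["updated"],
        "threat_id": m["threat_id"],
    }


def summarize_threats(rows):
    """Aggregate the threat-related rows by SentinelOne threat ID."""
    threats = {}
    for rec in (parse_row(r) for r in rows):
        tid = rec["threat_id"]
        if tid is None:
            continue  # logins, scans and group changes carry no threat ID
        d = rec["data"]
        t = threats.setdefault(tid, {
            "endpoint": d.get("computerName"), "hash": d.get("fileContentHash"),
            "names": set(), "detected": 0, "quarantined": 0, "failed": 0,
        })
        if d.get("fileDisplayName"):
            t["names"].add(d["fileDisplayName"])
        desc = rec["description"]
        if desc.startswith("Threat detected"):
            t["detected"] += 1
        elif "successfully quarantined" in desc:
            t["quarantined"] += 1
        elif "failed to quarantine" in desc:
            t["failed"] += 1
    return threats


def triage_findings(threats):
    """Return the findings an analyst should follow up on, as plain strings."""
    findings = []
    names_by_hash = defaultdict(set)
    for tid, t in sorted(threats.items()):
        if t["failed"]:
            findings.append(f"threat {tid}: quarantine failed on {t['endpoint']}")
        if t["detected"] and not t["quarantined"]:
            findings.append(f"threat {tid}: detected on {t['endpoint']} but never quarantined")
        if t["hash"]:
            names_by_hash[t["hash"]].update(t["names"])
    for h, names in sorted(names_by_hash.items()):
        if len(names) > 1:  # same content, several file names: renamed test/malware sample
            findings.append(f"hash {h} seen under {len(names)} names: {', '.join(sorted(names))}")
    return findings


if __name__ == "__main__":
    for line in triage_findings(summarize_threats(SAMPLE_ROWS)):
        print(line)
```

On the sample rows this reports the failed quarantine of EICAR.exe on endpoint 164 and that hash 3395856c... was seen as both eicar.com.txt and totally_not_a_virus.txt.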

15. Get group data


Gets data for the specified group.

Base Command

sentinelone-get-groups

Input
Argument Name Description Required
group_type Group type, for example: “static”. Optional
group_ids CSV list of group IDs by which to filter, for example: “225494730938493804,225494730938493915”. Optional
group_id Group ID by which to filter, for example: “225494730938493804”. Optional
is_default Whether this is the default group. Optional
name The name of the group. Optional
query Free-text search on the name field. Optional
rank The rank sets the priority of a dynamic group over others, for example, “1”, which is the highest priority. Optional
limit Maximum number of items to return (1-200). Optional

Context Output
Path Type Description
SentinelOne.Group.siteId String The ID of the site of which this group is a member.
SentinelOne.Group.filterName String If the group is dynamic, the name of the filter which is used to associate agents.
SentinelOne.Group.creatorId String The ID of the user that created the group.
SentinelOne.Group.name String The name of the group.
SentinelOne.Group.creator String The user that created the group.
SentinelOne.Group.rank Number The rank, which sets the priority of a dynamic group over others.
SentinelOne.Group.updatedAt Date Timestamp of the last update.
SentinelOne.Group.totalAgents Number Number of agents in the group.
SentinelOne.Group.filterId String If the group is dynamic, the group ID of the filter that is used to associate agents.
SentinelOne.Group.isDefault Boolean Whether the group is the default group of the site.
SentinelOne.Group.inherits Boolean Whether the policy is inherited from a site. “False” if the group has its own edited policy.
SentinelOne.Group.type String Group type. Can be “static” or “dynamic”.
SentinelOne.Group.id String The ID of the group.
SentinelOne.Group.createdAt Date Timestamp of group creation.

Command Example
!sentinelone-get-groups
Context Example
{
    "SentinelOne.Group": [
        {
            "inherits": true, 
            "name": "Default Group", 
            "creator": "John Roe", 
            "filterName": null, 
            "updatedAt": "2019-07-25T07:23:58.622476Z", 
            "filterId": null, 
            "rank": null, 
            "registrationToken": "eyJ1cmwiOiAiaHR0cHM6Ly91c2VhMS1wYXJ0bmVycy5zZW50aW5lbG9uZS5uZXQiLCAic2l0ZV9rZXkiOiAiZ184NjJiYWQzNTIwN2ZmNTJmIn0=", 
            "siteId": "475482421366727779", 
            "isDefault": true, 
            "creatorId": "433273625970238486", 
            "totalAgents": 5, 
            "type": "static", 
            "id": "475482421375116388", 
            "createdAt": "2018-10-19T00:58:41.646045Z"
        }
    ]
}
Human Readable Output

Sentinel One Groups

ID Name Type Creator Creator ID Created at
475482421375116388 Default Group static John Roe 433273625970238486 2018-10-19T00:58:41.646045Z

16. Move agent


Moves agents to a new group.

Base Command

sentinelone-move-agent

Input
Argument Name Description Required
group_id The ID of the group to move the agent to. Required
agents_ids The IDs of the agents to move. Optional

Context Output
Path Type Description
SentinelOne.Agent.AgentsMoved Number The number of agents that were moved to another group.

17. Delete a group


Deletes a group by the group ID.

Base Command
sentinelone-delete-group
Input
Argument Name Description Required
group_id The ID of the group to delete. Required

Context Output

There is no context output for this command.

Command Example
!sentinelone-delete-group group_id=661564034148420567
Human Readable Output

The group was deleted successfully

18. Retrieve agent processes


Retrieves running processes for a specific agent.

Base Command
sentinelone-agent-processes
Input
Argument Name Description Required
agents_ids The ID of the agent from which to retrieve the processes. Required

Context Output
Path Type Description
SentinelOne.Agent.memoryUsage Number Memory usage (MB).
SentinelOne.Agent.startTime Date The process start time.
SentinelOne.Agent.pid Number The process ID.
SentinelOne.Agent.processName String The name of the process.
SentinelOne.Agent.cpuUsage Number CPU usage (%).
SentinelOne.Agent.executablePath String Executable path.

19. Connect an agent


Connects agents to a network.

Base Command
sentinelone-connect-agent
Input
Argument Name Description Required
agent_id A CSV list of agent IDs to connect to the network. Run the list-agents command to get a list of agent IDs. Required

Context Output
Path Type Description
SentinelOne.Agent.AgentsAffected Number The number of affected agents.
SentinelOne.Agent.ID String The IDs of the affected agents.

Command Example
!sentinelone-connect-agent agent_id=657738871640371668
Context Example
{
    "SentinelOne.Agent": {
        "ID": "657738871640371668", 
        "NetworkStatus": "connecting"
    }
}
Human Readable Output

1 agent(s) successfully connected to the network.

20. Disconnect an agent


Disconnects agents from the network.

Base Command

sentinelone-disconnect-agent

Input
Argument Name Description Required
agent_id A CSV list of agent IDs to disconnect from the network. Run the list-agents command to get a list of agent IDs. Required

Context Output
Path Type Description
SentinelOne.Agent.NetworkStatus String Agent network status.
SentinelOne.Agent.ID String The IDs of the affected agents.

Command Example
!sentinelone-disconnect-agent agent_id=657738871640371668
Context Example
{
    "SentinelOne.Agent": {
        "ID": "657738871640371668", 
        "NetworkStatus": "connecting"
    }
}
Human Readable Output

1 agent(s) successfully disconnected from the network.

21. Broadcast a message to agents


Broadcasts a message to all agents.

Base Command
sentinelone-broadcast-message
Input
Argument Name Description Required
message The message to broadcast to agents. Required
active_agent Whether to only include active agents. Default is “false”. Optional
group_id A list of group IDs by which to filter the results. Optional
agent_id A list of agent IDs by which to filter the results. Optional
domain Included network domains. Optional

Context Output

There is no context output for this command.

Command Example
!sentinelone-broadcast-message message="Hello World"
Human Readable Output

The message was successfully delivered to the agent(s)

22. Get Deep Visibility events


Gets all Deep Visibility events that match the query.

Base Command
sentinelone-get-events
Input
Argument Name Description Required
limit Maximum number of items to return (1-100). Default is “50”. Optional
query_id Query ID obtained when creating a query in the sentinelone-create-query command. Example: “q1xx2xx3”. Required

Context Output
Path Type Description
SentinelOne.Event.ProcessUID String Process unique identifier.
SentinelOne.Event.SHA256 String SHA256 hash of the file.
SentinelOne.Event.AgentOS String OS type. Can be “windows”, “linux”, “macos”, or “windows_legacy”.
SentinelOne.Event.ProcessID Number The process ID.
SentinelOne.Event.User String User assigned to the event.
SentinelOne.Event.Time Date Process start time.
SentinelOne.Event.Endpoint String The agent name.
SentinelOne.Event.SiteName String Site name.
SentinelOne.Event.EventType String Event type. Can be “events”, “file”, “ip”, “url”, “dns”, “process”, “registry”, “scheduled_task”, or “logins”.
SentinelOne.Event.ProcessName String The name of the process.
SentinelOne.Event.MD5 String MD5 hash of the file.
Event.ID String Event process ID.
Event.Name String Event name.
Event.Type String Event type.

Command Example
!sentinelone-get-events limit="10" query_id="q5b327f7c84162549eb1d568c968ff655"
Context Example
{
    "Event": [
        {
            "Type": "process", 
            "ID": "5556", 
            "Name": "svchost.exe"
        }, 
        {
            "Type": "process", 
            "ID": "5432", 
            "Name": "VSSVC.exe"
        }, 
        {
            "Type": "ip", 
            "ID": "1636", 
            "Name": "amazon-ssm-agent.exe"
        }, 
        {
            "Type": "file", 
            "ID": "3996", 
            "Name": "Google Chrome"
        }, 
        {
            "Type": "file", 
            "ID": "3996", 
            "Name": "Google Chrome"
        }, 
        {
            "Type": "file", 
            "ID": "3996", 
            "Name": "Google Chrome"
        }, 
        {
            "Type": "file", 
            "ID": "3996", 
            "Name": "Google Chrome"
        }, 
        {
            "Type": "file", 
            "ID": "3996", 
            "Name": "Google Chrome"
        }, 
        {
            "Type": "file", 
            "ID": "3996", 
            "Name": "Google Chrome"
        }, 
        {
            "Type": "file", 
            "ID": "3996", 
            "Name": "Google Chrome"
        }
    ], 
    "SentinelOne.Event": [
        {
            "ProcessID": "5556", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "EventType": "process", 
            "ProcessUID": "10EEF25AF81502CD", 
            "ProcessName": "svchost.exe", 
            "User": null, 
            "Time": "2019-08-04T04:48:36.440Z", 
            "SHA256": "438b6ccd84f4dd32d9684ed7d58fd7d1e5a75fe3f3d12ab6c788e6bb0ffad5e7", 
            "AgentOS": "windows", 
            "MD5": "36f670d89040709013f6a460176767ec"
        }, 
        {
            "ProcessID": "5432", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "EventType": "process", 
            "ProcessUID": "DAB10F03FC995CCA", 
            "ProcessName": "VSSVC.exe", 
            "User": null, 
            "Time": "2019-08-04T04:48:26.439Z", 
            "SHA256": "29c18ccdb5077ee158ee591e2226f2c95d27a0f26f259c16c621ecc20b499bed", 
            "AgentOS": "windows", 
            "MD5": "adf381b23416fd54d5dbb582dbb7992d"
        }, 
        {
            "ProcessID": "1636", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "EventType": "ip", 
            "ProcessUID": "1525CEC635947A9A", 
            "ProcessName": "amazon-ssm-agent.exe", 
            "User": null, 
            "Time": "2019-06-27T08:01:32.077Z", 
            "SHA256": null, 
            "AgentOS": "windows", 
            "MD5": null
        }, 
        {
            "ProcessID": "3996", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "EventType": "file", 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "User": null, 
            "Time": "2019-06-30T13:50:54.280Z", 
            "SHA256": null, 
            "AgentOS": "windows", 
            "MD5": null
        }, 
        {
            "ProcessID": "3996", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "EventType": "file", 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "User": null, 
            "Time": "2019-06-30T13:50:54.280Z", 
            "SHA256": null, 
            "AgentOS": "windows", 
            "MD5": null
        }, 
        {
            "ProcessID": "3996", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "EventType": "file", 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "User": null, 
            "Time": "2019-06-30T13:50:54.280Z", 
            "SHA256": null, 
            "AgentOS": "windows", 
            "MD5": null
        }, 
        {
            "ProcessID": "3996", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "EventType": "file", 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "User": null, 
            "Time": "2019-06-30T13:50:54.280Z", 
            "SHA256": null, 
            "AgentOS": "windows", 
            "MD5": null
        }, 
        {
            "ProcessID": "3996", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "EventType": "file", 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "User": null, 
            "Time": "2019-06-30T13:50:54.280Z", 
            "SHA256": null, 
            "AgentOS": "windows", 
            "MD5": null
        }, 
        {
            "ProcessID": "3996", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "EventType": "file", 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "User": null, 
            "Time": "2019-06-30T13:50:54.280Z", 
            "SHA256": null, 
            "AgentOS": "windows", 
            "MD5": null
        }, 
        {
            "ProcessID": "3996", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "EventType": "file", 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "User": null, 
            "Time": "2019-06-30T13:50:54.280Z", 
            "SHA256": null, 
            "AgentOS": "windows", 
            "MD5": null
        }
    ]
}
Human Readable Output

SentinelOne Events

EventType SiteName Time AgentOS ProcessID ProcessUID ProcessName MD5 SHA256
process demisto 2019-08-04T04:48:36.440Z windows 5556 10EEF25AF81502CD svchost.exe 36f670d89040709013f6a460176767ec 438b6ccd84f4dd32d9684ed7d58fd7d1e5a75fe3f3d12ab6c788e6bb0ffad5e7
process demisto 2019-08-04T04:48:26.439Z windows 5432 DAB10F03FC995CCA VSSVC.exe adf381b23416fd54d5dbb582dbb7992d 29c18ccdb5077ee158ee591e2226f2c95d27a0f26f259c16c621ecc20b499bed
ip demisto 2019-06-27T08:01:32.077Z windows 1636 1525CEC635947A9A amazon-ssm-agent.exe
file demisto 2019-06-30T13:50:54.280Z windows 3996 84FEED6A0CB9C211 Google Chrome
file demisto 2019-06-30T13:50:54.280Z windows 3996 84FEED6A0CB9C211 Google Chrome
file demisto 2019-06-30T13:50:54.280Z windows 3996 84FEED6A0CB9C211 Google Chrome
file demisto 2019-06-30T13:50:54.280Z windows 3996 84FEED6A0CB9C211 Google Chrome
file demisto 2019-06-30T13:50:54.280Z windows 3996 84FEED6A0CB9C211 Google Chrome
file demisto 2019-06-30T13:50:54.280Z windows 3996 84FEED6A0CB9C211 Google Chrome
file demisto 2019-06-30T13:50:54.280Z windows 3996 84FEED6A0CB9C211 Google Chrome

23. Create a Deep Visibility query


Runs a Deep Visibility query and returns the query ID. Use the query ID in the other Deep Visibility commands, such as the sentinelone-get-events command.

Base Command
sentinelone-create-query
Input
Argument Name Description Required
query The query string for which to return events. Required
from_date Query start date, for example, “2019-08-03T04:49:26.257525Z”. Required
to_date Query end date, for example, “2019-08-03T04:49:26.257525Z”. Required

Context Output
Path Type Description
SentinelOne.Query.FromDate Date Query start date.
SentinelOne.Query.Query String The search query string.
SentinelOne.Query.QueryID String The query ID.
SentinelOne.Query.ToDate Date Query end date.

Command Example
!sentinelone-create-query query="AgentName Is Not Empty" from_date="2019-08-02T04:49:26.257525Z" to_date="2019-08-04T04:49:26.257525Z"
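The two commands above form one flow: sentinelone-create-query returns a query ID, and sentinelone-get-events pages through the matching events. As an added example (not code from the integration), the Python below validates the create-query arguments, applies the documented limit range of get-events (default 50, maximum 100) and post-processes the SentinelOne.Event context: it drops repeated entries (the context example above lists one Google Chrome file event seven times) and collects the SHA256 hashes per endpoint for a later reputation lookup with sentinelone-get-hash. The event records are constructed from the get-events context example above; the function names are my own.

```python
"""Deep Visibility query and event helpers (added example)."""
from collections import defaultdict
from datetime import datetime

DEFAULT_EVENT_LIMIT = 50   # documented default of the get-events "limit" argument
MAX_EVENT_LIMIT = 100      # documented upper bound of the same argument


def parse_s1_timestamp(value):
    """Parse the timestamp form the commands use, e.g. 2019-08-03T04:49:26.257525Z."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC timestamp ending in Z, got {value!r}")
    return datetime.fromisoformat(value[:-1] + "+00:00")


def build_query_args(query, from_date, to_date):
    """Validate the sentinelone-create-query arguments and return them as a dict."""
    if not query.strip():
        raise ValueError("query must not be empty")
    start, end = parse_s1_timestamp(from_date), parse_s1_timestamp(to_date)
    if start >= end:
        raise ValueError("from_date must be earlier than to_date")
    return {"query": query, "from_date": from_date, "to_date": to_date}


def clamp_limit(limit=None):
    """Apply the documented limit range of sentinelone-get-events (1-100, default 50)."""
    if limit is None:
        return DEFAULT_EVENT_LIMIT
    return max(1, min(int(limit), MAX_EVENT_LIMIT))


def dedupe_events(events):
    """Drop repeated SentinelOne.Event entries, keeping the first of each in order."""
    seen, unique = set(), []
    for ev in events:
        key = (ev.get("ProcessUID"), ev.get("EventType"), ev.get("Time"))
        if key not in seen:
            seen.add(key)
            unique.append(ev)
    return unique


def hashes_by_endpoint(events):
    """Collect the SHA256 hashes reported per endpoint; ip/file events carry none."""
    out = defaultdict(set)
    for ev in events:
        if ev.get("SHA256"):
            out[ev["Endpoint"]].add(ev["SHA256"])
    return {endpoint: sorted(hashes) for endpoint, hashes in out.items()}


# Constructed sample, copied from the get-events context example above.
_COMMON = {"Endpoint": "EC2AMAZ-AJ0KANC", "SiteName": "demisto", "AgentOS": "windows", "User": None}
_CHROME_FILE_EVENT = dict(_COMMON, ProcessID="3996", EventType="file", ProcessUID="84FEED6A0CB9C211",
                          ProcessName="Google Chrome", Time="2019-06-30T13:50:54.280Z",
                          SHA256=None, MD5=None)
SAMPLE_EVENTS = [
    dict(_COMMON, ProcessID="5556", EventType="process", ProcessUID="10EEF25AF81502CD",
         ProcessName="svchost.exe", Time="2019-08-04T04:48:36.440Z",
         SHA256="438b6ccd84f4dd32d9684ed7d58fd7d1e5a75fe3f3d12ab6c788e6bb0ffad5e7",
         MD5="36f670d89040709013f6a460176767ec"),
    dict(_COMMON, ProcessID="5432", EventType="process", ProcessUID="DAB10F03FC995CCA",
         ProcessName="VSSVC.exe", Time="2019-08-04T04:48:26.439Z",
         SHA256="29c18ccdb5077ee158ee591e2226f2c95d27a0f26f259c16c621ecc20b499bed",
         MD5="adf381b23416fd54d5dbb582dbb7992d"),
    dict(_COMMON, ProcessID="1636", EventType="ip", ProcessUID="1525CEC635947A9A",
         ProcessName="amazon-ssm-agent.exe", Time="2019-06-27T08:01:32.077Z",
         SHA256=None, MD5=None),
] + [dict(_CHROME_FILE_EVENT) for _ in range(3)]  # the repeated file event


if __name__ == "__main__":
    args = build_query_args("AgentName Is Not Empty",
                            "2019-08-02T04:49:26.257525Z", "2019-08-04T04:49:26.257525Z")
    print(args, "limit:", clamp_limit(10))
    unique = dedupe_events(SAMPLE_EVENTS)
    print(len(SAMPLE_EVENTS), "events,", len(unique), "unique")
    print(hashes_by_endpoint(unique))
```

The dedupe key is (ProcessUID, EventType, Time) rather than ProcessUID alone, because one process legitimately produces several distinct ip, file or dns events.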

24. Get a list of Deep Visibility events by process


Gets the Deep Visibility events of event type process for the specified query.

Base Command
sentinelone-get-processes
Input
Argument Name Description Required
query_id The query ID returned by the sentinelone-create-query command. Example: “q1xx2xx3”. Required
limit Maximum number of items to return (1-100). Default is “50”. Optional

Context Output
Path Type Description
SentinelOne.Event.ParentProcessID Number Parent process ID.
SentinelOne.Event.ProcessUID String The process unique identifier.
SentinelOne.Event.SHA1 String SHA1 hash of the process image.
SentinelOne.Event.SubsystemType String Process sub-system.
SentinelOne.Event.ParentProcessStartTime Date The parent process start time.
SentinelOne.Event.ProcessID Number The process ID.
SentinelOne.Event.ParentProcessUID String Parent process unique identifier.
SentinelOne.Event.User String User assigned to the event.
SentinelOne.Event.Time Date Start time of the process.
SentinelOne.Event.ParentProcessName String Parent process name.
SentinelOne.Event.SiteName String Site name.
SentinelOne.Event.EventType String The event type.
SentinelOne.Event.Endpoint String The agent name (endpoint).
SentinelOne.Event.IntegrityLevel String Process integrity level.
SentinelOne.Event.CMD String The process command line.
SentinelOne.Event.ProcessName String Process name.
SentinelOne.Event.ProcessDisplayName String Process display name.

Command Example

!sentinelone-get-processes query_id="q5b327f7c84162549eb1d568c968ff655"

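The context this command returns carries ParentProcessUID and ParentProcessName alongside each process, which is enough to reconstruct "what launched what". As an added example (not code from the integration), the Python below builds a parent/child tree from SentinelOne.Event entries, renders it as an indented listing, and walks a process back to its root; it skips ip and file events, which in the context example below reuse their own ProcessUID as ParentProcessUID. The sample records are constructed from that context example, trimmed to the fields used; the function names are my own.

```python
"""Process-tree view of sentinelone-get-processes output (added example)."""
from collections import defaultdict

# Constructed sample, trimmed from the get-processes context example.
SAMPLE_PROCESSES = [
    {"ProcessID": "5556", "EventType": "process", "ProcessUID": "10EEF25AF81502CD",
     "ProcessName": "svchost.exe", "ProcessDisplayName": "Host Process for Windows Services",
     "ParentProcessID": "560", "ParentProcessUID": "CFEE347DA897CF4C",
     "ParentProcessName": "Services and Controller app", "IntegrityLevel": "SYSTEM",
     "SHA1": "0dac68816ae7c09efc24d11c27c3274dfd147dee"},
    {"ProcessID": "5432", "EventType": "process", "ProcessUID": "DAB10F03FC995CCA",
     "ProcessName": "VSSVC.exe", "ProcessDisplayName": "Microsoft\u00ae Volume Shadow Copy Service",
     "ParentProcessID": "560", "ParentProcessUID": "CFEE347DA897CF4C",
     "ParentProcessName": "Services and Controller app", "IntegrityLevel": "SYSTEM",
     "SHA1": "cd5e7c15e7688d40d51d32b8286c2e1804a97349"},
    {"ProcessID": "1636", "EventType": "ip", "ProcessUID": "1525CEC635947A9A",
     "ProcessName": "amazon-ssm-agent.exe", "ParentProcessUID": "1525CEC635947A9A",
     "ParentProcessName": None, "IntegrityLevel": None},
    {"ProcessID": "3996", "EventType": "file", "ProcessUID": "84FEED6A0CB9C211",
     "ProcessName": "Google Chrome", "ParentProcessUID": "84FEED6A0CB9C211",
     "ParentProcessName": None, "IntegrityLevel": None},
]


def build_process_tree(events):
    """Index process events by ProcessUID and link children to their parent UID.

    Only EventType "process" entries are process launches; ip/file events reuse
    their own ProcessUID as ParentProcessUID and are skipped.
    """
    nodes = {}
    for ev in events:
        if ev.get("EventType") == "process" and ev.get("ProcessUID"):
            nodes.setdefault(ev["ProcessUID"], ev)
    children = defaultdict(list)
    for uid, ev in nodes.items():
        parent = ev.get("ParentProcessUID")
        if parent and parent != uid:
            children[parent].append(uid)
    return nodes, dict(children)


def ancestry(uid, nodes):
    """Process names from uid up to the root; when the parent is outside the
    result set the chain ends with the ParentProcessName the event carried."""
    chain, seen, cur = [], set(), uid
    while cur in nodes and cur not in seen:
        seen.add(cur)  # guards against a self-referencing or cyclic parent
        ev = nodes[cur]
        chain.append(ev["ProcessName"])
        parent = ev.get("ParentProcessUID")
        if parent not in nodes:
            if ev.get("ParentProcessName"):
                chain.append(ev["ParentProcessName"])
            break
        cur = parent
    return chain


def render_tree(nodes, children):
    """Indented listing; parents absent from the result set become root labels."""
    roots = defaultdict(list)
    for uid, ev in nodes.items():
        parent = ev.get("ParentProcessUID")
        if parent not in nodes:
            roots[(parent, ev.get("ParentProcessName") or "unknown parent")].append(uid)
    lines = []

    def walk(uid, depth):
        ev = nodes[uid]
        lines.append("  " * depth + f"{ev['ProcessName']} (pid {ev['ProcessID']}, {ev.get('IntegrityLevel')})")
        for child in children.get(uid, []):
            walk(child, depth + 1)

    for (parent, name), kids in roots.items():
        lines.append(f"[not in result set] {name} ({parent})")
        for kid in kids:
            walk(kid, 1)
    return lines


if __name__ == "__main__":
    nodes, children = build_process_tree(SAMPLE_PROCESSES)
    print("\n".join(render_tree(nodes, children)))
    print(" <- ".join(ancestry("10EEF25AF81502CD", nodes)))
```

In the sample both svchost.exe and VSSVC.exe hang off the same parent UID, which the query window did not return itself, so the tree shows it as an external root named from ParentProcessName.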
Context Example
{
    "SentinelOne.Event": [
        {
            "ProcessID": "5556", 
            "Time": "2019-08-04T04:48:36.440Z", 
            "CMD": null, 
            "ParentProcessStartTime": "2019-06-27T08:01:30.957Z", 
            "SHA1": "0dac68816ae7c09efc24d11c27c3274dfd147dee", 
            "ParentProcessID": "560", 
            "ProcessDisplayName": "Host Process for Windows Services", 
            "EventType": "process", 
            "ParentProcessName": "Services and Controller app", 
            "SubsystemType": "SYS_WIN32", 
            "ProcessUID": "10EEF25AF81502CD", 
            "ProcessName": "svchost.exe", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "CFEE347DA897CF4C", 
            "IntegrityLevel": "SYSTEM"
        }, 
        {
            "ProcessID": "5432", 
            "Time": "2019-08-04T04:48:26.439Z", 
            "CMD": null, 
            "ParentProcessStartTime": "2019-06-27T08:01:30.957Z", 
            "SHA1": "cd5e7c15e7688d40d51d32b8286c2e1804a97349", 
            "ParentProcessID": "560", 
            "ProcessDisplayName": "Microsoft\u00ae Volume Shadow Copy Service", 
            "EventType": "process", 
            "ParentProcessName": "Services and Controller app", 
            "SubsystemType": "SYS_WIN32", 
            "ProcessUID": "DAB10F03FC995CCA", 
            "ProcessName": "VSSVC.exe", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "CFEE347DA897CF4C", 
            "IntegrityLevel": "SYSTEM"
        }, 
        {
            "ProcessID": "1636", 
            "Time": "2019-06-27T08:01:32.077Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "ip", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "1525CEC635947A9A", 
            "ProcessName": "amazon-ssm-agent.exe", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "1525CEC635947A9A", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3872", 
            "Time": "2019-06-30T13:50:55.249Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "dns", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "25C25C96C5DED63C", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "25C25C96C5DED63C", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3872", 
            "Time": "2019-06-30T13:50:55.249Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "25C25C96C5DED63C", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "25C25C96C5DED63C", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3872", 
            "Time": "2019-06-30T13:50:55.249Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "25C25C96C5DED63C", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "25C25C96C5DED63C", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3872", 
            "Time": "2019-06-30T13:50:55.249Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "25C25C96C5DED63C", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "25C25C96C5DED63C", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3872", 
            "Time": "2019-06-30T13:50:55.249Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "25C25C96C5DED63C", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "25C25C96C5DED63C", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3872", 
            "Time": "2019-06-30T13:50:55.249Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "25C25C96C5DED63C", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "25C25C96C5DED63C", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3840", 
            "Time": "2019-08-04T04:17:52.041Z", 
            "CMD": null, 
            "ParentProcessStartTime": "2019-06-30T13:50:54.280Z", 
            "SHA1": "03ffc95e7d54a40b7fd42aba048248f64026ae24", 
            "ParentProcessID": "3996", 
            "ProcessDisplayName": "Google Chrome", 
            "EventType": "process", 
            "ParentProcessName": "Google Chrome", 
            "SubsystemType": "SYS_WIN32", 
            "ProcessUID": "73CBEE7BFDEA4128", 
            "ProcessName": "chrome.exe", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": "LOW"
        }, 
        {
            "ProcessID": "3872", 
            "Time": "2019-06-30T13:50:55.249Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "dns", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "25C25C96C5DED63C", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "25C25C96C5DED63C", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3872", 
            "Time": "2019-06-30T13:50:55.249Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "25C25C96C5DED63C", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "25C25C96C5DED63C", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3872", 
            "Time": "2019-06-30T13:50:55.249Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "25C25C96C5DED63C", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "25C25C96C5DED63C", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3872", 
            "Time": "2019-06-30T13:50:55.249Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "25C25C96C5DED63C", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "25C25C96C5DED63C", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3996", 
            "Time": "2019-06-30T13:50:54.280Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "file", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "84FEED6A0CB9C211", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "84FEED6A0CB9C211", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3872", 
            "Time": "2019-06-30T13:50:55.249Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "dns", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "25C25C96C5DED63C", 
            "ProcessName": "Google Chrome", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "25C25C96C5DED63C", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "3308", 
            "Time": "2019-06-27T08:04:32.183Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "scheduled_task", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "C4CBCB781DAA7B5F", 
            "ProcessName": "Windows Problem Reporting", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "C4CBCB781DAA7B5F", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "2508", 
            "Time": "2019-08-04T04:12:38.608Z", 
            "CMD": null, 
            "ParentProcessStartTime": "2019-06-27T08:01:31.423Z", 
            "SHA1": "f5cf72933752e92e5c41d1f6683a7c0863450670", 
            "ParentProcessID": "872", 
            "ProcessDisplayName": "Windows Problem Reporting", 
            "EventType": "process", 
            "ParentProcessName": "Host Process for Windows Services", 
            "SubsystemType": "SYS_WIN32", 
            "ProcessUID": "B25C1F9FCC7A718B", 
            "ProcessName": "wermgr.exe", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "6DCFCCC56860944F", 
            "IntegrityLevel": "SYSTEM"
        }, 
        {
            "ProcessID": "3308", 
            "Time": "2019-06-27T08:04:32.183Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "scheduled_task", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "C4CBCB781DAA7B5F", 
            "ProcessName": "Windows Problem Reporting", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "C4CBCB781DAA7B5F", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "4624", 
            "Time": "2019-08-04T04:09:34.054Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "dns", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "55F0E146874E0114", 
            "ProcessName": "Google Installer", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "55F0E146874E0114", 
            "IntegrityLevel": null
        }, 
        {
            "ProcessID": "4624", 
            "Time": "2019-08-04T04:09:34.054Z", 
            "CMD": null, 
            "ParentProcessStartTime": null, 
            "SHA1": null, 
            "ParentProcessID": null, 
            "ProcessDisplayName": null, 
            "EventType": "ip", 
            "ParentProcessName": null, 
            "SubsystemType": null, 
            "ProcessUID": "55F0E146874E0114", 
            "ProcessName": "Google Installer", 
            "Endpoint": "EC2AMAZ-AJ0KANC", 
            "SiteName": "demisto", 
            "User": null, 
            "ParentProcessUID": "55F0E146874E0114", 
            "IntegrityLevel": null
        }
    ]
}
Human Readable Output

SentinelOne Processes

EventType SiteName Time ParentProcessID ParentProcessUID ProcessName ParentProcessName ProcessDisplayName ProcessID ProcessUID SHA1 SubsystemType IntegrityLevel ParentProcessStartTime
process demisto 2019-08-04T04:48:36.440Z 560 CFEE347DA897CF4C svchost.exe Services and Controller app Host Process for Windows Services 5556 10EEF25AF81502CD 0dac68816ae7c09efc24d11c27c3274dfd147dee SYS_WIN32 SYSTEM 2019-06-27T08:01:30.957Z
process demisto 2019-08-04T04:48:26.439Z 560 CFEE347DA897CF4C VSSVC.exe Services and Controller app Microsoft® Volume Shadow Copy Service 5432 DAB10F03FC995CCA cd5e7c15e7688d40d51d32b8286c2e1804a97349 SYS_WIN32 SYSTEM 2019-06-27T08:01:30.957Z
ip demisto 2019-06-27T08:01:32.077Z 1525CEC635947A9A amazon-ssm-agent.exe 1636 1525CEC635947A9A
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
dns demisto 2019-06-30T13:50:55.249Z 25C25C96C5DED63C Google Chrome 3872 25C25C96C5DED63C
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:55.249Z 25C25C96C5DED63C Google Chrome 3872 25C25C96C5DED63C
file demisto 2019-06-30T13:50:55.249Z 25C25C96C5DED63C Google Chrome 3872 25C25C96C5DED63C
file demisto 2019-06-30T13:50:55.249Z 25C25C96C5DED63C Google Chrome 3872 25C25C96C5DED63C
file demisto 2019-06-30T13:50:55.249Z 25C25C96C5DED63C Google Chrome 3872 25C25C96C5DED63C
file demisto 2019-06-30T13:50:55.249Z 25C25C96C5DED63C Google Chrome 3872 25C25C96C5DED63C
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
process demisto 2019-08-04T04:17:52.041Z 3996 84FEED6A0CB9C211 chrome.exe Google Chrome Google Chrome 3840 73CBEE7BFDEA4128 03ffc95e7d54a40b7fd42aba048248f64026ae24 SYS_WIN32 LOW 2019-06-30T13:50:54.280Z
dns demisto 2019-06-30T13:50:55.249Z 25C25C96C5DED63C Google Chrome 3872 25C25C96C5DED63C
file demisto 2019-06-30T13:50:55.249Z 25C25C96C5DED63C Google Chrome 3872 25C25C96C5DED63C
file demisto 2019-06-30T13:50:55.249Z 25C25C96C5DED63C Google Chrome 3872 25C25C96C5DED63C
file demisto 2019-06-30T13:50:55.249Z 25C25C96C5DED63C Google Chrome 3872 25C25C96C5DED63C
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
file demisto 2019-06-30T13:50:54.280Z 84FEED6A0CB9C211 Google Chrome 3996 84FEED6A0CB9C211
dns demisto 2019-06-30T13:50:55.249Z 25C25C96C5DED63C Google Chrome 3872 25C25C96C5DED63C
scheduled_task demisto 2019-06-27T08:04:32.183Z C4CBCB781DAA7B5F Windows Problem Reporting 3308 C4CBCB781DAA7B5F
process demisto 2019-08-04T04:12:38.608Z 872 6DCFCCC56860944F wermgr.exe Host Process for Windows Services Windows Problem Reporting 2508 B25C1F9FCC7A718B f5cf72933752e92e5c41d1f6683a7c0863450670 SYS_WIN32 SYSTEM 2019-06-27T08:01:31.423Z
scheduled_task demisto 2019-06-27T08:04:32.183Z C4CBCB781DAA7B5F Windows Problem Reporting 3308 C4CBCB781DAA7B5F
dns demisto 2019-08-04T04:09:34.054Z 55F0E146874E0114 Google Installer 4624 55F0E146874E0114
ip demisto 2019-08-04T04:09:34.054Z 55F0E146874E0114 Google Installer 4624 55F0E146874E0114

25. Shutdown agent


Shuts down an agent by agent ID.

Base Command
sentinelone-shutdown-agent
Input
Argument Name Description Required
query A free-text search term that matches applicable attributes (sub-string match). Note: a device's physical addresses are matched only if they start with the search term, not if they merely contain it. Optional
agent_id A CSV list of agent IDs to shut down. Optional
group_id The ID of the network group. Optional

Context Output
Path Type Description
SentinelOne.Agent.ID String The ID of the agent that was shutdown.

Command Example
!sentinelone-shutdown-agent agent_id=685993599964815937
Human Readable Output

Shutting down 1 agent(s).

26. Uninstall an agent


Uninstalls an agent by agent ID.

Base Command
sentinelone-uninstall-agent
Input
Argument Name Description Required
query A free-text search term that matches applicable attributes (sub-string match). Note: a device's physical addresses are matched only if they start with the search term, not if they merely contain it. Optional
agent_id A CSV list of agent IDs to uninstall. Optional
group_id The ID of the network group. Optional

Context Output

There is no context output for this command.

Command Example
!sentinelone-uninstall-agent agent_id=685993599964815937
Human Readable Output

Uninstall was sent to 1 agent(s).
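Both the shutdown command (25) and the uninstall command (26) take the same three scoping arguments (query, agent_id, group_id) and both are destructive, so the thing a practitioner most wants around them is a scope check before anything is sent. The following is an added example for both commands, not code from the SentinelOne v2 integration itself: it parses the CSV agent_id/group_id arguments, builds the filter, refuses to build a request whose filter is empty, and formats the human-readable line and the SentinelOne.Agent.ID context entries shown above. The API paths under /web/api/v2.0/agents/actions/, the filter key names ids/groupIds/query, the {"data": {"affected": N}} response shape, and the assumption that an unconstrained filter would apply the action to every agent are all assumptions, not taken from this page.

```python
"""Scope checks and request building for the shutdown / uninstall agent commands.

Added example, not code from the SentinelOne v2 integration. Anything marked
ASSUMED in the comments is not stated on the page.
"""
from __future__ import annotations

import json
from typing import Optional

# ASSUMED: SentinelOne v2 action endpoints, each taking a JSON body {"filter": {...}}.
ACTION_PATHS = {
    "shutdown": "/web/api/v2.0/agents/actions/shutdown",
    "uninstall": "/web/api/v2.0/agents/actions/uninstall",
}

# Wording taken from the page's Human Readable Output for each command.
HUMAN_READABLE = {
    "shutdown": "Shutting down {n} agent(s).",
    "uninstall": "Uninstall was sent to {n} agent(s).",
}


def parse_csv_ids(arg: Optional[str]) -> list[str]:
    """Turn the CSV agent_id / group_id argument into a clean ID list.

    Blank entries are dropped, duplicates removed (order kept) and every ID
    must be all digits, the shape of the IDs on this page (685993599964815937).
    A malformed ID raises rather than being sent to the server.
    """
    ids: list[str] = []
    for raw in (arg or "").split(","):
        item = raw.strip()
        if not item:
            continue
        if not item.isdigit():
            raise ValueError(f"not a SentinelOne ID: {item!r}")
        if item not in ids:
            ids.append(item)
    return ids


def build_agent_filter(query: Optional[str] = None,
                       agent_id: Optional[str] = None,
                       group_id: Optional[str] = None) -> dict:
    """Map the three command arguments onto an API filter.

    ASSUMED filter key names: "ids", "groupIds", "query". Empty arguments are
    omitted so the server is never sent an empty list or blank query.
    """
    agent_filter: dict = {}
    ids = parse_csv_ids(agent_id)
    groups = parse_csv_ids(group_id)
    if ids:
        agent_filter["ids"] = ids
    if groups:
        agent_filter["groupIds"] = groups
    if query and query.strip():
        agent_filter["query"] = query.strip()
    return agent_filter


def scope_problems(agent_filter: dict, max_agents: int = 50) -> list[str]:
    """Return reasons the action should NOT be sent (empty list = safe to send).

    ASSUMED: an unconstrained filter would apply the action to every agent, so
    an empty filter is refused. A long explicit ID list is also flagged so an
    analyst confirms it instead of a playbook typo taking down the estate.
    """
    problems = []
    if not agent_filter:
        problems.append("no scope given: an unconstrained filter would apply the action to every agent")
    if len(agent_filter.get("ids", [])) > max_agents:
        problems.append(f"{len(agent_filter['ids'])} agent IDs exceed the confirmation threshold of {max_agents}")
    return problems


def build_action_request(action: str, **args) -> tuple[str, str]:
    """Return (path, json_body) for a shutdown or uninstall action, or raise."""
    if action not in ACTION_PATHS:
        raise ValueError(f"unknown action {action!r}")
    agent_filter = build_agent_filter(**args)
    problems = scope_problems(agent_filter)
    if problems:
        raise ValueError("; ".join(problems))
    return ACTION_PATHS[action], json.dumps({"filter": agent_filter}, sort_keys=True)


def human_readable(action: str, response: dict) -> str:
    """Format the page's human-readable line. ASSUMED response: {"data": {"affected": N}}."""
    affected = int(response.get("data", {}).get("affected", 0))
    return HUMAN_READABLE[action].format(n=affected)


def agent_context(agent_id: Optional[str]) -> list[dict]:
    """Build the SentinelOne.Agent.ID context entries listed on the page."""
    return [{"ID": aid} for aid in parse_csv_ids(agent_id)]


if __name__ == "__main__":
    # Constructed sample using the agent ID from the page's command example.
    path, body = build_action_request("shutdown", agent_id="685993599964815937")
    print(path, body)
    print(human_readable("shutdown", {"data": {"affected": 1}}))  # constructed response
    print(agent_context("685993599964815937"))
```

The threshold in scope_problems is a policy knob: for a playbook that responds to a single incident, a low value is appropriate, while a bulk maintenance automation can raise it deliberately. The point is that the refusal happens before the request leaves the integration, not after the "Shutting down N agent(s)." line has already been written to the War Room.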