...
Cyber security that prevents threats at faster speed, greater scale, and higher accuracy than humanly possible.
Connect SentinelOne with Devo SOAR
Navigate to Automations > Integrations.
Search for SentinelOne.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
Verify SSL: Select whether to verify the connecting server's SSL certificate (the default is Verify SSL Certificate).
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
Server URL: API URL for SentinelOne. Example: https://host/web/api/v2.1
Token: Token for authentication with SentinelOne server.
After you've entered all the details, click Connect.
Actions for SentinelOne
Connects Agent To Network
Connects agent to network
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Agent ID | Jinja-templated agent ID which is to be connected to the network. Example: {{agent_id_column}} | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
...
Disconnects Agent From Network
Disconnects agent from network
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Agent ID | Jinja-templated agent ID which is to be disconnected from the network. Example: {{agent_id_column}} | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Disconnects Agent From Network Data

```json
{
  "locations": null,
  "osStartTime": "2021-01-12T20:40:27Z",
  "rangerVersion": null,
  "cloudProviders": {},
  "osArch": "64 bit",
  "licenseKey": "",
  "updatedAt": "2021-09-06T16:36:34.926026Z",
  "externalId": "",
  "networkInterfaces": [
    {
      "name": "ens3",
      "gatewayIp": "10.0.0.1",
      "inet6": [],
      "gatewayMacAddress": "00:00:17:31:2e:8e",
      "id": "1184207949927894021",
      "inet": ["10.0.0.2"],
      "physical": "02:00:17:09:AC:E4"
    },
    {
      "name": "docker0",
      "gatewayIp": null,
      "inet6": [],
      "gatewayMacAddress": null,
      "id": "1184207949927894022",
      "inet": ["172.17.0.1"],
      "physical": "02:42:2D:5A:F2:4C"
    }
  ],
  "lastActiveDate": "2021-09-06T16:35:30.729725Z",
  "networkStatus": "connecting",
  "locationEnabled": false,
  "lastIpToMgmt": "10.0.0.2",
  "accountName": "SentinelOne",
  "threatRebootRequired": false,
  "scanStartedAt": "2021-06-22T21:30:56.771107Z",
  "domain": "sub01122036110.default.oraclevcn.com",
  "uuid": "8680d9d2-16d3-2915-b736-2b4d2f4d6faf",
  "lastLoggedInUserName": "",
  "networkQuarantineEnabled": false,
  "isUninstalled": false,
  "scanStatus": "finished",
  "userActionsNeeded": [],
  "osUsername": "root",
  "cpuCount": 1,
  "storageType": null,
  "coreCount": 2,
  "isPendingUninstall": false,
  "firewallEnabled": true,
  "accountId": "433241117337583618",
  "mitigationMode": "protect",
  "activeThreats": 0,
  "registeredAt": "2021-06-22T21:29:48.386746Z",
  "machineType": "server",
  "groupId": "1184166245199854505",
  "infected": false,
  "modelName": "QEMU Standard PC (i440FX + PIIX, 1996)",
  "consoleMigrationStatus": "N/A",
  "storageName": null,
  "has_error": false,
  "siteName": "LogicHub",
  "id": "1184207949919505412",
  "scanFinishedAt": "2021-06-23T00:03:51.386826Z",
  "error": null,
  "remoteProfilingStateExpiration": null,
  "installerType": ".rpm",
  "groupName": "Default Group",
  "encryptedApplications": false,
  "remoteProfilingState": "disabled",
  "osType": "linux",
  "totalMemory": 688,
  "externalIp": "129.213.58.77",
  "createdAt": "2021-06-22T21:29:48.389992Z",
  "osName": "Linux",
  "isActive": true,
  "agentVersion": "21.6.3.7",
  "inRemoteShellSession": false,
  "isUpToDate": true,
  "allowRemoteShell": true,
  "cpuId": "AMD EPYC 7551 32-Core Processor",
  "mitigationModeSuspicious": "detect",
  "isDecommissioned": false,
  "siteId": "1184166245183077288",
  "computerName": "instance-20210112-1436",
  "locationType": "not_supported",
  "operationalStateExpiration": null,
  "rangerStatus": "NotApplicable",
  "scanAbortedAt": null,
  "activeDirectory": {
    "computerDistinguishedName": null,
    "lastUserMemberOf": [],
    "computerMemberOf": [],
    "lastUserDistinguishedName": null
  },
  "operationalState": "na",
  "osRevision": "Oracle Server release 7.9 5.4.17-2036.102.0.2.el7uek.x86_64",
  "appsVulnerabilityStatus": "not_applicable",
  "groupIp": "129.213.58.x"
}
```
Create Query
Runs a Deep Visibility Query and returns the queryId. You can use the queryId for all other commands, such as the sentinelone-get-events command.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated query used for creating the query. Example: EndpointName exists. | Required |
From Date | Jinja-templated from date used for creating the query. Format: %Y-%m-%dT%H:%M:%SZ, Example: 2021-06-22T21:29:48Z | Required |
To Date | Jinja-templated to date used for creating the query. Format: %Y-%m-%dT%H:%M:%SZ, Example: 2021-06-22T21:29:48Z | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
...
Get Agent
Get agent details by agent ID
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Agent ID | Jinja-templated agent ID which is to be fetched. Example: {{agent_id_column}} | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Agent Data

```json
{
  "locations": null,
  "osStartTime": "2021-01-12T20:40:27Z",
  "rangerVersion": null,
  "cloudProviders": {},
  "osArch": "64 bit",
  "licenseKey": "",
  "updatedAt": "2021-09-06T04:27:29.724745Z",
  "externalId": "",
  "networkInterfaces": [
    {
      "name": "ens3",
      "gatewayIp": "10.0.0.1",
      "inet6": [],
      "gatewayMacAddress": "00:00:17:31:2e:8e",
      "id": "1184207949927894021",
      "inet": ["10.0.0.2"],
      "physical": "02:00:17:09:AC:E4"
    },
    {
      "name": "docker0",
      "gatewayIp": null,
      "inet6": [],
      "gatewayMacAddress": null,
      "id": "1184207949927894022",
      "inet": ["172.17.0.1"],
      "physical": "02:42:2D:5A:F2:4C"
    }
  ],
  "lastActiveDate": "2021-09-06T16:32:30.729967Z",
  "networkStatus": "connected",
  "locationEnabled": false,
  "lastIpToMgmt": "10.0.0.2",
  "accountName": "SentinelOne",
  "threatRebootRequired": false,
  "scanStartedAt": "2021-06-22T21:30:56.771107Z",
  "domain": "sub01122036110.default.oraclevcn.com",
  "uuid": "8680d9d2-16d3-2915-b736-2b4d2f4d6faf",
  "lastLoggedInUserName": "",
  "networkQuarantineEnabled": false,
  "isUninstalled": false,
  "scanStatus": "finished",
  "userActionsNeeded": [],
  "osUsername": "root",
  "cpuCount": 1,
  "storageType": null,
  "coreCount": 2,
  "isPendingUninstall": false,
  "firewallEnabled": true,
  "accountId": "433241117337583618",
  "mitigationMode": "protect",
  "activeThreats": 0,
  "registeredAt": "2021-06-22T21:29:48.386746Z",
  "machineType": "server",
  "groupId": "1184166245199854505",
  "infected": false,
  "modelName": "QEMU Standard PC (i440FX + PIIX, 1996)",
  "consoleMigrationStatus": "N/A",
  "storageName": null,
  "has_error": false,
  "siteName": "LogicHub",
  "id": "1184207949919505412",
  "scanFinishedAt": "2021-06-23T00:03:51.386826Z",
  "error": null,
  "remoteProfilingStateExpiration": null,
  "installerType": ".rpm",
  "groupName": "Default Group",
  "encryptedApplications": false,
  "remoteProfilingState": "disabled",
  "osType": "linux",
  "totalMemory": 688,
  "externalIp": "129.213.58.77",
  "createdAt": "2021-06-22T21:29:48.389992Z",
  "osName": "Linux",
  "isActive": true,
  "agentVersion": "21.6.3.7",
  "inRemoteShellSession": false,
  "isUpToDate": true,
  "allowRemoteShell": true,
  "cpuId": "AMD EPYC 7551 32-Core Processor",
  "mitigationModeSuspicious": "detect",
  "isDecommissioned": false,
  "siteId": "1184166245183077288",
  "computerName": "instance-20210112-1436",
  "locationType": "not_supported",
  "operationalStateExpiration": null,
  "rangerStatus": "NotApplicable",
  "scanAbortedAt": null,
  "activeDirectory": {
    "computerDistinguishedName": null,
    "lastUserMemberOf": [],
    "computerMemberOf": [],
    "lastUserDistinguishedName": null
  },
  "operationalState": "na",
  "osRevision": "Oracle Server release 7.9 5.4.17-2036.102.0.2.el7uek.x86_64",
  "appsVulnerabilityStatus": "not_applicable",
  "groupIp": "129.213.58.x"
}
```
Get Events
Fetch all deep visibility events that match the query.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query ID | Jinja-templated query ID which is to be fetched. Example: {{query_id_column}} | Required |
Limit | Limit for number of events to be fetched. (Default is 100000) | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
...
List Agents
List all agents matching the input filter
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Minimum Active Threats | Jinja-templated minimum active threats. Agents with active threats greater than this value will be fetched. Example: {{minimum_active_threats}} | Required |
Computer Name | Jinja-templated computer name. Example: {{computer_name_column}} | Required |
Scan Status | Jinja-templated scan status. Example: {{scan_status_column}} | Required |
OS Type | Jinja-templated OS type. Example: {{os_type_column}} | Required |
Created At | Jinja-templated date representing the created date of the agent. Format: %Y-%m-%dT%H:%M:%SZ, Example: 2021-06-22T21:29:48Z | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List Agents Data

```json
{
  "locations": null,
  "osStartTime": "2021-01-12T20:40:27Z",
  "rangerVersion": null,
  "cloudProviders": {},
  "osArch": "64 bit",
  "licenseKey": "",
  "updatedAt": "2021-09-06T04:27:29.724745Z",
  "externalId": "",
  "networkInterfaces": [
    {
      "gatewayIp": "10.0.0.1",
      "gatewayMacAddress": "00:00:17:31:2e:8e",
      "id": "1184207949927894021",
      "inet": ["10.0.0.2"],
      "inet6": [],
      "name": "ens3",
      "physical": "02:00:17:09:AC:E4"
    },
    {
      "gatewayIp": null,
      "gatewayMacAddress": null,
      "id": "1184207949927894022",
      "inet": ["172.17.0.1"],
      "inet6": [],
      "name": "docker0",
      "physical": "02:42:2D:5A:F2:4C"
    }
  ],
  "lastActiveDate": "2021-09-06T16:19:00.729942Z",
  "networkStatus": "connected",
  "locationEnabled": false,
  "lastIpToMgmt": "10.0.0.2",
  "accountName": "SentinelOne",
  "threatRebootRequired": false,
  "scanStartedAt": "2021-06-22T21:30:56.771107Z",
  "domain": "sub01122036110.default.oraclevcn.com",
  "uuid": "8680d9d2-16d3-2915-b736-2b4d2f4d6faf",
  "lastLoggedInUserName": "",
  "networkQuarantineEnabled": false,
  "isUninstalled": false,
  "scanStatus": "finished",
  "userActionsNeeded": [],
  "osUsername": "root",
  "cpuCount": 1,
  "storageType": null,
  "coreCount": 2,
  "isPendingUninstall": false,
  "firewallEnabled": true,
  "accountId": "433241117337583618",
  "mitigationMode": "protect",
  "activeThreats": 0,
  "registeredAt": "2021-06-22T21:29:48.386746Z",
  "machineType": "server",
  "groupId": "1184166245199854505",
  "infected": false,
  "modelName": "QEMU Standard PC (i440FX + PIIX, 1996)",
  "consoleMigrationStatus": "N/A",
  "storageName": null,
  "has_error": false,
  "siteName": "LogicHub",
  "id": "1184207949919505412",
  "scanFinishedAt": "2021-06-23T00:03:51.386826Z",
  "error": null,
  "remoteProfilingStateExpiration": null,
  "installerType": ".rpm",
  "groupName": "Default Group",
  "encryptedApplications": false,
  "remoteProfilingState": "disabled",
  "osType": "linux",
  "totalMemory": 688,
  "externalIp": "129.213.58.77",
  "createdAt": "2021-06-22T21:29:48.389992Z",
  "osName": "Linux",
  "isActive": true,
  "agentVersion": "21.6.3.7",
  "inRemoteShellSession": false,
  "isUpToDate": true,
  "allowRemoteShell": true,
  "cpuId": "AMD EPYC 7551 32-Core Processor",
  "mitigationModeSuspicious": "detect",
  "isDecommissioned": false,
  "siteId": "1184166245183077288",
  "computerName": "instance-20210112-1436",
  "locationType": "not_supported",
  "operationalStateExpiration": null,
  "rangerStatus": "NotApplicable",
  "scanAbortedAt": null,
  "activeDirectory": {
    "computerDistinguishedName": null,
    "computerMemberOf": [],
    "lastUserDistinguishedName": null,
    "lastUserMemberOf": []
  },
  "operationalState": "na",
  "osRevision": "Oracle Server release 7.9 5.4.17-2036.102.0.2.el7uek.x86_64",
  "appsVulnerabilityStatus": "not_applicable",
  "groupIp": "129.213.58.x"
}
```
Shutdown Agent
Shuts down the agents that match the filters
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated query for shutting down the agents. Example: {{query_column}} | Required |
Agent IDs | Jinja-templated comma-separated agent IDs which are to be shut down. Example: {{agent_id_column}} | Required |
Group IDs | Jinja-templated comma-separated group IDs. Example: {{group_id_column}} | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
...
Dashboard Threat Summary
Dashboard threat summary for sites and groups
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Site IDs | Jinja-templated comma-separated site IDs for which the threat summary needs to be pulled. Example: {{site_id_column}} | Required |
Group IDs | Jinja-templated comma-separated group IDs. Example: {{group_id_column}} | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Dashboard Threat Summary Data

```json
{
  "has_error": false,
  "data": {
    "notResolved": 0,
    "resolved": 0,
    "suspiciousNotMitigatedNotResolved": 0,
    "suspiciousNotResolved": 0,
    "notMitigatedNotResolved": 0,
    "inProgress": 0,
    "total": 0,
    "maliciousNotResolved": 0,
    "notMitigated": 0
  },
  "error": null
}
```
Get Activities
Get the activities, and their data, that match the filters.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Params | Jinja-templated JSON containing the params for the SentinelOne API. | Optional |
Limit | Limit for the number of events to be fetched. (Default is 100000) | Optional |
Output
JSON containing the following items:
...
```json
{
  "accountId": "234523452345",
  "accountName": "SOME COMPANY",
  "activityType": 3456,
  "activityUuid": "3aasdfasdf-asdf-4709-asdf-c12341234",
  "agentId": "1212341234653467471242",
  "agentUpdatedVersion": null,
  "comments": null,
  "createdAt": "2022-06-12T07:53:35.342143Z",
  "data": {
    "accountName": "SOME COMPANY",
    "agentipv4": "192.168.1.1",
    "alertid": 1234534635156700,
    "detectedat": 1655020403994,
    "dnsrequest": "",
    "dnsresponse": "",
    "dstip": "",
    "dstport": 0,
    "dveventid": "",
    "dveventtype": "PROCESSCREATION",
    "externalip": "1.16.5.19",
    "fullScopeDetails": "Group Default group in Site Default site of Account SOME COMPANY",
    "fullScopeDetailsPath": "Global / Default site / Default group",
    "groupName": "Default group",
    "indicatorcategory": "",
    "indicatordescription": "",
    "indicatorname": "",
    "k8sclustername": "",
    "k8scontainerid": "",
    "k8scontainerimage": "",
    "k8scontainerlabels": "",
    "k8scontainername": "",
    "k8scontrollerkind": "",
    "k8scontrollerlabels": "",
    "k8scontrollername": "",
    "k8snamespace": "",
    "k8snamespacelabels": "",
    "k8snode": "",
    "k8spod": "",
    "k8spodlabels": "",
    "loginaccountdomain": "",
    "loginaccountsid": "",
    "loginisadministratorequivalent": "",
    "loginissuccessful": "",
    "loginsusername": "",
    "logintype": "",
    "modulepath": "",
    "modulesha1": "",
    "neteventdirection": "",
    "origagentmachinetype": "laptop",
    "origagentname": "DFGH-123",
    "origagentosfamily": "windows",
    "origagentosname": "Windows 10 Pro",
    "origagentosrevision": "19044",
    "origagentsiteid": "92345234523452345",
    "origagentuuid": "7f23f524d5s2f52345d1fds5xe11fb",
    "origagentversion": "1.7.5.80",
    "physical": "f1:12:01:5r:5h:d9",
    "registrykeypath": "",
    "registryoldvalue": "",
    "registryoldvaluetype": "",
    "registrypath": "",
    "registryvalue": "",
    "ruledescription": "Rule to monitor new process creation where proc name contains AnyDesk.",
    "ruleid": 23452345345,
    "rulename": "block-somesoft",
    "rulescopeid": 9234523456324515400,
    "rulescopelevel": "E_TENANT",
    "scopeId": 951234512451345,
    "scopeLevel": "Group",
    "scopeName": "Default group",
    "severity": "E_LOW",
    "siteName": "Default site",
    "sourcename": "STAR",
    "sourceparentprocesscommandline": "wininit.exe",
    "sourceparentprocessintegritylevel": "system",
    "sourceparentprocesskey": "4BADB78887DE5F2F",
    "userName": "RANDOM name",
    "some more fields here": "asdfasdf"
  },
  "description": null,
  "error": null,
  "groupId": "9123412354567567",
  "groupName": "Default group",
  "has_error": false,
  "hash": null,
  "id": "3457478654763456595",
  "osFamily": null,
  "primaryDescription": "Alert created for services.exe",
  "secondaryDescription": "d7a345y3t4t243r2r2345twas4t51de54",
  "siteId": "9523456467534234583",
  "siteName": "Default site",
  "threatId": null,
  "updatedAt": "2022-06-12T07:53:35.339591Z",
  "userId": "134567456472345234511"
}
```
Disconnect From Network
Use this action to isolate (quarantine) endpoints from the network, if the endpoints match the filter.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Params | Jinja-templated JSON containing the params for the SentinelOne API. | Optional |
Body | Jinja-templated JSON containing the body for the SentinelOne API. | Optional |
Output
JSON containing the following items:
...
```json
{
  "has_error": true,
  "error_response": {
    "errors": [
      {
        "code": 4030010,
        "detail": null,
        "title": "Insufficient permissions"
      }
    ]
  },
  "error": "An error occurred: 403 Client Error: FORBIDDEN for url: https://test.sentinelone.net/web/api/v2.1/agents/actions/disconnect"
}
```
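The helper below is an added example, not code from the Devo SOAR integration: it validates Create Query inputs in the date format documented above and reduces the action output rows shown on this page (an agent record, the Dashboard Threat Summary, and the 403 error row above) to a small triage summary by following the has_error/error contract. The sample rows are constructed and abridged from this page's outputs, and the needs_attention rule is this example's own choice, not a product field.

```python
import json
from datetime import datetime

DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"  # the date format Create Query and List Agents expect


def build_create_query_inputs(query, from_date, to_date, pause_ms=0):
    """Validate Create Query inputs; returns them keyed by the action's input names."""
    # Both dates must parse with DATE_FMT and the window must be non-empty.
    start = datetime.strptime(from_date, DATE_FMT)
    end = datetime.strptime(to_date, DATE_FMT)
    if start >= end:
        raise ValueError("From Date must be earlier than To Date")
    if pause_ms < 0:
        raise ValueError("Time between consecutive API requests cannot be negative")
    return {
        "Query": query,
        "From Date": from_date,
        "To Date": to_date,
        "Time between consecutive API requests (in millis)": pause_ms,
    }


def classify_result(row):
    """Reduce one output row to a triage summary using the has_error/error contract."""
    # Recognises the error row, the agent row and the Dashboard Threat Summary row.
    if row.get("has_error"):
        errors = row.get("error_response", {}).get("errors", [])
        return {
            "kind": "error",
            "codes": [e.get("code") for e in errors],
            "titles": [e.get("title") for e in errors],
            "message": row.get("error"),
        }
    if "networkStatus" in row:
        # Agent row: needs_attention is this example's own rule, not a product field.
        return {
            "kind": "agent",
            "agent_id": row.get("id"),
            "computer": row.get("computerName"),
            "network_status": row.get("networkStatus"),
            "needs_attention": bool(
                row.get("infected")
                or row.get("activeThreats", 0) > 0
                or not row.get("isUpToDate", True)
            ),
        }
    if isinstance(row.get("data"), dict) and "notResolved" in row["data"]:
        d = row["data"]
        return {"kind": "threat_summary", "open": d["notResolved"], "total": d["total"]}
    return {"kind": "unknown"}


# Constructed sample rows, abridged from the outputs documented on this page.
DISCONNECT_403 = json.loads(
    '{"has_error": true, "error_response": {"errors": [{"code": 4030010,'
    ' "detail": null, "title": "Insufficient permissions"}]},'
    ' "error": "An error occurred: 403 Client Error: FORBIDDEN for url:'
    ' https://test.sentinelone.net/web/api/v2.1/agents/actions/disconnect"}'
)
AGENT_ROW = {"id": "1184207949919505412", "computerName": "instance-20210112-1436",
             "networkStatus": "connecting", "infected": False, "activeThreats": 0,
             "isUpToDate": True, "has_error": False, "error": None}
SUMMARY_ROW = {"has_error": False, "error": None,
               "data": {"notResolved": 0, "resolved": 0, "inProgress": 0, "total": 0}}
```

A playbook step that routes on `kind` can retry or escalate a 403 (code 4030010 here means the token lacks the permission for the action) instead of treating an error row as a successful isolation.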
Release Notes
v2.1.1
- Added 2 new actions: Get Activities and Disconnect From Network
v2.0.0
- Updated architecture to support IO via filesystem
v1.1.1
- Added documentation link in the automation library.
...