SentinelOne
Cyber security that prevents threats at faster speed, greater scale, and higher accuracy than humanly possible.

Connect SentinelOne with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for SentinelOne.

  3. Click Details, then the + icon, and fill in the following fields:

     • Label: a name for the connection.

     • Reference Values: variables used to templatize the connection and its actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

     • Verify SSL: whether to verify the connecting server's SSL certificate (default: Verify SSL Certificate). Leave verification on unless the connection goes through an inspection proxy whose CA you have deliberately trusted; with it off, any host that can intercept the connection can read the token.

     • Remote Agent: run this integration through the Devo SOAR Remote Agent.

     • Server URL: the SentinelOne API base URL. Example: https://host/web/api/v2.1

     • Token: API token for authenticating to the SentinelOne server. The token carries the rights of the SentinelOne user it was generated for, so generate it from a dedicated service user whose role is limited to what the actions below need (agent network connect/disconnect, agent shutdown, Deep Visibility queries and activities), and rotate it when that user or its role changes.

  4. After you've entered all the details, click Connect.

Actions for SentinelOne

Connects Agent To Network

Reconnects an isolated agent to the network.

Input Field

Choose a connection that you have previously created and then fill in the following input fields to run the action.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Agent ID | Jinja-templated agent ID which is to be connected to the network. Example: {{agent_id_column}} | Required |
| Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Connects Agent To Network Data

```json
{
  "locations": null,
  "osStartTime": "2021-01-12T20:40:27Z",
  "rangerVersion": null,
  "cloudProviders": {},
  "osArch": "64 bit",
  "licenseKey": "",
  "updatedAt": "2021-09-06T16:36:34.926026Z",
  "externalId": "",
  "networkInterfaces": [
    {
      "name": "ens3",
      "gatewayIp": "10.0.0.1",
      "inet6": [],
      "gatewayMacAddress": "00:00:17:31:2e:8e",
      "id": "1184207949927894021",
      "inet": ["10.0.0.2"],
      "physical": "02:00:17:09:AC:E4"
    },
    {
      "name": "docker0",
      "gatewayIp": null,
      "inet6": [],
      "gatewayMacAddress": null,
      "id": "1184207949927894022",
      "inet": ["172.17.0.1"],
      "physical": "02:42:2D:5A:F2:4C"
    }
  ],
  "lastActiveDate": "2021-09-06T16:35:30.729725Z",
  "networkStatus": "connecting",
  "locationEnabled": false,
  "lastIpToMgmt": "10.0.0.2",
  "accountName": "SentinelOne",
  "threatRebootRequired": false,
  "scanStartedAt": "2021-06-22T21:30:56.771107Z",
  "domain": "sub01122036110.default.oraclevcn.com",
  "uuid": "8680d9d2-16d3-2915-b736-2b4d2f4d6faf",
  "lastLoggedInUserName": "",
  "networkQuarantineEnabled": false,
  "isUninstalled": false,
  "scanStatus": "finished",
  "userActionsNeeded": [],
  "osUsername": "root",
  "cpuCount": 1,
  "storageType": null,
  "coreCount": 2,
  "isPendingUninstall": false,
  "firewallEnabled": true,
  "accountId": "433241117337583618",
  "mitigationMode": "protect",
  "activeThreats": 0,
  "registeredAt": "2021-06-22T21:29:48.386746Z",
  "machineType": "server",
  "groupId": "1184166245199854505",
  "infected": false,
  "modelName": "QEMU Standard PC (i440FX + PIIX, 1996)",
  "consoleMigrationStatus": "N/A",
  "storageName": null,
  "has_error": false,
  "siteName": "LogicHub",
  "id": "1184207949919505412",
  "scanFinishedAt": "2021-06-23T00:03:51.386826Z",
  "error": null,
  "remoteProfilingStateExpiration": null,
  "installerType": ".rpm",
  "groupName": "Default Group",
  "encryptedApplications": false,
  "remoteProfilingState": "disabled",
  "osType": "linux",
  "totalMemory": 688,
  "externalIp": "129.213.58.77",
  "createdAt": "2021-06-22T21:29:48.389992Z",
  "osName": "Linux",
  "isActive": true,
  "agentVersion": "21.6.3.7",
  "inRemoteShellSession": false,
  "isUpToDate": true,
  "allowRemoteShell": true,
  "cpuId": "AMD EPYC 7551 32-Core Processor",
  "mitigationModeSuspicious": "detect",
  "isDecommissioned": false,
  "siteId": "1184166245183077288",
  "computerName": "instance-20210112-1436",
  "locationType": "not_supported",
  "operationalStateExpiration": null,
  "rangerStatus": "NotApplicable",
  "scanAbortedAt": null,
  "activeDirectory": {
    "computerDistinguishedName": null,
    "lastUserMemberOf": [],
    "computerMemberOf": [],
    "lastUserDistinguishedName": null
  },
  "operationalState": "na",
  "osRevision": "Oracle Server release 7.9 5.4.17-2036.102.0.2.el7uek.x86_64",
  "appsVulnerabilityStatus": "not_applicable",
  "groupIp": "129.213.58.x"
}
```

Disconnects Agent From Network

Disconnects the agent from the network (isolates it).

Input Field

Choose a connection that you have previously created and then fill in the following input fields to run the action.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Agent ID | Jinja-templated agent ID which is to be disconnected from the network. Example: {{agent_id_column}} | Required |
| Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Disconnects Agent From Network Data

```json
{
  "locations": null,
  "osStartTime": "2021-01-12T20:40:27Z",
  "rangerVersion": null,
  "cloudProviders": {},
  "osArch": "64 bit",
  "licenseKey": "",
  "updatedAt": "2021-09-06T16:36:34.926026Z",
  "externalId": "",
  "networkInterfaces": [
    {
      "name": "ens3",
      "gatewayIp": "10.0.0.1",
      "inet6": [],
      "gatewayMacAddress": "00:00:17:31:2e:8e",
      "id": "1184207949927894021",
      "inet": ["10.0.0.2"],
      "physical": "02:00:17:09:AC:E4"
    },
    {
      "name": "docker0",
      "gatewayIp": null,
      "inet6": [],
      "gatewayMacAddress": null,
      "id": "1184207949927894022",
      "inet": ["172.17.0.1"],
      "physical": "02:42:2D:5A:F2:4C"
    }
  ],
  "lastActiveDate": "2021-09-06T16:35:30.729725Z",
  "networkStatus": "connecting",
  "locationEnabled": false,
  "lastIpToMgmt": "10.0.0.2",
  "accountName": "SentinelOne",
  "threatRebootRequired": false,
  "scanStartedAt": "2021-06-22T21:30:56.771107Z",
  "domain": "sub01122036110.default.oraclevcn.com",
  "uuid": "8680d9d2-16d3-2915-b736-2b4d2f4d6faf",
  "lastLoggedInUserName": "",
  "networkQuarantineEnabled": false,
  "isUninstalled": false,
  "scanStatus": "finished",
  "userActionsNeeded": [],
  "osUsername": "root",
  "cpuCount": 1,
  "storageType": null,
  "coreCount": 2,
  "isPendingUninstall": false,
  "firewallEnabled": true,
  "accountId": "433241117337583618",
  "mitigationMode": "protect",
  "activeThreats": 0,
  "registeredAt": "2021-06-22T21:29:48.386746Z",
  "machineType": "server",
  "groupId": "1184166245199854505",
  "infected": false,
  "modelName": "QEMU Standard PC (i440FX + PIIX, 1996)",
  "consoleMigrationStatus": "N/A",
  "storageName": null,
  "has_error": false,
  "siteName": "LogicHub",
  "id": "1184207949919505412",
  "scanFinishedAt": "2021-06-23T00:03:51.386826Z",
  "error": null,
  "remoteProfilingStateExpiration": null,
  "installerType": ".rpm",
  "groupName": "Default Group",
  "encryptedApplications": false,
  "remoteProfilingState": "disabled",
  "osType": "linux",
  "totalMemory": 688,
  "externalIp": "129.213.58.77",
  "createdAt": "2021-06-22T21:29:48.389992Z",
  "osName": "Linux",
  "isActive": true,
  "agentVersion": "21.6.3.7",
  "inRemoteShellSession": false,
  "isUpToDate": true,
  "allowRemoteShell": true,
  "cpuId": "AMD EPYC 7551 32-Core Processor",
  "mitigationModeSuspicious": "detect",
  "isDecommissioned": false,
  "siteId": "1184166245183077288",
  "computerName": "instance-20210112-1436",
  "locationType": "not_supported",
  "operationalStateExpiration": null,
  "rangerStatus": "NotApplicable",
  "scanAbortedAt": null,
  "activeDirectory": {
    "computerDistinguishedName": null,
    "lastUserMemberOf": [],
    "computerMemberOf": [],
    "lastUserDistinguishedName": null
  },
  "operationalState": "na",
  "osRevision": "Oracle Server release 7.9 5.4.17-2036.102.0.2.el7uek.x86_64",
  "appsVulnerabilityStatus": "not_applicable",
  "groupIp": "129.213.58.x"
}
```
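Both the Connects Agent To Network and Disconnects Agent From Network actions return the agent object shown above, and a playbook that isolates a host should not assume the isolation took effect just because the action did not error. The following is an added example, not code from the Devo SOAR integration or from SentinelOne, that reads such a result row and decides whether the agent reports the requested network state. It assumes the SentinelOne `networkStatus` values `connected`, `connecting`, `disconnected` and `disconnecting` (the page only shows `connecting`), and the sample row is a constructed, trimmed copy of the output above.

```python
import json

# Constructed sample: a trimmed copy of the agent object the actions return,
# with networkStatus set to the value a successful disconnect should reach.
SAMPLE_DISCONNECTED = {
    "has_error": False,
    "error": None,
    "id": "1184207949919505412",
    "computerName": "instance-20210112-1436",
    "networkStatus": "disconnected",
    "isActive": True,
    "isDecommissioned": False,
    "isUninstalled": False,
    "lastActiveDate": "2021-09-06T16:35:30.729725Z",
}

# networkStatus values of the SentinelOne agent object (assumption; the page
# only shows "connecting").
SETTLED = {"connect": "connected", "disconnect": "disconnected"}
PENDING = {"connect": "connecting", "disconnect": "disconnecting"}


def network_action_verdict(row: dict, action: str) -> dict:
    """Decide whether one result row shows the network state requested by action.

    action is "connect" or "disconnect". Returns a dict with
      ok:      the agent reports the settled state for the action
      pending: the agent reports a transitional state and should be re-checked
      reason:  a short explanation for the playbook log
    """
    if action not in SETTLED:
        raise ValueError(f"unknown action {action!r}")

    # The wrapper reports failures in has_error/error; the sample output places
    # these keys inside the agent object itself, so they are read from the row.
    if row.get("has_error"):
        return {"ok": False, "pending": False,
                "reason": f"action error: {row.get('error')}"}

    # An uninstalled or decommissioned agent cannot enforce anything, and an
    # inactive one only applies the change once it reconnects to management.
    for flag in ("isUninstalled", "isDecommissioned"):
        if row.get(flag):
            return {"ok": False, "pending": False,
                    "reason": f"agent {row.get('id')} is {flag}"}
    if not row.get("isActive", False):
        return {"ok": False, "pending": True,
                "reason": (f"agent {row.get('id')} inactive since "
                           f"{row.get('lastActiveDate')}; state applies on reconnect")}

    status = row.get("networkStatus")
    if status == SETTLED[action]:
        return {"ok": True, "pending": False, "reason": f"networkStatus={status}"}
    if status == PENDING[action]:
        return {"ok": False, "pending": True,
                "reason": f"networkStatus={status}; re-check after a delay"}
    return {"ok": False, "pending": False,
            "reason": f"unexpected networkStatus={status!r} after {action}"}


def verdicts_for_rows(rows, action: str) -> dict:
    """Summarise a multi-row action output as {agent_id: verdict}."""
    return {row.get("id"): network_action_verdict(row, action) for row in rows}


if __name__ == "__main__":
    print(json.dumps(verdicts_for_rows([SAMPLE_DISCONNECTED], "disconnect"), indent=2))
```

In a playbook, feed the action's result rows to `verdicts_for_rows` and loop (with the action's request delay) on any `pending` verdict before closing the isolation step; a `pending` verdict for an inactive agent is worth an explicit alert, since the host is not yet cut off.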

Create Query

Runs a Deep Visibility query and returns the queryId. Use the queryId with the other Deep Visibility actions, such as Get Events.

Input Field

Choose a connection that you have previously created and then fill in the following input fields to run the action.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Query | Jinja-templated Deep Visibility query. Example: EndpointName exists | Required |
| From Date | Jinja-templated start of the query window. Format: %Y-%m-%dT%H:%M:%SZ, Example: 2021-06-22T21:29:48Z | Required |
| To Date | Jinja-templated end of the query window. Format: %Y-%m-%dT%H:%M:%SZ, Example: 2021-06-22T21:29:48Z | Required |
| Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Create Query Data

```json
{
  "has_error": false,
  "data": {
    "queryId": "qe4080a5f8088b188b423b9edcc768252"
  },
  "error": null
}
```

Get Events

Fetch all Deep Visibility events that match the query identified by Query ID. Deep Visibility queries are executed asynchronously by SentinelOne, so a noResults response obtained immediately after Create Query may only mean the query has not finished yet; re-run the action after a delay before concluding that nothing matched.

Input Field

Choose a connection that you have previously created and then fill in the following input fields to run the action.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Query ID | Jinja-templated query ID whose events are to be fetched. Example: {{query_id_column}} | Required |
| Limit | Maximum number of events to fetch. (Default is 100000) | Required |
| Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Get Events Data

```json
{
  "has_error": false,
  "noResults": "no results returned",
  "error": null
}
```
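Create Query and Get Events are normally used together: a playbook builds the From Date, To Date and Query inputs from a lookback window and fields of an alert, then interprets the rows Get Events returns. The following is an added example, not code from the Devo SOAR integration or from SentinelOne, that does both. Because the Query input is Jinja-templated from playbook columns, a value taken from an alert (a hostname, a user name) ends up inside the query string, and an unvalidated value such as `x" OR EndpointName exists` would widen a targeted query to every endpoint; the page does not document the Deep Visibility escaping rules, so the example rejects values outside an allowlist rather than trying to escape them. The only field name taken from the page is `EndpointName`; the event row and reference time are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Timestamp format documented for the From Date / To Date inputs.
S1_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed reference time so the example is reproducible offline.
EXAMPLE_NOW = datetime(2021, 6, 22, 21, 29, 48, tzinfo=timezone.utc)

# Conservative allowlist for values interpolated into a Deep Visibility query.
# Quotes and backslashes are rejected outright (so Windows paths need their
# own handling) because the query language's escaping rules are not documented.
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9 ._:/@=+,()\[\]-]{1,256}$")
_FIELD_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9.]{0,63}$")

# Sample rows: the noResults row is the output shown above; the event row is
# constructed, since the page does not show a populated event.
SAMPLE_NO_RESULTS = {"has_error": False, "noResults": "no results returned", "error": None}
SAMPLE_EVENT = {"has_error": False, "error": None,
                "endpointName": "instance-20210112-1436", "eventType": "Process Creation"}


def time_window(lookback_minutes: int, now: Optional[datetime] = None) -> tuple:
    """Return (From Date, To Date) strings covering the last lookback_minutes, in UTC."""
    if lookback_minutes <= 0:
        raise ValueError("lookback must be positive")
    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    start = now - timedelta(minutes=lookback_minutes)
    return start.strftime(S1_TIME_FMT), now.strftime(S1_TIME_FMT)


def dv_term(field: str, value: Optional[str] = None) -> str:
    """One query term: `field exists` when value is None, else `field = "value"`.

    Values usually come from a playbook column, so they are validated, not trusted.
    """
    if not _FIELD_NAME.match(field):
        raise ValueError(f"invalid field name {field!r}")
    if value is None:
        return f"{field} exists"
    if not _SAFE_VALUE.match(value):
        raise ValueError(f"value for {field} contains characters outside the allowlist")
    return f'{field} = "{value}"'


def build_query(terms) -> str:
    """AND together (field, value) pairs; a value of None means `field exists`."""
    parts = [dv_term(field, value) for field, value in terms]
    if not parts:
        raise ValueError("refusing to build an empty query")
    return " AND ".join(parts)


def parse_get_events(rows) -> dict:
    """Split Get Events output into events, errors and the explicit no-results case."""
    events, errors, no_results = [], [], False
    for row in rows:
        if row.get("has_error"):
            errors.append(str(row.get("error")))
        elif "noResults" in row:
            no_results = True
        else:
            events.append({k: v for k, v in row.items() if k not in ("has_error", "error")})
    return {"events": events, "errors": errors, "no_results": no_results and not events}


if __name__ == "__main__":
    from_date, to_date = time_window(30, EXAMPLE_NOW)
    print(from_date, to_date)
    print(build_query([("EndpointName", "instance-20210112-1436")]))
    print(parse_get_events([SAMPLE_NO_RESULTS]))
```

`time_window` and `build_query` produce the three Create Query inputs; `parse_get_events` consumes the Get Events rows and keeps the explicit `no_results` flag separate from an error, so a playbook can apply the re-run advice above only to the first case.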

Shutdown Agent

Shuts down the endpoints whose agents match the supplied filters (query, agent IDs and group IDs). Every matching endpoint is powered off, so confirm the set of agents the filters match before running this action from an unattended playbook.

Input Field

Choose a connection that you have previously created and then fill in the following input fields to run the action.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Query | Jinja-templated query selecting the agents to shut down. Example: {{query_column}} | Required |
| Agent IDs | Jinja-templated comma-separated agent IDs to shut down. Example: {{agent_id_column}} | Required |
| Group IDs | Jinja-templated comma-separated group IDs. Example: {{group_id_column}} | Required |
| Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds. (Default is 0 milliseconds). | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Shutdown Agent Data

```json
{
  "locations": null,
  "osStartTime": "2021-01-12T20:40:27Z",
  "rangerVersion": null,
  "cloudProviders": {},
  "osArch": "64 bit",
  "licenseKey": "",
  "updatedAt": "2021-09-06T16:36:34.926026Z",
  "externalId": "",
  "networkInterfaces": [
    {
      "name": "ens3",
      "gatewayIp": "10.0.0.1",
      "inet6": [],
      "gatewayMacAddress": "00:00:17:31:2e:8e",
      "id": "1184207949927894021",
      "inet": ["10.0.0.2"],
      "physical": "02:00:17:09:AC:E4"
    },
    {
      "name": "docker0",
      "gatewayIp": null,
      "inet6": [],
      "gatewayMacAddress": null,
      "id": "1184207949927894022",
      "inet": ["172.17.0.1"],
      "physical": "02:42:2D:5A:F2:4C"
    }
  ],
  "lastActiveDate": "2021-09-06T16:35:30.729725Z",
  "networkStatus": "connecting",
  "locationEnabled": false,
  "lastIpToMgmt": "10.0.0.2",
  "accountName": "SentinelOne",
  "threatRebootRequired": false,
  "scanStartedAt": "2021-06-22T21:30:56.771107Z",
  "domain": "sub01122036110.default.oraclevcn.com",
  "uuid": "8680d9d2-16d3-2915-b736-2b4d2f4d6faf",
  "lastLoggedInUserName": "",
  "networkQuarantineEnabled": false,
  "isUninstalled": false,
  "scanStatus": "finished",
  "userActionsNeeded": [],
  "osUsername": "root",
  "cpuCount": 1,
  "storageType": null,
  "coreCount": 2,
  "isPendingUninstall": false,
  "firewallEnabled": true,
  "accountId": "433241117337583618",
  "mitigationMode": "protect",
  "activeThreats": 0,
  "registeredAt": "2021-06-22T21:29:48.386746Z",
  "machineType": "server",
  "groupId": "1184166245199854505",
  "infected": false,
  "modelName": "QEMU Standard PC (i440FX + PIIX, 1996)",
  "consoleMigrationStatus": "N/A",
  "storageName": null,
  "has_error": false,
  "siteName": "LogicHub",
  "id": "1184207949919505412",
  "scanFinishedAt": "2021-06-23T00:03:51.386826Z",
  "error": null,
  "remoteProfilingStateExpiration": null,
  "installerType": ".rpm",
  "groupName": "Default Group",
  "encryptedApplications": false,
  "remoteProfilingState": "disabled",
  "osType": "linux",
  "totalMemory": 688,
  "externalIp": "129.213.58.77",
  "createdAt": "2021-06-22T21:29:48.389992Z",
  "osName": "Linux",
  "isActive": true,
  "agentVersion": "21.6.3.7",
  "inRemoteShellSession": false,
  "isUpToDate": true,
  "allowRemoteShell": true,
  "cpuId": "AMD EPYC 7551 32-Core Processor",
  "mitigationModeSuspicious": "detect",
  "isDecommissioned": false,
  "siteId": "1184166245183077288",
  "computerName": "instance-20210112-1436",
  "locationType": "not_supported",
  "operationalStateExpiration": null,
  "rangerStatus": "NotApplicable",
  "scanAbortedAt": null,
  "activeDirectory": {
    "computerDistinguishedName": null,
    "lastUserMemberOf": [],
    "computerMemberOf": [],
    "lastUserDistinguishedName": null
  },
  "operationalState": "na",
  "osRevision": "Oracle Server release 7.9 5.4.17-2036.102.0.2.el7uek.x86_64",
  "appsVulnerabilityStatus": "not_applicable",
  "groupIp": "129.213.58.x"
}
```

Get Activities

Get the activities, and their data, that match the filters.

Input Field

Choose a connection that you have previously created and then fill in the following input fields to run the action.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Params | Jinja-templated JSON containing the query parameters passed to the SentinelOne activities API. | Optional |
| Limit | Maximum number of activities to fetch. (Default is 100000) | Optional |

Output

JSON containing the response returned by the SentinelOne API for the supplied Params.

Disconnect From Network

Use this action to isolate (quarantine) endpoints from the network, if the endpoints match the filter.

Input Field

Choose a connection that you have previously created and then fill in the following input fields to run the action.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Params | Jinja-templated JSON containing the query parameters passed to the SentinelOne API. | Optional |
| Body | Jinja-templated JSON containing the request body passed to the SentinelOne API. | Optional |

Output

JSON containing the response returned by the SentinelOne API for the supplied Params and Body.
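Get Activities and Disconnect From Network pass a Jinja-templated Params or Body JSON straight to the SentinelOne API, so the playbook, not the action, is responsible for the filter being correct. The following is an added example, not code from the Devo SOAR integration or from SentinelOne, that builds those JSON strings from explicit agent IDs and refuses the one shape that causes real damage: an empty filter, which agent actions apply to every agent in scope. The request shapes are assumptions drawn from the SentinelOne v2.1 API (`{"filter": {"ids": [...]}}` for agent actions; `agentIds`, `createdAt__gt`, `activityTypes`, `limit`, `sortBy` and `sortOrder` for activities, with a per-request limit cap of 1000) and are not documented on this page; the agent ID format is taken from the `id` field of the sample output above.

```python
import json
import re

# SentinelOne agent IDs are numeric strings (see "id" in the sample output).
_AGENT_ID = re.compile(r"^\d{1,20}$")
# Assumption: the SentinelOne v2.1 API caps the per-request limit at 1000.
MAX_LIMIT = 1000
# Timestamp shape used by the From/To Date inputs on this page; the activities
# createdAt__gt filter is assumed to accept the same.
_TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def _clean_ids(agent_ids) -> list:
    """Normalise and validate agent IDs; never return an empty list."""
    ids = sorted({i.strip() for i in agent_ids if i and i.strip()})
    if not ids:
        # The dangerous case: an empty filter matches every agent, so it is
        # refused here instead of being sent and relying on the API to object.
        raise ValueError("no agent IDs supplied; refusing to build an unfiltered request")
    bad = [i for i in ids if not _AGENT_ID.match(i)]
    if bad:
        raise ValueError(f"not SentinelOne agent IDs: {bad}")
    return ids


def disconnect_body(agent_ids) -> str:
    """Body for Disconnect From Network, restricted to explicit agent IDs.

    Assumed shape of POST /agents/actions/disconnect: {"filter": {"ids": [...]}}.
    """
    return json.dumps({"filter": {"ids": _clean_ids(agent_ids)}})


def activities_params(agent_ids, created_after: str, activity_types=None, limit: int = 100) -> str:
    """Params for Get Activities: activities of the given agents after a timestamp.

    Assumed query parameters of GET /activities: agentIds, createdAt__gt,
    activityTypes (numeric type codes), limit, sortBy, sortOrder.
    """
    if not _TIMESTAMP.match(created_after):
        raise ValueError("created_after must look like 2021-06-22T21:29:48Z")
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    params = {
        "agentIds": ",".join(_clean_ids(agent_ids)),
        "createdAt__gt": created_after,
        "limit": limit,
        "sortBy": "createdAt",
        "sortOrder": "asc",
    }
    if activity_types:
        if not all(isinstance(t, int) for t in activity_types):
            raise ValueError("activity types are numeric codes")
        params["activityTypes"] = ",".join(str(t) for t in activity_types)
    return json.dumps(params)


if __name__ == "__main__":
    # Constructed input: the agent ID from the sample output, once with stray whitespace.
    ids = ["1184207949919505412", " 1184207949919505412 "]
    print(disconnect_body(ids))
    print(activities_params(ids, "2021-06-22T21:29:48Z", limit=50))
```

Paste the returned strings into the Body and Params inputs, or compute them in an earlier playbook step and reference that column with a Jinja template; either way the filter reaching SentinelOne is always an explicit list of validated agent IDs.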

Release Notes

  • v2.1.1 - Added 2 new actions: Get Activities and Disconnect From Network

  • v2.0.0 - Updated architecture to support IO via filesystem

  • v1.1.1 - Added documentation link in the automation library.
