Fetch Threat File
Description

Retrieves a file associated with a threat in SentinelOne, selected by the specified filters. The password supplied in the request is used to encrypt the fetched file.

Permissions required: Fetch Threat File
Endpoint URL: /web/api/v2.1/threats/fetch-file
Method: POST

Inputs

JSON body (object), required
  data (object), required
    password (string), required: file encryption password.
  filter (object), required: use any of the filtering options to control the list of affected threats. Any combination of filters can be used to narrow down the list (for example, "apply to only active threats from Linux endpoints"). This field can also be left empty to apply to all available threats.
  Note: the filter must match exactly one threat; bulk operations are not supported.

Filter fields

  accountIds (string): list of account IDs to filter by.
  agentIds (string): list of agent IDs.
  agentIsActive (boolean): include agents currently connected to the management console.
  agentMachineTypes (string): include agent machine types.
  agentMachineTypesNin (string): excluded agent machine types.
  agentTagsData (string): filter threats by tags assigned to the related agent, given as JSON where each key is a tag key and each value is a list of string values to filter by. To filter by unassigned tag values, use the Nin suffix in the tag key.
  agentVersions (string): include agent versions.
  agentVersionsNin (string): excluded agent versions.
  analystVerdicts (string): filter threats by a specific analyst verdict.
  analystVerdictsNin (string): exclude threats with specific analyst verdicts.
  awsRole__contains (string): free-text filter by AWS role (supports multiple values).
  awsSecurityGroups__contains (string): free-text filter by AWS security groups (supports multiple values).
  awsSubnetIds__contains (string): free-text filter by AWS subnet IDs (supports multiple values).
  azureResourceGroup__contains (string): free-text filter by Azure resource group (supports multiple values).
  classifications (string): list of threat classifications to search.
  classificationsNin (string): list of threat classifications not to search.
  classificationSources (string): classification sources list.
  classificationSourcesNin (string): classification sources list to exclude.
  cloudAccount__contains (string): free-text filter by cloud account (supports multiple values).
  cloudImage__contains (string): free-text filter by cloud image (supports multiple values).
  cloudInstanceId__contains (string): free-text filter by cloud instance ID (supports multiple values).
  cloudInstanceSize__contains (string): free-text filter by cloud instance size (supports multiple values).
  cloudLocation__contains (string): free-text filter by cloud location (supports multiple values).
  cloudNetwork__contains (string): free-text filter by cloud network (supports multiple values).
  cloudProvider (string): agents from which cloud provider.
  cloudProviderNin (string): exclude agents from these cloud providers.
  collectionIds (string): list of collection IDs to search.
  commandLineArguments__contains (string): free-text filter by threat command line arguments (supports multiple values).
  computerName__contains (string): free-text filter by computer name (supports multiple values).
  confidenceLevels (string): filter threats by a specific confidence level.
  confidenceLevelsNin (string): exclude threats with specific confidence levels.
  containerImageName__contains (string): free-text filter by the endpoint container image name (supports multiple values).
  containerLabels__contains (string): free-text filter by the endpoint container labels (supports multiple values).
  containerName__contains (string): free-text filter by the endpoint container name (supports multiple values).
  contentHash__contains (string): free-text filter by file content hash (supports multiple values).
  contentHashes (string): list of SHA1 hashes to search for.
  countsFor (string): comma-separated list of fields to be shown.
  createdAt__gt (string): created at, greater than.
  createdAt__gte (string): created at, greater than or equal to.
  createdAt__lt (string): created at, less than.
  createdAt__lte (string): created at, less than or equal to.
  detectionAgentDomain__contains (string): free-text filter by agent domain at detection time (supports multiple values).
  detectionAgentVersion__contains (string): free-text filter by agent version at detection time (supports multiple values).
  detectionEngines (string): included engines.
  detectionEnginesNin (string): excluded engines.
  displayName (string): display name.
  engines (string): included engines.
  enginesNin (string): excluded engines.
  externalTicketExists (boolean): the threat contains a ticket number.
  externalTicketId__contains (string): free-text filter by the threat's external ticket ID (supports multiple values).
  externalTicketIds (string): external ticket ID for the threat.
  failedActions (string): at least one action failed on the threat.
  filePath__contains (string): free-text filter by file path (supports multiple values).
  gcpServiceAccount__contains (string): free-text filter by GCP service account (supports multiple values).
  groupIds (string): list of group IDs to filter by.
  hasAgentTags (boolean): include only threats whose agent is assigned any tags if true, or none if false.
  ids (string): list of threat IDs.
  incidentStatuses (string): filter threats by a specific incident status.
  incidentStatusesNin (string): exclude threats with specific incident statuses.
  initiatedBy (string): only include threats from specific initiating sources.
  initiatedByNin (string): exclude threats with specific initiating sources.
  initiatedByUsername__contains (string): free-text filter by the username that initiated the threat (supports multiple values).
  k8sClusterName__contains (string): free-text filter by the endpoint Kubernetes cluster name (supports multiple values).
  k8sControllerLabels__contains (string): free-text filter by the endpoint Kubernetes controller labels (supports multiple values).
  k8sControllerName__contains (string): free-text filter by the endpoint Kubernetes controller name (supports multiple values).
  k8sNamespaceLabels__contains (string): free-text filter by the endpoint Kubernetes namespace labels (supports multiple values).
  k8sNamespaceName__contains (string): free-text filter by the endpoint Kubernetes namespace name (supports multiple values).
  k8sNodeLabels__contains (string): free-text filter by the endpoint Kubernetes node labels (supports multiple values).
  k8sNodeName__contains (string): free-text filter by the endpoint Kubernetes node name (supports multiple values).
  k8sPodLabels__contains (string): free-text filter by the endpoint Kubernetes pod labels (supports multiple values).
  k8sPodName__contains (string): free-text filter by the endpoint Kubernetes pod name (supports multiple values).
  mitigatedPreemptively (boolean): whether the threat was detected pre-execution or post-execution.
  mitigationStatuses (string): filter threats by a specific mitigation status.
  mitigationStatusesNin (string): exclude threats with a specific mitigation status.
  noteExists (boolean): the threat contains at least one note.
  originatedProcess__contains (string): free-text filter by the originating process name of the threat (supports multiple values).
  osArchs (string): included OS architectures.
  osNames (string): included OS names.
  osNamesNin (string): excluded OS names.
  osTypes (string): included OS types.
  osTypesNin (string): excluded OS types.
  pendingActions (boolean): at least one action is pending for the agent for the threat.
  publisherName__contains (string): free-text filter by the threat's publisher name (supports multiple values).
  query (string): full-text search over fields such as threat details, content hash, computer name, file path, UUID, detection agent version, realtime agent version, detection agent domain, command line arguments, initiating username, storyline, originated process, K8s cluster name, K8s node name, K8s node labels, K8s namespace name, K8s namespace labels, K8s controller name, K8s controller labels, K8s pod name, K8s pod labels, container name, container image name, container labels, external ticket ID.
  realtimeAgentVersion__contains (string): free-text filter by agent version at the current time (supports multiple values).
  rebootRequired (boolean): a reboot is required on any endpoint for at least one action on the threat.
  resolved (boolean): used for backward compatibility with API 2.0.
  siteIds (string): list of site IDs to filter by.
  storyline__contains (string): free-text filter by threat storyline (supports multiple values).
  storylines (array): list of agent context to search for.
  tenant (boolean): indicates a tenant-scope request.
  threatDetails__contains (string): free-text filter by threat details (supports multiple values).
  updatedAt__gt (string): updated at, greater than.
  updatedAt__gte (string): updated at, greater than or equal to.
  updatedAt__lt (string): updated at, less than.
  updatedAt__lte (string): updated at, less than or equal to.
  uuid__contains (string): free-text filter by agent UUID (supports multiple values).

Output

Output parameters
  status code (number)
  reason (string)
  json body (object)
    data (object)
      affected (number)

Response headers (header: type)
  Server: string
  Date: string
  Content-Type: string
  Transfer-Encoding: string
  Connection: string
  X-Rqid: string
  Access-Control-Allow-Origin: string
  Access-Control-Allow-Credentials: string
  Vary: string
  Strict-Transport-Security: string
  X-Frame-Options: string
  X-Content-Type-Options: string
  Content-Security-Policy: string
  Cache-Control: string
  Pragma: string
  Expires: string
  Content-Encoding: string
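The request body and the "exactly one threat" constraint above, as an added example that is not part of the connector or SentinelOne's own code. It assumes list-valued filters (ids, siteIds, contentHashes, ...) are sent as comma-separated strings and that a successful call reports the match count in data.affected; the threat ID and response below are constructed placeholders.

```python
"""Build a Fetch Threat File request body and sanity-check the response."""
import json

FETCH_FILE_PATH = "/web/api/v2.1/threats/fetch-file"  # endpoint from the reference above


def build_fetch_file_body(password: str, **filters) -> dict:
    """Return the JSON body for POST /web/api/v2.1/threats/fetch-file.

    `password` is the file encryption password, so the retrieved sample is
    never handed back as a plain executable. Python lists passed for filters
    such as ids/siteIds are joined into comma-separated strings (assumption).
    """
    if not password:
        raise ValueError("data.password (file encryption password) is required")
    flt = {}
    for key, value in filters.items():
        if isinstance(value, (list, tuple, set)):
            value = ",".join(str(v) for v in value)
        flt[key] = value
    return {"data": {"password": password}, "filter": flt}


def check_fetch_file_response(status_code: int, body: dict) -> int:
    """Validate the reply and return data.affected.

    The action is not a bulk operation: the filter must match exactly one
    threat, so 0 (nothing matched) or >1 (filter too broad) is an error.
    """
    if status_code != 200:
        raise RuntimeError(f"fetch-file failed with HTTP {status_code}")
    affected = body.get("data", {}).get("affected")
    if affected != 1:
        raise RuntimeError(f"filter must match exactly one threat, matched {affected!r}")
    return affected


if __name__ == "__main__":
    # Constructed placeholder threat ID; real IDs come from the console/API.
    body = build_fetch_file_body("Chang3-me-zip-pw", ids=["THREAT_ID_PLACEHOLDER"])
    print(f"POST {FETCH_FILE_PATH}")
    print(json.dumps(body, indent=2))
    # Constructed sample reply: one threat matched, so the check passes.
    print("affected:", check_fetch_file_response(200, {"data": {"affected": 1}}))
```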