Get Threat Analysis
**Description:** Retrieve detailed information on a detected threat in SentinelOne using the specified threat ID.

**Endpoint URL:** `web/api/v2.1/private/threats/{{threat_id}}/analysis`

**Method:** `GET`

**Inputs:**

- Path Parameters (object) – required
  - threat_id (string) – required

**Notes for operators:**

- The endpoint lives under `/web/api/v2.1/private/`, i.e. the management console's private API rather than the published public API, so its response shape may change between console versions. Callers should check `status_code` and the presence of `json_body.data` before reading nested fields.
- `threat_id` is interpolated into the request path; take it from a trusted source (for example a prior SentinelOne action) or validate it as a numeric identifier before use.
- The response discloses sensitive asset detail: internal and external IP addresses, MAC addresses, hostnames, account/site/group identifiers, file paths, process users and file hashes. Treat the output as confidential, limit where it is stored or forwarded, and run the connector with an API credential scoped to the minimum permissions required.
- The example below was captured against the EICAR test file (`threatName` `eicar.com`, SHA-1 `3395856ce81f2b7382dee72602f798b642f14140`), not live malware.

**Output Example:**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx",
      "date": "Mon, 14 Nov 2022 21:44:11 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-rqid": "fbaffde6-2d29-4834-946d-d3c77ee169f9",
      "access-control-allow-origin": "https://attivo-us.sentinelone.net",
      "access-control-allow-credentials": "true",
      "vary": "origin",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self'; connect-src 'self' cdn.pendo.io app.pendo.io pendo.io data.pendo.io storage.googleapis.com sentry.io *.sentry.io google-analytics.com gstatic.com unpkg.com cdn.auth0.com wss://*.sentinelone.net https://www.googletagmanager.com https://cdnjs.cloudflare.com data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.pendo.io app.pendo.io pendo-io-static.storage.googleapis.com cdn.pendo.io storage.googleapis.com data.pendo.io https://www.google-analytics.com https://www.googletagmanager.com https://unpkg.com https://cdnjs.cloudflare.com; img-src 'self' data: https://www.google-analytics.com cdn.pendo.io app.pendo.io sentinelone.com storage.googleapis.com data.pendo.io; style-src 'self' 'unsafe-inline' app.pendo.io cdn.pendo.io storage.googleapis.com https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' data: https://fonts.gstatic.com https://cdn.auth0.com; frame-src 'self' blob: https://receptive.io https://*.pendo.io https://pendo-io-extensions.storage.googleapis.com/ https://*.youtube.com; frame-ancestors 'self' app.pendo.io; object-src 'none'",
      "cache-control": "no-store",
      "pragma": "no-cache",
      "expires": "-1",
      "content-encoding": "gzip"
    },
    "reason": "OK",
    "json_body": {
      "data": {
        "agentDetectionInfo": {
          "accountId": "1286405255240245908",
          "accountName": "swimlane",
          "agentDetectionState": null,
          "agentDomain": "",
          "agentIpV4": "10.32.0.165,172.18.0.1,172.17.0.1",
          "agentIpV6": "fe80::7d:1cff:feeb:36b,fe80::70da:4eff:fe05:1e14,fe80::42:94ff:fe48:e0bf,fe80::4cca:b0ff:fec1:86e4,fe80::3013:22ff:fed7:6ba8,fe80::250:56ff:febd:78a0",
          "agentLastLoggedInUpn": null,
          "agentLastLoggedInUserMail": null,
          "agentLastLoggedInUserName": "",
          "agentMitigationMode": "protect",
          "agentOsName": "linux",
          "agentOsRevision": "CentOS release 7.8.2003 (Core) 3.10.0-1127.el7.x86_64",
          "agentRegisteredAt": "2021-11-10T22:44:37.714973Z",
          "agentUuid": "33b3a892-d388-d3e6-6ead-a98acb5d054c",
          "agentVersion": "21.10.1.6",
          "cloudProviders": {},
          "externalIp": "96.79.235.37",
          "groupId": "1286405255265411734",
          "groupName": "default group",
          "siteId": "1286405255257023125",
          "siteName": "default site"
        },
        "agentRealtimeInfo": {
          "accountId": "1286405255240245908",
          "accountName": "swimlane",
          "activeThreats": 0,
          "agentComputerName": "localhost.localdomain",
          "agentDecommissionedAt": null,
          "agentDomain": "",
          "agentId": "1286438987267469377",
          "agentInfected": false,
          "agentIsActive": true,
          "agentIsDecommissioned": false,
          "agentMachineType": "server",
          "agentMitigationMode": "protect",
          "agentNetworkStatus": "connected",
          "agentOsName": "linux",
          "agentOsRevision": "CentOS release 7.8.2003 (Core) 3.10.0-1127.el7.x86_64",
          "agentOsType": "linux",
          "agentUuid": "33b3a892-d388-d3e6-6ead-a98acb5d054c",
          "agentVersion": "21.10.1.6",
          "groupId": "1286405255265411734",
          "groupName": "default group",
          "networkInterfaces": [
            {
              "id": "1543172592000726460",
              "inet": [],
              "inet6": ["fe80::40b2:6aff:fe95:383e"],
              "name": "vethee3d644",
              "physical": "42:b2:6a:95:38:3e"
            },
            {
              "id": "1543172592000726459",
              "inet": [],
              "inet6": ["fe80::6015:78ff:fea9:c83f"],
              "name": "vethe80c0de",
              "physical": "62:15:78:a9:c8:3f"
            },
            {
              "id": "1543172592000726458",
              "inet": ["172.18.0.1"],
              "inet6": ["fe80::42:7aff:fe65:8d5d"],
              "name": "br-fff54108db6c",
              "physical": "02:42:7a:65:8d:5d"
            },
            {
              "id": "1543172591992337849",
              "inet": [],
              "inet6": ["fe80::d49d:8eff:fe3e:7c96"],
              "name": "veth4eead3a",
              "physical": "d6:9d:8e:3e:7c:96"
            },
            {
              "id": "1543172591992337848",
              "inet": [],
              "inet6": ["fe80::98cf:d7ff:feaa:df6d"],
              "name": "veth9ec7d68",
              "physical": "9a:cf:d7:aa:df:6d"
            },
            {
              "id": "1543147384250434231",
              "inet": ["172.17.0.1"],
              "inet6": [],
              "name": "docker0",
              "physical": "02:42:c9:05:ad:aa"
            },
            {
              "id": "1286438987267469378",
              "inet": ["10.32.0.165"],
              "inet6": ["fe80::250:56ff:febd:78a0"],
              "name": "eth0",
              "physical": "00:50:56:bd:78:a0"
            }
          ],
          "operationalState": "na",
          "rebootRequired": false,
          "scanAbortedAt": null,
          "scanFinishedAt": "2022-09-07T02:40:59.261750Z",
          "scanStartedAt": "2022-11-14T20:11:25.369554Z",
          "scanStatus": "started",
          "siteId": "1286405255257023125",
          "siteName": "default site",
          "storageName": null,
          "storageType": null,
          "userActionsNeeded": []
        },
        "containerInfo": {
          "id": null,
          "image": null,
          "isContainerQuarantine": null,
          "labels": null,
          "name": null
        },
        "customDetectionRules": [],
        "indicators": [],
        "kubernetesInfo": {
          "cluster": null,
          "controllerKind": null,
          "controllerLabels": null,
          "controllerName": null,
          "isContainerQuarantine": null,
          "namespace": null,
          "namespaceLabels": null,
          "node": null,
          "pod": null,
          "podLabels": null
        },
        "mitigationStatus": [
          {
            "action": "quarantine",
            "actionsCounters": {
              "failed": 0,
              "notFound": 0,
              "pendingReboot": 0,
              "success": 1,
              "total": 1
            },
            "agentSupportsReport": true,
            "groupNotFound": false,
            "lastUpdate": "2021-12-14T20:23:47.484537Z",
            "latestReport": "/threats/mitigation-report/1311010476397293060",
            "mitigationEndedAt": "2021-12-14T20:23:47.484543Z",
            "mitigationStartedAt": "2021-12-14T20:23:47.484548Z",
            "status": "success"
          }
        ],
        "threatInfo": {
          "analystVerdict": "undefined",
          "analystVerdictDescription": "undefined",
          "automaticallyResolved": false,
          "browserType": null,
          "certificateId": null,
          "classification": "malware",
          "classificationSource": "static",
          "cloudFilesHashVerdict": "black",
          "collectionId": "433377870883088367",
          "confidenceLevel": "malicious",
          "createdAt": "2021-12-14T20:23:47.249133Z",
          "detectionEngines": [
            {
              "key": "pre_execution",
              "title": "on write static ai"
            }
          ],
          "detectionType": "static",
          "engines": ["on write dfi"],
          "externalTicketExists": false,
          "externalTicketId": null,
          "failedActions": false,
          "fileExtension": null,
          "fileExtensionType": null,
          "filePath": "/home/swimlane-host/eicar.com",
          "fileSize": 68,
          "fileVerificationType": null,
          "identifiedAt": "2021-12-14T20:23:47.143694Z",
          "incidentStatus": "unresolved",
          "incidentStatusDescription": "unresolved",
          "initiatedBy": "agent_policy",
          "initiatedByDescription": "agent policy",
          "initiatingUserId": null,
          "initiatingUserName": null,
          "isFileless": false,
          "isValidCertificate": null,
          "maliciousProcessArguments": null,
          "md5": null,
          "mitigatedPreemptively": false,
          "mitigationStatus": "mitigated",
          "mitigationStatusDescription": "mitigated",
          "originatorProcess": "scp",
          "pendingActions": false,
          "processUser": "swimlane-host",
          "publisherName": null,
          "reachedEventsLimit": null,
          "rebootRequired": false,
          "sha1": "3395856ce81f2b7382dee72602f798b642f14140",
          "sha256": null,
          "storyline": "9e6d373b-b7b7-c6fc-e703-6acca4842e53",
          "threatId": "1311010474425970168",
          "threatName": "eicar.com",
          "updatedAt": "2021-12-14T20:23:47.481644Z"
        },
        "whiteningOptions": ["path", "hash"]
      }
    }
  }
]
```

**Output Parameters:** status_code (number) reason (string) json_body (object) data (object) agentdetectioninfo (object) accountid (string) accountname (string) agentdetectionstate (object) agentdomain (string) agentipv4 (string) agentipv6 (string) agentlastloggedinupn (object) agentlastloggedinusermail (object) agentlastloggedinusername (string) agentmitigationmode (string) agentosname (string) agentosrevision (string) agentregisteredat (string) agentuuid (string) agentversion (string) cloudproviders (object) externalip (string) groupid (string) groupname (string) siteid (string) sitename (string) agentrealtimeinfo (object) accountid (string) accountname (string) activethreats
(number) agentcomputername (string) agentdecommissionedat (object) agentdomain (string) agentid (string) agentinfected (boolean) agentisactive (boolean) agentisdecommissioned (boolean) agentmachinetype (string) agentmitigationmode (string) agentnetworkstatus (string) agentosname (string) agentosrevision (string) agentostype (string) agentuuid (string) agentversion (string) groupid (string) groupname (string) networkinterfaces (array) id (string) inet (array) inet6 (array) name (string) physical (string) operationalstate (string) rebootrequired (boolean) scanabortedat (object) scanfinishedat (string) scanstartedat (string) scanstatus (string) siteid (string) sitename (string) storagename (object) storagetype (object) useractionsneeded (array) file name (string) – required file (string) – required containerinfo (object) id (object) image (object) iscontainerquarantine (object) labels (object) name (object) customdetectionrules (array) file name (string) – required file (string) – required indicators (array) file name (string) – required file (string) – required kubernetesinfo (object) cluster (object) controllerkind (object) controllerlabels (object) controllername (object) iscontainerquarantine (object) namespace (object) namespacelabels (object) node (object) pod (object) podlabels (object) mitigationstatus (array) action (string) actionscounters (object) failed (number) notfound (number) pendingreboot (number) success (number) total (number) agentsupportsreport (boolean) groupnotfound (boolean) lastupdate (string) latestreport (string) mitigationendedat (string) mitigationstartedat (string) status (string) threatinfo (object) analystverdict (string) analystverdictdescription (string) automaticallyresolved (boolean) browsertype (object) certificateid (object) classification (string) classificationsource (string) cloudfileshashverdict (string) collectionid (string) confidencelevel (string) createdat (string) detectionengines (array) key (string) title (string) 
detectiontype (string) engines (array) externalticketexists (boolean) externalticketid (object) failedactions (boolean) fileextension (object) fileextensiontype (object) filepath (string) filesize (number) fileverificationtype (object) identifiedat (string) incidentstatus (string) incidentstatusdescription (string) initiatedby (string) initiatedbydescription (string) initiatinguserid (object) initiatingusername (object) isfileless (boolean) isvalidcertificate (object) maliciousprocessarguments (object) md5 (object) mitigatedpreemptively (boolean) mitigationstatus (string) mitigationstatusdescription (string) originatorprocess (string) pendingactions (boolean) processuser (string) publishername (object) reachedeventslimit (object) rebootrequired (boolean) sha1 (string) sha256 (object) storyline (string) threatid (string) threatname (string) updatedat (string) whiteningoptions (array)

**Response Headers (header: type):** server: string; date: string; content-type: string; transfer-encoding: string; connection: string; x-rqid: string; access-control-allow-origin: string; access-control-allow-credentials: string; vary: string; strict-transport-security: string; x-frame-options: string; x-content-type-options: string; content-security-policy: string; cache-control: string; pragma: string; expires: string; content-encoding: string