Get Threat Events
Description: Retrieve all threat events associated with a given 'threat id' in SentinelOne, for focused incident analysis. Endpoint URL: /web/api/v2.1/threats/{{threat id}}/explore/events. Method: GET. Inputs: path parameters (object) – required; threat id (string) – required. Parameters (object): eventid (string), sortby (string), limit (number), skip (number), sortorder (string), skipcount (boolean), countonly (boolean), cursor (string), eventsubtypes (array), processname like (string), eventtypes (array). Output example: \[ { "status code" 200, "response headers" { "server" "nginx", "date" "tue, 06 dec 2022 20🕛03 gmt", "content type" "application/json", "transfer encoding" "chunked", "connection" "keep alive", "x rqid" "19f65f98 24e9 42e2 b9bc d1c075019219", "access control allow origin" "https //usea1 attivo sentinelone net", "access control allow credentials" "true", "vary" "origin", "strict transport security" "max age=31536000; includesubdomains", "x frame options" "sameorigin", "x content type options" "nosniff", "content security policy" "default src 'self' ; connect src 'self' cdn pendo io app pendo io pendo io data pendo io storage googleapis com sentry io sentry io google analytics com gstatic com unpkg com cdn auth0 com wss\ // sentinelone net https //www googletagmanager com https //cdnjs cloudflare com data ; script src 'self' 'unsafe inline' 'unsafe eval' cdn pendo io app pendo io pendo io static storage googleapis com cdn pendo io storage googleapis com data pendo io https //www google analytics com https //www googletagmanager com https //unpkg com https //cdnjs cloudflare com ; img src 'self' data https //www google analytics com cdn pendo io app pendo io sentinelone com storage googleapis com data pendo io ; style src 'self' 'unsafe inline' app pendo io cdn pendo io storage googleapis com https //fonts googleapis com https //cdnjs cloudflare com ; font src 'self' data https //fonts gstatic com https //cdn auth0 com ; frame src 'self' blob https //receptive io https // 
pendo io https //pendo io extensions storage googleapis com/ https // youtube com ; frame ancestors 'self' app pendo io ; object src 'none'", "cache control" "no store", "pragma" "no cache", "expires" " 1", "content encoding" "gzip" }, "reason" "ok", "json body" { "data" \[ { "activecontentfileid" null, "activecontenthash" null, "activecontentpath" null, "agentdomain" "", "agentgroupid" "1286405255265411734", "agentid" "1286438987267469377", "agentinfected" true, "agentip" "96 79 235 37", "agentisactive" true, "agentisdecommissioned" false, "agentmachinetype" "server", "agentname" "localhost localdomain", "agentnetworkstatus" "disconnected", "agentos" "linux", "agentuuid" "33b3a892 d388 d3e6 6ead a98acb5d054c", "agentversion" "21 10 1 6", "connectionstatus" null, "createdat" "2021 12 14t20 23 45 999000z", "direction" null, "dnsrequest" null, "dnsresponse" null, "dstip" null, "dstport" null, "eventtype" "process creation", "filefullname" null, "fileid" null, "filemd5" null, "filesha1" "3395856ce81f2b7382dee72602f798b642f14140", "filesha256" null, "filesize" null, "filetype" null, "hasactivecontent" null, "id" "1569749506546751259", "indicatorcategory" null, "indicatordescription" null, "indicatormetadata" null, "indicatorname" null, "loginsbasetype" null, "loginsusername" null, "md5" null, "networkmethod" null, "networksource" null, "networkurl" null, "objecttype" "process", "oldfilemd5" null, "oldfilename" null, "oldfilesha1" null, "oldfilesha256" null, "parentpid" null, "parentprocessname" null, "parentprocessuniquekey" null, "pid" "22566", "processcmd" null, "processdisplayname" "scp", "processgroupid" "da7e026e d34d 87c7 e3fa 4f67b761e4c9", "processimagepath" null, "processimagesha1hash" "3395856ce81f2b7382dee72602f798b642f14140", "processintegritylevel" null, "processisredirectedcommandprocessor" null, "processiswow64" null, "processname" "scp", "processroot" "true", "processsessionid" null, "processstarttime" null, "processsubsystem" null, "processuniquekey" 
"da7e026e d34d 87c7 e3fa 4f67b761e4c9 22566", "processusername" null, "protocol" null, "publisher" null, "registryclassification" null, "registryid" null, "registrypath" null, "relatedtothreat" false, "rpid" null, "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "sha256" null, "signaturesignedinvalidreason" null, "signedstatus" null, "sitename" "default site", "srcip" null, "srcport" null, "storyline" "da7e026e d34d 87c7 e3fa 4f67b761e4c9", "taskname" null, "taskpath" null, "threatstatus" null, "tid" null, "truecontext" "da7e026e d34d 87c7 e3fa 4f67b761e4c9", "user" null, "verifiedstatus" null }, { "activecontentfileid" null, "activecontenthash" null, "activecontentpath" null, "agentdomain" "", "agentgroupid" "1286405255265411734", "agentid" "1286438987267469377", "agentinfected" true, "agentip" "96 79 235 37", "agentisactive" true, "agentisdecommissioned" false, "agentmachinetype" "server", "agentname" "localhost localdomain", "agentnetworkstatus" "disconnected", "agentos" "linux", "agentuuid" "33b3a892 d388 d3e6 6ead a98acb5d054c", "agentversion" "21 10 1 6", "connectionstatus" null, "createdat" "2021 12 14t20 23 46z", "direction" null, "dnsrequest" null, "dnsresponse" null, "dstip" null, "dstport" null, "eventtype" "file creation", "filefullname" "/home/swimlane host/eicar com", "fileid" "110885 fanotify", "filemd5" null, "filesha1" "3395856ce81f2b7382dee72602f798b642f14140", "filesha256" null, "filesize" null, "filetype" "", "hasactivecontent" null, "id" "1569749506538362650", "indicatorcategory" null, "indicatordescription" null, "indicatormetadata" null, "indicatorname" null, "loginsbasetype" null, "loginsusername" null, "md5" null, "networkmethod" null, "networksource" null, "networkurl" null, "objecttype" "file", "oldfilemd5" null, "oldfilename" null, "oldfilesha1" null, "oldfilesha256" null, "parentpid" null, "parentprocessname" null, "parentprocessuniquekey" null, "pid" "22566", "processcmd" null, "processdisplayname" "scp", "processgroupid" "da7e026e 
d34d 87c7 e3fa 4f67b761e4c9", "processimagepath" null, "processimagesha1hash" "3395856ce81f2b7382dee72602f798b642f14140", "processintegritylevel" null, "processisredirectedcommandprocessor" null, "processiswow64" null, "processname" "scp", "processroot" null, "processsessionid" null, "processstarttime" null, "processsubsystem" null, "processuniquekey" "da7e026e d34d 87c7 e3fa 4f67b761e4c9 22566", "processusername" null, "protocol" null, "publisher" null, "registryclassification" null, "registryid" null, "registrypath" null, "relatedtothreat" false, "rpid" null, "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "sha256" null, "signaturesignedinvalidreason" null, "signedstatus" null, "sitename" "default site", "srcip" null, "srcport" null, "storyline" "da7e026e d34d 87c7 e3fa 4f67b761e4c9", "taskname" null, "taskpath" null, "threatstatus" null, "tid" null, "truecontext" "da7e026e d34d 87c7 e3fa 4f67b761e4c9", "user" null, "verifiedstatus" "" } ], "pagination" { "nextcursor" null, "totalitems" 2 } } } ] output parameters status code (number) reason (string) json body (object) data (array) activecontentfileid (object) activecontenthash (object) activecontentpath (object) agentdomain (string) agentgroupid (string) agentid (string) agentinfected (boolean) agentip (string) agentisactive (boolean) agentisdecommissioned (boolean) agentmachinetype (string) agentname (string) agentnetworkstatus (string) agentos (string) agentuuid (string) agentversion (string) connectionstatus (object) createdat (string) direction (object) dnsrequest (object) dnsresponse (object) dstip (object) dstport (object) eventtype (string) filefullname (string) fileid (string) filemd5 (object) filesha1 (string) filesha256 (object) filesize (object) filetype (string) hasactivecontent (object) id (string) indicatorcategory (object) indicatordescription (object) indicatormetadata (object) indicatorname (object) loginsbasetype (object) loginsusername (object) md5 (object) networkmethod (object) 
networksource (object) networkurl (object) objecttype (string) oldfilemd5 (object) oldfilename (object) oldfilesha1 (object) oldfilesha256 (object) parentpid (object) parentprocessname (object) parentprocessuniquekey (object) pid (string) processcmd (object) processdisplayname (string) processgroupid (string) processimagepath (object) processimagesha1hash (string) processintegritylevel (object) processisredirectedcommandprocessor (object) processiswow64 (object) processname (string) processroot (object) processsessionid (object) processstarttime (object) processsubsystem (object) processuniquekey (string) processusername (object) protocol (object) publisher (object) registryclassification (object) registryid (object) registrypath (object) relatedtothreat (boolean) rpid (object) sha1 (string) sha256 (object) signaturesignedinvalidreason (object) signedstatus (object) sitename (string) srcip (object) srcport (object) storyline (string) taskname (object) taskpath (object) threatstatus (object) tid (object) truecontext (string) user (object) verifiedstatus (string) pagination (object) nextcursor (object) totalitems (number) response headers header type server string date string content type string transfer encoding string connection string x rqid string access control allow origin string access control allow credentials string vary string strict transport security string x frame options string x content type options string content security policy string cache control string pragma string expires string content encoding string