SentinelOne
The SentinelOne connector enables seamless integration of SentinelOne's advanced threat detection and response capabilities with the Swimlane Turbine platform. SentinelOne is a cutting-edge cybersecurity platform that specializes in endpoint protection and offers automated threat detection and response capabilities. By integrating with Swimlane Turbine, users can streamline their security operations, leveraging SentinelOne's advanced features to quickly identify, analyze, and respond to security threats. This integration empowers users to enhance their security posture and reduce response times without the need for complex coding.

## Prerequisites

To effectively utilize the SentinelOne connector with Swimlane Turbine, ensure you have the following prerequisites:

API Key Authentication

- URL: the endpoint URL for the SentinelOne management API
- API Token: your unique API token for authenticating requests to SentinelOne

### Obtaining an API token

1. Navigate to the SentinelOne portal.
2. Select your user in the upper right corner of the menu.
3. Select the menu by your user account name, then select My User.
4. A modal will pop up displaying your account information.
5. Select Generate to generate a new API token and copy the value into the Swimlane asset.

## Capabilities

The SentinelOne integration provides the following capabilities:

- Add Threat Note
- Broadcast Message
- Connect Agents
- Create Blacklist Item
- Create Exclusion
- Create Power Query and Get Query ID
- Deep Visibility Create Query and Get Query ID
- Deep Visibility Get Events by Query ID
- Delete Blocklist Item
- Delete Threat Note
- Disconnect Agents
- Download From Cloud
- Fetch Files
- Fetch Threat File
- Get Activities
- and so on

### Initiate Scan action

Full Disk Scan finds dormant suspicious activity, threats, and compliance violations, which are then mitigated according to the policy. It scans the local file system. Full Disk Scan does not inspect drives that require user credentials (such as network drives) or external drives. Full Disk Scan does not work on hashes: it does not check each file against the blacklist. If the Static AI determines a file is suspicious, the Agent calculates its hash and checks whether the hash is in the blacklist. If a file is executed, all aspects of the process are inspected, including hash-based analysis and blacklist checks. Full Disk Scan can run when the endpoint is offline, but when it is connected to the Management, it can use the most up-to-date cloud data to improve detection.

### Create Firewall Rule

To keep it simple for the user, this action currently only supports adding remote hosts to a firewall rule. Should this action need to be expanded to support others, please contact Swimlane support.

### About Deep Visibility queries

For complete query syntax, see Query Syntax in the Knowledge Base (support.sentinelone.com) or the console help.

## Configurations

### API Key Authentication

Authenticates using an API key.

#### Configuration parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | Required |
| API Token | API token | string | Required |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

## Actions

### Add Threat Note

Adds a note to identified threats within SentinelOne using specified data and filters.

- Endpoint URL: `web/api/v2.1/threats/notes`
- Method: POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| `data` | object | Required | Response data |
| `data.text` | string | Required | Parameter for Add Threat Note |
| `filter` | object | Optional | Parameter for Add Threat Note |
| `filter.ids` | array | Required | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `data.affected` | number | Output field affected |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx",
      "date": "Mon, 14 Nov 2022 21:12:44 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-rqid": "f71d36aa-c8c9-4fdd-8df6-86c97d631c69",
      "access-control-allow-origin": "https://attivo-us.sentinelone.net",
      "access-control-allow-credentials": "true",
      "vary": "Origin",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self' ; connect-src 'self' cdn.pendo.io app.pendo.io pendo io dat",
      "cache-control": "no-store",
      "pragma": "no-cache"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

### Broadcast Message

Sends a custom message to SentinelOne Agents using specified filter criteria; requires the 'data' and 'filter' parameters.

- Endpoint URL: `web/api/v2.0/agents/actions/broadcast`
- Method: POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| `filter` | object | Required | Parameter for Broadcast Message |
| `filter.updatedAt__gte` | string | Optional | Parameter for Broadcast Message |
| `filter.operationalStates` | array | Optional | Parameter for Broadcast Message |
| `filter.locationIds__nin` | array | Optional | Unique identifier |
| `filter.lastSuccessfulScanDate__between` | string | Optional | Whether the operation was successful |
| `filter.externalIp__contains` | array | Optional | Parameter for Broadcast Message |
| `filter.groupIds` | array | Optional | Unique identifier |
| `filter.threatRebootRequired` | array | Optional | Parameter for Broadcast Message |
| `filter.missingPermissions` | array | Optional | Parameter for Broadcast Message |
| `filter.adUsername__contains` | array | Optional | Name of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `errors` | array | Error message, if any |
| `data` | object | Response data |
| `data.affected` | string | Output field affected |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "errors": [],
      "data": {}
    }
  }
]
```

### Connect Agents

Reconnects disconnected SentinelOne endpoints, using a specified filter to match and target Agents.

- Endpoint URL: `web/api/v2.1/agents/actions/connect`
- Method: POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| `filter` | object | Required | Parameter for Connect Agents |
| `filter.ids` | array | Required | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `data.affected` | number | Output field affected |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx",
      "date": "Wed, 16 Nov 2022 19:32:07 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-rqid": "d448b9e3-ca4d-4bf2-b828-10a74f33c3be",
      "access-control-allow-origin": "https://attivo-us.sentinelone.net",
      "access-control-allow-credentials": "true",
      "vary": "Origin",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self' ; connect-src 'self' cdn.pendo.io app.pendo.io pendo io dat",
      "cache-control": "no-store",
      "pragma": "no-cache"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

### Create Blacklist Item

Creates a blacklist item in SentinelOne using a SHA1 hash to define scope filters for enhanced protection.

- Endpoint URL: `web/api/v2.1/restrictions`
- Method: POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| `filter` | object | Optional | Parameter for Create Blacklist Item |
| `filter.tenant` | boolean | Optional | Parameter for Create Blacklist Item |
| `filter.siteIds` | array | Optional | Unique identifier |
| `data` | object | Required | Response data |
| `data.osType` | string | Required | Type of the resource |
| `data.type` | string | Required | Type of the resource |
| `data.description` | string | Optional | Parameter for Create Blacklist Item |
| `data.value` | string | Required | Value for the parameter |
| `data.source` | string | Optional | Parameter for Create Blacklist Item |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `errors` | array | Error message, if any |
| `errors[].file_name` | string | Name of the resource |
| `errors[].file` | string | Output field file |
| `data` | array | Response data |
| `data[].scope` | object | Output field scope |
| `data[].scope.siteIds` | array | Unique identifier |
| `data[].scope.tenant` | boolean | Output field tenant |
| `data[].scope.groupIds` | array | Unique identifier |
| `data[].scope.accountIds` | array | Unique identifier |
| `data[].username` | string | Name of the resource |
| `data[].userId` | string | Unique identifier |
| `data[].updatedAt` | string | Output field updatedAt |
| `data[].createdAt` | string | Output field createdAt |
| `data[].notRecommended` | string | Output field notRecommended |
| `data[].osType` | string | Type of the resource |
| `data[].source` | string | Output field source |
| `data[].description` | string | Output field description |
| `data[].value` | string | Value for the parameter |
| `data[].type` | string | Type of the resource |
| `data[].scopeName` | string | Name of the resource |
| `data[].id` | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 400,
    "response_headers": {
      "server": "nginx",
      "date": "Wed, 16 Nov 2022 18:21:30 GMT",
      "content-type": "application/json",
      "content-length": "152",
      "connection": "keep-alive",
      "access-control-allow-origin": "https://attivo-us.sentinelone.net",
      "access-control-allow-credentials": "true",
      "vary": "Origin",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self' ; connect-src 'self' cdn.pendo.io app.pendo.io pendo io dat"
    },
    "reason": "OK",
    "json_body": {
      "errors": [],
      "data": []
    }
  }
]
```

### Create Exclusion

Establishes exclusions in SentinelOne to suppress alerts and mitigate benign items; requires the 'data' and 'filter' inputs.

- Endpoint URL: `/web/api/v2.1/exclusions`
- Method: POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| `data` | object | Required | Response data |
| `data.osType` | string | Required | OS type |
| `data.type` | string | Required | Exclusion item type |
| `data.value` | string | Required | Value for the item type |
| `data.actions` | array | Optional | Actions to perform |
| `data.description` | string | Optional | Description |
| `data.mode` | string | Optional | Exclusion mode (path exclusion only) |
| `data.pathExclusionType` | string | Optional | Excluded path for a path exclusion list |
| `data.source` | string | Optional | Source |
| `filter` | object | Required | Parameter for Create Exclusion |
| `filter.accountIds` | array | Optional | List of Account IDs to filter by |
| `filter.groupIds` | array | Optional | List of Group IDs to filter by |
| `filter.siteIds` | array | Optional | List of Site IDs to filter by |
| `filter.tenant` | boolean | Optional | Indicates a tenant scope request |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `data.scope` | object | Output field scope |
| `data.scope.accountIds` | array | Unique identifier |
| `data.scope.groupIds` | array | Unique identifier |
| `data.scope.siteIds` | array | Unique identifier |
| `data.scope.tenant` | boolean | Output field tenant |
| `data.actions` | array | Output field actions |
| `data.createdAt` | string | Output field createdAt |
| `data.description` | string | Output field description |
| `data.id` | string | Unique identifier |
| `data.mode` | string | Output field mode |
| `data.notRecommended` | string | Output field notRecommended |
| `data.osType` | string | Type of the resource |
| `data.pathExclusionType` | string | Type of the resource |
| `data.scopeName` | string | Name of the resource |
| `data.source` | string | Output field source |
| `data.type` | string | Type of the resource |
| `data.updatedAt` | string | Output field updatedAt |
| `data.userId` | string | Unique identifier |
| `data.username` | string | Name of the resource |
| `data.value` | string | Value for the parameter |
| `errors` | array | Error message, if any |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json",
      "date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "data": {},
      "errors": []
    }
  }
]
```

### Create Power Query and Get Query ID

Executes a Deep Visibility Power Query in SentinelOne and provides a status with a unique query ID for result retrieval. Requires `fromDate`, `query`, and `toDate`.

- Endpoint URL: `/web/api/v2.1/dv/events/pq`
- Method: POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| `query` | string | Required | Events matching the query search term will be returned |
| `accountIds` | string | Optional | List of Account IDs to filter by |
| `siteIds` | string | Optional | List of Site IDs to filter by |
| `toDate` | string | Required | Events created before or at this timestamp |
| `limit` | number | Optional | Limit number of returned items (1-100000) |
| `fromDate` | string | Required | Events created after this timestamp |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `data.columns` | array | Output field columns |
| `data.columns[].file_name` | string | Name of the resource |
| `data.columns[].file` | string | Output field file |
| `data.data` | array | Response data |
| `data.data[].file_name` | string | Name of the resource |
| `data.data[].file` | string | Output field file |
| `data.externalId` | string | Unique identifier |
| `data.progress` | number | Output field progress |
| `data.queryId` | string | Unique identifier |
| `data.recommendations` | array | Output field recommendations |
| `data.recommendations[].file_name` | string | Name of the resource |
| `data.recommendations[].file` | string | Output field file |
| `data.status` | string | Status value |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx",
      "date": "Mon, 22 Apr 2024 08:49:49 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-rqid": "32b46d87-e912-4ed0-9012-4e617cc9a015",
      "access-control-allow-origin": "https://cns-na1.sentinelone.net",
      "access-control-allow-credentials": "true",
      "vary": "Origin",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self' ; connect-src 'self' sentinelone.net cdn.pendo.io app.pendo",
      "cache-control": "no-store",
      "pragma": "no-cache"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

### Deep Visibility Create Query and Get Query ID

Executes a SentinelOne Deep Visibility query using specified parameters and returns the unique query ID.

- Endpoint URL: `web/api/v2.1/dv/init-query`
- Method: POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| `query` | string | Required | Parameter for Deep Visibility Create Query and Get Query ID |
| `fromDate` | string | Required | Date value |
| `toDate` | string | Required | Date value |
| `queryType` | array | Optional | Type of the resource |
| `tenant` | boolean | Optional | Parameter for Deep Visibility Create Query and Get Query ID |
| `siteIds` | array | Optional | Unique identifier |
| `groupIds` | array | Optional | Unique identifier |
| `accountIds` | array | Optional | Unique identifier |
| `limit` | number | Optional | Parameter for Deep Visibility Create Query and Get Query ID |
| `isVerbose` | boolean | Optional | Show all fields or just priority fields |
| `timeFrame` | string | Optional | Time frame that the query was performed on; when omitted, defaults to "Last 48 Hours" |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `data.queryId` | string | Unique identifier |
| `data.queryModeInfo` | object | Output field queryModeInfo |
| `data.queryModeInfo.lastActivatedAt` | string | Output field lastActivatedAt |
| `data.queryModeInfo.mode` | string | Output field mode |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx",
      "date": "Wed, 16 Nov 2022 20:26:37 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-rqid": "6b98f9cc-a555-4fe3-8b6e-ccf55ec6eacf",
      "access-control-allow-origin": "https://attivo-us.sentinelone.net",
      "access-control-allow-credentials": "true",
      "vary": "Origin",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self' ; connect-src 'self' cdn.pendo.io app.pendo.io pendo io dat",
      "cache-control": "no-store",
      "pragma": "no-cache"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

### Deep Visibility Get Events by Query ID

Retrieves all Deep Visibility events linked to a specific `queryId` in SentinelOne, following an 'init query' operation.

- Endpoint URL: `web/api/v2.1/dv/events`
- Method: GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| `queryId` | string | Required | Unique identifier |
| `limit` | number | Optional | Parameter for Deep Visibility Get Events by Query ID |
| `sortOrder` | string | Optional | Parameter for Deep Visibility Get Events by Query ID |
| `cursor` | string | Optional | Cursor position returned by the last request. Should be used instead of `skip`. Cursor currently supports `sortBy` with `createdAt`, `pid`, `processStartTime` |
| `skip` | string | Optional | Skip first number of items (0-1000). To iterate over more than 1000 items, use `cursor` |
| `sortBy` | string | Optional | Events sorted by field |
| `subQuery` | string | Optional | Create a sub query to run on the data that was already pulled |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | array | Response data |
| `data[].networkMethod` | string | HTTP method to use |
| `data[].indicatorCategory` | string | Output field indicatorCategory |
| `data[].agentVersion` | string | Output field agentVersion |
| `data[].agentUuid` | string | Unique identifier |
| `data[].createdAt` | string | Output field createdAt |
| `data[].agentMachineType` | string | Type of the resource |
| `data[].forensicUrl` | string | URL endpoint for the request |
| `data[].fileSize` | string | Output field fileSize |
| `data[].parentProcessUniqueKey` | string | Output field parentProcessUniqueKey |
| `data[].fileType` | string | Type of the resource |
| `data[].taskPath` | string | Output field taskPath |
| `data[].oldFileMd5` | string | Output field oldFileMd5 |
| `data[].fileMd5` | string | Output field fileMd5 |
| `data[].trueContext` | string | Output field trueContext |
| `data[].verifiedStatus` | string | Status value |
| `data[].processIsRedirectedCommandProcessor` | string | Output field processIsRedirectedCommandProcessor |
| `data[].agentIsDecommissioned` | boolean | Output field agentIsDecommissioned |
| `data[].oldFileName` | string | Name of the resource |
| `data[].indicatorMetadata` | string | Response data |
| `data[].dstIp` | string | Output field dstIp |
| `data[].parentProcessName` | string | Name of the resource |
| `data[].processImagePath` | string | Output field processImagePath |

#### Example

```json
[
  {
    "status_code": 400,
    "response_headers": {
      "server": "nginx",
      "date": "Wed, 16 Nov 2022 20:00:44 GMT",
      "content-type": "application/json",
      "content-length": "97",
      "connection": "keep-alive",
      "access-control-allow-origin": "https://attivo-us.sentinelone.net",
      "access-control-allow-credentials": "true",
      "vary": "Origin",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self' ; connect-src 'self' cdn.pendo.io app.pendo.io pendo io dat"
    },
    "reason": "Bad Request",
    "json_body": {
      "data": [],
      "pagination": {}
    }
  }
]
```
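The two Deep Visibility actions above chain together: the init-query call returns a `queryId`, and the events call is then paged with `cursor` once a result set exceeds the 1000-item `skip` limit. The following Python client is an added example, not code from the Swimlane connector or from SentinelOne. It assumes the `Authorization: ApiToken <token>` header scheme and the `pagination.nextCursor` response field, neither of which this page documents, and it uses a constructed fake console and an illustrative query string so it runs offline.

```python
"""Deep Visibility flow: POST dv/init-query, then page GET dv/events by cursor (added example)."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterator, Optional

# A transport takes (method, url, headers, json_body_or_None) and returns the parsed JSON response.
Transport = Callable[[str, str, dict, Optional[dict]], dict]


def urllib_transport(method: str, url: str, headers: dict, body: Optional[dict]) -> dict:
    """Stdlib HTTP transport for use against a real management console."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class DeepVisibilityClient:
    def __init__(self, base_url: str, api_token: str, transport: Transport = urllib_transport):
        self.base_url = base_url.rstrip("/")
        # Assumption: the console expects the token in an "ApiToken" Authorization scheme.
        self.headers = {"Authorization": f"ApiToken {api_token}", "Content-Type": "application/json"}
        self.transport = transport

    def init_query(self, query: str, from_date: str, to_date: str,
                   site_ids: Optional[list] = None, limit: Optional[int] = None) -> str:
        """Deep Visibility Create Query: POST web/api/v2.1/dv/init-query, returns data.queryId."""
        body = {"query": query, "fromDate": from_date, "toDate": to_date}
        if site_ids:
            body["siteIds"] = site_ids
        if limit is not None:
            body["limit"] = limit
        resp = self.transport("POST", f"{self.base_url}/web/api/v2.1/dv/init-query", self.headers, body)
        return resp["data"]["queryId"]

    def iter_events(self, query_id: str, page_size: int = 1000) -> Iterator[dict]:
        """Deep Visibility Get Events: GET web/api/v2.1/dv/events, following the cursor past 1000 items."""
        cursor = None
        while True:
            params = {"queryId": query_id, "limit": page_size}
            if cursor:
                params["cursor"] = cursor  # the page says to use cursor, not skip, beyond 1000 items
            url = f"{self.base_url}/web/api/v2.1/dv/events?{urllib.parse.urlencode(params)}"
            resp = self.transport("GET", url, self.headers, None)
            yield from resp.get("data") or []
            # Assumption: the next page token lives in pagination.nextCursor (absent/None on the last page).
            cursor = (resp.get("pagination") or {}).get("nextCursor")
            if not cursor:
                return


class FakeConsole:
    """Constructed stand-in for a management console: records requests and serves two event pages."""
    QUERY_ID = "q-constructed-0001"
    PAGES = {
        None: {"data": [{"agentUuid": "agent-a", "processImagePath": r"C:\Windows\System32\cmd.exe"},
                        {"agentUuid": "agent-b", "processImagePath": "/usr/bin/bash"}],
               "pagination": {"nextCursor": "cursor-page-2", "totalItems": 3}},
        "cursor-page-2": {"data": [{"agentUuid": "agent-a", "processImagePath": "/usr/bin/curl"}],
                          "pagination": {"nextCursor": None, "totalItems": 3}},
    }

    def __init__(self):
        self.requests = []

    def __call__(self, method: str, url: str, headers: dict, body: Optional[dict]) -> dict:
        self.requests.append((method, url, body))
        if method == "POST" and url.endswith("/dv/init-query"):
            return {"data": {"queryId": self.QUERY_ID}}
        qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        return self.PAGES[qs.get("cursor", [None])[0]]


def run_demo():
    """Run the full init-query -> paged events flow against the fake console; returns what was seen."""
    console = FakeConsole()
    client = DeepVisibilityClient("https://example-console.sentinelone.net", "API_TOKEN_PLACEHOLDER",
                                  transport=console)
    # Illustrative query string (not from this page); see the Knowledge Base for the real syntax.
    query_id = client.init_query('ProcessName = "cmd.exe"', "2024-04-21T00:00:00Z",
                                 "2024-04-22T00:00:00Z", site_ids=["site-1"])
    events = list(client.iter_events(query_id))
    by_agent: dict = {}
    for event in events:  # agentUuid is one of the documented dv/events output fields
        by_agent[event["agentUuid"]] = by_agent.get(event["agentUuid"], 0) + 1
    return query_id, events, by_agent, console.requests


if __name__ == "__main__":
    qid, evts, agents, reqs = run_demo()
    print(qid, len(evts), agents, len(reqs))
```

Swap `FakeConsole` for `urllib_transport` (the default) and a real console URL and token to run the same flow live.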
### Delete Blocklist Item

Removes a specified item from the SentinelOne blocklist, enabling Agent access to the previously blocked file.

- Endpoint URL: `/web/api/v2.1/restrictions`
- Method: DELETE

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| `data` | object | Required | Response data |
| `data.ids` | array | Optional | Unique identifier |
| `data.type` | string | Optional | Type |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `data.affected` | number | Output field affected |
| `errors` | array | Error message, if any |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": {},
      "errors": []
    }
  }
]
```

### Delete Threat Note

Removes a specific note from a threat in SentinelOne using the provided threat and note IDs.

- Endpoint URL: `web/api/v2.1/threats/{{threat_id}}/notes/{{note_id}}`
- Method: DELETE

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| `threat_id` | string | Required | Unique identifier |
| `note_id` | string | Required | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `data.success` | boolean | Whether the operation was successful |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx",
      "date": "Wed, 16 Nov 2022 14:50:43 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-rqid": "d005d0b4-d6c5-43f2-9a96-25ce505a3c7c",
      "access-control-allow-origin": "https://attivo-us.sentinelone.net",
      "access-control-allow-credentials": "true",
      "vary": "Origin",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self' ; connect-src 'self' cdn.pendo.io app.pendo.io pendo io dat",
      "cache-control": "no-store",
      "pragma": "no-cache"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

### Disconnect Agents

Isolates endpoints from the network in SentinelOne by applying a specified filter, effectively quarantining matching Agents.

- Endpoint URL: `web/api/v2.1/agents/actions/disconnect`
- Method: POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| `filter` | object | Required | Parameter for Disconnect Agents |
| `filter.ids` | array | Required | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `data.affected` | number | Output field affected |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx",
      "date": "Wed, 16 Nov 2022 19:37:27 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-rqid": "1c2a1804-99be-4b04-98ec-502396e71534",
      "access-control-allow-origin": "https://attivo-us.sentinelone.net",
      "access-control-allow-credentials": "true",
      "vary": "Origin",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self' ; connect-src 'self' cdn.pendo.io app.pendo.io pendo io dat",
      "cache-control": "no-store",
      "pragma": "no-cache"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

### Download From Cloud

Downloads a specific threat file from the SentinelOne Cloud using the unique threat ID provided.

- Endpoint URL: `/web/api/v2.1/threats/{{threat_id}}/download-from-cloud`
- Method: GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| `threat_id` | string | Required | Threat ID |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `data.downloadUrl` | string | URL endpoint for the request |
| `data.fileName` | string | Name of the resource |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx",
      "date": "Sun, 21 Apr 2024 17:19:47 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-rqid": "6774d02e-05e6-4a51-8c4c-168411f6fd66",
      "access-control-allow-origin": "https://cns-na1.sentinelone.net",
      "access-control-allow-credentials": "true",
      "vary": "Origin",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self' ; connect-src 'self' sentinelone.net cdn.pendo.io app.pendo",
      "cache-control": "no-store",
      "pragma": "no-cache"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

### Fetch Files

Fetches files of up to 10 MB from specified endpoints within SentinelOne for in-depth threat analysis; requires `agent_id` and `data`.

- Endpoint URL: `/web/api/v2.1/agents/{{agent_id}}/actions/fetch-files`
- Method: POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| `agent_id` | string | Required | Agent ID |
| `data` | object | Required | Response data |
| `data.password` | string | Required | File encryption password |
| `data.files` | string | Optional | List of files to fetch (absolute paths, up to 10 files) |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `data.success` | boolean | Whether the operation was successful |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx",
      "date": "Sun, 21 Apr 2024 10:42:26 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-rqid": "00326c00-9064-4459-b5cd-56ea0fd24ae2",
      "access-control-allow-origin": "https://cns-na1.sentinelone.net",
      "access-control-allow-credentials": "true",
      "vary": "Origin",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self' ; connect-src 'self' sentinelone.net cdn.pendo.io app.pendo",
      "cache-control": "no-store",
      "pragma": "no-cache"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

### Fetch Threat File

Retrieves a file linked to a threat in SentinelOne using filters. 'Fetch Threat File' permissions are required.

- Endpoint URL: `/web/api/v2.1/threats/fetch-file`
- Method: POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| `data` | object | Required | Response data |
| `data.password` | string | Required | File encryption password |
| `filter` | object | Required | Use any of the filtering options to control the list of affected threats. You can use any combination of filters to narrow down the list (for example, "apply to only active threats from Linux endpoints"). You can also leave this field empty to apply to all available threats. Note: the filter must match exactly one threat; bulk operations are not supported |
| `filter.accountIds` | string | Optional | List of Account IDs to filter by |
| `filter.agentIds` | string | Optional | List of Agent IDs |
| `filter.agentIsActive` | boolean | Optional | Include Agents currently connected to the Management Console |
| `filter.agentMachineTypes` | string | Optional | Include Agent machine types |
| `filter.agentMachineTypesNin` | string | Optional | Excluded Agent machine types |
| `filter.agentTagsData` | string | Optional | Filter threats by tags assigned to the related Agent, given as a JSON object where each key is a tag key and each value is a list of string values to filter by. To filter by unassigned tag values, use the `nin` suffix in the tag key |
| `filter.agentVersions` | string | Optional | Include Agent versions |
| `filter.agentVersionsNin` | string | Optional | Excluded Agent versions |
| `filter.analystVerdicts` | string | Optional | Filter threats by a specific analyst verdict |
| `filter.analystVerdictsNin` | string | Optional | Exclude threats with specific analyst verdicts |
| `filter.awsRole__contains` | string | Optional | Free-text filter by AWS role (supports multiple values) |
| `filter.awsSecurityGroups__contains` | string | Optional | Free-text filter by AWS security groups (supports multiple values) |
| `filter.awsSubnetIds__contains` | string | Optional | Free-text filter by AWS subnet IDs (supports multiple values) |
| `filter.azureResourceGroup__contains` | string | Optional | Free-text filter by Azure resource group (supports multiple values) |
| `filter.classifications` | string | Optional | List of threat classifications to search |
| `filter.classificationsNin` | string | Optional | List of threat classifications not to search |
| `filter.classificationSources` | string | Optional | Classification sources list |
| `filter.classificationSourcesNin` | string | Optional | Classification sources list to exclude |
| `filter.cloudAccount__contains` | string | Optional | Free-text filter by cloud account (supports multiple values) |
| `filter.cloudImage__contains` | string | Optional | Free-text filter by cloud image (supports multiple values) |
| `filter.cloudInstanceId__contains` | string | Optional | Free-text filter by cloud instance ID (supports multiple values) |
| `filter.cloudInstanceSize__contains` | string | Optional | Free-text filter by cloud instance size (supports multiple values) |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `data.affected` | number | Output field affected |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json",
      "date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

### Get Activities

Retrieves activity data from SentinelOne with specified filters for relevant and manageable outcomes.

- Endpoint URL: `/web/api/v2.1/activities`
- Method: GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| `accountIds` | string | Optional | List of Account IDs to filter by |
| `activityTypes` | string | Optional | Return only these activity codes (comma-separated list). Select a code from the dropdown, or see the `id` field from the Get Activity Types command |
| `activityUuids` | string | Optional | Return activities by specific activity UUIDs |
| `agentIds` | string | Optional | Return activities related to specified Agents |
| `alertIds` | string | Optional | Return activities related to specified alerts |
| `countOnly` | boolean | Optional | If true, only the total number of items will be returned, without any of the actual objects |
| `createdAt__between` | string | Optional | Get activities created in this range (inclusive) of a start timestamp and an end timestamp |
| `createdAt__gt` | string | Optional | Get activities created after this timestamp |
| `createdAt__gte` | string | Optional | Get activities created after or at this timestamp |
| `createdAt__lt` | string | Optional | Get activities created before this timestamp |
| `createdAt__lte` | string | Optional | Get activities created before or at this timestamp |
| `cursor` | string | Optional | Cursor position returned by the last request. Use to iterate over more than 1000 items |
| `groupIds` | string | Optional | List of Group IDs to filter by |
| `ids` | string | Optional | Filter activities by specific activity IDs |
| `includeHidden` | boolean | Optional | Include internal activities hidden from display |
| `limit` | number | Optional | Limit number of returned items (1-1000) |
| `ruleIds` | string | Optional | Return activities related to specified rules |
| `siteIds` | string | Optional | List of Site IDs to filter by |
| `skip` | number | Optional | Skip first number of items (0-1000). To iterate over more than 1000 items, use `cursor` |
| `skipCount` | boolean | Optional | If true, the total number of items will not be calculated, which speeds up execution time |
| `sortBy` | string | Optional | The column to sort the results by |
| `sortOrder` | string | Optional | Sort direction |
| `threatIds` | string | Optional | Return activities related to specified threats |
| `userEmails` | string | Optional | Email of the user who invoked the activity (if applicable) |
| `userIds` | string | Optional | The user who invoked the activity (if applicable) |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | array | Response data |
| `data[].accountId` | string | Unique identifier |
| `data[].accountName` | string | Name of the resource |
| `data[].activityType` | number | Type of the resource |
| `data[].activityUuid` | string | Unique identifier |
| `data[].agentId` | object | Unique identifier |
| `data[].agentUpdatedVersion` | object | Output field agentUpdatedVersion |
| `data[].comments` | object | Output field comments |
| `data[].createdAt` | string | Output field createdAt |
| `data[].data` | object | Response data |
| `data[].data.accountName` | string | Name of the resource |
| `data[].data.fileName` | string | Name of the resource |
| `data[].data.fullScopeDetails` | string | Output field fullScopeDetails |
| `data[].data.fullScopeDetailsPath` | string | Output field fullScopeDetailsPath |
| `data[].data.groupName` | object | Name of the resource |
| `data[].data.ipAddress` | string | Output field ipAddress |
| `data[].data.majorVersion` | string | Output field majorVersion |
| `data[].data.minorVersion` | string | Output field minorVersion |
| `data[].data.osArch` | string | Output field osArch |
| `data[].data.packageId` | number | Unique identifier |
| `data[].data.platformType` | string | Type of the resource |
| `data[].data.realUser` | object | Output field realUser |
| `data[].data.scopeLevel` | string | Output field scopeLevel |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json",
      "date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "data": [],
      "pagination": {}
    }
  }
]
```

### Get Agent Applications

Retrieves a list of installed applications for a specified SentinelOne Agent by providing the unique Agent ID.

- Endpoint URL: `web/api/v2.1/agents/applications`
- Method: GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| `ids` | array | Required | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | array | Response data |
| `data[].installedDate` | string | Date value |
| `data[].name` | string | Name of the resource |
| `data[].publisher` | string | Output field publisher |
| `data[].size` | number | Output field size |
| `data[].version` | string | Output field version |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx",
      "date": "Wed, 16 Nov 2022 15:25:40 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-rqid": "7bef9a86-f973-47ea-83b6-41f61dd8510b",
      "access-control-allow-origin": "https://attivo-us.sentinelone.net",
      "access-control-allow-credentials": "true",
      "vary": "Origin",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self' ; connect-src 'self' cdn.pendo.io app.pendo.io pendo io dat",
      "cache-control": "no-store",
      "pragma": "no-cache"
    },
    "reason": "OK",
    "json_body": {
      "data": []
    }
  }
]
```

### Get Agents

Obtains SentinelOne Agent data with specific filters to identify and utilize Agent IDs for subsequent operations.

- Endpoint URL: `web/api/v2.1/agents`
- Method: GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| `computerName` | string | Optional | Name of the resource |
| `infected` | boolean | Optional | Parameter for Get Agents |
| `isActive` | boolean | Optional | Parameter for Get Agents |
| `activeThreats` | array | Optional | Parameter for Get Agents |
| `domains` | array | Optional | Parameter for Get Agents |
| `networkStatuses` | array | Optional | Status value |
| `externalIp__contains` | string | Optional | Parameter for Get Agents |
| `ids` | array | Optional | Unique identifier |
| `accountIds` | array | Optional | Unique identifier |
| `uuids` | array | Optional | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | array | Response data |
| `data[].accountId` | string | Unique identifier |
| `data[].accountName` | string | Name of the resource |
| `data[].activeDirectory` | object | Output field activeDirectory |
| `data[].activeDirectory.computerDistinguishedName` | object | Name of the resource |
| `data[].activeDirectory.computerMemberOf` | array | Output field computerMemberOf |
| `data[].activeDirectory.computerMemberOf[].file_name` | string | Name of the resource |
| `data[].activeDirectory.computerMemberOf[].file` | string | Output field file |
| `data[].activeDirectory.lastUserDistinguishedName` | object | Name of the resource |
| `data[].activeDirectory.lastUserMemberOf` | array | Output field lastUserMemberOf |
| `data[].activeDirectory.lastUserMemberOf[].file_name` | string | Name of the resource |
| `data[].activeDirectory.lastUserMemberOf[].file` | string | Output field file |
| `data[].activeThreats` | number | Output field activeThreats |
| `data[].agentVersion` | string | Output field agentVersion |
| `data[].allowRemoteShell` | boolean | Output field allowRemoteShell |
| `data[].appsVulnerabilityStatus` | string | Status value |
| `data[].cloudProviders` | object | Unique identifier |
| `data[].cloudProviders.esxi` | object | Output field esxi |
| `data[].computerName` | string | Name of the resource |
| `data[].consoleMigrationStatus` | string | Status value |
| `data[].coreCount` | number | Count value |
| `data[].cpuCount` | number | Count value |
| `data[].cpuId` | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx",
      "date": "Wed, 16 Nov 2022 17:35:13 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-rqid": "bd078c0d-1020-461b-885a-0028c992ac70",
      "access-control-allow-origin": "https://attivo-us.sentinelone.net",
      "access-control-allow-credentials": "true",
      "vary": "Origin",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self' ; connect-src 'self' cdn.pendo.io app.pendo.io pendo io dat",
      "cache-control": "no-store",
      "pragma": "no-cache"
    },
    "reason": "OK",
    "json_body": {
      "data": [],
      "pagination": {}
    }
  }
]
```

### Get Alerts

Retrieves a list of SentinelOne alerts to identify potential security threats within a specified scope.

- Endpoint URL: `/web/api/v2.1/cloud-detection/alerts`
- Method: GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| `accountIds` | string | Optional | List of Account IDs to filter by |
| `analystVerdict` | string | Optional | Filter threats by an analyst verdict |
| `containerImageName__contains` | string | Optional | Free-text filter by the endpoint container image name (supports multiple values) |
| `containerLabels__contains` | string | Optional | Free-text filter by the endpoint container labels (supports multiple values) |
| `containerName__contains` | string | Optional | Free-text filter by the endpoint container name (supports multiple values) |
| `countOnly` | boolean | Optional | If true, only the total number of items will be returned, without any of the actual objects |
| `createdAt__gt` | string | Optional | Created at greater than |
| `createdAt__gte` | string | Optional | Created at greater than or equal to |
| `createdAt__lt` | string | Optional | Created at less than |
| `createdAt__lte` | string | Optional | Created at less than or equal to |
| `cursor` | string | Optional | Cursor position returned by the last request. Use to iterate over more than 1000 items |
| `disablePagination` | boolean | Optional | If true, all rules for the requested scope will be returned |
| `groupIds` | string | Optional | List of Group IDs to filter by |
| `ids` | array | Optional | A list of alert IDs |
| `incidentStatus` | string | Optional | Filter threats by an incident status |
| `k8sCluster__contains` | string | Optional | Free-text filter by the endpoint Kubernetes cluster name (supports multiple values) |
| `k8sControllerLabels__contains` | string | Optional | Free-text filter by the endpoint Kubernetes controller labels (supports multiple values) |
| `k8sControllerName__contains` | string | Optional | Free-text filter by the endpoint Kubernetes controller name (supports multiple values) |
| `k8sNamespaceLabels__contains` | string | Optional | Free-text filter by the endpoint Kubernetes namespace labels (supports multiple values) |
| `k8sNamespaceName__contains` | string | Optional | Free-text filter by the endpoint Kubernetes namespace name (supports multiple values) |
| `k8sNode__contains` | string | Optional | Free-text filter by the endpoint Kubernetes node name (supports multiple values) |
| `k8sPod__contains` | string | Optional | Free-text filter by the endpoint Kubernetes pod name (supports multiple values) |
| `k8sPodLabels__contains` | string | Optional | Free-text filter by the endpoint Kubernetes pod labels (supports multiple values) |
| `limit` | number | Optional | Limit number of returned items (1-1000) |
| `machineType` | string | Optional | Agent machine type |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | array | Response data |
| `data[].agentDetectionInfo` | object | Output field agentDetectionInfo |
| `data[].agentDetectionInfo.accountId` | string | Unique identifier |
| `data[].agentDetectionInfo.machineType` | object | Type of the resource |
| `data[].agentDetectionInfo.name` | object | Name of the resource |
| `data[].agentDetectionInfo.osFamily` | object | Output field osFamily |
| `data[].agentDetectionInfo.osName` | string | Name of the resource |
| `data[].agentDetectionInfo.osRevision` | string | Output field osRevision |
| `data[].agentDetectionInfo.siteId` | object | Unique identifier |
| `data[].agentDetectionInfo.uuid` | object | Unique identifier |
| `data[].agentDetectionInfo.version` | object | Output field version |
| `data[].alertInfo` | object | Output field alertInfo |
| `data[].alertInfo.alertId` | string | Unique identifier |
| `data[].alertInfo.analystVerdict` | string | Output field analystVerdict |
| `data[].alertInfo.createdAt` | string | Output field createdAt |
| `data[].alertInfo.dnsRequest` | object | Output field dnsRequest |
| `data[].alertInfo.dnsResponse` | object | Output field dnsResponse |
| `data[].alertInfo.dstIp` | object | Output field dstIp |
| `data[].alertInfo.dstPort` | object | Output field dstPort |
| `data[].alertInfo.dvEventId` | object | Unique identifier |
| `data[].alertInfo.eventType` | object | Type of the resource |
| `data[].alertInfo.hitType` | string | Type of the resource |
incidentstatus string unique identifier example \[ { "status code" 200, "response headers" { "content type" "application/json", "date" "thu, 01 jan 2024 00 00 00 gmt" }, "reason" "ok", "json body" { "data" \[], "pagination" {} } } ] get blocklist items retrieves all items in the sentinelone blocklist based on filter criteria like hash values or threat ids endpoint url /web/api/v2 1/restrictions method get input argument name type required description accountids string optional list of account ids to filter by countonly boolean optional if true, only total number of items will be returned, without any of the actual objects createdat between string optional date range for creation time (format \<from timestamp> \<to timestamp>, inclusive) createdat gt string optional created after this timestamp createdat gte string optional created after or at this timestamp createdat lt string optional created before this timestamp createdat lte string optional created before or at this timestamp cursor string optional cursor position returned by the last request use to iterate over more than 1000 items description contains string optional free text filter by description groupids string optional list of group ids to filter by ids string optional list of ids to filter by imported boolean optional indication whether the hash was imported by a bulk operation or not includechildren boolean optional return filters from children scope levels includeparents boolean optional return filters from parent scope levels limit string optional limit number of returned items (1 1000) modes string optional list of modes to filter by (path exclusions only) ostypes string optional list of os types to filter by query string optional a free text search term, will match applicable attributes recommendations string optional list of recommendations to filter by siteids string optional list of site ids to filter by skip string optional skip first number of items (0 1000) to iterate over more than 1000 
items, use "cursor" skipcount boolean optional if true, total number of items will not be calculated, which speeds up execution time sortby string optional the column to sort the results by sortorder string optional sort direction source string optional list sources to filter by output parameter type description status code number http status code of the response reason string response reason phrase data array response data createdat string output field createdat description string output field description id string unique identifier imported boolean output field imported includechildren boolean output field includechildren includeparents boolean output field includeparents notrecommended string output field notrecommended ostype string type of the resource scope object output field scope accountids array unique identifier groupids array unique identifier siteids array unique identifier tenant boolean output field tenant scopename string name of the resource scopepath string output field scopepath source string output field source type string type of the resource updatedat string output field updatedat userid string unique identifier username string name of the resource value string value for the parameter errors array error message if any example \[ { "status code" 200, "response headers" { "content type" "application/json", "date" "thu, 01 jan 2024 00 00 00 gmt" }, "reason" "ok", "json body" { "data" \[], "errors" \[], "pagination" {} } } ] get groups retrieve details of sentinelone groups using specified filter criteria to streamline management and analysis endpoint url /web/api/v2 1/groups method get input argument name type required description accountids string optional list of account ids to filter by countonly boolean optional if true, only total number of items will be returned, without any of the actual objects cursor string optional cursor position returned by the last request use to iterate over more than 1000 items description string optional the 
description for the group groupids string optional list of group ids to filter by id string optional id isdefault boolean optional if true, default group is set limit string optional limit number of returned items (1 300) name string optional name query string optional free text search on fields name, description rank string optional the rank sets the priority of a dynamic group over others registrationtoken string optional registration token siteids string optional list of site ids to filter by skip string optional skip first number of items (0 1000) to iterate over more than 1000 items, use "cursor" skipcount boolean optional if true, total number of items will not be calculated, which speeds up execution time sortby string optional the column to sort the results by sortorder string optional sort direction type string optional group type types string optional a list of group types updatedat gt string optional updated at greater than updatedat gte string optional updated at greater or equal than updatedat lt string optional updated at lesser than updatedat lte string optional updated at lesser or equal than output parameter type description status code number http status code of the response reason string response reason phrase data array response data createdat string output field createdat creator string output field creator creatorid string unique identifier filterid object unique identifier filtername object name of the resource id string unique identifier inherits boolean output field inherits isdefault boolean output field isdefault name string name of the resource rank object output field rank registrationtoken string output field registrationtoken siteid string unique identifier totalagents number output field totalagents type string type of the resource updatedat string output field updatedat pagination object output field pagination nextcursor object output field nextcursor totalitems number output field totalitems example \[ { "status code" 200, 
"response headers" { "server" "nginx", "date" "tue, 11 jun 2024 11 26 21 gmt", "content type" "application/json", "transfer encoding" "chunked", "connection" "keep alive", "x rqid" "112653fa 4329 4f71 a7a6 5dc163b97fd2", "access control allow origin" "https //cns na1 sentinelone net", "access control allow credentials" "true", "vary" "origin", "strict transport security" "max age=31536000; includesubdomains", "x frame options" "sameorigin", "x content type options" "nosniff", "content security policy" "default src 'self' ; connect src 'self' sentinelone net cdn pendo io app pendo ", "cache control" "no store", "pragma" "no cache" }, "reason" "ok", "json body" { "data" \[], "pagination" {} } } ] get hash retrieve the classification of a specified hash from sentinelone, utilizing the hash as a path parameter endpoint url /web/api/v2 1/hashes/{{hash}}/reputation method get input argument name type required description hash string required parameter for get hash output parameter type description status code number http status code of the response reason string response reason phrase data object response data rank string output field rank example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "mon, 14 nov 2022 20 17 39 gmt", "content type" "application/json", "transfer encoding" "chunked", "connection" "keep alive", "x rqid" "64e8155a 3841 4681 a3c7 27a64ebebf5a", "access control allow origin" "https //attivo us sentinelone net", "access control allow credentials" "true", "vary" "origin", "strict transport security" "max age=31536000; includesubdomains", "x frame options" "sameorigin", "x content type options" "nosniff", "content security policy" "default src 'self' ; connect src 'self' cdn pendo io app pendo io pendo io dat ", "cache control" "no store", "pragma" "no cache" }, "reason" "ok", "json body" { "data" {} } } ] get rogues settings retrieve the current configuration settings for rogue devices from sentinelone endpoint url /web/api/v2 
1/rogues/settings method get input argument name type required description accountids array optional unique identifier siteids array optional unique identifier output parameter type description status code number http status code of the response reason string response reason phrase data object response data minagentsinnetworktoscan number output field minagentsinnetworktoscan accountid string unique identifier enabled boolean output field enabled usespecificports boolean output field usespecificports restrictions array output field restrictions annotation string output field annotation values array value for the parameter type string type of the resource specificports array output field specificports values array value for the parameter type string type of the resource errors array error message if any code number output field code detail object output field detail title string output field title example \[ { "status code" 200, "response headers" { "content type" "application/json", "date" "thu, 01 jan 2024 00 00 00 gmt" }, "reason" "ok", "json body" { "data" {}, "errors" \[] } } ] get sites retrieves a list of sentinelone sites based on filter criteria to manage network topology endpoint url /web/api/v2 1/sites method get input argument name type required description accountid string optional account id accountids array optional list of account ids to filter by accountname contain array optional free text filter by account name (supports multiple values) activelicenses number optional active licenses adminonly boolean optional show sites the user has admin privileges to availablemovesites boolean optional only return sites the user can move agents through countonly boolean optional if true, only total number of items will be returned, without any of the actual objects createdat string optional timestamp of site creation cursor string optional cursor position returned by the last request use to iterate over more than 1000 items description string optional the 
description for the site description contains array optional free text filter by site description (supports multiple values) expiration string optional expiration externalid string optional id in a crm external system features array optional if sent return only sites that support this features healthstatus boolean optional health status isdefault boolean optional is default limit number optional limit number of returned items (1 1000) module string optional module name string optional name name contains array optional free text filter by site name (supports multiple values) query string optional full text search for fields name, account name, description (note on single account consoles account name will not be matched) registrationtoken string optional registration token siteids array optional list of site ids to filter by sitetype string optional site type skip number optional skip first number of items (0 1000) to iterate over more than 1000 items, use "cursor" output parameter type description status code number http status code of the response reason string response reason phrase data object response data allsites object output field allsites activelicenses number output field activelicenses totallicenses number output field totallicenses sites array output field sites accountid string unique identifier accountname string name of the resource activelicenses number output field activelicenses createdat string output field createdat creator string output field creator creatorid string unique identifier description object output field description expiration object output field expiration externalid object unique identifier healthstatus boolean status value id string unique identifier isdefault boolean output field isdefault licenses object output field licenses bundles array output field bundles displayname string name of the resource majorversion number output field majorversion minorversion number output field minorversion name string name of the resource 
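The `cursor`, `skip` and `limit` semantics documented for Get Alerts, Get Blocklist Items, Get Groups and Get Sites (and again for Get Threats below) govern every list call: `skip` only reaches the first 1000 items, `limit` is capped at 1000 per request, and anything beyond that must follow the cursor returned with each page. The Python below is an added example, not Swimlane's or SentinelOne's code. It follows `nextCursor` until the console stops returning one, rejects a `limit` outside 1-1000 and a `skip` beyond 1000 up front, surfaces the documented `errors` array instead of silently returning a partial list, and runs against a constructed in-memory transport so it can be executed offline. The `Authorization: ApiToken <token>` header, the `nextCursor`/`totalItems` field names, the console hostname and the token value are assumptions not stated on this page.

```python
"""Cursor pagination over SentinelOne Management API list endpoints.

Added example, not Swimlane or SentinelOne code. Assumptions not on the page:
the token travels as ``Authorization: ApiToken <token>`` and each response's
``pagination`` object carries ``nextCursor`` (null on the last page) and
``totalItems``. ``make_fake_fetch`` is a constructed stand-in for the console.
"""
from typing import Callable, Dict, Iterator, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

MAX_LIMIT = 1000  # documented: "limit number of returned items (1-1000)"
MAX_SKIP = 1000   # documented: "skip first number of items (0-1000); beyond that use cursor"

# A transport takes (url, headers) and returns the parsed JSON body.
Fetch = Callable[[str, Dict[str, str]], dict]


def iter_items(fetch: Fetch, base_url: str, path: str, token: str,
               params: Optional[dict] = None, limit: int = MAX_LIMIT) -> Iterator[dict]:
    """Yield every item of a list endpoint by following pagination.nextCursor."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be 1-{MAX_LIMIT}, got {limit}")
    if params and "skip" in params and int(params["skip"]) > MAX_SKIP:
        raise ValueError("skip only covers the first 1000 items; use cursor instead")
    headers = {"Authorization": f"ApiToken {token}", "Accept": "application/json"}
    query = dict(params or {}, limit=limit)
    cursor: Optional[str] = None
    while True:
        page_query = dict(query, cursor=cursor) if cursor else query
        url = f"{base_url.rstrip('/')}/{path.lstrip('/')}?{urlencode(page_query, doseq=True)}"
        body = fetch(url, headers)
        if body.get("errors"):  # the errors array is part of the documented output
            raise RuntimeError(f"API returned errors: {body['errors']}")
        yield from body.get("data", [])
        cursor = (body.get("pagination") or {}).get("nextCursor")
        if not cursor:  # null/absent cursor means the last page was served
            return


def make_fake_fetch(records: List[dict], calls: List[str]) -> Fetch:
    """Constructed stand-in for the console: honours limit and cursor, records each URL."""
    def fetch(url: str, headers: Dict[str, str]) -> dict:
        if not headers.get("Authorization", "").startswith("ApiToken "):
            # constructed error object; real error codes are not on this page
            return {"data": [], "errors": [{"title": "Unauthorized"}], "pagination": {}}
        calls.append(url)
        qs = parse_qs(urlparse(url).query)
        limit = min(int(qs.get("limit", ["10"])[0]), MAX_LIMIT)
        start = int(qs.get("cursor", ["0"])[0])  # the fake cursor is just an offset
        end = start + limit
        return {
            "data": records[start:end],
            "errors": [],
            "pagination": {
                "totalItems": len(records),
                "nextCursor": str(end) if end < len(records) else None,
            },
        }
    return fetch


def collect_threat_ids(record_count: int = 2500, limit: int = MAX_LIMIT) -> Tuple[List[str], int]:
    """Page through a constructed threat list; returns (ids in order, number of requests)."""
    records = [{"id": str(1000 + i), "threatInfo": {"threatName": f"sample-{i}"}}
               for i in range(record_count)]
    calls: List[str] = []
    fetch = make_fake_fetch(records, calls)
    ids = [t["id"] for t in iter_items(fetch, "https://console.example.invalid",
                                       "/web/api/v2.1/threats", "placeholder-token", limit=limit)]
    return ids, len(calls)


if __name__ == "__main__":
    ids, requests = collect_threat_ids()
    print(f"collected {len(ids)} threats in {requests} requests")
```

Against a real console, `fetch` would be a thin wrapper around an HTTP client that returns the parsed body; everything else stays the same. The explicit limit and skip checks fail fast in the playbook rather than at the console, which otherwise returns only the first page and leaves the remaining threats unreviewed.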
Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx",
      "date": "Mon, 28 Aug 2023 10:07:53 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-rqid": "fb4ea2f2-3f64-4aa0-817d-7f77429fd646",
      "access-control-allow-origin": "https://usea1-identity.sentinelone.net",
      "access-control-allow-credentials": "true",
      "vary": "Origin",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self' ; connect-src 'self' sentinelone.net cdn.pendo.io app.pendo",
      "cache-control": "no-store",
      "pragma": "no-cache"
    },
    "reason": "OK",
    "json_body": {
      "data": {},
      "pagination": {}
    }
  }
]
```

#### Get Threat Analysis

Retrieve detailed information on a detected threat in SentinelOne using the specified threat ID.

Endpoint URL: `web/api/v2.1/private/threats/{{threat_id}}/analysis`

Method: GET

Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| threat_id | string | required | unique identifier |

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | response reason phrase |
| data | object | response data |
| agentDetectionInfo | object | output field agentDetectionInfo |
| accountId | string | unique identifier |
| accountName | string | name of the resource |
| agentDetectionState | object | output field agentDetectionState |
| agentDomain | string | output field agentDomain |
| agentIpV4 | string | output field agentIpV4 |
| agentIpV6 | string | output field agentIpV6 |
| agentLastLoggedInUpn | object | output field agentLastLoggedInUpn |
| agentLastLoggedInUserMail | object | output field agentLastLoggedInUserMail |
| agentLastLoggedInUserName | string | name of the resource |
| agentMitigationMode | string | output field agentMitigationMode |
| agentOsName | string | name of the resource |
| agentOsRevision | string | output field agentOsRevision |
| agentRegisteredAt | string | output field agentRegisteredAt |
| agentUuid | string | unique identifier |
| agentVersion | string | output field agentVersion |
| cloudProviders | object | unique identifier |
| externalIp | string | output field externalIp |
| groupId | string | unique identifier |
| groupName | string | name of the resource |
| siteId | string | unique identifier |
| siteName | string | name of the resource |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx",
      "date": "Mon, 14 Nov 2022 21:44:11 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-rqid": "fbaffde6-2d29-4834-946d-d3c77ee169f9",
      "access-control-allow-origin": "https://attivo-us.sentinelone.net",
      "access-control-allow-credentials": "true",
      "vary": "Origin",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self' ; connect-src 'self' cdn.pendo.io app.pendo.io pendo.io dat",
      "cache-control": "no-store",
      "pragma": "no-cache"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

#### Get Threat Appearances

Retrieve infected endpoints and the frequency of a threat's appearances in SentinelOne using a specified threat ID.

Endpoint URL: `/web/api/v2.1/private/threats/{{threat_id}}/appearances`

Method: GET

Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| threat_id | string | required | unique identifier |

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | response reason phrase |
| data | object | response data |
| accounts | number | output field accounts |
| agents | number | output field agents |
| firstSeen | string | output field firstSeen |
| groups | number | output field groups |
| lastSeen | string | output field lastSeen |
| sites | number | output field sites |
| timesSeen | number | output field timesSeen |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx",
      "date": "Wed, 16 Nov 2022 19:02:30 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-rqid": "73e105d3-22fa-4f21-9985-f088bc4f75f4",
      "access-control-allow-origin": "https://attivo-us.sentinelone.net",
      "access-control-allow-credentials": "true",
      "vary": "Origin",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self' ; connect-src 'self' cdn.pendo.io app.pendo.io pendo.io dat",
      "cache-control": "no-store",
      "pragma": "no-cache"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

#### Get Threat Events

Retrieve all threat events linked to a specific threat ID in SentinelOne, aiding targeted incident analysis.

Endpoint URL: `/web/api/v2.1/threats/{{threat_id}}/explore/events`

Method: GET

Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| threat_id | string | required | unique identifier |
| eventId | string | optional | unique identifier |
| sortBy | string | optional | parameter for Get Threat Events |
| limit | number | optional | parameter for Get Threat Events |
| skip | number | optional | parameter for Get Threat Events |
| sortOrder | string | optional | parameter for Get Threat Events |
| skipCount | boolean | optional | count value |
| countOnly | boolean | optional | parameter for Get Threat Events |
| cursor | string | optional | parameter for Get Threat Events |
| eventSubTypes | array | optional | type of the resource |
| processName__like | string | optional | name of the resource |
| eventTypes | array | optional | type of the resource |

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | response reason phrase |
| data | array | response data |
| activeContentFileId | object | unique identifier |
| activeContentHash | object | response content |
| activeContentPath | object | response content |
| agentDomain | string | output field agentDomain |
| agentGroupId | string | unique identifier |
| agentId | string | unique identifier |
| agentInfected | boolean | output field agentInfected |
| agentIp | string | output field agentIp |
| agentIsActive | boolean | output field agentIsActive |
| agentIsDecommissioned | boolean | output field agentIsDecommissioned |
| agentMachineType | string | type of the resource |
| agentName | string | name of the resource |
| agentNetworkStatus | string | status value |
| agentOs | string | output field agentOs |
| agentUuid | string | unique identifier |
| agentVersion | string | output field agentVersion |
| connectionStatus | object | status value |
| createdAt | string | output field createdAt |
| direction | object | output field direction |
| dnsRequest | object | output field dnsRequest |
| dnsResponse | object | output field dnsResponse |
| dstIp | object | output field dstIp |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx",
      "date": "Tue, 06 Dec 2022 20:12:03 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-rqid": "19f65f98-24e9-42e2-b9bc-d1c075019219",
      "access-control-allow-origin": "https://usea1-attivo.sentinelone.net",
      "access-control-allow-credentials": "true",
      "vary": "Origin",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self' ; connect-src 'self' cdn.pendo.io app.pendo.io pendo.io dat",
      "cache-control": "no-store",
      "pragma": "no-cache"
    },
    "reason": "OK",
    "json_body": {
      "data": [],
      "pagination": {}
    }
  }
]
```

#### Get Threat Notes

Retrieve all notes linked to the specified threat ID in SentinelOne.

Endpoint URL: `web/api/v2.1/threats/{{threat_id}}/notes`

Method: GET

Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| threat_id | string | required | unique identifier |

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | response reason phrase |
| data | array | response data |
| createdAt | string | output field createdAt |
| creator | string | output field creator |
| creatorId | string | unique identifier |
| edited | boolean | output field edited |
| id | string | unique identifier |
| text | string | output field text |
| updatedAt | string | output field updatedAt |
| pagination | object | output field pagination |
| nextCursor | object | output field nextCursor |
| totalItems | number | output field totalItems |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx",
      "date": "Mon, 14 Nov 2022 21:30:46 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-rqid": "2cc914c5-8abc-4253-8d67-eccaa991bc06",
      "access-control-allow-origin": "https://attivo-us.sentinelone.net",
      "access-control-allow-credentials": "true",
      "vary": "Origin",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self' ; connect-src 'self' cdn.pendo.io app.pendo.io pendo.io dat",
      "cache-control": "no-store",
      "pragma": "no-cache"
    },
    "reason": "OK",
    "json_body": {
      "data": [],
      "pagination": {}
    }
  }
]
```

#### Get Threat Timeline

Retrieve a detailed timeline of a specific threat in SentinelOne using the unique threat ID provided.

Endpoint URL: `web/api/v2.1/threats/{{threat_id}}/timeline`

Method: GET

Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| threat_id | string | required | unique identifier |
| sortOrder | string | optional | parameter for Get Threat Timeline |
| skipCount | boolean | optional | count value |
| activityTypes | number | optional | type of the resource |
| sortBy | string | optional | parameter for Get Threat Timeline |
| countOnly | boolean | optional | parameter for Get Threat Timeline |

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | response reason phrase |
| data | array | response data |
| accountId | string | unique identifier |
| activityType | number | type of the resource |
| agentId | string | unique identifier |
| agentUpdatedVersion | object | output field agentUpdatedVersion |
| createdAt | string | output field createdAt |
| data | object | response data |
| accountName | string | name of the resource |
| computerName | string | name of the resource |
| fileContentHash | string | response content |
| fileDisplayName | string | name of the resource |
| filePath | string | output field filePath |
| fullScopeDetails | string | output field fullScopeDetails |
| fullScopeDetailsPath | string | output field fullScopeDetailsPath |
| groupName | string | name of the resource |
| newStatus | object | status value |
| originalStatus | string | status value |
| siteName | string | name of the resource |
| threatClassification | string | output field threatClassification |
| threatClassificationSource | string | output field threatClassificationSource |
| username | string | name of the resource |
| groupId | string | unique identifier |
| hash | object | output field hash |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx",
      "date": "Mon, 14 Nov 2022 22:05:11 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-rqid": "2a863e30-2f72-4519-9162-4e198dcb768d",
      "access-control-allow-origin": "https://attivo-us.sentinelone.net",
      "access-control-allow-credentials": "true",
      "vary": "Origin",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self' ; connect-src 'self' cdn.pendo.io app.pendo.io pendo.io dat",
      "cache-control": "no-store",
      "pragma": "no-cache"
    },
    "reason": "OK",
    "json_body": {
      "data": [],
      "pagination": {}
    }
  }
]
```

#### Get Threats

Retrieve a comprehensive list of all identified threats from SentinelOne.

Endpoint URL: `web/api/v2.1/threats`

Method: GET

Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| accountIds | array | optional | unique identifier |
| agentIds | array | optional | unique identifier |
| agentIsActive | boolean | optional | parameter for Get Threats |
| agentMachineTypes | array | optional | type of the resource |
| agentMachineTypesNin | array | optional | type of the resource |
| agentVersions | array | optional | parameter for Get Threats |
| agentVersionsNin | array | optional | parameter for Get Threats |
| analystVerdicts | array | optional | parameter for Get Threats |
| analystVerdictsNin | array | optional | parameter for Get Threats |
| awsRole__contains | array | optional | parameter for Get Threats |
| awsSecurityGroups__contains | array | optional | parameter for Get Threats |
| awsSubnetIds__contains | array | optional | unique identifier |
| azureResourceGroup__contains | array | optional | parameter for Get Threats |
| classifications | array | optional | parameter for Get Threats |
| classificationsNin | array | optional | parameter for Get Threats |
| classificationSources | array | optional | parameter for Get Threats |
| classificationSourcesNin | array | optional | parameter for Get Threats |
| cloudAccount__contains | array | optional | parameter for Get Threats |
| cloudImage__contains | array | optional | parameter for Get Threats |
| cloudInstanceId__contains | array | optional | unique identifier |
| cloudInstanceSize__contains | array | optional | parameter for Get Threats |
| cloudLocation__contains | array | optional | parameter for Get Threats |
| cloudNetwork__contains | array | optional | parameter for Get Threats |
| cloudProvider | array | optional | unique identifier |
| cloudProviderNin | array | optional | unique identifier |

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | response reason phrase |
| errors | array | error message, if any |
| type | string | type of the resource |
| pagination | object | output field pagination |
| totalItems | number | output field totalItems |
| nextCursor | string | output field nextCursor |
| data | array | response data |
| mitigationStatus | array | status value |
| lastUpdate | string | date value |
| agentSupportsReport | string | output field agentSupportsReport |
| latestReport | string | output field latestReport |
| groupNotFound | string | output field groupNotFound |
| mitigationEndedAt | string | output field mitigationEndedAt |
| action | string | output field action |
| actionsCounters | object | output field actionsCounters |
| pendingReboot | string | output field pendingReboot |
| failed | string | output field failed |
| total | string | output field total |
| notFound | string | output field notFound |
| success | string | whether the operation was successful |
| status | string | status value |
| mitigationStartedAt | string | output field mitigationStartedAt |
| kubernetesInfo | object | output field kubernetesInfo |
| controllerKind | string | output field controllerKind |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx",
      "date": "Mon, 03 Jul 2023 03:42:11 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-rqid": "96f7b37b-0e6b-4cb7-ba52-1c6bffa6d0fe",
      "access-control-allow-origin": "https://usea1-identity.sentinelone.net",
      "access-control-allow-credentials": "true",
      "vary": "Origin",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self' ; connect-src 'self' pendo.io storage.googleapis.com cdn",
      "cache-control": "no-store",
      "pragma": "no-cache"
    },
    "reason": "OK",
    "json_body": {
      "errors": [],
      "pagination": {},
      "data": []
    }
  }
]
```

#### Initiate Scan

Executes a Full Disk Scan on SentinelOne agents selected by the specified filters to identify threats.

Endpoint URL: `web/api/v2.1/agents/actions/initiate-scan`

Method: POST

Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| data | object | optional | response data |
| filter | object | optional | parameter for Initiate Scan |
| uuids | array | optional | unique identifier |

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | response reason phrase |
| data | object | response data |
| affected | number | output field affected |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx",
      "date": "Mon, 14 Nov 2022 20:10:56 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-rqid": "39073fc2-f1d8-4ac6-880f-2f2c372ff37b",
      "access-control-allow-origin": "https://attivo-us.sentinelone.net",
      "access-control-allow-credentials": "true",
      "vary": "Origin",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self' ; connect-src 'self' cdn.pendo.io app.pendo.io pendo.io dat",
      "cache-control": "no-store",
      "pragma": "no-cache"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

#### Mitigate Threats

Apply a specified mitigation action to threats in SentinelOne, using the `action` and `filter` parameters to target the response.

Endpoint URL: `/web/api/v2.1/threats/mitigate/{{action}}`

Method: POST

Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| action | string | required | parameter for Mitigate Threats |
| filter | object | required | parameter for Mitigate Threats |
| k8sPodLabels__contains | array | optional | parameter for Mitigate Threats |
| updatedAt__gte | string | optional | parameter for Mitigate Threats |
| awsSubnetIds__contains | array | optional | unique identifier |
| agentMachineTypes | array | optional | type of the resource |
| cloudAccount__contains | array | optional | parameter for Mitigate Threats |
| agentVersions | array | optional | parameter for Mitigate Threats |
| siteIds | array | optional | unique identifier |
| classificationSourcesNin | array | optional | parameter for Mitigate Threats |
| storylines | array | optional | parameter for Mitigate Threats |
| detectionAgentVersion__contains | array | optional | parameter for Mitigate Threats |
| createdAt__lt | string | optional | parameter for Mitigate Threats |
| resolved | boolean | optional | parameter for Mitigate Threats |
| mitigatedPreemptively | boolean | optional | parameter for Mitigate Threats |
| detectionEngines | array | optional | parameter for Mitigate Threats |
| threatDetails__contains | array | optional | parameter for Mitigate Threats |
| storyline__contains | array | optional | parameter for Mitigate Threats |
| agentVersionsNin | array | optional | parameter for Mitigate Threats |
| originatedProcess__contains | array | optional | parameter for Mitigate Threats |
| tenant | boolean | optional | parameter for Mitigate Threats |
| cloudProvider | array | optional | unique identifier |
| pendingActions | boolean | optional | parameter for Mitigate Threats |
| agentIds | array | optional | unique identifier |
| detectionAgentDomain__contains | array | optional | parameter for Mitigate Threats |

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | response reason phrase |
| data | object | response data |
| affected | number | output field affected |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx",
      "date": "Mon, 11 Sep 2023 08:58:22 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-rqid": "ca215f22-b23f-4683-a984-d5283635fed4",
      "access-control-allow-origin": "https://usea1-identity.sentinelone.net",
      "access-control-allow-credentials": "true",
      "vary": "Origin",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self' ; connect-src 'self' sentinelone.net cdn.pendo.io app.pendo",
      "cache-control": "no-store",
      "pragma": "no-cache"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

#### New Firewall Rule

Create a SentinelOne Firewall Control rule to manage network traffic for the defined scopes and OS types; a JSON body is required.

Endpoint URL: `web/api/v2.1/firewall-control`

Method: POST

Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| filter | object | optional | parameter for New Firewall Rule |
| accountIds | array | optional | unique identifier |
| siteIds | array | optional | unique identifier |
| tenant | boolean | optional | parameter for New Firewall Rule |
| groupIds | array | optional | unique identifier |
| data | object | optional | response data |
| protocol | string | optional | parameter for New Firewall Rule |
| application | object | optional | parameter for New Firewall Rule |
| type | string | optional | type of the resource |
| values | array | optional | value for the parameter |
| localHost | object | optional | parameter for New Firewall Rule |
| type | string | optional | type of the resource |
| values | array | optional | value for the parameter |
| remoteHost | object | optional | parameter for New Firewall Rule |
| type | string | optional | type of the resource |
| values | array | optional | value for the parameter |
| osTypes | array | optional | type of the resource |
| action | string | optional | parameter for New Firewall Rule |
| localPort | object | optional | parameter for New Firewall Rule |
| type | string | optional | type of the resource |
| values | array | optional | value for the parameter |
| status | string | optional | status value |
| remotePort | object | optional | parameter for New Firewall Rule |
| type | string | optional | type of the resource |
| values | array | optional | value for the parameter |

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | response reason phrase |
| data | object | response data |
| protocol | string | output field protocol |
| createdAt | string | output field createdAt |
| location | object | output field location |
| type | string | type of the resource |
| values | array | value for the parameter |
| name | string | name of the resource |
| scope | string | output field scope |
| id | string | unique identifier |
| tagIds | array | unique identifier |
| order | number | output field order |
| name | string | name of the resource |
| productId | string | unique identifier |
| creatorId | string | unique identifier |
| updatedAt | string | output field updatedAt |
| ruleCategory | string | output field ruleCategory |
| description | string | output field description |
| direction | string | output field direction |
| localPort | object | output field localPort |
| status | string | status value |
| scopeId | string | unique identifier |
| id | string | unique identifier |
| application | object | output field application |

Example (note that this captured response is a 403; the API token used to record it lacked the permission to create Firewall Control rules, so the body carries no rule):

```json
[
  {
    "status_code": 403,
    "response_headers": {
      "server": "nginx",
      "date": "Wed, 16 Nov 2022 17:50:40 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "access-control-allow-origin": "https://attivo-us.sentinelone.net",
      "access-control-allow-credentials": "true",
      "vary": "Origin",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "content-security-policy": "default-src 'self' ; connect-src 'self' cdn.pendo.io app.pendo.io pendo.io dat",
      "content-encoding": "gzip"
    },
    "reason": "Forbidden",
    "json_body": {
      "data": {}
    }
  }
]
```

#### Ping a Power Query

Initiates a follow-up ping on a SentinelOne Deep Visibility Power Query using the provided queryId to check for results.

Endpoint URL: `/web/api/v2.1/dv/events/pq-ping`

Method: GET

Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| paramaters | object | optional | parameter for Ping a Power Query |
| queryId | string | optional | query ID (query parameter) |

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | response reason phrase |
| data | object | response data |
| columns | array | output field columns |
| name | string | name of the resource |
| type | string | type of the
resource data array response data file name string name of the resource file string output field file externalid string unique identifier progress number output field progress queryid string unique identifier recommendations array output field recommendations status string status value example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "mon, 22 apr 2024 09 18 00 gmt", "content type" "application/json", "content length" "94", "connection" "keep alive", "access control allow origin" "https //cns na1 sentinelone net", "access control allow credentials" "true", "vary" "origin", "strict transport security" "max age=31536000; includesubdomains", "x frame options" "sameorigin", "x content type options" "nosniff", "content security policy" "default src 'self' ; connect src 'self' sentinelone net cdn pendo io app pendo " }, "reason" "ok", "json body" { "data" {} } } ] update alert analyst verdict updates the analyst's verdict on an alert within sentinelone based on provided data and filter criteria endpoint url /web/api/v2 1/cloud detection/alerts/analyst verdict method post input argument name type required description filter object required parameter for update alert analyst verdict containerimagename contains string optional free text filter by the endpoint container image name (supports multiple values) limit number optional limit reportedat gte string optional reported at greater or equal than tenant boolean optional indicates a tenant scope request reportedat lte string optional reported at lesser or equal than sourceprocessname contains string optional free text filter by source process name incidentstatus string optional filter threats by a incident status sourceprocesscommandline contains string optional free text filter by source commandline createdat lte string optional created at lesser or equal than k8snamespacelabels contains string optional free text filter by the endpoint kubernetes namespace labels (supports multiple values) 
k8spod contains string optional free text filter by the endpoint kubernetes pod name (supports multiple values) reportedat gt string optional reported at greater than sourceprocessfilehashsha1 contains string optional free text filter by source sha1 k8snode contains string optional free text filter by the endpoint kubernetes node name (supports multiple values) createdat gt string optional created at greater than origagentuuid contains string optional free text filter by agent uuid sourceprocessfilehashmd5 contains string optional free text filter by source md5 query string optional full text search for all fields ostype string optional included os types containername contains string optional free text filter by the endpoint container name (supports multiple values) analystverdict string optional filter threats by a analyst verdict createdat lt string optional created at lesser than origagentname contains string optional free text filter by agent name rulename contains string optional free text filter by rule name output parameter type description status code number http status code of the response reason string response reason phrase data object response data affected number output field affected example \[ { "status code" 200, "response headers" { "content type" "application/json", "date" "thu, 01 jan 2024 00 00 00 gmt" }, "reason" "ok", "json body" { "data" {} } } ] update alert incident updates an alert's incident details in sentinelone with provided data and filter criteria endpoint url /web/api/v2 1/cloud detection/alerts/incident method post input argument name type required description filter object required parameter for update alert incident containerimagename contains array optional free text filter by the endpoint container image name (supports multiple values) limit number optional limit reportedat gte string optional reported at greater or equal than tenant boolean optional indicates a tenant scope request reportedat lte string optional reported at 
lesser or equal than sourceprocessname contains array optional free text filter by source process name incidentstatus array optional filter threats by a incident status sourceprocesscommandline contains array optional free text filter by source commandline createdat lte string optional created at lesser or equal than k8snamespacelabels contains array optional free text filter by the endpoint kubernetes namespace labels (supports multiple values) k8spod contains array optional free text filter by the endpoint kubernetes pod name (supports multiple values) reportedat gt string optional reported at greater than sourceprocessfilehashsha1 contains array optional free text filter by source sha1 k8snode contains array optional free text filter by the endpoint kubernetes node name (supports multiple values) createdat gt string optional created at greater than origagentuuid contains array optional free text filter by agent uuid sourceprocessfilehashmd5 contains array optional free text filter by source md5 query string optional full text search for all fields ostype array optional included os types containername contains array optional free text filter by the endpoint container name (supports multiple values) analystverdict array optional filter threats by a analyst verdict createdat lt string optional created at lesser than origagentname contains array optional free text filter by agent name rulename contains array optional free text filter by rule name output parameter type description status code number http status code of the response reason string response reason phrase data object response data affected number output field affected example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "thu, 18 apr 2024 00 12 38 gmt", "content type" "application/json", "transfer encoding" "chunked", "connection" "keep alive", "x rqid" "d281729a 04f6 40d4 aeef 5f0add7d40a3", "access control allow origin" "https //cns us east 1 prod sentinelone net", "access 
control allow credentials" "true", "vary" "origin", "strict transport security" "max age=31536000; includesubdomains", "x frame options" "sameorigin", "x content type options" "nosniff", "content security policy" "default src 'self' ; connect src 'self' sentinelone net cdn pendo io app pendo ", "cache control" "no store", "pragma" "no cache" }, "reason" "ok", "json body" { "data" {} } } ] update threat analyst verdict modify an analyst's verdict on a threat within sentinelone using filter criteria and provided data endpoint url /web/api/v2 1/threats/analyst verdict method post input argument name type required description filter object required parameter for update threat analyst verdict k8spodlabels contains array optional parameter for update threat analyst verdict updatedat gte string optional parameter for update threat analyst verdict awssubnetids contains array optional unique identifier agentmachinetypes array optional type of the resource cloudaccount contains array optional parameter for update threat analyst verdict agentversions array optional parameter for update threat analyst verdict siteids array optional unique identifier classificationsourcesnin array optional parameter for update threat analyst verdict storylines array optional parameter for update threat analyst verdict detectionagentversion contains array optional parameter for update threat analyst verdict createdat lt string optional parameter for update threat analyst verdict resolved boolean optional parameter for update threat analyst verdict mitigatedpreemptively boolean optional parameter for update threat analyst verdict detectionengines array optional parameter for update threat analyst verdict threatdetails contains array optional parameter for update threat analyst verdict storyline contains array optional parameter for update threat analyst verdict agentversionsnin array optional parameter for update threat analyst verdict originatedprocess contains array optional parameter for 
update threat analyst verdict tenant boolean optional parameter for update threat analyst verdict cloudprovider array optional unique identifier pendingactions boolean optional parameter for update threat analyst verdict agentids array optional unique identifier detectionagentdomain contains array optional parameter for update threat analyst verdict incidentstatusesnin array optional unique identifier output parameter type description status code number http status code of the response reason string response reason phrase data object response data affected number output field affected example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "fri, 08 sep 2023 06 49 11 gmt", "content type" "application/json", "transfer encoding" "chunked", "connection" "keep alive", "x rqid" "5d8a267b 7a4c 4666 819e 54f3ae329128", "access control allow origin" "https //usea1 identity sentinelone net", "access control allow credentials" "true", "vary" "origin", "strict transport security" "max age=31536000; includesubdomains", "x frame options" "sameorigin", "x content type options" "nosniff", "content security policy" "default src 'self' ; connect src 'self' sentinelone net cdn pendo io app pendo ", "cache control" "no store", "pragma" "no cache" }, "reason" "ok", "json body" { "data" {} } } ] update threat external ticket id change the external ticket id for a specified threat in sentinelone using a provided json body input endpoint url web/api/v2 1/threats/external ticket id method post input argument name type required description filter object optional parameter for update threat external ticket id accountids array optional unique identifier osarchs array optional parameter for update threat external ticket id agentmachinetypes array optional type of the resource commandlinearguments contains array optional parameter for update threat external ticket id cloudimage contains array optional parameter for update threat external ticket id limit number optional 
parameter for update threat external ticket id contenthashes string optional response content tenant boolean optional parameter for update threat external ticket id ids array optional unique identifier createdat lte string optional parameter for update threat external ticket id noteexists boolean optional parameter for update threat external ticket id k8spodname contains array optional name of the resource updatedat gte string optional parameter for update threat external ticket id updatedat lt string optional parameter for update threat external ticket id containerimagename contains array optional name of the resource classificationsources array optional parameter for update threat external ticket id confidencelevels array optional unique identifier cloudaccount contains array optional parameter for update threat external ticket id classificationsnin array optional parameter for update threat external ticket id k8scontrollerlabels contains array optional parameter for update threat external ticket id ostypes array optional type of the resource osnamesnin array optional name of the resource realtimeagentversion contains array optional parameter for update threat external ticket id awssecuritygroups contains array optional parameter for update threat external ticket id output parameter type description status code number http status code of the response reason string response reason phrase data object response data affected number output field affected example \[ { "status code" 500, "response headers" { "server" "nginx", "date" "wed, 16 nov 2022 20 32 59 gmt", "content type" "application/json", "content length" "111", "connection" "keep alive", "access control allow origin" "https //attivo us sentinelone net", "access control allow credentials" "true", "vary" "origin", "strict transport security" "max age=31536000; includesubdomains", "x frame options" "sameorigin", "x content type options" "nosniff", "content security policy" "default src 'self' ; connect src 
'self' cdn pendo io app pendo io pendo io dat " }, "reason" "internal server error", "json body" { "data" {} } } ] update threat incident updates a threat incident's details in sentinelone using specified data and filter criteria endpoint url /web/api/v2 1/threats/incident method post input argument name type required description data object required response data incidentstatus string required incident status to update for the threat analystverdict string optional the analyst verdict to set for the threat filter object required parameter for update threat incident createdat lt string optional created at lesser than createdat gt string optional created at greater than updatedat gt string optional updated at greater than updatedat lt string optional updated at lesser than ids array optional list of threat ids groupids array optional list of group ids to filter by siteids array optional list of site ids to filter by accountids array optional list of account ids to filter by incidentstatuses array optional filter threats by a specific incident status classificationsources array optional classification sources list classifications array optional list of threat classifications to search agentids array optional list of agent ids ostypes array optional included os types enginesnin array optional excluded engines ostypesnin array optional excluded os types containerimagename contains array optional free text filter by the endpoint container image name (supports multiple values) k8snodename contains array optional free text filter by the endpoint kubernetes node name (supports multiple values) k8snamespacename contains array optional free text filter by the endpoint kubernetes namespace name (supports multiple values) analystverdicts array optional filter threats by a specific analyst verdict agentisactive boolean optional include agents currently connected to the management console agentmachinetypes array optional include agent machine types output parameter type 
description status code number http status code of the response reason string response reason phrase data object response data affected number output field affected details array output field details result string result of the operation analystverdict string output field analystverdict threatid string unique identifier errors object error message if any example \[ { "status code" 200, "response headers" { "content type" "application/json", "date" "thu, 01 jan 2024 00 00 00 gmt" }, "reason" "ok", "json body" { "data" {}, "errors" {} } } ] update threat note updates a specific threat note in sentinelone using the provided threat id, note id, and data content endpoint url web/api/v2 1/threats/{{threat id}}/notes/{{note id}} method put input argument name type required description threat id string required unique identifier note id string required unique identifier data object required response data text string required parameter for update threat note output parameter type description status code number http status code of the response reason string response reason phrase data object response data createdat string output field createdat edited boolean output field edited id string unique identifier text string output field text updatedat string output field updatedat example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "wed, 16 nov 2022 14 40 53 gmt", "content type" "application/json", "transfer encoding" "chunked", "connection" "keep alive", "x rqid" "83d1f963 2f8f 4f59 86dc 29b6bba6c497", "access control allow origin" "https //attivo us sentinelone net", "access control allow credentials" "true", "vary" "origin", "strict transport security" "max age=31536000; includesubdomains", "x frame options" "sameorigin", "x content type options" "nosniff", "content security policy" "default src 'self' ; connect src 'self' cdn pendo io app pendo io pendo io dat ", "cache control" "no store", "pragma" "no cache" }, "reason" "ok", "json body" { "data" {} 
} } ] response headers header description example access control allow credentials http response header access control allow credentials true access control allow origin http response header access control allow origin https //attivo us sentinelone net https //attivo us sentinelone net cache control directives for caching mechanisms no store connection http response header connection keep alive content encoding http response header content encoding gzip content length the length of the response body in bytes 97 content security policy http response header content security policy default src 'self' ; connect src 'self' sentinelone net cdn pendo io app pendo io pendo io data pendo io scalyr com storage googleapis com sentry io sentry io google analytics com gstatic com unpkg com cdn auth0 com wss\ // sentinelone net https //www googletagmanager com https //www googletagmanager com https //cdnjs cloudflare com https //cdnjs cloudflare com https //dm64t97qsxvuz cloudfront net https //dm64t97qsxvuz cloudfront net data ; script src 'self' 'unsafe inline' 'unsafe eval' sentinelone net cdn pendo io app pendo io pendo io static storage googleapis com storage googleapis com data pendo io https //www google analytics com https //www google analytics com https //www googletagmanager com https //www googletagmanager com https //unpkg com https //unpkg com https //cdnjs cloudflare com https //cdnjs cloudflare com https //dm64t97qsxvuz cloudfront net https //dm64t97qsxvuz cloudfront net ; img src 'self' sentinelone net sentinelone com dm64t97qsxvuz cloudfront net data https //www google analytics com https //www google analytics com cdn pendo io app pendo io storage googleapis com data pendo io ; style src 'self' 'unsafe inline' sentinelone net app pendo io cdn pendo io storage googleapis com https //cdnjs cloudflare com https //dm64t97qsxvuz cloudfront net ; font src 'self' data sentinelone net https //cdn auth0 com https //dm64t97qsxvuz cloudfront net ; manifest src 'self' 
https //dm64t97qsxvuz cloudfront net ; frame src 'self' blob https //receptive io https // pendo io https //pendo io extensions storage googleapis com/ https // youtube com sentinelone net scalyr com; frame ancestors 'self' app pendo io sentinelone net; object src 'none' content type the media type of the resource application/json date the date and time at which the message was originated mon, 28 aug 2023 10 07 53 gmt expires the date/time after which the response is considered stale 1 pragma http response header pragma no cache server information about the software used by the origin server nginx set cookie http response header set cookie strict transport security http response header strict transport security max age=31536000; includesubdomains transfer encoding http response header transfer encoding chunked vary http response header vary origin x content type options http response header x content type options nosniff x frame options http response header x frame options sameorigin x rqid http response header x rqid fbaffde6 2d29 4834 946d d3c77ee169f9 notes the api documentation can be found on your sentinel one instance by doing the following select the arrow next to your user in the top right of the navigation bar select api doc and a new tab of the api documentation will open this connector was last tested against product version api v2 1
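The Mitigate Threats action above takes the mitigation name in the URL and a threat filter in the body; the response reports how many threats were `affected`. The following is an added example (not Swimlane's or SentinelOne's own code) that builds that request, refuses a filter that does not narrow the scope, and reads the `affected` count. The accepted action names, the `ApiToken` authorization header and the scoping guard are this example's assumptions; the base URL and token are placeholders.

```python
"""Build, guard and send a SentinelOne 'mitigate threats' request (added example)."""
import json
import urllib.request
from typing import Any, Callable, Dict, Tuple

# Assumption of this example: mitigation names accepted in the {action} path
# segment. Confirm them against the API Doc on your own console.
MITIGATION_ACTIONS = {"kill", "quarantine", "remediate", "rollback-remediation",
                      "un-quarantine", "network-quarantine"}

# Filter keys from the action's input table that pin the request to specific
# threats, agents or scopes. A filter with none of them (e.g. only
# "tenant": true) would apply the action tenant-wide, so it is refused.
SCOPING_KEYS = {"ids", "agentIds", "siteIds", "accountIds", "groupIds",
                "storylines", "contentHashes"}

# transport(method, url, headers, body) -> (status_code, json_body)
Transport = Callable[[str, str, Dict[str, str], Dict[str, Any]], Tuple[int, Dict[str, Any]]]


def filter_is_scoped(threat_filter: Dict[str, Any]) -> bool:
    """True when the filter names at least one non-empty scoping key."""
    return any(threat_filter.get(key) for key in SCOPING_KEYS)


def build_mitigate_request(base_url: str, api_token: str, action: str,
                           threat_filter: Dict[str, Any]) -> Tuple[str, Dict[str, str], Dict[str, Any]]:
    """Return (url, headers, body) for POST /web/api/v2.1/threats/mitigate/{action}."""
    if action not in MITIGATION_ACTIONS:
        raise ValueError(f"unknown mitigation action: {action!r}")
    if not filter_is_scoped(threat_filter):
        raise ValueError("filter must include ids, agentIds, siteIds, accountIds or groupIds")
    url = f"{base_url.rstrip('/')}/web/api/v2.1/threats/mitigate/{action}"
    headers = {"Authorization": f"ApiToken {api_token}",  # assumed header format
               "Content-Type": "application/json"}
    return url, headers, {"filter": threat_filter}


def mitigate_threats(base_url: str, api_token: str, action: str,
                     threat_filter: Dict[str, Any], transport: Transport) -> int:
    """Send the request and return the number of affected threats (0 if absent)."""
    url, headers, body = build_mitigate_request(base_url, api_token, action, threat_filter)
    status, json_body = transport("POST", url, headers, body)
    if status != 200:
        raise RuntimeError(f"mitigate {action} failed with HTTP {status}: {json_body}")
    return int(json_body.get("data", {}).get("affected", 0))


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    """Real HTTP transport using only the standard library."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, json.loads(resp.read().decode() or "{}")


def fake_transport(method: str, url: str, headers: Dict[str, str],
                   body: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    """Constructed stand-in for offline runs: echoes the documented response shape."""
    if method != "POST" or not headers["Authorization"].startswith("ApiToken "):
        return 401, {"errors": [{"title": "Unauthorized"}]}
    return 200, {"data": {"affected": len(body["filter"].get("ids", []))}}


if __name__ == "__main__":
    # Placeholder console URL and token; swap in urllib_transport against a real console.
    n = mitigate_threats("https://<your-console>.sentinelone.net", "<api-token>",
                         "quarantine", {"ids": ["1111111111111111111", "2222222222222222222"]},
                         fake_transport)
    print(f"threats affected: {n}")
```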