# SentinelOne
The SentinelOne connector enables seamless integration of SentinelOne's advanced threat detection and response capabilities with the Swimlane Turbine platform. SentinelOne is a cutting-edge cybersecurity platform that specializes in endpoint protection and offers automated threat detection and response capabilities. By integrating with Swimlane Turbine, users can streamline their security operations, leveraging SentinelOne's advanced features to quickly identify, analyze, and respond to security threats. This integration empowers users to enhance their security posture and reduce response times without the need for complex coding.

## Prerequisites

To effectively utilize the SentinelOne connector with Swimlane Turbine, ensure you have the following prerequisites:

- API Key Authentication
  - URL: the endpoint URL for the SentinelOne management API
  - API Token: your unique API token for authenticating requests to SentinelOne

### Obtaining an API token

1. Navigate to the SentinelOne portal.
2. Select your user in the upper right corner of the menu.
3. Select the menu by your user account name, then select My User.
4. A modal will pop up displaying your account information.
5. Select Generate to generate a new API token and copy the value into the Swimlane asset.

## Capabilities

The SentinelOne integration provides the following capabilities:

- Add Threat Note
- Broadcast Message
- Connect Agents
- Create Blacklist Item
- Create Exclusion
- Create Power Query and Get Query ID
- Deep Visibility Create Query and Get Query ID
- Deep Visibility Get Events by Query ID
- Delete Blocklist Item
- Delete Threat Note
- Disconnect Agents
- Download from Cloud
- Fetch Files
- Fetch Threat File
- Get Activities
- and so on

## Notes

### Initiate Scan action

Full Disk Scan finds dormant suspicious activity, threats, and compliance violations, which are then mitigated according to the policy. It scans the local file system. Full Disk Scan does not inspect drives that require user credentials (such as network drives) or external drives.

Full Disk Scan does not work on hashes: it does not check each file against the blacklist. If the Static AI determines a file is suspicious, the agent calculates its hash and checks whether the hash is in the blacklist. If a file is executed, all aspects of the process are inspected, including hash-based analysis and blacklist checks.

Full Disk Scan can run when the endpoint is offline, but when it is connected to the Management console it can use the most recent cloud data to improve detection.

### Create Firewall Rule

To keep it simple for the user, this action currently only supports adding remote hosts to a firewall rule. Should this action need to be expanded to support other rule types, please contact Swimlane support.

### About Deep Visibility queries

For the complete query syntax, see "Query Syntax" on support.sentinelone.com or in the console help.

### API documentation

The API documentation can be found on your SentinelOne instance by doing the following:

1. Select the arrow next to your user in the top right of the navigation bar.
2. Select API Doc; a new tab with the API documentation will open.

This connector was last tested against product version API v2.1.

## Configurations

### API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| api_token | API token | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Add Threat Note

Adds a note to identified threats within SentinelOne using specified data and filters.

- Endpoint URL: `web/api/v2.1/threats/notes`
- Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| data | object | optional | Request data |
| data.text | string | required | Note text |
| filter | object | optional | Parameter for Add Threat Note |
| filter.ids | array | required | Unique identifiers of the threats |

Input example:

```json
{"json_body": {"data": {"text": "this is a text"}, "filter": {"ids": ["1311010475659095549"]}}}
```

Output parameters:

- `status_code` (number): HTTP status code of the response
- `reason` (string): response reason phrase
- `data` (object): response data, with `affected` (number)

Output example (cut off on the page after the last header shown):

```json
{"status_code": 200, "response_headers": {"server": "nginx", "date": "Mon, 14 Nov 2022 21:12:44 GMT", "content-type": "application/json", "transfer-encoding": "chunked", "connection": "keep-alive", "x-rqid": "f71d36aa-c8c9-4fdd-8df6-86c97d631c69", "access-control-allow-origin": "https://attivo-us.sentinelone.net", "access-control-allow-credentials": "true", "vary": "origin", "strict-transport-security": "max-age=31536000; includeSubDomains", "x-frame-options": "SAMEORIGIN", "x-content-type-options": "nosniff", "content-se
```

### Broadcast Message

Sends a custom message to SentinelOne agents using specified filter criteria; requires the `data` and `filter` parameters.

- Endpoint URL: `web/api/v2.0/agents/actions/broadcast`
- Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| filter | object | optional | Parameter for Broadcast Message |
| filter.updatedAt__gte | string | optional | Parameter for Broadcast Message |
| filter.operationalStates | array | optional | Parameter for Broadcast Message |
| filter.operationalStates.type | string | optional | Type of the resource |
| filter.locationIdsNin | array | optional | Unique identifier |
| filter.locationIdsNin.type | string | optional | Unique identifier |
| filter.locationIdsNin.minimum | number | optional | Unique identifier |
| filter.locationIdsNin.example | string | optional | Unique identifier |
| filter.lastSuccessfulScanDate__between | string | optional | Whether the operation was successful |
| filter.externalIp__contains | array | optional | Parameter for Broadcast Message |
| filter.externalIp__contains.type | string | optional | Type of the resource |
| filter.externalIp__contains.minLength | number | optional | Parameter for Broadcast Message |
| filter.groupIds | array | optional | Unique identifier |
| filter.groupIds.type | string | optional | Unique identifier |
| filter.groupIds.minimum | number | optional | Unique identifier |
| filter.groupIds.example | string | optional | Unique identifier |
| filter.threatRebootRequired | array | optional | Parameter for Broadcast Message |
| filter.threatRebootRequired.type | string | optional | Type of the resource |
| filter.missingPermissions | array | optional | Parameter for Broadcast Message |
| filter.missingPermissions.type | string | optional | Type of the resource |
| filter.missingPermissions.example | string | optional | Parameter for Broadcast Message |
| filter.missingPermissions.enum | array | optional | Parameter for Broadcast Message |
| filter.adUserName__contains | array | optional | Name of the resource |
| filter.adUserName__contains.type | string | optional | Name of the resource |
| filter.adUserName__contains.minLength | number | optional | Name of the resource |

Input example:

```json
{
  "filter": {
    "updatedAt__gte": "string",
    "operationalStates": [{"type": "string"}],
    "locationIdsNin": [{"type": "string", "minimum": 123, "example": "string"}],
    "lastSuccessfulScanDate__between": "string",
    "externalIp__contains": [{"type": "string", "minLength": 123}],
    "groupIds": [{"type": "string", "minimum": 123, "example": "string"}],
    "threatRebootRequired": [{"type": "string"}],
    "missingPermissions": [{"type": "string", "example": "string", "enum": ["string"]}],
    "adUserName__contains": [{"type": "string", "minLength": 123}],
    "cloudTags__contains": [{"type": "string", "minLength": 123}],
    "filterId": "string",
    "machineTypesNin": [{"type": "string", "example": "string", "enum": ["string"]}],
    "cloudInstanceSize__contains": [{"type": "string", "minLength": 123}],
    "missingPermissionsNin": [{"type": "string", "example": "string", "enum": ["string"]}],
    "liveUpdateId__contains": [{"type": "string", "minLength": 123}],
    "siteIds": [{"type": "string", "minimum": 123, "example": "string"}],
    "uuids": [{"type": "string"}],
    "adUserMember__contains": [{"type": "string", "minLength": 123}],
    "k8sVersion__contains": [{"type": "string", "minLength": 123}],
    "agentVersionsNin": [{"type": "string", "example": "string"}],
    "lastLoggedInUserName__contains": [{"type": "string", "minLength": 123}],
    "machineTypes": [{"type": "string", "example": "string", "enum": ["string"]}],
    "consoleMigrationStatusesNin": [{"type": "string", "example": "string", "enum": ["string"]}],
    "appsVulnerabilityStatuses": [{"type": "string", "example": "string", "enum": ["string"]}],
    "adComputerMember__contains": [{"type": "string", "minLength": 123}],
    "lastActiveDate__gte": "string",
    "threatResolved": "string",
    "isPendingUninstall": "string",
    "cloudProviderNin": [{"type": "string"}],
    "updatedAt__gt": "string",
    "lastSuccessfulScanDate__lte": "string",
    "userActionsNeeded": [{"type": "string", "example": "string", "enum": ["string"]}],
    "threatCreatedAt__gte": "string",
    "createdAt__between": "string",
    "osTypesNin": [{"type": "string", "description": "string", "example": "string", "enum": ["string"]}],
    "rsolevel": "string",
    "agentNamespace__contains": [{"type": "string", "minLength": 123}],
    "serialNumber__contains": [{"type": "string", "minLength": 123}],
    "tagsData": "string",
    "activeThreats": 123,
    "adComputerQuery__contains": [{"type": "string", "minLength": 123}],
    "awsSubnetIds__contains": [{"type": "string", "minLength": 123}],
    "remoteProfilingStates": [{"type": "string"}],
    "decommissionedAt__gte": "string",
    "coreCount__lte": "string",
    "cpuCount__gt": "string",
    "isUninstalled": [{"type": "string"}],
    "lastActiveDate__lte": "string",
    "networkQuarantineEnabled": [{"type": "string"}],
    "hasLocalConfiguration": "string"
  },
  "data": {"message": "string"}
}
```

Output parameters:

- `status_code` (number): HTTP status code of the response
- `reason` (string): response reason phrase
- `errors` (array): error message, if any; each entry has `type` (string)
- `data` (object): response data, with `affected` (string)

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"errors": [{}], "data": {"affected": "integer"}}}
```

### Connect Agents

Reconnects disconnected SentinelOne endpoints using a specified filter to match and target agents.

- Endpoint URL: `web/api/v2.1/agents/actions/connect`
- Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| filter | object | optional | Parameter for Connect Agents |
| filter.ids | array | required | Unique identifiers of the agents |

Input example:

```json
{"json_body": {"filter": {"ids": ["1550901640146865256", "1286438987267469377"]}}}
```

Output parameters:

- `status_code` (number): HTTP status code of the response
- `reason` (string): response reason phrase
- `data` (object): response data, with `affected` (number)

Output example (cut off on the page after the last header shown):

```json
{"status_code": 200, "response_headers": {"server": "nginx", "date": "Wed, 16 Nov 2022 19:32:07 GMT", "content-type": "application/json", "transfer-encoding": "chunked", "connection": "keep-alive", "x-rqid": "d448b9e3-ca4d-4bf2-b828-10a74f33c3be", "access-control-allow-origin": "https://attivo-us.sentinelone.net", "access-control-allow-credentials": "true", "vary": "origin", "strict-transport-security": "max-age=31536000; includeSubDomains", "x-frame-options": "SAMEORIGIN", "x-content-type-options": "nosniff", "content-se
```

### Create Blacklist Item

Creates a blacklist item in SentinelOne using a SHA1 hash, with scope filters, for enhanced protection.

- Endpoint URL: `web/api/v2.1/restrictions`
- Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| filter | object | optional | Parameter for Create Blacklist Item |
| filter.tenant | boolean | optional | Parameter for Create Blacklist Item |
| filter.siteIds | array | optional | Unique identifier |
| data | object | optional | Request data |
| data.osType | string | required | OS type |
| data.type | string | required | Restriction type |
| data.description | string | optional | Description |
| data.value | string | required | Hash value |
| data.source | string | optional | Source |

Input example:

```json
{"json_body": {"filter": {"tenant": true, "siteIds": ["1286405255257023125"]}, "data": {"osType": "windows_legacy", "type": "black_hash", "description": "string", "value": "eb571ebfa53742df0e2e8375b7d15f94ab436a09", "source": "string"}}}
```

Output parameters:

- `status_code` (number): HTTP status code of the response
- `reason` (string): response reason phrase
- `errors` (array): error message, if any; each entry has `file_name` (string, name of the resource) and `file` (string, error message)
- `data` (array): response data; each entry has `scope` (object with `siteIds`, `tenant`, `groupIds`, `accountIds`), `userName`, `userId`, `updatedAt`, `createdAt`, `notRecommended`, `osType`, `source`, `description`, `value`, `type`, `scopeName` and `id` (all strings)

Output example (cut off on the page after the last header shown):

```json
{"status_code": 400, "response_headers": {"server": "nginx", "date": "Wed, 16 Nov 2022 18:21:30 GMT", "content-type": "application/json", "content-length": "152", "connection": "keep-alive", "access-control-allow-origin": "https://attivo-us.sentinelone.net", "access-control-allow-credentials": "true", "vary": "origin", "strict-transport-security": "max-age=31536000; includeSubDomains", "x-frame-options": "SAMEORIGIN", "x-content-type-options": "nosniff", "content-security-policy": "default-src 'self' ; connect-src 'self'
```

### Create Exclusion

Establishes exclusions in SentinelOne to suppress alerts and mitigate benign items; requires the `data` and `filter` inputs.

- Endpoint URL: `/web/api/v2.1/exclusions`
- Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| data | object | optional | Request data |
| data.osType | string | required | OS type |
| data.type | string | required | Exclusion item type |
| data.value | string | required | Value for the item type |
| data.actions | array | optional | Actions to perform |
| data.description | string | optional | Description |
| data.mode | string | optional | Exclusion mode (path exclusion only) |
| data.pathExclusionType | string | optional | Excluded path for a path exclusion list |
| data.source | string | optional | Source |
| filter | object | optional | Parameter for Create Exclusion |
| filter.accountIds | array | optional | List of account IDs to filter by |
| filter.groupIds | array | optional | List of group IDs to filter by |
| filter.siteIds | array | optional | List of site IDs to filter by |
| filter.tenant | boolean | optional | Indicates a tenant-scope request |

Input example:

```json
{"data": {"osType": "string", "type": "string", "value": "string", "actions": ["string"], "description": "string", "mode": "string", "pathExclusionType": "string", "source": "string"}, "filter": {"accountIds": ["string"], "groupIds": ["string"], "siteIds": ["string"], "tenant": true}}
```

Output parameters:

- `status_code` (number): HTTP status code of the response
- `reason` (string): response reason phrase
- `data` (object): response data, with `scope` (object with `accountIds`, `groupIds`, `siteIds` arrays and `tenant` boolean), `actions` (array), and the strings `createdAt`, `description`, `id`, `mode`, `notRecommended`, `osType`, `pathExclusionType`, `scopeName`, `source`, `type`, `updatedAt`, `userId`, `userName`, `value`
- `errors` (array): error message, if any

Output example:

```json
{"data": {"scope": {"accountIds": [], "groupIds": [], "siteIds": [], "tenant": true}, "actions": ["string"], "createdAt": "string", "description": "string", "id": "12345678-1234-1234-1234-123456789abc", "mode": "string", "notRecommended": "string", "osType": "string", "pathExclusionType": "string", "scopeName": "example name", "source": "string", "type": "string", "updatedAt": "string", "userId": "string", "userName": "example name"}, "errors": []}
```

### Create Power Query and Get Query ID

Executes a Deep Visibility Power Query in SentinelOne and returns a status together with a unique query ID for result retrieval. Requires `fromDate`, `query` and `toDate`.

- Endpoint URL: `/web/api/v2.1/dv/events/pq`
- Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| query | string | optional | Events matching the query search term will be returned |
| accountIds | string | optional | List of account IDs to filter by |
| siteIds | string | optional | List of site IDs to filter by |
| toDate | string | optional | Events created before or at this timestamp |
| limit | number | optional | Limit the number of returned items (1-100000) |
| fromDate | string | optional | Events created after this timestamp |

Input example:

```json
{"json_body": {"query": "event.time = * | columns eventTime = event.time, agentUuid = agent.uuid, siteId = site.id", "accountIds": "1286405255240245908,1286405255240245978", "siteIds": "1758952600032266153,1758952600032266135", "toDate": "2024-04-21T04:49:26.257525Z", "limit": 10, "fromDate": "2024-04-15T04:49:26.257525Z"}}
```

Output parameters:

- `status_code` (number): HTTP status code of the response
- `reason` (string): response reason phrase
- `data` (object): response data, with `columns` (array of `file_name`/`file` strings), `data` (array of `file_name`/`file` strings), `externalId` (string), `progress` (number), `queryId` (string), `recommendations` (array of `file_name`/`file` strings) and `status` (string)

Output example (cut off on the page after the last header shown):

```json
{"status_code": 200, "response_headers": {"server": "nginx", "date": "Mon, 22 Apr 2024 08:49:49 GMT", "content-type": "application/json", "transfer-encoding": "chunked", "connection": "keep-alive", "x-rqid": "32b46d87-e912-4ed0-9012-4e617cc9a015", "access-control-allow-origin": "https://cns-na1.sentinelone.net", "access-control-allow-credentials": "true", "vary": "origin", "strict-transport-security": "max-age=31536000; includeSubDomains", "x-frame-options": "SAMEORIGIN", "x-content-type-options": "nosniff", "content-secu
```

### Deep Visibility Create Query and Get Query ID

Executes a SentinelOne Deep Visibility query using the specified parameters and returns the unique query ID.

- Endpoint URL: `web/api/v2.1/dv/init-query`
- Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| query | string | optional | Deep Visibility query |
| fromDate | string | optional | Date value |
| toDate | string | optional | Date value |
| queryType | array | optional | Type of the resource |
| tenant | boolean | optional | Parameter for Deep Visibility Create Query and Get Query ID |
| siteIds | array | optional | Unique identifier |
| groupIds | array | optional | Unique identifier |
| accountIds | array | optional | Unique identifier |
| limit | number | optional | Parameter for Deep Visibility Create Query and Get Query ID |
| isVerbose | boolean | optional | Show all fields or just priority fields |
| timeFrame | string | optional | Time frame the query is run over; when omitted, defaults to "Last 48 hours" |

Input example:

```json
{"json_body": {"query": "AgentName IS NOT EMPTY", "fromDate": "2022-11-14T22:01:32.962480Z", "toDate": "2022-11-14T22:01:32.962480Z", "queryType": ["events"], "tenant": true, "siteIds": ["1286405255257023125"], "groupIds": ["1286405255265411734"], "accountIds": ["1286405255240245908"], "limit": 10}}
```

Output parameters:

- `status_code` (number): HTTP status code of the response
- `reason` (string): response reason phrase
- `data` (object): response data, with `queryId` (string) and `queryModeInfo` (object with `lastActivatedAt` and `mode` strings)

Output example (cut off on the page after the last header shown):

```json
{"status_code": 200, "response_headers": {"server": "nginx", "date": "Wed, 16 Nov 2022 20:26:37 GMT", "content-type": "application/json", "transfer-encoding": "chunked", "connection": "keep-alive", "x-rqid": "6b98f9cc-a555-4fe3-8b6e-ccf55ec6eacf", "access-control-allow-origin": "https://attivo-us.sentinelone.net", "access-control-allow-credentials": "true", "vary": "origin", "strict-transport-security": "max-age=31536000; includeSubDomains", "x-frame-options": "SAMEORIGIN", "x-content-type-options": "nosniff", "content-se
```

### Deep Visibility Get Events by Query ID

Retrieves all Deep Visibility events linked to a specific `queryId` in SentinelOne, following an init-query operation.

- Endpoint URL: `web/api/v2.1/dv/events`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.queryId | string | required | Query ID returned by the init-query action |
| parameters.limit | number | optional | Limit the number of returned items |
| parameters.sortOrder | string | optional | Sort direction |
| parameters.cursor | string | optional | Cursor position returned by the last request; should be used instead of `skip`. Cursor paging currently supports sorting by `createdAt`, `pid` and `processStartTime` |
| parameters.skip | string | optional | Skip the first N items (0-1000). To iterate over more than 1000 items, use `cursor` |
| parameters.sortBy | string | optional | Field to sort events by |
| parameters.subQuery | string | optional | Create a sub-query to run on the data that was already pulled |

Input example:

```json
{"parameters": {"queryId": "1286405255240245908", "limit": 10, "sortOrder": "asc"}}
```

Output parameters:

- `status_code` (number): HTTP status code of the response
- `reason` (string): response reason phrase
- `data` (array): response data; each event carries the strings `networkMethod`, `indicatorCategory`, `agentVersion`, `agentUuid`, `createdAt`, `agentMachineType`, `forensicUrl`, `fileSize`, `parentProcessUniqueKey`, `fileType`, `taskPath`, `oldFileMd5`, `fileMd5`, `trueContext`, `verifiedStatus`, `processIsRedirectedCommandProcessor`, `oldFileName`, `indicatorMetadata`, `dstIp`, `parentProcessName`, `processImagePath` and the boolean `agentIsDecommissioned`

Output example (cut off on the page after the last header shown):

```json
{"status_code": 400, "response_headers": {"server": "nginx", "date": "Wed, 16 Nov 2022 20:00:44 GMT", "content-type": "application/json", "content-length": "97", "connection": "keep-alive", "access-control-allow-origin": "https://attivo-us.sentinelone.net", "access-control-allow-credentials": "true", "vary": "origin", "strict-transport-security": "max-age=31536000; includeSubDomains", "x-frame-options": "SAMEORIGIN", "x-content-type-options": "nosniff", "content-security-policy": "default-src 'self' ; connect-src 'self'
```

### Delete Blocklist Item

Removes a specified item from the SentinelOne blocklist, re-enabling agent access to the previously blocked file.

- Endpoint URL: `/web/api/v2.1/restrictions`
- Method: DELETE

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| data | object | optional | Request data |
| data.ids | array | optional | IDs of the blocklist items |
| data.type | string | optional | Type |

Input example:

```json
{"data": {"ids": ["string"], "type": "string"}}
```

Output parameters:

- `status_code` (number): HTTP status code of the response
- `reason` (string): response reason phrase
- `data` (object): response data, with `affected` (number)
- `errors` (array): error message, if any

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"data": {"affected": 1}, "errors": [{}]}}
```

### Delete Threat Note

Removes a specific note from a threat in SentinelOne using the provided threat and note IDs.

- Endpoint URL: `web/api/v2.1/threats/{{threat_id}}/notes/{{note_id}}`
- Method: DELETE

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.threat_id | string | required | Threat ID |
| path_parameters.note_id | string | required | Note ID |

Input example:

```json
{"path_parameters": {"threat_id": "1311010475659095549", "note_id": "1553834980127175650"}}
```

Output parameters:

- `status_code` (number): HTTP status code of the response
- `reason` (string): response reason phrase
- `data` (object): response data, with `success` (boolean)

Output example (cut off on the page after the last header shown):

```json
{"status_code": 200, "response_headers": {"server": "nginx", "date": "Wed, 16 Nov 2022 14:50:43 GMT", "content-type": "application/json", "transfer-encoding": "chunked", "connection": "keep-alive", "x-rqid": "d005d0b4-d6c5-43f2-9a96-25ce505a3c7c", "access-control-allow-origin": "https://attivo-us.sentinelone.net", "access-control-allow-credentials": "true", "vary": "origin", "strict-transport-security": "max-age=31536000; includeSubDomains", "x-frame-options": "SAMEORIGIN", "x-content-type-options": "nosniff", "content-se
```

### Disconnect Agents

Isolates endpoints from the network in SentinelOne by applying a specified filter, effectively quarantining the matching agents.

- Endpoint URL: `web/api/v2.1/agents/actions/disconnect`
- Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| filter | object | optional | Parameter for Disconnect Agents |
| filter.ids | array | required | Unique identifiers of the agents |

Input example:

```json
{"json_body": {"filter": {"ids": ["1550901640146865256", "1286438987267469377"]}}}
```

Output parameters:

- `status_code` (number): HTTP status code of the response
- `reason` (string): response reason phrase
- `data` (object): response data, with `affected` (number)

Output example (cut off on the page after the last header shown):

```json
{"status_code": 200, "response_headers": {"server": "nginx", "date": "Wed, 16 Nov 2022 19:37:27 GMT", "content-type": "application/json", "transfer-encoding": "chunked", "connection": "keep-alive", "x-rqid": "1c2a1804-99be-4b04-98ec-502396e71534", "access-control-allow-origin": "https://attivo-us.sentinelone.net", "access-control-allow-credentials": "true", "vary": "origin", "strict-transport-security": "max-age=31536000; includeSubDomains", "x-frame-options": "SAMEORIGIN", "x-content-type-options": "nosniff", "content-se
```

### Download from Cloud

Downloads a specific threat file from the SentinelOne cloud using the unique threat ID provided.

- Endpoint URL: `/web/api/v2.1/threats/{{threat_id}}/download-from-cloud`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.threat_id | string | required | Threat ID |

Input example:

```json
{"path_parameters": {"threat_id": "1724638395443766805"}}
```

Output parameters:

- `status_code` (number): HTTP status code of the response
- `reason` (string): response reason phrase
- `data` (object): response data, with `downloadUrl` (string) and `fileName` (string)

Output example (cut off on the page after the last header shown):

```json
{"status_code": 200, "response_headers": {"server": "nginx", "date": "Sun, 21 Apr 2024 17:19:47 GMT", "content-type": "application/json", "transfer-encoding": "chunked", "connection": "keep-alive", "x-rqid": "6774d02e-05e6-4a51-8c4c-168411f6fd66", "access-control-allow-origin": "https://cns-na1.sentinelone.net", "access-control-allow-credentials": "true", "vary": "origin", "strict-transport-security": "max-age=31536000; includeSubDomains", "x-frame-options": "SAMEORIGIN", "x-content-type-options": "nosniff", "content-secu
```

### Fetch Files

Fetches files of up to 10 MB from specified endpoints within SentinelOne for in-depth threat analysis; requires `agent_id` and `data`.

- Endpoint URL: `/web/api/v2.1/agents/{{agent_id}}/actions/fetch-files`
- Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.agent_id | string | required | Agent ID |
| data | object | optional | Request data |
| data.password | string | required | File encryption password |
| data.files | string | optional | List of files to fetch (absolute paths, up to 10 files) |

Input example:

```json
{"json_body": {"data": {"password": "mysecretpass123!", "files": ["/users/saikumar kondapalli/desktop/screenshot 2024-04-17.png"]}}, "path_parameters": {"agent_id": "1286438987267469377"}}
```

Output parameters:

- `status_code` (number): HTTP status code of the response
- `reason` (string): response reason phrase
- `data` (object): response data, with `success` (boolean)

Output example (cut off on the page after the last header shown):

```json
{"status_code": 200, "response_headers": {"server": "nginx", "date": "Sun, 21 Apr 2024 10:42:26 GMT", "content-type": "application/json", "transfer-encoding": "chunked", "connection": "keep-alive", "x-rqid": "00326c00-9064-4459-b5cd-56ea0fd24ae2", "access-control-allow-origin": "https://cns-na1.sentinelone.net", "access-control-allow-credentials": "true", "vary": "origin", "strict-transport-security": "max-age=31536000; includeSubDomains", "x-frame-options": "SAMEORIGIN", "x-content-type-options": "nosniff", "content-secu
```

### Fetch Threat File

Retrieves a file linked to a threat in SentinelOne using filters. The "Fetch Threat File" permission is required.

- Endpoint URL: `/web/api/v2.1/threats/fetch-file`
- Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| data | object | optional | Request data |
| data.password | string | required | File encryption password |
| filter | object | optional | Use any of the filtering options to control the list of affected threats. You can use any combination of filters to narrow down the list (for example, "apply to only active threats from Linux endpoints"). You can also leave this field empty to apply to all available threats. Note: the filter must match exactly one threat; bulk operations are not supported |
| filter.accountIds | string | optional | List of account IDs to filter by |
| filter.agentIds | string | optional | List of agent IDs |
| filter.agentIsActive | boolean | optional | Include agents currently connected to the management console |
| filter.agentMachineTypes | string | optional | Include agent machine types |
| filter.agentMachineTypesNin | string | optional | Excluded agent machine types |
| filter.agentTagsData | string | optional | Filter threats by the tags assigned to the related agent, given as JSON where each key is a tag key and each value is a list of string values to filter by. To filter by unassigned tag values, use the `nin` suffix in the tag key |
| filter.agentVersions | string | optional | Include agent versions |
| filter.agentVersionsNin | string | optional | Excluded agent versions |
| filter.analystVerdicts | string | optional | Filter threats by a specific analyst verdict |
| filter.analystVerdictsNin | string | optional | Exclude threats with specific analyst verdicts |
| filter.awsRole__contains | string | optional | Free-text filter by AWS role (supports multiple values) |
| filter.awsSecurityGroups__contains | string | optional | Free-text filter by AWS security groups (supports multiple values) |
| filter.awsSubnetIds__contains | string | optional | Free-text filter by AWS subnet IDs (supports multiple values) |
| filter.azureResourceGroup__contains | string | optional | Free-text filter by Azure resource group (supports multiple values) |
| filter.classifications | string | optional | List of threat classifications to search |
| filter.classificationsNin | string | optional | List of threat classifications not to search |
| filter.classificationSources | string | optional | Classification sources list |
| filter.classificationSourcesNin | string | optional | Classification sources list to exclude |
| filter.cloudAccount__contains | string | optional | Free-text filter by cloud account (supports multiple values) |
| filter.cloudImage__contains | string | optional | Free-text filter by cloud image (supports multiple values) |
| filter.cloudInstanceId__contains | string | optional | Free-text filter by cloud instance ID (supports multiple values) |
| filter.cloudInstanceSize__contains | string | optional | Free-text filter by cloud instance size (supports multiple values) |

Input example:

```json
{
  "data": {"password": "string"},
  "filter": {
    "accountIds": "string", "agentIds": "string", "agentIsActive": true,
    "agentMachineTypes": "string", "agentMachineTypesNin": "string", "agentTagsData": "string",
    "agentVersions": "string", "agentVersionsNin": "string",
    "analystVerdicts": "string", "analystVerdictsNin": "string",
    "awsRole__contains": "string", "awsSecurityGroups__contains": "string", "awsSubnetIds__contains": "string",
    "azureResourceGroup__contains": "string",
    "classifications": "string", "classificationsNin": "string",
    "classificationSources": "string", "classificationSourcesNin": "string",
    "cloudAccount__contains": "string", "cloudImage__contains": "string",
    "cloudInstanceId__contains": "string", "cloudInstanceSize__contains": "string",
    "cloudLocation__contains": "string", "cloudNetwork__contains": "string",
    "cloudProvider": "string", "cloudProviderNin": "string",
    "collectionIds": "string", "commandLineArguments__contains": "string",
    "computerName__contains": "example name",
    "confidenceLevels": "string", "confidenceLevelsNin": "string",
    "containerImageName__contains": "example name", "containerLabels__contains": "string",
    "containerName__contains": "example name",
    "contentHash__contains": "string", "contentHashes": "string", "countsFor": "string",
    "createdAt__gt": "string", "createdAt__gte": "string", "createdAt__lt": "string", "createdAt__lte": "string",
    "detectionAgentDomain__contains": "string", "detectionAgentVersion__contains": "string",
    "detectionEngines": "string", "detectionEnginesNin": "string",
    "displayName": "example name", "engines": "string", "enginesNin": "string",
    "externalTicketExists": true, "externalTicketId__contains": "string"
  }
}
```

Output parameters:

- `status_code` (number): HTTP status code of the response
- `reason` (string): response reason phrase
- `data` (object): response data, with `affected` (number)

Output example:

```json
{"data": {"affected": 1}}
```

### Get Activities

Retrieves activity data from SentinelOne with specified filters for relevant and manageable results.

- Endpoint URL: `/web/api/v2.1/activities`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.accountIds | string | optional | List of account IDs to filter by |
| parameters.activityTypes | string | optional | Return only these activity codes (comma-separated list). Select a code from the dropdown, or see the `id` field from the Get Activity Types command |
| parameters.activityUuids | string | optional | Return activities by specific activity UUIDs |
| parameters.agentIds | string | optional | Return activities related to the specified agents |
| parameters.alertIds | string | optional | Return activities related to the specified alerts |
| parameters.countOnly | boolean | optional | If true, only the total number of items is returned, without any of the actual objects |
| parameters.createdAt__between | string | optional | Get activities created in this inclusive range of a start timestamp and an end timestamp |
| parameters.createdAt__gt | string | optional | Get activities created after this timestamp |
| parameters.createdAt__gte | string | optional | Get activities created after or at this timestamp |
| parameters.createdAt__lt | string | optional | Get activities created before this timestamp |
| parameters.createdAt__lte | string | optional | Get activities created before or at this timestamp |
| parameters.cursor | string | optional | Cursor position returned by the last request; use it to iterate over more than 1000 items |
| parameters.groupIds | string | optional | List of group IDs to filter by |
| parameters.ids | string | optional | Filter activities by specific activity IDs |
| parameters.includeHidden | boolean | optional | Include internal activities hidden from display |
| parameters.limit | number | optional | Limit the number of returned items (1-1000) |
| parameters.ruleIds | string | optional | Return activities related to the specified rules |
| parameters.siteIds | string | optional | List of site IDs to filter by |
| parameters.skip | number | optional | Skip the first N items (0-1000). To iterate over more than 1000 items, use `cursor` |
| parameters.skipCount | boolean | optional | If true, the total number of items is not calculated, which speeds up execution |
| parameters.sortBy | string | optional | The column to sort the results by |
| parameters.sortOrder | string | optional | Sort direction |
| parameters.threatIds | string | optional | Return activities related to the specified threats |
| parameters.userEmails | string | optional | Email of the user who invoked the activity (if applicable) |
| parameters.userIds | string | optional | The user who invoked the activity (if applicable) |

Input example:

```json
{"parameters": {"accountIds": "string", "activityTypes": "string", "activityUuids": "string", "agentIds": "string", "alertIds": "string", "countOnly": true, "createdAt__between": "string", "createdAt__gt": "string", "createdAt__gte": "string", "createdAt__lt": "string", "createdAt__lte": "string", "cursor": "string", "groupIds": "string", "ids": "string", "includeHidden": true, "limit": 123, "ruleIds": "string", "siteIds": "string", "skip": 123, "skipCount": true, "sortBy": "string", "sortOrder": "string", "threatIds": "string", "userEmails": "string", "userIds": "string"}}
```

Output parameters:

- `status_code` (number): HTTP status code of the response
- `reason` (string): response reason phrase
- `data` (array): response data; each activity has `accountId` (string), `accountName` (string), `activityType` (number), `activityUuid` (string), `agentId` (object), `agentUpdatedVersion` (object), `comments` (object), `createdAt` (string) and a `data` object with `accountName`, `fileName`, `fullScopeDetails`, `fullScopeDetailsPath`, `groupName` (object), `ipAddress`, `majorVersion`, `minorVersion`, `osArch`, `packageId` (number), `platformType`, `realUser` (object) and `scopeLevel`

Output example:

```json
{"data": [{"accountId": "string", "accountName": "example name", "activityType": 123, "activityUuid": "string", "agentId": {}, "agentUpdatedVersion": {}, "comments": {}, "createdAt": "string", "data": {}, "description": {}, "groupId": {}, "groupName": {}, "hash": {}, "id": "12345678-1234-1234-1234-123456789abc", "osFamily": {}}], "pagination": {"nextCursor": "string", "totalItems": 123}}
```

### Get Agent Applications

Retrieves the list of installed applications for a specified SentinelOne agent by providing the unique agent ID.

- Endpoint URL: `web/api/v2.1/agents/applications`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.ids | array | required | Agent IDs |

Input example:

```json
{"parameters": {"ids": ["1286438987267469377"]}}
```

Output parameters:

- `status_code` (number): HTTP status code of the response
- `reason` (string): response reason phrase
- `data` (array): response data; each application has `installedDate` (string), `name` (string), `publisher` (string), `size` (number) and `version` (string)

Output example (cut off on the page after the last header shown):

```json
{"status_code": 200, "response_headers": {"server": "nginx", "date": "Wed, 16 Nov 2022 15:25:40 GMT", "content-type": "application/json", "transfer-encoding"
```
"chunked","connection" "keep alive","x rqid" "7bef9a86 f973 47ea 83b6 41f61dd8510b","access control allow origin" "https //attivo us sentinelone net","access control allow credentials" "true","vary" "origin","strict transport security" "max age=31536000; includesubdomains","x frame options" "sameorigin","x content type options" "nosniff","content se get agents obtain sentinelone agent data with specific filters to identify and utilize agent ids for subsequent operations endpoint url web/api/v2 1/agents method get input argument name type required description parameters computername string optional parameters for the get agents action parameters infected boolean optional parameters for the get agents action parameters isactive boolean optional parameters for the get agents action parameters activethreats array optional parameters for the get agents action parameters domains array optional parameters for the get agents action parameters networkstatuses array optional parameters for the get agents action parameters externalip contains string optional parameters for the get agents action parameters ids array optional parameters for the get agents action parameters accountids array optional parameters for the get agents action parameters uuids array optional parameters for the get agents action input example {"parameters" {"computername" "ubuntu","infected"\ false,"isactive"\ false,"activethreats" \[0,1,2],"domains" \["unknown","olympia"],"networkstatuses" \["connected"],"externalip contains" "96 79","ids" \["1550901640146865256"],"accountids" \["1286405255240245908"],"uuids" \["2e24b3bf 5769 e031 35af 7ebaf2f3dcf3"]}} output parameter type description status code number http status code of the response reason string response reason phrase data array response data data accountid string response data data accountname string response data data activedirectory object response data data activedirectory computerdistinguishedname object response data data activedirectory 
computermemberof array response data data activedirectory computermemberof file name string response data data activedirectory computermemberof file string response data data activedirectory lastuserdistinguishedname object response data data activedirectory lastusermemberof array response data data activedirectory lastusermemberof file name string response data data activedirectory lastusermemberof file string response data data activethreats number response data data agentversion string response data data allowremoteshell boolean response data data appsvulnerabilitystatus string response data data cloudproviders object response data data cloudproviders esxi object response data data computername string response data data consolemigrationstatus string response data data corecount number response data data cpucount number response data data cpuid string response data output example {"status code" 200,"response headers" {"server" "nginx","date" "wed, 16 nov 2022 17 35 13 gmt","content type" "application/json","transfer encoding" "chunked","connection" "keep alive","x rqid" "bd078c0d 1020 461b 885a 0028c992ac70","access control allow origin" "https //attivo us sentinelone net","access control allow credentials" "true","vary" "origin","strict transport security" "max age=31536000; includesubdomains","x frame options" "sameorigin","x content type options" "nosniff","content se get alerts retrieve a list of sentinelone alerts to identify potential security threats within a specified scope endpoint url /web/api/v2 1/cloud detection/alerts method get input argument name type required description parameters accountids string optional list of account ids to filter by parameters analystverdict string optional filter threats by a analyst verdict parameters containerimagename contains string optional free text filter by the endpoint container image name (supports multiple values) parameters containerlabels contains string optional free text filter by the endpoint container 
labels (supports multiple values) parameters containername contains string optional free text filter by the endpoint container name (supports multiple values) parameters countonly boolean optional if true, only total number of items will be returned, without any of the actual objects parameters createdat gt string optional created at greater than parameters createdat gte string optional created at greater or equal than parameters createdat lt string optional created at lesser than parameters createdat lte string optional created at lesser or equal than parameters cursor string optional cursor position returned by the last request use to iterate over more than 1000 items parameters disablepagination boolean optional if true, all rules for requested scope will be returned parameters groupids string optional list of group ids to filter by parameters ids array optional a list of alert ids parameters incidentstatus string optional filter threats by a incident status parameters k8scluster contains string optional free text filter by the endpoint kubernetes cluster name (supports multiple values) parameters k8scontrollerlabels contains string optional free text filter by the endpoint kubernetes controller labels (supports multiple values) parameters k8scontrollername contains string optional free text filter by the endpoint kubernetes controller name (supports multiple values) parameters k8snamespacelabels contains string optional free text filter by the endpoint kubernetes namespace labels (supports multiple values) parameters k8snamespacename contains string optional free text filter by the endpoint kubernetes namespace name (supports multiple values) parameters k8snode contains string optional free text filter by the endpoint kubernetes node name (supports multiple values) parameters k8spod contains string optional free text filter by the endpoint kubernetes pod name (supports multiple values) parameters k8spodlabels contains string optional free text filter by the 
endpoint kubernetes pod labels (supports multiple values) parameters limit number optional limit number of returned items (1 1000) parameters machinetype string optional agent machine type input example {"parameters" {"accountids" "string","analystverdict" "string","containerimagename contains" "example name","containerlabels contains" "string","containername contains" "example name","countonly"\ true,"createdat gt" "string","createdat gte" "string","createdat lt" "string","createdat lte" "string","cursor" "string","disablepagination"\ true,"groupids" "string","ids" \["string"],"incidentstatus" "active","k8scluster contains" "string","k8scontrollerlabels contains" "string","k8scontrollername contains" "example name","k8snamespacelabels contains" "example name","k8snamespacename contains" "example name","k8snode contains" "string","k8spod contains" "string","k8spodlabels contains" "string","limit" 123,"machinetype" "string","origagentname contains" "example name","origagentosrevision contains" "string","origagentuuid contains" "string","origagentversion contains" "string","ostype" "string","query" "string","reportedat gt" "string","reportedat gte" "string","reportedat lt" "string","reportedat lte" "string","rulename contains" "example name","scopes" "string","severity" "string","siteids" "string","skip" 123,"skipcount"\ true,"sortby" "string","sortorder" "string","sourceprocesscommandline contains" "string","sourceprocessfilehashmd5 contains" "string","sourceprocessfilehashsha1 contains" "string","sourceprocessfilehashsha256 contains" "string","sourceprocessfilepath contains" "string","sourceprocessname contains" "example name","sourceprocessstoryline contains" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase data array response data data agentdetectioninfo object response data data agentdetectioninfo accountid string response data data agentdetectioninfo machinetype object response 
data data agentdetectioninfo name object response data data agentdetectioninfo osfamily object response data data agentdetectioninfo osname string response data data agentdetectioninfo osrevision string response data data agentdetectioninfo siteid object response data data agentdetectioninfo uuid object response data data agentdetectioninfo version object response data data alertinfo object response data data alertinfo alertid string response data data alertinfo analystverdict string response data data alertinfo createdat string response data data alertinfo dnsrequest object response data data alertinfo dnsresponse object response data data alertinfo dstip object response data data alertinfo dstport object response data data alertinfo dveventid object response data data alertinfo eventtype object response data data alertinfo hittype string response data data alertinfo incidentstatus string response data output example {"data" \[{"agentdetectioninfo" {},"alertinfo" {},"containerinfo" {},"kubernetesinfo" {},"ruleinfo" {},"sourceparentprocessinfo" {},"sourceprocessinfo" {},"targetprocessinfo" {}}],"pagination" {"nextcursor" {},"totalitems" 123}} get blocklist items retrieves all items in the sentinelone blocklist based on filter criteria like hash values or threat ids endpoint url /web/api/v2 1/restrictions method get input argument name type required description parameters accountids string optional list of account ids to filter by parameters countonly boolean optional if true, only total number of items will be returned, without any of the actual objects parameters createdat between string optional date range for creation time (format \<from timestamp> \<to timestamp>, inclusive) parameters createdat gt string optional created after this timestamp parameters createdat gte string optional created after or at this timestamp parameters createdat lt string optional created before this timestamp parameters createdat lte string optional created before or at this timestamp 
parameters cursor string optional cursor position returned by the last request use to iterate over more than 1000 items parameters description contains string optional free text filter by description parameters groupids string optional list of group ids to filter by parameters ids string optional list of ids to filter by parameters imported boolean optional indication whether the hash was imported by a bulk operation or not parameters includechildren boolean optional return filters from children scope levels parameters includeparents boolean optional return filters from parent scope levels parameters limit string optional limit number of returned items (1 1000) parameters modes string optional list of modes to filter by (path exclusions only) parameters ostypes string optional list of os types to filter by parameters query string optional a free text search term, will match applicable attributes parameters recommendations string optional list of recommendations to filter by parameters siteids string optional list of site ids to filter by parameters skip string optional skip first number of items (0 1000) to iterate over more than 1000 items, use "cursor" parameters skipcount boolean optional if true, total number of items will not be calculated, which speeds up execution time parameters sortby string optional the column to sort the results by parameters sortorder string optional sort direction parameters source string optional list sources to filter by input example {"parameters" {"skip" 10,"sortorder" "asc","includeparents"\ false,"limit" 10,"includechildren"\ false,"skipcount"\ true,"countonly"\ true}} output parameter type description status code number http status code of the response reason string response reason phrase data array response data data createdat string response data data description string response data data id string response data data imported boolean response data data includechildren boolean response data data includeparents boolean response 
data data notrecommended string response data data ostype string response data data scope object response data data scope accountids array response data data scope groupids array response data data scope siteids array response data data scope tenant boolean response data data scopename string response data data scopepath string response data data source string response data data type string response data data updatedat string response data data userid string response data data username string response data data value string response data errors array error message if any output example {"data" \[{"createdat" "string","description" "string","id" "12345678 1234 1234 1234 123456789abc","imported"\ true,"includechildren"\ true,"includeparents"\ true,"notrecommended" "string","ostype" "string","scope" {},"scopename" "example name","scopepath" "string","source" "string","type" "string","updatedat" "string","userid" "string"}],"errors" \[],"pagination" {"nextcursor" "string","totalitems" 123}} get groups retrieve details of sentinelone groups using specified filter criteria to streamline management and analysis endpoint url /web/api/v2 1/groups method get input argument name type required description parameters accountids string optional list of account ids to filter by parameters countonly boolean optional if true, only total number of items will be returned, without any of the actual objects parameters cursor string optional cursor position returned by the last request use to iterate over more than 1000 items parameters description string optional the description for the group parameters groupids string optional list of group ids to filter by parameters id string optional id parameters isdefault boolean optional if true, default group is set parameters limit string optional limit number of returned items (1 300) parameters name string optional name parameters query string optional free text search on fields name, description parameters rank string optional the rank sets 
the priority of a dynamic group over others parameters registrationtoken string optional registration token parameters siteids string optional list of site ids to filter by parameters skip string optional skip first number of items (0 1000) to iterate over more than 1000 items, use "cursor" parameters skipcount boolean optional if true, total number of items will not be calculated, which speeds up execution time parameters sortby string optional the column to sort the results by parameters sortorder string optional sort direction parameters type string optional group type parameters types string optional a list of group types parameters updatedat gt string optional updated at greater than parameters updatedat gte string optional updated at greater or equal than parameters updatedat lt string optional updated at lesser than parameters updatedat lte string optional updated at lesser or equal than input example {"parameters" {"skip" 100,"limit" 10,"skipcount"\ true,"countonly"\ true}} output parameter type description status code number http status code of the response reason string response reason phrase data array response data data createdat string response data data creator string response data data creatorid string response data data filterid object response data data filtername object response data data id string response data data inherits boolean response data data isdefault boolean response data data name string response data data rank object response data data registrationtoken string response data data siteid string response data data totalagents number response data data type string response data data updatedat string response data pagination object output field pagination pagination nextcursor object output field pagination nextcursor pagination totalitems number output field pagination totalitems output example {"status code" 200,"response headers" {"server" "nginx","date" "tue, 11 jun 2024 11 26 21 gmt","content type" "application/json","transfer 
encoding" "chunked","connection" "keep alive","x rqid" "112653fa 4329 4f71 a7a6 5dc163b97fd2","access control allow origin" "https //cns na1 sentinelone net","access control allow credentials" "true","vary" "origin","strict transport security" "max age=31536000; includesubdomains","x frame options" "sameorigin","x content type options" "nosniff","content secu get hash retrieve the classification of a specified hash from sentinelone, utilizing the hash as a path parameter endpoint url /web/api/v2 1/hashes/{{hash}}/reputation method get input argument name type required description path parameters hash string required parameters for the get hash action input example {"path parameters" {"hash" "3395856ce81f2b7382dee72602f798b642f14140"}} output parameter type description status code number http status code of the response reason string response reason phrase data object response data data rank string response data output example {"status code" 200,"response headers" {"server" "nginx","date" "mon, 14 nov 2022 20 17 39 gmt","content type" "application/json","transfer encoding" "chunked","connection" "keep alive","x rqid" "64e8155a 3841 4681 a3c7 27a64ebebf5a","access control allow origin" "https //attivo us sentinelone net","access control allow credentials" "true","vary" "origin","strict transport security" "max age=31536000; includesubdomains","x frame options" "sameorigin","x content type options" "nosniff","content se get rogues settings retrieve the current configuration settings for rogue devices from sentinelone endpoint url /web/api/v2 1/rogues/settings method get input argument name type required description parameters accountids array optional parameters for the get rogues settings action parameters siteids array optional parameters for the get rogues settings action input example {"parameters" {"accountids" \["string"],"siteids" \["string"]}} output parameter type description status code number http status code of the response reason string response reason 
phrase data object response data data minagentsinnetworktoscan number response data data accountid string response data data enabled boolean response data data usespecificports boolean response data data restrictions array response data data restrictions annotation string response data data restrictions values array response data data restrictions type string response data data specificports array response data data specificports values array response data data specificports type string response data errors array error message if any errors code number error message if any errors detail object error message if any errors title string error message if any output example {"data" {"minagentsinnetworktoscan" 123,"accountid" "string","enabled"\ true,"usespecificports"\ true,"restrictions" \[{}],"specificports" \[{}]},"errors" \[{"code" 123,"detail" {},"title" "string"}]} get sites retrieves a list of sentinelone sites based on filter criteria to manage network topology endpoint url /web/api/v2 1/sites method get input argument name type required description parameters accountid string optional account id parameters accountids array optional list of account ids to filter by parameters accountname contain array optional free text filter by account name (supports multiple values) parameters activelicenses number optional active licenses parameters adminonly boolean optional show sites the user has admin privileges to parameters availablemovesites boolean optional only return sites the user can move agents through parameters countonly boolean optional if true, only total number of items will be returned, without any of the actual objects parameters createdat string optional timestamp of site creation parameters cursor string optional cursor position returned by the last request use to iterate over more than 1000 items parameters description string optional the description for the site parameters description contains array optional free text filter by site description 
(supports multiple values) parameters expiration string optional expiration parameters externalid string optional id in a crm external system parameters features array optional if sent return only sites that support this features parameters healthstatus boolean optional health status parameters isdefault boolean optional is default parameters limit number optional limit number of returned items (1 1000) parameters module string optional module parameters name string optional name parameters name contains array optional free text filter by site name (supports multiple values) parameters query string optional full text search for fields name, account name, description (note on single account consoles account name will not be matched) parameters registrationtoken string optional registration token parameters siteids array optional list of site ids to filter by parameters sitetype string optional site type parameters skip number optional skip first number of items (0 1000) to iterate over more than 1000 items, use "cursor" input example {"parameters" {"accountid" "string","accountids" \["string"],"accountname contain" \["string"],"activelicenses" 123,"adminonly"\ true,"availablemovesites"\ true,"countonly"\ true,"createdat" "string","cursor" "string","description" "string","description contains" \["string"],"expiration" "string","externalid" "string","features" \["string"],"healthstatus"\ true,"isdefault"\ true,"limit" 123,"module" "string","name" "example name","name contains" \["string"],"query" "string","registrationtoken" "string","siteids" \["string"],"sitetype" "string","skip" 123,"skipcount"\ true,"sku" "string","sortby" "string","sortorder" "string","state" "string","states" \["string"],"totallicenses" 123,"updatedat" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase data object response data data allsites object response data data allsites activelicenses number response data 
data allsites totallicenses number response data data sites array response data data sites accountid string response data data sites accountname string response data data sites activelicenses number response data data sites createdat string response data data sites creator string response data data sites creatorid string response data data sites description object response data data sites expiration object response data data sites externalid object response data data sites healthstatus boolean response data data sites id string response data data sites isdefault boolean response data data sites licenses object response data data sites licenses bundles array response data data sites licenses bundles displayname string response data data sites licenses bundles majorversion number response data data sites licenses bundles minorversion number response data data sites licenses bundles name string response data output example {"status code" 200,"response headers" {"server" "nginx","date" "mon, 28 aug 2023 10 07 53 gmt","content type" "application/json","transfer encoding" "chunked","connection" "keep alive","x rqid" "fb4ea2f2 3f64 4aa0 817d 7f77429fd646","access control allow origin" "https //usea1 identity sentinelone net","access control allow credentials" "true","vary" "origin","strict transport security" "max age=31536000; includesubdomains","x frame options" "sameorigin","x content type options" "nosniff","conte get threat analysis retrieve detailed information on a detected threat in sentinelone using the specified threat id endpoint url web/api/v2 1/private/threats/{{threat id}}/analysis method get input argument name type required description path parameters threat id string required parameters for the get threat analysis action input example {"path parameters" {"threat id" "1311010474425970168"}} output parameter type description status code number http status code of the response reason string response reason phrase data object response data data 
agentdetectioninfo object response data data agentdetectioninfo accountid string response data data agentdetectioninfo accountname string response data data agentdetectioninfo agentdetectionstate object response data data agentdetectioninfo agentdomain string response data data agentdetectioninfo agentipv4 string response data data agentdetectioninfo agentipv6 string response data data agentdetectioninfo agentlastloggedinupn object response data data agentdetectioninfo agentlastloggedinusermail object response data data agentdetectioninfo agentlastloggedinusername string response data data agentdetectioninfo agentmitigationmode string response data data agentdetectioninfo agentosname string response data data agentdetectioninfo agentosrevision string response data data agentdetectioninfo agentregisteredat string response data data agentdetectioninfo agentuuid string response data data agentdetectioninfo agentversion string response data data agentdetectioninfo cloudproviders object response data data agentdetectioninfo externalip string response data data agentdetectioninfo groupid string response data data agentdetectioninfo groupname string response data data agentdetectioninfo siteid string response data data agentdetectioninfo sitename string response data output example {"status code" 200,"response headers" {"server" "nginx","date" "mon, 14 nov 2022 21 44 11 gmt","content type" "application/json","transfer encoding" "chunked","connection" "keep alive","x rqid" "fbaffde6 2d29 4834 946d d3c77ee169f9","access control allow origin" "https //attivo us sentinelone net","access control allow credentials" "true","vary" "origin","strict transport security" "max age=31536000; includesubdomains","x frame options" "sameorigin","x content type options" "nosniff","content se get threat appearences retrieve infected endpoints and the frequency of a threat's appearances in sentinelone using a specified threat id endpoint url /web/api/v2 1/private/threats/{{threat 
id}}/appearances method get input argument name type required description path parameters threat id string required parameters for the get threat appearences action input example {"path parameters" {"threat id" "1311010475659095549"}} output parameter type description status code number http status code of the response reason string response reason phrase data object response data data accounts number response data data agents number response data data firstseen string response data data groups number response data data lastseen string response data data sites number response data data timesseen number response data output example {"status code" 200,"response headers" {"server" "nginx","date" "wed, 16 nov 2022 19 02 30 gmt","content type" "application/json","transfer encoding" "chunked","connection" "keep alive","x rqid" "73e105d3 22fa 4f21 9985 f088bc4f75f4","access control allow origin" "https //attivo us sentinelone net","access control allow credentials" "true","vary" "origin","strict transport security" "max age=31536000; includesubdomains","x frame options" "sameorigin","x content type options" "nosniff","content se get threat events retrieve all threat events linked to a specific 'threat id' in sentinelone, aiding in targeted incident analysis endpoint url /web/api/v2 1/threats/{{threat id}}/explore/events method get input argument name type required description path parameters threat id string required parameters for the get threat events action parameters eventid string optional parameters for the get threat events action parameters sortby string optional parameters for the get threat events action parameters limit number optional parameters for the get threat events action parameters skip number optional parameters for the get threat events action parameters sortorder string optional parameters for the get threat events action parameters skipcount boolean optional parameters for the get threat events action parameters countonly boolean optional parameters 
for the get threat events action parameters cursor string optional parameters for the get threat events action parameters eventsubtypes array optional parameters for the get threat events action parameters processname like string optional parameters for the get threat events action parameters eventtypes array optional parameters for the get threat events action input example {"path parameters" {"threat id" "1311010475659095549"}} output parameter type description status code number http status code of the response reason string response reason phrase data array response data data activecontentfileid object response data data activecontenthash object response data data activecontentpath object response data data agentdomain string response data data agentgroupid string response data data agentid string response data data agentinfected boolean response data data agentip string response data data agentisactive boolean response data data agentisdecommissioned boolean response data data agentmachinetype string response data data agentname string response data data agentnetworkstatus string response data data agentos string response data data agentuuid string response data data agentversion string response data data connectionstatus object response data data createdat string response data data direction object response data data dnsrequest object response data data dnsresponse object response data data dstip object response data output example {"status code" 200,"response headers" {"server" "nginx","date" "tue, 06 dec 2022 20 12 03 gmt","content type" "application/json","transfer encoding" "chunked","connection" "keep alive","x rqid" "19f65f98 24e9 42e2 b9bc d1c075019219","access control allow origin" "https //usea1 attivo sentinelone net","access control allow credentials" "true","vary" "origin","strict transport security" "max age=31536000; includesubdomains","x frame options" "sameorigin","x content type options" "nosniff","content get threat notes retrieve all notes 
linked to a given threat ID in SentinelOne, using the specified threat ID.

Endpoint URL: `web/api/v2.1/threats/{{threat_id}}/notes`
Method: GET

Input arguments (name, type, required, description):
- path_parameters.threat_id (string, required): Parameters for the Get Threat Notes action

Input example:

```json
{"path_parameters": {"threat_id": "1311010475659095549"}}
```

Output parameters (name, type, description):
- status_code (number): HTTP status code of the response
- reason (string): Response reason phrase
- data (array): Response data
- data.createdAt (string): Response data
- data.creator (string): Response data
- data.creatorId (string): Response data
- data.edited (boolean): Response data
- data.id (string): Response data
- data.text (string): Response data
- data.updatedAt (string): Response data
- pagination (object): Output field pagination
- pagination.nextCursor (object): Output field pagination.nextCursor
- pagination.totalItems (number): Output field pagination.totalItems

Output example (truncated on the page):

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Mon, 14 Nov 2022 21:30:46 GMT", "Content-Type": "application/json", "Transfer-Encoding": "chunked", "Connection": "keep-alive", "X-RqId": "2cc914c5-8abc-4253-8d67-eccaa991bc06", "Access-Control-Allow-Origin": "https://attivo-us.sentinelone.net", "Access-Control-Allow-Credentials": "true", "Vary": "Origin", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff", "Content-Se
```

### Get Threat Timeline

Retrieve a detailed timeline of a specific threat in SentinelOne using the unique threat ID provided.

Endpoint URL: `web/api/v2.1/threats/{{threat_id}}/timeline`
Method: GET

Input arguments (name, type, required, description):
- path_parameters.threat_id (string, required): Parameters for the Get Threat Timeline action
- parameters.sortOrder (string, optional): Parameters for the Get Threat Timeline action
- parameters.skipCount (boolean, optional): Parameters for the Get Threat Timeline action
- parameters.activityTypes (number, optional): Parameters for the Get Threat Timeline action
- parameters.sortBy (string, optional): Parameters for the Get Threat Timeline action
- parameters.countOnly (boolean, optional): Parameters for the Get Threat Timeline action

Input example:

```json
{
  "parameters": {
    "sortOrder": "asc",
    "skipCount": false,
    "activityTypes": 4003,
    "sortBy": "hash",
    "countOnly": false
  },
  "path_parameters": {"threat_id": "1503989642042428880"}
}
```

Output parameters (name, type, description):
- status_code (number): HTTP status code of the response
- reason (string): Response reason phrase
- data (array): Response data
- data.accountId (string): Response data
- data.activityType (number): Response data
- data.agentId (string): Response data
- data.agentUpdatedVersion (object): Response data
- data.createdAt (string): Response data
- data.data (object): Response data
- data.data.accountName (string): Response data
- data.data.computerName (string): Response data
- data.data.fileContentHash (string): Response data
- data.data.fileDisplayName (string): Response data
- data.data.filePath (string): Response data
- data.data.fullScopeDetails (string): Response data
- data.data.fullScopeDetailsPath (string): Response data
- data.data.groupName (string): Response data
- data.data.newStatus (object): Response data
- data.data.originalStatus (string): Response data
- data.data.siteName (string): Response data
- data.data.threatClassification (string): Response data
- data.data.threatClassificationSource (string): Response data
- data.data.username (string): Response data
- data.groupId (string): Response data
- data.hash (object): Response data

Output example (truncated on the page):

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Mon, 14 Nov 2022 22:05:11 GMT", "Content-Type": "application/json", "Transfer-Encoding": "chunked", "Connection": "keep-alive", "X-RqId": "2a863e30-2f72-4519-9162-4e198dcb768d", "Access-Control-Allow-Origin": "https://attivo-us.sentinelone.net", "Access-Control-Allow-Credentials": "true", "Vary": "Origin", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff", "Content-Se
```

### Get Threats

Retrieve a comprehensive list of all identified threats
from SentinelOne.

Endpoint URL: `web/api/v2.1/threats`
Method: GET

Input arguments (name, type, required, description):
- parameters.accountIds (array, optional): Parameters for the Get Threats action
- parameters.agentIds (array, optional): Parameters for the Get Threats action
- parameters.agentIsActive (boolean, optional): Parameters for the Get Threats action
- parameters.agentMachineTypes (array, optional): Parameters for the Get Threats action
- parameters.agentMachineTypesNin (array, optional): Parameters for the Get Threats action
- parameters.agentVersions (array, optional): Parameters for the Get Threats action
- parameters.agentVersionsNin (array, optional): Parameters for the Get Threats action
- parameters.analystVerdicts (array, optional): Parameters for the Get Threats action
- parameters.analystVerdictsNin (array, optional): Parameters for the Get Threats action
- parameters.awsRole__contains (array, optional): Parameters for the Get Threats action
- parameters.awsSecurityGroups__contains (array, optional): Parameters for the Get Threats action
- parameters.awsSubnetIds__contains (array, optional): Parameters for the Get Threats action
- parameters.azureResourceGroup__contains (array, optional): Parameters for the Get Threats action
- parameters.classifications (array, optional): Parameters for the Get Threats action
- parameters.classificationsNin (array, optional): Parameters for the Get Threats action
- parameters.classificationSources (array, optional): Parameters for the Get Threats action
- parameters.classificationSourcesNin (array, optional): Parameters for the Get Threats action
- parameters.cloudAccount__contains (array, optional): Parameters for the Get Threats action
- parameters.cloudImage__contains (array, optional): Parameters for the Get Threats action
- parameters.cloudInstanceId__contains (array, optional): Parameters for the Get Threats action
- parameters.cloudInstanceSize__contains (array, optional): Parameters for the Get Threats action
- parameters.cloudLocation__contains (array, optional): Parameters for the Get Threats action
- parameters.cloudNetwork__contains (array, optional): Parameters for the Get Threats action
- parameters.cloudProvider (array, optional): Parameters for the Get Threats action
- parameters.cloudProviderNin (array, optional): Parameters for the Get Threats action

Input example:

```json
{
  "parameters": {
    "accountIds": ["225494730938493804"],
    "agentIds": ["225494730938493804"],
    "agentIsActive": true,
    "agentMachineTypes": ["unknown"],
    "agentMachineTypesNin": ["unknown"],
    "agentVersions": ["2.5.1.1320"],
    "agentVersionsNin": ["2.5.1.1320"],
    "analystVerdicts": ["true_positive,suspicious"],
    "analystVerdictsNin": ["true_positive,suspicious"],
    "awsRole__contains": ["aws role"],
    "awsSecurityGroups__contains": ["aws securitygroups"],
    "awsSubnetIds__contains": ["aws subnet ids"],
    "azureResourceGroup__contains": ["azure resource group"],
    "classifications": ["classification"],
    "classificationsNin": ["classificationsNin"],
    "classificationSources": ["Cloud"],
    "classificationSourcesNin": ["Cloud"],
    "cloudAccount__contains": ["cloud account"],
    "cloudImage__contains": ["cloud image"],
    "cloudInstanceId__contains": ["225494730938493915"],
    "cloudInstanceSize__contains": ["cloud instance size"],
    "cloudLocation__contains": ["cloud location"],
    "cloudNetwork__contains": ["cloud network"],
    "cloudProvider": ["cloud provider"],
    "cloudProviderNin": ["cloud provider"],
    "collectionIds": ["225494730938493804"],
    "commandLineArguments__contains": ["/usr/sbin/,wget"],
    "computerName__contains": ["john-office,WIN"],
    "confidenceLevels": ["malicious"],
    "confidenceLevelsNin": ["malicious"],
    "containerImageName__contains": ["container image name"],
    "containerLabels__contains": ["container labels"],
    "containerName__contains": ["container name"],
    "contentHash__contains": ["5f09bcff3"],
    "contentHashes": ["d"],
    "countOnly": true,
    "countsFor": "osTypes,machineTypes",
    "createdAt__gt": "2018-02-27T04:49:26.257525Z",
    "createdAt__gte": "2018-02-27T04:49:26.257525Z",
    "createdAt__lt": "2018-02-27T04:49:26.257525Z",
    "createdAt__lte": "2018-02-27T04:49:26.257525Z",
    "cursor": "YWdlbnRfaWQ6NTgwMjkzODE=",
    "detectionAgentDomain__contains": ["sentinel,sentinelone.com"],
    "detectionAgentVersion__contains": ["1.1.1.1,2.2."],
    "detectionEngines": ["reputation"],
    "detectionEnginesNin": ["reputation"],
    "displayName": "display name",
    "engines": ["reputation"],
    "enginesNin": ["reputation"],
    "externalTicketExists": true,
    "externalTicketId__contains": ["threat external ticket id"],
    "externalTicketIds": ["225494730938493918"],
    "failedActions": true,
    "filePath__contains": ["myUser"],
    "gcpServiceAccount__contains": ["gcp service account"],
    "groupIds": ["225494730938493804,225494730938493915"],
    "ids": ["225494730938493804,225494730938493915"],
    "incidentStatuses": ["unresolved,in_progress"],
    "incidentStatusesNin": ["unresolved,in_progress"],
    "initiatedBy": ["agent_policy,dv_command"],
    "initiatedByNin": ["agent_policy,dv_command"],
    "initiatedByUsername__contains": ["John,John Doe"],
    "k8sClusterName__contains": ["kubernetes cluster name"],
    "k8sControllerLabels__contains": ["kubernetes controller labels"],
    "k8sControllerName__contains": ["kubernetes controller name"],
    "k8sNamespaceLabels__contains": ["kubernetes namespace labels"],
    "k8sNamespaceName__contains": ["kubernetes namespace name"],
    "k8sNodeLabels__contains": ["kubernetes node labels"],
    "k8sNodeName__contains": ["kubernetes node name"],
    "k8sPodLabels__contains": ["kubernetes pod labels"],
    "k8sPodName__contains": ["kubernetes pod name"],
    "limit": 10,
    "mitigatedPreemptively": true,
    "mitigationStatuses": ["not_mitigated"],
    "mitigationStatusesNin": ["not_mitigated"],
    "noteExists": true,
    "originatedProcess__contains": ["process name of the threat"],
    "osArchs": ["32 bit"],
    "osNames": ["osNames"],
    "osNamesNin": ["osNamesNin"],
    "osTypes": ["linux"],
    "osTypesNin": ["linux"],
    "pendingActions": true,
    "publisherName__contains": ["GOOGLE,Apple Inc."],
    "query": "threat details",
    "realtimeAgentVersion__contains": ["1.1.1.1,2.2."],
    "rebootRequired": true,
    "resolved": true,
    "siteIds": ["225494730938493804,225494730938493915"],
    "skip": 150,
    "skipCount": true,
    "sortBy": "id",
    "sortOrder": "asc",
    "storyline__contains": ["0000C2E97648,0006FC73-77B4-470F-AAC7-"],
    "storylines": ["list of agent context to search for"],
    "tenant": true,
    "threatDetails__contains": ["malware.exe,virus.exe"],
    "updatedAt__gt": "2018-02-27T04:49:26.257525Z",
    "updatedAt__gte": "2018-02-27T04:49:26.257525Z",
    "updatedAt__lt": "2018-02-27T04:49:26.257525Z",
    "updatedAt__lte": "2018-02-27T04:49:26.257525Z",
    "uuid__contains": ["e92-01928,b055"]
  }
}
```

Output parameters (name, type, description):
- status_code (number): HTTP status code of the response
- reason (string): Response reason phrase
- errors (array): Error message, if any
- errors.type (string): Type of the resource
- pagination (object): Output field pagination
- pagination.totalItems (number): Output field pagination.totalItems
- pagination.nextCursor (string): Output field pagination.nextCursor
- data (array): Response data
- data.mitigationStatus (array): Response data
- data.mitigationStatus.lastUpdate (string): Response data
- data.mitigationStatus.agentSupportsReport (string): Response data
- data.mitigationStatus.latestReport (string): Response data
- data.mitigationStatus.groupNotFound (string): Response data
- data.mitigationStatus.mitigationEndedAt (string): Response data
- data.mitigationStatus.action (string): Response data
- data.mitigationStatus.actionsCounters (object): Response data
- data.mitigationStatus.actionsCounters.pendingReboot (string): Response data
- data.mitigationStatus.actionsCounters.failed (string): Response data
- data.mitigationStatus.actionsCounters.total (string): Response data
- data.mitigationStatus.actionsCounters.notFound (string): Response data
- data.mitigationStatus.actionsCounters.success (string): Response data
- data.mitigationStatus.status (string): Response data
- data.mitigationStatus.mitigationStartedAt (string): Response data
- data.kubernetesInfo (object): Response data
- data.kubernetesInfo.controllerKind (string): Response data

Output example (truncated on the page):

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Mon, 03 Jul 2023 03:42:11 GMT", "Content-Type": "application/json", "Transfer-Encoding": "chunked", "Connection": "keep-alive", "X-RqId": "96f7b37b-0e6b-4cb7-ba52-1c6bffa6d0fe", "Access-Control-Allow-Origin": "https://usea1-identity.sentinelone.net", "Access-Control-Allow-Credentials": "true", "Vary": "Origin", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff", "Conte
```

### Initiate Scan

Executes a full disk scan on SentinelOne agents using specified filters to identify threats.

Endpoint URL: `web/api/v2.1/agents/actions/initiate-scan`
Method: POST

Input arguments (name, type, required, description):
- data (object, optional): Response data
- filter (object, optional): Parameter for Initiate Scan
- filter.uuids (array, optional): Unique identifier

Input example:

```json
{"json_body": {"data": {}, "filter": {"uuids": ["33b3a892-d388-d3e6-6ead-a98acb5d054c"]}}}
```

Output parameters (name, type, description):
- status_code (number): HTTP status code of the response
- reason (string): Response reason phrase
- data (object): Response data
- data.affected (number): Response data

Output example (truncated on the page):

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Mon, 14 Nov 2022 20:10:56 GMT", "Content-Type": "application/json", "Transfer-Encoding": "chunked", "Connection": "keep-alive", "X-RqId": "39073fc2-f1d8-4ac6-880f-2f2c372ff37b", "Access-Control-Allow-Origin": "https://attivo-us.sentinelone.net", "Access-Control-Allow-Credentials": "true", "Vary": "Origin", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff", "Content-Se
```

### Mitigate Threats

Apply a specified mitigation action to threats in SentinelOne, using the 'action' and 'filter' parameters for a targeted response.

Endpoint URL: `/web/api/v2.1/threats/mitigate/{{action}}`
Method: POST

Input arguments (name, type, required, description):
- path_parameters.action (string, required): Parameters for the Mitigate Threats action
- filter (object, optional): Parameter for Mitigate Threats
- filter.k8sPodLabels__contains (array, optional): Parameter for Mitigate Threats
- filter.updatedAt__gte (string, optional): Parameter for Mitigate Threats
- filter.awsSubnetIds__contains (array, optional): Unique identifier
- filter.agentMachineTypes (array, optional): Type of the resource
- filter.cloudAccount__contains (array, optional): Parameter for Mitigate Threats
- filter.agentVersions (array, optional): Parameter for Mitigate Threats
- filter.siteIds (array, optional): Unique identifier
- filter.classificationSourcesNin (array, optional): Parameter for Mitigate Threats
- filter.storylines (array, optional): Parameter for Mitigate Threats
- filter.detectionAgentVersion__contains (array, optional): Parameter for Mitigate Threats
- filter.createdAt__lt (string, optional): Parameter for Mitigate Threats
- filter.resolved (boolean, optional): Parameter for Mitigate Threats
- filter.mitigatedPreemptively (boolean, optional): Parameter for Mitigate Threats
- filter.detectionEngines (array, optional): Parameter for Mitigate Threats
- filter.threatDetails__contains (array, optional): Parameter for Mitigate Threats
- filter.storyline__contains (array, optional): Parameter for Mitigate Threats
- filter.agentVersionsNin (array, optional): Parameter for Mitigate Threats
- filter.originatedProcess__contains (array, optional): Parameter for Mitigate Threats
- filter.tenant (boolean, optional): Parameter for Mitigate Threats
- filter.cloudProvider (array, optional): Unique identifier
- filter.pendingActions (boolean, optional): Parameter for Mitigate Threats
- filter.agentIds (array, optional): Unique identifier
- filter.detectionAgentDomain__contains (array, optional): Parameter for Mitigate Threats

Input example:

```json
{
  "json_body": {
    "filter": {
      "k8sPodLabels__contains": ["string"],
      "updatedAt__gte": "2018-02-27T04:49:26.257525Z",
      "awsSubnetIds__contains": ["string"],
      "agentMachineTypes": ["string"],
      "cloudAccount__contains": ["string"],
      "agentVersions": ["2.5.1.1320"],
      "siteIds": ["225494730938493804"],
      "classificationSourcesNin": ["Cloud"],
      "storylines": ["string"],
      "detectionAgentVersion__contains": ["string"],
      "createdAt__lt": "2018-02-27T04:49:26.257525Z",
      "resolved": true,
      "mitigatedPreemptively": true,
      "detectionEngines": ["reputation"],
      "threatDetails__contains": ["string"],
      "storyline__contains": ["string"],
      "agentVersionsNin": ["2.5.1.1320"],
      "originatedProcess__contains": ["string"],
      "tenant": true,
      "cloudProvider": ["string"],
      "pendingActions": true,
      "agentIds": ["225494730938493804"],
      "detectionAgentDomain__contains": ["string"],
      "incidentStatusesNin": ["unresolved"],
      "updatedAt__gt": "2018-02-27T04:49:26.257525Z",
      "gcpServiceAccount__contains": ["string"],
      "k8sNodeName__contains": ["string"],
      "classifications": ["string"],
      "ids": ["225494730938493804"],
      "classificationsNin": ["string"],
      "confidenceLevels": ["malicious"],
      "classificationSources": ["Cloud"],
      "osArchs": ["32 bit"],
      "limit": 10,
      "k8sClusterName__contains": ["string"],
      "publisherName__contains": ["string"],
      "k8sControllerLabels__contains": ["string"],
      "externalTicketId__contains": ["string"],
      "cloudInstanceSize__contains": ["string"],
      "cloudInstanceId__contains": ["string"],
      "k8sNamespaceLabels__contains": ["string"],
      "noteExists": true,
      "k8sNodeLabels__contains": ["string"],
      "uuid__contains": ["string"],
      "updatedAt__lt": "2018-02-27T04:49:26.257525Z",
      "osNames": ["string"],
      "azureResourceGroup__contains": ["string"],
      "confidenceLevelsNin": ["malicious"],
      "createdAt__gt": "2018-02-27T04:49:26.257525Z",
      "enginesNin": ["reputation"],
      "groupIds": ["225494730938493804"],
      "collectionIds": ["225494730938493804"],
      "k8sPodName__contains": ["string"],
      "accountIds": ["225494730938493804"],
      "analystVerdicts": ["true_positive"],
      "k8sControllerName__contains": ["string"],
      "cloudProviderNin": ["string"],
      "mitigationStatusesNin": ["not_mitigated"],
      "osTypes": ["linux"],
      "detectionEnginesNin": ["reputation"],
      "initiatedByNin": ["agent_policy"],
      "k8sNamespaceName__contains": ["string"],
      "cloudImage__contains": ["string"],
      "query": "string",
      "containerImageName__contains": ["string"],
      "osTypesNin": ["linux"],
      "contentHash__contains": ["string"],
      "agentMachineTypesNin": ["desktop"],
      "rebootRequired": true,
      "commandLineArguments__contains": ["string"],
      "realtimeAgentVersion__contains": ["string"],
      "createdAt__lte": "2018-02-27T04:49:26.257525Z",
      "initiatedByUsername__contains": ["string"],
      "failedActions": true,
      "containerLabels__contains": ["string"],
      "cloudLocation__contains": ["string"],
      "mitigationStatuses": ["not_mitigated"],
      "createdAt__gte": "2018-02-27T04:49:26.257525Z",
      "awsSecurityGroups__contains": ["string"],
      "agentIsActive": true,
      "engines": ["reputation"],
      "awsRole__contains": ["string"],
      "updatedAt__lte": "2018-02-27T04:49:26.257525Z",
      "containerName__contains": ["string"],
      "cloudNetwork__contains": ["string"],
      "displayName": "string",
      "filePath__contains": ["string"],
      "osNamesNin": ["string"],
      "analystVerdictsNin": ["true_positive"],
      "incidentStatuses": ["unresolved"],
      "countsFor": "osTypes,machineTypes",
      "externalTicketIds": ["string"],
      "contentHashes": ["string"],
      "initiatedBy": ["agent_policy"],
      "computerName__contains": ["string"],
      "externalTicketExists": true
    },
    "data": {}
  }
}
```

Output parameters (name, type, description):
- status_code (number): HTTP status code of the response
- reason (string): Response reason phrase
- data (object): Response data
- data.affected (number): Response data

Output example (truncated on the page):

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Mon, 11 Sep 2023 08:58:22 GMT", "Content-Type": "application/json", "Transfer-Encoding": "chunked", "Connection": "keep-alive", "X-RqId": "ca215f22-b23f-4683-a984-d5283635fed4", "Access-Control-Allow-Origin": "https://usea1-identity.sentinelone.net", "Access-Control-Allow-Credentials": "true", "Vary": "Origin", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff", "Conte
```

### New Firewall Rule

Create a SentinelOne Firewall Control rule to manage network traffic for defined scopes and OS, with a required JSON body input.

Endpoint URL: `web/api/v2.1/firewall-control`
Method: POST

Input arguments (name, type, required, description):
- filter (object, optional): Parameter for New Firewall Rule
- filter.accountIds (array, optional): Unique identifier
- filter.siteIds (array, optional): Unique identifier
- filter.tenant (boolean, optional): Parameter for New Firewall Rule
- filter.groupIds (array, optional): Unique identifier
- data (object, optional): Response data
- data.protocol
(string, optional): Response data
- data.application (object, optional): Response data
- data.application.type (string, optional): Response data
- data.application.values (array, optional): Response data
- data.localHost (object, optional): Response data
- data.localHost.type (string, optional): Response data
- data.localHost.values (array, optional): Response data
- data.remoteHost (object, optional): Response data
- data.remoteHost.type (string, optional): Response data
- data.remoteHost.values (array, optional): Response data
- data.osTypes (array, optional): Response data
- data.action (string, optional): Response data
- data.localPort (object, optional): Response data
- data.localPort.type (string, optional): Response data
- data.localPort.values (array, optional): Response data
- data.status (string, optional): Response data
- data.remotePort (object, optional): Response data
- data.remotePort.type (string, optional): Response data
- data.remotePort.values (array, optional): Response data

Input example:

```json
{
  "json_body": {
    "filter": {
      "accountIds": ["225494730938493915"],
      "siteIds": ["1286405255257023125"],
      "tenant": true,
      "groupIds": ["1286405255265411734"]
    },
    "data": {
      "protocol": "string",
      "application": {"type": "any", "values": ["libpcap"]},
      "localHost": {"type": "any", "values": ["string"]},
      "remoteHost": {"type": "any", "values": ["string"]},
      "osTypes": ["windows_legacy"],
      "action": "Allow",
      "localPort": {"type": "any", "values": [80, 443]},
      "status": "Enabled",
      "remotePort": {"type": "any", "values": [80, 443]},
      "osType": "windows_legacy",
      "location": {"type": "all", "values": [{"name": "office1", "id": "225494730938493804"}]},
      "description": "string",
      "direction": "any",
      "remoteHosts": [{"type": "any", "values": ["string"]}],
      "tagIds": ["225494730938493804", "225494730938493915"],
      "tag": "string",
      "name": "string"
    }
  }
}
```

Output parameters (name, type, description):
- status_code (number): HTTP status code of the response
- reason (string): Response reason phrase
- data (object): Response data
- data.protocol (string): Response data
- data.createdAt (string): Response data
- data.location (object): Response data
- data.location.type (string): Response data
- data.location.values (array): Response data
- data.location.values.name (string): Response data
- data.location.values.scope (string): Response data
- data.location.values.id (string): Response data
- data.tagIds (array): Response data
- data.order (number): Response data
- data.name (string): Response data
- data.productId (string): Response data
- data.creatorId (string): Response data
- data.updatedAt (string): Response data
- data.ruleCategory (string): Response data
- data.description (string): Response data
- data.direction (string): Response data
- data.localPort (object): Response data
- data.status (string): Response data
- data.scopeId (string): Response data
- data.id (string): Response data
- data.application (object): Response data

Output example (truncated on the page; note that this example shows a 403 response):

```json
{"status_code": 403, "response_headers": {"Server": "nginx", "Date": "Wed, 16 Nov 2022 17:50:40 GMT", "Content-Type": "application/json", "Transfer-Encoding": "chunked", "Connection": "keep-alive", "Access-Control-Allow-Origin": "https://attivo-us.sentinelone.net", "Access-Control-Allow-Credentials": "true", "Vary": "Origin", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff", "Content-Security-Policy": "default-src 'self' ; connect-src
```

### Ping a Power Query

Initiates a follow-up ping on a SentinelOne Deep Visibility Power Query, using the provided queryId to check for results.

Endpoint URL: `/web/api/v2.1/dv/events/pq-ping`
Method: GET

Input arguments (name, type, required, description):
- paramaters (object, optional): Parameter for Ping a Power Query
- paramaters.queryId (string, optional): Query ID query parameter

Input example:

```json
{"paramaters": {"queryId": "pq280e9119257107b9b6a8f5991f6ecb91"}}
```

Output parameters (name, type, description):
- status_code (number): HTTP status code of the response
- reason (string): Response reason phrase
- data (object): Response data
- data.columns (array): Response data
- data.columns.name (string): Response data
- data.columns.type (string): Response data
- data.data (array): Response data
- data.data.file_name (string): Response data
- data.data.file (string): Response data
- data.externalId (string): Response data
- data.progress (number): Response data
- data.queryId (string): Response data
- data.recommendations (array): Response data
- data.status (string): Response data

Output example (truncated on the page):

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Mon, 22 Apr 2024 09:18:00 GMT", "Content-Type": "application/json", "Content-Length": "94", "Connection": "keep-alive", "Access-Control-Allow-Origin": "https://cns-na1.sentinelone.net", "Access-Control-Allow-Credentials": "true", "Vary": "Origin", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff", "Content-Security-Policy": "default-src 'self' ; connect-src 'self'
```

### Update Alert Analyst Verdict

Updates the analyst's verdict on an alert within SentinelOne based on the provided data and filter criteria.

Endpoint URL: `/web/api/v2.1/cloud-detection/alerts/analyst-verdict`
Method: POST

Input arguments (name, type, required, description):
- filter (object, optional): Parameter for Update Alert Analyst Verdict
- filter.containerImageName__contains (string, optional): Free-text filter by the endpoint container image name (supports multiple values)
- filter.limit (number, optional): Limit
- filter.reportedAt__gte (string, optional): Reported at greater than or equal to
- filter.tenant (boolean, optional): Indicates a tenant-scope request
- filter.reportedAt__lte (string, optional): Reported at less than or equal to
- filter.sourceProcessName__contains (string, optional): Free-text filter by source process name
- filter.incidentStatus (string, optional): Filter threats by an incident status
- filter.sourceProcessCommandline__contains (string, optional): Free-text filter by source command line
- filter.createdAt__lte (string, optional): Created at less than or equal to
- filter.k8sNamespaceLabels__contains (string, optional): Free-text filter by the endpoint Kubernetes namespace labels (supports multiple values)
- filter.k8sPod__contains (string, optional): Free-text filter by the endpoint Kubernetes pod name (supports multiple values)
- filter.reportedAt__gt (string, optional): Reported
at greater than
- filter.sourceProcessFileHashSha1__contains (string, optional): Free-text filter by source SHA1
- filter.k8sNode__contains (string, optional): Free-text filter by the endpoint Kubernetes node name (supports multiple values)
- filter.createdAt__gt (string, optional): Created at greater than
- filter.origAgentUuid__contains (string, optional): Free-text filter by agent UUID
- filter.sourceProcessFileHashMd5__contains (string, optional): Free-text filter by source MD5
- filter.query (string, optional): Full-text search across all fields
- filter.osType (string, optional): Included OS types
- filter.containerName__contains (string, optional): Free-text filter by the endpoint container name (supports multiple values)
- filter.analystVerdict (string, optional): Filter threats by an analyst verdict
- filter.createdAt__lt (string, optional): Created at less than
- filter.origAgentName__contains (string, optional): Free-text filter by agent name
- filter.ruleName__contains (string, optional): Free-text filter by rule name

Input example:

```json
{
  "filter": {
    "containerImageName__contains": "example name",
    "limit": 123,
    "reportedAt__gte": "string",
    "tenant": true,
    "reportedAt__lte": "string",
    "sourceProcessName__contains": "example name",
    "incidentStatus": "active",
    "sourceProcessCommandline__contains": "string",
    "createdAt__lte": "string",
    "k8sNamespaceLabels__contains": "example name",
    "k8sPod__contains": "string",
    "reportedAt__gt": "string",
    "sourceProcessFileHashSha1__contains": "string",
    "k8sNode__contains": "string",
    "createdAt__gt": "string",
    "origAgentUuid__contains": "string",
    "sourceProcessFileHashMd5__contains": "string",
    "query": "string",
    "osType": "string",
    "containerName__contains": "example name",
    "analystVerdict": "string",
    "createdAt__lt": "string",
    "origAgentName__contains": "example name",
    "ruleName__contains": "example name",
    "origAgentOsRevision__contains": "string",
    "sourceProcessFilePath__contains": "string",
    "k8sControllerLabels__contains": "string",
    "siteIds": "string",
    "containerLabels__contains": "string",
    "k8sNamespaceName__contains": "example name",
    "groupIds": "string",
    "accountIds": "string",
    "machineType": "string",
    "k8sControllerName__contains": "example name",
    "severity": "string",
    "k8sCluster__contains": "string",
    "ids": "string",
    "scopes": "string",
    "createdAt__gte": "string",
    "sourceProcessStoryline__contains": "string",
    "origAgentVersion__contains": "string",
    "reportedAt__lt": "string",
    "k8sPodLabels__contains": "string",
    "sourceProcessFileHashSha256__contains": "string"
  },
  "data": {"analystVerdict": "string"}
}
```

Output parameters (name, type, description):
- status_code (number): HTTP status code of the response
- reason (string): Response reason phrase
- data (object): Response data
- data.affected (number): Response data

Output example:

```json
{"data": {"affected": 0}}
```

### Update Alert Incident

Updates an alert's incident details in SentinelOne with the provided data and filter criteria.

Endpoint URL: `/web/api/v2.1/cloud-detection/alerts/incident`
Method: POST

Input arguments (name, type, required, description):
- filter (object, optional): Parameter for Update Alert Incident
- filter.containerImageName__contains (array, optional): Free-text filter by the endpoint container image name (supports multiple values)
- filter.limit (number, optional): Limit
- filter.reportedAt__gte (string, optional): Reported at greater than or equal to
- filter.tenant (boolean, optional): Indicates a tenant-scope request
- filter.reportedAt__lte (string, optional): Reported at less than or equal to
- filter.sourceProcessName__contains (array, optional): Free-text filter by source process name
- filter.incidentStatus (array, optional): Filter threats by an incident status
- filter.sourceProcessCommandline__contains (array, optional): Free-text filter by source command line
- filter.createdAt__lte (string, optional): Created at less than or equal to
- filter.k8sNamespaceLabels__contains (array, optional): Free-text filter by the endpoint Kubernetes namespace labels (supports multiple values)
- filter.k8sPod__contains (array, optional): Free-text filter by the endpoint Kubernetes pod name (supports multiple values)
- filter.reportedAt__gt (string, optional): Reported at greater than
- filter.sourceProcessFileHashSha1__contains (array, optional): Free-
text filter by source SHA1
- filter.k8sNode__contains (array, optional): Free-text filter by the endpoint Kubernetes node name (supports multiple values)
- filter.createdAt__gt (string, optional): Created at greater than
- filter.origAgentUuid__contains (array, optional): Free-text filter by agent UUID
- filter.sourceProcessFileHashMd5__contains (array, optional): Free-text filter by source MD5
- filter.query (string, optional): Full-text search across all fields
- filter.osType (array, optional): Included OS types
- filter.containerName__contains (array, optional): Free-text filter by the endpoint container name (supports multiple values)
- filter.analystVerdict (array, optional): Filter threats by an analyst verdict
- filter.createdAt__lt (string, optional): Created at less than
- filter.origAgentName__contains (array, optional): Free-text filter by agent name
- filter.ruleName__contains (array, optional): Free-text filter by rule name

Input example:

```json
{
  "filter": {
    "containerImageName__contains": ["string"],
    "limit": 123,
    "reportedAt__gte": "string",
    "tenant": true,
    "reportedAt__lte": "string",
    "sourceProcessName__contains": ["string"],
    "incidentStatus": ["string"],
    "sourceProcessCommandline__contains": ["string"],
    "createdAt__lte": "string",
    "k8sNamespaceLabels__contains": ["string"],
    "k8sPod__contains": ["string"],
    "reportedAt__gt": "string",
    "sourceProcessFileHashSha1__contains": ["string"],
    "k8sNode__contains": ["string"],
    "createdAt__gt": "string",
    "origAgentUuid__contains": ["string"],
    "sourceProcessFileHashMd5__contains": ["string"],
    "query": "string",
    "osType": ["string"],
    "containerName__contains": ["string"],
    "analystVerdict": ["string"],
    "createdAt__lt": "string",
    "origAgentName__contains": ["string"],
    "ruleName__contains": ["string"],
    "origAgentOsRevision__contains": ["string"],
    "sourceProcessFilePath__contains": ["string"],
    "k8sControllerLabels__contains": ["string"],
    "siteIds": ["string"],
    "containerLabels__contains": ["string"],
    "k8sNamespaceName__contains": ["string"],
    "groupIds": ["string"],
    "accountIds": ["string"],
    "machineType": ["string"],
    "k8sControllerName__contains": ["string"],
    "severity": ["string"],
    "k8sCluster__contains": ["string"],
    "ids": ["string"],
    "scopes": ["string"],
    "createdAt__gte": "string",
    "sourceProcessStoryline__contains": ["string"],
    "origAgentVersion__contains": ["string"],
    "reportedAt__lt": "string",
    "k8sPodLabels__contains": ["string"],
    "sourceProcessFileHashSha256__contains": ["string"]
  },
  "data": {"incidentStatus": "active"}
}
```

Output parameters (name, type, description):
- status_code (number): HTTP status code of the response
- reason (string): Response reason phrase
- data (object): Response data
- data.affected (number): Response data

Output example (truncated on the page):

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Thu, 18 Apr 2024 00:12:38 GMT", "Content-Type": "application/json", "Transfer-Encoding": "chunked", "Connection": "keep-alive", "X-RqId": "d281729a-04f6-40d4-aeef-5f0add7d40a3", "Access-Control-Allow-Origin": "https://cns-us-east-1-prod.sentinelone.net", "Access-Control-Allow-Credentials": "true", "Vary": "Origin", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff", "C
```

### Update Threat Analyst Verdict

Modify an analyst's verdict on a threat within SentinelOne using filter criteria and the provided data.

Endpoint URL: `/web/api/v2.1/threats/analyst-verdict`
Method: POST

Input arguments (name, type, required, description):
- filter (object, optional): Parameter for Update Threat Analyst Verdict
- filter.k8sPodLabels__contains (array, optional): Parameter for Update Threat Analyst Verdict
- filter.updatedAt__gte (string, optional): Parameter for Update Threat Analyst Verdict
- filter.awsSubnetIds__contains (array, optional): Unique identifier
- filter.agentMachineTypes (array, optional): Type of the resource
- filter.cloudAccount__contains (array, optional): Parameter for Update Threat Analyst Verdict
- filter.agentVersions (array, optional): Parameter for Update Threat Analyst Verdict
- filter.siteIds (array, optional): Unique identifier
- filter.classificationSourcesNin (array, optional): Parameter for Update Threat Analyst Verdict
- filter.storylines (array,
optional parameter for update threat analyst verdict filter detectionagentversion contains array optional parameter for update threat analyst verdict filter createdat lt string optional parameter for update threat analyst verdict filter resolved boolean optional parameter for update threat analyst verdict filter mitigatedpreemptively boolean optional parameter for update threat analyst verdict filter detectionengines array optional parameter for update threat analyst verdict filter threatdetails contains array optional parameter for update threat analyst verdict filter storyline contains array optional parameter for update threat analyst verdict filter agentversionsnin array optional parameter for update threat analyst verdict filter originatedprocess contains array optional parameter for update threat analyst verdict filter tenant boolean optional parameter for update threat analyst verdict filter cloudprovider array optional unique identifier filter pendingactions boolean optional parameter for update threat analyst verdict filter agentids array optional unique identifier filter detectionagentdomain contains array optional parameter for update threat analyst verdict filter incidentstatusesnin array optional unique identifier input example {"json body" {"filter" {"k8spodlabels contains" \["string"],"updatedat gte" "2018 02 27t04 49 26 257525z","awssubnetids contains" \["string"],"agentmachinetypes" \["string"],"cloudaccount contains" \["string"],"agentversions" \["2 5 1 1320"],"siteids" \["225494730938493804"],"classificationsourcesnin" \["cloud"],"storylines" \["string"],"detectionagentversion contains" \["string"],"createdat lt" "2018 02 27t04 49 26 257525z","resolved"\ true,"mitigatedpreemptively"\ true,"detectionengines" \["reputation"],"threatdetails contains" \["string"],"storyline contains" \["string"],"agentversionsnin" \["2 5 1 1320"],"originatedprocess contains" \["string"],"tenant"\ true,"cloudprovider" \["string"],"pendingactions"\ true,"agentids" 
\["225494730938493804"],"detectionagentdomain contains" \["string"],"incidentstatusesnin" \["unresolved"],"updatedat gt" "2018 02 27t04 49 26 257525z","gcpserviceaccount contains" \["string"],"k8snodename contains" \["string"],"classifications" \["string"],"ids" \["225494730938493804"],"classificationsnin" \["string"],"confidencelevels" \["malicious"],"classificationsources" \["cloud"],"osarchs" \["32 bit"],"limit" 10,"k8sclustername contains" \["string"],"publishername contains" \["string"],"k8scontrollerlabels contains" \["string"],"externalticketid contains" \["string"],"cloudinstancesize contains" \["string"],"cloudinstanceid contains" \["string"],"k8snamespacelabels contains" \["string"],"noteexists"\ true,"k8snodelabels contains" \["string"],"uuid contains" \["string"],"updatedat lt" "2018 02 27t04 49 26 257525z","osnames" \["string"],"azureresourcegroup contains" \["string"],"confidencelevelsnin" \["malicious"],"createdat gt" "2018 02 27t04 49 26 257525z","enginesnin" \["reputation"],"groupids" \["225494730938493804"],"collectionids" \["225494730938493804"],"k8spodname contains" \["string"],"accountids" \["225494730938493804"],"analystverdicts" \["true positive"],"k8scontrollername contains" \["string"],"cloudprovidernin" \["string"],"mitigationstatusesnin" \["not mitigated"],"ostypes" \["linux"],"detectionenginesnin" \["reputation"],"initiatedbynin" \["agent policy"],"k8snamespacename contains" \["string"],"cloudimage contains" \["string"],"query" "string","containerimagename contains" \["string"],"ostypesnin" \["linux"],"contenthash contains" \["string"],"agentmachinetypesnin" \["desktop"],"rebootrequired"\ true,"commandlinearguments contains" \["string"],"realtimeagentversion contains" \["string"],"createdat lte" "2018 02 27t04 49 26 257525z","initiatedbyusername contains" \["string"],"failedactions"\ true,"containerlabels contains" \["string"],"cloudlocation contains" \["string"],"mitigationstatuses" \["not mitigated"],"createdat gte" "2018 02 27t04 49 
26 257525z","awssecuritygroups contains" \["string"],"agentisactive"\ true,"engines" \["reputation"],"awsrole contains" \["string"],"updatedat lte" "2018 02 27t04 49 26 257525z","containername contains" \["string"],"cloudnetwork contains" \["string"],"displayname" "string","filepath contains" \["string"],"osnamesnin" \["string"],"analystverdictsnin" \["true positive"],"incidentstatuses" \["unresolved"],"countsfor" "ostypes,machinetypes","externalticketids" \["string"],"contenthashes" \["string"],"initiatedby" \["agent policy"],"computername contains" \["string"],"externalticketexists"\ true},"data" {"analystverdict" "undefined"}}} output parameter type description status code number http status code of the response reason string response reason phrase data object response data data affected number response data output example {"status code" 200,"response headers" {"server" "nginx","date" "fri, 08 sep 2023 06 49 11 gmt","content type" "application/json","transfer encoding" "chunked","connection" "keep alive","x rqid" "5d8a267b 7a4c 4666 819e 54f3ae329128","access control allow origin" "https //usea1 identity sentinelone net","access control allow credentials" "true","vary" "origin","strict transport security" "max age=31536000; includesubdomains","x frame options" "sameorigin","x content type options" "nosniff","conte update threat external ticket id change the external ticket id for a specified threat in sentinelone using a provided json body input endpoint url web/api/v2 1/threats/external ticket id method post input argument name type required description filter object optional parameter for update threat external ticket id filter accountids array optional unique identifier filter osarchs array optional parameter for update threat external ticket id filter agentmachinetypes array optional type of the resource filter commandlinearguments contains array optional parameter for update threat external ticket id filter cloudimage contains array optional parameter for 
update threat external ticket id filter limit number optional parameter for update threat external ticket id filter contenthashes string optional response content filter tenant boolean optional parameter for update threat external ticket id filter ids array optional unique identifier filter createdat lte string optional parameter for update threat external ticket id filter noteexists boolean optional parameter for update threat external ticket id filter k8spodname contains array optional name of the resource filter updatedat gte string optional parameter for update threat external ticket id filter updatedat lt string optional parameter for update threat external ticket id filter containerimagename contains array optional name of the resource filter classificationsources array optional parameter for update threat external ticket id filter confidencelevels array optional unique identifier filter cloudaccount contains array optional parameter for update threat external ticket id filter classificationsnin array optional parameter for update threat external ticket id filter k8scontrollerlabels contains array optional parameter for update threat external ticket id filter ostypes array optional type of the resource filter osnamesnin array optional name of the resource filter realtimeagentversion contains array optional parameter for update threat external ticket id filter awssecuritygroups contains array optional parameter for update threat external ticket id input example {"json body" {"filter" {"accountids" \["225494730938493804","225494730938493915"],"osarchs" \["32 bit"],"agentmachinetypes" \["unknown"],"commandlinearguments contains" \["/usr/sbin/","wget"],"cloudimage contains" \["string"],"limit" 0,"contenthashes" "ddd5030a3d029f3845fc1052419829f08f312240","tenant"\ true,"ids" \["225494730938493804","225494730938493915"],"createdat lte" "2018 02 27t04 49 26 257525z","noteexists"\ true,"k8spodname contains" \["string"],"updatedat gte" "2018 02 27t04 49 26 
257525z","updatedat lt" "2018 02 27t04 49 26 257525z","containerimagename contains" \["string"],"classificationsources" \["cloud"],"confidencelevels" \["malicious"],"cloudaccount contains" \["string"],"classificationsnin" \["string"],"k8scontrollerlabels contains" \["string"],"ostypes" \["windows legacy"],"osnamesnin" \["windows 10 pro"],"realtimeagentversion contains" \["1 1 1 1","2 2 "],"awssecuritygroups contains" \["string"],"mitigatedpreemptively"\ true,"siteids" \["225494730938493804","225494730938493915"],"awsrole contains" \["string"],"detectionagentdomain contains" \["sentinel","sentinelone com"],"agentids" \["225494730938493804","225494730938493915"],"storylines" \["string"],"createdat lt" "2018 02 27t04 49 26 257525z","gcpserviceaccount contains" \["string"],"failedactions"\ true,"collectionids" \["225494730938493804","225494730938493915"],"pendingactions"\ true,"query" "string","externalticketid contains" \["string"],"storyline contains" \["0000c2e97648","0006fc73 77b4 470f aac7 "],"initiatedbynin" \["agent policy","dv command"],"cloudnetwork contains" \["string"],"externalticketids" \["string"],"cloudprovidernin" \["string"],"displayname" "string","countsfor" "ostypes,machinetypes","analystverdicts" \["true positive","suspicious"],"detectionenginesnin" \["reputation"],"contenthash contains" \["5f09bcff3"],"confidencelevelsnin" \["malicious"],"computername contains" \["john office","win"],"threatdetails contains" \["malware exe","virus exe"],"initiatedby" \["agent policy","dv command"],"containername contains" \["string"],"ostypesnin" \["windows legacy"],"azureresourcegroup contains" \["string"],"detectionagentversion contains" \["1 1 1 1","2 2 "],"awssubnetids contains" \["string"],"cloudprovider" \["string"],"agentisactive"\ true,"groupids" \["225494730938493804","225494730938493915"],"cloudinstanceid contains" \["string"],"incidentstatuses" \["unresolved","in progress"],"updatedat gt" "2018 02 27t04 49 26 257525z","containerlabels contains" 
\["string"],"agentversionsnin" \["2 5 1 1320"],"rebootrequired"\ true,"createdat gte" "2018 02 27t04 49 26 257525z","detectionengines" \["reputation"],"classifications" \["string"],"k8snamespacelabels contains" \["string"],"filepath contains" \["\\\myuser\\\downloads"],"agentversions" \["2 5 1 1320"],"agentmachinetypesnin" \["unknown"],"analystverdictsnin" \["true positive","suspicious"],"mitigationstatuses" \["not mitigated"],"k8snodename contains" \["string"],"k8scontrollername contains" \["string"],"initiatedbyusername contains" \["john","john doe"],"originatedprocess contains" \["string"],"k8sclustername contains" \["string"],"k8spodlabels contains" \["string"],"classificationsourcesnin" \["cloud"],"mitigationstatusesnin" \["not mitigated"],"engines" \["reputation"],"k8snamespacename contains" \["string"],"uuid contains" \["e92 01928","b055"],"cloudlocation contains" \["string"],"enginesnin" \["reputation"],"incidentstatusesnin" \["unresolved","in progress"],"resolved"\ true,"externalticketexists"\ true,"cloudinstancesize contains" \["string"],"createdat gt" "2018 02 27t04 49 26 257525z","publishername contains" \["google","apple inc "],"osnames" \["windows 10 pro"],"updatedat lte" "2018 02 27t04 49 26 257525z"},"data" {"externalticketid" "string"}}} output parameter type description status code number http status code of the response reason string response reason phrase data object response data data affected number response data output example {"status code" 500,"response headers" {"server" "nginx","date" "wed, 16 nov 2022 20 32 59 gmt","content type" "application/json","content length" "111","connection" "keep alive","access control allow origin" "https //attivo us sentinelone net","access control allow credentials" "true","vary" "origin","strict transport security" "max age=31536000; includesubdomains","x frame options" "sameorigin","x content type options" "nosniff","content security policy" "default src 'self' ; connect src 'self' update threat incident 
Updates a threat incident's details in SentinelOne using specified data and filter criteria.

Endpoint URL: /web/api/v2.1/threats/incident
Method: POST

Input Argument:

| Name | Type | Required | Description |
|---|---|---|---|
| data | object | optional | Response data |
| data.incidentStatus | string | required | Incident status to update for the threat |
| data.analystVerdict | string | optional | The analyst verdict to set for the threat |
| filter | object | optional | Parameter for Update Threat Incident |
| filter.createdAt__lt | string | optional | Created at less than |
| filter.createdAt__gt | string | optional | Created at greater than |
| filter.updatedAt__gt | string | optional | Updated at greater than |
| filter.updatedAt__lt | string | optional | Updated at less than |
| filter.ids | array | optional | List of threat IDs |
| filter.groupIds | array | optional | List of group IDs to filter by |
| filter.siteIds | array | optional | List of site IDs to filter by |
| filter.accountIds | array | optional | List of account IDs to filter by |
| filter.incidentStatuses | array | optional | Filter threats by a specific incident status |
| filter.classificationSources | array | optional | Classification sources list |
| filter.classifications | array | optional | List of threat classifications to search |
| filter.agentIds | array | optional | List of agent IDs |
| filter.osTypes | array | optional | Included OS types |
| filter.engines__nin | array | optional | Excluded engines |
| filter.osTypes__nin | array | optional | Excluded OS types |
| filter.containerImageName__contains | array | optional | Free text filter by the endpoint container image name (supports multiple values) |
| filter.k8sNodeName__contains | array | optional | Free text filter by the endpoint Kubernetes node name (supports multiple values) |
| filter.k8sNamespaceName__contains | array | optional | Free text filter by the endpoint Kubernetes namespace name (supports multiple values) |
| filter.analystVerdicts | array | optional | Filter threats by a specific analyst verdict |
| filter.agentIsActive | boolean | optional | Include agents currently connected to the management console |
| filter.agentMachineTypes | array | optional | Include agent machine types |

Input Example:

```json
{
  "data": {"incidentStatus": "active", "analystVerdict": "string"},
  "filter": {
    "createdAt__lt": "string", "createdAt__gt": "string", "updatedAt__gt": "string", "updatedAt__lt": "string",
    "ids": ["string"], "groupIds": ["string"], "siteIds": ["string"], "accountIds": ["string"],
    "incidentStatuses": ["string"], "classificationSources": ["string"], "classifications": ["string"],
    "agentIds": ["string"], "osTypes": ["string"], "engines__nin": ["string"], "osTypes__nin": ["string"],
    "containerImageName__contains": ["string"], "k8sNodeName__contains": ["string"],
    "k8sNamespaceName__contains": ["string"], "analystVerdicts": ["string"], "agentIsActive": true,
    "agentMachineTypes": ["string"], "agentMachineTypes__nin": ["string"], "agentTagsData": "string",
    "agentVersions": ["string"], "agentVersions__nin": ["string"], "analystVerdicts__nin": ["string"],
    "awsRole__contains": ["string"], "awsSecurityGroups__contains": ["string"],
    "awsSubnetIds__contains": ["string"], "azureResourceGroup__contains": ["string"],
    "classifications__nin": ["string"], "classificationSources__nin": ["string"],
    "cloudAccount__contains": ["string"], "cloudImage__contains": ["string"],
    "cloudInstanceId__contains": ["string"], "cloudInstanceSize__contains": ["string"],
    "cloudLocation__contains": ["string"], "cloudNetwork__contains": ["string"], "cloudProvider": ["string"],
    "cloudProvider__nin": ["string"], "collectionIds": ["string"], "commandLineArguments__contains": ["string"],
    "computerName__contains": ["string"], "confidenceLevels": ["string"], "confidenceLevels__nin": ["string"],
    "containerLabels__contains": ["string"], "containerName__contains": ["string"],
    "contentHash__contains": ["string"], "contentHashes": ["string"], "countsFor": "string"
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.affected | number | Response data |
| data.details | array | Response data |
| data.details.result | string | Response data |
| data.details.analystVerdict | string | Response data |
| data.details.threatId | string | Response data |
| errors | object | Error message, if any |

Output Example:

```json
{"data": {"affected": 0, "details": [{}]}, "errors": null}
```

### Update Threat Note

Updates a specific threat note in SentinelOne using the provided threat ID, note ID, and data content.

Endpoint URL: web/api/v2.1/threats/{{threat_id}}/notes/{{note_id}}
Method: PUT

Input Argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.threat_id | string | required | Parameters for the Update Threat Note action |
| path_parameters.note_id | string | required | Parameters for the Update Threat Note action |
| data | object | optional | Response data |
| data.text | string | required | Response data |

Input Example:

```json
{
  "json_body": {"data": {"text": "this is a text"}},
  "path_parameters": {"threat_id": "1311010475659095549", "note_id": "1553834980127175650"}
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.createdAt | string | Response data |
| data.edited | boolean | Response data |
| data.id | string | Response data |
| data.text | string | Response data |
| data.updatedAt | string | Response data |

Output Example:

```json
{"status_code": 200, "response_headers": {"server": "nginx", "date": "Wed, 16 Nov 2022 14:40:53 GMT",
 "content-type": "application/json", "transfer-encoding": "chunked", "connection": "keep-alive",
 "x-rqid": "83d1f963-2f8f-4f59-86dc-29b6bba6c497",
 "access-control-allow-origin": "https://attivo-us.sentinelone.net",
 "access-control-allow-credentials": "true", "vary": "Origin",
 "strict-transport-security": "max-age=31536000; includeSubDomains", "x-frame-options": "SAMEORIGIN",
 "x-content-type-options": "nosniff", "content-se
```

(truncated on the source page)

### Response Headers

| Header | Description | Example |
|---|---|---|
| Access-Control-Allow-Credentials | HTTP response header Access-Control-Allow-Credentials | true |
| Access-Control-Allow-Origin | HTTP response header Access-Control-Allow-Origin | https://attivo-us.sentinelone.net |
| Cache-Control | Directives for caching mechanisms | no-store |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 97 |
| Content-Security-Policy | HTTP response header Content-Security-Policy | default-src 'self' ; connect-src 'self' *.sentinelone.net cdn.pendo.io app.pendo.io *.pendo.io data.pendo.io scalyr.com storage.googleapis.com *.sentry.io sentry.io google-analytics.com gstatic.com unpkg.com cdn.auth0.com wss://*.sentinelone.net https://www.googletagmanager.com https://cdnjs.cloudflare.com https://dm64t97qsxvuz.cloudfront.net data: ; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *.sentinelone.net cdn.pendo.io app.pendo.io *.pendo.io static.storage.googleapis.com storage.googleapis.com data.pendo.io https://www.google-analytics.com https://www.googletagmanager.com https://unpkg.com https://cdnjs.cloudflare.com https://dm64t97qsxvuz.cloudfront.net ; img-src 'self' blob: *.sentinelone.net sentinelone.com dm64t97qsxvuz.cloudfront.net data: https://www.google-analytics.com cdn.pendo.io app.pendo.io storage.googleapis.com data.pendo.io ; style-src 'self' 'unsafe-inline' *.sentinelone.net app.pendo.io cdn.pendo.io storage.googleapis.com https://cdnjs.cloudflare.com https://dm64t97qsxvuz.cloudfront.net ; font-src 'self' data: *.sentinelone.net https://cdn.auth0.com https://dm64t97qsxvuz.cloudfront.net ; manifest-src 'self' https://dm64t97qsxvuz.cloudfront.net ; frame-src 'self' blob: https://receptive.io https://*.pendo.io https://pendo.io extensions.storage.googleapis.com/ https://*.youtube.com *.sentinelone.net scalyr.com; frame-ancestors 'self' app.pendo.io *.sentinelone.net; object-src 'none' ; worker-src 'self' blob: ; |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Wed, 16 Nov 2022 20:00:44 GMT |
| Expires | The date/time after which the response is considered stale | -1 |
| Pragma | HTTP response header Pragma | no-cache |
| Server | Information about the software used by the origin server | nginx |
| Set-Cookie | HTTP response header Set-Cookie | |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000; includeSubDomains |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Origin |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |
| X-Rqid | HTTP response header X-Rqid | d8a2bc17-abd3-4c0e-8792-3f84fb1b0688 |
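The Update Threat Incident and Update Threat Analyst Verdict actions above both take a `filter` that decides which threats are changed and a `data` object with the new value; the example below, added here and not part of the Swimlane connector, builds such a request for the incident endpoint scoped to explicit threat IDs, refuses an unscoped (empty `ids`) update, and interprets the `data.affected` / `errors` response shape shown above. It assumes an `Authorization: ApiToken <token>` header and uses a placeholder console URL, neither of which the page states.

```python
"""Scoped Update Threat Incident call against the SentinelOne Management API.

Added example for the Update Threat Incident action above; it is not Swimlane
connector code.  Assumptions not stated on the page: the API token goes in an
`Authorization: ApiToken <token>` header, and the base URL is the console URL
stored in the asset (a placeholder is used in the offline checks).
"""
import json
import urllib.error
import urllib.request
from typing import Any, Dict, List, Optional, Tuple

ENDPOINT = "/web/api/v2.1/threats/incident"   # endpoint URL from the page

# Output example exactly as shown on the page (no rows affected, empty detail).
PAGE_OUTPUT_EXAMPLE = '{"data": {"affected": 0, "details": [{}]}, "errors": null}'


def build_threat_incident_update(
    base_url: str,
    api_token: str,
    threat_ids: List[str],
    incident_status: str,
    analyst_verdict: Optional[str] = None,
) -> Dict[str, Any]:
    """Return {"url", "headers", "json"} for a POST scoped to explicit threat IDs."""
    # `filter` is the only thing that limits the change.  An empty `ids` list would
    # let the server apply the new status to every threat the token can see, so an
    # unscoped request is refused here rather than sent.
    if not threat_ids or any(not isinstance(t, str) or not t.strip() for t in threat_ids):
        raise ValueError("threat_ids must be a non-empty list of threat ID strings")
    if not incident_status or not incident_status.strip():
        raise ValueError("data.incidentStatus is required")
    data: Dict[str, str] = {"incidentStatus": incident_status}
    if analyst_verdict is not None:          # data.analystVerdict is optional
        data["analystVerdict"] = analyst_verdict
    return {
        "url": base_url.rstrip("/") + ENDPOINT,
        "headers": {
            "Authorization": f"ApiToken {api_token}",   # assumed header scheme
            "Content-Type": "application/json",
        },
        "json": {"data": data, "filter": {"ids": list(threat_ids)}},
    }


def parse_threat_incident_response(status_code: int, body: str) -> Tuple[int, List[Dict[str, Any]]]:
    """Return (data.affected, non-empty data.details entries) or raise on failure."""
    if status_code >= 500:                   # the page shows a 500 with no usable data
        raise RuntimeError(f"SentinelOne returned HTTP {status_code}; retry later")
    payload = json.loads(body)
    errors = payload.get("errors")
    if status_code >= 400 or errors:
        raise RuntimeError(f"update rejected (HTTP {status_code}): {errors!r}")
    data = payload.get("data") or {}
    affected = int(data.get("affected", 0))
    details = [d for d in data.get("details", []) if d]   # drop placeholder {} rows
    return affected, details


def send_threat_incident_update(request: Dict[str, Any], timeout: float = 30.0) -> Tuple[int, List[Dict[str, Any]]]:
    """Perform the call built above (network; not exercised by the offline checks)."""
    req = urllib.request.Request(
        request["url"],
        data=json.dumps(request["json"]).encode(),
        headers=request["headers"],
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_threat_incident_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:    # 4xx/5xx bodies still carry `errors`
        return parse_threat_incident_response(err.code, err.read().decode())
```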