SentinelOne SOAR Integration¶

This document details the tools provided by the SentinelOne SOAR integration.

Overview¶

SentinelOne is an endpoint security platform that provides prevention, detection, and response capabilities across endpoints. This integration allows Chronicle SOAR to interact with SentinelOne agents and the management console for investigation and response actions.

Tools¶

`sentinel_one_get_system_status`¶

Get SentinelOne system health status

Parameters:

case_id (str, required): The ID of the case.
alert_group_identifiers (List[str], required): Identifiers for the alert groups.
target_entities (List[TargetEntity], optional, default=[]): Optional list of specific target entities (Identifier, EntityType) to run the action on.
scope (str, optional, default=“All entities”): Defines the scope for the action.

`sentinel_one_disconnect_agent_from_network`¶

Disconnect agent from network connection

Parameters:

case_id (str, required): The ID of the case.
alert_group_identifiers (List[str], required): Identifiers for the alert groups.
target_entities (List[TargetEntity], optional, default=[]): Optional list of specific target entities (Identifier, EntityType) to run the action on.
scope (str, optional, default=“All entities”): Defines the scope for the action.

`sentinel_one_get_events_for_endpoint_by_time`¶

Get all events related to an endpoint

Parameters:

case_id (str, required): The ID of the case.
alert_group_identifiers (List[str], required): Identifiers for the alert groups.
hours_back (str, required): How match time back fetch events from.
events_amount_limit (str, required): Events amount limit.
target_entities (List[TargetEntity], optional, default=[]): Optional list of specific target entities (Identifier, EntityType) to run the action on.
scope (str, optional, default=“All entities”): Defines the scope for the action.

`sentinel_one_enrich_endpoint`¶

Enrich endpoint entity with its system information

Parameters:

case_id (str, required): The ID of the case.
alert_group_identifiers (List[str], required): Identifiers for the alert groups.
target_entities (List[TargetEntity], optional, default=[]): Optional list of specific target entities (Identifier, EntityType) to run the action on.
scope (str, optional, default=“All entities”): Defines the scope for the action.

`sentinel_one_initiate_full_scan`¶

Initiate full disk scan on an endpoint

Parameters:

case_id (str, required): The ID of the case.
alert_group_identifiers (List[str], required): Identifiers for the alert groups.
target_entities (List[TargetEntity], optional, default=[]): Optional list of specific target entities (Identifier, EntityType) to run the action on.
scope (str, optional, default=“All entities”): Defines the scope for the action.

`sentinel_one_ping`¶

Test Connectivity

Parameters:

case_id (str, required): The ID of the case.
alert_group_identifiers (List[str], required): Identifiers for the alert groups.
target_entities (List[TargetEntity], optional, default=[]): Optional list of specific target entities (Identifier, EntityType) to run the action on.
scope (str, optional, default=“All entities”): Defines the scope for the action.

`sentinel_one_get_system_version`¶

Get SentinelOne system version

Parameters:

case_id (str, required): The ID of the case.
alert_group_identifiers (List[str], required): Identifiers for the alert groups.
target_entities (List[TargetEntity], optional, default=[]): Optional list of specific target entities (Identifier, EntityType) to run the action on.
scope (str, optional, default=“All entities”): Defines the scope for the action.

`sentinel_one_get_agent_status`¶

Get agent’s current status (active/inactive)

Parameters:

case_id (str, required): The ID of the case.
alert_group_identifiers (List[str], required): Identifiers for the alert groups.
target_entities (List[TargetEntity], optional, default=[]): Optional list of specific target entities (Identifier, EntityType) to run the action on.
scope (str, optional, default=“All entities”): Defines the scope for the action.

`sentinel_one_get_process_list_for_endpoint`¶

Get process list by an endpoint

Parameters:

case_id (str, required): The ID of the case.
alert_group_identifiers (List[str], required): Identifiers for the alert groups.
target_entities (List[TargetEntity], optional, default=[]): Optional list of specific target entities (Identifier, EntityType) to run the action on.
scope (str, optional, default=“All entities”): Defines the scope for the action.

`sentinel_one_reconnect_agent_to_the_network`¶

Reconnect a disconnected agent to the network

Parameters:

case_id (str, required): The ID of the case.
alert_group_identifiers (List[str], required): Identifiers for the alert groups.
target_entities (List[TargetEntity], optional, default=[]): Optional list of specific target entities (Identifier, EntityType) to run the action on.
scope (str, optional, default=“All entities”): Defines the scope for the action.

`sentinel_one_get_application_list_for_endpoint`¶

Get a list of applications by endpoint (host or IP address)

Parameters:

case_id (str, required): The ID of the case.
alert_group_identifiers (List[str], required): Identifiers for the alert groups.
target_entities (List[TargetEntity], optional, default=[]): Optional list of specific target entities (Identifier, EntityType) to run the action on.
scope (str, optional, default=“All entities”): Defines the scope for the action.

`sentinel_one_get_hash_reputation`¶

Get hash reputation by SHA1

Parameters:

case_id (str, required): The ID of the case.
alert_group_identifiers (List[str], required): Identifiers for the alert groups.
target_entities (List[TargetEntity], optional, default=[]): Optional list of specific target entities (Identifier, EntityType) to run the action on.
scope (str, optional, default=“All entities”): Defines the scope for the action.

`sentinel_one_update_exclusion_list_add_path`¶

Add a path to an existing exclusion list (Note - OS can be: Windows, OSX, Linux or Android)

Parameters:

case_id (str, required): The ID of the case.
alert_group_identifiers (List[str], required): Identifiers for the alert groups.
list_name (str, required): Exclusion list name.
path (str, required): Path to add to the list.
operation_system (str, required): Operation system, can be: windows, osx, linux or android.
target_entities (List[TargetEntity], optional, default=[]): Optional list of specific target entities (Identifier, EntityType) to run the action on.
scope (str, optional, default=“All entities”): Defines the scope for the action.

SentinelOne SOAR Integration¶

Overview¶

Tools¶

sentinel_one_get_system_status¶

sentinel_one_disconnect_agent_from_network¶

sentinel_one_get_events_for_endpoint_by_time¶

sentinel_one_enrich_endpoint¶

sentinel_one_initiate_full_scan¶

sentinel_one_ping¶

sentinel_one_get_system_version¶

sentinel_one_get_agent_status¶

sentinel_one_get_process_list_for_endpoint¶

sentinel_one_reconnect_agent_to_the_network¶

sentinel_one_get_application_list_for_endpoint¶

sentinel_one_get_hash_reputation¶

sentinel_one_update_exclusion_list_add_path¶

`sentinel_one_get_system_status`¶

`sentinel_one_disconnect_agent_from_network`¶

`sentinel_one_get_events_for_endpoint_by_time`¶

`sentinel_one_enrich_endpoint`¶

`sentinel_one_initiate_full_scan`¶

`sentinel_one_ping`¶

`sentinel_one_get_system_version`¶

`sentinel_one_get_agent_status`¶

`sentinel_one_get_process_list_for_endpoint`¶

`sentinel_one_reconnect_agent_to_the_network`¶

`sentinel_one_get_application_list_for_endpoint`¶

`sentinel_one_get_hash_reputation`¶

`sentinel_one_update_exclusion_list_add_path`¶