Skip to main content
Skip table of contents

SentinelOne

LAST UPDATED: 05/30/2024

Overview

SentinelOne delivers autonomous endpoint protection that prevents, detects, and responds to attacks across all major vectors. SentinelOne is an enterprise security platform that provides threat detection, hunting, and response features that enable organizations to discover vulnerabilities and protect IT operations.

D3 SOAR is providing REST operations to function with SentinelOne.

SentinelOne is available for use in:

D3 SOAR

V14.5.0+

Category

Endpoint Security

Deployment Options

Option II, Option IV

Known Limitations

Different calls in the API have specific rate limits. If a limit is hit, you can see an error message: HTTP 429 Too Many Requests.

API Rate Limits:

  • /web/api/v2.1/users/login - 1 call a second for each different IP address that communicates with the Console

  • /web/api/v2.1/update/agent/download/{package_id} - 2 calls a minute for each different user token

  • /web/api/v2.1/update/agent/download/{site_id}/{package_id} - 2 calls a minute for each user token

  • /web/api/v2.1/dv/init-query - 1 call a minute for each different user token

  • /web/api/v2.1/dv/query-status - 1 call a second for each different user token

  • /web/api/v2.1/system/status/cache - 1 call a second for each IP address that communicates with the Console

  • /web/api/v2.1/system/status/db - 1 call a second for each IP address that communicates with the Console

  • /web/api/v2.1/system/status - 1 call a second for each IP address that communicates with the Console

Please refer to SentinelOne API Rate Limits for detailed information.

Connection

To connect to SentinelOne from D3 SOAR, please follow this part to collect the required information below:

Parameter

Description

Example

Server URL

The URL of the SentinelOne server.

https://usea1-partners.sentinelone.net

API Token

The API token for authentication.

JnHs************************************ug5S

API Version

The version of the APIs.

v2.1

Permission Requirements

Each endpoint in the SentinelOne API requires a certain permission scope. The following are required scopes for the commands in this integration:

Command

Required Permission

Role Scope

Activate Star Custom Rules

Default Role (see Test Connection)

STAR Custom Rules

View + Manage

Add Notes To Threats

Default Role (see Test Connection)

Endpoint Threats

View + Update Incident Status

Add Threat To Blacklist

Default Role (see Test Connection)

Blocklist

View + Create

Block Hash

Default Role (see Test Connection)

Blocklist

View + Create

Block Remote Hosts

Global admin

Tenant permission is needed if set the Tenant parameter to true

Broadcast Message

Default Role (see Test Connection)

Endpoints

View + Send Message

Collect Files

Default Role (see Test Connection)

Endpoints

View + File Fetch

Activity

View

Connect Agent To Network

Default Role (see Test Connection)

Endpoints

View + Reconnect to Network

Create Exclusion

Default Role (see Test Connection)

Exclusions

View + Create

Create Group

Default Role (see Test Connection)

Groups

View + Create

Create IOC

Default Role (see Test Connection)

Threat Intelligence

View + Manage

Create Power Query

Default Role (see Test Connection)

SDL Query API (Previously Skylight)

View

Create Query

Default Role (see Test Connection)

SDL Search (Previously Skylight)

View

Create Star Custom Rule

Default Role (see Test Connection)

Endpoints

View + Disconnect From Network

Endpoint Threats

View + Mark Threat + Mark Suspicious

STAR Custom Rules

View + Manage

Delete Exclusions

Default Role (see Test Connection)

Exclusions

View + Delete

Delete Group

Default Role (see Test Connection)

Groups

View + Delete

Delete IOCs

Default Role (see Test Connection)

Threat Intelligence

View + Manage

Delete Star Custom Rules

Default Role (see Test Connection)

STAR Custom Rules

View + Manage

Disable Star Custom Rules

Default Role (see Test Connection)

STAR Custom Rules

View + Manage

Disconnect Agent From Network

Default Role (see Test Connection)

Endpoints

View + Disconnect From Network

Download Files

Default Role (see Test Connection)

Activity

View

Download Threat Files

Default Role (see Test Connection)

Activity

View

Fetch Event (Event Source = Threat)

Default Role (see Test Connection)

Endpoint Threats

View

Fetch Event (Event Source = Alert)

Default Role (see Test Connection)

STAR Rule Alerts

View

Fetch Files

Default Role (see Test Connection)

Endpoints

View + File Fetch

Fetch Threat File

Default Role (see Test Connection)

Endpoint Threats

View + Fetch Threat File

Get Account Policy

Default Role (see Test Connection)

Endpoint Policy

View

Get Activities

Default Role (see Test Connection)

Activity

View

Get Agent Applications

Default Role (see Test Connection)

Endpoints

View + Show Applications

Get Agent Info

Default Role (see Test Connection)

Endpoints

View

Get Agent Process

Default Role (see Test Connection)

Agent Packages

View

Get Alerts

Default Role (see Test Connection)

STAR Rule Alerts

View

Get Black List

Default Role (see Test Connection)

Blocklist

View

Get Events by Query ID and Type

Default Role (see Test Connection)

SDL Search (Previously Skylight)

View

Get Exclusions

Default Role (see Test Connection)

Exclusions

View

Get Global Policy

Default Role (see Test Connection)

Endpoint Policy

View

Get Groups

Default Role (see Test Connection)

Get Hash Reputations

Default Role (see Test Connection)

Blocklist

View

Get Query Status

Default Role (see Test Connection)

SDL Search (Previously Skylight)

View

Get Script Results

Default Role (see Test Connection)

RemoteOps

View

Get Scripts

Default Role (see Test Connection)

RemoteOps

View

Get Script Task Status

Default Role (see Test Connection)

RemoteOps

View

Get Sites

Default Role (see Test Connection)

Get Star Custom Rules

Default Role (see Test Connection)

STAR Custom Rules

View

Get System Info

Default Role (see Test Connection)

Get System Status

Default Role (see Test Connection)

Get Threat

Default Role (see Test Connection)

Endpoint Threats

View

Get Threat Analysis

Default Role (see Test Connection)

Endpoint Threats

View

Get Threat Events

Default Role (see Test Connection)

Endpoint Threats

View

Initiate Scan

Default Role (see Test Connection)

Endpoints

View + Endpoints Initiate Scan

Kill Processes

Default Role (see Test Connection)

Endpoint Threats

View + Update Analyst Verdict

Threat Actions

Kill

List Accounts

Default Role (see Test Connection)

List Agents

Default Role (see Test Connection)

Endpoints

View

List IOCs

Default Role (see Test Connection)

Threat Intelligence

View

Mark As Threat

Default Role (see Test Connection)

Endpoint Threats

View + Mark Threat

Mitigate Threats

Default Role (see Test Connection)

Endpoint Threats

View + Update Analyst Verdict + Unquarantine

Threat Actions

Rollback + Remediate + Quarantine + Kill

Move Agents

Default Role (see Test Connection)

Groups

View + Edit

Move Agents Between Sites

Default Role (see Test Connection)

Endpoints

View + Move To Another Site

Ping Power Query

Default Role (see Test Connection)

SD Search (Previously Skylight)

View

Quarantine Files

Default Role (see Test Connection)

Endpoints Threats

View + Update Analyst Verdict

Threat Actions

Quarantine + Kill

Quarantine Host

Default Role (see Test Connection)

Groups

View + Edit

Endpoints

View

Query

Default Role (see Test Connection)

SDL Search (Previously Skylight)

View

SDL Query API (Previously Skylight)

View

SDL API Keys (Previously Skylight)

View + Manage

Remove Items In Blacklist

Default Role (see Test Connection)

Blacklist

View + Edit

Resolve Threat

Default Role (see Test Connection)

Endpoints

View

Endpoint Threats

View

Restart Endpoints

Default Role (see Test Connection)

Endpoints

View + Reboot

Rollback Remediation

Default Role (see Test Connection)

Endpoint Threats

View + Update Analyst Verdict

Threat Actions

Rollback + Remediate + Quarantine + Kill

Run Script

Default Role (see Test Connection)

RemoteOps

View

Set Customer ID

Default Role (see Test Connection)

Endpoints

View + Endpoints Set Customer Identifier

Shutdown Endpoints

Default Role (see Test Connection)

Endpoints

View + Shut Down

Update Account Policy

Default Role (see Test Connection)

Endpoints Policy

View + Edit

Update Alert Analyst Verdict

Default Role (see Test Connection)

STAR Rule Alerts

View + Update Analyst Verdict

Update Alert Incident Status

Default Role (see Test Connection)

STAR Rule Alerts

View + Update Incident Status

Update Alert Verdict

Default Role (see Test Connection)

STAR Rule Alerts

View + Update Analyst Verdict

Update Threat Analyst Verdict

Default Role (see Test Connection)

Endpoint Threats

View + Update Analyst Verdict

Update Exclusion

Default Role (see Test Connection)

Exclusions

View + Edit

Update Global Policy

Global Admin

Update Incident Status

Default Role (see Test Connection)

Endpoint Threats

View + Update Incident Status

Update Star Custom Rule

Default Role (see Test Connection)

STAR Custom Rules

View + Manage

Update Threat Incident

Default Role (see Test Connection)

Endpoint Threats

View + Update Analyst Verdict + Update Incident Status

Test Connection

Account

View

Groups

View

Roles

View

Site

View

As SentinelOne is using role-based access control (RBAC), the API access token is generated based on a specific user account and the application. Therefore, the command permissions are inherited from the user account’s role. Users need to configure their user profile from the SentinelOne console for each command in this integration.

Custom role has Account, Groups, Roles, Site permission with View scope as default. You cannot remove these permissions.

Configuring SentinelOne to Work with D3 SOAR

  1. Log in to the SentinelOne portal with your credentials.

  2. Input the 2FA verification code if you have enabled Two-Factor Authentication.

  3. Click the username located on the top right corner, then click My User.

  4. Under Options, click Generate to create an API Token if you have not already created one.

READER NOTE

You may experience issues when generating API Token. Please refer to FAQ Why is the Generate API token option not enabled? for potential solutions.

  1. Click Copy to copy the API token for later use to build the D3 SOAR connection.

READER NOTE

You will only be able to see the token once. Store the token in a secure location for future reference. If you lose the token in the future, you will have to generate a new one.

How to Create a New Role

  1. On the left sidebar menu, click Settings.

  2. On the top menu, click Users, then select Roles. Under Actions, click New Role.

  3. Enter a Role Name, and a Description (optional).

  4. Use the left permissions category menu to find and select permissioins to allow for the role. See Permissions Requirements for a list of required permissions.

  5. Click Save after selecting the desired permissions to allow for the role to confirm the configuration.

  6. Select Users located on the left. Click Actions > New User. The Select Scope of Access window will appear. Under Access, select the desired Account or Site, and select the role you have created. Click Create User.

  7. You can use the created user with limited access to generate an API key using the previous steps to build a connection with D3 SOAR.

READER NOTE

The created user must set up 2FA. Without setting up 2FA, they cannot log in or generate any API tokens. You can set up 2FA by selecting your created user, then navigating to Actions > 2FA Settings.

Configuring D3 SOAR to Work with SentinelOne

  1. Log in to D3 SOAR.

  2. Find the SentinelOne integration.

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type SentinelOne in the search box to find the integration, then click it to select it.

    4. Click + Connection, on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to SentinelOne.

    1. Connection Name: The desired name for the connection.

    2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.

    4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): Add your desired description for the connection.

    6. Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.

    7. Configure User Permissions: Defines which users have access to the connection.

    8. Active: Check the tick box to ensure the connection is available for use.

    9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
      1. Input your domain level Server URL.
      2. Input your API Token.
      3. Input the API Version. The default value is v1.

    10. Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
      To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.

    11. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.

  4. Test the connection.

    1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.

    2. Click OK to close the alert window.

    3. Click + Add to create and add the configured connection.

Commands

SentinelOne includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the SentinelOne API, please refer to the SentinelOne API reference.

READER NOTE

Certain permissions are required for each command. Please refer to the Permission Requirements and Configuring SentinelOne to Work with D3 SOAR for details.

Note for Time-related parameters

The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands is different from what you see. To set your preferred time format, follow these steps:

  1. Navigate to Configuration > Application Settings. Select Date/Time Format.

  2. Choose your desired date and time format.

After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.

Activate Star Custom Rules

Activates star custom rules based on a filter.

READER NOTE

Account IDs, Site IDs, Group IDs and Rule IDs are optional parameters to run this command.

  • Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.

  • Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.

  • Run the Get Groups command to obtain Group IDs. Group IDs can be found in the raw data at the path $.data.id.

  • Run the Get Star Custom Rules command to obtain Rule IDs. Rule IDs can be found in the raw data at the path $.data[*].id.

Although all parameters are optional, you have to define at least one parameter to filter.

Input

Input Parameter

Required/Optional

Description

Example

Account IDs

Optional

The account IDs to filter. Account IDs can be obtained using the List accounts command.

["131********791"]

Site IDs

Optional

The site IDs to filter. Site IDs can be obtained using the Get sites command.

["174********138"]

Group IDs

Optional

The group IDs to filter. Group IDs can be obtained using the Get groups command.

["151********497"]

Rule IDs

Optional

The star custom rule IDs to filter. Rule IDs can be obtained using the Get Star Custom Rules command.

["174********052"]

Creator

Optional

The free-text filter by rule creator.

["w**"]

Name

Optional

The free-text filter by rule name.

["test"]

Status

Optional

The status of rules to filter. The available inputs are Activating, Active, Deleted, Deleting, Disabled, Disabling and Draft.

["Active"]

Query

Optional

The free-text filter by S1 query.

["test"]

Query Type

Optional

Retrieves the rules with the filtered type. The available inputs are events and processes.

["events"]

Expired

Optional

Whether the rule is expired or not.

Not Expired

s1ql

Optional

The free-text filter by S1 query.

["AgentName IS NOT EMPTY"]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": {
        "affected": 1
    }
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Activate Star Custom Rules failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Could not find rule with id: {'scope_id__in': [xxx]}.

Error Sample Data

Activate Star Custom Rules failed.

Status Code: 404.

Message: Could not find rule with id: {'scope_id__in': [xxx]}.

Add Notes To Threats

Adds a threat note to multiple threats.

Input

Input Parameter

Required/Optional

Description

Example

Filter

Required

The filtering options used to manage the list of threats to add notes to. It is possible to use any combination of filters to refine the list. Please refer to https://usea1-partners.sentinelone.net/api-doc/api-details?category=threat-notes=add-note-to-multiple for more information on filters.

{
"computerName__contains": [
"DESKTOP-H****D3"
],
"analystVerdicts": [
"suspicious"
]
}

Note Text

Required

The text of the threat note to input.

Test Notes for suspicious threats 0421

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": {
        "affected": 10
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "AffectedThreats": 10 
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Add Notes To Threats failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Invalid user input received. See error details for further information.

Error Sample Data

Add Notes To Threats failed.

Status Code: 400.

Message: Invalid user input received. See error details for further information.

Add Threat To Blacklist

Blacklists threats based on the specified target scope (Global, Account, Site or Group).

READER NOTE

Collection IDs and Site ID are required parameters to run this command.

  • Run the Get threat command to obtain Collection IDs. Collection IDs can be found in the raw data at the path $.data.threatInfo.collectionId.

  • Run the Get Sites command to obtain Site ID. Site IDs can be found in the raw data at the path $.data.agentDetectionInfo.siteId.

  • Please note that the collection ID and site ID must come from the same threat, meaning they should be under the same threat object. Obtain the pair of values by running the Get Threat command.

Input

Input Parameter

Required/Optional

Description

Example

Collection IDs

Required

The list of threat collection ID(s). Collection IDs can be obtained using the Get Threat command.

[

"947********369",

"752********846"

]

Site ID

Required

The site ID related to the threat. Site ID can be obtained using the Get Sites command.

947********671

Description

Optional

The description for the process.

Add threat to blacklist

Target Scope

Required

The target scope of the agent. Available options include group, site, and account. Please note this field is case-sensitive, only lowercase letters are accepted.

group

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
[
    {
        "data": {
            "affected": 2
        }
    },
    {
        "data": {
            "affected": 2
        }
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the $.data path from the returned raw data.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "affected": 2
    },
    {
        "affected": 2
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "Threat id": [
        "947********369",
        "752********846"
    ],
    "Block Ids": [
          "950*******869",
          "950********442"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Add Threat To Blacklist failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Add threat:xxx failed. Messages: {\"data\":{\"affected\":0}.

Error Sample Data

Add Threat To Blacklist failed.

Status Code: 400.

Message: Add threat:xxx failed. Messages: {\"data\":{\"affected\":0}.

Block Hash

Blocks threats by threat hashes.

READER NOTE

Site ID is a required parameter to run this command.

  • Run the Get Sites command to obtain Site ID. Site IDs can be found in the raw data at the path $.data.sites.id.

Please note that only SHA-1 hashes are accepted for this command. Existing hashes in the system cannot be blocked again. Otherwise, the error message “Hash XXX already exists” will return.

To get SHA-1 hashes from D3 SOAR, it is recommended to use the Get Hash Value utility command to obtain the Input String. Please follow the steps below:

  1. Select your desired site

  2. Input your desired search string

  3. Choose HashSHA1 for Hash Keys

  4. Click Test Command. The SHA-1 hash will return under Return Data. Copy and save this value to input for the Threat Hashes parameter.

Input

Input Parameter

Required/Optional

Description

Example

Threat Hashes

Required

The list of threat hashes to block.

[ "d25********225",

"a6d********d00"

]

OS Type

Required

The type of operating system of the Threat Hashes.

Windows

Site ID

Required

The site ID to filter. Site ID can be obtained using the Get Sites command.

[ "947********671" ]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
[
    {
        "data": [
            {
                "createdAt": "2020-08-05T00:26:35.632468Z",
                "description": null,
                "id": "950*******869",
                "osType": "windows",
                "scope": {
                    "siteIds": [
                        "947********671"
                    ]
                },
                "scopeName": "D3",
                "source": "user",
                "type": "black_hash",
                "updatedAt": "2020-08-05T00:26:35.632065Z",
                "userId": "947*******716",
                "userName": "Pul*** Sa***",
                "value": "d25********225"
            }
        ]
    },
    {
        "data": [
            {
                "createdAt": "2020-08-05T00:26:35.878623Z",
                "description": null,
                "id": "950********442",
                "osType": "windows",
                "scope": {
                    "siteIds": [
                        "947********671"
                    ]
                },
                "scopeName": "D3",
                "source": "user",
                "type": "black_hash",
                "updatedAt": "2020-08-05T00:26:35.878158Z",
                "userId": "947*******716",
                "userName": "Pul*** Sa***",
                "value": "a6d********d00"
            }
        ]
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the $.data path from the returned raw data.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
No Sample Data
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "Hashes": [
        "d25********225",
        "a6d********d00"
    ],
    "Block Ids": [
        "950*******869",
        "950********442"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Block Hash failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: "Hash 'a6d********d00' already exists"

Error Sample Data

Block Hash failed.

Status Code: 400.

Message: "Hash 'a6d********d00' already exists"

Block Remote Hosts

Creates a firewall control rule to block specified remote host(s).

READER NOTE

Account ID, Site ID, and Group ID are optional parameters to run this command.

  • Run the List Accounts command to obtain Account ID. Account ID can be found in the raw data at the path $.data[*].id.

  • Run the Get Sites command to obtain Site ID. Site ID can be found in the raw data at the path $.data.sites.id.

  • Run the Get Groups command to obtain Group IDs. Group IDs can be found in the raw data at the path $.data.id.

If the Tenant parameter is none or not specified, at least one of the following scopes must be specified: Account ID, Site ID, or Group ID.

Input

Input Parameter

Required/Optional

Description

Example

Rule Name

Required

The name of the Firewall Control Rule.

ruleAPI0405a26

Status

Optional

The rule is specified when Enabled. If not specified, the default value is Enabled.

Account ID

Optional

The Firewall Control rule is created for the specified account ID. Account ID can be obtained using the List Accounts command.

Site ID

Optional

The Firewall Control rule is created for the specified site ID. Site ID can be obtained using the Get Sites command.

947********671

Group ID

Optional

The Firewall Control rule is created for the specified group ID. Group ID can be obtained using the Get Groups command.

151********497

Tenant

Optional

The Firewall Control rule is created for the entire tenant if set to True. It is necessary to have tenant permission to be able to set this parameter to True. Please note, if Tenant is set to False or not specified, at least one scope must be specified: Account ID, Site ID or Group ID.

False

OS Types

Optional

The OS Types to which the rule applies. The available values are "windows", "macos" and "linux". If not specified, the default value is windows.

[ "windows", "macos", "linux" ]

Remote Host Type

Optional

The type of remote host(s). If not specified, the default type is Addresses.

CIDR

Remote Host Values

Required

The remote host value(s).The value(s) must match Remote Host Type.

[ "203.193.22.248/31" ]

Description

Optional

The description for the Firewall Control rule.

This is a test firewall control rule.

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": {
        "action": "Block",
        "application": {
            "type": "any",
            "values": []
        },
        "createdAt": "2024-04-06T00:57:36.017536Z",
        "creator": "Jon***** Y**",
        "creatorId": "138********959",
        "description": "This is a test firewall control rule.",
        "direction": "any",
        "editable": true,
        "id": "192********867",
        "localHost": {
            "type": "any",
            "values": []
        },
        "localPort": {
            "type": "any",
            "values": []
        },
        "location": {
            "type": "all",
            "values": []
        },
        "name": "rule*****23b",
        "order": 1,
        "osType": "macos",
        "osTypes": [
            "macos",
            "linux",
            "windows"
        ],
        "protocol": null,
        "remoteHost": {
            "type": "cidr",
            "values": [
                "203.193.**.***/**"
            ]
        },
        "remoteHosts": [
            {
                "type": "cidr",
                "values": [
                    "203.193.**.***/**"
                ]
            }
        ],
        "remotePort": {
            "type": "any",
            "values": []
        },
        "ruleCategory": "firewall",
        "scope": "account",
        "scopeId": "131********791",
        "status": "Enabled",
        "tag": "This is a test firewall control rule.",
        "tagIds": [],
        "tagNames": [],
        "tags": [],
        "updatedAt": "2024-04-06T00:57:36.015691Z"
    }
}
Key Fields

Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "RuleID": [
        "192********000"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Block Remote Hosts failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: BAD REQUEST

Error Sample Data

Block Remote Hosts failed.

Status Code: 400.

Message: BAD REQUEST

Broadcast Message

Sends a message through the Agents that users can see. This command is supported on Windows and macOS endpoints (not supported on Linux). The message is sent to all endpoints that match the filter and the message must be 140 characters or less.

READER NOTE

The parameter Group IDs is optional to run this command.

  • Run the Get Groups command to obtain Group IDs. Group IDs can be found in the raw data at the path $.data.id.

Input

Input Parameter

Required/Optional

Description

Example

Host Names Or Internal IPs

Optional

The name(s) or internal IP address(es) of the computer(s) to which the message is sent. Please note that you must enter either this parameter or Group IDs, or both.

[ "192.168.**.***", "lab*-p**" ]

Group IDs

Optional

The ID of the group to which the message is sent. Group IDs can be obtained using the Get Groups command. Please note that you must enter either this parameter or Host Names Or Internal IPs, or both.

[ "138********378" ]

Message

Required

The message to broadcast.

Computer Maintenance will start in one hour. FYI.

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "results": [
        {
            "filter": {
                "computerName__contains": [
                    "lab*-p**"
                ],
                "groupIds": [
                    "138********378"
                ]
            },
            "data": {
                "affected": 1
            }
        },
        {
            "filter": {
                "networkInterfaceInet__contains": [
                    "192.168.**.***"
                ],
                "groupIds": [
                    "138********378"
                ]
            },
            "data": {
                "affected": 1
            }
        }
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Broadcast Message failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Server could not process the request.

Error Sample Data

Broadcast Message failed.

Status Code: 400.

Message: Server could not process the request.

Collect Files

Collects the files from endpoints (up to 10 MB for each command) to analyze the root of threats and uploads them to the Management.

READER NOTE

Agent ID is a required parameter to run this command.

  • Run the List Agents command to obtain Agent ID. Agent IDs can be found in the raw data at the path $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Agent ID

Required

The agent ID of the endpoint for fetching files. Agent ID can be obtained using the List agent command.

139********432

File Paths

Required

The list of files to collect (absolute paths, up to 10 files).

[

"C:\\AtomicRedTeam\\atomics\\T1548.***\\bin\\ua***.zip",

"C:\\Windows\\System32\\WindowsPowerShell\\V1.0\\powershell.exe"

]

Password

Required

The new password to generate, which will be used to open the archive of downloaded files. It must be 10 or more characters long and contain a mix of upper and lower case letters, numbers, and symbols.

MySecret******!

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": [
        {
            "accountId": "131********791",
            "accountName": "D3 Security",
            "activityType": 81,
            "activityUuid": "fac********066",
            "agentId": "139********432",
            "agentUpdatedVersion": null,
            "comments": null,
            "createdAt": "2023-02-03T21:43:36.826869Z",
            "data": {
                "accountName": "D3 Security",
                "commandBatchUuid": "05d********92b",
                "computerName": "DESKTOP-H****D3",
                "externalIp": "216.251.***.***",
                "fullScopeDetails": "Group Default Group in Site site2 of Account D3 Security",
                "fullScopeDetailsPath": "Global / D3 Security / site2 / Default Group",
                "groupName": "Default Group",
                "groupType": "Manual",
                "ipAddress": null,
                "scopeLevel": "Group",
                "scopeName": "Default Group",
                "siteName": "site2",
                "username": "M** Hu***",
                "uuid": "cd8********661"
            },
            "description": null,
            "groupId": "138********378",
            "groupName": "Default Group",
            "hash": null,
            "id": "161********970",
            "osFamily": null,
            "primaryDescription": "The management user M** Hu*** initiated a fetch file command to the agent DESKTOP-H****D3 (216.251.***.***).",
            "secondaryDescription": null,
            "siteId": "138********161",
            "siteName": "site2",
            "threatId": null,
            "updatedAt": "2023-02-03T21:43:36.826875Z",
            "userId": "147********138"
        }
    ],
    "pagination": {
        "nextCursor": null,
        "totalItems": 1
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "CommandBatchUUIDs": [
        "05d********92b"
    ],
    "CreatedTime": [
        "2023-02-03T21:43:36.826869Z"
    ],
    "AgentIDs": [
        "139********432"
    ],
    "ActivityUUIDs": [
        "fac********066"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Collect Files failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The agent with ID *** is not found.

Error Sample Data

Collect Files failed.

Status Code: 404.

Message: The agent with ID *** is not found.

Connect Agent To Network

Reconnects (unquarantine) quarantined agent(s) to the network matching the defined filter. If neither input parameters are defined, all applicable agents will be reconnected.

READER NOTE

The parameter Agent IDs is optional to run this command.

  • Run the List Agents command to obtain Agent IDs. Agent IDs can be found in the raw data at the path $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Agent IDs

Optional

The IDs of the agents to reconnect to the network. Agent IDs can be obtained using the List Agents command.

[ "139********392" ]

Filter

Optional

The applied filter ensures that only matched agents will be affected by the requested action. Leave this field empty to apply the action to all applicable agents. Please refer to https://usea1-partners.sentinelone.net/api-doc/api-details?category=agent-actions=connect-to-network under body schema for more information about the filter syntax.

{ "computerName":"DESKTOP-6KJ****"

}

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": {
        "affected": 1
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "AffectedAgents": [
        "1"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Connect Agent To Network failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: User has insufficient permissions to perform the requested action.

Error Sample Data

Connect Agent To Network failed.

Status Code: 403.

Message: User has insufficient permissions to perform the requested action.

Create Exclusion

Creates exclusion(s) to instruct your agents to suppress alerts and mitigation for items that you consider to be benign or necessary for interoperability.

READER NOTE

Account IDs, Site IDs and Group IDs are optional parameters to run this command.

  • Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.

  • Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.

  • Run the Get Groups command to obtain Group IDs. Group IDs can be found in the raw data at the path $.data.id.

  • At least one of the Account IDs, Site IDs or Group IDs is required.

Input

Input Parameter

Required/Optional

Description

Example

Type

Required

The type of exclusion item.

Path

Operation System

Required

The operation system.

Windows Legacy

Value

Required

The valid values depend on the item type chosen.

C:\"Windows\"saas\"

Description

Optional

The description to be added to the created exclusion.

Test description

Mode

Optional

The exclusion mode which is restricted to Path only for the selected Type parameter.

Suppress Alerts

Path Exclusion Type

Optional

The excluded path for a path exclusion list. The available options are file, folder, subfolders.

subfolders

Account IDs

Optional

The account IDs for exclusion. Account IDs can be obtained using the List Accounts command. Please note that at least one of the account IDs, group IDs, or site IDs is required.

["131********791"]

Site IDs

Optional

The site IDs for exclusion. Site IDs can be obtained using the Get Sites command. Please note that at least one of account IDs, group IDs or site IDs is required.

["174********138"]

Group IDs

Optional

The group IDs for exclusion. Group IDs can be obtained using the Get Groups command. Please note that at least one of account IDs, group IDs or site IDs is required.

["151********497"]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": [
        {
            "actions": [
                "upload",
                "detect"
            ],
            "createdAt": "2023-08-10T23:26:52.141524Z",
            "description": "Test description",
            "id": "174********916",
            "inject": true,
            "mode": "suppress",
            "notRecommended": "NONE",
            "osType": "windows",
            "pathExclusionType": "subfolders",
            "scope": {
                "groupIds": [
                    "151********497"
                ]
            },
            "scopeName": "testGroupCustom2",
            "source": "user",
            "type": "path",
            "updatedAt": "2023-08-10T23:26:52.135176Z",
            "userId": "147********138",
            "userName": "M** Hu***",
            "value": "C:\"Windows\"saas\""
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ExclusionIDs": [
        "174********916"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Exclusion failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: User does not have required permissions.

Error Sample Data

Create Exclusion failed.

Status Code: 403.

Message: User does not have required permissions.

Create Group

Creates a new group. You must create the Group in a Site (run the Get Sites command to obtain Site IDs) you have permission to.

READER NOTE

Site ID is a required parameter to run this command.

  • Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.

Input

Input Parameter

Required/Optional

Description

Example

Name

Required

The name of the new group.

D3*****5

Site ID

Required

The site ID of the site to which the group will be added. Site ID can be obtained using the Get Sites command.

947********671

Inherits

Required

The indication of whether the group will inherit the site policy or not.

True

Policy

Optional

The group policy to inherit if the Inherits parameter is set to False. Note: This parameter is required only if the Inherits parameter is set to False. If the Inherits parameter is set to True, any input value will be ignored. Please refer to https://usea1-partners.sentinelone.net/api-doc/api-details?category=groups=create-group to see available fields.

{

"mitigationMode": "detect",

"autoImmuneOn": true,

"agentUiOn": true

}

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": {
        "createdAt": "2020-08-06T01:02:56.881074Z",
        "creator": "Pul*** Sa***",
        "creatorId": "947*******716",
        "filterId": null,
        "id": "951********939",
        "isDefault": false,
        "name": "D3*****5",
        "rank": null,
        "registrationToken": "eyJ********In0=",
        "siteId": "947********671",
        "type": "static",
        "updatedAt": "2020-08-06T01:02:56.880109Z"
    }
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Conetxt Data by extracting the data from path $.data in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
No Sample Data
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "GroupId": [
        "951********900"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Group failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Not a valid Identifier.

Error Sample Data

Create Group failed.

Status Code: 400.

Message: Not a valid Identifier.

Create IOC

Creates an IOC to the Threat Intelligence database.

READER NOTE

The parameter Account IDs is optional to run this command.

  • Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Account IDs

Optional

The List of account IDs. Account IDs can be obtained using the List Accounts command.

[ "131********791" ]

Source

Required

The source of the identified Threat Intelligence indicator. For example, "AlienVault".

AlienVault

Type

Required

The type of the Threat Intelligence indicator. The available types include: IPv4, IPv6, MD5, SHA1, SHA256, URL and DNS.

IPv4

IOC Value

Required

The value of the Threat Intelligence indicator. For example, "175.45.***.*".

175.45.***.*

Name

Optional

The name of the Threat Intelligence indicator.

test***1

Description

Optional

The description of the Threat Intelligence indicator.

test description

Valid Until

Optional

The expiration date for the Threat Intelligence indicator. If this parameter is left blank, by default it will be the upload date plus a default offset value:

  • 14 days for IPs

  • 90 days for URLs and domains

  • 180 days for file hashes (SHA1, SHA256, and MD5)

The maximum offset values allowed are:

  • 30 days for IPs

  • 180 days for URLs and Domains

  • 180 days for hashes (SHA1, SHA256, and MD5)

If the expiration date is later than the upload date plus the maximum offset value allowed, it will be adjusted to the upload date plus the maximum offset value allowed.

2023-08-20 00:00

Mitre Tactics

Optional

The MITRE Tactic(s) associated with the IOC.

[ "TA0001" ]

External ID

Optional

The unique identifier of the indicator as provided by the Threat Intelligence source.

123456

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "pagination": {
        "nextCursor": "YWd********DE=",
        "totalItems": 580
    },
    "data": [
        {
            "method": "EQUALS",
            "patternType": "string",
            "creationTime": "2018-02-27T04:49:26.257525Z",
            "description": "string",
            "threatActors": [
                {
                    "type": "string"
                }
            ],
            "validUntil": "2018-02-27T04:49:26.257525Z",
            "category": [
                {
                    "type": "string",
                    "x-nullable": true,
                    "description": "The categories of the Threat Intelligence indicator, e.g.  the malware type associated with the IOC"
                }
            ],
            "externalId": "string",
            "name": "string",
            "batchId": "string",
            "updatedAt": "2018-02-27T04:49:26.257525Z",
            "value": "string",
            "creator": "string",
            "scopeId": "225********804",
            "intrusionSets": [
                {
                    "type": "string"
                }
            ],
            "pattern": "string",
            "type": "DNS",
            "mitreTactic": [
                {
                    "type": "string"
                }
            ],
            "uploadTime": "2018-02-27T04:49:26.257525Z",
            "reference": [
                {
                    "type": "string",
                    "x-nullable": true,
                    "description": "External reference associated with the Threat Intelligence indicator"
                }
            ],
            "source": "string",
            "uuid": "string",
            "metadata": "string",
            "scope": "global"
        }
    ],
    "errors": [
        {
            "type": "object"
        }
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create IOC failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Invalid user input received. See error details for further information.

Error Sample Data

Create IOC failed.

Status Code: 400.

Message: Invalid user input received. See error details for further information.

Create Power Query

Starts a Deep Visibility Power Query, get back status and potential results. If the query status is not FINISHED, please use Ping Power Query afterwards to get query result.

READER NOTE

Account IDs and Site IDs are optional parameters to run this command.

  • Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.

  • Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.

Input

Input Parameter

Required/Optional

Description

Example

Start Time

Required

The start time (in UTC Time) of the time range for querying events that were created after the specified start time.

2023-05-20 00:00

End Time

Required

The end time (in UTC Time) of the time range for querying events that were created before the specified end time.

2023-06-02 00:00

Limit

Optional

The maximum number of items to return. A valid value is an integer between 1 and 100,000. The API default maximum limit is 20,000. Consult SentinelOne contact could increase the limit to maximum 100,000.

10

Query

Required

The queries to filter events. Please refer to Query Syntax in the Knowledge Base (support.sentinelone.com) or the Console Help. Please refer to https://assets.sentinelone.com/c/sentinel-one-dv-chea-2?x=u6040P for the field name syntax, or you can refer to PowerQuery Brings New Data Analytics Capabilities to Singularity XDR for power query samples.

event.time = * | columns eventTime = event.time, agentUuid = agent.uuid, siteId = site.id

Account IDs

Optional

The account IDs to create power query. Account ID can be obtained using the List Accounts command.

[ "131********791" ]

Site IDs

Optional

The valid site IDs to create power query. You can obtain the Site ID and check the site state using the Get Sites command.

[ "160********576" ]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": {
        "columns": [
            {
                "name": "eventTime",
                "type": "UNKNOWN"
            },
            {
                "name": "agentUuid",
                "type": "UNKNOWN"
            },
            {
                "name": "siteId",
                "type": "UNKNOWN"
            }
        ],
        "data": [],
        "externalId": "{\"lrqToken\":\"ea1********a56\",\"target\":\"__E1__7ik**8/rdk*******p2E-\"}",
        "progress": 100,
        "queryId": "pqc********b0a",
        "recommendations": [
            "Result set limited to 1000 rows by default. To display more rows, add a command like \"| limit 10000\"."
        ],
        "status": "FINISHED"
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "QueryID": [
        "pqc********b0a"
    ],
    "Status": [
        "FINISHED"
    ],
    "Progress": [
        "100"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Power Query failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Deep Visibility currently retains data for 14 days, to increase your data retention, please contact S1.

Error Sample Data

Create Power Query failed.

Status Code: 400.

Message: Deep Visibility currently retains data for 14 days, to increase your data retention, please contact S1.

Create Query

Starts a Deep Visibility Query and returns a Query ID. For more about the complete query syntax, see Query Syntax in the Knowledge Base (support.sentinelone.com) or the Console Help. Note: The API rate limit is 1 call per minute for each unique user token.

Input

Input Parameter

Required/Optional

Description

Example

Start Time

Required

The start time (in UTC Time) of the time range for initiating the query.

2022-09-18 00:00

End Time

Required

The end time (in UTC Time) of the time range for initiating the query.

2022-09-19 00:00

Limit

Optional

The maximum number of returned items. A valid value is an integer between 1 and 100000. Up to 100000 results will be returned if this field is left empty.

10

Query

Required

The queries to filter events. Please refer to Query Syntax in the Knowledge Base (https://support.sentinelone.com) or the Console Help for complete query syntax. Please also refer to the https://assets.sentinelone.com/c/sentinel-one-dv-chea-2?x=u6040P for the syntax of the field names.

processImagePath CONTAINS "svchost.exe"

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": {
        "queryId": "q93*******1dd",
        "queryModeInfo": {
            "mode": "presto"
        }
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "QueryID": [
        "q93*******1dd"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Query failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request - could not parse query.

Error Sample Data

Create Query failed.

Status Code: 400.

Message: Bad Request - could not parse query.

Create Star Custom Rule

Creates a Custom Detection Rule by a specified scope.

READER NOTE

Account IDs, Site IDs and Group IDs are optional parameters to run this command.

  • Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.

  • Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.

  • Run the Get Groups command to obtain Group IDs. Group IDs can be found in the raw data at the path $.data.id.

Input

Input Parameter

Required/Optional

Description

Example

Expiration Mode

Required

The expiration mode of the rule. The available options are Permanent or Temporary. When choosing Temporary, an expiration date is required to enter.

Temporary

Name

Required

The name of the star custom rule.

D3**Rule

Query Type

Required

Returns rules with the filtered type. The available options are Events and Processes.

Events

S1ql

Required

The query of the rule. For complete query syntax, see Query Syntax in the Knowledge Base (support.sentinelone.com) or the Console Help.

AgentName IS NOT EMPTY

Severity

Required

The severity level of the rule.

Low

Status

Required

The status of rules to filter.

Active

Description

Optional

The description of the rule.

Test description

Expiration Date

Optional

The expiration date of the rule. The expiration date must be within the next six months. Only input the expiration date when choosing temporary expiration mode.

2024-11-08 00:00

Network Quarantine

Optional

The indication of whether to enable network quarantine. If enabled, the system automatically quarantines the alerted endpoints.

Disable

Treat As Threat

Optional

Defines treat as threat auto response. If enabled, the Agent generates a threat from the alert and applies a selected policy.

Suspicious

Account IDs

Optional

The account IDs to filter. Account IDs can be obtained using the List Accounts command.

["131********791"]

Site IDs

Optional

The site IDs to filter. Site IDs can be obtained using the Get Sites command.

["174********138"]

Group IDs

Optional

The group IDs to filter. Group IDs can be obtained using the Get Groups command.

["151********497"]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": {
        "createdAt": "2023-08-11T21:58:51.650852Z",
        "creator": "mh****@d3security.com",
        "creatorId": "147********138",
        "description": "Test description",
        "expiration": "2024-01-11T00:00:00Z",
        "expirationMode": "Temporary",
        "expired": false,
        "id": "174********258",
        "name": "D3**Rule",
        "networkQuarantine": false,
        "queryLang": "1.0",
        "queryType": "events",
        "reachedLimit": false,
        "s1ql": "AgentName IS NOT EMPTY",
        "scope": "site",
        "scopeId": [
            "174********138"
        ],
        "severity": "Low",
        "status": "Activating",
        "statusReason": "Rule was activated by mh****@d3security.com and will become Active within an hour",
        "treatAsThreat": "Suspicious",
        "updatedAt": "2023-08-11T21:58:51.650170Z",
        "updaterId": "147********138"
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "RuleID": [
        "174********258"
    ],
    "RuleName": [
        "D3**Rule"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Star Custom Rule failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: This scope cannot have custom rules with Process State queries.

Error Sample Data

Create Star Custom Rule failed.

Status Code: 403.

Message: This scope cannot have custom rules with Process State queries.

Delete Exclusions

Deletes a list of all the Exclusions that match the filter.

READER NOTE

Account IDs, Site IDs, Group IDs and Exclusion IDs are optional parameters to run this command.

  • Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.

  • Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.

  • Run the Get Groups command to obtain Group IDs. Group IDs can be found in the raw data at the path $.data.id.

  • Run the Get Exclusions command to obtain Exclusion IDs. Exclusion IDs can be found in the raw data at the path $.data.id.

  • If no parameter is specified, all exclusions will be deleted.

Input

Input Parameter

Required/Optional

Description

Example

Type

Optional

The exclusion item type to filter.

Path

Operation System

Optional

The operation system to filter.

Linux

Account IDs

Optional

The account IDs to filter. Account IDs can be obtained using the List Accounts command.

["131********791"]

Site IDs

Optional

The site IDs to filter. Site IDs can be obtained using the Get Sites command.

["174********138"]

Group IDs

Optional

The group IDs to filter. Group IDs can be obtained using the Get Groups command.

["151********497"]

Exclusion IDs

Optional

The exclusion IDs to filter. Exclusion IDs can be obtained using the Get Exclusions command.

["174********364"]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": {
        "affected": 1
    }
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Delete Exclusions failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Not a valid Identifier.

Error Sample Data

Delete Exclusions failed.

Status Code: 400.

Message: Not a valid Identifier.

Delete Group

Deletes a Group given by the required Group ID. If there are Agents in the Group, and the Group is dynamic, the next dynamic Groups will collect matching Agents, and unmatched Agents will go to the Default Group. If this is a static or Pinned Group with Agents, all the Agents will go to the Default Group.

READER NOTE

There are three types of groups: Dynamic, Pinned and Static. To know your desired group type, run the Get Groups command.

  • Group IDs can be found in the raw data at the path $.data[*].id; Group Type can be found in the raw data at the path$.data[*].type.

If there are Agents in the Group:

  • Dynamic Group (Create an endpoint filter for this Group. All endpoints that match the filter automatically move to this Group, except for endpoints in Pinned Groups): the next dynamic Group will collect matching Agents, and unmatched Agents will go to the Default Group.

  • Static Group/Manual Group in UI (Select the endpoints that go in this Group. Endpoints move automatically from this Group to a Dynamic Group if they match a Dynamic Group filter): all the Agents will go to the Default Group.

  • Pinned Group (Select the endpoints that go in this Group. Endpoints are pinned to this Group and do not automatically move to other Groups): all the Agents will go to the Default Group.

Input

Input Parameter

Required/Optional

Description

Example

Group IDs

Required

The Group IDs to delete. Group IDs can be obtained using the Get Groups command.

[

"951********939",

"952********906"

]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
[
    {
        "data": {
            "success": true
        }
    },
    {
        "data": {
            "success": true
        }
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ids": [
        "951********939",
        "952********906"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Delete Group failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.

Error Sample Data

Delete Group failed.

Status Code: 404.

Message: The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.

Delete IOCs

Deletes IOC(s) from the Threat Intelligence database that matches a filter using the account ID and one other field.

READER NOTE

The parameter Account IDs is required to run this command.

  • Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Account IDs

Required

The list of Account IDs to delete. Account IDs can be obtained using the List Accounts command.

[ "131********791" ]

IOC Values

Optional

The value(s) of the Threat Intelligence indicator(s) to be deleted. Example: "175.45.***.*". Please note, you must input IOC Values or UUID, or both.

[ "175.45.***.*" ]

UUIDs

Optional

The unique ID(s) of the Threat Intelligence indicator(s) to delete. Please note, it is necessary to input IOC Values or UUID, or both.

IPv4

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "results": [
        {
            "filter": {
                "value": "175.45.***.*",
                "accountIds": [
                    "131********791"
                ]
            },
            "data": {
                "affected": 1
            }
        },
        {
            "filter": {
                "uuids": [
                    "UUID"
                ],
                "accountIds": [
                    "131********791"
                ]
            },
            "data": {
                "affected": 1
            }
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
No Sample Data
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Delete IOCs failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 4004.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.

Error Sample Data

Delete IOCs failed.

Status Code: 404.

Message: The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.

Delete Star Custom Rules

Deletes Custom Detection Rules that match a filter.

READER NOTE

Account IDs, Site IDs, Group IDs and Rule IDs are optional parameters to run this command.

  • Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.

  • Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.

  • Run the Get Groups command to obtain Group IDs. Group IDs can be found in the raw data at the path $.data.id.

  • Run the Get Star Custom Rules command to obtain Rule IDs. Rule IDs can be found in the raw data at the path $.data[*].id.

At least one parameter must be defined to filter.

Once the star custom rule is deleted, it will be removed from the rule list. The same rule cannot be deleted twice.

Input

Input Parameter

Required/Optional

Description

Example

Account IDs

Optional

The account IDs to filter. Account IDs can be obtained using the List Accounts command.

["131********791"]

Site IDs

Optional

The site IDs to filter. Site IDs can be obtained using the Get Sites command.

["174********138"]

Group IDs

Optional

The group IDs to filter. Group IDs can be obtained using the Get Groups command.

["151********497"]

Rule IDs

Optional

The star custom rule IDs to filter. Rule IDs can be obtained using the Get Star Custom Rules command.

["174********364"]

Creator

Optional

The free-text filter by rule creator.

["w**"]

Name

Optional

The free-text filter by rule name.

["test"]

Status

Optional

The status of rules to filter. Available options include: Activating, Active, Deleted, Deleting, Disabled, Disabling and Draft.

["Active"]

Query

Optional

The free-text filter by S1 query.

["test"]

Query Type

Optional

The return rules with the filtered type. Available options include: Events and Processes.

["events"]

Expired

Optional

Whether the rule is expired or not.

Not Expired

s1ql

Optional

The free-text filter by S1 query.

["AgentName IS NOT EMPTY"]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": {
        "affected": 1
    }
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Delete Star Custom Rules failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Could not find rule with id: {'id__in': [xxx], 'scope_id__in': [xxx]}.

Error Sample Data

Delete Star Custom Rules failed.

Status Code: 404.

Message: Could not find rule with id: {'id__in': [xxx], 'scope_id__in': [xxx]}.

Disable Star Custom Rules

Disable Custom Detection Rules based on a filter.

READER NOTE

Account IDs, Site IDs, Group IDs and Rule IDs are optional parameters to run this command.

  • Run the List Accounts command to obtain Account IDs. Account IDs can be found in the returned raw data at the path $.data[*].id.

  • Run the Get Sites command to obtain Site IDs. Site IDs can be found in the returned raw data at the path $.data.sites.id.

  • Run the Get Groups command to obtain Group IDs. Group IDs can be found in the returned raw data at the path $.data.id.

  • Run the Get Star Custom Rules to obtain Rule IDs. Rule IDs can be found in the returned raw data at the path $.data[*].id.

At least one parameter should be defined to filter.

Input

Input Parameter

Required/Optional

Description

Example

Account IDs

Optional

The account IDs to filter. Account IDs can be obtained using the List Accounts command.

["131********791"]

Site IDs

Optional

The site IDs to filter. Site IDs can be obtained using the Get Sites command.

["174********138"]

Group IDs

Optional

The group IDs to filter. Group IDs can be obtained using the Get Groups command.

["151********497"]

Rule IDs

Optional

The star custom rule IDs to filter. Rule IDs can be obtained using the Get Star Custom Rule command.

["174********364"]

Creator

Optional

The free-text filter by rule creator.

["w**"]

Name

Optional

The free-text filter by rule name.

["test"]

Status

Optional

The status of rules to filter. Available options includes Activating, Active, Deleted, Deleting, Disabled, Disabling and Draft.

["Active"]

Query

Optional

The free-text filter by S1 query.

["test"]

Query Type

Optional

The return rules with the filtered type. The available options are events and processes.

["events"]

Expired

Optional

Whether the rule is expired or not.

Not Expired

s1ql

Optional

The free-text filter by S1 query.

["AgentName IS NOT EMPTY"]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": {
        "affected": 1
    }
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Disable Star Custom Rules failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Could not find rule with id: {'id__in': xxx, 'scope_id__in': xxx}.

Error Sample Data

Disable Star Custom Rules failed.

Status Code: 404.

Message: Could not find rule with id: {'id__in': xxx, 'scope_id__in': xxx}.

Disconnect Agent From Network

Isolates (quarantines) endpoints from the network.

READER NOTE

The parameter Agent IDs is required to run this command.

  • Run the List Agents command to obtain Agent IDs. Agent IDs can be found in the raw data at the path $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Agent IDs

Optional

The IDs of the agents to disconnect from the network. Agent IDs can be obtained using the List Agents command.

[ "139********392" ]

Filter

Optional

The applied filter. When used, only matched Agents will be affected by the requested action. Note: One of the following filter arguments must be supplied: ids, groupIds, filterId. Please refer to https://usea1-partners.sentinelone.net/api-doc/api-details?category=agent-actions=disconnect-from-network for more information.

{

"computerName": "DESKTOP-6KJ****"

}

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": {
        "affected": 1
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "AffectedAgents": [
        "1"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Disconnect Agent From Network failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Authentication Failed.

Error Sample Data

Disconnect Agent From Network failed.

Status Code: 401.

Message: Authentication Failed.

Download Files

Downloads files from the management console.

READER NOTE

Agent ID and Command Batch UUIDs are required parameters to run this command.

  • Run the List Agents command to obtain Agent ID. Agent IDs can be found in the raw data at the path $.data[*].id.

  • Run the Collect Files command, the returned Command Batch UUIDs of the file can be used in the parameter. Command Batch UUIDs can be found in the raw data at the path $.data[*].data.commandBatchUuid.

Activity Created Time is an optional parameter to run this command.

  • Run the Collect Files command, the returned Create Time of the file can be used in this parameter. Create Time can be found in the raw data at the path $.data[*].createdAt.

Input

Input Parameter

Required/Optional

Description

Example

Agent ID

Required

The agent ID of the endpoint where the downloading files originate from. Agent ID can be obtained using the List Agents command.

138********274

Activity Created Time

Optional

The time to get activities created after this timestamp (UTC). Activity Created Time can use the returned Created Time of the Collect Files command.

2023-02-03 00:00

Command Batch UUIDs

Required

The Command Batch UUID(s) to filter files to download. Command Batch UUIDs can use the returned Command Batch UUID of the Collect Files command.

[ "ce1********276" ]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": [
        {
            "accountId": "131********791",
            "accountName": "D3 Security",
            "activityType": 80,
            "activityUuid": "651********a67",
            "agentId": "138********274",
            "agentUpdatedVersion": null,
            "comments": null,
            "createdAt": "2023-02-03T17:43:59.003291Z",
            "data": {
                "accountName": "D3 Security",
                "commandBatchUuid": "ce1********276",
                "commandId": 161********300,
                "computerName": "DESKTOP-3****07",
                "downloadUrl": "/agents/138********274/uploads/161********678",
                "externalIp": "216.251.***.***",
                "filePath": "/agents/138********274/uploads/161********678",
                "filename": "DESKTOP_3****07_2023-02-03_17_43_58.982",
                "fullScopeDetails": "Group Default Group in Site Default site of Account D3 Security",
                "fullScopeDetailsPath": "Global / D3 Security / Default site / Default Group",
                "groupName": "Default Group",
                "ipAddress": "216.251.***.***",
                "scopeLevel": "Group",
                "scopeName": "Default Group",
                "siteName": "Default site",
                "uploadedFilename": "DESKTOP-3****07_2023-02-03_09:43:58.zip"
            },
            "description": null,
            "groupId": "131********617",
            "groupName": "Default Group",
            "hash": null,
            "id": "161********678",
            "osFamily": null,
            "primaryDescription": "Agent DESKTOP-3****07 (216.251.***.***) successfully uploaded DESKTOP-3****07_2023-02-03_09:43:58.zip.",
            "secondaryDescription": "IP address: 216.251.***.***",
            "siteId": "131********008",
            "siteName": "Default site",
            "threatId": null,
            "updatedAt": "2023-02-03T17:43:59.002412Z",
            "userId": null,
            "fileId": "270",
            "fileName": "DESKTOP-3****07_2023-02-03_09:43:58.zip",
            "md5": "B9F********473",
            "sha1": "D80********6FC",
            "sha256": "61D********853"
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "CommandBatchUUIDs": [
        "05d********92b"
    ],
    "DownloadURL": [
        "/agents/139********432/uploads/161********499"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Download Files failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Authentication Failed.

Error Sample Data

Download Files failed.

Status Code: 401.

Message: Authentication Failed.

Download Threat Files

Downloads threat files from the management console.

READER NOTE

Agent ID, Threat ID and Command Batch UUIDs are required parameters to run this command.

  • Run the List Agents command to obtain Agent ID. Agent IDs can be found in the raw data at the path $.data[*].id.

  • Run the Get Threat command to obtain Threat ID. Threat IDs can be found in the raw data at the path $.data[*].id.

  • Run the Collect Files command, the returned Command Batch UUIDs of the file can be used in the parameter. Command Batch UUIDs can be found in the raw data at the path $.data[*].data.commandBatchUuid.

Input

Input Parameter

Required/Optional

Description

Example

Agent ID

Required

The agent ID of the endpoint where the downloading threat files originate from. Agent ID can be obtained using the List Agents command.

139********432

Threat ID

Required

The ID(s) of the threat(s) to download threat files.Threat ID can be obtained using the Get Threat command.

174********856

Command Batch UUIDs

Required

The Command Batch UUID(s) to filter files to download. Command Batch UUID of the Collect Files command.

It is possible to use Command Batch UUID from Collect Files.

[ "e1f********e87" ]

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": [
        {
            "accountId": "131********791",
            "accountName": "D3 Security",
            "activityType": 86,
            "activityUuid": "f59********e9d",
            "agentId": "162********407",
            "agentUpdatedVersion": null,
            "comments": null,
            "createdAt": "2023-08-22T22:24:40.833533Z",
            "data": {
                "accountName": "D3 Security",
                "commandBatchUuid": "e1f********e87",
                "commandId": 175*******600,
                "computerName": "lab3-**",
                "downloadUrl": "/agents/162********407/uploads/175********661",
                "escapedMaliciousProcessArguments": "\"start pushtoinstall registration\"",
                "externalIp": "216.251.***.***",
                "fileContentHash": "36d********8db",
                "fileDisplayName": "sc.exe (CLI 36d8)",
                "filePath": "/agents/162********407/uploads/175********661",
                "fileSize": 0,
                "filename": "lab3_********809.zip",
                "fullScopeDetails": "Group Default Group in Site D3****Viz of Account D3 Security",
                "fullScopeDetailsPath": "Global / D3 Security / D3****Viz / Default Group",
                "groupName": "Default Group",
                "ipAddress": null,
                "realUser": null,
                "siteName": "D3****Viz",
                "sourceType": "API",
                "storyline": "421********EE1",
                "threatClassification": "Infostealer",
                "threatClassificationSource": "Static",
                "uploadedFilename": "lab3-**_2023-08-22_*****.zip"
            },
            "description": null,
            "groupId": "174********355",
            "groupName": "Default Group",
            "hash": null,
            "id": "175********661",
            "osFamily": null,
            "primaryDescription": "Agent lab3-** (216.251.***.***) successfully uploaded a threat file.",
            "secondaryDescription": "lab3-**_2023-08-22_*****.zip (Group ID: 421********EE1).",
            "siteId": "174********138",
            "siteName": "D3****Viz",
            "threatId": "174********856",
            "updatedAt": "2023-08-22T22:24:40.832845Z",
            "userId": null,
            "fileId": "270",
            "fileName": "lab3-**_2023-08-22_15:11:34.zip",
            "md5": "B9F********473",
            "sha1": "D80********6FC",
            "sha256": "61D********853"
        }
    ],
    "pagination": {
        "nextCursor": null,
        "totalItems": 1
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "FileNames": [
        "lab3_dc_2023-08-22_22_17_38.960.zip"
    ],
    "DownloadURL": [
        "/agents/162********407/uploads/175********842"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Download Threat Files failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Authentication Failed.

Error Sample Data

Download Threat Files failed.

Status Code: 401.

Message: Authentication Failed.

Fetch Event

Returns Events(Threats or Alerts) from the platform based on specified criteria.

Input

Input Parameter

Required/Optional

Description

Example

Start Time

Required

The Start Time (in UTC Time) of the time range for fetching threats or alerts.

2021-08-01 00:00

End Time

Required

The End Time (in UTC Time) of the time range for fetching threats or alerts.

2022-09-14 00:00

Number of Event(s) Fetched

Optional

The number of the most recent Events(Threats or Alerts) to fetch. The valid value is from 1 to 1000. Up to 1000 events will be returned if not specified.

100

Search Condition

Optional

The query string to filter results. Please follow the following format: Parameter1=Value1a,Value1b=Value2=Value3… Please refer to https://usea1-partners.sentinelone.net/api-doc/api-details?category=threats=get-threats for the available parameters that can be used in the query string. Note: Do not use the createdAt__gte, createdAt__lt and limit fields as they are already defined by the Start Time, End Time, and Top Recent Event Number input parameters respectively.

computerName__contains=DESKTOP-H****D3

Sort By

Optional

The column to be sorted for the results. The available options are Created At, Updated At and ID. The default value of this field is Created At.

Created At

Direction

Optional

The results sorted in ascending or descending order. The default value is Descending.

Descending

Event Source

Optional

The type of events (i.e., Threat or Alert) to fetch. If this parameter is not defined, the default value is Threat.

Alert

Output

Return Data

Indicates one of the possible command execution states: Successful, Successful with No Event Data, or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": [
        {
            "agentDetectionInfo": {
                "accountId": "131********791",
                "accountName": "D3 Security",
                "agentDetectionState": null,
                "agentDomain": "D3*****7",
                "agentIpV4": "192.168.**.***",
                "agentIpV6": "fe80::********:461f",
                "agentLastLoggedInUpn": null,
                "agentLastLoggedInUserMail": null,
                "agentLastLoggedInUserName": "user1",
                "agentMitigationMode": "protect",
                "agentOsName": "Windows 10 Pro",
                "agentOsRevision": "18362",
                "agentRegisteredAt": "2022-03-25T00:09:21.982842Z",
                "agentUuid": "b67********d3a",
                "agentVersion": "4.3.2.86",
                "cloudProviders": {},
                "externalIp": "216.251.***.***",
                "groupId": "131********617",
                "groupName": "Default Group",
                "siteId": "131********008",
                "siteName": "Default site"
            },
            "agentRealtimeInfo": {
                "accountId": "131********791",
                "accountName": "D3 Security",
                "activeThreats": 20,
                "agentComputerName": "DESKTOP-3****07",
                "agentDecommissionedAt": null,
                "agentDomain": "D3*****7",
                "agentId": "138********274",
                "agentInfected": true,
                "agentIsActive": true,
                "agentIsDecommissioned": false,
                "agentMachineType": "desktop",
                "agentMitigationMode": "detect",
                "agentNetworkStatus": "connected",
                "agentOsName": "Windows 10 Pro",
                "agentOsRevision": "19042",
                "agentOsType": "windows",
                "agentUuid": "b67********d3a",
                "agentVersion": "4.3.2.86",
                "groupId": "131********617",
                "groupName": "Default Group",
                "networkInterfaces": [
                    {
                        "id": "138********883",
                        "inet": [
                            "192.168.**.***"
                        ],
                        "inet6": [
                            "fe80::********:461f"
                        ],
                        "name": "Ethernet0",
                        "physical": "00:5*******2:1c"
                    }
                ],
                "operationalState": "na",
                "rebootRequired": true,
                "scanAbortedAt": null,
                "scanFinishedAt": "2022-04-19T19:10:46.596172Z",
                "scanStartedAt": "2022-04-18T19:08:36.610417Z",
                "scanStatus": "finished",
                "siteId": "131********008",
                "siteName": "Default site",
                "storageName": null,
                "storageType": null,
                "userActionsNeeded": [
                    "reboot_needed"
                ]
            },
            "containerInfo": {
                "id": null,
                "image": null,
                "labels": null,
                "name": null
            },
            "id": "138********115",
            "indicators": [],
            "kubernetesInfo": {
                "cluster": null,
                "controllerKind": null,
                "controllerLabels": null,
                "controllerName": null,
                "namespace": null,
                "namespaceLabels": null,
                "node": null,
                "pod": null,
                "podLabels": null
            },
            "mitigationStatus": [
                {
                    "action": "quarantine",
                    "actionsCounters": {
                        "failed": 0,
                        "notFound": 0,
                        "pendingReboot": 0,
                        "success": 1,
                        "total": 1
                    },
                    "agentSupportsReport": true,
                    "groupNotFound": false,
                    "lastUpdate": "2022-03-25T00:27:05.942032Z",
                    "latestReport": "/threats/mitigation-report/138********238",
                    "mitigationEndedAt": "2022-03-25T00:27:05.623000Z",
                    "mitigationStartedAt": "2022-03-25T00:27:05.623000Z",
                    "status": "success"
                },
                {
                    "action": "kill",
                    "actionsCounters": null,
                    "agentSupportsReport": true,
                    "groupNotFound": false,
                    "lastUpdate": "2022-03-25T00:27:05.836238Z",
                    "latestReport": null,
                    "mitigationEndedAt": "2022-03-25T00:27:05.830266Z",
                    "mitigationStartedAt": "2022-03-25T00:27:05.830265Z",
                    "status": "success"
                }
            ],
            "threatInfo": {
                "analystVerdict": "undefined",
                "analystVerdictDescription": "Undefined",
                "automaticallyResolved": false,
                "browserType": null,
                "certificateId": "",
                "classification": "Trojan",
                "classificationSource": "Cloud",
                "cloudFilesHashVerdict": "black",
                "collectionId": "752********846",
                "confidenceLevel": "malicious",
                "createdAt": "2022-03-25T00:27:05.727961Z",
                "detectionEngines": [
                    {
                        "key": "sentinelone_cloud",
                        "title": "SentinelOne Cloud"
                    }
                ],
                "detectionType": "static",
                "engines": [
                    "SentinelOne Cloud"
                ],
                "externalTicketExists": false,
                "externalTicketId": null,
                "failedActions": false,
                "fileExtension": "EXE",
                "fileExtensionType": "Executable",
                "filePath": "\\Device\\HarddiskVolume4\\Users\\user1\\Desktop\\T1***\\file0\\T1***.exe",
                "fileSize": 20992,
                "fileVerificationType": "NotSigned",
                "identifiedAt": "2022-03-25T00:27:05.608000Z",
                "incidentStatus": "unresolved",
                "incidentStatusDescription": "Unresolved",
                "initiatedBy": "agent_policy",
                "initiatedByDescription": "Agent Policy",
                "initiatingUserId": null,
                "initiatingUsername": null,
                "isFileless": false,
                "isValidCertificate": false,
                "maliciousProcessArguments": null,
                "md5": null,
                "mitigatedPreemptively": false,
                "mitigationStatus": "mitigated",
                "mitigationStatusDescription": "Mitigated",
                "originatorProcess": "powershell.exe (interactive session)",
                "pendingActions": false,
                "processUser": "D3*****7\\user1",
                "publisherName": "",
                "reachedEventsLimit": false,
                "rebootRequired": false,
                "sha1": "a6d********d00",
                "sha256": null,
                "storyline": "BC8********1BE",
                "threatId": "138********115",
                "threatName": "T1***.exe",
                "updatedAt": "2022-03-25T00:27:05.938639Z"
            },
            "whiteningOptions": [
                "hash"
            ]
        }
    ],
    "pagination": {
        "nextCursor": "eyJ********%3D",
        "totalItems": 296
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "EventIDs": [
        "134********034"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Fetch Event Field Mapping

Please note that Fetch Event commands require event field mapping. Field mapping plays a key role in the data normalization process part of the event pipeline. Field mapping converts the original data fields from the different providers to the D3 fields which are standardized by the D3 Model. Please refer to Event and Incident Intake Field Mapping for details.

If you require a custom field mapping, click +Add Field to add a custom field mapping. You can also remove built-in field mappings by clicking x. Please note that two underscore characters will automatically prefix the defined Field Name as the System Name for a custom field mapping. Additionally, if an input Field Name contains any spaces, they will automatically be replaced with underscores for the corresponding System Name.

The SentinelOne integration in D3 SOAR has some pre-configured field mappings for the Threat and Alert, which correspond to the Default Event Source and Event Source for Alert mappings:

  • Default Event Source
    Configures the field mapping which are specific to the threat-related events. If a source field in the field mapping is not found, the corresponding field mapping will be ignored. The default event source has a “Main Event JSON Path” (i.e., $.data) that is used to extract a batch of events from the response raw data. Click Edit Event Source to view the “Main Event JSON Path”.

    • Main Event JSON Path: $.data
      The Main Event JSON Path determines the root path where the system starts parsing raw response data into D3 event data. The JSON path begins with $, representing the root element. The path is formed by appending a sequence of child elements to $, each separated by a dot (.). Square brackets with nested quotation marks ([‘...’]) should be used to separate child elements in JSON arrays.

      For example, the root node of a JSON Path is data. The child node denoting the Document ID field would be id. Putting it together, the JSON Path expression to extract the Document ID is $.data.id.

  • Event Source for Alert

Configures the field mapping which are specific to the alert-related events. If a source field in the field mapping is not found, the corresponding field mapping will be ignored. As the data of the alert-related events have a character that the value of the Type field is Alert, the alert-related events can be defined by the Search String: {$.Type}=Alert. Click Edit Event Source to view the Search String.

The pre-configured field mappings are detailed below:

Field Name

Source Field

Default Event Source (Main Event JSON Path: $.data)

Document ID

.id

AccountID

.agentDetectionInfo.accountId

AccountName

.agentDetectionInfo.accountName

SiteID

.agentDetectionInfo.siteId

SiteName

.agentDetectionInfo.siteName

InitiatingUserId

.threatInfo.initiatingUserId

Event Type

.threatInfo.classification

Description

.threatInfo.analystVerdictDescription

Start Time

.threatInfo.createdAt

Filepath

.threatInfo.filePath

File Hash MD5

.threatInfo.md5

File Hash SHA256

.threatInfo.sha256

Threat name

.threatInfo.threatName

Techniques

.indicators[*].tactics[*].techniques[*].name

Indicator Category

.indicators[*].category

Indicator Description

.indicators[*].description

Host Is Infected

.agentRealtimeInfo.agentInfected

Host Is Active

.agentRealtimeInfo.agentIsActive

Hostname

.agentRealtimeInfo.agentComputerName

Device IP address

.agentRealtimeInfo.agentIpV4

Operating System

.agentDetectionInfo.agentOsName

Agent ID

.agentRealtimeInfo.agentId

Status

.threatInfo.incidentStatus

Analyst Verdict

.threatInfo.analystVerdict

Source

.threatInfo.initiatedBy

Mitigation Status

.threatInfo.mitigationStatus

Confidence Level

.threatInfo.confidenceLevel

Storyline

.threatInfo.storyline

Process Name

.threatInfo.originatorProcess

Event name

.threatInfo.threatName

Process User

.threatInfo.processUser

External Ticket ID

.threatInfo.externalTicketId

Malicious Process Arguments

.threatInfo.maliciousProcessArguments

Event Source for Alert (Search String: {{$.Type}=Alert)

The search string format is {jsonpath}=value. If the value of the Type key is Alert in the event object under raw data, then the alert-related events will use the field mapping below.

Document ID

.alertInfo.alertId

AccountID

.agentDetectionInfo.accountId

SiteID

.agentDetectionInfo.siteId

Hostname

.agentDetectionInfo.name

Event Type

.alertInfo.eventType

Description

.alertInfo.indicatorDescription

Start Time

.alertInfo.createdAt

Operating System

.agentDetectionInfo.osName

Agent ID

.agentRealtimeInfo.id

Status

.alertInfo.incidentStatus

Analyst Verdict

.alertInfo.analystVerdict

Source

.alertInfo.source

Rule name

.ruleInfo.name

Severity

.ruleInfo.severity

Storyline

.storyline

Process Name

.sourceProcessInfo.name

Process ID

.sourceProcessInfo.pid

Process file path

.sourceProcessInfo.filePath

Process hashes MD5

.sourceProcessInfo.fileHashMd5

Process hashes SHA1

.sourceProcessInfo.fileHashSha1

Process hashes SHA256

.sourceProcessInfo.fileHashSha256

Parent process name

.sourceParentProcessInfo.name

Parent process ID

.sourceParentProcessInfo.pid

Parent process image path

.sourceParentProcessInfo.filePath

Parent Process Hash MD5

.sourceParentProcessInfo.fileHashMd5

Parent Process Hash SHA1

.sourceParentProcessInfo.fileHashSha1

Parent Process Hash SHA256

.sourceParentProcessInfo.fileHashSha256

Target process name

.targetProcessInfo.tgtProcName

Target process ID

.targetProcessInfo.tgtProcPid

Target Process File Path

.targetProcessInfo.tgtFilePath

Target Process Hash SHA1

.targetProcessInfo.tgtFileHashSha1

Target Process Hash SHA256

.targetProcessInfo.tgtFileHashSha256

Target image

.targetProcessInfo.tgtProcImagePath

Process command line

.sourceProcessInfo.commandline

Parent process commandline

.sourceParentProcessInfo.commandline

Target Process Commandline

.targetProcessInfo.tgtProcCmdLine

Source IP address

.alertInfo.srcIp

Source port

.alertInfo.srcPort

Destination IP address

.alertInfo.dstIp

Destination port

.alertInfo.dstPort

Module image path

.alertInfo.modulePath

Module Hash SHA1

.alertInfo.moduleSha1

Login User Name

.alertInfo.loginsUserName

Login Account Domain

.alertInfo.loginAccountDomain

DV Event ID

.alertInfo.dvEventId

Indicator Category

.alertInfo.indicatorCategory

Indicator Name

.alertInfo.indicatorName

Host Is Infected

.agentRealtimeInfo.infected

Host Is Active

.agentRealtimeInfo.isActive

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Fetch Event failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: dict_values(['xxx']): Unknown field.

Error Sample Data

Fetch Event failed.

Status Code: 400.

Message: dict_values(['xxx']): Unknown field.

Fetch Files

Retrieves files from endpoints to analyze the root of threats, accommodating up to 10 MB for each instance of running the command. Due to network issues or endpoint connection problems, it might prolong the file upload process from the agent to Sentinel One management console. To avoid command timeout, use the Collect Files and Download Files commands instead.

READER NOTE

Agent ID is a required parameter to run this command.

  • Run the List Agents command to obtain Agent ID. Agent IDs can be found in the raw data at the path $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Agent ID

Required

The Agent ID for fetching files. Agent ID can be obtained using the List Agents command.

134********951

Files Path

Required

The list of file path(s) to fetch files from.

[ "C:\\NPPSpy.txt" ]

Password

Required

The new password for the archive of downloaded files. The password must have 10 or more characters with a mix of upper and lower case letters, numbers and symbols.

MySecret******!

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "fileId": "270",
    "fileName": "\"WIN-EIJ****TA74_2020-11-23_14:27:34.zip\"",
    "md5": "B9F********473",
    "sha1": "D80********6FC",
    "sha256": "61D********853"
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Fetch Files failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.

Error Sample Data

Fetch Files failed.

Status Code: 404.

Message: The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.

Fetch Threat File

Fetches file(s) associated with the specified threat(s) by threat ID(s).

READER NOTE

The parameter Threat IDs is required to run this command.

  • Run the Get Threat command to obtain Threat ID. Threat IDs can be found in the raw data at the path $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Threat IDs

Required

The ID(s) of the threats for fetching threat files. Threat IDs can be obtained using the Get Threat command.

["174********856"]

Password

Required

The new password, which you will use to open the archive of downloaded files. The password must be 10 or more characters with a mix of upper and lower case letters, numbers, and symbols.

MySecret******!

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": [
        {
            "accountId": "131********791",
            "accountName": "D3 Security",
            "activityType": 85,
            "activityUuid": "993********1af",
            "agentId": "162********407",
            "agentUpdatedVersion": null,
            "comments": null,
            "createdAt": "2023-08-15T23:15:07.951845Z",
            "data": {
                "accountName": "D3 Security",
                "commandBatchUuid": "e1f********e87",
                "computerName": "lab3-**",
                "escapedMaliciousProcessArguments": "\"start pushtoinstall registration\"",
                "externalIp": "216.251.***.***",
                "fileContentHash": "36d********8db",
                "fileDisplayName": "sc.exe (CLI 36d8)",
                "filePath": "\\Device\\HarddiskVolume4\\Windows\\System32\\sc.exe (CLI 36d8)",
                "fullScopeDetails": "Group Default Group in Site D3****Viz of Account D3 Security",
                "fullScopeDetailsPath": "Global / D3 Security / D3****Viz / Default Group",
                "groupName": "Default Group",
                "groupType": "Manual",
                "ipAddress": null,
                "scopeLevel": "Group",
                "scopeName": "Default Group",
                "siteName": "D3****Viz",
                "storyline": "421********EE1",
                "threatClassification": "Infostealer",
                "threatClassificationSource": "Static",
                "username": "Jon***** Y**",
                "uuid": "2d1********f70"
            },
            "description": null,
            "groupId": "174********355",
            "groupName": "Default Group",
            "hash": null,
            "id": "175********650",
            "osFamily": null,
            "primaryDescription": "The management user Jon***** Y** initiated a fetch threat file command to the agent lab3-** (216.251.***.***).",
            "secondaryDescription": "sc.exe (CLI 36d8) (Group ID: 421********EE1)",
            "siteId": "174********138",
            "siteName": "D3****Viz",
            "threatId": "174********856",
            "updatedAt": "2023-08-15T23:15:07.951851Z",
            "userId": "138********959"
        }
    ],
    "pagination": {
        "nextCursor": null,
        "totalItems": 1
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ComputerNames": [
        "lab3-**"
    ],
    "CreatedTime": [
        "2023-08-15T23:15:07.951845Z"
    ],
    "AgentIDs": [
        "162********407"
    ],
    "ThreatIDs": [
        "174********856"
    ],
    "ActivityUUIDs": [
        "993********1af"
    ],
    "CommandBatchUUIDs": [
        "e1f********e87"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Fetch Threat File failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 502.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: All fetching threat file requests failed. Please refer to D3Errors in Raw Data for more details.

Error Sample Data

Fetch Threat File failed.

Status Code: 502.

Message: All fetching threat file requests failed. Please refer to D3Errors in Raw Data for more details.

Get Account Policy

Retrieves the policy for the Account given by ID.

READER NOTE

Account ID is a required parameter to run this command.

  • Run the List Accounts command to obtain Account ID. Account IDs can be found in the returned raw data at the path $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Account ID

Required

The Account ID which account policy is to be retrieved. Account ID can be obtained using the List Accounts command.

131********791

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": {
        "agentLoggingOn": true,
        "agentNotification": true,
        "agentUi": {
            "agentUiOn": true,
            "contactCompany": "",
            "contactDirectMessage": "",
            "contactEmail": "",
            "contactFreeText": "",
            "contactOther": "",
            "contactPhoneNumber": "",
            "contactSupportWebsite": "",
            "devicePopUpNotifications": true,
            "maxEventAgeDays": 30,
            "showAgentWarnings": false,
            "showDeviceTab": true,
            "showQuarantineTab": true,
            "showSupport": false,
            "showSuspicious": true,
            "threatPopUpNotifications": true
        },
        "agentUiOn": true,
        "allowRemoteShell": false,
        "antiTamperingOn": true,
        "autoDecommissionDays": 21,
        "autoDecommissionOn": true,
        "autoFileUpload": {
            "enabled": false
        },
        "autoImmuneOn": true,
        "autoMitigationAction": "mitigation.quarantineThreat",
        "cloudValidationOn": true,
        "createdAt": "2022-03-28T17:10:50.094941Z",
        "engines": {
            "applicationControl": "off",
            "dataFiles": "on",
            "executables": "on",
            "exploits": "on",
            "lateralMovement": "on",
            "penetration": "on",
            "preExecution": "on",
            "preExecutionSuspicious": "on",
            "pup": "on",
            "remoteShell": "on",
            "reputation": "on"
        },
        "fwForNetworkQuarantineEnabled": false,
        "inheritedFrom": null,
        "ioc": true,
        "iocAttributes": {
            "autoInstallBrowserExtensions": true,
            "behavioralIndicators": false,
            "commandScripts": false,
            "crossProcess": true,
            "dataMasking": false,
            "dllModuleLoad": false,
            "dns": true,
            "fds": false,
            "file": true,
            "headers": true,
            "ip": true,
            "login": true,
            "process": true,
            "registry": true,
            "scheduledTask": true,
            "url": true
        },
        "isDefault": false,
        "mitigationMode": "protect",
        "mitigationModeSuspicious": "detect",
        "monitorOnExecute": true,
        "monitorOnWrite": true,
        "networkQuarantineOn": false,
        "researchOn": true,
        "scanNewAgents": true,
        "snapshotsOn": true,
        "updatedAt": "2022-03-28T18:55:21.092542Z",
        "userFullName": "T*** F*",
        "userId": "131*********811"
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "IsDefault": [
        "false"
    ],
    "MitigationMode": [
        "protect"
    ],
    "MitigationModeSuspicious ": [
        "detect"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Account Policy failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The account with ID xxx is not found.

Error Sample Data

Get Account Policy failed.

Status Code: 404.

Message: The account with ID xxx is not found.

Get Activities

Retrieves activities and their respective data matching the specified filters. The activities are sorted by creation time in descending order.

Input

Input Parameter

Required/Optional

Description

Example

Filter

Optional

The filter in JSON format to filter results. It is possible to use any combination of filters to narrow the list of results. Please refer to https://usea1-partners.sentinelone.net/api-doc/api-details?category=activities=get-activities for more information about filters.

{

"limit": 2,

"agentIds":"138********274"

}

Limit

Optional

The limit number of returned items (0-1000). If you want to retrieve all activities matching filters, please set the limit to 0. If not specified, the default value is 10.

100

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": [
        {
            "accountId": "131********791",
            "accountName": "D3 Security",
            "activityType": 71,
            "activityUuid": "71c********1b8",
            "agentId": "138********274",
            "agentUpdatedVersion": null,
            "comments": null,
            "createdAt": "2022-03-25T00:09:22.101018Z",
            "data": {
                "accountName": "D3 Security",
                "computerName": "DESKTOP-3****07",
                "externalIp": "216.251.***.***",
                "fullScopeDetails": "Group Default Group in Site Default site of Account D3 Security",
                "fullScopeDetailsPath": "Global / D3 Security / Default site / Default Group",
                "groupName": "Default Group",
                "scopeLevel": "Group",
                "scopeName": "Default Group",
                "siteName": "Default site",
                "system": true,
                "username": null,
                "uuid": "b67********d3a"
            },
            "description": null,
            "groupId": "131********617",
            "groupName": "Default Group",
            "hash": null,
            "id": "138********205",
            "osFamily": null,
            "primaryDescription": "System initiated a full disk scan to the agent: DESKTOP-3****07 (216.251.***.***).",
            "secondaryDescription": null,
            "siteId": "131********008",
            "siteName": "Default site",
            "threatId": null,
            "updatedAt": "2022-03-25T00:09:22.101022Z",
            "userId": null
        },
        {
            "accountId": "131********791",
            "accountName": "D3 Security",
            "activityType": 17,
            "activityUuid": "699********2fd",
            "agentId": "138********274",
            "agentUpdatedVersion": null,
            "comments": null,
            "createdAt": "2022-03-25T00:09:22.103082Z",
            "data": {
                "accountName": "D3 Security",
                "computerName": "DESKTOP-3****07",
                "fullScopeDetails": "Group Default Group in Site Default site of Account D3 Security",
                "fullScopeDetailsPath": "Global / D3 Security / Default site / Default Group",
                "group": "Default Group",
                "groupName": "Default Group",
                "optionalGroups": [],
                "siteName": "Default site"
            },
            "description": null,
            "groupId": "131********617",
            "groupName": "Default Group",
            "hash": null,
            "id": "138********424",
            "osFamily": null,
            "primaryDescription": "DESKTOP-3****07 subscribed and joined the group Default Group of site Default site.",
            "secondaryDescription": "",
            "siteId": "131********008",
            "siteName": "Default site",
            "threatId": null,
            "updatedAt": "2022-03-25T00:09:21.996724Z",
            "userId": null
        }
    ],
    "pagination": {
        "nextCursor": "eyJ***********************yJ9",
        "totalItems": 734
    }
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting $.data path from the returned raw data.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
No Sample Data
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "activityIds": [
        "138********205",
        "138********424"
    ],
    "agentIds": [
        "138********274",
        "138********274"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Activities failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: User has insufficient permissions to perform the requested action.

Error Sample Data

Get Activities failed.

Status Code: 403.

Message: User has insufficient permissions to perform the requested action.

Get Agent Applications

Retrieves the installed applications for the specific Agents by their agent IDs.

READER NOTE

The parameter Agent IDs is required to run this command.

  • Run the List Agents command to obtain Agent IDs. Agent IDs can be found in raw data at the path $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Agent IDs

Required

The IDs of the agents to retrieve installed applications. Agent IDs can be obtained using the List Agents command.

["134********951", "134********111"]

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": [
        {
            "installedDate": "2020-09-29T22:33:53.606000Z",
            "name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17",
            "publisher": "Microsoft Corporation",
            "size": 881,
            "version": "9.0.30729"
        },
        {
            "installedDate": "2020-08-02T01:16:16.290000Z",
            "name": "Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030",
            "publisher": "Microsoft Corporation",
            "size": 17800,
            "version": "11.0.61030.0"
        },
        {
            "installedDate": "2020-08-01T22:39:58.272000Z",
            "name": "AWS PV Drivers",
            "publisher": "Amazon Web Services",
            "size": 28692,
            "version": "8.3.3"
        }
    ]
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the $.data path from the returned raw data.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE

    {
        "installedDate": "2020-09-29T22:33:53.606000Z",
        "name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17",
        "publisher": "Microsoft Corporation",
        "size": 881,
        "version": "9.0.30729"
    },
    {
        "installedDate": "2020-08-02T01:16:16.290000Z",
        "name": "Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030",
        "publisher": "Microsoft Corporation",
        "size": 17800,
        "version": "11.0.61030.0"
    },
    {
        "installedDate": "2020-08-01T22:39:58.272000Z",
        "name": "AWS PV Drivers",
        "publisher": "Amazon Web Services",
        "size": 28692,
        "version": "8.3.3"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "Names": [
        "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17"
    ],
    "Publishers": [
        "Microsoft Corporation"
    ],
    "Installed Dates": [
        "2020-09-29T22:33:53.606000Z"
    ],
    "Sizes": [
        "881"
    ],
    "Versions": [
        "9.0.30729"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Agent Applications failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized access.

Error Sample Data

Get Agent Applications failed.

Status Code: 403.

Message: Unauthorized access.

Get Agent Info

Retrieves information of agents based on the specified Agent IDs.

READER NOTE

The parameter Agent IDs is required to run this command.

  • Run the List Agents command to obtain Agent IDs. Agent IDs can be found in the raw data at the path $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Agent IDs

Required

The IDs of the agents to return. Agent IDs can be obtained using the List Agents command.

[ "134********951", "134********111" ]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": [
        {
            "accountId": "131********791",
            "accountName": "D3 Security",
            "activeDirectory": {
                "computerDistinguishedName": null,
                "computerMemberOf": [],
                "lastUserDistinguishedName": null,
                "lastUserMemberOf": []
            },
            "activeThreats": 66,
            "agentVersion": "21.7.5.1080",
            "allowRemoteShell": false,
            "appsVulnerabilityStatus": "up_to_date",
            "cloudProviders": {},
            "computerName": "DESKTOP-6KJ****",
            "consoleMigrationStatus": "N/A",
            "coreCount": 16,
            "cpuCount": 16,
            "cpuId": "Intel(R) Xeon(R) CPU E5-2690 0 @ 2.90GHz",
            "createdAt": "2022-02-04T00:18:48.831527Z",
            "detectionState": null,
            "domain": "WORKGROUP",
            "encryptedApplications": false,
            "externalId": "",
            "externalIp": "216.251.***.***",
            "firewallEnabled": true,
            "firstFullModeTime": null,
            "groupId": "138********378",
            "groupIp": "216.251.148.x",
            "groupName": "Default Group",
            "id": "134********951",
            "inRemoteShellSession": false,
            "infected": true,
            "installerType": ".exe",
            "isActive": true,
            "isDecommissioned": false,
            "isPendingUninstall": false,
            "isUninstalled": false,
            "isUpToDate": true,
            "lastActiveDate": "2022-03-29T22:20:08.491862Z",
            "lastIpToMgmt": "192.168.**.*24",
            "lastLoggedInUserName": "admin",
            "licenseKey": "",
            "locationEnabled": true,
            "locationType": "Fall****",
            "locations": [
                {
                    "id": "629********476",
                    "name": "Fall****",
                    "scope": "global"
                }
            ],
            "machineType": "desktop",
            "mitigationMode": "detect",
            "mitigationModeSuspicious": "detect",
            "modelName": "VMware, Inc. - VMware7,1",
            "networkInterfaces": [
                {
                    "gatewayIp": "192.168.**.*",
                    "gatewayMacAddress": "84:*****8:13",
                    "id": "134*******561",
                    "inet": [
                        "192.168.**.*24"
                    ],
                    "inet6": [
                        "fe80:********5c19"
                    ],
                    "name": "Ethernet0",
                    "physical": "00:5*****7:7f"
                }
            ],
            "networkQuarantineEnabled": false,
            "networkStatus": "connected",
            "operationalState": "na",
            "operationalStateExpiration": null,
            "osArch": "64 bit",
            "osName": "Windows 10 Pro",
            "osRevision": "19044",
            "osStartTime": "2022-03-20T04:11:39Z",
            "osType": "windows",
            "osUsername": null,
            "rangerStatus": "Enabled",
            "rangerVersion": "21.11.0.69",
            "registeredAt": "2022-02-04T00:18:48.825801Z",
            "remoteProfilingState": "disabled",
            "remoteProfilingStateExpiration": null,
            "scanAbortedAt": null,
            "scanFinishedAt": "2022-02-04T17:44:34.108856Z",
            "scanStartedAt": "2022-02-04T00:22:32.484233Z",
            "scanStatus": "finished",
            "siteId": "138********161",
            "siteName": "site2",
            "storageName": null,
            "storageType": null,
            "tags": {
                "sentinelone": []
            },
            "threatRebootRequired": false,
            "totalMemory": 16382,
            "updatedAt": "2022-03-29T21:32:07.482725Z",
            "userActionsNeeded": [],
            "uuid": "a7b********365"
        }
    ],
    "pagination": {
        "nextCursor": null,
        "totalItems": 1
    }
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the $.data path from the returned raw data.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "accountId": "131********791",
        "accountName": "D3 Security",
        "activeDirectory": {
            "computerDistinguishedName": null,
            "computerMemberOf": [],
            "lastUserDistinguishedName": null,
            "lastUserMemberOf": []
        },
        "activeThreats": 66,
        "agentVersion": "21.7.5.1080",
        "allowRemoteShell": false,
        "appsVulnerabilityStatus": "up_to_date",
        "cloudProviders": {},
        "computerName": "DESKTOP-6KJ****",
        "consoleMigrationStatus": "N/A",
        "coreCount": 16,
        "cpuCount": 16,
        "cpuId": "Intel(R) Xeon(R) CPU E5-2690 0 @ 2.90GHz",
        "createdAt": "2022-02-04T00:18:48.831527Z",
        "detectionState": null,
        "domain": "WORKGROUP",
        "encryptedApplications": false,
        "externalId": "",
        "externalIp": "216.251.***.***",
        "firewallEnabled": true,
        "firstFullModeTime": null,
        "groupId": "138********378",
        "groupIp": "216.251.148.x",
        "groupName": "Default Group",
        "id": "134********951",
        "inRemoteShellSession": false,
        "infected": true,
        "installerType": ".exe",
        "isActive": true,
        "isDecommissioned": false,
        "isPendingUninstall": false,
        "isUninstalled": false,
        "isUpToDate": true,
        "lastActiveDate": "2022-03-29T22:20:08.491862Z",
        "lastIpToMgmt": "192.168.**.*24",
        "lastLoggedInUserName": "admin",
        "licenseKey": "",
        "locationEnabled": true,
        "locationType": "Fall****",
        "locations": [
            {
                "id": "629********476",
                "name": "Fall****",
                "scope": "global"
            }
        ],
        "machineType": "desktop",
        "mitigationMode": "detect",
        "mitigationModeSuspicious": "detect",
        "modelName": "VMware, Inc. - VMware7,1",
        "networkInterfaces": [
            {
                "gatewayIp": "192.168.**.*",
                "gatewayMacAddress": "84:*****8:13",
                "id": "134*******561",
                "inet": [
                    "192.168.**.*24"
                ],
                "inet6": [
                    "fe80:********5c19"
                ],
                "name": "Ethernet0",
                "physical": "00:5*****7:7f"
            }
        ],
        "networkQuarantineEnabled": false,
        "networkStatus": "connected",
        "operationalState": "na",
        "operationalStateExpiration": null,
        "osArch": "64 bit",
        "osName": "Windows 10 Pro",
        "osRevision": "19044",
        "osStartTime": "2022-03-20T04:11:39Z",
        "osType": "windows",
        "osUsername": null,
        "rangerStatus": "Enabled",
        "rangerVersion": "21.11.0.69",
        "registeredAt": "2022-02-04T00:18:48.825801Z",
        "remoteProfilingState": "disabled",
        "remoteProfilingStateExpiration": null,
        "scanAbortedAt": null,
        "scanFinishedAt": "2022-02-04T17:44:34.108856Z",
        "scanStartedAt": "2022-02-04T00:22:32.484233Z",
        "scanStatus": "finished",
        "siteId": "138********161",
        "siteName": "site2",
        "storageName": null,
        "storageType": null,
        "tags": {
            "sentinelone": []
        },
        "threatRebootRequired": false,
        "totalMemory": 16382,
        "updatedAt": "2022-03-29T21:32:07.482725Z",
        "userActionsNeeded": [],
        "uuid": "a7b********365"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "AgentIDs": [
        "134********951"
    ],
    "ExternalIps": [
        "216.251.***.***"
    ],
    "AgentNames": [
        "DESKTOP-6KJ****"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Agent Info failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Invalid user input received.

Error Sample Data

Get Agent Info failed.

Status Code: 400.

Message: Invalid user input received.

Get Agent Process

Starts a Deep Visibility Query and retrieves events.

READER NOTE

Deep Visibility has limits for different accounts. The current trial account currently retains data for 14 days. If you see errors returned for your search period, contact SentineOne support to increase the data retention period if required.

https://usea1-partners.sentinelone.net/docs/en/date-and-time-reference.html#date-and-time-reference

Input

Input Parameter

Required/Optional

Description

Example

Start Time

Optional

The Start Time (in UTC Time) of the time range.

2022-09-20 00:00

End Time

Optional

The End Time (in UTC Time) of the time range.

2022-09-26 00:00

Query

Optional

The queries defined to filter results. Please refer to Query Syntax in the Knowledge Base (support.sentinelone.com) or the Console Help. Please refer to https://assets.sentinelone.com/c/sentinel-one-dv-chea-2?x=u6040P for the field name syntax.

ProcessImagePath CONTAINS \"windows\"

Limit

Optional

The set maximum number of returned items (Between 1-1000). Up to 1000 results will be returned if you leave this field empty.

10

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": [
        {
            "accountId": "131********791",
            "activeContentFileId": null,
            "activeContentHash": null,
            "activeContentPath": null,
            "activeContentSignedStatus": null,
            "activeContentType": null,
            "agentDomain": "WORKGROUP",
            "agentGroupId": "138********378",
            "agentId": "139********432",
            "agentInfected": true,
            "agentIp": "216.251.***.***",
            "agentIsActive": true,
            "agentIsDecommissioned": false,
            "agentMachineType": "desktop",
            "agentName": "DESKTOP-H****D3",
            "agentNetworkStatus": "connected",
            "agentOs": "windows",
            "agentTimestamp": "2022-09-28T01:45:56.535Z",
            "agentUuid": "cd8********661",
            "agentVersion": null,
            "childProcCount": null,
            "createdAt": "2022-09-28T01:45:56.535000Z",
            "crossProcCount": null,
            "crossProcDupRemoteProcHandleCount": null,
            "crossProcDupThreadHandleCount": null,
            "crossProcOpenProcCount": null,
            "crossProcOutOfStorylineCount": null,
            "crossProcThreadCreateCount": null,
            "dnsCount": null,
            "endpointMachineType": "desktop",
            "endpointName": "DESKTOP-H****D3",
            "endpointOs": "windows",
            "eventIndex": null,
            "eventRepetitionCount": null,
            "eventTime": "2022-09-28T01:45:56.535Z",
            "eventType": "Registry Value Modified",
            "fileIsExecutable": null,
            "fileMd5": null,
            "fileSha256": null,
            "id": "736********624",
            "indicatorBootConfigurationUpdateCount": null,
            "indicatorEvasionCount": null,
            "indicatorExploitationCount": null,
            "indicatorGeneralCount": null,
            "indicatorInfostealerCount": null,
            "indicatorInjectionCount": null,
            "indicatorPersistenceCount": null,
            "indicatorPostExploitationCount": null,
            "indicatorRansomwareCount": null,
            "indicatorReconnaissanceCount": null,
            "isAgentVersionFullySupportedForPg": false,
            "isAgentVersionFullySupportedForPgMessage": "The event generated from this Agent version does not contain all information needed for the Process Graph. The Graph is GA with Agent versions: Windows 22.1 EA2+, Linux 22.2 EA+ and macOS 21.12 GA+",
            "lastActivatedAt": "2022-07-31T08:10:36.000Z",
            "metaEventName": "REGVALUEMODIFIED",
            "moduleCount": null,
            "netConnCount": null,
            "netConnInCount": null,
            "netConnOutCount": null,
            "objectType": "registry",
            "osSrcChildProcCount": null,
            "osSrcCrossProcCount": null,
            "osSrcCrossProcDupRemoteProcHandleCount": null,
            "osSrcCrossProcDupThreadHandleCount": null,
            "osSrcCrossProcOpenProcCount": null,
            "osSrcCrossProcOutOfStorylineCount": null,
            "osSrcCrossProcThreadCreateCount": null,
            "osSrcDnsCount": null,
            "osSrcIndicatorBootConfigurationUpdateCount": null,
            "osSrcIndicatorEvasionCount": null,
            "osSrcIndicatorExploitationCount": null,
            "osSrcIndicatorGeneralCount": null,
            "osSrcIndicatorInfostealerCount": null,
            "osSrcIndicatorInjectionCount": null,
            "osSrcIndicatorPersistenceCount": null,
            "osSrcIndicatorPostExploitationCount": null,
            "osSrcIndicatorRansomwareCount": null,
            "osSrcIndicatorReconnaissanceCount": null,
            "osSrcModuleCount": null,
            "osSrcNetConnCount": null,
            "osSrcNetConnInCount": null,
            "osSrcNetConnOutCount": null,
            "osSrcProcActiveContentFileId": null,
            "osSrcProcActiveContentHash": null,
            "osSrcProcActiveContentPath": null,
            "osSrcProcActiveContentSignedStatus": null,
            "osSrcProcActiveContentType": null,
            "osSrcProcBinaryisExecutable": null,
            "osSrcProcCmdLine": null,
            "osSrcProcDisplayName": null,
            "osSrcProcImageMd5": null,
            "osSrcProcImagePath": null,
            "osSrcProcImageSha1": null,
            "osSrcProcImageSha256": null,
            "osSrcProcIntegrityLevel": null,
            "osSrcProcIsNative64Bit": null,
            "osSrcProcIsRedirectCmdProcessor": null,
            "osSrcProcIsStorylineRoot": null,
            "osSrcProcName": null,
            "osSrcProcParentActiveContentFileId": null,
            "osSrcProcParentActiveContentHash": null,
            "osSrcProcParentActiveContentPath": null,
            "osSrcProcParentActiveContentSignedStatus": null,
            "osSrcProcParentActiveContentType": null,
            "osSrcProcParentCmdLine": null,
            "osSrcProcParentDisplayName": null,
            "osSrcProcParentImageMd5": null,
            "osSrcProcParentImagePath": "C:\\******\\********\\*******.exe",
            "osSrcProcParentImageSha1": "1f9********b97",
            "osSrcProcParentImageSha256": null,
            "osSrcProcParentIntegrityLevel": null,
            "osSrcProcParentIsNative64Bit": null,
            "osSrcProcParentIsRedirectCmdProcessor": null,
            "osSrcProcParentIsStorylineRoot": null,
            "osSrcProcParentName": "svchost.exe",
            "osSrcProcParentPid": null,
            "osSrcProcParentPublisher": null,
            "osSrcProcParentReasonSignatureInvalid": null,
            "osSrcProcParentSessionId": null,
            "osSrcProcParentSignedStatus": null,
            "osSrcProcParentStartTime": "2022-08-24T00:55:24.193Z",
            "osSrcProcParentStorylineId": "AF0*****B0E",
            "osSrcProcParentUid": "257********EDC",
            "osSrcProcParentUser": null,
            "osSrcProcPid": null,
            "osSrcProcPublisher": null,
            "osSrcProcReasonSignatureInvalid": null,
            "osSrcProcRelatedToThreat": "False",
            "osSrcProcSessionId": null,
            "osSrcProcSignedStatus": null,
            "osSrcProcStartTime": null,
            "osSrcProcStorylineId": null,
            "osSrcProcSubsystem": null,
            "osSrcProcUid": null,
            "osSrcProcUser": null,
            "osSrcProcVerifiedStatus": null,
            "osSrcRegistryChangeCount": null,
            "osSrcTgtFileCreationCount": null,
            "osSrcTgtFileDeletionCount": null,
            "osSrcTgtFileModificationCount": null,
            "parentPid": null,
            "parentProcessName": "sihost.exe",
            "parentProcessStartTime": "2022-08-24T00:56:20.385Z",
            "parentProcessUniqueKey": "901********809",
            "pid": "12816",
            "processCmd": "\"C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_********_x64__8we*****bwe\\HxTsr.exe\" -ServerName:Hx.IPC.Server",
            "processDisplayName": null,
            "processGroupId": "D7F********984",
            "processImagePath": "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_********_x64__8we*****bwe\\HxTsr.exe",
            "processImageSha1Hash": "da8********098",
            "processIntegrityLevel": "LOW",
            "processIsRedirectedCommandProcessor": null,
            "processIsWow64": null,
            "processName": "HxTsr.exe",
            "processRoot": null,
            "processSessionId": null,
            "processStartTime": "2022-09-28T01:46:22.725Z",
            "processSubSystem": null,
            "processUniqueKey": "901********809",
            "publisher": null,
            "registryChangeCount": null,
            "registryId": null,
            "registryKeyPath": "MACHINE\\SYSTEM\\ControlSet001\\Services\\bam\\State\\UserSettings\\S-1-5-21-7B5******2062641580********-500*000\\microsoft.windowscommunicationsapps_8we*****bwe",
            "registryOldValue": "7B5********000",
            "registryOldValueFullSize": null,
            "registryOldValueIsComplete": null,
            "registryOldValueType": "BINARY",
            "registryPath": "MACHINE\\SYSTEM\\ControlSet001\\Services\\bam\\State\\UserSettings\\S-1-5-21-7B5******2062641580********-500*000\\microsoft.windowscommunicationsapps_8we*****bwe",
            "registryUid": null,
            "registryUuid": null,
            "registryValue": "2EFF********000",
            "registryValueFullSize": null,
            "registryValueIsComplete": null,
            "registryValueType": null,
            "relatedToThreat": "False",
            "retentionPeriod": "14",
            "rpid": null,
            "signatureSignedInvalidReason": null,
            "signedStatus": "unsigned",
            "siteId": "138********161",
            "siteName": "site2",
            "srcProcActiveContentFileId": null,
            "srcProcActiveContentHash": null,
            "srcProcActiveContentPath": null,
            "srcProcActiveContentSignedStatus": null,
            "srcProcActiveContentType": null,
            "srcProcBinaryisExecutable": null,
            "srcProcCmdLine": "\"C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_********_x64__8we*****bwe\\HxTsr.exe\" -ServerName:Hx.IPC.Server",
            "srcProcDisplayName": null,
            "srcProcImageMd5": null,
            "srcProcImagePath": "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_********_x64__8we*****bwe\\HxTsr.exe",
            "srcProcImageSha1": "da8********098",
            "srcProcImageSha256": null,
            "srcProcIntegrityLevel": "LOW",
            "srcProcIsNative64Bit": null,
            "srcProcIsRedirectCmdProcessor": null,
            "srcProcIsStorylineRoot": null,
            "srcProcName": "HxTsr.exe",
            "srcProcParentActiveContentFileId": null,
            "srcProcParentActiveContentHash": null,
            "srcProcParentActiveContentPath": null,
            "srcProcParentActiveContentSignedStatus": null,
            "srcProcParentActiveContentType": null,
            "srcProcParentCmdLine": null,
            "srcProcParentDisplayName": null,
            "srcProcParentImageMd5": null,
            "srcProcParentImagePath": "C:\\Windows\\System32\\sihost.exe",
            "srcProcParentImageSha1": "531********0cb",
            "srcProcParentImageSha256": null,
            "srcProcParentIntegrityLevel": null,
            "srcProcParentIsNative64Bit": null,
            "srcProcParentIsRedirectCmdProcessor": null,
            "srcProcParentIsStorylineRoot": null,
            "srcProcParentName": "sihost.exe",
            "srcProcParentPid": null,
            "srcProcParentProcUid": "282*******B02",
            "srcProcParentPublisher": null,
            "srcProcParentReasonSignatureInvalid": null,
            "srcProcParentSessionId": null,
            "srcProcParentSignedStatus": null,
            "srcProcParentStartTime": "2022-08-24T00:56:20.385Z",
            "srcProcParentStorylineId": "E69********891",
            "srcProcParentUid": "282*******B02",
            "srcProcParentUser": null,
            "srcProcPid": "12816",
            "srcProcPublisher": null,
            "srcProcReasonSignatureInvalid": null,
            "srcProcRelatedToThreat": "False",
            "srcProcRpid": null,
            "srcProcSessionId": null,
            "srcProcSignedStatus": "unsigned",
            "srcProcStartTime": "2022-09-28T01:46:22.725Z",
            "srcProcStorylineId": "D7F********984",
            "srcProcSubsystem": null,
            "srcProcTid": null,
            "srcProcUid": "901********809",
            "srcProcUser": "DESKTOP-H****D3\\Administrator",
            "srcProcVerifiedStatus": null,
            "storyline": "D7F********984",
            "tgtFileCreationCount": null,
            "tgtFileDeletionCount": null,
            "tgtFileModificationCount": null,
            "tiOriginalEventId": null,
            "tiOriginalEventIndex": null,
            "tiOriginalEventTraceId": null,
            "tid": null,
            "tiindicatorRelatedEventTime": null,
            "traceId": "01G********SHS",
            "trueContext": "D7F********984",
            "user": "DESKTOP-H****D3\\Administrator",
            "verifiedStatus": null
        }
    ],
    "pagination": {
        "nextCursor": "eyJ********yJ9",
        "totalItems": 695
    }
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the $.data path from the returned raw data.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "accountId": "131********791",
        "activeContentFileId": null,
        "activeContentHash": null,
        "activeContentPath": null,
        "activeContentSignedStatus": null,
        "activeContentType": null,
        "agentDomain": "WORKGROUP",
        "agentGroupId": "138********378",
        "agentId": "139********432",
        "agentInfected": true,
        "agentIp": "216.251.***.***",
        "agentIsActive": true,
        "agentIsDecommissioned": false,
        "agentMachineType": "desktop",
        "agentName": "DESKTOP-H****D3",
        "agentNetworkStatus": "connected",
        "agentOs": "windows",
        "agentTimestamp": "2022-09-28T01:45:56.535Z",
        "agentUuid": "cd8********661",
        "agentVersion": null,
        "childProcCount": null,
        "createdAt": "2022-09-28T01:45:56.535000Z",
        "crossProcCount": null,
        "crossProcDupRemoteProcHandleCount": null,
        "crossProcDupThreadHandleCount": null,
        "crossProcOpenProcCount": null,
        "crossProcOutOfStorylineCount": null,
        "crossProcThreadCreateCount": null,
        "dnsCount": null,
        "endpointMachineType": "desktop",
        "endpointName": "DESKTOP-H****D3",
        "endpointOs": "windows",
        "eventIndex": null,
        "eventRepetitionCount": null,
        "eventTime": "2022-09-28T01:45:56.535Z",
        "eventType": "Registry Value Modified",
        "fileIsExecutable": null,
        "fileMd5": null,
        "fileSha256": null,
        "id": "736********624",
        "indicatorBootConfigurationUpdateCount": null,
        "indicatorEvasionCount": null,
        "indicatorExploitationCount": null,
        "indicatorGeneralCount": null,
        "indicatorInfostealerCount": null,
        "indicatorInjectionCount": null,
        "indicatorPersistenceCount": null,
        "indicatorPostExploitationCount": null,
        "indicatorRansomwareCount": null,
        "indicatorReconnaissanceCount": null,
        "isAgentVersionFullySupportedForPg": false,
        "isAgentVersionFullySupportedForPgMessage": "The event generated from this Agent version does not contain all information needed for the Process Graph. The Graph is GA with Agent versions: Windows 22.1 EA2+, Linux 22.2 EA+ and macOS 21.12 GA+",
        "lastActivatedAt": "2022-07-31T08:10:36.000Z",
        "metaEventName": "REGVALUEMODIFIED",
        "moduleCount": null,
        "netConnCount": null,
        "netConnInCount": null,
        "netConnOutCount": null,
        "objectType": "registry",
        "osSrcChildProcCount": null,
        "osSrcCrossProcCount": null,
        "osSrcCrossProcDupRemoteProcHandleCount": null,
        "osSrcCrossProcDupThreadHandleCount": null,
        "osSrcCrossProcOpenProcCount": null,
        "osSrcCrossProcOutOfStorylineCount": null,
        "osSrcCrossProcThreadCreateCount": null,
        "osSrcDnsCount": null,
        "osSrcIndicatorBootConfigurationUpdateCount": null,
        "osSrcIndicatorEvasionCount": null,
        "osSrcIndicatorExploitationCount": null,
        "osSrcIndicatorGeneralCount": null,
        "osSrcIndicatorInfostealerCount": null,
        "osSrcIndicatorInjectionCount": null,
        "osSrcIndicatorPersistenceCount": null,
        "osSrcIndicatorPostExploitationCount": null,
        "osSrcIndicatorRansomwareCount": null,
        "osSrcIndicatorReconnaissanceCount": null,
        "osSrcModuleCount": null,
        "osSrcNetConnCount": null,
        "osSrcNetConnInCount": null,
        "osSrcNetConnOutCount": null,
        "osSrcProcActiveContentFileId": null,
        "osSrcProcActiveContentHash": null,
        "osSrcProcActiveContentPath": null,
        "osSrcProcActiveContentSignedStatus": null,
        "osSrcProcActiveContentType": null,
        "osSrcProcBinaryisExecutable": null,
        "osSrcProcCmdLine": null,
        "osSrcProcDisplayName": null,
        "osSrcProcImageMd5": null,
        "osSrcProcImagePath": null,
        "osSrcProcImageSha1": null,
        "osSrcProcImageSha256": null,
        "osSrcProcIntegrityLevel": null,
        "osSrcProcIsNative64Bit": null,
        "osSrcProcIsRedirectCmdProcessor": null,
        "osSrcProcIsStorylineRoot": null,
        "osSrcProcName": null,
        "osSrcProcParentActiveContentFileId": null,
        "osSrcProcParentActiveContentHash": null,
        "osSrcProcParentActiveContentPath": null,
        "osSrcProcParentActiveContentSignedStatus": null,
        "osSrcProcParentActiveContentType": null,
        "osSrcProcParentCmdLine": null,
        "osSrcProcParentDisplayName": null,
        "osSrcProcParentImageMd5": null,
        "osSrcProcParentImagePath": "C:\\******\\********\\*******.exe",
        "osSrcProcParentImageSha1": "1f9********b97",
        "osSrcProcParentImageSha256": null,
        "osSrcProcParentIntegrityLevel": null,
        "osSrcProcParentIsNative64Bit": null,
        "osSrcProcParentIsRedirectCmdProcessor": null,
        "osSrcProcParentIsStorylineRoot": null,
        "osSrcProcParentName": "svchost.exe",
        "osSrcProcParentPid": null,
        "osSrcProcParentPublisher": null,
        "osSrcProcParentReasonSignatureInvalid": null,
        "osSrcProcParentSessionId": null,
        "osSrcProcParentSignedStatus": null,
        "osSrcProcParentStartTime": "2022-08-24T00:55:24.193Z",
        "osSrcProcParentStorylineId": "AF0*****B0E",
        "osSrcProcParentUid": "257********EDC",
        "osSrcProcParentUser": null,
        "osSrcProcPid": null,
        "osSrcProcPublisher": null,
        "osSrcProcReasonSignatureInvalid": null,
        "osSrcProcRelatedToThreat": "False",
        "osSrcProcSessionId": null,
        "osSrcProcSignedStatus": null,
        "osSrcProcStartTime": null,
        "osSrcProcStorylineId": null,
        "osSrcProcSubsystem": null,
        "osSrcProcUid": null,
        "osSrcProcUser": null,
        "osSrcProcVerifiedStatus": null,
        "osSrcRegistryChangeCount": null,
        "osSrcTgtFileCreationCount": null,
        "osSrcTgtFileDeletionCount": null,
        "osSrcTgtFileModificationCount": null,
        "parentPid": null,
        "parentProcessName": "sihost.exe",
        "parentProcessStartTime": "2022-08-24T00:56:20.385Z",
        "parentProcessUniqueKey": "901********809",
        "pid": "12816",
        "processCmd": "\"C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_********_x64__8we*****bwe\\HxTsr.exe\" -ServerName:Hx.IPC.Server",
        "processDisplayName": null,
        "processGroupId": "D7F********984",
        "processImagePath": "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_********_x64__8we*****bwe\\HxTsr.exe",
        "processImageSha1Hash": "da8********098",
        "processIntegrityLevel": "LOW",
        "processIsRedirectedCommandProcessor": null,
        "processIsWow64": null,
        "processName": "HxTsr.exe",
        "processRoot": null,
        "processSessionId": null,
        "processStartTime": "2022-09-28T01:46:22.725Z",
        "processSubSystem": null,
        "processUniqueKey": "901********809",
        "publisher": null,
        "registryChangeCount": null,
        "registryId": null,
        "registryKeyPath": "MACHINE\\SYSTEM\\ControlSet001\\Services\\bam\\State\\UserSettings\\S-1-5-21-7B5******2062641580********-500*000\\microsoft.windowscommunicationsapps_8we*****bwe",
        "registryOldValue": "7B5********000",
        "registryOldValueFullSize": null,
        "registryOldValueIsComplete": null,
        "registryOldValueType": "BINARY",
        "registryPath": "MACHINE\\SYSTEM\\ControlSet001\\Services\\bam\\State\\UserSettings\\S-1-5-21-7B5******2062641580********-500*000\\microsoft.windowscommunicationsapps_8we*****bwe",
        "registryUid": null,
        "registryUuid": null,
        "registryValue": "2EFF********000",
        "registryValueFullSize": null,
        "registryValueIsComplete": null,
        "registryValueType": null,
        "relatedToThreat": "False",
        "retentionPeriod": "14",
        "rpid": null,
        "signatureSignedInvalidReason": null,
        "signedStatus": "unsigned",
        "siteId": "138********161",
        "siteName": "site2",
        "srcProcActiveContentFileId": null,
        "srcProcActiveContentHash": null,
        "srcProcActiveContentPath": null,
        "srcProcActiveContentSignedStatus": null,
        "srcProcActiveContentType": null,
        "srcProcBinaryisExecutable": null,
        "srcProcCmdLine": "\"C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_********_x64__8we*****bwe\\HxTsr.exe\" -ServerName:Hx.IPC.Server",
        "srcProcDisplayName": null,
        "srcProcImageMd5": null,
        "srcProcImagePath": "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_********_x64__8we*****bwe\\HxTsr.exe",
        "srcProcImageSha1": "da8********098",
        "srcProcImageSha256": null,
        "srcProcIntegrityLevel": "LOW",
        "srcProcIsNative64Bit": null,
        "srcProcIsRedirectCmdProcessor": null,
        "srcProcIsStorylineRoot": null,
        "srcProcName": "HxTsr.exe",
        "srcProcParentActiveContentFileId": null,
        "srcProcParentActiveContentHash": null,
        "srcProcParentActiveContentPath": null,
        "srcProcParentActiveContentSignedStatus": null,
        "srcProcParentActiveContentType": null,
        "srcProcParentCmdLine": null,
        "srcProcParentDisplayName": null,
        "srcProcParentImageMd5": null,
        "srcProcParentImagePath": "C:\\Windows\\System32\\sihost.exe",
        "srcProcParentImageSha1": "531********0cb",
        "srcProcParentImageSha256": null,
        "srcProcParentIntegrityLevel": null,
        "srcProcParentIsNative64Bit": null,
        "srcProcParentIsRedirectCmdProcessor": null,
        "srcProcParentIsStorylineRoot": null,
        "srcProcParentName": "sihost.exe",
        "srcProcParentPid": null,
        "srcProcParentProcUid": "282*******B02",
        "srcProcParentPublisher": null,
        "srcProcParentReasonSignatureInvalid": null,
        "srcProcParentSessionId": null,
        "srcProcParentSignedStatus": null,
        "srcProcParentStartTime": "2022-08-24T00:56:20.385Z",
        "srcProcParentStorylineId": "E69********891",
        "srcProcParentUid": "282*******B02",
        "srcProcParentUser": null,
        "srcProcPid": "12816",
        "srcProcPublisher": null,
        "srcProcReasonSignatureInvalid": null,
        "srcProcRelatedToThreat": "False",
        "srcProcRpid": null,
        "srcProcSessionId": null,
        "srcProcSignedStatus": "unsigned",
        "srcProcStartTime": "2022-09-28T01:46:22.725Z",
        "srcProcStorylineId": "D7F********984",
        "srcProcSubsystem": null,
        "srcProcTid": null,
        "srcProcUid": "901********809",
        "srcProcUser": "DESKTOP-H****D3\\Administrator",
        "srcProcVerifiedStatus": null,
        "storyline": "D7F********984",
        "tgtFileCreationCount": null,
        "tgtFileDeletionCount": null,
        "tgtFileModificationCount": null,
        "tiOriginalEventId": null,
        "tiOriginalEventIndex": null,
        "tiOriginalEventTraceId": null,
        "tid": null,
        "tiindicatorRelatedEventTime": null,
        "traceId": "01G********SHS",
        "trueContext": "D7F********984",
        "user": "DESKTOP-H****D3\\Administrator",
        "verifiedStatus": null
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "Process IDs": [
        "736********624"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Agent Process failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Deep Visibility currently retains data for 14 days, to increase your data retention, please contact S1.

Error Sample Data

Get Agent Process failed.

Status Code: 400.

Message: Deep Visibility currently retains data for 14 days, to increase your data retention, please contact S1.

Get Alerts

Retrieves a list of alerts based on filter parameters.

READER NOTE

Site IDs and Endpoint Names are optional parameters to run this command.

  • Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.

  • Run the List Agents command to obtain Endpoint Names. Endpoint Names can be found in the raw data at the path $.data[*].computerName.

If you want to view alert related threats, you can use the Get Threat command with Storyline IDs obtained from this command as input parameter. Storyline IDs can be found in the raw data at the path $.data[*].sourceProcessInfo.storyline.

If your inputs are invalid, the command will return success with no result.

Input

Input Parameter

Required/Optional

Description

Example

Created After

Optional

Returns alerts which were created after or at this time.

2023-08-11 00:00

Created Before

Optional

Returns alerts which were created before or at this time.

2023-08-11 00:00

Incident Statuses

Optional

Filter alerts by incident status. The available statuses are RESOLVED, UNRESOLVED and IN_PROGRESS

[ "IN_PROGRESS" ]

Analyst Verdicts

Optional

Filter alerts by analyst verdict. The available analyst verdicts are FALSE_POSITIVE,TRUE_POSITIVE,SUSPICIOUS and UNDEFINED.

[ "SUSPICIOUS", "UNDEFINED" ]

Site IDs

Optional

List of Site IDs to filter by. You can get Site ID with Get Sites command.

[ "138********161" ]

Rule Names

Optional

Free-text filter by rule name. You can enter multiple rule names.

[ "Test rule", "testrule1" ]

Endpoint Names

Optional

Free-text filter by agent name. You can get Endpoint Name with List Agents command.

[ "lab3-***" ]

Severity

Optional

Filters by severity. Options are Critical, High, Medium and Low.

High

Query

Optional

Full text search for all fields. For example, you can query an artifact value, such as hash, process name, IP or URL etc. Or you can query a storyline ID.

[ "2d7********c1a" ]

Limit

Optional

Limit number of returned alerts. The valid value is an integer between 0 and 1000. If not specified, the default limit is 1000. If you want all alerts matching search criteria to be returned, please set limit to 0.

10

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": [
        {
            "agentDetectionInfo": {
                "accountId": "131********791",
                "machineType": "desktop",
                "name": "lab3-***",
                "osFamily": "windows",
                "osName": "Windows 10 Pro N",
                "osRevision": "19045",
                "siteId": "138********161",
                "uuid": "5f0********c50",
                "version": "22.2.5.806"
            },
            "agentRealtimeInfo": {
                "id": "162*******234",
                "infected": false,
                "isActive": true,
                "isDecommissioned": false,
                "machineType": "desktop",
                "name": "lab3-***",
                "os": "windows",
                "uuid": "5f0********c50"
            },
            "alertInfo": {
                "alertId": "174********865",
                "analystVerdict": "Undefined",
                "createdAt": "2023-08-11T18:05:56.116000Z",
                "dnsRequest": null,
                "dnsResponse": null,
                "dstIp": null,
                "dstPort": null,
                "dvEventId": "01H********N0AE_25",
                "eventType": "SCHEDTASKUPDATE",
                "hitType": "Events",
                "incidentStatus": "Unresolved",
                "indicatorCategory": null,
                "indicatorDescription": null,
                "indicatorName": null,
                "isEdr": true,
                "loginAccountDomain": null,
                "loginAccountSid": null,
                "loginIsAdministratorEquivalent": null,
                "loginIsSuccessful": null,
                "loginType": null,
                "loginsUserName": null,
                "modulePath": null,
                "moduleSha1": null,
                "netEventDirection": null,
                "registryKeyPath": null,
                "registryOldValue": null,
                "registryOldValueType": null,
                "registryPath": null,
                "registryValue": null,
                "reportedAt": "2023-08-11T18:06:08.433359Z",
                "source": "STAR",
                "srcIp": null,
                "srcMachineIp": null,
                "srcPort": null,
                "tiIndicatorComparisonMethod": null,
                "tiIndicatorSource": null,
                "tiIndicatorType": null,
                "tiIndicatorValue": null,
                "updatedAt": "2023-08-11T18:06:08.433359Z"
            },
            "containerInfo": {
                "id": null,
                "image": null,
                "labels": null,
                "name": null
            },
            "kubernetesInfo": {
                "cluster": null,
                "controllerKind": null,
                "controllerLabels": null,
                "controllerName": null,
                "namespace": null,
                "namespaceLabels": null,
                "node": null,
                "pod": null,
                "podLabels": null
            },
            "ruleInfo": {
                "description": null,
                "id": "173********793",
                "name": "Test rule",
                "queryLang": "1.0",
                "queryType": "events",
                "s1ql": "EndpointName Contains \"lab\"",
                "scopeLevel": "account",
                "severity": "High",
                "treatAsThreat": "Suspicious"
            },
            "sourceParentProcessInfo": {
                "commandline": "C:\\WINDOWS\\system32\\services.exe",
                "fileHashMd5": "14b********bd2",
                "fileHashSha1": "2d7********c1a",
                "fileHashSha256": "e6f********317",
                "filePath": "C:\\Windows\\System32\\services.exe",
                "fileSignerIdentity": "MICROSOFT WINDOWS PUBLISHER",
                "integrityLevel": "system",
                "name": "services.exe",
                "pid": "712",
                "pidStarttime": "2023-08-09T03:53:40.442000Z",
                "storyline": "0BA********E72",
                "subsystem": "sys_win32",
                "uniqueId": "0AA********E72",
                "user": "NT AUTHORITY\\SYSTEM"
            },
            "sourceProcessInfo": {
                "commandline": "C:\\******\\********\\*******.exe -k wusvcs -p -s WaaSMedicSvc",
                "fileHashMd5": "b7f*******f6a",
                "fileHashSha1": "1bc*******0d1",
                "fileHashSha256": "add********fe88",
                "filePath": "C:\\******\\********\\*******.exe",
                "fileSignerIdentity": "MICROSOFT WINDOWS",
                "integrityLevel": "system",
                "name": "svchost.exe",
                "pid": "4948",
                "pidStarttime": "2023-08-11T17:59:31.297000Z",
                "storyline": "3A3******FE72",
                "subsystem": "sys_win32",
                "uniqueId": "393********FE72",
                "user": "NT AUTHORITY\\SYSTEM"
            },
            "targetProcessInfo": {
                "tgtFileCreatedAt": "1970-01-01T00:00:00Z",
                "tgtFileHashSha1": null,
                "tgtFileHashSha256": null,
                "tgtFileId": null,
                "tgtFileIsSigned": "signed",
                "tgtFileModifiedAt": "1970-01-01T00:00:00Z",
                "tgtFileOldPath": null,
                "tgtFilePath": null,
                "tgtProcCmdLine": null,
                "tgtProcImagePath": null,
                "tgtProcIntegrityLevel": "unknown",
                "tgtProcName": null,
                "tgtProcPid": null,
                "tgtProcSignedStatus": null,
                "tgtProcStorylineId": null,
                "tgtProcUid": null,
                "tgtProcessStartTime": "1970-01-01T00:00:00Z"
            }
        }
    ],
    "pagination": {
        "nextCursor": "eyJ******************%3D",
        "totalItems": 2
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "AlertIDs": [
        "174********865"
    ],
    "AnalystVerdicts": [
        "Undefined"
    ],
    "IncidentStatuses": [
        "Unresolved"
    ],
    "AgentNames": [
        "lab3-***"
    ],
    "StorylineIDs": [
        "3A3******FE72"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Alerts failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized access.

Error Sample Data

Get Alerts failed.

Status Code: 403.

Message: Unauthorized access.

Get Black List

Retrieves item(s) from the blacklist.

Input

Input Parameter

Required/Optional

Description

Example

Limit

Optional

Sets the maximum number of items to return (between 1 to 1000). Up to 1000 blacklists will be returned if you leave this field empty.

10

Custom Input

Optional

Defines the queries in JSON format to filter results. Please refer to https://usea1-partners.sentinelone.net/api-doc/api-details?category=exclusions-and-blacklist=get-blacklist for more information about query parameters.

{

"type": "black_hash",

"tenant": false,

"siteIds": "947********671"

}

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": [
        {
            "createdAt": "2020-08-06T00:37:26.489403Z",
            "description": null,
            "id": "951********130",
            "osType": "windows",
            "scope": {
                "siteIds": [
                    "947********671"
                ]
            },
            "scopeName": "D3",
            "source": "user",
            "type": "black_hash",
            "updatedAt": "2020-08-06T00:37:26.489026Z",
            "userId": "947*******716",
            "userName": "Pul*** Sa***",
            "value": "d25********225"
        },
        {
            "createdAt": "2020-08-06T00:37:26.708571Z",
            "description": null,
            "id": "951********287",
            "osType": "windows",
            "scope": {
                "siteIds": [
                    "947********671"
                ]
            },
            "scopeName": "D3",
            "source": "user",
            "type": "black_hash",
            "updatedAt": "2020-08-06T00:37:26.708176Z",
            "userId": "947*******716",
            "userName": "Pul*** Sa***",
            "value": "a6d********d00"
        }
    ],
    "pagination": {
        "nextCursor": null,
        "totalItems": 2
    }
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the $.data path from the returned raw data.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "createdAt": "2020-08-06T00:37:26.489403Z",
        "description": null,
        "id": "951********130",
        "osType": "windows",
        "scope": {
            "siteIds": [
                "947********671"
            ]
        },
        "scopeName": "D3",
        "source": "user",
        "type": "black_hash",
        "updatedAt": "2020-08-06T00:37:26.489026Z",
        "userId": "947*******716",
        "userName": "Pul*** Sa***",
        "value": "d25********225"
    },
    {
        "createdAt": "2020-08-06T00:37:26.708571Z",
        "description": null,
        "id": "951********287",
        "osType": "windows",
        "scope": {
            "siteIds": [
                "947********671"
            ]
        },
        "scopeName": "D3",
        "source": "user",
        "type": "black_hash",
        "updatedAt": "2020-08-06T00:37:26.708176Z",
        "userId": "947*******716",
        "userName": "Pul*** Sa***",
        "value": "a6d********d00"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ItemIDs": [
        "951********130",
        "951********287"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Black List failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The value for parameter (Custom Input) is invalid.

Error Sample Data

Get Black List failed.

Status Code: 400.

Message: The value for parameter (Custom Input) is invalid.

Get Events by Query ID and Type

Retrieves Deep Visibility events from the specified Query ID and/or Event Type.

READER NOTE

Query ID is a required parameter to run this command.

  • Run the Create Query command to obtain the Query ID. Query IDs can be found in the raw data at the path $.data.queryId.

Please note that only the query IDs under the created account can be used here. Which means query ID under account1 cannot be retrieved with this command under account2. No matter what the scopes are for those accounts.

Input

Input Parameter

Required/Optional

Description

Example

Query ID

Required

The Query ID of the query to retrieve events. Query ID can be obtained using the Create Query command.

qe1********bed

Event Type

Optional

The type of event to return. The valid event types are: DNS, Events, File, IP, Logins, Process, Registry, Scheduled Task and URL.

Events

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": [
        {
            "accountId": null,
            "activeContentFileId": null,
            "activeContentHash": null,
            "activeContentPath": null,
            "activeContentSignedStatus": null,
            "activeContentType": null,
            "agentDomain": "WORKGROUP",
            "agentGroupId": "138********378",
            "agentId": "139********432",
            "agentInfected": true,
            "agentIp": "216.251.***.***",
            "agentIsActive": true,
            "agentIsDecommissioned": false,
            "agentMachineType": "desktop",
            "agentName": "DESKTOP-H****D3",
            "agentNetworkStatus": "connected",
            "agentOs": "windows",
            "agentTimestamp": "2022-04-22T00:10:52.725Z",
            "agentUuid": "cd8********661",
            "agentVersion": "21.7.5.1080",
            "childProcCount": "0",
            "containerId": null,
            "containerImage": null,
            "containerLabels": null,
            "containerName": null,
            "convictedBy": null,
            "createdAt": "2022-04-22T00:10:52.725000Z",
            "crossProcCount": "0",
            "crossProcDupRemoteProcHandleCount": "0",
            "crossProcDupThreadHandleCount": "0",
            "crossProcOpenProcCount": "0",
            "crossProcOutOfStorylineCount": "0",
            "crossProcThreadCreateCount": "0",
            "dnsCount": "0",
            "endpointMachineType": "desktop",
            "endpointName": "DESKTOP-H****D3",
            "endpointOs": "windows",
            "eventIndex": "7",
            "eventTime": "2022-04-22T00:10:52.725Z",
            "eventType": "File Rename",
            "fileCreatedAt": "2022-04-22T00:10:52.725Z",
            "fileFullName": "C:\\Windows\\System32\\sru\\SRU.log",
            "fileId": "DFA********9A8",
            "fileIsExecutable": "True",
            "fileLocation": "Local",
            "fileMd5": "cd1********c16",
            "fileModifyAt": "2022-04-22T00:10:52.725Z",
            "fileSha1": "647********e16",
            "fileSha256": "f3f********881",
            "fileSize": "65536",
            "fileType": "log",
            "id": "678********040",
            "indicatorBootConfigurationUpdateCount": "0",
            "indicatorEvasionCount": "0",
            "indicatorExploitationCount": "0",
            "indicatorGeneralCount": "5",
            "indicatorInfostealerCount": "0",
            "indicatorInjectionCount": "0",
            "indicatorPersistenceCount": "0",
            "indicatorPostExploitationCount": "0",
            "indicatorRansomwareCount": "0",
            "indicatorReconnaissanceCount": "0",
            "k8sClusterName": null,
            "k8sControllerLabels": null,
            "k8sControllerName": null,
            "k8sControllerType": null,
            "k8sNamespace": null,
            "k8sNamespaceLabels": null,
            "k8sNode": null,
            "k8sPodLabels": null,
            "k8sPodName": null,
            "lastActivatedAt": null,
            "metaEventName": "FILERENAME",
            "moduleCount": "293",
            "netConnCount": "0",
            "netConnInCount": "0",
            "netConnOutCount": "0",
            "newFileName": null,
            "objectType": "file",
            "oldFileMd5": null,
            "oldFileName": "C:\\Windows\\System32\\sru\\SRUtmp.log",
            "oldFileSha1": null,
            "oldFileSha256": null,
            "osSrcChildProcCount": null,
            "osSrcCrossProcCount": null,
            "osSrcCrossProcDupRemoteProcHandleCount": null,
            "osSrcCrossProcDupThreadHandleCount": null,
            "osSrcCrossProcOpenProcCount": null,
            "osSrcCrossProcOutOfStorylineCount": null,
            "osSrcCrossProcThreadCreateCount": null,
            "osSrcDnsCount": null,
            "osSrcIndicatorBootConfigurationUpdateCount": null,
            "osSrcIndicatorEvasionCount": null,
            "osSrcIndicatorExploitationCount": null,
            "osSrcIndicatorGeneralCount": null,
            "osSrcIndicatorInfostealerCount": null,
            "osSrcIndicatorInjectionCount": null,
            "osSrcIndicatorPersistenceCount": null,
            "osSrcIndicatorPostExploitationCount": null,
            "osSrcIndicatorRansomwareCount": null,
            "osSrcIndicatorReconnaissanceCount": null,
            "osSrcModuleCount": null,
            "osSrcNetConnCount": null,
            "osSrcNetConnInCount": null,
            "osSrcNetConnOutCount": null,
            "osSrcProcActiveContentFileId": null,
            "osSrcProcActiveContentHash": null,
            "osSrcProcActiveContentPath": null,
            "osSrcProcActiveContentSignedStatus": null,
            "osSrcProcActiveContentType": null,
            "osSrcProcBinaryisExecutable": null,
            "osSrcProcCmdLine": null,
            "osSrcProcDisplayName": null,
            "osSrcProcImageMd5": null,
            "osSrcProcImagePath": null,
            "osSrcProcImageSha1": null,
            "osSrcProcImageSha256": null,
            "osSrcProcIntegrityLevel": null,
            "osSrcProcIsNative64Bit": null,
            "osSrcProcIsRedirectCmdProcessor": null,
            "osSrcProcIsStorylineRoot": null,
            "osSrcProcName": null,
            "osSrcProcParentActiveContentFileId": null,
            "osSrcProcParentActiveContentHash": null,
            "osSrcProcParentActiveContentPath": null,
            "osSrcProcParentActiveContentSignedStatus": null,
            "osSrcProcParentActiveContentType": null,
            "osSrcProcParentCmdLine": null,
            "osSrcProcParentDisplayName": null,
            "osSrcProcParentImageMd5": null,
            "osSrcProcParentImagePath": null,
            "osSrcProcParentImageSha1": null,
            "osSrcProcParentImageSha256": null,
            "osSrcProcParentIntegrityLevel": null,
            "osSrcProcParentIsNative64Bit": null,
            "osSrcProcParentIsRedirectCmdProcessor": null,
            "osSrcProcParentIsStorylineRoot": null,
            "osSrcProcParentName": null,
            "osSrcProcParentPid": null,
            "osSrcProcParentPublisher": null,
            "osSrcProcParentReasonSignatureInvalid": null,
            "osSrcProcParentSessionId": null,
            "osSrcProcParentSignedStatus": null,
            "osSrcProcParentStartTime": null,
            "osSrcProcParentStorylineId": null,
            "osSrcProcParentUid": null,
            "osSrcProcParentUser": null,
            "osSrcProcPid": null,
            "osSrcProcPublisher": null,
            "osSrcProcReasonSignatureInvalid": null,
            "osSrcProcRelatedToThreat": "False",
            "osSrcProcSessionId": null,
            "osSrcProcSignedStatus": null,
            "osSrcProcStartTime": null,
            "osSrcProcStorylineId": null,
            "osSrcProcSubsystem": null,
            "osSrcProcUid": null,
            "osSrcProcUser": null,
            "osSrcProcVerifiedStatus": null,
            "osSrcRegistryChangeCount": null,
            "osSrcTgtFileCreationCount": null,
            "osSrcTgtFileDeletionCount": null,
            "osSrcTgtFileModificationCount": null,
            "parentPid": "956",
            "parentProcessName": "services.exe",
            "parentProcessStartTime": "2022-04-17T07:19:15.842Z",
            "parentProcessUniqueKey": "C70********231",
            "pid": "4120",
            "processCmd": "C:\\******\\********\\*******.exe -k LocalServiceNoNetwork -p -s DPS",
            "processDisplayName": "Host Process for Windows Services",
            "processGroupId": "17F*******736",
            "processImagePath": "C:\\******\\********\\*******.exe",
            "processImageSha1Hash": "1f9********b97",
            "processIntegrityLevel": "SYSTEM",
            "processIsRedirectedCommandProcessor": "False",
            "processIsWow64": "False",
            "processName": "svchost.exe",
            "processRoot": "True",
            "processSessionId": "0",
            "processStartTime": "2022-04-17T07:19:30.774Z",
            "processSubSystem": "SYS_WIN32",
            "processUniqueKey": "C70********231",
            "publisher": "MICROSOFT WINDOWS PUBLISHER",
            "registryChangeCount": "0",
            "relatedToThreat": "False",
            "retentionPeriod": null,
            "rpid": null,
            "signatureSignedInvalidReason": null,
            "signedStatus": "signed",
            "siteId": "138********161",
            "siteName": "site2",
            "srcProcActiveContentFileId": null,
            "srcProcActiveContentHash": null,
            "srcProcActiveContentPath": null,
            "srcProcActiveContentSignedStatus": null,
            "srcProcActiveContentType": null,
            "srcProcBinaryisExecutable": "True",
            "srcProcCmdLine": "C:\\******\\********\\*******.exe -k LocalServiceNoNetwork -p -s DPS",
            "srcProcDisplayName": "Host Process for Windows Services",
            "srcProcImageMd5": "cd1********c16",
            "srcProcImagePath": "C:\\******\\********\\*******.exe",
            "srcProcImageSha1": "1f9********b97",
            "srcProcImageSha256": "f3f********881",
            "srcProcIntegrityLevel": "SYSTEM",
            "srcProcIsNative64Bit": "False",
            "srcProcIsRedirectCmdProcessor": "False",
            "srcProcIsStorylineRoot": "True",
            "srcProcName": "svchost.exe",
            "srcProcParentActiveContentFileId": null,
            "srcProcParentActiveContentHash": null,
            "srcProcParentActiveContentPath": null,
            "srcProcParentActiveContentSignedStatus": null,
            "srcProcParentActiveContentType": null,
            "srcProcParentCmdLine": "C:\\WINDOWS\\system32\\services.exe",
            "srcProcParentDisplayName": "Services and Controller app",
            "srcProcParentImageMd5": "d8e********5a9",
            "srcProcParentImagePath": "C:\\Windows\\System32\\services.exe",
            "srcProcParentImageSha1": "d7a********e54",
            "srcProcParentImageSha256": "dfbe********a674",
            "srcProcParentIntegrityLevel": "SYSTEM",
            "srcProcParentIsNative64Bit": "False",
            "srcProcParentIsRedirectCmdProcessor": "False",
            "srcProcParentIsStorylineRoot": "True",
            "srcProcParentName": "services.exe",
            "srcProcParentPid": "956",
            "srcProcParentProcUid": "92C********F3C",
            "srcProcParentPublisher": "MICROSOFT WINDOWS PUBLISHER",
            "srcProcParentReasonSignatureInvalid": null,
            "srcProcParentSessionId": "0",
            "srcProcParentSignedStatus": "signed",
            "srcProcParentStartTime": "2022-04-17T07:19:15.842Z",
            "srcProcParentStorylineId": "B71********716",
            "srcProcParentUid": "92C********F3C",
            "srcProcParentUser": "NT AUTHORITY\\SYSTEM",
            "srcProcPid": "4120",
            "srcProcPublisher": "MICROSOFT WINDOWS PUBLISHER",
            "srcProcReasonSignatureInvalid": null,
            "srcProcRelatedToThreat": "False",
            "srcProcRpid": null,
            "srcProcSessionId": "0",
            "srcProcSignedStatus": "signed",
            "srcProcStartTime": "2022-04-17T07:19:30.774Z",
            "srcProcStorylineId": "17F*******736",
            "srcProcSubsystem": "SYS_WIN32",
            "srcProcTid": null,
            "srcProcUid": "C70********231",
            "srcProcUser": "NT AUTHORITY\\LOCAL SERVICE",
            "srcProcVerifiedStatus": "verified",
            "storyline": "17F*******736",
            "tgtFileConvictedBy": null,
            "tgtFileCreatedAt": "1601-01-01T00:00:00.000Z",
            "tgtFileCreationCount": "0",
            "tgtFileDeletionCount": "0",
            "tgtFileDescription": null,
            "tgtFileExtension": "log",
            "tgtFileId": "DFA********9A8",
            "tgtFileInternalName": null,
            "tgtFileIsExecutable": "False",
            "tgtFileIsSigned": null,
            "tgtFileLocation": "Local",
            "tgtFileMd5": "745********4eb",
            "tgtFileModificationCount": "0",
            "tgtFileModifiedAt": "1601-01-01T00:00:00.000Z",
            "tgtFileOldMd5": null,
            "tgtFileOldPath": "C:\\Windows\\System32\\sru\\SRUtmp.log",
            "tgtFileOldSha1": null,
            "tgtFileOldSha256": null,
            "tgtFilePath": "C:\\Windows\\System32\\sru\\SRU.log",
            "tgtFileSha1": "647********e16",
            "tgtFileSha256": "301********c16",
            "tgtFileSize": "65536",
            "tgtFileType": null,
            "tiOriginalEventId": null,
            "tiOriginalEventIndex": null,
            "tiOriginalEventTraceId": null,
            "tid": null,
            "tiindicatorRelatedEventTime": null,
            "traceId": "01G*******R0H",
            "trueContext": "17F*******736",
            "user": "NT AUTHORITY\\LOCAL SERVICE",
            "verifiedStatus": "verified"
        },
        {
            "accountId": null,
            "activeContentFileId": null,
            "activeContentHash": null,
            "activeContentPath": null,
            "activeContentSignedStatus": null,
            "activeContentType": null,
            "agentDomain": "WORKGROUP",
            "agentGroupId": "138********378",
            "agentId": "139********432",
            "agentInfected": true,
            "agentIp": "216.251.***.***",
            "agentIsActive": true,
            "agentIsDecommissioned": false,
            "agentMachineType": "desktop",
            "agentName": "DESKTOP-H****D3",
            "agentNetworkStatus": "connected",
            "agentOs": "windows",
            "agentTimestamp": "2022-04-22T00:10:52.722Z",
            "agentUuid": "cd8********661",
            "agentVersion": "21.7.5.1080",
            "childProcCount": "0",
            "containerId": null,
            "containerImage": null,
            "containerLabels": null,
            "containerName": null,
            "convictedBy": null,
            "createdAt": "2022-04-22T00:10:52.722000Z",
            "crossProcCount": "0",
            "crossProcDupRemoteProcHandleCount": "0",
            "crossProcDupThreadHandleCount": "0",
            "crossProcOpenProcCount": "0",
            "crossProcOutOfStorylineCount": "0",
            "crossProcThreadCreateCount": "0",
            "dnsCount": "0",
            "endpointMachineType": "desktop",
            "endpointName": "DESKTOP-H****D3",
            "endpointOs": "windows",
            "eventIndex": "6",
            "eventTime": "2022-04-22T00:10:52.722Z",
            "eventType": "File Rename",
            "fileCreatedAt": "2022-04-22T00:10:52.722Z",
            "fileFullName": "C:\\Windows\\System32\\sru\\SR****1D.log",
            "fileId": "E81********30B",
            "fileIsExecutable": "True",
            "fileLocation": "Local",
            "fileMd5": "cd1********c16",
            "fileModifyAt": "2022-04-22T00:10:52.722Z",
            "fileSha1": "5fe********39a",
            "fileSha256": "f3f********881",
            "fileSize": "65536",
            "fileType": "log",
            "id": "678********696",
            "indicatorBootConfigurationUpdateCount": "0",
            "indicatorEvasionCount": "0",
            "indicatorExploitationCount": "0",
            "indicatorGeneralCount": "5",
            "indicatorInfostealerCount": "0",
            "indicatorInjectionCount": "0",
            "indicatorPersistenceCount": "0",
            "indicatorPostExploitationCount": "0",
            "indicatorRansomwareCount": "0",
            "indicatorReconnaissanceCount": "0",
            "k8sClusterName": null,
            "k8sControllerLabels": null,
            "k8sControllerName": null,
            "k8sControllerType": null,
            "k8sNamespace": null,
            "k8sNamespaceLabels": null,
            "k8sNode": null,
            "k8sPodLabels": null,
            "k8sPodName": null,
            "lastActivatedAt": null,
            "metaEventName": "FILERENAME",
            "moduleCount": "293",
            "netConnCount": "0",
            "netConnInCount": "0",
            "netConnOutCount": "0",
            "newFileName": null,
            "objectType": "file",
            "oldFileMd5": null,
            "oldFileName": "C:\\Windows\\System32\\sru\\SRU.log",
            "oldFileSha1": null,
            "oldFileSha256": null,
            "osSrcChildProcCount": null,
            "osSrcCrossProcCount": null,
            "osSrcCrossProcDupRemoteProcHandleCount": null,
            "osSrcCrossProcDupThreadHandleCount": null,
            "osSrcCrossProcOpenProcCount": null,
            "osSrcCrossProcOutOfStorylineCount": null,
            "osSrcCrossProcThreadCreateCount": null,
            "osSrcDnsCount": null,
            "osSrcIndicatorBootConfigurationUpdateCount": null,
            "osSrcIndicatorEvasionCount": null,
            "osSrcIndicatorExploitationCount": null,
            "osSrcIndicatorGeneralCount": null,
            "osSrcIndicatorInfostealerCount": null,
            "osSrcIndicatorInjectionCount": null,
            "osSrcIndicatorPersistenceCount": null,
            "osSrcIndicatorPostExploitationCount": null,
            "osSrcIndicatorRansomwareCount": null,
            "osSrcIndicatorReconnaissanceCount": null,
            "osSrcModuleCount": null,
            "osSrcNetConnCount": null,
            "osSrcNetConnInCount": null,
            "osSrcNetConnOutCount": null,
            "osSrcProcActiveContentFileId": null,
            "osSrcProcActiveContentHash": null,
            "osSrcProcActiveContentPath": null,
            "osSrcProcActiveContentSignedStatus": null,
            "osSrcProcActiveContentType": null,
            "osSrcProcBinaryisExecutable": null,
            "osSrcProcCmdLine": null,
            "osSrcProcDisplayName": null,
            "osSrcProcImageMd5": null,
            "osSrcProcImagePath": null,
            "osSrcProcImageSha1": null,
            "osSrcProcImageSha256": null,
            "osSrcProcIntegrityLevel": null,
            "osSrcProcIsNative64Bit": null,
            "osSrcProcIsRedirectCmdProcessor": null,
            "osSrcProcIsStorylineRoot": null,
            "osSrcProcName": null,
            "osSrcProcParentActiveContentFileId": null,
            "osSrcProcParentActiveContentHash": null,
            "osSrcProcParentActiveContentPath": null,
            "osSrcProcParentActiveContentSignedStatus": null,
            "osSrcProcParentActiveContentType": null,
            "osSrcProcParentCmdLine": null,
            "osSrcProcParentDisplayName": null,
            "osSrcProcParentImageMd5": null,
            "osSrcProcParentImagePath": null,
            "osSrcProcParentImageSha1": null,
            "osSrcProcParentImageSha256": null,
            "osSrcProcParentIntegrityLevel": null,
            "osSrcProcParentIsNative64Bit": null,
            "osSrcProcParentIsRedirectCmdProcessor": null,
            "osSrcProcParentIsStorylineRoot": null,
            "osSrcProcParentName": null,
            "osSrcProcParentPid": null,
            "osSrcProcParentPublisher": null,
            "osSrcProcParentReasonSignatureInvalid": null,
            "osSrcProcParentSessionId": null,
            "osSrcProcParentSignedStatus": null,
            "osSrcProcParentStartTime": null,
            "osSrcProcParentStorylineId": null,
            "osSrcProcParentUid": null,
            "osSrcProcParentUser": null,
            "osSrcProcPid": null,
            "osSrcProcPublisher": null,
            "osSrcProcReasonSignatureInvalid": null,
            "osSrcProcRelatedToThreat": "False",
            "osSrcProcSessionId": null,
            "osSrcProcSignedStatus": null,
            "osSrcProcStartTime": null,
            "osSrcProcStorylineId": null,
            "osSrcProcSubsystem": null,
            "osSrcProcUid": null,
            "osSrcProcUser": null,
            "osSrcProcVerifiedStatus": null,
            "osSrcRegistryChangeCount": null,
            "osSrcTgtFileCreationCount": null,
            "osSrcTgtFileDeletionCount": null,
            "osSrcTgtFileModificationCount": null,
            "parentPid": "956",
            "parentProcessName": "services.exe",
            "parentProcessStartTime": "2022-04-17T07:19:15.842Z",
            "parentProcessUniqueKey": "C70********231",
            "pid": "4120",
            "processCmd": "C:\\******\\********\\*******.exe -k LocalServiceNoNetwork -p -s DPS",
            "processDisplayName": "Host Process for Windows Services",
            "processGroupId": "17F*******736",
            "processImagePath": "C:\\******\\********\\*******.exe",
            "processImageSha1Hash": "1f9********b97",
            "processIntegrityLevel": "SYSTEM",
            "processIsRedirectedCommandProcessor": "False",
            "processIsWow64": "False",
            "processName": "svchost.exe",
            "processRoot": "True",
            "processSessionId": "0",
            "processStartTime": "2022-04-17T07:19:30.774Z",
            "processSubSystem": "SYS_WIN32",
            "processUniqueKey": "C70********231",
            "publisher": "MICROSOFT WINDOWS PUBLISHER",
            "registryChangeCount": "0",
            "relatedToThreat": "False",
            "retentionPeriod": null,
            "rpid": null,
            "signatureSignedInvalidReason": null,
            "signedStatus": "signed",
            "siteId": "138********161",
            "siteName": "site2",
            "srcProcActiveContentFileId": null,
            "srcProcActiveContentHash": null,
            "srcProcActiveContentPath": null,
            "srcProcActiveContentSignedStatus": null,
            "srcProcActiveContentType": null,
            "srcProcBinaryisExecutable": "True",
            "srcProcCmdLine": "C:\\******\\********\\*******.exe -k LocalServiceNoNetwork -p -s DPS",
            "srcProcDisplayName": "Host Process for Windows Services",
            "srcProcImageMd5": "cd1********c16",
            "srcProcImagePath": "C:\\******\\********\\*******.exe",
            "srcProcImageSha1": "1f9********b97",
            "srcProcImageSha256": "f3f********881",
            "srcProcIntegrityLevel": "SYSTEM",
            "srcProcIsNative64Bit": "False",
            "srcProcIsRedirectCmdProcessor": "False",
            "srcProcIsStorylineRoot": "True",
            "srcProcName": "svchost.exe",
            "srcProcParentActiveContentFileId": null,
            "srcProcParentActiveContentHash": null,
            "srcProcParentActiveContentPath": null,
            "srcProcParentActiveContentSignedStatus": null,
            "srcProcParentActiveContentType": null,
            "srcProcParentCmdLine": "C:\\WINDOWS\\system32\\services.exe",
            "srcProcParentDisplayName": "Services and Controller app",
            "srcProcParentImageMd5": "d8e********5a9",
            "srcProcParentImagePath": "C:\\Windows\\System32\\services.exe",
            "srcProcParentImageSha1": "d7a********e54",
            "srcProcParentImageSha256": "dfbe********a674",
            "srcProcParentIntegrityLevel": "SYSTEM",
            "srcProcParentIsNative64Bit": "False",
            "srcProcParentIsRedirectCmdProcessor": "False",
            "srcProcParentIsStorylineRoot": "True",
            "srcProcParentName": "services.exe",
            "srcProcParentPid": "956",
            "srcProcParentProcUid": "92C********F3C",
            "srcProcParentPublisher": "MICROSOFT WINDOWS PUBLISHER",
            "srcProcParentReasonSignatureInvalid": null,
            "srcProcParentSessionId": "0",
            "srcProcParentSignedStatus": "signed",
            "srcProcParentStartTime": "2022-04-17T07:19:15.842Z",
            "srcProcParentStorylineId": "B71********716",
            "srcProcParentUid": "92C********F3C",
            "srcProcParentUser": "NT AUTHORITY\\SYSTEM",
            "srcProcPid": "4120",
            "srcProcPublisher": "MICROSOFT WINDOWS PUBLISHER",
            "srcProcReasonSignatureInvalid": null,
            "srcProcRelatedToThreat": "False",
            "srcProcRpid": null,
            "srcProcSessionId": "0",
            "srcProcSignedStatus": "signed",
            "srcProcStartTime": "2022-04-17T07:19:30.774Z",
            "srcProcStorylineId": "17F*******736",
            "srcProcSubsystem": "SYS_WIN32",
            "srcProcTid": null,
            "srcProcUid": "C70********231",
            "srcProcUser": "NT AUTHORITY\\LOCAL SERVICE",
            "srcProcVerifiedStatus": "verified",
            "storyline": "17F*******736",
            "tgtFileConvictedBy": null,
            "tgtFileCreatedAt": "1601-01-01T00:00:00.000Z",
            "tgtFileCreationCount": "0",
            "tgtFileDeletionCount": "0",
            "tgtFileDescription": null,
            "tgtFileExtension": "log",
            "tgtFileId": "E81********30B",
            "tgtFileInternalName": null,
            "tgtFileIsExecutable": "False",
            "tgtFileIsSigned": null,
            "tgtFileLocation": "Local",
            "tgtFileMd5": "0a3********52f",
            "tgtFileModificationCount": "0",
            "tgtFileModifiedAt": "1601-01-01T00:00:00.000Z",
            "tgtFileOldMd5": null,
            "tgtFileOldPath": "C:\\Windows\\System32\\sru\\SRU.log",
            "tgtFileOldSha1": null,
            "tgtFileOldSha256": null,
            "tgtFilePath": "C:\\Windows\\System32\\sru\\SR****1D.log",
            "tgtFileSha1": "5fe********39a",
            "tgtFileSha256": "c96********68b",
            "tgtFileSize": "65536",
            "tgtFileType": null,
            "tiOriginalEventId": null,
            "tiOriginalEventIndex": null,
            "tiOriginalEventTraceId": null,
            "tid": null,
            "tiindicatorRelatedEventTime": null,
            "traceId": "01G*******R0H",
            "trueContext": "17F*******736",
            "user": "NT AUTHORITY\\LOCAL SERVICE",
            "verifiedStatus": "verified"
        }
    ],
    "pagination": {
        "nextCursor": null,
        "totalItems": 2
    }
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the $.data path from the returned raw data.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "accountId": null,
        "activeContentFileId": null,
        "activeContentHash": null,
        "activeContentPath": null,
        "activeContentSignedStatus": null,
        "activeContentType": null,
        "agentDomain": "WORKGROUP",
        "agentGroupId": "138********378",
        "agentId": "139********432",
        "agentInfected": true,
        "agentIp": "216.251.***.***",
        "agentIsActive": true,
        "agentIsDecommissioned": false,
        "agentMachineType": "desktop",
        "agentName": "DESKTOP-H****D3",
        "agentNetworkStatus": "connected",
        "agentOs": "windows",
        "agentTimestamp": "2022-04-22T00:10:52.725Z",
        "agentUuid": "cd8********661",
        "agentVersion": "21.7.5.1080",
        "childProcCount": "0",
        "containerId": null,
        "containerImage": null,
        "containerLabels": null,
        "containerName": null,
        "convictedBy": null,
        "createdAt": "2022-04-22T00:10:52.725000Z",
        "crossProcCount": "0",
        "crossProcDupRemoteProcHandleCount": "0",
        "crossProcDupThreadHandleCount": "0",
        "crossProcOpenProcCount": "0",
        "crossProcOutOfStorylineCount": "0",
        "crossProcThreadCreateCount": "0",
        "dnsCount": "0",
        "endpointMachineType": "desktop",
        "endpointName": "DESKTOP-H****D3",
        "endpointOs": "windows",
        "eventIndex": "7",
        "eventTime": "2022-04-22T00:10:52.725Z",
        "eventType": "File Rename",
        "fileCreatedAt": "2022-04-22T00:10:52.725Z",
        "fileFullName": "C:\\Windows\\System32\\sru\\SRU.log",
        "fileId": "DFA********9A8",
        "fileIsExecutable": "True",
        "fileLocation": "Local",
        "fileMd5": "cd1********c16",
        "fileModifyAt": "2022-04-22T00:10:52.725Z",
        "fileSha1": "647********e16",
        "fileSha256": "f3f********881",
        "fileSize": "65536",
        "fileType": "log",
        "id": "678********040",
        "indicatorBootConfigurationUpdateCount": "0",
        "indicatorEvasionCount": "0",
        "indicatorExploitationCount": "0",
        "indicatorGeneralCount": "5",
        "indicatorInfostealerCount": "0",
        "indicatorInjectionCount": "0",
        "indicatorPersistenceCount": "0",
        "indicatorPostExploitationCount": "0",
        "indicatorRansomwareCount": "0",
        "indicatorReconnaissanceCount": "0",
        "k8sClusterName": null,
        "k8sControllerLabels": null,
        "k8sControllerName": null,
        "k8sControllerType": null,
        "k8sNamespace": null,
        "k8sNamespaceLabels": null,
        "k8sNode": null,
        "k8sPodLabels": null,
        "k8sPodName": null,
        "lastActivatedAt": null,
        "metaEventName": "FILERENAME",
        "moduleCount": "293",
        "netConnCount": "0",
        "netConnInCount": "0",
        "netConnOutCount": "0",
        "newFileName": null,
        "objectType": "file",
        "oldFileMd5": null,
        "oldFileName": "C:\\Windows\\System32\\sru\\SRUtmp.log",
        "oldFileSha1": null,
        "oldFileSha256": null,
        "osSrcChildProcCount": null,
        "osSrcCrossProcCount": null,
        "osSrcCrossProcDupRemoteProcHandleCount": null,
        "osSrcCrossProcDupThreadHandleCount": null,
        "osSrcCrossProcOpenProcCount": null,
        "osSrcCrossProcOutOfStorylineCount": null,
        "osSrcCrossProcThreadCreateCount": null,
        "osSrcDnsCount": null,
        "osSrcIndicatorBootConfigurationUpdateCount": null,
        "osSrcIndicatorEvasionCount": null,
        "osSrcIndicatorExploitationCount": null,
        "osSrcIndicatorGeneralCount": null,
        "osSrcIndicatorInfostealerCount": null,
        "osSrcIndicatorInjectionCount": null,
        "osSrcIndicatorPersistenceCount": null,
        "osSrcIndicatorPostExploitationCount": null,
        "osSrcIndicatorRansomwareCount": null,
        "osSrcIndicatorReconnaissanceCount": null,
        "osSrcModuleCount": null,
        "osSrcNetConnCount": null,
        "osSrcNetConnInCount": null,
        "osSrcNetConnOutCount": null,
        "osSrcProcActiveContentFileId": null,
        "osSrcProcActiveContentHash": null,
        "osSrcProcActiveContentPath": null,
        "osSrcProcActiveContentSignedStatus": null,
        "osSrcProcActiveContentType": null,
        "osSrcProcBinaryisExecutable": null,
        "osSrcProcCmdLine": null,
        "osSrcProcDisplayName": null,
        "osSrcProcImageMd5": null,
        "osSrcProcImagePath": null,
        "osSrcProcImageSha1": null,
        "osSrcProcImageSha256": null,
        "osSrcProcIntegrityLevel": null,
        "osSrcProcIsNative64Bit": null,
        "osSrcProcIsRedirectCmdProcessor": null,
        "osSrcProcIsStorylineRoot": null,
        "osSrcProcName": null,
        "osSrcProcParentActiveContentFileId": null,
        "osSrcProcParentActiveContentHash": null,
        "osSrcProcParentActiveContentPath": null,
        "osSrcProcParentActiveContentSignedStatus": null,
        "osSrcProcParentActiveContentType": null,
        "osSrcProcParentCmdLine": null,
        "osSrcProcParentDisplayName": null,
        "osSrcProcParentImageMd5": null,
        "osSrcProcParentImagePath": null,
        "osSrcProcParentImageSha1": null,
        "osSrcProcParentImageSha256": null,
        "osSrcProcParentIntegrityLevel": null,
        "osSrcProcParentIsNative64Bit": null,
        "osSrcProcParentIsRedirectCmdProcessor": null,
        "osSrcProcParentIsStorylineRoot": null,
        "osSrcProcParentName": null,
        "osSrcProcParentPid": null,
        "osSrcProcParentPublisher": null,
        "osSrcProcParentReasonSignatureInvalid": null,
        "osSrcProcParentSessionId": null,
        "osSrcProcParentSignedStatus": null,
        "osSrcProcParentStartTime": null,
        "osSrcProcParentStorylineId": null,
        "osSrcProcParentUid": null,
        "osSrcProcParentUser": null,
        "osSrcProcPid": null,
        "osSrcProcPublisher": null,
        "osSrcProcReasonSignatureInvalid": null,
        "osSrcProcRelatedToThreat": "False",
        "osSrcProcSessionId": null,
        "osSrcProcSignedStatus": null,
        "osSrcProcStartTime": null,
        "osSrcProcStorylineId": null,
        "osSrcProcSubsystem": null,
        "osSrcProcUid": null,
        "osSrcProcUser": null,
        "osSrcProcVerifiedStatus": null,
        "osSrcRegistryChangeCount": null,
        "osSrcTgtFileCreationCount": null,
        "osSrcTgtFileDeletionCount": null,
        "osSrcTgtFileModificationCount": null,
        "parentPid": "956",
        "parentProcessName": "services.exe",
        "parentProcessStartTime": "2022-04-17T07:19:15.842Z",
        "parentProcessUniqueKey": "C70********231",
        "pid": "4120",
        "processCmd": "C:\\******\\********\\*******.exe -k LocalServiceNoNetwork -p -s DPS",
        "processDisplayName": "Host Process for Windows Services",
        "processGroupId": "17F*******736",
        "processImagePath": "C:\\******\\********\\*******.exe",
        "processImageSha1Hash": "1f9********b97",
        "processIntegrityLevel": "SYSTEM",
        "processIsRedirectedCommandProcessor": "False",
        "processIsWow64": "False",
        "processName": "svchost.exe",
        "processRoot": "True",
        "processSessionId": "0",
        "processStartTime": "2022-04-17T07:19:30.774Z",
        "processSubSystem": "SYS_WIN32",
        "processUniqueKey": "C70********231",
        "publisher": "MICROSOFT WINDOWS PUBLISHER",
        "registryChangeCount": "0",
        "relatedToThreat": "False",
        "retentionPeriod": null,
        "rpid": null,
        "signatureSignedInvalidReason": null,
        "signedStatus": "signed",
        "siteId": "138********161",
        "siteName": "site2",
        "srcProcActiveContentFileId": null,
        "srcProcActiveContentHash": null,
        "srcProcActiveContentPath": null,
        "srcProcActiveContentSignedStatus": null,
        "srcProcActiveContentType": null,
        "srcProcBinaryisExecutable": "True",
        "srcProcCmdLine": "C:\\******\\********\\*******.exe -k LocalServiceNoNetwork -p -s DPS",
        "srcProcDisplayName": "Host Process for Windows Services",
        "srcProcImageMd5": "cd1********c16",
        "srcProcImagePath": "C:\\******\\********\\*******.exe",
        "srcProcImageSha1": "1f9********b97",
        "srcProcImageSha256": "f3f********881",
        "srcProcIntegrityLevel": "SYSTEM",
        "srcProcIsNative64Bit": "False",
        "srcProcIsRedirectCmdProcessor": "False",
        "srcProcIsStorylineRoot": "True",
        "srcProcName": "svchost.exe",
        "srcProcParentActiveContentFileId": null,
        "srcProcParentActiveContentHash": null,
        "srcProcParentActiveContentPath": null,
        "srcProcParentActiveContentSignedStatus": null,
        "srcProcParentActiveContentType": null,
        "srcProcParentCmdLine": "C:\\WINDOWS\\system32\\services.exe",
        "srcProcParentDisplayName": "Services and Controller app",
        "srcProcParentImageMd5": "d8e********5a9",
        "srcProcParentImagePath": "C:\\Windows\\System32\\services.exe",
        "srcProcParentImageSha1": "d7a********e54",
        "srcProcParentImageSha256": "dfbe********a674",
        "srcProcParentIntegrityLevel": "SYSTEM",
        "srcProcParentIsNative64Bit": "False",
        "srcProcParentIsRedirectCmdProcessor": "False",
        "srcProcParentIsStorylineRoot": "True",
        "srcProcParentName": "services.exe",
        "srcProcParentPid": "956",
        "srcProcParentProcUid": "92C********F3C",
        "srcProcParentPublisher": "MICROSOFT WINDOWS PUBLISHER",
        "srcProcParentReasonSignatureInvalid": null,
        "srcProcParentSessionId": "0",
        "srcProcParentSignedStatus": "signed",
        "srcProcParentStartTime": "2022-04-17T07:19:15.842Z",
        "srcProcParentStorylineId": "B71********716",
        "srcProcParentUid": "92C********F3C",
        "srcProcParentUser": "NT AUTHORITY\\SYSTEM",
        "srcProcPid": "4120",
        "srcProcPublisher": "MICROSOFT WINDOWS PUBLISHER",
        "srcProcReasonSignatureInvalid": null,
        "srcProcRelatedToThreat": "False",
        "srcProcRpid": null,
        "srcProcSessionId": "0",
        "srcProcSignedStatus": "signed",
        "srcProcStartTime": "2022-04-17T07:19:30.774Z",
        "srcProcStorylineId": "17F*******736",
        "srcProcSubsystem": "SYS_WIN32",
        "srcProcTid": null,
        "srcProcUid": "C70********231",
        "srcProcUser": "NT AUTHORITY\\LOCAL SERVICE",
        "srcProcVerifiedStatus": "verified",
        "storyline": "17F*******736",
        "tgtFileConvictedBy": null,
        "tgtFileCreatedAt": "1601-01-01T00:00:00.000Z",
        "tgtFileCreationCount": "0",
        "tgtFileDeletionCount": "0",
        "tgtFileDescription": null,
        "tgtFileExtension": "log",
        "tgtFileId": "DFA********9A8",
        "tgtFileInternalName": null,
        "tgtFileIsExecutable": "False",
        "tgtFileIsSigned": null,
        "tgtFileLocation": "Local",
        "tgtFileMd5": "745********4eb",
        "tgtFileModificationCount": "0",
        "tgtFileModifiedAt": "1601-01-01T00:00:00.000Z",
        "tgtFileOldMd5": null,
        "tgtFileOldPath": "C:\\Windows\\System32\\sru\\SRUtmp.log",
        "tgtFileOldSha1": null,
        "tgtFileOldSha256": null,
        "tgtFilePath": "C:\\Windows\\System32\\sru\\SRU.log",
        "tgtFileSha1": "647********e16",
        "tgtFileSha256": "301********c16",
        "tgtFileSize": "65536",
        "tgtFileType": null,
        "tiOriginalEventId": null,
        "tiOriginalEventIndex": null,
        "tiOriginalEventTraceId": null,
        "tid": null,
        "tiindicatorRelatedEventTime": null,
        "traceId": "01G*******R0H",
        "trueContext": "17F*******736",
        "user": "NT AUTHORITY\\LOCAL SERVICE",
        "verifiedStatus": "verified"
    },
    {
        "accountId": null,
        "activeContentFileId": null,
        "activeContentHash": null,
        "activeContentPath": null,
        "activeContentSignedStatus": null,
        "activeContentType": null,
        "agentDomain": "WORKGROUP",
        "agentGroupId": "138********378",
        "agentId": "139********432",
        "agentInfected": true,
        "agentIp": "216.251.***.***",
        "agentIsActive": true,
        "agentIsDecommissioned": false,
        "agentMachineType": "desktop",
        "agentName": "DESKTOP-H****D3",
        "agentNetworkStatus": "connected",
        "agentOs": "windows",
        "agentTimestamp": "2022-04-22T00:10:52.722Z",
        "agentUuid": "cd8********661",
        "agentVersion": "21.7.5.1080",
        "childProcCount": "0",
        "containerId": null,
        "containerImage": null,
        "containerLabels": null,
        "containerName": null,
        "convictedBy": null,
        "createdAt": "2022-04-22T00:10:52.722000Z",
        "crossProcCount": "0",
        "crossProcDupRemoteProcHandleCount": "0",
        "crossProcDupThreadHandleCount": "0",
        "crossProcOpenProcCount": "0",
        "crossProcOutOfStorylineCount": "0",
        "crossProcThreadCreateCount": "0",
        "dnsCount": "0",
        "endpointMachineType": "desktop",
        "endpointName": "DESKTOP-H****D3",
        "endpointOs": "windows",
        "eventIndex": "6",
        "eventTime": "2022-04-22T00:10:52.722Z",
        "eventType": "File Rename",
        "fileCreatedAt": "2022-04-22T00:10:52.722Z",
        "fileFullName": "C:\\Windows\\System32\\sru\\SR****1D.log",
        "fileId": "E81********30B",
        "fileIsExecutable": "True",
        "fileLocation": "Local",
        "fileMd5": "cd1********c16",
        "fileModifyAt": "2022-04-22T00:10:52.722Z",
        "fileSha1": "5fe********39a",
        "fileSha256": "f3f********881",
        "fileSize": "65536",
        "fileType": "log",
        "id": "678********696",
        "indicatorBootConfigurationUpdateCount": "0",
        "indicatorEvasionCount": "0",
        "indicatorExploitationCount": "0",
        "indicatorGeneralCount": "5",
        "indicatorInfostealerCount": "0",
        "indicatorInjectionCount": "0",
        "indicatorPersistenceCount": "0",
        "indicatorPostExploitationCount": "0",
        "indicatorRansomwareCount": "0",
        "indicatorReconnaissanceCount": "0",
        "k8sClusterName": null,
        "k8sControllerLabels": null,
        "k8sControllerName": null,
        "k8sControllerType": null,
        "k8sNamespace": null,
        "k8sNamespaceLabels": null,
        "k8sNode": null,
        "k8sPodLabels": null,
        "k8sPodName": null,
        "lastActivatedAt": null,
        "metaEventName": "FILERENAME",
        "moduleCount": "293",
        "netConnCount": "0",
        "netConnInCount": "0",
        "netConnOutCount": "0",
        "newFileName": null,
        "objectType": "file",
        "oldFileMd5": null,
        "oldFileName": "C:\\Windows\\System32\\sru\\SRU.log",
        "oldFileSha1": null,
        "oldFileSha256": null,
        "osSrcChildProcCount": null,
        "osSrcCrossProcCount": null,
        "osSrcCrossProcDupRemoteProcHandleCount": null,
        "osSrcCrossProcDupThreadHandleCount": null,
        "osSrcCrossProcOpenProcCount": null,
        "osSrcCrossProcOutOfStorylineCount": null,
        "osSrcCrossProcThreadCreateCount": null,
        "osSrcDnsCount": null,
        "osSrcIndicatorBootConfigurationUpdateCount": null,
        "osSrcIndicatorEvasionCount": null,
        "osSrcIndicatorExploitationCount": null,
        "osSrcIndicatorGeneralCount": null,
        "osSrcIndicatorInfostealerCount": null,
        "osSrcIndicatorInjectionCount": null,
        "osSrcIndicatorPersistenceCount": null,
        "osSrcIndicatorPostExploitationCount": null,
        "osSrcIndicatorRansomwareCount": null,
        "osSrcIndicatorReconnaissanceCount": null,
        "osSrcModuleCount": null,
        "osSrcNetConnCount": null,
        "osSrcNetConnInCount": null,
        "osSrcNetConnOutCount": null,
        "osSrcProcActiveContentFileId": null,
        "osSrcProcActiveContentHash": null,
        "osSrcProcActiveContentPath": null,
        "osSrcProcActiveContentSignedStatus": null,
        "osSrcProcActiveContentType": null,
        "osSrcProcBinaryisExecutable": null,
        "osSrcProcCmdLine": null,
        "osSrcProcDisplayName": null,
        "osSrcProcImageMd5": null,
        "osSrcProcImagePath": null,
        "osSrcProcImageSha1": null,
        "osSrcProcImageSha256": null,
        "osSrcProcIntegrityLevel": null,
        "osSrcProcIsNative64Bit": null,
        "osSrcProcIsRedirectCmdProcessor": null,
        "osSrcProcIsStorylineRoot": null,
        "osSrcProcName": null,
        "osSrcProcParentActiveContentFileId": null,
        "osSrcProcParentActiveContentHash": null,
        "osSrcProcParentActiveContentPath": null,
        "osSrcProcParentActiveContentSignedStatus": null,
        "osSrcProcParentActiveContentType": null,
        "osSrcProcParentCmdLine": null,
        "osSrcProcParentDisplayName": null,
        "osSrcProcParentImageMd5": null,
        "osSrcProcParentImagePath": null,
        "osSrcProcParentImageSha1": null,
        "osSrcProcParentImageSha256": null,
        "osSrcProcParentIntegrityLevel": null,
        "osSrcProcParentIsNative64Bit": null,
        "osSrcProcParentIsRedirectCmdProcessor": null,
        "osSrcProcParentIsStorylineRoot": null,
        "osSrcProcParentName": null,
        "osSrcProcParentPid": null,
        "osSrcProcParentPublisher": null,
        "osSrcProcParentReasonSignatureInvalid": null,
        "osSrcProcParentSessionId": null,
        "osSrcProcParentSignedStatus": null,
        "osSrcProcParentStartTime": null,
        "osSrcProcParentStorylineId": null,
        "osSrcProcParentUid": null,
        "osSrcProcParentUser": null,
        "osSrcProcPid": null,
        "osSrcProcPublisher": null,
        "osSrcProcReasonSignatureInvalid": null,
        "osSrcProcRelatedToThreat": "False",
        "osSrcProcSessionId": null,
        "osSrcProcSignedStatus": null,
        "osSrcProcStartTime": null,
        "osSrcProcStorylineId": null,
        "osSrcProcSubsystem": null,
        "osSrcProcUid": null,
        "osSrcProcUser": null,
        "osSrcProcVerifiedStatus": null,
        "osSrcRegistryChangeCount": null,
        "osSrcTgtFileCreationCount": null,
        "osSrcTgtFileDeletionCount": null,
        "osSrcTgtFileModificationCount": null,
        "parentPid": "956",
        "parentProcessName": "services.exe",
        "parentProcessStartTime": "2022-04-17T07:19:15.842Z",
        "parentProcessUniqueKey": "C70********231",
        "pid": "4120",
        "processCmd": "C:\\******\\********\\*******.exe -k LocalServiceNoNetwork -p -s DPS",
        "processDisplayName": "Host Process for Windows Services",
        "processGroupId": "17F*******736",
        "processImagePath": "C:\\******\\********\\*******.exe",
        "processImageSha1Hash": "1f9********b97",
        "processIntegrityLevel": "SYSTEM",
        "processIsRedirectedCommandProcessor": "False",
        "processIsWow64": "False",
        "processName": "svchost.exe",
        "processRoot": "True",
        "processSessionId": "0",
        "processStartTime": "2022-04-17T07:19:30.774Z",
        "processSubSystem": "SYS_WIN32",
        "processUniqueKey": "C70********231",
        "publisher": "MICROSOFT WINDOWS PUBLISHER",
        "registryChangeCount": "0",
        "relatedToThreat": "False",
        "retentionPeriod": null,
        "rpid": null,
        "signatureSignedInvalidReason": null,
        "signedStatus": "signed",
        "siteId": "138********161",
        "siteName": "site2",
        "srcProcActiveContentFileId": null,
        "srcProcActiveContentHash": null,
        "srcProcActiveContentPath": null,
        "srcProcActiveContentSignedStatus": null,
        "srcProcActiveContentType": null,
        "srcProcBinaryisExecutable": "True",
        "srcProcCmdLine": "C:\\******\\********\\*******.exe -k LocalServiceNoNetwork -p -s DPS",
        "srcProcDisplayName": "Host Process for Windows Services",
        "srcProcImageMd5": "cd1********c16",
        "srcProcImagePath": "C:\\******\\********\\*******.exe",
        "srcProcImageSha1": "1f9********b97",
        "srcProcImageSha256": "f3f********881",
        "srcProcIntegrityLevel": "SYSTEM",
        "srcProcIsNative64Bit": "False",
        "srcProcIsRedirectCmdProcessor": "False",
        "srcProcIsStorylineRoot": "True",
        "srcProcName": "svchost.exe",
        "srcProcParentActiveContentFileId": null,
        "srcProcParentActiveContentHash": null,
        "srcProcParentActiveContentPath": null,
        "srcProcParentActiveContentSignedStatus": null,
        "srcProcParentActiveContentType": null,
        "srcProcParentCmdLine": "C:\\WINDOWS\\system32\\services.exe",
        "srcProcParentDisplayName": "Services and Controller app",
        "srcProcParentImageMd5": "d8e********5a9",
        "srcProcParentImagePath": "C:\\Windows\\System32\\services.exe",
        "srcProcParentImageSha1": "d7a********e54",
        "srcProcParentImageSha256": "dfbe********a674",
        "srcProcParentIntegrityLevel": "SYSTEM",
        "srcProcParentIsNative64Bit": "False",
        "srcProcParentIsRedirectCmdProcessor": "False",
        "srcProcParentIsStorylineRoot": "True",
        "srcProcParentName": "services.exe",
        "srcProcParentPid": "956",
        "srcProcParentProcUid": "92C********F3C",
        "srcProcParentPublisher": "MICROSOFT WINDOWS PUBLISHER",
        "srcProcParentReasonSignatureInvalid": null,
        "srcProcParentSessionId": "0",
        "srcProcParentSignedStatus": "signed",
        "srcProcParentStartTime": "2022-04-17T07:19:15.842Z",
        "srcProcParentStorylineId": "B71********716",
        "srcProcParentUid": "92C********F3C",
        "srcProcParentUser": "NT AUTHORITY\\SYSTEM",
        "srcProcPid": "4120",
        "srcProcPublisher": "MICROSOFT WINDOWS PUBLISHER",
        "srcProcReasonSignatureInvalid": null,
        "srcProcRelatedToThreat": "False",
        "srcProcRpid": null,
        "srcProcSessionId": "0",
        "srcProcSignedStatus": "signed",
        "srcProcStartTime": "2022-04-17T07:19:30.774Z",
        "srcProcStorylineId": "17F*******736",
        "srcProcSubsystem": "SYS_WIN32",
        "srcProcTid": null,
        "srcProcUid": "C70********231",
        "srcProcUser": "NT AUTHORITY\\LOCAL SERVICE",
        "srcProcVerifiedStatus": "verified",
        "storyline": "17F*******736",
        "tgtFileConvictedBy": null,
        "tgtFileCreatedAt": "1601-01-01T00:00:00.000Z",
        "tgtFileCreationCount": "0",
        "tgtFileDeletionCount": "0",
        "tgtFileDescription": null,
        "tgtFileExtension": "log",
        "tgtFileId": "E81********30B",
        "tgtFileInternalName": null,
        "tgtFileIsExecutable": "False",
        "tgtFileIsSigned": null,
        "tgtFileLocation": "Local",
        "tgtFileMd5": "0a3********52f",
        "tgtFileModificationCount": "0",
        "tgtFileModifiedAt": "1601-01-01T00:00:00.000Z",
        "tgtFileOldMd5": null,
        "tgtFileOldPath": "C:\\Windows\\System32\\sru\\SRU.log",
        "tgtFileOldSha1": null,
        "tgtFileOldSha256": null,
        "tgtFilePath": "C:\\Windows\\System32\\sru\\SR****1D.log",
        "tgtFileSha1": "5fe********39a",
        "tgtFileSha256": "c96********68b",
        "tgtFileSize": "65536",
        "tgtFileType": null,
        "tiOriginalEventId": null,
        "tiOriginalEventIndex": null,
        "tiOriginalEventTraceId": null,
        "tid": null,
        "tiindicatorRelatedEventTime": null,
        "traceId": "01G*******R0H",
        "trueContext": "17F*******736",
        "user": "NT AUTHORITY\\LOCAL SERVICE",
        "verifiedStatus": "verified"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "AgentIDs": [
        "134********951"
    ],
    "AgentNames": [
        "DESKTOP-6KJ****"
    ],
    "EventIDs": [
        "670040005769560069"
    ],
    "AgentIPs": [
        "216.251.***.***"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Events by Query ID and Type failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request: ['Invalid query ID'].

Error Sample Data

Get Events by Query ID and Type failed.

Status Code: 400.

Message: Bad Request: ['Invalid query ID'].

Get Exclusions

Retrieves a list of all the Exclusions that match the filter.

READER NOTE

Account IDs, Site IDs, Group IDs and Exclusion IDs are optional parameters to run this command.

  • Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.

  • Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.

  • Run the Get Groups command to obtain Group IDs. Group IDs can be found in the raw data at the path $.data.id.

Input

Input Parameter

Required/Optional

Description

Example

Type

Optional

The exclusion item type.

Path

Operation System

Optional

The operation system to filter.

Linux

Account IDs

Optional

The account IDs to filter. Account IDs can be obtained using the List Accounts command.

["131********791"]

Site IDs

Optional

The site IDs to filter. Site IDs can be obtained using the Get Sites command.

["174********138"]

Group IDs

Optional

The group IDs to filter. Group IDs can be obtained using the Get Groups command.

["151********497"]

Exclusion IDs

Optional

The exclusion IDs to filter.

["174********364"]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": [
        {
            "actions": null,
            "applicationName": null,
            "createdAt": "2023-08-09T22:53:08.374314Z",
            "description": "test Exclusion 0809E",
            "id": "174********364",
            "imported": false,
            "inAppInventory": false,
            "includeChildren": false,
            "includeParents": false,
            "notRecommended": "NONE",
            "osType": "linux",
            "scope": {
                "accountIds": [
                    "131********791"
                ]
            },
            "scopeName": "account",
            "scopePath": "Global\\D3 Security",
            "source": "user",
            "type": "white_hash",
            "updatedAt": "2023-08-09T22:53:08.373053Z",
            "userId": "138********959",
            "userName": "Jon***** Y**",
            "value": "d25********220"
        },
        {
            "actions": null,
            "applicationName": null,
            "createdAt": "2023-08-09T23:20:38.721748Z",
            "description": "test Exclusion 0809f",
            "id": "174********255",
            "imported": false,
            "inAppInventory": false,
            "includeChildren": false,
            "includeParents": false,
            "notRecommended": "NONE",
            "osType": "linux",
            "scope": {
                "accountIds": [
                    "131********791"
                ]
            },
            "scopeName": "account",
            "scopePath": "Global\\D3 Security",
            "source": "user",
            "type": "white_hash",
            "updatedAt": "2023-08-09T23:20:38.720532Z",
            "userId": "138********959",
            "userName": "Jon***** Y**",
            "value": "d25*******330"
        },
        {
            "actions": null,
            "applicationName": null,
            "createdAt": "2023-08-09T23:52:24.421472Z",
            "description": "test Exclusion 0809f",
            "id": "174********595",
            "imported": false,
            "inAppInventory": false,
            "includeChildren": false,
            "includeParents": false,
            "notRecommended": "NONE",
            "osType": "macos",
            "scope": {
                "accountIds": [
                    "131********791"
                ]
            },
            "scopeName": "account",
            "scopePath": "Global\\D3 Security",
            "source": "user",
            "type": "white_hash",
            "updatedAt": "2023-08-09T23:52:24.421014Z",
            "userId": "138********959",
            "userName": "Jon***** Y**",
            "value": "d25*******330"
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ExclusionIDs": [
        "174********364"
    ],
    "Types": [
        "white_hash"
    ],
    "Values": [
        "d25********220"
    ],
    "osTypes": [
        "linux"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Exclusions failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: groupIds: 0: Not a valid Identifier.

Error Sample Data

Get Exclusions failed.

Status Code: 400.

Message: groupIds: 0: Not a valid Identifier.

Get Global Policy

Get the Global policy. This is the default policy for your deployment.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": {
        "agentLoggingOn": true,
        "agentNotification": true,
        "agentUi": {
            "agentUiOn": true,
            "contactCompany": "",
            "contactDirectMessage": "",
            "contactEmail": "",
            "contactFreeText": "",
            "contactOther": "",
            "contactPhoneNumber": "",
            "contactSupportWebsite": "",
            "devicePopUpNotifications": true,
            "maxEventAgeDays": 30,
            "showAgentWarnings": false,
            "showDeviceTab": false,
            "showQuarantineTab": true,
            "showSupport": false,
            "showSuspicious": true,
            "threatPopUpNotifications": true
        },
        "agentUiOn": true,
        "allowRemoteShell": true,
        "antiTamperingOn": true,
        "autoDecommissionDays": 21,
        "autoDecommissionOn": true,
        "autoFileUpload": {
            "enabled": false
        },
        "autoImmuneOn": true,
        "autoMitigationAction": "mitigation.quarantineThreat",
        "cloudValidationOn": true,
        "createdAt": "2018-08-21T18:12:47.810942Z",
        "engines": {
            "applicationControl": "off",
            "dataFiles": "on",
            "executables": "on",
            "exploits": "on",
            "lateralMovement": "on",
            "penetration": "on",
            "preExecution": "on",
            "preExecutionSuspicious": "on",
            "pup": "on",
            "remoteShell": "on",
            "reputation": "on"
        },
        "fwForNetworkQuarantineEnabled": false,
        "ioc": true,
        "iocAttributes": {
            "autoInstallBrowserExtensions": true,
            "behavioralIndicators": true,
            "commandScripts": true,
            "crossProcess": true,
            "dataMasking": false,
            "dllModuleLoad": true,
            "dns": true,
            "fds": true,
            "file": true,
            "headers": true,
            "ip": true,
            "login": true,
            "process": true,
            "registry": true,
            "scheduledTask": true,
            "url": true
        },
        "isDefault": true,
        "mitigationMode": "protect",
        "mitigationModeSuspicious": "detect",
        "monitorOnExecute": true,
        "monitorOnWrite": true,
        "networkQuarantineOn": false,
        "researchOn": true,
        "scanNewAgents": true,
        "snapshotsOn": true,
        "updatedAt": "2022-04-22T20:18:53.287056Z",
        "userFullName": "SA-API",
        "userId": "140********884"
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "IsDefault": [
        "true"
    ],
    "MitigationMode": [
        "protect"
    ],
    "MitigationModeSuspicious": [
        "detect"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Global Policy failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized access.

Error Sample Data

Get Global Policy failed.

Status Code: 403.

Message: Unauthorized access.

Get Groups

Retrieves data from groups of the specified site IDs.

READER NOTE

The parameter Site IDs is required to run this command.

  • Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.

Input

Input Parameter

Required/Optional

Description

Example

Site IDs

Required

The ID(s) of sites to retrieve groups from. Site IDs can be obtained using the Get Sites command.

947********671

Custom Input

Optional

The defined queries in JSON format to filter results. Please refer to https://usea1-partners.sentinelone.net/api-doc/api-details?category=groups=get-groups for more information about query parameters.

{

"groupIds": "951********411,947*******716",

"isDefault": false,

"type": "static",

"updatedAt__gte": "2020-08-01 16:42:07"

}

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": {
        "affected": 1
    }
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the $.data path from the returned raw data.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "createdAt": "2020-07-30T14:48:56.079539Z",
        "creator": "Chris Go****an",
        "creatorId": "917********818",
        "filterId": null,
        "filterName": null,
        "id": "947********888",
        "inherits": true,
        "isDefault": true,
        "name": "Default Group",
        "rank": null,
        "registrationToken": "eyJ********In0=",
        "siteId": "947********671",
        "totalAgents": 0,
        "type": "static",
        "updatedAt": "2020-08-06T16:21:05.47294Z"
    },
    {
        "createdAt": "2020-08-04T18:18:54.567143Z",
        "creator": "Pul*** Sa***",
        "creatorId": "947*******716",
        "filterId": null,
        "filterName": null,
        "id": "950********984",
        "inherits": true,
        "isDefault": false,
        "name": "string",
        "rank": null,
        "registrationToken": "eyJ********In0=",
        "siteId": "947********671",
        "totalAgents": 1,
        "type": "static",
        "updatedAt": "2020-08-06T09:14:47.286682Z"
    },
    {
        "createdAt": "2020-08-04T19:18:10.504244Z",
        "creator": "Pul*** Sa***",
        "creatorId": "947*******716",
        "filterId": null,
        "filterName": null,
        "id": "950********145",
        "inherits": true,
        "isDefault": false,
        "name": "D3test",
        "rank": null,
        "registrationToken": "eyJ********In0=",
        "siteId": "947********671",
        "totalAgents": 0,
        "type": "static",
        "updatedAt": "2020-08-04T19:18:10.502906Z"
    },
    {
        "createdAt": "2020-08-05T16:42:07.730927Z",
        "creator": "Pul*** Sa***",
        "creatorId": "947*******716",
        "filterId": null,
        "filterName": null,
        "id": "951********411",
        "inherits": true,
        "isDefault": false,
        "name": "MyGroup",
        "rank": null,
        "registrationToken": "eyJ********In0=",
        "siteId": "947********671",
        "totalAgents": 0,
        "type": "static",
        "updatedAt": "2020-08-05T16:42:07.729609Z"
    },
    {
        "createdAt": "2020-08-05T16:43:05.89472Z",
        "creator": "Pul*** Sa***",
        "creatorId": "947*******716",
        "filterId": null,
        "filterName": null,
        "id": "951********194",
        "inherits": true,
        "isDefault": false,
        "name": "MyGroup1",
        "rank": null,
        "registrationToken": "eyJ1***********DM1In0=",
        "siteId": "947********671",
        "totalAgents": 0,
        "type": "static",
        "updatedAt": "2020-08-05T16:43:05.893152Z"
    },
    {
        "createdAt": "2020-08-05T16:44:59.60081Z",
        "creator": "Pul*** Sa***",
        "creatorId": "947*******716",
        "filterId": null,
        "filterName": null,
        "id": "951********508",
        "inherits": true,
        "isDefault": false,
        "name": "MyGroup2",
        "rank": null,
        "registrationToken": "eyJ********DY3In0=",
        "siteId": "947********671",
        "totalAgents": 0,
        "type": "static",
        "updatedAt": "2020-08-05T16:44:59.599846Z"
    },
    {
        "createdAt": "2020-08-05T16:52:22.488823Z",
        "creator": "Pul*** Sa***",
        "creatorId": "947*******716",
        "filterId": null,
        "filterName": null,
        "id": "951********499",
        "inherits": true,
        "isDefault": false,
        "name": "MyGroup3",
        "rank": null,
        "registrationToken": "eyJ1********TFiIn0=",
        "siteId": "947********671",
        "totalAgents": 0,
        "type": "static",
        "updatedAt": "2020-08-05T16:52:22.487863Z"
    },
    {
        "createdAt": "2020-08-05T23:30:59.156637Z",
        "creator": "Pul*** Sa***",
        "creatorId": "947*******716",
        "filterId": null,
        "filterName": null,
        "id": "951********953",
        "inherits": true,
        "isDefault": false,
        "name": "D3group",
        "rank": null,
        "registrationToken": "eyJ********In0=",
        "siteId": "947********671",
        "totalAgents": 0,
        "type": "static",
        "updatedAt": "2020-08-05T23:30:59.155709Z"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "Group id": [
        "947********888",
        "950********984",
        "950********145",
        "951********411",
        "951********194",
        "951********508",
        "951********499",
        "951********953"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Groups failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Not a valid Identifier.

Error Sample Data

Get Groups failed.

Status Code: 400.

Message: Not a valid Identifier.

Get Hash Reputations

Retrieves the hash reputation of an input SHA-1 value.

READER NOTE

The parameter File Hashes is required to run this command.

  • Run the Fetch Event command to obtain File Hashes. File Hashes can be found in the raw data at the path $.data[*].threatInfo.sha1.

If the hash is invalid/not found, it could return success with no result

Input

Input Parameter

Required/Optional

Description

Example

File Hashes

Required

The SHA1 value of the file content hash. File Hashes can be obtained using the Fetch Event command.

[ "a6d********d00" ]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": {
        "rank": "10"
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "Ranks": [
        "10"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Hash Reputations failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized access.

Error Sample Data

Get Hash Reputations failed.

Status Code: 403.

Message: Unauthorized access.

Get Query Status

Retrieves that status of a Deep Visibility Query.

READER NOTE

Query ID is a required parameter to run this command.

  • Run the Create Query command to obtain the Query ID. Query IDs can be found in the raw data at the path $.data.queryId.

Input

Input Parameter

Required/Optional

Description

Example

Query ID

Required

The Query ID obtained when creating a query. Query ID can be obtained using the Create Query command.

q5b************069

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": {
        "progressStatus": 100,
        "queryModeInfo": {
            "mode": "presto"
        },
        "responseState": "FINISHED"
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ProgressStatus": [
        "100"
    ],
    "ResponseState": [
        "FINISHED"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Query Status failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad Request: ['Invalid query ID'].

Error Sample Data

Get Query Status failed.

Status Code: 400.

Message: Bad Request: ['Invalid query ID'].

Get Script Results

Retrieves script result URLs. One of the Task IDs or Computer Names parameters must be defined. Note: Only one input parameter can be used to filter results for an instance of running the command.

READER NOTE

The parameter Task IDs is optional to run this command.

  • Run the Get Script Task Status command to obtain Task IDs. Task IDs can be found in the raw data at the path $.data[*].id.

To run the Run Script command, the specified Computer Names must be included. Simply put this information in the Filter parameter, and then execute the Run Script command.

Please note that not all scripts are guaranteed to produce results. If your input Task IDs do not yield any results, D3 will return “Success” but with no returned data.

Input

Input Parameter

Required/Optional

Description

Example

Task IDs

Optional

The list of Task IDs to retrieve a download link for. Task IDs can be obtained using the Get Script Task Status command.

[ ***** ]

Computer Names

Optional

The list of computer names (partial or whole) to retrieve a download link. The computers listed should have run scripts prior.

[ "DESKTOP-*****" ]

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": {
        "download_links": [
            {
                "downloadUrl": "https://*****.s3.amazonaws.com/*****/*****?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=*****%***************.zip&X-Amz-Signature=*****",
                "fileName": "*****.zip",
                "taskId": *****
            }
        ],
        "errors": []
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "FileNames": ["*****.zip"], 
  "TaskIDs": [*****],  
  "DownloadUrls": ["https://*****.s3.amazonaws.com/*****/*****?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=*****%*****%**********.zip&X-Amz-Signature=*****"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ta

{'download_links': [{'downloadUrl': 'https://*****.s3.amazonaws.com/*****/*****?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=*****%***************.zip&X-Amz-Signature=*****', 'fileName': '*****.zip', 'taskId': *****}], 'errors': []}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Script Results failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The value for parameter (Task IDs) is invalid.

Error Sample Data

Get Script Results failed.

Status Code: 400.

Message: The value for parameter (Task IDs) is invalid.

Get Scripts

Retrieves data of the scripts in the SentinelOne Script Library. If you don’t have global scope permission, you can only access the scripts of your specific scope.

READER NOTE

Account IDs and Site IDs are optional parameters to run this command.

  • Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.

  • Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.

Retrieve data from the scripts in the SentinelOne Script Library. If you lack global scope permission, you will only have access to scripts within your specific scope. Navigate to view scope by clicking Global Scope>Account Scope>Site Scope.

Users with lower scope permissions cannot view scripts under higher scopes, resulting in limited script visibility. To determine the scope of the account your connector is using, click on the user to view details.

For example, if a user is under the “D3 Security” account scope, they can retrieve all scripts within that account by entering D3 Security’s account ID in the Account IDs parameter. If this parameter is left empty, it will automatically fetch all scripts under the “D3 Security” account.

In this scenario, if you input site IDs within the same account (they must be from within the account and not from another account), it will fetch all scripts specific to those sites, resulting in fewer scripts compared to the entire account.

Input

Input Parameter

Required/Optional

Description

Example

Account IDs

Optional

The list of Account IDs to filter by. Account ID can be obtained using the List Accounts command.

[ "*****" ]

Site IDs

Optional

The list of Site IDs to filter by. Site IDs can be obtained using the Get Sites command.

[ "*****" ]

Script Type

Optional

The script type to filter by. If not specified, scripts of all script types will be returned.

Action

OS Type

Optional

The operating system type to filter by. If not specified, scripts of all OS types will be returned.

Windows

Query

Optional

The full or partial script name to filter by.

testscript0427

Limit

Optional

The limit number of returned items, the available value is an integer between 1 and 1000. If not specified, the default value is 10.

10

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": [
        {
            "bucketName": "*****",
            "createdAt": "2022-04-27T17:39:37.351259Z",
            "createdByUser": "*****@*****.***",
            "createdByUserId": "*****",
            "creator": "*****@*****.***",
            "creatorId": "*****",
            "fileName": "*****/None/*****/*****/*****",
            "id": "*****",
            "inputExample": "",
            "inputInstructions": "",
            "inputRequired": false,
            "mgmtId": "*****",
            "osTypes": [
                "linux"
            ],
            "outputFilePaths": null,
            "scopeId": "*****",
            "scopeLevel": "account",
            "scopeName": "D3 Security",
            "scopePath": "Global\\D3 Security",
            "scriptName": "testScript0427b",
            "scriptRuntimeTimeoutSeconds": 3600,
            "scriptType": "action",
            "shortFileName": "*****",
            "signature": "*****+n8/*****=",
            "signatureType": "SHA-256",
            "updatedAt": "2022-04-27T17:39:37.350499Z",
            "updater": null,
            "updaterId": null,
            "version": "1.0.0"
        }
    ],
    "pagination": {
        "nextCursor": null,
        "totalItems": 1
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "ScriptNames": ["testScript0427b"],
  "ScriptIDs": ["*****"] 
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

data

  • {'bucketName': '*****', 'createdAt': '2022-04-27T17:39:37.351259Z', 'createdByUser': '*****@*****.***', 'createdByUserId': '*****', 'creator': '*****@*****.***', 'creatorId': '*****', 'fileName': '*****/None/*****/*****/*****', 'id': '*****', 'inputExample': '', 'inputInstructions': '', 'inputRequired': False, 'mgmtId': '*****', 'osTypes': ['linux'], 'outputFilePaths': None, 'scopeId': '*****', 'scopeLevel': 'account', 'scopeName': 'D3 Security', 'scopePath': 'Global\\D3 Security', 'scriptName': 'testScript0427b', 'scriptRuntimeTimeoutSeconds': 3600, 'scriptType': 'action', 'shortFileName': '*****', 'signature': '*****+n8/*****=', 'signatureType': 'SHA-256', 'updatedAt': '2022-04-27T17:39:37.350499Z', 'updater': None, 'updaterId': None, 'version': '1.0.0'}

pagination

{'nextCursor': None, 'totalItems': 1}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Scripts failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: accountIds: 0: Not a valid Identifier.

Error Sample Data

Get Scripts failed.

Status Code: 400.

Message: accountIds: 0: Not a valid Identifier.

Get Script Task Status

Retrieves remote script tasks based on the specified filters.

READER NOTE

The parameter Parent Task IDs is required to run this command.

  • Run the Run Script command to obtain Parent Task IDs. Parent Task IDs can be found in the raw data at the path $.data.parentTaskId.

If you run this command and see a value in the "nextcursor" field of the returned raw data, you can use that value in the Next Page parameter to retrieve the data on the next page.

Input

Input Parameter

Required/Optional

Description

Example

Parent Task IDs

Required

The list of Parent Task IDs to filter by. Parent Task IDs can be obtained using the Run Script command.

["*****"]

Computer Name Contains

Optional

The free-text filter by agent computer names. Multiple values are supported.

["DESKTOP", "AWS"]

Updated After

Optional

The filter to return tasks that were updated after the specified time.

2022-09-27 00:00

Updated Before

Optional

The filter to return tasks that were updated before the specified time.

2022-09-28 00:00

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": [
        {
            "accountId": "*****",
            "accountName": "D3 Security",
            "agentComputerName": "DESKTOP-*****",
            "agentId": "*****",
            "agentIsActive": true,
            "agentIsDecommissioned": false,
            "agentMachineType": "desktop",
            "agentOsType": "windows",
            "agentUuid": "*****",
            "createdAt": "2022-04-27T18:40:09.398069Z",
            "description": "test task desc0427b",
            "detailedStatus": "Execution completed successfully",
            "groupId": "*****",
            "groupName": "Default Group",
            "id": "*****",
            "initiatedBy": "*****",
            "initiatedById": "*****",
            "parentTaskId": "*****",
            "scriptResultsSignature": "*****",
            "siteId": "*****",
            "siteName": "site2",
            "status": "completed",
            "statusDescription": "Completed",
            "type": "script_execution",
            "updatedAt": "2022-04-27T18:41:20.726595Z"
        }
    ],
    "pagination": {
        "nextCursor": null,
        "totalItems": 1
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "TaskIDs": ["*****"],
  "ParentTaskIDs": ["*****"],
  "Statuses": ["completed"],
  "Descriptions": [ "test task desc0427b" ] 
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Script Task Status failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized access.

Error Sample Data

Get Script Task Status failed.

Status Code: 403.

Message: Unauthorized access.

Get Sites

Retrieves sites of the specified criteria.

READER NOTE

The parameter Account IDs is optional to run this command.

  • Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.

If you run this command and see "nextcursor" field has value in the returned raw data, it can be used in the Next Page parameter to get the data in next page.

Input

Input Parameter

Required/Optional

Description

Example

Site IDs

Optional

The list of Site IDs to filter sites.

[

"*****",

"*****"

]

Account IDs

Optional

The list of Account IDs to filter sites. Account IDs can be obtained using the List Accounts command.

[

"*****",

"

info

*****"

]

Query

Optional

The query string for full-text search of fields. The available fields are name, account_name and description.

name

State

Optional

The state (i.e. active, deleted, or expired) of the sites to filter results.

Active

Limit

Optional

The maximum number of results to return (between 1-1000). Up to 1000 results will be returned if you leave this field empty.

100

Offset

Optional

The number up to which result to skip. For example, if the defined value is 50, results from 1 to 50 will be skipped. To skip more than 1000 results, use the Next Page input parameter.

1

Sort By

Optional

The column (if selected) to sort results by. Available inputs are activeLicenses, createdAt, expiration, siteType, sku, id, state, suite, totalLicenses and updatedAt.

Create At

Direction

Optional

The results sorted in ascending or descending order. The default value is Ascending.

Ascending

Next Page

Optional

The pagination through collections of data by setting the parameter with the nextCursor attribute returned by a previous request's response metadata.

*****

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": {
        "allSites": {
            "activeLicenses": 2,
            "totalLicenses": 25
        },
        "sites": [
            {
                "accountId": "*****",
                "accountName": "D3 Security",
                "activeLicenses": 2,
                "createdAt": "2021-12-14T19:19:37.297355Z",
                "creator": "*****",
                "creatorId": "*****",
                "description": "updated descpt 1",
                "expiration": "2022-12-31T11:00:00Z",
                "externalId": "*****",
                "healthStatus": true,
                "id": "*****",
                "isDefault": true,
                "licenses": {
                    "bundles": [
                        {
                            "displayName": "Core",
                            "majorVersion": 1,
                            "minorVersion": 1,
                            "name": "core",
                            "surfaces": [
                                {
                                    "count": 25,
                                    "name": "Total Agents"
                                }
                            ],
                            "totalSurfaces": 25
                        }
                    ],
                    "modules": [],
                    "settings": [
                        {
                            "displayName": "365 Days",
                            "settingGroup": "malicious_data_retention",
                            "settingGroupDisplayName": "Malicious Data Retention"
                        },
                        {
                            "displayName": "Available",
                            "settingGroup": "marketplace_access_status",
                            "settingGroupDisplayName": "Marketplace Access"
                        }
                    ]
                },
                "name": "Default site",
                "registrationToken": "*****",
                "siteType": "Paid",
                "sku": "Core",
                "state": "active",
                "suite": "Core",
                "totalLicenses": 25,
                "unlimitedExpiration": false,
                "unlimitedLicenses": false,
                "updatedAt": "2022-07-20T00:58:26.337906Z"
            }
        ]
    },
    "pagination": {
        "nextCursor": "*****",
        "totalItems": 2
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "SiteNames": ["Default site", "site2" ],
  "AccountIDs": ["*****","*****"],
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

data

{'allSites': {'activeLicenses': 2, 'totalLicenses': 25}, 'sites': [{'accountId': '*****', 'accountName': 'D3 Security', 'activeLicenses': 2, 'createdAt': '2021-12-14T19:19:37.297355Z', 'creator': '*****', 'creatorId': '*****', 'description': 'updated descpt 1', 'expiration': '2022-12-31T11:00:00Z', 'externalId': '*****', 'healthStatus': True, 'id': '*****', 'isDefault': True, 'licenses': {'bundles': [{'displayName': 'Core', 'majorVersion': 1, 'minorVersion': 1, 'name': 'core', 'surfaces': [{'count': 25, 'name': 'Total Agents'}], 'totalSurfaces': 25}], 'modules': [], 'settings': [{'displayName': '365 Days', 'settingGroup': 'malicious_data_retention', 'settingGroupDisplayName': 'Malicious Data Retention'}, {'displayName': 'Available', 'settingGroup': 'marketplace_access_status', 'settingGroupDisplayName': 'Marketplace Access'}]}, 'name': 'Default site', 'registrationToken': '*****', 'siteType': 'Paid', 'sku': 'Core', 'state': 'active', 'suite': 'Core', 'totalLicenses': 25, 'unlimitedExpiration': False, 'unlimitedLicenses': False, 'updatedAt': '2022-07-20T00:58:26.337906Z'}]}

pagination

{'nextCursor': '*****', 'totalItems': 2}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Sites failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: accountIds: 0: Not a valid Identifier.

Error Sample Data

Get Sites failed.

Status Code: 400.

Message: accountIds: 0: Not a valid Identifier.

Get Star Custom Rules

Retrieves a list of star custom rules for a given scope.

READER NOTE

Account IDs, Site IDs, Group IDs are optional parameters to run this command.

  • Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.

  • Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.

  • Run the Get Groups command to obtain Group IDs. Group IDs can be found in the raw data at the path $.data.id.

Input

Input Parameter

Required/Optional

Description

Example

Account IDs

Optional

The account IDs to filter. Account IDs can be obtained using the List Accounts command.

["*****"]

Site IDs

Optional

The site IDs to filter. Site IDs can be obtained using the Get Sites command.

["*****"]

Group IDs

Optional

The group IDs to filter. Group IDs can be obtained using the Get Groups command.

["*****"]

Rule IDs

Optional

The star custom rule IDs to filter.

["*****"]

Creator

Optional

The free-text filtered by rule creator.

[ "*****" ]

Name

Optional

The free-text filtered by rule name.

[ "test" ]

Status

Optional

The status of rules to filter. Available options include Activating, Active, Deleted, Deleting, Disabled, Disabling and Draft.

[ "Active" ]

Query

Optional

The free-text filtered by S1 query.

[ "test" ]

Query Type

Optional

The return rules filter by type. The available options are Events and Processes.

[ "events" ]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": [
        {
            "accountId": "*****",
            "accountName": "D3 Security",
            "activeResponse": true,
            "createdAt": "2022-03-28T17:25:51.263572Z",
            "creator": "*****@*****.***",
            "creatorId": "*****",
            "description": "ps",
            "editable": true,
            "expiration": null,
            "expirationMode": "Permanent",
            "expired": false,
            "generatedAlerts": 0,
            "id": "*****",
            "lastAlertTime": null,
            "name": "testRule2",
            "networkQuarantine": false,
            "queryLang": "1.0",
            "queryType": "events",
            "reachedLimit": false,
            "s1ql": "SrcProcParentName Contains Anycase \"powershell.exe (interactive session)\"",
            "scope": "account",
            "scopeId": [
                "*****"
            ],
            "scopeName": "D3 Security",
            "severity": "High",
            "siteId": null,
            "siteName": null,
            "status": "Active",
            "statusReason": "Rule was activated by *****@*****.***",
            "treatAsThreat": "Suspicious",
            "updatedAt": "2022-03-29T19:35:50.728863Z",
            "updater": "*****@*****.***",
            "updaterId": "*****"
        }
    ],
    "pagination": {
        "nextCursor": null,
        "totalItems": 1
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "RuleIDs": ["*****"],
  "RuleNames": ["testRule2"], 
  "Statuses": ["Active"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Star Custom Rules failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: accountIds: 0: Not a valid Identifier.

Error Sample Data

Get Star Custom Rules failed.

Status Code: 400.

Message: accountIds: 0: Not a valid Identifier.

Get System Info

Retrieves the console build, version, patch, and release information.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": {
        "build": "29",
        "latestAgentVersion": "22.3",
        "patch": "",
        "release": "X",
        "version": "32"
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "Version": "32",
  "LatestAgentVersion": "22.3"
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get System Info failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized access.

Error Sample Data

Get System Info failed.

Status Code: 403.

Message: Unauthorized access.

Get System Status

Retrieves an indication of the system's health status.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": {
        "health": "ok"
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "HealthStatus": "ok" 
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get System Status failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized access.

Error Sample Data

Get System Status failed.

Status Code: 403.

Message: Unauthorized access.

Get Threat

Returns a list of threats matching the specified criteria. The threats will be listed in ascending order (from oldest to latest).

READER NOTE

The parameter Storylines is an optional parameter to run this command.

  • Run the Get Alerts command to obtain Storylines. Storylines can be found in the raw data at the path $.data[*].sourceProcessInfo.storyline.

To view threats related to an alert, use the Get Threat command with Storylines obtained from this command as the input parameter.

Input

Input Parameter

Required/Optional

Description

Example

Limit

Optional

The maximum number of returned items (between 1-1000). Up to 1000 threats will be returned if you leave this field empty.

2

Custom Input

Optional

The defining of a query in JSON format to filter results. Please refer to https://usea1-partners.sentinelone.net/api-doc/api-details?category=threats=get-threats for more information about the available custom inputs.

{

"createdAt__gt": "2020-07-30 17:53:25"

}

Storylines

Optional

The storyline ID(s) to retrieve related threats. Storylines can be obtained using the Get Alerts command to retrieve alert related threats.

[ "*****" ]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": [
        {
            "agentDetectionInfo": {
                "accountId": "*****",
                "accountName": "D3 Security",
                "agentDetectionState": null,
                "agentDomain": "D3CYBER7",
                "agentIpV4": "***.***.***.***",
                "agentIpV6": "****::****:****:****:****",
                "agentLastLoggedInUpn": null,
                "agentLastLoggedInUserMail": null,
                "agentLastLoggedInUserName": "user1",
                "agentMitigationMode": "protect",
                "agentOsName": "Windows 10 Pro",
                "agentOsRevision": "19042",
                "agentRegisteredAt": "2022-01-28T21:27:27.075208Z",
                "agentUuid": "*****",
                "agentVersion": "***.***.***.***",
                "cloudProviders": {},
                "externalIp": "***.***.***.***",
                "groupId": "*****",
                "groupName": "Default Group",
                "siteId": "*****",
                "siteName": "Default site"
            },
            "agentRealtimeInfo": {
                "accountId": "*****",
                "accountName": "D3 Security",
                "activeThreats": 0,
                "agentComputerName": "D3cyber7CE",
                "agentDecommissionedAt": true,
                "agentDomain": "MISSING DOMAIN",
                "agentId": "*****",
                "agentInfected": false,
                "agentIsActive": false,
                "agentIsDecommissioned": true,
                "agentMachineType": "desktop",
                "agentMitigationMode": "detect",
                "agentNetworkStatus": "connected",
                "agentOsName": "Windows 10 Pro",
                "agentOsRevision": "19044",
                "agentOsType": "windows",
                "agentUuid": "*****",
                "agentVersion": "***.***.***.***",
                "groupId": "*****",
                "groupName": "Default Group",
                "networkInterfaces": [
                    {
                        "id": "*****",
                        "inet": [
                            "***.***.***.***"
                        ],
                        "inet6": [
                            "****::****:****:****:****"
                        ],
                        "name": "Ethernet0",
                        "physical": "**:**:**:**:**:**"
                    }
                ],
                "operationalState": "na",
                "rebootRequired": false,
                "scanAbortedAt": null,
                "scanFinishedAt": "2022-01-28T23:08:52.562407Z",
                "scanStartedAt": "2022-01-28T21:29:32.558712Z",
                "scanStatus": "finished",
                "siteId": "*****",
                "siteName": "Default site",
                "storageName": null,
                "storageType": null,
                "userActionsNeeded": []
            },
            "containerInfo": {
                "id": null,
                "image": null,
                "labels": null,
                "name": null
            },
            "id": "*****",
            "indicators": [],
            "kubernetesInfo": {
                "cluster": null,
                "controllerKind": null,
                "controllerLabels": null,
                "controllerName": null,
                "namespace": null,
                "namespaceLabels": null,
                "node": null,
                "pod": null,
                "podLabels": null
            },
            "mitigationStatus": [
                {
                    "action": "quarantine",
                    "actionsCounters": {
                        "failed": 1,
                        "notFound": 0,
                        "pendingReboot": 0,
                        "success": 0,
                        "total": 1
                    },
                    "agentSupportsReport": true,
                    "groupNotFound": false,
                    "lastUpdate": "2022-01-28T21:52:13.196930Z",
                    "latestReport": "/threats/mitigation-report/*****",
                    "mitigationEndedAt": "2022-01-28T21:52:08.129000Z",
                    "mitigationStartedAt": "2022-01-28T21:52:08.129000Z",
                    "status": "failed"
                },
                {
                    "action": "kill",
                    "actionsCounters": null,
                    "agentSupportsReport": true,
                    "groupNotFound": false,
                    "lastUpdate": "2022-01-28T21:52:12.798812Z",
                    "latestReport": null,
                    "mitigationEndedAt": "2022-01-28T21:52:12.792052Z",
                    "mitigationStartedAt": "2022-01-28T21:52:12.792051Z",
                    "status": "success"
                }
            ],
            "threatInfo": {
                "analystVerdict": "true_positive",
                "analystVerdictDescription": "True positive",
                "automaticallyResolved": true,
                "browserType": null,
                "certificateId": "",
                "classification": "Trojan",
                "classificationSource": "Cloud",
                "cloudFilesHashVerdict": "black",
                "collectionId": "*****",
                "confidenceLevel": "malicious",
                "createdAt": "2022-01-28T21:52:08.323075Z",
                "detectionEngines": [
                    {
                        "key": "sentinelone_cloud",
                        "title": "SentinelOne Cloud"
                    }
                ],
                "detectionType": "static",
                "engines": [
                    "SentinelOne Cloud"
                ],
                "externalTicketExists": false,
                "externalTicketId": null,
                "failedActions": true,
                "fileExtension": "EXE",
                "fileExtensionType": "Executable",
                "filePath": "\\***\\***\\***\\**\\***.exe",
                "fileSize": 20992,
                "fileVerificationType": "Other",
                "identifiedAt": "2022-01-28T21:52:08.113000Z",
                "incidentStatus": "resolved",
                "incidentStatusDescription": "Resolved",
                "initiatedBy": "agent_policy",
                "initiatedByDescription": "Agent Policy",
                "initiatingUserId": null,
                "initiatingUsername": null,
                "isFileless": false,
                "isValidCertificate": false,
                "maliciousProcessArguments": null,
                "md5": null,
                "mitigatedPreemptively": false,
                "mitigationStatus": "not_mitigated",
                "mitigationStatusDescription": "Not mitigated",
                "originatorProcess": "powershell.exe (interactive session)",
                "pendingActions": false,
                "processUser": "***\\***",
                "publisherName": "",
                "reachedEventsLimit": false,
                "rebootRequired": false,
                "sha1": "*****",
                "sha256": null,
                "storyline": "*****",
                "threatId": "*****",
                "threatName": "*****.exe",
                "updatedAt": "2022-09-15T23:18:04.041510Z"
            },
            "whiteningOptions": [
                "hash"
            ]
        }
    ],
    "pagination": {
        "nextCursor": "*****",
        "totalItems": 507
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "Threat id": ["*****","*****"],
  "sha1": ["*****","*****"],  
  "collectionId": ["*****","*****"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

agentDetectionInfo

agentRealtimeInfo

containerInfo

id

indicators

kubernetesInfo

mitigationStatus

threatInfo

whiteningOptions

{'accountId': '*****', 'accountName': 'D3 Security', 'agentDetectionState': None, 'agentDomain': 'D3CYBER7', 'agentIpV4': '***.***.***.***', 'agentIpV6': '****::****:****:****:****', 'agentLastLoggedInUpn': None, 'agentLastLoggedInUserMail': None, 'agentLastLoggedInUserName': 'user1', 'agentMitigationMode': 'protect', 'agentOsName': 'Windows 10 Pro', 'agentOsRevision': '19042', 'agentRegisteredAt': '2022-01-28T21:27:27.075208Z', 'agentUuid': '*****', 'agentVersion': '***.***.***.***', 'cloudProviders': {}, 'externalIp': '***.***.***.***', 'groupId': '*****', 'groupName': 'Default Group', 'siteId': '*****', 'siteName': 'Default site'}

{'accountId': '*****', 'accountName': 'D3 Security', 'activeThreats': 0, 'agentComputerName': 'D3cyber7CE', 'agentDecommissionedAt': True, 'agentDomain': 'MISSING DOMAIN', 'agentId': '*****', 'agentInfected': False, 'agentIsActive': False, 'agentIsDecommissioned': True, 'agentMachineType': 'desktop', 'agentMitigationMode': 'detect', 'agentNetworkStatus': 'connected', 'agentOsName': 'Windows 10 Pro', 'agentOsRevision': '19044', 'agentOsType': 'windows', 'agentUuid': '*****', 'agentVersion': '***.***.***.***', 'groupId': '*****', 'groupName': 'Default Group', 'networkInterfaces': [{'id': '*****', 'inet': ['***.***.***.***'], 'inet6': ['****::****:****:****:****'], 'name': 'Ethernet0', 'physical': '**:**:**:**:**:**'}], 'operationalState': 'na', 'rebootRequired': False, 'scanAbortedAt': None, 'scanFinishedAt': '2022-01-28T23:08:52.562407Z', 'scanStartedAt': '2022-01-28T21:29:32.558712Z', 'scanStatus': 'finished', 'siteId': '*****', 'siteName': 'Default site', 'storageName': None, 'storageType': None, 'userActionsNeeded': []}

{'id': None, 'image': None, 'labels': None, 'name': None}

*****

[]

{'cluster': None, 'controllerKind': None, 'controllerLabels': None, 'controllerName': None, 'namespace': None, 'namespaceLabels': None, 'node': None, 'pod': None, 'podLabels': None}

[{'action': 'quarantine', 'actionsCounters': {'failed': 1, 'notFound': 0, 'pendingReboot': 0, 'success': 0, 'total': 1}, 'agentSupportsReport': True, 'groupNotFound': False, 'lastUpdate': '2022-01-28T21:52:13.196930Z', 'latestReport': '/threats/mitigation-report/*****', 'mitigationEndedAt': '2022-01-28T21:52:08.129000Z', 'mitigationStartedAt': '2022-01-28T21:52:08.129000Z', 'status': 'failed'}, {'action': 'kill', 'actionsCounters': None, 'agentSupportsReport': True, 'groupNotFound': False, 'lastUpdate': '2022-01-28T21:52:12.798812Z', 'latestReport': None, 'mitigationEndedAt': '2022-01-28T21:52:12.792052Z', 'mitigationStartedAt': '2022-01-28T21:52:12.792051Z', 'status': 'success'}]

{'analystVerdict': 'true_positive', 'analystVerdictDescription': 'True positive', 'automaticallyResolved': True, 'browserType': None, 'certificateId': '', 'classification': 'Trojan', 'classificationSource': 'Cloud', 'cloudFilesHashVerdict': 'black', 'collectionId': '*****', 'confidenceLevel': 'malicious', 'createdAt': '2022-01-28T21:52:08.323075Z', 'detectionEngines': [{'key': 'sentinelone_cloud', 'title': 'SentinelOne Cloud'}], 'detectionType': 'static', 'engines': ['SentinelOne Cloud'], 'externalTicketExists': False, 'externalTicketId': None, 'failedActions': True, 'fileExtension': 'EXE', 'fileExtensionType': 'Executable', 'filePath': '\\***\\***\\***\\**\\***.exe', 'fileSize': 20992, 'fileVerificationType': 'Other', 'identifiedAt': '2022-01-28T21:52:08.113000Z', 'incidentStatus': 'resolved', 'incidentStatusDescription': 'Resolved', 'initiatedBy': 'agent_policy', 'initiatedByDescription': 'Agent Policy', 'initiatingUserId': None, 'initiatingUsername': None, 'isFileless': False, 'isValidCertificate': False, 'maliciousProcessArguments': None, 'md5': None, 'mitigatedPreemptively': False, 'mitigationStatus': 'not_mitigated', 'mitigationStatusDescription': 'Not mitigated', 'originatorProcess': 'powershell.exe (interactive session)', 'pendingActions': False, 'processUser': 'D3CYBER7\\user1', 'publisherName': '', 'reachedEventsLimit': False, 'rebootRequired': False, 'sha1': '*****', 'sha256': None, 'storyline': '*****', 'threatId': '*****', 'threatName': '*****.exe', 'updatedAt': '2022-09-15T23:18:04.041510Z'}

['hash']

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Threat failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Insufficient permissions.

Error Sample Data

Get Threat failed.

Status Code: 403.

Message: Insufficient permissions.

Get Threat Analysis

Retrieves detailed threat analysis information of a specified threat. Note: This command will only work with a private API connection.

READER NOTE

Threat ID is a required parameter to run this command.

  • Run the Get Threat command to obtain Threat ID. Threat IDs can be found in the raw data at the path $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Threat ID

Required

The Threat ID to retrieve the corresponding threat analysis information. Threat ID can be obtained using the Get Threat command.

*****

Components

Optional

The threat components to return. If this parameter is not defined, all components will be returned. The available modules are agentDetectionInfo, agentRealtimeInfo, containerInfo, customDetectionRules, indicators, kubernetesInfo, mitigationStatus, threatInfo or whiteningOptions.

[

"threatInfo",

"indicators"

]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": {
        "threatInfo": {
            "analystVerdict": "false_positive",
            "analystVerdictDescription": "False positive",
            "automaticallyResolved": true,
            "browserType": null,
            "certificateId": "",
            "classification": "Trojan",
            "classificationSource": "Cloud",
            "cloudFilesHashVerdict": "black",
            "collectionId": "*****",
            "confidenceLevel": "malicious",
            "createdAt": "2022-01-28T21:52:08.323075Z",
            "detectionEngines": [
                {
                    "key": "sentinelone_cloud",
                    "title": "SentinelOne Cloud"
                }
            ],
            "detectionType": "static",
            "engines": [
                "SentinelOne Cloud"
            ],
            "externalTicketExists": false,
            "externalTicketId": null,
            "failedActions": true,
            "fileExtension": "EXE",
            "fileExtensionType": "Executable",
            "filePath": "\\***\\***\\***\\***\\***\\***\\***\\***.exe",
            "fileSize": 20992,
            "fileVerificationType": "Other",
            "identifiedAt": "2022-01-28T21:52:08.113000Z",
            "incidentStatus": "unresolved",
            "incidentStatusDescription": "Unresolved",
            "initiatedBy": "agent_policy",
            "initiatedByDescription": "Agent Policy",
            "initiatingUserId": null,
            "initiatingUsername": null,
            "isFileless": false,
            "isValidCertificate": false,
            "maliciousProcessArguments": null,
            "md5": null,
            "mitigatedPreemptively": false,
            "mitigationStatus": "marked_as_benign",
            "mitigationStatusDescription": "Marked as benign",
            "originatorProcess": "powershell.exe (interactive session)",
            "pendingActions": false,
            "processUser": "***\\***",
            "publisherName": "",
            "reachedEventsLimit": false,
            "rebootRequired": false,
            "sha1": "*****",
            "sha256": null,
            "storyline": "*****",
            "threatId": "*****",
            "threatName": "T1055.exe",
            "updatedAt": "2022-07-07T22:15:41.966262Z"
        }
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "ThreatID": *****,
  "ThreatName": T1055.exe
  "AnalystVerdict": false_positive,
  "ConfidenceLevel":  "malicious"
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

data

{'threatInfo': {'analystVerdict': 'false_positive', 'analystVerdictDescription': 'False positive', 'automaticallyResolved': True, 'browserType': None, 'certificateId': '', 'classification': 'Trojan', 'classificationSource': 'Cloud', 'cloudFilesHashVerdict': 'black', 'collectionId': '*****', 'confidenceLevel': 'malicious', 'createdAt': '2022-01-28T21:52:08.323075Z', 'detectionEngines': [{'key': 'sentinelone_cloud', 'title': 'SentinelOne Cloud'}], 'detectionType': 'static', 'engines': ['SentinelOne Cloud'], 'externalTicketExists': False, 'externalTicketId': None, 'failedActions': True, 'fileExtension': 'EXE', 'fileExtensionType': 'Executable', 'filePath': '\\***\\***\\***\\***\\***\\***\\***\\***.exe', 'fileSize': 20992, 'fileVerificationType': 'Other', 'identifiedAt': '2022-01-28T21:52:08.113000Z', 'incidentStatus': 'unresolved', 'incidentStatusDescription': 'Unresolved', 'initiatedBy': 'agent_policy', 'initiatedByDescription': 'Agent Policy', 'initiatingUserId': None, 'initiatingUsername': None, 'isFileless': False, 'isValidCertificate': False, 'maliciousProcessArguments': None, 'md5': None, 'mitigatedPreemptively': False, 'mitigationStatus': 'marked_as_benign', 'mitigationStatusDescription': 'Marked as benign', 'originatorProcess': 'powershell.exe (interactive session)', 'pendingActions': False, 'processUser': 'D3CYBER7\\user1', 'publisherName': '', 'reachedEventsLimit': False, 'rebootRequired': False, 'sha1': '*****', 'sha256': None, 'storyline': '*****', 'threatId': '*****', 'threatName': 'T1055.exe', 'updatedAt': '2022-07-07T22:15:41.966262Z'}}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Threat Analysis failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Threat ID xxx was not found.

Error Sample Data

Get Threat Analysis failed.

Status Code: 404.

Message: Threat ID xxx was not found.

Get Threat Events

Retrieves events of a specified Threat ID and filters results based on the specified criteria.

READER NOTE

Threat ID is a required parameter to run this command.

  • Run the Fetch Event command to obtain Threat ID. Choose the Event Source parameter to Threat. Threat ID is the threat event id, which can be found in the raw data at the path $.id.

  • You should not use the Get Threat command since not all threats are events. If you use the not event threat ID, then this command will return success with no result.

Process Name is an optional parameter to run this command.

  • Get Threat Events command to obtain Process Name. Process Names can be found in the raw data at the path $.data[*].processName.

If you run this command and get "nextCursor" field in the returned raw data, you may use the value to input in the NextPage parameter to obtain the next page data

Input

Input Parameter

Required/Optional

Description

Example

Threat ID

Required

The Threat ID to retrieve events from. Threat ID can be obtained using the Fetch Event command.

*****

Use Private Call

Optional

The command will retrieve events using a private API (True) or public API (False).

True

Event ID

Optional

The Event ID (Process Unique Key) to filter events.

*****

Event Types

Optional

The event types available options include: events, dns, logins, module, registry, url, scheduled_task, process, file, indicators and ip to filter events. Please note that this field is case sensitive, only lowercase can be accepted. Event Types can be obtained using the Get Threat Events command with the Event ID parameter left empty. After running the command, the EventTypes can be found in the raw data at the path $.data[*].objectType.

[

"events",

"file",

"ip",

"process"

]

Event Sub Types

Optional

The event subtypes to filter events. Event Sub Types can be obtained using the Get Threat Events command from the Key Fields. The possible inputs are categorized as the subtypes of files below: FILEDELETION, FILEMODIFICATION, FILECREATION, FILERENAME, FILESCAN. Subtypes of processes: PROCESSCREATION, PROCESSMODIFICATION, PROCESSTERMINATION. Subtypes of IPs: TCPV4, TCPV4LISTEN, TCPV6, TCPV6LISTEN. Subtypes of indicators: BEHAVIORALINDICATORS. Subtypes of logins: LOGIN, LOGOUT. Subtypes of module: MODULE. Subtypes of DNS: DNS. Subtypes of URL: HTTP. Subtypes of registry: REGISTRYACTION, REGKEYCREATE, REGKEYDELETE, REGKEYEXPORT, REGKEYIMPORT, REGKEYRENAME, REGKEYSECURITYCHANGED, REGVALUECREATE, REGVALUEMODIFIED. Subtypes of scheduled_task: SCHEDTASKDELETE, SCHEDTASKREGISTER, SCHEDTASKSTART, SCHEDTASKTRIGGER, SCHEDTASKUPDATE. Please note that this field is case sensitive, only uppercase letters are valid.

[

"FILEDELETION",

"FILEMODIFICATION"

]

Process Name

Optional

The process name (partial or whole) to filter events.

conhost.exe

Count Only

Optional

The total count of events in the returned Raw Data under the key "totalItems", if True is selected. The default value is False.

False

Skip Count

Optional

The selection of True will skip the total event count function to reduce the running time of the command. If True is selected in this parameter, the "totalItems" in returned Raw Data will be 0. The default value is False.

False

Limit

Optional

The maximum number of events to return (between 1 to 1000). Up to 1000 results will be returned if this field is left empty.

100

Offset

Optional

The number up to which results to skip. To skip more than 1000 results, use the Next Page input parameter.

1

Sort By

Optional

The column selected and used to sort results.

Create At

Direction

Optional

The results sorted in ascending or descending order. The default value is Ascending.

Ascending

Next Page

Optional

The pagination through collections of data by setting the parameter with the nextCursor attribute returned by a previous request's response_metadata.

*****

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": [
        {
            "activeContentFileId": null,
            "activeContentHash": null,
            "activeContentPath": null,
            "agentDomain": "WORKGROUP",
            "agentGroupId": "*****",
            "agentId": "*****",
            "agentInfected": true,
            "agentIp": "***.***.***.***",
            "agentIsActive": false,
            "agentIsDecommissioned": true,
            "agentMachineType": "desktop",
            "agentName": "DESKTOP-*****",
            "agentNetworkStatus": "connected",
            "agentOs": "windows",
            "agentUuid": "*****",
            "agentVersion": "***.***.***.***",
            "attributes": [
                {
                    "display": "Target Process Root",
                    "displayAttribute": true,
                    "fieldId": "processRoot",
                    "section": "Other Attributes",
                    "type": "boolean",
                    "value": "False"
                },
                {
                    "display": "Target Process Name",
                    "displayAttribute": true,
                    "fieldId": "processName",
                    "section": "Other Attributes",
                    "type": "string",
                    "value": "powershell.exe (CLI interpreter)"
                },
                {
                    "display": "Source Process Name",
                    "displayAttribute": true,
                    "fieldId": "parentProcessName",
                    "section": "Other Attributes",
                    "type": "string",
                    "value": null
                },
                {
                    "display": "Has Active Content",
                    "displayAttribute": true,
                    "fieldId": "hasActiveContent",
                    "section": "Other Attributes",
                    "type": "boolean",
                    "value": null
                }
            ],
            "connectionStatus": null,
            "createdAt": "2022-04-27T18:29:03.999000Z",
            "direction": null,
            "dnsRequest": null,
            "dnsResponse": null,
            "dstIp": null,
            "dstPort": null,
            "eventType": "Process Creation",
            "fileFullName": null,
            "fileId": null,
            "fileMd5": null,
            "fileSha1": "",
            "fileSha256": null,
            "fileSize": null,
            "fileType": null,
            "hasActiveContent": null,
            "id": "*****",
            "indicatorCategory": null,
            "indicatorDescription": null,
            "indicatorMetadata": null,
            "indicatorName": null,
            "loginsBaseType": null,
            "loginsUserName": null,
            "md5": null,
            "networkMethod": null,
            "networkSource": null,
            "networkUrl": null,
            "objectType": "process",
            "oldFileMd5": null,
            "oldFileName": null,
            "oldFileSha1": null,
            "oldFileSha256": null,
            "parentPid": null,
            "parentProcessName": null,
            "parentProcessUniqueKey": null,
            "pid": "*****",
            "processCmd": "-executionpolicy bypass \"&\"C:\\***\\***\\***\\***\\***\"\"  2>>\"C:\\***\\***\\***\\***\" 1>>\"C:\\Pr***\\***\\***\\***\"",
            "processDisplayName": "powershell.exe (CLI interpreter)",
            "processGroupId": "*****",
            "processImagePath": "",
            "processImageSha1Hash": "",
            "processIntegrityLevel": null,
            "processIsRedirectedCommandProcessor": null,
            "processIsWow64": null,
            "processName": "powershell.exe (CLI interpreter)",
            "processRoot": "False",
            "processSessionId": null,
            "processStartTime": "2022-04-27T18:30:11.543000Z",
            "processSubSystem": null,
            "processUniqueKey": "*****",
            "processUserName": null,
            "protocol": null,
            "publisher": null,
            "registryClassification": null,
            "registryId": null,
            "registryPath": null,
            "relatedToThreat": true,
            "rpid": null,
            "sha1": "",
            "sha256": null,
            "signatureSignedInvalidReason": null,
            "signedStatus": null,
            "siteName": "site2",
            "srcIp": null,
            "srcPort": null,
            "storyline": "*****",
            "taskName": null,
            "taskPath": null,
            "threatStatus": "not_mitigated",
            "tid": null,
            "trueContext": "*****",
            "user": null,
            "verifiedStatus": null
        }
    ],
    "pagination": {
        "nextCursor": "*****",
        "totalItems": 16
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "EventIDs": ["*****","*****"],
  "EventTypes": ["process","ip"],
  "EventSubTypes": ["ProcessCreation","IPConnect"],
  "ProccessNames": [ "powershell.exe (CLI interpreter)", "conhost.exe" ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

data

  • {'activeContentFileId': None, 'activeContentHash': None, 'activeContentPath': None, 'agentDomain': 'WORKGROUP', 'agentGroupId': '*****', 'agentId': '*****', 'agentInfected': True, 'agentIp': '***.***.***.***', 'agentIsActive': False, 'agentIsDecommissioned': True, 'agentMachineType': 'desktop', 'agentName': 'DESKTOP-*****', 'agentNetworkStatus': 'connected', 'agentOs': 'windows', 'agentUuid': '*****', 'agentVersion': '***.***.***.***', 'attributes': [{'display': 'Target Process Root', 'displayAttribute': True, 'fieldId': 'processRoot', 'section': 'Other Attributes', 'type': 'boolean', 'value': 'False'}, {'display': 'Target Process Name', 'displayAttribute': True, 'fieldId': 'processName', 'section': 'Other Attributes', 'type': 'string', 'value': 'powershell.exe (CLI interpreter)'}, {'display': 'Source Process Name', 'displayAttribute': True, 'fieldId': 'parentProcessName', 'section': 'Other Attributes', 'type': 'string', 'value': None}, {'display': 'Has Active Content', 'displayAttribute': True, 'fieldId': 'hasActiveContent', 'section': 'Other Attributes', 'type': 'boolean', 'value': None}], 'connectionStatus': None, 'createdAt': '2022-04-27T18:29:03.999000Z', 'direction': None, 'dnsRequest': None, 'dnsResponse': None, 'dstIp': None, 'dstPort': None, 'eventType': 'Process Creation', 'fileFullName': None, 'fileId': None, 'fileMd5': None, 'fileSha1': '', 'fileSha256': None, 'fileSize': None, 'fileType': None, 'hasActiveContent': None, 'id': '*****', 'indicatorCategory': None, 'indicatorDescription': None, 'indicatorMetadata': None, 'indicatorName': None, 'loginsBaseType': None, 'loginsUserName': None, 'md5': None, 'networkMethod': None, 'networkSource': None, 'networkUrl': None, 'objectType': 'process', 'oldFileMd5': None, 'oldFileName': None, 'oldFileSha1': None, 'oldFileSha256': None, 'parentPid': None, 'parentProcessName': None, 'parentProcessUniqueKey': None, 'pid': '*****', 'processCmd': '-executionpolicy bypass "&"C:\\***\\***\\***\\***\\***"" 2>>"C:\\***\\***\\***\\***" 1>>"C:\\Pr***\\***\\***\\***"', 'processDisplayName': 'powershell.exe (CLI interpreter)', 'processGroupId': '*****', 'processImagePath': '', 'processImageSha1Hash': '', 'processIntegrityLevel': None, 'processIsRedirectedCommandProcessor': None, 'processIsWow64': None, 'processName': 'powershell.exe (CLI interpreter)', 'processRoot': 'False', 'processSessionId': None, 'processStartTime': '2022-04-27T18:30:11.543000Z', 'processSubSystem': None, 'processUniqueKey': '*****', 'processUserName': None, 'protocol': None, 'publisher': None, 'registryClassification': None, 'registryId': None, 'registryPath': None, 'relatedToThreat': True, 'rpid': None, 'sha1': '', 'sha256': None, 'signatureSignedInvalidReason': None, 'signedStatus': None, 'siteName': 'site2', 'srcIp': None, 'srcPort': None, 'storyline': '*****', 'taskName': None, 'taskPath': None, 'threatStatus': 'not_mitigated', 'tid': None, 'trueContext': '*****', 'user': None, 'verifiedStatus': None}

pagination

{'nextCursor': '*****', 'totalItems': 16}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Threat Events failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Threat ID xxx not found.

Error Sample Data

Get Threat Events failed.

Status Code: 404.

Message: Threat ID xxx not found.

Initiate Scan

Initiates a Full Disk Scan on Agents that match the specified filters. Full Disk Scan finds dormant suspicious activity, threats, and compliance violations in the local file system, that are then mitigated according to the policy. If both optional input parameters are not defined, all Agents will be scanned.

READER NOTE

The parameter Agent IDs is optional to run this command.

  • Run the List Agent command to obtain Agent IDs. Agent IDs can be found in the raw data at the path $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Agent IDs

Optional

The IDs of the agents to scan. Agent ID can be obtained using the List Agent command.

[ "*****" ]

Filter

Optional

The filter to scan Agents. Leave this parameter empty to scan all applicable agents. Please refer to https://usea1-partners.sentinelone.net/api-doc/api-details?category=agent-actions=initiate-scan for more information about the filter syntax.

{

"computerName": "DESKTOP-*****"

}

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": {
        "affected": 1
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "AffectedAgents": 1
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

data

{'affected': 1}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Initiate Scan failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Authentication Failed.

Error Sample Data

Initiate Scan failed.

Status Code: 401.

Message: Authentication Failed.

Kill Processes

Stops all processes related to the threat(s) matching filter on the specified host(s).

READER NOTE

The parameter Threat IDs is optional to run this command.

  • Run the Get Threat command to obtain Threat IDs. Threat IDs can be found in the raw data at the path $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Computer Names

Required

The name(s) of the computer(s) on which the processes are killed.

[ "lab3-pc1" ]

Originated Process Names

Optional

The originated process name(s) of the threat(s) whose processes will be killed.

[ "svchost.exe" ]

Threat IDs

Optional

The ID(s) of the threat(s) whose processes will be killed. Threat IDs can be obtained using the Get Threat command.

[ "*****" ]

File Paths

Optional

The file path(s) to search.

[ "\***\***\***\***\***.exe" ]

Content Hashes

Optional

The SHA-1 Hash value(s) to search.

[ "*****" ]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": {
        "affected": 1,
        "details": [
            {
                "reports": [],
                "skipped": [
                    {
                        "action": "kill",
                        "description": "Mitigation action already in progress / finished.",
                        "reason": "triggered"
                    }
                ],
                "threatId": "*****"
            }
        ]
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "AffectedThreats": 1
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

data

{'affected': 1, 'details': [{'reports': [], 'skipped': [{'action': 'kill', 'description': 'Mitigation action already in progress / finished.', 'reason': 'triggered'}], 'threatId': '*****'}]}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Kill Processes failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: UNAUTHORIZED. Please check D3Error object in RawData for more details.

Error Sample Data

Kill Processes failed.

Status Code: 401.

Message: UNAUTHORIZED. Please check D3Error object in RawData for more details.

List Accounts

Retrieves a list of accounts that match the specified filter.

READER NOTE

If you run this command and see "nextcursor" field has value in the returned raw data, it can be used in the Next Page parameter to get the data in next page.

Input

Input Parameter

Required/Optional

Description

Example

Account IDs

Optional

The account ID(s) to filter the results.

[

"*****",

"*****"

]

Name

Optional

The string to apply a full-text search of account names (full or partial names).

D3 Security

State

Optional

The accounts filtered by state.

[ Active ]

Limit

Optional

The maximum number of returned results (between 1-1000). Up to 1000 results will be returned if this field is left empty.

100

Offset

Optional

The number up to which result to skip. For example, if the defined value is 50, results from 1 to 50 will be skipped. To skip more than 1000 results, use the Next Page input parameter.

1

Sort By

Optional

The column to sort results by. Available options are Creation Time, Update Time, Account ID, Name, State and Usage Type.

Creation Time

Direction

Optional

The results sorted in ascending or descending order. The default value is Ascending.

Ascending

Next Page

Optional

The pagination through collections of data by setting the parameter with the nextCursor attribute returned by a previous request's response metadata.

*****

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": [
        {
            "accountType": "Paid",
            "activeAgents": 2,
            "agentsInCompleteSku": 0,
            "agentsInControlSku": 0,
            "agentsInCoreSku": 2,
            "completeSites": 1,
            "controlSites": 0,
            "coreSites": 1,
            "createdAt": "2021-12-14T19:19:37.295127Z",
            "creator": "Sandeep Minhas",
            "creatorId": "*****",
            "expiration": "2022-12-31T11:00:00Z",
            "externalId": "*****",
            "id": "*****",
            "isDefault": false,
            "licenses": {
                "bundles": [
                    {
                        "displayName": "Core",
                        "majorVersion": 1,
                        "minorVersion": 1,
                        "name": "core",
                        "surfaces": [
                            {
                                "count": 25,
                                "name": "Total Agents"
                            }
                        ],
                        "totalSurfaces": 25
                    },
                    {
                        "displayName": "Control",
                        "majorVersion": 1,
                        "minorVersion": 1,
                        "name": "control",
                        "surfaces": [
                            {
                                "count": 25,
                                "name": "Total Agents"
                            }
                        ],
                        "totalSurfaces": 25
                    },
                    {
                        "displayName": "Complete",
                        "majorVersion": 1,
                        "minorVersion": 1,
                        "name": "complete",
                        "surfaces": [
                            {
                                "count": 25,
                                "name": "Total Agents"
                            }
                        ],
                        "totalSurfaces": 25
                    }
                ],
                "modules": [
                    {
                        "displayName": "Remote Script Orchestration",
                        "majorVersion": 1,
                        "name": "rso"
                    },
                    {
                        "displayName": "STAR",
                        "majorVersion": 1,
                        "name": "star"
                    }
                ],
                "settings": [
                    {
                        "displayName": "14 Days",
                        "settingGroup": "dv_retention",
                        "settingGroupDisplayName": "Deep Visibility Data Retention"
                    },
                    {
                        "displayName": "365 Days",
                        "settingGroup": "malicious_data_retention",
                        "settingGroupDisplayName": "Malicious Data Retention"
                    },
                    {
                        "displayName": "Enabled",
                        "settingGroup": "remote_shell_availability",
                        "settingGroupDisplayName": "Remote Shell"
                    },
                    {
                        "displayName": "Available",
                        "settingGroup": "marketplace_access_status",
                        "settingGroupDisplayName": "Marketplace Access"
                    }
                ]
            },
            "name": "D3 Security",
            "numberOfSites": 2,
            "skus": [
                {
                    "agentsInSku": 0,
                    "totalLicenses": 25,
                    "type": "Core",
                    "unlimited": false
                },
                {
                    "agentsInSku": 0,
                    "totalLicenses": 25,
                    "type": "Control",
                    "unlimited": false
                },
                {
                    "agentsInSku": 0,
                    "totalLicenses": 25,
                    "type": "Complete",
                    "unlimited": false
                }
            ],
            "state": "active",
            "totalComplete": 25,
            "totalControl": 25,
            "totalCore": 25,
            "totalLicenses": 75,
            "unlimitedComplete": false,
            "unlimitedControl": false,
            "unlimitedCore": false,
            "unlimitedExpiration": false,
            "updatedAt": "2022-07-19T16:35:21.244915Z"
        }
    ],
    "pagination": {
        "nextCursor": null,
        "totalItems": 1
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "AccountIDs": ["*****","*****"],
  "AccountNames": [ "D3 Security", "D3 Security2" ],
  "AccountStates": ["active","deleted"] 
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

data

{'accountType': 'Paid', 'activeAgents': 2, 'agentsInCompleteSku': 0, 'agentsInControlSku': 0, 'agentsInCoreSku': 2, 'completeSites': 1, 'controlSites': 0, 'coreSites': 1, 'createdAt': '2021-12-14T19:19:37.295127Z', 'creator': 'Sandeep Minhas', 'creatorId': '*****', 'expiration': '2022-12-31T11:00:00Z', 'externalId': '*****c', 'id': '*****', 'isDefault': False, 'licenses': {'bundles': [{'displayName': 'Core', 'majorVersion': 1, 'minorVersion': 1, 'name': 'core', 'surfaces': [{'count': 25, 'name': 'Total Agents'}], 'totalSurfaces': 25}, {'displayName': 'Control', 'majorVersion': 1, 'minorVersion': 1, 'name': 'control', 'surfaces': [{'count': 25, 'name': 'Total Agents'}], 'totalSurfaces': 25}, {'displayName': 'Complete', 'majorVersion': 1, 'minorVersion': 1, 'name': 'complete', 'surfaces': [{'count': 25, 'name': 'Total Agents'}], 'totalSurfaces': 25}], 'modules': [{'displayName': 'Remote Script Orchestration', 'majorVersion': 1, 'name': 'rso'}, {'displayName': 'STAR', 'majorVersion': 1, 'name': 'star'}], 'settings': [{'displayName': '14 Days', 'settingGroup': 'dv_retention', 'settingGroupDisplayName': 'Deep Visibility Data Retention'}, {'displayName': '365 Days', 'settingGroup': 'malicious_data_retention', 'settingGroupDisplayName': 'Malicious Data Retention'}, {'displayName': 'Enabled', 'settingGroup': 'remote_shell_availability', 'settingGroupDisplayName': 'Remote Shell'}, {'displayName': 'Available', 'settingGroup': 'marketplace_access_status', 'settingGroupDisplayName': 'Marketplace Access'}]}, 'name': 'D3 Security', 'numberOfSites': 2, 'skus': [{'agentsInSku': 0, 'totalLicenses': 25, 'type': 'Core', 'unlimited': False}, {'agentsInSku': 0, 'totalLicenses': 25, 'type': 'Control', 'unlimited': False}, {'agentsInSku': 0, 'totalLicenses': 25, 'type': 'Complete', 'unlimited': False}], 'state': 'active', 'totalComplete': 25, 'totalControl': 25, 'totalCore': 25, 'totalLicenses': 75, 'unlimitedComplete': False, 'unlimitedControl': False, 'unlimitedCore': False, 'unlimitedExpiration': False, 'updatedAt': '2022-07-19T16:35:21.244915Z'}

pagination

{'nextCursor': None, 'totalItems': 1}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Accounts failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Invalid user input received.

Error Sample Data

List Accounts failed.

Status Code: 400.

Message: Invalid user input received.

List Agents

Retrieves a list of agents that match the specified filter.

Input

Input Parameter

Required/Optional

Description

Example

Computer Name

Optional

The computer name of the agent to list. Both partial and full names are accepted.

DESKTOP-*****

Query

Optional

The free-text search term, will match applicable attributes including agentVersion, domain, externalIp, gatewayIp, inet, inet6, physical, lastLoggedInUserName, machineType,uuid, osType, osName.

***.***.***.***

Limit

Optional

The number of agents matching the query condition (between 1-1000) to return. Up to 1000 agents will be listed if you leave this field empty.

10

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": [
        {
            "accountId": "*****",
            "accountName": "D3 Security",
            "activeDirectory": {
                "computerDistinguishedName": null,
                "computerMemberOf": [],
                "lastUserDistinguishedName": null,
                "lastUserMemberOf": []
            },
            "activeThreats": 66,
            "agentVersion": "***.***.***.***",
            "allowRemoteShell": false,
            "appsVulnerabilityStatus": "up_to_date",
            "cloudProviders": {},
            "computerName": "DESKTOP-*****",
            "consoleMigrationStatus": "N/A",
            "coreCount": 16,
            "cpuCount": 16,
            "cpuId": "Intel(R) Xeon(R) CPU E5-2690 0 @ 2.90GHz",
            "createdAt": "2022-02-04T00:18:48.831527Z",
            "detectionState": null,
            "domain": "WORKGROUP",
            "encryptedApplications": false,
            "externalId": "",
            "externalIp": "***.***.***.***",
            "firewallEnabled": true,
            "firstFullModeTime": null,
            "groupId": "*****",
            "groupIp": "***.***.***.***",
            "groupName": "Default Group",
            "id": "*****",
            "inRemoteShellSession": false,
            "infected": true,
            "installerType": ".exe",
            "isActive": true,
            "isDecommissioned": false,
            "isPendingUninstall": false,
            "isUninstalled": false,
            "isUpToDate": true,
            "lastActiveDate": "2022-03-29T22:20:08.491862Z",
            "lastIpToMgmt": "***.***.***.***",
            "lastLoggedInUserName": "admin",
            "licenseKey": "",
            "locationEnabled": true,
            "locationType": "fallback",
            "locations": [
                {
                    "id": "*****",
                    "name": "Fallback",
                    "scope": "global"
                }
            ],
            "machineType": "desktop",
            "mitigationMode": "detect",
            "mitigationModeSuspicious": "detect",
            "modelName": "VMware, Inc. - VMware7,1",
            "networkInterfaces": [
                {
                    "gatewayIp": "***.***.***.***",
                    "gatewayMacAddress": "**:**:**:**:**:**",
                    "id": "*****",
                    "inet": [
                        "***.***.***.***"
                    ],
                    "inet6": [
                        "****::****:****:***:****"
                    ],
                    "name": "Ethernet0",
                    "physical": "c"
                }
            ],
            "networkQuarantineEnabled": false,
            "networkStatus": "connected",
            "operationalState": "na",
            "operationalStateExpiration": null,
            "osArch": "64 bit",
            "osName": "Windows 10 Pro",
            "osRevision": "19044",
            "osStartTime": "2022-03-20T04:11:39Z",
            "osType": "windows",
            "osUsername": null,
            "rangerStatus": "Enabled",
            "rangerVersion": "**.**.*.**",
            "registeredAt": "2022-02-04T00:18:48.825801Z",
            "remoteProfilingState": "disabled",
            "remoteProfilingStateExpiration": null,
            "scanAbortedAt": null,
            "scanFinishedAt": "2022-02-04T17:44:34.108856Z",
            "scanStartedAt": "2022-02-04T00:22:32.484233Z",
            "scanStatus": "finished",
            "siteId": "*****",
            "siteName": "site2",
            "storageName": null,
            "storageType": null,
            "tags": {
                "sentinelone": []
            },
            "threatRebootRequired": false,
            "totalMemory": 16382,
            "updatedAt": "2022-03-29T21:32:07.482725Z",
            "userActionsNeeded": [],
            "uuid": "*****"
        }
    ],
    "pagination": {
        "nextCursor": null,
        "totalItems": 1
    }
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customized the Context Data by extracting the $.data path from the returned raw data.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "accountId": "*****",
        "accountName": "D3 Security",
        "activeDirectory": {
            "computerDistinguishedName": null,
            "computerMemberOf": [],
            "lastUserDistinguishedName": null,
            "lastUserMemberOf": []
        },
        "activeThreats": 66,
        "agentVersion": "***.***.***.***",
        "allowRemoteShell": false,
        "appsVulnerabilityStatus": "up_to_date",
        "cloudProviders": {},
        "computerName": "DESKTOP-*****",
        "consoleMigrationStatus": "N/A",
        "coreCount": 16,
        "cpuCount": 16,
        "cpuId": "Intel(R) Xeon(R) CPU E5-2690 0 @ 2.90GHz",
        "createdAt": "2022-02-04T00:18:48.831527Z",
        "detectionState": null,
        "domain": "WORKGROUP",
        "encryptedApplications": false,
        "externalId": "",
        "externalIp": "***.***.***.***",
        "firewallEnabled": true,
        "firstFullModeTime": null,
        "groupId": "*****",
        "groupIp": "***.***.***.***",
        "groupName": "Default Group",
        "id": "*****",
        "inRemoteShellSession": false,
        "infected": true,
        "installerType": ".exe",
        "isActive": true,
        "isDecommissioned": false,
        "isPendingUninstall": false,
        "isUninstalled": false,
        "isUpToDate": true,
        "lastActiveDate": "2022-03-29T22:20:08.491862Z",
        "lastIpToMgmt": "***.***.***.***",
        "lastLoggedInUserName": "admin",
        "licenseKey": "",
        "locationEnabled": true,
        "locationType": "fallback",
        "locations": [
            {
                "id": "*****",
                "name": "Fallback",
                "scope": "global"
            }
        ],
        "machineType": "desktop",
        "mitigationMode": "detect",
        "mitigationModeSuspicious": "detect",
        "modelName": "VMware, Inc. - VMware7,1",
        "networkInterfaces": [
            {
                "gatewayIp": "***.***.***.***",
                "gatewayMacAddress": "**:**:**:**:**:**",
                "id": "*****",
                "inet": [
                    "***.***.***.***"
                ],
                "inet6": [
                    "****::****:****:***:****"
                ],
                "name": "Ethernet0",
                "physical": "**:**:**:**:**:**"
            }
        ],
        "networkQuarantineEnabled": false,
        "networkStatus": "connected",
        "operationalState": "na",
        "operationalStateExpiration": null,
        "osArch": "64 bit",
        "osName": "Windows 10 Pro",
        "osRevision": "19044",
        "osStartTime": "2022-03-20T04:11:39Z",
        "osType": "windows",
        "osUsername": null,
        "rangerStatus": "Enabled",
        "rangerVersion": "**.**.*.**",
        "registeredAt": "2022-02-04T00:18:48.825801Z",
        "remoteProfilingState": "disabled",
        "remoteProfilingStateExpiration": null,
        "scanAbortedAt": null,
        "scanFinishedAt": "2022-02-04T17:44:34.108856Z",
        "scanStartedAt": "2022-02-04T00:22:32.484233Z",
        "scanStatus": "finished",
        "siteId": "*****",
        "siteName": "site2",
        "storageName": null,
        "storageType": null,
        "tags": {
            "sentinelone": []
        },
        "threatRebootRequired": false,
        "totalMemory": 16382,
        "updatedAt": "2022-03-29T21:32:07.482725Z",
        "userActionsNeeded": [],
        "uuid": "*****"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "AgentIDs": ["*****"] 
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

accountId

accountName

activeDirectory

activeThreats

agentVersion

allowRemoteShell

appsVulnerabilityStatus

cloudProviders

computerName

consoleMigrationStatus

coreCount

cpuCount

cpuId

createdAt

detectionState

domain

encryptedApplications

externalId

externalIp

firewallEnabled

firstFullModeTime

groupId

groupIp

groupName

id

inRemoteShellSession

infected

installerType

isActive

isDecommissioned

isPendingUninstall

isUninstalled

isUpToDate

lastActiveDate

lastIpToMgmt

lastLoggedInUserName

licenseKey

locationEnabled

locationType

locations

machineType

mitigationMode

mitigationModeSuspicious

modelName

networkInterfaces

networkQuarantineEnabled

networkStatus

operationalState

operationalStateExpiration

osArch

osName

osRevision

osStartTime

osType

osUsername

rangerStatus

rangerVersion

registeredAt

remoteProfilingState

remoteProfilingStateExpiration

scanAbortedAt

scanFinishedAt

scanStartedAt

scanStatus

siteId

siteName

storageName

storageType

tags

threatRebootRequired

totalMemory

updatedAt

userActionsNeeded

uuid

*****

D3 Security

{'computerDistinguishedName': None, 'computerMemberOf': [], 'lastUserDistinguishedName': None, 'lastUserMemberOf': []}

66

***.***.***.***

False

up_to_date

{}

DESKTOP-*****

N/A

16

16

Intel(R) Xeon(R) CPU E5-2690 0 @ 2.90GHz

2022-02-04T00:18:48.831527Z

None

WORKGROUP

False

***.***.***.***

True

None

*****

***.***.***.***

Default Group

*****

False

True

.exe

True

False

False

False

True

2022-03-29T22:20:08.491862Z

***.***.***.***

admin

True

fallback

[{'id': '*****', 'name': 'Fallback', 'scope': 'global'}]

desktop

detect

detect

VMware, Inc. - VMware7,1

[{'gatewayIp': '***.***.***.***', 'gatewayMacAddress': '**:**:**:**:**:**', 'id': '*****', 'inet': ['***.***.***.***'], 'inet6': ['****::****:****:***:****'], 'name': 'Ethernet0', 'physical': '**:**:**:**:**:**'}]

False

connected

na

None

64 bit

Windows 10 Pro

19044

2022-03-20T04:11:39Z

windows

None

Enabled

**.**.*.**

2022-02-04T00:18:48.825801Z

disabled

None

None

2022-02-04T17:44:34.108856Z

2022-02-04T00:22:32.484233Z

finished

*****

site2

None

None

{'sentinelone': []}

False

16382

2022-03-29T21:32:07.482725Z

[]

*****

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Agents failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Invalid user input received.

Error Sample Data

List Agents failed.

Status Code: 400.

Message: Invalid user input received.

List IOCs

Retrieves the IOCs of a specified account that match the filter.

READER NOTE

The parameter Account IDs is required to run this command.

  • Run the List Accounts command to obtain Account IDs. Account IDs can be found in the returned raw data at the path $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Account IDs

Required

The account IDs to filter. Account IDs can be obtained using the List Accounts command.

[ "*****" ]

IOC Names

Optional

The free-text filtered by the Indicator name (which supports multiple values).

[ "foo.dll" ]

IOC Value

Optional

The value of the Threat Intelligence indicator.

***.***.***.***

Type

Optional

The type of the Threat Intelligence indicator. The available types include: IPv4, IPv6, MD5, SHA1, SHA256, URL and DNS.

IPv4

Source

Optional

The list of the sources of the identified Threat Intelligence indicator.

AlienVault

Categories

Optional

The categories of the Threat Intelligence indicator.

[ "the malware type associated with the IOC" ]

Description

Optional

The free-text filtered by the description of the indicator (which supports multiple values).

[ "Malicious-activity" ]

Creator

Optional

The free-text filtered by the user that uploaded the Threat Intelligence indicator (which supports multiple values).

[ "admin@sentinelone.com" ]

Created After

Optional

The creation time set by the user after or equal to the specified timestamp.

2022-03-20 00:00

Created Before

Optional

The creation time set by the user before or equal to the specified timestamp.

2022-03-21 00:00

Updated After

Optional

The time at which the indicator was last updated in SentinelOne DB after or equal to the specified timestamp.

2022-04-20 00:00

Updated Before

Optional

The time at which the indicator was last updated in SentinelOne DB before or equal to the specified timestamp.

2022-04-30 00:00

Limit

Optional

The limit number of returned IOCs. The valid value is an integer between 0 and 1000. If not specified, the default limit is 1000. To obtain all IOCs matching search criteria to be returned, set the limit to 0.

10

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": [
        {
            "method": "EQUALS",
            "patternType": "string",
            "creationTime": "2018-02-27T04:49:26.257525Z",
            "description": "string",
            "threatActors": [
                {
                    "type": "string"
                }
            ],
            "validUntil": "2018-02-27T04:49:26.257525Z",
            "category": [
                {
                    "type": "string",
                    "x-nullable": true,
                    "description": "The categories of the Threat Intelligence indicator, e.g.  the malware type associated with the IOC"
                }
            ],
            "externalId": "string",
            "name": "string",
            "batchId": "string",
            "updatedAt": "2018-02-27T04:49:26.257525Z",
            "value": "string",
            "creator": "string",
            "scopeId": "*****",
            "intrusionSets": [
                {
                    "type": "string"
                }
            ],
            "pattern": "string",
            "type": "DNS",
            "mitreTactic": [
                {
                    "type": "string"
                }
            ],
            "uploadTime": "2018-02-27T04:49:26.257525Z",
            "reference": [
                {
                    "type": "string",
                    "x-nullable": true,
                    "description": "External reference associated with the Threat Intelligence indicator"
                }
            ],
            "source": "string",
            "uuid": "string",
            "metadata": "string",
            "scope": "global"
        }
    ],
    "errors": [
        {
            "type": "object"
        }
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List IOCs failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Insufficient permissions.

Error Sample Data

List IOCs failed.

Status Code: 401.

Message: Insufficient permissions.

Mark As Threat

Marks suspicious threats as threat detections. Can only be used with API V2.0.

READER NOTE

The parameter Threat IDs is required to run this command.

  • Run the Get Threat command to obtain Threat IDs. Threat IDs can be found in the raw data at the path $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Threat IDs

Required

The list of threat IDs. Threat IDs can be obtained using the Get Threat command.

["*****", "*****"]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": {
        "affected": 1
    }
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Mark As Threat failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized access.

Error Sample Data

Mark As Threat failed.

Status Code: 403.

Message: Unauthorized access.

Mitigate Threats

Applies a mitigation action to threats matching the specified filters. Only threats which you have permission to mitigate are counted as "affected" in the response field. Rollback is applied only on Windows. Remediate is applied only on macOS and Windows.

Input

Input Parameter

Required/Optional

Description

Example

Filter

Required

The filtering options to control the list of affected threats. It is possible to use any combination of filters to narrow the list. For example, "apply to only active threats from Linux endpoints". It is also possible to leave this field empty to apply to all available threats. Please refer to https://usea1-partners.sentinelone.net/api-doc/api-details?category=threats=mitigate-threats for more information about filters.

{

"computerName__contains": [

"DESKTOP-*****"

]

}

Mitigate Action

Required

The mitigation action selected to apply to the group of threats that matches the filter. Note: The Rollback mitigation action is only applied on Windows systems; the Remediate mitigation action is only applied on Windows and macOS systems.

Quarantine

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": {
        "affected": 15
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "AffectedThreats": 15 
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Mitigate Threats failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized access.

Error Sample Data

Mitigate Threats failed.

Status Code: 403.

Message: Unauthorized access.

Move Agents

Moves Agents to a new group by host name(s) or internal IP(s). Please note, you cannot move agents to a group which is not in the same site as the original group, and you must move the agents to the new site before you move agents to the group belonging to that site. To do this, you can use the Move Agents Between Sites command.

READER NOTE

Group ID is a required parameter to run this command.

  • Run the Get Groups command to obtain Group ID. Group IDs can be found in the raw data at the path $.data.id.

Input

Input Parameter

Required/Optional

Description

Example

Host Names Or Internal IPs

Required

The name(s) or internal IP(s) of the computer(s) to be moved to the specified group.

[ "***.***.***.***", "lab3-pc1" ]

Group ID

Required

The ID of the Group to which the agents will be moved. Group ID can be obtained using the Get Groups command.

*****

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "results": [
        {
            "filter": {
                "computerName__contains": [
                    "lab3-pc1"
                ]
            },
            "data": {
                "agentsMoved": 1
            }
        },
        {
            "filter": {
                "networkInterfaceInet__contains": [
                    "***.***.***.***"
                ]
            },
            "data": {
                "agentsMoved": 1
            }
        }
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Move Agents failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The group with ID **** is not found.

Error Sample Data

Move Agents failed.

Status Code: 404.

Message: The group with ID **** is not found.

Move Agents Between Sites

Moves Agents from one Site to a different Site. Agents will be moved to the best matching dynamic group, or to the Default group if no dynamic group matches.

READER NOTE

Site ID is a required parameter to run this command.

  • Run the Get Sites command to obtain Site ID. Site IDs can be found in the raw data at the path $.data.sites.id.

Input

Input Parameter

Required/Optional

Description

Example

Host Names Or Internal IPs

Required

The name(s) or internal IP(s) of the computer(s) to be moved to the specified site.

[ "***.***.***.***", "lab3-pc1" ]

Site ID

Required

The ID of the site where the agents will be moved. Site ID can be obtained using the Get Sites command.

*****

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "results": [
        {
            "filter": {
                "computerName__contains": [
                    "lab3-pc1"
                ]
            },
            "data": {
                "affected": 1
            }
        },
        {
            "filter": {
                "networkInterfaceInet__contains": [
                    "***.***.***.***"
                ]
            },
            "data": {
                "affected": 1
            }
        }
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Move Agents Between Sites failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Authentication Failed.

Error Sample Data

Move Agents Between Sites failed.

Status Code: 401.

Message: Authentication Failed.

Ping Power Query

Ping Deep Visibility Power Query(s) using the query ID(s) if results have not returned from the initial Power Query or a previous ping.

READER NOTE

The parameter Query IDs is required to run this command.

  • Run the Create Power Query command to obtain Query IDs. Query IDs can be found in the raw data in the path $.results[*].queryId.

Input

Input Parameter

Required/Optional

Description

Example

Query IDs

Required

The unique identifier for specific queries to execute or manage. Query ID(s) can be obtained using the Create Power Query command to ping.

[ "*****" ]

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "results": [
        {
            "columns": [
                {
                    "name": "eventTime",
                    "type": "UNKNOWN"
                },
                {
                    "name": "agentUuid",
                    "type": "UNKNOWN"
                },
                {
                    "name": "siteId",
                    "type": "UNKNOWN"
                }
            ],
            "data": [],
            "externalId": "{\"lrqToken\":\"*****\",\"target\":\"__E1__*****/*****-\"}",
            "progress": 100,
            "queryId": "*****",
            "recommendations": [
                "Result set limited to 1000 rows by default. To display more rows, add a command like \"| limit 10000\"."
            ],
            "status": "FINISHED"
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "QueryIDs": ["*****"],
  "Status": ["FINISHED"],
  "Progress": [100] 
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Power Queries Count

1

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Ping Power Query failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Multiple errors found, please check D3Errors in command Raw Data.

Error Sample Data

Ping Power Query failed.

Status Code: 401.

Message: Multiple errors found, please check D3Errors in command Raw Data.

Quarantine Files

Encrypts and moves the threat and its executables files to a quarantine folder. Please note, this action performs Kill Processes related to the threat(s) before Quarantine.

READER NOTE

The parameter Threat IDs is optional to run this command.

  • Run the Get Threat command to obtain Threat IDs. Threat IDs can be found in the raw data at the path $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Computer Names

Required

The name(s) of the computer(s) on which the files are quarantined.

[ "lab3-pc1" ]

Originated Process Names

Optional

The originated process name(s) of the threat(s) whose files will be quarantined.

[ "svchost.exe" ]

Threat IDs

Optional

The ID(s) of the threat(s) whose files will be quarantined. Threat IDs can be obtained using the Get Threat command.

[ "*****" ]

File Paths

Optional

The file path(s) to search.

[ "\***\***\***\***\***.exe" ]

Content Hashes

Optional

The SHA-1 Hash value(s) to search.

[ "*****" ]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": {
        "affected": 1,
        "details": [
            {
                "reports": [],
                "skipped": [
                    {
                        "action": "quarantine",
                        "description": "Mitigation action already in progress / finished.",
                        "reason": "triggered"
                    },
                    {
                        "action": "kill",
                        "description": "Mitigation action already in progress / finished.",
                        "reason": "triggered"
                    }
                ],
                "threatId": "*****"
            }
        ]
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "AffectedThreats": 1 
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

data

{'affected': 1, 'details': [{'reports': [], 'skipped': [{'action': 'quarantine', 'description': 'Mitigation action already in progress / finished.', 'reason': 'triggered'}, {'action': 'kill', 'description': 'Mitigation action already in progress / finished.', 'reason': 'triggered'}], 'threatId': '*****'}]}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Quarantine Files failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: UNAUTHORIZED. Please check D3Error object in RawData for more details.

Error Sample Data

Quarantine Files failed.

Status Code: 401.

Message: UNAUTHORIZED. Please check D3Error object in RawData for more details.

Query

Retrieves Deep Visibility events based on specified query conditions. Note: The API rate limit is 1 call per minute for each unique user token.

READER NOTE

Deep Visibility has limits for different accounts. The current trial account currently retains data for 14 days. If you see errors returned for your search period, contact SentineOne support to increase the data retention period if required.

https://usea1-partners.sentinelone.net/docs/en/date-and-time-reference.html#date-and-time-refer

Input

Input Parameter

Required/Optional

Description

Example

Start Time

Required

The start time (in UTC Time) of the time range for querying events that are created after the specified start time.

2022-09-22 00:00

End Time

Required

The end time (in UTC Time) of the time range for querying events that are created before the specified end time.

2022-09-23 00:00

Limit

Optional

The maximum number of items to return. A valid value is an integer between 1 and 100,000. Up to 100,000 results will be returned if you leave this field empty.

10

Query

Required

The queries to filter events. Please refer to Query Syntax in the Knowledge Base (https://support.sentinelone.com) or the Console Help. Please also refer to

https://assets.sentinelone.com/c/sentinel-one-dv-chea-2?x=u6040P

for the field name syntax.

processImagePath CONTAINS "svchost.exe"

Timeout (Seconds)

Optional

The specification of how many seconds to allow before aborting the query if the query status is not finished. If this parameter is not defined, the query will not be canceled. The minimum valid input value is 300.

300

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": [
        {
            "accountId": "*****",
            "activeContentFileId": null,
            "activeContentHash": null,
            "activeContentPath": null,
            "activeContentSignedStatus": null,
            "activeContentType": null,
            "agentDomain": "WORKGROUP",
            "agentGroupId": "*****",
            "agentId": "*****",
            "agentInfected": true,
            "agentIp": "***.***.***.***",
            "agentIsActive": true,
            "agentIsDecommissioned": false,
            "agentMachineType": "desktop",
            "agentName": "DESKTOP-HELLOD3",
            "agentNetworkStatus": "connected",
            "agentOs": "windows",
            "agentTimestamp": "2022-09-27T23:59:55.795Z",
            "agentUuid": "*****",
            "agentVersion": "***.***.***.***",
            "childProcCount": "0",
            "containerId": null,
            "containerImage": null,
            "containerLabels": null,
            "containerName": null,
            "convictedBy": null,
            "createdAt": "2022-09-27T23:59:55.795000Z",
            "crossProcCount": "0",
            "crossProcDupRemoteProcHandleCount": "0",
            "crossProcDupThreadHandleCount": "0",
            "crossProcOpenProcCount": "0",
            "crossProcOutOfStorylineCount": "0",
            "crossProcThreadCreateCount": "0",
            "dnsCount": "0",
            "endpointMachineType": "desktop",
            "endpointName": "DESKTOP-HELLOD3",
            "endpointOs": "windows",
            "eventIndex": null,
            "eventRepetitionCount": null,
            "eventTime": "2022-09-27T23:59:55.795Z",
            "eventType": "File Rename",
            "fileCreatedAt": "2022-09-27T23:59:55.786Z",
            "fileFullName": "C:\\***\\***\\***\\***\\***\\***\\***\\",
            "fileId": "*****",
            "fileIsExecutable": "True",
            "fileLocation": "Local",
            "fileMd5": "*****",
            "fileModifyAt": "2022-09-27T23:59:55.786Z",
            "fileSha1": null,
            "fileSha256": "*****",
            "fileSize": "0",
            "fileType": "interim",
            "forensicUrl": "https://***/***/***/***/***/",
            "id": "736338976389070848",
            "indicatorBootConfigurationUpdateCount": "0",
            "indicatorEvasionCount": "0",
            "indicatorExploitationCount": "0",
            "indicatorGeneralCount": "0",
            "indicatorInfostealerCount": "0",
            "indicatorInjectionCount": "0",
            "indicatorPersistenceCount": "0",
            "indicatorPostExploitationCount": "0",
            "indicatorRansomwareCount": "0",
            "indicatorReconnaissanceCount": "0",
            "isAgentVersionFullySupportedForPg": false,
            "isAgentVersionFullySupportedForPgMessage": "The event generated from this Agent version does not contain all information needed for the Process Graph. The Graph is GA with Agent versions: Windows 22.1 EA2+, Linux 22.2 EA+ and macOS 21.12 GA+",
            "k8sClusterName": null,
            "k8sControllerLabels": null,
            "k8sControllerName": null,
            "k8sControllerType": null,
            "k8sNamespace": null,
            "k8sNamespaceLabels": null,
            "k8sNode": null,
            "k8sPodLabels": null,
            "k8sPodName": null,
            "lastActivatedAt": "2022-07-31T08:10:36.000Z",
            "metaEventName": "FILERENAME",
            "moduleCount": "70",
            "netConnCount": "0",
            "netConnInCount": "0",
            "netConnOutCount": "0",
            "newFileName": null,
            "objectType": "file",
            "oldFileMd5": null,
            "oldFileName": "C:\\***\\***\\***\\***\\***\\***\\***\\***",
            "oldFileSha1": null,
            "oldFileSha256": null,
            "osSrcChildProcCount": null,
            "osSrcCrossProcCount": null,
            "osSrcCrossProcDupRemoteProcHandleCount": null,
            "osSrcCrossProcDupThreadHandleCount": null,
            "osSrcCrossProcOpenProcCount": null,
            "osSrcCrossProcOutOfStorylineCount": null,
            "osSrcCrossProcThreadCreateCount": null,
            "osSrcDnsCount": null,
            "osSrcIndicatorBootConfigurationUpdateCount": null,
            "osSrcIndicatorEvasionCount": null,
            "osSrcIndicatorExploitationCount": null,
            "osSrcIndicatorGeneralCount": null,
            "osSrcIndicatorInfostealerCount": null,
            "osSrcIndicatorInjectionCount": null,
            "osSrcIndicatorPersistenceCount": null,
            "osSrcIndicatorPostExploitationCount": null,
            "osSrcIndicatorRansomwareCount": null,
            "osSrcIndicatorReconnaissanceCount": null,
            "osSrcModuleCount": null,
            "osSrcNetConnCount": null,
            "osSrcNetConnInCount": null,
            "osSrcNetConnOutCount": null,
            "osSrcProcActiveContentFileId": null,
            "osSrcProcActiveContentHash": null,
            "osSrcProcActiveContentPath": null,
            "osSrcProcActiveContentSignedStatus": null,
            "osSrcProcActiveContentType": null,
            "osSrcProcBinaryisExecutable": null,
            "osSrcProcCmdLine": null,
            "osSrcProcDisplayName": null,
            "osSrcProcImageMd5": null,
            "osSrcProcImagePath": null,
            "osSrcProcImageSha1": null,
            "osSrcProcImageSha256": null,
            "osSrcProcIntegrityLevel": null,
            "osSrcProcIsNative64Bit": null,
            "osSrcProcIsRedirectCmdProcessor": null,
            "osSrcProcIsStorylineRoot": null,
            "osSrcProcName": null,
            "osSrcProcParentActiveContentFileId": null,
            "osSrcProcParentActiveContentHash": null,
            "osSrcProcParentActiveContentPath": null,
            "osSrcProcParentActiveContentSignedStatus": null,
            "osSrcProcParentActiveContentType": null,
            "osSrcProcParentCmdLine": "C:\\***\\***\\***.exe",
            "osSrcProcParentDisplayName": "Services and Controller app",
            "osSrcProcParentImageMd5": "*****",
            "osSrcProcParentImagePath": "C:\\***\\***\\***.exe",
            "osSrcProcParentImageSha1": "*****",
            "osSrcProcParentImageSha256": "*****",
            "osSrcProcParentIntegrityLevel": "SYSTEM",
            "osSrcProcParentIsNative64Bit": "False",
            "osSrcProcParentIsRedirectCmdProcessor": "False",
            "osSrcProcParentIsStorylineRoot": "True",
            "osSrcProcParentName": "services.exe",
            "osSrcProcParentPid": "*****",
            "osSrcProcParentPublisher": "MICROSOFT WINDOWS PUBLISHER",
            "osSrcProcParentReasonSignatureInvalid": null,
            "osSrcProcParentSessionId": "***",
            "osSrcProcParentSignedStatus": "signed",
            "osSrcProcParentStartTime": "2022-08-24T00:55:23.414Z",
            "osSrcProcParentStorylineId": "*****",
            "osSrcProcParentUid": "*****",
            "osSrcProcParentUser": "NT AUTHORITY\\SYSTEM",
            "osSrcProcPid": null,
            "osSrcProcPublisher": null,
            "osSrcProcReasonSignatureInvalid": null,
            "osSrcProcRelatedToThreat": "True",
            "osSrcProcSessionId": null,
            "osSrcProcSignedStatus": null,
            "osSrcProcStartTime": null,
            "osSrcProcStorylineId": null,
            "osSrcProcSubsystem": null,
            "osSrcProcUid": null,
            "osSrcProcUser": null,
            "osSrcProcVerifiedStatus": null,
            "osSrcRegistryChangeCount": null,
            "osSrcTgtFileCreationCount": null,
            "osSrcTgtFileDeletionCount": null,
            "osSrcTgtFileModificationCount": null,
            "parentPid": "*****",
            "parentProcessName": "msiexec.exe",
            "parentProcessStartTime": "2022-04-14T19:44:56.530Z",
            "parentProcessUniqueKey": "*****",
            "pid": "*****",
            "processCmd": "\"C:\\***\\***\\***\\***\\***\\***\\\" --config \"C:\\***\\***\\***\\***\\***\\***\\\" --service",
            "processDisplayName": "MongoDB Database Server",
            "processGroupId": "*****",
            "processImagePath": "C:\\***\\***\\***\\***\\***\\***\\",
            "processImageSha1Hash": "*****",
            "processIntegrityLevel": "SYSTEM",
            "processIsRedirectedCommandProcessor": "False",
            "processIsWow64": "False",
            "processName": "mongod.exe",
            "processRoot": "False",
            "processSessionId": "0",
            "processStartTime": "2022-08-24T00:55:28.167Z",
            "processSubSystem": "SYS_WIN32",
            "processUniqueKey": "*****",
            "publisher": null,
            "registryChangeCount": "0",
            "relatedToThreat": "True",
            "retentionPeriod": "14",
            "rpid": null,
            "signatureSignedInvalidReason": null,
            "signedStatus": "unsigned",
            "signer": null,
            "siteId": "*****",
            "siteName": "site2",
            "srcProcActiveContentFileId": null,
            "srcProcActiveContentHash": null,
            "srcProcActiveContentPath": null,
            "srcProcActiveContentSignedStatus": null,
            "srcProcActiveContentType": null,
            "srcProcBinaryisExecutable": "True",
            "srcProcCmdLine": "\"C:\\***\\***\\***\\***\\***\\***\\\" --config \"C:\\***\\***\\***\\***\\***\\***\\\" --service",
            "srcProcDisplayName": "MongoDB Database Server",
            "srcProcImageMd5": "*****",
            "srcProcImagePath": "C:\\***\\***\\***\\***\\***\\***\\",
            "srcProcImageSha1": "*****",
            "srcProcImageSha256": "*****",
            "srcProcIntegrityLevel": "SYSTEM",
            "srcProcIsNative64Bit": "False",
            "srcProcIsRedirectCmdProcessor": "False",
            "srcProcIsStorylineRoot": "False",
            "srcProcName": "mongod.exe",
            "srcProcParentActiveContentFileId": null,
            "srcProcParentActiveContentHash": null,
            "srcProcParentActiveContentPath": null,
            "srcProcParentActiveContentSignedStatus": null,
            "srcProcParentActiveContentType": null,
            "srcProcParentCmdLine": "\"C:\\***\\***\\***\" /i \"C:\\***\\***\\***\\***\"",
            "srcProcParentDisplayName": "Windows® installer",
            "srcProcParentImageMd5": "*****",
            "srcProcParentImagePath": "C:\\***\\***\\***",
            "srcProcParentImageSha1": "*****",
            "srcProcParentImageSha256": "*****",
            "srcProcParentIntegrityLevel": "HIGH",
            "srcProcParentIsNative64Bit": "False",
            "srcProcParentIsRedirectCmdProcessor": "False",
            "srcProcParentIsStorylineRoot": "True",
            "srcProcParentName": "msiexec.exe",
            "srcProcParentPid": "*****",
            "srcProcParentProcUid": "*****",
            "srcProcParentPublisher": "MICROSOFT WINDOWS",
            "srcProcParentReasonSignatureInvalid": null,
            "srcProcParentSessionId": "***",
            "srcProcParentSignedStatus": "signed",
            "srcProcParentStartTime": "2022-04-14T19:44:56.530Z",
            "srcProcParentStorylineId": "*****",
            "srcProcParentUid": "*****",
            "srcProcParentUser": "***\\***",
            "srcProcPid": "*****",
            "srcProcPublisher": null,
            "srcProcReasonSignatureInvalid": null,
            "srcProcRelatedToThreat": "True",
            "srcProcRpid": null,
            "srcProcSessionId": "***",
            "srcProcSignedStatus": "unsigned",
            "srcProcStartTime": "2022-08-24T00:55:28.167Z",
            "srcProcStorylineId": "*****",
            "srcProcSubsystem": "SYS_WIN32",
            "srcProcTid": null,
            "srcProcUid": "*****",
            "srcProcUser": "***\\***",
            "srcProcVerifiedStatus": null,
            "storyline": "*****",
            "tgtFileConvictedBy": null,
            "tgtFileCreatedAt": "2022-09-27T23:59:55.786Z",
            "tgtFileCreationCount": "325494",
            "tgtFileDeletionCount": "9525",
            "tgtFileDescription": null,
            "tgtFileExtension": "interim",
            "tgtFileId": "*****",
            "tgtFileInternalName": null,
            "tgtFileIsExecutable": "False",
            "tgtFileIsSigned": null,
            "tgtFileLocation": "Local",
            "tgtFileMd5": null,
            "tgtFileModificationCount": "926346",
            "tgtFileModifiedAt": "2022-09-27T23:59:55.786Z",
            "tgtFileOldMd5": null,
            "tgtFileOldPath": "C:\\***\\***\\***\\***\\***\\***\\***\\***",
            "tgtFileOldSha1": null,
            "tgtFileOldSha256": null,
            "tgtFilePath": "C:\\***\\***\\***\\***\\***\\***\\***\\",
            "tgtFileSha1": null,
            "tgtFileSha256": null,
            "tgtFileSize": "0",
            "tgtFileType": "UNKNOWN",
            "threatStatus": "OldMitigationStatus.SUSPICIOUS_RESOLVED",
            "tiOriginalEventId": null,
            "tiOriginalEventIndex": null,
            "tiOriginalEventTraceId": null,
            "tid": null,
            "tiindicatorRelatedEventTime": null,
            "traceId": "*****",
            "trueContext": "*****",
            "user": "***\\***",
            "verifiedStatus": null
        }
    ],
    "pagination": {
        "nextCursor": "*****",
        "totalItems": 10
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "AgentIDs": ["*****"],
  "AgentIPs": ["***.***.***.***"],
  "AgentNames": ["DESKTOP-*****"],
  "EventIDs" ["*****"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

data

{'accountId': '*****', 'activeContentFileId': None, 'activeContentHash': None, 'activeContentPath': None, 'activeContentSignedStatus': None, 'activeContentType': None, 'agentDomain': 'WORKGROUP', 'agentGroupId': '*****', 'agentId': '*****', 'agentInfected': True, 'agentIp': '***.***.***.***', 'agentIsActive': True, 'agentIsDecommissioned': False, 'agentMachineType': 'desktop', 'agentName': 'DESKTOP-HELLOD3', 'agentNetworkStatus': 'connected', 'agentOs': 'windows', 'agentTimestamp': '2022-09-27T23:59:55.795Z', 'agentUuid': '*****', 'agentVersion': '***.***.***.***', 'childProcCount': '0', 'containerId': None, 'containerImage': None, 'containerLabels': None, 'containerName': None, 'convictedBy': None, 'createdAt': '2022-09-27T23:59:55.795000Z', 'crossProcCount': '0', 'crossProcDupRemoteProcHandleCount': '0', 'crossProcDupThreadHandleCount': '0', 'crossProcOpenProcCount': '0', 'crossProcOutOfStorylineCount': '0', 'crossProcThreadCreateCount': '0', 'dnsCount': '0', 'endpointMachineType': 'desktop', 'endpointName': 'DESKTOP-HELLOD3', 'endpointOs': 'windows', 'eventIndex': None, 'eventRepetitionCount': None, 'eventTime': '2022-09-27T23:59:55.795Z', 'eventType': 'File Rename', 'fileCreatedAt': '2022-09-27T23:59:55.786Z', 'fileFullName': 'C:\\***\\***\\***\\***\\***\\***\\***\\', 'fileId': '*****', 'fileIsExecutable': 'True', 'fileLocation': 'Local', 'fileMd5': '*****', 'fileModifyAt': '2022-09-27T23:59:55.786Z', 'fileSha1': None, 'fileSha256': '*****', 'fileSize': '0', 'fileType': 'interim', 'forensicUrl': 'https://***/***/***/***/***/', 'id': '736338976389070848', 'indicatorBootConfigurationUpdateCount': '0', 'indicatorEvasionCount': '0', 'indicatorExploitationCount': '0', 'indicatorGeneralCount': '0', 'indicatorInfostealerCount': '0', 'indicatorInjectionCount': '0', 'indicatorPersistenceCount': '0', 'indicatorPostExploitationCount': '0', 'indicatorRansomwareCount': '0', 'indicatorReconnaissanceCount': '0', 'isAgentVersionFullySupportedForPg': False, 'isAgentVersionFullySupportedForPgMessage': 'The event generated from this Agent version does not contain all information needed for the Process Graph. The Graph is GA with Agent versions: Windows 22.1 EA2+, Linux 22.2 EA+ and macOS 21.12 GA+', 'k8sClusterName': None, 'k8sControllerLabels': None, 'k8sControllerName': None, 'k8sControllerType': None, 'k8sNamespace': None, 'k8sNamespaceLabels': None, 'k8sNode': None, 'k8sPodLabels': None, 'k8sPodName': None, 'lastActivatedAt': '2022-07-31T08:10:36.000Z', 'metaEventName': 'FILERENAME', 'moduleCount': '70', 'netConnCount': '0', 'netConnInCount': '0', 'netConnOutCount': '0', 'newFileName': None, 'objectType': 'file', 'oldFileMd5': None, 'oldFileName': 'C:\\***\\***\\***\\***\\***\\***\\***\\***', 'oldFileSha1': None, 'oldFileSha256': None, 'osSrcChildProcCount': None, 'osSrcCrossProcCount': None, 'osSrcCrossProcDupRemoteProcHandleCount': None, 'osSrcCrossProcDupThreadHandleCount': None, 'osSrcCrossProcOpenProcCount': None, 'osSrcCrossProcOutOfStorylineCount': None, 'osSrcCrossProcThreadCreateCount': None, 'osSrcDnsCount': None, 'osSrcIndicatorBootConfigurationUpdateCount': None, 'osSrcIndicatorEvasionCount': None, 'osSrcIndicatorExploitationCount': None, 'osSrcIndicatorGeneralCount': None, 'osSrcIndicatorInfostealerCount': None, 'osSrcIndicatorInjectionCount': None, 'osSrcIndicatorPersistenceCount': None, 'osSrcIndicatorPostExploitationCount': None, 'osSrcIndicatorRansomwareCount': None, 'osSrcIndicatorReconnaissanceCount': None, 'osSrcModuleCount': None, 'osSrcNetConnCount': None, 'osSrcNetConnInCount': None, 'osSrcNetConnOutCount': None, 'osSrcProcActiveContentFileId': None, 'osSrcProcActiveContentHash': None, 'osSrcProcActiveContentPath': None, 'osSrcProcActiveContentSignedStatus': None, 'osSrcProcActiveContentType': None, 'osSrcProcBinaryisExecutable': None, 'osSrcProcCmdLine': None, 'osSrcProcDisplayName': None, 'osSrcProcImageMd5': None, 'osSrcProcImagePath': None, 'osSrcProcImageSha1': None, 'osSrcProcImageSha256': None, 'osSrcProcIntegrityLevel': None, 'osSrcProcIsNative64Bit': None, 'osSrcProcIsRedirectCmdProcessor': None, 'osSrcProcIsStorylineRoot': None, 'osSrcProcName': None, 'osSrcProcParentActiveContentFileId': None, 'osSrcProcParentActiveContentHash': None, 'osSrcProcParentActiveContentPath': None, 'osSrcProcParentActiveContentSignedStatus': None, 'osSrcProcParentActiveContentType': None, 'osSrcProcParentCmdLine': 'C:\\***\\***\\***.exe', 'osSrcProcParentDisplayName': 'Services and Controller app', 'osSrcProcParentImageMd5': '*****', 'osSrcProcParentImagePath': 'C:\\***\\***\\***.exe', 'osSrcProcParentImageSha1': '*****', 'osSrcProcParentImageSha256': '*****', 'osSrcProcParentIntegrityLevel': 'SYSTEM', 'osSrcProcParentIsNative64Bit': 'False', 'osSrcProcParentIsRedirectCmdProcessor': 'False', 'osSrcProcParentIsStorylineRoot': 'True', 'osSrcProcParentName': 'services.exe', 'osSrcProcParentPid': '*****', 'osSrcProcParentPublisher': 'MICROSOFT WINDOWS PUBLISHER', 'osSrcProcParentReasonSignatureInvalid': None, 'osSrcProcParentSessionId': '*****', 'osSrcProcParentSignedStatus': 'signed', 'osSrcProcParentStartTime': '2022-08-24T00:55:23.414Z', 'osSrcProcParentStorylineId': '*****', 'osSrcProcParentUid': '*****', 'osSrcProcParentUser': 'NT AUTHORITY\\SYSTEM', 'osSrcProcPid': None, 'osSrcProcPublisher': None, 'osSrcProcReasonSignatureInvalid': None, 'osSrcProcRelatedToThreat': 'True', 'osSrcProcSessionId': None, 'osSrcProcSignedStatus': None, 'osSrcProcStartTime': None, 'osSrcProcStorylineId': None, 'osSrcProcSubsystem': None, 'osSrcProcUid': None, 'osSrcProcUser': None, 'osSrcProcVerifiedStatus': None, 'osSrcRegistryChangeCount': None, 'osSrcTgtFileCreationCount': None, 'osSrcTgtFileDeletionCount': None, 'osSrcTgtFileModificationCount': None, 'parentPid': '*****', 'parentProcessName': 'msiexec.exe', 'parentProcessStartTime': '2022-04-14T19:44:56.530Z', 'parentProcessUniqueKey': '*****', 'pid': '*****', 'processCmd': '"C:\\***\\***\\***\\***\\***\\***\\" --config "C:\\***\\***\\***\\***\\***\\***\\" --service', 'processDisplayName': 'MongoDB Database Server', 'processGroupId': '*****', 'processImagePath': 'C:\\***\\***\\***\\***\\***\\***\\', 'processImageSha1Hash': '*****', 'processIntegrityLevel': 'SYSTEM', 'processIsRedirectedCommandProcessor': 'False', 'processIsWow64': 'False', 'processName': 'mongod.exe', 'processRoot': 'False', 'processSessionId': '***', 'processStartTime': '2022-08-24T00:55:28.167Z', 'processSubSystem': 'SYS_WIN32', 'processUniqueKey': '*****', 'publisher': None, 'registryChangeCount': '0', 'relatedToThreat': 'True', 'retentionPeriod': '14', 'rpid': None, 'signatureSignedInvalidReason': None, 'signedStatus': 'unsigned', 'signer': None, 'siteId': '*****', 'siteName': 'site2', 'srcProcActiveContentFileId': None, 'srcProcActiveContentHash': None, 'srcProcActiveContentPath': None, 'srcProcActiveContentSignedStatus': None, 'srcProcActiveContentType': None, 'srcProcBinaryisExecutable': 'True', 'srcProcCmdLine': '"C:\\***\\***\\***\\***\\***\\***\\" --config "C:\\***\\***\\***\\***\\***\\***\\" --service', 'srcProcDisplayName': 'MongoDB Database Server', 'srcProcImageMd5': '*****', 'srcProcImagePath': 'C:\\***\\***\\***\\***\\***\\***\\', 'srcProcImageSha1': '*****', 'srcProcImageSha256': '*****', 'srcProcIntegrityLevel': 'SYSTEM', 'srcProcIsNative64Bit': 'False', 'srcProcIsRedirectCmdProcessor': 'False', 'srcProcIsStorylineRoot': 'False', 'srcProcName': 'mongod.exe', 'srcProcParentActiveContentFileId': None, 'srcProcParentActiveContentHash': None, 'srcProcParentActiveContentPath': None, 'srcProcParentActiveContentSignedStatus': None, 'srcProcParentActiveContentType': None, 'srcProcParentCmdLine': '"C:\\***\\***\\***" /i "C:\\***\\***\\***\\***"', 'srcProcParentDisplayName': 'Windows® installer', 'srcProcParentImageMd5': '*****', 'srcProcParentImagePath': 'C:\\***\\***\\***', 'srcProcParentImageSha1': '*****', 'srcProcParentImageSha256': '*****', 'srcProcParentIntegrityLevel': 'HIGH', 'srcProcParentIsNative64Bit': 'False', 'srcProcParentIsRedirectCmdProcessor': 'False', 'srcProcParentIsStorylineRoot': 'True', 'srcProcParentName': 'msiexec.exe', 'srcProcParentPid': '*****', 'srcProcParentProcUid': '*****', 'srcProcParentPublisher': 'MICROSOFT WINDOWS', 'srcProcParentReasonSignatureInvalid': None, 'srcProcParentSessionId': '*****', 'srcProcParentSignedStatus': 'signed', 'srcProcParentStartTime': '2022-04-14T19:44:56.530Z', 'srcProcParentStorylineId': '*****', 'srcProcParentUid': '*****', 'srcProcParentUser': '***\\***', 'srcProcPid': '*****', 'srcProcPublisher': None, 'srcProcReasonSignatureInvalid': None, 'srcProcRelatedToThreat': 'True', 'srcProcRpid': None, 'srcProcSessionId': '0', 'srcProcSignedStatus': 'unsigned', 'srcProcStartTime': '2022-08-24T00:55:28.167Z', 'srcProcStorylineId': '*****', 'srcProcSubsystem': 'SYS_WIN32', 'srcProcTid': None, 'srcProcUid': '*****', 'srcProcUser': '***\\***', 'srcProcVerifiedStatus': None, 'storyline': '*****', 'tgtFileConvictedBy': None, 'tgtFileCreatedAt': '2022-09-27T23:59:55.786Z', 'tgtFileCreationCount': '325494', 'tgtFileDeletionCount': '9525', 'tgtFileDescription': None, 'tgtFileExtension': 'interim', 'tgtFileId': '*****', 'tgtFileInternalName': None, 'tgtFileIsExecutable': 'False', 'tgtFileIsSigned': None, 'tgtFileLocation': 'Local', 'tgtFileMd5': None, 'tgtFileModificationCount': '926346', 'tgtFileModifiedAt': '2022-09-27T23:59:55.786Z', 'tgtFileOldMd5': None, 'tgtFileOldPath': 'C:\\***\\***\\***\\***\\***\\***\\***\\***', 'tgtFileOldSha1': None, 'tgtFileOldSha256': None, 'tgtFilePath': 'C:\\***\\***\\***\\***\\***\\***\\***\\', 'tgtFileSha1': None, 'tgtFileSha256': None, 'tgtFileSize': '0', 'tgtFileType': 'UNKNOWN', 'threatStatus': 'OldMitigationStatus.SUSPICIOUS_RESOLVED', 'tiOriginalEventId': None, 'tiOriginalEventIndex': None, 'tiOriginalEventTraceId': None, 'tid': None, 'tiindicatorRelatedEventTime': None, 'traceId': '*****', 'trueContext': '*****', 'user': '***\\***', 'verifiedStatus': None}

pagination

{'nextCursor': '*****', 'totalItems': 10}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Query failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Authentication Failed.

Error Sample Data

Query failed.

Status Code: 401.

Message: Authentication Failed.

Remove Items In Blacklist

Removes threats from the blacklist

READER NOTE

The parameter Item IDs is optional to run this command.

  • Run the Get Blacklist command to obtain Item IDs. Item IDs can be found in the raw data at the path $.data.id.

Input

Input Parameter

Required/Optional

Description

Example

Item IDs

Optional

The ID(s) of the blacklisted items to remove. Item IDs can be obtained using the Get Blacklist command.

[

"*****",

"*****"

]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "data": {
            "affected": 1
        }
    },
    {
        "data": {
            "affected": 1
        }
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "affected": 1
    },
    {
        "affected": 1
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "Item id": ["*****","*****"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

affected

1

1

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Remove Items In Blacklist failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Authentication Failed.

Error Sample Data

Remove Items In Blacklist failed.

Status Code: 401.

Message: Authentication Failed.

Resolve Threat

Updates status of specified threats to resolve.

READER NOTE

Threat IDs and Agent ID are required parameters to run this command.

  • Run the Get Threat command to obtain Threat IDs. Threat IDs can be found in the raw data at the path $.data[*].id.

  • Run the List Agents command to obtain Agent ID. Agent ID can be found in the raw data at the path $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Threat IDs

Required

The list of Threat ID(s) to resolve. Threat ID(s) can be obtained using the Get Threat command.

[

"*****",

"*****"

]

Agent ID

Required

The Agent ID associated with the threat. Agent ID can be obtained using the List Agents command.

*****

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "data": {
            "affected": 15
        }
    },
    {
        "data": {
            "affected": 15
        }
    }
] 
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "affected": 15
    },
    {
        "affected": 15
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "Threat id": ["*****","*****"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Resolve Threat failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Authentication Failed.

Error Sample Data

Resolve Threat failed.

Status Code: 401.

Message: Authentication Failed.

Restart Endpoints

Restarts endpoints that have an Agent installed and that fit the filter. We recommend that you use the Broadcast Message command to send a message to users of endpoints before you restart their computers.

READER NOTE

Agent IDs and Group IDs are optional parameters to run this command.

  • Run the List Agents command to obtain Agent IDs. Agent IDs can be found in the raw data at the path $.data[*].id.

  • Run the Get Groups command to obtain Group IDs. Group IDs can be found in the raw data at the path $.data.id.

Input

Input Parameter

Required/Optional

Description

Example

Agent IDs

Optional

The ID(s) of the agent(s) to restart endpoints. Agent IDs can be obtained using the List Agents command. Please note, either Agent IDs or Group IDs, or both should be entered. If both are entered, the Agent IDs in the Groups wil