SentinelOne delivers autonomous endpoint protection that prevents, detects, and responds to attacks across all major vectors. SentinelOne is an enterprise security platform that provides threat detection, hunting, and response features that enable organizations to discover vulnerabilities and protect IT operations.
D3 SOAR is providing REST operations to function with SentinelOne.
To connect to SentinelOne from D3 SOAR, please follow this part to collect the required information below:
Parameter
Description
Example
Server URL
The URL of the SentinelOne server.
https://usea1-partners.sentinelone.net
API Token
The API token for authentication.
JnHs************************************ug5S
API Version
The version of the APIs.
v2.1
Permission Requirements
Each endpoint in the SentinelOne API requires a certain permission scope. The following are required scopes for the commands in this integration:
Command
Required Permission
Role Scope
Activate Star Custom Rules
Default Role (see Test Connection)
STAR Custom Rules
View + Manage
Add Notes To Threats
Default Role (see Test Connection)
Endpoint Threats
View + Update Incident Status
Add Threat To Blacklist
Default Role (see Test Connection)
Blocklist
View + Create
Block Hash
Default Role (see Test Connection)
Blocklist
View + Create
Block Remote Hosts
Global admin
Tenant permission is needed if set the Tenant parameter to true
Broadcast Message
Default Role (see Test Connection)
Endpoints
View + Send Message
Collect Files
Default Role (see Test Connection)
Endpoints
View + File Fetch
Activity
View
Connect Agent To Network
Default Role (see Test Connection)
Endpoints
View + Reconnect to Network
Create Exclusion
Default Role (see Test Connection)
Exclusions
View + Create
Create Group
Default Role (see Test Connection)
Groups
View + Create
Create IOC
Default Role (see Test Connection)
Threat Intelligence
View + Manage
Create Power Query
Default Role (see Test Connection)
SDL Query API (Previously Skylight)
View
Create Query
Default Role (see Test Connection)
SDL Search (Previously Skylight)
View
Create Star Custom Rule
Default Role (see Test Connection)
Endpoints
View + Disconnect From Network
Endpoint Threats
View + Mark Threat + Mark Suspicious
STAR Custom Rules
View + Manage
Delete Exclusions
Default Role (see Test Connection)
Exclusions
View + Delete
Delete Group
Default Role (see Test Connection)
Groups
View + Delete
Delete IOCs
Default Role (see Test Connection)
Threat Intelligence
View + Manage
Delete Star Custom Rules
Default Role (see Test Connection)
STAR Custom Rules
View + Manage
Disable Star Custom Rules
Default Role (see Test Connection)
STAR Custom Rules
View + Manage
Disconnect Agent From Network
Default Role (see Test Connection)
Endpoints
View + Disconnect From Network
Download Files
Default Role (see Test Connection)
Activity
View
Download Threat Files
Default Role (see Test Connection)
Activity
View
Fetch Event (Event Source = Threat)
Default Role (see Test Connection)
Endpoint Threats
View
Fetch Event (Event Source = Alert)
Default Role (see Test Connection)
STAR Rule Alerts
View
Fetch Files
Default Role (see Test Connection)
Endpoints
View + File Fetch
Fetch Threat File
Default Role (see Test Connection)
Endpoint Threats
View + Fetch Threat File
Get Account Policy
Default Role (see Test Connection)
Endpoint Policy
View
Get Activities
Default Role (see Test Connection)
Activity
View
Get Agent Applications
Default Role (see Test Connection)
Endpoints
View + Show Applications
Get Agent Info
Default Role (see Test Connection)
Endpoints
View
Get Agent Process
Default Role (see Test Connection)
Agent Packages
View
Get Alerts
Default Role (see Test Connection)
STAR Rule Alerts
View
Get Black List
Default Role (see Test Connection)
Blocklist
View
Get Events by Query ID and Type
Default Role (see Test Connection)
SDL Search (Previously Skylight)
View
Get Exclusions
Default Role (see Test Connection)
Exclusions
View
Get Global Policy
Default Role (see Test Connection)
Endpoint Policy
View
Get Groups
Default Role (see Test Connection)
Get Hash Reputations
Default Role (see Test Connection)
Blocklist
View
Get Query Status
Default Role (see Test Connection)
SDL Search (Previously Skylight)
View
Get Script Results
Default Role (see Test Connection)
RemoteOps
View
Get Scripts
Default Role (see Test Connection)
RemoteOps
View
Get Script Task Status
Default Role (see Test Connection)
RemoteOps
View
Get Sites
Default Role (see Test Connection)
Get Star Custom Rules
Default Role (see Test Connection)
STAR Custom Rules
View
Get System Info
Default Role (see Test Connection)
Get System Status
Default Role (see Test Connection)
Get Threat
Default Role (see Test Connection)
Endpoint Threats
View
Get Threat Analysis
Default Role (see Test Connection)
Endpoint Threats
View
Get Threat Events
Default Role (see Test Connection)
Endpoint Threats
View
Initiate Scan
Default Role (see Test Connection)
Endpoints
View + Endpoints Initiate Scan
Kill Processes
Default Role (see Test Connection)
Endpoint Threats
View + Update Analyst Verdict
Threat Actions
Kill
List Accounts
Default Role (see Test Connection)
List Agents
Default Role (see Test Connection)
Endpoints
View
List IOCs
Default Role (see Test Connection)
Threat Intelligence
View
Mark As Threat
Default Role (see Test Connection)
Endpoint Threats
View + Mark Threat
Mitigate Threats
Default Role (see Test Connection)
Endpoint Threats
View + Update Analyst Verdict + Unquarantine
Threat Actions
Rollback + Remediate + Quarantine + Kill
Move Agents
Default Role (see Test Connection)
Groups
View + Edit
Move Agents Between Sites
Default Role (see Test Connection)
Endpoints
View + Move To Another Site
Ping Power Query
Default Role (see Test Connection)
SD Search (Previously Skylight)
View
Quarantine Files
Default Role (see Test Connection)
Endpoints Threats
View + Update Analyst Verdict
Threat Actions
Quarantine + Kill
Quarantine Host
Default Role (see Test Connection)
Groups
View + Edit
Endpoints
View
Query
Default Role (see Test Connection)
SDL Search (Previously Skylight)
View
SDL Query API (Previously Skylight)
View
SDL API Keys (Previously Skylight)
View + Manage
Remove Items In Blacklist
Default Role (see Test Connection)
Blacklist
View + Edit
Resolve Threat
Default Role (see Test Connection)
Endpoints
View
Endpoint Threats
View
Restart Endpoints
Default Role (see Test Connection)
Endpoints
View + Reboot
Rollback Remediation
Default Role (see Test Connection)
Endpoint Threats
View + Update Analyst Verdict
Threat Actions
Rollback + Remediate + Quarantine + Kill
Run Script
Default Role (see Test Connection)
RemoteOps
View
Set Customer ID
Default Role (see Test Connection)
Endpoints
View + Endpoints Set Customer Identifier
Shutdown Endpoints
Default Role (see Test Connection)
Endpoints
View + Shut Down
Update Account Policy
Default Role (see Test Connection)
Endpoints Policy
View + Edit
Update Alert Analyst Verdict
Default Role (see Test Connection)
STAR Rule Alerts
View + Update Analyst Verdict
Update Alert Incident Status
Default Role (see Test Connection)
STAR Rule Alerts
View + Update Incident Status
Update Alert Verdict
Default Role (see Test Connection)
STAR Rule Alerts
View + Update Analyst Verdict
Update Threat Analyst Verdict
Default Role (see Test Connection)
Endpoint Threats
View + Update Analyst Verdict
Update Exclusion
Default Role (see Test Connection)
Exclusions
View + Edit
Update Global Policy
Global Admin
Update Incident Status
Default Role (see Test Connection)
Endpoint Threats
View + Update Incident Status
Update Star Custom Rule
Default Role (see Test Connection)
STAR Custom Rules
View + Manage
Update Threat Incident
Default Role (see Test Connection)
Endpoint Threats
View + Update Analyst Verdict + Update Incident Status
Test Connection
Account
View
Groups
View
Roles
View
Site
View
As SentinelOne is using role-based access control (RBAC), the API access token is generated based on a specific user account and the application. Therefore, the command permissions are inherited from the user account’s role. Users need to configure their user profile from the SentinelOne console for each command in this integration.
Custom role has Account, Groups, Roles, Site permission with View scope as default. You cannot remove these permissions.
Configuring SentinelOne to Work with D3 SOAR
Log in to the SentinelOne portal with your credentials.
Input the 2FA verification code if you have enabled Two-Factor Authentication.
Click the username located on the top right corner, then click My User.
Under Options, click Generate to create an API Token if you have not already created one.
Click Copy to copy the API token for later use to build the D3 SOAR connection.
READER NOTE
You will only be able to see the token once. Store the token in a secure location for future reference. If you lose the token in the future, you will have to generate a new one.
How to Create a New Role
On the left sidebar menu, click Settings.
On the top menu, click Users, then select Roles. Under Actions, click New Role.
Enter a Role Name, and a Description (optional).
Use the left permissions category menu to find and select permissioins to allow for the role. See Permissions Requirements for a list of required permissions.
Click Save after selecting the desired permissions to allow for the role to confirm the configuration.
Select Users located on the left. Click Actions > New User. The Select Scope of Access window will appear. Under Access, select the desired Account or Site, and select the role you have created. Click Create User.
You can use the created user with limited access to generate an API key using the previous steps to build a connection with D3 SOAR.
READER NOTE
The created user must set up 2FA. Without setting up 2FA, they cannot log in or generate any API tokens. You can set up 2FA by selecting your created user, then navigating to Actions > 2FA Settings.
Configuring D3 SOAR to Work with SentinelOne
Log in to D3 SOAR.
Find the SentinelOne integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type SentinelOne in the search box to find the integration, then click it to select it.
Click + Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to SentinelOne.
Connection Name: The desired name for the connection.
Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add your desired description for the connection.
Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: Check the tick box to ensure the connection is available for use.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection. 1. Input your domain level Server URL. 2. Input your API Token. 3. Input the API Version. The default value is v1.
Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active. To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.
Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
Test the connection.
Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmarkappear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.
Click OK to close the alert window.
Click +Add to create and add the configured connection.
Commands
SentinelOne includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.
The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands is different from what you see. To set your preferred time format, follow these steps:
Navigate to Configuration > Application Settings. Select Date/Time Format.
Choose your desired date and time format.
After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.
Activate Star Custom Rules
Activates star custom rules based on a filter.
READER NOTE
Account IDs, Site IDs, Group IDs and Rule IDs are optional parameters to run this command.
Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.
Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.
Run the Get Groups command to obtain Group IDs. Group IDs can be found in the raw data at the path $.data.id.
Run the Get Star Custom Rules command to obtain Rule IDs. Rule IDs can be found in the raw data at the path $.data[*].id.
Although all parameters are optional, you have to define at least one parameter to filter.
Input
Input Parameter
Required/Optional
Description
Example
Account IDs
Optional
The account IDs to filter. Account IDs can be obtained using the List accounts command.
["131********791"]
Site IDs
Optional
The site IDs to filter. Site IDs can be obtained using the Get sites command.
["174********138"]
Group IDs
Optional
The group IDs to filter. Group IDs can be obtained using the Get groups command.
["151********497"]
Rule IDs
Optional
The star custom rule IDs to filter. Rule IDs can be obtained using the Get Star Custom Rules command.
["174********052"]
Creator
Optional
The free-text filter by rule creator.
["w**"]
Name
Optional
The free-text filter by rule name.
["test"]
Status
Optional
The status of rules to filter. The available inputs are Activating, Active, Deleted, Deleting, Disabled, Disabling and Draft.
["Active"]
Query
Optional
The free-text filter by S1 query.
["test"]
Query Type
Optional
Retrieves the rules with the filtered type. The available inputs are events and processes.
["events"]
Expired
Optional
Whether the rule is expired or not.
Not Expired
s1ql
Optional
The free-text filter by S1 query.
["AgentName IS NOT EMPTY"]
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Raw Data
The primary response data from the API request.
SAMPLE DATA
CODE
{
"data": {
"affected": 1
}
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Activate Star Custom Rules failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Could not find rule with id: {'scope_id__in': [xxx]}.
Error Sample Data
Activate Star Custom Rules failed.
Status Code: 404.
Message: Could not find rule with id: {'scope_id__in': [xxx]}.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Raw Data
The primary response data from the API request.
SAMPLE DATA
JSON
{
"data": {
"affected": 10
}
}
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"AffectedThreats": 10
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Add Notes To Threats failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Invalid user input received. See error details for further information.
Error Sample Data
Add Notes To Threats failed.
Status Code: 400.
Message: Invalid user input received. See error details for further information.
Add Threat To Blacklist
Blacklists threats based on the specified target scope (Global, Account, Site or Group).
READER NOTE
Collection IDs and Site ID are required parametersto run this command.
Run the Get threat command to obtain Collection IDs. Collection IDs can be found in the raw data at the path $.data.threatInfo.collectionId.
Run the Get Sites command to obtain Site ID. Site IDs can be found in the raw data at the path $.data.agentDetectionInfo.siteId.
Please note that the collection ID and site ID must come from the same threat, meaning they should be under the same threat object. Obtain the pair of values by running the Get Threat command.
Input
Input Parameter
Required/Optional
Description
Example
Collection IDs
Required
The list of threat collection ID(s). Collection IDs can be obtained using the Get Threat command.
[
"947********369",
"752********846"
]
Site ID
Required
The site ID related to the threat. Site ID can be obtained using the Get Sites command.
947********671
Description
Optional
The description for the process.
Add threat to blacklist
Target Scope
Required
The target scope of the agent. Available options include group, site, and account. Please note this field is case-sensitive, only lowercase letters are accepted.
group
Output
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the $.data path from the returned raw data.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
CODE
[
{
"affected": 2
},
{
"affected": 2
}
]
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Add Threat To Blacklist failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Site ID is a required parameter to run this command.
Run the Get Sites command to obtain Site ID. Site IDs can be found in the raw data at the path $.data.sites.id.
Please note that only SHA-1 hashes are accepted for this command. Existing hashes in the system cannot be blocked again. Otherwise, the error message “Hash XXX already exists” will return.
To get SHA-1 hashes from D3 SOAR, it is recommended to use the Get Hash Value utility command to obtain the Input String. Please follow the steps below:
Select your desired site
Input your desired search string
Choose HashSHA1 for Hash Keys
Click Test Command. The SHA-1 hash will return under Return Data. Copy and save this value to input for the Threat Hashes parameter.
Input
Input Parameter
Required/Optional
Description
Example
Threat Hashes
Required
The list of threat hashes to block.
[ "d25********225",
"a6d********d00"
]
OS Type
Required
The type of operating system of the Threat Hashes.
Windows
Site ID
Required
The site ID to filter. Site ID can be obtained using the Get Sites command.
[ "947********671" ]
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the $.data path from the returned raw data.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
CODE
No Sample Data
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Block Hash failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: "Hash 'a6d********d00' already exists"
Error Sample Data
Block Hash failed.
Status Code: 400.
Message: "Hash 'a6d********d00' already exists"
Block Remote Hosts
Creates a firewall control rule to block specified remote host(s).
READER NOTE
Account ID, Site ID, and Group ID are optional parameters to run this command.
Run the List Accounts command to obtain Account ID. Account ID can be found in the raw data at the path $.data[*].id.
Run the Get Sites command to obtain Site ID. Site ID can be found in the raw data at the path $.data.sites.id.
Run the Get Groups command to obtain Group IDs. Group IDs can be found in the raw data at the path $.data.id.
If the Tenant parameter is none or not specified, at least one of the following scopes must be specified: Account ID, Site ID, or Group ID.
Input
Input Parameter
Required/Optional
Description
Example
Rule Name
Required
The name of the Firewall Control Rule.
ruleAPI0405a26
Status
Optional
The rule is specified when Enabled. If not specified, the default value is Enabled.
Account ID
Optional
The Firewall Control rule is created for the specified account ID. Account ID can be obtained using the List Accounts command.
Site ID
Optional
The Firewall Control rule is created for the specified site ID. Site ID can be obtained using the Get Sites command.
947********671
Group ID
Optional
The Firewall Control rule is created for the specified group ID. Group ID can be obtained using the Get Groups command.
151********497
Tenant
Optional
The Firewall Control rule is created for the entire tenant if set to True. It is necessary to have tenant permission to be able to set this parameter to True. Please note, if Tenant is set to False or not specified, at least one scope must be specified: Account ID, Site ID or Group ID.
False
OS Types
Optional
The OS Types to which the rule applies. The available values are "windows", "macos" and "linux". If not specified, the default value is windows.
[ "windows", "macos", "linux" ]
Remote Host Type
Optional
The type of remote host(s). If not specified, the default type is Addresses.
CIDR
Remote Host Values
Required
The remote host value(s).The value(s) must match Remote Host Type.
[ "203.193.22.248/31" ]
Description
Optional
The description for the Firewall Control rule.
This is a test firewall control rule.
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"RuleID": [
"192********000"
]
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Block Remote Hosts failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: BAD REQUEST
Error Sample Data
Block Remote Hosts failed.
Status Code: 400.
Message: BAD REQUEST
Broadcast Message
Sends a message through the Agents that users can see. This command is supported on Windows and macOS endpoints (not supported on Linux). The message is sent to all endpoints that match the filter and the message must be 140 characters or less.
READER NOTE
The parameter Group IDs is optional to run this command.
Run the Get Groups command to obtain Group IDs. Group IDs can be found in the raw data at the path $.data.id.
Input
Input Parameter
Required/Optional
Description
Example
Host Names Or Internal IPs
Optional
The name(s) or internal IP address(es) of the computer(s) to which the message is sent. Please note that you must enter either this parameter or Group IDs, or both.
[ "192.168.**.***", "lab*-p**" ]
Group IDs
Optional
The ID of the group to which the message is sent. Group IDs can be obtained using the Get Groups command. Please note that you must enter either this parameter or Host Names Or Internal IPs, or both.
[ "138********378" ]
Message
Required
The message to broadcast.
Computer Maintenance will start in one hour. FYI.
Output
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Broadcast Message failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Server could not process the request.
Error Sample Data
Broadcast Message failed.
Status Code: 400.
Message: Server could not process the request.
Collect Files
Collects the files from endpoints (up to 10 MB for each command) to analyze the root of threats and uploads them to the Management.
READER NOTE
Agent ID is a required parameter to run this command.
Run the List Agents command to obtain Agent ID. Agent IDs can be found in the raw data at the path $.data[*].id.
Input
Input Parameter
Required/Optional
Description
Example
Agent ID
Required
The agent ID of the endpoint for fetching files. Agent ID can be obtained using the List agent command.
139********432
File Paths
Required
The list of files to collect (absolute paths, up to 10 files).
The new password to generate, which will be used to open the archive of downloaded files. It must be 10 or more characters long and contain a mix of upper and lower case letters, numbers, and symbols.
MySecret******!
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Collect Files failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: The agent with ID *** is not found.
Error Sample Data
Collect Files failed.
Status Code: 404.
Message: The agent with ID *** is not found.
Connect Agent To Network
Reconnects (unquarantine) quarantined agent(s) to the network matching the defined filter. If neither input parameters are defined, all applicable agents will be reconnected.
READER NOTE
The parameter Agent IDs is optional to run this command.
Run the List Agents command to obtain Agent IDs. Agent IDs can be found in the raw data at the path $.data[*].id.
Input
Input Parameter
Required/Optional
Description
Example
Agent IDs
Optional
The IDs of the agents to reconnect to the network. Agent IDs can be obtained using the List Agents command.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Raw Data
The primary response data from the API request.
SAMPLE DATA
CODE
{
"data": {
"affected": 1
}
}
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"AffectedAgents": [
"1"
]
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Connect Agent To Network failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: User has insufficient permissions to perform the requested action.
Error Sample Data
Connect Agent To Network failed.
Status Code: 403.
Message: User has insufficient permissions to perform the requested action.
Create Exclusion
Creates exclusion(s) to instruct your agents to suppress alerts and mitigation for items that you consider to be benign or necessary for interoperability.
READER NOTE
Account IDs, Site IDs and Group IDs are optional parameters to run this command.
Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.
Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.
Run the Get Groups command to obtain Group IDs. Group IDs can be found in the raw data at the path $.data.id.
At least one of the Account IDs, Site IDs or Group IDs is required.
Input
Input Parameter
Required/Optional
Description
Example
Type
Required
The type of exclusion item.
Path
Operation System
Required
The operation system.
Windows Legacy
Value
Required
The valid values depend on the item type chosen.
C:\"Windows\"saas\"
Description
Optional
The description to be added to the created exclusion.
Test description
Mode
Optional
The exclusion mode which is restricted to Path only for the selected Type parameter.
Suppress Alerts
Path Exclusion Type
Optional
The excluded path for a path exclusion list. The available options are file, folder, subfolders.
subfolders
Account IDs
Optional
The account IDs for exclusion. Account IDs can be obtained using the List Accounts command. Please note that at least one of the account IDs, group IDs, or site IDs is required.
["131********791"]
Site IDs
Optional
The site IDs for exclusion. Site IDs can be obtained using the Get Sites command. Please note that at least one of account IDs, group IDs or site IDs is required.
["174********138"]
Group IDs
Optional
The group IDs for exclusion. Group IDs can be obtained using the Get Groups command. Please note that at least one of account IDs, group IDs or site IDs is required.
["151********497"]
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"ExclusionIDs": [
"174********916"
]
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Create Exclusion failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: User does not have required permissions.
Error Sample Data
Create Exclusion failed.
Status Code: 403.
Message: User does not have required permissions.
Create Group
Creates a new group. You must create the Group in a Site (run the Get Sites command to obtain Site IDs) you have permission to.
READER NOTE
Site ID is a required parameterto run this command.
Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.
Input
Input Parameter
Required/Optional
Description
Example
Name
Required
The name of the new group.
D3*****5
Site ID
Required
The site ID of the site to which the group will be added. Site ID can be obtained using the Get Sites command.
947********671
Inherits
Required
The indication of whether the group will inherit the site policy or not.
True
Policy
Optional
The group policy to inherit if the Inherits parameter is set to False. Note: This parameter is required only if the Inherits parameter is set to False. If the Inherits parameter is set to True, any input value will be ignored. Please refer to https://usea1-partners.sentinelone.net/api-doc/api-details?category=groups=create-group to see available fields.
{
"mitigationMode": "detect",
"autoImmuneOn": true,
"agentUiOn": true
}
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Conetxt Data by extracting the data from path $.data in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
CODE
No Sample Data
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"GroupId": [
"951********900"
]
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Create Group failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Not a valid Identifier.
Error Sample Data
Create Group failed.
Status Code: 400.
Message: Not a valid Identifier.
Create IOC
Creates an IOC to the Threat Intelligence database.
READER NOTE
The parameter Account IDs is optional to run this command.
Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.
Input
Input Parameter
Required/Optional
Description
Example
Account IDs
Optional
The List of account IDs. Account IDs can be obtained using the List Accounts command.
[ "131********791" ]
Source
Required
The source of the identified Threat Intelligence indicator. For example, "AlienVault".
AlienVault
Type
Required
The type of the Threat Intelligence indicator. The available types include: IPv4, IPv6, MD5, SHA1, SHA256, URL and DNS.
IPv4
IOC Value
Required
The value of the Threat Intelligence indicator. For example, "175.45.***.*".
175.45.***.*
Name
Optional
The name of the Threat Intelligence indicator.
test***1
Description
Optional
The description of the Threat Intelligence indicator.
test description
Valid Until
Optional
The expiration date for the Threat Intelligence indicator. If this parameter is left blank, by default it will be the upload date plus a default offset value:
14 days for IPs
90 days for URLs and domains
180 days for file hashes (SHA1, SHA256, and MD5)
The maximum offset values allowed are:
30 days for IPs
180 days for URLs and Domains
180 days for hashes (SHA1, SHA256, and MD5)
If the expiration date is later than the upload date plus the maximum offset value allowed, it will be adjusted to the upload date plus the maximum offset value allowed.
2023-08-20 00:00
Mitre Tactics
Optional
The MITRE Tactic(s) associated with the IOC.
[ "TA0001" ]
External ID
Optional
The unique identifier of the indicator as provided by the Threat Intelligence source.
123456
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Create IOC failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Invalid user input received. See error details for further information.
Error Sample Data
Create IOC failed.
Status Code: 400.
Message: Invalid user input received. See error details for further information.
Create Power Query
Starts a Deep Visibility Power Query, get back status and potential results. If the query status is not FINISHED, please use Ping Power Query afterwards to get query result.
READER NOTE
Account IDs and Site IDs are optional parameters to run this command.
Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.
Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.
Input
Input Parameter
Required/Optional
Description
Example
Start Time
Required
The start time (in UTC Time) of the time range for querying events that were created after the specified start time.
2023-05-20 00:00
End Time
Required
The end time (in UTC Time) of the time range for querying events that were created before the specified end time.
2023-06-02 00:00
Limit
Optional
The maximum number of items to return. A valid value is an integer between 1 and 100,000. The API default maximum limit is 20,000. Consult SentinelOne contact could increase the limit to maximum 100,000.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Create Power Query failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Deep Visibility currently retains data for 14 days, to increase your data retention, please contact S1.
Error Sample Data
Create Power Query failed.
Status Code: 400.
Message: Deep Visibility currently retains data for 14 days, to increase your data retention, please contact S1.
Create Query
Starts a Deep Visibility Query and returns a Query ID. For more about the complete query syntax, see Query Syntax in the Knowledge Base (support.sentinelone.com) or the Console Help. Note: The API rate limit is 1 call per minute for each unique user token.
Input
Input Parameter
Required/Optional
Description
Example
Start Time
Required
The start time (in UTC Time) of the time range for initiating the query.
2022-09-18 00:00
End Time
Required
The end time (in UTC Time) of the time range for initiating the query.
2022-09-19 00:00
Limit
Optional
The maximum number of returned items. A valid value is an integer between 1 and 100000. Up to 100000 results will be returned if this field is left empty.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"QueryID": [
"q93*******1dd"
]
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Create Query failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Bad Request - could not parse query.
Error Sample Data
Create Query failed.
Status Code: 400.
Message: Bad Request - could not parse query.
Create Star Custom Rule
Creates a Custom Detection Rule by a specified scope.
READER NOTE
Account IDs, Site IDs and Group IDs are optional parameters to run this command.
Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.
Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.
Run the Get Groups command to obtain Group IDs. Group IDs can be found in the raw data at the path $.data.id.
Input
Input Parameter
Required/Optional
Description
Example
Expiration Mode
Required
The expiration mode of the rule. The available options are Permanent or Temporary. When choosing Temporary, an expiration date is required to enter.
Temporary
Name
Required
The name of the star custom rule.
D3**Rule
Query Type
Required
Returns rules with the filtered type. The available options are Events and Processes.
Events
S1ql
Required
The query of the rule. For complete query syntax, see Query Syntax in the Knowledge Base (support.sentinelone.com) or the Console Help.
AgentName IS NOT EMPTY
Severity
Required
The severity level of the rule.
Low
Status
Required
The status of rules to filter.
Active
Description
Optional
The description of the rule.
Test description
Expiration Date
Optional
The expiration date of the rule. The expiration date must be within the next six months. Only input the expiration date when choosing temporary expiration mode.
2024-11-08 00:00
Network Quarantine
Optional
The indication of whether to enable network quarantine. If enabled, the system automatically quarantines the alerted endpoints.
Disable
Treat As Threat
Optional
Defines treat as threat auto response. If enabled, the Agent generates a threat from the alert and applies a selected policy.
Suspicious
Account IDs
Optional
The account IDs to filter. Account IDs can be obtained using the List Accounts command.
["131********791"]
Site IDs
Optional
The site IDs to filter. Site IDs can be obtained using the Get Sites command.
["174********138"]
Group IDs
Optional
The group IDs to filter. Group IDs can be obtained using the Get Groups command.
["151********497"]
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Raw Data
The primary response data from the API request.
SAMPLE DATA
CODE
{
"data": {
"createdAt": "2023-08-11T21:58:51.650852Z",
"creator": "mh****@d3security.com",
"creatorId": "147********138",
"description": "Test description",
"expiration": "2024-01-11T00:00:00Z",
"expirationMode": "Temporary",
"expired": false,
"id": "174********258",
"name": "D3**Rule",
"networkQuarantine": false,
"queryLang": "1.0",
"queryType": "events",
"reachedLimit": false,
"s1ql": "AgentName IS NOT EMPTY",
"scope": "site",
"scopeId": [
"174********138"
],
"severity": "Low",
"status": "Activating",
"statusReason": "Rule was activated by mh****@d3security.com and will become Active within an hour",
"treatAsThreat": "Suspicious",
"updatedAt": "2023-08-11T21:58:51.650170Z",
"updaterId": "147********138"
}
}
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Create Star Custom Rule failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: This scope cannot have custom rules with Process State queries.
Error Sample Data
Create Star Custom Rule failed.
Status Code: 403.
Message: This scope cannot have custom rules with Process State queries.
Delete Exclusions
Deletes a list of all the Exclusions that match the filter.
READER NOTE
Account IDs, Site IDs, Group IDs and Exclusion IDs are optional parameters to run this command.
Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.
Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.
Run the Get Groups command to obtain Group IDs. Group IDs can be found in the raw data at the path $.data.id.
Run the Get Exclusions command to obtain Exclusion IDs. Exclusion IDs can be found in the raw data at the path $.data.id.
If no parameter is specified, all exclusions will be deleted.
Input
Input Parameter
Required/Optional
Description
Example
Type
Optional
The exclusion item type to filter.
Path
Operation System
Optional
The operation system to filter.
Linux
Account IDs
Optional
The account IDs to filter. Account IDs can be obtained using the List Accounts command.
["131********791"]
Site IDs
Optional
The site IDs to filter. Site IDs can be obtained using the Get Sites command.
["174********138"]
Group IDs
Optional
The group IDs to filter. Group IDs can be obtained using the Get Groups command.
["151********497"]
Exclusion IDs
Optional
The exclusion IDs to filter. Exclusion IDs can be obtained using the Get Exclusions command.
["174********364"]
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Raw Data
The primary response data from the API request.
SAMPLE DATA
CODE
{
"data": {
"affected": 1
}
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Delete Exclusions failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Not a valid Identifier.
Error Sample Data
Delete Exclusions failed.
Status Code: 400.
Message: Not a valid Identifier.
Delete Group
Deletes a Group given by the required Group ID. If there are Agents in the Group, and the Group is dynamic, the next dynamic Groups will collect matching Agents, and unmatched Agents will go to the Default Group. If this is a static or Pinned Group with Agents, all the Agents will go to the Default Group.
READER NOTE
There are three types of groups: Dynamic, Pinned and Static. To know your desired group type, run the Get Groups command.
Group IDs can be found in the raw data at the path $.data[*].id; Group Type can be found in the raw data at the path$.data[*].type.
If there are Agents in the Group:
Dynamic Group (Create an endpoint filter for this Group. All endpoints that match the filter automatically move to this Group, except for endpoints in Pinned Groups): the next dynamic Group will collect matching Agents, and unmatched Agents will go to the Default Group.
Static Group/Manual Group in UI (Select the endpoints that go in this Group. Endpoints move automatically from this Group to a Dynamic Group if they match a Dynamic Group filter): all the Agents will go to the Default Group.
Pinned Group (Select the endpoints that go in this Group. Endpoints are pinned to this Group and do not automatically move to other Groups): all the Agents will go to the Default Group.
Input
Input Parameter
Required/Optional
Description
Example
Group IDs
Required
The Group IDs to delete. Group IDs can be obtained using the Get Groups command.
[
"951********939",
"952********906"
]
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"ids": [
"951********939",
"952********906"
]
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Delete Group failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.
Error Sample Data
Delete Group failed.
Status Code: 404.
Message: The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.
Delete IOCs
Deletes IOC(s) from the Threat Intelligence database that matches a filter using the account ID and one other field.
READER NOTE
The parameter Account IDs is required to run this command.
Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.
Input
Input Parameter
Required/Optional
Description
Example
Account IDs
Required
The list of Account IDs to delete. Account IDs can be obtained using the List Accounts command.
[ "131********791" ]
IOC Values
Optional
The value(s) of the Threat Intelligence indicator(s) to be deleted. Example: "175.45.***.*". Please note, you must input IOC Values or UUID, or both.
[ "175.45.***.*" ]
UUIDs
Optional
The unique ID(s) of the Threat Intelligence indicator(s) to delete. Please note, it is necessary to input IOC Values or UUID, or both.
IPv4
Output
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
No Sample Data
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Delete IOCs failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 4004.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.
Error Sample Data
Delete IOCs failed.
Status Code: 404.
Message: The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.
Delete Star Custom Rules
Deletes Custom Detection Rules that match a filter.
READER NOTE
Account IDs, Site IDs, Group IDs and Rule IDs are optional parameters to run this command.
Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.
Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.
Run the Get Groups command to obtain Group IDs. Group IDs can be found in the raw data at the path $.data.id.
Run the Get Star Custom Rules command to obtain Rule IDs. Rule IDs can be found in the raw data at the path $.data[*].id.
At least one parameter must be defined to filter.
Once the star custom rule is deleted, it will be removed from the rule list. The same rule cannot be deleted twice.
Input
Input Parameter
Required/Optional
Description
Example
Account IDs
Optional
The account IDs to filter. Account IDs can be obtained using the List Accounts command.
["131********791"]
Site IDs
Optional
The site IDs to filter. Site IDs can be obtained using the Get Sites command.
["174********138"]
Group IDs
Optional
The group IDs to filter. Group IDs can be obtained using the Get Groups command.
["151********497"]
Rule IDs
Optional
The star custom rule IDs to filter. Rule IDs can be obtained using the Get Star Custom Rules command.
["174********364"]
Creator
Optional
The free-text filter by rule creator.
["w**"]
Name
Optional
The free-text filter by rule name.
["test"]
Status
Optional
The status of rules to filter. Available options include: Activating, Active, Deleted, Deleting, Disabled, Disabling and Draft.
["Active"]
Query
Optional
The free-text filter by S1 query.
["test"]
Query Type
Optional
The return rules with the filtered type. Available options include: Events and Processes.
["events"]
Expired
Optional
Whether the rule is expired or not.
Not Expired
s1ql
Optional
The free-text filter by S1 query.
["AgentName IS NOT EMPTY"]
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Raw Data
The primary response data from the API request.
SAMPLE DATA
CODE
{
"data": {
"affected": 1
}
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Delete Star Custom Rules failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Could not find rule with id: {'id__in': [xxx], 'scope_id__in': [xxx]}.
Error Sample Data
Delete Star Custom Rules failed.
Status Code: 404.
Message: Could not find rule with id: {'id__in': [xxx], 'scope_id__in': [xxx]}.
Disable Star Custom Rules
Disable Custom Detection Rules based on a filter.
READER NOTE
Account IDs, Site IDs, Group IDs and Rule IDs are optional parameters to run this command.
Run the List Accounts command to obtain Account IDs. Account IDs can be found in the returned raw data at the path $.data[*].id.
Run the Get Sites command to obtain Site IDs. Site IDs can be found in the returned raw data at the path $.data.sites.id.
Run the Get Groups command to obtain Group IDs. Group IDs can be found in the returned raw data at the path $.data.id.
Run the Get Star Custom Rules to obtain Rule IDs. Rule IDs can be found in the returned raw data at the path $.data[*].id.
At least one parameter should be defined to filter.
Input
Input Parameter
Required/Optional
Description
Example
Account IDs
Optional
The account IDs to filter. Account IDs can be obtained using the List Accounts command.
["131********791"]
Site IDs
Optional
The site IDs to filter. Site IDs can be obtained using the Get Sites command.
["174********138"]
Group IDs
Optional
The group IDs to filter. Group IDs can be obtained using the Get Groups command.
["151********497"]
Rule IDs
Optional
The star custom rule IDs to filter. Rule IDs can be obtained using the Get Star Custom Rule command.
["174********364"]
Creator
Optional
The free-text filter by rule creator.
["w**"]
Name
Optional
The free-text filter by rule name.
["test"]
Status
Optional
The status of rules to filter. Available options includes Activating, Active, Deleted, Deleting, Disabled, Disabling and Draft.
["Active"]
Query
Optional
The free-text filter by S1 query.
["test"]
Query Type
Optional
The return rules with the filtered type. The available options are events and processes.
["events"]
Expired
Optional
Whether the rule is expired or not.
Not Expired
s1ql
Optional
The free-text filter by S1 query.
["AgentName IS NOT EMPTY"]
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Raw Data
The primary response data from the API request.
SAMPLE DATA
CODE
{
"data": {
"affected": 1
}
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Disable Star Custom Rules failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Could not find rule with id: {'id__in': xxx, 'scope_id__in': xxx}.
Error Sample Data
Disable Star Custom Rules failed.
Status Code: 404.
Message: Could not find rule with id: {'id__in': xxx, 'scope_id__in': xxx}.
Disconnect Agent From Network
Isolates (quarantines) endpoints from the network.
READER NOTE
The parameter Agent IDs is required to run this command.
Run the List Agents command to obtain Agent IDs. Agent IDs can be found in the raw data at the path $.data[*].id.
Input
Input Parameter
Required/Optional
Description
Example
Agent IDs
Optional
The IDs of the agents to disconnect from the network. Agent IDs can be obtained using the List Agents command.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Raw Data
The primary response data from the API request.
SAMPLE DATA
CODE
{
"data": {
"affected": 1
}
}
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"AffectedAgents": [
"1"
]
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Disconnect Agent From Network failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 401.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Authentication Failed.
Error Sample Data
Disconnect Agent From Network failed.
Status Code: 401.
Message: Authentication Failed.
Download Files
Downloads files from the management console.
READER NOTE
Agent ID and Command Batch UUIDs are required parametersto run this command.
Run the List Agents command to obtain Agent ID. Agent IDs can be found in the raw data at the path $.data[*].id.
Run the Collect Files command, the returned Command Batch UUIDs of the file can be used in the parameter. Command Batch UUIDs can be found in the raw data at the path $.data[*].data.commandBatchUuid.
Activity Created Time is an optional parameter to run this command.
Run the Collect Files command, the returned Create Time of the file can be used in this parameter. Create Time can be found in the raw data at the path $.data[*].createdAt.
Input
Input Parameter
Required/Optional
Description
Example
Agent ID
Required
The agent ID of the endpoint where the downloading files originate from. Agent ID can be obtained using the List Agents command.
138********274
Activity Created Time
Optional
The time to get activities created after this timestamp (UTC). Activity Created Time can use the returned Created Time of the Collect Files command.
2023-02-03 00:00
Command Batch UUIDs
Required
The Command Batch UUID(s) to filter files to download. Command Batch UUIDs can use the returned Command Batch UUID of the Collect Files command.
[ "ce1********276" ]
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Download Files failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 401.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Authentication Failed.
Error Sample Data
Download Files failed.
Status Code: 401.
Message: Authentication Failed.
Download Threat Files
Downloads threat files from the management console.
READER NOTE
Agent ID, Threat ID and Command Batch UUIDs are required parametersto run this command.
Run the List Agents command to obtain Agent ID. Agent IDs can be found in the raw data at the path $.data[*].id.
Run the Get Threat command to obtain Threat ID. Threat IDs can be found in the raw data at the path $.data[*].id.
Run the Collect Files command, the returned Command Batch UUIDs of the file can be used in the parameter. Command Batch UUIDs can be found in the raw data at the path $.data[*].data.commandBatchUuid.
Input
Input Parameter
Required/Optional
Description
Example
Agent ID
Required
The agent ID of the endpoint where the downloading threat files originate from. Agent ID can be obtained using the List Agents command.
139********432
Threat ID
Required
The ID(s) of the threat(s) to download threat files.Threat ID can be obtained using the Get Threat command.
174********856
Command Batch UUIDs
Required
The Command Batch UUID(s) to filter files to download. Command Batch UUID of the Collect Files command.
It is possible to use Command Batch UUID from Collect Files.
[ "e1f********e87" ]
Output
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Download Threat Files failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 401.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Authentication Failed.
Error Sample Data
Download Threat Files failed.
Status Code: 401.
Message: Authentication Failed.
Fetch Event
Returns Events(Threats or Alerts) from the platform based on specified criteria.
Input
Input Parameter
Required/Optional
Description
Example
Start Time
Required
The Start Time (in UTC Time) of the time range for fetching threats or alerts.
2021-08-01 00:00
End Time
Required
The End Time (in UTC Time) of the time range for fetching threats or alerts.
2022-09-14 00:00
Number of Event(s) Fetched
Optional
The number of the most recent Events(Threats or Alerts) to fetch. The valid value is from 1 to 1000. Up to 1000 events will be returned if not specified.
100
Search Condition
Optional
The query string to filter results. Please follow the following format: Parameter1=Value1a,Value1b=Value2=Value3… Please refer to https://usea1-partners.sentinelone.net/api-doc/api-details?category=threats=get-threats for the available parameters that can be used in the query string. Note: Do not use the createdAt__gte, createdAt__lt and limit fields as they are already defined by the Start Time, End Time, and Top Recent Event Number input parameters respectively.
computerName__contains=DESKTOP-H****D3
Sort By
Optional
The column to be sorted for the results. The available options are Created At, Updated At and ID. The default value of this field is Created At.
Created At
Direction
Optional
The results sorted in ascending or descending order. The default value is Descending.
Descending
Event Source
Optional
The type of events (i.e., Threat or Alert) to fetch. If this parameter is not defined, the default value is Threat.
Alert
Output
Return Data
Indicates one of the possible command execution states: Successful, Successful with No Event Data, or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"EventIDs": [
"134********034"
]
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Fetch Event Field Mapping
Please note that Fetch Event commands require event field mapping. Field mapping plays a key role in the data normalization process part of the event pipeline. Field mapping converts the original data fields from the different providers to the D3 fields which are standardized by the D3 Model. Please refer to Event and Incident Intake Field Mapping for details.
If you require a custom field mapping, click +Add Field to add a custom field mapping. You can also remove built-in field mappings by clicking x. Please note that two underscore characters will automatically prefix the defined Field Name as the System Name for a custom field mapping. Additionally, if an input Field Name contains any spaces, they will automatically be replaced with underscores for the corresponding System Name.
The SentinelOne integration in D3 SOAR has some pre-configured field mappings for the Threat and Alert, which correspond to the Default Event Source and Event Source for Alert mappings:
Default Event Source Configures the field mapping which are specific to the threat-related events. If a source field in the field mapping is not found, the corresponding field mapping will be ignored. The default event source has a “Main Event JSON Path” (i.e., $.data) that is used to extract a batch of events from the response raw data. Click Edit Event Source to view the “Main Event JSON Path”.
Main Event JSON Path: $.data The Main Event JSON Path determines the root path where the system starts parsing raw response data into D3 event data. The JSON path begins with $, representing the root element. The path is formed by appending a sequence of child elements to $, each separated by a dot (.). Square brackets with nested quotation marks ([‘...’]) should be used to separate child elements in JSON arrays.
For example, the root node of a JSON Path is data. The child node denoting the Document ID field would be id. Putting it together, the JSON Path expression to extract the Document ID is $.data.id.
Event Source for Alert
Configures the field mapping which are specific to the alert-related events. If a source field in the field mapping is not found, the corresponding field mapping will be ignored. As the data of the alert-related events have a character that the value of the Type field is Alert, the alert-related events can be defined by the Search String: {$.Type}=Alert. Click Edit Event Source to view the Search String.
The pre-configured field mappings are detailed below:
Event Source for Alert (Search String: {{$.Type}=Alert)
The search string format is {jsonpath}=value. If the value of the Type key is Alert in the event object under raw data, then the alert-related events will use the field mapping below.
Document ID
.alertInfo.alertId
AccountID
.agentDetectionInfo.accountId
SiteID
.agentDetectionInfo.siteId
Hostname
.agentDetectionInfo.name
Event Type
.alertInfo.eventType
Description
.alertInfo.indicatorDescription
Start Time
.alertInfo.createdAt
Operating System
.agentDetectionInfo.osName
Agent ID
.agentRealtimeInfo.id
Status
.alertInfo.incidentStatus
Analyst Verdict
.alertInfo.analystVerdict
Source
.alertInfo.source
Rule name
.ruleInfo.name
Severity
.ruleInfo.severity
Storyline
.storyline
Process Name
.sourceProcessInfo.name
Process ID
.sourceProcessInfo.pid
Process file path
.sourceProcessInfo.filePath
Process hashes MD5
.sourceProcessInfo.fileHashMd5
Process hashes SHA1
.sourceProcessInfo.fileHashSha1
Process hashes SHA256
.sourceProcessInfo.fileHashSha256
Parent process name
.sourceParentProcessInfo.name
Parent process ID
.sourceParentProcessInfo.pid
Parent process image path
.sourceParentProcessInfo.filePath
Parent Process Hash MD5
.sourceParentProcessInfo.fileHashMd5
Parent Process Hash SHA1
.sourceParentProcessInfo.fileHashSha1
Parent Process Hash SHA256
.sourceParentProcessInfo.fileHashSha256
Target process name
.targetProcessInfo.tgtProcName
Target process ID
.targetProcessInfo.tgtProcPid
Target Process File Path
.targetProcessInfo.tgtFilePath
Target Process Hash SHA1
.targetProcessInfo.tgtFileHashSha1
Target Process Hash SHA256
.targetProcessInfo.tgtFileHashSha256
Target image
.targetProcessInfo.tgtProcImagePath
Process command line
.sourceProcessInfo.commandline
Parent process commandline
.sourceParentProcessInfo.commandline
Target Process Commandline
.targetProcessInfo.tgtProcCmdLine
Source IP address
.alertInfo.srcIp
Source port
.alertInfo.srcPort
Destination IP address
.alertInfo.dstIp
Destination port
.alertInfo.dstPort
Module image path
.alertInfo.modulePath
Module Hash SHA1
.alertInfo.moduleSha1
Login User Name
.alertInfo.loginsUserName
Login Account Domain
.alertInfo.loginAccountDomain
DV Event ID
.alertInfo.dvEventId
Indicator Category
.alertInfo.indicatorCategory
Indicator Name
.alertInfo.indicatorName
Host Is Infected
.agentRealtimeInfo.infected
Host Is Active
.agentRealtimeInfo.isActive
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Fetch Event failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: dict_values(['xxx']): Unknown field.
Error Sample Data
Fetch Event failed.
Status Code: 400.
Message: dict_values(['xxx']): Unknown field.
Fetch Files
Retrieves files from endpoints to analyze the root of threats, accommodating up to 10 MB for each instance of running the command. Due to network issues or endpoint connection problems, it might prolong the file upload process from the agent to Sentinel One management console. To avoid command timeout, use the Collect Files and Download Files commands instead.
READER NOTE
Agent ID is a required parameterto run this command.
Run the List Agents command to obtain Agent ID. Agent IDs can be found in the raw data at the path $.data[*].id.
Input
Input Parameter
Required/Optional
Description
Example
Agent ID
Required
The Agent ID for fetching files. Agent ID can be obtained using the List Agents command.
134********951
Files Path
Required
The list of file path(s) to fetch files from.
[ "C:\\NPPSpy.txt" ]
Password
Required
The new password for the archive of downloaded files. The password must have 10 or more characters with a mix of upper and lower case letters, numbers and symbols.
MySecret******!
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Fetch Files failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.
Error Sample Data
Fetch Files failed.
Status Code: 404.
Message: The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.
Fetch Threat File
Fetches file(s) associated with the specified threat(s) by threat ID(s).
READER NOTE
The parameter Threat IDs is required to run this command.
Run the Get Threat command to obtain Threat ID. Threat IDs can be found in the raw data at the path $.data[*].id.
Input
Input Parameter
Required/Optional
Description
Example
Threat IDs
Required
The ID(s) of the threats for fetching threat files. Threat IDs can be obtained using the Get Threat command.
["174********856"]
Password
Required
The new password, which you will use to open the archive of downloaded files. The password must be 10 or more characters with a mix of upper and lower case letters, numbers, and symbols.
MySecret******!
Output
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Fetch Threat File failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 502.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: All fetching threat file requests failed. Please refer to D3Errors in Raw Data for more details.
Error Sample Data
Fetch Threat File failed.
Status Code: 502.
Message: All fetching threat file requests failed. Please refer to D3Errors in Raw Data for more details.
Get Account Policy
Retrieves the policy for the Account given by ID.
READER NOTE
Account ID is a required parameter to run this command.
Run the List Accounts command to obtain Account ID. Account IDs can be found in the returned raw data at the path $.data[*].id.
Input
Input Parameter
Required/Optional
Description
Example
Account ID
Required
The Account ID which account policy is to be retrieved. Account ID can be obtained using the List Accounts command.
131********791
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Account Policy failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: The account with ID xxx is not found.
Error Sample Data
Get Account Policy failed.
Status Code: 404.
Message: The account with ID xxx is not found.
Get Activities
Retrieves activities and their respective data matching the specified filters. The activities are sorted by creation time in descending order.
The limit number of returned items (0-1000). If you want to retrieve all activities matching filters, please set the limit to 0. If not specified, the default value is 10.
100
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Raw Data
The primary response data from the API request.
SAMPLE DATA
CODE
{
"data": [
{
"accountId": "131********791",
"accountName": "D3 Security",
"activityType": 71,
"activityUuid": "71c********1b8",
"agentId": "138********274",
"agentUpdatedVersion": null,
"comments": null,
"createdAt": "2022-03-25T00:09:22.101018Z",
"data": {
"accountName": "D3 Security",
"computerName": "DESKTOP-3****07",
"externalIp": "216.251.***.***",
"fullScopeDetails": "Group Default Group in Site Default site of Account D3 Security",
"fullScopeDetailsPath": "Global / D3 Security / Default site / Default Group",
"groupName": "Default Group",
"scopeLevel": "Group",
"scopeName": "Default Group",
"siteName": "Default site",
"system": true,
"username": null,
"uuid": "b67********d3a"
},
"description": null,
"groupId": "131********617",
"groupName": "Default Group",
"hash": null,
"id": "138********205",
"osFamily": null,
"primaryDescription": "System initiated a full disk scan to the agent: DESKTOP-3****07 (216.251.***.***).",
"secondaryDescription": null,
"siteId": "131********008",
"siteName": "Default site",
"threatId": null,
"updatedAt": "2022-03-25T00:09:22.101022Z",
"userId": null
},
{
"accountId": "131********791",
"accountName": "D3 Security",
"activityType": 17,
"activityUuid": "699********2fd",
"agentId": "138********274",
"agentUpdatedVersion": null,
"comments": null,
"createdAt": "2022-03-25T00:09:22.103082Z",
"data": {
"accountName": "D3 Security",
"computerName": "DESKTOP-3****07",
"fullScopeDetails": "Group Default Group in Site Default site of Account D3 Security",
"fullScopeDetailsPath": "Global / D3 Security / Default site / Default Group",
"group": "Default Group",
"groupName": "Default Group",
"optionalGroups": [],
"siteName": "Default site"
},
"description": null,
"groupId": "131********617",
"groupName": "Default Group",
"hash": null,
"id": "138********424",
"osFamily": null,
"primaryDescription": "DESKTOP-3****07 subscribed and joined the group Default Group of site Default site.",
"secondaryDescription": "",
"siteId": "131********008",
"siteName": "Default site",
"threatId": null,
"updatedAt": "2022-03-25T00:09:21.996724Z",
"userId": null
}
],
"pagination": {
"nextCursor": "eyJ***********************yJ9",
"totalItems": 734
}
}
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting $.data path from the returned raw data.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
CODE
No Sample Data
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Activities failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: User has insufficient permissions to perform the requested action.
Error Sample Data
Get Activities failed.
Status Code: 403.
Message: User has insufficient permissions to perform the requested action.
Get Agent Applications
Retrieves the installed applications for the specific Agents by their agent IDs.
READER NOTE
The parameter Agent IDs is required to run this command.
Run the List Agents command to obtain Agent IDs. Agent IDs can be found in raw data at the path $.data[*].id.
Input
Input Parameter
Required/Optional
Description
Example
Agent IDs
Required
The IDs of the agents to retrieve installed applications. Agent IDs can be obtained using the List Agents command.
["134********951", "134********111"]
Output
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the $.data path from the returned raw data.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Agent Applications failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Unauthorized access.
Error Sample Data
Get Agent Applications failed.
Status Code: 403.
Message: Unauthorized access.
Get Agent Info
Retrieves information of agents based on the specified Agent IDs.
READER NOTE
The parameter Agent IDs is required to run this command.
Run the List Agents command to obtain Agent IDs. Agent IDs can be found in the raw data at the path $.data[*].id.
Input
Input Parameter
Required/Optional
Description
Example
Agent IDs
Required
The IDs of the agents to return. Agent IDs can be obtained using the List Agents command.
[ "134********951", "134********111" ]
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the $.data path from the returned raw data.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Agent Info failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Invalid user input received.
Error Sample Data
Get Agent Info failed.
Status Code: 400.
Message: Invalid user input received.
Get Agent Process
Starts a Deep Visibility Query and retrieves events.
READER NOTE
Deep Visibility has limits for different accounts. The current trial account currently retains data for 14 days. If you see errors returned for your search period, contact SentineOne support to increase the data retention period if required.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the $.data path from the returned raw data.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"Process IDs": [
"736********624"
]
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Agent Process failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Deep Visibility currently retains data for 14 days, to increase your data retention, please contact S1.
Error Sample Data
Get Agent Process failed.
Status Code: 400.
Message: Deep Visibility currently retains data for 14 days, to increase your data retention, please contact S1.
Get Alerts
Retrieves a list of alerts based on filter parameters.
READER NOTE
Site IDs and Endpoint Names are optional parameters to run this command.
Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.
Run the List Agents command to obtain Endpoint Names. Endpoint Names can be found in the raw data at the path $.data[*].computerName.
If you want to view alert related threats, you can use the Get Threat command with Storyline IDs obtained from this command as input parameter. Storyline IDs can be found in the raw data at the path $.data[*].sourceProcessInfo.storyline.
If your inputs are invalid, the command will return success with no result.
Input
Input Parameter
Required/Optional
Description
Example
Created After
Optional
Returns alerts which were created after or at this time.
2023-08-11 00:00
Created Before
Optional
Returns alerts which were created before or at this time.
2023-08-11 00:00
Incident Statuses
Optional
Filter alerts by incident status. The available statuses are RESOLVED, UNRESOLVED and IN_PROGRESS
[ "IN_PROGRESS" ]
Analyst Verdicts
Optional
Filter alerts by analyst verdict. The available analyst verdicts are FALSE_POSITIVE,TRUE_POSITIVE,SUSPICIOUS and UNDEFINED.
[ "SUSPICIOUS", "UNDEFINED" ]
Site IDs
Optional
List of Site IDs to filter by. You can get Site ID with Get Sites command.
[ "138********161" ]
Rule Names
Optional
Free-text filter by rule name. You can enter multiple rule names.
[ "Test rule", "testrule1" ]
Endpoint Names
Optional
Free-text filter by agent name. You can get Endpoint Name with List Agents command.
[ "lab3-***" ]
Severity
Optional
Filters by severity. Options are Critical, High, Medium and Low.
High
Query
Optional
Full text search for all fields. For example, you can query an artifact value, such as hash, process name, IP or URL etc. Or you can query a storyline ID.
[ "2d7********c1a" ]
Limit
Optional
Limit number of returned alerts. The valid value is an integer between 0 and 1000. If not specified, the default limit is 1000. If you want all alerts matching search criteria to be returned, please set limit to 0.
10
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Alerts failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Unauthorized access.
Error Sample Data
Get Alerts failed.
Status Code: 403.
Message: Unauthorized access.
Get Black List
Retrieves item(s) from the blacklist.
Input
Input Parameter
Required/Optional
Description
Example
Limit
Optional
Sets the maximum number of items to return (between 1 to 1000). Up to 1000 blacklists will be returned if you leave this field empty.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the $.data path from the returned raw data.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Black List failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: The value for parameter (Custom Input) is invalid.
Error Sample Data
Get Black List failed.
Status Code: 400.
Message: The value for parameter (Custom Input) is invalid.
Get Events by Query ID and Type
Retrieves Deep Visibility events from the specified Query ID and/or Event Type.
READER NOTE
Query ID is a required parameterto run this command.
Run the Create Query command to obtain the Query ID. Query IDs can be found in the raw data at the path $.data.queryId.
Please note that only the query IDs under the created account can be used here. Which means query ID under account1 cannot be retrieved with this command under account2. No matter what the scopes are for those accounts.
Input
Input Parameter
Required/Optional
Description
Example
Query ID
Required
The Query ID of the query to retrieve events. Query ID can be obtained using the Create Query command.
qe1********bed
Event Type
Optional
The type of event to return. The valid event types are: DNS, Events, File, IP, Logins, Process, Registry, Scheduled Task and URL.
Events
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the $.data path from the returned raw data.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Events by Query ID and Type failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Bad Request: ['Invalid query ID'].
Error Sample Data
Get Events by Query ID and Type failed.
Status Code: 400.
Message: Bad Request: ['Invalid query ID'].
Get Exclusions
Retrieves a list of all the Exclusions that match the filter.
READER NOTE
Account IDs, Site IDs, Group IDs and Exclusion IDs are optional parameters to run this command.
Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.
Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.
Run the Get Groups command to obtain Group IDs. Group IDs can be found in the raw data at the path $.data.id.
Input
Input Parameter
Required/Optional
Description
Example
Type
Optional
The exclusion item type.
Path
Operation System
Optional
The operation system to filter.
Linux
Account IDs
Optional
The account IDs to filter. Account IDs can be obtained using the List Accounts command.
["131********791"]
Site IDs
Optional
The site IDs to filter. Site IDs can be obtained using the Get Sites command.
["174********138"]
Group IDs
Optional
The group IDs to filter. Group IDs can be obtained using the Get Groups command.
["151********497"]
Exclusion IDs
Optional
The exclusion IDs to filter.
["174********364"]
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Exclusions failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: groupIds: 0: Not a valid Identifier.
Error Sample Data
Get Exclusions failed.
Status Code: 400.
Message: groupIds: 0: Not a valid Identifier.
Get Global Policy
Get the Global policy. This is the default policy for your deployment.
Input
N/A
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Global Policy failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Unauthorized access.
Error Sample Data
Get Global Policy failed.
Status Code: 403.
Message: Unauthorized access.
Get Groups
Retrieves data from groups of the specified site IDs.
READER NOTE
The parameter Site IDs is required to run this command.
Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.
Input
Input Parameter
Required/Optional
Description
Example
Site IDs
Required
The ID(s) of sites to retrieve groups from. Site IDs can be obtained using the Get Sites command.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Raw Data
The primary response data from the API request.
SAMPLE DATA
CODE
{
"data": {
"affected": 1
}
}
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the $.data path from the returned raw data.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Groups failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Not a valid Identifier.
Error Sample Data
Get Groups failed.
Status Code: 400.
Message: Not a valid Identifier.
Get Hash Reputations
Retrieves the hash reputation of an input SHA-1 value.
READER NOTE
The parameter File Hashes is required to run this command.
Run the Fetch Event command to obtain File Hashes. File Hashes can be found in the raw data at the path $.data[*].threatInfo.sha1.
If the hash is invalid/not found, it could return success with no result
Input
Input Parameter
Required/Optional
Description
Example
File Hashes
Required
The SHA1 value of the file content hash. File Hashes can be obtained using the Fetch Event command.
[ "a6d********d00" ]
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Raw Data
The primary response data from the API request.
SAMPLE DATA
CODE
{
"data": {
"rank": "10"
}
}
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"Ranks": [
"10"
]
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Hash Reputations failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Unauthorized access.
Error Sample Data
Get Hash Reputations failed.
Status Code: 403.
Message: Unauthorized access.
Get Query Status
Retrieves that status of a Deep Visibility Query.
READER NOTE
Query ID is a required parameterto run this command.
Run the Create Query command to obtain the Query ID. Query IDs can be found in the raw data at the path $.data.queryId.
Input
Input Parameter
Required/Optional
Description
Example
Query ID
Required
The Query ID obtained when creating a query. Query ID can be obtained using the Create Query command.
q5b************069
Output
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Query Status failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Bad Request: ['Invalid query ID'].
Error Sample Data
Get Query Status failed.
Status Code: 400.
Message: Bad Request: ['Invalid query ID'].
Get Script Results
Retrieves script result URLs. One of the Task IDs or Computer Names parameters must be defined. Note: Only one input parameter can be used to filter results for an instance of running the command.
READER NOTE
The parameter Task IDs is optional to run this command.
Run the Get Script Task Status command to obtain Task IDs. Task IDs can be found in the raw data at the path $.data[*].id.
To run the Run Script command, the specified Computer Names must be included. Simply put this information in the Filter parameter, and then execute the Run Script command.
Please note that not all scripts are guaranteed to produce results. If your input Task IDs do not yield any results, D3 will return “Success” but with no returned data.
Input
Input Parameter
Required/Optional
Description
Example
Task IDs
Optional
The list of Task IDs to retrieve a download link for. Task IDs can be obtained using the Get Script Task Status command.
[ ***** ]
Computer Names
Optional
The list of computer names (partial or whole) to retrieve a download link. The computers listed should have run scripts prior.
[ "DESKTOP-*****" ]
Output
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Script Results failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: The value for parameter (Task IDs) is invalid.
Error Sample Data
Get Script Results failed.
Status Code: 400.
Message: The value for parameter (Task IDs) is invalid.
Get Scripts
Retrieves data of the scripts in the SentinelOne Script Library. If you don’t have global scope permission, you can only access the scripts of your specific scope.
READER NOTE
Account IDs and Site IDs are optional parameters to run this command.
Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.
Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.
Retrieve data from the scripts in the SentinelOne Script Library. If you lack global scope permission, you will only have access to scripts within your specific scope. Navigate to view scope by clicking Global Scope>Account Scope>Site Scope.
Users with lower scope permissions cannot view scripts under higher scopes, resulting in limited script visibility. To determine the scope of the account your connector is using, click on the user to view details.
For example, if a user is under the “D3 Security” account scope, they can retrieve all scripts within that account by entering D3 Security’s account ID in the Account IDs parameter. If this parameter is left empty, it will automatically fetch all scripts under the “D3 Security” account.
In this scenario, if you input site IDs within the same account (they must be from within the account and not from another account), it will fetch all scripts specific to those sites, resulting in fewer scripts compared to the entire account.
Input
Input Parameter
Required/Optional
Description
Example
Account IDs
Optional
The list of Account IDs to filter by. Account ID can be obtained using the List Accounts command.
[ "*****" ]
Site IDs
Optional
The list of Site IDs to filter by. Site IDs can be obtained using the Get Sites command.
[ "*****" ]
Script Type
Optional
The script type to filter by. If not specified, scripts of all script types will be returned.
Action
OS Type
Optional
The operating system type to filter by. If not specified, scripts of all OS types will be returned.
Windows
Query
Optional
The full or partial script name to filter by.
testscript0427
Limit
Optional
The limit number of returned items, the available value is an integer between 1 and 1000. If not specified, the default value is 10.
10
Output
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Scripts failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: accountIds: 0: Not a valid Identifier.
Error Sample Data
Get Scripts failed.
Status Code: 400.
Message: accountIds: 0: Not a valid Identifier.
Get Script Task Status
Retrieves remote script tasks based on the specified filters.
READER NOTE
The parameter Parent Task IDs is required to run this command.
Run the Run Script command to obtain Parent Task IDs. Parent Task IDs can be found in the raw data at the path $.data.parentTaskId.
If you run this command and see a value in the "nextcursor" field of the returned raw data, you can use that value in the Next Page parameter to retrieve the data on the next page.
Input
Input Parameter
Required/Optional
Description
Example
Parent Task IDs
Required
The list of Parent Task IDs to filter by. Parent Task IDs can be obtained using the Run Script command.
["*****"]
Computer Name Contains
Optional
The free-text filter by agent computer names. Multiple values are supported.
["DESKTOP", "AWS"]
Updated After
Optional
The filter to return tasks that were updated after the specified time.
2022-09-27 00:00
Updated Before
Optional
The filter to return tasks that were updated before the specified time.
2022-09-28 00:00
Output
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Script Task Status failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Unauthorized access.
Error Sample Data
Get Script Task Status failed.
Status Code: 403.
Message: Unauthorized access.
Get Sites
Retrieves sites of the specified criteria.
READER NOTE
The parameter Account IDs is optional to run this command.
Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.
If you run this command and see "nextcursor" field has value in the returned raw data, it can be used in the Next Page parameter to get the data in next page.
Input
Input Parameter
Required/Optional
Description
Example
Site IDs
Optional
The list of Site IDs to filter sites.
[
"*****",
"*****"
]
Account IDs
Optional
The list of Account IDs to filter sites. Account IDs can be obtained using the List Accounts command.
[
"*****",
"
info
*****"
]
Query
Optional
The query string for full-text search of fields. The available fields are name, account_name and description.
name
State
Optional
The state (i.e. active, deleted, or expired) of the sites to filter results.
Active
Limit
Optional
The maximum number of results to return (between 1-1000). Up to 1000 results will be returned if you leave this field empty.
100
Offset
Optional
The number up to which result to skip. For example, if the defined value is 50, results from 1 to 50 will be skipped. To skip more than 1000 results, use the Next Page input parameter.
1
Sort By
Optional
The column (if selected) to sort results by. Available inputs are activeLicenses, createdAt, expiration, siteType, sku, id, state, suite, totalLicenses and updatedAt.
Create At
Direction
Optional
The results sorted in ascending or descending order. The default value is Ascending.
Ascending
Next Page
Optional
The pagination through collections of data by setting the parameter with the nextCursor attribute returned by a previous request's response metadata.
*****
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Sites failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: accountIds: 0: Not a valid Identifier.
Error Sample Data
Get Sites failed.
Status Code: 400.
Message: accountIds: 0: Not a valid Identifier.
Get Star Custom Rules
Retrieves a list of star custom rules for a given scope.
READER NOTE
Account IDs, Site IDs, Group IDs are optional parameters to run this command.
Run the List Accounts command to obtain Account IDs. Account IDs can be found in the raw data at the path $.data[*].id.
Run the Get Sites command to obtain Site IDs. Site IDs can be found in the raw data at the path $.data.sites.id.
Run the Get Groups command to obtain Group IDs. Group IDs can be found in the raw data at the path $.data.id.
Input
Input Parameter
Required/Optional
Description
Example
Account IDs
Optional
The account IDs to filter. Account IDs can be obtained using the List Accounts command.
["*****"]
Site IDs
Optional
The site IDs to filter. Site IDs can be obtained using the Get Sites command.
["*****"]
Group IDs
Optional
The group IDs to filter. Group IDs can be obtained using the Get Groups command.
["*****"]
Rule IDs
Optional
The star custom rule IDs to filter.
["*****"]
Creator
Optional
The free-text filtered by rule creator.
[ "*****" ]
Name
Optional
The free-text filtered by rule name.
[ "test" ]
Status
Optional
The status of rules to filter. Available options include Activating, Active, Deleted, Deleting, Disabled, Disabling and Draft.
[ "Active" ]
Query
Optional
The free-text filtered by S1 query.
[ "test" ]
Query Type
Optional
The return rules filter by type. The available options are Events and Processes.
[ "events" ]
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Star Custom Rules failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: accountIds: 0: Not a valid Identifier.
Error Sample Data
Get Star Custom Rules failed.
Status Code: 400.
Message: accountIds: 0: Not a valid Identifier.
Get System Info
Retrieves the console build, version, patch, and release information.
Input
N/A
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"Version": "32",
"LatestAgentVersion": "22.3"
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get System Info failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Unauthorized access.
Error Sample Data
Get System Info failed.
Status Code: 403.
Message: Unauthorized access.
Get System Status
Retrieves an indication of the system's health status.
Input
N/A
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Raw Data
The primary response data from the API request.
SAMPLE DATA
JSON
{
"data": {
"health": "ok"
}
}
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"HealthStatus": "ok"
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get System Status failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Unauthorized access.
Error Sample Data
Get System Status failed.
Status Code: 403.
Message: Unauthorized access.
Get Threat
Returns a list of threats matching the specified criteria. The threats will be listed in ascending order (from oldest to latest).
READER NOTE
The parameter Storylines is an optional parameter to run this command.
Run the Get Alerts command to obtain Storylines. Storylines can be found in the raw data at the path $.data[*].sourceProcessInfo.storyline.
To view threats related to an alert, use the Get Threat command with Storylines obtained from this command as the input parameter.
Input
Input Parameter
Required/Optional
Description
Example
Limit
Optional
The maximum number of returned items (between 1-1000). Up to 1000 threats will be returned if you leave this field empty.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Threat failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Insufficient permissions.
Error Sample Data
Get Threat failed.
Status Code: 403.
Message: Insufficient permissions.
Get Threat Analysis
Retrieves detailed threat analysis information of a specified threat. Note: This command will only work with a private API connection.
READER NOTE
Threat ID is a required parameterto run this command.
Run the Get Threat command to obtain Threat ID. Threat IDs can be found in the raw data at the path $.data[*].id.
Input
Input Parameter
Required/Optional
Description
Example
Threat ID
Required
The Threat ID to retrieve the corresponding threat analysis information. Threat ID can be obtained using the Get Threat command.
*****
Components
Optional
The threat components to return. If this parameter is not defined, all components will be returned. The available modules are agentDetectionInfo, agentRealtimeInfo, containerInfo, customDetectionRules, indicators, kubernetesInfo, mitigationStatus, threatInfo or whiteningOptions.
[
"threatInfo",
"indicators"
]
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Threat Analysis failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Threat ID xxx was not found.
Error Sample Data
Get Threat Analysis failed.
Status Code: 404.
Message: Threat ID xxx was not found.
Get Threat Events
Retrieves events of a specified Threat ID and filters results based on the specified criteria.
READER NOTE
Threat ID is a required parameterto run this command.
Run the Fetch Event command to obtain Threat ID. Choose the Event Source parameter to Threat. Threat ID is the threat event id, which can be found in the raw data at the path $.id.
You should not use the Get Threat command since not all threats are events. If you use the not event threat ID, then this command will return success with no result.
Process Name is an optional parameter to run this command.
Get Threat Events command to obtain Process Name. Process Names can be found in the raw data at the path $.data[*].processName.
If you run this command and get "nextCursor" field in the returned raw data, you may use the value to input in the NextPage parameter to obtain the next page data
Input
Input Parameter
Required/Optional
Description
Example
Threat ID
Required
The Threat ID to retrieve events from. Threat ID can be obtained using the Fetch Event command.
*****
Use Private Call
Optional
The command will retrieve events using a private API (True) or public API (False).
True
Event ID
Optional
The Event ID (Process Unique Key) to filter events.
*****
Event Types
Optional
The event types available options include: events, dns, logins, module, registry, url, scheduled_task, process, file, indicators and ip to filter events. Please note that this field is case sensitive, only lowercase can be accepted. Event Types can be obtained using the Get Threat Events command with the Event ID parameter left empty. After running the command, the EventTypes can be found in the raw data at the path $.data[*].objectType.
[
"events",
"file",
"ip",
"process"
]
Event Sub Types
Optional
The event subtypes to filter events. Event Sub Types can be obtained using the Get Threat Events command from the Key Fields. The possible inputs are categorized as the subtypes of files below: FILEDELETION, FILEMODIFICATION, FILECREATION, FILERENAME, FILESCAN. Subtypes of processes: PROCESSCREATION, PROCESSMODIFICATION, PROCESSTERMINATION. Subtypes of IPs: TCPV4, TCPV4LISTEN, TCPV6, TCPV6LISTEN. Subtypes of indicators: BEHAVIORALINDICATORS. Subtypes of logins: LOGIN, LOGOUT. Subtypes of module: MODULE. Subtypes of DNS: DNS. Subtypes of URL: HTTP. Subtypes of registry: REGISTRYACTION, REGKEYCREATE, REGKEYDELETE, REGKEYEXPORT, REGKEYIMPORT, REGKEYRENAME, REGKEYSECURITYCHANGED, REGVALUECREATE, REGVALUEMODIFIED. Subtypes of scheduled_task: SCHEDTASKDELETE, SCHEDTASKREGISTER, SCHEDTASKSTART, SCHEDTASKTRIGGER, SCHEDTASKUPDATE. Please note that this field is case sensitive, only uppercase letters are valid.
[
"FILEDELETION",
"FILEMODIFICATION"
]
Process Name
Optional
The process name (partial or whole) to filter events.
conhost.exe
Count Only
Optional
The total count of events in the returned Raw Data under the key "totalItems", if True is selected. The default value is False.
False
Skip Count
Optional
The selection of True will skip the total event count function to reduce the running time of the command. If True is selected in this parameter, the "totalItems" in returned Raw Data will be 0. The default value is False.
False
Limit
Optional
The maximum number of events to return (between 1 to 1000). Up to 1000 results will be returned if this field is left empty.
100
Offset
Optional
The number up to which results to skip. To skip more than 1000 results, use the Next Page input parameter.
1
Sort By
Optional
The column selected and used to sort results.
Create At
Direction
Optional
The results sorted in ascending or descending order. The default value is Ascending.
Ascending
Next Page
Optional
The pagination through collections of data by setting the parameter with the nextCursor attribute returned by a previous request's response_metadata.
*****
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Threat Events failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Threat ID xxx not found.
Error Sample Data
Get Threat Events failed.
Status Code: 404.
Message: Threat ID xxx not found.
Initiate Scan
Initiates a Full Disk Scan on Agents that match the specified filters. Full Disk Scan finds dormant suspicious activity, threats, and compliance violations in the local file system, that are then mitigated according to the policy. If both optional input parameters are not defined, all Agents will be scanned.
READER NOTE
The parameter Agent IDs is optional to run this command.
Run the List Agent command to obtain Agent IDs. Agent IDs can be found in the raw data at the path $.data[*].id.
Input
Input Parameter
Required/Optional
Description
Example
Agent IDs
Optional
The IDs of the agents to scan. Agent ID can be obtained using the List Agent command.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Raw Data
The primary response data from the API request.
SAMPLE DATA
JSON
{
"data": {
"affected": 1
}
}
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"AffectedAgents": 1
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
data
{'affected': 1}
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Initiate Scan failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 401.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Authentication Failed.
Error Sample Data
Initiate Scan failed.
Status Code: 401.
Message: Authentication Failed.
Kill Processes
Stops all processes related to the threat(s) matching filter on the specified host(s).
READER NOTE
The parameter Threat IDs is optional to run this command.
Run the Get Threat command to obtain Threat IDs. Threat IDs can be found in the raw data at the path $.data[*].id.
Input
Input Parameter
Required/Optional
Description
Example
Computer Names
Required
The name(s) of the computer(s) on which the processes are killed.
[ "lab3-pc1" ]
Originated Process Names
Optional
The originated process name(s) of the threat(s) whose processes will be killed.
[ "svchost.exe" ]
Threat IDs
Optional
The ID(s) of the threat(s) whose processes will be killed. Threat IDs can be obtained using the Get Threat command.
[ "*****" ]
File Paths
Optional
The file path(s) to search.
[ "\***\***\***\***\***.exe" ]
Content Hashes
Optional
The SHA-1 Hash value(s) to search.
[ "*****" ]
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Kill Processes failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 401.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: UNAUTHORIZED. Please check D3Error object in RawData for more details.
Error Sample Data
Kill Processes failed.
Status Code: 401.
Message: UNAUTHORIZED. Please check D3Error object in RawData for more details.
List Accounts
Retrieves a list of accounts that match the specified filter.
READER NOTE
If you run this command and see "nextcursor" field has value in the returned raw data, it can be used in the Next Page parameter to get the data in next page.
Input
Input Parameter
Required/Optional
Description
Example
Account IDs
Optional
The account ID(s) to filter the results.
[
"*****",
"*****"
]
Name
Optional
The string to apply a full-text search of account names (full or partial names).
D3 Security
State
Optional
The accounts filtered by state.
[ Active ]
Limit
Optional
The maximum number of returned results (between 1-1000). Up to 1000 results will be returned if this field is left empty.
100
Offset
Optional
The number up to which result to skip. For example, if the defined value is 50, results from 1 to 50 will be skipped. To skip more than 1000 results, use the Next Page input parameter.
1
Sort By
Optional
The column to sort results by. Available options are Creation Time, Update Time, Account ID, Name, State and Usage Type.
Creation Time
Direction
Optional
The results sorted in ascending or descending order. The default value is Ascending.
Ascending
Next Page
Optional
The pagination through collections of data by setting the parameter with the nextCursor attribute returned by a previous request's response metadata.
*****
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
List Accounts failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Invalid user input received.
Error Sample Data
List Accounts failed.
Status Code: 400.
Message: Invalid user input received.
List Agents
Retrieves a list of agents that match the specified filter.
Input
Input Parameter
Required/Optional
Description
Example
Computer Name
Optional
The computer name of the agent to list. Both partial and full names are accepted.
DESKTOP-*****
Query
Optional
The free-text search term, will match applicable attributes including agentVersion, domain, externalIp, gatewayIp, inet, inet6, physical, lastLoggedInUserName, machineType,uuid, osType, osName.
***.***.***.***
Limit
Optional
The number of agents matching the query condition (between 1-1000) to return. Up to 1000 agents will be listed if you leave this field empty.
10
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customized the Context Data by extracting the $.data path from the returned raw data.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
List Agents failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Invalid user input received.
Error Sample Data
List Agents failed.
Status Code: 400.
Message: Invalid user input received.
List IOCs
Retrieves the IOCs of a specified account that match the filter.
READER NOTE
The parameter Account IDs is required to run this command.
Run the List Accounts command to obtain Account IDs. Account IDs can be found in the returned raw data at the path $.data[*].id.
Input
Input Parameter
Required/Optional
Description
Example
Account IDs
Required
The account IDs to filter. Account IDs can be obtained using the List Accounts command.
[ "*****" ]
IOC Names
Optional
The free-text filtered by the Indicator name (which supports multiple values).
[ "foo.dll" ]
IOC Value
Optional
The value of the Threat Intelligence indicator.
***.***.***.***
Type
Optional
The type of the Threat Intelligence indicator. The available types include: IPv4, IPv6, MD5, SHA1, SHA256, URL and DNS.
IPv4
Source
Optional
The list of the sources of the identified Threat Intelligence indicator.
AlienVault
Categories
Optional
The categories of the Threat Intelligence indicator.
[ "the malware type associated with the IOC" ]
Description
Optional
The free-text filtered by the description of the indicator (which supports multiple values).
[ "Malicious-activity" ]
Creator
Optional
The free-text filtered by the user that uploaded the Threat Intelligence indicator (which supports multiple values).
The creation time set by the user after or equal to the specified timestamp.
2022-03-20 00:00
Created Before
Optional
The creation time set by the user before or equal to the specified timestamp.
2022-03-21 00:00
Updated After
Optional
The time at which the indicator was last updated in SentinelOne DB after or equal to the specified timestamp.
2022-04-20 00:00
Updated Before
Optional
The time at which the indicator was last updated in SentinelOne DB before or equal to the specified timestamp.
2022-04-30 00:00
Limit
Optional
The limit number of returned IOCs. The valid value is an integer between 0 and 1000. If not specified, the default limit is 1000. To obtain all IOCs matching search criteria to be returned, set the limit to 0.
10
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
List IOCs failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 401.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Insufficient permissions.
Error Sample Data
List IOCs failed.
Status Code: 401.
Message: Insufficient permissions.
Mark As Threat
Marks suspicious threats as threat detections. Can only be used with API V2.0.
READER NOTE
The parameter Threat IDs is required to run this command.
Run the Get Threat command to obtain Threat IDs. Threat IDs can be found in the raw data at the path $.data[*].id.
Input
Input Parameter
Required/Optional
Description
Example
Threat IDs
Required
The list of threat IDs. Threat IDs can be obtained using the Get Threat command.
["*****", "*****"]
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Raw Data
The primary response data from the API request.
SAMPLE DATA
JSON
{
"data": {
"affected": 1
}
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Mark As Threat failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Unauthorized access.
Error Sample Data
Mark As Threat failed.
Status Code: 403.
Message: Unauthorized access.
Mitigate Threats
Applies a mitigation action to threats matching the specified filters. Only threats which you have permission to mitigate are counted as "affected" in the response field. Rollback is applied only on Windows. Remediate is applied only on macOS and Windows.
Input
Input Parameter
Required/Optional
Description
Example
Filter
Required
The filtering options to control the list of affected threats. It is possible to use any combination of filters to narrow the list. For example, "apply to only active threats from Linux endpoints". It is also possible to leave this field empty to apply to all available threats. Please refer to https://usea1-partners.sentinelone.net/api-doc/api-details?category=threats=mitigate-threats for more information about filters.
{
"computerName__contains": [
"DESKTOP-*****"
]
}
Mitigate Action
Required
The mitigation action selected to apply to the group of threats that matches the filter. Note: The Rollback mitigation action is only applied on Windows systems; the Remediate mitigation action is only applied on Windows and macOS systems.
Quarantine
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Raw Data
The primary response data from the API request.
SAMPLE DATA
JSON
{
"data": {
"affected": 15
}
}
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"AffectedThreats": 15
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Mitigate Threats failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Unauthorized access.
Error Sample Data
Mitigate Threats failed.
Status Code: 403.
Message: Unauthorized access.
Move Agents
Moves Agents to a new group by host name(s) or internal IP(s). Please note, you cannot move agents to a group which is not in the same site as the original group, and you must move the agents to the new site before you move agents to the group belonging to that site. To do this, you can use the Move Agents Between Sites command.
READER NOTE
Group ID is a required parameterto run this command.
Run the Get Groups command to obtain Group ID. Group IDs can be found in the raw data at the path $.data.id.
Input
Input Parameter
Required/Optional
Description
Example
Host Names Or Internal IPs
Required
The name(s) or internal IP(s) of the computer(s) to be moved to the specified group.
[ "***.***.***.***", "lab3-pc1" ]
Group ID
Required
The ID of the Group to which the agents will be moved. Group ID can be obtained using the Get Groups command.
*****
Output
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Move Agents failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: The group with ID **** is not found.
Error Sample Data
Move Agents failed.
Status Code: 404.
Message: The group with ID **** is not found.
Move Agents Between Sites
Moves Agents from one Site to a different Site. Agents will be moved to the best matching dynamic group, or to the Default group if no dynamic group matches.
READER NOTE
Site ID is a required parameterto run this command.
Run the Get Sites command to obtain Site ID. Site IDs can be found in the raw data at the path $.data.sites.id.
Input
Input Parameter
Required/Optional
Description
Example
Host Names Or Internal IPs
Required
The name(s) or internal IP(s) of the computer(s) to be moved to the specified site.
[ "***.***.***.***", "lab3-pc1" ]
Site ID
Required
The ID of the site where the agents will be moved. Site ID can be obtained using the Get Sites command.
*****
Output
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Move Agents Between Sites failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 401.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Authentication Failed.
Error Sample Data
Move Agents Between Sites failed.
Status Code: 401.
Message: Authentication Failed.
Ping Power Query
Ping Deep Visibility Power Query(s) using the query ID(s) if results have not returned from the initial Power Query or a previous ping.
READER NOTE
The parameter Query IDs is required to run this command.
Run the Create Power Query command to obtain Query IDs. Query IDs can be found in the raw data in the path $.results[*].queryId.
Input
Input Parameter
Required/Optional
Description
Example
Query IDs
Required
The unique identifier for specific queries to execute or manage. Query ID(s) can be obtained using the Create Power Query command to ping.
[ "*****" ]
Output
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Raw Data
The primary response data from the API request.
SAMPLE DATA
JSON
{
"results": [
{
"columns": [
{
"name": "eventTime",
"type": "UNKNOWN"
},
{
"name": "agentUuid",
"type": "UNKNOWN"
},
{
"name": "siteId",
"type": "UNKNOWN"
}
],
"data": [],
"externalId": "{\"lrqToken\":\"*****\",\"target\":\"__E1__*****/*****-\"}",
"progress": 100,
"queryId": "*****",
"recommendations": [
"Result set limited to 1000 rows by default. To display more rows, add a command like \"| limit 10000\"."
],
"status": "FINISHED"
}
]
}
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
Power Queries Count
1
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Ping Power Query failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 401.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Multiple errors found, please check D3Errors in command Raw Data.
Error Sample Data
Ping Power Query failed.
Status Code: 401.
Message: Multiple errors found, please check D3Errors in command Raw Data.
Quarantine Files
Encrypts and moves the threat and its executables files to a quarantine folder. Please note, this action performs Kill Processes related to the threat(s) before Quarantine.
READER NOTE
The parameter Threat IDs is optional to run this command.
Run the Get Threat command to obtain Threat IDs. Threat IDs can be found in the raw data at the path $.data[*].id.
Input
Input Parameter
Required/Optional
Description
Example
Computer Names
Required
The name(s) of the computer(s) on which the files are quarantined.
[ "lab3-pc1" ]
Originated Process Names
Optional
The originated process name(s) of the threat(s) whose files will be quarantined.
[ "svchost.exe" ]
Threat IDs
Optional
The ID(s) of the threat(s) whose files will be quarantined. Threat IDs can be obtained using the Get Threat command.
[ "*****" ]
File Paths
Optional
The file path(s) to search.
[ "\***\***\***\***\***.exe" ]
Content Hashes
Optional
The SHA-1 Hash value(s) to search.
[ "*****" ]
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Quarantine Files failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 401.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: UNAUTHORIZED. Please check D3Error object in RawData for more details.
Error Sample Data
Quarantine Files failed.
Status Code: 401.
Message: UNAUTHORIZED. Please check D3Error object in RawData for more details.
Query
Retrieves Deep Visibility events based on specified query conditions. Note: The API rate limit is 1 call per minute for each unique user token.
READER NOTE
Deep Visibility has limits for different accounts. The current trial account currently retains data for 14 days. If you see errors returned for your search period, contact SentineOne support to increase the data retention period if required.
The start time (in UTC Time) of the time range for querying events that are created after the specified start time.
2022-09-22 00:00
End Time
Required
The end time (in UTC Time) of the time range for querying events that are created before the specified end time.
2022-09-23 00:00
Limit
Optional
The maximum number of items to return. A valid value is an integer between 1 and 100,000. Up to 100,000 results will be returned if you leave this field empty.
10
Query
Required
The queries to filter events. Please refer to Query Syntax in the Knowledge Base (https://support.sentinelone.com) or the Console Help. Please also refer to
The specification of how many seconds to allow before aborting the query if the query status is not finished. If this parameter is not defined, the query will not be canceled. The minimum valid input value is 300.
300
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Query failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 401.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Authentication Failed.
Error Sample Data
Query failed.
Status Code: 401.
Message: Authentication Failed.
Remove Items In Blacklist
Removes threats from the blacklist
READER NOTE
The parameter Item IDs is optional to run this command.
Run the Get Blacklist command to obtain Item IDs. Item IDs can be found in the raw data at the path $.data.id.
Input
Input Parameter
Required/Optional
Description
Example
Item IDs
Optional
The ID(s) of the blacklisted items to remove. Item IDs can be obtained using the Get Blacklist command.
[
"*****",
"*****"
]
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
CODE
[
{
"affected": 1
},
{
"affected": 1
}
]
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"Item id": ["*****","*****"]
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
affected
1
1
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Remove Items In Blacklist failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 401.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Authentication Failed.
Error Sample Data
Remove Items In Blacklist failed.
Status Code: 401.
Message: Authentication Failed.
Resolve Threat
Updates status of specified threats to resolve.
READER NOTE
Threat IDs and Agent ID are required parametersto run this command.
Run the Get Threat command to obtain Threat IDs. Threat IDs can be found in the raw data at the path $.data[*].id.
Run the List Agents command to obtain Agent ID. Agent ID can be found in the raw data at the path $.data[*].id.
Input
Input Parameter
Required/Optional
Description
Example
Threat IDs
Required
The list of Threat ID(s) to resolve. Threat ID(s) can be obtained using the Get Threat command.
[
"*****",
"*****"
]
Agent ID
Required
The Agent ID associated with the threat. Agent ID can be obtained using the List Agents command.
*****
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
CODE
[
{
"affected": 15
},
{
"affected": 15
}
]
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"Threat id": ["*****","*****"]
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Resolve Threat failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SentinelOne portal. Refer to the HTTP Status Code Registry for details.
Status Code: 401.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Authentication Failed.
Error Sample Data
Resolve Threat failed.
Status Code: 401.
Message: Authentication Failed.
Restart Endpoints
Restarts endpoints that have an Agent installed and that fit the filter. We recommend that you use the Broadcast Message command to send a message to users of endpoints before you restart their computers.
READER NOTE
Agent IDs and Group IDs are optional parametersto run this command.
Run the List Agents command to obtain Agent IDs. Agent IDs can be found in the raw data at the path $.data[*].id.
Run the Get Groups command to obtain Group IDs. Group IDs can be found in the raw data at the path $.data.id.