SentinelOne | Marketplace

Details
Content
Dependencies
Version History

Endpoint protection

This pack enables you to use SentinelOne for endpoint protection.
You can receive alerts from endpoints, search for processes on endpoints, block endpoints and manage the endpoint protection policy.

What does this pack do?

This pack enables you to

Connect, disconnect, shutdown, and uninstall agents.
Get information about agents and agent groups, move an agent from one group to another, delete groups, and send broadcast messages to groups of agents.
Get information about threats, mark a suspicious behavior as a threat, and mitigate threats.
Get information about the system sites and reactivate a site if necessary.
Get information about activities, events and processes in the system.
The Sentinel One - Endpoint data collection playbook collects endpoint information by using SentinelOne commands.
The pack includes the SentinelOne v2 integration and the Sentinel One - Endpoint data collection playbook.

How does this pack work?

Create an instance of the SentinelOne v2 integration and start fetching information from the SentinelOne database.

Note: Support for this Pack moved to the partner on March, 23, 2023.
Please contact the partner directly via the support link on the right.

Pack Contributors:

nikstuckenbrock

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

This pack enables you to use SentinelOne for endpoint protection.
You can receive alerts from endpoints, search for processes on endpoints, block endpoints and manage the endpoint protection policy.

What does this pack do?

This pack enables you to

Connect, disconnect, shutdown, and uninstall agents.
Get information about agents and agent groups, move an agent from one group to another, delete groups, and send broadcast messages to groups of agents.
Get information about threats, mark a suspicious behavior as a threat, and mitigate threats.
Get information about the system sites and reactivate a site if necessary.
Get information about activities, events and processes in the system.
The Sentinel One - Endpoint data collection playbook collects endpoint information by using SentinelOne commands.
The pack includes the SentinelOne v2 integration and the Sentinel One - Endpoint data collection playbook.

How does this pack work?

Create an instance of the SentinelOne v2 integration and start fetching information from the SentinelOne database.

Note: Support for this Pack moved to the partner on March, 23, 2023.
Please contact the partner directly via the support link on the right.

Pack Contributors:

nikstuckenbrock

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Classifiers

Name	Description
SentinelOne Classifier	Classifies SentinelOne incidents.
SentinelOne - Outgoing Mapper	SentinelOne mirror out mapper.
SentinelOne Incoming Mapper	SentinelOne Incoming Mapper

Incident Fields

Name	Description
SentinelOne Group Name
SentinelOne Kubernetes Namespace Labels
SentinelOne Account Name
SentinelOne Cloud Provider Instance Size
SentinelOne Kubernetes Pod Labels
SentinelOne Cloud Provider Instance ID
SentinelOne Account ID
SentinelOne Threat Analyst Verdict
SentinelOne Cloud Provider Service Account
SentinelOne Cloud Provider Image
SentinelOne Group ID
SentinelOne Kubernetes Pod
SentinelOne Cloud Provider	AWS, Azure, GCP
SentinelOne Threat Status
SentinelOne Kubernetes Controller Labels
SentinelOne Agent Network Status
SentinelOne Classification Source
SentinelOne Cloud Provider Role
SentinelOne Cloud Provider Network
SentinelOne Cloud Provider Location
SentinelOne Kubernetes Namespace
SentinelOne Cloud Provider Tags
SentinelOne Cloud Provider Resource Group
SentinelOne Site ID
SentinelOne Cloud Provider Security Group
SentinelOne Threat ID
SentinelOne Cloud Provider SubnetId
SentinelOne Kubernetes Controller Name
SentinelOne Kubernetes Cluster
SentinelOne Site Name
SentinelOne Cloud Provider Account
SentinelOne Kubernetes Controller Kind
SentinelOne Kubernetes Node Labels
SentinelOne Threat Story Line
SentinelOne Network Interface Details
SentinelOne Kubernetes Node
SentinelOne Kubernetes isContainerQuarantine

Incident Types

Name	Description
SentinelOne Incident

Integrations

Name	Description
SentinelOne (Deprecated) (Partner Contribution)	Deprecated. Use the SentinelOne v2 integration instead.
SentinelOne v2 (Partner Contribution)	Use the SentinelOne integration to send requests to your management server and get responses with data pulled from agents or from the management database.

Layouts

Name	Description
SentinelOne Incident Layout

Playbooks

Name	Description
Sentinel One - Endpoint data collection	Deprecated. No available replacement.
Sentinel One - Query Endpoints	Runs Query on Endpoints for SHA1 values

Classifiers

Name	Description
SentinelOne Classifier	Classifies SentinelOne incidents.
SentinelOne - Outgoing Mapper	SentinelOne mirror out mapper.
SentinelOne Incoming Mapper	SentinelOne Incoming Mapper

Incident Fields

Name	Description
SentinelOne Threat Analyst Verdict
SentinelOne Classification Source
SentinelOne Site Name
SentinelOne Group ID
SentinelOne Kubernetes Pod Labels
SentinelOne Cloud Provider Tags
SentinelOne Kubernetes Namespace
SentinelOne Cloud Provider Network
SentinelOne Site ID
SentinelOne Agent Network Status
SentinelOne Kubernetes Cluster
SentinelOne Cloud Provider Role
SentinelOne Network Interface Details
SentinelOne Account ID
SentinelOne Group Name
SentinelOne Cloud Provider	AWS, Azure, GCP
SentinelOne Threat Story Line
SentinelOne Kubernetes Namespace Labels
SentinelOne Cloud Provider Resource Group
SentinelOne Cloud Provider SubnetId
SentinelOne Cloud Provider Instance ID
SentinelOne Cloud Provider Location
SentinelOne Kubernetes isContainerQuarantine
SentinelOne Kubernetes Controller Kind
SentinelOne Threat ID
SentinelOne Kubernetes Pod
SentinelOne Kubernetes Controller Name
SentinelOne Cloud Provider Instance Size
SentinelOne Cloud Provider Account
SentinelOne Cloud Provider Service Account
SentinelOne Threat Status
SentinelOne Cloud Provider Security Group
SentinelOne Kubernetes Node Labels
SentinelOne Kubernetes Node
SentinelOne Account Name
SentinelOne Kubernetes Controller Labels
SentinelOne Cloud Provider Image

Incident Types

Name	Description
SentinelOne Incident

Integrations

Name	Description
SentinelOne Activity and Alerts	This integration fetches activities, threats, and alerts from SentinelOne.
SentinelOne (Deprecated) (Partner Contribution)	Deprecated. Use the SentinelOne v2 integration instead.
SentinelOne v2 (Partner Contribution)	Use the SentinelOne integration to send requests to your management server and get responses with data pulled from agents or from the management database.

Layouts

Name	Description
SentinelOne Incident Layout

Modeling Rules

Name	Description
SentinelOne Modeling Rule

Playbooks

Name	Description
Sentinel One - Endpoint data collection	Deprecated. No available replacement.
Sentinel One - Query Endpoints	Runs Query on Endpoints for SHA1 values

Required Content Packs (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (4)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
ServiceNow	By: Cortex XSOAR

All level dependencies (6)

Pack Name	Pack By
Rasterize	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR

3.2.34 - 1487718 (October 9, 2024)

Integrations

SentinelOne v2

Added the PowerQuery context output to the sentinelone-get-power-query-results command.

Related pull requests:
- 36576
- 36673

Download

3.2.33 - 1445410 (September 29, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 36547

Download

3.2.32 - 1417991 (September 22, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 36411

Download

3.2.31 - 1350055 (September 5, 2024)

Integrations

SentinelOne v2

Command sentinelone-create-power-query is deprecated. Use sentinelone-get-power-query-results instead.
Command sentinelone-ping-power-query is deprecated. Use sentinelone-get-power-query-results instead.
Added a new sentinelone-get-power-query-results command.
Updated the sentinelone-get-agent and sentinelone-list-agents commands by adding the MachineType output.

Related pull requests:
- 36033
- 36156

Download

3.2.30 - 1309186 (August 26, 2024)

Integrations

SentinelOne v2

Added 3 new commands:
- sentinelone-get-remote-script-task-status
- sentinelone-get-remote-script-task-results
- sentinelone-remote-script-automate-results
Updated the output_directory argument in the command sentinelone-run-remote-script.

Related pull requests:
- 35972
- 35721

Download

3.2.29 - 1277948 (August 15, 2024)

Integrations

SentinelOne v2

Updated the integration logo to align to the common SentinelOne logo.

Related pull requests:
- 35867

Download

3.2.28 - 1202417 (July 23, 2024)

Integrations

SentinelOne v2

Added tags to the output of the list agent endpoint

Related pull requests:
- 35358
- 35556

Download

3.2.27 - 1122733 (June 25, 2024)

Integrations

SentinelOne v2

Fixed an issue where the sentinelone-get-threats command only returns the first threat when a list of threats is given as input using the argument threat_ids.
Updated the Docker image to: demisto/python3:3.10.14.99144.

Related pull requests:
- 34988
- 35041
- 34988

Download

3.2.26 - 1103228 (June 18, 2024)

Incident Fields

New: SentinelOne Account ID
New: SentinelOne Account Name
New: SentinelOne Agent Network Status
New: SentinelOne Classification Source
New: SentinelOne Cloud Provider Image
New: SentinelOne Cloud Provider Instance ID
New: SentinelOne Cloud Provider Instance Size
New: SentinelOne Cloud Provider Location
New: SentinelOne Cloud Provider Network
New: SentinelOne Cloud Provider Tags
New: SentinelOne Cloud Provider Account
New: SentinelOne Cloud Provider Role
New: SentinelOne Cloud Provider Security Group
New: SentinelOne Cloud Provider SubnetId
New: SentinelOne Cloud Provider Resource Group
New: SentinelOne Cloud Provider Service Account
New: SentinelOne Group ID
New: SentinelOne Group Name
New: SentinelOne Kubernetes Cluster
New: SentinelOne Kubernetes Controller Kind
New: SentinelOne Kubernetes Controller Labels
New: SentinelOne Kubernetes Controller Name
New: SentinelOne Kubernetes Namespace
New: SentinelOne Kubernetes Namespace Labels
New: SentinelOne Kubernetes Node
New: SentinelOne Kubernetes Node Labels
New: SentinelOne Kubernetes Pod
New: SentinelOne Kubernetes Pod Labels
New: SentinelOne Kubernetes isContainerQuarantine
New: SentinelOne Network Interface Details
New: SentinelOne Site ID
New: SentinelOne Site Name
New: SentinelOne Threat Story Line

Incident Types

SentinelOne Incident
Updated incident type, now it will fetch the indicators from specific mentioned fields of data.

Layouts

SentinelOne Incident Layout
Updated the layout to include a grid for network interface details and some new sections for remaining details.
Added a new section of buttons designed to trigger commands upon execution and also added a brand for the buttons.
Added a new tab for the threat Kubernetes details and also added display filters for the same. The tab includes sections for each detail, such as Kubernetes cluster, pod, and node details.
Added a new tab for the threat cloud provider details and also added display filters for the same. The tab includes a generic section for AWS, GCP, and AZURE cloud provider details.
Added a new tab in the layout specifically for "Related Incidents".

Mappers

SentinelOne Incoming Mapper

Updated the mapper by properly mapping the available fields to ensure accurate data population.
Updated the mapper by making "dontMapEventToLabels" value to False, so that unmapped fields will fall under the labels.

Related pull requests:
- 34619
- 34911

Download

3.2.25 - 1070867 (June 5, 2024)

Integrations

SentinelOne v2

Fixed an issue where the sentinelone-disconnect-agent and sentinelone-connect-agent commands would only return the first Agent ID and its network status among the IDs given as inputs.
Added the output SentinelOne.Agent.NetworkStatus for the sentinelone-connect-agent command, which will display the network status of each agent given as input.
Updated the Docker image to: demisto/python3:3.10.14.96411.

Related pull requests:
- 34672
- 34372

Download

3.2.24 - R1051712 (May 28, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 34119
- 34470

Download

3.2.23 - 924992 (March 31, 2024)

Integrations

SentinelOne v2

Updated the sentinelone-get-hash command to output the Hash Reputation Verdict, instead of the Hash Reputation Rank as SentinelOne has deprecated /rank API endpoint and recommend /verdict API which fetches Hash Reputation Verdict.
Updated the Docker image to: demisto/python3:3.10.13.89009.

Related pull requests:
- 33649
- 33422

Download

3.2.22 - 849166 (February 25, 2024)

Integrations

SentinelOne v2

Updated the incident context data by removing the both details and labels.
Updated the Docker image to: demisto/python3:3.10.13.87159.

Related pull requests:
- 33005
- 33057

Download

3.2.21 - 839519 (February 20, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 33007

Download

3.2.20 - 798475 (February 1, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 32533

Download

3.2.19 - 772178 (January 19, 2024)

Integrations

SentinelOne v2

Fixed an issue where sentinelone-remove-hash-from-blocklist command would not remove from scoped blocklists.
Updated the Docker image to: demisto/python3:3.10.13.85415.

Related pull requests:
- 32262
- 32116

Download

3.2.18 - 767481 (January 17, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 32259

Download

3.2.17 - 750759 (January 9, 2024)

Integrations

SentinelOne v2

Updated the argument computer_name of the sentinelone-list-agents command so it can now match a partial computer name value (substring).

Related pull requests:
- 31988
- 32037

Download

3.2.16 - 722180 (December 28, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 31828

Download

3.2.15 - 7254058 (December 24, 2023)

Integrations

SentinelOne v2

Fixed bug for the sentinelone-run-remote-script command, removing the empty values from the payload of an API call.

Related pull requests:
- 31687
- 31595

Download

3.2.14 - 7153835 (December 13, 2023)

Integrations

SentinelOne v2

Added the include_resolved_param argument to the command sentinelone-get-threats which allows ignoring the resolved argument in order to get threats no matter what their status is.
Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31433
- 31355

Download

3.2.13 - 7076512 (December 5, 2023)

Integrations

SentinelOne v2

Added 2 commands:
- sentinelone-get-accounts
- sentinelone-get-threat-notes
Added the columns argument to the commands sentinelone-list-agents and sentinelone-get-events.
Updated the description and type of the output SentinelOne.Threat.Mitigation.Action from the command sentinelone-mitigate-threat as they were incorrect.
Updated the Docker image to: demisto/python3:3.10.13.82467.

Related pull requests:
- 31312

Download

3.2.12 - 6834680 (November 8, 2023)

Classifiers

SentinelOne Classifier

Fixed an issue where the SentinelOne Classifier unable to mapped with the Incident Type whose name is incident.

Integrations

SentinelOne v2

Updated the Docker image to: demisto/python3:3.10.13.80014.
Improved implementation of the fetch-threats functionality, so that it will fetch the selected threat statuses from the configuration.

Related pull requests:
- 30740
- 30626

Download

3.2.11 - 6679159 (October 23, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 30084

Download

3.2.10 - R6592021 (October 13, 2023)

Integrations

SentinelOne v2

Updated the Docker image to: demisto/python3:3.10.13.75921.
Fixed an issue with the Classifier where some incidents fall under the incorrect incident_type. This causes a red numbered mark on the classifier tab in XSOAR UI, which is considered as an unclassified incident.

Related pull requests:
- 29993
- 29841

Download

3.2.9 - 6367558 (September 19, 2023)

Integrations

SentinelOne v2

Updated the Docker image to: demisto/python3:3.10.13.73190.
Fixed an issue with the sentinelone-create-star-rule and sentinelone-update-star-rule commands, where the filters query parameter, when provided with empty values for any of site_ids, group_ids, or account_ids, was causing a validation error.
Updated the sentinelone-get-threats command by including new argument: incident_statuses.
Added filter options while fetching threats.

Related pull requests:
- 29549
- 29722

Download

3.2.8 - 6253250 (September 6, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 29440

Download

3.2.7 - 6133197 (August 23, 2023)

Integrations

SentinelOne v2

Updated the Docker image to: demisto/python3:3.10.12.68714.

Related pull requests:
- 29157

Download

3.2.6 - 6069807 (August 16, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 29000

Download

3.2.5 - 5925411 (August 1, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 28643

Download

3.2.4 - R5866730 (July 25, 2023)

Integrations

SentinelOne v2

Removed pack version from script.

Related pull requests:
- 28181

Download

3.2.3 - 5746599 (July 12, 2023)

Integrations

SentinelOne v2

Updated the sentinelone-run-remote-script command by including new arguments: singularity_xdr_Keyword, singularity_xdr_Url, api_key, input_params, password, script_runtime_timeout_seconds and requires_approval.
Fixed an issue in fetch incidents by defaulting the fetch type to Threats in the code.
Bug fixes.

Mappers

SentinelOne Incoming Mapper

Added a new common field Verdict by mapping it to the analyst verdict of the incident.

Playbooks

Sentinel One - Endpoint data collection

Deprecated. No available replacement.

Related pull requests:
- 27909
- 28072

Download

3.2.2 - 5668905 (July 2, 2023)

Integrations

SentinelOne v2

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27820

Download

3.2.1 - 5558549 (June 18, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 27520

Download

3.2.0 - 5422508 (June 1, 2023)

Integrations

SentinelOne v2

Updated the Docker image to: demisto/python3:3.10.11.61265.
Updated the created_until argument from required to optional in sentinelone-get-alerts command.
Updated the created_until and created_from arguments to accept input in the form of "10 days", "2 hours","5 months" in the sentinelone-get-alerts command.
Updated the created_after created_before created_from and created_until arguments to accept input in the form of "10 days", "2 hours","5 months" in the sentinelone-get-threats command.
Updated the fetch-incidents command to fetch threats, alerts or both, including additional filtering options.
Added a new command sentinelone-get-dv-query-status: returns status of a Deep Visibility Query.
Added a new command sentinelone-get-agent-mac: returns network interface details for a given Agent ID. This includes MAC address details and interface description.

Playbooks

New: Sentinel One - Query Endpoints

Runs Query on Endpoints for SHA1 values

Related pull requests:
- 26566
- 27137

Download

3.1.4 - 5304600 (May 19, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 26640

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	September 23, 2020
Last Release	October 9, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.