SentinelOne | Marketplace

Details
Content
Dependencies
Version History

Endpoint protection

This pack enables you to use SentinelOne for endpoint protection.
You can receive alerts from endpoints, search for processes on endpoints, block endpoints and manage the endpoint protection policy.

What does this pack do?

This pack enables you to

Connect, disconnect, shutdown, and uninstall agents.
Get information about agents and agent groups, move an agent from one group to another, delete groups, and send broadcast messages to groups of agents.
Get information about threats, mark a suspicious behavior as a threat, and mitigate threats.
Get information about the system sites and reactivate a site if necessary.
Get information about activities, events and processes in the system.
The Sentinel One - Endpoint data collection playbook collects endpoint information by using SentinelOne commands.
The pack includes the SentinelOne v2 integration and the Sentinel One - Endpoint data collection playbook.

How does this pack work?

Create an instance of the SentinelOne v2 integration and start fetching information from the SentinelOne database.

Note: Support for this Pack moved to the partner on March, 23, 2023.
Please contact the partner directly via the support link on the right.

Pack Contributors:

nikstuckenbrock
Bryan van der Net
Anirudh Punaruru

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

This pack enables you to use SentinelOne for endpoint protection.
You can receive alerts from endpoints, search for processes on endpoints, block endpoints and manage the endpoint protection policy.

What does this pack do?

This pack enables you to

Connect, disconnect, shutdown, and uninstall agents.
Get information about agents and agent groups, move an agent from one group to another, delete groups, and send broadcast messages to groups of agents.
Get information about threats, mark a suspicious behavior as a threat, and mitigate threats.
Get information about the system sites and reactivate a site if necessary.
Get information about activities, events and processes in the system.
The Sentinel One - Endpoint data collection playbook collects endpoint information by using SentinelOne commands.
The pack includes the SentinelOne v2 integration and the Sentinel One - Endpoint data collection playbook.

How does this pack work?

Create an instance of the SentinelOne v2 integration and start fetching information from the SentinelOne database.

Note: Support for this Pack moved to the partner on March, 23, 2023.
Please contact the partner directly via the support link on the right.

Pack Contributors:

nikstuckenbrock
Bryan van der Net
Anirudh Punaruru

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Classifiers

Name	Description
SentinelOne Classifier	Classifies SentinelOne incidents.
SentinelOne - Outgoing Mapper	SentinelOne mirror out mapper.
SentinelOne Incoming Mapper	SentinelOne Incoming Mapper

Incident Fields

Name	Description
SentinelOne Cloud Provider Network
SentinelOne Kubernetes Controller Kind
SentinelOne Cloud Provider Service Account
SentinelOne Cloud Provider Instance ID
SentinelOne Kubernetes isContainerQuarantine
SentinelOne UAM Alert Attack Surfaces
SentinelOne UAM Alert ID
SentinelOne UAM Alert Detection Product
SentinelOne Cloud Provider Security Group
SentinelOne Classification Source
SentinelOne Cloud Provider Tags
SentinelOne Kubernetes Namespace Labels
SentinelOne Cloud Provider Image
SentinelOne Kubernetes Node Labels
SentinelOne UAM Alert External Id
SentinelOne Cloud Provider Role
SentinelOne Account Name
SentinelOne Cloud Provider Location
SentinelOne Threat Analyst Verdict
SentinelOne Threat ID
SentinelOne Cloud Provider Account
SentinelOne UAM Alert Name
SentinelOne Account ID
SentinelOne Kubernetes Node
SentinelOne Kubernetes Cluster
SentinelOne Kubernetes Namespace
SentinelOne Group Name
SentinelOne Threat Story Line
SentinelOne Cloud Provider Resource Group
SentinelOne UAM Alert Analyst Verdict Mapped
SentinelOne UAM Alert Analyst Verdict
SentinelOne Kubernetes Controller Name
SentinelOne Site Name
SentinelOne Network Interface Details
SentinelOne Cloud Provider SubnetId
SentinelOne Cloud Provider	AWS, Azure, GCP
SentinelOne Agent Network Status
SentinelOne Kubernetes Pod Labels
SentinelOne UAM Alert Status
SentinelOne Kubernetes Pod
SentinelOne Site ID
SentinelOne Threat Status
SentinelOne Cloud Provider Instance Size
SentinelOne Group ID
SentinelOne Kubernetes Controller Labels

Incident Types

Name	Description
SentinelOne Incident

Integrations

Name	Description
SentinelOne (Deprecated) (Partner Contribution)	Deprecated. Use the SentinelOne v2 integration instead.
SentinelOne v2 (Partner Contribution)	Use the SentinelOne integration to send requests to your management server and get responses with data pulled from agents or from the management database.

Layouts

Name	Description
SentinelOne Incident Layout

Playbooks

Name	Description
Sentinel One - Endpoint data collection	Deprecated. No available replacement.
Sentinel One - Query Endpoints	Runs Query on Endpoints for SHA1 values

Classifiers

Name	Description
SentinelOne Classifier	Classifies SentinelOne incidents.
SentinelOne Incoming Mapper	SentinelOne Incoming Mapper
SentinelOne - Outgoing Mapper	SentinelOne mirror out mapper.

Incident Fields

Name	Description
SentinelOne Kubernetes Namespace
SentinelOne UAM Alert Name
SentinelOne Site ID
SentinelOne UAM Alert Analyst Verdict
SentinelOne UAM Alert External Id
SentinelOne Group Name
SentinelOne Cloud Provider Network
SentinelOne Account Name
SentinelOne Cloud Provider	AWS, Azure, GCP
SentinelOne Cloud Provider Role
SentinelOne UAM Alert Attack Surfaces
SentinelOne Cloud Provider Tags
SentinelOne Kubernetes Controller Labels
SentinelOne Cloud Provider Account
SentinelOne Cloud Provider Location
SentinelOne Threat Status
SentinelOne Threat Analyst Verdict
SentinelOne Kubernetes Node Labels
SentinelOne Cloud Provider Image
SentinelOne Cloud Provider Instance Size
SentinelOne Cloud Provider SubnetId
SentinelOne Kubernetes Cluster
SentinelOne Kubernetes Controller Kind
SentinelOne UAM Alert Analyst Verdict Mapped
SentinelOne Threat ID
SentinelOne Kubernetes Controller Name
SentinelOne Cloud Provider Resource Group
SentinelOne Site Name
SentinelOne Cloud Provider Service Account
SentinelOne UAM Alert Detection Product
SentinelOne Cloud Provider Security Group
SentinelOne Account ID
SentinelOne Kubernetes Namespace Labels
SentinelOne Agent Network Status
SentinelOne UAM Alert Status
SentinelOne Kubernetes Node
SentinelOne Cloud Provider Instance ID
SentinelOne UAM Alert ID
SentinelOne Group ID
SentinelOne Kubernetes Pod
SentinelOne Kubernetes Pod Labels
SentinelOne Classification Source
SentinelOne Network Interface Details
SentinelOne Threat Story Line
SentinelOne Kubernetes isContainerQuarantine

Incident Types

Name	Description
SentinelOne Incident

Integrations

Name	Description
SentinelOne Activity and Alerts	This integration fetches activities, threats, and alerts from SentinelOne.
SentinelOne v2 (Partner Contribution)	Use the SentinelOne integration to send requests to your management server and get responses with data pulled from agents or from the management database.
SentinelOne (Deprecated) (Partner Contribution)	Deprecated. Use the SentinelOne v2 integration instead.

Layouts

Name	Description
SentinelOne Incident Layout

Modeling Rules

Name	Description
SentinelOne Modeling Rule

Playbooks

Name	Description
Sentinel One - Endpoint data collection	Deprecated. No available replacement.
Sentinel One - Query Endpoints	Runs Query on Endpoints for SHA1 values

Required Content Packs (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (4)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
ServiceNow	By: Cortex XSOAR

All level dependencies (7)

Pack Name	Pack By
Rasterize	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

3.3.10 - 10040983 (June 10, 2026)

Integrations

SentinelOne v2

Added support for query_lang argument in the sentinelone-update-star-rule command.
Added support for query_lang argument in the sentinelone-create-star-rule command.

Related pull requests:
- 44574
- 44316

Download

3.3.9 - 9264184 (May 25, 2026)

Integrations

SentinelOne v2

Documentation and metadata improvements.

Related pull requests:
- 44363
- 44358
- 42667
- 43952
- 43732
- 44181
- 44008
- 44052
- 44349
- 44357
- 44339
- 44344
- 43700

Download

3.3.8 - 8668717 (May 3, 2026)

Incident Fields

SentinelOne UAM Alert Analyst Verdict
Updated the SentinelOne UAM Alert Analyst Verdict incident field to support the mirroring of UAM Alerts.
New: SentinelOne UAM Alert Status
New: Added a new incident field- SentinelOne UAM Alert Status to support the mirroring of UAM Alerts.
New: SentinelOne UAM Alert Analyst Verdict Mapped
New: Added a new incident field- SentinelOne UAM Alert Analyst Verdict Mapped to support the mirroring of UAM Alerts.

Integrations

SentinelOne v2

Added support for sentinelone-update-uam-alert-verdict command that updates the analyst verdict for a group of uam alerts. relevant for api version 2.1.
Added support for sentinelone-update-uam-alert-status command that updates the status for a group of uam alerts. relevant for api version 2.1.
Added mirroring support for UAM Alerts, covering both Status and Analyst Verdict, for incoming and outgoing synchronization.
Updated the Docker image to: demisto/python3:3.12.13.8428455.

Layouts

SentinelOne Incident Layout
Updated the SentinelOne Incident Layout layout to include the newly supported Status and AnalystVerdict for UAM Alerts.

Mappers

SentinelOne - Outgoing Mapper

Updated the SentinelOne - Outgoing Mapper mapper to include the analyst verdict and status fields for UAM Alerts.

SentinelOne Incoming Mapper

Updated the SentinelOne Incoming Mapper mapper to include the status field.

Related pull requests:
- 44087
- 43651

Download

3.3.7 - 8515806 (April 27, 2026)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 43940

Download

3.3.6 - 8210013 (April 13, 2026)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 43748

Download

3.3.5 - 7843807 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43568

Download

3.3.4 - 7756396 (March 18, 2026)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 43492

Download

3.3.3 - 6830901 (January 22, 2026)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 42703

Download

3.3.2 - 6688262 (January 14, 2026)

Incident Fields

New: SentinelOne UAM Alert ID
New: Added a new incident field- SentinelOne UAM Alert ID.
New: SentinelOne UAM Alert Analyst Verdict
New: Added a new incident field- SentinelOne UAM Alert Analyst Verdict.
New: SentinelOne UAM Alert Attack Surfaces
New: Added a new incident field- SentinelOne UAM Alert Attack Surfaces.
New: SentinelOne UAM Alert Detection Product
New: Added a new incident field- SentinelOne UAM Alert Detection Product.
New: SentinelOne UAM Alert Name
New: Added a new incident field- SentinelOne UAM Alert Name.
New: SentinelOne UAM Alert External Id
New: Added a new incident field- SentinelOne UAM Alert External Id.

Integrations

SentinelOne v2

Added the parameter Fetch incidents from UAM Alert type. Use this parameter to fetch UAM type alerts.
Updated the Docker image to: demisto/python3:3.12.12.6391686.

Layouts

SentinelOne Incident Layout
Updated the SentinelOne Incident Layout layout to support new incident fields for UAM alert.

Mappers

SentinelOne Incoming Mapper

Updated the SentinelOne Incoming Mapper mapper to support new incident fields for UAM alert.

Related pull requests:
- 42476
- 42656

Download

3.3.1 - 6072035 (November 30, 2025)

Integrations

SentinelOne v2

Added support for Critical severity value for fetch_severity.
Added support for sentinelone-run-powerquery command that run a powerquery, where you can pipe one or many search expressions into a set of commands to transform, manipulate, group, and summarize your data.
Added support for sentinelone-endpoint-fetch-logs command that get the agent and endpoint logs from agents for provided agent ids.
Added support for sentinelone-create-bulk-ioc command that add bulk list of iocs to the threat intelligence database. relevant for api version 2.1.
Added support for sentinelone-threat-analysis command that returns threat analysis. can only be used with api v2.1.
Added support for sentinelone-abort-endpoint-scan command that abort the endpoint virus scan on provided agent ids.

Related pull requests:
- 41931
- 42085

Download

3.3.0 - 5917085 (November 18, 2025)

Integrations

SentinelOne v2

Added the sentinelone-threat-download-from-cloud command to download a file associated with a threat from the cloud (binaryvault).

Related pull requests:
- 41918
- 41486

Download

3.2.55 - 5818832 (November 11, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41805

Download

3.2.54 - 5801457 (November 10, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41857

Download

3.2.53 - 5698874 (November 2, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41748

Download

3.2.52 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

3.2.51 - 5591931 (October 27, 2025)

Integrations

SentinelOne v2

Enhanced Add-hash-to-blocklist and remove-hash-from-blocklist commands to fully support SHA256 in addition to SHA1.
Command arguments now accept both sha1 and sha256Value for adding or removing hashes.
Updated the Docker image to: demisto/python3:3.12.11.4819260.

Related pull requests:
- 41490
- 41608

Download

3.2.50 - R5469292 (October 20, 2025)

Documentation and metadata improvements.

Related pull requests:
- 41444

Download

3.2.49 - 4770511 (September 4, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41158

Download

3.2.48 - 4712962 (August 31, 2025)

Scripts

Updated the documentation and metadata.

Related pull requests:
- 41083

Download

3.2.47 - 4583601 (August 20, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 40974

Download

3.2.46 - 4536372 (August 15, 2025)

Documentation and metadata improvements.

Related pull requests:
- 40940

Download

3.2.45 - R4512458 (August 13, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 40879

Download

3.2.44 - 4486728 (August 11, 2025)

Documentation and metadata improvements.

Related pull requests:
- 44363
- 44358
- 42667
- 43952
- 43732
- 44181
- 44008
- 44052
- 44349
- 44357
- 44339
- 44344
- 43700

Download

3.3.8 - 8668717 (May 3, 2026)

Incident Fields

SentinelOne UAM Alert Analyst Verdict
Updated the SentinelOne UAM Alert Analyst Verdict incident field to support the mirroring of UAM Alerts.
New: SentinelOne UAM Alert Status
New: Added a new incident field- SentinelOne UAM Alert Status to support the mirroring of UAM Alerts.
New: SentinelOne UAM Alert Analyst Verdict Mapped
New: Added a new incident field- SentinelOne UAM Alert Analyst Verdict Mapped to support the mirroring of UAM Alerts.

Integrations

SentinelOne v2

Added support for sentinelone-update-uam-alert-verdict command that updates the analyst verdict for a group of uam alerts. relevant for api version 2.1.
Added support for sentinelone-update-uam-alert-status command that updates the status for a group of uam alerts. relevant for api version 2.1.
Added mirroring support for UAM Alerts, covering both Status and Analyst Verdict, for incoming and outgoing synchronization.
Updated the Docker image to: demisto/python3:3.12.13.8428455.

Layouts

SentinelOne Incident Layout
Updated the SentinelOne Incident Layout layout to include the newly supported Status and AnalystVerdict for UAM Alerts.

Mappers

SentinelOne - Outgoing Mapper

Updated the SentinelOne - Outgoing Mapper mapper to include the analyst verdict and status fields for UAM Alerts.

SentinelOne Incoming Mapper

Updated the SentinelOne Incoming Mapper mapper to include the status field.

Related pull requests:
- 44087
- 43651

Download

3.3.7 - 8542515 (April 28, 2026)

Modeling Rules

SentinelOne Modeling Rule

Documentation and metadata improvements.

Related pull requests:
- 43940

Download

3.3.6 - 8210013 (April 13, 2026)

Integrations

SentinelOne Activity and Alerts

Documentation and metadata improvements.

Related pull requests:
- 43748

Download

3.3.5 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43568

Download

3.3.4 - 7756396 (March 18, 2026)

Modeling Rules

SentinelOne Modeling Rule

Updated the SentinelOne Modeling Rule to extract additional fields for the Activity event type.

Related pull requests:
- 43492

Download

3.3.3 - 6840082 (January 22, 2026)

Integrations

SentinelOne Activity and Alerts

Added the new _EXTERNAL_URL field to all events for easy navigation to the SentinelOne console

Related pull requests:
- 42703

Download

3.3.2 - 6688262 (January 14, 2026)

Incident Fields

New: SentinelOne UAM Alert ID
New: Added a new incident field- SentinelOne UAM Alert ID.
New: SentinelOne UAM Alert Analyst Verdict
New: Added a new incident field- SentinelOne UAM Alert Analyst Verdict.
New: SentinelOne UAM Alert Attack Surfaces
New: Added a new incident field- SentinelOne UAM Alert Attack Surfaces.
New: SentinelOne UAM Alert Detection Product
New: Added a new incident field- SentinelOne UAM Alert Detection Product.
New: SentinelOne UAM Alert Name
New: Added a new incident field- SentinelOne UAM Alert Name.
New: SentinelOne UAM Alert External Id
New: Added a new incident field- SentinelOne UAM Alert External Id.

Integrations

SentinelOne v2

Added the parameter Fetch incidents from UAM Alert type. Use this parameter to fetch UAM type alerts.
Updated the Docker image to: demisto/python3:3.12.12.6391686.

Layouts

SentinelOne Incident Layout
Updated the SentinelOne Incident Layout layout to support new incident fields for UAM alert.

Mappers

SentinelOne Incoming Mapper

Updated the SentinelOne Incoming Mapper mapper to support new incident fields for UAM alert.

Related pull requests:
- 42476
- 42656

Download

3.3.1 - 6072035 (November 30, 2025)

Integrations

SentinelOne v2

Added support for Critical severity value for fetch_severity.
Added support for sentinelone-run-powerquery command that run a powerquery, where you can pipe one or many search expressions into a set of commands to transform, manipulate, group, and summarize your data.
Added support for sentinelone-endpoint-fetch-logs command that get the agent and endpoint logs from agents for provided agent ids.
Added support for sentinelone-create-bulk-ioc command that add bulk list of iocs to the threat intelligence database. relevant for api version 2.1.
Added support for sentinelone-threat-analysis command that returns threat analysis. can only be used with api v2.1.
Added support for sentinelone-abort-endpoint-scan command that abort the endpoint virus scan on provided agent ids.

Related pull requests:
- 41931
- 42085

Download

3.3.0 - 5917085 (November 18, 2025)

Integrations

SentinelOne v2

Added the sentinelone-threat-download-from-cloud command to download a file associated with a threat from the cloud (binaryvault).

Related pull requests:
- 41918
- 41486

Download

3.2.55 - 5818832 (November 11, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41805

Download

3.2.54 - 5801457 (November 10, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41857

Download

3.2.53 - 5698874 (November 2, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41748

Download

3.2.52 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

3.2.51 - 5591931 (October 27, 2025)

Integrations

SentinelOne v2

Enhanced Add-hash-to-blocklist and remove-hash-from-blocklist commands to fully support SHA256 in addition to SHA1.
Command arguments now accept both sha1 and sha256Value for adding or removing hashes.
Updated the Docker image to: demisto/python3:3.12.11.4819260.

Related pull requests:
- 41490
- 41608

Download

3.2.50 - R5456168 (October 19, 2025)

Documentation and metadata improvements.

Related pull requests:
- 41444

Download

3.2.49 - R4788028 (September 7, 2025)

Integrations

SentinelOne Activity and Alerts

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 41158

Download

3.2.48 - 4712962 (August 31, 2025)

Scripts

Updated the documentation and metadata.

Related pull requests:
- 41083

Download

3.2.47 - 4583601 (August 20, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 40974

Download

3.2.46 - 4532879 (August 14, 2025)

Documentation and metadata improvements.

Related pull requests:
- 40940

Download

3.2.45 - R4524270 (August 14, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 40879

Download

3.2.44 - 4486728 (August 11, 2025)

Added support for the 'Preference Center' feature for selected commands.
Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40192

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	September 23, 2020
Last Release	June 10, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

By downloading or using Marketplace content, you agree to the applicable Terms of Use and End User License Agreement. Third-party content is provided by its publisher, and Palo Alto Networks does not warrant, endorse, support, or assume responsibility for content not expressly identified as owned by Palo Alto Networks.