soar
SentinelOne
Splunk SOAR Cloud
This app is NOT supported by Splunk. Please read about what that means for you here.
Overview
This app integrates with the SentinelOne Singularity platform to perform prevention, detection, remediation, and forensic endpoint management tasks
Supported Actions Version 2.2.9
- test connectivity: Validate the asset configuration for connectivity using supplied configuration
- block hash: Add a file hash to the global blocklist
- unblock hash: Remove a hash from the global blocklist
- quarantine device: Quarantine an endpoint
- unquarantine device: Unquarantine an endpoint
- mitigate threat: Mitigate an identified threat
- abort scan: Stop a Full Disk Scan on endpoint/agent
- shutdown endpoint: Shutdown an endpoint
- broadcast message: Send a Message through the Agents that users can see
- get file: Fetch files from endpoints to analyze the root of threats
- fetch firewall rules: Fetch the firewall rules
- fetch firewall logs: Fetch the firewall logs
- scan endpoint: Start a Full Disk Scan on endpoint/agent
- get endpoint info: Get detailed information about an endpoint/agent
- get threat info: Get detailed information about a threat
- list applications: Get the applications, and their data, installed on endpoints
- get cves: Get known CVEs for applications that are installed on endpoints with Application Risk-enabled Agents
- get devicecontrol events: Get the data of Device Control events on Windows and macOS endpoints
- list firewall rules: Get the Firewall Control rules for a scope specified
- create firewall rule: Create a Firewall Control rule
- hash reputation: Get the reputation of a hash, given the required SHA1
- get threat notes: Get the threat notes
- add threat note: Add a threat note to multiple threats
- export threat timeline: Export a threat's timeline
- export mitigation report: Export the mitigation report of threat
- export threats: Export data of threats
- fetch threat file: Fetch a file associated with the threat
- update threat analystverdict: Change the verdict of a threat, as determined by a Console user
- get threat timeline: Get a threat's timeline
- update threat incident: Update the incident details of a threat
- download from cloud: Download threat file from cloud
- on poll: Callback action for the on_poll ingest functionality
Supported Actions Version 2.2.8
- test connectivity: Validate the asset configuration for connectivity using supplied configuration
- block hash: Add a file hash to the global blocklist
- unblock hash: Remove a hash from the global blocklist
- quarantine device: Quarantine an endpoint
- unquarantine device: Unquarantine an endpoint
- mitigate threat: Mitigate an identified threat
- abort scan: Stop a Full Disk Scan on endpoint/agent
- shutdown endpoint: Shutdown an endpoint
- broadcast message: Send a Message through the Agents that users can see
- get file: Fetch files from endpoints to analyze the root of threats
- fetch firewall rules: Fetch the firewall rules
- fetch firewall logs: Fetch the firewall logs
- scan endpoint: Start a Full Disk Scan on endpoint/agent
- get endpoint info: Get detailed information about an endpoint/agent
- get threat info: Get detailed information about a threat
- list applications: Get the applications, and their data, installed on endpoints
- get cves: Get known CVEs for applications that are installed on endpoints with Application Risk-enabled Agents
- get devicecontrol events: Get the data of Device Control events on Windows and macOS endpoints
- list firewall rules: Get the Firewall Control rules for a scope specified
- create firewall rule: Create a Firewall Control rule
- hash reputation: Get the reputation of a hash, given the required SHA1
- get threat notes: Get the threat notes
- add threat note: Add a threat note to multiple threats
- export threat timeline: Export a threat's timeline
- export mitigation report: Export the mitigation report of threat
- export threats: Export data of threats
- fetch threat file: Fetch a file associated with the threat
- update threat analystverdict: Change the verdict of a threat, as determined by a Console user
- get threat timeline: Get a threat's timeline
- update threat incident: Update the incident details of a threat
- download from cloud: Download threat file from cloud
- on poll: Callback action for the on_poll ingest functionality
Supported Actions Version 2.2.7
- test connectivity: Validate the asset configuration for connectivity using supplied configuration
- block hash: Add a file hash to the global blocklist
- unblock hash: Remove a hash from the global blocklist
- quarantine device: Quarantine an endpoint
- unquarantine device: Unquarantine an endpoint
- mitigate threat: Mitigate an identified threat
- abort scan: Stop a Full Disk Scan on endpoint/agent
- shutdown endpoint: Shutdown an endpoint
- broadcast message: Send a Message through the Agents that users can see
- get file: Fetch files from endpoints to analyze the root of threats
- fetch firewall rules: Fetch the firewall rules
- fetch firewall logs: Fetch the firewall logs
- scan endpoint: Start a Full Disk Scan on endpoint/agent
- get endpoint info: Get detailed information about an endpoint/agent
- get threat info: Get detailed information about a threat
- list applications: Get the applications, and their data, installed on endpoints
- get cves: Get known CVEs for applications that are installed on endpoints with Application Risk-enabled Agents
- get devicecontrol events: Get the data of Device Control events on Windows and macOS endpoints
- list firewall rules: Get the Firewall Control rules for a scope specified
- create firewall rule: Create a Firewall Control rule
- hash reputation: Get the reputation of a hash, given the required SHA1
- get threat notes: Get the threat notes
- add threat note: Add a threat note to multiple threats
- export threat timeline: Export a threat's timeline
- export mitigation report: Export the mitigation report of threat
- export threats: Export data of threats
- fetch threat file: Fetch a file associated with the threat
- update threat analystverdict: Change the verdict of a threat, as determined by a Console user
- get threat timeline: Get a threat's timeline
- update threat incident: Update the incident details of a threat
- download from cloud: Download threat file from cloud
- on poll: Callback action for the on_poll ingest functionality
Supported Actions Version 2.2.6
- test connectivity: Validate the asset configuration for connectivity using supplied configuration
- block hash: Add a file hash to the global blocklist
- unblock hash: Remove a hash from the global blocklist
- quarantine device: Quarantine an endpoint
- unquarantine device: Unquarantine an endpoint
- mitigate threat: Mitigate an identified threat
- abort scan: Stop a Full Disk Scan on endpoint/agent
- shutdown endpoint: Shutdown an endpoint
- broadcast message: Send a Message through the Agents that users can see
- get file: Fetch files from endpoints to analyze the root of threats
- fetch firewall rules: Fetch the firewall rules
- fetch firewall logs: Fetch the firewall logs
- scan endpoint: Start a Full Disk Scan on endpoint/agent
- get endpoint info: Get detailed information about an endpoint/agent
- get threat info: Get detailed information about a threat
- list applications: Get the applications, and their data, installed on endpoints
- get cves: Get known CVEs for applications that are installed on endpoints with Application Risk-enabled Agents
- get devicecontrol events: Get the data of Device Control events on Windows and macOS endpoints
- list firewall rules: Get the Firewall Control rules for a scope specified
- create firewall rule: Create a Firewall Control rule
- hash reputation: Get the reputation of a hash, given the required SHA1
- get threat notes: Get the threat notes
- add threat note: Add a threat note to multiple threats
- export threat timeline: Export a threat's timeline
- export mitigation report: Export the mitigation report of threat
- export threats: Export data of threats
- fetch threat file: Fetch a file associated with the threat
- update threat analystverdict: Change the verdict of a threat, as determined by a Console user
- get threat timeline: Get a threat's timeline
- update threat incident: Update the incident details of a threat
- download from cloud: Download threat file from cloud
- on poll: Callback action for the on_poll ingest functionality
Supported Actions Version 2.1.1
- test connectivity: Validate the asset configuration for connectivity using supplied configuration
- block hash: Add a file hash to the global blocklist
- unblock hash: Remove a hash from the global blocklist
- quarantine device: Quarantine an endpoint
- unquarantine device: Unquarantine an endpoint
- mitigate threat: Mitigate an identified threat
- scan endpoint: Scan an endpoint for dormant threats
- get endpoint info: Get detailed information about an endpoint/agent
- get threat info: Get detailed information about a threat
- on poll: Callback action for the on_poll ingest functionality
Release Notes
Version 2.2.9
April 28, 2025
- Update Python dependencies for vulnerabilities, package updates, and platform built-in removals
- Update Python dependencies for Python 3.13 support
- Update NOTICE file with updated dependencies
- Apply pre-commit fixes
Version 2.2.8
Feb. 2, 2023
- Update test connectivity endpoint [PAPP-29334]
- Bug fix on ingestion pagination error [PAPP-29334]
- Add new asset configuration parameter for maximum container ingestion count [PAPP-29324]
Version 2.2.6
Jan. 31, 2022
SentinelOne Release Notes - Published by SentinelOne January 31, 2022
Version 2.2.6 - Released January 31, 2022
- The following actions are modified so that they work with IP addresses too:
- Quarantine device
- Unquarantine device
- Scan endpoint
- Get endpoint info
- Modified command to support new SentinelOne API
- Block hash
- The following new actions are implemented
- Abort Scan
- Broadcast Message
- Fetch Files (P1)
- Fetch Firewall Logs
- Fetch Firewall Rules
- Shutdown
- Get Applications
- Get CVEs
- Get Device Control Events (given a hostname or IP)
- Get Firewall Rules
- Create Firewall Rule
- Hash Reputation
- Add Note to Multiple
- Get Threat Notes
- Download from cloud
- Export Mitigation Report
- Export Threat Timeline
- Export Threats
- Fetch Threat File
- Update Threat Analyst Verdict
- Get Threat Timeline
- Update Threat Incident
Version 2.1.1
Sept. 21, 2021
SentinelOne Release Notes - Published by SentinelOne February 25, 2021
Version 2.1.1 - Released February 25, 2019
- Compatibility changes for Python 3 support
- Added two new actions 'on poll', 'get threat info'
- Exception handling for errors returned from APIs
- Added licensing details in all files
- Removed 'list endpoints', 'list processes' actions