| description |
|---|
| This document outlines the requirements and setup for the SentinelOne integration. |
{% hint style="info" %} If you’re new to integrations in Rewst, read through our introductory integration documentation here. {% endhint %}
Our SentinelOne integration enables the automation of endpoint protection. Use the SentinelOne API within Rewst workflows to manage accounts, agents, forensics, and threats.
- Log in to the SentinelOne management console.
- Navigate to Settings > Users.
- Click Service Users.
- Click Actions > Create New Service User.
- Set a name and an expiration date for the account.
- Click Next.
- Select Account as the access level, then select the parent site.
- Set the role to Admin.
- Click Create User.
- Copy the API key information and save it in a secure location. You'll need this information for further setup steps in Rewst.
{% hint style="info" %} SentinelOne API tokens have an expiration date, typically 6 months out. We suggest setting a reminder for checking and updating the keys to correspond with the expiration timeline. {% endhint %}
Once you have created an API account, you will need to configure the integration within the Rewst platform.
Follow the steps below to configure a new integration:
- Navigate to Marketplace > Integrations in the left side menu of your Rewst platform.
- Search for `SentinelOne` in the integrations page.
- Click on the integration tile to launch the configuration setup page.
- Under Parameters, enter the information copied from SentinelOne into the relevant fields:
  - API Key: The API key that was generated for integration.
  - Domain: This is the full URL to the SentinelOne tenant.
- Click Save Configuration.
- Rewst will do a quick validation of your input. Once completed, you'll see a new section beneath the configuration form for organization mapping. Complete your mapping as desired.
{% hint style="success" %} Got an idea for a new Integration? Rewst is constantly adding new integrations to our integrations page. Submit your idea or upvote existing ideas here in our Canny feedback collector. {% endhint %}
| Category | Action | Description |
|---|---|---|
| Accounts | List Accounts | This gets the Accounts and their data that match the filter. This command gives the account IDs, which other commands require. |
| Accounts | Create Account | This creates a new account. This command requires global permissions and an MSSP deployment. |
| Accounts | Get Account | This gets account data from a given account ID. To get an account ID, run List Accounts. |
| Accounts | Update Account | This changes the data of an account. This command requires a global user or an account user and admin role. |
| Accounts | Revert Account Policy | This reverts the account policy to inherited settings. |
| Accounts | Reactivate Account | This reactivates an expired account. This command requires a global user or Support. Consult with your SentinelOne SE. |
| Accounts | Expire An Account | This expires an account immediately. The user must have global access or account access with permissions for the account. |
| Accounts | Get Uninstall Password Metadata | This gets the uninstall password metadata, such as which user created and revoked it, and when. |
| Accounts | Get Uninstall Password | This gets the uninstall password to uninstall several agents of one account with one command. |
| Accounts | Generate Regenerate Uninstall Password | You can uninstall all agents of one account with one command that requires a password. This command sets a new account level uninstall password. |
| Accounts | Revoke Uninstall Password | This deletes the account level uninstall password. If you do not delete it, you or another console user can mistakenly use the account passphrase, and uninstall all agents when you mean to uninstall one agent. |
| Accounts | Export Accounts | This exports account data to a CSV for accounts that match the filter. |
| Activities | List Activities | This gets the Activities and their data that match the filters. We recommend that you set some values for the filters. |
| Activities | List Activity Types | This gets a list of activity types. This is useful to see valid values to filter activities in other commands. |
| Activities | Last Activity As Syslog Message | To see examples of Syslog messages, you can get the Syslog message that corresponds to the last activity that matches the filter. This is not intended for production purposes. |
| Activities | Export Activities | This exports the list of Activities. |
| Agent Actions | Broadcast Message | You can send a message through the agents that users can see. |
| Agent Actions | Connect To Network | After you run disconnect from network on endpoints, analyze the issue and mitigate threats. Use this command to reconnect to the network all the endpoints that match the filter. To learn more, see Disconnect from Network. |
| Agent Actions | Initiate Agent Scan | Use this command to run a full disk scan on agents that match the filter. |
| Agent Actions | Abort Scan | This immediately stops a full disk scan on all agents that match the filter. See Initiate scan to learn more about full disk scan. |
| Agent Actions | Disconnect From Network | Use this command to isolate (quarantine) endpoints from the network if the endpoints match the filter. |
| Agent Actions | Decommission | If a user is scheduled for time off or a device is scheduled for maintenance, you can decommission the agent. |
| Agent Actions | Restart | Use this command to restart endpoints that have an agent installed and that fit the filter. We recommend that you use the broadcast command to send a message to users of endpoints before you restart their computers. |
| Agent Actions | Uninstall | Use this command to uninstall agents that match the filter. For Windows and macOS, make sure that all remnants of the agent are removed, and reboot the endpoints after uninstall. Use the restart command. |
| Agent Actions | Shutdown | You can shut down endpoints remotely for performance maintenance or security. This command shuts down all endpoints that match the filter. |
| Agent Actions | Approve Uninstall | This approves an uninstall request that is sent to the management. |
| Agent Actions | Update Software | Use this command to update the agent version on endpoints that have the agent installed and that match the filter. |
| Agent Actions | Reset Local Config | This clears the SentinelCtl changes from all agents that match the filter. |
| Agent Actions | Set External ID | You can add a customer identifier string to identify each endpoint or to tag sets of endpoints. The string shows in the endpoint details of the management console. |
| Agent Actions | Fetch Files | This fetches files from endpoints up to MB for each command to analyze the root of threats that come from files of course. |
| Agent Actions | Move Between Sites | This command requires account or global level access. |
| Agent Actions | Fetch Firewall Rules | This fetches firewall rules from agents. |
| Agent Actions | Move To Console | You can move agents between management consoles. |
| Agent Actions | List Agent Applications | The Application Risk Management is an EA feature. Contact your partner or SentinelOne SE to learn how to join the EA program. |
| Agent Actions | Start Remote Shell | Remote shell is an opened websocket between the browser and the agent with a proprietary communication protocol that requires an unreasonable effort to run from the API. We recommend that you do not use this call. |
| Agent Actions | Check Remote Shell Availability | This lets you open full shell capabilities (PowerShell on Windows and Bash on macOS and Linux) to be able to run a remote shell session. |
| Agent Actions | Terminate Remote Shell | This terminates a remote shell on an agent. |
| Agent Actions | Fetch Firewall Logs | This gets Firewall Control events in the local log file written in clear text for Firewall Control events of an endpoint with Firewall Control enabled. This also enables the logs for agents that match the filter. |
| Agent Actions | Mark As Up To Date | The value of the agent version as up to date is a useful filter for many actions. There are scenarios where the management does not recognize a version as latest. |
| Agent Actions | Enable Ranger | This enables the S1 ranger service. |
| Agent Actions | Disable Ranger | This disables the ranger from the agents that match the filter. |
| Agent Actions | Edit Agent Upgrade Site Authorization | This action makes edits when the authorization of local upgrades expires. |
| Agent Actions | Enable Agent | Use this command to enable disabled agents that match the filter. |
| Agent Actions | Disable Agent | Use this command to disable agents that match the filter. |
| Agent Actions | Start Remote Profiling | Use this command to start remote profiling on agents that match the filter. |
| Agent Actions | Stop Remote Profiling | Use this command to stop remote profiling on agents that match the filter. If the command returns insufficient permissions, make sure you have permissions for the account, site, or group and a role that allows Stop Remote Profiling (Admin or IT). |
| Agent Actions | Approve Stateless Upgrades | This approves stateless upgrade for agents. |
| Agent Actions | Manage Endpoint Tags Add Remove Override | This override forces the new key and value to be added to the endpoints. If you use add to add a key when that key already exists with a different value, it will not take effect. |
| Agent Actions | Set Persistent Configuration Overrides | This command requires global permissions or support. |
| Agent Actions | Fetch Logs | This gets the agent and endpoint logs from agents that match the filter. |
| Agent Actions | Reject Uninstall | This rejects uninstall requests for all agents that match the filter. To learn more about uninstall requests, see Approve Uninstall. |
| Agent Support Actions | Clear Remote Shell | Remote shell is a powerful way to respond remotely to events on an endpoint. |
| Agents | List Agents | This gets the Agents and their data that match the filter. This command gives the agent ID, which you can use in other commands. To save the list and data to a CSV file, use export agents. |
| Agents | Count Agents | This gets the count of Agents that match a filter. This command is useful to run before you run other commands. You will be able to manage agent maintenance better if you know how many Agents will get a command that takes time, such as update software. |
| Agents | Get Passphrase | This shows the passphrase for the Agents that match the filter. This is an important command as you will need the passphrase for most SentinelCtl and API commands. |
| Agents | Export Agent Logs | This gets agent logs from Agents that match the filter. You can filter by agent ID, run agents to get the ID, or run activity types to get the activity ID. Send the logs to SentinelOne Support for assistance. |
| Agents | List Agent Installed Applications | This gets the installed applications for a specific agent. |
| Agents | Get Local Upgrade Agent Authorization | This gets the time when authorization of local upgrades expires. |
| Agents | Export Agents | This exports agent data to a CSV for Agents that match the filter. This command exports up to items, and each datum is an item. |
| Agents | List The Endpoint Tags That Match The Filters | This gets the endpoint tags. |
| Agents | Export Agents Light | This exports agent data to a CSV for Agents that match the filter. This command exports up to items, and each datum is an item. |
| Alerts | List Alert Actions | This gets a list of all actions available on Alerts that match the filters. |
| Alerts | Disconnect Agents From Network | This disconnects agents from network using a filter list. This will create war events, which will be translated to MGMT incoming commands and from there, it will be executed on the management. |
| Alerts | Reconnect Agent To Network | This reconnects an agent to the network using a filter list. This will create war events, which will be translated to MGMT incoming commands and from there, it will be executed on the management. |
| Alerts | Mark Alert As Threat With SYPE Suspicious Malicious | This marks Alerts as threats using a filter list. This will create war events, which will be translated to MGMT incoming commands and from there, it will be executed on the management. |
| Alerts | Update Alert Analyst Verdict | This changes the verdict of an Alert. |
| Alerts | Update Threat Incident | This updates the incident details of an alert. |
| Alerts | List Alerts | This gets a list of alerts for a given scope. |
| Application Management | Inventory Endpoints Data Export | This exports application inventory endpoints data to CSV. |
| Application Management | Aggregated Application Risk Data Export | This exports aggregated application data to CSV. |
| Application Management | Application Risk Data Export | This exports application data to CSV. |
| Application Management | Risk Endpoint Data Export | This exports endpoint data to CSV. |
| Application Management | Application CVE Data Export | This exports CVE data to CSV. |
| Application Management | Count Endpoints | This shows a count of endpoints for each filter value. |
| Application Management | Count Risky Aggregated Applications | This shows a count of risky aggregated applications for each filter value. |
| Application Management | Count Risky Applications | This shows a count of risky applications for each filter value. |
| Application Management | Count Risky Endpoints | This shows a count of risky endpoints for each filter value. |
| Application Management | Count Risky CVEs | This shows a count of risky CVEs for each filter value. |
| Application Management | Inventory Data Export | This exports application inventory data to CSV. |
| Application Management | Risks Data Export | This exports risks data to CSV. |
| Application Management | Count Endpoints By Versions | This shows endpoint count for all versions of selected application. |
| Application Management | Count Applications | This shows a count of applications for each filter value. |
| Application Management | List Endpoints | This gets endpoint data for a specific application. |
| Application Management | Additional Risk Information | This gets additional information about a selected risk. |
| Application Management | Get Aggregated Applications With Risk | This gets data for all applications. This is available with the CVE Prioritization add-on license. |
| Application Management | List Risk Application Endpoints | This gets a list of all endpoints installed with a specific application. |
| Application Management | List Application CVEs | This gets CVE data for a specific application. |
| Application Management | Scan Availability | This gets information about application vulnerability scan times and availability. |
| Application Management | Get Application Management SKU | This gets whether Application Management SKU is available for the specified scopes. |
| Application Management | List Application Inventory | This gets application inventory data grouped by application name and vendor. |
| Application Management | Get CVE Data | This gets the CVE vulnerability data for each CVE. |
| Application Management | Initiate Application Vulnerability Scan | This initiates an application vulnerability scan. |
| Application Management | Risk Detail | This gets detailed information about a selected risk. |
| Application Risk | List Application Risk | This gets the applications, and their data such as risk level, installed on endpoints with Application Risk-enabled agents that match the filter. |
| Application Risk | List CVEs | This gets the known CVEs for applications that are installed on endpoints with application risk-enabled agents. Application Risk requires a complete SKU. |
| Application Risk | Export Applications | This exports the list of applications installed on endpoints with Application Risk-enabled agents and their properties. |
| Auto Upgrade Policy | List Available Packages | This lists available packages for upgrade policies. |
| Auto Upgrade Policy | Check if Policy Exists | This checks if upgrade policies exist for given scopes. |
| Auto Upgrade Policy | List Parent Policies | This gets paginated and ordered parent policies by a given scope. |
| Auto Upgrade Policy | List Upgrade Policies | This gets paginated and ordered policies by a given scope. |
| Auto Upgrade Policy | Deactivate Policies | This deactivates all policies. |
| Auto Upgrade Policy | Policies OS Count | This gets the number of policies for each OS for a given scope level and ID. |
| Auto Upgrade Policy | Create Policy | This adds a policy. |
| Auto Upgrade Policy | Update Policy | This updates an existing policy. |
| Auto Upgrade Policy | Policy Action | This performs an action on a certain policy. |
| Auto Upgrade Policy | Reorder Policies | This reorders policies. |
| Auto Upgrade Policy | Set Scope Inheriting | This sets scope inheritance for upgrade policies. |
| Cloud Funnel | Validate Bucket | This validates bucket permissions. |
| Cloud Funnel | Validate Query | This verifies that a query is valid before using it as a filter for a Cloud Funnel onboarding. |
| Cloud Funnel | Get Cloud Funnel Rule | This gets Cloud Funnel onboarding rule details. |
| Cloud Funnel | Post Onboarding Cloud Funnel | This posts the onboarding Cloud Funnel rule. |
| Cloud Funnel | Delete Cloud Funnel Rule | This deletes Cloud Funnel onboarding rule. |
| Cloud Funnel | List Estimate Size Of Events | This gets the estimate size of events in the bucket. You need the estimator ID, which can be generated by running the API Create Estimator ID. |
| Cloud Funnel | Create Estimator ID | This creates an estimator ID. This is needed to run the API get estimate size of events. |
| Cloud Provider Account | List Cloud Provider Account Active Health Events | This gets the Cloud Provider Account active health events. |
| Cloud Resources | Export Cloud Rogue Resources To CSV | This returns the results for given cloud rogues filter in a CSV format. |
| Cloud Resources | List Cloud Rogue Resources | This returns the cloud rogue resources for given filter. |
| Config Overrides | List Config Overrides | This views the configuration values that are changed for each agent that matches the filter. |
| Config Overrides | Create Config Override | This overrides the configuration of agents that match the filter. |
| Config Overrides | Delete Config Overrides | This deletes the override value. To get the required IDs, run the config override. |
| Config Overrides | Update Config Override | Use this command to change the value of one configuration value. To get the required ID, run Config Overrides. |
| Config Overrides | Delete Config Override | This deletes an override value. To get the required ID, run Config Overrides. |
| Create Exclusion | Create Unified Exclusion | This creates exclusions to make your agents suppress alerts and mitigation for items that you consider to be benign. |
| Custom Detection Rule | List Rule Actions | This gets a list of all actions available on rules that match the filters. |
| Custom Detection Rule | Disable Rules | This disables Custom Detection Rules based on a filter. |
| Custom Detection Rule | Activate Rules | This activates Custom Detection Rules based on a filter. |
| Custom Detection Rule | List Cloud Detection Rules | This gets a list of Custom Detection Rules for a given scope. Note: You can create and see rules only for your highest available scope. |
| Custom Detection Rule | Create Rule | This creates a Custom Detection Rule for a scope specified by ID. To get the ID, run accounts, sites, or groups; set the tenant to true for global. |
| Custom Detection Rule | Delete Rule | This deletes Custom Detection Rules that match a filter. |
| Custom Detection Rule | Update Rule | This changes the Custom Detection Rules. This command requires the rule ID. See Get Rules. |
| Deep Visibility | Create Deep Visibility Query | This starts a Deep Visibility query and gets the query ID. |
| Deep Visibility | Cancel Running Deep Visibility Query | This stops a Deep Visibility query by query ID. The body is queryID string_ID. As well, this gets the ID of the Deep Visibility query or power query from the initial query. Deep Visibility requires a complete SKU. See Create Query and get Query ID. |
| Deep Visibility | List Deep Visibility Query Status | This gets the status of a Deep Visibility query. When the status is Finished, you can get the results with the queryId in Get Events. |
| Deep Visibility | List Deep Visibility Events | This gets all Deep Visibility events from a queryId. You can use this command to send a sub-query (a new query to run on these events). This also gets the ID from the initial query. See Create Query and get Query ID. |
| Deep Visibility | Get Deep Visibility Process State | This gets the details of all Deep Visibility processes from a query ID. To get the ID from the initial query, see Create Query and get Query ID. |
| Deep Visibility | Get Events By Type | This gets the Deep Visibility results from the query that matches the valid values of the given event type. |
| Deep Visibility | Create Power Query | This starts a Deep Visibility power query. This gets back the status and potential result ping afterwards using the query ID if the query has not finished. |
| Deep Visibility | Download Source Process File | This downloads the source process file associated with a Deep Visibility event. |
| Device Control | List Device Rules | This gets the Device Control rules of a specified Account, Site, Group, or Global tenant that match the filter. |
| Device Control | Create Device Control Rule | Use this command to create a new Device Control rule. These rules allow or block devices based on the device identifiers. Rules apply to a scope (global tenant, account, site, or group). To learn the details of the fields, see HTTPS Support Sentinelone. |
| Device Control | Delete Device Control Rules | This deletes the Device Control rules that match the filter. |
| Device Control | Update Device Rule | This changes the Device Control rule that matches the filter. To learn more about the fields, see HTTPS Support Sentinelone. |
| Device Control | Copy Device Control Rules | You can copy a set of Device Control rules to use in other Accounts, Sites, or Groups. Copy rules from a source. |
| Device Control | Move Device Control Rules | This command removes the rule from the source and copies to the targets. |
| Device Control | Reorder Device Control Rules | This reorders rules for the S1 filtering logic. |
| Device Control | Get Device Control Configuration | This gets the Device Control configuration for a given scope. |
| Device Control | Update Device Control Configuration | Use this command to change the Device Control configuration. |
| Device Control | Export Device Control Rules | This exports the Device Control rules to a CSV file. |
| Device Control | List Device Control Events | This gets the data of Device Control events on Windows and macOS endpoints with Device Control-enabled agents that match the filter. Device Control requires Control SKU. Linux agents do not support Device Control. |
| Device Control | Enable/Disable Device Control Rules | This changes the status of a rule between Enabled and Disabled. |
| Exclusions And Blocklist | Import Exclusions | This uploads a CSV file that contains exclusion entries to import to a scope in your Management. |
| Exclusions And Blocklist | Get Exclusion Import Validation Report | This gets the Validation Report generated for the import to help you fix entries that did not import successfully. |
| Exclusions And Blocklist | Import Blocklist Items | This uploads a CSV file that contains blocklist entries to import to a scope in your Management. |
| Exclusions And Blocklist | Get Blocklist Import Validation Report | This gets the Validation Report generated for the import to help you fix entries that did not import successfully. |
| Exclusions And Blocklist | List Exclusions | This gets a list of all the Exclusions that match the filter. |
| Exclusions And Blocklist | Update Exclusions | This changes the properties of an exclusion through the data fields. To get the original data, run Exclusions with a filter to give the item you want. |
| Exclusions And Blocklist | Create Exclusion | This creates Exclusions to make your agents suppress alerts and mitigation for items that you consider to be benign. |
| Exclusions And Blocklist | Delete Exclusions | Every exclusion opens a possible security hole. If you decide that an exclusion or multiple Exclusions is not required, use this command to delete it. To get the ID of the exclusion to delete, run the exclusions command. |
| Exclusions And Blocklist | List Blocklist Items | This gets a list of all the items in the Blocklist that match the filter. To filter the results for a scope: Global: make sure tenant is true and no other scope ID is given. Account: make sure tenant is false and at least one Account ID is given. |
| Exclusions And Blocklist | Update Blocklist Item | This changes the properties of a Blocklist item through the data fields. To get the original data, run restrictions with a filter to give the item you want. |
| Exclusions And Blocklist | Create Blocklist Item | This creates a blocklist item for a SHA hash for the scopes you enter in the filter fields. You can add the hash to multiple Groups, Sites, Accounts, and to the Global list. |
| Exclusions And Blocklist | Delete Blocklist Item | This removes items from the Blocklist. |
| Exclusions And Blocklist | Validate Exclusion Item | This checks if an exclusion is on the list of SentinelOne items that are Not Allowed or Not Recommended. |
| Exclusions And Blocklist | Validate Blocklist Item | This checks if a hash is on the list of SentinelOne items that are Not Allowed or Not Recommended. |
| Exclusions And Blocklist | Export Exclusions | This gets a CSV of all the items in the Exclusions that match the filter. Note: To see items from the Global Exclusion scope, make sure the tenant is set to true and no other scope ID is given. |
| Exclusions And Blocklist | Export Blocklist | This gets a CSV of all the items in the Blocklist that match the filter. Note: To see items from the Global Blocklist, make sure the tenant is set to true and no other scope ID is given. |
| Filters | List Saved Filters | This gets the list of saved filters. See Save Filter. The response includes the ID of the filter, which you can use in other commands. |
| Filters | Save Filter | This saves a new filter to get a list of matching endpoints. |
| Filters | Update Filter | This updates an existing filter. |
| Filters | Delete Filter | This deletes a saved filter. |
| Filters | List Deep Visibility Filters | This gets the saved Deep Visibility queries with full data. See Save Deep Visibility Filters. The response includes the ID of the filter, which you can use in other commands. |
| Filters | Save Deep Visibility Filter | This saves a Deep Visibility query with data as a filter to get notifications of specific events sent to named recipients. |
| Filters | Update Deep Visibility Filter | This changes a saved Deep Visibility filter. To get the ID and fields to change, run the Get Deep Visibility filters. |
| Filters | Delete Deep Visibility Filter | This deletes a saved Deep Visibility query. |
| Filters | Upload CSV File | This uploads a CSV file for filtering. |
| Firewall Control | Update Firewall Rule | This changes a Firewall Control rule. This command requires the rule ID, which you can get from Firewall Control. See Get Firewall Rules, Firewall Control Unscoped, and Get Unscoped Rules. |
| Gateways | List Gateways | This gets the Gateways in your deployment that match the filter from a Ranger scan. Ranger requires a Ranger license. |
| Gateways | Update Gateways | This changes the status of filtered Gateways discovered by Ranger. You can set the archived status, whether the network behind the gateway may be scanned by Ranger and whether Ranger will scan only local networks. |
| Gateways | Update Gateway | This changes the Ranger scan configuration for a gateway that the Ranger discovers. |
| Generic Request | SentinelOne API Request | This is the generic action for making authenticated requests against the SentinelOne API. |
| Groups | List Groups | This gets the data of groups that match the filter. |
| Groups | Create Group | This creates a new Group. You must create the Group in a Site (run sites to get the Site ID) for which you have permissions. If you create a dynamic Group, you must have the ID of a filter saved in the Site (run filters site IDs). |
| Groups | Regenerate Group Token | This gets a new Group Token for a static Group. |
| Groups | Get Group | This gets data of a given group. To get a Group ID, run Groups. This command responds with the ID of the site of the group and group name type, whether dynamic or static. Your username must have permissions for the site. |
| Groups | Update Group | This changes the properties of a group specified by its ID. |
| Groups | Delete Group | This deletes a group given by the required Group ID. |
| Groups | Revert Policy | A group can have a policy that is different from its site policy. Use this command to revert the changes on the group policy to inherit the site policy. Your user must have permissions on the site. |
| Groups | Move Agents | This moves agents that match the filter to a group. The Group ID is required (to get it, run groups), and there can only be one. This will move the matched agents that are in the same site as the given group. |
| Groups | Update Group Ranks | This updates the agent assignment rank for the group. |
| Groups | Get Group Site Registration Token | This gets the registration token of the group of the ID. |
| Hashes | Hash Reputation Verdict | This gets the verdict of the hash, given the required SHA. A hash, either malicious or non-malicious, means it has been marked as such by the Reputation's sources. An unknown answer is given for hashes that are not yet known by the Reputation. |
| Licenses | Update Sites Add Ons | This changes the add-ons of the sites by a given filter. |
| Live Updates | List Agent Merged Updates | This gets the agent's merged updates. |
| Locations | List Locations | This gets the locations of agents in a given scope that match the filter. |
| Locations | Create Location | This creates a location that defines the parameters of agents in a scope filter that the Parameters include. |
| Locations | Delete Locations | This deletes the location definitions of a given location. To get the location IDs, run locations. |
| Locations | Update Location | This changes the parameter values of a location definition. See Create Location. |
| Manage | Update Rule And Alert Limits Per Scope | This updates rules and alert limits for a specific scope. |
| Manage | Update Custom Hit Aggregation Window Time Per Scope | This updates custom hit aggregation window time for a specific scope. |
| Manage | Delete Custom Hit Aggregation Window Time | This deletes a custom hit aggregation window time configuration. |
| Marketplace | List Singularity Marketplace Availability | This returns the Singularity Marketplace availability. |
| Marketplace | List Singularity Applications Catalogs | This gets the Marketplace Application Catalog. |
| Marketplace | Update Singularity Application Configuration | This updates the installed application configuration. |
| Marketplace | Install Applications | This installs an application from the Application Catalog. |
| Marketplace | Delete Application | This deletes an application integration from your Marketplace. |
| Marketplace | List Configuration Fields | This gets the Catalog Application Configuration Fields. |
| Marketplace | Get Configuration Fields For Catalog Application | This returns the configuration schema for a requested Application Catalog. |
| Marketplace | Enable Or Disable Application | Use this command to enable or disable application integrations that match the filter. |
| Network Quarantine Control | Create Firewall Rule | This creates a Firewall Control rule for a scope specified by ID. |
| Network Quarantine Control | Delete Firewall Control Rule | This deletes Firewall Control rules that match the filter. |
| Network Quarantine Control | Copy Firewall Control Rules | This copies a set of rules to other scopes. In the filter of the body, enter the properties to define the source. In the data field of the body, define the targets by ID. To get a scope ID, run accounts, sites, or groups. |
| Network Quarantine Control | Move Firewall Control Rules | This removes Firewall Rules defined with the ID of the rules. This also runs Firewall Control from scopes specified by ID (run accounts, sites, or groups) and adds the rules to the scope IDs in the data field. Firewall Control requires a Control SKU. |
| Network Quarantine Control | Set Location Aware Firewall Control Location | This sets the location attributes for a Location Aware Firewall Control rule. These rules are applied by agents only if the network parameters of the endpoint match the properties of the location definition. |
| Network Quarantine Control | Reorder Firewall Control Rules | This changes the order of rules for a scope specified by ID (run accounts, sites, or groups). |
| Network Quarantine Control | Get Firewall Control Configuration | This gets the Firewall Control configuration for a given scope. |
| Network Quarantine Control | Update Firewall Control Configuration | This changes the Firewall Control configuration for a given scope. |
| Network Quarantine Control | Export Firewall Control Rules | This exports Firewall Control rules that match the filter to a JSON file from a scope specified by ID. |
| Network Quarantine Control | Import Rules | This imports Firewall Control rules from an exported JSON file to scopes specified by ID. Run accounts, sites, or groups to get the IDs, or leave the scope empty and set the tenant to true. Firewall Control requires a Control SKU in the target and in the source. |
| Network Quarantine Control | Enable/Disable Firewall Control Rules | This changes the status of a set of Firewall Control rules that match the filter to Enabled or Disabled. In one request, you can set one status or the other. |
| Network Quarantine Control | List Protocols | This gets a list of protocols that can be used in Firewall Control rules. |
| Network Quarantine Control | Add Rule Tags | This creates a Firewall Rule tag. Tags represent Firewall policies, a set of rules in a specific order. After you create the tag, add rules to it. Note: Tags apply to a scope and cannot be linked to rules from different scopes. |
| Network Quarantine Control | Remove Rule Tags | This removes firewall tags from rules matching the filter. Tags represent Firewall policies, a set of rules in a specific order. When you remove a rule with a tag, all scopes that subscribe to the tag get the change. |
| Policies | Get Group Policy | This gets the policy of the group given by ID. |
| Policies | Update Group Policy | This changes the policy for the group given by ID. |
| Policies | Get Site Policy | This gets the policy of the site given by ID. To get the ID of a site, run sites. See also Get Policy. |
| Policies | Update Site Policy | This changes the policy for the site given by ID. |
| Policies | Get Account Policy | This gets the policy for the account given by ID. To get the ID of an account, run accounts. See also Get Policy. |
| Policies | Update Account Policy | This changes the policy for the account given by ID. |
| Policies | Get Global Policy | This gets the Global policy. This is the default policy for your deployment. See also Get Policy. |
| Policies | Update Global Policy | This changes the policy of your deployment. |
| Reports | S1 Rss Feed | This gets the SentinelOne RSS feed. In the SentinelOne Management Console, we show the feed contents in the Dashboard. |
| Reports | List Reports | This gets the reports that match the filter and the data of the reports. |
| Reports | List Report Tasks | This gets the tasks that were done to generate reports and to schedule future reports. |
| Reports | Create Report Task | This creates a task to generate a report immediately, one time in the future, or on a schedule. |
| Reports | Update Report Task | This updates the report task of the given ID. To get the task ID and the data to change, run Get Report Tasks. |
| Reports | Delete Reports | This deletes the reports that match the filter. To delete a specific report, use its ID (see Get Reports). |
| Reports | Delete Report Tasks | You can schedule a report to be generated on a routine. Use this command to remove a task to generate a report in the future. To get an ID to delete a specific task, see Get Report Tasks. |
| Reports | Download Report | When the Management generates a report, it is uploaded to the Management Console. Use this command to get the report as a PDF or HTML file. To get the ID of the report, see Get Reports. |
| Reports | List Insight Report Types | This gets the Insight Report types. |
| Rogues | Get Rogues Table | This gets the data for each row in the Rogues Device Inventory Table. |
| Rogues | Export Rogues Data | This exports Rogues data into CSV. You can set filters to get only the relevant data. The response sends the CSV data as text. |
| Rogues | List Rogues Settings | This lists settings for S1 Rogue Service. |
| Rogues | Update Rogues Settings | This changes the Rogues Settings. |
| Service Users | List Service Users | This gets a list of service users. |
| Service Users | Create Service User | This creates a new service user. |
| Service Users | Export Service Users | This exports Service User data into a CSV for Service Users that match the filter. |
| Service Users | Update Service User | This changes the properties of the service user with the given ID. |
| Service Users | Delete Service User | This deletes a service user by ID. |
| Service Users | Bulk Delete Service Users | This deletes all service users that match the filter. |
| Settings | Get Application Management Settings | This gets the Application Management settings. |
| Settings | Update Application Management Settings | This updates the Application Management settings. |
| Sites | List Sites | This gets the Sites that match the filters. The response includes the IDs of Sites, which you can use in other commands. |
| Sites | Create Site | This creates a Site. This requires an Admin role with a Global scope or Account scope that has permissions over the Account to which the Site will belong. You must have a license for a new Site. In the body of this request, include the policy. |
| Sites | Export Sites | This exports Sites data to a CSV for Sites that match the filter. |
| Sites | Get Site | This gets the data of the Site with the given ID. To get the ID, run sites. The response shows the Site expiration date, SKU licenses total, active token, Account name and ID, who created or changed it and when, and its status. |
| Sites | Update Site | This changes the policy and properties of the Site given by ID. To get the ID, run sites. |
| Sites | Delete Site | This deletes the Site of the given ID. To get the ID, run sites. You must have an Admin role with scope access that includes the Site. |
| Sites | Get Site Registration Token | This gets the registration token of the Site with the given ID. |
| Sites | Revert Site Policy | When a Site is created through the Console, it gets the Global policy. If you change the policy and later want it set to the Global policy, use this command. The site_id is required. You can get it from sites. |
| Sites | Create Site And User | This creates a Site and an Admin role user. This requires an Admin role with a Global scope or Account scope that has permissions over the Account to which the Site will belong. You must have a license for a new Site. |
| Sites | Regenerate Site Key | This regenerates the key for the given Site. To get the site_id, use sites. |
| Sites | Reactivate Site | This reactivates an expired Site. You must have an Admin role with scope access that includes this Site, and you must have a license for the Site. To get the site_id, run sites. |
| Sites | Expire Site | This expires the Site of the given ID. Run sites to get the ID. You must have an Admin role with scope access that includes this Site. |
| Sites | Update Sites | This changes the properties of the Sites given by IDs. To get the IDs, run sites. |
| Sites | Get Local Upgrade Site Authorization | This gets the time when authorization of local upgrades expires, as well as the number of Agents authorized for local upgrade in this Site. |
| Sites | Edit Local Upgrade Site Authorization | Use the Edit function when authorization of local upgrades expires. This returns the number of Agents authorized for local upgrade in this Site. |
| Sites | Get A CSV File Of Local Upgrade Site Authorization Data | This gets a CSV file containing the Agents authorized for local upgrade in this Site. |
| System | System Info | This gets the Console build, version, patch, and release information. |
| System | System Status | This gets an indication of the system's health status. |
| System | Get System Config | This gets the configuration of your SentinelOne system. The response shows the basic information of the deployed SKUs, licenses, 2FA, and the Management URL. |
| System | Set System Config | This changes the system configuration. Before you run this, see Get System Config. This command requires a Global Admin user or Support. |
| Tag Manager | Create A New Endpoint Tag | Each tag must contain a type endpoint. Key value is optional but recommended. A description is optional. |
| Tag Manager | Delete Endpoint Tags | This deletes all tags that match the filters. |
| Tag Manager | Edit Endpoint Tag | This changes the key value or description of a tag. |
| Tags | List Tags | This gets a list of tags that match the filter. |
| Tags | Create Tags | This adds tags to create user defined logical groups. |
| Tags | Delete Tags | This deletes tags by given filter. |
| Tags | Edit Tag | This changes the properties of a tag. |
| Tags | Delete Tag | This deletes a tag by ID. |
| Tasks | Get Task Configuration | This gets the task configuration of a scope. |
| Tasks | Create Task | This creates a task configuration. |
| Tasks | Check if Task Configuration has Child Scopes | From a given scope, this allows you to see if there are scopes under it that have local explicit tasks. The response returns True if a subscope has a local, not inherited, task configuration. |
| Tasks | Get Child Scope Task Configuration | This gets the task configuration of child scopes of the given scope if the tasks are not inherited. |
| Threat Intelligence | Update Custom Custom App Configuration Per Scope | This updates a custom app configuration for a specific scope. |
| Threat Intelligence | Delete Custom Config App | This deletes a custom app configuration. |
| Threat Intelligence | List IoCs | This gets the IoCs of a specified Account that match the filter. |
| Threat Intelligence | Create IoCs | This adds an IoC to the Threat Intelligence database. |
| Threat Intelligence | Delete IoCs | This deletes an IoC from the Threat Intelligence database that matches a filter using the accountID and one other field. |
| Threat Intelligence | Get IOC Enrichment For Threat | This gets IoC enrichment of a specified threat and the events associated with the threat. |
| Threat Notes | List Threat Notes | This gets the threat notes that match the filter. |
| Threat Notes | Add Note To Multiple | This adds a threat note to multiple threats. |
| Threat Notes | Update Threat Note | This changes the text of a threat note. |
| Threat Notes | Delete Threat Note | This deletes a threat note. |
| Threats | List Threats | This gets the data of threats that match the filter. |
| Threats | Mitigate Threats | This applies a mitigation action to a group of threats that match the filter. |
| Threats | Add To Blocklist | This adds threats that have a SHA hash and that match the filter to the Blocklist of the target scope: Global, Account, Site, or Group. |
| Threats | Fetch Threat File | This fetches a file associated with the threat that matches the filter. Your user role must have permissions to Fetch Threat File (Admin, IR Team, SOC). |
| Threats | Disable Engines | If your list of threats shows too many False Positives, use this command to troubleshoot the Agent Engines that return unexpected results in your deployment. |
| Threats | Exclusion Options | This gets the Exclusion types that can be created from the detection data. |
| Threats | List Threat Events | This gets all the threat events. |
| Threats | Add Threat to Exclusions | This adds a threat to exclusions. |
| Threats | Export Threats | This exports data of threats as seen in the Console Incidents that match the filter. Note: Use the filter. This command exports only items; each datum is an item. |
| Threats | Add To Blocklist Deep Visibility | This adds a SHA hash to the Blocklist from Deep Visibility results. |
| Threats | Mark Deep Visibility Event As Threat | This marks an event from Deep Visibility data as a threat. |
| Threats | Export Mitigation Report | This exports the mitigation report as a CSV file. |
| Threats | Updated Threat Incident | This updates the incident details of a threat. |
| Threats | Update Threat Analyst Verdict | This changes the verdict of a threat as determined by a Console user. |
| Threats | Update Threat External Ticket ID | This changes the external ticket ID of a threat. |
| Threats | Download From Cloud | This downloads the threat file from the cloud. |
| Threats | Disconnect Container | This performs a network quarantine on a specific container. |
| Threats | Reconnect Container | This restores network to a container that was disconnected. |
| Threats | Get Threat Timeline | This gets a threat's timeline. |
| Threats | Export Threat Timeline | This exports a threat's timeline. |
| Threats | Export Events | This exports threat events in CSV or JSON format. |
| Update Exclusion | Update Unified Exclusion | This changes the properties of an exclusion through the data fields. To get the original data, run exclusions with a filter to give the item you want. |
| Updates | List Latest Agent Agent Packages | This gets the agent packages that are uploaded to your Management. The response shows the data of each package, including the IDs, which you can use in other commands. |
| Updates | Delete Agent Packages | This deletes agent packages from your Management. Use the IDs from Get Latest Packages. |
| Updates | Update Agent Package | This updates the metadata for an existing package. |
| Users | List Users | This gets a list of users. |
| Users | Create User | This creates a new user. |
| Users | Export Users | This exports user data to a CSV for users that match the filter. |
| Users | Get User | This gets a user by ID. |
| Users | Update User | This changes the properties of the user of the given ID. |
| Users | Delete User | This deletes a user by ID. |
| Users | Bulk Delete Users | This deletes all users that match the filter. |
| Users | Enable 2FA | This enables two-factor authentication for a given user. |
| Users | Disable 2FA | This disables two-factor authentication for one user. This requires the ID of the user (run users). |
| Users | Enable 2FA App | This enables support for the 2FA app, such as Duo or Google Authenticator, that your Console users will use to log in. |
| Users | Change Password | This changes the user password. |
| Users | Check Global User | This allows you to see if the logged-in user is a user with the Global scope of access. |
| Users | Check Remote Shell Permissions | This allows you to see if the logged-in user is allowed to use Remote Shell. |
| Users | Check if User is Viewer | This allows you to see if the logged-in user only has viewer permissions. |
| Users | Send Verification Email | This sends a verification email to users that match the filter. Warning: Active users will be locked out of the Management Console until they verify unless set_user_password_methods is on their email. |
| Users | Reset 2FA | This resets the 2FA for users. |
| Users | Delete 2FA | This deletes the 2FA for users. |
| Users | Enroll 2FA | This enrolls users for 2FA setup. |
| Users | Update 2FA Email | This updates the two-factor authentication recovery email. |
| Users | Verify 2FA Code | This verifies the 2FA code for a user. |
| Users | Set A New Password | This sets a new password for the user. This is used for forced password reset and password expiration flows. This accepts temporary tokens from users login with error codes. |
| Users | Send Reset Password Email | This prompts to reset the password for users. |
| Users | Reset Password On Next Login | This forces users to reset their password on next login. |
