Get Events
Get all threat events.
Parameters
Parameter | Description |
---|---|
Count Only | If true, only the total number of items is returned, without any of the actual objects. |
Cursor | Cursor position returned by the previous request. Use it to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=". |
Event ID | Filters by a specific process key and its children. |
Limit | Limits the number of returned items (1-1000). Example: 10. |
Return All Pages | Automatically fetch all resources, page by page. |
Sort By | The column to sort the results by. |
Threat ID | The threat ID. |
Example Output (the values "string", "boolean" and "integer" below are type placeholders, not sample values)
{
"errors": [
{
"type": "object"
}
],
"pagination": {
"nextCursor": "YWdlbnRfaWQ6NTgwMjkzODE=",
"totalItems": 580
},
"data": [
{
"siteId": "string",
"user": "string",
"agentId": "string",
"agentIsActive": "boolean",
"registryPath": "string",
"parentPid": "string",
"processStartTime": "2018-02-27T04:49:26.257525Z",
"networkMethod": "string",
"processImageSha1Hash": "string",
"taskPath": "string",
"fileId": "string",
"agentVersion": "string",
"processIntegrityLevel": "string",
"verifiedStatus": "string",
"taskName": "string",
"eventType": "string",
"fileFullName": "string",
"agentMachineType": "string",
"processSessionId": "string",
"processSubSystem": "string",
"agentIp": "string",
"agentName": "string",
"connectionStatus": "string",
"pid": "string",
"processName": "string",
"indicatorMetadata": "string",
"protocol": "string",
"trueContext": "string",
"parentProcessGroupId": "string",
"createdAt": "2018-02-27T04:49:26.257525Z",
"dstPort": "integer",
"rpid": "string",
"storyline": "string",
"processGroupId": "string",
"activeContentHash": "string",
"agentUuid": "string",
"siteName": "string",
"processRoot": "string",
"relatedToThreat": "boolean",
"agentOs": "macos",
"dnsRequest": "string",
"processIsMalicious": "boolean",
"oldFileSha1": "string",
"fileMd5": "string",
"agentDomain": "string",
"signatureSignedInvalidReason": "string",
"registryClassification": "string",
"publisher": "string",
"threatStatus": "string",
"indicatorDescription": "string",
"loginsUserName": "string",
"srcPort": "integer",
"networkUrl": "string",
"processDisplayName": "string",
"processImagePath": "string",
"signedStatus": "string",
"parentProcessIsMalicious": "boolean",
"dnsResponse": "string",
"registryId": "string",
"tid": "string",
"fileSha1": "string",
"indicatorCategory": "string",
"activeContentFileId": "string",
"fileSize": "string",
"md5": "string",
"fileType": "string",
"sha256": "string",
"agentGroupId": "string",
"objectType": "events",
"agentIsDecommissioned": "boolean",
"srcIp": "string",
"agentInfected": "boolean",
"processIsWow64": "string",
"indicatorName": "string",
"parentProcessUniqueKey": "string",
"direction": "string",
"fileSha256": "string",
"id": "string",
"processIsRedirectedCommandProcessor": "string",
"loginsBaseType": "string",
"oldFileSha256": "string",
"sha1": "string",
"activeContentPath": "string",
"dstIp": "string",
"processUniqueKey": "string",
"oldFileMd5": "string",
"processCmd": "string",
"hasActiveContent": "boolean",
"networkSource": "string",
"oldFileName": "string",
"processUserName": "string",
"parentProcessName": "string",
"agentNetworkStatus": "string"
}
]
}
Workflow Library Example
Get Events with Sentinelone and Send Results Via Email