Get Threats
Get data of threats that match the filter.
Basic Parameters
Parameter | Description |
---|---|
Analyst Verdicts | Filter alerts by an analyst verdict. Options:
|
Count Only | If true, only the total number of items is returned, without any of the actual objects. |
Created After | Created after a specified timestamp. |
Created Before | Created before a specified timestamp. |
Cursor | Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=". |
Incident Statuses | Filter alerts by a specific incident status. Options:
|
Limit | Limit number of returned items (1-1000). Example: 10. |
Return All Pages | Automatically fetch all resources, page by page. |
Sort By | The column to sort the results by. |
Threats IDs | Filter by a list of threat IDs. |
Advanced Parameters
Parameter | Description |
---|---|
Account IDs | List of account IDs to filter by. Example: 225494730938493804,225494730938493915. |
Example Output
{
"errors": [
{
"type": "object"
}
],
"pagination": {
"nextCursor": "YWdlbnRfaWQ6NTgwMjkzODE=",
"totalItems": 580
},
"data": [
{
"containerInfo": {
"id": "string",
"isContainerQuarantine": "boolean",
"image": "string",
"name": "string",
"labels": [
{
"type": "string"
}
]
},
"whiteningOptions": [
{
"type": "string"
}
],
"id": "225494730938493804",
"agentDetectionInfo": {
"siteName": "string",
"agentRegisteredAt": "2018-02-27T04:49:26.257525Z",
"groupName": "string",
"agentMitigationMode": "detect",
"agentIpV6": "string",
"agentIpV4": "string",
"siteId": "225494730938493804",
"accountName": "string",
"agentDomain": "mybusiness.net",
"cloudProviders": "object",
"agentOsName": "string",
"agentLastLoggedInUserName": "janedoe3",
"groupId": "225494730938493804",
"agentDetectionState": "string",
"agentOsRevision": "string",
"externalIp": "string",
"agentLastLoggedInUserMail": "string",
"agentLastLoggedInUpn": "string",
"accountId": "225494730938493804",
"agentVersion": "3.6.1.14",
"agentUuid": "string"
},
"threatInfo": {
"md5": "string",
"initiatedByDescription": {
"readOnly": true,
"description": "Initiated by description"
},
"sha256": "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c",
"threatName": "string",
"automaticallyResolved": "boolean",
"processUser": "string",
"mitigationStatusDescription": {
"readOnly": true,
"description": "Mitigation status description"
},
"classification": "string",
"filePath": {
"readOnly": true,
"description": "File path"
},
"initiatingUserId": "225494730938493804",
"originatorProcess": "string",
"engines": [
"reputation",
"pre_execution"
],
"pendingActions": "boolean",
"reachedEventsLimit": "boolean",
"fileVerificationType": "string",
"initiatedBy": "agent_policy",
"createdAt": "2018-02-27T04:49:26.257525Z",
"analystVerdictDescription": {
"readOnly": true,
"description": "Analyst verdict description"
},
"initiatingUsername": "string",
"publisherName": "string",
"identifiedAt": "2018-02-27T04:49:26.257525Z",
"storyline": "a00637fa-e18d-9b80-e803-f370524f8085",
"detectionEngines": [
"reputation",
"pre_execution"
],
"cloudFilesHashVerdict": "string",
"mitigatedPreemptively": "boolean",
"maliciousProcessArguments": "string",
"isFileless": {
"readOnly": true,
"description": "Is fileless"
},
"isValidCertificate": "boolean",
"mitigationStatus": "not_mitigated",
"sha1": "ddd5030a3d029f3845fc1052419829f08f312240",
"updatedAt": "2018-02-27T04:49:26.257525Z",
"detectionType": "static",
"incidentStatusDescription": {
"readOnly": true,
"description": "Incident status description"
},
"classificationSource": "Cloud",
"certificateId": "string",
"macroModules": [
{
"moduleName": "string",
"sha1": "string"
}
],
"browserType": "string",
"analystVerdict": "undefined",
"confidenceLevel": "malicious",
"incidentStatus": "unresolved",
"externalTicketId": "string",
"externalTicketExists": {
"readOnly": true,
"description": "External ticket exists"
},
"rebootRequired": "boolean",
"failedActions": "boolean",
"collectionId": "225494730938493804",
"threatId": "225494730938493804",
"fileExtensionType": "string",
"fileExtension": "string",
"fileSize": "integer"
}
}
]
}
Workflow Library Example
Get Threats with Sentinelone and Send Results Via Email