Get the data of the threats that match the filter.

Basic Parameters

Parameter | Description
Analyst Verdicts | Filter alerts by an analyst verdict. Options: false_positive, suspicious, true_positive, undefined.
Count Only | If true, only the total number of items is returned, without any of the actual objects.
Created After | Return only items created after the specified timestamp.
Created Before | Return only items created before the specified timestamp.
Cursor | Cursor position returned by the previous request; use it to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
Incident Statuses | Filter alerts by a specific incident status. Options: in_progress, resolved, unresolved.
Limit | Limit the number of returned items (1-1000). Example: 10.
Return All Pages | Automatically fetch all resources, page by page.
Sort By | The column to sort the results by.
Threats IDs | Filter by a list of threat IDs.

Advanced Parameters

Parameter | Description
Account IDs | List of account IDs to filter by. Example: 225494730938493804,225494730938493915.

Example Output

{
	"errors": [
		{
			"type": "object"
		}
	],
	"pagination": {
		"nextCursor": "YWdlbnRfaWQ6NTgwMjkzODE=",
		"totalItems": 580
	},
	"data": [
    {
      "containerInfo": {
          "id": "string",
          "isContainerQuarantine": "boolean",
          "image": "string",
          "name": "string",
          "labels": [
              {
                  "type": "string"
              }
          ]
      },
      "whiteningOptions": [
          {
              "type": "string"
          }
      ],
      "id": "225494730938493804",
      "agentDetectionInfo": {
          "siteName": "string",
          "agentRegisteredAt": "2018-02-27T04:49:26.257525Z",
          "groupName": "string",
          "agentMitigationMode": "detect",
          "agentIpV6": "string",
          "agentIpV4": "string",
          "siteId": "225494730938493804",
          "accountName": "string",
          "agentDomain": "mybusiness.net",
          "cloudProviders": "object",
          "agentOsName": "string",
          "agentLastLoggedInUserName": "janedoe3",
          "groupId": "225494730938493804",
          "agentDetectionState": "string",
          "agentOsRevision": "string",
          "externalIp": "string",
          "agentLastLoggedInUserMail": "string",
          "agentLastLoggedInUpn": "string",
          "accountId": "225494730938493804",
          "agentVersion": "3.6.1.14",
          "agentUuid": "string"
      },
      "threatInfo": {
          "md5": "string",
          "initiatedByDescription": {
              "readOnly": true,
              "description": "Initiated by description"
          },
          "sha256": "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c",
          "threatName": "string",
          "automaticallyResolved": "boolean",
          "processUser": "string",
          "mitigationStatusDescription": {
              "readOnly": true,
              "description": "Mitigation status description"
          },
          "classification": "string",
          "filePath": {
              "readOnly": true,
              "description": "File path"
          },
          "initiatingUserId": "225494730938493804",
          "originatorProcess": "string",
          "engines": [
              "reputation",
              "pre_execution"
          ],
          "pendingActions": "boolean",
          "reachedEventsLimit": "boolean",
          "fileVerificationType": "string",
          "initiatedBy": "agent_policy",
          "createdAt": "2018-02-27T04:49:26.257525Z",
          "analystVerdictDescription": {
              "readOnly": true,
              "description": "Analyst verdict description"
          },
          "initiatingUsername": "string",
          "publisherName": "string",
          "identifiedAt": "2018-02-27T04:49:26.257525Z",
          "storyline": "a00637fa-e18d-9b80-e803-f370524f8085",
          "detectionEngines": [
              "reputation",
              "pre_execution"
          ],
          "cloudFilesHashVerdict": "string",
          "mitigatedPreemptively": "boolean",
          "maliciousProcessArguments": "string",
          "isFileless": {
              "readOnly": true,
              "description": "Is fileless"
          },
          "isValidCertificate": "boolean",
          "mitigationStatus": "not_mitigated",
          "sha1": "ddd5030a3d029f3845fc1052419829f08f312240",
          "updatedAt": "2018-02-27T04:49:26.257525Z",
          "detectionType": "static",
          "incidentStatusDescription": {
              "readOnly": true,
              "description": "Incident status description"
          },
          "classificationSource": "Cloud",
          "certificateId": "string",
          "macroModules": [
              {
                  "moduleName": "string",
                  "sha1": "string"
              }
          ],
          "browserType": "string",
          "analystVerdict": "undefined",
          "confidenceLevel": "malicious",
          "incidentStatus": "unresolved",
          "externalTicketId": "string",
          "externalTicketExists": {
              "readOnly": true,
              "description": "External ticket exists"
          },
          "rebootRequired": "boolean",
          "failedActions": "boolean",
          "collectionId": "225494730938493804",
          "threatId": "225494730938493804",
          "fileExtensionType": "string",
          "fileExtension": "string",
          "fileSize": "integer"
      },
    }
  ]
}

Workflow Library Example

Get Threats with Sentinelone and Send Results Via Email
