Apply a mitigation action to a group of threats that match the filter. Your user role must have permissions to mitigate threats - Admin, IR Team, SOC. Only threats which you have permission to mitigate are countedas “affected” in response field. You must use one of the filters before executing the action.

Basic Parameters

ParameterDescription
ActionChoose the mitigation action to apply.
Agents IDsA list of agent IDs to filter by.
Threats IDsList of threats IDs to filter by.

Advanced Parameters

ParameterDescription
Account IDsList of account IDs to filter by.
Analyst VerdictsFilter threats by an analyst verdict.
Options:
false_positive
  suspicious
  true_positive
  undefined
Incident StatusesFilter threats by a specific incident status.
Options:
in_progress
  resolved
  unresolved

Example Output

{
	"errors": [
		{
			"type": "object"
		}
	],
	"data": {
		"affected": "integer",
		"details": [
			{
				"skipped": [
					{
						"action": "kill",
						"description": "string",
						"reason": "permissions"
					}
				],
				"reports": [
					{
						"groupNotFound": "boolean",
						"status": "success",
						"mitigationEndedAt": "2018-02-27T04:49:26.257525Z",
						"latestReport": "string",
						"reportId": "225494730938493804",
						"action": "kill",
						"lastUpdate": "2018-02-27T04:49:26.257525Z",
						"mitigationStartedAt": "2018-02-27T04:49:26.257525Z",
						"agentSupportsReport": "boolean",
						"actionsCounters": {
							"notFound": "integer",
							"total": "integer",
							"failed": "integer",
							"pendingReboot": "integer",
							"success": "integer"
						}
					}
				],
				"threatId": "225494730938493804"
			}
		]
	}
}

Workflow Library Example

Mitigate Threats with Sentinelone and Send Results Via Email
Workflow LibraryPreview this Workflow on desktop