Apply a mitigation action to a group of threats that match the filter. Your user role must have permissions to mitigate threats - Admin, IR Team, SOC. Only threats which you have permission to mitigate are countedas “affected” in response field.

You must use one of the filters before executing the action.

Basic Parameters

ParameterDescription
ActionChoose the mitigation action to apply.
Agents IDsA list of agent IDs to filter by.
Threats IDsList of threats IDs to filter by.

Advanced Parameters

ParameterDescription
Account IDsList of account IDs to filter by.
Analyst VerdictsFilter threats by an analyst verdict.Options: false_positive suspicious true_positive undefined
Incident StatusesFilter threats by a specific incident status. Options: in_progress resolved unresolved

Example Output

{
	"errors": [
		{
			"type": "object"
		}
	],
	"data": {
		"affected": "integer",
		"details": [
			{
				"skipped": [
					{
						"action": "kill",
						"description": "string",
						"reason": "permissions"
					}
				],
				"reports": [
					{
						"groupNotFound": "boolean",
						"status": "success",
						"mitigationEndedAt": "2018-02-27T04:49:26.257525Z",
						"latestReport": "string",
						"reportId": "225494730938493804",
						"action": "kill",
						"lastUpdate": "2018-02-27T04:49:26.257525Z",
						"mitigationStartedAt": "2018-02-27T04:49:26.257525Z",
						"agentSupportsReport": "boolean",
						"actionsCounters": {
							"notFound": "integer",
							"total": "integer",
							"failed": "integer",
							"pendingReboot": "integer",
							"success": "integer"
						}
					}
				],
				"threatId": "225494730938493804"
			}
		]
	}
}

Workflow Library Example

Mitigate Threats with Sentinelone and Send Results Via Email

Preview this Workflow on desktop

Was this page helpful?