Mitigate Threats

Apply a mitigation action to a group of threats that match the filter. Your user role must have permission to mitigate threats (Admin, IR Team, or SOC). Only threats that you have permission to mitigate are counted as "affected" in the response field.

You must use one of the filters before executing the action.

Basic Parameters

Action: Choose the mitigation action to apply.
Agent IDs: A list of agent IDs to filter by.
Threat IDs: A list of threat IDs to filter by.

Advanced Parameters

Account IDs: A list of account IDs to filter by.
Analyst Verdicts: Filter threats by an analyst verdict. Options: false_positive, suspicious, true_positive, undefined.
Incident Statuses: Filter threats by a specific incident status. Options: in_progress, resolved, unresolved.

Example Output

{
  "errors": [
    {
      "type": "object"
    }
  ],
  "data": {
    "affected": "integer",
    "details": [
      {
        "skipped": [
          {
            "action": "kill",
            "description": "string",
            "reason": "permissions"
          }
        ],
        "reports": [
          {
            "groupNotFound": "boolean",
            "status": "success",
            "mitigationEndedAt": "2018-02-27T04:49:26.257525Z",
            "latestReport": "string",
            "reportId": "225494730938493804",
            "action": "kill",
            "lastUpdate": "2018-02-27T04:49:26.257525Z",
            "mitigationStartedAt": "2018-02-27T04:49:26.257525Z",
            "agentSupportsReport": "boolean",
            "actionsCounters": {
              "notFound": "integer",
              "total": "integer",
              "failed": "integer",
              "pendingReboot": "integer",
              "success": "integer"
            }
          }
        ],
        "threatId": "225494730938493804"
      }
    ]
  }
}
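The following is an added example, not code from the original page or from the integration itself. It shows how a caller would assemble the filter for this action (enforcing the rule above that at least one filter must be set, and checking the allowed Analyst Verdict and Incident Status values) and how to read the documented response shape: the "affected" count, entries skipped for "permissions", and the per-report action counters. No HTTP request is made; the request body's key names are an assumption mirroring the parameter names on this page, and the sample response is constructed from the Example Output with placeholder types replaced by concrete values.

```python
"""Added example: build a Mitigate Threats filter and summarize its response.

Assumptions (not from the page): the request body key names below, and the
sample response, which is constructed from the page's Example Output schema.
"""
from __future__ import annotations

from typing import Any

# Allowed values listed under Advanced Parameters on the page.
ANALYST_VERDICTS = {"false_positive", "suspicious", "true_positive", "undefined"}
INCIDENT_STATUSES = {"in_progress", "resolved", "unresolved"}


def build_request(action: str, *, agent_ids=None, threat_ids=None, account_ids=None,
                  analyst_verdicts=None, incident_statuses=None) -> dict[str, Any]:
    """Return a request body for the action; raise ValueError on a bad filter."""
    if not action:
        raise ValueError("action is required")
    filters = {
        "agent_ids": list(agent_ids or []),
        "threat_ids": list(threat_ids or []),
        "account_ids": list(account_ids or []),
        "analyst_verdicts": list(analyst_verdicts or []),
        "incident_statuses": list(incident_statuses or []),
    }
    # Drop empty filters, then enforce the page's rule: at least one filter is required.
    filters = {k: v for k, v in filters.items() if v}
    if not filters:
        raise ValueError("at least one filter must be set before executing the action")
    bad_verdicts = set(filters.get("analyst_verdicts", [])) - ANALYST_VERDICTS
    if bad_verdicts:
        raise ValueError(f"unknown analyst verdict(s): {sorted(bad_verdicts)}")
    bad_statuses = set(filters.get("incident_statuses", [])) - INCIDENT_STATUSES
    if bad_statuses:
        raise ValueError(f"unknown incident status(es): {sorted(bad_statuses)}")
    return {"action": action, "filter": filters}  # key names are an assumption


def summarize_response(resp: dict[str, Any]) -> dict[str, Any]:
    """Flatten the documented response: affected count, skipped threats, counters."""
    data = resp.get("data") or {}
    summary: dict[str, Any] = {"affected": data.get("affected", 0), "skipped": [],
                               "reports": [], "counters": {}}
    for detail in data.get("details", []):
        threat_id = detail.get("threatId")
        # Threats the caller lacked permission for show up here, not in "affected".
        for s in detail.get("skipped", []):
            summary["skipped"].append({"threatId": threat_id, "action": s.get("action"),
                                       "reason": s.get("reason")})
        for r in detail.get("reports", []):
            summary["reports"].append({"threatId": threat_id, "action": r.get("action"),
                                       "status": r.get("status")})
            for name, value in (r.get("actionsCounters") or {}).items():
                if isinstance(value, int):
                    summary["counters"][name] = summary["counters"].get(name, 0) + value
    return summary


# Constructed sample response following the page's Example Output schema.
SAMPLE_RESPONSE: dict[str, Any] = {
    "errors": [],
    "data": {
        "affected": 1,
        "details": [
            {
                "threatId": "225494730938493804",
                "skipped": [],
                "reports": [{
                    "groupNotFound": False, "status": "success", "action": "kill",
                    "reportId": "225494730938493804", "agentSupportsReport": True,
                    "mitigationStartedAt": "2018-02-27T04:49:26.257525Z",
                    "mitigationEndedAt": "2018-02-27T04:49:26.257525Z",
                    "lastUpdate": "2018-02-27T04:49:26.257525Z", "latestReport": "",
                    "actionsCounters": {"notFound": 0, "total": 1, "failed": 0,
                                        "pendingReboot": 0, "success": 1},
                }],
            },
            {
                "threatId": "CONSTRUCTED-THREAT-ID-2",  # constructed placeholder id
                "skipped": [{"action": "kill", "description": "constructed sample",
                             "reason": "permissions"}],
                "reports": [],
            },
        ],
    },
}


def example() -> dict[str, Any]:
    """Build a request with two filters and summarize the sample response."""
    request = build_request("kill",
                            threat_ids=["225494730938493804", "CONSTRUCTED-THREAT-ID-2"],
                            incident_statuses=["unresolved"])
    return {"request": request, "summary": summarize_response(SAMPLE_RESPONSE)}


if __name__ == "__main__":
    import json
    print(json.dumps(example(), indent=2))
```

The summary separates threats that were actually mitigated from those skipped for "permissions", which is the distinction the page draws when it says only threats you may mitigate are counted as "affected".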

Workflow Library Example

Mitigate Threats with Sentinelone and Send Results Via Email
