Mitigate Threats
Apply a mitigation action to a group of threats that match the filter. Your user role must have permission to mitigate threats (Admin, IR Team, SOC). Only threats that you have permission to mitigate are counted as "affected" in the response field; the rest are listed under "skipped" with the reason "permissions".
You must use one of the filters before executing the action.
Basic Parameters
Parameter | Description |
---|---|
Action | Choose the mitigation action to apply. |
Agents IDs | A list of agent IDs to filter by. |
Threats IDs | List of threat IDs to filter by. |
Advanced Parameters
Parameter | Description |
---|---|
Account IDs | List of account IDs to filter by. |
Analyst Verdicts | Filter threats by an analyst verdict. Options: false_positive, suspicious, true_positive, undefined |
Incident Statuses | Filter threats by a specific incident status. Options: in_progress, resolved, unresolved |
Example Output
```json
{
  "errors": [
    {
      "type": "object"
    }
  ],
  "data": {
    "affected": "integer",
    "details": [
      {
        "skipped": [
          {
            "action": "kill",
            "description": "string",
            "reason": "permissions"
          }
        ],
        "reports": [
          {
            "groupNotFound": "boolean",
            "status": "success",
            "mitigationEndedAt": "2018-02-27T04:49:26.257525Z",
            "latestReport": "string",
            "reportId": "225494730938493804",
            "action": "kill",
            "lastUpdate": "2018-02-27T04:49:26.257525Z",
            "mitigationStartedAt": "2018-02-27T04:49:26.257525Z",
            "agentSupportsReport": "boolean",
            "actionsCounters": {
              "notFound": "integer",
              "total": "integer",
              "failed": "integer",
              "pendingReboot": "integer",
              "success": "integer"
            }
          }
        ],
        "threatId": "225494730938493804"
      }
    ]
  }
}
```
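The following helper builds a request from the parameters above, enforcing the "at least one filter" rule and the documented verdict and status values, and reduces a response of the shape shown above to what an analyst reviews afterwards (affected count, skipped reasons, summed action counters, threats that did not end cleanly). It is an added example written for this page, not the integration's own code; the request-body field names and the sample response values are assumptions.

```python
"""Request builder and response summarizer for the Mitigate Threats action.
Added example; not the integration's own code. Sample data is constructed."""
from collections import Counter

ANALYST_VERDICTS = {"false_positive", "suspicious", "true_positive", "undefined"}
INCIDENT_STATUSES = {"in_progress", "resolved", "unresolved"}
# Assumed body field names for each filter parameter (the page lists labels only).
FILTER_FIELDS = {"threat_ids": "ids", "agent_ids": "agentIds",
                 "account_ids": "accountIds", "analyst_verdicts": "analystVerdicts",
                 "incident_statuses": "incidentStatuses"}

def build_mitigation_request(action, **filters):
    """Return the request body; refuse an empty filter so a mitigation can
    never silently apply to every threat in the tenant."""
    body = {}
    for name, field in FILTER_FIELDS.items():
        values = list(filters.get(name) or [])
        if not values:
            continue
        allowed = {"analyst_verdicts": ANALYST_VERDICTS,
                   "incident_statuses": INCIDENT_STATUSES}.get(name)
        if allowed and not set(values) <= allowed:
            raise ValueError(f"{name}: unknown value in {values}")
        body[field] = values
    if not body:
        raise ValueError("at least one filter is required before mitigating")
    return {"action": action, "filter": body}

def summarize_mitigation(response):
    """Summarize: affected count, skipped threats by reason, summed
    actionsCounters, and threat IDs whose report is not a clean success."""
    skipped, counters, needs_attention = Counter(), Counter(), []
    for detail in response["data"]["details"]:
        for item in detail.get("skipped", []):
            skipped[item["reason"]] += 1
        for report in detail.get("reports", []):
            ac = report.get("actionsCounters", {})
            counters.update(ac)  # Counter.update sums per key across reports
            clean = (report.get("status") == "success"
                     and ac.get("total", 0) == ac.get("success", 0))
            if not clean:
                needs_attention.append(detail["threatId"])
    return {"affected": response["data"]["affected"], "skipped": dict(skipped),
            "counters": dict(counters), "needs_attention": sorted(set(needs_attention))}

# Constructed sample response following the documented shape (hypothetical IDs).
SAMPLE = {"errors": [], "data": {"affected": 2, "details": [
    {"threatId": "T1", "skipped": [], "reports": [{"status": "success", "action": "kill",
        "actionsCounters": {"notFound": 0, "total": 1, "failed": 0, "pendingReboot": 0, "success": 1}}]},
    {"threatId": "T2", "reports": [],
     "skipped": [{"action": "kill", "description": "no rights", "reason": "permissions"}]},
    {"threatId": "T3", "skipped": [], "reports": [{"status": "success", "action": "kill",
        "actionsCounters": {"notFound": 0, "total": 2, "failed": 1, "pendingReboot": 1, "success": 0}}]}]}}
```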
Workflow Library Example
Mitigate Threats with Sentinelone and Send Results Via Email