InsightConnect Sentinelone trigger "get threats"

How exactly do we use the SentinelOne plugin trigger "Get Threats"? I activated the workflow and set "Get Threats" as the trigger, but still no jobs are running. From what I understood, it is supposed to check every 5 seconds. Can you explain?


Hello @adelima.

The SentinelOne Trigger is used to monitor your SentinelOne environment for “New” threats.

The trigger has the following configuration options:

Resolved: This should still pull a threat even if it is automatically resolved due to your SentinelOne policy configuration.

Classifications: This would allow you to trigger off of specific threat types such as: Trojan, Virus, Worm, etc.

Agent is active: whether the agent is connected to the management console.

Engines: Perhaps you only wish to trigger off of specific detection engine(s), examples would be: Reputation, Lateral Movement, Remote Shell, etc.

And lastly, Frequency, which as you stated defaults to every 5 seconds.

If you are looking to get threats that already exist in your environment as a summary, you can do this, just not using SentinelOne as a trigger. You could instead set up something like a Microsoft Teams or Slack trigger, send a message, and pull a summary of the threats in your environment. The SentinelOne action to do this is labeled Get Threats, just like the trigger. The output of this action in raw format looks like this:

```json
{
  "accountId": "",
  "accountName": "",
  "agentComputerName": "",
  "agentDomain": "WORKGROUP",
  "agentId": "",
  "agentInfected":
  "agentIp":
  "agentIsActive":
  "agentIsDecommissioned":
  "agentMachineType":
  "agentNetworkStatus":
  "agentOsType":
  "agentVersion":
  "annotation":
  "automaticallyResolved":
  "classification":
  "classificationSource":
  "classifierName":
  "cloudVerdict":
  "collectionId":
  "createdAt":
  "createdDate":
  "description":
  "engines": [
    "pre_execution"
  ],
  "fileContentHash":
  "fileDisplayName":
  "fileExtensionType":
  "fileIsExecutable": false,
  "fileIsSystem": false,
  "fileObjectId": "42B87ACFA567D214",
  "filePath": "\\Device\\HarddiskVolume1\\Users\\IEUser\\Desktop\\eicar.com",
  "fileVerificationType": "NotSigned",
  "fromCloud": false,
  "fromScan": false,
  "id":
  "indicators": [],
  "initiatedBy": "agentPolicy",
  "initiatedByDescription": "Agent Policy",
  "isCertValid": false,
  "isInteractiveSession": false,
  "isPartialStory": false,
  "maliciousGroupId": "93B01EE00BE6D8B6",
  "markedAsBenign": false,
  "mitigationMode": "protect",
  "mitigationReport": {
    "kill": {
      "status": "success"
    },
    "network_quarantine": {},
    "quarantine": {
      "status": "success"
    },
    "remediate": {},
    "rollback": {},
    "unquarantine": {}
  },
  "mitigationStatus": "active",
  "rank": 5,
  "resolved": true,
  "siteId":
  "siteName": "Default site",
  "threatAgentVersion": "21.6.6.1200",
  "threatName": "eicar.com",
  "updatedAt": "2022-10-13T18:26:16.242757Z",
  "username":
  "whiteningOptions": [
    "path",
    "hash"
  ]
}
```

If you are trying to grab this information for reporting purposes and are only interested in specific pieces, you can add a loop step after the Get Threats action. The variable to loop over will be the .data variable. As an example, if you name the SentinelOne Get Threats action "GetThreats", the variable that you loop over will be called `{{["GetThreats"].[data]}}`.

Hopefully this was helpful. If you have further questions, please don't hesitate to reach out.


Yeah, I've set it up with both console and service user API keys with viewer and admin permissions. The test works and actions worked, but the trigger has never seemed to function. I've triggered new alerts in SentinelOne via EICAR tests and nada.

@tstory What version of the SentinelOne Plugin are you trying to use?

I am working on qualifying if a defect does exist.

I was able to get 8.0 to trigger. I haven’t been able to get 8.0.1 to trigger. I did set the alert resolved option to False.

If you want to give it a shot and let me know if changing the plugin version makes a difference, that would be awesome.

Hello @tstory. I was curious if this is still an issue for you? If it still is, can you tell me what version of the SentinelOne plugin you are using?

One thing to note: setting the alert resolution to True does not include both True and False; it only includes resolved alerts, so you will likely want that set to False, depending on what you are doing with the workflow.
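As an added example, not plugin code and not written by anyone in this thread, the filter below shows how the trigger options listed earlier (Resolved, Classifications, Agent is active, Engines) and the Resolved pitfall in the last reply combine to select threats from the Get Threats `.data` list; `filter_threats`, `summarize` and the sample records are hypothetical constructions for illustration.

```python
from typing import Any, Dict, Iterable, List, Optional, Sequence

# Constructed sample shaped like the Get Threats ".data" list in the thread;
# only the keys the trigger options depend on are included.
SAMPLE_THREATS: List[Dict[str, Any]] = [
    {"id": "t1", "threatName": "eicar.com", "classification": "Malware",
     "resolved": True, "agentIsActive": True, "engines": ["pre_execution"]},
    {"id": "t2", "threatName": "dropper.exe", "classification": "Trojan",
     "resolved": False, "agentIsActive": True,
     "engines": ["reputation", "lateral_movement"]},
    {"id": "t3", "threatName": "worm.bin", "classification": "Worm",
     "resolved": False, "agentIsActive": False, "engines": ["remote_shell"]},
]


def filter_threats(
    threats: Iterable[Dict[str, Any]],
    resolved: Optional[bool] = None,
    classifications: Optional[Sequence[str]] = None,
    agent_is_active: Optional[bool] = None,
    engines: Optional[Sequence[str]] = None,
) -> List[Dict[str, Any]]:
    """Keep only the threats that pass every option that is set.

    A None option means "do not filter on this field" (an assumption of this
    example, not necessarily how the plugin behaves). resolved=True keeps ONLY
    resolved threats, the pitfall noted in the thread; use resolved=False to
    see new, still-open threats.
    """
    wanted_classes = set(classifications or [])
    wanted_engines = set(engines or [])
    kept = []
    for t in threats:
        if resolved is not None and t.get("resolved") != resolved:
            continue
        if agent_is_active is not None and t.get("agentIsActive") != agent_is_active:
            continue
        if wanted_classes and t.get("classification") not in wanted_classes:
            continue
        if wanted_engines and not wanted_engines.intersection(t.get("engines", [])):
            continue
        kept.append(t)
    return kept


def summarize(threats: Iterable[Dict[str, Any]], fields: Sequence[str]) -> List[Dict[str, Any]]:
    """Project each threat onto the fields wanted for a report, as the loop
    step over ["GetThreats"].[data] described above would."""
    return [{f: t.get(f) for f in fields} for t in threats]
```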