InsightConnect Sentinelone trigger "get threats"

How exactly do we use the SentinelOne plugin trigger "Get Threats"? I activated the workflow and set "Get Threats" as the trigger, but still no jobs are running. From what I understood, it is supposed to check every 5 seconds. Can you explain?

Hello @adelima.

The SentinelOne trigger is used to monitor your SentinelOne environment for "new" threats.

The trigger has the following configuration options:

Resolved: This will still pull a threat even if it is automatically resolved due to your SentinelOne policy configuration.

Classifications: This would allow you to trigger off of specific threat types such as: Trojan, Virus, Worm, etc.

Agent is active: Whether the agent is connected to the management console.

Engines: Perhaps you only wish to trigger off of specific detection engine(s); examples would be Reputation, Lateral Movement, Remote Shell, etc.

And lastly Frequency, which, as you stated, defaults to every 5 seconds.

If you are looking to get threats that already exist in your environment as a summary, you can do this, just not using SentinelOne as a trigger. You could instead set up something like a Microsoft Teams or Slack trigger, send a message, and pull a summary of the threats in your environment. The SentinelOne action to do this is labeled Get Threats, just like the trigger. The output of this action in raw format looks like this:

{
"accountId": "",
"accountName": "",
"agentComputerName": "",
"agentDomain": "WORKGROUP",
"agentId": "",
"agentInfected":
"agentIp":
"agentIsActive":
"agentIsDecommissioned":
"agentMachineType":
"agentNetworkStatus":
"agentOsType":
"agentVersion":
"annotation":
"automaticallyResolved":
"classification":
"classificationSource":
"classifierName":
"cloudVerdict":
"collectionId":
"createdAt":
"createdDate":
"description":
"engines": [
"pre_execution"
],
"fileContentHash":
"fileDisplayName":
"fileExtensionType":
"fileIsExecutable": false,
"fileIsSystem": false,
"fileObjectId": "42B87ACFA567D214",
"filePath": "\Device\HarddiskVolume1\Users\IEUser\Desktop\eicar.com",
"fileVerificationType": "NotSigned",
"fromCloud": false,
"fromScan": false,
"id":
"indicators": [],
"initiatedBy": "agentPolicy",
"initiatedByDescription": "Agent Policy",
"isCertValid": false,
"isInteractiveSession": false,
"isPartialStory": false,
"maliciousGroupId": "93B01EE00BE6D8B6",
"markedAsBenign": false,
"mitigationMode": "protect",
"mitigationReport": {
"kill": {
"status": "success"
},
"network_quarantine": {},
"quarantine": {
"status": "success"
},
"remediate": {},
"rollback": {},
"unquarantine": {}
},
"mitigationStatus": "active",
"rank": 5,
"resolved": true,
"siteId":
"siteName": "Default site",
"threatAgentVersion": "21.6.6.1200",
"threatName": "eicar.com",
"updatedAt": "2022-10-13T18:26:16.242757Z",
"username":
"whiteningOptions": [
"path",
"hash"
]
}

If you are trying to grab this information for reporting purposes and are only interested in specific pieces, you can add a loop step after the Get Threats action. The variable to loop over will be the .data variable. As an example, if you name the SentinelOne Get Threats action "GetThreats", the variable that you loop over will be called {{["GetThreats"].[data]}}.

Hopefully this was helpful. If you have further questions, please don't hesitate to reach out.
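As an added illustration (not code from the post above or from the InsightConnect plugin itself), here is a small Python script that applies the four trigger filters (Resolved, Classifications, Agent is active, Engines) to a Get Threats result and then loops over its .data list to build the kind of per-threat summary a loop step would produce. The threat records are constructed samples that only borrow field names from the raw output shown above.

```python
"""Added example: trigger-style filtering and a loop-over-.data summary
for a SentinelOne Get Threats result. Not the plugin's own code."""

# Constructed sample shaped like the raw Get Threats output above.
# Values are made up; only the field names follow the post.
SAMPLE_RESPONSE = {
    "data": [
        {"id": "t1", "threatName": "eicar.com", "classification": "Malware",
         "engines": ["pre_execution"], "agentIsActive": True, "resolved": True,
         "agentComputerName": "WS-01"},
        {"id": "t2", "threatName": "dropper.exe", "classification": "Trojan",
         "engines": ["reputation"], "agentIsActive": False, "resolved": False,
         "agentComputerName": "WS-02"},
        {"id": "t3", "threatName": "shell.ps1", "classification": "PUA",
         "engines": ["remote_shell", "lateral_movement"], "agentIsActive": True,
         "resolved": False, "agentComputerName": "SRV-01"},
    ]
}


def trigger_matches(threat, resolved=True, classifications=None,
                    agent_is_active=None, engines=None):
    """Apply the trigger's four options to one threat record.

    resolved=False drops threats already auto-resolved by policy;
    classifications and engines are allow-lists (None = any);
    agent_is_active=None means the agent state is not checked.
    """
    if not resolved and threat.get("resolved"):
        return False
    if classifications and threat.get("classification") not in classifications:
        return False
    if agent_is_active is not None and threat.get("agentIsActive") != agent_is_active:
        return False
    if engines and not set(threat.get("engines", [])) & set(engines):
        return False
    return True


def summarize(response, **filters):
    """Loop over .data (as a loop step would) and keep only the fields a
    report needs: one line per threat that passes the filters."""
    lines = []
    for t in response.get("data", []):
        if trigger_matches(t, **filters):
            state = "resolved" if t["resolved"] else "open"
            lines.append(f"{t['id']} {t['agentComputerName']} "
                         f"{t['threatName']} {t['classification']} {state}")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_RESPONSE, resolved=False):
        print(line)
```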
