SentinelOne integration
This document outlines the requirements and setup for the SentinelOne integration.
If you’re new to integrations in Rewst, read through our introductory integration documentation here.
What does the SentinelOne integration do?
Our SentinelOne integration enables the automation of endpoint protection. Use the SentinelOne API within Rewst workflows to manage accounts, agents, forensics, and threats.
Set up the SentinelOne integration
Set up steps in SentinelOne
Log in to the SentinelOne management console.
Navigate to Settings > Users.
Click Service Users.
Click Actions > Create New Service User.
Set a name and an expiration date for the account.
Click Next.
Select Account as the access level, then select the parent site.
Set the role to Admin.
Click Create User.
Copy the API key information. Save it in a secure location. You'll need this information for further setup steps in Rewst.
SentinelOne API tokens have an expiration date, typically 6 months out. We suggest setting a reminder for checking and updating the keys to correspond with the expiration timeline.
Set up steps in Rewst
Once you have created an API account, you will need to configure the integration within the Rewst platform.
Follow the steps below to configure a new integration:
Navigate to Configuration > Integrations in the left side menu of your Rewst platform.
Search for SentinelOne in the integrations page.
Click on the integration tile to launch the configuration setup page.

Under Parameters, enter the information copied from SentinelOne into the relevant fields:
API Key: The API key that was generated for integration.
Domain: This is the full URL to the SentinelOne tenant.
Click Save Configuration.
Rewst will do a quick validation of your input. Once completed, you'll see a new section beneath the configuration form for organization mapping. Complete your mapping as desired.
Actions and endpoints
Accounts
List Accounts
This gets the Accounts and their data that match the filter. This command gives the account IDs, which other commands require.
Accounts
Create Account
This creates a new account. This command requires global permissions and an MSSP deployment.
Accounts
Get Account
This gets account data from a given account ID. To get an account ID, run the accounts command.
Accounts
Update Account
This changes the data of an account. This command requires a global user or an account user and admin role.
Accounts
Revert Account Policy
This reverts the account policy to inherited settings.
Accounts
Reactivate Account
This reactivates an expired account. This command requires a global user or Support. Consult with your SentinelOne SE.
Accounts
Expire An Account
This expires an account immediately. The user must have global access or account access with permissions for the account.
Accounts
Get Uninstall Password Metadata
This gets the uninstall password metadata, such as which user created and revoked it, and when.
Accounts
Get Uninstall Password
This gets the uninstall password to uninstall several agents of one account with one command.
Accounts
Generate Regenerate Uninstall Password
You can uninstall all agents of one account with one command that requires a password. This command sets a new account level uninstall password.
Accounts
Revoke Uninstall Password
This deletes the account level uninstall password. If you do not delete it, you or another console user can mistakenly use the account passphrase, and uninstall all agents when you mean to uninstall one agent.
Accounts
Export Accounts
This exports account data to a CSV for accounts that match the filter.
Activities
List Activities
This gets the Activities and their data that match the filters. We recommend that you set some values for the filters.
Activities
List Activity Types
This gets a list of activity types. This is useful to see valid values to filter activities in other commands.
Activities
Last Activity As Syslog Message
To see examples of Syslog messages, you can get the Syslog message that corresponds to the last activity that matches the filter. This is not intended for production purposes.
Activities
Export Activities
This exports the list of Activities.
Agent Actions
Broadcast Message
You can send a message through the agents that users can see.
Agent Actions
Connect To Network
After you run disconnect from network on endpoints, analyze the issue and mitigate threats. Use this command to reconnect to the network all the endpoints that match the filter. To learn more, see Disconnect from Network.
Agent Actions
Initiate Agent Scan
Use this command to run a full disk scan on agents that match the filter.
Agent Actions
Abort Scan
This immediately stops a full disk scan on all agents that match the filter. See Initiate scan to learn more about full disk scan.
Agent Actions
Disconnect From Network
Use this command to isolate (quarantine) endpoints from the network if the endpoints match the filter.
Agent Actions
Decommission
If a user is scheduled for time off or a device is scheduled for maintenance, you can decommission the agent.
Agent Actions
Restart
Use this command to restart endpoints that have an agent installed and that fit the filter. We recommend that you use the broadcast command to send a message to users of endpoints before you restart their computers.
Agent Actions
Uninstall
Use this command to uninstall agents that match the filter. For Windows and macOS, make sure that all remnants of the agent are removed, and reboot the endpoints after uninstall. Use the restart command.
Agent Actions
Shutdown
You can shut down endpoints remotely for performance maintenance or security. This command shuts down all endpoints that match the filter.
Agent Actions
Approve Uninstall
This approves an uninstall request that is sent to the management.
Agent Actions
Update Software
Use this command to update the agent version on endpoints that have the agent installed and that match the filter.
Agent Actions
Reset Local Config
This clears the SentinelCtl changes from all agents that match the filter.
Agent Actions
Set External ID
You can add a customer identifier string to identify each endpoint or to tag sets of endpoints. The string shows in the endpoint details of the management console.
Agent Actions
Fetch Files
This fetches files from endpoints up to MB for each command to analyze the root of threats that come from files of course.
Agent Actions
Move Between Sites
This command requires account or global level access.
Agent Actions
Fetch Firewall Rules
This fetches firewall rules from agents.
Agent Actions
Move To Console
You can move agents between management consoles.
Agent Actions
List Agent Applications
The Application Risk Management is an EA feature. Contact your partner or SentinelOne SE to learn how to join the EA program.
Agent Actions
Start Remote Shell
Remote shell is an opened websocket between the browser and the agent with a proprietary communication protocol that requires an unreasonable effort to run from the API. We recommend that you do not use this call.
Agent Actions
Check Remote Shell Availability
This lets you open full shell capabilities (PowerShell on Windows and Bash on macOS and Linux) to be able to run a remote shell session.
Agent Actions
Terminate Remote Shell
This terminates a remote shell on an agent.
Agent Actions
Fetch Firewall Logs
This gets Firewall Control events in the local log file written in clear text for Firewall Control events of an endpoint with Firewall Control enabled. This also enables the logs for agents that match the filter.
Agent Actions
Mark As Up To Date
The value of the agent version as up to date is a useful filter for many actions. There are scenarios where the management does not recognize a version as latest.
Agent Actions
Enable Ranger
This enables the S1 ranger service.
Agent Actions
Disable Ranger
This disables the ranger from the agents that match the filter.
Agent Actions
Edit Agent Upgrade Site Authorization
This action makes edits when the authorization of local upgrades expires.
Agent Actions
Enable Agent
Use this command to enable disabled agents that match the filter.
Agent Actions
Disable Agent
Use this command to disable agents that match the filter.
Agent Actions
Start Remote Profiling
Use this command to start remote profiling on agents that match the filter.
Agent Actions
Stop Remote Profiling
Use this command to stop remote profiling on agents that match the filter. If the command returns insufficient permissions, make sure you have permissions for the account, site, or group and a role that allows Stop Remote Profiling (Admin or IT).
Agent Actions
Approve Stateless Upgrades
This approves stateless upgrade for agents.
Agent Actions
Manage Endpoint Tags Add Remove Override
This override forces the new key and value to be added to the endpoints. If you use add to add a key when that key already exists with a different value, it will not take effect.
Agent Actions
Set Persistent Configuration Overrides
This command requires global permissions or support.
Agent Actions
Fetch Logs
This gets the agent and endpoint logs from agents that match the filter.
Agent Actions
Reject Uninstall
This rejects uninstall requests for all agents that match the filter. To learn more about uninstall requests, see Approve Uninstall.
Agent Support Actions
Clear Remote Shell
Remote shell is a powerful way to respond remotely to events on an endpoint.
Agents
List Agents
This gets the Agents and their data that match the filter. This command gives the agent ID, which you can use in other commands. To save the list and data to a CSV file, use export agents.
Agents
Count Agents
This gets the count of Agents that match a filter. This command is useful to run before you run other commands. You will be able to manage agent maintenance better if you know how many Agents will get a command that takes time, such as update software.
Agents
Get Passphrase
This shows the passphrase for the Agents that match the filter. This is an important command as you will need the passphrase for most SentinelCtl and API commands.
Agents
Export Agent Logs
This gets agent logs from Agents that match the filter. You can filter by agent ID, run agents to get the ID, or run activity types to get the activity ID. Send the logs to SentinelOne Support for assistance.
Agents
List Agent Installed Applications
This gets the installed applications for a specific agent.
Agents
Get Local Upgrade Agent Authorization
This gets the time when authorization of local upgrades expires.
Agents
Export Agents
This exports agent data to a CSV for Agents that match the filter. This command exports up to items, and each datum is an item.
Agents
List The Endpoint Tags That Match The Filters
This gets the endpoint tags.
Agents
Export Agents Light
This exports agent data to a CSV for Agents that match the filter. This command exports up to items, and each datum is an item.
Alerts
List Alert Actions
This gets a list of all actions available on Alerts that match the filters.
Alerts
Disconnect Agents From Network
This disconnects agents from network using a filter list. This will create war events, which will be translated to MGMT incoming commands and from there, it will be executed on the management.
Alerts
Reconnect Agent To Network
This reconnects an agent to the network using a filter list. This will create war events, which will be translated to MGMT incoming commands and from there, it will be executed on the management.
Alerts
Mark Alert As Threat With SYPE Suspicious Malicious
This marks Alerts as threats using a filter list. This will create war events, which will be translated to MGMT incoming commands and from there, it will be executed on the management.
Alerts
Update Alert Analyst Verdict
This changes the verdict of an Alert.
Alerts
Update Threat Incident
This updates the incident details of an alert.
Alerts
List Alerts
This gets a list of alerts for a given scope.
Application Management
Inventory Endpoints Data Export
This exports application inventory endpoints data to CSV.
Application Management
Aggregated Application Risk Data Export
This exports aggregated application data to CSV.
Application Management
Application Risk Data Export
This exports application data to CSV.
Application Management
Risk Endpoint Data Export
This exports endpoint data to CSV.
Application Management
Application CVE Data Export
This exports CVE data to CSV.
Application Management
Count Endpoints
This shows a count of endpoints for each filter value.
Application Management
Count Risky Aggregated Applications
This shows a count of risky aggregated applications for each filter value.
Application Management
Count Risky Applications
This shows a count of risky applications for each filter value.
Application Management
Count Risky Endpoints
This shows a count of risky endpoints for each filter value.
Application Management
Count Risky CVEs
This shows a count of risky CVEs for each filter value.
Application Management
Inventory Data Export
This exports application inventory data to CSV.
Application Management
Risks Data Export
This exports risks data to CSV.
Application Management
Count Endpoints By Versions
This shows endpoint count for all versions of selected application.
Application Management
Count Applications
This shows a count of applications for each filter value.
Application Management
List Endpoints
This gets endpoint data for a specific application.
Application Management
Additional Risk Information
This gets additional information about a selected risk.
Application Management
Get Aggregated Applications With Risk
This gets data for all applications. This is available with the CVE Prioritization add-on license.
Application Management
List Risk Application Endpoints
This gets a list of all endpoints installed with a specific application.
Application Management
List Application CVEs
This gets CVE data for a specific application.
Application Management
Scan Availability
This gets information about application vulnerability scan times and availability.
Application Management
Get Application Management SKU
This gets whether Application Management SKU is available for the specified scopes.
Application Management
List Application Inventory
This gets application inventory data grouped by application name and vendor.
Application Management
Get CVE Data
This gets the CVE vulnerability data for each CVE.
Application Management
Initiate Application Vulnerability Scan
This initiates an application vulnerability scan.
Application Management
Risk Detail
This gets detailed information about a selected risk.
Application Risk
List Application Risk
This gets the applications and their data (such as risk level) installed on endpoints with Application Risk-enabled agents that match the filter.
Application Risk
List CVEs
This gets the known CVEs for applications that are installed on endpoints with application risk-enabled agents. Application Risk requires a complete SKU.
Application Risk
Export Applications
This exports the list of applications installed on endpoints with Application Risk-enabled agents and their properties.
Auto Upgrade Policy
List Available Packages
This lists available packages for upgrade policies.
Auto Upgrade Policy
Check if Policy Exists
This checks if upgrade policies exist for given scopes.
Auto Upgrade Policy
List Parent Policies
This gets paginated and ordered parent policies by a given scope.
Auto Upgrade Policy
List Upgrade Policies
This gets paginated and ordered policies by a given scope.
Auto Upgrade Policy
Deactivate Policies
This deactivates all policies.
Auto Upgrade Policy
Policies OS Count
This gets the number of policies for each OS for a given scope level and ID.
Auto Upgrade Policy
Create Policy
This adds a policy.
Auto Upgrade Policy
Update Policy
This updates an existing policy.
Auto Upgrade Policy
Policy Action
This performs an action on a certain policy.
Auto Upgrade Policy
Reorder Policies
This reorders policies.
Auto Upgrade Policy
Set Scope Inheriting
This sets scope inheritance for upgrade policies.
Cloud Funnel
Validate Bucket
This validates bucket permissions.
Cloud Funnel
Validate Query
This verifies that a query is valid before using it as a filter for a Cloud Funnel onboarding.
Cloud Funnel
Get Cloud Funnel Rule
This gets Cloud Funnel onboarding rule details.
Cloud Funnel
Post Onboarding Cloud Funnel
This posts the onboarding Cloud Funnel rule.
Cloud Funnel
Delete Cloud Funnel Rule
This deletes Cloud Funnel onboarding rule.
Cloud Funnel
List Estimate Size Of Events
This gets the estimate size of events in the bucket. You need the estimator ID, which can be generated by running the API Create Estimator ID.
Cloud Funnel
Create Estimator ID
This creates an estimator ID. This is needed to run the API get estimate size of events.
Cloud Provider Account
List Cloud Provider Account Active Health Events
This gets the Cloud Provider Account active health events.
Cloud Resources
Export Cloud Rogue Resources To CSV
This returns the results for given cloud rogues filter in a CSV format.
Cloud Resources
List Cloud Rogue Resources
This returns the cloud rogue resources for given filter.
Config Overrides
List Config Overrides
This views the configuration values that are changed for each agent that matches the filter.
Config Overrides
Create Config Override
This overrides the configuration of agents that match the filter.
Config Overrides
Delete Config Overrides
This deletes the override value. To get the required IDs, run the config override.
Config Overrides
Update Config Override
Use this command to change the value of one configuration value. To get the required ID, run Config Overrides.
Config Overrides
Delete Config Override
This deletes an override value. To get the required ID, run Config Overrides.
Create Exclusion
Create Unified Exclusion
This creates exclusions to make your agents suppress alerts and mitigation for items that you consider to be benign.
Custom Detection Rule
List Rule Actions
This gets a list of all actions available on rules that match the filters.
Custom Detection Rule
Disable Rules
This disables Custom Detection Rules based on a filter.
Custom Detection Rule
Activate Rules
This activates Custom Detection Rules based on a filter.
Custom Detection Rule
List Cloud Detection Rules
This gets a list of Custom Detection Rules for a given scope. Note: You can create and see rules only for your highest available scope.
Custom Detection Rule
Create Rule
This creates a Custom Detection Rule for a scope specified by ID. To get the ID, run accounts, sites, or groups, or set the tenant to true for global.
Custom Detection Rule
Delete Rule
This deletes Custom Detection Rules that match a filter.
Custom Detection Rule
Update Rule
This changes the Custom Detection Rules. This command requires the rule ID. See Get Rules.
Deep Visibility
Create Deep Visibility Query
This starts a Deep Visibility query and gets the query ID.
Deep Visibility
Cancel Running Deep Visibility Query
This stops a Deep Visibility query by query ID. The body is queryID string_ID. As well, this gets the ID of the Deep Visibility query or power query from the initial query. Deep Visibility requires a complete SKU. See Create Query and get Query ID.
Deep Visibility
List Deep Visibility Query Status
This gets the status of a Deep Visibility query. When the status is Finished, you can get the results with the queryId in Get Events.
Deep Visibility
List Deep Visibility Events
This gets all Deep Visibility events from a queryId. You can use this command to send a sub-query (a new query to run on these events). This also gets the ID from the initial query. See Create Query and get Query ID.
Deep Visibility
Get Deep Visibility Process State
This gets the details of all Deep Visibility processes from a query ID. To get the ID from the initial query, see Create Query and get Query ID.
Deep Visibility
Get Events By Type
This gets the Deep Visibility results from the query that matches the valid values of the given event type.
Deep Visibility
Create Power Query
This starts a Deep Visibility power query. This gets back the status and potential results; ping afterwards using the query ID if the query has not finished.
Deep Visibility
Download Source Process File
This downloads the source process file associated with a Deep Visibility event.
Device Control
List Device Rules
This gets the Device Control rules of a specified Account, Site, Group, or Global (tenant) that match the filter.
Device Control
Create Device Control Rule
Use this command to create a new Device Control rule. These rules allow or block devices based on the device identifiers. Rules apply to a scope: global (tenant), account, site, or group. To learn the details of the fields, see HTTPS Support Sentinelone.
Device Control
Delete Device Control Rules
This deletes the Device Control rules that match the filter.
Device Control
Update Device Rule
This changes the Device Control rule that matches the filter. To learn more about the fields, see HTTPS Support Sentinelone.
Device Control
Copy Device Control Rules
You can copy a set of Device Control rules to use in other Accounts, Sites, or Groups. Copy rules from a source.
Device Control
Move Device Control Rules
This command removes the rule from the source and copies to the targets.
Device Control
Reorder Device Control Rules
This reorders rules for the S1 filtering logic.
Device Control
Get Device Control Configuration
This gets the Device Control configuration for a given scope.
Device Control
Update Device Control Configuration
Use this command to change the Device Control configuration.
Device Control
Export Device Control Rules
This exports the Device Control rules to a CSV file.
Device Control
List Device Control Events
This gets the data of Device Control events on Windows and macOS endpoints with Device Control-enabled agents that match the filter. Device Control requires Control SKU. Linux agents do not support Device Control.
Device Control
Enable/Disable Device Control Rules
This changes the status of a rule between Enabled and Disabled.
Exclusions And Blocklist
Import Exclusions
This uploads a CSV file that contains exclusion entries to import to a scope in your Management.
Exclusions And Blocklist
Get Exclusion Import Validation Report
This gets the Validation Report generated for the import to help you fix entries that did not import successfully.
Exclusions And Blocklist
Import Blocklist Items
This uploads a CSV file that contains blocklist entries to import to a scope in your Management.
Exclusions And Blocklist
Get Blocklist Import Validation Report
This gets the Validation Report generated for the import to help you fix entries that did not import successfully.
Exclusions And Blocklist
List Exclusions
This gets a list of all the Exclusions that match the filter.
Exclusions And Blocklist
Update Exclusions
This changes the properties of an exclusion through the data fields. To get the original data, run Exclusions with a filter to give the item you want.
Exclusions And Blocklist
Create Exclusion
This creates Exclusions to make your agents suppress alerts and mitigation for items that you consider to be benign.
Exclusions And Blocklist
Delete Exclusions
Every exclusion opens a possible security hole. If you decide that an exclusion or multiple Exclusions is not required, use this command to delete it. To get the ID of the exclusion to delete, run the exclusions command.
Exclusions And Blocklist
List Blocklist Items
This gets a list of all the items in the Blocklist that match the filter. To filter the results for a scope: Global: make sure tenant is true and no other scope ID is given. Account: make sure tenant is false and at least one Account ID is given.
Exclusions And Blocklist
Update Blocklist Item
This changes the properties of a Blocklist item through the data fields. To get the original data, run restrictions with a filter to give the item you want.
Exclusions And Blocklist
Create Blocklist Item
This creates a blocklist item for a SHA hash for the scopes you enter in the filter fields. You can add the hash to multiple Groups, Sites, Accounts, and to the Global list.
Exclusions And Blocklist
Delete Blocklist Item
This removes items from the Blocklist.
Exclusions And Blocklist
Validate Exclusion Item
This checks if an exclusion is on the list of SentinelOne items that are Not Allowed or Not Recommended.
Exclusions And Blocklist
Validate Blocklist Item
This checks if a hash is on the list of SentinelOne items that are Not Allowed or Not Recommended.
Exclusions And Blocklist
Export Exclusions
This gets a CSV of all the items in the Exclusions that match the filter. Note: To see items from the Global Exclusion scope, make sure the tenant is set to true and no other scope ID is given.
Exclusions And Blocklist
Export Blocklist
This gets a CSV of all the items in the Blocklist that match the filter. Note: To see items from the Global Blocklist, make sure the tenant is set to true and no other scope ID is given.
Filters
List Saved Filters
This gets the list of saved filters. See Save Filter. The response includes the ID of the filter, which you can use in other commands.
Filters
Save Filter
This saves a new filter to get a list of matching endpoints.
Filters
Update Filter
This updates an existing filter.
Filters
Delete Filter
This deletes a saved filter.
Filters
List Deep Visibility Filters
This gets the saved Deep Visibility queries with full data. See Save Deep Visibility Filters. The response includes the ID of the filter, which you can use in other commands.
Filters
Save Deep Visibility Filter
This saves a Deep Visibility query with data as a filter to get notifications of specific events sent to named recipients.
Filters
Update Deep Visibility Filter
This changes a saved Deep Visibility filter. To get the ID and fields to change, run the Get Deep Visibility filters.
Filters
Delete Deep Visibility Filter
This deletes a saved Deep Visibility query.
Filters
Upload CSV File
This uploads a CSV file for filtering.
Firewall Control
Update Firewall Rule
This changes a Firewall Control rule. This command requires the rule ID, which you can get from Firewall Control. See Get Firewall Rules, Firewall Control Unscoped, and Get Unscoped Rules.
Gateways
List Gateways
This gets the Gateways in your deployment that match the filter from a Ranger scan. Ranger requires a Ranger license.
Gateways
Update Gateways
This changes the status of filtered Gateways discovered by Ranger. You can set the archived status, whether the network behind the gateway may be scanned by Ranger and whether Ranger will scan only local networks.
Gateways
Update Gateway
This changes the Ranger scan configuration for a gateway that the Ranger discovers.
Generic Request
SentinelOne API Request
This is the generic action for making authenticated requests against the SentinelOne API.
Groups
List Groups
This gets the data of groups that match the filter.
Groups
Create Group
This creates a new Group. You must create the Group in a Site (run sites to get the Site ID) for which you have permissions. If you create a dynamic Group, you must have the ID of a filter saved in the Site (run filters with site IDs).
Groups
Regenerate Group Token
This gets a new Group Token for a static Group.
Groups
Get Group
This gets data of a given group. To get a Group ID, run Groups. This command responds with the ID of the site of the group, and the group name and type (whether dynamic or static). Your username must have permissions for the site.
Groups
Update Group
This changes the properties of a group specified by its ID.
Groups
Delete Group
This deletes a group given by the required Group ID.
Groups
Revert Policy
A group can have a policy that is different from its site policy. Use this command to revert the changes on the group policy to inherit the site policy. Your user must have permissions on the site.
Groups
Move Agents
This moves agents that match the filter to a group. The Group ID is required (run groups to get it), and there can only be one. This will move the matched agents that are in the same site as the given group.
Groups
Update Group Ranks
This updates the agent assignment rank for the group.
Groups
Get Group Site Registration Token
This gets the registration token of the group given by ID.
Hashes
Hash Reputation Verdict
This gets the verdict of the hash, given the required SHA. A hash, either malicious or non-malicious, means it has been marked as such by the Reputation's sources. An unknown answer is given for hashes that are not yet known by the Reputation.
Licenses
Update Sites Add Ons
This changes the add-ons of the sites by a given filter.
Live Updates
List Agent Merged Updates
This gets the agent's merged updates.
Locations
List Locations
This gets the locations of agents in a given scope that match the filter.
Locations
Create Location
This creates a location that defines the parameters of agents in a scope filter that the Parameters include.
Locations
Delete Locations
This deletes the location definitions of a given location. To get the location IDs, run locations.
Locations
Update Location
This changes the parameter values of a location definition. See Create Location.
Manage
Update Rule And Alert Limits Per Scope
This updates rules and alert limits for a specific scope.
Manage
Update Custom Hit Aggregation Window Time Per Scope
This updates custom hit aggregation window time for a specific scope.
Manage
Delete Custom Hit Aggregation Window Time
This deletes a custom hit aggregation window time configuration.
Marketplace
List Singularity Marketplace Availability
This returns the Singularity Marketplace availability.
Marketplace
List Singularity Applications Catalogs
This gets the Marketplace Application Catalog.
Marketplace
Update Singularity Application Configuration
This updates the installed application configuration.
Marketplace
Install Applications
This installs an application from the Application Catalog.
Marketplace
Delete Application
This deletes an application integration from your Marketplace.
Marketplace
List Configuration Fields
This gets the Catalog Application Configuration Fields.
Marketplace
Get Configuration Fields For Catalog Application
This returns the configuration schema for a requested Application Catalog.
Marketplace
Enable Or Disable Application
Use this command to enable or disable application integrations that match the filter.
Network Quarantine Control
Create Firewall Rule
This creates a Firewall Control rule for a scope specified by ID.
Network Quarantine Control
Delete Firewall Control Rule
This deletes Firewall Control rules that match the filter.
Network Quarantine Control
Copy Firewall Control Rules
This copies a set of rules to other scopes. In the filter of the body, enter the properties to define the source. In the data field of the body, define the targets by ID. To get a scope ID, run accounts, sites, or groups.
Network Quarantine Control
Move Firewall Control Rules
This removes Firewall Rules defined with the ID of the rules. This also runs Firewall Control from scopes specified by ID (run accounts, sites, or groups) and adds the rules to the scope IDs in the data field. Firewall Control requires a Control SKU.
Network Quarantine Control
Set Location Aware Firewall Control Location
This sets the location attributes for a Location Aware Firewall Control rule. These rules are applied by agents only if the network parameters of the endpoint match the properties of the location definition.
Network Quarantine Control
Reorder Firewall Control Rules
This changes the order of rules for a scope specified by ID (run accounts, sites, or groups).
Network Quarantine Control
Get Firewall Control Configuration
This gets the Firewall Control configuration for a given scope.
Network Quarantine Control
Update Firewall Control Configuration
This changes the Firewall Control configuration for a given scope.
Network Quarantine Control
Export Firewall Control Rules
This exports Firewall Control rules that match the filter to a JSON file from a scope specified by ID.
Network Quarantine Control
Import Rules
This imports Firewall Control rules from an exported JSON file to scopes specified by ID. Run accounts, sites, or groups, or leave the scope empty and set the tenant to true. Firewall Control requires Control SKU in the target and in the source.
Network Quarantine Control
Enable/Disable Firewall Control Rules
This changes the status of a set of Firewall Control rules that match the filter to Enabled or Disabled. In one request, you can set one status or the other.
Network Quarantine Control
List Protocols
This gets a list of protocols that can be used in Firewall Control rules.
Network Quarantine Control
Add Rule Tags
This creates a Firewall Rule tag. Tags represent Firewall policies, a set of rules in a specific order. After you create the tag, add rules to it. Note: Tags apply to a scope and cannot be linked to rules from different scopes.
Network Quarantine Control
Remove Rule Tags
This removes firewall tags from rules matching the filter. Tags represent Firewall policies, a set of rules in a specific order. When you remove a rule with a tag, all scopes that subscribe to the tag get the change.
Policies
Get Group Policy
This gets the policy of the group given by ID.
Policies
Update Group Policy
This changes the policy for the group given by ID.
Policies
Get Site Policy
This gets the policy of the site given by ID. To get the ID of a site, run sites. See also Get Policy.
Policies
Update Site Policy
This changes the policy for the site given by ID.
Policies
Get Account Policy
This gets the policy for the account given by ID. To get the ID of an account, run accounts. See also Get Policy.
Policies
Update Account Policy
This changes the policy for the account given by ID.
Policies
Get Global Policy
This gets the Global policy. This is the default policy for your deployment. See also Get Policy.
Policies
Update Global Policy
This changes the policy of your deployment.
Reports
S1 Rss Feed
This gets the SentinelOne RSS feed. In the SentinelOne Management Console, we show the feed contents in the Dashboard.
Reports
List Reports
This gets the reports that match the filter and the data of the reports.
Reports
List Report Tasks
This gets the tasks that were done to generate reports and to schedule future reports.
Reports
Create Report Task
This creates a task to generate a report immediately, one time in the future, or on a schedule.
Reports
Update Report Task
This updates the report task of the given ID. To get the task ID and the data to change, run Get Report Tasks.
Reports
Delete Reports
This deletes the reports that match the filter. To delete a specific report, use its ID (see Get Reports).
Reports
Delete Report Tasks
You can schedule a report to be generated on a routine. Use this command to remove a task to generate a report in the future. To get an ID to delete a specific task, see Get Report Tasks.
Reports
Download Report
When the Management generates a report, it is uploaded to the Management Console. Use this command to get the report as a PDF or HTML file. To get the ID of the report, see Get Reports.
Reports
List Insight Report Types
This gets the Insight Report types.
Rogues
Get Rogues Table
This gets the data for each row in the Rogues Device Inventory Table.
Rogues
Export Rogues Data
This exports Rogues data into CSV. You can set filters to get only the relevant data. The response sends the CSV data as text.
Rogues
List Rogues Settings
This lists settings for S1 Rogue Service.
Rogues
Update Rogues Settings
This changes the Rogues Settings.
Service Users
List Service Users
This gets a list of service users.
Service Users
Create Service User
This creates a new service user.
Service Users
Export Service Users
This exports Service User data into a CSV for Service Users that match the filter.
Service Users
Update Service User
This changes the properties of the service user with the given ID.
Service Users
Delete Service User
This deletes a service user by ID.
Service Users
Bulk Delete Service Users
This deletes all service users that match the filter.
Settings
Get Application Management Settings
This gets the Application Management settings.
Settings
Update Application Management Settings
This updates the Application Management settings.
Sites
List Sites
This gets the Sites that match the filters. The response includes the IDs of Sites, which you can use in other commands.
Sites
Create Site
This creates a Site. This requires an Admin role with a Global scope or Account scope that has permissions over the Account to which the Site will belong. You must have a license for a new Site. In the body of this request, include the policy.
Sites
Export Sites
This exports Sites data to a CSV for Sites that match the filter.
Sites
Get Site
This gets the data of the Site of the ID. To get the ID, run sites. The response shows the Site expiration date, SKU licenses total, active token, Account name and ID, who and when it was created or changed, and its status.
Sites
Update Site
This changes the policy and properties of the Site given by ID. To get the ID, run sites.
Sites
Delete Site
This deletes the Site of the given ID. To get the ID, run sites. You must have an Admin role with scope access that includes the Site.
Sites
Get Site Registration Token
This gets the registration token of the Site of the ID.
Sites
Revert Site Policy
When a Site is created through the Console, it gets the Global policy. If you change the policy and later want it set to the Global policy, use this command. The site_id is required. You can get it from sites.
Sites
Create Site And User
This creates a Site and an Admin role user. This requires an Admin role with a Global scope or Account scope that has permissions over the Account to which the Site will belong. You must have a license for a new Site.
Sites
Regenerate Site Key
This regenerates the key for the given Site. To get the site_id, use sites.
Sites
Reactivate Site
This reactivates an expired Site. You must have an Admin role with scope access that includes this Site, and you must have a license for the Site. To get the site_id, run sites.
Sites
Expire Site
This expires the Site of the given ID. Run sites to get the ID. You must have an Admin role with scope access that includes this Site.
Sites
Update Sites
This changes the properties of the Sites given by IDs. To get the IDs, run sites.
Sites
Get Local Upgrade Site Authorization
This gets the time when authorization of local upgrades expires, as well as the number of Agents authorized for local upgrade in this Site.
Sites
Edit Local Upgrade Site Authorization
Use the Edit function when authorization of local upgrades expires. This returns the number of Agents authorized for local upgrade in this Site.
Sites
Get A CSV File Of Local Upgrade Site Authorization Data
This gets a CSV file containing the Agents authorized for local upgrade in this Site.
System
System Info
This gets the Console build, version, patch, and release information.
System
System Status
This gets an indication of the system's health status.
System
Get System Config
This gets the configuration of your SentinelOne system. The response shows the basic information of the deployed SKUs, licenses, 2FA, and the Management URL.
System
Set System Config
This changes the system configuration. Before you run this, see Get System Config. This command requires a Global Admin user or Support.
Tag Manager
Create A New Endpoint Tag
Each tag must contain a type endpoint. Key value is optional but recommended. A description is optional.
Tag Manager
Delete Endpoint Tags
This deletes all tags that match the filters.
Tag Manager
Edit Endpoint Tag
This changes the key value or description of a tag.
Tags
List Tags
This gets a list of tags that match the filter.
Tags
Create Tags
This adds tags to create user defined logical groups.
Tags
Delete Tags
This deletes tags by given filter.
Tags
Edit Tag
This changes the properties of a tag.
Tags
Delete Tag
This deletes a tag by ID.
Tasks
Get Task Configuration
This gets the task configuration of a scope.
Tasks
Create Task
This creates a task configuration.
Tasks
Check if Task Configuration has Child Scopes
From a given scope, this allows you to see if there are scopes under it that have local explicit tasks. The response returns True if a subscope has a local, not inherited task configuration.
Tasks
Get Child Scope Task Configuration
This gets the task configuration of child scopes of the given scope if the tasks are not inherited.
Threat Intelligence
Update Custom Custom App Configuration Per Scope
This updates a custom app configuration for a specific scope.
Threat Intelligence
Delete Custom Config App
This deletes a custom app configuration.
Threat Intelligence
List IoCs
This gets the IOCs of a specified Account that match the filter.
Threat Intelligence
Create IoCs
This adds an IoC to the Threat Intelligence database.
Threat Intelligence
Delete IoCs
This deletes an IoC from the Threat Intelligence database that matches a filter using the accountID and one other field.
Threat Intelligence
Get IOC Enrichment For Threat
This gets IoC enrichment of a specified threat and the events associated with the threat.
Threat Notes
List Threat Notes
This gets the threat notes that match the filter.
Threat Notes
Add Note To Multiple
This adds a threat note to multiple threats.
Threat Notes
Update Threat Note
This changes the text of a threat note.
Threat Notes
Delete Threat Note
This deletes a threat note.
Threats
List Threats
This gets the data of threats that match the filter.
Threats
Mitigate Threats
This applies a mitigation action to a group of threats that match the filter.
Threats
Add To Blocklist
This adds threats that have a SHA hash and that match the filter to the Blocklist of the target scope: Global, Account, Site, or Group.
Threats
Fetch Threat File
This fetches a file associated with the threat that matches the filter. Your user role must have permissions to Fetch Threat File (Admin, IR Team, SOC).
Threats
Disable Engines
If your list of threats shows too many False Positives, use this command to troubleshoot the Agent Engines that return unexpected results in your deployment.
Threats
Exclusion Options
This gets the Exclusion types that can be created from the detection data.
Threats
List Threat Events
This gets all the threat events.
Threats
Add Threat to Exclusions
This adds a threat to exclusions.
Threats
Export Threats
This exports data of threats, as seen in the Console Incidents, that match the filter. Note: Use the filter. This command exports only items; each datum is an item.
Threats
Add To Blocklist Deep Visibility
This adds a SHA hash to the Blocklist from Deep Visibility results.
Threats
Mark Deep Visibility Event As Threat
This marks an event from Deep Visibility data as a threat.
Threats
Export Mitigation Report
This exports the mitigation report as a CSV file.
Threats
Updated Threat Incident
This updates the incident details of a threat.
Threats
Update Threat Analyst Verdict
This changes the verdict of a threat as determined by a Console user.
Threats
Update Threat External Ticket ID
This changes the external ticket ID of a threat.
Threats
Download From Cloud
This downloads the threat file from the cloud.
Threats
Disconnect Container
This performs a network quarantine on a specific container.
Threats
Reconnect Container
This restores network to a container that was disconnected.
Threats
Get Threat Timeline
This gets a threat's timeline.
Threats
Export Threat Timeline
This exports a threat's timeline.
Threats
Export Events
This exports threat events in CSV or JSON format.
Update Exclusion
Update Unified Exclusion
This changes the properties of an exclusion through the data fields. To get the original data, run exclusions with a filter to give the item you want.
Updates
List Latest Agent Agent Packages
This gets the agent packages that are uploaded to your Management. The response shows the data of each package, including the IDs, which you can use in other commands.
Updates
Delete Agent Packages
This deletes agent packages from your Management. Use the IDs from Get Latest Packages.
Updates
Update Agent Package
This updates the metadata for an existing package.
Users
List Users
This gets a list of users.
Users
Create User
This creates a new user.
Users
Export Users
This exports user data to a CSV for users that match the filter.
Users
Get User
This gets a user by ID.
Users
Update User
This changes the properties of the user of the given ID.
Users
Delete User
This deletes a user by ID.
Users
Bulk Delete Users
This deletes all users that match the filter.
Users
Enable 2FA
This enables two-factor authentication for a given user.
Users
Disable 2FA
This disables two-factor authentication for one user. This requires the ID of the user (run users).
Users
Enable 2FA App
This enables support for the 2FA app, such as Duo or Google Authenticator, that your Console users will use to log in.
Users
Change Password
This changes the user password.
Users
Check Global User
This allows you to see if the logged-in user is a user with the Global scope of access.
Users
Check Remote Shell Permissions
This allows you to see if the logged-in user is allowed to use Remote Shell.
Users
Check if User is Viewer
This allows you to see if the logged-in user only has viewer permissions.
Users
Send Verification Email
This sends a verification email to users that match the filter. Warning: Active users will be locked out of the Management Console until they verify unless set_user_password_methods is on their email.
Users
Reset 2FA
This resets the 2FA for users.
Users
Delete 2FA
This deletes the 2FA for users.
Users
Enroll 2FA
This enrolls users for 2FA setup.
Users
Update 2FA Email
This updates the two-factor authentication recovery email.
Users
Verify 2FA Code
This verifies the 2FA code for a user.
Users
Set A New Password
This sets a new password for the user. This is used for forced password reset and password expiration flows. This accepts temporary tokens from users login with error codes.
Users
Send Reset Password Email
This prompts to reset the password for users.
Users
Reset Password On Next Login
This forces users to reset their password on next login.
