diff --git a/plugins/sentinelone/.CHECKSUM b/plugins/sentinelone/.CHECKSUM
index 1c6b28e0c2..3896d26d2a 100644
--- a/plugins/sentinelone/.CHECKSUM
+++ b/plugins/sentinelone/.CHECKSUM
@@ -1,7 +1,7 @@
 {
- "spec": "dac00ac144819c2b6ce56c06dcb348b6",
- "manifest": "2f573b690ac68f509865a057c164c217",
- "setup": "5188937ffa1bab0ae8d41c9584a192e2",
+ "spec": "175814e9d6bf3496067ab005bc81ab74",
+ "manifest": "bf2f37bb010ec31daf0a4aee3ae45b89",
+ "setup": "1e8d3387ed4d46dc2171d7ee9c3c4a2c",
 "schemas": [
 {
 "identifier": "activities_list/schema.py",
diff --git a/plugins/sentinelone/Dockerfile b/plugins/sentinelone/Dockerfile
index a8b07648cd..131a50764e 100755
--- a/plugins/sentinelone/Dockerfile
+++ b/plugins/sentinelone/Dockerfile
@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 rapid7/insightconnect-python-3-slim-plugin:6.1.0
+FROM --platform=linux/amd64 rapid7/insightconnect-python-3-slim-plugin:6.2.2
 LABEL organization=rapid7
 LABEL sdk=python
diff --git a/plugins/sentinelone/bin/komand_sentinelone b/plugins/sentinelone/bin/komand_sentinelone
index 8a09964571..752ccb6e9d 100755
--- a/plugins/sentinelone/bin/komand_sentinelone
+++ b/plugins/sentinelone/bin/komand_sentinelone
@@ -6,7 +6,7 @@ from sys import argv
 Name = "SentinelOne"
 Vendor = "rapid7"
-Version = "11.1.2"
+Version = "11.1.3"
 Description = "The SentinelOne plugin allows you to manage and mitigate all your security operations through SentinelOne"
diff --git a/plugins/sentinelone/help.md b/plugins/sentinelone/help.md
index 2443f55ebc..d5895f8533 100644
--- a/plugins/sentinelone/help.md
+++ b/plugins/sentinelone/help.md
@@ -767,7 +767,7 @@ Example input: |Name|Type|Required|Description|Example| | :--- | :--- | :--- | :--- | :--- | |errors|[]object|False|Errors|[]| -|events|[]eventData|False|Response events data|[{"accountId": "1000000000000000000", "agentDomain": "WORKGROUP", "agentGroupId": "1000000000000000000", "agentId": "1000000000000000000", "agentInfected": True, "agentIp": "198.51.100.1", "agentIsActive": True, "agentIsDecommissioned": False, "agentMachineType": "laptop", "agentName": "Example Name", "agentNetworkStatus": "connected", "agentOs": "windows", "agentTimestamp": "2023-10-23T00:00:00.000Z", "agentUuid": "9de5069c5afe602b2ea0a04b66beb2c0", "createdAt": "2023-10-23T00:00:00.000Z", "endpointMachineType": "desktop", "endpointName": "Example Name", "endpointOs": "windows", "eventTime": "2023-10-23T00:00:00.000Z", "eventType": "Task Update", "id": "1000000000000000000", "isAgentVersionFullySupportedForPg": False, "isAgentVersionFullySupportedForPgMessage": "Example message", "lastActivatedAt": "2023-10-23T00:00:00.000Z", "objectType": "scheduled_task", "parentProcessUniqueKey": "ABCD1234", "pid": "1234", "processGroupId": "ABCD1234", "processIntegrityLevel": "INTEGRITY_LEVEL_UNKNOWN", "processStartTime": "2023-10-23T00:00:00.000Z", "processUniqueKey": "ABCD1234", "relatedToThreat": "False", "siteId": "1000000000000000000", "storyline": "ABCD1234", "taskName": "Example Name", "trueContext": "ABCD1234"}, {"accountId": "1000000000000000001", "agentDomain": "WORKGROUP", "agentGroupId": "1000000000000000001", "agentId": "1000000000000000001", "agentInfected": True, "agentIp": "198.51.100.1", "agentIsActive": True, "agentIsDecommissioned": False, "agentMachineType": "laptop", "agentName": "Example Name", "agentNetworkStatus": "connected", "agentOs": "windows", "agentTimestamp": "2023-10-23T00:00:00.000Z", "agentUuid": "9de5069c5afe602b2ea0a04b66beb2c0", "createdAt": "2023-10-23T00:00:00.000Z", "endpointMachineType": "desktop", "endpointName": "Example Name", "endpointOs": 
"windows", "eventTime": "2023-10-23T00:00:00.000Z", "eventType": "Task Update", "id": "1000000000000000001", "isAgentVersionFullySupportedForPg": False, "isAgentVersionFullySupportedForPgMessage": "Example message", "lastActivatedAt": "2023-10-23T00:00:00.000Z", "objectType": "scheduled_task", "parentProcessUniqueKey": "ABCD1234", "pid": "1234", "processGroupId": "ABCD1234", "processIntegrityLevel": "INTEGRITY_LEVEL_UNKNOWN", "processStartTime": "2023-10-23T00:00:00.000Z", "processUniqueKey": "ABCD1234", "relatedToThreat": "False", "siteId": "1000000000000000001", "storyline": "ABCD1234", "taskName": "Example Name", "trueContext": "ABCD1234"}]| +|events|[]eventData|False|Response events data|[{"accountId": "1000000000000000000", "agentDomain": "WORKGROUP", "agentGroupId": "1000000000000000000", "agentId": "1000000000000000000", "agentInfected": True, "agentIp": "198.51.100.1", "agentIsActive": True, "agentIsDecommissioned": False, "agentMachineType": "laptop", "agentName": "Example Name", "agentNetworkStatus": "connected", "agentOs": "windows", "agentTimestamp": "2023-10-23T00:00:00.000Z", "agentUuid": "9de5069c5afe602b2ea0a04b66beb2c0", "createdAt": "2023-10-23T00:00:00.000Z", "endpointMachineType": "desktop", "endpointName": "Example Name", "endpointOs": "windows", "eventTime": "2023-10-23T00:00:00.000Z", "eventType": "Task Update", "id": "1000000000000000000", "isAgentVersionFullySupportedForPg": False, "isAgentVersionFullySupportedForPgMessage": "Example message", "lastActivatedAt": "2023-10-23T00:00:00.000Z", "objectType": "scheduled_task", "parentProcessUniqueKey": "ABCD1234", "pid": "1234", "processGroupId": "ABCD1234", "processIntegrityLevel": "INTEGRITY_LEVEL_UNKNOWN", "processStartTime": "2023-10-23T00:00:00.000Z", "processUniqueKey": "ABCD1234", "relatedToThreat": "False", "siteId": "1000000000000000000", "storyline": "ABCD1234", "taskName": "Example Name", "trueContext": "ABCD1234"}, {"accountId": "1000000000000000001", "agentDomain": "WORKGROUP", 
"agentGroupId": "1000000000000000001", "agentId": "1000000000000000001", "agentInfected": True, "agentIp": "198.51.100.1", "agentIsActive": True, "agentIsDecommissioned": False, "agentMachineType": "laptop", "agentName": "Example Name", "agentNetworkStatus": "connected", "agentOs": "windows", "agentTimestamp": "2023-10-23T00:00:00.000Z", "agentUuid": "9de5069c5afe602b2ea0a04b66beb2c0", "createdAt": "2023-10-23T00:00:00.000Z", "endpointMachineType": "desktop", "endpointName": "Example Name", "endpointOs": "windows", "eventTime": "2023-10-23T00:00:00.000Z", "eventType": "Task Update", "id": "1000000000000000001", "isAgentVersionFullySupportedForPg": False, "isAgentVersionFullySupportedForPgMessage": "Example message", "lastActivatedAt": "2023-10-23T00:00:00.000Z", "objectType": "scheduled_task", "parentProcessUniqueKey": "ABCD1234", "pid": "1234", "processGroupId": "ABCD1234", "processIntegrityLevel": "INTEGRITY_LEVEL_UNKNOWN", "processStartTime": "2023-10-23T00:00:00.000Z", "processUniqueKey": "ABCD1234", "relatedToThreat": "False", "siteId": "1000000000000000001", "storyline": "ABCD1234", "taskName": "Example Name", "trueContext": "ABCD1234"}]| Example output: 
@@ -884,8 +884,7 @@ Example input: |Name|Type|Required|Description|Example| | :--- | :--- | :--- | :--- | :--- | |errors|[]object|False|Errors|[]| -|events|[]eventData|False|Response events data|[{"accountId": "1000000000000000000", "agentDomain": "WORKGROUP", "agentGroupId": "1000000000000000000", "agentId": "1000000000000000000", "agentInfected": true, "agentIp": "198.51.100.1", "agentIsActive": true, "agentIsDecommissioned": false, "agentMachineType": "laptop", "agentName": "Example Name", "agentNetworkStatus": "connected", "agentOs": "windows", "agentTimestamp": "2023-10-23T00:00:00.000Z", "agentUuid": "9de5069c5afe602b2ea0a04b66beb2c0", "createdAt": "2023-10-23T00:00:00.000Z", "endpointMachineType": "desktop", "endpointName": "Example Name", "endpointOs": "windows", "eventTime": "2023-10-23T00:00:00.000Z", "eventType": "Task Update", "id": "1000000000000000000", "isAgentVersionFullySupportedForPg": false, "isAgentVersionFullySupportedForPgMessage": "Example message", "lastActivatedAt": "2023-10-23T00:00:00.000Z", "objectType": "scheduled_task", "parentProcessUniqueKey": "ABCD1234", "pid": "1234", "processGroupId": "ABCD1234", "processIntegrityLevel": "INTEGRITY_LEVEL_UNKNOWN", "processStartTime": "2023-10-23T00:00:00.000Z", "processUniqueKey": "ABCD1234", "relatedToThreat": "False", "siteId": "1000000000000000000", "storyline": "ABCD1234", "taskName": "Example Name", "trueContext": "ABCD1234"}, {"accountId": "1000000000000000001", "agentDomain": "WORKGROUP", "agentGroupId": "1000000000000000001", "agentId": "1000000000000000001", "agentInfected": true, "agentIp": "198.51.100.1", "agentIsActive": true, "agentIsDecommissioned": false, "agentMachineType": "laptop", "agentName": "Example Name", "agentNetworkStatus": "connected", "agentOs": "windows", "agentTimestamp": "2023-10-23T00:00:00.000Z", "agentUuid": "9de5069c5afe602b2ea0a04b66beb2c0", "createdAt": "2023-10-23T00:00:00.000Z", "endpointMachineType": "desktop", "endpointName": "Example Name", "endpointOs": 
"windows", "eventTime": "2023-10-23T00:00:00.000Z", "eventType": "Task Update", "id": "1000000000000000001", "isAgentVersionFullySupportedForPg": false, "isAgentVersionFullySupportedForPgMessage": "Example message", "lastActivatedAt": "2023-10-23T00:00:00.000Z", "objectType": "scheduled_task", "parentProcessUniqueKey": "ABCD1234", "pid": "1234", "processGroupId": "ABCD1234", "processIntegrityLevel": "INTEGRITY_LEVEL_UNKNOWN", "processStartTime": "2023-10-23T00:00:00.000Z", "processUniqueKey": "ABCD1234", "relatedToThreat": "False", "siteId": "1000000000000000001", "storyline": "ABCD1234", "taskName": "Example Name", "trueContext": "ABCD1234"}]| - +|events|[]eventData|False|Response events data|[{"accountId": "1000000000000000000", "agentDomain": "WORKGROUP", "agentGroupId": "1000000000000000000", "agentId": "1000000000000000000", "agentInfected": True, "agentIp": "198.51.100.1", "agentIsActive": True, "agentIsDecommissioned": False, "agentMachineType": "laptop", "agentName": "Example Name", "agentNetworkStatus": "connected", "agentOs": "windows", "agentTimestamp": "2023-10-23T00:00:00.000Z", "agentUuid": "9de5069c5afe602b2ea0a04b66beb2c0", "createdAt": "2023-10-23T00:00:00.000Z", "endpointMachineType": "desktop", "endpointName": "Example Name", "endpointOs": "windows", "eventTime": "2023-10-23T00:00:00.000Z", "eventType": "Task Update", "id": "1000000000000000000", "isAgentVersionFullySupportedForPg": False, "isAgentVersionFullySupportedForPgMessage": "Example message", "lastActivatedAt": "2023-10-23T00:00:00.000Z", "objectType": "scheduled_task", "parentProcessUniqueKey": "ABCD1234", "pid": "1234", "processGroupId": "ABCD1234", "processIntegrityLevel": "INTEGRITY_LEVEL_UNKNOWN", "processStartTime": "2023-10-23T00:00:00.000Z", "processUniqueKey": "ABCD1234", "relatedToThreat": "False", "siteId": "1000000000000000000", "storyline": "ABCD1234", "taskName": "Example Name", "trueContext": "ABCD1234"}, {"accountId": "1000000000000000001", "agentDomain": "WORKGROUP", 
"agentGroupId": "1000000000000000001", "agentId": "1000000000000000001", "agentInfected": True, "agentIp": "198.51.100.1", "agentIsActive": True, "agentIsDecommissioned": False, "agentMachineType": "laptop", "agentName": "Example Name", "agentNetworkStatus": "connected", "agentOs": "windows", "agentTimestamp": "2023-10-23T00:00:00.000Z", "agentUuid": "9de5069c5afe602b2ea0a04b66beb2c0", "createdAt": "2023-10-23T00:00:00.000Z", "endpointMachineType": "desktop", "endpointName": "Example Name", "endpointOs": "windows", "eventTime": "2023-10-23T00:00:00.000Z", "eventType": "Task Update", "id": "1000000000000000001", "isAgentVersionFullySupportedForPg": False, "isAgentVersionFullySupportedForPgMessage": "Example message", "lastActivatedAt": "2023-10-23T00:00:00.000Z", "objectType": "scheduled_task", "parentProcessUniqueKey": "ABCD1234", "pid": "1234", "processGroupId": "ABCD1234", "processIntegrityLevel": "INTEGRITY_LEVEL_UNKNOWN", "processStartTime": "2023-10-23T00:00:00.000Z", "processUniqueKey": "ABCD1234", "relatedToThreat": "False", "siteId": "1000000000000000001", "storyline": "ABCD1234", "taskName": "Example Name", "trueContext": "ABCD1234"}]| Example output: ``` 
@@ -1023,8 +1022,8 @@ This action is used to gets summary of all threats |Name|Type|Required|Description|Example| | :--- | :--- | :--- | :--- | :--- | -|data|[]threatData|False|Data|[{"agentOsType": "windows", "automaticallyResolved": False, "cloudVerdict": "black", "id": "1000000000000000000", "engines": ["reputation"], "fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", "fromCloud": False, "mitigationMode": "protect", "mitigationReport": {"quarantine": {"status": "success"}, "kill": {"status": "success"}}, "rank": 7, "siteName": "Example Site", "whiteningOptions": ["hash"], "agentComputerName": "vagrant-pc", "collectionId": "1000000000000000000", "createdAt": "2019-02-21T16:05:49.251201Z", "mitigationStatus": "active", "classificationSource": "Static", "resolved": True, "accountName": "Example Account", "fileVerificationType": "NotSigned", "siteId": "1000000000000000000", "fileIsExecutable": False, "fromScan": False, "agentNetworkStatus": "disconnecting", "createdDate": "2019-02-21T16:05:49.175000Z", "accountId": "1000000000000000000", "initiatedBy": "agentPolicy", "initiatedByDescription": "Agent Policy", "threatAgentVersion": "3.0.1.3", "username": "vagrant-pc\\\\vagrant", "agentVersion": "3.0.1.3", "classifierName": "STATIC", "fileExtensionType": "Executable", "agentDomain": "WORKGROUP", "fileIsSystem": False, "agentInfected": False, "isCertValid": False, "isInteractiveSession": False, "isPartialStory": False, "updatedAt": "2020-05-28T21:53:36.064425Z", "agentId": "1000000000000000000", "agentMachineType": "desktop", "classification": "Malware", "markedAsBenign": False, "threatName": "EICAR.com", "agentIsDecommissioned": True, "description": "malware detected - not mitigated yet (static engin...", "fileDisplayName": "EICAR.com", "agentIp": "198.51.100.1", "agentIsActive": False, "fileObjectId": "1234567890", "filePath": "\\\\Device\\\\HarddiskVolume2\\\\Users\\\\vagrant\\\\Desktop\\\\EICA...", "maliciousGroupId": "1234567890"}]| 
-|errors|[]object|False|Errors|[]| +|data|[]threatData|False|Data|[{"agentOsType": "windows", "automaticallyResolved": False, "cloudVerdict": "black", "id": "1000000000000000000", "engines": ["reputation"], "fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", "fromCloud": False, "mitigationMode": "protect", "mitigationReport": {"quarantine": {"status": "success"}, "kill": {"status": "success"}}, "rank": 7, "siteName": "Example Site", "whiteningOptions": ["hash"], "agentComputerName": "vagrant-pc", "collectionId": "1000000000000000000", "createdAt": "2019-02-21T16:05:49.251201Z", "mitigationStatus": "active", "classificationSource": "Static", "resolved": True, "accountName": "Example Account", "fileVerificationType": "NotSigned", "siteId": "1000000000000000000", "fileIsExecutable": False, "fromScan": False, "agentNetworkStatus": "disconnecting", "createdDate": "2019-02-21T16:05:49.175000Z", "accountId": "1000000000000000000", "initiatedBy": "agentPolicy", "initiatedByDescription": "Agent Policy", "threatAgentVersion": "3.0.1.3", "username": "vagrant-pc\\vagrant", "agentVersion": "3.0.1.3", "classifierName": "STATIC", "fileExtensionType": "Executable", "agentDomain": "WORKGROUP", "fileIsSystem": False, "agentInfected": False, "isCertValid": False, "isInteractiveSession": False, "isPartialStory": False, "updatedAt": "2020-05-28T21:53:36.064425Z", "agentId": "1000000000000000000", "agentMachineType": "desktop", "classification": "Malware", "markedAsBenign": False, "threatName": "EICAR.com", "agentIsDecommissioned": True, "description": "malware detected - not mitigated yet (static engin...", "fileDisplayName": "EICAR.com", "agentIp": "198.51.100.1", "agentIsActive": False, "fileObjectId": "1234567890", "filePath": "\\Device\\HarddiskVolume2\\Users\\vagrant\\Desktop\\EICA...", "maliciousGroupId": "1234567890"}]| +|errors|[]object|False|Errors|[]|', '|data|[]threatData|False|Data|[{"agentOsType": "windows", "automaticallyResolved": False, "cloudVerdict": 
"black", "id": "1000000000000000000", "engines": ["reputation"], "fileContentHash": "3395856ce81f2b7382dee72602f798b642f14140", "fromCloud": False, "mitigationMode": "protect", "mitigationReport": {"quarantine": {"status": "success"}, "kill": {"status": "success"}}, "rank": 7, "siteName": "Example Site", "whiteningOptions": ["hash"], "agentComputerName": "vagrant-pc", "collectionId": "1000000000000000000", "createdAt": "2019-02-21T16:05:49.251201Z", "mitigationStatus": "active", "classificationSource": "Static", "resolved": True, "accountName": "Example Account", "fileVerificationType": "NotSigned", "siteId": "1000000000000000000", "fileIsExecutable": False, "fromScan": False, "agentNetworkStatus": "disconnecting", "createdDate": "2019-02-21T16:05:49.175000Z", "accountId": "1000000000000000000", "initiatedBy": "agentPolicy", "initiatedByDescription": "Agent Policy", "threatAgentVersion": "3.0.1.3", "username": "vagrant-pc\\\\vagrant", "agentVersion": "3.0.1.3", "classifierName": "STATIC", "fileExtensionType": "Executable", "agentDomain": "WORKGROUP", "fileIsSystem": False, "agentInfected": False, "isCertValid": False, "isInteractiveSession": False, "isPartialStory": False, "updatedAt": "2020-05-28T21:53:36.064425Z", "agentId": "1000000000000000000", "agentMachineType": "desktop", "classification": "Malware", "markedAsBenign": False, "threatName": "EICAR.com", "agentIsDecommissioned": True, "description": "malware detected - not mitigated yet (static engin...", "fileDisplayName": "EICAR.com", "agentIp": "198.51.100.1", "agentIsActive": False, "fileObjectId": "1234567890", "filePath": "\\\\Device\\\\HarddiskVolume2\\\\Users\\\\vagrant\\\\Desktop\\\\EICA...", "maliciousGroupId": "1234567890"}]| |pagination|pagination|False|Pagination|{'totalItems': 1}| Example output: 
@@ -1400,7 +1399,7 @@ Example input: |Name|Type|Required|Description|Example| | :--- | :--- | :--- | :--- | :--- | -|agents|[]agentData|False|Detailed information about agents found|[{"accountId": "100000000000000000", "accountName": "Example Name", "activeThreats": 0, "agentVersion": "1.0.2.3", "allowRemoteShell": False, "appsVulnerabilityStatus": "up_to_date", "computerName": "hostname123", "consoleMigrationStatus": "N/A", "coreCount": 1, "cpuCount": 1, "cpuId": "CPU A0 v1 @ 3.00GHz", "createdAt": "2023-01-01T00:00:00.000000Z", "domain": "WORKGROUP", "encryptedApplications": False, "externalIp": "198.51.100.1", "firewallEnabled": True, "groupId": "100000000000000000", "groupIp": "1.2.3.x", "groupName": "Example Group", "id": "100000000000000000", "inRemoteShellSession": False, "infected": False, "installerType": ".exe", "isActive": True, "isDecommissioned": False, "isPendingUninstall": False, "isUninstalled": False, "isUpToDate": True, "lastActiveDate": "2023-01-01T00:00:00.000000Z", "lastIpToMgmt": "198.51.100.1", "locationEnabled": True, "locationType": "fallback", "locations": [{"id": "100000000000000000", "name": "Fallback", "scope": "global"}], "machineType": "server", "mitigationMode": "protect", "mitigationModeSuspicious": "detect", "modelName": "Example Model", "networkInterfaces": [{"id": "100000000000000000", "inet": ["198.51.100.1"], "inet6": ["2001:db8:1:1:1:1:1:1"], "name": "Ethernet", "physical": "12-34-56-67-89-12"}], "networkQuarantineEnabled": False, "networkStatus": "disconnected", "operationalState": "na", "operationalStateExpiration": "None", "osArch": "64 bit", "osName": "System Name", "osRevision": "9200", "osStartTime": "2023-01-01T00:00:00Z", "osType": "windows", "osUsername": "None", "rangerStatus": "NotApplicable", "rangerVersion": "None", "registeredAt": "2023-01-01T00:00:00.000000Z", "remoteProfilingState": "disabled", "remoteProfilingStateExpiration": "None", "scanAbortedAt": "None", "scanFinishedAt": "2023-01-01T00:00:00.000000Z", 
"scanStartedAt": "2023-01-01T00:00:00.000000Z", "scanStatus": "finished", "siteId": "100000000000000000", "siteName": "Example Site", "threatRebootRequired": False, "totalMemory": 1023, "updatedAt": "2023-01-01T00:00:00.000000Z", "uuid": "9de5069c5afe602b2ea0a04b66beb2c0"}]| +|agents|[]agentData|False|Detailed information about agents found|[{"accountId": "100000000000000000", "accountName": "Example Name", "activeThreats": 0, "agentVersion": "1.0.2.3", "allowRemoteShell": False, "appsVulnerabilityStatus": "up_to_date", "computerName": "hostname123", "consoleMigrationStatus": "N/A", "coreCount": 1, "cpuCount": 1, "cpuId": "CPU A0 v1 @ 3.00GHz", "createdAt": "2023-01-01T00:00:00.000000Z", "domain": "WORKGROUP", "encryptedApplications": False, "externalIp": "198.51.100.1", "firewallEnabled": True, "groupId": "100000000000000000", "groupIp": "1.2.3.x", "groupName": "Example Group", "id": "100000000000000000", "inRemoteShellSession": False, "infected": False, "installerType": ".exe", "isActive": True, "isDecommissioned": False, "isPendingUninstall": False, "isUninstalled": False, "isUpToDate": True, "lastActiveDate": "2023-01-01T00:00:00.000000Z", "lastIpToMgmt": "198.51.100.1", "locationEnabled": True, "locationType": "fallback", "locations": [{"id": "100000000000000000", "name": "Fallback", "scope": "global"}], "machineType": "server", "mitigationMode": "protect", "mitigationModeSuspicious": "detect", "modelName": "Example Model", "networkInterfaces": [{"id": "100000000000000000", "inet": ["198.51.100.1"], "inet6": ["2001:db8:1:1:1:1:1:1"], "name": "Ethernet", "physical": "12-34-56-67-89-12"}], "networkQuarantineEnabled": False, "networkStatus": "disconnected", "operationalState": "na", "operationalStateExpiration": "None", "osArch": "64 bit", "osName": "System Name", "osRevision": "9200", "osStartTime": "2023-01-01T00:00:00Z", "osType": "windows", "osUsername": "None", "rangerStatus": "NotApplicable", "rangerVersion": "None", "registeredAt": 
"2023-01-01T00:00:00.000000Z", "remoteProfilingState": "disabled", "remoteProfilingStateExpiration": "None", "scanAbortedAt": "None", "scanFinishedAt": "2023-01-01T00:00:00.000000Z", "scanStartedAt": "2023-01-01T00:00:00.000000Z", "scanStatus": "finished", "siteId": "100000000000000000", "siteName": "Example Site", "threatRebootRequired": False, "totalMemory": 1023, "updatedAt": "2023-01-01T00:00:00.000000Z", "uuid": "9de5069c5afe602b2ea0a04b66beb2c0"}]| Example output: 
@@ -1729,7 +1728,7 @@ This task is used to monitor for new activities, device control events, and thre |Name|Type|Required|Description|Example| | :--- | :--- | :--- | :--- | :--- | -|logs|[]object|False|List of activity, device control event, and threat logs within the specified time range|[{"id": "225494730938493804", "userId": "225494730938493804", "data": {"computer_name": "COMP_1234", "username": "my_user"}, "secondaryDescription": "string", "threatId": "225494730938493804", "siteName": "string", "accountName": "string", "accountId": "225494730938493804", "updatedAt": "2018-02-27T04:49:26.257525Z", "agentUpdatedVersion": "2.5.1.1320", "groupId": "225494730938493804", "hash": "string", "description": "string", "activityUuid": "string", "comments": "string", "activityType": 0, "agentId": "225494730938493804", "osFamily": "windows", "siteId": "225494730938493804", "primaryDescription": "string", "groupName": "string", "createdAt": "2018-02-27T04:49:26.257525Z"}, {"eventType": "string", "accessPermission": "Read-Only", "deviceClass": "02h", "deviceName": "string", "id": "225494730938493804", "updatedAt": "2018-02-27T04:49:26.257525Z", "ruleId": "225494730938493804", "computerName": "JOHN-WIN-4125", "profileUuids": "string", "lastLoggedInUserName": "janedoe3", "deviceId": "02", "eventTime": "2018-02-27T04:49:26.257525Z", "serviceClass": "02", "interface": "USB", "agentId": "225494730938493804", "vendorId": "02", "uId": "02", "lmpVersion": "string", "eventId": "string", "createdAt": "2018-02-27T04:49:26.257525Z", "productId": "02", "minorClass": "string"}, {"mitigationStatus": [{"groupNotFound": False, "latestReport": "string", "mitigationStartedAt": "2018-02-27T04:49:26.257525Z", "action": "kill", "mitigationEndedAt": "2018-02-27T04:49:26.257525Z", "actionsCounters": {"total": 0, "success": 0, "notFound": 0, "failed": 0, "pendingReboot": 0}, "status": "success", "agentSupportsReport": False, "lastUpdate": "2018-02-27T04:49:26.257525Z", "reportId": 
"225494730938493804"}], "ecsInfo": {"taskAvailabilityZone": "string", "serviceArn": "string", "taskDefinitionArn": "string", "clusterName": "string", "taskDefinitionFamily": "string", "serviceName": "string", "version": "string", "taskDefinitionRevision": "string", "type": "string", "taskArn": "string"}, "agentDetectionInfo": {"agentIpV6": "string", "agentMitigationMode": "detect", "agentOsRevision": "string", "agentIpV4": "string", "agentLastLoggedInUpn": "string", "agentRegisteredAt": "2018-02-27T04:49:26.257525Z", "agentLastLoggedInUserName": "janedoe3", "accountId": "225494730938493804", "siteId": "225494730938493804", "agentLastLoggedInUserMail": "string", "groupName": "string", "agentOsName": "string", "siteName": "string", "agentVersion": "3.6.1.14", "agentDetectionState": "string", "groupId": "225494730938493804", "agentUuid": "string", "externalIp": "string", "accountName": "string", "cloudProviders": {}, "agentDomain": "mybusiness.net"}, "id": "225494730938493804", "agentRealtimeInfo": {"agentOsRevision": "string", "agentVersion": "3.6.1.14", "agentId": "225494730938493804", "agentMitigationMode": "detect", "siteName": "string", "accountName": "string", "accountId": "225494730938493804", "agentInfected": False, "agentDomain": "string", "agentNetworkStatus": "connected", "networkInterfaces": [{"name": "string", "id": "225494730938493804", "physical": "00:25:96:FF:FE:12:34:56", "inet": [{"type": "string"}], "inet6": [{"type": "string"}]}], "groupId": "225494730938493804", "agentComputerName": "string", "scanStartedAt": "2018-02-27T04:49:26.257525Z", "scanStatus": "none", "agentUuid": "string", "operationalState": "string", "scanFinishedAt": "2018-02-27T04:49:26.257525Z", "activeThreats": 0, "scanAbortedAt": "2018-02-27T04:49:26.257525Z", "agentDecommissionedAt": False, "agentOsName": "string", "rebootRequired": False, "agentIsActive": False, "siteId": "225494730938493804", "groupName": "string", "agentIsDecommissioned": False, "storageName": "string", 
"storageType": "string", "agentMachineType": "unknown", "userActionsNeeded": [{"type": "string", "example": "none", "enum": ["none", "user_action_needed", "reboot_needed", "upgrade_needed", "incompatible_os", "unprotected", "rebootless_without_dynamic_detection", "extended_exclusions_partially_accepted", "reboot_required", "pending_deprecation", "ne_not_running", "ne_cf_not_active"]}], "agentOsType": "windows"}, "containerInfo": {"image": "string", "name": "string", "id": "string", "labels": [{"type": "string"}], "isContainerQuarantine": False}, "threatInfo": {"mitigationStatus": "not_mitigated", "maliciousProcessArguments": "string", "initiatedByDescription": {"readOnly": True, "description": "Initiated by description"}, "analystVerdictDescription": {"readOnly": True, "description": "Analyst verdict description"}, "storyline": "a00637fa-e18d-9b80-e803-f370524f8085", "pendingActions": False, "engines": ["reputation", "pre_execution"], "threatId": "225494730938493804", "state": "running", "pendingActionsCounter": 0, "mitigationMode": "prevent", "automaticDetection": True, "storylineParentId": "225494730938493804", "threatLevel": "0", "targetOfDetection": "process", "evidenceUuid": "225494730938493804", "hidden": False, "siteName": "string", "initiatedBy": "string", "analystVerdict": "string", "organizationId": "225494730938493804", "evidenceId": "225494730938493804", "tags": ["string"], "detectorId": "225494730938493804", "pendingActionsType": "none", "threatName": "string", "fileInfo": {"fileMaliciousContent": "string", "fileType": "string", "fileCreatedAt": "2018-02-27T04:49:26.257525Z", "filePath": "string", "fileMd5": "string", "fileSize": "0", "fileSha1": "string", "fileSha256": "string", "fileMagic": "string", "fileIsExecutable": False, "fileExtension": "string", "fileMaliciousClassification": "string"}, "resolvedBy": "string", "organizationName": "string", "processInfo": {"parentCommandLine": "string", "parentPid": "0", "commandLine": "string", 
"parentProcessGroup": "string", "username": "string", "pid": "0", "command": "string", "processGroup": "string", "md5": "string", "sha1": "string", "sha256": "string"}, "reportedAt": "2018-02-27T04:49:26.257525Z", "secondaryDescription": "string", "siteId": "225494730938493804", "primaryDescription": "string"}}]| +|logs|[]object|False|List of activity, device control event, and threat logs within the specified time range|[{"id": "225494730938493804", "userId": "225494730938493804", "data": {"computer_name": "COMP_1234", "username": "my_user"}, "secondaryDescription": "string", "threatId": "225494730938493804", "siteName": "string", "accountName": "string", "accountId": "225494730938493804", "updatedAt": "2018-02-27T04:49:26.257525Z", "agentUpdatedVersion": "2.5.1.1320", "groupId": "225494730938493804", "hash": "string", "description": "string", "activityUuid": "string", "comments": "string", "activityType": 0, "agentId": "225494730938493804", "osFamily": "windows", "siteId": "225494730938493804", "primaryDescription": "string", "groupName": "string", "createdAt": "2018-02-27T04:49:26.257525Z"}, {"eventType": "string", "accessPermission": "Read-Only", "deviceClass": "02h", "deviceName": "string", "id": "225494730938493804", "updatedAt": "2018-02-27T04:49:26.257525Z", "ruleId": "225494730938493804", "computerName": "JOHN-WIN-4125", "profileUuids": "string", "lastLoggedInUserName": "janedoe3", "deviceId": "02", "eventTime": "2018-02-27T04:49:26.257525Z", "serviceClass": "02", "interface": "USB", "agentId": "225494730938493804", "vendorId": "02", "uId": "02", "lmpVersion": "string", "eventId": "string", "createdAt": "2018-02-27T04:49:26.257525Z", "productId": "02", "minorClass": "string"}, {"mitigationStatus": [{"groupNotFound": False, "latestReport": "string", "mitigationStartedAt": "2018-02-27T04:49:26.257525Z", "action": "kill", "mitigationEndedAt": "2018-02-27T04:49:26.257525Z", "actionsCounters": {"total": 0, "success": 0, "notFound": 0, "failed": 0, 
"pendingReboot": 0}, "status": "success", "agentSupportsReport": False, "lastUpdate": "2018-02-27T04:49:26.257525Z", "reportId": "225494730938493804"}], "ecsInfo": {"taskAvailabilityZone": "string", "serviceArn": "string", "taskDefinitionArn": "string", "clusterName": "string", "taskDefinitionFamily": "string", "serviceName": "string", "version": "string", "taskDefinitionRevision": "string", "type": "string", "taskArn": "string"}, "agentDetectionInfo": {"agentIpV6": "string", "agentMitigationMode": "detect", "agentOsRevision": "string", "agentIpV4": "string", "agentLastLoggedInUpn": "string", "agentRegisteredAt": "2018-02-27T04:49:26.257525Z", "agentLastLoggedInUserName": "janedoe3", "accountId": "225494730938493804", "siteId": "225494730938493804", "agentLastLoggedInUserMail": "string", "groupName": "string", "agentOsName": "string", "siteName": "string", "agentVersion": "3.6.1.14", "agentDetectionState": "string", "groupId": "225494730938493804", "agentUuid": "string", "externalIp": "string", "accountName": "string", "cloudProviders": {}, "agentDomain": "mybusiness.net"}, "id": "225494730938493804", "agentRealtimeInfo": {"agentOsRevision": "string", "agentVersion": "3.6.1.14", "agentId": "225494730938493804", "agentMitigationMode": "detect", "siteName": "string", "accountName": "string", "accountId": "225494730938493804", "agentInfected": False, "agentDomain": "string", "agentNetworkStatus": "connected", "networkInterfaces": [{"name": "string", "id": "225494730938493804", "physical": "00:25:96:FF:FE:12:34:56", "inet": [{"type": "string"}], "inet6": [{"type": "string"}]}], "groupId": "225494730938493804", "agentComputerName": "string", "scanStartedAt": "2018-02-27T04:49:26.257525Z", "scanStatus": "none", "agentUuid": "string", "operationalState": "string", "scanFinishedAt": "2018-02-27T04:49:26.257525Z", "activeThreats": 0, "scanAbortedAt": "2018-02-27T04:49:26.257525Z", "agentDecommissionedAt": False, "agentOsName": "string", "rebootRequired": False, 
"agentIsActive": False, "siteId": "225494730938493804", "groupName": "string", "agentIsDecommissioned": False, "storageName": "string", "storageType": "string", "agentMachineType": "unknown", "userActionsNeeded": [{"type": "string", "example": "none", "enum": ["none", "user_action_needed", "reboot_needed", "upgrade_needed", "incompatible_os", "unprotected", "rebootless_without_dynamic_detection", "extended_exclusions_partially_accepted", "reboot_required", "pending_deprecation", "ne_not_running", "ne_cf_not_active"]}], "agentOsType": "windows"}, "containerInfo": {"image": "string", "name": "string", "id": "string", "labels": [{"type": "string"}], "isContainerQuarantine": False}, "threatInfo": {"mitigationStatus": "not_mitigated", "maliciousProcessArguments": "string", "initiatedByDescription": {"readOnly": True, "description": "Initiated by description"}, "analystVerdictDescription": {"readOnly": True, "description": "Analyst verdict description"}, "storyline": "a00637fa-e18d-9b80-e803-f370524f8085", "pendingActions": False, "engines": ["reputation", "pre_execution"], "threatId": "225494730938493804", "state": "running", "pendingActionsCounter": 0, "mitigationMode": "prevent", "automaticDetection": True, "storylineParentId": "225494730938493804", "threatLevel": "0", "targetOfDetection": "process", "evidenceUuid": "225494730938493804", "hidden": False, "siteName": "string", "initiatedBy": "string", "analystVerdict": "string", "organizationId": "225494730938493804", "evidenceId": "225494730938493804", "tags": ["string"], "detectorId": "225494730938493804", "pendingActionsType": "none", "threatName": "string", "fileInfo": {"fileMaliciousContent": "string", "fileType": "string", "fileCreatedAt": "2018-02-27T04:49:26.257525Z", "filePath": "string", "fileMd5": "string", "fileSize": "0", "fileSha1": "string", "fileSha256": "string", "fileMagic": "string", "fileIsExecutable": False, "fileExtension": "string", "fileMaliciousClassification": "string"}, "resolvedBy": 
"string", "organizationName": "string", "processInfo": {"parentCommandLine": "string", "parentPid": "0", "commandLine": "string", "parentProcessGroup": "string", "username": "string", "pid": "0", "command": "string", "processGroup": "string", "md5": "string", "sha1": "string", "sha256": "string"}, "reportedAt": "2018-02-27T04:49:26.257525Z", "secondaryDescription": "string", "siteId": "225494730938493804", "primaryDescription": "string"}}]| Example output: @@ -2352,6 +2351,7 @@ Example output: # Version History +* 11.1.3 - Updated SDK to the latest version (v6.2.2) | Address vulnerabilities * 11.1.2 - Resolve issue where unexpected timestamps returned from SentinelOne were not parsed in task `Monitor Logs` | Update plugin to be FedRAMP compliant * 11.1.1 - Updated Plugin connection to improve `instance` input usability * 11.1.0 - Added connection test for task `Monitor Logs` | Update SDK 
@@ -2364,7 +2364,7 @@ Example output: * 8.1.0 - Added New actions: Fetch file for agent ID and Run remote script. Updated description for Trigger resolved field * 8.0.1 - Search Agents: Remove duplicate results when Case Sensitive is false * 8.0.0 - Connection: Added Service user (API only user type) authentication | Removed Basic Authentication -* 7.1.0 - Update for Blacklist action: Fix for unblocked action | Update for Quarantine action: unification of the output data when action fails | Add troubleshooting information about use Type Converter | Mark as Benign action: update description +* 7.1.0 - Update for Blacklist action: Fix for unblocked action | Update for Quarantine action: unification of the output data when action fails | Add troubleshooting information about use Type Converter | Mark as Benign action: update description * 7.0.0 - Add new actions Update Analyst Verdict and Update Incident Status | Fix Get Agent Details and Search Agents actions to handle more response scenarios | Add option to authentication with API key * 6.2.0 - New actions Create Query, Get Query Status, Cancel Running Query, Get Events, Get Events By Type * 6.1.0 - Add new actions Disable Agent and Enable Agent diff --git a/plugins/sentinelone/plugin.spec.yaml b/plugins/sentinelone/plugin.spec.yaml index e6d85cd4d9..0b81271221 100644 --- a/plugins/sentinelone/plugin.spec.yaml +++ b/plugins/sentinelone/plugin.spec.yaml 
@@ -3,19 +3,47 @@ extension: plugin
 products: [insightconnect]
 name: sentinelone
 title: SentinelOne
-version: 11.1.2
+version: 11.1.3
 connection_version: 10
 cloud_ready: true
 fedramp_ready: true
 sdk:
   type: slim
-  version: 6.1.0
+  version: 6.2.2
 user: nobody
 supported_versions: ["2.1.0"]
 description: The SentinelOne plugin allows you to manage and mitigate all your security operations through SentinelOne
 vendor: rapid7
 support: rapid7
 status: []
+key_features:
+  - "Get activities"
+  - "Get activity types"
+  - "Blacklist hashes"
+  - "Run agent actions"
+  - "Reload agent modules"
+  - "Get information about agents"
+  - "Search agents"
+  - "Get information about agent applications"
+  - "Create, get and cancel query"
+  - "Create IOC threat"
+  - "Enable and disable agent"
+  - "Fetch files"
+  - "Get events"
+  - "Get information about threats"
+  - "Manage threats"
+  - "Quarantine endpoints"
+  - "Run remote scripts"
+  - "Check account name availability"
+  - "Execute scans"
+  - "Trigger workflows on security alerts"
+links:
+  - "[SentinelOne Product Page](https://www.sentinelone.com/)"
+references:
+  - "[SentinelOne Product Page](https://www.sentinelone.com/)"
+requirements:
+  - "SentinelOne API key"
+troubleshooting: "* To generate an API key, create a new Service User or select an existing one with adequate permissions from the SentinelOne console\n* To convert `threat` into an array use Type Converter Plugin\n* For the Trigger settings, only set the Resolved field to False if solely resolved threats should be retrieved (i.e. setting to False will not include unresolved threats)\n* The Run Remote Script action may require starting a protected actions session to function properly. To do this, in the `code` input field, enter the passcode from a third-party app, such as Duo Mobile or Google Authenticator, set up in two-factor authentication. Entering the code is not required each time you run the action, because the session is valid for 30 minutes"
 resources:
   source_url: https://github.com/rapid7/insightconnect-plugins/tree/master/plugins/sentinelone
   license_url: https://github.com/rapid7/insightconnect-plugins/blob/master/LICENSE
@@ -29,6 +57,44 @@ hub_tags:
   use_cases: [threat_detection_and_response]
   keywords: [sentinelone, endpoint, detection, cloud_enabled]
   features: []
+version_history:
+  - "11.1.3 - Updated SDK to the latest version (v6.2.2) | Address vulnerabilities"
+  - "11.1.2 - Resolve issue where unexpected timestamps returned from SentinelOne were not parsed in task `Monitor Logs` | Update plugin to be FedRAMP compliant"
+  - "11.1.1 - Updated Plugin connection to improve `instance` input usability"
+  - "11.1.0 - Added connection test for task `Monitor Logs` | Update SDK"
+  - "11.0.0 - Removed `Monitor Logs` task input options | Update SDK"
+  - "10.0.0 - Added `Monitor Logs` task | Removed `User Type` from connection | A Service User API Key must now be provided to provide enhanced security"
+  - "9.1.2 - Retry functionality added to requests to SenintelOne that result in a 429 (too many requests) or 503 (service unavailable) error."
+  - "9.1.1 - `Threats Fetch File`: Updated action to prevent possible movement through file system"
+  - "9.1.0 - `Move Agent to Another Site`: Action added"
+  - "9.0.0 - Update plugin to allow cloud connections to be configured | Rename URL input to Instance in connection | Code refactor"
+  - "8.1.0 - Added New actions: Fetch file for agent ID and Run remote script. Updated description for Trigger resolved field"
+  - "8.0.1 - Search Agents: Remove duplicate results when Case Sensitive is false"
+  - "8.0.0 - Connection: Added Service user (API only user type) authentication | Removed Basic Authentication"
+  - "7.1.0 - Update for Blacklist action: Fix for unblocked action | Update for Quarantine action: unification of the output data when action fails | Add troubleshooting information about use Type Converter | Mark as Benign action: update description"
+  - "7.0.0 - Add new actions Update Analyst Verdict and Update Incident Status | Fix Get Agent Details and Search Agents actions to handle more response scenarios | Add option to authentication with API key"
+  - "6.2.0 - New actions Create Query, Get Query Status, Cancel Running Query, Get Events, Get Events By Type"
+  - "6.1.0 - Add new actions Disable Agent and Enable Agent"
+  - "6.0.0 - Add `operational_state` field to input of Get Agent Details and Search Agent actions | Update schema to return new outputs such as Active Directory, firewall, location, and quarantine information for Get Agent Details and Search Agent actions | Use API version 2.1 | Update capitalization according to style in Activities List action for Created Than Date and Less Than Dates inputs to Greater than Date and Less than Date"
+  - "5.0.1 - Correct spelling in help.md"
+  - "5.0.0 - Consolidate various Agent actions | Use API version 2.1 where possible | Delete obsolete Blacklist by IOC Hash and Agent Processes"
+  - "4.1.1 - Update the Get Threat Summary action to return all threat summaries instead of 10"
+  - "4.1.0 - Add case sensitivity option for Agent lookups"
+  - "4.0.1 - Fix Agent Active parameter in Get Agent Details action | Update Quarantine action whitelist for IP addresses"
+  - "4.0.0 - Update ID input for Fetch Threats File action to a string"
+  - "3.1.0 - Add new action Fetch Threats File"
+  - "3.0.0 - Update help.md for the Extension Library | Update title in action Blacklist by IOC Hash, Get Activities, Count Summary and Connect to Network"
+  - "2.1.1 - Upgrade trigger Get Threats to only return threats since trigger start"
+  - "2.1.0 - Add `agent_active` field to input in action Search Agents"
+  - "2.0.0 - Upgrade trigger input Agent is Active to default true"
+  - "1.4.0 - New actions Quarantine, Get Agent Details, Search Agents"
+  - "1.3.0 - Add new action Blacklist"
+  - "1.2.2 - Update error message in Connection"
+  - "1.2.1 - Update to use the `komand/python-3-37-slim-plugin` Docker image to reduce plugin size"
+  - "1.2.0 - New spec and help.md format for the Extension Library | New actions activities_list, activities_types, agents_abort_scan, agents_connect, agents_decommission, agents_disconnect, agents_fetch_logs, agents_initiate, agents_processes, agents_reload, agents_restart, agents_shutdown, agents_summary, agents_uninstall, apps_by_agent_ids, name_available"
+  - "1.1.0 - New trigger Get Threats | New actions Mitigate Threat, Mark as Benign, Mark as Threat and Create IOC Threat"
+  - "1.0.1 - Update to add Blacklist by IOC Hash and Blacklist by Content Hash"
+  - "1.0.0 - Initial plugin"
 types:
   activityTypes:
     id:
diff --git a/plugins/sentinelone/setup.py b/plugins/sentinelone/setup.py
index 320ee14799..4372ef72db 100644
--- a/plugins/sentinelone/setup.py
+++ b/plugins/sentinelone/setup.py
@@ -3,7 +3,7 @@
 setup(name="sentinelone-rapid7-plugin",
-      version="11.1.2",
+      version="11.1.3",
       description="The SentinelOne plugin allows you to manage and mitigate all your security operations through SentinelOne",
       author="rapid7",
       author_email="",
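Review bot: The `11.1.3` version_history entry added at the top of this hunk says only "Address vulnerabilities", which leaves an operator unable to tell what was fixed or whether their deployment was exposed; the same wording appears in the help.md Version History hunk above. Since the visible changes are version bumps plus the SDK bump to 6.2.2, the entry should name the component and, where one exists, the advisory, e.g. `- "11.1.3 - Updated SDK to the latest version (v6.2.2) | Address vulnerabilities in <component / advisory ID>"`. If no specific advisory applies, stating that the SDK update pulls in dependency security fixes would still be more useful to a reader triaging the changelog than the bare phrase.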