Integrate SentinelOne with Google SecOps
This document explains how to configure and integrate SentinelOne with Google Security Operations (Google SecOps).
Integration version: 3.0
Use cases
- Automated threat response: use Google SecOps capabilities to automatically respond to threats detected by SentinelOne, reducing the time and effort required for security operations.
- Enriched incident context: use Google SecOps capabilities to provide security analysts with more context around security incidents and make more informed decisions. For example, you can automatically enrich incident data with information about the affected endpoints and threats.
- Orchestrated remediation actions: use Google SecOps capabilities to automatically execute playbooks that combine SentinelOne actions with other security tools, such as network firewalls or identity management systems, ensuring a coordinated response to threats and minimizing their impact.
Integration parameters
The SentinelOne integration requires the following parameters:
Parameter | Description |
---|---|
Api root | Required. The SentinelOne API root. The default value is |
Username | Required. The username to authenticate with. |
Password | Required. The password to authenticate with. |
For instructions about how to configure an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
Disconnect Agent From Network
Use the Disconnect Agent From Network action to disconnect an agent from the network connection.
This action runs on the following Google SecOps entities:
- IP Address
- Hostname
Action inputs
None.
Action outputs
The Disconnect Agent From Network action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Disconnect Agent From Network action:
Script result name | Value |
---|---|
is_success | True or False |
Enrich Endpoint
Use the Enrich Endpoint action to enrich an endpoint entity with information from the system.
This action runs on the following Google SecOps entities:
- IP Address
- Hostname
Action inputs
None.
Action outputs
The Enrich Endpoint action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Enrich Endpoint action:
Script result name | Value |
---|---|
is_success | True or False |
Get Agent Status
Use the Get Agent Status action to retrieve the status of an agent.
This action runs on the following Google SecOps entities:
- IP Address
- Hostname
Action inputs
None.
Action outputs
The Get Agent Status action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Get Agent Status action:
Script result name | Value |
---|---|
is_success | True or False |
Get Application List for Endpoint
Use the Get Application List for Endpoint action to obtain a list of applications used on an endpoint.
This action runs on the following Google SecOps entities:
- IP Address
- Hostname
Action inputs
None.
Action outputs
The Get Application List for Endpoint action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Get Application List for Endpoint action:
Script result name | Value |
---|---|
is_success | True or False |
Get Events for Endpoint by Time
Use the Get Events for Endpoint by Time action to retrieve all events that are related to an endpoint.
This action runs on the following Google SecOps entities:
- IP Address
- Hostname
Action inputs
The Get Events for Endpoint by Time action requires the following parameters:
Parameter | Description |
---|---|
Hours Back | Optional. The number of hours prior to the current time to retrieve events. |
Events Amount Limit | Optional. The number of events to retrieve for every action run. |
Action outputs
The Get Events for Endpoint by Time action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Get Events for Endpoint by Time action:
Script result name | Value |
---|---|
is_success | True or False |
Get Hash Reputation
Use the Get Hash Reputation action to obtain the reputation of a SHA-1 hash.
This action runs on the Google SecOps Filehash entity.
Action inputs
None.
Action outputs
The Get Hash Reputation action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Get Hash Reputation action:
Script result name | Value |
---|---|
is_success | True or False |
Get Process List for Endpoint
Use the Get Process List for Endpoint action to retrieve the process list for an endpoint.
This action runs on the following Google SecOps entities:
- IP Address
- Hostname
Action inputs
None.
Action outputs
The Get Process List for Endpoint action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Get Process List for Endpoint action:
Script result name | Value |
---|---|
is_success | True or False |
Get System Status
Use the Get System Status action to get the SentinelOne system health status.
This action runs on all Google SecOps entities.
Action inputs
None.
Action outputs
The Get System Status action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Get System Status action:
Script result name | Value |
---|---|
is_success | True or False |
Get System Version
Use the Get System Version action to get the SentinelOne system version.
This action runs on all Google SecOps entities.
Action inputs
None.
Action outputs
The Get System Version action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Get System Version action:
Script result name | Value |
---|---|
is_success | True or False |
Initiate Full Scan
Use the Initiate Full Scan action to initiate a full disk scan on an endpoint.
This action runs on the following Google SecOps entities:
- IP Address
- Hostname
Action inputs
None.
Action outputs
The Initiate Full Scan action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Initiate Full Scan action:
Script result name | Value |
---|---|
is_success | True or False |
Ping
Use the Ping action to test the connectivity to SentinelOne.
This action runs on all Google SecOps entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Ping action:
Script result name | Value |
---|---|
is_success | True or False |
Reconnect Agent to the Network
Use the Reconnect Agent to the Network action to reconnect a disconnected agent to the network.
This action runs on the following Google SecOps entities:
- IP Address
- Hostname
Action inputs
None.
Action outputs
The Reconnect Agent to the Network action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Reconnect Agent to the Network action:
Script result name | Value |
---|---|
is_success | True or False |
Update Exclusion List Add Path
Use the Update Exclusion List Add Path action to add a path to an existing exclusion list.
This action supports the following operating systems: Windows, OSX, Linux, and Android.
This action runs on all Google SecOps entities.
Action inputs
The Update Exclusion List Add Path action requires the following parameters:
Parameter | Description |
---|---|
List Name | Required. The exclusion list name. |
Path | Required. The path to add to the list. |
Operation System | Required. The operating system. The possible values are as follows: windows, osx, linux, android. |
Action outputs
The Update Exclusion List Add Path action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Update Exclusion List Add Path action:
Script result name | Value |
---|---|
is_success | True or False |