feat(integration): SentinelOne list Threats + update Threat status #637

Open
wants to merge 1 commit into
base: main
33 changes: 33 additions & 0 deletions registry/tracecat_registry/templates/sentinel_one/list_threats.yml
@@ -0,0 +1,33 @@
type: action
definition:
title: List SentinelOne Threats
description: List threats from SentinelOne
display_group: SentinelOne
namespace: integrations.sentinel_one
name: list_threats
secrets:
- name: sentinel_one
keys: ["SENTINEL_ONE_API_TOKEN", "SENTINEL_ONE_BASE_URL"]
expects:
start_time:
type: datetime
description: Start timestamp for the query (inclusive)
end_time:
type: datetime
description: End timestamp for the query (inclusive)
limit:
type: int
description: Maximum number of alerts to return
steps:
- ref: query_threats
action: core.http_request
args:
url: ${{ SECRETS.sentinel_one.SENTINEL_ONE_BASE_URL }}/web/api/v2.1/threats
method: GET
headers:
Authorization: "ApiToken ${{ SECRETS.sentinel_one.SENTINEL_ONE_API_TOKEN }}"
params:
created_at__gte: ${{ inputs.start_time }}
created_at__lte: ${{ inputs.end_time }}
limit: ${{ inputs.limit }}
returns: ${{ steps.query_threats.result }}
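Review bot: the `limit` input is documented as "Maximum number of alerts to return" but this action lists threats, so the description should say threats; it also has no default, so a caller that omits it sends an empty `limit` query parameter to `/web/api/v2.1/threats`. Consider giving it a default and aligning the wording with the `title`/`description` of the action. Two smaller points in the same hunk: the `Authorization` header is quoted here (`"ApiToken ${{ ... }}"`) while the sibling update_threat_status template leaves it unquoted, so pick one style for both; and `returns: ${{ steps.query_threats.result }}` hands the caller the raw HTTP response rather than the threat list, which is worth stating in the description so downstream workflow steps know what shape to expect.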
@@ -0,0 +1,35 @@
type: action
definition:
title: Update SentinelOne Threat Status
description: Update the status of a SentinelOne threat
display_group: SentinelOne
namespace: integrations.sentinel_one
name: update_threat_status
secrets:
- name: sentinel_one
keys: ["SENTINEL_ONE_API_TOKEN", "SENTINEL_ONE_BASE_URL"]
expects:
threat_ids:
type: list[str]
description: The IDs of the threats to update
verdict:
type: str
description: The new status of the threat
status:
type: str
description: The analyst verdict of the threat
steps:
- ref: update_threat_status
action: core.http_request
args:
url: ${{ SECRETS.sentinel_one.SENTINEL_ONE_BASE_URL }}/web/api/v2.1/threats/incident
method: POST
headers:
Authorization: ApiToken ${{ SECRETS.sentinel_one.SENTINEL_ONE_API_TOKEN }}
payload:
data:
incidentStatus: ${{ inputs.status }}
analystVerdict: ${{ inputs.verdict }}
filter:
ids: ${{ inputs.threat_ids }}
returns: ${{ steps.update_threat_status.result }}
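Review bot: the input descriptions for `verdict` and `status` are swapped in the `expects` block: `verdict` is described as "The new status of the threat" and `status` as "The analyst verdict of the threat", while the payload maps `status` to `incidentStatus` and `verdict` to `analystVerdict`. Swap the two description strings so they match the fields they feed. Since both are free-form `str` inputs that the SentinelOne endpoint will reject if misspelled, it would also help to list the accepted values in each description (or constrain them) so an analyst does not discover a bad value only from the HTTP error in `steps.update_threat_status.result`. Minor: the `Authorization` header is unquoted here but quoted in list_threats.yml; keep the two templates consistent.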