SentinelOne Beat
SentinelOne portal : https://usea1-partners.sentinelone.net/
Below are the data sources this Beat collects, each from its own SentinelOne API endpoint:
Activities
Alerts
Device Control Events
Exclusions
Threats
Every request to these APIs must carry a Bearer token (the API token of a SentinelOne service user) in the Authorization header. The steps to create one are:
1. Log into the SentinelOne portal and go to Settings → Service Users → Create New Service User.
2. Give the service user a name and an expiration time. The collector needs a long-lived token, so choose the expiration to match how long the integration is expected to run, and plan to rotate the token before it expires.
3. Choose the scope (account / site / group) that covers the data sources to be collected; the Viewer role is sufficient for read-only collection.
4. The next screen shows the API token. It is displayed only once, so store it in a secrets store straight away; it is sent as "Authorization: Bearer <token>" on every call below.
Data Sources:
Below is the request for each data source (all of these are documented in the Postman collection at https://www.postman.com/api-evangelist/sentinelone/example/35240-0f049ae8-6012-4523-823f-53b817989382).
Activities :
Request
curl --location 'https://usea1-partners.sentinelone.net/web/api/v2.1/activities?createdAt__gte=2024-12-17T03%3A37%3A14.717622Z&limit=2' \
--header 'Authorization: Bearer <token generated while creating the service user>' \
--header 'Content-Type: application/json' \
--data ''
Response
{
"data": [
{
"accountId": "1202974619335305646",
"accountName": "Exabeam (Technical Alliance Partner)",
"activityType": 138,
"activityUuid": "0027dc98-a148-465d-a488-2b3a6370d976",
"agentId": null,
"agentUpdatedVersion": null,
"comments": null,
"createdAt": "2024-12-17T05:04:46.489699Z",
"data": {
"accountName": "Exabeam (Technical Alliance Partner)",
"duration": 30,
"expiration": "2024-12-17T05:34:46.478506Z",
"externalServiceId": null,
"fullScopeDetails": "Account Exabeam (Technical Alliance Partner)",
"fullScopeDetailsPath": "Global / Exabeam (Technical Alliance Partner)",
"groupName": null,
"ipAddress": "136.226.252.199",
"realUser": null,
"role": "Admin",
"scopeLevel": "Account",
"scopeName": "Exabeam (Technical Alliance Partner)",
"siteName": null,
"sourceType": "UI",
"userScope": "account",
"username": "Raj Agrawal"
},
"description": null,
"groupId": null,
"groupName": null,
"hash": null,
"id": "2107076448798959096",
"osFamily": null,
"primaryDescription": "The Management user, Raj Agrawal, has initiated a protected actions session that will end in 30 minutes, at Tue, 17 Dec 2024, 05:34:46 UTC.",
"secondaryDescription": "IP address: 136.226.252.199",
"siteId": null,
"siteName": null,
"threatId": null,
"updatedAt": "2024-12-17T05:04:46.488517Z",
"userId": "2102389541634677242"
},
{
"accountId": "1202974619335305646",
"accountName": "Exabeam (Technical Alliance Partner)",
"activityType": 140,
"activityUuid": "08d76caf-4cdf-4cd6-b260-0efdcc45db6a",
"agentId": null,
"agentUpdatedVersion": null,
"comments": null,
"createdAt": "2024-12-17T05:04:46.954102Z",
"data": {
"accountName": "Exabeam (Technical Alliance Partner)",
"byUser": "Raj Agrawal",
"description": "generating long lived token",
"externalServiceId": null,
"fullScopeDetails": "Account Exabeam (Technical Alliance Partner)",
"fullScopeDetailsPath": "Global / Exabeam (Technical Alliance Partner)",
"groupName": null,
"ipAddress": "136.226.252.199",
"realUser": null,
"roleName": "Viewer",
"scopeLevel": "Account",
"scopeName": "Exabeam (Technical Alliance Partner)",
"siteName": null,
"sourceType": "UI",
"username": "serviceuser"
},
"description": null,
"groupId": null,
"groupName": null,
"hash": null,
"id": "2107076452691273212",
"osFamily": null,
"primaryDescription": "The management user Raj Agrawal added a new Service User serviceuser with the description generating long lived token to Exabeam (Technical Alliance Partner) with role Viewer.",
"secondaryDescription": "IP address: 136.226.252.199",
"siteId": null,
"siteName": null,
"threatId": null,
"updatedAt": "2024-12-17T05:04:46.921151Z",
"userId": "2107076452280231418"
}
],
"pagination": {
"nextCursor": "eyJpZF9jb2x1bW4iOiAiQWN0aXZpdHkuaWQiLCAiaWRfdmFsdWUiOiAyMTA3MDc2NDUyNjkxMjczMjEyLCAiaWRfc29ydF9vcmRlciI6ICJhc2MiLCAic29ydF9ieV9jb2x1bW4iOiAiQWN0aXZpdHkuY3JlYXRlZF9hdCIsICJzb3J0X2J5X3ZhbHVlIjogIjIwMjQtMTItMTdUMDU6MDQ6NDYuOTU0MTAyWiIsICJzb3J0X29yZGVyIjogImFzYyJ9",
"totalItems": 10
}
}
Responses are paginated. To fetch the next page, repeat the same request with the same filters and pass the pagination.nextCursor value from the previous response in the cursor query parameter; keep going until the response no longer carries a nextCursor (it is null on the last page). The example below uses the nextCursor returned by the response above:
curl --location 'https://usea1-partners.sentinelone.net/web/api/v2.1/activities?createdAt__gte=2024-12-17T03%3A37%3A14.717622Z&limit=2&cursor=eyJpZF9jb2x1bW4iOiAiQWN0aXZpdHkuaWQiLCAiaWRfdmFsdWUiOiAyMTA3MDc2NDUyNjkxMjczMjEyLCAiaWRfc29ydF9vcmRlciI6ICJhc2MiLCAic29ydF9ieV9jb2x1bW4iOiAiQWN0aXZpdHkuY3JlYXRlZF9hdCIsICJzb3J0X2J5X3ZhbHVlIjogIjIwMjQtMTItMTdUMDU6MDQ6NDYuOTU0MTAyWiIsICJzb3J0X29yZGVyIjogImFzYyJ9' \
--header 'Authorization: Bearer <token generated while creating the service user>' \
--header 'Content-Type: application/json' \
--data ''
Note: all the data sources below paginate the same way, returning pagination.nextCursor to be passed back as the cursor query parameter. The header is "Bearer" followed by a single space and the token; sending "Bearer Bearer <token>" is rejected as unauthorized.
Alerts:
curl --location 'https://usea1-partners.sentinelone.net/web/api/v2.1/cloud-detection/alerts?createdAt__gte=2024-12-17T03%3A37%3A14.717622Z' \
--header 'Authorization: Bearer <token generated while creating the service user>' \
--header 'Content-Type: application/json' \
--data ''
Device Control Events
Please note that this API filters on eventTime__gte instead of createdAt__gte in the query parameters.
curl --location 'https://usea1-partners.sentinelone.net/web/api/v2.1/device-control/events?limit=2&eventTime__gte=2024-11-25T05%3A20%3A52Z' \
--header 'Authorization: Bearer <token generated while creating the service user>' \
--header 'Content-Type: application/json' \
--data ''
Exclusions
curl --location 'https://usea1-partners.sentinelone.net/web/api/v2.1/exclusions?createdAt__gte=2024-09-25T17%3A16%3A23.155553Z' \
--header 'Authorization: Bearer <token generated while creating the service user>' \
--header 'Content-Type: application/json' \
--data ''
Threats
curl --location 'https://usea1-partners.sentinelone.net/web/api/v2.1/threats?createdAt__gte=2024-09-25T17%3A16%3A23.155553Z' \
--header 'Authorization: Bearer <token generated while creating the service user>' \
--header 'Content-Type: application/json' \
--data ''
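The pagination loop and the per-source time filter described above (createdAt__gte for four of the sources, eventTime__gte for device control events), as an added example that is not part of the original page or of SentinelOne's own tooling. It assumes the partner console URL named on this page, an environment variable S1_API_TOKEN holding the service-user token, and a response field eventTime on device control events; the sample pages it runs against offline are constructed here, not captured from the API.

```python
import json
import os
import urllib.parse
import urllib.request

# Assumed base URL: the partner console named on this page.
BASE_URL = "https://usea1-partners.sentinelone.net"

# Each source: (API path, query parameter for the lower bound of the time window,
# response field used to checkpoint). device-control/events filters on
# eventTime__gte; the eventTime response field is an assumption.
SOURCES = {
    "activities": ("/web/api/v2.1/activities", "createdAt__gte", "createdAt"),
    "alerts": ("/web/api/v2.1/cloud-detection/alerts", "createdAt__gte", "createdAt"),
    "device_control_events": ("/web/api/v2.1/device-control/events", "eventTime__gte", "eventTime"),
    "exclusions": ("/web/api/v2.1/exclusions", "createdAt__gte", "createdAt"),
    "threats": ("/web/api/v2.1/threats", "createdAt__gte", "createdAt"),
}


def build_url(source, since, limit=1000, cursor=None):
    """Same filters on every page; only the cursor changes between calls."""
    path, time_param, _ = SOURCES[source]
    params = {time_param: since, "limit": str(limit)}
    if cursor:
        params["cursor"] = cursor
    return BASE_URL + path + "?" + urllib.parse.urlencode(params)


def auth_headers(token):
    """Build the Authorization header with the scheme word exactly once,
    even if the stored secret already starts with 'Bearer '."""
    token = token.strip()
    if token.lower().startswith("bearer "):
        token = token[7:].strip()
    return {"Authorization": "Bearer " + token, "Content-Type": "application/json"}


def http_get(url, headers):
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def collect(source, since, token, get=http_get, limit=1000, max_pages=10000):
    """Yield every record for the source, following pagination.nextCursor
    until the API returns a null/absent cursor; max_pages bounds a bad cursor."""
    headers = auth_headers(token)
    cursor = None
    for _ in range(max_pages):
        page = get(build_url(source, since, limit, cursor), headers)
        for record in page.get("data", []):
            yield record
        cursor = (page.get("pagination") or {}).get("nextCursor")
        if not cursor:
            return
    raise RuntimeError("pagination did not terminate after %d pages" % max_pages)


def checkpoint(source, records):
    """Largest timestamp seen, to use as the next run's lower bound. The filter is
    inclusive (__gte), so the caller should de-duplicate on 'id' across runs."""
    field = SOURCES[source][2]
    stamps = [r[field] for r in records if r.get(field)]
    return max(stamps) if stamps else None


# Constructed sample pages (not real API output) so the collector can be
# exercised offline; the fake transport dispatches on the cursor parameter.
_SAMPLE_PAGES = {
    None: {"data": [{"id": "1", "createdAt": "2024-12-17T05:04:46.489699Z"},
                    {"id": "2", "createdAt": "2024-12-17T05:04:46.954102Z"}],
           "pagination": {"nextCursor": "cursor-page-2", "totalItems": 3}},
    "cursor-page-2": {"data": [{"id": "3", "createdAt": "2024-12-17T05:05:00.000000Z"}],
                      "pagination": {"nextCursor": None, "totalItems": 3}},
}


def fake_get(url, headers):
    if not headers["Authorization"].startswith("Bearer ") or headers["Authorization"].startswith("Bearer Bearer"):
        raise PermissionError("401: malformed Authorization header")
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return _SAMPLE_PAGES[qs.get("cursor", [None])[0]]


if __name__ == "__main__":
    token = os.environ.get("S1_API_TOKEN", "demo-token")  # assumed variable name
    recs = list(collect("activities", "2024-12-17T03:37:14.717622Z", token, get=fake_get, limit=2))
    print(len(recs), "records; next run starts at", checkpoint("activities", recs))
```

Replace fake_get with the default http_get to run against the real console; the time window and cursor handling are identical for all five sources, only the path and filter name differ.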