
SentinelOne

SentinelOne_DNSReverseLookup

Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- ip
Registration required: True
Subscription required: True
Free subscription: False
Third party service: N/A

Description

Query SentinelOne for DNS names that resolved to a given IP address. Returns the domains and the hosts that made the DNS queries. Supports both the SDL (Security Data Lake) API and the legacy Deep Visibility API.

Configuration

| Configuration item | Description | Default value if not configured | Type | Can contain multiple values | Is required |
|---|---|---|---|---|---|
| s1_console_url | SentinelOne Console URL (e.g., https://your-instance.sentinelone.net) | N/A | string | False | True |
| api_mode | API mode: 'sdl' for the new Security Data Lake API (recommended), 'dv' for the legacy Deep Visibility API | sdl | string | False | False |
| sdl_token | [SDL Mode] Log Access Read Key; generate it in Console > Settings > API Keys > Log Access Keys > Add Read Key | N/A | string | False | False |
| sdl_url | [SDL Mode] SDL URL if different from the Console URL (optional, defaults to the Console URL) | N/A | string | False | False |
| s1_api_key | [DV Mode] API Key for legacy Deep Visibility mode (will expire!) | N/A | string | False | False |
| s1_account_id | [DV Mode] Account ID for legacy Deep Visibility mode | N/A | string | False | False |
| s1_hours_ago | Number of hours ago for the fromDate of the query; toDate will be now. Default is 2. | 2 | number | False | False |

Template samples for TheHive

No template samples to display.

SentinelOne_DeepVisibility_DNSQuery

Author: Joe Vasquez
License: AGPL-V3
Version: 1.0
Supported observables types:
- url
- domain
- fqdn
Registration required: True
Subscription required: True
Free subscription: False
Third party service: N/A

Description

Query the SentinelOne Deep Visibility API v2.1 for hosts that have requested DNS lookups for a domain/URL/FQDN.

Configuration

| Configuration item | Description | Default value if not configured | Type | Can contain multiple values | Is required |
|---|---|---|---|---|---|
| s1_console_url | Console URL | N/A | string | False | True |
| s1_api_key | API Key; don't forget this will expire! | N/A | string | False | True |
| s1_account_id | Account ID | N/A | string | False | True |
| hours_ago | Number of hours ago for the fromDate of the query; toDate will be now. Default is 12. | N/A | number | False | False |

Template samples for TheHive

No template samples to display.

SentinelOne_DNSQuery

Author: Joe Vasquez; Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 2.0
Supported observables types:
- url
- domain
- fqdn
Registration required: True
Subscription required: True
Free subscription: False
Third party service: N/A

Description

Query SentinelOne for hosts that have requested DNS lookups for a domain/URL/FQDN. Supports both the new SDL (Security Data Lake) API and the legacy Deep Visibility API v2.1.

Configuration

| Configuration item | Description | Default value if not configured | Type | Can contain multiple values | Is required |
|---|---|---|---|---|---|
| s1_console_url | SentinelOne Console URL (e.g., https://your-instance.sentinelone.net) | N/A | string | False | True |
| api_mode | API mode: 'sdl' for the new Security Data Lake API (recommended), 'dv' for the legacy Deep Visibility API | sdl | string | False | False |
| sdl_token | [SDL Mode] Log Access Read Key; generate it in Console > Settings > API Keys > Log Access Keys > Add Read Key | N/A | string | False | False |
| sdl_url | [SDL Mode] SDL URL if different from the Console URL (optional, defaults to the Console URL) | N/A | string | False | False |
| s1_api_key | [DV Mode] API Key for legacy Deep Visibility mode (will expire!) | N/A | string | False | False |
| s1_account_id | [DV Mode] Account ID for legacy Deep Visibility mode | N/A | string | False | False |
| s1_hours_ago | Number of hours ago for the fromDate of the query; toDate will be now. Default is 2. | 2 | number | False | False |

Template samples for TheHive

No template samples to display.