Abort scan

Action ID: tools.sentinel_one.abort_scan

Abort a running scan on SentinelOne agents.

Reference: https://<base_url>/api-doc/api-details?category=agents&api=post-agents-actions-abort-scan

Secrets

Required secrets:
  • sentinel_one: required values SENTINEL_ONE_API_TOKEN.

Input fields

device_id
string
required
ID of the agent/device to abort scan on.
base_url
string | null
SentinelOne tenant URL. Default: null.

Disable agent

Action ID: tools.sentinel_one.disable_agent

Disable a SentinelOne agent.

Reference: https://<base_url>/api-doc/api-details?category=agents&api=post-agents-actions-disable-agent

Secrets

Required secrets:
  • sentinel_one: required values SENTINEL_ONE_API_TOKEN.

Input fields

agent_id
string
required
ID of the agent to disable.
base_url
string | null
SentinelOne tenant URL. Default: null.
should_reboot
boolean
Whether the agent should reboot after disabling. Default: false.

Enable agent

Action ID: tools.sentinel_one.enable_agent

Enable a SentinelOne agent.

Reference: https://<base_url>/api-doc/api-details?category=agents&api=post-agents-actions-enable-agent

Secrets

Required secrets:
  • sentinel_one: required values SENTINEL_ONE_API_TOKEN.

Input fields

agent_id
string
required
ID of the agent to enable.
base_url
string | null
SentinelOne tenant URL. Default: null.
should_reboot
boolean
Whether the agent should reboot after enabling. Default: false.

Initiate scan

Action ID: tools.sentinel_one.initiate_scan

Initiate a scan on SentinelOne agents.

Reference: https://<base_url>/api-doc/api-details?category=agents&api=post-agents-actions-initiate-scan

Secrets

Required secrets:
  • sentinel_one: required values SENTINEL_ONE_API_TOKEN.

Input fields

device_id
string
required
ID of the agent/device to scan.
base_url
string | null
SentinelOne tenant URL. Default: null.

Isolate endpoint

Action ID: tools.sentinel_one.disconnect_device

Disconnect a SentinelOne agent from the network.

Reference: https://<base_url>/api-doc/api-details?category=agents&api=post-agents-actions-disconnect

Secrets

Required secrets:
  • sentinel_one: required values SENTINEL_ONE_API_TOKEN.

Input fields

endpoint_id
string
required
ID of the endpoint/agent to disconnect.
base_url
string | null
SentinelOne tenant URL. Default: null.

List agent IDs

Action ID: tools.sentinel_one.list_agent_ids

Get a simple list of SentinelOne agent IDs.

Reference: https://<base_url>/api-doc/api-details?category=agents&api=get-agents

Secrets

Required secrets:
  • sentinel_one: required values SENTINEL_ONE_API_TOKEN.

Input fields

base_url
string | null
SentinelOne tenant URL. Default: null.
limit
integer
The maximum number of agents to return. Default: 1000.

List alerts

Action ID: tools.sentinel_one.list_alerts

Query for SentinelOne alerts.

Reference: https://<base_url>/api-doc/api-details?category=alerts&api=get-alerts

Secrets

Required secrets:
  • sentinel_one: required values SENTINEL_ONE_API_TOKEN.

Input fields

end_time
string
required
End time for the query (exclusive).
start_time
string
required
Start time for the query (inclusive).
base_url
string | null
SentinelOne tenant URL. Default: null.
limit
integer
Maximum number of alerts to return. Default: 100.
query
string | object | null
SentinelOne search query. Default: null.

List threats

Action ID: tools.sentinel_one.list_threats

Query for SentinelOne threats.

Reference: https://<base_url>/api-doc/api-details?category=threats&api=get-threats

Secrets

Required secrets:
  • sentinel_one: required values SENTINEL_ONE_API_TOKEN.

Input fields

end_time
string
required
End time for the query (exclusive).
start_time
string
required
Start time for the query (inclusive).
base_url
string | null
SentinelOne tenant URL. Default: null.
limit
integer
Maximum number of alerts to return. Default: 100.
query
string | object | null
SentinelOne search query. Default: null.

Lookup agents by account ID

Action ID: tools.sentinel_one.lookup_agent_account_id

Find all SentinelOne agents in a specific account.

Reference: https://<base_url>/api-doc/api-details?category=agents&api=get-agents

Secrets

Required secrets:
  • sentinel_one: required values SENTINEL_ONE_API_TOKEN.

Input fields

account_id
string
required
Account ID to filter agents by.
base_url
string | null
SentinelOne tenant URL. Default: null.
limit
integer
The maximum number of agents to return. Default: 100.

Lookup agents by email

Action ID: tools.sentinel_one.lookup_agent_email

Find all SentinelOne agents associated with a user email address.

Reference: https://<base_url>/api-doc/api-details?category=agents&api=get-agents

Secrets

Required secrets:
  • sentinel_one: required values SENTINEL_ONE_API_TOKEN.

Input fields

email
string
required
Email address to search for in agent user fields.
base_url
string | null
SentinelOne tenant URL. Default: null.
limit
integer
The maximum number of agents to return. Default: 100.

Lookup agents by file hash

Action ID: tools.sentinel_one.lookup_agent_hash

Find all SentinelOne agents that have encountered threats with a specific file hash.

Reference: https://<base_url>/api-doc/api-details?category=agents&api=get-agents

Secrets

Required secrets:
  • sentinel_one: required values SENTINEL_ONE_API_TOKEN.

Input fields

file_hash
string
required
File hash (MD5, SHA1, SHA256) to search for in agent threats.
base_url
string | null
SentinelOne tenant URL. Default: null.
limit
integer
The maximum number of agents to return. Default: 100.

Lookup agents by group ID

Action ID: tools.sentinel_one.lookup_agent_groupid

Find all SentinelOne agents in a specific group.

Reference: https://<base_url>/api-doc/api-details?category=agents&api=get-agents

Secrets

Required secrets:
  • sentinel_one: required values SENTINEL_ONE_API_TOKEN.

Input fields

group_id
string
required
Group ID to filter agents by.
base_url
string | null
SentinelOne tenant URL. Default: null.
limit
integer
The maximum number of agents to return. Default: 100.

Lookup agents by hostname

Action ID: tools.sentinel_one.lookup_agent_hostname

Find all SentinelOne agents by hostname/computer name.

Reference: https://<base_url>/api-doc/api-details?category=agents&api=get-agents

Secrets

Required secrets:
  • sentinel_one: required values SENTINEL_ONE_API_TOKEN.

Input fields

hostname
string
required
Hostname/computer name to search for (supports partial matches).
base_url
string | null
SentinelOne tenant URL. Default: null.
limit
integer
The maximum number of agents to return. Default: 100.

Lookup agents by IP address

Action ID: tools.sentinel_one.lookup_agent_ip

Find all SentinelOne agents by IP address (external IP, network interface, or gateway).

Reference: https://<base_url>/api-doc/api-details?category=agents&api=get-agents

Secrets

Required secrets:
  • sentinel_one: required values SENTINEL_ONE_API_TOKEN.

Input fields

ip_address
string
required
IP address to search for (supports partial matches).
base_url
string | null
SentinelOne tenant URL. Default: null.
limit
integer
The maximum number of agents to return. Default: 100.

Lookup agents by MAC address

Action ID: tools.sentinel_one.lookup_agent_mac_address

Find all SentinelOne agents by MAC address (network interface physical address or gateway MAC).

Reference: https://<base_url>/api-doc/api-details?category=agents&api=get-agents

Secrets

Required secrets:
  • sentinel_one: required values SENTINEL_ONE_API_TOKEN.

Input fields

mac_address
string
required
MAC address to search for (supports partial matches, e.g., “aa:0f” or “41:”).
base_url
string | null
SentinelOne console base URL (e.g., https://your-tenant.sentinelone.net). Default: null.
limit
integer
Maximum number of agents to return (1-1000). Default: 100.
search_gateway_mac
boolean
Whether to also search gateway MAC addresses. Default: false.

Lookup agents by machine type

Action ID: tools.sentinel_one.lookup_agent_machine_type

Find all SentinelOne agents filtered by machine type (laptop, desktop, server, etc.).

Reference: https://<base_url>/api-doc/api-details?category=agents&api=get-agents

Secrets

Required secrets:
  • sentinel_one: required values SENTINEL_ONE_API_TOKEN.

Input fields

machine_types
array[string]
required
Machine types to include (e.g., laptop, desktop, server).
base_url
string | null
SentinelOne console base URL (e.g., https://your-tenant.sentinelone.net). Default: null.
exclude_machine_types
array[string]
Machine types to exclude (optional). Default: [].
limit
integer
Maximum number of agents to return (1-1000). Default: 100.

Lookup agents by operating system

Action ID: tools.sentinel_one.lookup_agent_os

Find all SentinelOne agents filtered by operating system type, name, revision, and version information.

Reference: https://<base_url>/api-doc/api-details?category=agents&api=get-agents

Secrets

Required secrets:
  • sentinel_one: required values SENTINEL_ONE_API_TOKEN.

Input fields

os_types
array[string]
required
OS types to include (e.g., windows, linux, macos, windows_legacy).
base_url
string | null
SentinelOne console base URL (e.g., https://your-tenant.sentinelone.net). Default: null.
limit
integer
Maximum number of agents to return (1-1000). Default: 100.
os_name
string
Free-text filter by OS full name (optional). Default: "".
os_revision
string
OS revision filter (optional). Default: "".
os_version_contains
array[string]
Free-text filter by OS full name and version (supports multiple values). Default: [].

Unisolate endpoint

Action ID: tools.sentinel_one.connect_to_network

Connect a SentinelOne agent to the network.

Reference: https://<base_url>/api-doc/api-details?category=agents&api=post-agents-actions-connect

Secrets

Required secrets:
  • sentinel_one: required values SENTINEL_ONE_API_TOKEN.

Input fields

endpoint_id
string
required
ID of the endpoint/agent to connect.
base_url
string | null
SentinelOne tenant URL. Default: null.