Sentinel One API Documentation 2.1

Uploaded by

crinob
SentinelOne API Documentation Version 2.1

Get Accounts 18
Create Account 25
Get Account by ID 42
Update Account 47
Revert Policy 67
Reactivate Account 69
Expire an Account 71
Get Uninstall Password Metadata 75
Get Uninstall Password 77
Generate/Regenerate Uninstall Password 78
Revoke Uninstall Password 81
Export Accounts 83
Get Activities 84
Get Activity Types 88
Last activity as Syslog message 89
Export Activities 92
Broadcast Message 93

Connect to Network 115
Fetch Logs 136
Initiate Scan 158
Abort Scan 179
Disconnect from Network 200
Decommission 221
Uninstall 242
Restart 263
Shutdown 284
Approve Uninstall 305
Reject uninstall 326
Update Software 347
Reset Local Config 370
Set Persistent Configuration Overrides 391
Set External ID 412
Fetch Files 433
Move between Sites 435
Fetch Firewall Rules 456
Move to Console 478
Get Applications 499
Start Remote Shell 520
Can run Remote Shell 543
Terminate Remote Shell 564
Fetch Firewall Logs 585
Randomize UUID 606
Mark as up-to-date 627
Enable Ranger 648
Disable Ranger 669
Edit local upgrade site authorization 690
Disable Agent 711
Enable Agent 732
Start Remote Profiling 753

Stop Remote Profiling 774
Approve Stateless Upgrades 795
Manage endpoint tags: add, remove, override 816
Clear Remote Shell 837
Get Agents 858
Count Agents 878
Get Passphrase 888
Export Agent Logs 899
Applications 899
Processes 901
Get local upgrade agent authorization 902
Export Agents 903
Get the endpoint tags that match the filters. 912
Export Agents - Light 915
List Access Tokens 924
Create Access Token 925
Delete Access Token 927
Get alerts 927
Update Threat Incident 940
Update Alert Analyst Verdict 946
Inventory Endpoints Data Export 952
Aggregated Application Risk Data Export 953
Application Risk Data Export 954
Risk Endpoint Data Export 956
Application CVE Data Export 958
Inventory Data Export 959
Risks Data Export 960
Get Endpoint Apps 963
Get App Inventory Endpoints 965
Get Aggregated Applications With Risk 969
Get Applications With Risk 973
Get Endpoints For Vulnerable App 977

Get Application CVEs 982
Get Application Inventory 986
Get CVE data 989
Initiate scan 995
Update Application Management Settings 997
Get Application Management Settings 1000
Get Applications 1002
Get CVEs 1006
Export Applications 1009
Get Available Packages 1010
Has Policy 1012
Get Parent Policies 1014
Get Policies 1015
Deactivate Policies 1016
Policies OS Count 1017
Create Policy 1018
Update Policy 1021
Policy Action 1024
Reorder Policies 1026
Set Scope Inheriting 1028
Validate Bucket 1030
Get AWS assume role external ID. 1032
Validate Query 1033
Get cloud funnel rule 1035
Delete cloud funnel rule 1038
Post onboarding cloud funnel 1040
Create Estimator ID 1045
Get estimate size of events 1047
get cloud provider account active health events by cloud provider account id 1049
Export cloud rogue resources to csv 1051
Get cloud rogue resources 1052
Get Config Overrides 1056

Create Config Override 1060
Delete Config Overrides 1063
Delete Config Override 1066
Update Config Override 1067
Create Unified Exclusion 1070
Validate Exclusion Item 1073
Get Rules 1075
Create Rule 1082
Delete Rules 1089
Update Rule 1092
Activate Rules 1099
Disable Rules 1102
Create Query and Get QueryId 1105
Cancel Running Query 1109
Get Query Status 1111
Get Events 1113
Get Process State 1119
Get Events By Type 1119
Create a Power Query and Get QueryId 1127
Ping a Power Query if results haven't been retrieved 1129
Download source process file 1131
Get Device Rules 1132
Create Device Control Rule 1138
Delete Rules 1145
Update Device Rule 1149
Copy Rules 1156
Move rules 1161
Reorder Rules 1166
Get Configuration 1168
Update Configuration 1170
Export Rules 1174
Get Device Control Events 1175

Enable/Disable Rules 1179
Import Exclusions 1184
Get Exclusion Import Validation Report 1187
Import Blocklist Items 1187
Get Blocklist Import Validation Report 1190
Get Exclusions 1190
Create Exclusion 1196
Update Exclusions 1200
Delete Exclusions 1203
Get Blocklist 1205
Create Blocklist Item 1210
Update Blocklist Item 1213
Delete Blocklist Item 1216
Validate Exclusion Item 1218
Validate Blocklist Item 1220
Export Exclusions 1222
Export Blocklist 1224
Get Exclusions 1226
Delete Exclusions 1230
Get Filters 1232
Save Filter 1247
Update Filter 1275
Delete Filter 1302
Get Deep Visibility Filters 1303
Save Deep Visibility Filter 1304
Delete Deep Visibility Filter 1306
Update Deep Visibility Filter 1307
Upload CSV file 1311
Get Firewall Rules 1313
Create Firewall Rule 1319
Delete Rules 1326
Copy Rules 1330

Move Rules 1335
Set Location 1340
Reorder Rules 1345
Get Configuration 1347
Update Configuration 1350
Export Rules 1354
Import Rules 1355
Enable/Disable Rules 1358
Get Protocols 1363
Add Rule Tags 1365
Remove Rule Tags 1370
Get Tag Firewall Rules 1375
Update Firewall Rule 1381
Application Forensics 1388
Application Forensics - Detailed 1391
Application Connections 1394
Export Application 1395
Get Gateways 1395
Update Gateways 1403
Update Gateway 1411
Get Groups 1417
Create Group 1421
Regenerate Group Token 1438
Delete Group 1439
Update Group 1440
Get Group by ID 1457
Revert Policy 1459
Move Agents 1461
Update Ranks 1482
Get Site registration token by ID 1484
Hash Reputation Rank 1485
Hash classification 1487

Hash Reputation verdict 1488
Update sites add-ons 1489
Get Agent Merged Updates 1493
Create Location 1495
Get Locations 1503
Delete Locations 1509
Update Location 1511
Get Applications Catalog 1518
Get Installed Applications 1521
Delete Application 1526
Install Applications 1529
Update Application Configuration 1531
Get Configuration Fields 1533
Get Configuration fields for Catalog Application 1534
Enable or Disable application 1537
Activations - Resend activation link invitations 1539
Activations - Cancel user activation invitations 1540
Activations - Validate bulk user activation upload 1541
Activations - Bulk user activation import 1543
Provision - Check if tenant can be provisioned 1545
Provision - Persist MSSP partner key 1547
Provision - Update MSSP partner key 1548
Provision - Get MSSP partner key 1550
Provision - Provision tenant with admin user 1551
Provision - Get tenant with users 1553
Management - Create interim connector connection 1555
Management - Checks if connection can be created on current scope. 1558
Management - Create connector connection 1559
Activations - Create User Activation 1562
Activations - Get list of user activations 1564
Management - Test connector connection. Deprecated, use create-interim-connection + device-groups instead. 1567
Management - Get list of connections for specific scope 1570

Connectors - Get list of Connectors and their abilities 1573
Management - Get app configuration 1574
Activations - Generates a global link for anonymous device registration 1575
Activations - Return anonymous activation in the scope 1577
Incidents - Update analyst verdict 1580
Incidents - Update incident status 1582
Policy - Get global mobile policy 1584
Policy - Update global mobile policy 1586
Policy - Delete global mobile policy 1590
Incidents - Get list of incidents 1590
Devices - Get list of devices for specific scope 1595
Policy - Create mobile policy 1600
Management - Get managed groups for connection 1604
Management - Get all UEM device groups for given connection 1605
Management - Sync devices under connection 1607
Management - Patch connection group mappings 1608
Deletes MSSP partner key by client ID 1610
Management - Update connector connection 1611
Management - Delete connection 1614
Incidents - Mitigate incident 1615
Incidents - Update incident note 1617
Incidents - Delete incident note 1619
Incidents - Create incident note 1620
Policy - Get the policy for the Account given by ID 1622
Policy - Update the policy for the Account given by ID 1624
Policy - Delete the policy for the Account given by ID 1628
Policy - Get the policy for the Site given by ID 1628
Policy - Update the policy for the Group given by ID 1631
Policy - Delete the policy for the Site given by ID 1635
Policy - Update the policy for the Site given by ID 1635
Devices - Get device details by device id 1640
Get Firewall Rules 1644

Create Firewall Rule 1650
Delete Rules 1657
Copy Rules 1661
Move Rules 1666
Set Location 1671
Reorder Rules 1676
Get Configuration 1678
Update Configuration 1681
Export Rules 1685
Import Rules 1686
Enable/Disable Rules 1689
Get Protocols 1694
Add Rule Tags 1696
Remove Rule Tags 1701
Group Policy 1706
Update Group Policy 1721
Site Policy 1750
Update Site Policy 1765
Account Policy 1794
Update Account Policy 1809
Global Policy 1838
Update Global Policy 1853
Get Ranger Table 1882
Export Ranger Data 1890
JSON Raw Data 1892
Export JSON Raw Data 1894
Get Ranger Settings 1894
Update Ranger Settings 1898
Change Device Review in Bulk 1905
Change Device Review 1911
Change Device Tags 1916
Create Cred Group 1922

Get Cred groups 1925
Delete Cred Group 1928
Add cred details 1929
Get Cred group details 1931
Delete Cred Group Detail 1934
Update Cred Group Details 1935
Get Self Enablement 1938
Change Ranger or Rogues Features 1939
Change the Self-Enablement for Accounts 1942
Features Configuration for New Sites 1943
Change Feature Defaults for New Sites 1943
Get All Roles 1946
Get Specific Role Definition 1950
Update role 1953
Delete role 1956
Create new role 1958
Get template for new role 1961
Create new Destination profile. 1963
Get available Destination profiles 1965
Delete multiple Destination profiles by ID 1967
Delete Destination profile by ID 1969
Update existing Destination profile 1969
Get Destination profile by ID 1972
Set profile as default profile of the scope 1974
Get results sent to data exporter 1975
Start collection of Forensics artifacts according to specified profile 1977
Return result of collection task 1998
Returns collection file download pre-signed url 2001
Check if collection file exists for given storyline 2002
Get list of supported artifact types 2003
Get Collection profile by ID 2005
Update Collection profile by ID 2008

Delete Collection profiles 2012
Create new Collection profile 2016
Get list of available Collection profiles 2020
Run Remote Script 2024
Get Remote Scripts Tasks Status 2047
Get Script Results 2051
Get script content 2053
Get Scripts 2054
Upload New Script 2058
Delete Scripts 2064
Update a Script 2069
Get paginated pending executions 2074
Approve/decline pending execution 2080
Gets a guardrails configuration for a given scope 2082
Updates or inserts (if record does not exist) a guardrails configuration 2083
Deletes a specific guardrails configuration 2085
Check whether guardrail applies to an execution 2087
Get Rogues Table 2089
Export Rogues Data 2094
Get Rogues Settings 2096
Update Rogues Settings 2099
Get Service Users 2103
Create Service User 2106
Export Service Users 2110
Update Service User 2110
Delete Service User 2114
Bulk Delete Service Users 2115
Get SSO Settings 2117
Set SSO Settings 2120
Get SSO Service Provider Certificate 2126
Download SSO Service Provider Certificate 2128
Test SSO Settings 2128

Get Notification Settings 2133
Set Notification Settings 2136
Clear Pending Emails 2141
Get SMTP Settings 2143
Set SMTP Settings 2145
Test SMTP Settings 2149
Get Syslog Settings 2152
Set Syslog Settings 2154
Test Syslog Settings 2158
Get SMS Settings 2161
Set SMS Settings 2162
Get Notification Recipients 2164
Set Notification Recipients 2166
Delete Notification Recipient 2168
Get AD Settings 2169
Set AD Settings 2171
Test AD Settings 2174
Get AD FQDNs 2176
Set AD FQDNs 2177
Get Microsoft Settings 2179
Set Microsoft Settings 2181
Test Microsoft Settings 2184
Get Sites 2186
Create Site 2192
Export Sites 2212
Get Site by ID 2213
Update Site 2217
Delete Site 2237
Get Site registration token by ID 2238
Revert Policy 2239
Create duplicate site 2241
Create Site and User 2260

Regenerate Site Key 2280
Reactivate Site 2281
Expire Site 2283
Update Sites 2287
Get local upgrade site authorization 2291
Edit local upgrade site authorization 2292
Get a CSV file of local upgrade site authorization data 2294
System Info 2295
System Status 2296
Database Status 2297
Cache Status 2298
Get System Config 2299
Set System Config 2305
System Environment 2313
Create a new endpoint tag 2314
Delete tags 2317
Edit an existing tag 2319
Get Tags 2322
Create Tags 2325
Delete Tags 2328
Delete Tag by ID 2331
Edit Tag 2332
Get Task Configuration 2335
Create Task 2338
Has Child Scopes 2341
Get Child Scope Task Configuration 2343
Get Threat Intelligence user config 2345
Create Threat Intelligence user config 2347
Delete Threat Intelligence user config 2350
Get IOCs 2352
Create IOCs 2359
Delete IOCs 2368

Get Threat Notes 2373
Add Note to Multiple 2375
Update Threat Note 2389
Delete Threat Note 2391
Get Threats 2392
Mitigate Threats 2409
Add to Blocklist 2424
Fetch Threat File 2439
Disable Engines 2453
Exclusion Options 2455
Get Events 2456
Add to Exclusions 2462
Export Threats 2478
Add to Blocklist (Deep Visibility) 2483
Mark as Threat (Deep Visibility) 2486
Export Mitigation Report 2488
Updated Threat Incident 2488
Update Threat Analyst Verdict 2503
Update Threat External Ticket ID 2517
Download from cloud 2531
Disconnect Container 2532
Reconnect Container 2546
Get Threat Timeline 2560
Export Threat Timeline 2563
Export Events 2563
Update Exclusions 2564
Latest Packages by OS 2566
Get Latest Packages 2573
Delete Packages 2577
Update package 2579
Upload Agent Package 2583
Upload System Package 2587

Deploy System Package 2589
Download Agent Package 2590
Download Package 2590
User by token 2590
List users 2595
Create User 2602
Export Users 2608
Get User 2610
Delete User 2615
Update User 2616
Bulk Delete Users 2622
Generate iFrame Token 2626
Enable 2FA 2628
Disable 2FA 2630
Generate API Token 2632
Revoke API Token 2634
API Token by User ID 2636
API Token Details 2637
Enable 2FA App 2639
Request 2FA App 2641
Change Password 2643
Auth App 2645
Sign EULA 2647
Check Global User 2648
Check Remote Shell Permissions 2649
Check Viewer 2650
Email Verification 2651
Validate Verification Token 2653
Send Verification Email 2654
Reset 2FA 2659
Delete 2FA 2661
Enroll 2FA 2663

Redirect to SSO 2665
Redirect to SSO for re-authentication 2665
Auth by SSO 2666
Login 2666
Logout 2669
Login by API Token 2669
Login by Token 2672
Continue with login due to upcoming password expiration or SSO 2FA setup 2672
Set a New Password 2675
Prompt reset password 2677
Reset password on next login 2682

Accounts

Get Accounts
GET /web/api/v2.1/accounts

Get the Accounts, and their data, that match the filter. This command gives the Account IDs, which other commands require.
Accounts are created by a Global User or by SentinelOne. Each Account contains Sites, which can inherit assets and settings. Each Account has one or more SKUs that you assign to the Sites. To have both Core and Complete Sites in an Account, the Account must have both SKUs.

Parameters
Name | Required | Description
accountids | optional | List of Account IDs to search for. Example: "225494730938493804,225494730938493915".
accounttype | optional | Account type. Example: "Trial".
activelicenses | optional | Active licenses
billingmode | optional | Billing mode. Example: "subscription".
countonly | optional | If true, only total number of items will be returned, without any of the actual objects.
createdat | optional | Timestamp of Account creation. Example: "2018-02-27T04:49:26.257525Z".
cursor | optional | Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
expiration | optional | Expiration. Example: "2018-02-27T04:49:26.257525Z".
features | optional | Filter the list of Accounts for those that support this feature. Example: "firewall-control".
ids | optional | A list of Account IDs. Example: "225494730938493804,225494730938493915".
isdefault | optional | Is default
limit | optional | Limit number of returned items (1-1000). Example: "10".
name | optional | Name. Example: "My Account".
query | optional | Full text search for fields: name. (Note: on single-Account Consoles, the Account name will not be matched)
skip | optional | Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount | optional | If true, total number of items will not be calculated, which speeds up execution time.
sortby | optional | The column to sort the results by. Example: "id".
sortorder | optional | Sort direction. Example: "asc".
states | optional | Filter by state, such as active or expired.
totallicenses | optional | Total licenses
updatedat | optional | Timestamp of last update. Example: "2018-02-27T04:49:26.257525Z".
usagetype | optional | Usage type. Example: "customer".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name | Description | Required | Value
pagination | Pagination information | true |
  totalItems | Total number of items found matching your query | true | integer
  nextCursor | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) | false | string
data | Response data | false |
  accountType | Account type | false | string
  activeAgents | Total Agents in the Account | false | integer
  agentsInCompleteSku | [DEPRECATED] Number of Agents connected to a Complete site | false | integer
  agentsInControlSku | [DEPRECATED] Number of Agents connected to a Control site | false | integer
  agentsInCoreSku | [DEPRECATED] Number of Agents connected to a Core site | false | integer
  billingMode | Billing mode | false | enum
  completeSites | [DEPRECATED] Number of Sites in suite Complete | false | integer
  controlSites | [DEPRECATED] Number of Sites in suite Control | false | integer
  coreSites | [DEPRECATED] Number of Sites in suite Core | false | integer
  createdAt | Timestamp of Account creation | false | string
  creator | The user that created the group | false | string
  creatorId | The ID of the user that created the group | false | string
  expiration | Expiration | false | string
  externalId | ID of CRM external system | false | string
  id | Account ID | false | string
  isDefault | Is default | false | boolean
  licenses | The account licenses. | false |
    bundles | The licenses Bundles | false |
      displayName | The Bundle display name | false | string
      majorVersion | The Bundle major version | false | integer
      minorVersion | The Bundle minor version | false | integer
      name | The Bundle internal api name | false | string
      surfaces | The Surfaces in the Bundle | false |
        count | …
        name | …
      totalSurfaces | The total number of Surfaces in this Bundle. -1 indicates unlimited count. | false | integer
    modules | The licenses Add-ons | false |
      displayName | The Add-on display name | false | string
      majorVersion | The Add-on major version | false | integer
      name | The Add-on internal api name | false | string
    settings | The licenses Settings | false |
      displayName | [DEPRECATED] The Setting display name | false | string
      groupName | The Setting group name | false |
      setting | The Setting display name | false |
      settingGroup | [DEPRECATED] The Setting group name | false | string
      settingGroupDisplayName | The Setting group display name | false | string
  name | Name | false | string
  numberOfSites | Total number of Sites in this Account | false | integer
  salesforceId | | false | string
  skus | [DEPRECATED] The list of SKUs for the Account. | false |
    agentsInSku | Total agents commissioned in this SKU. | false | integer
    totalLicenses | Number of licenses for this specific SKU. Applicable only if unlimited is False | false | integer
    type | The suite of product features active for this account | false | enum
    unlimited | True if this is an unlimited SKU. | false | boolean
  state | Account state | false | enum
  totalComplete | [DEPRECATED] Total Number of Complete licenses | false | integer
  totalControl | [DEPRECATED] Total Number of Control licenses | false | integer
  totalCore | [DEPRECATED] Total Number of Core licenses | false | integer
  totalLicenses | The total number of licenses on all Surfaces for all Bundles. | false | integer
  unlimitedComplete | [DEPRECATED] True if Complete licenses count is unlimited | false | boolean
  unlimitedControl | [DEPRECATED] True if Control licenses count is unlimited | false | boolean
  unlimitedCore | [DEPRECATED] True if Core licenses count is unlimited | false | boolean
  unlimitedExpiration | The Account does not expire | false | boolean
  updatedAt | Timestamp of last update | false | string
  usageType | Usage type | false | enum
errors | Errors | false | array
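
The "cursor" / "nextCursor" contract and the documented error codes for Get Accounts, worked through as an added example; this is not code from the SentinelOne documentation. It follows nextCursor until it is null, refuses to return a partial listing on 400/401/403, and uses the listing to flag expired and never-expiring Accounts. Assumptions: the console base URL, the "Authorization: ApiToken <token>" header format, and the sample responses are constructed here and do not appear on the page.

```python
"""Walk GET /web/api/v2.1/accounts with cursor pagination (added example)."""
import json
import urllib.error
import urllib.parse
import urllib.request

ACCOUNTS_PATH = "/web/api/v2.1/accounts"  # endpoint path as documented above

# Non-200 codes listed under "Response Messages" for this endpoint.
DOCUMENTED_ERRORS = {
    400: "Invalid user input received",
    401: "Unauthorized access",
    403: "Insufficient permissions",
}


class ApiError(Exception):
    """Raised for any non-200 answer so a partial listing is never trusted."""

    def __init__(self, status, errors=None):
        super().__init__(f"{status}: {DOCUMENTED_ERRORS.get(status, 'unexpected status')}")
        self.status = status
        self.errors = errors


def http_fetch(base_url, api_token):
    """Build fetch(params) -> (status, body) for a real console.

    Assumptions: base_url is your console URL and the token travels as
    'Authorization: ApiToken <token>'; neither is shown on the page.
    """
    def fetch(params):
        url = base_url.rstrip("/") + ACCOUNTS_PATH + "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers={"Authorization": "ApiToken " + api_token})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:
            raw = err.read().decode("utf-8", "replace")
            try:
                return err.code, json.loads(raw)
            except ValueError:
                return err.code, {"errors": [raw]}
    return fetch


def iter_accounts(fetch, limit=1000, **filters):
    """Yield every Account matching `filters`, following nextCursor."""
    if not 1 <= limit <= 1000:  # documented range for "limit"
        raise ValueError("limit must be between 1 and 1000")
    params = dict(filters, limit=limit)
    seen = set()
    while True:
        status, body = fetch(dict(params))
        if status != 200:
            raise ApiError(status, body.get("errors") if isinstance(body, dict) else body)
        yield from body.get("data") or []
        cursor = (body.get("pagination") or {}).get("nextCursor")
        if not cursor:  # null once the last page has been returned
            return
        if cursor in seen:  # guard against a cursor that loops back
            raise RuntimeError("nextCursor repeated; aborting")
        seen.add(cursor)
        params["cursor"] = cursor


def review_accounts(fetch, **filters):
    """Return IDs of expired Accounts and of Accounts that never expire."""
    report = {"expired": [], "never_expires": []}
    for acct in iter_accounts(fetch, **filters):
        if acct.get("state") == "expired":
            report["expired"].append(acct["id"])
        if acct.get("unlimitedExpiration"):
            report["never_expires"].append(acct["id"])
    return report


# Constructed sample responses (not real data), shaped like the Response Schema.
SAMPLE_PAGES = {
    None: {
        "pagination": {"totalItems": 3, "nextCursor": "Y3Vyc29yLTE="},
        "data": [
            {"id": "1001", "name": "Acme", "state": "active", "unlimitedExpiration": False},
            {"id": "1002", "name": "Lab", "state": "expired", "unlimitedExpiration": False},
        ],
    },
    "Y3Vyc29yLTE=": {
        "pagination": {"totalItems": 3, "nextCursor": None},
        "data": [{"id": "1003", "name": "Partner", "state": "active", "unlimitedExpiration": True}],
    },
}


def sample_fetch(params):
    """Offline stand-in for http_fetch(...) that serves SAMPLE_PAGES."""
    page = SAMPLE_PAGES.get(params.get("cursor"))
    return (200, page) if page else (400, {"errors": ["unknown cursor"]})


if __name__ == "__main__":
    print(review_accounts(sample_fetch, limit=2))
```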

Create Account
POST /web/api/v2.1/accounts

Create a new Account. This command requires Global permissions and an MSSP deployment. Consult with your SE before you run this command. An Account is a logical segment with permissions to configure features for specific Sites. Multiple Accounts can be useful for deployments with multiple Sites for third parties (such as MSSP). Each Account has one or more SKUs that you assign to Sites. If an Account has the Complete SKU, and you create a new Site in the Account, it will automatically have the Complete SKU. Best practice: Run "name-available" first, to make sure the name is unique in your deployment.

Response Messages
400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Body Schema
Name Description Required Value
data Data true Name Description Required Value
name Name true string
accountType Account false enum
type: Trial or
Paid
billingMode Billing mode false enum
expiration Expiration false string
externalId ID of CRM false string
external
system
inherits True if the false boolean
policy is
inherited
from Global,
False if the

25
Account has
its own
edited policy
licenses The license false Name Description Required Value
configuration
for the bundles The list of false Name Description Required Value
Account Bundles
selected name true string
majorVersion false integer
surfaces false Name De
name
count Th
of
pe
-1
un
co

modules The list of false Name Description Required Value


Add-ons
selected name true string

settings The list of false Name Description Required Value


Settings
selected for groupName true string
the Bundle setting true string
and Add-ons.
If a Bundle or
Add-on
requires a
Setting that is
not defined,
the default
Setting is
used.

policy Policy is false Name Description Required Value


mandatory if
it was edited agentLoggin True if false boolean
(inherits = gOn logging is
false), enabled in
otherwise the agent
ignored. agentNotifica [DEPRECATE false boolean
tion D] Show end

26
point
notification
on
suspicious.Re
placed by
'show_suspici
ous' in the
agent UI
section
agentUi Agent ui false Name Description Required Value
agentUiOn Agent ui on false boolean
contactComp Contact false string
any company
contactDirec Contact false string
tMessage direct
message
contactEmail Contact email false string
contactFreeTe Contact free false string
xt text
contactOther Contact other false string
contactPhon Contact false string
eNumber phone
number
contactSuppo Contact false string
rtWebsite support
website
devicePopUpN Device pop false boolean
otifications up
notifications
maxEventAge Max event false integer
Days age days
showAgentWa Show agent false boolean
rnings warnings
showDeviceT Show device false boolean
ab tab
showQuarant Show false boolean
ineTab quarantine
tab

27
showSupport Show support false boolean
showSuspicio Show false boolean
us suspicious
threatPopUpNo Threat pop false boolean
tifications up
notifications

agentUiOn [DEPRECATE false boolean


D] Show/hide
Agent UI.
Moved inside
the agent UI
section
allowRemoteS True if false boolean
hell Remote Shell
is enabled for
the scope
antiTamperin Anti false boolean
gOn tampering
on/off
autoDecommi Automatic false integer
ssionDays decommission
period in
days
autoDecommi Auto false boolean
ssionOn decommission
on
autoFileUplo Automatic false Name Description Required Value
ad file upload
configuration enabled Automatic false boolean
file upload
on/off
includeBenign Upload false boolean
Files benign files
maxDailyFile Maximum false integer
Upload size (MB) to
upload daily
maxDailyFile Limit for the false integer
UploadLimit maximum
size (MB) to

28
upload daily
maxFileSize Maximum file false integer
size (MB) to
upload
maxFileSizeLi Limit for the false integer
mit maximum file
size (MB) to
upload
maxLocalDis Maximum false integer
kUsage local disk
usage (MB)
for uploaded
files
maxLocalDisk Limit for the false integer
UsageLimit maximum
local disk
usage (MB)
for uploaded
files

autoImmune Automatic false boolean


On immune on/
off - this
value must be
true since all
policies are
immune by
default
autoMitigatio Default false string
nAction action for
auto
mitigation
cloudValidat Cloud false
ionOn validation on
createdAt Timestamp of false string
policy
creation
driverBlockin Suspicious false boolean
g driver
blocking
engine on/off

29
dvAttributes The DV false Name Description Required Value
PerEventType attributes
autoInstallBr Auto install false Name De
owserExtensi browser
ons extensions autoInstallBr Au
owserExtensi bro
ons ex

behavioralInd Behavioral false Name De


icators indicators
event dvEventTypeBe Be
havioralIndica ind
tors ev

commandScri Command false Name De


pts scripts event
dvEventType Co
CommandScri scr
pts

crossProcess Cross process false Name De


event
dvEventTypeC Du
rossProcessDu Pro
plicateProces Ev
s
dvEventTypeC Du
rossProcessD Th
uplicateThrea Ty
d
dvEventTypeC Op
rossProcessO Ev
penProcess
dvEventTypeC Re
rossProcessR Th
emoteThread Ty

dataMasking Data masking false Name De


dataMasking Da

dllModuleLoa DLL module false Name De


d load event
dvEventType DL
DllModuleLo loa
ad

30
dns Network false Name De
event - DNS
dvEventType Ne
Dns ev

driver Driver false Name De


dvEventTypeD Dr
riverLoad

file File event false Name De


dvEventTypeF Fil
ileCreation Ev
dvEventTypeF Fil
ileDeletion Ev
dvEventTypeFi Fil
leModificatio Mo
n Ev
dvEventTypeF Fil
ileRename Ev
fullDiskScan Fil
Ev

ip Network false Name De


event - IP
dvEventTypeI IP
pConnect Ev
dvEventTypeI IP
pListen Ev

login User login/ false Name De


logout event
dvEventTypeL Us
oginLoggedIn Ev
dvEventType Us
LoginLogged Ev
Out

namedPipe Named Pipe false Name De


dvEventType Na
NamedPipeCo Co
nnection Ev

31
dvEventType Na
NamedPipeCr Cr
eation Ev

namedPipeEx Named Pipe false Name De


tended Extended
namedPipeEx Na
tended Co
Ex
Ev

process Process event false Name De


dvEventTypeP Pro
rocessCreatio Cr
n Ev
dvEventTypeP Pro
rocessExit Ev
dvEventTypeP Pro
rocessModific Te
ation Ev

registry Registry false Name De


event
dvEventTypeR Re
egistryKeyCr Cr
eated Ev
dvEventTypeR Re
egistryKeyDel De
ete Ty
dvEventTypeR Re
egistryKeyExp Ex
ort Ty
dvEventTypeR Re
egistryKeyIm Im
port Ty
dvEventType Re
RegistryKey Re
Rename Ev
dvEventTypeR Re
egistryKeySe Se
curityChange Ch

32
d Ev
dvEventTypeR Re
egistryValueC Va
reated Ev
dvEventTypeR Re
egistryValueD Va
eleted De
Ev
dvEventTypeR Re
egistryValueM Va
odified Mo
Ev

scheduledTas Scheduled false Name De


k task event
dvEventTypeS Sc
cheduledTask Ta
Delete Ev
dvEventTypeS Sc
cheduledTask Ta
Register Ev
dvEventTypeS Sc
cheduledTask Ta
Start Ev
dvEventTypeS Sc
cheduledTaskT Ta
rigger Ev
dvEventTypeS Sc
cheduledTask Ta
Update Ev

smartFileMoni Smart file false Name De


toring monitoring
smartFileMoni Sm
toring mo

url URL Actions false Name De


event
dvEventTypeU UR
rl ev

windowsEven Windows false Name De


tLogs Event Log

33
dvEventType W
WindowsEven Ev
tLogCreation Cr
Ev

windowsEven Windows false Name De


tLogsExtende Event Log
d Extended windowsEven W
tLogsExtende Ev
d Ex
Ev

engines The engines false Name Description Required Value


statuses
applicationCo application false enum
ntrol control
dataFiles data files false enum
executables executables false enum
exploits exploits false enum
lateralMovem lateral false enum
ent movement
penetration penetration false enum
preExecution on-write false enum
preExecution pre execution false enum
Suspicious suspicious
pup potentially false enum
unwanted
applications
(PUP)
remoteShell remote shell false enum
reputation reputation false enum

forensicsAuto Forensics false Name Description Required Value


Triggering auto
triggering linuxEnabled True if linux false boolean
configuration forensics is
enabled
linuxProfileId The profile id false string
for the linux

34
forensics
linuxProfileN The profile false string
ame name for the
linux
forensics
macosEnable True if macos false boolean
d forensics is
enabled
macosProfileI The profile id false string
d for the macos
forensics
macosProfil The profile false string
eName name for the
macos
forensics
windowsEnab True if false boolean
led windows
forensics is
enabled
windowsProfi The profile id false string
leId for the
windows
forensics
windowsProf The profile false string
ileName name for the
windows
forensics

identityEndpo Endpoint false enum


intReporting reporting
level
identityOn Identity false boolean
module on/
off
identityRepor Identity false integer
tInterval telemetry
report
interval in
minutes
identityThrott Identity false integer
lingInterval duplicate

35
command
consolidation
interval in
minutes
identityUpdat Identity false integer
eInterval update
interval in
minutes
inheritedFro Indicates the false enum
m parent scope
from which
this policy is
inherited, or
'null' if it is
not inherited
(modified
specifically
for the
current
scope).
ioc True if ioc is false boolean
enabled
iocAttributes The Ioc false Name Description Required Value
attributes
autoInstallBr Update auto false boolean
owserExtensi install
ons browser
extensions
behavioralInd Update false boolean
icators behavioral
indicators
commandScri Update false boolean
pts command
scripts
crossProcess Update cross false boolean
process
dataMasking Update data false boolean
masking
dllModuleLoa Update DLL false boolean
d module load
dns Network false boolean

36
event - DNS
driver Driver false boolean
fds Full disk scan false boolean
file File event false boolean
ip Network false boolean
event - IP
login User login/ false boolean
logout event
namedPipe Named Pipe false boolean
namedPipeEx Named Pipe false boolean
tended Extended
process Process false boolean
creation
event
registry Registry false boolean
event
scheduledTas Scheduled false boolean
k task event
smartFileMoni Smart file false boolean
toring monitoring
url Ioc URI false boolean
windowsEven Windows false boolean
tLogs Event Log
windowsEven Windows false boolean
tLogsExtende Event Log
d Extended

iocSupported Ioc supported false boolean


for the scope
isDefault True if this is false boolean
the tenant
policy
isDvPolicyPe FE indication false boolean
rEventType as to how to
display DV
policy
mitigationMo Mitigation false enum

37
de modes
mitigationMo Mitigation false enum
deSuspicious mode
monitorOnEx Monitor on false boolean
ecute execute on/
off
monitorOnWr Monitor on false boolean
ite write
networkQuar Network false boolean
antineOn quarantine on
remoteOpsFor Remote ops false Name Description Required Value
ensics forensics
configuration cpuLimit CPU false integer
resources
limit for
collection
process
enabled Enabled false boolean
maximumDail Maximum false integer
yUpload size to upload
daily
maximumDail Limit for the false integer
yUploadLimit maximum
size to upload
daily
maximumFileS Maximum false integer
izeUpload size for single
file
maximumFileS Limit for the false integer
izeUploadLimi maximum file
t size to upload
parsedArtifac Default false enum
tsDestination destination of
parsed
artifacts

remoteScriptO Remote script false Name Description Required Value


rchestration orchestration
upload limits alwaysUpload Always false boolean
configuration StreamToClou upload
d streams to

cloud
maxDailyFile Maximum false integer
Download size (MB) to
download
daily
maxDailyFile Limit for the false integer
DownloadLim maximum
it size (MB) to
download
daily
maxDailyFile Maximum false integer
Upload size (MB) to
upload daily
maxDailyFile Limit for the false integer
UploadLimit maximum
size (MB) to
upload daily
maxFileSize Maximum false integer
size in bytes
for single file
maxFileSizeLi Limit for the false integer
mit maximum file
size (MB) to
upload
maxLocalPac Maximum false integer
kageDiskUsa local disk
ge usage (MB)
for packages
maxLocalPack Limit for the false integer
ageDiskUsage maximum
Limit local disk
usage (MB)
for packages

removeMacro Determines if false boolean


s macros
should be
removed
from macro
threats
researchOn Share data false boolean

with
SentinelOne
scanNewAgen If True initiate false boolean
ts full disk scan
upon first
registration
signedDriver Suspicious false boolean
BlockingOn signed driver
blocking on/
off
snapshotsOn True if false boolean
snapshots are
enabled
unsignedDriv Suspicious false boolean
erBlockingOn unsigned
driver
blocking on/
off
updatedAt Time of the false string
last update to
the policy
userFullName The user that false string
created the
policy
userId The user id false string

skus [DEPRECATE false Name Description Required Value


D] The list of
allowed SKUs totalLicenses Number of false integer
for the licenses for
Account this specific
SKU.
Applicable
only if
unlimited is
False
type The suite of false enum
product
features

active for this
Account
unlimited True if this is false boolean
an unlimited
SKU. Total
licenses will
be ignored if
unlimited is
True

unlimitedExpi If expiration false boolean


ration is not
unlimited,
enter the
expiration
date
usageType Usage type false enum

Get Account by ID
GET /web/api/v2.1/accounts/{account_id}

Get Account data from a given Account ID. To get an Account ID, run "accounts".

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

404 - Account not found

Response Schema
Name Description Required Value
data Response false Name Description Required Value
data
accountType Account type false string
activeAgents Total Agents false integer
in the
Account
agentsInComp [DEPRECATE false integer
leteSku D] Number of
Agents
connected to
a Complete
site
agentsInCont [DEPRECATE false integer
rolSku D] Number of
Agents
connected to
a Control site
agentsInCore [DEPRECATE false integer
Sku D] Number of
Agents
connected to
a Core site
billingMode Billing mode false enum

completeSite [DEPRECATE false integer
s D] Number of
Sites in suite
Complete
controlSites [DEPRECATE false integer
D] Number of
Sites in suite
Control
coreSites [DEPRECATE false integer
D] Number of
Sites in suite
Core
createdAt Timestamp of false string
Account
creation
creator The user that false string
created the
group
creatorId The ID of the false string
user that
created the
group
expiration Expiration false string
externalId ID of CRM false string
external
system
id Account ID false string
isDefault Is default false boolean
licenses The account false Name Description Required Value
licenses.
bundles The licenses false Name Description Required Value
Bundles
displayName The Bundle false string
display name
majorVersion The Bundle false integer
major version
minorVersion The Bundle false integer
minor version
name The Bundle false string
internal api

name
surfaces The Surfaces false Name De
in the Bundle
count Th
co
ind
un
co
name Th
na

totalSurfaces The total false integer


number of
Surfaces in
this Bundle.
-1 indicates
unlimited
count.

modules The licenses false Name Description Required Value


Add-ons
displayName The Add-on false string
display name
majorVersion The Add-on false integer
major version
name The Add-on false string
internal api
name

settings The licenses false Name Description Required Value


Settings
displayName [DEPRECATE false string
D] The
Setting
display name
groupName The Setting false
group name
setting The Setting false
display name
settingGroup [DEPRECATE false string
D] The
Setting group
name

settingGroup The Setting false string
DisplayName group display
name

name Name false string


numberOfSit Total number false integer
es of Sites in
this Account
salesforceId false string
skus [DEPRECATE false Name Description Required Value
D] The list of
SKUs for the agentsInSku Total agents false integer
Account. commissioned
in this SKU.
totalLicenses Number of false integer
licenses for
this specific
SKU.
Applicable
only if
unlimited is
False
type The suite of false enum
product
features
active for this
account
unlimited True if this is false boolean
an unlimited
SKU.

state Account state false enum


totalComplet [DEPRECATE false integer
e D] Total
Number of
Complete
licenses
totalControl [DEPRECATE false integer
D] Total
Number of
Control
licenses

totalCore [DEPRECATE false integer
D] Total
Number of
Core licenses
totalLicenses The total false integer
number of
licenses on all
Surfaces for
all Bundles.
unlimitedCom [DEPRECATE false boolean
plete D] True if
Complete
licenses
count is
unlimited
unlimitedCont [DEPRECATE false boolean
rol D] True if
Control
licenses
count is
unlimited
unlimitedCor [DEPRECATE false boolean
e D] True if
Core licenses
count is
unlimited
unlimitedExpi The Account false boolean
ration does not
expire
updatedAt Timestamp of false string
last update
usageType Usage type false enum

errors Errors false array

Update Account
PUT /web/api/v2.1/accounts/{account_id}

Change the data of an Account. This command requires a Global user or an Account user and Admin role. Use this command to change the name, ID, SKUs and how they are distributed among Sites and Agents, and more. (See the Body sample.) Best practice: Consult with your SentinelOne SE.


Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Account not found

Response Schema
Name Description Required Value
data Response false Name Description Required Value
data
accountType Account type false string
activeAgents Total Agents false integer
in the
Account
billingMode Billing mode false enum
createdAt Timestamp of false string
Account
creation
creator The user that false string
created the
group
creatorId The ID of the false string
user that

created the
group
expiration Expiration false string
externalId ID of CRM false string
external
system
id Account ID false string
isDefault Is default false boolean
licenses The account false Name Description Required Value
licenses.
bundles The licenses false Name Description Required Value
Bundles
displayName The Bundle false string
display name
majorVersion The Bundle false integer
major version
minorVersion The Bundle false integer
minor version
name The Bundle false string
internal api
name
surfaces The Surfaces false Name De
in the Bundle
count Th
co
ind
un
co
name Th
na

totalSurfaces The total false integer


number of
Surfaces in
this Bundle.
-1 indicates
unlimited
count.

modules The licenses false Name Description Required Value


Add-ons
displayName The Add-on false string

display name
majorVersion The Add-on false integer
major version
name The Add-on false string
internal api
name

settings The licenses false Name Description Required Value


Settings
displayName [DEPRECATE false string
D] The
Setting
display name
groupName The Setting false
group name
setting The Setting false
display name
settingGroup [DEPRECATE false string
D] The
Setting group
name
settingGroup The Setting false string
DisplayName group display
name

name Name false string


salesforceId false string
skus [DEPRECATE false Name Description Required Value
D] The list of
SKUs for the agentsInSku Total agents false integer
Account. commissioned
in this SKU.
totalLicenses Number of false integer
licenses for
this specific
SKU.
Applicable
only if
unlimited is
False
type The suite of false enum

product
features
active for this
account
unlimited True if this is false boolean
an unlimited
SKU.

state Account state false enum


totalLicenses The total false integer
number of
licenses on all
Surfaces for
all Bundles.
unlimitedExpi The Account false
ration does not
expire
updatedAt Timestamp of false string
last update
usageType Usage type false enum

errors Errors false array

Body Schema
Name Description Required Value
data Data true Name Description Required Value
accountType Account type false enum
billingMode Billing mode false enum
expiration Expiration false string
externalId ID of CRM false string
external
system
inherits True if the false boolean
policy is
inherited
from Global,
False if the
Account has
its own
edited policy
licenses The license false Name Description Required Value
configuration
for the bundles The list of false Name Description Required Value
Account Bundles
selected name true string
majorVersion false integer
surfaces false Name De
name
count Th
of
pe
-1
un
co

modules The list of false Name Description Required Value


Add-ons
selected name true string

settings The list of false Name Description Required Value


Settings
selected for groupName true string

the Bundle setting true string
and Add-ons.
If a Bundle or
Add-on
requires a
Setting that is
not defined,
the default
Setting is
used.

name Name false string


policy Policy false Name Description Required Value
agentLoggin True if false boolean
gOn logging is
enabled in
the agent
agentNotifica [DEPRECATE false boolean
tion D] Show end
point
notification
on
suspicious.Re
placed by
'show_suspici
ous' in the
agent UI
section
agentUi Agent ui false Name Description Required Value
agentUiOn Agent ui on false boolean
contactComp Contact false string
any company
contactDirec Contact false string
tMessage direct
message
contactEmail Contact email false string
contactFreeTe Contact free false string
xt text
contactOther Contact other false string

contactPhon Contact false string
eNumber phone
number
contactSuppo Contact false string
rtWebsite support
website
devicePopUpN Device pop false boolean
otifications up
notifications
maxEventAge Max event false integer
Days age days
showAgentWa Show agent false boolean
rnings warnings
showDeviceT Show device false boolean
ab tab
showQuarant Show false boolean
ineTab quarantine
tab
showSupport Show support false boolean
showSuspicio Show false boolean
us suspicious
threatPopUpNo Threat pop false boolean
tifications up
notifications

agentUiOn [DEPRECATE false boolean


D] Show/hide
Agent UI.
Moved inside
the agent UI
section
allowRemoteS True if false boolean
hell Remote Shell
is enabled for
the scope
antiTamperin Anti false boolean
gOn tampering
on/off
autoDecommi Automatic false integer
ssionDays decommission

period in
days
autoDecommi Auto false boolean
ssionOn decommission
on
autoFileUplo Automatic false Name Description Required Value
ad file upload
configuration enabled Automatic false boolean
file upload
on/off
includeBenign Upload false boolean
Files benign files
maxDailyFile Maximum false integer
Upload size (MB) to
upload daily
maxDailyFile Limit for the false integer
UploadLimit maximum
size (MB) to
upload daily
maxFileSize Maximum file false integer
size (MB) to
upload
maxFileSizeLi Limit for the false integer
mit maximum file
size (MB) to
upload
maxLocalDis Maximum false integer
kUsage local disk
usage (MB)
for uploaded
files
maxLocalDisk Limit for the false integer
UsageLimit maximum
local disk
usage (MB)
for uploaded
files

autoImmune Automatic false boolean


On immune on/
off - this
value must be

true since all
policies are
immune by
default
autoMitigatio Default false string
nAction action for
auto
mitigation
cloudValidat Cloud false
ionOn validation on
createdAt Timestamp of false string
policy
creation
driverBlockin Suspicious false boolean
g driver
blocking
engine on/off
dvAttributes The DV false Name Description Required Value
PerEventType attributes
autoInstallBr Auto install false Name De
owserExtensi browser
ons extensions autoInstallBr Au
owserExtensi bro
ons ex

behavioralInd Behavioral false Name De


icators indicators
event dvEventTypeBe Be
havioralIndica ind
tors ev

commandScri Command false Name De


pts scripts event
dvEventType Co
CommandScri scr
pts

crossProcess Cross process false Name De


event
dvEventTypeC Du
rossProcessDu Pro
plicateProces Ev
s
dvEventTypeC Du

rossProcessD Th
uplicateThrea Ty
d
dvEventTypeC Op
rossProcessO Ev
penProcess
dvEventTypeC Re
rossProcessR Th
emoteThread Ty

dataMasking Data masking false Name De


dataMasking Da

dllModuleLoa DLL module false Name De


d load event
dvEventType DL
DllModuleLo loa
ad

dns Network false Name De


event - DNS
dvEventType Ne
Dns ev

driver Driver false Name De


dvEventTypeD Dr
riverLoad

file File event false Name De


dvEventTypeF Fil
ileCreation Ev
dvEventTypeF Fil
ileDeletion Ev
dvEventTypeFi Fil
leModificatio Mo
n Ev
dvEventTypeF Fil
ileRename Ev
fullDiskScan Fil
Ev

ip Network false Name De
event - IP
dvEventTypeI IP
pConnect Ev
dvEventTypeI IP
pListen Ev

login User login/ false Name De


logout event
dvEventTypeL Us
oginLoggedIn Ev
dvEventType Us
LoginLogged Ev
Out

namedPipe Named Pipe false Name De


dvEventType Na
NamedPipeCo Co
nnection Ev
dvEventType Na
NamedPipeCr Cr
eation Ev

namedPipeEx Named Pipe false Name De


tended Extended
namedPipeEx Na
tended Co
Ex
Ev

process Process event false Name De


dvEventTypeP Pro
rocessCreatio Cr
n Ev
dvEventTypeP Pro
rocessExit Ev
dvEventTypeP Pro
rocessModific Te
ation Ev

registry Registry false Name De


event

dvEventTypeR Re
egistryKeyCr Cr
eated Ev
dvEventTypeR Re
egistryKeyDel De
ete Ty
dvEventTypeR Re
egistryKeyExp Ex
ort Ty
dvEventTypeR Re
egistryKeyIm Im
port Ty
dvEventType Re
RegistryKey Re
Rename Ev
dvEventTypeR Re
egistryKeySe Se
curityChange Ch
d Ev
dvEventTypeR Re
egistryValueC Va
reated Ev
dvEventTypeR Re
egistryValueD Va
eleted De
Ev
dvEventTypeR Re
egistryValueM Va
odified Mo
Ev

scheduledTas Scheduled false Name De


k task event
dvEventTypeS Sc
cheduledTask Ta
Delete Ev
dvEventTypeS Sc
cheduledTask Ta
Register Ev
dvEventTypeS Sc

cheduledTask Ta
Start Ev
dvEventTypeS Sc
cheduledTaskT Ta
rigger Ev
dvEventTypeS Sc
cheduledTask Ta
Update Ev

smartFileMoni Smart file false Name De


toring monitoring
smartFileMoni Sm
toring mo

url URL Actions false Name De


event
dvEventTypeU UR
rl ev

windowsEven Windows false Name De


tLogs Event Log
dvEventType W
WindowsEven Ev
tLogCreation Cr
Ev

windowsEven Windows false Name De


tLogsExtende Event Log
d Extended windowsEven W
tLogsExtende Ev
d Ex
Ev

engines The engines false Name Description Required Value


statuses
applicationCo application false enum
ntrol control
dataFiles data files false enum
executables executables false enum
exploits exploits false enum
lateralMovem lateral false enum
ent movement

penetration penetration false enum
preExecution on-write false enum
preExecution pre execution false enum
Suspicious suspicious
pup potentially false enum
unwanted
applications
(PUP)
remoteShell remote shell false enum
reputation reputation false enum

forensicsAuto Forensics false Name Description Required Value


Triggering auto
triggering linuxEnabled True if linux false boolean
configuration forensics is
enabled
linuxProfileId The profile id false string
for the linux
forensics
linuxProfileN The profile false string
ame name for the
linux
forensics
macosEnable True if macos false boolean
d forensics is
enabled
macosProfileI The profile id false string
d for the macos
forensics
macosProfil The profile false string
eName name for the
macos
forensics
windowsEnab True if false boolean
led windows
forensics is
enabled
windowsProfi The profile id false string
leId for the
windows

forensics
windowsProf The profile false string
ileName name for the
windows
forensics

identityEndpo Endpoint false enum


intReporting reporting
level
identityOn Identity false boolean
module on/
off
identityRepor Identity false integer
tInterval telemetry
report
interval in
minutes
identityThrott Identity false integer
lingInterval duplicate
command
consolidation
interval in
minutes
identityUpdat Identity false integer
eInterval update
interval in
minutes
inheritedFro Indicates the false enum
m parent scope
from which
this policy is
inherited, or
'null' if it is
not inherited
(modified
specifically
for the
current
scope).
ioc True if ioc is false boolean
enabled

iocAttributes The Ioc false Name Description Required Value
attributes
autoInstallBr Update auto false boolean
owserExtensi install
ons browser
extensions
behavioralInd Update false boolean
icators behavioral
indicators
commandScri Update false boolean
pts command
scripts
crossProcess Update cross false boolean
process
dataMasking Update data false boolean
masking
dllModuleLoa Update DLL false boolean
d module load
dns Network false boolean
event - DNS
driver Driver false boolean
fds Full disk scan false boolean
file File event false boolean
ip Network false boolean
event - IP
login User login/ false boolean
logout event
namedPipe Named Pipe false boolean
namedPipeEx Named Pipe false boolean
tended Extended
process Process false boolean
creation
event
registry Registry false boolean
event
scheduledTas Scheduled false boolean
k task event

smartFileMoni Smart file false boolean
toring monitoring
url Ioc URI false boolean
windowsEven Windows false boolean
tLogs Event Log
windowsEven Windows false boolean
tLogsExtende Event Log
d Extended

iocSupported Ioc supported false boolean


for the scope
isDefault True if this is false boolean
the tenant
policy
isDvPolicyPe FE indication false boolean
rEventType as to how to
display DV
policy
mitigationMo Mitigation false enum
de modes
mitigationMo Mitigation false enum
deSuspicious mode
monitorOnEx Monitor on false boolean
ecute execute on/
off
monitorOnWr Monitor on false boolean
ite write
networkQuar Network false boolean
antineOn quarantine on
remoteOpsFor Remote ops false Name Description Required Value
ensics forensics
configuration cpuLimit CPU false integer
resources
limit for
collection
process
enabled Enabled false boolean
maximumDail Maximum false integer
yUpload size to upload

daily
maximumDail Limit for the false integer
yUploadLimit maximum
size to upload
daily
maximumFileS Maximum false integer
izeUpload size for single
file
maximumFileS Limit for the false integer
izeUploadLimi maximum file
t size to upload
parsedArtifac Default false enum
tsDestination destination of
parsed
artifacts

remoteScriptO Remote script false Name Description Required Value


rchestration orchestration
upload limits alwaysUpload Always false boolean
configuration StreamToClou upload
d streams to
cloud
maxDailyFile Maximum false integer
Download size (MB) to
download
daily
maxDailyFile Limit for the false integer
DownloadLim maximum
it size (MB) to
download
daily
maxDailyFile Maximum false integer
Upload size (MB) to
upload daily
maxDailyFile Limit for the false integer
UploadLimit maximum
size (MB) to
upload daily
maxFileSize Maximum false integer
size in bytes
for single file

maxFileSizeLi Limit for the false integer
mit maximum file
size (MB) to
upload
maxLocalPac Maximum false integer
kageDiskUsa local disk
ge usage (MB)
for packages
maxLocalPack Limit for the false integer
ageDiskUsage maximum
Limit local disk
usage (MB)
for packages

removeMacro Determines if false boolean


s macros
should be
removed
from macro
threats
researchOn Share data false boolean
with
SentinelOne
scanNewAgen If True initiate false boolean
ts full disk scan
upon first
registration
signedDriver Suspicious false boolean
BlockingOn signed driver
blocking on/
off
snapshotsOn True if false boolean
snapshots are
enabled
unsignedDriv Suspicious false boolean
erBlockingOn unsigned
driver
blocking on/
off
updatedAt Time of the false string
last update to
the policy

userFullName The user that false string
created the
policy
userId The user id false string

salesforceId false string


skus [DEPRECATE false Name Description Required Value
D] Use
licenses totalLicenses Number of false integer
instead licenses for
this specific
SKU.
Applicable
only if
unlimited is
False
type The suite of false enum
product
features
active for this
Account
unlimited True if this is false boolean
an unlimited
SKU. Total
licenses will
be ignored if
unlimited is
True

unlimitedExpi If expiration false boolean


ration is not limited,
enter the
expiration
date and time
yyyy-mm-
ddThh:mm:ss
usageType Usage type false enum
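
A baseline check for the `policy` object described in the Body Schema above, as an added example that is not part of the SentinelOne documentation. The field names are the schema's; the baseline values, the rule that a value must not exceed its `*Limit` field, and the idea of sending only the corrected fields are assumptions.

```python
"""Audit a policy object from the Update Account body against a baseline.

Added example. Field names come from the Body Schema; BASELINE values and
the value-versus-Limit rule are assumptions, not documented behaviour.
"""
import json

# Assumed hardening baseline (hypothetical; replace with your own standard).
BASELINE = {
    "antiTamperingOn": True,
    "snapshotsOn": True,
    "allowRemoteShell": False,
    "autoImmuneOn": True,  # the schema states this value must be true
    "signedDriverBlockingOn": True,
    "unsignedDriverBlockingOn": True,
    "scanNewAgents": True,
    "agentLoggingOn": True,
}

# (value field, limit field) pairs listed under autoFileUpload in the schema.
CAPPED = [
    ("maxDailyFileUpload", "maxDailyFileUploadLimit"),
    ("maxFileSize", "maxFileSizeLimit"),
    ("maxLocalDiskUsage", "maxLocalDiskUsageLimit"),
]


def audit_policy(policy):
    """Return (field, kind, wanted) tuples for every deviation found."""
    findings = []
    for field, want in BASELINE.items():
        have = policy.get(field)
        if have is None:
            findings.append((field, "missing", want))
        elif not isinstance(have, bool):
            # The schema types these fields as boolean; "true" is not True.
            findings.append((field, "not-boolean", want))
        elif have != want:
            findings.append((field, "drift", want))
    upload = policy.get("autoFileUpload") or {}
    for value_key, limit_key in CAPPED:
        value, limit = upload.get(value_key), upload.get(limit_key)
        # type() rather than isinstance(): bool is a subclass of int.
        if type(value) is int and type(limit) is int and value > limit:
            findings.append(("autoFileUpload." + value_key, "over-limit", limit))
    return findings


def remediation_body(findings):
    """Build a PUT body holding only the corrected fields, or None."""
    policy = {}
    for field, _kind, want in findings:
        if "." in field:
            parent, child = field.split(".", 1)
            policy.setdefault(parent, {})[child] = want
        else:
            policy[field] = want
    return {"data": {"policy": policy}} if policy else None


# Constructed sample policy, not taken from a real Console.
SAMPLE_POLICY = {
    "antiTamperingOn": False,
    "snapshotsOn": True,
    "allowRemoteShell": True,
    "autoImmuneOn": True,
    "signedDriverBlockingOn": True,
    "unsignedDriverBlockingOn": "true",
    "scanNewAgents": True,
    "agentLoggingOn": True,
    "autoFileUpload": {
        "enabled": True,
        "maxDailyFileUpload": 100,
        "maxDailyFileUploadLimit": 1000,
        "maxFileSize": 500,
        "maxFileSizeLimit": 250,
    },
}

if __name__ == "__main__":
    found = audit_policy(SAMPLE_POLICY)
    for item in found:
        print(item)
    print(json.dumps(remediation_body(found), indent=2))
```

Review the generated body before sending it with PUT /web/api/v2.1/accounts/{account_id}; whether omitted policy fields keep their current values is not stated in the schema.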

Revert Policy
PUT /web/api/v2.1/accounts/{account_id}/revert-policy

The policy of the Account is based on the default Global policy and is enforced by all endpoints in the Sites and Groups of the Account (if you did not change the Site or Group policies). If you change the Account policy, you can use this command to revert it to the default Global policy.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name     Description     Required  Value
data     Response data   false
    Name     Description                        Required  Value
    success  Indicates a successful operation   false     boolean
errors   Errors          false     array

Body Schema
Name  Description  Required  Value
data  Data         false
    Name  Description  Required  Value
    id    Id           false     string

Reactivate Account
PUT /web/api/v2.1/accounts/{account_id}/reactivate

Reactivate an expired Account. This command requires a Global user or Support. Consult with your SentinelOne SE.

Response Messages
200 - Account reactivated

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Account not found

Response Schema
Name     Description     Required  Value
data     Response data   false
    Name     Description                        Required  Value
    success  Indicates a successful operation   false     boolean
errors   Errors          false     array

Body Schema
Name  Description  Required  Value
data  Data         true
    Name        Description                                                        Required  Value
    expiration  New expiration date for the Account                                false     string
    unlimited   If false enter an expiration date and time (yyyy-mm-ddThh:mm:ss)   false     boolean

Expire an Account
POST /web/api/v2.1/accounts/{account_id}/expire-now

Expire an Account immediately. The user must have Global access or Account access with permissions for the Account. Best practice: Consult with Support before you use this command.


Response Messages
200 - Expire account now

401 - Unauthorized access - please sign in and retry.

404 - Account not found

Response Schema
Name Description Required Value
data Response false Name Description Required Value
data
accountType Account type false string
activeAgents Total Agents false integer
in the
Account
billingMode Billing mode false enum
createdAt Timestamp of false string
Account
creation
creator The user that false string
created the
group
creatorId The ID of the false string
user that
created the
group

expiration Expiration false string
externalId ID of CRM false string
external
system
id Account ID false string
isDefault Is default false boolean
licenses The account false Name Description Required Value
licenses.
bundles The licenses false Name Description Required Value
Bundles
displayName The Bundle false string
display name
majorVersion The Bundle false integer
major version
minorVersion The Bundle false integer
minor version
name The Bundle false string
internal api
name
surfaces The Surfaces false Name De
in the Bundle
count Th
co
ind
un
co
name Th
na

totalSurfaces The total false integer


number of
Surfaces in
this Bundle.
-1 indicates
unlimited
count.

modules The licenses false Name Description Required Value


Add-ons
displayName The Add-on false string
display name
majorVersion The Add-on false integer

major version
name The Add-on false string
internal api
name

settings The licenses false Name Description Required Value


Settings
displayName [DEPRECATE false string
D] The
Setting
display name
groupName The Setting false
group name
setting The Setting false
display name
settingGroup [DEPRECATE false string
D] The
Setting group
name
settingGroup The Setting false string
DisplayName group display
name

name Name false string


salesforceId false string
skus [DEPRECATE false Name Description Required Value
D] The list of
SKUs for the agentsInSku Total agents false integer
Account. commissioned
in this SKU.
totalLicenses Number of false integer
licenses for
this specific
SKU.
Applicable
only if
unlimited is
False
type The suite of false enum
product
features

active for this
account
unlimited True if this is false boolean
an unlimited
SKU.

state Account state false enum


totalLicenses The total false integer
number of
licenses on all
Surfaces for
all Bundles.
unlimitedExpi The Account false
ration does not
expire
updatedAt Timestamp of false string
last update
usageType Usage type false enum

errors Errors false array

Get Uninstall Password Metadata
GET /web/api/v2.1/accounts/{account_id}/uninstall-password/metadata

Get the uninstall password metadata, such as which user created and revoked it and when.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name     Description     Required  Value
data     Response data   false
    Name             Description                                                Required  Value
    generatedByName  name of the user that generated the uninstall password     true      string
    lastRevoked      uninstall password last revoked date                       true      string
    revokedByName    Revoked by name                                            true      string
    version          Version                                                    true      integer
    createdAt        password creation date: yyyy-mm-dd                         false     string
    expiration       password expiration date format: yyyy-mm-dd                false     string
    generatedById    The ID of the user that generated the uninstall password   false     integer
    revokedById      The ID of the user that revoked the uninstall password     false     integer
errors   Errors          false     array

Get Uninstall Password
GET /web/api/v2.1/accounts/{account_id}/uninstall-password/view

Get the uninstall password to uninstall several Agents of one Account with one command.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name     Description     Required  Value
data     Response data   false
    Name      Description                                                           Required  Value
    password  msg EC signed with private key: v1.base64(data).base64(ES384(data))   false     string
errors   Errors          false     array

Generate/Regenerate Uninstall Password
POST /web/api/v2.1/accounts/{account_id}/uninstall-password/generate

You can uninstall all Agents of one Account with one command that requires a password. This command sets a new account-level uninstall password.
To enable this feature, submit a ticket with Support.
Best Practice: After you uninstall the Agents and install again, revoke the passphrase.
Applicable on Windows (versions 4.4+) and Linux (versions 21.7+) Agents.


Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name     Description     Required  Value
data     Response data   false
    Name             Description                                                Required  Value
    generatedByName  name of the user that generated the uninstall password     true      string
    lastRevoked      uninstall password last revoked date                       true      string
    revokedByName    Revoked by name                                            true      string
    version          Version                                                    true      integer
    createdAt        password creation date: yyyy-mm-dd                         false     string
    expiration       password expiration date format: yyyy-mm-dd                false     string
    generatedById    The ID of the user that generated the uninstall password   false     integer
    revokedById      The ID of the user that revoked the uninstall password     false     integer
errors   Errors          false     array

Body Schema
Name  Description  Required  Value
data  Data         true
    Name        Description                                   Required  Value
    expiration  password expiration date format: yyyy-mm-dd   true      string

Revoke Uninstall Password
POST /web/api/v2.1/accounts/{account_id}/uninstall-password/revoke

Delete the account-level uninstall password. If you do not delete it, you or another Console user can mistakenly use the Account passphrase (and uninstall all Agents) when you mean to uninstall one Agent.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name     Description     Required  Value
data     Response data   false
    Name             Description                                                Required  Value
    generatedByName  name of the user that generated the uninstall password     true      string
    lastRevoked      uninstall password last revoked date                       true      string
    revokedByName    Revoked by name                                            true      string
    version          Version                                                    true      integer
    createdAt        password creation date: yyyy-mm-dd                         false     string
    expiration       password expiration date format: yyyy-mm-dd                false     string
    generatedById    The ID of the user that generated the uninstall password   false     integer
    revokedById      The ID of the user that revoked the uninstall password     false     integer
errors   Errors          false     array
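
An audit over the metadata responses of several Accounts that lists account-level uninstall passwords still usable, so they can be revoked as the Generate and Revoke sections advise. This is an added example, not SentinelOne code. It assumes that `lastRevoked` begins with yyyy-mm-dd, that the expiration day is inclusive, and that a password counts as revoked when `lastRevoked` is later than `createdAt`; the account IDs and dates are constructed.

```python
"""Find account-level uninstall passwords that are still usable.

Added example. Input is the parsed JSON of
GET /web/api/v2.1/accounts/{account_id}/uninstall-password/metadata
per Account. The state rules below are assumptions about field semantics.
"""
from datetime import date


def day_of(value):
    """Parse the leading yyyy-mm-dd of a string; None if absent or invalid."""
    if not isinstance(value, str) or len(value) < 10:
        return None
    try:
        return date.fromisoformat(value[:10])
    except ValueError:
        return None


def password_state(meta, today):
    """Classify one metadata object: none, revoked, expired, review or live."""
    created = day_of(meta.get("createdAt"))
    expires = day_of(meta.get("expiration"))
    revoked = day_of(meta.get("lastRevoked"))
    if created is None:
        return "none"      # no password was ever generated
    if revoked is not None and revoked > created:
        return "revoked"   # revoked after the current password was created
    if expires is not None and expires < today:
        return "expired"
    if revoked is not None and revoked == created:
        return "review"    # same-day revoke and generate: order unknown
    return "live"


def audit(responses, today):
    """Return findings for live or ambiguous passwords, oldest first."""
    findings = []
    for account_id, response in responses.items():
        meta = (response or {}).get("data") or {}
        state = password_state(meta, today)
        if state not in ("live", "review"):
            continue
        created = day_of(meta.get("createdAt"))
        findings.append({
            "account_id": account_id,
            "state": state,
            "age_days": (today - created).days,
            "generated_by": meta.get("generatedByName"),
            "expiration": meta.get("expiration"),
        })
    findings.sort(key=lambda f: f["age_days"], reverse=True)
    return findings


# Constructed sample responses keyed by constructed account IDs.
SAMPLE_TODAY = date(2024, 6, 15)
SAMPLE = {
    "1001": {"data": {"generatedByName": "admin-a", "createdAt": "2024-06-01",
                      "expiration": "2024-07-01", "lastRevoked": "",
                      "revokedByName": "", "version": 1}},
    "1002": {"data": {"generatedByName": "admin-b", "createdAt": "2024-05-01",
                      "expiration": "2024-06-01", "lastRevoked": "",
                      "revokedByName": "", "version": 1}},
    "1003": {"data": {"generatedByName": "admin-c", "createdAt": "2024-06-10",
                      "expiration": "2024-06-30",
                      "lastRevoked": "2024-06-12T08:00:00Z",
                      "revokedByName": "admin-c", "version": 2}},
    "1004": {"data": {"generatedByName": "admin-d", "createdAt": "2024-06-14",
                      "expiration": "2024-06-20", "lastRevoked": "2024-06-14",
                      "revokedByName": "admin-d", "version": 3}},
    "1005": {"data": {}},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, SAMPLE_TODAY):
        print(finding)
```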

Export Accounts
GET /web/api/v2.1/export/accounts

Export Accounts data to a CSV, for Accounts that match the filter.

Parameters
accountids optional List of Account IDs to search for. Example: "225494730938493804,225494730938493915".
accounttype optional Account type. Example: "Trial".
activelicenses optional Active licenses
billingmode optional Billing mode. Example: "subscription".
createdat optional Timestamp of Account creation. Example: "2018-02-27T04:49:26.257525Z".
expiration optional Expiration. Example: "2018-02-27T04:49:26.257525Z".
features optional Filter the list of Accounts for those that support this feature. Example: "firewall-control".
ids optional A list of Account IDs. Example: "225494730938493804,225494730938493915".
isdefault optional Is default
name optional Name. Example: "My Account".
query optional Full text search for fields: name. (Note: on single-Account Consoles, the Account name will not be matched)
states optional Filter by state, such as active or expired.
totallicenses optional Total licenses
updatedat optional Timestamp of last update. Example: "2018-02-27T04:49:26.257525Z".
usagetype optional Usage type. Example: "customer".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Activities

Get Activities
GET /web/api/v2.1/activities

Get the activities, and their data, that match the filters.
We recommend that you set some values for the filters. The full list will be too large to be useful.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
activitytypes optional Return only these activity codes (comma-separated list).
Select a code from the drop-down, or see the id field from the Get
activity types command. . Example: "52,53,71,72".
activityuuids optional Return activities by specific activity UUIDs. Example: "a2c8037c-
e6df-436d-b92b-bc09a418717e,f15b308b-fab9-4c0b-
b6f5-17d236a7bf55".
agentids optional Return activities related to specified agents. Example:
"225494730938493804,225494730938493915".
alertids optional Return activities related to specified alerts. Example:
"225494730938493804,225494730938493915".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
createdat__between optional Get activities created in this range (inclusive) of a start timestamp
and an end timestamp. Example:
"1514978764288-1514978999999".
createdat__gt optional Get activities created after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__gte optional Get activities created after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lt optional Get activities created before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lte optional Get activities created before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
ids optional Filter activities by specific activity IDs. Example:
"225494730938493804,225494730938493915".
includehidden optional Include internal activities hidden from display. Example: "False".
limit optional Limit number of returned items (1-1000). Example: "10".
ruleids optional Return activities related to specified rules. Example:
"225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
threatids optional Return activities related to specified threats. Example:
"225494730938493804,225494730938493915".
useremails optional Email of the user who invoked the activity (If applicable)
userids optional The user who invoked the activity (If applicable). Example:
"225494730938493804,225494730938493915".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
    Name Description Required Value
    totalItems Total number of items found matching your query true integer
    nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
    Name Description Required Value
    accountId Related account id (If applicable) false string
    accountName Related account name (If applicable) false string
    activityType Activity type false integer
    activityUuid Activity UUID false string
    agentId Related agent (If applicable) false string
    agentUpdatedVersion Agent's new version (If applicable) false string
    comments Comments false string
    createdAt Activity creation time (UTC) false string
    data Extra activity specific data false object
    description Extra activity information false string
    groupId Related group id (If applicable) false string
    groupName Related group name (If applicable) false string
    hash Threat file hash (If applicable) false string
    id Activity ID false string
    osFamily Agent's OS type (if applicable) false enum
    primaryDescription Primary description false string
    secondaryDescription Secondary description false string
    siteId Related site id (If applicable) false string
    siteName Related site name (If applicable) false string
    threatId Related threat (If applicable) false string
    updatedAt Activity last updated time (UTC) false string
    userId The user who invoked the activity (If applicable) false string
errors Errors false array
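
The cursor iteration described for Get Activities (limit of 1-1000 per request, then pagination.nextCursor passed back as "cursor" until it is null), as an added example that is not part of the SentinelOne documentation. The `fetch` transport hook, the helper names and the two-page sample responses are assumptions constructed for the example, so it runs without a Console.

```python
from collections import Counter
from urllib.parse import parse_qs, urlencode, urlsplit

ACTIVITIES_PATH = "/web/api/v2.1/activities"
MAX_LIMIT = 1000  # the page documents limit as 1-1000


def build_query(filters, limit=MAX_LIMIT, cursor=None):
    """Return the query string for one page of Get Activities."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be between 1 and 1000")
    params = {}
    for key, value in filters.items():
        # List-valued filters (activitytypes, siteids, ...) are comma-separated.
        if isinstance(value, (list, tuple)):
            value = ",".join(str(v) for v in value)
        params[key] = value
    params["limit"] = limit
    if cursor:
        params["cursor"] = cursor
    return urlencode(params, safe=",")


def iter_activities(fetch, filters, limit=MAX_LIMIT, max_pages=10_000):
    """Yield every matching activity, following pagination.nextCursor.

    fetch(path_and_query) -> dict is a hypothetical transport hook that
    returns the decoded JSON body described in the Response Schema.
    """
    cursor = None
    seen = set()
    for _ in range(max_pages):
        body = fetch(ACTIVITIES_PATH + "?" + build_query(filters, limit, cursor))
        if body.get("errors"):
            raise RuntimeError(f"API returned errors: {body['errors']}")
        yield from body.get("data") or []
        cursor = (body.get("pagination") or {}).get("nextCursor")
        # The last page carries a null cursor; the string "null" is also
        # accepted here as a cautious reading of the schema text.
        if cursor in (None, "", "null"):
            return
        if cursor in seen:  # a cursor that never advances would loop forever
            raise RuntimeError("nextCursor repeated; stopping")
        seen.add(cursor)
    raise RuntimeError("max_pages reached before the last page")


def count_by_type_and_user(activities):
    """Tally activities per (activityType, userId) for audit review."""
    return dict(Counter((a.get("activityType"), a.get("userId")) for a in activities))


def make_fake_fetch():
    """Constructed two-page response set standing in for the Console."""
    pages = {
        None: {
            "pagination": {"totalItems": 3, "nextCursor": "CONSTRUCTED_CURSOR_1"},
            "data": [
                {"id": "1", "activityType": 52, "userId": "u1"},
                {"id": "2", "activityType": 53, "userId": "u1"},
            ],
            "errors": None,
        },
        "CONSTRUCTED_CURSOR_1": {
            "pagination": {"totalItems": 3, "nextCursor": None},
            "data": [{"id": "3", "activityType": 52, "userId": "u2"}],
            "errors": None,
        },
    }
    calls = []

    def fetch(url):
        calls.append(url)
        cursor = parse_qs(urlsplit(url).query).get("cursor", [None])[0]
        return pages[cursor]

    return fetch, calls


if __name__ == "__main__":
    fetch, calls = make_fake_fetch()
    items = list(iter_activities(fetch, {"activitytypes": [52, 53]}, limit=2))
    print(len(items), "activities in", len(calls), "requests")
    print(count_by_type_and_user(items))
```

Narrowing the request with activitytypes and a createdat__gte value keeps each poll small, which is what the endpoint description recommends.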

Get Activity Types
GET /web/api/v2.1/activities/types

Get a list of activity types. This is useful to see valid values to filter activities in other commands.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    action Action described in the activity false string
    descriptionTemplate Activity description template as seen in activity page false string
    id Activity type ID false integer
errors Errors false array

Last activity as Syslog message
GET /web/api/v2.1/last-activity-as-syslog

To see examples of Syslog messages, you can get the Syslog message that corresponds to the last activity that matches the filter. This is not intended for production
purposes.
If Syslog messages that you expected to see are not in the response, make sure you selected "Syslog" for the activity type in Console > Settings > Notifications.
To see your Syslog settings, run: "settings/notifications".
To change the settings, run: "settings/notifications" with the changes in the body of the request.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
activitytypes optional Return only these activity codes (comma-separated list).
Select a code from the drop-down, or see the id field from the Get
activity types command. Example: "52,53,71,72".
activityuuids optional Return activities by specific activity UUIDs. Example:
"a2c8037c-e6df-436d-b92b-bc09a418717e,f15b308b-fab9-4c0b-b6f5-17d236a7bf55".
agentids optional Return activities related to specified agents. Example:
"225494730938493804,225494730938493915".
alertids optional Return activities related to specified alerts. Example:
"225494730938493804,225494730938493915".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
createdat__between optional Get activities created in this range (inclusive) of a start timestamp
and an end timestamp. Example:
"1514978764288-1514978999999".
createdat__gt optional Get activities created after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__gte optional Get activities created after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lt optional Get activities created before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lte optional Get activities created before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
ids optional Filter activities by specific activity IDs. Example:
"225494730938493804,225494730938493915".
includehidden optional Include internal activities hidden from display. Example: "False".
limit optional Limit number of returned items (1-1000). Example: "10".
ruleids optional Return activities related to specified rules. Example:
"225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
threatids optional Return activities related to specified threats. Example:
"225494730938493804,225494730938493915".
useremails optional Email of the user who invoked the activity (If applicable)
userids optional The user who invoked the activity (If applicable). Example:
"225494730938493804,225494730938493915".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
    Name Description Required Value
    totalItems Total number of items found matching your query true integer
    nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
    Name Description Required Value
    activityId ID of the activity false string
    syslogMessage Syslog message corresponding to the activity false string
errors Errors false array

Export Activities
GET /web/api/v2.1/export/activities

Export the list of activities.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
activitytypes optional Return only these activity codes (comma-separated list).
Select a code from the drop-down, or see the id field from the Get
activity types command. Example: "52,53,71,72".
activityuuids optional Return activities by specific activity UUIDs. Example:
"a2c8037c-e6df-436d-b92b-bc09a418717e,f15b308b-fab9-4c0b-b6f5-17d236a7bf55".
agentids optional Return activities related to specified agents. Example:
"225494730938493804,225494730938493915".
alertids optional Return activities related to specified alerts. Example:
"225494730938493804,225494730938493915".
createdat__between optional Get activities created in this range (inclusive) of a start timestamp
and an end timestamp. Example:
"1514978764288-1514978999999".
createdat__gt optional Get activities created after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__gte optional Get activities created after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lt optional Get activities created before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lte optional Get activities created before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
ids optional Filter activities by specific activity IDs. Example:
"225494730938493804,225494730938493915".
includehidden optional Include internal activities hidden from display. Example: "False".
rowslimit optional Limit number of returned items (1-10000). Example: "100".
ruleids optional Return activities related to specified rules. Example:
"225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
threatids optional Return activities related to specified threats. Example:
"225494730938493804,225494730938493915".
useremails optional Email of the user who invoked the activity (If applicable)
userids optional The user who invoked the activity (If applicable). Example:
"225494730938493804,225494730938493915".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Agent Actions

Broadcast Message
POST /web/api/v2.1/agents/actions/broadcast

You can send a message through the Agents that users can see.
This is useful for endpoints that have human users. This command is supported on Windows and macOS endpoints (not supported on Linux). The message is sent to all endpoints
that match the filter.
Put the message in the data parameter: "data":{"message":"<your message>"}
The message must be 140 characters or less.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permissions to perform the requested action

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    affected Number of entities affected by the requested operation false integer
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    message Message to broadcast to agents. true string
filter Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents. true
    Name Description Required Value
    accountIds List of Account IDs to filter by false string []
    activeThreats Include Agents with this amount of active threats false integer
    activeThreats__gt Include Agents with at least this amount of active threats false integer
    adComputerMember__contains Free-text filter by Active Directory computer groups string (supports multiple values) false string []
    adComputerName__contains Free-text filter by Active Directory computer name string (supports multiple values) false string []
    adComputerQuery__contains Free-text filter by Active Directory computer name or its groups (supports multiple values) false string []
    adQuery An Active Directory query string false string
    adQuery__contains Free-text filter by Active Directory string (supports multiple values) false string []
    adUserMember__contains Free-text filter by Active Directory user groups string (supports multiple values) false string []
    adUserName__contains Free-text filter by Active Directory username string (supports multiple values) false string []
    adUserQuery__contains Free-text filter by Active Directory computer name or its groups (supports multiple values) false string []
    agentNamespace__contains Free-text filter by agent namespace (supports multiple values) false string []
    agentPodName__contains Free-text filter by agent pod name (supports multiple values) false string []
    agentVersion__between Version range for agent version (format: <from_version>-<to_version>, inclusive) false string
    agentVersion__gt Agents versions greater than given version false string
    agentVersion__gte Agents versions greater than or equal to given version false string
    agentVersion__lt Agents versions less than given version false string
    agentVersion__lte Agents versions less than or equal to given version false string
    agentVersions Agent versions to include false string []
    agentVersionsNin Agent versions not to include false string []
    appsVulnerabilityStatuses Apps vulnerability status in false string []
    appsVulnerabilityStatusesNin Apps vulnerability status nin false string []
    awsRole__contains Free-text filter by aws role (supports multiple values) false string []
    awsSecurityGroups__contains Free-text filter by aws securityGroups (supports multiple values) false string []
    awsSubnetIds__contains Free-text filter by aws subnet ids (supports multiple values) false string []
    azureResourceGroup__contains Free-text filter by azure resource group (supports multiple values) false string []
    cloudAccount__contains Free-text filter by cloud account (supports multiple values) false string []
    cloudImage__contains Free-text filter by cloud image (supports multiple values) false string []
    cloudInstanceId__contains Free-text filter by cloud instance id (supports multiple values) false string []
    cloudInstanceSize__contains Free-text filter by cloud instance size (supports multiple values) false string []
    cloudLocation__contains Free-text filter by cloud location (supports multiple values) false string []
    cloudNetwork__contains Free-text filter by cloud network (supports multiple values) false string []
    cloudProvider Agents from which cloud provider false string []
    cloudProviderNin Exclude Agents from these cloud providers false string []
    cloudTags__contains Free-text filter by cloud tags (supports multiple values) false string []
    clusterName__contains Free-text filter by cluster name (supports multiple values) false string []
    computerName Computer name false string
    computerName__contains Free-text filter by computer name (supports multiple values) false string []
    computerName__like Match computer name partially (substring) false string
    consoleMigrationStatuses Migration status in false string []
    consoleMigrationStatusesNin Migration status nin false string []
    coreCount__between Possible number of CPU cores (inclusive) false string
    coreCount__gt CPU cores (more than) false integer
    coreCount__gte CPU cores (more than or equal) false integer
    coreCount__lt CPU cores (less than) false integer
    coreCount__lte CPU cores (less than or equal) false integer
    cpuCount__between Possible number of CPU cores (inclusive) false string
    cpuCount__gt Number of CPUs (more than) false integer
    cpuCount__gte Number of CPUs (more than or equal) false integer
    cpuCount__lt Number of CPUs (less than) false integer
    cpuCount__lte Number of CPUs (less than or equal) false integer
    cpuId__contains Free-text filter by CPU name (supports multiple values) false string []
    createdAt__between Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    createdAt__gt Agents created after this timestamp false string
    createdAt__gte Agents created after or at this timestamp false string
    createdAt__lt Agents created before this timestamp false string
    createdAt__lte Agents created before or at this timestamp false string
    csvFilterId The ID of the CSV file to filter by false string
    decommissionedAt__between Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    decommissionedAt__gt Agents decommissioned after this timestamp false string
    decommissionedAt__gte Agents decommissioned after or at this timestamp false string
    decommissionedAt__lt Agents decommissioned before this timestamp false string
    decommissionedAt__lte Agents decommissioned before this timestamp false string
    domains Included network domains false string []
    domainsNin Not included network domains false string []
    encryptedApplications Disk encryption status false boolean
    externalId__contains Free-text filter by external ID (Customer ID) false string []
    externalIp__contains Free-text filter by visible IP (supports multiple values) false string []
    filteredGroupIds List of Group IDs to filter by false string []
    filteredSiteIds List of Site IDs to filter by false string []
    filterId Include all Agents matching this saved filter false string
    firewallEnabled The agent supports Firewall Control and it is enabled for the agent's group false boolean []
    gatewayIp Gateway ip false string
    gcpServiceAccount__contains Free-text filter by gcp service account (supports multiple values) false string []
    groupIds List of Group IDs to filter by false string []
    hasContainerizedWorkload Include only Agents protecting containerized workloads false boolean
    hasLocalConfiguration Agent has a local configuration set false boolean
    hasTags Include only Agents that have any tags assigned if True, or none if False false boolean
    ids A list of Agent IDs false string []
    infected Include only Agents with at least one active threat false boolean
    installerTypes Include only Agents installed with these package types false string []
    installerTypesNin Exclude Agents installed with these package types false string []
    isActive Include only active Agents false boolean
    isDecommissioned Include active, decommissioned or both false boolean []
    isPendingUninstall Include only Agents with pending uninstall requests false boolean
    isUninstalled Include installed, uninstalled or both false boolean []
    isUpToDate Include only Agents with updated software false boolean
    k8sNodeLabels__contains Free-text filter by K8s node labels (supports multiple values) false string []
    k8sNodeName__contains Free-text filter by K8s node name (supports multiple values) false string []
    k8sType__contains Free-text filter by K8s type (supports multiple values) false string []
    k8sVersion__contains Free-text filter by K8s version (supports multiple values) false string []
    lastActiveDate__between Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    lastActiveDate__gt Agents last active after this time false string
    lastActiveDate__gte Agents last active after or at this time false string
    lastActiveDate__lt Agents last active before this time false string
    lastActiveDate__lte Agents last active before or at this time false string
    lastLoggedInUserName__contains Free-text filter by username (supports multiple values) false string []
    lastSuccessfulScanDate__between Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    lastSuccessfulScanDate__gt Agents last successful full disk scan after this time false string
    lastSuccessfulScanDate__gte Agents last successful full disk scan after or at this time false string
    lastSuccessfulScanDate__lt Agents last successful full disk scan before this time false string
    lastSuccessfulScanDate__lte Agents last successful full disk scan before or at this time false string
    liveUpdateId__contains Free-text filter by live update ID (supports multiple values) false string []
    locationEnabled The agent supports Location Awareness and it is enabled for the agent's group false boolean []
    locationIds Include only Agents reporting these locations false string []
    locationIdsNin Do not include only Agents reporting these locations false string []
    machineTypes Included machine types false string []
    machineTypesNin Not included machine types false string []
    migrationStatus Migration status false enum
    missingPermissions Included missing permissions false string []
    missingPermissionsNin Excluded missing permissions false string []
    mitigationMode Agent mitigation mode policy false enum
    mitigationModeSuspicious Mitigation mode policy for suspicious activity false enum
    networkInterfaceGatewayMacAddress__contains Free-text filter by Gateway MAC address (supports multiple values) false string []
    networkInterfaceInet__contains Free-text filter by local IP (supports multiple values) false string []
    networkInterfacePhysical__contains Free-text filter by MAC address (supports multiple values) false string []
    networkQuarantineEnabled The agent supports Network Quarantine Control and it is enabled for the agent's group false boolean []
    networkStatuses Included network statuses false string []
    networkStatusesNin Included network statuses false string []
    operationalStates Agent operational state false string []
    operationalStatesNin Do not include these Agent operational states false string []
    osArch OS architecture false enum
    osTypes Included OS types false string []
    osTypesNin Not included OS types false string []
    osVersion__contains Free-text filter by OS full name and version (supports multiple values) false string []
    query A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). false string
    rangerStatus [DEPRECATED] Use rangerStatuses. false enum
    rangerStatuses Status of Ranger false string []
    rangerStatusesNin Do not include these Ranger Statuses false string []
    rangerVersions Ranger versions to include false string []
    rangerVersionsNin Ranger versions not to include false string []
    registeredAt__between Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    registeredAt__gt Agents registered after this time false string
    registeredAt__gte Agents registered after or at this time false string
    registeredAt__lt Agents registered before this time false string
    registeredAt__lte Agents registered before or at this time false string
    remoteOpsForensicsSupported Include only agents that have the Remote Ops Forensics feature supported false boolean
    remoteProfilingStates Agent remote profiling state false string []
    remoteProfilingStatesNin Do not include these Agent remote profiling states false string []
    rsoLevel Supported Remote Script Orchestration level false enum
    scanStatus Scan status false enum
    scanStatuses Included scan statuses false string []
    scanStatusesNin Not included scan statuses false string []
    serialNumber__contains Free-text filter by Serial Number (supports multiple values) false string []
    siteIds List of Site IDs to filter by false string []
    tagsData Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. false string
    threatContentHash Include only Agents that have at least one threat with this content hash false string
    threatCreatedAt__between Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    threatCreatedAt__gt Agents with threats reported after this time false string
    threatCreatedAt__gte Agents with threats reported after or at this time false string
    threatCreatedAt__lt Agents with threats reported before this time false string
    threatCreatedAt__lte Agents with threats reported before or at this time false string
    threatHidden Include only Agents with at least one hidden threat false boolean
    threatMitigationStatus Include only Agents that have threats with this mitigation status false enum
    threatRebootRequired Has at least one threat with at least one mitigation action pending reboot to succeed false boolean []
    threatResolved Include only Agents with at least one resolved threat false boolean
    totalMemory__between Total memory range (GB, inclusive) false string
    totalMemory__gt Memory size (MB, more than) false integer
    totalMemory__gte Memory size (MB, more than or equal) false integer
    totalMemory__lt Memory size (MB, less than) false integer
    totalMemory__lte Memory size (MB, less than or equal) false integer
    updatedAt__between Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    updatedAt__gt Agents updated after this timestamp false string
    updatedAt__gte Agents updated after or at this timestamp false string
    updatedAt__lt Agents updated before this timestamp false string
    updatedAt__lte Agents updated before or at this timestamp false string
    userActionsNeeded Included pending user actions false string []
    userActionsNeededNin Excluded pending user actions false string []
    uuid Agent's universally unique identifier false string
    uuid__contains Free-text filter by Agent UUID (supports multiple values) false string []
    uuids A list of included UUIDs false string []

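
Because an empty filter applies Broadcast Message to all applicable Agents and the message is capped at 140 characters, a client-side check before the POST is worthwhile. The sketch below is an added example, not SentinelOne code; the function names, the `allow_all_agents` switch and the `expected_max` bound are assumptions, and the response dictionaries are constructed.

```python
import json

BROADCAST_PATH = "/web/api/v2.1/agents/actions/broadcast"
MAX_MESSAGE_CHARS = 140  # "The message must be 140 characters or less."


def build_broadcast_body(message, agent_filter, allow_all_agents=False):
    """Return the JSON body for Broadcast Message, or raise ValueError.

    agent_filter uses the Body Schema filter names (siteIds, groupIds, ...).
    """
    if not isinstance(message, str) or not message.strip():
        raise ValueError("message must be a non-empty string")
    if len(message) > MAX_MESSAGE_CHARS:
        raise ValueError(
            f"message is {len(message)} characters; the limit is {MAX_MESSAGE_CHARS}"
        )
    # Drop unset entries so a filter made only of None or empty values is
    # recognised as empty (this pruning is the example's own choice).
    cleaned = {
        key: value
        for key, value in agent_filter.items()
        if value is not None and value != "" and value != [] and value != ()
    }
    if not cleaned and not allow_all_agents:
        raise ValueError(
            "empty filter targets all applicable Agents; "
            "pass allow_all_agents=True to confirm"
        )
    return {"data": {"message": message}, "filter": cleaned}


def affected_count(response, expected_max):
    """Read data.affected and fail loudly if more Agents matched than planned."""
    if response.get("errors"):
        raise RuntimeError(f"API returned errors: {response['errors']}")
    affected = (response.get("data") or {}).get("affected")
    if not isinstance(affected, int):
        raise RuntimeError("response has no integer data.affected")
    if affected > expected_max:
        raise RuntimeError(
            f"{affected} Agents affected, expected at most {expected_max}"
        )
    return affected


if __name__ == "__main__":
    body = build_broadcast_body(
        "IT notice: this endpoint will restart at 18:00. Please save your work.",
        {"siteIds": ["225494730938493804"], "groupIds": []},
    )
    print("POST", BROADCAST_PATH)
    print(json.dumps(body, indent=2))
    # Constructed response in the shape of the Response Schema.
    print(affected_count({"data": {"affected": 12}, "errors": None}, expected_max=50))
```
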
Connect to Network
POST /web/api/v2.1/agents/actions/connect

After you run "disconnect from network" on endpoints, analyze the issue, and mitigate threats, use this command to reconnect all endpoints that match the filter to the network. To learn more, see "Disconnect from Network".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permissions to perform the requested action

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    affected Number of entities affected by the requested operation false integer
errors Errors false array

Body Schema
Name Description Required Value
filter Applied filter true Name Description Required Value
- only
matched accountIds List of false string []
Agents will Account IDs
be affected to filter by
by the activeThreats Include false integer
requested Agents with
action. Leave this amount
empty to of active
apply the threats
action on all
applicable activeThreats Include false integer
Agents. __gt Agents with
at least this
amount of
active threats
adComputerM Free-text false string []
ember__conta filter by
ins Active
Directory
computer
groups string
(supports
multiple
values)
adComputerN Free-text false string []
ame__contain filter by
s Active
Directory
computer
name string
(supports
multiple
values)
adComputerQ Free-text false string []
uery__contain filter by
s Active
Directory
computer
name or its
groups

116
(supports
multiple
values)
adQuery An Active false string
Directory
query string
adQuery__con Free-text false string []
tains filter by
Active
Directory
string
(supports
multiple
values)
adUserMembe Free-text false string []
r__contains filter by
Active
Directory
user groups
string
(supports
multiple
values)
adUserName_ Free-text false string []
_contains filter by
Active
Directory
username
string
(supports
multiple
values)
adUserQuery_ Free-text false string []
_contains filter by
Active
Directory
computer
name or its
groups
(supports
multiple
values)
agentNamespa Free-text false string []

117
ce__contains filter by agent
namespace
(supports
multiple
values)
agentPodNam Free-text false string []
e__contains filter by agent
pod name
(supports
multiple
values)
agentVersion Version range false string
__between for agent
version
(format:
<from_versio
n>-
<to_version>,
inclusive)
agentVersion_ Agents false string
_gt versions
greater than
given version
agentVersion Agents false string
__gte versions
greater than
or equal to
given version
agentVersion_ Agents false string
_lt versions less
than given
version
agentVersion_ Agents false string
_lte versions less
than or equal
to given
version
agentVersion Agent false string []
s versions to
include
agentVersion Agent false string []
sNin versions not

118
to include
appsVulnerabi Apps false string []
lityStatuses vulnerability
status in
appsVulnerabi Apps false string []
lityStatusesN vulnerability
in status nin
awsRole__con Free-text false string []
tains filter by aws
role(supports
multiple
values)
awsSecurityG Free-text false string []
roups__conta filter by aws
ins securityGroup
s(supports
multiple
values)
awsSubnetIds Free-text false string []
__contains filter by aws
subnet ids
(supports
multiple
values)
azureResourc Free-text false string []
eGroup__cont filter by azure
ains resource
group(support
s multiple
values)
cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
cloudProvider | Agents from which cloud provider | false | string []
cloudProviderNin | Exclude Agents from these cloud provider | false | string []
cloudTags__contains | Free-text filter by cloud tags (supports multiple values) | false | string []
clusterName__contains | Free-text filter by cluster name (supports multiple values) | false | string []
computerName | Computer name | false | string
computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
computerName__like | Match computer name partially (substring) | false | string
consoleMigrationStatuses | Migration status in | false | string []
consoleMigrationStatusesNin | Migration status nin | false | string []
coreCount__between | Possible number of CPU cores (inclusive) | false | string
coreCount__gt | CPU cores (more than) | false | integer
coreCount__gte | CPU cores (more than or equal) | false | integer
coreCount__lt | CPU cores (less than) | false | integer
coreCount__lte | CPU cores (less than or equal) | false | integer
cpuCount__between | Possible number of CPU cores (inclusive) | false | string
cpuCount__gt | Number of CPUs (more than) | false | integer
cpuCount__gte | Number of CPUs (more than or equal) | false | integer
cpuCount__lt | Number of CPUs (less than) | false | integer
cpuCount__lte | Number of CPUs (less than or equal) | false | integer
cpuId__contains | Free-text filter by CPU name (supports multiple values) | false | string []
createdAt__between | Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
createdAt__gt | Agents created after this timestamp | false | string
createdAt__gte | Agents created after or at this timestamp | false | string
createdAt__lt | Agents created before this timestamp | false | string
createdAt__lte | Agents created before or at this timestamp | false | string
csvFilterId | The ID of the CSV file to filter by | false | string
decommissionedAt__between | Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
decommissionedAt__gt | Agents decommissioned after this timestamp | false | string
decommissionedAt__gte | Agents decommissioned after or at this timestamp | false | string
decommissionedAt__lt | Agents decommissioned before this timestamp | false | string
decommissionedAt__lte | Agents decommissioned before this timestamp | false | string
domains | Included network domains | false | string []
domainsNin | Not included network domains | false | string []
encryptedApplications | Disk encryption status | false | boolean
externalId__contains | Free-text filter by external ID (Customer ID) | false | string []
externalIp__contains | Free-text filter by visible IP (supports multiple values) | false | string []
filteredGroupIds | List of Group IDs to filter by | false | string []
filteredSiteIds | List of Site IDs to filter by | false | string []
filterId | Include all Agents matching this saved filter | false | string
firewallEnabled | The agents supports Firewall Control and it is enabled for the agent's group | false | boolean []
gatewayIp | Gateway ip | false | string
gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
groupIds | List of Group IDs to filter by | false | string []
hasContainerizedWorkload | Include only Agents protecting containerized workloads | false | boolean
hasLocalConfiguration | Agent has a local configuration set | false | boolean
hasTags | Include only Agents that have any tags assigned if True, or none if False | false | boolean
ids | A list of Agent IDs | false | string []
infected | Include only Agents with at least one active threat | false | boolean
installerTypes | Include only Agents installed with these package types | false | string []
installerTypesNin | Exclude Agents installed with these package types | false | string []
isActive | Include only active Agents | false | boolean
isDecommissioned | Include active, decommissioned or both | false | boolean []
isPendingUninstall | Include only Agents with pending uninstall requests | false | boolean
isUninstalled | Include installed, uninstalled or both | false | boolean []
isUpToDate | Include only Agents with updated software | false | boolean
k8sNodeLabels__contains | Free-text filter by K8s node labels (supports multiple values) | false | string []
k8sNodeName__contains | Free-text filter by K8s node name (supports multiple values) | false | string []
k8sType__contains | Free-text filter by K8s type (supports multiple values) | false | string []
k8sVersion__contains | Free-text filter by K8s version (supports multiple values) | false | string []
lastActiveDate__between | Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
lastActiveDate__gt | Agents last active after this time | false | string
lastActiveDate__gte | Agents last active after or at this time | false | string
lastActiveDate__lt | Agents last active before this time | false | string
lastActiveDate__lte | Agents last active before or at this time | false | string
lastLoggedInUserName__contains | Free-text filter by username (supports multiple values) | false | string []
lastSuccessfulScanDate__between | Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
lastSuccessfulScanDate__gt | Agents last successful full disk scan after this time | false | string
lastSuccessfulScanDate__gte | Agents last successful full disk scan after or at this time | false | string
lastSuccessfulScanDate__lt | Agents last successful full disk scan before this time | false | string
lastSuccessfulScanDate__lte | Agents last successful full disk scan before or at this time | false | string
liveUpdateId__contains | Free-text filter by live update ID (supports multiple values) | false | string []
locationEnabled | The agents supports Location Awareness and it is enabled for the agent's group | false | boolean []
locationIds | Include only Agents reporting these locations | false | string []
locationIdsNin | Do not include only Agents reporting these locations | false | string []
machineTypes | Included machine types | false | string []
machineTypesNin | Not included machine types | false | string []
migrationStatus | Migration status | false | enum
missingPermissions | Included missing permissions | false | string []
missingPermissionsNin | Excluded missing permissions | false | string []
mitigationMode | Agent mitigation mode policy | false | enum
mitigationModeSuspicious | Mitigation mode policy for suspicious activity | false | enum
networkInterfaceGatewayMacAddress__contains | Free-text filter by Gateway MAC address (supports multiple values) | false | string []
networkInterfaceInet__contains | Free-text filter by local IP (supports multiple values) | false | string []
networkInterfacePhysical__contains | Free-text filter by MAC address (supports multiple values) | false | string []
networkQuarantineEnabled | The agents supports Network Quarantine Control and its enabled for the agent's group | false | boolean []
networkStatuses | Included network statuses | false | string []
networkStatusesNin | Included network statuses | false | string []
operationalStates | Agent operational state | false | string []
operationalStatesNin | Do not include these Agent operational states | false | string []
osArch | OS architecture | false | enum
osTypes | Included OS types | false | string []
osTypesNin | Not included OS types | false | string []
osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
query | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string
rangerStatus | [DEPRECATED] Use rangerStatuses. | false | enum
rangerStatuses | Status of Ranger | false | string []
rangerStatusesNin | Do not include these Ranger Statuses | false | string []
rangerVersions | Ranger versions to include | false | string []
rangerVersionsNin | Ranger versions not to include | false | string []
registeredAt__between | Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
registeredAt__gt | Agents registered after this time | false | string
registeredAt__gte | Agents registered after or at this time | false | string
registeredAt__lt | Agents registered before this time | false | string
registeredAt__lte | Agents registered before or at this time | false | string
remoteOpsForensicsSupported | Include only agents that has Remote Ops Forensics feature supported | false | boolean
remoteProfilingStates | Agent remote profiling state | false | string []
remoteProfilingStatesNin | Do not include these Agent remote profiling states | false | string []
rsoLevel | Supported Remote Script Orchestration level | false | enum
scanStatus | Scan status | false | enum
scanStatuses | Included scan statuses | false | string []
scanStatusesNin | Not included scan statuses | false | string []
serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
siteIds | List of Site IDs to filter by | false | string []
tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
threatContentHash | Include only Agents that have at least one threat with this content hash | false | string
threatCreatedAt__between | Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
threatCreatedAt__gt | Agents with threats reported after this time | false | string
threatCreatedAt__gte | Agents with threats reported after or at this time | false | string
threatCreatedAt__lt | Agents with threats reported before this time | false | string
threatCreatedAt__lte | Agents with threats reported before or at this time | false | string
threatHidden | Include only Agents with at least one hidden threat | false | boolean
threatMitigationStatus | Include only Agents that have threats with this mitigation status | false | enum
threatRebootRequired | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean []
threatResolved | Include only Agents with at least one resolved threat | false | boolean
totalMemory__between | Total memory range (GB, inclusive) | false | string
totalMemory__gt | Memory size (MB, more than) | false | integer
totalMemory__gte | Memory size (MB, more than or equal) | false | integer
totalMemory__lt | Memory size (MB, less than) | false | integer
totalMemory__lte | Memory size (MB, less than or equal) | false | integer
updatedAt__between | Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
updatedAt__gt | Agents updated after this timestamp | false | string
updatedAt__gte | Agents updated after or at this timestamp | false | string
updatedAt__lt | Agents updated before this timestamp | false | string
updatedAt__lte | Agents updated before or at this timestamp | false | string
userActionsNeeded | Included pending user actions | false | string []
userActionsNeededNin | Excluded pending user actions | false | string []
uuid | Agent's universally unique identifier | false | string
uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
uuids | A list of included UUIDs | false | string []

data Data false

Fetch Logs
POST /web/api/v2.1/agents/actions/fetch-logs

Get the Agent and Endpoint logs from Agents that match the filter.
The Agent logs are encrypted and only Support can read them.
The Endpoint logs, for operations on the computers, laptops, or servers that have the Agent installed, are readable. The Endpoint logs are available for Windows endpoints only and require Agent version 3.6 or later.
After you run this command, download the fetched logs. You can download the logs from the Console GUI or collect them.
On Windows: C:\ProgramData\Sentinel\logs.
On macOS: Run sudo sentinelctl logreport and get the log files on the desktop.
On Linux: Run sudo /opt/sentinelone/bin/sentinelctl log generate.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permissions to perform the requested action

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields, listed below)
errors | Errors | false | array

Fields of data:
Name | Description | Required | Value
affected | Number of entities affected by the requested operation | false | integer

Body Schema
Name | Description | Required | Value
filter | Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents. | true | (nested fields, listed below)

Fields of filter:
Name | Description | Required | Value
accountIds | List of Account IDs to filter by | false | string []
activeThreats | Include Agents with this amount of active threats | false | integer
activeThreats__gt | Include Agents with at least this amount of active threats | false | integer
adComputerMember__contains | Free-text filter by Active Directory computer groups string (supports multiple values) | false | string []
adComputerName__contains | Free-text filter by Active Directory computer name string (supports multiple values) | false | string []
adComputerQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
adQuery | An Active Directory query string | false | string
adQuery__contains | Free-text filter by Active Directory string (supports multiple values) | false | string []
adUserMember__contains | Free-text filter by Active Directory user groups string (supports multiple values) | false | string []
adUserName__contains | Free-text filter by Active Directory username string (supports multiple values) | false | string []
adUserQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
agentNamespace__contains | Free-text filter by agent namespace (supports multiple values) | false | string []
agentPodName__contains | Free-text filter by agent pod name (supports multiple values) | false | string []
agentVersion__between | Version range for agent version (format: <from_version>-<to_version>, inclusive) | false | string
agentVersion__gt | Agents versions greater than given version | false | string
agentVersion__gte | Agents versions greater than or equal to given version | false | string
agentVersion__lt | Agents versions less than given version | false | string
agentVersion__lte | Agents versions less than or equal to given version | false | string
agentVersions | Agent versions to include | false | string []
agentVersionsNin | Agent versions not to include | false | string []
appsVulnerabilityStatuses | Apps vulnerability status in | false | string []
appsVulnerabilityStatusesNin | Apps vulnerability status nin | false | string []
awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
cloudProvider | Agents from which cloud provider | false | string []
cloudProviderNin | Exclude Agents from these cloud provider | false | string []
cloudTags__contains | Free-text filter by cloud tags (supports multiple values) | false | string []
clusterName__contains | Free-text filter by cluster name (supports multiple values) | false | string []
computerName | Computer name | false | string
computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
computerName__like | Match computer name partially (substring) | false | string
consoleMigrationStatuses | Migration status in | false | string []
consoleMigrationStatusesNin | Migration status nin | false | string []
coreCount__between | Possible number of CPU cores (inclusive) | false | string
coreCount__gt | CPU cores (more than) | false | integer
coreCount__gte | CPU cores (more than or equal) | false | integer
coreCount__lt | CPU cores (less than) | false | integer
coreCount__lte | CPU cores (less than or equal) | false | integer
cpuCount__between | Possible number of CPU cores (inclusive) | false | string
cpuCount__gt | Number of CPUs (more than) | false | integer
cpuCount__gte | Number of CPUs (more than or equal) | false | integer
cpuCount__lt | Number of CPUs (less than) | false | integer
cpuCount__lte | Number of CPUs (less than or equal) | false | integer
cpuId__contains | Free-text filter by CPU name (supports multiple values) | false | string []
createdAt__between | Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
createdAt__gt | Agents created after this timestamp | false | string
createdAt__gte | Agents created after or at this timestamp | false | string
createdAt__lt | Agents created before this timestamp | false | string
createdAt__lte | Agents created before or at this timestamp | false | string
csvFilterId | The ID of the CSV file to filter by | false | string
decommissionedAt__between | Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
decommissionedAt__gt | Agents decommissioned after this timestamp | false | string
decommissionedAt__gte | Agents decommissioned after or at this timestamp | false | string
decommissionedAt__lt | Agents decommissioned before this timestamp | false | string
decommissionedAt__lte | Agents decommissioned before this timestamp | false | string
domains | Included network domains | false | string []
domainsNin | Not included network domains | false | string []
encryptedApplications | Disk encryption status | false | boolean
externalId__contains | Free-text filter by external ID (Customer ID) | false | string []
externalIp__contains | Free-text filter by visible IP (supports multiple values) | false | string []
filteredGroupIds | List of Group IDs to filter by | false | string []
filteredSiteIds | List of Site IDs to filter by | false | string []
filterId | Include all Agents matching this saved filter | false | string
firewallEnabled | The agents supports Firewall Control and it is enabled for the agent's group | false | boolean []
gatewayIp | Gateway ip | false | string
gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
groupIds | List of Group IDs to filter by | false | string []
hasContainerizedWorkload | Include only Agents protecting containerized workloads | false | boolean
hasLocalConfiguration | Agent has a local configuration set | false | boolean
hasTags | Include only Agents that have any tags assigned if True, or none if False | false | boolean
ids | A list of Agent IDs | false | string []
infected | Include only Agents with at least one active threat | false | boolean
installerTypes | Include only Agents installed with these package types | false | string []
installerTypesNin | Exclude Agents installed with these package types | false | string []
isActive | Include only active Agents | false | boolean
isDecommissioned | Include active, decommissioned or both | false | boolean []
isPendingUninstall | Include only Agents with pending uninstall requests | false | boolean
isUninstalled | Include installed, uninstalled or both | false | boolean []
isUpToDate | Include only Agents with updated software | false | boolean
k8sNodeLabels__contains | Free-text filter by K8s node labels (supports multiple values) | false | string []
k8sNodeName__contains | Free-text filter by K8s node name (supports multiple values) | false | string []
k8sType__contains | Free-text filter by K8s type (supports multiple values) | false | string []
k8sVersion__contains | Free-text filter by K8s version (supports multiple values) | false | string []
lastActiveDate__between | Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
lastActiveDate__gt | Agents last active after this time | false | string
lastActiveDate__gte | Agents last active after or at this time | false | string
lastActiveDate__lt | Agents last active before this time | false | string
lastActiveDate__lte | Agents last active before or at this time | false | string
lastLoggedInUserName__contains | Free-text filter by username (supports multiple values) | false | string []
lastSuccessfulScanDate__between | Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
lastSuccessfulScanDate__gt | Agents last successful full disk scan after this time | false | string
lastSuccessfulScanDate__gte | Agents last successful full disk scan after or at this time | false | string
lastSuccessfulScanDate__lt | Agents last successful full disk scan before this time | false | string
lastSuccessfulScanDate__lte | Agents last successful full disk scan before or at this time | false | string
liveUpdateId__contains | Free-text filter by live update ID (supports multiple values) | false | string []
locationEnabled | The agents supports Location Awareness and it is enabled for the agent's group | false | boolean []
locationIds | Include only Agents reporting these locations | false | string []
locationIdsNin | Do not include only Agents reporting these locations | false | string []
machineTypes | Included machine types | false | string []
machineTypesNin | Not included machine types | false | string []
migrationStatus | Migration status | false | enum
missingPermissions | Included missing permissions | false | string []
missingPermissionsNin | Excluded missing permissions | false | string []
mitigationMode | Agent mitigation mode policy | false | enum
mitigationModeSuspicious | Mitigation mode policy for suspicious activity | false | enum
networkInterfaceGatewayMacAddress__contains | Free-text filter by Gateway MAC address (supports multiple values) | false | string []
networkInterfaceInet__contains | Free-text filter by local IP (supports multiple values) | false | string []
networkInterfacePhysical__contains | Free-text filter by MAC address (supports multiple values) | false | string []
networkQuarantineEnabled | The agents supports Network Quarantine Control and its enabled for the agent's group | false | boolean []
networkStatuses | Included network statuses | false | string []
networkStatusesNin | Included network statuses | false | string []
operationalStates | Agent operational state | false | string []
operationalStatesNin | Do not include these Agent operational states | false | string []
osArch | OS architecture | false | enum
osTypes | Included OS types | false | string []
osTypesNin | Not included OS types | false | string []
osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
query | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string
rangerStatus | [DEPRECATED] Use rangerStatuses. | false | enum
rangerStatuses | Status of Ranger | false | string []
rangerStatusesNin | Do not include these Ranger Statuses | false | string []
rangerVersions | Ranger versions to include | false | string []
rangerVersionsNin | Ranger versions not to include | false | string []
registeredAt__between | Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
registeredAt__gt | Agents registered after this time | false | string
registeredAt__gte | Agents registered after or at this time | false | string
registeredAt__lt | Agents registered before this time | false | string
registeredAt__lte | Agents registered before or at this time | false | string
remoteOpsForensicsSupported | Include only agents that has Remote Ops Forensics feature supported | false | boolean
remoteProfilingStates | Agent remote profiling state | false | string []
remoteProfilingStatesNin | Do not include these Agent remote profiling states | false | string []
rsoLevel | Supported Remote Script Orchestration level | false | enum
scanStatus | Scan status | false | enum
scanStatuses | Included scan statuses | false | string []
scanStatusesNin | Not included scan statuses | false | string []
serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
siteIds | List of Site IDs to filter by | false | string []
tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
threatContentHash | Include only Agents that have at least one threat with this content hash | false | string
threatCreatedAt__between | Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
threatCreatedAt__gt | Agents with threats reported after this time | false | string
threatCreatedAt__gte | Agents with threats reported after or at this time | false | string
threatCreatedAt__lt | Agents with threats reported before this time | false | string
threatCreatedAt__lte | Agents with threats reported before or at this time | false | string
threatHidden | Include only Agents with at least one hidden threat | false | boolean
threatMitigationStatus | Include only Agents that have threats with this mitigation status | false | enum
threatRebootRequired | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean []
threatResolved | Include only Agents with at least one resolved threat | false | boolean
totalMemory__between | Total memory range (GB, inclusive) | false | string
totalMemory__gt | Memory size (MB, more than) | false | integer
totalMemory__gte | Memory size (MB, more than or equal) | false | integer
totalMemory__lt | Memory size (MB, less than) | false | integer
totalMemory__lte | Memory size (MB, less than or equal) | false | integer
updatedAt__between | Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
updatedAt__gt | Agents updated after this timestamp | false | string
updatedAt__gte | Agents updated after or at this timestamp | false | string
updatedAt__lt | Agents updated before this timestamp | false | string
updatedAt__lte | Agents updated before or at this timestamp | false | string
userActionsNeeded | Included pending user actions | false | string []
userActionsNeededNin | Excluded pending user actions | false | string []
uuid | Agent's universally unique identifier | false | string
uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
uuids | A list of included UUIDs | false | string []

data | Data | false | (nested fields, listed below)

Fields of data:
Name | Description | Required | Value
agentLogs | Fetch Agent logs | false | boolean
customerFacingLogs | Fetch customer-facing logs | false | boolean
platformLogs | Actively fetch logs from the relevant platform: windows/mac/linux | false | boolean
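
The Fetch Logs body schema above, turned into a request-body builder as an added example (not code from the SentinelOne documentation): it checks filter values against the types the table lists and refuses an empty filter unless the caller opts in, because an empty filter applies the action to all applicable Agents. The function names, the modelling of `string []` as a JSON array, and the sample IDs are assumptions; no request is sent.

```python
import json

FETCH_LOGS_PATH = "/web/api/v2.1/agents/actions/fetch-logs"

# A subset of the filter fields in the Body Schema, with the value type the
# table gives for each. "string []" is treated as a JSON array of strings,
# which is an assumption about the wire encoding.
FILTER_TYPES = {
    "accountIds": "string[]",
    "siteIds": "string[]",
    "groupIds": "string[]",
    "ids": "string[]",
    "uuids": "string[]",
    "osTypes": "string[]",
    "computerName__contains": "string[]",
    "computerName__like": "string",
    "uuid": "string",
    "agentVersion__gte": "string",
    "activeThreats__gt": "integer",
    "infected": "boolean",
    "isActive": "boolean",
    "isUpToDate": "boolean",
}


class FilterError(ValueError):
    """Raised when a request body would be malformed or broader than intended."""


def check_filter_value(name, value):
    """Validate one filter entry against the documented type; raise on mismatch."""
    kind = FILTER_TYPES.get(name)
    if kind is None:
        raise FilterError(f"unknown or unlisted filter field: {name}")
    if kind == "string[]":
        ok = (isinstance(value, list) and len(value) > 0
              and all(isinstance(v, str) and v for v in value))
    elif kind == "string":
        ok = isinstance(value, str) and value != ""
    elif kind == "integer":
        # bool is a subclass of int in Python, so exclude it explicitly.
        ok = isinstance(value, int) and not isinstance(value, bool)
    else:  # boolean
        ok = isinstance(value, bool)
    if not ok:
        raise FilterError(f"{name} expects {kind}, got {value!r}")


def build_fetch_logs_body(agent_filter, agent_logs=False, customer_facing_logs=False,
                          platform_logs=False, allow_all_agents=False):
    """Return the JSON-serialisable body for the fetch-logs action."""
    agent_filter = dict(agent_filter or {})
    if not agent_filter and not allow_all_agents:
        # Per the schema, an empty filter applies the action to all applicable Agents.
        raise FilterError("empty filter would target every applicable Agent")
    for name, value in agent_filter.items():
        check_filter_value(name, value)
    if not (agent_logs or customer_facing_logs or platform_logs):
        # Local sanity check, not an API rule: all three flags are optional.
        raise FilterError("no log type selected")
    return {
        "filter": agent_filter,
        "data": {
            "agentLogs": agent_logs,
            "customerFacingLogs": customer_facing_logs,
            "platformLogs": platform_logs,
        },
    }


def affected_count(status_code, response_text):
    """Read data.affected from a response; raise with the errors array otherwise."""
    payload = json.loads(response_text) if response_text else {}
    if status_code != 200 or payload.get("errors"):
        raise RuntimeError(f"HTTP {status_code}: {payload.get('errors')}")
    return payload["data"]["affected"]


if __name__ == "__main__":
    # The site ID is a constructed placeholder.
    body = build_fetch_logs_body(
        {"siteIds": ["1000000000000000001"], "isActive": True},
        customer_facing_logs=True,
    )
    print("POST", FETCH_LOGS_PATH)
    print(json.dumps(body, indent=2))
    # Constructed sample response following the Response Schema.
    print(affected_count(200, '{"data": {"affected": 3}}'))
```

The same `filter` object is used by the other Agent actions on this page, so the scoping check carries over to them unchanged.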

Initiate Scan
POST /web/api/v2.1/agents/actions/initiate-scan

Use this command to run a Full Disk Scan on Agents that match the filter.
Full Disk Scan finds dormant suspicious activity, threats, and compliance violations, that are then mitigated according to the policy. It scans the local file system.
Full Disk Scan does not inspect drives that require user credentials (such as network drives) or external drives.
Full Disk Scan does not work on hashes. It does not check each file against the blocklist.
If the Static AI determines a file is suspicious, the Agent calculates its hash and sees if the hash is in the blocklist. If a file is executed, all aspects of the process are inspected, including hash-based analysis and blocklist checks.
Full Disk Scan can run when the endpoint is offline, but when it is connected to the Management, it can use the most updated Cloud data to improve detection.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permissions to perform the requested action

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields, listed below)
errors | Errors | false | array

Fields of data:
Name | Description | Required | Value
affected | Number of entities affected by the requested operation | false | integer

Body Schema
Name | Description | Required | Value
filter | Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents. | true | (nested fields, listed below)

Fields of filter:
Name | Description | Required | Value
accountIds | List of Account IDs to filter by | false | string []
activeThreats | Include Agents with this amount of active threats | false | integer
activeThreats__gt | Include Agents with at least this amount of active threats | false | integer
adComputerMember__contains | Free-text filter by Active Directory computer groups string (supports multiple values) | false | string []
adComputerName__contains | Free-text filter by Active Directory computer name string (supports multiple values) | false | string []
adComputerQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
adQuery | An Active Directory query string | false | string
adQuery__contains | Free-text filter by Active Directory string (supports multiple values) | false | string []
adUserMember__contains | Free-text filter by Active Directory user groups string (supports multiple values) | false | string []
adUserName__contains | Free-text filter by Active Directory username string (supports multiple values) | false | string []
adUserQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
agentNamespace__contains | Free-text filter by agent namespace (supports multiple values) | false | string []
agentPodName__contains | Free-text filter by agent pod name (supports multiple values) | false | string []
agentVersion__between | Version range for agent version (format: <from_version>-<to_version>, inclusive) | false | string
agentVersion__gt | Agents versions greater than given version | false | string
agentVersion__gte | Agents versions greater than or equal to given version | false | string
agentVersion__lt | Agents versions less than given version | false | string
agentVersion__lte | Agents versions less than or equal to given version | false | string
agentVersions | Agent versions to include | false | string []
agentVersionsNin | Agent versions not to include | false | string []
appsVulnerabilityStatuses | Apps vulnerability status in | false | string []
appsVulnerabilityStatusesNin | Apps vulnerability status nin | false | string []
awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
cloudProvider | Agents from which cloud provider | false | string []
cloudProviderNin | Exclude Agents from these cloud provider | false | string []
cloudTags__contains | Free-text filter by cloud tags (supports multiple values) | false | string []
clusterName__contains | Free-text filter by cluster name (supports multiple values) | false | string []
computerName | Computer name | false | string
computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
computerName__like | Match computer name partially (substring) | false | string
consoleMigrationStatuses | Migration status in | false | string []
consoleMigrationStatusesNin | Migration status nin | false | string []
coreCount__between | Possible number of CPU cores (inclusive) | false | string
coreCount__gt | CPU cores (more than) | false | integer
coreCount__gte | CPU cores (more than or equal) | false | integer
coreCount__lt | CPU cores (less than) | false | integer
coreCount__lte | CPU cores (less than or equal) | false | integer
cpuCount__between | Possible number of CPU cores (inclusive) | false | string
cpuCount__gt | Number of CPUs (more than) | false | integer
cpuCount__gte | Number of CPUs (more than or equal) | false | integer
cpuCount__lt | Number of CPUs (less than) | false | integer
cpuCount__lte | Number of CPUs (less than or equal) | false | integer
cpuId__contains | Free-text filter by CPU name (supports multiple values) | false | string []
createdAt__between | Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
createdAt__gt | Agents created after this timestamp | false | string
createdAt__gte | Agents created after or at this timestamp | false | string
createdAt__lt | Agents created before this timestamp | false | string
createdAt__lte | Agents created before or at this timestamp | false | string
csvFilterId | The ID of the CSV file to filter by | false | string
decommissio Date range false string
nedAt__betw for
een decommission
time (format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
decommission Agents false string
edAt__gt decommission
ed after this
timestamp
decommission Agents false string
edAt__gte decommission
ed after or at
this
timestamp
decommission Agents false string
edAt__lt decommission
ed before this
timestamp
decommission Agents false string
edAt__lte decommission
ed before this
timestamp
domains Included false string []
network
domains
domainsNin Not included false string []
network
domains
encryptedAppl Disk false boolean
ications encryption
status
externalId__c Free-text false string []
ontains filter by
external ID
(Customer ID)
externalIp__c Free-text false string []
ontains filter by
visible IP
(supports

166
multiple
values)
filteredGroupIds List of Group IDs to filter by false string []
filteredSiteIds List of Site IDs to filter by false string []
filterId Include all Agents matching this saved filter false string
firewallEnabled The Agent supports Firewall Control and it is enabled for the Agent's group false boolean []
gatewayIp Gateway IP false string
gcpServiceAccount__contains Free-text filter by gcp service account (supports multiple values) false string []
groupIds List of Group IDs to filter by false string []
hasContainerizedWorkload Include only Agents protecting containerized workloads false boolean
hasLocalConfiguration Agent has a local configuration set false boolean
hasTags Include only Agents that have any tags assigned if True, or none if False false boolean
ids A list of Agent IDs false string []
infected Include only Agents with at least one active threat false boolean
installerTypes Include only Agents installed with these package types false string []
installerTypesNin Exclude Agents installed with these package types false string []
isActive Include only active Agents false boolean
isDecommissioned Include active, decommissioned or both false boolean []
isPendingUninstall Include only Agents with pending uninstall requests false boolean
isUninstalled Include installed, uninstalled or both false boolean []
isUpToDate Include only Agents with updated software false boolean
k8sNodeLabels__contains Free-text filter by K8s node labels (supports multiple values) false string []
k8sNodeName__contains Free-text filter by K8s node name (supports multiple values) false string []
k8sType__contains Free-text filter by K8s type (supports multiple values) false string []
k8sVersion__contains Free-text filter by K8s version (supports multiple values) false string []
lastActiveDate__between Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) false string
lastActiveDate__gt Agents last active after this time false string
lastActiveDate__gte Agents last active after or at this time false string
lastActiveDate__lt Agents last active before this time false string
lastActiveDate__lte Agents last active before or at this time false string
lastLoggedInUserName__contains Free-text filter by username (supports multiple values) false string []
lastSuccessfulScanDate__between Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) false string
lastSuccessfulScanDate__gt Agents last successful full disk scan after this time false string
lastSuccessfulScanDate__gte Agents last successful full disk scan after or at this time false string
lastSuccessfulScanDate__lt Agents last successful full disk scan before this time false string
lastSuccessfulScanDate__lte Agents last successful full disk scan before or at this time false string
liveUpdateId__contains Free-text filter by live update ID (supports multiple values) false string []
locationEnabled The Agent supports Location Awareness and it is enabled for the Agent's group false boolean []
locationIds Include only Agents reporting these locations false string []
locationIdsNin Do not include only Agents reporting these locations false string []
machineTypes Included machine types false string []
machineTypesNin Not included machine types false string []
migrationStatus Migration status false enum
missingPermissions Included missing permissions false string []
missingPermissionsNin Excluded missing permissions false string []
mitigationMode Agent mitigation mode policy false enum
mitigationModeSuspicious Mitigation mode policy for suspicious activity false enum
networkInterfaceGatewayMacAddress__contains Free-text filter by Gateway MAC address (supports multiple values) false string []
networkInterfaceInet__contains Free-text filter by local IP (supports multiple values) false string []
networkInterfacePhysical__contains Free-text filter by MAC address (supports multiple values) false string []
networkQuarantineEnabled The Agent supports Network Quarantine Control and it is enabled for the Agent's group false boolean []
networkStatuses Included network statuses false string []
networkStatusesNin Included network statuses false string []
operationalStates Agent operational state false string []
operationalStatesNin Do not include these Agent operational states false string []
osArch OS architecture false enum
osTypes Included OS types false string []
osTypesNin Not included OS types false string []
osVersion__contains Free-text filter by OS full name and version (supports multiple values) false string []
query A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). false string
rangerStatus [DEPRECATED] Use rangerStatuses. false enum
rangerStatuses Status of Ranger false string []
rangerStatusesNin Do not include these Ranger Statuses false string []
rangerVersions Ranger versions to include false string []
rangerVersionsNin Ranger versions not to include false string []
registeredAt__between Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
registeredAt__gt Agents registered after this time false string
registeredAt__gte Agents registered after or at this time false string
registeredAt__lt Agents registered before this time false string
registeredAt__lte Agents registered before or at this time false string
remoteOpsForensicsSupported Include only Agents that have the Remote Ops Forensics feature supported false boolean
remoteProfilingStates Agent remote profiling state false string []
remoteProfilingStatesNin Do not include these Agent remote profiling states false string []
rsoLevel Supported Remote Script Orchestration level false enum
scanStatus Scan status false enum
scanStatuses Included scan statuses false string []
scanStatusesNin Not included scan statuses false string []
serialNumber__contains Free-text filter by Serial Number (supports multiple values) false string []
siteIds List of Site IDs to filter by false string []
tagsData Filter Agents by their assigned tags. Given in the form of a JSON object where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use the __nin suffix in the tag key. false string
threatContentHash Include only Agents that have at least one threat with this content hash false string
threatCreatedAt__between Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) false string
threatCreatedAt__gt Agents with threats reported after this time false string
threatCreatedAt__gte Agents with threats reported after or at this time false string
threatCreatedAt__lt Agents with threats reported before this time false string
threatCreatedAt__lte Agents with threats reported before or at this time false string
threatHidden Include only Agents with at least one hidden threat false boolean
threatMitigationStatus Include only Agents that have threats with this mitigation status false enum
threatRebootRequired Has at least one threat with at least one mitigation action pending reboot to succeed false boolean []
threatResolved Include only Agents with at least one resolved threat false boolean
totalMemory__between Total memory range (GB, inclusive) false string
totalMemory__gt Memory size (MB, more than) false integer
totalMemory__gte Memory size (MB, more than or equal) false integer
totalMemory__lt Memory size (MB, less than) false integer
totalMemory__lte Memory size (MB, less than or equal) false integer
updatedAt__between Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
updatedAt__gt Agents updated after this timestamp false string
updatedAt__gte Agents updated after or at this timestamp false string
updatedAt__lt Agents updated before this timestamp false string
updatedAt__lte Agents updated before or at this timestamp false string
userActionsNeeded Included pending user actions false string []
userActionsNeededNin Excluded pending user actions false string []
uuid Agent's universally unique identifier false string
uuid__contains Free-text filter by Agent UUID (supports multiple values) false string []
uuids A list of included UUIDs false string []

data Data false

Abort Scan
POST /web/api/v2.1/agents/actions/abort-scan

Immediately stop a Full Disk Scan on all Agents that match the filter. See "Initiate scan" to learn more about Full Disk Scan.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permissions to perform the requested action

Response Schema
Name Description Required Value
data Response false Name Description Required Value
data
affected Number of false integer
entities
affected by
the requested
operation

errors Errors false array

Body Schema
Name Description Required Value
filter Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents. true (nested fields listed below)

Fields of filter:
Name Description Required Value
accountIds List of Account IDs to filter by false string []
activeThreats Include Agents with this amount of active threats false integer
activeThreats__gt Include Agents with at least this amount of active threats false integer
adComputerMember__contains Free-text filter by Active Directory computer groups string (supports multiple values) false string []
adComputerName__contains Free-text filter by Active Directory computer name string (supports multiple values) false string []
adComputerQuery__contains Free-text filter by Active Directory computer name or its groups (supports multiple values) false string []
adQuery An Active Directory query string false string
adQuery__contains Free-text filter by Active Directory string (supports multiple values) false string []
adUserMember__contains Free-text filter by Active Directory user groups string (supports multiple values) false string []
adUserName__contains Free-text filter by Active Directory username string (supports multiple values) false string []
adUserQuery__contains Free-text filter by Active Directory computer name or its groups (supports multiple values) false string []
agentNamespace__contains Free-text filter by agent namespace (supports multiple values) false string []
agentPodName__contains Free-text filter by agent pod name (supports multiple values) false string []
agentVersion__between Version range for agent version (format: <from_version>-<to_version>, inclusive) false string
agentVersion__gt Agent versions greater than given version false string
agentVersion__gte Agent versions greater than or equal to given version false string
agentVersion__lt Agent versions less than given version false string
agentVersion__lte Agent versions less than or equal to given version false string
agentVersions Agent versions to include false string []
agentVersionsNin Agent versions not to include false string []
appsVulnerabilityStatuses Apps vulnerability status in false string []
appsVulnerabilityStatusesNin Apps vulnerability status nin false string []
awsRole__contains Free-text filter by aws role (supports multiple values) false string []
awsSecurityGroups__contains Free-text filter by aws securityGroups (supports multiple values) false string []
awsSubnetIds__contains Free-text filter by aws subnet ids (supports multiple values) false string []
azureResourceGroup__contains Free-text filter by azure resource group (supports multiple values) false string []
cloudAccount__contains Free-text filter by cloud account (supports multiple values) false string []
cloudImage__contains Free-text filter by cloud image (supports multiple values) false string []
cloudInstanceId__contains Free-text filter by cloud instance id (supports multiple values) false string []
cloudInstanceSize__contains Free-text filter by cloud instance size (supports multiple values) false string []
cloudLocation__contains Free-text filter by cloud location (supports multiple values) false string []
cloudNetwork__contains Free-text filter by cloud network (supports multiple values) false string []
cloudProvider Agents from which cloud provider false string []
cloudProviderNin Exclude Agents from these cloud providers false string []
cloudTags__contains Free-text filter by cloud tags (supports multiple values) false string []
clusterName__contains Free-text filter by cluster name (supports multiple values) false string []
computerName Computer name false string
computerName__contains Free-text filter by computer name (supports multiple values) false string []
computerName__like Match computer name partially (substring) false string
consoleMigrationStatuses Migration status in false string []
consoleMigrationStatusesNin Migration status nin false string []
coreCount__between Possible number of CPU cores (inclusive) false string
coreCount__gt CPU cores (more than) false integer
coreCount__gte CPU cores (more than or equal) false integer
coreCount__lt CPU cores (less than) false integer
coreCount__lte CPU cores (less than or equal) false integer
cpuCount__between Possible number of CPU cores (inclusive) false string
cpuCount__gt Number of CPUs (more than) false integer
cpuCount__gte Number of CPUs (more than or equal) false integer
cpuCount__lt Number of CPUs (less than) false integer
cpuCount__lte Number of CPUs (less than or equal) false integer
cpuId__contains Free-text filter by CPU name (supports multiple values) false string []
createdAt__between Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
createdAt__gt Agents created after this timestamp false string
createdAt__gte Agents created after or at this timestamp false string
createdAt__lt Agents created before this timestamp false string
createdAt__lte Agents created before or at this timestamp false string
csvFilterId The ID of the CSV file to filter by false string
decommissionedAt__between Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
decommissionedAt__gt Agents decommissioned after this timestamp false string
decommissionedAt__gte Agents decommissioned after or at this timestamp false string
decommissionedAt__lt Agents decommissioned before this timestamp false string
decommissionedAt__lte Agents decommissioned before this timestamp false string
domains Included network domains false string []
domainsNin Not included network domains false string []
encryptedApplications Disk encryption status false boolean
externalId__contains Free-text filter by external ID (Customer ID) false string []
externalIp__contains Free-text filter by visible IP (supports multiple values) false string []
filteredGroupIds List of Group IDs to filter by false string []
filteredSiteIds List of Site IDs to filter by false string []
filterId Include all Agents matching this saved filter false string
firewallEnabled The Agent supports Firewall Control and it is enabled for the Agent's group false boolean []
gatewayIp Gateway IP false string
gcpServiceAccount__contains Free-text filter by gcp service account (supports multiple values) false string []
groupIds List of Group IDs to filter by false string []
hasContainerizedWorkload Include only Agents protecting containerized workloads false boolean
hasLocalConfiguration Agent has a local configuration set false boolean
hasTags Include only Agents that have any tags assigned if True, or none if False false boolean
ids A list of Agent IDs false string []
infected Include only Agents with at least one active threat false boolean
installerTypes Include only Agents installed with these package types false string []
installerTypesNin Exclude Agents installed with these package types false string []
isActive Include only active Agents false boolean
isDecommissioned Include active, decommissioned or both false boolean []
isPendingUninstall Include only Agents with pending uninstall requests false boolean
isUninstalled Include installed, uninstalled or both false boolean []
isUpToDate Include only Agents with updated software false boolean
k8sNodeLabels__contains Free-text filter by K8s node labels (supports multiple values) false string []
k8sNodeName__contains Free-text filter by K8s node name (supports multiple values) false string []
k8sType__contains Free-text filter by K8s type (supports multiple values) false string []
k8sVersion__contains Free-text filter by K8s version (supports multiple values) false string []
lastActiveDate__between Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) false string
lastActiveDate__gt Agents last active after this time false string
lastActiveDate__gte Agents last active after or at this time false string
lastActiveDate__lt Agents last active before this time false string
lastActiveDate__lte Agents last active before or at this time false string
lastLoggedInUserName__contains Free-text filter by username (supports multiple values) false string []
lastSuccessfulScanDate__between Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) false string
lastSuccessfulScanDate__gt Agents last successful full disk scan after this time false string
lastSuccessfulScanDate__gte Agents last successful full disk scan after or at this time false string
lastSuccessfulScanDate__lt Agents last successful full disk scan before this time false string
lastSuccessfulScanDate__lte Agents last successful full disk scan before or at this time false string
liveUpdateId__contains Free-text filter by live update ID (supports multiple values) false string []
locationEnabled The Agent supports Location Awareness and it is enabled for the Agent's group false boolean []
locationIds Include only Agents reporting these locations false string []
locationIdsNin Do not include only Agents reporting these locations false string []
machineTypes Included machine types false string []
machineTypesNin Not included machine types false string []
migrationStatus Migration status false enum
missingPermissions Included missing permissions false string []
missingPermissionsNin Excluded missing permissions false string []
mitigationMode Agent mitigation mode policy false enum
mitigationModeSuspicious Mitigation mode policy for suspicious activity false enum
networkInterfaceGatewayMacAddress__contains Free-text filter by Gateway MAC address (supports multiple values) false string []
networkInterfaceInet__contains Free-text filter by local IP (supports multiple values) false string []
networkInterfacePhysical__contains Free-text filter by MAC address (supports multiple values) false string []
networkQuarantineEnabled The Agent supports Network Quarantine Control and it is enabled for the Agent's group false boolean []
networkStatuses Included network statuses false string []
networkStatusesNin Included network statuses false string []
operationalStates Agent operational state false string []
operationalStatesNin Do not include these Agent operational states false string []
osArch OS architecture false enum
osTypes Included OS types false string []
osTypesNin Not included OS types false string []
osVersion__contains Free-text filter by OS full name and version (supports multiple values) false string []
query A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). false string
rangerStatus [DEPRECATED] Use rangerStatuses. false enum
rangerStatuses Status of Ranger false string []
rangerStatusesNin Do not include these Ranger Statuses false string []
rangerVersions Ranger versions to include false string []
rangerVersionsNin Ranger versions not to include false string []
registeredAt__between Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
registeredAt__gt Agents registered after this time false string
registeredAt__gte Agents registered after or at this time false string
registeredAt__lt Agents registered before this time false string
registeredAt__lte Agents registered before or at this time false string
remoteOpsForensicsSupported Include only Agents that have the Remote Ops Forensics feature supported false boolean
remoteProfilingStates Agent remote profiling state false string []
remoteProfilingStatesNin Do not include these Agent remote profiling states false string []
rsoLevel Supported Remote Script Orchestration level false enum
scanStatus Scan status false enum
scanStatuses Included scan statuses false string []
scanStatusesNin Not included scan statuses false string []
serialNumber__contains Free-text filter by Serial Number (supports multiple values) false string []
siteIds List of Site IDs to filter by false string []
tagsData Filter Agents by their assigned tags. Given in the form of a JSON object where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use the __nin suffix in the tag key. false string
threatContentHash Include only Agents that have at least one threat with this content hash false string
threatCreatedAt__between Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) false string
threatCreatedAt__gt Agents with threats reported after this time false string
threatCreatedAt__gte Agents with threats reported after or at this time false string
threatCreatedAt__lt Agents with threats reported before this time false string
threatCreatedAt__lte Agents with threats reported before or at this time false string
threatHidden Include only Agents with at least one hidden threat false boolean
threatMitigationStatus Include only Agents that have threats with this mitigation status false enum
threatRebootRequired Has at least one threat with at least one mitigation action pending reboot to succeed false boolean []
threatResolved Include only Agents with at least one resolved threat false boolean
totalMemory__between Total memory range (GB, inclusive) false string
totalMemory__gt Memory size (MB, more than) false integer
totalMemory__gte Memory size (MB, more than or equal) false integer
totalMemory__lt Memory size (MB, less than) false integer
totalMemory__lte Memory size (MB, less than or equal) false integer
updatedAt__between Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
updatedAt__gt Agents updated after this timestamp false string
updatedAt__gte Agents updated after or at this timestamp false string
updatedAt__lt Agents updated before this timestamp false string
updatedAt__lte Agents updated before or at this timestamp false string
userActionsNeeded Included pending user actions false string []
userActionsNeededNin Excluded pending user actions false string []
uuid Agent's universally unique identifier false string
uuid__contains Free-text filter by Agent UUID (supports multiple values) false string []
uuids A list of included UUIDs false string []

data Data false
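
The filter rules stated for Abort Scan (an empty filter applies the action to all applicable Agents) and for Disconnect from Network (one of ids, groupIds, filterId must be supplied) can be enforced client-side before a request is sent. The following is an added example, not code from the SentinelOne documentation: the function names are hypothetical, the sample IDs and values are constructed, and it only builds the request path and JSON body without sending anything.

```python
import json

ACTIONS_PREFIX = "/web/api/v2.1/agents/actions"

# Per-action filter rules, taken from the Body Schema descriptions on this page.
ACTION_RULES = {
    # "Leave empty to apply the action on all applicable Agents."
    "abort-scan": (),
    # "One of these filter arguments must be supplied: ids, groupIds, filterId."
    "disconnect": ("ids", "groupIds", "filterId"),
}

# Filter keys documented as `string []` that callers often pass as a bare string.
LIST_KEYS = ("ids", "groupIds", "siteIds", "accountIds", "uuids")


def between(start, end):
    """Format a numeric `<from>-<to>` value for a *__between filter.

    Numeric ranges only (timestamps, core counts); agentVersion__between takes
    version strings and is not handled here.
    """
    start, end = int(start), int(end)
    if start > end:
        raise ValueError("range start is after range end")
    return f"{start}-{end}"


def tags_data(include=None, exclude=None):
    """Serialize tagsData: a JSON string mapping tag key -> list of string values.

    Keys in `exclude` get the `__nin` suffix the page describes.
    """
    doc = {}
    for key, values in (include or {}).items():
        doc[key] = [str(v) for v in values]
    for key, values in (exclude or {}).items():
        doc[f"{key}__nin"] = [str(v) for v in values]
    return json.dumps(doc, sort_keys=True)


def clean_filter(flt):
    """Drop unset entries so an empty list or string cannot pass as a selector."""
    cleaned = {}
    for key, value in flt.items():
        if value is None:
            continue
        if isinstance(value, (str, list, tuple, set)) and len(value) == 0:
            continue
        if key.endswith("__contains") or key in LIST_KEYS:
            if isinstance(value, str):
                value = [value]
            value = [str(v) for v in value]
        cleaned[key] = value
    return cleaned


def build_action_request(action, flt, allow_all=False):
    """Return (path, body) for an Agent action, refusing over-broad filters."""
    if action not in ACTION_RULES:
        raise ValueError(f"no rules recorded for action {action!r}")
    cleaned = clean_filter(flt)
    required_any = ACTION_RULES[action]
    if required_any and not any(key in cleaned for key in required_any):
        raise ValueError(f"{action}: supply one of {', '.join(required_any)}")
    if not cleaned and not allow_all:
        # An empty filter is valid for abort-scan but targets every applicable
        # Agent, so make the caller say so explicitly.
        raise ValueError(f"{action}: empty filter affects all applicable Agents; "
                         "pass allow_all=True to confirm")
    return f"{ACTIONS_PREFIX}/{action}", {"filter": cleaned}


if __name__ == "__main__":
    # Constructed sample values, not real Agent IDs or timestamps.
    path, body = build_action_request(
        "disconnect",
        {"ids": ["1001", "1002"], "infected": True,
         "tagsData": tags_data({"env": ["prod"]}, {"owner": ["unknown"]})},
    )
    print("POST", path)
    print(json.dumps(body, indent=2))
    print(build_action_request(
        "abort-scan", {"lastActiveDate__between": between(1700000000000, 1700003600000)}))
```

The `affected` count in the response schema is the value to compare against the number of Agents the filter was expected to match.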

Disconnect from Network
POST /web/api/v2.1/agents/actions/disconnect

Use this command to isolate (quarantine) endpoints from the network, if the endpoints match the filter.
The Agent can still communicate with the Management, which lets you analyze and mitigate threats.

BEST PRACTICE
For Active threats that spread, apply "Disconnect from network" immediately. In the policy, you can set this to be automatic. When the Agent detects a high-confidence malicious threat, it will mitigate the threat (on Protect) with the action set by the policy. Then the Agent will immediately quarantine the endpoint. To make Disconnect from network automatic in an Account policy, run the "accounts/{id}" command (see "Update Account") with: "networkQuarantine":true.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permissions to perform the requested action

Response Schema
Name Description Required Value
data Response data false (nested fields listed below)
errors Errors false array

Fields of data:
Name Description Required Value
affected Number of entities affected by the requested operation false integer

Body Schema
Name Description Required Value
filter Applied filter - only matched Agents will be affected by the requested action. Note: One of these filter arguments must be supplied: ids, groupIds, filterId. true (nested fields listed below)

Fields of filter:
Name Description Required Value
accountIds List of Account IDs to filter by false string []
activeThreats Include Agents with this amount of active threats false integer
activeThreats__gt Include Agents with at least this amount of active threats false integer
adComputerMember__contains Free-text filter by Active Directory computer groups string (supports multiple values) false string []
adComputerName__contains Free-text filter by Active Directory computer name string (supports multiple values) false string []
adComputerQuery__contains Free-text filter by Active Directory computer name or its groups (supports multiple values) false string []
adQuery An Active Directory query string false string
adQuery__contains Free-text filter by Active Directory string (supports multiple values) false string []
adUserMember__contains Free-text filter by Active Directory user groups string (supports multiple values) false string []
adUserName__contains Free-text filter by Active Directory username string (supports multiple values) false string []
adUserQuery__contains Free-text filter by Active Directory computer name or its groups (supports multiple values) false string []
agentNamespace__contains Free-text filter by agent namespace (supports multiple values) false string []
agentPodName__contains Free-text filter by agent pod name (supports multiple values) false string []
agentVersion__between Version range for agent version (format: <from_version>-<to_version>, inclusive) false string
agentVersion__gt Agent versions greater than given version false string
agentVersion__gte Agent versions greater than or equal to given version false string
agentVersion__lt Agent versions less than given version false string
agentVersion__lte Agent versions less than or equal to given version false string
agentVersions Agent versions to include false string []
agentVersionsNin Agent versions not to include false string []
appsVulnerabilityStatuses Apps vulnerability status in false string []
appsVulnerabilityStatusesNin Apps vulnerability status nin false string []
awsRole__contains Free-text filter by aws role (supports multiple values) false string []
awsSecurityGroups__contains Free-text filter by aws securityGroups (supports multiple values) false string []
awsSubnetIds__contains Free-text filter by aws subnet ids (supports multiple values) false string []
azureResourceGroup__contains Free-text filter by azure resource group (supports multiple values) false string []
cloudAccount__contains Free-text filter by cloud account (supports multiple values) false string []
cloudImage__contains Free-text filter by cloud image (supports multiple values) false string []
cloudInstanceId__contains Free-text filter by cloud instance id (supports multiple values) false string []
cloudInstanceSize__contains Free-text filter by cloud instance size (supports multiple values) false string []
cloudLocation__contains Free-text filter by cloud location (supports multiple values) false string []
cloudNetwork__contains Free-text filter by cloud network (supports multiple values) false string []
cloudProvider Agents from which cloud provider false string []
cloudProviderNin Exclude Agents from these cloud providers false string []
cloudTags__contains Free-text filter by cloud tags (supports multiple values) false string []
clusterName__contains Free-text filter by cluster name (supports multiple values) false string []
computerName Computer name false string
computerName__contains Free-text filter by computer name (supports multiple values) false string []
computerName__like Match computer name partially (substring) false string
consoleMigrationStatuses Migration status in false string []
consoleMigrationStatusesNin Migration status nin false string []
coreCount__between Possible number of CPU cores (inclusive) false string
coreCount__gt CPU cores (more than) false integer
coreCount__gte CPU cores (more than or equal) false integer
coreCount__lt CPU cores (less than) false integer
coreCount__lte CPU cores (less than or equal) false integer
cpuCount__between Possible number of CPU cores (inclusive) false string
cpuCount__gt Number of CPUs (more than) false integer
cpuCount__gte Number of CPUs (more than or equal) false integer
cpuCount__lt Number of CPUs (less than) false integer
cpuCount__lte Number of CPUs (less than or equal) false integer
cpuId__contains Free-text filter by CPU name (supports multiple values) false string []
createdAt__between Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
createdAt__gt Agents created after this timestamp false string
createdAt__gte Agents created after or at this timestamp false string
createdAt__lt Agents created before this timestamp false string
createdAt__lte Agents created before or at this timestamp false string
csvFilterId The ID of the CSV file to filter by false string
decommissionedAt__between Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
decommissionedAt__gt Agents decommissioned after this timestamp false string
decommissionedAt__gte Agents decommissioned after or at this timestamp false string
decommissionedAt__lt Agents decommissioned before this timestamp false string
decommissionedAt__lte Agents decommissioned before this timestamp false string
domains Included network domains false string []
domainsNin Not included network domains false string []
encryptedApplications Disk encryption status false boolean
externalId__contains Free-text filter by external ID (Customer ID) false string []
externalIp__contains Free-text filter by visible IP (supports multiple values) false string []
filteredGroup List of Group false string []
Ids IDs to filter
by
filteredSiteIds List of Site false string []
IDs to filter
by
filterId Include all false string
Agents
matching this
saved filter
  firewallEnabled The Agent supports Firewall Control and it is enabled for the Agent's group false boolean []
  gatewayIp Gateway IP false string
  gcpServiceAccount__contains Free-text filter by gcp service account (supports multiple values) false string []
  groupIds List of network groups false string []
  hasContainerizedWorkload Include only Agents protecting containerized workloads false boolean
  hasLocalConfiguration Agent has a local configuration set false boolean
  hasTags Include only Agents that have any tags assigned if True, or none if False false boolean
  ids A list of Agent IDs false string []
  infected Include only Agents with at least one active threat false boolean
  installerTypes Include only Agents installed with these package types false string []
  installerTypesNin Exclude Agents installed with these package types false string []
  isActive Include only active Agents false boolean
  isDecommissioned Include active, decommissioned or both false boolean []
  isPendingUninstall Include only Agents with pending uninstall requests false boolean
  isUninstalled Include installed, uninstalled or both false boolean []
  isUpToDate Include only Agents with updated software false boolean
  k8sNodeLabels__contains Free-text filter by K8s node labels (supports multiple values) false string []
  k8sNodeName__contains Free-text filter by K8s node name (supports multiple values) false string []
  k8sType__contains Free-text filter by K8s type (supports multiple values) false string []
  k8sVersion__contains Free-text filter by K8s version (supports multiple values) false string []
  lastActiveDate__between Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) false string
  lastActiveDate__gt Agents last active after this time false string
  lastActiveDate__gte Agents last active after or at this time false string
  lastActiveDate__lt Agents last active before this time false string
  lastActiveDate__lte Agents last active before or at this time false string
  lastLoggedInUserName__contains Free-text filter by username (supports multiple values) false string []
  lastSuccessfulScanDate__between Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) false string
  lastSuccessfulScanDate__gt Agents last successful full disk scan after this time false string
  lastSuccessfulScanDate__gte Agents last successful full disk scan after or at this time false string
  lastSuccessfulScanDate__lt Agents last successful full disk scan before this time false string
  lastSuccessfulScanDate__lte Agents last successful full disk scan before or at this time false string
  liveUpdateId__contains Free-text filter by live update ID (supports multiple values) false string []
  locationEnabled The Agent supports Location Awareness and it is enabled for the Agent's group false boolean []
  locationIds Include only Agents reporting these locations false string []
  locationIdsNin Do not include only Agents reporting these locations false string []
  machineTypes Included machine types false string []
  machineTypesNin Not included machine types false string []
  migrationStatus Migration status false enum
  missingPermissions Included missing permissions false string []
  missingPermissionsNin Excluded missing permissions false string []
  mitigationMode Agent mitigation mode policy false enum
  mitigationModeSuspicious Mitigation mode policy for suspicious activity false enum
  networkInterfaceGatewayMacAddress__contains Free-text filter by Gateway MAC address (supports multiple values) false string []
  networkInterfaceInet__contains Free-text filter by local IP (supports multiple values) false string []
  networkInterfacePhysical__contains Free-text filter by MAC address (supports multiple values) false string []
  networkQuarantineEnabled The Agent supports Network Quarantine Control and it is enabled for the Agent's group false boolean []
  networkStatuses Included network statuses false string []
  networkStatusesNin Included network statuses false string []
  operationalStates Agent operational state false string []
  operationalStatesNin Do not include these Agent operational states false string []
  osArch OS architecture false enum
  osTypes Included OS types false string []
  osTypesNin Not included OS types false string []
  osVersion__contains Free-text filter by OS full name and version (supports multiple values) false string []
  query A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). false string
  rangerStatus [DEPRECATED] Use rangerStatuses. false enum
  rangerStatuses Status of Ranger false string []
  rangerStatusesNin Do not include these Ranger Statuses false string []
  rangerVersions Ranger versions to include false string []
  rangerVersionsNin Ranger versions not to include false string []
  registeredAt__between Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
  registeredAt__gt Agents registered after this time false string
  registeredAt__gte Agents registered after or at this time false string
  registeredAt__lt Agents registered before this time false string
  registeredAt__lte Agents registered before or at this time false string
  remoteOpsForensicsSupported Include only Agents that have Remote Ops Forensics feature supported false boolean
  remoteProfilingStates Agent remote profiling state false string []
  remoteProfilingStatesNin Do not include these Agent remote profiling states false string []
  rsoLevel Supported Remote Script Orchestration level false enum
  scanStatus Scan status false enum
  scanStatuses Included scan statuses false string []
  scanStatusesNin Not included scan statuses false string []
  serialNumber__contains Free-text filter by Serial Number (supports multiple values) false string []
  siteIds List of Site IDs to filter by false string []
  tagsData Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. false string
  threatContentHash Include only Agents that have at least one threat with this content hash false string
  threatCreatedAt__between Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) false string
  threatCreatedAt__gt Agents with threats reported after this time false string
  threatCreatedAt__gte Agents with threats reported after or at this time false string
  threatCreatedAt__lt Agents with threats reported before this time false string
  threatCreatedAt__lte Agents with threats reported before or at this time false string
  threatHidden Include only Agents with at least one hidden threat false boolean
  threatMitigationStatus Include only Agents that have threats with this mitigation status false enum
  threatRebootRequired Has at least one threat with at least one mitigation action pending reboot to succeed false boolean []
  threatResolved Include only Agents with at least one resolved threat false boolean
  totalMemory__between Total memory range (GB, inclusive) false string
  totalMemory__gt Memory size (MB, more than) false integer
  totalMemory__gte Memory size (MB, more than or equal) false integer
  totalMemory__lt Memory size (MB, less than) false integer
  totalMemory__lte Memory size (MB, less than or equal) false integer
  updatedAt__between Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
  updatedAt__gt Agents updated after this timestamp false string
  updatedAt__gte Agents updated after or at this timestamp false string
  updatedAt__lt Agents updated before this timestamp false string
  updatedAt__lte Agents updated before or at this timestamp false string
  userActionsNeeded Included pending user actions false string []
  userActionsNeededNin Excluded pending user actions false string []
  uuid Agent's universally unique identifier false string
  uuid__contains Free-text filter by Agent UUID (supports multiple values) false string []
  uuids A list of included UUIDs false string []

data Data false

Decommission
POST /web/api/v2.1/agents/actions/decommission

If a user is scheduled for time off, or a device is scheduled for maintenance, you can decommission the Agent. This removes the Agent from the Management Console. When the Agent communicates with the Management again, the Management recommissions it and returns it to the Console. Use this command to decommission the Agents that match the filter.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permissions to perform the requested action

Response Schema
Name Description Required Value
data Response data false (nested fields follow)
  Name Description Required Value
  affected Number of entities affected by the requested operation false integer
errors Errors false array

Body Schema
Name Description Required Value
filter Applied filter - only matched Agents will be affected by the requested action. Note: One of these filter arguments must be supplied: ids, groupIds, filterId. true (nested fields follow)
  Name Description Required Value
  accountIds List of Account IDs to filter by false string []
  activeThreats Include Agents with this amount of active threats false integer
  activeThreats__gt Include Agents with at least this amount of active threats false integer
  adComputerMember__contains Free-text filter by Active Directory computer groups string (supports multiple values) false string []
  adComputerName__contains Free-text filter by Active Directory computer name string (supports multiple values) false string []
  adComputerQuery__contains Free-text filter by Active Directory computer name or its groups (supports multiple values) false string []
  adQuery An Active Directory query string false string
  adQuery__contains Free-text filter by Active Directory string (supports multiple values) false string []
  adUserMember__contains Free-text filter by Active Directory user groups string (supports multiple values) false string []
  adUserName__contains Free-text filter by Active Directory username string (supports multiple values) false string []
  adUserQuery__contains Free-text filter by Active Directory computer name or its groups (supports multiple values) false string []
  agentNamespace__contains Free-text filter by agent namespace (supports multiple values) false string []
  agentPodName__contains Free-text filter by agent pod name (supports multiple values) false string []
  agentVersion__between Version range for agent version (format: <from_version>-<to_version>, inclusive) false string
  agentVersion__gt Agents versions greater than given version false string
  agentVersion__gte Agents versions greater than or equal to given version false string
  agentVersion__lt Agents versions less than given version false string
  agentVersion__lte Agents versions less than or equal to given version false string
  agentVersions Agent versions to include false string []
  agentVersionsNin Agent versions not to include false string []
  appsVulnerabilityStatuses Apps vulnerability status in false string []
  appsVulnerabilityStatusesNin Apps vulnerability status nin false string []
  awsRole__contains Free-text filter by aws role (supports multiple values) false string []
  awsSecurityGroups__contains Free-text filter by aws securityGroups (supports multiple values) false string []
  awsSubnetIds__contains Free-text filter by aws subnet ids (supports multiple values) false string []
  azureResourceGroup__contains Free-text filter by azure resource group (supports multiple values) false string []
  cloudAccount__contains Free-text filter by cloud account (supports multiple values) false string []
  cloudImage__contains Free-text filter by cloud image (supports multiple values) false string []
  cloudInstanceId__contains Free-text filter by cloud instance id (supports multiple values) false string []
  cloudInstanceSize__contains Free-text filter by cloud instance size (supports multiple values) false string []
  cloudLocation__contains Free-text filter by cloud location (supports multiple values) false string []
  cloudNetwork__contains Free-text filter by cloud network (supports multiple values) false string []
  cloudProvider Agents from which cloud provider false string []
  cloudProviderNin Exclude Agents from these cloud providers false string []
  cloudTags__contains Free-text filter by cloud tags (supports multiple values) false string []
  clusterName__contains Free-text filter by cluster name (supports multiple values) false string []
  computerName Computer name false string
  computerName__contains Free-text filter by computer name (supports multiple values) false string []
  computerName__like Match computer name partially (substring) false string
  consoleMigrationStatuses Migration status in false string []
  consoleMigrationStatusesNin Migration status nin false string []
  coreCount__between Possible number of CPU cores (inclusive) false string
  coreCount__gt CPU cores (more than) false integer
  coreCount__gte CPU cores (more than or equal) false integer
  coreCount__lt CPU cores (less than) false integer
  coreCount__lte CPU cores (less than or equal) false integer
  cpuCount__between Possible number of CPU cores (inclusive) false string
  cpuCount__gt Number of CPUs (more than) false integer
  cpuCount__gte Number of CPUs (more than or equal) false integer
  cpuCount__lt Number of CPUs (less than) false integer
  cpuCount__lte Number of CPUs (less than or equal) false integer
  cpuId__contains Free-text filter by CPU name (supports multiple values) false string []
  createdAt__between Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
  createdAt__gt Agents created after this timestamp false string
  createdAt__gte Agents created after or at this timestamp false string
  createdAt__lt Agents created before this timestamp false string
  createdAt__lte Agents created before or at this timestamp false string
  csvFilterId The ID of the CSV file to filter by false string
  decommissionedAt__between Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
  decommissionedAt__gt Agents decommissioned after this timestamp false string
  decommissionedAt__gte Agents decommissioned after or at this timestamp false string
  decommissionedAt__lt Agents decommissioned before this timestamp false string
  decommissionedAt__lte Agents decommissioned before this timestamp false string
  domains Included network domains false string []
  domainsNin Not included network domains false string []
  encryptedApplications Disk encryption status false boolean
  externalId__contains Free-text filter by external ID (Customer ID) false string []
  externalIp__contains Free-text filter by visible IP (supports multiple values) false string []
  filteredGroupIds List of Group IDs to filter by false string []
  filteredSiteIds List of Site IDs to filter by false string []
  filterId Include all Agents matching this saved filter false string
  firewallEnabled The Agent supports Firewall Control and it is enabled for the Agent's group false boolean []
  gatewayIp Gateway IP false string
  gcpServiceAccount__contains Free-text filter by gcp service account (supports multiple values) false string []
  groupIds List of network groups false string []
  hasContainerizedWorkload Include only Agents protecting containerized workloads false boolean
  hasLocalConfiguration Agent has a local configuration set false boolean
  hasTags Include only Agents that have any tags assigned if True, or none if False false boolean
  ids A list of Agent IDs false string []
  infected Include only Agents with at least one active threat false boolean
  installerTypes Include only Agents installed with these package types false string []
  installerTypesNin Exclude Agents installed with these package types false string []
  isActive Include only active Agents false boolean
  isDecommissioned Include active, decommissioned or both false boolean []
  isPendingUninstall Include only Agents with pending uninstall requests false boolean
  isUninstalled Include installed, uninstalled or both false boolean []
  isUpToDate Include only Agents with updated software false boolean
  k8sNodeLabels__contains Free-text filter by K8s node labels (supports multiple values) false string []
  k8sNodeName__contains Free-text filter by K8s node name (supports multiple values) false string []
  k8sType__contains Free-text filter by K8s type (supports multiple values) false string []
  k8sVersion__contains Free-text filter by K8s version (supports multiple values) false string []
  lastActiveDate__between Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) false string
  lastActiveDate__gt Agents last active after this time false string
  lastActiveDate__gte Agents last active after or at this time false string
  lastActiveDate__lt Agents last active before this time false string
  lastActiveDate__lte Agents last active before or at this time false string
  lastLoggedInUserName__contains Free-text filter by username (supports multiple values) false string []
  lastSuccessfulScanDate__between Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) false string
  lastSuccessfulScanDate__gt Agents last successful full disk scan after this time false string
  lastSuccessfulScanDate__gte Agents last successful full disk scan after or at this time false string
  lastSuccessfulScanDate__lt Agents last successful full disk scan before this time false string
  lastSuccessfulScanDate__lte Agents last successful full disk scan before or at this time false string
  liveUpdateId__contains Free-text filter by live update ID (supports multiple values) false string []
  locationEnabled The Agent supports Location Awareness and it is enabled for the Agent's group false boolean []
  locationIds Include only Agents reporting these locations false string []
  locationIdsNin Do not include only Agents reporting these locations false string []
  machineTypes Included machine types false string []
  machineTypesNin Not included machine types false string []
  migrationStatus Migration status false enum
  missingPermissions Included missing permissions false string []
  missingPermissionsNin Excluded missing permissions false string []
  mitigationMode Agent mitigation mode policy false enum
  mitigationModeSuspicious Mitigation mode policy for suspicious activity false enum
  networkInterfaceGatewayMacAddress__contains Free-text filter by Gateway MAC address (supports multiple values) false string []
  networkInterfaceInet__contains Free-text filter by local IP (supports multiple values) false string []
  networkInterfacePhysical__contains Free-text filter by MAC address (supports multiple values) false string []
  networkQuarantineEnabled The Agent supports Network Quarantine Control and it is enabled for the Agent's group false boolean []
  networkStatuses Included network statuses false string []
  networkStatusesNin Included network statuses false string []
  operationalStates Agent operational state false string []
  operationalStatesNin Do not include these Agent operational states false string []
  osArch OS architecture false enum
  osTypes Included OS types false string []
  osTypesNin Not included OS types false string []
  osVersion__contains Free-text filter by OS full name and version (supports multiple values) false string []
  query A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). false string
  rangerStatus [DEPRECATED] Use rangerStatuses. false enum
  rangerStatuses Status of Ranger false string []
  rangerStatusesNin Do not include these Ranger Statuses false string []
  rangerVersions Ranger versions to include false string []
  rangerVersionsNin Ranger versions not to include false string []
  registeredAt__between Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
  registeredAt__gt Agents registered after this time false string
  registeredAt__gte Agents registered after or at this time false string
  registeredAt__lt Agents registered before this time false string
  registeredAt__lte Agents registered before or at this time false string
  remoteOpsForensicsSupported Include only Agents that have Remote Ops Forensics feature supported false boolean
  remoteProfilingStates Agent remote profiling state false string []
  remoteProfilingStatesNin Do not include these Agent remote profiling states false string []
  rsoLevel Supported Remote Script Orchestration level false enum
  scanStatus Scan status false enum
  scanStatuses Included scan statuses false string []
  scanStatusesNin Not included scan statuses false string []
  serialNumber__contains Free-text filter by Serial Number (supports multiple values) false string []
  siteIds List of Site IDs to filter by false string []
  tagsData Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. false string
  threatContentHash Include only Agents that have at least one threat with this content hash false string
  threatCreatedAt__between Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) false string
  threatCreatedAt__gt Agents with threats reported after this time false string
  threatCreatedAt__gte Agents with threats reported after or at this time false string
  threatCreatedAt__lt Agents with threats reported before this time false string
  threatCreatedAt__lte Agents with threats reported before or at this time false string
  threatHidden Include only Agents with at least one hidden threat false boolean
  threatMitigationStatus Include only Agents that have threats with this mitigation status false enum
  threatRebootRequired Has at least one threat with at least one mitigation action pending reboot to succeed false boolean []
  threatResolved Include only Agents with at least one resolved threat false boolean
  totalMemory__between Total memory range (GB, inclusive) false string
  totalMemory__gt Memory size (MB, more than) false integer
  totalMemory__gte Memory size (MB, more than or equal) false integer
  totalMemory__lt Memory size (MB, less than) false integer
  totalMemory__lte Memory size (MB, less than or equal) false integer
  updatedAt__between Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
  updatedAt__gt Agents updated after this timestamp false string
  updatedAt__gte Agents updated after or at this timestamp false string
  updatedAt__lt Agents updated before this timestamp false string
  updatedAt__lte Agents updated before or at this timestamp false string
  userActionsNeeded Included pending user actions false string []
  userActionsNeededNin Excluded pending user actions false string []
  uuid Agent's universally unique identifier false string
  uuid__contains Free-text filter by Agent UUID (supports multiple values) false string []
  uuids A list of included UUIDs false string []

data Data false
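
The Body Schema above requires one of ids, groupIds or filterId in every filter, which is worth enforcing client-side before a bulk decommission or uninstall request leaves the automation host. The following Python is an added example, not SentinelOne code: it validates a filter against a subset of the documented fields and returns the documented path and the JSON body without sending anything. The local allowlist, the helper names, the integer timestamps and the placeholder group ID are assumptions.

```python
import json

# Endpoint paths exactly as documented on this page.
ACTION_PATHS = {
    "decommission": "/web/api/v2.1/agents/actions/decommission",
    "uninstall": "/web/api/v2.1/agents/actions/uninstall",
}

# The Body Schema requires at least one of these filter arguments.
SCOPING_FIELDS = ("ids", "groupIds", "filterId")

# Subset of the documented filter fields with their documented value types
# ("string []" maps to list, "string" to str, and so on). The subset itself
# is a local choice for this example.
FIELD_TYPES = {
    "ids": list, "groupIds": list, "siteIds": list, "accountIds": list,
    "osTypes": list, "filterId": str, "computerName__like": str,
    "lastActiveDate__between": str, "lastActiveDate__lt": str,
    "tagsData": str, "isActive": bool, "infected": bool,
    "isUpToDate": bool, "activeThreats__gt": int, "coreCount__gte": int,
}


def _require_string_list(name, values):
    """Reject empty lists and lists holding anything but non-empty strings."""
    if not isinstance(values, list) or not values:
        raise TypeError(f"{name} must be a non-empty list")
    if not all(isinstance(v, str) and v.strip() for v in values):
        raise TypeError(f"{name} must contain only non-empty strings")


def between(start, end):
    """Render the documented `<from>-<to>` inclusive range string.

    Assumption: both bounds are non-negative integer timestamps; the page
    does not state the timestamp unit.
    """
    for bound in (start, end):
        if isinstance(bound, bool) or not isinstance(bound, int) or bound < 0:
            raise TypeError(f"range bound must be a non-negative int: {bound!r}")
    if start > end:
        raise ValueError(f"range start {start} is after end {end}")
    return f"{start}-{end}"


def tags_data(include=None, exclude=None):
    """Encode tagsData: a JSON object of tag key -> list of string values.

    Keys passed in `exclude` get the documented `__nin` suffix.
    """
    doc = {}
    for suffix, group in (("", include or {}), ("__nin", exclude or {})):
        for key, values in group.items():
            _require_string_list(f"tagsData[{key}]", values)
            doc[key + suffix] = list(values)
    if not doc:
        raise ValueError("tagsData needs at least one tag key")
    return json.dumps(doc, sort_keys=True)


def build_action_request(action, agent_filter):
    """Validate a filter and return (path, body) for a bulk Agent action.

    Nothing is sent; the caller adds authentication and performs the POST.
    """
    if action not in ACTION_PATHS:
        raise ValueError(f"unsupported action: {action!r}")
    # Refuse filters that lack ids, groupIds and filterId, as the schema demands.
    if not any(agent_filter.get(field) for field in SCOPING_FIELDS):
        raise ValueError("filter must include one of: " + ", ".join(SCOPING_FIELDS))
    for name, value in agent_filter.items():
        expected = FIELD_TYPES.get(name)
        if expected is None:
            # A misspelled key should fail here, not reach the console.
            raise ValueError(f"field not in the local allowlist: {name!r}")
        if expected is list:
            _require_string_list(name, value)
        elif expected is int:
            if isinstance(value, bool) or not isinstance(value, int):
                raise TypeError(f"{name} must be an integer")
        elif not isinstance(value, expected):
            raise TypeError(f"{name} must be {expected.__name__}")
    return ACTION_PATHS[action], {"filter": dict(agent_filter)}


# Constructed sample: inactive Agents in one group, last active inside a
# fixed window, narrowed by tags. The group ID is a placeholder.
SAMPLE_FILTER = {
    "groupIds": ["GROUP_ID_PLACEHOLDER"],
    "isActive": False,
    "lastActiveDate__between": between(1700000000000, 1702592000000),
    "tagsData": tags_data(include={"env": ["lab"]}, exclude={"owner": ["soc"]}),
}

if __name__ == "__main__":
    path, body = build_action_request("decommission", SAMPLE_FILTER)
    print("POST", path)
    print(json.dumps(body, indent=2))
```

Comparing the `affected` count in the response with the number of Agents the same filter was expected to match is a useful follow-up check.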

Uninstall
POST /web/api/v2.1/agents/actions/uninstall

Use this command to uninstall Agents that match the filter. For Windows and macOS, make sure that all remnants of the Agent are removed: reboot the endpoints after uninstall. Use the "restart" command.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permissions to perform the requested action

Response Schema
Name Description Required Value
data Response data false (nested fields follow)
  Name Description Required Value
  affected Number of entities affected by the requested operation false integer
errors Errors false array

Body Schema
Name Description Required Value
filter Applied filter - only matched Agents will be affected by the requested action. Note: One of these filter arguments must be supplied: ids, groupIds, filterId. true (nested fields follow)
  Name Description Required Value
  accountIds List of Account IDs to filter by false string []
  activeThreats Include Agents with this amount of active threats false integer
  activeThreats__gt Include Agents with at least this amount of active threats false integer
  adComputerMember__contains Free-text filter by Active Directory computer groups string (supports multiple values) false string []
  adComputerName__contains Free-text filter by Active Directory computer name string (supports multiple values) false string []
  adComputerQuery__contains Free-text filter by Active Directory computer name or its groups (supports multiple values) false string []
  adQuery An Active Directory query string false string
  adQuery__contains Free-text filter by Active Directory string (supports multiple values) false string []
  adUserMember__contains Free-text filter by Active Directory user groups string (supports multiple values) false string []
  adUserName__contains Free-text filter by Active Directory username string (supports multiple values) false string []
  adUserQuery__contains Free-text filter by Active Directory computer name or its groups (supports multiple values) false string []
  agentNamespace__contains Free-text filter by agent namespace (supports multiple values) false string []
  agentPodName__contains Free-text filter by agent pod name (supports multiple values) false string []
  agentVersion__between Version range for agent version (format: <from_version>-<to_version>, inclusive) false string
  agentVersion__gt Agents versions greater than given version false string
  agentVersion__gte Agents versions greater than or equal to given version false string
  agentVersion__lt Agents versions less than given version false string
  agentVersion__lte Agents versions less than or equal to given version false string
  agentVersions Agent versions to include false string []
  agentVersionsNin Agent versions not to include false string []
  appsVulnerabilityStatuses Apps vulnerability status in false string []
  appsVulnerabilityStatusesNin Apps vulnerability status nin false string []
  awsRole__contains Free-text filter by aws role (supports multiple values) false string []
  awsSecurityGroups__contains Free-text filter by aws securityGroups (supports multiple values) false string []
  awsSubnetIds__contains Free-text filter by aws subnet ids (supports multiple values) false string []
  azureResourceGroup__contains Free-text filter by azure resource group (supports multiple values) false string []
  cloudAccount__contains Free-text filter by cloud account (supports multiple values) false string []
  cloudImage__contains Free-text filter by cloud image (supports multiple values) false string []
  cloudInstanceId__contains Free-text filter by cloud instance id (supports multiple values) false string []
  cloudInstanceSize__contains Free-text filter by cloud instance size (supports multiple values) false string []
  cloudLocation__contains Free-text filter by cloud location (supports multiple values) false string []
  cloudNetwork__contains Free-text filter by cloud network (supports multiple values) false string []
  cloudProvider Agents from which cloud provider false string []
  cloudProviderNin Exclude Agents from these cloud providers false string []
  cloudTags__contains Free-text filter by cloud tags (supports multiple values) false string []
  clusterName__contains Free-text filter by cluster name (supports multiple values) false string []
  computerName Computer name false string
  computerName__contains Free-text filter by computer name (supports multiple values) false string []
  computerName__like Match computer name partially (substring) false string
  consoleMigrationStatuses Migration status in false string []
  consoleMigrationStatusesNin Migration status nin false string []
  coreCount__between Possible number of CPU cores (inclusive) false string
  coreCount__gt CPU cores (more than) false integer
  coreCount__gte CPU cores (more than or equal) false integer
  coreCount__lt CPU cores (less than) false integer
  coreCount__lte CPU cores (less than or equal) false integer
  cpuCount__between Possible number of CPU cores (inclusive) false string
  cpuCount__gt Number of CPUs (more than) false integer
  cpuCount__gte Number of CPUs (more than or equal) false integer
  cpuCount__lt Number of CPUs (less than) false integer
  cpuCount__lte Number of CPUs (less than or equal) false integer
  cpuId__contains Free-text filter by CPU name (supports multiple values) false string []
  createdAt__between Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
  createdAt__gt Agents created after this timestamp false string
  createdAt__gte Agents created after or at this timestamp false string
  createdAt__lt Agents created before this timestamp false string
  createdAt__lte Agents created before or at this timestamp false string
  csvFilterId The ID of the CSV file to filter by false string
  decommissionedAt__between Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
  decommissionedAt__gt Agents decommissioned after this timestamp false string
  decommissionedAt__gte Agents decommissioned after or at this timestamp false string
  decommissionedAt__lt Agents decommissioned before this timestamp false string
  decommissionedAt__lte Agents decommissioned before this timestamp false string
  domains Included network domains false string []
  domainsNin Not included network domains false string []
  encryptedApplications Disk encryption status false boolean
  externalId__contains Free-text filter by external ID (Customer ID) false string []
  externalIp__contains Free-text filter by visible IP (supports multiple values) false string []
  filteredGroupIds List of Group IDs to filter by false string []
  filteredSiteIds List of Site IDs to filter by false string []
  filterId Include all Agents matching this saved filter false string
  firewallEnabled The Agent supports Firewall Control and it is enabled for the Agent's group false boolean []
  gatewayIp Gateway IP false string
  gcpServiceAccount__contains Free-text filter by gcp service account (supports multiple values) false string []
  groupIds List of network groups false string []
  hasContainerizedWorkload Include only Agents protecting containerized workloads false boolean
  hasLocalConfiguration Agent has a local configuration set false boolean
  hasTags Include only Agents that have any tags assigned if True, or none if False false boolean
  ids A list of Agent IDs false string []
  infected Include only Agents with at least one active threat false boolean
  installerTypes Include only Agents installed with these package types false string []
  installerTypesNin Exclude Agents installed with these package types false string []
  isActive Include only active Agents false boolean
  isDecommissioned Include active, decommissioned or both false boolean []
  isPendingUninstall Include only Agents with pending uninstall requests false boolean
  isUninstalled Include installed, uninstalled or both false boolean []
  isUpToDate Include only Agents with updated software false boolean
  k8sNodeLabels__contains | Free-text filter by K8s node labels (supports multiple values) | false | string []
  k8sNodeName__contains | Free-text filter by K8s node name (supports multiple values) | false | string []
  k8sType__contains | Free-text filter by K8s type (supports multiple values) | false | string []
  k8sVersion__contains | Free-text filter by K8s version (supports multiple values) | false | string []
  lastActiveDate__between | Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  lastActiveDate__gt | Agents last active after this time | false | string
  lastActiveDate__gte | Agents last active after or at this time | false | string
  lastActiveDate__lt | Agents last active before this time | false | string
  lastActiveDate__lte | Agents last active before or at this time | false | string
  lastLoggedInUserName__contains | Free-text filter by username (supports multiple values) | false | string []
  lastSuccessfulScanDate__between | Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  lastSuccessfulScanDate__gt | Agents last successful full disk scan after this time | false | string
  lastSuccessfulScanDate__gte | Agents last successful full disk scan after or at this time | false | string
  lastSuccessfulScanDate__lt | Agents last successful full disk scan before this time | false | string
  lastSuccessfulScanDate__lte | Agents last successful full disk scan before or at this time | false | string
  liveUpdateId__contains | Free-text filter by live update ID (supports multiple values) | false | string []
  locationEnabled | The Agent supports Location Awareness and it is enabled for the Agent's group | false | boolean []
  locationIds | Include only Agents reporting these locations | false | string []
  locationIdsNin | Do not include only Agents reporting these locations | false | string []
  machineTypes | Included machine types | false | string []
  machineTypesNin | Not included machine types | false | string []
  migrationStatus | Migration status | false | enum
  missingPermissions | Included missing permissions | false | string []
  missingPermissionsNin | Excluded missing permissions | false | string []
  mitigationMode | Agent mitigation mode policy | false | enum
  mitigationModeSuspicious | Mitigation mode policy for suspicious activity | false | enum
  networkInterfaceGatewayMacAddress__contains | Free-text filter by Gateway MAC address (supports multiple values) | false | string []
  networkInterfaceInet__contains | Free-text filter by local IP (supports multiple values) | false | string []
  networkInterfacePhysical__contains | Free-text filter by MAC address (supports multiple values) | false | string []
  networkQuarantineEnabled | The Agent supports Network Quarantine Control and it is enabled for the Agent's group | false | boolean []
  networkStatuses | Included network statuses | false | string []
  networkStatusesNin | Included network statuses | false | string []
  operationalStates | Agent operational state | false | string []
  operationalStatesNin | Do not include these Agent operational states | false | string []
  osArch | OS architecture | false | enum
  osTypes | Included OS types | false | string []
  osTypesNin | Not included OS types | false | string []
  osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
  query | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string
  rangerStatus | [DEPRECATED] Use rangerStatuses. | false | enum
  rangerStatuses | Status of Ranger | false | string []
  rangerStatusesNin | Do not include these Ranger Statuses | false | string []
  rangerVersions | Ranger versions to include | false | string []
  rangerVersionsNin | Ranger versions not to include | false | string []
  registeredAt__between | Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  registeredAt__gt | Agents registered after this time | false | string
  registeredAt__gte | Agents registered after or at this time | false | string
  registeredAt__lt | Agents registered before this time | false | string
  registeredAt__lte | Agents registered before or at this time | false | string
  remoteOpsForensicsSupported | Include only agents that have the Remote Ops Forensics feature supported | false | boolean
  remoteProfilingStates | Agent remote profiling state | false | string []
  remoteProfilingStatesNin | Do not include these Agent remote profiling states | false | string []
  rsoLevel | Supported Remote Script Orchestration level | false | enum
  scanStatus | Scan status | false | enum
  scanStatuses | Included scan statuses | false | string []
  scanStatusesNin | Not included scan statuses | false | string []
  serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
  siteIds | List of Site IDs to filter by | false | string []
  tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
  threatContentHash | Include only Agents that have at least one threat with this content hash | false | string
  threatCreatedAt__between | Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  threatCreatedAt__gt | Agents with threats reported after this time | false | string
  threatCreatedAt__gte | Agents with threats reported after or at this time | false | string
  threatCreatedAt__lt | Agents with threats reported before this time | false | string
  threatCreatedAt__lte | Agents with threats reported before or at this time | false | string
  threatHidden | Include only Agents with at least one hidden threat | false | boolean
  threatMitigationStatus | Include only Agents that have threats with this mitigation status | false | enum
  threatRebootRequired | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean []
  threatResolved | Include only Agents with at least one resolved threat | false | boolean
  totalMemory__between | Total memory range (GB, inclusive) | false | string
  totalMemory__gt | Memory size (MB, more than) | false | integer
  totalMemory__gte | Memory size (MB, more than or equal) | false | integer
  totalMemory__lt | Memory size (MB, less than) | false | integer
  totalMemory__lte | Memory size (MB, less than or equal) | false | integer
  updatedAt__between | Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  updatedAt__gt | Agents updated after this timestamp | false | string
  updatedAt__gte | Agents updated after or at this timestamp | false | string
  updatedAt__lt | Agents updated before this timestamp | false | string
  updatedAt__lte | Agents updated before or at this timestamp | false | string
  userActionsNeeded | Included pending user actions | false | string []
  userActionsNeededNin | Excluded pending user actions | false | string []
  uuid | Agent's universally unique identifier | false | string
  uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
  uuids | A list of included UUIDs | false | string []
data | Data | false |

Restart
POST /web/api/v2.1/agents/actions/restart-machine

Use this command to restart endpoints that have an Agent installed and that fit the filter. We recommend that you use the "broadcast" command to send a message to users of endpoints before you restart their computers.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permissions to perform the requested action

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  Name | Description | Required | Value
  affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
filter | Applied filter - only matched Agents will be affected by the requested action. Note: One of these filter arguments must be supplied: ids, groupIds, filterId. | true | (fields below)
  Name | Description | Required | Value
  accountIds | List of Account IDs to filter by | false | string []
  activeThreats | Include Agents with this amount of active threats | false | integer
  activeThreats__gt | Include Agents with at least this amount of active threats | false | integer
  adComputerMember__contains | Free-text filter by Active Directory computer groups string (supports multiple values) | false | string []
  adComputerName__contains | Free-text filter by Active Directory computer name string (supports multiple values) | false | string []
  adComputerQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
  adQuery | An Active Directory query string | false | string
  adQuery__contains | Free-text filter by Active Directory string (supports multiple values) | false | string []
  adUserMember__contains | Free-text filter by Active Directory user groups string (supports multiple values) | false | string []
  adUserName__contains | Free-text filter by Active Directory username string (supports multiple values) | false | string []
  adUserQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
  agentNamespace__contains | Free-text filter by agent namespace (supports multiple values) | false | string []
  agentPodName__contains | Free-text filter by agent pod name (supports multiple values) | false | string []
  agentVersion__between | Version range for agent version (format: <from_version>-<to_version>, inclusive) | false | string
  agentVersion__gt | Agents versions greater than given version | false | string
  agentVersion__gte | Agents versions greater than or equal to given version | false | string
  agentVersion__lt | Agents versions less than given version | false | string
  agentVersion__lte | Agents versions less than or equal to given version | false | string
  agentVersions | Agent versions to include | false | string []
  agentVersionsNin | Agent versions not to include | false | string []
  appsVulnerabilityStatuses | Apps vulnerability status in | false | string []
  appsVulnerabilityStatusesNin | Apps vulnerability status nin | false | string []
  awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
  awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
  awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
  azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
  cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
  cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
  cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
  cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
  cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
  cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
  cloudProvider | Agents from which cloud provider | false | string []
  cloudProviderNin | Exclude Agents from these cloud provider | false | string []
  cloudTags__contains | Free-text filter by cloud tags (supports multiple values) | false | string []
  clusterName__contains | Free-text filter by cluster name (supports multiple values) | false | string []
  computerName | Computer name | false | string
  computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
  computerName__like | Match computer name partially (substring) | false | string
  consoleMigrationStatuses | Migration status in | false | string []
  consoleMigrationStatusesNin | Migration status nin | false | string []
  coreCount__between | Possible number of CPU cores (inclusive) | false | string
  coreCount__gt | CPU cores (more than) | false | integer
  coreCount__gte | CPU cores (more than or equal) | false | integer
  coreCount__lt | CPU cores (less than) | false | integer
  coreCount__lte | CPU cores (less than or equal) | false | integer
  cpuCount__between | Possible number of CPU cores (inclusive) | false | string
  cpuCount__gt | Number of CPUs (more than) | false | integer
  cpuCount__gte | Number of CPUs (more than or equal) | false | integer
  cpuCount__lt | Number of CPUs (less than) | false | integer
  cpuCount__lte | Number of CPUs (less than or equal) | false | integer
  cpuId__contains | Free-text filter by CPU name (supports multiple values) | false | string []
  createdAt__between | Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  createdAt__gt | Agents created after this timestamp | false | string
  createdAt__gte | Agents created after or at this timestamp | false | string
  createdAt__lt | Agents created before this timestamp | false | string
  createdAt__lte | Agents created before or at this timestamp | false | string
  csvFilterId | The ID of the CSV file to filter by | false | string
  decommissionedAt__between | Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  decommissionedAt__gt | Agents decommissioned after this timestamp | false | string
  decommissionedAt__gte | Agents decommissioned after or at this timestamp | false | string
  decommissionedAt__lt | Agents decommissioned before this timestamp | false | string
  decommissionedAt__lte | Agents decommissioned before this timestamp | false | string
  domains | Included network domains | false | string []
  domainsNin | Not included network domains | false | string []
  encryptedApplications | Disk encryption status | false | boolean
  externalId__contains | Free-text filter by external ID (Customer ID) | false | string []
  externalIp__contains | Free-text filter by visible IP (supports multiple values) | false | string []
  filteredGroupIds | List of Group IDs to filter by | false | string []
  filteredSiteIds | List of Site IDs to filter by | false | string []
  filterId | Include all Agents matching this saved filter | false | string
  firewallEnabled | The Agent supports Firewall Control and it is enabled for the Agent's group | false | boolean []
  gatewayIp | Gateway ip | false | string
  gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
  groupIds | List of network groups | false | string []
  hasContainerizedWorkload | Include only Agents protecting containerized workloads | false | boolean
  hasLocalConfiguration | Agent has a local configuration set | false | boolean
  hasTags | Include only Agents that have any tags assigned if True, or none if False | false | boolean
  ids | A list of Agent IDs | false | string []
  infected | Include only Agents with at least one active threat | false | boolean
  installerTypes | Include only Agents installed with these package types | false | string []
  installerTypesNin | Exclude Agents installed with these package types | false | string []
  isActive | Include only active Agents | false | boolean
  isDecommissioned | Include active, decommissioned or both | false | boolean []
  isPendingUninstall | Include only Agents with pending uninstall requests | false | boolean
  isUninstalled | Include installed, uninstalled or both | false | boolean []
  isUpToDate | Include only Agents with updated software | false | boolean
  k8sNodeLabels__contains | Free-text filter by K8s node labels (supports multiple values) | false | string []
  k8sNodeName__contains | Free-text filter by K8s node name (supports multiple values) | false | string []
  k8sType__contains | Free-text filter by K8s type (supports multiple values) | false | string []
  k8sVersion__contains | Free-text filter by K8s version (supports multiple values) | false | string []
  lastActiveDate__between | Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  lastActiveDate__gt | Agents last active after this time | false | string
  lastActiveDate__gte | Agents last active after or at this time | false | string
  lastActiveDate__lt | Agents last active before this time | false | string
  lastActiveDate__lte | Agents last active before or at this time | false | string
  lastLoggedInUserName__contains | Free-text filter by username (supports multiple values) | false | string []
  lastSuccessfulScanDate__between | Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  lastSuccessfulScanDate__gt | Agents last successful full disk scan after this time | false | string
  lastSuccessfulScanDate__gte | Agents last successful full disk scan after or at this time | false | string
  lastSuccessfulScanDate__lt | Agents last successful full disk scan before this time | false | string
  lastSuccessfulScanDate__lte | Agents last successful full disk scan before or at this time | false | string
  liveUpdateId__contains | Free-text filter by live update ID (supports multiple values) | false | string []
  locationEnabled | The Agent supports Location Awareness and it is enabled for the Agent's group | false | boolean []
  locationIds | Include only Agents reporting these locations | false | string []
  locationIdsNin | Do not include only Agents reporting these locations | false | string []
  machineTypes | Included machine types | false | string []
  machineTypesNin | Not included machine types | false | string []
  migrationStatus | Migration status | false | enum
  missingPermissions | Included missing permissions | false | string []
  missingPermissionsNin | Excluded missing permissions | false | string []
  mitigationMode | Agent mitigation mode policy | false | enum
  mitigationModeSuspicious | Mitigation mode policy for suspicious activity | false | enum
  networkInterfaceGatewayMacAddress__contains | Free-text filter by Gateway MAC address (supports multiple values) | false | string []
  networkInterfaceInet__contains | Free-text filter by local IP (supports multiple values) | false | string []
  networkInterfacePhysical__contains | Free-text filter by MAC address (supports multiple values) | false | string []
  networkQuarantineEnabled | The Agent supports Network Quarantine Control and it is enabled for the Agent's group | false | boolean []
  networkStatuses | Included network statuses | false | string []
  networkStatusesNin | Included network statuses | false | string []
  operationalStates | Agent operational state | false | string []
  operationalStatesNin | Do not include these Agent operational states | false | string []
  osArch | OS architecture | false | enum
  osTypes | Included OS types | false | string []
  osTypesNin | Not included OS types | false | string []
  osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
  query | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string
  rangerStatus | [DEPRECATED] Use rangerStatuses. | false | enum
  rangerStatuses | Status of Ranger | false | string []
  rangerStatusesNin | Do not include these Ranger Statuses | false | string []
  rangerVersions | Ranger versions to include | false | string []
  rangerVersionsNin | Ranger versions not to include | false | string []
  registeredAt__between | Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  registeredAt__gt | Agents registered after this time | false | string
  registeredAt__gte | Agents registered after or at this time | false | string
  registeredAt__lt | Agents registered before this time | false | string
  registeredAt__lte | Agents registered before or at this time | false | string
  remoteOpsForensicsSupported | Include only agents that have the Remote Ops Forensics feature supported | false | boolean
  remoteProfilingStates | Agent remote profiling state | false | string []
  remoteProfilingStatesNin | Do not include these Agent remote profiling states | false | string []
  rsoLevel | Supported Remote Script Orchestration level | false | enum
  scanStatus | Scan status | false | enum
  scanStatuses | Included scan statuses | false | string []
  scanStatusesNin | Not included scan statuses | false | string []
  serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
  siteIds | List of Site IDs to filter by | false | string []
  tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
  threatContentHash | Include only Agents that have at least one threat with this content hash | false | string
  threatCreatedAt__between | Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  threatCreatedAt__gt | Agents with threats reported after this time | false | string
  threatCreatedAt__gte | Agents with threats reported after or at this time | false | string
  threatCreatedAt__lt | Agents with threats reported before this time | false | string
  threatCreatedAt__lte | Agents with threats reported before or at this time | false | string
  threatHidden | Include only Agents with at least one hidden threat | false | boolean
  threatMitigationStatus | Include only Agents that have threats with this mitigation status | false | enum
  threatRebootRequired | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean []
  threatResolved | Include only Agents with at least one resolved threat | false | boolean
  totalMemory__between | Total memory range (GB, inclusive) | false | string
  totalMemory__gt | Memory size (MB, more than) | false | integer
  totalMemory__gte | Memory size (MB, more than or equal) | false | integer
  totalMemory__lt | Memory size (MB, less than) | false | integer
  totalMemory__lte | Memory size (MB, less than or equal) | false | integer
  updatedAt__between | Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  updatedAt__gt | Agents updated after this timestamp | false | string
  updatedAt__gte | Agents updated after or at this timestamp | false | string
  updatedAt__lt | Agents updated before this timestamp | false | string
  updatedAt__lte | Agents updated before or at this timestamp | false | string
  userActionsNeeded | Included pending user actions | false | string []
  userActionsNeededNin | Excluded pending user actions | false | string []
  uuid | Agent's universally unique identifier | false | string
  uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
  uuids | A list of included UUIDs | false | string []
data | Data | false |

Shutdown
POST /web/api/v2.1/agents/actions/shutdown

You can shut down endpoints remotely for performance, maintenance, or security.
This command shuts down all endpoints that match the filter. Best Practice: If an endpoint is infected, we recommend the "disconnect" command and not the "shutdown" command. The disconnect command secures the environment from infection while you analyze the cause and best response.
If the endpoint is offline, the shutdown command is not available.
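
A client-side guard for the Restart and Shutdown endpoints, added here as an example (it is not SentinelOne's code): it enforces the Body Schema note that one of ids, groupIds or filterId must be supplied, applies the best-practice advice about infected endpoints, and compares the documented `affected` count with the number of Agents the operator meant to touch. The function names, the `max_ids` limit and the sample Agent IDs are assumptions made for illustration.

```python
import json

# Endpoint paths exactly as documented on this page.
ACTION_PATHS = {
    "restart": "/web/api/v2.1/agents/actions/restart-machine",
    "shutdown": "/web/api/v2.1/agents/actions/shutdown",
}
# Body Schema note: one of these filter arguments must be supplied.
SCOPING_KEYS = ("ids", "groupIds", "filterId")
LIST_KEYS = ("ids", "groupIds")  # documented as "string []"


class UnsafeActionError(ValueError):
    """The request would be rejected by the API or is broader than intended."""


def build_action_request(action, filter_args, max_ids=50):
    """Validate a filter and return (path, JSON body) for the given action.

    max_ids is a local safety limit chosen for this example, not an API limit.
    """
    if action not in ACTION_PATHS:
        raise UnsafeActionError(f"unsupported action: {action!r}")
    if not isinstance(filter_args, dict):
        raise UnsafeActionError("filter must be a mapping of filter arguments")

    # Drop unset values so that e.g. ids=[] cannot pass as a scoping argument.
    cleaned = {}
    for key, value in filter_args.items():
        if value is None or value == "" or value == [] or value == ():
            continue
        cleaned[key] = value

    if not any(key in cleaned for key in SCOPING_KEYS):
        raise UnsafeActionError("filter needs one of: " + ", ".join(SCOPING_KEYS))

    for key in LIST_KEYS:
        if key not in cleaned:
            continue
        values = cleaned[key]
        if not isinstance(values, (list, tuple)) or not all(
            isinstance(v, str) and v.strip() for v in values
        ):
            raise UnsafeActionError(f"{key} must be a list of non-empty strings")
        cleaned[key] = sorted(set(values))  # de-duplicate for a stable body

    if len(cleaned.get("ids", [])) > max_ids:
        raise UnsafeActionError(f"more than {max_ids} Agent IDs in one request")

    # Best practice from the Shutdown section: infected endpoints should be
    # disconnected from the network, not shut down.
    if action == "shutdown" and cleaned.get("infected") is True:
        raise UnsafeActionError(
            "filter selects infected Agents: use disconnect, not shutdown"
        )

    return ACTION_PATHS[action], json.dumps({"filter": cleaned}, sort_keys=True)


def check_response(status, payload, expected_agents):
    """Classify a response using the documented status codes and data.affected."""
    if status in (400, 401, 403):
        return "rejected", payload.get("errors")
    if status != 200:
        return "unexpected-status", status
    affected = (payload.get("data") or {}).get("affected")
    if affected != expected_agents:
        return "scope-mismatch", affected
    return "ok", affected


if __name__ == "__main__":
    # Constructed sample values; the Agent IDs are not real.
    path, body = build_action_request(
        "restart", {"ids": ["1002", "1001"], "groupIds": []}
    )
    print("POST", path, body)
    print(check_response(200, {"data": {"affected": 2}}, expected_agents=2))
```

A `scope-mismatch` result means the filter matched a different number of Agents than intended and should be reviewed before any further action is sent.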

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permissions to perform the requested action

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  Name | Description | Required | Value
  affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
filter | Applied filter - only matched Agents will be affected by the requested action. Note: One of these filter arguments must be supplied: ids, groupIds, filterId. | true | (fields below)
  Name | Description | Required | Value
  accountIds | List of Account IDs to filter by | false | string []
  activeThreats | Include Agents with this amount of active threats | false | integer
  activeThreats__gt | Include Agents with at least this amount of active threats | false | integer
  adComputerMember__contains | Free-text filter by Active Directory computer groups string (supports multiple values) | false | string []
  adComputerName__contains | Free-text filter by Active Directory computer name string (supports multiple values) | false | string []
  adComputerQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
  adQuery | An Active Directory query string | false | string
  adQuery__contains | Free-text filter by Active Directory string (supports multiple values) | false | string []
  adUserMember__contains | Free-text filter by Active Directory user groups string (supports multiple values) | false | string []
  adUserName__contains | Free-text filter by Active Directory username string (supports multiple values) | false | string []
  adUserQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
  agentNamespace__contains | Free-text filter by agent namespace (supports multiple values) | false | string []
  agentPodName__contains | Free-text filter by agent pod name (supports multiple values) | false | string []
  agentVersion__between | Version range for agent version (format: <from_version>-<to_version>, inclusive) | false | string
  agentVersion__gt | Agents versions greater than given version | false | string
  agentVersion__gte | Agents versions greater than or equal to given version | false | string
  agentVersion__lt | Agents versions less than given version | false | string
  agentVersion__lte | Agents versions less than or equal to given version | false | string
  agentVersions | Agent versions to include | false | string []
  agentVersionsNin | Agent versions not to include | false | string []
  appsVulnerabilityStatuses | Apps vulnerability status in | false | string []
  appsVulnerabilityStatusesNin | Apps vulnerability status nin | false | string []
  awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
  awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
  awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
  azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
  cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
  cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
  cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
  cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
  cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
  cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
  cloudProvider | Agents from which cloud provider | false | string []
  cloudProviderNin | Exclude Agents from these cloud provider | false | string []
  cloudTags__contains | Free-text filter by cloud tags (supports multiple values) | false | string []
  clusterName__contains | Free-text filter by cluster name (supports multiple values) | false | string []
  computerName | Computer name | false | string
  computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
  computerName__like | Match computer name partially (substring) | false | string
  consoleMigrationStatuses | Migration status in | false | string []
  consoleMigrationStatusesNin | Migration status nin | false | string []
  coreCount__between | Possible number of CPU cores (inclusive) | false | string
  coreCount__gt | CPU cores (more than) | false | integer
  coreCount__gte | CPU cores (more than or equal) | false | integer
  coreCount__lt | CPU cores (less than) | false | integer
  coreCount__lte | CPU cores (less than or equal) | false | integer
  cpuCount__between | Possible number of CPU cores (inclusive) | false | string
  cpuCount__gt | Number of CPUs (more than) | false | integer
  cpuCount__gte | Number of CPUs (more than or equal) | false | integer
  cpuCount__lt | Number of CPUs (less than) | false | integer
  cpuCount__lte | Number of CPUs (less than or equal) | false | integer
  cpuId__contains | Free-text filter by CPU name (supports multiple values) | false | string []
  createdAt__between | Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  createdAt__gt | Agents created after this timestamp | false | string
  createdAt__gte | Agents created after or at this timestamp | false | string
  createdAt__lt | Agents created before this timestamp | false | string
  createdAt__lte | Agents created before or at this timestamp | false | string
  csvFilterId | The ID of the CSV file to filter by | false | string
  decommissionedAt__between | Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  decommissionedAt__gt | Agents decommissioned after this timestamp | false | string
  decommissionedAt__gte | Agents decommissioned after or at this timestamp | false | string
  decommissionedAt__lt | Agents decommissioned before this timestamp | false | string
  decommissionedAt__lte | Agents decommissioned before this timestamp | false | string
  domains | Included network domains | false | string []
  domainsNin | Not included network domains | false | string []
  encryptedApplications | Disk encryption status | false | boolean
  externalId__contains | Free-text filter by external ID (Customer ID) | false | string []
  externalIp__contains | Free-text filter by visible IP (supports multiple values) | false | string []
  filteredGroupIds | List of Group IDs to filter by | false | string []
  filteredSiteIds | List of Site IDs to filter by | false | string []
  filterId | Include all Agents matching this saved filter | false | string
  firewallEnabled | The Agent supports Firewall Control and it is enabled for the Agent's group | false | boolean []
  gatewayIp | Gateway ip | false | string
  gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
  groupIds | List of network groups | false | string []
  hasContainerizedWorkload | Include only Agents protecting containerized workloads | false | boolean
  hasLocalConfiguration | Agent has a local configuration set | false | boolean
  hasTags | Include only Agents that have any tags assigned if True, or none if False | false | boolean
  ids | A list of Agent IDs | false | string []
  infected | Include only Agents with at least one active threat | false | boolean
  installerTypes | Include only Agents installed with these package types | false | string []
  installerTypesNin | Exclude Agents installed with these package types | false | string []
  isActive | Include only active Agents | false | boolean
  isDecommissioned | Include active, decommissioned or both | false | boolean []
  isPendingUninstall | Include only Agents with pending uninstall requests | false | boolean
  isUninstalled | Include installed, uninstalled or both | false | boolean []
  isUpToDate | Include only Agents with updated software | false | boolean
  k8sNodeLabels__contains | Free-text filter by K8s node labels (supports multiple values) | false | string []
  k8sNodeName__contains | Free-text filter by K8s node name (supports multiple values) | false | string []
  k8sType__contains | Free-text filter by K8s type (supports multiple values) | false | string []
  k8sVersion__contains | Free-text filter by K8s version (supports multiple values) | false | string []
  lastActiveDate__between | Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  lastActiveDate__gt | Agents last active after this time | false | string
  lastActiveDate__gte | Agents last active after or at this time | false | string
  lastActiveDate__lt | Agents last active before this time | false | string
  lastActiveDate__lte | Agents last active before or at this time | false | string
lastLoggedInUserName__contains | Free-text filter by username (supports multiple values) | false | string []
lastSuccessfulScanDate__between | Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
lastSuccessfulScanDate__gt | Agents last successful full disk scan after this time | false | string
lastSuccessfulScanDate__gte | Agents last successful full disk scan after or at this time | false | string
lastSuccessfulScanDate__lt | Agents last successful full disk scan before this time | false | string
lastSuccessfulScanDate__lte | Agents last successful full disk scan before or at this time | false | string
liveUpdateId__contains | Free-text filter by live update ID (supports multiple values) | false | string []
locationEnabled | The agents supports Location Awareness and it is enabled for the agent's group | false | boolean []
locationIds | Include only Agents reporting these locations | false | string []
locationIdsNin | Do not include only Agents reporting these locations | false | string []
machineTypes | Included machine types | false | string []
machineTypesNin | Not included machine types | false | string []
migrationStatus | Migration status | false | enum
missingPermissions | Included missing permissions | false | string []
missingPermissionsNin | Excluded missing permissions | false | string []
mitigationMode | Agent mitigation mode policy | false | enum
mitigationModeSuspicious | Mitigation mode policy for suspicious activity | false | enum
networkInterfaceGatewayMacAddress__contains | Free-text filter by Gateway MAC address (supports multiple values) | false | string []
networkInterfaceInet__contains | Free-text filter by local IP (supports multiple values) | false | string []
networkInterfacePhysical__contains | Free-text filter by MAC address (supports multiple values) | false | string []
networkQuarantineEnabled | The agents supports Network Quarantine Control and its enabled for the agent's group | false | boolean []
networkStatuses | Included network statuses | false | string []
networkStatusesNin | Included network statuses | false | string []
operationalStates | Agent operational state | false | string []
operationalStatesNin | Do not include these Agent operational states | false | string []
osArch | OS architecture | false | enum
osTypes | Included OS types | false | string []
osTypesNin | Not included OS types | false | string []
osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
query | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string
rangerStatus | [DEPRECATED] Use rangerStatuses. | false | enum
rangerStatuses | Status of Ranger | false | string []
rangerStatusesNin | Do not include these Ranger Statuses | false | string []
rangerVersions | Ranger versions to include | false | string []
rangerVersionsNin | Ranger versions not to include | false | string []
registeredAt__between | Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
registeredAt__gt | Agents registered after this time | false | string
registeredAt__gte | Agents registered after or at this time | false | string
registeredAt__lt | Agents registered before this time | false | string
registeredAt__lte | Agents registered before or at this time | false | string
remoteOpsForensicsSupported | Include only agents that has Remote Ops Forensics feature supported | false | boolean
remoteProfilingStates | Agent remote profiling state | false | string []
remoteProfilingStatesNin | Do not include these Agent remote profiling states | false | string []
rsoLevel | Supported Remote Script Orchestration level | false | enum
scanStatus | Scan status | false | enum
scanStatuses | Included scan statuses | false | string []
scanStatusesNin | Not included scan statuses | false | string []
serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
siteIds | List of Site IDs to filter by | false | string []
tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
threatContentHash | Include only Agents that have at least one threat with this content hash | false | string
threatCreatedAt__between | Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
threatCreatedAt__gt | Agents with threats reported after this time | false | string
threatCreatedAt__gte | Agents with threats reported after or at this time | false | string
threatCreatedAt__lt | Agents with threats reported before this time | false | string
threatCreatedAt__lte | Agents with threats reported before or at this time | false | string
threatHidden | Include only Agents with at least one hidden threat | false | boolean
threatMitigationStatus | Include only Agents that have threats with this mitigation status | false | enum
threatRebootRequired | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean []
threatResolved | Include only Agents with at least one resolved threat | false | boolean
totalMemory__between | Total memory range (GB, inclusive) | false | string
totalMemory__gt | Memory size (MB, more than) | false | integer
totalMemory__gte | Memory size (MB, more than or equal) | false | integer
totalMemory__lt | Memory size (MB, less than) | false | integer
totalMemory__lte | Memory size (MB, less than or equal) | false | integer
updatedAt__between | Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
updatedAt__gt | Agents updated after this timestamp | false | string
updatedAt__gte | Agents updated after or at this timestamp | false | string
updatedAt__lt | Agents updated before this timestamp | false | string
updatedAt__lte | Agents updated before or at this timestamp | false | string
userActionsNeeded | Included pending user actions | false | string []
userActionsNeededNin | Excluded pending user actions | false | string []
uuid | Agent's universally unique identifier | false | string
uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
uuids | A list of included UUIDs | false | string []

data | Data | false |

Approve Uninstall
POST /web/api/v2.1/agents/actions/approve-uninstall

If a user tries to uninstall the SentinelOne Agent from an endpoint, an uninstall request is sent to the Management. You must approve the request.
After you approve a request, users see a message that the request was approved. They can restart to complete the Agent uninstall.
We recommend that you do not approve these requests until you understand the reason for the request, you agree with the request, and you have alternative security for the endpoint until you install the Agent again.
This command will approve pending uninstall requests for all Agents that match the filter.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permissions to perform the requested action

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields, listed below)
Name | Description | Required | Value
affected | Number of entities affected by the requested operation | false | integer

errors | Errors | false | array

Body Schema
Name | Description | Required | Value
filter | Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents. | true | (nested fields, listed below)
Name | Description | Required | Value
accountIds | List of Account IDs to filter by | false | string []
activeThreats | Include Agents with this amount of active threats | false | integer
activeThreats__gt | Include Agents with at least this amount of active threats | false | integer
adComputerMember__contains | Free-text filter by Active Directory computer groups string (supports multiple values) | false | string []
adComputerName__contains | Free-text filter by Active Directory computer name string (supports multiple values) | false | string []
adComputerQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
adQuery | An Active Directory query string | false | string
adQuery__contains | Free-text filter by Active Directory string (supports multiple values) | false | string []
adUserMember__contains | Free-text filter by Active Directory user groups string (supports multiple values) | false | string []
adUserName__contains | Free-text filter by Active Directory username string (supports multiple values) | false | string []
adUserQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
agentNamespace__contains | Free-text filter by agent namespace (supports multiple values) | false | string []
agentPodName__contains | Free-text filter by agent pod name (supports multiple values) | false | string []
agentVersion__between | Version range for agent version (format: <from_version>-<to_version>, inclusive) | false | string
agentVersion__gt | Agents versions greater than given version | false | string
agentVersion__gte | Agents versions greater than or equal to given version | false | string
agentVersion__lt | Agents versions less than given version | false | string
agentVersion__lte | Agents versions less than or equal to given version | false | string
agentVersions | Agent versions to include | false | string []
agentVersionsNin | Agent versions not to include | false | string []
appsVulnerabilityStatuses | Apps vulnerability status in | false | string []
appsVulnerabilityStatusesNin | Apps vulnerability status nin | false | string []
awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
cloudProvider | Agents from which cloud provider | false | string []
cloudProviderNin | Exclude Agents from these cloud provider | false | string []
cloudTags__contains | Free-text filter by cloud tags (supports multiple values) | false | string []
clusterName__contains | Free-text filter by cluster name (supports multiple values) | false | string []
computerName | Computer name | false | string
computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
computerName__like | Match computer name partially (substring) | false | string
consoleMigrationStatuses | Migration status in | false | string []
consoleMigrationStatusesNin | Migration status nin | false | string []
coreCount__between | Possible number of CPU cores (inclusive) | false | string
coreCount__gt | CPU cores (more than) | false | integer
coreCount__gte | CPU cores (more than or equal) | false | integer
coreCount__lt | CPU cores (less than) | false | integer
coreCount__lte | CPU cores (less than or equal) | false | integer
cpuCount__between | Possible number of CPU cores (inclusive) | false | string
cpuCount__gt | Number of CPUs (more than) | false | integer
cpuCount__gte | Number of CPUs (more than or equal) | false | integer
cpuCount__lt | Number of CPUs (less than) | false | integer
cpuCount__lte | Number of CPUs (less than or equal) | false | integer
cpuId__contains | Free-text filter by CPU name (supports multiple values) | false | string []
createdAt__between | Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
createdAt__gt | Agents created after this timestamp | false | string
createdAt__gte | Agents created after or at this timestamp | false | string
createdAt__lt | Agents created before this timestamp | false | string
createdAt__lte | Agents created before or at this timestamp | false | string
csvFilterId | The ID of the CSV file to filter by | false | string
decommissionedAt__between | Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
decommissionedAt__gt | Agents decommissioned after this timestamp | false | string
decommissionedAt__gte | Agents decommissioned after or at this timestamp | false | string
decommissionedAt__lt | Agents decommissioned before this timestamp | false | string
decommissionedAt__lte | Agents decommissioned before this timestamp | false | string
domains | Included network domains | false | string []
domainsNin | Not included network domains | false | string []
encryptedApplications | Disk encryption status | false | boolean
externalId__contains | Free-text filter by external ID (Customer ID) | false | string []
externalIp__contains | Free-text filter by visible IP (supports multiple values) | false | string []
filteredGroupIds | List of Group IDs to filter by | false | string []
filteredSiteIds | List of Site IDs to filter by | false | string []
filterId | Include all Agents matching this saved filter | false | string
firewallEnabled | The agents supports Firewall Control and it is enabled for the agent's group | false | boolean []
gatewayIp | Gateway ip | false | string
gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
groupIds | List of Group IDs to filter by | false | string []
hasContainerizedWorkload | Include only Agents protecting containerized workloads | false | boolean
hasLocalConfiguration | Agent has a local configuration set | false | boolean
hasTags | Include only Agents that have any tags assigned if True, or none if False | false | boolean
ids | A list of Agent IDs | false | string []
infected | Include only Agents with at least one active threat | false | boolean
installerTypes | Include only Agents installed with these package types | false | string []
installerTypesNin | Exclude Agents installed with these package types | false | string []
isActive | Include only active Agents | false | boolean
isDecommissioned | Include active, decommissioned or both | false | boolean []
isPendingUninstall | Include only Agents with pending uninstall requests | false | boolean
isUninstalled | Include installed, uninstalled or both | false | boolean []
isUpToDate | Include only Agents with updated software | false | boolean
k8sNodeLabels__contains | Free-text filter by K8s node labels (supports multiple values) | false | string []
k8sNodeName__contains | Free-text filter by K8s node name (supports multiple values) | false | string []
k8sType__contains | Free-text filter by K8s type (supports multiple values) | false | string []
k8sVersion__contains | Free-text filter by K8s version (supports multiple values) | false | string []
lastActiveDate__between | Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
lastActiveDate__gt | Agents last active after this time | false | string
lastActiveDate__gte | Agents last active after or at this time | false | string
lastActiveDate__lt | Agents last active before this time | false | string
lastActiveDate__lte | Agents last active before or at this time | false | string
lastLoggedInUserName__contains | Free-text filter by username (supports multiple values) | false | string []
lastSuccessfulScanDate__between | Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
lastSuccessfulScanDate__gt | Agents last successful full disk scan after this time | false | string
lastSuccessfulScanDate__gte | Agents last successful full disk scan after or at this time | false | string
lastSuccessfulScanDate__lt | Agents last successful full disk scan before this time | false | string
lastSuccessfulScanDate__lte | Agents last successful full disk scan before or at this time | false | string
liveUpdateId__contains | Free-text filter by live update ID (supports multiple values) | false | string []
locationEnabled | The agents supports Location Awareness and it is enabled for the agent's group | false | boolean []
locationIds | Include only Agents reporting these locations | false | string []
locationIdsNin | Do not include only Agents reporting these locations | false | string []
machineTypes | Included machine types | false | string []
machineTypesNin | Not included machine types | false | string []
migrationStatus | Migration status | false | enum
missingPermissions | Included missing permissions | false | string []
missingPermissionsNin | Excluded missing permissions | false | string []
mitigationMode | Agent mitigation mode policy | false | enum
mitigationModeSuspicious | Mitigation mode policy for suspicious activity | false | enum
networkInterfaceGatewayMacAddress__contains | Free-text filter by Gateway MAC address (supports multiple values) | false | string []
networkInterfaceInet__contains | Free-text filter by local IP (supports multiple values) | false | string []
networkInterfacePhysical__contains | Free-text filter by MAC address (supports multiple values) | false | string []
networkQuarantineEnabled | The agents supports Network Quarantine Control and its enabled for the agent's group | false | boolean []
networkStatuses | Included network statuses | false | string []
networkStatusesNin | Included network statuses | false | string []
operationalStates | Agent operational state | false | string []
operationalStatesNin | Do not include these Agent operational states | false | string []
osArch | OS architecture | false | enum
osTypes | Included OS types | false | string []
osTypesNin | Not included OS types | false | string []
osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
query | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string
rangerStatus | [DEPRECATED] Use rangerStatuses. | false | enum
rangerStatuses | Status of Ranger | false | string []
rangerStatusesNin | Do not include these Ranger Statuses | false | string []
rangerVersions | Ranger versions to include | false | string []
rangerVersionsNin | Ranger versions not to include | false | string []
registeredAt__between | Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
registeredAt__gt | Agents registered after this time | false | string
registeredAt__gte | Agents registered after or at this time | false | string
registeredAt__lt | Agents registered before this time | false | string
registeredAt__lte | Agents registered before or at this time | false | string
remoteOpsForensicsSupported | Include only agents that has Remote Ops Forensics feature supported | false | boolean
remoteProfilingStates | Agent remote profiling state | false | string []
remoteProfilingStatesNin | Do not include these Agent remote profiling states | false | string []
rsoLevel | Supported Remote Script Orchestration level | false | enum
scanStatus | Scan status | false | enum
scanStatuses | Included scan statuses | false | string []
scanStatusesNin | Not included scan statuses | false | string []
serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
siteIds | List of Site IDs to filter by | false | string []
tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
threatContentHash | Include only Agents that have at least one threat with this content hash | false | string
threatCreatedAt__between | Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
threatCreatedAt__gt | Agents with threats reported after this time | false | string
threatCreatedAt__gte | Agents with threats reported after or at this time | false | string
threatCreatedAt__lt | Agents with threats reported before this time | false | string
threatCreatedAt__lte | Agents with threats reported before or at this time | false | string
threatHidden | Include only Agents with at least one hidden threat | false | boolean
threatMitigationStatus | Include only Agents that have threats with this mitigation status | false | enum
threatRebootRequired | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean []
threatResolved | Include only Agents with at least one resolved threat | false | boolean
totalMemory__between | Total memory range (GB, inclusive) | false | string
totalMemory__gt | Memory size (MB, more than) | false | integer
totalMemory__gte | Memory size (MB, more than or equal) | false | integer
totalMemory__lt | Memory size (MB, less than) | false | integer
totalMemory__lte | Memory size (MB, less than or equal) | false | integer
updatedAt__between | Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
updatedAt__gt | Agents updated after this timestamp | false | string
updatedAt__gte | Agents updated after or at this timestamp | false | string
updatedAt__lt | Agents updated before this timestamp | false | string
updatedAt__lte | Agents updated before or at this timestamp | false | string
userActionsNeeded | Included pending user actions | false | string []
userActionsNeededNin | Excluded pending user actions | false | string []
uuid | Agent's universally unique identifier | false | string
uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
uuids | A list of included UUIDs | false | string []

data | Data | false |

Reject uninstall
POST /web/api/v2.1/agents/actions/reject-uninstall

Reject uninstall requests for all Agents that match the filter. To learn more about Uninstall Requests, see "Approve Uninstall".
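
Because both approve-uninstall and reject-uninstall act on every Agent the filter matches, and an empty filter matches all applicable Agents, a client-side guard is worth having before either request is sent. The following is an added example, not code from SentinelOne: the allowed field subset, the scoping rules, the per-request cap, the `console.example.invalid` host and the `ApiToken` header scheme are assumptions of this sketch, and the sample response is constructed.

```python
import json
from urllib.request import Request

# Endpoint paths as given in this reference.
ACTION_PATHS = {
    "approve": "/web/api/v2.1/agents/actions/approve-uninstall",
    "reject": "/web/api/v2.1/agents/actions/reject-uninstall",
}

# A subset of the documented filter fields with their documented value types:
# list -> "string []", bool -> "boolean", int -> "integer".
FILTER_TYPES = {
    "ids": list, "uuids": list, "groupIds": list, "siteIds": list,
    "accountIds": list, "computerName__contains": list,
    "isPendingUninstall": bool, "isActive": bool, "infected": bool,
    "activeThreats__gt": int,
}

# Local policy (an assumption of this example, the API does not enforce it):
# approvals must name individual Agents, rejections may be scoped more widely.
APPROVE_SCOPE = {"ids", "uuids"}
REJECT_SCOPE = {"ids", "uuids", "groupIds", "siteIds"}
MAX_APPROVALS = 5


def rejection_reason(action, flt):
    """Return None if the filter is acceptable, else a string saying why not."""
    if action not in ACTION_PATHS:
        return f"unknown action {action!r}"
    if not isinstance(flt, dict) or not flt:
        return "empty filter applies the action to all applicable Agents"
    for key, value in flt.items():
        kind = FILTER_TYPES.get(key)
        if kind is None:
            return f"field {key!r} is not in the allowed subset"
        if kind is list:
            if not (isinstance(value, list) and value
                    and all(isinstance(v, str) and v.strip() for v in value)):
                return f"{key} must be a non-empty list of non-empty strings"
        elif kind is bool:
            if not isinstance(value, bool):
                return f"{key} must be a boolean"
        elif isinstance(value, bool) or not isinstance(value, int):
            return f"{key} must be an integer"
    scope = APPROVE_SCOPE if action == "approve" else REJECT_SCOPE
    named = scope & flt.keys()
    if not named:
        return f"{action} needs one of: {', '.join(sorted(scope))}"
    if action == "approve" and max(len(flt[k]) for k in named) > MAX_APPROVALS:
        return f"approve is capped at {MAX_APPROVALS} Agents per request"
    return None


def build_request(base_url, api_token, action, flt):
    """Build (but do not send) the POST request for a vetted filter."""
    reason = rejection_reason(action, flt)
    if reason:
        raise ValueError(reason)
    return Request(
        base_url.rstrip("/") + ACTION_PATHS[action],
        data=json.dumps({"filter": flt}).encode("utf-8"),
        method="POST",
        headers={
            "Content-Type": "application/json",
            # Header scheme is an assumption; confirm it for your console.
            "Authorization": f"ApiToken {api_token}",
        },
    )


def confirm_affected(raw_response, expected):
    """Read data.affected from the documented response and compare to the plan."""
    doc = json.loads(raw_response)
    if doc.get("errors"):
        raise RuntimeError(f"API returned errors: {doc['errors']}")
    affected = doc["data"]["affected"]
    if affected > expected:
        raise RuntimeError(f"{affected} Agents affected, only {expected} planned")
    return affected


if __name__ == "__main__":
    plan = {"ids": ["1001", "1002"], "isPendingUninstall": True}  # constructed IDs
    req = build_request("https://console.example.invalid", "TOKEN-PLACEHOLDER",
                        "approve", plan)
    print(req.get_method(), req.full_url, req.data.decode())
    # Constructed sample of the documented response shape.
    print(confirm_affected('{"data": {"affected": 2}}', expected=len(plan["ids"])))
    print(rejection_reason("approve", {}))
```
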

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permissions to perform the requested action

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields, listed below)
Name | Description | Required | Value
affected | Number of entities affected by the requested operation | false | integer

errors | Errors | false | array

Body Schema
Name | Description | Required | Value
filter | Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents. | true | (nested fields, listed below)
Name | Description | Required | Value
accountIds | List of Account IDs to filter by | false | string []
activeThreats | Include Agents with this amount of active threats | false | integer
activeThreats__gt | Include Agents with at least this amount of active threats | false | integer
adComputerMember__contains | Free-text filter by Active Directory computer groups string (supports multiple values) | false | string []
adComputerName__contains | Free-text filter by Active Directory computer name string (supports multiple values) | false | string []
adComputerQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
adQuery | An Active Directory query string | false | string
adQuery__contains | Free-text filter by Active Directory string (supports multiple values) | false | string []
adUserMember__contains | Free-text filter by Active Directory user groups string (supports multiple values) | false | string []
adUserName__contains | Free-text filter by Active Directory username string (supports multiple values) | false | string []
adUserQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
agentNamespace__contains | Free-text filter by agent namespace (supports multiple values) | false | string []
agentPodName__contains | Free-text filter by agent pod name (supports multiple values) | false | string []
agentVersion__between | Version range for agent version (format: <from_version>-<to_version>, inclusive) | false | string
agentVersion__gt | Agents versions greater than given version | false | string
agentVersion__gte | Agents versions greater than or equal to given version | false | string
agentVersion__lt | Agents versions less than given version | false | string
agentVersion__lte | Agents versions less than or equal to given version | false | string
agentVersions | Agent versions to include | false | string []
agentVersionsNin | Agent versions not to include | false | string []
appsVulnerabilityStatuses | Apps vulnerability status in | false | string []
appsVulnerabilityStatusesNin | Apps vulnerability status nin | false | string []
awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
cloudProvider | Agents from which cloud provider | false | string []
cloudProviderNin | Exclude Agents from these cloud provider | false | string []
cloudTags__contains | Free-text filter by cloud tags (supports multiple values) | false | string []
clusterName__contains | Free-text filter by cluster name (supports multiple values) | false | string []
computerName | Computer name | false | string
computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
computerName__like | Match computer name partially (substring) | false | string
consoleMigrationStatuses | Migration status in | false | string []
consoleMigrationStatusesNin | Migration status nin | false | string []
coreCount__between | Possible number of CPU cores (inclusive) | false | string
coreCount__gt | CPU cores (more than) | false | integer
coreCount__gte | CPU cores (more than or equal) | false | integer
coreCount__lt | CPU cores (less than) | false | integer
coreCount__lte | CPU cores (less than or equal) | false | integer
cpuCount__between | Possible number of CPU cores (inclusive) | false | string
cpuCount__gt | Number of CPUs (more than) | false | integer
cpuCount__gte | Number of CPUs (more than or equal) | false | integer
cpuCount__lt | Number of CPUs (less than) | false | integer
cpuCount__lte | Number of CPUs (less than or equal) | false | integer
cpuId__contains | Free-text filter by CPU name (supports multiple values) | false | string []
createdAt__between | Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
createdAt__gt | Agents created after this timestamp | false | string
createdAt__gte | Agents created after or at this timestamp | false | string
createdAt__lt | Agents created before this timestamp | false | string
createdAt__lte | Agents created before or at this timestamp | false | string
csvFilterId | The ID of the CSV file to filter by | false | string
decommissionedAt__between | Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
decommissionedAt__gt | Agents decommissioned after this timestamp | false | string
decommissionedAt__gte | Agents decommissioned after or at this timestamp | false | string
decommissionedAt__lt | Agents decommissioned before this timestamp | false | string
decommissionedAt__lte | Agents decommissioned before this timestamp | false | string
domains | Included network domains | false | string []
domainsNin | Not included network domains | false | string []
encryptedApplications | Disk encryption status | false | boolean
externalId__contains | Free-text filter by external ID (Customer ID) | false | string []
externalIp__contains | Free-text filter by visible IP (supports multiple values) | false | string []
filteredGroupIds | List of Group IDs to filter by | false | string []
filteredSiteIds | List of Site IDs to filter by | false | string []
filterId | Include all Agents matching this saved filter | false | string
firewallEnabled | The agents supports Firewall Control and it is enabled for the agent's group | false | boolean []
gatewayIp | Gateway ip | false | string
gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
groupIds | List of Group IDs to filter by | false | string []
hasContainerizedWorkload | Include only Agents protecting containerized workloads | false | boolean
hasLocalConfiguration | Agent has a local configuration set | false | boolean
hasTags | Include only Agents that have any tags assigned if True, or none if False | false | boolean
ids | A list of Agent IDs | false | string []
infected | Include only Agents with at least one active threat | false | boolean
installerTypes | Include only Agents installed with these package types | false | string []
installerTypesNin | Exclude Agents installed with these package types | false | string []
isActive | Include only active Agents | false | boolean
isDecommissioned | Include active, decommissioned or both | false | boolean []
isPendingUninstall | Include only Agents with pending uninstall requests | false | boolean
isUninstalled | Include installed, uninstalled or both | false | boolean []
isUpToDate | Include only Agents with updated software | false | boolean
k8sNodeLabels__contains | Free-text filter by K8s node labels (supports multiple values) | false | string []
k8sNodeName__contains | Free-text filter by K8s node name (supports multiple values) | false | string []
k8sType__contains | Free-text filter by K8s type (supports multiple values) | false | string []
k8sVersion__contains | Free-text filter by K8s version (supports multiple values) | false | string []
lastActiveDate__between | Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
lastActiveDate__gt | Agents last active after this time | false | string
lastActiveDate__gte | Agents last active after or at this time | false | string
lastActiveDate__lt | Agents last active before this time | false | string
lastActiveDate__lte | Agents last active before or at this time | false | string
lastLoggedInUserName__contains | Free-text filter by username (supports multiple values) | false | string []
lastSuccessfulScanDate__between | Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
lastSuccessfulScanDate__gt | Agents last successful full disk scan after this time | false | string
lastSuccessfulScanDate__gte | Agents last successful full disk scan after or at this time | false | string
lastSuccessfulScanDate__lt | Agents last successful full disk scan before this time | false | string
lastSuccessfulScanDate__lte | Agents last successful full disk scan before or at this time | false | string
liveUpdateId__contains | Free-text filter by live update ID (supports multiple values) | false | string []
locationEnabled | The agents supports Location Awareness and it is enabled for the agent's group | false | boolean []
locationIds Include only false string []
Agents
reporting
these
locations
locationIdsNi Do not false string []
n include only
Agents
reporting
these
locations
machineTypes Included false string []
machine
types
machineType Not included false string []
sNin machine
types
migrationStat Migration false enum
us status
missingPermis Included false string []
sions missing
permissions
missingPermi Excluded false string []
ssionsNin missing
permissions
mitigationMo Agent false enum
de mitigation
mode policy
mitigationMo Mitigation false enum
deSuspicious mode policy
for suspicious
activity
networkInter Free-text false string []
faceGatewayM filter by
acAddress__c Gateway

339
ontains MAC address
(supports
multiple
values)
networkInterf Free-text false string []
aceInet__cont filter by local
ains IP (supports
multiple
values)
networkInterf Free-text false string []
acePhysical__ filter by MAC
contains address
(supports
multiple
values)
networkQuara The agents false boolean []
ntineEnabled supports
Network
Quarantine
Control and
its enabled
for the
agent's group
networkStatu Included false string []
ses network
statuses
networkStatu Included false string []
sesNin network
statuses
operationalSt Agent false string []
ates operational
state
operationalSt Do not false string []
atesNin include these
Agent
operational
states
osArch OS false enum
architecture
osTypes Included OS false string []
types

340
osTypesNin | Not included OS types | false | string []
osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
query | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string
rangerStatus | [DEPRECATED] Use rangerStatuses. | false | enum
rangerStatuses | Status of Ranger | false | string []
rangerStatusesNin | Do not include these Ranger Statuses | false | string []
rangerVersions | Ranger versions to include | false | string []
rangerVersionsNin | Ranger versions not to include | false | string []
registeredAt__between | Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
registeredAt__gt | Agents registered after this time | false | string
registeredAt__gte | Agents registered after or at this time | false | string
registeredAt__lt | Agents registered before this time | false | string
registeredAt__lte | Agents registered before or at this time | false | string
remoteOpsForensicsSupported | Include only agents that have the Remote Ops Forensics feature supported | false | boolean
remoteProfilingStates | Agent remote profiling state | false | string []
remoteProfilingStatesNin | Do not include these Agent remote profiling states | false | string []
rsoLevel | Supported Remote Script Orchestration level | false | enum
scanStatus | Scan status | false | enum
scanStatuses | Included scan statuses | false | string []
scanStatusesNin | Not included scan statuses | false | string []
serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
siteIds | List of Site IDs to filter by | false | string []
tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
threatContentHash | Include only Agents that have at least one threat with this content hash | false | string
threatCreatedAt__between | Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
threatCreatedAt__gt | Agents with threats reported after this time | false | string
threatCreatedAt__gte | Agents with threats reported after or at this time | false | string
threatCreatedAt__lt | Agents with threats reported before this time | false | string
threatCreatedAt__lte | Agents with threats reported before or at this time | false | string
threatHidden | Include only Agents with at least one hidden threat | false | boolean
threatMitigationStatus | Include only Agents that have threats with this mitigation status | false | enum
threatRebootRequired | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean []
threatResolved | Include only Agents with at least one resolved threat | false | boolean
totalMemory__between | Total memory range (GB, inclusive) | false | string
totalMemory__gt | Memory size (MB, more than) | false | integer
totalMemory__gte | Memory size (MB, more than or equal) | false | integer
totalMemory__lt | Memory size (MB, less than) | false | integer
totalMemory__lte | Memory size (MB, less than or equal) | false | integer
updatedAt__between | Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
updatedAt__gt | Agents updated after this timestamp | false | string
updatedAt__gte | Agents updated after or at this timestamp | false | string
updatedAt__lt | Agents updated before this timestamp | false | string
updatedAt__lte | Agents updated before or at this timestamp | false | string
userActionsNeeded | Included pending user actions | false | string []
userActionsNeededNin | Excluded pending user actions | false | string []
uuid | Agent's universally unique identifier | false | string
uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
uuids | A list of included UUIDs | false | string []

data Data false

Update Software
POST /web/api/v2.1/agents/actions/update-software

Use this command to update the Agent version on endpoints that have the Agent installed and that match the filter. For a cloud-based Management, SentinelOne updates your Management Console with the latest Agent versions. For On-Prem environments, or if you need a package that is not in your Management Console, request files from SentinelOne Support.
IMPORTANT: These parameters are required:
packageType - example: "packageType": "AgentAndRanger"
osType - example: "osType": "windows"
fileName - example: "fileName": "SentinelInstaller-x86_windows_32bit_v4_6_12_241.exe"
Best Practice: Upgrade your SentinelOne Agents by group or OS. Note about macOS endpoints: It is important that you upgrade the Agent before the endpoint operating system is upgraded to a version that the Agent does not support. More best practices: read the Release Notes, review the system requirements, and if you decide to not upgrade Agents yet, review the Agent Lifecycle. Make sure your deployment is in the supportable bounds.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permissions to perform the requested action

409 - The Agent is automatically upgraded according to its Upgrade Policy. Manually upgrading the Agent may cause conflicts
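
The following is an added example, not part of the SentinelOne documentation: a client-side guard that builds the `data` and `filter` body for this endpoint, enforces the three parameters the IMPORTANT note requires, refuses an empty filter (which the Body Schema says applies the action to all applicable Agents), and maps the documented response codes. The function names, the `allow_all_agents` switch, the `max_expected` ceiling and the sample values are assumptions made for illustration.

```python
import json

# Endpoint and field names are taken from this page; function names, the
# allow_all_agents switch and the max_expected ceiling are illustrative.
UPDATE_SOFTWARE_PATH = "/web/api/v2.1/agents/actions/update-software"

# The IMPORTANT note marks these three as required, although the Body Schema
# table lists every field of "data" as Required: false.
REQUIRED_DATA_FIELDS = ("packageType", "osType", "fileName")

# Fields of "data" from the Body Schema (enum values are sent as strings).
DATA_FIELD_TYPES = {
    "allowDowngrade": bool,
    "fileName": str,
    "ignoreConflicts": bool,
    "isScheduled": bool,
    "osType": str,
    "packageId": str,
    "packageType": str,
    "path": str,
}

# Non-200 Response Messages listed for this endpoint.
STATUS_MEANING = {
    400: "invalid user input; see error details",
    401: "unauthorized; sign in and retry",
    403: "insufficient permissions for this action",
    409: "conflict with the Agent's Upgrade Policy; review before using ignoreConflicts",
}


class RequestRejected(ValueError):
    """Raised before anything is sent when the body is invalid or too broad."""


def build_update_software_body(data, agent_filter, allow_all_agents=False):
    """Return the JSON body {"data": ..., "filter": ...} or raise RequestRejected."""
    unknown = sorted(set(data) - set(DATA_FIELD_TYPES))
    if unknown:
        raise RequestRejected(f"fields not in the Body Schema: {unknown}")
    for name, value in data.items():
        expected = DATA_FIELD_TYPES[name]
        if not isinstance(value, expected):
            raise RequestRejected(f"{name} must be {expected.__name__}")
    missing = [name for name in REQUIRED_DATA_FIELDS if not data.get(name)]
    if missing:
        raise RequestRejected(f"required parameters missing: {missing}")
    # An empty filter targets every applicable Agent, so it must be asked for explicitly.
    if not agent_filter and not allow_all_agents:
        raise RequestRejected("empty filter would affect all applicable Agents")
    return {"data": dict(data), "filter": dict(agent_filter)}


def interpret_response(status, body_text, max_expected):
    """Summarise a response; flag a 200 whose data.affected exceeds max_expected."""
    if status != 200:
        reason = STATUS_MEANING.get(status, f"unexpected status {status}")
        return {"ok": False, "affected": 0, "reason": reason}
    payload = json.loads(body_text)
    affected = (payload.get("data") or {}).get("affected", 0)
    if payload.get("errors"):
        return {"ok": False, "affected": affected, "reason": "errors returned"}
    if affected > max_expected:
        reason = f"{affected} Agents affected, expected at most {max_expected}"
        return {"ok": False, "affected": affected, "reason": reason}
    return {"ok": True, "affected": affected, "reason": "ok"}


if __name__ == "__main__":
    # Constructed sample: the data values are the examples from this page,
    # the group ID is a placeholder.
    body = build_update_software_body(
        {
            "packageType": "AgentAndRanger",
            "osType": "windows",
            "fileName": "SentinelInstaller-x86_windows_32bit_v4_6_12_241.exe",
        },
        {"groupIds": ["GROUP_ID_PLACEHOLDER"]},
    )
    print("POST", UPDATE_SOFTWARE_PATH)
    print(json.dumps(body, indent=2))
    # Constructed response body in the shape of the Response Schema.
    print(interpret_response(200, '{"data": {"affected": 3}}', max_expected=5))
```
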

Response Schema
Name | Description | Required | Value
data | Response data | false | nested fields below
  affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | nested fields below
  allowDowngrade | Allows or disallows downgrading the Agent version | false | boolean
  fileName | Upgrade with a given uploaded package, locate package by its filename | false | string
  ignoreConflicts | Ignore conflicts that may arise when you upgrade an Agent that has an active Upgrade Policy | false | boolean
  isScheduled | Upgrade according to the defined schedule in agent upgrade configuration | false | boolean
  osType | Filter by specific OS type, can be used in conjunction with "fileName" or "path" | false | enum
  packageId | Upgrade with a given uploaded package, locate package by its ID | false | string
  packageType | Package type | false | enum
  path | Upgrade from local path at the endpoint | false | string

filter | Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents. | true | nested fields below
  accountIds | List of Account IDs to filter by | false | string []
  activeThreats | Include Agents with this amount of active threats | false | integer
  activeThreats__gt | Include Agents with at least this amount of active threats | false | integer
  adComputerMember__contains | Free-text filter by Active Directory computer groups string (supports multiple values) | false | string []
  adComputerName__contains | Free-text filter by Active Directory computer name string (supports multiple values) | false | string []
  adComputerQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
  adQuery | An Active Directory query string | false | string
  adQuery__contains | Free-text filter by Active Directory string (supports multiple values) | false | string []
  adUserMember__contains | Free-text filter by Active Directory user groups string (supports multiple values) | false | string []
  adUserName__contains | Free-text filter by Active Directory username string (supports multiple values) | false | string []
  adUserQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
  agentNamespace__contains | Free-text filter by agent namespace (supports multiple values) | false | string []
  agentPodName__contains | Free-text filter by agent pod name (supports multiple values) | false | string []
  agentVersion__between | Version range for agent version (format: <from_version>-<to_version>, inclusive) | false | string
  agentVersion__gt | Agent versions greater than given version | false | string
  agentVersion__gte | Agent versions greater than or equal to given version | false | string
  agentVersion__lt | Agent versions less than given version | false | string
  agentVersion__lte | Agent versions less than or equal to given version | false | string
  agentVersions | Agent versions to include | false | string []
  agentVersionsNin | Agent versions not to include | false | string []
  appsVulnerabilityStatuses | Apps vulnerability status in | false | string []
  appsVulnerabilityStatusesNin | Apps vulnerability status nin | false | string []
  awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
  awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
  awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
  azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
  cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
  cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
  cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
  cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
  cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
  cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
  cloudProvider | Agents from which cloud provider | false | string []
  cloudProviderNin | Exclude Agents from these cloud providers | false | string []
  cloudTags__contains | Free-text filter by cloud tags (supports multiple values) | false | string []
  clusterName__contains | Free-text filter by cluster name (supports multiple values) | false | string []
  computerName | Computer name | false | string
  computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
  computerName__like | Match computer name partially (substring) | false | string
  consoleMigrationStatuses | Migration status in | false | string []
  consoleMigrationStatusesNin | Migration status nin | false | string []
  coreCount__between | Possible number of CPU cores (inclusive) | false | string
  coreCount__gt | CPU cores (more than) | false | integer
  coreCount__gte | CPU cores (more than or equal) | false | integer
  coreCount__lt | CPU cores (less than) | false | integer
  coreCount__lte | CPU cores (less than or equal) | false | integer
  cpuCount__between | Possible number of CPU cores (inclusive) | false | string
  cpuCount__gt | Number of CPUs (more than) | false | integer
  cpuCount__gte | Number of CPUs (more than or equal) | false | integer
  cpuCount__lt | Number of CPUs (less than) | false | integer
  cpuCount__lte | Number of CPUs (less than or equal) | false | integer
  cpuId__contains | Free-text filter by CPU name (supports multiple values) | false | string []
  createdAt__between | Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  createdAt__gt | Agents created after this timestamp | false | string
  createdAt__gte | Agents created after or at this timestamp | false | string
  createdAt__lt | Agents created before this timestamp | false | string
  createdAt__lte | Agents created before or at this timestamp | false | string
  csvFilterId | The ID of the CSV file to filter by | false | string
  decommissionedAt__between | Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  decommissionedAt__gt | Agents decommissioned after this timestamp | false | string
  decommissionedAt__gte | Agents decommissioned after or at this timestamp | false | string
  decommissionedAt__lt | Agents decommissioned before this timestamp | false | string
  decommissionedAt__lte | Agents decommissioned before this timestamp | false | string
  domains | Included network domains | false | string []
  domainsNin | Not included network domains | false | string []
  encryptedApplications | Disk encryption status | false | boolean
  externalId__contains | Free-text filter by external ID (Customer ID) | false | string []
  externalIp__contains | Free-text filter by visible IP (supports multiple values) | false | string []
  filteredGroupIds | List of Group IDs to filter by | false | string []
  filteredSiteIds | List of Site IDs to filter by | false | string []
  filterId | Include all Agents matching this saved filter | false | string
  firewallEnabled | The agent supports Firewall Control and it is enabled for the agent's group | false | boolean []
  gatewayIp | Gateway IP | false | string
  gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
  groupIds | List of Group IDs to filter by | false | string []
  hasContainerizedWorkload | Include only Agents protecting containerized workloads | false | boolean
  hasLocalConfiguration | Agent has a local configuration set | false | boolean
  hasTags | Include only Agents that have any tags assigned if True, or none if False | false | boolean
  ids | A list of Agent IDs | false | string []
  infected | Include only Agents with at least one active threat | false | boolean
  installerTypes | Include only Agents installed with these package types | false | string []
  installerTypesNin | Exclude Agents installed with these package types | false | string []
  isActive | Include only active Agents | false | boolean
  isDecommissioned | Include active, decommissioned or both | false | boolean []
  isPendingUninstall | Include only Agents with pending uninstall requests | false | boolean
  isUninstalled | Include installed, uninstalled or both | false | boolean []
  isUpToDate | Include only Agents with updated software | false | boolean
  k8sNodeLabels__contains | Free-text filter by K8s node labels (supports multiple values) | false | string []
  k8sNodeName__contains | Free-text filter by K8s node name (supports multiple values) | false | string []
  k8sType__contains | Free-text filter by K8s type (supports multiple values) | false | string []
  k8sVersion__contains | Free-text filter by K8s version (supports multiple values) | false | string []
  lastActiveDate__between | Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  lastActiveDate__gt | Agents last active after this time | false | string
  lastActiveDate__gte | Agents last active after or at this time | false | string
  lastActiveDate__lt | Agents last active before this time | false | string
  lastActiveDate__lte | Agents last active before or at this time | false | string
  lastLoggedInUserName__contains | Free-text filter by username (supports multiple values) | false | string []
  lastSuccessfulScanDate__between | Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  lastSuccessfulScanDate__gt | Agents last successful full disk scan after this time | false | string
  lastSuccessfulScanDate__gte | Agents last successful full disk scan after or at this time | false | string
  lastSuccessfulScanDate__lt | Agents last successful full disk scan before this time | false | string
  lastSuccessfulScanDate__lte | Agents last successful full disk scan before or at this time | false | string
  liveUpdateId__contains | Free-text filter by live update ID (supports multiple values) | false | string []
  locationEnabled | The agent supports Location Awareness and it is enabled for the agent's group | false | boolean []
  locationIds | Include only Agents reporting these locations | false | string []
  locationIdsNin | Do not include only Agents reporting these locations | false | string []
  machineTypes | Included machine types | false | string []
  machineTypesNin | Not included machine types | false | string []
  migrationStatus | Migration status | false | enum
  missingPermissions | Included missing permissions | false | string []
  missingPermissionsNin | Excluded missing permissions | false | string []
  mitigationMode | Agent mitigation mode policy | false | enum
  mitigationModeSuspicious | Mitigation mode policy for suspicious activity | false | enum
  networkInterfaceGatewayMacAddress__contains | Free-text filter by Gateway MAC address (supports multiple values) | false | string []
  networkInterfaceInet__contains | Free-text filter by local IP (supports multiple values) | false | string []
  networkInterfacePhysical__contains | Free-text filter by MAC address (supports multiple values) | false | string []
  networkQuarantineEnabled | The agent supports Network Quarantine Control and it is enabled for the agent's group | false | boolean []
  networkStatuses | Included network statuses | false | string []
  networkStatusesNin | Included network statuses | false | string []
  operationalStates | Agent operational state | false | string []
  operationalStatesNin | Do not include these Agent operational states | false | string []
  osArch | OS architecture | false | enum
  osTypes | Included OS types | false | string []
  osTypesNin | Not included OS types | false | string []
  osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
  query | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string
  rangerStatus | [DEPRECATED] Use rangerStatuses. | false | enum
  rangerStatuses | Status of Ranger | false | string []
  rangerStatusesNin | Do not include these Ranger Statuses | false | string []
  rangerVersions | Ranger versions to include | false | string []
  rangerVersionsNin | Ranger versions not to include | false | string []
  registeredAt__between | Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  registeredAt__gt | Agents registered after this time | false | string
  registeredAt__gte | Agents registered after or at this time | false | string
  registeredAt__lt | Agents registered before this time | false | string
  registeredAt__lte | Agents registered before or at this time | false | string
  remoteOpsForensicsSupported | Include only agents that have the Remote Ops Forensics feature supported | false | boolean
  remoteProfilingStates | Agent remote profiling state | false | string []
  remoteProfilingStatesNin | Do not include these Agent remote profiling states | false | string []
  rsoLevel | Supported Remote Script Orchestration level | false | enum
  scanStatus | Scan status | false | enum
  scanStatuses | Included scan statuses | false | string []
  scanStatusesNin | Not included scan statuses | false | string []
  serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
  siteIds | List of Site IDs to filter by | false | string []
  tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
  threatContentHash | Include only Agents that have at least one threat with this content hash | false | string
  threatCreatedAt__between | Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  threatCreatedAt__gt | Agents with threats reported after this time | false | string
  threatCreatedAt__gte | Agents with threats reported after or at this time | false | string
  threatCreatedAt__lt | Agents with threats reported before this time | false | string
  threatCreatedAt__lte | Agents with threats reported before or at this time | false | string
  threatHidden | Include only Agents with at least one hidden threat | false | boolean
  threatMitigationStatus | Include only Agents that have threats with this mitigation status | false | enum
  threatRebootRequired | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean []
  threatResolved | Include only Agents with at least one resolved threat | false | boolean
  totalMemory__between | Total memory range (GB, inclusive) | false | string
  totalMemory__gt | Memory size (MB, more than) | false | integer
  totalMemory__gte | Memory size (MB, more than or equal) | false | integer
  totalMemory__lt | Memory size (MB, less than) | false | integer
  totalMemory__lte | Memory size (MB, less than or equal) | false | integer
  updatedAt__between | Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  updatedAt__gt | Agents updated after this timestamp | false | string
  updatedAt__gte | Agents updated after or at this timestamp | false | string
  updatedAt__lt | Agents updated before this timestamp | false | string
  updatedAt__lte | Agents updated before or at this timestamp | false | string
  userActionsNeeded | Included pending user actions | false | string []
  userActionsNeededNin | Excluded pending user actions | false | string []
  uuid | Agent's universally unique identifier | false | string
  uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
  uuids | A list of included UUIDs | false | string []

Reset Local Config
POST /web/api/v2.1/agents/actions/reset-local-config

SentinelCtl is the CLI for Agents. It runs commands directly on one Agent at a time. You can use this command to clear the SentinelCtl changes from all Agents that match
the filter. Specific SentinelCtl settings are not cleared:
On Windows: proxy address and Management token.
On macOS: Management server address and server site key.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permissions to perform the requested action

Response Schema
Name | Description | Required | Value
data | Response data | false | nested fields below
  affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
filter | Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents. | true | nested fields below
  accountIds | List of Account IDs to filter by | false | string []
  activeThreats | Include Agents with this amount of active threats | false | integer
  activeThreats__gt | Include Agents with at least this amount of active threats | false | integer
  adComputerMember__contains | Free-text filter by Active Directory computer groups string (supports multiple values) | false | string []
  adComputerName__contains | Free-text filter by Active Directory computer name string (supports multiple values) | false | string []
  adComputerQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
  adQuery | An Active Directory query string | false | string
  adQuery__contains | Free-text filter by Active Directory string (supports multiple values) | false | string []
  adUserMember__contains | Free-text filter by Active Directory user groups string (supports multiple values) | false | string []
  adUserName__contains | Free-text filter by Active Directory username string (supports multiple values) | false | string []
  adUserQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
  agentNamespace__contains | Free-text filter by agent namespace (supports multiple values) | false | string []
  agentPodName__contains | Free-text filter by agent pod name (supports multiple values) | false | string []
  agentVersion__between | Version range for agent version (format: <from_version>-<to_version>, inclusive) | false | string
  agentVersion__gt | Agent versions greater than given version | false | string
  agentVersion__gte | Agent versions greater than or equal to given version | false | string
  agentVersion__lt | Agent versions less than given version | false | string
  agentVersion__lte | Agent versions less than or equal to given version | false | string
  agentVersions | Agent versions to include | false | string []
  agentVersionsNin | Agent versions not to include | false | string []
  appsVulnerabilityStatuses | Apps vulnerability status in | false | string []
  appsVulnerabilityStatusesNin | Apps vulnerability status nin | false | string []
  awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
  awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
  awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
  azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
  cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
  cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
  cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
  cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
  cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
  cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
  cloudProvider | Agents from which cloud provider | false | string []
  cloudProviderNin | Exclude Agents from these cloud providers | false | string []
  cloudTags__contains | Free-text filter by cloud tags (supports multiple values) | false | string []
  clusterName__contains | Free-text filter by cluster name (supports multiple values) | false | string []
  computerName | Computer name | false | string
  computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
  computerName__like | Match computer name partially (substring) | false | string
  consoleMigrationStatuses | Migration status in | false | string []
  consoleMigrationStatusesNin | Migration status nin | false | string []
  coreCount__between | Possible number of CPU cores (inclusive) | false | string
  coreCount__gt | CPU cores (more than) | false | integer
  coreCount__gte | CPU cores (more than or equal) | false | integer
  coreCount__lt | CPU cores (less than) | false | integer
  coreCount__lte | CPU cores (less than or equal) | false | integer
  cpuCount__between | Possible number of CPU cores (inclusive) | false | string
  cpuCount__gt | Number of CPUs (more than) | false | integer
  cpuCount__gte | Number of CPUs (more than or equal) | false | integer
  cpuCount__lt | Number of CPUs (less than) | false | integer
  cpuCount__lte | Number of CPUs (less than or equal) | false | integer
  cpuId__contains | Free-text filter by CPU name (supports multiple values) | false | string []
  createdAt__between | Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  createdAt__gt | Agents created after this timestamp | false | string
  createdAt__gte | Agents created after or at this timestamp | false | string
  createdAt__lt | Agents created before this timestamp | false | string
  createdAt__lte | Agents created before or at this timestamp | false | string
  csvFilterId | The ID of the CSV file to filter by | false | string
  decommissionedAt__between | Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  decommissionedAt__gt | Agents decommissioned after this timestamp | false | string
  decommissionedAt__gte | Agents decommissioned after or at this timestamp | false | string
  decommissionedAt__lt | Agents decommissioned before this timestamp | false | string
  decommissionedAt__lte | Agents decommissioned before this timestamp | false | string
  domains | Included network domains | false | string []
  domainsNin | Not included network domains | false | string []
  encryptedApplications | Disk encryption status | false | boolean
  externalId__contains | Free-text filter by external ID (Customer ID) | false | string []
  externalIp__contains | Free-text filter by visible IP (supports multiple values) | false | string []
  filteredGroupIds | List of Group IDs to filter by | false | string []
  filteredSiteIds | List of Site IDs to filter by | false | string []
  filterId | Include all Agents matching this saved filter | false | string
  firewallEnabled | The agent supports Firewall Control and it is enabled for the agent's group | false | boolean []
  gatewayIp | Gateway IP | false | string
  gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
  groupIds | List of Group IDs to filter by | false | string []
  hasContainerizedWorkload | Include only Agents protecting containerized workloads | false | boolean
  hasLocalConfiguration | Agent has a local configuration set | false | boolean
  hasTags | Include only Agents that have any tags assigned if True, or none if False | false | boolean
  ids | A list of Agent IDs | false | string []
  infected | Include only Agents with at least one active threat | false | boolean
  installerTypes | Include only Agents installed with these package types | false | string []
  installerTypesNin | Exclude Agents installed with these package types | false | string []
  isActive | Include only active Agents | false | boolean
  isDecommissioned | Include active, decommissioned or both | false | boolean []
  isPendingUninstall | Include only Agents with pending uninstall requests | false | boolean
  isUninstalled | Include installed, uninstalled or both | false | boolean []
  isUpToDate | Include only Agents with updated software | false | boolean
  k8sNodeLabels__contains | Free-text filter by K8s node labels (supports multiple values) | false | string []
  k8sNodeName__contains | Free-text filter by K8s node name (supports multiple values) | false | string []
  k8sType__contains | Free-text filter by K8s type (supports multiple values) | false | string []
  k8sVersion__contains | Free-text filter by K8s version (supports multiple values) | false | string []
  lastActiveDate__between | Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  lastActiveDate__gt | Agents last active after this time | false | string
  lastActiveDate__gte | Agents last active after or at this time | false | string
  lastActiveDate__lt | Agents last active before this time | false | string
  lastActiveDate__lte | Agents last active before or at this time | false | string
    lastLoggedInUserName__contains    Free-text filter by username (supports multiple values)    false    string []
    lastSuccessfulScanDate__between    Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive)    false    string
    lastSuccessfulScanDate__gt    Agents last successful full disk scan after this time    false    string
    lastSuccessfulScanDate__gte    Agents last successful full disk scan after or at this time    false    string
    lastSuccessfulScanDate__lt    Agents last successful full disk scan before this time    false    string
    lastSuccessfulScanDate__lte    Agents last successful full disk scan before or at this time    false    string
    liveUpdateId__contains    Free-text filter by live update ID (supports multiple values)    false    string []
    locationEnabled    The Agent supports Location Awareness and it is enabled for the Agent's group    false    boolean []
    locationIds    Include only Agents reporting these locations    false    string []
    locationIdsNin    Do not include only Agents reporting these locations    false    string []
    machineTypes    Included machine types    false    string []
    machineTypesNin    Not included machine types    false    string []
    migrationStatus    Migration status    false    enum
    missingPermissions    Included missing permissions    false    string []
    missingPermissionsNin    Excluded missing permissions    false    string []
    mitigationMode    Agent mitigation mode policy    false    enum
    mitigationModeSuspicious    Mitigation mode policy for suspicious activity    false    enum
    networkInterfaceGatewayMacAddress__contains    Free-text filter by Gateway MAC address (supports multiple values)    false    string []
    networkInterfaceInet__contains    Free-text filter by local IP (supports multiple values)    false    string []
    networkInterfacePhysical__contains    Free-text filter by MAC address (supports multiple values)    false    string []
    networkQuarantineEnabled    The Agent supports Network Quarantine Control and it is enabled for the Agent's group    false    boolean []
    networkStatuses    Included network statuses    false    string []
    networkStatusesNin    Included network statuses    false    string []
    operationalStates    Agent operational state    false    string []
    operationalStatesNin    Do not include these Agent operational states    false    string []
    osArch    OS architecture    false    enum
    osTypes    Included OS types    false    string []
    osTypesNin    Not included OS types    false    string []
    osVersion__contains    Free-text filter by OS full name and version (supports multiple values)    false    string []
    query    A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term).    false    string
    rangerStatus    [DEPRECATED] Use rangerStatuses.    false    enum
    rangerStatuses    Status of Ranger    false    string []
    rangerStatusesNin    Do not include these Ranger Statuses    false    string []
    rangerVersions    Ranger versions to include    false    string []
    rangerVersionsNin    Ranger versions not to include    false    string []
    registeredAt__between    Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive)    false    string
    registeredAt__gt    Agents registered after this time    false    string
    registeredAt__gte    Agents registered after or at this time    false    string
    registeredAt__lt    Agents registered before this time    false    string
    registeredAt__lte    Agents registered before or at this time    false    string
    remoteOpsForensicsSupported    Include only Agents that have the Remote Ops Forensics feature supported    false    boolean
    remoteProfilingStates    Agent remote profiling state    false    string []
    remoteProfilingStatesNin    Do not include these Agent remote profiling states    false    string []
    rsoLevel    Supported Remote Script Orchestration level    false    enum
    scanStatus    Scan status    false    enum
    scanStatuses    Included scan statuses    false    string []
    scanStatusesNin    Not included scan statuses    false    string []
    serialNumber__contains    Free-text filter by Serial Number (supports multiple values)    false    string []
    siteIds    List of Site IDs to filter by    false    string []
    tagsData    Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key.    false    string
    threatContentHash    Include only Agents that have at least one threat with this content hash    false    string
    threatCreatedAt__between    Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive)    false    string
    threatCreatedAt__gt    Agents with threats reported after this time    false    string
    threatCreatedAt__gte    Agents with threats reported after or at this time    false    string
    threatCreatedAt__lt    Agents with threats reported before this time    false    string
    threatCreatedAt__lte    Agents with threats reported before or at this time    false    string
    threatHidden    Include only Agents with at least one hidden threat    false    boolean
    threatMitigationStatus    Include only Agents that have threats with this mitigation status    false    enum
    threatRebootRequired    Has at least one threat with at least one mitigation action pending reboot to succeed    false    boolean []
    threatResolved    Include only Agents with at least one resolved threat    false    boolean
    totalMemory__between    Total memory range (GB, inclusive)    false    string
    totalMemory__gt    Memory size (MB, more than)    false    integer
    totalMemory__gte    Memory size (MB, more than or equal)    false    integer
    totalMemory__lt    Memory size (MB, less than)    false    integer
    totalMemory__lte    Memory size (MB, less than or equal)    false    integer
    updatedAt__between    Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive)    false    string
    updatedAt__gt    Agents updated after this timestamp    false    string
    updatedAt__gte    Agents updated after or at this timestamp    false    string
    updatedAt__lt    Agents updated before this timestamp    false    string
    updatedAt__lte    Agents updated before or at this timestamp    false    string
    userActionsNeeded    Included pending user actions    false    string []
    userActionsNeededNin    Excluded pending user actions    false    string []
    uuid    Agent's universally unique identifier    false    string
    uuid__contains    Free-text filter by Agent UUID (supports multiple values)    false    string []
    uuids    A list of included UUIDs    false    string []

data Data false

Set Persistent Configuration Overrides
POST /web/api/v2.1/agents/actions/set-config

This command requires Global permissions or Support.


The configuration of an Agent can be changed in different ways, such as through Policy settings, Policy Override, SentinelCtl, and changes to the LocalConfig.json file.
For Windows, Policy Override overwrites policy settings, and local changes (to the file and from this command) overwrite Policy Override from the Console or with policy updates from the API.
For macOS, the Policy Override has the highest priority. If you run this command and then update a Group policy that affects both Windows and macOS endpoints, the settings of this command are applied to the Windows endpoints. But the macOS endpoints will apply the settings of the policy, for settings that are duplicated in both the policy and this command.
When you use this command, enter the filter values to set which Agents get the change. Then use the data parameter to set the actual changes. Get the JSON settings for data from the Agent Configuration or see the Knowledge Base: https://support.sentinelone.com/hc/en-us/articles/360022158673-sentinelctl

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permissions to perform the requested action

Response Schema
Name    Description    Required    Value
data    Response data    false
    Name    Description    Required    Value
    affected    Number of entities affected by the requested operation    false    integer

errors    Errors    false    array

Body Schema
Name    Description    Required    Value
data    Data    true
    Name    Description    Required    Value
    config    Config    false    object

filter    Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents.    true
    Name    Description    Required    Value
    accountIds    List of Account IDs to filter by    false    string []
    activeThreats    Include Agents with this amount of active threats    false    integer
    activeThreats__gt    Include Agents with at least this amount of active threats    false    integer
    adComputerMember__contains    Free-text filter by Active Directory computer groups string (supports multiple values)    false    string []
    adComputerName__contains    Free-text filter by Active Directory computer name string (supports multiple values)    false    string []
    adComputerQuery__contains    Free-text filter by Active Directory computer name or its groups (supports multiple values)    false    string []
    adQuery    An Active Directory query string    false    string
    adQuery__contains    Free-text filter by Active Directory string (supports multiple values)    false    string []
    adUserMember__contains    Free-text filter by Active Directory user groups string (supports multiple values)    false    string []
    adUserName__contains    Free-text filter by Active Directory username string (supports multiple values)    false    string []
    adUserQuery__contains    Free-text filter by Active Directory computer name or its groups (supports multiple values)    false    string []
    agentNamespace__contains    Free-text filter by agent namespace (supports multiple values)    false    string []
    agentPodName__contains    Free-text filter by agent pod name (supports multiple values)    false    string []
    agentVersion__between    Version range for agent version (format: <from_version>-<to_version>, inclusive)    false    string
    agentVersion__gt    Agent versions greater than the given version    false    string
    agentVersion__gte    Agent versions greater than or equal to the given version    false    string
    agentVersion__lt    Agent versions less than the given version    false    string
    agentVersion__lte    Agent versions less than or equal to the given version    false    string
    agentVersions    Agent versions to include    false    string []
    agentVersionsNin    Agent versions not to include    false    string []
    appsVulnerabilityStatuses    Apps vulnerability status in    false    string []
    appsVulnerabilityStatusesNin    Apps vulnerability status nin    false    string []
    awsRole__contains    Free-text filter by AWS role (supports multiple values)    false    string []
    awsSecurityGroups__contains    Free-text filter by AWS securityGroups (supports multiple values)    false    string []
    awsSubnetIds__contains    Free-text filter by AWS subnet ids (supports multiple values)    false    string []
    azureResourceGroup__contains    Free-text filter by Azure resource group (supports multiple values)    false    string []
    cloudAccount__contains    Free-text filter by cloud account (supports multiple values)    false    string []
    cloudImage__contains    Free-text filter by cloud image (supports multiple values)    false    string []
    cloudInstanceId__contains    Free-text filter by cloud instance id (supports multiple values)    false    string []
    cloudInstanceSize__contains    Free-text filter by cloud instance size (supports multiple values)    false    string []
    cloudLocation__contains    Free-text filter by cloud location (supports multiple values)    false    string []
    cloudNetwork__contains    Free-text filter by cloud network (supports multiple values)    false    string []
    cloudProvider    Agents from which cloud provider    false    string []
    cloudProviderNin    Exclude Agents from these cloud providers    false    string []
    cloudTags__contains    Free-text filter by cloud tags (supports multiple values)    false    string []
    clusterName__contains    Free-text filter by cluster name (supports multiple values)    false    string []
    computerName    Computer name    false    string
    computerName__contains    Free-text filter by computer name (supports multiple values)    false    string []
    computerName__like    Match computer name partially (substring)    false    string
    consoleMigrationStatuses    Migration status in    false    string []
    consoleMigrationStatusesNin    Migration status nin    false    string []
    coreCount__between    Possible number of CPU cores (inclusive)    false    string
    coreCount__gt    CPU cores (more than)    false    integer
    coreCount__gte    CPU cores (more than or equal)    false    integer
    coreCount__lt    CPU cores (less than)    false    integer
    coreCount__lte    CPU cores (less than or equal)    false    integer
    cpuCount__between    Possible number of CPU cores (inclusive)    false    string
    cpuCount__gt    Number of CPUs (more than)    false    integer
    cpuCount__gte    Number of CPUs (more than or equal)    false    integer
    cpuCount__lt    Number of CPUs (less than)    false    integer
    cpuCount__lte    Number of CPUs (less than or equal)    false    integer
    cpuId__contains    Free-text filter by CPU name (supports multiple values)    false    string []
    createdAt__between    Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive)    false    string
    createdAt__gt    Agents created after this timestamp    false    string
    createdAt__gte    Agents created after or at this timestamp    false    string
    createdAt__lt    Agents created before this timestamp    false    string
    createdAt__lte    Agents created before or at this timestamp    false    string
    csvFilterId    The ID of the CSV file to filter by    false    string
    decommissionedAt__between    Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive)    false    string
    decommissionedAt__gt    Agents decommissioned after this timestamp    false    string
    decommissionedAt__gte    Agents decommissioned after or at this timestamp    false    string
    decommissionedAt__lt    Agents decommissioned before this timestamp    false    string
    decommissionedAt__lte    Agents decommissioned before this timestamp    false    string
    domains    Included network domains    false    string []
    domainsNin    Not included network domains    false    string []
    encryptedApplications    Disk encryption status    false    boolean
    externalId__contains    Free-text filter by external ID (Customer ID)    false    string []
    externalIp__contains    Free-text filter by visible IP (supports multiple values)    false    string []
    filteredGroupIds    List of Group IDs to filter by    false    string []
    filteredSiteIds    List of Site IDs to filter by    false    string []
    filterId    Include all Agents matching this saved filter    false    string
    firewallEnabled    The Agent supports Firewall Control and it is enabled for the Agent's group    false    boolean []
    gatewayIp    Gateway IP    false    string
    gcpServiceAccount__contains    Free-text filter by GCP service account (supports multiple values)    false    string []
    groupIds    List of Group IDs to filter by    false    string []
    hasContainerizedWorkload    Include only Agents protecting containerized workloads    false    boolean
    hasLocalConfiguration    Agent has a local configuration set    false    boolean
    hasTags    Include only Agents that have any tags assigned if True, or none if False    false    boolean
    ids    A list of Agent IDs    false    string []
    infected    Include only Agents with at least one active threat    false    boolean
    installerTypes    Include only Agents installed with these package types    false    string []
    installerTypesNin    Exclude Agents installed with these package types    false    string []
    isActive    Include only active Agents    false    boolean
    isDecommissioned    Include active, decommissioned or both    false    boolean []
    isPendingUninstall    Include only Agents with pending uninstall requests    false    boolean
    isUninstalled    Include installed, uninstalled or both    false    boolean []
    isUpToDate    Include only Agents with updated software    false    boolean
    k8sNodeLabels__contains    Free-text filter by K8s node labels (supports multiple values)    false    string []
    k8sNodeName__contains    Free-text filter by K8s node name (supports multiple values)    false    string []
    k8sType__contains    Free-text filter by K8s type (supports multiple values)    false    string []
    k8sVersion__contains    Free-text filter by K8s version (supports multiple values)    false    string []
    lastActiveDate__between    Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive)    false    string
    lastActiveDate__gt    Agents last active after this time    false    string
    lastActiveDate__gte    Agents last active after or at this time    false    string
    lastActiveDate__lt    Agents last active before this time    false    string
    lastActiveDate__lte    Agents last active before or at this time    false    string
    lastLoggedInUserName__contains    Free-text filter by username (supports multiple values)    false    string []
    lastSuccessfulScanDate__between    Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive)    false    string
    lastSuccessfulScanDate__gt    Agents last successful full disk scan after this time    false    string
    lastSuccessfulScanDate__gte    Agents last successful full disk scan after or at this time    false    string
    lastSuccessfulScanDate__lt    Agents last successful full disk scan before this time    false    string
    lastSuccessfulScanDate__lte    Agents last successful full disk scan before or at this time    false    string
    liveUpdateId__contains    Free-text filter by live update ID (supports multiple values)    false    string []
    locationEnabled    The Agent supports Location Awareness and it is enabled for the Agent's group    false    boolean []
    locationIds    Include only Agents reporting these locations    false    string []
    locationIdsNin    Do not include only Agents reporting these locations    false    string []
    machineTypes    Included machine types    false    string []
    machineTypesNin    Not included machine types    false    string []
    migrationStatus    Migration status    false    enum
    missingPermissions    Included missing permissions    false    string []
    missingPermissionsNin    Excluded missing permissions    false    string []
    mitigationMode    Agent mitigation mode policy    false    enum
    mitigationModeSuspicious    Mitigation mode policy for suspicious activity    false    enum
    networkInterfaceGatewayMacAddress__contains    Free-text filter by Gateway MAC address (supports multiple values)    false    string []
    networkInterfaceInet__contains    Free-text filter by local IP (supports multiple values)    false    string []
    networkInterfacePhysical__contains    Free-text filter by MAC address (supports multiple values)    false    string []
    networkQuarantineEnabled    The Agent supports Network Quarantine Control and it is enabled for the Agent's group    false    boolean []
    networkStatuses    Included network statuses    false    string []
    networkStatusesNin    Included network statuses    false    string []
    operationalStates    Agent operational state    false    string []
    operationalStatesNin    Do not include these Agent operational states    false    string []
    osArch    OS architecture    false    enum
    osTypes    Included OS types    false    string []
    osTypesNin    Not included OS types    false    string []
    osVersion__contains    Free-text filter by OS full name and version (supports multiple values)    false    string []
    query    A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term).    false    string
    rangerStatus    [DEPRECATED] Use rangerStatuses.    false    enum
    rangerStatuses    Status of Ranger    false    string []
    rangerStatusesNin    Do not include these Ranger Statuses    false    string []
    rangerVersions    Ranger versions to include    false    string []
    rangerVersionsNin    Ranger versions not to include    false    string []
    registeredAt__between    Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive)    false    string
    registeredAt__gt    Agents registered after this time    false    string
    registeredAt__gte    Agents registered after or at this time    false    string
    registeredAt__lt    Agents registered before this time    false    string
    registeredAt__lte    Agents registered before or at this time    false    string
    remoteOpsForensicsSupported    Include only Agents that have the Remote Ops Forensics feature supported    false    boolean
    remoteProfilingStates    Agent remote profiling state    false    string []
    remoteProfilingStatesNin    Do not include these Agent remote profiling states    false    string []
    rsoLevel    Supported Remote Script Orchestration level    false    enum
    scanStatus    Scan status    false    enum
    scanStatuses    Included scan statuses    false    string []
    scanStatusesNin    Not included scan statuses    false    string []
    serialNumber__contains    Free-text filter by Serial Number (supports multiple values)    false    string []
    siteIds    List of Site IDs to filter by    false    string []
    tagsData    Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key.    false    string
    threatContentHash    Include only Agents that have at least one threat with this content hash    false    string
    threatCreatedAt__between    Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive)    false    string
    threatCreatedAt__gt    Agents with threats reported after this time    false    string
    threatCreatedAt__gte    Agents with threats reported after or at this time    false    string
    threatCreatedAt__lt    Agents with threats reported before this time    false    string
    threatCreatedAt__lte    Agents with threats reported before or at this time    false    string
    threatHidden    Include only Agents with at least one hidden threat    false    boolean
    threatMitigationStatus    Include only Agents that have threats with this mitigation status    false    enum
    threatRebootRequired    Has at least one threat with at least one mitigation action pending reboot to succeed    false    boolean []
    threatResolved    Include only Agents with at least one resolved threat    false    boolean
    totalMemory__between    Total memory range (GB, inclusive)    false    string
    totalMemory__gt    Memory size (MB, more than)    false    integer
    totalMemory__gte    Memory size (MB, more than or equal)    false    integer
    totalMemory__lt    Memory size (MB, less than)    false    integer
    totalMemory__lte    Memory size (MB, less than or equal)    false    integer
    updatedAt__between    Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive)    false    string
    updatedAt__gt    Agents updated after this timestamp    false    string
    updatedAt__gte    Agents updated after or at this timestamp    false    string
    updatedAt__lt    Agents updated before this timestamp    false    string
    updatedAt__lte    Agents updated before or at this timestamp    false    string
    userActionsNeeded    Included pending user actions    false    string []
    userActionsNeededNin    Excluded pending user actions    false    string []
    uuid    Agent's universally unique identifier    false    string
    uuid__contains    Free-text filter by Agent UUID (supports multiple values)    false    string []
    uuids    A list of included UUIDs    false    string []
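
The request body for Set Persistent Configuration Overrides, and for the Set External ID endpoint that follows, built and checked locally before anything is sent. This is an added example, not SentinelOne's code: the function names, the FILTER_TYPES subset and the sample values are assumptions, and refusing an empty filter is a local safeguard, since the schema above says an empty filter applies the action to all applicable Agents.

```python
import json
import re

ACTIONS_PREFIX = "/web/api/v2.1/agents/actions/"

# A subset of the filter fields from the Body Schema, with the value type the page lists.
FILTER_TYPES = {
    "accountIds": "string []", "siteIds": "string []", "groupIds": "string []",
    "ids": "string []", "uuids": "string []", "osTypes": "string []",
    "computerName__contains": "string []", "isDecommissioned": "boolean []",
    "isActive": "boolean", "infected": "boolean", "isUpToDate": "boolean",
    "activeThreats": "integer", "activeThreats__gt": "integer",
    "agentVersion__between": "string", "lastActiveDate__between": "string",
    "computerName": "string", "uuid": "string",
}

# Fields of the "data" object for each action, as (type, required) pairs from the page.
DATA_FIELDS = {
    "set-config": {"config": (dict, False)},
    "set-external-id": {"externalId": (str, True)},
}


def _matches(value, type_name):
    """Check one filter value against a type name used in the schema tables."""
    if type_name.endswith(" []"):
        return (isinstance(value, list) and len(value) > 0
                and all(_matches(v, type_name[:-3]) for v in value))
    if type_name == "boolean":
        return isinstance(value, bool)
    if type_name == "integer":
        # bool is a subclass of int in Python, so exclude it explicitly.
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, str) and value != ""


def validate_filter(agent_filter, allow_all_agents=False):
    """Raise ValueError if the filter is empty, has an unlisted key or a malformed value."""
    if not agent_filter and not allow_all_agents:
        raise ValueError("empty filter: pass allow_all_agents=True to confirm the scope")
    for key, value in agent_filter.items():
        if key not in FILTER_TYPES:
            raise ValueError(f"unknown filter field: {key}")
        if not _matches(value, FILTER_TYPES[key]):
            raise ValueError(f"{key} must be {FILTER_TYPES[key]}")
        # __between values use the form <from>-<to>; require both sides to be present.
        if key.endswith("__between") and not re.fullmatch(r".+-.+", value):
            raise ValueError(f"{key} must look like <from>-<to>")


def build_agent_action(action, agent_filter, data, allow_all_agents=False):
    """Return (method, path, json_body) for one of the two POST actions."""
    if action not in DATA_FIELDS:
        raise ValueError(f"unsupported action: {action}")
    validate_filter(agent_filter, allow_all_agents)
    for name, (py_type, required) in DATA_FIELDS[action].items():
        if name not in data:
            if required:
                raise ValueError(f"data.{name} is required for {action}")
        elif not isinstance(data[name], py_type):
            raise ValueError(f"data.{name} must be {py_type.__name__}")
    extra = set(data) - set(DATA_FIELDS[action])
    if extra:
        raise ValueError(f"unexpected data fields: {sorted(extra)}")
    body = {"data": data, "filter": agent_filter}
    return "POST", ACTIONS_PREFIX + action, json.dumps(body, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample values: the site ID, OS type and config key are placeholders.
    method, path, body = build_agent_action(
        "set-config",
        {"siteIds": ["SITE_ID_PLACEHOLDER"], "osTypes": ["windows"], "isActive": True},
        {"config": {"examplePlaceholderSetting": True}},
    )
    print(method, path)
    print(body)
```

Rejecting unlisted filter keys locally means a mistyped field name stops the request instead of reaching the console with an unintended scope.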

Set External ID
POST /web/api/v2.1/agents/actions/set-external-id

You can add a Customer Identifier (a string) to identify each endpoint or to tag sets of endpoints. The string shows in the Endpoint Details of the Management Console. For example, you can tag endpoints based on their state, installed applications, or endpoint status. The identifier is set on all Agents that match the filter.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permissions to perform the requested action

Response Schema
Name    Description    Required    Value
data    Response data    false
    Name    Description    Required    Value
    affected    Number of entities affected by the requested operation    false    integer

errors    Errors    false    array

Body Schema
Name    Description    Required    Value
data    Data    true
    Name    Description    Required    Value
    externalId    New external ID for the agent    true    string

filter    Applied filter - only matched Agents will be affected by the requested action.    true
    Name    Description    Required    Value
    accountIds    List of Account IDs to filter by    false    string []
    activeThreats    Include Agents with this amount of active threats    false    integer
    activeThreats__gt    Include Agents with at least this amount of active threats    false    integer
    adComputerMember__contains    Free-text filter by Active Directory computer groups string (supports multiple values)    false    string []
    adComputerName__contains    Free-text filter by Active Directory computer name string (supports multiple values)    false    string []
    adComputerQuery__contains    Free-text filter by Active Directory computer name or its groups (supports multiple values)    false    string []
    adQuery    An Active Directory query string    false    string
    adQuery__contains    Free-text filter by Active Directory string (supports multiple values)    false    string []
    adUserMember__contains    Free-text filter by Active Directory user groups string (supports multiple values)    false    string []
    adUserName__contains    Free-text filter by Active Directory username string (supports multiple values)    false    string []
    adUserQuery__contains    Free-text filter by Active Directory computer name or its groups (supports multiple values)    false    string []
    agentNamespace__contains    Free-text filter by agent namespace (supports multiple values)    false    string []
    agentPodName__contains    Free-text filter by agent pod name (supports multiple values)    false    string []
    agentVersion__between    Version range for agent version (format: <from_version>-<to_version>, inclusive)    false    string
    agentVersion__gt    Agent versions greater than the given version    false    string
    agentVersion__gte    Agent versions greater than or equal to the given version    false    string
    agentVersion__lt    Agent versions less than the given version    false    string
    agentVersion__lte    Agent versions less than or equal to the given version    false    string
    agentVersions    Agent versions to include    false    string []
    agentVersionsNin    Agent versions not to include    false    string []
    appsVulnerabilityStatuses    Apps vulnerability status in    false    string []
    appsVulnerabilityStatusesNin    Apps vulnerability status nin    false    string []
    awsRole__contains    Free-text filter by AWS role (supports multiple values)    false    string []
    awsSecurityGroups__contains    Free-text filter by AWS securityGroups (supports multiple values)    false    string []
    awsSubnetIds__contains    Free-text filter by AWS subnet ids (supports multiple values)    false    string []
    azureResourceGroup__contains    Free-text filter by Azure resource group (supports multiple values)    false    string []
    cloudAccount__contains    Free-text filter by cloud account (supports multiple values)    false    string []
    cloudImage__contains    Free-text filter by cloud image (supports multiple values)    false    string []
    cloudInstanceId__contains    Free-text filter by cloud instance id (supports multiple values)    false    string []
    cloudInstanceSize__contains    Free-text filter by cloud instance size (supports multiple values)    false    string []
    cloudLocation__contains    Free-text filter by cloud location (supports multiple values)    false    string []
    cloudNetwork__contains    Free-text filter by cloud network (supports multiple values)    false    string []
    cloudProvider    Agents from which cloud provider    false    string []
    cloudProviderNin    Exclude Agents from these cloud providers    false    string []
    cloudTags__contains    Free-text filter by cloud tags (supports multiple values)    false    string []
    clusterName__contains    Free-text filter by cluster name (supports multiple values)    false    string []
    computerName    Computer name    false    string
    computerName__contains    Free-text filter by computer name (supports multiple values)    false    string []
    computerName__like    Match computer name partially (substring)    false    string
    consoleMigrationStatuses    Migration status in    false    string []
    consoleMigrationStatusesNin    Migration status nin    false    string []
    coreCount__between    Possible number of CPU cores (inclusive)    false    string
    coreCount__gt    CPU cores (more than)    false    integer
    coreCount__gte    CPU cores (more than or equal)    false    integer
    coreCount__lt    CPU cores (less than)    false    integer
    coreCount__lte    CPU cores (less than or equal)    false    integer
    cpuCount__between    Possible number of CPU cores (inclusive)    false    string
    cpuCount__gt    Number of CPUs (more than)    false    integer
    cpuCount__gte    Number of CPUs (more than or equal)    false    integer
    cpuCount__lt    Number of CPUs (less than)    false    integer
    cpuCount__lte    Number of CPUs (less than or equal)    false    integer
    cpuId__contains    Free-text filter by CPU name (supports multiple values)    false    string []
    createdAt__between    Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive)    false    string
    createdAt__gt    Agents created after this timestamp    false    string
    createdAt__gte    Agents created after or at this timestamp    false    string
    createdAt__lt    Agents created before this timestamp    false    string
    createdAt__lte    Agents created before or at this timestamp    false    string
    csvFilterId    The ID of the CSV file to filter by    false    string
    decommissionedAt__between    Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive)    false    string
    decommissionedAt__gt    Agents decommissioned after this timestamp    false    string
    decommissionedAt__gte    Agents decommissioned after or at this timestamp    false    string
    decommissionedAt__lt    Agents decommissioned before this timestamp    false    string
    decommissionedAt__lte    Agents decommissioned before this timestamp    false    string
    domains    Included network domains    false    string []
    domainsNin    Not included network domains    false    string []
    encryptedApplications    Disk encryption status    false    boolean
    externalId__contains    Free-text filter by external ID (Customer ID)    false    string []
externalIp__c Free-text false string []
ontains filter by
visible IP
(supports
multiple
values)
filteredGroup List of Group false string []
Ids IDs to filter
by
filteredSiteIds List of Site false string []
IDs to filter
by
filterId Include all false string
Agents
matching this
saved filter
firewallEnabl The agents false boolean []
ed supports
Firewall
Control and it
is enabled for
the agent's
group
gatewayIp Gateway ip false string
gcpServiceAc Free-text false string []
count__conta filter by gcp
ins service
account
(supports
multiple
values)
groupIds List of Group false string []
IDs to filter
by
hasContainer Include only false boolean
izedWorkload Agents
protecting
containerized
workloads

421
hasLocalConfi Agent has a false boolean
guration local
configuration
set
hasTags Include only false boolean
Agents that
have any tags
assigned if
True, or none
if False
ids A list of false string []
Agent IDs
infected Include only false boolean
Agents with
at least one
active threat
installerTypes Include only false string []
Agents
installed with
these
package
types
installerType Exclude false string []
sNin Agents
installed with
these
package
types
isActive Include only false boolean
active Agents
isDecommiss Include false boolean []
ioned active,
decommission
ed or both
isPendingUnin Include only false boolean
stall Agents with
pending
uninstall
requests
isUninstalled Include false boolean []
installed,
uninstalled or

422
both
isUpToDate Include only false boolean
Agents with
updated
software
k8sNodeLabel Free-text false string []
s__contains filter by K8s
node labels
(supports
multiple
values)
k8sNodeName Free-text false string []
__contains filter by K8s
node name
(supports
multiple
values)
k8sType__con Free-text false string []
tains filter by K8s
type(supports
multiple
values)
k8sVersion__c Free-text false string []
ontains filter by K8s
version
(supports
multiple
values)
lastActiveDa Date range false string
te__between for last active
date(format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
lastActiveDat Agents last false string
e__gt active after
this time
lastActiveDat Agents last false string
e__gte active after or
at this time
lastActiveDat Agents last false string

423
e__lt active before
this time
lastActiveDat Agents last false string
e__lte active before
or at this time
lastLoggedIn Free-text false string []
UserName__c filter by
ontains username
(supports
multiple
values)
lastSuccessf Date range false string
ulScanDate_ for last
_between successful full
disk
scan(format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
lastSuccessfu Agents last false string
lScanDate__g successful full
t disk scan
after this
time
lastSuccessfu Agents last false string
lScanDate__g successful full
te disk scan
after or at
this time
lastSuccessfu Agents last false string
lScanDate__lt successful full
disk scan
before this
time
lastSuccessfu Agents last false string
lScanDate__lt successful full
e disk scan
before or at
this time
liveUpdateId_ Free-text false string []
_contains filter by live

update ID
(supports
multiple
values)
locationEnabl The agents false boolean []
ed supports
Location
Awareness
and it is
enabled for
the agent's
group
locationIds Include only false string []
Agents
reporting
these
locations
locationIdsNi Do not false string []
n include only
Agents
reporting
these
locations
machineTypes Included false string []
machine
types
machineType Not included false string []
sNin machine
types
migrationStat Migration false enum
us status
missingPermis Included false string []
sions missing
permissions
missingPermi Excluded false string []
ssionsNin missing
permissions
mitigationMo Agent false enum
de mitigation
mode policy
mitigationMo Mitigation false enum

deSuspicious mode policy
for suspicious
activity
networkInter Free-text false string []
faceGatewayM filter by
acAddress__c Gateway
ontains MAC address
(supports
multiple
values)
networkInterf Free-text false string []
aceInet__cont filter by local
ains IP (supports
multiple
values)
networkInterf Free-text false string []
acePhysical__ filter by MAC
contains address
(supports
multiple
values)
networkQuara The agents false boolean []
ntineEnabled supports
Network
Quarantine
Control and
its enabled
for the
agent's group
networkStatu Included false string []
ses network
statuses
networkStatu Included false string []
sesNin network
statuses
operationalSt Agent false string []
ates operational
state
operationalSt Do not false string []
atesNin include these
Agent
operational

states
osArch OS false enum
architecture
osTypes Included OS false string []
types
osTypesNin Not included false string []
OS types
osVersion__co Free-text false string []
ntains filter by OS
full name and
version
(supports
multiple
values)
query A free-text false string
search term,
will match
applicable
attributes
(sub-string
match). Note:
Device's
physical
addresses will
be matched if
they start
with the
search term
only (no
match if they
contain the
term).
rangerStatus [DEPRECATE false enum
D] Use
rangerStatuse
s.
rangerStatuse Status of false string []
s Ranger
rangerStatus Do not false string []
esNin include these
Ranger
Statuses

rangerVersion Ranger false string []
s versions to
include
rangerVersio Ranger false string []
nsNin versions not
to include
registeredAt Date range false string
__between for first
registration
time (format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
registeredAt_ Agents false string
_gt registered
after this
time
registeredAt_ Agents false string
_gte registered
after or at
this time
registeredAt__ Agents false string
lt registered
before this
time
registeredAt_ Agents false string
_lte registered
before or at
this time
remoteOpsFor Include only false boolean
ensicsSuppor agents that
ted has Remote
Ops
Forensicsfeat
ure
supported
remoteProfili Agent remote false string []
ngStates profiling state
remoteProfili Do not false string []
ngStatesNin include these
Agent remote

profiling
states
rsoLevel Supported false enum
Remote
Script
Orchestration
level
scanStatus Scan status false enum
scanStatuses Included scan false string []
statuses
scanStatuses Not included false string []
Nin scan statuses
serialNumber Free-text false string []
__contains filter by Serial
Number
(supports
multiple
values)
siteIds List of Site false string []
IDs to filter
by
tagsData Filter agents false string
by their
assigned tags.
Given in form
of a JSON
where each
key
represents a
tag key, and
each value
represents a
list of string
values to
filter by. To
filter by
unassigned
tag values,
use __nin
suffix in the
tag key.
threatConten Include only false string

tHash Agents that
have at least
one threat
with this
content hash
threatCreate Agents with false string
dAt__betwee threats
n reported in a
date range
(format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
threatCreate Agents with false string
dAt__gt threats
reported
after this
time
threatCreate Agents with false string
dAt__gte threats
reported
after or at
this time
threatCreated Agents with false string
At__lt threats
reported
before this
time
threatCreated Agents with false string
At__lte threats
reported
before or at
this time
threatHidden Include only false boolean
Agents with
at least one
hidden threat
threatMitigat Include only false enum
ionStatus Agents that
have threats
with this
mitigation

status
threatReboot Has at least false boolean []
Required one threat
with at least
one
mitigation
action
pending
reboot to
succeed
threatResolv Include only false boolean
ed Agents with
at least one
resolved
threat
totalMemory Total memory false string
__between range (GB,
inclusive)
totalMemory_ Memory size false integer
_gt (MB, more
than)
totalMemory_ Memory size false integer
_gte (MB, more
than or equal)
totalMemory_ Memory size false integer
_lt (MB, less
than)
totalMemory_ Memory size false integer
_lte (MB, less
than or equal)
updatedAt__ Date range false string
between for update
time (format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
updatedAt__g Agents false string
t updated after
this
timestamp

updatedAt__g Agents false string
te updated after
or at this
timestamp
updatedAt__l Agents false string
t updated
before this
timestamp
updatedAt__l Agents false string
te updated
before or at
this
timestamp
userActionsN Included false string []
eeded pending user
actions
userActionsN Excluded false string []
eededNin pending user
actions
uuid Agent's false string
universally
unique
identifier
uuid__contain Free-text false string []
s filter by
Agent UUID
(supports
multiple
values)
uuids A list of false string []
included
UUIDs

Fetch Files
POST /web/api/v2.1/agents/{agent_id}/actions/fetch-files

Fetch files from endpoints (up to 10 MB for each command) to analyze the root of file-based threats (this does not help with fileless threats). Set the pathnames in the body of the request.
Regular expressions and metacharacters are not allowed. Spaces are allowed.
You must enter a new password, which you will use to open the archive of downloaded files. The password must be 10 or more characters with a mix of upper and lower case letters, numbers, and symbols.
This command collects the files and uploads them to the Management. To get the files, download them from the Management.
FedRAMP-compliant and other Managements in GovCloud require a Support ticket to enable this feature.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permissions to perform the requested action

404 - Agent not found

Response Schema
Name Description Required Value
data Response data false
Name Description Required Value
success Indicates a successful operation false boolean

errors Errors false array

Body Schema
Name Description Required Value
data Data true
Name Description Required Value
password File encryption password true string
files List of files to fetch (absolute paths, up to 10 files) false string []
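
The request-body rules above (absolute paths, at most 10 files, no metacharacters, password complexity) can be checked on the client before the call is made. The following is an added example, not part of the SentinelOne documentation; the helper names, the symbol alphabet and the set of rejected metacharacters are assumptions, because the documentation does not enumerate them.

```python
import json
import re
import secrets
import string
from urllib.parse import quote

MAX_FILES = 10          # body schema: "up to 10 files"
MIN_PASSWORD_LEN = 10   # "10 or more characters"
# Assumption: the documentation does not list the forbidden metacharacters.
# This illustrative set covers common wildcard and shell characters.
ASSUMED_METACHARS = set("*?|<>")
# Constructed symbol alphabet, used only when generating a password.
SYMBOLS = "!@#%^&+=_-"


def password_problems(password):
    """Return the list of policy violations (empty list means compliant)."""
    problems = []
    if len(password) < MIN_PASSWORD_LEN:
        problems.append("shorter than 10 characters")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("no symbol")
    return problems


def generate_archive_password(length=20):
    """Generate a random archive password that satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate


def is_absolute(path):
    """Accept POSIX (/etc/hosts) and Windows drive (C:\\dir\\file) paths."""
    return path.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", path) is not None


def build_fetch_files_request(agent_id, paths, password):
    """Validate the inputs and return (url_path, json_body) for the POST.

    Error messages never include the password itself.
    """
    if not agent_id:
        raise ValueError("agent_id is required")
    # This client insists on at least one path, although the schema marks
    # "files" as not required.
    if not paths or len(paths) > MAX_FILES:
        raise ValueError("provide between 1 and %d paths" % MAX_FILES)
    for path in paths:
        if not is_absolute(path):
            raise ValueError("not an absolute path: %r" % path)
        bad = ASSUMED_METACHARS.intersection(path)
        if bad:
            raise ValueError("metacharacters %s in %r" % (sorted(bad), path))
    problems = password_problems(password)
    if problems:
        raise ValueError("password policy: " + ", ".join(problems))
    # Percent-encode the ID so it cannot alter the URL path.
    url_path = "/web/api/v2.1/agents/%s/actions/fetch-files" % quote(agent_id, safe="")
    body = {"data": {"password": password, "files": list(paths)}}
    return url_path, json.dumps(body)
```

Keep the generated password out of logs and tickets; it is needed again only to open the archive downloaded from the Management.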

Move between Sites
POST /web/api/v2.1/agents/actions/move-to-site

This command requires Account or Global level access.

Agents are assigned to a Site when they are first installed with a Site Token. If you have the required access level, a role with permissions (the SOC role does not allow this action), and permission for both Sites, you can move Agents from one Site to a different Site. Agents will be moved to the best matching dynamic group, or to the Default group if no dynamic group matches.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permissions to perform the requested action

Response Schema
Name Description Required Value
data Response data false
Name Description Required Value
affected Number of entities affected by the requested operation false integer

errors Errors false array

Body Schema
Name Description Required Value
data Data true
Name Description Required Value
targetSiteId Target site id true string

filter Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents. true
Name Description Required Value
accountIds List of Account IDs to filter by false string []
activeThreats Include Agents with this amount of active threats false integer
activeThreats__gt Include Agents with at least this amount of active threats false integer
adComputerM Free-text false string []
ember__conta filter by
ins Active
Directory
computer
groups string
(supports
multiple
values)
adComputerN Free-text false string []
ame__contain filter by
s Active
Directory
computer
name string
(supports
multiple
values)
adComputerQ Free-text false string []
uery__contain filter by
s Active

Directory
computer
name or its
groups
(supports
multiple
values)
adQuery An Active false string
Directory
query string
adQuery__con Free-text false string []
tains filter by
Active
Directory
string
(supports
multiple
values)
adUserMembe Free-text false string []
r__contains filter by
Active
Directory
user groups
string
(supports
multiple
values)
adUserName_ Free-text false string []
_contains filter by
Active
Directory
username
string
(supports
multiple
values)
adUserQuery_ Free-text false string []
_contains filter by
Active
Directory
computer
name or its
groups
(supports

multiple
values)
agentNamespa Free-text false string []
ce__contains filter by agent
namespace
(supports
multiple
values)
agentPodNam Free-text false string []
e__contains filter by agent
pod name
(supports
multiple
values)
agentVersion Version range false string
__between for agent
version
(format:
<from_versio
n>-
<to_version>,
inclusive)
agentVersion_ Agents false string
_gt versions
greater than
given version
agentVersion Agents false string
__gte versions
greater than
or equal to
given version
agentVersion_ Agents false string
_lt versions less
than given
version
agentVersion_ Agents false string
_lte versions less
than or equal
to given
version
agentVersion Agent false string []
s versions to

include
agentVersion Agent false string []
sNin versions not
to include
appsVulnerabi Apps false string []
lityStatuses vulnerability
status in
appsVulnerabi Apps false string []
lityStatusesN vulnerability
in status nin
awsRole__con Free-text false string []
tains filter by aws
role(supports
multiple
values)
awsSecurityG Free-text false string []
roups__conta filter by aws
ins securityGroup
s(supports
multiple
values)
awsSubnetIds Free-text false string []
__contains filter by aws
subnet ids
(supports
multiple
values)
azureResourc Free-text false string []
eGroup__cont filter by azure
ains resource
group(support
s multiple
values)
cloudAccount Free-text false string []
__contains filter by cloud
account
(supports
multiple
values)
cloudImage__ Free-text false string []
contains filter by cloud
image

(supports
multiple
values)
cloudInstance Free-text false string []
Id__contains filter by cloud
instance
id(supports
multiple
values)
cloudInstance Free-text false string []
Size__contain filter by cloud
s instance
size(supports
multiple
values)
cloudLocation Free-text false string []
__contains filter by cloud
location
(supports
multiple
values)
cloudNetwork Free-text false string []
__contains filter by cloud
network
(supports
multiple
values)
cloudProvider Agents from false string []
which cloud
provider
cloudProvide Exclude false string []
rNin Agents from
these cloud
provider
cloudTags__co Free-text false string []
ntains filter by cloud
tags
(supports
multiple
values)
clusterName_ Free-text false string []
_contains filter by

cluster name
(supports
multiple
values)
computerNa Computer false string
me name
computerNam Free-text false string []
e__contains filter by
computer
name
(supports
multiple
values)
computerNam Match false string
e__like computer
name
partially
(substring)
consoleMigra Migration false string []
tionStatuses status in
consoleMigra Migration false string []
tionStatusesN status nin
in
coreCount__ Possible false string
between number of
CPU cores
(inclusive)
coreCount__g CPU cores false integer
t (more than)
coreCount__g CPU cores false integer
te (more than or
equal)
coreCount__lt CPU cores false integer
(less than)
coreCount__l CPU cores false integer
te (less than or
equal)
cpuCount__b Possible false string
etween number of
CPU cores
(inclusive)

cpuCount__gt Number of false integer
CPUs (more
than)
cpuCount__gt Number of false integer
e CPUs (more
than or equal)
cpuCount__lt Number of false integer
CPUs (less
than)
cpuCount__lt Number of false integer
e CPUs (less
than or equal)
cpuId__contai Free-text false string []
ns filter by CPU
name
(supports
multiple
values)
createdAt__b Date range false string
etween for creation
time (format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
createdAt__g Agents false string
t created after
this
timestamp
createdAt__g Agents false string
te created after
or at this
timestamp
createdAt__lt Agents false string
created
before this
timestamp
createdAt__lt Agents false string
e created
before or at
this
timestamp

csvFilterId The ID of the false string
CSV file to
filter by
decommissio Date range false string
nedAt__betw for
een decommission
time (format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
decommission Agents false string
edAt__gt decommission
ed after this
timestamp
decommission Agents false string
edAt__gte decommission
ed after or at
this
timestamp
decommission Agents false string
edAt__lt decommission
ed before this
timestamp
decommission Agents false string
edAt__lte decommission
ed before this
timestamp
domains Included false string []
network
domains
domainsNin Not included false string []
network
domains
encryptedAppl Disk false boolean
ications encryption
status
externalId__c Free-text false string []
ontains filter by
external ID
(Customer ID)

externalIp__c Free-text false string []
ontains filter by
visible IP
(supports
multiple
values)
filteredGroup List of Group false string []
Ids IDs to filter
by
filteredSiteIds List of Site false string []
IDs to filter
by
filterId Include all false string
Agents
matching this
saved filter
firewallEnabl The agents false boolean []
ed supports
Firewall
Control and it
is enabled for
the agent's
group
gatewayIp Gateway ip false string
gcpServiceAc Free-text false string []
count__conta filter by gcp
ins service
account
(supports
multiple
values)
groupIds List of Group false string []
IDs to filter
by
hasContainer Include only false boolean
izedWorkload Agents
protecting
containerized
workloads
hasLocalConfi Agent has a false boolean
guration local
configuration

set
hasTags Include only false boolean
Agents that
have any tags
assigned if
True, or none
if False
ids A list of false string []
Agent IDs
infected Include only false boolean
Agents with
at least one
active threat
installerTypes Include only false string []
Agents
installed with
these
package
types
installerType Exclude false string []
sNin Agents
installed with
these
package
types
isActive Include only false boolean
active Agents
isDecommiss Include false boolean []
ioned active,
decommission
ed or both
isPendingUnin Include only false boolean
stall Agents with
pending
uninstall
requests
isUninstalled Include false boolean []
installed,
uninstalled or
both
isUpToDate Include only false boolean

Agents with
updated
software
k8sNodeLabel Free-text false string []
s__contains filter by K8s
node labels
(supports
multiple
values)
k8sNodeName Free-text false string []
__contains filter by K8s
node name
(supports
multiple
values)
k8sType__con Free-text false string []
tains filter by K8s
type(supports
multiple
values)
k8sVersion__c Free-text false string []
ontains filter by K8s
version
(supports
multiple
values)
lastActiveDa Date range false string
te__between for last active
date(format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
lastActiveDat Agents last false string
e__gt active after
this time
lastActiveDat Agents last false string
e__gte active after or
at this time
lastActiveDat Agents last false string
e__lt active before
this time

lastActiveDat Agents last false string
e__lte active before
or at this time
lastLoggedIn Free-text false string []
UserName__c filter by
ontains username
(supports
multiple
values)
lastSuccessf Date range false string
ulScanDate_ for last
_between successful full
disk
scan(format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
lastSuccessfu Agents last false string
lScanDate__g successful full
t disk scan
after this
time
lastSuccessfu Agents last false string
lScanDate__g successful full
te disk scan
after or at
this time
lastSuccessfu Agents last false string
lScanDate__lt successful full
disk scan
before this
time
lastSuccessfu Agents last false string
lScanDate__lt successful full
e disk scan
before or at
this time
liveUpdateId_ Free-text false string []
_contains filter by live
update ID
(supports
multiple

values)
locationEnabl The agents false boolean []
ed supports
Location
Awareness
and it is
enabled for
the agent's
group
locationIds Include only false string []
Agents
reporting
these
locations
locationIdsNi Do not false string []
n include only
Agents
reporting
these
locations
machineTypes Included false string []
machine
types
machineType Not included false string []
sNin machine
types
migrationStat Migration false enum
us status
missingPermis Included false string []
sions missing
permissions
missingPermi Excluded false string []
ssionsNin missing
permissions
mitigationMo Agent false enum
de mitigation
mode policy
mitigationMo Mitigation false enum
deSuspicious mode policy
for suspicious
activity

networkInter Free-text false string []
faceGatewayM filter by
acAddress__c Gateway
ontains MAC address
(supports
multiple
values)
networkInterf Free-text false string []
aceInet__cont filter by local
ains IP (supports
multiple
values)
networkInterf Free-text false string []
acePhysical__ filter by MAC
contains address
(supports
multiple
values)
networkQuara The agents false boolean []
ntineEnabled supports
Network
Quarantine
Control and
its enabled
for the
agent's group
networkStatu Included false string []
ses network
statuses
networkStatu Included false string []
sesNin network
statuses
operationalSt Agent false string []
ates operational
state
operationalSt Do not false string []
atesNin include these
Agent
operational
states
osArch OS false enum
architecture

osTypes Included OS false string []
types
osTypesNin Not included false string []
OS types
osVersion__co Free-text false string []
ntains filter by OS
full name and
version
(supports
multiple
values)
query A free-text false string
search term,
will match
applicable
attributes
(sub-string
match). Note:
Device's
physical
addresses will
be matched if
they start
with the
search term
only (no
match if they
contain the
term).
rangerStatus [DEPRECATE false enum
D] Use
rangerStatuse
s.
rangerStatuse Status of false string []
s Ranger
rangerStatus Do not false string []
esNin include these
Ranger
Statuses
rangerVersion Ranger false string []
s versions to
include

rangerVersio Ranger false string []
nsNin versions not
to include
registeredAt Date range false string
__between for first
registration
time (format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
registeredAt_ Agents false string
_gt registered
after this
time
registeredAt_ Agents false string
_gte registered
after or at
this time
registeredAt__ Agents false string
lt registered
before this
time
registeredAt_ Agents false string
_lte registered
before or at
this time
remoteOpsFor Include only false boolean
ensicsSuppor agents that
ted has Remote
Ops
Forensicsfeat
ure
supported
remoteProfili Agent remote false string []
ngStates profiling state
remoteProfili Do not false string []
ngStatesNin include these
Agent remote
profiling
states
rsoLevel Supported false enum

Remote
Script
Orchestration
level
scanStatus Scan status false enum
scanStatuses Included scan false string []
statuses
scanStatuses Not included false string []
Nin scan statuses
serialNumber Free-text false string []
__contains filter by Serial
Number
(supports
multiple
values)
siteIds List of Site false string []
IDs to filter
by
tagsData Filter agents false string
by their
assigned tags.
Given in form
of a JSON
where each
key
represents a
tag key, and
each value
represents a
list of string
values to
filter by. To
filter by
unassigned
tag values,
use __nin
suffix in the
tag key.
threatConten Include only false string
tHash Agents that
have at least
one threat
with this

content hash
threatCreate Agents with false string
dAt__betwee threats
n reported in a
date range
(format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
threatCreate Agents with false string
dAt__gt threats
reported
after this
time
threatCreate Agents with false string
dAt__gte threats
reported
after or at
this time
threatCreated Agents with false string
At__lt threats
reported
before this
time
threatCreated Agents with false string
At__lte threats
reported
before or at
this time
threatHidden Include only false boolean
Agents with
at least one
hidden threat
threatMitigat Include only false enum
ionStatus Agents that
have threats
with this
mitigation
status
threatReboot Has at least false boolean []
Required one threat

with at least
one
mitigation
action
pending
reboot to
succeed
threatResolv Include only false boolean
ed Agents with
at least one
resolved
threat
totalMemory Total memory false string
__between range (GB,
inclusive)
totalMemory_ Memory size false integer
_gt (MB, more
than)
totalMemory_ Memory size false integer
_gte (MB, more
than or equal)
totalMemory_ Memory size false integer
_lt (MB, less
than)
totalMemory_ Memory size false integer
_lte (MB, less
than or equal)
updatedAt__ Date range false string
between for update
time (format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
updatedAt__g Agents false string
t updated after
this
timestamp
updatedAt__g Agents false string
te updated after
or at this
timestamp

updatedAt__l Agents false string
t updated
before this
timestamp
updatedAt__l Agents false string
te updated
before or at
this
timestamp
userActionsN Included false string []
eeded pending user
actions
userActionsN Excluded false string []
eededNin pending user
actions
uuid Agent's false string
universally
unique
identifier
uuid__contain Free-text false string []
s filter by
Agent UUID
(supports
multiple
values)
uuids A list of false string []
included
UUIDs
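
Because an empty filter applies the action to all applicable Agents, a client can refuse to send one unless the caller confirms it explicitly. The following added example (not part of the SentinelOne documentation) builds the move-to-site body and checks a subset of the filter fields listed above against their documented types; the helper names, the rejection of unknown keys and empty lists, and the placeholder IDs and tag keys are assumptions.

```python
import json

MOVE_TO_SITE_PATH = "/web/api/v2.1/agents/actions/move-to-site"

# Subset of the documented filter fields and their value types
# ("list" stands for "string []"). Extend with other documented fields as needed.
FILTER_TYPES = {
    "accountIds": "list", "siteIds": "list", "groupIds": "list",
    "ids": "list", "uuids": "list", "osTypes": "list",
    "computerName__contains": "list",
    "isActive": "bool", "infected": "bool", "isUpToDate": "bool",
    "activeThreats": "int", "activeThreats__gt": "int",
    "computerName": "str", "filterId": "str", "tagsData": "str",
}


def tags_data_problems(raw):
    """tagsData is a JSON string mapping each tag key to a list of strings.

    A "__nin" suffix on the tag key filters by unassigned tag values.
    """
    try:
        tags = json.loads(raw)
    except ValueError:
        return ["tagsData is not valid JSON"]
    if not isinstance(tags, dict) or not tags:
        return ["tagsData must be a non-empty JSON object"]
    problems = []
    for key, values in tags.items():
        ok = (isinstance(values, list) and len(values) > 0
              and all(isinstance(v, str) for v in values))
        if not ok:
            problems.append("tagsData[%r] must be a non-empty list of strings" % key)
    return problems


def filter_problems(agent_filter):
    """Return a list of problems found in the filter (empty list means OK)."""
    problems = []
    for key, value in agent_filter.items():
        kind = FILTER_TYPES.get(key)
        if kind is None:
            # Assumption: reject unknown keys so a typo cannot silently
            # change which Agents are matched.
            problems.append("unknown filter key %r" % key)
        elif kind == "list":
            ok = (isinstance(value, list) and len(value) > 0
                  and all(isinstance(v, str) for v in value))
            if not ok:
                problems.append("%s must be a non-empty list of strings" % key)
        elif kind == "bool":
            if not isinstance(value, bool):
                problems.append("%s must be a boolean" % key)
        elif kind == "int":
            # bool is a subclass of int in Python, so exclude it explicitly.
            if isinstance(value, bool) or not isinstance(value, int):
                problems.append("%s must be an integer" % key)
        elif not isinstance(value, str) or not value:
            problems.append("%s must be a non-empty string" % key)
        elif key == "tagsData":
            problems.extend(tags_data_problems(value))
    return problems


def build_move_to_site_body(target_site_id, agent_filter, allow_all_agents=False):
    """Return the JSON body for POST move-to-site, or raise ValueError."""
    if not isinstance(target_site_id, str) or not target_site_id:
        raise ValueError("targetSiteId is required and must be a string")
    problems = filter_problems(agent_filter)
    if problems:
        raise ValueError("; ".join(problems))
    if not agent_filter and not allow_all_agents:
        raise ValueError("empty filter selects all applicable Agents; "
                         "pass allow_all_agents=True to confirm")
    body = {"data": {"targetSiteId": target_site_id}, "filter": agent_filter}
    return json.dumps(body, sort_keys=True)
```

The `affected` count in the response can then be compared with the number of Agents the caller expected to move.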

Fetch Firewall Rules
POST /web/api/v2.1/agents/actions/fetch-firewall-rules

Firewall Control is disabled at the Global level. When it is first enabled, all Sites and Groups inherit the Firewall Control policy from the Global policy. Agents have Firewall Control disabled until they connect to a Site or Group with an enabled Firewall Control policy.
After Agents get Firewall Control, if you add or change a Firewall rule, you can use this command to make sure all Agents fetch the rules (though Agents usually update their policies every few seconds). Use the filter parameter to set which Agents will fetch the rules, if you do not want all of them to attempt it.
Firewall Control requires a Control SKU.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
data Response data false
Name Description Required Value
affected Number of entities affected by the requested operation false integer

errors Errors false array

Body Schema
Name Description Required Value
data Data true
Name Description Required Value
format Desired firewall configuration format. Use "native" to get configuration file in native format. false enum
state Desired firewall configuration state. Use "initial" to get the firewall configuration that existed before Agent installation. (Note: "initial" requires native format). false enum

filter Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents. true
Name Description Required Value
accountIds List of Account IDs to filter by false string []
activeThreats Include Agents with this amount of active threats false integer
activeThreats__gt Include Agents with at least this amount of active threats false integer

adComputerM Free-text false string []
ember__conta filter by
ins Active
Directory
computer
groups string
(supports
multiple
values)
adComputerN Free-text false string []
ame__contain filter by
s Active
Directory
computer
name string
(supports
multiple
values)
adComputerQ Free-text false string []
uery__contain filter by
s Active
Directory
computer
name or its
groups
(supports
multiple
values)
adQuery An Active false string
Directory
query string
adQuery__con Free-text false string []
tains filter by
Active
Directory
string
(supports
multiple
values)
adUserMembe Free-text false string []
r__contains filter by
Active
Directory
user groups

string
(supports
multiple
values)
adUserName_ Free-text false string []
_contains filter by
Active
Directory
username
string
(supports
multiple
values)
adUserQuery_ Free-text false string []
_contains filter by
Active
Directory
computer
name or its
groups
(supports
multiple
values)
agentNamespa Free-text false string []
ce__contains filter by agent
namespace
(supports
multiple
values)
agentPodNam Free-text false string []
e__contains filter by agent
pod name
(supports
multiple
values)
agentVersion Version range false string
__between for agent
version
(format:
<from_versio
n>-
<to_version>,
inclusive)

agentVersion_ Agents false string
_gt versions
greater than
given version
agentVersion Agents false string
__gte versions
greater than
or equal to
given version
agentVersion_ Agents false string
_lt versions less
than given
version
agentVersion_ Agents false string
_lte versions less
than or equal
to given
version
agentVersion Agent false string []
s versions to
include
agentVersion Agent false string []
sNin versions not
to include
appsVulnerabi Apps false string []
lityStatuses vulnerability
status in
appsVulnerabi Apps false string []
lityStatusesN vulnerability
in status nin
awsRole__con Free-text false string []
tains filter by aws
role(supports
multiple
values)
awsSecurityG Free-text false string []
roups__conta filter by aws
ins securityGroup
s(supports
multiple
values)

awsSubnetIds Free-text false string []
__contains filter by aws
subnet ids
(supports
multiple
values)
azureResourc Free-text false string []
eGroup__cont filter by azure
ains resource
group(support
s multiple
values)
cloudAccount Free-text false string []
__contains filter by cloud
account
(supports
multiple
values)
cloudImage__ Free-text false string []
contains filter by cloud
image
(supports
multiple
values)
cloudInstance Free-text false string []
Id__contains filter by cloud
instance
id(supports
multiple
values)
cloudInstance Free-text false string []
Size__contain filter by cloud
s instance
size(supports
multiple
values)
cloudLocation Free-text false string []
__contains filter by cloud
location
(supports
multiple
values)
cloudNetwork Free-text false string []

__contains filter by cloud
network
(supports
multiple
values)
cloudProvider Agents from false string []
which cloud
provider
cloudProvide Exclude false string []
rNin Agents from
these cloud
provider
cloudTags__co Free-text false string []
ntains filter by cloud
tags
(supports
multiple
values)
clusterName_ Free-text false string []
_contains filter by
cluster name
(supports
multiple
values)
computerNa Computer false string
me name
computerNam Free-text false string []
e__contains filter by
computer
name
(supports
multiple
values)
computerNam Match false string
e__like computer
name
partially
(substring)
consoleMigra Migration false string []
tionStatuses status in
consoleMigra Migration false string []
tionStatusesN status nin

in
coreCount__ Possible false string
between number of
CPU cores
(inclusive)
coreCount__g CPU cores false integer
t (more than)
coreCount__g CPU cores false integer
te (more than or
equal)
coreCount__lt CPU cores false integer
(less than)
coreCount__l CPU cores false integer
te (less than or
equal)
cpuCount__b Possible false string
etween number of
CPU cores
(inclusive)
cpuCount__gt Number of false integer
CPUs (more
than)
cpuCount__gt Number of false integer
e CPUs (more
than or equal)
cpuCount__lt Number of false integer
CPUs (less
than)
cpuCount__lt Number of false integer
e CPUs (less
than or equal)
cpuId__contai Free-text false string []
ns filter by CPU
name
(supports
multiple
values)
createdAt__b Date range false string
etween for creation
time (format:

<from_times
tamp>-
<to_timestam
p>, inclusive)
createdAt__g Agents false string
t created after
this
timestamp
createdAt__g Agents false string
te created after
or at this
timestamp
createdAt__lt Agents false string
created
before this
timestamp
createdAt__lt Agents false string
e created
before or at
this
timestamp
csvFilterId The ID of the false string
CSV file to
filter by
decommissio Date range false string
nedAt__betw for
een decommission
time (format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
decommission Agents false string
edAt__gt decommission
ed after this
timestamp
decommission Agents false string
edAt__gte decommission
ed after or at
this
timestamp
decommission Agents false string

edAt__lt decommission
ed before this
timestamp
decommission Agents false string
edAt__lte decommission
ed before this
timestamp
domains Included false string []
network
domains
domainsNin Not included false string []
network
domains
encryptedAppl Disk false boolean
ications encryption
status
externalId__c Free-text false string []
ontains filter by
external ID
(Customer ID)
externalIp__c Free-text false string []
ontains filter by
visible IP
(supports
multiple
values)
filteredGroup List of Group false string []
Ids IDs to filter
by
filteredSiteIds List of Site false string []
IDs to filter
by
filterId Include all false string
Agents
matching this
saved filter
firewallEnabl The agents false boolean []
ed supports
Firewall
Control and it
is enabled for

the agent's
group
gatewayIp Gateway ip false string
gcpServiceAc Free-text false string []
count__conta filter by gcp
ins service
account
(supports
multiple
values)
groupIds List of Group false string []
IDs to filter
by
hasContainer Include only false boolean
izedWorkload Agents
protecting
containerized
workloads
hasLocalConfi Agent has a false boolean
guration local
configuration
set
hasTags Include only false boolean
Agents that
have any tags
assigned if
True, or none
if False
ids A list of false string []
Agent IDs
infected Include only false boolean
Agents with
at least one
active threat
installerTypes Include only false string []
Agents
installed with
these
package
types
installerType Exclude false string []

sNin Agents
installed with
these
package
types
isActive Include only false boolean
active Agents
isDecommiss Include false boolean []
ioned active,
decommission
ed or both
isPendingUnin Include only false boolean
stall Agents with
pending
uninstall
requests
isUninstalled Include false boolean []
installed,
uninstalled or
both
isUpToDate Include only false boolean
Agents with
updated
software
k8sNodeLabel Free-text false string []
s__contains filter by K8s
node labels
(supports
multiple
values)
k8sNodeName Free-text false string []
__contains filter by K8s
node name
(supports
multiple
values)
k8sType__con Free-text false string []
tains filter by K8s
type(supports
multiple
values)
k8sVersion__c Free-text false string []

467
ontains filter by K8s
version
(supports
multiple
values)
lastActiveDate__between | Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
lastActiveDate__gt | Agents last active after this time | false | string
lastActiveDate__gte | Agents last active after or at this time | false | string
lastActiveDate__lt | Agents last active before this time | false | string
lastActiveDate__lte | Agents last active before or at this time | false | string
lastLoggedInUserName__contains | Free-text filter by username (supports multiple values) | false | string []
lastSuccessfulScanDate__between | Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
lastSuccessfulScanDate__gt | Agents last successful full disk scan after this time | false | string
lastSuccessfulScanDate__gte | Agents last successful full disk scan after or at this time | false | string
lastSuccessfulScanDate__lt | Agents last successful full disk scan before this time | false | string
lastSuccessfulScanDate__lte | Agents last successful full disk scan before or at this time | false | string
liveUpdateId__contains | Free-text filter by live update ID (supports multiple values) | false | string []
locationEnabled | The agents supports Location Awareness and it is enabled for the agent's group | false | boolean []
locationIds | Include only Agents reporting these locations | false | string []
locationIdsNin | Do not include only Agents reporting these locations | false | string []
machineTypes | Included machine types | false | string []
machineTypesNin | Not included machine types | false | string []
migrationStatus | Migration status | false | enum
missingPermissions | Included missing permissions | false | string []
missingPermissionsNin | Excluded missing permissions | false | string []
mitigationMode | Agent mitigation mode policy | false | enum
mitigationModeSuspicious | Mitigation mode policy for suspicious activity | false | enum
networkInterfaceGatewayMacAddress__contains | Free-text filter by Gateway MAC address (supports multiple values) | false | string []
networkInterfaceInet__contains | Free-text filter by local IP (supports multiple values) | false | string []
networkInterfacePhysical__contains | Free-text filter by MAC address (supports multiple values) | false | string []
networkQuarantineEnabled | The agents supports Network Quarantine Control and its enabled for the agent's group | false | boolean []
networkStatuses | Included network statuses | false | string []
networkStatusesNin | Included network statuses | false | string []
operationalStates | Agent operational state | false | string []
operationalStatesNin | Do not include these Agent operational states | false | string []
osArch | OS architecture | false | enum
osTypes | Included OS types | false | string []
osTypesNin | Not included OS types | false | string []
osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
query | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string
rangerStatus | [DEPRECATED] Use rangerStatuses. | false | enum
rangerStatuses | Status of Ranger | false | string []
rangerStatusesNin | Do not include these Ranger Statuses | false | string []
rangerVersions | Ranger versions to include | false | string []
rangerVersionsNin | Ranger versions not to include | false | string []
registeredAt__between | Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
registeredAt__gt | Agents registered after this time | false | string
registeredAt__gte | Agents registered after or at this time | false | string
registeredAt__lt | Agents registered before this time | false | string
registeredAt__lte | Agents registered before or at this time | false | string
remoteOpsForensicsSupported | Include only agents that has Remote Ops Forensics feature supported | false | boolean
remoteProfilingStates | Agent remote profiling state | false | string []
remoteProfilingStatesNin | Do not include these Agent remote profiling states | false | string []
rsoLevel | Supported Remote Script Orchestration level | false | enum
scanStatus | Scan status | false | enum
scanStatuses | Included scan statuses | false | string []
scanStatusesNin | Not included scan statuses | false | string []
serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
siteIds | List of Site IDs to filter by | false | string []
tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
threatContentHash | Include only Agents that have at least one threat with this content hash | false | string
threatCreatedAt__between | Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
threatCreatedAt__gt | Agents with threats reported after this time | false | string
threatCreatedAt__gte | Agents with threats reported after or at this time | false | string
threatCreatedAt__lt | Agents with threats reported before this time | false | string
threatCreatedAt__lte | Agents with threats reported before or at this time | false | string
threatHidden | Include only Agents with at least one hidden threat | false | boolean
threatMitigationStatus | Include only Agents that have threats with this mitigation status | false | enum
threatRebootRequired | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean []
threatResolved | Include only Agents with at least one resolved threat | false | boolean
totalMemory__between | Total memory range (GB, inclusive) | false | string
totalMemory__gt | Memory size (MB, more than) | false | integer
totalMemory__gte | Memory size (MB, more than or equal) | false | integer
totalMemory__lt | Memory size (MB, less than) | false | integer
totalMemory__lte | Memory size (MB, less than or equal) | false | integer
updatedAt__between | Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
updatedAt__gt | Agents updated after this timestamp | false | string
updatedAt__gte | Agents updated after or at this timestamp | false | string
updatedAt__lt | Agents updated before this timestamp | false | string
updatedAt__lte | Agents updated before or at this timestamp | false | string
userActionsNeeded | Included pending user actions | false | string []
userActionsNeededNin | Excluded pending user actions | false | string []
uuid | Agent's universally unique identifier | false | string
uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
uuids | A list of included UUIDs | false | string []

Move to Console
POST /web/api/v2.1/agents/actions/move-to-console

You can move Agents between Management Consoles. This command moves Agents to a target Console, Account, and Site, given the Console URL and Site token.
You must have Global permissions for the source Console and access to the Site token of the target Site.
Resolve all threats on the Agents to move before you run this command.
If the Agents have local configurations, the configurations are maintained.
If the new Management has different blocklists, exclusions, and other assets, these are applied the next time the Agent communicates with the Management.
This command works on these Agent versions: Windows 3.0 and later, macOS 3.0 and later, Linux 3.4 and later.
An Agent tries to connect to the new Management Console for 3 minutes. If the Agent cannot connect (has unresolved threats or other requirements are not met), it stays in the original Management Console.
To get the Site token, run the "sites" command (see Sites list) and take the "registrationToken" value.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permissions to perform the requested action

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
    affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (nested fields below)
    token | Site token of the site to which the Agent is to be moved. This is a base-64 string that can be copied from the GUI. | true | string
filter | Applied filter - only matched Agents will be affected by the requested action. Note: One of these filter arguments must be supplied: ids, groupIds, filterId. | true | (nested fields below)
    accountIds | List of Account IDs to filter by | false | string []
    activeThreats | Include Agents with this amount of active threats | false | integer
    activeThreats__gt | Include Agents with at least this amount of active threats | false | integer
    adComputerMember__contains | Free-text filter by Active Directory computer groups string (supports multiple values) | false | string []
    adComputerName__contains | Free-text filter by Active Directory computer name string (supports multiple values) | false | string []
    adComputerQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
    adQuery | An Active Directory query string | false | string
    adQuery__contains | Free-text filter by Active Directory string (supports multiple values) | false | string []
    adUserMember__contains | Free-text filter by Active Directory user groups string (supports multiple values) | false | string []
    adUserName__contains | Free-text filter by Active Directory username string (supports multiple values) | false | string []
    adUserQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
    agentNamespace__contains | Free-text filter by agent namespace (supports multiple values) | false | string []
    agentPodName__contains | Free-text filter by agent pod name (supports multiple values) | false | string []
    agentVersion__between | Version range for agent version (format: <from_version>-<to_version>, inclusive) | false | string
    agentVersion__gt | Agents versions greater than given version | false | string
    agentVersion__gte | Agents versions greater than or equal to given version | false | string
    agentVersion__lt | Agents versions less than given version | false | string
    agentVersion__lte | Agents versions less than or equal to given version | false | string
    agentVersions | Agent versions to include | false | string []
    agentVersionsNin | Agent versions not to include | false | string []
    appsVulnerabilityStatuses | Apps vulnerability status in | false | string []
    appsVulnerabilityStatusesNin | Apps vulnerability status nin | false | string []
    awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
    awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
    awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
    azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
    cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
    cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
    cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
    cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
    cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
    cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
    cloudProvider | Agents from which cloud provider | false | string []
    cloudProviderNin | Exclude Agents from these cloud provider | false | string []
    cloudTags__contains | Free-text filter by cloud tags (supports multiple values) | false | string []
    clusterName__contains | Free-text filter by cluster name (supports multiple values) | false | string []
    computerName | Computer name | false | string
    computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
    computerName__like | Match computer name partially (substring) | false | string
    consoleMigrationStatuses | Migration status in | false | string []
    consoleMigrationStatusesNin | Migration status nin | false | string []
    coreCount__between | Possible number of CPU cores (inclusive) | false | string
    coreCount__gt | CPU cores (more than) | false | integer
    coreCount__gte | CPU cores (more than or equal) | false | integer
    coreCount__lt | CPU cores (less than) | false | integer
    coreCount__lte | CPU cores (less than or equal) | false | integer
    cpuCount__between | Possible number of CPU cores (inclusive) | false | string
    cpuCount__gt | Number of CPUs (more than) | false | integer
    cpuCount__gte | Number of CPUs (more than or equal) | false | integer
    cpuCount__lt | Number of CPUs (less than) | false | integer
    cpuCount__lte | Number of CPUs (less than or equal) | false | integer
    cpuId__contains | Free-text filter by CPU name (supports multiple values) | false | string []
    createdAt__between | Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
    createdAt__gt | Agents created after this timestamp | false | string
    createdAt__gte | Agents created after or at this timestamp | false | string
    createdAt__lt | Agents created before this timestamp | false | string
    createdAt__lte | Agents created before or at this timestamp | false | string
    csvFilterId | The ID of the CSV file to filter by | false | string
    decommissionedAt__between | Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
    decommissionedAt__gt | Agents decommissioned after this timestamp | false | string
    decommissionedAt__gte | Agents decommissioned after or at this timestamp | false | string
    decommissionedAt__lt | Agents decommissioned before this timestamp | false | string
    decommissionedAt__lte | Agents decommissioned before this timestamp | false | string
    domains | Included network domains | false | string []
    domainsNin | Not included network domains | false | string []
    encryptedApplications | Disk encryption status | false | boolean
    externalId__contains | Free-text filter by external ID (Customer ID) | false | string []
    externalIp__contains | Free-text filter by visible IP (supports multiple values) | false | string []
    filteredGroupIds | List of Group IDs to filter by | false | string []
    filteredSiteIds | List of Site IDs to filter by | false | string []
    filterId | Include all Agents matching this saved filter | false | string
    firewallEnabled | The agents supports Firewall Control and it is enabled for the agent's group | false | boolean []
    gatewayIp | Gateway ip | false | string
    gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
    groupIds | List of network groups | false | string []
    hasContainerizedWorkload | Include only Agents protecting containerized workloads | false | boolean
    hasLocalConfiguration | Agent has a local configuration set | false | boolean
    hasTags | Include only Agents that have any tags assigned if True, or none if False | false | boolean
    ids | A list of Agent IDs | false | string []
    infected | Include only Agents with at least one active threat | false | boolean
    installerTypes | Include only Agents installed with these package types | false | string []
    installerTypesNin | Exclude Agents installed with these package types | false | string []
    isActive | Include only active Agents | false | boolean
    isDecommissioned | Include active, decommissioned or both | false | boolean []
    isPendingUninstall | Include only Agents with pending uninstall requests | false | boolean
    isUninstalled | Include installed, uninstalled or both | false | boolean []
    isUpToDate | Include only Agents with updated software | false | boolean
    k8sNodeLabels__contains | Free-text filter by K8s node labels (supports multiple values) | false | string []
    k8sNodeName__contains | Free-text filter by K8s node name (supports multiple values) | false | string []
    k8sType__contains | Free-text filter by K8s type (supports multiple values) | false | string []
    k8sVersion__contains | Free-text filter by K8s version (supports multiple values) | false | string []
    lastActiveDate__between | Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
    lastActiveDate__gt | Agents last active after this time | false | string
    lastActiveDate__gte | Agents last active after or at this time | false | string
    lastActiveDate__lt | Agents last active before this time | false | string
    lastActiveDate__lte | Agents last active before or at this time | false | string
    lastLoggedInUserName__contains | Free-text filter by username (supports multiple values) | false | string []
    lastSuccessfulScanDate__between | Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
    lastSuccessfulScanDate__gt | Agents last successful full disk scan after this time | false | string
    lastSuccessfulScanDate__gte | Agents last successful full disk scan after or at this time | false | string
    lastSuccessfulScanDate__lt | Agents last successful full disk scan before this time | false | string
    lastSuccessfulScanDate__lte | Agents last successful full disk scan before or at this time | false | string
    liveUpdateId__contains | Free-text filter by live update ID (supports multiple values) | false | string []
    locationEnabled | The agents supports Location Awareness and it is enabled for the agent's group | false | boolean []
    locationIds | Include only Agents reporting these locations | false | string []
    locationIdsNin | Do not include only Agents reporting these locations | false | string []
    machineTypes | Included machine types | false | string []
    machineTypesNin | Not included machine types | false | string []
    migrationStatus | Migration status | false | enum
    missingPermissions | Included missing permissions | false | string []
    missingPermissionsNin | Excluded missing permissions | false | string []
    mitigationMode | Agent mitigation mode policy | false | enum
    mitigationModeSuspicious | Mitigation mode policy for suspicious activity | false | enum
    networkInterfaceGatewayMacAddress__contains | Free-text filter by Gateway MAC address (supports multiple values) | false | string []
    networkInterfaceInet__contains | Free-text filter by local IP (supports multiple values) | false | string []
    networkInterfacePhysical__contains | Free-text filter by MAC address (supports multiple values) | false | string []
    networkQuarantineEnabled | The agents supports Network Quarantine Control and its enabled for the agent's group | false | boolean []
    networkStatuses | Included network statuses | false | string []
    networkStatusesNin | Included network statuses | false | string []
    operationalStates | Agent operational state | false | string []
    operationalStatesNin | Do not include these Agent operational states | false | string []
    osArch | OS architecture | false | enum
    osTypes | Included OS types | false | string []
    osTypesNin | Not included OS types | false | string []
    osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
    query | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string
    rangerStatus | [DEPRECATED] Use rangerStatuses. | false | enum
    rangerStatuses | Status of Ranger | false | string []
    rangerStatusesNin | Do not include these Ranger Statuses | false | string []
    rangerVersions | Ranger versions to include | false | string []
    rangerVersionsNin | Ranger versions not to include | false | string []
    registeredAt__between | Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
    registeredAt__gt | Agents registered after this time | false | string
    registeredAt__gte | Agents registered after or at this time | false | string
    registeredAt__lt | Agents registered before this time | false | string
    registeredAt__lte | Agents registered before or at this time | false | string
    remoteOpsForensicsSupported | Include only agents that has Remote Ops Forensics feature supported | false | boolean
    remoteProfilingStates | Agent remote profiling state | false | string []
    remoteProfilingStatesNin | Do not include these Agent remote profiling states | false | string []
    rsoLevel | Supported Remote Script Orchestration level | false | enum
    scanStatus | Scan status | false | enum
    scanStatuses | Included scan statuses | false | string []
    scanStatusesNin | Not included scan statuses | false | string []
    serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
    siteIds | List of Site IDs to filter by | false | string []
    tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
    threatContentHash | Include only Agents that have at least one threat with this content hash | false | string
    threatCreatedAt__between | Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
    threatCreatedAt__gt | Agents with threats reported after this time | false | string
    threatCreatedAt__gte | Agents with threats reported after or at this time | false | string
    threatCreatedAt__lt | Agents with threats reported before this time | false | string
    threatCreatedAt__lte | Agents with threats reported before or at this time | false | string
    threatHidden | Include only Agents with at least one hidden threat | false | boolean
    threatMitigationStatus | Include only Agents that have threats with this mitigation status | false | enum
    threatRebootRequired | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean []
    threatResolved | Include only Agents with at least one resolved threat | false | boolean
    totalMemory__between | Total memory range (GB, inclusive) | false | string
    totalMemory__gt | Memory size (MB, more than) | false | integer
    totalMemory__gte | Memory size (MB, more than or equal) | false | integer
    totalMemory__lt | Memory size (MB, less than) | false | integer
    totalMemory__lte | Memory size (MB, less than or equal) | false | integer
    updatedAt__between | Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
    updatedAt__gt | Agents updated after this timestamp | false | string
    updatedAt__gte | Agents updated after or at this timestamp | false | string
    updatedAt__lt | Agents updated before this timestamp | false | string
    updatedAt__lte | Agents updated before or at this timestamp | false | string
    userActionsNeeded | Included pending user actions | false | string []
    userActionsNeededNin | Excluded pending user actions | false | string []
    uuid | Agent's universally unique identifier | false | string
    uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
    uuids | A list of included UUIDs | false | string []
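
An added example (not SentinelOne's code) of a pre-flight for the Move to Console request: it applies the conditions stated above (no unresolved threats, minimum Agent versions, a base-64 Site token, and a filter that supplies ids, groupIds or filterId), scopes the request to explicit Agent IDs, and checks the "affected" count in the response. The agent record field names (id, osType, agentVersion, activeThreats), the lowercase OS type values and all sample data are assumptions constructed for illustration.

```python
import base64
import binascii

# Minimum Agent versions this page lists for Move to Console.
MIN_VERSION = {"windows": (3, 0), "macos": (3, 0), "linux": (3, 4)}
# The body schema requires at least one of these filter arguments.
SCOPE_KEYS = ("ids", "groupIds", "filterId")


def parse_version(text):
    """Return the leading numeric components of a dotted version as a tuple."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def preflight(agents):
    """Split agent records into (eligible_ids, skipped_reasons)."""
    eligible, skipped = [], {}
    for agent in agents:
        minimum = MIN_VERSION.get(agent["osType"])
        if minimum is None:
            skipped[agent["id"]] = "unsupported OS type"
        elif agent["activeThreats"] > 0:
            skipped[agent["id"]] = "unresolved threats"
        elif parse_version(agent["agentVersion"]) < minimum:
            skipped[agent["id"]] = "agent version too old"
        else:
            eligible.append(agent["id"])
    return eligible, skipped


def build_move_body(site_token, agent_filter):
    """Build the request body, refusing an unscoped filter or a malformed token."""
    if not site_token:
        raise ValueError("site token is empty")
    try:
        base64.b64decode(site_token, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("site token is not valid base-64") from exc
    # An empty list counts as missing: it would not narrow the action at all.
    if not any(agent_filter.get(key) for key in SCOPE_KEYS):
        raise ValueError("filter must supply one of: " + ", ".join(SCOPE_KEYS))
    return {"data": {"token": site_token}, "filter": dict(agent_filter)}


def move_confirmed(response, expected):
    """True only if the response has no errors and reports the expected count."""
    errors = response.get("errors") or []
    affected = (response.get("data") or {}).get("affected")
    return not errors and affected == expected


# Constructed sample agent records and token (not real values).
SAMPLE_AGENTS = [
    {"id": "1001", "osType": "windows", "agentVersion": "21.7.5.1080", "activeThreats": 0},
    {"id": "1002", "osType": "linux", "agentVersion": "3.3.1.4", "activeThreats": 0},
    {"id": "1003", "osType": "macos", "agentVersion": "4.1.2.45", "activeThreats": 2},
]
SAMPLE_TOKEN = base64.b64encode(b"constructed-site-token").decode()

if __name__ == "__main__":
    ids, skipped = preflight(SAMPLE_AGENTS)
    print(build_move_body(SAMPLE_TOKEN, {"ids": ids}))
    print(skipped)
```

Comparing the returned "affected" value with the number of IDs sent catches a filter that matched more or fewer Agents than intended.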

Get Applications
POST /web/api/v2.1/agents/actions/fetch-installed-apps

Application Risk Management is an EA feature. Contact your partner or SentinelOne SE to learn how to join the EA program.
If you have this feature, you can use this command to have all Agents update the data of the applications that are installed on the endpoint. Change the filter parameter values to send this command to matching Agents only. The updated data of installed applications shows on the Console.
Some filter fields are required.
Best practice: Enter all fields in the body. Click in the Body sample to get a copy of the fields in the body form.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
    affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
filter | Applied filter - only matched Agents will be affected by the requested action. Note: One of these filter arguments must be supplied: ids, groupIds, filterId. | true | (nested fields below)
    accountIds | List of Account IDs to filter by | false | string []
    activeThreats | Include Agents with this amount of active threats | false | integer
    activeThreats__gt | Include Agents with at least this amount of active threats | false | integer
    adComputerMember__contains | Free-text filter by Active Directory computer groups string (supports multiple values) | false | string []
    adComputerName__contains | Free-text filter by Active Directory computer name string (supports multiple values) | false | string []
    adComputerQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
    adQuery | An Active Directory query string | false | string
    adQuery__contains | Free-text filter by Active Directory string (supports multiple values) | false | string []
    adUserMember__contains | Free-text filter by Active Directory user groups string (supports multiple values) | false | string []
    adUserName__contains | Free-text filter by Active Directory username string (supports multiple values) | false | string []
    adUserQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
    agentNamespace__contains | Free-text filter by agent namespace (supports multiple values) | false | string []
    agentPodName__contains | Free-text filter by agent pod name (supports multiple values) | false | string []
    agentVersion__between | Version range for agent version (format: <from_version>-<to_version>, inclusive) | false | string
    agentVersion__gt | Agents versions greater than given version | false | string
    agentVersion__gte | Agents versions greater than or equal to given version | false | string
    agentVersion__lt | Agents versions less than given version | false | string
    agentVersion__lte | Agents versions less than or equal to given version | false | string
    agentVersions | Agent versions to include | false | string []
    agentVersionsNin | Agent versions not to include | false | string []
    appsVulnerabilityStatuses | Apps vulnerability status in | false | string []
    appsVulnerabilityStatusesNin | Apps vulnerability status nin | false | string []
    awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
    awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
    awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
    azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
    cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
    cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
    cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
    cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
    cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
    cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
    cloudProvider | Agents from which cloud provider | false | string []
    cloudProviderNin | Exclude Agents from these cloud provider | false | string []
    cloudTags__contains | Free-text filter by cloud tags (supports multiple values) | false | string []
    clusterName__contains | Free-text filter by cluster name (supports multiple values) | false | string []
    computerName | Computer name | false | string
    computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
    computerName__like | Match computer name partially (substring) | false | string
    consoleMigrationStatuses | Migration status in | false | string []
    consoleMigrationStatusesNin | Migration status nin | false | string []
    coreCount__between | Possible number of CPU cores (inclusive) | false | string
    coreCount__gt | CPU cores (more than) | false | integer
    coreCount__gte | CPU cores (more than or equal) | false | integer
    coreCount__lt | CPU cores (less than) | false | integer
    coreCount__lte | CPU cores (less than or equal) | false | integer
    cpuCount__between | Possible number of CPU cores (inclusive) | false | string
    cpuCount__gt | Number of CPUs (more than) | false | integer
    cpuCount__gte | Number of CPUs (more than or equal) | false | integer
    cpuCount__lt | Number of CPUs (less than) | false | integer
    cpuCount__lte | Number of CPUs (less than or equal) | false | integer
    cpuId__contains | Free-text filter by CPU name (supports multiple values) | false | string []
    createdAt__between | Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
    createdAt__gt | Agents created after this timestamp | false | string
    createdAt__gte | Agents created after or at this timestamp | false | string
    createdAt__lt | Agents created before this timestamp | false | string
    createdAt__lte | Agents created before or at this timestamp | false | string
    csvFilterId | The ID of the CSV file to filter by | false | string
decommissio Date range false string
nedAt__betw for
een decommission
time (format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
decommission Agents false string
edAt__gt decommission
ed after this
timestamp
decommission Agents false string
edAt__gte decommission
ed after or at
this
timestamp
decommission Agents false string
edAt__lt decommission
ed before this
timestamp
decommission Agents false string
edAt__lte decommission
ed before this
timestamp
domains Included false string []
network
domains
domainsNin Not included false string []
network
domains
encryptedAppl Disk false boolean
ications encryption
status
externalId__c Free-text false string []
ontains filter by
external ID
(Customer ID)
externalIp__c Free-text false string []
ontains filter by
visible IP
(supports

507
multiple
values)
filteredGroup List of Group false string []
Ids IDs to filter
by
filteredSiteIds List of Site false string []
IDs to filter
by
filterId Include all false string
Agents
matching this
saved filter
firewallEnabl The agents false boolean []
ed supports
Firewall
Control and it
is enabled for
the agent's
group
gatewayIp Gateway ip false string
gcpServiceAc Free-text false string []
count__conta filter by gcp
ins service
account
(supports
multiple
values)
groupIds List of false string []
network
groups
hasContainer Include only false boolean
izedWorkload Agents
protecting
containerized
workloads
hasLocalConfi Agent has a false boolean
guration local
configuration
set
hasTags Include only false boolean
Agents that

508
have any tags
assigned if
True, or none
if False
ids A list of false string []
Agent IDs
infected Include only false boolean
Agents with
at least one
active threat
installerTypes Include only false string []
Agents
installed with
these
package
types
installerType Exclude false string []
sNin Agents
installed with
these
package
types
isActive Include only false boolean
active Agents
isDecommiss Include false boolean []
ioned active,
decommission
ed or both
isPendingUnin Include only false boolean
stall Agents with
pending
uninstall
requests
isUninstalled Include false boolean []
installed,
uninstalled or
both
isUpToDate Include only false boolean
Agents with
updated
software

k8sNodeLabel Free-text false string []
s__contains filter by K8s
node labels
(supports
multiple
values)
k8sNodeName Free-text false string []
__contains filter by K8s
node name
(supports
multiple
values)
k8sType__con Free-text false string []
tains filter by K8s
type(supports
multiple
values)
k8sVersion__c Free-text false string []
ontains filter by K8s
version
(supports
multiple
values)
lastActiveDa Date range false string
te__between for last active
date(format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
lastActiveDat Agents last false string
e__gt active after
this time
lastActiveDat Agents last false string
e__gte active after or
at this time
lastActiveDat Agents last false string
e__lt active before
this time
lastActiveDat Agents last false string
e__lte active before
or at this time

lastLoggedIn Free-text false string []
UserName__c filter by
ontains username
(supports
multiple
values)
lastSuccessf Date range false string
ulScanDate_ for last
_between successful full
disk
scan(format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
lastSuccessfu Agents last false string
lScanDate__g successful full
t disk scan
after this
time
lastSuccessfu Agents last false string
lScanDate__g successful full
te disk scan
after or at
this time
lastSuccessfu Agents last false string
lScanDate__lt successful full
disk scan
before this
time
lastSuccessfu Agents last false string
lScanDate__lt successful full
e disk scan
before or at
this time
liveUpdateId_ Free-text false string []
_contains filter by live
update ID
(supports
multiple
values)
locationEnabl The agents false boolean []
ed supports

Location
Awareness
and it is
enabled for
the agent's
group
locationIds Include only false string []
Agents
reporting
these
locations
locationIdsNi Do not false string []
n include only
Agents
reporting
these
locations
machineTypes Included false string []
machine
types
machineType Not included false string []
sNin machine
types
migrationStat Migration false enum
us status
missingPermis Included false string []
sions missing
permissions
missingPermi Excluded false string []
ssionsNin missing
permissions
mitigationMo Agent false enum
de mitigation
mode policy
mitigationMo Mitigation false enum
deSuspicious mode policy
for suspicious
activity
networkInter Free-text false string []
faceGatewayM filter by
acAddress__c Gateway

ontains MAC address
(supports
multiple
values)
networkInterf Free-text false string []
aceInet__cont filter by local
ains IP (supports
multiple
values)
networkInterf Free-text false string []
acePhysical__ filter by MAC
contains address
(supports
multiple
values)
networkQuara The agents false boolean []
ntineEnabled supports
Network
Quarantine
Control and
its enabled
for the
agent's group
networkStatu Included false string []
ses network
statuses
networkStatu Included false string []
sesNin network
statuses
operationalSt Agent false string []
ates operational
state
operationalSt Do not false string []
atesNin include these
Agent
operational
states
osArch OS false enum
architecture
osTypes Included OS false string []
types

osTypesNin Not included false string []
OS types
osVersion__co Free-text false string []
ntains filter by OS
full name and
version
(supports
multiple
values)
query A free-text false string
search term,
will match
applicable
attributes
(sub-string
match). Note:
Device's
physical
addresses will
be matched if
they start
with the
search term
only (no
match if they
contain the
term).
rangerStatus [DEPRECATE false enum
D] Use
rangerStatuse
s.
rangerStatuse Status of false string []
s Ranger
rangerStatus Do not false string []
esNin include these
Ranger
Statuses
rangerVersion Ranger false string []
s versions to
include
rangerVersio Ranger false string []
nsNin versions not
to include

registeredAt Date range false string
__between for first
registration
time (format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
registeredAt_ Agents false string
_gt registered
after this
time
registeredAt_ Agents false string
_gte registered
after or at
this time
registeredAt__ Agents false string
lt registered
before this
time
registeredAt_ Agents false string
_lte registered
before or at
this time
remoteOpsFor Include only false boolean
ensicsSuppor agents that
ted has Remote
Ops
Forensicsfeat
ure
supported
remoteProfili Agent remote false string []
ngStates profiling state
remoteProfili Do not false string []
ngStatesNin include these
Agent remote
profiling
states
rsoLevel Supported false enum
Remote
Script
Orchestration

level
scanStatus Scan status false enum
scanStatuses Included scan false string []
statuses
scanStatuses Not included false string []
Nin scan statuses
serialNumber Free-text false string []
__contains filter by Serial
Number
(supports
multiple
values)
siteIds List of Site false string []
IDs to filter
by
tagsData Filter agents false string
by their
assigned tags.
Given in form
of a JSON
where each
key
represents a
tag key, and
each value
represents a
list of string
values to
filter by. To
filter by
unassigned
tag values,
use __nin
suffix in the
tag key.
threatConten Include only false string
tHash Agents that
have at least
one threat
with this
content hash
threatCreate Agents with false string

dAt__betwee threats
n reported in a
date range
(format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
threatCreate Agents with false string
dAt__gt threats
reported
after this
time
threatCreate Agents with false string
dAt__gte threats
reported
after or at
this time
threatCreated Agents with false string
At__lt threats
reported
before this
time
threatCreated Agents with false string
At__lte threats
reported
before or at
this time
threatHidden Include only false boolean
Agents with
at least one
hidden threat
threatMitigat Include only false enum
ionStatus Agents that
have threats
with this
mitigation
status
threatReboot Has at least false boolean []
Required one threat
with at least
one
mitigation

action
pending
reboot to
succeed
threatResolv Include only false boolean
ed Agents with
at least one
resolved
threat
totalMemory Total memory false string
__between range (GB,
inclusive)
totalMemory_ Memory size false integer
_gt (MB, more
than)
totalMemory_ Memory size false integer
_gte (MB, more
than or equal)
totalMemory_ Memory size false integer
_lt (MB, less
than)
totalMemory_ Memory size false integer
_lte (MB, less
than or equal)
updatedAt__ Date range false string
between for update
time (format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
updatedAt__g Agents false string
t updated after
this
timestamp
updatedAt__g Agents false string
te updated after
or at this
timestamp
updatedAt__l Agents false string
t updated

before this
timestamp
updatedAt__l Agents false string
te updated
before or at
this
timestamp
userActionsN Included false string []
eeded pending user
actions
userActionsN Excluded false string []
eededNin pending user
actions
uuid Agent's false string
universally
unique
identifier
uuid__contain Free-text false string []
s filter by
Agent UUID
(supports
multiple
values)
uuids A list of false string []
included
UUIDs

data Data false

Start Remote Shell
POST /web/api/v2.1/agents/actions/start-remote-shell

Remote Shell is an open websocket between the browser and the Agent, using a proprietary communication protocol that requires an unreasonable effort to run from the API. We recommend that you not use this call.

If you do want to use this API, you must have permission through your user role (not IT or Viewer), specific Remote Shell permissions, 2FA enabled on the username with a valid code in the twoFaCode parameter, and permissions for the Account, Site, or Group on whose policy Remote Shell is enabled.
To make sure you have permission to start Remote Shell, use the "can-start-remote-shell" command.

BEST PRACTICE
Use the UUID filter to run Remote Shell on a specific endpoint. To get the UUID, run the "agents" command.
In the body of this command, the data parameter set is mandatory.
Remote Shell requires a Control SKU.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name  Description  Required  Value
data  Response data  false  (nested fields below)
    agentId  Agent that matched the filter  false  string
    channelId  Name of the channel that will be used to communicate with the Agent  false  string
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
data  Data  true  (nested fields below)
    columns  Number of columns of the console shell  true  integer
    rows  Number of rows of the console shell  true  integer
    twoFaCode  The 2FA code to authenticate the user  true  string
    historyPassword  Password to zip the shell history file at end of session  false  string
    passwordFromScope  Used to specify execution where a generic password is used  false  (nested fields below)
        scopeLevel  User scope  true  enum
        scopeId  string repr. of scope id  false  string
filter  Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents.  true  (nested fields below)
    accountIds  List of Account IDs to filter by  false  string []
    activeThreats  Include Agents with this amount of active threats  false  integer
    activeThreats__gt  Include Agents with at least this amount of active threats  false  integer
adComputerM Free-text false string []
ember__conta filter by
ins Active
Directory
computer
groups string
(supports
multiple
values)
adComputerN Free-text false string []
ame__contain filter by
s Active
Directory
computer
name string
(supports
multiple
values)
adComputerQ Free-text false string []
uery__contain filter by
s Active
Directory
computer
name or its
groups
(supports
multiple
values)
adQuery An Active false string
Directory
query string
adQuery__con Free-text false string []
tains filter by
Active
Directory
string
(supports
multiple
values)
adUserMembe Free-text false string []
r__contains filter by
Active

Directory
user groups
string
(supports
multiple
values)
adUserName_ Free-text false string []
_contains filter by
Active
Directory
username
string
(supports
multiple
values)
adUserQuery_ Free-text false string []
_contains filter by
Active
Directory
computer
name or its
groups
(supports
multiple
values)
agentNamespa Free-text false string []
ce__contains filter by agent
namespace
(supports
multiple
values)
agentPodNam Free-text false string []
e__contains filter by agent
pod name
(supports
multiple
values)
agentVersion Version range false string
__between for agent
version
(format:
<from_versio
n>-
<to_version>,

inclusive)
agentVersion_ Agents false string
_gt versions
greater than
given version
agentVersion Agents false string
__gte versions
greater than
or equal to
given version
agentVersion_ Agents false string
_lt versions less
than given
version
agentVersion_ Agents false string
_lte versions less
than or equal
to given
version
agentVersion Agent false string []
s versions to
include
agentVersion Agent false string []
sNin versions not
to include
appsVulnerabi Apps false string []
lityStatuses vulnerability
status in
appsVulnerabi Apps false string []
lityStatusesN vulnerability
in status nin
awsRole__con Free-text false string []
tains filter by aws
role(supports
multiple
values)
awsSecurityG Free-text false string []
roups__conta filter by aws
ins securityGroup
s(supports
multiple

values)
awsSubnetIds Free-text false string []
__contains filter by aws
subnet ids
(supports
multiple
values)
azureResourc Free-text false string []
eGroup__cont filter by azure
ains resource
group(support
s multiple
values)
cloudAccount Free-text false string []
__contains filter by cloud
account
(supports
multiple
values)
cloudImage__ Free-text false string []
contains filter by cloud
image
(supports
multiple
values)
cloudInstance Free-text false string []
Id__contains filter by cloud
instance
id(supports
multiple
values)
cloudInstance Free-text false string []
Size__contain filter by cloud
s instance
size(supports
multiple
values)
cloudLocation Free-text false string []
__contains filter by cloud
location
(supports
multiple
values)

cloudNetwork Free-text false string []
__contains filter by cloud
network
(supports
multiple
values)
cloudProvider Agents from false string []
which cloud
provider
cloudProvide Exclude false string []
rNin Agents from
these cloud
provider
cloudTags__co Free-text false string []
ntains filter by cloud
tags
(supports
multiple
values)
clusterName_ Free-text false string []
_contains filter by
cluster name
(supports
multiple
values)
computerNa Computer false string
me name
computerNam Free-text false string []
e__contains filter by
computer
name
(supports
multiple
values)
computerNam Match false string
e__like computer
name
partially
(substring)
consoleMigra Migration false string []
tionStatuses status in
consoleMigra Migration false string []

tionStatusesN status nin
in
coreCount__ Possible false string
between number of
CPU cores
(inclusive)
coreCount__g CPU cores false integer
t (more than)
coreCount__g CPU cores false integer
te (more than or
equal)
coreCount__lt CPU cores false integer
(less than)
coreCount__l CPU cores false integer
te (less than or
equal)
cpuCount__b Possible false string
etween number of
CPU cores
(inclusive)
cpuCount__gt Number of false integer
CPUs (more
than)
cpuCount__gt Number of false integer
e CPUs (more
than or equal)
cpuCount__lt Number of false integer
CPUs (less
than)
cpuCount__lt Number of false integer
e CPUs (less
than or equal)
cpuId__contai Free-text false string []
ns filter by CPU
name
(supports
multiple
values)
createdAt__b Date range false string
etween for creation

time (format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
createdAt__g Agents false string
t created after
this
timestamp
createdAt__g Agents false string
te created after
or at this
timestamp
createdAt__lt Agents false string
created
before this
timestamp
createdAt__lt Agents false string
e created
before or at
this
timestamp
csvFilterId The ID of the false string
CSV file to
filter by
decommissio Date range false string
nedAt__betw for
een decommission
time (format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
decommission Agents false string
edAt__gt decommission
ed after this
timestamp
decommission Agents false string
edAt__gte decommission
ed after or at
this
timestamp

decommission Agents false string
edAt__lt decommission
ed before this
timestamp
decommission Agents false string
edAt__lte decommission
ed before this
timestamp
domains Included false string []
network
domains
domainsNin Not included false string []
network
domains
encryptedAppl Disk false boolean
ications encryption
status
externalId__c Free-text false string []
ontains filter by
external ID
(Customer ID)
externalIp__c Free-text false string []
ontains filter by
visible IP
(supports
multiple
values)
filteredGroup List of Group false string []
Ids IDs to filter
by
filteredSiteIds List of Site false string []
IDs to filter
by
filterId Include all false string
Agents
matching this
saved filter
firewallEnabl The agents false boolean []
ed supports
Firewall
Control and it

is enabled for
the agent's
group
gatewayIp Gateway ip false string
gcpServiceAc Free-text false string []
count__conta filter by gcp
ins service
account
(supports
multiple
values)
groupIds List of Group false string []
IDs to filter
by
hasContainer Include only false boolean
izedWorkload Agents
protecting
containerized
workloads
hasLocalConfi Agent has a false boolean
guration local
configuration
set
hasTags Include only false boolean
Agents that
have any tags
assigned if
True, or none
if False
ids A list of false string []
Agent IDs
infected Include only false boolean
Agents with
at least one
active threat
installerTypes Include only false string []
Agents
installed with
these
package
types

installerType Exclude false string []
sNin Agents
installed with
these
package
types
isActive Include only false boolean
active Agents
isDecommiss Include false boolean []
ioned active,
decommission
ed or both
isPendingUnin Include only false boolean
stall Agents with
pending
uninstall
requests
isUninstalled Include false boolean []
installed,
uninstalled or
both
isUpToDate Include only false boolean
Agents with
updated
software
k8sNodeLabel Free-text false string []
s__contains filter by K8s
node labels
(supports
multiple
values)
k8sNodeName Free-text false string []
__contains filter by K8s
node name
(supports
multiple
values)
k8sType__con Free-text false string []
tains filter by K8s
type(supports
multiple
values)

k8sVersion__c Free-text false string []
ontains filter by K8s
version
(supports
multiple
values)
lastActiveDa Date range false string
te__between for last active
date(format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
lastActiveDat Agents last false string
e__gt active after
this time
lastActiveDat Agents last false string
e__gte active after or
at this time
lastActiveDat Agents last false string
e__lt active before
this time
lastActiveDat Agents last false string
e__lte active before
or at this time
lastLoggedIn Free-text false string []
UserName__c filter by
ontains username
(supports
multiple
values)
lastSuccessf Date range false string
ulScanDate_ for last
_between successful full
disk
scan(format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
lastSuccessfu Agents last false string
lScanDate__g successful full

t disk scan
after this
time
lastSuccessfu Agents last false string
lScanDate__g successful full
te disk scan
after or at
this time
lastSuccessfu Agents last false string
lScanDate__lt successful full
disk scan
before this
time
lastSuccessfu Agents last false string
lScanDate__lt successful full
e disk scan
before or at
this time
liveUpdateId_ Free-text false string []
_contains filter by live
update ID
(supports
multiple
values)
locationEnabl The agents false boolean []
ed supports
Location
Awareness
and it is
enabled for
the agent's
group
locationIds Include only false string []
Agents
reporting
these
locations
locationIdsNi Do not false string []
n include only
Agents
reporting
these
locations

machineTypes Included false string []
machine
types
machineType Not included false string []
sNin machine
types
migrationStat Migration false enum
us status
missingPermis Included false string []
sions missing
permissions
missingPermi Excluded false string []
ssionsNin missing
permissions
mitigationMo Agent false enum
de mitigation
mode policy
mitigationMo Mitigation false enum
deSuspicious mode policy
for suspicious
activity
networkInter Free-text false string []
faceGatewayM filter by
acAddress__c Gateway
ontains MAC address
(supports
multiple
values)
networkInterf Free-text false string []
aceInet__cont filter by local
ains IP (supports
multiple
values)
networkInterf Free-text false string []
acePhysical__ filter by MAC
contains address
(supports
multiple
values)
networkQuara The agents false boolean []
ntineEnabled supports

Network
Quarantine
Control and
its enabled
for the
agent's group
networkStatu Included false string []
ses network
statuses
networkStatu Included false string []
sesNin network
statuses
operationalSt Agent false string []
ates operational
state
operationalSt Do not false string []
atesNin include these
Agent
operational
states
osArch OS false enum
architecture
osTypes Included OS false string []
types
osTypesNin Not included false string []
OS types
osVersion__co Free-text false string []
ntains filter by OS
full name and
version
(supports
multiple
values)
query A free-text false string
search term,
will match
applicable
attributes
(sub-string
match). Note:
Device's
physical

addresses will
be matched if
they start
with the
search term
only (no
match if they
contain the
term).
rangerStatus [DEPRECATE false enum
D] Use
rangerStatuse
s.
rangerStatuse Status of false string []
s Ranger
rangerStatus Do not false string []
esNin include these
Ranger
Statuses
rangerVersion Ranger false string []
s versions to
include
rangerVersio Ranger false string []
nsNin versions not
to include
registeredAt Date range false string
__between for first
registration
time (format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
registeredAt_ Agents false string
_gt registered
after this
time
registeredAt_ Agents false string
_gte registered
after or at
this time
registeredAt__ Agents false string

lt registered
before this
time
registeredAt_ Agents false string
_lte registered
before or at
this time
remoteOpsFor Include only false boolean
ensicsSuppor agents that
ted has Remote
Ops
Forensicsfeat
ure
supported
remoteProfili Agent remote false string []
ngStates profiling state
remoteProfili Do not false string []
ngStatesNin include these
Agent remote
profiling
states
rsoLevel Supported false enum
Remote
Script
Orchestration
level
scanStatus Scan status false enum
scanStatuses Included scan false string []
statuses
scanStatuses Not included false string []
Nin scan statuses
serialNumber Free-text false string []
__contains filter by Serial
Number
(supports
multiple
values)
siteIds List of Site false string []
IDs to filter
by
tagsData Filter agents false string

by their
assigned tags.
Given in form
of a JSON
where each
key
represents a
tag key, and
each value
represents a
list of string
values to
filter by. To
filter by
unassigned
tag values,
use __nin
suffix in the
tag key.
threatConten Include only false string
tHash Agents that
have at least
one threat
with this
content hash
threatCreate Agents with false string
dAt__betwee threats
n reported in a
date range
(format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
threatCreate Agents with false string
dAt__gt threats
reported
after this
time
threatCreate Agents with false string
dAt__gte threats
reported
after or at
this time

threatCreated Agents with false string
At__lt threats
reported
before this
time
threatCreated Agents with false string
At__lte threats
reported
before or at
this time
threatHidden Include only false boolean
Agents with
at least one
hidden threat
threatMitigat Include only false enum
ionStatus Agents that
have threats
with this
mitigation
status
threatReboot Has at least false boolean []
Required one threat
with at least
one
mitigation
action
pending
reboot to
succeed
threatResolv Include only false boolean
ed Agents with
at least one
resolved
threat
totalMemory Total memory false string
__between range (GB,
inclusive)
totalMemory_ Memory size false integer
_gt (MB, more
than)
totalMemory_ Memory size false integer
_gte (MB, more

than or equal)
totalMemory_ Memory size false integer
_lt (MB, less
than)
totalMemory_ Memory size false integer
_lte (MB, less
than or equal)
updatedAt__ Date range false string
between for update
time (format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
updatedAt__g Agents false string
t updated after
this
timestamp
updatedAt__g Agents false string
te updated after
or at this
timestamp
updatedAt__l Agents false string
t updated
before this
timestamp
updatedAt__l Agents false string
te updated
before or at
this
timestamp
userActionsN Included false string []
eeded pending user
actions
userActionsN Excluded false string []
eededNin pending user
actions
uuid Agent's false string
universally
unique
identifier

uuid__contain Free-text false string []
s filter by
Agent UUID
(supports
multiple
values)
uuids A list of false string []
included
UUIDs

Can run Remote Shell
POST /web/api/v2.1/agents/actions/can-start-remote-shell

Who can run Remote Shell? Remote Shell is a powerful way to respond remotely to events on endpoints. It gives you full shell capabilities: PowerShell on Windows, and Bash on macOS and Linux. To run a Remote Shell session, SentinelOne users require permissions, which are set on different levels, and it can be confusing to know who has permission. Use this command to see whether a username (one you created for someone else or for the API, or your own) has permission.

If a user does not have Remote Shell permission, how can you grant it? First, you need the Control SKU. Then, the user must have a role with permission to use Remote Shell: Admin, SOC, or IR Team (the IT role does not have Remote Shell permission). Finally, the user must be responsible for the Account, Site, or Group on whose policy Remote Shell is enabled.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name  Description  Required  Value
data  Response data  false  (nested fields below)
    affected  Number of entities affected by the requested operation  false  integer
errors  Errors  false  array
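
Added example, not part of the SentinelOne documentation: Python helpers that build the can-start-remote-shell pre-flight request for a single Agent UUID, interpret the documented response codes and the `affected` count, and check a start-remote-shell body against the Body Schema before anything is sent. The console URL, token, UUID and sample responses are constructed placeholders; the `ApiToken` header scheme and the reading of `affected == 1` as "exactly one eligible Agent" are assumptions.

```python
import json
import urllib.request

# Endpoint paths as documented on this page.
CAN_START_PATH = "/web/api/v2.1/agents/actions/can-start-remote-shell"
START_PATH = "/web/api/v2.1/agents/actions/start-remote-shell"

# Required fields of the start-remote-shell "data" object (from the Body Schema).
REQUIRED_DATA_FIELDS = {"columns": int, "rows": int, "twoFaCode": str}


def single_agent_filter(agent_uuid):
    """Return a filter targeting one Agent by UUID; refuse blank input."""
    if not isinstance(agent_uuid, str) or not agent_uuid.strip():
        raise ValueError("agent UUID required: an empty filter matches all applicable Agents")
    return {"uuid": agent_uuid.strip()}


def build_preflight_request(console_url, api_token, agent_uuid):
    """Build (without sending) the can-start-remote-shell POST request."""
    body = {"filter": single_agent_filter(agent_uuid)}
    return urllib.request.Request(
        console_url.rstrip("/") + CAN_START_PATH,
        data=json.dumps(body).encode("utf-8"),
        headers={
            "Content-Type": "application/json",
            # Assumption: header scheme is not stated in this section of the page.
            "Authorization": "ApiToken " + api_token,
        },
        method="POST",
    )


def evaluate_preflight(status, body_text):
    """Map a can-start-remote-shell response to (allowed, reason)."""
    if status == 401:
        return False, "unauthorized: sign in and retry"
    if status == 403:
        return False, "insufficient permissions"
    try:
        payload = json.loads(body_text)
    except ValueError:
        return False, "response body is not JSON"
    if not isinstance(payload, dict):
        return False, "response body is not a JSON object"
    if status == 400:
        return False, "invalid input: " + json.dumps(payload.get("errors"))
    if status != 200:
        return False, "unexpected status %d" % status
    affected = (payload.get("data") or {}).get("affected")
    if isinstance(affected, bool) or not isinstance(affected, int):
        return False, "response has no integer data.affected"
    # Assumption: exactly one affected entity means the one targeted Agent is eligible.
    if affected == 0:
        return False, "no eligible Agent matched the filter"
    if affected > 1:
        return False, "filter matched %d Agents; narrow it to one UUID" % affected
    return True, "exactly one Agent is eligible"


def validate_start_body(body):
    """Return a list of problems in a start-remote-shell body (empty list = OK)."""
    problems = []
    data = body.get("data")
    if not isinstance(data, dict):
        problems.append("data: mandatory parameter set is missing")
        data = {}
    for name, kind in REQUIRED_DATA_FIELDS.items():
        value = data.get(name)
        if isinstance(value, bool) or not isinstance(value, kind):
            problems.append("data.%s: required %s is missing or mistyped" % (name, kind.__name__))
        elif kind is int and value <= 0:
            problems.append("data.%s: must be positive (local sanity check)" % name)
        elif kind is str and not value.strip():
            problems.append("data.%s: must not be blank" % name)
    scope = data.get("passwordFromScope")
    if scope is not None and not (isinstance(scope, dict) and "scopeLevel" in scope):
        problems.append("data.passwordFromScope.scopeLevel: required when the scope is given")
    flt = body.get("filter")
    if not isinstance(flt, dict) or not flt:
        problems.append("filter: empty filter applies the action to all applicable Agents")
    elif "uuid" not in flt:
        problems.append("filter: best practice is to target one Agent by uuid")
    return problems


if __name__ == "__main__":
    # Constructed placeholders; nothing is sent over the network.
    req = build_preflight_request("https://console.example.invalid", "PLACEHOLDER", "constructed-uuid-0001")
    print(req.get_method(), req.full_url, req.data.decode())
    print(evaluate_preflight(200, '{"data": {"affected": 1}, "errors": null}'))
    print(validate_start_body({"data": {"columns": 120, "rows": 40}, "filter": {}}))
```
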

Body Schema
Name  Description  Required  Value
filter  Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents.  true  (nested fields below)
    accountIds  List of Account IDs to filter by  false  string []
    activeThreats  Include Agents with this amount of active threats  false  integer
    activeThreats__gt  Include Agents with at least this amount of active threats  false  integer
adComputerM Free-text false string []
ember__conta filter by
ins Active
Directory
computer
groups string
(supports
multiple
values)
adComputerN Free-text false string []
ame__contain filter by
s Active
Directory
computer
name string
(supports
multiple
values)
adComputerQ Free-text false string []
uery__contain filter by
s Active
Directory
computer
name or its
groups

(supports
multiple
values)
adQuery An Active false string
Directory
query string
adQuery__con Free-text false string []
tains filter by
Active
Directory
string
(supports
multiple
values)
adUserMembe Free-text false string []
r__contains filter by
Active
Directory
user groups
string
(supports
multiple
values)
adUserName_ Free-text false string []
_contains filter by
Active
Directory
username
string
(supports
multiple
values)
adUserQuery_ Free-text false string []
_contains filter by
Active
Directory
computer
name or its
groups
(supports
multiple
values)
agentNamespa Free-text false string []

ce__contains filter by agent
namespace
(supports
multiple
values)
agentPodNam Free-text false string []
e__contains filter by agent
pod name
(supports
multiple
values)
agentVersion Version range false string
__between for agent
version
(format:
<from_versio
n>-
<to_version>,
inclusive)
agentVersion_ Agents false string
_gt versions
greater than
given version
agentVersion Agents false string
__gte versions
greater than
or equal to
given version
agentVersion_ Agents false string
_lt versions less
than given
version
agentVersion_ Agents false string
_lte versions less
than or equal
to given
version
agentVersion Agent false string []
s versions to
include
agentVersion Agent false string []
sNin versions not

to include
appsVulnerabi Apps false string []
lityStatuses vulnerability
status in
appsVulnerabi Apps false string []
lityStatusesN vulnerability
in status nin
awsRole__con Free-text false string []
tains filter by aws
role(supports
multiple
values)
awsSecurityG Free-text false string []
roups__conta filter by aws
ins securityGroup
s(supports
multiple
values)
awsSubnetIds Free-text false string []
__contains filter by aws
subnet ids
(supports
multiple
values)
azureResourc Free-text false string []
eGroup__cont filter by azure
ains resource
group(support
s multiple
values)
cloudAccount Free-text false string []
__contains filter by cloud
account
(supports
multiple
values)
cloudImage__ Free-text false string []
contains filter by cloud
image
(supports
multiple
values)

cloudInstance Free-text false string []
Id__contains filter by cloud
instance
id(supports
multiple
values)
cloudInstance Free-text false string []
Size__contain filter by cloud
s instance
size(supports
multiple
values)
cloudLocation Free-text false string []
__contains filter by cloud
location
(supports
multiple
values)
cloudNetwork Free-text false string []
__contains filter by cloud
network
(supports
multiple
values)
cloudProvider Agents from false string []
which cloud
provider
cloudProvide Exclude false string []
rNin Agents from
these cloud
provider
cloudTags__co Free-text false string []
ntains filter by cloud
tags
(supports
multiple
values)
clusterName_ Free-text false string []
_contains filter by
cluster name
(supports
multiple
values)

computerNa Computer false string
me name
computerNam Free-text false string []
e__contains filter by
computer
name
(supports
multiple
values)
computerNam Match false string
e__like computer
name
partially
(substring)
consoleMigra Migration false string []
tionStatuses status in
consoleMigra Migration false string []
tionStatusesN status nin
in
coreCount__ Possible false string
between number of
CPU cores
(inclusive)
coreCount__g CPU cores false integer
t (more than)
coreCount__g CPU cores false integer
te (more than or
equal)
coreCount__lt CPU cores false integer
(less than)
coreCount__l CPU cores false integer
te (less than or
equal)
cpuCount__b Possible false string
etween number of
CPU cores
(inclusive)
cpuCount__gt Number of false integer
CPUs (more
than)

cpuCount__gt Number of false integer
e CPUs (more
than or equal)
cpuCount__lt Number of false integer
CPUs (less
than)
cpuCount__lt Number of false integer
e CPUs (less
than or equal)
cpuId__contai Free-text false string []
ns filter by CPU
name
(supports
multiple
values)
createdAt__b Date range false string
etween for creation
time (format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
createdAt__g Agents false string
t created after
this
timestamp
createdAt__g Agents false string
te created after
or at this
timestamp
createdAt__lt Agents false string
created
before this
timestamp
createdAt__lt Agents false string
e created
before or at
this
timestamp
csvFilterId The ID of the false string
CSV file to
filter by

decommissio Date range false string
nedAt__betw for
een decommission
time (format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
decommission Agents false string
edAt__gt decommission
ed after this
timestamp
decommission Agents false string
edAt__gte decommission
ed after or at
this
timestamp
decommission Agents false string
edAt__lt decommission
ed before this
timestamp
decommission Agents false string
edAt__lte decommission
ed before this
timestamp
domains Included false string []
network
domains
domainsNin Not included false string []
network
domains
encryptedAppl Disk false boolean
ications encryption
status
externalId__c Free-text false string []
ontains filter by
external ID
(Customer ID)
externalIp__c Free-text false string []
ontains filter by
visible IP
(supports

multiple
values)
filteredGroup List of Group false string []
Ids IDs to filter
by
filteredSiteIds List of Site false string []
IDs to filter
by
filterId Include all false string
Agents
matching this
saved filter
firewallEnabl The agents false boolean []
ed supports
Firewall
Control and it
is enabled for
the agent's
group
gatewayIp Gateway ip false string
gcpServiceAc Free-text false string []
count__conta filter by gcp
ins service
account
(supports
multiple
values)
groupIds List of Group false string []
IDs to filter
by
hasContainer Include only false boolean
izedWorkload Agents
protecting
containerized
workloads
hasLocalConfi Agent has a false boolean
guration local
configuration
set
hasTags Include only false boolean
Agents that

have any tags
assigned if
True, or none
if False
ids A list of Agent IDs false string []
infected Include only Agents with at least one active threat false boolean
installerTypes Include only Agents installed with these package types false string []
installerTypesNin Exclude Agents installed with these package types false string []
isActive Include only active Agents false boolean
isDecommissioned Include active, decommissioned or both false boolean []
isPendingUninstall Include only Agents with pending uninstall requests false boolean
isUninstalled Include installed, uninstalled or both false boolean []
isUpToDate Include only Agents with updated software false boolean
k8sNodeLabels__contains Free-text filter by K8s node labels (supports multiple values) false string []
k8sNodeName__contains Free-text filter by K8s node name (supports multiple values) false string []
k8sType__contains Free-text filter by K8s type (supports multiple values) false string []
k8sVersion__contains Free-text filter by K8s version (supports multiple values) false string []
lastActiveDate__between Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) false string
lastActiveDate__gt Agents last active after this time false string
lastActiveDate__gte Agents last active after or at this time false string
lastActiveDate__lt Agents last active before this time false string
lastActiveDate__lte Agents last active before or at this time false string
lastLoggedInUserName__contains Free-text filter by username (supports multiple values) false string []
lastSuccessfulScanDate__between Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) false string
lastSuccessfulScanDate__gt Agents last successful full disk scan after this time false string
lastSuccessfulScanDate__gte Agents last successful full disk scan after or at this time false string
lastSuccessfulScanDate__lt Agents last successful full disk scan before this time false string
lastSuccessfulScanDate__lte Agents last successful full disk scan before or at this time false string
liveUpdateId__contains Free-text filter by live update ID (supports multiple values) false string []
locationEnabled The agents supports Location Awareness and it is enabled for the agent's group false boolean []
locationIds Include only Agents reporting these locations false string []
locationIdsNin Do not include only Agents reporting these locations false string []
machineTypes Included machine types false string []
machineTypesNin Not included machine types false string []
migrationStatus Migration status false enum
missingPermissions Included missing permissions false string []
missingPermissionsNin Excluded missing permissions false string []
mitigationMode Agent mitigation mode policy false enum
mitigationModeSuspicious Mitigation mode policy for suspicious activity false enum
networkInterfaceGatewayMacAddress__contains Free-text filter by Gateway MAC address (supports multiple values) false string []
networkInterfaceInet__contains Free-text filter by local IP (supports multiple values) false string []
networkInterfacePhysical__contains Free-text filter by MAC address (supports multiple values) false string []
networkQuarantineEnabled The agents supports Network Quarantine Control and its enabled for the agent's group false boolean []
networkStatuses Included network statuses false string []
networkStatusesNin Included network statuses false string []
operationalStates Agent operational state false string []
operationalStatesNin Do not include these Agent operational states false string []
osArch OS architecture false enum
osTypes Included OS types false string []
osTypesNin Not included OS types false string []
osVersion__contains Free-text filter by OS full name and version (supports multiple values) false string []
query A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). false string
rangerStatus [DEPRECATED] Use rangerStatuses. false enum
rangerStatuses Status of Ranger false string []
rangerStatusesNin Do not include these Ranger Statuses false string []
rangerVersions Ranger versions to include false string []
rangerVersionsNin Ranger versions not to include false string []
registeredAt__between Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
registeredAt__gt Agents registered after this time false string
registeredAt__gte Agents registered after or at this time false string
registeredAt__lt Agents registered before this time false string
registeredAt__lte Agents registered before or at this time false string
remoteOpsForensicsSupported Include only agents that has Remote Ops Forensics feature supported false boolean
remoteProfilingStates Agent remote profiling state false string []
remoteProfilingStatesNin Do not include these Agent remote profiling states false string []
rsoLevel Supported Remote Script Orchestration level false enum
scanStatus Scan status false enum
scanStatuses Included scan statuses false string []
scanStatusesNin Not included scan statuses false string []
serialNumber__contains Free-text filter by Serial Number (supports multiple values) false string []
siteIds List of Site IDs to filter by false string []
tagsData Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. false string
threatContentHash Include only Agents that have at least one threat with this content hash false string
threatCreatedAt__between Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) false string
threatCreatedAt__gt Agents with threats reported after this time false string
threatCreatedAt__gte Agents with threats reported after or at this time false string
threatCreatedAt__lt Agents with threats reported before this time false string
threatCreatedAt__lte Agents with threats reported before or at this time false string
threatHidden Include only Agents with at least one hidden threat false boolean
threatMitigationStatus Include only Agents that have threats with this mitigation status false enum
threatRebootRequired Has at least one threat with at least one mitigation action pending reboot to succeed false boolean []
threatResolved Include only Agents with at least one resolved threat false boolean
totalMemory__between Total memory range (GB, inclusive) false string
totalMemory__gt Memory size (MB, more than) false integer
totalMemory__gte Memory size (MB, more than or equal) false integer
totalMemory__lt Memory size (MB, less than) false integer
totalMemory__lte Memory size (MB, less than or equal) false integer
updatedAt__between Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
updatedAt__gt Agents updated after this timestamp false string
updatedAt__gte Agents updated after or at this timestamp false string
updatedAt__lt Agents updated before this timestamp false string
updatedAt__lte Agents updated before or at this timestamp false string
userActionsNeeded Included pending user actions false string []
userActionsNeededNin Excluded pending user actions false string []
uuid Agent's universally unique identifier false string
uuid__contains Free-text filter by Agent UUID (supports multiple values) false string []
uuids A list of included UUIDs false string []

data Data false

Terminate Remote Shell
POST /web/api/v2.1/agents/actions/terminate-remote-shell

Remote Shell is a powerful, full shell for Windows, macOS, and Linux. It is best practice to terminate Remote Shell sessions when they are not in use. A Remote Shell session terminates when the user closes the session, the session times out, or the session is idle longer than the idle-timeout.
Use this command to terminate a session immediately.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
data Response data false
Name Description Required Value
affected Number of entities affected by the requested operation false integer

errors Errors false array

Body Schema
Name Description Required Value
data Data true
Name Description Required Value
channelId The channel the user is closing true string

filter Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents. true
Name Description Required Value
accountIds List of Account IDs to filter by false string []
activeThreats Include Agents with this amount of active threats false integer
activeThreats__gt Include Agents with at least this amount of active threats false integer
adComputerMember__contains Free-text filter by Active Directory computer groups string (supports multiple values) false string []
adComputerName__contains Free-text filter by Active Directory computer name string (supports multiple values) false string []
adComputerQuery__contains Free-text filter by Active Directory computer name or its groups (supports multiple values) false string []
adQuery An Active Directory query string false string
adQuery__contains Free-text filter by Active Directory string (supports multiple values) false string []
adUserMember__contains Free-text filter by Active Directory user groups string (supports multiple values) false string []
adUserName__contains Free-text filter by Active Directory username string (supports multiple values) false string []
adUserQuery__contains Free-text filter by Active Directory computer name or its groups (supports multiple values) false string []
agentNamespace__contains Free-text filter by agent namespace (supports multiple values) false string []
agentPodName__contains Free-text filter by agent pod name (supports multiple values) false string []
agentVersion__between Version range for agent version (format: <from_version>-<to_version>, inclusive) false string
agentVersion__gt Agents versions greater than given version false string
agentVersion__gte Agents versions greater than or equal to given version false string
agentVersion__lt Agents versions less than given version false string
agentVersion__lte Agents versions less than or equal to given version false string
agentVersions Agent versions to include false string []
agentVersionsNin Agent versions not to include false string []
appsVulnerabilityStatuses Apps vulnerability status in false string []
appsVulnerabilityStatusesNin Apps vulnerability status nin false string []
awsRole__contains Free-text filter by aws role (supports multiple values) false string []
awsSecurityGroups__contains Free-text filter by aws securityGroups (supports multiple values) false string []
awsSubnetIds__contains Free-text filter by aws subnet ids (supports multiple values) false string []
azureResourceGroup__contains Free-text filter by azure resource group (supports multiple values) false string []
cloudAccount__contains Free-text filter by cloud account (supports multiple values) false string []
cloudImage__contains Free-text filter by cloud image (supports multiple values) false string []
cloudInstanceId__contains Free-text filter by cloud instance id (supports multiple values) false string []
cloudInstanceSize__contains Free-text filter by cloud instance size (supports multiple values) false string []
cloudLocation__contains Free-text filter by cloud location (supports multiple values) false string []
cloudNetwork__contains Free-text filter by cloud network (supports multiple values) false string []
cloudProvider Agents from which cloud provider false string []
cloudProviderNin Exclude Agents from these cloud provider false string []
cloudTags__contains Free-text filter by cloud tags (supports multiple values) false string []
clusterName__contains Free-text filter by cluster name (supports multiple values) false string []
computerName Computer name false string
computerName__contains Free-text filter by computer name (supports multiple values) false string []
computerName__like Match computer name partially (substring) false string
consoleMigrationStatuses Migration status in false string []
consoleMigrationStatusesNin Migration status nin false string []
coreCount__between Possible number of CPU cores (inclusive) false string
coreCount__gt CPU cores (more than) false integer
coreCount__gte CPU cores (more than or equal) false integer
coreCount__lt CPU cores (less than) false integer
coreCount__lte CPU cores (less than or equal) false integer
cpuCount__between Possible number of CPU cores (inclusive) false string
cpuCount__gt Number of CPUs (more than) false integer
cpuCount__gte Number of CPUs (more than or equal) false integer
cpuCount__lt Number of CPUs (less than) false integer
cpuCount__lte Number of CPUs (less than or equal) false integer
cpuId__contains Free-text filter by CPU name (supports multiple values) false string []
createdAt__between Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
createdAt__gt Agents created after this timestamp false string
createdAt__gte Agents created after or at this timestamp false string
createdAt__lt Agents created before this timestamp false string
createdAt__lte Agents created before or at this timestamp false string
csvFilterId The ID of the CSV file to filter by false string
decommissionedAt__between Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
decommissionedAt__gt Agents decommissioned after this timestamp false string
decommissionedAt__gte Agents decommissioned after or at this timestamp false string
decommissionedAt__lt Agents decommissioned before this timestamp false string
decommissionedAt__lte Agents decommissioned before this timestamp false string
domains Included network domains false string []
domainsNin Not included network domains false string []
encryptedApplications Disk encryption status false boolean
externalId__contains Free-text filter by external ID (Customer ID) false string []
externalIp__contains Free-text filter by visible IP (supports multiple values) false string []
filteredGroupIds List of Group IDs to filter by false string []
filteredSiteIds List of Site IDs to filter by false string []
filterId Include all Agents matching this saved filter false string
firewallEnabled The agents supports Firewall Control and it is enabled for the agent's group false boolean []
gatewayIp Gateway ip false string
gcpServiceAccount__contains Free-text filter by gcp service account (supports multiple values) false string []
groupIds List of Group IDs to filter by false string []
hasContainerizedWorkload Include only Agents protecting containerized workloads false boolean
hasLocalConfiguration Agent has a local configuration set false boolean
hasTags Include only Agents that have any tags assigned if True, or none if False false boolean
ids A list of Agent IDs false string []
infected Include only Agents with at least one active threat false boolean
installerTypes Include only Agents installed with these package types false string []
installerTypesNin Exclude Agents installed with these package types false string []
isActive Include only active Agents false boolean
isDecommissioned Include active, decommissioned or both false boolean []
isPendingUninstall Include only Agents with pending uninstall requests false boolean
isUninstalled Include installed, uninstalled or both false boolean []
isUpToDate Include only Agents with updated software false boolean
k8sNodeLabels__contains Free-text filter by K8s node labels (supports multiple values) false string []
k8sNodeName__contains Free-text filter by K8s node name (supports multiple values) false string []
k8sType__contains Free-text filter by K8s type (supports multiple values) false string []
k8sVersion__contains Free-text filter by K8s version (supports multiple values) false string []
lastActiveDate__between Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) false string
lastActiveDate__gt Agents last active after this time false string
lastActiveDate__gte Agents last active after or at this time false string
lastActiveDate__lt Agents last active before this time false string
lastActiveDate__lte Agents last active before or at this time false string
lastLoggedInUserName__contains Free-text filter by username (supports multiple values) false string []
lastSuccessfulScanDate__between Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) false string
lastSuccessfulScanDate__gt Agents last successful full disk scan after this time false string
lastSuccessfulScanDate__gte Agents last successful full disk scan after or at this time false string
lastSuccessfulScanDate__lt Agents last successful full disk scan before this time false string
lastSuccessfulScanDate__lte Agents last successful full disk scan before or at this time false string
liveUpdateId__contains Free-text filter by live update ID (supports multiple values) false string []
locationEnabled The agents supports Location Awareness and it is enabled for the agent's group false boolean []
locationIds Include only Agents reporting these locations false string []
locationIdsNin Do not include only Agents reporting these locations false string []
machineTypes Included machine types false string []
machineTypesNin Not included machine types false string []
migrationStatus Migration status false enum
missingPermissions Included missing permissions false string []
missingPermissionsNin Excluded missing permissions false string []
mitigationMode Agent mitigation mode policy false enum
mitigationModeSuspicious Mitigation mode policy for suspicious activity false enum
networkInterfaceGatewayMacAddress__contains Free-text filter by Gateway MAC address (supports multiple values) false string []
networkInterfaceInet__contains Free-text filter by local IP (supports multiple values) false string []
networkInterfacePhysical__contains Free-text filter by MAC address (supports multiple values) false string []
networkQuarantineEnabled The agents supports Network Quarantine Control and its enabled for the agent's group false boolean []
networkStatuses Included network statuses false string []
networkStatusesNin Included network statuses false string []
operationalStates Agent operational state false string []
operationalStatesNin Do not include these Agent operational states false string []
osArch OS architecture false enum
osTypes Included OS types false string []
osTypesNin Not included OS types false string []
osVersion__contains Free-text filter by OS full name and version (supports multiple values) false string []
query A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). false string
rangerStatus [DEPRECATED] Use rangerStatuses. false enum
rangerStatuses Status of Ranger false string []
rangerStatusesNin Do not include these Ranger Statuses false string []
rangerVersions Ranger versions to include false string []
rangerVersionsNin Ranger versions not to include false string []
registeredAt__between Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
registeredAt__gt Agents registered after this time false string
registeredAt__gte Agents registered after or at this time false string
registeredAt__lt Agents registered before this time false string
registeredAt__lte Agents registered before or at this time false string
remoteOpsForensicsSupported Include only agents that has Remote Ops Forensics feature supported false boolean
remoteProfilingStates Agent remote profiling state false string []
remoteProfilingStatesNin Do not include these Agent remote profiling states false string []
rsoLevel Supported Remote Script Orchestration level false enum
scanStatus Scan status false enum
scanStatuses Included scan statuses false string []
scanStatusesNin Not included scan statuses false string []
serialNumber__contains Free-text filter by Serial Number (supports multiple values) false string []
siteIds List of Site IDs to filter by false string []
tagsData Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. false string
threatContentHash Include only Agents that have at least one threat with this content hash false string
threatCreatedAt__between Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) false string
threatCreatedAt__gt Agents with threats reported after this time false string
threatCreatedAt__gte Agents with threats reported after or at this time false string
threatCreatedAt__lt Agents with threats reported before this time false string
threatCreatedAt__lte Agents with threats reported before or at this time false string
threatHidden Include only Agents with at least one hidden threat false boolean
threatMitigationStatus Include only Agents that have threats with this mitigation status false enum
threatRebootRequired Has at least one threat with at least one mitigation action pending reboot to succeed false boolean []
threatResolved Include only Agents with at least one resolved threat false boolean
totalMemory__between Total memory range (GB, inclusive) false string
totalMemory__gt Memory size (MB, more than) false integer
totalMemory__gte Memory size (MB, more than or equal) false integer
totalMemory__lt Memory size (MB, less than) false integer
totalMemory__lte Memory size (MB, less than or equal) false integer
updatedAt__between Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
updatedAt__gt Agents updated after this timestamp false string
updatedAt__gte Agents updated after or at this timestamp false string
updatedAt__lt Agents updated before this timestamp false string
updatedAt__lte Agents updated before or at this timestamp false string
userActionsNeeded Included pending user actions false string []
userActionsNeededNin Excluded pending user actions false string []
uuid Agent's universally unique identifier false string
uuid__contains Free-text filter by Agent UUID (supports multiple values) false string []
uuids A list of included UUIDs false string []

Fetch Firewall Logs
POST /web/api/v2.1/agents/actions/firewall-logging

Get Firewall Control events in the local log file, written in clear text, for Firewall Control events of an endpoint with Firewall Control enabled. Enable the logs for Agents that match the filter.
When Firewall Logging is enabled, you can choose if blocked traffic events go only to a local log on the endpoint (reportMgmt: false, reportLog: true), or also to Console > Activity (reportMgmt: true).
Allowed traffic is not logged.
Each Agent with Firewall Control Event Logging enabled keeps five log files, for a total of 100 MB maximum. The logs cycle older lines to maintain the size threshold.
On Windows endpoints, the Firewall Control logs are in C:\ProgramData\Sentinel\logs\. Search for log files with "visible" in the filename.
On macOS, run: sudo sentinelctl log.
On Linux, run: sudo /opt/sentinelone/bin/sentinelctl log generate /output_path.
Make sure the Group and Site of the Agent have Firewall Control enabled. Firewall Control requires a Control SKU.
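An added example, not part of SentinelOne's documentation: a client-side guard that builds the request bodies for this endpoint and for Terminate Remote Shell from their Body Schemas and refuses an empty filter, which the schema says applies the action to all applicable Agents. The helper names, the subset of filter keys checked and the placeholder IDs are assumptions made for illustration; nothing is sent over the network.

```python
import json

ACTIONS = "/web/api/v2.1/agents/actions"  # path prefix as printed on this page

# Subset of the filter keys listed in the Body Schema, with the value type the
# schema gives ("string []" -> list of str). Extend from the schema as needed.
FILTER_SCHEMA = {
    "accountIds": [str], "siteIds": [str], "groupIds": [str], "ids": [str],
    "uuids": [str], "computerName__contains": [str],
    "uuid": str, "computerName": str, "filterId": str,
    "isActive": bool, "infected": bool, "isUpToDate": bool,
    "activeThreats": int, "activeThreats__gt": int,
}


class FilterError(ValueError):
    """Raised when a request would be malformed or wider in scope than intended."""


def _type_ok(value, expected):
    if isinstance(expected, list):  # "string []" in the schema
        # An empty list narrows nothing we can reason about locally, so reject it.
        return (isinstance(value, list) and len(value) > 0
                and all(isinstance(v, expected[0]) for v in value))
    if expected is int:  # bool is a subclass of int in Python; keep them apart
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, expected)


def check_filter(flt, allow_all_agents=False):
    """Return a copy of flt after checking its keys, value types and scope."""
    if not isinstance(flt, dict):
        raise FilterError("filter must be an object")
    if not flt and not allow_all_agents:
        # Body Schema: "Leave empty to apply the action on all applicable Agents."
        raise FilterError("empty filter targets all applicable Agents; "
                          "pass allow_all_agents=True to confirm")
    for key, value in flt.items():
        if key not in FILTER_SCHEMA:
            # Catch misspelled keys locally instead of relying on server behaviour.
            raise FilterError(f"unknown filter key: {key!r}")
        if not _type_ok(value, FILTER_SCHEMA[key]):
            raise FilterError(f"bad value for {key!r}: {value!r}")
    return dict(flt)


def firewall_logging_request(report_log, report_mgmt, flt, allow_all_agents=False):
    """Build (method, path, body) for Fetch Firewall Logs."""
    for name, value in (("reportLog", report_log), ("reportMgmt", report_mgmt)):
        if not isinstance(value, bool):
            raise FilterError(f"{name} is required and must be a boolean")
    body = {"data": {"reportLog": report_log, "reportMgmt": report_mgmt},
            "filter": check_filter(flt, allow_all_agents)}
    return "POST", f"{ACTIONS}/firewall-logging", body


def terminate_remote_shell_request(channel_id, flt, allow_all_agents=False):
    """Build (method, path, body) for Terminate Remote Shell."""
    if not isinstance(channel_id, str) or not channel_id.strip():
        raise FilterError("channelId is required and must be a non-empty string")
    body = {"data": {"channelId": channel_id},
            "filter": check_filter(flt, allow_all_agents)}
    return "POST", f"{ACTIONS}/terminate-remote-shell", body


def affected_count(response_text):
    """Read data.affected from a response body shaped like the Response Schema."""
    doc = json.loads(response_text)
    if doc.get("errors"):
        raise RuntimeError(f"API returned errors: {doc['errors']}")
    data = doc.get("data") or {}
    return int(data.get("affected", 0))


if __name__ == "__main__":
    # Constructed sample values; SITE_ID_PLACEHOLDER is not a real site ID.
    # reportLog=True, reportMgmt=False: blocked-traffic events go to the local log only.
    method, path, body = firewall_logging_request(
        True, False, {"siteIds": ["SITE_ID_PLACEHOLDER"], "isActive": True})
    print(method, path)
    print(json.dumps(body, indent=2))
    # Constructed response, used to compare the affected count with the intended scope.
    print(affected_count('{"data": {"affected": 3}, "errors": null}'))
```

Comparing the returned `affected` value with the number of Agents you meant to target is a quick check that the filter matched the intended scope.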

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
data Response data false
Name Description Required Value
affected Number of entities affected by the requested operation false integer

errors Errors false array

Body Schema
Name Description Required Value
data Data true
Name Description Required Value
reportLog Report blocking activity to log true boolean
reportMgmt Report blocking activity to management true boolean

filter Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents. true
Name Description Required Value
accountIds List of Account IDs to filter by false string []
activeThreats Include Agents with this amount of active threats false integer
activeThreats__gt Include Agents with at least this amount of active threats false integer
adComputerMember__contains Free-text filter by Active Directory computer groups string (supports multiple values) false string []
adComputerName__contains Free-text filter by Active Directory computer name string (supports multiple values) false string []
adComputerQuery__contains Free-text filter by Active Directory computer name or its groups (supports multiple values) false string []
adQuery An Active Directory query string false string
adQuery__contains Free-text filter by Active Directory string (supports multiple values) false string []
adUserMember__contains Free-text filter by Active Directory user groups string (supports multiple values) false string []
adUserName__contains Free-text filter by Active Directory username string (supports multiple values) false string []
adUserQuery__contains Free-text filter by Active Directory computer name or its groups (supports multiple values) false string []
agentNamespace__contains Free-text filter by agent namespace (supports multiple values) false string []
agentPodName__contains Free-text filter by agent pod name (supports multiple values) false string []
agentVersion__between Version range for agent version (format: <from_version>-<to_version>, inclusive) false string
agentVersion__gt Agents versions greater than given version false string
agentVersion__gte Agents versions greater than or equal to given version false string
agentVersion__lt Agents versions less than given version false string
agentVersion__lte Agents versions less than or equal to given version false string
agentVersions Agent versions to include false string []
agentVersionsNin Agent versions not to include false string []
appsVulnerabilityStatuses Apps vulnerability status in false string []
appsVulnerabilityStatusesNin Apps vulnerability status nin false string []
awsRole__contains Free-text filter by aws role (supports multiple values) false string []
awsSecurityGroups__contains Free-text filter by aws securityGroups (supports multiple values) false string []
awsSubnetIds__contains Free-text filter by aws subnet ids (supports multiple values) false string []
azureResourceGroup__contains Free-text filter by azure resource group (supports multiple values) false string []
cloudAccount__contains Free-text filter by cloud account (supports multiple values) false string []
cloudImage__contains Free-text filter by cloud image (supports multiple values) false string []
cloudInstanceId__contains Free-text filter by cloud instance id (supports multiple values) false string []
cloudInstanceSize__contains Free-text filter by cloud instance size (supports multiple values) false string []
cloudLocation__contains Free-text filter by cloud location (supports multiple values) false string []
cloudNetwork__contains Free-text filter by cloud network (supports multiple values) false string []
cloudProvider Agents from which cloud provider false string []
cloudProviderNin Exclude Agents from these cloud provider false string []
cloudTags__contains Free-text filter by cloud tags (supports multiple values) false string []
clusterName__contains Free-text filter by cluster name (supports multiple values) false string []
computerName Computer name false string
computerName__contains Free-text filter by computer name (supports multiple values) false string []
computerName__like Match computer name partially (substring) false string
consoleMigrationStatuses Migration status in false string []
consoleMigrationStatusesNin Migration status nin false string []
coreCount__between Possible number of CPU cores (inclusive) false string
coreCount__gt CPU cores (more than) false integer
coreCount__gte CPU cores (more than or equal) false integer
coreCount__lt CPU cores (less than) false integer
coreCount__lte CPU cores (less than or equal) false integer
cpuCount__between Possible number of CPU cores (inclusive) false string
cpuCount__gt Number of CPUs (more than) false integer
cpuCount__gte Number of CPUs (more than or equal) false integer
cpuCount__lt Number of CPUs (less than) false integer
cpuCount__lte Number of CPUs (less than or equal) false integer
cpuId__contains Free-text filter by CPU name (supports multiple values) false string []
createdAt__between Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
createdAt__gt Agents created after this timestamp false string
createdAt__gte Agents created after or at this timestamp false string
createdAt__lt Agents created before this timestamp false string
createdAt__lte Agents created before or at this timestamp false string
csvFilterId The ID of the CSV file to filter by false string
decommissionedAt__between Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
decommissionedAt__gt Agents decommissioned after this timestamp false string
decommissionedAt__gte Agents decommissioned after or at this timestamp false string
decommissionedAt__lt Agents decommissioned before this timestamp false string
decommissionedAt__lte Agents decommissioned before this timestamp false string
domains Included network domains false string []
domainsNin Not included network domains false string []
encryptedApplications Disk encryption status false boolean
externalId__contains Free-text filter by external ID (Customer ID) false string []
externalIp__contains Free-text filter by visible IP (supports multiple values) false string []
filteredGroupIds List of Group IDs to filter by false string []
filteredSiteIds List of Site IDs to filter by false string []
filterId Include all Agents matching this saved filter false string
firewallEnabled The agents supports Firewall Control and it is enabled for the agent's group false boolean []
gatewayIp Gateway ip false string
gcpServiceAccount__contains Free-text filter by gcp service account (supports multiple values) false string []
groupIds List of Group IDs to filter by false string []
hasContainerizedWorkload Include only Agents protecting containerized workloads false boolean
hasLocalConfiguration Agent has a local configuration set false boolean
hasTags Include only Agents that have any tags assigned if True, or none if False false boolean
ids A list of Agent IDs false string []
infected Include only Agents with at least one active threat false boolean
installerTypes Include only Agents installed with these package types false string []
installerTypesNin Exclude Agents installed with these package types false string []
isActive Include only active Agents false boolean
isDecommissioned Include active, decommissioned or both false boolean []
isPendingUninstall Include only Agents with pending uninstall requests false boolean
isUninstalled Include false boolean []
installed,
uninstalled or
both
isUpToDate Include only false boolean
Agents with
updated
software
k8sNodeLabel Free-text false string []
s__contains filter by K8s
node labels
(supports
multiple
values)
k8sNodeName Free-text false string []
__contains filter by K8s
node name
(supports
multiple
values)
k8sType__con Free-text false string []
tains filter by K8s
type(supports
multiple
values)
k8sVersion__c Free-text false string []
ontains filter by K8s
version
(supports
multiple
values)
lastActiveDa Date range false string
te__between for last active
date(format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
lastActiveDat Agents last false string
e__gt active after

596
this time
lastActiveDat Agents last false string
e__gte active after or
at this time
lastActiveDat Agents last false string
e__lt active before
this time
lastActiveDat Agents last false string
e__lte active before
or at this time
lastLoggedInUserName__contains | Free-text filter by username (supports multiple values) | false | string []
lastSuccessfulScanDate__between | Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
lastSuccessfulScanDate__gt | Agents last successful full disk scan after this time | false | string
lastSuccessfulScanDate__gte | Agents last successful full disk scan after or at this time | false | string
lastSuccessfulScanDate__lt | Agents last successful full disk scan before this time | false | string
lastSuccessfulScanDate__lte | Agents last successful full disk scan before or at this time | false | string
liveUpdateId__contains | Free-text filter by live update ID (supports multiple values) | false | string []
locationEnabled | The Agent supports Location Awareness and it is enabled for the Agent's group | false | boolean []
locationIds | Include only Agents reporting these locations | false | string []
locationIdsNin | Do not include only Agents reporting these locations | false | string []
machineTypes | Included machine types | false | string []
machineTypesNin | Not included machine types | false | string []
migrationStatus | Migration status | false | enum
missingPermissions | Included missing permissions | false | string []
missingPermissionsNin | Excluded missing permissions | false | string []

mitigationMode | Agent mitigation mode policy | false | enum
mitigationModeSuspicious | Mitigation mode policy for suspicious activity | false | enum
networkInterfaceGatewayMacAddress__contains | Free-text filter by Gateway MAC address (supports multiple values) | false | string []
networkInterfaceInet__contains | Free-text filter by local IP (supports multiple values) | false | string []
networkInterfacePhysical__contains | Free-text filter by MAC address (supports multiple values) | false | string []
networkQuarantineEnabled | The Agent supports Network Quarantine Control and it is enabled for the Agent's group | false | boolean []
networkStatuses | Included network statuses | false | string []
networkStatusesNin | Included network statuses | false | string []
operationalStates | Agent operational state | false | string []
operationalStatesNin | Do not include these Agent operational states | false | string []
osArch | OS architecture | false | enum
osTypes | Included OS types | false | string []
osTypesNin | Not included OS types | false | string []
osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
query | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string
rangerStatus | [DEPRECATED] Use rangerStatuses. | false | enum
rangerStatuses | Status of Ranger | false | string []

rangerStatusesNin | Do not include these Ranger Statuses | false | string []
rangerVersions | Ranger versions to include | false | string []
rangerVersionsNin | Ranger versions not to include | false | string []
registeredAt__between | Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
registeredAt__gt | Agents registered after this time | false | string
registeredAt__gte | Agents registered after or at this time | false | string
registeredAt__lt | Agents registered before this time | false | string
registeredAt__lte | Agents registered before or at this time | false | string
remoteOpsForensicsSupported | Include only Agents that have the Remote Ops Forensics feature supported | false | boolean
remoteProfilingStates | Agent remote profiling state | false | string []
remoteProfilingStatesNin | Do not include these Agent remote profiling states | false | string []
rsoLevel | Supported Remote Script Orchestration level | false | enum
scanStatus | Scan status | false | enum
scanStatuses | Included scan statuses | false | string []
scanStatusesNin | Not included scan statuses | false | string []
serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
siteIds | List of Site IDs to filter by | false | string []
tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
threatContentHash | Include only Agents that have at least one threat with this content hash | false | string
threatCreatedAt__between | Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
threatCreatedAt__gt | Agents with threats reported after this time | false | string
threatCreatedAt__gte | Agents with threats reported after or at this time | false | string
threatCreatedAt__lt | Agents with threats reported before this time | false | string
threatCreatedAt__lte | Agents with threats reported before or at this time | false | string
threatHidden | Include only Agents with at least one hidden threat | false | boolean

threatMitigationStatus | Include only Agents that have threats with this mitigation status | false | enum
threatRebootRequired | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean []
threatResolved | Include only Agents with at least one resolved threat | false | boolean
totalMemory__between | Total memory range (GB, inclusive) | false | string
totalMemory__gt | Memory size (MB, more than) | false | integer
totalMemory__gte | Memory size (MB, more than or equal) | false | integer
totalMemory__lt | Memory size (MB, less than) | false | integer
totalMemory__lte | Memory size (MB, less than or equal) | false | integer
updatedAt__between | Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string

updatedAt__gt | Agents updated after this timestamp | false | string
updatedAt__gte | Agents updated after or at this timestamp | false | string
updatedAt__lt | Agents updated before this timestamp | false | string
updatedAt__lte | Agents updated before or at this timestamp | false | string
userActionsNeeded | Included pending user actions | false | string []
userActionsNeededNin | Excluded pending user actions | false | string []
uuid | Agent's universally unique identifier | false | string
uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
uuids | A list of included UUIDs | false | string []

Randomize UUID
POST /web/api/v2.1/agents/actions/randomize-uuid

IMPORTANT: This action will assign a new UUID to Agents that match the filter.
Run it only when instructed to do so by SentinelOne Support.
If you clone the Agent on a VM or VDI without the /VDI switch, you might need to run this command. It is best to ask for Support assistance.
Historical threat and Deep Visibility data will be kept in the Management, but that data will be disassociated from the Agent.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permissions to perform the requested action

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
  affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
filter | Applied filter - only matched Agents will be affected by the requested action. Note: One of these filter arguments must be supplied: ids, groupIds, filterId. | true | (nested fields, listed in the rows below)
accountIds | List of Account IDs to filter by | false | string []
activeThreats | Include Agents with this amount of active threats | false | integer
activeThreats__gt | Include Agents with at least this amount of active threats | false | integer
adComputerMember__contains | Free-text filter by Active Directory computer groups string (supports multiple values) | false | string []
adComputerName__contains | Free-text filter by Active Directory computer name string (supports multiple values) | false | string []
adComputerQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
adQuery | An Active Directory query string | false | string
adQuery__contains | Free-text filter by Active Directory string (supports multiple values) | false | string []
adUserMember__contains | Free-text filter by Active Directory user groups string (supports multiple values) | false | string []
adUserName__contains | Free-text filter by Active Directory username string (supports multiple values) | false | string []
adUserQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
agentNamespace__contains | Free-text filter by agent namespace (supports multiple values) | false | string []
agentPodName__contains | Free-text filter by agent pod name (supports multiple values) | false | string []
agentVersion__between | Version range for agent version (format: <from_version>-<to_version>, inclusive) | false | string
agentVersion__gt | Agents versions greater than given version | false | string
agentVersion__gte | Agents versions greater than or equal to given version | false | string
agentVersion__lt | Agents versions less than given version | false | string
agentVersion__lte | Agents versions less than or equal to given version | false | string
agentVersions | Agent versions to include | false | string []
agentVersionsNin | Agent versions not to include | false | string []
appsVulnerabilityStatuses | Apps vulnerability status in | false | string []
appsVulnerabilityStatusesNin | Apps vulnerability status nin | false | string []
awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []

cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
cloudProvider | Agents from which cloud provider | false | string []
cloudProviderNin | Exclude Agents from these cloud providers | false | string []
cloudTags__contains | Free-text filter by cloud tags (supports multiple values) | false | string []
clusterName__contains | Free-text filter by cluster name (supports multiple values) | false | string []
computerName | Computer name | false | string
computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
computerName__like | Match computer name partially (substring) | false | string
consoleMigrationStatuses | Migration status in | false | string []
consoleMigrationStatusesNin | Migration status nin | false | string []
coreCount__between | Possible number of CPU cores (inclusive) | false | string
coreCount__gt | CPU cores (more than) | false | integer
coreCount__gte | CPU cores (more than or equal) | false | integer
coreCount__lt | CPU cores (less than) | false | integer
coreCount__lte | CPU cores (less than or equal) | false | integer
cpuCount__between | Possible number of CPU cores (inclusive) | false | string
cpuCount__gt | Number of CPUs (more than) | false | integer

cpuCount__gte | Number of CPUs (more than or equal) | false | integer
cpuCount__lt | Number of CPUs (less than) | false | integer
cpuCount__lte | Number of CPUs (less than or equal) | false | integer
cpuId__contains | Free-text filter by CPU name (supports multiple values) | false | string []
createdAt__between | Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
createdAt__gt | Agents created after this timestamp | false | string
createdAt__gte | Agents created after or at this timestamp | false | string
createdAt__lt | Agents created before this timestamp | false | string
createdAt__lte | Agents created before or at this timestamp | false | string
csvFilterId | The ID of the CSV file to filter by | false | string

decommissionedAt__between | Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
decommissionedAt__gt | Agents decommissioned after this timestamp | false | string
decommissionedAt__gte | Agents decommissioned after or at this timestamp | false | string
decommissionedAt__lt | Agents decommissioned before this timestamp | false | string
decommissionedAt__lte | Agents decommissioned before this timestamp | false | string
domains | Included network domains | false | string []
domainsNin | Not included network domains | false | string []
encryptedApplications | Disk encryption status | false | boolean
externalId__contains | Free-text filter by external ID (Customer ID) | false | string []
externalIp__contains | Free-text filter by visible IP (supports multiple values) | false | string []
filteredGroupIds | List of Group IDs to filter by | false | string []
filteredSiteIds | List of Site IDs to filter by | false | string []
filterId | Include all Agents matching this saved filter | false | string
firewallEnabled | The Agent supports Firewall Control and it is enabled for the Agent's group | false | boolean []
gatewayIp | Gateway ip | false | string
gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
groupIds | List of network groups | false | string []
hasContainerizedWorkload | Include only Agents protecting containerized workloads | false | boolean
hasLocalConfiguration | Agent has a local configuration set | false | boolean
hasTags | Include only Agents that have any tags assigned if True, or none if False | false | boolean
ids | A list of Agent IDs | false | string []
infected | Include only Agents with at least one active threat | false | boolean
installerTypes | Include only Agents installed with these package types | false | string []
installerTypesNin | Exclude Agents installed with these package types | false | string []
isActive | Include only active Agents | false | boolean
isDecommissioned | Include active, decommissioned or both | false | boolean []
isPendingUninstall | Include only Agents with pending uninstall requests | false | boolean
isUninstalled | Include installed, uninstalled or both | false | boolean []
isUpToDate | Include only Agents with updated software | false | boolean

k8sNodeLabels__contains | Free-text filter by K8s node labels (supports multiple values) | false | string []
k8sNodeName__contains | Free-text filter by K8s node name (supports multiple values) | false | string []
k8sType__contains | Free-text filter by K8s type (supports multiple values) | false | string []
k8sVersion__contains | Free-text filter by K8s version (supports multiple values) | false | string []
lastActiveDate__between | Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
lastActiveDate__gt | Agents last active after this time | false | string
lastActiveDate__gte | Agents last active after or at this time | false | string
lastActiveDate__lt | Agents last active before this time | false | string
lastActiveDate__lte | Agents last active before or at this time | false | string

lastLoggedInUserName__contains | Free-text filter by username (supports multiple values) | false | string []
lastSuccessfulScanDate__between | Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
lastSuccessfulScanDate__gt | Agents last successful full disk scan after this time | false | string
lastSuccessfulScanDate__gte | Agents last successful full disk scan after or at this time | false | string
lastSuccessfulScanDate__lt | Agents last successful full disk scan before this time | false | string
lastSuccessfulScanDate__lte | Agents last successful full disk scan before or at this time | false | string
liveUpdateId__contains | Free-text filter by live update ID (supports multiple values) | false | string []
locationEnabled | The Agent supports Location Awareness and it is enabled for the Agent's group | false | boolean []
locationIds | Include only Agents reporting these locations | false | string []
locationIdsNin | Do not include only Agents reporting these locations | false | string []
machineTypes | Included machine types | false | string []
machineTypesNin | Not included machine types | false | string []
migrationStatus | Migration status | false | enum
missingPermissions | Included missing permissions | false | string []
missingPermissionsNin | Excluded missing permissions | false | string []
mitigationMode | Agent mitigation mode policy | false | enum
mitigationModeSuspicious | Mitigation mode policy for suspicious activity | false | enum
networkInterfaceGatewayMacAddress__contains | Free-text filter by Gateway MAC address (supports multiple values) | false | string []
networkInterfaceInet__contains | Free-text filter by local IP (supports multiple values) | false | string []
networkInterfacePhysical__contains | Free-text filter by MAC address (supports multiple values) | false | string []
networkQuarantineEnabled | The Agent supports Network Quarantine Control and it is enabled for the Agent's group | false | boolean []
networkStatuses | Included network statuses | false | string []
networkStatusesNin | Included network statuses | false | string []
operationalStates | Agent operational state | false | string []
operationalStatesNin | Do not include these Agent operational states | false | string []
osArch | OS architecture | false | enum
osTypes | Included OS types | false | string []

osTypesNin | Not included OS types | false | string []
osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
query | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string
rangerStatus | [DEPRECATED] Use rangerStatuses. | false | enum
rangerStatuses | Status of Ranger | false | string []
rangerStatusesNin | Do not include these Ranger Statuses | false | string []
rangerVersions | Ranger versions to include | false | string []
rangerVersionsNin | Ranger versions not to include | false | string []

registeredAt__between | Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
registeredAt__gt | Agents registered after this time | false | string
registeredAt__gte | Agents registered after or at this time | false | string
registeredAt__lt | Agents registered before this time | false | string
registeredAt__lte | Agents registered before or at this time | false | string
remoteOpsForensicsSupported | Include only Agents that have the Remote Ops Forensics feature supported | false | boolean
remoteProfilingStates | Agent remote profiling state | false | string []
remoteProfilingStatesNin | Do not include these Agent remote profiling states | false | string []
rsoLevel | Supported Remote Script Orchestration level | false | enum
scanStatus | Scan status | false | enum
scanStatuses | Included scan statuses | false | string []
scanStatusesNin | Not included scan statuses | false | string []
serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
siteIds | List of Site IDs to filter by | false | string []
tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
threatContentHash | Include only Agents that have at least one threat with this content hash | false | string
threatCreatedAt__between | Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
threatCreatedAt__gt | Agents with threats reported after this time | false | string
threatCreatedAt__gte | Agents with threats reported after or at this time | false | string
threatCreatedAt__lt | Agents with threats reported before this time | false | string
threatCreatedAt__lte | Agents with threats reported before or at this time | false | string
threatHidden | Include only Agents with at least one hidden threat | false | boolean
threatMitigationStatus | Include only Agents that have threats with this mitigation status | false | enum
threatRebootRequired | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean []
threatResolved | Include only Agents with at least one resolved threat | false | boolean
totalMemory__between | Total memory range (GB, inclusive) | false | string
totalMemory__gt | Memory size (MB, more than) | false | integer
totalMemory__gte | Memory size (MB, more than or equal) | false | integer
totalMemory__lt | Memory size (MB, less than) | false | integer
totalMemory__lte | Memory size (MB, less than or equal) | false | integer
updatedAt__between | Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
updatedAt__gt | Agents updated after this timestamp | false | string
updatedAt__gte | Agents updated after or at this timestamp | false | string
updatedAt__lt | Agents updated before this timestamp | false | string
updatedAt__lte | Agents updated before or at this timestamp | false | string
userActionsNeeded | Included pending user actions | false | string []
userActionsNeededNin | Excluded pending user actions | false | string []
uuid | Agent's universally unique identifier | false | string
uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
uuids | A list of included UUIDs | false | string []

data Data false
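
The filter rules for these bulk actions can be enforced before a request leaves the caller. The following is an added example, not SentinelOne code: it applies the Randomize UUID rule (one of ids, groupIds, filterId must be supplied), refuses the empty filter that Mark as up-to-date would apply to all applicable Agents unless explicitly allowed, encodes tagsData as described, and checks data.affected in the response. The function names, the `allow_all_agents` switch and the `expected_max` ceiling are assumptions of this example; paths, filter keys and response fields are the ones documented on this page.

```python
import json

# Endpoint paths and filter rules copied from this page; all other names are assumed.
ACTIONS = {
    "randomize-uuid": {
        "path": "/web/api/v2.1/agents/actions/randomize-uuid",
        "one_of": ("ids", "groupIds", "filterId"),  # at least one must be supplied
    },
    "mark-up-to-date": {
        "path": "/web/api/v2.1/agents/actions/mark-up-to-date",
        "one_of": (),  # an empty filter applies the action to all applicable Agents
    },
}
# Filter keys documented as "string []" that select Agents by identifier.
LIST_FIELDS = ("ids", "groupIds", "siteIds", "accountIds", "uuids")


class ActionRefused(ValueError):
    """Raised when a request or a response fails one of the checks below."""


def encode_tags_data(include=None, exclude=None):
    """Build the tagsData string: JSON of tag key -> list of string values.
    Keys passed in `exclude` get the __nin suffix described for tagsData."""
    tags = dict(include or {})
    tags.update({f"{key}__nin": values for key, values in (exclude or {}).items()})
    for key, values in tags.items():
        if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
            raise ActionRefused(f"tagsData[{key!r}] must be a list of strings")
    return json.dumps(tags, sort_keys=True)


def build_request(action, filter_, allow_all_agents=False):
    """Return (path, json_body), or raise ActionRefused before anything is sent."""
    if action not in ACTIONS:
        raise ActionRefused(f"unknown action {action!r}")
    spec = ACTIONS[action]
    # Drop None, "" and [] so an empty selector cannot count as "supplied".
    # False and 0 are kept: they are meaningful values for boolean/integer filters.
    clean = {k: v for k, v in filter_.items() if v not in (None, "", [])}
    for field in LIST_FIELDS:
        if field in clean:
            value = clean[field]
            if not isinstance(value, list) or not all(isinstance(x, str) and x for x in value):
                raise ActionRefused(f"{field} must be a list of non-empty strings")
    if spec["one_of"] and not any(k in clean for k in spec["one_of"]):
        raise ActionRefused(f"{action}: supply one of {', '.join(spec['one_of'])}")
    if not clean and not allow_all_agents:
        raise ActionRefused(f"{action}: empty filter applies to all applicable Agents")
    return spec["path"], json.dumps({"filter": clean}, sort_keys=True)


def check_response(status, payload, expected_max):
    """Interpret the documented response: data.affected (integer), errors (array)."""
    if status != 200:
        raise ActionRefused(f"HTTP {status}: {payload.get('errors')}")
    affected = (payload.get("data") or {}).get("affected")
    if not isinstance(affected, int):
        raise ActionRefused("response has no integer data.affected")
    if affected > expected_max:
        raise ActionRefused(f"{affected} Agents affected, expected at most {expected_max}")
    return affected


if __name__ == "__main__":
    # Constructed Agent ID, for illustration only.
    path, body = build_request("randomize-uuid", {"ids": ["1000000000000000001"]})
    print("POST", path, body)
    print("affected:", check_response(200, {"data": {"affected": 1}, "errors": None}, 1))
```

Comparing `data.affected` against the number of Agents the operator meant to touch catches a filter that matched more broadly than intended; the disassociation of historical data described for Randomize UUID makes that check worth running on every call.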

Mark as up-to-date
POST /web/api/v2.1/agents/actions/mark-up-to-date

The "up-to-date" status of an Agent's version is a useful filter for many actions. There are scenarios where the Management does not recognize a version as the latest, for example when Agents that were sent a new version with the update-software command have not yet reported to their Management.
You can manually mark these Agents as up-to-date.
This command is not available to users with the SOC role.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permissions to perform the requested action

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
  affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
filter | Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents. | true | (nested fields, listed in the rows below)
accountIds | List of Account IDs to filter by | false | string []
activeThreats | Include Agents with this amount of active threats | false | integer
activeThreats__gt | Include Agents with at least this amount of active threats | false | integer
adComputerMember__contains | Free-text filter by Active Directory computer groups string (supports multiple values) | false | string []
adComputerName__contains | Free-text filter by Active Directory computer name string (supports multiple values) | false | string []
adComputerQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
adQuery | An Active Directory query string | false | string
adQuery__contains | Free-text filter by Active Directory string (supports multiple values) | false | string []
adUserMember__contains | Free-text filter by Active Directory user groups string (supports multiple values) | false | string []
adUserName__contains | Free-text filter by Active Directory username string (supports multiple values) | false | string []
adUserQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
agentNamespace__contains | Free-text filter by agent namespace (supports multiple values) | false | string []
agentPodName__contains | Free-text filter by agent pod name (supports multiple values) | false | string []
agentVersion__between | Version range for agent version (format: <from_version>-<to_version>, inclusive) | false | string
agentVersion__gt | Agents versions greater than given version | false | string
agentVersion__gte | Agents versions greater than or equal to given version | false | string
agentVersion__lt | Agents versions less than given version | false | string
agentVersion__lte | Agents versions less than or equal to given version | false | string
agentVersions | Agent versions to include | false | string []
agentVersionsNin | Agent versions not to include | false | string []
appsVulnerabilityStatuses | Apps vulnerability status in | false | string []
appsVulnerabilityStatusesNin | Apps vulnerability status nin | false | string []
awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []

cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
cloudProvider | Agents from which cloud provider | false | string []
cloudProviderNin | Exclude Agents from these cloud providers | false | string []
cloudTags__contains | Free-text filter by cloud tags (supports multiple values) | false | string []
clusterName__contains | Free-text filter by cluster name (supports multiple values) | false | string []
computerName | Computer name | false | string
computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
computerName__like | Match computer name partially (substring) | false | string
consoleMigrationStatuses | Migration status in | false | string []
consoleMigrationStatusesNin | Migration status nin | false | string []
coreCount__between | Possible number of CPU cores (inclusive) | false | string
coreCount__gt | CPU cores (more than) | false | integer
coreCount__gte | CPU cores (more than or equal) | false | integer
coreCount__lt | CPU cores (less than) | false | integer
coreCount__lte | CPU cores (less than or equal) | false | integer
cpuCount__between | Possible number of CPU cores (inclusive) | false | string
cpuCount__gt | Number of CPUs (more than) | false | integer

cpuCount__gte | Number of CPUs (more than or equal) | false | integer
cpuCount__lt | Number of CPUs (less than) | false | integer
cpuCount__lte | Number of CPUs (less than or equal) | false | integer
cpuId__contains | Free-text filter by CPU name (supports multiple values) | false | string []
createdAt__between | Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
createdAt__gt | Agents created after this timestamp | false | string
createdAt__gte | Agents created after or at this timestamp | false | string
createdAt__lt | Agents created before this timestamp | false | string
createdAt__lte | Agents created before or at this timestamp | false | string
csvFilterId | The ID of the CSV file to filter by | false | string

decommissionedAt__between | Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
decommissionedAt__gt | Agents decommissioned after this timestamp | false | string
decommissionedAt__gte | Agents decommissioned after or at this timestamp | false | string
decommissionedAt__lt | Agents decommissioned before this timestamp | false | string
decommissionedAt__lte | Agents decommissioned before this timestamp | false | string
domains | Included network domains | false | string []
domainsNin | Not included network domains | false | string []
encryptedApplications | Disk encryption status | false | boolean
externalId__contains | Free-text filter by external ID (Customer ID) | false | string []
externalIp__contains | Free-text filter by visible IP (supports multiple values) | false | string []
filteredGroupIds | List of Group IDs to filter by | false | string []
filteredSiteIds | List of Site IDs to filter by | false | string []
filterId | Include all Agents matching this saved filter | false | string
firewallEnabled | The Agent supports Firewall Control and it is enabled for the Agent's group | false | boolean []
gatewayIp | Gateway ip | false | string
gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
groupIds | List of Group IDs to filter by | false | string []
hasContainerizedWorkload | Include only Agents protecting containerized workloads | false | boolean
hasLocalConfiguration | Agent has a local configuration set | false | boolean
hasTags | Include only Agents that have any tags assigned if True, or none if False | false | boolean
ids | A list of Agent IDs | false | string []
infected | Include only Agents with at least one active threat | false | boolean
installerTypes | Include only Agents installed with these package types | false | string []
installerTypesNin | Exclude Agents installed with these package types | false | string []
isActive | Include only active Agents | false | boolean
isDecommissioned | Include active, decommissioned or both | false | boolean []
isPendingUninstall | Include only Agents with pending uninstall requests | false | boolean
isUninstalled | Include installed, uninstalled or both | false | boolean []
isUpToDate | Include only Agents with updated software | false | boolean

k8sNodeLabels__contains | Free-text filter by K8s node labels (supports multiple values) | false | string []
k8sNodeName__contains | Free-text filter by K8s node name (supports multiple values) | false | string []
k8sType__contains | Free-text filter by K8s type (supports multiple values) | false | string []
k8sVersion__contains | Free-text filter by K8s version (supports multiple values) | false | string []
lastActiveDate__between | Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
lastActiveDate__gt | Agents last active after this time | false | string
lastActiveDate__gte | Agents last active after or at this time | false | string
lastActiveDate__lt | Agents last active before this time | false | string
lastActiveDate__lte | Agents last active before or at this time | false | string

638
  lastLoggedInUserName__contains | Free-text filter by username (supports multiple values) | false | string []
  lastSuccessfulScanDate__between | Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  lastSuccessfulScanDate__gt | Agents last successful full disk scan after this time | false | string
  lastSuccessfulScanDate__gte | Agents last successful full disk scan after or at this time | false | string
  lastSuccessfulScanDate__lt | Agents last successful full disk scan before this time | false | string
  lastSuccessfulScanDate__lte | Agents last successful full disk scan before or at this time | false | string
  liveUpdateId__contains | Free-text filter by live update ID (supports multiple values) | false | string []
  locationEnabled | The agents supports Location Awareness and it is enabled for the agent's group | false | boolean []
  locationIds | Include only Agents reporting these locations | false | string []
  locationIdsNin | Do not include only Agents reporting these locations | false | string []
  machineTypes | Included machine types | false | string []
  machineTypesNin | Not included machine types | false | string []
  migrationStatus | Migration status | false | enum
  missingPermissions | Included missing permissions | false | string []
  missingPermissionsNin | Excluded missing permissions | false | string []
  mitigationMode | Agent mitigation mode policy | false | enum
  mitigationModeSuspicious | Mitigation mode policy for suspicious activity | false | enum
  networkInterfaceGatewayMacAddress__contains | Free-text filter by Gateway MAC address (supports multiple values) | false | string []
  networkInterfaceInet__contains | Free-text filter by local IP (supports multiple values) | false | string []
  networkInterfacePhysical__contains | Free-text filter by MAC address (supports multiple values) | false | string []
  networkQuarantineEnabled | The agents supports Network Quarantine Control and its enabled for the agent's group | false | boolean []
  networkStatuses | Included network statuses | false | string []
  networkStatusesNin | Included network statuses | false | string []
  operationalStates | Agent operational state | false | string []
  operationalStatesNin | Do not include these Agent operational states | false | string []
  osArch | OS architecture | false | enum
  osTypes | Included OS types | false | string []
  osTypesNin | Not included OS types | false | string []
  osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
  query | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string
  rangerStatus | [DEPRECATED] Use rangerStatuses. | false | enum
  rangerStatuses | Status of Ranger | false | string []
  rangerStatusesNin | Do not include these Ranger Statuses | false | string []
  rangerVersions | Ranger versions to include | false | string []
  rangerVersionsNin | Ranger versions not to include | false | string []
  registeredAt__between | Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  registeredAt__gt | Agents registered after this time | false | string
  registeredAt__gte | Agents registered after or at this time | false | string
  registeredAt__lt | Agents registered before this time | false | string
  registeredAt__lte | Agents registered before or at this time | false | string
  remoteOpsForensicsSupported | Include only agents that has Remote Ops Forensics feature supported | false | boolean
  remoteProfilingStates | Agent remote profiling state | false | string []
  remoteProfilingStatesNin | Do not include these Agent remote profiling states | false | string []
  rsoLevel | Supported Remote Script Orchestration level | false | enum
  scanStatus | Scan status | false | enum
  scanStatuses | Included scan statuses | false | string []
  scanStatusesNin | Not included scan statuses | false | string []
  serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
  siteIds | List of Site IDs to filter by | false | string []
  tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
  threatContentHash | Include only Agents that have at least one threat with this content hash | false | string
  threatCreatedAt__between | Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  threatCreatedAt__gt | Agents with threats reported after this time | false | string
  threatCreatedAt__gte | Agents with threats reported after or at this time | false | string
  threatCreatedAt__lt | Agents with threats reported before this time | false | string
  threatCreatedAt__lte | Agents with threats reported before or at this time | false | string
  threatHidden | Include only Agents with at least one hidden threat | false | boolean
  threatMitigationStatus | Include only Agents that have threats with this mitigation status | false | enum
  threatRebootRequired | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean []
  threatResolved | Include only Agents with at least one resolved threat | false | boolean
  totalMemory__between | Total memory range (GB, inclusive) | false | string
  totalMemory__gt | Memory size (MB, more than) | false | integer
  totalMemory__gte | Memory size (MB, more than or equal) | false | integer
  totalMemory__lt | Memory size (MB, less than) | false | integer
  totalMemory__lte | Memory size (MB, less than or equal) | false | integer
  updatedAt__between | Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  updatedAt__gt | Agents updated after this timestamp | false | string
  updatedAt__gte | Agents updated after or at this timestamp | false | string
  updatedAt__lt | Agents updated before this timestamp | false | string
  updatedAt__lte | Agents updated before or at this timestamp | false | string
  userActionsNeeded | Included pending user actions | false | string []
  userActionsNeededNin | Excluded pending user actions | false | string []
  uuid | Agent's universally unique identifier | false | string
  uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
  uuids | A list of included UUIDs | false | string []
data | Data | false |

Enable Ranger
POST /web/api/v2.1/agents/actions/ranger-enable

SentinelOne Ranger gives full visibility of all devices connected to your network. Ranger scans your corporate environment to identify and manage connected devices,
even those not protected by or supported by SentinelOne. Use this command to enable Ranger on Agents that match the filter. The Agent adds "Scanner" to its
functionality.
If the given Agent cannot support Ranger, or if Ranger is already enabled, this command does nothing.
Ranger requires a special license. Consult with your SentinelOne SE.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name | Description | Required | Value
data | Response data | false | nested fields, listed indented below
  affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
filter | Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents. | true | nested fields, listed indented below
  accountIds | List of Account IDs to filter by | false | string []
  activeThreats | Include Agents with this amount of active threats | false | integer
  activeThreats__gt | Include Agents with at least this amount of active threats | false | integer
  adComputerMember__contains | Free-text filter by Active Directory computer groups string (supports multiple values) | false | string []
  adComputerName__contains | Free-text filter by Active Directory computer name string (supports multiple values) | false | string []
  adComputerQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
  adQuery | An Active Directory query string | false | string
  adQuery__contains | Free-text filter by Active Directory string (supports multiple values) | false | string []
  adUserMember__contains | Free-text filter by Active Directory user groups string (supports multiple values) | false | string []
  adUserName__contains | Free-text filter by Active Directory username string (supports multiple values) | false | string []
  adUserQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
  agentNamespace__contains | Free-text filter by agent namespace (supports multiple values) | false | string []
  agentPodName__contains | Free-text filter by agent pod name (supports multiple values) | false | string []
  agentVersion__between | Version range for agent version (format: <from_version>-<to_version>, inclusive) | false | string
  agentVersion__gt | Agents versions greater than given version | false | string
  agentVersion__gte | Agents versions greater than or equal to given version | false | string
  agentVersion__lt | Agents versions less than given version | false | string
  agentVersion__lte | Agents versions less than or equal to given version | false | string
  agentVersions | Agent versions to include | false | string []
  agentVersionsNin | Agent versions not to include | false | string []
  appsVulnerabilityStatuses | Apps vulnerability status in | false | string []
  appsVulnerabilityStatusesNin | Apps vulnerability status nin | false | string []
  awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
  awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
  awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
  azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
  cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
  cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
  cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
  cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
  cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
  cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
  cloudProvider | Agents from which cloud provider | false | string []
  cloudProviderNin | Exclude Agents from these cloud provider | false | string []
  cloudTags__contains | Free-text filter by cloud tags (supports multiple values) | false | string []
  clusterName__contains | Free-text filter by cluster name (supports multiple values) | false | string []
  computerName | Computer name | false | string
  computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
  computerName__like | Match computer name partially (substring) | false | string
  consoleMigrationStatuses | Migration status in | false | string []
  consoleMigrationStatusesNin | Migration status nin | false | string []
  coreCount__between | Possible number of CPU cores (inclusive) | false | string
  coreCount__gt | CPU cores (more than) | false | integer
  coreCount__gte | CPU cores (more than or equal) | false | integer
  coreCount__lt | CPU cores (less than) | false | integer
  coreCount__lte | CPU cores (less than or equal) | false | integer
  cpuCount__between | Possible number of CPU cores (inclusive) | false | string
  cpuCount__gt | Number of CPUs (more than) | false | integer
  cpuCount__gte | Number of CPUs (more than or equal) | false | integer
  cpuCount__lt | Number of CPUs (less than) | false | integer
  cpuCount__lte | Number of CPUs (less than or equal) | false | integer
  cpuId__contains | Free-text filter by CPU name (supports multiple values) | false | string []
  createdAt__between | Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  createdAt__gt | Agents created after this timestamp | false | string
  createdAt__gte | Agents created after or at this timestamp | false | string
  createdAt__lt | Agents created before this timestamp | false | string
  createdAt__lte | Agents created before or at this timestamp | false | string
  csvFilterId | The ID of the CSV file to filter by | false | string
  decommissionedAt__between | Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  decommissionedAt__gt | Agents decommissioned after this timestamp | false | string
  decommissionedAt__gte | Agents decommissioned after or at this timestamp | false | string
  decommissionedAt__lt | Agents decommissioned before this timestamp | false | string
  decommissionedAt__lte | Agents decommissioned before this timestamp | false | string
  domains | Included network domains | false | string []
  domainsNin | Not included network domains | false | string []
  encryptedApplications | Disk encryption status | false | boolean
  externalId__contains | Free-text filter by external ID (Customer ID) | false | string []
  externalIp__contains | Free-text filter by visible IP (supports multiple values) | false | string []
  filteredGroupIds | List of Group IDs to filter by | false | string []
  filteredSiteIds | List of Site IDs to filter by | false | string []
  filterId | Include all Agents matching this saved filter | false | string
  firewallEnabled | The agents supports Firewall Control and it is enabled for the agent's group | false | boolean []
  gatewayIp | Gateway ip | false | string
  gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
  groupIds | List of Group IDs to filter by | false | string []
  hasContainerizedWorkload | Include only Agents protecting containerized workloads | false | boolean
  hasLocalConfiguration | Agent has a local configuration set | false | boolean
  hasTags | Include only Agents that have any tags assigned if True, or none if False | false | boolean
  ids | A list of Agent IDs | false | string []
  infected | Include only Agents with at least one active threat | false | boolean
  installerTypes | Include only Agents installed with these package types | false | string []
  installerTypesNin | Exclude Agents installed with these package types | false | string []
  isActive | Include only active Agents | false | boolean
  isDecommissioned | Include active, decommissioned or both | false | boolean []
  isPendingUninstall | Include only Agents with pending uninstall requests | false | boolean
  isUninstalled | Include installed, uninstalled or both | false | boolean []
  isUpToDate | Include only Agents with updated software | false | boolean
  k8sNodeLabels__contains | Free-text filter by K8s node labels (supports multiple values) | false | string []
  k8sNodeName__contains | Free-text filter by K8s node name (supports multiple values) | false | string []
  k8sType__contains | Free-text filter by K8s type (supports multiple values) | false | string []
  k8sVersion__contains | Free-text filter by K8s version (supports multiple values) | false | string []
  lastActiveDate__between | Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  lastActiveDate__gt | Agents last active after this time | false | string
  lastActiveDate__gte | Agents last active after or at this time | false | string
  lastActiveDate__lt | Agents last active before this time | false | string
  lastActiveDate__lte | Agents last active before or at this time | false | string
  lastLoggedInUserName__contains | Free-text filter by username (supports multiple values) | false | string []
  lastSuccessfulScanDate__between | Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  lastSuccessfulScanDate__gt | Agents last successful full disk scan after this time | false | string
  lastSuccessfulScanDate__gte | Agents last successful full disk scan after or at this time | false | string
  lastSuccessfulScanDate__lt | Agents last successful full disk scan before this time | false | string
  lastSuccessfulScanDate__lte | Agents last successful full disk scan before or at this time | false | string
  liveUpdateId__contains | Free-text filter by live update ID (supports multiple values) | false | string []
  locationEnabled | The agents supports Location Awareness and it is enabled for the agent's group | false | boolean []
  locationIds | Include only Agents reporting these locations | false | string []
  locationIdsNin | Do not include only Agents reporting these locations | false | string []
  machineTypes | Included machine types | false | string []
  machineTypesNin | Not included machine types | false | string []
  migrationStatus | Migration status | false | enum
  missingPermissions | Included missing permissions | false | string []
  missingPermissionsNin | Excluded missing permissions | false | string []
  mitigationMode | Agent mitigation mode policy | false | enum
  mitigationModeSuspicious | Mitigation mode policy for suspicious activity | false | enum
  networkInterfaceGatewayMacAddress__contains | Free-text filter by Gateway MAC address (supports multiple values) | false | string []
  networkInterfaceInet__contains | Free-text filter by local IP (supports multiple values) | false | string []
  networkInterfacePhysical__contains | Free-text filter by MAC address (supports multiple values) | false | string []
  networkQuarantineEnabled | The agents supports Network Quarantine Control and its enabled for the agent's group | false | boolean []
  networkStatuses | Included network statuses | false | string []
  networkStatusesNin | Included network statuses | false | string []
  operationalStates | Agent operational state | false | string []
  operationalStatesNin | Do not include these Agent operational states | false | string []
  osArch | OS architecture | false | enum
  osTypes | Included OS types | false | string []
  osTypesNin | Not included OS types | false | string []
  osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
  query | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string
  rangerStatus | [DEPRECATED] Use rangerStatuses. | false | enum
  rangerStatuses | Status of Ranger | false | string []
  rangerStatusesNin | Do not include these Ranger Statuses | false | string []
  rangerVersions | Ranger versions to include | false | string []
  rangerVersionsNin | Ranger versions not to include | false | string []
  registeredAt__between | Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  registeredAt__gt | Agents registered after this time | false | string
  registeredAt__gte | Agents registered after or at this time | false | string
  registeredAt__lt | Agents registered before this time | false | string
  registeredAt__lte | Agents registered before or at this time | false | string
  remoteOpsForensicsSupported | Include only agents that has Remote Ops Forensics feature supported | false | boolean
  remoteProfilingStates | Agent remote profiling state | false | string []
  remoteProfilingStatesNin | Do not include these Agent remote profiling states | false | string []
  rsoLevel | Supported Remote Script Orchestration level | false | enum
  scanStatus | Scan status | false | enum
  scanStatuses | Included scan statuses | false | string []
  scanStatusesNin | Not included scan statuses | false | string []
  serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
  siteIds | List of Site IDs to filter by | false | string []
  tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
  threatContentHash | Include only Agents that have at least one threat with this content hash | false | string
  threatCreatedAt__between | Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  threatCreatedAt__gt | Agents with threats reported after this time | false | string
  threatCreatedAt__gte | Agents with threats reported after or at this time | false | string
  threatCreatedAt__lt | Agents with threats reported before this time | false | string
  threatCreatedAt__lte | Agents with threats reported before or at this time | false | string
  threatHidden | Include only Agents with at least one hidden threat | false | boolean
  threatMitigationStatus | Include only Agents that have threats with this mitigation status | false | enum
  threatRebootRequired | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean []
  threatResolved | Include only Agents with at least one resolved threat | false | boolean
  totalMemory__between | Total memory range (GB, inclusive) | false | string
  totalMemory__gt | Memory size (MB, more than) | false | integer
  totalMemory__gte | Memory size (MB, more than or equal) | false | integer
  totalMemory__lt | Memory size (MB, less than) | false | integer
  totalMemory__lte | Memory size (MB, less than or equal) | false | integer
  updatedAt__between | Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  updatedAt__gt | Agents updated after this timestamp | false | string
  updatedAt__gte | Agents updated after or at this timestamp | false | string
  updatedAt__lt | Agents updated before this timestamp | false | string
  updatedAt__lte | Agents updated before or at this timestamp | false | string
  userActionsNeeded | Included pending user actions | false | string []
  userActionsNeededNin | Excluded pending user actions | false | string []
  uuid | Agent's universally unique identifier | false | string
  uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
  uuids | A list of included UUIDs | false | string []
data | Data | false |
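
Because the Body Schema says an empty filter applies the action to all applicable Agents, automation that calls ranger-enable or ranger-disable should refuse a filter that is empty or that was emptied by an unset variable. The following is an added example, not code from SentinelOne or from this document: it builds the request body for either action and reads data.affected from the response. The field subset, the helper names, the integer timestamps and the omission of authentication and transport are assumptions of the example.

```python
import json

BASE_PATH = "/web/api/v2.1/agents/actions/"
ACTIONS = {"enable": "ranger-enable", "disable": "ranger-disable"}

# Subset of the documented filter fields, mapped to the Python type matching
# the schema's Value column ("string []" -> list of non-empty strings).
FILTER_FIELDS = {
    "accountIds": list, "siteIds": list, "groupIds": list, "ids": list,
    "uuids": list, "osTypes": list, "machineTypes": list,
    "computerName__contains": list, "rangerStatuses": list,
    "isActive": bool, "infected": bool, "isUpToDate": bool,
    "activeThreats__gt": int, "coreCount__gte": int,
    "filterId": str, "query": str, "lastActiveDate__between": str,
}

# Response messages as listed on the page for these endpoints.
STATUS_MESSAGES = {
    400: "Invalid user input received",
    401: "Unauthorized access",
    403: "Insufficient permissions",
}


class FilterError(ValueError):
    """The filter would not scope the action the way the caller intended."""


def between(from_ts, to_ts):
    """Format an inclusive range as <from_timestamp>-<to_timestamp>.

    The page does not state the timestamp encoding; callers pass values
    already in the encoding their console expects (assumption).
    """
    if from_ts > to_ts:
        raise FilterError("range start is after range end")
    return f"{from_ts}-{to_ts}"


def validate_filter(flt, allow_all=False):
    """Return a checked copy of the filter, or raise FilterError."""
    if not flt:
        if allow_all:
            return {}
        raise FilterError("empty filter targets all applicable Agents; "
                          "pass allow_all=True to confirm")
    clean = {}
    for key, value in flt.items():
        expected = FILTER_FIELDS.get(key)
        if expected is None:
            raise FilterError(f"unknown filter field: {key}")
        # bool is a subclass of int in Python, so reject it for integer fields.
        if expected is int and isinstance(value, bool):
            raise FilterError(f"{key} expects an integer")
        if not isinstance(value, expected):
            raise FilterError(f"{key} expects {expected.__name__}")
        if expected is list:
            # An empty list usually means an upstream lookup returned nothing.
            if not value or not all(isinstance(v, str) and v for v in value):
                raise FilterError(f"{key} needs at least one non-empty string")
        if expected is str and not value:
            raise FilterError(f"{key} must not be empty")
        clean[key] = value
    return clean


def build_request(action, flt, allow_all=False):
    """Return (method, path, json_body) for ranger-enable / ranger-disable."""
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}")
    # "data" is not required by the schema and is left out here.
    body = {"filter": validate_filter(flt, allow_all)}
    return "POST", BASE_PATH + ACTIONS[action], json.dumps(body, sort_keys=True)


def parse_response(status, text):
    """Return data.affected for a 200 response, raise otherwise."""
    if status != 200:
        reason = STATUS_MESSAGES.get(status, "unexpected status")
        raise RuntimeError(f"HTTP {status}: {reason}")
    payload = json.loads(text)
    errors = payload.get("errors") or []
    if errors:
        raise RuntimeError(f"API reported errors: {errors}")
    data = payload.get("data") or {}
    return int(data.get("affected", 0))


if __name__ == "__main__":
    # Constructed sample site ID and a constructed response body.
    print(build_request("enable", {"siteIds": ["1000000000000000001"], "isActive": True}))
    print(parse_response(200, '{"data": {"affected": 3}, "errors": []}'))
```

Logging the returned affected count next to the filter that produced it gives a record of how many Agents each call changed.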

Disable Ranger
POST /web/api/v2.1/agents/actions/ranger-disable

Disable Ranger from the Agents that match the filter.


SentinelOne Ranger gives full visibility of all devices connected to your network. Ranger scans your corporate environment to identify and manage connected devices,
even those not protected by or supported by SentinelOne. When Ranger is enabled on an Agent, the Agent adds "Scanner" to its functionality. It is the starting point for
the Ranger scans.
Best Practice: Disable Ranger on endpoints that are performance-sensitive and on endpoints that often connect to non-corporate networks.


Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name | Description | Required | Value
data | Response data | false | nested fields, listed indented below
  affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
filter | Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents. | true | nested fields, listed indented below
  accountIds | List of Account IDs to filter by | false | string []
  activeThreats | Include Agents with this amount of active threats | false | integer
  activeThreats__gt | Include Agents with at least this amount of active threats | false | integer
  adComputerMember__contains | Free-text filter by Active Directory computer groups string (supports multiple values) | false | string []
  adComputerName__contains | Free-text filter by Active Directory computer name string (supports multiple values) | false | string []
  adComputerQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
  adQuery | An Active Directory query string | false | string
  adQuery__contains | Free-text filter by Active Directory string (supports multiple values) | false | string []
  adUserMember__contains | Free-text filter by Active Directory user groups string (supports multiple values) | false | string []
  adUserName__contains | Free-text filter by Active Directory username string (supports multiple values) | false | string []
  adUserQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
  agentNamespace__contains | Free-text filter by agent namespace (supports multiple values) | false | string []
  agentPodName__contains | Free-text filter by agent pod name (supports multiple values) | false | string []
  agentVersion__between | Version range for agent version (format: <from_version>-<to_version>, inclusive) | false | string
  agentVersion__gt | Agents versions greater than given version | false | string
  agentVersion__gte | Agents versions greater than or equal to given version | false | string
  agentVersion__lt | Agents versions less than given version | false | string
  agentVersion__lte | Agents versions less than or equal to given version | false | string
  agentVersions | Agent versions to include | false | string []
  agentVersionsNin | Agent versions not to include | false | string []
  appsVulnerabilityStatuses | Apps vulnerability status in | false | string []
  appsVulnerabilityStatusesNin | Apps vulnerability status nin | false | string []
  awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
  awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
  awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
  azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
  cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
  cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
  cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
  cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
  cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
  cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
  cloudProvider | Agents from which cloud provider | false | string []
  cloudProviderNin | Exclude Agents from these cloud provider | false | string []
  cloudTags__contains | Free-text filter by cloud tags (supports multiple values) | false | string []
  clusterName__contains | Free-text filter by cluster name (supports multiple values) | false | string []
  computerName | Computer name | false | string
  computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
  computerName__like | Match computer name partially (substring) | false | string
  consoleMigrationStatuses | Migration status in | false | string []
  consoleMigrationStatusesNin | Migration status nin | false | string []
  coreCount__between | Possible number of CPU cores (inclusive) | false | string
  coreCount__gt | CPU cores (more than) | false | integer
  coreCount__gte | CPU cores (more than or equal) | false | integer
  coreCount__lt | CPU cores (less than) | false | integer
  coreCount__lte | CPU cores (less than or equal) | false | integer
  cpuCount__between | Possible number of CPU cores (inclusive) | false | string
  cpuCount__gt | Number of CPUs (more than) | false | integer
  cpuCount__gte | Number of CPUs (more than or equal) | false | integer
  cpuCount__lt | Number of CPUs (less than) | false | integer
  cpuCount__lte | Number of CPUs (less than or equal) | false | integer
  cpuId__contains | Free-text filter by CPU name (supports multiple values) | false | string []
  createdAt__between | Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  createdAt__gt | Agents created after this timestamp | false | string
  createdAt__gte | Agents created after or at this timestamp | false | string
  createdAt__lt | Agents created before this timestamp | false | string
  createdAt__lte | Agents created before or at this timestamp | false | string
  csvFilterId | The ID of the CSV file to filter by | false | string
  decommissionedAt__between | Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  decommissionedAt__gt | Agents decommissioned after this timestamp | false | string
  decommissionedAt__gte | Agents decommissioned after or at this timestamp | false | string
  decommissionedAt__lt | Agents decommissioned before this timestamp | false | string
  decommissionedAt__lte | Agents decommissioned before this timestamp | false | string
  domains | Included network domains | false | string []
  domainsNin | Not included network domains | false | string []
  encryptedApplications | Disk encryption status | false | boolean
  externalId__contains | Free-text filter by external ID (Customer ID) | false | string []
  externalIp__contains | Free-text filter by visible IP (supports multiple values) | false | string []
  filteredGroupIds | List of Group IDs to filter by | false | string []
  filteredSiteIds | List of Site IDs to filter by | false | string []
  filterId | Include all Agents matching this saved filter | false | string
  firewallEnabled | The agents supports Firewall Control and it is enabled for the agent's group | false | boolean []
  gatewayIp | Gateway ip | false | string
  gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
  groupIds | List of Group IDs to filter by | false | string []
  hasContainerizedWorkload | Include only Agents protecting containerized workloads | false | boolean
  hasLocalConfiguration | Agent has a local configuration set | false | boolean
  hasTags | Include only Agents that have any tags assigned if True, or none if False | false | boolean
  ids | A list of Agent IDs | false | string []
  infected | Include only Agents with at least one active threat | false | boolean
  installerTypes | Include only Agents installed with these package types | false | string []
  installerTypesNin | Exclude Agents installed with these package types | false | string []
  isActive | Include only active Agents | false | boolean
  isDecommissioned | Include active, decommissioned or both | false | boolean []
  isPendingUninstall | Include only Agents with pending uninstall requests | false | boolean
  isUninstalled | Include installed, uninstalled or both | false | boolean []
  isUpToDate | Include only Agents with updated software | false | boolean
  k8sNodeLabels__contains | Free-text filter by K8s node labels (supports multiple values) | false | string []
  k8sNodeName__contains | Free-text filter by K8s node name (supports multiple values) | false | string []
  k8sType__contains | Free-text filter by K8s type (supports multiple values) | false | string []
  k8sVersion__contains | Free-text filter by K8s version (supports multiple values) | false | string []
  lastActiveDate__between | Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  lastActiveDate__gt | Agents last active after this time | false | string
  lastActiveDate__gte | Agents last active after or at this time | false | string
  lastActiveDate__lt | Agents last active before this time | false | string
  lastActiveDate__lte | Agents last active before or at this time | false | string
  lastLoggedInUserName__contains | Free-text filter by username (supports multiple values) | false | string []
  lastSuccessfulScanDate__between | Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  lastSuccessfulScanDate__gt | Agents last successful full disk scan after this time | false | string
  lastSuccessfulScanDate__gte | Agents last successful full disk scan after or at this time | false | string
  lastSuccessfulScanDate__lt | Agents last successful full disk scan before this time | false | string
  lastSuccessfulScanDate__lte | Agents last successful full disk scan before or at this time | false | string
  liveUpdateId__contains | Free-text filter by live update ID (supports multiple values) | false | string []
  locationEnabled | The agents supports Location Awareness and it is enabled for the agent's group | false | boolean []
  locationIds | Include only Agents reporting these locations | false | string []
  locationIdsNin | Do not include only Agents reporting these locations | false | string []
  machineTypes | Included machine types | false | string []
  machineTypesNin | Not included machine types | false | string []
  migrationStatus | Migration status | false | enum
  missingPermissions | Included missing permissions | false | string []
  missingPermissionsNin | Excluded missing permissions | false | string []
  mitigationMode | Agent mitigation mode policy | false | enum
  mitigationModeSuspicious | Mitigation mode policy for suspicious activity | false | enum
  networkInterfaceGatewayMacAddress__contains | Free-text filter by Gateway MAC address (supports multiple values) | false | string []
  networkInterfaceInet__contains | Free-text filter by local IP (supports multiple values) | false | string []
  networkInterfacePhysical__contains | Free-text filter by MAC address (supports multiple values) | false | string []
  networkQuarantineEnabled | The agents supports Network Quarantine Control and its enabled for the agent's group | false | boolean []
  networkStatuses | Included network statuses | false | string []
  networkStatusesNin | Included network statuses | false | string []
  operationalStates | Agent operational state | false | string []
  operationalStatesNin | Do not include these Agent operational states | false | string []
  osArch | OS architecture | false | enum
  osTypes | Included OS types | false | string []
osTypesNin | Not included OS types | false | string []
osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
query | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string
rangerStatus | [DEPRECATED] Use rangerStatuses. | false | enum
rangerStatuses | Status of Ranger | false | string []
rangerStatusesNin | Do not include these Ranger Statuses | false | string []
rangerVersions | Ranger versions to include | false | string []
rangerVersionsNin | Ranger versions not to include | false | string []
registeredAt__between | Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
registeredAt__gt | Agents registered after this time | false | string
registeredAt__gte | Agents registered after or at this time | false | string
registeredAt__lt | Agents registered before this time | false | string
registeredAt__lte | Agents registered before or at this time | false | string
remoteOpsForensicsSupported | Include only agents that have the Remote Ops Forensics feature supported | false | boolean
remoteProfilingStates | Agent remote profiling state | false | string []
remoteProfilingStatesNin | Do not include these Agent remote profiling states | false | string []
rsoLevel | Supported Remote Script Orchestration level | false | enum
scanStatus | Scan status | false | enum
scanStatuses | Included scan statuses | false | string []
scanStatusesNin | Not included scan statuses | false | string []
serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
siteIds | List of Site IDs to filter by | false | string []
tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
threatContentHash | Include only Agents that have at least one threat with this content hash | false | string
threatCreatedAt__between | Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
threatCreatedAt__gt | Agents with threats reported after this time | false | string
threatCreatedAt__gte | Agents with threats reported after or at this time | false | string
threatCreatedAt__lt | Agents with threats reported before this time | false | string
threatCreatedAt__lte | Agents with threats reported before or at this time | false | string
threatHidden | Include only Agents with at least one hidden threat | false | boolean
threatMitigationStatus | Include only Agents that have threats with this mitigation status | false | enum
threatRebootRequired | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean []
threatResolved | Include only Agents with at least one resolved threat | false | boolean
totalMemory__between | Total memory range (GB, inclusive) | false | string
totalMemory__gt | Memory size (MB, more than) | false | integer
totalMemory__gte | Memory size (MB, more than or equal) | false | integer
totalMemory__lt | Memory size (MB, less than) | false | integer
totalMemory__lte | Memory size (MB, less than or equal) | false | integer
updatedAt__between | Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
updatedAt__gt | Agents updated after this timestamp | false | string
updatedAt__gte | Agents updated after or at this timestamp | false | string
updatedAt__lt | Agents updated before this timestamp | false | string
updatedAt__lte | Agents updated before or at this timestamp | false | string
userActionsNeeded | Included pending user actions | false | string []
userActionsNeededNin | Excluded pending user actions | false | string []
uuid | Agent's universally unique identifier | false | string
uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
uuids | A list of included UUIDs | false | string []

data | Data | false |

Edit local upgrade site authorization
POST /web/api/v2.1/agents/actions/local-upgrade-authorization

Edit when authorization of local upgrades expires.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | object (see "data fields")
errors | Errors | false | array

data fields
Name | Description | Required | Value
affected | Number of entities affected by the requested operation | false | integer

Body Schema
Name | Description | Required | Value
data | Data | true | object (see "data fields")
filter | Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents. | true | object (see "filter fields")

data fields
Name | Description | Required | Value
agentAuthorization | Agent approval expiration timestamp | true | string

filter fields
Name | Description | Required | Value
accountIds | List of Account IDs to filter by | false | string []
activeThreats | Include Agents with this amount of active threats | false | integer
activeThreats__gt | Include Agents with at least this amount of active threats | false | integer
adComputerMember__contains | Free-text filter by Active Directory computer groups string (supports multiple values) | false | string []
adComputerName__contains | Free-text filter by Active Directory computer name string (supports multiple values) | false | string []
adComputerQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
adQuery | An Active Directory query string | false | string
adQuery__contains | Free-text filter by Active Directory string (supports multiple values) | false | string []
adUserMember__contains | Free-text filter by Active Directory user groups string (supports multiple values) | false | string []
adUserName__contains | Free-text filter by Active Directory username string (supports multiple values) | false | string []
adUserQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
agentNamespace__contains | Free-text filter by agent namespace (supports multiple values) | false | string []
agentPodName__contains | Free-text filter by agent pod name (supports multiple values) | false | string []
agentVersion__between | Version range for agent version (format: <from_version>-<to_version>, inclusive) | false | string
agentVersion__gt | Agents versions greater than given version | false | string
agentVersion__gte | Agents versions greater than or equal to given version | false | string
agentVersion__lt | Agents versions less than given version | false | string
agentVersion__lte | Agents versions less than or equal to given version | false | string
agentVersions | Agent versions to include | false | string []
agentVersionsNin | Agent versions not to include | false | string []
appsVulnerabilityStatuses | Apps vulnerability status in | false | string []
appsVulnerabilityStatusesNin | Apps vulnerability status nin | false | string []
awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
cloudProvider | Agents from which cloud provider | false | string []
cloudProviderNin | Exclude Agents from these cloud provider | false | string []
cloudTags__contains | Free-text filter by cloud tags (supports multiple values) | false | string []
clusterName__contains | Free-text filter by cluster name (supports multiple values) | false | string []
computerName | Computer name | false | string
computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
computerName__like | Match computer name partially (substring) | false | string
consoleMigrationStatuses | Migration status in | false | string []
consoleMigrationStatusesNin | Migration status nin | false | string []
coreCount__between | Possible number of CPU cores (inclusive) | false | string
coreCount__gt | CPU cores (more than) | false | integer
coreCount__gte | CPU cores (more than or equal) | false | integer
coreCount__lt | CPU cores (less than) | false | integer
coreCount__lte | CPU cores (less than or equal) | false | integer
cpuCount__between | Possible number of CPU cores (inclusive) | false | string
cpuCount__gt | Number of CPUs (more than) | false | integer
cpuCount__gte | Number of CPUs (more than or equal) | false | integer
cpuCount__lt | Number of CPUs (less than) | false | integer
cpuCount__lte | Number of CPUs (less than or equal) | false | integer
cpuId__contains | Free-text filter by CPU name (supports multiple values) | false | string []
createdAt__between | Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
createdAt__gt | Agents created after this timestamp | false | string
createdAt__gte | Agents created after or at this timestamp | false | string
createdAt__lt | Agents created before this timestamp | false | string
createdAt__lte | Agents created before or at this timestamp | false | string
csvFilterId | The ID of the CSV file to filter by | false | string
decommissionedAt__between | Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
decommissionedAt__gt | Agents decommissioned after this timestamp | false | string
decommissionedAt__gte | Agents decommissioned after or at this timestamp | false | string
decommissionedAt__lt | Agents decommissioned before this timestamp | false | string
decommissionedAt__lte | Agents decommissioned before this timestamp | false | string
domains | Included network domains | false | string []
domainsNin | Not included network domains | false | string []
encryptedApplications | Disk encryption status | false | boolean
externalId__contains | Free-text filter by external ID (Customer ID) | false | string []
externalIp__contains | Free-text filter by visible IP (supports multiple values) | false | string []
filteredGroupIds | List of Group IDs to filter by | false | string []
filteredSiteIds | List of Site IDs to filter by | false | string []
filterId | Include all Agents matching this saved filter | false | string
firewallEnabled | The agent supports Firewall Control and it is enabled for the agent's group | false | boolean []
gatewayIp | Gateway ip | false | string
gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
groupIds | List of Group IDs to filter by | false | string []
hasContainerizedWorkload | Include only Agents protecting containerized workloads | false | boolean
hasLocalConfiguration | Agent has a local configuration set | false | boolean
hasTags | Include only Agents that have any tags assigned if True, or none if False | false | boolean
ids | A list of Agent IDs | false | string []
infected | Include only Agents with at least one active threat | false | boolean
installerTypes | Include only Agents installed with these package types | false | string []
installerTypesNin | Exclude Agents installed with these package types | false | string []
isActive | Include only active Agents | false | boolean
isDecommissioned | Include active, decommissioned or both | false | boolean []
isPendingUninstall | Include only Agents with pending uninstall requests | false | boolean
isUninstalled | Include installed, uninstalled or both | false | boolean []
isUpToDate | Include only Agents with updated software | false | boolean
k8sNodeLabels__contains | Free-text filter by K8s node labels (supports multiple values) | false | string []
k8sNodeName__contains | Free-text filter by K8s node name (supports multiple values) | false | string []
k8sType__contains | Free-text filter by K8s type (supports multiple values) | false | string []
k8sVersion__contains | Free-text filter by K8s version (supports multiple values) | false | string []
lastActiveDate__between | Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
lastActiveDate__gt | Agents last active after this time | false | string
lastActiveDate__gte | Agents last active after or at this time | false | string
lastActiveDate__lt | Agents last active before this time | false | string
lastActiveDate__lte | Agents last active before or at this time | false | string
lastLoggedInUserName__contains | Free-text filter by username (supports multiple values) | false | string []
lastSuccessfulScanDate__between | Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
lastSuccessfulScanDate__gt | Agents last successful full disk scan after this time | false | string
lastSuccessfulScanDate__gte | Agents last successful full disk scan after or at this time | false | string
lastSuccessfulScanDate__lt | Agents last successful full disk scan before this time | false | string
lastSuccessfulScanDate__lte | Agents last successful full disk scan before or at this time | false | string
liveUpdateId__contains | Free-text filter by live update ID (supports multiple values) | false | string []
locationEnabled | The agent supports Location Awareness and it is enabled for the agent's group | false | boolean []
locationIds | Include only Agents reporting these locations | false | string []
locationIdsNin | Do not include only Agents reporting these locations | false | string []
machineTypes | Included machine types | false | string []
machineTypesNin | Not included machine types | false | string []
migrationStatus | Migration status | false | enum
missingPermissions | Included missing permissions | false | string []
missingPermissionsNin | Excluded missing permissions | false | string []
mitigationMode | Agent mitigation mode policy | false | enum
mitigationModeSuspicious | Mitigation mode policy for suspicious activity | false | enum
networkInterfaceGatewayMacAddress__contains | Free-text filter by Gateway MAC address (supports multiple values) | false | string []
networkInterfaceInet__contains | Free-text filter by local IP (supports multiple values) | false | string []
networkInterfacePhysical__contains | Free-text filter by MAC address (supports multiple values) | false | string []
networkQuarantineEnabled | The agent supports Network Quarantine Control and it is enabled for the agent's group | false | boolean []
networkStatuses | Included network statuses | false | string []
networkStatusesNin | Included network statuses | false | string []
operationalStates | Agent operational state | false | string []
operationalStatesNin | Do not include these Agent operational states | false | string []
osArch | OS architecture | false | enum
osTypes | Included OS types | false | string []
osTypesNin | Not included OS types | false | string []
osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
query | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string
rangerStatus | [DEPRECATED] Use rangerStatuses. | false | enum
rangerStatuses | Status of Ranger | false | string []
rangerStatusesNin | Do not include these Ranger Statuses | false | string []
rangerVersions | Ranger versions to include | false | string []
rangerVersionsNin | Ranger versions not to include | false | string []
registeredAt__between | Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
registeredAt__gt | Agents registered after this time | false | string
registeredAt__gte | Agents registered after or at this time | false | string
registeredAt__lt | Agents registered before this time | false | string
registeredAt__lte | Agents registered before or at this time | false | string
remoteOpsForensicsSupported | Include only agents that have the Remote Ops Forensics feature supported | false | boolean
remoteProfilingStates | Agent remote profiling state | false | string []
remoteProfilingStatesNin | Do not include these Agent remote profiling states | false | string []
rsoLevel | Supported Remote Script Orchestration level | false | enum
scanStatus | Scan status | false | enum
scanStatuses | Included scan statuses | false | string []
scanStatusesNin | Not included scan statuses | false | string []
serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
siteIds | List of Site IDs to filter by | false | string []
tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
threatContentHash | Include only Agents that have at least one threat with this content hash | false | string
threatCreatedAt__between | Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
threatCreatedAt__gt | Agents with threats reported after this time | false | string
threatCreatedAt__gte | Agents with threats reported after or at this time | false | string
threatCreatedAt__lt | Agents with threats reported before this time | false | string
threatCreatedAt__lte | Agents with threats reported before or at this time | false | string
threatHidden | Include only Agents with at least one hidden threat | false | boolean
threatMitigationStatus | Include only Agents that have threats with this mitigation status | false | enum
threatRebootRequired | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean []
threatResolved | Include only Agents with at least one resolved threat | false | boolean
totalMemory__between | Total memory range (GB, inclusive) | false | string
totalMemory__gt | Memory size (MB, more than) | false | integer
totalMemory__gte | Memory size (MB, more than or equal) | false | integer
totalMemory__lt | Memory size (MB, less than) | false | integer
totalMemory__lte | Memory size (MB, less than or equal) | false | integer
updatedAt__between | Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
updatedAt__gt | Agents updated after this timestamp | false | string
updatedAt__gte | Agents updated after or at this timestamp | false | string
updatedAt__lt | Agents updated before this timestamp | false | string
updatedAt__lte | Agents updated before or at this timestamp | false | string
userActionsNeeded | Included pending user actions | false | string []
userActionsNeededNin | Excluded pending user actions | false | string []
uuid | Agent's universally unique identifier | false | string
uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
uuids | A list of included UUIDs | false | string []

Disable Agent
POST /web/api/v2.1/agents/actions/disable-agent

Use this command to disable Agents that match the filter.


Disabled agents run with minimal footprint and do not detect or mitigate threats, but they maintain connectivity with the Management Console.
If the command returns "Insufficient permissions", make sure you have permissions for the Account, Site, or Group and a role that allows Disable Agent (Admin, IR team or IT).
In the body of this command, the data parameter set is mandatory.
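
A guard for this endpoint's request body, as an added example (not SentinelOne's code): the Body Schema says an empty filter applies the action to all applicable Agents, and disabled Agents do not detect or mitigate threats, so the builder refuses an empty or misspelled filter and requires an expiration unless that is explicitly waived. The allow-listed subset of filter fields, sending "string []" values as JSON lists, and the sample ID, timestamp and timezone values are assumptions of this example.

```python
"""Added example: guarded body builder for the Disable Agent action."""
import json

DISABLE_AGENT_PATH = "/web/api/v2.1/agents/actions/disable-agent"  # from this page

# Subset of the filter fields documented in the Body Schema. Only narrow,
# explicit selectors are allowed here; the Python type is what this wrapper
# expects ("string []" sent as a JSON list is an assumption of this example).
ALLOWED_FILTER_FIELDS = {
    "ids": list,
    "uuids": list,
    "groupIds": list,
    "siteIds": list,
    "accountIds": list,
    "computerName": str,
    "filterId": str,
}


class UnsafeDisableRequest(ValueError):
    """The request would be broader or longer-lived than intended."""


def _clean_value(name, value, expected):
    """Return a trimmed value, or raise if it is missing, empty or mistyped."""
    if not isinstance(value, expected):
        raise UnsafeDisableRequest(f"filter field {name!r} must be {expected.__name__}")
    if expected is str:
        value = value.strip()
    else:
        if not all(isinstance(v, str) and v.strip() for v in value):
            raise UnsafeDisableRequest(f"filter field {name!r} has a blank or non-string item")
        value = [v.strip() for v in value]
    if not value:
        raise UnsafeDisableRequest(f"filter field {name!r} is empty")
    return value


def build_disable_agent_body(filter_fields, should_reboot, expiration=None,
                             expiration_timezone=None, allow_no_expiration=False):
    """Build the JSON body, refusing requests that could disable the whole fleet."""
    # data.shouldReboot is marked required in the Body Schema.
    if not isinstance(should_reboot, bool):
        raise UnsafeDisableRequest("data.shouldReboot is required and must be a boolean")

    # An empty filter means "all applicable Agents" according to the page.
    if not filter_fields:
        raise UnsafeDisableRequest("empty filter would apply to all applicable Agents")

    clean = {}
    for name, value in filter_fields.items():
        expected = ALLOWED_FILTER_FIELDS.get(name)
        if expected is None:
            # Catches typos such as "groupId" before anything is sent.
            raise UnsafeDisableRequest(f"filter field {name!r} is not on the allow-list")
        clean[name] = _clean_value(name, value, expected)

    # Without data.expiration nothing in the request re-enables the Agents.
    if expiration is None and not allow_no_expiration:
        raise UnsafeDisableRequest("set data.expiration or pass allow_no_expiration=True")

    data = {"shouldReboot": should_reboot}
    if expiration is not None:
        data["expiration"] = expiration
    if expiration_timezone is not None:
        data["expirationTimezone"] = expiration_timezone
    return {"data": data, "filter": clean}


if __name__ == "__main__":
    # Constructed sample values: the group ID, timestamp format and timezone
    # name are placeholders, not values taken from the documentation.
    body = build_disable_agent_body(
        {"groupIds": ["1000000000000000001"]},
        should_reboot=False,
        expiration="2030-01-01T00:00:00Z",
        expiration_timezone="UTC",
    )
    print("POST", DISABLE_AGENT_PATH)
    print(json.dumps(body, indent=2))
    try:
        build_disable_agent_body({}, should_reboot=False, expiration="2030-01-01T00:00:00Z")
    except UnsafeDisableRequest as exc:
        print("refused:", exc)
```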

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name | Description | Required | Value
data | Response data | false | object (see "data fields")
errors | Errors | false | array

data fields
Name | Description | Required | Value
affected | Number of entities affected by the requested operation | false | integer

Body Schema
Name | Description | Required | Value
data | Data | true | object (see "data fields")
filter | Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents. | true | object (see "filter fields")

data fields
Name | Description | Required | Value
shouldReboot | Reboot the endpoint | true | boolean
expiration | Agents will be re-enabled after this timestamp | false | string
expirationTimezone | Timezone for the expiration timestamp | false | string

filter fields
Name | Description | Required | Value
accountIds | List of Account IDs to filter by | false | string []
activeThreats | Include Agents with this amount of active threats | false | integer
activeThreats__gt | Include Agents with at least this amount of active threats | false | integer
adComputerMember__contains | Free-text filter by Active Directory computer groups string (supports multiple values) | false | string []
adComputerName__contains | Free-text filter by Active Directory computer name string (supports multiple values) | false | string []
adComputerQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
adQuery | An Active Directory query string | false | string
adQuery__contains | Free-text filter by Active Directory string (supports multiple values) | false | string []
adUserMember__contains | Free-text filter by Active Directory user groups string (supports multiple values) | false | string []
adUserName__contains | Free-text filter by Active Directory username string (supports multiple values) | false | string []
adUserQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
agentNamespace__contains | Free-text filter by agent namespace (supports multiple values) | false | string []
agentPodName__contains | Free-text filter by agent pod name (supports multiple values) | false | string []
agentVersion__between | Version range for agent version (format: <from_version>-<to_version>, inclusive) | false | string
agentVersion__gt | Agents versions greater than given version | false | string
agentVersion__gte | Agents versions greater than or equal to given version | false | string
agentVersion__lt | Agents versions less than given version | false | string
agentVersion__lte | Agents versions less than or equal to given version | false | string
agentVersions | Agent versions to include | false | string []
agentVersionsNin | Agent versions not to include | false | string []
appsVulnerabilityStatuses | Apps vulnerability status in | false | string []
appsVulnerabilityStatusesNin | Apps vulnerability status nin | false | string []
awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
cloudProvider | Agents from which cloud provider | false | string []
cloudProviderNin | Exclude Agents from these cloud provider | false | string []
cloudTags__contains | Free-text filter by cloud tags (supports multiple values) | false | string []
clusterName__contains | Free-text filter by cluster name (supports multiple values) | false | string []
computerName | Computer name | false | string
computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
computerName__like | Match computer name partially (substring) | false | string
consoleMigrationStatuses | Migration status in | false | string []
consoleMigrationStatusesNin | Migration status nin | false | string []
coreCount__between | Possible number of CPU cores (inclusive) | false | string
coreCount__gt | CPU cores (more than) | false | integer
coreCount__gte | CPU cores (more than or equal) | false | integer
coreCount__lt | CPU cores (less than) | false | integer
coreCount__lte | CPU cores (less than or equal) | false | integer
cpuCount__between | Possible number of CPU cores (inclusive) | false | string
cpuCount__gt | Number of CPUs (more than) | false | integer
cpuCount__gte | Number of CPUs (more than or equal) | false | integer
cpuCount__lt | Number of CPUs (less than) | false | integer
cpuCount__lte | Number of CPUs (less than or equal) | false | integer
cpuId__contains | Free-text filter by CPU name (supports multiple values) | false | string []
createdAt__between | Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
createdAt__gt | Agents created after this timestamp | false | string
createdAt__gte | Agents created after or at this timestamp | false | string
createdAt__lt | Agents created before this timestamp | false | string
createdAt__lte | Agents created before or at this timestamp | false | string
csvFilterId | The ID of the CSV file to filter by | false | string
decommissionedAt__between | Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
decommissionedAt__gt | Agents decommissioned after this timestamp | false | string
decommissionedAt__gte | Agents decommissioned after or at this timestamp | false | string
decommissionedAt__lt | Agents decommissioned before this timestamp | false | string
decommissionedAt__lte | Agents decommissioned before this timestamp | false | string
domains | Included network domains | false | string []
domainsNin | Not included network domains | false | string []
encryptedApplications | Disk encryption status | false | boolean
externalId__contains | Free-text filter by external ID (Customer ID) | false | string []
externalIp__contains | Free-text filter by visible IP (supports multiple values) | false | string []
filteredGroupIds | List of Group IDs to filter by | false | string []
filteredSiteIds | List of Site IDs to filter by | false | string []
filterId | Include all Agents matching this saved filter | false | string
firewallEnabled | The agent supports Firewall Control and it is enabled for the agent's group | false | boolean []
gatewayIp | Gateway ip | false | string
gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
groupIds | List of Group IDs to filter by | false | string []
hasContainerizedWorkload | Include only Agents protecting containerized workloads | false | boolean
hasLocalConfiguration | Agent has a local configuration set | false | boolean
hasTags | Include only Agents that have any tags assigned if True, or none if False | false | boolean
ids | A list of Agent IDs | false | string []
infected | Include only Agents with at least one active threat | false | boolean
installerTypes | Include only Agents installed with these package types | false | string []
installerTypesNin | Exclude Agents installed with these package types | false | string []
isActive | Include only active Agents | false | boolean
isDecommissioned | Include active, decommissioned or both | false | boolean []
isPendingUninstall | Include only Agents with pending uninstall requests | false | boolean
isUninstalled | Include installed, uninstalled or both | false | boolean []
isUpToDate | Include only Agents with updated software | false | boolean
k8sNodeLabels__contains | Free-text filter by K8s node labels (supports multiple values) | false | string []
k8sNodeName__contains | Free-text filter by K8s node name (supports multiple values) | false | string []
k8sType__contains | Free-text filter by K8s type (supports multiple values) | false | string []
k8sVersion__contains | Free-text filter by K8s version (supports multiple values) | false | string []
lastActiveDate__between | Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
lastActiveDate__gt | Agents last active after this time | false | string
lastActiveDate__gte | Agents last active after or at this time | false | string
lastActiveDate__lt | Agents last active before this time | false | string
lastActiveDate__lte | Agents last active before or at this time | false | string
lastLoggedInUserName__contains | Free-text filter by username (supports multiple values) | false | string []
lastSuccessfulScanDate__between | Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
lastSuccessfulScanDate__gt | Agents last successful full disk scan after this time | false | string
lastSuccessfulScanDate__gte | Agents last successful full disk scan after or at this time | false | string
lastSuccessfulScanDate__lt | Agents last successful full disk scan before this time | false | string
lastSuccessfulScanDate__lte | Agents last successful full disk scan before or at this time | false | string
liveUpdateId__contains | Free-text filter by live update ID (supports multiple values) | false | string []
locationEnabled | The agent supports Location Awareness and it is enabled for the agent's group | false | boolean []
locationIds | Include only Agents reporting these locations | false | string []
locationIdsNin | Do not include only Agents reporting these locations | false | string []
machineTypes | Included machine types | false | string []
machineTypesNin | Not included machine types | false | string []
migrationStatus | Migration status | false | enum
missingPermissions | Included missing permissions | false | string []
missingPermissionsNin | Excluded missing permissions | false | string []
mitigationMode | Agent mitigation mode policy | false | enum
mitigationModeSuspicious | Mitigation mode policy for suspicious activity | false | enum
networkInterfaceGatewayMacAddress__contains | Free-text filter by Gateway MAC address (supports multiple values) | false | string []
networkInterfaceInet__contains | Free-text filter by local IP (supports multiple values) | false | string []
networkInterfacePhysical__contains | Free-text filter by MAC address (supports multiple values) | false | string []
networkQuarantineEnabled | The agent supports Network Quarantine Control and it is enabled for the agent's group | false | boolean []
networkStatuses | Included network statuses | false | string []
networkStatusesNin | Included network statuses | false | string []
operationalStates | Agent operational state | false | string []
operationalStatesNin | Do not include these Agent operational states | false | string []
osArch | OS architecture | false | enum
osTypes | Included OS types | false | string []
osTypesNin | Not included OS types | false | string []
osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
query | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string
rangerStatus | [DEPRECATED] Use rangerStatuses. | false | enum
  rangerStatuses | Status of Ranger | false | string []
  rangerStatusesNin | Do not include these Ranger Statuses | false | string []
  rangerVersions | Ranger versions to include | false | string []
  rangerVersionsNin | Ranger versions not to include | false | string []
  registeredAt__between | Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  registeredAt__gt | Agents registered after this time | false | string
  registeredAt__gte | Agents registered after or at this time | false | string
  registeredAt__lt | Agents registered before this time | false | string
  registeredAt__lte | Agents registered before or at this time | false | string
  remoteOpsForensicsSupported | Include only Agents that have Remote Ops Forensics feature supported | false | boolean
  remoteProfilingStates | Agent remote profiling state | false | string []
  remoteProfilingStatesNin | Do not include these Agent remote profiling states | false | string []
  rsoLevel | Supported Remote Script Orchestration level | false | enum
  scanStatus | Scan status | false | enum
  scanStatuses | Included scan statuses | false | string []
  scanStatusesNin | Not included scan statuses | false | string []
  serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
  siteIds | List of Site IDs to filter by | false | string []
  tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
  threatContentHash | Include only Agents that have at least one threat with this content hash | false | string
  threatCreatedAt__between | Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  threatCreatedAt__gt | Agents with threats reported after this time | false | string
  threatCreatedAt__gte | Agents with threats reported after or at this time | false | string
  threatCreatedAt__lt | Agents with threats reported before this time | false | string
  threatCreatedAt__lte | Agents with threats reported before or at this time | false | string
  threatHidden | Include only Agents with at least one hidden threat | false | boolean
  threatMitigationStatus | Include only Agents that have threats with this mitigation status | false | enum
  threatRebootRequired | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean []
  threatResolved | Include only Agents with at least one resolved threat | false | boolean
  totalMemory__between | Total memory range (GB, inclusive) | false | string
  totalMemory__gt | Memory size (MB, more than) | false | integer
  totalMemory__gte | Memory size (MB, more than or equal) | false | integer
  totalMemory__lt | Memory size (MB, less than) | false | integer
  totalMemory__lte | Memory size (MB, less than or equal) | false | integer
  updatedAt__between | Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  updatedAt__gt | Agents updated after this timestamp | false | string
  updatedAt__gte | Agents updated after or at this timestamp | false | string
  updatedAt__lt | Agents updated before this timestamp | false | string
  updatedAt__lte | Agents updated before or at this timestamp | false | string
  userActionsNeeded | Included pending user actions | false | string []
  userActionsNeededNin | Excluded pending user actions | false | string []
  uuid | Agent's universally unique identifier | false | string
  uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
  uuids | A list of included UUIDs | false | string []

Enable Agent
POST /web/api/v2.1/agents/actions/enable-agent

Use this command to enable disabled Agents that match the filter.
If the command returns "Insufficient permissions", make sure you have permissions for the Account, Site, or Group and a role that allows Disable Agent (Admin, IR team or IT).
In the body of this command, the data parameter set is mandatory.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
  affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (nested fields below)
  shouldReboot | Reboot the endpoint | true | boolean
filter | Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents. | true | (nested fields below)
  accountIds | List of Account IDs to filter by | false | string []
  activeThreats | Include Agents with this amount of active threats | false | integer
  activeThreats__gt | Include Agents with at least this amount of active threats | false | integer
  adComputerMember__contains | Free-text filter by Active Directory computer groups string (supports multiple values) | false | string []
  adComputerName__contains | Free-text filter by Active Directory computer name string (supports multiple values) | false | string []
  adComputerQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
  adQuery | An Active Directory query string | false | string
  adQuery__contains | Free-text filter by Active Directory string (supports multiple values) | false | string []
  adUserMember__contains | Free-text filter by Active Directory user groups string (supports multiple values) | false | string []
  adUserName__contains | Free-text filter by Active Directory username string (supports multiple values) | false | string []
  adUserQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
  agentNamespace__contains | Free-text filter by agent namespace (supports multiple values) | false | string []
  agentPodName__contains | Free-text filter by agent pod name (supports multiple values) | false | string []
  agentVersion__between | Version range for agent version (format: <from_version>-<to_version>, inclusive) | false | string
  agentVersion__gt | Agent versions greater than given version | false | string
  agentVersion__gte | Agent versions greater than or equal to given version | false | string
  agentVersion__lt | Agent versions less than given version | false | string
  agentVersion__lte | Agent versions less than or equal to given version | false | string
  agentVersions | Agent versions to include | false | string []
  agentVersionsNin | Agent versions not to include | false | string []
  appsVulnerabilityStatuses | Apps vulnerability status in | false | string []
  appsVulnerabilityStatusesNin | Apps vulnerability status nin | false | string []
  awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
  awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
  awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
  azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
  cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
  cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
  cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
  cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
  cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
  cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
  cloudProvider | Agents from which cloud provider | false | string []
  cloudProviderNin | Exclude Agents from these cloud providers | false | string []
  cloudTags__contains | Free-text filter by cloud tags (supports multiple values) | false | string []
  clusterName__contains | Free-text filter by cluster name (supports multiple values) | false | string []
  computerName | Computer name | false | string
  computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
  computerName__like | Match computer name partially (substring) | false | string
  consoleMigrationStatuses | Migration status in | false | string []
  consoleMigrationStatusesNin | Migration status nin | false | string []
  coreCount__between | Possible number of CPU cores (inclusive) | false | string
  coreCount__gt | CPU cores (more than) | false | integer
  coreCount__gte | CPU cores (more than or equal) | false | integer
  coreCount__lt | CPU cores (less than) | false | integer
  coreCount__lte | CPU cores (less than or equal) | false | integer
  cpuCount__between | Possible number of CPU cores (inclusive) | false | string
  cpuCount__gt | Number of CPUs (more than) | false | integer
  cpuCount__gte | Number of CPUs (more than or equal) | false | integer
  cpuCount__lt | Number of CPUs (less than) | false | integer
  cpuCount__lte | Number of CPUs (less than or equal) | false | integer
  cpuId__contains | Free-text filter by CPU name (supports multiple values) | false | string []
  createdAt__between | Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  createdAt__gt | Agents created after this timestamp | false | string
  createdAt__gte | Agents created after or at this timestamp | false | string
  createdAt__lt | Agents created before this timestamp | false | string
  createdAt__lte | Agents created before or at this timestamp | false | string
  csvFilterId | The ID of the CSV file to filter by | false | string
  decommissionedAt__between | Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  decommissionedAt__gt | Agents decommissioned after this timestamp | false | string
  decommissionedAt__gte | Agents decommissioned after or at this timestamp | false | string
  decommissionedAt__lt | Agents decommissioned before this timestamp | false | string
  decommissionedAt__lte | Agents decommissioned before this timestamp | false | string
  domains | Included network domains | false | string []
  domainsNin | Not included network domains | false | string []
  encryptedApplications | Disk encryption status | false | boolean
  externalId__contains | Free-text filter by external ID (Customer ID) | false | string []
  externalIp__contains | Free-text filter by visible IP (supports multiple values) | false | string []
  filteredGroupIds | List of Group IDs to filter by | false | string []
  filteredSiteIds | List of Site IDs to filter by | false | string []
  filterId | Include all Agents matching this saved filter | false | string
  firewallEnabled | The Agent supports Firewall Control and it is enabled for the agent's group | false | boolean []
  gatewayIp | Gateway ip | false | string
  gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
  groupIds | List of Group IDs to filter by | false | string []
  hasContainerizedWorkload | Include only Agents protecting containerized workloads | false | boolean
  hasLocalConfiguration | Agent has a local configuration set | false | boolean
  hasTags | Include only Agents that have any tags assigned if True, or none if False | false | boolean
  ids | A list of Agent IDs | false | string []
  infected | Include only Agents with at least one active threat | false | boolean
  installerTypes | Include only Agents installed with these package types | false | string []
  installerTypesNin | Exclude Agents installed with these package types | false | string []
  isActive | Include only active Agents | false | boolean
  isDecommissioned | Include active, decommissioned or both | false | boolean []
  isPendingUninstall | Include only Agents with pending uninstall requests | false | boolean
  isUninstalled | Include installed, uninstalled or both | false | boolean []
  isUpToDate | Include only Agents with updated software | false | boolean
  k8sNodeLabels__contains | Free-text filter by K8s node labels (supports multiple values) | false | string []
  k8sNodeName__contains | Free-text filter by K8s node name (supports multiple values) | false | string []
  k8sType__contains | Free-text filter by K8s type (supports multiple values) | false | string []
  k8sVersion__contains | Free-text filter by K8s version (supports multiple values) | false | string []
  lastActiveDate__between | Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  lastActiveDate__gt | Agents last active after this time | false | string
  lastActiveDate__gte | Agents last active after or at this time | false | string
  lastActiveDate__lt | Agents last active before this time | false | string
  lastActiveDate__lte | Agents last active before or at this time | false | string
  lastLoggedInUserName__contains | Free-text filter by username (supports multiple values) | false | string []
  lastSuccessfulScanDate__between | Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  lastSuccessfulScanDate__gt | Agents last successful full disk scan after this time | false | string
  lastSuccessfulScanDate__gte | Agents last successful full disk scan after or at this time | false | string
  lastSuccessfulScanDate__lt | Agents last successful full disk scan before this time | false | string
  lastSuccessfulScanDate__lte | Agents last successful full disk scan before or at this time | false | string
  liveUpdateId__contains | Free-text filter by live update ID (supports multiple values) | false | string []
  locationEnabled | The Agent supports Location Awareness and it is enabled for the agent's group | false | boolean []
  locationIds | Include only Agents reporting these locations | false | string []
  locationIdsNin | Do not include only Agents reporting these locations | false | string []
  machineTypes | Included machine types | false | string []
  machineTypesNin | Not included machine types | false | string []
  migrationStatus | Migration status | false | enum
  missingPermissions | Included missing permissions | false | string []
  missingPermissionsNin | Excluded missing permissions | false | string []
  mitigationMode | Agent mitigation mode policy | false | enum
  mitigationModeSuspicious | Mitigation mode policy for suspicious activity | false | enum
  networkInterfaceGatewayMacAddress__contains | Free-text filter by Gateway MAC address (supports multiple values) | false | string []
  networkInterfaceInet__contains | Free-text filter by local IP (supports multiple values) | false | string []
  networkInterfacePhysical__contains | Free-text filter by MAC address (supports multiple values) | false | string []
  networkQuarantineEnabled | The Agent supports Network Quarantine Control and it is enabled for the agent's group | false | boolean []
  networkStatuses | Included network statuses | false | string []
  networkStatusesNin | Included network statuses | false | string []
  operationalStates | Agent operational state | false | string []
  operationalStatesNin | Do not include these Agent operational states | false | string []
  osArch | OS architecture | false | enum
  osTypes | Included OS types | false | string []
  osTypesNin | Not included OS types | false | string []
  osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
  query | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string
  rangerStatus | [DEPRECATED] Use rangerStatuses. | false | enum
  rangerStatuses | Status of Ranger | false | string []
  rangerStatusesNin | Do not include these Ranger Statuses | false | string []
  rangerVersions | Ranger versions to include | false | string []
  rangerVersionsNin | Ranger versions not to include | false | string []
  registeredAt__between | Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  registeredAt__gt | Agents registered after this time | false | string
  registeredAt__gte | Agents registered after or at this time | false | string
  registeredAt__lt | Agents registered before this time | false | string
  registeredAt__lte | Agents registered before or at this time | false | string
  remoteOpsForensicsSupported | Include only Agents that have Remote Ops Forensics feature supported | false | boolean
  remoteProfilingStates | Agent remote profiling state | false | string []
  remoteProfilingStatesNin | Do not include these Agent remote profiling states | false | string []
  rsoLevel | Supported Remote Script Orchestration level | false | enum
  scanStatus | Scan status | false | enum
  scanStatuses | Included scan statuses | false | string []
  scanStatusesNin | Not included scan statuses | false | string []
  serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
  siteIds | List of Site IDs to filter by | false | string []
  tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
  threatContentHash | Include only Agents that have at least one threat with this content hash | false | string
  threatCreatedAt__between | Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  threatCreatedAt__gt | Agents with threats reported after this time | false | string
  threatCreatedAt__gte | Agents with threats reported after or at this time | false | string
  threatCreatedAt__lt | Agents with threats reported before this time | false | string
  threatCreatedAt__lte | Agents with threats reported before or at this time | false | string
  threatHidden | Include only Agents with at least one hidden threat | false | boolean
  threatMitigationStatus | Include only Agents that have threats with this mitigation status | false | enum
  threatRebootRequired | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean []
  threatResolved | Include only Agents with at least one resolved threat | false | boolean
  totalMemory__between | Total memory range (GB, inclusive) | false | string
  totalMemory__gt | Memory size (MB, more than) | false | integer
  totalMemory__gte | Memory size (MB, more than or equal) | false | integer
  totalMemory__lt | Memory size (MB, less than) | false | integer
  totalMemory__lte | Memory size (MB, less than or equal) | false | integer
  updatedAt__between | Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  updatedAt__gt | Agents updated after this timestamp | false | string
  updatedAt__gte | Agents updated after or at this timestamp | false | string
  updatedAt__lt | Agents updated before this timestamp | false | string
  updatedAt__lte | Agents updated before or at this timestamp | false | string
  userActionsNeeded | Included pending user actions | false | string []
  userActionsNeededNin | Excluded pending user actions | false | string []
  uuid | Agent's universally unique identifier | false | string
  uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
  uuids | A list of included UUIDs | false | string []
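
The Enable Agent body schema states that an empty filter applies the action to all applicable Agents, so the sketch below builds the request body locally and refuses a filter that names no account, site, group, Agent or saved filter. This is an added example, not SentinelOne code: the function names, the field subset, the scope rule and the use of integer timestamps for `__between` ranges are assumptions.

```python
import json

# Path and body layout ("data.shouldReboot" plus "filter") come from the page.
# Function names, the field subset and the scope guard are assumptions of this example.
ENABLE_AGENT_PATH = "/web/api/v2.1/agents/actions/enable-agent"

# Subset of the documented filter fields and the kind of value each one takes.
FILTER_FIELDS = {
    "accountIds": "list", "siteIds": "list", "groupIds": "list",
    "ids": "list", "uuids": "list", "filterId": "str",
    "osTypes": "list", "computerName__contains": "list",
    "isActive": "bool", "infected": "bool", "isDecommissioned": "list",
    "activeThreats__gt": "int",
    "lastActiveDate__between": "range", "registeredAt__between": "range",
    "agentVersion__between": "range",
    "tagsData": "tags",
}

# Fields that pin the action to named accounts, sites, groups, Agents or a saved filter.
SCOPE_FIELDS = {"accountIds", "siteIds", "groupIds", "ids", "uuids", "filterId"}


class FilterError(ValueError):
    """Raised when a filter is malformed or wider than the caller intended."""


def _encode(name, kind, value):
    """Validate one filter value and return it in the form the body carries."""
    if kind == "list":
        if not isinstance(value, (list, tuple)) or not value:
            raise FilterError(f"{name}: expected a non-empty list")
        return list(value)
    if kind == "bool":
        if not isinstance(value, bool):
            raise FilterError(f"{name}: expected a boolean")
        return value
    if kind == "int":
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise FilterError(f"{name}: expected a non-negative integer")
        return value
    if kind == "str":
        if not isinstance(value, str) or not value:
            raise FilterError(f"{name}: expected a non-empty string")
        return value
    if kind == "range":
        # Documented wire format: "<from>-<to>", inclusive.
        if not isinstance(value, (list, tuple)) or len(value) != 2:
            raise FilterError(f"{name}: expected a (from, to) pair")
        low, high = value
        both_int = all(isinstance(v, int) and not isinstance(v, bool) for v in (low, high))
        if both_int and (low < 0 or low > high):
            raise FilterError(f"{name}: range must be non-negative and ordered")
        return f"{low}-{high}"
    if kind == "tags":
        # tagsData is a string holding JSON: tag key -> list of string values.
        # A key with the "__nin" suffix filters by unassigned values.
        if not isinstance(value, dict) or not value:
            raise FilterError(f"{name}: expected a non-empty mapping")
        for key, vals in value.items():
            if not isinstance(key, str) or not isinstance(vals, list) \
                    or not all(isinstance(v, str) for v in vals):
                raise FilterError(f"{name}: each tag key maps to a list of strings")
        return json.dumps(value, sort_keys=True)
    raise FilterError(f"{name}: unsupported kind {kind}")


def build_enable_agent_body(filter_args, should_reboot, allow_all=False):
    """Return the JSON-serialisable body for the Enable Agent action."""
    if not isinstance(should_reboot, bool):
        raise FilterError("shouldReboot is mandatory and must be a boolean")
    encoded = {}
    for name, value in filter_args.items():
        kind = FILTER_FIELDS.get(name)
        if kind is None:
            # Catch a misspelled key locally instead of sending it.
            raise FilterError(f"unknown filter field: {name}")
        encoded[name] = _encode(name, kind, value)
    if not allow_all and not SCOPE_FIELDS.intersection(encoded):
        raise FilterError("filter names no account, site, group, Agent or saved filter")
    return {"data": {"shouldReboot": should_reboot}, "filter": encoded}


if __name__ == "__main__":
    # Constructed sample values; the IDs and timestamps are not real.
    body = build_enable_agent_body(
        {"siteIds": ["1000000000000000001"],
         "lastActiveDate__between": (1700000000000, 1700086400000),
         "tagsData": {"env": ["prod"], "owner__nin": ["lab"]}},
        should_reboot=False,
    )
    print("POST", ENABLE_AGENT_PATH)
    print(json.dumps(body, indent=2))
```

Passing `allow_all=True` is the explicit opt-in for the documented all-Agents behaviour; without it a filter such as `{"osTypes": [...]}` alone is rejected before any request is made.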

Start Remote Profiling
POST /web/api/v2.1/agents/actions/start-profiling

Use this command to start remote profiling on Agents that match the filter.
Remote profiling lets you collect runtime diagnostic information for Agents on containers.
If the command returns "Insufficient permissions", make sure you have permissions for the Account, Site, or Group and a role that allows Start Remote Profiling (Admin or IT).

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
  affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
filter | Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents. | true | (nested fields below)
  accountIds | List of Account IDs to filter by | false | string []
  activeThreats | Include Agents with this amount of active threats | false | integer
  activeThreats__gt | Include Agents with at least this amount of active threats | false | integer
  adComputerMember__contains | Free-text filter by Active Directory computer groups string (supports multiple values) | false | string []
  adComputerName__contains | Free-text filter by Active Directory computer name string (supports multiple values) | false | string []
  adComputerQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
  adQuery | An Active Directory query string | false | string
  adQuery__contains | Free-text filter by Active Directory string (supports multiple values) | false | string []
  adUserMember__contains | Free-text filter by Active Directory user groups string (supports multiple values) | false | string []
  adUserName__contains | Free-text filter by Active Directory username string (supports multiple values) | false | string []
  adUserQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
  agentNamespace__contains | Free-text filter by agent namespace (supports multiple values) | false | string []
  agentPodName__contains | Free-text filter by agent pod name (supports multiple values) | false | string []
  agentVersion__between | Version range for agent version (format: <from_version>-<to_version>, inclusive) | false | string
  agentVersion__gt | Agent versions greater than given version | false | string
  agentVersion__gte | Agent versions greater than or equal to given version | false | string
  agentVersion__lt | Agent versions less than given version | false | string
  agentVersion__lte | Agent versions less than or equal to given version | false | string
  agentVersions | Agent versions to include | false | string []
  agentVersionsNin | Agent versions not to include | false | string []
  appsVulnerabilityStatuses | Apps vulnerability status in | false | string []
  appsVulnerabilityStatusesNin | Apps vulnerability status nin | false | string []
  awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
  awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
  awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
  azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
  cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
  cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
  cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
  cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
  cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
  cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
  cloudProvider | Agents from which cloud provider | false | string []
  cloudProviderNin | Exclude Agents from these cloud providers | false | string []
  cloudTags__contains | Free-text filter by cloud tags (supports multiple values) | false | string []
  clusterName__contains | Free-text filter by cluster name (supports multiple values) | false | string []
  computerName | Computer name | false | string
  computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
  computerName__like | Match computer name partially (substring) | false | string
  consoleMigrationStatuses | Migration status in | false | string []
  consoleMigrationStatusesNin | Migration status nin | false | string []
  coreCount__between | Possible number of CPU cores (inclusive) | false | string
  coreCount__gt | CPU cores (more than) | false | integer
  coreCount__gte | CPU cores (more than or equal) | false | integer
  coreCount__lt | CPU cores (less than) | false | integer
  coreCount__lte | CPU cores (less than or equal) | false | integer
  cpuCount__between | Possible number of CPU cores (inclusive) | false | string
  cpuCount__gt | Number of CPUs (more than) | false | integer
  cpuCount__gte | Number of CPUs (more than or equal) | false | integer
  cpuCount__lt | Number of CPUs (less than) | false | integer
  cpuCount__lte | Number of CPUs (less than or equal) | false | integer
  cpuId__contains | Free-text filter by CPU name (supports multiple values) | false | string []
  createdAt__between | Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  createdAt__gt | Agents created after this timestamp | false | string
  createdAt__gte | Agents created after or at this timestamp | false | string
  createdAt__lt | Agents created before this timestamp | false | string
  createdAt__lte | Agents created before or at this timestamp | false | string
  csvFilterId | The ID of the CSV file to filter by | false | string
  decommissionedAt__between | Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  decommissionedAt__gt | Agents decommissioned after this timestamp | false | string
  decommissionedAt__gte | Agents decommissioned after or at this timestamp | false | string
  decommissionedAt__lt | Agents decommissioned before this timestamp | false | string
  decommissionedAt__lte | Agents decommissioned before this timestamp | false | string
  domains | Included network domains | false | string []
  domainsNin | Not included network domains | false | string []
  encryptedApplications | Disk encryption status | false | boolean
  externalId__contains | Free-text filter by external ID (Customer ID) | false | string []
  externalIp__contains | Free-text filter by visible IP (supports multiple values) | false | string []
  filteredGroupIds | List of Group IDs to filter by | false | string []
  filteredSiteIds | List of Site IDs to filter by | false | string []
  filterId | Include all Agents matching this saved filter | false | string
  firewallEnabled | The Agent supports Firewall Control and it is enabled for the agent's group | false | boolean []
  gatewayIp | Gateway ip | false | string
  gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
  groupIds | List of Group IDs to filter by | false | string []
  hasContainerizedWorkload | Include only Agents protecting containerized workloads | false | boolean
  hasLocalConfiguration | Agent has a local configuration set | false | boolean
  hasTags | Include only Agents that have any tags assigned if True, or none if False | false | boolean
  ids | A list of Agent IDs | false | string []
  infected | Include only Agents with at least one active threat | false | boolean
  installerTypes | Include only Agents installed with these package types | false | string []
  installerTypesNin | Exclude Agents installed with these package types | false | string []
  isActive | Include only active Agents | false | boolean
  isDecommissioned | Include active, decommissioned or both | false | boolean []
  isPendingUninstall | Include only Agents with pending uninstall requests | false | boolean
  isUninstalled | Include installed, uninstalled or both | false | boolean []
  isUpToDate | Include only Agents with updated software | false | boolean
  k8sNodeLabels__contains | Free-text filter by K8s node labels (supports multiple values) | false | string []
  k8sNodeName__contains | Free-text filter by K8s node name (supports multiple values) | false | string []
  k8sType__contains | Free-text filter by K8s type (supports multiple values) | false | string []
  k8sVersion__contains | Free-text filter by K8s version (supports multiple values) | false | string []
  lastActiveDate__between | Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  lastActiveDate__gt | Agents last active after this time | false | string
  lastActiveDate__gte | Agents last active after or at this time | false | string
  lastActiveDate__lt | Agents last active before this time | false | string
  lastActiveDate__lte | Agents last active before or at this time | false | string
  lastLoggedInUserName__contains | Free-text filter by username (supports multiple values) | false | string []
  lastSuccessfulScanDate__between | Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  lastSuccessfulScanDate__gt | Agents last successful full disk scan after this time | false | string
  lastSuccessfulScanDate__gte | Agents last successful full disk scan after or at this time | false | string
  lastSuccessfulScanDate__lt | Agents last successful full disk scan before this time | false | string
  lastSuccessfulScanDate__lte | Agents last successful full disk scan before or at this time | false | string
  liveUpdateId__contains | Free-text filter by live update ID (supports multiple values) | false | string []
  locationEnabled | The Agent supports Location Awareness and it is enabled for the agent's group | false | boolean []
  locationIds | Include only Agents reporting these locations | false | string []
  locationIdsNin | Do not include only Agents reporting these locations | false | string []
  machineTypes | Included machine types | false | string []
  machineTypesNin | Not included machine types | false | string []
  migrationStatus | Migration status | false | enum
  missingPermissions | Included missing permissions | false | string []
  missingPermissionsNin | Excluded missing permissions | false | string []
  mitigationMode | Agent mitigation mode policy | false | enum
  mitigationModeSuspicious | Mitigation mode policy for suspicious activity | false | enum
  networkInterfaceGatewayMacAddress__contains | Free-text filter by Gateway MAC address (supports multiple values) | false | string []
  networkInterfaceInet__contains | Free-text filter by local IP (supports multiple values) | false | string []
  networkInterfacePhysical__contains | Free-text filter by MAC address (supports multiple values) | false | string []
  networkQuarantineEnabled | The Agent supports Network Quarantine Control and it is enabled for the agent's group | false | boolean []
  networkStatuses | Included network statuses | false | string []
  networkStatusesNin | Included network statuses | false | string []
  operationalStates | Agent operational state | false | string []
  operationalStatesNin | Do not include these Agent operational states | false | string []
  osArch | OS architecture | false | enum
  osTypes | Included OS types | false | string []
  osTypesNin | Not included OS types | false | string []
  osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
  query | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string
  rangerStatus | [DEPRECATED] Use rangerStatuses. | false | enum
  rangerStatuses | Status of Ranger | false | string []
  rangerStatusesNin | Do not include these Ranger Statuses | false | string []
  rangerVersions | Ranger versions to include | false | string []
  rangerVersionsNin | Ranger versions not to include | false | string []
  registeredAt__between | Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  registeredAt__gt | Agents registered after this time | false | string
  registeredAt__gte | Agents registered after or at this time | false | string
  registeredAt__lt | Agents registered before this time | false | string
  registeredAt__lte | Agents registered before or at this time | false | string
  remoteOpsForensicsSupported | Include only Agents that have Remote Ops Forensics feature supported | false | boolean
  remoteProfilingStates | Agent remote profiling state | false | string []
  remoteProfilingStatesNin | Do not include these Agent remote profiling states | false | string []
  rsoLevel | Supported Remote Script Orchestration level | false | enum
  scanStatus | Scan status | false | enum
  scanStatuses | Included scan statuses | false | string []
  scanStatusesNin | Not included scan statuses | false | string []
  serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
  siteIds | List of Site IDs to filter by | false | string []
  tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
threatConten Include only false string
tHash Agents that
have at least
one threat
with this
content hash
threatCreate Agents with false string

770
dAt__betwee threats
n reported in a
date range
(format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
threatCreate Agents with false string
dAt__gt threats
reported
after this
time
threatCreate Agents with false string
dAt__gte threats
reported
after or at
this time
threatCreated Agents with false string
At__lt threats
reported
before this
time
threatCreated Agents with false string
At__lte threats
reported
before or at
this time
threatHidden Include only false boolean
Agents with
at least one
hidden threat
threatMitigat Include only false enum
ionStatus Agents that
have threats
with this
mitigation
status
threatReboot Has at least false boolean []
Required one threat
with at least
one
mitigation

771
action
pending
reboot to
succeed
threatResolv Include only false boolean
ed Agents with
at least one
resolved
threat
totalMemory Total memory false string
__between range (GB,
inclusive)
totalMemory_ Memory size false integer
_gt (MB, more
than)
totalMemory_ Memory size false integer
_gte (MB, more
than or equal)
totalMemory_ Memory size false integer
_lt (MB, less
than)
totalMemory_ Memory size false integer
_lte (MB, less
than or equal)
updatedAt__ Date range false string
between for update
time (format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
updatedAt__g Agents false string
t updated after
this
timestamp
updatedAt__g Agents false string
te updated after
or at this
timestamp
updatedAt__l Agents false string
t updated

772
before this
timestamp
updatedAt__l Agents false string
te updated
before or at
this
timestamp
userActionsN Included false string []
eeded pending user
actions
userActionsN Excluded false string []
eededNin pending user
actions
uuid Agent's false string
universally
unique
identifier
uuid__contain Free-text false string []
s filter by
Agent UUID
(supports
multiple
values)
uuids A list of false string []
included
UUIDs

data Data false Name Description Required Value


timeout Profiling will false integer
be disabled
after that
many
seconds

Stop Remote Profiling
POST /web/api/v2.1/agents/actions/stop-profiling

Use this command to stop remote profiling on Agents that match the filter.
If the command returns "Insufficient permissions", make sure you have permissions for the Account, Site, or Group and a role that allows Stop Remote Profiling (Admin or IT).

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
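| Name | Description | Required | Value |
|---|---|---|---|
| `data` | Response data | false | Nested fields, listed under "`data` fields" below |
| `errors` | Errors | false | array |

`data` fields:

| Name | Description | Required | Value |
|---|---|---|---|
| `affected` | Number of entities affected by the requested operation | false | integer |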

Body Schema
| Name | Description | Required | Value |
|---|---|---|---|
| `filter` | Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents. | true | Nested fields, listed under "`filter` fields" below |
| `data` | Data | false | |

`filter` fields:

| Name | Description | Required | Value |
|---|---|---|---|
| `accountIds` | List of Account IDs to filter by | false | string [] |
| `activeThreats` | Include Agents with this amount of active threats | false | integer |
| `activeThreats__gt` | Include Agents with at least this amount of active threats | false | integer |
| `adComputerMember__contains` | Free-text filter by Active Directory computer groups string (supports multiple values) | false | string [] |
| `adComputerName__contains` | Free-text filter by Active Directory computer name string (supports multiple values) | false | string [] |
| `adComputerQuery__contains` | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string [] |
| `adQuery` | An Active Directory query string | false | string |
| `adQuery__contains` | Free-text filter by Active Directory string (supports multiple values) | false | string [] |
| `adUserMember__contains` | Free-text filter by Active Directory user groups string (supports multiple values) | false | string [] |
| `adUserName__contains` | Free-text filter by Active Directory username string (supports multiple values) | false | string [] |
| `adUserQuery__contains` | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string [] |
| `agentNamespace__contains` | Free-text filter by agent namespace (supports multiple values) | false | string [] |
| `agentPodName__contains` | Free-text filter by agent pod name (supports multiple values) | false | string [] |
| `agentVersion__between` | Version range for agent version (format: `<from_version>-<to_version>`, inclusive) | false | string |
| `agentVersion__gt` | Agent versions greater than given version | false | string |
| `agentVersion__gte` | Agent versions greater than or equal to given version | false | string |
| `agentVersion__lt` | Agent versions less than given version | false | string |
| `agentVersion__lte` | Agent versions less than or equal to given version | false | string |
| `agentVersions` | Agent versions to include | false | string [] |
| `agentVersionsNin` | Agent versions not to include | false | string [] |
| `appsVulnerabilityStatuses` | Apps vulnerability status in | false | string [] |
| `appsVulnerabilityStatusesNin` | Apps vulnerability status nin | false | string [] |
| `awsRole__contains` | Free-text filter by aws role (supports multiple values) | false | string [] |
| `awsSecurityGroups__contains` | Free-text filter by aws securityGroups (supports multiple values) | false | string [] |
| `awsSubnetIds__contains` | Free-text filter by aws subnet ids (supports multiple values) | false | string [] |
| `azureResourceGroup__contains` | Free-text filter by azure resource group (supports multiple values) | false | string [] |
| `cloudAccount__contains` | Free-text filter by cloud account (supports multiple values) | false | string [] |
| `cloudImage__contains` | Free-text filter by cloud image (supports multiple values) | false | string [] |
| `cloudInstanceId__contains` | Free-text filter by cloud instance id (supports multiple values) | false | string [] |
| `cloudInstanceSize__contains` | Free-text filter by cloud instance size (supports multiple values) | false | string [] |
| `cloudLocation__contains` | Free-text filter by cloud location (supports multiple values) | false | string [] |
| `cloudNetwork__contains` | Free-text filter by cloud network (supports multiple values) | false | string [] |
| `cloudProvider` | Agents from which cloud provider | false | string [] |
| `cloudProviderNin` | Exclude Agents from these cloud providers | false | string [] |
| `cloudTags__contains` | Free-text filter by cloud tags (supports multiple values) | false | string [] |
| `clusterName__contains` | Free-text filter by cluster name (supports multiple values) | false | string [] |
| `computerName` | Computer name | false | string |
| `computerName__contains` | Free-text filter by computer name (supports multiple values) | false | string [] |
| `computerName__like` | Match computer name partially (substring) | false | string |
| `consoleMigrationStatuses` | Migration status in | false | string [] |
| `consoleMigrationStatusesNin` | Migration status nin | false | string [] |
| `coreCount__between` | Possible number of CPU cores (inclusive) | false | string |
| `coreCount__gt` | CPU cores (more than) | false | integer |
| `coreCount__gte` | CPU cores (more than or equal) | false | integer |
| `coreCount__lt` | CPU cores (less than) | false | integer |
| `coreCount__lte` | CPU cores (less than or equal) | false | integer |
| `cpuCount__between` | Possible number of CPU cores (inclusive) | false | string |
| `cpuCount__gt` | Number of CPUs (more than) | false | integer |
| `cpuCount__gte` | Number of CPUs (more than or equal) | false | integer |
| `cpuCount__lt` | Number of CPUs (less than) | false | integer |
| `cpuCount__lte` | Number of CPUs (less than or equal) | false | integer |
| `cpuId__contains` | Free-text filter by CPU name (supports multiple values) | false | string [] |
| `createdAt__between` | Date range for creation time (format: `<from_timestamp>-<to_timestamp>`, inclusive) | false | string |
| `createdAt__gt` | Agents created after this timestamp | false | string |
| `createdAt__gte` | Agents created after or at this timestamp | false | string |
| `createdAt__lt` | Agents created before this timestamp | false | string |
| `createdAt__lte` | Agents created before or at this timestamp | false | string |
| `csvFilterId` | The ID of the CSV file to filter by | false | string |
| `decommissionedAt__between` | Date range for decommission time (format: `<from_timestamp>-<to_timestamp>`, inclusive) | false | string |
| `decommissionedAt__gt` | Agents decommissioned after this timestamp | false | string |
| `decommissionedAt__gte` | Agents decommissioned after or at this timestamp | false | string |
| `decommissionedAt__lt` | Agents decommissioned before this timestamp | false | string |
| `decommissionedAt__lte` | Agents decommissioned before this timestamp | false | string |
| `domains` | Included network domains | false | string [] |
| `domainsNin` | Not included network domains | false | string [] |
| `encryptedApplications` | Disk encryption status | false | boolean |
| `externalId__contains` | Free-text filter by external ID (Customer ID) | false | string [] |
| `externalIp__contains` | Free-text filter by visible IP (supports multiple values) | false | string [] |
| `filteredGroupIds` | List of Group IDs to filter by | false | string [] |
| `filteredSiteIds` | List of Site IDs to filter by | false | string [] |
| `filterId` | Include all Agents matching this saved filter | false | string |
| `firewallEnabled` | The agent supports Firewall Control and it is enabled for the agent's group | false | boolean [] |
| `gatewayIp` | Gateway ip | false | string |
| `gcpServiceAccount__contains` | Free-text filter by gcp service account (supports multiple values) | false | string [] |
| `groupIds` | List of Group IDs to filter by | false | string [] |
| `hasContainerizedWorkload` | Include only Agents protecting containerized workloads | false | boolean |
| `hasLocalConfiguration` | Agent has a local configuration set | false | boolean |
| `hasTags` | Include only Agents that have any tags assigned if True, or none if False | false | boolean |
| `ids` | A list of Agent IDs | false | string [] |
| `infected` | Include only Agents with at least one active threat | false | boolean |
| `installerTypes` | Include only Agents installed with these package types | false | string [] |
| `installerTypesNin` | Exclude Agents installed with these package types | false | string [] |
| `isActive` | Include only active Agents | false | boolean |
| `isDecommissioned` | Include active, decommissioned or both | false | boolean [] |
| `isPendingUninstall` | Include only Agents with pending uninstall requests | false | boolean |
| `isUninstalled` | Include installed, uninstalled or both | false | boolean [] |
| `isUpToDate` | Include only Agents with updated software | false | boolean |
| `k8sNodeLabels__contains` | Free-text filter by K8s node labels (supports multiple values) | false | string [] |
| `k8sNodeName__contains` | Free-text filter by K8s node name (supports multiple values) | false | string [] |
| `k8sType__contains` | Free-text filter by K8s type (supports multiple values) | false | string [] |
| `k8sVersion__contains` | Free-text filter by K8s version (supports multiple values) | false | string [] |
| `lastActiveDate__between` | Date range for last active date (format: `<from_timestamp>-<to_timestamp>`, inclusive) | false | string |
| `lastActiveDate__gt` | Agents last active after this time | false | string |
| `lastActiveDate__gte` | Agents last active after or at this time | false | string |
| `lastActiveDate__lt` | Agents last active before this time | false | string |
| `lastActiveDate__lte` | Agents last active before or at this time | false | string |
| `lastLoggedInUserName__contains` | Free-text filter by username (supports multiple values) | false | string [] |
| `lastSuccessfulScanDate__between` | Date range for last successful full disk scan (format: `<from_timestamp>-<to_timestamp>`, inclusive) | false | string |
| `lastSuccessfulScanDate__gt` | Agents last successful full disk scan after this time | false | string |
| `lastSuccessfulScanDate__gte` | Agents last successful full disk scan after or at this time | false | string |
| `lastSuccessfulScanDate__lt` | Agents last successful full disk scan before this time | false | string |
| `lastSuccessfulScanDate__lte` | Agents last successful full disk scan before or at this time | false | string |
| `liveUpdateId__contains` | Free-text filter by live update ID (supports multiple values) | false | string [] |
| `locationEnabled` | The agent supports Location Awareness and it is enabled for the agent's group | false | boolean [] |
| `locationIds` | Include only Agents reporting these locations | false | string [] |
| `locationIdsNin` | Do not include only Agents reporting these locations | false | string [] |
| `machineTypes` | Included machine types | false | string [] |
| `machineTypesNin` | Not included machine types | false | string [] |
| `migrationStatus` | Migration status | false | enum |
| `missingPermissions` | Included missing permissions | false | string [] |
| `missingPermissionsNin` | Excluded missing permissions | false | string [] |
| `mitigationMode` | Agent mitigation mode policy | false | enum |
| `mitigationModeSuspicious` | Mitigation mode policy for suspicious activity | false | enum |
| `networkInterfaceGatewayMacAddress__contains` | Free-text filter by Gateway MAC address (supports multiple values) | false | string [] |
| `networkInterfaceInet__contains` | Free-text filter by local IP (supports multiple values) | false | string [] |
| `networkInterfacePhysical__contains` | Free-text filter by MAC address (supports multiple values) | false | string [] |
| `networkQuarantineEnabled` | The agent supports Network Quarantine Control and it is enabled for the agent's group | false | boolean [] |
| `networkStatuses` | Included network statuses | false | string [] |
| `networkStatusesNin` | Included network statuses | false | string [] |
| `operationalStates` | Agent operational state | false | string [] |
| `operationalStatesNin` | Do not include these Agent operational states | false | string [] |
| `osArch` | OS architecture | false | enum |
| `osTypes` | Included OS types | false | string [] |
| `osTypesNin` | Not included OS types | false | string [] |
| `osVersion__contains` | Free-text filter by OS full name and version (supports multiple values) | false | string [] |
| `query` | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string |
| `rangerStatus` | [DEPRECATED] Use rangerStatuses. | false | enum |
| `rangerStatuses` | Status of Ranger | false | string [] |
| `rangerStatusesNin` | Do not include these Ranger Statuses | false | string [] |
| `rangerVersions` | Ranger versions to include | false | string [] |
| `rangerVersionsNin` | Ranger versions not to include | false | string [] |
| `registeredAt__between` | Date range for first registration time (format: `<from_timestamp>-<to_timestamp>`, inclusive) | false | string |
| `registeredAt__gt` | Agents registered after this time | false | string |
| `registeredAt__gte` | Agents registered after or at this time | false | string |
| `registeredAt__lt` | Agents registered before this time | false | string |
| `registeredAt__lte` | Agents registered before or at this time | false | string |
| `remoteOpsForensicsSupported` | Include only agents that have the Remote Ops Forensics feature supported | false | boolean |
| `remoteProfilingStates` | Agent remote profiling state | false | string [] |
| `remoteProfilingStatesNin` | Do not include these Agent remote profiling states | false | string [] |
| `rsoLevel` | Supported Remote Script Orchestration level | false | enum |
| `scanStatus` | Scan status | false | enum |
| `scanStatuses` | Included scan statuses | false | string [] |
| `scanStatusesNin` | Not included scan statuses | false | string [] |
| `serialNumber__contains` | Free-text filter by Serial Number (supports multiple values) | false | string [] |
| `siteIds` | List of Site IDs to filter by | false | string [] |
| `tagsData` | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use `__nin` suffix in the tag key. | false | string |
| `threatContentHash` | Include only Agents that have at least one threat with this content hash | false | string |
| `threatCreatedAt__between` | Agents with threats reported in a date range (format: `<from_timestamp>-<to_timestamp>`, inclusive) | false | string |
| `threatCreatedAt__gt` | Agents with threats reported after this time | false | string |
| `threatCreatedAt__gte` | Agents with threats reported after or at this time | false | string |
| `threatCreatedAt__lt` | Agents with threats reported before this time | false | string |
| `threatCreatedAt__lte` | Agents with threats reported before or at this time | false | string |
| `threatHidden` | Include only Agents with at least one hidden threat | false | boolean |
| `threatMitigationStatus` | Include only Agents that have threats with this mitigation status | false | enum |
| `threatRebootRequired` | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean [] |
| `threatResolved` | Include only Agents with at least one resolved threat | false | boolean |
| `totalMemory__between` | Total memory range (GB, inclusive) | false | string |
| `totalMemory__gt` | Memory size (MB, more than) | false | integer |
| `totalMemory__gte` | Memory size (MB, more than or equal) | false | integer |
| `totalMemory__lt` | Memory size (MB, less than) | false | integer |
| `totalMemory__lte` | Memory size (MB, less than or equal) | false | integer |
| `updatedAt__between` | Date range for update time (format: `<from_timestamp>-<to_timestamp>`, inclusive) | false | string |
| `updatedAt__gt` | Agents updated after this timestamp | false | string |
| `updatedAt__gte` | Agents updated after or at this timestamp | false | string |
| `updatedAt__lt` | Agents updated before this timestamp | false | string |
| `updatedAt__lte` | Agents updated before or at this timestamp | false | string |
| `userActionsNeeded` | Included pending user actions | false | string [] |
| `userActionsNeededNin` | Excluded pending user actions | false | string [] |
| `uuid` | Agent's universally unique identifier | false | string |
| `uuid__contains` | Free-text filter by Agent UUID (supports multiple values) | false | string [] |
| `uuids` | A list of included UUIDs | false | string [] |

Approve Stateless Upgrades
POST /web/api/v2.1/agents/actions/approve-stateless-upgrade

Approve stateless upgrade for agents

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
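| Name | Description | Required | Value |
|---|---|---|---|
| `data` | Response data | false | Nested fields, listed under "`data` fields" below |
| `errors` | Errors | false | array |

`data` fields:

| Name | Description | Required | Value |
|---|---|---|---|
| `affected` | Number of entities affected by the requested operation | false | integer |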

Body Schema
Name Description Required Value
filter Applied filter true Name Description Required Value
- only
matched accountIds List of false string []
Agents will Account IDs
be affected to filter by
by the activeThreats Include false integer
requested Agents with
action. Leave this amount
empty to of active
apply the threats
action on all
applicable activeThreats Include false integer
Agents. __gt Agents with
at least this
amount of
active threats
adComputerM Free-text false string []
ember__conta filter by
ins Active
Directory
computer
groups string
(supports
multiple
values)
adComputerN Free-text false string []
ame__contain filter by
s Active
Directory
computer
name string
(supports
multiple
values)
adComputerQ Free-text false string []
uery__contain filter by
s Active
Directory
computer
name or its
groups

796
(supports
multiple
values)
adQuery An Active false string
Directory
query string
adQuery__con Free-text false string []
tains filter by
Active
Directory
string
(supports
multiple
values)
adUserMembe Free-text false string []
r__contains filter by
Active
Directory
user groups
string
(supports
multiple
values)
adUserName_ Free-text false string []
_contains filter by
Active
Directory
username
string
(supports
multiple
values)
adUserQuery_ Free-text false string []
_contains filter by
Active
Directory
computer
name or its
groups
(supports
multiple
values)
agentNamespa Free-text false string []

797
ce__contains filter by agent
namespace
(supports
multiple
values)
agentPodNam Free-text false string []
e__contains filter by agent
pod name
(supports
multiple
values)
agentVersion Version range false string
__between for agent
version
(format:
<from_versio
n>-
<to_version>,
inclusive)
agentVersion_ Agents false string
_gt versions
greater than
given version
agentVersion Agents false string
__gte versions
greater than
or equal to
given version
agentVersion_ Agents false string
_lt versions less
than given
version
agentVersion_ Agents false string
_lte versions less
than or equal
to given
version
agentVersion Agent false string []
s versions to
include
agentVersion Agent false string []
sNin versions not

798
to include
appsVulnerabi Apps false string []
lityStatuses vulnerability
status in
appsVulnerabi Apps false string []
lityStatusesN vulnerability
in status nin
awsRole__con Free-text false string []
tains filter by aws
role(supports
multiple
values)
awsSecurityG Free-text false string []
roups__conta filter by aws
ins securityGroup
s(supports
multiple
values)
awsSubnetIds Free-text false string []
__contains filter by aws
subnet ids
(supports
multiple
values)
azureResourc Free-text false string []
eGroup__cont filter by azure
ains resource
group(support
s multiple
values)
cloudAccount Free-text false string []
__contains filter by cloud
account
(supports
multiple
values)
cloudImage__ Free-text false string []
contains filter by cloud
image
(supports
multiple
values)

799
cloudInstance Free-text false string []
Id__contains filter by cloud
instance
id(supports
multiple
values)
cloudInstance Free-text false string []
Size__contain filter by cloud
s instance
size(supports
multiple
values)
cloudLocation Free-text false string []
__contains filter by cloud
location
(supports
multiple
values)
cloudNetwork Free-text false string []
__contains filter by cloud
network
(supports
multiple
values)
cloudProvider Agents from false string []
which cloud
provider
cloudProvide Exclude false string []
rNin Agents from
these cloud
provider
cloudTags__co Free-text false string []
ntains filter by cloud
tags
(supports
multiple
values)
clusterName_ Free-text false string []
_contains filter by
cluster name
(supports
multiple
values)

800
computerNa Computer false string
me name
computerNam Free-text false string []
e__contains filter by
computer
name
(supports
multiple
values)
computerNam Match false string
e__like computer
name
partially
(substring)
consoleMigra Migration false string []
tionStatuses status in
consoleMigra Migration false string []
tionStatusesN status nin
in
coreCount__ Possible false string
between number of
CPU cores
(inclusive)
coreCount__g CPU cores false integer
t (more than)
coreCount__g CPU cores false integer
te (more than or
equal)
coreCount__lt CPU cores false integer
(less than)
coreCount__l CPU cores false integer
te (less than or
equal)
cpuCount__b Possible false string
etween number of
CPU cores
(inclusive)
cpuCount__gt Number of false integer
CPUs (more
than)

801
cpuCount__gt Number of false integer
e CPUs (more
than or equal)
cpuCount__lt Number of false integer
CPUs (less
than)
cpuCount__lt Number of false integer
e CPUs (less
than or equal)
cpuId__contai Free-text false string []
ns filter by CPU
name
(supports
multiple
values)
createdAt__b Date range false string
etween for creation
time (format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
createdAt__g Agents false string
t created after
this
timestamp
createdAt__g Agents false string
te created after
or at this
timestamp
createdAt__lt Agents false string
created
before this
timestamp
createdAt__lt Agents false string
e created
before or at
this
timestamp
csvFilterId The ID of the false string
CSV file to
filter by

802
decommissio Date range false string
nedAt__betw for
een decommission
time (format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
decommission Agents false string
edAt__gt decommission
ed after this
timestamp
decommission Agents false string
edAt__gte decommission
ed after or at
this
timestamp
decommission Agents false string
edAt__lt decommission
ed before this
timestamp
decommission Agents false string
edAt__lte decommission
ed before this
timestamp
domains Included false string []
network
domains
domainsNin Not included false string []
network
domains
encryptedAppl Disk false boolean
ications encryption
status
externalId__c Free-text false string []
ontains filter by
external ID
(Customer ID)
externalIp__c Free-text false string []
ontains filter by
visible IP
(supports

803
multiple
values)
filteredGroup List of Group false string []
Ids IDs to filter
by
filteredSiteIds List of Site false string []
IDs to filter
by
filterId Include all false string
Agents
matching this
saved filter
firewallEnabl The agents false boolean []
ed supports
Firewall
Control and it
is enabled for
the agent's
group
gatewayIp Gateway ip false string
gcpServiceAc Free-text false string []
count__conta filter by gcp
ins service
account
(supports
multiple
values)
groupIds List of Group false string []
IDs to filter
by
hasContainer Include only false boolean
izedWorkload Agents
protecting
containerized
workloads
hasLocalConfi Agent has a false boolean
guration local
configuration
set
hasTags Include only false boolean
Agents that

804
have any tags
assigned if
True, or none
if False
ids A list of false string []
Agent IDs
infected Include only false boolean
Agents with
at least one
active threat
installerTypes Include only false string []
Agents
installed with
these
package
types
installerType Exclude false string []
sNin Agents
installed with
these
package
types
isActive Include only false boolean
active Agents
isDecommiss Include false boolean []
ioned active,
decommission
ed or both
isPendingUnin Include only false boolean
stall Agents with
pending
uninstall
requests
isUninstalled Include false boolean []
installed,
uninstalled or
both
isUpToDate Include only false boolean
Agents with
updated
software

805
k8sNodeLabel Free-text false string []
s__contains filter by K8s
node labels
(supports
multiple
values)
k8sNodeName Free-text false string []
__contains filter by K8s
node name
(supports
multiple
values)
k8sType__con Free-text false string []
tains filter by K8s
type(supports
multiple
values)
k8sVersion__c Free-text false string []
ontains filter by K8s
version
(supports
multiple
values)
lastActiveDa Date range false string
te__between for last active
date(format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
lastActiveDat Agents last false string
e__gt active after
this time
lastActiveDat Agents last false string
e__gte active after or
at this time
lastActiveDat Agents last false string
e__lt active before
this time
lastActiveDat Agents last false string
e__lte active before
or at this time

806
lastLoggedIn Free-text false string []
UserName__c filter by
ontains username
(supports
multiple
values)
lastSuccessf Date range false string
ulScanDate_ for last
_between successful full
disk
scan(format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
lastSuccessfu Agents last false string
lScanDate__g successful full
t disk scan
after this
time
lastSuccessfu Agents last false string
lScanDate__g successful full
te disk scan
after or at
this time
lastSuccessfu Agents last false string
lScanDate__lt successful full
disk scan
before this
time
lastSuccessfu Agents last false string
lScanDate__lt successful full
e disk scan
before or at
this time
liveUpdateId_ Free-text false string []
_contains filter by live
update ID
(supports
multiple
values)
locationEnabl The agents false boolean []
ed supports

807
Location
Awareness
and it is
enabled for
the agent's
group
locationIds Include only false string []
Agents
reporting
these
locations
locationIdsNi Do not false string []
n include only
Agents
reporting
these
locations
machineTypes Included false string []
machine
types
machineType Not included false string []
sNin machine
types
migrationStat Migration false enum
us status
missingPermis Included false string []
sions missing
permissions
missingPermi Excluded false string []
ssionsNin missing
permissions
mitigationMo Agent false enum
de mitigation
mode policy
mitigationMo Mitigation false enum
deSuspicious mode policy
for suspicious
activity
networkInter Free-text false string []
faceGatewayM filter by
acAddress__c Gateway

808
ontains MAC address
(supports
multiple
values)
networkInterf Free-text false string []
aceInet__cont filter by local
ains IP (supports
multiple
values)
networkInterf Free-text false string []
acePhysical__ filter by MAC
contains address
(supports
multiple
values)
networkQuara The agents false boolean []
ntineEnabled supports
Network
Quarantine
Control and
its enabled
for the
agent's group
networkStatu Included false string []
ses network
statuses
networkStatu Included false string []
sesNin network
statuses
operationalSt Agent false string []
ates operational
state
operationalSt Do not false string []
atesNin include these
Agent
operational
states
osArch OS false enum
architecture
osTypes Included OS false string []
types

809
osTypesNin Not included false string []
OS types
osVersion__co Free-text false string []
ntains filter by OS
full name and
version
(supports
multiple
values)
query A free-text false string
search term,
will match
applicable
attributes
(sub-string
match). Note:
Device's
physical
addresses will
be matched if
they start
with the
search term
only (no
match if they
contain the
term).
rangerStatus [DEPRECATE false enum
D] Use
rangerStatuse
s.
rangerStatuse Status of false string []
s Ranger
rangerStatus Do not false string []
esNin include these
Ranger
Statuses
rangerVersion Ranger false string []
s versions to
include
rangerVersio Ranger false string []
nsNin versions not
to include

810
registeredAt Date range false string
__between for first
registration
time (format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
registeredAt_ Agents false string
_gt registered
after this
time
registeredAt_ Agents false string
_gte registered
after or at
this time
registeredAt__ Agents false string
lt registered
before this
time
registeredAt_ Agents false string
_lte registered
before or at
this time
remoteOpsFor Include only false boolean
ensicsSuppor agents that
ted has Remote
Ops
Forensicsfeat
ure
supported
remoteProfili Agent remote false string []
ngStates profiling state
remoteProfili Do not false string []
ngStatesNin include these
Agent remote
profiling
states
rsoLevel Supported false enum
Remote
Script
Orchestration

811
level
  scanStatus | Scan status | false | enum
  scanStatuses | Included scan statuses | false | string []
  scanStatusesNin | Not included scan statuses | false | string []
  serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
  siteIds | List of Site IDs to filter by | false | string []
  tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
  threatContentHash | Include only Agents that have at least one threat with this content hash | false | string
  threatCreatedAt__between | Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  threatCreatedAt__gt | Agents with threats reported after this time | false | string
  threatCreatedAt__gte | Agents with threats reported after or at this time | false | string
  threatCreatedAt__lt | Agents with threats reported before this time | false | string
  threatCreatedAt__lte | Agents with threats reported before or at this time | false | string
  threatHidden | Include only Agents with at least one hidden threat | false | boolean
  threatMitigationStatus | Include only Agents that have threats with this mitigation status | false | enum
  threatRebootRequired | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean []
  threatResolved | Include only Agents with at least one resolved threat | false | boolean
  totalMemory__between | Total memory range (GB, inclusive) | false | string
  totalMemory__gt | Memory size (MB, more than) | false | integer
  totalMemory__gte | Memory size (MB, more than or equal) | false | integer
  totalMemory__lt | Memory size (MB, less than) | false | integer
  totalMemory__lte | Memory size (MB, less than or equal) | false | integer
  updatedAt__between | Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  updatedAt__gt | Agents updated after this timestamp | false | string
  updatedAt__gte | Agents updated after or at this timestamp | false | string
  updatedAt__lt | Agents updated before this timestamp | false | string
  updatedAt__lte | Agents updated before or at this timestamp | false | string
  userActionsNeeded | Included pending user actions | false | string []
  userActionsNeededNin | Excluded pending user actions | false | string []
  uuid | Agent's universally unique identifier | false | string
  uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
  uuids | A list of included UUIDs | false | string []

data | Data | false | (nested fields below)
  expiration | Number of days users are authorized to upgrade Agents | true | integer

Manage endpoint tags: add, remove, override
POST /web/api/v2.1/agents/actions/manage-tags

Override forces the new key and value to be added to the endpoints. If you use add to add a key when that key already exists with a different value, it will not take effect.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
  affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
filter | Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents. | true | (nested fields below)
  accountIds | List of Account IDs to filter by | false | string []
  activeThreats | Include Agents with this amount of active threats | false | integer
  activeThreats__gt | Include Agents with at least this amount of active threats | false | integer
  adComputerMember__contains | Free-text filter by Active Directory computer groups string (supports multiple values) | false | string []
  adComputerName__contains | Free-text filter by Active Directory computer name string (supports multiple values) | false | string []
  adComputerQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
  adQuery | An Active Directory query string | false | string
  adQuery__contains | Free-text filter by Active Directory string (supports multiple values) | false | string []
  adUserMember__contains | Free-text filter by Active Directory user groups string (supports multiple values) | false | string []
  adUserName__contains | Free-text filter by Active Directory username string (supports multiple values) | false | string []
  adUserQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
  agentNamespace__contains | Free-text filter by agent namespace (supports multiple values) | false | string []
  agentPodName__contains | Free-text filter by agent pod name (supports multiple values) | false | string []
  agentVersion__between | Version range for agent version (format: <from_version>-<to_version>, inclusive) | false | string
  agentVersion__gt | Agents versions greater than given version | false | string
  agentVersion__gte | Agents versions greater than or equal to given version | false | string
  agentVersion__lt | Agents versions less than given version | false | string
  agentVersion__lte | Agents versions less than or equal to given version | false | string
  agentVersions | Agent versions to include | false | string []
  agentVersionsNin | Agent versions not to include | false | string []
  appsVulnerabilityStatuses | Apps vulnerability status in | false | string []
  appsVulnerabilityStatusesNin | Apps vulnerability status nin | false | string []
  awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
  awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
  awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
  azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
  cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
  cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
  cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
  cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
  cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
  cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
  cloudProvider | Agents from which cloud provider | false | string []
  cloudProviderNin | Exclude Agents from these cloud provider | false | string []
  cloudTags__contains | Free-text filter by cloud tags (supports multiple values) | false | string []
  clusterName__contains | Free-text filter by cluster name (supports multiple values) | false | string []
  computerName | Computer name | false | string
  computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
  computerName__like | Match computer name partially (substring) | false | string
  consoleMigrationStatuses | Migration status in | false | string []
  consoleMigrationStatusesNin | Migration status nin | false | string []
  coreCount__between | Possible number of CPU cores (inclusive) | false | string
  coreCount__gt | CPU cores (more than) | false | integer
  coreCount__gte | CPU cores (more than or equal) | false | integer
  coreCount__lt | CPU cores (less than) | false | integer
  coreCount__lte | CPU cores (less than or equal) | false | integer
  cpuCount__between | Possible number of CPU cores (inclusive) | false | string
  cpuCount__gt | Number of CPUs (more than) | false | integer
  cpuCount__gte | Number of CPUs (more than or equal) | false | integer
  cpuCount__lt | Number of CPUs (less than) | false | integer
  cpuCount__lte | Number of CPUs (less than or equal) | false | integer
  cpuId__contains | Free-text filter by CPU name (supports multiple values) | false | string []
  createdAt__between | Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  createdAt__gt | Agents created after this timestamp | false | string
  createdAt__gte | Agents created after or at this timestamp | false | string
  createdAt__lt | Agents created before this timestamp | false | string
  createdAt__lte | Agents created before or at this timestamp | false | string
  csvFilterId | The ID of the CSV file to filter by | false | string
  decommissionedAt__between | Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  decommissionedAt__gt | Agents decommissioned after this timestamp | false | string
  decommissionedAt__gte | Agents decommissioned after or at this timestamp | false | string
  decommissionedAt__lt | Agents decommissioned before this timestamp | false | string
  decommissionedAt__lte | Agents decommissioned before this timestamp | false | string
  domains | Included network domains | false | string []
  domainsNin | Not included network domains | false | string []
  encryptedApplications | Disk encryption status | false | boolean
  externalId__contains | Free-text filter by external ID (Customer ID) | false | string []
  externalIp__contains | Free-text filter by visible IP (supports multiple values) | false | string []
  filteredGroupIds | List of Group IDs to filter by | false | string []
  filteredSiteIds | List of Site IDs to filter by | false | string []
  filterId | Include all Agents matching this saved filter | false | string
  firewallEnabled | The agents supports Firewall Control and it is enabled for the agent's group | false | boolean []
  gatewayIp | Gateway ip | false | string
  gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
  groupIds | List of Group IDs to filter by | false | string []
  hasContainerizedWorkload | Include only Agents protecting containerized workloads | false | boolean
  hasLocalConfiguration | Agent has a local configuration set | false | boolean
  hasTags | Include only Agents that have any tags assigned if True, or none if False | false | boolean
  ids | A list of Agent IDs | false | string []
  infected | Include only Agents with at least one active threat | false | boolean
  installerTypes | Include only Agents installed with these package types | false | string []
  installerTypesNin | Exclude Agents installed with these package types | false | string []
  isActive | Include only active Agents | false | boolean
  isDecommissioned | Include active, decommissioned or both | false | boolean []
  isPendingUninstall | Include only Agents with pending uninstall requests | false | boolean
  isUninstalled | Include installed, uninstalled or both | false | boolean []
  isUpToDate | Include only Agents with updated software | false | boolean
  k8sNodeLabels__contains | Free-text filter by K8s node labels (supports multiple values) | false | string []
  k8sNodeName__contains | Free-text filter by K8s node name (supports multiple values) | false | string []
  k8sType__contains | Free-text filter by K8s type (supports multiple values) | false | string []
  k8sVersion__contains | Free-text filter by K8s version (supports multiple values) | false | string []
  lastActiveDate__between | Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  lastActiveDate__gt | Agents last active after this time | false | string
  lastActiveDate__gte | Agents last active after or at this time | false | string
  lastActiveDate__lt | Agents last active before this time | false | string
  lastActiveDate__lte | Agents last active before or at this time | false | string
  lastLoggedInUserName__contains | Free-text filter by username (supports multiple values) | false | string []
  lastSuccessfulScanDate__between | Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  lastSuccessfulScanDate__gt | Agents last successful full disk scan after this time | false | string
  lastSuccessfulScanDate__gte | Agents last successful full disk scan after or at this time | false | string
  lastSuccessfulScanDate__lt | Agents last successful full disk scan before this time | false | string
  lastSuccessfulScanDate__lte | Agents last successful full disk scan before or at this time | false | string
  liveUpdateId__contains | Free-text filter by live update ID (supports multiple values) | false | string []
  locationEnabled | The agents supports Location Awareness and it is enabled for the agent's group | false | boolean []
  locationIds | Include only Agents reporting these locations | false | string []
  locationIdsNin | Do not include only Agents reporting these locations | false | string []
  machineTypes | Included machine types | false | string []
  machineTypesNin | Not included machine types | false | string []
  migrationStatus | Migration status | false | enum
  missingPermissions | Included missing permissions | false | string []
  missingPermissionsNin | Excluded missing permissions | false | string []
  mitigationMode | Agent mitigation mode policy | false | enum
  mitigationModeSuspicious | Mitigation mode policy for suspicious activity | false | enum
  networkInterfaceGatewayMacAddress__contains | Free-text filter by Gateway MAC address (supports multiple values) | false | string []
  networkInterfaceInet__contains | Free-text filter by local IP (supports multiple values) | false | string []
  networkInterfacePhysical__contains | Free-text filter by MAC address (supports multiple values) | false | string []
  networkQuarantineEnabled | The agents supports Network Quarantine Control and its enabled for the agent's group | false | boolean []
  networkStatuses | Included network statuses | false | string []
  networkStatusesNin | Included network statuses | false | string []
  operationalStates | Agent operational state | false | string []
  operationalStatesNin | Do not include these Agent operational states | false | string []
  osArch | OS architecture | false | enum
  osTypes | Included OS types | false | string []
  osTypesNin | Not included OS types | false | string []
  osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
  query | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string
  rangerStatus | [DEPRECATED] Use rangerStatuses. | false | enum
  rangerStatuses | Status of Ranger | false | string []
  rangerStatusesNin | Do not include these Ranger Statuses | false | string []
  rangerVersions | Ranger versions to include | false | string []
  rangerVersionsNin | Ranger versions not to include | false | string []
  registeredAt__between | Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  registeredAt__gt | Agents registered after this time | false | string
  registeredAt__gte | Agents registered after or at this time | false | string
  registeredAt__lt | Agents registered before this time | false | string
  registeredAt__lte | Agents registered before or at this time | false | string
  remoteOpsForensicsSupported | Include only agents that has Remote Ops Forensics feature supported | false | boolean
  remoteProfilingStates | Agent remote profiling state | false | string []
  remoteProfilingStatesNin | Do not include these Agent remote profiling states | false | string []
  rsoLevel | Supported Remote Script Orchestration level | false | enum
  scanStatus | Scan status | false | enum
  scanStatuses | Included scan statuses | false | string []
  scanStatusesNin | Not included scan statuses | false | string []
  serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
  siteIds | List of Site IDs to filter by | false | string []
  tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
  threatContentHash | Include only Agents that have at least one threat with this content hash | false | string
  threatCreatedAt__between | Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  threatCreatedAt__gt | Agents with threats reported after this time | false | string
  threatCreatedAt__gte | Agents with threats reported after or at this time | false | string
  threatCreatedAt__lt | Agents with threats reported before this time | false | string
  threatCreatedAt__lte | Agents with threats reported before or at this time | false | string
  threatHidden | Include only Agents with at least one hidden threat | false | boolean
  threatMitigationStatus | Include only Agents that have threats with this mitigation status | false | enum
  threatRebootRequired | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean []
  threatResolved | Include only Agents with at least one resolved threat | false | boolean
  totalMemory__between | Total memory range (GB, inclusive) | false | string
  totalMemory__gt | Memory size (MB, more than) | false | integer
  totalMemory__gte | Memory size (MB, more than or equal) | false | integer
  totalMemory__lt | Memory size (MB, less than) | false | integer
  totalMemory__lte | Memory size (MB, less than or equal) | false | integer
  updatedAt__between | Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  updatedAt__gt | Agents updated after this timestamp | false | string
  updatedAt__gte | Agents updated after or at this timestamp | false | string
  updatedAt__lt | Agents updated before this timestamp | false | string
  updatedAt__lte | Agents updated before or at this timestamp | false | string
  userActionsNeeded | Included pending user actions | false | string []
  userActionsNeededNin | Excluded pending user actions | false | string []
  uuid | Agent's universally unique identifier | false | string
  uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
  uuids | A list of included UUIDs | false | string []

data | Tags to attach | false | (nested fields below)
  operation | Operation to perform on tag | false | enum
  tagId | Tag ID | false | string
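
The Python pre-flight below is an added example, not part of the SentinelOne documentation. It refuses an empty filter (which the Body Schema says applies the action to all applicable Agents), type-checks a subset of the documented filter fields, and models the add/override rule described for this endpoint. The shape of data as a list of {tagId, operation} objects, the catalogue lookup, the sample IDs and the remove behaviour are assumptions.

```python
import json

MANAGE_TAGS_PATH = "/web/api/v2.1/agents/actions/manage-tags"
OPERATIONS = ("add", "remove", "override")  # the three named in the endpoint title

# Subset of the documented filter fields and their documented value types
# ("string []" -> list of str). Extend from the Body Schema table as needed.
FILTER_TYPES = {
    "accountIds": [str], "siteIds": [str], "groupIds": [str],
    "ids": [str], "uuids": [str], "osTypes": [str],
    "isDecommissioned": [bool],
    "computerName": str, "uuid": str,
    "isActive": bool, "infected": bool, "hasTags": bool,
}


def check_filter(flt, allow_all_agents=False):
    """Validate a filter; an empty one must be confirmed explicitly."""
    if not flt:
        if not allow_all_agents:
            raise ValueError("empty filter applies the action to all applicable "
                             "Agents; pass allow_all_agents=True to confirm")
        return {}
    for key, value in flt.items():
        if key not in FILTER_TYPES:
            raise ValueError(f"filter field not in the checked subset: {key}")
        expected = FILTER_TYPES[key]
        if isinstance(expected, list):
            # Assumption: an empty list is a caller mistake, so it is rejected.
            if not isinstance(value, list) or not value:
                raise ValueError(f"{key} must be a non-empty list")
            if not all(type(v) is expected[0] for v in value):
                raise ValueError(f"{key} items must be {expected[0].__name__}")
        elif type(value) is not expected:
            raise ValueError(f"{key} must be {expected.__name__}")
    return dict(flt)


def build_manage_tags_body(flt, tag_ops, allow_all_agents=False):
    """Return the JSON body text for MANAGE_TAGS_PATH after validation."""
    checked = check_filter(flt, allow_all_agents)
    if not tag_ops:
        raise ValueError("no tag operations given")
    data = []
    for op in tag_ops:
        tag_id, operation = op.get("tagId"), op.get("operation")
        if not isinstance(tag_id, str) or not tag_id:
            raise ValueError("tagId must be a non-empty string")
        if operation not in OPERATIONS:
            raise ValueError(f"operation must be one of {OPERATIONS}")
        data.append({"tagId": tag_id, "operation": operation})
    # Assumption: "data" is a list of {tagId, operation} objects.
    return json.dumps({"filter": checked, "data": data}, sort_keys=True)


def predict_effect(current, catalogue, tag_ops):
    """Model the add/override rule for one endpoint.

    current:   {key: value} tags already on the endpoint (constructed input)
    catalogue: {tagId: (key, value)} lookup (hypothetical, built by the caller)
    Returns (resulting tags, [(tagId, outcome), ...]).
    """
    tags, outcomes = dict(current), []
    for op in tag_ops:
        key, value = catalogue[op["tagId"]]
        kind = op["operation"]
        if kind == "override":
            tags[key] = value  # override forces the new key and value
            outcome = "applied"
        elif kind == "add":
            if key in tags and tags[key] != value:
                outcome = "no effect: key exists with a different value"
            else:
                tags[key] = value
                outcome = "applied"
        elif kind == "remove":
            # Assumption: remove detaches only the exact key/value it names.
            if tags.get(key) == value:
                del tags[key]
                outcome = "applied"
            else:
                outcome = "no effect: tag not assigned"
        else:
            raise ValueError(f"operation must be one of {OPERATIONS}")
        outcomes.append((op["tagId"], outcome))
    return tags, outcomes


if __name__ == "__main__":
    # Constructed sample data: tag IDs, site ID and tag values are made up.
    catalogue = {"T1": ("env", "prod"), "T2": ("owner", "soc")}
    ops = [{"tagId": "T1", "operation": "add"},
           {"tagId": "T2", "operation": "override"}]
    print("POST", MANAGE_TAGS_PATH)
    print(build_manage_tags_body({"siteIds": ["1000000000000000001"]}, ops))
    print(predict_effect({"env": "dev", "owner": "it"}, catalogue, ops))
```

Running the prediction before sending the request shows which add operations would silently do nothing and should be sent as override instead.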

Agent Support Actions

Clear Remote Shell


POST /web/api/v2.1/agents/actions/clear-remote-shell-session

Remote Shell is a powerful way to respond remotely to events on endpoints. It lets you open full shell capabilities: PowerShell on Windows and Bash on macOS and Linux.
For best practices, a Remote Shell session can be terminated in many ways: from the UI, from Agent timeouts, from endpoint or connection issues, and so on. If a shell closes at the same time that an Agent goes offline, the Remote Shell status on the Management is incorrect.
Use this command to clear the "open shell" flags on the Management.
The IT user role does not have permissions to run this command.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
  affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
filter | Applied filter - only matched Agents will be affected by the requested action. Leave empty to apply the action on all applicable Agents. | true | (nested fields below)
  accountIds | List of Account IDs to filter by | false | string []
  activeThreats | Include Agents with this amount of active threats | false | integer
  activeThreats__gt | Include Agents with at least this amount of active threats | false | integer
  adComputerMember__contains | Free-text filter by Active Directory computer groups string (supports multiple values) | false | string []
  adComputerName__contains | Free-text filter by Active Directory computer name string (supports multiple values) | false | string []
  adComputerQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
  adQuery | An Active Directory query string | false | string
  adQuery__contains | Free-text filter by Active Directory string (supports multiple values) | false | string []
  adUserMember__contains | Free-text filter by Active Directory user groups string (supports multiple values) | false | string []
  adUserName__contains | Free-text filter by Active Directory username string (supports multiple values) | false | string []
  adUserQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
  agentNamespace__contains | Free-text filter by agent namespace (supports multiple values) | false | string []
  agentPodName__contains | Free-text filter by agent pod name (supports multiple values) | false | string []
  agentVersion__between | Version range for agent version (format: <from_version>-<to_version>, inclusive) | false | string
  agentVersion__gt | Agents versions greater than given version | false | string
  agentVersion__gte | Agents versions greater than or equal to given version | false | string
  agentVersion__lt | Agents versions less than given version | false | string
  agentVersion__lte | Agents versions less than or equal to given version | false | string
  agentVersions | Agent versions to include | false | string []
  agentVersionsNin | Agent versions not to include | false | string []
  appsVulnerabilityStatuses | Apps vulnerability status in | false | string []
  appsVulnerabilityStatusesNin | Apps vulnerability status nin | false | string []
  awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
  awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
  awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
  azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
  cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
  cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
  cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
  cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
  cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
  cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
  cloudProvider | Agents from which cloud provider | false | string []
  cloudProviderNin | Exclude Agents from these cloud provider | false | string []
  cloudTags__contains | Free-text filter by cloud tags (supports multiple values) | false | string []
  clusterName__contains | Free-text filter by cluster name (supports multiple values) | false | string []
  computerName | Computer name | false | string
  computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
  computerName__like | Match computer name partially (substring) | false | string
  consoleMigrationStatuses | Migration status in | false | string []
  consoleMigrationStatusesNin | Migration status nin | false | string []
  coreCount__between | Possible number of CPU cores (inclusive) | false | string
  coreCount__gt | CPU cores (more than) | false | integer
  coreCount__gte | CPU cores (more than or equal) | false | integer
  coreCount__lt | CPU cores (less than) | false | integer
  coreCount__lte | CPU cores (less than or equal) | false | integer
  cpuCount__between | Possible number of CPU cores (inclusive) | false | string
  cpuCount__gt | Number of CPUs (more than) | false | integer
  cpuCount__gte | Number of CPUs (more than or equal) | false | integer
  cpuCount__lt | Number of CPUs (less than) | false | integer
  cpuCount__lte | Number of CPUs (less than or equal) | false | integer
  cpuId__contains | Free-text filter by CPU name (supports multiple values) | false | string []
  createdAt__between | Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  createdAt__gt | Agents created after this timestamp | false | string
  createdAt__gte | Agents created after or at this timestamp | false | string
  createdAt__lt | Agents created before this timestamp | false | string
  createdAt__lte | Agents created before or at this timestamp | false | string
  csvFilterId | The ID of the CSV file to filter by | false | string
  decommissionedAt__between | Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  decommissionedAt__gt | Agents decommissioned after this timestamp | false | string
  decommissionedAt__gte | Agents decommissioned after or at this timestamp | false | string
  decommissionedAt__lt | Agents decommissioned before this timestamp | false | string
  decommissionedAt__lte | Agents decommissioned before this timestamp | false | string
  domains | Included network domains | false | string []
  domainsNin | Not included network domains | false | string []
  encryptedApplications | Disk encryption status | false | boolean
  externalId__contains | Free-text filter by external ID (Customer ID) | false | string []
  externalIp__contains | Free-text filter by visible IP (supports multiple values) | false | string []
  filteredGroupIds | List of Group IDs to filter by | false | string []
  filteredSiteIds | List of Site IDs to filter by | false | string []
  filterId | Include all Agents matching this saved filter | false | string
  firewallEnabled | The agents supports Firewall Control and it is enabled for the agent's group | false | boolean []
  gatewayIp | Gateway ip | false | string
  gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
  groupIds | List of Group IDs to filter by | false | string []
  hasContainerizedWorkload | Include only Agents protecting containerized workloads | false | boolean
  hasLocalConfiguration | Agent has a local configuration set | false | boolean
  hasTags | Include only Agents that have any tags assigned if True, or none if False | false | boolean
  ids | A list of Agent IDs | false | string []
  infected | Include only Agents with at least one active threat | false | boolean
  installerTypes | Include only Agents installed with these package types | false | string []
  installerTypesNin | Exclude Agents installed with these package types | false | string []
  isActive | Include only active Agents | false | boolean
  isDecommissioned | Include active, decommissioned or both | false | boolean []
  isPendingUninstall | Include only Agents with pending uninstall requests | false | boolean
  isUninstalled | Include installed, uninstalled or both | false | boolean []
  isUpToDate | Include only Agents with updated software | false | boolean
  k8sNodeLabels__contains | Free-text filter by K8s node labels (supports multiple values) | false | string []
  k8sNodeName__contains | Free-text filter by K8s node name (supports multiple values) | false | string []
  k8sType__contains | Free-text filter by K8s type (supports multiple values) | false | string []
  k8sVersion__contains | Free-text filter by K8s version (supports multiple values) | false | string []
  lastActiveDate__between | Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  lastActiveDate__gt | Agents last active after this time | false | string
  lastActiveDate__gte | Agents last active after or at this time | false | string
  lastActiveDate__lt | Agents last active before this time | false | string
  lastActiveDate__lte | Agents last active before or at this time | false | string
  lastLoggedInUserName__contains | Free-text filter by username (supports multiple values) | false | string []
  lastSuccessfulScanDate__between | Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  lastSuccessfulScanDate__gt | Agents last successful full disk scan after this time | false | string
  lastSuccessfulScanDate__gte | Agents last successful full disk scan after or at this time | false | string
  lastSuccessfulScanDate__lt | Agents last successful full disk scan before this time | false | string
  lastSuccessfulScanDate__lte | Agents last successful full disk scan before or at this time | false | string
  liveUpdateId__contains | Free-text filter by live update ID (supports multiple values) | false | string []
  locationEnabled | The agents supports Location Awareness and it is enabled for the agent's group | false | boolean []
  locationIds | Include only Agents reporting these locations | false | string []
  locationIdsNin | Do not include only Agents reporting these locations | false | string []
  machineTypes | Included machine types | false | string []
  machineTypesNin | Not included machine types | false | string []
  migrationStatus | Migration status | false | enum
  missingPermissions | Included missing permissions | false | string []
  missingPermissionsNin | Excluded missing permissions | false | string []
  mitigationMode | Agent mitigation mode policy | false | enum
  mitigationModeSuspicious | Mitigation mode policy for suspicious activity | false | enum
  networkInterfaceGatewayMacAddress__contains | Free-text filter by Gateway MAC address (supports multiple values) | false | string []
  networkInterfaceInet__contains | Free-text filter by local IP (supports multiple values) | false | string []
  networkInterfacePhysical__contains | Free-text filter by MAC address (supports multiple values) | false | string []
  networkQuarantineEnabled | The agents supports Network Quarantine Control and its enabled for the agent's group | false | boolean []
  networkStatuses | Included network statuses | false | string []
  networkStatusesNin | Included network statuses | false | string []
  operationalStates | Agent operational state | false | string []
  operationalStatesNin | Do not include these Agent operational states | false | string []
  osArch | OS architecture | false | enum
  osTypes | Included OS types | false | string []
  osTypesNin | Not included OS types | false | string []
  osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
  query | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string
  rangerStatus | [DEPRECATED] Use rangerStatuses. | false | enum
  rangerStatuses | Status of Ranger | false | string []
  rangerStatusesNin | Do not include these Ranger Statuses | false | string []
  rangerVersions | Ranger versions to include | false | string []
  rangerVersionsNin | Ranger versions not to include | false | string []
  registeredAt__between | Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  registeredAt__gt | Agents registered after this time | false | string
  registeredAt__gte | Agents registered after or at this time | false | string
  registeredAt__lt | Agents registered before this time | false | string
  registeredAt__lte | Agents registered before or at this time | false | string
  remoteOpsForensicsSupported | Include only agents that has Remote Ops Forensics feature supported | false | boolean
  remoteProfilingStates | Agent remote profiling state | false | string []
  remoteProfilingStatesNin | Do not include these Agent remote profiling states | false | string []
  rsoLevel | Supported Remote Script Orchestration level | false | enum
  scanStatus | Scan status | false | enum
  scanStatuses | Included scan statuses | false | string []
  scanStatusesNin | Not included scan statuses | false | string []
  serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
  siteIds | List of Site IDs to filter by | false | string []
  tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
  threatContentHash | Include only Agents that have at least one threat with this content hash | false | string
  threatCreatedAt__between | Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  threatCreatedAt__gt | Agents with threats reported after this time | false | string
  threatCreatedAt__gte | Agents with threats reported after or at this time | false | string
  threatCreatedAt__lt | Agents with threats reported before this time | false | string
  threatCreatedAt__lte | Agents with threats reported before or at this time | false | string
  threatHidden | Include only Agents with at least one hidden threat | false | boolean
  threatMitigationStatus | Include only Agents that have threats with this mitigation status | false | enum
  threatRebootRequired | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean []
  threatResolved | Include only Agents with at least one resolved threat | false | boolean
  totalMemory__between | Total memory range (GB, inclusive) | false | string
  totalMemory__gt | Memory size (MB, more than) | false | integer
  totalMemory__gte | Memory size (MB, more than or equal) | false | integer
  totalMemory__lt | Memory size (MB, less than) | false | integer
  totalMemory__lte | Memory size (MB, less than or equal) | false | integer
  updatedAt__between | Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  updatedAt__gt | Agents updated after this timestamp | false | string
  updatedAt__gte | Agents updated after or at this timestamp | false | string
  updatedAt__lt | Agents updated before this timestamp | false | string
  updatedAt__lte | Agents updated before or at this timestamp | false | string
  userActionsNeeded | Included pending user actions | false | string []
  userActionsNeededNin | Excluded pending user actions | false | string []
  uuid | Agent's universally unique identifier | false | string
  uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
  uuids | A list of included UUIDs | false | string []

data Data false

Agents

Get Agents
GET /web/api/v2.1/agents

Get the Agents, and their data, that match the filter. This command gives the Agent ID, which you can use in other commands.
To save the list and data to a CSV file, use "export/agents".

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
activethreats optional Include Agents with this amount of active threats. Example: "3".
activethreats__gt optional Include Agents with at least this amount of active threats. Example: "5".
adcomputermember__contains optional Free-text filter by Active Directory computer groups string (supports multiple values). Example: "DC=sentinelone".
adcomputername__contains optional Free-text filter by Active Directory computer name string (supports multiple values). Example: "DC=sentinelone".
adcomputerquery__contains optional Free-text filter by Active Directory computer name or its groups (supports multiple values). Example: "DC=sentinelone,Windows".
adquery optional An Active Directory query string. Example: "CN=Managers,DC=sentinelone,DC=com".
adquery__contains optional Free-text filter by Active Directory string (supports multiple values). Example: "DC=sentinelone".
adusermember__contains optional Free-text filter by Active Directory user groups string (supports multiple values). Example: "DC=sentinelone".
adusername__contains optional Free-text filter by Active Directory username string (supports multiple values). Example: "DC=sentinelone".
aduserquery__contains optional Free-text filter by Active Directory computer name or its groups (supports multiple values). Example: "DC=sentinelone,John".
agentnamespace__contains optional Free-text filter by agent namespace (supports multiple values)
agentpodname__contains optional Free-text filter by agent pod name (supports multiple values)
agentversion__between optional Version range for agent version (format: <from_version>-<to_version>, inclusive). Example: "2.0.0.0-2.1.5.144".
agentversion__gt optional Agents versions greater than given version. Example: "2.5.1.1320".
agentversion__gte optional Agents versions greater than or equal to given version. Example: "2.5.1.1320".
agentversion__lt optional Agents versions less than given version. Example: "2.5.1.1320".
agentversion__lte optional Agents versions less than or equal to given version. Example: "2.5.1.1320".
agentversions optional Agent versions to include. Example: "2.0.0.0,2.1.5.144".
agentversionsnin optional Agent versions not to include. Example: "2.0.0.0,2.1.5.144".
appsvulnerabilitystatuses optional Apps vulnerability status in. Example: "patch_required".
appsvulnerabilitystatusesnin optional Apps vulnerability status nin. Example: "patch_required".
awsrole__contains optional Free-text filter by aws role (supports multiple values)
awssecuritygroups__contains optional Free-text filter by aws securityGroups (supports multiple values)
awssubnetids__contains optional Free-text filter by aws subnet ids (supports multiple values)
azureresourcegroup__contains optional Free-text filter by azure resource group (supports multiple values)
cloudaccount__contains optional Free-text filter by cloud account (supports multiple values)
cloudimage__contains optional Free-text filter by cloud image (supports multiple values)
cloudinstanceid__contains optional Free-text filter by cloud instance id (supports multiple values)
cloudinstancesize__contains optional Free-text filter by cloud instance size (supports multiple values)
cloudlocation__contains optional Free-text filter by cloud location (supports multiple values)
cloudnetwork__contains optional Free-text filter by cloud network (supports multiple values)
cloudprovider optional Agents from which cloud provider
cloudprovidernin optional Exclude Agents from these cloud providers
cloudtags__contains optional Free-text filter by cloud tags (supports multiple values)
clustername__contains optional Free-text filter by cluster name (supports multiple values)
computername optional Computer name. Example: "My Office Desktop".
computername__contains optional Free-text filter by computer name (supports multiple values). Example: "john-office,WIN".
computername__like optional Match computer name partially (substring). Example: "Lab1".
consolemigrationstatuses optional Migration status in. Example: "N/A".
consolemigrationstatusesnin optional Migration status nin. Example: "N/A".
corecount__between optional Possible number of CPU cores (inclusive). Example: "2-8".
corecount__gt optional CPU cores (more than)
corecount__gte optional CPU cores (more than or equal)
corecount__lt optional CPU cores (less than)
corecount__lte optional CPU cores (less than or equal)
countonly optional If true, only total number of items will be returned, without any of the actual objects.
cpucount__between optional Possible number of CPU cores (inclusive). Example: "2-8".
cpucount__gt optional Number of CPUs (more than)
cpucount__gte optional Number of CPUs (more than or equal)
cpucount__lt optional Number of CPUs (less than)
cpucount__lte optional Number of CPUs (less than or equal)
cpuid__contains optional Free-text filter by CPU name (supports multiple values). Example: "Intel,AMD".
createdat__between optional Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
createdat__gt optional Agents created after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__gte optional Agents created after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lt optional Agents created before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lte optional Agents created before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
csvfilterid optional The ID of the CSV file to filter by. Example: "225494730938493804".
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
decommissionedat__between optional Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
decommissionedat__gt optional Agents decommissioned after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
decommissionedat__gte optional Agents decommissioned after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
decommissionedat__lt optional Agents decommissioned before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
decommissionedat__lte optional Agents decommissioned before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
domains optional Included network domains. Example: "mybusiness.net,workgroup".
domainsnin optional Not included network domains. Example: "mybusiness.net,workgroup".
encryptedapplications optional Disk encryption status
externalid__contains optional Free-text filter by external ID (Customer ID). Example: "Tag#1 - monitoring,Performance machine".
externalip__contains optional Free-text filter by visible IP (supports multiple values). Example: "205,127.0".
filteredgroupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
filteredsiteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
filterid optional Include all Agents matching this saved filter. Example: "225494730938493804".
firewallenabled optional The agent supports Firewall Control and it is enabled for the agent's group
gatewayip optional Gateway ip. Example: "192.168.0.1".
gcpserviceaccount__contains optional Free-text filter by gcp service account (supports multiple values)
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
hascontainerizedworkload optional Include only Agents protecting containerized workloads
haslocalconfiguration optional Agent has a local configuration set
hastags optional Include only Agents that have any tags assigned if True, or none if False
ids optional A list of Agent IDs. Example: "225494730938493804,225494730938493915".
infected optional Include only Agents with at least one active threat
installertypes optional Include only Agents installed with these package types. Example: ".msi".
installertypesnin optional Exclude Agents installed with these package types. Example: ".msi".
isactive optional Include only active Agents
isdecommissioned optional Include active, decommissioned or both. Example: "True,False".
ispendinguninstall optional Include only Agents with pending uninstall requests
isuninstalled optional Include installed, uninstalled or both. Example: "True,False".
isuptodate optional Include only Agents with updated software
k8snodelabels__contains optional Free-text filter by K8s node labels (supports multiple values)
k8snodename__contains optional Free-text filter by K8s node name (supports multiple values)
k8stype__contains optional Free-text filter by K8s type (supports multiple values)
k8sversion__contains optional Free-text filter by K8s version (supports multiple values)
lastactivedate__between optional Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978764288-1514978999999".
lastactivedate__gt optional Agents last active after this time. Example: "2018-02-27T04:49:26.257525Z".
lastactivedate__gte optional Agents last active after or at this time. Example: "2018-02-27T04:49:26.257525Z".
lastactivedate__lt optional Agents last active before this time. Example: "2018-02-27T04:49:26.257525Z".
lastactivedate__lte optional Agents last active before or at this time. Example: "2018-02-27T04:49:26.257525Z".
lastloggedinusername__contains optional Free-text filter by username (supports multiple values). Example: "admin,johnd1".
lastsuccessfulscandate__between optional Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978764288-1514978999999".
lastsuccessfulscandate__gt optional Agents last successful full disk scan after this time. Example: "2018-02-27T04:49:26.257525Z".
lastsuccessfulscandate__gte optional Agents last successful full disk scan after or at this time. Example: "2018-02-27T04:49:26.257525Z".
lastsuccessfulscandate__lt optional Agents last successful full disk scan before this time. Example: "2018-02-27T04:49:26.257525Z".
lastsuccessfulscandate__lte optional Agents last successful full disk scan before or at this time. Example: "2018-02-27T04:49:26.257525Z".
limit optional Limit number of returned items (1-1000). Example: "10".
liveupdateid__contains optional Free-text filter by live update ID (supports multiple values)
locationenabled optional The agent supports Location Awareness and it is enabled for the agent's group
locationids optional Include only Agents reporting these locations. Example: "225494730938493804,225494730938493915".
locationidsnin optional Do not include Agents reporting these locations. Example: "225494730938493804,225494730938493915".
machinetypes optional Included machine types. Example: "laptop,desktop".
machinetypesnin optional Not included machine types. Example: "laptop,desktop".
migrationstatus optional Migration status. Example: "N/A".
missingpermissions optional Included missing permissions. Example: "user_action_needed_bluetooth_per,user_action_needed_fda_helper".
missingpermissionsnin optional Excluded missing permissions. Example: "user_action_needed_bluetooth_per,user_action_needed_fda_helper".
mitigationmode optional Agent mitigation mode policy. Example: "detect".
mitigationmodesuspicious optional Mitigation mode policy for suspicious activity. Example: "detect".
networkinterfacegatewaymacaddress__contains optional Free-text filter by Gateway MAC address (supports multiple values). Example: "aa:0f,:41:".
networkinterfaceinet__contains optional Free-text filter by local IP (supports multiple values). Example: "192,10.0.0".
networkinterfacephysical__contains optional Free-text filter by MAC address (supports multiple values). Example: "aa:0f,:41:".
networkquarantineenabled optional The agent supports Network Quarantine Control and it is enabled for the agent's group
networkstatuses optional Included network statuses. Example: "connected,connecting".
networkstatusesnin optional Included network statuses. Example: "connected,connecting".
operationalstates optional Agent operational state
operationalstatesnin optional Do not include these Agent operational states
osarch optional OS architecture. Example: "32 bit".
ostypes optional Included OS types. Example: "macos".
ostypesnin optional Not included OS types. Example: "macos".
osversion__contains optional Free-text filter by OS full name and version (supports multiple values). Example: "Service Pack 1".
query optional A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). Example: "Linux".
rangerstatus optional [DEPRECATED] Use rangerStatuses. Example: "NotApplicable".
rangerstatuses optional Status of Ranger. Example: "NotApplicable".
rangerstatusesnin optional Do not include these Ranger Statuses. Example: "NotApplicable".
rangerversions optional Ranger versions to include. Example: "2.0.0.0,2.1.5.144".
rangerversionsnin optional Ranger versions not to include. Example: "2.0.0.0,2.1.5.144".
registeredat__between optional Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978764288-1514978999999".
registeredat__gt optional Agents registered after this time. Example: "2018-02-27T04:49:26.257525Z".
registeredat__gte optional Agents registered after or at this time. Example: "2018-02-27T04:49:26.257525Z".
registeredat__lt optional Agents registered before this time. Example: "2018-02-27T04:49:26.257525Z".
registeredat__lte optional Agents registered before or at this time. Example: "2018-02-27T04:49:26.257525Z".
remoteopsforensicssupported optional Include only agents that have the Remote Ops Forensics feature supported
remoteprofilingstates optional Agent remote profiling state
remoteprofilingstatesnin optional Do not include these Agent remote profiling states
rsolevel optional Supported Remote Script Orchestration level. Example: "none".
scanstatus optional Scan status. Example: "none".
scanstatuses optional Included scan statuses. Example: "started,aborted".
scanstatusesnin optional Not included scan statuses. Example: "started,aborted".
serialnumber__contains optional Free-text filter by Serial Number (supports multiple values)
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
tagsdata optional Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. Example: "{"key1": ["value1_1", "value1_2"], "key2__nin": ["value2"]}".
threatcontenthash optional Include only Agents that have at least one threat with this content hash. Example: "cf23df2207d99a74fbe169e3eba035e633b65d94".
threatcreatedat__between optional Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978764288-1514978999999".
threatcreatedat__gt optional Agents with threats reported after this time. Example: "2018-02-27T04:49:26.257525Z".
threatcreatedat__gte optional Agents with threats reported after or at this time. Example: "2018-02-27T04:49:26.257525Z".
threatcreatedat__lt optional Agents with threats reported before this time. Example: "2018-02-27T04:49:26.257525Z".
threatcreatedat__lte optional Agents with threats reported before or at this time. Example: "2018-02-27T04:49:26.257525Z".
threathidden optional Include only Agents with at least one hidden threat
threatmitigationstatus optional Include only Agents that have threats with this mitigation status. Example: "mitigated".
threatrebootrequired optional Has at least one threat with at least one mitigation action pending reboot to succeed
threatresolved optional Include only Agents with at least one resolved threat
totalmemory__between optional Total memory range (GB, inclusive). Example: "4-8".
totalmemory__gt optional Memory size (MB, more than)
totalmemory__gte optional Memory size (MB, more than or equal)
totalmemory__lt optional Memory size (MB, less than)
totalmemory__lte optional Memory size (MB, less than or equal)
updatedat__between optional Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
updatedat__gt optional Agents updated after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
updatedat__gte optional Agents updated after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
updatedat__lt optional Agents updated before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
updatedat__lte optional Agents updated before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
useractionsneeded optional Included pending user actions. Example: "reboot_needed,upgrade_needed".
useractionsneedednin optional Excluded pending user actions. Example: "reboot_needed,upgrade_needed".
uuid optional Agent's universally unique identifier. Example: "ff819e70af13be381993075eb0ce5f2f6de05be2".
uuid__contains optional Free-text filter by Agent UUID (supports multiple values). Example: "e92-01928,b055".
uuids optional A list of included UUIDs. Example: "ff819e70af13be381993075eb0ce5f2f6de05b11,ff819e70af13be381993075eb0ce5f2f6de05c22".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
    totalItems Total number of items found matching your query true integer
    nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
    accountId A reference to the containing account false string
    accountName Name of the containing account false string
    activeDirectory Active Directory data false
        computerDistinguishedName Computer distinguished name false string
        computerMemberOf Computer member of false string []
        lastUserDistinguishedName Last user distinguished name false string
        lastUserMemberOf Last user member of false string []
        mail Mail false string
        userPrincipalName User principal name false string
    activeThreats Current number of active threats false integer
    agentVersion Agent version false string
    allowRemoteShell Agent is capable and policy enabled for remote shell false boolean
    appsVulnerabilityStatus Apps vulnerability status false enum
    cloudProviders Cloud providers for this agent false object
    computerName Computer name false string
    consoleMigrationStatus What step the agent is at in the process of migrating to another console, if any false enum
    containerizedWorkloadCounts Containerized workload counts false
        containersCount Number of containers the agent is currently protecting false integer
        podsCount Number of K8s pods the agent is currently protecting false integer
        tasksCount Number of tasks the agent is currently protecting false integer
    coreCount CPU cores false integer
    cpuCount Number of CPUs false integer
    cpuId CPU model false string
    createdAt Created at false string
    detectionState Detection State false string
    domain Network domain false string
    encryptedApplications Disk encryption status false boolean
    externalId External id set by customer false string
    externalIp External IPv4 address false string
    firewallEnabled Firewall enabled false boolean
    firstFullModeTime Date of the first time the Agent moved to full or slim detection modes false string
    fullDiskScanLastUpdatedAt Last time scan status was updated false string
    groupId A reference to the containing network group false string
    groupIp IP Address subnet false string
    groupName Name of the containing network group false string
    groupUpdatedAt Group updated at false string
    hasContainerizedWorkload Indicates whether the agent protects containerized workload at the moment false boolean
    id Agent ID false string
    infected Indicates if the Agent has active threats false boolean
    inRemoteShellSession Is the Agent in a remote shell session false boolean
    installerType Installer package type (file extension) false enum
    isActive Indicates if the agent was recently active false boolean
    isDecommissioned Is Agent decommissioned false boolean
    isPendingUninstall Agent with a pending uninstall request false boolean
    isUninstalled Indicates if Agent was removed from the device false boolean
    isUpToDate Indicates if the agent version is up to date false boolean
    lastActiveDate Last active date false string
    lastIpToMgmt The last ip used to connect to the Management console false string
    lastLoggedInUserName Last logged in user name false string
    lastSuccessfulScanDate Last successful full disk scan time false string
    licenseKey License key false string
    locationEnabled Location enabled false boolean
    locations A list of locations reported by the Agent false
        id Location ID false string
        name Location name false string
        scope Location scope false enum
    locationType Reported location type false enum
    machineType Machine type false enum
    missingPermissions A list of missing permissions. List items possible values: "user_action_needed_fda, user_action_needed_rs_fda, user_action_needed_fda_helper, user_action_needed_fda_sentineld, user_action_needed_bluetooth_per, user_action_needed_network, user_action_needed_notifications". false string []
    mitigationMode Agent mitigation mode policy false enum
    mitigationModeSuspicious Mitigation mode policy for suspicious activity false enum
    modelName Device model false string
    networkInterfaces Device's network interfaces false
        gatewayIp The default gateway ip false string
        gatewayMacAddress The default gateway mac address false string
        id Id false string
        inet IPv4 addresses false string []
        inet6 IPv6 addresses false string []
        name Name false string
        physical Interface's MAC address false string
    networkQuarantineEnabled Network quarantine enabled false boolean
    networkStatus Agent's network connectivity status false enum
    operationalState Agent operational state false string
    operationalStateExpiration Agent operational state expiration false string
    osArch Os arch false enum
    osName Os name false string
    osRevision Os revision false string
    osStartTime Last boot time false string
    osType OS type false enum
    osUsername Os username false string
    policyUpdatedAt Policy updated at false string
    proxyStates Proxy state information false
        console Connected to Management Console using a proxy false boolean
        deepVisibility Connected to Deep Visibility using a proxy false boolean
    rangerStatus Is Agent disabled as a Ranger false enum
    rangerVersion The version of Ranger false string
    registeredAt Time of first registration to management console (similar to createdAt) false string
    remoteProfilingState Agent remote profiling state false string
    remoteProfilingStateExpiration Agent remote profiling state expiration in seconds false string
    scanAbortedAt Abort time of last scan (If applicable) false string
    scanFinishedAt Finish time of last scan (If applicable) false string
    scanStartedAt Start time of last scan false string
    scanStatus Last scan status false enum
    serialNumber Serial Number of the endpoint false string
    showAlertIcon Show alert icon in agent view and details false boolean
    siteId A reference to the containing site false string
    siteName Name of the containing site false string
    storageName Storage Name false string
    storageType Storage Type false string
    tags Agent's attached tags false
        sentinelone SentinelOne tags section false
            assignedAt when tag assigned to the agent false string
            assignedBy full user name who assigned the tag to the agent false string
            assignedById user ID who assigned the tag to the agent false string
            id Tag ID false string
            key Tag key false string
            value Tag value false string
    threatRebootRequired Has at least one threat with at least one mitigation action that is pending reboot to succeed false boolean
    totalMemory Memory size (MB) false integer
    updatedAt Updated at false string
    userActionsNeeded A list of pending user actions. List items possible values: "none, user_action_needed, reboot_needed, upgrade_needed, incompatible_os, unprotected, rebootless_without_dynamic_detection, extended_exclusions_partially_accepted, reboot_required, pending_deprecation, ne_not_running, ne_cf_not_active". false string []
    uuid Agent's universally unique identifier false string

errors Errors false array
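
An added example (not part of the SentinelOne documentation) that walks the Get Agents result set with the "cursor" / "nextCursor" pair described above and encodes list, boolean and "tagsdata" filters the way the parameter table shows them. The tag keys, the sample agents, the `fake_console` helper and its offset-style cursor are constructed for illustration; `base_url` and the request headers, including authentication, are supplied by the caller.

```python
"""Walk GET /web/api/v2.1/agents page by page with cursor / nextCursor."""
import json
import urllib.parse
import urllib.request

AGENTS_PATH = "/web/api/v2.1/agents"

# Constructed sample records; the field names come from the response schema.
SAMPLE_AGENTS = [
    {"id": "1001", "computerName": "hr-laptop-01", "activeThreats": 2},
    {"id": "1002", "computerName": "build-srv-02", "activeThreats": 1},
    {"id": "1003", "computerName": "fin-desktop-07", "activeThreats": 4},
    {"id": "1004", "computerName": "ops-laptop-11", "activeThreats": 1},
    {"id": "1005", "computerName": "web-node-03", "activeThreats": 3},
]


def build_query(filters, limit=1000, cursor=None):
    """Encode filters as a query string, following the parameter table."""
    if not 1 <= limit <= 1000:  # documented range for "limit"
        raise ValueError("limit must be between 1 and 1000")
    params = {"limit": str(limit)}
    for name, value in filters.items():
        if isinstance(value, dict):             # tagsdata is a JSON object
            params[name] = json.dumps(value, separators=(",", ":"))
        elif isinstance(value, (list, tuple)):  # ID lists are comma separated
            params[name] = ",".join(str(v) for v in value)
        else:                                   # booleans become "True"/"False"
            params[name] = str(value)
    if cursor:
        params["cursor"] = cursor
    return urllib.parse.urlencode(params)


def iter_agents(fetch_page, filters, limit=1000):
    """Yield every matching agent, following pagination.nextCursor to the end."""
    cursor, seen = None, set()
    while True:
        body = fetch_page(build_query(filters, limit, cursor))
        if body.get("errors"):
            raise RuntimeError(f"API returned errors: {body['errors']}")
        yield from body.get("data") or []
        cursor = (body.get("pagination") or {}).get("nextCursor")
        if not cursor:       # null once the last page has been reached
            return
        if cursor in seen:   # a repeated cursor would otherwise loop forever
            raise RuntimeError("cursor repeated; aborting pagination")
        seen.add(cursor)


def http_fetcher(base_url, headers):
    """Real transport; base_url and headers (with auth) come from the caller."""
    def fetch_page(query):
        url = f"{base_url}{AGENTS_PATH}?{query}"
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch_page


def fake_console(agents, log):
    """Constructed offline stand-in: pages a list and records each query."""
    def fetch_page(query):
        q = dict(urllib.parse.parse_qsl(query))
        log.append(q)
        start = int(q.get("cursor", "0"))  # constructed cursor: a plain offset
        end = start + int(q["limit"])
        nxt = str(end) if end < len(agents) else None
        return {"pagination": {"totalItems": len(agents), "nextCursor": nxt},
                "data": agents[start:end]}
    return fetch_page


def infected_agents(fetch_page, site_ids, limit=2):
    """Return (id, computerName, activeThreats) for infected agents in sites."""
    filters = {
        "siteids": site_ids,
        "infected": True,
        # Hypothetical tag keys: tagged env=prod and not tagged owner=lab.
        "tagsdata": {"env": ["prod"], "owner__nin": ["lab"]},
    }
    return [(a["id"], a["computerName"], a["activeThreats"])
            for a in iter_agents(fetch_page, filters, limit=limit)]


if __name__ == "__main__":
    calls = []
    sites = ["225494730938493804", "225494730938493915"]
    for row in infected_agents(fake_console(SAMPLE_AGENTS, calls), sites):
        print(row)
    print(f"{len(calls)} requests sent")
```

Against a real console, pass `http_fetcher(base_url, headers)` in place of `fake_console(...)` and raise `limit` toward 1000 to cut the number of requests.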

Count Agents
GET /web/api/v2.1/agents/count

Get the count of Agents that match a filter. This command is useful to run before you run other commands. You will be able to manage Agent maintenance better if you
know how many Agents will get a command that takes time (such as Update Software).

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
activethreats optional Include Agents with this amount of active threats. Example: "3".
activethreats__gt optional Include Agents with at least this amount of active threats. Example: "5".
adcomputermember__contains optional Free-text filter by Active Directory computer groups string (supports multiple values). Example: "DC=sentinelone".
adcomputername__contains optional Free-text filter by Active Directory computer name string (supports multiple values). Example: "DC=sentinelone".
adcomputerquery__contains optional Free-text filter by Active Directory computer name or its groups (supports multiple values). Example: "DC=sentinelone,Windows".
adquery optional An Active Directory query string. Example: "CN=Managers,DC=sentinelone,DC=com".
adquery__contains optional Free-text filter by Active Directory string (supports multiple values). Example: "DC=sentinelone".
adusermember__contains optional Free-text filter by Active Directory user groups string (supports multiple values). Example: "DC=sentinelone".
adusername__contains optional Free-text filter by Active Directory username string (supports multiple values). Example: "DC=sentinelone".
aduserquery__contains optional Free-text filter by Active Directory computer name or its groups (supports multiple values). Example: "DC=sentinelone,John".
agentnamespace__contains optional Free-text filter by agent namespace (supports multiple values)
agentpodname__contains optional Free-text filter by agent pod name (supports multiple values)
agentversion__between optional Version range for agent version (format: <from_version>-<to_version>, inclusive). Example: "2.0.0.0-2.1.5.144".
agentversion__gt optional Agents versions greater than given version. Example: "2.5.1.1320".
agentversion__gte optional Agents versions greater than or equal to given version. Example: "2.5.1.1320".
agentversion__lt optional Agents versions less than given version. Example: "2.5.1.1320".
agentversion__lte optional Agents versions less than or equal to given version. Example: "2.5.1.1320".
agentversions optional Agent versions to include. Example: "2.0.0.0,2.1.5.144".
agentversionsnin optional Agent versions not to include. Example: "2.0.0.0,2.1.5.144".
appsvulnerabilitystatuses optional Apps vulnerability status in. Example: "patch_required".
appsvulnerabilitystatusesnin optional Apps vulnerability status nin. Example: "patch_required".
awsrole__contains optional Free-text filter by aws role (supports multiple values)
awssecuritygroups__contains optional Free-text filter by aws securityGroups (supports multiple values)
awssubnetids__contains optional Free-text filter by aws subnet ids (supports multiple values)
azureresourcegroup__contains optional Free-text filter by azure resource group (supports multiple values)
cloudaccount__contains optional Free-text filter by cloud account (supports multiple values)
cloudimage__contains optional Free-text filter by cloud image (supports multiple values)
cloudinstanceid__contains optional Free-text filter by cloud instance id (supports multiple values)
cloudinstancesize__contains optional Free-text filter by cloud instance size (supports multiple values)
cloudlocation__contains optional Free-text filter by cloud location (supports multiple values)
cloudnetwork__contains optional Free-text filter by cloud network (supports multiple values)
cloudprovider optional Agents from which cloud provider
cloudprovidernin optional Exclude Agents from these cloud providers
cloudtags__contains optional Free-text filter by cloud tags (supports multiple values)
879
clustername__contains optional Free-text filter by cluster name (supports multiple values)
computername optional Computer name. Example: "My Office Desktop".
computername__contains optional Free-text filter by computer name (supports multiple values). Example: "john-office,WIN".
computername__like optional Match computer name partially (substring). Example: "Lab1".
consolemigrationstatuses optional Migration status in. Example: "N/A".
consolemigrationstatusesnin optional Migration status nin. Example: "N/A".
corecount__between optional Possible number of CPU cores (inclusive). Example: "2-8".
corecount__gt optional CPU cores (more than)
corecount__gte optional CPU cores (more than or equal)
corecount__lt optional CPU cores (less than)
corecount__lte optional CPU cores (less than or equal)
cpucount__between optional Possible number of CPU cores (inclusive). Example: "2-8".
cpucount__gt optional Number of CPUs (more than)
cpucount__gte optional Number of CPUs (more than or equal)
cpucount__lt optional Number of CPUs (less than)
cpucount__lte optional Number of CPUs (less than or equal)
cpuid__contains optional Free-text filter by CPU name (supports multiple values). Example: "Intel,AMD".
createdat__between optional Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
createdat__gt optional Agents created after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__gte optional Agents created after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lt optional Agents created before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lte optional Agents created before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
csvfilterid optional The ID of the CSV file to filter by. Example: "225494730938493804".
decommissionedat__between optional Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
decommissionedat__gt optional Agents decommissioned after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
decommissionedat__gte optional Agents decommissioned after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
decommissionedat__lt optional Agents decommissioned before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
decommissionedat__lte optional Agents decommissioned before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
domains optional Included network domains. Example: "mybusiness.net,workgroup".
domainsnin optional Not included network domains. Example: "mybusiness.net,workgroup".
encryptedapplications optional Disk encryption status
externalid__contains optional Free-text filter by external ID (Customer ID). Example: "Tag#1 - monitoring,Performance machine".
externalip__contains optional Free-text filter by visible IP (supports multiple values). Example: "205,127.0".
filteredgroupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
filteredsiteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
filterid optional Include all Agents matching this saved filter. Example: "225494730938493804".
firewallenabled optional The Agent supports Firewall Control and it is enabled for the Agent's group
gatewayip optional Gateway IP. Example: "192.168.0.1".
gcpserviceaccount__contains optional Free-text filter by GCP service account (supports multiple values)
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
hascontainerizedworkload optional Include only Agents protecting containerized workloads
haslocalconfiguration optional Agent has a local configuration set
hastags optional Include only Agents that have any tags assigned if True, or none if False
ids optional A list of Agent IDs. Example: "225494730938493804,225494730938493915".
infected optional Include only Agents with at least one active threat
installertypes optional Include only Agents installed with these package types. Example: ".msi".
installertypesnin optional Exclude Agents installed with these package types. Example: ".msi".
isactive optional Include only active Agents
isdecommissioned optional Include active, decommissioned or both. Example: "True,False".
ispendinguninstall optional Include only Agents with pending uninstall requests
isuninstalled optional Include installed, uninstalled or both. Example: "True,False".
isuptodate optional Include only Agents with updated software
k8snodelabels__contains optional Free-text filter by K8s node labels (supports multiple values)
k8snodename__contains optional Free-text filter by K8s node name (supports multiple values)
k8stype__contains optional Free-text filter by K8s type (supports multiple values)
k8sversion__contains optional Free-text filter by K8s version (supports multiple values)
lastactivedate__between optional Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978764288-1514978999999".
lastactivedate__gt optional Agents last active after this time. Example: "2018-02-27T04:49:26.257525Z".
lastactivedate__gte optional Agents last active after or at this time. Example: "2018-02-27T04:49:26.257525Z".
lastactivedate__lt optional Agents last active before this time. Example: "2018-02-27T04:49:26.257525Z".
lastactivedate__lte optional Agents last active before or at this time. Example: "2018-02-27T04:49:26.257525Z".
lastloggedinusername__contains optional Free-text filter by username (supports multiple values). Example: "admin,johnd1".
lastsuccessfulscandate__between optional Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978764288-1514978999999".
lastsuccessfulscandate__gt optional Agents last successful full disk scan after this time. Example: "2018-02-27T04:49:26.257525Z".
lastsuccessfulscandate__gte optional Agents last successful full disk scan after or at this time. Example: "2018-02-27T04:49:26.257525Z".
lastsuccessfulscandate__lt optional Agents last successful full disk scan before this time. Example: "2018-02-27T04:49:26.257525Z".
lastsuccessfulscandate__lte optional Agents last successful full disk scan before or at this time. Example: "2018-02-27T04:49:26.257525Z".
liveupdateid__contains optional Free-text filter by live update ID (supports multiple values)
locationenabled optional The Agent supports Location Awareness and it is enabled for the Agent's group
locationids optional Include only Agents reporting these locations. Example: "225494730938493804,225494730938493915".
locationidsnin optional Do not include Agents reporting these locations. Example: "225494730938493804,225494730938493915".
machinetypes optional Included machine types. Example: "laptop,desktop".
machinetypesnin optional Not included machine types. Example: "laptop,desktop".
migrationstatus optional Migration status. Example: "N/A".
missingpermissions optional Included missing permissions. Example: "user_action_needed_bluetooth_per,user_action_needed_fda_helper".
missingpermissionsnin optional Excluded missing permissions. Example: "user_action_needed_bluetooth_per,user_action_needed_fda_helper".
mitigationmode optional Agent mitigation mode policy. Example: "detect".
mitigationmodesuspicious optional Mitigation mode policy for suspicious activity. Example: "detect".
networkinterfacegatewaymacaddress__contains optional Free-text filter by Gateway MAC address (supports multiple values). Example: "aa:0f,:41:".
networkinterfaceinet__contains optional Free-text filter by local IP (supports multiple values). Example: "192,10.0.0".
networkinterfacephysical__contains optional Free-text filter by MAC address (supports multiple values). Example: "aa:0f,:41:".
networkquarantineenabled optional The Agent supports Network Quarantine Control and it is enabled for the Agent's group
networkstatuses optional Included network statuses. Example: "connected,connecting".
networkstatusesnin optional Included network statuses. Example: "connected,connecting".
operationalstates optional Agent operational state
operationalstatesnin optional Do not include these Agent operational states
osarch optional OS architecture. Example: "32 bit".
ostypes optional Included OS types. Example: "macos".
ostypesnin optional Not included OS types. Example: "macos".
osversion__contains optional Free-text filter by OS full name and version (supports multiple values). Example: "Service Pack 1".
query optional A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). Example: "Linux".
rangerstatus optional [DEPRECATED] Use rangerStatuses. Example: "NotApplicable".
rangerstatuses optional Status of Ranger. Example: "NotApplicable".
rangerstatusesnin optional Do not include these Ranger Statuses. Example: "NotApplicable".
rangerversions optional Ranger versions to include. Example: "2.0.0.0,2.1.5.144".
rangerversionsnin optional Ranger versions not to include. Example: "2.0.0.0,2.1.5.144".
registeredat__between optional Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978764288-1514978999999".
registeredat__gt optional Agents registered after this time. Example: "2018-02-27T04:49:26.257525Z".
registeredat__gte optional Agents registered after or at this time. Example: "2018-02-27T04:49:26.257525Z".
registeredat__lt optional Agents registered before this time. Example: "2018-02-27T04:49:26.257525Z".
registeredat__lte optional Agents registered before or at this time. Example: "2018-02-27T04:49:26.257525Z".
remoteopsforensicssupported optional Include only Agents that have the Remote Ops Forensics feature supported
remoteprofilingstates optional Agent remote profiling state
remoteprofilingstatesnin optional Do not include these Agent remote profiling states
rsolevel optional Supported Remote Script Orchestration level. Example: "none".
scanstatus optional Scan status. Example: "none".
scanstatuses optional Included scan statuses. Example: "started,aborted".
scanstatusesnin optional Not included scan statuses. Example: "started,aborted".
serialnumber__contains optional Free-text filter by Serial Number (supports multiple values)
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
tagsdata optional Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. Example: "{"key1": ["value1_1", "value1_2"], "key2__nin": ["value2"]}".
threatcontenthash optional Include only Agents that have at least one threat with this content hash. Example: "cf23df2207d99a74fbe169e3eba035e633b65d94".
threatcreatedat__between optional Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978764288-1514978999999".
threatcreatedat__gt optional Agents with threats reported after this time. Example: "2018-02-27T04:49:26.257525Z".
threatcreatedat__gte optional Agents with threats reported after or at this time. Example: "2018-02-27T04:49:26.257525Z".
threatcreatedat__lt optional Agents with threats reported before this time. Example: "2018-02-27T04:49:26.257525Z".
threatcreatedat__lte optional Agents with threats reported before or at this time. Example: "2018-02-27T04:49:26.257525Z".
threathidden optional Include only Agents with at least one hidden threat
threatmitigationstatus optional Include only Agents that have threats with this mitigation status. Example: "mitigated".
threatrebootrequired optional Has at least one threat with at least one mitigation action pending reboot to succeed
threatresolved optional Include only Agents with at least one resolved threat
totalmemory__between optional Total memory range (GB, inclusive). Example: "4-8".
totalmemory__gt optional Memory size (MB, more than)
totalmemory__gte optional Memory size (MB, more than or equal)
totalmemory__lt optional Memory size (MB, less than)
totalmemory__lte optional Memory size (MB, less than or equal)
updatedat__between optional Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
updatedat__gt optional Agents updated after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
updatedat__gte optional Agents updated after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
updatedat__lt optional Agents updated before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
updatedat__lte optional Agents updated before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
useractionsneeded optional Included pending user actions. Example: "reboot_needed,upgrade_needed".
useractionsneedednin optional Excluded pending user actions. Example: "reboot_needed,upgrade_needed".
uuid optional Agent's universally unique identifier. Example: "ff819e70af13be381993075eb0ce5f2f6de05be2".
uuid__contains optional Free-text filter by Agent UUID (supports multiple values). Example: "e92-01928,b055".
uuids optional A list of included UUIDs. Example: "ff819e70af13be381993075eb0ce5f2f6de05b11,ff819e70af13be381993075eb0ce5f2f6de05c22".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false Nested fields:
    Name Description Required Value
    total Number of Agents matching the input filter false integer
errors Errors false array

Get Passphrase
GET /web/api/v2.1/agents/passphrases

Show the passphrase for the Agents that match the filter. This is an important command. You need the passphrase for most SentinelCtl commands and for different API
commands.

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
activethreats optional Include Agents with this amount of active threats. Example: "3".
activethreats__gt optional Include Agents with at least this amount of active threats. Example: "5".
adcomputermember__contains optional Free-text filter by Active Directory computer groups string (supports multiple values). Example: "DC=sentinelone".
adcomputername__contains optional Free-text filter by Active Directory computer name string (supports multiple values). Example: "DC=sentinelone".
adcomputerquery__contains optional Free-text filter by Active Directory computer name or its groups (supports multiple values). Example: "DC=sentinelone,Windows".
adquery optional An Active Directory query string. Example: "CN=Managers,DC=sentinelone,DC=com".
adquery__contains optional Free-text filter by Active Directory string (supports multiple values). Example: "DC=sentinelone".
adusermember__contains optional Free-text filter by Active Directory user groups string (supports multiple values). Example: "DC=sentinelone".
adusername__contains optional Free-text filter by Active Directory username string (supports multiple values). Example: "DC=sentinelone".
aduserquery__contains optional Free-text filter by Active Directory computer name or its groups (supports multiple values). Example: "DC=sentinelone,John".
agentnamespace__contains optional Free-text filter by agent namespace (supports multiple values)
agentpodname__contains optional Free-text filter by agent pod name (supports multiple values)
agentversion__between optional Version range for agent version (format: <from_version>-<to_version>, inclusive). Example: "2.0.0.0-2.1.5.144".
agentversion__gt optional Agent versions greater than the given version. Example: "2.5.1.1320".
agentversion__gte optional Agent versions greater than or equal to the given version. Example: "2.5.1.1320".
agentversion__lt optional Agent versions less than the given version. Example: "2.5.1.1320".
agentversion__lte optional Agent versions less than or equal to the given version. Example: "2.5.1.1320".
agentversions optional Agent versions to include. Example: "2.0.0.0,2.1.5.144".
agentversionsnin optional Agent versions not to include. Example: "2.0.0.0,2.1.5.144".
appsvulnerabilitystatuses optional Apps vulnerability status in. Example: "patch_required".
appsvulnerabilitystatusesnin optional Apps vulnerability status nin. Example: "patch_required".
awsrole__contains optional Free-text filter by AWS role (supports multiple values)
awssecuritygroups__contains optional Free-text filter by AWS securityGroups (supports multiple values)
awssubnetids__contains optional Free-text filter by AWS subnet IDs (supports multiple values)
azureresourcegroup__contains optional Free-text filter by Azure resource group (supports multiple values)
cloudaccount__contains optional Free-text filter by cloud account (supports multiple values)
cloudimage__contains optional Free-text filter by cloud image (supports multiple values)
cloudinstanceid__contains optional Free-text filter by cloud instance ID (supports multiple values)
cloudinstancesize__contains optional Free-text filter by cloud instance size (supports multiple values)
cloudlocation__contains optional Free-text filter by cloud location (supports multiple values)
cloudnetwork__contains optional Free-text filter by cloud network (supports multiple values)
cloudprovider optional Agents from which cloud provider
cloudprovidernin optional Exclude Agents from these cloud providers
cloudtags__contains optional Free-text filter by cloud tags (supports multiple values)
clustername__contains optional Free-text filter by cluster name (supports multiple values)
computername optional Computer name. Example: "My Office Desktop".
computername__contains optional Free-text filter by computer name (supports multiple values). Example: "john-office,WIN".
computername__like optional Match computer name partially (substring). Example: "Lab1".
consolemigrationstatuses optional Migration status in. Example: "N/A".
consolemigrationstatusesnin optional Migration status nin. Example: "N/A".
corecount__between optional Possible number of CPU cores (inclusive). Example: "2-8".
corecount__gt optional CPU cores (more than)
corecount__gte optional CPU cores (more than or equal)
corecount__lt optional CPU cores (less than)
corecount__lte optional CPU cores (less than or equal)
countonly optional If true, only total number of items will be returned, without any of the actual objects.
cpucount__between optional Possible number of CPU cores (inclusive). Example: "2-8".
cpucount__gt optional Number of CPUs (more than)
cpucount__gte optional Number of CPUs (more than or equal)
cpucount__lt optional Number of CPUs (less than)
cpucount__lte optional Number of CPUs (less than or equal)
cpuid__contains optional Free-text filter by CPU name (supports multiple values). Example: "Intel,AMD".
createdat__between optional Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
createdat__gt optional Agents created after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__gte optional Agents created after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lt optional Agents created before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lte optional Agents created before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
csvfilterid optional The ID of the CSV file to filter by. Example: "225494730938493804".
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
decommissionedat__between optional Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
decommissionedat__gt optional Agents decommissioned after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
decommissionedat__gte optional Agents decommissioned after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
decommissionedat__lt optional Agents decommissioned before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
decommissionedat__lte optional Agents decommissioned before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
domains optional Included network domains. Example: "mybusiness.net,workgroup".
domainsnin optional Not included network domains. Example: "mybusiness.net,workgroup".
encryptedapplications optional Disk encryption status
externalid__contains optional Free-text filter by external ID (Customer ID). Example: "Tag#1 - monitoring,Performance machine".
externalip__contains optional Free-text filter by visible IP (supports multiple values). Example: "205,127.0".
filteredgroupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
filteredsiteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
filterid optional Include all Agents matching this saved filter. Example: "225494730938493804".
firewallenabled optional The Agent supports Firewall Control and it is enabled for the Agent's group
gatewayip optional Gateway IP. Example: "192.168.0.1".
gcpserviceaccount__contains optional Free-text filter by GCP service account (supports multiple values)
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
hascontainerizedworkload optional Include only Agents protecting containerized workloads
haslocalconfiguration optional Agent has a local configuration set
hastags optional Include only Agents that have any tags assigned if True, or none if False
ids optional A list of Agent IDs. Example: "225494730938493804,225494730938493915".
infected optional Include only Agents with at least one active threat
installertypes optional Include only Agents installed with these package types. Example: ".msi".
installertypesnin optional Exclude Agents installed with these package types. Example: ".msi".
isactive optional Include only active Agents
isdecommissioned optional Include active, decommissioned or both. Example: "True,False".
ispendinguninstall optional Include only Agents with pending uninstall requests
isuninstalled optional Include installed, uninstalled or both. Example: "True,False".
isuptodate optional Include only Agents with updated software
k8snodelabels__contains optional Free-text filter by K8s node labels (supports multiple values)
k8snodename__contains optional Free-text filter by K8s node name (supports multiple values)
k8stype__contains optional Free-text filter by K8s type (supports multiple values)
k8sversion__contains optional Free-text filter by K8s version (supports multiple values)
lastactivedate__between optional Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978764288-1514978999999".
lastactivedate__gt optional Agents last active after this time. Example: "2018-02-27T04:49:26.257525Z".
lastactivedate__gte optional Agents last active after or at this time. Example: "2018-02-27T04:49:26.257525Z".
lastactivedate__lt optional Agents last active before this time. Example: "2018-02-27T04:49:26.257525Z".
lastactivedate__lte optional Agents last active before or at this time. Example: "2018-02-27T04:49:26.257525Z".
lastloggedinusername__contains optional Free-text filter by username (supports multiple values). Example: "admin,johnd1".
lastsuccessfulscandate__between optional Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978764288-1514978999999".
lastsuccessfulscandate__gt optional Agents last successful full disk scan after this time. Example: "2018-02-27T04:49:26.257525Z".
lastsuccessfulscandate__gte optional Agents last successful full disk scan after or at this time. Example: "2018-02-27T04:49:26.257525Z".
lastsuccessfulscandate__lt optional Agents last successful full disk scan before this time. Example: "2018-02-27T04:49:26.257525Z".
lastsuccessfulscandate__lte optional Agents last successful full disk scan before or at this time. Example: "2018-02-27T04:49:26.257525Z".
limit optional Limit number of returned items (1-1000). Example: "10".
liveupdateid__contains optional Free-text filter by live update ID (supports multiple values)
locationenabled optional The Agent supports Location Awareness and it is enabled for the Agent's group
locationids optional Include only Agents reporting these locations. Example: "225494730938493804,225494730938493915".
locationidsnin optional Do not include Agents reporting these locations. Example: "225494730938493804,225494730938493915".
machinetypes optional Included machine types. Example: "laptop,desktop".
machinetypesnin optional Not included machine types. Example: "laptop,desktop".
migrationstatus optional Migration status. Example: "N/A".
missingpermissions optional Included missing permissions. Example: "user_action_needed_bluetooth_per,user_action_needed_fda_helper".
missingpermissionsnin optional Excluded missing permissions. Example: "user_action_needed_bluetooth_per,user_action_needed_fda_helper".
mitigationmode optional Agent mitigation mode policy. Example: "detect".
mitigationmodesuspicious optional Mitigation mode policy for suspicious activity. Example: "detect".
networkinterfacegatewaymacaddress__contains optional Free-text filter by Gateway MAC address (supports multiple values). Example: "aa:0f,:41:".
networkinterfaceinet__contains optional Free-text filter by local IP (supports multiple values). Example: "192,10.0.0".
networkinterfacephysical__contains optional Free-text filter by MAC address (supports multiple values). Example: "aa:0f,:41:".
networkquarantineenabled optional The Agent supports Network Quarantine Control and it is enabled for the Agent's group
networkstatuses optional Included network statuses. Example: "connected,connecting".
networkstatusesnin optional Included network statuses. Example: "connected,connecting".
operationalstates optional Agent operational state
operationalstatesnin optional Do not include these Agent operational states
osarch optional OS architecture. Example: "32 bit".
ostypes optional Included OS types. Example: "macos".
ostypesnin optional Not included OS types. Example: "macos".
osversion__contains optional Free-text filter by OS full name and version (supports multiple values). Example: "Service Pack 1".
query optional A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). Example: "Linux".
rangerstatus optional [DEPRECATED] Use rangerStatuses. Example: "NotApplicable".
rangerstatuses optional Status of Ranger. Example: "NotApplicable".
rangerstatusesnin optional Do not include these Ranger Statuses. Example: "NotApplicable".
rangerversions optional Ranger versions to include. Example: "2.0.0.0,2.1.5.144".
rangerversionsnin optional Ranger versions not to include. Example: "2.0.0.0,2.1.5.144".
registeredat__between optional Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978764288-1514978999999".
registeredat__gt optional Agents registered after this time. Example: "2018-02-27T04:49:26.257525Z".
registeredat__gte optional Agents registered after or at this time. Example: "2018-02-27T04:49:26.257525Z".
registeredat__lt optional Agents registered before this time. Example: "2018-02-27T04:49:26.257525Z".
registeredat__lte optional Agents registered before or at this time. Example: "2018-02-27T04:49:26.257525Z".
remoteopsforensicssupported optional Include only Agents that have the Remote Ops Forensics feature supported
remoteprofilingstates optional Agent remote profiling state
remoteprofilingstatesnin optional Do not include these Agent remote profiling states
rsolevel optional Supported Remote Script Orchestration level. Example: "none".
scanstatus optional Scan status. Example: "none".
scanstatuses optional Included scan statuses. Example: "started,aborted".
scanstatusesnin optional Not included scan statuses. Example: "started,aborted".
serialnumber__contains optional Free-text filter by Serial Number (supports multiple values)
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
tagsdata optional Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. Example: "{"key1": ["value1_1", "value1_2"], "key2__nin": ["value2"]}".
threatcontenthash optional Include only Agents that have at least one threat with this content hash. Example: "cf23df2207d99a74fbe169e3eba035e633b65d94".
threatcreatedat__between optional Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978764288-1514978999999".
threatcreatedat__gt optional Agents with threats reported after this time. Example: "2018-02-27T04:49:26.257525Z".
threatcreatedat__gte optional Agents with threats reported after or at this time. Example: "2018-02-27T04:49:26.257525Z".
threatcreatedat__lt optional Agents with threats reported before this time. Example: "2018-02-27T04:49:26.257525Z".
threatcreatedat__lte optional Agents with threats reported before or at this time. Example: "2018-02-27T04:49:26.257525Z".
threathidden optional Include only Agents with at least one hidden threat
threatmitigationstatus optional Include only Agents that have threats with this mitigation status. Example: "mitigated".
threatrebootrequired optional Has at least one threat with at least one mitigation action pending reboot to succeed
threatresolved optional Include only Agents with at least one resolved threat
totalmemory__between optional Total memory range (GB, inclusive). Example: "4-8".
totalmemory__gt optional Memory size (MB, more than)
totalmemory__gte optional Memory size (MB, more than or equal)
totalmemory__lt optional Memory size (MB, less than)
totalmemory__lte optional Memory size (MB, less than or equal)
updatedat__between optional Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
updatedat__gt optional Agents updated after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
updatedat__gte optional Agents updated after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
updatedat__lt optional Agents updated before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
updatedat__lte optional Agents updated before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
useractionsneeded optional Included pending user actions. Example: "reboot_needed,upgrade_needed".
useractionsneedednin optional Excluded pending user actions. Example: "reboot_needed,upgrade_needed".
uuid optional Agent's universally unique identifier. Example: "ff819e70af13be381993075eb0ce5f2f6de05be2".
uuid__contains optional Free-text filter by Agent UUID (supports multiple values). Example: "e92-01928,b055".
uuids optional A list of included UUIDs. Example: "ff819e70af13be381993075eb0ce5f2f6de05b11,ff819e70af13be381993075eb0ce5f2f6de05c22".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
pagination Pagination information true Nested fields:
    Name Description Required Value
    totalItems Total number of items found matching your query true integer
    nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false Nested fields:
    Name Description Required Value
    computerName Computer name false string
    domain Network domain false string
    id Agent ID false string
    lastLoggedInUserName Last logged in user name false string
    passphrase Generated passphrase for the agent false string
    uuid Agent's universally unique identifier false string
errors Errors false array
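
Added example (not part of the SentinelOne documentation): a Python client loop for Get Passphrase that pages with the "limit" and "cursor" parameters, follows pagination.nextCursor until it is null, and masks the passphrase field before anything is logged. The transport callable, the helper names, the "Authorization: ApiToken" header and the sample rows are assumptions or constructed values, not taken from this page.

```python
"""Added example: cursor pagination over GET /web/api/v2.1/agents/passphrases."""
import json
import urllib.error
import urllib.parse
import urllib.request

PASSPHRASES_PATH = "/web/api/v2.1/agents/passphrases"
# Status texts copied from the Response Messages list of this endpoint.
STATUS_TEXT = {
    400: "Invalid user input received",
    401: "Unauthorized access",
    403: "Insufficient permissions",
}


class ApiError(Exception):
    """Raised for any non-200 answer; never carries passphrase data."""

    def __init__(self, status, errors=None):
        self.status = status
        self.errors = errors or []
        super().__init__(f"{status} - {STATUS_TEXT.get(status, 'unexpected status')}")


def http_transport(base_url, api_token):
    """Build send(path, params) -> (status, body) on top of urllib.

    Assumption: the console accepts the token as 'Authorization: ApiToken <token>';
    confirm this against the authentication section for your console version.
    """
    def send(path, params):
        url = base_url.rstrip("/") + path + "?" + urllib.parse.urlencode(params)
        request = urllib.request.Request(url, headers={"Authorization": "ApiToken " + api_token})
        try:
            with urllib.request.urlopen(request, timeout=30) as response:
                return response.status, json.load(response)
        except urllib.error.HTTPError as err:
            try:
                return err.code, json.load(err)
            except ValueError:  # error body was not JSON
                return err.code, {}
    return send


def iter_passphrases(send, filters, page_size=1000):
    """Yield every row matching `filters`, following pagination.nextCursor."""
    if not 1 <= page_size <= 1000:
        raise ValueError("limit must be within 1-1000")
    params = dict(filters, limit=page_size)
    seen = set()
    while True:
        status, body = send(PASSPHRASES_PATH, params)
        if status != 200:
            raise ApiError(status, body.get("errors"))
        yield from body.get("data") or []
        cursor = (body.get("pagination") or {}).get("nextCursor")
        if not cursor:      # JSON null once the last page is reached
            return
        if cursor in seen:  # defensive: never loop on a repeated cursor
            raise RuntimeError("server returned the same cursor twice")
        seen.add(cursor)
        params = dict(filters, limit=page_size, cursor=cursor)


def redact(row):
    """Copy of a row that is safe to log: the passphrase value is masked."""
    return {k: ("<redacted>" if k == "passphrase" else v) for k, v in row.items()}


# Constructed sample rows; the field names come from the Response Schema above.
SAMPLE_ROWS = [
    {"id": "1001", "computerName": "LAB-01", "domain": "workgroup",
     "lastLoggedInUserName": "admin", "passphrase": "CONSTRUCTED SAMPLE ONE", "uuid": "u-1001"},
    {"id": "1002", "computerName": "LAB-02", "domain": "workgroup",
     "lastLoggedInUserName": "johnd1", "passphrase": "CONSTRUCTED SAMPLE TWO", "uuid": "u-1002"},
    {"id": "1003", "computerName": "LAB-03", "domain": "mybusiness.net",
     "lastLoggedInUserName": "admin", "passphrase": "CONSTRUCTED SAMPLE THREE", "uuid": "u-1003"},
]


def fake_transport(rows):
    """Constructed stand-in for the console: serves `rows` in pages of `limit`."""
    calls = []

    def send(path, params):
        calls.append(dict(params))
        start = int(params["cursor"].split("-")[1]) if "cursor" in params else 0
        end = start + params["limit"]
        next_cursor = f"offset-{end}" if end < len(rows) else None
        return 200, {"pagination": {"totalItems": len(rows), "nextCursor": next_cursor},
                     "data": rows[start:end], "errors": []}
    return send, calls


if __name__ == "__main__":
    demo_send, _ = fake_transport(SAMPLE_ROWS)
    for agent in iter_passphrases(demo_send, {"siteids": "225494730938493804"}, page_size=2):
        print(redact(agent))
```

Against a real console, pass `http_transport(base_url, api_token)` as `send`, and keep the returned passphrases out of logs and tickets, since they unlock SentinelCtl commands on the Agent.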

Export Agent Logs
GET /web/api/v2.1/agents/{agent_id}/uploads/{activity_id}

Get Agent logs from Agents that match the filter. You can filter by Agent ID (run "agents" to get the ID) or by Activity ID (run "activities/types" to get the Activity ID). Send
the logs to SentinelOne Support for assistance.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

404 - Agent or activity not found

Applications
GET /web/api/v2.1/agents/applications

Get the installed applications for a specific Agent.


To get the Agent ID, run "agents".

Parameters
ids required Agent ID list. Example:
"225494730938493804,225494730938493915".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema

Name Description Required Value
data Response data false
    Name Description Required Value
    installedDate Installed date false string
    name Name false string
    publisher Publisher false string
    size Size false integer
    version Version false string
errors Errors false array

Processes
GET /web/api/v2.1/agents/processes

[OBSOLETE] Returns empty array. To get processes of an Agent, see Applications.

Parameters
ids required Agent ID list. Example:
"225494730938493804,225494730938493915".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    cpuUsage CPU Usage (%) false integer
    executablePath Executable path false string
    memoryUsage Memory usage (MB) false integer
    pid Process ID false integer
    processName Process name false string
    startTime Start time false string
errors Errors false array

Get local upgrade agent authorization
GET /web/api/v2.1/agents/{agent_id}/local-upgrade-authorization

Get the time when authorization of local upgrades expires

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    agentAuthorization Agent authorization false string
    siteAuthorization Site authorization false string
errors Errors false array

Export Agents
GET /web/api/v2.1/export/agents

Export Agent data to a CSV, for Agents that match the filter. This command exports up to 50000 items (each datum is an item).

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
activethreats optional Include Agents with this amount of active threats. Example: "3".
activethreats__gt optional Include Agents with at least this amount of active threats. Example:
"5".
adcomputermember__contains optional Free-text filter by Active Directory computer groups string (supports
multiple values). Example: "DC=sentinelone".
adcomputername__contains optional Free-text filter by Active Directory computer name string (supports
multiple values). Example: "DC=sentinelone".
adcomputerquery__contains optional Free-text filter by Active Directory computer name or its groups
(supports multiple values). Example: "DC=sentinelone,Windows".
adquery optional An Active Directory query string. Example:
"CN=Managers,DC=sentinelone,DC=com".
adquery__contains optional Free-text filter by Active Directory string (supports multiple values).
Example: "DC=sentinelone".
adusermember__contains optional Free-text filter by Active Directory user groups string (supports
multiple values). Example: "DC=sentinelone".
adusername__contains optional Free-text filter by Active Directory username string (supports
multiple values). Example: "DC=sentinelone".
aduserquery__contains optional Free-text filter by Active Directory computer name or its groups
(supports multiple values). Example: "DC=sentinelone,John".
agentnamespace__contains optional Free-text filter by agent namespace (supports multiple values)
agentpodname__contains optional Free-text filter by agent pod name (supports multiple values)
agentversion__between optional Version range for agent version (format: <from_version>-<to_version>,
inclusive). Example: "2.0.0.0-2.1.5.144".

agentversion__gt optional Agents versions greater than given version. Example: "2.5.1.1320".
agentversion__gte optional Agents versions greater than or equal to given version. Example:
"2.5.1.1320".
agentversion__lt optional Agents versions less than given version. Example: "2.5.1.1320".
agentversion__lte optional Agents versions less than or equal to given version. Example:
"2.5.1.1320".
agentversions optional Agent versions to include. Example: "2.0.0.0,2.1.5.144".
agentversionsnin optional Agent versions not to include. Example: "2.0.0.0,2.1.5.144".
appsvulnerabilitystatuses optional Apps vulnerability status in. Example: "patch_required".
appsvulnerabilitystatusesnin optional Apps vulnerability status nin. Example: "patch_required".
awsrole__contains optional Free-text filter by aws role (supports multiple values)
awssecuritygroups__contains optional Free-text filter by aws securityGroups (supports multiple values)
awssubnetids__contains optional Free-text filter by aws subnet ids (supports multiple values)
azureresourcegroup__contains optional Free-text filter by azure resource group (supports multiple values)
cloudaccount__contains optional Free-text filter by cloud account (supports multiple values)
cloudimage__contains optional Free-text filter by cloud image (supports multiple values)
cloudinstanceid__contains optional Free-text filter by cloud instance id (supports multiple values)
cloudinstancesize__contains optional Free-text filter by cloud instance size (supports multiple values)
cloudlocation__contains optional Free-text filter by cloud location (supports multiple values)
cloudnetwork__contains optional Free-text filter by cloud network (supports multiple values)
cloudprovider optional Agents from which cloud provider
cloudprovidernin optional Exclude Agents from these cloud providers
cloudtags__contains optional Free-text filter by cloud tags (supports multiple values)

clustername__contains optional Free-text filter by cluster name (supports multiple values)
computername optional Computer name. Example: "My Office Desktop".
computername__contains optional Free-text filter by computer name (supports multiple values).
Example: "john-office,WIN".
computername__like optional Match computer name partially (substring). Example: "Lab1".
consolemigrationstatuses optional Migration status in. Example: "N/A".
consolemigrationstatusesnin optional Migration status nin. Example: "N/A".
corecount__between optional Possible number of CPU cores (inclusive). Example: "2-8".
corecount__gt optional CPU cores (more than)
corecount__gte optional CPU cores (more than or equal)
corecount__lt optional CPU cores (less than)
corecount__lte optional CPU cores (less than or equal)
cpucount__between optional Possible number of CPU cores (inclusive). Example: "2-8".
cpucount__gt optional Number of CPUs (more than)
cpucount__gte optional Number of CPUs (more than or equal)
cpucount__lt optional Number of CPUs (less than)
cpucount__lte optional Number of CPUs (less than or equal)
cpuid__contains optional Free-text filter by CPU name (supports multiple values). Example:
"Intel,AMD".
createdat__between optional Date range for creation time (format: <from_timestamp>-<to_timestamp>,
inclusive). Example: "1514978890136-1514978650130".
createdat__gt optional Agents created after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__gte optional Agents created after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lt optional Agents created before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lte optional Agents created before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
csvfilterid optional The ID of the CSV file to filter by. Example:
"225494730938493804".
decommissionedat__between optional Date range for decommission time (format: <from_timestamp>-<to_timestamp>,
inclusive). Example: "1514978890136-1514978650130".
decommissionedat__gt optional Agents decommissioned after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
decommissionedat__gte optional Agents decommissioned after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
decommissionedat__lt optional Agents decommissioned before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
decommissionedat__lte optional Agents decommissioned before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
domains optional Included network domains. Example: "mybusiness.net,workgroup".
domainsnin optional Not included network domains. Example:
"mybusiness.net,workgroup".
encryptedapplications optional Disk encryption status
externalid__contains optional Free-text filter by external ID (Customer ID). Example: "Tag#1 -
monitoring,Performance machine".
externalip__contains optional Free-text filter by visible IP (supports multiple values). Example:
"205,127.0".
filteredgroupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
filteredsiteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
filterid optional Include all Agents matching this saved filter. Example:
"225494730938493804".
firewallenabled optional The Agent supports Firewall Control and it is enabled for the
Agent's group
gatewayip optional Gateway ip. Example: "192.168.0.1".
gcpserviceaccount__contains optional Free-text filter by gcp service account (supports multiple values)
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
hascontainerizedworkload optional Include only Agents protecting containerized workloads
haslocalconfiguration optional Agent has a local configuration set
hastags optional Include only Agents that have any tags assigned if True, or none if
False
ids optional A list of Agent IDs. Example:
"225494730938493804,225494730938493915".
infected optional Include only Agents with at least one active threat
installertypes optional Include only Agents installed with these package types. Example:
".msi".
installertypesnin optional Exclude Agents installed with these package types. Example: ".msi".
isactive optional Include only active Agents
isdecommissioned optional Include active, decommissioned or both. Example: "True,False".
ispendinguninstall optional Include only Agents with pending uninstall requests
isuninstalled optional Include installed, uninstalled or both. Example: "True,False".
isuptodate optional Include only Agents with updated software
k8snodelabels__contains optional Free-text filter by K8s node labels (supports multiple values)
k8snodename__contains optional Free-text filter by K8s node name (supports multiple values)
k8stype__contains optional Free-text filter by K8s type (supports multiple values)
k8sversion__contains optional Free-text filter by K8s version (supports multiple values)
lastactivedate__between optional Date range for last active date (format: <from_timestamp>-<to_timestamp>,
inclusive). Example: "1514978764288-1514978999999".
lastactivedate__gt optional Agents last active after this time. Example:
"2018-02-27T04:49:26.257525Z".
lastactivedate__gte optional Agents last active after or at this time. Example:
"2018-02-27T04:49:26.257525Z".
lastactivedate__lt optional Agents last active before this time. Example:
"2018-02-27T04:49:26.257525Z".
lastactivedate__lte optional Agents last active before or at this time. Example:
"2018-02-27T04:49:26.257525Z".
lastloggedinusername__contains optional Free-text filter by username (supports multiple values). Example:
"admin,johnd1".
lastsuccessfulscandate__between optional Date range for last successful full disk scan (format:
<from_timestamp>-<to_timestamp>, inclusive). Example: "1514978764288-1514978999999".
lastsuccessfulscandate__gt optional Agents last successful full disk scan after this time. Example:
"2018-02-27T04:49:26.257525Z".
lastsuccessfulscandate__gte optional Agents last successful full disk scan after or at this time. Example:
"2018-02-27T04:49:26.257525Z".
lastsuccessfulscandate__lt optional Agents last successful full disk scan before this time. Example:
"2018-02-27T04:49:26.257525Z".
lastsuccessfulscandate__lte optional Agents last successful full disk scan before or at this time. Example:
"2018-02-27T04:49:26.257525Z".
liveupdateid__contains optional Free-text filter by live update ID (supports multiple values)
locationenabled optional The Agent supports Location Awareness and it is enabled for the
Agent's group
locationids optional Include only Agents reporting these locations. Example:
"225494730938493804,225494730938493915".
locationidsnin optional Do not include Agents reporting these locations. Example:
"225494730938493804,225494730938493915".
machinetypes optional Included machine types. Example: "laptop,desktop".
machinetypesnin optional Not included machine types. Example: "laptop,desktop".
migrationstatus optional Migration status. Example: "N/A".
missingpermissions optional Included missing permissions. Example:
"user_action_needed_bluetooth_per,user_action_needed_fda_helper".
missingpermissionsnin optional Excluded missing permissions. Example:
"user_action_needed_bluetooth_per,user_action_needed_fda_helper".
mitigationmode optional Agent mitigation mode policy. Example: "detect".
mitigationmodesuspicious optional Mitigation mode policy for suspicious activity. Example: "detect".
networkinterfacegatewaymacaddress__contains optional Free-text filter by Gateway MAC address (supports multiple values).
Example: "aa:0f,:41:".

networkinterfaceinet__contains optional Free-text filter by local IP (supports multiple values). Example:
"192,10.0.0".
networkinterfacephysical__contains optional Free-text filter by MAC address (supports multiple values). Example:
"aa:0f,:41:".
networkquarantineenabled optional The Agent supports Network Quarantine Control and it is enabled
for the Agent's group
networkstatuses optional Included network statuses. Example: "connected,connecting".
networkstatusesnin optional Included network statuses. Example: "connected,connecting".
operationalstates optional Agent operational state
operationalstatesnin optional Do not include these Agent operational states
osarch optional OS architecture. Example: "32 bit".
ostypes optional Included OS types. Example: "macos".
ostypesnin optional Not included OS types. Example: "macos".
osversion__contains optional Free-text filter by OS full name and version (supports multiple
values). Example: "Service Pack 1".
query optional A free-text search term, will match applicable attributes (sub-string
match). Note: Device's physical addresses will be matched if they
start with the search term only (no match if they contain the term).
Example: "Linux".
rangerstatus optional [DEPRECATED] Use rangerStatuses. Example: "NotApplicable".
rangerstatuses optional Status of Ranger. Example: "NotApplicable".
rangerstatusesnin optional Do not include these Ranger Statuses. Example: "NotApplicable".
rangerversions optional Ranger versions to include. Example: "2.0.0.0,2.1.5.144".
rangerversionsnin optional Ranger versions not to include. Example: "2.0.0.0,2.1.5.144".
registeredat__between optional Date range for first registration time (format: <from_timestamp>-<to_timestamp>,
inclusive). Example: "1514978764288-1514978999999".
registeredat__gt optional Agents registered after this time. Example:
"2018-02-27T04:49:26.257525Z".
registeredat__gte optional Agents registered after or at this time. Example:
"2018-02-27T04:49:26.257525Z".
registeredat__lt optional Agents registered before this time. Example:
"2018-02-27T04:49:26.257525Z".

registeredat__lte optional Agents registered before or at this time. Example:
"2018-02-27T04:49:26.257525Z".
remoteopsforensicssupported optional Include only Agents that have the Remote Ops Forensics feature
supported
remoteprofilingstates optional Agent remote profiling state
remoteprofilingstatesnin optional Do not include these Agent remote profiling states
rsolevel optional Supported Remote Script Orchestration level. Example: "none".
scanstatus optional Scan status. Example: "none".
scanstatuses optional Included scan statuses. Example: "started,aborted".
scanstatusesnin optional Not included scan statuses. Example: "started,aborted".
serialnumber__contains optional Free-text filter by Serial Number (supports multiple values)
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
tagsdata optional Filter agents by their assigned tags. Given in form of a JSON where
each key represents a tag key, and each value represents a list of
string values to filter by. To filter by unassigned tag values, use __nin
suffix in the tag key. Example: "{"key1": ["value1_1", "value1_2"],
"key2__nin": ["value2"]}".
threatcontenthash optional Include only Agents that have at least one threat with this content
hash. Example: "cf23df2207d99a74fbe169e3eba035e633b65d94".
threatcreatedat__between optional Agents with threats reported in a date range (format:
<from_timestamp>-<to_timestamp>, inclusive). Example: "1514978764288-1514978999999".
threatcreatedat__gt optional Agents with threats reported after this time. Example:
"2018-02-27T04:49:26.257525Z".
threatcreatedat__gte optional Agents with threats reported after or at this time. Example:
"2018-02-27T04:49:26.257525Z".
threatcreatedat__lt optional Agents with threats reported before this time. Example:
"2018-02-27T04:49:26.257525Z".
threatcreatedat__lte optional Agents with threats reported before or at this time. Example:
"2018-02-27T04:49:26.257525Z".
threathidden optional Include only Agents with at least one hidden threat

threatmitigationstatus optional Include only Agents that have threats with this mitigation status.
Example: "mitigated".
threatrebootrequired optional Has at least one threat with at least one mitigation action pending
reboot to succeed
threatresolved optional Include only Agents with at least one resolved threat
totalmemory__between optional Total memory range (GB, inclusive). Example: "4-8".
totalmemory__gt optional Memory size (MB, more than)
totalmemory__gte optional Memory size (MB, more than or equal)
totalmemory__lt optional Memory size (MB, less than)
totalmemory__lte optional Memory size (MB, less than or equal)
updatedat__between optional Date range for update time (format: <from_timestamp>-<to_timestamp>,
inclusive). Example: "1514978890136-1514978650130".
updatedat__gt optional Agents updated after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__gte optional Agents updated after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__lt optional Agents updated before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__lte optional Agents updated before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
useractionsneeded optional Included pending user actions. Example:
"reboot_needed,upgrade_needed".
useractionsneedednin optional Excluded pending user actions. Example:
"reboot_needed,upgrade_needed".
uuid optional Agent's universally unique identifier. Example:
"ff819e70af13be381993075eb0ce5f2f6de05be2".
uuid__contains optional Free-text filter by Agent UUID (supports multiple values). Example:
"e92-01928,b055".
uuids optional A list of included UUIDs. Example:
"ff819e70af13be381993075eb0ce5f2f6de05b11,ff819e70af13be381993075eb0ce5f2f6de05c22".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.
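
One way to build a filtered export request from the parameters above, as an added Python example (not SentinelOne's code). The helper names, the `console.example.invalid` host and the sample values are assumptions for illustration; `between` rejects a reversed range before it is sent, and `tagsdata` is JSON-encoded and then percent-encoded.

```python
import json
from urllib.parse import urlencode

EXPORT_AGENTS_PATH = "/web/api/v2.1/export/agents"  # path documented on this page


def between(start, end):
    """Render the inclusive '<from>-<to>' form used by the *__between filters."""
    if start > end:
        raise ValueError(f"range start {start} is after end {end}")
    return f"{start}-{end}"


def encode_filters(filters):
    """Convert Python values to the string forms shown in the parameter list."""
    encoded = {}
    for name, value in filters.items():
        if value is None:
            continue  # unset filter: leave it out of the query entirely
        if name == "tagsdata":
            # JSON object: tag key -> list of string values; a "__nin" key suffix excludes
            for key, values in value.items():
                if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
                    raise TypeError(f"tagsdata[{key!r}] must be a list of strings")
            encoded[name] = json.dumps(value, separators=(",", ":"))
        elif isinstance(value, bool):
            # Assumption: booleans are sent as "True"/"False", as in the page's examples
            encoded[name] = "True" if value else "False"
        elif isinstance(value, (list, tuple)):
            items = [str(v) for v in value]
            if any("," in item for item in items):
                raise ValueError(f"{name}: ',' inside a value would split it into two values")
            encoded[name] = ",".join(items)
        else:
            encoded[name] = str(value)
    return encoded


def export_agents_url(base_url, filters):
    """Build the full GET URL; urlencode percent-encodes the JSON, commas and spaces."""
    return base_url.rstrip("/") + EXPORT_AGENTS_PATH + "?" + urlencode(encode_filters(filters))


if __name__ == "__main__":
    # Constructed sample: out-of-date laptops and desktops last active in a given window
    print(export_agents_url("https://console.example.invalid", {
        "isuptodate": False,
        "machinetypes": ["laptop", "desktop"],
        "lastactivedate__between": between(1514978764288, 1514978999999),
        "tagsdata": {"key1": ["value1_1", "value1_2"], "key2__nin": ["value2"]},
    }))
```
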

Get the endpoint tags that match the filters.


GET /web/api/v2.1/agents/tags

Get endpoint Tags.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
description optional Tag description
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
ids optional List of tag IDs to filter by. Example:
"225494730938493804,225494730938493915".
includechildren optional Return tags from children scope levels
includeparents optional Return tags from parent scope levels
key optional Tag key
key__contains optional Free-text filter by tag key. Example: "server".
limit optional Limit number of returned items (1-1000). Example: "10".
query optional Free text search on fields key, value, description
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".

skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
value optional Tag value
value__contains optional Free-text filter by tag value. Example: "server".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
    Name Description Required Value
    totalItems Total number of items found matching your query true integer
    nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
    Name Description Required Value
    allowEdit Indicates whether the user can edit the tag false boolean
    createdAt Timestamp of creation false string
    createdBy Tag creator name false string
    description Tag description false string
    endpointsInCurrentScope The number of endpoints in this scope that have this tag false integer
    id Tag ID false string
    key Tag key false string
    scopeId Scope ID false string
    scopeLevel Scope level false enum
    scopePath Tag scope path false string
    totalEndpoints The total number of endpoints that have this tag false integer
    type Tag type false string
    updatedAt Timestamp of last update false string
    updatedBy Tag updater name false string
    value Tag value false string
errors Errors false array
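
The cursor pagination described by the "cursor" and "limit" parameters and the "nextCursor" field above, as an added Python example (not SentinelOne's code): `iter_tags` follows `pagination.nextCursor` until the last page. The `send` transport and `make_fake_console` are hypothetical stand-ins serving constructed tag data; a real `send` would issue the authenticated GET and return the decoded JSON body.

```python
import base64
from urllib.parse import urlencode, urlsplit, parse_qs

TAGS_PATH = "/web/api/v2.1/agents/tags"  # path documented on this page
MAX_LIMIT = 1000                          # documented range for "limit" is 1-1000


def iter_tags(send, filters=None, limit=MAX_LIMIT, max_pages=10_000):
    """Yield every tag object matching `filters`, one page request at a time.

    `send` (hypothetical) takes a path-plus-query string and returns the JSON body as a dict.
    """
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be between 1 and 1000")
    params = dict(filters or {})
    params["limit"] = limit
    cursor, seen = None, set()
    for _ in range(max_pages):
        query = dict(params)
        if cursor is not None:
            query["cursor"] = cursor  # opaque value: pass it back unchanged
        body = send(TAGS_PATH + "?" + urlencode(query))
        if body.get("errors"):
            raise RuntimeError(f"API returned errors: {body['errors']}")
        yield from body.get("data") or []
        cursor = (body.get("pagination") or {}).get("nextCursor")
        # Last page: JSON null, or the literal string "null" as the schema text words it
        if cursor in (None, "null"):
            return
        if cursor in seen:
            raise RuntimeError("server repeated a cursor; stopping to avoid an endless loop")
        seen.add(cursor)
    raise RuntimeError("max_pages reached before the last page")


def make_fake_console(tags):
    """Constructed offline stand-in: serves `tags` in pages and issues opaque cursors."""
    def send(path_and_query):
        q = parse_qs(urlsplit(path_and_query).query)
        needle = q.get("key__contains", [""])[0]
        matching = [t for t in tags if needle in t["key"]]
        limit = int(q["limit"][0])
        start = 0
        if "cursor" in q:
            start = int(base64.b64decode(q["cursor"][0]).decode().split(":")[1])
        end = start + limit
        next_cursor = None
        if end < len(matching):
            next_cursor = base64.b64encode(f"offset:{end}".encode()).decode()
        return {
            "pagination": {"totalItems": len(matching), "nextCursor": next_cursor},
            "data": matching[start:end],
            "errors": [],
        }
    return send


if __name__ == "__main__":
    # Constructed sample data: 25 tags, about half with key "server"
    sample = [{"id": str(i), "key": "server" if i % 2 else "laptop", "value": f"v{i}"}
              for i in range(25)]
    found = list(iter_tags(make_fake_console(sample), {"key__contains": "server"}, limit=5))
    print(len(found), "tags retrieved")
```
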

Export Agents - Light
GET /web/api/v2.1/export/agents-light

Export Agent data to a CSV, for Agents that match the filter. This command exports up to 300000 items (each datum is an item).

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
activethreats optional Include Agents with this amount of active threats. Example: "3".
activethreats__gt optional Include Agents with at least this amount of active threats. Example:
"5".
adcomputermember__contains optional Free-text filter by Active Directory computer groups string (supports
multiple values). Example: "DC=sentinelone".
adcomputername__contains optional Free-text filter by Active Directory computer name string (supports
multiple values). Example: "DC=sentinelone".
adcomputerquery__contains optional Free-text filter by Active Directory computer name or its groups
(supports multiple values). Example: "DC=sentinelone,Windows".
adquery optional An Active Directory query string. Example:
"CN=Managers,DC=sentinelone,DC=com".
adquery__contains optional Free-text filter by Active Directory string (supports multiple values).
Example: "DC=sentinelone".
adusermember__contains optional Free-text filter by Active Directory user groups string (supports
multiple values). Example: "DC=sentinelone".
adusername__contains optional Free-text filter by Active Directory username string (supports
multiple values). Example: "DC=sentinelone".
aduserquery__contains optional Free-text filter by Active Directory computer name or its groups
(supports multiple values). Example: "DC=sentinelone,John".
agentnamespace__contains optional Free-text filter by agent namespace (supports multiple values)
agentpodname__contains optional Free-text filter by agent pod name (supports multiple values)
agentversion__between optional Version range for agent version (format: <from_version>-<to_version>,
inclusive). Example: "2.0.0.0-2.1.5.144".

agentversion__gt optional Agents versions greater than given version. Example: "2.5.1.1320".
agentversion__gte optional Agents versions greater than or equal to given version. Example:
"2.5.1.1320".
agentversion__lt optional Agents versions less than given version. Example: "2.5.1.1320".
agentversion__lte optional Agents versions less than or equal to given version. Example:
"2.5.1.1320".
agentversions optional Agent versions to include. Example: "2.0.0.0,2.1.5.144".
agentversionsnin optional Agent versions not to include. Example: "2.0.0.0,2.1.5.144".
appsvulnerabilitystatuses optional Apps vulnerability status in. Example: "patch_required".
appsvulnerabilitystatusesnin optional Apps vulnerability status nin. Example: "patch_required".
awsrole__contains optional Free-text filter by aws role (supports multiple values)
awssecuritygroups__contains optional Free-text filter by aws securityGroups (supports multiple values)
awssubnetids__contains optional Free-text filter by aws subnet ids (supports multiple values)
azureresourcegroup__contains optional Free-text filter by azure resource group (supports multiple values)
cloudaccount__contains optional Free-text filter by cloud account (supports multiple values)
cloudimage__contains optional Free-text filter by cloud image (supports multiple values)
cloudinstanceid__contains optional Free-text filter by cloud instance id (supports multiple values)
cloudinstancesize__contains optional Free-text filter by cloud instance size (supports multiple values)
cloudlocation__contains optional Free-text filter by cloud location (supports multiple values)
cloudnetwork__contains optional Free-text filter by cloud network (supports multiple values)
cloudprovider optional Agents from which cloud provider
cloudprovidernin optional Exclude Agents from these cloud providers
cloudtags__contains optional Free-text filter by cloud tags (supports multiple values)

clustername__contains optional Free-text filter by cluster name (supports multiple values)
computername optional Computer name. Example: "My Office Desktop".
computername__contains optional Free-text filter by computer name (supports multiple values).
Example: "john-office,WIN".
computername__like optional Match computer name partially (substring). Example: "Lab1".
consolemigrationstatuses optional Migration status in. Example: "N/A".
consolemigrationstatusesnin optional Migration status nin. Example: "N/A".
corecount__between optional Possible number of CPU cores (inclusive). Example: "2-8".
corecount__gt optional CPU cores (more than)
corecount__gte optional CPU cores (more than or equal)
corecount__lt optional CPU cores (less than)
corecount__lte optional CPU cores (less than or equal)
cpucount__between optional Possible number of CPU cores (inclusive). Example: "2-8".
cpucount__gt optional Number of CPUs (more than)
cpucount__gte optional Number of CPUs (more than or equal)
cpucount__lt optional Number of CPUs (less than)
cpucount__lte optional Number of CPUs (less than or equal)
cpuid__contains optional Free-text filter by CPU name (supports multiple values). Example:
"Intel,AMD".
createdat__between optional Date range for creation time (format: <from_timestamp>-<to_timestamp>,
inclusive). Example: "1514978890136-1514978650130".
createdat__gt optional Agents created after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__gte optional Agents created after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lt optional Agents created before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lte optional Agents created before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
csvfilterid optional The ID of the CSV file to filter by. Example:
"225494730938493804".
decommissionedat__between optional Date range for decommission time (format: <from_timestamp>-<to_timestamp>,
inclusive). Example: "1514978890136-1514978650130".
decommissionedat__gt optional Agents decommissioned after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
decommissionedat__gte optional Agents decommissioned after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
decommissionedat__lt optional Agents decommissioned before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
decommissionedat__lte optional Agents decommissioned before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
domains optional Included network domains. Example: "mybusiness.net,workgroup".
domainsnin optional Not included network domains. Example:
"mybusiness.net,workgroup".
encryptedapplications optional Disk encryption status
externalid__contains optional Free-text filter by external ID (Customer ID). Example: "Tag#1 -
monitoring,Performance machine".
externalip__contains optional Free-text filter by visible IP (supports multiple values). Example:
"205,127.0".
filteredgroupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
filteredsiteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
filterid optional Include all Agents matching this saved filter. Example:
"225494730938493804".
firewallenabled optional The Agent supports Firewall Control and it is enabled for the
Agent's group
gatewayip optional Gateway ip. Example: "192.168.0.1".
gcpserviceaccount__contains optional Free-text filter by gcp service account (supports multiple values)
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
hascontainerizedworkload optional Include only Agents protecting containerized workloads
haslocalconfiguration optional Agent has a local configuration set
hastags optional Include only Agents that have any tags assigned if True, or none if
False
ids optional A list of Agent IDs. Example:
"225494730938493804,225494730938493915".
infected optional Include only Agents with at least one active threat
installertypes optional Include only Agents installed with these package types. Example:
".msi".
installertypesnin optional Exclude Agents installed with these package types. Example: ".msi".
isactive optional Include only active Agents
isdecommissioned optional Include active, decommissioned or both. Example: "True,False".
ispendinguninstall optional Include only Agents with pending uninstall requests
isuninstalled optional Include installed, uninstalled or both. Example: "True,False".
isuptodate optional Include only Agents with updated software
k8snodelabels__contains optional Free-text filter by K8s node labels (supports multiple values)
k8snodename__contains optional Free-text filter by K8s node name (supports multiple values)
k8stype__contains optional Free-text filter by K8s type (supports multiple values)
k8sversion__contains optional Free-text filter by K8s version (supports multiple values)
lastactivedate__between optional Date range for last active date (format: <from_timestamp>-<to_timestamp>,
inclusive). Example: "1514978764288-1514978999999".
lastactivedate__gt optional Agents last active after this time. Example:
"2018-02-27T04:49:26.257525Z".
lastactivedate__gte optional Agents last active after or at this time. Example:
"2018-02-27T04:49:26.257525Z".
lastactivedate__lt optional Agents last active before this time. Example:
"2018-02-27T04:49:26.257525Z".
lastactivedate__lte optional Agents last active before or at this time. Example:
"2018-02-27T04:49:26.257525Z".
lastloggedinusername__contains optional Free-text filter by username (supports multiple values). Example:
"admin,johnd1".
lastsuccessfulscandate__between optional Date range for last successful full disk scan (format:
<from_timestamp>-<to_timestamp>, inclusive). Example: "1514978764288-1514978999999".
lastsuccessfulscandate__gt optional Agents last successful full disk scan after this time. Example:
"2018-02-27T04:49:26.257525Z".
lastsuccessfulscandate__gte optional Agents last successful full disk scan after or at this time. Example:
"2018-02-27T04:49:26.257525Z".
lastsuccessfulscandate__lt optional Agents last successful full disk scan before this time. Example:
"2018-02-27T04:49:26.257525Z".
lastsuccessfulscandate__lte optional Agents last successful full disk scan before or at this time. Example:
"2018-02-27T04:49:26.257525Z".
liveupdateid__contains optional Free-text filter by live update ID (supports multiple values)
locationenabled optional The Agent supports Location Awareness and it is enabled for the
Agent's group
locationids optional Include only Agents reporting these locations. Example:
"225494730938493804,225494730938493915".
locationidsnin optional Do not include Agents reporting these locations. Example:
"225494730938493804,225494730938493915".
machinetypes optional Included machine types. Example: "laptop,desktop".
machinetypesnin optional Not included machine types. Example: "laptop,desktop".
migrationstatus optional Migration status. Example: "N/A".
missingpermissions optional Included missing permissions. Example:
"user_action_needed_bluetooth_per,user_action_needed_fda_helper"
.
missingpermissionsnin optional Excluded missing permissions. Example:
"user_action_needed_bluetooth_per,user_action_needed_fda_helper"
.
mitigationmode optional Agent mitigation mode policy. Example: "detect".
mitigationmodesuspici optional Mitigation mode policy for suspicious activity. Example: "detect".
ous
networkinterfacegate optional Free-text filter by Gateway MAC address (supports multiple values).
waymacaddress__cont Example: "aa:0f,:41:".
ains

920
networkinterfaceinet__contains optional Free-text filter by local IP (supports multiple values). Example: "192,10.0.0".
networkinterfacephysical__contains optional Free-text filter by MAC address (supports multiple values). Example: "aa:0f,:41:".
networkquarantineenabled optional The agent supports Network Quarantine Control and it is enabled for the agent's group
networkstatuses optional Included network statuses. Example: "connected,connecting".
networkstatusesnin optional Included network statuses. Example: "connected,connecting".
operationalstates optional Agent operational state
operationalstatesnin optional Do not include these Agent operational states
osarch optional OS architecture. Example: "32 bit".
ostypes optional Included OS types. Example: "macos".
ostypesnin optional Not included OS types. Example: "macos".
osversion__contains optional Free-text filter by OS full name and version (supports multiple values). Example: "Service Pack 1".
query optional A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). Example: "Linux".
rangerstatus optional [DEPRECATED] Use rangerStatuses. Example: "NotApplicable".
rangerstatuses optional Status of Ranger. Example: "NotApplicable".
rangerstatusesnin optional Do not include these Ranger Statuses. Example: "NotApplicable".
rangerversions optional Ranger versions to include. Example: "2.0.0.0,2.1.5.144".
rangerversionsnin optional Ranger versions not to include. Example: "2.0.0.0,2.1.5.144".
registeredat__between optional Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978764288-1514978999999".
registeredat__gt optional Agents registered after this time. Example: "2018-02-27T04:49:26.257525Z".
registeredat__gte optional Agents registered after or at this time. Example: "2018-02-27T04:49:26.257525Z".
registeredat__lt optional Agents registered before this time. Example: "2018-02-27T04:49:26.257525Z".
registeredat__lte optional Agents registered before or at this time. Example: "2018-02-27T04:49:26.257525Z".
remoteopsforensicssupported optional Include only Agents that have the Remote Ops Forensics feature supported
remoteprofilingstates optional Agent remote profiling state
remoteprofilingstatesnin optional Do not include these Agent remote profiling states
rsolevel optional Supported Remote Script Orchestration level. Example: "none".
scanstatus optional Scan status. Example: "none".
scanstatuses optional Included scan statuses. Example: "started,aborted".
scanstatusesnin optional Not included scan statuses. Example: "started,aborted".
serialnumber__contains optional Free-text filter by Serial Number (supports multiple values)
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
tagsdata optional Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. Example: "{"key1": ["value1_1", "value1_2"], "key2__nin": ["value2"]}".
threatcontenthash optional Include only Agents that have at least one threat with this content hash. Example: "cf23df2207d99a74fbe169e3eba035e633b65d94".
threatcreatedat__between optional Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978764288-1514978999999".
threatcreatedat__gt optional Agents with threats reported after this time. Example: "2018-02-27T04:49:26.257525Z".
threatcreatedat__gte optional Agents with threats reported after or at this time. Example: "2018-02-27T04:49:26.257525Z".
threatcreatedat__lt optional Agents with threats reported before this time. Example: "2018-02-27T04:49:26.257525Z".
threatcreatedat__lte optional Agents with threats reported before or at this time. Example: "2018-02-27T04:49:26.257525Z".
threathidden optional Include only Agents with at least one hidden threat
threatmitigationstatus optional Include only Agents that have threats with this mitigation status. Example: "mitigated".
threatrebootrequired optional Has at least one threat with at least one mitigation action pending reboot to succeed
threatresolved optional Include only Agents with at least one resolved threat
totalmemory__between optional Total memory range (GB, inclusive). Example: "4-8".
totalmemory__gt optional Memory size (MB, more than)
totalmemory__gte optional Memory size (MB, more than or equal)
totalmemory__lt optional Memory size (MB, less than)
totalmemory__lte optional Memory size (MB, less than or equal)
updatedat__between optional Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
updatedat__gt optional Agents updated after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
updatedat__gte optional Agents updated after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
updatedat__lt optional Agents updated before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
updatedat__lte optional Agents updated before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
useractionsneeded optional Included pending user actions. Example: "reboot_needed,upgrade_needed".
useractionsneedednin optional Excluded pending user actions. Example: "reboot_needed,upgrade_needed".
uuid optional Agent's universally unique identifier. Example: "ff819e70af13be381993075eb0ce5f2f6de05be2".
uuid__contains optional Free-text filter by Agent UUID (supports multiple values). Example: "e92-01928,b055".
uuids optional A list of included UUIDs. Example: "ff819e70af13be381993075eb0ce5f2f6de05b11,ff819e70af13be381993075eb0ce5f2f6de05c22".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Agents Repository (Beta)

List Access Tokens


GET /web/api/v2.1/agent-artifacts/token

Lists valid access tokens for the S1 Agent Artifacts Repository, with the option to filter by scope

Parameters
scope_id optional Scope id to list the tokens for, example: '983604236220743370'
scope_level optional Scope level to list the tokens for. Possible values: 'site', 'account'

Response Messages
200 - OK

400 - Invalid request

401 - Unauthorized

500 - Internal error

Response Schema
Name Description Required Value
data List of existing tokens false undefined []

Create Access Token
POST /web/api/v2.1/agent-artifacts/token

Creates an access token for the S1 Agent Artifacts Repository, which is needed for pulling artifacts

Response Messages
200 - OK

400 - Invalid request

401 - Unauthorized

500 - Internal Error

Response Schema
Name Description Required Value
created_at Created At timestamp of the token false string
description Token description false string
id Access token ID false integer
scope_id Scope ID false string
scope_level Scope level of the token false string
title Token name false string
token Access token - seen only once false string
username Username of the token false string

Body Schema
Name Description Required Value
description Token description false string
scope_id Scope ID of the specified account or site false string
scope_level Scope Level of the token e.g. `account`, `site` false string
title Token title false string

Delete Access Token
DELETE /web/api/v2.1/agent-artifacts/token

Deletes an access token for the S1 Agent Artifacts Repository

Parameters
scope_id optional Scope id to list the tokens for, example: '983604236220743370'
scope_level optional Scope level to list the tokens for. Possible values: 'site', 'account'
token_id optional token id of the token to be deleted, example: '42'

Response Messages
200 - Token deleted

400 - Invalid request

401 - Unauthorized

404 - Not found

500 - Internal error

alerts

Get alerts
GET /web/api/v2.1/cloud-detection/alerts

Get a list of alerts for a given scope

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
analystverdict optional Filter threats by an analyst verdict. Example: "TRUE_POSITIVE".
containerimagename__contains optional Free-text filter by the endpoint container image name (supports multiple values)
containerlabels__contains optional Free-text filter by the endpoint container labels (supports multiple values)
containername__contains optional Free-text filter by the endpoint container name (supports multiple values)
countonly optional If true, only total number of items will be returned, without any of the actual objects.
createdat__gt optional Created at greater than. Example: "2018-02-27T04:49:26.257525Z".
createdat__gte optional Created at greater or equal than. Example: "2018-02-27T04:49:26.257525Z".
createdat__lt optional Created at lesser than. Example: "2018-02-27T04:49:26.257525Z".
createdat__lte optional Created at lesser or equal than. Example: "2018-02-27T04:49:26.257525Z".
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
disablepagination optional If true, all rules for requested scope will be returned
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
ids optional A list of Alert IDs. Example: "225494730938493804,225494730938493915".
incidentstatus optional Filter threats by an incident status. Example: "IN_PROGRESS".
k8scluster__contains optional Free-text filter by the endpoint Kubernetes cluster name (supports multiple values)
k8scontrollerlabels__contains optional Free-text filter by the endpoint Kubernetes controller labels (supports multiple values)
k8scontrollername__contains optional Free-text filter by the endpoint Kubernetes controller name (supports multiple values)
k8snamespacelabels__contains optional Free-text filter by the endpoint Kubernetes namespace labels (supports multiple values)
k8snamespacename__contains optional Free-text filter by the endpoint Kubernetes namespace name (supports multiple values)
k8snode__contains optional Free-text filter by the endpoint Kubernetes node name (supports multiple values)
k8spod__contains optional Free-text filter by the endpoint Kubernetes pod name (supports multiple values)
k8spodlabels__contains optional Free-text filter by the endpoint Kubernetes pod labels (supports multiple values)
limit optional Limit number of returned items (1-1000). Example: "10".
machinetype optional agent machine type
origagentname__contains optional Free-text filter by agent name. Example: "ilia".
origagentosrevision__contains optional Free-text filter by agent OS revision. Example: "win7".
origagentuuid__contains optional Free-text filter by agent UUID. Example: "win7".
origagentversion__contains optional Free-text filter by agent OS version. Example: "7.11".
ostype optional Included OS types
query optional Full text search for all fields
reportedat__gt optional Reported at greater than. Example: "2018-02-27T04:49:26.257525Z".
reportedat__gte optional Reported at greater or equal than. Example: "2018-02-27T04:49:26.257525Z".
reportedat__lt optional Reported at lesser than. Example: "2018-02-27T04:49:26.257525Z".
reportedat__lte optional Reported at lesser or equal than. Example: "2018-02-27T04:49:26.257525Z".
rulename__contains optional Free-text filter by rule name. Example: "rule1".
scopes optional Filter results by scope. Example: "account".
severity optional Severity. Example: "Low".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
sourceprocesscommandline__contains optional Free-text filter by source commandline. Example: "rule1".
sourceprocessfilehashmd5__contains optional Free-text filter by source md5. Example: "rule1".
sourceprocessfilehashsha1__contains optional Free-text filter by source sha1. Example: "rule1".
sourceprocessfilehashsha256__contains optional Free-text filter by source sha256. Example: "rule1".
sourceprocessfilepath__contains optional Free-text filter by source file path. Example: "rule1".
sourceprocessname__contains optional Free-text filter by source process name. Example: "proc1.exe".
sourceprocessstoryline__contains optional Free-text filter by source storyline. Example: "rule1".
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
    Name Description Required Value
    totalItems Total number of items found matching your query true integer
    nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string

data Response data false
    Name Description Required Value
    agentDetectionInfo Agent detection time information false
        Name Description Required Value
        accountId Account id false string
        machineType Machine type false string
        name Name false string
        osFamily Os family false string
        osName Os name false string
        osRevision Os revision false string
        siteId Site id false string
        uuid UUID of the agent false string
        version Version false string

    alertInfo Alert information false
        Name Description Required Value
        alertId Alert ID false string
        analystVerdict Analyst verdict false enum
        createdAt Timestamp alert sent for detection false string
        dnsRequest Get the DNS name. false string
        dnsResponse Get the DNS response information (examples: IP address, DNS, data type). false string
        dstIp Get the IP address of the destination. false string
        dstPort Get the port number of the destination. false string
        dvEventId Deep Visibility event ID false string
        eventType Event type false string
        hitType Type of hit reported from the Agent false enum
        incidentStatus Incident status false enum
        indicatorCategory Get the Indicator categories for this process. false string
        indicatorDescription Get the description of the Indicator. false string
        indicatorName Get the Indicator names for this process. false string
        isEdr True if the event is edr event false boolean
        loginAccountDomain Get the domain or computer name for which the login attempt was performed. false string
        loginAccountSid Get the SID of the account that attempted to log in. false string
        loginIsAdministratorEquivalent See if the login attempt was performed by an administrator equivalent. false string
        loginIsSuccessful Check if the login attempt succeeded. false string
        loginsUserName Get the login username. false string
        loginType Get the type of login that was performed. false string
        modulePath Get the paths of modules loaded by this process. false string
        moduleSha1 Get the SHA1 signatures for modules loaded by this process. false string
        netEventDirection Get the direction of the connection attempt (incoming or outgoing). false string
        registryKeyPath Get the full paths of registry entries modified by this process. false string
        registryOldValue Get the previous registry value if it was modified. false string
        registryOldValueType Get the previous registry value type if it was modified. false string
        registryPath Get the full path location of the registry key entry. false string
        registryValue Get the registry value false string
        reportedAt Timestamp of alert creation in STAR false string
        source Source reported from the Agent. false string
        srcIp Get the IP address of the traffic source. false string
        srcMachineIp Get the IP address of the endpoint performing the login attempt. false string
        srcPort Get the port number of the traffic source. false string
        tiIndicatorComparisonMethod Get the comparison method used by SentinelOne to trigger the event. false string
        tiIndicatorSource Get the source of the identified Threat Intelligence indicator. false string
        tiIndicatorType Get the type of the identified Threat Intelligence indicator. false string
        tiIndicatorValue Get the value of the identified Threat Intelligence indicator. false string
        updatedAt Date of alert updated in Star MMS false string

    containerInfo Alert container information false
        Name Description Required Value
        id Id false string
        image Image false string
        labels Labels false string
        name Name false string

    kubernetesInfo Alert kubernetes information false
        Name Description Required Value
        cluster Cluster false string
        controllerKind Controller kind false string
        controllerLabels Controller labels false string
        controllerName Controller name false string
        namespace Namespace false string
        namespaceLabels Namespace labels false string
        node Node false string
        pod Pod false string
        podLabels Pod labels false string

    ruleInfo Custom Detection rules like STAR indicators information false
        Name Description Required Value
        s1ql The query true string
        description Rule description for the STAR alert false string
        id Rule ID for the STAR alert false string
        name Rule name for the STAR alert false string
        queryLang Defines the s1ql version query language of the rule (1.0/2.0) false enum
        queryType The query type false enum
        scopeLevel Scope level false enum
        severity Rule severity false enum
        treatAsThreat Rule treat as threat type false enum

    sourceParentProcessInfo Source parent process info false
        Name Description Required Value
        integrityLevel Integrity level true enum
        subsystem Subsystem true enum
        commandline Commandline false string
        effectiveUser Effective user false string
        fileHashMd5 File hash md5 false string
        fileHashSha1 File hash sha1 false string
        fileHashSha256 File hash sha256 false string
        filePath File path false string
        fileSignerIdentity File signer identity false string
        loginUser Login user false string
        name Name false string
        pid Pid false string
        pidStarttime Pid starttime false string
        realUser Real user false string
        storyline Storyline false string
        uniqueId Unique id false string
        user User false string

    sourceProcessInfo Source process info false
        Name Description Required Value
        integrityLevel Integrity level true enum
        subsystem Subsystem true enum
        commandline Commandline false string
        effectiveUser Effective user false string
        fileHashMd5 File hash md5 false string
        fileHashSha1 File hash sha1 false string
        fileHashSha256 File hash sha256 false string
        filePath File path false string
        fileSignerIdentity File signer identity false string
        loginUser Login user false string
        name Name false string
        pid Pid false string
        pidStarttime Pid starttime false string
        realUser Real user false string
        storyline Storyline false string
        uniqueId Unique id false string
        user User false string

    targetProcessInfo Target process info false
        Name Description Required Value
        tgtFileCreatedAt Date and Time of File Creation false string
        tgtFileHashSha1 SHA1 Signature of File false string
        tgtFileHashSha256 SHA256 Signature of File false string
        tgtFileId Unique ID of file false string
        tgtFileIsSigned Is file signed false string
        tgtFileModifiedAt Date and time file was modified false string
        tgtFileOldPath Old path before 'Rename' false string
        tgtFilePath Path and filename false string
        tgtProcCmdLine Target Process Command Line false string
        tgtProcessStartTime Target Process Start Time false string
        tgtProcImagePath Target Process Image path false string
        tgtProcIntegrityLevel Integrity level of target process false enum
        tgtProcName Target Process Name false string
        tgtProcPid Target Process ID (PID) false string
        tgtProcSignedStatus Target Process Signed Status false string
        tgtProcStorylineId Target Process StoryLine ID false string
        tgtProcUid Target Process Unique ID false string

errors Errors false array
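
The "cursor" parameter and the "nextCursor" response field of Get alerts work as a pair: "skip" stops at 1000 items, so a complete export has to follow the cursor. The Python below is an added example, not SentinelOne code; `iter_alerts`, `build_alerts_query` and the `fetch_page` transport are hypothetical names, "data" is assumed to be a JSON array of alert objects, and the in-memory server and its alerts are constructed so the block runs offline.

```python
import base64
from urllib.parse import parse_qs, urlencode, urlsplit

ALERTS_PATH = "/web/api/v2.1/cloud-detection/alerts"
MAX_LIMIT = 1000  # the page documents "limit" as 1-1000


def build_alerts_query(filters=None, limit=MAX_LIMIT, cursor=None):
    """Query string for one page; `filters` uses the parameter names listed above."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be within 1-1000")
    params = dict(filters or {})
    if "skip" in params:
        # "skip" is capped at 1000 items; the page says to use "cursor" beyond that.
        raise ValueError('iterate with "cursor", not "skip"')
    params["limit"] = limit
    if cursor:
        params["cursor"] = cursor
    return urlencode(sorted(params.items()))


def iter_alerts(fetch_page, filters=None, limit=MAX_LIMIT, max_pages=10000):
    """Yield every alert that matches `filters`, following pagination.nextCursor.

    fetch_page(path_and_query) is a caller-supplied transport (hypothetical) that
    performs the authenticated GET and returns the decoded JSON body as a dict.
    """
    cursor, seen = None, set()
    for _ in range(max_pages):
        body = fetch_page(ALERTS_PATH + "?" + build_alerts_query(filters, limit, cursor))
        if body.get("errors"):
            raise RuntimeError("API returned errors: %r" % (body["errors"],))
        for alert in body.get("data") or []:  # assumption: "data" is a JSON array
            yield alert
        cursor = (body.get("pagination") or {}).get("nextCursor")
        # Documented as "null" on the last page; accept JSON null or that literal string.
        if cursor in (None, "", "null"):
            return
        if cursor in seen:
            raise RuntimeError("cursor repeated; aborting instead of looping")
        seen.add(cursor)
    raise RuntimeError("max_pages reached before the last page")


def make_fake_fetch(alerts):
    """Constructed in-memory stand-in for the console, so the example runs offline.

    Its cursors are base64-encoded offsets; real cursors are opaque to the client.
    """
    calls = []

    def fetch_page(path_and_query):
        calls.append(path_and_query)
        query = parse_qs(urlsplit(path_and_query).query)
        limit = int(query["limit"][0])
        start = int(base64.b64decode(query["cursor"][0])) if "cursor" in query else 0
        wanted = query.get("severity", [None])[0]
        hits = [a for a in alerts if wanted in (None, a["ruleInfo"]["severity"])]
        end = min(start + limit, len(hits))
        more = end < len(hits)
        return {
            "pagination": {
                "totalItems": len(hits),
                "nextCursor": base64.b64encode(str(end).encode()).decode() if more else None,
            },
            "data": hits[start:end],
            "errors": None,
        }

    fetch_page.calls = calls
    return fetch_page


# Constructed sample data: seven alerts with alternating rule severity.
SAMPLE_ALERTS = [
    {"alertInfo": {"alertId": str(n)}, "ruleInfo": {"severity": "Low" if n % 2 else "High"}}
    for n in range(7)
]


def collect_low_severity_ids(page_size=2):
    """Run the iterator against the fake transport; return (alert IDs, request count)."""
    fetch = make_fake_fetch(SAMPLE_ALERTS)
    ids = [a["alertInfo"]["alertId"] for a in iter_alerts(fetch, {"severity": "Low"}, page_size)]
    return ids, len(fetch.calls)


if __name__ == "__main__":
    print(collect_low_severity_ids())
```

The repeated-cursor and `max_pages` checks keep an export job from looping forever if a response is malformed.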

Update Threat Incident
POST /web/api/v2.1/cloud-detection/alerts/incident

Update the incident details of an alert.

Response Messages
200 - Threats incident successfully updated

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    affected Number of entities affected by the requested operation false integer

errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    incidentStatus Incident status true enum

filter Filter true
    Name Description Required Value
    accountIds List of Account IDs to filter by false string []
    analystVerdict Filter threats by an analyst verdict false string []
    containerImageName__contains Free-text filter by the endpoint container image name (supports multiple values) false string []
    containerLabels__contains Free-text filter by the endpoint container labels (supports multiple values) false string []
    containerName__contains Free-text filter by the endpoint container name (supports multiple values) false string []
    createdAt__gt Created at greater than. false string
    createdAt__gte Created at greater or equal than. false string
    createdAt__lt Created at lesser than. false string
    createdAt__lte Created at lesser or equal than. false string
    groupIds List of Group IDs to filter by false string []
    ids A list of Alert IDs false string []
    incidentStatus Filter threats by an incident status false string []
    k8sCluster__contains Free-text filter by the endpoint Kubernetes cluster name (supports multiple values) false string []
    k8sControllerLabels__contains Free-text filter by the endpoint Kubernetes controller labels (supports multiple values) false string []
    k8sControllerName__contains Free-text filter by the endpoint Kubernetes controller name (supports multiple values) false string []
    k8sNamespaceLabels__contains Free-text filter by the endpoint Kubernetes namespace labels (supports multiple values) false string []
    k8sNamespaceName__contains Free-text filter by the endpoint Kubernetes namespace name (supports multiple values) false string []
    k8sNode__contains Free-text filter by the endpoint Kubernetes node name (supports multiple values) false string []
    k8sPod__contains Free-text filter by the endpoint Kubernetes pod name (supports multiple values) false string []
    k8sPodLabels__contains Free-text filter by the endpoint Kubernetes pod labels (supports multiple values) false string []
    limit Limit false integer
    machineType agent machine type false string []
    origAgentName__contains Free-text filter by agent name false string []
    origAgentOsRevision__contains Free-text filter by agent OS revision false string []
    origAgentUuid__contains Free-text filter by agent UUID false string []
    origAgentVersion__contains Free-text filter by agent OS version false string []
    osType Included OS types false string []
    query Full text search for all fields false string
    reportedAt__gt Reported at greater than. false string
    reportedAt__gte Reported at greater or equal than. false string
    reportedAt__lt Reported at lesser than. false string
    reportedAt__lte Reported at lesser or equal than. false string
    ruleName__contains Free-text filter by rule name false string []
    scopes Filter results by scope false string []
    severity Severity false string []
    siteIds List of Site IDs to filter by false string []
    sourceProcessCommandline__contains Free-text filter by source commandline false string []
    sourceProcessFileHashMd5__contains Free-text filter by source md5 false string []
    sourceProcessFileHashSha1__contains Free-text filter by source sha1 false string []
    sourceProcessFileHashSha256__contains Free-text filter by source sha256 false string []
    sourceProcessFilePath__contains Free-text filter by source file path false string []
    sourceProcessName__contains Free-text filter by source process name false string []
    sourceProcessStoryline__contains Free-text filter by source storyline false string []
    tenant Indicates a tenant scope request false boolean

Update Alert Analyst Verdict
POST /web/api/v2.1/cloud-detection/alerts/analyst-verdict

Change the verdict of an alert

Response Messages
200 - Threats incident successfully updated

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    affected Number of entities affected by the requested operation false integer

errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    analystVerdict Analyst verdict true enum

filter Filter true
    Name Description Required Value
    accountIds List of Account IDs to filter by false string []
    analystVerdict Filter threats by an analyst verdict false string []
    containerImageName__contains Free-text filter by the endpoint container image name (supports multiple values) false string []
    containerLabels__contains Free-text filter by the endpoint container labels (supports multiple values) false string []
    containerName__contains Free-text filter by the endpoint container name (supports multiple values) false string []
    createdAt__gt Created at greater than. false string
    createdAt__gte Created at greater or equal than. false string
    createdAt__lt Created at lesser than. false string
    createdAt__lte Created at lesser or equal than. false string
    groupIds List of Group IDs to filter by false string []
    ids A list of Alert IDs false string []
    incidentStatus Filter threats by an incident status false string []
    k8sCluster__contains Free-text filter by the endpoint Kubernetes cluster name (supports multiple values) false string []
    k8sControllerLabels__contains Free-text filter by the endpoint Kubernetes controller labels (supports multiple values) false string []
    k8sControllerName__contains Free-text filter by the endpoint Kubernetes controller name (supports multiple values) false string []
    k8sNamespaceLabels__contains Free-text filter by the endpoint Kubernetes namespace labels (supports multiple values) false string []
    k8sNamespaceName__contains Free-text filter by the endpoint Kubernetes namespace name (supports multiple values) false string []
    k8sNode__contains Free-text filter by the endpoint Kubernetes node name (supports multiple values) false string []
    k8sPod__contains Free-text filter by the endpoint Kubernetes pod name (supports multiple values) false string []
    k8sPodLabels__contains Free-text filter by the endpoint Kubernetes pod labels (supports multiple values) false string []
    limit Limit false integer
    machineType agent machine type false string []
    origAgentName__contains Free-text filter by agent name false string []
    origAgentOsRevision__contains Free-text filter by agent OS revision false string []
    origAgentUuid__contains Free-text filter by agent UUID false string []
    origAgentVersion__contains Free-text filter by agent OS version false string []
    osType Included OS types false string []
    query Full text search for all fields false string
    reportedAt__gt Reported at greater than. false string
    reportedAt__gte Reported at greater or equal than. false string
    reportedAt__lt Reported at lesser than. false string
    reportedAt__lte Reported at lesser or equal than. false string
    ruleName__contains Free-text filter by rule name false string []
    scopes Filter results by scope false string []
    severity Severity false string []
    siteIds List of Site IDs to filter by false string []
    sourceProcessCommandline__contains Free-text filter by source commandline false string []
    sourceProcessFileHashMd5__contains Free-text filter by source md5 false string []
    sourceProcessFileHashSha1__contains Free-text filter by source sha1 false string []
    sourceProcessFileHashSha256__contains Free-text filter by source sha256 false string []
    sourceProcessFilePath__contains Free-text filter by source file path false string []
    sourceProcessName__contains Free-text filter by source process name false string []
    sourceProcessStoryline__contains Free-text filter by source storyline false string []
    tenant Indicates a tenant scope request false boolean
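
Update Threat Incident and Update Alert Analyst Verdict take the same body: a one-field "data" object plus a "filter" whose keys the Body Schema writes in camelCase, while the Get alerts query parameters are listed in lowercase. The Python below is an added example, not SentinelOne code; `build_update` and `check_filter` are hypothetical names, nothing is sent, and refusing an empty filter is this example's own safeguard because the page does not say what an empty filter matches.

```python
import json

INCIDENT_PATH = "/web/api/v2.1/cloud-detection/alerts/incident"
VERDICT_PATH = "/web/api/v2.1/cloud-detection/alerts/analyst-verdict"
DATA_FIELD = {INCIDENT_PATH: "incidentStatus", VERDICT_PATH: "analystVerdict"}

# Filter keys grouped by the Value column of the Body Schema tables.
LIST_KEYS = {  # "string []"
    "accountIds", "analystVerdict", "containerImageName__contains",
    "containerLabels__contains", "containerName__contains", "groupIds", "ids",
    "incidentStatus", "k8sCluster__contains", "k8sControllerLabels__contains",
    "k8sControllerName__contains", "k8sNamespaceLabels__contains",
    "k8sNamespaceName__contains", "k8sNode__contains", "k8sPod__contains",
    "k8sPodLabels__contains", "machineType", "origAgentName__contains",
    "origAgentOsRevision__contains", "origAgentUuid__contains",
    "origAgentVersion__contains", "osType", "ruleName__contains", "scopes",
    "severity", "siteIds", "sourceProcessCommandline__contains",
    "sourceProcessFileHashMd5__contains", "sourceProcessFileHashSha1__contains",
    "sourceProcessFileHashSha256__contains", "sourceProcessFilePath__contains",
    "sourceProcessName__contains", "sourceProcessStoryline__contains",
}
STRING_KEYS = {  # "string"
    "createdAt__gt", "createdAt__gte", "createdAt__lt", "createdAt__lte",
    "reportedAt__gt", "reportedAt__gte", "reportedAt__lt", "reportedAt__lte",
    "query",
}
SCALAR_KEYS = {"limit": int, "tenant": bool}  # "integer" and "boolean"
KNOWN = LIST_KEYS | STRING_KEYS | set(SCALAR_KEYS)
BY_LOWER = {k.lower(): k for k in KNOWN}


def check_filter(flt):
    """Return a validated copy of `flt`; raise on an unknown key or a wrong type."""
    if not flt:
        # Safeguard chosen for this example: a bulk update must name its targets.
        raise ValueError("empty filter refused")
    for key, value in flt.items():
        if key not in KNOWN:
            hint = BY_LOWER.get(key.lower())
            note = "; the body schema spells it %r" % hint if hint else ""
            raise ValueError("unknown filter key %r%s" % (key, note))
        if key in LIST_KEYS:
            # A bare string here would be a common slip: the schema wants a list.
            ok = isinstance(value, list) and bool(value) and all(isinstance(v, str) for v in value)
        elif key in STRING_KEYS:
            ok = isinstance(value, str) and bool(value)
        else:
            ok = type(value) is SCALAR_KEYS[key]  # True/False is not accepted for "limit"
        if not ok:
            raise TypeError("filter key %r has the wrong type or is empty" % key)
    return dict(flt)


def build_update(path, new_value, flt):
    """Body for POST `path`: {"data": {<field>: new_value}, "filter": {...}}."""
    if path not in DATA_FIELD:
        raise ValueError("not an alert-update endpoint: %r" % path)
    if not isinstance(new_value, str) or not new_value:
        raise TypeError("enum value must be a non-empty string")
    return {"data": {DATA_FIELD[path]: new_value}, "filter": check_filter(flt)}


def verdict_body_for(alert_ids, verdict="TRUE_POSITIVE"):
    """Body that sets one verdict on an explicit list of alert IDs."""
    return build_update(VERDICT_PATH, verdict, {"ids": list(alert_ids)})


if __name__ == "__main__":
    # Constructed alert ID, reusing the ID format shown in the page's examples.
    print(json.dumps(verdict_body_for(["225494730938493804"]), indent=2))
```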

Application Management

Inventory Endpoints Data Export


GET /web/api/v2.1/application-management/inventory/endpoints/export/csv

Export application inventory endpoints data to CSV.

Parameters
applicationname required Name
applicationvendor required Vendor
accountids optional Single Account ID to filter by. Example: "225494730938493804".
detectiondate__between optional Date range for application detection date (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
detectiondate__gt optional Application detection date after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
detectiondate__gte optional Application detection date after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
detectiondate__lt optional Application detection date before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
detectiondate__lte optional Application detection date before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
endpointname__contains optional Free-text filter by endpoint name (supports multiple values). Example: "Office,Test".
endpointuuid__contains optional Free-text filter by endpoint uuid (supports multiple values)
groupids optional Single Group ID to filter by. Example: "225494730938493804".
osarchitectures optional Included OS architectures
ostypes optional Included OS types
osversions optional Included OS versions
siteids optional Single Site ID to filter by. Example: "225494730938493804".
versions optional Included application versions

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Aggregated Application Risk Data Export


GET /web/api/v2.1/application-management/risks/aggregated-applications/export/csv

Export aggregated application data to CSV.

Parameters
accountids optional Single Account ID to filter by. Example: "225494730938493804".
applicationtypes optional Application type. Available with Ranger Insights. Example:
"A,p,p,l,i,c,a,t,i,o,n".
cveid__contains optional Free-text filter by CVE id (supports multiple values). Example:
"CVE-1234-5678".
daysfromdetection optional Days from application detection, e.g. 12 days or more. Example:
"12".
detectiondate__between optional Date range for application detection date (format:
<from_timestamp>-<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
detectiondate__gt optional Application detection date after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__gte optional Application detection date after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__lt optional Application detection date before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__lte optional Application detection date before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
domains optional Included domains.
endpointname__contains optional Free-text filter by endpoint name (supports multiple values).
Example: "Office,Test".
endpointtypes optional Included endpoint types. Example: "desktop,laptop".
endpointuuid__contains optional Free-text filter by endpoint uuid (supports multiple values)
exploitcodematurity optional Included exploit code maturity values. Available with Ranger
Insights. Example: "Functional,High".
exploitedinthewild optional Included exploited in the wild values. Available with Ranger Insights.
Example: "Unknown,Yes".
groupids optional Single Group ID to filter by. Example: "225494730938493804".
highestseverities optional Included highest severities. Example: "CRITICAL,HIGH".
mostcommonstatuses optional Included most common status values. Available with Ranger Insights.
name__contains optional Free-text filter by application name (supports multiple values).
Example: "Office 1.1,Test".
ostypes optional Included OS types. Example: "windows,linux".
remediationlevels optional Included remediation level values. Available with Ranger Insights.
Example: "Official Fix,Temporary Fix".
siteids optional Single Site ID to filter by. Example: "225494730938493804".
vendor__contains optional Free-text filter by vendor (supports multiple values). Example:
"Microsoft,Apple".
vendors optional Included vendors. Example: "Microsoft,Apple".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Application Risk Data Export

GET /web/api/v2.1/application-management/risks/applications/export/csv

Export application data to CSV.

Parameters
accountids optional Single Account ID to filter by. Example: "225494730938493804".
application__contains optional Free-text filter by application name and version (supports multiple
values). Example: "Office 1.1,Test".
applicationtypes optional Application type. Available with Ranger Insights. Example:
"A,p,p,l,i,c,a,t,i,o,n".
cveid__contains optional Free-text filter by CVE id (supports multiple values). Example:
"CVE-1234-5678".
daysfromdetection optional Days from application detection, e.g. 12 days or more. Example:
"12".
detectiondate__between optional Date range for application detection date (format:
<from_timestamp>-<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
detectiondate__gt optional Application detection date after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__gte optional Application detection date after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__lt optional Application detection date before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__lte optional Application detection date before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
domains optional Included domains.
endpointname__contains optional Free-text filter by endpoint name (supports multiple values).
Example: "Office,Test".
endpointtypes optional Included endpoint types. Example: "desktop,laptop".
endpointuuid__contains optional Free-text filter by endpoint uuid (supports multiple values)
exploitcodematurity optional Included exploit code maturity values. Available with Ranger
Insights. Example: "Functional,High".
exploitedinthewild optional Included exploited in the wild values. Available with Ranger Insights.
Example: "Unknown,Yes".
groupids optional Single Group ID to filter by. Example: "225494730938493804".
highestseverities optional Included highest severities. Example: "CRITICAL,HIGH".
mostcommonstatuses optional Included most common status values. Available with Ranger Insights.
ostypes optional Included OS types. Example: "windows,linux".
remediationlevels optional Included remediation level values. Available with Ranger Insights.
Example: "Official Fix,Temporary Fix".
siteids optional Single Site ID to filter by. Example: "225494730938493804".
vendor__contains optional Free-text filter by vendor (supports multiple values). Example:
"Microsoft,Apple".
vendors optional Included vendors. Example: "Microsoft,Apple".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Risk Endpoint Data Export


GET /web/api/v2.1/application-management/risks/endpoints/export/csv

Export endpoint data to CSV.

Parameters
accountids optional Single Account ID to filter by. Example: "225494730938493804".
applicationids optional Included application versions by id
applicationname optional Application name
applicationvendor optional Application vendor
applicationversions optional Included application versions
daysfromdetection optional Days from application detection, e.g. 12 days or more. Example:
"12".
daystomitigation__between optional Date range for days left to mitigation. Available with Ranger Insights
when using ticket integration. Example: "1-30".
detectiondate__between optional Date range for application detection date (format:
<from_timestamp>-<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
detectiondate__gt optional Application detection date after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__gte optional Application detection date after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__lt optional Application detection date before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__lte optional Application detection date before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
domain__contains optional Free-text filter by domain (supports multiple values). Example:
"mybusiness,workgroup".
domains optional Included endpoint domains
endpointid__contains optional Free-text filter by endpoint id (supports multiple values)
endpointname__contains optional Free-text filter by endpoint name (supports multiple values).
Example: "Office,Test".
endpointtypes optional Included endpoint types
endpointuuid__contains optional Free-text filter by endpoint uuid (supports multiple values)
groupids optional Single Group ID to filter by. Example: "225494730938493804".
lastscandate__between optional Date range for last scan date (format:
<from_timestamp>-<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
lastscandate__gt optional Last scan date after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
lastscandate__gte optional Last scan date after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
lastscandate__lt optional Last scan date before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
lastscandate__lte optional Last scan date before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
lastscanresults optional Included last scan results. Example: "Succeeded".
ostypes optional Included OS types
osversions optional Included OS versions
siteids optional Single Site ID to filter by. Example: "225494730938493804".
statuses optional Included statuses. Available with Ranger Insights.
statusmessage__contains optional Free-text filter by status message (supports multiple values).
Available with Ranger Insights. Example: "assigned to john,top
priority".
ticketid__contains optional Free-text filter by ticket id. Available with Ranger Insights when
using ticket integration. Example: "ABC-123,ABCD-100".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Application CVE Data Export


GET /web/api/v2.1/application-management/risks/cves/export/csv

Export CVE data to CSV.

Parameters
accountids optional Single Account ID to filter by. Example: "225494730938493804".
analystverdict optional Include Default(not edited)/ False Positives / Added CVEs for
Vulnerabilities. Example: "Default,False Positive,Added CVE".
applicationids optional Included application versions by id
applicationname optional Application name
applicationvendor optional Application vendor
applicationversions optional Included application versions
cveid__contains optional Free-text filter by CVE id (supports multiple values). Example:
"CVE-1234-5678".
exploitcodematurity optional Included exploit code maturity values. Available with Ranger
Insights. Example: "FUNCTIONAL,HIGH".
exploitedinthewild optional Included exploited in the wild values. Available with Ranger Insights.
Example: "EXPLOITED_UNKNOWN,YES".
groupids optional Single Group ID to filter by. Example: "225494730938493804".
publisheddate__between optional Date range for CVE publish date (format:
<from_timestamp>-<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
publisheddate__gt optional CVE published date after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
publisheddate__gte optional CVE published date after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
publisheddate__lt optional CVE published date before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
publisheddate__lte optional CVE published date before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
remediationlevels optional Included remediation level values. Available with Ranger Insights.
Example: "OFFICIAL_FIX,TEMPORARY_FIX".
reportconfidence optional Included report confidence values. Available with Ranger Insights.
Example: "REASONABLE,CONFIRMED".
severities optional Included severities. Example: "CRITICAL,HIGH".
siteids optional Single Site ID to filter by. Example: "225494730938493804".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Inventory Data Export

GET /web/api/v2.1/application-management/inventory/export/csv

Export application inventory data to CSV.

Parameters
accountids optional Single Account ID to filter by. Example: "225494730938493804".
endpointname__contains optional Free-text filter by endpoint name (supports multiple values).
Example: "Office,Test".
endpointuuid__contains optional Free-text filter by endpoint uuid (supports multiple values)
groupids optional Single Group ID to filter by. Example: "225494730938493804".
name__contains optional Free-text filter by application name (supports multiple values).
Example: "Office,Test".
osarchitectures optional Included OS architectures
ostypes optional Included OS types
osversion__contains optional Free-text filter by os version (supports multiple values). Example:
"Windows 7 ServicePack1".
osversions optional Included OS versions
siteids optional Single Site ID to filter by. Example: "225494730938493804".
vendor__contains optional Free-text filter by vendor (supports multiple values). Example:
"Microsoft,Apple".
vendors optional Included vendors. Example: "Microsoft,Apple".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Risks Data Export


GET /web/api/v2.1/application-management/risks/export/csv

Export risks data to CSV.

Parameters
accountids optional Single Account ID to filter by. Example: "225494730938493804".
analystverdict optional Include Default(not edited)/ False Positives / Added CVEs for
Vulnerabilities. Example: "Default,False Positive,Added CVE".
application__contains optional Free-text filter by application name and version (supports multiple
values). Example: "Office 1.1,Test".
applicationnames optional Included application names. Example: "Office 1.1,Test".
applicationvendor__contains optional Free-text filter by vendor (supports multiple values). Example:
"Microsoft,Apple".
cveid__contains optional Free-text filter by CVE id (supports multiple values). Example:
"CVE-1234-5678".
daysfromcvedetection optional Days from CVE detection, e.g. 12 days or more. Example: "12".
detectiondate__between optional Date range for CVE detection date (format:
<from_timestamp>-<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
detectiondate__gt optional CVE detection date after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__gte optional CVE detection date after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__lt optional CVE detection date before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__lte optional CVE detection date before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
domain__contains optional Free-text filter by domain (supports multiple values). Example:
"mybusiness,workgroup".
domains optional Included network domains. Example: "mybusiness,workgroup".
endpointname__contains optional Free-text filter by endpoint name (supports multiple values).
Example: "Office,Test".
endpointtypes optional Included endpoint types
exploitcodematurity optional Included exploit code maturity values. Available for VLN SKU.
Example: "FUNCTIONAL,HIGH".
exploitedinthewild optional Included exploited in the wild values. Available for VLN SKU.
Example: "EXPLOITED_UNKNOWN,YES".
groupids optional Single Group ID to filter by. Example: "225494730938493804".
includeremovals optional Include also removed CVEs in the results
lastscanresults optional Included last scan results. Example: "Succeeded".
mitigationstatus optional Filters by the application's mitigation status values. Available for VLN
SKU. Example: "Not mitigated,To be patched,On hold".
ostypes optional Included OS types
osversions optional Included OS versions
publisheddate__between optional Date range for CVE publish date (format:
<from_timestamp>-<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
publisheddate__gt optional CVE published date after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
publisheddate__gte optional CVE published date after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
publisheddate__lt optional CVE published date before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
publisheddate__lte optional CVE published date before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
remediationlevels optional Included remediation level values. Available for VLN SKU. Example:
"OFFICIAL_FIX,TEMPORARY_FIX".
reportconfidence optional Included report confidence values. Available for VLN SKU. Example:
"REASONABLE,CONFIRMED".
riskscore__between optional Risk score (inclusive). Available for VLN SKU. Example: "5-8.9".
riskupdateddate__between optional Significant CVE updates within this date range (format:
<from_timestamp>-<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
riskupdateddate__gt optional Significant CVE updates after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
riskupdateddate__gte optional Significant CVE updates after or at this timestamp. Recommended
for fetching delta-changes. Example:
"2018-02-27T04:49:26.257525Z".
riskupdateddate__lt optional Significant CVE updates before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
riskupdateddate__lte optional Significant CVE updates before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
severities optional Included severities. Example: "CRITICAL,HIGH".
siteids optional Single Site ID to filter by. Example: "225494730938493804".
vendors optional Included vendors. Example: "Microsoft,Apple".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Get Endpoint Apps


GET /web/api/v2.1/application-management/inventory/applications

Get the installed applications for a specific endpoint.


To get the Agent ID, run "agents".

Parameters
ids required Agent ID list. Example:
"225494730938493804,225494730938493915".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    installedDate Installed date false string
    name Name false string
    publisher Publisher false string
    size Size false integer
    version Version false string
errors Errors false array

Get App Inventory Endpoints
GET /web/api/v2.1/application-management/inventory/endpoints

Get endpoint data for a specific application.

Parameters
applicationname required Name
applicationvendor required Vendor
accountids optional Single Account ID to filter by. Example: "225494730938493804".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
detectiondate__between optional Date range for application detection date (format:
<from_timestamp>-<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
detectiondate__gt optional Application detection date after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__gte optional Application detection date after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__lt optional Application detection date before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__lte optional Application detection date before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
endpointname__contains optional Free-text filter by endpoint name (supports multiple values).
Example: "Office,Test".
endpointuuid__contains optional Free-text filter by endpoint uuid (supports multiple values)
groupids optional Single Group ID to filter by. Example: "225494730938493804".
limit optional Limit number of returned items (1-1000). Example: "10".
osarchitectures optional Included OS architectures
ostypes optional Included OS types
osversions optional Included OS versions
siteids optional Single Site ID to filter by. Example: "225494730938493804".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
versions optional Included application versions

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
pagination Pagination information true
    Name Description Required Value
    totalItems Total number of items found matching your query true integer
    nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
    Name Description Required Value
    accountName Account name false string
    applicationInstallationDate Application installation date false string
    applicationInstallationPath Application installation path false string
    applicationName Application name false string
    coreCount Core count false integer
    cpe Cpe false
    cpuCount Cpu count false integer
    detectionDate Detection date false string
    endpointId Endpoint id false string
    endpointName Endpoint name false string
    endpointType Endpoint type false string
    endpointUuid Endpoint uuid false string
    fileSize File size false integer
    groupName Group name false string
    id Id false string
    osArch Os arch false string
    osName Os name false string
    osType OS type false enum
    osVersion Os version false string
    siteName Site name false string
    version Version false string
errors Errors false array
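
The cursor / nextCursor iteration described by the parameters and response schema above, as an added example that is not part of the SentinelOne documentation: it walks GET /web/api/v2.1/application-management/inventory/endpoints page by page until nextCursor is null. The helper names, the constructed sample pages and the "Authorization: ApiToken" header used by http_fetch are assumptions not taken from this section.

```python
import json
import urllib.parse
import urllib.request

ENDPOINT = "/web/api/v2.1/application-management/inventory/endpoints"
MAX_LIMIT = 1000  # documented range for "limit" is 1-1000


def build_query(application_name, application_vendor, limit=MAX_LIMIT,
                cursor=None, **filters):
    """Build the query string for one page of results."""
    if not application_name or not application_vendor:
        raise ValueError("applicationname and applicationvendor are required")
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be in the range 1-1000")
    params = {
        "applicationname": application_name,
        "applicationvendor": application_vendor,
        "limit": str(limit),
    }
    for key, value in filters.items():
        # Multi-value filters are sent comma-separated, e.g. "Office,Test".
        if isinstance(value, (list, tuple)):
            value = ",".join(value)
        params[key] = str(value)
    if cursor:
        params["cursor"] = cursor
    return urllib.parse.urlencode(params)


def http_fetch(base_url, api_token):
    """Return fetch(query) that performs the real HTTPS request.

    Assumption: the token is sent as "Authorization: ApiToken <token>";
    this section of the documentation does not describe authentication.
    """
    def fetch(query):
        request = urllib.request.Request(
            f"{base_url}{ENDPOINT}?{query}",
            headers={"Authorization": f"ApiToken {api_token}"},
        )
        with urllib.request.urlopen(request, timeout=30) as response:
            return json.load(response)
    return fetch


def iter_endpoints(fetch, application_name, application_vendor,
                   limit=MAX_LIMIT, **filters):
    """Yield every item in "data", following pagination.nextCursor."""
    cursor = None
    seen = set()
    while True:
        body = fetch(build_query(application_name, application_vendor,
                                 limit, cursor, **filters))
        if body.get("errors"):
            raise RuntimeError(f"API returned errors: {body['errors']}")
        yield from body.get("data") or []
        cursor = (body.get("pagination") or {}).get("nextCursor")
        if not cursor:
            return  # null nextCursor: last page reached
        if cursor in seen:
            # Guard against looping forever on a repeated cursor.
            raise RuntimeError("nextCursor repeated; aborting iteration")
        seen.add(cursor)


def fake_fetch(pages):
    """Constructed stand-in for the console: canned pages keyed by cursor."""
    calls = []

    def fetch(query):
        params = urllib.parse.parse_qs(query)
        calls.append(params)
        return pages[params.get("cursor", [None])[0]]

    fetch.calls = calls
    return fetch


# Constructed sample responses shaped like the Response Schema above.
SAMPLE_PAGES = {
    None: {
        "pagination": {"totalItems": 3, "nextCursor": "Y3Vyc29yLTE="},
        "data": [{"endpointName": "Office-01", "version": "1.1"},
                 {"endpointName": "Office-02", "version": "1.1"}],
    },
    "Y3Vyc29yLTE=": {
        "pagination": {"totalItems": 3, "nextCursor": None},
        "data": [{"endpointName": "Test-07", "version": "1.0"}],
    },
}

if __name__ == "__main__":
    demo = fake_fetch(SAMPLE_PAGES)
    for row in iter_endpoints(demo, "Office", "Microsoft", limit=2):
        print(row["endpointName"], row["version"])
```

Against a real console, pass http_fetch(base_url, api_token) in place of fake_fetch(SAMPLE_PAGES).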

Get Aggregated Applications With Risk
GET /web/api/v2.1/application-management/risks/aggregated-applications

Get data for all applications. Available with Ranger Insights license.

Parameters
accountids optional Single Account ID to filter by. Example: "225494730938493804".
applicationtypes optional Application type. Available with Ranger Insights. Example:
"A,p,p,l,i,c,a,t,i,o,n".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
cveid__contains optional Free-text filter by CVE id (supports multiple values). Example:
"CVE-1234-5678".
daysfromdetection optional Days from application detection, e.g. 12 days or more. Example:
"12".
detectiondate__between optional Date range for application detection date (format:
<from_timestamp>-<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
detectiondate__gt optional Application detection date after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__gte optional Application detection date after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__lt optional Application detection date before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__lte optional Application detection date before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
domains optional Included domains.
endpointname__contains optional Free-text filter by endpoint name (supports multiple values).
Example: "Office,Test".
endpointtypes optional Included endpoint types. Example: "desktop,laptop".
endpointuuid__contains optional Free-text filter by endpoint uuid (supports multiple values)
exploitcodematurity optional Included exploit code maturity values. Available with Ranger
Insights. Example: "Functional,High".
exploitedinthewild optional Included exploited in the wild values. Available with Ranger Insights.
Example: "Unknown,Yes".
groupids optional Single Group ID to filter by. Example: "225494730938493804".
highestseverities optional Included highest severities. Example: "CRITICAL,HIGH".
limit optional Limit number of returned items (1-1000). Example: "10".
mostcommonstatuses optional Included most common status values. Available with Ranger Insights.
name__contains optional Free-text filter by application name (supports multiple values).
Example: "Office 1.1,Test".
ostypes optional Included OS types. Example: "windows,linux".
remediationlevels optional Included remediation level values. Available with Ranger Insights.
Example: "Official Fix,Temporary Fix".
siteids optional Single Site ID to filter by. Example: "225494730938493804".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
vendor__contains optional Free-text filter by vendor (supports multiple values). Example:
"Microsoft,Apple".
vendors optional Included vendors. Example: "Microsoft,Apple".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
pagination Pagination information true
    Name Description Required Value
    totalItems Total number of items found matching your query true integer
    nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
    Name Description Required Value
    applicationType Application type false string
    cveCount Cve count false integer
    daysDetected Days detected false
    detectionDate Detection date false string
    endpointCount Endpoint count false integer
    endpointsWithoutTicket Number of endpoints that are in an integrated scope, but don't have a ticket created. Available with Ranger Insights. false integer
    estimate Estimate false boolean
    exploitCodeMaturity Exploit code maturity false enum
    exploitedInTheWild Exploited in the wild false enum
    highestNvdBaseScore Highest nvd base score false string
    highestRiskScore Highest risk score false string
    highestSeverity Highest severity false string
    name Name false string
    remediationLevel Remediation level false enum
    statuses Statuses false
        Name Description Required Value
        count Count false integer
        key Key false
        label Label false
        ticketCategory Ticket category false string
    vendor Vendor false string
    versionCount Version count false integer
errors Errors false array

Get Applications With Risk
GET /web/api/v2.1/application-management/risks/applications

Get data for each version of all applications.

Parameters
accountids optional Single Account ID to filter by. Example: "225494730938493804".
application__contains optional Free-text filter by application name and version (supports multiple
values). Example: "Office 1.1,Test".
applicationtypes optional Application type. Available with Ranger Insights. Example:
"A,p,p,l,i,c,a,t,i,o,n".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
cveid__contains optional Free-text filter by CVE id (supports multiple values). Example:
"CVE-1234-5678".
daysfromdetection optional Days from application detection, e.g. 12 days or more. Example:
"12".
detectiondate__between optional Date range for application detection date (format:
<from_timestamp>-<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
detectiondate__gt optional Application detection date after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__gte optional Application detection date after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__lt optional Application detection date before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__lte optional Application detection date before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
domains optional Included domains.
endpointname__contains optional Free-text filter by endpoint name (supports multiple values).
Example: "Office,Test".
endpointtypes optional Included endpoint types. Example: "desktop,laptop".
endpointuuid__contains optional Free-text filter by endpoint uuid (supports multiple values)
exploitcodematurity optional Included exploit code maturity values. Available with Ranger
Insights. Example: "Functional,High".
exploitedinthewild optional Included exploited in the wild values. Available with Ranger Insights.
Example: "Unknown,Yes".
groupids optional Single Group ID to filter by. Example: "225494730938493804".
highestseverities optional Included highest severities. Example: "CRITICAL,HIGH".
limit optional Limit number of returned items (1-1000). Example: "10".
mostcommonstatuses optional Included most common status values. Available with Ranger Insights.
ostypes optional Included OS types. Example: "windows,linux".
remediationlevels optional Included remediation level values. Available with Ranger Insights.
Example: "Official Fix,Temporary Fix".
siteids optional Single Site ID to filter by. Example: "225494730938493804".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
vendor__contains optional Free-text filter by vendor (supports multiple values). Example:
"Microsoft,Apple".
vendors optional Included vendors. Example: "Microsoft,Apple".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
pagination Pagination information true
    Name Description Required Value
    totalItems Total number of items found matching your query true integer
    nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
    Name Description Required Value
    applicationId Application id false string
    applicationType Available with Ranger Insights. false string
    cveCount Cve count false integer
    daysDetected Days detected false
    detectionDate Detection date false string
    endpointCount Endpoint count false integer
    endpointsWithoutTicket Number of endpoints that are in an integrated scope, but don't have a ticket created. Available with Ranger Insights. false integer
    estimate Estimate false boolean
    exploitCodeMaturity Available with Ranger Insights. false enum
    exploitedInTheWild Available with Ranger Insights. false enum
    highestNvdBaseScore Highest nvd base score false string
    highestRiskScore Available with Ranger Insights. false string
    highestSeverity Highest severity false string
    name Name false string
    remediationLevel Available with Ranger Insights. false enum
    statuses Statuses false
        Name Description Required Value
        count Count false integer
        key Key false
        label Label false
        ticketCategory Ticket category false string
    vendor Vendor false string
errors Errors false array

Get Endpoints For Vulnerable App
GET /web/api/v2.1/application-management/risks/endpoints

Get a list of all endpoints installed with a specific application that contains vulnerabilities.

Parameters
accountids optional Single Account ID to filter by. Example: "225494730938493804".
applicationids optional Included application versions by id
applicationname optional Application name
applicationvendor optional Application vendor
applicationversions optional Included application versions
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
daysfromdetection optional Days from application detection, e.g. 12 days or more. Example:
"12".
daystomitigation__between optional Date range for days left to mitigation. Available with Ranger Insights
when using ticket integration. Example: "1-30".
detectiondate__between optional Date range for application detection date (format:
<from_timestamp>-<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
detectiondate__gt optional Application detection date after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__gte optional Application detection date after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__lt optional Application detection date before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__lte optional Application detection date before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
domain__contains optional Free-text filter by domain (supports multiple values). Example:
"mybusiness,workgroup".
domains optional Included endpoint domains
endpointid__contains optional Free-text filter by endpoint id (supports multiple values)
endpointname__contains optional Free-text filter by endpoint name (supports multiple values).
Example: "Office,Test".
endpointtypes optional Included endpoint types
endpointuuid__contains optional Free-text filter by endpoint uuid (supports multiple values)
groupids optional Single Group ID to filter by. Example: "225494730938493804".
lastscandate__between optional Date range for last scan date (format: <from_timestamp>-<to_timestamp>,
inclusive). Example: "1514978890136-1514978650130".
lastscandate__gt optional Last scan date after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
lastscandate__gte optional Last scan date after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
lastscandate__lt optional Last scan date before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
lastscandate__lte optional Last scan date before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
lastscanresults optional Included last scan results. Example: "Succeeded".
limit optional Limit number of returned items (1-1000). Example: "10".
ostypes optional Included OS types
osversions optional Included OS versions
siteids optional Single Site ID to filter by. Example: "225494730938493804".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
statuses optional Included statuses. Available with Ranger Insights.
statusmessage__contains optional Free-text filter by status message (supports multiple values).
Available with Ranger Insights. Example: "assigned to john,top priority".
ticketid__contains optional Free-text filter by ticket id. Available with Ranger Insights when
using ticket integration. Example: "ABC-123,ABCD-100".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
pagination Pagination information true Name Description Required Value
totalItems Total number of items found matching your query true integer
nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string

data Response data false Name Description Required Value
accountName Account name false string
applicationDaysDetected Application days detected false
applicationDetectionDate Detection date false string
applicationVersion Version false string
domain Domain false string
endpointId Endpoint id false string
endpointName Endpoint name false string
endpointType Endpoint type false string
endpointUuid Endpoint uuid false string
externalTicketSystem External ticket system false Name Description Required Value
available Available false boolean
type Type false string

groupName Group name false string

lastScanDate Last scan date false string
lastScanResult Last scan result false string
osType OS type false enum
osVersion Os version false string
siteName Site name false string
statusHistory Available with Ranger Insights false Name Description Required Value
changedAt Changed at false string
changedBy Changed by false string
currentKey Current key false string
currentLabel Current label false enum
previousKey Previous key false string
previousLabel Previous label false enum
reason Reason false string

ticket Ticket false Name Description Required Value
analystReason Analyst reason false string
daysToMitigation Days to mitigation false integer
endpointsCount Endpoints count false integer
metaData Meta data false object
name Name false string
projectName Project name false string
reporter Reporter false string
status Status false string
statusCategory Status category false string
title Title false string
url Url false string

errors Errors false array

Get Application CVEs
GET /web/api/v2.1/application-management/risks/cves

Get CVE data for a specific application.

Parameters
accountids optional Single Account ID to filter by. Example: "225494730938493804".
analystverdict optional Include Default (not edited) / False Positives / Added CVEs for
Vulnerabilities. Example: "Default,False Positive,Added CVE".
applicationids optional Included application versions by id
applicationname optional Application name
applicationvendor optional Application vendor
applicationversions optional Included application versions
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
cveid__contains optional Free-text filter by CVE id (supports multiple values). Example:
"CVE-1234-5678".
exploitcodematurity optional Included exploit code maturity values. Available with Ranger
Insights. Example: "FUNCTIONAL,HIGH".
exploitedinthewild optional Included exploited in the wild values. Available with Ranger Insights.
Example: "EXPLOITED_UNKNOWN,YES".
groupids optional Single Group ID to filter by. Example: "225494730938493804".
limit optional Limit number of returned items (1-1000). Example: "10".
publisheddate__between optional Date range for CVE publish date (format: <from_timestamp>-<to_timestamp>,
inclusive). Example: "1514978890136-1514978650130".
publisheddate__gt optional CVE published date after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
publisheddate__gte optional CVE published date after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
publisheddate__lt optional CVE published date before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
publisheddate__lte optional CVE published date before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
remediationlevels optional Included remediation level values. Available with Ranger Insights.
Example: "OFFICIAL_FIX,TEMPORARY_FIX".
reportconfidence optional Included report confidence values. Available with Ranger Insights.
Example: "REASONABLE,CONFIRMED".
severities optional Included severities. Example: "CRITICAL,HIGH".
siteids optional Single Site ID to filter by. Example: "225494730938493804".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
pagination Pagination information true Name Description Required Value
totalItems Total number of items found matching your query true integer
nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string

data Response data false Name Description Required Value
cveId Cve id false string
cvssVersion Cvss version false string
description Description false
exploitCodeMaturity Available with Ranger Insights false enum
exploitedInTheWild Available with Ranger Insights false enum
fpFnMarks Fp fn marks false Name Description Required Value
markedOnScope true Name Description Required Value
id false string
name false string
type false string

markedBy false string

markedDate false string
reason false string
type false

mitreUrl Mitre url false

nvdBaseScore Nvd base score false string
nvdUrl Nvd url false
publishedDate Published date false string
remediationLevel Available with Ranger Insights false enum
reportConfidence Available with Ranger Insights false enum
riskScore Available with Ranger Insights false string
severity Severity false

errors Errors false array

Get Application Inventory
GET /web/api/v2.1/application-management/inventory

Get application inventory data grouped by application name and vendor.

Parameters
accountids optional Single Account ID to filter by. Example: "225494730938493804".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
endpointname__contains optional Free-text filter by endpoint name (supports multiple values).
Example: "Office,Test".
endpointuuid__contains optional Free-text filter by endpoint uuid (supports multiple values)
groupids optional Single Group ID to filter by. Example: "225494730938493804".
limit optional Limit number of returned items (1-1000). Example: "10".
name__contains optional Free-text filter by application name (supports multiple values).
Example: "Office,Test".
osarchitectures optional Included OS architectures
ostypes optional Included OS types
osversion__contains optional Free-text filter by os version (supports multiple values). Example:
"Windows 7 ServicePack1".
osversions optional Included OS versions
siteids optional Single Site ID to filter by. Example: "225494730938493804".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
vendor__contains optional Free-text filter by vendor (supports multiple values). Example:
"Microsoft,Apple".
vendors optional Included vendors. Example: "Microsoft,Apple".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
pagination Pagination information true Name Description Required Value
totalItems Total number of items found matching your query true integer
nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string

data Response data false Name Description Required Value
applicationName Name false string
applicationVendor Vendor false string
applicationVersionsCount Application versions count false integer
endpointsCount Endpoints count false integer
estimate Estimate false boolean

errors Errors false array

Get CVE data
GET /web/api/v2.1/application-management/risks

Get the CVE vulnerability data for each CVE.

Parameters
accountids optional Single Account ID to filter by. Example: "225494730938493804".
analystverdict optional Include Default (not edited) / False Positives / Added CVEs for
Vulnerabilities. Example: "Default,False Positive,Added CVE".
application__contains optional Free-text filter by application name and version (supports multiple
values). Example: "Office 1.1,Test".
applicationnames optional Included application names. Example: "Office 1.1,Test".
applicationvendor__contains optional Free-text filter by vendor (supports multiple values). Example:
"Microsoft,Apple".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
cveid__contains optional Free-text filter by CVE id (supports multiple values). Example:
"CVE-1234-5678".
daysfromcvedetection optional Days from CVE detection, e.g. 12 days or more. Example: "12".
detectiondate__between optional Date range for CVE detection date (format: <from_timestamp>-<to_timestamp>,
inclusive). Example: "1514978890136-1514978650130".
detectiondate__gt optional CVE detection date after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__gte optional CVE detection date after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__lt optional CVE detection date before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
detectiondate__lte optional CVE detection date before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
domain__contains optional Free-text filter by domain (supports multiple values). Example:
"mybusiness,workgroup".
domains optional Included network domains. Example: "mybusiness,workgroup".
endpointname__contains optional Free-text filter by endpoint name (supports multiple values).
Example: "Office,Test".
endpointtypes optional Included endpoint types
exploitcodematurity optional Included exploit code maturity values. Available for VLN SKU.
Example: "FUNCTIONAL,HIGH".
exploitedinthewild optional Included exploited in the wild values. Available for VLN SKU.
Example: "EXPLOITED_UNKNOWN,YES".
groupids optional Single Group ID to filter by. Example: "225494730938493804".
includeremovals optional Include also removed CVEs in the results
lastscanresults optional Included last scan results. Example: "Succeeded".
limit optional Limit number of returned items (1-1000). Example: "10".
mitigationstatus optional Filters by the application's mitigation status values. Available for VLN
SKU. Example: "Not mitigated,To be patched,On hold".
ostypes optional Included OS types
osversions optional Included OS versions
publisheddate__between optional Date range for CVE publish date (format: <from_timestamp>-<to_timestamp>,
inclusive). Example: "1514978890136-1514978650130".
publisheddate__gt optional CVE published date after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
publisheddate__gte optional CVE published date after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
publisheddate__lt optional CVE published date before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
publisheddate__lte optional CVE published date before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
remediationlevels optional Included remediation level values. Available for VLN SKU. Example:
"OFFICIAL_FIX,TEMPORARY_FIX".
reportconfidence optional Included report confidence values. Available for VLN SKU. Example:
"REASONABLE,CONFIRMED".
riskscore__between optional Risk score (inclusive). Available for VLN SKU. Example: "5-8.9".
riskupdateddate__between optional Significant CVE updates within this date range (format:
<from_timestamp>-<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
riskupdateddate__gt optional Significant CVE updates after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
riskupdateddate__gte optional Significant CVE updates after or at this timestamp. Recommended
for fetching delta-changes. Example:
"2018-02-27T04:49:26.257525Z".
riskupdateddate__lt optional Significant CVE updates before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
riskupdateddate__lte optional Significant CVE updates before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
severities optional Included severities. Example: "CRITICAL,HIGH".
siteids optional Single Site ID to filter by. Example: "225494730938493804".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
vendors optional Included vendors. Example: "Microsoft,Apple".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
pagination Pagination information true Name Description Required Value
totalItems Total number of items found matching your query true integer
nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string

data Response data false Name Description Required Value
application Composed application name false string
applicationName Application name false string
applicationVendor Application vendor false string
applicationVersion Application version false string
baseScore Not available with VLN SKU false string
cveId CVE Id false string
cvssVersion Cvss version false string
daysDetected Days detected false integer
detectionDate Detection date false string
endpointId Endpoint id false string
endpointName Endpoint name false string
endpointType Endpoint type false string
exploitCodeMaturity Available for VLN SKU false enum
id Id false string
lastScanDate Last scan date false string
lastScanResult Last scan result false string
markedBy Marked by false string
markedDate Marked date false string
markType Mark type false
mitigationStatus Risk mitigation status false enum
mitigationStatusChangedBy Mitigation status changer false string
mitigationStatusChangeTime Mitigation status change time false string
mitigationStatusReason Mitigation status reason false string
nvdBaseScore Available for VLN SKU false string
nvdCvssVersion Available for VLN SKU false string
osType OS type false enum
publishedDate Published date false string
reason Reason false string
remediationLevel Available for VLN SKU false enum
reportConfidence Available for VLN SKU false enum
riskScore Available for VLN SKU false string
severity Severity false string
status Risk status false enum

errors Errors false array
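
Added example (not part of the SentinelOne documentation): a delta fetch against GET /web/api/v2.1/application-management/risks that uses riskupdateddate__gte, as the parameter table recommends, and follows pagination.nextCursor until the last page. The transport interface, the helper names and the sample pages are assumptions constructed for illustration; a real transport would send the authenticated HTTPS request and return the decoded JSON body.

```python
"""Delta fetch of CVE risk records with cursor pagination.

Added illustration, not SentinelOne code. Parameter and field names come from
the tables above; helper names, the transport interface and the sample pages
are constructed for this example.
"""
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, List, Tuple

RISKS_PATH = "/web/api/v2.1/application-management/risks"
MAX_LIMIT = 1000  # documented range for "limit" is 1-1000

# A transport takes (path, query parameters) and returns the decoded JSON body.
Transport = Callable[[str, Dict[str, str]], dict]


def build_delta_query(since: datetime, severities: List[str],
                      limit: int = MAX_LIMIT) -> Dict[str, str]:
    """Build the query for records whose risk data changed at or after `since`."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be between 1 and 1000")
    if since.tzinfo is None:
        raise ValueError("since must be timezone-aware")
    # Same shape as the documented example "2018-02-27T04:49:26.257525Z".
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    query = {"riskupdateddate__gte": stamp, "limit": str(limit)}
    if severities:
        query["severities"] = ",".join(severities)  # e.g. "CRITICAL,HIGH"
    return query


def iter_risks(fetch_page: Transport, query: Dict[str, str],
               max_pages: int = 10000) -> Iterator[dict]:
    """Yield every record, following pagination.nextCursor until it is null."""
    params = dict(query)
    seen = set()
    for _ in range(max_pages):
        body = fetch_page(RISKS_PATH, params)
        if body.get("errors"):
            raise RuntimeError("API returned errors: %r" % (body["errors"],))
        # Assumption: "data" is a list of records shaped like the schema above.
        for record in body.get("data") or []:
            yield record
        cursor = (body.get("pagination") or {}).get("nextCursor")
        # Last page: accept JSON null, a missing value, or the string "null".
        if cursor in (None, "", "null"):
            return
        if cursor in seen:
            raise RuntimeError("nextCursor repeated; stopping to avoid a loop")
        seen.add(cursor)
        # Assumption: the original filters are resent together with the cursor.
        params = dict(query, cursor=cursor)
    raise RuntimeError("max_pages reached before the last page")


def cves_by_endpoint(records: List[dict]) -> Dict[str, List[str]]:
    """Group CVE ids per endpoint, dropping records already seen (by "id")."""
    seen_ids = set()
    grouped: Dict[str, set] = {}
    for record in records:
        if record["id"] in seen_ids:
            continue
        seen_ids.add(record["id"])
        grouped.setdefault(record["endpointName"], set()).add(record["cveId"])
    return {name: sorted(cves) for name, cves in sorted(grouped.items())}


def make_fake_transport(pages: Dict) -> Tuple[Transport, list]:
    """Constructed stand-in for an HTTPS client: serves canned pages by cursor."""
    calls = []

    def fetch(path: str, params: Dict[str, str]) -> dict:
        calls.append((path, dict(params)))
        return pages[params.get("cursor")]

    return fetch, calls


# Constructed sample responses (placeholder CVE ids and endpoint names).
SAMPLE_PAGES = {
    None: {
        "pagination": {"totalItems": 3, "nextCursor": "cGFnZS0y"},
        "data": [
            {"id": "1", "cveId": "CVE-0000-0001", "endpointName": "office-01"},
            {"id": "2", "cveId": "CVE-0000-0002", "endpointName": "office-01"},
        ],
        "errors": None,
    },
    "cGFnZS0y": {
        "pagination": {"totalItems": 3, "nextCursor": None},
        "data": [
            {"id": "2", "cveId": "CVE-0000-0002", "endpointName": "office-01"},
            {"id": "3", "cveId": "CVE-0000-0001", "endpointName": "test-02"},
        ],
        "errors": [],
    },
}

if __name__ == "__main__":
    since = datetime(2018, 2, 27, 4, 49, 26, 257525, tzinfo=timezone.utc)
    fetch, _ = make_fake_transport(SAMPLE_PAGES)
    query = build_delta_query(since, ["CRITICAL", "HIGH"], limit=2)
    print(cves_by_endpoint(list(iter_risks(fetch, query))))
```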

Initiate scan
POST /web/api/v2.1/application-management/scan

Initiate application vulnerability scan.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false Name Description Required Value
success Indicates a successful operation false boolean

errors Errors false array

Body Schema
Name Description Required Value
filter Filter true Name Description Required Value
accountIds account scope ID to filter by false string []
siteIds site scope ID to filter by false string []
tenant if the entire tenant scope should be filtered false boolean

Application Management Settings

Update Application Management Settings


POST /web/api/v2.1/application-management/settings

Update Application Management Settings

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
data Response data false Name Description Required Value
extensiveLinuxScanEnabled Extensive linux scan enabled false boolean
extensiveScanEnabled Extensive scan enabled false boolean
inheritedFrom Inherited from false string
isDefaultPolicy Determines if the policy is overridden on the scope level. false boolean
vulnerabilitiesScanEnabled Vulnerabilities scan enabled false boolean

errors Errors false array

Body Schema
Name Description Required Value
data Data true Name Description Required Value
extensiveLinuxScanEnabled Extensive linux scan enabled false boolean
extensiveScanEnabled Extensive scan enabled false boolean
isDefaultPolicy Determines if the policy is overridden on the scope level. false boolean
vulnerabilitiesScanEnabled Vulnerabilities scan enabled false boolean

filter Filter true Name Description Required Value
accountIds List of Account IDs to filter by false string []
groupIds List of Group IDs to filter by false string []
siteIds List of Site IDs to filter by false string []
tenant Indicates a tenant scope request false boolean

Get Application Management Settings
GET /web/api/v2.1/application-management/settings

Get Application Management settings.

Parameters
accountids optional account scope IDs to filter by. Example:
"225494730938493804,225494730938493915".
groupids optional group scope to filter by. Example:
"225494730938493804,225494730938493915".
siteids optional site scope IDs to filter by. Example:
"225494730938493804,225494730938493915".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
data Response data false Name Description Required Value
extensiveLinuxScanEnabled Extensive linux scan enabled false boolean
extensiveScanEnabled Extensive scan enabled false boolean
inheritedFrom Inherited from false string
isDefaultPolicy Determines if the policy is overridden on the scope level. false boolean
vulnerabilitiesScanEnabled Vulnerabilities scan enabled false boolean

errors Errors false array

Application Risk

Get Applications
GET /web/api/v2.1/installed-applications

Get the applications, and their data (such as risk level), installed on endpoints with Application Risk-enabled Agents that match the filter. SentinelOne Application Risk lets you monitor applications installed on endpoints. Applications not updated with the latest patches are vulnerable to exploits. With SentinelOne Application Risk you can see all applications to be patched, on all endpoints or on a specific endpoint. The Agent takes a snapshot of the endpoint application data and checks for vulnerabilities in the SentinelOne Cloud. When the Agent detects a change to the application data, it sends a diff to the Management.
Application Risk requires Complete SKU. This feature is in EA. To join the EA program, contact your SentinelOne Sales Rep.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
agentcomputername__contains optional Free-text filter by computer name (supports multiple values).
Example: "john-office,WIN".
agentisdecommissioned optional Include active agents, decommissioned or both. Example:
"True,False".
agentmachinetypes optional Filter by endpoint machine types. Example: "unknown".
agentmachinetypesnin optional Filter not by endpoint machine types. Example: "unknown".
agentosversion__contains optional Free-text filter by OS full name and version (supports multiple
values). Example: "Service Pack 1".
agentuuid__contains optional Free-text filter by agent UUID (supports multiple values). Example:
"e92-01928,b055".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
ids optional Filter by application IDs. Example:
"225494730938493804,225494730938493915".
installedat__between optional Filter by installation date range
limit optional Limit number of returned items (1-1000). Example: "10".
name__contains optional Free-text filter by application name (supports multiple values).
Example: "calc".
ostypes optional Filter by OS types. Example: "macos".
ostypesnin optional Filter not by OS types. Example: "macos".
publisher__contains optional Free-text filter by application publisher (supports multiple values).
Example: "Sentinel".
risklevels optional Filter by risk. Example: "none".
risklevelsnin optional Filter not by risk. Example: "none".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
size__between optional Filter by application size range (bytes). Example: "1024-104856".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
types optional Filter by application types. Example: "app".
typesnin optional Filter not by application types. Example: "app".
version__contains optional Free-text filter by application version (supports multiple values).
Example: "1.22.333,build".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true Name Description Required Value
totalItems Total number of items found matching your query true integer
nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string

data Response data false Name Description Required Value
agentComputerName Agent computer name false string
agentDomain Agent domain false string
agentId Agent id false string
agentInfected Agent infected false boolean
agentIsActive Agent is active false boolean
agentIsDecommissioned Agent is decommissioned false boolean
agentMachineType Agent machine type false enum
agentNetworkStatus Agent network status false enum
agentOperationalState Agent operational state false string
agentOsType OS type false enum
agentUuid Agent uuid false string
agentVersion Agent version false string
createdAt Created at false string
id Application ID false string
installedAt Installed at false string
name Name false string
osType OS type false enum
publisher Publisher false string
riskLevel Risk level false enum
signed Signed false boolean
size Application size (bytes) false integer
type Type false enum
updatedAt Updated at false string
version Version false string

errors Errors false array

Get CVEs
GET /web/api/v2.1/installed-applications/cves

Get known CVEs for applications that are installed on endpoints with Application Risk-enabled Agents.
Application Risk requires Complete SKU. This feature is in EA. To join the EA program, contact your SentinelOne Sales Rep.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
applicationids optional Filter by application IDs. Example:
"225494730938493804,225494730938493915".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
createdat__gt optional Created at greater than. Example:
"2018-02-27T04:49:26.257525Z".
createdat__gte optional Created at greater than or equal to. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lt optional Created at less than. Example: "2018-02-27T04:49:26.257525Z".
createdat__lte optional Created at less than or equal to. Example:
"2018-02-27T04:49:26.257525Z".
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
cveids optional Filter by global CVE ids. Example:
"CVE-2018-3182,CVE-2018-1087".
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
ids optional Filter by internal CVE IDs. Example:
"225494730938493804,225494730938493915".
limit optional Limit number of returned items (1-1000). Example: "10".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
updatedat__gt optional Updated at greater than. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__gte optional Updated at greater than or equal to. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__lt optional Updated at less than. Example: "2018-02-27T04:49:26.257525Z".
updatedat__lte optional Updated at less than or equal to. Example:
"2018-02-27T04:49:26.257525Z".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true Name Description Required Value
totalItems Total number of items found matching your query true integer
nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string

data Response data false Name Description Required Value
createdAt Created at false string
cveId Global CVE ID false string
description Description false string
id Id false string
link Link false string
publishedAt Published at false string
riskLevel Risk level false enum
score Score false number
updatedAt Updated at false string

errors Errors false array

Export Applications
GET /web/api/v2.1/export/installed-applications

Export the list of applications installed on endpoints with Application Risk-enabled Agents and their properties, including the CVEs for each application that requires a patch. The CSV file is stored on the Management.
Application Risk requires Complete SKU. This feature is in EA. To join the EA program, contact your SentinelOne Sales Rep.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
agentcomputername__contains optional Free-text filter by computer name (supports multiple values).
Example: "john-office,WIN".
agentisdecommissioned optional Include active agents, decommissioned or both. Example:
"True,False".
agentmachinetypes optional Filter by endpoint machine types. Example: "unknown".
agentmachinetypesnin optional Filter not by endpoint machine types. Example: "unknown".
agentosversion__contains optional Free-text filter by OS full name and version (supports multiple
values). Example: "Service Pack 1".
agentuuid__contains optional Free-text filter by agent UUID (supports multiple values). Example:
"e92-01928,b055".
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
ids optional Filter by application IDs. Example:
"225494730938493804,225494730938493915".
installedat__between optional Filter by installation date range
name__contains optional Free-text filter by application name (supports multiple values).
Example: "calc".
ostypes optional Filter by OS types. Example: "macos".
ostypesnin optional Filter not by OS types. Example: "macos".
publisher__contains optional Free-text filter by application publisher (supports multiple values).
Example: "Sentinel".
risklevels optional Filter by risk. Example: "none".
risklevelsnin optional Filter not by risk. Example: "none".

1009
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
size__between optional Filter by application size range (bytes). Example: "1024-104856".
types optional Filter by application types. Example: "app".
typesnin optional Filter not by application types. Example: "app".
version__contains optional Free-text filter by application version (supports multiple values).
Example: "1.22.333,build".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Auto Upgrade Policy

Get Available Packages


GET /web/api/v2.1/upgrade-policy/available-packages

Get Available Packages

Parameters
ostype required OS type, one of 'linux', 'macos' or 'windows'
scopelevel required Scope level, one of 'account', 'group', 'site' or 'tenant'
displayname__contains optional Partially match the name of the package, e.g. '22.1 GA'
scopeid optional Scope ID

Response Messages
200 - Success

400 - Bad request

Response Schema
Name Description Required Value
data false
  Name Description Required Value
  packages false undefined []

Has Policy
POST /web/api/v2.1/upgrade-policy/has-policy

Has policy

Response Messages
200 - Success

400 - Bad request

Response Schema
Name Description Required Value
hasPolicies false boolean

Body Schema
Name Description Required Value
accounts List of Account IDs to filter by. Example: '225494730938493804,225494730938493915'. false string []
groups List of Group IDs to filter by. Example: '225494730938493804,225494730938493915'. false string []
osType OS type, one of 'linux', 'macos' or 'windows' false string
sites List of Site IDs to filter by. Example: '225494730938493804,225494730938493915'. false string []

Get Parent Policies
GET /web/api/v2.1/upgrade-policy/parent-policies

Get paginated and ordered parent policies by a given scope

Parameters
limit required Limit number of returned items. Should be more than 1. Example: '10'.
ostype required OS type, one of 'linux', 'macos' or 'windows'
scopelevel required Scope level, one of 'account', 'group', 'site' or 'tenant'
skip required Skip first number of items. Example: '0'.
sortby required The column to sort the results by. Example: 'priority'.
sortorder required Sort direction. Could be 'asc' or 'desc'.
scopeid optional Scope ID

Response Messages
200 - Success

400 - Bad request

Response Schema
Name Description Required Value
data false
  Name Description Required Value
  isInherited false boolean
  policies false undefined []
  policiesInChildScope false boolean

pagination false
  Name Description Required Value
  totalItems false integer

Get Policies
GET /web/api/v2.1/upgrade-policy/policies

Get paginated and ordered policies by a given scope

Parameters
limit required Limit number of returned items. Should be more than 1. Example: '10'
ostype required OS type, one of 'linux', 'macos' or 'windows'
scopelevel required Scope level, one of 'account', 'group', 'site' or 'tenant'
skip required Skip first number of items. Example: '0'.
sortby required The column to sort the results by. Example: 'priority'.
sortorder required Sort direction. Could be 'asc' or 'desc'.
scopeid optional Scope ID

Response Messages
200 - Success

400 - Bad request

Response Schema
Name Description Required Value
data false
  Name Description Required Value
  isInherited false boolean
  policies false undefined []
  policiesInChildScope false boolean

pagination false
  Name Description Required Value
  totalItems false integer

Deactivate Policies
POST /web/api/v2.1/upgrade-policy/policies

Deactivate all policies

Parameters
ostype required OS type, one of 'linux', 'macos' or 'windows'
scopelevel required Scope level, one of 'account', 'group', 'site' or 'tenant'
scopeid optional Scope ID

Response Messages
200 - Success

400 - Bad request

Response Schema
Name Description Required Value
response false string

Policies OS Count
GET /web/api/v2.1/upgrade-policy/policies-count

Get the number of policies for each OS, for a given scope level and id

Parameters
scopelevel required Scope level, one of 'account', 'group', 'site' or 'tenant'
scopeid optional Scope ID

Response Messages
200 - Success

400 - Bad request

Response Schema
Name Description Required Value
linux false integer
macos false integer
windows false integer

Create Policy
POST /web/api/v2.1/upgrade-policy/policy

Add policy

Response Messages
200 - Success

400 - Bad request

Response Schema
Name Description Required Value
response false string

Body Schema
Name Description Required Value
allEndpoints Affected endpoints. 'true' if the policy is applied to all endpoints. If 'false', tags must be provided. false boolean
description Policy description false string
isActive 'true' if policy is active, 'false' if policy is disabled false boolean
isScheduled In case of maintenance window selected, scheduling an upgrade for maintenance window false boolean
name Policy name. This name will be used for creating tasks. Should be unique. false string
osType OS type, one of 'linux', 'macos' or 'windows' false string
package false
  Name Description Required Value
  build false string
  fileId false string
  major false string
  minor false string
scopeId Scope ID false string
scopeLevel Scope level, one of 'account', 'group', 'site' or 'tenant' false string
tags Tags for policy application. If provided, AllEndpoints should be false. false string []

Update Policy
PUT /web/api/v2.1/upgrade-policy/policy/:policyid

Update existing policy

Parameters
policyid required Policy id

Response Messages
200 - Success

400 - Bad request

Response Schema
Name Description Required Value
response false string

Body Schema
Name Description Required Value
allEndpoints Affected endpoints. 'true' if the policy is applied to all endpoints. If 'false', tags must be provided. false boolean
description Policy description false string
isActive 'true' if policy is active, 'false' if policy is disabled false boolean
isScheduled In case of maintenance window selected, scheduling an upgrade for maintenance window false boolean
name Policy name. This name will be used for creating tasks. Should be unique. false string
osType OS type, one of 'linux', 'macos' or 'windows' false string
package false
  Name Description Required Value
  build false string
  fileId false string
  major false string
  minor false string
scopeId Scope ID false string
scopeLevel Scope level, one of 'account', 'group', 'site' or 'tenant' false string
tags Tags for policy application. If provided, AllEndpoints should be false. false string []
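
The Create Policy and Update Policy body schemas above state constraints that the "Required" column does not capture: allEndpoints and tags exclude each other, and osType and scopeLevel take fixed values. The following pre-flight check is an added example, not SentinelOne code; the function name, the `existing_names` input and the decision to insist on an explicit allEndpoints value are assumptions made here, and the sample bodies are constructed.

```python
"""Pre-flight validation of an upgrade-policy request body (added example)."""

OS_TYPES = {"linux", "macos", "windows"}
SCOPE_LEVELS = {"account", "group", "site", "tenant"}
PACKAGE_KEYS = {"build", "fileId", "major", "minor"}


def validate_policy_body(body, existing_names=()):
    """Return a list of problems; an empty list means the body agrees with
    the constraints written in the Create Policy / Update Policy schema.

    existing_names is a hypothetical input: names of policies already
    defined, used for the schema's "Should be unique" rule.
    """
    problems = []

    if body.get("osType") not in OS_TYPES:
        problems.append("osType must be one of 'linux', 'macos' or 'windows'")
    if body.get("scopeLevel") not in SCOPE_LEVELS:
        problems.append(
            "scopeLevel must be one of 'account', 'group', 'site' or 'tenant'")

    # allEndpoints and tags are two exclusive ways to select the targets.
    all_endpoints = body.get("allEndpoints")
    tags = body.get("tags")
    if tags is None:
        tags = []
    if not isinstance(tags, list) or any(
            not isinstance(t, str) or not t.strip() for t in tags):
        problems.append("tags must be a list of non-empty strings")
        tags = []
    if not isinstance(all_endpoints, bool):
        # Assumption: never rely on a default for the field that decides
        # whether every endpoint in the scope is upgraded.
        problems.append("allEndpoints must be set explicitly to true or false")
    elif all_endpoints and tags:
        problems.append("tags are provided, so allEndpoints should be false")
    elif not all_endpoints and not tags:
        problems.append("allEndpoints is false, so tags must be provided")

    name = body.get("name")
    if not isinstance(name, str) or not name.strip():
        problems.append("name must be a non-empty string")
    elif name in existing_names:
        problems.append("name %r is already used by another policy" % name)

    package = body.get("package")
    if package is not None:
        if not isinstance(package, dict):
            problems.append("package must be an object")
        else:
            unknown = sorted(set(package) - PACKAGE_KEYS)
            if unknown:
                problems.append("package has unknown keys: " + ", ".join(unknown))
            wrong = sorted(k for k in PACKAGE_KEYS & set(package)
                           if not isinstance(package[k], str))
            if wrong:
                problems.append("package values must be strings: " + ", ".join(wrong))

    for flag in ("isActive", "isScheduled"):
        if flag in body and not isinstance(body[flag], bool):
            problems.append(flag + " must be a boolean")
    return problems


# Constructed sample bodies; names, tags and package values are made up.
TAGGED_POLICY = {
    "name": "linux-canary-ring",
    "description": "Upgrade tagged canary hosts first",
    "osType": "linux",
    "scopeLevel": "site",
    "scopeId": "225494730938493804",
    "allEndpoints": False,
    "tags": ["canary"],
    "isActive": True,
    "isScheduled": False,
    "package": {"major": "23", "minor": "1", "build": "2",
                "fileId": "constructed-file-id"},
}

CONFLICTING_POLICY = {
    "name": "linux-canary-ring",
    "osType": "Windows",            # not one of the listed lowercase values
    "scopeLevel": "tenant",
    "allEndpoints": True,
    "tags": ["canary"],             # conflicts with allEndpoints = true
    "package": {"major": 23, "sha1": "constructed"},
}

if __name__ == "__main__":
    for line in validate_policy_body(CONFLICTING_POLICY, ["linux-canary-ring"]):
        print("-", line)
```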

Policy Action
POST /web/api/v2.1/upgrade-policy/policy/:policyid

Perform action on a certain policy

Parameters
policyid required Policy id

Response Messages
200 - Success

400 - Bad request

Response Schema
Name Description Required Value
response false string

Body Schema
Name Description Required Value
action Policy action, one of 'delete', 'activate' or 'deactivate' false string

Reorder Policies
PUT /web/api/v2.1/upgrade-policy/reorder

Reorder policies

Response Messages
200 - Success

400 - Bad request

Response Schema
Name Description Required Value
response false string

Body Schema
Name Description Required Value
policies List of policy IDs and their new order. Example: {"id":"2ad5fdd3-7f9d-4969-9d52-3560fcb482fb","order":0}, {"id":"b448ed4e-545f-442d-ad20-624876e85e84","order":1}. false undefined []

Set Scope Inheriting
PUT /web/api/v2.1/upgrade-policy/set-inheriting

Set Scope Inheriting

Response Messages
200 - Success

400 - Bad request

Response Schema
Name Description Required Value
response false string

Body Schema
Name Description Required Value
isInheriting True if policies are inherited from the higher scopes, false otherwise. false boolean
scopeId Scope ID false string
scopeLevel Scope level, one of 'account', 'group', 'site' or 'tenant' false string

Cloud Funnel

Validate Bucket
POST /web/api/v2.1/cloud-funnel/validate-bucket-permissions

Validates bucket permissions.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  isValid Bucket permissions is valid or invalid true boolean
  error Error message in case the bucket permissions is invalid false string

errors Errors false array

Body Schema
Name Description Required Value
data Data true
  Name Description Required Value
  bucketUrl Validate bucket permissions true string
  accountId Account id false string
  cloudProvider Cloud provider, default is aws false string
  roleToAssume The aws role to assume when using assume role functionality. Only applicable if cloud_provider is s3. false string
  siteId Site id false string
  useAssumeRole If set to true, activates the AWS AssumeRole functionality for accessing S3 buckets or other associated resources. Only applicable if cloud_provider is s3. false boolean

Get AWS assume role external ID.
GET /web/api/v2.1/cloud-funnel/assume-role-external-id

Get the AWS assume role external ID.

Parameters
accountid optional Account id. Example: "225494730938493804".
siteid optional Site id. Example: "225494730938493804".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  assumeRoleExternalId The AWS assume role external id. true string

errors Errors false array

Validate Query
POST /web/api/v2.1/cloud-funnel/validate-query

Verifies that a query is valid before using it as a filter for a Cloud Funnel onboarding

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  error Error message in case the query is invalid true string
  isValid Query is valid or invalid true boolean

errors Errors false array

Body Schema
Name Description Required Value
data Data true
  Name Description Required Value
  query Validate query true string

Get cloud funnel rule
GET /web/api/v2.1/cloud-funnel/onboarding

Gets cloud funnel onboarding rule details

Parameters
accountid optional Account id. Example: "225494730938493804".
siteid optional Site id. Example: "225494730938493804".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  bucketUrl Bucket url true string
  disableStream disable events stream true boolean
  accountonboardingexists For site scope, is account onboarding exists false boolean
  assumeRoleExternalId The AWS assume role external id. false string
  cloudProvider Cloud provider, default is aws false string
  desiredFields List of desired fields to be included in the output. If not specified, all fields are included. false string []
  error Error message in case the bucket permissions is invalid false string
  globalOnboardingExists Is global onboarding exists in table false boolean
  id log-archive-rule id, default for accounts: cloud-funnel false string
  isInheriting Is inheriting global setting false boolean
  query Syql query to validate false string
  roleToAssume The AWS role to assume when using assume role functionality. Only applicable if cloud_provider is s3. false string
  useAssumeRole If set to true, activates the AWS AssumeRole functionality for accessing S3 buckets or other associated resources. Only applicable if cloud_provider is s3. false boolean

errors Errors false array

Delete cloud funnel rule
DELETE /web/api/v2.1/cloud-funnel/onboarding

Deletes cloud funnel onboarding rule.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  error Error message in case the bucket permissions is invalid true string

errors Errors false array

Body Schema
Name Description Required Value
data Data true
  Name Description Required Value
  accountId Account id false string
  siteIds Site ids false string []

Post onboarding cloud funnel
POST /web/api/v2.1/cloud-funnel/onboarding

Post onboarding cloud funnel rule.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  bucketUrl Bucket url true string
  disableStream disable events stream true boolean
  accountonboardingexists For site scope, is account onboarding exists false boolean
  assumeRoleExternalId The AWS assume role external id. false string
  cloudProvider Cloud provider, default is aws false string
  desiredFields List of desired fields to be included in the output. If not specified, all fields are included. false string []
  error Error message in case the bucket permissions is invalid false string
  globalOnboardingExists Is global onboarding exists in table false boolean
  id log-archive-rule id, default for accounts: cloud-funnel false string
  isInheriting Is inheriting global setting false boolean
  query Syql query to validate false string
  roleToAssume The AWS role to assume when using assume role functionality. Only applicable if cloud_provider is s3. false string
  useAssumeRole If set to true, activates the AWS AssumeRole functionality for accessing S3 buckets or other associated resources. Only applicable if cloud_provider is s3. false boolean

errors Errors false array

Body Schema
Name Description Required Value
data Data true
  Name Description Required Value
  accountId Account id false string
  bucketUrl bucket url false string
  cloudProvider Cloud provider, default is aws false string
  desiredFields List of desired fields to be included in the output. If not specified, all fields are included. false string []
  disableStream disable events stream false boolean
  isInheriting Is inheriting global setting false boolean
  query Syql query to validate false string
  roleToAssume The aws role to assume when using assume role functionality. Only applicable if cloud_provider is s3. false string
  siteIds Site ids false string []
  useAssumeRole If set to true, activates the AWS AssumeRole functionality for accessing S3 buckets or other associated resources. Only applicable if cloud_provider is s3. false boolean

Create Estimator ID
POST /web/api/v2.1/cloud-funnel/estimator

Create estimator ID. This is needed to run the API "Get Estimate Size Of Events".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  estimatorId Estimator query id. true string
  error Error message in case the estimator query is invalid false string

errors Errors false array

Body Schema
Name Description Required Value
data Data true
  Name Description Required Value
  accountIds Account ids false string []
  desiredFields List of desired fields to be included in the output. If not specified, all fields are included. false string []
  query Query false string
  siteIds Site ids false string []

Get estimate size of events
GET /web/api/v2.1/cloud-funnel/estimator

Get estimate size of events in the bucket. You need the estimator ID which can be generated by running the API: "Create Estimator ID".

Parameters
estimatorid required Estimator query id.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  isCompleted Is estimator query status is completed. true boolean
  compressedBytes Estimation of compressed size. false string
  error Error message in case the estimator query failed false string
  matchingEvents Estimation of events number. string to avoid round false string
  uncompressedBytes Estimation of uncompressed size. false string

errors Errors false array
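
"Create Estimator ID" and "Get estimate size of events" form one two-step procedure: POST the query to obtain `estimatorId`, then GET with `estimatorid` until `isCompleted` is true. The sketch below is an added example, not SentinelOne code; `post` and `get` are caller-supplied transport functions (hypothetical names), `FakeConsole` and its values are constructed for offline runs, and it assumes the size strings are decimal integers.

```python
"""Two-step Cloud Funnel size estimate (added example)."""
import time

ESTIMATOR_PATH = "/web/api/v2.1/cloud-funnel/estimator"
SIZE_FIELDS = ("matchingEvents", "compressedBytes", "uncompressedBytes")


class EstimatorError(RuntimeError):
    """The console reported an error, or the estimate never completed."""


def _data_or_raise(response):
    """Return the "data" object, raising on either error channel."""
    if response.get("errors"):
        raise EstimatorError("API errors: %r" % (response["errors"],))
    data = response.get("data") or {}
    if data.get("error"):
        raise EstimatorError(data["error"])
    return data


def estimate_event_volume(post, get, query, account_ids=None, site_ids=None,
                          desired_fields=None, max_polls=30, poll_seconds=2.0,
                          sleep=time.sleep):
    """Create an estimator ID, poll until isCompleted, return integer sizes.

    post(path, json_body) and get(path, params) send the authenticated
    request and return the decoded JSON response.
    """
    data = {"query": query}
    if account_ids:
        data["accountIds"] = list(account_ids)
    if site_ids:
        data["siteIds"] = list(site_ids)
    if desired_fields:
        data["desiredFields"] = list(desired_fields)

    created = _data_or_raise(post(ESTIMATOR_PATH, {"data": data}))
    estimator_id = created.get("estimatorId")
    if not estimator_id:
        raise EstimatorError("response carried no estimatorId")

    for _ in range(max_polls):
        status = _data_or_raise(
            get(ESTIMATOR_PATH, {"estimatorid": estimator_id}))
        if status.get("isCompleted"):
            result = {"estimatorId": estimator_id}
            for field in SIZE_FIELDS:
                raw = status.get(field)
                # Sizes arrive as strings; int() keeps values above 2**53
                # exact, which a JSON float would not.
                result[field] = int(raw) if raw is not None else None
            return result
        sleep(poll_seconds)
    raise EstimatorError(
        "estimate %s not completed after %d polls" % (estimator_id, max_polls))


class FakeConsole:
    """Constructed stand-in for the Management API, for offline runs only."""

    def __init__(self, polls_until_done=2):
        self.polls_until_done = polls_until_done
        self.posted = []
        self.polled = []

    def post(self, path, body):
        self.posted.append((path, body))
        if not body["data"]["query"].strip():
            return {"data": {"error": "constructed: empty query"}}
        return {"data": {"estimatorId": "est-constructed-01"}}

    def get(self, path, params):
        self.polled.append(params["estimatorid"])
        if len(self.polled) < self.polls_until_done:
            return {"data": {"isCompleted": False}}
        return {"data": {"isCompleted": True,
                         "matchingEvents": "9007199254740993",
                         "compressedBytes": "1048576",
                         "uncompressedBytes": "8388608"}}


if __name__ == "__main__":
    console = FakeConsole()
    print(estimate_event_volume(console.post, console.get,
                                "constructed query text",
                                sleep=lambda seconds: None))
```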

Cloud Provider Account

get cloud provider account active health events by cloud provider account id
GET /web/api/v2.1/cloudnative/account-management/active-health-events/{cloud_provider_account_id}

get cloud provider account active health events

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  cloudProviderAccountId Cloud Provider Account ID false string
  description Description false string
  detectedAt Detected at false string
  healthStatus Health status false string
  recommendedAction Recommended action false string
  title Title false string

errors Errors false array

Cloud Resources

Export cloud rogue resources to csv


GET /web/api/v2.1/cloudnative/cloud-rogues/export

Returns the results for given cloud rogues filter in a csv format

Parameters
exportformat required Export format. Example: "csv".
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
cloudprovideraccountid__contains optional Free-text filter by cloud account id (supports multiple values)
cloudprovideraccountname optional Filter by cloud account (supports multiple values)
cloudprovideraccountname__contains optional Free-text filter by cloud account (supports multiple values)
cloudprovidername optional Filter by cloud provider name (supports multiple values)
countonly optional If true, only total number of items will be returned, without any of the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
id__contains optional Free-text filter by id (supports multiple values)
image__contains optional Free-text filter by image (supports multiple values)
limit optional Limit number of returned items (1-1000). Example: "10".
name__contains optional Free-text filter by resource name (supports multiple values)
ostypes optional Included OS types. Example: "macos".
region optional Filter by region (supports multiple values)
region__contains optional Free-text filter by region (supports multiple values)
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
virtual_network_id__contains optional Free-text filter by network id (supports multiple values)

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Get cloud rogue resources


GET /web/api/v2.1/cloudnative/cloud-rogues

Returns the cloud rogue resources for given filter

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
cloudprovideraccountid__contains optional Free-text filter by cloud account id (supports multiple values)
cloudprovideraccountname optional Filter by cloud account (supports multiple values)
cloudprovideraccountname__contains optional Free-text filter by cloud account (supports multiple values)
cloudprovidername optional Filter by cloud provider name (supports multiple values)
countonly optional If true, only total number of items will be returned, without any of the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
id__contains optional Free-text filter by id (supports multiple values)
image__contains optional Free-text filter by image (supports multiple values)
limit optional Limit number of returned items (1-1000). Example: "10".
name__contains optional Free-text filter by resource name (supports multiple values)
ostypes optional Included OS types. Example: "macos".
region optional Filter by region (supports multiple values)
region__contains optional Free-text filter by region (supports multiple values)
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
virtual_network_id__contains optional Free-text filter by network id (supports multiple values)

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
  Name Description Required Value
  totalItems Total number of items found matching your query true integer
  nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string

data Response data false
  Name Description Required Value
  resources Resources false
    Name Description Required Value
    cloudProviderAccountId false string
    cloudProviderAccountName false string
    cloudProviderName false string
    cloudProviderOrganization false string
    createdTime false string
    id Cloud Resource ID false string
    name false string
    osType false string
    osTypeIcon false string
    region false string
    resourceType false string
    tags false object
    virtualNetworkId false string

errors Errors false array
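
The `limit`, `cursor` and `pagination.nextCursor` fields above define cursor pagination: each response hands back the cursor for the next request until it is "null". The loop below is an added example, not SentinelOne code; `fetch` is a caller-supplied transport function (hypothetical name), the sample pages are constructed, and it assumes `data` is an object holding a `resources` list, as the schema is laid out.

```python
"""Cursor pagination over the cloud rogue resources endpoint (added example)."""

CLOUD_ROGUES_PATH = "/web/api/v2.1/cloudnative/cloud-rogues"


class PaginationError(RuntimeError):
    """The API reported errors or the cursor chain did not terminate."""


def iter_cloud_rogues(fetch, filters=None, limit=1000, max_pages=10_000):
    """Yield every resource that matches `filters`, following nextCursor.

    fetch(path, params) performs the authenticated GET and returns the
    decoded JSON body.
    """
    if not 1 <= limit <= 1000:
        raise ValueError("limit must be between 1 and 1000")
    params = dict(filters or {})
    # This loop owns the position; a caller-set skip or cursor would make
    # the result set ambiguous, so both are rejected (a choice made here).
    for owned in ("cursor", "skip"):
        if owned in params:
            raise ValueError("do not pass %r; pagination is handled here" % owned)
    params["limit"] = limit

    seen = set()
    for _ in range(max_pages):
        body = fetch(CLOUD_ROGUES_PATH, dict(params))
        if body.get("errors"):
            raise PaginationError("API errors: %r" % (body["errors"],))
        data = body.get("data") or {}
        for resource in data.get("resources") or []:
            yield resource

        cursor = (body.get("pagination") or {}).get("nextCursor")
        # The last page is signalled by "null"; accept JSON null as well
        # as the literal string.
        if cursor in (None, "", "null"):
            return
        if cursor in seen:
            # A repeated cursor would loop forever and duplicate results.
            raise PaginationError("server repeated cursor %r" % cursor)
        seen.add(cursor)
        params["cursor"] = cursor
    raise PaginationError("stopped after %d pages" % max_pages)


def make_fake_fetch(pages):
    """Constructed stand-in for the HTTP layer: serves pages keyed by cursor."""
    calls = []

    def fetch(path, params):
        calls.append(dict(params))
        return pages[params.get("cursor")]

    fetch.calls = calls
    return fetch


# Constructed responses; resource ids and cursor strings are made up.
SAMPLE_PAGES = {
    None: {
        "pagination": {"totalItems": 3, "nextCursor": "constructed-cursor-2"},
        "data": {"resources": [
            {"id": "res-1", "osType": "linux", "region": "region-a"},
            {"id": "res-2", "osType": "linux", "region": "region-b"},
        ]},
        "errors": [],
    },
    "constructed-cursor-2": {
        "pagination": {"totalItems": 3, "nextCursor": None},
        "data": {"resources": [
            {"id": "res-3", "osType": "linux", "region": "region-a"},
        ]},
    },
}

LOOPING_PAGES = {
    None: {"pagination": {"nextCursor": "A"}, "data": {"resources": []}},
    "A": {"pagination": {"nextCursor": "A"}, "data": {"resources": []}},
}

if __name__ == "__main__":
    fetch = make_fake_fetch(SAMPLE_PAGES)
    for item in iter_cloud_rogues(fetch, {"ostypes": "linux"}, limit=2):
        print(item["id"], item["region"])
```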

Config Overrides

Get Config Overrides


GET /web/api/v2.1/config-override

There are different ways to override the configuration of an Agent, and the priority of changes depends on the endpoint OS and the version of the installed Agent. Use this command to see the configuration values that are changed for each Agent that matches the filter.

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
agentids optional List of Agent IDs to filter by. Example: "225494730938493804,225494730938493915".
agentversions optional Included agent versions. Example: "2.5.1.1320".
countonly optional If true, only total number of items will be returned, without any of the actual objects.
createdat__between optional Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
createdat__gt optional Config Overrides created after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__gte optional Config Overrides created after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lt optional Config Overrides created before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lte optional Config Overrides created before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
description__like optional Match description partially (substring)
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
ids optional List of ids to filter by. Example: "225494730938493804,225494730938493915".
limit optional Limit number of returned items (1-1000). Example: "10".
name__like optional Match name partially (substring)
ostypes optional Included OS types. Example: "macos".
query optional Free text search on fields name, description, agent_version, os_type, config
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
tenant optional Indicates a tenant scope request
versionoption optional Version option. Example: "ALL".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
  Name Description Required Value
  totalItems Total number of items found matching your query true integer
  nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string

data Response data false
  Name Description Required Value
  description Description true string
  name Name true string
  account Account false
    Name Description Required Value
    id Id true string
    name Name false string
  agent Agent false
    Name Description Required Value
    id Id true string
  agentVersion Agent version false string
  config Config false object
  group Group false
    Name Description Required Value
    id Id true string
    name Name false string
  id Id false string
  osType OS type false enum
  scope Scope level false enum
  site Site false
    Name Description Required Value
    id Id true string
    name Name false string
  versionOption Version option false enum

errors Errors false array

Create Config Override
POST /web/api/v2.1/config-override

Override the configuration of Agents that match the filter. Best practice: Run "support-actions/config" to get the complete syntax. This command requires a Global user or Support.


Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

404 - Scope not found.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  description Description true string
  name Name true string
  account Account false
    Name Description Required Value
    id Id true string
    name Name false string
  agent Agent false
    Name Description Required Value
    id Id true string
  agentVersion Agent version false string
  config Config false object
  group Group false
    Name Description Required Value
    id Id true string
    name Name false string
  id Id false string
  osType OS type false enum
  scope Scope level false enum
  site Site false
    Name Description Required Value
    id Id true string
    name Name false string
  versionOption Version option false enum

errors Errors false array

Body Schema
Name Description Required Value
data Data true
  Name Description Required Value
  name Name true string
  osType OS type true enum
  scope Scope level true enum
  account Config override will apply to all agents in the account. This should be used with scope = 'account' false
    Name Description Required Value
    id Id true string
    name Name false string
  agentVersion Agent version false string
  config Config false object
  description Description false string
  group Config override will apply to all agents in the group. This should be used with scope = 'group' false
    Name Description Required Value
    id Id true string
    name Name false string
  site Config override will apply to all agents in the site. This should be used with scope = 'site' false
    Name Description Required Value
    id Id true string
    name Name false string
  versionOption Version option false enum

filter Filter false

Delete Config Overrides
DELETE /web/api/v2.1/config-override

Delete overrides value. To get the required IDs, run "config-override".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  affected Number of entities affected by the requested operation false integer

errors Errors false array

Body Schema
Name Description Required Value
filter Filter true
  Name Description Required Value
  accountIds List of Account IDs to filter by false string []
  agentIds List of Agent IDs to filter by false string []
  agentVersions Included agent versions false string []
  createdAt__between Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
  createdAt__gt Config Overrides created after this timestamp false string
  createdAt__gte Config Overrides created after or at this timestamp false string
  createdAt__lt Config Overrides created before this timestamp false string
  createdAt__lte Config Overrides created before or at this timestamp false string
  description__like Match description partially (substring) false string
  groupIds List of Group IDs to filter by false string []
  ids List of ids to filter by false string []
  name__like Match name partially (substring) false string
  osTypes Included OS types false string []
  query Free text search on fields name, description, agent_version, os_type, config false string
  siteIds List of Site IDs to filter by false string []
  tenant Indicates a tenant scope request false boolean
  versionOption Version option false enum

Delete Config Override
DELETE /web/api/v2.1/config-override/{override_id}

Delete an override value. To get the required ID, run "config-override".

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

404 - Override not found.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  success Indicates a successful operation false boolean

errors Errors false array

Update Config Override
PUT /web/api/v2.1/config-override/{override_id}

Use this command to change the value of one configuration value. To get the required ID, run "config-override".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions.

404 - Override not found.

Response Schema
Name  Description  Required  Value
data  Response data  false
    Name  Description  Required  Value
    description  Description  true  string
    name  Name  true  string
    account  Account  false
        Name  Description  Required  Value
        id  Id  true  string
        name  Name  false  string
    agent  Agent  false
        Name  Description  Required  Value
        id  Id  true  string
    agentVersion  Agent version  false  string
    config  Config  false  object
    group  Group  false
        Name  Description  Required  Value
        id  Id  true  string
        name  Name  false  string
    id  Id  false  string
    osType  OS type  false  enum
    scope  Scope level  false  enum
    site  Site  false
        Name  Description  Required  Value
        id  Id  true  string
        name  Name  false  string
    versionOption  Version option  false  enum
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
data  Data  true
    Name  Description  Required  Value
    account  Account  false
        Name  Description  Required  Value
        id  Id  true  string
        name  Name  false  string
    agentVersion  Agent version  false  string
    config  Config  false  object
    description  Description  false  string
    group  Group  false
        Name  Description  Required  Value
        id  Id  true  string
        name  Name  false  string
    name  Name  false  string
    osType  OS type  false  enum
    scope  Scope level  false  enum
    site  Site  false
        Name  Description  Required  Value
        id  Id  true  string
        name  Name  false  string
    versionOption  Version option  false  enum
filter  Filter  false

create_exclusion

Create Unified Exclusion


POST /web/api/v2.1/unified-exclusions

Create Exclusions to make your Agents suppress alerts and mitigation for items that you consider benign or that you require for interoperability.
IMPORTANT! Every Exclusion is a possible security hole. Do not create an Exclusion unless you are sure that the hash, path, certificate signer, file type, or browser is always benign.
An Exclusion by hash or path is much more secure than excluding all detections of a specific signer, file type, or browser. We do not recommend signer, file type, or browser Exclusions on production endpoints; they might be helpful in a lab or pentester group. When you create an Exclusion, set the filter to the smallest possible scope. For example, if you can exclude the item on a group, do not enter values for siteIds or accountIds.
We recommend that you read "Not Recommended Exclusions" (https://support.sentinelone.com/hc/en-us/articles/360007532894) and "Best Practices for Exclusions" (https://support.sentinelone.com/hc/en-us/articles/360008709014).

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name  Description  Required  Value
pagination  Pagination information  true
    Name  Description  Required  Value
    totalItems  Total number of items found matching your query  true  integer
    nextCursor  Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached)  false  string
data  Response data  false
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
data  Data  true
filter  Filter  true
    Name  Description  Required  Value
    accountIds  List of Account IDs to filter by  false  string []
    groupIds  List of Group IDs to filter by  false  string []
    siteIds  List of Site IDs to filter by  false  string []
    tenant  Indicates a tenant scope request  false  boolean

Validate Exclusion Item
POST /web/api/v2.1/unified-exclusions/validate

Check if an exclusion is on the list of SentinelOne items that are "Not Allowed" or "Not Recommended". This API returns one of the following statuses:
* Not Recommended: This item is not recommended by SentinelOne because it decreases security. For example, if you accidentally exclude a path that is too broad, malware can enter your environment.
* Not Allowed: This exclusion can harm the product and lead to unexpected functionality. From version North Pole SP3 you are prevented from creating Not Allowed exclusions.
* None: This item is not on the list of SentinelOne items that are "Not Allowed" or "Not Recommended".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name  Description  Required  Value
data  Response data  false
    Name  Description  Required  Value
    status  Recommendation for the exclusion/blocklist item  false  enum
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
data  Data  true
    Name  Description  Required  Value
    exclusionType  Unified exclusion type  true  enum
    osType  OS type  true  enum
    type  Exclusion type  true  enum
    value  Value  true  string
filter  Filter  true
    Name  Description  Required  Value
    accountIds  List of Account IDs to filter by  false  string []
    groupIds  List of Group IDs to filter by  false  string []
    siteIds  List of Site IDs to filter by  false  string []
    tenant  Indicates a tenant scope request  false  boolean
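
The guidance for Create Unified Exclusion and Validate Exclusion Item (validate first, then create at the smallest scope) as an added example; it is not code from the original page or from SentinelOne. Assumptions: `post` is a caller-supplied function that sends an authenticated POST and returns parsed JSON, the create call takes the same `data` fields as the validate call (the page lists none for create), the wire spelling of the status values, and every sample value, all of which are constructed.

```python
import re

VALIDATE = "/web/api/v2.1/unified-exclusions/validate"
CREATE = "/web/api/v2.1/unified-exclusions"


def normalise_status(raw):
    """Map 'Not Recommended', 'NOT_RECOMMENDED' or 'notRecommended' to 'notrecommended'.

    The page names the statuses but not their wire spelling, so only letters
    are compared (assumption). A missing status is never treated as 'None'.
    """
    if raw is None:
        return "missing"
    return re.sub(r"[^a-z]", "", str(raw).lower())


def narrowest_filter(group_ids=(), site_ids=(), account_ids=()):
    """Build the smallest scope filter: group before site before account.

    Broader IDs are dropped instead of being sent next to the narrow ones,
    following the page's advice not to enter siteIds or accountIds when a
    group scope is enough. A tenant-wide exclusion is refused outright.
    """
    for key, ids in (("groupIds", group_ids), ("siteIds", site_ids),
                     ("accountIds", account_ids)):
        ids = [str(i) for i in ids if i]
        if ids:
            return {key: ids}
    raise ValueError("no group, site or account ID given; refusing tenant scope")


def create_exclusion_checked(post, item, **scope):
    """Create the exclusion only if the validate call answers 'None'."""
    body = {"data": item, "filter": narrowest_filter(**scope)}
    verdict = post(VALIDATE, body)
    if verdict.get("errors"):
        raise RuntimeError(f"validate call failed: {verdict['errors']}")
    status = normalise_status((verdict.get("data") or {}).get("status"))
    outcome = {"created": False, "status": status, "filter": body["filter"]}
    if status != "none":  # Not Allowed, Not Recommended, missing or unknown: stop
        return outcome
    result = post(CREATE, body)
    outcome["created"] = not result.get("errors")
    return outcome


def demo():
    """Run the gate against a constructed stand-in for the Management API."""
    calls = []

    def fake_post(path, body):
        calls.append(path)
        if path == VALIDATE:
            # Constructed rule for the demo only; the real list is SentinelOne's.
            too_broad = body["data"]["value"].count("/") < 3
            return {"data": {"status": "Not Recommended" if too_broad else "None"}}
        return {"data": {}, "errors": None}

    # Enum values are not shown on the page, so placeholders stand in for them.
    item = {"exclusionType": "<exclusionType>", "osType": "<osType>", "type": "<type>"}
    broad = create_exclusion_checked(
        fake_post, dict(item, value="/opt/"), group_ids=["g-constructed"])
    narrow = create_exclusion_checked(
        fake_post, dict(item, value="/opt/backup/bin/agentd"),
        group_ids=["g-constructed"], account_ids=["a-constructed"])
    return broad, narrow, calls
```

Logging the returned `status` and `filter` for every attempt leaves a record of which exclusions were refused and at what scope the accepted ones were created.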

Custom Detection Rule

Get Rules
GET /web/api/v2.1/cloud-detection/rules

Get a list of Custom Detection Rules for a given scope.


Note: You can create and see rules only for your highest available scope. For example, if your username has an access level of scope Account, you cannot see rules created
for the Global scope or rules created for a specific Site.

Parameters
accountids  optional  List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
activeresponse  optional  The active response status for the rule.
countonly  optional  If true, only total number of items will be returned, without any of the actual objects.
creator__contains  optional  Free-text filter by rule creator. You can enter multiple values, separated by commas. Example: "Service Pack 1".
cursor  optional  Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
description__contains  optional  Free-text filter by rule description. You can enter multiple values, separated by commas. Example: "Service Pack 1".
disablepagination  optional  If True, all rules for the requested scope will be returned.
expirationmode  optional  The expiration mode. Example: "Permanent".
expired  optional  Rule expired or not.
groupids  optional  List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
ids  optional  To filter by Rule ID, enter one or more Rule IDs, separated by commas. Example: "225494730938493804,225494730938493915".
limit  optional  Limit number of returned items (1-1000). Example: "10".
name__contains  optional  Free-text filter by rule name. You can enter multiple values, separated by commas. Example: "Service Pack 1".
query  optional  Free-text filter by S1 query. You can enter multiple values, separated by commas. Example: "Service Pack 1".
querytype  optional  The query type. Example: "events".
reachedlimit  optional  Rule reached limit or not.
s1ql__contains  optional  Free-text filter by S1 query. You can enter multiple values, separated by commas. Example: "Service Pack 1".
scopes  optional  To filter by scope, enter one or more scopes, separated by commas. Example: "account".
siteids  optional  List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip  optional  Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount  optional  If true, total number of items will not be calculated, which speeds up execution time.
sortby  optional  The column to sort the results by. Example: "id".
sortorder  optional  Sort direction. Example: "asc".
status  optional  To filter by status, enter one or more statuses, separated by commas. Example: "Draft".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name  Description  Required  Value
pagination  Pagination information  true
    Name  Description  Required  Value
    totalItems  Total number of items found matching your query  true  integer
    nextCursor  Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached)  false  string
data  Response data  false
    Name  Description  Required  Value
    expirationMode  Whether the rule is Temporary or Permanent.  true  enum
    name  The name of the custom detection rule.  true  string
    queryType  The query type - Correlation (made of multiple subqueries), Event (single query), or Processes (Deprecated).  true  enum
    severity  The rule severity in your environment.  true  enum
    status  Enabled (Activated and sends alerts if triggered) or Disabled.  true  enum
    accountId  The account ID.  false  string
    accountName  The name of the account.  false  string
    activeResponse  The Active Response status of the Rule.  false  boolean
    correlationParams  Correlation params  false
        Name  Description  Required  Value
        entity  A common entity used to group matching events.  true  enum
        matchInOrder  Set to True to require subqueries to match in sequence to trigger an alert.  true  boolean
        subQueries  The list of subqueries for the custom detection rule.  false
            Name  Description  Required  Value
            matchesRequired  The number of times a subquery must match.  true  integer
            subQuery  A subquery  true  string
        timeWindow  The period of time in minutes in which subqueries must match to trigger an alert.  false
            Name  Description  Required  Value
            windowMinutes  The period of time in minutes in which subqueries must match to trigger an alert.  false  integer
    createdAt  The date the rule was created.  false  string
    creator  The full name of the user that created the rule.  false  string
    creatorId  The ID of the user that created the rule.  false  string
    description  The description of the custom detection rule.  false  string
    editable  True if the rule can be modified at this scope level.  false  boolean
    enrichment  Enrichment  false
        Name  Description  Required  Value
        creator  The ID of the user that created the Rule.  false  string
        scopeName  scope id  false  string
        updater  The ID of the user that last updated the Rule.  false  string
    expiration  If Temporary, the expiration date for the rule.  false  string
    expired  True if the Rule has expired.  false  boolean
    generatedAlerts  The number of alerts that have been generated for the Rule.  false  integer
    id  Rule ID  false  string
    lastAlertTime  The time of the last alert for the Rule.  false  string
    networkQuarantine  True if the network quarantine is on.  false  boolean
    queryLang  The s1ql version query language of the rule. Can be 1.0 or 2.0.  false  enum
    reachedLimit  True if the Rule reached the 5k/hour or 10k/day alert limit. If the limit has been reached, the Rule is disabled.  false  boolean
    s1ql  The query.  false  string
    scope  The scope of the rule. Can be Global, Account, Site, or Group.  false  enum
    scopeId  The Account, Site, or Group ID, depending on the scope. Null if the scope is Global.  false  string []
    siteId  The site ID.  false  string
    siteName  The name of the site.  false  string
    statusReason  The reason why the Rule has its current status.  false  string
    treatAsThreat  The Treat as threat auto response - UNDEFINED/suspicious/malicious  false  enum
    updatedAt  The date the rule was last updated.  false  string
    updaterId  The ID of the user that last updated the rule.  false  string
errors  Errors  false  array

Create Rule
POST /web/api/v2.1/cloud-detection/rules

Create a Custom Detection Rule for a scope specified by ID. To get the ID, run "accounts", "sites", "groups", or set "tenant" to "true" for Global.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name  Description  Required  Value
data  Response data  false
    Name  Description  Required  Value
    expirationMode  Whether the rule is Temporary or Permanent.  true  enum
    name  The name of the custom detection rule.  true  string
    queryType  The query type - Correlation (made of multiple subqueries), Event (single query), or Processes (Deprecated).  true  enum
    severity  The rule severity in your environment.  true  enum
    status  Enabled (Activated and sends alerts if triggered) or Disabled.  true  enum
    correlationParams  Correlation params  false
        Name  Description  Required  Value
        entity  A common entity used to group matching events.  true  enum
        matchInOrder  Set to True to require subqueries to match in sequence to trigger an alert.  true  boolean
        subQueries  The list of subqueries for the custom detection rule.  false
            Name  Description  Required  Value
            matchesRequired  The number of times a subquery must match.  true  integer
            subQuery  A subquery  true  string
        timeWindow  The period of time in minutes in which subqueries must match to trigger an alert.  false
            Name  Description  Required  Value
            windowMinutes  The period of time in minutes in which subqueries must match to trigger an alert.  false  integer
    createdAt  The date the rule was created.  false  string
    creator  The full name of the user that created the rule.  false  string
    creatorId  The ID of the user that created the rule.  false  string
    description  The description of the custom detection rule.  false  string
    editable  True if the rule can be modified at this scope level.  false  boolean
    expiration  If Temporary, the expiration date for the rule.  false  string
    expired  True if the Rule has expired.  false  boolean
    id  Rule ID  false  string
    networkQuarantine  True if the network quarantine is on.  false  boolean
    queryLang  The s1ql version query language of the rule. Can be 1.0 or 2.0.  false  enum
    reachedLimit  True if the Rule reached the 5k/hour or 10k/day alert limit. If the limit has been reached, the Rule is disabled.  false  boolean
    s1ql  The query.  false  string
    scope  The scope of the rule. Can be Global, Account, Site, or Group.  false  enum
    scopeId  The Account, Site, or Group ID, depending on the scope. Null if the scope is Global.  false  string []
    statusReason  The reason why the Rule has its current status.  false  string
    treatAsThreat  The Treat as threat auto response - UNDEFINED/suspicious/malicious  false  enum
    updatedAt  The date the rule was last updated.  false  string
    updaterId  The ID of the user that last updated the rule.  false  string
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
data  Data  true
    Name  Description  Required  Value
    expirationMode  Defines the rule as Permanent or Temporary.  true  enum
    name  The name of the custom detection rule.  true  string
    queryType  Define the query type: Correlation (made of multiple subqueries), Event (single query), or Processes (Deprecated).  true  enum
    severity  The rule severity in your environment.  true  enum
    status  Defines whether the rule is Enabled (Activated and sends alerts if triggered) or Disabled.  true  enum
    correlationParams  Correlation params  false
        Name  Description  Required  Value
        entity  A common entity used to group matching events.  true  enum
        matchInOrder  Set to True to require subqueries to match in sequence to trigger an alert.  true  boolean
        subQueries  The list of subqueries for the custom detection rule.  false
            Name  Description  Required  Value
            matchesRequired  The number of times a subquery must match.  true  integer
            subQuery  A subquery  true  string
        timeWindow  The period of time in minutes in which subqueries must match to trigger an alert.  false
            Name  Description  Required  Value
            windowMinutes  The period of time in minutes in which subqueries must match to trigger an alert.  false  integer
    description  A description of the custom detection rule.  false  string
    expiration  If the rule is Temporary, enter the expiration date for the rule.  false  string
    id  Rule ID  false  string
    networkQuarantine  Set to True to automatically quarantine the alerted endpoints.  false  boolean
    queryLang  Defines the s1ql version query language of the rule - 1.0 or 2.0.  false  enum
    s1ql  The query  false  string
    treatAsThreat  Defines the Treat as a threat auto response. Undefined, Suspicious, or Malicious.  false  enum
filter  Filter  false
    Name  Description  Required  Value
    accountIds  List of Account IDs to filter by  false  string []
    groupIds  List of Group IDs to filter by  false  string []
    siteIds  List of Site IDs to filter by  false  string []
    tenant  Indicates a tenant scope request  false  boolean

Delete Rules
DELETE /web/api/v2.1/cloud-detection/rules

Deletes Custom Detection Rules that match a filter.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name  Description  Required  Value
data  Response data  false
    Name  Description  Required  Value
    affected  Number of entities affected by the requested operation  false  integer
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
filter  Filter  true
    Name  Description  Required  Value
    accountIds  List of Account IDs to filter by  false  string []
    activeResponse  The active response status for the rule.  false  boolean
    creator__contains  Free-text filter by rule creator. You can enter multiple values, separated by commas.  false  string []
    description__contains  Free-text filter by rule description. You can enter multiple values, separated by commas.  false  string []
    expirationMode  The expiration mode.  false  enum
    expired  Rule expired or not.  false  boolean
    groupIds  List of Group IDs to filter by  false  string []
    ids  To filter by Rule ID, enter one or more Rule IDs, separated by commas.  false  string []
    name__contains  Free-text filter by rule name. You can enter multiple values, separated by commas.  false  string []
    query  Free-text filter by S1 query. You can enter multiple values, separated by commas.  false  string []
    queryType  The query type.  false  enum
    reachedLimit  Rule reached limit or not.  false  boolean
    s1ql__contains  Free-text filter by S1 query. You can enter multiple values, separated by commas.  false  string []
    scopes  To filter by scope, enter one or more scopes, separated by commas.  false  string []
    siteIds  List of Site IDs to filter by  false  string []
    status  To filter by status, enter one or more statuses, separated by commas.  false  string []

Update Rule
PUT /web/api/v2.1/cloud-detection/rules/{rule_id}

Change a Custom Detection rule.


This command requires the rule ID. (See Get Rules).

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Custom Detection rule not found

Response Schema
Name  Description  Required  Value
data  Response data  false
    Name  Description  Required  Value
    expirationMode  Whether the rule is Temporary or Permanent.  true  enum
    name  The name of the custom detection rule.  true  string
    queryType  The query type - Correlation (made of multiple subqueries), Event (single query), or Processes (Deprecated).  true  enum
    severity  The rule severity in your environment.  true  enum
    status  Enabled (Activated and sends alerts if triggered) or Disabled.  true  enum
    correlationParams  Correlation params  false
        Name  Description  Required  Value
        entity  A common entity used to group matching events.  true  enum
        matchInOrder  Set to True to require subqueries to match in sequence to trigger an alert.  true  boolean
        subQueries  The list of subqueries for the custom detection rule.  false
            Name  Description  Required  Value
            matchesRequired  The number of times a subquery must match.  true  integer
            subQuery  A subquery  true  string
        timeWindow  The period of time in minutes in which subqueries must match to trigger an alert.  false
            Name  Description  Required  Value
            windowMinutes  The period of time in minutes in which subqueries must match to trigger an alert.  false  integer
    createdAt  The date the rule was created.  false  string
    creator  The full name of the user that created the rule.  false  string
    creatorId  The ID of the user that created the rule.  false  string
    description  The description of the custom detection rule.  false  string
    editable  True if the rule can be modified at this scope level.  false  boolean
    expiration  If Temporary, the expiration date for the rule.  false  string
    expired  True if the Rule has expired.  false  boolean
    id  Rule ID  false  string
    networkQuarantine  True if the network quarantine is on.  false  boolean
    queryLang  The s1ql version query language of the rule. Can be 1.0 or 2.0.  false  enum
    reachedLimit  True if the Rule reached the 5k/hour or 10k/day alert limit. If the limit has been reached, the Rule is disabled.  false  boolean
    s1ql  The query.  false  string
    scope  The scope of the rule. Can be Global, Account, Site, or Group.  false  enum
    scopeId  The Account, Site, or Group ID, depending on the scope. Null if the scope is Global.  false  string []
    statusReason  The reason why the Rule has its current status.  false  string
    treatAsThreat  The Treat as threat auto response - UNDEFINED/suspicious/malicious  false  enum
    updatedAt  The date the rule was last updated.  false  string
    updaterId  The ID of the user that last updated the rule.  false  string
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
data  Data  true
    Name  Description  Required  Value
    expirationMode  Defines the rule as Permanent or Temporary.  true  enum
    name  The name of the custom detection rule.  true  string
    queryType  Define the query type: Correlation (made of multiple subqueries), Event (single query), or Processes (Deprecated).  true  enum
    severity  The rule severity in your environment.  true  enum
    status  Defines whether the rule is Enabled (Activated and sends alerts if triggered) or Disabled.  true  enum
    correlationParams  Correlation params  false
        Name  Description  Required  Value
        entity  A common entity used to group matching events.  true  enum
        matchInOrder  Set to True to require subqueries to match in sequence to trigger an alert.  true  boolean
        subQueries  The list of subqueries for the custom detection rule.  false
            Name  Description  Required  Value
            matchesRequired  The number of times a subquery must match.  true  integer
            subQuery  A subquery  true  string
        timeWindow  The period of time in minutes in which subqueries must match to trigger an alert.  false
            Name  Description  Required  Value
            windowMinutes  The period of time in minutes in which subqueries must match to trigger an alert.  false  integer
    description  A description of the custom detection rule.  false  string
    expiration  If the rule is Temporary, enter the expiration date for the rule.  false  string
    id  Rule ID  false  string
    networkQuarantine  Set to True to automatically quarantine the alerted endpoints.  false  boolean
    queryLang  Defines the s1ql version query language of the rule - 1.0 or 2.0.  false  enum
    s1ql  The query  false  string
    treatAsThreat  Defines the Treat as a threat auto response. Undefined, Suspicious, or Malicious.  false  enum
filter  Filter  false
    Name  Description  Required  Value
    accountIds  List of Account IDs to filter by  false  string []
    groupIds  List of Group IDs to filter by  false  string []
    siteIds  List of Site IDs to filter by  false  string []
    tenant  Indicates a tenant scope request  false  boolean

Activate Rules
PUT /web/api/v2.1/cloud-detection/rules/enable

Activate Custom Detection Rules based on a filter.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name  Description  Required  Value
data  Response data  false
    Name  Description  Required  Value
    affected  Number of entities affected by the requested operation  false  integer
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
filter  Filter  true
    Name  Description  Required  Value
    accountIds  List of Account IDs to filter by  false  string []
    activeResponse  The active response status for the rule.  false  boolean
    creator__contains  Free-text filter by rule creator. You can enter multiple values, separated by commas.  false  string []
    description__contains  Free-text filter by rule description. You can enter multiple values, separated by commas.  false  string []
    expirationMode  The expiration mode.  false  enum
    expired  Rule expired or not.  false  boolean
    groupIds  List of Group IDs to filter by  false  string []
    ids  To filter by Rule ID, enter one or more Rule IDs, separated by commas.  false  string []
    name__contains  Free-text filter by rule name. You can enter multiple values, separated by commas.  false  string []
    query  Free-text filter by S1 query. You can enter multiple values, separated by commas.  false  string []
    queryType  The query type.  false  enum
    reachedLimit  Rule reached limit or not.  false  boolean
    s1ql__contains  Free-text filter by S1 query. You can enter multiple values, separated by commas.  false  string []
    scopes  To filter by scope, enter one or more scopes, separated by commas.  false  string []
    siteIds  List of Site IDs to filter by  false  string []
    status  To filter by status, enter one or more statuses, separated by commas.  false  string []

Disable Rules
PUT /web/api/v2.1/cloud-detection/rules/disable

Disable Custom Detection Rules based on a filter.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name  Description  Required  Value
data  Response data  false
    Name  Description  Required  Value
    affected  Number of entities affected by the requested operation  false  integer
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
filter  Filter  true
    Name  Description  Required  Value
    accountIds  List of Account IDs to filter by  false  string []
    activeResponse  The active response status for the rule.  false  boolean
    creator__contains  Free-text filter by rule creator. You can enter multiple values, separated by commas.  false  string []
    description__contains  Free-text filter by rule description. You can enter multiple values, separated by commas.  false  string []
    expirationMode  The expiration mode.  false  enum
    expired  Rule expired or not.  false  boolean
    groupIds  List of Group IDs to filter by  false  string []
    ids  To filter by Rule ID, enter one or more Rule IDs, separated by commas.  false  string []
    name__contains  Free-text filter by rule name. You can enter multiple values, separated by commas.  false  string []
    query  Free-text filter by S1 query. You can enter multiple values, separated by commas.  false  string []
    queryType  The query type.  false  enum
    reachedLimit  Rule reached limit or not.  false  boolean
    s1ql__contains  Free-text filter by S1 query. You can enter multiple values, separated by commas.  false  string []
    scopes  To filter by scope, enter one or more scopes, separated by commas.  false  string []
    siteIds  List of Site IDs to filter by  false  string []
    status  To filter by status, enter one or more statuses, separated by commas.  false  string []

Deep Visibility

Create Query and Get QueryId


POST /web/api/v2.1/dv/init-query

Start a Deep Visibility Query and get the queryId. You can use the queryId for other commands, such as Get Events and Get Query Status. For complete query syntax, see
Query Syntax in the Knowledge Base (support.sentinelone.com) or the Console Help. SentinelOne Deep Visibility extends the ActiveEDR capabilities, with full visibility
into endpoint data and threat hunting. Its kernel-based monitoring searches across endpoints for all indicators of compromise (IOC).
Rate limit: 1 call per minute for each different user token.
Note: From Management version Rio (February 2022) the default of "isVerbose" is "false" instead of "true".
Deep Visibility requires Complete SKU.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name  Description  Required  Value
data  Response data  false
    Name  Description  Required  Value
    queryId  A query unique identifier  true  string
    queryModeInfo  Query mode info  false
        Name  Description  Required  Value
        mode  The query mode  true  string
        lastActivatedAt  The query mode last_activated_at date  false  string
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
fromDate  Events created after this timestamp  true  string
query  Events matching the query search term will be returned  true  string
toDate  Events created before or at this timestamp  true  string
accountIds  List of Account IDs to filter by  false  string []
isVerbose  Show all fields or just priority fields  false  boolean
limit  Limit number of returned items (1-100000)  false  integer
queryType  Query Search Type - only one is allowed  false  string []
siteIds  List of Site IDs to filter by  false  string []
timeFrame  Time frame that the query was performed on, when omitted defaults to "Last 48 Hours"  false  string

Cancel Running Query
POST /web/api/v2.1/dv/cancel-query

Stop a Deep Visibility Query by queryId. The body is {"queryID":"string_ID"}. Get the ID of the Deep Visibility query or Power Query from "init-query". See "Create Query
and get QueryId".
Deep Visibility requires Complete SKU.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name  Description  Required  Value
data  Response data  false
    Name  Description  Required  Value
    success  request success status  true  string
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
queryId  QueryId obtained when creating a query under Create Query  true  string

Get Query Status
GET /web/api/v2.1/dv/query-status

Get the status of a Deep Visibility Query. When the status is FINISHED, you can get the results with the queryId in "Get Events".
Deep Visibility requires Complete SKU.
Rate limit: 1 call per second for each different user token.
responseState can return these values: EMPTY_RESULTS, EVENTS_RUNNING, FAILED, FAILED_CLIENT, FINISHED, PLANNING, PROCESS_RUNNING, QUERY_CANCEL,
QUERY_EXPIRED, QUERY_NOT_FOUND, QUERY_RUNNING, RUNNING, TIMED_OUT.

Parameters
queryid  required  QueryId obtained when creating a query under Create Query. Example: "q1xx2xx3".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name  Description  Required  Value
data  Response data  false
    Name  Description  Required  Value
    progressStatus  Query loading status in percentage  true  integer
    responseState  Response state  true  enum
    queryModeInfo  Query mode info  false
        Name  Description  Required  Value
        mode  The query mode  true  string
        lastActivatedAt  The query mode last_activated_at date  false  string
    responseError  Relevant only for FAILED and FAILED_CLIENT DV errors  false  string
    warnings  Warnings  false  string
errors  Errors  false  array

Get Events
GET /web/api/v2.1/dv/events

Get all Deep Visibility events from a queryId. You can use this command to send a sub-query, a new query to run on these events. Get the ID from "init-query". See "Create
Query and get QueryId".
For complete documentation, see Query Syntax in the Knowledge Base (support.sentinelone.com) or the Console Help.
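
The Deep Visibility sequence described in these sections (init-query, query-status until a terminal responseState, then events page by page) as an added example; it is not code from the original page or from SentinelOne. Assumptions: `api` is a caller-supplied function that sends an authenticated request and returns parsed JSON, the query parameter is spelled `queryId` as in the body schemas, and `FakeConsole`, the `<query>` placeholder and all timestamps and events are constructed so the block runs offline.

```python
import time

INIT, STATUS, EVENTS, CANCEL = (
    "/web/api/v2.1/dv/init-query", "/web/api/v2.1/dv/query-status",
    "/web/api/v2.1/dv/events", "/web/api/v2.1/dv/cancel-query")
# The parameter tables on this page print the name lowercased ("queryid"); the
# body schemas spell it "queryId". Using that spelling here is an assumption.
QID = "queryId"
DONE = {"FINISHED", "EMPTY_RESULTS"}
DEAD = {"FAILED", "FAILED_CLIENT", "QUERY_CANCEL", "QUERY_EXPIRED",
        "QUERY_NOT_FOUND", "TIMED_OUT"}


class DVQueryError(RuntimeError):
    """Raised when a query ends in a failure state or never finishes."""


def wait_for_query(api, query_id, *, poll_interval=1.0, max_polls=300, sleep=time.sleep):
    """Poll query-status until a terminal responseState and return that state."""
    interval = max(poll_interval, 1.0)  # documented limit: 1 status call per second per token
    for _ in range(max_polls):
        data = api("GET", STATUS, params={QID: query_id})["data"]
        state = data["responseState"]
        if state in DONE:
            return state
        if state in DEAD:
            raise DVQueryError(f"{query_id}: {state} ({data.get('responseError')})")
        sleep(interval)  # PLANNING, RUNNING, QUERY_RUNNING and the like: keep waiting
    api("POST", CANCEL, body={QID: query_id})  # do not leave an abandoned query running
    raise DVQueryError(f"{query_id}: not finished after {max_polls} polls, cancelled")


def fetch_events(api, query_id, *, page_size=1000):
    """Collect every page of events by following pagination.nextCursor."""
    events, cursor = [], None
    while True:
        params = {QID: query_id, "limit": page_size}
        if cursor:
            params["cursor"] = cursor
        page = api("GET", EVENTS, params=params)
        events.extend(page.get("data") or [])
        cursor = (page.get("pagination") or {}).get("nextCursor")
        if cursor in (None, "", "null"):  # last page reached
            return events


def run_dv_query(api, query, from_date, to_date, **wait_opts):
    """Start a query, wait for it, and return all of its events.

    init-query is limited to 1 call per minute per token, so callers that run
    several hunts must space these calls themselves.
    """
    body = {"query": query, "fromDate": from_date, "toDate": to_date}
    query_id = api("POST", INIT, body=body)["data"]["queryId"]
    if wait_for_query(api, query_id, **wait_opts) == "EMPTY_RESULTS":
        return []
    return fetch_events(api, query_id)


class FakeConsole:
    """Constructed in-memory stand-in for the Management API (no network)."""

    def __init__(self, states, pages):
        self.states, self.pages, self.calls = list(states), pages, []

    def __call__(self, method, path, params=None, body=None):
        self.calls.append((method, path))
        if path == INIT:
            return {"data": {"queryId": "q-constructed"}}
        if path == STATUS:
            state = self.states.pop(0) if len(self.states) > 1 else self.states[0]
            return {"data": {"responseState": state, "progressStatus": 0}}
        if path == CANCEL:
            return {"data": {"success": "true"}}
        idx = int((params or {}).get("cursor") or 0)  # the fake cursor is a page index
        nxt = str(idx + 1) if idx + 1 < len(self.pages) else None
        total = sum(len(p) for p in self.pages)
        return {"data": self.pages[idx],
                "pagination": {"totalItems": total, "nextCursor": nxt}}


def demo():
    """Two constructed event pages behind a PLANNING, RUNNING, FINISHED sequence."""
    pages = [[{"id": "1", "eventType": "constructed"}],
             [{"id": "2", "eventType": "constructed"}]]
    console = FakeConsole(["PLANNING", "RUNNING", "FINISHED"], pages)
    naps = []
    events = run_dv_query(console, "<query>", "2024-01-01T00:00:00Z",
                          "2024-01-02T00:00:00Z", poll_interval=0.1, sleep=naps.append)
    return [e["id"] for e in events], naps
```

A requested `poll_interval` below one second is raised to one second, so a misconfigured caller cannot exceed the query-status rate limit.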

Parameters
queryid  required  QueryId obtained when creating a query under Create Query. Example: "q1xx2xx3".
cursor  optional  Cursor position returned by the last request. Should be used instead of skip. cursor currently supports sort by with createdAt, pid, processStartTime
limit  optional  Limit number of returned items (1-1000). Example: "10".
skip  optional  Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
sortby  optional  Events sorted by field. Example: "createdAt".
sortorder  optional  Event sorting order. Example: "asc".
subquery  optional  Create a sub query to run on the data that was already pulled

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
    Name Description Required Value
    totalItems Total number of items found matching your query true integer
    nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
    Name Description Required Value
    agentDomain Agent domain true string
    agentGroupId Agent group id true string
    agentId Agent id true string
    agentInfected Agent infected true boolean
    agentIp Agent ip true string
    agentIsActive Agent is active true boolean
    agentIsDecommissioned Agent is decommissioned true boolean
    agentMachineType Agent machine type true string
    agentName Agent name true string
    agentNetworkStatus Agent network status true string
    agentOs OS type true enum
    agentUuid Agent uuid true string
    agentVersion Agent version true string
    createdAt Created at true string
    id Id true string
    objectType Object type true string
    processName Process name true string
    siteName Site name true string
    user User true string
    connectionStatus Connection status false string
    direction Direction false string
    dnsRequest Dns request false string
    dnsResponse Dns response false string
    dstIp Dst ip false string
    dstPort Dst port false integer
    eventType Event type false string
    fileFullName File full name false string
    fileId File id false string
    fileMd5 File md5 false string
    fileSha1 File sha1 false string
    fileSha256 File sha256 false string
    fileSize File size false string
    fileType File type false string
    forensicUrl Forensic url false string
    indicatorCategory Indicator category false string
    indicatorDescription Indicator description false string
    indicatorMetadata Indicator metadata false string
    indicatorName Indicator name false string
    isAgentVersionFullySupportedForPg Is agent version fully supported for pg false boolean
    isAgentVersionFullySupportedForPgMessage Is agent version fully supported for pg message false string
    loginsBaseType Logins base type false string
    loginsUserName Logins user name false string
    md5 Md5 false string
    networkMethod Network method false string
    networkSource Network source false string
    networkUrl Network url false string
    oldFileMd5 Old file md5 false string
    oldFileName Old file name false string
    oldFileSha1 Old file sha1 false string
    oldFileSha256 Old file sha256 false string
    parentPid Parent pid false string
    parentProcessGroupId Parent process group id false string
    parentProcessIsMalicious Parent process is malicious false boolean
    parentProcessName Parent process name false string
    parentProcessStartTime Parent process start time false string
    parentProcessUniqueKey Parent process unique key false string
    pid Pid false string
    processCmd Process cmd false string
    processDisplayName Process display name false string
    processGroupId Process group id false string
    processImagePath Process image path false string
    processImageSha1Hash Process image sha1 hash false string
    processIntegrityLevel Process integrity level false string
    processIsMalicious Process is malicious false boolean
    processIsRedirectedCommandProcessor Process is redirected command processor false string
    processIsWow64 Process is wow64 false string
    processRoot Process root false string
    processSessionId Process session id false string
    processStartTime Process start time false string
    processSubSystem Process sub system false string
    processUniqueKey Process unique key false string
    processUserName Process user name false string
    publisher Publisher false string
    registryId Registry id false string
    registryPath Registry path false string
    relatedToThreat Related to threat false string
    rpid Rpid false string
    sha1 Sha1 false string
    sha256 Sha256 false string
    signatureSignedInvalidReason Signature signed invalid reason false string
    signedStatus Signed status false string
    srcIp Src ip false string
    srcPort Src port false integer
    srcProcDownloadToken Src proc download token false string
    taskName Task name false string
    taskPath Task path false string
    threatStatus Threat status false string
    tid Tid false string
    trueContext True context false string
    verifiedStatus Verified status false string
errors Errors false array
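
The flow that the query status and Get Events descriptions above imply, as an added example that is not part of the SentinelOne documentation: poll the status at most once per second until responseState settles, then read every event by following nextCursor. The get_status and get_events callables and the FakeConsole class are hypothetical stand-ins for authenticated GET requests, and grouping the responseState values into running, finished and failed is an assumption based on their names.

```python
import time

# responseState values as listed on the page. Grouping them into "running",
# "finished" and "failed" is this example's assumption, inferred from the names.
RUNNING = {"EVENTS_RUNNING", "PLANNING", "PROCESS_RUNNING", "QUERY_RUNNING", "RUNNING"}
FINISHED = {"FINISHED", "EMPTY_RESULTS"}
FAILED = {"FAILED", "FAILED_CLIENT", "QUERY_CANCEL", "QUERY_EXPIRED",
          "QUERY_NOT_FOUND", "TIMED_OUT"}

class QueryFailed(RuntimeError):
    """Raised when a query ends in, or never leaves, a state without results."""

class Throttle:
    """Keeps calls at least `interval` seconds apart (1 call per second per token)."""
    def __init__(self, interval=1.0, clock=time.monotonic, sleep=time.sleep):
        self.interval, self.clock, self.sleep = interval, clock, sleep
        self._last = None

    def wait(self):
        now = self.clock()
        if self._last is not None and now - self._last < self.interval:
            self.sleep(self.interval - (now - self._last))
        self._last = self.clock()

def wait_for_query(get_status, query_id, throttle, max_polls=120):
    """Poll the query status until responseState leaves the running group."""
    for _ in range(max_polls):
        throttle.wait()
        data = get_status(query_id)["data"]
        state = data["responseState"]
        if state in FINISHED:
            return state
        if state in FAILED:
            raise QueryFailed(f"{state}: {data.get('responseError')}")
        if state not in RUNNING:
            raise QueryFailed(f"unexpected responseState {state!r}")
    raise QueryFailed(f"still running after {max_polls} polls")

def iter_events(get_events, query_id, throttle, limit=1000):
    """Yield every event of a query, following pagination.nextCursor page by page."""
    if not 1 <= limit <= 1000:
        raise ValueError("limit must be between 1 and 1000")
    cursor, seen = None, set()
    while True:
        # Parameter names are spelled as in the Parameters table above.
        params = {"queryid": query_id, "limit": limit,
                  "sortby": "createdAt", "sortorder": "asc"}
        if cursor is not None:
            params["cursor"] = cursor
        # The page states the rate limit for status calls; reusing it here is a cautious choice.
        throttle.wait()
        page = get_events(params)
        yield from page.get("data") or []
        cursor = (page.get("pagination") or {}).get("nextCursor")
        if cursor in (None, "", "null"):  # last page reached
            return
        if cursor in seen:  # never loop on a repeated cursor
            raise QueryFailed("server returned the same cursor twice")
        seen.add(cursor)

class FakeConsole:
    """Constructed stand-in for the management console; holds made-up events."""
    def __init__(self, events, states):
        self.events, self.states, self.calls = events, list(states), 0

    def get_status(self, query_id):
        self.calls += 1
        state = self.states.pop(0) if len(self.states) > 1 else self.states[0]
        return {"data": {"responseState": state, "responseError": None}}

    def get_events(self, params):
        self.calls += 1
        start = int(params.get("cursor", 0))
        end = start + params["limit"]
        next_cursor = str(end) if end < len(self.events) else None
        return {"pagination": {"totalItems": len(self.events), "nextCursor": next_cursor},
                "data": self.events[start:end]}

def demo():
    """Run the whole flow against the fake console with a simulated clock."""
    events = [{"id": str(i), "eventType": "Process Creation", "processName": f"proc{i}.exe"}
              for i in range(7)]
    console = FakeConsole(events, ["PLANNING", "QUERY_RUNNING", "FINISHED"])
    now, slept = [0.0], []

    def sleep(seconds):
        slept.append(seconds)
        now[0] += seconds

    throttle = Throttle(1.0, clock=lambda: now[0], sleep=sleep)
    state = wait_for_query(console.get_status, "q1xx2xx3", throttle)
    got = list(iter_events(console.get_events, "q1xx2xx3", throttle, limit=3))
    return state, [e["id"] for e in got], console.calls, slept

if __name__ == "__main__":
    print(demo())
```

In real use, replace the two FakeConsole methods with functions that send the corresponding GET requests with your console URL and API token.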

Get Process State
GET /web/api/v2.1/dv/process-state

Get details of all Deep Visibility processes from a queryId. Get the ID from "init-query". See "Create Query and get QueryId".

Parameters
queryid required QueryId obtained when creating a query under Create Query.
Example: "q1xx2xx3".
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
limit optional Limit number of returned items (1-1000). Example: "10".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
sortby optional Events sorted by field. Example: "SrcProcStartTime".
sortorder optional Event sorting order. Example: "asc".

Response Messages
400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Get Events By Type


GET /web/api/v2.1/dv/events/{event_type}

Get Deep Visibility results from the query that matches the given event type. Valid values for Event Type:
Process Exit
Process Modification
Process Creation
Duplicate Process Handle
Duplicate Thread Handle
Open Remote Process Handle
Remote Thread Creation
Remote Process Termination
Command Script
IP Connect
IP Listen
File Modification
File Creation
File Scan
File Deletion
File Rename
Pre Execution Detection
Login
Logout
GET
OPTIONS
POST
PUT
DELETE
CONNECT
HEAD
DNS Resolved
DNS Unresolved
Task Register
Task Update
Task Start
Task Trigger
Task Delete
Registry Key Create
Registry Key Rename
Registry Key Delete
Registry Key Export
Registry Key Security Changed
Registry Key Import
Registry Value Modified
Registry Value Create
Registry Value Delete
Behavioral Indicators
Module Load

Parameters
queryid required QueryId obtained when creating a query under Create Query.
Example: "q1xx2xx3".
cursor optional Cursor position returned by the last request. Should be used instead
of skip. With cursor, sorting is currently supported by createdAt, pid and
processStartTime.
limit optional Limit number of returned items (1-1000). Example: "10".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
sortby optional Events sorted by field. Example: "createdAt".
sortorder optional Event sorting order. Example: "asc".
subquery optional Create a sub query to run on the data that was already pulled

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
    Name Description Required Value
    totalItems Total number of items found matching your query true integer
    nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
    Name Description Required Value
    agentDomain Agent domain true string
    agentGroupId Agent group id true string
    agentId Agent id true string
    agentInfected Agent infected true boolean
    agentIp Agent ip true string
    agentIsActive Agent is active true boolean
    agentIsDecommissioned Agent is decommissioned true boolean
    agentMachineType Agent machine type true string
    agentName Agent name true string
    agentNetworkStatus Agent network status true string
    agentOs OS type true enum
    agentUuid Agent uuid true string
    agentVersion Agent version true string
    createdAt Created at true string
    id Id true string
    objectType Object type true string
    processName Process name true string
    siteName Site name true string
    user User true string
    connectionStatus Connection status false string
    direction Direction false string
    dnsRequest Dns request false string
    dnsResponse Dns response false string
    dstIp Dst ip false string
    dstPort Dst port false integer
    eventType Event type false string
    fileFullName File full name false string
    fileId File id false string
    fileMd5 File md5 false string
    fileSha1 File sha1 false string
    fileSha256 File sha256 false string
    fileSize File size false string
    fileType File type false string
    forensicUrl Forensic url false string
    indicatorCategory Indicator category false string
    indicatorDescription Indicator description false string
    indicatorMetadata Indicator metadata false string
    indicatorName Indicator name false string
    isAgentVersionFullySupportedForPg Is agent version fully supported for pg false boolean
    isAgentVersionFullySupportedForPgMessage Is agent version fully supported for pg message false string
    loginsBaseType Logins base type false string
    loginsUserName Logins user name false string
    md5 Md5 false string
    networkMethod Network method false string
    networkSource Network source false string
    networkUrl Network url false string
    oldFileMd5 Old file md5 false string
    oldFileName Old file name false string
    oldFileSha1 Old file sha1 false string
    oldFileSha256 Old file sha256 false string
    parentPid Parent pid false string
    parentProcessGroupId Parent process group id false string
    parentProcessIsMalicious Parent process is malicious false boolean
    parentProcessName Parent process name false string
    parentProcessStartTime Parent process start time false string
    parentProcessUniqueKey Parent process unique key false string
    pid Pid false string
    processCmd Process cmd false string
    processDisplayName Process display name false string
    processGroupId Process group id false string
    processImagePath Process image path false string
    processImageSha1Hash Process image sha1 hash false string
    processIntegrityLevel Process integrity level false string
    processIsMalicious Process is malicious false boolean
    processIsRedirectedCommandProcessor Process is redirected command processor false string
    processIsWow64 Process is wow64 false string
    processRoot Process root false string
    processSessionId Process session id false string
    processStartTime Process start time false string
    processSubSystem Process sub system false string
    processUniqueKey Process unique key false string
    processUserName Process user name false string
    publisher Publisher false string
    registryId Registry id false string
    registryPath Registry path false string
    relatedToThreat Related to threat false string
    rpid Rpid false string
    sha1 Sha1 false string
    sha256 Sha256 false string
    signatureSignedInvalidReason Signature signed invalid reason false string
    signedStatus Signed status false string
    srcIp Src ip false string
    srcPort Src port false integer
    srcProcDownloadToken Src proc download token false string
    taskName Task name false string
    taskPath Task path false string
    threatStatus Threat status false string
    tid Tid false string
    trueContext True context false string
    verifiedStatus Verified status false string
errors Errors false array

Create a Power Query and Get QueryId
POST /web/api/v2.1/dv/events/pq

Start a Deep Visibility Power Query, get back status and potential results (ping afterwards using the queryId if query has not finished)

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    progress Query loading status in percentage true integer
    queryId Query Id true string
    status Status true enum
    columns includes the name of the column and its type false
        Name Description Required Value
        false object
    data Includes actual searched data false
        Name Description Required Value
        false undefined []
    externalId External Query Id false string
    recommendations possible action items to improve query results false string []
errors Errors false array

Body Schema
Name Description Required Value
fromDate Events created after this timestamp true string
query Events matching the query search term will be returned true string
toDate Events created before or at this timestamp true string
accountIds List of Account IDs to filter by false string []
limit Limit number of returned items (1-100000) false integer
siteIds List of Site IDs to filter by false string []

Ping a Power Query if results haven't been retrieved
GET /web/api/v2.1/dv/events/pq-ping

Ping a Deep Visibility Power Query using the queryId if results have not returned from an initial Power Query or a previous ping

Parameters
queryid optional QueryId query param

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    progress Query loading status in percentage true integer
    queryId Query Id true string
    status Status true enum
    columns includes the name of the column and its type false
        Name Description Required Value
        false object
    data Includes actual searched data false
        Name Description Required Value
        false undefined []
    externalId External Query Id false string
    recommendations possible action items to improve query results false string []
errors Errors false array

Download source process file
GET /web/api/v2.1/dv/fetch-file

Download the source process file associated with a Deep Visibility event.

Parameters
downloadtoken required Download token

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - File not found

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    downloadUrl Download link false string
    fileName File name false string
errors Errors false array

Device Control

Get Device Rules


GET /web/api/v2.1/device-control

Get the Device Control rules of a specified Account, Site, Group or Global (tenant) that match the filter.

Parameters
accesspermissions optional Access permission in. Example: "Read-Only".
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
actions optional Return device rules with the filtered action. Example: "Allow".
bluetoothaddresses optional Return device rules with the filtered bluetooth addresses.
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
createdat__between optional Return device rules created within this range (inclusive). Example:
"1514978764288-1514978999999".
createdat__gt optional Return device rules created after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__gte optional Return device rules created after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lt optional Return device rules created before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lte optional Return device rules created before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
deviceclasses optional Return device rules with the filtered device class. Example: "02h".
deviceids optional Return device rules with the filtered device id. Example: "02".
deviceinformationserviceinfokeys optional Return device rules with the filtered device information service info keys.
devicenames optional Return device rules with the filtered device names.
disablepagination optional If true, all rules for requested scope will be returned
gattservices optional Return device rules with the filtered GATT services.
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
ids optional List of ids to filter by. Example:
"225494730938493804,225494730938493915".
interfaces optional Return device rules with the filtered interface. Example: "USB".
limit optional Limit number of returned items (1-1000). Example: "10".
manufacturernames optional Return device rules with the filtered manufacturer names.
minorclasses optional Return device rules with the filtered minor classes.
productids optional Return device rules with the filtered product id. Example: "02".
query optional A free-text search term, will match applicable attributes.
rulename optional Return device rules with the filtered rule name.
scopes optional Return only device rules in this scope. Example: "account".
serviceclasses optional Return device rules with the filtered service class. Example: "02".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
statuses optional Return device rules with the filtered status. Example: "Enabled".
tenant optional Indicates a tenant scope request
uids optional Return device rules with the filtered uId.
vendorids optional Return device rules with the filtered vendor id.
versions optional Return device rules with the filtered versions.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
    Name Description Required Value
    totalItems Total number of items found matching your query true integer
    nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
    Name Description Required Value
    accessPermission Access permission false enum
    action Defines if agent shall Block or Allow use of devices which matches the rule parameters. false enum
    bluetoothAddress Bluetooth Address false string
    createdAt Date of rule creation false string
    creator Full name of the creating user false string
    creatorId Id of the creating user false string
    deviceClass The Device Class key. Valid for all rule types. false string
    deviceClassName The Device Class name. Valid for all rule types. false
    deviceId The id of the physical device connected to the interface. false string
    deviceInformationServiceInfoKey Device Information Service Info Key false string
    deviceInformationServiceInfoValue Device Information Service Info Value false string
    deviceName Device Name false string
    editable True if the rule can be modified at this scope level false boolean
    gattService GATT Service IDs false string []
    id Rule ID false string
    interface The physical bus type of the device. false enum
    manufacturerName Manufacturer Name false string
    minorClasses List of Bluetooth minor classes false string []
    order Position in the list of rules false integer
    productId Product identifier. Unique for a specific product module, per vendor ID, Interface. false string
    ruleName The name of the device rule. false string
    ruleType Defines a set of fields that are mandatory. false enum
    scope Scope of the rule false enum
    scopeId The id representing a group or a site dependent on the scope false string
    scopeName Extended name of the scope false string
    status Defines if rule is Enabled or Disabled. false enum
    uid Relevant USB Mass storage devices only (Interface=USB, Class=mass storage). false string
    updatedAt Date of last update false string
    vendorId Vendor identifier. Mandatory when rule type is vendor id or product id. false string
    version Vendor identifier. Mandatory when rule type is vendor id or product id. false string
errors Errors false array
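
A review pass over the rules this endpoint returns, as an added example that is not part of the SentinelOne documentation: it flags enabled Allow rules that name no specific hardware, enabled USB Allow rules that are not Read-Only, and Block rules left Disabled. The finding names, the choice of identifier fields and the sample rules are assumptions of this example; the field names and the values "Allow", "Block", "Enabled", "Disabled", "USB" and "Read-Only" come from the page.

```python
# Constructed sample of the "data" array from GET /web/api/v2.1/device-control.
# Field names follow the Response Schema above; every value is made up.
SAMPLE_RULES = [
    {"id": "1003", "order": 3, "ruleName": "Issued drive, read only", "action": "Allow",
     "status": "Enabled", "interface": "USB", "accessPermission": "Read-Only",
     "vendorId": "02", "productId": "02", "uid": "CONSTRUCTED-UID-0001", "scope": "account"},
    {"id": "1001", "order": 1, "ruleName": "Allow all USB", "action": "Allow",
     "status": "Enabled", "interface": "USB", "accessPermission": None,
     "vendorId": None, "productId": None, "uid": None, "scope": "account"},
    {"id": "1002", "order": 2, "ruleName": "Block vendor 02", "action": "Block",
     "status": "Disabled", "interface": "USB", "accessPermission": None,
     "vendorId": "02", "productId": None, "uid": None, "scope": "account"},
    {"id": "1004", "order": 4, "ruleName": "Vendor 02 full access", "action": "Allow",
     "status": "Enabled", "interface": "USB", "accessPermission": None,
     "vendorId": "02", "productId": None, "uid": None, "scope": "account"},
]

# Fields that tie a rule to particular hardware rather than to a whole interface.
# Which fields count as "identifying" is this example's choice.
IDENTIFIER_FIELDS = ("vendorId", "productId", "deviceId", "uid", "bluetoothAddress",
                     "deviceName", "manufacturerName")


def audit_rules(rules):
    """Return (rule id, finding, detail) tuples in rule-list order."""
    findings = []
    for rule in sorted(rules, key=lambda r: r.get("order") or 0):
        enabled = rule.get("status") == "Enabled"
        action = rule.get("action")
        pinned = [field for field in IDENTIFIER_FIELDS if rule.get(field)]
        if action == "Allow" and enabled:
            if not pinned:
                # No vendor, product or device identifier: the rule covers the interface.
                detail = (f"allows every {rule.get('interface')} device "
                          f"in scope {rule.get('scope')}")
                findings.append((rule["id"], "broad-allow", detail))
            elif rule.get("interface") == "USB" and rule.get("accessPermission") != "Read-Only":
                # Identified hardware, but nothing limits it to reading.
                findings.append((rule["id"], "allow-not-read-only",
                                 "identified by " + ", ".join(pinned)))
        elif action == "Block" and not enabled:
            # A Block rule that is switched off protects nothing.
            findings.append((rule["id"], "block-disabled",
                             f"rule {rule.get('ruleName')!r} is Disabled"))
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```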

Create Device Control Rule
POST /web/api/v2.1/device-control

Use this command to create a new Device Control rule. These rules allow or block devices, based on device identifiers. Rules apply to a scope: Global (tenant), Account,
Site, or Group. To learn details of the fields, see https://support.sentinelone.com/hc/en-us/articles/360023338494.
Recommended: Before you begin, see Device Control Known Limitations: https://support.sentinelone.com/hc/en-us/articles/360021104114.
Device Control requires Control SKU. Linux Agents do not support Device Control.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    accessPermission Access permission false enum
    action Defines if agent shall Block or Allow use of devices which matches the rule parameters. false enum
    bluetoothAddress Bluetooth Address false string
    createdAt Date of rule creation false string
    creator Full name of the creating user false string
    creatorId Id of the creating user false string
    deviceClass The Device Class key. Valid for all rule types. false string
    deviceClassName The Device Class name. Valid for all rule types. false
    deviceId The id of the physical device connected to the interface. false string
    deviceInformationServiceInfoKey Device Information Service Info Key false string
    deviceInformationServiceInfoValue Device Information Service Info Value false string
    deviceName Device Name false string
    editable True if the rule can be modified at this scope level false boolean
    gattService GATT Service IDs false string []
    id Rule ID false string
    interface The physical bus type of the device. false enum
    manufacturerName Manufacturer Name false string
    minorClasses List of Bluetooth minor classes false string []
    order Position in the list of rules false integer
    productId Product identifier. Unique for a specific product module, per vendor ID, Interface. false string
    ruleName The name of the device rule. false string
    ruleType Defines a set of fields that are mandatory. false enum
    scope Scope of the rule false enum
    scopeId The id representing a group or a site dependent on the scope false string
    scopeName Extended name of the scope false string
    status Defines if rule is Enabled or Disabled. false enum
    uid Relevant USB Mass storage devices only (Interface=USB, Class=mass storage). false string
    updatedAt Date of last update false string
    vendorId Vendor identifier. Mandatory when rule type is vendor id or product id. false string
    version Vendor identifier. Mandatory when rule type is vendor id or product id. false string
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    action Defines if agent shall Block or Allow use of devices which matches the rule parameters. true enum
    interface The physical bus type of the device. true enum
    ruleName The name of the device rule. true string
    ruleType Rule type. Depending on the type, each rule requires different parameters. true enum
    status Defines if rule is Enabled or Disabled. true enum
    accessPermission Access permission false enum
    bluetoothAddress Bluetooth Address false string
    deviceClass The Device Class false string
    deviceId Physical device identifier. Mandatory when rule type is device id. false string
    deviceInformationServiceInfoKey Device Information Service Info Key false string
    deviceInformationServiceInfoValue Device Information Service Info Value false string
    deviceName Device Name false string
    gattService Gatt service false string []
    manufacturerName Manufacturer Name false string
    minorClasses Minor classes false string []
    productId Product identifier. Unique for a specific product module, per vendor ID, Interface. false string
    serviceClass Relevant for Bluetooth devices only false string
    uid Relevant USB Mass storage devices only (Interface=USB, Class=mass storage). false string
    vendorId Vendor identifier. Mandatory when rule type is vendor id or product id. false string
    version The version of the device. false string
filter Filter true
    Name Description Required Value
    accountIds List of Account IDs to filter by false string []
    groupIds List of Group IDs to filter by false string []
    siteIds List of Site IDs to filter by false string []
    tenant Indicates a tenant scope request false boolean

Delete Rules
DELETE /web/api/v2.1/device-control

Delete Device Control rules that match the filter.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    affected Number of entities affected by the requested operation false integer
errors Errors false array

Body Schema
Name Description Required Value
filter Filter true
    Name Description Required Value
    accessPermissions Access permission in false string []
    accountIds List of Account IDs to filter by false string []
    actions Return device rules with the filtered action. false string []
    bluetoothAddresses Return device rules with the filtered bluetooth addresses. false string []
    createdAt__between Return device rules created within this range (inclusive) false string
    createdAt__gt Return device rules created after this timestamp. false string
    createdAt__gte Return device rules created after or at this timestamp. false string
    createdAt__lt Return device rules created before this timestamp. false string
    createdAt__lte Return device rules created before or at this timestamp. false string
    deviceClasses Return device rules with the filtered device class. false string []
    deviceIds Return device rules with the filtered device id. false string []
    deviceInformationServiceInfoKeys Return device rules with the filtered device information service info keys. false string []
    deviceNames Return device rules with the filtered device names. false string []
    gattServices Return device rules with the filtered GATT services. false string []
    groupIds List of Group IDs to filter by false string []
    ids List of ids to filter by false string []
    interfaces Return device rules with the filtered interface. false string []
    manufacturerNames Return device rules with the filtered manufacturer names. false string []
    minorClasses Return device rules with the filtered minor classes. false string []
    productIds Return device rules with the filtered product id. false string []
    query A free-text search term, will match applicable attributes. false string
    ruleName Return device rules with the filtered rule name. false string
    scopes Return only device rules in this scope false string []
    serviceClasses Return device rules with the filtered service class. false string []
    siteIds List of Site IDs to filter by false string []
    statuses Return device rules with the filtered status. false string []
    tenant Indicates a tenant scope request false boolean
    uids Return device rules with the filtered uId. false string []
    vendorIds Return device rules with the filtered vendor id. false string []
    versions Return device rules with the filtered versions. false string []

Update Device Rule
PUT /web/api/v2.1/device-control/{rule_id}

Change the Device Control rule that matches the filter. To learn more about the fields, see https://support.sentinelone.com/hc/en-us/articles/360023338494.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Device rule not found

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    accessPermission Access permission false enum
    action Defines if agent shall Block or Allow use of devices which matches the rule parameters. false enum
    bluetoothAddress Bluetooth Address false string
    createdAt Date of rule creation false string
    creator Full name of the creating user false string
    creatorId Id of the creating user false string
    deviceClass The Device Class key. Valid for all rule types. false string
    deviceClassName The Device Class name. Valid for all rule types. false
    deviceId The id of the physical device connected to the interface. false string
    deviceInformationServiceInfoKey Device Information Service Info Key false string
    deviceInformationServiceInfoValue Device Information Service Info Value false string
    deviceName Device Name false string
    editable True if the rule can be modified at this scope level false boolean
    gattService GATT Service IDs false string []
    id Rule ID false string
    interface The physical bus type of the device. false enum
    manufacturerName Manufacturer Name false string
    minorClasses List of Bluetooth minor classes false string []
    order Position in the list of rules false integer
    productId Product identifier. Unique for a specific product module, per vendor ID, Interface. false string
    ruleName The name of the device rule. false string
    ruleType Defines a set of fields that are mandatory. false enum
    scope Scope of the rule false enum
    scopeId The id representing a group or a site dependent on the scope false string
    scopeName Extended name of the scope false string
    status Defines if rule is Enabled or Disabled. false enum
    uid Relevant USB Mass storage devices only (Interface=USB, Class=mass storage). false string
    updatedAt Date of last update false string
    vendorId Vendor identifier. Mandatory when rule type is vendor id or product id. false string
    version Vendor identifier. Mandatory when rule type is vendor id or product id. false string
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    accessPermission Access permission false enum
    action Defines if agent shall Block or Allow use of devices which matches the rule parameters. false enum
    bluetoothAddress Bluetooth Address false string
    deviceClass The Device Class false string
    deviceId Physical device identifier. Mandatory when rule type is device id. false string
    deviceInformationServiceInfoKey Device Information Service Info Key false string
    deviceInformationServiceInfoValue Device Information Service Info Value false string
    deviceName Device Name false string
    gattService Gatt service false string []
    interface Defines the Physical bus type of the Device. false enum
    manufacturerName Manufacturer Name false string
    minorClasses Minor classes false string []
    productId Product identifier. Unique for a specific product module, per vendor ID, Interface. false string
    ruleName The name of the device rule. false string
    ruleType Rule type. Depending on the type, each rule requires different parameters. false enum
    serviceClass Relevant for Bluetooth devices only false string
    status Defines if rule is Enabled or Disabled. false enum
    uid Relevant USB Mass storage devices only (Interface=USB, Class=mass storage). false string
    vendorId Vendor identifier. Mandatory when rule type is vendor id or product id. false string
    version The version of the device. false string

Copy Rules
POST /web/api/v2.1/device-control/copy-rules

You can copy a set of Device Control rules to use in other Accounts, Sites, or Groups. Copy the rules from a source Group, Site, or Account to target Groups, Sites, or Accounts.
Define the rules to copy with the filters. To get the values for devices, run "unscoped". To get Account IDs, run "accounts". To get Site IDs, run "sites".
Device Control requires Control SKU. Linux Agents do not support Device Control.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false Name Description Required Value
affected Number of entities affected by the requested operation false integer

errors Errors false array

Body Schema
Name Description Required Value
filter Filter true Name Description Required Value
accessPermissions Access permission in false string []
accountIds List of Account IDs to filter by false string []
actions Return device rules with the filtered action. false string []
bluetoothAddresses Return device rules with the filtered bluetooth addresses. false string []
createdAt__between Return device rules created within this range (inclusive) false string
createdAt__gt Return device rules created after this timestamp. false string
createdAt__gte Return device rules created after or at this timestamp. false string
createdAt__lt Return device rules created before this timestamp. false string
createdAt__lte Return device rules created before or at this timestamp. false string
deviceClasses Return device rules with the filtered device class. false string []
deviceIds Return device rules with the filtered device id. false string []
deviceInformationServiceInfoKeys Return device rules with the filtered device information service info keys. false string []
deviceNames Return device rules with the filtered device names. false string []
gattServices Return device rules with the filtered GATT services. false string []
groupIds List of Group IDs to filter by false string []
ids List of ids to filter by false string []
interfaces Return device rules with the filtered interface. false string []
manufacturerNames Return device rules with the filtered manufacturer names. false string []
minorClasses Return device rules with the filtered minor classes. false string []
productIds Return device rules with the filtered product id. false string []
query A free-text search term, will match applicable attributes. false string
ruleName Return device rules with the filtered rule name. false string
scopes Return only device rules in this scope false string []
serviceClasses Return device rules with the filtered service class. false string []
siteIds List of Site IDs to filter by false string []
statuses Return device rules with the filtered status. false string []
tenant Indicates a tenant scope request false boolean
uids Return device rules with the filtered uId. false string []
vendorIds Return device rules with the filtered vendor id. false string []
versions Return device rules with the filtered versions. false string []

data Data false Name Description Required Value
accountId Target account (or "null" for global scope) false string
groupIds Target group(s) false string []
siteId Target site (or "null" for global scope) false string

Move rules
POST /web/api/v2.1/device-control/move-rules

You can move a set of Device Control rules to other Accounts, Sites, or Groups. This command removes the rule from the source and copies to the targets.
Define the rules to copy with the filters. To get the values for devices, run "unscoped". To get Account IDs, run "accounts". To get Site IDs, run "sites".
Device Control requires Control SKU. Linux Agents do not support Device Control.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false Name Description Required Value
affected Number of entities affected by the requested operation false integer

errors Errors false array

Body Schema
Name Description Required Value
filter Filter true Name Description Required Value
accessPermissions Access permission in false string []
accountIds List of Account IDs to filter by false string []
actions Return device rules with the filtered action. false string []
bluetoothAddresses Return device rules with the filtered bluetooth addresses. false string []
createdAt__between Return device rules created within this range (inclusive) false string
createdAt__gt Return device rules created after this timestamp. false string
createdAt__gte Return device rules created after or at this timestamp. false string
createdAt__lt Return device rules created before this timestamp. false string
createdAt__lte Return device rules created before or at this timestamp. false string
deviceClasses Return device rules with the filtered device class. false string []
deviceIds Return device rules with the filtered device id. false string []
deviceInformationServiceInfoKeys Return device rules with the filtered device information service info keys. false string []
deviceNames Return device rules with the filtered device names. false string []
gattServices Return device rules with the filtered GATT services. false string []
groupIds List of Group IDs to filter by false string []
ids List of ids to filter by false string []
interfaces Return device rules with the filtered interface. false string []
manufacturerNames Return device rules with the filtered manufacturer names. false string []
minorClasses Return device rules with the filtered minor classes. false string []
productIds Return device rules with the filtered product id. false string []
query A free-text search term, will match applicable attributes. false string
ruleName Return device rules with the filtered rule name. false string
scopes Return only device rules in this scope false string []
serviceClasses Return device rules with the filtered service class. false string []
siteIds List of Site IDs to filter by false string []
statuses Return device rules with the filtered status. false string []
tenant Indicates a tenant scope request false boolean
uids Return device rules with the filtered uId. false string []
vendorIds Return device rules with the filtered vendor id. false string []
versions Return device rules with the filtered versions. false string []

data Data false Name Description Required Value
accountId Target account (or "null" for global scope) false string
groupIds Target group(s) false string []
siteId Target site (or "null" for global scope) false string

Reorder Rules
PUT /web/api/v2.1/device-control/reorder

When an external device connects to an endpoint, the SentinelOne Agent looks at the rules based on their order in the Device Control policy, from the top to the bottom.
When the Agent finds a rule that matches the device identifiers of a connected device, that rule is applied. The Agent does not continue to the lower rules in the list.
Use this command to change the order of rules for a specific scope.
Device Control requires Control SKU. Linux Agents do not support Device Control.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false Name Description Required Value
success Indicates a successful operation false boolean

errors Errors false array

Body Schema
Name Description Required Value
filter Filter true Name Description Required Value
interface The physical bus type of the device. true enum
accountIds List of Account IDs to filter by false string []
groupIds List of Group IDs to filter by false string []
siteIds List of Site IDs to filter by false string []
tenant Indicates a tenant scope request false boolean

data Data false Name Description Required Value
id Rule ID true string
order Desired position in the list of rules true integer
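
The top-to-bottom, first-match behaviour described for Reorder Rules means a broad Allow rule placed above a narrower Block rule silently disables the Block. The sketch below is an added example, not SentinelOne code: it models that evaluation on a constructed policy, reports shadowed rules, and builds a reorder body from the "filter" and "data" fields in the schema above. Assumptions: a rule matches when the interface is equal and every identifier it sets equals the device's value, "data" is sent as a list, and positions start at 1.

```python
# Added example: first-match evaluation and the reorder request body.
# Assumption (not stated in the API reference): a rule matches a device when
# the interface is equal and every identifier the rule sets equals the
# device's value for that field.

IDENTIFIER_FIELDS = ("vendorId", "productId", "deviceClass", "uid")

# Constructed sample policy for one scope, listed top to bottom.
RULES = [
    {"id": "1001", "ruleName": "Allow all mass storage", "interface": "USB",
     "action": "Allow", "status": "Enabled", "deviceClass": "08h"},
    {"id": "1002", "ruleName": "Block one vendor", "interface": "USB",
     "action": "Block", "status": "Enabled", "deviceClass": "08h",
     "vendorId": "0781"},
    {"id": "1003", "ruleName": "Old test rule", "interface": "USB",
     "action": "Block", "status": "Disabled", "vendorId": "1234"},
]


def _constraints(rule):
    """Identifier fields the rule actually sets."""
    return {f: rule[f] for f in IDENTIFIER_FIELDS if rule.get(f)}


def rule_matches(rule, device):
    """Enabled rule, same interface, and every set identifier equal."""
    if rule["status"] != "Enabled" or rule["interface"] != device["interface"]:
        return False
    wanted = _constraints(rule)
    return bool(wanted) and all(device.get(f) == v for f, v in wanted.items())


def first_match(rules, device):
    """Walk the list from the top; the first matching rule wins."""
    for rule in rules:
        if rule_matches(rule, device):
            return rule
    return None


def covers(upper, lower):
    """True if every device that matches `lower` also matches `upper`."""
    if upper["interface"] != lower["interface"]:
        return False
    wanted = _constraints(upper)
    return bool(wanted) and all(lower.get(f) == v for f, v in wanted.items())


def shadowed_rules(rules):
    """(shadowed_id, shadowing_id) pairs: enabled rules that can never fire."""
    enabled = [r for r in rules if r["status"] == "Enabled"]
    pairs = []
    for i, lower in enumerate(enabled):
        for upper in enabled[:i]:
            if covers(upper, lower):
                pairs.append((lower["id"], upper["id"]))
                break
    return pairs


def move_to_top(rules, rule_id):
    """Return a new ordering with `rule_id` first and the rest unchanged."""
    moved = [r for r in rules if r["id"] == rule_id]
    if not moved:
        raise KeyError(rule_id)
    return moved + [r for r in rules if r["id"] != rule_id]


def reorder_body(rules, interface, scope_filter):
    """Body for PUT /web/api/v2.1/device-control/reorder.

    Assumed shape: "data" is a list of {"id", "order"} and order starts at 1.
    """
    return {
        "filter": {"interface": interface, **scope_filter},
        "data": [{"id": r["id"], "order": pos}
                 for pos, r in enumerate(rules, start=1)],
    }


if __name__ == "__main__":
    stick = {"interface": "USB", "deviceClass": "08h", "vendorId": "0781"}
    print("before:", first_match(RULES, stick)["action"], shadowed_rules(RULES))
    fixed = move_to_top(RULES, "1002")
    print("after: ", first_match(fixed, stick)["action"], shadowed_rules(fixed))
    print(reorder_body(fixed, "USB", {"siteIds": ["225494730938493804"]}))
```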

Get Configuration
GET /web/api/v2.1/device-control/configuration

Get Device Control configuration for a given scope.


To filter the results for a scope:
* Global - Make sure "tenant" is "true" and no other scope ID is given.
* Account - Make sure "tenant" is "false" and at least one Account ID is given.
* Site - Make sure "tenant" is "false" and at least one Site ID is given.
Device Control requires Control SKU. It is not supported on Linux.

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false Name Description Required Value
disableBleCommunication Disable Bluetooth LE Communication false boolean
disableRfcomm Disable RFCOMM for Bluetooth devices false boolean
disallowAccessPermissionControl Disallow access permission control (i.e. treat Read-Only rules as Read-Write) false boolean
enabled Device control enabled for the scope false boolean
inheritedFrom If null it means it is own policy else it will be site or global to state which policy is being inherited. false string
inherits True if rules are decoupled from parent rules false boolean
reportApproved Agent should report connected/disconnected events false boolean
reportBlocked Agent should report blocked events false boolean
reportReadOnly Agent should report 'connected as read-only' events false boolean

errors Errors false array

Update Configuration
PUT /web/api/v2.1/device-control/configuration

Use this command to change the Device Control configuration. Enter a Group ID, Site ID, Account ID, or "tenant = true". If you select only tenant, and the other scopes are empty, the change is applied to the Global policy.
Device Control requires Control SKU. It is not supported on Linux.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false Name Description Required Value
disableBleCommunication Disable Bluetooth LE Communication false boolean
disableRfcomm Disable RFCOMM for Bluetooth devices false boolean
disallowAccessPermissionControl Disallow access permission control (i.e. treat Read-Only rules as Read-Write) false boolean
enabled Device control enabled for the scope false boolean
inheritedFrom If null it means it is own policy else it will be site or global to state which policy is being inherited. false string
inherits True if rules are decoupled from parent rules false boolean
reportApproved Agent should report connected/disconnected events false boolean
reportBlocked Agent should report blocked events false boolean
reportReadOnly Agent should report 'connected as read-only' events false boolean

errors Errors false array

Body Schema
Name Description Required Value
data Data true Name Description Required Value
disableBleCommunication Disable Bluetooth LE Communication false boolean
disableRfcomm Disable RFCOMM for Bluetooth devices false boolean
disallowAccessPermissionControl Disallow access permission control (i.e. treat Read-Only rules as Read-Write) false boolean
enabled Device control enabled for the scope false boolean
inheritedFrom If null it means it is own policy else it will be site or global to state which policy is being inherited. false string
inherits True if rules are decoupled from parent rules false boolean
reportApproved Agent should report connected/disconnected events false boolean
reportBlocked Agent should report blocked events false boolean
reportReadOnly Agent should report 'connected as read-only' events false boolean

filter Filter true Name Description Required Value
accountIds List of Account IDs to filter by false string []
groupIds List of Group IDs to filter by false string []
siteIds List of Site IDs to filter by false string []
tenant Indicates a tenant scope request false boolean

Export Rules
GET /web/api/v2.1/device-control/export

Export Device Control rules to a CSV file.

Parameters
accesspermissions optional Access permission in. Example: "Read-Only".
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
actions optional Return device rules with the filtered action. Example: "Allow".
bluetoothaddresses optional Return device rules with the filtered bluetooth addresses.
createdat__between optional Return device rules created within this range (inclusive). Example: "1514978764288-1514978999999".
createdat__gt optional Return device rules created after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__gte optional Return device rules created after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lt optional Return device rules created before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lte optional Return device rules created before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
deviceclasses optional Return device rules with the filtered device class. Example: "02h".
deviceids optional Return device rules with the filtered device id. Example: "02".
deviceinformationserviceinfokeys optional Return device rules with the filtered device information service info keys.
devicenames optional Return device rules with the filtered device names.
gattservices optional Return device rules with the filtered GATT services.
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
ids optional List of ids to filter by. Example: "225494730938493804,225494730938493915".
interfaces optional Return device rules with the filtered interface. Example: "USB".
manufacturernames optional Return device rules with the filtered manufacturer names.
minorclasses optional Return device rules with the filtered minor classes.
productids optional Return device rules with the filtered product id. Example: "02".
query optional A free-text search term, will match applicable attributes.
rulename optional Return device rules with the filtered rule name.
scopes optional Return only device rules in this scope. Example: "account".
serviceclasses optional Return device rules with the filtered service class. Example: "02".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
statuses optional Return device rules with the filtered status. Example: "Enabled".
tenant optional Indicates a tenant scope request
uids optional Return device rules with the filtered uId.
vendorids optional Return device rules with the filtered vendor id.
versions optional Return device rules with the filtered versions.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Get Device Control Events


GET /web/api/v2.1/device-control/events

Get the data of Device Control events on Windows and macOS endpoints with Device Control-enabled Agents that match the filter.
Device Control requires Control SKU. Linux Agents do not support Device Control.

Parameters
access_permissions optional Access permission in. Example: "Read-Only".
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
agentids optional List of agent Ids to filter by
countonly optional If true, only total number of items will be returned, without any of the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
deviceclasses optional List of device classes to filter by. Example: "02h".
deviceids optional List of device IDs to filter by
eventids optional List of event IDs to filter by
eventtime__between optional Return events created within this range (inclusive). Example: "1514978764288-1514978999999".
eventtime__gt optional Return events generated after this time. Example: "2018-02-27T04:49:26.257525Z".
eventtime__gte optional Return events generated after or at this time. Example: "2018-02-27T04:49:26.257525Z".
eventtime__lt optional Return events generated before this time. Example: "2018-02-27T04:49:26.257525Z".
eventtime__lte optional Return events generated before or at this time. Example: "2018-02-27T04:49:26.257525Z".
eventtypes optional List of event types to filter by.
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
ids optional List of IDs to filter by. Example: "225494730938493804,225494730938493915".
interfaces optional List of interfaces to filter by. Example: "USB".
limit optional Limit number of returned items (1-1000). Example: "10".
productids optional List of product IDs to filter by. Example: "02".
query optional A free-text search term, will match applicable attributes.
serviceclasses optional List of service classes to filter by. Example: "02".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
tenant optional Indicates a tenant scope request
uids optional List of uIds to filter by.
vendorids optional List of vendor IDs to filter by.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true Name Description Required Value
totalItems Total number of items found matching your query true integer
nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string

data Response data false Name Description Required Value
accessPermission Access permission false enum
agentId Agent id false string
computerName Computer name false string
createdAt Created at false string
deviceClass Device class false string
deviceId Device id false string
deviceName Device name false string
eventId Event id false string
eventTime Event time false string
eventType Event type false string
id Id false string
interface Interface false enum
lastLoggedInUserName Last logged in user name false string
lmpVersion Lmp version false string
minorClass Minor class false string
productId Product id false string
profileUuids Profile uuids false string
ruleId Rule id false string
serviceClass Service class false string
uId U id false string
updatedAt Updated at false string
vendorId Vendor id false string

errors Errors false array

Enable/Disable Rules
PUT /web/api/v2.1/device-control/enable

It is best practice to disable a rule rather than delete it. Use this command to change the status of a rule between Enabled and Disabled.
Note: On Windows, if a USB device is already connected to an endpoint, new rules and rule changes do not affect it. USB rules will apply the next time the device connects to the endpoint. For Windows Bluetooth rules, the device and endpoint must be paired after the SentinelOne Agent that supports Bluetooth is installed or upgraded. If the endpoint and device were already paired before the Agent supported bluetooth, reboot the endpoint to activate the rule, or re-pair the endpoint and device.
On macOS, changes apply to devices that are already connected to an endpoint.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false Name Description Required Value
affected Number of entities affected by the requested operation false integer

errors Errors false array

Body Schema
Name Description Required Value
data Data true Name Description Required Value
status should the rules be enabled/disabled true enum

filter Filter true Name Description Required Value
accessPermissions Access permission in false string []
accountIds List of Account IDs to filter by false string []
actions Return device rules with the filtered action. false string []
bluetoothAddresses Return device rules with the filtered bluetooth addresses. false string []
createdAt__between Return device rules created within this range (inclusive) false string
createdAt__gt Return device rules created after this timestamp. false string
createdAt__gte Return device rules created after or at this timestamp. false string
createdAt__lt Return device rules created before this timestamp. false string
createdAt__lte Return device rules created before or at this timestamp. false string
deviceClasses Return device rules with the filtered device class. false string []
deviceIds Return device rules with the filtered device id. false string []
deviceInformationServiceInfoKeys Return device rules with the filtered device information service info keys. false string []
deviceNames Return device rules with the filtered device names. false string []
gattServices Return device rules with the filtered GATT services. false string []
groupIds List of Group IDs to filter by false string []
ids List of ids to filter by false string []
interfaces Return device rules with the filtered interface. false string []
manufacturerNames Return device rules with the filtered manufacturer names. false string []
minorClasses Return device rules with the filtered minor classes. false string []
productIds Return device rules with the filtered product id. false string []
query A free-text search term, will match applicable attributes. false string
ruleName Return device rules with the filtered rule name. false string
scopes Return only device rules in this scope false string []
serviceClasses Return device rules with the filtered service class. false string []
siteIds List of Site IDs to filter by false string []
statuses Return device rules with the filtered status. false string []
tenant Indicates a tenant scope request false boolean
uids Return device rules with the filtered uId. false string []
vendorIds Return device rules with the filtered vendor id. false string []
versions Return device rules with the filtered versions. false string []

Exclusions and Blocklist

Import Exclusions
POST /web/api/v2.1/exclusions/import

Upload a CSV file that contains exclusion entries to import to a scope in your Management

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false Name Description Required Value
reportId The ID of the Validation Report generated for the import. It can help you fix entries that did not import successfully. false string
succeeded The number of entries that imported successfully false integer
total The number of rows in the file false integer

errors Errors false array

Body Schema
Name Description Required Value
formData false Name Description Required Value
file The input CSV file true file
filter The details of the scope where the entities will be imported, for example: For Global - '{"tenant":true}'; For an Account - '{"accountIds": ["225494730938493804"]}'; For a Site - '{"siteIds": ["225494730938493804"]}'; For a Group - '{"groupIds": ["225494730938493804"]}' false string

Get Exclusion Import Validation Report
GET /web/api/v2.1/exclusions/report/{report_id}

Get the Validation Report generated for the import to help you fix entries that did not import successfully

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

Import Blocklist Items


POST /web/api/v2.1/restrictions/import

Upload a CSV file that contains blocklist entries to import to a scope in your Management

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false Name Description Required Value
reportId The ID of the Validation Report generated for the import. It can help you fix entries that did not import successfully. false string
succeeded The number of entries that imported successfully false integer
total The number of rows in the file false integer

errors Errors false array

Body Schema
Name Description Required Value
formData false Name Description Required Value
file The input CSV file true file
filter The details of the scope where the entities will be imported, for example: For Global - '{"tenant":true}'; For an Account - '{"accountIds": ["225494730938493804"]}'; For a Site - '{"siteIds": ["225494730938493804"]}'; For a Group - '{"groupIds": ["225494730938493804"]}' false string

Get Blocklist Import Validation Report
GET /web/api/v2.1/restrictions/report/{report_id}

Get the Validation Report generated for the import to help you fix entries that did not import successfully

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

Get Exclusions
GET /web/api/v2.1/exclusions

Get a list of all the Exclusions that match the filter.


Note: To filter the results for a scope:
* Global - Make sure "tenant" is "true" and no other scope ID is given.
* Account - Make sure "tenant" is "false" and at least one Account ID is given.
* Site - Make sure "tenant" is "false" and at least one Site ID is given.

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
applicationname__contains optional Free-text filter by application name
countonly optional If true, only total number of items will be returned, without any of the actual objects.
createdat__between optional Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
createdat__gt optional Created after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__gte optional Created after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lt optional Created before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lte optional Created before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
description__contains optional Free-text filter by description
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
ids optional List of IDs to filter by. Example: "225494730938493804,225494730938493915".
imported optional indication whether the exclusion was imported by a bulk operation or not
inappinventory optional Found or Not found - indicates if this exclusion is related to an application found in the scope's Application Inventory.
includechildren optional Return filters from children scope levels (Default: false)
includeparents optional Return filters from parent scope levels (Default: false)
limit optional Limit number of returned items (1-1000). Example: "10".
modes optional List of modes to filter by (Path exclusions only). Example: "suppress".
modetype optional Agent interaction \ Suppression. Example: "all".
ostypes optional List of Os types to filter by. Example: "macos".
pathexclusiontypes optional List of excluded paths in an exclusion (Path exclusions only). Example: "file".
query optional A free-text search term, will match applicable attributes
recommendations optional List of recommendations to filter by. Example: "Not recommended".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
source optional List sources to filter by. Example: "user".
tenant optional Indicates a tenant scope request
type optional Type. Example: "path".
types optional Type in. Example: "path".
unified optional Unified
updatedat__between optional Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
updatedat__gt optional Updated after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
updatedat__gte optional Updated after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
updatedat__lt optional Updated before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
updatedat__lte optional Updated before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
user__contains optional Free-text filter by user name
userids optional List of user ids to filter by. Example: "225494730938493804,225494730938493915".
value optional Value
value__contains optional Free-text filter by value

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true Name Description Required Value
totalItems Total number of items found matching your query true integer
nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string

data Response data false Name Description Required Value
actions Actions to perform false string []
applicationName The Application name of exclusions created from the Exclusion Catalog. false string
createdAt Timestamp of item creation false string
description Description false string
id Id false string
imported indication whether the exclusion was imported by a bulk operation or not false boolean
inAppInventory Found or Not found - indicates if this exclusion is related to an application found in the scope's Application Inventory. false boolean
includeChildren Return filters from children scope levels (Default: false) false boolean
includeParents Return filters from parent scope levels (Default: false) false boolean
inject [DEPRECATED] Path exclusion monitor mode false boolean
mode Exclusion mode (path exclusion only) false enum
notRecommended Not recommended false string
osType os_type false enum
pathExclusionType Excluded path for a path exclusion list false enum
scope Scope false Name Description Required Value
accountIds Account ids false string []
groupIds Group ids false string []
siteIds Site ids false string []
tenant Tenant false boolean

scopeName Scope name false string
scopePath Scope path false string
source Source: cloud, user, action_from_threat, or catalog false enum
type type false string
updatedAt Timestamp of item update false string
userId ID of the creating user false string
userName Name of the creating user false string
value Sha1 if hash type or value according to the exclusion list type false string

errors Errors false array

Create Exclusion
POST /web/api/v2.1/exclusions

Create Exclusions to make your Agents suppress alerts and mitigation for items that you consider to be benign or which you require for interoperability.
IMPORTANT! Every Exclusion is a possible security hole. Do not create Exclusions unless you are sure this hash, path, certificate signer, file type, or browser is always benign.
Of course, if you can make the Exclusion by its hash or path, that is much more secure than excluding all detections of a specific signer, file type, or browser. We do not recommend the last types for Exclusions on production endpoints. These Exclusions might be helpful in a lab or pentester group. When you create an Exclusion, make sure you set the filter to the smallest possible scope. For example, if you can exclude security for this item on a group, do not enter values for siteIds or accountIds.
We recommend that you read "Not Recommended Exclusions": https://support.sentinelone.com/hc/en-us/articles/360007532894
and "Best Practices for Exclusions": https://support.sentinelone.com/hc/en-us/articles/360008709014

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  scope Scope true
    Name Description Required Value
    accountIds Account ids false string []
    groupIds Group ids false string []
    siteIds Site ids false string []
    tenant Tenant false boolean
  actions Actions to perform false string []
  createdAt Timestamp of exclusion item creation false string
  description Description false string
  id Id false string
  inject [DEPRECATED] Path exclusion monitor mode false boolean
  mode Exclusion mode (path exclusion only) false enum
  notRecommended Not recommended false string
  osType OS type false enum
  pathExclusionType Excluded path for a path exclusion list false enum
  scopeName Scope name false string
  source Source: cloud, user, action_from_threat, or catalog false enum
  type Type false string
  updatedAt Timestamp of exclusion item update false string
  userId ID of the creating user false string
  userName Name of the creating user false string
  value Sha1 if hash type or value according to the exclusion list type false string
errors Errors false array

Body Schema
Name Description Required Value
data Data true
  Name Description Required Value
  osType OS type true enum
  type Exclusion item type true enum
  value Valid values depend on the item type true
  actions Actions to perform false string []
  description Description false string
  inject [DEPRECATED] Path exclusion monitor mode false boolean
  mode Exclusion mode (path exclusion only) false enum
  pathExclusionType Excluded path for a path exclusion list false string
  source Source false string
filter Filter true
  Name Description Required Value
  accountIds List of Account IDs to filter by false string []
  groupIds List of Group IDs to filter by false string []
  siteIds List of Site IDs to filter by false string []
  tenant Indicates a tenant scope request false boolean
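
The following is an added example, not part of the SentinelOne documentation: it audits exclusion records shaped like the Get Exclusions response (fields "type", "scope", "notRecommended", "pagination.nextCursor") against the guidance above on narrow types and smallest scope. The fetch_page callable, the finding labels and the sample records are constructed for illustration, and the type values "path" and "white_hash" are assumed from the example values shown on this page.

```python
"""Audit exclusion records for the risks the Create Exclusion text warns about."""
from typing import Callable, Dict, Iterator, List, Optional

# Assumption: hash and path exclusions carry the type values "white_hash" and
# "path" (both appear as example values on this page). Any other type is
# treated as one of the broad kinds (signer, file type, browser).
NARROW_TYPES = {"path", "white_hash"}
# Scope keys from the response schema, widest first.
SCOPE_KEYS = ("tenant", "accountIds", "siteIds", "groupIds")


def iter_items(fetch_page: Callable[[Optional[str]], dict]) -> Iterator[dict]:
    """Yield every data item, following pagination.nextCursor to the last page."""
    cursor, seen = None, set()
    while True:
        page = fetch_page(cursor)
        yield from page.get("data") or []
        cursor = (page.get("pagination") or {}).get("nextCursor")
        # The last page reports a null cursor; also stop on a repeated cursor
        # so a misbehaving server cannot loop the audit forever.
        if not cursor or cursor == "null" or cursor in seen:
            return
        seen.add(cursor)


def widest_scope(scope: dict) -> str:
    """Return the widest scope key that is set on the record."""
    for key in SCOPE_KEYS:
        if scope.get(key):
            return key
    return "unknown"


def audit(item: dict) -> List[str]:
    """Return findings for one exclusion record (empty list means no finding)."""
    findings = []
    if item.get("type") not in NARROW_TYPES:
        findings.append("broad-type:%s" % item.get("type"))
    level = widest_scope(item.get("scope") or {})
    if level != "groupIds":
        findings.append("wide-scope:%s" % level)
    # Assumption: notRecommended holds a recommendation status in some spelling
    # ("None", "NOT_RECOMMENDED", ...); normalise it before comparing.
    rec = str(item.get("notRecommended") or "").replace("_", " ").strip().lower()
    if rec not in ("", "none"):
        findings.append("flagged:%s" % rec)
    return findings


def audit_all(fetch_page: Callable[[Optional[str]], dict]) -> Dict[str, List[str]]:
    """Map exclusion id -> findings for every record that has at least one."""
    report = {}
    for item in iter_items(fetch_page):
        findings = audit(item)
        if findings:
            report[item["id"]] = findings
    return report


# Constructed sample data: two pages as GET /web/api/v2.1/exclusions might
# return them. IDs, values and the "file_type" type are made up for the example.
_PAGES = {
    None: {
        "pagination": {"totalItems": 3, "nextCursor": "page-2"},
        "data": [
            {"id": "1001", "type": "white_hash", "notRecommended": "NONE",
             "value": "0123456789abcdef0123456789abcdef01234567",
             "scope": {"tenant": False, "groupIds": ["g1"]}},
            {"id": "1002", "type": "path", "notRecommended": "Not Recommended",
             "value": "/opt/buildtools/",
             "scope": {"tenant": True}},
        ],
    },
    "page-2": {
        "pagination": {"totalItems": 3, "nextCursor": None},
        "data": [
            {"id": "1003", "type": "file_type", "value": "tmp",
             "scope": {"tenant": False, "siteIds": ["s1"]}},
        ],
    },
}


def fake_fetch(cursor: Optional[str]) -> dict:
    """Offline stand-in for the HTTP call; returns the constructed page."""
    return _PAGES[cursor]


if __name__ == "__main__":
    for exclusion_id, findings in audit_all(fake_fetch).items():
        print(exclusion_id, ", ".join(findings))
```

To run it against a real console, replace fake_fetch with a function that issues the GET request with the "cursor" parameter and returns the parsed JSON.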

Update Exclusions
PUT /web/api/v2.1/exclusions

Change the properties of an Exclusion through the data fields. To get the original data, run "exclusions" with a filter to give the item you want.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Exclusion not found

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  scope Scope true
    Name Description Required Value
    accountIds Account ids false string []
    groupIds Group ids false string []
    siteIds Site ids false string []
    tenant Tenant false boolean
  actions Actions to perform false string []
  createdAt Timestamp of exclusion item creation false string
  description Description false string
  id Id false string
  inject [DEPRECATED] Path exclusion monitor mode false boolean
  mode Exclusion mode (path exclusion only) false enum
  notRecommended Not recommended false string
  osType OS type false enum
  pathExclusionType Excluded path for a path exclusion list false enum
  scopeName Scope name false string
  source Source: cloud, user, action_from_threat, or catalog false enum
  type Type false string
  updatedAt Timestamp of exclusion item update false string
  userId ID of the creating user false string
  userName Name of the creating user false string
  value Sha1 if hash type or value according to the exclusion list type false string
errors Errors false array

Body Schema
Name Description Required Value
data Data true
  Name Description Required Value
  id Id true string
  osType OS type true enum
  type Exclusion item type true enum
  actions Actions to perform false string []
  description Description false string
  inject [DEPRECATED] Path exclusion monitor mode false boolean
  mode Exclusion mode (path exclusion only) false enum
  pathExclusionType Excluded path for a path exclusion list false string
  source Source false string
  value Value false

Delete Exclusions
DELETE /web/api/v2.1/exclusions

Every Exclusion opens a possible security hole. If you decide that an Exclusion (or multiple Exclusions) is not required, use this command to delete it. To get the ID of the
Exclusion to delete, run the "exclusions" command.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  affected Number of entities affected by the requested operation false integer
errors Errors false array

Body Schema
Name Description Required Value
data Data true
  Name Description Required Value
  ids Ids false string []
  type Type false enum

Get Blocklist
GET /web/api/v2.1/restrictions

Get a list of all the items in the Blocklist that match the filter.
To filter the results for a scope:
* Global - Make sure "tenant" is "true" and no other scope ID is given.
* Account - Make sure "tenant" is "false" and at least one Account ID is given.
* Site - Make sure "tenant" is "false" and at least one Site ID is given.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
createdat__between optional Date range for creation time (format: <from_timestamp>-
<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
createdat__gt optional Created after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__gte optional Created after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lt optional Created before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lte optional Created before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
description__contains optional Free-text filter by description
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
ids optional List of IDs to filter by. Example:
"225494730938493804,225494730938493915".
imported optional indication whether the hash was imported by a bulk operation or not
includechildren optional Return filters from children scope levels (Default: false)
includeparents optional Return filters from parent scope levels (Default: false)
limit optional Limit number of returned items (1-1000). Example: "10".
modes optional List of modes to filter by (Path exclusions only). Example: "suppress".
ostypes optional List of Os types to filter by. Example: "macos".
query optional A free-text search term, will match applicable attributes
recommendations optional List of recommendations to filter by. Example: "Not recommended".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
source optional List sources to filter by. Example: "user".
tenant optional Indicates a tenant scope request
type optional Type. Example: "black_hash".
types optional Type in. Example: "black_hash".
unified optional Unified
updatedat__between optional Date range for update time (format: <from_timestamp>-
<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
updatedat__gt optional Updated after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__gte optional Updated after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__lt optional Updated before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__lte optional Updated before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
user__contains optional Free-text filter by user name
userids optional List of user ids to filter by. Example:
"225494730938493804,225494730938493915".
value optional Value
value__contains optional Free-text filter by value

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
  Name Description Required Value
  totalItems Total number of items found matching your query true integer
  nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
  Name Description Required Value
  createdAt Timestamp of item creation false string
  description Description false string
  id Id false string
  imported indication whether the exclusion was imported by a bulk operation or not false boolean
  includeChildren Return filters from children scope levels (Default: false) false boolean
  includeParents Return filters from parent scope levels (Default: false) false boolean
  notRecommended Not recommended false string
  osType os_type false enum
  scope Scope false
    Name Description Required Value
    accountIds Account ids false string []
    groupIds Group ids false string []
    siteIds Site ids false string []
    tenant Tenant false boolean
  scopeName Scope name false string
  scopePath Scope path false string
  source Source: cloud, user, or action_from_threat false enum
  type type false string
  updatedAt Timestamp of item update false string
  userId ID of the creating user false string
  userName Name of the creating user false string
  value SHA1 hash false string
errors Errors false array

Create Blocklist Item
POST /web/api/v2.1/restrictions

Create a blocklist item for a SHA1 hash, for the scopes you enter in the filter fields. You can add the hash to multiple Groups, Sites, Accounts, and to the Global list.
IMPORTANT: The type must be "black_hash" - any other value will create an Exclusion rather than a Blocklist item.
Users with the IT role do not have permissions to run this.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  scope Scope true
    Name Description Required Value
    accountIds Account ids false string []
    groupIds Group ids false string []
    siteIds Site ids false string []
    tenant Tenant false boolean
  createdAt Timestamp of blocklist item creation false string
  description Description false string
  id Id false string
  notRecommended Not recommended false string
  osType OS type false enum
  scopeName Scope name false string
  source Source: cloud, user, or action_from_threat false enum
  type Type false string
  updatedAt Timestamp of blocklist item update false string
  userId ID of the creating user false string
  userName Name of the creating user false string
  value SHA1 hash false string
errors Errors false array

Body Schema
Name Description Required Value
data Data true
  Name Description Required Value
  osType OS type true enum
  type Restriction type true enum
  value SHA1 of the file to add to the blocklist true
  description Description false string
  source Source false string
filter Filter true
  Name Description Required Value
  accountIds List of Account IDs to filter by false string []
  groupIds List of Group IDs to filter by false string []
  siteIds List of Site IDs to filter by false string []
  tenant Indicates a tenant scope request false boolean
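
The following is an added example, not part of the SentinelOne documentation: it builds and checks a Create Blocklist Item body so that a wrong "type" (which, per the note above, would create an Exclusion instead) or a malformed SHA1 is rejected before anything is sent. The function names, the lower-casing of the hash and the refusal of an empty scope are choices made for this example; the field names come from the Body Schema above.

```python
"""Build a Create Blocklist Item body that cannot turn into an Exclusion."""
import re
from typing import Iterable

BLOCKLIST_TYPE = "black_hash"            # the only type the page allows here
_SHA1 = re.compile(r"[0-9a-fA-F]{40}")   # SHA1 digest as 40 hex digits


def check_blocklist_body(body: dict) -> dict:
    """Return body unchanged, or raise ValueError if it is unsafe to POST
    to /web/api/v2.1/restrictions."""
    data = body.get("data") or {}
    if data.get("type") != BLOCKLIST_TYPE:
        raise ValueError(
            "type %r would create an Exclusion, not a Blocklist item"
            % data.get("type"))
    if not _SHA1.fullmatch(str(data.get("value") or "")):
        raise ValueError("value is not a 40-hex-digit SHA1")
    if not data.get("osType"):
        raise ValueError("osType is required")
    flt = body.get("filter") or {}
    # Example policy: refuse a request that names no scope at all rather than
    # rely on whatever the server does with an empty filter.
    if not any(flt.get(k) for k in ("tenant", "accountIds", "siteIds", "groupIds")):
        raise ValueError("filter names no scope")
    return body


def build_blocklist_body(sha1: str, os_type: str, description: str = "",
                         group_ids: Iterable[str] = (),
                         site_ids: Iterable[str] = (),
                         account_ids: Iterable[str] = (),
                         tenant: bool = False) -> dict:
    """Assemble the request body; the type is fixed and never caller-supplied."""
    flt = {}
    for key, ids in (("groupIds", group_ids), ("siteIds", site_ids),
                     ("accountIds", account_ids)):
        ids = list(ids)
        if ids:
            flt[key] = ids
    if tenant:
        flt["tenant"] = True
    data = {"osType": os_type, "type": BLOCKLIST_TYPE,
            "value": sha1.strip().lower()}
    if description:
        data["description"] = description
    return check_blocklist_body({"data": data, "filter": flt})


if __name__ == "__main__":
    # Constructed hash and the example Group ID format shown on this page.
    print(build_blocklist_body(
        "0123456789ABCDEF0123456789abcdef01234567", "macos",
        description="constructed example",
        group_ids=["225494730938493804"]))
```

check_blocklist_body can also be applied to bodies loaded from a file or ticket before they are submitted.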

Update Blocklist Item
PUT /web/api/v2.1/restrictions

Change the properties of a Blocklist item through the data fields. To get the original data, run "restrictions" with a filter to give the item you want.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Blocklist not found

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  scope Scope true
    Name Description Required Value
    accountIds Account ids false string []
    groupIds Group ids false string []
    siteIds Site ids false string []
    tenant Tenant false boolean
  createdAt Timestamp of blocklist item creation false string
  description Description false string
  id Id false string
  notRecommended Not recommended false string
  osType OS type false enum
  scopeName Scope name false string
  source Source: cloud, user, or action_from_threat false enum
  type Type false string
  updatedAt Timestamp of blocklist item update false string
  userId ID of the creating user false string
  userName Name of the creating user false string
  value SHA1 hash false string
errors Errors false array

Body Schema
Name Description Required Value
data Data true
  Name Description Required Value
  id Id true string
  osType OS type true enum
  type Restrictions type (black_hash) true enum
  description Description false string
  source Source false string
  value Value false

Delete Blocklist Item
DELETE /web/api/v2.1/restrictions

Agents immediately identify files on the blocklist and block them from executing. Agents identify files on the blocklist before they look at exclusions. If there is a conflict -
for example, if a hash is blocklisted from the Cloud Intelligence, and you have an exclusion to run an application that requires this hash - you can delete the hash from the
Blocklist. Users with the IT role do not have permissions to run this command.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  affected Number of entities affected by the requested operation false integer
errors Errors false array

Body Schema
Name Description Required Value
data Data true
  Name Description Required Value
  ids Ids false string []
  type Type false enum

Validate Exclusion Item
POST /web/api/v2.1/exclusions/validate

Check if an exclusion is on the list of SentinelOne items that are "Not Allowed" or "Not Recommended". This API returns one of the following statuses:
* Not Recommended: This item is not recommended by SentinelOne because it decreases security. For example, if you accidentally exclude a path that is too broad, malware can enter your environment.
* Not Allowed: This exclusion can harm the product and lead to unexpected functionality. From version North Pole SP3 you are prevented from creating Not Allowed exclusions.
* None: This item is not on the list of SentinelOne items that are "Not Allowed" or "Not Recommended".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  status Recommendation for the exclusion/blocklist item false enum
errors Errors false array

Body Schema
Name Description Required Value
data Data true
  Name Description Required Value
  exclusionType Exclusion type false enum
  osType OS type false enum
  value Value false string

Validate Blocklist Item
POST /web/api/v2.1/restrictions/validate

Check if a hash is on the list of SentinelOne items that are "Not Allowed" or "Not Recommended". This API returns one of the following statuses:
* Not Recommended: This item is not recommended by SentinelOne because it decreases security.
* Not Allowed: This item can harm the product and lead to unexpected functionality. From version North Pole SP3 you are prevented from creating Not Allowed blocklist items.
* None: This item is not on the list of SentinelOne items that are "Not Allowed" or "Not Recommended".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  status Recommendation for the exclusion/blocklist item false enum
errors Errors false array

Body Schema
Name Description Required Value
data Data true
  Name Description Required Value
  osType OS type false enum
  value Value false string

Export Exclusions
GET /web/api/v2.1/export/exclusions

Get a csv of all the items in the Exclusions that match the filter.
Note: To see items from the Global Exclusion scope, make sure "tenant" is "true" and no other scope ID is given.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
applicationname__contains optional Free-text filter by application name
createdat__between optional Date range for creation time (format: <from_timestamp>-
<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
createdat__gt optional Created after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__gte optional Created after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lt optional Created before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lte optional Created before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
description__contains optional Free-text filter by description
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
ids optional List of IDs to filter by. Example:
"225494730938493804,225494730938493915".
imported optional indication whether the exclusion was imported by a bulk operation
or not
inappinventory optional Found or Not found - indicates if this exclusion is related to an
application found in the scope's Application Inventory.
includechildren optional Return filters from children scope levels (Default: false)
includeparents optional Return filters from parent scope levels (Default: false)
modes optional List of modes to filter by (Path exclusions only). Example: "suppress".
modetype optional Agent interaction \ Suppression. Example: "all".
ostypes optional List of Os types to filter by. Example: "macos".
pathexclusiontypes optional List of excluded paths in an exclusion (Path exclusions only).
Example: "file".
query optional A free-text search term, will match applicable attributes
recommendations optional List of recommendations to filter by. Example: "Not recommended".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
source optional List sources to filter by. Example: "user".
tenant optional Indicates a tenant scope request
type optional Type. Example: "path".
types optional Type in. Example: "path".
unified optional Unified
updatedat__between optional Date range for update time (format: <from_timestamp>-
<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
updatedat__gt optional Updated after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__gte optional Updated after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__lt optional Updated before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__lte optional Updated before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
user__contains optional Free-text filter by user name
userids optional List of user ids to filter by. Example:
"225494730938493804,225494730938493915".
value optional Value
value__contains optional Free-text filter by value

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Export Blocklist
GET /web/api/v2.1/export/restrictions

Get a csv of all the items in the Blocklist that match the filter.
Note: To see items from the Global Blocklist, make sure "tenant" is "true" and no other scope ID is given.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
createdat__between optional Date range for creation time (format: <from_timestamp>-
<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
createdat__gt optional Created after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__gte optional Created after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lt optional Created before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lte optional Created before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
description__contains optional Free-text filter by description
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
ids optional List of IDs to filter by. Example:
"225494730938493804,225494730938493915".
imported optional indication whether the hash was imported by a bulk operation or
not
includechildren optional Return filters from children scope levels (Default: false)
includeparents optional Return filters from parent scope levels (Default: false)
ostypes optional List of Os types to filter by. Example: "macos".
query optional A free-text search term, will match applicable attributes
recommendations optional List of recommendations to filter by. Example: "Not recommended".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
source optional List sources to filter by. Example: "user".
tenant optional Indicates a tenant scope request
type optional Type. Example: "black_hash".
types optional Type in. Example: "black_hash".
unified optional Unified
updatedat__between optional Date range for update time (format: <from_timestamp>-
<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
updatedat__gt optional Updated after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__gte optional Updated after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__lt optional Updated before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__lte optional Updated before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
user__contains optional Free-text filter by user name
userids optional List of user ids to filter by. Example:
"225494730938493804,225494730938493915".
value optional Value
value__contains optional Free-text filter by value

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Exclusions v2.1

Get Exclusions
GET /web/api/v2.1/unified-exclusions

Get a list of all the Exclusions that match the filter.


Note: To filter the results for a scope:
* Global - Make sure "tenant" is "true" and no other scope ID is given.
* Account - Make sure "tenant" is "false" and at least one Account ID is given.
* Site - Make sure "tenant" is "false" and at least one Site ID is given.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
applicationname__contains optional Free-text filter by application name
conditions optional List of conditions to filter by. Example: "white_hash".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
createdat__between optional Date range for creation time (format: <from_timestamp>-
<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
createdat__gt optional Created after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__gte optional Created after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lt optional Created before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lte optional Created before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
description__contains optional Free-text filter by description
engines optional List of engines to filter by. Example: "suppress".
exclusionname__contains optional Free-text filter by exclusion name
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
ids optional List of IDs to filter by. Example:
"225494730938493804,225494730938493915".
imported optional indication whether the exclusion was imported by a bulk operation
or not
includechildren optional Return filters from children scope levels (Default: false)
includeparents optional Return filters from parent scope levels (Default: false)
interactionlevel optional List of interaction levels to filter by. Example: "disable_all_monitors".
limit optional Limit number of returned items (1-1000). Example: "10".
modetype optional Agent interaction \ Suppression. Example: "suppression".
notrecommended optional List of recommendations to filter by. Example: "Not recommended".
ostypes optional List of Os types to filter by. Example: "macos".
pathexclusiontypes optional List of excluded paths in an exclusion (Path exclusions only).
Example: "file".
scopepath__contains optional Free-text filter by scope path
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
source optional List sources to filter by. Example: "user".
tenant optional Indicates a tenant scope request
threattype optional List of threat types to filter by. Example: "EDR".
updatedat__between optional Date range for update time (format: <from_timestamp>-
<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
updatedat__gt optional Updated after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__gte optional Updated after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__lt optional Updated before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__lte optional Updated before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
user__contains optional Free-text filter by user name
userids optional List of user ids to filter by. Example:
"225494730938493804,225494730938493915".
value__contains optional Free-text filter by value

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
  Name Description Required Value
  totalItems Total number of items found matching your query true integer
  nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
errors Errors false array

Delete Exclusions
DELETE /web/api/v2.1/unified-exclusions

Response Messages
200 - Exclusions successfully deleted.

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed to perform this operation.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  affected Number of entities affected by the requested operation false integer
errors Errors false array

Body Schema
Name Description Required Value
data Data true
  Name Description Required Value
  exclusions Exclusions false
    Name Description Required Value
    exclusionType Exclusion type true enum
    id Id true string

Filters

Get Filters
GET /web/api/v2.1/filters

Get the list of saved filters. See Save Filter. The response includes the ID of the filter, which you can use in other commands.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
ids optional A list of Filter IDs. Example:
"225494730938493804,225494730938493915".
includechildren optional Return filters from children scope levels (Default: false)
includeglobal optional [DEPRECATED] Return global filters even when specific sites are
selected
includeparents optional Return filters from parent scope levels (Default: false)
limit optional Limit number of returned items (1-1000). Example: "10".
query optional Text query for filter's name. Example: "MyFilter".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
  Name Description Required Value
  totalItems Total number of items found matching your query true integer
  nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
  Name Description Required Value
  createdAt Created at true string
  id Id true string
  name Name true string
  scopeLevel Filter scope true enum
  updatedAt Updated at true string
  filterFields A set of arguments composing the filter false
    Name Description Required Value
    adComputerMember__contains Free-text filter by Active Directory computer groups string (supports multiple values) false string []
    adComputerName__contains Free-text filter by Active Directory computer name string (supports multiple values) false string []
    adComputerQuery__contains Free-text filter by Active Directory computer name or its groups (supports multiple values) false string []
    adQuery An Active Directory query string false string
    adQuery__contains Free-text filter by Active Directory string (supports multiple values) false string []
    adUserMember__contains Free-text filter by Active Directory user groups string (supports multiple values) false string []
    adUserName__contains Free-text filter by Active Directory username string (supports multiple values) false string []
    adUserQuery__contains Free-text filter by Active Directory computer name or its groups (supports multiple values) false string []
    agentNamespace__contains Free-text filter by agent namespace (supports multiple values) false string []
    agentPodName__contains Free-text filter by agent pod name (supports multiple values) false string []
    agentVersions Agent versions to include false string []
    agentVersionsNin Agent versions not to include false string []
    appsVulnerabilityStatuses Apps vulnerability status in false string []
    appsVulnerabilityStatusesNin Apps vulnerability status nin false string []
    awsRole__contains Free-text filter by aws role (supports multiple values) false string []
    awsSecurityGroups__contains Free-text filter by aws securityGroups (supports multiple values) false string []
    awsSubnetIds__contains Free-text filter by aws subnet ids (supports multiple values) false string []
    azureResourceGroup__contains Free-text filter by azure resource group (supports multiple values) false string []
    cloudAccount__contains Free-text filter by cloud account (supports multiple values) false string []
    cloudImage__contains Free-text filter by cloud image (supports multiple values) false string []
cloudInstance Free-text false string []
Id__contains filter by cloud
instance
id(supports

1236
multiple
values)
cloudInstance Free-text false string []
Size__contain filter by cloud
s instance
size(supports
multiple
values)
cloudLocation Free-text false string []
__contains filter by cloud
location
(supports
multiple
values)
cloudNetwork Free-text false string []
__contains filter by cloud
network
(supports
multiple
values)
cloudProvider Agents from false string []
which cloud
provider
cloudProvide Exclude false string []
rNin Agents from
these cloud
provider
cloudTags__co Free-text false string []
ntains filter by cloud
tags
(supports
multiple
values)
clusterName_ Free-text false string []
_contains filter by
cluster name
(supports
multiple
values)
computerNam Free-text false string []
e__contains filter by
computer

1237
name
(supports
multiple
values)
consoleMigra Migration false string []
tionStatuses status in
consoleMigra Migration false string []
tionStatusesN status nin
in
coreCount__ Possible false string
between number of
CPU cores
(inclusive)
cpuCount__b Possible false string
etween number of
CPU cores
(inclusive)
cpuId__contai Free-text false string []
ns filter by CPU
name
(supports
multiple
values)
domains Included false string []
network
domains
domainsNin Not included false string []
network
domains
encryptedAppl Disk false boolean
ications encryption
status
externalId__c Free-text false string []
ontains filter by
external ID
(Customer ID)
externalIp__c Free-text false string []
ontains filter by
visible IP
(supports
multiple

1238
values)
filteredGroup List of Group false string []
Ids IDs to filter
by
filteredSiteIds List of Site false string []
IDs to filter
by
firewallEnabl The agents false boolean []
ed supports
Firewall
Control and it
is enabled for
the agent's
group
gcpServiceAc Free-text false string []
count__conta filter by gcp
ins service
account
(supports
multiple
values)
hasLocalConfi Agent has a false boolean
guration local
configuration
set
hasTags Include only false boolean
Agents that
have any tags
assigned if
True, or none
if False
infected Include only false boolean
Agents with
at least one
active threat
installerTypes Include only false string []
Agents
installed with
these
package
types

1239
installerType Exclude false string []
sNin Agents
installed with
these
package
types
isActive Include only false boolean
active Agents
isDecommiss Include false boolean []
ioned active,
decommission
ed or both
isPendingUnin Include only false boolean
stall Agents with
pending
uninstall
requests
isUninstalled Include false boolean []
installed,
uninstalled or
both
isUpToDate Include only false boolean
Agents with
updated
software
k8sNodeLabel Free-text false string []
s__contains filter by K8s
node labels
(supports
multiple
values)
k8sNodeName Free-text false string []
__contains filter by K8s
node name
(supports
multiple
values)
k8sType__con Free-text false string []
tains filter by K8s
type(supports
multiple
values)

1240
k8sVersion__c Free-text false string []
ontains filter by K8s
version
(supports
multiple
values)
lastActiveDa Date range false string
te__between for last active
date(format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
lastLoggedIn Free-text false string []
UserName__c filter by
ontains username
(supports
multiple
values)
lastSuccessf Date range false string
ulScanDate_ for last
_between successful full
disk
scan(format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
liveUpdateId_ Free-text false string []
_contains filter by live
update ID
(supports
multiple
values)
locationEnabl The agents false boolean []
ed supports
Location
Awareness
and it is
enabled for
the agent's
group
locationIds Include only false string []

1241
Agents
reporting
these
locations
locationIdsNi Do not false string []
n include only
Agents
reporting
these
locations
machineTypes Included false string []
machine
types
machineType Not included false string []
sNin machine
types
missingPermis Included false string []
sions missing
permissions
missingPermi Excluded false string []
ssionsNin missing
permissions
networkInter Free-text false string []
faceGatewayM filter by
acAddress__c Gateway
ontains MAC address
(supports
multiple
values)
networkInterf Free-text false string []
aceInet__cont filter by local
ains IP (supports
multiple
values)
networkInterf Free-text false string []
acePhysical__ filter by MAC
contains address
(supports
multiple
values)
networkQuara The agents false boolean []

1242
ntineEnabled supports
Network
Quarantine
Control and
its enabled
for the
agent's group
networkStatu Included false string []
ses network
statuses
networkStatu Included false string []
sesNin network
statuses
operationalSt Agent false string []
ates operational
state
operationalSt Do not false string []
atesNin include these
Agent
operational
states
osArch OS false enum
architecture
osTypes Included OS false string []
types
osTypesNin Not included false string []
OS types
osVersion__co Free-text false string []
ntains filter by OS
full name and
version
(supports
multiple
values)
query A free-text false string
search term,
will match
applicable
attributes
(sub-string
match). Note:

1243
Device's
physical
addresses will
be matched if
they start
with the
search term
only (no
match if they
contain the
term).
rangerStatus [DEPRECATE false enum
D] Use
rangerStatuse
s.
rangerStatuse Status of false string []
s Ranger
rangerStatus Do not false string []
esNin include these
Ranger
Statuses
rangerVersion Ranger false string []
s versions to
include
rangerVersio Ranger false string []
nsNin versions not
to include
registeredAt Date range false string
__between for first
registration
time (format:
<from_times
tamp>-
<to_timestam
p>, inclusive)
remoteProfili Agent remote false string []
ngStates profiling state
remoteProfili Do not false string []
ngStatesNin include these
Agent remote
profiling
states

1244
scanStatuses Included scan false string []
statuses
scanStatuses Not included false string []
Nin scan statuses
serialNumber Free-text false string []
__contains filter by Serial
Number
(supports
multiple
values)
tagsData Filter agents false string
by their
assigned tags.
Given in form
of a JSON
where each
key
represents a
tag key, and
each value
represents a
list of string
values to
filter by. To
filter by
unassigned
tag values,
use __nin
suffix in the
tag key.
threatReboot Has at least false boolean []
Required one threat
with at least
one
mitigation
action
pending
reboot to
succeed
totalMemory Total memory false string
__between range (GB,
inclusive)
userActionsN Included false string []

1245
eeded pending user
actions
userActionsN Excluded false string []
eededNin pending user
actions
uuid__contain Free-text false string []
s filter by
Agent UUID
(supports
multiple
values)

scopeId Associated false string


site/account
siteId [DEPRECATE false string
D] Use
scopeId
instead

errors Errors false array
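
An added example (not from the SentinelOne documentation) of walking this endpoint with the "cursor" parameter and the "nextCursor" value described above, then checking the number of filters received against "totalItems". It assumes "data" is a list of filter objects; fetch_page, make_fake_console and the sample filters are constructed stand-ins so the code runs offline.

```python
import base64
from typing import Callable, Dict, Iterator, List, Optional

MAX_LIMIT = 1000  # the page documents "limit" as 1-1000


def iter_filter_pages(fetch_page: Callable[[Dict[str, str]], dict],
                      limit: int = MAX_LIMIT,
                      max_pages: int = 10_000) -> Iterator[dict]:
    """Yield each Get Filters response body, following pagination.nextCursor."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be between 1 and 1000")
    params: Dict[str, str] = {"limit": str(limit)}
    seen = set()
    for _ in range(max_pages):
        body = fetch_page(dict(params))
        if body.get("errors"):
            raise RuntimeError(f"API returned errors: {body['errors']}")
        yield body
        cursor = (body.get("pagination") or {}).get("nextCursor")
        # The schema says nextCursor is "null" on the last page; accept JSON null too.
        if cursor in (None, "", "null"):
            return
        if cursor in seen:
            raise RuntimeError("cursor repeated; stopping to avoid an endless loop")
        seen.add(cursor)
        params["cursor"] = cursor
    raise RuntimeError("max_pages reached before the last page")


def collect_filters(fetch_page: Callable[[Dict[str, str]], dict],
                    limit: int = MAX_LIMIT) -> List[dict]:
    """Return every saved filter and verify the count against totalItems."""
    filters: List[dict] = []
    total: Optional[int] = None
    for body in iter_filter_pages(fetch_page, limit):
        if total is None:
            total = (body.get("pagination") or {}).get("totalItems")
        filters.extend(body.get("data") or [])
    # An incomplete inventory is worse than an error: fail loudly on a mismatch.
    if total is not None and total != len(filters):
        raise RuntimeError(f"expected {total} filters, received {len(filters)}")
    return filters


def make_fake_console(filters: List[dict]) -> Callable[[Dict[str, str]], dict]:
    """Constructed stand-in for the console; its cursor is a base64 offset."""
    def fetch_page(params: Dict[str, str]) -> dict:
        limit = int(params["limit"])
        start = 0
        if "cursor" in params:
            decoded = base64.b64decode(params["cursor"]).decode()
            start = int(decoded.split(":", 1)[1])
        page = filters[start:start + limit]
        end = start + len(page)
        next_cursor = None
        if end < len(filters):
            next_cursor = base64.b64encode(f"offset:{end}".encode()).decode()
        return {"pagination": {"totalItems": len(filters),
                               "nextCursor": next_cursor},
                "data": page}
    return fetch_page


# Constructed sample data, not real filter IDs.
SAMPLE_FILTERS = [{"id": str(1000 + i), "name": f"filter-{i}"} for i in range(7)]

if __name__ == "__main__":
    for f in collect_filters(make_fake_console(SAMPLE_FILTERS), limit=3):
        print(f["id"], f["name"])
```
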

Save Filter
POST /web/api/v2.1/filters

Save a new filter to get a list of matching endpoints. When you save a filter, you can run actions on the matching Agents as a set of objects, or create a dynamic group, which automatically adds new Agents that match the filter and drops Agents that no longer match.
For example, you can save a filter with {"data":{"filterFields":{"infected":true}}} to run kill and quarantine commands on all the matching Agents at once, or to create a group that holds currently infected endpoints.

BEST PRACTICE
Set a scope for the new Saved Filter. Run "accounts", "sites", or "groups" to get the IDs for the scope.

Response Messages
200 - Filter successfully saved. Returns created object.

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed to perform this operation.

Response Schema
Name | Description | Required | Value
data | Response data | false
    Name | Description | Required | Value
    createdAt | Created at | true | string
    id | Id | true | string
    name | Name | true | string
    scopeLevel | Filter scope | true | enum
    updatedAt | Updated at | true | string
    filterFields | A set of arguments composing the filter | false
        Name | Description | Required | Value
        adComputerMember__contains | Free-text filter by Active Directory computer groups string (supports multiple values) | false | string []
        adComputerName__contains | Free-text filter by Active Directory computer name string (supports multiple values) | false | string []
        adComputerQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
        adQuery | An Active Directory query string | false | string
        adQuery__contains | Free-text filter by Active Directory string (supports multiple values) | false | string []
        adUserMember__contains | Free-text filter by Active Directory user groups string (supports multiple values) | false | string []
        adUserName__contains | Free-text filter by Active Directory username string (supports multiple values) | false | string []
        adUserQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
        agentNamespace__contains | Free-text filter by agent namespace (supports multiple values) | false | string []
        agentPodName__contains | Free-text filter by agent pod name (supports multiple values) | false | string []
        agentVersions | Agent versions to include | false | string []
        agentVersionsNin | Agent versions not to include | false | string []
        appsVulnerabilityStatuses | Apps vulnerability status in | false | string []
        appsVulnerabilityStatusesNin | Apps vulnerability status nin | false | string []
        awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
        awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
        awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
        azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
        cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
        cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
        cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
        cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
        cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
        cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
        cloudProvider | Agents from which cloud provider | false | string []
        cloudProviderNin | Exclude Agents from these cloud provider | false | string []
        cloudTags__contains | Free-text filter by cloud tags (supports multiple values) | false | string []
        clusterName__contains | Free-text filter by cluster name (supports multiple values) | false | string []
        computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
        consoleMigrationStatuses | Migration status in | false | string []
        consoleMigrationStatusesNin | Migration status nin | false | string []
        coreCount__between | Possible number of CPU cores (inclusive) | false | string
        cpuCount__between | Possible number of CPU cores (inclusive) | false | string
        cpuId__contains | Free-text filter by CPU name (supports multiple values) | false | string []
        domains | Included network domains | false | string []
        domainsNin | Not included network domains | false | string []
        encryptedApplications | Disk encryption status | false | boolean
        externalId__contains | Free-text filter by external ID (Customer ID) | false | string []
        externalIp__contains | Free-text filter by visible IP (supports multiple values) | false | string []
        filteredGroupIds | List of Group IDs to filter by | false | string []
        filteredSiteIds | List of Site IDs to filter by | false | string []
        firewallEnabled | The agents supports Firewall Control and it is enabled for the agent's group | false | boolean []
        gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
        hasLocalConfiguration | Agent has a local configuration set | false | boolean
        hasTags | Include only Agents that have any tags assigned if True, or none if False | false | boolean
        infected | Include only Agents with at least one active threat | false | boolean
        installerTypes | Include only Agents installed with these package types | false | string []
        installerTypesNin | Exclude Agents installed with these package types | false | string []
        isActive | Include only active Agents | false | boolean
        isDecommissioned | Include active, decommissioned or both | false | boolean []
        isPendingUninstall | Include only Agents with pending uninstall requests | false | boolean
        isUninstalled | Include installed, uninstalled or both | false | boolean []
        isUpToDate | Include only Agents with updated software | false | boolean
        k8sNodeLabels__contains | Free-text filter by K8s node labels (supports multiple values) | false | string []
        k8sNodeName__contains | Free-text filter by K8s node name (supports multiple values) | false | string []
        k8sType__contains | Free-text filter by K8s type (supports multiple values) | false | string []
        k8sVersion__contains | Free-text filter by K8s version (supports multiple values) | false | string []
        lastActiveDate__between | Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
        lastLoggedInUserName__contains | Free-text filter by username (supports multiple values) | false | string []
        lastSuccessfulScanDate__between | Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
        liveUpdateId__contains | Free-text filter by live update ID (supports multiple values) | false | string []
        locationEnabled | The agents supports Location Awareness and it is enabled for the agent's group | false | boolean []
        locationIds | Include only Agents reporting these locations | false | string []
        locationIdsNin | Do not include only Agents reporting these locations | false | string []
        machineTypes | Included machine types | false | string []
        machineTypesNin | Not included machine types | false | string []
        missingPermissions | Included missing permissions | false | string []
        missingPermissionsNin | Excluded missing permissions | false | string []
        networkInterfaceGatewayMacAddress__contains | Free-text filter by Gateway MAC address (supports multiple values) | false | string []
        networkInterfaceInet__contains | Free-text filter by local IP (supports multiple values) | false | string []
        networkInterfacePhysical__contains | Free-text filter by MAC address (supports multiple values) | false | string []
        networkQuarantineEnabled | The agents supports Network Quarantine Control and its enabled for the agent's group | false | boolean []
        networkStatuses | Included network statuses | false | string []
        networkStatusesNin | Included network statuses | false | string []
        operationalStates | Agent operational state | false | string []
        operationalStatesNin | Do not include these Agent operational states | false | string []
        osArch | OS architecture | false | enum
        osTypes | Included OS types | false | string []
        osTypesNin | Not included OS types | false | string []
        osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
        query | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string
        rangerStatus | [DEPRECATED] Use rangerStatuses. | false | enum
        rangerStatuses | Status of Ranger | false | string []
        rangerStatusesNin | Do not include these Ranger Statuses | false | string []
        rangerVersions | Ranger versions to include | false | string []
        rangerVersionsNin | Ranger versions not to include | false | string []
        registeredAt__between | Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
        remoteProfilingStates | Agent remote profiling state | false | string []
        remoteProfilingStatesNin | Do not include these Agent remote profiling states | false | string []
        scanStatuses | Included scan statuses | false | string []
        scanStatusesNin | Not included scan statuses | false | string []
        serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
        tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
        threatRebootRequired | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean []
        totalMemory__between | Total memory range (GB, inclusive) | false | string
        userActionsNeeded | Included pending user actions | false | string []
        userActionsNeededNin | Excluded pending user actions | false | string []
        uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
    scopeId | Associated site/account | false | string
    siteId | [DEPRECATED] Use scopeId instead | false | string
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true
    Name | Description | Required | Value
    filterFields | A set of parameters to filter by | true
        Name | Description | Required | Value
        adComputerMember__contains | Free-text filter by Active Directory computer groups string (supports multiple values) | false | string []
        adComputerName__contains | Free-text filter by Active Directory computer name string (supports multiple values) | false | string []
        adComputerQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
        adQuery | An Active Directory query string | false | string
        adQuery__contains | Free-text filter by Active Directory string (supports multiple values) | false | string []
        adUserMember__contains | Free-text filter by Active Directory user groups string (supports multiple values) | false | string []
        adUserName__contains | Free-text filter by Active Directory username string (supports multiple values) | false | string []
        adUserQuery__contains | Free-text filter by Active Directory computer name or its groups (supports multiple values) | false | string []
        agentNamespace__contains | Free-text filter by agent namespace (supports multiple values) | false | string []
        agentPodName__contains | Free-text filter by agent pod name (supports multiple values) | false | string []
        agentVersions | Agent versions to include | false | string []
        agentVersionsNin | Agent versions not to include | false | string []
        appsVulnerabilityStatuses | Apps vulnerability status in | false | string []
        appsVulnerabilityStatusesNin | Apps vulnerability status nin | false | string []
        awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
        awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
        awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
        azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
        cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
        cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
        cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
        cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
        cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
        cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
        cloudProvider | Agents from which cloud provider | false | string []
        cloudProviderNin | Exclude Agents from these cloud provider | false | string []
        cloudTags__contains | Free-text filter by cloud tags (supports multiple values) | false | string []
        clusterName__contains | Free-text filter by cluster name (supports multiple values) | false | string []
        computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
        consoleMigrationStatuses | Migration status in | false | string []
        consoleMigrationStatusesNin | Migration status nin | false | string []
        coreCount__between | Possible number of CPU cores (inclusive) | false | string
        cpuCount__between | Possible number of CPU cores (inclusive) | false | string
        cpuId__contains | Free-text filter by CPU name (supports multiple values) | false | string []
        domains | Included network domains | false | string []
        domainsNin | Not included network domains | false | string []
        encryptedApplications | Disk encryption status | false | boolean
        externalId__contains | Free-text filter by external ID (Customer ID) | false | string []
        externalIp__contains | Free-text filter by visible IP (supports multiple values) | false | string []
        filteredGroupIds | List of Group IDs to filter by | false | string []
        filteredSiteIds | List of Site IDs to filter by | false | string []
        firewallEnabled | The agents supports Firewall Control and it is enabled for the agent's group | false | boolean []
        gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
        hasLocalConfiguration | Agent has a local configuration set | false | boolean
        hasTags | Include only Agents that have any tags assigned if True, or none if False | false | boolean
        infected | Include only Agents with at least one active threat | false | boolean
        installerTypes | Include only Agents installed with these package types | false | string []
        installerTypesNin | Exclude Agents installed with these package types | false | string []
        isActive | Include only active Agents | false | boolean
        isDecommissioned | Include active, decommissioned or both | false | boolean []
        isPendingUninstall | Include only Agents with pending uninstall requests | false | boolean
        isUninstalled | Include installed, uninstalled or both | false | boolean []
        isUpToDate | Include only Agents with updated software | false | boolean
        k8sNodeLabels__contains | Free-text filter by K8s node labels (supports multiple values) | false | string []
        k8sNodeName__contains | Free-text filter by K8s node name (supports multiple values) | false | string []
        k8sType__contains | Free-text filter by K8s type (supports multiple values) | false | string []
        k8sVersion__contains | Free-text filter by K8s version (supports multiple values) | false | string []
        lastActiveDate__between | Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
        lastLoggedInUserName__contains | Free-text filter by username (supports multiple values) | false | string []
        lastSuccessfulScanDate__between | Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
        liveUpdateId__contains | Free-text filter by live update ID (supports multiple values) | false | string []
        locationEnabled | The agents supports Location Awareness and it is enabled for the agent's group | false | boolean []
        locationIds | Include only Agents reporting these locations | false | string []
        locationIdsNin | Do not include only Agents reporting these locations | false | string []
        machineTypes | Included machine types | false | string []
        machineTypesNin | Not included machine types | false | string []
        missingPermissions | Included missing permissions | false | string []
        missingPermissionsNin | Excluded missing permissions | false | string []
        networkInterfaceGatewayMacAddress__contains | Free-text filter by Gateway MAC address (supports multiple values) | false | string []
        networkInterfaceInet__contains | Free-text filter by local IP (supports multiple values) | false | string []
        networkInterfacePhysical__contains | Free-text filter by MAC address (supports multiple values) | false | string []
        networkQuarantineEnabled | The agents supports Network Quarantine Control and its enabled for the agent's group | false | boolean []
        networkStatuses | Included network statuses | false | string []
        networkStatusesNin | Included network statuses | false | string []
        operationalStates | Agent operational state | false | string []
        operationalStatesNin | Do not include these Agent operational states | false | string []
        osArch | OS architecture | false | enum
        osTypes | Included OS types | false | string []
        osTypesNin | Not included OS types | false | string []
        osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
        query | A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). | false | string
        rangerStatus | [DEPRECATED] Use rangerStatuses. | false | enum
        rangerStatuses | Status of Ranger | false | string []
        rangerStatusesNin | Do not include these Ranger Statuses | false | string []
        rangerVersions | Ranger versions to include | false | string []
        rangerVersionsNin | Ranger versions not to include | false | string []
        registeredAt__between | Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
        remoteProfilingStates | Agent remote profiling state | false | string []
        remoteProfilingStatesNin | Do not include these Agent remote profiling states | false | string []
        scanStatuses | Included scan statuses | false | string []
        scanStatusesNin | Not included scan statuses | false | string []
        serialNumber__contains | Free-text filter by Serial Number (supports multiple values) | false | string []
        tagsData | Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
        threatRebootRequired | Has at least one threat with at least one mitigation action pending reboot to succeed | false | boolean []
        totalMemory__between | Total memory range (GB, inclusive) | false | string
        userActionsNeeded | Included pending user actions | false | string []
        userActionsNeededNin | Excluded pending user actions | false | string []
        uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
    name | New filter name | true | string
    scopeLevel | [DEPRECATED] Use the "filter" object instead. | false | enum
    siteId | [DEPRECATED] Use the "filter" object instead. | false | string
filter | Target scope for the new filter | false
    Name | Description | Required | Value
    accountIds | List of Account IDs to filter by | false | string []
    siteIds | List of Site IDs to filter by | false | string []
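
An added example (not SentinelOne's code) that assembles a Save Filter request body from the Body Schema above and rejects unscoped or mistyped filters before they are saved and used to run actions on Agents. The function names, the subset of filterFields keys, the empty-filterFields check and the numeric-ID check are assumptions of this example; the site ID is the sample value shown on the page and "windows" is a constructed value.

```python
import json
from typing import Any, Dict, Iterable, List, Optional

# Value types copied from the Body Schema for a subset of filterFields keys.
FIELD_TYPES = {
    "infected": "boolean",
    "isActive": "boolean",
    "isUpToDate": "boolean",
    "isDecommissioned": "boolean []",
    "osTypes": "string []",
    "agentVersions": "string []",
    "computerName__contains": "string []",
    "lastActiveDate__between": "string",
    "query": "string",
    "tagsData": "string",
}
DEPRECATED_DATA_KEYS = ("scopeLevel", "siteId")  # marked [DEPRECATED] in the Body Schema


def _type_ok(kind: str, value: Any) -> bool:
    if kind == "boolean":
        return isinstance(value, bool)
    if kind == "string":
        return isinstance(value, str)
    item = bool if kind == "boolean []" else str
    return isinstance(value, list) and all(isinstance(v, item) for v in value)


def _tags_ok(value: str) -> bool:
    """tagsData is a JSON string: {tag key: [string values]}."""
    try:
        tags = json.loads(value)
    except ValueError:
        return False
    return isinstance(tags, dict) and all(
        isinstance(v, list) and all(isinstance(s, str) for s in v)
        for v in tags.values())


def lint_save_filter_body(body: Dict[str, Any]) -> List[str]:
    """Return findings for a Save Filter body; an empty list means it passed."""
    findings: List[str] = []
    data = body.get("data") or {}
    name = data.get("name")
    if not isinstance(name, str) or not name.strip():
        findings.append("data.name is required")
    fields = data.get("filterFields")
    if not isinstance(fields, dict) or not fields:
        # Example's own guard: an empty filter would match every Agent in scope.
        findings.append("data.filterFields is required and should not be empty")
        fields = {}
    for key, value in fields.items():
        kind = FIELD_TYPES.get(key)
        if kind is None:
            findings.append(f"filterFields.{key}: not in this example's schema subset")
        elif not _type_ok(kind, value):
            findings.append(f"filterFields.{key}: expected {kind}")
        elif key == "tagsData" and not _tags_ok(value):
            findings.append("filterFields.tagsData: expected JSON object of string lists")
    for key in DEPRECATED_DATA_KEYS:
        if key in data:
            findings.append(f'data.{key} is deprecated; use the "filter" object')
    scope = body.get("filter") or {}
    ids = list(scope.get("accountIds") or []) + list(scope.get("siteIds") or [])
    if not ids:
        findings.append("no scope: set filter.accountIds or filter.siteIds")
    elif not all(isinstance(i, str) and i.isdigit() for i in ids):
        findings.append("scope IDs should be numeric strings")
    return findings


def build_save_filter_body(name: str, filter_fields: Dict[str, Any],
                           account_ids: Optional[Iterable[str]] = None,
                           site_ids: Optional[Iterable[str]] = None) -> Dict[str, Any]:
    """Assemble the body and refuse to return it if the lint finds anything."""
    body: Dict[str, Any] = {"data": {"name": name,
                                     "filterFields": dict(filter_fields)}}
    scope: Dict[str, List[str]] = {}
    if account_ids:
        scope["accountIds"] = [str(i) for i in account_ids]
    if site_ids:
        scope["siteIds"] = [str(i) for i in site_ids]
    if scope:
        body["filter"] = scope
    findings = lint_save_filter_body(body)
    if findings:
        raise ValueError("; ".join(findings))
    return body


# The page's own example body, and a constructed scoped request.
PAGE_EXAMPLE = {"data": {"filterFields": {"infected": True}}}
SCOPED = build_save_filter_body(
    "infected-endpoints", {"infected": True, "osTypes": ["windows"]},
    site_ids=["225494730938493804"])

if __name__ == "__main__":
    print(lint_save_filter_body(PAGE_EXAMPLE))
    print(json.dumps(SCOPED, indent=2))
```

Linting the page's one-line example body reports the missing "name" and the missing scope, the two things the Body Schema and the best-practice note ask for.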

Update Filter
PUT /web/api/v2.1/filters/{filter_id}

Update an existing filter

Response Messages
200 - Filter successfully updated. Returns updated object.

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed to perform this operation.

404 - Filter not found

Response Schema
Name Description Required Value
data Response false Name Description Required Value
data
createdAt Created at true string
id Id true string
name Name true string
scopeLevel Filter scope true enum
updatedAt Updated at true string
filterFields A set of false Name Description Required Value
arguments
composing adComputerM Free-text false string []
the filter ember__conta filter by
ins Active
Directory
computer
groups string
(supports
multiple
values)

1275
adComputerN Free-text false string []
ame__contain filter by
s Active
Directory
computer
name string
(supports
multiple
values)
adComputerQ Free-text false string []
uery__contain filter by
s Active
Directory
computer
name or its
groups
(supports
multiple
values)
adQuery An Active false string
Directory
query string
adQuery__con Free-text false string []
tains filter by
Active
Directory
string
(supports
multiple
values)
adUserMembe Free-text false string []
r__contains filter by
Active
Directory
user groups
string
(supports
multiple
values)
adUserName_ Free-text false string []
_contains filter by
Active
Directory

1276
username
string
(supports
multiple
values)
adUserQuery_ Free-text false string []
_contains filter by
Active
Directory
computer
name or its
groups
(supports
multiple
values)
agentNamespa Free-text false string []
ce__contains filter by agent
namespace
(supports
multiple
values)
agentPodNam Free-text false string []
e__contains filter by agent
pod name
(supports
multiple
values)
agentVersion Agent false string []
s versions to
include
agentVersion Agent false string []
sNin versions not
to include
appsVulnerabi Apps false string []
lityStatuses vulnerability
status in
appsVulnerabi Apps false string []
lityStatusesN vulnerability
in status nin
awsRole__con Free-text false string []
tains filter by aws
role(supports

1277
multiple
values)
awsSecurityG Free-text false string []
roups__conta filter by aws
ins securityGroup
s(supports
multiple
values)
awsSubnetIds Free-text false string []
__contains filter by aws
subnet ids
(supports
multiple
values)
azureResourc Free-text false string []
eGroup__cont filter by azure
ains resource
group(support
s multiple
values)
cloudAccount Free-text false string []
__contains filter by cloud
account
(supports
multiple
values)
cloudImage__ Free-text false string []
contains filter by cloud
image
(supports
multiple
values)
cloudInstance Free-text false string []
Id__contains filter by cloud
instance
id(supports
multiple
values)
cloudInstance Free-text false string []
Size__contain filter by cloud
s instance
size(supports

1278
multiple
values)
        cloudLocation__contains  Free-text filter by cloud location (supports multiple values)  false  string []
        cloudNetwork__contains  Free-text filter by cloud network (supports multiple values)  false  string []
        cloudProvider  Agents from which cloud provider  false  string []
        cloudProviderNin  Exclude Agents from these cloud provider  false  string []
        cloudTags__contains  Free-text filter by cloud tags (supports multiple values)  false  string []
        clusterName__contains  Free-text filter by cluster name (supports multiple values)  false  string []
        computerName__contains  Free-text filter by computer name (supports multiple values)  false  string []
        consoleMigrationStatuses  Migration status in  false  string []
        consoleMigrationStatusesNin  Migration status nin  false  string []
        coreCount__between  Possible number of CPU cores (inclusive)  false  string
        cpuCount__between  Possible number of CPU cores (inclusive)  false  string
        cpuId__contains  Free-text filter by CPU name (supports multiple values)  false  string []
        domains  Included network domains  false  string []
        domainsNin  Not included network domains  false  string []
        encryptedApplications  Disk encryption status  false  boolean
        externalId__contains  Free-text filter by external ID (Customer ID)  false  string []
        externalIp__contains  Free-text filter by visible IP (supports multiple values)  false  string []
        filteredGroupIds  List of Group IDs to filter by  false  string []
        filteredSiteIds  List of Site IDs to filter by  false  string []
        firewallEnabled  The agent supports Firewall Control and it is enabled for the agent's group  false  boolean []
        gcpServiceAccount__contains  Free-text filter by gcp service account (supports multiple values)  false  string []
        hasLocalConfiguration  Agent has a local configuration set  false  boolean
        hasTags  Include only Agents that have any tags assigned if True, or none if False  false  boolean
        infected  Include only Agents with at least one active threat  false  boolean
        installerTypes  Include only Agents installed with these package types  false  string []
        installerTypesNin  Exclude Agents installed with these package types  false  string []
        isActive  Include only active Agents  false  boolean
        isDecommissioned  Include active, decommissioned or both  false  boolean []
        isPendingUninstall  Include only Agents with pending uninstall requests  false  boolean
        isUninstalled  Include installed, uninstalled or both  false  boolean []
        isUpToDate  Include only Agents with updated software  false  boolean
        k8sNodeLabels__contains  Free-text filter by K8s node labels (supports multiple values)  false  string []
        k8sNodeName__contains  Free-text filter by K8s node name (supports multiple values)  false  string []
        k8sType__contains  Free-text filter by K8s type (supports multiple values)  false  string []
        k8sVersion__contains  Free-text filter by K8s version (supports multiple values)  false  string []
        lastActiveDate__between  Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive)  false  string
        lastLoggedInUserName__contains  Free-text filter by username (supports multiple values)  false  string []
        lastSuccessfulScanDate__between  Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive)  false  string
        liveUpdateId__contains  Free-text filter by live update ID (supports multiple values)  false  string []
        locationEnabled  The agent supports Location Awareness and it is enabled for the agent's group  false  boolean []
        locationIds  Include only Agents reporting these locations  false  string []
        locationIdsNin  Do not include only Agents reporting these locations  false  string []
        machineTypes  Included machine types  false  string []
        machineTypesNin  Not included machine types  false  string []
        missingPermissions  Included missing permissions  false  string []
        missingPermissionsNin  Excluded missing permissions  false  string []
        networkInterfaceGatewayMacAddress__contains  Free-text filter by Gateway MAC address (supports multiple values)  false  string []
        networkInterfaceInet__contains  Free-text filter by local IP (supports multiple values)  false  string []
        networkInterfacePhysical__contains  Free-text filter by MAC address (supports multiple values)  false  string []
        networkQuarantineEnabled  The agent supports Network Quarantine Control and it is enabled for the agent's group  false  boolean []
        networkStatuses  Included network statuses  false  string []
        networkStatusesNin  Included network statuses  false  string []
        operationalStates  Agent operational state  false  string []
        operationalStatesNin  Do not include these Agent operational states  false  string []
        osArch  OS architecture  false  enum
        osTypes  Included OS types  false  string []
        osTypesNin  Not included OS types  false  string []
        osVersion__contains  Free-text filter by OS full name and version (supports multiple values)  false  string []
        query  A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term).  false  string
        rangerStatus  [DEPRECATED] Use rangerStatuses.  false  enum
        rangerStatuses  Status of Ranger  false  string []
        rangerStatusesNin  Do not include these Ranger Statuses  false  string []
        rangerVersions  Ranger versions to include  false  string []
        rangerVersionsNin  Ranger versions not to include  false  string []
        registeredAt__between  Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive)  false  string
        remoteProfilingStates  Agent remote profiling state  false  string []
        remoteProfilingStatesNin  Do not include these Agent remote profiling states  false  string []
        scanStatuses  Included scan statuses  false  string []
        scanStatusesNin  Not included scan statuses  false  string []
        serialNumber__contains  Free-text filter by Serial Number (supports multiple values)  false  string []
        tagsData  Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key.  false  string
        threatRebootRequired  Has at least one threat with at least one mitigation action pending reboot to succeed  false  boolean []
        totalMemory__between  Total memory range (GB, inclusive)  false  string
        userActionsNeeded  Included pending user actions  false  string []
        userActionsNeededNin  Excluded pending user actions  false  string []
        uuid__contains  Free-text filter by Agent UUID (supports multiple values)  false  string []
    scopeId  Associated site/account  false  string
    siteId  [DEPRECATED] Use scopeId instead  false  string
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
data  Data  true
    Name  Description  Required  Value
    filterFields  A set of parameters to filter by (If supplied, replaces existing parameter set  false
        Name  Description  Required  Value
        adComputerMember__contains  Free-text filter by Active Directory computer groups string (supports multiple values)  false  string []
        adComputerName__contains  Free-text filter by Active Directory computer name string (supports multiple values)  false  string []
        adComputerQuery__contains  Free-text filter by Active Directory computer name or its groups (supports multiple values)  false  string []
        adQuery  An Active Directory query string  false  string
        adQuery__contains  Free-text filter by Active Directory string (supports multiple values)  false  string []
        adUserMember__contains  Free-text filter by Active Directory user groups string (supports multiple values)  false  string []
        adUserName__contains  Free-text filter by Active Directory username string (supports multiple values)  false  string []
        adUserQuery__contains  Free-text filter by Active Directory computer name or its groups (supports multiple values)  false  string []
        agentNamespace__contains  Free-text filter by agent namespace (supports multiple values)  false  string []
        agentPodName__contains  Free-text filter by agent pod name (supports multiple values)  false  string []
        agentVersions  Agent versions to include  false  string []
        agentVersionsNin  Agent versions not to include  false  string []
        appsVulnerabilityStatuses  Apps vulnerability status in  false  string []
        appsVulnerabilityStatusesNin  Apps vulnerability status nin  false  string []
        awsRole__contains  Free-text filter by aws role (supports multiple values)  false  string []
        awsSecurityGroups__contains  Free-text filter by aws securityGroups (supports multiple values)  false  string []
        awsSubnetIds__contains  Free-text filter by aws subnet ids (supports multiple values)  false  string []
        azureResourceGroup__contains  Free-text filter by azure resource group (supports multiple values)  false  string []
        cloudAccount__contains  Free-text filter by cloud account (supports multiple values)  false  string []
        cloudImage__contains  Free-text filter by cloud image (supports multiple values)  false  string []
        cloudInstanceId__contains  Free-text filter by cloud instance id (supports multiple values)  false  string []
        cloudInstanceSize__contains  Free-text filter by cloud instance size (supports multiple values)  false  string []
        cloudLocation__contains  Free-text filter by cloud location (supports multiple values)  false  string []
        cloudNetwork__contains  Free-text filter by cloud network (supports multiple values)  false  string []
        cloudProvider  Agents from which cloud provider  false  string []
        cloudProviderNin  Exclude Agents from these cloud provider  false  string []
        cloudTags__contains  Free-text filter by cloud tags (supports multiple values)  false  string []
        clusterName__contains  Free-text filter by cluster name (supports multiple values)  false  string []
        computerName__contains  Free-text filter by computer name (supports multiple values)  false  string []
        consoleMigrationStatuses  Migration status in  false  string []
        consoleMigrationStatusesNin  Migration status nin  false  string []
        coreCount__between  Possible number of CPU cores (inclusive)  false  string
        cpuCount__between  Possible number of CPU cores (inclusive)  false  string
        cpuId__contains  Free-text filter by CPU name (supports multiple values)  false  string []
        domains  Included network domains  false  string []
        domainsNin  Not included network domains  false  string []
        encryptedApplications  Disk encryption status  false  boolean
        externalId__contains  Free-text filter by external ID (Customer ID)  false  string []
        externalIp__contains  Free-text filter by visible IP (supports multiple values)  false  string []
        filteredGroupIds  List of Group IDs to filter by  false  string []
        filteredSiteIds  List of Site IDs to filter by  false  string []
        firewallEnabled  The agent supports Firewall Control and it is enabled for the agent's group  false  boolean []
        gcpServiceAccount__contains  Free-text filter by gcp service account (supports multiple values)  false  string []
        hasLocalConfiguration  Agent has a local configuration set  false  boolean
        hasTags  Include only Agents that have any tags assigned if True, or none if False  false  boolean
        infected  Include only Agents with at least one active threat  false  boolean
        installerTypes  Include only Agents installed with these package types  false  string []
        installerTypesNin  Exclude Agents installed with these package types  false  string []
        isActive  Include only active Agents  false  boolean
        isDecommissioned  Include active, decommissioned or both  false  boolean []
        isPendingUninstall  Include only Agents with pending uninstall requests  false  boolean
        isUninstalled  Include installed, uninstalled or both  false  boolean []
        isUpToDate  Include only Agents with updated software  false  boolean
        k8sNodeLabels__contains  Free-text filter by K8s node labels (supports multiple values)  false  string []
        k8sNodeName__contains  Free-text filter by K8s node name (supports multiple values)  false  string []
        k8sType__contains  Free-text filter by K8s type (supports multiple values)  false  string []
        k8sVersion__contains  Free-text filter by K8s version (supports multiple values)  false  string []
        lastActiveDate__between  Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive)  false  string
        lastLoggedInUserName__contains  Free-text filter by username (supports multiple values)  false  string []
        lastSuccessfulScanDate__between  Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive)  false  string
        liveUpdateId__contains  Free-text filter by live update ID (supports multiple values)  false  string []
        locationEnabled  The agent supports Location Awareness and it is enabled for the agent's group  false  boolean []
        locationIds  Include only Agents reporting these locations  false  string []
        locationIdsNin  Do not include only Agents reporting these locations  false  string []
        machineTypes  Included machine types  false  string []
        machineTypesNin  Not included machine types  false  string []
        missingPermissions  Included missing permissions  false  string []
        missingPermissionsNin  Excluded missing permissions  false  string []
        networkInterfaceGatewayMacAddress__contains  Free-text filter by Gateway MAC address (supports multiple values)  false  string []
        networkInterfaceInet__contains  Free-text filter by local IP (supports multiple values)  false  string []
        networkInterfacePhysical__contains  Free-text filter by MAC address (supports multiple values)  false  string []
        networkQuarantineEnabled  The agent supports Network Quarantine Control and it is enabled for the agent's group  false  boolean []
        networkStatuses  Included network statuses  false  string []
        networkStatusesNin  Included network statuses  false  string []
        operationalStates  Agent operational state  false  string []
        operationalStatesNin  Do not include these Agent operational states  false  string []
        osArch  OS architecture  false  enum
        osTypes  Included OS types  false  string []
        osTypesNin  Not included OS types  false  string []
        osVersion__contains  Free-text filter by OS full name and version (supports multiple values)  false  string []
        query  A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term).  false  string
        rangerStatus  [DEPRECATED] Use rangerStatuses.  false  enum
        rangerStatuses  Status of Ranger  false  string []
        rangerStatusesNin  Do not include these Ranger Statuses  false  string []
        rangerVersions  Ranger versions to include  false  string []
        rangerVersionsNin  Ranger versions not to include  false  string []
        registeredAt__between  Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive)  false  string
        remoteProfilingStates  Agent remote profiling state  false  string []
        remoteProfilingStatesNin  Do not include these Agent remote profiling states  false  string []
        scanStatuses  Included scan statuses  false  string []
        scanStatusesNin  Not included scan statuses  false  string []
        serialNumber__contains  Free-text filter by Serial Number (supports multiple values)  false  string []
        tagsData  Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key.  false  string
        threatRebootRequired  Has at least one threat with at least one mitigation action pending reboot to succeed  false  boolean []
        totalMemory__between  Total memory range (GB, inclusive)  false  string
        userActionsNeeded  Included pending user actions  false  string []
        userActionsNeededNin  Excluded pending user actions  false  string []
        uuid__contains  Free-text filter by Agent UUID (supports multiple values)  false  string []
    name  Updated filter name  false  string

Delete Filter
DELETE /web/api/v2.1/filters/{filter_id}

Delete a saved filter.

Response Messages
200 - Filter successfully deleted.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed to perform this operation.

404 - Filter not found

Response Schema
Name  Description  Required  Value
data  Response data  false
    Name  Description  Required  Value
    success  Indicates a successful operation  false  boolean
errors  Errors  false  array

Get Deep Visibility Filters
GET /web/api/v2.1/filters/dv

Get saved Deep Visibility queries with full data. See Save Deep Visibility Filters. The response includes the ID of the filter, which you can use in other commands.

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
countonly optional If true, only total number of items will be returned, without any of the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
ids optional A list of Filter IDs. Example: "225494730938493804,225494730938493915".
includechildren optional Return filters from children scope levels (Default: false)
includeglobal optional [DEPRECATED] Return global filters even when specific sites are selected
includeparents optional Return filters from parent scope levels (Default: false)
limit optional Limit number of returned items (1-1000). Example: "10".
query optional Text query for filter's name. Example: "MyFilter".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".

Response Messages
400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Save Deep Visibility Filter


POST /web/api/v2.1/filters/dv

Save a Deep Visibility query with data as a filter, to get notifications of specific events sent to named recipients on a given frequency. The recipients must be Console users with permissions on the scope of the query. Notifications are sent through email: you must have an SMTP server configured in the SentinelOne solution (/settings/smtp, see Set SMTP Settings).
Deep Visibility requires a Complete SKU.

Response Messages
400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Body Schema
Name  Description  Required  Value
data  Data  true
    Name  Description  Required  Value
    filterFields  A set of parameters to filter by  true
        Name  Description  Required  Value
        accountIds  List of Account IDs to filter by  false  string []
        groupIds  List of Group IDs to filter by  false  string []
        query  The query to be saved  false  string
        queryType  Query Search Type  false  string
        siteIds  List of Site IDs to filter by  false  string []
        timeRange  The timeframe in which events occurred  false  string
    name  New filter name  true  string
    frequency  Frequency  false  integer
    notifications  Notifications  false  boolean
    recipients  List of recipients  false  string []
filter  Filter  true
    Name  Description  Required  Value
    accountIds  List of Account IDs to filter by  false  string []
    groupIds  List of Group IDs to filter by  false  string []
    scope_level  Filter scope  false  enum
    siteIds  List of Site IDs to filter by  false  string []

Delete Deep Visibility Filter
DELETE /web/api/v2.1/filters/dv/{filter_id}

Delete a saved Deep Visibility query.

Response Messages
200 - Filter successfully deleted.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed to perform this operation.

404 - Filter not found

Response Schema
Name  Description  Required  Value
data  Response data  false
    Name  Description  Required  Value
    success  Indicates a successful operation  false  boolean
errors  Errors  false  array

Update Deep Visibility Filter
PUT /web/api/v2.1/filters/dv/{filter_id}

Change a saved Deep Visibility filter. To get the ID and fields to change, run Get Deep Visibility Filters.

Response Messages
200 - Filter successfully updated. Returns updated object.

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed to perform this operation.

404 - Filter not found

Response Schema
Name  Description  Required  Value
data  Response data  false
    Name  Description  Required  Value
    createdAt  Created at  true  string
    id  Id  true  string
    name  Name  true  string
    scopeLevel  Filter scope  true  enum
    updatedAt  Updated at  true  string
    filterFields  A set of parameters to filter by  false
        Name  Description  Required  Value
        query  Deep visibility query  false  string
        queryType  Either powerquery or events/processes/None  false  string
        timeRange  Deep visibility query time range  false  string
    frequency  Frequency  false  integer
    notifications  Notifications  false  boolean
    recipients  List of recipients  false  string []
    scopeId  Associated site/account  false  string
    scopeLevelName  Filter scope name  false  string
    siteId  [DEPRECATED] Use scopeId instead  false  string
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
data  Data  true
    Name  Description  Required  Value
    filterFields  A set of parameters to filter by  true
        Name  Description  Required  Value
        accountIds  List of Account IDs to filter by  false  string []
        groupIds  List of Group IDs to filter by  false  string []
        query  The query to be saved  false  string
        queryType  Query Search Type  false  string
        siteIds  List of Site IDs to filter by  false  string []
        timeRange  The timeframe in which events occurred  false  string
    name  New filter name  true  string
    frequency  Frequency  false  integer
    notifications  Notifications  false  boolean
    recipients  List of recipients  false  string []
filter  Filter  true
    Name  Description  Required  Value
    accountIds  List of Account IDs to filter by  false  string []
    groupIds  List of Group IDs to filter by  false  string []
    scope_level  Filter scope  false  enum
    siteIds  List of Site IDs to filter by  false  string []

Upload CSV file
POST /web/api/v2.1/filters/csv-filter

Upload CSV file

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name  Description  Required  Value
data  Response data  false
    Name  Description  Required  Value
    endpointFoundCount  Number of endpoints found with these values  false  integer
    filterId  ID of the filter  false  string
    notFoundEndpoints  Not found endpoints  false  string []
    rowsCount  Number of rows in the CSV file  false  integer
    uniqueInputValuesCount  Number of unique values in the file  false  integer
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
formData  false
    Name  Description  Required  Value
    agentFilterField  The property of the endpoint to filter by  true  string
    excludeHeader  Set to True to exclude the column header  true  boolean
    file  File  true  file

Firewall Control

Get Firewall Rules


GET /web/api/v2.1/firewall-control

Get the Firewall Control rules for a scope specified by ID (run "accounts", "sites", "groups", or set "tenant" to "true") that match the filter.
The response can be quite long because it includes all the rule properties, so at least one of these filters is required: action, status, osType, name, or scope ID.

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
actions optional Return firewall rules with the filtered action. Example: "Allow".
application__contains optional Free-text filter by application (supports multiple values)
applications optional Return firewall rules with the filtered firewall class.
countonly optional If true, only total number of items will be returned, without any of the actual objects.
createdat__between optional Return firewall rules created within this range (inclusive). Example: "1514978764288-1514978999999".
createdat__gt optional Return firewall rules created after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__gte optional Return firewall rules created after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lt optional Return firewall rules created before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lte optional Return firewall rules created before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
directions optional Return firewall rules with the filtered directions. Example: "any".
disablepagination optional If true, all rules for requested scope will be returned
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
ids optional List of ids to filter by. Example: "225494730938493804,225494730938493915".
limit optional Limit number of returned items (1-1000). Example: "10".
locationids optional Filter by associated locations. Example: "225494730938493804,225494730938493915".
name optional Return firewall rules with the filtered name.
name__contains optional Free-text filter by the Rule name (supports multiple values)
ostypes optional Return firewall rules with the filtered os_type. Example: "macos".
protocol__contains optional Free-text filter by protocol (supports multiple values)
protocols optional Return firewall rules with the filtered protocols.
query optional Free text search on name, tag, application, protocol
scopes optional Return only firewall rules in this scope. Example: "account".
service__contains optional Free-text filter by service (supports multiple values)
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
statuses optional Return firewall rules with the filtered status. Example: "Enabled".
tagids optional Filter by associated tags. Example: "225494730938493804,225494730938493915".
tagname__contains optional Free-text filter by the Tag name (supports multiple values)
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name  Description  Required  Value
pagination  Pagination information  true
    Name  Description  Required  Value
    totalItems  Total number of items found matching your query  true  integer
    nextCursor  Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached)  false  string

data  Response data  false
    Name  Description  Required  Value
    action  Defines if agent shall Block or Allow use of firewalls which matches the rule parameters.  false  enum
    application  Application for the rule  false
    createdAt  Date of rule creation  false  string
    creator  Full name of the creating user  false  string
    creatorId  Id of the creating user  false  string
    description  Description  false  string
    direction  Defines the Direction of the Firewall rule.  false  enum
    editable  True if the rule can be modified at this scope level  false  boolean
    id  Rule ID  false  string
    localHost  Local host  false
    localPort  Local ports  false
    location  Location associated with the rule  false
        Name  Description  Required  Value
        type  Location type  true  enum
        values  Location IDs (applicable for the "specific" location type only)  false
            Name  Description  Required  Value
            id  Location ID  true  string
            name  Location name  false  string
        scope  Location scope  false  enum

    name  The name of the firewall rule.  false  string
    order  Position in the list of rules  false  integer
    osType  [DEPRECATED] Please use os_types since multiple os types are supported. This field will return the first os_type, not necessarily the only one.  false  enum
    osTypes  Os types  false  string []
    productId  Product identifier. Unique for a specific product module, per vendor ID, Interface.  false  string
    protocol  The protocol.  false  string
    remoteHost  [DEPRECATED] First remote host in the rule. Full list in remote_hosts  false
    remoteHosts  List of remote hosts  false
        Name  Description  Required  Value
        type  Type of the host  false  enum
        values  Value of the host  false  string []
    remotePort  Remote ports  false
    ruleCategory  Network quarantine rule or standard firewall rule  false  enum
    scope  Scope of the rule  false  enum
    scopeId  The group or site id depending on the scope. null if it is global.  false  string
    status  Defines if rule is Enabled or Disabled  false  enum
    tag  [DEPRECATED] Free text to describe the rule. Please use description instead.  false  string
    tagIds  Tag ids  false  string []
    tagNames  Tag names  false  string []
    tags  Tags  false
        Name  Description  Required  Value
        id  false  string
        name  false  string
    updatedAt  Date of last update  false  string
errors  Errors  false  array
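
Added example (not from the SentinelOne documentation): following pagination.nextCursor across pages of Get Firewall Rules; the same cursor and limit parameters are listed for Get Deep Visibility Filters. The "Authorization: ApiToken" header, the mapping of the "at least one filter" requirement onto query parameters, and the sample pages are assumptions or constructed data.

```python
"""Added example: walk every page of GET /web/api/v2.1/firewall-control."""
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

API_PATH = "/web/api/v2.1/firewall-control"
# Assumption: the query parameters that satisfy "at least one of these filters
# is required: action, status, osType, name, or scope ID".
NARROWING_PARAMS = {"actions", "statuses", "ostypes", "name",
                    "accountids", "siteids", "groupids", "tenant"}


def http_fetcher(console_url, api_token, timeout=30):
    """Return a fetch_page(params) callable that performs the real GET.

    Assumption: the token is sent as "Authorization: ApiToken <token>".
    """
    def fetch_page(params):
        url = f"{console_url.rstrip('/')}{API_PATH}?{urlencode(params)}"
        req = Request(url, headers={"Authorization": f"ApiToken {api_token}"})
        with urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    return fetch_page


def iter_firewall_rules(fetch_page, limit=1000, **filters):
    """Yield every rule matching `filters`, following pagination.nextCursor."""
    if not NARROWING_PARAMS.intersection(filters):
        raise ValueError("supply at least one of: " + ", ".join(sorted(NARROWING_PARAMS)))
    if not 1 <= limit <= 1000:
        raise ValueError("limit must be within 1-1000")
    cursor, seen = None, set()
    while True:
        params = dict(filters, limit=limit)
        if cursor:
            params["cursor"] = cursor
        page = fetch_page(params)
        if page.get("errors"):
            raise RuntimeError(f"API returned errors: {page['errors']}")
        yield from page.get("data") or []
        cursor = (page.get("pagination") or {}).get("nextCursor")
        # The last page carries a null cursor; tolerate the literal string too.
        if cursor in (None, "", "null"):
            return
        if cursor in seen:  # a repeated cursor would loop forever
            raise RuntimeError("cursor repeated; aborting pagination")
        seen.add(cursor)


# Constructed sample responses (not real console output), keyed by cursor.
SAMPLE_PAGES = {
    None: {"pagination": {"totalItems": 3, "nextCursor": "Y3Vyc29yLTE="},
           "data": [{"id": "1001", "name": "Allow DNS"},
                    {"id": "1002", "name": "Allow HTTPS"}]},
    "Y3Vyc29yLTE=": {"pagination": {"totalItems": 3, "nextCursor": None},
                     "data": [{"id": "1003", "name": "Clean-up"}]},
}


def sample_fetcher(calls):
    """Offline stand-in for http_fetcher that records each request's params."""
    def fetch_page(params):
        calls.append(dict(params))
        return SAMPLE_PAGES[params.get("cursor")]
    return fetch_page


if __name__ == "__main__":
    recorded = []
    for rule in iter_firewall_rules(sample_fetcher(recorded), limit=2, statuses="Enabled"):
        print(rule["id"], rule["name"])
```

Against a real console, pass `http_fetcher(console_url, api_token)` in place of `sample_fetcher`.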

Create Firewall Rule
POST /web/api/v2.1/firewall-control

Create a Firewall Control rule for a scope specified by ID (run "accounts", "sites", "groups", or set "tenant" to "true") and specific OS, to allow or block network traffic to matching endpoints.
You can create one clean-up rule, with the Action of Allow or Block and with no other parameters defined explicitly. Make this the default rule at the end of your rule list. Traffic that does not match other rules first will match this rule. If you do not have a clean-up rule to match all traffic, the default Firewall Control behavior is to allow traffic that is not explicitly blocked.
Firewall Control requires Control SKU.
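
Added example (not part of the SentinelOne documentation): an audit of one scope's rule list, as returned by Get Firewall Rules, that reports the effective default action described above and flags rules ordered after the clean-up rule. How an "undefined" parameter appears in returned data, ascending evaluation by "order", and the sample rules are assumptions or constructed data.

```python
"""Added example: report the effective default of a Firewall Control rule list."""

# Fields from the rule schema that narrow what a rule matches.
MATCH_FIELDS = ("application", "localHost", "localPort", "remoteHosts",
                "remotePort", "protocol", "location")


def is_unrestricted(value):
    """Assumption: a parameter is 'not defined explicitly' when it is absent,
    empty, or a type/values structure (or list of them) carrying no values."""
    if value in (None, "", [], {}):
        return True
    if isinstance(value, dict):
        return not value.get("values")
    if isinstance(value, list):
        return all(is_unrestricted(v) for v in value)
    return False


def is_cleanup_rule(rule):
    """A clean-up rule has an action and no other matching parameter set."""
    return (rule.get("direction") in (None, "any")
            and all(is_unrestricted(rule.get(f)) for f in MATCH_FIELDS))


def audit_rules(rules):
    """Return (effective_default, findings) for one scope's rules."""
    # Assumption: lower "order" is evaluated first; Disabled rules never match.
    active = sorted((r for r in rules if r.get("status") == "Enabled"),
                    key=lambda r: r.get("order", 0))
    findings = []
    cleanup_idx = next((i for i, r in enumerate(active) if is_cleanup_rule(r)), None)
    if cleanup_idx is None:
        findings.append("no enabled clean-up rule: traffic that is not "
                        "explicitly blocked is allowed")
        return "Allow (implicit)", findings
    cleanup = active[cleanup_idx]
    for shadowed in active[cleanup_idx + 1:]:
        findings.append(f"rule {shadowed['name']!r} is ordered after clean-up rule "
                        f"{cleanup['name']!r} and can never match")
    if cleanup["action"] == "Allow":
        findings.append("clean-up rule allows all unmatched traffic")
    return f"{cleanup['action']} (rule {cleanup['name']!r})", findings


# Constructed sample rules (not real console output); the "type" values other
# than "specific" are placeholders for whatever the console returns.
SAMPLE_RULES = [
    {"name": "Allow DNS", "order": 1, "status": "Enabled", "action": "Allow",
     "direction": "any", "protocol": "UDP",
     "remotePort": {"type": "specific", "values": ["53"]}},
    {"name": "Block everything else", "order": 2, "status": "Enabled",
     "action": "Block", "direction": "any",
     "remoteHosts": [{"type": "any", "values": []}]},
    {"name": "Allow mgmt SSH", "order": 3, "status": "Enabled", "action": "Allow",
     "direction": "any", "protocol": "TCP",
     "localPort": {"type": "specific", "values": ["22"]}},
    {"name": "Old allow-all", "order": 4, "status": "Disabled", "action": "Allow",
     "direction": "any"},
]

if __name__ == "__main__":
    default, notes = audit_rules(SAMPLE_RULES)
    print("effective default:", default)
    for note in notes:
        print(" -", note)
```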

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name  Description  Required  Value
data  Response data  false
    Name  Description  Required  Value
    action  Defines if agent shall Block or Allow use of firewalls which matches the rule parameters.  false  enum
    application  Application for the rule  false
    createdAt  Date of rule creation  false  string
    creator  Full name of the creating user  false  string
    creatorId  Id of the creating user  false  string
    description  Description  false  string
    direction  Defines the Direction of the Firewall rule.  false  enum
    editable  True if the rule can be modified at this scope level  false  boolean
    id  Rule ID  false  string
    localHost  Local host  false
    localPort  Local ports  false
    location  Location associated with the rule  false
        Name  Description  Required  Value
        type  Location type  true  enum
        values  Location IDs (applicable for the "specific" location type only)  false
            Name  Description  Required  Value
            id  Location ID  true  string
            name  Location name  false  string
        scope  Location scope  false  enum

    name  The name of the firewall rule.  false  string
    order  Position in the list of rules  false  integer
    osType  [DEPRECATED] Please use os_types since multiple os types are supported. This field will return the first os_type, not necessarily the only one.  false  enum
    osTypes  Os types  false  string []
    productId  Product identifier. Unique for a specific product module, per vendor ID, Interface.  false  string
    protocol  The protocol.  false  string
    remoteHost  [DEPRECATED] First remote host in the rule. Full list in remote_hosts  false
    remoteHosts  List of remote hosts  false
        Name  Description  Required  Value
        type  Type of the host  false  enum
        values  Value of the host  false  string []
    remotePort  Remote ports  false
    ruleCategory  Network quarantine rule or standard firewall rule  false  enum
    scope  Scope of the rule  false  enum
    scopeId  The group or site id depending on the scope. null if it is global.  false  string
status Defines if false enum
rule is

1321
Enabled or
Disabled
tag [DEPRECATE false string
D] Free text
to describe
the rule.
Please use
description
instead.
tagIds Tag ids false string []
tagNames Tag names false string []
tags Tags false Name Description Required Value
id false string
name false string

updatedAt Date of last false string


update

errors Errors false array

Body Schema
Name | Description | Required | Value
data | Data | true |
    Name | Description | Required | Value
    action | Defines if agent shall Block or Allow use of firewalls which matches the rule parameters. | true | enum
    name | The name of the firewall rule. | true | string
    status | Defines if rule is Enabled or Disabled | true | enum
    application | Application for the rule | false |
        Name | Description | Required | Value
        type | Type of the application | false | enum
        values | Value of the application | false | string []
    description | Description | false | string
    direction | Defines the Direction of the Firewall rule. | false | enum
    localHost | Local host structure with a type and a set of values | false |
        Name | Description | Required | Value
        type | Type of the host | false | enum
        values | Value of the host | false | string []
    localPort | Local ports structure with a type and a set of values | false |
        Name | Description | Required | Value
        type | Type of the ports | false | enum
        values | A list of port numbers | false | integer []
    location | Location structure with a type and a set of values | false |
        Name | Description | Required | Value
        type | Location type | true | enum
        values | Location IDs (applicable for the "specific" location type only) | false |
            Name | Description | Required | Value
            id | Location ID | true | string
            name | Location name | false | string
            scope | Location scope | false | enum
    osType | [DEPRECATED] Please use os_types since multiple os types are supported. This field will return the first os_type, not necessarily the only one. | false | enum
    osTypes | Os types | false | string []
    protocol | The protocol | false | string
    remoteHost | [DEPRECATED] Please use remote_hosts. Remote host structure with a type and a set of values. | false |
        Name | Description | Required | Value
        type | Type of the host | false | enum
        values | Value of the host | false | string []
    remoteHosts | List of remote hosts, each structured with a type and a set of values | false |
        Name | Description | Required | Value
        type | Type of the host | false | enum
        values | Value of the host | false | string []
    remotePort | Remote ports structure with a type and a set of values | false |
        Name | Description | Required | Value
        type | Type of the ports | false | enum
        values | A list of port numbers | false | integer []
    tag | [DEPRECATED] Free text to describe the rule. Please use description instead. | false | string
    tagIds | Tag ids | false | string []
filter | Filter | true |
    Name | Description | Required | Value
    accountIds | List of Account IDs to filter by | false | string []
    groupIds | List of Group IDs to filter by | false | string []
    siteIds | List of Site IDs to filter by | false | string []
    tenant | Indicates a tenant scope request | false | boolean

Delete Rules
DELETE /web/api/v2.1/firewall-control

Delete Firewall Control rules that match the filter.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false |
    Name | Description | Required | Value
    affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
filter | Filter | false |
    Name | Description | Required | Value
    accountIds | List of Account IDs to filter by | false | string []
    actions | Return firewall rules with the filtered action. | false | string []
    application__contains | Free-text filter by application (supports multiple values) | false | string []
    applications | Return firewall rules with the filtered firewall class. | false | string []
    createdAt__between | Return firewall rules created within this range (inclusive) | false | string
    createdAt__gt | Return firewall rules created after this timestamp. | false | string
    createdAt__gte | Return firewall rules created after or at this timestamp. | false | string
    createdAt__lt | Return firewall rules created before this timestamp. | false | string
    createdAt__lte | Return firewall rules created before or at this timestamp. | false | string
    directions | Return firewall rules with the filtered directions. | false | string []
    groupIds | List of Group IDs to filter by | false | string []
    ids | List of ids to filter by | false | string []
    locationIds | Filter by associated locations | false | string []
    name | Return firewall rules with the filtered name. | false | string
    name__contains | Free-text filter by the Rule name (supports multiple values) | false | string []
    osTypes | Return firewall rules with the filtered os_type. | false | string []
    protocol__contains | Free-text filter by protocol (supports multiple values) | false | string []
    protocols | Return firewall rules with the filtered protocols. | false | string []
    query | Free text search on name, tag, application, protocol | false | string
    scopes | Return only firewall rules in this scope | false | string []
    service__contains | Free-text filter by service (supports multiple values) | false | string []
    siteIds | List of Site IDs to filter by | false | string []
    statuses | Return firewall rules with the filtered status. | false | string []
    tagIds | Filter by associated tags | false | string []
    tagName__contains | Free-text filter by the Tag name (supports multiple values) | false | string []
    tenant | Indicates a tenant scope request | false | boolean

Copy Rules
POST /web/api/v2.1/firewall-control/copy-rules

Copy a set of rules to other scopes.


In the filter of the body, enter the properties to define the source. In the data field of the body, define the targets by ID. To get a scope ID, run 'accounts', 'sites', or 'groups'.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false |
    Name | Description | Required | Value
    affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | false |
    Name | Description | Required | Value
    accountId | Target account | false | string
    accountIds | List of Account IDs to filter by | false | string []
    groupId | Target group | false | string
    groupIds | [DEPRECATED] Target group(s) | false | string []
    siteId | Target site | false | string
    siteIds | List of Site IDs to filter by | false | string []
    tenant | Indicates a tenant scope request | false | boolean
filter | Filter | false |
    Name | Description | Required | Value
    accountIds | List of Account IDs to filter by | false | string []
    actions | Return firewall rules with the filtered action. | false | string []
    application__contains | Free-text filter by application (supports multiple values) | false | string []
    applications | Return firewall rules with the filtered firewall class. | false | string []
    createdAt__between | Return firewall rules created within this range (inclusive) | false | string
    createdAt__gt | Return firewall rules created after this timestamp. | false | string
    createdAt__gte | Return firewall rules created after or at this timestamp. | false | string
    createdAt__lt | Return firewall rules created before this timestamp. | false | string
    createdAt__lte | Return firewall rules created before or at this timestamp. | false | string
    directions | Return firewall rules with the filtered directions. | false | string []
    groupIds | List of Group IDs to filter by | false | string []
    ids | List of ids to filter by | false | string []
    locationIds | Filter by associated locations | false | string []
    name | Return firewall rules with the filtered name. | false | string
    name__contains | Free-text filter by the Rule name (supports multiple values) | false | string []
    osTypes | Return firewall rules with the filtered os_type. | false | string []
    protocol__contains | Free-text filter by protocol (supports multiple values) | false | string []
    protocols | Return firewall rules with the filtered protocols. | false | string []
    query | Free text search on name, tag, application, protocol | false | string
    scopes | Return only firewall rules in this scope | false | string []
    service__contains | Free-text filter by service (supports multiple values) | false | string []
    siteIds | List of Site IDs to filter by | false | string []
    statuses | Return firewall rules with the filtered status. | false | string []
    tagIds | Filter by associated tags | false | string []
    tagName__contains | Free-text filter by the Tag name (supports multiple values) | false | string []
    tenant | Indicates a tenant scope request | false | boolean

Move Rules
POST /web/api/v2.1/firewall-control/move-rules

Remove Firewall Rules, defined with the ID of the rules (run 'firewall-control'), from scopes specified by ID (run 'accounts', 'sites', or 'groups') and add the rules to the scope
IDs in the data field.
Firewall Control requires Control SKU.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false |
    Name | Description | Required | Value
    affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | false |
    Name | Description | Required | Value
    accountId | Target account | false | string
    accountIds | List of Account IDs to filter by | false | string []
    groupId | Target group | false | string
    groupIds | [DEPRECATED] Target group(s) | false | string []
    siteId | Target site | false | string
    siteIds | List of Site IDs to filter by | false | string []
    tenant | Indicates a tenant scope request | false | boolean
filter | Filter | false |
    Name | Description | Required | Value
    accountIds | List of Account IDs to filter by | false | string []
    actions | Return firewall rules with the filtered action. | false | string []
    application__contains | Free-text filter by application (supports multiple values) | false | string []
    applications | Return firewall rules with the filtered firewall class. | false | string []
    createdAt__between | Return firewall rules created within this range (inclusive) | false | string
    createdAt__gt | Return firewall rules created after this timestamp. | false | string
    createdAt__gte | Return firewall rules created after or at this timestamp. | false | string
    createdAt__lt | Return firewall rules created before this timestamp. | false | string
    createdAt__lte | Return firewall rules created before or at this timestamp. | false | string
    directions | Return firewall rules with the filtered directions. | false | string []
    groupIds | List of Group IDs to filter by | false | string []
    ids | List of ids to filter by | false | string []
    locationIds | Filter by associated locations | false | string []
    name | Return firewall rules with the filtered name. | false | string
    name__contains | Free-text filter by the Rule name (supports multiple values) | false | string []
    osTypes | Return firewall rules with the filtered os_type. | false | string []
    protocol__contains | Free-text filter by protocol (supports multiple values) | false | string []
    protocols | Return firewall rules with the filtered protocols. | false | string []
    query | Free text search on name, tag, application, protocol | false | string
    scopes | Return only firewall rules in this scope | false | string []
    service__contains | Free-text filter by service (supports multiple values) | false | string []
    siteIds | List of Site IDs to filter by | false | string []
    statuses | Return firewall rules with the filtered status. | false | string []
    tagIds | Filter by associated tags | false | string []
    tagName__contains | Free-text filter by the Tag name (supports multiple values) | false | string []
    tenant | Indicates a tenant scope request | false | boolean

Set Location
POST /web/api/v2.1/firewall-control/set-location

Set location attributes for a Location Aware Firewall Control rule. These rules are applied by Agents only if the network parameters of the endpoint match the properties of
the location definition. To get a Location ID, run "locations".
Firewall Control requires Control SKU.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false |
    Name | Description | Required | Value
    affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true |
    Name | Description | Required | Value
    type | Location type | true | enum
    values | Location IDs (applicable for the "specific" location type only) | false |
        Name | Description | Required | Value
        id | Location ID | true | string
        name | Location name | false | string
        scope | Location scope | false | enum
filter | Filter | false |
    Name | Description | Required | Value
    accountIds | List of Account IDs to filter by | false | string []
    actions | Return firewall rules with the filtered action. | false | string []
    application__contains | Free-text filter by application (supports multiple values) | false | string []
    applications | Return firewall rules with the filtered firewall class. | false | string []
    createdAt__between | Return firewall rules created within this range (inclusive) | false | string
    createdAt__gt | Return firewall rules created after this timestamp. | false | string
    createdAt__gte | Return firewall rules created after or at this timestamp. | false | string
    createdAt__lt | Return firewall rules created before this timestamp. | false | string
    createdAt__lte | Return firewall rules created before or at this timestamp. | false | string
    directions | Return firewall rules with the filtered directions. | false | string []
    groupIds | List of Group IDs to filter by | false | string []
    ids | List of ids to filter by | false | string []
    locationIds | Filter by associated locations | false | string []
    name | Return firewall rules with the filtered name. | false | string
    name__contains | Free-text filter by the Rule name (supports multiple values) | false | string []
    osTypes | Return firewall rules with the filtered os_type. | false | string []
    protocol__contains | Free-text filter by protocol (supports multiple values) | false | string []
    protocols | Return firewall rules with the filtered protocols. | false | string []
    query | Free text search on name, tag, application, protocol | false | string
    scopes | Return only firewall rules in this scope | false | string []
    service__contains | Free-text filter by service (supports multiple values) | false | string []
    siteIds | List of Site IDs to filter by | false | string []
    statuses | Return firewall rules with the filtered status. | false | string []
    tagIds | Filter by associated tags | false | string []
    tagName__contains | Free-text filter by the Tag name (supports multiple values) | false | string []
    tenant | Indicates a tenant scope request | false | boolean

Reorder Rules
PUT /web/api/v2.1/firewall-control/reorder

Change the order of rules for a scope specified by ID (run "accounts", "sites", or "groups").
The Agent looks at the rules based on their order in the Firewall Control policy, from the top to the bottom. First it goes through the Group rules, then the Site rules, then
the Account rules, then the Global rules. When the Agent finds a rule that matches the parameters of the traffic, that rule is applied. The Agent does not continue to the
lower rules in the list. Thus, the scope and the order of the rules are important.
Firewall Control requires Control SKU.
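
The first-match walk described above, modelled offline as an added example (not SentinelOne code and not part of the original documentation); it also flags rules that can never fire because an earlier rule already covers them. Assumptions: Disabled rules are skipped, the scope spellings other than "account" and the direction values "inbound"/"outbound" are guesses, and each rule is simplified to one protocol and a flat set of remote ports.

```python
from dataclasses import dataclass
from typing import Optional

# Order in which the Agent walks the scopes, per the Reorder Rules text above.
# The page shows "account" as a scope value; the other spellings are assumed.
SCOPE_PRECEDENCE = ("group", "site", "account", "global")


@dataclass(frozen=True)
class Rule:
    """Simplified rule: one protocol and a flat port set instead of the
    API's type/values structures (a simplification made for this example)."""
    id: str
    scope: str
    order: int
    action: str                            # "Allow" or "Block"
    status: str = "Enabled"                # "Enabled" or "Disabled"
    direction: str = "any"                 # "inbound"/"outbound" are assumed values
    protocol: Optional[str] = None         # None matches any protocol
    remote_ports: frozenset = frozenset()  # empty set matches any port


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    remote_port: int


def evaluation_order(rules):
    """Enabled rules in the order the Agent reads them."""
    for r in rules:
        if r.scope not in SCOPE_PRECEDENCE:
            raise ValueError(f"unknown scope {r.scope!r} on rule {r.id}")
    # Assumption: rules whose status is "Disabled" are not evaluated.
    active = [r for r in rules if r.status == "Enabled"]
    return sorted(active, key=lambda r: (SCOPE_PRECEDENCE.index(r.scope), r.order, r.id))


def matches(rule, flow):
    return (rule.direction in ("any", flow.direction)
            and rule.protocol in (None, flow.protocol)
            and (not rule.remote_ports or flow.remote_port in rule.remote_ports))


def decide(rules, flow):
    """First matching rule wins; lower rules are never consulted."""
    for rule in evaluation_order(rules):
        if matches(rule, flow):
            return rule
    return None


def covers(earlier, later):
    """True if every flow matched by `later` is already matched by `earlier`."""
    return (earlier.direction in ("any", later.direction)
            and earlier.protocol in (None, later.protocol)
            and (not earlier.remote_ports
                 or (bool(later.remote_ports) and later.remote_ports <= earlier.remote_ports)))


def shadowed(rules):
    """(later_id, earlier_id, actions_differ) for each rule that can never fire."""
    ordered = evaluation_order(rules)
    findings = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if covers(earlier, later):
                findings.append((later.id, earlier.id, earlier.action != later.action))
                break
    return findings


# Constructed sample policy (IDs and values are made up for illustration).
SAMPLE_RULES = [
    Rule("gl0", "global", 0, "Allow", status="Disabled"),
    Rule("gl1", "global", 1, "Block"),
    Rule("a1", "account", 1, "Allow", direction="outbound", protocol="udp",
         remote_ports=frozenset({53})),
    Rule("s2", "site", 2, "Allow", direction="outbound", protocol="tcp",
         remote_ports=frozenset({22})),
    Rule("s1", "site", 1, "Block", protocol="tcp"),
    Rule("g2", "group", 2, "Block", direction="outbound", protocol="tcp",
         remote_ports=frozenset({443, 8443})),
    Rule("g1", "group", 1, "Allow", direction="outbound", protocol="tcp",
         remote_ports=frozenset({443})),
]

if __name__ == "__main__":
    for flow in (Flow("outbound", "tcp", 443), Flow("outbound", "tcp", 22),
                 Flow("inbound", "udp", 123)):
        hit = decide(SAMPLE_RULES, flow)
        print(flow, "->", hit.id, hit.action)
    print("shadowed:", shadowed(SAMPLE_RULES))
```

In the sample, the Site rule s2 (Allow outbound TCP 22) never applies because the Site rule s1 above it blocks all TCP; moving s2 above s1 with the reorder request would change the outcome.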

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false |
    Name | Description | Required | Value
    success | Indicates a successful operation | false | boolean
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
filter | Filter | true |
    Name | Description | Required | Value
    accountIds | List of Account IDs to filter by | false | string []
    groupIds | List of Group IDs to filter by | false | string []
    osTypes | [DEPRECATED] Rules OS type (was relevant for when each OS type had its own rule order) | false | string []
    siteIds | List of Site IDs to filter by | false | string []
    tenant | Indicates a tenant scope request | false | boolean
data | Data | false |
    Name | Description | Required | Value
    id | Rule ID | true | string
    order | Desired position in the list of rules | true | integer

Get Configuration
GET /web/api/v2.1/firewall-control/configuration

Get the Firewall Control configuration for a given scope.


To filter the results for a scope:
* Global - Make sure "tenant" is "true" and no other scope ID is given.
* Account - Make sure "tenant" is "false" and at least one Account ID is given.
* Site - Make sure "tenant" is "false" and at least one Site ID is given.
The response shows if Firewall Control is enabled for the scope, if Location Awareness is enabled, the higher scope from which this scope inherited the configuration, and
whether a lower scope inherits this configuration.
Firewall Control requires Control SKU.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false |
    Name | Description | Required | Value
    enabled | Firewall control enabled for the scope | false | boolean
    inheritAllFirewallRules | Inherit all the rules and tags from the parent scope. Expands on 'inherits' value. | false | boolean
    inheritedFrom | If null it means it is own policy else it tells the ancestor for the policy. For groups options are null/Site/Global, for site options are null/Global. | false | string
    inherits | True if rules are decoupled from parent rules | false | boolean
    inheritSettings | Inherit firewall settings from parent scope | false | boolean
    locationAware | Firewall control supports location awareness for the scope | false | boolean
    reportBlocked | Agent should report blocked events | false | boolean
    selectedTags | Selected tags | false | string []
errors | Errors | false | array

Update Configuration
PUT /web/api/v2.1/firewall-control/configuration

Change the Firewall Control configuration for a given scope.


To get the ID of a scope, run "accounts", "sites", or "groups". To change the Global configuration, leave the filters empty and set "tenant" to "true". In the Body, you can set if
Firewall Control is enabled for the scope, if Location Awareness is enabled, the higher scope from which this scope inherits the configuration ("Global" or a scope ID),
whether the lower scopes inherit this configuration, and whether blocked actions are reported.
Firewall Control requires Control SKU.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false |
    Name | Description | Required | Value
    enabled | Firewall control enabled for the scope | false | boolean
    inheritAllFirewallRules | Inherit all the rules and tags from the parent scope. Expands on 'inherits' value. | false | boolean
    inheritedFrom | If null it means it is own policy else it tells the ancestor for the policy. For groups options are null/Site/Global, for site options are null/Global. | false | string
    inherits | True if rules are decoupled from parent rules | false | boolean
    inheritSettings | Inherit firewall settings from parent scope | false | boolean
    locationAware | Firewall control supports location awareness for the scope | false | boolean
    reportBlocked | Agent should report blocked events | false | boolean
    selectedTags | Selected tags | false | string []
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true |
    Name | Description | Required | Value
    enabled | Firewall control enabled for the scope | false | boolean
    inheritAllFirewallRules | Inherit all the rules and tags from the parent scope. Expands on 'inherits' value. | false | boolean
    inheritedFrom | If null it means it is own policy else it tells the ancestor for the policy. For groups options are null/Site/Global, for site options are null/Global. | false | string
    inherits | True if rules are decoupled from parent rules | false | boolean
    inheritSettings | Inherit firewall settings from parent scope | false | boolean
    locationAware | Firewall control supports location awareness for the scope | false | boolean
    reportBlocked | Agent should report blocked events | false | boolean
    selectedTags | Selected tags | false | string []
filter | Filter | true |
    Name | Description | Required | Value
    accountIds | List of Account IDs to filter by | false | string []
    groupIds | List of Group IDs to filter by | false | string []
    siteIds | List of Site IDs to filter by | false | string []
    tenant | Indicates a tenant scope request | false | boolean

Export Rules
GET /web/api/v2.1/firewall-control/export

Export Firewall Control rules that match the filter to a JSON file from a scope specified by ID (run "accounts", "sites", "groups", or leave the scope empty and set "tenant" to
"true") and import them to another scope (with the "import" command).
Firewall Control requires Control SKU.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
actions optional Return firewall rules with the filtered action. Example: "Allow".
application__contains optional Free-text filter by application (supports multiple values)
applications optional Return firewall rules with the filtered firewall class.
createdat__between optional Return firewall rules created within this range (inclusive). Example:
"1514978764288-1514978999999".
createdat__gt optional Return firewall rules created after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__gte optional Return firewall rules created after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lt optional Return firewall rules created before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lte optional Return firewall rules created before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
directions optional Return firewall rules with the filtered directions. Example: "any".
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
ids optional List of ids to filter by. Example:
"225494730938493804,225494730938493915".
locationids optional Filter by associated locations. Example:
"225494730938493804,225494730938493915".
name optional Return firewall rules with the filtered name.
name__contains optional Free-text filter by the Rule name (supports multiple values)
ostypes optional Return firewall rules with the filtered os_type. Example: "macos".

protocol__contains optional Free-text filter by protocol (supports multiple values)
protocols optional Return firewall rules with the filtered protocols.
query optional Free text search on name, tag, application, protocol
scopes optional Return only firewall rules in this scope. Example: "account".
service__contains optional Free-text filter by service (supports multiple values)
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
statuses optional Return firewall rules with the filtered status. Example: "Enabled".
tagids optional Filter by associated tags. Example:
"225494730938493804,225494730938493915".
tagname__contains optional Free-text filter by the Tag name (supports multiple values)
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Import Rules
POST /web/api/v2.1/firewall-control/import

Import Firewall Control rules from an exported JSON file to scopes specified by ID (run "accounts", "sites", "groups", or leave the scope empty and set "tenant" to "true").
Firewall Control requires Control SKU, in the target and in the source.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false |
    Name | Description | Required | Value
    success | Indicates a successful operation | false | boolean
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
formData | | false |
    Name | Description | Required | Value
    file | File | true | file
    accountIds | List of Account IDs to filter by. Example: "225494730938493804,225494730938493915". | false | string []
    groupIds | List of Group IDs to filter by. Example: "225494730938493804,225494730938493915". | false | string []
    siteIds | List of Site IDs to filter by. Example: "225494730938493804,225494730938493915". | false | string []
    tenant | Indicates a tenant scope request | false | boolean

Enable/Disable Rules
PUT /web/api/v2.1/firewall-control/enable

Change the status of a set of Firewall Control rules that match the filter to "Enabled" or "Disabled". In one request, you can set one status or the other.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false |
    Name | Description | Required | Value
    affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true |
    Name | Description | Required | Value
    status | should the rules be enabled/disabled | true | enum
filter | Filter | true |
    Name | Description | Required | Value
    accountIds | List of Account IDs to filter by | false | string []
    actions | Return firewall rules with the filtered action. | false | string []
    application__contains | Free-text filter by application (supports multiple values) | false | string []
    applications | Return firewall rules with the filtered firewall class. | false | string []
    createdAt__between | Return firewall rules created within this range (inclusive) | false | string
    createdAt__gt | Return firewall rules created after this timestamp. | false | string
    createdAt__gte | Return firewall rules created after or at this timestamp. | false | string
    createdAt__lt | Return firewall rules created before this timestamp. | false | string
    createdAt__lte | Return firewall rules created before or at this timestamp. | false | string
    directions | Return firewall rules with the filtered directions. | false | string []
    groupIds | List of Group IDs to filter by | false | string []
    ids | List of ids to filter by | false | string []
    locationIds | Filter by associated locations | false | string []
    name | Return firewall rules with the filtered name. | false | string
    name__contains | Free-text filter by the Rule name (supports multiple values) | false | string []
    osTypes | Return firewall rules with the filtered os_type. | false | string []
    protocol__contains | Free-text filter by protocol (supports multiple values) | false | string []
    protocols | Return firewall rules with the filtered protocols. | false | string []
    query | Free text search on name, tag, application, protocol | false | string
    scopes | Return only firewall rules in this scope | false | string []
    service__contains | Free-text filter by service (supports multiple values) | false | string []
    siteIds | List of Site IDs to filter by | false | string []
    statuses | Return firewall rules with the filtered status. | false | string []
    tagIds | Filter by associated tags | false | string []
    tagName__contains | Free-text filter by the Tag name (supports multiple values) | false | string []
    tenant | Indicates a tenant scope request | false | boolean

Get Protocols
GET /web/api/v2.1/firewall-control/protocols

Get a list of protocols that can be used in Firewall Control rules.

Parameters
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
disablepagination optional If true, all rules for requested scope will be returned
limit optional Limit number of returned items (1-1000). Example: "10".
query optional Full text search on protocols
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
pagination | Pagination information | true |
    Name | Description | Required | Value
    totalItems | Total number of items found matching your query | true | integer
    nextCursor | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) | false | string
data | Response data | false |
    Name | Description | Required | Value
    accountIds | List of Account IDs to filter by | false | string []
    groupIds | List of Group IDs to filter by | false | string []
    name | Description of the protocol | false | string
    siteIds | List of Site IDs to filter by | false | string []
    tenant | Indicates a tenant scope request | false | boolean
    value | Short code identifying the protocol | false | string
errors | Errors | false | array

Add Rule Tags
POST /web/api/v2.1/firewall-control/add-tags

Create a Firewall Rule tag.


Create tags to represent Firewall policies - a set of rules in a specific order. After you create the tag, add rules to it.
Notes:
* Tags apply to a scope and cannot be linked to rules from different scopes.
* Tags must be 2 to 256 characters.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false |
    Name | Description | Required | Value
    affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true |
    Name | Description | Required | Value
    tagIds | Tag ids | false | string []
filter | Filter | true |
    Name | Description | Required | Value
    accountIds | List of Account IDs to filter by | false | string []
    actions | Return firewall rules with the filtered action. | false | string []
    application__contains | Free-text filter by application (supports multiple values) | false | string []
    applications | Return firewall rules with the filtered firewall class. | false | string []
    createdAt__between | Return firewall rules created within this range (inclusive) | false | string
    createdAt__gt | Return firewall rules created after this timestamp. | false | string
    createdAt__gte | Return firewall rules created after or at this timestamp. | false | string
    createdAt__lt | Return firewall rules created before this timestamp. | false | string
    createdAt__lte | Return firewall rules created before or at this timestamp. | false | string
    directions | Return firewall rules with the filtered directions. | false | string []
    groupIds | List of Group IDs to filter by | false | string []
    ids | List of ids to filter by | false | string []
    locationIds | Filter by associated locations | false | string []
    name | Return firewall rules with the filtered name. | false | string
    name__contains | Free-text filter by the Rule name (supports multiple values) | false | string []
    osTypes | Return firewall rules with the filtered os_type. | false | string []
    protocol__contains | Free-text filter by protocol (supports multiple values) | false | string []
    protocols | Return firewall rules with the filtered protocols. | false | string []
    query | Free text search on name, tag, application, protocol | false | string
    scopes | Return only firewall rules in this scope | false | string []
    service__contains | Free-text filter by service (supports multiple values) | false | string []
    siteIds | List of Site IDs to filter by | false | string []
    statuses | Return firewall rules with the filtered status. | false | string []
    tagIds | Filter by associated tags | false | string []
    tagName__contains | Free-text filter by the Tag name (supports multiple values) | false | string []
    tenant | Indicates a tenant scope request | false | boolean

1369
Remove Rule Tags
POST /web/api/v2.1/firewall-control/remove-tags

Remove firewall tags from rules matching the filter.


Tags represent Firewall policies - a set of rules in a specific order. When you remove a rule with a tag, all scopes that subscribe to the tag get the change.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    affected Number of entities affected by the requested operation false integer
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    tagIds Tag ids false string []
filter Filter true
    accountIds List of Account IDs to filter by false string []
    actions Return firewall rules with the filtered action. false string []
    application__contains Free-text filter by application (supports multiple values) false string []
    applications Return firewall rules with the filtered firewall class. false string []
    createdAt__between Return firewall rules created within this range (inclusive) false string
    createdAt__gt Return firewall rules created after this timestamp. false string
    createdAt__gte Return firewall rules created after or at this timestamp. false string
    createdAt__lt Return firewall rules created before this timestamp. false string
    createdAt__lte Return firewall rules created before or at this timestamp. false string
    directions Return firewall rules with the filtered directions. false string []
    groupIds List of Group IDs to filter by false string []
    ids List of ids to filter by false string []
    locationIds Filter by associated locations false string []
    name Return firewall rules with the filtered name. false string
    name__contains Free-text filter by the Rule name (supports multiple values) false string []
    osTypes Return firewall rules with the filtered os_type. false string []
    protocol__contains Free-text filter by protocol (supports multiple values) false string []
    protocols Return firewall rules with the filtered protocols. false string []
    query Free text search on name, tag, application, protocol false string
    scopes Return only firewall rules in this scope false string []
    service__contains Free-text filter by service (supports multiple values) false string []
    siteIds List of Site IDs to filter by false string []
    statuses Return firewall rules with the filtered status. false string []
    tagIds Filter by associated tags false string []
    tagName__contains Free-text filter by the Tag name (supports multiple values) false string []
    tenant Indicates a tenant scope request false boolean

Get Tag Firewall Rules
GET /web/api/v2.1/firewall-control/tag-rules/{tag_id}

Get all Firewall rules linked to a tag, regardless of inheritance mode.

To get the ID of a tag, run the firewall-control API (see Get Firewall Rules) and see tagIds in the response.

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
actions optional Return firewall rules with the filtered action. Example: "Allow".
application__contains optional Free-text filter by application (supports multiple values)
applications optional Return firewall rules with the filtered firewall class.
countonly optional If true, only total number of items will be returned, without any of the actual objects.
createdat__between optional Return firewall rules created within this range (inclusive). Example: "1514978764288-1514978999999".
createdat__gt optional Return firewall rules created after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__gte optional Return firewall rules created after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lt optional Return firewall rules created before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lte optional Return firewall rules created before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
directions optional Return firewall rules with the filtered directions. Example: "any".
disablepagination optional If true, all rules for requested scope will be returned
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
ids optional List of ids to filter by. Example: "225494730938493804,225494730938493915".
limit optional Limit number of returned items (1-1000). Example: "10".
locationids optional Filter by associated locations. Example: "225494730938493804,225494730938493915".
name optional Return firewall rules with the filtered name.
name__contains optional Free-text filter by the Rule name (supports multiple values)
ostypes optional Return firewall rules with the filtered os_type. Example: "macos".
protocol__contains optional Free-text filter by protocol (supports multiple values)
protocols optional Return firewall rules with the filtered protocols.
query optional Free text search on name, tag, application, protocol
scopes optional Return only firewall rules in this scope. Example: "account".
service__contains optional Free-text filter by service (supports multiple values)
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
statuses optional Return firewall rules with the filtered status. Example: "Enabled".
tagids optional Filter by associated tags. Example: "225494730938493804,225494730938493915".
tagname__contains optional Free-text filter by the Tag name (supports multiple values)
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema

Name Description Required Value
pagination Pagination information true
    totalItems Total number of items found matching your query true integer
    nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
    action Defines if agent shall Block or Allow use of firewalls which matches the rule parameters. false enum
    application Application for the rule false
    createdAt Date of rule creation false string
    creator Full name of the creating user false string
    creatorId Id of the creating user false string
    description Description false string
    direction Defines the Direction of the Firewall rule. false enum
    editable True if the rule can be modified at this scope level false boolean
    id Rule ID false string
    localHost Local host false
    localPort Local ports false
    location Location associated with the rule false
        type Location type true enum
        values Location IDs (applicable for the "specific" location type only) false
            id Location ID true string
            name Location name false string
            scope Location scope false enum
    name The name of the firewall rule. false string
    order Position in the list of rules false integer
    osType [DEPRECATED] Please use os_types since multiple os types are supported. This field will return the first os_type, not necessarily the only one. false enum
    osTypes Os types false string []
    productId Product identifier. Unique for a specific product module, per vendor ID, Interface. false string
    protocol The protocol. false string
    remoteHost [DEPRECATED] First remote host in the rule. Full list in remote_hosts false
    remoteHosts List of remote hosts false
        type Type of the host false enum
        values Value of the host false string []
    remotePort Remote ports false
    ruleCategory Network quarantine rule or standard firewall rule false enum
    scope Scope of the rule false enum
    scopeId The group or site id depending on the scope. null if it is global. false string
    status Defines if rule is Enabled or Disabled false enum
    tag [DEPRECATED] Free text to describe the rule. Please use description instead. false string
    tagIds Tag ids false string []
    tagNames Tag names false string []
    tags Tags false
        id false string
        name false string
    updatedAt Date of last update false string
errors Errors false array
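
The pagination contract documented for Get Tag Firewall Rules (limit 1-1000, "cursor" for more than 1000 items, nextCursor null on the last page), as an added Python example that is not part of the SentinelOne documentation; it lists every rule linked to a tag, which is worth reviewing before a Remove Rule Tags call on that tag. The `fetch` transport, the sample pages and the cursor string are constructed, and treating `data` as a list of rule objects is an assumption.

```python
"""Added example (not SentinelOne code): walk every page of
GET /web/api/v2.1/firewall-control/tag-rules/{tag_id}."""
from typing import Callable, Dict, Iterator, List, Tuple

TAG_RULES_PATH = "/web/api/v2.1/firewall-control/tag-rules/{tag_id}"
MAX_LIMIT = 1000  # "limit" accepts 1-1000 per the parameter list

# Assumed transport signature: (path, query params) -> decoded JSON body.
Fetch = Callable[[str, Dict[str, str]], dict]


def iter_tag_rules(fetch: Fetch, tag_id: str, limit: int = MAX_LIMIT,
                   **filters: str) -> Iterator[dict]:
    """Yield every rule linked to tag_id, following pagination.nextCursor."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be between 1 and 1000")
    if not tag_id.isdigit():
        # IDs on the page are decimal strings; refuse anything that could alter the path.
        raise ValueError("tag_id must be a decimal ID string")
    path = TAG_RULES_PATH.format(tag_id=tag_id)
    params = dict(filters, limit=str(limit))
    seen_cursors = set()
    while True:
        body = fetch(path, params)
        if body.get("errors"):
            raise RuntimeError(f"API returned errors: {body['errors']}")
        yield from body.get("data") or []
        cursor = (body.get("pagination") or {}).get("nextCursor")
        if cursor in (None, "null"):  # last page reached
            return
        if cursor in seen_cursors:
            raise RuntimeError("cursor repeated; stopping to avoid an endless loop")
        seen_cursors.add(cursor)
        params = dict(params, cursor=cursor)


def enabled_allow_rules(rules: List[dict]) -> List[dict]:
    """Enabled "Allow" rules, sorted by their position in the rule list."""
    hits = [r for r in rules
            if r.get("action") == "Allow" and r.get("status") == "Enabled"]
    return sorted(hits, key=lambda r: r.get("order", 0))


# Constructed sample pages (not real API output); the cursor value is made up.
SAMPLE_PAGES = {
    None: {"pagination": {"totalItems": 3, "nextCursor": "cursor-page-2"},
           "data": [{"id": "1001", "name": "allow-dns", "action": "Allow",
                     "status": "Enabled", "order": 2},
                    {"id": "1002", "name": "block-smb", "action": "Block",
                     "status": "Enabled", "order": 1}]},
    "cursor-page-2": {"pagination": {"totalItems": 3, "nextCursor": None},
                      "data": [{"id": "1003", "name": "allow-legacy", "action": "Allow",
                                "status": "Disabled", "order": 3}]},
}


def demo() -> Tuple[List[str], List[str], List[Tuple[str, Dict[str, str]]]]:
    calls = []

    def fake_fetch(path, params):
        calls.append((path, dict(params)))
        return SAMPLE_PAGES[params.get("cursor")]

    rules = list(iter_tag_rules(fake_fetch, "225494730938493804", limit=2))
    return ([r["id"] for r in rules],
            [r["name"] for r in enabled_allow_rules(rules)],
            calls)


if __name__ == "__main__":
    print(demo())
```

In real use, `fetch` is whatever authenticated HTTP client you already have for the console; nothing else in the block changes.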

Update Firewall Rule
PUT /web/api/v2.1/firewall-control/{firewall_rule_category}

Change a Firewall Control rule.


This command requires the rule ID, which you can get from "firewall-control" (see Get Firewall Rules) or "firewall-control/unscoped" (see Get Unscoped Rules).

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Firewall rule not found

Response Schema
Name Description Required Value
data Response data false
    action Defines if agent shall Block or Allow use of firewalls which matches the rule parameters. false enum
    application Application for the rule false
    createdAt Date of rule creation false string
    creator Full name of the creating user false string
    creatorId Id of the creating user false string
    description Description false string
    direction Defines the Direction of the Firewall rule. false enum
    editable True if the rule can be modified at this scope level false boolean
    id Rule ID false string
    localHost Local host false
    localPort Local ports false
    location Location associated with the rule false
        type Location type true enum
        values Location IDs (applicable for the "specific" location type only) false
            id Location ID true string
            name Location name false string
            scope Location scope false enum
    name The name of the firewall rule. false string
    order Position in the list of rules false integer
    osType [DEPRECATED] Please use os_types since multiple os types are supported. This field will return the first os_type, not necessarily the only one. false enum
    osTypes Os types false string []
    productId Product identifier. Unique for a specific product module, per vendor ID, Interface. false string
    protocol The protocol. false string
    remoteHost [DEPRECATED] First remote host in the rule. Full list in remote_hosts false
    remoteHosts List of remote hosts false
        type Type of the host false enum
        values Value of the host false string []
    remotePort Remote ports false
    ruleCategory Network quarantine rule or standard firewall rule false enum
    scope Scope of the rule false enum
    scopeId The group or site id depending on the scope. null if it is global. false string
    status Defines if rule is Enabled or Disabled false enum
    tag [DEPRECATED] Free text to describe the rule. Please use description instead. false string
    tagIds Tag ids false string []
    tagNames Tag names false string []
    tags Tags false
        id false string
        name false string
    updatedAt Date of last update false string
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    action Defines if agent shall Block or Allow use of firewalls which matches the rule parameters. false enum
    application Application for the rule false
        type Type of the application false enum
        values Value of the application false string []
    description Description false string
    direction Defines the Direction of the Firewall rule. false enum
    localHost Local host structure with a type and a set of values false
        type Type of the host false enum
        values Value of the host false string []
    localPort Local ports structure with a type and a set of values false
        type Type of the ports false enum
        values A list of port numbers false integer []
    location Location structure with a type and a set of values false
        type Location type true enum
        values Location IDs (applicable for the "specific" location type only) false
            id Location ID true string
            name Location name false string
            scope Location scope false enum
    name The name of the firewall rule. false string
    osType [DEPRECATED] Please use os_types since multiple os types are supported. This field will return the first os_type, not necessarily the only one. false enum
    osTypes Os types false string []
    protocol The protocol false string
    remoteHost [DEPRECATED] Please use remote_hosts. Remote host structure with a type and a set of values. false
        type Type of the host false enum
        values Value of the host false string []
    remoteHosts List of remote hosts, each structured with a type and a set of values false
        type Type of the host false enum
        values Value of the host false string []
    remotePort Remote ports structure with a type and a set of values false
        type Type of the ports false enum
        values A list of port numbers false integer []
    status Defines if rule is Enabled or Disabled false enum
    tag [DEPRECATED] Free text to describe the rule. Please use description instead. false string
    tagIds Tag ids false string []

Forensics

Application Forensics
GET /web/api/v2.1/applications/{application_id}/forensics

DEPRECATED

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Not found

Response Schema
Name Description Required Value
data Response data false
    result Result false
        agent Agent false string
        application_created Application created false string
        application_id Application id false string
        fetch_story_status Fetch story status false string
        file File false
            content_hash Content hash false string
            created_date Created date false string
            display_name Display name false string
            is_system Is system false boolean
            object_id Object id false string
            path Path false string
            permission Permission false string
            size Size false integer
        malicious_process_arguments Malicious process arguments false string
        process Process false
            bundle_id Bundle id false string
            created_date Created date false string
            display_name Display name false string
            executable_file_id Executable file id false string
            is_primary Is primary false boolean
            is_root Is root false boolean
            object_id Object id false string
            pid Pid false integer
            username Username false string
        process_created_at Process created at false string
        process_display_name Process display name false string
        seen_on_network Seen on network false integer
    success Success false boolean
errors Errors false array

Application Forensics - Detailed
GET /web/api/v2.1/applications/{application_id}/forensics/details

[DEPRECATED] Returns an empty array

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Not found

Response Schema
Name Description Required Value
data Response data false
    result Result false
        agent Agent false string
        application_created Application created false string
        application_duration Application duration false string
        application_id Application id false string
        category_scores Category scores false
        fetch_story_error_at Fetch story error at false string
        fetch_story_sent_at Fetch story sent at false string
        fetch_story_status Fetch story status false string
        file File false
            content_hash Content hash false string
            created_date Created date false string
            display_name Display name false string
            is_system Is system false boolean
            object_id Object id false string
            path Path false string
            permission Permission false string
            size Size false integer
        graph Graph false
        last_event_seen_at Last event seen at false string
        process Process false
            bundle_id Bundle id false string
            created_date Created date false string
            display_name Display name false string
            executable_file_id Executable file id false string
            is_primary Is primary false boolean
            is_root Is root false boolean
            object_id Object id false string
            pid Pid false integer
            username Username false string
        process_created_at Process created at false string
        process_display_name Process display name false string
        raw_data Raw data false
        seen_on_network Seen on network false integer
        summary Summary false
        summary_overview Summary overview false
            file File false
                create Cr
                delete De
                write W
            network Network false
                connections Co
                dns Dn
            registry Registry false
                persistence Pe
                security Se
                stealth Ste
    success Success false boolean
errors Errors false array

Application Connections
GET /web/api/v2.1/applications/{application_id}/forensics/connections

[DEPRECATED] Returns an empty array

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
country_code optional Country code
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Not found

Response Schema
Name Description Required Value
data Response data false
    data Data false
        false object
errors Errors false array

Export Application
GET /web/api/v2.1/applications/{application_id}/forensics/export/{export_format}

[DEPRECATED] Returns an empty array

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Not found

Gateways

Get Gateways
GET /web/api/v2.1/ranger/gateways

Get the gateways in your deployment that match the filter from a Ranger scan.
Ranger requires a Ranger license.

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
agentpercentage__between optional Percentage of agents of the account in this network calculated as numberOfAgents/totalAgents * 100. Example: "70-80".
agentpercentage__gt optional Agent percentage (more than)
agentpercentage__gte optional Agent percentage (more than or equal)
agentpercentage__lt optional Agent percentage (less than)
agentpercentage__lte optional Agent percentage (less than or equal)
allowscan optional Do we allow scanning in this network
archived optional Archived network
connectedrangers__between optional The total of non decommissioned agents in the account. Example: "2-8".
connectedrangers__gt optional Total agents (more than)
connectedrangers__gte optional Total agents (more than or equal)
connectedrangers__lt optional Total agents (less than)
connectedrangers__lte optional Total agents (less than or equal)
countonly optional If true, only total number of items will be returned, without any of the actual objects.
createdat__between optional Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
createdat__gt optional Gateway created after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__gte optional Gateway created after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lt optional Gateway created before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lte optional Gateway created before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
externalip optional Search external ip using a CIDR expression or exact IP
externalip__contains optional Free-text filter by visible IP (supports multiple values). Example: "192.168.0.1/24,10.1".
icmpscan optional ICMP scan enabled
ids optional List of gateway ids. Example: "225494730938493804,225494730938493915".
ip optional Search ip using a CIDR expression or exact IP
ip__contains optional Free-text filter by IP Address (supports multiple values). Example: "192.168.0.1/24,10.1".
limit optional Limit number of returned items (1-1000). Example: "10".
macaddress optional The gateway mac address
macaddress__contains optional Free-text filter by mac address (supports multiple values). Example: "aa:ee:b1".
manufacturer optional The gateway manufacturer obtained from the mac address
manufacturer__contains optional Free-text filter by manufacturer (supports multiple values). Example: "Company".
mdnsscan optional MDNS scan enabled
networkname__contains optional Free-text filter by network name (supports multiple values). Example: "Network1".
new optional True if this network was first seen some days ago, 3 by default
numberofagents__between optional The number of non decommissioned agents in this network. Example: "2-8".
numberofagents__gt optional Agent count (more than)
numberofagents__gte optional Agent count (more than or equal)
numberofagents__lt optional Agent count (less than)
numberofagents__lte optional Agent count (less than or equal)
numberofrangers__between optional The number of non decommissioned agents in this network. Example: "2-8".
numberofrangers__gt optional Ranger count (more than)
numberofrangers__gte optional Ranger count (more than or equal)
numberofrangers__lt optional Ranger count (less than)
numberofrangers__lte optional Ranger count (less than or equal)
query optional Free text query
rdnsscan optional RDNS scan enabled
scanonlylocalsubnets optional Allow remote tasks from this network
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
smbscan optional SMB scan enabled
snmpscan optional SNMP scan enabled
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
tcpports__contains optional Free-text filter by tcp port (supports multiple values). Example: "80,24".
totalagents__between optional The total of non decommissioned agents in the account. Example: "2-8".
totalagents__gt optional Total agents (more than)
totalagents__gte optional Total agents (more than or equal)
totalagents__lt optional Total agents (less than)
totalagents__lte optional Total agents (less than or equal)
udpports__contains optional Free-text filter by udp port (supports multiple values). Example: "137,2002".
updatedat__between optional Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
updatedat__gt optional Gateway updated after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
updatedat__gte optional Gateway updated after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
updatedat__lt optional Gateway updated before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
updatedat__lte optional Gateway updated before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
pagination Pagination information true
    totalItems Total number of items found matching your query true integer
    nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
    accountId The Account Id false integer
    accountName Account name false string
    agentPercentage Percentage of agents of the account in this network calculated as numberOfAgents/totalAgents * 100 false number
    allowScan Do we allow scanning in this network false boolean
    archived Archived network false boolean
    connectedRangers The number of active rangers false integer
    createdAt Created at false string
    discoveryMethod Discovery method false enum
    expiryDate Date when this network will expire, null if it won't expire false string
    externalIp The gateway external Ip false string
    icmpScan ICMP scan enabled false boolean
    id The gateway id false string
    inheritSettings True if inherited values are taken from account settings false boolean
    ip The gateway local ip false string
    macAddress The gateway mac address false string
    manufacturer The gateway manufacturer obtained from the mac address false string
    mdnsScan MDNS scan enabled false boolean
    multiScanSsdp Multicast SSDP scan enabled false boolean
    networkName The network name false string
    new True if this network was first seen some days ago, 3 by default false boolean
    numberOfAgents The number of non decommissioned agents in this network false integer
    numberOfRangers The number of rangers in this network false integer
    rdnsScan RDNS scan enabled false boolean
    restrictions A set of IP addresses that should not be scanned in the specific network false
        annotation An optional note with the reason for the restriction false string
        type false enum
        values It will be one IP or one CIDR or two values for a Range false string []
    scanOnlyLocalSubnets Allow remote tasks from this network false boolean
    siteId The Site Id false integer
    smbScan SMB scan enabled false boolean
    snmpScan SNMP scan enabled false boolean
    tcpPorts Allowed TCP ports false integer []
    tcpPortScan TCP Port scan enabled false boolean
    totalAgents The total of non decommissioned agents in the account false integer
    udpPorts Allowed UDP ports false integer []
    udpPortScan UDP Port scan enabled false boolean
errors Errors false array

Update Gateways
POST /web/api/v2.1/ranger/gateways/update

Change the status of filtered gateways discovered by Ranger. You can set the archived status, whether the network behind the gateway may be scanned by Ranger, and whether Ranger will scan only local networks.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
data Response data false
    affected Number of entities affected by the requested operation false integer
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    allowScan Do we allow scanning in this network false boolean
    archived True if we should archive the network, valid for networks that are not allowed to scan only false boolean
    inheritSettings True if inherited values are taken from account settings false boolean
    scanOnlyLocalSubnets Allow remote tasks from this network false boolean
filter Filter true
    accountIds List of Account IDs to filter by false string []
    agentPercentage__between Percentage of agents of the account in this network calculated as numberOfAgents/totalAgents * 100 false string
    agentPercentage__gt Agent percentage (more than) false number
    agentPercentage__gte Agent percentage (more than or equal) false number
    agentPercentage__lt Agent percentage (less than) false number
    agentPercentage__lte Agent percentage (less than or equal) false number
    allowScan Do we allow scanning in this network false string
    archived Archived network false boolean
    connectedRangers__between The total of non decommissioned agents in the account false string
    connectedRangers__gt Total agents (more than) false integer
    connectedRangers__gte Total agents (more than or equal) false integer
    connectedRangers__lt Total agents (less than) false integer
    connectedRangers__lte Total agents (less than or equal) false integer
    createdAt__between Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    createdAt__gt Gateway created after this timestamp false string
    createdAt__gte Gateway created after or at this timestamp false string
    createdAt__lt Gateway created before this timestamp false string
    createdAt__lte Gateway created before or at this timestamp false string
    externalIp Search external ip using a CIDR expression or exact IP false string
    externalIp__contains Free-text filter by visible IP (supports multiple values) false string []
    icmpScan ICMP scan enabled false boolean
    ids List of gateway ids false string []
    ip Search ip using a CIDR expression or exact IP false string
    ip__contains Free-text filter by IP Address (supports multiple values) false string []
    macAddress The gateway mac address false string
    macAddress__contains Free-text filter by mac address (supports multiple values) false string []
    manufacturer The gateway manufacturer obtained from the mac address false string
    manufacturer__contains Free-text filter by manufacturer (supports multiple values) false string []
    mdnsScan MDNS scan enabled false boolean
    networkName__contains Free-text filter by network name (supports multiple values) false string []
    new True if this network was first seen some days ago, 3 by default false boolean
    numberOfAgents__between The number of non decommissioned agents in this network false string
    numberOfAgents__gt Agent count (more than) false integer
    numberOfAgents__gte Agent count (more than or equal) false integer
    numberOfAgents__lt Agent count (less than) false integer
    numberOfAgents__lte Agent count (less than or equal) false integer
    numberOfRangers__between The number of non decommissioned agents in this network false string
    numberOfRangers__gt Ranger count (more than) false integer
    numberOfRangers__gte Ranger count (more than or equal) false integer
    numberOfRangers__lt Ranger count (less than) false integer
    numberOfRangers__lte Ranger count (less than or equal) false integer
    query Free text query false string
    rdnsScan RDNS scan enabled false boolean
    scanOnlyLocalSubnets Allow remote tasks from this network false boolean
    siteIds List of Site IDs to filter by false string []
    smbScan SMB scan enabled false boolean
    snmpScan SNMP scan enabled false boolean
    tcpPorts__contains Free-text filter by tcp port (supports multiple values) false integer []
    totalAgents__between The total of non decommissioned agents in the account false string
    totalAgents__gt Total agents (more than) false integer
    totalAgents__gte Total agents (more than or equal) false integer
    totalAgents__lt Total agents (less than) false integer
    totalAgents__lte Total agents (less than or equal) false integer
    udpPorts__contains Free-text filter by udp port (supports multiple values) false integer []
    updatedAt__between Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    updatedAt__gt Gateway updated after this timestamp false string
    updatedAt__gte Gateway updated after or at this timestamp false string
    updatedAt__lt Gateway updated before this timestamp false string
    updatedAt__lte Gateway updated before or at this timestamp false string

Update Gateway
PUT /web/api/v2.1/ranger/gateways/{gateway_id}

Change the Ranger scan configuration for a gateway that Ranger discovered

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
| Name | Description | Required | Value |
|---|---|---|---|
| data | Response data | false | (nested fields below) |
| data.accountId | The Account Id | false | integer |
| data.accountName | Account name | false | string |
| data.agentPercentage | Percentage of agents of the account in this network calculated as numberOfAgents/totalAgents * 100 | false | number |
| data.allowScan | Do we allow scanning in this network | false | boolean |
| data.archived | Archived network | false | boolean |
| data.connectedRangers | The number of active rangers | false | integer |
| data.createdAt | Created at | false | string |
| data.discoveryMethod | Discovery method | false | enum |
| data.expiryDate | Date when this network will expire, null if it won't expire | false | string |
| data.externalIp | The gateway external Ip | false | string |
| data.icmpScan | ICMP scan enabled | false | boolean |
| data.id | The gateway id | false | string |
| data.inheritSettings | True if inherited values are taken from account settings | false | boolean |
| data.ip | The gateway local ip | false | string |
| data.macAddress | The gateway mac address | false | string |
| data.manufacturer | The gateway manufacturer obtained from the mac address | false | string |
| data.mdnsScan | MDNS scan enabled | false | boolean |
| data.multiScanSsdp | Multicast SSDP scan enabled | false | boolean |
| data.networkName | The network name | false | string |
| data.new | True if this network was first seen some days ago, 3 by default | false | boolean |
| data.numberOfAgents | The number of non decommissioned agents in this network | false | integer |
| data.numberOfRangers | The number of rangers in this network | false | integer |
| data.rdnsScan | RDNS scan enabled | false | boolean |
| data.restrictions | A set of IP addresses that should not be scanned in the specific network | false | (nested fields below) |
| data.restrictions.annotation | An optional note with the reason for the restriction | false | string |
| data.restrictions.type | | false | enum |
| data.restrictions.values | It will be one IP or one CIDR or two values for a Range | false | string [] |
| data.scanOnlyLocalSubnets | Allow remote tasks from this network | false | boolean |
| data.siteId | The Site Id | false | integer |
| data.smbScan | SMB scan enabled | false | boolean |
| data.snmpScan | SNMP scan enabled | false | boolean |
| data.tcpPorts | Allowed TCP ports | false | integer [] |
| data.tcpPortScan | TCP Port scan enabled | false | boolean |
| data.totalAgents | The total of non decommissioned agents in the account | false | integer |
| data.udpPorts | Allowed UDP ports | false | integer [] |
| data.udpPortScan | UDP Port scan enabled | false | boolean |
| errors | Errors | false | array |

Body Schema
| Name | Description | Required | Value |
|---|---|---|---|
| data | Data | true | (nested fields below) |
| data.accountId | The Account Id | false | integer |
| data.allowScan | Do we allow scanning in this network | false | boolean |
| data.archived | Archived network | false | boolean |
| data.icmpScan | ICMP scan enabled | false | boolean |
| data.inheritSettings | True if inherited values are taken from account settings | false | boolean |
| data.mdnsScan | MDNS scan enabled | false | boolean |
| data.multiCastSsdpScan | Multicast SSDP scan enabled | false | boolean |
| data.networkName | The network name | false | string |
| data.rdnsScan | RDNS scan enabled | false | boolean |
| data.restrictions | A set of IP addresses that should not be scanned in the specific network | false | (nested fields below) |
| data.restrictions.annotation | An optional note with the reason for the restriction | false | string |
| data.restrictions.type | | false | enum |
| data.restrictions.values | It will be one IP or one CIDR or two values for a Range | false | string [] |
| data.scanOnlyLocalSubnets | Can we scan remote networks from this gateway | false | boolean |
| data.siteId | The Site Id | false | integer |
| data.smbScan | SMB scan enabled | false | boolean |
| data.snmpScan | SNMP scan enabled | false | boolean |
| data.tcpPorts | Allowed TCP ports | false | integer [] |
| data.tcpPortScan | TCP Port scan enabled | false | boolean |
| data.udpPorts | Allowed UDP ports | false | integer [] |
| data.udpPortScan | UDP Port scan enabled | false | boolean |

Groups

Get Groups
GET /web/api/v2.1/groups

Get data of groups that match the filter. Best practice: use as narrow a filter as you can. The data can be quite long for many groups. The response returns the ID of each
group, which you can use in other commands.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
description optional The description for the Group
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
id optional Id. Example: "225494730938493804".
isdefault optional Is this the default group?
limit optional Limit number of returned items (1-300). Example: "10".
name optional Name
query optional Free text search on fields name, description
rank optional The rank sets the priority of a dynamic group over others. Example:
"1".
registrationtoken optional Registration token. Example:
"eyJ1cmwiOiAiaHR0cHM6Ly9jb25zb2xlLnNlbnRpbmVsb25lLm5ldCIsICJzaXRlX2tleSI6ICIwNzhkYjliMWUyOTA1Y2NhIn0=".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
type optional Group type. Example: "static".
types optional A list of Group types. Example: "static".
updatedat__gt optional Updated at greater than. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__gte optional Updated at greater or equal than. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__lt optional Updated at lesser than. Example: "2018-02-27T04:49:26.257525Z".
updatedat__lte optional Updated at lesser or equal than. Example:
"2018-02-27T04:49:26.257525Z".

Response Messages
200 - Data retrieved successfully

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
| Name | Description | Required | Value |
|---|---|---|---|
| pagination | Pagination information | true | (nested fields below) |
| pagination.totalItems | Total number of items found matching your query | true | integer |
| pagination.nextCursor | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) | false | string |
| data | Response data | false | (nested fields below) |
| data.createdAt | Timestamp of group creation | false | string |
| data.creator | The user that created the group | false | string |
| data.creatorId | The ID of the user that created the group | false | string |
| data.description | The user-defined description for the Group | false | string |
| data.filterId | If the group is dynamic id of the filter which is used to associate agents | false | string |
| data.filterName | If the group is dynamic the name of the filter which is used to associate agents | false | string |
| data.id | Id | false | string |
| data.inherits | True if the policy is inherited from Site, False if the group has its own edited policy | false | boolean |
| data.isDefault | True only for the default group of the Site | false | boolean |
| data.name | Name | false | string |
| data.rank | The rank sets the priority of a dynamic group over others | false | integer |
| data.registrationToken | [DEPRECATED] token generation in dedicated endpoint - /groups/<group_id>/token | false | |
| data.siteId | The id of the site this group is part of | false | string |
| data.totalAgents | Count of agents in the group | false | integer |
| data.type | Group type | false | enum |
| data.updatedAt | Timestamp of last update | false | string |
| errors | Errors | false | array |
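
The cursor loop that the "cursor" parameter and the nextCursor field describe, as an added example that is not code from the SentinelOne documentation. The `transport` callable (which stands in for the authenticated GET), the function names and the sample pages are assumptions made for the example; the filter key "siteIds" is written as in "filters?siteIds=" on this page.

```python
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

GROUPS_PATH = "/web/api/v2.1/groups"  # endpoint path from this page
MAX_LIMIT = 300                        # "limit" is documented as 1-300

# Hypothetical transport: receives "path?query", performs the authenticated
# GET against the console and returns the parsed JSON body.
Transport = Callable[[str], dict]


def iter_groups(transport: Transport,
                filters: Optional[Dict[str, str]] = None,
                limit: int = MAX_LIMIT,
                max_pages: int = 1000) -> Iterator[dict]:
    """Yield every group matching `filters`, following pagination.nextCursor."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be within 1-{MAX_LIMIT}")
    params = dict(filters or {})
    params["limit"] = str(limit)
    seen_cursors = set()
    for _ in range(max_pages):
        page = transport(f"{GROUPS_PATH}?{urlencode(params)}")
        if page.get("errors"):
            raise RuntimeError(f"API returned errors: {page['errors']}")
        yield from page.get("data") or []
        cursor = (page.get("pagination") or {}).get("nextCursor")
        # The schema says nextCursor is "null" on the last page; accept JSON
        # null as well as the literal string.
        if cursor in (None, "", "null"):
            return
        # A repeated cursor would loop forever; stop instead.
        if cursor in seen_cursors:
            raise RuntimeError("server repeated a cursor")
        seen_cursors.add(cursor)
        params["cursor"] = cursor
    raise RuntimeError("max_pages reached before the last page")


def collect_group_ids(transport: Transport,
                      filters: Optional[Dict[str, str]] = None,
                      limit: int = MAX_LIMIT) -> List[str]:
    """Return the ID of each matching group, for use in other commands."""
    return [group["id"] for group in iter_groups(transport, filters, limit)]


def make_fake_transport(pages: Dict[Optional[str], dict]) -> Transport:
    """Constructed stand-in for the console. `pages` maps the cursor sent in
    the request (None for the first request) to a response body."""
    calls = []

    def transport(url: str) -> dict:
        query = parse_qs(urlsplit(url).query)
        calls.append(query)
        return pages[query.get("cursor", [None])[0]]

    transport.calls = calls  # recorded queries, for inspection
    return transport


# Constructed sample responses shaped like the Response Schema above.
SAMPLE_PAGES = {
    None: {
        "pagination": {"totalItems": 3, "nextCursor": "Y3Vyc29yLTE="},
        "data": [{"id": "1001", "name": "Servers", "type": "static"},
                 {"id": "1002", "name": "Laptops", "type": "static"}],
    },
    "Y3Vyc29yLTE=": {
        "pagination": {"totalItems": 3, "nextCursor": None},
        "data": [{"id": "1003", "name": "Kiosks", "type": "static"}],
    },
}

if __name__ == "__main__":
    fake = make_fake_transport(SAMPLE_PAGES)
    narrow = {"siteIds": "225494730938493804", "type": "static"}
    print(collect_group_ids(fake, narrow, limit=2))
```
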

Create Group
POST /web/api/v2.1/groups

Create a new group. You must create the Group in a Site (run "sites" to get the Site ID) for which you have permissions. If you create a dynamic Group, you must have the
ID of a filter saved in the Site (run "filters?siteIds=<id from sites>").

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
| Name | Description | Required | Value |
|---|---|---|---|
| data | Response data | false | (nested fields below) |
| data.createdAt | Timestamp of group creation | false | string |
| data.creator | The user that created the group | false | string |
| data.creatorId | The ID of the user that created the group | false | string |
| data.description | The user-defined description for the Group | false | string |
| data.filterId | If the group is dynamic id of the filter which is used to associate agents | false | string |
| data.id | Id | false | string |
| data.isDefault | True only for the default group of the Site | false | boolean |
| data.name | Name | false | string |
| data.rank | The rank sets the priority of a dynamic group over others | false | integer |
| data.registrationToken | [DEPRECATED] token generation in dedicated endpoint - /groups/<group_id>/token | false | |
| data.siteId | The id of the site this group is part of | false | string |
| data.type | Group type | false | enum |
| data.updatedAt | Timestamp of last update | false | string |
| errors | Errors | false | array |

Body Schema
| Name | Description | Required | Value |
|---|---|---|---|
| data | Data | true | (nested fields below) |
| data.inherits | True to inherit from site policy. | true | boolean |
| data.name | Name | true | string |
| data.siteId | The site this group should be part of | true | string |
| data.description | The user-defined description for the Group | false | string |
| data.filterId | If supplied this group will be dynamic using the filter to associate agents. | false | string |
| data.isDefault | Obsolete for POST, always false | false | boolean |
| data.policy | The group policy, it is required only if inherits is False, ignored else. | false | (nested fields below) |
| data.policy.agentLoggingOn | True if logging is enabled in the agent | false | boolean |
| data.policy.agentNotification | [DEPRECATED] Show end point notification on suspicious. Replaced by 'show_suspicious' in the agent UI section | false | boolean |
| data.policy.agentUi | Agent ui | false | (nested fields below) |
| data.policy.agentUi.agentUiOn | Agent ui on | false | boolean |
| data.policy.agentUi.contactCompany | Contact company | false | string |
| data.policy.agentUi.contactDirectMessage | Contact direct message | false | string |
| data.policy.agentUi.contactEmail | Contact email | false | string |
| data.policy.agentUi.contactFreeText | Contact free text | false | string |
| data.policy.agentUi.contactOther | Contact other | false | string |
| data.policy.agentUi.contactPhoneNumber | Contact phone number | false | string |
| data.policy.agentUi.contactSupportWebsite | Contact support website | false | string |
| data.policy.agentUi.devicePopUpNotifications | Device pop up notifications | false | boolean |
| data.policy.agentUi.maxEventAgeDays | Max event age days | false | integer |
| data.policy.agentUi.showAgentWarnings | Show agent warnings | false | boolean |
| data.policy.agentUi.showDeviceTab | Show device tab | false | boolean |
| data.policy.agentUi.showQuarantineTab | Show quarantine tab | false | boolean |
| data.policy.agentUi.showSupport | Show support | false | boolean |
| data.policy.agentUi.showSuspicious | Show suspicious | false | boolean |
| data.policy.agentUi.threatPopUpNotifications | Threat pop up notifications | false | boolean |
| data.policy.agentUiOn | [DEPRECATED] Show/hide Agent UI. Moved inside the agent UI section | false | boolean |
| data.policy.allowRemoteShell | True if Remote Shell is enabled for the scope | false | boolean |
| data.policy.antiTamperingOn | Anti tampering on/off | false | boolean |
| data.policy.autoDecommissionDays | Automatic decommission period in days | false | integer |
| data.policy.autoDecommissionOn | Auto decommission on | false | boolean |
| data.policy.autoFileUpload | Automatic file upload configuration | false | (nested fields below) |
| data.policy.autoFileUpload.enabled | Automatic file upload on/off | false | boolean |
| data.policy.autoFileUpload.includeBenignFiles | Upload benign files | false | boolean |
| data.policy.autoFileUpload.maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer |
| data.policy.autoFileUpload.maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer |
| data.policy.autoFileUpload.maxFileSize | Maximum file size (MB) to upload | false | integer |
| data.policy.autoFileUpload.maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer |
| data.policy.autoFileUpload.maxLocalDiskUsage | Maximum local disk usage (MB) for uploaded files | false | integer |
| data.policy.autoFileUpload.maxLocalDiskUsageLimit | Limit for the maximum local disk usage (MB) for uploaded files | false | integer |
| data.policy.autoImmuneOn | Automatic immune on/off - this value must be true since all policies are immune by default | false | boolean |
| data.policy.autoMitigationAction | Default action for auto mitigation | false | string |
| data.policy.cloudValidationOn | Cloud validation on | false | |
| data.policy.createdAt | Timestamp of policy creation | false | string |
| data.policy.driverBlocking | Suspicious driver blocking engine on/off | false | boolean |
| data.policy.dvAttributesPerEventType | The DV attributes | false | (nested fields below) |
| data.policy.dvAttributesPerEventType.autoInstallBrowserExtensions | Auto install browser extensions | false | nested fields: autoInstallBrowserExtensions |
| data.policy.dvAttributesPerEventType.behavioralIndicators | Behavioral indicators event | false | nested fields: dvEventTypeBehavioralIndicators |
| data.policy.dvAttributesPerEventType.commandScripts | Command scripts event | false | nested fields: dvEventTypeCommandScripts |
| data.policy.dvAttributesPerEventType.crossProcess | Cross process event | false | nested fields: dvEventTypeCrossProcessDuplicateProcess, dvEventTypeCrossProcessDuplicateThread, dvEventTypeCrossProcessOpenProcess, dvEventTypeCrossProcessRemoteThread |
| data.policy.dvAttributesPerEventType.dataMasking | Data masking | false | nested fields: dataMasking |
| data.policy.dvAttributesPerEventType.dllModuleLoad | DLL module load event | false | nested fields: dvEventTypeDllModuleLoad |
| data.policy.dvAttributesPerEventType.dns | Network event - DNS | false | nested fields: dvEventTypeDns |
| data.policy.dvAttributesPerEventType.driver | Driver | false | nested fields: dvEventTypeDriverLoad |
| data.policy.dvAttributesPerEventType.file | File event | false | nested fields: dvEventTypeFileCreation, dvEventTypeFileDeletion, dvEventTypeFileModification, dvEventTypeFileRename, fullDiskScan |
| data.policy.dvAttributesPerEventType.ip | Network event - IP | false | nested fields: dvEventTypeIpConnect, dvEventTypeIpListen |
| data.policy.dvAttributesPerEventType.login | User login/logout event | false | nested fields: dvEventTypeLoginLoggedIn, dvEventTypeLoginLoggedOut |
| data.policy.dvAttributesPerEventType.namedPipe | Named Pipe | false | nested fields: dvEventTypeNamedPipeConnection, dvEventTypeNamedPipeCreation |
| data.policy.dvAttributesPerEventType.namedPipeExtended | Named Pipe Extended | false | nested fields: namedPipeExtended |
| data.policy.dvAttributesPerEventType.process | Process event | false | nested fields: dvEventTypeProcessCreation, dvEventTypeProcessExit, dvEventTypeProcessModification |
| data.policy.dvAttributesPerEventType.registry | Registry event | false | nested fields: dvEventTypeRegistryKeyCreated, dvEventTypeRegistryKeyDelete, dvEventTypeRegistryKeyExport, dvEventTypeRegistryKeyImport, dvEventTypeRegistryKeyRename, dvEventTypeRegistryKeySecurityChanged, dvEventTypeRegistryValueCreated, dvEventTypeRegistryValueDeleted, dvEventTypeRegistryValueModified |
| data.policy.dvAttributesPerEventType.scheduledTask | Scheduled task event | false | nested fields: dvEventTypeScheduledTaskDelete, dvEventTypeScheduledTaskRegister, dvEventTypeScheduledTaskStart, dvEventTypeScheduledTaskTrigger, dvEventTypeScheduledTaskUpdate |
| data.policy.dvAttributesPerEventType.smartFileMonitoring | Smart file monitoring | false | nested fields: smartFileMonitoring |
| data.policy.dvAttributesPerEventType.url | URL Actions event | false | nested fields: dvEventTypeUrl |
| data.policy.dvAttributesPerEventType.windowsEventLogs | Windows Event Log | false | nested fields: dvEventTypeWindowsEventLogCreation |
| data.policy.dvAttributesPerEventType.windowsEventLogsExtended | Windows Event Log Extended | false | nested fields: windowsEventLogsExtended |
| data.policy.engines | The engines statuses | false | (nested fields below) |
| data.policy.engines.applicationControl | application control | false | enum |
| data.policy.engines.dataFiles | data files | false | enum |
| data.policy.engines.executables | executables | false | enum |
| data.policy.engines.exploits | exploits | false | enum |
| data.policy.engines.lateralMovement | lateral movement | false | enum |
| data.policy.engines.penetration | penetration | false | enum |
| data.policy.engines.preExecution | on-write | false | enum |
| data.policy.engines.preExecutionSuspicious | pre execution suspicious | false | enum |
| data.policy.engines.pup | potentially unwanted applications (PUP) | false | enum |
| data.policy.engines.remoteShell | remote shell | false | enum |
| data.policy.engines.reputation | reputation | false | enum |
| data.policy.forensicsAutoTriggering | Forensics auto triggering configuration | false | (nested fields below) |
| data.policy.forensicsAutoTriggering.linuxEnabled | True if linux forensics is enabled | false | boolean |
| data.policy.forensicsAutoTriggering.linuxProfileId | The profile id for the linux forensics | false | string |
| data.policy.forensicsAutoTriggering.linuxProfileName | The profile name for the linux forensics | false | string |
| data.policy.forensicsAutoTriggering.macosEnabled | True if macos forensics is enabled | false | boolean |
| data.policy.forensicsAutoTriggering.macosProfileId | The profile id for the macos forensics | false | string |
| data.policy.forensicsAutoTriggering.macosProfileName | The profile name for the macos forensics | false | string |
| data.policy.forensicsAutoTriggering.windowsEnabled | True if windows forensics is enabled | false | boolean |
| data.policy.forensicsAutoTriggering.windowsProfileId | The profile id for the windows forensics | false | string |
| data.policy.forensicsAutoTriggering.windowsProfileName | The profile name for the windows forensics | false | string |
| data.policy.identityEndpointReporting | Endpoint reporting level | false | enum |
| data.policy.identityOn | Identity module on/off | false | boolean |
| data.policy.identityReportInterval | Identity telemetry report interval in minutes | false | integer |
| data.policy.identityThrottlingInterval | Identity duplicate command consolidation interval in minutes | false | integer |
| data.policy.identityUpdateInterval | Identity update interval in minutes | false | integer |
| data.policy.inheritedFrom | Indicates the parent scope from which this policy is inherited, or 'null' if it is not inherited (modified specifically for the current scope). | false | enum |
| data.policy.ioc | True if ioc is enabled | false | boolean |
| data.policy.iocAttributes | The Ioc attributes | false | (nested fields below) |
| data.policy.iocAttributes.autoInstallBrowserExtensions | Update auto install browser extensions | false | boolean |
| data.policy.iocAttributes.behavioralIndicators | Update behavioral indicators | false | boolean |
| data.policy.iocAttributes.commandScripts | Update command scripts | false | boolean |
| data.policy.iocAttributes.crossProcess | Update cross process | false | boolean |
| data.policy.iocAttributes.dataMasking | Update data masking | false | boolean |
| data.policy.iocAttributes.dllModuleLoad | Update DLL module load | false | boolean |
| data.policy.iocAttributes.dns | Network event - DNS | false | boolean |
| data.policy.iocAttributes.driver | Driver | false | boolean |
| data.policy.iocAttributes.fds | Full disk scan | false | boolean |
| data.policy.iocAttributes.file | File event | false | boolean |
| data.policy.iocAttributes.ip | Network event - IP | false | boolean |
| data.policy.iocAttributes.login | User login/logout event | false | boolean |
| data.policy.iocAttributes.namedPipe | Named Pipe | false | boolean |
| data.policy.iocAttributes.namedPipeExtended | Named Pipe Extended | false | boolean |
| data.policy.iocAttributes.process | Process creation event | false | boolean |
| data.policy.iocAttributes.registry | Registry event | false | boolean |
| data.policy.iocAttributes.scheduledTask | Scheduled task event | false | boolean |
| data.policy.iocAttributes.smartFileMonitoring | Smart file monitoring | false | boolean |
| data.policy.iocAttributes.url | Ioc URI | false | boolean |
| data.policy.iocAttributes.windowsEventLogs | Windows Event Log | false | boolean |
| data.policy.iocAttributes.windowsEventLogsExtended | Windows Event Log Extended | false | boolean |
| data.policy.iocSupported | Ioc supported for the scope | false | boolean |
| data.policy.isDefault | True if this is the tenant policy | false | boolean |
| data.policy.isDvPolicyPerEventType | FE indication as to how to display DV policy | false | boolean |
| data.policy.mitigationMode | Mitigation modes | false | enum |
| data.policy.mitigationModeSuspicious | Mitigation mode | false | enum |
| data.policy.monitorOnExecute | Monitor on execute on/off | false | boolean |
| data.policy.monitorOnWrite | Monitor on write | false | boolean |
| data.policy.networkQuarantineOn | Network quarantine on | false | boolean |
| data.policy.remoteOpsForensics | Remote ops forensics configuration | false | (nested fields below) |
| data.policy.remoteOpsForensics.cpuLimit | CPU resources limit for collection process | false | integer |
| data.policy.remoteOpsForensics.enabled | Enabled | false | boolean |
| data.policy.remoteOpsForensics.maximumDailyUpload | Maximum size to upload daily | false | integer |
| data.policy.remoteOpsForensics.maximumDailyUploadLimit | Limit for the maximum size to upload daily | false | integer |
| data.policy.remoteOpsForensics.maximumFileSizeUpload | Maximum size for single file | false | integer |
| data.policy.remoteOpsForensics.maximumFileSizeUploadLimit | Limit for the maximum file size to upload | false | integer |
| data.policy.remoteOpsForensics.parsedArtifactsDestination | Default destination of parsed artifacts | false | enum |
| data.policy.remoteScriptOrchestration | Remote script orchestration upload limits configuration | false | (nested fields below) |
| data.policy.remoteScriptOrchestration.alwaysUploadStreamToCloud | Always upload streams to cloud | false | boolean |
| data.policy.remoteScriptOrchestration.maxDailyFileDownload | Maximum size (MB) to download daily | false | integer |
| data.policy.remoteScriptOrchestration.maxDailyFileDownloadLimit | Limit for the maximum size (MB) to download daily | false | integer |
| data.policy.remoteScriptOrchestration.maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer |
| data.policy.remoteScriptOrchestration.maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer |
| data.policy.remoteScriptOrchestration.maxFileSize | Maximum size in bytes for single file | false | integer |
| data.policy.remoteScriptOrchestration.maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer |
| data.policy.remoteScriptOrchestration.maxLocalPackageDiskUsage | Maximum local disk usage (MB) for packages | false | integer |
| data.policy.remoteScriptOrchestration.maxLocalPackageDiskUsageLimit | Limit for the maximum local disk usage (MB) for packages | false | integer |
| data.policy.removeMacros | Determines if macros should be removed from macro threats | false | boolean |
| data.policy.researchOn | Share data with SentinelOne | false | boolean |
| data.policy.scanNewAgents | If True initiate full disk scan upon first registration | false | boolean |
| data.policy.signedDriverBlockingOn | Suspicious signed driver blocking on/off | false | boolean |
| data.policy.snapshotsOn | True if snapshots are enabled | false | boolean |
| data.policy.unsignedDriverBlockingOn | Suspicious unsigned driver blocking on/off | false | boolean |
| data.policy.updatedAt | Time of the last update to the policy | false | string |
| data.policy.userFullName | The user that created the policy | false | string |
| data.policy.userId | The user id | false | string |
| data.rank | Obsolete for post - The rank of the group | false | integer |
| data.source | Obsolete - Always MGMT | false | string |
| data.type | Type of Group: Static, Dynamic, or Pinned | false | enum |
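
A pre-flight check for the Create Group body described above, as an added example that is not code from the SentinelOne documentation. It enforces the required fields and the "policy is required only if inherits is False" rule, then reports policy switches that differ from a hardened baseline; the function names and the choice of baseline values are assumptions made for the example.

```python
from typing import Any, Dict, List, Optional

# Policy booleans taken from the Body Schema, paired with the value this
# example treats as hardened. The choice of values is the example's own
# assumption, except autoImmuneOn, which the schema says must be true.
HARDENED_POLICY = {
    "antiTamperingOn": True,
    "snapshotsOn": True,
    "allowRemoteShell": False,
    "autoImmuneOn": True,
}


def build_create_group_body(name: str, site_id: str, inherits: bool,
                            policy: Optional[Dict[str, Any]] = None,
                            filter_id: Optional[str] = None,
                            description: Optional[str] = None) -> Dict[str, Any]:
    """Build the JSON body for POST /web/api/v2.1/groups."""
    if not name or not site_id:
        raise ValueError("name and siteId are required")
    if not isinstance(inherits, bool):
        raise TypeError("inherits is required and must be a boolean")
    if not inherits and policy is None:
        raise ValueError("policy is required when inherits is False")

    data: Dict[str, Any] = {"name": name, "siteId": str(site_id),
                            "inherits": inherits}
    if description is not None:
        data["description"] = description
    if filter_id is not None:
        # Supplying filterId makes the group dynamic.
        data["filterId"] = str(filter_id)
    if not inherits:
        # The schema says policy is ignored when inherits is true, so it is
        # only sent when the group carries its own policy.
        data["policy"] = dict(policy)
    return {"data": data}


def policy_findings(body: Dict[str, Any]) -> List[str]:
    """List policy fields in `body` that differ from HARDENED_POLICY."""
    data = body["data"]
    if data["inherits"]:
        return []  # the Site policy applies; nothing group-specific to review
    policy = data.get("policy", {})
    findings = []
    for field, hardened in HARDENED_POLICY.items():
        if field in policy and policy[field] is not hardened:
            findings.append(f"{field}={policy[field]!r} (expected {hardened!r})")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed request: a dynamic group with its own, weakened policy.
    body = build_create_group_body(
        "Lab machines", "225494730938493804", inherits=False,
        filter_id="225494730938493915",
        policy={"antiTamperingOn": False, "allowRemoteShell": True,
                "snapshotsOn": True},
    )
    for finding in policy_findings(body):
        print("review before sending:", finding)
```
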

Regenerate Group Token
PUT /web/api/v2.1/groups/{group_id}/regenerate-key

Get a new Group Token for a static Group. This command requires the Group ID ("groups") and you must have permissions for the Group. If you run this command on a
dynamic Group, it ends in an error. If you use the API in scripts to add new endpoints with a Group Token rather than a Site Token, be aware that you must update the
token value in your scripts.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

403 - No permission for regenerating a key.

404 - Group not found

Response Schema
| Name | Description | Required | Value |
|---|---|---|---|
| data | Response data | false | (nested fields below) |
| data.registrationToken | Registration token | false | string |
| errors | Errors | false | array |

Delete Group
DELETE /web/api/v2.1/groups/{group_id}

Delete a Group given by the required Group ID (run "groups"). If there are Agents in the Group, and the Group is dynamic, the next dynamic Groups will collect matching
Agents, and unmatched Agents will go to the Default Group. If this is a static Group with Agents, all the Agents will go to the Default Group. (Agents always go to
matching dynamic Groups. If a static Group holds Agents, there are no matching dynamic Groups.)

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

404 - Group not found.

Response Schema
| Name | Description | Required | Value |
|---|---|---|---|
| data | Response data | false | (nested fields below) |
| data.success | Indicates a successful operation | false | boolean |
| errors | Errors | false | array |

Update Group
PUT /web/api/v2.1/groups/{group_id}

Change properties of a Group specified by its ID (run "groups"). The body of the request holds all the properties of a Group. You must have access permissions on the Site.
Note: iocAttributes refers to Deep Visibility. If you do not have a Complete SKU, you can remove this set.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions.

404 - Group not found.

Response Schema
| Name | Description | Required | Value |
|---|---|---|---|
| data | Response data | false | (nested fields below) |
| data.createdAt | Timestamp of group creation | false | string |
| data.creator | The user that created the group | false | string |
| data.creatorId | The ID of the user that created the group | false | string |
| data.description | The user-defined description for the Group | false | string |
| data.filterId | If the group is dynamic id of the filter which is used to associate agents | false | string |
| data.id | Id | false | string |
| data.isDefault | True only for the default group of the Site | false | boolean |
| data.name | Name | false | string |
| data.rank | The rank sets the priority of a dynamic group over others | false | integer |
| data.registrationToken | [DEPRECATED] token generation in dedicated endpoint - /groups/<group_id>/token | false | |
| data.siteId | The id of the site this group is part of | false | string |
| data.type | Group type | false | enum |
| data.updatedAt | Timestamp of last update | false | string |
| errors | Errors | false | array |

Body Schema
Name Description Required Value
data Data false Name Description Required Value
description The user- false string
defined
description
for the Group
filterId If supplied false string
this group
will be
dynamic
using the
filter to
associate
agents.
id Id false string
inherits True to false boolean
inherit from
Site Policy.
isDefault Obsolete for false boolean
POST, always
false
name Name false string
policy The group false Name Description Required Value
policy, it is
required only agentLoggin True if false boolean
if inherits is gOn logging is
False, ignored enabled in
else. the agent
agentNotifica [DEPRECATE false boolean
tion D] Show end
point
notification
on
suspicious.Re
placed by
'show_suspici
ous' in the
agent UI
section

1442
agentUi Agent ui false Name Description Required Value
agentUiOn Agent ui on false boolean
contactComp Contact false string
any company
contactDirec Contact false string
tMessage direct
message
contactEmail Contact email false string
contactFreeTe Contact free false string
xt text
contactOther Contact other false string
contactPhon Contact false string
eNumber phone
number
contactSuppo Contact false string
rtWebsite support
website
devicePopUpN Device pop false boolean
otifications up
notifications
maxEventAge Max event false integer
Days age days
showAgentWa Show agent false boolean
rnings warnings
showDeviceT Show device false boolean
ab tab
showQuarant Show false boolean
ineTab quarantine
tab
showSupport Show support false boolean
showSuspicio Show false boolean
us suspicious
threatPopUpNo Threat pop false boolean
tifications up
notifications

agentUiOn [DEPRECATE false boolean


D] Show/hide

1443
Agent UI.
Moved inside
the agent UI
section
allowRemoteS True if false boolean
hell Remote Shell
is enabled for
the scope
antiTamperin Anti false boolean
gOn tampering
on/off
autoDecommi Automatic false integer
ssionDays decommission
period in
days
autoDecommi Auto false boolean
ssionOn decommission
on
autoFileUplo Automatic false Name Description Required Value
ad file upload
configuration enabled Automatic false boolean
file upload
on/off
includeBenign Upload false boolean
Files benign files
maxDailyFile Maximum false integer
Upload size (MB) to
upload daily
maxDailyFile Limit for the false integer
UploadLimit maximum
size (MB) to
upload daily
maxFileSize Maximum file false integer
size (MB) to
upload
maxFileSizeLi Limit for the false integer
mit maximum file
size (MB) to
upload
maxLocalDis Maximum false integer

1444
kUsage local disk
usage (MB)
for uploaded
files
maxLocalDisk Limit for the false integer
UsageLimit maximum
local disk
usage (MB)
for uploaded
files

autoImmune Automatic false boolean


On immune on/
off - this
value must be
true since all
policies are
immune by
default
autoMitigatio Default false string
nAction action for
auto
mitigation
cloudValidat Cloud false
ionOn validation on
createdAt Timestamp of false string
policy
creation
driverBlockin Suspicious false boolean
g driver
blocking
engine on/off
dvAttributes The DV false Name Description Required Value
PerEventType attributes
autoInstallBr Auto install false Name De
owserExtensi browser
ons extensions autoInstallBr Au
owserExtensi bro
ons ex

behavioralInd Behavioral false Name De


icators indicators
event dvEventTypeBe Be

1445
havioralIndica ind
tors ev

commandScri Command false Name De


pts scripts event
dvEventType Co
CommandScri scr
pts

crossProcess Cross process false Name De


event
dvEventTypeC Du
rossProcessDu Pro
plicateProces Ev
s
dvEventTypeC Du
rossProcessD Th
uplicateThrea Ty
d
dvEventTypeC Op
rossProcessO Ev
penProcess
dvEventTypeC Re
rossProcessR Th
emoteThread Ty

dataMasking Data masking false Name De


dataMasking Da

dllModuleLoa DLL module false Name De


d load event
dvEventType DL
DllModuleLo loa
ad

dns Network false Name De


event - DNS
dvEventType Ne
Dns ev

driver Driver false Name De


dvEventTypeD Dr
riverLoad

1446
file File event false Name De
dvEventTypeF Fil
ileCreation Ev
dvEventTypeF Fil
ileDeletion Ev
dvEventTypeFi Fil
leModificatio Mo
n Ev
dvEventTypeF Fil
ileRename Ev
fullDiskScan Fil
Ev

ip Network false Name De


event - IP
dvEventTypeI IP
pConnect Ev
dvEventTypeI IP
pListen Ev

login User login/ false Name De


logout event
dvEventTypeL Us
oginLoggedIn Ev
dvEventType Us
LoginLogged Ev
Out

namedPipe Named Pipe false Name De


dvEventType Na
NamedPipeCo Co
nnection Ev
dvEventType Na
NamedPipeCr Cr
eation Ev

namedPipeEx Named Pipe false Name De


tended Extended
namedPipeEx Na
tended Co
Ex

1447
Ev

process Process event false Name De


dvEventTypeP Pro
rocessCreatio Cr
n Ev
dvEventTypeP Pro
rocessExit Ev
dvEventTypeP Pro
rocessModific Te
ation Ev

registry Registry false Name De


event
dvEventTypeR Re
egistryKeyCr Cr
eated Ev
dvEventTypeR Re
egistryKeyDel De
ete Ty
dvEventTypeR Re
egistryKeyExp Ex
ort Ty
dvEventTypeR Re
egistryKeyIm Im
port Ty
dvEventType Re
RegistryKey Re
Rename Ev
dvEventTypeR Re
egistryKeySe Se
curityChange Ch
d Ev
dvEventTypeR Re
egistryValueC Va
reated Ev
dvEventTypeR Re
egistryValueD Va
eleted De
Ev

1448
dvEventTypeR Re
egistryValueM Va
odified Mo
Ev

scheduledTas Scheduled false Name De


k task event
dvEventTypeS Sc
cheduledTask Ta
Delete Ev
dvEventTypeS Sc
cheduledTask Ta
Register Ev
dvEventTypeS Sc
cheduledTask Ta
Start Ev
dvEventTypeS Sc
cheduledTaskT Ta
rigger Ev
dvEventTypeS Sc
cheduledTask Ta
Update Ev

smartFileMoni Smart file false Name De


toring monitoring
smartFileMoni Sm
toring mo

url URL Actions false Name De


event
dvEventTypeU UR
rl ev

windowsEven Windows false Name De


tLogs Event Log
dvEventType W
WindowsEven Ev
tLogCreation Cr
Ev

windowsEven Windows false Name De


tLogsExtende Event Log
d Extended windowsEven W
tLogsExtende Ev

1449
d Ex
Ev

engines The engines false Name Description Required Value


statuses
applicationCo application false enum
ntrol control
dataFiles data files false enum
executables executables false enum
exploits exploits false enum
lateralMovem lateral false enum
ent movement
penetration penetration false enum
preExecution on-write false enum
preExecution pre execution false enum
Suspicious suspicious
pup potentially false enum
unwanted
applications
(PUP)
remoteShell remote shell false enum
reputation reputation false enum

forensicsAutoTriggering Forensics auto triggering configuration false
    linuxEnabled True if linux forensics is enabled false boolean
    linuxProfileId The profile id for the linux forensics false string
    linuxProfileName The profile name for the linux forensics false string
    macosEnabled True if macos forensics is enabled false boolean
    macosProfileId The profile id for the macos forensics false string
    macosProfileName The profile name for the macos forensics false string
    windowsEnabled True if windows forensics is enabled false boolean
    windowsProfileId The profile id for the windows forensics false string
    windowsProfileName The profile name for the windows forensics false string

identityEndpointReporting Endpoint reporting level false enum
identityOn Identity module on/off false boolean
identityReportInterval Identity telemetry report interval in minutes false integer
identityThrottlingInterval Identity duplicate command consolidation interval in minutes false integer
identityUpdateInterval Identity update interval in minutes false integer
inheritedFrom Indicates the parent scope from which this policy is inherited, or 'null' if it is not inherited (modified specifically for the current scope). false enum
ioc True if ioc is enabled false boolean
iocAttributes The Ioc attributes false
    autoInstallBrowserExtensions Update auto install browser extensions false boolean
    behavioralIndicators Update behavioral indicators false boolean
    commandScripts Update command scripts false boolean
    crossProcess Update cross process false boolean
    dataMasking Update data masking false boolean
    dllModuleLoad Update DLL module load false boolean
    dns Network event - DNS false boolean
    driver Driver false boolean
    fds Full disk scan false boolean
    file File event false boolean
    ip Network event - IP false boolean
    login User login/logout event false boolean
    namedPipe Named Pipe false boolean
    namedPipeExtended Named Pipe Extended false boolean
    process Process creation event false boolean
    registry Registry event false boolean
    scheduledTask Scheduled task event false boolean
    smartFileMonitoring Smart file monitoring false boolean
    url Ioc URI false boolean
    windowsEventLogs Windows Event Log false boolean
    windowsEventLogsExtended Windows Event Log Extended false boolean

iocSupported Ioc supported for the scope false boolean
isDefault True if this is the tenant policy false boolean
isDvPolicyPerEventType FE indication as to how to display DV policy false boolean
mitigationMode Mitigation modes false enum
mitigationModeSuspicious Mitigation mode false enum
monitorOnExecute Monitor on execute on/off false boolean
monitorOnWrite Monitor on write false boolean
networkQuarantineOn Network quarantine on false boolean
remoteOpsForensics Remote ops forensics configuration false
    cpuLimit CPU resources limit for collection process false integer
    enabled Enabled false boolean
    maximumDailyUpload Maximum size to upload daily false integer
    maximumDailyUploadLimit Limit for the maximum size to upload daily false integer
    maximumFileSizeUpload Maximum size for single file false integer
    maximumFileSizeUploadLimit Limit for the maximum file size to upload false integer
    parsedArtifactsDestination Default destination of parsed artifacts false enum

remoteScriptOrchestration Remote script orchestration upload limits configuration false
    alwaysUploadStreamToCloud Always upload streams to cloud false boolean
    maxDailyFileDownload Maximum size (MB) to download daily false integer
    maxDailyFileDownloadLimit Limit for the maximum size (MB) to download daily false integer
    maxDailyFileUpload Maximum size (MB) to upload daily false integer
    maxDailyFileUploadLimit Limit for the maximum size (MB) to upload daily false integer
    maxFileSize Maximum size in bytes for single file false integer
    maxFileSizeLimit Limit for the maximum file size (MB) to upload false integer
    maxLocalPackageDiskUsage Maximum local disk usage (MB) for packages false integer
    maxLocalPackageDiskUsageLimit Limit for the maximum local disk usage (MB) for packages false integer

removeMacros Determines if macros should be removed from macro threats false boolean
researchOn Share data with SentinelOne false boolean
scanNewAgents If True initiate full disk scan upon first registration false boolean
signedDriverBlockingOn Suspicious signed driver blocking on/off false boolean
snapshotsOn True if snapshots are enabled false boolean
unsignedDriverBlockingOn Suspicious unsigned driver blocking on/off false boolean
updatedAt Time of the last update to the policy false string
userFullName The user that created the policy false string
userId The user id false string

rank Obsolete for post - The rank of the group false integer
siteId The site this group should be part of false string
source Obsolete false string

Get Group by ID
GET /web/api/v2.1/groups/{group_id}

Get data of a given Group. To get a Group ID, run "groups". This command responds with the ID of the Site of the Group, Group name, type (dynamic or static), and similar data. Your username must have permissions for the Site.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
data Response data false
    createdAt Timestamp of group creation false string
    creator The user that created the group false string
    creatorId The ID of the user that created the group false string
    description The user-defined description for the Group false string
    filterId If the group is dynamic id of the filter which is used to associate agents false string
    id Id false string
    isDefault True only for the default group of the Site false boolean
    name Name false string
    rank The rank sets the priority of a dynamic group over others false integer
    registrationToken [DEPRECATED] token generation in dedicated endpoint - /groups/<group_id>/token false
    siteId The id of the site this group is part of false string
    type Group type false enum
    updatedAt Timestamp of last update false string
errors Errors false array

Revert Policy
PUT /web/api/v2.1/groups/{group_id}/revert-policy

A Group can have a policy that is different from its Site policy. Use this command to revert the changes on the Group policy to inherit the Site policy. Your user must have
permissions on the Site.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
data Response data false
    success Indicates a successful operation false boolean
errors Errors false array

Body Schema
Name Description Required Value
data Data false
    id Id false string

Move Agents
PUT /web/api/v2.1/groups/{group_id}/move-agents

Move Agents that match the filter to a Group. The Group ID (run "groups") is required and there can be only one. This will move the matched Agents that are in the same
Site as the given Group.

Response Messages
204 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

409 - Conflict

Body Schema
Name Description Required Value
filter Specification of which agents should be moved true
    accountIds List of Account IDs to filter by false string []
    activeThreats Include Agents with this amount of active threats false integer
    activeThreats__gt Include Agents with at least this amount of active threats false integer
    adComputerMember__contains Free-text filter by Active Directory computer groups string (supports multiple values) false string []
    adComputerName__contains Free-text filter by Active Directory computer name string (supports multiple values) false string []
    adComputerQuery__contains Free-text filter by Active Directory computer name or its groups (supports multiple values) false string []
    adQuery An Active Directory query string false string
    adQuery__contains Free-text filter by Active Directory string (supports multiple values) false string []
    adUserMember__contains Free-text filter by Active Directory user groups string (supports multiple values) false string []
    adUserName__contains Free-text filter by Active Directory username string (supports multiple values) false string []
    adUserQuery__contains Free-text filter by Active Directory computer name or its groups (supports multiple values) false string []
    agentIds (DEPRECATED; use 'ids' instead) List of agent ids to move to a new group false string []
    agentNamespace__contains Free-text filter by agent namespace (supports multiple values) false string []
    agentPodName__contains Free-text filter by agent pod name (supports multiple values) false string []
    agentVersion__between Version range for agent version (format: <from_version>-<to_version>, inclusive) false string
    agentVersion__gt Agents versions greater than given version false string
    agentVersion__gte Agents versions greater than or equal to given version false string
    agentVersion__lt Agents versions less than given version false string
    agentVersion__lte Agents versions less than or equal to given version false string
    agentVersions Agent versions to include false string []
    agentVersionsNin Agent versions not to include false string []
    appsVulnerabilityStatuses Apps vulnerability status in false string []
    appsVulnerabilityStatusesNin Apps vulnerability status nin false string []
    awsRole__contains Free-text filter by aws role (supports multiple values) false string []
    awsSecurityGroups__contains Free-text filter by aws securityGroups (supports multiple values) false string []
    awsSubnetIds__contains Free-text filter by aws subnet ids (supports multiple values) false string []
    azureResourceGroup__contains Free-text filter by azure resource group (supports multiple values) false string []
    cloudAccount__contains Free-text filter by cloud account (supports multiple values) false string []
    cloudImage__contains Free-text filter by cloud image (supports multiple values) false string []
    cloudInstanceId__contains Free-text filter by cloud instance id (supports multiple values) false string []
    cloudInstanceSize__contains Free-text filter by cloud instance size (supports multiple values) false string []
    cloudLocation__contains Free-text filter by cloud location (supports multiple values) false string []
    cloudNetwork__contains Free-text filter by cloud network (supports multiple values) false string []
    cloudProvider Agents from which cloud provider false string []
    cloudProviderNin Exclude Agents from these cloud provider false string []
    cloudTags__contains Free-text filter by cloud tags (supports multiple values) false string []
    clusterName__contains Free-text filter by cluster name (supports multiple values) false string []
    computerName Computer name false string
    computerName__contains Free-text filter by computer name (supports multiple values) false string []
    computerName__like Match computer name partially (substring) false string
    consoleMigrationStatuses Migration status in false string []
    consoleMigrationStatusesNin Migration status nin false string []
    coreCount__between Possible number of CPU cores (inclusive) false string
    coreCount__gt CPU cores (more than) false integer
    coreCount__gte CPU cores (more than or equal) false integer
    coreCount__lt CPU cores (less than) false integer
    coreCount__lte CPU cores (less than or equal) false integer
    cpuCount__between Possible number of CPU cores (inclusive) false string
    cpuCount__gt Number of CPUs (more than) false integer
    cpuCount__gte Number of CPUs (more than or equal) false integer
    cpuCount__lt Number of CPUs (less than) false integer
    cpuCount__lte Number of CPUs (less than or equal) false integer
    cpuId__contains Free-text filter by CPU name (supports multiple values) false string []
    createdAt__between Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    createdAt__gt Agents created after this timestamp false string
    createdAt__gte Agents created after or at this timestamp false string
    createdAt__lt Agents created before this timestamp false string
    createdAt__lte Agents created before or at this timestamp false string
    csvFilterId The ID of the CSV file to filter by false string
    decommissionedAt__between Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    decommissionedAt__gt Agents decommissioned after this timestamp false string
    decommissionedAt__gte Agents decommissioned after or at this timestamp false string
    decommissionedAt__lt Agents decommissioned before this timestamp false string
    decommissionedAt__lte Agents decommissioned before this timestamp false string
    domains Included network domains false string []
    domainsNin Not included network domains false string []
    encryptedApplications Disk encryption status false boolean
    externalId__contains Free-text filter by external ID (Customer ID) false string []
    externalIp__contains Free-text filter by visible IP (supports multiple values) false string []
    filteredGroupIds List of Group IDs to filter by false string []
    filteredSiteIds List of Site IDs to filter by false string []
    filterId Include all Agents matching this saved filter false string
    firewallEnabled The agents supports Firewall Control and it is enabled for the agent's group false boolean []
    gatewayIp Gateway ip false string
    gcpServiceAccount__contains Free-text filter by gcp service account (supports multiple values) false string []
    groupIds List of Group IDs to filter by false string []
    hasContainerizedWorkload Include only Agents protecting containerized workloads false boolean
    hasLocalConfiguration Agent has a local configuration set false boolean
    hasTags Include only Agents that have any tags assigned if True, or none if False false boolean
    ids A list of Agent IDs false string []
    infected Include only Agents with at least one active threat false boolean
    installerTypes Include only Agents installed with these package types false string []
    installerTypesNin Exclude Agents installed with these package types false string []
    isActive Include only active Agents false boolean
    isDecommissioned Include active, decommissioned or both false boolean []
    isPendingUninstall Include only Agents with pending uninstall requests false boolean
    isUninstalled Include installed, uninstalled or both false boolean []
    isUpToDate Include only Agents with updated software false boolean
    k8sNodeLabels__contains Free-text filter by K8s node labels (supports multiple values) false string []
    k8sNodeName__contains Free-text filter by K8s node name (supports multiple values) false string []
    k8sType__contains Free-text filter by K8s type (supports multiple values) false string []
    k8sVersion__contains Free-text filter by K8s version (supports multiple values) false string []
    lastActiveDate__between Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    lastActiveDate__gt Agents last active after this time false string
    lastActiveDate__gte Agents last active after or at this time false string
    lastActiveDate__lt Agents last active before this time false string
    lastActiveDate__lte Agents last active before or at this time false string
    lastLoggedInUserName__contains Free-text filter by username (supports multiple values) false string []
    lastSuccessfulScanDate__between Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    lastSuccessfulScanDate__gt Agents last successful full disk scan after this time false string
    lastSuccessfulScanDate__gte Agents last successful full disk scan after or at this time false string
    lastSuccessfulScanDate__lt Agents last successful full disk scan before this time false string
    lastSuccessfulScanDate__lte Agents last successful full disk scan before or at this time false string
    liveUpdateId__contains Free-text filter by live update ID (supports multiple values) false string []
    locationEnabled The agents supports Location Awareness and it is enabled for the agent's group false boolean []
    locationIds Include only Agents reporting these locations false string []
    locationIdsNin Do not include only Agents reporting these locations false string []
    machineTypes Included machine types false string []
    machineTypesNin Not included machine types false string []
    migrationStatus Migration status false enum
    missingPermissions Included missing permissions false string []
    missingPermissionsNin Excluded missing permissions false string []
    mitigationMode Agent mitigation mode policy false enum
    mitigationModeSuspicious Mitigation mode policy for suspicious activity false enum
    networkInterfaceGatewayMacAddress__contains Free-text filter by Gateway MAC address (supports multiple values) false string []
    networkInterfaceInet__contains Free-text filter by local IP (supports multiple values) false string []
    networkInterfacePhysical__contains Free-text filter by MAC address (supports multiple values) false string []
    networkQuarantineEnabled The agents supports Network Quarantine Control and its enabled for the agent's group false boolean []
    networkStatuses Included network statuses false string []
    networkStatusesNin Included network statuses false string []
    operationalStates Agent operational state false string []
    operationalStatesNin Do not include these Agent operational states false string []
    osArch OS architecture false enum
    osTypes Included OS types false string []
    osTypesNin Not included OS types false string []
    osVersion__contains Free-text filter by OS full name and version (supports multiple values) false string []
    query A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). false string
    rangerStatus [DEPRECATED] Use rangerStatuses. false enum
    rangerStatuses Status of Ranger false string []
    rangerStatusesNin Do not include these Ranger Statuses false string []
    rangerVersions Ranger versions to include false string []
    rangerVersionsNin Ranger versions not to include false string []
    registeredAt__between Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    registeredAt__gt Agents registered after this time false string
    registeredAt__gte Agents registered after or at this time false string
    registeredAt__lt Agents registered before this time false string
    registeredAt__lte Agents registered before or at this time false string
    remoteOpsForensicsSupported Include only agents that has Remote Ops Forensics feature supported false boolean
    remoteProfilingStates Agent remote profiling state false string []
    remoteProfilingStatesNin Do not include these Agent remote profiling states false string []
    rsoLevel Supported Remote Script Orchestration level false enum
    scanStatus Scan status false enum
    scanStatuses Included scan statuses false string []
    scanStatusesNin Not included scan statuses false string []
    serialNumber__contains Free-text filter by Serial Number (supports multiple values) false string []
    siteIds List of Site IDs to filter by false string []
    tagsData Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. false string
    threatContentHash Include only Agents that have at least one threat with this content hash false string
    threatCreatedAt__between Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    threatCreatedAt__gt Agents with threats reported after this time false string
    threatCreatedAt__gte Agents with threats reported after or at this time false string
    threatCreatedAt__lt Agents with threats reported before this time false string
    threatCreatedAt__lte Agents with threats reported before or at this time false string
    threatHidden Include only Agents with at least one hidden threat false boolean
    threatMitigationStatus Include only Agents that have threats with this mitigation status false enum
    threatRebootRequired Has at least one threat with at least one mitigation action pending reboot to succeed false boolean []
    threatResolved Include only Agents with at least one resolved threat false boolean
    totalMemory__between Total memory range (GB, inclusive) false string
    totalMemory__gt Memory size (MB, more than) false integer
    totalMemory__gte Memory size (MB, more than or equal) false integer
    totalMemory__lt Memory size (MB, less than) false integer
    totalMemory__lte Memory size (MB, less than or equal) false integer
    updatedAt__between Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    updatedAt__gt Agents updated after this timestamp false string
    updatedAt__gte Agents updated after or at this timestamp false string
    updatedAt__lt Agents updated before this timestamp false string
    updatedAt__lte Agents updated before or at this timestamp false string
    userActionsNeeded Included pending user actions false string []
    userActionsNeededNin Excluded pending user actions false string []
    uuid Agent's universally unique identifier false string
    uuid__contains Free-text filter by Agent UUID (supports multiple values) false string []
    uuids A list of included UUIDs false string []
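
A request body for Move Agents, built with type checks taken from the Body Schema above. This is an added example, not code from the SentinelOne documentation: the helper names, the allow-listed subset of filter keys, the refusal of an empty filter, the numeric check on the Group ID and all sample IDs and tag values are assumptions made for illustration.

```python
import json

# Value types copied from the Body Schema table (a small subset of the keys).
LIST_KEYS = {"ids", "uuids", "siteIds", "groupIds", "osTypes",
             "computerName__contains"}
BOOL_KEYS = {"isActive", "infected", "isUpToDate", "hasTags"}
STR_KEYS = {"filterId", "query", "lastActiveDate__lt", "tagsData"}


def tags_data(include=None, exclude=None):
    """Encode tagsData: a JSON string mapping tag key -> list of string values.

    Keys passed in `exclude` get the "__nin" suffix the schema describes.
    """
    doc = {}
    for key, values in (include or {}).items():
        doc[key] = [str(v) for v in values]
    for key, values in (exclude or {}).items():
        doc[key + "__nin"] = [str(v) for v in values]
    if not doc:
        raise ValueError("tagsData needs at least one tag key")
    return json.dumps(doc, sort_keys=True)


def build_filter(**criteria):
    """Validate filter criteria against the types listed in the schema."""
    if not criteria:
        # Guard rail chosen for this example: never send a filter that
        # names no criteria at all.
        raise ValueError("empty filter refused: state which agents to move")
    flt = {}
    for key, value in criteria.items():
        if key in LIST_KEYS:
            if isinstance(value, (str, bytes)) or not all(
                    isinstance(v, str) for v in value):
                raise TypeError(f"{key} must be a list of strings")
            if not value:
                raise ValueError(f"{key} must not be an empty list")
            flt[key] = list(value)
        elif key in BOOL_KEYS:
            if not isinstance(value, bool):
                raise TypeError(f"{key} must be a boolean")
            flt[key] = value
        elif key in STR_KEYS:
            if not isinstance(value, str) or not value:
                raise TypeError(f"{key} must be a non-empty string")
            flt[key] = value
        else:
            raise KeyError(f"{key} is not in this example's allow-list")
    return flt


def move_agents_request(group_id, **criteria):
    """Return (method, path, json_body) for PUT .../groups/{group_id}/move-agents."""
    # Assumption: IDs are numeric strings, as in the ID examples on the page.
    if not (isinstance(group_id, str) and group_id.isdigit()):
        raise ValueError("group_id must be a numeric ID string")
    path = f"/web/api/v2.1/groups/{group_id}/move-agents"
    body = json.dumps({"filter": build_filter(**criteria)}, sort_keys=True)
    return "PUT", path, body


if __name__ == "__main__":
    # Constructed sample values.
    tags = tags_data(include={"env": ["prod"]}, exclude={"owner": ["lab"]})
    print(move_agents_request("1234567890", siteIds=["111"],
                              isActive=True, tagsData=tags))
```

Because tagsData is typed as a string, the tag mapping is JSON-encoded on its own and then embedded in the JSON body.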

Update Ranks
PUT /web/api/v2.1/groups/ranks

An Agent can belong to only one Group. If the Agent matches multiple Dynamic Groups, it goes to the Group with the highest rank. The "rank" parameter has a minimum
of "1". The lower the integer, the higher priority it has to collect Agents. Make sure the IDs of the groups in this command are for Dynamic groups.

Response Messages
204 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Body Schema
Name Description Required Value
data Data true
    ranks List of ranks to update false
        id Id false string
        rank The new rank for the group false integer
filter Filter true
    accountIds List of Account IDs to filter by false string []
    siteIds List of Site IDs to filter by false string []
accountIds List of Account IDs to filter by false string []
siteIds List of Site IDs to filter by false string []

Get Site registration token by ID
GET /web/api/v2.1/groups/{group_id}/token

Get the registration token of the Group with the given ID.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
data Response data false
    token Token false string
errors Errors false array

Hashes

Hash Reputation Rank


GET /web/api/v2.1/hashes/{hash}/reputation

[DEPRECATED] Please use the /verdict endpoint.


Get the reputation rank of a hash, given the required SHA1. To get a hash, run "threats" (best if filtered for a Group or Site) and take the fileContentHash value.
Rank is a number measured on a scale of 1-10, where 10 is definitely malicious and 1 is definitely not malicious. 5-10 shows a status of malicious. 1-4 shows a status of not malicious. 0 is status unknown. Example response for a malicious hash looks like this: {"data": {"rank": "5"}}.
Important: This endpoint only returns the rank of the hash if it is known to the management (stored in mgmt DB). For unknown hashes it returns an empty response: {"data": {}}

Response Messages
200 - Rank of the hash known to the management. If the hash is unknown, the response is an empty "data" field in the response.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    rank The hash reputation measured on a scale of 1-10, where 10 is definitely malicious and 1 is definitely not malicious. 5-10 shows a status of malicious. 1-4 shows a status of not malicious. 0 is status unknown. false string
errors Errors false array

Hash classification
GET /web/api/v2.1/hashes/{hash}/classification

[DEPRECATED] Returns hash classification.

Response Messages
200 - Hash classification received from cloud

401 - Unauthorized access - please sign in and retry.

404 - Hash classification wasn't received from cloud

Response Schema
Name Description Required Value
data Response data false
    classification The hash classification false string
    classificationSource The source deciding the most current classification false enum
errors Errors false array

Hash Reputation verdict
GET /web/api/v2.1/hashes/{hash}/verdict

Get the verdict of a hash, given the required SHA1.

A verdict of malicious or non-malicious means the hash has been marked as such by the Reputation's sources.
An unknown answer is given for hashes that are not yet known by Reputation.

Response Messages
200 - Verdict of the hash known to the management

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    verdict The hash verdict, could be malicious, non-malicious or unknown false string
errors Errors false array
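
The responses of the deprecated /reputation endpoint and of /verdict, normalized into one status so that an unknown hash is never read as a clean one. This is an added example, not code from the SentinelOne documentation: the function names are hypothetical, the literal verdict strings are assumed from the schema description above, and the sample SHA1 is the digest of empty input.

```python
import re

SHA1_RE = re.compile(r"[0-9a-fA-F]{40}")
EMPTY_SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"  # SHA1 of b""


def reputation_path(sha1, endpoint="verdict"):
    """Build the request path; anything that is not a 40-hex SHA1 is refused."""
    if not SHA1_RE.fullmatch(sha1):
        raise ValueError("expected a SHA1 (40 hexadecimal characters)")
    if endpoint not in ("verdict", "reputation"):
        raise ValueError("endpoint must be 'verdict' or 'reputation'")
    return f"/web/api/v2.1/hashes/{sha1}/{endpoint}"


def status_from_rank(body):
    """Map a /reputation response to malicious / not malicious / unknown."""
    data = body.get("data") or {}
    raw = data.get("rank")
    if raw is None:
        # {"data": {}}: the hash is not stored in the management DB.
        return "unknown"
    rank = int(raw)  # the rank arrives as a string, e.g. "5"
    if rank == 0:
        return "unknown"
    if 1 <= rank <= 4:
        return "not malicious"
    if 5 <= rank <= 10:
        return "malicious"
    raise ValueError(f"rank {rank} is outside the documented 0-10 scale")


def status_from_verdict(body):
    """Map a /verdict response to the same three statuses."""
    data = body.get("data") or {}
    verdict = str(data.get("verdict", "")).strip().lower()
    # Assumed literals, taken from the schema description of "verdict".
    known = {"malicious": "malicious", "non-malicious": "not malicious"}
    return known.get(verdict, "unknown")


def triage(sha1, verdict_body=None, rank_body=None):
    """Prefer /verdict; fall back to the deprecated rank only if still unknown."""
    reputation_path(sha1)  # validates the hash format
    status, source = "unknown", None
    if verdict_body is not None:
        status, source = status_from_verdict(verdict_body), "verdict"
    if status == "unknown" and rank_body is not None:
        status, source = status_from_rank(rank_body), "reputation"
    return {"sha1": sha1, "status": status, "source": source}


if __name__ == "__main__":
    # Constructed responses in the shapes shown on this page.
    print(triage(EMPTY_SHA1, verdict_body={"data": {"verdict": "unknown"}},
                 rank_body={"data": {"rank": "5"}}))
    print(triage(EMPTY_SHA1, rank_body={"data": {}}))
```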

licenses

Update sites add-ons


PUT /web/api/v2.1/licenses/update-sites-modules

Change the add-ons of the sites by a given filter

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    affected Number of entities affected by the requested operation false integer
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    operation Operation true enum
    modules Modules false
        name Name true string
filter Filter true
    accountId Account id false string
    accountIds List of Account IDs to filter by false string []
    accountName__contains Free-text filter by account name (supports multiple values) false string []
    activeLicenses Active licenses false integer
    adminOnly Show sites the user has Admin privileges to false boolean
    availableMoveSites Only return sites the user can move agents to false boolean
    createdAt Timestamp of site creation false string
    description The description for the Site false string
    description__contains Free-text filter by site description (supports multiple values) false string []
    expiration Expiration false string
    externalId Id in a CRM external system false string
    features If sent return only sites that support this features false string []
    healthStatus Health status false boolean
    isDefault Is default false boolean
    module Module false string
    name Name false string
    name__contains Free-text filter by site name (supports multiple values) false string []
    query Full text search for fields: name, account_name, description. (Note: on single-account consoles account name will not be matched) false string
    registrationToken Registration token false string
    siteIds List of Site IDs to filter by false string []
    siteType Site type false enum
    sku Sku false string
    state Site state false enum
    states List of states to filter false string []
    suite [DEPRECATED] Use sku instead false enum
    totalLicenses Total licenses false integer
    updatedAt Timestamp of last update false string

Live Updates

Get Agent Merged Updates


GET /web/api/v2.1/content-updates-inventory

Get Agent's merged updates.

Parameters
agentid required The ID of the Agent. Example: "225494730938493804".
countonly optional If true, only total number of items will be returned, without any of the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
limit optional Limit number of returned items (1-1000). Example: "10".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
    totalItems Total number of items found matching your query true integer
    nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
    appliedAt Timestamp of when the update was applied false string
    assetFamilyType Live update category false string
    displayName Live update type name false string
    liveUpdateId Live update ID false string
errors Errors false array
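
Cursor pagination over this endpoint, following nextCursor until it comes back null, then picking the most recently applied update per category. This is an added example, not code from the SentinelOne documentation: the HTTP call is replaced by an injected fetch function, and the function names, the treatment of "data" as a list, the ISO 8601 timestamps and every sample value are assumptions or constructed data.

```python
def iter_live_updates(fetch_page, agent_id, limit=1000):
    """Yield every item, one page at a time.

    fetch_page(params) must perform GET /web/api/v2.1/content-updates-inventory
    with the given query parameters and return the decoded JSON body.
    """
    if not 1 <= limit <= 1000:
        raise ValueError("limit must be between 1 and 1000")
    # skipcount spares the server the total count, which is not used here.
    params = {"agentid": agent_id, "limit": limit, "skipcount": "true"}
    seen = set()
    while True:
        body = fetch_page(dict(params))
        if body.get("errors"):
            raise RuntimeError(f"API returned errors: {body['errors']}")
        yield from body.get("data") or []
        cursor = (body.get("pagination") or {}).get("nextCursor")
        if cursor is None or cursor == "null":
            return  # last page reached
        if cursor in seen:
            raise RuntimeError("cursor repeated; stopping to avoid a loop")
        seen.add(cursor)
        params["cursor"] = cursor


def latest_by_family(items):
    """Return the most recently applied update for each assetFamilyType.

    Assumes appliedAt is an ISO 8601 UTC string, so string order is time order.
    """
    latest = {}
    for item in items:
        family = item["assetFamilyType"]
        if family not in latest or item["appliedAt"] > latest[family]["appliedAt"]:
            latest[family] = item
    return latest


def make_fake_fetch(pages):
    """Constructed stand-in for the HTTP call: serves pages keyed by cursor."""
    calls = []

    def fetch(params):
        calls.append(params)
        return pages[params.get("cursor")]

    fetch.calls = calls
    return fetch


# Constructed sample pages (not real API output).
SAMPLE_PAGES = {
    None: {
        "pagination": {"nextCursor": "Y3Vyc29yLTE="},
        "data": [
            {"liveUpdateId": "lu-1", "assetFamilyType": "signatures",
             "displayName": "Sample A", "appliedAt": "2024-01-01T00:00:00Z"},
            {"liveUpdateId": "lu-2", "assetFamilyType": "signatures",
             "displayName": "Sample A", "appliedAt": "2024-02-01T00:00:00Z"},
        ],
    },
    "Y3Vyc29yLTE=": {
        "pagination": {"nextCursor": None},
        "data": [
            {"liveUpdateId": "lu-3", "assetFamilyType": "rules",
             "displayName": "Sample B", "appliedAt": "2024-01-15T00:00:00Z"},
        ],
    },
}

if __name__ == "__main__":
    fetch = make_fake_fetch(SAMPLE_PAGES)
    updates = list(iter_live_updates(fetch, "225494730938493804", limit=2))
    for family, item in latest_by_family(updates).items():
        print(family, item["liveUpdateId"], item["appliedAt"])
```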

Locations

Create Location
POST /web/api/v2.1/locations

Create a location that defines parameters of Agents in a scope filter. Parameters include:
* ipAddresses - The Agent compares the endpoint active IPv4 or IPv6 addresses to the IP addresses, ranges, and CIDRs defined for the location.
* dnsServers - The Agent compares the configured DNS servers of the endpoint to the DNS servers defined for the location.
* dnsLookup - The Agent resolves the FQDN of the endpoint to IPv4 or IPv6 addresses and compares them to the addresses configured in the location setting.
* networkInterfaces - The Agent determines if the endpoint is connected to the network over a wireless connection. If one connected interface is wireless, the endpoint is
considered wireless.
* serverConnectivity - The Agent reports if it is connected to its Management.
* registryKeys - The Agent compares the endpoint registry keys in HKEY_LOCAL_MACHINE\SOFTWARE with the registry key of the location definition.
When you set a location parameter, also set the operator to ALL, NONE, or at least 1.
The serverConnectivity parameter takes "enabled" (true or false) and "value" (connected or disconnected).
The networkInterfaces parameter takes "enabled" (true or false) and "value" (wired or wireless).

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name - Description - Required - Value
data - Response data - false - (nested fields)
    name - Location name (should be unique per scope) - true - string
    operator - Logical operator to apply between the set of identifiers - true - enum
    activeFirewallRules - Number of active firewall rules defined in the location - false - integer
    createdAt - Created at - false - string
    creator - Location creator name - false - string
    creatorId - Location creator ID - false - string
    description - Location description - false - string
    dnsLookup - Identify a location by DNS lookup results - false - (nested fields)
        operator - Logical operator to apply between the set of identifiers - true - enum
        identifiers - A list of DNS lookup identifiers - false - (nested fields)
            host - Hostname to resolve - true - string
            ip - Resolved IP address - true - string
    dnsServers - Identify a location by DNS servers defined on the endpoint - false - (nested fields)
        operator - Logical operator to apply between the set of identifiers - true - enum
        identifiers - A list of identifiers - false - (nested fields)
            type - Address type - true - enum
            values - IP address, CIDR or range of two addresses. May be either IPv4 or IPv6 - false - string []
    editable - Is location editable in current scope - false - boolean
    id - Id - false - string
    ipAddresses - Identify a location by the assigned IP addresses - false - (nested fields)
        operator - Logical operator to apply between the set of identifiers - true - enum
        identifiers - A list of identifiers - false - (nested fields)
            type - Address type - true - enum
            values - IP address, CIDR or range of two addresses. May be either IPv4 or IPv6 - false - string []
    isFallback - Is fallback - false - boolean
    networkInterfaces - Identify a location by available network interface types - false - (nested fields)
        enabled - Use or discard this location identifier - true - boolean
        value - Network interface type - false - enum
    registryKeys - Identify a location by a registry key or value - false - (nested fields)
        key - Registry key path to match. Must start with "HKEY_LOCAL_MACHINE\SOFTWARE\". - true - string
        data - Content of the value to match (may be a string or a 64-bit integer, optional) - false - string
        value - Value name in the registry key path to match (optional) - false - string
    reportingAgents - Number of agents in the location - false - integer
    scope - Scope - false - enum
    scopeId - Scope id - false - string
    scopeName - Scope name - false - string
    serverConnectivity - Identify a location by connectivity to the management server - false - (nested fields)
        enabled - Use or discard this location identifier - true - boolean
        value - Server connectivity status - false - enum
    updatedAt - Updated at - false - string
    updater - Location updater name - false - string
    updaterId - Location updater - false - string
errors - Errors - false - array

Body Schema
Name - Description - Required - Value
data - Location data - true - (nested fields)
    name - Location name (should be unique per scope) - true - string
    operator - Logical operator to apply between the set of identifiers - true - enum
    description - Location description - false - string
    dnsLookup - Identify a location by DNS lookup results - false - (nested fields)
        operator - Logical operator to apply between the set of identifiers - true - enum
        identifiers - A list of DNS lookup identifiers - false - (nested fields)
            host - Hostname to resolve - true - string
            ip - Resolved IP address - true - string
    dnsServers - Identify a location by DNS servers defined on the endpoint - false - (nested fields)
        operator - Logical operator to apply between the set of identifiers - true - enum
        identifiers - A list of identifiers - false - (nested fields)
            type - Address type - true - enum
            values - IP address, CIDR or range of two addresses. May be either IPv4 or IPv6 - false - string []
    ipAddresses - Identify a location by the assigned IP addresses - false - (nested fields)
        operator - Logical operator to apply between the set of identifiers - true - enum
        identifiers - A list of identifiers - false - (nested fields)
            type - Address type - true - enum
            values - IP address, CIDR or range of two addresses. May be either IPv4 or IPv6 - false - string []
    networkInterfaces - Identify a location by available network interface types - false - (nested fields)
        enabled - Use or discard this location identifier - true - boolean
        value - Network interface type - false - enum
    registryKeys - Identify a location by a registry key or value - false - (nested fields)
        key - Registry key path to match. Must start with "HKEY_LOCAL_MACHINE\SOFTWARE\". - true - string
        data - Content of the value to match (may be a string or a 64-bit integer, optional) - false - string
        value - Value name in the registry key path to match (optional) - false - string
    serverConnectivity - Identify a location by connectivity to the management server - false - (nested fields)
        enabled - Use or discard this location identifier - true - boolean
        value - Server connectivity status - false - enum
filter - Location scope - true - (nested fields)
    accountIds - List of Account IDs to filter by - false - string []
    siteIds - List of Site IDs to filter by - false - string []

Get Locations
GET /web/api/v2.1/locations

Get the locations of Agents in a given scope that match the filter. Agent locations are based on endpoint network parameters (IP, DNS, NIC, Registry Key, or SentinelOne
connection set for all true, at least one true, or none true and applied to a Site, Account, or Global). Agents detect their location settings and apply Firewall Control rules
that have Location Aware parameters that match the Agent location. Agents can be in multiple locations at the same time. If an Agent that supports Locations does not
detect that it is in a defined location, it uses the Firewall rules assigned to the Fallback location.
Use this command with a filter for "hasFirewallRules" to find Locations that do not have matching Firewall Control rules. The response to this request includes the ID of the
location, which you can use in other commands.
Firewall Control and Location Awareness require Control SKU.
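An added example (not part of the SentinelOne documentation) of the audit described above: it pages through GET /web/api/v2.1/locations with "cursor" and lists locations that have no Firewall Control rules. The "ApiToken" authorization header, the "false" encoding of the filter value, the helper names and the sample pages are assumptions or constructed for illustration.

```python
"""Added example: list Locations that have no Firewall Control rules attached."""
import json
import urllib.parse
import urllib.request

LOCATIONS_PATH = "/web/api/v2.1/locations"
MAX_LIMIT = 1000  # "limit" is documented as 1-1000


def http_fetch(base_url, api_token):
    """Build fetch(path, params) for a real console.

    Assumptions: base_url and api_token come from the caller, and the token
    is sent as "Authorization: ApiToken <token>".
    """
    def fetch(path, params):
        url = base_url.rstrip("/") + path + "?" + urllib.parse.urlencode(params)
        request = urllib.request.Request(
            url, headers={"Authorization": "ApiToken " + api_token})
        with urllib.request.urlopen(request, timeout=30) as response:
            return json.load(response)
    return fetch


def iter_locations(fetch, limit=MAX_LIMIT, **filters):
    """Yield every location matching the filters, following nextCursor."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be between 1 and 1000")
    params = dict(filters, limit=limit)
    seen = set()
    while True:
        page = fetch(LOCATIONS_PATH, params)
        if page.get("errors"):
            raise RuntimeError("API errors: %r" % (page["errors"],))
        yield from page.get("data") or []
        cursor = (page.get("pagination") or {}).get("nextCursor")
        if cursor in (None, "null"):   # null marks the last page
            return
        if cursor in seen:             # guard against a cursor that never advances
            raise RuntimeError("nextCursor repeated: %r" % cursor)
        seen.add(cursor)
        params["cursor"] = cursor


def locations_without_rules(fetch):
    """Return locations with no firewall rules, most reporting Agents first."""
    rows = []
    # Parameter spelled as in the endpoint description ("hasFirewallRules");
    # the parameter table lists it lowercased. The value "false" is an assumption.
    for loc in iter_locations(fetch, hasFirewallRules="false"):
        rows.append({
            "id": loc.get("id"),
            "name": loc["name"],  # required in the response schema
            "scope": loc.get("scope"),
            "isFallback": bool(loc.get("isFallback")),
            "reportingAgents": loc.get("reportingAgents") or 0,
        })
    rows.sort(key=lambda r: (-r["reportingAgents"], r["name"]))
    return rows


def fake_console(pages):
    """Constructed in-memory stand-in for the console, keyed by cursor."""
    def fetch(path, params):
        fetch.calls.append(dict(params))
        return pages[params.get("cursor")]
    fetch.calls = []
    return fetch


# Constructed sample responses shaped like the documented Response Schema.
SAMPLE_PAGES = {
    None: {
        "pagination": {"totalItems": 3, "nextCursor": "Y3Vyc29yLTI="},
        "data": [
            {"id": "1001", "name": "Branch office", "scope": "site",
             "isFallback": False, "reportingAgents": 4, "activeFirewallRules": 0},
            {"id": "1002", "name": "Fallback", "scope": "account",
             "isFallback": True, "reportingAgents": 12, "activeFirewallRules": 0},
        ],
    },
    "Y3Vyc29yLTI=": {
        "pagination": {"totalItems": 3, "nextCursor": None},
        "data": [
            {"id": "1003", "name": "Lab", "scope": "site",
             "isFallback": False, "reportingAgents": 0, "activeFirewallRules": 0},
        ],
    },
}

if __name__ == "__main__":
    for row in locations_without_rules(fake_console(SAMPLE_PAGES)):
        print(row)
```

Against a real console, pass `http_fetch(base_url, api_token)` in place of `fake_console(SAMPLE_PAGES)`.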

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
creator__contains optional Free-text filter by creator of the location (supports multiple values).
Example: "max,mike".
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
description__contains optional Free-text filter by description (supports multiple values). Example:
"out of office".
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
hasfirewallrules optional Filter by locations with/without firewall rules associated to them
hostname__contains optional Free-text filter by hostname (supports multiple values). Example:
"sentinelone.com,localhost".
ids optional Filter results by location IDs. Example:
"225494730938493804,225494730938493915".
ipaddress__contains optional Free-text filter by IP address (supports multiple values). Example:
"29.213.22.17".
limit optional Limit number of returned items (1-1000). Example: "10".
name__contains optional Free-text filter by location name (supports multiple values). Example:
"office".
registrykey__contains optional Free-text filter by registry key (supports multiple values). Example:
"system\software,sentinel".
scopename__contains optional Free-text filter by scope name (supports multiple values). Example:
"my_group,my_site".
scopes optional Filter results by scope. Example: "account".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name - Description - Required - Value
pagination - Pagination information - true - (nested fields)
    totalItems - Total number of items found matching your query - true - integer
    nextCursor - Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) - false - string
data - Response data - false - (nested fields)
    name - Location name (should be unique per scope) - true - string
    operator - Logical operator to apply between the set of identifiers - true - enum
    activeFirewallRules - Number of active firewall rules defined in the location - false - integer
    createdAt - Created at - false - string
    creator - Location creator name - false - string
    creatorId - Location creator ID - false - string
    description - Location description - false - string
    dnsLookup - Identify a location by DNS lookup results - false - (nested fields)
        operator - Logical operator to apply between the set of identifiers - true - enum
        identifiers - A list of DNS lookup identifiers - false - (nested fields)
            host - Hostname to resolve - true - string
            ip - Resolved IP address - true - string
    dnsServers - Identify a location by DNS servers defined on the endpoint - false - (nested fields)
        operator - Logical operator to apply between the set of identifiers - true - enum
        identifiers - A list of identifiers - false - (nested fields)
            type - Address type - true - enum
            values - IP address, CIDR or range of two addresses. May be either IPv4 or IPv6 - false - string []
    editable - Is location editable in current scope - false - boolean
    id - Id - false - string
    ipAddresses - Identify a location by the assigned IP addresses - false - (nested fields)
        operator - Logical operator to apply between the set of identifiers - true - enum
        identifiers - A list of identifiers - false - (nested fields)
            type - Address type - true - enum
            values - IP address, CIDR or range of two addresses. May be either IPv4 or IPv6 - false - string []
    isFallback - Is fallback - false - boolean
    networkInterfaces - Identify a location by available network interface types - false - (nested fields)
        enabled - Use or discard this location identifier - true - boolean
        value - Network interface type - false - enum
    registryKeys - Identify a location by a registry key or value - false - (nested fields)
        key - Registry key path to match. Must start with "HKEY_LOCAL_MACHINE\SOFTWARE\". - true - string
        data - Content of the value to match (may be a string or a 64-bit integer, optional) - false - string
        value - Value name in the registry key path to match (optional) - false - string
    reportingAgents - Number of agents in the location - false - integer
    scope - Scope - false - enum
    scopeId - Scope id - false - string
    scopeName - Scope name - false - string
    serverConnectivity - Identify a location by connectivity to the management server - false - (nested fields)
        enabled - Use or discard this location identifier - true - boolean
        value - Server connectivity status - false - enum
    updatedAt - Updated at - false - string
    updater - Location updater name - false - string
    updaterId - Location updater - false - string
errors - Errors - false - array

Delete Locations
DELETE /web/api/v2.1/locations

Delete location definitions of a given location. To get location IDs, run "locations".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name - Description - Required - Value
data - Response data - false - (nested fields)
    affected - Number of entities affected by the requested operation - false - integer
errors - Errors - false - array

Body Schema
Name - Description - Required - Value
data - Data - true - (nested fields)
    ids - List of location IDs to delete - false - string []

Update Location
PUT /web/api/v2.1/locations/{location_id}

Change the parameter values of a location definition. See Create Location.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

404 - Location not found

Response Schema
Name - Description - Required - Value
data - Response data - false - (nested fields)
    name - Location name (should be unique per scope) - true - string
    operator - Logical operator to apply between the set of identifiers - true - enum
    activeFirewallRules - Number of active firewall rules defined in the location - false - integer
    createdAt - Created at - false - string
    creator - Location creator name - false - string
    creatorId - Location creator ID - false - string
    description - Location description - false - string
    dnsLookup - Identify a location by DNS lookup results - false - (nested fields)
        operator - Logical operator to apply between the set of identifiers - true - enum
        identifiers - A list of DNS lookup identifiers - false - (nested fields)
            host - Hostname to resolve - true - string
            ip - Resolved IP address - true - string
    dnsServers - Identify a location by DNS servers defined on the endpoint - false - (nested fields)
        operator - Logical operator to apply between the set of identifiers - true - enum
        identifiers - A list of identifiers - false - (nested fields)
            type - Address type - true - enum
            values - IP address, CIDR or range of two addresses. May be either IPv4 or IPv6 - false - string []
    editable - Is location editable in current scope - false - boolean
    id - Id - false - string
    ipAddresses - Identify a location by the assigned IP addresses - false - (nested fields)
        operator - Logical operator to apply between the set of identifiers - true - enum
        identifiers - A list of identifiers - false - (nested fields)
            type - Address type - true - enum
            values - IP address, CIDR or range of two addresses. May be either IPv4 or IPv6 - false - string []
    isFallback - Is fallback - false - boolean
    networkInterfaces - Identify a location by available network interface types - false - (nested fields)
        enabled - Use or discard this location identifier - true - boolean
        value - Network interface type - false - enum
    registryKeys - Identify a location by a registry key or value - false - (nested fields)
        key - Registry key path to match. Must start with "HKEY_LOCAL_MACHINE\SOFTWARE\". - true - string
        data - Content of the value to match (may be a string or a 64-bit integer, optional) - false - string
        value - Value name in the registry key path to match (optional) - false - string
    reportingAgents - Number of agents in the location - false - integer
    scope - Scope - false - enum
    scopeId - Scope id - false - string
    scopeName - Scope name - false - string
    serverConnectivity - Identify a location by connectivity to the management server - false - (nested fields)
        enabled - Use or discard this location identifier - true - boolean
        value - Server connectivity status - false - enum
    updatedAt - Updated at - false - string
    updater - Location updater name - false - string
    updaterId - Location updater - false - string
errors - Errors - false - array

Body Schema
Name - Description - Required - Value
data - Data - true - (nested fields)
    name - Location name (should be unique per scope) - true - string
    description - Location description - false - string
    dnsLookup - Identify a location by DNS lookup results - false - (nested fields)
        operator - Logical operator to apply between the set of identifiers - true - enum
        identifiers - A list of DNS lookup identifiers - false - (nested fields)
            host - Hostname to resolve - true - string
            ip - Resolved IP address - true - string
    dnsServers - Identify a location by DNS servers defined on the endpoint - false - (nested fields)
        operator - Logical operator to apply between the set of identifiers - true - enum
        identifiers - A list of identifiers - false - (nested fields)
            type - Address type - true - enum
            values - IP address, CIDR or range of two addresses. May be either IPv4 or IPv6 - false - string []
    ipAddresses - Identify a location by the assigned IP addresses - false - (nested fields)
        operator - Logical operator to apply between the set of identifiers - true - enum
        identifiers - A list of identifiers - false - (nested fields)
            type - Address type - true - enum
            values - IP address, CIDR or range of two addresses. May be either IPv4 or IPv6 - false - string []
    networkInterfaces - Identify a location by available network interface types - false - (nested fields)
        enabled - Use or discard this location identifier - true - boolean
        value - Network interface type - false - enum
    operator - Logical operator to apply between the set of identifiers - false - enum
    registryKeys - Identify a location by a registry key or value - false - (nested fields)
        key - Registry key path to match. Must start with "HKEY_LOCAL_MACHINE\SOFTWARE\". - true - string
        data - Content of the value to match (may be a string or a 64-bit integer, optional) - false - string
        value - Value name in the registry key path to match (optional) - false - string
    serverConnectivity - Identify a location by connectivity to the management server - false - (nested fields)
        enabled - Use or discard this location identifier - true - boolean
        value - Server connectivity status - false - enum

marketplace

Get Applications Catalog


GET /web/api/v2.1/singularity-marketplace/applications-catalog

Get the Marketplace Application Catalog.

Parameters
category__contains optional Free-text filter by catalog application category (supports multiple
values). Example: "Service Pack 1".
description__contains optional Free-text filter by catalog application description (supports multiple
values). Example: "Service Pack 1".
id optional Filter results by application catalog id. Example:
"225494730938493804,225494730938493915".
name__contains optional Free-text filter by catalog application name (supports multiple
values). Example: "Service Pack 1".
query optional Free-text filter by S1 query (supports multiple values). Example:
"Service Pack 1".

Response Messages
200 - Success

400 - Invalid user input received, See error details for further information

401 - Unauthorized access - please sign in and retry

Response Schema
Name - Description - Required - Value
data - Response data - false - (nested fields)
    name - Application's name - true - string
    availablePlugins - Available Plugins for the Application - false - string
    category - Application's category - false - string
    createdAt - Date of Application's installation - false - string
    deletedAt - Deleted Application Date of Deletion - false - string
    description - The description of the Application - false - string
    externalUrl - External URL in case the app type is not openfaas - false - string
    icon - Application's icon - false - string
    id - Application ID - false - string
    installed - True if the application is installed for requested user - false - boolean
    key - The application's unique key - false - string
    oauthUrl - OAuth URL in case the app supports OIDC flows - false - string
    retryPolicy - The number of seconds to retry until in case of app error - false - integer
    summary - Application's summary - false - string
    type - Type of triggered application - false - string
    updatedAt - Date of last update - false - string
    viewPolicy - Policy for whether to show or hide an application in the catalog - false - string
errors - Errors - false - array

Get Installed Applications
GET /web/api/v2.1/singularity-marketplace/applications

Get the installed Marketplace applications for a specified scope.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
application_catalog_id optional A list of catalog applications IDs. Example:
"225494730938493804,225494730938493915".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
creator__contains optional Free-text filter by application creator (supports multiple values).
Example: "Service Pack 1".
cursor optional Cursor position returned by the last request. Should be used for
iterating over more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
disablepagination optional If true, all installed applications for requested scope will be returned
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
id optional A list of applications IDs. Example:
"225494730938493804,225494730938493915".
limit optional Limit number of returned items (1-1000). Example: "10".
name__contains optional Free-text filter by application name (supports multiple values).
Example: "Service Pack 1".
query optional Free-text filter by S1 query (supports multiple values). Example:
"Service Pack 1".
scopes optional Filter results by scope. Example: "global".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). For iterating over more than a
1000 items please use "cursor" instead. Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".

Response Messages
200 - Success

400 - Invalid user input received, See error details for further information

401 - Unauthorized access - please sign in and retry

Response Schema
Name - Description - Required - Value
pagination - Pagination information - true - (nested fields)
    totalItems - Total number of items found matching your query - true - integer
    nextCursor - Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page has been reached) - false - string
data - Response data - false - (nested fields)
    name - Application's name - true - string
    applicationCatalogId - Application Catalog ID - false - string
    hasAlert - True if any installed application has any issues - false - boolean
    icon - Application's icon - false - string
    lastInstalledAt - Last time an Application was installed - false - string
    scopes - Scopes - false - (nested fields)
        desiredStatus - Desired status - true - enum
        status - Status - true - enum
        account - Application's scope account name - false - string
        accountId - Account ID of the scope the application was installed for - false - string
        alertMessage - Application's alert message, in case of an alert - false - string
        createdAt - Date application was installed - false - string
        creator - Application's creator name - false - string
        creatorId - The ID of the user who installed the application - false - string
        group - Application's scope group name - false - string
        groupId - Group ID of the scope the application was installed for - false - string
        hasAlert - True if the application has any issues - false - boolean
        id - Application ID - false - string
        lastEntityCreatedAt - Date of the last entity processed by the application - false - string
        modifier - Application's last modifier name - false - string
        modifierId - The ID of the user who last modified the application - false - string
        retryUntil - In case the application receives errors, the field will be populated with the last date and time the application can retry - false - string
        scopeId - Scope ID of the scope the application was installed for - false - string
        scopeLevel - Scope the application was installed for - false - enum
        site - Application's scope site name - false - string
        siteId - Site ID of the scope the application was installed for - false - string
        updatedAt - Date of last update - false - string
errors - Errors - false - array

Delete Application
DELETE /web/api/v2.1/singularity-marketplace/applications

Delete application integration from your Marketplace.

Response Messages
200 - Delete Application successfully

400 - Invalid user input received, See error details for further information

401 - Unauthorized access - please sign in and retry

Response Schema
Name - Description - Required - Value
data - Response data - false - (nested fields)
    affected - Number of entities affected by the requested operation - false - integer
errors - Errors - false - array

Body Schema
Name - Description - Required - Value
filter - Filter - true - (nested fields)
    accountIds - List of Account IDs to filter by - false - string []
    application_catalog_id - A list of catalog applications IDs - false - string []
    creator__contains - Free-text filter by application creator (supports multiple values) - false - string []
    groupIds - List of Group IDs to filter by - false - string []
    id - A list of applications IDs - false - string []
    name__contains - Free-text filter by application name (supports multiple values) - false - string []
    query - Free-text filter by S1 query (supports multiple values) - false - string []
    scopes - Filter results by scope - false - string []
    siteIds - List of Site IDs to filter by - false - string []

Install Applications
POST /web/api/v2.1/singularity-marketplace/applications

Install application from the Application Catalog.

Response Messages
200 - Installed application successfully

400 - Invalid user input received, See error details for further information

401 - Unauthorized access - please sign in and retry

Response Schema
Name - Description - Required - Value
data - Response data - false - (nested fields)
    affected - Number of entities affected by the requested operation - false - integer
errors - Errors - false - array

Body Schema
Name - Description - Required - Value
data - Data - true - (nested fields)
    configurations - Configurations - false - (nested fields)
        id - Id - false - string
        value - Value - false - string
filter - Filter - true - (nested fields)
    accountIds - List of Account IDs to filter by - false - string []
    applicationCatalogId - Install Application for requested Application Catalog ID - false - string
    groupIds - List of Group IDs to filter by - false - string []
    siteIds - List of Site IDs to filter by - false - string []
    tenant - Indicates a tenant scope request - false - boolean

Update Application Configuration
PUT /web/api/v2.1/singularity-marketplace/applications

Update installed application configuration.

Response Messages
200 - Success

400 - Invalid user input received, See error details for further information

401 - Unauthorized access - please sign in and retry

Response Schema
Name - Description - Required - Value
data - Response data - false - (nested fields)
    affected - Number of entities affected by the requested operation - false - integer
errors - Errors - false - array

Body Schema
Name - Description - Required - Value
data - Data - true - (nested fields)
    configurations - Configurations - false - (nested fields)
        id - Id - false - string
        value - Value - false - string
filter - Filter - true - (nested fields)
    accountIds - List of Account IDs to filter by - false - string []
    groupIds - List of Group IDs to filter by - false - string []
    ids - A list of applications IDs - false - string []
    siteIds - List of Site IDs to filter by - false - string []

Get Configuration Fields
GET /web/api/v2.1/singularity-marketplace/applications-catalog/{application_catalog_id}/config

Get the Catalog Application Configuration Fields.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry

404 - Application Catalog not found

Response Schema
Name - Description - Required - Value
data - Response data - false - (nested fields)
    fields - Fields - false - (nested fields)
        defaultValue - Default value - false - string
        enum - Enum - false - string []
        id - Id - false - string
        label - Label - false - string
        placeHolder - Place holder - false - string
        required - Required - false - boolean
        type - Type - false - string
        value - Value - false - string
errors - Errors - false - array

Get Configuration fields for Catalog Application
GET /web/api/v2.1/singularity-marketplace/applications/{application_id}/config

Returns the configuration schema for a requested Application Catalog.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry

404 - Application not found

Response Schema
Name - Description - Required - Value
data - Response data - false - (nested fields)
    desiredStatus - Desired status - true - enum
    status - Status - true - enum
    account - Application's scope account name - false - string
    accountId - Account ID of the scope the application was installed for - false - string
    alertMessage - Application's alert message, in case of an alert - false - string
    createdAt - Date application was installed - false - string
    creator - Application's creator name - false - string
    creatorId - The ID of the user who installed the application - false - string
    fields - Fields - false - (nested fields)
        defaultValue - Default value - false - string
        enum - Enum - false - string []
        id - Id - false - string
        label - Label - false - string
        placeHolder - Place holder - false - string
        required - Required - false - boolean
        type - Type - false - string
        value - Value - false - string
    group - Application's scope group name - false - string
    groupId - Group ID of the scope the application was installed for - false - string
    hasAlert - True if the application has any issues - false - boolean
    id - Application ID - false - string
    lastEntityCreatedAt - Date of the last entity processed by the application - false - string
    modifier - Application's last modifier name - false - string
    modifierId - The ID of the user who last modified the application - false - string
    retryUntil - In case the application receives errors, the field will be populated with the last date and time the application can retry - false - string
    scopeId - Scope ID of the scope the application was installed for - false - string
    scopeLevel - Scope the application was installed for - false - enum
    site - Application's scope site name - false - string
    siteId - Site ID of the scope the application was installed for - false - string
    updatedAt - Date of last update - false - string
errors - Errors - false - array

Enable or Disable application
POST /web/api/v2.1/singularity-marketplace/applications/{mode}

Use this command to enable or disable application integrations that match the filter.

Response Messages
200 - Updated application mode successfully

400 - Invalid user input received, See error details for further information

401 - Unauthorized access - please sign in and retry

404 - Application not found

Response Schema
Name - Description - Required - Value
data - Response data - false - (nested fields)
    affected - Number of entities affected by the requested operation - false - integer
errors - Errors - false - array

Body Schema
Name - Description - Required - Value
filter - Filter - true - (nested fields)
    accountIds - List of Account IDs to filter by - false - string []
    applicationId - Enable or Disable Application for requested Application by ID - false - string
    groupIds - List of Group IDs to filter by - false - string []
    siteIds - List of Site IDs to filter by - false - string []
    tenant - Indicates a tenant scope request - false - boolean

Mobile Integration

Activations - Resend activation link invitations


PUT /web/api/v2.1/mobile-integration/activation/user-activation/resend-activations

Activations - Resend activation link invitations

Response Messages
200 - Activation links resend

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - You do not have authorization to complete request.

Body Schema
Name - Description - Required - Value
data - Data - false - string []
filter - Filter - false - (nested fields)
    accountIds - List of Account IDs to filter by - false - string []
    groupIds - List of Group IDs to filter by - false - string []
    siteIds - List of Site IDs to filter by - false - string []
    tenant - Indicates a tenant scope request - false - boolean

Activations - Cancel user activation invitations
PUT /web/api/v2.1/mobile-integration/activation/user-activation/cancel-activations

Activations - Cancel user activation invitations

Response Messages
200 - Activation links cancelled

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - You do not have authorization to complete request.

Body Schema
Name - Description - Required - Value
data - Data - false - string []
filter - Filter - false - (nested fields)
    accountIds - List of Account IDs to filter by - false - string []
    groupIds - List of Group IDs to filter by - false - string []
    siteIds - List of Site IDs to filter by - false - string []
    tenant - Indicates a tenant scope request - false - boolean

Activations - Validate bulk user activation upload
POST /web/api/v2.1/mobile-integration/activation/user-activation/validate-import

Check the validity of uploaded CSV file and its content

Response Messages
200 - Validation result

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - You do not have authorization to complete request.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    total The number of rows in the file true integer
    errors Validation errors false array

errors Errors false array

Body Schema
Name Description Required Value
formData false
    Name Description Required Value
    file The input CSV file with user activations true file
    filter The details of the scope where the entities will be imported false string
        For example:
        For Global - '{"tenant":true}'
        For an Account - '{"accountIds": ["225494730938493804"]}'
        For a Site - '{"siteIds": ["225494730938493804"]}'
        For a Group - '{"groupIds": ["225494730938493804"]}'

Activations - Bulk user activation import
POST /web/api/v2.1/mobile-integration/activation/user-activation/import

Import user activations from uploaded CSV file

Response Messages
200 - Import completed

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - You do not have authorization to complete request.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    total The number of rows in the file true integer
    errors Validation errors false array

errors Errors false array

Body Schema
Name Description Required Value
formData false
    Name Description Required Value
    file The input CSV file with user activations true file
    filter The details of the scope where the entities will be imported false string
        For example:
        For Global - '{"tenant":true}'
        For an Account - '{"accountIds": ["225494730938493804"]}'
        For a Site - '{"siteIds": ["225494730938493804"]}'
        For a Group - '{"groupIds": ["225494730938493804"]}'
    mgmtGroupId Group identifier of a group where new devices will be activated false string
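
The validate-then-import sequence that the two bulk endpoints above allow, as an added Python example that is not part of the SentinelOne documentation: it builds the `filter` field in the four forms shown and calls `import` only when `validate-import` reports no errors. The `post_form` transport, the shape of the items in `errors` and the sample CSV bytes are assumptions; the CSV column layout is not given in this section.

```python
import json

BASE = "/web/api/v2.1/mobile-integration/activation/user-activation"
VALIDATE_PATH = BASE + "/validate-import"
IMPORT_PATH = BASE + "/import"

# Scope level -> key used inside the JSON-encoded "filter" form field.
SCOPE_KEYS = {"account": "accountIds", "site": "siteIds", "group": "groupIds"}


def scope_filter(level, ids=()):
    """Return the "filter" form field as a JSON string for one scope level."""
    if level == "global":
        if ids:
            raise ValueError("global scope takes no IDs")
        return json.dumps({"tenant": True}, separators=(",", ":"))
    if level not in SCOPE_KEYS:
        raise ValueError("unknown scope level: %r" % (level,))
    ids = [str(i) for i in ids]
    # Assumption: IDs are decimal strings, as in the documented examples.
    if not ids or not all(i.isascii() and i.isdigit() for i in ids):
        raise ValueError("scope IDs must be non-empty decimal strings")
    return json.dumps({SCOPE_KEYS[level]: ids}, separators=(",", ":"))


def _problems(resp):
    """Collect top-level errors and data.errors from a response body."""
    data = resp.get("data") or {}
    return list(resp.get("errors") or []) + list(data.get("errors") or [])


def guarded_import(post_form, csv_bytes, filter_str, mgmt_group_id=None):
    """Validate the CSV first; import only if validation is clean.

    post_form(path, fields, file_bytes) is a hypothetical transport that
    sends a multipart form and returns the parsed JSON response.
    """
    check = post_form(VALIDATE_PATH, {"filter": filter_str}, csv_bytes)
    total = (check.get("data") or {}).get("total", 0)
    problems = _problems(check)
    if problems or total == 0:
        return {"imported": False, "total": total, "errors": problems}
    fields = {"filter": filter_str}
    if mgmt_group_id is not None:
        # mgmtGroupId is only part of the import form, not of validate-import.
        fields["mgmtGroupId"] = str(mgmt_group_id)
    result = post_form(IMPORT_PATH, fields, csv_bytes)
    problems = _problems(result)
    return {"imported": not problems,
            "total": (result.get("data") or {}).get("total", 0),
            "errors": problems}


# Constructed placeholder rows; the real column layout is not documented here.
SAMPLE_CSV = b"placeholder-row-1\nplaceholder-row-2\n"


def make_sample_transport(bad_rows):
    """Constructed stand-in for the console that rejects the given rows."""
    calls = []

    def post_form(path, fields, file_bytes):
        calls.append((path, dict(fields)))
        rows = [r for r in file_bytes.decode().splitlines() if r.strip()]
        errors = ["row %d rejected" % n for n in bad_rows]
        return {"data": {"total": len(rows), "errors": errors}, "errors": []}

    return post_form, calls


if __name__ == "__main__":
    post, _ = make_sample_transport([2])
    print(guarded_import(post, SAMPLE_CSV, scope_filter("global")))
```
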

Provision - Check if tenant can be provisioned
GET /web/api/v2.1/mobile-integration/provisioning/can-provision-tenant

Checks if tenant can be provisioned by scope

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
tenant optional Indicates a tenant scope request

Response Messages
200 - Tenant retrieved

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    canProvision Can provision tenant true boolean
    affectingScopes Affectingscopes false
        Name Description Required Value
        id Scope ID true string
        level Scope level true string
    msspScope Is MSSP scope false boolean
    reason Reason for not being able to provision tenant false string
    reasonCode Reason code for not being able to provision tenant false string
    underMSSPScope Is under MSSP scope false boolean

errors Errors false array

Provision - Persist MSSP partner key
POST /web/api/v2.1/mobile-integration/provisioning/partner-key

Persists MSSP partner key - client ID and secret - for future customer provisioning.

Response Messages
201 - Partner key persisted successfully.

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - You do not have authorization to complete request.

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    clientId Partner client ID true string
    secret Partner secret true string
filter Filter false
    Name Description Required Value
    accountIds List of Account IDs to filter by false string []
    groupIds List of Group IDs to filter by false string []
    siteIds List of Site IDs to filter by false string []
    tenant Indicates a tenant scope request false boolean

Provision - Update MSSP partner key
PUT /web/api/v2.1/mobile-integration/provisioning/partner-key

Updates MSSP partner key - client ID and secret - for future customer provisioning.

Response Messages
201 - Partner key updated successfully.

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - You do not have authorization to complete request.

404 - Partner key not found.

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    clientId Partner client ID true string
    secret Partner secret true string
filter Filter false
    Name Description Required Value
    accountIds List of Account IDs to filter by false string []
    groupIds List of Group IDs to filter by false string []
    siteIds List of Site IDs to filter by false string []
    tenant Indicates a tenant scope request false boolean

Provision - Get MSSP partner key
GET /web/api/v2.1/mobile-integration/provisioning/partner-key

Gets MSSP partner key by scope

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
tenant optional Indicates a tenant scope request

Response Messages
200 - Partner key retrieved successfully.

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    clientId Partner client ID true string

errors Errors false array

Provision - Provision tenant with admin user
POST /web/api/v2.1/mobile-integration/provisioning/tenant

Provision a new tenant and create an admin user for the tenant account

Response Messages
201 - Tenant provisioned and admin user created

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - You do not have authorization to complete request.

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    adminEmail User's email address true string
    adminFirstName User's first name true string
    adminLastName User's last name true string
    adminNotificationEmail Notification email for sending details false string
filter Filter false
    Name Description Required Value
    accountIds List of Account IDs to filter by false string []
    groupIds List of Group IDs to filter by false string []
    siteIds List of Site IDs to filter by false string []
    tenant Indicates a tenant scope request false boolean

Provision - Get tenant with users
GET /web/api/v2.1/mobile-integration/provisioning/tenant

Gets tenant with users by scope

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
tenant optional Indicates a tenant scope request

Response Messages
200 - Tenant retrieved

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    id Tenant ID true string
    name Tenant name true string
    adminUser Tenant admin user false
        Name Description Required Value
        created User's creation date true string
        email User's email address true string
        firstName User's first name true string
        id User ID true string
        lastName User's last name true string
        role User's role true
            Name Description Required Value
            id Role ID true string
            name Role name true string
        notificationEmail Notification email for sending details false string
    users Tenant users false
        Name Description Required Value
        created User's creation date true string
        email User's email address true string
        firstName User's first name true string
        id User ID true string
        lastName User's last name true string
        role User's role true
            Name Description Required Value
            id Role ID true string
            name Role name true string
        notificationEmail Notification email for sending details false string

errors Errors false array

Management - Create interim connector connection
POST /web/api/v2.1/mobile-integration/management/create-interim-connection

Management - Create interim connector connection.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    connectionId Connectionid true string

errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    MicrosoftEndpointManagerConnector Microsoftendpointmanagerconnector false
        Name Description Required Value
        auth Auth true
            Name Description Required Value
            oauth Oauth false
                Name De
                cloud Clo
                tenantId Te
        baseUrl Baseurl true string
        backgroundSync Enable background syncing false boolean
        maskUserInformation Enable masking user information false boolean
        mode Supported mode false enum
    MobileIronCloudConnector Mobileironcloudconnector false
        Name Description Required Value
        auth Auth true
            Name Description Required Value
            basic Basic true
                Name De
                password Pa
                userId Us
        baseUrl Baseurl true string
    MobileIronCoreConnector Mobileironcoreconnector false
        Name Description Required Value
        auth Auth true
            Name Description Required Value
            basic Basic true
                Name De
                password Pa
                userId Us
        baseUrl Baseurl true string
    WorkspaceOneConnector Workspaceoneconnector false
        Name Description Required Value
        auth Auth true
            Name Description Required Value
            basic Basic false
                Name De
                apiKey Ap
                password Pa
                userId Us
            certificate Certificate false
                Name De
                apiKey Ap
                certificate Ce
                passphrase Pa
        baseUrl Baseurl true string
filter Filter true
    Name Description Required Value
    accountIds List of Account IDs to filter by false string []
    groupIds List of Group IDs to filter by false string []
    siteIds List of Site IDs to filter by false string []
    tenant Indicates a tenant scope request false boolean

Management - Checks if connection can be created on current scope.
GET /web/api/v2.1/mobile-integration/management/can-create-connection

Management - Checks if connection can be created on current scope.

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    canCreateConnection Cancreateconnection true boolean
    reason Reason true string
    affectingScopes Affectingscopes false
        Name Description Required Value
        scopeId true string
        scopeLevel true string

errors Errors false array

Management - Create connector connection
POST /web/api/v2.1/mobile-integration/management/create-connection

Management - Create connector connection.

Response Messages
201 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    connector Connector true
        Name Description Required Value
        MicrosoftEndpointManagerConnector Microsoftendpointmanagerconnector false
            Name Description Required Value
            auth Auth true
                Name De
                oauth Oa
            baseUrl Baseurl true string
            backgroundSync Enable background syncing false boolean
            maskUserInformation Enable masking user information false boolean
            mode Supported mode false enum
        MobileIronCloudConnector Mobileironcloudconnector false
            Name Description Required Value
            auth Auth true
                Name De
                basic Ba
            baseUrl Baseurl true string
        MobileIronCoreConnector Mobileironcoreconnector false
            Name Description Required Value
            auth Auth true
                Name De
                basic Ba
            baseUrl Baseurl true string
        WorkspaceOneConnector Workspaceoneconnector false
            Name Description Required Value
            auth Auth true
                Name De
                basic Ba
                certificate Ce
            baseUrl Baseurl true string
    name Name true string
    connectionId Connectionid false string
    defaultS1GroupId Defaults1groupid false string
    deviceGroupMappings Devicegroupmappings false
        Name Description Required Value
        mdmGroupId true string
        s1GroupId true string
    responseGroupIds Responsegroupids false string []
filter Filter true
    Name Description Required Value
    accountIds List of Account IDs to filter by false string []
    groupIds List of Group IDs to filter by false string []
    siteIds List of Site IDs to filter by false string []
    tenant Indicates a tenant scope request false boolean

Activations - Create User Activation
POST /web/api/v2.1/mobile-integration/activation/user-activation

Generate bulk of end user links for device registration

Response Messages
201 - Bulk of user activation links created

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - You do not have authorization to complete request.

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    mgmtGroupId Group identifier of a group where new devices will be activated true string
    details Details false
        Name Description Required Value
        email This is the email for the new user and the new user uses it to log into the console. true string
        firstName This is the first name that you want for the new user true string
        lastName This is the last name that you want for the new user true string
        activationLimit This is the count of how many activations are allowed false integer
filter Filter false
    Name Description Required Value
    accountIds List of Account IDs to filter by false string []
    groupIds List of Group IDs to filter by false string []
    siteIds List of Site IDs to filter by false string []
    tenant Indicates a tenant scope request false boolean

Activations - Get list of user activations
GET /web/api/v2.1/mobile-integration/activation/user-activation

Activations - Get list of user activations

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
countonly optional If true, only total number of items will be returned, without any of the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
limit optional Limit number of returned items (1-1000). Example: "10".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
status__in optional Include user activations only with given status. Example: "created".
tenant optional Indicates a tenant scope request

Response Messages
200 - Paged list of user activations

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - You do not have authorization to complete request.

Response Schema
Name Description Required Value
pagination Pagination information true
    Name Description Required Value
    totalItems Total number of items found matching your query true integer
    nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string

data Response data false
    Name Description Required Value
    activationCount Counter of devices registered through the group activation link true integer
    activationLimit This is the number of activations available with this group activation link. true integer
    createdAt User invite creation date true string
    createdBy Username, who sent the invitation true string
    email User email true string
    id User activation identifier true string
    name User name true string
    mgmtGroupName Name of the group, where a new device is registered false string
    scope Scope hierarchy, where the user activation is assigned false
        Name Description Required Value
        accountName Accountname false string
        groupName Groupname false string
        siteName Sitename false string

errors Errors false array

Management - Test connector connection. Deprecated, use create-interim-connection + device-groups instead.
POST /web/api/v2.1/mobile-integration/management/test-connection

Management - Test connector connection. Deprecated, use create-interim-connection + device-groups instead.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    managedGroups Managedgroups false
        Name Description Required Value
        id true string
        name true string

errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    MicrosoftEndpointManagerConnector Microsoftendpointmanagerconnector false
        Name Description Required Value
        auth Auth true
            Name Description Required Value
            oauth Oauth false
                Name De
                cloud Clo
                tenantId Te
        baseUrl Baseurl true string
        backgroundSync Enable background syncing false boolean
        maskUserInformation Enable masking user information false boolean
        mode Supported mode false enum
    MobileIronCloudConnector Mobileironcloudconnector false
        Name Description Required Value
        auth Auth true
            Name Description Required Value
            basic Basic true
                Name De
                password Pa
                userId Us
        baseUrl Baseurl true string
    MobileIronCoreConnector Mobileironcoreconnector false
        Name Description Required Value
        auth Auth true
            Name Description Required Value
            basic Basic true
                Name De
                password Pa
                userId Us
        baseUrl Baseurl true string
    WorkspaceOneConnector Workspaceoneconnector false
        Name Description Required Value
        auth Auth true
            Name Description Required Value
            basic Basic false
                Name De
                apiKey Ap
                password Pa
                userId Us
            certificate Certificate false
                Name De
                apiKey Ap
                certificate Ce
                passphrase Pa
        baseUrl Baseurl true string
filter Filter true
    Name Description Required Value
    accountIds List of Account IDs to filter by false string []
    groupIds List of Group IDs to filter by false string []
    siteIds List of Site IDs to filter by false string []
    tenant Indicates a tenant scope request false boolean

Management - Get list of connections for specific scope
GET /web/api/v2.1/mobile-integration/management/connections

Management - Get list of connections for specific scope

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    connectionId Connectionid true string
    connector Connector true
        Name Description Required Value
        MicrosoftEndpointManagerConnector Microsoftendpointmanagerconnector false
            Name Description Required Value
            auth Auth true
                Name De
                oauth Oa
            baseUrl Baseurl true string
            backgroundSync Enable background syncing false boolean
            maskUserInformation Enable masking user information false boolean
            mode Supported mode false enum
        MobileIronCloudConnector Mobileironcloudconnector false
            Name Description Required Value
            auth Auth true
                Name De
                basic Ba
            baseUrl Baseurl true string
        MobileIronCoreConnector Mobileironcoreconnector false
            Name Description Required Value
            auth Auth true
                Name De
                basic Ba
            baseUrl Baseurl true string
        WorkspaceOneConnector Workspaceoneconnector false
            Name Description Required Value
            auth Auth true
                Name De
                basic Ba
                certificate Ce
            baseUrl Baseurl true string
    name Name true string
    scopeId Scopeid true string
    scopeLevel Scopelevel true string
    defaultS1GroupId Defaults1groupid false string
    details Details false
        Name Description Required Value
        lastSyncOn When the connection sync happened last time true string
        syncStatus Connection sync status true enum
        syncErrorMessage Syncerrormessage false string
    deviceGroupMappings Devicegroupmappings false
        Name Description Required Value
        mdmGroupId true string
        s1GroupId true string
    responseGroupIds Responsegroupids false string []

errors Errors false array

Connectors - Get list of Connectors and their abilities
GET /web/api/v2.1/mobile-integration/management/connectors

Connectors - Get list of Connectors and their abilities

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    id Id true string
    logo Logo true string
    azureApps Azureapps false
        Name Description Required Value
        clientId true string
        id true string
        requestUri true string
    supportedModes Supportedmodes false string []

errors Errors false array

Management - Get app configuration
GET /web/api/v2.1/mobile-integration/management/app-config

Management - Get app configuration

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Credentials not found for scope

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    defaultChannel Defaultchannel true string
    tenantId Tenantid true string

errors Errors false array

Activations - Generates a global link for anonymous device registration
POST /web/api/v2.1/mobile-integration/activation/anonymous

Activations - Generates a global link for anonymous device registration

Response Messages
201 - Link for anonymous activation was generated and can be shared

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - You do not have authorization to complete request.

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    activationLimit This is the number of activations available with this group activation link. true integer
    description This is the description for the group activation false string
    expiryDays This is the link expiration days false integer
    mgmtGroupId Group identifier of a group where new devices will be activated false string
    name This is the name that you want for the group activation. This has to be unique. false string
filter Filter false
    Name Description Required Value
    accountIds List of Account IDs to filter by false string []
    groupIds List of Group IDs to filter by false string []
    siteIds List of Site IDs to filter by false string []
    tenant Indicates a tenant scope request false boolean

Activations - Return anonymous activation in the scope
GET /web/api/v2.1/mobile-integration/activation/anonymous

Activations - Return anonymous activation in the scope

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
countonly optional If true, only total number of items will be returned, without any of the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
limit optional Limit number of returned items (1-1000). Example: "10".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
tenant optional Indicates a tenant scope request

Response Messages
200 - Active links for anonymous activation in the scope

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
    Name Description Required Value
    totalItems Total number of items found matching your query true integer
    nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string

data Response data false
    Name Description Required Value
    activationCount Counter of devices registered through the group activation link true integer
    activationLimit This is the number of activations available with this group activation link. true integer
    activationLink Anonymous group link to register devices true string
    createdAt Request timestamp true string
    id Anonymous activation identifier true string
    createdBy Identifier of the user, who created the anonymous activation false string
    linkExpiry This is the link expiration date false string
    mgmtGroupName Name of the group, where a new device is registered false string
    scope Scope hierarchy, where the anonymous activation is assigned false
        Name Description Required Value
        accountName Accountname false string
        groupName Groupname false string
        siteName Sitename false string

errors Errors false array
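
An audit of the anonymous activation links this endpoint returns, as an added Python example that is not part of the SentinelOne documentation: it follows `nextCursor` until the last page and flags links with no `linkExpiry`, a large `activationLimit`, or an exhausted limit. The `Authorization: ApiToken` header, the threshold of 100, and the sample pages with their timestamp format are assumptions.

```python
import json
import urllib.parse
import urllib.request

ANON_PATH = "/web/api/v2.1/mobile-integration/activation/anonymous"


def make_fetch(base_url, api_token):
    """Return fetch(path, params) -> parsed JSON, backed by urllib.

    Assumption: the console accepts "Authorization: ApiToken <token>";
    authentication is not described in this section.
    """
    def fetch(path, params):
        url = base_url.rstrip("/") + path + "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(
            url, headers={"Authorization": "ApiToken " + api_token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def iter_items(fetch, path, scope_params, limit=1000, max_pages=10000):
    """Yield every item of a paged listing by following pagination.nextCursor."""
    params = dict(scope_params, limit=limit)
    seen = set()
    for _ in range(max_pages):
        page = fetch(path, params)
        if page.get("errors"):
            raise RuntimeError("API returned errors: %r" % (page["errors"],))
        for item in page.get("data") or []:
            yield item
        cursor = (page.get("pagination") or {}).get("nextCursor")
        # The schema says the cursor is "null" on the last page; accept JSON
        # null, the literal string and an empty value.
        if cursor in (None, "", "null"):
            return
        if cursor in seen:
            raise RuntimeError("nextCursor repeated; stopping to avoid a loop")
        seen.add(cursor)
        params = dict(scope_params, limit=limit, cursor=cursor)
    raise RuntimeError("more than %d pages; aborting" % max_pages)


def audit_links(items, max_limit=100):
    """Return findings for links that are open-ended, oversized or used up.

    The activationLink value is left out of the findings on purpose, since
    anyone holding it can register a device.
    """
    findings = []
    for link in items:
        reasons = []
        limit = link.get("activationLimit") or 0
        count = link.get("activationCount") or 0
        if not link.get("linkExpiry"):
            reasons.append("no linkExpiry")
        if limit > max_limit:
            reasons.append("activationLimit %d > %d" % (limit, max_limit))
        if limit and count >= limit:
            reasons.append("limit exhausted (%d/%d)" % (count, limit))
        if reasons:
            findings.append({"id": link.get("id"),
                             "createdBy": link.get("createdBy"),
                             "reasons": reasons})
    return findings


# Constructed sample pages (not real console output), keyed by request cursor.
SAMPLE_PAGES = {
    None: {
        "pagination": {"totalItems": 3, "nextCursor": "Y29uc3RydWN0ZWQ="},
        "data": [
            {"id": "1001", "activationCount": 2, "activationLimit": 10,
             "activationLink": "https://console.example.invalid/a/1001",
             "createdAt": "2024-01-01T00:00:00Z", "createdBy": "4001",
             "linkExpiry": "2024-02-01T00:00:00Z"},
            {"id": "1002", "activationCount": 40, "activationLimit": 5000,
             "activationLink": "https://console.example.invalid/a/1002",
             "createdAt": "2024-01-02T00:00:00Z", "createdBy": "4002"},
        ],
    },
    "Y29uc3RydWN0ZWQ=": {
        "pagination": {"totalItems": 3, "nextCursor": None},
        "data": [
            {"id": "1003", "activationCount": 5, "activationLimit": 5,
             "activationLink": "https://console.example.invalid/a/1003",
             "createdAt": "2024-01-03T00:00:00Z", "createdBy": "4001",
             "linkExpiry": "2024-02-03T00:00:00Z"},
        ],
    },
}


def sample_fetch(path, params):
    """Constructed stand-in for make_fetch() that serves SAMPLE_PAGES."""
    return SAMPLE_PAGES[params.get("cursor")]


if __name__ == "__main__":
    for finding in audit_links(iter_items(sample_fetch, ANON_PATH, {"tenant": "true"})):
        print(finding)
```
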

Incidents - Update analyst verdict
POST /web/api/v2.1/mobile-integration/incidents/analyst-verdict

Incidents - Update analyst verdict

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    affected Affected true integer

errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    analystVerdict Analystverdict true string
filter Filter true
    Name Description Required Value
    accountIds List of Account IDs to filter by false string []
    groupIds List of Group IDs to filter by false string []
    ids Ids false integer []
    siteIds List of Site IDs to filter by false string []
    tenant Indicates a tenant scope request false boolean

Incidents - Update incident status
POST /web/api/v2.1/mobile-integration/incidents/incident-status

Incidents - Update incident status

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    affected Affected true integer

errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    incidentStatus Incidentstatus true string
filter Filter true
    Name Description Required Value
    accountIds List of Account IDs to filter by false string []
    groupIds List of Group IDs to filter by false string []
    ids Ids false integer []
    siteIds List of Site IDs to filter by false string []
    tenant Indicates a tenant scope request false boolean

Policy - Get global mobile policy
GET /web/api/v2.1/mobile-integration/tenant/policy

Policy - Get global mobile policy

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

404 - Policy not found

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    alertOnDeviceAlert Alertondevicealert true string
    alerts Alerts true string
    default Default true boolean
    engines Engines true
        Name Description Required Value
        appBehavioralAi Appbehavioralai true string
        appStaticAi Appstaticai true string
        networkAnalysis Networkanalysis true string
        phishingScanner Phishingscanner true string
        systemBehavioralAi Systembehavioralai true string
        systemStaticAi Systemstaticai true string
        vulnerabilityScanner Vulnerabilityscanner true string
    responseActions Responseactions true string
    threatOnDeviceAlert Threatondevicealert true string
    threatPhishingPrevention Threatphishingprevention true string
    threats Threats true string
    updatedAt Updatedat true string
    alertResponseGroupId Alertresponsegroupid false string
    connectionId Connectionid false string
    connectionScopeId Connectionscopeid false string
    connectionScopeLevel Connectionscopelevel false string
    inheritedFrom Inheritedfrom false string
    threatResponseGroupId Threatresponsegroupid false string
    updatedBy Updatedby false string
    userFullName Userfullname false string

errors Errors false array

Policy - Update global mobile policy
PUT /web/api/v2.1/mobile-integration/tenant/policy

Policy - Update global mobile policy

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Policy not found

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    alertOnDeviceAlert Alertondevicealert true string
    alerts Alerts true string
    default Default true boolean
    engines Engines true
        Name Description Required Value
        appBehavioralAi Appbehavioralai true string
        appStaticAi Appstaticai true string
        networkAnalysis Networkanalysis true string
        phishingScanner Phishingscanner true string
        systemBehavioralAi Systembehavioralai true string
        systemStaticAi Systemstaticai true string
        vulnerabilityScanner Vulnerabilityscanner true string
    responseActions Responseactions true string
    threatOnDeviceAlert Threatondevicealert true string
    threatPhishingPrevention Threatphishingprevention true string
    threats Threats true string
    updatedAt Updatedat true string
    alertResponseGroupId Alertresponsegroupid false string
    connectionId Connectionid false string
    connectionScopeId Connectionscopeid false string
    connectionScopeLevel Connectionscopelevel false string
    inheritedFrom Inheritedfrom false string
    threatResponseGroupId Threatresponsegroupid false string
    updatedBy Updatedby false string
    userFullName Userfullname false string

errors Errors false array

Body Schema
Name Description Required Value
data Data true (nested fields below)
  alertOnDeviceAlert Alertondevicealert true string
  alerts Alerts true string
  engines Engines true (nested fields below)
    appBehavioralAi Appbehavioralai true string
    appStaticAi Appstaticai true string
    networkAnalysis Networkanalysis true string
    phishingScanner Phishingscanner true string
    systemBehavioralAi Systembehavioralai true string
    systemStaticAi Systemstaticai true string
    vulnerabilityScanner Vulnerabilityscanner true string
  threatOnDeviceAlert Threatondevicealert true string
  threatPhishingPrevention Threatphishingprevention true string
  threats Threats true string
  alertResponseGroupId Alertresponsegroupid false string
  threatResponseGroupId Threatresponsegroupid false string
filter Filter false (nested fields below)
  accountIds List of Account IDs to filter by false string []
  groupIds List of Group IDs to filter by false string []
  siteIds List of Site IDs to filter by false string []
  tenant Indicates a tenant scope request false boolean

Policy - Delete global mobile policy
DELETE /web/api/v2.1/mobile-integration/tenant/policy

Policy - Delete global mobile policy

Response Messages
204 - Success

401 - Unauthorized access - please sign in and retry.

404 - Policy not found

Incidents - Get list of incidents


GET /web/api/v2.1/mobile-integration/incidents

Incidents - Get list of incidents

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
analystverdict__in optional Include incident only of given analyst verdicts. Example: "true_positive".
countonly optional If true, only total number of items will be returned, without any of the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
deviceid__contains optional Include incidents by device IDs that contain text
deviceid__in optional Include incidents only of given device ids. Example: "a,b,c,-,1,2,3,-,4,5,6".
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
incidentstatus__in optional Include incident only of given incident statuses. Example: "unresolved".
kind__in optional Include incidents only of given kinds. Example: "t,h,r,e,a,t".
limit optional Limit number of returned items (1-1000). Example: "10".
severity__in optional Include incident only of given severities. Example: "low".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
status__in optional Include incident only of given statuses. Example: "not_mitigated".
statusaction__in optional Include incident only of given status actions. Example: "conditional_access".
tenant optional Indicates a tenant scope request
user__contains optional Include incidents by user email that contain text

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true (nested fields below)
  totalItems Total number of items found matching your query true integer
  nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false (nested fields below)
  accountId A reference to the containing account true string
  accountName Name of the containing account true string
  analystVerdict Analystverdict true string
  description Description true string
  details Details true (nested fields below)
    applicationDeveloper Applicationdeveloper true string
    applicationName Applicationname true string
    applicationPackage Applicationpackage true string
    deviceTime Devicetime true string
    fileHash Filehash true string
    fileName Filename true string
    installerSource Installersource true string
    malwareThreatName Malwarethreatname true string
    networkInterface Networkinterface true string
    processName Processname true string
    routerBSSID Routerbssid true string
    routerSSID Routerssid true string
    suspectedUrl Suspectedurl true string
  detectionEngine Detectionengine true string
  detectionType Detectiontype true string
  deviceId Deviceid true string
  groupId A reference to the containing network group true string
  groupName Name of the containing network group true string
  id Id true integer
  incidentStatus Incidentstatus true string
  investigation Investigation true string
  kind Kind true string
  osType Ostype true string
  osVersion Osversion true string
  remediationStep Remediationstep true string
  reportedTime Reportedtime true string
  severity Severity true string
  siteId A reference to the containing site true string
  siteName Name of the containing site true string
  status Status true string
  statusAction Statusaction true string
  trackingId1 Trackingid1 true string
  trackingId2 Trackingid2 true string
  type Type true string
  userEmail Useremail true string
  userNotified Usernotified true boolean
  detail Detail false string
  network Network false string
  notes Notes false (nested fields below)
    author true string
    authorId true string
    createdAt true string
    edited true boolean
    id true integer
    text true string
    updatedAt true string
errors Errors false array
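
The cursor iteration described by the `cursor` parameter and `pagination.nextCursor` above, as an added example that is not part of the SentinelOne documentation. It walks every page of the incidents list and counts open incidents per device. The names `fetch_page`, `iter_incidents`, `open_incidents_per_device` and `make_fake_fetch` are hypothetical, the sample pages are constructed, and the caller is assumed to supply the authenticated HTTP GET.

```python
from collections import Counter

INCIDENTS_PATH = "/web/api/v2.1/mobile-integration/incidents"
MAX_LIMIT = 1000  # the documented range for "limit" is 1-1000


def iter_incidents(fetch_page, limit=MAX_LIMIT, **filters):
    """Yield every incident matching `filters`, following pagination.nextCursor.

    fetch_page(path, params) is a caller-supplied function (hypothetical name)
    that performs the authenticated GET and returns the decoded JSON body.
    """
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be between 1 and 1000")
    cursor, used = None, set()
    while True:
        params = dict(filters, limit=limit)
        if cursor is not None:
            params["cursor"] = cursor
        body = fetch_page(INCIDENTS_PATH, params)
        if body.get("errors"):
            raise RuntimeError(f"API returned errors: {body['errors']}")
        yield from body.get("data") or []
        cursor = (body.get("pagination") or {}).get("nextCursor")
        # nextCursor is null on the last page; accept the literal string too.
        if cursor in (None, "", "null"):
            return
        if cursor in used:  # a repeated cursor would never terminate
            raise RuntimeError("server repeated a cursor that was already used")
        used.add(cursor)


def open_incidents_per_device(fetch_page, limit=MAX_LIMIT):
    """Count unresolved, not-mitigated incidents per deviceId."""
    counts = Counter()
    for incident in iter_incidents(
        fetch_page,
        limit=limit,
        incidentstatus__in="unresolved",  # example value from the parameter list
        status__in="not_mitigated",       # example value from the parameter list
    ):
        counts[incident["deviceId"]] += 1
    return dict(counts)


# Constructed sample pages (not real data), keyed by the cursor that requests them.
SAMPLE_PAGES = {
    None: {
        "pagination": {"totalItems": 5, "nextCursor": "cursor-page-2"},
        "data": [{"id": 1, "deviceId": "dev-a", "severity": "low"},
                 {"id": 2, "deviceId": "dev-b", "severity": "low"}],
    },
    "cursor-page-2": {
        "pagination": {"totalItems": 5, "nextCursor": "cursor-page-3"},
        "data": [{"id": 3, "deviceId": "dev-a", "severity": "low"},
                 {"id": 4, "deviceId": "dev-a", "severity": "low"}],
    },
    "cursor-page-3": {
        "pagination": {"totalItems": 5, "nextCursor": None},
        "data": [{"id": 5, "deviceId": "dev-b", "severity": "low"}],
    },
}


def make_fake_fetch(pages, calls):
    """Offline stand-in for the HTTP call; records each (path, params) pair."""
    def fetch(path, params):
        calls.append((path, dict(params)))
        return pages[params.get("cursor")]
    return fetch


if __name__ == "__main__":
    recorded = []
    print(open_incidents_per_device(make_fake_fetch(SAMPLE_PAGES, recorded), limit=2))
    print(len(recorded), "requests issued")
```

The same loop applies to the other list endpoints that return a `pagination` object, with the path and filters swapped.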

Devices - Get list of devices for specific scope
GET /web/api/v2.1/mobile-integration/devices

Devices - Get list of devices for specific scope

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
appversion__in optional Include devices with given app versions. Example: "2.5.1.1320".
countonly optional If true, only total number of items will be returned, without any of the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
deviceid__contains optional Include devices by device IDs that contain text
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
healthstate__in optional Include devices only with given health state. Example: "normal".
limit optional Limit number of returned items (1-1000). Example: "10".
model__contains optional Include devices by models that contain text
osversion__contains optional Include devices by os version that contain text
platform__in optional Include devices only of given platforms. Example: "android".
privileges__in optional Include devices only with given privileges. Example: "none".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
tenant optional Indicates a tenant scope request
trackingid1__contains optional Include devices by external tracking IDs that contain text
trackingid2__contains optional Include devices by another external tracking IDs that contain text
user__contains optional Include devices by users that contain text

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true (nested fields below)
  totalItems Total number of items found matching your query true integer
  nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false (nested fields below)
  accountId A reference to the containing account true string
  accountName Name of the containing account true string
  alertCounts Alertcounts true (nested fields below)
    adminResolvedCount How many threats are resolved by admin true integer
    conditionalAccessCount How many threats are in conditional access true integer
    mitigatedCount How many threats are mitigated true integer
    notMitigatedCount How many threats are not mitigated true integer
  deviceId MDM device ID true string
  groupId A reference to the containing network group true string
  groupName Name of the containing network group true string
  id Id true integer
  registrationSource MDM name or initiator in case of activations true string
  registrationType Registration type true enum
  siteId A reference to the containing site true string
  siteName Name of the containing site true string
  threatCounts Threatcounts true (nested fields below)
    adminResolvedCount How many threats are resolved by admin true integer
    conditionalAccessCount How many threats are in conditional access true integer
    mitigatedCount How many threats are mitigated true integer
    notMitigatedCount How many threats are not mitigated true integer
  appState ZipApp state false enum
  appVersion Version of the ZippApp false string
  debugMode Debugmode false boolean
  developerMode Developermode false boolean
  encrypted Encrypted false boolean
  healthState Highest health state of the device false enum
  lastActiveOn When we received last heartbeat false string
  managedState UEM state of the device false enum
  model Device manufacturer and model false string
  osVersion Device os version false string
  owner User email false string
  platform Device platform false enum
  policyUpdatedAt When the corresponding policy was updated false string
  privileges Either rooted or jailbroken for devices with privileges. Otherwise none false enum
  protected Protected false boolean
  registeredOn When the ZippApp registered false string
  registrationDate When the activation for this device was created false string
  screenLocked Screenlocked false boolean
  stagefreightVulnerable Stagefreightvulnerable false boolean
  trackingId1 External tracking ID of device false string
  trackingId2 Another external tracking ID of device false string
  unofficialAppstore Unofficialappstore false boolean
errors Errors false array

Policy - Create mobile policy
POST /web/api/v2.1/mobile-integration/policy

Policy - Create mobile policy

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Policy not found

Response Schema
Name Description Required Value
data Response data false (nested fields below)
  alertOnDeviceAlert Alertondevicealert true string
  alerts Alerts true string
  default Default true boolean
  engines Engines true (nested fields below)
    appBehavioralAi Appbehavioralai true string
    appStaticAi Appstaticai true string
    networkAnalysis Networkanalysis true string
    phishingScanner Phishingscanner true string
    systemBehavioralAi Systembehavioralai true string
    systemStaticAi Systemstaticai true string
    vulnerabilityScanner Vulnerabilityscanner true string
  responseActions Responseactions true string
  threatOnDeviceAlert Threatondevicealert true string
  threatPhishingPrevention Threatphishingprevention true string
  threats Threats true string
  updatedAt Updatedat true string
  alertResponseGroupId Alertresponsegroupid false string
  connectionId Connectionid false string
  connectionScopeId Connectionscopeid false string
  connectionScopeLevel Connectionscopelevel false string
  inheritedFrom Inheritedfrom false string
  threatResponseGroupId Threatresponsegroupid false string
  updatedBy Updatedby false string
  userFullName Userfullname false string
errors Errors false array

Body Schema
Name Description Required Value
data Data true (nested fields below)
  alertOnDeviceAlert Alertondevicealert true string
  alerts Alerts true string
  engines Engines true (nested fields below)
    appBehavioralAi Appbehavioralai true string
    appStaticAi Appstaticai true string
    networkAnalysis Networkanalysis true string
    phishingScanner Phishingscanner true string
    systemBehavioralAi Systembehavioralai true string
    systemStaticAi Systemstaticai true string
    vulnerabilityScanner Vulnerabilityscanner true string
  threatOnDeviceAlert Threatondevicealert true string
  threatPhishingPrevention Threatphishingprevention true string
  threats Threats true string
  alertResponseGroupId Alertresponsegroupid false string
  threatResponseGroupId Threatresponsegroupid false string
filter Filter false (nested fields below)
  accountIds List of Account IDs to filter by false string []
  groupIds List of Group IDs to filter by false string []
  siteIds List of Site IDs to filter by false string []
  tenant Indicates a tenant scope request false boolean

Management - Get managed groups for connection
GET /web/api/v2.1/mobile-integration/management/connections/{conn_id}/managed-groups

Management - Get managed groups for connection

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false (nested fields below)
  managedGroups Managedgroups false (nested fields below)
    id true string
    name true string
errors Errors false array

Management - Get all UEM device groups for given connection
GET /web/api/v2.1/mobile-integration/management/connections/{conn_id}/device-groups

Management - Get all UEM device groups for given connection

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
countonly optional If true, only total number of items will be returned, without any of the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
limit optional Limit number of returned items (1-1000). Example: "10".
query optional Search for groups with names containing this value
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true (nested fields below)
  totalItems Total number of items found matching your query true integer
  nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false (nested fields below)
  id Id true string
  name Name true string
errors Errors false array

Management - Sync devices under connection
POST /web/api/v2.1/mobile-integration/management/connections/{connection_id}/sync-devices

Management - Sync devices under connection

Response Messages
204 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Body Schema
Name Description Required Value
filter Filter true (nested fields below)
  accountIds List of Account IDs to filter by false string []
  groupIds List of Group IDs to filter by false string []
  siteIds List of Site IDs to filter by false string []
  tenant Indicates a tenant scope request false boolean

Management - Patch connection group mappings
PUT /web/api/v2.1/mobile-integration/management/connections/{connection_id}/groups

Management - Patch connection group mappings

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Connection not found

Body Schema
Name Description Required Value
data Data true (nested fields below)
  defaultS1GroupId Defaults1groupid false string
  deviceGroupMappings Devicegroupmappings false (nested fields below)
    mdmGroupId true string
    s1GroupId true string
  responseGroupIds Responsegroupids false string []
filter Filter true (nested fields below)
  accountIds List of Account IDs to filter by false string []
  groupIds List of Group IDs to filter by false string []
  siteIds List of Site IDs to filter by false string []
  tenant Indicates a tenant scope request false boolean

Deletes MSSP partner key by client ID
DELETE /web/api/v2.1/mobile-integration/provisioning/partner-key/{client_id}

Provision - Delete MSSP partner key

Response Messages
204 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Partner key not found

Body Schema
Name Description Required Value
filter Filter false (nested fields below)
  accountIds List of Account IDs to filter by false string []
  groupIds List of Group IDs to filter by false string []
  siteIds List of Site IDs to filter by false string []
  tenant Indicates a tenant scope request false boolean

Management - Update connector connection
PUT /web/api/v2.1/mobile-integration/management/connections/{connection_id}

Management - Update connector connection.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Connection not found

Body Schema
Name Description Required Value
data Data true (nested fields below)
  connector Connector true (nested fields below)
    MicrosoftEndpointManagerConnector Microsoftendpointmanagerconnector false (nested fields below)
      auth Auth true Name De
        oauth Oa
      baseUrl Baseurl true string
      backgroundSync Enable background syncing false boolean
      maskUserInformation Enable masking user information false boolean
      mode Supported mode false enum
    MobileIronCloudConnector Mobileironcloudconnector false (nested fields below)
      auth Auth true Name De
        basic Ba
      baseUrl Baseurl true string
    MobileIronCoreConnector Mobileironcoreconnector false (nested fields below)
      auth Auth true Name De
        basic Ba
      baseUrl Baseurl true string
    WorkspaceOneConnector Workspaceoneconnector false (nested fields below)
      auth Auth true Name De
        basic Ba
        certificate Ce
      baseUrl Baseurl true string
  name Name true string
  defaultS1GroupId Defaults1groupid false string
  deviceGroupMappings Devicegroupmappings false (nested fields below)
    mdmGroupId true string
    s1GroupId true string
  responseGroupIds Responsegroupids false string []
filter Filter true (nested fields below)
  accountIds List of Account IDs to filter by false string []
  groupIds List of Group IDs to filter by false string []
  siteIds List of Site IDs to filter by false string []
  tenant Indicates a tenant scope request false boolean

Management - Delete connection
DELETE /web/api/v2.1/mobile-integration/management/connections/{connection_id}

Management - Delete connection

Response Messages
204 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Body Schema
Name Description Required Value
filter Filter true (nested fields below)
  accountIds List of Account IDs to filter by false string []
  groupIds List of Group IDs to filter by false string []
  siteIds List of Site IDs to filter by false string []
  tenant Indicates a tenant scope request false boolean

Incidents - Mitigate incident
POST /web/api/v2.1/mobile-integration/incidents/mitigate/{mitigation_action}

Incidents - Mitigate incident

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false (nested fields below)
  affected Affected true integer
errors Errors false array

Body Schema
Name Description Required Value
filter Filter true (nested fields below)
  accountIds List of Account IDs to filter by false string []
  groupIds List of Group IDs to filter by false string []
  ids Ids false integer []
  siteIds List of Site IDs to filter by false string []
  tenant Indicates a tenant scope request false boolean

Incidents - Update incident note
PUT /web/api/v2.1/mobile-integration/incidents/{incident_id}/notes/{note_id}

Incidents - Update incident note

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false (nested fields below)
  author Author true string
  authorId Authorid true string
  createdAt Createdat true string
  edited Edited true boolean
  id Id true integer
  text Text true string
  updatedAt Updatedat true string
errors Errors false array

Body Schema
Name Description Required Value
data Data true (nested fields below)
  text Text field true string
filter Filter true (nested fields below)
  accountIds List of Account IDs to filter by false string []
  groupIds List of Group IDs to filter by false string []
  siteIds List of Site IDs to filter by false string []
  tenant Indicates a tenant scope request false boolean

Incidents - Delete incident note
DELETE /web/api/v2.1/mobile-integration/incidents/{incident_id}/notes/{note_id}

Incidents - Delete incident note

Response Messages
204 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Body Schema
Name Description Required Value
filter Filter true (nested fields below)
  accountIds List of Account IDs to filter by false string []
  groupIds List of Group IDs to filter by false string []
  siteIds List of Site IDs to filter by false string []
  tenant Indicates a tenant scope request false boolean

Incidents - Create incident note
POST /web/api/v2.1/mobile-integration/incidents/{incident_id}/notes

Incidents - Create incident note

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false (nested fields below)
  author Author true string
  authorId Authorid true string
  createdAt Createdat true string
  edited Edited true boolean
  id Id true integer
  text Text true string
  updatedAt Updatedat true string
errors Errors false array

Body Schema
Name Description Required Value
data Data true (nested fields below)
  text Text field true string
filter Filter true (nested fields below)
  accountIds List of Account IDs to filter by false string []
  groupIds List of Group IDs to filter by false string []
  siteIds List of Site IDs to filter by false string []
  tenant Indicates a tenant scope request false boolean

Policy - Get the policy for the Account given by ID
GET /web/api/v2.1/mobile-integration/accounts/{account_id}/policy

Policy - Get the policy for the Account given by ID

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

404 - Policy not found

Response Schema
Name Description Required Value
data Response data false (nested fields below)
  alertOnDeviceAlert Alertondevicealert true string
  alerts Alerts true string
  default Default true boolean
  engines Engines true (nested fields below)
    appBehavioralAi Appbehavioralai true string
    appStaticAi Appstaticai true string
    networkAnalysis Networkanalysis true string
    phishingScanner Phishingscanner true string
    systemBehavioralAi Systembehavioralai true string
    systemStaticAi Systemstaticai true string
    vulnerabilityScanner Vulnerabilityscanner true string
  responseActions Responseactions true string
  threatOnDeviceAlert Threatondevicealert true string
  threatPhishingPrevention Threatphishingprevention true string
  threats Threats true string
  updatedAt Updatedat true string
  alertResponseGroupId Alertresponsegroupid false string
  connectionId Connectionid false string
  connectionScopeId Connectionscopeid false string
  connectionScopeLevel Connectionscopelevel false string
  inheritedFrom Inheritedfrom false string
  threatResponseGroupId Threatresponsegroupid false string
  updatedBy Updatedby false string
  userFullName Userfullname false string
errors Errors false array

Policy - Update the policy for the Account given by ID
PUT /web/api/v2.1/mobile-integration/accounts/{account_id}/policy

Policy - Update the policy for the Account given by ID

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Policy not found

Response Schema
Name Description Required Value
data Response data false (nested fields below)
  alertOnDeviceAlert Alertondevicealert true string
  alerts Alerts true string
  default Default true boolean
  engines Engines true (nested fields below)
    appBehavioralAi Appbehavioralai true string
    appStaticAi Appstaticai true string
    networkAnalysis Networkanalysis true string
    phishingScanner Phishingscanner true string
    systemBehavioralAi Systembehavioralai true string
    systemStaticAi Systemstaticai true string
    vulnerabilityScanner Vulnerabilityscanner true string
  responseActions Responseactions true string
  threatOnDeviceAlert Threatondevicealert true string
  threatPhishingPrevention Threatphishingprevention true string
  threats Threats true string
  updatedAt Updatedat true string
  alertResponseGroupId Alertresponsegroupid false string
  connectionId Connectionid false string
  connectionScopeId Connectionscopeid false string
  connectionScopeLevel Connectionscopelevel false string
  inheritedFrom Inheritedfrom false string
  threatResponseGroupId Threatresponsegroupid false string
  updatedBy Updatedby false string
  userFullName Userfullname false string
errors Errors false array

Body Schema
Name Description Required Value
data Data true (nested fields below)
  alertOnDeviceAlert Alertondevicealert true string
  alerts Alerts true string
  engines Engines true (nested fields below)
    appBehavioralAi Appbehavioralai true string
    appStaticAi Appstaticai true string
    networkAnalysis Networkanalysis true string
    phishingScanner Phishingscanner true string
    systemBehavioralAi Systembehavioralai true string
    systemStaticAi Systemstaticai true string
    vulnerabilityScanner Vulnerabilityscanner true string
  threatOnDeviceAlert Threatondevicealert true string
  threatPhishingPrevention Threatphishingprevention true string
  threats Threats true string
  alertResponseGroupId Alertresponsegroupid false string
  threatResponseGroupId Threatresponsegroupid false string
filter Filter false (nested fields below)
  accountIds List of Account IDs to filter by false string []
  groupIds List of Group IDs to filter by false string []
  siteIds List of Site IDs to filter by false string []
  tenant Indicates a tenant scope request false boolean

Policy - Delete the policy for the Account given by ID
DELETE /web/api/v2.1/mobile-integration/accounts/{account_id}/policy

Policy - Delete the policy for the Account given by ID

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

404 - Policy not found

Policy - Get the policy for the Site given by ID


GET /web/api/v2.1/mobile-integration/sites/{site_id}/policy

Policy - Get the policy for the Site given by ID

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

404 - Policy not found

Response Schema
Name Description Required Value
data Response data false (nested fields below)
  alertOnDeviceAlert Alertondevicealert true string
  alerts Alerts true string
  default Default true boolean
  engines Engines true (nested fields below)
    appBehavioralAi Appbehavioralai true string
    appStaticAi Appstaticai true string
    networkAnalysis Networkanalysis true string
    phishingScanner Phishingscanner true string
    systemBehavioralAi Systembehavioralai true string
    systemStaticAi Systemstaticai true string
    vulnerabilityScanner Vulnerabilityscanner true string
  responseActions Responseactions true string
  threatOnDeviceAlert Threatondevicealert true string
  threatPhishingPrevention Threatphishingprevention true string
  threats Threats true string
  updatedAt Updatedat true string
  alertResponseGroupId Alertresponsegroupid false string
  connectionId Connectionid false string
  connectionScopeId Connectionscopeid false string
  connectionScopeLevel Connectionscopelevel false string
  inheritedFrom Inheritedfrom false string
  threatResponseGroupId Threatresponsegroupid false string
  updatedBy Updatedby false string
  userFullName Userfullname false string
errors Errors false array

Policy - Update the policy for the Group given by ID
PUT /web/api/v2.1/mobile-integration/groups/{group_id}/policy

Policy - Update the policy for the Group given by ID

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Policy not found

Response Schema
Name Description Required Value
data Response data false (nested fields below)
  alertOnDeviceAlert Alertondevicealert true string
  alerts Alerts true string
  default Default true boolean
  engines Engines true (nested fields below)
    appBehavioralAi Appbehavioralai true string
    appStaticAi Appstaticai true string
    networkAnalysis Networkanalysis true string
    phishingScanner Phishingscanner true string
    systemBehavioralAi Systembehavioralai true string
    systemStaticAi Systemstaticai true string
    vulnerabilityScanner Vulnerabilityscanner true string
  responseActions Responseactions true string
  threatOnDeviceAlert Threatondevicealert true string
  threatPhishingPrevention Threatphishingprevention true string
  threats Threats true string
  updatedAt Updatedat true string
  alertResponseGroupId Alertresponsegroupid false string
  connectionId Connectionid false string
  connectionScopeId Connectionscopeid false string
  connectionScopeLevel Connectionscopelevel false string
  inheritedFrom Inheritedfrom false string
  threatResponseGroupId Threatresponsegroupid false string
  updatedBy Updatedby false string
  userFullName Userfullname false string
errors Errors false array

1632
Body Schema
Name Description Required Value
data Data true Name Description Required Value
alertOnDevic Alertondevice true string
eAlert alert
alerts Alerts true string
engines Engines true Name Description Required Value
appBehaviora Appbehaviora true string
lAi lai
appStaticAi Appstaticai true string
networkAnaly Networkanaly true string
sis sis
phishingScan Phishingscan true string
ner ner
systemBehavi Systembehavio true string
oralAi ralai
systemStaticA Systemstatica true string
i i
vulnerability Vulnerability true string
Scanner scanner

threatOnDevi Threatondevic true string


ceAlert ealert
threatPhishin Threatphishin true string
gPrevention gprevention
threats Threats true string
alertRespons Alertrespons false string
eGroupId egroupid
threatRespon Threatrespon false string
seGroupId segroupid

filter Filter false Name Description Required Value


accountIds List of false string []
Account IDs
to filter by
groupIds List of Group false string []

1633
IDs to filter
by
siteIds List of Site false string []
IDs to filter
by
tenant Indicates a false boolean
tenant scope
request

Policy - Delete the policy for the Site given by ID
DELETE /web/api/v2.1/mobile-integration/sites/{site_id}/policy

Policy - Delete the policy for the Site given by ID

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

404 - Policy not found

Policy - Update the policy for the Site given by ID


PUT /web/api/v2.1/mobile-integration/sites/{site_id}/policy

Policy - Update the policy for the Site given by ID

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Policy not found

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  alertOnDeviceAlert Alertondevicealert true string
  alerts Alerts true string
  default Default true boolean
  engines Engines true
    Name Description Required Value
    appBehavioralAi Appbehavioralai true string
    appStaticAi Appstaticai true string
    networkAnalysis Networkanalysis true string
    phishingScanner Phishingscanner true string
    systemBehavioralAi Systembehavioralai true string
    systemStaticAi Systemstaticai true string
    vulnerabilityScanner Vulnerabilityscanner true string
  responseActions Responseactions true string
  threatOnDeviceAlert Threatondevicealert true string
  threatPhishingPrevention Threatphishingprevention true string
  threats Threats true string
  updatedAt Updatedat true string
  alertResponseGroupId Alertresponsegroupid false string
  connectionId Connectionid false string
  connectionScopeId Connectionscopeid false string
  connectionScopeLevel Connectionscopelevel false string
  inheritedFrom Inheritedfrom false string
  threatResponseGroupId Threatresponsegroupid false string
  updatedBy Updatedby false string
  userFullName Userfullname false string
errors Errors false array

Body Schema
Name Description Required Value
data Data true
  Name Description Required Value
  alertOnDeviceAlert Alertondevicealert true string
  alerts Alerts true string
  engines Engines true
    Name Description Required Value
    appBehavioralAi Appbehavioralai true string
    appStaticAi Appstaticai true string
    networkAnalysis Networkanalysis true string
    phishingScanner Phishingscanner true string
    systemBehavioralAi Systembehavioralai true string
    systemStaticAi Systemstaticai true string
    vulnerabilityScanner Vulnerabilityscanner true string
  threatOnDeviceAlert Threatondevicealert true string
  threatPhishingPrevention Threatphishingprevention true string
  threats Threats true string
  alertResponseGroupId Alertresponsegroupid false string
  threatResponseGroupId Threatresponsegroupid false string
filter Filter false
  Name Description Required Value
  accountIds List of Account IDs to filter by false string []
  groupIds List of Group IDs to filter by false string []
  siteIds List of Site IDs to filter by false string []
  tenant Indicates a tenant scope request false boolean

Devices - Get device details by device id
GET /web/api/v2.1/mobile-integration/devices/{device_id}

Devices - Get device details by device id

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Device not found

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  accountId A reference to the containing account true string
  accountName Name of the containing account true string
  alertCounts Alertcounts true
    Name Description Required Value
    adminResolvedCount How many threats are resolved by admin true integer
    conditionalAccessCount How many threats is in conditional access true integer
    mitigatedCount How many threats are mitigated true integer
    notMitigatedCount How many threats are not mitigated true integer
  deviceId MDM device ID true string
  groupId A reference to the containing network group true string
  groupName Name of the containing network group true string
  id Id true integer
  registrationSource MDM name or initiator in case of activations true string
  registrationType Registration type true enum
  siteId A reference to the containing site true string
  siteName Name of the containing site true string
  threatCounts Threatcounts true
    Name Description Required Value
    adminResolvedCount How many threats are resolved by admin true integer
    conditionalAccessCount How many threats is in conditional access true integer
    mitigatedCount How many threats are mitigated true integer
    notMitigatedCount How many threats are not mitigated true integer
  appState ZipApp state false enum
  appVersion Version of the ZippApp false string
  debugMode Debugmode false boolean
  developerMode Developermode false boolean
  encrypted Encrypted false boolean
  healthState Highest health state of the device false enum
  lastActiveOn When we received last heartbeat false string
  managedState UEM state of the device false enum
  model Device manufacturer and model false string
  osVersion Device os version false string
  owner User email false string
  platform Device platform false enum
  policyUpdatedAt When the corresponding policy was updated false string
  privileges Either rooted or jailbroken for devices with privileges. Otherwise none false enum
  protected Protected false boolean
  registeredOn When the ZippApp registered false string
  registrationDate When the activation for this device was created false string
  screenLocked Screenlocked false boolean
  stagefreightVulnerable Stagefreightvulnerable false boolean
  trackingId1 External tracking ID of device false string
  trackingId2 Another external tracking ID of device false string
  unofficialAppstore Unofficialappstore false boolean
errors Errors false array

Network Quarantine Control

Get Firewall Rules


GET /web/api/v2.1/firewall-control/{firewall_rule_category}

Get the Firewall Control rules for a scope specified by ID (run "accounts", "sites", "groups", or set "tenant" to "true") that match the filter.
The response will be quite long because it includes all the rule properties, thus at least one of these filters is required: action, status, osType, name, or scope ID.

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
actions optional Return firewall rules with the filtered action. Example: "Allow".
application__contains optional Free-text filter by application (supports multiple values)
applications optional Return firewall rules with the filtered firewall class.
countonly optional If true, only total number of items will be returned, without any of the actual objects.
createdat__between optional Return firewall rules created within this range (inclusive). Example: "1514978764288-1514978999999".
createdat__gt optional Return firewall rules created after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__gte optional Return firewall rules created after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lt optional Return firewall rules created before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lte optional Return firewall rules created before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
directions optional Return firewall rules with the filtered directions. Example: "any".
disablepagination optional If true, all rules for requested scope will be returned
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
ids optional List of ids to filter by. Example: "225494730938493804,225494730938493915".
limit optional Limit number of returned items (1-1000). Example: "10".
locationids optional Filter by associated locations. Example: "225494730938493804,225494730938493915".
name optional Return firewall rules with the filtered name.
name__contains optional Free-text filter by the Rule name (supports multiple values)
ostypes optional Return firewall rules with the filtered os_type. Example: "macos".
protocol__contains optional Free-text filter by protocol (supports multiple values)
protocols optional Return firewall rules with the filtered protocols.
query optional Free text search on name, tag, application, protocol
scopes optional Return only firewall rules in this scope. Example: "account".
service__contains optional Free-text filter by service (supports multiple values)
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
statuses optional Return firewall rules with the filtered status. Example: "Enabled".
tagids optional Filter by associated tags. Example: "225494730938493804,225494730938493915".
tagname__contains optional Free-text filter by the Tag name (supports multiple values)
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
  Name Description Required Value
  totalItems Total number of items found matching your query true integer
  nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
  Name Description Required Value
  action Defines if agent shall Block or Allow use of firewalls which matches the rule parameters. false enum
  application Application for the rule false
  createdAt Date of rule creation false string
  creator Full name of the creating user false string
  creatorId Id of the creating user false string
  description Description false string
  direction Defines the Direction of the Firewall rule. false enum
  editable True if the rule can be modified at this scope level false boolean
  id Rule ID false string
  localHost Local host false
  localPort Local ports false
  location Location associated with the rule false
    Name Description Required Value
    type Location type true enum
    values Location IDs (applicable for the "specific" location type only) false
      Name Description Required Value
      id Location ID true string
      name Location name false string
    scope Location scope false enum
  name The name of the firewall rule. false string
  order Position in the list of rules false integer
  osType [DEPRECATED] Please use os_types since multiple os types are supported. This field will return the first os_type, not necessarily the only one. false enum
  osTypes Os types false string []
  productId Product identifier. Unique for a specific product module, per vendor ID, Interface. false string
  protocol The protocol. false string
  remoteHost [DEPRECATED] First remote host in the rule. Full list in remote_hosts false
  remoteHosts List of remote hosts false
    Name Description Required Value
    type Type of the host false enum
    values Value of the host false string []
  remotePort Remote ports false
  ruleCategory Network quarantine rule or standard firewall rule false enum
  scope Scope of the rule false enum
  scopeId The group or site id depending on the scope. null if it is global. false string
  status Defines if rule is Enabled or Disabled false enum
  tag [DEPRECATED] Free text to describe the rule. Please use description instead. false string
  tagIds Tag ids false string []
  tagNames Tag names false string []
  tags Tags false
    Name Description Required Value
    id false string
    name false string
  updatedAt Date of last update false string
errors Errors false array
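
The cursor iteration and the "at least one filter" requirement of Get Firewall Rules, as an added Python example that is not part of the SentinelOne documentation. The `fetch` callable, the in-memory fake console and its sample rules are constructed for illustration, authentication and transport are left to the caller, and `<firewall_rule_category>` is a placeholder for a real category value.

```python
import base64
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# Query parameters from the Parameters list that satisfy the requirement
# "action, status, osType, name, or scope ID". Counting only these names is a
# conservative client-side reading of that sentence.
NARROWING_PARAMS = ("actions", "statuses", "ostypes", "name",
                    "accountids", "siteids", "groupids")

# fetch(path, query_params) -> decoded JSON body. Hypothetical hook: plug in
# your own authenticated HTTP GET here.
Fetch = Callable[[str, Dict[str, str]], dict]


def build_params(filters: Dict[str, str], limit: int,
                 cursor: Optional[str]) -> Dict[str, str]:
    """Validate a request locally before it is sent to the console."""
    if not 1 <= limit <= 1000:
        raise ValueError("limit must be between 1 and 1000")
    if not any(filters.get(p) for p in NARROWING_PARAMS):
        raise ValueError("one of these filters is required: "
                         + ", ".join(NARROWING_PARAMS))
    params = dict(filters)
    params["limit"] = str(limit)
    if cursor is not None:
        params["cursor"] = cursor
    return params


def iter_firewall_rules(fetch: Fetch, category: str, filters: Dict[str, str],
                        limit: int = 1000) -> Iterator[dict]:
    """Yield every matching rule, following pagination.nextCursor to the end."""
    path = "/web/api/v2.1/firewall-control/" + category
    cursor: Optional[str] = None
    seen = set()
    while True:
        page = fetch(path, build_params(filters, limit, cursor))
        if page.get("errors"):
            raise RuntimeError("console returned errors: %r" % page["errors"])
        for rule in page.get("data") or []:
            yield rule
        cursor = (page.get("pagination") or {}).get("nextCursor")
        if not cursor:            # null on the last page
            return
        if cursor in seen:        # guard against a server that loops
            raise RuntimeError("cursor repeated, aborting iteration")
        seen.add(cursor)


def make_fake_console(rules: List[dict], calls: List[Dict[str, str]]) -> Fetch:
    """Constructed stand-in for the console so the example runs offline."""
    def fetch(path: str, params: Dict[str, str]) -> dict:
        calls.append(dict(params))
        wanted = params.get("statuses")
        matching = [r for r in rules if wanted in (None, r["status"])]
        start = 0
        if "cursor" in params:
            start = int(base64.b64decode(params["cursor"]).decode())
        end = start + int(params["limit"])
        next_cursor = None
        if end < len(matching):
            next_cursor = base64.b64encode(str(end).encode()).decode()
        return {"pagination": {"totalItems": len(matching),
                               "nextCursor": next_cursor},
                "data": matching[start:end]}
    return fetch


def demo() -> Tuple[List[str], List[Dict[str, str]]]:
    # Constructed sample data: five enabled rules and one disabled rule.
    rules = [{"id": str(i), "name": "rule-%d" % i, "status": "Enabled"}
             for i in range(1, 6)]
    rules.append({"id": "6", "name": "rule-6", "status": "Disabled"})
    calls: List[Dict[str, str]] = []
    fetch = make_fake_console(rules, calls)
    filters = {"statuses": "Enabled", "siteids": "225494730938493804"}
    ids = [r["id"] for r in
           iter_firewall_rules(fetch, "<firewall_rule_category>", filters, limit=2)]
    return ids, calls


if __name__ == "__main__":
    rule_ids, requests_made = demo()
    print(rule_ids, len(requests_made))
```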

Create Firewall Rule
POST /web/api/v2.1/firewall-control/{firewall_rule_category}

Create a Firewall Control rule for a scope specified by ID (run "accounts", "sites", "groups", or set "tenant" to "true") and specific OS, to allow or block network traffic to matching endpoints.
You can create one clean-up rule, with the Action of Allow or Block and with no other parameters defined explicitly. Make this the default rule at the end of your rule list. Traffic that does not match other rules first will match this rule. If you do not have a clean-up rule to match all traffic, the default Firewall Control behavior is to allow traffic that is not explicitly blocked.
Firewall Control requires Control SKU.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  action Defines if agent shall Block or Allow use of firewalls which matches the rule parameters. false enum
  application Application for the rule false
  createdAt Date of rule creation false string
  creator Full name of the creating user false string
  creatorId Id of the creating user false string
  description Description false string
  direction Defines the Direction of the Firewall rule. false enum
  editable True if the rule can be modified at this scope level false boolean
  id Rule ID false string
  localHost Local host false
  localPort Local ports false
  location Location associated with the rule false
    Name Description Required Value
    type Location type true enum
    values Location IDs (applicable for the "specific" location type only) false
      Name Description Required Value
      id Location ID true string
      name Location name false string
    scope Location scope false enum
  name The name of the firewall rule. false string
  order Position in the list of rules false integer
  osType [DEPRECATED] Please use os_types since multiple os types are supported. This field will return the first os_type, not necessarily the only one. false enum
  osTypes Os types false string []
  productId Product identifier. Unique for a specific product module, per vendor ID, Interface. false string
  protocol The protocol. false string
  remoteHost [DEPRECATED] First remote host in the rule. Full list in remote_hosts false
  remoteHosts List of remote hosts false
    Name Description Required Value
    type Type of the host false enum
    values Value of the host false string []
  remotePort Remote ports false
  ruleCategory Network quarantine rule or standard firewall rule false enum
  scope Scope of the rule false enum
  scopeId The group or site id depending on the scope. null if it is global. false string
  status Defines if rule is Enabled or Disabled false enum
  tag [DEPRECATED] Free text to describe the rule. Please use description instead. false string
  tagIds Tag ids false string []
  tagNames Tag names false string []
  tags Tags false
    Name Description Required Value
    id false string
    name false string
  updatedAt Date of last update false string
errors Errors false array

Body Schema
Name Description Required Value
data Data true
  Name Description Required Value
  action Defines if agent shall Block or Allow use of firewalls which matches the rule parameters. true enum
  name The name of the firewall rule. true string
  status Defines if rule is Enabled or Disabled true enum
  application Application for the rule false
    Name Description Required Value
    type Type of the application false enum
    values Value of the application false string []
  description Description false string
  direction Defines the Direction of the Firewall rule. false enum
  localHost Local host structure with a type and a set of values false
    Name Description Required Value
    type Type of the host false enum
    values Value of the host false string []
  localPort Local ports structure with a type and a set of values false
    Name Description Required Value
    type Type of the ports false enum
    values A list of port numbers false integer []
  location Location structure with a type and a set of values false
    Name Description Required Value
    type Location type true enum
    values Location IDs (applicable for the "specific" location type only) false
      Name Description Required Value
      id Location ID true string
      name Location name false string
    scope Location scope false enum
  osType [DEPRECATED] Please use os_types since multiple os types are supported. This field will return the first os_type, not necessarily the only one. false enum
  osTypes Os types false string []
  protocol The protocol false string
  remoteHost [DEPRECATED] Please use remote_hosts. Remote host structure with a type and a set of values. false
    Name Description Required Value
    type Type of the host false enum
    values Value of the host false string []
  remoteHosts List of remote hosts, each structured with a type and a set of values false
    Name Description Required Value
    type Type of the host false enum
    values Value of the host false string []
  remotePort Remote ports structure with a type and a set of values false
    Name Description Required Value
    type Type of the ports false enum
    values A list of port numbers false integer []
  tag [DEPRECATED] Free text to describe the rule. Please use description instead. false string
  tagIds Tag ids false string []
filter Filter true
  Name Description Required Value
  accountIds List of Account IDs to filter by false string []
  groupIds List of Group IDs to filter by false string []
  siteIds List of Site IDs to filter by false string []
  tenant Indicates a tenant scope request false boolean

Delete Rules
DELETE /web/api/v2.1/firewall-control/{firewall_rule_category}

Delete Firewall Control rules that match the filter.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  affected Number of entities affected by the requested operation false integer
errors Errors false array

Body Schema
Name Description Required Value
filter Filter false
  Name Description Required Value
  accountIds List of Account IDs to filter by false string []
  actions Return firewall rules with the filtered action. false string []
  application__contains Free-text filter by application (supports multiple values) false string []
  applications Return firewall rules with the filtered firewall class. false string []
  createdAt__between Return firewall rules created within this range (inclusive) false string
  createdAt__gt Return firewall rules created after this timestamp. false string
  createdAt__gte Return firewall rules created after or at this timestamp. false string
  createdAt__lt Return firewall rules created before this timestamp. false string
  createdAt__lte Return firewall rules created before or at this timestamp. false string
  directions Return firewall rules with the filtered directions. false string []
  groupIds List of Group IDs to filter by false string []
  ids List of ids to filter by false string []
  locationIds Filter by associated locations false string []
  name Return firewall rules with the filtered name. false string
  name__contains Free-text filter by the Rule name (supports multiple values) false string []
  osTypes Return firewall rules with the filtered os_type. false string []
  protocol__contains Free-text filter by protocol (supports multiple values) false string []
  protocols Return firewall rules with the filtered protocols. false string []
  query Free text search on name, tag, application, protocol false string
  scopes Return only firewall rules in this scope false string []
  service__contains Free-text filter by service (supports multiple values) false string []
  siteIds List of Site IDs to filter by false string []
  statuses Return firewall rules with the filtered status. false string []
  tagIds Filter by associated tags false string []
  tagName__contains Free-text filter by the Tag name (supports multiple values) false string []
  tenant Indicates a tenant scope request false boolean

Copy Rules
POST /web/api/v2.1/firewall-control/{firewall_rule_category}/copy-rules

Copy a set of rules to other scopes.


In the filter of the body, enter the properties to define the source. In the data field of the body, define the targets by ID. To get a scope ID, run 'accounts', 'sites', or 'groups'.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  affected Number of entities affected by the requested operation false integer
errors Errors false array

Body Schema
Name Description Required Value
data Data false
  Name Description Required Value
  accountId Target account false string
  accountIds List of Account IDs to filter by false string []
  groupId Target group false string
  groupIds [DEPRECATED] Target group(s) false string []
  siteId Target site false string
  siteIds List of Site IDs to filter by false string []
  tenant Indicates a tenant scope request false boolean
filter Filter false
  Name Description Required Value
  accountIds List of Account IDs to filter by false string []
  actions Return firewall rules with the filtered action. false string []
  application__contains Free-text filter by application (supports multiple values) false string []
  applications Return firewall rules with the filtered firewall class. false string []
  createdAt__between Return firewall rules created within this range (inclusive) false string
  createdAt__gt Return firewall rules created after this timestamp. false string
  createdAt__gte Return firewall rules created after or at this timestamp. false string
  createdAt__lt Return firewall rules created before this timestamp. false string
  createdAt__lte Return firewall rules created before or at this timestamp. false string
  directions Return firewall rules with the filtered directions. false string []
  groupIds List of Group IDs to filter by false string []
  ids List of ids to filter by false string []
  locationIds Filter by associated locations false string []
  name Return firewall rules with the filtered name. false string
  name__contains Free-text filter by the Rule name (supports multiple values) false string []
  osTypes Return firewall rules with the filtered os_type. false string []
  protocol__contains Free-text filter by protocol (supports multiple values) false string []
  protocols Return firewall rules with the filtered protocols. false string []
  query Free text search on name, tag, application, protocol false string
  scopes Return only firewall rules in this scope false string []
  service__contains Free-text filter by service (supports multiple values) false string []
  siteIds List of Site IDs to filter by false string []
  statuses Return firewall rules with the filtered status. false string []
  tagIds Filter by associated tags false string []
  tagName__contains Free-text filter by the Tag name (supports multiple values) false string []
  tenant Indicates a tenant scope request false boolean

Move Rules
POST /web/api/v2.1/firewall-control/{firewall_rule_category}/move-rules

Remove Firewall Rules, defined with the ID of the rules (run 'firewall-control'), from scopes specified by ID (run 'accounts', 'sites', or 'groups') and add the rules to the scope IDs in the data field.
Firewall Control requires Control SKU.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  affected Number of entities affected by the requested operation false integer
errors Errors false array

Body Schema
Name Description Required Value
data Data false
  Name Description Required Value
  accountId Target account false string
  accountIds List of Account IDs to filter by false string []
  groupId Target group false string
  groupIds [DEPRECATED] Target group(s) false string []
  siteId Target site false string
  siteIds List of Site IDs to filter by false string []
  tenant Indicates a tenant scope request false boolean
filter Filter false
  Name Description Required Value
  accountIds List of Account IDs to filter by false string []
  actions Return firewall rules with the filtered action. false string []
  application__contains Free-text filter by application (supports multiple values) false string []
  applications Return firewall rules with the filtered firewall class. false string []
  createdAt__between Return firewall rules created within this range (inclusive) false string
  createdAt__gt Return firewall rules created after this timestamp. false string
  createdAt__gte Return firewall rules created after or at this timestamp. false string
  createdAt__lt Return firewall rules created before this timestamp. false string
  createdAt__lte Return firewall rules created before or at this timestamp. false string
  directions Return firewall rules with the filtered directions. false string []
  groupIds List of Group IDs to filter by false string []
  ids List of ids to filter by false string []
  locationIds Filter by associated locations false string []
  name Return firewall rules with the filtered name. false string
  name__contains Free-text filter by the Rule name (supports multiple values) false string []
  osTypes Return firewall rules with the filtered os_type. false string []
  protocol__contains Free-text filter by protocol (supports multiple values) false string []
  protocols Return firewall rules with the filtered protocols. false string []
  query Free text search on name, tag, application, protocol false string
  scopes Return only firewall rules in this scope false string []
  service__contains Free-text filter by service (supports multiple values) false string []
  siteIds List of Site IDs to filter by false string []
  statuses Return firewall rules with the filtered status. false string []
  tagIds Filter by associated tags false string []
  tagName__contains Free-text filter by the Tag name (supports multiple values) false string []
  tenant Indicates a tenant scope request false boolean

Set Location
POST /web/api/v2.1/firewall-control/{firewall_rule_category}/set-location

Set location attributes for a Location Aware Firewall Control rule. These rules are applied by Agents only if the network parameters of the endpoint match the properties of the location definition. To get a Location ID, run "locations".
Firewall Control requires Control SKU.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  affected Number of entities affected by the requested operation false integer
errors Errors false array

Body Schema
Name Description Required Value
data Data true
  Name Description Required Value
  type Location type true enum
  values Location IDs (applicable for the "specific" location type only) false
    Name Description Required Value
    id Location ID true string
    name Location name false string
  scope Location scope false enum
filter Filter false
  Name Description Required Value
  accountIds List of Account IDs to filter by false string []
  actions Return firewall rules with the filtered action. false string []
  application__contains Free-text filter by application (supports multiple values) false string []
  applications Return firewall rules with the filtered firewall class. false string []
  createdAt__between Return firewall rules created within this range (inclusive) false string
  createdAt__gt Return firewall rules created after this timestamp. false string
  createdAt__gte Return firewall rules created after or at this timestamp. false string
  createdAt__lt Return firewall rules created before this timestamp. false string
  createdAt__lte Return firewall rules created before or at this timestamp. false string
  directions Return firewall rules with the filtered directions. false string []
  groupIds List of Group IDs to filter by false string []
  ids List of ids to filter by false string []
  locationIds Filter by associated locations false string []
  name Return firewall rules with the filtered name. false string
  name__contains Free-text filter by the Rule name (supports multiple values) false string []
  osTypes Return firewall rules with the filtered os_type. false string []
  protocol__contains Free-text filter by protocol (supports multiple values) false string []
  protocols Return firewall rules with the filtered protocols. false string []
  query Free text search on name, tag, application, protocol false string
  scopes Return only firewall rules in this scope false string []
  service__contains Free-text filter by service (supports multiple values) false string []
  siteIds List of Site IDs to filter by false string []
  statuses Return firewall rules with the filtered status. false string []
  tagIds Filter by associated tags false string []
  tagName__contains Free-text filter by the Tag name (supports multiple values) false string []
  tenant Indicates a tenant scope request false boolean

Reorder Rules
PUT /web/api/v2.1/firewall-control/{firewall_rule_category}/reorder

Change the order of rules for a scope specified by ID (run "accounts", "sites", or "groups").
The Agent looks at the rules based on their order in the Firewall Control policy, from the top to the bottom. First it goes through the Group rules, then the Site rules, then the Account rules, then the Global rules. When the Agent finds a rule that matches the parameters of the traffic, that rule is applied. The Agent does not continue to the lower rules in the list. Thus, the scope and the order of the rules is important.
Firewall Control requires Control SKU.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    success Indicates a successful operation false boolean
errors Errors false array

Body Schema
Name Description Required Value
filter Filter true
    Name Description Required Value
    accountIds List of Account IDs to filter by false string []
    groupIds List of Group IDs to filter by false string []
    osTypes [DEPRECATED] Rules OS type (was relevant for when each OS type had its own rule order) false string []
    siteIds List of Site IDs to filter by false string []
    tenant Indicates a tenant scope request false boolean
data Data false
    Name Description Required Value
    id Rule ID true string
    order Desired position in the list of rules true integer

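The first-match evaluation described under Reorder Rules, as an added Python example (not SentinelOne code): it walks rules in Group, Site, Account, Global order and reports rules that can never be reached, before and after a reorder. The `Rule` field names, the "Block" action, the skipping of disabled rules and the sample rules are assumptions made for the illustration.

```python
from dataclasses import dataclass, replace

# Evaluation order described above: Group rules first, then Site, Account, Global.
SCOPE_PRECEDENCE = ("group", "site", "account", "global")
MATCH_FIELDS = ("direction", "protocol", "port")


@dataclass(frozen=True)
class Rule:
    # Field names are hypothetical; they are not the API's rule schema.
    id: str
    scope: str            # one of SCOPE_PRECEDENCE
    order: int            # position inside its own scope, 1 = top
    action: str           # "Allow" or "Block" ("Block" is assumed)
    direction: str = "any"
    protocol: str = "any"
    port: str = "any"
    status: str = "Enabled"


def evaluation_order(rules):
    """Enabled rules in the order the Agent walks them: scope first, then position."""
    active = [r for r in rules if r.status == "Enabled"]  # assumption: disabled rules are skipped
    return sorted(active, key=lambda r: (SCOPE_PRECEDENCE.index(r.scope), r.order))


def field_covers(rule_value, value):
    """A rule field covers a value when it is the wildcard or an exact match."""
    return rule_value == "any" or rule_value == value


def first_match(rules, traffic):
    """Return the first rule matching the traffic dict; lower rules are never consulted."""
    for rule in evaluation_order(rules):
        if all(field_covers(getattr(rule, f), traffic[f]) for f in MATCH_FIELDS):
            return rule
    return None


def shadowed_rules(rules):
    """List (shadowed_id, shadowing_id) pairs: rules that can never be the first match."""
    ordered = evaluation_order(rules)
    findings = []
    for position, later in enumerate(ordered):
        for earlier in ordered[:position]:
            if all(field_covers(getattr(earlier, f), getattr(later, f)) for f in MATCH_FIELDS):
                findings.append((later.id, earlier.id))
                break
    return findings


def reorder(rules, new_orders):
    """Apply {rule id: desired position}, the id/order pairs a reorder request carries."""
    return [replace(r, order=new_orders.get(r.id, r.order)) for r in rules]


# Constructed sample policy, not taken from any real console.
SAMPLE_RULES = [
    Rule("gl-allow-dns", "global", 1, "Allow", "outbound", "udp", "53"),
    Rule("s-allow-ssh", "site", 1, "Allow", "inbound", "tcp", "22"),
    Rule("a-block-rdp", "account", 1, "Block", "inbound", "tcp", "3389", status="Disabled"),
    Rule("g-block-all", "group", 1, "Block"),
    Rule("g-allow-https", "group", 2, "Allow", "outbound", "tcp", "443"),
]
HTTPS_OUT = {"direction": "outbound", "protocol": "tcp", "port": "443"}

if __name__ == "__main__":
    print("hit before reorder:", first_match(SAMPLE_RULES, HTTPS_OUT).id)
    print("shadowed:", shadowed_rules(SAMPLE_RULES))
    fixed = reorder(SAMPLE_RULES, {"g-allow-https": 1, "g-block-all": 2})
    print("hit after reorder:", first_match(fixed, HTTPS_OUT).id)
    print("still shadowed:", shadowed_rules(fixed))
```

Reordering inside the Group scope frees the HTTPS rule, but the Site and Global rules stay unreachable behind the Group catch-all, which is why both scope and order have to be reviewed.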
Get Configuration
GET /web/api/v2.1/firewall-control/{firewall_rule_category}/configuration

Get the Firewall Control configuration for a given scope.


To filter the results for a scope:
* Global - Make sure "tenant" is "true" and no other scope ID is given.
* Account - Make sure "tenant" is "false" and at least one Account ID is given.
* Site - Make sure "tenant" is "false" and at least one Site ID is given.
The response shows if Firewall Control is enabled for the scope, if Location Awareness is enabled, the higher scope from which this scope inherited the configuration, and whether a lower scope inherits this configuration.
Firewall Control requires Control SKU.

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    enabled Firewall control enabled for the scope false boolean
    inheritAllFirewallRules Inherit all the rules and tags from the parent scope. Expands on 'inherits' value. false boolean
    inheritedFrom If null it means it is own policy else it tells the ancestor for the policy. For groups options are null/Site/Global, for site options are null/Global. false string
    inherits True if rules are decoupled from parent rules false boolean
    inheritSettings Inherit firewall settings from parent scope false boolean
    locationAware Firewall control supports location awareness for the scope false boolean
    reportBlocked Agent should report blocked events false boolean
    selectedTags Selected tags false string []
errors Errors false array

Update Configuration
PUT /web/api/v2.1/firewall-control/{firewall_rule_category}/configuration

Change the Firewall Control configuration for a given scope.


To get the ID of a scope, run "accounts", "sites", or "groups". To change the Global configuration, leave the filters empty and set "tenant" to "true". In the Body, you can set if Firewall Control is enabled for the scope, if Location Awareness is enabled, the higher scope from which this scope inherits the configuration ("Global" or a scope ID), whether the lower scopes inherit this configuration, and whether blocked actions are reported.
Firewall Control requires Control SKU.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    enabled Firewall control enabled for the scope false boolean
    inheritAllFirewallRules Inherit all the rules and tags from the parent scope. Expands on 'inherits' value. false boolean
    inheritedFrom If null it means it is own policy else it tells the ancestor for the policy. For groups options are null/Site/Global, for site options are null/Global. false string
    inherits True if rules are decoupled from parent rules false boolean
    inheritSettings Inherit firewall settings from parent scope false boolean
    locationAware Firewall control supports location awareness for the scope false boolean
    reportBlocked Agent should report blocked events false boolean
    selectedTags Selected tags false string []
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    enabled Firewall control enabled for the scope false boolean
    inheritAllFirewallRules Inherit all the rules and tags from the parent scope. Expands on 'inherits' value. false boolean
    inheritedFrom If null it means it is own policy else it tells the ancestor for the policy. For groups options are null/Site/Global, for site options are null/Global. false string
    inherits True if rules are decoupled from parent rules false boolean
    inheritSettings Inherit firewall settings from parent scope false boolean
    locationAware Firewall control supports location awareness for the scope false boolean
    reportBlocked Agent should report blocked events false boolean
    selectedTags Selected tags false string []
filter Filter true
    Name Description Required Value
    accountIds List of Account IDs to filter by false string []
    groupIds List of Group IDs to filter by false string []
    siteIds List of Site IDs to filter by false string []
    tenant Indicates a tenant scope request false boolean

Export Rules
GET /web/api/v2.1/firewall-control/{firewall_rule_category}/export

Export Firewall Control rules that match the filter to a JSON file from a scope specified by ID (run "accounts", "sites", "groups", or leave the scope empty and set "tenant" to "true") and import them to another scope (with the "import" command).
Firewall Control requires Control SKU.

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
actions optional Return firewall rules with the filtered action. Example: "Allow".
application__contains optional Free-text filter by application (supports multiple values)
applications optional Return firewall rules with the filtered firewall class.
createdat__between optional Return firewall rules created within this range (inclusive). Example: "1514978764288-1514978999999".
createdat__gt optional Return firewall rules created after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__gte optional Return firewall rules created after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lt optional Return firewall rules created before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lte optional Return firewall rules created before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
directions optional Return firewall rules with the filtered directions. Example: "any".
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
ids optional List of ids to filter by. Example: "225494730938493804,225494730938493915".
locationids optional Filter by associated locations. Example: "225494730938493804,225494730938493915".
name optional Return firewall rules with the filtered name.
name__contains optional Free-text filter by the Rule name (supports multiple values)
ostypes optional Return firewall rules with the filtered os_type. Example: "macos".
protocol__contains optional Free-text filter by protocol (supports multiple values)
protocols optional Return firewall rules with the filtered protocols.
query optional Free text search on name, tag, application, protocol
scopes optional Return only firewall rules in this scope. Example: "account".
service__contains optional Free-text filter by service (supports multiple values)
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
statuses optional Return firewall rules with the filtered status. Example: "Enabled".
tagids optional Filter by associated tags. Example: "225494730938493804,225494730938493915".
tagname__contains optional Free-text filter by the Tag name (supports multiple values)
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Import Rules
POST /web/api/v2.1/firewall-control/{firewall_rule_category}/import

Import Firewall Control rules from an exported JSON file to scopes specified by ID (run "accounts", "sites", "groups", or leave the scope empty and set "tenant" to "true").
Firewall Control requires Control SKU, in the target and in the source.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    success Indicates a successful operation false boolean
errors Errors false array

Body Schema
Name Description Required Value
formData false
    Name Description Required Value
    file File true file
    accountIds List of Account IDs to filter by. Example: "225494730938493804,225494730938493915". false string []
    groupIds List of Group IDs to filter by. Example: "225494730938493804,225494730938493915". false string []
    siteIds List of Site IDs to filter by. Example: "225494730938493804,225494730938493915". false string []
    tenant Indicates a tenant scope request false boolean

Enable/Disable Rules
PUT /web/api/v2.1/firewall-control/{firewall_rule_category}/enable

Change the status of a set of Firewall Control rules that match the filter to "Enabled" or "Disabled". In one request, you can set one status or the other.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    affected Number of entities affected by the requested operation false integer
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    status should the rules be enabled/disabled true enum
filter Filter true
    Name Description Required Value
    accountIds List of Account IDs to filter by false string []
    actions Return firewall rules with the filtered action. false string []
    application__contains Free-text filter by application (supports multiple values) false string []
    applications Return firewall rules with the filtered firewall class. false string []
    createdAt__between Return firewall rules created within this range (inclusive) false string
    createdAt__gt Return firewall rules created after this timestamp. false string
    createdAt__gte Return firewall rules created after or at this timestamp. false string
    createdAt__lt Return firewall rules created before this timestamp. false string
    createdAt__lte Return firewall rules created before or at this timestamp. false string
    directions Return firewall rules with the filtered directions. false string []
    groupIds List of Group IDs to filter by false string []
    ids List of ids to filter by false string []
    locationIds Filter by associated locations false string []
    name Return firewall rules with the filtered name. false string
    name__contains Free-text filter by the Rule name (supports multiple values) false string []
    osTypes Return firewall rules with the filtered os_type. false string []
    protocol__contains Free-text filter by protocol (supports multiple values) false string []
    protocols Return firewall rules with the filtered protocols. false string []
    query Free text search on name, tag, application, protocol false string
    scopes Return only firewall rules in this scope false string []
    service__contains Free-text filter by service (supports multiple values) false string []
    siteIds List of Site IDs to filter by false string []
    statuses Return firewall rules with the filtered status. false string []
    tagIds Filter by associated tags false string []
    tagName__contains Free-text filter by the Tag name (supports multiple values) false string []
    tenant Indicates a tenant scope request false boolean

Get Protocols
GET /web/api/v2.1/firewall-control/{firewall_rule_category}/protocols

Get a list of protocols that can be used in Firewall Control rules.

Parameters
countonly optional If true, only total number of items will be returned, without any of the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
disablepagination optional If true, all rules for requested scope will be returned
limit optional Limit number of returned items (1-1000). Example: "10".
query optional Full text search on protocols
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
    Name Description Required Value
    totalItems Total number of items found matching your query true integer
    nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
    Name Description Required Value
    accountIds List of Account IDs to filter by false string []
    groupIds List of Group IDs to filter by false string []
    name Description of the protocol false string
    siteIds List of Site IDs to filter by false string []
    tenant Indicates a tenant scope request false boolean
    value Short code identifying the protocol false string
errors Errors false array

Add Rule Tags
POST /web/api/v2.1/firewall-control/{firewall_rule_category}/add-tags

Create a Firewall Rule tag.


Create tags to represent Firewall policies - a set of rules in a specific order. After you create the tag, add rules to it.
Notes:
* Tags apply to a scope and cannot be linked to rules from different scopes.
* Tags must be 2 to 256 characters.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    affected Number of entities affected by the requested operation false integer
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    tagIds Tag ids false string []
filter Filter true
    Name Description Required Value
    accountIds List of Account IDs to filter by false string []
    actions Return firewall rules with the filtered action. false string []
    application__contains Free-text filter by application (supports multiple values) false string []
    applications Return firewall rules with the filtered firewall class. false string []
    createdAt__between Return firewall rules created within this range (inclusive) false string
    createdAt__gt Return firewall rules created after this timestamp. false string
    createdAt__gte Return firewall rules created after or at this timestamp. false string
    createdAt__lt Return firewall rules created before this timestamp. false string
    createdAt__lte Return firewall rules created before or at this timestamp. false string
    directions Return firewall rules with the filtered directions. false string []
    groupIds List of Group IDs to filter by false string []
    ids List of ids to filter by false string []
    locationIds Filter by associated locations false string []
    name Return firewall rules with the filtered name. false string
    name__contains Free-text filter by the Rule name (supports multiple values) false string []
    osTypes Return firewall rules with the filtered os_type. false string []
    protocol__contains Free-text filter by protocol (supports multiple values) false string []
    protocols Return firewall rules with the filtered protocols. false string []
    query Free text search on name, tag, application, protocol false string
    scopes Return only firewall rules in this scope false string []
    service__contains Free-text filter by service (supports multiple values) false string []
    siteIds List of Site IDs to filter by false string []
    statuses Return firewall rules with the filtered status. false string []
    tagIds Filter by associated tags false string []
    tagName__contains Free-text filter by the Tag name (supports multiple values) false string []
    tenant Indicates a tenant scope request false boolean

Remove Rule Tags
POST /web/api/v2.1/firewall-control/{firewall_rule_category}/remove-tags

Remove firewall tags from rules matching the filter.


Tags represent Firewall policies - a set of rules in a specific order. When you remove a rule with a tag, all scopes that subscribe to the tag get the change.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    affected Number of entities affected by the requested operation false integer
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    tagIds Tag ids false string []
filter Filter true
    Name Description Required Value
    accountIds List of Account IDs to filter by false string []
    actions Return firewall rules with the filtered action. false string []
    application__contains Free-text filter by application (supports multiple values) false string []
    applications Return firewall rules with the filtered firewall class. false string []
    createdAt__between Return firewall rules created within this range (inclusive) false string
    createdAt__gt Return firewall rules created after this timestamp. false string
    createdAt__gte Return firewall rules created after or at this timestamp. false string
    createdAt__lt Return firewall rules created before this timestamp. false string
    createdAt__lte Return firewall rules created before or at this timestamp. false string
    directions Return firewall rules with the filtered directions. false string []
    groupIds List of Group IDs to filter by false string []
    ids List of ids to filter by false string []
    locationIds Filter by associated locations false string []
    name Return firewall rules with the filtered name. false string
    name__contains Free-text filter by the Rule name (supports multiple values) false string []
    osTypes Return firewall rules with the filtered os_type. false string []
    protocol__contains Free-text filter by protocol (supports multiple values) false string []
    protocols Return firewall rules with the filtered protocols. false string []
    query Free text search on name, tag, application, protocol false string
    scopes Return only firewall rules in this scope false string []
    service__contains Free-text filter by service (supports multiple values) false string []
    siteIds List of Site IDs to filter by false string []
    statuses Return firewall rules with the filtered status. false string []
    tagIds Filter by associated tags false string []
    tagName__contains Free-text filter by the Tag name (supports multiple values) false string []
    tenant Indicates a tenant scope request false boolean

Policies

Group Policy
GET /web/api/v2.1/groups/{group_id}/policy

Get the policy of the Group given by ID. To get the ID of a Group, run "groups". See also: Get Policy.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

404 - Policy not found

Response Schema
Name Description Required Value
data Response false Name Description Required Value
data
agentLoggin True if false boolean
gOn logging is
enabled in
the agent
agentNotifica [DEPRECATE false boolean
tion D] Show end
point
notification
on
suspicious.Re
placed by
'show_suspici
ous' in the
agent UI
section
agentUi Agent ui false Name Description Required Value

1706
agentUiOn Agent ui on false boolean
contactComp Contact false string
any company
contactDirec Contact false string
tMessage direct
message
contactEmail Contact email false string
contactFreeTe Contact free false string
xt text
contactOther Contact other false string
contactPhon Contact false string
eNumber phone
number
contactSuppo Contact false string
rtWebsite support
website
devicePopUpN Device pop false boolean
otifications up
notifications
maxEventAge Max event false integer
Days age days
showAgentWa Show agent false boolean
rnings warnings
showDeviceT Show device false boolean
ab tab
showQuarant Show false boolean
ineTab quarantine
tab
showSupport Show support false boolean
showSuspicio Show false boolean
us suspicious
threatPopUpNo Threat pop false boolean
tifications up
notifications

agentUiOn [DEPRECATE false boolean


D] Show/hide
Agent UI.
Moved inside

1707
the agent UI
section
allowRemoteS True if false boolean
hell Remote Shell
is enabled for
the scope
antiTamperin Anti false boolean
gOn tampering
on/off
autoDecommi Automatic false integer
ssionDays decommission
period in
days
autoDecommi Auto false boolean
ssionOn decommission
on
autoFileUplo Automatic false Name Description Required Value
ad file upload
configuration enabled Automatic false boolean
file upload
on/off
includeBenign Upload false boolean
Files benign files
maxDailyFile Maximum false integer
Upload size (MB) to
upload daily
maxDailyFile Limit for the false integer
UploadLimit maximum
size (MB) to
upload daily
maxFileSize Maximum file false integer
size (MB) to
upload
maxFileSizeLi Limit for the false integer
mit maximum file
size (MB) to
upload
maxLocalDis Maximum false integer
kUsage local disk
usage (MB)
for uploaded

1708
files
maxLocalDisk Limit for the false integer
UsageLimit maximum
local disk
usage (MB)
for uploaded
files

autoImmune Automatic false boolean


On immune on/
off - this
value must be
true since all
policies are
immune by
default
autoMitigatio Default false string
nAction action for
auto
mitigation
cloudValidat Cloud false
ionOn validation on
createdAt Timestamp of false string
policy
creation
driverBlockin Suspicious false boolean
g driver
blocking
engine on/off
dvAttributes The DV false Name Description Required Value
PerEventType attributes
autoInstallBr Auto install false Name Description Required Value
owserExtensi browser
ons extensions autoInstallBr Auto install false boolean
owserExtensi browser
ons extensions

behavioralInd Behavioral false Name Description Required Value


icators indicators
event dvEventTypeBe Behavioral false boolean
havioralIndica indicators
tors event

commandScri Command false

1709
pts scripts event Name Description Required Value
dvEventType Command false boolean
CommandScri scripts event
pts

crossProcess Cross process false Name Description Required Value


event
dvEventTypeC Duplicate false boolean
rossProcessDu Process
plicateProces Event Type
s
dvEventTypeC Duplicate false boolean
rossProcessD Thread Event
uplicateThrea Type
d
dvEventTypeC Open Process false boolean
rossProcessO Event Type
penProcess
dvEventTypeC Remote false boolean
rossProcessR Thread Event
emoteThread Type

dataMasking Data masking false Name Description Required Value


dataMasking Data masking false boolean

dllModuleLoa DLL module false Name Description Required Value


d load event
dvEventType DLL module false boolean
DllModuleLo load event
ad

dns Network false Name Description Required Value


event - DNS
dvEventType Network false boolean
Dns event - DNS

driver Driver false Name Description Required Value


dvEventTypeD Driver Load false boolean
riverLoad

file File event false Name Description Required Value


dvEventTypeF File Creation false boolean

1710
ileCreation Event Type
dvEventTypeF File Deletion false boolean
ileDeletion Event Type
dvEventTypeFi File false boolean
leModificatio Modification
n Event Type
dvEventTypeF File Rename false boolean
ileRename Event Type
fullDiskScan File Scan false boolean
Event Type

ip Network false Name Description Required Value


event - IP
dvEventTypeI IP Connect false boolean
pConnect Event Type
dvEventTypeI IP Listen false boolean
pListen Event Type

login User login/ false Name Description Required Value


logout event
dvEventTypeL User Login false boolean
oginLoggedIn Event Type
dvEventType User Logout false boolean
LoginLogged Event Type
Out

namedPipe Named Pipe false Name Description Required Value


dvEventType Named Pipe false boolean
NamedPipeCo Connection
nnection Event Type
dvEventType Named Pipe false boolean
NamedPipeCr Creation
eation Event Type

namedPipeEx Named Pipe false Name Description Required Value


tended Extended
namedPipeEx Named Pipe false boolean
tended Connection
Extended
Event Type

process Process event false Name Description Required Value

1711
dvEventTypeP Process false boolean
rocessCreatio Creation
n Event Type
dvEventTypeP Process Exit false boolean
rocessExit Event Type
dvEventTypeP Process false boolean
rocessModific Termination
ation Event Type

registry Registry false Name Description Required Value


event
dvEventTypeR Registry Key false boolean
egistryKeyCr Created
eated Event Type
dvEventTypeR Registry Key false boolean
egistryKeyDel Delete Event
ete Type
dvEventTypeR Registry Key false boolean
egistryKeyExp Export Event
ort Type
dvEventTypeR Registry Key false boolean
egistryKeyIm Import Event
port Type
dvEventType Registry Key false boolean
RegistryKey Rename
Rename Event Type
dvEventTypeR Registry Key false boolean
egistryKeySe Security
curityChange Changed
d Event Type
dvEventTypeR Registry false boolean
egistryValueC Value Crated
reated Event Type
dvEventTypeR Registry false boolean
egistryValueD Value
eleted Deleted
Event Type
dvEventTypeR Registry false boolean
egistryValueM Value
odified Modified

1712
Event Type

scheduledTas Scheduled false Name Description Required Value


k task event
dvEventTypeS Scheduled false boolean
cheduledTask Task Delete
Delete Event Type
dvEventTypeS Scheduled false boolean
cheduledTask Task Register
Register Event Type
dvEventTypeS Scheduled false boolean
cheduledTask Task Start
Start Event Type
dvEventTypeS Scheduled false boolean
cheduledTaskT Task Trigeer
rigger Event Type
dvEventTypeS Scheduled false boolean
cheduledTask Task Update
Update Event Type

smartFileMoni Smart file false Name Description Required Value


toring monitoring
smartFileMoni Smart file false boolean
toring monitoring

url URL Actions false Name Description Required Value


event
dvEventTypeU URL Actions false boolean
rl event

windowsEven Windows false Name Description Required Value


tLogs Event Log
dvEventType Windows false boolean
WindowsEven Event Log
tLogCreation Creation
Event Type

windowsEven Windows false Name Description Required Value


tLogsExtende Event Log
d Extended windowsEven Windows false boolean
tLogsExtende Event Log
d Extended
Event Type

engines The engines false

1713
statuses Name Description Required Value
applicationCo application false enum
ntrol control
dataFiles data files false enum
executables executables false enum
exploits exploits false enum
lateralMovem lateral false enum
ent movement
penetration penetration false enum
preExecution on-write false enum
preExecution pre execution false enum
Suspicious suspicious
pup potentially false enum
unwanted
applications
(PUP)
remoteShell remote shell false enum
reputation reputation false enum

forensicsAuto Forensics false Name Description Required Value


Triggering auto
triggering linuxEnabled True if linux false boolean
configuration forensics is
enabled
linuxProfileId The profile id false string
for the linux
forensics
linuxProfileN The profile false string
ame name for the
linux
forensics
macosEnable True if macos false boolean
d forensics is
enabled
macosProfileI The profile id false string
d for the macos
forensics
macosProfil The profile false string

1714
eName name for the
macos
forensics
windowsEnab True if false boolean
led windows
forensics is
enabled
windowsProfi The profile id false string
leId for the
windows
forensics
windowsProf The profile false string
ileName name for the
windows
forensics

fwForNetwor True if false boolean


kQuarantineE Firewall
nabled Control for
Network
Quarantine is
enabled
identityEndpo Endpoint false enum
intReporting reporting
level
identityOn Identity false boolean
module on/
off
identityRepor Identity false integer
tInterval telemetry
report
interval in
minutes
identityThrott Identity false integer
lingInterval duplicate
command
consolidation
interval in
minutes
identityUpdat Identity false integer
eInterval update
interval in

1715
minutes
inheritedFro Indicates the false enum
m parent scope
from which
this policy is
inherited, or
'null' if it is
not inherited
(modified
specifically
for the
current
scope).
ioc True if ioc is false boolean
enabled
iocAttributes The Ioc false Name Description Required Value
attributes
autoInstallBr Update auto false boolean
owserExtensi install
ons browser
extensions
| Name | Description | Required | Value |
| --- | --- | --- | --- |
| data.iocAttributes.behavioralIndicators | Update behavioral indicators | false | boolean |
| data.iocAttributes.commandScripts | Update command scripts | false | boolean |
| data.iocAttributes.crossProcess | Update cross process | false | boolean |
| data.iocAttributes.dataMasking | Update data masking | false | boolean |
| data.iocAttributes.dllModuleLoad | Update DLL module load | false | boolean |
| data.iocAttributes.dns | Network event - DNS | false | boolean |
| data.iocAttributes.driver | Driver | false | boolean |
| data.iocAttributes.fds | Full disk scan | false | boolean |
| data.iocAttributes.file | File event | false | boolean |
| data.iocAttributes.ip | Network event - IP | false | boolean |
| data.iocAttributes.login | User login/logout event | false | boolean |
| data.iocAttributes.namedPipe | Named Pipe | false | boolean |
| data.iocAttributes.namedPipeExtended | Named Pipe Extended | false | boolean |
| data.iocAttributes.process | Process creation event | false | boolean |
| data.iocAttributes.registry | Registry event | false | boolean |
| data.iocAttributes.scheduledTask | Scheduled task event | false | boolean |
| data.iocAttributes.smartFileMonitoring | Smart file monitoring | false | boolean |
| data.iocAttributes.url | Ioc URI | false | boolean |
| data.iocAttributes.windowsEventLogs | Windows Event Log | false | boolean |
| data.iocAttributes.windowsEventLogsExtended | Windows Event Log Extended | false | boolean |
| data.iocSupported | Ioc supported for the scope | false | boolean |
| data.isDefault | True if this is the tenant policy | false | boolean |
| data.isDvPolicyPerEventType | FE indication as to how to display DV policy | false | boolean |
| data.mitigationMode | Mitigation modes | false | enum |
| data.mitigationModeSuspicious | Mitigation mode | false | enum |
| data.monitorOnExecute | Monitor on execute on/off | false | boolean |
| data.monitorOnWrite | Monitor on write | false | boolean |
| data.networkQuarantineOn | Network quarantine on | false | boolean |
| data.remoteOpsForensics | Remote ops forensics configuration | false | object |
| data.remoteOpsForensics.cpuLimit | CPU resources limit for collection process | false | integer |
| data.remoteOpsForensics.enabled | Enabled | false | boolean |
| data.remoteOpsForensics.maximumDailyUpload | Maximum size to upload daily | false | integer |
| data.remoteOpsForensics.maximumDailyUploadLimit | Limit for the maximum size to upload daily | false | integer |
| data.remoteOpsForensics.maximumFileSizeUpload | Maximum size for single file | false | integer |
| data.remoteOpsForensics.maximumFileSizeUploadLimit | Limit for the maximum file size to upload | false | integer |
| data.remoteOpsForensics.parsedArtifactsDestination | Default destination of parsed artifacts | false | enum |
| data.remoteScriptOrchestration | Remote script orchestration upload limits configuration | false | object |
| data.remoteScriptOrchestration.alwaysUploadStreamToCloud | Always upload streams to cloud | false | boolean |
| data.remoteScriptOrchestration.maxDailyFileDownload | Maximum size (MB) to download daily | false | integer |
| data.remoteScriptOrchestration.maxDailyFileDownloadLimit | Limit for the maximum size (MB) to download daily | false | integer |
| data.remoteScriptOrchestration.maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer |
| data.remoteScriptOrchestration.maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer |
| data.remoteScriptOrchestration.maxFileSize | Maximum size in bytes for single file | false | integer |
| data.remoteScriptOrchestration.maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer |
| data.remoteScriptOrchestration.maxLocalPackageDiskUsage | Maximum local disk usage (MB) for packages | false | integer |
| data.remoteScriptOrchestration.maxLocalPackageDiskUsageLimit | Limit for the maximum local disk usage (MB) for packages | false | integer |
| data.removeMacros | Determines if macros should be removed from macro threats | false | boolean |
| data.researchOn | Share data with SentinelOne | false | boolean |
| data.scanNewAgents | If True initiate full disk scan upon first registration | false | boolean |
| data.signedDriverBlockingOn | Suspicious signed driver blocking on/off | false | boolean |
| data.snapshotsOn | True if snapshots are enabled | false | boolean |
| data.unsignedDriverBlockingOn | Suspicious unsigned driver blocking on/off | false | boolean |
| data.updatedAt | Time of the last update to the policy | false | string |
| data.userFullName | The user that created the policy | false | string |
| data.userId | The user id | false | string |
| errors | Errors | false | array |

Update Group Policy
PUT /web/api/v2.1/groups/{group_id}/policy

Change the policy for the Group given by ID. Best practice: Get the policy of the Group before you attempt to change it. See also: Get Policy.
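The get-before-change practice above, sketched as an added example (not SentinelOne's own code): it merges a proposed change into the fetched policy, lists what differs, and refuses to build the PUT body if a protection is switched off without acknowledgement. The choice of which fields count as protective, the `ApiToken` authorization header, the GET on the same path, and sending the merged policy under `data` are assumptions of this example; the field names come from the schema on this page.

```python
import copy
import json
import urllib.request

# Assumption of this example: booleans from the schema that protect the endpoint when true.
PROTECTIVE_WHEN_TRUE = {
    "agentLoggingOn", "antiTamperingOn", "monitorOnExecute", "monitorOnWrite",
    "signedDriverBlockingOn", "snapshotsOn", "unsignedDriverBlockingOn",
}
# Assumption of this example: booleans that widen remote access when true.
EXPOSING_WHEN_TRUE = {"allowRemoteShell"}

# Constructed sample of the `data` object returned by a policy GET (not real tenant data).
SAMPLE_POLICY = {
    "antiTamperingOn": True,
    "allowRemoteShell": False,
    "snapshotsOn": True,
    "agentUi": {"agentUiOn": True, "showSuspicious": False},
}


def deep_merge(current, changes):
    """Return a copy of `current` with `changes` applied; nested objects merge key by key."""
    merged = copy.deepcopy(current)
    for key, value in changes.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def diff_policy(old, new, prefix=""):
    """List (dotted_path, old_value, new_value) for every field that differs."""
    out = []
    for key in sorted(set(old) | set(new)):
        path = prefix + key
        a, b = old.get(key), new.get(key)
        if isinstance(a, dict) and isinstance(b, dict):
            out.extend(diff_policy(a, b, path + "."))
        elif a != b:
            out.append((path, a, b))
    return out


def weakening_changes(diffs):
    """Subset of diffs that switch a protection off or Remote Shell on."""
    return [
        (path, old, new) for path, old, new in diffs
        if (path in PROTECTIVE_WHEN_TRUE and new is False)
        or (path in EXPOSING_WHEN_TRUE and new is True)
    ]


def plan_update(current, changes, acknowledged=()):
    """Build the PUT body and the reviewable diff; raise on unacknowledged weakening."""
    merged = deep_merge(current, changes)
    diffs = diff_policy(current, merged)
    blocked = [p for p, _, _ in weakening_changes(diffs) if p not in acknowledged]
    if blocked:
        raise ValueError("unacknowledged weakening change: " + ", ".join(blocked))
    return {"data": merged}, diffs  # Body Schema on this page: `data` is required


def policy_request(method, base_url, api_token, group_id, body=None):
    """GET or PUT /web/api/v2.1/groups/{group_id}/policy and return the parsed JSON."""
    req = urllib.request.Request(
        f"{base_url}/web/api/v2.1/groups/{group_id}/policy",
        method=method,
        data=json.dumps(body).encode() if body is not None else None,
        # Assumption: token passed as "ApiToken <token>"; the scheme is not shown on this page.
        headers={"Authorization": f"ApiToken {api_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demo on the constructed sample; a live run would first fetch
    # policy_request("GET", base_url, token, group_id)["data"].
    body, diffs = plan_update(SAMPLE_POLICY, {"agentUi": {"showSuspicious": True}})
    for path, old, new in diffs:
        print(f"{path}: {old!r} -> {new!r}")
    try:
        plan_update(SAMPLE_POLICY, {"antiTamperingOn": False})
    except ValueError as exc:
        print("refused:", exc)
```

Keeping the diff returned by `plan_update` alongside the change ticket gives an audit record of exactly which policy fields the PUT altered.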


Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Group not found

Response Schema
| Name | Description | Required | Value |
| --- | --- | --- | --- |
| data | Response data | false | object |
| data.agentLoggingOn | True if logging is enabled in the agent | false | boolean |
| data.agentNotification | [DEPRECATED] Show end point notification on suspicious. Replaced by 'show_suspicious' in the agent UI section | false | boolean |
| data.agentUi | Agent ui | false | object |
| data.agentUi.agentUiOn | Agent ui on | false | boolean |
| data.agentUi.contactCompany | Contact company | false | string |
| data.agentUi.contactDirectMessage | Contact direct message | false | string |
| data.agentUi.contactEmail | Contact email | false | string |
| data.agentUi.contactFreeText | Contact free text | false | string |
| data.agentUi.contactOther | Contact other | false | string |
| data.agentUi.contactPhoneNumber | Contact phone number | false | string |
| data.agentUi.contactSupportWebsite | Contact support website | false | string |
| data.agentUi.devicePopUpNotifications | Device pop up notifications | false | boolean |
| data.agentUi.maxEventAgeDays | Max event age days | false | integer |
| data.agentUi.showAgentWarnings | Show agent warnings | false | boolean |
| data.agentUi.showDeviceTab | Show device tab | false | boolean |
| data.agentUi.showQuarantineTab | Show quarantine tab | false | boolean |
| data.agentUi.showSupport | Show support | false | boolean |
| data.agentUi.showSuspicious | Show suspicious | false | boolean |
| data.agentUi.threatPopUpNotifications | Threat pop up notifications | false | boolean |
| data.agentUiOn | [DEPRECATED] Show/hide Agent UI. Moved inside the agent UI section | false | boolean |
| data.allowRemoteShell | True if Remote Shell is enabled for the scope | false | boolean |
| data.antiTamperingOn | Anti tampering on/off | false | boolean |
| data.autoDecommissionDays | Automatic decommission period in days | false | integer |
| data.autoDecommissionOn | Auto decommission on | false | boolean |
| data.autoFileUpload | Automatic file upload configuration | false | object |
| data.autoFileUpload.enabled | Automatic file upload on/off | false | boolean |
| data.autoFileUpload.includeBenignFiles | Upload benign files | false | boolean |
| data.autoFileUpload.maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer |
| data.autoFileUpload.maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer |
| data.autoFileUpload.maxFileSize | Maximum file size (MB) to upload | false | integer |
| data.autoFileUpload.maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer |
| data.autoFileUpload.maxLocalDiskUsage | Maximum local disk usage (MB) for uploaded files | false | integer |
| data.autoFileUpload.maxLocalDiskUsageLimit | Limit for the maximum local disk usage (MB) for uploaded files | false | integer |
| data.autoImmuneOn | Automatic immune on/off - this value must be true since all policies are immune by default | false | boolean |
| data.autoMitigationAction | Default action for auto mitigation | false | string |
| data.cloudValidationOn | Cloud validation on | false | |
| data.createdAt | Timestamp of policy creation | false | string |
| data.driverBlocking | Suspicious driver blocking engine on/off | false | boolean |
| data.dvAttributesPerEventType | The DV attributes | false | object |
| data.dvAttributesPerEventType.autoInstallBrowserExtensions | Auto install browser extensions | false | object |
| data.dvAttributesPerEventType.autoInstallBrowserExtensions.autoInstallBrowserExtensions | Auto install browser extensions | false | boolean |
| data.dvAttributesPerEventType.behavioralIndicators | Behavioral indicators event | false | object |
| data.dvAttributesPerEventType.behavioralIndicators.dvEventTypeBehavioralIndicators | Behavioral indicators event | false | boolean |
| data.dvAttributesPerEventType.commandScripts | Command scripts event | false | object |
| data.dvAttributesPerEventType.commandScripts.dvEventTypeCommandScripts | Command scripts event | false | boolean |
| data.dvAttributesPerEventType.crossProcess | Cross process event | false | object |
| data.dvAttributesPerEventType.crossProcess.dvEventTypeCrossProcessDuplicateProcess | Duplicate Process Event Type | false | boolean |
| data.dvAttributesPerEventType.crossProcess.dvEventTypeCrossProcessDuplicateThread | Duplicate Thread Event Type | false | boolean |
| data.dvAttributesPerEventType.crossProcess.dvEventTypeCrossProcessOpenProcess | Open Process Event Type | false | boolean |
| data.dvAttributesPerEventType.crossProcess.dvEventTypeCrossProcessRemoteThread | Remote Thread Event Type | false | boolean |
| data.dvAttributesPerEventType.dataMasking | Data masking | false | object |
| data.dvAttributesPerEventType.dataMasking.dataMasking | Data masking | false | boolean |
| data.dvAttributesPerEventType.dllModuleLoad | DLL module load event | false | object |
| data.dvAttributesPerEventType.dllModuleLoad.dvEventTypeDllModuleLoad | DLL module load event | false | boolean |
| data.dvAttributesPerEventType.dns | Network event - DNS | false | object |
| data.dvAttributesPerEventType.dns.dvEventTypeDns | Network event - DNS | false | boolean |
| data.dvAttributesPerEventType.driver | Driver | false | object |
| data.dvAttributesPerEventType.driver.dvEventTypeDriverLoad | Driver Load | false | boolean |
| data.dvAttributesPerEventType.file | File event | false | object |
| data.dvAttributesPerEventType.file.dvEventTypeFileCreation | File Creation Event Type | false | boolean |
| data.dvAttributesPerEventType.file.dvEventTypeFileDeletion | File Deletion Event Type | false | boolean |
| data.dvAttributesPerEventType.file.dvEventTypeFileModification | File Modification Event Type | false | boolean |
| data.dvAttributesPerEventType.file.dvEventTypeFileRename | File Rename Event Type | false | boolean |
| data.dvAttributesPerEventType.file.fullDiskScan | File Scan Event Type | false | boolean |
| data.dvAttributesPerEventType.ip | Network event - IP | false | object |
| data.dvAttributesPerEventType.ip.dvEventTypeIpConnect | IP Connect Event Type | false | boolean |
| data.dvAttributesPerEventType.ip.dvEventTypeIpListen | IP Listen Event Type | false | boolean |
| data.dvAttributesPerEventType.login | User login/logout event | false | object |
| data.dvAttributesPerEventType.login.dvEventTypeLoginLoggedIn | User Login Event Type | false | boolean |
| data.dvAttributesPerEventType.login.dvEventTypeLoginLoggedOut | User Logout Event Type | false | boolean |
| data.dvAttributesPerEventType.namedPipe | Named Pipe | false | object |
| data.dvAttributesPerEventType.namedPipe.dvEventTypeNamedPipeConnection | Named Pipe Connection Event Type | false | boolean |
| data.dvAttributesPerEventType.namedPipe.dvEventTypeNamedPipeCreation | Named Pipe Creation Event Type | false | boolean |
| data.dvAttributesPerEventType.namedPipeExtended | Named Pipe Extended | false | object |
| data.dvAttributesPerEventType.namedPipeExtended.namedPipeExtended | Named Pipe Connection Extended Event Type | false | boolean |
| data.dvAttributesPerEventType.process | Process event | false | object |
| data.dvAttributesPerEventType.process.dvEventTypeProcessCreation | Process Creation Event Type | false | boolean |
| data.dvAttributesPerEventType.process.dvEventTypeProcessExit | Process Exit Event Type | false | boolean |
| data.dvAttributesPerEventType.process.dvEventTypeProcessModification | Process Termination Event Type | false | boolean |
| data.dvAttributesPerEventType.registry | Registry event | false | object |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryKeyCreated | Registry Key Created Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryKeyDelete | Registry Key Delete Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryKeyExport | Registry Key Export Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryKeyImport | Registry Key Import Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryKeyRename | Registry Key Rename Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryKeySecurityChanged | Registry Key Security Changed Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryValueCreated | Registry Value Created Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryValueDeleted | Registry Value Deleted Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryValueModified | Registry Value Modified Event Type | false | boolean |
| data.dvAttributesPerEventType.scheduledTask | Scheduled task event | false | object |
| data.dvAttributesPerEventType.scheduledTask.dvEventTypeScheduledTaskDelete | Scheduled Task Delete Event Type | false | boolean |
| data.dvAttributesPerEventType.scheduledTask.dvEventTypeScheduledTaskRegister | Scheduled Task Register Event Type | false | boolean |
| data.dvAttributesPerEventType.scheduledTask.dvEventTypeScheduledTaskStart | Scheduled Task Start Event Type | false | boolean |
| data.dvAttributesPerEventType.scheduledTask.dvEventTypeScheduledTaskTrigger | Scheduled Task Trigger Event Type | false | boolean |
| data.dvAttributesPerEventType.scheduledTask.dvEventTypeScheduledTaskUpdate | Scheduled Task Update Event Type | false | boolean |
| data.dvAttributesPerEventType.smartFileMonitoring | Smart file monitoring | false | object |
| data.dvAttributesPerEventType.smartFileMonitoring.smartFileMonitoring | Smart file monitoring | false | boolean |
| data.dvAttributesPerEventType.url | URL Actions event | false | object |
| data.dvAttributesPerEventType.url.dvEventTypeUrl | URL Actions event | false | boolean |
| data.dvAttributesPerEventType.windowsEventLogs | Windows Event Log | false | object |
| data.dvAttributesPerEventType.windowsEventLogs.dvEventTypeWindowsEventLogCreation | Windows Event Log Creation Event Type | false | boolean |
| data.dvAttributesPerEventType.windowsEventLogsExtended | Windows Event Log Extended | false | object |
| data.dvAttributesPerEventType.windowsEventLogsExtended.windowsEventLogsExtended | Windows Event Log Extended Event Type | false | boolean |
| data.engines | The engines statuses | false | object |
| data.engines.applicationControl | application control | false | enum |
| data.engines.dataFiles | data files | false | enum |
| data.engines.executables | executables | false | enum |
| data.engines.exploits | exploits | false | enum |
| data.engines.lateralMovement | lateral movement | false | enum |
| data.engines.penetration | penetration | false | enum |
| data.engines.preExecution | on-write | false | enum |
| data.engines.preExecutionSuspicious | pre execution suspicious | false | enum |
| data.engines.pup | potentially unwanted applications (PUP) | false | enum |
| data.engines.remoteShell | remote shell | false | enum |
| data.engines.reputation | reputation | false | enum |
| data.forensicsAutoTriggering | Forensics auto triggering configuration | false | object |
| data.forensicsAutoTriggering.linuxEnabled | True if linux forensics is enabled | false | boolean |
| data.forensicsAutoTriggering.linuxProfileId | The profile id for the linux forensics | false | string |
| data.forensicsAutoTriggering.linuxProfileName | The profile name for the linux forensics | false | string |
| data.forensicsAutoTriggering.macosEnabled | True if macos forensics is enabled | false | boolean |
| data.forensicsAutoTriggering.macosProfileId | The profile id for the macos forensics | false | string |
| data.forensicsAutoTriggering.macosProfileName | The profile name for the macos forensics | false | string |
| data.forensicsAutoTriggering.windowsEnabled | True if windows forensics is enabled | false | boolean |
| data.forensicsAutoTriggering.windowsProfileId | The profile id for the windows forensics | false | string |
| data.forensicsAutoTriggering.windowsProfileName | The profile name for the windows forensics | false | string |
| data.fwForNetworkQuarantineEnabled | True if Firewall Control for Network Quarantine is enabled | false | boolean |
| data.identityEndpointReporting | Endpoint reporting level | false | enum |
| data.identityOn | Identity module on/off | false | boolean |
| data.identityReportInterval | Identity telemetry report interval in minutes | false | integer |
| data.identityThrottlingInterval | Identity duplicate command consolidation interval in minutes | false | integer |
| data.identityUpdateInterval | Identity update interval in minutes | false | integer |
| data.inheritedFrom | Indicates the parent scope from which this policy is inherited, or 'null' if it is not inherited (modified specifically for the current scope). | false | enum |
| data.ioc | True if ioc is enabled | false | boolean |
| data.iocAttributes | The Ioc attributes | false | object |
| data.iocAttributes.autoInstallBrowserExtensions | Update auto install browser extensions | false | boolean |
| data.iocAttributes.behavioralIndicators | Update behavioral indicators | false | boolean |
| data.iocAttributes.commandScripts | Update command scripts | false | boolean |
| data.iocAttributes.crossProcess | Update cross process | false | boolean |
| data.iocAttributes.dataMasking | Update data masking | false | boolean |
| data.iocAttributes.dllModuleLoad | Update DLL module load | false | boolean |
| data.iocAttributes.dns | Network event - DNS | false | boolean |
| data.iocAttributes.driver | Driver | false | boolean |
| data.iocAttributes.fds | Full disk scan | false | boolean |
| data.iocAttributes.file | File event | false | boolean |
| data.iocAttributes.ip | Network event - IP | false | boolean |
| data.iocAttributes.login | User login/logout event | false | boolean |
| data.iocAttributes.namedPipe | Named Pipe | false | boolean |
| data.iocAttributes.namedPipeExtended | Named Pipe Extended | false | boolean |
| data.iocAttributes.process | Process creation event | false | boolean |
| data.iocAttributes.registry | Registry event | false | boolean |
| data.iocAttributes.scheduledTask | Scheduled task event | false | boolean |
| data.iocAttributes.smartFileMonitoring | Smart file monitoring | false | boolean |
| data.iocAttributes.url | Ioc URI | false | boolean |
| data.iocAttributes.windowsEventLogs | Windows Event Log | false | boolean |
| data.iocAttributes.windowsEventLogsExtended | Windows Event Log Extended | false | boolean |
| data.iocSupported | Ioc supported for the scope | false | boolean |
| data.isDefault | True if this is the tenant policy | false | boolean |
| data.isDvPolicyPerEventType | FE indication as to how to display DV policy | false | boolean |
| data.mitigationMode | Mitigation modes | false | enum |
| data.mitigationModeSuspicious | Mitigation mode | false | enum |
| data.monitorOnExecute | Monitor on execute on/off | false | boolean |
| data.monitorOnWrite | Monitor on write | false | boolean |
| data.networkQuarantineOn | Network quarantine on | false | boolean |
| data.remoteOpsForensics | Remote ops forensics configuration | false | object |
| data.remoteOpsForensics.cpuLimit | CPU resources limit for collection process | false | integer |
| data.remoteOpsForensics.enabled | Enabled | false | boolean |
| data.remoteOpsForensics.maximumDailyUpload | Maximum size to upload daily | false | integer |
| data.remoteOpsForensics.maximumDailyUploadLimit | Limit for the maximum size to upload daily | false | integer |
| data.remoteOpsForensics.maximumFileSizeUpload | Maximum size for single file | false | integer |
| data.remoteOpsForensics.maximumFileSizeUploadLimit | Limit for the maximum file size to upload | false | integer |
| data.remoteOpsForensics.parsedArtifactsDestination | Default destination of parsed artifacts | false | enum |
| data.remoteScriptOrchestration | Remote script orchestration upload limits configuration | false | object |
| data.remoteScriptOrchestration.alwaysUploadStreamToCloud | Always upload streams to cloud | false | boolean |
| data.remoteScriptOrchestration.maxDailyFileDownload | Maximum size (MB) to download daily | false | integer |
| data.remoteScriptOrchestration.maxDailyFileDownloadLimit | Limit for the maximum size (MB) to download daily | false | integer |
| data.remoteScriptOrchestration.maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer |
| data.remoteScriptOrchestration.maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer |
| data.remoteScriptOrchestration.maxFileSize | Maximum size in bytes for single file | false | integer |
| data.remoteScriptOrchestration.maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer |
| data.remoteScriptOrchestration.maxLocalPackageDiskUsage | Maximum local disk usage (MB) for packages | false | integer |
| data.remoteScriptOrchestration.maxLocalPackageDiskUsageLimit | Limit for the maximum local disk usage (MB) for packages | false | integer |
| data.removeMacros | Determines if macros should be removed from macro threats | false | boolean |
| data.researchOn | Share data with SentinelOne | false | boolean |
| data.scanNewAgents | If True initiate full disk scan upon first registration | false | boolean |
| data.signedDriverBlockingOn | Suspicious signed driver blocking on/off | false | boolean |
| data.snapshotsOn | True if snapshots are enabled | false | boolean |
| data.unsignedDriverBlockingOn | Suspicious unsigned driver blocking on/off | false | boolean |
| data.updatedAt | Time of the last update to the policy | false | string |
| data.userFullName | The user that created the policy | false | string |
| data.userId | The user id | false | string |
| errors | Errors | false | array |

Body Schema
| Name | Description | Required | Value |
| --- | --- | --- | --- |
| data | Data | true | object |
| data.agentLoggingOn | True if logging is enabled in the agent | false | boolean |
| data.agentNotification | [DEPRECATED] Show end point notification on suspicious. Replaced by 'show_suspicious' in the agent UI section | false | boolean |
| data.agentUi | Agent ui | false | object |
| data.agentUi.agentUiOn | Agent ui on | false | boolean |
| data.agentUi.contactCompany | Contact company | false | string |
| data.agentUi.contactDirectMessage | Contact direct message | false | string |
| data.agentUi.contactEmail | Contact email | false | string |
| data.agentUi.contactFreeText | Contact free text | false | string |
| data.agentUi.contactOther | Contact other | false | string |
| data.agentUi.contactPhoneNumber | Contact phone number | false | string |
| data.agentUi.contactSupportWebsite | Contact support website | false | string |
| data.agentUi.devicePopUpNotifications | Device pop up notifications | false | boolean |
| data.agentUi.maxEventAgeDays | Max event age days | false | integer |
| data.agentUi.showAgentWarnings | Show agent warnings | false | boolean |
| data.agentUi.showDeviceTab | Show device tab | false | boolean |
| data.agentUi.showQuarantineTab | Show quarantine tab | false | boolean |
| data.agentUi.showSupport | Show support | false | boolean |
| data.agentUi.showSuspicious | Show suspicious | false | boolean |
| data.agentUi.threatPopUpNotifications | Threat pop up notifications | false | boolean |
| data.agentUiOn | [DEPRECATED] Show/hide Agent UI. Moved inside the agent UI section | false | boolean |
| data.allowRemoteShell | True if Remote Shell is enabled for the scope | false | boolean |
| data.antiTamperingOn | Anti tampering on/off | false | boolean |
| data.autoDecommissionDays | Automatic decommission period in days | false | integer |
| data.autoDecommissionOn | Auto decommission on | false | boolean |
| data.autoFileUpload | Automatic file upload configuration | false | object |
| data.autoFileUpload.enabled | Automatic file upload on/off | false | boolean |
| data.autoFileUpload.includeBenignFiles | Upload benign files | false | boolean |
| data.autoFileUpload.maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer |
| data.autoFileUpload.maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer |
| data.autoFileUpload.maxFileSize | Maximum file size (MB) to upload | false | integer |
| data.autoFileUpload.maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer |
| data.autoFileUpload.maxLocalDiskUsage | Maximum local disk usage (MB) for uploaded files | false | integer |
| data.autoFileUpload.maxLocalDiskUsageLimit | Limit for the maximum local disk usage (MB) for uploaded files | false | integer |
| data.autoImmuneOn | Automatic immune on/off - this value must be true since all policies are immune by default | false | boolean |
| data.autoMitigationAction | Default action for auto mitigation | false | string |
| data.cloudValidationOn | Cloud validation on | false | |
| data.createdAt | Timestamp of policy creation | false | string |
| data.driverBlocking | Suspicious driver blocking engine on/off | false | boolean |
| data.dvAttributesPerEventType | The DV attributes | false | object |
| data.dvAttributesPerEventType.autoInstallBrowserExtensions | Auto install browser extensions | false | object |
| data.dvAttributesPerEventType.autoInstallBrowserExtensions.autoInstallBrowserExtensions | Auto install browser extensions | false | boolean |
| data.dvAttributesPerEventType.behavioralIndicators | Behavioral indicators event | false | object |
| data.dvAttributesPerEventType.behavioralIndicators.dvEventTypeBehavioralIndicators | Behavioral indicators event | false | boolean |
| data.dvAttributesPerEventType.commandScripts | Command scripts event | false | object |
| data.dvAttributesPerEventType.commandScripts.dvEventTypeCommandScripts | Command scripts event | false | boolean |
| data.dvAttributesPerEventType.crossProcess | Cross process event | false | object |
| data.dvAttributesPerEventType.crossProcess.dvEventTypeCrossProcessDuplicateProcess | Duplicate Process Event Type | false | boolean |
| data.dvAttributesPerEventType.crossProcess.dvEventTypeCrossProcessDuplicateThread | Duplicate Thread Event Type | false | boolean |
| data.dvAttributesPerEventType.crossProcess.dvEventTypeCrossProcessOpenProcess | Open Process Event Type | false | boolean |
| data.dvAttributesPerEventType.crossProcess.dvEventTypeCrossProcessRemoteThread | Remote Thread Event Type | false | boolean |
| data.dvAttributesPerEventType.dataMasking | Data masking | false | object |
| data.dvAttributesPerEventType.dataMasking.dataMasking | Data masking | false | boolean |
| data.dvAttributesPerEventType.dllModuleLoad | DLL module load event | false | object |
| data.dvAttributesPerEventType.dllModuleLoad.dvEventTypeDllModuleLoad | DLL module load event | false | boolean |
| data.dvAttributesPerEventType.dns | Network event - DNS | false | object |
| data.dvAttributesPerEventType.dns.dvEventTypeDns | Network event - DNS | false | boolean |
| data.dvAttributesPerEventType.driver | Driver | false | object |
| data.dvAttributesPerEventType.driver.dvEventTypeDriverLoad | Driver Load | false | boolean |
| data.dvAttributesPerEventType.file | File event | false | object |
| data.dvAttributesPerEventType.file.dvEventTypeFileCreation | File Creation Event Type | false | boolean |
| data.dvAttributesPerEventType.file.dvEventTypeFileDeletion | File Deletion Event Type | false | boolean |
| data.dvAttributesPerEventType.file.dvEventTypeFileModification | File Modification Event Type | false | boolean |
| data.dvAttributesPerEventType.file.dvEventTypeFileRename | File Rename Event Type | false | boolean |
| data.dvAttributesPerEventType.file.fullDiskScan | File Scan Event Type | false | boolean |
| data.dvAttributesPerEventType.ip | Network event - IP | false | object |
| data.dvAttributesPerEventType.ip.dvEventTypeIpConnect | IP Connect Event Type | false | boolean |
| data.dvAttributesPerEventType.ip.dvEventTypeIpListen | IP Listen Event Type | false | boolean |
| data.dvAttributesPerEventType.login | User login/logout event | false | object |
| data.dvAttributesPerEventType.login.dvEventTypeLoginLoggedIn | User Login Event Type | false | boolean |
| data.dvAttributesPerEventType.login.dvEventTypeLoginLoggedOut | User Logout Event Type | false | boolean |
| data.dvAttributesPerEventType.namedPipe | Named Pipe | false | object |
| data.dvAttributesPerEventType.namedPipe.dvEventTypeNamedPipeConnection | Named Pipe Connection Event Type | false | boolean |
| data.dvAttributesPerEventType.namedPipe.dvEventTypeNamedPipeCreation | Named Pipe Creation Event Type | false | boolean |
| data.dvAttributesPerEventType.namedPipeExtended | Named Pipe Extended | false | object |
| data.dvAttributesPerEventType.namedPipeExtended.namedPipeExtended | Named Pipe Connection Extended Event Type | false | boolean |
| data.dvAttributesPerEventType.process | Process event | false | object |
| data.dvAttributesPerEventType.process.dvEventTypeProcessCreation | Process Creation Event Type | false | boolean |
| data.dvAttributesPerEventType.process.dvEventTypeProcessExit | Process Exit Event Type | false | boolean |
| data.dvAttributesPerEventType.process.dvEventTypeProcessModification | Process Termination Event Type | false | boolean |
| data.dvAttributesPerEventType.registry | Registry event | false | object |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryKeyCreated | Registry Key Created Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryKeyDelete | Registry Key Delete Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryKeyExport | Registry Key Export Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryKeyImport | Registry Key Import Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryKeyRename | Registry Key Rename Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryKeySecurityChanged | Registry Key Security Changed Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryValueCreated | Registry Value Created Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryValueDeleted | Registry Value Deleted Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryValueModified | Registry Value Modified Event Type | false | boolean |
| data.dvAttributesPerEventType.scheduledTask | Scheduled task event | false | object |
| data.dvAttributesPerEventType.scheduledTask.dvEventTypeScheduledTaskDelete | Scheduled Task Delete Event Type | false | boolean |
| data.dvAttributesPerEventType.scheduledTask.dvEventTypeScheduledTaskRegister | Scheduled Task Register Event Type | false | boolean |
| data.dvAttributesPerEventType.scheduledTask.dvEventTypeScheduledTaskStart | Scheduled Task Start Event Type | false | boolean |
| data.dvAttributesPerEventType.scheduledTask.dvEventTypeScheduledTaskTrigger | Scheduled Task Trigger Event Type | false | boolean |
| data.dvAttributesPerEventType.scheduledTask.dvEventTypeScheduledTaskUpdate | Scheduled Task Update Event Type | false | boolean |
| data.dvAttributesPerEventType.smartFileMonitoring | Smart file monitoring | false | object |
| data.dvAttributesPerEventType.smartFileMonitoring.smartFileMonitoring | Smart file monitoring | false | boolean |
| data.dvAttributesPerEventType.url | URL Actions event | false | object |
| data.dvAttributesPerEventType.url.dvEventTypeUrl | URL Actions event | false | boolean |
| data.dvAttributesPerEventType.windowsEventLogs | Windows Event Log | false | object |
| data.dvAttributesPerEventType.windowsEventLogs.dvEventTypeWindowsEventLogCreation | Windows Event Log Creation Event Type | false | boolean |
| data.dvAttributesPerEventType.windowsEventLogsExtended | Windows Event Log Extended | false | object |
| data.dvAttributesPerEventType.windowsEventLogsExtended.windowsEventLogsExtended | Windows Event Log Extended Event Type | false | boolean |
| data.engines | The engines statuses | false | object |
| data.engines.applicationControl | application control | false | enum |
| data.engines.dataFiles | data files | false | enum |
| data.engines.executables | executables | false | enum |
| data.engines.exploits | exploits | false | enum |
| data.engines.lateralMovement | lateral movement | false | enum |
| data.engines.penetration | penetration | false | enum |
| data.engines.preExecution | on-write | false | enum |
| data.engines.preExecutionSuspicious | pre execution suspicious | false | enum |
| data.engines.pup | potentially unwanted applications (PUP) | false | enum |
| data.engines.remoteShell | remote shell | false | enum |
| data.engines.reputation | reputation | false | enum |
| data.forensicsAutoTriggering | Forensics auto triggering configuration | false | object |
| data.forensicsAutoTriggering.linuxEnabled | True if linux forensics is enabled | false | boolean |
| data.forensicsAutoTriggering.linuxProfileId | The profile id for the linux forensics | false | string |
| data.forensicsAutoTriggering.linuxProfileName | The profile name for the linux forensics | false | string |
| data.forensicsAutoTriggering.macosEnabled | True if macos forensics is enabled | false | boolean |
| data.forensicsAutoTriggering.macosProfileId | The profile id for the macos forensics | false | string |
| data.forensicsAutoTriggering.macosProfileName | The profile name for the macos forensics | false | string |
| data.forensicsAutoTriggering.windowsEnabled | True if windows forensics is enabled | false | boolean |
| data.forensicsAutoTriggering.windowsProfileId | The profile id for the windows forensics | false | string |
| data.forensicsAutoTriggering.windowsProfileName | The profile name for the windows forensics | false | string |
| data.identityEndpointReporting | Endpoint reporting level | false | enum |
| data.identityOn | Identity module on/off | false | boolean |
| data.identityReportInterval | Identity telemetry report interval in minutes | false | integer |
| data.identityThrottlingInterval | Identity duplicate command consolidation interval in minutes | false | integer |
| data.identityUpdateInterval | Identity update interval in minutes | false | integer |
| data.inheritedFrom | Indicates the parent scope from which this policy is inherited, or 'null' if it is not inherited (modified specifically for the current scope). | false | enum |
| data.ioc | True if ioc is enabled | false | boolean |
| data.iocAttributes | The Ioc attributes | false | object |
| data.iocAttributes.autoInstallBrowserExtensions | Update auto install browser extensions | false | boolean |
| data.iocAttributes.behavioralIndicators | Update behavioral indicators | false | boolean |
| data.iocAttributes.commandScripts | Update command scripts | false | boolean |
| data.iocAttributes.crossProcess | Update cross process | false | boolean |
| data.iocAttributes.dataMasking | Update data masking | false | boolean |
| data.iocAttributes.dllModuleLoad | Update DLL module load | false | boolean |
| data.iocAttributes.dns | Network event - DNS | false | boolean |
| data.iocAttributes.driver | Driver | false | boolean |
| data.iocAttributes.fds | Full disk scan | false | boolean |
| data.iocAttributes.file | File event | false | boolean |
| data.iocAttributes.ip | Network event - IP | false | boolean |
| data.iocAttributes.login | User login/logout event | false | boolean |
| data.iocAttributes.namedPipe | Named Pipe | false | boolean |
| data.iocAttributes.namedPipeExtended | Named Pipe Extended | false | boolean |
| data.iocAttributes.process | Process creation event | false | boolean |
| data.iocAttributes.registry | Registry event | false | boolean |
| data.iocAttributes.scheduledTask | Scheduled task event | false | boolean |
| data.iocAttributes.smartFileMonitoring | Smart file monitoring | false | boolean |
| data.iocAttributes.url | Ioc URI | false | boolean |
| data.iocAttributes.windowsEventLogs | Windows Event Log | false | boolean |
| data.iocAttributes.windowsEventLogsExtended | Windows Event Log Extended | false | boolean |
| data.iocSupported | Ioc supported for the scope | false | boolean |
| data.isDefault | True if this is the tenant policy | false | boolean |
| data.isDvPolicyPerEventType | FE indication as to how to display DV policy | false | boolean |
| data.mitigationMode | Mitigation modes | false | enum |
| data.mitigationModeSuspicious | Mitigation mode | false | enum |
| data.monitorOnExecute | Monitor on execute on/off | false | boolean |
| data.monitorOnWrite | Monitor on write | false | boolean |
| data.networkQuarantineOn | Network quarantine on | false | boolean |
| data.remoteOpsForensics | Remote ops forensics configuration | false | object |
| data.remoteOpsForensics.cpuLimit | CPU resources limit for collection process | false | integer |
| data.remoteOpsForensics.enabled | Enabled | false | boolean |
| data.remoteOpsForensics.maximumDailyUpload | Maximum size to upload daily | false | integer |
| data.remoteOpsForensics.maximumDailyUploadLimit | Limit for the maximum size to upload daily | false | integer |
| data.remoteOpsForensics.maximumFileSizeUpload | Maximum size for single file | false | integer |
| data.remoteOpsForensics.maximumFileSizeUploadLimit | Limit for the maximum file size to upload | false | integer |
| data.remoteOpsForensics.parsedArtifactsDestination | Default destination of parsed artifacts | false | enum |
| data.remoteScriptOrchestration | Remote script orchestration upload limits configuration | false | object |
| data.remoteScriptOrchestration.alwaysUploadStreamToCloud | Always upload streams to cloud | false | boolean |
| data.remoteScriptOrchestration.maxDailyFileDownload | Maximum size (MB) to download daily | false | integer |
| data.remoteScriptOrchestration.maxDailyFileDownloadLimit | Limit for the maximum size (MB) to download daily | false | integer |
| data.remoteScriptOrchestration.maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer |
| data.remoteScriptOrchestration.maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer |
| data.remoteScriptOrchestration.maxFileSize | Maximum size in bytes for single file | false | integer |
| data.remoteScriptOrchestration.maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer |
| data.remoteScriptOrchestration.maxLocalPackageDiskUsage | Maximum local disk usage (MB) for packages | false | integer |
| data.remoteScriptOrchestration.maxLocalPackageDiskUsageLimit | Limit for the maximum local disk usage (MB) for packages | false | integer |
| data.removeMacros | Determines if macros should be removed from macro threats | false | boolean |
| data.researchOn | Share data with SentinelOne | false | boolean |
| data.scanNewAgents | If True initiate full disk scan upon first registration | false | boolean |
| data.signedDriverBlockingOn | Suspicious signed driver blocking on/off | false | boolean |
| data.snapshotsOn | True if snapshots are enabled | false | boolean |
| data.unsignedDriverBlockingOn | Suspicious unsigned driver blocking on/off | false | boolean |
| data.updatedAt | Time of the last update to the policy | false | string |
| data.userFullName | The user that created the policy | false | string |
| data.userId | The user id | false | string |

Site Policy
GET /web/api/v2.1/sites/{site_id}/policy

Get the policy of the Site given by ID. To get the ID of a Site, run "sites". See also: Get Policy.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

404 - Policy not found

Response Schema
| Name | Description | Required | Value |
| --- | --- | --- | --- |
| data | Response data | false | object |
| data.agentLoggingOn | True if logging is enabled in the agent | false | boolean |
| data.agentNotification | [DEPRECATED] Show end point notification on suspicious. Replaced by 'show_suspicious' in the agent UI section | false | boolean |
| data.agentUi | Agent ui | false | object |
| data.agentUi.agentUiOn | Agent ui on | false | boolean |
| data.agentUi.contactCompany | Contact company | false | string |
| data.agentUi.contactDirectMessage | Contact direct message | false | string |
| data.agentUi.contactEmail | Contact email | false | string |
| data.agentUi.contactFreeText | Contact free text | false | string |
| data.agentUi.contactOther | Contact other | false | string |
| data.agentUi.contactPhoneNumber | Contact phone number | false | string |
| data.agentUi.contactSupportWebsite | Contact support website | false | string |
| data.agentUi.devicePopUpNotifications | Device pop up notifications | false | boolean |
| data.agentUi.maxEventAgeDays | Max event age days | false | integer |
| data.agentUi.showAgentWarnings | Show agent warnings | false | boolean |
| data.agentUi.showDeviceTab | Show device tab | false | boolean |
| data.agentUi.showQuarantineTab | Show quarantine tab | false | boolean |
| data.agentUi.showSupport | Show support | false | boolean |
| data.agentUi.showSuspicious | Show suspicious | false | boolean |
| data.agentUi.threatPopUpNotifications | Threat pop up notifications | false | boolean |
| data.agentUiOn | [DEPRECATED] Show/hide Agent UI. Moved inside the agent UI section | false | boolean |
| data.allowRemoteShell | True if Remote Shell is enabled for the scope | false | boolean |
| data.antiTamperingOn | Anti tampering on/off | false | boolean |
| data.autoDecommissionDays | Automatic decommission period in days | false | integer |
| data.autoDecommissionOn | Auto decommission on | false | boolean |
| data.autoFileUpload | Automatic file upload configuration | false | object |
| data.autoFileUpload.enabled | Automatic file upload on/off | false | boolean |
| data.autoFileUpload.includeBenignFiles | Upload benign files | false | boolean |
| data.autoFileUpload.maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer |
| data.autoFileUpload.maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer |
| data.autoFileUpload.maxFileSize | Maximum file size (MB) to upload | false | integer |
| data.autoFileUpload.maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer |
| data.autoFileUpload.maxLocalDiskUsage | Maximum local disk usage (MB) for uploaded files | false | integer |
| data.autoFileUpload.maxLocalDiskUsageLimit | Limit for the maximum local disk usage (MB) for uploaded files | false | integer |
| data.autoImmuneOn | Automatic immune on/off - this value must be true since all policies are immune by default | false | boolean |
| data.autoMitigationAction | Default action for auto mitigation | false | string |
| data.cloudValidationOn | Cloud validation on | false | |
| data.createdAt | Timestamp of policy creation | false | string |
| data.driverBlocking | Suspicious driver blocking engine on/off | false | boolean |
| data.dvAttributesPerEventType | The DV attributes | false | object |
| data.dvAttributesPerEventType.autoInstallBrowserExtensions | Auto install browser extensions | false | object |
| data.dvAttributesPerEventType.autoInstallBrowserExtensions.autoInstallBrowserExtensions | Auto install browser extensions | false | boolean |
| data.dvAttributesPerEventType.behavioralIndicators | Behavioral indicators event | false | object |
| data.dvAttributesPerEventType.behavioralIndicators.dvEventTypeBehavioralIndicators | Behavioral indicators event | false | boolean |
| data.dvAttributesPerEventType.commandScripts | Command scripts event | false | object |
| data.dvAttributesPerEventType.commandScripts.dvEventTypeCommandScripts | Command scripts event | false | boolean |
| data.dvAttributesPerEventType.crossProcess | Cross process event | false | object |
| data.dvAttributesPerEventType.crossProcess.dvEventTypeCrossProcessDuplicateProcess | Duplicate Process Event Type | false | boolean |
| data.dvAttributesPerEventType.crossProcess.dvEventTypeCrossProcessDuplicateThread | Duplicate Thread Event Type | false | boolean |
| data.dvAttributesPerEventType.crossProcess.dvEventTypeCrossProcessOpenProcess | Open Process Event Type | false | boolean |
| data.dvAttributesPerEventType.crossProcess.dvEventTypeCrossProcessRemoteThread | Remote Thread Event Type | false | boolean |
| data.dvAttributesPerEventType.dataMasking | Data masking | false | object |
| data.dvAttributesPerEventType.dataMasking.dataMasking | Data masking | false | boolean |
| data.dvAttributesPerEventType.dllModuleLoad | DLL module load event | false | object |
| data.dvAttributesPerEventType.dllModuleLoad.dvEventTypeDllModuleLoad | DLL module load event | false | boolean |
| data.dvAttributesPerEventType.dns | Network event - DNS | false | object |
| data.dvAttributesPerEventType.dns.dvEventTypeDns | Network event - DNS | false | boolean |
| data.dvAttributesPerEventType.driver | Driver | false | object |
| data.dvAttributesPerEventType.driver.dvEventTypeDriverLoad | Driver Load | false | boolean |
| data.dvAttributesPerEventType.file | File event | false | object |
| data.dvAttributesPerEventType.file.dvEventTypeFileCreation | File Creation Event Type | false | boolean |
| data.dvAttributesPerEventType.file.dvEventTypeFileDeletion | File Deletion Event Type | false | boolean |
| data.dvAttributesPerEventType.file.dvEventTypeFileModification | File Modification Event Type | false | boolean |
| data.dvAttributesPerEventType.file.dvEventTypeFileRename | File Rename Event Type | false | boolean |
| data.dvAttributesPerEventType.file.fullDiskScan | File Scan Event Type | false | boolean |
| data.dvAttributesPerEventType.ip | Network event - IP | false | object |
| data.dvAttributesPerEventType.ip.dvEventTypeIpConnect | IP Connect Event Type | false | boolean |
| data.dvAttributesPerEventType.ip.dvEventTypeIpListen | IP Listen Event Type | false | boolean |
| data.dvAttributesPerEventType.login | User login/logout event | false | object |
| data.dvAttributesPerEventType.login.dvEventTypeLoginLoggedIn | User Login Event Type | false | boolean |
| data.dvAttributesPerEventType.login.dvEventTypeLoginLoggedOut | User Logout Event Type | false | boolean |
| data.dvAttributesPerEventType.namedPipe | Named Pipe | false | object |
| data.dvAttributesPerEventType.namedPipe.dvEventTypeNamedPipeConnection | Named Pipe Connection Event Type | false | boolean |
| data.dvAttributesPerEventType.namedPipe.dvEventTypeNamedPipeCreation | Named Pipe Creation Event Type | false | boolean |
| data.dvAttributesPerEventType.namedPipeExtended | Named Pipe Extended | false | object |
| data.dvAttributesPerEventType.namedPipeExtended.namedPipeExtended | Named Pipe Connection Extended Event Type | false | boolean |
| data.dvAttributesPerEventType.process | Process event | false | object |
| data.dvAttributesPerEventType.process.dvEventTypeProcessCreation | Process Creation Event Type | false | boolean |
| data.dvAttributesPerEventType.process.dvEventTypeProcessExit | Process Exit Event Type | false | boolean |
| data.dvAttributesPerEventType.process.dvEventTypeProcessModification | Process Termination Event Type | false | boolean |
| data.dvAttributesPerEventType.registry | Registry event | false | object |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryKeyCreated | Registry Key Created Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryKeyDelete | Registry Key Delete Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryKeyExport | Registry Key Export Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryKeyImport | Registry Key Import Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryKeyRename | Registry Key Rename Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryKeySecurityChanged | Registry Key Security Changed Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryValueCreated | Registry Value Created Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryValueDeleted | Registry Value Deleted Event Type | false | boolean |
| data.dvAttributesPerEventType.registry.dvEventTypeRegistryValueModified | Registry Value Modified Event Type | false | boolean |
| data.dvAttributesPerEventType.scheduledTask | Scheduled task event | false | object |
| data.dvAttributesPerEventType.scheduledTask.dvEventTypeScheduledTaskDelete | Scheduled Task Delete Event Type | false | boolean |

1756
dvEventTypeS Scheduled false boolean
cheduledTask Task Register
Register Event Type
dvEventTypeS Scheduled false boolean
cheduledTask Task Start
Start Event Type
dvEventTypeS Scheduled false boolean
cheduledTaskT Task Trigeer
rigger Event Type
dvEventTypeS Scheduled false boolean
cheduledTask Task Update
Update Event Type

smartFileMoni Smart file false Name Description Required Value


toring monitoring
smartFileMoni Smart file false boolean
toring monitoring

url URL Actions false Name Description Required Value


event
dvEventTypeU URL Actions false boolean
rl event

windowsEven Windows false Name Description Required Value


tLogs Event Log
dvEventType Windows false boolean
WindowsEven Event Log
tLogCreation Creation
Event Type

windowsEven Windows false Name Description Required Value


tLogsExtende Event Log
d Extended windowsEven Windows false boolean
tLogsExtende Event Log
d Extended
Event Type

  engines | The engines statuses | false | (nested)
    applicationControl | application control | false | enum
    dataFiles | data files | false | enum
    executables | executables | false | enum
    exploits | exploits | false | enum
    lateralMovement | lateral movement | false | enum
    penetration | penetration | false | enum
    preExecution | on-write | false | enum
    preExecutionSuspicious | pre execution suspicious | false | enum
    pup | potentially unwanted applications (PUP) | false | enum
    remoteShell | remote shell | false | enum
    reputation | reputation | false | enum
  forensicsAutoTriggering | Forensics auto triggering configuration | false | (nested)
    linuxEnabled | True if linux forensics is enabled | false | boolean
    linuxProfileId | The profile id for the linux forensics | false | string
    linuxProfileName | The profile name for the linux forensics | false | string
    macosEnabled | True if macos forensics is enabled | false | boolean
    macosProfileId | The profile id for the macos forensics | false | string
    macosProfileName | The profile name for the macos forensics | false | string
    windowsEnabled | True if windows forensics is enabled | false | boolean
    windowsProfileId | The profile id for the windows forensics | false | string
    windowsProfileName | The profile name for the windows forensics | false | string
  fwForNetworkQuarantineEnabled | True if Firewall Control for Network Quarantine is enabled | false | boolean
  identityEndpointReporting | Endpoint reporting level | false | enum
  identityOn | Identity module on/off | false | boolean
  identityReportInterval | Identity telemetry report interval in minutes | false | integer
  identityThrottlingInterval | Identity duplicate command consolidation interval in minutes | false | integer
  identityUpdateInterval | Identity update interval in minutes | false | integer
  inheritedFrom | Indicates the parent scope from which this policy is inherited, or 'null' if it is not inherited (modified specifically for the current scope). | false | enum
  ioc | True if ioc is enabled | false | boolean
  iocAttributes | The Ioc attributes | false | (nested)
    autoInstallBrowserExtensions | Update auto install browser extensions | false | boolean
    behavioralIndicators | Update behavioral indicators | false | boolean
    commandScripts | Update command scripts | false | boolean
    crossProcess | Update cross process | false | boolean
    dataMasking | Update data masking | false | boolean
    dllModuleLoad | Update DLL module load | false | boolean
    dns | Network event - DNS | false | boolean
    driver | Driver | false | boolean
    fds | Full disk scan | false | boolean
    file | File event | false | boolean
    ip | Network event - IP | false | boolean
    login | User login/logout event | false | boolean
    namedPipe | Named Pipe | false | boolean
    namedPipeExtended | Named Pipe Extended | false | boolean
    process | Process creation event | false | boolean
    registry | Registry event | false | boolean
    scheduledTask | Scheduled task event | false | boolean
    smartFileMonitoring | Smart file monitoring | false | boolean
    url | Ioc URI | false | boolean
    windowsEventLogs | Windows Event Log | false | boolean
    windowsEventLogsExtended | Windows Event Log Extended | false | boolean
  iocSupported | Ioc supported for the scope | false | boolean
  isDefault | True if this is the tenant policy | false | boolean
  isDvPolicyPerEventType | FE indication as to how to display DV policy | false | boolean
  mitigationMode | Mitigation modes | false | enum
  mitigationModeSuspicious | Mitigation mode | false | enum
  monitorOnExecute | Monitor on execute on/off | false | boolean
  monitorOnWrite | Monitor on write | false | boolean
  networkQuarantineOn | Network quarantine on | false | boolean
  remoteOpsForensics | Remote ops forensics configuration | false | (nested)
    cpuLimit | CPU resources limit for collection process | false | integer
    enabled | Enabled | false | boolean
    maximumDailyUpload | Maximum size to upload daily | false | integer
    maximumDailyUploadLimit | Limit for the maximum size to upload daily | false | integer
    maximumFileSizeUpload | Maximum size for single file | false | integer
    maximumFileSizeUploadLimit | Limit for the maximum file size to upload | false | integer
    parsedArtifactsDestination | Default destination of parsed artifacts | false | enum
  remoteScriptOrchestration | Remote script orchestration upload limits configuration | false | (nested)
    alwaysUploadStreamToCloud | Always upload streams to cloud | false | boolean
    maxDailyFileDownload | Maximum size (MB) to download daily | false | integer
    maxDailyFileDownloadLimit | Limit for the maximum size (MB) to download daily | false | integer
    maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer
    maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer
    maxFileSize | Maximum size in bytes for single file | false | integer
    maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer
    maxLocalPackageDiskUsage | Maximum local disk usage (MB) for packages | false | integer
    maxLocalPackageDiskUsageLimit | Limit for the maximum local disk usage (MB) for packages | false | integer
  removeMacros | Determines if macros should be removed from macro threats | false | boolean
  researchOn | Share data with SentinelOne | false | boolean
  scanNewAgents | If True initiate full disk scan upon first registration | false | boolean
  signedDriverBlockingOn | Suspicious signed driver blocking on/off | false | boolean
  snapshotsOn | True if snapshots are enabled | false | boolean
  unsignedDriverBlockingOn | Suspicious unsigned driver blocking on/off | false | boolean
  updatedAt | Time of the last update to the policy | false | string
  userFullName | The user that created the policy | false | string
  userId | The user id | false | string
errors | Errors | false | array

Update Site Policy
PUT /web/api/v2.1/sites/{site_id}/policy

Change the policy for the Site given by ID. Best practice: Get the policy of the Site before you attempt to change it. See also: Get Policy.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Site not found
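
The best practice above (read the Site policy, then change it) can be turned into a pre-flight check. The following is an added example, not SentinelOne's own code: it merges the intended changes into the fetched policy, lists every field that would change, and refuses to build the PUT request when a change switches off a protection or a Deep Visibility event type without explicit approval. The host name, the `ApiToken` authorization header, the choice of which booleans count as protective, and sending each changed top-level key with its full merged value are assumptions of this example; the sample policy is constructed.

```python
import copy
import json
import urllib.parse
import urllib.request

# Boolean fields taken from this page's policy schema. Treating True as the
# stronger setting for them is an assumption of this example.
STRONGER_WHEN_TRUE = {
    "antiTamperingOn", "snapshotsOn", "monitorOnExecute", "monitorOnWrite",
    "networkQuarantineOn", "signedDriverBlockingOn", "unsignedDriverBlockingOn",
}
STRONGER_WHEN_FALSE = {"allowRemoteShell"}       # True widens remote access
TELEMETRY_PREFIX = "dvAttributesPerEventType."   # True -> False loses telemetry

# Constructed sample of what a prior GET of the Site policy might return in "data".
SAMPLE_CURRENT = {
    "antiTamperingOn": True,
    "allowRemoteShell": False,
    "snapshotsOn": True,
    "autoDecommissionDays": 21,
    "dvAttributesPerEventType": {
        "process": {"dvEventTypeProcessCreation": True, "dvEventTypeProcessExit": True},
        "dns": {"dvEventTypeDns": True},
    },
}


def flatten(policy, prefix=""):
    """Map every leaf of a nested policy dict to a dotted path."""
    flat = {}
    for key, value in policy.items():
        if isinstance(value, dict):
            flat.update(flatten(value, prefix + key + "."))
        else:
            flat[prefix + key] = value
    return flat


def deep_merge(base, overrides):
    """Return a copy of base with overrides applied, recursing into nested objects."""
    merged = copy.deepcopy(base)
    for key, value in overrides.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def diff_policy(current, proposed):
    """List (path, old, new) for every leaf that differs, sorted by path."""
    before, after = flatten(current), flatten(proposed)
    return sorted(
        (path, before.get(path), after.get(path))
        for path in set(before) | set(after)
        if before.get(path) != after.get(path)
    )


def weakening_changes(changes):
    """Keep only the changes that switch a protection or telemetry source off."""
    weak = []
    for path, old, new in changes:
        if path in STRONGER_WHEN_TRUE or path.startswith(TELEMETRY_PREFIX):
            if old is True and new is False:
                weak.append((path, old, new))
        elif path in STRONGER_WHEN_FALSE and old is False and new is True:
            weak.append((path, old, new))
    return weak


def build_update_request(base_url, site_id, api_token, current, overrides, approved=()):
    """Build (but do not send) the PUT request; raise on unapproved weakening."""
    proposed = deep_merge(current, overrides)
    changes = diff_policy(current, proposed)
    blocked = [c for c in weakening_changes(changes) if c[0] not in approved]
    if blocked:
        raise ValueError(
            "unapproved weakening changes: " + ", ".join(p for p, _, _ in blocked)
        )
    # Send only the touched top-level keys, each with its merged value, so a
    # nested object is never submitted half-filled (assumption of this example).
    body = {"data": {key: proposed[key] for key in overrides}}
    url = "{}/web/api/v2.1/sites/{}/policy".format(
        base_url.rstrip("/"), urllib.parse.quote(str(site_id), safe="")
    )
    request = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={
            "Content-Type": "application/json",
            "Authorization": "ApiToken " + api_token,  # assumed auth scheme
        },
    )
    return request, changes
```

The returned change list is worth writing to the change ticket or audit log before the request is actually sent with `urllib.request.urlopen`.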

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested)
  agentLoggingOn | True if logging is enabled in the agent | false | boolean
  agentNotification | [DEPRECATED] Show end point notification on suspicious. Replaced by 'show_suspicious' in the agent UI section | false | boolean
  agentUi | Agent ui | false | (nested)
    agentUiOn | Agent ui on | false | boolean
    contactCompany | Contact company | false | string
    contactDirectMessage | Contact direct message | false | string
    contactEmail | Contact email | false | string
    contactFreeText | Contact free text | false | string
    contactOther | Contact other | false | string
    contactPhoneNumber | Contact phone number | false | string
    contactSupportWebsite | Contact support website | false | string
    devicePopUpNotifications | Device pop up notifications | false | boolean
    maxEventAgeDays | Max event age days | false | integer
    showAgentWarnings | Show agent warnings | false | boolean
    showDeviceTab | Show device tab | false | boolean
    showQuarantineTab | Show quarantine tab | false | boolean
    showSupport | Show support | false | boolean
    showSuspicious | Show suspicious | false | boolean
    threatPopUpNotifications | Threat pop up notifications | false | boolean
  agentUiOn | [DEPRECATED] Show/hide Agent UI. Moved inside the agent UI section | false | boolean
  allowRemoteShell | True if Remote Shell is enabled for the scope | false | boolean
  antiTamperingOn | Anti tampering on/off | false | boolean
  autoDecommissionDays | Automatic decommission period in days | false | integer
  autoDecommissionOn | Auto decommission on | false | boolean
  autoFileUpload | Automatic file upload configuration | false | (nested)
    enabled | Automatic file upload on/off | false | boolean
    includeBenignFiles | Upload benign files | false | boolean
    maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer
    maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer
    maxFileSize | Maximum file size (MB) to upload | false | integer
    maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer
    maxLocalDiskUsage | Maximum local disk usage (MB) for uploaded files | false | integer
    maxLocalDiskUsageLimit | Limit for the maximum local disk usage (MB) for uploaded files | false | integer
  autoImmuneOn | Automatic immune on/off - this value must be true since all policies are immune by default | false | boolean
  autoMitigationAction | Default action for auto mitigation | false | string
  cloudValidationOn | Cloud validation on | false |
  createdAt | Timestamp of policy creation | false | string
  driverBlocking | Suspicious driver blocking engine on/off | false | boolean
  dvAttributesPerEventType | The DV attributes | false | (nested)
    autoInstallBrowserExtensions | Auto install browser extensions | false | (nested)
      autoInstallBrowserExtensions | Auto install browser extensions | false | boolean
    behavioralIndicators | Behavioral indicators event | false | (nested)
      dvEventTypeBehavioralIndicators | Behavioral indicators event | false | boolean
    commandScripts | Command scripts event | false | (nested)
      dvEventTypeCommandScripts | Command scripts event | false | boolean
    crossProcess | Cross process event | false | (nested)
      dvEventTypeCrossProcessDuplicateProcess | Duplicate Process Event Type | false | boolean
      dvEventTypeCrossProcessDuplicateThread | Duplicate Thread Event Type | false | boolean
      dvEventTypeCrossProcessOpenProcess | Open Process Event Type | false | boolean
      dvEventTypeCrossProcessRemoteThread | Remote Thread Event Type | false | boolean
    dataMasking | Data masking | false | (nested)
      dataMasking | Data masking | false | boolean
    dllModuleLoad | DLL module load event | false | (nested)
      dvEventTypeDllModuleLoad | DLL module load event | false | boolean
    dns | Network event - DNS | false | (nested)
      dvEventTypeDns | Network event - DNS | false | boolean
    driver | Driver | false | (nested)
      dvEventTypeDriverLoad | Driver Load | false | boolean
    file | File event | false | (nested)
      dvEventTypeFileCreation | File Creation Event Type | false | boolean
      dvEventTypeFileDeletion | File Deletion Event Type | false | boolean
      dvEventTypeFileModification | File Modification Event Type | false | boolean
      dvEventTypeFileRename | File Rename Event Type | false | boolean
      fullDiskScan | File Scan Event Type | false | boolean
    ip | Network event - IP | false | (nested)
      dvEventTypeIpConnect | IP Connect Event Type | false | boolean
      dvEventTypeIpListen | IP Listen Event Type | false | boolean
    login | User login/logout event | false | (nested)
      dvEventTypeLoginLoggedIn | User Login Event Type | false | boolean
      dvEventTypeLoginLoggedOut | User Logout Event Type | false | boolean
    namedPipe | Named Pipe | false | (nested)
      dvEventTypeNamedPipeConnection | Named Pipe Connection Event Type | false | boolean
      dvEventTypeNamedPipeCreation | Named Pipe Creation Event Type | false | boolean
    namedPipeExtended | Named Pipe Extended | false | (nested)
      namedPipeExtended | Named Pipe Connection Extended Event Type | false | boolean
    process | Process event | false | (nested)
      dvEventTypeProcessCreation | Process Creation Event Type | false | boolean
      dvEventTypeProcessExit | Process Exit Event Type | false | boolean
      dvEventTypeProcessModification | Process Termination Event Type | false | boolean
    registry | Registry event | false | (nested)
      dvEventTypeRegistryKeyCreated | Registry Key Created Event Type | false | boolean
      dvEventTypeRegistryKeyDelete | Registry Key Delete Event Type | false | boolean
      dvEventTypeRegistryKeyExport | Registry Key Export Event Type | false | boolean
      dvEventTypeRegistryKeyImport | Registry Key Import Event Type | false | boolean
      dvEventTypeRegistryKeyRename | Registry Key Rename Event Type | false | boolean
      dvEventTypeRegistryKeySecurityChanged | Registry Key Security Changed Event Type | false | boolean
      dvEventTypeRegistryValueCreated | Registry Value Created Event Type | false | boolean
      dvEventTypeRegistryValueDeleted | Registry Value Deleted Event Type | false | boolean
      dvEventTypeRegistryValueModified | Registry Value Modified Event Type | false | boolean
    scheduledTask | Scheduled task event | false | (nested)
      dvEventTypeScheduledTaskDelete | Scheduled Task Delete Event Type | false | boolean
      dvEventTypeScheduledTaskRegister | Scheduled Task Register Event Type | false | boolean
      dvEventTypeScheduledTaskStart | Scheduled Task Start Event Type | false | boolean
      dvEventTypeScheduledTaskTrigger | Scheduled Task Trigger Event Type | false | boolean
      dvEventTypeScheduledTaskUpdate | Scheduled Task Update Event Type | false | boolean
    smartFileMonitoring | Smart file monitoring | false | (nested)
      smartFileMonitoring | Smart file monitoring | false | boolean
    url | URL Actions event | false | (nested)
      dvEventTypeUrl | URL Actions event | false | boolean
    windowsEventLogs | Windows Event Log | false | (nested)
      dvEventTypeWindowsEventLogCreation | Windows Event Log Creation Event Type | false | boolean
    windowsEventLogsExtended | Windows Event Log Extended | false | (nested)
      windowsEventLogsExtended | Windows Event Log Extended Event Type | false | boolean
  engines | The engines statuses | false | (nested)
    applicationControl | application control | false | enum
    dataFiles | data files | false | enum
    executables | executables | false | enum
    exploits | exploits | false | enum
    lateralMovement | lateral movement | false | enum
    penetration | penetration | false | enum
    preExecution | on-write | false | enum
    preExecutionSuspicious | pre execution suspicious | false | enum
    pup | potentially unwanted applications (PUP) | false | enum
    remoteShell | remote shell | false | enum
    reputation | reputation | false | enum
  forensicsAutoTriggering | Forensics auto triggering configuration | false | (nested)
    linuxEnabled | True if linux forensics is enabled | false | boolean
    linuxProfileId | The profile id for the linux forensics | false | string
    linuxProfileName | The profile name for the linux forensics | false | string
    macosEnabled | True if macos forensics is enabled | false | boolean
    macosProfileId | The profile id for the macos forensics | false | string
    macosProfileName | The profile name for the macos forensics | false | string
    windowsEnabled | True if windows forensics is enabled | false | boolean
    windowsProfileId | The profile id for the windows forensics | false | string
    windowsProfileName | The profile name for the windows forensics | false | string
  fwForNetworkQuarantineEnabled | True if Firewall Control for Network Quarantine is enabled | false | boolean
  identityEndpointReporting | Endpoint reporting level | false | enum
  identityOn | Identity module on/off | false | boolean
  identityReportInterval | Identity telemetry report interval in minutes | false | integer
  identityThrottlingInterval | Identity duplicate command consolidation interval in minutes | false | integer
  identityUpdateInterval | Identity update interval in minutes | false | integer
  inheritedFrom | Indicates the parent scope from which this policy is inherited, or 'null' if it is not inherited (modified specifically for the current scope). | false | enum
  ioc | True if ioc is enabled | false | boolean
  iocAttributes | The Ioc attributes | false | (nested)
    autoInstallBrowserExtensions | Update auto install browser extensions | false | boolean
    behavioralIndicators | Update behavioral indicators | false | boolean
    commandScripts | Update command scripts | false | boolean
    crossProcess | Update cross process | false | boolean
    dataMasking | Update data masking | false | boolean
    dllModuleLoad | Update DLL module load | false | boolean
    dns | Network event - DNS | false | boolean
    driver | Driver | false | boolean
    fds | Full disk scan | false | boolean
    file | File event | false | boolean
    ip | Network event - IP | false | boolean
    login | User login/logout event | false | boolean
    namedPipe | Named Pipe | false | boolean
    namedPipeExtended | Named Pipe Extended | false | boolean
    process | Process creation event | false | boolean
    registry | Registry event | false | boolean
    scheduledTask | Scheduled task event | false | boolean
    smartFileMonitoring | Smart file monitoring | false | boolean
    url | Ioc URI | false | boolean
    windowsEventLogs | Windows Event Log | false | boolean
    windowsEventLogsExtended | Windows Event Log Extended | false | boolean
  iocSupported | Ioc supported for the scope | false | boolean
  isDefault | True if this is the tenant policy | false | boolean
  isDvPolicyPerEventType | FE indication as to how to display DV policy | false | boolean
  mitigationMode | Mitigation modes | false | enum
  mitigationModeSuspicious | Mitigation mode | false | enum
  monitorOnExecute | Monitor on execute on/off | false | boolean
  monitorOnWrite | Monitor on write | false | boolean
  networkQuarantineOn | Network quarantine on | false | boolean
  remoteOpsForensics | Remote ops forensics configuration | false | (nested)
    cpuLimit | CPU resources limit for collection process | false | integer
    enabled | Enabled | false | boolean
    maximumDailyUpload | Maximum size to upload daily | false | integer
    maximumDailyUploadLimit | Limit for the maximum size to upload daily | false | integer
    maximumFileSizeUpload | Maximum size for single file | false | integer
    maximumFileSizeUploadLimit | Limit for the maximum file size to upload | false | integer
    parsedArtifactsDestination | Default destination of parsed artifacts | false | enum
  remoteScriptOrchestration | Remote script orchestration upload limits configuration | false | (nested)
    alwaysUploadStreamToCloud | Always upload streams to cloud | false | boolean
    maxDailyFileDownload | Maximum size (MB) to download daily | false | integer
    maxDailyFileDownloadLimit | Limit for the maximum size (MB) to download daily | false | integer
    maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer
    maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer
    maxFileSize | Maximum size in bytes for single file | false | integer
    maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer
    maxLocalPackageDiskUsage | Maximum local disk usage (MB) for packages | false | integer
    maxLocalPackageDiskUsageLimit | Limit for the maximum local disk usage (MB) for packages | false | integer
  removeMacros | Determines if macros should be removed from macro threats | false | boolean
  researchOn | Share data with SentinelOne | false | boolean
  scanNewAgents | If True initiate full disk scan upon first registration | false | boolean
  signedDriverBlockingOn | Suspicious signed driver blocking on/off | false | boolean
  snapshotsOn | True if snapshots are enabled | false | boolean
  unsignedDriverBlockingOn | Suspicious unsigned driver blocking on/off | false | boolean
  updatedAt | Time of the last update to the policy | false | string
  userFullName | The user that created the policy | false | string
  userId | The user id | false | string
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (nested)
  agentLoggingOn | True if logging is enabled in the agent | false | boolean
  agentNotification | [DEPRECATED] Show end point notification on suspicious. Replaced by 'show_suspicious' in the agent UI section | false | boolean
  agentUi | Agent ui | false | (nested)
    agentUiOn | Agent ui on | false | boolean
    contactCompany | Contact company | false | string
    contactDirectMessage | Contact direct message | false | string
    contactEmail | Contact email | false | string
    contactFreeText | Contact free text | false | string
    contactOther | Contact other | false | string
    contactPhoneNumber | Contact phone number | false | string
    contactSupportWebsite | Contact support website | false | string
    devicePopUpNotifications | Device pop up notifications | false | boolean
    maxEventAgeDays | Max event age days | false | integer
    showAgentWarnings | Show agent warnings | false | boolean
    showDeviceTab | Show device tab | false | boolean
    showQuarantineTab | Show quarantine tab | false | boolean
    showSupport | Show support | false | boolean
    showSuspicious | Show suspicious | false | boolean
    threatPopUpNotifications | Threat pop up notifications | false | boolean
  agentUiOn | [DEPRECATED] Show/hide Agent UI. Moved inside the agent UI section | false | boolean
  allowRemoteShell | True if Remote Shell is enabled for the scope | false | boolean
  antiTamperingOn | Anti tampering on/off | false | boolean
  autoDecommissionDays | Automatic decommission period in days | false | integer
  autoDecommissionOn | Auto decommission on | false | boolean
  autoFileUpload | Automatic file upload configuration | false | (nested)
    enabled | Automatic file upload on/off | false | boolean
    includeBenignFiles | Upload benign files | false | boolean
    maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer
    maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer
    maxFileSize | Maximum file size (MB) to upload | false | integer
    maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer
    maxLocalDiskUsage | Maximum local disk usage (MB) for uploaded files | false | integer
    maxLocalDiskUsageLimit | Limit for the maximum local disk usage (MB) for uploaded files | false | integer
  autoImmuneOn | Automatic immune on/off - this value must be true since all policies are immune by default | false | boolean
  autoMitigationAction | Default action for auto mitigation | false | string
  cloudValidationOn | Cloud validation on | false |
  createdAt | Timestamp of policy creation | false | string
  driverBlocking | Suspicious driver blocking engine on/off | false | boolean
  dvAttributesPerEventType | The DV attributes | false | (nested)
    autoInstallBrowserExtensions | Auto install browser extensions | false | (nested)
      autoInstallBrowserExtensions | Auto install browser extensions | false | boolean
    behavioralIndicators | Behavioral indicators event | false | (nested)
      dvEventTypeBehavioralIndicators | Behavioral indicators event | false | boolean
    commandScripts | Command scripts event | false | (nested)
      dvEventTypeCommandScripts | Command scripts event | false | boolean
    crossProcess | Cross process event | false | (nested)
      dvEventTypeCrossProcessDuplicateProcess | Duplicate Process Event Type | false | boolean
      dvEventTypeCrossProcessDuplicateThread | Duplicate Thread Event Type | false | boolean
      dvEventTypeCrossProcessOpenProcess | Open Process Event Type | false | boolean
      dvEventTypeCrossProcessRemoteThread | Remote Thread Event Type | false | boolean
    dataMasking | Data masking | false | (nested)
      dataMasking | Data masking | false | boolean
    dllModuleLoad | DLL module load event | false | (nested)
      dvEventTypeDllModuleLoad | DLL module load event | false | boolean
    dns | Network event - DNS | false | (nested)
      dvEventTypeDns | Network event - DNS | false | boolean
    driver | Driver | false | (nested)
      dvEventTypeDriverLoad | Driver Load | false | boolean
    file | File event | false | (nested)
      dvEventTypeFileCreation | File Creation Event Type | false | boolean
      dvEventTypeFileDeletion | File Deletion Event Type | false | boolean
      dvEventTypeFileModification | File Modification Event Type | false | boolean
      dvEventTypeFileRename | File Rename Event Type | false | boolean
      fullDiskScan | File Scan Event Type | false | boolean
    ip | Network event - IP | false | (nested)
      dvEventTypeIpConnect | IP Connect Event Type | false | boolean
      dvEventTypeIpListen | IP Listen Event Type | false | boolean
    login | User login/logout event | false | (nested)
      dvEventTypeLoginLoggedIn | User Login Event Type | false | boolean
      dvEventTypeLoginLoggedOut | User Logout Event Type | false | boolean
    namedPipe | Named Pipe | false | (nested)
      dvEventTypeNamedPipeConnection | Named Pipe Connection Event Type | false | boolean
      dvEventTypeNamedPipeCreation | Named Pipe Creation Event Type | false | boolean
    namedPipeExtended | Named Pipe Extended | false | (nested)
      namedPipeExtended | Named Pipe Connection Extended Event Type | false | boolean
    process | Process event | false | (nested)
      dvEventTypeProcessCreation | Process Creation Event Type | false | boolean
      dvEventTypeProcessExit | Process Exit Event Type | false | boolean
      dvEventTypeProcessModification | Process Termination Event Type | false | boolean
    registry | Registry event | false | (nested)
      dvEventTypeRegistryKeyCreated | Registry Key Created Event Type | false | boolean
      dvEventTypeRegistryKeyDelete | Registry Key Delete Event Type | false | boolean
      dvEventTypeRegistryKeyExport | Registry Key Export Event Type | false | boolean
      dvEventTypeRegistryKeyImport | Registry Key Import Event Type | false | boolean
      dvEventTypeRegistryKeyRename | Registry Key Rename Event Type | false | boolean
      dvEventTypeRegistryKeySecurityChanged | Registry Key Security Changed Event Type | false | boolean
      dvEventTypeRegistryValueCreated | Registry Value Created Event Type | false | boolean
      dvEventTypeRegistryValueDeleted | Registry Value Deleted Event Type | false | boolean
      dvEventTypeRegistryValueModified | Registry Value Modified Event Type | false | boolean
    scheduledTask | Scheduled task event | false | (nested)
      dvEventTypeScheduledTaskDelete | Scheduled Task Delete Event Type | false | boolean
      dvEventTypeScheduledTaskRegister | Scheduled Task Register Event Type | false | boolean
      dvEventTypeScheduledTaskStart | Scheduled Task Start Event Type | false | boolean
      dvEventTypeScheduledTaskTrigger | Scheduled Task Trigger Event Type | false | boolean
      dvEventTypeScheduledTaskUpdate | Scheduled Task Update Event Type | false | boolean
    smartFileMonitoring | Smart file monitoring | false | (nested)
      smartFileMonitoring | Smart file monitoring | false | boolean
    url | URL Actions event | false | (nested)
      dvEventTypeUrl | URL Actions event | false | boolean
    windowsEventLogs | Windows Event Log | false | (nested)
      dvEventTypeWindowsEventLogCreation | Windows Event Log Creation Event Type | false | boolean
    windowsEventLogsExtended | Windows Event Log Extended | false | (nested)
      windowsEventLogsExtended | Windows Event Log Extended Event Type | false | boolean
  engines | The engines statuses | false | (nested)
    applicationControl | application control | false | enum
    dataFiles | data files | false | enum
    executables | executables | false | enum
    exploits | exploits | false | enum
    lateralMovement | lateral movement | false | enum
    penetration | penetration | false | enum
    preExecution | on-write | false | enum
    preExecutionSuspicious | pre execution suspicious | false | enum
    pup | potentially unwanted applications (PUP) | false | enum
    remoteShell | remote shell | false | enum
    reputation | reputation | false | enum
  forensicsAutoTriggering | Forensics auto triggering configuration | false | (nested)
    linuxEnabled | True if linux forensics is enabled | false | boolean
    linuxProfileId | The profile id for the linux forensics | false | string
    linuxProfileName | The profile name for the linux forensics | false | string
    macosEnabled | True if macos forensics is enabled | false | boolean
    macosProfileId | The profile id for the macos forensics | false | string
    macosProfileName | The profile name for the macos forensics | false | string
    windowsEnabled | True if windows forensics is enabled | false | boolean
    windowsProfileId | The profile id for the windows forensics | false | string
    windowsProfileName | The profile name for the windows forensics | false | string
  identityEndpointReporting | Endpoint reporting level | false | enum
  identityOn | Identity module on/off | false | boolean
  identityReportInterval | Identity telemetry report interval in minutes | false | integer
  identityThrottlingInterval | Identity duplicate command consolidation interval in minutes | false | integer
  identityUpdateInterval | Identity update interval in minutes | false | integer
  inheritedFrom | Indicates the parent scope from which this policy is inherited, or 'null' if it is not inherited (modified specifically for the current scope). | false | enum
  ioc | True if ioc is enabled | false | boolean
iocAttributes The Ioc false Name Description Required Value
attributes
autoInstallBr Update auto false boolean
owserExtensi install
ons browser
extensions
behavioralInd Update false boolean
icators behavioral
indicators
commandScri Update false boolean
pts command
scripts
crossProcess Update cross false boolean
process

1789
dataMasking Update data false boolean
masking
dllModuleLoa Update DLL false boolean
d module load
dns Network false boolean
event - DNS
driver Driver false boolean
fds Full disk scan false boolean
file File event false boolean
ip Network false boolean
event - IP
login User login/ false boolean
logout event
namedPipe Named Pipe false boolean
namedPipeEx Named Pipe false boolean
tended Extended
process Process false boolean
creation
event
registry Registry false boolean
event
scheduledTas Scheduled false boolean
k task event
smartFileMoni Smart file false boolean
toring monitoring
url Ioc URI false boolean
windowsEven Windows false boolean
tLogs Event Log
windowsEven Windows false boolean
tLogsExtende Event Log
d Extended

  iocSupported Ioc supported for the scope false boolean
  isDefault True if this is the tenant policy false boolean
  isDvPolicyPerEventType FE indication as to how to display DV policy false boolean
  mitigationMode Mitigation modes false enum
  mitigationModeSuspicious Mitigation mode false enum
  monitorOnExecute Monitor on execute on/off false boolean
  monitorOnWrite Monitor on write false boolean
  networkQuarantineOn Network quarantine on false boolean
  remoteOpsForensics Remote ops forensics configuration false
    Name Description Required Value
    cpuLimit CPU resources limit for collection process false integer
    enabled Enabled false boolean
    maximumDailyUpload Maximum size to upload daily false integer
    maximumDailyUploadLimit Limit for the maximum size to upload daily false integer
    maximumFileSizeUpload Maximum size for single file false integer
    maximumFileSizeUploadLimit Limit for the maximum file size to upload false integer
    parsedArtifactsDestination Default destination of parsed artifacts false enum

  remoteScriptOrchestration Remote script orchestration upload limits configuration false
    Name Description Required Value
    alwaysUploadStreamToCloud Always upload streams to cloud false boolean
    maxDailyFileDownload Maximum size (MB) to download daily false integer
    maxDailyFileDownloadLimit Limit for the maximum size (MB) to download daily false integer
    maxDailyFileUpload Maximum size (MB) to upload daily false integer
    maxDailyFileUploadLimit Limit for the maximum size (MB) to upload daily false integer
    maxFileSize Maximum size in bytes for single file false integer
    maxFileSizeLimit Limit for the maximum file size (MB) to upload false integer
    maxLocalPackageDiskUsage Maximum local disk usage (MB) for packages false integer
    maxLocalPackageDiskUsageLimit Limit for the maximum local disk usage (MB) for packages false integer

  removeMacros Determines if macros should be removed from macro threats false boolean
  researchOn Share data with SentinelOne false boolean
  scanNewAgents If True initiate full disk scan upon first registration false boolean
  signedDriverBlockingOn Suspicious signed driver blocking on/off false boolean
  snapshotsOn True if snapshots are enabled false boolean
  unsignedDriverBlockingOn Suspicious unsigned driver blocking on/off false boolean
  updatedAt Time of the last update to the policy false string
  userFullName The user that created the policy false string
  userId The user id false string

Account Policy
GET /web/api/v2.1/accounts/{account_id}/policy

Get the policy for the Account given by ID. To get the ID of an Account, run "accounts". See also: Get Policy.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

404 - Policy not found

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  agentLoggingOn True if logging is enabled in the agent false boolean
  agentNotification [DEPRECATED] Show end point notification on suspicious. Replaced by 'show_suspicious' in the agent UI section false boolean
  agentUi Agent ui false
    Name Description Required Value
    agentUiOn Agent ui on false boolean
    contactCompany Contact company false string
    contactDirectMessage Contact direct message false string
    contactEmail Contact email false string
    contactFreeText Contact free text false string
    contactOther Contact other false string
    contactPhoneNumber Contact phone number false string
    contactSupportWebsite Contact support website false string
    devicePopUpNotifications Device pop up notifications false boolean
    maxEventAgeDays Max event age days false integer
    showAgentWarnings Show agent warnings false boolean
    showDeviceTab Show device tab false boolean
    showQuarantineTab Show quarantine tab false boolean
    showSupport Show support false boolean
    showSuspicious Show suspicious false boolean
    threatPopUpNotifications Threat pop up notifications false boolean

  agentUiOn [DEPRECATED] Show/hide Agent UI. Moved inside the agent UI section false boolean
  allowRemoteShell True if Remote Shell is enabled for the scope false boolean
  antiTamperingOn Anti tampering on/off false boolean
  autoDecommissionDays Automatic decommission period in days false integer
  autoDecommissionOn Auto decommission on false boolean
  autoFileUpload Automatic file upload configuration false
    Name Description Required Value
    enabled Automatic file upload on/off false boolean
    includeBenignFiles Upload benign files false boolean
    maxDailyFileUpload Maximum size (MB) to upload daily false integer
    maxDailyFileUploadLimit Limit for the maximum size (MB) to upload daily false integer
    maxFileSize Maximum file size (MB) to upload false integer
    maxFileSizeLimit Limit for the maximum file size (MB) to upload false integer
    maxLocalDiskUsage Maximum local disk usage (MB) for uploaded files false integer
    maxLocalDiskUsageLimit Limit for the maximum local disk usage (MB) for uploaded files false integer

  autoImmuneOn Automatic immune on/off - this value must be true since all policies are immune by default false boolean
  autoMitigationAction Default action for auto mitigation false string
  cloudValidationOn Cloud validation on false
  createdAt Timestamp of policy creation false string
  driverBlocking Suspicious driver blocking engine on/off false boolean
  dvAttributesPerEventType The DV attributes false
    Name Description Required Value
    autoInstallBrowserExtensions Auto install browser extensions false
      Name Description Required Value
      autoInstallBrowserExtensions Auto install browser extensions false boolean
    behavioralIndicators Behavioral indicators event false
      Name Description Required Value
      dvEventTypeBehavioralIndicators Behavioral indicators event false boolean
    commandScripts Command scripts event false
      Name Description Required Value
      dvEventTypeCommandScripts Command scripts event false boolean
    crossProcess Cross process event false
      Name Description Required Value
      dvEventTypeCrossProcessDuplicateProcess Duplicate Process Event Type false boolean
      dvEventTypeCrossProcessDuplicateThread Duplicate Thread Event Type false boolean
      dvEventTypeCrossProcessOpenProcess Open Process Event Type false boolean
      dvEventTypeCrossProcessRemoteThread Remote Thread Event Type false boolean
    dataMasking Data masking false
      Name Description Required Value
      dataMasking Data masking false boolean
    dllModuleLoad DLL module load event false
      Name Description Required Value
      dvEventTypeDllModuleLoad DLL module load event false boolean
    dns Network event - DNS false
      Name Description Required Value
      dvEventTypeDns Network event - DNS false boolean
    driver Driver false
      Name Description Required Value
      dvEventTypeDriverLoad Driver Load false boolean

    file File event false
      Name Description Required Value
      dvEventTypeFileCreation File Creation Event Type false boolean
      dvEventTypeFileDeletion File Deletion Event Type false boolean
      dvEventTypeFileModification File Modification Event Type false boolean
      dvEventTypeFileRename File Rename Event Type false boolean
      fullDiskScan File Scan Event Type false boolean
    ip Network event - IP false
      Name Description Required Value
      dvEventTypeIpConnect IP Connect Event Type false boolean
      dvEventTypeIpListen IP Listen Event Type false boolean
    login User login/logout event false
      Name Description Required Value
      dvEventTypeLoginLoggedIn User Login Event Type false boolean
      dvEventTypeLoginLoggedOut User Logout Event Type false boolean
    namedPipe Named Pipe false
      Name Description Required Value
      dvEventTypeNamedPipeConnection Named Pipe Connection Event Type false boolean
      dvEventTypeNamedPipeCreation Named Pipe Creation Event Type false boolean
    namedPipeExtended Named Pipe Extended false
      Name Description Required Value
      namedPipeExtended Named Pipe Connection Extended Event Type false boolean
    process Process event false
      Name Description Required Value
      dvEventTypeProcessCreation Process Creation Event Type false boolean
      dvEventTypeProcessExit Process Exit Event Type false boolean
      dvEventTypeProcessModification Process Termination Event Type false boolean

    registry Registry event false
      Name Description Required Value
      dvEventTypeRegistryKeyCreated Registry Key Created Event Type false boolean
      dvEventTypeRegistryKeyDelete Registry Key Delete Event Type false boolean
      dvEventTypeRegistryKeyExport Registry Key Export Event Type false boolean
      dvEventTypeRegistryKeyImport Registry Key Import Event Type false boolean
      dvEventTypeRegistryKeyRename Registry Key Rename Event Type false boolean
      dvEventTypeRegistryKeySecurityChanged Registry Key Security Changed Event Type false boolean
      dvEventTypeRegistryValueCreated Registry Value Created Event Type false boolean
      dvEventTypeRegistryValueDeleted Registry Value Deleted Event Type false boolean
      dvEventTypeRegistryValueModified Registry Value Modified Event Type false boolean
    scheduledTask Scheduled task event false
      Name Description Required Value
      dvEventTypeScheduledTaskDelete Scheduled Task Delete Event Type false boolean
      dvEventTypeScheduledTaskRegister Scheduled Task Register Event Type false boolean
      dvEventTypeScheduledTaskStart Scheduled Task Start Event Type false boolean
      dvEventTypeScheduledTaskTrigger Scheduled Task Trigger Event Type false boolean
      dvEventTypeScheduledTaskUpdate Scheduled Task Update Event Type false boolean
    smartFileMonitoring Smart file monitoring false
      Name Description Required Value
      smartFileMonitoring Smart file monitoring false boolean
    url URL Actions event false
      Name Description Required Value
      dvEventTypeUrl URL Actions event false boolean
    windowsEventLogs Windows Event Log false
      Name Description Required Value
      dvEventTypeWindowsEventLogCreation Windows Event Log Creation Event Type false boolean
    windowsEventLogsExtended Windows Event Log Extended false
      Name Description Required Value
      windowsEventLogsExtended Windows Event Log Extended Event Type false boolean

  engines The engines statuses false
    Name Description Required Value
    applicationControl application control false enum
    dataFiles data files false enum
    executables executables false enum
    exploits exploits false enum
    lateralMovement lateral movement false enum
    penetration penetration false enum
    preExecution on-write false enum
    preExecutionSuspicious pre execution suspicious false enum
    pup potentially unwanted applications (PUP) false enum
    remoteShell remote shell false enum
    reputation reputation false enum

  forensicsAutoTriggering Forensics auto triggering configuration false
    Name Description Required Value
    linuxEnabled True if linux forensics is enabled false boolean
    linuxProfileId The profile id for the linux forensics false string
    linuxProfileName The profile name for the linux forensics false string
    macosEnabled True if macos forensics is enabled false boolean
    macosProfileId The profile id for the macos forensics false string
    macosProfileName The profile name for the macos forensics false string
    windowsEnabled True if windows forensics is enabled false boolean
    windowsProfileId The profile id for the windows forensics false string
    windowsProfileName The profile name for the windows forensics false string

  fwForNetworkQuarantineEnabled True if Firewall Control for Network Quarantine is enabled false boolean
  identityEndpointReporting Endpoint reporting level false enum
  identityOn Identity module on/off false boolean
  identityReportInterval Identity telemetry report interval in minutes false integer
  identityThrottlingInterval Identity duplicate command consolidation interval in minutes false integer
  identityUpdateInterval Identity update interval in minutes false integer
  inheritedFrom Indicates the parent scope from which this policy is inherited, or 'null' if it is not inherited (modified specifically for the current scope). false enum
  ioc True if ioc is enabled false boolean
  iocAttributes The Ioc attributes false
    Name Description Required Value
    autoInstallBrowserExtensions Update auto install browser extensions false boolean
    behavioralIndicators Update behavioral indicators false boolean
    commandScripts Update command scripts false boolean
    crossProcess Update cross process false boolean
    dataMasking Update data masking false boolean
    dllModuleLoad Update DLL module load false boolean
    dns Network event - DNS false boolean
    driver Driver false boolean
    fds Full disk scan false boolean
    file File event false boolean
    ip Network event - IP false boolean
    login User login/logout event false boolean
    namedPipe Named Pipe false boolean
    namedPipeExtended Named Pipe Extended false boolean
    process Process creation event false boolean
    registry Registry event false boolean
    scheduledTask Scheduled task event false boolean
    smartFileMonitoring Smart file monitoring false boolean
    url Ioc URI false boolean
    windowsEventLogs Windows Event Log false boolean
    windowsEventLogsExtended Windows Event Log Extended false boolean

  iocSupported Ioc supported for the scope false boolean
  isDefault True if this is the tenant policy false boolean
  isDvPolicyPerEventType FE indication as to how to display DV policy false boolean
  mitigationMode Mitigation modes false enum
  mitigationModeSuspicious Mitigation mode false enum
  monitorOnExecute Monitor on execute on/off false boolean
  monitorOnWrite Monitor on write false boolean
  networkQuarantineOn Network quarantine on false boolean
  remoteOpsForensics Remote ops forensics configuration false
    Name Description Required Value
    cpuLimit CPU resources limit for collection process false integer
    enabled Enabled false boolean
    maximumDailyUpload Maximum size to upload daily false integer
    maximumDailyUploadLimit Limit for the maximum size to upload daily false integer
    maximumFileSizeUpload Maximum size for single file false integer
    maximumFileSizeUploadLimit Limit for the maximum file size to upload false integer
    parsedArtifactsDestination Default destination of parsed artifacts false enum

  remoteScriptOrchestration Remote script orchestration upload limits configuration false
    Name Description Required Value
    alwaysUploadStreamToCloud Always upload streams to cloud false boolean
    maxDailyFileDownload Maximum size (MB) to download daily false integer
    maxDailyFileDownloadLimit Limit for the maximum size (MB) to download daily false integer
    maxDailyFileUpload Maximum size (MB) to upload daily false integer
    maxDailyFileUploadLimit Limit for the maximum size (MB) to upload daily false integer
    maxFileSize Maximum size in bytes for single file false integer
    maxFileSizeLimit Limit for the maximum file size (MB) to upload false integer
    maxLocalPackageDiskUsage Maximum local disk usage (MB) for packages false integer
    maxLocalPackageDiskUsageLimit Limit for the maximum local disk usage (MB) for packages false integer

  removeMacros Determines if macros should be removed from macro threats false boolean
  researchOn Share data with SentinelOne false boolean
  scanNewAgents If True initiate full disk scan upon first registration false boolean
  signedDriverBlockingOn Suspicious signed driver blocking on/off false boolean
  snapshotsOn True if snapshots are enabled false boolean
  unsignedDriverBlockingOn Suspicious unsigned driver blocking on/off false boolean
  updatedAt Time of the last update to the policy false string
  userFullName The user that created the policy false string
  userId The user id false string
errors Errors false array
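
The following Python check is an added example, not part of the SentinelOne documentation: it walks the `data` object of a Get Account Policy response and reports protection fields from the schema above that differ from a baseline, fields the response omitted (every field is marked Required: false), and whether the policy is inherited. The baseline values and the sample response are assumptions constructed for illustration.

```python
import json

# Assumed hardening baseline for this example (not SentinelOne guidance).
# Keys are field names from the response schema; a dot descends into a nested table.
BASELINE = {
    "antiTamperingOn": True,
    "agentLoggingOn": True,
    "snapshotsOn": True,
    "scanNewAgents": True,
    "signedDriverBlockingOn": True,
    "unsignedDriverBlockingOn": True,
    "allowRemoteShell": False,
    "agentUi.showSuspicious": True,
}

# Constructed sample of a 200 response body; values are illustrative only.
SAMPLE_RESPONSE = json.loads("""
{
  "data": {
    "antiTamperingOn": false,
    "agentLoggingOn": true,
    "allowRemoteShell": true,
    "snapshotsOn": true,
    "scanNewAgents": true,
    "signedDriverBlockingOn": true,
    "inheritedFrom": null,
    "agentUi": {"agentUiOn": true, "showSuspicious": false}
  },
  "errors": []
}
""")

_MISSING = object()


def lookup(data, path):
    """Follow a dotted path through nested objects; _MISSING if any step is absent."""
    node = data
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def audit_policy(response, baseline=BASELINE):
    """Compare a policy response with the baseline.

    Returns a dict with:
      findings       - (field, expected, actual) for every mismatch
      missing        - baseline fields absent from the response
      inherited_from - parent scope, or None when the policy was modified
                       specifically for the current scope
    """
    if response.get("errors"):
        raise ValueError(f"API returned errors: {response['errors']}")
    data = response.get("data") or {}
    findings, missing = [], []
    for path, expected in baseline.items():
        actual = lookup(data, path)
        if actual is _MISSING:
            missing.append(path)
        elif actual is not expected:
            # Identity comparison: a string "true" or the integer 1 is also
            # reported, because the schema types these fields as boolean.
            findings.append((path, expected, actual))
    inherited = data.get("inheritedFrom")
    return {
        "findings": findings,
        "missing": missing,
        "inherited_from": None if inherited in (None, "null") else inherited,
    }


if __name__ == "__main__":
    report = audit_policy(SAMPLE_RESPONSE)
    for field, expected, actual in report["findings"]:
        print(f"MISMATCH {field}: expected {expected}, got {actual}")
    for field in report["missing"]:
        print(f"MISSING  {field}")
    print("inherited from:", report["inherited_from"])
```
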

Update Account Policy
PUT /web/api/v2.1/accounts/{account_id}/policy

Change the policy for the Account given by ID. Best practice: Get the policy of the Account before you attempt to change it. See also: Get Policy.


Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Account not found
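
One way to follow the best practice above, as an added Python example that is not SentinelOne's own code: compare the policy returned by GET with the intended settings, put only the differing fields under the required `data` key, and keep the previous values as a rollback body. The console URL, account ID, token, the `Authorization: ApiToken` header form and the assumption that omitted fields stay unchanged are not stated in this section; the field types are a subset of this endpoint's Body Schema.

```python
import json
import urllib.parse
import urllib.request

# Field types taken from the Body Schema of this endpoint (subset only).
# Nested dicts mirror the nested tables agentUi and autoFileUpload.
SCHEMA = {
    "antiTamperingOn": bool,
    "allowRemoteShell": bool,
    "snapshotsOn": bool,
    "autoDecommissionOn": bool,
    "autoDecommissionDays": int,
    "autoMitigationAction": str,
    "agentUi": {"showSuspicious": bool, "maxEventAgeDays": int, "contactEmail": str},
    "autoFileUpload": {"enabled": bool, "maxFileSize": int},
}

# Constructed GET response and intended settings, for illustration only.
CURRENT_RESPONSE = {
    "data": {
        "antiTamperingOn": False,
        "allowRemoteShell": True,
        "autoDecommissionDays": 21,
        "agentUi": {"showSuspicious": True, "maxEventAgeDays": 30},
    },
    "errors": [],
}
DESIRED = {
    "antiTamperingOn": True,
    "allowRemoteShell": True,
    "autoDecommissionDays": 14,
    "agentUi": {"showSuspicious": True, "maxEventAgeDays": 7},
}


def _check_type(path, value, expected):
    # bool is a subclass of int in Python, so reject True/False for integer fields.
    ok = isinstance(value, expected) and not (expected is int and isinstance(value, bool))
    if not ok:
        raise TypeError(f"{path}: expected {expected.__name__}, got {type(value).__name__}")


def diff_policy(current, desired, schema=SCHEMA, prefix=""):
    """Return (changes, rollback): the fields of `desired` that differ from
    `current`, and the previous values needed to undo them."""
    changes, rollback = {}, {}
    for key, value in desired.items():
        path = prefix + key
        if key not in schema:
            raise KeyError(f"{path}: not in the schema subset used here")
        spec = schema[key]
        if isinstance(spec, dict):
            if not isinstance(value, dict):
                raise TypeError(f"{path}: expected an object")
            sub_changes, sub_rollback = diff_policy(
                current.get(key) or {}, value, spec, path + ".")
            if sub_changes:
                changes[key] = sub_changes
            if sub_rollback:
                rollback[key] = sub_rollback
            continue
        _check_type(path, value, spec)
        if key not in current or current[key] != value:
            changes[key] = value
            if key in current:  # a field absent from GET has no value to restore
                rollback[key] = current[key]
    return changes, rollback


def build_put(base_url, account_id, current_response, desired, token):
    """Build, without sending, the PUT request and the rollback body.
    Returns (None, {}) when nothing would change."""
    if current_response.get("errors"):
        raise ValueError("GET policy returned errors; refusing to update")
    changes, rollback = diff_policy(current_response.get("data") or {}, desired)
    if not changes:
        return None, {}
    account = urllib.parse.quote(str(account_id), safe="")
    request = urllib.request.Request(
        f"{base_url}/web/api/v2.1/accounts/{account}/policy",
        data=json.dumps({"data": changes}).encode(),
        method="PUT",
        headers={"Content-Type": "application/json",
                 "Authorization": f"ApiToken {token}"},  # assumed header form
    )
    return request, {"data": rollback}


if __name__ == "__main__":
    req, undo = build_put("https://console.example.invalid", "1234567890",
                          CURRENT_RESPONSE, DESIRED, "PLACEHOLDER_TOKEN")
    print(req.get_method(), req.full_url)
    print("body:    ", req.data.decode())
    print("rollback:", json.dumps(undo))
```

Store the rollback body with the change record; sending it to the same endpoint restores the previous values of the fields that were changed.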

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  agentLoggingOn True if logging is enabled in the agent false boolean
  agentNotification [DEPRECATED] Show end point notification on suspicious. Replaced by 'show_suspicious' in the agent UI section false boolean

  agentUi Agent ui false
    Name Description Required Value
    agentUiOn Agent ui on false boolean
    contactCompany Contact company false string
    contactDirectMessage Contact direct message false string
    contactEmail Contact email false string
    contactFreeText Contact free text false string
    contactOther Contact other false string
    contactPhoneNumber Contact phone number false string
    contactSupportWebsite Contact support website false string
    devicePopUpNotifications Device pop up notifications false boolean
    maxEventAgeDays Max event age days false integer
    showAgentWarnings Show agent warnings false boolean
    showDeviceTab Show device tab false boolean
    showQuarantineTab Show quarantine tab false boolean
    showSupport Show support false boolean
    showSuspicious Show suspicious false boolean
    threatPopUpNotifications Threat pop up notifications false boolean

  agentUiOn [DEPRECATED] Show/hide Agent UI. Moved inside the agent UI section false boolean
  allowRemoteShell True if Remote Shell is enabled for the scope false boolean
  antiTamperingOn Anti tampering on/off false boolean
  autoDecommissionDays Automatic decommission period in days false integer
  autoDecommissionOn Auto decommission on false boolean
  autoFileUpload Automatic file upload configuration false
    Name Description Required Value
    enabled Automatic file upload on/off false boolean
    includeBenignFiles Upload benign files false boolean
    maxDailyFileUpload Maximum size (MB) to upload daily false integer
    maxDailyFileUploadLimit Limit for the maximum size (MB) to upload daily false integer
    maxFileSize Maximum file size (MB) to upload false integer
    maxFileSizeLimit Limit for the maximum file size (MB) to upload false integer
    maxLocalDiskUsage Maximum local disk usage (MB) for uploaded files false integer
    maxLocalDiskUsageLimit Limit for the maximum local disk usage (MB) for uploaded files false integer

  autoImmuneOn Automatic immune on/off - this value must be true since all policies are immune by default false boolean
  autoMitigationAction Default action for auto mitigation false string
  cloudValidationOn Cloud validation on false
  createdAt Timestamp of policy creation false string
  driverBlocking Suspicious driver blocking engine on/off false boolean
  dvAttributesPerEventType The DV attributes false
    Name Description Required Value
    autoInstallBrowserExtensions Auto install browser extensions false
      Name Description Required Value
      autoInstallBrowserExtensions Auto install browser extensions false boolean
    behavioralIndicators Behavioral indicators event false
      Name Description Required Value
      dvEventTypeBehavioralIndicators Behavioral indicators event false boolean
    commandScripts Command scripts event false
      Name Description Required Value
      dvEventTypeCommandScripts Command scripts event false boolean
    crossProcess Cross process event false
      Name Description Required Value
      dvEventTypeCrossProcessDuplicateProcess Duplicate Process Event Type false boolean
      dvEventTypeCrossProcessDuplicateThread Duplicate Thread Event Type false boolean
      dvEventTypeCrossProcessOpenProcess Open Process Event Type false boolean
      dvEventTypeCrossProcessRemoteThread Remote Thread Event Type false boolean
    dataMasking Data masking false
      Name Description Required Value
      dataMasking Data masking false boolean
    dllModuleLoad DLL module load event false
      Name Description Required Value
      dvEventTypeDllModuleLoad DLL module load event false boolean
    dns Network event - DNS false
      Name Description Required Value
      dvEventTypeDns Network event - DNS false boolean
    driver Driver false
      Name Description Required Value
      dvEventTypeDriverLoad Driver Load false boolean

    file File event false
      Name Description Required Value
      dvEventTypeFileCreation File Creation Event Type false boolean
      dvEventTypeFileDeletion File Deletion Event Type false boolean
      dvEventTypeFileModification File Modification Event Type false boolean
      dvEventTypeFileRename File Rename Event Type false boolean
      fullDiskScan File Scan Event Type false boolean
    ip Network event - IP false
      Name Description Required Value
      dvEventTypeIpConnect IP Connect Event Type false boolean
      dvEventTypeIpListen IP Listen Event Type false boolean
    login User login/logout event false
      Name Description Required Value
      dvEventTypeLoginLoggedIn User Login Event Type false boolean
      dvEventTypeLoginLoggedOut User Logout Event Type false boolean
    namedPipe Named Pipe false
      Name Description Required Value
      dvEventTypeNamedPipeConnection Named Pipe Connection Event Type false boolean
      dvEventTypeNamedPipeCreation Named Pipe Creation Event Type false boolean
    namedPipeExtended Named Pipe Extended false
      Name Description Required Value
      namedPipeExtended Named Pipe Connection Extended Event Type false boolean
    process Process event false
      Name Description Required Value
      dvEventTypeProcessCreation Process Creation Event Type false boolean
      dvEventTypeProcessExit Process Exit Event Type false boolean
      dvEventTypeProcessModification Process Termination Event Type false boolean

    registry Registry event false
      Name Description Required Value
      dvEventTypeRegistryKeyCreated Registry Key Created Event Type false boolean
      dvEventTypeRegistryKeyDelete Registry Key Delete Event Type false boolean
      dvEventTypeRegistryKeyExport Registry Key Export Event Type false boolean
      dvEventTypeRegistryKeyImport Registry Key Import Event Type false boolean
      dvEventTypeRegistryKeyRename Registry Key Rename Event Type false boolean
      dvEventTypeRegistryKeySecurityChanged Registry Key Security Changed Event Type false boolean
      dvEventTypeRegistryValueCreated Registry Value Created Event Type false boolean
      dvEventTypeRegistryValueDeleted Registry Value Deleted Event Type false boolean
      dvEventTypeRegistryValueModified Registry Value Modified Event Type false boolean
    scheduledTask Scheduled task event false
      Name Description Required Value
      dvEventTypeScheduledTaskDelete Scheduled Task Delete Event Type false boolean
      dvEventTypeScheduledTaskRegister Scheduled Task Register Event Type false boolean
      dvEventTypeScheduledTaskStart Scheduled Task Start Event Type false boolean
      dvEventTypeScheduledTaskTrigger Scheduled Task Trigger Event Type false boolean
      dvEventTypeScheduledTaskUpdate Scheduled Task Update Event Type false boolean
    smartFileMonitoring Smart file monitoring false
      Name Description Required Value
      smartFileMonitoring Smart file monitoring false boolean
    url URL Actions event false
      Name Description Required Value
      dvEventTypeUrl URL Actions event false boolean
    windowsEventLogs Windows Event Log false
      Name Description Required Value
      dvEventTypeWindowsEventLogCreation Windows Event Log Creation Event Type false boolean
    windowsEventLogsExtended Windows Event Log Extended false
      Name Description Required Value
      windowsEventLogsExtended Windows Event Log Extended Event Type false boolean

  engines The engines statuses false
    Name Description Required Value
    applicationControl application control false enum
    dataFiles data files false enum
    executables executables false enum
    exploits exploits false enum
    lateralMovement lateral movement false enum
    penetration penetration false enum
    preExecution on-write false enum
    preExecutionSuspicious pre execution suspicious false enum
    pup potentially unwanted applications (PUP) false enum
    remoteShell remote shell false enum
    reputation reputation false enum

  forensicsAutoTriggering Forensics auto triggering configuration false
    Name Description Required Value
    linuxEnabled True if linux forensics is enabled false boolean
    linuxProfileId The profile id for the linux forensics false string
    linuxProfileName The profile name for the linux forensics false string
    macosEnabled True if macos forensics is enabled false boolean
    macosProfileId The profile id for the macos forensics false string
    macosProfileName The profile name for the macos forensics false string
    windowsEnabled True if windows forensics is enabled false boolean
    windowsProfileId The profile id for the windows forensics false string
    windowsProfileName The profile name for the windows forensics false string

  fwForNetworkQuarantineEnabled True if Firewall Control for Network Quarantine is enabled false boolean
  identityEndpointReporting Endpoint reporting level false enum
  identityOn Identity module on/off false boolean
  identityReportInterval Identity telemetry report interval in minutes false integer
  identityThrottlingInterval Identity duplicate command consolidation interval in minutes false integer
  identityUpdateInterval Identity update interval in minutes false integer
  inheritedFrom Indicates the parent scope from which this policy is inherited, or 'null' if it is not inherited (modified specifically for the current scope). false enum
  ioc True if ioc is enabled false boolean
  iocAttributes The Ioc attributes false
    Name Description Required Value
    autoInstallBrowserExtensions Update auto install browser extensions false boolean
    behavioralIndicators Update behavioral indicators false boolean
    commandScripts Update command scripts false boolean
    crossProcess Update cross process false boolean
    dataMasking Update data masking false boolean
    dllModuleLoad Update DLL module load false boolean
    dns Network event - DNS false boolean
    driver Driver false boolean
    fds Full disk scan false boolean
    file File event false boolean
    ip Network event - IP false boolean
    login User login/logout event false boolean
    namedPipe Named Pipe false boolean
    namedPipeExtended Named Pipe Extended false boolean
    process Process creation event false boolean
    registry Registry event false boolean
    scheduledTask Scheduled task event false boolean
    smartFileMonitoring Smart file monitoring false boolean
    url Ioc URI false boolean
    windowsEventLogs Windows Event Log false boolean
    windowsEventLogsExtended Windows Event Log Extended false boolean

  iocSupported Ioc supported for the scope false boolean
  isDefault True if this is the tenant policy false boolean
  isDvPolicyPerEventType FE indication as to how to display DV policy false boolean
  mitigationMode Mitigation modes false enum
  mitigationModeSuspicious Mitigation mode false enum
  monitorOnExecute Monitor on execute on/off false boolean
  monitorOnWrite Monitor on write false boolean
  networkQuarantineOn Network quarantine on false boolean
  remoteOpsForensics Remote ops forensics configuration false
    Name Description Required Value
    cpuLimit CPU resources limit for collection process false integer
    enabled Enabled false boolean
    maximumDailyUpload Maximum size to upload daily false integer
    maximumDailyUploadLimit Limit for the maximum size to upload daily false integer
    maximumFileSizeUpload Maximum size for single file false integer
    maximumFileSizeUploadLimit Limit for the maximum file size to upload false integer
    parsedArtifactsDestination Default destination of parsed artifacts false enum

  remoteScriptOrchestration Remote script orchestration upload limits configuration false
    Name Description Required Value
    alwaysUploadStreamToCloud Always upload streams to cloud false boolean
    maxDailyFileDownload Maximum size (MB) to download daily false integer
    maxDailyFileDownloadLimit Limit for the maximum size (MB) to download daily false integer
    maxDailyFileUpload Maximum size (MB) to upload daily false integer
    maxDailyFileUploadLimit Limit for the maximum size (MB) to upload daily false integer
    maxFileSize Maximum size in bytes for single file false integer
    maxFileSizeLimit Limit for the maximum file size (MB) to upload false integer
    maxLocalPackageDiskUsage Maximum local disk usage (MB) for packages false integer
    maxLocalPackageDiskUsageLimit Limit for the maximum local disk usage (MB) for packages false integer

  removeMacros Determines if macros should be removed from macro threats false boolean
  researchOn Share data with SentinelOne false boolean
  scanNewAgents If True initiate full disk scan upon first registration false boolean
  signedDriverBlockingOn Suspicious signed driver blocking on/off false boolean
  snapshotsOn True if snapshots are enabled false boolean
  unsignedDriverBlockingOn Suspicious unsigned driver blocking on/off false boolean
  updatedAt Time of the last update to the policy false string
  userFullName The user that created the policy false string
  userId The user id false string
errors Errors false array

Body Schema
Name Description Required Value
data Data true
  Name Description Required Value
  agentLoggingOn True if logging is enabled in the agent false boolean
  agentNotification [DEPRECATED] Show end point notification on suspicious. Replaced by 'show_suspicious' in the agent UI section false boolean
  agentUi Agent ui false
    Name Description Required Value
    agentUiOn Agent ui on false boolean
    contactCompany Contact company false string
    contactDirectMessage Contact direct message false string
    contactEmail Contact email false string
    contactFreeText Contact free text false string
    contactOther Contact other false string
    contactPhoneNumber Contact phone number false string
    contactSupportWebsite Contact support website false string
    devicePopUpNotifications Device pop up notifications false boolean
    maxEventAgeDays Max event age days false integer
    showAgentWarnings Show agent warnings false boolean
    showDeviceTab Show device tab false boolean
    showQuarantineTab Show quarantine tab false boolean
    showSupport Show support false boolean
    showSuspicious Show suspicious false boolean
    threatPopUpNotifications Threat pop up notifications false boolean

  agentUiOn [DEPRECATED] Show/hide Agent UI. Moved inside the agent UI section false boolean
  allowRemoteShell True if Remote Shell is enabled for the scope false boolean
  antiTamperingOn Anti tampering on/off false boolean
  autoDecommissionDays Automatic decommission period in days false integer
  autoDecommissionOn Auto decommission on false boolean
  autoFileUpload Automatic file upload configuration false
    Name Description Required Value
    enabled Automatic file upload on/off false boolean
    includeBenignFiles Upload benign files false boolean
    maxDailyFileUpload Maximum size (MB) to upload daily false integer
    maxDailyFileUploadLimit Limit for the maximum size (MB) to upload daily false integer
    maxFileSize Maximum file size (MB) to upload false integer
    maxFileSizeLimit Limit for the maximum file size (MB) to upload false integer
    maxLocalDiskUsage Maximum local disk usage (MB) for uploaded files false integer
    maxLocalDiskUsageLimit Limit for the maximum local disk usage (MB) for uploaded files false integer

  autoImmuneOn Automatic immune on/off - this value must be true since all policies are immune by default false boolean
  autoMitigationAction Default action for auto mitigation false string
  cloudValidationOn Cloud validation on false
  createdAt Timestamp of policy creation false string
  driverBlocking Suspicious driver blocking engine on/off false boolean
dvAttributesPerEventType | The DV attributes | false |
    Name | Description | Required | Value
    autoInstallBrowserExtensions | Auto install browser extensions | false |
        Name | Description | Required | Value
        autoInstallBrowserExtensions | Auto install browser extensions | false | boolean
    behavioralIndicators | Behavioral indicators event | false |
        Name | Description | Required | Value
        dvEventTypeBehavioralIndicators | Behavioral indicators event | false | boolean
    commandScripts | Command scripts event | false |
        Name | Description | Required | Value
        dvEventTypeCommandScripts | Command scripts event | false | boolean
    crossProcess | Cross process event | false |
        Name | Description | Required | Value
        dvEventTypeCrossProcessDuplicateProcess | Duplicate Process Event Type | false | boolean
        dvEventTypeCrossProcessDuplicateThread | Duplicate Thread Event Type | false | boolean
        dvEventTypeCrossProcessOpenProcess | Open Process Event Type | false | boolean
        dvEventTypeCrossProcessRemoteThread | Remote Thread Event Type | false | boolean
    dataMasking | Data masking | false |
        Name | Description | Required | Value
        dataMasking | Data masking | false | boolean
    dllModuleLoad | DLL module load event | false |
        Name | Description | Required | Value
        dvEventTypeDllModuleLoad | DLL module load event | false | boolean
    dns | Network event - DNS | false |
        Name | Description | Required | Value
        dvEventTypeDns | Network event - DNS | false | boolean
    driver | Driver | false |
        Name | Description | Required | Value
        dvEventTypeDriverLoad | Driver Load | false | boolean
    file | File event | false |
        Name | Description | Required | Value
        dvEventTypeFileCreation | File Creation Event Type | false | boolean
        dvEventTypeFileDeletion | File Deletion Event Type | false | boolean
        dvEventTypeFileModification | File Modification Event Type | false | boolean
        dvEventTypeFileRename | File Rename Event Type | false | boolean
        fullDiskScan | File Scan Event Type | false | boolean
    ip | Network event - IP | false |
        Name | Description | Required | Value
        dvEventTypeIpConnect | IP Connect Event Type | false | boolean
        dvEventTypeIpListen | IP Listen Event Type | false | boolean
    login | User login/logout event | false |
        Name | Description | Required | Value
        dvEventTypeLoginLoggedIn | User Login Event Type | false | boolean
        dvEventTypeLoginLoggedOut | User Logout Event Type | false | boolean
    namedPipe | Named Pipe | false |
        Name | Description | Required | Value
        dvEventTypeNamedPipeConnection | Named Pipe Connection Event Type | false | boolean
        dvEventTypeNamedPipeCreation | Named Pipe Creation Event Type | false | boolean
    namedPipeExtended | Named Pipe Extended | false |
        Name | Description | Required | Value
        namedPipeExtended | Named Pipe Connection Extended Event Type | false | boolean
    process | Process event | false |
        Name | Description | Required | Value
        dvEventTypeProcessCreation | Process Creation Event Type | false | boolean
        dvEventTypeProcessExit | Process Exit Event Type | false | boolean
        dvEventTypeProcessModification | Process Termination Event Type | false | boolean
    registry | Registry event | false |
        Name | Description | Required | Value
        dvEventTypeRegistryKeyCreated | Registry Key Created Event Type | false | boolean
        dvEventTypeRegistryKeyDelete | Registry Key Delete Event Type | false | boolean
        dvEventTypeRegistryKeyExport | Registry Key Export Event Type | false | boolean
        dvEventTypeRegistryKeyImport | Registry Key Import Event Type | false | boolean
        dvEventTypeRegistryKeyRename | Registry Key Rename Event Type | false | boolean
        dvEventTypeRegistryKeySecurityChanged | Registry Key Security Changed Event Type | false | boolean
        dvEventTypeRegistryValueCreated | Registry Value Created Event Type | false | boolean
        dvEventTypeRegistryValueDeleted | Registry Value Deleted Event Type | false | boolean
        dvEventTypeRegistryValueModified | Registry Value Modified Event Type | false | boolean
    scheduledTask | Scheduled task event | false |
        Name | Description | Required | Value
        dvEventTypeScheduledTaskDelete | Scheduled Task Delete Event Type | false | boolean
        dvEventTypeScheduledTaskRegister | Scheduled Task Register Event Type | false | boolean
        dvEventTypeScheduledTaskStart | Scheduled Task Start Event Type | false | boolean
        dvEventTypeScheduledTaskTrigger | Scheduled Task Trigger Event Type | false | boolean
        dvEventTypeScheduledTaskUpdate | Scheduled Task Update Event Type | false | boolean
    smartFileMonitoring | Smart file monitoring | false |
        Name | Description | Required | Value
        smartFileMonitoring | Smart file monitoring | false | boolean
    url | URL Actions event | false |
        Name | Description | Required | Value
        dvEventTypeUrl | URL Actions event | false | boolean
    windowsEventLogs | Windows Event Log | false |
        Name | Description | Required | Value
        dvEventTypeWindowsEventLogCreation | Windows Event Log Creation Event Type | false | boolean
    windowsEventLogsExtended | Windows Event Log Extended | false |
        Name | Description | Required | Value
        windowsEventLogsExtended | Windows Event Log Extended Event Type | false | boolean
engines | The engines statuses | false |
    Name | Description | Required | Value
    applicationControl | application control | false | enum
    dataFiles | data files | false | enum
    executables | executables | false | enum
    exploits | exploits | false | enum
    lateralMovement | lateral movement | false | enum
    penetration | penetration | false | enum
    preExecution | on-write | false | enum
    preExecutionSuspicious | pre execution suspicious | false | enum
    pup | potentially unwanted applications (PUP) | false | enum
    remoteShell | remote shell | false | enum
    reputation | reputation | false | enum
forensicsAutoTriggering | Forensics auto triggering configuration | false |
    Name | Description | Required | Value
    linuxEnabled | True if linux forensics is enabled | false | boolean
    linuxProfileId | The profile id for the linux forensics | false | string
    linuxProfileName | The profile name for the linux forensics | false | string
    macosEnabled | True if macos forensics is enabled | false | boolean
    macosProfileId | The profile id for the macos forensics | false | string
    macosProfileName | The profile name for the macos forensics | false | string
    windowsEnabled | True if windows forensics is enabled | false | boolean
    windowsProfileId | The profile id for the windows forensics | false | string
    windowsProfileName | The profile name for the windows forensics | false | string
identityEndpointReporting | Endpoint reporting level | false | enum
identityOn | Identity module on/off | false | boolean
identityReportInterval | Identity telemetry report interval in minutes | false | integer
identityThrottlingInterval | Identity duplicate command consolidation interval in minutes | false | integer
identityUpdateInterval | Identity update interval in minutes | false | integer
inheritedFrom | Indicates the parent scope from which this policy is inherited, or 'null' if it is not inherited (modified specifically for the current scope). | false | enum
ioc | True if ioc is enabled | false | boolean
iocAttributes | The Ioc attributes | false |
    Name | Description | Required | Value
    autoInstallBrowserExtensions | Update auto install browser extensions | false | boolean
    behavioralIndicators | Update behavioral indicators | false | boolean
    commandScripts | Update command scripts | false | boolean
    crossProcess | Update cross process | false | boolean
    dataMasking | Update data masking | false | boolean
    dllModuleLoad | Update DLL module load | false | boolean
    dns | Network event - DNS | false | boolean
    driver | Driver | false | boolean
    fds | Full disk scan | false | boolean
    file | File event | false | boolean
    ip | Network event - IP | false | boolean
    login | User login/logout event | false | boolean
    namedPipe | Named Pipe | false | boolean
    namedPipeExtended | Named Pipe Extended | false | boolean
    process | Process creation event | false | boolean
    registry | Registry event | false | boolean
    scheduledTask | Scheduled task event | false | boolean
    smartFileMonitoring | Smart file monitoring | false | boolean
    url | Ioc URI | false | boolean
    windowsEventLogs | Windows Event Log | false | boolean
    windowsEventLogsExtended | Windows Event Log Extended | false | boolean
iocSupported | Ioc supported for the scope | false | boolean
isDefault | True if this is the tenant policy | false | boolean
isDvPolicyPerEventType | FE indication as to how to display DV policy | false | boolean
mitigationMode | Mitigation modes | false | enum
mitigationModeSuspicious | Mitigation mode | false | enum
monitorOnExecute | Monitor on execute on/off | false | boolean
monitorOnWrite | Monitor on write | false | boolean
networkQuarantineOn | Network quarantine on | false | boolean
remoteOpsForensics | Remote ops forensics configuration | false |
    Name | Description | Required | Value
    cpuLimit | CPU resources limit for collection process | false | integer
    enabled | Enabled | false | boolean
    maximumDailyUpload | Maximum size to upload daily | false | integer
    maximumDailyUploadLimit | Limit for the maximum size to upload daily | false | integer
    maximumFileSizeUpload | Maximum size for single file | false | integer
    maximumFileSizeUploadLimit | Limit for the maximum file size to upload | false | integer
    parsedArtifactsDestination | Default destination of parsed artifacts | false | enum
remoteScriptOrchestration | Remote script orchestration upload limits configuration | false |
    Name | Description | Required | Value
    alwaysUploadStreamToCloud | Always upload streams to cloud | false | boolean
    maxDailyFileDownload | Maximum size (MB) to download daily | false | integer
    maxDailyFileDownloadLimit | Limit for the maximum size (MB) to download daily | false | integer
    maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer
    maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer
    maxFileSize | Maximum size in bytes for single file | false | integer
    maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer
    maxLocalPackageDiskUsage | Maximum local disk usage (MB) for packages | false | integer
    maxLocalPackageDiskUsageLimit | Limit for the maximum local disk usage (MB) for packages | false | integer
removeMacros | Determines if macros should be removed from macro threats | false | boolean
researchOn | Share data with SentinelOne | false | boolean
scanNewAgents | If True initiate full disk scan upon first registration | false | boolean
signedDriverBlockingOn | Suspicious signed driver blocking on/off | false | boolean
snapshotsOn | True if snapshots are enabled | false | boolean
unsignedDriverBlockingOn | Suspicious unsigned driver blocking on/off | false | boolean
updatedAt | Time of the last update to the policy | false | string
userFullName | The user that created the policy | false | string
userId | The user id | false | string

Global Policy
GET /web/api/v2.1/tenant/policy

Get the Global policy. This is the default policy for your deployment. See also: Get Policy.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

404 - Policy not found

Response Schema
Name | Description | Required | Value
data | Response data | false |
    Name | Description | Required | Value
    agentLoggingOn | True if logging is enabled in the agent | false | boolean
    agentNotification | [DEPRECATED] Show end point notification on suspicious. Replaced by 'show_suspicious' in the agent UI section | false | boolean
    agentUi | Agent ui | false |
        Name | Description | Required | Value
        agentUiOn | Agent ui on | false | boolean
        contactCompany | Contact company | false | string
        contactDirectMessage | Contact direct message | false | string
        contactEmail | Contact email | false | string
        contactFreeText | Contact free text | false | string
        contactOther | Contact other | false | string
        contactPhoneNumber | Contact phone number | false | string
        contactSupportWebsite | Contact support website | false | string
        devicePopUpNotifications | Device pop up notifications | false | boolean
        maxEventAgeDays | Max event age days | false | integer
        showAgentWarnings | Show agent warnings | false | boolean
        showDeviceTab | Show device tab | false | boolean
        showQuarantineTab | Show quarantine tab | false | boolean
        showSupport | Show support | false | boolean
        showSuspicious | Show suspicious | false | boolean
        threatPopUpNotifications | Threat pop up notifications | false | boolean
    agentUiOn | [DEPRECATED] Show/hide Agent UI. Moved inside the agent UI section | false | boolean
    allowRemoteShell | True if Remote Shell is enabled for the scope | false | boolean
    antiTamperingOn | Anti tampering on/off | false | boolean
    autoDecommissionDays | Automatic decommission period in days | false | integer
    autoDecommissionOn | Auto decommission on | false | boolean
    autoFileUpload | Automatic file upload configuration | false |
        Name | Description | Required | Value
        enabled | Automatic file upload on/off | false | boolean
        includeBenignFiles | Upload benign files | false | boolean
        maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer
        maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer
        maxFileSize | Maximum file size (MB) to upload | false | integer
        maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer
        maxLocalDiskUsage | Maximum local disk usage (MB) for uploaded files | false | integer
        maxLocalDiskUsageLimit | Limit for the maximum local disk usage (MB) for uploaded files | false | integer
    autoImmuneOn | Automatic immune on/off - this value must be true since all policies are immune by default | false | boolean
    autoMitigationAction | Default action for auto mitigation | false | string
    cloudValidationOn | Cloud validation on | false |
    createdAt | Timestamp of policy creation | false | string
    driverBlocking | Suspicious driver blocking engine on/off | false | boolean
    dvAttributesPerEventType | The DV attributes | false |
        Name | Description | Required | Value
        autoInstallBrowserExtensions | Auto install browser extensions | false |
            Name | Description | Required | Value
            autoInstallBrowserExtensions | Auto install browser extensions | false | boolean
        behavioralIndicators | Behavioral indicators event | false |
            Name | Description | Required | Value
            dvEventTypeBehavioralIndicators | Behavioral indicators event | false | boolean
        commandScripts | Command scripts event | false |
            Name | Description | Required | Value
            dvEventTypeCommandScripts | Command scripts event | false | boolean
        crossProcess | Cross process event | false |
            Name | Description | Required | Value
            dvEventTypeCrossProcessDuplicateProcess | Duplicate Process Event Type | false | boolean
            dvEventTypeCrossProcessDuplicateThread | Duplicate Thread Event Type | false | boolean
            dvEventTypeCrossProcessOpenProcess | Open Process Event Type | false | boolean
            dvEventTypeCrossProcessRemoteThread | Remote Thread Event Type | false | boolean
        dataMasking | Data masking | false |
            Name | Description | Required | Value
            dataMasking | Data masking | false | boolean
        dllModuleLoad | DLL module load event | false |
            Name | Description | Required | Value
            dvEventTypeDllModuleLoad | DLL module load event | false | boolean
        dns | Network event - DNS | false |
            Name | Description | Required | Value
            dvEventTypeDns | Network event - DNS | false | boolean
        driver | Driver | false |
            Name | Description | Required | Value
            dvEventTypeDriverLoad | Driver Load | false | boolean
        file | File event | false |
            Name | Description | Required | Value
            dvEventTypeFileCreation | File Creation Event Type | false | boolean
            dvEventTypeFileDeletion | File Deletion Event Type | false | boolean
            dvEventTypeFileModification | File Modification Event Type | false | boolean
            dvEventTypeFileRename | File Rename Event Type | false | boolean
            fullDiskScan | File Scan Event Type | false | boolean
        ip | Network event - IP | false |
            Name | Description | Required | Value
            dvEventTypeIpConnect | IP Connect Event Type | false | boolean
            dvEventTypeIpListen | IP Listen Event Type | false | boolean
        login | User login/logout event | false |
            Name | Description | Required | Value
            dvEventTypeLoginLoggedIn | User Login Event Type | false | boolean
            dvEventTypeLoginLoggedOut | User Logout Event Type | false | boolean
        namedPipe | Named Pipe | false |
            Name | Description | Required | Value
            dvEventTypeNamedPipeConnection | Named Pipe Connection Event Type | false | boolean
            dvEventTypeNamedPipeCreation | Named Pipe Creation Event Type | false | boolean
        namedPipeExtended | Named Pipe Extended | false |
            Name | Description | Required | Value
            namedPipeExtended | Named Pipe Connection Extended Event Type | false | boolean
        process | Process event | false |
            Name | Description | Required | Value
            dvEventTypeProcessCreation | Process Creation Event Type | false | boolean
            dvEventTypeProcessExit | Process Exit Event Type | false | boolean
            dvEventTypeProcessModification | Process Termination Event Type | false | boolean
        registry | Registry event | false |
            Name | Description | Required | Value
            dvEventTypeRegistryKeyCreated | Registry Key Created Event Type | false | boolean
            dvEventTypeRegistryKeyDelete | Registry Key Delete Event Type | false | boolean
            dvEventTypeRegistryKeyExport | Registry Key Export Event Type | false | boolean
            dvEventTypeRegistryKeyImport | Registry Key Import Event Type | false | boolean
            dvEventTypeRegistryKeyRename | Registry Key Rename Event Type | false | boolean
            dvEventTypeRegistryKeySecurityChanged | Registry Key Security Changed Event Type | false | boolean
            dvEventTypeRegistryValueCreated | Registry Value Created Event Type | false | boolean
            dvEventTypeRegistryValueDeleted | Registry Value Deleted Event Type | false | boolean
            dvEventTypeRegistryValueModified | Registry Value Modified Event Type | false | boolean
        scheduledTask | Scheduled task event | false |
            Name | Description | Required | Value
            dvEventTypeScheduledTaskDelete | Scheduled Task Delete Event Type | false | boolean
            dvEventTypeScheduledTaskRegister | Scheduled Task Register Event Type | false | boolean
            dvEventTypeScheduledTaskStart | Scheduled Task Start Event Type | false | boolean
            dvEventTypeScheduledTaskTrigger | Scheduled Task Trigger Event Type | false | boolean
            dvEventTypeScheduledTaskUpdate | Scheduled Task Update Event Type | false | boolean
        smartFileMonitoring | Smart file monitoring | false |
            Name | Description | Required | Value
            smartFileMonitoring | Smart file monitoring | false | boolean
        url | URL Actions event | false |
            Name | Description | Required | Value
            dvEventTypeUrl | URL Actions event | false | boolean
        windowsEventLogs | Windows Event Log | false |
            Name | Description | Required | Value
            dvEventTypeWindowsEventLogCreation | Windows Event Log Creation Event Type | false | boolean
        windowsEventLogsExtended | Windows Event Log Extended | false |
            Name | Description | Required | Value
            windowsEventLogsExtended | Windows Event Log Extended Event Type | false | boolean
    engines | The engines statuses | false |
        Name | Description | Required | Value
        applicationControl | application control | false | enum
        dataFiles | data files | false | enum
        executables | executables | false | enum
        exploits | exploits | false | enum
        lateralMovement | lateral movement | false | enum
        penetration | penetration | false | enum
        preExecution | on-write | false | enum
        preExecutionSuspicious | pre execution suspicious | false | enum
        pup | potentially unwanted applications (PUP) | false | enum
        remoteShell | remote shell | false | enum
        reputation | reputation | false | enum
    forensicsAutoTriggering | Forensics auto triggering configuration | false |
        Name | Description | Required | Value
        linuxEnabled | True if linux forensics is enabled | false | boolean
        linuxProfileId | The profile id for the linux forensics | false | string
        linuxProfileName | The profile name for the linux forensics | false | string
        macosEnabled | True if macos forensics is enabled | false | boolean
        macosProfileId | The profile id for the macos forensics | false | string
        macosProfileName | The profile name for the macos forensics | false | string
        windowsEnabled | True if windows forensics is enabled | false | boolean
        windowsProfileId | The profile id for the windows forensics | false | string
        windowsProfileName | The profile name for the windows forensics | false | string
    fwForNetworkQuarantineEnabled | True if Firewall Control for Network Quarantine is enabled | false | boolean
    identityEndpointReporting | Endpoint reporting level | false | enum
    identityOn | Identity module on/off | false | boolean
    identityReportInterval | Identity telemetry report interval in minutes | false | integer
    identityThrottlingInterval | Identity duplicate command consolidation interval in minutes | false | integer
    identityUpdateInterval | Identity update interval in minutes | false | integer
    inheritedFrom | Indicates the parent scope from which this policy is inherited, or 'null' if it is not inherited (modified specifically for the current scope). | false | enum
    ioc | True if ioc is enabled | false | boolean
    iocAttributes | The Ioc attributes | false |
        Name | Description | Required | Value
        autoInstallBrowserExtensions | Update auto install browser extensions | false | boolean
        behavioralIndicators | Update behavioral indicators | false | boolean
        commandScripts | Update command scripts | false | boolean
        crossProcess | Update cross process | false | boolean
        dataMasking | Update data masking | false | boolean
        dllModuleLoad | Update DLL module load | false | boolean
        dns | Network event - DNS | false | boolean
        driver | Driver | false | boolean
        fds | Full disk scan | false | boolean
        file | File event | false | boolean
        ip | Network event - IP | false | boolean
        login | User login/logout event | false | boolean
        namedPipe | Named Pipe | false | boolean
        namedPipeExtended | Named Pipe Extended | false | boolean
        process | Process creation event | false | boolean
        registry | Registry event | false | boolean
        scheduledTask | Scheduled task event | false | boolean
        smartFileMonitoring | Smart file monitoring | false | boolean
        url | Ioc URI | false | boolean
        windowsEventLogs | Windows Event Log | false | boolean
        windowsEventLogsExtended | Windows Event Log Extended | false | boolean
    iocSupported | Ioc supported for the scope | false | boolean
    isDefault | True if this is the tenant policy | false | boolean
    isDvPolicyPerEventType | FE indication as to how to display DV policy | false | boolean
    mitigationMode | Mitigation modes | false | enum
    mitigationModeSuspicious | Mitigation mode | false | enum
    monitorOnExecute | Monitor on execute on/off | false | boolean
    monitorOnWrite | Monitor on write | false | boolean
    networkQuarantineOn | Network quarantine on | false | boolean
    remoteOpsForensics | Remote ops forensics configuration | false |
        Name | Description | Required | Value
        cpuLimit | CPU resources limit for collection process | false | integer
        enabled | Enabled | false | boolean
        maximumDailyUpload | Maximum size to upload daily | false | integer
        maximumDailyUploadLimit | Limit for the maximum size to upload daily | false | integer
        maximumFileSizeUpload | Maximum size for single file | false | integer
        maximumFileSizeUploadLimit | Limit for the maximum file size to upload | false | integer
        parsedArtifactsDestination | Default destination of parsed artifacts | false | enum
    remoteScriptOrchestration | Remote script orchestration upload limits configuration | false |
        Name | Description | Required | Value
        alwaysUploadStreamToCloud | Always upload streams to cloud | false | boolean
        maxDailyFileDownload | Maximum size (MB) to download daily | false | integer
        maxDailyFileDownloadLimit | Limit for the maximum size (MB) to download daily | false | integer
        maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer
        maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer
        maxFileSize | Maximum size in bytes for single file | false | integer
        maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer
        maxLocalPackageDiskUsage | Maximum local disk usage (MB) for packages | false | integer
        maxLocalPackageDiskUsageLimit | Limit for the maximum local disk usage (MB) for packages | false | integer
    removeMacros | Determines if macros should be removed from macro threats | false | boolean
    researchOn | Share data with SentinelOne | false | boolean
    scanNewAgents | If True initiate full disk scan upon first registration | false | boolean
    signedDriverBlockingOn | Suspicious signed driver blocking on/off | false | boolean
    snapshotsOn | True if snapshots are enabled | false | boolean
    unsignedDriverBlockingOn | Suspicious unsigned driver blocking on/off | false | boolean
    updatedAt | Time of the last update to the policy | false | string
    userFullName | The user that created the policy | false | string
    userId | The user id | false | string
errors | Errors | false | array

Update Global Policy
PUT /web/api/v2.1/tenant/policy

Change the policy of your deployment. Best practice: Get the Global policy before you attempt to change it. See also: Get Policy.
You must be a Global Admin user to change the Global Policy.


Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Policy not found
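
The best practice for this endpoint (GET the Global policy, then PUT), sketched as an added example that is not part of the SentinelOne documentation: it diffs intended changes against the fetched policy, type-checks them against the schema on this page, and refuses to build the PUT when a change switches off a protection. The `{"data": {...}}` request wrapper, sending only changed fields, the field allowlist and the `HARDENED_VALUE` review rule are assumptions of this example; no request is sent.

```python
import json

POLICY_PATH = "/web/api/v2.1/tenant/policy"  # GET and PUT path shown on this page

# Field types copied from the response schema on this page. The subset doubles
# as an allowlist: anything else (createdAt, userId, ...) is refused.
FIELD_TYPES = {
    "agentLoggingOn": bool, "allowRemoteShell": bool, "antiTamperingOn": bool,
    "autoDecommissionDays": int, "autoDecommissionOn": bool,
    "networkQuarantineOn": bool, "scanNewAgents": bool, "snapshotsOn": bool,
    "signedDriverBlockingOn": bool, "unsignedDriverBlockingOn": bool,
}

# Assumption (a local review rule, not part of the API): the value each
# protective switch is expected to keep. Moving away from it needs sign-off.
HARDENED_VALUE = {
    "agentLoggingOn": True, "antiTamperingOn": True, "snapshotsOn": True,
    "signedDriverBlockingOn": True, "unsignedDriverBlockingOn": True,
    "allowRemoteShell": False,
}

# Constructed sample of a GET response body; the values are invented.
SAMPLE_GET_RESPONSE = {
    "data": {
        "agentLoggingOn": True, "allowRemoteShell": False,
        "antiTamperingOn": True, "autoDecommissionDays": 21,
        "autoDecommissionOn": True, "networkQuarantineOn": True,
        "scanNewAgents": True, "snapshotsOn": True, "isDefault": True,
    }
}


def current_policy(get_response):
    """Return the policy object from a GET response, or raise if unusable."""
    if get_response.get("errors"):
        raise ValueError("GET returned errors; do not build an update from it")
    data = get_response.get("data")
    if not isinstance(data, dict):
        raise ValueError("GET response has no policy under 'data'")
    return data


def _type_ok(field, value):
    expected = FIELD_TYPES[field]
    if expected is int:  # bool is a subclass of int in Python; keep them apart
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, expected)


def plan_update(get_response, changes):
    """Compare intended changes with the fetched policy before any PUT."""
    policy = current_policy(get_response)
    plan = {"diff": {}, "weakening": [], "rejected": {}}
    for field, new in changes.items():
        if field not in FIELD_TYPES:
            plan["rejected"][field] = "not on this example's allowlist"
        elif not _type_ok(field, new):
            plan["rejected"][field] = "expected " + FIELD_TYPES[field].__name__
        elif policy.get(field) != new:  # no-op changes are dropped
            plan["diff"][field] = (policy.get(field), new)
            hardened = HARDENED_VALUE.get(field)
            if hardened is not None and new != hardened:
                plan["weakening"].append(field)
    return plan


def build_put(plan, approve_weakening=False):
    """Build (not send) the PUT request for a plan, or refuse."""
    if plan["rejected"]:
        raise ValueError(f"rejected fields: {sorted(plan['rejected'])}")
    if plan["weakening"] and not approve_weakening:
        raise PermissionError(f"change weakens protection: {plan['weakening']}")
    if not plan["diff"]:
        return None  # nothing to change, so nothing to send
    body = {"data": {field: new for field, (_old, new) in plan["diff"].items()}}
    return {"method": "PUT", "path": POLICY_PATH,
            "body": json.dumps(body, sort_keys=True)}


if __name__ == "__main__":
    plan = plan_update(SAMPLE_GET_RESPONSE,
                       {"autoDecommissionDays": 30, "antiTamperingOn": False})
    print(plan)
    try:
        build_put(plan)
    except PermissionError as exc:
        print("refused:", exc)
```

The `diff` entry of the plan, holding old and new values, is worth logging next to the change ticket so a later review can tie each policy change to its approval.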

Response Schema
Name | Description | Required | Value
data | Response data | false |
    Name | Description | Required | Value
    agentLoggingOn | True if logging is enabled in the agent | false | boolean
    agentNotification | [DEPRECATED] Show end point notification on suspicious. Replaced by 'show_suspicious' in the agent UI section | false | boolean
    agentUi | Agent ui | false |
        Name | Description | Required | Value
        agentUiOn | Agent ui on | false | boolean
        contactCompany | Contact company | false | string
        contactDirectMessage | Contact direct message | false | string
        contactEmail | Contact email | false | string
        contactFreeText | Contact free text | false | string
        contactOther | Contact other | false | string
        contactPhoneNumber | Contact phone number | false | string
        contactSupportWebsite | Contact support website | false | string
        devicePopUpNotifications | Device pop up notifications | false | boolean
        maxEventAgeDays | Max event age days | false | integer
        showAgentWarnings | Show agent warnings | false | boolean
        showDeviceTab | Show device tab | false | boolean
        showQuarantineTab | Show quarantine tab | false | boolean
        showSupport | Show support | false | boolean
        showSuspicious | Show suspicious | false | boolean
        threatPopUpNotifications | Threat pop up notifications | false | boolean
    agentUiOn | [DEPRECATED] Show/hide Agent UI. Moved inside the agent UI section | false | boolean
    allowRemoteShell | True if Remote Shell is enabled for the scope | false | boolean
    antiTamperingOn | Anti tampering on/off | false | boolean
    autoDecommissionDays | Automatic decommission period in days | false | integer
    autoDecommissionOn | Auto decommission on | false | boolean
    autoFileUpload | Automatic file upload configuration | false |
        Name | Description | Required | Value
        enabled | Automatic file upload on/off | false | boolean
        includeBenignFiles | Upload benign files | false | boolean
        maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer
        maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer
        maxFileSize | Maximum file size (MB) to upload | false | integer
        maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer
        maxLocalDiskUsage | Maximum local disk usage (MB) for uploaded files | false | integer
        maxLocalDiskUsageLimit | Limit for the maximum local disk usage (MB) for uploaded files | false | integer
    autoImmuneOn | Automatic immune on/off - this value must be true since all policies are immune by default | false | boolean
    autoMitigationAction | Default action for auto mitigation | false | string
    cloudValidationOn | Cloud validation on | false |
    createdAt | Timestamp of policy creation | false | string
    driverBlocking | Suspicious driver blocking engine on/off | false | boolean
    dvAttributesPerEventType | The DV attributes | false |
        Name | Description | Required | Value
        autoInstallBrowserExtensions | Auto install browser extensions | false |
            Name | Description | Required | Value
            autoInstallBrowserExtensions | Auto install browser extensions | false | boolean
        behavioralIndicators | Behavioral indicators event | false |
            Name | Description | Required | Value
            dvEventTypeBehavioralIndicators | Behavioral indicators event | false | boolean
        commandScripts | Command scripts event | false |
            Name | Description | Required | Value
            dvEventTypeCommandScripts | Command scripts event | false | boolean
        crossProcess | Cross process event | false |
            Name | Description | Required | Value
            dvEventTypeCrossProcessDuplicateProcess | Duplicate Process Event Type | false | boolean
            dvEventTypeCrossProcessDuplicateThread | Duplicate Thread Event Type | false | boolean
            dvEventTypeCrossProcessOpenProcess | Open Process Event Type | false | boolean
            dvEventTypeCrossProcessRemoteThread | Remote Thread Event Type | false | boolean
        dataMasking | Data masking | false |
            Name | Description | Required | Value
            dataMasking | Data masking | false | boolean
        dllModuleLoad | DLL module load event | false |
            Name | Description | Required | Value
            dvEventTypeDllModuleLoad | DLL module load event | false | boolean
        dns | Network event - DNS | false |
            Name | Description | Required | Value
            dvEventTypeDns | Network event - DNS | false | boolean
        driver | Driver | false |
            Name | Description | Required | Value
            dvEventTypeDriverLoad | Driver Load | false | boolean
        file | File event | false |
            Name | Description | Required | Value
            dvEventTypeFileCreation | File Creation Event Type | false | boolean
            dvEventTypeFileDeletion | File Deletion Event Type | false | boolean
            dvEventTypeFileModification | File Modification Event Type | false | boolean
            dvEventTypeFileRename | File Rename Event Type | false | boolean
            fullDiskScan | File Scan Event Type | false | boolean
        ip | Network event - IP | false |
            Name | Description | Required | Value
            dvEventTypeIpConnect | IP Connect Event Type | false | boolean
            dvEventTypeIpListen | IP Listen Event Type | false | boolean
        login | User login/logout event | false |
            Name | Description | Required | Value
            dvEventTypeLoginLoggedIn | User Login Event Type | false | boolean
            dvEventTypeLoginLoggedOut | User Logout Event Type | false | boolean
        namedPipe | Named Pipe | false |
            Name | Description | Required | Value
            dvEventTypeNamedPipeConnection | Named Pipe Connection Event Type | false | boolean
            dvEventTypeNamedPipeCreation | Named Pipe Creation Event Type | false | boolean
        namedPipeExtended | Named Pipe Extended | false |
            Name | Description | Required | Value
            namedPipeExtended | Named Pipe Connection Extended Event Type | false | boolean
        process | Process event | false |
            Name | Description | Required | Value
            dvEventTypeProcessCreation | Process Creation Event Type | false | boolean
            dvEventTypeProcessExit | Process Exit Event Type | false | boolean
            dvEventTypeProcessModification | Process Termination Event Type | false | boolean
        registry | Registry event | false |
            Name | Description | Required | Value
            dvEventTypeRegistryKeyCreated | Registry Key Created Event Type | false | boolean
            dvEventTypeRegistryKeyDelete | Registry Key Delete Event Type | false | boolean
            dvEventTypeRegistryKeyExport | Registry Key Export Event Type | false | boolean
            dvEventTypeRegistryKeyImport | Registry Key Import Event Type | false | boolean
            dvEventTypeRegistryKeyRename | Registry Key Rename Event Type | false | boolean
            dvEventTypeRegistryKeySecurityChanged | Registry Key Security Changed Event Type | false | boolean
            dvEventTypeRegistryValueCreated | Registry Value Created Event Type | false | boolean
            dvEventTypeRegistryValueDeleted | Registry Value Deleted Event Type | false | boolean
            dvEventTypeRegistryValueModified | Registry Value Modified Event Type | false | boolean
        scheduledTask | Scheduled task event | false |
            Name | Description | Required | Value
            dvEventTypeScheduledTaskDelete | Scheduled Task Delete Event Type | false | boolean
            dvEventTypeScheduledTaskRegister | Scheduled Task Register Event Type | false | boolean
            dvEventTypeScheduledTaskStart | Scheduled Task Start Event Type | false | boolean
            dvEventTypeScheduledTaskTrigger | Scheduled Task Trigger Event Type | false | boolean
            dvEventTypeScheduledTaskUpdate | Scheduled Task Update Event Type | false | boolean
        smartFileMonitoring | Smart file monitoring | false |
            Name | Description | Required | Value
            smartFileMonitoring | Smart file monitoring | false | boolean
        url | URL Actions event | false |
            Name | Description | Required | Value
            dvEventTypeUrl | URL Actions event | false | boolean
        windowsEventLogs | Windows Event Log | false |
            Name | Description | Required | Value
            dvEventTypeWindowsEventLogCreation | Windows Event Log Creation Event Type | false | boolean
        windowsEventLogsExtended | Windows Event Log Extended | false |
            Name | Description | Required | Value
            windowsEventLogsExtended | Windows Event Log Extended Event Type | false | boolean
    engines | The engines statuses | false |
        Name | Description | Required | Value
        applicationControl | application control | false | enum
        dataFiles | data files | false | enum
        executables | executables | false | enum
        exploits | exploits | false | enum
        lateralMovement | lateral movement | false | enum
        penetration | penetration | false | enum
        preExecution | on-write | false | enum
        preExecutionSuspicious | pre execution suspicious | false | enum
        pup | potentially unwanted applications (PUP) | false | enum
        remoteShell | remote shell | false | enum
        reputation | reputation | false | enum
    forensicsAutoTriggering | Forensics auto triggering configuration | false |
        Name | Description | Required | Value
        linuxEnabled | True if linux forensics is enabled | false | boolean
        linuxProfileId | The profile id for the linux forensics | false | string
        linuxProfileName | The profile name for the linux forensics | false | string
        macosEnabled | True if macos forensics is enabled | false | boolean
        macosProfileId | The profile id for the macos forensics | false | string
        macosProfileName | The profile name for the macos forensics | false | string
        windowsEnabled | True if windows forensics is enabled | false | boolean
        windowsProfileId | The profile id for the windows forensics | false | string
        windowsProfileName | The profile name for the windows forensics | false | string
    fwForNetworkQuarantineEnabled | True if Firewall Control for Network Quarantine is enabled | false | boolean
    identityEndpointReporting | Endpoint reporting level | false | enum
    identityOn | Identity module on/off | false | boolean
    identityReportInterval | Identity telemetry report interval in minutes | false | integer
    identityThrottlingInterval | Identity duplicate command consolidation interval in minutes | false | integer
    identityUpdateInterval | Identity update interval in minutes | false | integer
    inheritedFrom | Indicates the parent scope from which this policy is inherited, or 'null' if it is not inherited (modified specifically for the current scope). | false | enum
    ioc | True if ioc is enabled | false | boolean
    iocAttributes The Ioc attributes false
        autoInstallBrowserExtensions Update auto install browser extensions false boolean
        behavioralIndicators Update behavioral indicators false boolean
        commandScripts Update command scripts false boolean
        crossProcess Update cross process false boolean
        dataMasking Update data masking false boolean
        dllModuleLoad Update DLL module load false boolean
        dns Network event - DNS false boolean
        driver Driver false boolean
        fds Full disk scan false boolean
        file File event false boolean
        ip Network event - IP false boolean
        login User login/logout event false boolean
        namedPipe Named Pipe false boolean
        namedPipeExtended Named Pipe Extended false boolean
        process Process creation event false boolean
        registry Registry event false boolean
        scheduledTask Scheduled task event false boolean
        smartFileMonitoring Smart file monitoring false boolean
        url Ioc URI false boolean
        windowsEventLogs Windows Event Log false boolean
        windowsEventLogsExtended Windows Event Log Extended false boolean

    iocSupported Ioc supported for the scope false boolean
    isDefault True if this is the tenant policy false boolean
    isDvPolicyPerEventType FE indication as to how to display DV policy false boolean
    mitigationMode Mitigation modes false enum
    mitigationModeSuspicious Mitigation mode false enum
    monitorOnExecute Monitor on execute on/off false boolean
    monitorOnWrite Monitor on write false boolean
    networkQuarantineOn Network quarantine on false boolean
    remoteOpsForensics Remote ops forensics configuration false
        cpuLimit CPU resources limit for collection process false integer
        enabled Enabled false boolean
        maximumDailyUpload Maximum size to upload daily false integer
        maximumDailyUploadLimit Limit for the maximum size to upload daily false integer
        maximumFileSizeUpload Maximum size for single file false integer
        maximumFileSizeUploadLimit Limit for the maximum file size to upload false integer
        parsedArtifactsDestination Default destination of parsed artifacts false enum

    remoteScriptOrchestration Remote script orchestration upload limits configuration false
        alwaysUploadStreamToCloud Always upload streams to cloud false boolean
        maxDailyFileDownload Maximum size (MB) to download daily false integer
        maxDailyFileDownloadLimit Limit for the maximum size (MB) to download daily false integer
        maxDailyFileUpload Maximum size (MB) to upload daily false integer
        maxDailyFileUploadLimit Limit for the maximum size (MB) to upload daily false integer
        maxFileSize Maximum size in bytes for single file false integer
        maxFileSizeLimit Limit for the maximum file size (MB) to upload false integer
        maxLocalPackageDiskUsage Maximum local disk usage (MB) for packages false integer
        maxLocalPackageDiskUsageLimit Limit for the maximum local disk usage (MB) for packages false integer

    removeMacros Determines if macros should be removed from macro threats false boolean
    researchOn Share data with SentinelOne false boolean
    scanNewAgents If True initiate full disk scan upon first registration false boolean
    signedDriverBlockingOn Suspicious signed driver blocking on/off false boolean
    snapshotsOn True if snapshots are enabled false boolean
    unsignedDriverBlockingOn Suspicious unsigned driver blocking on/off false boolean
    updatedAt Time of the last update to the policy false string
    userFullName The user that created the policy false string
    userId The user id false string

errors Errors false array

Body Schema
Name Description Required Value
data Data true
    agentLoggingOn True if logging is enabled in the agent false boolean
    agentNotification [DEPRECATED] Show end point notification on suspicious. Replaced by 'show_suspicious' in the agent UI section false boolean
    agentUi Agent ui false
        agentUiOn Agent ui on false boolean
        contactCompany Contact company false string
        contactDirectMessage Contact direct message false string
        contactEmail Contact email false string
        contactFreeText Contact free text false string
        contactOther Contact other false string
        contactPhoneNumber Contact phone number false string
        contactSupportWebsite Contact support website false string
        devicePopUpNotifications Device pop up notifications false boolean
        maxEventAgeDays Max event age days false integer
        showAgentWarnings Show agent warnings false boolean
        showDeviceTab Show device tab false boolean
        showQuarantineTab Show quarantine tab false boolean
        showSupport Show support false boolean
        showSuspicious Show suspicious false boolean
        threatPopUpNotifications Threat pop up notifications false boolean

    agentUiOn [DEPRECATED] Show/hide Agent UI. Moved inside the agent UI section false boolean
    allowRemoteShell True if Remote Shell is enabled for the scope false boolean
    antiTamperingOn Anti tampering on/off false boolean
    autoDecommissionDays Automatic decommission period in days false integer
    autoDecommissionOn Auto decommission on false boolean
    autoFileUpload Automatic file upload configuration false
        enabled Automatic file upload on/off false boolean
        includeBenignFiles Upload benign files false boolean
        maxDailyFileUpload Maximum size (MB) to upload daily false integer
        maxDailyFileUploadLimit Limit for the maximum size (MB) to upload daily false integer
        maxFileSize Maximum file size (MB) to upload false integer
        maxFileSizeLimit Limit for the maximum file size (MB) to upload false integer
        maxLocalDiskUsage Maximum local disk usage (MB) for uploaded files false integer
        maxLocalDiskUsageLimit Limit for the maximum local disk usage (MB) for uploaded files false integer

    autoImmuneOn Automatic immune on/off - this value must be true since all policies are immune by default false boolean
    autoMitigationAction Default action for auto mitigation false string
    cloudValidationOn Cloud validation on false
    createdAt Timestamp of policy creation false string
    driverBlocking Suspicious driver blocking engine on/off false boolean
    dvAttributesPerEventType The DV attributes false
        autoInstallBrowserExtensions Auto install browser extensions false
            autoInstallBrowserExtensions Auto install browser extensions false boolean

        behavioralIndicators Behavioral indicators event false
            dvEventTypeBehavioralIndicators Behavioral indicators event false boolean

        commandScripts Command scripts event false
            dvEventTypeCommandScripts Command scripts event false boolean

        crossProcess Cross process event false
            dvEventTypeCrossProcessDuplicateProcess Duplicate Process Event Type false boolean
            dvEventTypeCrossProcessDuplicateThread Duplicate Thread Event Type false boolean
            dvEventTypeCrossProcessOpenProcess Open Process Event Type false boolean
            dvEventTypeCrossProcessRemoteThread Remote Thread Event Type false boolean

        dataMasking Data masking false
            dataMasking Data masking false boolean

        dllModuleLoad DLL module load event false
            dvEventTypeDllModuleLoad DLL module load event false boolean

        dns Network event - DNS false
            dvEventTypeDns Network event - DNS false boolean

        driver Driver false
            dvEventTypeDriverLoad Driver Load false boolean

        file File event false
            dvEventTypeFileCreation File Creation Event Type false boolean
            dvEventTypeFileDeletion File Deletion Event Type false boolean
            dvEventTypeFileModification File Modification Event Type false boolean
            dvEventTypeFileRename File Rename Event Type false boolean
            fullDiskScan File Scan Event Type false boolean

        ip Network event - IP false
            dvEventTypeIpConnect IP Connect Event Type false boolean
            dvEventTypeIpListen IP Listen Event Type false boolean

        login User login/logout event false
            dvEventTypeLoginLoggedIn User Login Event Type false boolean
            dvEventTypeLoginLoggedOut User Logout Event Type false boolean

        namedPipe Named Pipe false
            dvEventTypeNamedPipeConnection Named Pipe Connection Event Type false boolean
            dvEventTypeNamedPipeCreation Named Pipe Creation Event Type false boolean

        namedPipeExtended Named Pipe Extended false
            namedPipeExtended Named Pipe Connection Extended Event Type false boolean

        process Process event false
            dvEventTypeProcessCreation Process Creation Event Type false boolean
            dvEventTypeProcessExit Process Exit Event Type false boolean
            dvEventTypeProcessModification Process Termination Event Type false boolean

        registry Registry event false
            dvEventTypeRegistryKeyCreated Registry Key Created Event Type false boolean
            dvEventTypeRegistryKeyDelete Registry Key Delete Event Type false boolean
            dvEventTypeRegistryKeyExport Registry Key Export Event Type false boolean
            dvEventTypeRegistryKeyImport Registry Key Import Event Type false boolean
            dvEventTypeRegistryKeyRename Registry Key Rename Event Type false boolean
            dvEventTypeRegistryKeySecurityChanged Registry Key Security Changed Event Type false boolean
            dvEventTypeRegistryValueCreated Registry Value Created Event Type false boolean
            dvEventTypeRegistryValueDeleted Registry Value Deleted Event Type false boolean
            dvEventTypeRegistryValueModified Registry Value Modified Event Type false boolean

        scheduledTask Scheduled task event false
            dvEventTypeScheduledTaskDelete Scheduled Task Delete Event Type false boolean
            dvEventTypeScheduledTaskRegister Scheduled Task Register Event Type false boolean
            dvEventTypeScheduledTaskStart Scheduled Task Start Event Type false boolean
            dvEventTypeScheduledTaskTrigger Scheduled Task Trigger Event Type false boolean
            dvEventTypeScheduledTaskUpdate Scheduled Task Update Event Type false boolean

        smartFileMonitoring Smart file monitoring false
            smartFileMonitoring Smart file monitoring false boolean

        url URL Actions event false
            dvEventTypeUrl URL Actions event false boolean

        windowsEventLogs Windows Event Log false
            dvEventTypeWindowsEventLogCreation Windows Event Log Creation Event Type false boolean

        windowsEventLogsExtended Windows Event Log Extended false
            windowsEventLogsExtended Windows Event Log Extended Event Type false boolean

    engines The engines statuses false
        applicationControl application control false enum
        dataFiles data files false enum
        executables executables false enum
        exploits exploits false enum
        lateralMovement lateral movement false enum
        penetration penetration false enum
        preExecution on-write false enum
        preExecutionSuspicious pre execution suspicious false enum
        pup potentially unwanted applications (PUP) false enum
        remoteShell remote shell false enum
        reputation reputation false enum

    forensicsAutoTriggering Forensics auto triggering configuration false
        linuxEnabled True if linux forensics is enabled false boolean
        linuxProfileId The profile id for the linux forensics false string
        linuxProfileName The profile name for the linux forensics false string
        macosEnabled True if macos forensics is enabled false boolean
        macosProfileId The profile id for the macos forensics false string
        macosProfileName The profile name for the macos forensics false string
        windowsEnabled True if windows forensics is enabled false boolean
        windowsProfileId The profile id for the windows forensics false string
        windowsProfileName The profile name for the windows forensics false string

    identityEndpointReporting Endpoint reporting level false enum
    identityOn Identity module on/off false boolean
    identityReportInterval Identity telemetry report interval in minutes false integer
    identityThrottlingInterval Identity duplicate command consolidation interval in minutes false integer
    identityUpdateInterval Identity update interval in minutes false integer
    inheritedFrom Indicates the parent scope from which this policy is inherited, or 'null' if it is not inherited (modified specifically for the current scope). false enum
    ioc True if ioc is enabled false boolean
    iocAttributes The Ioc attributes false
        autoInstallBrowserExtensions Update auto install browser extensions false boolean
        behavioralIndicators Update behavioral indicators false boolean
        commandScripts Update command scripts false boolean
        crossProcess Update cross process false boolean
        dataMasking Update data masking false boolean
        dllModuleLoad Update DLL module load false boolean
        dns Network event - DNS false boolean
        driver Driver false boolean
        fds Full disk scan false boolean
        file File event false boolean
        ip Network event - IP false boolean
        login User login/logout event false boolean
        namedPipe Named Pipe false boolean
        namedPipeExtended Named Pipe Extended false boolean
        process Process creation event false boolean
        registry Registry event false boolean
        scheduledTask Scheduled task event false boolean
        smartFileMonitoring Smart file monitoring false boolean
        url Ioc URI false boolean
        windowsEventLogs Windows Event Log false boolean
        windowsEventLogsExtended Windows Event Log Extended false boolean

    iocSupported Ioc supported for the scope false boolean
    isDefault True if this is the tenant policy false boolean
    isDvPolicyPerEventType FE indication as to how to display DV policy false boolean
    mitigationMode Mitigation modes false enum
    mitigationModeSuspicious Mitigation mode false enum
    monitorOnExecute Monitor on execute on/off false boolean
    monitorOnWrite Monitor on write false boolean
    networkQuarantineOn Network quarantine on false boolean
    remoteOpsForensics Remote ops forensics configuration false
        cpuLimit CPU resources limit for collection process false integer
        enabled Enabled false boolean
        maximumDailyUpload Maximum size to upload daily false integer
        maximumDailyUploadLimit Limit for the maximum size to upload daily false integer
        maximumFileSizeUpload Maximum size for single file false integer
        maximumFileSizeUploadLimit Limit for the maximum file size to upload false integer
        parsedArtifactsDestination Default destination of parsed artifacts false enum

    remoteScriptOrchestration Remote script orchestration upload limits configuration false
        alwaysUploadStreamToCloud Always upload streams to cloud false boolean
        maxDailyFileDownload Maximum size (MB) to download daily false integer
        maxDailyFileDownloadLimit Limit for the maximum size (MB) to download daily false integer
        maxDailyFileUpload Maximum size (MB) to upload daily false integer
        maxDailyFileUploadLimit Limit for the maximum size (MB) to upload daily false integer
        maxFileSize Maximum size in bytes for single file false integer
        maxFileSizeLimit Limit for the maximum file size (MB) to upload false integer
        maxLocalPackageDiskUsage Maximum local disk usage (MB) for packages false integer
        maxLocalPackageDiskUsageLimit Limit for the maximum local disk usage (MB) for packages false integer

    removeMacros Determines if macros should be removed from macro threats false boolean
    researchOn Share data with SentinelOne false boolean
    scanNewAgents If True initiate full disk scan upon first registration false boolean
    signedDriverBlockingOn Suspicious signed driver blocking on/off false boolean
    snapshotsOn True if snapshots are enabled false boolean
    unsignedDriverBlockingOn Suspicious unsigned driver blocking on/off false boolean
    updatedAt Time of the last update to the policy false string
    userFullName The user that created the policy false string
    userId The user id false string

Ranger

Get Ranger Table


GET /web/api/v2.1/ranger/table-view

Get the data for each row in the Ranger Device Inventory Table. Best practice: Set filters. Each row is a set of parameters that quickly fills the pagination limits.


Parameters
accountids optional Single Account ID to filter by. Example: "225494730938493804".
agentids optional List of agent ids. Example: "225494730938493804,225494730938493915".
countonly optional If true, only total number of items will be returned, without any of the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
devicefunction__contains optional Free-text filter by device function (supports multiple values). Example: "security,mobile".
devicereviews optional The device review state
devicetype optional Device type. Example: "Server/Workstation/...".
devicetypes optional Device types
discoverymethods optional Discovery methods
domains optional Included network domains. Example: "mybusiness,workgroup".
externalip optional Search using external IP
externalip__contains optional Free-text filter by visible IP (supports multiple values). Example: "192.168.0.1/24,10.1".
firstseen__between optional Date range for first seen (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
firstseen__gt optional Devices first seen after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
firstseen__gte optional Devices first seen after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
firstseen__lt optional Devices first seen before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
firstseen__lte optional Devices first seen before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
gatewaymacaddress optional A gateway mac address to search for
gatewaymacaddress__contains optional Free-text filter by gateway mac address (supports multiple values). Example: "aa:ee:b1".
hostnames optional Hostnames
hostnames__contains optional Free-text filter by hostname (supports multiple values). Example: "s1_host,SomeHost".
ids optional List of device ids. Example: "225494730938493804,225494730938493915".
knownfingerprintingdata optional Known fingerprinting data. Example: "Manufacturer".
lastseen__between optional Date range for last seen (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
lastseen__gt optional Devices last seen after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
lastseen__gte optional Devices last seen after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
lastseen__lt optional Devices last seen before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
lastseen__lte optional Devices last seen before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
limit optional Limit number of returned items (1-1000). Example: "10".
localip optional Search using local IP
localip__contains optional Free-text filter by IP Address (supports multiple values). Example: "192.168.0.1/24,10.1".
macaddress optional A mac address to search for
macaddress__contains optional Free-text filter by mac address (supports multiple values). Example: "aa:ee:b1".
managedstate optional Is the device managed
managedstates optional Is the device managed
manufacturer optional Manufacturer of the device or network interface
manufacturer__contains optional Free-text filter by manufacturer (supports multiple values). Example: "Company".
networkname optional Search using network name
networkname__contains optional Free-text filter by network name (supports multiple values). Example: "Office".
osname optional Os name
ostype optional OS type
ostypes optional Included OS types
osversion optional Os version
osversion__contains optional Free-text filter by OS full name and version (supports multiple values). Example: "Service Pack 1".
period optional Period. Example: "latest".
query optional Query
siteids optional Single Site ID to filter by. Example: "225494730938493804".
sitenames optional Included site names. Example: "Office,Test".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
subnetaddress__contains optional Free-text filter by Subnet Address (supports multiple values). Example: "192.168.0.1/24,10.1".
tagname__contains optional Free-text filter by tag name (supports multiple values). Example: "iot".
tcpports__contains optional Free-text filter by tcp port (supports multiple values). Example: "80,24".
udpports__contains optional Free-text filter by udp port (supports multiple values). Example: "137,2002".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
pagination Pagination information true
    totalItems Total number of items found matching your query true integer
    nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string

data Response data false
    agentId The agent id if this is a known managed device false string
    deviceFunction Function of the device false string
    deviceReview The device review state false string
    deviceReviewLog Log of actions for this device false
        current false string
        previous false string
        reason false string
        reasonDetails false string
        updatedAt false string
        username false string

    deviceType Role of the device false string
    discoveryMethods Methods used to discover the device false string []
    domain The domain of the device false string
    externalIp Main Gateway Visible IP false string
    fingerPrintScore The confidence for this fingerprinting result false integer
    firstSeen Time the device was first seen false string
    gatewayIpAddress Main gateway IP address false string
    gatewayMacAddress Main gateway MAC address false string
    hasIdentity Would we be able to identify this device over time false boolean
    hasUserLabel True if it has a user label false boolean
    hostnames Array of host names false string []
    id Id of the device false string
    ipAddresses A list of ip addresses. When it is not combined it is always one element false string []
    labelUpdatedAt The date of the last label update false string
    labelUserName The user that changed the label false string
    lastSeen Time the device was last seen false string
    localIp Local ip of the device false string
    macAddress Mac address of the device false string
    managedState Protection state of the device false string
    manufacturer Manufacturer of the device or network interface false string
    networkName The network name false string

    networks A list of all the networks associated to the device. When it is not combined it is always one element false
        externalIp Main Gateway Visible IP false string
        gatewayIpAddress Main gateway IP address false string
        gatewayMacAddress Main gateway MAC address false string
        ip The IP of the device in the network false string
        networkName The network name false string
        subnetAddress Main subnet address false string

    osName OS Name/Version of the device false string
    osType Os Type of the device false string
    osVersion OS Version of the device false string
    previousDeviceFunction Previous Function of the device if manually changed false string
    previousOsType Previous Os Type of the device if manually changed false string
    previousOsVersion Previous OS Version of the device if manually changed false string
    siteName Site name false string
    subnetAddress Main subnet address false string
    tags The tags false
        id The tag id true string
        description The tag description false string
        kind Kind of tag if relevant false string
        name The tag name false string
    tcpPorts TCP Ports false integer []
    udpPorts UDP Ports false integer []

errors Errors false array
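
The cursor loop that the "cursor", "limit" and "nextCursor" descriptions above imply, written out as an added example (it is not part of the SentinelOne documentation): it walks ranger/table-view page by page and lists devices that have no agentId but expose TCP ports the inventory owner wants to track. The fetch transport, the helper names, the watched ports and the sample rows are assumptions constructed for this example; authentication is left to the caller's transport, and the stand-in backend uses a numeric offset as its cursor, whereas a real cursor is an opaque string.

```python
"""Cursor pagination over GET /web/api/v2.1/ranger/table-view (added example)."""
from urllib.parse import urlencode, urlsplit, parse_qs

TABLE_VIEW = "/web/api/v2.1/ranger/table-view"


def iter_ranger_devices(fetch, filters=None, limit=1000):
    """Yield every Device Inventory row that matches `filters`.

    `fetch` is a hypothetical caller-supplied transport: it receives the path
    plus query string, performs the authenticated GET against the console and
    returns the decoded JSON body as a dict.
    """
    if not 1 <= limit <= 1000:  # documented range for "limit"
        raise ValueError("limit must be between 1 and 1000")
    base = dict(filters or {})
    base["limit"] = limit
    cursor, seen = None, set()
    while True:
        query = dict(base)  # resend the same filters on every page
        if cursor is not None:
            query["cursor"] = cursor
        page = fetch(f"{TABLE_VIEW}?{urlencode(query)}")
        if page.get("errors"):
            raise RuntimeError(f"table-view returned errors: {page['errors']}")
        yield from page.get("data") or []
        cursor = (page.get("pagination") or {}).get("nextCursor")
        # The schema says nextCursor is "null" on the last page: accept JSON
        # null, an empty string, or the literal string.
        if cursor in (None, "", "null"):
            return
        if cursor in seen:  # guard against a cursor that never advances
            raise RuntimeError("nextCursor repeated; aborting pagination")
        seen.add(cursor)


def unmanaged_with_ports(rows, watch_ports):
    """Return rows with no agentId (not a known managed device) that list a
    watched port in tcpPorts."""
    watch = set(watch_ports)
    findings = []
    for row in rows:
        if row.get("agentId"):
            continue
        exposed = sorted(watch & set(row.get("tcpPorts") or []))
        if exposed:
            findings.append({"id": row.get("id"),
                             "localIp": row.get("localIp"),
                             "tcpPorts": exposed})
    return findings


# Constructed sample rows, using field names from the Response Schema above.
SAMPLE_ROWS = [
    {"id": "1001", "agentId": "225494730938493804", "localIp": "192.168.0.10", "tcpPorts": [22, 445]},
    {"id": "1002", "agentId": None, "localIp": "192.168.0.23", "tcpPorts": [80, 3389]},
    {"id": "1003", "agentId": None, "localIp": "192.168.0.40", "tcpPorts": []},
    {"id": "1004", "agentId": None, "localIp": "192.168.0.77", "tcpPorts": [23, 80]},
    {"id": "1005", "agentId": "225494730938493915", "localIp": "192.168.0.90", "tcpPorts": [3389]},
]
FAKE_LOG = []  # every URL the stand-in backend was asked for


def fake_fetch(url):
    """Constructed stand-in for the console: serves SAMPLE_ROWS page by page."""
    FAKE_LOG.append(url)
    query = parse_qs(urlsplit(url).query)
    limit = int(query["limit"][0])
    start = int(query.get("cursor", ["0"])[0])
    end = start + limit
    return {
        "pagination": {
            "totalItems": len(SAMPLE_ROWS),
            "nextCursor": str(end) if end < len(SAMPLE_ROWS) else None,
        },
        "data": SAMPLE_ROWS[start:end],
    }


if __name__ == "__main__":
    devices = iter_ranger_devices(fake_fetch, {"siteids": "225494730938493804"}, limit=2)
    for finding in unmanaged_with_ports(devices, {23, 3389}):
        print(finding)
```
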

Export Ranger Data
GET /web/api/v2.1/ranger/report/csv

Export Ranger data to csv. You can set filters to get only relevant data. The response sends the csv data as text.

Parameters
accountids optional Single Account ID to filter by. Example: "225494730938493804".
agentids optional List of agent ids. Example: "225494730938493804,225494730938493915".
devicefunction__contains optional Free-text filter by device function (supports multiple values). Example: "security,mobile".
devicereviews optional The device review state
devicetype optional Device type. Example: "Server/Workstation/...".
devicetypes optional Device types
discoverymethods optional Discovery methods
domains optional Included network domains. Example: "mybusiness,workgroup".
externalip optional Search using external IP
externalip__contains optional Free-text filter by visible IP (supports multiple values). Example: "192.168.0.1/24,10.1".
firstseen__between optional Date range for first seen (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
firstseen__gt optional Devices first seen after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
firstseen__gte optional Devices first seen after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
firstseen__lt optional Devices first seen before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
firstseen__lte optional Devices first seen before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
gatewaymacaddress optional A gateway mac address to search for
gatewaymacaddress__contains optional Free-text filter by gateway mac address (supports multiple values). Example: "aa:ee:b1".
hostnames optional Hostnames
hostnames__contains optional Free-text filter by hostname (supports multiple values). Example: "s1_host,SomeHost".
ids optional List of device ids. Example: "225494730938493804,225494730938493915".
knownfingerprintingdata optional Known fingerprinting data. Example: "Manufacturer".
lastseen__between optional Date range for last seen (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
lastseen__gt optional Devices last seen after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
lastseen__gte optional Devices last seen after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
lastseen__lt optional Devices last seen before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
lastseen__lte optional Devices last seen before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
localip optional Search using local IP
localip__contains optional Free-text filter by IP Address (supports multiple values). Example: "192.168.0.1/24,10.1".
macaddress optional A mac address to search for
macaddress__contains optional Free-text filter by mac address (supports multiple values). Example: "aa:ee:b1".
managedstate optional Is the device managed
managedstates optional Is the device managed
manufacturer optional Manufacturer of the device or network interface
manufacturer__contains optional Free-text filter by manufacturer (supports multiple values). Example: "Company".
networkname optional Search using network name
networkname__contains optional Free-text filter by network name (supports multiple values). Example: "Office".

osname optional Os name
ostype optional OS type
ostypes optional Included OS types
osversion optional Os version
osversion__contains optional Free-text filter by OS full name and version (supports multiple values). Example: "Service Pack 1".
period optional Period. Example: "latest".
query optional Query
siteids optional Single Site ID to filter by. Example: "225494730938493804".
sitenames optional Included site names. Example: "Office,Test".
subnetaddress__contains optional Free-text filter by Subnet Address (supports multiple values). Example: "192.168.0.1/24,10.1".
tagname__contains optional Free-text filter by tag name (supports multiple values). Example: "iot".
tcpports__contains optional Free-text filter by tcp port (supports multiple values). Example: "80,24".
udpports__contains optional Free-text filter by udp port (supports multiple values). Example: "137,2002".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

JSON Raw Data


GET /web/api/v2.1/ranger/{inventory_id}/json

Get a json string with the Ranger data for one device, by ID in the Device Inventory Data.

Response Messages

200 - Success

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
errors Errors false array

Export JSON Raw Data
GET /web/api/v2.1/ranger/{inventory_id}/json/export

Export the raw data for one device, by its ID in the Device Inventory Data. To get the ID, run ranger/table-view (see Get Ranger Table). Use this command to get data for Support.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

404 - Not found

Get Ranger Settings


GET /web/api/v2.1/ranger/settings

Ranger gives full visibility of all devices connected to your network. Ranger scans your corporate environment to identify and manage connected devices, even those not protected by or supported by SentinelOne. Ranger identifies devices as:
* Secured - End-user computer or laptop, or server, with a SentinelOne Agent.
* Unsecured - Endpoint of supported hardware and OS, without an Agent.
* Unsupported - Hardware or software that is not compatible with the SentinelOne Agent.
* Unknown - Ranger cannot determine if the device is Unsecured or Unsupported.

When you install Windows Agents with Ranger, the Agents can become scanners. Selected scanners from networks that you enable for scanning find connected devices with passive and active scan techniques. The scanners send the collected data to Ranger on the Management. Ranger then runs fingerprinting to identify and classify unique devices and to update the Device Inventory Table in the Management Console. With port scanning, it is important that you understand the legal and ethical considerations and that you document a Ranger plan and implementation. See https://support.sentinelone.com/hc/en-us/articles/360041484913 > Legal Considerations and Proper Implementation.

Requirements: Ranger license, Cloud-based Management (not supported for On-Prem), Global user or Account user with scope access to the Account with a Ranger license.

Use this command to get the Ranger Settings for the Account of the given ID (run "accounts" to get an Account ID). The Response shows if Ranger is enabled on the Account, the protocols and ports of the scans, and more:
* minAgentsInNetworkToScan - To help you determine which networks are corporate, Ranger looks at the number of secured endpoints (Agents) in a network. If there are not enough Agents in a network - set by this parameter value - Ranger considers the network to be non-corporate and will not scan it.
* scanOnlyLocalSubnets - If false, Ranger scans remote subnets that do not have online Ranger scanners. This will create network traffic through the corporate firewall (and between different corporate locations), which can impact network performance.
* usePeriodicSnapshots - A complete scan includes scanner port scanning and Ranger AI analysis of the scanner data to update the Device Inventory Snapshot. If this setting is true, Ranger runs a new scan on an interval. If snapshotPeriod is shorter, the data is more accurate. If longer, there is better performance.

Parameters

accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
  accountId | Account id | false | string
  autoEnableNetworks | All networks that match the min agents configuration will be enabled automatically | false | boolean
  combineDevices | Combine devices as one among multiple networks | false | boolean
  enabled | Is the ranger collection enabled for the account | false | boolean
  icmpScan | ICMP scan enabled | false | boolean
  mdnsScan | MDNS scan enabled | false | boolean
  minAgentsInNetworkToScan | Minimum agents required in a network to be listed as selectable for scan | false | integer
  multiScanSsdp | SSDP Multicast scan enabled | false | boolean
  networkDecommissionValue | The number of days to archive a network which was not enabled for scan | false | integer
  newNetworkInHours | Networks are going to be marked as new for this period | false | integer
  rdnsScan | RDNS scan enabled | false | boolean
  restrictions | A set of IP addresses that should not be scanned in the specific network | false | (nested fields below)
    annotation | An optional note with the reason for the restriction | false | string
    type |  | false | enum
    values | It will be one IP or one CIDR or two values for a Range | false | string []
  scanOnlyLocalSubnets | Scan only local subnets | false | boolean
  scopeId | Scope id | false | string
  smbScan | SMB scan enabled | false | boolean
  snapshotPeriod | Period in minutes for each snapshot | false | integer
  snmpScan | SNMP scan enabled | false | boolean
  specificPorts | [FUTURE] A set of specific ports allowed to be used as source ports for an active scan | false | (nested fields below)
    type |  | false | enum
    values | It can be a single port or two ports [start, end] for a Range | false | integer []
  tcpPorts | TCP Ports | false | integer []
  tcpPortScan | TCP Port scan enabled | false | boolean
  udpPorts | UDP Ports | false | integer []
  udpPortScan | UDP Port scan enabled | false | boolean
  useFullDnsScan | DNS Full scan enabled | false | boolean
  usePeriodicSnapshots | Ranger views are generated periodically by the snapshot period | false | boolean
  useSpecificPorts | [FUTURE] Use only specific ports defined in specific ports as source ports of active scans | false | boolean
errors | Errors | false | array

Update Ranger Settings
PUT /web/api/v2.1/ranger/settings

Change the Ranger Settings. Best Practice: Get the current settings before you change them. See: Get Ranger Settings.


Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
  accountId | Account id | false | string
  autoEnableNetworks | All networks that match the min agents configuration will be enabled automatically | false | boolean
  combineDevices | Combine devices as one among multiple networks | false | boolean
  enabled | Is the ranger collection enabled for the account | false | boolean
  icmpScan | ICMP scan enabled | false | boolean
  mdnsScan | MDNS scan enabled | false | boolean
  minAgentsInNetworkToScan | Minimum agents required in a network to be listed as selectable for scan | false | integer
  multiScanSsdp | SSDP Multicast scan enabled | false | boolean
  networkDecommissionValue | The number of days to archive a network which was not enabled for scan | false | integer
  newNetworkInHours | Networks are going to be marked as new for this period | false | integer
  rdnsScan | RDNS scan enabled | false | boolean
  restrictions | A set of IP addresses that should not be scanned in the specific network | false | (nested fields below)
    annotation | An optional note with the reason for the restriction | false | string
    type |  | false | enum
    values | It will be one IP or one CIDR or two values for a Range | false | string []
  scanOnlyLocalSubnets | Scan only local subnets | false | boolean
  scopeId | Scope id | false | string
  smbScan | SMB scan enabled | false | boolean
  snapshotPeriod | Period in minutes for each snapshot | false | integer
  snmpScan | SNMP scan enabled | false | boolean
  specificPorts | [FUTURE] A set of specific ports allowed to be used as source ports for an active scan | false | (nested fields below)
    type |  | false | enum
    values | It can be a single port or two ports [start, end] for a Range | false | integer []
  tcpPorts | TCP Ports | false | integer []
  tcpPortScan | TCP Port scan enabled | false | boolean
  udpPorts | UDP Ports | false | integer []
  udpPortScan | UDP Port scan enabled | false | boolean
  useFullDnsScan | DNS Full scan enabled | false | boolean
  usePeriodicSnapshots | Ranger views are generated periodically by the snapshot period | false | boolean
  useSpecificPorts | [FUTURE] Use only specific ports defined in specific ports as source ports of active scans | false | boolean
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (nested fields below)
  accountId | Account id | false | string
  autoEnableNetworks | All networks that match the min agents configuration will be enabled automatically | false | boolean
  combineDevices | Combine devices as one among multiple networks | false | boolean
  enabled | Is the ranger collection enabled for the account | false | boolean
  icmpScan | ICMP scan enabled | false | boolean
  mdnsScan | MDNS scan enabled | false | boolean
  minAgentsInNetworkToScan | Minimum agents required in a network to be listed as selectable for scan | false | integer
  multiScanSsdp | SSDP Multicast scan enabled | false | boolean
  networkDecommissionValue | The number of days to archive a network which was not enabled for scan | false | integer
  newNetworkInHours | Networks are going to be marked as new for this period | false | integer
  rdnsScan | RDNS scan enabled | false | boolean
  restrictions | A set of IP addresses that should not be scanned in the specific network | false | (nested fields below)
    annotation | An optional note with the reason for the restriction | false | string
    type |  | false | enum
    values | It will be one IP or one CIDR or two values for a Range | false | string []
  scanOnlyLocalSubnets | Scan only local subnets | false | boolean
  scopeId | Scope id | false | string
  smbScan | SMB scan enabled | false | boolean
  snapshotPeriod | Period in minutes for each snapshot | false | integer
  snmpScan | SNMP scan enabled | false | boolean
  specificPorts | [FUTURE] A set of specific ports allowed to be used as source ports for an active scan | false | (nested fields below)
    type |  | false | enum
    values | It can be a single port or two ports [start, end] for a Range | false | integer []
  tcpPorts | TCP Ports | false | integer []
  tcpPortScan | TCP Port scan enabled | false | boolean
  udpPorts | UDP Ports | false | integer []
  udpPortScan | UDP Port scan enabled | false | boolean
  useFullDnsScan | DNS Full scan enabled | false | boolean
  usePeriodicSnapshots | Ranger views are generated periodically by the snapshot period | false | boolean
  useSpecificPorts | [FUTURE] Use only specific ports defined in specific ports as source ports of active scans | false | boolean
filter | Filter | true | (nested fields below)
  accountIds | List of Account IDs to filter by | false | string []
  siteIds | List of Site IDs to filter by | false | string []
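
The get-before-change practice for Ranger Settings, as an added example (not SentinelOne's code): it audits the `data` object returned by GET /web/api/v2.1/ranger/settings against the trade-offs described for that endpoint, checks `restrictions` values locally, and builds a PUT body that carries only the changed fields plus the required `filter`. The function names, the two thresholds, the treatment of `data` as a single object and the sample response are assumptions made for this example.

```python
import ipaddress

# Field names come from the Body Schema of PUT /web/api/v2.1/ranger/settings.
# The two [FUTURE] fields (specificPorts, useSpecificPorts) are left out on purpose.
BODY_FIELDS = {
    "accountId", "autoEnableNetworks", "combineDevices", "enabled", "icmpScan",
    "mdnsScan", "minAgentsInNetworkToScan", "multiScanSsdp",
    "networkDecommissionValue", "newNetworkInHours", "rdnsScan", "restrictions",
    "scanOnlyLocalSubnets", "scopeId", "smbScan", "snapshotPeriod", "snmpScan",
    "tcpPorts", "tcpPortScan", "udpPorts", "udpPortScan", "useFullDnsScan",
    "usePeriodicSnapshots",
}

# Constructed sample of a GET response; the values are illustrative only.
SAMPLE_GET_RESPONSE = {
    "data": {
        "accountId": "225494730938493804",
        "enabled": True,
        "autoEnableNetworks": True,
        "minAgentsInNetworkToScan": 1,
        "scanOnlyLocalSubnets": False,
        "tcpPortScan": True,
        "tcpPorts": [22, 80, 443],
        "udpPortScan": False,
        "usePeriodicSnapshots": True,
        "snapshotPeriod": 30,
        "restrictions": [],
    },
    "errors": None,
}


def classify_restriction(values):
    """Check one restrictions[].values list: one IP, one CIDR, or two IPs for a range.

    Returns a local label ('ip', 'cidr', 'range'). These labels are NOT the API's
    `type` enum, whose values the documentation does not list.
    """
    if not values or not all(isinstance(v, str) for v in values):
        raise ValueError(f"values must be a non-empty list of strings: {values!r}")
    if len(values) == 1:
        if "/" in values[0]:
            # strict=True rejects a CIDR with host bits set, e.g. 10.0.5.7/24
            ipaddress.ip_network(values[0], strict=True)
            return "cidr"
        ipaddress.ip_address(values[0])
        return "ip"
    if len(values) == 2:
        start, end = (ipaddress.ip_address(v) for v in values)
        if start.version != end.version or start > end:
            raise ValueError(f"range must be [low, high] in one address family: {values!r}")
        return "range"
    raise ValueError(f"expected one or two values, got {len(values)}")


def audit_settings(s, min_agents_floor=2, min_snapshot_minutes=60):
    """Return (field, note) pairs worth reviewing. Both thresholds are assumptions."""
    if not s.get("enabled"):
        return []  # Ranger collection is off for this account
    findings = []
    if s.get("scanOnlyLocalSubnets") is False:
        findings.append(("scanOnlyLocalSubnets",
                         "remote subnets are scanned through the corporate firewall"))
    min_agents = s.get("minAgentsInNetworkToScan")
    if s.get("autoEnableNetworks") and min_agents is not None and min_agents < min_agents_floor:
        findings.append(("autoEnableNetworks",
                         "networks with very few Agents are enabled for scanning automatically"))
    restrictions = s.get("restrictions") or []
    if (s.get("tcpPortScan") or s.get("udpPortScan")) and not restrictions:
        findings.append(("restrictions", "port scanning is on and no addresses are excluded"))
    for entry in restrictions:
        try:
            classify_restriction(entry.get("values") or [])
        except ValueError as exc:
            findings.append(("restrictions", f"invalid entry: {exc}"))
    period = s.get("snapshotPeriod")
    if s.get("usePeriodicSnapshots") and period is not None and period < min_snapshot_minutes:
        findings.append(("snapshotPeriod", "short interval: more accurate data, more scan load"))
    return findings


def build_update_body(current, changes, account_ids=(), site_ids=()):
    """Build the PUT body: only fields that differ from `current`, plus an explicit filter."""
    unknown = set(changes) - BODY_FIELDS
    if unknown:
        raise ValueError(f"not in the body schema: {sorted(unknown)}")
    for entry in changes.get("restrictions", []):
        classify_restriction(entry.get("values") or [])
    scope = {}
    if account_ids:
        scope["accountIds"] = list(account_ids)
    if site_ids:
        scope["siteIds"] = list(site_ids)
    if not scope:
        # Local safety choice: never send a settings change without naming its scope.
        raise ValueError("refusing to build an update without accountIds or siteIds")
    data = {k: v for k, v in changes.items() if current.get(k) != v}
    return {"data": data, "filter": scope}
```

Keep the audited GET response next to the PUT body in the change record, so the previous Ranger Settings can be restored from it.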

Change Device Review in Bulk
POST /web/api/v2.1/ranger/device-review

Change the review state of more than one device.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
  affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (nested fields below)
  deviceReview | The device review state | true | enum
  reason | Reason for the change | false | string
  reasonDetails | Reason details for the change | false | string
filter | Filter | true | (nested fields below)
  accountIds | Single Account ID to filter by | false | string []
  agentIds | List of agent ids | false | string []
  deviceFunction__contains | Free-text filter by device function (supports multiple values) | false | string []
  deviceReviews | The device review state | false | string []
  deviceType | Device type | false | string
  deviceTypes | Device types | false | string []
  discoveryMethods | Discovery methods | false | string []
  domains | Included network domains | false | string []
  externalIp | Search using external IP | false | string
  externalIp__contains | Free-text filter by visible IP (supports multiple values) | false | string []
  firstSeen__between | Date range for first seen (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  firstSeen__gt | Devices first seen after this timestamp | false | string
  firstSeen__gte | Devices first seen after or at this timestamp | false | string
  firstSeen__lt | Devices first seen before this timestamp | false | string
  firstSeen__lte | Devices first seen before or at this timestamp | false | string
  gatewayMacAddress | A gateway mac address to search for | false | string
  gatewayMacAddress__contains | Free-text filter by gateway mac address (supports multiple values) | false | string []
  hasUserLabel |  | false | boolean
  hostnames | Hostnames | false | string []
  hostnames__contains | Free-text filter by hostname (supports multiple values) | false | string []
  ids | List of device ids | false | string []
  knownFingerprintingData | Known fingerprinting data | false | string []
  lastSeen__between | Date range for last seen (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  lastSeen__gt | Devices last seen after this timestamp | false | string
  lastSeen__gte | Devices last seen after or at this timestamp | false | string
  lastSeen__lt | Devices last seen before this timestamp | false | string
  lastSeen__lte | Devices last seen before or at this timestamp | false | string
  localIp | Search using local IP | false | string
  localIp__contains | Free-text filter by IP Address (supports multiple values) | false | string []
  macAddress | A mac address to search for | false | string
  macAddress__contains | Free-text filter by mac address (supports multiple values) | false | string []
  managedState | Is the device managed | false | string
  managedStates | Is the device managed | false | string []
  manufacturer | Manufacturer of the device or network interface | false | string
  manufacturer__contains | Free-text filter by manufacturer (supports multiple values) | false | string []
  networkName | Search using network name | false | string
  networkName__contains | Free-text filter by network name (supports multiple values) | false | string []
  osName | Os name | false | string
  osType | OS type | false | string
  osTypes | Included OS types | false | string []
  osVersion | Os version | false | string
  osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
  period | Period | false | enum
  query | Query | false | string
  siteIds | Single Site ID to filter by | false | string []
  siteNames | Included site names | false | string []
  subnetAddress__contains | Free-text filter by Subnet Address (supports multiple values) | false | string []
  tagName__contains | Free-text filter by tag name (supports multiple values) | false | string []
  tcpPorts__contains | Free-text filter by tcp port (supports multiple values) | false | integer []
  udpPorts__contains | Free-text filter by udp port (supports multiple values) | false | integer []

Change Device Review
PUT /web/api/v2.1/ranger/device-review/{inventory_id}

Change the review state of one device.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
  agentId | The agent id if this is a known managed device | false | string
  deviceFunction | Function of the device | false | string
  deviceReview | The device review state | false | string
  deviceReviewLog | Log of actions for this device | false | (nested fields below)
    current |  | false | string
    previous |  | false | string
    reason |  | false | string
    reasonDetails |  | false | string
    updatedAt |  | false | string
    username |  | false | string
  deviceType | Role of the device | false | string
  discoveryMethods | Methods used to discover the device | false | string []
  domain | The domain of the device | false | string
  externalIp | Main Gateway Visible IP | false | string
  fingerPrintScore | The confidence for this fingerprinting result | false | integer
  firstSeen | Time the device was first seen | false | string
  gatewayIpAddress | Main gateway IP address | false | string
  gatewayMacAddress | Main gateway MAC address | false | string
  hasIdentity | Would we be able to identify this device over time | false | boolean
  hasUserLabel | True if it has a user label | false | boolean
  hostnames | Array of host names | false | string []
  id | Id of the device | false | string
  ipAddresses | A list of ip addresses. When it is not combined it is always one element | false | string []
  labelUpdatedAt | The date of the last label update | false | string
  labelUserName | The user that changed the label | false | string
  lastSeen | Time the device was last seen | false | string
  localIp | Local ip of the device | false | string
  macAddress | Mac address of the device | false | string
  managedState | Protection state of the device | false | string
  manufacturer | Manufacturer of the device or network interface | false | string
  networkName | The network name | false | string
  networks | A list of all the networks associated to the device. When it is not combined it is always one element | false | (nested fields below)
    externalIp | Main Gateway Visible IP | false | string
    gatewayIpAddress | Main gateway IP address | false | string
    gatewayMacAddress | Main gateway MAC address | false | string
    ip | The IP of the device in the network | false | string
    networkName | The network name | false | string
    subnetAddress | Main subnet address | false | string
  osName | OS Name/Version of the device | false | string
  osType | Os Type of the device | false | string
  osVersion | OS Version of the device | false | string
  previousDeviceFunction | Previous Function of the device if manually changed | false | string
  previousOsType | Previous Os Type of the device if manually changed | false | string
  previousOsVersion | Previous OS Version of the device if manually changed | false | string
  siteName | Site name | false | string
  subnetAddress | Main subnet address | false | string
  tags | The tags | false | (nested fields below)
    id | The tag id | true | string
    description | The tag description | false | string
    kind | Kind of tag if relevant | false | string
    name | The tag name | false | string
  tcpPorts | TCP Ports | false | integer []
  udpPorts | UDP Ports | false | integer []
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (nested fields below)
  deviceReview | The device review state | true | enum
  reason | Reason for the change | false | string
  reasonDetails | Reason details for the change | false | string

Change Device Tags
POST /web/api/v2.1/ranger/tags

Change the device tags.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
  affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
filter | Filter | true | (nested fields below)
  accountIds | Single Account ID to filter by | false | string []
  agentIds | List of agent ids | false | string []
  deviceFunction__contains | Free-text filter by device function (supports multiple values) | false | string []
  deviceReviews | The device review state | false | string []
  deviceType | Device type | false | string
  deviceTypes | Device types | false | string []
  discoveryMethods | Discovery methods | false | string []
  domains | Included network domains | false | string []
  externalIp | Search using external IP | false | string
  externalIp__contains | Free-text filter by visible IP (supports multiple values) | false | string []
  firstSeen__between | Date range for first seen (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  firstSeen__gt | Devices first seen after this timestamp | false | string
  firstSeen__gte | Devices first seen after or at this timestamp | false | string
  firstSeen__lt | Devices first seen before this timestamp | false | string
  firstSeen__lte | Devices first seen before or at this timestamp | false | string
  gatewayMacAddress | A gateway mac address to search for | false | string
  gatewayMacAddress__contains | Free-text filter by gateway mac address (supports multiple values) | false | string []
  hasUserLabel |  | false | boolean
  hostnames | Hostnames | false | string []
  hostnames__contains | Free-text filter by hostname (supports multiple values) | false | string []
  ids | List of device ids | false | string []
  knownFingerprintingData | Known fingerprinting data | false | string []
  lastSeen__between | Date range for last seen (format: <from_timestamp>-<to_timestamp>, inclusive) | false | string
  lastSeen__gt | Devices last seen after this timestamp | false | string
  lastSeen__gte | Devices last seen after or at this timestamp | false | string
  lastSeen__lt | Devices last seen before this timestamp | false | string
  lastSeen__lte | Devices last seen before or at this timestamp | false | string
  localIp | Search using local IP | false | string
  localIp__contains | Free-text filter by IP Address (supports multiple values) | false | string []
  macAddress | A mac address to search for | false | string
  macAddress__contains | Free-text filter by mac address (supports multiple values) | false | string []
  managedState | Is the device managed | false | string
  managedStates | Is the device managed | false | string []
  manufacturer | Manufacturer of the device or network interface | false | string
  manufacturer__contains | Free-text filter by manufacturer (supports multiple values) | false | string []
  networkName | Search using network name | false | string
  networkName__contains | Free-text filter by network name (supports multiple values) | false | string []
  osName | Os name | false | string
  osType | OS type | false | string
  osTypes | Included OS types | false | string []
  osVersion | Os version | false | string
  osVersion__contains | Free-text filter by OS full name and version (supports multiple values) | false | string []
  period | Period | false | enum
  query | Query | false | string
  siteIds | Single Site ID to filter by | false | string []
  siteNames | Included site names | false | string []
  subnetAddress__contains | Free-text filter by Subnet Address (supports multiple values) | false | string []
  tagName__contains | Free-text filter by tag name (supports multiple values) | false | string []
  tcpPorts__contains | Free-text filter by tcp port (supports multiple values) | false | integer []
  udpPorts__contains | Free-text filter by udp port (supports multiple values) | false | integer []
data | Data | false | (nested fields below)
  id | The tag id | true | string
  description | The tag description | false | string
  kind | Kind of tag if relevant | false | string
  name | The tag name | false | string

Ranger Deploy

Create Cred Group


POST /web/api/v2.1/ranger/cred-groups

Create a new Cred Group.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
  groupName | The cred group name | true | string
  groupPassphrase | Encrypted passphrase with key unknown by the management | true | string
  scopeId | Scope id | true | string
  domain | The domain associated to this cred group | false | string
  id | The cred group id | false | string
  targetOs | The os type for this cred group | false | enum
  totalDetails | The number of cred details in the group | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (nested fields below)
  groupName | The cred group name | true | string
  groupPassphrase | Encrypted passphrase with key unknown by the management | true | string
  scopeId | Scope id | true | string
  domain | The domain associated to this cred group | false | string
  targetOs | The os type for this cred group | false | enum

Get Cred groups
GET /web/api/v2.1/ranger/cred-groups

Get the data for each row in the Cred Groups table.

Parameters
accountids optional Single Account ID to filter by. Example: "225494730938493804".
countonly optional If true, only total number of items will be returned, without any of the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
groupname optional Group name being searched
groupnamelike optional Group name being searched
ids optional A list of ids to get
limit optional Limit number of returned items (1-1000). Example: "10".
siteids optional Single Site ID to filter by. Example: "225494730938493804".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
targetos optional The os type for this cred group. Example: "windows".
totaldetails__gt optional Get creds with total details greater than the supplied number

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name | Description | Required | Value
pagination | Pagination information | true | (nested fields below)
  totalItems | Total number of items found matching your query | true | integer
  nextCursor | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) | false | string
data | Response data | false | (nested fields below)
  groupName | The cred group name | true | string
  groupPassphrase | Encrypted passphrase with key unknown by the management | true | string
  scopeId | Scope id | true | string
  domain | The domain associated to this cred group | false | string
  id | The cred group id | false | string
  targetOs | The os type for this cred group | false | enum
  totalDetails | The number of cred details in the group | false | integer
errors | Errors | false | array

Delete Cred Group
DELETE /web/api/v2.1/ranger/cred-groups/{cred_group_id}

Delete cred group value.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

404 - Cred group not found.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
  success | Indicates a successful operation | false | boolean
errors | Errors | false | array

Add cred details
POST /web/api/v2.1/ranger/cred-groups/details

Add cred details to a cred group.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Cred group not found.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
  success | Indicates a successful operation | false | boolean
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | false | (nested fields below)
  credGroupId | Cred group id | true | string
  details | The cred group details | false | (nested fields below)
    credType | The type of the cred | true | string
    encryptedCred | The encrypted creds | true | string
    encryptedKey | A encrypted key for the creds | true | string
    title | The title for the cred | true | string

Get Cred group details
GET /web/api/v2.1/ranger/cred-groups/details

Get the data for each row in the Cred Groups details table.

Parameters
accountids optional Single Account ID to filter by. Example: "225494730938493804".
countonly optional If true, only total number of items will be returned, without any of the actual objects.
credgroupids optional A list of ids to get
credtypelike optional The type of the cred group
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
ids optional A list of ids to get
limit optional Limit number of returned items (1-1000). Example: "10".
siteids optional Single Site ID to filter by. Example: "225494730938493804".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
title optional Exact filter by title
titlelike optional Like filter by title

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name | Description | Required | Value
pagination | Pagination information | true | (nested fields below)
  totalItems | Total number of items found matching your query | true | integer
  nextCursor | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) | false | string
data | Response data | false | (nested fields below)
  credType | The type of the cred group | true | string
  title | The title for the cred | true | string
  createdAt | The creation time | false | string
  createdBy | The user that created the details | false | string
  credGroupId | The cred group id | false | string
  id | The detail id | false | string
  updatedAt | The last update time | false | string
  updatedBy | The user that updated the details | false | string
errors | Errors | false | array

Delete Cred Group Detail
DELETE /web/api/v2.1/ranger/cred-groups/details/{detail_id}

Delete cred group detail value.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

404 - Cred group not found.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
  success | Indicates a successful operation | false | boolean
errors | Errors | false | array

Update Cred Group Details
PUT /web/api/v2.1/ranger/cred-groups/details/{detail_id}

Update cred group values.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Cred group not found.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
  credType | The type of the cred group | true | string
  title | The title for the cred | true | string
  createdAt | The creation time | false | string
  createdBy | The user that created the details | false | string
  credGroupId | The cred group id | false | string
  id | The detail id | false | string
  updatedAt | The last update time | false | string
  updatedBy | The user that updated the details | false | string
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (nested fields below)
  credType | The type of the cred | true | string
  encryptedCred | The encrypted creds | true | string
  encryptedKey | A encrypted key for the creds | true | string
  title | The title for the cred | true | string

Ranger Self Enablement

Get Self Enablement


GET /web/api/v2.1/ranger/enablement

[DEPRECATED] Use the Update Account, Get Account, Get Sites, or the Update Site Add-ons APIs instead.

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
activeagents optional The number of non-decommissioned agents in the site
activeagents__between optional Agent count (between). Example: "2-8".
activeagents__gt optional Agent count (more than)
activeagents__gte optional Agent count (more than or equal)
activeagents__lt optional Agent count (less than)
activeagents__lte optional Agent count (less than or equal)
countonly optional If true, only total number of items will be returned, without any of the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
id optional The enablement id. Example: "225494730938493804".
ids optional A list of ids to get. Example: "225494730938493804,225494730938493915".
limit optional Limit number of returned items (1-1000). Example: "10".
rangerenabled optional Ranger Enabled true/false
rangerproenabled optional [DEPRECATED]. Use rangerEnabled instead. Ranger Pro Enabled true/false
roguesenabled optional Rogues Enabled true/false
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
sitename optional The site name
sitename__contains optional Free-text filter by site name (supports multiple values)
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
tenant optional Indicates a tenant scope request

Response Messages
400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 -

Change Ranger or Rogues Features


POST /web/api/v2.1/ranger/enablement

[DEPRECATED] Use the Update Account, Get Account, Get Sites, or the Update Site Add-ons APIs instead.

Response Messages
400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 -

Body Schema

Name | Description | Required | Value
data | Data | true | (nested fields below)
  rangerEnabled | Ranger Enabled true/false | false | boolean
  rangerProEnabled | [DEPRECATED] Use rangerEnabled parameter instead. Ranger Pro Enabled true/false | false | boolean
  roguesEnabled | Rogues Enabled true/false | false | boolean
filter | Filter | true | (nested fields below)
  accountIds | List of Account IDs to filter by | false | string []
  activeAgents | The number of non-decommissioned agents in the site | false | integer
  activeAgents__between | Agent count (between) | false | string
  activeAgents__gt | Agent count (more than) | false | integer
  activeAgents__gte | Agent count (more than or equal) | false | integer
  activeAgents__lt | Agent count (less than) | false | integer
  activeAgents__lte | Agent count (less than or equal) | false | integer
  groupIds | List of Group IDs to filter by | false | string []
  id | The enablement id | false | string
  ids | A list of ids to get | false | string []
  rangerEnabled | Ranger Enabled true/false | false | boolean
  rangerProEnabled | [DEPRECATED]. Use rangerEnabled instead. Ranger Pro Enabled true/false | false | boolean
  roguesEnabled | Rogues Enabled true/false | false | boolean
  siteIds | List of Site IDs to filter by | false | string []
  siteName | The site name | false | string
  siteName__contains | Free-text filter by site name (supports multiple values) | false | string []
  tenant | Indicates a tenant scope request | false | boolean

1941
Change the Self-Enablement for Accounts
POST /web/api/v2.1/ranger/enable-self-management

[DEPRECATED] Use the Update Account, Get Account, Get Sites, or the Update Site Add-ons APIs instead.

Response Messages
400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 -

Body Schema
Name | Description | Required | Value
data | Data | true | nested fields:
  enable | enable: true/false | false | boolean
filter | Filter | true | nested fields:
  accountIds | List of Account IDs to filter by | false | string []

Features Configuration for New Sites
GET /web/api/v2.1/ranger/enablement/defaults

[DEPRECATED] Use the Update Account, Get Account, Get Sites, or the Update Site Add-ons APIs instead.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".

Response Messages
400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 -

Change Feature Defaults for New Sites


POST /web/api/v2.1/ranger/enablement/defaults

[DEPRECATED] Use the Update Account, Get Account, Get Sites, or the Update Site Add-ons APIs instead.

Response Messages
400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 -

Body Schema
Name | Description | Required | Value
data | Data | true | nested fields:
  rangerEnabled | Ranger Enabled true/false | false | boolean
  rangerProEnabled | [DEPRECATED] Use rangerEnabled parameter instead. Ranger Pro Enabled true/false | false | boolean
  roguesEnabled | Rogues Enabled true/false | false | boolean
filter | Filter | true | nested fields:
  accountIds | List of Account IDs to filter by | false | string []
  activeAgents | The number of non-decommissioned agents in the site | false | integer
  activeAgents__between | Agent count (between) | false | string
  activeAgents__gt | Agent count (more than) | false | integer
  activeAgents__gte | Agent count (more than or equal) | false | integer
  activeAgents__lt | Agent count (less than) | false | integer
  activeAgents__lte | Agent count (less than or equal) | false | integer
  groupIds | List of Group IDs to filter by | false | string []
  id | The enablement id | false | string
  ids | A list of ids to get | false | string []
  rangerEnabled | Ranger Enabled true/false | false | boolean
  rangerProEnabled | [DEPRECATED]. Use rangerEnabled instead. Ranger Pro Enabled true/false | false | boolean
  roguesEnabled | Rogues Enabled true/false | false | boolean
  siteIds | List of Site IDs to filter by | false | string []
  siteName | The site name | false | string
  siteName__contains | Free-text filter by site name (supports multiple values) | false | string []
  tenant | Indicates a tenant scope request | false | boolean

RBAC

Get All Roles


GET /web/api/v2.1/rbac/roles

See roles assigned to users that match the filter, a basic description of the roles, and the number of users for each role.
Role-Based Access Control (RBAC) has predefined roles. (Currently, customized roles are not supported.) This command gives the ID of the role, which you can use in
other commands.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
accountname optional Name of the account that contains the role
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
createdat optional Created at. Example: "2018-02-27T04:49:26.257525Z".
createdat__between optional Return RBAC roles created within this range (inclusive). Example:
"1514978764288-1514978999999".
createdat__gt optional Return RBAC roles created after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__gte optional Return RBAC roles created after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lt optional Return RBAC roles created before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lte optional Return RBAC roles created before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
creator optional Email of the creating user
creatorid optional Id of the creating user. Example: "225494730938493804".
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
description optional Description
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
ids optional List of ids to filter by. Example:
"225494730938493804,225494730938493915".
includechildren optional Include child scopes roles
includeparents optional Include parent scopes roles
limit optional Limit number of returned items (1-1000). Example: "10".
name optional Return RBAC role matching the name
query optional Free text search on role name, and description
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
sitename optional Name of the site that contains the role
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
tenancyids optional List of Tenancies IDs to filter by. Example:
"225494730938493804,225494730938493915".
tenant optional Indicates a tenant scope request
updatedat optional Updated at. Example: "2018-02-27T04:49:26.257525Z".
updatedat__between optional Return RBAC roles updated within this range (inclusive). Example:
"1514978764288-1514978999999".
updatedat__gt optional Return RBAC roles updated after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__gte optional Return RBAC roles updated after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__lt optional Return RBAC roles updated before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__lte optional Return RBAC roles updated before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
updatedby optional Email of the updating user
updatedbyid optional Id of the updating user. Example: "225494730938493804".
usersinroles optional How many users use this role

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
pagination | Pagination information | true | nested fields:
  totalItems | Total number of items found matching your query | true | integer
  nextCursor | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) | false | string
data | Response data | false | nested fields:
  accountName | Account name | false | string
  createdAt | Created at | false | string
  creator | Email of the creating user | false | string
  creatorId | Id of the creating user | false | string
  description | Description | false | string
  id | Id | false | string
  name | Name | false | string
  predefinedRole | Whether this role is a system role | false | boolean
  scope | Scope of the role (Group/Site/Account/Tenant) | false | string
  scopeId | Id of the containing scope | false | string
  siteName | Site name | false | string
  updatedAt | Updated at | false | string
  updatedBy | Email of the updating user | false | string
  updatedById | Id of the creating user | false | string
  usersInRoles | How many users use this role | false | integer
errors | Errors | false | array

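The cursor pagination described for Get All Roles, shown as an added example that is not part of the original documentation: it follows pagination.nextCursor until the last page and then lists non-system roles that still have users. The `Fetch` transport hook, the fake console and the sample roles are constructed for illustration, and the response is assumed to carry `data` as a list of role objects.

```python
"""Walk GET /web/api/v2.1/rbac/roles with the documented cursor pagination."""
import base64
from typing import Callable, Dict, Iterator, List, Optional

ROLES_PATH = "/web/api/v2.1/rbac/roles"
MAX_LIMIT = 1000  # documented range for "limit" is 1-1000

# Hypothetical transport hook: takes (path, query params) and returns the decoded
# JSON body. Plug in your own authenticated HTTP client here.
Fetch = Callable[[str, Dict[str, str]], dict]


def iter_roles(fetch: Fetch, filters: Optional[Dict[str, str]] = None,
               limit: int = MAX_LIMIT) -> Iterator[dict]:
    """Yield every role matching `filters`, following pagination.nextCursor."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be between 1 and 1000")
    params = dict(filters or {})
    params["limit"] = str(limit)
    seen = set()
    while True:
        body = fetch(ROLES_PATH, dict(params))
        if body.get("errors"):
            raise RuntimeError(f"API returned errors: {body['errors']}")
        yield from body.get("data") or []
        cursor = (body.get("pagination") or {}).get("nextCursor")
        # The schema says nextCursor is "null" on the last page; accept JSON null,
        # the literal string "null" and an empty string as end-of-data.
        if cursor in (None, "", "null"):
            return
        if cursor in seen:  # defensive: never loop forever on a repeated cursor
            raise RuntimeError("pagination cursor repeated")
        seen.add(cursor)
        params["cursor"] = cursor


def custom_roles_in_use(roles: List[dict]) -> List[dict]:
    """Non-system roles that still have users: the ones to review first."""
    hits = [r for r in roles
            if not r.get("predefinedRole") and (r.get("usersInRoles") or 0) > 0]
    return sorted(hits, key=lambda r: (-r["usersInRoles"], r["name"]))


# Constructed sample data (not real console output), so the example runs offline.
SAMPLE_ROLES = [
    {"id": "1001", "name": "Admin", "predefinedRole": True, "scope": "Tenant", "usersInRoles": 4},
    {"id": "1002", "name": "Viewer", "predefinedRole": True, "scope": "Tenant", "usersInRoles": 12},
    {"id": "1003", "name": "ACME-IR-Responder", "predefinedRole": False, "scope": "Account", "usersInRoles": 3},
    {"id": "1004", "name": "ACME-Helpdesk", "predefinedRole": False, "scope": "Site", "usersInRoles": 0},
    {"id": "1005", "name": "SiteB-Contractor", "predefinedRole": False, "scope": "Site", "usersInRoles": 7},
]


def make_fake_console(roles: List[dict], calls: List[dict]) -> Fetch:
    """In-memory stand-in for the console; the cursor is a base64 offset."""
    def fetch(path: str, params: Dict[str, str]) -> dict:
        if path != ROLES_PATH:
            raise ValueError("unexpected path")
        calls.append(dict(params))
        start = int(base64.b64decode(params["cursor"]).decode()) if "cursor" in params else 0
        end = start + int(params["limit"])
        nxt = base64.b64encode(str(end).encode()).decode() if end < len(roles) else None
        return {"pagination": {"totalItems": len(roles), "nextCursor": nxt},
                "data": roles[start:end], "errors": []}
    return fetch


if __name__ == "__main__":
    seen_calls: List[dict] = []
    console = make_fake_console(SAMPLE_ROLES, seen_calls)
    all_roles = list(iter_roles(console, limit=2))
    print(f"{len(all_roles)} roles in {len(seen_calls)} requests")
    for role in custom_roles_in_use(all_roles):
        print(role["name"], role["scope"], role["usersInRoles"])
```
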
Get Specific Role Definition
GET /web/api/v2.1/rbac/role/{role_id}

With the ID of a role (see Get All Roles) you can see the permissions of that role.
The definition of a role can change in different scopes and SKUs. For example, an Admin role with the scope access of a Site does not have Ranger permissions, but an IT
role with the scope access of an Account with a Ranger license does have permissions on Ranger.
The Response shows role permissions to see views in the WebUI and to use Console features.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
createdat__between optional Return RBAC roles created within this range (inclusive). Example:
"1514978764288-1514978999999".
createdat__gt optional Return RBAC roles created after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__gte optional Return RBAC roles created after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lt optional Return RBAC roles created before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
createdat__lte optional Return RBAC roles created before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
name optional Return RBAC role matching the name
query optional Free text search on role name, and description
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
tenant optional Indicates a tenant scope request
updatedat__between optional Return RBAC roles updated within this range (inclusive). Example:
"1514978764288-1514978999999".
updatedat__gt optional Return RBAC roles updated after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__gte optional Return RBAC roles updated after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__lt optional Return RBAC roles updated before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
updatedat__lte optional Return RBAC roles updated before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | nested fields:
  accountName | Account name | false | string
  createdAt | Created at | false | string
  creator | Email of the creating user | false | string
  creatorId | Id of the creating user | false | string
  description | Description | false | string
  id | Id | false | string
  name | Name | false | string
  pages | Pages | false | nested fields:
    identifier | Identifier | false | string
    name | Name | false | string
    permissions | Permissions | false | nested fields:
      additionalDescription | Additional description | false | string
      dependsOn | Depends on | false | string []
      description | Description | false | string
      disabledReason | Disabled reason | false | string
      disabledReasonCode | Disabled reason code | false | string
      groupName | Group name | false | string
      identifier | Identifier | false | string
      title | Title | false | string
      type | Type | false | string
      value | Value | false | boolean
  predefinedRole | Whether this role is a system role | false | boolean
  scope | Scope of the role (Group/Site/Account/Tenant) | false | string
  scopeId | Id of the containing scope | false | string
  siteName | Site name | false | string
  updatedAt | Updated at | false | string
  updatedBy | Email of the updating user | false | string
  updatedById | Id of the creating user | false | string
  usersInRoles | How many users use this role | false | integer
errors | Errors | false | array

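Because a role definition can change across scopes and after an Update role call, a useful audit is to diff two snapshots of the Get Specific Role Definition response. The following is an added example, not part of the original documentation: it flattens pages and permissions into a map and reports grants, revocations and scope widening. The page and permission identifiers in the sample are constructed placeholders, and `data` is assumed to be a single role object with `pages` as a list.

```python
"""Diff two snapshots of GET /web/api/v2.1/rbac/role/{role_id}."""
from typing import Dict, List

# Scope levels from the schema ("Group/Site/Account/Tenant"), narrowest first.
SCOPE_RANK = {"group": 0, "site": 1, "account": 2, "tenant": 3}


def flatten_permissions(role_def: dict) -> Dict[str, bool]:
    """Map "<page identifier>/<permission identifier>" to its boolean value."""
    role = role_def.get("data") or {}
    flat: Dict[str, bool] = {}
    for page in role.get("pages") or []:
        for perm in page.get("permissions") or []:
            key = f"{page.get('identifier')}/{perm.get('identifier')}"
            flat[key] = bool(perm.get("value"))
    return flat


def scope_widened(before: dict, after: dict) -> bool:
    """True when the role moved to a broader scope level."""
    old = str((before.get("data") or {}).get("scope", "")).lower()
    new = str((after.get("data") or {}).get("scope", "")).lower()
    return SCOPE_RANK.get(new, -1) > SCOPE_RANK.get(old, -1)


def diff_role(before: dict, after: dict) -> Dict[str, List[str]]:
    """Report permissions granted or revoked and metadata that changed."""
    old, new = flatten_permissions(before), flatten_permissions(after)
    granted = sorted(k for k, v in new.items() if v and not old.get(k, False))
    revoked = sorted(k for k, v in old.items() if v and not new.get(k, False))
    metadata = []
    for field in ("name", "scope", "scopeId", "predefinedRole"):
        b = (before.get("data") or {}).get(field)
        a = (after.get("data") or {}).get(field)
        if a != b:
            metadata.append(f"{field}: {b!r} -> {a!r}")
    return {"granted": granted, "revoked": revoked, "metadata": metadata}


def make_role(scope: str, scope_id: str, values: Dict[str, Dict[str, bool]]) -> dict:
    """Build a constructed response body in the documented shape."""
    pages = [{"identifier": page, "name": page,
              "permissions": [{"identifier": p, "title": p, "value": v}
                              for p, v in perms.items()]}
             for page, perms in values.items()]
    return {"data": {"id": "1003", "name": "ACME-IR-Responder",
                     "predefinedRole": False, "scope": scope,
                     "scopeId": scope_id, "pages": pages},
            "errors": []}


# Constructed snapshots; identifiers are placeholders, not real console values.
BEFORE = make_role("Site", "225494730938493804", {
    "example-endpoints": {"example.view": True, "example.remoteShell": False,
                          "example.uninstall": True},
    "example-forensics": {"example.startCollection": False},
})
AFTER = make_role("Account", "225494730938493915", {
    "example-endpoints": {"example.view": True, "example.remoteShell": True,
                          "example.uninstall": False},
    "example-forensics": {"example.startCollection": True},
})

if __name__ == "__main__":
    report = diff_role(BEFORE, AFTER)
    for section, items in report.items():
        for item in items:
            print(f"{section}: {item}")
    print("scope widened:", scope_widened(BEFORE, AFTER))
```
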
Update role
PUT /web/api/v2.1/rbac/role/{role_id}

With the ID of a role (see Get All Roles), you can update the permissions of users with this role.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | nested fields:
  accountName | Account name | false | string
  createdAt | Created at | false | string
  creator | Email of the creating user | false | string
  creatorId | Id of the creating user | false | string
  description | Description | false | string
  id | Id | false | string
  name | Name | false | string
  pages | Pages | false | nested fields:
    identifier | Identifier | false | string
    name | Name | false | string
    permissions | Permissions | false | nested fields:
      additionalDescription | Additional description | false | string
      dependsOn | Depends on | false | string []
      description | Description | false | string
      disabledReason | Disabled reason | false | string
      disabledReasonCode | Disabled reason code | false | string
      groupName | Group name | false | string
      identifier | Identifier | false | string
      title | Title | false | string
      type | Type | false | string
      value | Value | false | boolean
  predefinedRole | Whether this role is a system role | false | boolean
  scope | Scope of the role (Group/Site/Account/Tenant) | false | string
  scopeId | Id of the containing scope | false | string
  siteName | Site name | false | string
  updatedAt | Updated at | false | string
  updatedBy | Email of the updating user | false | string
  updatedById | Id of the creating user | false | string
  usersInRoles | How many users use this role | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | nested fields:
  description | Description | true | string
  name | Recommendation: Use a prefix or suffix for each role that identifies it as related to a specific Account or Site. | true | string
  permissionIds | Permission ids | false | string []
filter | Filter | false | nested fields:
  accountIds | List of Account IDs to filter by | false | string []
  groupIds | List of Group IDs to filter by | false | string []
  siteIds | List of Site IDs to filter by | false | string []
  tenant | Indicates a tenant scope request | false | boolean

Delete role
DELETE /web/api/v2.1/rbac/role/{role_id}

With the ID of a role (see Get All Roles), you can delete a role. If there are users assigned to the role, specify the ID of their new role.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | nested fields:
  success | Indicates a successful operation | false | boolean
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | nested fields:
  targetId | Role ID of new role to assign to users with the role | false | string

Create new role
POST /web/api/v2.1/rbac/role

Create a new role for Role-Based Access Control (RBAC).

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | nested fields:
  accountName | Account name | false | string
  createdAt | Created at | false | string
  creator | Email of the creating user | false | string
  creatorId | Id of the creating user | false | string
  description | Description | false | string
  id | Id | false | string
  name | Name | false | string
  pages | Pages | false | nested fields:
    identifier | Identifier | false | string
    name | Name | false | string
    permissions | Permissions | false | nested fields:
      additionalDescription | Additional description | false | string
      dependsOn | Depends on | false | string []
      description | Description | false | string
      disabledReason | Disabled reason | false | string
      disabledReasonCode | Disabled reason code | false | string
      groupName | Group name | false | string
      identifier | Identifier | false | string
      title | Title | false | string
      type | Type | false | string
      value | Value | false | boolean
  predefinedRole | Whether this role is a system role | false | boolean
  scope | Scope of the role (Group/Site/Account/Tenant) | false | string
  scopeId | Id of the containing scope | false | string
  siteName | Site name | false | string
  updatedAt | Updated at | false | string
  updatedBy | Email of the updating user | false | string
  updatedById | Id of the creating user | false | string
  usersInRoles | How many users use this role | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | nested fields:
  description | Description | true | string
  name | Recommendation: Use a prefix or suffix for each role that identifies it as related to a specific Account or Site. | true | string
  permissionIds | Permission ids | false | string []
filter | Filter | true | nested fields:
  accountIds | List of Account IDs to filter by | false | string []
  groupIds | List of Group IDs to filter by | false | string []
  siteIds | List of Site IDs to filter by | false | string []
  tenant | Indicates a tenant scope request | false | boolean

Get template for new role
GET /web/api/v2.1/rbac/role

Get the template for a new role.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | nested fields:
  description | Description | true | string
  pages | Pages | false | nested fields:
    identifier | Identifier | false | string
    name | Name | false | string
    permissions | Permissions | false | nested fields:
      additionalDescription | Additional description | false | string
      dependsOn | Depends on | false | string []
      description | Description | false | string
      disabledReason | Disabled reason | false | string
      disabledReasonCode | Disabled reason code | false | string
      groupName | Group name | false | string
      identifier | Identifier | false | string
      title | Title | false | string
      type | Type | false | string
      value | Value | false | boolean
errors | Errors | false | array

Remote Ops MMS

Create new Destination profile.


POST /web/api/v2.1/remote-ops/data-exporter/destination-profiles

Create a Destination profile inside the specified scope. If the created profile is requested to be default, the default profile of the specified scope is overridden.

Response Messages
200 - Successes

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | nested fields:
  profileId | Profile ID | true | string
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
apiKey | Write key of api account to upload data | true | string
apiUrl | URL of api instance to upload the events | true | string
destination | Destination profile type | true | enum
name | Destination profile name | true | string
scopeId | Scope ID to store the Destination profile | true | string
scopeLevel | Scope level to store the Destination profile | true | enum
isDefault | Flag if the profile should be marked as default in its scope | false | boolean

Get available Destination profiles
GET /web/api/v2.1/remote-ops/data-exporter/destination-profiles

Get Destination profiles available for the specified scope. The profiles are inherited downwards, e.g. the profiles from parent Account and Tenant scopes are available for a
Site. At most one of the returned destination profiles will be marked as default for the scope. If the scope does not have a default profile defined, it's inherited from the higher
scope, unless inheritance was broken.

Parameters
scopeid optional Scope ID to get Destination profiles configuration. Example:
"225494730938493804".
scopelevel optional Scope level to get Destination profile configuration. Example:
"tenant".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permission to perform such action

Response Schema
Name | Description | Required | Value
data | Response data | false | nested fields:
  apiKey | Write key of destination account to upload data | true | string
  apiUrl | URL of destination instance to upload data | true | string
  creator | Email of user who created the Destination profile | true | string
  creatorId | ID of user who created the Destination profile | true | string
  destination | Destination type where the results will be uploaded | true | string
  id | Destination profile ID | true | string
  isDefault | Flag if the Destination profile is default for the scope | true | boolean
  name | Destination profile name | true | string
  scopePath | Path of scope where the Destination profile is stored | true | string
  updater | Email of user who updated the Destination profile | true | string
  updaterId | ID of user who updated the Destination profile | true | string
errors | Errors | false | array

Delete multiple Destination profiles by ID
DELETE /web/api/v2.1/remote-ops/data-exporter/destination-profiles

Delete multiple Destination profiles. The profiles that are not possible to delete (e.g. non-existing or user does not have proper permissions) are skipped. IDs of successfully
deleted profiles are returned in response.

Response Messages
200 - Delete was completed or partially completed.

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | nested fields:
  affected | Deleted Destination profile IDs | false | string []
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | false |
filter | Filter | false | nested fields:
  ids | List of Destination profile IDs to delete | false | string []

Delete Destination profile by ID
DELETE /web/api/v2.1/remote-ops/data-exporter/destination-profiles/{profile_id}

Delete Destination profile with specified ID. If the profile was used as default for a scope, the last created profile will be marked as default for that scope.

Response Messages
200 - Destination profile is deleted

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permission to perform such action

404 - Destination profile is not found

Update existing Destination profile


PUT /web/api/v2.1/remote-ops/data-exporter/destination-profiles/{profile_id}

Update contents of existing Destination profile with specified ID. All the profile data should be specified, even if the values are not changed. If the updated profile is
requested to be default, the default profile of its scope is modified.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permission to perform such action

404 - Destination profile is not found

Response Schema
Name | Description | Required | Value
data | Response data | false | nested fields:
  profileId | Profile ID | true | string
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | nested fields:
  apiKey | Write key of api account to upload data | true | string
  apiUrl | URL of api instance to upload the events | true | string
  name | Destination profile name | true | string
  isDefault | Flag if the profile should be marked as default in its scope | false | boolean

Get Destination profile by ID
GET /web/api/v2.1/remote-ops/data-exporter/destination-profiles/{profile_id}

Get Destination profile with specified ID

Parameters
scopeid optional Scope ID to get Destination profiles configuration. Example:
"225494730938493804".
scopelevel optional Scope level to get Destination profile configuration. Example:
"tenant".

Response Messages
200 - Get Destination profile

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permission to perform such action

404 - Destination profile is not found

Response Schema
Name | Description | Required | Value
data | Response data | false | nested fields:
  apiKey | Write key of destination account to upload data | true | string
  apiUrl | URL of destination instance to upload data | true | string
  creator | Email of user who created the Destination profile | true | string
  creatorId | ID of user who created the Destination profile | true | string
  destination | Destination type where the results will be uploaded | true | string
  id | Destination profile ID | true | string
  isDefault | Flag if the Destination profile is default for the scope | true | boolean
  name | Destination profile name | true | string
  scopePath | Path of scope where the Destination profile is stored | true | string
  updater | Email of user who updated the Destination profile | true | string
  updaterId | ID of user who updated the Destination profile | true | string
errors | Errors | false | array

Set profile as default profile of the scope
POST /web/api/v2.1/remote-ops/data-exporter/destination-profiles/set-default

Set profile as default profile of the scope

Response Messages
200 - Get Destination profile

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permission to perform such action

Body Schema
Name | Description | Required | Value
data | Data | true | nested fields:
  profileId | Profile Id to set as default profile | true | string
  scopeLevel | Scope level to get Destination profile configuration | true | enum
  scopeId | Scope ID to get Destination profiles configuration | false | string

Get results sent to data exporter
GET /web/api/v2.1/remote-ops/data-exporter/results

Get results sent to data exporter

Parameters
agentid required Id of the agent the data came from
maliciousgroupid optional Threat malicious group id
taskid optional Task id

Response Messages
200 - Get Destination profile results

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permission to perform such action

Response Schema
Name | Description | Required | Value
data | Response data | false | nested fields:
  agentResults | Agent results | false | nested fields:
    hasFailures | Indicates if not failures has occurred during upload returned | true | boolean
    isEmpty | Indicates if not results returned | true | boolean
    url | Url to relevant data source | true | string
    errorMessage | Last error message | false | string
  taskResults | Task results | false | nested fields:
    hasFailures | Indicates if not failures has occurred during upload returned | true | boolean
    isEmpty | Indicates if not results returned | true | boolean
    url | Url to relevant data source | true | string
    errorMessage | Last error message | false | string
  threatResults | Threat results | false | nested fields:
    hasFailures | Indicates if not failures has occurred during upload returned | true | boolean
    isEmpty | Indicates if not results returned | true | boolean
    url | Url to relevant data source | true | string
    errorMessage | Last error message | false | string
errors | Errors | false | array

RemoteOps Forensics

Start collection of Forensics artifacts according to specified profile


POST /web/api/v2.1/remote-ops/forensics/start-collection

Start collection of Forensics artifacts according to specified profile

Response Messages
202 - Forensics collection has been started

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Body Schema
Name Description Required Value
data Data true Name Description Required Value
destination Destination true Name Description Required Value
password Password for false string
encrypting
uploaded
binary
artifacts
passwordFro Used to false Name Description Required Value
mScope specify
execution scopeLevel User scope true enum
where a scopeId string repr. of false string
generic scope id
password is
used
profileId ID of profile false string
for
destination of

1977
exported
collection
date

collectionProf ID of the false string


ileId Collection
Profile that
will be used
description Description false string
of the
collection
tag Tag identifier false string
of the
collection

filter Filter true Name Description Required Value


specification
of targeted accountIds List of false string []
agents Account IDs
to filter by
activeThreats Include false integer
Agents with
this amount
of active
threats
activeThreats Include false integer
__gt Agents with
at least this
amount of
active threats
adComputerM Free-text false string []
ember__conta filter by
ins Active
Directory
computer
groups string
(supports
multiple
values)
adComputerN Free-text false string []
ame__contain filter by
s Active
Directory

1978
computer
name string
(supports
multiple
values)
adComputerQ Free-text false string []
uery__contain filter by
s Active
Directory
computer
name or its
groups
(supports
multiple
values)
adQuery An Active false string
Directory
query string
adQuery__con Free-text false string []
tains filter by
Active
Directory
string
(supports
multiple
values)
adUserMembe Free-text false string []
r__contains filter by
Active
Directory
user groups
string
(supports
multiple
values)
adUserName_ Free-text false string []
_contains filter by
Active
Directory
username
string
(supports
multiple
values)

1979
adUserQuery_ Free-text false string []
_contains filter by
Active
Directory
computer
name or its
groups
(supports
multiple
values)
agentNamespa Free-text false string []
ce__contains filter by agent
namespace
(supports
multiple
values)
agentPodNam Free-text false string []
e__contains filter by agent
pod name
(supports
multiple
values)
agentVersion Version range false string
__between for agent
version
(format:
<from_versio
n>-
<to_version>,
inclusive)
agentVersion_ Agents false string
_gt versions
greater than
given version
agentVersion__gte Agents versions greater than or equal to given version false string
agentVersion__lt Agents versions less than given version false string
agentVersion__lte Agents versions less than or equal to given version false string
agentVersions Agent versions to include false string []
agentVersionsNin Agent versions not to include false string []
appsVulnerabilityStatuses Apps vulnerability status in false string []
appsVulnerabilityStatusesNin Apps vulnerability status nin false string []
awsRole__contains Free-text filter by aws role (supports multiple values) false string []
awsSecurityGroups__contains Free-text filter by aws securityGroups (supports multiple values) false string []
awsSubnetIds__contains Free-text filter by aws subnet ids (supports multiple values) false string []
azureResourceGroup__contains Free-text filter by azure resource group (supports multiple values) false string []
cloudAccount__contains Free-text filter by cloud account (supports multiple values) false string []
cloudImage__contains Free-text filter by cloud image (supports multiple values) false string []
cloudInstanceId__contains Free-text filter by cloud instance id (supports multiple values) false string []
cloudInstanceSize__contains Free-text filter by cloud instance size (supports multiple values) false string []
cloudLocation__contains Free-text filter by cloud location (supports multiple values) false string []
cloudNetwork__contains Free-text filter by cloud network (supports multiple values) false string []
cloudProvider Agents from which cloud provider false string []
cloudProviderNin Exclude Agents from these cloud provider false string []
cloudTags__contains Free-text filter by cloud tags (supports multiple values) false string []
clusterName__contains Free-text filter by cluster name (supports multiple values) false string []
computerName Computer name false string
computerName__contains Free-text filter by computer name (supports multiple values) false string []
computerName__like Match computer name partially (substring) false string
consoleMigrationStatuses Migration status in false string []
consoleMigrationStatusesNin Migration status nin false string []
coreCount__between Possible number of CPU cores (inclusive) false string
coreCount__gt CPU cores (more than) false integer
coreCount__gte CPU cores (more than or equal) false integer
coreCount__lt CPU cores (less than) false integer
coreCount__lte CPU cores (less than or equal) false integer
cpuCount__between Possible number of CPU cores (inclusive) false string
cpuCount__gt Number of CPUs (more than) false integer
cpuCount__gte Number of CPUs (more than or equal) false integer
cpuCount__lt Number of CPUs (less than) false integer
cpuCount__lte Number of CPUs (less than or equal) false integer
cpuId__contains Free-text filter by CPU name (supports multiple values) false string []
createdAt__between Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
createdAt__gt Agents created after this timestamp false string
createdAt__gte Agents created after or at this timestamp false string
createdAt__lt Agents created before this timestamp false string
createdAt__lte Agents created before or at this timestamp false string
csvFilterId The ID of the CSV file to filter by false string
decommissionedAt__between Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
decommissionedAt__gt Agents decommissioned after this timestamp false string
decommissionedAt__gte Agents decommissioned after or at this timestamp false string
decommissionedAt__lt Agents decommissioned before this timestamp false string
decommissionedAt__lte Agents decommissioned before this timestamp false string
domains Included network domains false string []
domainsNin Not included network domains false string []
encryptedApplications Disk encryption status false boolean
externalId__contains Free-text filter by external ID (Customer ID) false string []
externalIp__contains Free-text filter by visible IP (supports multiple values) false string []
filteredGroupIds List of Group IDs to filter by false string []
filteredSiteIds List of Site IDs to filter by false string []
filterId Include all Agents matching this saved filter false string
firewallEnabled The agent supports Firewall Control and it is enabled for the agent's group false boolean []
gatewayIp Gateway ip false string
gcpServiceAccount__contains Free-text filter by gcp service account (supports multiple values) false string []
groupIds List of Group IDs to filter by false string []
hasContainerizedWorkload Include only Agents protecting containerized workloads false boolean
hasLocalConfiguration Agent has a local configuration set false boolean
hasTags Include only Agents that have any tags assigned if True, or none if False false boolean
ids A list of Agent IDs false string []
infected Include only Agents with at least one active threat false boolean
installerTypes Include only Agents installed with these package types false string []
installerTypesNin Exclude Agents installed with these package types false string []
isActive Include only active Agents false boolean
isDecommissioned Include active, decommissioned or both false boolean []
isPendingUninstall Include only Agents with pending uninstall requests false boolean
isUninstalled Include installed, uninstalled or both false boolean []
isUpToDate Include only Agents with updated software false boolean
k8sNodeLabels__contains Free-text filter by K8s node labels (supports multiple values) false string []
k8sNodeName__contains Free-text filter by K8s node name (supports multiple values) false string []
k8sType__contains Free-text filter by K8s type (supports multiple values) false string []
k8sVersion__contains Free-text filter by K8s version (supports multiple values) false string []
lastActiveDate__between Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) false string
lastActiveDate__gt Agents last active after this time false string
lastActiveDate__gte Agents last active after or at this time false string
lastActiveDate__lt Agents last active before this time false string
lastActiveDate__lte Agents last active before or at this time false string
lastLoggedInUserName__contains Free-text filter by username (supports multiple values) false string []
lastSuccessfulScanDate__between Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) false string
lastSuccessfulScanDate__gt Agents last successful full disk scan after this time false string
lastSuccessfulScanDate__gte Agents last successful full disk scan after or at this time false string
lastSuccessfulScanDate__lt Agents last successful full disk scan before this time false string
lastSuccessfulScanDate__lte Agents last successful full disk scan before or at this time false string
liveUpdateId__contains Free-text filter by live update ID (supports multiple values) false string []
locationEnabled The agent supports Location Awareness and it is enabled for the agent's group false boolean []
locationIds Include only Agents reporting these locations false string []
locationIdsNin Do not include only Agents reporting these locations false string []
machineTypes Included machine types false string []
machineTypesNin Not included machine types false string []
migrationStatus Migration status false enum
missingPermissions Included missing permissions false string []
missingPermissionsNin Excluded missing permissions false string []
mitigationMode Agent mitigation mode policy false enum
mitigationModeSuspicious Mitigation mode policy for suspicious activity false enum
networkInterfaceGatewayMacAddress__contains Free-text filter by Gateway MAC address (supports multiple values) false string []
networkInterfaceInet__contains Free-text filter by local IP (supports multiple values) false string []
networkInterfacePhysical__contains Free-text filter by MAC address (supports multiple values) false string []
networkQuarantineEnabled The agent supports Network Quarantine Control and it is enabled for the agent's group false boolean []
networkStatuses Included network statuses false string []
networkStatusesNin Included network statuses false string []
operationalStates Agent operational state false string []
operationalStatesNin Do not include these Agent operational states false string []
osArch OS architecture false enum
osTypes Included OS types false string []
osTypesNin Not included OS types false string []
osVersion__contains Free-text filter by OS full name and version (supports multiple values) false string []
query A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). false string
rangerStatus [DEPRECATED] Use rangerStatuses. false enum
rangerStatuses Status of Ranger false string []
rangerStatusesNin Do not include these Ranger Statuses false string []
rangerVersions Ranger versions to include false string []
rangerVersionsNin Ranger versions not to include false string []
registeredAt__between Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
registeredAt__gt Agents registered after this time false string
registeredAt__gte Agents registered after or at this time false string
registeredAt__lt Agents registered before this time false string
registeredAt__lte Agents registered before or at this time false string
remoteOpsForensicsSupported Include only agents that have the Remote Ops Forensics feature supported false boolean
remoteProfilingStates Agent remote profiling state false string []
remoteProfilingStatesNin Do not include these Agent remote profiling states false string []
rsoLevel Supported Remote Script Orchestration level false enum
scanStatus Scan status false enum
scanStatuses Included scan statuses false string []
scanStatusesNin Not included scan statuses false string []
serialNumber__contains Free-text filter by Serial Number (supports multiple values) false string []
siteIds List of Site IDs to filter by false string []
tagsData Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. false string
threatContentHash Include only Agents that have at least one threat with this content hash false string
threatCreatedAt__between Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) false string
threatCreatedAt__gt Agents with threats reported after this time false string
threatCreatedAt__gte Agents with threats reported after or at this time false string
threatCreatedAt__lt Agents with threats reported before this time false string
threatCreatedAt__lte Agents with threats reported before or at this time false string
threatHidden Include only Agents with at least one hidden threat false boolean
threatMitigationStatus Include only Agents that have threats with this mitigation status false enum
threatRebootRequired Has at least one threat with at least one mitigation action pending reboot to succeed false boolean []
threatResolved Include only Agents with at least one resolved threat false boolean
totalMemory__between Total memory range (GB, inclusive) false string
totalMemory__gt Memory size (MB, more than) false integer
totalMemory__gte Memory size (MB, more than or equal) false integer
totalMemory__lt Memory size (MB, less than) false integer
totalMemory__lte Memory size (MB, less than or equal) false integer
updatedAt__between Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
updatedAt__gt Agents updated after this timestamp false string
updatedAt__gte Agents updated after or at this timestamp false string
updatedAt__lt Agents updated before this timestamp false string
updatedAt__lte Agents updated before or at this timestamp false string
userActionsNeeded Included pending user actions false string []
userActionsNeededNin Excluded pending user actions false string []
uuid Agent's universally unique identifier false string
uuid__contains Free-text filter by Agent UUID (supports multiple values) false string []
uuids A list of included UUIDs false string []

Return result of collection task
GET /web/api/v2.1/remote-ops/forensics/task-result

Return result of collection task

Parameters
taskid required Task id. Example: "225494730938493804".

Response Messages
200 - Task is found and result is returned

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  collection Details of the collection false
    tag Tag of the collection true string
    artifacts Artifacts included in the collection false
      artifactType Type of the artifact true string
      detailedStatus Detailed status of the artifact collection true string
      osType Target Os true string
      status Status of the artifact collection true string
      parameters Parameters passed to the artifact collector false object
    description Description of the collection false string
  collectionFile Details of the collection file, if exists false
    agentId Agent id true string
    signature File Signature true string
    siteId Site id true string
    uploadedTimestamp Uploaded timestamp true string
    signatureType Signature type false string
  collectionProfile Details of the collection profile used for collection false
    id ID of used collection profile true string
    name Name of used collection profile true string
  destination Details of the destination false
    profileId ID of destination profile used for collection false string
  skylightParentTaskResultsUrl Link to Skylight view with results for parent task false string
  skylightResultsStatus Status of Skylight results false
    hasFailures Indicates if there were failures during uploading data to Skylight true boolean
    isEmpty Indicates if the collection contains no data stored in Skylight true boolean
    errorMessage Last error message if there were failures during upload false string
  skylightResultsUrl Link to Skylight view with results for the single task false string
errors Errors false array

Returns collection file download pre-signed url
GET /web/api/v2.1/remote-ops/forensics/collection-file-url

Returns collection file download pre-signed url

Parameters
agentid required Agent id. Example: "225494730938493804".
signature required Signature
signaturetype required Signature type
siteid required Site id. Example: "225494730938493804".
uploadedtimestamp required Uploaded timestamp

Response Messages
200 - Remote Ops Forensics Collection File Found

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  downloadUrl download link for the file false string
  fileName the name of the file false string
errors Errors false array

Check if collection file exists for given storyline
GET /web/api/v2.1/remote-ops/forensics/is-collection-file

Check if collection file exists for given storyline

Parameters
agentid required Agent's ID. Example: "225494730938493804".
storyline required Storyline ID

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Collection file not found

Response Schema
Name Description Required Value
data Response data false
  agentId Agent's ID true string
  signature File's Signature true string
  siteId Site's ID true string
  signatureType Signature type false string
  uploadedTimestamp Collection file uploaded DateTime iso-formatted false string
errors Errors false array
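
The fields returned by is-collection-file are the inputs of collection-file-url, so the two calls chain. The following is an added example, not code from the SentinelOne documentation: it maps one response onto the next request and checks the download response before anything is written to disk. It assumes "data" is a single JSON object; the sample responses, host name and fallback file name are constructed.

```python
import posixpath
from urllib.parse import urlencode, urlsplit

FILE_URL_PATH = "/web/api/v2.1/remote-ops/forensics/collection-file-url"

# is-collection-file response field -> collection-file-url query parameter
FIELD_TO_PARAM = {
    "agentId": "agentid",
    "signature": "signature",
    "signatureType": "signaturetype",
    "siteId": "siteid",
    "uploadedTimestamp": "uploadedtimestamp",
}


class CollectionFileError(Exception):
    """Raised when a response cannot be used for the next step."""


def file_url_params(is_file_response):
    """Map an is-collection-file response to collection-file-url parameters."""
    if is_file_response.get("errors"):
        raise CollectionFileError("is-collection-file returned errors")
    data = is_file_response.get("data")
    if not isinstance(data, dict):  # assumption: "data" is a single object
        raise CollectionFileError("no collection file data in response")
    # signatureType and uploadedTimestamp are optional in this response but
    # required by collection-file-url, so their absence must stop the flow.
    missing = [field for field in FIELD_TO_PARAM if not data.get(field)]
    if missing:
        raise CollectionFileError("missing fields: " + ", ".join(missing))
    return {param: str(data[field]) for field, param in FIELD_TO_PARAM.items()}


def file_url_request(params):
    """Return the path and query string for the collection-file-url call."""
    return FILE_URL_PATH + "?" + urlencode(params)


def safe_local_name(file_name):
    """Reduce a server-supplied fileName to a bare name before saving."""
    base = posixpath.basename(file_name.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise CollectionFileError("unusable fileName: %r" % file_name)
    return base


def parse_download(file_url_response):
    """Validate a collection-file-url response; return (url, local name)."""
    data = file_url_response.get("data") or {}
    url = data.get("downloadUrl")
    if not url or urlsplit(url).scheme != "https":
        raise CollectionFileError("downloadUrl missing or not https")
    # A pre-signed URL carries its own authorization: keep it out of logs.
    # "collection-file" is a fallback name chosen for this example.
    return url, safe_local_name(data.get("fileName") or "collection-file")


# Constructed sample responses (not real console output).
SAMPLE_IS_FILE = {
    "data": {
        "agentId": "225494730938493804",
        "signature": "constructed-signature",
        "siteId": "225494730938493915",
        "signatureType": "constructed-type",
        "uploadedTimestamp": "2024-01-01T00:00:00Z",
    },
    "errors": None,
}
SAMPLE_FILE_URL = {
    "data": {
        "downloadUrl": "https://storage.example.invalid/c/1?sig=constructed",
        "fileName": "..\\..\\collection_1.zip",
    },
    "errors": None,
}
```
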

Get list of supported artifact types
GET /web/api/v2.1/remote-ops/forensics/artifact-types

Return a complete list of supported artifact types

Response Messages
200 - Successes

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  artifactType Artifact type code name, used as identifier of the artifact true string
  category Category of the artifact type true string
  name User-readable name of the artifact true string
  osTypes Os types false string []
  parameters Parameters false
    default Default value of artifact parameter, null if the parameter does not allow default true string
    key Unique key of artifact parameter true string
    type Type of artifact parameter true enum
    description Artifact parameter description false string
    example Example of the parameter value false string
  version Internal version of the artifact type false integer
errors Errors false array

Get Collection profile by ID
GET /web/api/v2.1/remote-ops/forensics/collection-profiles/{profile_id}

Get contents of an existing Forensics Collection profile, including specification of artifacts to be collected and profile metadata.

Response Messages
200 - Collection profile content is returned

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permission to perform such action

404 - Collection profile was not found

Response Schema
Name Description Required Value
data Response data false
  createdAt Timestamp when the profile was created true string
  creator Email of user who created the profile true string
  description Collection profile description true string
  id Collection profile ID true string
  isBundled Flag indicating if the Collection profile is bundled (provided by S1) true boolean
  name name of collection profile in db true string
  scopeId Scope ID where the Collection profile is stored true string
  scopeLevel Scope level where the Collection profile is stored true enum
  scopeName Scope name where the Collection profile is stored true string
  scopePath Full path of Scope where the Collection profile is stored true string
  type Type of RemoteOps Action (forensicsProfile) true enum
  updater Email of user who updated the profile true string
  version Collection profile version true string
  artifacts Artifacts false
    artifactType Type of artifact to collect true string
    osType OS type where the artifact will be collected true enum
    parameters Input parameters for the artifact false object
  osTypes Os types false string []
  updatedAt Timestamp when the profile was updated false string
errors Errors false array

Update Collection profile by ID
PUT /web/api/v2.1/remote-ops/forensics/collection-profiles/{profile_id}

Update contents of an existing Forensics Collection profile. All the profile data should be specified, even if the values are not changed. Changing the scope of a profile is not allowed. The name must be unique inside the scope; if a different profile with the specified name already exists, a Bad request error is returned and no profile data is changed.

Response Messages
200 - Collection profile is updated

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User has insufficient permission to perform such action

404 - Collection profile was not found

Response Schema
Name Description Required Value
data Response data false
  createdAt Timestamp when the profile was created true string
  creator Email of user who created the profile true string
  description Collection profile description true string
  id Collection profile ID true string
  isBundled Flag indicating if the Collection profile is bundled (provided by S1) true boolean
  name name of collection profile in db true string
  scopeId Scope ID where the Collection profile is stored true string
  scopeLevel Scope level where the Collection profile is stored true enum
  scopeName Scope name where the Collection profile is stored true string
  scopePath Full path of Scope where the Collection profile is stored true string
  type Type of RemoteOps Action (forensicsProfile) true enum
  updater Email of user who updated the profile true string
  version Collection profile version true string
  artifacts Artifacts false
    artifactType Type of artifact to collect true string
    osType OS type where the artifact will be collected true enum
    parameters Input parameters for the artifact false object
  osTypes Os types false string []
  updatedAt Timestamp when the profile was updated false string
errors Errors false array

Body Schema
Name Description Required Value
data Data true
  name Collection profile name true string
  artifacts Artifacts false
    artifactType Type of artifact to collect true string
    osType OS type where the artifact will be collected true enum
    parameters Input parameters for the artifact false object
  description Collection profile description false string
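
Because the update requires all profile data even when unchanged, a safe update is a read-modify-write: fetch the profile with GET, then build the PUT body from it. The following is an added example, not code from the SentinelOne documentation; it keeps only the fields of the Body Schema above and refuses scope changes before any request is sent. The sample profile and its artifactType values are constructed.

```python
import copy

# Fields accepted by the PUT Body Schema; everything else in the GET
# response (id, creator, timestamps, scope*, version, ...) is not sent.
BODY_FIELDS = ("name", "artifacts", "description")
ARTIFACT_REQUIRED = ("artifactType", "osType")
SCOPE_FIELDS = ("scopeId", "scopeLevel", "scopeName", "scopePath")


def build_update_body(current, changes):
    """Build a full PUT body from the GET "data" object plus the changes."""
    blocked = sorted(set(changes) & set(SCOPE_FIELDS))
    if blocked:
        raise ValueError("scope of a profile cannot be changed: %s" % blocked)
    unknown = sorted(set(changes) - set(BODY_FIELDS))
    if unknown:
        raise ValueError("not part of the update body: %s" % unknown)

    data = {}
    for field in BODY_FIELDS:
        if field in changes:
            data[field] = copy.deepcopy(changes[field])
        elif field in current:
            # Unchanged values are still sent, copied from the GET result.
            data[field] = copy.deepcopy(current[field])
    if not data.get("name"):
        raise ValueError("name is required")

    if "artifacts" in data:
        cleaned = []
        for index, artifact in enumerate(data["artifacts"]):
            missing = [k for k in ARTIFACT_REQUIRED if not artifact.get(k)]
            if missing:
                raise ValueError("artifact %d lacks %s" % (index, missing))
            entry = {k: artifact[k] for k in ARTIFACT_REQUIRED}
            if "parameters" in artifact:
                entry["parameters"] = artifact["parameters"]
            cleaned.append(entry)
        data["artifacts"] = cleaned
    return {"data": data}


# Constructed sample of a GET .../collection-profiles/{profile_id} "data" object.
SAMPLE_PROFILE = {
    "id": "225494730938493804",
    "name": "triage-linux",
    "description": "Initial triage",
    "creator": "analyst@example.invalid",
    "isBundled": False,
    "scopeId": "225494730938493915",
    "scopeLevel": "site",
    "version": "3",
    "artifacts": [
        {"artifactType": "constructedArtifactA", "osType": "linux"},
        {"artifactType": "constructedArtifactB", "osType": "linux",
         "parameters": {"constructedKey": "value"}},
    ],
    "osTypes": ["linux"],
}
```
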

Delete Collection profiles
DELETE /web/api/v2.1/remote-ops/forensics/collection-profiles

Delete multiple Forensics Collection profiles. Profiles that cannot be deleted (e.g. profiles bundled by S1, non-existing profiles, or profiles for which the user does not have proper permissions) are skipped. Contents of successfully deleted profiles are returned in the response.

Response Messages
200 - Delete was completed or partially completed.

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  createdAt Timestamp when the profile was created true string
  creator Email of user who created the profile true string
  description Collection profile description true string
  id Collection profile ID true string
  isBundled Flag indicating if the Collection profile is bundled (provided by S1) true boolean
  name name of collection profile in db true string
  scopeId Scope ID where the Collection profile is stored true string
  scopeLevel Scope level where the Collection profile is stored true enum
  scopeName Scope name where the Collection profile is stored true string
  scopePath Full path of Scope where the Collection profile is stored true string
  type Type of RemoteOps Action (forensicsProfile) true enum
  updater Email of user who updated the profile true string
  version Collection profile version true string
  artifacts Artifacts false
    artifactType Type of artifact to collect true string
    osType OS type where the artifact will be collected true enum
    parameters Input parameters for the artifact false object
  osTypes Os types false string []
  updatedAt Timestamp when the profile was updated false string
errors Errors false array

Body Schema
Name Description Required Value
data Data false
filter Filter false
  accountIds List of Account IDs to filter by false string []
  ids List of Collection profile IDs to delete false string []
  siteIds List of Site IDs to filter by false string []

Create new Collection profile
POST /web/api/v2.1/remote-ops/forensics/collection-profiles

Create a Forensics Collection profile with provided artifacts on the specified scope. The profile name must be unique inside the scope; if the name already exists, a Bad request error is returned.

Response Messages
200 - Collection profile is created

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  createdAt Timestamp when the profile was created true string
  creator Email of user who created the profile true string
  description Collection profile description true string
  id Collection profile ID true string
  isBundled Flag indicating if the Collection profile is bundled (provided by S1) true boolean
  name name of collection profile in db true string
  scopeId Scope ID where the Collection profile is stored true string
  scopeLevel Scope level where the Collection profile is stored true enum
  scopeName Scope name where the Collection profile is stored true string
  scopePath Full path of Scope where the Collection profile is stored true string
  type Type of RemoteOps Action (forensicsProfile) true enum
  updater Email of user who updated the profile true string
  version Collection profile version true string
  artifacts Artifacts false
    artifactType Type of artifact to collect true string
    osType OS type where the artifact will be collected true enum
    parameters Input parameters for the artifact false object
  osTypes Os types false string []
  updatedAt Timestamp when the profile was updated false string
errors Errors false array

Body Schema
Name Description Required Value
data Data true
  name Collection profile name true string
  scopeLevel Scope level of the collection profile true enum
  artifacts Artifacts false
    artifactType Type of artifact to collect true string
    osType OS type where the artifact will be collected true enum
    parameters Input parameters for the artifact false object
  description Collection profile description false string
  scopeId Scope ID of the collection profile false string

Get list of available Collection profiles
GET /web/api/v2.1/remote-ops/forensics/collection-profiles

Get list of available Forensics collection profiles. The list may be narrowed by specifying filter parameters. Profiles are inherited between scopes in both upward and downward directions, e.g. profiles on parent Account and Tenant scopes are returned when querying for a Site scope, and profiles on Site scopes are returned when querying its parent Account. Bundled profiles are available regardless of the requested scope. If no scope is specified in the filter, the scopes of the requesting user are considered.

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
countonly optional If true, only total number of items will be returned, without any of the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
ids optional A list of collection profiles IDs. Example: "225494730938493804,225494730938493915".
limit optional Limit number of returned items (1-1000). Example: "10".
ostypes optional Os types. Example: "linux".
query optional Keyword to search in Collection profile name / description
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
  totalItems Total number of items found matching your query true integer
  nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
  createdAt Timestamp when the profile was created true string
  creator Email of user who created the profile true string
  creatorId ID of user who created the profile true string
  description Collection profile description true string
  id Collection profile ID true string
  isBundled Flag indicating if the Collection profile is bundled (provided by S1) true boolean
  name name of collection profile in db true string
  scopeId Scope ID where the Collection profile is stored true string
  scopeLevel Scope level where the Collection profile is stored true enum
  scopeName Scope name where the Collection profile is stored true string
  scopePath Full path of Scope where the Collection profile is stored true string
  type Type of RemoteOps Action (forensicsProfile) true enum
  updater Email of user who updated the profile true string
  updaterId ID of user who updated the profile true string
  version Collection profile version true string
  osTypes Os types false string []
  updatedAt Timestamp when the profile was updated false string
errors Errors false array
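
Walking the full list means following nextCursor until it comes back null. The following is an added example, not code from the SentinelOne documentation: it builds the query parameters, iterates the pages, and lists the non-bundled profiles with their creators for review. The `fetch` callable (HTTP GET plus authentication, returning parsed JSON) is an assumption left to the caller, and the sample pages are constructed.

```python
LIST_PATH = "/web/api/v2.1/remote-ops/forensics/collection-profiles"


def build_params(limit=1000, site_ids=None, account_ids=None, query=None,
                 cursor=None):
    """Build query parameters for one page of the profile list."""
    if not 1 <= limit <= 1000:
        raise ValueError("limit must be within 1-1000")
    params = {"limit": str(limit)}
    if site_ids:
        params["siteids"] = ",".join(site_ids)  # comma-separated ID list
    if account_ids:
        params["accountids"] = ",".join(account_ids)
    if query:
        params["query"] = query
    if cursor is not None:
        params["cursor"] = cursor
    return params


def iter_profiles(fetch, limit=1000, site_ids=None, account_ids=None,
                  query=None):
    """Yield every profile, following pagination.nextCursor page by page."""
    seen = set()
    cursor = None
    while True:
        page = fetch(LIST_PATH, build_params(limit, site_ids, account_ids,
                                             query, cursor))
        if page.get("errors"):
            raise RuntimeError("list request returned errors")
        for profile in page.get("data") or []:
            yield profile
        cursor = (page.get("pagination") or {}).get("nextCursor")
        # JSON null, or the literal string "null", marks the last page.
        if not cursor or cursor == "null":
            return
        if cursor in seen:  # a repeated cursor would loop forever
            raise RuntimeError("nextCursor repeated: %s" % cursor)
        seen.add(cursor)


def custom_profiles(profiles):
    """Return (scopePath, name, creator) for profiles not provided by S1."""
    rows = [(p.get("scopePath"), p.get("name"), p.get("creator"))
            for p in profiles if not p.get("isBundled")]
    return sorted(rows)


# Constructed sample pages, keyed by the cursor that requests them.
SAMPLE_PAGES = {
    None: {
        "pagination": {"totalItems": 3,
                       "nextCursor": "YWdlbnRfaWQ6NTgwMjkzODE="},
        "data": [
            {"id": "1", "name": "bundled-basic", "isBundled": True,
             "scopePath": "Global", "creator": "constructed@example.invalid"},
            {"id": "2", "name": "triage-linux", "isBundled": False,
             "scopePath": "Global / Acct A / Site 1",
             "creator": "analyst@example.invalid"},
        ],
        "errors": None,
    },
    "YWdlbnRfaWQ6NTgwMjkzODE=": {
        "pagination": {"totalItems": 3, "nextCursor": None},
        "data": [
            {"id": "3", "name": "bundled-full", "isBundled": True,
             "scopePath": "Global", "creator": "constructed@example.invalid"},
        ],
        "errors": None,
    },
}


def sample_fetch(path, params):
    """Stand-in for the caller's HTTP client; serves the constructed pages."""
    return SAMPLE_PAGES[params.get("cursor")]
```
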

RemoteOps Scripts

Run Remote Script


POST /web/api/v2.1/remote-scripts/execute

Run a remote script that was uploaded to the SentinelOne Script Library.

Response Messages
200 - Run remote script request was successful

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  affected Number of entities affected by the requested operation false integer
  parentTaskId The parent task id of the script execution task, null in case of pending execution false string
  pending Flag indicating if requested script execution requires approval and is created as pending execution false boolean
  pendingExecutionId ID of created pending execution, present only if pending flag is true false string
errors Errors false array

Body Schema
Name Description Required Value
filter Applied filter true
  accountIds List of Account IDs to filter by false string []
  activeThreats Include Agents with this amount of active threats false integer
  activeThreats__gt Include Agents with at least this amount of active threats false integer
  adComputerMember__contains Free-text filter by Active Directory computer groups string (supports multiple values) false string []
  adComputerName__contains Free-text filter by Active Directory computer name string (supports multiple values) false string []
  adComputerQuery__contains Free-text filter by Active Directory computer name or its groups (supports multiple values) false string []
  adQuery An Active Directory query string false string
  adQuery__contains Free-text filter by Active Directory string (supports multiple values) false string []
  adUserMember__contains Free-text filter by Active Directory user groups string (supports multiple values) false string []
  adUserName__contains Free-text filter by Active Directory username string (supports multiple values) false string []
  adUserQuery__contains Free-text filter by Active Directory computer name or its groups (supports multiple values) false string []
  agentNamespace__contains Free-text filter by agent namespace (supports multiple values) false string []
  agentPodName__contains Free-text filter by agent pod name (supports multiple values) false string []
  agentVersion__between Version range for agent version (format: <from_version>-<to_version>, inclusive) false string
  agentVersion__gt Agents versions greater than given version false string
  agentVersion__gte Agents versions greater than or equal to given version false string
  agentVersion__lt Agents versions less than given version false string
  agentVersion__lte Agents versions less than or equal to given version false string
  agentVersions Agent versions to include false string []
  agentVersionsNin Agent versions not to include false string []
  appsVulnerabilityStatuses Apps vulnerability status in false string []
  appsVulnerabilityStatusesNin Apps vulnerability status nin false string []
  awsRole__contains Free-text filter by aws role (supports multiple values) false string []
  awsSecurityGroups__contains Free-text filter by aws securityGroups (supports multiple values) false string []
  awsSubnetIds__contains Free-text filter by aws subnet ids (supports multiple values) false string []
  azureResourceGroup__contains Free-text filter by azure resource group (supports multiple values) false string []
  cloudAccount__contains Free-text filter by cloud account (supports multiple values) false string []
  cloudImage__contains Free-text filter by cloud image (supports multiple values) false string []
cloudInstanceId__contains Free-text filter by cloud instance id (supports multiple values) false string []
cloudInstanceSize__contains Free-text filter by cloud instance size (supports multiple values) false string []
cloudLocation__contains Free-text filter by cloud location (supports multiple values) false string []
cloudNetwork__contains Free-text filter by cloud network (supports multiple values) false string []
cloudProvider Agents from which cloud provider false string []
cloudProviderNin Exclude Agents from these cloud provider false string []
cloudTags__contains Free-text filter by cloud tags (supports multiple values) false string []
clusterName__contains Free-text filter by cluster name (supports multiple values) false string []

computerName Computer name false string
computerName__contains Free-text filter by computer name (supports multiple values) false string []
computerName__like Match computer name partially (substring) false string
consoleMigrationStatuses Migration status in false string []
consoleMigrationStatusesNin Migration status nin false string []
coreCount__between Possible number of CPU cores (inclusive) false string
coreCount__gt CPU cores (more than) false integer
coreCount__gte CPU cores (more than or equal) false integer
coreCount__lt CPU cores (less than) false integer
coreCount__lte CPU cores (less than or equal) false integer
cpuCount__between Possible number of CPU cores (inclusive) false string
cpuCount__gt Number of CPUs (more than) false integer

cpuCount__gte Number of CPUs (more than or equal) false integer
cpuCount__lt Number of CPUs (less than) false integer
cpuCount__lte Number of CPUs (less than or equal) false integer
cpuId__contains Free-text filter by CPU name (supports multiple values) false string []
createdAt__between Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
createdAt__gt Agents created after this timestamp false string
createdAt__gte Agents created after or at this timestamp false string
createdAt__lt Agents created before this timestamp false string
createdAt__lte Agents created before or at this timestamp false string
csvFilterId The ID of the CSV file to filter by false string

decommissionedAt__between Date range for decommission time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
decommissionedAt__gt Agents decommissioned after this timestamp false string
decommissionedAt__gte Agents decommissioned after or at this timestamp false string
decommissionedAt__lt Agents decommissioned before this timestamp false string
decommissionedAt__lte Agents decommissioned before this timestamp false string
domains Included network domains false string []
domainsNin Not included network domains false string []
encryptedApplications Disk encryption status false boolean
externalId__contains Free-text filter by external ID (Customer ID) false string []
externalIp__contains Free-text filter by visible IP (supports multiple values) false string []
filteredGroupIds List of Group IDs to filter by false string []
filteredSiteIds List of Site IDs to filter by false string []
filterId Include all Agents matching this saved filter false string
firewallEnabled The agent supports Firewall Control and it is enabled for the agent's group false boolean []
gatewayIp Gateway ip false string
gcpServiceAccount__contains Free-text filter by gcp service account (supports multiple values) false string []
groupIds List of Group IDs to filter by false string []
hasContainerizedWorkload Include only Agents protecting containerized workloads false boolean
hasLocalConfiguration Agent has a local configuration set false boolean
hasTags Include only Agents that have any tags assigned if True, or none if False false boolean
ids A list of Agent IDs false string []
infected Include only Agents with at least one active threat false boolean
installerTypes Include only Agents installed with these package types false string []
installerTypesNin Exclude Agents installed with these package types false string []
isActive Include only active Agents false boolean
isDecommissioned Include active, decommissioned or both false boolean []
isPendingUninstall Include only Agents with pending uninstall requests false boolean
isUninstalled Include installed, uninstalled or both false boolean []
isUpToDate Include only Agents with updated software false boolean

k8sNodeLabels__contains Free-text filter by K8s node labels (supports multiple values) false string []
k8sNodeName__contains Free-text filter by K8s node name (supports multiple values) false string []
k8sType__contains Free-text filter by K8s type (supports multiple values) false string []
k8sVersion__contains Free-text filter by K8s version (supports multiple values) false string []
lastActiveDate__between Date range for last active date (format: <from_timestamp>-<to_timestamp>, inclusive) false string
lastActiveDate__gt Agents last active after this time false string
lastActiveDate__gte Agents last active after or at this time false string
lastActiveDate__lt Agents last active before this time false string
lastActiveDate__lte Agents last active before or at this time false string

lastLoggedInUserName__contains Free-text filter by username (supports multiple values) false string []
lastSuccessfulScanDate__between Date range for last successful full disk scan (format: <from_timestamp>-<to_timestamp>, inclusive) false string
lastSuccessfulScanDate__gt Agents last successful full disk scan after this time false string
lastSuccessfulScanDate__gte Agents last successful full disk scan after or at this time false string
lastSuccessfulScanDate__lt Agents last successful full disk scan before this time false string
lastSuccessfulScanDate__lte Agents last successful full disk scan before or at this time false string
liveUpdateId__contains Free-text filter by live update ID (supports multiple values) false string []
locationEnabled The agent supports Location Awareness and it is enabled for the agent's group false boolean []
locationIds Include only Agents reporting these locations false string []
locationIdsNin Do not include only Agents reporting these locations false string []
machineTypes Included machine types false string []
machineTypesNin Not included machine types false string []
migrationStatus Migration status false enum
missingPermissions Included missing permissions false string []
missingPermissionsNin Excluded missing permissions false string []
mitigationMode Agent mitigation mode policy false enum
mitigationModeSuspicious Mitigation mode policy for suspicious activity false enum
networkInterfaceGatewayMacAddress__contains Free-text filter by Gateway MAC address (supports multiple values) false string []
networkInterfaceInet__contains Free-text filter by local IP (supports multiple values) false string []
networkInterfacePhysical__contains Free-text filter by MAC address (supports multiple values) false string []
networkQuarantineEnabled The agent supports Network Quarantine Control and it is enabled for the agent's group false boolean []
networkStatuses Included network statuses false string []
networkStatusesNin Included network statuses false string []
operationalStates Agent operational state false string []
operationalStatesNin Do not include these Agent operational states false string []
osArch OS architecture false enum
osTypes Included OS types false string []

osTypesNin Not included OS types false string []
osVersion__contains Free-text filter by OS full name and version (supports multiple values) false string []
query A free-text search term, will match applicable attributes (sub-string match). Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term). false string
rangerStatus [DEPRECATED] Use rangerStatuses. false enum
rangerStatuses Status of Ranger false string []
rangerStatusesNin Do not include these Ranger Statuses false string []
rangerVersions Ranger versions to include false string []
rangerVersionsNin Ranger versions not to include false string []

registeredAt__between Date range for first registration time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
registeredAt__gt Agents registered after this time false string
registeredAt__gte Agents registered after or at this time false string
registeredAt__lt Agents registered before this time false string
registeredAt__lte Agents registered before or at this time false string
remoteOpsForensicsSupported Include only agents that have the Remote Ops Forensics feature supported false boolean
remoteProfilingStates Agent remote profiling state false string []
remoteProfilingStatesNin Do not include these Agent remote profiling states false string []
rsoLevel Supported Remote Script Orchestration level false enum
scanStatus Scan status false enum
scanStatuses Included scan statuses false string []
scanStatusesNin Not included scan statuses false string []
serialNumber__contains Free-text filter by Serial Number (supports multiple values) false string []
siteIds List of Site IDs to filter by false string []
tagsData Filter agents by their assigned tags. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. false string
tenant Indicates a tenant scope request false boolean
threatContentHash Include only Agents that have at least one threat with this content hash false string
threatCreatedAt__between Agents with threats reported in a date range (format: <from_timestamp>-<to_timestamp>, inclusive) false string
threatCreatedAt__gt Agents with threats reported after this time false string
threatCreatedAt__gte Agents with threats reported after or at this time false string
threatCreatedAt__lt Agents with threats reported before this time false string
threatCreatedAt__lte Agents with threats reported before or at this time false string
threatHidden Include only Agents with at least one hidden threat false boolean
threatMitigationStatus Include only Agents that have threats with this mitigation status false enum
threatRebootRequired Has at least one threat with at least one mitigation action pending reboot to succeed false boolean []
threatResolved Include only Agents with at least one resolved threat false boolean
totalMemory__between Total memory range (GB, inclusive) false string
totalMemory__gt Memory size (MB, more than) false integer
totalMemory__gte Memory size (MB, more than or equal) false integer
totalMemory__lt Memory size (MB, less than) false integer
totalMemory__lte Memory size (MB, less than or equal) false integer
updatedAt__between Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive) false string
updatedAt__gt Agents updated after this timestamp false string
updatedAt__gte Agents updated after or at this timestamp false string
updatedAt__lt Agents updated before this timestamp false string
updatedAt__lte Agents updated before or at this timestamp false string
userActionsNeeded Included pending user actions false string []
userActionsNeededNin Excluded pending user actions false string []
uuid Agent's universally unique identifier false string
uuid__contains Free-text filter by Agent UUID (supports multiple values) false string []
uuids A list of included UUIDs false string []

data Data false
  Name Description Required Value
  outputDestination Output destination true enum
  scriptId Script id true string
  taskDescription Task description true string
  apiKey Api key false string
  destinationProfileId Id of destination profile to use false string
  destinationProfileKeyword Destination profile keyword false string
  inputParams Input params false string
  outputDirectory Output directory false string
  outputFilePaths Output file paths false string []
  password Password false string
  passwordFromScope Used to specify execution where a generic password is used false
    Name Description Required Value
    scopeLevel User scope true enum
    scopeId string repr. of scope id false string
  requiresApproval If set to true, execution will require approval false boolean
  scriptRuntimeTimeoutSeconds Script runtime timeout in seconds for current execution false integer
  singularityxdrKeyword Singularityxdr keyword false string
  singularityxdrUrl Singularityxdr url false string

Get Remote Scripts Tasks Status
GET /web/api/v2.1/remote-scripts/status

Get remote scripts tasks using a variety of filters. Accessible via API only.
The parent_task_id or parent_task_id__in query parameter is mandatory.

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
computername__contains optional Free-text filter by agent computer name (supports multiple values)
countonly optional If true, only total number of items will be returned, without any of the actual objects.
createdat__gt optional Created at greater than. Example: "2018-02-27T04:49:26.257525Z".
createdat__gte optional Created at greater or equal than. Example: "2018-02-27T04:49:26.257525Z".
createdat__lt optional Created at lesser than. Example: "2018-02-27T04:49:26.257525Z".
createdat__lte optional Created at lesser or equal than. Example: "2018-02-27T04:49:26.257525Z".
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
description__contains optional Only include tasks with specific description
detailedstatus__contains optional Only include tasks with specific detailed status
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
ids optional List of IDs to filter by. Example: "225494730938493804,225494730938493915".
initiatedby__contains optional Only include tasks from specific initiating user
limit optional Limit number of returned items (1-1000). Example: "10".
parenttaskid optional parent task id to fetch the status by. Example: "225494730938493804".
parenttaskid__in optional List of IDs to filter by
query optional Query
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
status optional Status in. Example: "created".
tenant optional Indicates a tenant scope request
type optional Type
types optional Type in
updatedat__gt optional Updated at greater than. Example: "2018-02-27T04:49:26.257525Z".
updatedat__gte optional Updated at greater or equal than. Example: "2018-02-27T04:49:26.257525Z".
updatedat__lt optional Updated at lesser than. Example: "2018-02-27T04:49:26.257525Z".
updatedat__lte optional Updated at lesser or equal than. Example: "2018-02-27T04:49:26.257525Z".
uuid__contains optional Free-text filter by agent UUID (supports multiple values)

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
  Name Description Required Value
  totalItems Total number of items found matching your query true integer
  nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
  Name Description Required Value
  accountId Account id false string
  accountName Account name false string
  agentComputerName Agent computer name false string
  agentId Agent id false string
  agentIsActive Agent is active false boolean
  agentIsDecommissioned Agent is decommissioned false boolean
  agentMachineType Agent machine type false string
  agentOsType OS type false enum
  agentUuid Agent uuid false string
  createdAt Timestamp of date creation false string
  description Description false string
  detailedStatus Detailed status false string
  groupId Group id false string
  groupName Group name false string
  id Task id false string
  initiatedBy Initiated by false string
  initiatedById Initiated by id false string
  parentTaskId Parent task id false string
  scriptResultsBucket Script results bucket false string
  scriptResultsPath Script results path false string
  scriptResultsSignature Script results signature false string
  siteId Site id false string
  siteName Site name false string
  status Status false enum
  statusCode Status code false integer
  statusDescription Status description false
  type Type false string
  updatedAt Timestamp of last update false string
errors Errors false array
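
The cursor handling described for this endpoint, as an added Python example that is not part of the SentinelOne documentation: it follows pagination.nextCursor until the last page and groups agents by task status. Assumptions: the "Authorization: ApiToken" header, "data" being a list of task objects, and the constructed sample pages (only the status value "created" appears on this page).

```python
"""Added example: follow pagination.nextCursor on GET /web/api/v2.1/remote-scripts/status."""
import json
import urllib.parse
import urllib.request

STATUS_PATH = "/web/api/v2.1/remote-scripts/status"


def http_fetch(base_url, api_token):
    """Build a fetch(params) callable that performs the real GET request.

    Assumption: the console accepts "Authorization: ApiToken <token>";
    authentication is not described in this section.
    """
    def fetch(params):
        url = base_url.rstrip("/") + STATUS_PATH + "?" + urllib.parse.urlencode(params)
        request = urllib.request.Request(url, headers={"Authorization": "ApiToken " + api_token})
        with urllib.request.urlopen(request, timeout=30) as response:
            return json.load(response)
    return fetch


def iter_tasks(fetch, parent_task_id, limit=1000, max_pages=1000):
    """Yield every task record of one parent task, page by page."""
    if not parent_task_id:
        raise ValueError("parent_task_id (or parent_task_id__in) is mandatory")
    if not 1 <= limit <= 1000:
        raise ValueError("limit must be within 1-1000")
    # Parameter name as written in the endpoint description; the parameter
    # table on the page spells it "parenttaskid".
    params = {"parent_task_id": str(parent_task_id), "limit": limit}
    seen_cursors = set()
    for _ in range(max_pages):
        page = fetch(dict(params))
        if page.get("errors"):
            raise RuntimeError("API reported errors: %r" % (page["errors"],))
        # Assumption: "data" is a list of task objects.
        for task in page.get("data") or []:
            yield task
        cursor = (page.get("pagination") or {}).get("nextCursor")
        if cursor in (None, "", "null"):  # last page reached
            return
        if cursor in seen_cursors:
            raise RuntimeError("nextCursor repeated; stopping instead of looping")
        seen_cursors.add(cursor)
        params["cursor"] = cursor
    raise RuntimeError("gave up after %d pages" % max_pages)


def summarize(tasks):
    """Group agent computer names by task status, one entry per task id."""
    by_status, seen_ids = {}, set()
    for task in tasks:
        task_id = task.get("id")
        if task_id is not None and task_id in seen_ids:
            continue  # a task repeated across pages is counted once
        seen_ids.add(task_id)
        name = task.get("agentComputerName") or "<unknown>"
        by_status.setdefault(task.get("status"), []).append(name)
    return {status: sorted(names) for status, names in by_status.items()}


# Constructed sample pages, keyed by the cursor that requests them.
# "completed" is a constructed status value; the page only shows "created".
SAMPLE_PAGES = {
    None: {
        "pagination": {"totalItems": 3, "nextCursor": "Y29uc3RydWN0ZWQ="},
        "data": [
            {"id": "1001", "agentComputerName": "ws-01", "status": "created"},
            {"id": "1002", "agentComputerName": "ws-02", "status": "completed"},
        ],
        "errors": [],
    },
    "Y29uc3RydWN0ZWQ=": {
        "pagination": {"totalItems": 3, "nextCursor": None},
        "data": [{"id": "1003", "agentComputerName": "srv-01", "status": "completed"}],
        "errors": [],
    },
}


def sample_fetch(params):
    """Offline stand-in for http_fetch(...) that serves SAMPLE_PAGES."""
    return SAMPLE_PAGES[params.get("cursor")]


if __name__ == "__main__":
    tasks = iter_tasks(sample_fetch, "225494730938493804", limit=2)
    for status, names in summarize(tasks).items():
        print(status, len(names), ", ".join(names))
```

Against a real console, pass `http_fetch(base_url, api_token)` in place of `sample_fetch`.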

Get Script Results
POST /web/api/v2.1/remote-scripts/fetch-files

Get script results URLs. Accessible via API only.

Response Messages
200 - Get remote script results was successful

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  data Data false
    Name Description Required Value
    downloadLinks List of download links false
      Name Description Required Value
      downloadUrl download link for the file false string
      fileName the name of the file false string
      taskId the task id related to the download link false string
    errors Task id's and detailed errors for tasks which a download link couldn't be fetched false array
errors Errors false array

Body Schema
Name Description Required Value
data Data true
  Name Description Required Value
  computerNames A list of partial or whole computer names, which ran scripts, to get a download link for false string []
  taskIds A list of task ids to get a download link for false string []
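
One way to build this request body and vet the returned download links before anything is written to an evidence folder, as an added Python example that is not part of the SentinelOne documentation. Assumptions: the host allow-list, numeric task ids, the destination layout, and the constructed sample response (including the format of its error entry); the nested "data" objects are walked because the schema above shows them nested.

```python
"""Added example: build the fetch-files body and vet the download links it returns."""
import re
from pathlib import PurePosixPath
from urllib.parse import urlsplit

_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def build_fetch_files_body(task_ids=(), computer_names=()):
    """Build the body from the Body Schema (data.taskIds / data.computerNames)."""
    data = {}
    if task_ids:
        data["taskIds"] = [str(task_id) for task_id in task_ids]
    if computer_names:
        data["computerNames"] = [str(name) for name in computer_names]
    if not data:
        raise ValueError("give at least one task id or computer name")
    return {"data": data}


def safe_file_name(file_name):
    """Reduce a reported fileName to a single harmless path component."""
    base = re.split(r"[\\/]", str(file_name))[-1]    # drop any directory part
    base = _UNSAFE_CHARS.sub("_", base).lstrip(".")  # no odd characters, no dot-files
    if not base:
        raise ValueError("unusable file name")
    return base[:200]


def find_links_node(response):
    """Return the object holding downloadLinks, descending nested "data" objects."""
    node = response
    while (isinstance(node, dict) and "downloadLinks" not in node
           and isinstance(node.get("data"), dict)):
        node = node["data"]
    return node if isinstance(node, dict) else {}


def plan_downloads(response, dest_dir, allowed_hosts):
    """Return (accepted, rejected): (url, target path) pairs and (task id, reason) pairs."""
    node = find_links_node(response)
    allowed = {host.lower() for host in allowed_hosts}
    accepted, rejected = [], []
    for link in node.get("downloadLinks") or []:
        task_id = str(link.get("taskId", ""))
        url = str(link.get("downloadUrl", ""))
        try:
            parts = urlsplit(url)
            if parts.scheme != "https":
                raise ValueError("download URL is not https")
            if (parts.hostname or "").lower() not in allowed:
                raise ValueError("download host is not on the allow-list")
            if not task_id.isdigit():  # assumption: task ids are numeric strings
                raise ValueError("task id is not numeric")
            name = safe_file_name(link.get("fileName", ""))
        except ValueError as exc:
            rejected.append((task_id, str(exc)))
            continue
        accepted.append((url, str(PurePosixPath(dest_dir) / task_id / name)))
    for error in node.get("errors") or []:  # tasks the API could not produce a link for
        rejected.append(("api", str(error)))
    return accepted, rejected


# Constructed sample response; hosts, file names and the error entry are made up.
SAMPLE_RESPONSE = {"data": {"data": {
    "downloadLinks": [
        {"downloadUrl": "https://results.example.com/a/out.zip?sig=constructed",
         "fileName": "out.zip", "taskId": "225494730938493804"},
        {"downloadUrl": "http://results.example.com/b/out.zip",
         "fileName": "out.zip", "taskId": "225494730938493915"},
        {"downloadUrl": "https://results.example.com.other.example/c",
         "fileName": "c.zip", "taskId": "225494730938493916"},
        {"downloadUrl": "https://results.example.com/d",
         "fileName": "../../.ssh/authorized_keys", "taskId": "225494730938493917"},
    ],
    "errors": ["225494730938493918: no file (constructed)"],
}}, "errors": []}

if __name__ == "__main__":
    ok, bad = plan_downloads(SAMPLE_RESPONSE, "/cases/ir-1", ["results.example.com"])
    for url, target in ok:
        print("fetch ", url, "->", target)
    for task_id, reason in bad:
        print("reject", task_id, reason)
```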

Get script content
GET /web/api/v2.1/remote-scripts/script-content

Get Script content by script id

Parameters
scriptid optional Script ID. Example: "225494730938493804".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Script not found

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  scriptContent Script content true string
errors Errors false array

Get Scripts
GET /web/api/v2.1/remote-scripts

Get data of the scripts in the SentinelOne Script Library.


The SentinelOne Script Library, used for the Remote Script Orchestration feature, gives you a wide range of scripts to collect various forensic artifacts, parse them, and
show them in formats that are easy to analyze. Use the scripts to collect information such as hardware and software inventory and configuration, running applications and
processes, files and directories, network connections, and more.

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
countonly optional If true, only total number of items will be returned, without any of the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
groupids optional List of group IDs to filter by. Example: "225494730938493804,225494730938493915".
ids optional A list of script IDs. Example: "225494730938493804,225494730938493915".
isavailableforars optional Is the script runnable in Advanced Response Scripts
limit optional Limit number of returned items (1-1000). Example: "10".
ostypes optional List of the script OS types. Example: "linux".
query optional Query
scripttype optional List of the script types. Example: "artifactCollection".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
  Name Description Required Value
  totalItems Total number of items found matching your query true integer
  nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
  Name Description Required Value
  createdByUserId Created by user id true string
  inputExample Input example true string
  inputInstructions Input instructions true string
  inputRequired Is input required true boolean
  scriptName Script name true string
  scriptType Script type true string
  version Version true string
  bucketName Bucket name false string
  createdAt Created at false string
  createdByUser Created by user false string
  creator Name of the creating user false string
  creatorId Id of the creating user false string
  fileName File name with full path false string
  fileSize File size false integer
  id Script ID false string
  isAvailableForArs Is the script runnable in Advanced Response Scripts false boolean
  isAvailableForLite Is the script runnable in Lite version false boolean
  mgmtId Mgmt id false integer
  osTypes OS types false string []
  outputFilePaths Output file paths false string []
  package Package false
    Name Description Required Value
    bucketName Bucket name false string
    endpointExpiration Package expiration option on endpoint false string
    endpointExpirationSeconds Package expiration time on endpoint false integer
    fileName File name with full path false string
    fileSize File size false integer
    id Package ID false string
    signature Signature false string
    signatureType Signature type false string
  scopeId Scope ID false string
  scopeLevel Scope level false enum
  scopeName The scripts scope name false string
  scopePath The path of the scripts scope false string
  scriptDescription Script description false string
  scriptRuntimeTimeoutSeconds Script runtime timeout in seconds false integer
  shortFileName File name false string
  signature Signature false string
  signatureType Signature type false string
  supportedDestinations Supported destinations false string []
  updatedAt Updated at false string
  updater Name of the updating user false string
  updaterId Id of the updating user false string
errors Errors false array

Upload New Script
POST /web/api/v2.1/remote-scripts

Upload a new script file. The file and various properties are required. To see the mandatory and optional parameters and their valid values, see the Body Schema or click
Run On Console.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  createdByUserId Created by user id true string
  inputExample Input example true string
  inputInstructions Input instructions true string
  inputRequired Is input required true boolean
  scriptName Script name true string
  scriptType Script type true string
  version Version true string
  bucketName Bucket name false string
  createdAt Created at false string
  createdByUser Created by user false string
  creator Name of the creating user false string
  creatorId Id of the creating user false string
  fileName File name with full path false string
  fileSize File size false integer
  id Script ID false string
  isAvailableForArs Is the script runnable in Advanced Response Scripts false boolean
  isAvailableForLite Is the script runnable in Lite version false boolean
  mgmtId Mgmt id false integer
  osTypes OS types false string []
  outputFilePaths Output file paths false string []
  package Package false
    Name Description Required Value
    bucketName Bucket name false string
    endpointExpiration Package expiration option on endpoint false string
    endpointExpirationSeconds Package expiration time on endpoint false integer
    fileName File name with full path false string
    fileSize File size false integer
    id Package ID false string
    signature Signature false string
    signatureType Signature type false string
  scopeId Scope ID false string
  scopeLevel Scope level false enum
  scopeName The scripts scope name false string
  scopePath The path of the scripts scope false string
  scriptDescription Script description false string
  scriptRuntimeTimeoutSeconds Script runtime timeout in seconds false integer
  shortFileName File name false string
  signature Signature false string
  signatureType Signature type false string
  supportedDestinations Supported destinations false string []
  updatedAt Updated at false string
  updater Name of the updating user false string
  updaterId Id of the updating user false string
errors Errors false array

Body Schema
Name Description Required Value
formData false
  Name Description Required Value
  inputRequired Is input required true boolean
  scopeLevel Scope level. Example: "site". true enum
  scriptName Script name true string
  scriptType Script type. Example: "artifactCollection". true enum
  consoleData Console data false string
  file File false file
  inputExample Input example false string
  inputInstructions Input instructions false string
  isDuplication True if script/package files should be taken from an existing script specified in original_script_id false boolean
  isScriptContentEncoded True if script content is encoded false boolean
  originalScriptId ID of script, from which the script/package files will be copied, applicable only if is_duplication is true. Example: "225494730938493804". false string
  osTypes Os types. Example: "m,a,c,o,s,,,l,i,n,u,x". false string []
  packageEndpointExpiration Package expiration option on endpoint. Example: "None". false enum
  packageEndpointExpirationSeconds Package expiration time on endpoint false integer
  packageFile Package file false file
  packageMaxSize Package max size false string
  packageRemoved True if package file should not be copied, applicable only if is_duplication is true false boolean
  scopeId Scope ID. Example: "225494730938493804". false string
  scriptContent Content of the script file, applicable only if is_duplication is true false string
  scriptDescription Script description false string
  scriptRuntimeTimeoutSeconds Script runtime timeout in seconds false integer
  sendActivity Send activity false boolean

Delete Scripts
DELETE /web/api/v2.1/remote-scripts

Deletes scripts that match a filter.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
  Name Description Required Value
  totalItems Total number of items found matching your query true integer
  nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
  Name Description Required Value
  createdByUserId Created by user id true string
  inputExample Input example true string
  inputInstructions Input instructions true string
  inputRequired Is input required true boolean
  scriptName Script name true string
  scriptType Script type true string
  version Version true string
  bucketName Bucket name false string
  createdAt Created at false string
  createdByUser Created by user false string
  creator Name of the creating user false string
  creatorId Id of the creating user false string
  fileName File name with full path false string
  fileSize File size false integer
  id Script ID false string
  isAvailableForArs Is the script runnable in Advanced Response Scripts false boolean
  isAvailableForLite Is the script runnable in Lite version false boolean
  mgmtId Mgmt id false integer
  osTypes OS types false string []
  outputFilePaths Output file paths false string []
  package Package false
    Name Description Required Value
    bucketName Bucket name false string
    endpointExpiration Package expiration option on endpoint false string
    endpointExpirationSeconds Package expiration time on endpoint false integer
    fileName File name with full path false string
    fileSize File size false integer
    id Package ID false string
    signature Signature false string
    signatureType Signature type false string
  scopeId Scope ID false string
  scopeLevel Scope level false enum
  scopeName The scripts scope name false string
  scopePath The path of the scripts scope false string
  scriptDescription Script description false string
  scriptRuntimeTimeoutSeconds Script runtime timeout in seconds false integer
  shortFileName File name false string
  signature Signature false string
  signatureType Signature type false string
  supportedDestinations Supported destinations false string []
  updatedAt Updated at false string
  updater Name of the updating user false string
  updaterId Id of the updating user false string
errors Errors false array

Body Schema
Name Description Required Value
filter Filter true
  Name Description Required Value
  accountIds List of Account IDs to filter by false string []
  groupIds List of group IDs to filter by false string []
  ids A list of Scripts IDs false string []
  osTypes List of the script OS types. false string []
  query Query false string
  scriptType List of the script types false string []
  siteIds List of Site IDs to filter by false string []
consoleData Console data false string
sendActivity Send activity false boolean

Update a Script
PUT /web/api/v2.1/remote-scripts/edit/{script_id}

Change the properties of a given script: runtime timeout, name, and whether input is required (if true, input example and instructions are required), or the script content itself.
This command requires the script ID, which you can get from the Get Scripts API.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Script not found

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  createdByUserId Created by user id true string
  inputExample Input example true string
  inputInstructions Input instructions true string
  inputRequired Is input required true boolean
  scriptName Script name true string
  scriptType Script type true string
  version Version true string
  bucketName Bucket name false string
  createdAt Created at false string
  createdByUser Created by user false string
  creator Name of the creating user false string
  creatorId Id of the creating user false string
  fileName File name with full path false string
  fileSize File size false integer
  id Script ID false string
  isAvailableForArs Is the script runnable in Advanced Response Scripts false boolean
  isAvailableForLite Is the script runnable in Lite version false boolean
  mgmtId Mgmt id false integer
  osTypes OS types false string []
  outputFilePaths Output file paths false string []
  package Package false
    Name Description Required Value
    bucketName Bucket name false string
    endpointExpiration Package expiration option on endpoint false string
    endpointExpirationSeconds Package expiration time on endpoint false integer
    fileName File name with full path false string
    fileSize File size false integer
    id Package ID false string
    signature Signature false string
    signatureType Signature type false string
  scopeId Scope ID false string
  scopeLevel Scope level false enum
  scopeName The scripts scope name false string
  scopePath The path of the scripts scope false string
  scriptDescription Script description false string
  scriptRuntimeTimeoutSeconds Script runtime timeout in seconds false integer
  shortFileName File name false string
  signature Signature false string
  signatureType Signature type false string
  supportedDestinations Supported destinations false string []
  updatedAt Updated at false string
  updater Name of the updating user false string
  updaterId Id of the updating user false string
errors Errors false array

Body Schema
Name | Description | Required | Value
formData | | false | (nested rows below)
  inputExample | Input example | true | string
  inputInstructions | Input instructions | true | string
  inputRequired | Is input required | true | boolean
  scriptName | Script name | true | string
  scriptRuntimeTimeoutSeconds | Script runtime timeout in seconds | true | integer
  scriptType | Script type. Example: "artifactCollection". | true | enum
  consoleData | Console data | false | string
  isScriptContentEncoded | Is the script content base64 encoded? | false | boolean
  osTypes | Os types. Example: "m,a,c,o,s,,,l,i,n,u,x". | false | string []
  packageEndpointExpiration | Package expiration option on endpoint. Example: "None". | false | enum
  packageEndpointExpirationSeconds | Package expiration time on endpoint | false | integer
  packageFile | Package file | false | file
  packageMaxSize | Package max size | false | string
  packageRemoved | Was package removed during edit of the script? | false | boolean
  scriptContent | Filled out with a new content of a script if the script content was changed on an already previously uploaded script | false | string
  scriptDescription | Script description | false | string
  scriptFile | Script file | false | file
  sendActivity | Send activity | false | boolean

Get paginated pending executions
GET /web/api/v2.1/remote-scripts/pending-executions

Get paginated pending executions

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
groupids optional List of group IDs to filter by. Example:
"225494730938493804,225494730938493915".
limit optional Limit number of returned items (1-1000). Example: "10".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema

Name | Description | Required | Value
pagination | Pagination information | true | (nested rows below)
  totalItems | Total number of items found matching your query | true | integer
  nextCursor | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) | false | string
data | Response data | false | (nested rows below)
  canApproveOrDecline | Can approve or decline | true | boolean
  creator | Creator | true | string
  creatorId | Creator id | true | string
  executionData | Execution data | true | (nested rows below)
    outputDestination | Output destination | true | enum
    scriptId | Script id | true | string
    taskDescription | Task description | true | string
    apiKey | Api key | false | string
    destinationProfileId | Id of destination profile to use | false | string
    destinationProfileKeyword | Destination profile keyword | false | string
    inputParams | Input params | false | string
    outputDirectory | Output directory | false | string
    outputFilePaths | Output file paths | false | string []
    password | Password | false | string
    passwordFromScope | Used to specify execution where a generic password is used | false | (nested rows below)
      scopeLevel | User scope | true | enum
      scopeId | string repr. of scope id | false | string
    requiresApproval | If set to true, execution will require approval | false | boolean
    scriptRuntimeTimeoutSeconds | Script runtime timeout in seconds for current execution | false | integer
    singularityxdrKeyword | Singularityxdr keyword | false | string
    singularityxdrUrl | Singularityxdr url | false | string
  pendingExecutionId | Pending execution id | true | string
  reviewer | Reviewer | true | string
  reviewerId | Reviewer id | true | string
  scriptData | Script data | true | (nested rows below)
    createdByUserId | Created by user id | true | string
    inputExample | Input example | true | string
    inputInstructions | Input instructions | true | string
    inputRequired | Is input required | true | boolean
    scriptName | Script name | true | string
    scriptType | Script type | true | string
    version | Version | true | string
    bucketName | Bucket name | false | string
    createdAt | Created at | false | string
    createdByUser | Created by user | false | string
    creator | Name of the creating user | false | string
    creatorId | Id of the creating user | false | string
    fileName | File name with full path | false | string
    fileSize | File size | false | integer
    id | Script ID | false | string
    isAvailableForArs | Is the script runnable in Advanced Response Scripts | false | boolean
    isAvailableForLite | Is the script runnable in Lite version | false | boolean
    mgmtId | Mgmt id | false | integer
    osTypes | OS types | false | string []
    outputFilePaths | Output file paths | false | string []
    package | Package | false | (nested rows below)
      bucketName | Bucket name | false | string
      endpointExpiration | Package expiration option on endpoint | false | string
      endpointExpirationSeconds | Package expiration time on endpoint | false | integer
      fileName | File name with full path | false | string
      fileSize | File size | false | integer
      id | Package ID | false | string
      signature | Signature | false | string
      signatureType | Signature type | false | string
    scopeId | Scope ID | false | string
    scopeLevel | Scope level | false | enum
    scopeName | The scripts scope name | false | string
    scopePath | The path of the scripts scope | false | string
    scriptDescription | Script description | false | string
    scriptRuntimeTimeoutSeconds | Script runtime timeout in seconds | false | integer
    shortFileName | File name | false | string
    signature | Signature | false | string
    signatureType | Signature type | false | string
    supportedDestinations | Supported destinations | false | string []
    updatedAt | Updated at | false | string
    updater | Name of the updating user | false | string
    updaterId | Id of the updating user | false | string
  state | State | true | enum
  totalEndpoints | Total endpoints | true | integer
  createdAt | Created at | false | string
  endpointsByScope | Endpoints by scope | false | (nested rows below)
    scopeName | | true | string
    totalEndpoints | | true | integer
  scheduledTaskId | Scheduled task id | false | string
errors | Errors | false | array
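
The cursor loop implied by the cursor, limit and nextCursor fields above, as an added example that is not part of the SentinelOne documentation: it walks every page of pending executions, keeps the ones the caller may approve or decline, and masks the password and apiKey fields of executionData before the records are logged. The fetch callable, the helper names and the sample pages are assumptions constructed for this example.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

PENDING_PATH = "/web/api/v2.1/remote-scripts/pending-executions"
SENSITIVE_KEYS = ("apiKey", "password")  # executionData fields listed in the response schema


def iter_items(fetch, path, params=None, limit=1000):
    """Yield every object from a cursor-paginated endpoint.

    fetch(url) -> dict is an injected transport (an assumption of this example);
    in production it performs the authenticated GET and decodes the JSON body.
    """
    if not 1 <= limit <= 1000:
        raise ValueError("limit must be between 1 and 1000")
    query = dict(params or {}, limit=limit)
    seen = set()
    while True:
        page = fetch(f"{path}?{urlencode(query)}")
        if page.get("errors"):
            raise RuntimeError(f"API returned errors: {page['errors']}")
        yield from page.get("data") or []
        cursor = (page.get("pagination") or {}).get("nextCursor")
        if cursor in (None, "", "null"):  # last page: JSON null or the string "null"
            return
        if cursor in seen:  # a repeated cursor would otherwise loop forever
            raise RuntimeError("nextCursor repeated; aborting pagination")
        seen.add(cursor)
        query["cursor"] = cursor


def redact(execution):
    """Return a copy with executionData secrets masked, safe to log or attach to a ticket."""
    clean = dict(execution)
    data = dict(clean.get("executionData") or {})
    for key in SENSITIVE_KEYS:
        if data.get(key):
            data[key] = "<redacted>"
    clean["executionData"] = data
    return clean


def review_queue(fetch, site_ids=None, limit=1000):
    """Pending executions the caller may approve or decline, most endpoints first."""
    params = {"siteids": ",".join(site_ids)} if site_ids else {}
    queue = [redact(e) for e in iter_items(fetch, PENDING_PATH, params, limit)
             if e.get("canApproveOrDecline")]
    return sorted(queue, key=lambda e: e.get("totalEndpoints", 0), reverse=True)


# Constructed sample data: two pages shaped like the response schema, keyed by cursor.
SAMPLE_PAGES = {
    None: {"pagination": {"totalItems": 3, "nextCursor": "Y29uc3RydWN0ZWQ="},
           "data": [
               {"pendingExecutionId": "1001", "canApproveOrDecline": True,
                "creator": "alice", "totalEndpoints": 3,
                "scriptData": {"scriptName": "Collect artifacts"},
                "executionData": {"scriptId": "1", "taskDescription": "triage",
                                  "password": "constructed-secret"}},
               {"pendingExecutionId": "1002", "canApproveOrDecline": False,
                "creator": "bob", "totalEndpoints": 900,
                "scriptData": {"scriptName": "Cleanup"},
                "executionData": {"scriptId": "2", "taskDescription": "cleanup"}}]},
    "Y29uc3RydWN0ZWQ=": {"pagination": {"totalItems": 3, "nextCursor": None},
                         "data": [
                             {"pendingExecutionId": "1003", "canApproveOrDecline": True,
                              "creator": "carol", "totalEndpoints": 40,
                              "scriptData": {"scriptName": "Collect logs"},
                              "executionData": {"scriptId": "3", "taskDescription": "logs",
                                                "apiKey": "constructed-key"}}]},
}
FETCHED_URLS = []


def fake_fetch(url):
    """Offline stand-in for the HTTP call: serves SAMPLE_PAGES by cursor value."""
    FETCHED_URLS.append(url)
    cursor = parse_qs(urlsplit(url).query).get("cursor", [None])[0]
    return SAMPLE_PAGES[cursor]


if __name__ == "__main__":
    for item in review_queue(fake_fetch, limit=2):
        print(item["pendingExecutionId"], item["scriptData"]["scriptName"],
              item["creator"], item["totalEndpoints"], item["executionData"])
```
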

Approve/decline pending execution
PUT /web/api/v2.1/remote-scripts/pending-executions/{pending_execution_id}

Approve/decline pending execution

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Pending execution not found

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested rows below)
  success | Operation result | false | boolean
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (nested rows below)
  action | Action | true | enum

Gets a guardrails configuration for a given scope
GET /web/api/v2.1/remote-scripts/guardrails/configuration

Gets a guardrails configuration for a given scope

Parameters
scopeid required Scope ID. Example: "225494730938493804".
scopelevel required Scope level. Example: "account".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested rows below)
  enabled | Whether guardrail is active | true | boolean
  endpointsQuantity | Threshold for number of endpoints | true | integer
  inherited | Whether guardrail is inherited | true | boolean
  scriptTypes | List of script types that the guardrail relates to | false | string []
errors | Errors | false | array

Updates or inserts (if record does not exist) a guardrails configuration
POST /web/api/v2.1/remote-scripts/guardrails/configuration

Updates or inserts (if record does not exist) a guardrails configuration

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested rows below)
  success | Operation result | false | boolean
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (nested rows below)
  enabled | Whether guardrail is active | true | boolean
  endpointsQuantity | Threshold for number of endpoints | true | integer
  scopeId | Scope ID | true | string
  scopeLevel | Scope level | true | enum
  scriptTypes | List of script types that the guardrail relates to | false | string []

Deletes a specific guardrails configuration
DELETE /web/api/v2.1/remote-scripts/guardrails/configuration

Deletes a specific guardrails configuration

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested rows below)
  success | Operation result | false | boolean
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (nested rows below)
  scopeId | Scope ID | true | string
  scopeLevel | Scope level | true | enum

Check whether guardrail applies to an execution
POST /web/api/v2.1/remote-scripts/guardrails/check

Check whether guardrail applies to an execution

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested rows below)
  requiresApproval | Whether the guardrail check requires approval | false | boolean
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (nested rows below)
  scriptId | Script id | true | string
  agentIds | Agent ids | false | string []

Rogues

Get Rogues Table


GET /web/api/v2.1/rogues/table-view

Get the data for each row in the Rogues Device Inventory Table.
Best practice: Set filters. Each row is a set of parameters that quickly fills the pagination limits.


Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
devicetype optional Device type. Example: "Server/Workstation/...".
devicetypes optional Device types
externalip optional Search using external IP
externalip__contains optional Free-text filter by visible IP (supports multiple values). Example:
"192.168.0.1/24,10.1".
firstseen__between optional Date range for first seen (format: <from_timestamp>-<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
firstseen__gt optional Devices first seen after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
firstseen__gte optional Devices first seen after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".

firstseen__lt optional Devices first seen before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
firstseen__lte optional Devices first seen before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
hostnames optional Hostnames
hostnames__contains optional Free-text filter by hostname (supports multiple values). Example:
"s1_host,SomeHost".
ids optional List of device ids. Example:
"225494730938493804,225494730938493915".
lastseen__between optional Date range for last seen (format: <from_timestamp>-<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
lastseen__gt optional Devices last seen after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
lastseen__gte optional Devices last seen after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
lastseen__lt optional Devices last seen before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
lastseen__lte optional Devices last seen before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
limit optional Limit number of returned items (1-1000). Example: "10".
localip optional Search using local IP
localip__contains optional Free-text filter by IP Address (supports multiple values). Example:
"192.168.0.1/24,10.1".
macaddress optional A mac address to search for
macaddress__contains optional Free-text filter by mac address (supports multiple values). Example:
"aa:ee:b1".
manufacturer optional Manufacturer of the device or network interface
manufacturer__contains optional Free-text filter by manufacturer (supports multiple values). Example:
"Company".
osname optional Os name
ostype optional OS type

ostypes optional Included OS types
osversion optional Os version
osversion__contains optional Free-text filter by OS full name and version (supports multiple
values). Example: "Service Pack 1".
query optional Query
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name | Description | Required | Value
pagination | Pagination information | true | (nested rows below)
  totalItems | Total number of items found matching your query | true | integer
  nextCursor | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) | false | string
data | Response data | false | (nested rows below)
  deviceFunction | Function of the device | false | string
  deviceType | Role of the device | false | string
  externalIp | Main Gateway Visible IP | false | string
  firstSeen | Time the device was first seen | false | string
  hostnames | Array of host names | false | string []
  id | Id of the device | false | string
  lastSeen | Time the device was last seen | false | string
  localIp | Local ip of the device | false | string
  macAddress | Mac address of the device | false | string
  manufacturer | Manufacturer of the device or network interface | false | string
  osName | OS Name/Version of the device | false | string
  osType | Os Type of the device | false | string
  osVersion | OS Version of the device | false | string
errors | Errors | false | array

Export Rogues Data
GET /web/api/v2.1/rogues/report/csv

Export Rogues data to CSV. You can set filters to get only relevant data. The response sends the CSV data as text.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
devicetype optional Device type. Example: "Server/Workstation/...".
devicetypes optional Device types
externalip optional Search using external IP
externalip__contains optional Free-text filter by visible IP (supports multiple values). Example:
"192.168.0.1/24,10.1".
firstseen__between optional Date range for first seen (format: <from_timestamp>-<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
firstseen__gt optional Devices first seen after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
firstseen__gte optional Devices first seen after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
firstseen__lt optional Devices first seen before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
firstseen__lte optional Devices first seen before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
hostnames optional Hostnames
hostnames__contains optional Free-text filter by hostname (supports multiple values). Example:
"s1_host,SomeHost".
ids optional List of device ids. Example:
"225494730938493804,225494730938493915".
lastseen__between optional Date range for last seen (format: <from_timestamp>-<to_timestamp>, inclusive). Example:
"1514978890136-1514978650130".
lastseen__gt optional Devices last seen after this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
lastseen__gte optional Devices last seen after or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
lastseen__lt optional Devices last seen before this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
lastseen__lte optional Devices last seen before or at this timestamp. Example:
"2018-02-27T04:49:26.257525Z".
localip optional Search using local IP
localip__contains optional Free-text filter by IP Address (supports multiple values). Example:
"192.168.0.1/24,10.1".
macaddress optional A mac address to search for
macaddress__contains optional Free-text filter by mac address (supports multiple values). Example:
"aa:ee:b1".
manufacturer optional Manufacturer of the device or network interface
manufacturer__contains optional Free-text filter by manufacturer (supports multiple values). Example:
"Company".
osname optional Os name
ostype optional OS type
ostypes optional Included OS types
osversion optional Os version
osversion__contains optional Free-text filter by OS full name and version (supports multiple
values). Example: "Service Pack 1".
query optional Query
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Get Rogues Settings


GET /web/api/v2.1/rogues/settings

Rogues gives full visibility of all unsecured devices connected to your network. Rogues scans your corporate environment to identify and manage connected devices, even those not protected by or supported by SentinelOne. Rogues identifies devices as:
* UnSecured - End-user computer or laptop, or server, without a SentinelOne Agent.

When you install Windows Agents with Rogues, the Agents can become scanners. Selected scanners from networks that you enable for scanning find connected devices with passive and active scan techniques. The scanners send the collected data to Rogues on the Management. Rogues then runs fingerprinting to identify and classify unique devices and to update the Device Inventory Table in the Management Console.

With port scanning, it is important that you understand the legal and ethical considerations and that you document a Rogues plan and implementation. See Legal Considerations and Proper Implementation in the Console Help.

* minAgentsInNetworkToScan - To help you determine which networks are corporate, Rogues looks at the number of secured endpoints (Agents) in a network. If there are not enough Agents in a network - set by this parameter value - Rogues considers the network to be non-corporate and will not scan it.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested rows below)
  accountId | Account id | false | string
  enabled | Is the ranger collection enabled for the account | false | boolean
  minAgentsInNetworkToScan | Minimum agents required in a network to be listed as selectable for scan. Valid values are 2, 10 and 100 if rogues is enabled | false | integer
  restrictions | A set of IP addresses that should not be scanned in the specific network | false | (nested rows below)
    annotation | An optional note with the reason for the restriction | false | string
    type | | false | enum
    values | It will be one IP or one CIDR or two values for a Range | false | string []
  specificPorts | [FUTURE] A set of specific ports allowed to be used as source ports for an active scan | false | (nested rows below)
    type | | false | enum
    values | It can be a single port or two ports [start, end] for a Range | false | integer []
  useSpecificPorts | [FUTURE] Use only specific ports defined in specific ports as source ports of active scans | false | boolean
errors | Errors | false | array

Update Rogues Settings
PUT /web/api/v2.1/rogues/settings

Change the Rogues Settings. Best Practice: Get the current settings before you change them. See: Get Rogues Settings.


Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested rows below)
  accountId | Account id | false | string
  enabled | Is the ranger collection enabled for the account | false | boolean
  minAgentsInNetworkToScan | Minimum agents required in a network to be listed as selectable for scan. Valid values are 2, 10 and 100 if rogues is enabled | false | integer
  restrictions | A set of IP addresses that should not be scanned in the specific network | false | (nested rows below)
    annotation | An optional note with the reason for the restriction | false | string
    type | | false | enum
    values | It will be one IP or one CIDR or two values for a Range | false | string []
  specificPorts | [FUTURE] A set of specific ports allowed to be used as source ports for an active scan | false | (nested rows below)
    type | | false | enum
    values | It can be a single port or two ports [start, end] for a Range | false | integer []
  useSpecificPorts | [FUTURE] Use only specific ports defined in specific ports as source ports of active scans | false | boolean
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (nested rows below)
  accountId | Account id | false | string
  enabled | Is the ranger collection enabled for the account | false | boolean
  minAgentsInNetworkToScan | Minimum agents required in a network to be listed as selectable for scan. Valid values are 2, 10 and 100 if rogues is enabled | false | integer
  restrictions | A set of IP addresses that should not be scanned in the specific network | false | (nested rows below)
    annotation | An optional note with the reason for the restriction | false | string
    type | | false | enum
    values | It will be one IP or one CIDR or two values for a Range | false | string []
  specificPorts | [FUTURE] A set of specific ports allowed to be used as source ports for an active scan | false | (nested rows below)
    type | | false | enum
    values | It can be a single port or two ports [start, end] for a Range | false | integer []
  useSpecificPorts | [FUTURE] Use only specific ports defined in specific ports as source ports of active scans | false | boolean
filter | Filter | true | (nested rows below)
  accountIds | List of Account IDs to filter by | false | string []
  siteIds | List of Site IDs to filter by | false | string []
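
A pre-flight check for the Get Rogues Settings and Update Rogues Settings calls above, added here as an example and not taken from the SentinelOne documentation: it merges a change over the settings fetched first, enforces the documented value rules, and refuses to drop an existing scan restriction unless that is requested explicitly. The function names, the 'ip'/'cidr'/'range' labels (not the API's type enum) and the sample settings are assumptions constructed for this example.

```python
import ipaddress

ALLOWED_MIN_AGENTS = (2, 10, 100)  # valid minAgentsInNetworkToScan values per the schema


def classify_restriction(values):
    """Classify restrictions[].values as 'ip', 'cidr' or 'range' (labels local to this example)."""
    values = [str(v) for v in values]
    if len(values) == 1:
        if "/" in values[0]:
            ipaddress.ip_network(values[0], strict=False)  # ValueError if malformed
            return "cidr"
        ipaddress.ip_address(values[0])
        return "ip"
    if len(values) == 2:
        start, end = (ipaddress.ip_address(v) for v in values)
        if start.version != end.version:
            raise ValueError("range mixes IPv4 and IPv6")
        if start > end:
            raise ValueError("range start is after range end")
        return "range"
    raise ValueError("expected one IP, one CIDR, or two values for a range")


def check_ports(values):
    """specificPorts[].values: a single port or [start, end]."""
    valid = all(isinstance(p, int) and not isinstance(p, bool) and 1 <= p <= 65535
                for p in values)
    if not valid or len(values) not in (1, 2):
        raise ValueError("expected a single port or [start, end] within 1-65535")
    if len(values) == 2 and values[0] > values[1]:
        raise ValueError("port range start is after end")


def validate_settings(data):
    """Return a list of problems found in a Rogues settings object."""
    problems = []
    if data.get("enabled") and data.get("minAgentsInNetworkToScan") not in ALLOWED_MIN_AGENTS:
        problems.append("minAgentsInNetworkToScan must be 2, 10 or 100 when enabled")
    for kind, checker in (("restrictions", classify_restriction), ("specificPorts", check_ports)):
        for index, entry in enumerate(data.get(kind) or []):
            try:
                checker(entry.get("values") or [])
            except ValueError as exc:
                problems.append(f"{kind}[{index}]: {exc}")
    return problems


def build_update(current, changes, account_ids, allow_removal=False):
    """Build the PUT body from the settings read first plus the intended changes."""
    merged = {**current, **changes}
    problems = validate_settings(merged)
    kept = {tuple(r.get("values") or []) for r in merged.get("restrictions") or []}
    dropped = [r for r in current.get("restrictions") or []
               if tuple(r.get("values") or []) not in kept]
    if dropped and not allow_removal:
        problems.append(f"update would remove {len(dropped)} existing restriction(s)")
    if problems:
        raise ValueError("; ".join(problems))
    return {"data": merged, "filter": {"accountIds": list(account_ids)}}


# Constructed sample: the "data" object a prior Get Rogues Settings call might return.
CURRENT_SETTINGS = {
    "accountId": "225494730938493804",
    "enabled": True,
    "minAgentsInNetworkToScan": 10,
    "restrictions": [
        {"annotation": "constructed: OT network", "values": ["10.20.0.0/16"]},
        {"annotation": "constructed: lab range", "values": ["192.168.5.10", "192.168.5.50"]},
    ],
}

if __name__ == "__main__":
    print(build_update(CURRENT_SETTINGS, {"minAgentsInNetworkToScan": 100},
                       ["225494730938493804"]))
```
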

Service Users

Get Service Users


GET /web/api/v2.1/service-users

Get a list of service users.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
ids optional List of service user IDs to filter by. Example:
"225494730938493804,225494730938493915".
limit optional Limit number of returned items (1-1000). Example: "10".
query optional Full text search for fields: full_name, email, description
roleids optional List of rbac roles to filter by. Example:
"225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".

Response Messages

200 - List of service users retrieved successfully.

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
pagination | Pagination information | true | (nested rows below)
  totalItems | Total number of items found matching your query | true | integer
  nextCursor | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) | false | string
data | Response data | false | (nested rows below)
  scope | User Scope | true | enum
  apiToken | Api token | false | (nested rows below)
    createdAt | Created at | false | string
    expiresAt | Expires at | false | string
  createdAt | Created at | false | string
  createdBy | Created by | false | (nested rows below)
    id | Id | false | string
    name | Name | false | string
  description | Description | false | string
  id | Id | false | string
  lastActivation | Last activation | false | string
  name | Name | false | string
  scopeRoles | Roles of the scope user | false | (nested rows below)
    accountName | Scope name | true | string
    name | Scope name | true | string
    id | Scope ID | false | string
    roleId | ID of the wanted role | false | string
    roleName | [DEPRECATED] Name of the role, will work only for predefined roles | false | string
    roles | [DEPRECATED] List containing the desired role name in this scope. Use role_id or role_name instead. | false | string []
  updatedAt | Updated at | false | string
  updatedBy | Updated by | false | (nested rows below)
    id | Id | false | string
    name | Name | false | string
errors | Errors | false | array
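
An audit pass over the objects returned by Get Service Users, added here as an example and not part of the SentinelOne documentation: it uses apiToken.createdAt, apiToken.expiresAt, lastActivation, scope and scopeRoles from the schema above to flag expired, soon-to-expire, long-lived, unused and broadly scoped service users. The timestamp format (taken from the "2018-02-27T04:49:26.257525Z" examples elsewhere in this document), the "tenant" scope literal, the thresholds and the sample users are assumptions constructed for this example.

```python
from datetime import datetime, timedelta, timezone


def parse_ts(value):
    """Parse an ISO 8601 timestamp such as "2018-02-27T04:49:26.257525Z" (assumed format)."""
    if not value:
        return None
    stamp = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)


def audit_service_user(user, now, warn_days=30, max_lifetime_days=365):
    """Return the findings for one service user object."""
    findings = []
    token = user.get("apiToken") or {}
    created = parse_ts(token.get("createdAt"))
    expires = parse_ts(token.get("expiresAt"))
    if expires is None:
        findings.append("no token expiry recorded")
    elif expires <= now:
        findings.append("token expired")
    elif expires - now <= timedelta(days=warn_days):
        findings.append(f"token expires within {warn_days} days")
    if created and expires and expires - created > timedelta(days=max_lifetime_days):
        findings.append(f"token lifetime exceeds {max_lifetime_days} days")
    if not user.get("lastActivation"):
        findings.append("never activated")
    if user.get("scope") == "tenant":  # assumed enum literal for the tenant (global) scope
        findings.append("tenant (global) scope")
    if any(not role.get("roleId") for role in user.get("scopeRoles") or []):
        findings.append("scopeRoles entry without roleId (deprecated roleName/roles in use)")
    return findings


def audit(users, now, **thresholds):
    """Map service user id -> name and findings, for users with at least one finding."""
    report = {}
    for user in users:
        findings = audit_service_user(user, now, **thresholds)
        if findings:
            report[user.get("id")] = {"name": user.get("name"), "findings": findings}
    return report


# Constructed sample: items shaped like the "data" rows of the response schema.
SAMPLE_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"id": "9001", "name": "siem-export", "scope": "account",
     "apiToken": {"createdAt": "2023-12-01T00:00:00.000000Z",
                  "expiresAt": "2024-06-01T00:00:00.000000Z"},
     "lastActivation": "2024-01-10T08:00:00.000000Z",
     "scopeRoles": [{"id": "225494730938493804", "roleId": "31"}]},
    {"id": "9002", "name": "old-script", "scope": "tenant",
     "apiToken": {"createdAt": "2021-01-01T00:00:00.000000Z",
                  "expiresAt": "2024-01-20T00:00:00.000000Z"},
     "lastActivation": None,
     "scopeRoles": [{"roleName": "constructed-role"}]},
    {"id": "9003", "name": "ticket-bot", "scope": "site",
     "apiToken": {"createdAt": "2023-06-01T00:00:00.000000Z",
                  "expiresAt": "2023-12-31T00:00:00.000000Z"},
     "lastActivation": "2023-12-30T12:00:00.000000Z",
     "scopeRoles": [{"id": "225494730938493915", "roleId": "32"}]},
]

if __name__ == "__main__":
    for user_id, entry in audit(SAMPLE_USERS, SAMPLE_NOW).items():
        print(user_id, entry["name"], "; ".join(entry["findings"]))
```
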

Create Service User
POST /web/api/v2.1/service-users

Create a new service user.

Response Messages
200 - Service User created successfully.

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Not enough permissions to create service user.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested rows below)
  scope | User Scope | true | enum
  apiToken | Api token | false | (nested rows below)
    createdAt | Created at | false | string
    expiresAt | Expires at | false | string
    value | Value | false | string
  createdAt | Created at | false | string
  createdBy | Created by | false | (nested rows below)
    id | Id | false | string
    name | Name | false | string
  description | Description | false | string
  id | Id | false | string
  lastActivation | Last activation | false | string
  name | Name | false | string
  scopeRoles | Roles of the scope user | false | (nested rows below)
    accountName | Scope name | true | string
    name | Scope name | true | string
    id | Scope ID | false | string
    roleId | ID of the wanted role | false | string
    roleName | [DEPRECATED] Name of the role, will work only for predefined roles | false | string
    roles | [DEPRECATED] List containing the desired role name in this scope. Use role_id or role_name instead. | false | string []
  updatedAt | Updated at | false | string
  updatedBy | Updated by | false | (nested rows below)
    id | Id | false | string
    name | Name | false | string
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (nested rows below)
  expirationDate | Date when the generated token expires | true | string
  name | Name of the service user | true | string
  scope | User scope | true | enum
  description | Description | false | string
  forceLegacy | Temporary attribute for WA: If the flag is set to True the legacy token will be generated even if the auth_tokens global switch is turned on | false | boolean
  scopeRoles | List of id and role id, id is mandatory for user in scope account/site. User in tenant (global) role does not need to provide an id. | false | (nested rows below)
    id | Scope ID | false | string
    roleId | ID of the wanted role | false | string
    roleName | [DEPRECATED] Name of the role, will work only for predefined roles | false | string
    roles | [DEPRECATED] List containing the desired role name in this scope. Use role_id or role_name instead. | false | string []

Export Service Users
GET /web/api/v2.1/export/service-users

Export Service User data to a CSV, for Service Users that match the filter.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
ids optional List of service user IDs to filter by. Example:
"225494730938493804,225494730938493915".
query optional Full text search for fields: full_name, email, description
roleids optional List of rbac roles to filter by. Example:
"225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Update Service User


PUT /web/api/v2.1/service-users/{service_user_id}

Change properties of the service user with the given ID.

Response Messages
200 - Service User updated successfully.

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Forbidden.

404 - Service User not found.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested rows below)
  scope | User Scope | true | enum
  apiToken | Api token | false | (nested rows below)
    createdAt | Created at | false | string
    expiresAt | Expires at | false | string
  createdAt | Created at | false | string
  createdBy | Created by | false | (nested rows below)
    id | Id | false | string
    name | Name | false | string
  description | Description | false | string
  id | Id | false | string
  lastActivation | Last activation | false | string
  name | Name | false | string
  scopeRoles | Roles of the scope user | false | (nested rows below)
    accountName | Scope name | true | string
    name | Scope name | true | string
    id | Scope ID | false | string
    roleId | ID of the wanted role | false | string
    roleName | [DEPRECATED] Name of the role, will work only for predefined roles | false | string
    roles | [DEPRECATED] List containing the desired role name in this scope. Use role_id or role_name instead. | false | string []
  updatedAt | Updated at | false | string
  updatedBy | Updated by | false | (nested rows below)
    id | Id | false | string
    name | Name | false | string
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (nested rows below)
  description | Description | false | string
  scope | User scope | false | enum
  scopeRoles | List of id and role id, id is mandatory for user in scope account/site. User in tenant (global) role does not need to provide an id. | false | (nested rows below)
    id | Scope ID | false | string
    roleId | ID of the wanted role | false | string
    roleName | [DEPRECATED] Name of the role, will work only for predefined roles | false | string
    roles | [DEPRECATED] List containing the desired role name in this scope. Use role_id or role_name instead. | false | string []

2113
Delete Service User
DELETE /web/api/v2.1/service-users/{service_user_id}

Delete a service user by ID.

Response Messages
200 - Service User deleted successfully.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions.

Response Schema
Name  Description  Required  Value
data  Response data  false  (nested table)
  success  Indicates a successful operation  false  boolean
errors  Errors  false  array

Bulk Delete Service Users
POST /web/api/v2.1/service-users/delete-service-users

Delete all service users that match the filter.

Response Messages
200 - Service Users deleted successfully.

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions.

Response Schema
Name  Description  Required  Value
data  Response data  false  (nested table)
  affected  Number of entities affected by the requested operation  false  integer
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
filter  Filter  true  (nested table)
  accountIds  List of Account IDs to filter by  false  string []
  ids  List of service user IDs to filter by  false  string []
  query  Full text search for fields: full_name, email, description  false  string
  roleIds  List of rbac roles to filter by  false  string []
  siteIds  List of Site IDs to filter by  false  string []
data  Data  false

Settings

Get SSO Settings


GET /web/api/v2.1/settings/sso

Get the Single Sign-On configuration for the given Sites (to get the IDs, run "sites") or Accounts ("accounts").

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name  Description  Required  Value
data  Response data  false  (nested table)
  autoProvisioning  True if the user should be auto provisioned  false  boolean
  defaultUserRole  The role name of the default role for a new user logging in via SSO for the first time  false  string
  defaultUserRoleId  The role name of the default role for a new user logging in via SSO for the first time  false  string
  domains  A list of domain names associated with the scope  false  string []
  enabled  Indicates if SSO is enabled  false  boolean
  idpCertName  Identity provider's certificate file name (If not provided, cert name and content will stay untouched in the DB)  false  string
  idpEntityId  Identity provider's Entity ID (a.k.a. Issuer)  false  string
  idpSsoUrl  The SSO URL of the Identity Provider (Login URL)  false  string
  signRequest  Indicates if SAML Request Signing is enabled  false  boolean
  spAcsUrl  Management console Assertion Consumer Service (ACS) URL. This is where IDP should send the authentication request  false  string
  spEntityId  Identifier the Management console creates to dialogue with the SSO provider.  false  string
  ssoElevatedSessionReauthType  Type of re-authentication used for session elevation.  false  enum
  ssoElevatedSessionReauthTypeEnabled  Marks whether re-auth type choice should be available in SSO settings  false  boolean
  ssoInheritableDomains  A dictionary of inheritable domains  false  object
  ssoInheritDomainsFrom  Scope(s) to inherit domains from  false  string []
  ssoPropagateDomainsToChildren  True if the domains should be propagated to children scopes  false  boolean
errors  Errors  false  array

Set SSO Settings
PUT /web/api/v2.1/settings/sso

Change the Single Sign-On configuration for the given Sites (to get the IDs, run "sites") or Accounts ("accounts").
The Management supports SAML 2.0 and will integrate with SAML 2.0 compliant SSO providers.
SentinelOne Technical Support can help you with issues related to the provider we tested: Okta. To use a different ID provider, see the provider documentation and support.
For requirements and best practices of Okta integration, see https://support.sentinelone.com/hc/en-us/articles/360004195714.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name  Description  Required  Value
data  Response data  false  (nested table)
  autoProvisioning  True if the user should be auto provisioned  false  boolean
  defaultUserRole  The role name of the default role for a new user logging in via SSO for the first time  false  string
  defaultUserRoleId  The role name of the default role for a new user logging in via SSO for the first time  false  string
  domains  A list of domain names associated with the scope  false  string []
  enabled  Indicates if SSO is enabled  false  boolean
  idpCertName  Identity provider's certificate file name (If not provided, cert name and content will stay untouched in the DB)  false  string
  idpEntityId  Identity provider's Entity ID (a.k.a. Issuer)  false  string
  idpSsoUrl  The SSO URL of the Identity Provider (Login URL)  false  string
  signRequest  Indicates if SAML Request Signing is enabled  false  boolean
  spAcsUrl  Management console Assertion Consumer Service (ACS) URL. This is where IDP should send the authentication request  false  string
  spEntityId  Identifier the Management console creates to dialogue with the SSO provider.  false  string
  ssoElevatedSessionReauthType  Type of re-authentication used for session elevation.  false  enum
  ssoElevatedSessionReauthTypeEnabled  Marks whether re-auth type choice should be available in SSO settings  false  boolean
  ssoInheritableDomains  A dictionary of inheritable domains  false  object
  ssoInheritDomainsFrom  Scope(s) to inherit domains from  false  string []
  ssoPropagateDomainsToChildren  True if the domains should be propagated to children scopes  false  boolean
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
data  Data  true  (nested table)
  enabled  If True, other arguments must also be supplied, if False, other arguments stay untouched in the DB  true  boolean
  autoProvisioning  True if the user should be auto provisioned  false  boolean
  defaultUserRole  The name of the default role for a new user who logs in with SSO. Sending it without default_user_role_id will search only in global scope  false  string
  defaultUserRoleId  The role name of the default role for a new user logging in via SSO for the first time  false  string
  domains  A list of domain names associated with the scope  false  string []
  idpCertContent  Identity provider's certificate file content (Base64 encoded string)  false  string
  idpCertName  Identity provider's certificate file name (If not provided, cert name and content will stay untouched in the DB)  false  string
  idpEntityId  Identity provider's Entity ID (a.k.a. Issuer)  false  string
  idpSsoUrl  The SSO URL of the Identity Provider (Login URL)  false  string
  signRequest  Indicates if SAML Request Signing is enabled  false  boolean
  ssoElevatedSessionReauthType  Type of re-authentication used for session elevation.  false  enum
  ssoInheritDomainsFrom  Scope(s) to inherit domains from  false  string []
  ssoPropagateDomainsToChildren  True if the domains should be propagated to children scopes  false  boolean
filter  Filter  true  (nested table)
  accountIds  List of Account IDs to filter by  false  string []
  siteIds  List of Site IDs to filter by  false  string []

Get SSO Service Provider Certificate
GET /web/api/v2.1/settings/sso/sp-cert

Get the Service Provider Certificate for the Single Sign-On configuration for the given scope.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name  Description  Required  Value
data  Response data  false  (nested table)
  expiresAt  Certificate expires at  false  string
  fileName  File name of the signing certificate used by the service provider to sign SAML requests  false  string
  issuedAt  Certificate issued at  false  string
  pem  Certificate in PEM format  false  string
errors  Errors  false  array

Download SSO Service Provider Certificate
GET /web/api/v2.1/settings/sso/sp-cert/download

Download the Service Provider Certificate for the Single Sign-On configuration for the given scope.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Test SSO Settings


POST /web/api/v2.1/settings/sso/test

Test Single Sign-On settings.

Response Messages
200 - The URL to redirect to.

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name  Description  Required  Value
data  Response data  false  (nested table)
  redirectUrl  The url to redirect for test.  false  string
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
data  Data  true  (nested table)
  enabled  If True, other arguments must also be supplied, if False, other arguments stay untouched in the DB  true  boolean
  autoProvisioning  True if the user should be auto provisioned  false  boolean
  defaultUserRole  The name of the default role for a new user who logs in with SSO. Sending it without default_user_role_id will search only in global scope  false  string
  defaultUserRoleId  The role name of the default role for a new user logging in via SSO for the first time  false  string
  domains  A list of domain names associated with the scope  false  string []
  idpCertContent  Identity provider's certificate file content (Base64 encoded string)  false  string
  idpCertName  Identity provider's certificate file name (If not provided, cert name and content will stay untouched in the DB)  false  string
  idpEntityId  Identity provider's Entity ID (a.k.a. Issuer)  false  string
  idpSsoUrl  The SSO URL of the Identity Provider (Login URL)  false  string
  signRequest  Indicates if SAML Request Signing is enabled  false  boolean
  ssoElevatedSessionReauthType  Type of re-authentication used for session elevation.  false  enum
  ssoInheritDomainsFrom  Scope(s) to inherit domains from  false  string []
  ssoPropagateDomainsToChildren  True if the domains should be propagated to children scopes  false  boolean
filter  Filter  true  (nested table)
  accountIds  List of Account IDs to filter by  false  string []
  siteIds  List of Site IDs to filter by  false  string []

Get Notification Settings
GET /web/api/v2.1/settings/notifications

Get the notification settings for the given Sites (to get the IDs, run "settings") or Accounts ("accounts").
The response shows every possible notification and whether it is active and if so, for email or syslog or both. It also shows the ID string for each notification, which can be used in other commands.
Note: Each notification also shows "sms" which is deprecated.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".

Response Messages
200 - Data retrieved successfully

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed in this scope

Response Schema
Name  Description  Required  Value
data  Response data  false  (nested table)
  configurations  Configurations  false  (nested table)
    email  If not empty, email configuration is missing  false  string
    sms  If not empty, sms configuration is missing  false  string
    syslog  If not empty, syslog configuration is missing  false  string
  lastModified  Notifications last modified  false  (nested table)
    updatedAt  Last Modified details level data  false  string
    updatedBy  Last Modified details level data  false  string
  notifications  Notifications categories  false  (nested table)
    activedirectory  Category Items  false  object
    administrative  Category Items  false  object
    customrules  Category Items  false  object
    devicecontrol  Category Items  false  object
    endpointtagging  Category Items  false  object
    firewallcontrol  Category Items  false  object
    locations  Category Items  false  object
    malware  Category Items  false  object
    mitigation  Category Items  false  object
    operations  Category Items  false  object
    ranger  Category Items  false  object
    remoteshell  Category Items  false  object
    threatmanagement  Category Items  false  object
    whitelistblacklist  Category Items  false  object
errors  Errors  false  array

Set Notification Settings
PUT /web/api/v2.1/settings/notifications

Change the notifications for the given Sites (to get the IDs, run "settings") or Accounts ("accounts"). Best practice: Get the current settings (see Get Notification Settings) before you run this command.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed in this scope

404 - Scope does not exist

Response Schema
Name  Description  Required  Value
data  Response data  false  (nested table)
  configurations  Configurations  false  (nested table)
    email  If not empty, email configuration is missing  false  string
    sms  If not empty, sms configuration is missing  false  string
    syslog  If not empty, syslog configuration is missing  false  string
  lastModified  Notifications last modified  false  (nested table)
    updatedAt  Last Modified details level data  false  string
    updatedBy  Last Modified details level data  false  string
  notifications  Notifications categories  false  (nested table)
    activedirectory  Category Items  false  object
    administrative  Category Items  false  object
    customrules  Category Items  false  object
    devicecontrol  Category Items  false  object
    endpointtagging  Category Items  false  object
    firewallcontrol  Category Items  false  object
    locations  Category Items  false  object
    malware  Category Items  false  object
    mitigation  Category Items  false  object
    operations  Category Items  false  object
    ranger  Category Items  false  object
    remoteshell  Category Items  false  object
    threatmanagement  Category Items  false  object
    whitelistblacklist  Category Items  false  object
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
data  Data  true  (nested table)
  configurations  Configurations  false  (nested table)
    email  If not empty, email configuration is missing  false  string
    sms  If not empty, sms configuration is missing  false  string
    syslog  If not empty, syslog configuration is missing  false  string
  lastModified  Notifications last modified  false  (nested table)
    updatedAt  Last Modified details level data  false  string
    updatedBy  Last Modified details level data  false  string
  notifications  Notifications categories  false  (nested table)
    activedirectory  Category Items  false  object
    administrative  Category Items  false  object
    customrules  Category Items  false  object
    devicecontrol  Category Items  false  object
    endpointtagging  Category Items  false  object
    firewallcontrol  Category Items  false  object
    locations  Category Items  false  object
    malware  Category Items  false  object
    mitigation  Category Items  false  object
    operations  Category Items  false  object
    ranger  Category Items  false  object
    remoteshell  Category Items  false  object
    threatmanagement  Category Items  false  object
    whitelistblacklist  Category Items  false  object
filter  Filter  true  (nested table)
  accountIds  List of Account IDs to filter by  false  string []
  siteIds  List of Site IDs to filter by  false  string []

Clear Pending Emails
POST /web/api/v2.1/settings/notifications/cancel-pending-emails

Clear (discard without sending) pending email notifications for the given Sites (to get the IDs, run "sites") or Accounts ("accounts").
When you set email recipients to get notifications for activities in the system, you can set too many, or in other ways cause issues that demand that the queue be cleared.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed in this scope

404 - Scope does not exist

Response Schema
Name  Description  Required  Value
data  Response data  false  (nested table)
  canceled  Canceled  true  integer
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
filter  Filter  true  (nested table)
  accountIds  List of Account IDs to filter by  false  string []
  siteIds  List of Site IDs to filter by  false  string []

Get SMTP Settings
GET /web/api/v2.1/settings/smtp

Get the SMTP server configuration of the given Sites (to get the IDs, run "sites") or Accounts ("accounts"). The SMTP integration is required to send notifications by email.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".

Response Messages
200 - Data retrieved successfully

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed in this scope

404 - Scope does not exist

Response Schema
Name  Description  Required  Value
data  Response data  false  (nested table)
  enabled  SMTP service is enabled  false  boolean
  encryption  SMTP service encryption type  false  enum
  host  SMTP service host  false  string
  inherits  True if site inherits SMTP settings from global scope, False if using custom settings.  false  boolean
  noReplyEmail  SMTP service no-reply-email  false  string
  password  SMTP service password. Required when creating new SMTP settings or updating host and/or port of the existing one.  false  string
  port  SMTP service port  false  integer
  username  SMTP service username  false  string
errors  Errors  false  array

Set SMTP Settings
PUT /web/api/v2.1/settings/smtp

Change the SMTP server configuration for the given Sites or Accounts. Use this command to integrate a different SMTP server, which is required to send notifications by email.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed in this scope

404 - Scope does not exist

Response Schema
Name  Description  Required  Value
data  Response data  false  (nested table)
  enabled  SMTP service is enabled  false  boolean
  encryption  SMTP service encryption type  false  enum
  host  SMTP service host  false  string
  inherits  True if site inherits SMTP settings from global scope, False if using custom settings.  false  boolean
  noReplyEmail  SMTP service no-reply-email  false  string
  password  SMTP service password. Required when creating new SMTP settings or updating host and/or port of the existing one.  false  string
  port  SMTP service port  false  integer
  username  SMTP service username  false  string
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
data  Data  true  (nested table)
  enabled  SMTP service is enabled  false  boolean
  encryption  SMTP service encryption type  false  enum
  host  SMTP service host  false  string
  inherits  True if site inherits SMTP settings from global scope, False if using custom settings.  false  boolean
  noReplyEmail  SMTP service no-reply-email  false  string
  password  SMTP service password. Required when creating new SMTP settings or updating host and/or port of the existing one.  false  string
  port  SMTP service port  false  integer
  username  SMTP service username  false  string
filter  Filter  true  (nested table)
  accountIds  List of Account IDs to filter by  false  string []
  siteIds  List of Site IDs to filter by  false  string []

Test SMTP Settings
POST /web/api/v2.1/settings/smtp/test

Test SMTP settings between the Management and the SMTP server. This integration is required if you use email notifications.

Response Messages
200 - Data retrieved successfully

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Scope does not exist

Response Schema
Name  Description  Required  Value
data  Response data  false  (nested table)
  status  Status  true  boolean
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
data  Data  true  (nested table)
  enabled  SMTP service is enabled  false  boolean
  encryption  SMTP service encryption type  false  enum
  host  SMTP service host  false  string
  inherits  True if site inherits SMTP settings from global scope, False if using custom settings.  false  boolean
  noReplyEmail  SMTP service no-reply-email  false  string
  password  SMTP service password. Required when testing new SMTP settings or testing update of host and/or port of the existing one.  false  string
  port  SMTP service port  false  integer
  username  SMTP service username  false  string
filter  Filter  true  (nested table)
  accountIds  List of Account IDs to filter by  false  string []
  siteIds  List of Site IDs to filter by  false  string []

Get Syslog Settings
GET /web/api/v2.1/settings/syslog

Get the configuration of the syslog server integrated with the given Sites (to get the IDs, run "sites") or Accounts ("accounts").

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".

Response Messages
200 - Data retrieved successfully

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed in this scope

404 - Scope does not exist

Response Schema
Name  Description  Required  Value
data  Response data  false  (nested table)
  clientCertContent  SysLog service client certificate content in Base64  false  string
  clientCertName  SysLog service client certificate name  false  string
  clientKeyContent  SysLog service client key content in Base64  false  string
  clientKeyName  SysLog service client key name  false  string
  enabled  SysLog service is enabled  false  boolean
  format  SysLog service format  false  enum
  host  SysLog service host  false  string
  port  SysLog service port  false  integer
  serverCertContent  SysLog service server certificate content in Base64  false  string
  serverCertName  SysLog service server certificate name  false  string
  ssl  SysLog service uses ssl  false  boolean
  token  SysLog server token  false  string
errors  Errors  false  array

Set Syslog Settings
PUT /web/api/v2.1/settings/syslog

Change the configuration of the syslog server of the given Sites (to get the IDs, run "sites") or Accounts ("accounts"). Use this command to send notifications to a different syslog server. Best Practice: Get Syslog Settings before you run this command.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed in this scope

404 - Scope does not exist

Response Schema
Name  Description  Required  Value
data  Response data  false  (nested table)
  clientCertContent  SysLog service client certificate content in Base64  false  string
  clientCertName  SysLog service client certificate name  false  string
  clientKeyContent  SysLog service client key content in Base64  false  string
  clientKeyName  SysLog service client key name  false  string
  enabled  SysLog service is enabled  false  boolean
  format  SysLog service format  false  enum
  host  SysLog service host  false  string
  port  SysLog service port  false  integer
  serverCertContent  SysLog service server certificate content in Base64  false  string
  serverCertName  SysLog service server certificate name  false  string
  ssl  SysLog service uses ssl  false  boolean
  token  SysLog server token  false  string
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
data  Data  true  (nested table)
  clientCertContent  SysLog service client certificate content in Base64  false  string
  clientCertName  SysLog service client certificate name  false  string
  clientKeyContent  SysLog service client key content in Base64  false  string
  clientKeyName  SysLog service client key name  false  string
  enabled  SysLog service is enabled  false  boolean
  format  SysLog service format  false  enum
  host  SysLog service host  false  string
  port  SysLog service port  false  integer
  serverCertContent  SysLog service server certificate content in Base64  false  string
  serverCertName  SysLog service server certificate name  false  string
  ssl  SysLog service uses ssl  false  boolean
  token  SysLog server token  false  string
filter  Filter  true  (nested table)
  accountIds  List of Account IDs to filter by  false  string []
  siteIds  List of Site IDs to filter by  false  string []

Test Syslog Settings
POST /web/api/v2.1/settings/syslog/test

Test Syslog settings. The Management tests the connection to the Syslog server.

Response Messages
200 - Data retrieved successfully

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Scope does not exist

Response Schema
Name  Description  Required  Value
data  Response data  false  (nested table)
  status  Status  true  boolean
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
data  Data  true  (nested table)
  clientCertContent  SysLog service client certificate content in Base64  false  string
  clientCertName  SysLog service client certificate name  false  string
  clientKeyContent  SysLog service client key content in Base64  false  string
  clientKeyName  SysLog service client key name  false  string
  enabled  SysLog service is enabled  false  boolean
  format  SysLog service format  false  enum
  host  SysLog service host  false  string
  port  SysLog service port  false  integer
  serverCertContent  SysLog service server certificate content in Base64  false  string
  serverCertName  SysLog service server certificate name  false  string
  ssl  SysLog service uses ssl  false  boolean
  token  SysLog server token  false  string
filter  Filter  true  (nested table)
  accountIds  List of Account IDs to filter by  false  string []
  siteIds  List of Site IDs to filter by  false  string []

Get SMS Settings
GET /web/api/v2.1/settings/sms

[DEPRECATED] Gets the site's SMS settings.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".

Response Messages
200 - Data retrieved successfully

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed in this scope

404 - Scope does not exist

Response Schema
Name  Description  Required  Value
data  Response data  false  (nested table)
  enabled  SMS service is enabled  false  boolean
errors  Errors  false  array

Set SMS Settings
PUT /web/api/v2.1/settings/sms

[DEPRECATED] Set SMS settings.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed in this scope

404 - Scope does not exist

Response Schema
Name  Description  Required  Value
data  Response data  false  (nested table)
  enabled  SMS service is enabled  false  boolean
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
data  Data  true  (nested table)
  enabled  SMS service is enabled  false  boolean
filter  Filter  true  (nested table)
  accountIds  List of Account IDs to filter by  false  string []
  siteIds  List of Site IDs to filter by  false  string []

Get Notification Recipients
GET /web/api/v2.1/settings/recipients

Get the emails that are configured to receive notifications.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
email optional Email
name optional Name
query optional Full text search for fields: name, email, sms
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
sms optional Sms

Response Messages
200 - Data retrieved successfully

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed in this scope

404 - Scope does not exist

Response Schema
Name  Description  Required  Value
data  Response data  false  (nested table)
  recipients  Notification Recipients  false  (nested table)
    email  Notification Recipients Email  false  string
    id  Notification Recipients Id  false  string
    name  Notification Recipients Email  false  string
    sms  Notification Recipients SMS  false  string
errors  Errors  false  array

Set Notification Recipients
PUT /web/api/v2.1/settings/recipients

Set the emails of recipients to get notifications.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed in this scope

404 - Scope does not exist

Response Schema
Name  Description  Required  Value
data  Response data  false  (nested table)
  email  Notification Recipients Email  false  string
  id  Notification Recipients Id  false  string
  name  Notification Recipients Email  false  string
  sms  Notification Recipients SMS  false  string
errors  Errors  false  array

Body Schema
Name  Description  Required  Value
data  Data  true  (nested table)
  email  Notification Recipients Email  false  string
  id  Notification Recipients Id  false  string
  name  Notification Recipients Email  false  string
  sms  Notification Recipients SMS  false  string
filter  Filter  true  (nested table)
  accountIds  List of Account IDs to filter by  false  string []
  siteIds  List of Site IDs to filter by  false  string []

Delete Notification Recipient
DELETE /web/api/v2.1/settings/recipients/{recipient_id}

Delete a notification recipient by ID. To get the IDs of recipients, run "recipients" (see Get Notification Recipients).

Response Messages
200 - Recipient deleted successfully.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions.

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  success | Indicates a successful operation | false | boolean
errors | Errors | false | array

Get AD Settings
GET /web/api/v2.1/settings/active-directory

Get the Global Active Directory settings.

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".

Response Messages
200 - Data retrieved successfully

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed in this scope

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  enabled | Is AD service enabled? | false | boolean
  host | Active Directory server address | false | string
  port | Active Directory server port | false | integer
  rootDn | Root Domain Name of Active Directory | false | string
  ssl | Should we speak to the Active Directory server using SSL? | false | boolean
  username | Username used to log in to active directory | false | string
errors | Errors | false | array

Set AD Settings
PUT /web/api/v2.1/settings/active-directory

Update the Global Active Directory settings.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  enabled | Is AD service enabled? | false | boolean
  host | Active Directory server address | false | string
  port | Active Directory server port | false | integer
  rootDn | Root Domain Name of Active Directory | false | string
  ssl | Should we speak to the Active Directory server using SSL? | false | boolean
  username | Username used to log in to active directory | false | string
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (fields below)
  enabled | Is AD service enabled? | false | boolean
  host | Active Directory server address | false | string
  password | Password used to log in to active directory | false | string
  port | Active Directory server port | false | integer
  rootDn | Root Domain Name of Active Directory | false | string
  ssl | Should we speak to the Active Directory server using SSL? | false | boolean
  username | Username used to log in to active directory | false | string

Test AD Settings
POST /web/api/v2.1/settings/active-directory/test

Test Active Directory settings.

Response Messages
200 - Data retrieved successfully

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Scope does not exist

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  status | Status | true | boolean
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (fields below)
  enabled | Is AD service enabled? | false | boolean
  host | Active Directory server address | false | string
  password | Password used to log in to active directory | false | string
  port | Active Directory server port | false | integer
  rootDn | Root Domain Name of Active Directory | false | string
  ssl | Should we speak to the Active Directory server using SSL? | false | boolean
  username | Username used to log in to active directory | false | string

Get AD FQDNs
GET /web/api/v2.1/settings/active-directory/scope-mapping

Get the map of Active Directory FQDNs to user roles of the given Sites (use "sites" to get IDs) or Accounts ("accounts").

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".

Response Messages
200 - Data retrieved successfully

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed in this scope

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  admin | Admin | false | string []
  viewer | Viewer | false | string []
errors | Errors | false | array

Set AD FQDNs
PUT /web/api/v2.1/settings/active-directory/scope-mapping

Update the Active Directory FQDNs of a Site or Account.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed in this scope

404 - Scope does not exist

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  admin | Admin | false | string []
  viewer | Viewer | false | string []
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (fields below)
  admin | Admin | false | string []
  viewer | Viewer | false | string []
filter | Filter | true | (fields below)
  accountIds | List of Account IDs to filter by | false | string []
  siteIds | List of Site IDs to filter by | false | string []

Get Microsoft Settings
GET /web/api/v2.1/settings/microsoft

[DEPRECATED] Gets the Microsoft settings of the Sites or Accounts.

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".

Response Messages
200 - Data retrieved successfully

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed in this scope

404 - Scope does not exist

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  enabled | Microsoft service is enabled | false | boolean
  expiryDate | The expiry time of the given url | false | string
  inherits | True if site inherits SMTP settings from global scope, False if using custom settings. | false | boolean
  url | URL used to authenticate with microsoft | false | string
errors | Errors | false | array

Set Microsoft Settings
PUT /web/api/v2.1/settings/microsoft

[DEPRECATED] Update Microsoft settings for the given Sites or Accounts.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed in this scope

404 - Scope does not exist

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  enabled | Microsoft service is enabled | false | boolean
  expiryDate | The expiry time of the given url | false | string
  inherits | True if site inherits SMTP settings from global scope, False if using custom settings. | false | boolean
  url | URL used to authenticate with microsoft | false | string
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (fields below)
  enabled | Microsoft service is enabled | false | boolean
  expiryDate | The expiry time of the given url | false | string
  inherits | True if site inherits SMTP settings from global scope, False if using custom settings. | false | boolean
  url | URL used to authenticate with microsoft | false | string
filter | Filter | true | (fields below)
  accountIds | List of Account IDs to filter by | false | string []
  siteIds | List of Site IDs to filter by | false | string []

Test Microsoft Settings
POST /web/api/v2.1/settings/microsoft/test

[DEPRECATED] Test Microsoft settings.

Response Messages
200 - Data retrieved successfully

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Scope does not exist

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  reason | Reason for unsuccessful call | false | string
  success | True if succeeded | false | boolean
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (fields below)
  enabled | Microsoft service is enabled | false | boolean
  expiryDate | The expiry time of the given url | false | string
  inherits | True if site inherits SMTP settings from global scope, False if using custom settings. | false | boolean
  url | URL used to authenticate with microsoft | false | string
filter | Filter | true | (fields below)
  accountIds | List of Account IDs to filter by | false | string []
  siteIds | List of Site IDs to filter by | false | string []

Sites

Get Sites
GET /web/api/v2.1/sites

Get the Sites that match the filters.


The response includes the IDs of Sites, which you can use in other commands.

Parameters
accountid optional Account id. Example: "225494730938493804".
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
accountname__contains optional Free-text filter by account name (supports multiple values)
activelicenses optional Active licenses
adminonly optional Show sites the user has Admin privileges to
availablemovesites optional Only return sites the user can move agents to
countonly optional If true, only total number of items will be returned, without any of the actual objects.
createdat optional Timestamp of site creation. Example: "2018-02-27T04:49:26.257525Z".
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
description optional The description for the Site
description__contains optional Free-text filter by site description (supports multiple values)
expiration optional Expiration. Example: "2018-02-27T04:49:26.257525Z".
externalid optional Id in a CRM external system
features optional If sent return only sites that support this features. Example: "firewall-control".
healthstatus optional Health status
isdefault optional Is default
limit optional Limit number of returned items (1-1000). Example: "10".
module optional Module. Example: "star,rso".
name optional Name. Example: "My Site".
name__contains optional Free-text filter by site name (supports multiple values)
query optional Full text search for fields: name, account_name, description. (Note: on single-account consoles account name will not be matched)
registrationtoken optional Registration token. Example: "eyJ1cmwiOiAiaHR0cHM6Ly9jb25zb2xlLnNlbnRpbmVsb25lLm5ldCIsICJzaXRlX2tleSI6ICIwNzhkYjliMWUyOTA1Y2NhIn0=".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
sitetype optional Site type. Example: "Trial".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sku optional Sku. Example: "core".
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
state optional Site state. Example: "active".
states optional List of states to filter
suite optional [DEPRECATED] Use sku instead. Example: "Core".
totallicenses optional Total licenses
updatedat optional Timestamp of last update. Example: "2018-02-27T04:49:26.257525Z".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
pagination | Pagination information | true | (fields below)
  totalItems | Total number of items found matching your query | true | integer
  nextCursor | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) | false | string
data | Response data | false | (fields below)
  allSites | All sites | false | (fields below)
    activeLicenses | Active licenses | false | integer
    totalLicenses | Total licenses | false | integer
  sites | Sites | false | (fields below)
    accountId | Account id | false | string
    accountName | Account name | false | string
    activeLicenses | Number of active licenses for the site | false | integer
    createdAt | Timestamp of site creation | false | string
    creator | Full name of the creating user | false | string
    creatorId | Id of the creating user | false | string
    description | The user-defined description for the Site | false | string
    expiration | Expiration | false | string
    externalId | Id of CRM external system | false | string
    healthStatus | Obsolete. Always true | false | boolean
    id | Site ID | false | string
    isDefault | Is default | false | boolean
    licenses | The site licenses | false | (fields below)
bundles The licenses false Name De
Bundles
displayName Th
dis
majorVersion Th
ma
minorVersion Th
mi
name Th
int
na
surfaces Th
in

totalSurfaces Th

nu
Su
thi
-1
un
co

modules The licenses false Name De


Add-ons
displayName Th
dis
majorVersion Th
ma
name Th
int
na

settings The licenses false Name De


Settings
displayName [D
D]
Se
dis
groupName Th
gro
setting Th
dis
settingGroup [D
D]
Se
na
settingGroup Th
DisplayName gro
na

    name | Name | false | string
    registrationToken | [DEPRECATED] token generation in dedicated endpoint - /sites/<site_id>/token | false |
    siteType | Site type | false | string
    sku | [DEPRECATED] The sku of product features active for this site | false | enum
    state | Site state | false | enum
    suite | [DEPRECATED] Use sku instead | false | enum
    totalLicenses | Total licenses | false | integer
    unlimitedExpiration | The site does not expire | false | boolean
    unlimitedLicenses | Site licenses unlimited | false | boolean
    updatedAt | Timestamp of last update | false | string
    usageType | Usage type | false | string
errors | Errors | false | array
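
The "cursor" parameter and the "nextCursor" response field described above combine into a loop that builds a complete Site inventory even past the 1000-item page limit. The following is an added example, not SentinelOne code: `fetch` is an assumed callable that wraps your own HTTP client and authentication, and `make_fake_console` is a constructed in-memory stand-in so the loop runs offline.

```python
import base64
from typing import Callable, Dict, Iterator, List, Optional

SITES_PATH = "/web/api/v2.1/sites"  # endpoint documented on this page
MAX_LIMIT = 1000                    # documented range for "limit" is 1-1000

# Assumed transport shape: fetch(path, query_params) -> parsed JSON body (dict).
Fetch = Callable[[str, Dict[str, str]], dict]


def iter_site_pages(fetch: Fetch, filters: Optional[Dict[str, str]] = None,
                    limit: int = MAX_LIMIT, max_pages: int = 10_000) -> Iterator[dict]:
    """Yield each response body of Get Sites, following pagination.nextCursor."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be between 1 and 1000")
    params = dict(filters or {})
    if "skip" in params or "cursor" in params:
        raise ValueError("do not pass skip/cursor; paging is driven by nextCursor")
    params["limit"] = str(limit)
    seen_cursors = set()
    for _ in range(max_pages):
        body = fetch(SITES_PATH, params)
        if body.get("errors"):
            raise RuntimeError(f"API returned errors: {body['errors']}")
        yield body
        cursor = (body.get("pagination") or {}).get("nextCursor")
        if cursor in (None, "", "null"):   # last page reached
            return
        if cursor in seen_cursors:         # defensive: never loop on a repeated cursor
            raise RuntimeError("cursor repeated; stopping to avoid an endless loop")
        seen_cursors.add(cursor)
        params["cursor"] = cursor
    raise RuntimeError("max_pages reached before the last page")


def collect_sites(fetch: Fetch, filters: Optional[Dict[str, str]] = None,
                  limit: int = MAX_LIMIT) -> dict:
    """Build an inventory keyed by Site id and compare it with totalItems."""
    by_id: Dict[str, dict] = {}
    duplicates: List[str] = []
    reported = None
    for body in iter_site_pages(fetch, filters, limit):
        if reported is None:
            reported = (body.get("pagination") or {}).get("totalItems")
        for site in (body.get("data") or {}).get("sites") or []:
            if site["id"] in by_id:
                duplicates.append(site["id"])
            by_id[site["id"]] = site
    # "complete" is None when the server did not report a total (e.g. skipcount).
    complete = None if reported is None else reported == len(by_id)
    return {"sites": by_id, "reported_total": reported,
            "duplicates": duplicates, "complete": complete}


def make_fake_console(sites: List[dict]) -> Fetch:
    """Constructed stand-in for the console; its cursor encoding is made up."""
    calls: List[Dict[str, str]] = []

    def fetch(path: str, params: Dict[str, str]) -> dict:
        assert path == SITES_PATH
        calls.append(dict(params))
        start = 0
        if "cursor" in params:
            start = int(base64.b64decode(params["cursor"]).decode().split(":")[1])
        page = sites[start:start + int(params["limit"])]
        end = start + len(page)
        nxt = base64.b64encode(f"offset:{end}".encode()).decode() if end < len(sites) else None
        return {"pagination": {"totalItems": len(sites), "nextCursor": nxt},
                "data": {"sites": page}, "errors": None}

    fetch.calls = calls  # recorded query parameters, for inspection
    return fetch


if __name__ == "__main__":
    # Constructed sample data: 2500 Sites with made-up ids.
    demo = [{"id": str(225494730938493804 + i), "name": f"site-{i}"} for i in range(2500)]
    console = make_fake_console(demo)
    inventory = collect_sites(console, {"state": "active"})
    print(len(inventory["sites"]), "sites in", len(console.calls), "requests;",
          "complete =", inventory["complete"])
```

A `complete` value of False means the inventory changed while it was being read or a page was lost, so the run should be repeated before the result is used for an audit.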

Create Site
POST /web/api/v2.1/sites

Create a Site. This requires an Admin role with a Global scope or Account scope that has permissions over the Account to which the Site will belong.
You must have a license for a new Site.
In the body of this request, include the policy.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  accountId | Account id | false | string
  accountName | Account name | false | string
  activeLicenses | Number of active licenses for the site | false | integer
  createdAt | Timestamp of site creation | false | string
  creator | Full name of the creating user | false | string
  creatorId | Id of the creating user | false | string
  description | The user-defined description for the Site | false | string
  expiration | Expiration | false | string
  externalId | Id of CRM external system | false | string
  healthStatus | Obsolete. Always true | false | boolean
  id | Site ID | false | string
  isDefault | Is default | false | boolean
  licenses | The site licenses | false | (fields below)
    bundles | The licenses Bundles | false | (fields below)
      displayName | The Bundle display name | false | string
      majorVersion | The Bundle major version | false | integer
      minorVersion | The Bundle minor version | false | integer
      name | The Bundle internal api name | false | string
      surfaces | The Surfaces in the Bundle | false | (fields below)
count Th
co
ind
un
co
name Th
na

      totalSurfaces | The total number of Surfaces in this Bundle. -1 indicates unlimited count. | false | integer
    modules | The licenses Add-ons | false | (fields below)
      displayName | The Add-on display name | false | string
      majorVersion | The Add-on major version | false | integer
      name | The Add-on internal api name | false | string
    settings | The licenses Settings | false | (fields below)
      displayName | [DEPRECATED] The Setting display name | false | string
      groupName | The Setting group name | false |
      setting | The Setting display name | false |
      settingGroup | [DEPRECATED] The Setting group name | false | string
      settingGroupDisplayName | The Setting group display name | false | string
  name | Name | false | string
  registrationToken | [DEPRECATED] token generation in dedicated endpoint - /sites/<site_id>/token | false |
  siteType | Site type | false | string
  sku | [DEPRECATED] The sku of product features active for this site | false | enum
  state | Site state | false | enum
  suite | [DEPRECATED] Use sku instead | false | enum
  totalLicenses | Total licenses | false | integer
  unlimitedExpiration | True if the Site has no expiration date | false |
  unlimitedLicenses | True if the Site has unlimited licenses | false | boolean
  updatedAt | Timestamp of last update | false | string
  usageType | Usage type | false | string
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (fields below)
  name | Name | true | string
  accountId | Associated account. Leave empty in single-account management consoles. | false | string
  accountSfId | | false | string
  description | The user-defined description for the Site | false | string
  expiration | Expiration | false | string
  externalId | Id of CRM external system | false | string
  inherits | True if the policy is inherited from Tenant, False if the site has its own edited policy | false | boolean
  licenses | The license configuration for the Site | false | (fields below)
    bundles | The list of Bundles selected | false | (fields below)
      name | | true | string
      majorVersion | | false | integer
      surfaces | | false | (fields below)
name
count Th

of
pe
-1
un
co

    modules | The list of Add-ons selected | false | (fields below)
      name | | true | string
  policy | Policy is mandatory if inherits is false, else it will be ignored. | false | (fields below)
    agentLoggingOn | True if logging is enabled in the agent | false | boolean
    agentNotification | [DEPRECATED] Show end point notification on suspicious. Replaced by 'show_suspicious' in the agent UI section | false | boolean
    agentUi | Agent ui | false | (fields below)
      agentUiOn | Agent ui on | false | boolean
      contactCompany | Contact company | false | string
      contactDirectMessage | Contact direct message | false | string
      contactEmail | Contact email | false | string
      contactFreeText | Contact free text | false | string
      contactOther | Contact other | false | string
      contactPhoneNumber | Contact phone number | false | string
      contactSupportWebsite | Contact support website | false | string
      devicePopUpNotifications | Device pop up notifications | false | boolean
      maxEventAgeDays | Max event age days | false | integer
      showAgentWarnings | Show agent warnings | false | boolean
      showDeviceTab | Show device tab | false | boolean
      showQuarantineTab | Show quarantine tab | false | boolean
      showSupport | Show support | false | boolean
      showSuspicious | Show suspicious | false | boolean
      threatPopUpNotifications | Threat pop up notifications | false | boolean
    agentUiOn | [DEPRECATED] Show/hide Agent UI. Moved inside the agent UI section | false | boolean
    allowRemoteShell | True if Remote Shell is enabled for the scope | false | boolean
    antiTamperingOn | Anti tampering on/off | false | boolean
    autoDecommissionDays | Automatic decommission period in days | false | integer
    autoDecommissionOn | Auto decommission on | false | boolean
    autoFileUpload | Automatic file upload configuration | false | (fields below)
      enabled | Automatic file upload on/off | false | boolean
      includeBenignFiles | Upload benign files | false | boolean
      maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer
      maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer
      maxFileSize | Maximum file size (MB) to upload | false | integer
      maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer
      maxLocalDiskUsage | Maximum local disk usage (MB) for uploaded files | false | integer
      maxLocalDiskUsageLimit | Limit for the maximum local disk usage (MB) for uploaded files | false | integer
    autoImmuneOn | Automatic immune on/off - this value must be true since all policies are immune by default | false | boolean
    autoMitigationAction | Default action for auto mitigation | false | string
    cloudValidationOn | Cloud validation on | false |
    createdAt | Timestamp of policy creation | false | string
    driverBlocking | Suspicious driver blocking engine on/off | false | boolean
    dvAttributesPerEventType | The DV attributes | false | (fields below)
autoInstallBr Auto install false Name De
owserExtensi browser
ons extensions autoInstallBr Au
owserExtensi bro
ons ex

behavioralInd Behavioral false Name De


icators indicators
event dvEventTypeBe Be
havioralIndica ind
tors ev

commandScri Command false Name De


pts scripts event
dvEventType Co
CommandScri scr
pts

crossProcess Cross process false Name De


event
dvEventTypeC Du
rossProcessDu Pro
plicateProces Ev
s
dvEventTypeC Du
rossProcessD Th
uplicateThrea Ty

d
dvEventTypeC Op
rossProcessO Ev
penProcess
dvEventTypeC Re
rossProcessR Th
emoteThread Ty

dataMasking Data masking false Name De


dataMasking Da

dllModuleLoa DLL module false Name De


d load event
dvEventType DL
DllModuleLo loa
ad

dns Network false Name De


event - DNS
dvEventType Ne
Dns ev

driver Driver false Name De


dvEventTypeD Dr
riverLoad

file File event false Name De


dvEventTypeF Fil
ileCreation Ev
dvEventTypeF Fil
ileDeletion Ev
dvEventTypeFi Fil
leModificatio Mo
n Ev
dvEventTypeF Fil
ileRename Ev
fullDiskScan Fil
Ev

ip Network false Name De


event - IP

dvEventTypeI IP
pConnect Ev
dvEventTypeI IP
pListen Ev

login User login/ false Name De


logout event
dvEventTypeL Us
oginLoggedIn Ev
dvEventType Us
LoginLogged Ev
Out

namedPipe Named Pipe false Name De


dvEventType Na
NamedPipeCo Co
nnection Ev
dvEventType Na
NamedPipeCr Cr
eation Ev

namedPipeEx Named Pipe false Name De


tended Extended
namedPipeEx Na
tended Co
Ex
Ev

process Process event false Name De


dvEventTypeP Pro
rocessCreatio Cr
n Ev
dvEventTypeP Pro
rocessExit Ev
dvEventTypeP Pro
rocessModific Te
ation Ev

registry Registry false Name De


event
dvEventTypeR Re
egistryKeyCr Cr

eated Ev
dvEventTypeR Re
egistryKeyDel De
ete Ty
dvEventTypeR Re
egistryKeyExp Ex
ort Ty
dvEventTypeR Re
egistryKeyIm Im
port Ty
dvEventType Re
RegistryKey Re
Rename Ev
dvEventTypeR Re
egistryKeySe Se
curityChange Ch
d Ev
dvEventTypeR Re
egistryValueC Va
reated Ev
dvEventTypeR Re
egistryValueD Va
eleted De
Ev
dvEventTypeR Re
egistryValueM Va
odified Mo
Ev

scheduledTas Scheduled false Name De


k task event
dvEventTypeS Sc
cheduledTask Ta
Delete Ev
dvEventTypeS Sc
cheduledTask Ta
Register Ev
dvEventTypeS Sc
cheduledTask Ta
Start Ev

dvEventTypeS Sc
cheduledTaskT Ta
rigger Ev
dvEventTypeS Sc
cheduledTask Ta
Update Ev

smartFileMoni Smart file false Name De


toring monitoring
smartFileMoni Sm
toring mo

url URL Actions false Name De


event
dvEventTypeU UR
rl ev

windowsEven Windows false Name De


tLogs Event Log
dvEventType W
WindowsEven Ev
tLogCreation Cr
Ev

windowsEven Windows false Name De


tLogsExtende Event Log
d Extended windowsEven W
tLogsExtende Ev
d Ex
Ev

    engines | The engines statuses | false | (fields below)
      applicationControl | application control | false | enum
      dataFiles | data files | false | enum
      executables | executables | false | enum
      exploits | exploits | false | enum
      lateralMovement | lateral movement | false | enum
      penetration | penetration | false | enum
      preExecution | on-write | false | enum
      preExecutionSuspicious | pre execution suspicious | false | enum
      pup | potentially unwanted applications (PUP) | false | enum
      remoteShell | remote shell | false | enum
      reputation | reputation | false | enum
    forensicsAutoTriggering | Forensics auto triggering configuration | false | (fields below)
      linuxEnabled | True if linux forensics is enabled | false | boolean
      linuxProfileId | The profile id for the linux forensics | false | string
      linuxProfileName | The profile name for the linux forensics | false | string
      macosEnabled | True if macos forensics is enabled | false | boolean
      macosProfileId | The profile id for the macos forensics | false | string
      macosProfileName | The profile name for the macos forensics | false | string
      windowsEnabled | True if windows forensics is enabled | false | boolean
      windowsProfileId | The profile id for the windows forensics | false | string
      windowsProfileName | The profile name for the windows forensics | false | string
    identityEndpointReporting | Endpoint reporting level | false | enum
    identityOn | Identity module on/off | false | boolean
    identityReportInterval | Identity telemetry report interval in minutes | false | integer
    identityThrottlingInterval | Identity duplicate command consolidation interval in minutes | false | integer
    identityUpdateInterval | Identity update interval in minutes | false | integer
    inheritedFrom | Indicates the parent scope from which this policy is inherited, or 'null' if it is not inherited (modified specifically for the current scope). | false | enum
    ioc | True if ioc is enabled | false | boolean
    iocAttributes | The Ioc attributes | false | (fields below)
      autoInstallBrowserExtensions | Update auto install browser extensions | false | boolean
      behavioralIndicators | Update behavioral indicators | false | boolean
      commandScripts | Update command scripts | false | boolean
      crossProcess | Update cross process | false | boolean
      dataMasking | Update data masking | false | boolean
      dllModuleLoad | Update DLL module load | false | boolean
      dns | Network event - DNS | false | boolean
      driver | Driver | false | boolean
      fds | Full disk scan | false | boolean
      file | File event | false | boolean
      ip | Network event - IP | false | boolean
      login | User login/logout event | false | boolean
      namedPipe | Named Pipe | false | boolean
      namedPipeExtended | Named Pipe Extended | false | boolean
      process | Process creation event | false | boolean
      registry | Registry event | false | boolean
      scheduledTask | Scheduled task event | false | boolean
      smartFileMonitoring | Smart file monitoring | false | boolean
      url | Ioc URI | false | boolean
      windowsEventLogs | Windows Event Log | false | boolean
      windowsEventLogsExtended | Windows Event Log Extended | false | boolean
    iocSupported | Ioc supported for the scope | false | boolean
    isDefault | True if this is the tenant policy | false | boolean
    isDvPolicyPerEventType | FE indication as to how to display DV policy | false | boolean
    mitigationMode | Mitigation modes | false | enum
    mitigationModeSuspicious | Mitigation mode | false | enum
    monitorOnExecute | Monitor on execute on/off | false | boolean
    monitorOnWrite | Monitor on write | false | boolean
    networkQuarantineOn | Network quarantine on | false | boolean
    remoteOpsForensics | Remote ops forensics configuration | false | (fields below)
      cpuLimit | CPU resources limit for collection process | false | integer
      enabled | Enabled | false | boolean
      maximumDailyUpload | Maximum size to upload daily | false | integer
      maximumDailyUploadLimit | Limit for the maximum size to upload daily | false | integer
      maximumFileSizeUpload | Maximum size for single file | false | integer
      maximumFileSizeUploadLimit | Limit for the maximum file size to upload | false | integer
      parsedArtifactsDestination | Default destination of parsed artifacts | false | enum
    remoteScriptOrchestration | Remote script orchestration upload limits configuration | false | (fields below)
      alwaysUploadStreamToCloud | Always upload streams to cloud | false | boolean
      maxDailyFileDownload | Maximum size (MB) to download daily | false | integer
      maxDailyFileDownloadLimit | Limit for the maximum size (MB) to download daily | false | integer
      maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer
      maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer
      maxFileSize | Maximum size in bytes for single file | false | integer
      maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer
      maxLocalPackageDiskUsage | Maximum local disk usage (MB) for packages | false | integer
      maxLocalPackageDiskUsageLimit | Limit for the maximum local disk usage (MB) for packages | false | integer
    removeMacros | Determines if macros should be removed from macro threats | false | boolean
    researchOn | Share data with SentinelOne | false | boolean
    scanNewAgents | If True initiate full disk scan upon first registration | false | boolean
    signedDriverBlockingOn | Suspicious signed driver blocking on/off | false | boolean
    snapshotsOn | True if snapshots are enabled | false | boolean
    unsignedDriverBlockingOn | Suspicious unsigned driver blocking on/off | false | boolean
    updatedAt | Time of the last update to the policy | false | string
    userFullName | The user that created the policy | false | string
    userId | The user id | false | string
  siteType | Site types | false | enum
  sku | [DEPRECATED] Use licenses instead | false | enum
  suite | [DEPRECATED] Use licenses instead | false | enum
  totalLicenses | Total licenses | false | integer
  unlimitedExpiration | Is expiration unlimited, if not expiration should be supplied | false | boolean
  unlimitedLicenses | Is the site unlimited, if not then total_licenses must be supplied | false | boolean
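
The Body Schema above states several conditional rules (policy is mandatory when inherits is false, expiration and totalLicenses depend on the "unlimited" flags, autoImmuneOn must be true, some fields are deprecated). The following pre-flight check for a Create Site body is an added example, not SentinelOne code; the `review` findings reflect a review policy chosen for this example rather than an API requirement, and `SAMPLE_BODY` is constructed.

```python
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, JSON path, message)

# Fields the Body Schema marks [DEPRECATED], with the replacement it names.
DEPRECATED = {
    "data.sku": "use licenses instead",
    "data.suite": "use licenses instead",
    "data.policy.agentNotification": "replaced by 'show_suspicious' in the agent UI section",
    "data.policy.agentUiOn": "moved inside the agent UI section",
}

# Assumption: review choices made for this example, not SentinelOne rules.
# A policy value listed here should be justified before the Site goes live.
REVIEW_IF = {"antiTamperingOn": False, "allowRemoteShell": True, "snapshotsOn": False}


def check_create_site_body(body: Dict[str, Any]) -> List[Finding]:
    """Return findings for a POST /web/api/v2.1/sites body; empty list means clean."""
    findings: List[Finding] = []
    data = body.get("data")
    if not isinstance(data, dict):
        return [("error", "data", "required object is missing")]

    name = data.get("name")
    if not isinstance(name, str) or not name.strip():
        findings.append(("error", "data.name", "required string is missing or empty"))

    # "Is expiration unlimited, if not expiration should be supplied"
    if data.get("unlimitedExpiration") is not True and not data.get("expiration"):
        findings.append(("warning", "data.expiration",
                         "should be supplied unless unlimitedExpiration is true"))
    # "Is the site unlimited, if not then total_licenses must be supplied"
    if data.get("unlimitedLicenses") is not True and data.get("totalLicenses") is None:
        findings.append(("error", "data.totalLicenses",
                         "must be supplied unless unlimitedLicenses is true"))

    # "Policy is mandatory if inherits is false, else it will be ignored."
    policy, inherits = data.get("policy"), data.get("inherits")
    if inherits is False and not isinstance(policy, dict):
        findings.append(("error", "data.policy", "mandatory when inherits is false"))
    if inherits is True and policy is not None:
        findings.append(("warning", "data.policy", "ignored because inherits is true"))

    # bundles[].name and modules[].name are the only required license fields.
    licenses = data.get("licenses") or {}
    for kind in ("bundles", "modules"):
        for i, item in enumerate(licenses.get(kind) or []):
            if not isinstance(item, dict) or not item.get("name"):
                findings.append(("error", f"data.licenses.{kind}[{i}].name",
                                 "required string is missing"))

    for path, hint in DEPRECATED.items():
        node: Any = body
        for key in path.split("."):
            node = node.get(key) if isinstance(node, dict) else None
        if node is not None:
            findings.append(("warning", path, f"deprecated: {hint}"))

    if isinstance(policy, dict) and inherits is not True:
        if policy.get("autoImmuneOn", True) is not True:
            findings.append(("error", "data.policy.autoImmuneOn", "must be true"))
        for key, flagged in REVIEW_IF.items():
            if policy.get(key) is flagged:
                findings.append(("review", f"data.policy.{key}",
                                 f"set to {flagged}; confirm this is intended"))
    return findings


# Constructed sample body with several problems, for illustration only.
SAMPLE_BODY = {
    "data": {
        "name": "Branch Office",
        "accountId": "225494730938493804",
        "inherits": False,
        "unlimitedExpiration": False,
        "unlimitedLicenses": False,
        "suite": "Core",
        "licenses": {"bundles": [{"majorVersion": 1}], "modules": [{"name": "star"}]},
        "policy": {"antiTamperingOn": False, "allowRemoteShell": True,
                   "snapshotsOn": True, "autoImmuneOn": False, "agentUiOn": True},
    }
}

if __name__ == "__main__":
    for severity, path, message in check_create_site_body(SAMPLE_BODY):
        print(f"{severity:8} {path}: {message}")
```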

Export Sites
GET /web/api/v2.1/export/sites

Export Sites data to a CSV, for Sites that match the filter.

Parameters
accountid optional Account id. Example: "225494730938493804".
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
accountname__contains optional Free-text filter by account name (supports multiple values)
activelicenses optional Active licenses
adminonly optional Show sites the user has Admin privileges to
availablemovesites optional Only return sites the user can move agents to
createdat optional Timestamp of site creation. Example: "2018-02-27T04:49:26.257525Z".
description optional The description for the Site
description__contains optional Free-text filter by site description (supports multiple values)
expiration optional Expiration. Example: "2018-02-27T04:49:26.257525Z".
externalid optional Id in a CRM external system
features optional If sent return only sites that support this features. Example: "firewall-control".
healthstatus optional Health status
isdefault optional Is default
module optional Module. Example: "star,rso".
name optional Name. Example: "My Site".
name__contains optional Free-text filter by site name (supports multiple values)
query optional Full text search for fields: name, account_name, description. (Note: on single-account consoles account name will not be matched)
registrationtoken optional Registration token. Example: "eyJ1cmwiOiAiaHR0cHM6Ly9jb25zb2xlLnNlbnRpbmVsb25lLm5ldCIsICJzaXRlX2tleSI6ICIwNzhkYjliMWUyOTA1Y2NhIn0=".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
sitetype optional Site type. Example: "Trial".
sku optional Sku. Example: "core".
state optional Site state. Example: "active".
states optional List of states to filter
suite optional [DEPRECATED] Use sku instead. Example: "Core".
totallicenses optional Total licenses
updatedat optional Timestamp of last update. Example: "2018-02-27T04:49:26.257525Z".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Get Site by ID
GET /web/api/v2.1/sites/{site_id}

Get the data of the Site with the given ID. To get the ID, run "sites".
The response shows the Site expiration date, SKU, licenses (total and active), token, Account name and ID, who created and changed it and when, and its status.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

404 - Site not found

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  accountId | Account id | false | string
  accountName | Account name | false | string
  activeLicenses | Number of active licenses for the site | false | integer
  createdAt | Timestamp of site creation | false | string
  creator | Full name of the creating user | false | string
  creatorId | Id of the creating user | false | string
  description | The user-defined description for the Site | false | string
  expiration | Expiration | false | string
  externalId | Id of CRM external system | false | string
  healthStatus | Obsolete. Always true | false | boolean
  id | Site ID | false | string
  isDefault | Is default | false | boolean
  licenses | The site licenses | false | (fields below)
    bundles | The licenses Bundles | false | (fields below)
      displayName | The Bundle display name | false | string
      majorVersion | The Bundle major version | false | integer
      minorVersion | The Bundle minor version | false | integer
      name | The Bundle internal api name | false | string
      surfaces | The Surfaces in the Bundle | false | (fields below)
count Th
co
ind
un
co
name Th
na

totalSurfaces The total false integer


number of
Surfaces in
this Bundle.
-1 indicates
unlimited
count.

modules The licenses false Name Description Required Value


Add-ons
displayName The Add-on false string
display name
majorVersion The Add-on false integer
major version
name The Add-on false string
internal api
name

settings The licenses false Name Description Required Value


Settings
displayName [DEPRECATE false string
D] The
Setting
display name
groupName The Setting false
group name
setting The Setting false
display name
settingGroup [DEPRECATE false string
D] The

2215
Setting group
name
settingGroup The Setting false string
DisplayName group display
name

name Name false string


registrationT [DEPRECATE false
oken D] token
generation in
dedicated
endpoint - /
sites/
<site_id>/
token
siteType Site type false string
sku [DEPRECATE false enum
D] The sku of
product
features
active for this
site
state Site state false enum
suite [DEPRECATE false enum
D] Use sku
instead
totalLicenses Total licenses false integer
unlimitedExpi The site does false boolean
ration not expire
unlimitedLice Site licenses false boolean
nses unlimited
updatedAt Timestamp of false string
last update
usageType Usage type false string

errors Errors false array

Update Site
PUT /web/api/v2.1/sites/{site_id}

Change the policy and properties of the Site given by ID.


To get the ID, run 'sites'.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Site not found

Response Schema
Name | Description | Required | Value
data | Response data | false |
  accountId | Account id | false | string
  accountName | Account name | false | string
  activeLicenses | Number of active licenses for the site | false | integer
  createdAt | Timestamp of site creation | false | string
  creator | Full name of the creating user | false | string
  creatorId | Id of the creating user | false | string
  description | The user-defined description for the Site | false | string
  expiration | Expiration | false | string
  externalId | Id of CRM external system | false | string
  healthStatus | Obsolete. Always true | false | boolean
  id | Site ID | false | string
  isDefault | Is default | false | boolean
  licenses | The site licenses | false |
    bundles | The licenses Bundles | false |
      displayName | The Bundle display name | false | string
      majorVersion | The Bundle major version | false | integer
      minorVersion | The Bundle minor version | false | integer
      name | The Bundle internal api name | false | string
      surfaces | The Surfaces in the Bundle | false | Name De
        count | Th co ind un co
        name | Th na
      totalSurfaces | The total number of Surfaces in this Bundle. -1 indicates unlimited count. | false | integer
    modules | The licenses Add-ons | false |
      displayName | The Add-on display name | false | string
      majorVersion | The Add-on major version | false | integer
      name | The Add-on internal api name | false | string
    settings | The licenses Settings | false |
      displayName | [DEPRECATED] The Setting display name | false | string
      groupName | The Setting group name | false |
      setting | The Setting display name | false |
      settingGroup | [DEPRECATED] The Setting group name | false | string
      settingGroupDisplayName | The Setting group display name | false | string
  name | Name | false | string
  registrationToken | [DEPRECATED] token generation in dedicated endpoint - /sites/<site_id>/token | false |
  siteType | Site type | false | string
  sku | [DEPRECATED] The sku of product features active for this site | false | enum
  state | Site state | false | enum
  suite | [DEPRECATED] Use sku instead | false | enum
  totalLicenses | Total licenses | false | integer
  unlimitedExpiration | True if the Site has no expiration date | false |
  unlimitedLicenses | True if the Site has unlimited licenses | false | boolean
  updatedAt | Timestamp of last update | false | string
  usageType | Usage type | false | string
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true |
  description | The user-defined description for the Site | false | string
  expiration | Expiration | false | string
  externalId | Id of CRM external system | false | string
  id | Site ID | false | string
  inherits | True if the policy is inherited from Tenant, False if the site has its own edited policy | false | boolean
  licenses | The license configuration for the Site | false |
    bundles | The list of Bundles selected | false |
      name | | true | string
      majorVersion | | false | integer
      surfaces | | false | Name De
        name
        count | Th of pe -1 un co
    modules | The list of Add-ons selected | false |
      name | | true | string
  name | Name | false | string
  policy | Policy | false |
    agentLoggingOn | True if logging is enabled in the agent | false | boolean
    agentNotification | [DEPRECATED] Show end point notification on suspicious. Replaced by 'show_suspicious' in the agent UI section | false | boolean
    agentUi | Agent ui | false |
      agentUiOn | Agent ui on | false | boolean
      contactCompany | Contact company | false | string
      contactDirectMessage | Contact direct message | false | string
      contactEmail | Contact email | false | string
      contactFreeText | Contact free text | false | string
      contactOther | Contact other | false | string
      contactPhoneNumber | Contact phone number | false | string
      contactSupportWebsite | Contact support website | false | string
      devicePopUpNotifications | Device pop up notifications | false | boolean
      maxEventAgeDays | Max event age days | false | integer
      showAgentWarnings | Show agent warnings | false | boolean
      showDeviceTab | Show device tab | false | boolean
      showQuarantineTab | Show quarantine tab | false | boolean
      showSupport | Show support | false | boolean
      showSuspicious | Show suspicious | false | boolean
      threatPopUpNotifications | Threat pop up notifications | false | boolean
    agentUiOn | [DEPRECATED] Show/hide Agent UI. Moved inside the agent UI section | false | boolean
    allowRemoteShell | True if Remote Shell is enabled for the scope | false | boolean
    antiTamperingOn | Anti tampering on/off | false | boolean
    autoDecommissionDays | Automatic decommission period in days | false | integer
    autoDecommissionOn | Auto decommission on | false | boolean
    autoFileUpload | Automatic file upload configuration | false |
      enabled | Automatic file upload on/off | false | boolean
      includeBenignFiles | Upload benign files | false | boolean
      maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer
      maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer
      maxFileSize | Maximum file size (MB) to upload | false | integer
      maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer
      maxLocalDiskUsage | Maximum local disk usage (MB) for uploaded files | false | integer
      maxLocalDiskUsageLimit | Limit for the maximum local disk usage (MB) for uploaded files | false | integer
    autoImmuneOn | Automatic immune on/off - this value must be true since all policies are immune by default | false | boolean
    autoMitigationAction | Default action for auto mitigation | false | string
    cloudValidationOn | Cloud validation on | false |
    createdAt | Timestamp of policy creation | false | string
    driverBlocking | Suspicious driver blocking engine on/off | false | boolean
    dvAttributesPerEventType | The DV attributes | false |
      autoInstallBrowserExtensions | Auto install browser extensions | false | Name De
        autoInstallBrowserExtensions | Au bro ex
      behavioralIndicators | Behavioral indicators event | false | Name De
        dvEventTypeBehavioralIndicators | Be ind ev
      commandScripts | Command scripts event | false | Name De
        dvEventTypeCommandScripts | Co scr
      crossProcess | Cross process event | false | Name De
        dvEventTypeCrossProcessDuplicateProcess | Du Pro Ev
        dvEventTypeCrossProcessDuplicateThread | Du Th Ty
        dvEventTypeCrossProcessOpenProcess | Op Ev
        dvEventTypeCrossProcessRemoteThread | Re Th Ty
      dataMasking | Data masking | false | Name De
        dataMasking | Da
      dllModuleLoad | DLL module load event | false | Name De
        dvEventTypeDllModuleLoad | DL loa
      dns | Network event - DNS | false | Name De
        dvEventTypeDns | Ne ev
      driver | Driver | false | Name De
        dvEventTypeDriverLoad | Dr
      file | File event | false | Name De
        dvEventTypeFileCreation | Fil Ev
        dvEventTypeFileDeletion | Fil Ev
        dvEventTypeFileModification | Fil Mo Ev
        dvEventTypeFileRename | Fil Ev
        fullDiskScan | Fil Ev
      ip | Network event - IP | false | Name De
        dvEventTypeIpConnect | IP Ev
        dvEventTypeIpListen | IP Ev
      login | User login/logout event | false | Name De
        dvEventTypeLoginLoggedIn | Us Ev
        dvEventTypeLoginLoggedOut | Us Ev
      namedPipe | Named Pipe | false | Name De
        dvEventTypeNamedPipeConnection | Na Co Ev
        dvEventTypeNamedPipeCreation | Na Cr Ev
      namedPipeExtended | Named Pipe Extended | false | Name De
        namedPipeExtended | Na Co Ex Ev
      process | Process event | false | Name De
        dvEventTypeProcessCreation | Pro Cr Ev
        dvEventTypeProcessExit | Pro Ev
        dvEventTypeProcessModification | Pro Te Ev
      registry | Registry event | false | Name De
        dvEventTypeRegistryKeyCreated | Re Cr Ev
        dvEventTypeRegistryKeyDelete | Re De Ty
        dvEventTypeRegistryKeyExport | Re Ex Ty
        dvEventTypeRegistryKeyImport | Re Im Ty
        dvEventTypeRegistryKeyRename | Re Re Ev
        dvEventTypeRegistryKeySecurityChanged | Re Se Ch Ev
        dvEventTypeRegistryValueCreated | Re Va Ev
        dvEventTypeRegistryValueDeleted | Re Va De Ev
        dvEventTypeRegistryValueModified | Re Va Mo Ev
      scheduledTask | Scheduled task event | false | Name De
        dvEventTypeScheduledTaskDelete | Sc Ta Ev
        dvEventTypeScheduledTaskRegister | Sc Ta Ev
        dvEventTypeScheduledTaskStart | Sc Ta Ev
        dvEventTypeScheduledTaskTrigger | Sc Ta Ev
        dvEventTypeScheduledTaskUpdate | Sc Ta Ev
      smartFileMonitoring | Smart file monitoring | false | Name De
        smartFileMonitoring | Sm mo
      url | URL Actions event | false | Name De
        dvEventTypeUrl | UR ev
      windowsEventLogs | Windows Event Log | false | Name De
        dvEventTypeWindowsEventLogCreation | W Ev Cr Ev
      windowsEventLogsExtended | Windows Event Log Extended | false | Name De
        windowsEventLogsExtended | W Ev Ex Ev

    engines | The engines statuses | false |
      applicationControl | application control | false | enum
      dataFiles | data files | false | enum
      executables | executables | false | enum
      exploits | exploits | false | enum
      lateralMovement | lateral movement | false | enum
      penetration | penetration | false | enum
      preExecution | on-write | false | enum
      preExecutionSuspicious | pre execution suspicious | false | enum
      pup | potentially unwanted applications (PUP) | false | enum
      remoteShell | remote shell | false | enum
      reputation | reputation | false | enum
    forensicsAutoTriggering | Forensics auto triggering configuration | false |
      linuxEnabled | True if linux forensics is enabled | false | boolean
      linuxProfileId | The profile id for the linux forensics | false | string
      linuxProfileName | The profile name for the linux forensics | false | string
      macosEnabled | True if macos forensics is enabled | false | boolean
      macosProfileId | The profile id for the macos forensics | false | string
      macosProfileName | The profile name for the macos forensics | false | string
      windowsEnabled | True if windows forensics is enabled | false | boolean
      windowsProfileId | The profile id for the windows forensics | false | string
      windowsProfileName | The profile name for the windows forensics | false | string
    identityEndpointReporting | Endpoint reporting level | false | enum
    identityOn | Identity module on/off | false | boolean
    identityReportInterval | Identity telemetry report interval in minutes | false | integer
    identityThrottlingInterval | Identity duplicate command consolidation interval in minutes | false | integer
    identityUpdateInterval | Identity update interval in minutes | false | integer
    inheritedFrom | Indicates the parent scope from which this policy is inherited, or 'null' if it is not inherited (modified specifically for the current scope). | false | enum
    ioc | True if ioc is enabled | false | boolean
    iocAttributes | The Ioc attributes | false |
      autoInstallBrowserExtensions | Update auto install browser extensions | false | boolean
      behavioralIndicators | Update behavioral indicators | false | boolean
      commandScripts | Update command scripts | false | boolean
      crossProcess | Update cross process | false | boolean
      dataMasking | Update data masking | false | boolean
      dllModuleLoad | Update DLL module load | false | boolean
      dns | Network event - DNS | false | boolean
      driver | Driver | false | boolean
      fds | Full disk scan | false | boolean
      file | File event | false | boolean
      ip | Network event - IP | false | boolean
      login | User login/logout event | false | boolean
      namedPipe | Named Pipe | false | boolean
      namedPipeExtended | Named Pipe Extended | false | boolean
      process | Process creation event | false | boolean
      registry | Registry event | false | boolean
      scheduledTask | Scheduled task event | false | boolean
      smartFileMonitoring | Smart file monitoring | false | boolean
      url | Ioc URI | false | boolean
      windowsEventLogs | Windows Event Log | false | boolean
      windowsEventLogsExtended | Windows Event Log Extended | false | boolean
    iocSupported | Ioc supported for the scope | false | boolean
    isDefault | True if this is the tenant policy | false | boolean
    isDvPolicyPerEventType | FE indication as to how to display DV policy | false | boolean
    mitigationMode | Mitigation modes | false | enum
    mitigationModeSuspicious | Mitigation mode | false | enum
    monitorOnExecute | Monitor on execute on/off | false | boolean
    monitorOnWrite | Monitor on write | false | boolean
    networkQuarantineOn | Network quarantine on | false | boolean
    remoteOpsForensics | Remote ops forensics configuration | false |
      cpuLimit | CPU resources limit for collection process | false | integer
      enabled | Enabled | false | boolean
      maximumDailyUpload | Maximum size to upload daily | false | integer
      maximumDailyUploadLimit | Limit for the maximum size to upload daily | false | integer
      maximumFileSizeUpload | Maximum size for single file | false | integer
      maximumFileSizeUploadLimit | Limit for the maximum file size to upload | false | integer
      parsedArtifactsDestination | Default destination of parsed artifacts | false | enum
    remoteScriptOrchestration | Remote script orchestration upload limits configuration | false |
      alwaysUploadStreamToCloud | Always upload streams to cloud | false | boolean
      maxDailyFileDownload | Maximum size (MB) to download daily | false | integer
      maxDailyFileDownloadLimit | Limit for the maximum size (MB) to download daily | false | integer
      maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer
      maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer
      maxFileSize | Maximum size in bytes for single file | false | integer
      maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer
      maxLocalPackageDiskUsage | Maximum local disk usage (MB) for packages | false | integer
      maxLocalPackageDiskUsageLimit | Limit for the maximum local disk usage (MB) for packages | false | integer
    removeMacros | Determines if macros should be removed from macro threats | false | boolean
    researchOn | Share data with SentinelOne | false | boolean
    scanNewAgents | If True initiate full disk scan upon first registration | false | boolean
    signedDriverBlockingOn | Suspicious signed driver blocking on/off | false | boolean
    snapshotsOn | True if snapshots are enabled | false | boolean
    unsignedDriverBlockingOn | Suspicious unsigned driver blocking on/off | false | boolean
    updatedAt | Time of the last update to the policy | false | string
    userFullName | The user that created the policy | false | string
    userId | The user id | false | string
  siteType | Site type | false | enum
  suite | [DEPRECATED] Use licenses instead | false | enum
  totalLicenses | Total licenses | false | integer
  unlimitedExpiration | Is expiration unlimited, if not expiration should be supplied | false | boolean
  unlimitedLicenses | [DEPRECATED] True if the Site has unlimited licenses. | false | boolean
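
The Update Site Body Schema above, as an added example (not SentinelOne's own code): a Python pre-flight check that flags the fields the schema marks [DEPRECATED], enforces the two constraints stated in the descriptions (autoImmuneOn must be true; expiration is needed when unlimitedExpiration is false), and then builds the PUT request without sending it. The console URL, the token value, the `ApiToken` Authorization scheme, the sample policy values and all function names are assumptions that do not come from this section.

```python
import json
import urllib.request

# Types for a subset of the "policy" fields in the Update Site Body Schema.
POLICY_TYPES = {
    "agentLoggingOn": bool, "allowRemoteShell": bool, "antiTamperingOn": bool,
    "autoDecommissionOn": bool, "autoDecommissionDays": int,
    "autoImmuneOn": bool, "autoMitigationAction": str,
    "networkQuarantineOn": bool, "researchOn": bool, "scanNewAgents": bool,
    "signedDriverBlockingOn": bool, "unsignedDriverBlockingOn": bool,
    "snapshotsOn": bool,
}
# Fields the Body Schema marks [DEPRECATED].
DEPRECATED_SITE = {"suite", "unlimitedLicenses"}
DEPRECATED_POLICY = {"agentNotification", "agentUiOn"}

# Constructed sample: a policy change that uses only fields from the schema.
SAMPLE_UPDATE = {
    "inherits": False,
    "policy": {
        "antiTamperingOn": True,
        "allowRemoteShell": False,
        "snapshotsOn": True,
        "scanNewAgents": True,
        "autoDecommissionOn": True,
        "autoDecommissionDays": 21,
    },
}


def _type_ok(value, expected):
    # bool is a subclass of int in Python, so "integer" fields must reject True/False.
    if expected is int:
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, expected)


def validate_site_update(data):
    """Return a list of problems found in the `data` object of an Update Site body."""
    problems = []
    for name in sorted(DEPRECATED_SITE & data.keys()):
        problems.append(f"data.{name} is deprecated")
    # Schema: "Is expiration unlimited, if not expiration should be supplied".
    if data.get("unlimitedExpiration") is False and not data.get("expiration"):
        problems.append("data.expiration is required when unlimitedExpiration is false")
    policy = data.get("policy", {})
    for name in sorted(DEPRECATED_POLICY & policy.keys()):
        problems.append(f"policy.{name} is deprecated")
    for name, value in sorted(policy.items()):
        expected = POLICY_TYPES.get(name)
        if expected is not None and not _type_ok(value, expected):
            problems.append(f"policy.{name} must be {expected.__name__}")
    # Schema: autoImmuneOn "must be true since all policies are immune by default".
    if policy.get("autoImmuneOn") is False:
        problems.append("policy.autoImmuneOn must be true")
    return problems


def build_update_site_request(base_url, site_id, api_token, data):
    """Build (do not send) the PUT /web/api/v2.1/sites/{site_id} request."""
    # The Site ID examples on this page are decimal strings; refusing anything
    # else keeps caller-supplied input from altering the request path.
    if not (isinstance(site_id, str) and site_id.isascii() and site_id.isdigit()):
        raise ValueError("site_id must be a decimal string")
    problems = validate_site_update(data)
    if problems:
        raise ValueError("; ".join(problems))
    return urllib.request.Request(
        url=f"{base_url.rstrip('/')}/web/api/v2.1/sites/{site_id}",
        data=json.dumps({"data": data}).encode("utf-8"),  # body root is "data"
        method="PUT",
        headers={
            # Assumption: the "ApiToken" scheme is not stated in this section.
            "Authorization": f"ApiToken {api_token}",
            "Content-Type": "application/json",
        },
    )


if __name__ == "__main__":
    request = build_update_site_request(
        "https://console.example.invalid", "225494730938493804",
        "CONSTRUCTED-TOKEN", SAMPLE_UPDATE)
    print(request.get_method(), request.full_url)
    print(request.data.decode("utf-8"))
```

Running the validator before every change keeps deprecated or mistyped fields out of policy updates, and the request body it prints never contains the token.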

Delete Site
DELETE /web/api/v2.1/sites/{site_id}

Delete the Site of the given ID. To get the ID, run "sites".
You must have an Admin role with scope access that includes the Site.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false |
  success | Indicates a successful operation | false | boolean
errors | Errors | false | array

Get Site registration token by ID
GET /web/api/v2.1/sites/{site_id}/token

Get the registration token of the Site with the given ID.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

404 - Site not found

Response Schema
Name | Description | Required | Value
data | Response data | false |
  token | Token | false | string
errors | Errors | false | array

Revert Policy
PUT /web/api/v2.1/sites/{site_id}/revert-policy

When a Site is created through the Console, it gets the Global policy.
If you change the policy and later want it set to the Global policy, use this command.
The site_id is required. You can get it from "sites".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false |
  success | Indicates a successful operation | false | boolean
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | false |
  id | Id | false | string

Create duplicate site
POST /web/api/v2.1/sites/duplicate-site

[DEPRECATED] Create duplicate site.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false |
  accountId | Account id | false | string
  accountName | Account name | false | string
  activeLicenses | Number of active licenses for the site | false | integer
  createdAt | Timestamp of site creation | false | string
  creator | Full name of the creating user | false | string
  creatorId | Id of the creating user | false | string
  description | The user-defined description for the Site | false | string
  expiration | Expiration | false | string
  externalId | Id of CRM external system | false | string
  healthStatus | Obsolete. Always true | false | boolean
  id | Site ID | false | string
  isDefault | Is default | false | boolean
  licenses | The site licenses | false |
    bundles | The licenses Bundles | false |
      displayName | The Bundle display name | false | string
      majorVersion | The Bundle major version | false | integer
      minorVersion | The Bundle minor version | false | integer
      name | The Bundle internal api name | false | string
      surfaces | The Surfaces in the Bundle | false | Name De
        count | Th co ind un co
        name | Th na
      totalSurfaces | The total number of Surfaces in this Bundle. -1 indicates unlimited count. | false | integer
    modules | The licenses Add-ons | false |
      displayName | The Add-on display name | false | string
      majorVersion | The Add-on major version | false | integer
      name | The Add-on internal api name | false | string
    settings | The licenses Settings | false |
      displayName | [DEPRECATED] The Setting display name | false | string
      groupName | The Setting group name | false |
      setting | The Setting display name | false |
      settingGroup | [DEPRECATED] The Setting group name | false | string
      settingGroupDisplayName | The Setting group display name | false | string
  name | Name | false | string
  registrationToken | [DEPRECATED] token generation in dedicated endpoint - /sites/<site_id>/token | false |
  siteType | Site type | false | string
  sku | [DEPRECATED] The sku of product features active for this site | false | enum
  state | Site state | false | enum
  suite | [DEPRECATED] Use sku instead | false | enum
  totalLicenses | Total licenses | false | integer
  unlimitedExpiration | True if the Site has no expiration date | false |
  unlimitedLicenses | True if the Site has unlimited licenses | false | boolean
  updatedAt | Timestamp of last update | false | string
  usageType | Usage type | false | string
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true |
  copyUsers | If true adds the duplicated site to all source site users | true | boolean
  name | New Site Name | true | string
  policySource | Source of duplicate site policy | true | enum
  sourceSiteId | Site ID of origin site | true | integer
  policy | Policy is mandatory if policy_source is new, else it will be ignored. | false |
    agentLoggingOn | True if logging is enabled in the agent | false | boolean
    agentNotification | [DEPRECATED] Show end point notification on suspicious. Replaced by 'show_suspicious' in the agent UI section | false | boolean
    agentUi | Agent ui | false |
      agentUiOn | Agent ui on | false | boolean
      contactCompany | Contact company | false | string
      contactDirectMessage | Contact direct message | false | string
      contactEmail | Contact email | false | string
      contactFreeText | Contact free text | false | string
      contactOther | Contact other | false | string
      contactPhoneNumber | Contact phone number | false | string
      contactSupportWebsite | Contact support website | false | string
      devicePopUpNotifications | Device pop up notifications | false | boolean
      maxEventAgeDays | Max event age days | false | integer
      showAgentWarnings | Show agent warnings | false | boolean
      showDeviceTab | Show device tab | false | boolean
      showQuarantineTab | Show quarantine tab | false | boolean
      showSupport | Show support | false | boolean
      showSuspicious | Show suspicious | false | boolean
      threatPopUpNotifications | Threat pop up notifications | false | boolean
    agentUiOn | [DEPRECATED] Show/hide Agent UI. Moved inside the agent UI section | false | boolean
    allowRemoteShell | True if Remote Shell is enabled for the scope | false | boolean
    antiTamperingOn | Anti tampering on/off | false | boolean
    autoDecommissionDays | Automatic decommission period in days | false | integer
    autoDecommissionOn | Auto decommission on | false | boolean
    autoFileUpload | Automatic file upload configuration | false |
      enabled | Automatic file upload on/off | false | boolean
      includeBenignFiles | Upload benign files | false | boolean
      maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer
      maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer
      maxFileSize | Maximum file size (MB) to upload | false | integer
      maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer
      maxLocalDiskUsage | Maximum local disk usage (MB) for uploaded files | false | integer
      maxLocalDiskUsageLimit | Limit for the maximum local disk usage (MB) for uploaded files | false | integer
    autoImmuneOn | Automatic immune on/off - this value must be true since all policies are immune by default | false | boolean
    autoMitigationAction | Default action for auto mitigation | false | string
    cloudValidationOn | Cloud validation on | false |
    createdAt | Timestamp of policy creation | false | string
    driverBlocking | Suspicious driver blocking engine on/off | false | boolean
    dvAttributesPerEventType | The DV attributes | false |
      autoInstallBrowserExtensions | Auto install browser extensions | false | Name De
        autoInstallBrowserExtensions | Au bro ex
      behavioralIndicators | Behavioral indicators event | false | Name De
        dvEventTypeBehavioralIndicators | Be ind ev
      commandScripts | Command scripts event | false | Name De
        dvEventTypeCommandScripts | Co scr
      crossProcess | Cross process event | false | Name De
        dvEventTypeCrossProcessDuplicateProcess | Du Pro Ev
        dvEventTypeCrossProcessDuplicateThread | Du Th Ty
        dvEventTypeCrossProcessOpenProcess | Op Ev
        dvEventTypeCrossProcessRemoteThread | Re Th Ty
      dataMasking | Data masking | false | Name De
        dataMasking | Da
      dllModuleLoad | DLL module load event | false | Name De
        dvEventTypeDllModuleLoad | DL loa
      dns | Network event - DNS | false | Name De
        dvEventTypeDns | Ne ev
      driver | Driver | false | Name De
        dvEventTypeDriverLoad | Dr
      file | File event | false | Name De
        dvEventTypeFileCreation | Fil Ev
        dvEventTypeFileDeletion | Fil Ev
        dvEventTypeFileModification | Fil Mo Ev
        dvEventTypeFileRename | Fil Ev
        fullDiskScan | Fil Ev
      ip | Network event - IP | false | Name De
        dvEventTypeIpConnect | IP Ev
        dvEventTypeIpListen | IP Ev
      login | User login/logout event | false | Name De
        dvEventTypeLoginLoggedIn | Us Ev
        dvEventTypeLoginLoggedOut | Us Ev
      namedPipe | Named Pipe | false | Name De
        dvEventTypeNamedPipeConnection | Na Co Ev
        dvEventTypeNamedPipeCreation | Na Cr Ev
      namedPipeExtended | Named Pipe Extended | false | Name De
        namedPipeExtended | Na Co Ex Ev
      process | Process event | false | Name De
        dvEventTypeProcessCreation | Pro Cr Ev
        dvEventTypeProcessExit | Pro Ev
        dvEventTypeProcessModification | Pro Te Ev
      registry | Registry event | false | Name De
        dvEventTypeRegistryKeyCreated | Re Cr Ev
        dvEventTypeRegistryKeyDelete | Re De Ty
        dvEventTypeRegistryKeyExport | Re Ex Ty
        dvEventTypeRegistryKeyImport | Re Im Ty
        dvEventTypeRegistryKeyRename | Re Re Ev
        dvEventTypeRegistryKeySecurityChanged | Re Se Ch Ev
        dvEventTypeRegistryValueCreated | Re Va Ev
        dvEventTypeRegistryValueDeleted | Re Va De Ev
        dvEventTypeRegistryValueModified | Re Va Mo Ev
      scheduledTask | Scheduled task event | false | Name De
        dvEventTypeScheduledTaskDelete | Sc Ta Ev
        dvEventTypeScheduledTaskRegister | Sc Ta Ev
        dvEventTypeScheduledTaskStart | Sc Ta Ev
        dvEventTypeScheduledTaskTrigger | Sc Ta Ev
        dvEventTypeScheduledTaskUpdate | Sc Ta Ev
      smartFileMonitoring | Smart file monitoring | false | Name De
        smartFileMonitoring | Sm mo
      url | URL Actions event | false | Name De
        dvEventTypeUrl | UR ev
      windowsEventLogs | Windows Event Log | false | Name De
        dvEventTypeWindowsEventLogCreation | W Ev Cr Ev
      windowsEventLogsExtended | Windows Event Log Extended | false | Name De
        windowsEventLogsExtended | W Ev Ex Ev

    engines | The engines statuses | false |
      applicationControl | application control | false | enum
      dataFiles | data files | false | enum
      executables | executables | false | enum
      exploits | exploits | false | enum
      lateralMovement | lateral movement | false | enum
      penetration | penetration | false | enum
      preExecution | on-write | false | enum
      preExecutionSuspicious | pre execution suspicious | false | enum
      pup | potentially unwanted applications (PUP) | false | enum
      remoteShell | remote shell | false | enum
      reputation | reputation | false | enum
    forensicsAutoTriggering | Forensics auto triggering configuration | false |
      linuxEnabled | True if linux forensics is enabled | false | boolean
      linuxProfileId | The profile id for the linux forensics | false | string
      linuxProfileName | The profile name for the linux forensics | false | string
      macosEnabled | True if macos forensics is enabled | false | boolean
      macosProfileId | The profile id for the macos forensics | false | string
      macosProfileName | The profile name for the macos forensics | false | string
      windowsEnabled | True if windows forensics is enabled | false | boolean
      windowsProfileId | The profile id for the windows forensics | false | string
      windowsProfileName | The profile name for the windows forensics | false | string
    identityEndpointReporting | Endpoint reporting level | false | enum
    identityOn | Identity module on/off | false | boolean
    identityReportInterval | Identity telemetry report interval in minutes | false | integer
    identityThrottlingInterval | Identity duplicate command consolidation interval in minutes | false | integer
    identityUpdateInterval | Identity update interval in minutes | false | integer
    inheritedFrom | Indicates the parent scope from which this policy is inherited, or 'null' if it is not inherited (modified specifically for the current scope). | false | enum
    ioc | True if ioc is enabled | false | boolean
    iocAttributes | The Ioc attributes | false |
      autoInstallBrowserExtensions | Update auto install browser extensions | false | boolean
      behavioralIndicators | Update behavioral indicators | false | boolean
      commandScripts | Update command scripts | false | boolean
      crossProcess | Update cross process | false | boolean
      dataMasking | Update data masking | false | boolean
      dllModuleLoad | Update DLL module load | false | boolean
      dns | Network event - DNS | false | boolean
      driver | Driver | false | boolean
      fds | Full disk scan | false | boolean
      file | File event | false | boolean
      ip | Network event - IP | false | boolean
      login | User login/logout event | false | boolean
      namedPipe | Named Pipe | false | boolean
      namedPipeExtended | Named Pipe Extended | false | boolean
      process | Process creation event | false | boolean
      registry | Registry event | false | boolean
      scheduledTask | Scheduled task event | false | boolean
      smartFileMonitoring | Smart file monitoring | false | boolean
      url | Ioc URI | false | boolean
      windowsEventLogs | Windows Event Log | false | boolean
      windowsEventLogsExtended | Windows Event Log Extended | false | boolean
    iocSupported | Ioc supported for the scope | false | boolean
    isDefault | True if this is the tenant policy | false | boolean
    isDvPolicyPerEventType | FE indication as to how to display DV policy | false | boolean
    mitigationMode | Mitigation modes | false | enum
    mitigationModeSuspicious | Mitigation mode | false | enum
    monitorOnExecute | Monitor on execute on/off | false | boolean
    monitorOnWrite | Monitor on write | false | boolean
    networkQuarantineOn | Network quarantine on | false | boolean
    remoteOpsForensics | Remote ops forensics configuration | false |
      cpuLimit | CPU resources limit for collection process | false | integer
      enabled | Enabled | false | boolean
      maximumDailyUpload | Maximum size to upload daily | false | integer
      maximumDailyUploadLimit | Limit for the maximum size to upload daily | false | integer
      maximumFileSizeUpload | Maximum size for single file | false | integer
      maximumFileSizeUploadLimit | Limit for the maximum file size to upload | false | integer
      parsedArtifactsDestination | Default destination of parsed artifacts | false | enum
    remoteScriptOrchestration | Remote script orchestration upload limits configuration | false |
      alwaysUploadStreamToCloud | Always upload streams to cloud | false | boolean
      maxDailyFileDownload | Maximum size (MB) to download daily | false | integer
      maxDailyFileDownloadLimit | Limit for the maximum size (MB) to download daily | false | integer
      maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer
      maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer
      maxFileSize | Maximum size in bytes for single file | false | integer
      maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer
      maxLocalPackageDiskUsage | Maximum local disk usage (MB) for packages | false | integer
      maxLocalPackageDiskUsageLimit | Limit for the maximum local disk usage (MB) for packages | false | integer
    removeMacros | Determines if macros should be removed from macro threats | false | boolean
    researchOn | Share data with SentinelOne | false | boolean
    scanNewAgents | If True initiate full disk scan upon first registration | false | boolean
    signedDriverBlockingOn | Suspicious signed driver blocking on/off | false | boolean
    snapshotsOn | True if snapshots are enabled | false | boolean
    unsignedDriverBlockingOn | Suspicious unsigned driver blocking on/off | false | boolean
    updatedAt | Time of the last update to the policy | false | string
    userFullName | The user that created the policy | false | string
    userId | The user id | false | string
  totalLicenses | Total licenses for duplicate site, will be subtracted from freelicenses of the source site | false | integer
  unlimitedLicenses | Is the site unlimited, if not then total_licenses must be supplied | false | boolean

Create Site and User
POST /web/api/v2.1/site-with-admin

Create a Site and an Admin role user. This requires an Admin role with a Global scope or Account scope that has permissions over the Account to which the Site will belong.
You must have a license for a new Site.
In the body of this request, include the policy and user properties.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  accountId | Account id | false | string
  accountName | Account name | false | string
  activeLicenses | Number of active licenses for the site | false | integer
  createdAt | Timestamp of site creation | false | string
  description | The user-defined description for the Site | false | string
  expiration | Expiration | false | string
  externalId | Id of CRM external system | false | string
  healthStatus | Obsolete. Always true | false | boolean
  id | Site ID | false | string
  isDefault | Is default | false | boolean
  licenses | The site licenses | false | (fields below)
    bundles | The licenses Bundles | false | (fields below)
      displayName | The Bundle display name | false | string
      majorVersion | The Bundle major version | false | integer
      minorVersion | The Bundle minor version | false | integer
      name | The Bundle internal api name | false | string
surfaces The Surfaces false Name De
in the Bundle
count Th
co
ind
un
co
name Th
na

      totalSurfaces | The total number of Surfaces in this Bundle. -1 indicates unlimited count. | false | integer
    modules | The licenses Add-ons | false | (fields below)
      displayName | The Add-on display name | false | string
      majorVersion | The Add-on major version | false | integer
      name | The Add-on internal api name | false | string
    settings | The licenses Settings | false | (fields below)
      displayName | [DEPRECATED] The Setting display name | false | string
      groupName | The Setting group name | false |
      setting | The Setting display name | false |
      settingGroup | [DEPRECATED] The Setting group name | false | string
      settingGroupDisplayName | The Setting group display name | false | string
  name | Name | false | string
  registrationToken | [DEPRECATED] token generation in dedicated endpoint - /sites/<site_id>/token | false |
  siteType | Site type | false | string
  sku | [DEPRECATED] The sku of product features active for this site | false | enum
  state | Site state | false | enum
  suite | [DEPRECATED] Use sku instead | false | enum
  totalLicenses | Total licenses | false | integer
  updatedAt | Timestamp of last update | false | string
  usageType | Usage type | false | string
  user | The data of the newly created site admin | false | (fields below)
    email | Email | true | string
    fullName | Full name | true | string
    id | Id | false | string
    primaryTwoFaMethod | Primary two fa method | false | string
    twoFaEnabled | Two fa enabled | false | boolean
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (fields below)
  name | Name | true | string
  user | The data of the admin user being created | true | (fields below)
    email | Email | true | string
    fullName | Full name | true | string
    id | Id | false | string
    password | Password | false | string
    primaryTwoFaMethod | Primary two fa method | false | string
    twoFaEnabled | Two fa enabled | false | boolean
  accountId | Associated account. Leave empty in single-account management consoles. | false | string
  accountSfId | | false | string
  description | The user-defined description for the Site | false | string
  expiration | Expiration | false | string
  externalId | Id of CRM external system | false | string
  inherits | True if the policy is inherited from Tenant, False if the site has its own edited policy | false | boolean
  licenses | The license configuration for the Site | false | (fields below)
    bundles | The list of Bundles selected | false | (fields below)
      name | | true | string
      majorVersion | | false | integer
surfaces false Name De
name
count Th
of
pe
-1
un
co

    modules | The list of Add-ons selected | false | (fields below)
      name | | true | string
  policy | Policy is mandatory if inherits is false, else it will be ignored. | false | (fields below)
    agentLoggingOn | True if logging is enabled in the agent | false | boolean
    agentNotification | [DEPRECATED] Show end point notification on suspicious. Replaced by 'show_suspicious' in the agent UI section | false | boolean
    agentUi | Agent ui | false | (fields below)
      agentUiOn | Agent ui on | false | boolean
      contactCompany | Contact company | false | string
      contactDirectMessage | Contact direct message | false | string
      contactEmail | Contact email | false | string
      contactFreeText | Contact free text | false | string
      contactOther | Contact other | false | string
      contactPhoneNumber | Contact phone number | false | string
      contactSupportWebsite | Contact support website | false | string
      devicePopUpNotifications | Device pop up notifications | false | boolean
      maxEventAgeDays | Max event age days | false | integer
      showAgentWarnings | Show agent warnings | false | boolean
      showDeviceTab | Show device tab | false | boolean
      showQuarantineTab | Show quarantine tab | false | boolean
      showSupport | Show support | false | boolean
      showSuspicious | Show suspicious | false | boolean
      threatPopUpNotifications | Threat pop up notifications | false | boolean
    agentUiOn | [DEPRECATED] Show/hide Agent UI. Moved inside the agent UI section | false | boolean
    allowRemoteShell | True if Remote Shell is enabled for the scope | false | boolean
    antiTamperingOn | Anti tampering on/off | false | boolean
    autoDecommissionDays | Automatic decommission period in days | false | integer
    autoDecommissionOn | Auto decommission on | false | boolean
    autoFileUpload | Automatic file upload configuration | false | (fields below)
      enabled | Automatic file upload on/off | false | boolean
      includeBenignFiles | Upload benign files | false | boolean
      maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer
      maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer
      maxFileSize | Maximum file size (MB) to upload | false | integer
      maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer
      maxLocalDiskUsage | Maximum local disk usage (MB) for uploaded files | false | integer
      maxLocalDiskUsageLimit | Limit for the maximum local disk usage (MB) for uploaded files | false | integer
    autoImmuneOn | Automatic immune on/off - this value must be true since all policies are immune by default | false | boolean
    autoMitigationAction | Default action for auto mitigation | false | string
    cloudValidationOn | Cloud validation on | false |
    createdAt | Timestamp of policy creation | false | string
    driverBlocking | Suspicious driver blocking engine on/off | false | boolean
dvAttributes The DV false Name Description Required Value
PerEventType attributes
autoInstallBr Auto install false Name De
owserExtensi browser
ons extensions autoInstallBr Au
owserExtensi bro
ons ex

behavioralInd Behavioral false Name De


icators indicators
event dvEventTypeBe Be
havioralIndica ind
tors ev

commandScri Command false Name De


pts scripts event
dvEventType Co

CommandScri scr
pts

crossProcess Cross process false Name De


event
dvEventTypeC Du
rossProcessDu Pro
plicateProces Ev
s
dvEventTypeC Du
rossProcessD Th
uplicateThrea Ty
d
dvEventTypeC Op
rossProcessO Ev
penProcess
dvEventTypeC Re
rossProcessR Th
emoteThread Ty

dataMasking Data masking false Name De


dataMasking Da

dllModuleLoa DLL module false Name De


d load event
dvEventType DL
DllModuleLo loa
ad

dns Network false Name De


event - DNS
dvEventType Ne
Dns ev

driver Driver false Name De


dvEventTypeD Dr
riverLoad

file File event false Name De


dvEventTypeF Fil
ileCreation Ev
dvEventTypeF Fil

ileDeletion Ev
dvEventTypeFi Fil
leModificatio Mo
n Ev
dvEventTypeF Fil
ileRename Ev
fullDiskScan Fil
Ev

ip Network false Name De


event - IP
dvEventTypeI IP
pConnect Ev
dvEventTypeI IP
pListen Ev

login User login/ false Name De


logout event
dvEventTypeL Us
oginLoggedIn Ev
dvEventType Us
LoginLogged Ev
Out

namedPipe Named Pipe false Name De


dvEventType Na
NamedPipeCo Co
nnection Ev
dvEventType Na
NamedPipeCr Cr
eation Ev

namedPipeEx Named Pipe false Name De


tended Extended
namedPipeEx Na
tended Co
Ex
Ev

process Process event false Name De


dvEventTypeP Pro

rocessCreatio Cr
n Ev
dvEventTypeP Pro
rocessExit Ev
dvEventTypeP Pro
rocessModific Te
ation Ev

registry Registry false Name De


event
dvEventTypeR Re
egistryKeyCr Cr
eated Ev
dvEventTypeR Re
egistryKeyDel De
ete Ty
dvEventTypeR Re
egistryKeyExp Ex
ort Ty
dvEventTypeR Re
egistryKeyIm Im
port Ty
dvEventType Re
RegistryKey Re
Rename Ev
dvEventTypeR Re
egistryKeySe Se
curityChange Ch
d Ev
dvEventTypeR Re
egistryValueC Va
reated Ev
dvEventTypeR Re
egistryValueD Va
eleted De
Ev
dvEventTypeR Re
egistryValueM Va
odified Mo
Ev

scheduledTas Scheduled false Name De
k task event
dvEventTypeS Sc
cheduledTask Ta
Delete Ev
dvEventTypeS Sc
cheduledTask Ta
Register Ev
dvEventTypeS Sc
cheduledTask Ta
Start Ev
dvEventTypeS Sc
cheduledTaskT Ta
rigger Ev
dvEventTypeS Sc
cheduledTask Ta
Update Ev

smartFileMoni Smart file false Name De


toring monitoring
smartFileMoni Sm
toring mo

url URL Actions false Name De


event
dvEventTypeU UR
rl ev

windowsEven Windows false Name De


tLogs Event Log
dvEventType W
WindowsEven Ev
tLogCreation Cr
Ev

windowsEven Windows false Name De


tLogsExtende Event Log
d Extended windowsEven W
tLogsExtende Ev
d Ex
Ev

    engines | The engines statuses | false | (fields below)
      applicationControl | application control | false | enum
      dataFiles | data files | false | enum
      executables | executables | false | enum
      exploits | exploits | false | enum
      lateralMovement | lateral movement | false | enum
      penetration | penetration | false | enum
      preExecution | on-write | false | enum
      preExecutionSuspicious | pre execution suspicious | false | enum
      pup | potentially unwanted applications (PUP) | false | enum
      remoteShell | remote shell | false | enum
      reputation | reputation | false | enum
    forensicsAutoTriggering | Forensics auto triggering configuration | false | (fields below)
      linuxEnabled | True if linux forensics is enabled | false | boolean
      linuxProfileId | The profile id for the linux forensics | false | string
      linuxProfileName | The profile name for the linux forensics | false | string
      macosEnabled | True if macos forensics is enabled | false | boolean
      macosProfileId | The profile id for the macos forensics | false | string
      macosProfileName | The profile name for the macos forensics | false | string
      windowsEnabled | True if windows forensics is enabled | false | boolean
      windowsProfileId | The profile id for the windows forensics | false | string
      windowsProfileName | The profile name for the windows forensics | false | string
    identityEndpointReporting | Endpoint reporting level | false | enum
    identityOn | Identity module on/off | false | boolean
    identityReportInterval | Identity telemetry report interval in minutes | false | integer
    identityThrottlingInterval | Identity duplicate command consolidation interval in minutes | false | integer
    identityUpdateInterval | Identity update interval in minutes | false | integer
    inheritedFrom | Indicates the parent scope from which this policy is inherited, or 'null' if it is not inherited (modified specifically for the current scope). | false | enum
    ioc | True if ioc is enabled | false | boolean
    iocAttributes | The Ioc attributes | false | (fields below)
      autoInstallBrowserExtensions | Update auto install browser extensions | false | boolean
      behavioralIndicators | Update behavioral indicators | false | boolean
      commandScripts | Update command scripts | false | boolean
      crossProcess | Update cross process | false | boolean
      dataMasking | Update data masking | false | boolean
      dllModuleLoad | Update DLL module load | false | boolean
      dns | Network event - DNS | false | boolean
      driver | Driver | false | boolean
      fds | Full disk scan | false | boolean
      file | File event | false | boolean
      ip | Network event - IP | false | boolean
      login | User login/logout event | false | boolean
      namedPipe | Named Pipe | false | boolean
      namedPipeExtended | Named Pipe Extended | false | boolean
      process | Process creation event | false | boolean
      registry | Registry event | false | boolean
      scheduledTask | Scheduled task event | false | boolean
      smartFileMonitoring | Smart file monitoring | false | boolean
      url | Ioc URI | false | boolean
      windowsEventLogs | Windows Event Log | false | boolean
      windowsEventLogsExtended | Windows Event Log Extended | false | boolean
    iocSupported | Ioc supported for the scope | false | boolean
    isDefault | True if this is the tenant policy | false | boolean
    isDvPolicyPerEventType | FE indication as to how to display DV policy | false | boolean
    mitigationMode | Mitigation modes | false | enum
    mitigationModeSuspicious | Mitigation mode | false | enum
    monitorOnExecute | Monitor on execute on/off | false | boolean
    monitorOnWrite | Monitor on write | false | boolean
    networkQuarantineOn | Network quarantine on | false | boolean
    remoteOpsForensics | Remote ops forensics configuration | false | (fields below)
      cpuLimit | CPU resources limit for collection process | false | integer
      enabled | Enabled | false | boolean
      maximumDailyUpload | Maximum size to upload daily | false | integer
      maximumDailyUploadLimit | Limit for the maximum size to upload daily | false | integer
      maximumFileSizeUpload | Maximum size for single file | false | integer
      maximumFileSizeUploadLimit | Limit for the maximum file size to upload | false | integer
      parsedArtifactsDestination | Default destination of parsed artifacts | false | enum
    remoteScriptOrchestration | Remote script orchestration upload limits configuration | false | (fields below)
      alwaysUploadStreamToCloud | Always upload streams to cloud | false | boolean
      maxDailyFileDownload | Maximum size (MB) to download daily | false | integer
      maxDailyFileDownloadLimit | Limit for the maximum size (MB) to download daily | false | integer
      maxDailyFileUpload | Maximum size (MB) to upload daily | false | integer
      maxDailyFileUploadLimit | Limit for the maximum size (MB) to upload daily | false | integer
      maxFileSize | Maximum size in bytes for single file | false | integer
      maxFileSizeLimit | Limit for the maximum file size (MB) to upload | false | integer
      maxLocalPackageDiskUsage | Maximum local disk usage (MB) for packages | false | integer
      maxLocalPackageDiskUsageLimit | Limit for the maximum local disk usage (MB) for packages | false | integer
    removeMacros | Determines if macros should be removed from macro threats | false | boolean
    researchOn | Share data with SentinelOne | false | boolean
    scanNewAgents | If True initiate full disk scan upon first registration | false | boolean
    signedDriverBlockingOn | Suspicious signed driver blocking on/off | false | boolean
    snapshotsOn | True if snapshots are enabled | false | boolean
    unsignedDriverBlockingOn | Suspicious unsigned driver blocking on/off | false | boolean
    updatedAt | Time of the last update to the policy | false | string
    userFullName | The user that created the policy | false | string
    userId | The user id | false | string
  siteType | Site types | false | enum
  sku | [DEPRECATED] Use licenses instead | false | enum
  suite | [DEPRECATED] Use licenses instead | false | enum
  totalLicenses | Total licenses | false | integer
  unlimitedExpiration | Is expiration unlimited, if not expiration should be supplied | false | boolean
  unlimitedLicenses | Is the site unlimited, if not then total_licenses must be supplied | false | boolean
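
The Create Site and User Body Schema above carries several conditional rules (policy is mandatory when inherits is false and ignored otherwise, expiration goes with unlimitedExpiration, totalLicenses with unlimitedLicenses) that can be checked before the POST is sent. The following is an added example, not SentinelOne code: the function names, the sample bodies and the bundle name are constructed, and because the page does not state server defaults for omitted flags, the conditional checks fire only when a flag is explicitly false or true.

```python
"""Pre-flight checks for the POST /web/api/v2.1/site-with-admin request body."""
import copy

# Keys marked Required = true in the Body Schema table.
REQUIRED_DATA_KEYS = ("name", "user")
REQUIRED_USER_KEYS = ("email", "fullName")


def validate_site_with_admin(body):
    """Return (errors, warnings) for a request body; both empty means it passed."""
    errors, warnings = [], []
    data = body.get("data") if isinstance(body, dict) else None
    if not isinstance(data, dict):
        return ["data: required object is missing"], warnings

    for key in REQUIRED_DATA_KEYS:
        if key not in data:
            errors.append(f"data.{key}: required")

    user = data.get("user")
    if isinstance(user, dict):
        for key in REQUIRED_USER_KEYS:
            if not user.get(key):
                errors.append(f"data.user.{key}: required")
    elif "user" in data:
        errors.append("data.user: must be an object")

    # "Policy is mandatory if inherits is false, else it will be ignored."
    has_policy = isinstance(data.get("policy"), dict)
    if data.get("inherits") is False and not has_policy:
        errors.append("data.policy: mandatory when inherits is false")
    elif data.get("inherits") is True and has_policy:
        # A silently ignored policy means hardening settings never take effect.
        warnings.append("data.policy: ignored because inherits is true")

    if data.get("unlimitedExpiration") is False and not data.get("expiration"):
        errors.append("data.expiration: needed when unlimitedExpiration is false")
    if data.get("unlimitedLicenses") is False and data.get("totalLicenses") is None:
        errors.append("data.totalLicenses: needed when unlimitedLicenses is false")

    # Each selected bundle or add-on must carry its name.
    licenses = data.get("licenses")
    if isinstance(licenses, dict):
        for kind in ("bundles", "modules"):
            for i, item in enumerate(licenses.get(kind) or []):
                if not isinstance(item, dict) or not item.get("name"):
                    errors.append(f"data.licenses.{kind}[{i}].name: required")
    return errors, warnings


def redacted_for_logging(body):
    """Return a deep copy with data.user.password masked, safe for audit logs."""
    safe = copy.deepcopy(body)
    data = safe.get("data") if isinstance(safe, dict) else None
    user = data.get("user") if isinstance(data, dict) else None
    if isinstance(user, dict) and "password" in user:
        user["password"] = "<redacted>"
    return safe


# Constructed sample bodies (all values are placeholders).
GOOD_BODY = {
    "data": {
        "name": "Example Site",
        "user": {
            "email": "admin@example.com",
            "fullName": "Example Admin",
            "password": "constructed-not-a-real-secret",
        },
        "inherits": True,
        "unlimitedExpiration": True,
        "unlimitedLicenses": False,
        "totalLicenses": 25,
        "licenses": {"bundles": [{"name": "example_bundle"}]},
    }
}

BAD_BODY = {
    "data": {
        "name": "Example Site",
        "user": {"email": "admin@example.com"},          # fullName missing
        "inherits": False,                                # no policy supplied
        "unlimitedExpiration": False,                     # no expiration supplied
        "unlimitedLicenses": False,                       # no totalLicenses supplied
        "licenses": {"modules": [{"majorVersion": 1}]},   # add-on name missing
    }
}

if __name__ == "__main__":
    for label, sample in (("good", GOOD_BODY), ("bad", BAD_BODY)):
        print(label, validate_site_with_admin(sample))
    print(redacted_for_logging(GOOD_BODY)["data"]["user"])
```

Log only the output of redacted_for_logging, since the body carries the new admin's password in clear text.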

Regenerate Site Key
PUT /web/api/v2.1/sites/{site_id}/regenerate-key

Regenerate the key for the given Site.


To get the site_id, use "sites".

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

403 - No permission for regenerating a key.

404 - Site not found

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  registrationToken | Registration token | false | string
errors | Errors | false | array

Reactivate Site
PUT /web/api/v2.1/sites/{site_id}/reactivate

Reactivate an expired Site.


You must have an Admin role with scope access that includes this Site, and you must have a license for the Site.
To get the site_id, run "sites".

Response Messages
200 - Site reactivated

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Site not found

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  success | Indicates a successful operation | false | boolean
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (fields below)
  expiration | New expiration date for the site | false | string
  unlimited | If false an expiration should be supplied | false | boolean

Expire Site
POST /web/api/v2.1/sites/{site_id}/expire-now

Expire the Site of the given ID (run "sites" to get the ID).
You must have an Admin role with scope access that includes this Site.

Response Messages
200 - Expire site now

401 - Unauthorized access - please sign in and retry.

404 - Site not found

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  accountId | Account id | false | string
  accountName | Account name | false | string
  activeLicenses | Number of active licenses for the site | false | integer
  createdAt | Timestamp of site creation | false | string
  creator | Full name of the creating user | false | string
  creatorId | Id of the creating user | false | string
  description | The user-defined description for the Site | false | string
  expiration | Expiration | false | string
  externalId | Id of CRM external system | false | string
  healthStatus | Obsolete. Always true | false | boolean
  id | Site ID | false | string
  isDefault | Is default | false | boolean
  licenses | The site licenses | false | (fields below)
    bundles | The licenses Bundles | false | (fields below)
      displayName | The Bundle display name | false | string
      majorVersion | The Bundle major version | false | integer
      minorVersion | The Bundle minor version | false | integer
      name | The Bundle internal api name | false | string
surfaces The Surfaces false Name De
in the Bundle
count Th
co
ind
un
co
name Th
na

      totalSurfaces | The total number of Surfaces in this Bundle. -1 indicates unlimited count. | false | integer
    modules | The licenses Add-ons | false | (fields below)
      displayName | The Add-on display name | false | string
      majorVersion | The Add-on major version | false | integer
      name | The Add-on internal api name | false | string
    settings | The licenses Settings | false | (fields below)
      displayName | [DEPRECATED] The Setting display name | false | string
      groupName | The Setting group name | false |
      setting | The Setting display name | false |
      settingGroup | [DEPRECATED] The Setting group name | false | string
      settingGroupDisplayName | The Setting group display name | false | string
  name | Name | false | string
  registrationToken | [DEPRECATED] token generation in dedicated endpoint - /sites/<site_id>/token | false |
  siteType | Site type | false | string
  sku | [DEPRECATED] The sku of product features active for this site | false | enum
  state | Site state | false | enum
  suite | [DEPRECATED] Use sku instead | false | enum
  totalLicenses | Total licenses | false | integer
  unlimitedExpiration | True if the Site has no expiration date | false |
  unlimitedLicenses | True if the Site has unlimited licenses | false | boolean
  updatedAt | Timestamp of last update | false | string
  usageType | Usage type | false | string
errors | Errors | false | array

Update Sites
PUT /web/api/v2.1/sites/update-bulk

Change the properties of the Sites given by IDs.


To get the IDs, run 'sites'.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (fields below)
  description | The description for the Site | false | string
  expiration | Expiration | false | string
  inherits | True if the policy is inherited from Account, False is not supported in bulk update | false | boolean
  licenses | The licenses configuration for the sites | false | (fields below)
    bundles | The list of Bundles selected | false | (fields below)
      name | | true | string
      majorVersion | | false | integer
surfaces false Name De
name
count Th
of
pe
-1
un
co

  siteType | Site type | false | enum
  unlimitedExpiration | Is expiration unlimited | false | boolean
filter | Filter | true | (fields below)
  accountId | Account id | false | string
  accountIds | List of Account IDs to filter by | false | string []
  accountName__contains | Free-text filter by account name (supports multiple values) | false | string []
  activeLicenses | Active licenses | false | integer
  adminOnly | Show sites the user has Admin privileges to | false | boolean
  availableMoveSites | Only return sites the user can move agents to | false | boolean
  createdAt | Timestamp of site creation | false | string
  description | The description for the Site | false | string
  description__contains | Free-text filter by site description (supports multiple values) | false | string []
  expiration | Expiration | false | string
  externalId | Id in a CRM external system | false | string
  features | If sent, return only sites that support these features | false | string []
  healthStatus | Health status | false | boolean
  isDefault | Is default | false | boolean
  module | Module | false | string
  name | Name | false | string
  name__contains | Free-text filter by site name (supports multiple values) | false | string []
  query | Full text search for fields: name, account_name, description. (Note: on single-account consoles account name will not be matched) | false | string
  registrationToken | Registration token | false | string
  siteIds | List of Site IDs to filter by | false | string []
  siteType | Site type | false | enum
  sku | Sku | false | string
  state | Site state | false | enum
  states | List of states to filter | false | string []
  suite | [DEPRECATED] Use sku instead | false | enum
  totalLicenses | Total licenses | false | integer
  updatedAt | Timestamp of last update | false | string

Get local upgrade site authorization
GET /web/api/v2.1/sites/{site_id}/local-authorization

Get the time when authorization of local upgrades expires, and the number of Agents authorized for local upgrade, in this Site.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  authorizedAgents | Authorized agents | false | integer
  siteAuthorization | Site authorization | false | string
errors | Errors | false | array

Edit local upgrade site authorization
PUT /web/api/v2.1/sites/{site_id}/local-authorization

Edit when authorization of local upgrades expires. Returns the number of Agents authorized for local upgrade, in this Site.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  authorizedAgents | Authorized agents | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
siteAuthorization | New expiration date for site local upgrades authorization | false | string

Get a CSV file of local upgrade site authorization data
GET /web/api/v2.1/sites/{site_id}/local-upgrade-approved-agents-csv

Get a CSV file containing the Agents authorized for local upgrade, in this Site.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  authorizedAgents | Authorized agents | false | integer
  siteAuthorization | Site authorization | false | string
errors | Errors | false | array

System

System Info
GET /web/api/v2.1/system/info

Get the Console build, version, patch, and release information.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  build | Build | false | string
  latestAgentVersion | Latest agent version | false | string
  patch | Patch | false | string
  release | Release | false | string
  version | Version | false | string
errors | Errors | false | array

System Status
GET /web/api/v2.1/system/status

Get an indication of the system's health status.


This command returns a positive response when the Management Console and API server are up and running. This command does not require authentication.
Rate limit: 1 call per second for each IP address that communicates with the Console.

Response Messages
200 - Success

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  health | System health indicator. Always returns "ok" when it is up and running | false | string
errors | Errors | false | array

Database Status
GET /web/api/v2.1/system/status/db

[DEPRECATED] Works the same way as "System Status" endpoint.


This command does not require authentication.
Rate limit: 1 call per second for each IP address that communicates with the Console.

Response Messages
200 - Success

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  health | System health indicator. Always returns "ok" when it is up and running | false | string
errors | Errors | false | array

Cache Status
GET /web/api/v2.1/system/status/cache

[DEPRECATED] Works the same way as "System Status" endpoint.


This command does not require authentication.
Rate limit: 1 call per second for each IP address that communicates with the Console.

Response Messages
200 - Success

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  health | System health indicator. Always returns "ok" when it is up and running | false | string
errors | Errors | false | array

Get System Config
GET /web/api/v2.1/system/configuration

Get the configuration of your SentinelOne system.


The response shows basic information of the deployed SKUs and licenses, 2FA, and the Management URL.

Parameters
accountids | optional | List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
siteids | optional | List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  accessibleUrl | External DNS name of the management | false | string
  advancedMode | True if advanced mode is enabled. | false | boolean
  advancedModeAllowChanges | True if advanced mode value can be updated from this scope. | false | boolean
  allowDuplicateSite | [DEPRECATED] Allow site admins to duplicate sites in their accounts | false | boolean
  allowedDomains | list of allowed domains for user creation. | false | (fields below)
    domain | Allowed domain name for user creation. | false | string
    inherited | True if this is an inherited domain | false | boolean
  cloudIntelligenceOn | [DEPRECATED] Cloud intelligence on | false | boolean
  cloudLastConnectionTime | Cloud last connection time | false | string
  earlyAccess | True if early access mode is enabled. | false | boolean
  earlyAccessPlatforms | Early access platforms | false | string []
  globalSalesforceId | salesforce id field of tenant | false | string
  globalSharedConsole | shared console field of tenant | false | boolean
  globalTwoFaEnabled | Global two fa enabled | false | boolean
  licenses | List of available licenses | false | (fields below)
    bundles | The licenses Bundles | false | (fields below)
      displayName | The Bundle display name | false | string
      majorVersion | The Bundle major version | false | integer
      minorVersion | The Bundle minor version | false | integer
      name | The Bundle internal api name | false | string
surfaces The Surfaces false Name De
in the Bundle
count Th
co
ind
un
co
name Th
na

      totalSurfaces | The total number of Surfaces in this Bundle. -1 indicates unlimited count. | false | integer
    modules | The licenses Add-ons | false | (fields below)
      displayName | The Add-on display name | false | string
      majorVersion | The Add-on major version | false | integer
      name | The Add-on internal api name | false | string
    settings | The licenses Settings | false | (fields below)
      displayName | [DEPRECATED] The Setting display name | false | string
      groupName | The Setting group name | false |
      setting | The Setting display name | false |
      settingGroup | [DEPRECATED] The Setting group name | false | string
      settingGroupDisplayName | The Setting group display name | false | string
  maxCompleteLicenses | [DEPRECATED] Complete Licenses | false | integer
  maxControlLicenses | [DEPRECATED] Control licenses | false | integer
  maxCoreLicenses | [DEPRECATED] Core licenses | false | integer
  passwordExpiration | Time in days until a user password expires | false | integer
  passwordExpirationRange | Password expiration range (read-only) | false | (fields below)
    max | Maximum time in days until a user password expires | false | integer
    min | Minimum time in days until a user password expires | false | integer
  region | The region of the management | false | string
  rememberMeLength | Time in minutes until a user session expires | false | integer
  rememberMeLengthRange | Remember me length range | false | (fields below)
    max | Maximum time interval in minutes before the session expires | false | integer
    min | Minimum time interval in minutes before the session expires | false | integer
  scalyrUrl | The Scalyr URL that sends data to this Console. | false | string
  tfaEnrollmentExpiration | 2FA enrollment expiration period | false |
  uiInactivityTimeoutSeconds | Length of UI inactivity period | false |
  uiInactivityTimeoutSecondsRange | UI inactivity timeout range | false | (fields below)
    max | Maximum ui inactivity time in seconds before the session expires | false | integer
    min | Minimum ui inactivity time in seconds before the session expires | false | integer
  unlimitedComplete | [DEPRECATED] True if Complete licenses is unlimited | false | boolean
  unlimitedControl | [DEPRECATED] True if Control licenses is unlimited | false | boolean
  unlimitedCore | [DEPRECATED] True if Core licenses is unlimited | false | boolean
errors | Errors | false | array
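
The Get System Config response exposes the console's authentication and session settings (globalTwoFaEnabled, allowedDomains, passwordExpiration, rememberMeLength, uiInactivityTimeoutSeconds and their ranges), which makes it a convenient input for a periodic configuration audit. The following is an added example, not SentinelOne code: the threshold constants and the sample responses are constructed, and it assumes uiInactivityTimeoutSeconds is returned as an integer, which the schema above does not state.

```python
"""Audit a parsed GET /web/api/v2.1/system/configuration response."""

# Assumed organisational limits; these are not values from the API documentation.
MAX_PASSWORD_AGE_DAYS = 90
MAX_REMEMBER_ME_MINUTES = 8 * 60
MAX_UI_INACTIVITY_SECONDS = 15 * 60

# (setting, its range field, assumed limit, unit) as named in the response schema.
CHECKS = (
    ("passwordExpiration", "passwordExpirationRange", MAX_PASSWORD_AGE_DAYS, "days"),
    ("rememberMeLength", "rememberMeLengthRange", MAX_REMEMBER_ME_MINUTES, "minutes"),
    ("uiInactivityTimeoutSeconds", "uiInactivityTimeoutSecondsRange",
     MAX_UI_INACTIVITY_SECONDS, "seconds"),
)


def audit_system_config(response):
    """Return a list of (field, finding) tuples; an empty list means no findings."""
    if response.get("errors"):
        return [("errors", f"API returned errors: {response['errors']}")]
    data = response.get("data") or {}
    findings = []

    if data.get("globalTwoFaEnabled") is not True:
        findings.append(("globalTwoFaEnabled", "global 2FA is not enabled"))

    if not data.get("allowedDomains"):
        findings.append(("allowedDomains",
                         "list is empty; confirm how user creation is restricted"))

    for field, range_field, limit, unit in CHECKS:
        value = data.get(field)
        # bool is a subclass of int in Python, so exclude it explicitly.
        if not isinstance(value, int) or isinstance(value, bool):
            findings.append((field, "value missing or not an integer"))
            continue
        if value > limit:
            findings.append((field, f"{value} {unit} exceeds assumed limit of {limit}"))
        # Compare against the range the console itself reports, when present.
        rng = data.get(range_field) or {}
        low, high = rng.get("min"), rng.get("max")
        if isinstance(low, int) and isinstance(high, int) and not low <= value <= high:
            findings.append((field, f"{value} {unit} is outside console range {low}-{high}"))
    return findings


# Constructed sample responses (not captured from a real console).
WEAK_RESPONSE = {
    "data": {
        "accessibleUrl": "console.example.invalid",
        "globalTwoFaEnabled": False,
        "allowedDomains": [{"domain": "example.com", "inherited": False}],
        "passwordExpiration": 180,
        "passwordExpirationRange": {"min": 30, "max": 365},
        "rememberMeLength": 60,
        "rememberMeLengthRange": {"min": 5, "max": 43200},
        "uiInactivityTimeoutSeconds": 7200,
        "uiInactivityTimeoutSecondsRange": {"min": 60, "max": 3600},
    },
    "errors": [],
}

HARDENED_RESPONSE = {
    "data": dict(WEAK_RESPONSE["data"], globalTwoFaEnabled=True,
                 passwordExpiration=60, uiInactivityTimeoutSeconds=600),
    "errors": [],
}

if __name__ == "__main__":
    for field, finding in audit_system_config(WEAK_RESPONSE):
        print(f"{field}: {finding}")
```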

Set System Config
PUT /web/api/v2.1/system/configuration

Change the system configuration.


Before you run this, see Get System Config.
This command requires a Global Admin user or Support.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name | Description | Required | Value
data | Response data | false | (fields below)
  accessibleUrl | External DNS name of the management | false | string
  advancedMode | True if advanced mode is enabled. | false | boolean
  advancedModeAllowChanges | True if advanced mode value can be updated from this scope. | false | boolean
  allowDuplicateSite | [DEPRECATED] Allow site admins to duplicate sites in their accounts | false | boolean
  allowedDomains | list of allowed domains for user creation. | false | (fields below)
    domain | Allowed domain name for user creation. | false | string
    inherited | True if this is an inherited domain | false | boolean
  cloudIntelligenceOn | [DEPRECATED] Cloud intelligence on | false | boolean
  cloudLastConnectionTime | Cloud last connection time | false | string
  earlyAccess | True if early access mode is enabled. | false | boolean
  earlyAccessPlatforms | Early access platforms | false | string []
  globalSalesforceId | salesforce id field of tenant | false | string
  globalSharedConsole | shared console field of tenant | false | boolean
  globalTwoFaEnabled | Global two fa enabled | false | boolean
  licenses | List of available licenses | false | (fields below)
    bundles | The licenses Bundles | false | (fields below)
      displayName | The Bundle display name | false | string
      majorVersion | The Bundle major version | false | integer
      minorVersion | The Bundle minor version | false | integer
      name | The Bundle internal api name | false | string
surfaces The Surfaces false Name De
in the Bundle
count Th
co
ind
un
co
name Th
na

      totalSurfaces | The total number of Surfaces in this Bundle. -1 indicates unlimited count. | false | integer
    modules | The licenses Add-ons | false | (fields below)
      displayName | The Add-on display name | false | string
      majorVersion | The Add-on major version | false | integer
      name | The Add-on internal api name | false | string
    settings | The licenses Settings | false | (fields below)
      displayName | [DEPRECATED] The Setting display name | false | string
      groupName | The Setting group name | false |
      setting | The Setting display name | false |
      settingGroup | [DEPRECATED] The Setting group name | false | string
      settingGroupDisplayName | The Setting group display name | false | string
  maxCompleteLicenses | [DEPRECATED] Complete Licenses | false | integer
  maxControlLicenses | [DEPRECATED] Control licenses | false | integer
  maxCoreLicenses | [DEPRECATED] Core licenses | false | integer
  passwordExpiration | Time in days until a user password expires | false | integer
  passwordExpirationRange | Password expiration range (read-only) | false | (fields below)
    max | Maximum time in days until a user password expires | false | integer
    min | Minimum time in days until a user password expires | false | integer
  region | The region of the management | false | string
  rememberMeLength | Time in minutes until a user session expires | false | integer
  rememberMeLengthRange | Remember me length range | false | (fields below)
    max | Maximum time interval in minutes before the session expires | false | integer
    min | Minimum time interval in minutes before the session expires | false | integer
  scalyrUrl | The Scalyr URL that sends data to this Console. | false | string
  tfaEnrollmentExpiration | 2FA enrollment expiration period | false |
  uiInactivityTimeoutSeconds | Length of UI inactivity period | false |
  uiInactivityTimeoutSecondsRange | UI inactivity timeout range | false | (fields below)
    max | Maximum ui inactivity time in seconds before the session expires | false | integer
    min | Minimum ui inactivity time in seconds before the session expires | false | integer
  unlimitedComplete | [DEPRECATED] True if Complete licenses is unlimited | false | boolean
  unlimitedControl | [DEPRECATED] True if Control licenses is unlimited | false | boolean
  unlimitedCore | [DEPRECATED] True if Core licenses is unlimited | false | boolean
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (nested fields below)
    accessibleUrl | External DNS name of the management | false | string
    advancedMode | Advanced mode | false | boolean
    allowDuplicateSite | [DEPRECATED] Allow site admins to duplicate sites in their accounts | false | boolean
    allowedDomains | list of allowed domains for user creation. | false | (nested fields below)
        domain | Allowed domain name for user creation. | false | string
        inherited | True if this is an inherited domain | false | boolean
    cloudIntelligenceOn | [DEPRECATED] Cloud intelligence on | false | boolean
    cloudLastConnectionTime | Cloud last connection time | false | string
    earlyAccess | Early access | false | boolean
    earlyAccessPlatforms | Early access platforms | false | string []
    globalTwoFaEnabled | Global two fa enabled | false | boolean
    passwordExpiration | Time in days until a user password expires | false | integer
    rememberMeLength | Time in minutes until a user session expires | false | integer
    tfaEnrollmentExpiration | 2FA expiration period | false |
    uiInactivityTimeoutSeconds | Length of UI inactivity period | false |
filter | Filter section determines the configuration scope. Provide a site ID or leave empty for global configuration. | true | (nested fields below)
    accountIds | List of Account IDs to filter by | false | string []
    siteIds | List of Site IDs to filter by | false | string []

System Environment
GET /web/api/v2.1/system/env

Get environment details of the system

Response Messages
200 - Success

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
    env | Env | false | string
    isProd | Is prod | false | boolean
    url | Url | false | string
errors | Errors | false | array

Tag Manager

Create a new endpoint tag


POST /web/api/v2.1/tag-manager

Each tag must contain a type (endpoints) and a key. Value is optional but recommended. A description is optional.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
    createdAt | Created at | false | string
    createdById | A reference to the user which created the tag | false | string
    description | Description | false | string
    id | Tag ID | false | string
    key | Key | false | string
    scopeId | An ID reference to the containing scope | false | string
    scopeLevel | Name of scope | false | string
    type | e.g: manual-tagging | false | string
    updatedAt | Updated at | false | string
    updatedById | A reference to the user which updated the tag | false | string
    value | Value | false | string
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
filter | Filter | true | (nested fields below)
    accountIds | List of Account IDs to filter by | false | string []
    groupIds | List of Group IDs to filter by | false | string []
    siteIds | List of Site IDs to filter by | false | string []
    tenant | Indicates a tenant scope request | false | boolean
data | Data | false | (nested fields below)
    key | Key | true | string
    type | Type | true | string
    value | Value | true | string
    description | Description | false | string

Delete tags
DELETE /web/api/v2.1/tag-manager

Delete all tags that match the filters.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
    affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
filter | Filter | true | (nested fields below)
    accountIds | List of Account IDs to filter by | false | string []
    groupIds | List of Group IDs to filter by | false | string []
    includeChildren | Return tags from children scope levels | false | boolean
    includeParents | Return tags from parent scope levels | false | boolean
    query | Free text search on fields key, value, description | false | string
    siteIds | List of Site IDs to filter by | false | string []
    tagIds | List of tag IDs | false | string []
    tenant | Indicates a tenant scope request | false | boolean

Edit an existing tag
PUT /web/api/v2.1/tag-manager/{tag_id}

Change the key, value, or description of a tag.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
    createdAt | Created at | false | string
    createdById | A reference to the user which created the tag | false | string
    description | Description | false | string
    id | Tag ID | false | string
    key | Key | false | string
    scopeId | An ID reference to the containing scope | false | string
    scopeLevel | Name of scope | false | string
    type | e.g: manual-tagging | false | string
    updatedAt | Updated at | false | string
    updatedById | A reference to the user which updated the tag | false | string
    value | Value | false | string
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (nested fields below)
    description | Description | false | string
    key | Key | false | string
    value | Value | false | string

Tags

Get Tags
GET /web/api/v2.1/tags

Get tags.

Parameters
type required Type in. Example: "firewall".
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
disablepagination optional If true, all tags for requested filters will be returned
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
ids optional List of IDs to filter by. Example:
"225494730938493804,225494730938493915".
kind optional Returns tags of this specific kind
limit optional Limit number of returned items (1-1000). Example: "10".
name__contains optional Free-text filter by tag name. Example: "tag_name,tag_na".
onlyparents optional If true returns all tags possible to inherit from parent scopes,
otherwise returns all tags already inherited and tags from this scope.
query optional Free text search on tag name
scope optional Return tags from given scope level. Example: "account".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
pagination | Pagination information | true | (nested fields below)
    totalItems | Total number of items found matching your query | true | integer
    nextCursor | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) | false | string
data | Response data | false | (nested fields below)
    type | Type | true | enum
    affectedScopes | Affected scopes | false | integer
    createdAt | Timestamp of site creation | false | string
    creator | Location creator name | false | string
    creatorId | Location creator ID | false | string
    description | Description | false | string
    id | Id | false | string
    kind | Kind is a MGMT side indication to categorize special tags like `vulnerability` | false | string
    linkedRules | Linked rules | false | integer
    name | Name | false | string
    scope | Scope | false | enum
    scopeId | Scope id | false | string
    scopeName | Scope name | false | string
    updatedAt | Timestamp of last update | false | string
    updater | Location updater name | false | string
    updaterId | Location updater | false | string
errors | Errors | false | array

Create Tags
POST /web/api/v2.1/tags

Add tags to create user-defined logical groups.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
    type | Type | true | enum
    affectedScopes | Affected scopes | false | integer
    createdAt | Timestamp of site creation | false | string
    creator | Location creator name | false | string
    creatorId | Location creator ID | false | string
    description | Description | false | string
    id | Id | false | string
    kind | Kind is a MGMT side indication to categorize special tags like `vulnerability` | false | string
    linkedRules | Linked rules | false | integer
    name | Name | false | string
    scope | Scope | false | enum
    scopeId | Scope id | false | string
    scopeName | Scope name | false | string
    updatedAt | Timestamp of last update | false | string
    updater | Location updater name | false | string
    updaterId | Location updater | false | string
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (nested fields below)
    name | Name | true | string
    type | Type | true | enum
    description | Description | false | string
    id | Id | false | string
    kind | Kind | false | string
filter | Filter | true | (nested fields below)
    accountIds | List of Account IDs to filter by | false | string []
    groupIds | List of Group IDs to filter by | false | string []
    siteIds | List of Site IDs to filter by | false | string []
    tenant | Indicates a tenant scope request | false | boolean

Delete Tags
DELETE /web/api/v2.1/tags

Delete tags by given filter.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
    affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
filter | Filter | false | (nested fields below)
    accountIds | List of Account IDs to filter by | false | string []
    groupIds | List of Group IDs to filter by | false | string []
    ids | List of IDs to filter by | false | string []
    kind | Returns tags of this specific kind | false | string
    name__contains | Free-text filter by tag name | false | string []
    onlyParents | If true returns all tags possible to inherit from parent scopes, otherwise returns all tags already inherited and tags from this scope. | false | boolean
    query | Free text search on tag name | false | string
    scope | Return tags from given scope level | false | enum
    siteIds | List of Site IDs to filter by | false | string []
    tenant | Indicates a tenant scope request | false | boolean
    type | Type in | false | string []

Delete Tag by ID
DELETE /web/api/v2.1/tags/{tag_id}

Delete tag by ID.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
    affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Edit Tag
PUT /web/api/v2.1/tags/{tag_id}

Edit tag

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
    type | Type | true | enum
    affectedScopes | Affected scopes | false | integer
    createdAt | Timestamp of site creation | false | string
    creator | Location creator name | false | string
    creatorId | Location creator ID | false | string
    description | Description | false | string
    id | Id | false | string
    kind | Kind is a MGMT side indication to categorize special tags like `vulnerability` | false | string
    linkedRules | Linked rules | false | integer
    name | Name | false | string
    scope | Scope | false | enum
    scopeId | Scope id | false | string
    scopeName | Scope name | false | string
    updatedAt | Timestamp of last update | false | string
    updater | Location updater name | false | string
    updaterId | Location updater | false | string
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (nested fields below)
    description | Description | false | string
    id | Id | false | string
    kind | Kind | false | string
    name | Name | false | string

Tasks

Get Task Configuration


GET /web/api/v2.1/tasks-configuration

Get the task configuration of a scope.

Parameters
tasktype required Task type. Example: "agents_upgrade".
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
limit optional Limit number of returned items (1-1000). Example: "10".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

404 - Configuration not found

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
    inheritParentConcurrencyConfig | Inherit parent's scope Max Concurrent configuration | true | boolean
    inheritParentMaintenanceConfig | Inherit parent's scope Maintenance windows configuration | true | boolean
    maxConcurrent | Max concurrent | true | integer
    timezoneGmt | Timezone gmt | true | string
    concurrencyConfigUpdatedAt | Timestamp of last concurrency configuration update | false | string
    concurrencyConfigUpdatedBy | User name of last updated concurrency configuration | false | string
    maintenanceConfigUpdatedAt | Timestamp of last maintenance configuration update | false | string
    maintenanceConfigUpdatedBy | User name of last updated maintenance configuration | false | string
    maintenanceWindowsByDay | Stores the maintenance time for each day | false | object
    parentMaxConcurrent | scope's parent max concurrent limit, must not exceed | false | integer
    taskType | Defines task's type and priority | false | enum
errors | Errors | false | array

Create Task
PUT /web/api/v2.1/tasks-configuration

Create a task configuration.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Operation is not allowed

404 - Configuration not found

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
    inheritParentConcurrencyConfig | Inherit parent's scope Max Concurrent configuration | true | boolean
    inheritParentMaintenanceConfig | Inherit parent's scope Maintenance windows configuration | true | boolean
    maxConcurrent | Max concurrent | true | integer
    timezoneGmt | Timezone gmt | true | string
    concurrencyConfigUpdatedAt | Timestamp of last concurrency configuration update | false | string
    concurrencyConfigUpdatedBy | User name of last updated concurrency configuration | false | string
    maintenanceConfigUpdatedAt | Timestamp of last maintenance configuration update | false | string
    maintenanceConfigUpdatedBy | User name of last updated maintenance configuration | false | string
    maintenanceWindowsByDay | Stores the maintenance time for each day | false | object
    parentMaxConcurrent | scope's parent max concurrent limit, must not exceed | false | integer
    taskType | Defines task's type and priority | false | enum
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (nested fields below)
    inheritParentConcurrencyConfig | Inherit parent's scope Max Concurrent configuration | true | boolean
    inheritParentMaintenanceConfig | Inherit parent's scope Maintenance windows configuration | true | boolean
    maxConcurrent | Max concurrent | true | integer
    timezoneGmt | Timezone gmt | true | string
    maintenanceWindowsByDay | Stores the maintenance time for each day | false | object
filter | Filter | true | (nested fields below)
    taskType | Defines task's type and priority | true | enum
    accountIds | List of Account IDs to filter by | false | string []
    groupIds | List of Group IDs to filter by | false | string []
    siteIds | List of Site IDs to filter by | false | string []
    tenant | Indicates a tenant scope request | false | boolean

Has Child Scopes
GET /web/api/v2.1/tasks-configuration/has-explicit-subscope

From a given scope, see if there are scopes under it that have local, explicit tasks. The response returns True if a sub-scope has a local (not inherited) task configuration.

Parameters
tasktype required Task type. Example: "agents_upgrade".
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
limit optional Limit number of returned items (1-1000). Example: "10".
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed in this scope

404 - Configuration not found

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
    flag | Returns boolean value for the request | false | boolean
errors | Errors | false | array

Get Child Scope Task Configuration
GET /web/api/v2.1/tasks-configuration/explicit-subscopes

Get the task configuration of child scopes of the given scope, if the tasks are not inherited.

Parameters
tasktype required Task type. Example: "agents_upgrade".
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
limit optional Limit number of returned items (1-1000). Example: "10".
query optional Query
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed in this scope

404 - Configuration not found

Response Schema
Name | Description | Required | Value
pagination | Pagination information | true | (nested fields below)
    totalItems | Total number of items found matching your query | true | integer
    nextCursor | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) | false | string
data | Response data | false | (nested fields below)
    accountId | Account id | false | string
    accountName | Account name | false | string
    groupId | Group id | false | string
    groupName | Group name | false | string
    siteId | Site id | false | string
    siteName | Site name | false | string
errors | Errors | false | array

Threat Intelligence

Get Threat Intelligence user config


GET /web/api/v2.1/threat-intelligence/user-config

Get the Threat Intelligence user config that matches the filter.

Parameters
accountids optional List of Account IDs to filter by. Example:
"4,2,6,4,1,8,0,3,0,2,1,2,0,7,3,7,6,2".
tenant optional Indicates a tenant scope request

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
    createdAt | The time at which the user config was created in SentinelOne DB | true | string
    updatedAt | The time at which the user config was last updated in SentinelOne DB | true | string
    description | User defined description of the user config. | false | string
    disableThreat | The flag to disable Threat Intelligence Indicator based Threat creation for the entire account. | false | boolean
    excludeTii | Exclude tii | false | string []
    scopeId | The group/site/account id depending on the scope_level. | false | string
    scopeLevel | Scope level of the user config | false | enum
errors | Errors | false | array

Create Threat Intelligence user config
POST /web/api/v2.1/threat-intelligence/user-config

Create Threat Intelligence user config.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
    createdAt | The time at which the user config was created in SentinelOne DB | true | string
    updatedAt | The time at which the user config was last updated in SentinelOne DB | true | string
    description | User defined description of the user config. | false | string
    disableThreat | The flag to disable Threat Intelligence Indicator based Threat creation for the entire account. | false | boolean
    excludeTii | Exclude tii | false | string []
    scopeId | The group/site/account id depending on the scope_level. | false | string
    scopeLevel | Scope level of the user config | false | enum
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | (nested fields below)
    description | User defined description of the user config. | false | string
    disableThreat | The flag to disable Threat Intelligence Indicator based Threat creation for the entire account. | false | boolean
    excludeTii | Exclude tii | false | string []
filter | Filter | true | (nested fields below)
    accountIds | List of Account IDs to filter by | false | string []
    groupIds | List of Group IDs to filter by | false | string []
    siteIds | List of Site IDs to filter by | false | string []
    tenant | Indicates a tenant scope request | false | boolean

Delete Threat Intelligence user config
DELETE /web/api/v2.1/threat-intelligence/user-config

Delete the Threat Intelligence user config that matches the filter.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | (nested fields below)
    affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
accountIds | List of Account IDs to filter by | false | string []
tenant | Indicates a tenant scope request | false | boolean

Get IOCs
GET /web/api/v2.1/threat-intelligence/iocs

Get the IOCs of a specified Account that match the filter.

Parameters
accountids optional List of Account IDs to filter by. Example:
"4,2,6,4,1,8,0,3,0,2,1,2,0,7,3,7,6,2".
batchid optional Unique ID of the uploaded indicators batch. Example:
"atmtn000000028a881bcf939dc6d92ab55443".
category__in optional The categories of the Threat Intelligence indicator, e.g. the malware
type associated with the IOC
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
creationtime__gt optional Creation Time as set by the user greater than. Example:
"2021-07-12T20:33:29.007906Z".
creationtime__gte optional Creation Time as set by the user greater or equal than. Example:
"2021-07-13T20:33:29.007906Z".
creationtime__lt optional Creation Time as set by the user lesser than. Example:
"2021-07-13T20:33:29.007906Z".
creationtime__lte optional Creation Time as set by the user lesser or equal than. Example:
"2021-07-11T20:33:29.007906Z".
creator__contains optional Free-text filter by the user uploaded the Threat Intelligence indicator
(supports multiple values). Example: "[email protected]".
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
description__contains optional Free-text filter by the description of the indicator (supports multiple
values). Example: "Malicious-activity".
externalid optional The unique identifier of the indicator as provided by the Threat
Intelligence source. Example: "e277603e-1060-5ad4-9937-c26c97f1ca68".
limit optional Limit number of returned items (1-1000). Example: "10".
name__contains optional Free-text filter by the Indicator name (supports multiple values).
Example: "foo.dll".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
source optional List of the sources of the identified Threat Intelligence indicator.
Example: "AlienVault".
tenant optional Indicates a tenant scope request
type optional The type of the Threat Intelligence indicator. Example: "IPv4".
updatedat__gt optional The time at which the indicator was last updated in SentinelOne DB
greater than. Example: "2021-07-13T20:33:29.007906Z".
updatedat__gte optional The time at which the indicator was last updated in SentinelOne DB
greater or equal than. Example: "2021-07-13T20:33:29.007906Z".
updatedat__lt optional The time at which the indicator was last updated in SentinelOne DB
lesser than. Example: "2021-07-13T20:33:29.007906Z".
updatedat__lte optional The time at which the indicator was last updated in SentinelOne DB
lesser or equal than. Example: "2021-07-13T20:33:29.007906Z".
uploadtime__gt optional The time at which the Threat Intelligence indicator was uploaded to
SentinelOne DB greater than. Example:
"2022-07-13T20:33:29.007906Z".
uploadtime__gte optional The time at which the Threat Intelligence indicator was uploaded to
SentinelOne DB greater or equal than. Example:
"2022-07-13T20:33:29.007906Z".
uploadtime__lt optional The time at which the Threat Intelligence indicator was uploaded to
SentinelOne DB lesser than. Example:
"2021-07-13T20:33:29.007906Z".
uploadtime__lte optional The time at which the Threat Intelligence indicator was uploaded to
SentinelOne DB lesser or equal than. Example:
"2022-07-13T20:33:29.007906Z".
uuids optional A list of unique Ids of the parent process of the indicator of
compromise. Example:
"2,c,f,f,a,e,8,7,1,1,9,7,f,2,0,d,8,6,4,f,e,8,3,6,3,e,e,e,6,6,5,1".
value optional The value of the Threat Intelligence indicator. Example:
"175.45.176.1".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
pagination | Pagination information | true | (nested fields below)
    totalItems | Total number of items found matching your query | true | integer
    nextCursor | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) | false | string
data | Response data | false | (nested fields below)
    source | The source of the identified Threat Intelligence indicator | true | string
    type | The type of the Threat Intelligence indicator | true | enum
    value | The value of the Threat Intelligence indicator | true | string
    batchId | Unique ID of the uploaded Threat Intelligence indicators batch | false | string
    campaignNames | Campaign names | false | string []
    category | Category | false | string []
    creationTime | The time at which the Threat Intelligence indicator was originally created (as indicated by the TI source) | false | string
    creator | The user that uploaded the Threat Intelligence indicator | false | string
    description | Description of the Threat Intelligence indicator | false | string
    externalId | The unique identifier of the indicator as provided by the Threat Intelligence source | false | string
    intrusionSets | Intrusion sets | false | string []
    labels | Labels | false | string []
    malwareNames | Malware names | false | string []
    metadata | The metadata of the Threat Intelligence indicator | false | string
    method | The comparison method used by SentinelOne to trigger the event | false | enum
    mitreTactic | Mitre tactic | false | string []
    name | Threat Intelligence indicator name | false | string
    originalRiskScore | The relative level of risk associated with the Threat Intelligence indicator. An integer between 0 and 100, inclusive. | false | integer
    pattern | The detection pattern for this Indicator (expressed as a STIX Pattern, e.g. Comparison expression/Boolean Operators etc.) | false | string
    patternType | Characterize the pattern language that the indicator pattern is expressed in | false | string
    reference | Reference | false | string []
    scope | Scope of the ioc | false | enum
    scopeId | The group/site/account id depending on the scope. null if it is global. | false | string
    severity | The potential impact of the Threat Intelligence indicator. Designed to work based on OCSF format for scores 0-7. | false | integer
    threatActors | Threat actors | false | string []
    threatActorTypes | Threat actor types | false | string []
    updatedAt | The time at which the indicator was last updated in SentinelOne DB | false | string
    uploadTime | The time at which the Threat Intelligence indicator was uploaded to SentinelOne DB | false | string
    uuid | Unique Id of the Threat Intelligence indicator | false | string
    validUntil | The date from which the indicator will no longer be monitored | false | string
errors | Errors | false | array

Create IOCs
POST /web/api/v2.1/threat-intelligence/iocs

Add an IoC to the Threat Intelligence database.


These values under data are required fields: "source", "type", "value", and "method".
The values of "type" and "method" must be in upper case.
The "validUntil" field is mandatory, and must contain a date, for example, 2021-03-20 09:14:47.779000. "validUntil" determines when the IOC expires.
If the expiration date ("validUntil") is left blank, by default it will be the upload date plus a default offset value:
- 14 days for IPs
- 90 days for URLs and domains
- 180 days for file hashes (SHA1, SHA256, and MD5)
The maximum offset values allowed are:
- 30 days for IPs
- 180 days for URLs and Domains
- 180 days for hashes (SHA1, SHA256, and MD5)
The upload date is when the API gets a request to create an IOC.
If the expiration date is later than the upload date plus the maximum offset value allowed, it will be adjusted to the upload date plus the maximum offset value allowed.
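The expiry rules above can be checked on the client before an indicator is submitted, so a feed operator knows when a requested "validUntil" will be shortened. The following is an added example, not SentinelOne code: the function names are hypothetical, and the spellings of the "type" enum values are an assumption because this section does not list them.

```python
from datetime import datetime, timedelta

# (default_days, max_days) per indicator category, as stated in the
# Create IOCs description above.
OFFSET_DAYS = {"ip": (14, 30), "url_domain": (90, 180), "hash": (180, 180)}

# ASSUMPTION: spellings of the "type" enum values. This section does not
# list them; confirm against the enum definition before relying on this map.
TYPE_CATEGORY = {
    "IPV4": "ip", "IPV6": "ip",
    "URL": "url_domain", "DNS": "url_domain",
    "SHA1": "hash", "SHA256": "hash", "MD5": "hash",
}

REQUIRED_FIELDS = ("source", "type", "value", "method")
# Matches the documented example 2021-03-20 09:14:47.779000
TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def effective_valid_until(ioc_type, upload_time, requested=None):
    """Return (expiry, adjusted).

    expiry is the date the documented rules produce; adjusted is True when
    the requested date exceeds the maximum offset and is pulled back.
    """
    default_days, max_days = OFFSET_DAYS[TYPE_CATEGORY[ioc_type]]
    if requested is None:
        return upload_time + timedelta(days=default_days), False
    latest = upload_time + timedelta(days=max_days)
    if requested > latest:
        return latest, True
    return requested, False


def prepare_indicator(fields, upload_time):
    """Validate one indicator and normalise it to the documented rules.

    Returns (indicator_dict, adjusted). Raises ValueError when a required
    field is missing or the type is not in TYPE_CATEGORY.
    """
    missing = [name for name in REQUIRED_FIELDS if not fields.get(name)]
    if missing:
        raise ValueError("missing required field(s): " + ", ".join(missing))

    indicator = dict(fields)
    # "type" and "method" must be upper case.
    indicator["type"] = str(fields["type"]).upper()
    indicator["method"] = str(fields["method"]).upper()
    if indicator["type"] not in TYPE_CATEGORY:
        raise ValueError("unrecognised indicator type: " + indicator["type"])

    requested = fields.get("validUntil") or None  # blank counts as not set
    if isinstance(requested, str):
        requested = datetime.strptime(requested, TIME_FORMAT)

    expiry, adjusted = effective_valid_until(
        indicator["type"], upload_time, requested
    )
    indicator["validUntil"] = expiry.strftime(TIME_FORMAT)
    return indicator, adjusted


if __name__ == "__main__":
    # Constructed sample indicators (documentation address ranges and names).
    upload = datetime(2021, 3, 1, 9, 0, 0)
    samples = [
        {"source": "constructed-feed", "type": "ipv4",
         "value": "192.0.2.10", "method": "equals"},
        {"source": "constructed-feed", "type": "IPV4",
         "value": "192.0.2.11", "method": "EQUALS",
         "validUntil": "2021-06-01 00:00:00.000000"},
    ]
    for sample in samples:
        print(prepare_indicator(sample, upload))
```

Logging the indicators for which `adjusted` is True shows which entries will stop being monitored earlier than the feed intended.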

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false
    source | The source of the identified Threat Intelligence indicator | true | string
    type | The type of the Threat Intelligence indicator | true | enum
    value | The value of the Threat Intelligence indicator | true | string
    batchId | Unique ID of the uploaded Threat Intelligence indicators batch | false | string
    campaignNames | Campaign names | false | string []
    category | Category | false | string []
    creationTime | The time at which the Threat Intelligence indicator was originally created (as indicated by the TI source) | false | string
    creator | The user that uploaded the Threat Intelligence indicator | false | string
    description | Description of the Threat Intelligence indicator | false | string
    externalId | The unique identifier of the indicator as provided by the Threat Intelligence source | false | string
    intrusionSets | Intrusion sets | false | string []
    labels | Labels | false | string []
    malwareNames | Malware names | false | string []
    metadata | The metadata of the Threat Intelligence indicator | false | string
    method | The comparison method used by SentinelOne to trigger the event | false | enum
    mitreTactic | Mitre tactic | false | string []
    name | Threat Intelligence indicator name | false | string
    originalRiskScore | The relative level of risk associated with the Threat Intelligence indicator. An integer between 0 and 100, inclusive. | false | integer
    pattern | The detection pattern for this Indicator (expressed as a STIX Pattern, e.g. Comparison expression/Boolean Operators etc.) | false | string
    patternType | Characterize the pattern language that the indicator pattern is expressed in | false | string
    reference | Reference | false | string []
    scope | Scope of the ioc | false | enum
    scopeId | The group/site/account id depending on the scope. null if it is global. | false | string
    severity | The potential impact of the Threat Intelligence indicator. Designed to work based on OCSF format for scores 0-7. | false | integer
    threatActors | Threat actors | false | string []
    threatActorTypes | Threat actor types | false | string []
    updatedAt | The time at which the indicator was last updated in SentinelOne DB | false | string
    uploadTime | The time at which the Threat Intelligence indicator was uploaded to SentinelOne DB | false | string
    uuid | Unique Id of the Threat Intelligence indicator | false | string
    validUntil | The date from which the indicator will no longer be monitored | false | string
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | false
    source | The source of the identified Threat Intelligence indicator | true | string
    type | The type of the Threat Intelligence indicator | true | enum
    value | The value of the Threat Intelligence indicator | true | string
    campaignNames | Campaign names | false | string []
    category | Category | false | string []
    creationTime | The time at which the Threat Intelligence indicator was originally created (as indicated by the TI source) | false | string
    creator | The user that uploaded the Threat Intelligence indicator | false | string
    description | Description of the Threat Intelligence indicator | false | string
    externalId | The unique identifier of the indicator as provided by the Threat Intelligence source | false | string
    intrusionSets | Intrusion sets | false | string []
    labels | Labels | false | string []
    malwareNames | Malware names | false | string []
    metadata | The metadata of the Threat Intelligence indicator | false | string
    method | The comparison method used by SentinelOne to trigger the event | false | enum
    mitreTactic | Mitre tactic | false | string []
    name | Threat Intelligence indicator name | false | string
    originalRiskScore | The relative level of risk associated with the Threat Intelligence indicator. An integer between 0 and 100, inclusive. | false | integer
    pattern | The detection pattern for this Threat Intelligence indicator (expressed as a STIX Pattern, e.g. Comparison expression/Boolean Operators etc.) | false | string
    patternType | Characterize the pattern language that the Threat Intelligence indicator pattern is expressed in | false |
    reference | Reference | false | string []
    severity | The potential impact of the Threat Intelligence indicator. Designed to work based on OCSF format for scores 0-7. | false | integer
    threatActors | Threat actors | false | string []
    threatActorTypes | Threat actor types | false | string []
    validUntil | Expiration date for the Threat Intelligence indicator | false | string
filter | Filter | false
    accountIds | List of Account IDs to filter by | false | string []
    groupIds | List of Group IDs to filter by | false | string []
    siteIds | List of Site IDs to filter by | false | string []
    tenant | Indicates a tenant scope request | false | boolean

Delete IOCs
DELETE /web/api/v2.1/threat-intelligence/iocs

Delete an IoC from the Threat Intelligence database that matches a filter using the accountID and one other field.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false
    affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
filter | Filter | true
    accountIds | List of Account IDs to filter by | false | string []
    batchId | Unique ID of the uploaded indicators batch | false | string
    category__in | The categories of the Threat Intelligence indicator, e.g. the malware type associated with the IOC | false | string
    creationTime__gt | Creation Time as set by the user greater than | false | string
    creationTime__gte | Creation Time as set by the user greater or equal than | false | string
    creationTime__lt | Creation Time as set by the user lesser than | false | string
    creationTime__lte | Creation Time as set by the user lesser or equal than | false | string
    creator__contains | Free-text filter by the user uploaded the Threat Intelligence indicator (supports multiple values) | false | string []
    description__contains | Free-text filter by the description of the indicator (supports multiple values) | false | string []
    externalId | The unique identifier of the indicator as provided by the Threat Intelligence source | false | string
    name__contains | Free-text filter by the Indicator name (supports multiple values) | false | string []
    source | List of the sources of the identified Threat Intelligence indicator | false | string []
    tenant | Indicates a tenant scope request | false | boolean
    type | The type of the Threat Intelligence indicator | false | enum
    updatedAt__gt | The time at which the indicator was last updated in SentinelOne DB greater than | false | string
    updatedAt__gte | The time at which the indicator was last updated in SentinelOne DB greater or equal than | false | string
    updatedAt__lt | The time at which the indicator was last updated in SentinelOne DB lesser than | false | string
    updatedAt__lte | The time at which the indicator was last updated in SentinelOne DB lesser or equal than | false | string
    uploadTime__gt | The time at which the Threat Intelligence indicator was uploaded to SentinelOne DB greater than | false | string
    uploadTime__gte | The time at which the Threat Intelligence indicator was uploaded to SentinelOne DB greater or equal than | false | string
    uploadTime__lt | The time at which the Threat Intelligence indicator was uploaded to SentinelOne DB lesser than | false | string
    uploadTime__lte | The time at which the Threat Intelligence indicator was uploaded to SentinelOne DB lesser or equal than | false | string
    uuids | A list of unique Ids of the parent process of the indicator of compromise | false | string []
    value | The value of the Threat Intelligence indicator | false | string

Threat Notes

Get Threat Notes


GET /web/api/v2.1/threats/{threat_id}/notes

Get the threat notes that match the filter.

Parameters
countonly optional If true, only total number of items will be returned, without any of the actual objects.
creator__like optional Threat Note creator name (partially or full). Example: "John".
creatorid optional Threat Note creator ID. Example: "225494730938493804".
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
limit optional Limit number of returned items (1-1000). Example: "10".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema

Name | Description | Required | Value
pagination | Pagination information | true
    totalItems | Total number of items found matching your query | true | integer
    nextCursor | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) | false | string
data | Response data | false
    createdAt | Timestamp of date creation | false | string
    creator | Threat Note creator name | false | string
    creatorId | Threat Note creator id | false | string
    edited | Identify if the note changed | false | boolean
    id | Threat Note ID | false | string
    text | Threat Note text | false | string
    updatedAt | Timestamp of last update | false | string
errors | Errors | false | array

Add Note to Multiple
POST /web/api/v2.1/threats/notes

Add a threat note to multiple threats.

Response Messages
200 - Threats note successfully created

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false
    affected | Number of entities affected by the requested operation | false | integer
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true
    text | Threat Note text | true | string
filter | Filter | true
    accountIds | List of Account IDs to filter by | false | string []
    agentIds | List of Agent IDs | false | string []
    agentIsActive | Include Agents currently connected to the Management Console | false | boolean
    agentMachineTypes | Include Agent machine types | false | string []
    agentMachineTypesNin | Excluded Agent machine types | false | string []
    agentTagsData | Filter threats by assigned tags to the related agent. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
    agentVersions | Include Agent versions | false | string []
    agentVersionsNin | Excluded Agent versions | false | string []
    analystVerdicts | Filter threats by a specific analyst verdict | false | string []
    analystVerdictsNin | Exclude threats with specific analyst verdicts | false | string []
    awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
    awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
    awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
    azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
    classifications | List of threat classifications to search | false | string []
    classificationsNin | List of threat classifications not to search | false | string []
    classificationSources | Classification sources list | false | string []
    classificationSourcesNin | Classification sources list to exclude | false | string []
    cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
    cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
    cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
    cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
    cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
    cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
    cloudProvider | Agents from which cloud provider | false | string []
    cloudProviderNin | Exclude Agents from these cloud provider | false | string []
    collectionIds | List of collection IDs to search | false | string []
    commandLineArguments__contains | Free-text filter by threat command line arguments (supports multiple values) | false | string []
    computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
    confidenceLevels | Filter threats by a specific confidence level | false | string []
    confidenceLevelsNin | Exclude threats with specific confidence level | false | string []
    containerImageName__contains | Free-text filter by the endpoint container image name (supports multiple values) | false | string []
    containerLabels__contains | Free-text filter by the endpoint container labels (supports multiple values) | false | string []
    containerName__contains | Free-text filter by the endpoint container name (supports multiple values) | false | string []
    contentHash__contains | Free-text filter by file content hash (supports multiple values) | false | string []
    contentHashes | List of sha1 hashes to search for | false | string []
    countsFor | comma-separated list of fields to be shown | false | string
    createdAt__gt | Created at greater than. | false | string
    createdAt__gte | Created at greater or equal than. | false | string
    createdAt__lt | Created at lesser than. | false | string
    createdAt__lte | Created at lesser or equal than. | false | string
    detectionAgentDomain__contains | Free-text filter by Agent domain at detection time (supports multiple values) | false | string []
    detectionAgentVersion__contains | Free-text filter by Agent version at detection time (supports multiple values) | false | string []
    detectionEngines | Included engines | false | string []
    detectionEnginesNin | Excluded engines | false | string []
    displayName | Display name | false | string
    engines | Included engines | false | string []
    enginesNin | Excluded engines | false | string []
    externalTicketExists | The threat contains ticket number | false | boolean
    externalTicketId__contains | Free-text filter by the threat external ticket ID (supports multiple values) | false | string []
    externalTicketIds | External ticket ID for the threat | false | string []
    failedActions | At least one action failed on the threat | false | boolean
    filePath__contains | Free-text filter by file path (supports multiple values) | false | string []
    gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
    groupIds | List of Group IDs to filter by | false | string []
    hasAgentTags | Include only Threats whose Agent is assigned any tags if True, or none if False | false | boolean
    ids | List of threat IDs | false | string []
    incidentStatuses | Filter threats by a specific incident status | false | string []
    incidentStatusesNin | Exclude threats with specific incident statuses | false | string []
    initiatedBy | Only include threats from specific initiating sources | false | string []
    initiatedByNin | Exclude threats with specific initiating sources | false | string []
    initiatedByUsername__contains | Free-text filter by the username that initiated that threat (supports multiple values) | false | string []
    k8sClusterName__contains | Free-text filter by the endpoint Kubernetes cluster name (supports multiple values) | false | string []
    k8sControllerLabels__contains | Free-text filter by the endpoint Kubernetes controller labels (supports multiple values) | false | string []
    k8sControllerName__contains | Free-text filter by the endpoint Kubernetes controller name (supports multiple values) | false | string []
    k8sNamespaceLabels__contains | Free-text filter by the endpoint Kubernetes namespace labels (supports multiple values) | false | string []
    k8sNamespaceName__contains | Free-text filter by the endpoint Kubernetes namespace name (supports multiple values) | false | string []
    k8sNodeLabels__contains | Free-text filter by the endpoint Kubernetes node labels (supports multiple values) | false | string []
    k8sNodeName__contains | Free-text filter by the endpoint Kubernetes node name (supports multiple values) | false | string []
    k8sPodLabels__contains | Free-text filter by the endpoint Kubernetes pod labels (supports multiple values) | false | string []
    k8sPodName__contains | Free-text filter by the endpoint Kubernetes pod name (supports multiple values) | false | string []
    limit | Limit | false | integer
    mitigatedPreemptively | If the threat was detected pre-execution or post-execution | false | boolean
    mitigationStatuses | Filter threats by a specific status | false | string []
    mitigationStatusesNin | Filter threats not by a specific status | false | string []
    noteExists | The threat contains at least one note | false | boolean
    originatedProcess__contains | Free-text filter by the originated process name of the threat (supports multiple values) | false | string []
    osArchs | Included OS Architectures | false | string []
    osNames | | false | string []
    osNamesNin | | false | string []
    osTypes | Included OS types | false | string []
    osTypesNin | Excluded OS types | false | string []
    pendingActions | At least one action is pending for the Agent for the threat | false | boolean
    publisherName__contains | Free-text filter by threat's publisher name (supports multiple values) | false | string []
    query | Full text search for fields: threat_details, content_hash, computer_name, file_path, uuid, detection_agent_version, realtime_agent_version, detection_agent_domain, command_line_arguments, initiated_by_username, storyline, originated_process, k8s_cluster_name, k8s_node_name, k8s_node_labels, k8s_namespace_name, k8s_namespace_labels, k8s_controller_name, k8s_controller_labels, k8s_pod_name, k8s_pod_labels, container_name, container_image_name, container_labels, external_ticket_id | false | string
    realtimeAgentVersion__contains | Free-text filter by Agent version at current time (supports multiple values) | false | string []
    rebootRequired | A reboot is required on any endpoint for at least one action on the threat | false | boolean
    resolved | This is used for backward-compatibility with API 2.0. | false | boolean
    siteIds | List of Site IDs to filter by | false | string []
    storyline__contains | Free-text filter by threat storyline (supports multiple values) | false | string []
    storylines | List of Agent context to search for | false | string []
    tenant | Indicates a tenant scope request | false | boolean
    threatDetails__contains | Free-text filter by threat details (supports multiple values) | false | string []
    updatedAt__gt | Updated at greater than. | false | string
    updatedAt__gte | Updated at greater or equal than. | false | string
    updatedAt__lt | Updated at lesser than. | false | string
    updatedAt__lte | Updated at lesser or equal than. | false | string
    uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []

Update Threat Note
PUT /web/api/v2.1/threats/{threat_id}/notes/{note_id}

Change the text of a threat note.

Response Messages
200 - Threat note successfully updated

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false
    createdAt | Timestamp of date creation | false | string
    creator | Threat Note creator name | false | string
    creatorId | Threat Note creator id | false | string
    edited | Identify if the note changed | false | boolean
    id | Threat Note ID | false | string
    text | Threat Note text | false | string
    updatedAt | Timestamp of last update | false | string
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true
    text | Threat Note text | true | string

Delete Threat Note
DELETE /web/api/v2.1/threats/{threat_id}/notes/{note_id}

Delete a threat note.

Response Messages
200 - Threat note successfully deleted

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false
    success | Indicates a successful operation | false | boolean
errors | Errors | false | array

Threats

Get Threats
GET /web/api/v2.1/threats

Get data of threats that match the filter.


Best Practice: Use the filters. Each threat gives a number of data lines that will quickly fill the page limit.

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
agentids optional List of Agent IDs. Example: "225494730938493804,225494730938493915".
agentisactive optional Include Agents currently connected to the Management Console
agentmachinetypes optional Include Agent machine types. Example: "unknown".
agentmachinetypesnin optional Excluded Agent machine types. Example: "unknown".
agenttagsdata optional Filter threats by assigned tags to the related agent. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. Example: "{"key1": ["value1_1", "value1_2"], "key2__nin": ["value2"]}".
agentversions optional Include Agent versions. Example: "2.5.1.1320".
agentversionsnin optional Excluded Agent versions. Example: "2.5.1.1320".
analystverdicts optional Filter threats by a specific analyst verdict. Example: "true_positive,suspicious".
analystverdictsnin optional Exclude threats with specific analyst verdicts. Example: "true_positive,suspicious".
awsrole__contains optional Free-text filter by aws role (supports multiple values)
awssecuritygroups__contains optional Free-text filter by aws securityGroups (supports multiple values)
awssubnetids__contains optional Free-text filter by aws subnet ids (supports multiple values)
azureresourcegroup__contains optional Free-text filter by azure resource group (supports multiple values)
classifications optional List of threat classifications to search
classificationsnin optional List of threat classifications not to search
classificationsources optional Classification sources list. Example: "Cloud".
classificationsourcesnin optional Classification sources list to exclude. Example: "Cloud".
cloudaccount__contains optional Free-text filter by cloud account (supports multiple values)
cloudimage__contains optional Free-text filter by cloud image (supports multiple values)
cloudinstanceid__contains optional Free-text filter by cloud instance id (supports multiple values)
cloudinstancesize__contains optional Free-text filter by cloud instance size (supports multiple values)
cloudlocation__contains optional Free-text filter by cloud location (supports multiple values)
cloudnetwork__contains optional Free-text filter by cloud network (supports multiple values)
cloudprovider optional Agents from which cloud provider
cloudprovidernin optional Exclude Agents from these cloud provider
collectionids optional List of collection IDs to search. Example: "225494730938493804,225494730938493915".
commandlinearguments__contains optional Free-text filter by threat command line arguments (supports multiple values). Example: "/usr/sbin/,wget".
computername__contains optional Free-text filter by computer name (supports multiple values). Example: "john-office,WIN".
confidencelevels optional Filter threats by a specific confidence level. Example: "malicious".
confidencelevelsnin optional Exclude threats with specific confidence level. Example: "malicious".
containerimagename__contains optional Free-text filter by the endpoint container image name (supports multiple values)
containerlabels__contains optional Free-text filter by the endpoint container labels (supports multiple values)
containername__contains optional Free-text filter by the endpoint container name (supports multiple values)
contenthash__contains optional Free-text filter by file content hash (supports multiple values). Example: "5f09bcff3".
contenthashes optional List of sha1 hashes to search for. Example: "d,d,d,5,0,3,0,a,3,d,0,2,9,f,3,8,4,5,f,c,1,0,5,2,4,1,9,8,2,9,f,0,8,f,3,1,2,2,4,0".
countonly optional If true, only total number of items will be returned, without any of the actual objects.
countsfor optional comma-separated list of fields to be shown. Example: "osTypes,machineTypes".
createdat__gt optional Created at greater than. Example: "2018-02-27T04:49:26.257525Z".
createdat__gte optional Created at greater or equal than. Example: "2018-02-27T04:49:26.257525Z".
createdat__lt optional Created at lesser than. Example: "2018-02-27T04:49:26.257525Z".
createdat__lte optional Created at lesser or equal than. Example: "2018-02-27T04:49:26.257525Z".
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
detectionagentdomain__contains optional Free-text filter by Agent domain at detection time (supports multiple values). Example: "sentinel,sentinelone.com".
detectionagentversion__contains optional Free-text filter by Agent version at detection time (supports multiple values). Example: "1.1.1.1,2.2.".
detectionengines optional Included engines. Example: "reputation".
detectionenginesnin optional Excluded engines. Example: "reputation".
displayname optional Display name
engines optional Included engines. Example: "reputation".
enginesnin optional Excluded engines. Example: "reputation".
externalticketexists optional The threat contains ticket number
externalticketid__contains optional Free-text filter by the threat external ticket ID (supports multiple values)
externalticketids optional External ticket ID for the threat
failedactions optional At least one action failed on the threat
filepath__contains optional Free-text filter by file path (supports multiple values). Example: "\MyUser\Downloads".
gcpserviceaccount__contains optional Free-text filter by gcp service account (supports multiple values)
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
hasagenttags optional Include only Threats whose Agent is assigned any tags if True, or none if False
ids optional List of threat IDs. Example: "225494730938493804,225494730938493915".
incidentstatuses optional Filter threats by a specific incident status. Example: "unresolved,in_progress".
incidentstatusesnin optional Exclude threats with specific incident statuses. Example: "unresolved,in_progress".
initiatedby optional Only include threats from specific initiating sources. Example: "agent_policy,dv_command".
initiatedbynin optional Exclude threats with specific initiating sources. Example: "agent_policy,dv_command".
initiatedbyusername__contains optional Free-text filter by the username that initiated that threat (supports multiple values). Example: "John,John Doe".
k8sclustername__contains optional Free-text filter by the endpoint Kubernetes cluster name (supports multiple values)
k8scontrollerlabels__contains optional Free-text filter by the endpoint Kubernetes controller labels (supports multiple values)
k8scontrollername__contains optional Free-text filter by the endpoint Kubernetes controller name (supports multiple values)
k8snamespacelabels__contains optional Free-text filter by the endpoint Kubernetes namespace labels (supports multiple values)
k8snamespacename__contains optional Free-text filter by the endpoint Kubernetes namespace name (supports multiple values)
k8snodelabels__contains optional Free-text filter by the endpoint Kubernetes node labels (supports multiple values)
k8snodename__contains optional Free-text filter by the endpoint Kubernetes node name (supports multiple values)
k8spodlabels__contains optional Free-text filter by the endpoint Kubernetes pod labels (supports multiple values)
k8spodname__contains optional Free-text filter by the endpoint Kubernetes pod name (supports multiple values)
limit optional Limit number of returned items (1-1000). Example: "10".
mitigatedpreemptively optional If the threat was detected pre-execution or post-execution
mitigationstatuses optional Filter threats by a specific status. Example: "not_mitigated".
mitigationstatusesnin optional Filter threats not by a specific status. Example: "not_mitigated".
noteexists optional The threat contains at least one note
originatedprocess__contains optional Free-text filter by the originated process name of the threat (supports multiple values)
osarchs optional Included OS Architectures. Example: "32 bit".
osnames optional
osnamesnin optional
ostypes optional Included OS types. Example: "macos".
ostypesnin optional Excluded OS types. Example: "macos".
pendingactions optional At least one action is pending for the Agent for the threat
publishername__contains optional Free-text filter by threat's publisher name (supports multiple values). Example: "GOOGLE,Apple Inc.".
query optional Full text search for fields: threat_details, content_hash, computer_name, file_path, uuid, detection_agent_version, realtime_agent_version, detection_agent_domain, command_line_arguments, initiated_by_username, storyline, originated_process, k8s_cluster_name, k8s_node_name, k8s_node_labels, k8s_namespace_name, k8s_namespace_labels, k8s_controller_name, k8s_controller_labels, k8s_pod_name, k8s_pod_labels, container_name, container_image_name, container_labels, external_ticket_id
realtimeagentversion__contains optional Free-text filter by Agent version at current time (supports multiple values). Example: "1.1.1.1,2.2.".
rebootrequired optional A reboot is required on any endpoint for at least one action on the threat
resolved optional This is used for backward-compatibility with API 2.0.
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
storyline__contains optional Free-text filter by threat storyline (supports multiple values). Example: "0000C2E97648,0006FC73-77B4-470F-AAC7-".
storylines optional List of Agent context to search for
tenant optional Indicates a tenant scope request
threatdetails__contains optional Free-text filter by threat details (supports multiple values). Example: "malware.exe,virus.exe".
updatedat__gt optional Updated at greater than. Example: "2018-02-27T04:49:26.257525Z".
updatedat__gte optional Updated at greater or equal than. Example: "2018-02-27T04:49:26.257525Z".
updatedat__lt optional Updated at lesser than. Example: "2018-02-27T04:49:26.257525Z".
updatedat__lte optional Updated at lesser or equal than. Example: "2018-02-27T04:49:26.257525Z".
uuid__contains optional Free-text filter by Agent UUID (supports multiple values). Example: "e92-01928,b055".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema

Name Description Required Value
pagination Pagination information true
    Name Description Required Value
    totalItems Total number of items found matching your query true integer
    nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
    Name Description Required Value
    agentDetectionInfo Agent detection time information false
        Name Description Required Value
        accountId Orig account id false string
        accountName Orig account name false string
        agentDetectionState The Agent's detection state at time of detection false string
        agentDomain Network domain false string
        agentIpV4 Orig agent ip v4 false string
        agentIpV6 Orig agent ip v6 false string
        agentLastLoggedInUpn UPN of last logged in user false string
        agentLastLoggedInUserMail mail from AD of last logged in user false string
        agentLastLoggedInUserName Orig logged user false string
        agentMitigationMode Agent mitigation mode policy false enum
        agentOsName Orig agent os name false string
        agentOsRevision Orig agent os revision false string
        agentRegisteredAt Time of first registration to management console false string
        agentUuid UUID of the agent false string
        agentVersion Orig agent version false string
        cloudProviders Cloud providers for this agent false object
        externalIp Orig agent external ip false string
        groupId Orig group id false string
        groupName Orig group name false string
        siteId Orig site id false string
        siteName Orig site name false string
    agentRealtimeInfo Agent realtime information false
        Name Description Required Value
        accountId Account id false string
        accountName Account name false string
        activeThreats Active threats false integer
        agentComputerName Computer name false string
        agentDecommissionedAt Decommissioned at false boolean
        agentDomain Domain false string
        agentId Id false string
        agentInfected Agent infected false boolean
        agentIsActive Is active false boolean
        agentIsDecommissioned Is decommissioned false boolean
        agentMachineType Machine type false enum
        agentMitigationMode Agent mitigation mode policy false enum
        agentNetworkStatus Network status false enum
        agentOsName Os name false string
        agentOsRevision Os revision false string
        agentOsType OS type false enum
        agentUuid Uuid false string
        agentVersion Agent version false string
        groupId Group id false string
        groupName Group name false string
        networkInterfaces Device's network interfaces false
            Name Description Required Value
            id Id false string
            inet IPv4 addresses false string []
            inet6 IPv6 addresses false string []
            name Name false string
            physical Interface's MAC address false string
        operationalState Agent operational state false string
        rebootRequired A reboot is required on the endpoint for at least one threat false boolean
        scanAbortedAt Abort time of last scan (If applicable) false string
        scanFinishedAt Finish time of last scan (If applicable) false string
        scanStartedAt Start time of last scan false string
        scanStatus Scan status false enum
        siteId Site id false string
        siteName Site name false string
        storageName Storage Name false string
        storageType Storage Type false string
        userActionsNeeded A list of pending user actions. List items possible values: "none, user_action_needed, reboot_needed, upgrade_needed, incompatible_os, unprotected, rebootless_without_dynamic_detection, extended_exclusions_partially_accepted, reboot_required, pending_deprecation, ne_not_running, ne_cf_not_active". false string []
    containerInfo Threat container information false
        Name Description Required Value
        id Id false string
        image Image false string
        isContainerQuarantine True if the container is quarantined false boolean
        labels Labels false string []
        name Name false string
    id Threat ID false string
    indicators Indicators false
        Name Description Required Value
        category Category false string
        categoryId [DEPRECATED] false integer
        description Description false string
        ids List of all the indicators IDs false integer []
        tactics Tactics false
            Name Description Required Value
            name Name false string
            source Source false string
            techniques Techniques false
                Name De
                link Lin
                name Na
    kubernetesInfo Threat kubernetes information false
        Name Description Required Value
        cluster Cluster false string
        controllerKind Controller kind false string
        controllerLabels Controller labels false string []
        controllerName Controller name false string
        isContainerQuarantine True if the container is quarantined false boolean
        namespace Namespace false string
        namespaceLabels Namespace labels false string []
        node Node false string
        nodeLabels Node labels false string []
        pod Pod false string
        podLabels Pod labels false string []
    mitigationStatus Threat mitigation information false
        Name Description Required Value
        action Action false enum
        actionsCounters Actions counters false
            Name Description Required Value
            failed Failed false integer
            notFound Not found false integer
            pendingReboot Pending reboot false integer
            success Success false integer
            total Total false integer
        agentSupportsReport The Agent generates a full mitigation report false boolean
        groupNotFound Agent could not find the threat false boolean
        lastUpdate Timestamp of last mitigation status update false string
        latestReport Report download URL. If None, there is no report false string
        mitigationEndedAt The time the Agent finished the mitigation false string
        mitigationStartedAt The time the Agent started the mitigation false string
        reportId ID of the mitigation report false string
        status Status false enum
    threatInfo Threat information false
        Name Description Required Value
        sha1 SHA1 hash of file content true string
        analystVerdict Analyst verdict false enum
        analystVerdictDescription Analyst verdict description false
        automaticallyResolved Automatically resolved false boolean
        browserType Browser type false string
        certificateId File Certificate ID false string
        classification Classification of the threat false string
        classificationSource Source of the threat Classification false enum
        cloudFilesHashVerdict Cloud files hash verdict false string
        collectionId Collection id false string
        confidenceLevel SentinelOne threat confidence level false enum
        createdAt Timestamp of date creation in the Management Console. false string
        detectionEngines List of engines that detected the threat false
        detectionType Detection type false enum
        engines [Deprecated] List of engines that detected the threat false
        externalTicketExists External ticket exists false
        externalTicketId External ticket id false string
        failedActions At least one action failed on the threat false boolean
        fileExtension File extension false string
        fileExtensionType File extension type false string
        filePath File path false
        fileSize File size false integer
        fileVerificationType File verification type false string
        identifiedAt Identified at false string
        incidentStatus Incident status false enum
        incidentStatusDescription Incident status description false
        initiatedBy Source of threat false enum
        initiatedByDescription Initiated by description false
        initiatingUserId Initiating user id false string
        initiatingUsername Initiating username false string
        isFileless Is fileless false
        isValidCertificate True if the certificate is valid false boolean
        macroModules List of macro modules false
            Name Description Required Value
            moduleName Name of macro module false string
            sha1 SHA-1 of the macro module false string
        maliciousProcessArguments Malicious process arguments false string
        md5 Md5 false string
        mitigatedPreemptively True if the threat was blocked before execution false boolean
        mitigationStatus Mitigation status false enum
        mitigationStatusDescription Mitigation status description false
        originatorProcess Originator process false string
        pendingActions At least one action is pending on the threat false boolean
        processUser Process user false string
        publisherName Certificate publisher false string
        reachedEventsLimit Has number of OS events for this threat reached the limit, resulting in a partial attack storyline false boolean
        rebootRequired A reboot is required on the endpoint for at least one action on the threat false boolean
        sha256 SHA256 hash of file content false string
        storyline Storyline identifier from agent false string
        threatId Threat id false string
        threatName Threat name false string
        updatedAt Timestamp of last update false string
        whiteningOptions Whitening options false string []
errors Errors false array
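
The parameter table says "skip" covers only the first 1000 items and that larger result sets must be walked with "cursor", and the response schema returns the next cursor in pagination.nextCursor. The following is an added example, not SentinelOne code, of a cursor walk over that response shape. The HTTP call is abstracted behind a caller-supplied fetch_page function (an assumption of this example), and the sample backend and its data are constructed so the code runs offline.

```python
from typing import Callable, Dict, Iterator, List, Optional, Tuple

MAX_LIMIT = 1000  # documented range for "limit" is 1-1000


class PaginationError(RuntimeError):
    """Raised when the listing cannot be walked reliably to its last page."""


def iter_pages(fetch_page: Callable[[Dict[str, str]], dict],
               filters: Optional[Dict[str, str]] = None,
               limit: int = MAX_LIMIT,
               max_pages: int = 10_000) -> Iterator[dict]:
    """Yield each response page, following pagination.nextCursor."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be between 1 and 1000")
    params = dict(filters or {})
    if "skip" in params:
        # "skip" only reaches the first 1000 items (documented range 0-1000).
        raise ValueError("walk large result sets with the cursor, not skip")
    params["limit"] = str(limit)
    seen = set()
    for _ in range(max_pages):
        page = fetch_page(dict(params))
        if page.get("errors"):
            raise PaginationError(f"API returned errors: {page['errors']}")
        yield page
        cursor = (page.get("pagination") or {}).get("nextCursor")
        # The schema says the value is "null" on the last page; accept both
        # a JSON null and the literal string.
        if cursor is None or cursor == "null":
            return
        if cursor in seen:
            raise PaginationError("cursor repeated; stopping to avoid a loop")
        seen.add(cursor)
        params["cursor"] = cursor
    raise PaginationError("max_pages reached before the last page")


def collect_threats(fetch_page: Callable[[Dict[str, str]], dict],
                    filters: Optional[Dict[str, str]] = None,
                    limit: int = MAX_LIMIT) -> Tuple[List[dict], Optional[int]]:
    """Return (all items, totalItems reported on the first page).

    Comparing len(items) with the reported total is a cheap completeness
    check before handing the list to triage or reporting.
    """
    items: List[dict] = []
    total: Optional[int] = None
    for page in iter_pages(fetch_page, filters, limit):
        if total is None:
            total = (page.get("pagination") or {}).get("totalItems")
        items.extend(page.get("data") or [])
    return items, total


# Constructed sample data and backend: five threats, cursor = next offset.
_SAMPLE = [{"id": str(n), "threatInfo": {"threatName": f"sample-{n}"}}
           for n in range(1, 6)]


def fake_fetch_page(params: Dict[str, str]) -> dict:
    """Stand-in for the real HTTP GET; mimics the documented response shape."""
    start = int(params.get("cursor", "0"))
    end = start + int(params["limit"])
    more = end < len(_SAMPLE)
    return {
        "pagination": {"totalItems": len(_SAMPLE),
                       "nextCursor": str(end) if more else None},
        "data": _SAMPLE[start:end],
    }


if __name__ == "__main__":
    threats, reported = collect_threats(fake_fetch_page, {"ostypes": "macos"}, limit=2)
    print(len(threats), "collected;", reported, "reported by the first page")
```
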

Mitigate Threats
POST /web/api/v2.1/threats/mitigate/{action}

Apply a mitigation action to a group of threats that match the filter. Valid values for mitigation: "kill", "quarantine", "remediate", "rollback-remediation", "un-quarantine", "network-quarantine".
Your user role must have permissions to mitigate threats - Admin, IR Team, SOC. Only threats which you have permission to mitigate are counted as "affected" in the response field.
Rollback is applied only on Windows. Remediate is applied only on macOS and Windows.

Response Messages
200 - Threat successfully mitigated

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    affected Number of entities affected by the requested operation false integer
    details Single threat mitigation information false
        Name Description Required Value
        reports List of latest mitigation reports created by the action trigger. false
            Name Description Required Value
            action Action false enum
            actionsCounters Actions counters false
                Name De
                failed Fa
                notFound No
                pendingReboot Pe reb
                success Su
                total To
            agentSupportsReport The Agent generates a full mitigation report false boolean
            groupNotFound Agent could not find the threat false boolean
            lastUpdate Timestamp of last mitigation status update false string
            latestReport Report download URL. If None, there is no report false string
            mitigationEndedAt The time the Agent finished the mitigation false string
            mitigationStartedAt The time the Agent started the mitigation false string
            reportId ID of the mitigation report false string
            status Status false enum
        skipped List of skipped mitigation actions with additional details. false
            Name Description Required Value
            action Action false enum
            description Description false string
            reason Reason false enum
        threatId Threat id false string
errors Errors false array

Body Schema
Name Description Required Value
filter Use any of the filtering options to control the list of affected threats. You can use any combination of filters to narrow down the list (For example "apply to only active threats from Linux endpoints"). You can also leave this field empty to apply to all available threats. true
    Name Description Required Value
    accountIds List of Account IDs to filter by false string []
    agentIds List of Agent IDs false string []
    agentIsActive Include Agents currently connected to the Management Console false boolean
    agentMachineTypes Include Agent machine types false string []
    agentMachineTypesNin Excluded Agent machine types false string []
    agentTagsData Filter threats by assigned tags to the related agent. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. false string
    agentVersions Include Agent versions false string []
    agentVersionsNin Excluded Agent versions false string []
    analystVerdicts Filter threats by a specific analyst verdict false string []
    analystVerdictsNin Exclude threats with specific analyst verdicts false string []
    awsRole__contains Free-text filter by aws role (supports multiple values) false string []
    awsSecurityGroups__contains Free-text filter by aws securityGroups (supports multiple values) false string []
    awsSubnetIds__contains Free-text filter by aws subnet ids (supports multiple values) false string []
    azureResourceGroup__contains Free-text filter by azure resource group (supports multiple values) false string []
    classifications List of threat classifications to search false string []
    classificationsNin List of threat classifications not to search false string []
    classificationSources Classification sources list false string []
    classificationSourcesNin Classification sources list to exclude false string []
    cloudAccount__contains Free-text filter by cloud account (supports multiple values) false string []
    cloudImage__contains Free-text filter by cloud image (supports multiple values) false string []
    cloudInstanceId__contains Free-text filter by cloud instance id (supports multiple values) false string []
    cloudInstanceSize__contains Free-text filter by cloud instance size (supports multiple values) false string []
    cloudLocation__contains Free-text filter by cloud location (supports multiple values) false string []
    cloudNetwork__contains Free-text filter by cloud network (supports multiple values) false string []
    cloudProvider Agents from which cloud provider false string []
    cloudProviderNin Exclude Agents from these cloud provider false string []
    collectionIds List of collection IDs to search false string []
    commandLineArguments__contains Free-text filter by threat command line arguments (supports multiple values) false string []
    computerName__contains Free-text filter by computer name (supports multiple values) false string []
    confidenceLevels Filter threats by a specific confidence level false string []
    confidenceLevelsNin Exclude threats with specific confidence level false string []
    containerImageName__contains Free-text filter by the endpoint container image name (supports multiple values) false string []
    containerLabels__contains Free-text filter by the endpoint container labels (supports multiple values) false string []
    containerName__contains Free-text filter by the endpoint container name (supports multiple values) false string []
    contentHash__contains Free-text filter by file content hash (supports multiple values) false string []
    contentHashes List of sha1 hashes to search for false string []
    countsFor comma-separated list of fields to be shown false string
    createdAt__gt Created at greater than. false string
    createdAt__gte Created at greater or equal than. false string
    createdAt__lt Created at lesser than. false string
    createdAt__lte Created at lesser or equal than. false string
    detectionAgentDomain__contains Free-text filter by Agent domain at detection time (supports multiple values) false string []
    detectionAgentVersion__contains Free-text filter by Agent version at detection time (supports multiple values) false string []
    detectionEngines Included engines false string []
    detectionEnginesNin Excluded engines false string []
    displayName Display name false string
    engines Included engines false string []
    enginesNin Excluded engines false string []
    externalTicketExists The threat contains ticket number false boolean
    externalTicketId__contains Free-text filter by the threat external ticket ID (supports multiple values) false string []
    externalTicketIds External ticket ID for the threat false string []
    failedActions At least one action failed on the threat false boolean
    filePath__contains Free-text filter by file path (supports multiple values) false string []
    gcpServiceAccount__contains Free-text filter by gcp service account (supports multiple values) false string []
    groupIds List of Group IDs to filter by false string []
    hasAgentTags Include only Threats whose Agent is assigned any tags if True, or none if False false boolean
    ids List of threat IDs false string []
    incidentStatuses Filter threats by a specific incident status false string []
    incidentStatusesNin Exclude threats with specific incident statuses false string []
    initiatedBy Only include threats from specific initiating sources false string []
    initiatedByNin Exclude threats with specific initiating sources false string []
    initiatedByUsername__contains Free-text filter by the username that initiated that threat (supports multiple values) false string []
    k8sClusterName__contains Free-text filter by the endpoint Kubernetes cluster name (supports multiple values) false string []
    k8sControllerLabels__contains Free-text filter by the endpoint Kubernetes controller labels (supports multiple values) false string []
    k8sControllerName__contains Free-text filter by the endpoint Kubernetes controller name (supports multiple values) false string []
    k8sNamespaceLabels__contains Free-text filter by the endpoint Kubernetes namespace labels (supports multiple values) false string []
    k8sNamespaceName__contains Free-text filter by the endpoint Kubernetes namespace name (supports multiple values) false string []
    k8sNodeLabels__contains Free-text filter by the endpoint Kubernetes node labels (supports multiple values) false string []
    k8sNodeName__contains Free-text filter by the endpoint Kubernetes node name (supports multiple values) false string []
    k8sPodLabels__contains Free-text filter by the endpoint Kubernetes pod labels (supports multiple values) false string []
    k8sPodName__contains Free-text filter by the endpoint Kubernetes pod name (supports multiple values) false string []
    limit Limit false integer
    mitigatedPreemptively If the threat was detected pre-execution or post-execution false boolean
    mitigationStatuses Filter threats by a specific status false string []
    mitigationStatusesNin Filter threats not by a specific status false string []
    noteExists The threat contains at least one note false boolean
    originatedProcess__contains Free-text filter by the originated process name of the threat (supports multiple values) false string []
    osArchs Included OS Architectures false string []
    osNames false string []
    osNamesNin false string []
    osTypes Included OS types false string []
    osTypesNin Excluded OS types false string []
    pendingActions At least one action is pending for the Agent for the threat false boolean
    publisherName__contains Free-text filter by threat's publisher name (supports multiple values) false string []
    query Full text search for fields: threat_details, content_hash, computer_name, file_path, uuid, detection_agent_version, realtime_agent_version, detection_agent_domain, command_line_arguments, initiated_by_username, storyline, originated_process, k8s_cluster_name, k8s_node_name, k8s_node_labels, k8s_namespace_name, k8s_namespace_labels, k8s_controller_name, k8s_controller_labels, k8s_pod_name, k8s_pod_labels, container_name, container_image_name, container_labels, external_ticket_id false string
    realtimeAgentVersion__contains Free-text filter by Agent version at current time (supports multiple values) false string []
    rebootRequired A reboot is required on any endpoint for at least one action on the threat false boolean
    resolved This is used for backward-compatibility with API 2.0. false boolean
    siteIds List of Site IDs to filter by false string []
    storyline__contains Free-text filter by threat storyline (supports multiple values) false string []
    storylines List of Agent context to search for false string []
    tenant Indicates a tenant scope request false boolean
    threatDetails__contains Free-text filter by threat details (supports multiple values) false string []
    updatedAt__gt Updated at greater than. false string
    updatedAt__gte Updated at greater or equal than. false string
    updatedAt__lt Updated at lesser than. false string
    updatedAt__lte Updated at lesser or equal than. false string
    uuid__contains Free-text filter by Agent UUID (supports multiple values) false string []
data Data false
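
Because an empty filter applies the action to all available threats, and rollback and remediate are applied only on some operating systems, a client-side guard in front of this endpoint is worth having. The following is an added example, not SentinelOne code: it validates the action, refuses an empty filter unless the caller opts in, and checks the "affected" count in the response. The function names, the allow_all switch and the lowercase "windows" token for osTypes are assumptions of this example (the page shows only "macos" as a sample value); the threat IDs are constructed.

```python
from typing import Any, Dict, Optional

# Action values listed on the page for /threats/mitigate/{action}.
VALID_ACTIONS = frozenset({
    "kill", "quarantine", "remediate", "rollback-remediation",
    "un-quarantine", "network-quarantine",
})

# Page text: rollback is applied only on Windows, remediate only on macOS
# and Windows. Mapping "Rollback" to "rollback-remediation" and the
# lowercase osTypes tokens are assumptions of this example.
OS_LIMITS = {
    "rollback-remediation": {"windows"},
    "remediate": {"macos", "windows"},
}


class MitigationGuardError(ValueError):
    """The request would be invalid or broader than the caller intended."""


def build_mitigate_request(action: str,
                           threat_filter: Optional[Dict[str, Any]],
                           allow_all: bool = False) -> Dict[str, Any]:
    """Return method, path and JSON body for a guarded mitigate call."""
    if action not in VALID_ACTIONS:
        raise MitigationGuardError(f"unknown mitigation action: {action!r}")
    flt = dict(threat_filter or {})
    if not flt and not allow_all:
        # An empty filter means "apply to all available threats".
        raise MitigationGuardError("empty filter; pass allow_all=True to confirm")
    supported = OS_LIMITS.get(action)
    if supported is not None:
        requested = {str(t).lower() for t in flt.get("osTypes", [])}
        unsupported = requested - supported
        if unsupported:
            raise MitigationGuardError(
                f"{action} is not applied on: {sorted(unsupported)}")
        if not requested:
            # Narrow the scope so "affected" only counts endpoints on which
            # the action is applied.
            flt["osTypes"] = sorted(supported)
    return {
        "method": "POST",
        "path": "/web/api/v2.1/threats/mitigate/" + action,
        "json": {"filter": flt},
    }


def summarize_mitigate_response(response: Dict[str, Any],
                                expected: int) -> Dict[str, Any]:
    """Compare data.affected with the number of threats the caller targeted.

    Only threats the user may mitigate are counted as affected, so a
    shortfall points at scope or permission gaps worth investigating.
    """
    if response.get("errors"):
        raise MitigationGuardError(f"API returned errors: {response['errors']}")
    affected = int((response.get("data") or {}).get("affected", 0))
    return {
        "affected": affected,
        "shortfall": max(expected - affected, 0),
        "complete": affected >= expected,
    }


if __name__ == "__main__":
    # Constructed threat IDs.
    req = build_mitigate_request(
        "quarantine", {"ids": ["1000000000000000001", "1000000000000000002"]})
    print(req["method"], req["path"], req["json"])
    print(summarize_mitigate_response({"data": {"affected": 1}}, expected=2))
```
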

Add to Blocklist
POST /web/api/v2.1/threats/add-to-blacklist

Add threats that have a SHA1 hash and that match the filter to the Blocklist of the target scope: Global, Account, Site, or Group.
Your role must have permissions to change the Blocklist - Admin, IR Team, SOC - and your user scope access must include the Agent. The target scope is the Group, Site, or Account of the Agent.

Response Messages
200 - Hash threat added to black list

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    affected Number of entities affected by the requested operation false integer
    details Result details for each threat false
        Name Description Required Value
        analystVerdict Result of changing the threat's analyst verdict as part of adding the threat to blocklist or exclusions false enum
        result Result of adding the threat to blocklist or exclusions false enum
        threatId Threat id false string
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    targetScope Scope to be used for Restrictions true enum
    description Description false string
    externalTicketId External ticket id false string
    note Note false string
filter Use any of the filtering options to control the list of affected threats. You can use any combination of filters to narrow down the list (For example "apply to only active threats from Linux endpoints"). You can also leave this field empty to apply to all available threats. true
    Name Description Required Value
    accountIds List of Account IDs to filter by false string []
    agentIds List of Agent IDs false string []
    agentIsActive Include Agents currently connected to the Management Console false boolean
    agentMachineTypes Include Agent machine types false string []
    agentMachineTypesNin Excluded Agent machine types false string []
    agentTagsData Filter threats by assigned tags to the related agent. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. false string
    agentVersions Include Agent versions false string []
    agentVersionsNin Excluded Agent versions false string []
    analystVerdicts Filter threats by a specific analyst verdict false string []
    analystVerdictsNin Exclude threats with specific analyst verdicts false string []
    awsRole__contains Free-text filter by aws role (supports multiple values) false string []
    awsSecurityGroups__contains Free-text filter by aws securityGroups (supports multiple values) false string []
    awsSubnetIds__contains Free-text filter by aws subnet ids (supports multiple values) false string []
    azureResourceGroup__contains Free-text filter by azure resource group (supports multiple values) false string []
    classifications List of threat classifications to search false string []
    classificationsNin List of threat classifications not to search false string []
    classificationSources Classification sources list false string []
    classificationSourcesNin Classification sources list to exclude false string []
    cloudAccount__contains Free-text filter by cloud account (supports multiple values) false string []
    cloudImage__contains Free-text filter by cloud image (supports multiple values) false string []
    cloudInstanceId__contains Free-text filter by cloud instance id (supports multiple values) false string []
    cloudInstanceSize__contains Free-text filter by cloud instance size (supports multiple values) false string []
    cloudLocation__contains Free-text filter by cloud location (supports multiple values) false string []
    cloudNetwork__contains Free-text filter by cloud network (supports multiple values) false string []
    cloudProvider Agents from which cloud provider false string []
    cloudProviderNin Exclude Agents from these cloud provider false string []
    collectionIds List of collection IDs to search false string []
    commandLineArguments__contains Free-text filter by threat command line arguments (supports multiple values) false string []
    computerName__contains Free-text filter by computer name (supports multiple values) false string []
    confidenceLevels Filter threats by a specific confidence level false string []
    confidenceLevelsNin Exclude threats with specific confidence level false string []
    containerImageName__contains Free-text filter by the endpoint container image name (supports multiple values) false string []
    containerLabels__contains Free-text filter by the endpoint container labels (supports multiple values) false string []
    containerName__contains Free-text filter by the endpoint container name (supports multiple values) false string []
    contentHash__contains Free-text filter by file content hash (supports multiple values) false string []
    contentHashes List of sha1 hashes to search for false string []
    countsFor comma-separated list of fields to be shown false string
    createdAt__gt Created at greater than. false string
    createdAt__gte Created at greater or equal than. false string
    createdAt__lt Created at lesser than. false string
    createdAt__lte Created at lesser or equal than. false string
    detectionAgentDomain__contains Free-text filter by Agent domain at detection time (supports multiple values) false string []
    detectionAgentVersion__contains Free-text filter by Agent version at detection time (supports multiple values) false string []
    detectionEngines Included engines false string []
    detectionEnginesNin Excluded engines false string []
    displayName Display name false string
    engines Included engines false string []
    enginesNin Excluded engines false string []
    externalTicketExists The threat contains ticket number false boolean
    externalTicketId__contains Free-text filter by the threat external ticket ID (supports multiple values) false string []
    externalTicketIds External ticket ID for the threat false string []
    failedActions At least one action failed on the threat false boolean
    filePath__contains Free-text filter by file path (supports multiple values) false string []
    gcpServiceAccount__contains Free-text filter by gcp service account (supports multiple values) false string []
    groupIds List of Group IDs to filter by false string []
    hasAgentTags Include only Threats whose Agent is assigned any tags if True, or none if False false boolean
    ids List of threat IDs false string []
    incidentStatuses Filter threats by a specific incident status false string []
    incidentStatusesNin Exclude threats with specific incident statuses false string []
    initiatedBy Only include threats from specific initiating sources false string []
    initiatedByNin Exclude threats with specific initiating sources false string []
    initiatedByUsername__contains Free-text filter by the username that initiated that threat (supports multiple values) false string []
    k8sClusterName__contains Free-text filter by the endpoint Kubernetes cluster name (supports multiple values) false string []
    k8sControllerLabels__contains Free-text filter by the endpoint Kubernetes controller labels (supports multiple values) false string []
    k8sControllerName__contains Free-text filter by the endpoint Kubernetes controller name (supports multiple values) false string []
    k8sNamespaceLabels__contains Free-text filter by the endpoint Kubernetes namespace labels (supports multiple values) false string []
    k8sNamespaceName__contains Free-text filter by the endpoint Kubernetes namespace name (supports multiple values) false string []
    k8sNodeLabels__contains Free-text filter by the endpoint Kubernetes node labels (supports multiple values) false string []
    k8sNodeName__contains Free-text filter by the endpoint Kubernetes node name (supports multiple values) false string []
    k8sPodLabels__contains Free-text filter by the endpoint Kubernetes pod labels (supports multiple values) false string []
    k8sPodName__contains Free-text filter by the endpoint Kubernetes pod name (supports multiple values) false string []
    limit Limit false integer
    mitigatedPreemptively If the threat was detected pre-execution or post-execution false boolean
    mitigationStatuses Filter threats by a specific status false string []
    mitigationStatusesNin Filter threats not by a specific status false string []
    noteExists The threat contains at least one note false boolean
    originatedProcess__contains Free-text filter by the originated process name of the threat (supports multiple values) false string []
    osArchs Included OS Architectures false string []
    osNames false string []
    osNamesNin false string []
    osTypes Included OS types false string []
    osTypesNin Excluded OS types false string []
    pendingActions At least one action is pending for the Agent for the threat false boolean
    publisherName__contains Free-text filter by threat's publisher name (supports multiple values) false string []
    query Full text search for fields: threat_details, content_hash, computer_name, file_path, uuid, detection_agent_version, realtime_agent_version, detection_agent_domain, command_line_arguments, initiated_by_username, storyline, originated_process, k8s_cluster_name, k8s_node_name, k8s_node_labels, k8s_namespace_name, k8s_namespace_labels, k8s_controller_name, k8s_controller_labels, k8s_pod_name, k8s_pod_labels, container_name, container_image_name, container_labels, external_ticket_id false string
    realtimeAgentVersion__contains Free-text filter by Agent version at current time (supports multiple values) false string []
    rebootRequired A reboot is required on any endpoint for at least one action on the threat false boolean
    resolved This is used for backward-compatibility with API 2.0. false boolean
    siteIds List of Site IDs to filter by false string []
    storyline__contains Free-text filter by threat storyline (supports multiple values) false string []
    storylines List of Agent context to search for false string []
    tenant Indicates a tenant scope request false boolean
    threatDetails__contains Free-text filter by threat details (supports multiple values) false string []
    updatedAt__gt Updated at greater than. false string
    updatedAt__gte Updated at greater or equal than. false string
    updatedAt__lt Updated at lesser than. false string
    updatedAt__lte Updated at lesser or equal than. false string
    uuid__contains Free-text filter by Agent UUID (supports multiple values) false string []

Fetch Threat File
POST /web/api/v2.1/threats/fetch-file

Fetch a file associated with the threat that matches the filter. Your user role must have permissions to Fetch Threat File - Admin, IR Team, SOC.

Response Messages
200 - Number of affected agents

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  affected Number of entities affected by the requested operation false integer
errors Errors false array

Body Schema
Name Description Required Value
data Data true
  Name Description Required Value
  password File encryption password true string
filter Use any of the filtering options to control the list of affected threats. You can use any combination of filters to narrow down the list (For example "apply to only active threats from Linux endpoints"). You can also leave this field empty to apply to all available threats. Note: Filter must match exactly one threat. Bulk operations are not supported. true
  Name Description Required Value
  accountIds List of Account IDs to filter by false string []
  agentIds List of Agent IDs false string []
  agentIsActive Include Agents currently connected to the Management Console false boolean
  agentMachineTypes Include Agent machine types false string []
  agentMachineTypesNin Excluded Agent machine types false string []
  agentTagsData Filter threats by assigned tags to the related agent. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. false string
  agentVersions Include Agent versions false string []
  agentVersionsNin Excluded Agent versions false string []
  analystVerdicts Filter threats by a specific analyst verdict false string []
  analystVerdictsNin Exclude threats with specific analyst verdicts false string []
  awsRole__contains Free-text filter by aws role (supports multiple values) false string []
  awsSecurityGroups__contains Free-text filter by aws securityGroups (supports multiple values) false string []
  awsSubnetIds__contains Free-text filter by aws subnet ids (supports multiple values) false string []
  azureResourceGroup__contains Free-text filter by azure resource group (supports multiple values) false string []
  classifications List of threat classifications to search false string []
  classificationsNin List of threat classifications not to search false string []
  classificationSources Classification sources list false string []
  classificationSourcesNin Classification sources list to exclude false string []
  cloudAccount__contains Free-text filter by cloud account (supports multiple values) false string []
  cloudImage__contains Free-text filter by cloud image (supports multiple values) false string []
  cloudInstanceId__contains Free-text filter by cloud instance id (supports multiple values) false string []
  cloudInstanceSize__contains Free-text filter by cloud instance size (supports multiple values) false string []
  cloudLocation__contains Free-text filter by cloud location (supports multiple values) false string []
  cloudNetwork__contains Free-text filter by cloud network (supports multiple values) false string []
  cloudProvider Agents from which cloud provider false string []
  cloudProviderNin Exclude Agents from these cloud provider false string []
  collectionIds List of collection IDs to search false string []
  commandLineArguments__contains Free-text filter by threat command line arguments (supports multiple values) false string []
  computerName__contains Free-text filter by computer name (supports multiple values) false string []
  confidenceLevels Filter threats by a specific confidence level false string []
  confidenceLevelsNin Exclude threats with specific confidence level false string []
  containerImageName__contains Free-text filter by the endpoint container image name (supports multiple values) false string []
  containerLabels__contains Free-text filter by the endpoint container labels (supports multiple values) false string []
  containerName__contains Free-text filter by the endpoint container name (supports multiple values) false string []
  contentHash__contains Free-text filter by file content hash (supports multiple values) false string []
  contentHashes List of sha1 hashes to search for false string []
  countsFor comma-separated list of fields to be shown false string
  createdAt__gt Created at greater than. false string
  createdAt__gte Created at greater or equal than. false string
  createdAt__lt Created at lesser than. false string
  createdAt__lte Created at lesser or equal than. false string
  detectionAgentDomain__contains Free-text filter by Agent domain at detection time (supports multiple values) false string []
  detectionAgentVersion__contains Free-text filter by Agent version at detection time (supports multiple values) false string []
  detectionEngines Included engines false string []
  detectionEnginesNin Excluded engines false string []
  displayName Display name false string
  engines Included engines false string []
  enginesNin Excluded engines false string []
  externalTicketExists The threat contains ticket number false boolean
  externalTicketId__contains Free-text filter by the threat external ticket ID (supports multiple values) false string []
  externalTicketIds External ticket ID for the threat false string []
  failedActions At least one action failed on the threat false boolean
  filePath__contains Free-text filter by file path (supports multiple values) false string []
  gcpServiceAccount__contains Free-text filter by gcp service account (supports multiple values) false string []
  groupIds List of Group IDs to filter by false string []
  hasAgentTags Include only Threats whose Agent is assigned any tags if True, or none if False false boolean
  ids List of threat IDs false string []
  incidentStatuses Filter threats by a specific incident status false string []
  incidentStatusesNin Exclude threats with specific incident statuses false string []
  initiatedBy Only include threats from specific initiating sources false string []
  initiatedByNin Exclude threats with specific initiating sources false string []
  initiatedByUsername__contains Free-text filter by the username that initiated that threat (supports multiple values) false string []
  k8sClusterName__contains Free-text filter by the endpoint Kubernetes cluster name (supports multiple values) false string []
  k8sControllerLabels__contains Free-text filter by the endpoint Kubernetes controller labels (supports multiple values) false string []
  k8sControllerName__contains Free-text filter by the endpoint Kubernetes controller name (supports multiple values) false string []
  k8sNamespaceLabels__contains Free-text filter by the endpoint Kubernetes namespace labels (supports multiple values) false string []
  k8sNamespaceName__contains Free-text filter by the endpoint Kubernetes namespace name (supports multiple values) false string []
  k8sNodeLabels__contains Free-text filter by the endpoint Kubernetes node labels (supports multiple values) false string []
  k8sNodeName__contains Free-text filter by the endpoint Kubernetes node name (supports multiple values) false string []
  k8sPodLabels__contains Free-text filter by the endpoint Kubernetes pod labels (supports multiple values) false string []
  k8sPodName__contains Free-text filter by the endpoint Kubernetes pod name (supports multiple values) false string []
  mitigatedPreemptively If the threat was detected pre-execution or post-execution false boolean
  mitigationStatuses Filter threats by a specific status false string []
  mitigationStatusesNin Filter threats not by a specific status false string []
  noteExists The threat contains at least one note false boolean
  originatedProcess__contains Free-text filter by the originated process name of the threat (supports multiple values) false string []
  osArchs Included OS Architectures false string []
  osNames false string []
  osNamesNin false string []
  osTypes Included OS types false string []
  osTypesNin Excluded OS types false string []
  pendingActions At least one action is pending for the Agent for the threat false boolean
  publisherName__contains Free-text filter by threat's publisher name (supports multiple values) false string []
  query Full text search for fields: threat_details, content_hash, computer_name, file_path, uuid, detection_agent_version, realtime_agent_version, detection_agent_domain, command_line_arguments, initiated_by_username, storyline, originated_process, k8s_cluster_name, k8s_node_name, k8s_node_labels, k8s_namespace_name, k8s_namespace_labels, k8s_controller_name, k8s_controller_labels, k8s_pod_name, k8s_pod_labels, container_name, container_image_name, container_labels, external_ticket_id false string
  realtimeAgentVersion__contains Free-text filter by Agent version at current time (supports multiple values) false string []
  rebootRequired A reboot is required on any endpoint for at least one action on the threat false boolean
  resolved This is used for backward-compatibility with API 2.0. false boolean
  siteIds List of Site IDs to filter by false string []
  storyline__contains Free-text filter by threat storyline (supports multiple values) false string []
  storylines List of Agent context to search for false string []
  tenant Indicates a tenant scope request false boolean
  threatDetails__contains Free-text filter by threat details (supports multiple values) false string []
  updatedAt__gt Updated at greater than. false string
  updatedAt__gte Updated at greater or equal than. false string
  updatedAt__lt Updated at lesser than. false string
  updatedAt__lte Updated at lesser or equal than. false string
  uuid__contains Free-text filter by Agent UUID (supports multiple values) false string []

Disable Engines
POST /web/api/v2.1/threats/engines/disable

If your list of threats shows too many False Positives, use this command to troubleshoot the Agent Engines that return unexpected results in your deployment. Valid values: "penetration", "dataFiles", "exploits", "reputation", "executables", "preExecutionSuspicious", "preExecution", "lateralMovement", and "pup".

Response Messages
200 - Engines disabled

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  success Indicates a successful operation false boolean
errors Errors false array

Body Schema
Name Description Required Value
data Data false
  Name Description Required Value
  engines List of engines false string []

Exclusion Options
GET /web/api/v2.1/threats/{threat_id}/whitening-options

Get the Exclusion types that can be created from the detection data.
For example, if a threat is a file with a detected SHA1 hash and pathname, the values of the whiteningOptions in the response are "path" and "file_hash". This command requires the ID of the threat, which you can get from "threats" (see Get Threats). To create an Exclusion, see Exclusions.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  threatPolicy Threat policy false string
  threatType Threat type false string []
  whiteningOptions Available exclusion options false string []
errors Errors false array

Get Events
GET /web/api/v2.1/threats/{threat_id}/explore/events

Get all threat events.

Parameters
countonly optional If true, only total number of items will be returned, without any of the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
eventid optional Filter by a specific process key and its children
eventsubtypes optional Filter events by sub-type. Example: "PROCESSCREATION".
eventtypes optional Filter events by type. Example: "events".
limit optional Limit number of returned items (1-1000). Example: "10".
processname__like optional Filter by process name (substring)
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
  Name Description Required Value
  totalItems Total number of items found matching your query true integer
  nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
  Name Description Required Value
  agentDomain Agent domain true string
  agentGroupId Agent group id true string
  agentId Agent id true string
  agentInfected Agent infected true boolean
  agentIp Agent ip true string
  agentIsActive Agent is active true boolean
  agentIsDecommissioned Agent is decommissioned true boolean
  agentMachineType Agent machine type true string
  agentName Agent name true string
  agentNetworkStatus Agent network status true string
  agentOs OS type true enum
  agentUuid Agent uuid true string
  agentVersion Agent version true string
  createdAt Created at true string
  id Id true string
  objectType Object type true enum
  processName Process name true string
  siteId Site id true string
  siteName Site name true string
  activeContentFileId Active content file id false string
  activeContentHash Active content hash false string
  activeContentPath Active content path false string
  connectionStatus Connection status false string
  direction Direction false string
  dnsRequest Dns request false string
  dnsResponse Dns response false string
  dstIp Dst ip false string
  dstPort Dst port false integer
  eventType Event type false string
  fileFullName File full name false string
  fileId File id false string
  fileMd5 File md5 false string
  fileSha1 File sha1 false string
  fileSha256 File sha256 false string
  fileSize File size false string
  fileType File type false string
  hasActiveContent Has active content false boolean
  indicatorCategory Indicator category false string
  indicatorDescription Indicator description false string
  indicatorMetadata Indicator metadata false string
  indicatorName Indicator name false string
  loginsBaseType Logins base type false string
  loginsUserName Logins user name false string
  md5 Md5 false string
  networkMethod Network method false string
  networkSource Network source false string
  networkUrl Network url false string
  oldFileMd5 Old file md5 false string
  oldFileName Old file name false string
  oldFileSha1 Old file sha1 false string
  oldFileSha256 Old file sha256 false string
  parentPid Parent pid false string
  parentProcessGroupId Parent process group id false string
  parentProcessIsMalicious Parent process is malicious false boolean
  parentProcessName Parent process name false string
  parentProcessUniqueKey Parent process unique key false string
  pid Pid false string
  processCmd Process cmd false string
  processDisplayName Process display name false string
  processGroupId Process group id false string
  processImagePath Process image path false string
  processImageSha1Hash Process image sha1 hash false string
  processIntegrityLevel Process integrity level false string
  processIsMalicious Process is malicious false boolean
  processIsRedirectedCommandProcessor Process is redirected command processor false string
  processIsWow64 Process is wow64 false string
  processRoot Process root false string
  processSessionId Process session id false string
  processStartTime Process start time false string
  processSubSystem Process sub system false string
  processUniqueKey Process unique key false string
  processUserName Process user name false string
  protocol Protocol false string
  publisher Publisher false string
  registryClassification Registry classification false string
  registryId Registry id false string
  registryPath Registry path false string
  relatedToThreat Related to threat false boolean
  rpid Rpid false string
  sha1 Sha1 false string
  sha256 Sha256 false string
  signatureSignedInvalidReason Signature signed invalid reason false string
  signedStatus Signed status false string
  srcIp Src ip false string
  srcPort Src port false integer
  storyline Storyline false string
  taskName Task name false string
  taskPath Task path false string
  threatStatus Threat status false string
  tid Tid false string
  trueContext [DEPRECATED] Use "storyline" instead false string
  user User false string
  verifiedStatus Verified status false string
errors Errors false array
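
The cursor and nextCursor fields described above for Get Events can be walked as follows. This Python is an added example, not SentinelOne code: the transport callable `get_json`, the helper names and the `FakeConsole` stand-in are hypothetical, and query parameter names are spelled as in the Parameters list above.

```python
import base64
from collections import Counter
from typing import Callable, Dict, Iterable, Iterator, List

EVENTS_PATH = "/web/api/v2.1/threats/{threat_id}/explore/events"
MAX_LIMIT = 1000  # the Parameters list documents limit as 1-1000

# Assumed transport: get_json(path, query_params) -> decoded JSON response body.
GetJson = Callable[[str, Dict[str, str]], dict]


def iter_threat_events(get_json: GetJson, threat_id: str,
                       limit: int = MAX_LIMIT, **filters: str) -> Iterator[dict]:
    """Yield every event of one threat by following pagination.nextCursor."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be within 1-1000")
    path = EVENTS_PATH.format(threat_id=threat_id)
    # skipcount=true: the total is not needed when every page is read anyway.
    params = {"limit": str(limit), "skipcount": "true", **filters}
    seen_cursors = set()
    while True:
        body = get_json(path, dict(params))
        if body.get("errors"):
            raise RuntimeError(f"API returned errors: {body['errors']}")
        yield from body.get("data") or []
        cursor = (body.get("pagination") or {}).get("nextCursor")
        if not cursor:                 # null once the last page is reached
            return
        if cursor in seen_cursors:     # a repeated cursor would loop forever
            raise RuntimeError("nextCursor repeated; aborting pagination")
        seen_cursors.add(cursor)
        params["cursor"] = cursor      # opaque value, passed back unchanged


def flagged_process_counts(events: Iterable[dict]) -> Counter:
    """Count events per processName where the process or its parent is flagged."""
    counts: Counter = Counter()
    for event in events:
        if event.get("processIsMalicious") or event.get("parentProcessIsMalicious"):
            counts[event["processName"]] += 1
    return counts


class FakeConsole:
    """Constructed stand-in for the Management Console, for offline runs only."""

    def __init__(self, events: List[dict]):
        self.events = events
        self.calls = 0

    def get_json(self, path: str, params: Dict[str, str]) -> dict:
        self.calls += 1
        start = 0
        if "cursor" in params:
            start = int(base64.b64decode(params["cursor"]).decode().split(":")[1])
        end = start + int(params["limit"])
        has_more = end < len(self.events)
        next_cursor = (base64.b64encode(f"offset:{end}".encode()).decode()
                       if has_more else None)
        return {"pagination": {"nextCursor": next_cursor},
                "data": self.events[start:end]}


def demo():
    # Constructed events that use only field names from the response schema.
    events = [{"id": str(i),
               "processName": "powershell.exe" if i % 3 == 0 else "svchost.exe",
               "processIsMalicious": i % 3 == 0,
               "parentProcessIsMalicious": False}
              for i in range(7)]
    console = FakeConsole(events)
    fetched = list(iter_threat_events(console.get_json,
                                      "THREAT_ID_PLACEHOLDER", limit=3))
    return fetched, console.calls, flagged_process_counts(fetched)


if __name__ == "__main__":
    fetched, calls, counts = demo()
    print(len(fetched), "events in", calls, "requests;", dict(counts))
```
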

Add to Exclusions
POST /web/api/v2.1/threats/add-to-exclusions

Add a threat to exclusions. The "whitening option" is required.


When you create an exclusion, you override the "malicious" verdict of the Agent for a detection. This can open holes in your security deployment. Use with caution.
Best practice: Use the most specific definition of the exclusion possible and the lowest mode possible.


Response Messages
200 - Added to exclusions

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  Name Description Required Value
  affected Number of entities affected by the requested operation false integer
  details Result details for each threat false
    Name Description Required Value
    analystVerdict Result of changing the threat's analyst verdict as part of adding the threat to blocklist or exclusions false enum
    result Result of adding the threat to blocklist or exclusions false enum
    threatId Threat id false string
errors Errors false array

Body Schema
Name Description Required Value
data Data true
  Name Description Required Value
  targetScope Scope to be used for Exclusions true enum
  type Selected Exclusion type true enum
  actions Actions to perform false string []
  description Description false string
  externalTicketId External ticket id false string
  macroModules Macro modules false
    Name Description Required Value
    description Description false string
    hashes Hashes false string []
  mode Exclusion mode (path exclusion only) false enum
  note Note false string
  pathExclusionType Excluded path for a path exclusion list false string
  value Optional. If not provided, the relevant value from the Threat will be used false string
filter Use any of the filtering options to control the list of affected threats. You can use any combination of filters to narrow down the list (For example "apply to only active threats from Linux endpoints"). You can also leave this field empty to apply to all available threats. true
  Name Description Required Value
  accountIds List of Account IDs to filter by false string []
  agentIds List of Agent IDs false string []
  agentIsActive Include Agents currently connected to the Management Console false boolean
  agentMachineTypes Include Agent machine types false string []
  agentMachineTypesNin Excluded Agent machine types false string []
  agentTagsData Filter threats by assigned tags to the related agent. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. false string
  agentVersions Include Agent versions false string []
  agentVersionsNin Excluded Agent versions false string []
  analystVerdicts Filter threats by a specific analyst verdict false string []
  analystVerdictsNin Exclude threats with specific analyst verdicts false string []
  awsRole__contains Free-text filter by aws role (supports multiple values) false string []
  awsSecurityGroups__contains Free-text filter by aws securityGroups (supports multiple values) false string []
  awsSubnetIds__contains Free-text filter by aws subnet ids (supports multiple values) false string []
  azureResourceGroup__contains Free-text filter by azure resource group (supports multiple values) false string []
  classifications List of threat classifications to search false string []
  classificationsNin List of threat classifications not to search false string []
  classificationSources Classification sources list false string []
  classificationSourcesNin Classification sources list to exclude false string []
  cloudAccount__contains Free-text filter by cloud account (supports multiple values) false string []
  cloudImage__contains Free-text filter by cloud image (supports multiple values) false string []
  cloudInstanceId__contains Free-text filter by cloud instance id (supports multiple values) false string []
  cloudInstanceSize__contains Free-text filter by cloud instance size (supports multiple values) false string []
  cloudLocation__contains Free-text filter by cloud location (supports multiple values) false string []
  cloudNetwork__contains Free-text filter by cloud network (supports multiple values) false string []
  cloudProvider Agents from which cloud provider false string []
  cloudProviderNin Exclude Agents from these cloud provider false string []
  collectionIds List of collection IDs to search false string []
  commandLineArguments__contains Free-text filter by threat command line arguments (supports multiple values) false string []
  computerName__contains Free-text filter by computer name (supports multiple values) false string []
  confidenceLevels Filter threats by a specific confidence level false string []
  confidenceLevelsNin Exclude threats with specific confidence level false string []
  containerImageName__contains Free-text filter by the endpoint container image name (supports multiple values) false string []
  containerLabels__contains Free-text filter by the endpoint container labels (supports multiple values) false string []
  containerName__contains Free-text filter by the endpoint container name (supports multiple values) false string []
  contentHash__contains Free-text filter by file content hash (supports multiple values) false string []
  contentHashes List of sha1 hashes to search for false string []
  countsFor comma-separated list of fields to be shown false string
  createdAt__gt Created at greater than. false string
  createdAt__gte Created at greater or equal than. false string
  createdAt__lt Created at lesser than. false string
  createdAt__lte Created at lesser or equal than. false string
  detectionAgentDomain__contains Free-text filter by Agent domain at detection time (supports multiple values) false string []
  detectionAgentVersion__contains Free-text filter by Agent version at detection time (supports multiple values) false string []
  detectionEngines Included engines false string []
  detectionEnginesNin Excluded engines false string []
  displayName Display name false string
  engines Included engines false string []
  enginesNin Excluded engines false string []
  externalTicketExists The threat contains ticket number false boolean
  externalTicketId__contains Free-text filter by the threat external ticket ID (supports multiple values) false string []
  externalTicketIds External ticket ID for the threat false string []
  failedActions At least one action failed on the threat false boolean
  filePath__contains Free-text filter by file path (supports multiple values) false string []
  gcpServiceAccount__contains Free-text filter by gcp service account (supports multiple values) false string []
  groupIds List of Group IDs to filter by false string []
  hasAgentTags Include only Threats whose Agent is assigned any tags if True, or none if False false boolean
  ids List of threat IDs false string []
  incidentStatuses Filter threats by a specific incident status false string []
  incidentStatusesNin Exclude threats with specific incident statuses false string []
  initiatedBy Only include threats from specific initiating sources false string []
  initiatedByNin Exclude threats with specific initiating sources false string []
  initiatedByUsername__contains Free-text filter by the username that initiated that threat (supports multiple values) false string []
  k8sClusterName__contains Free-text filter by the endpoint Kubernetes cluster name (supports multiple values) false string []
  k8sControllerLabels__contains Free-text filter by the endpoint Kubernetes controller labels (supports multiple values) false string []
  k8sControllerName__contains Free-text filter by the endpoint Kubernetes controller name (supports multiple values) false string []
  k8sNamespaceLabels__contains Free-text filter by the endpoint Kubernetes namespace labels (supports multiple values) false string []
  k8sNamespaceName__contains Free-text filter by the endpoint Kubernetes namespace name (supports multiple values) false string []
  k8sNodeLabels__contains Free-text filter by the endpoint Kubernetes node labels (supports multiple values) false string []
  k8sNodeName__contains Free-text filter by the endpoint Kubernetes node name (supports multiple values) false string []
  k8sPodLabels__contains Free-text filter by the endpoint Kubernetes pod labels (supports multiple values) false string []
  k8sPodName__contains Free-text filter by the endpoint Kubernetes pod name (supports multiple values) false string []
  limit Limit false integer
  mitigatedPreemptively If the threat was detected pre-execution or post-execution false boolean
  mitigationStatuses Filter threats by a specific status false string []
  mitigationStatusesNin Filter threats not by a specific status false string []
  noteExists The threat contains at least one note false boolean
  originatedProcess__contains Free-text filter by the originated process name of the threat (supports multiple values) false string []
  osArchs Included OS Architectures false string []
  osNames false string []
  osNamesNin false string []
  osTypes Included OS types false string []
  osTypesNin Excluded OS types false string []
  pendingActions At least one action is pending for the Agent for the threat false boolean
  publisherName__contains Free-text filter by threat's publisher name (supports multiple values) false string []
  query Full text search for fields: threat_details, content_hash, computer_name, file_path, uuid, detection_agent_version, realtime_agent_version, detection_agent_domain, command_line_arguments, initiated_by_username, storyline, originated_process, k8s_cluster_name, k8s_node_name, k8s_node_labels, k8s_namespace_name, k8s_namespace_labels, k8s_controller_name, k8s_controller_labels, k8s_pod_name, k8s_pod_labels, container_name, container_image_name, container_labels, external_ticket_id false string
  realtimeAgentVersion__contains Free-text filter by Agent version at current time (supports multiple values) false string []
  rebootRequired A reboot is required on any endpoint for at least one action on the threat false boolean
  resolved This is used for backward-compatibility with API 2.0. false boolean
  siteIds List of Site IDs to filter by false string []
  storyline__contains Free-text filter by threat storyline (supports multiple values) false string []
  storylines List of Agent context to search for false string []
  tenant Indicates a tenant scope request false boolean
  threatDetails__contains Free-text filter by threat details (supports multiple values) false string []
  updatedAt__gt Updated at greater than. false string
  updatedAt__gte Updated at greater or equal than. false string
  updatedAt__lt Updated at lesser than. false string
  updatedAt__lte Updated at lesser or equal than. false string
  uuid__contains Free-text filter by Agent UUID (supports multiple values) false string []
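
The best practice stated for Add to Exclusions (the most specific exclusion possible, and a filter that is not left empty) can be enforced on the client before the request is sent. This Python is an added example, not SentinelOne code: the function names are hypothetical, it assumes `type` accepts the same strings that `whiteningOptions` returns, and the scope and mode strings are placeholders because the page does not list the enum values.

```python
from typing import List, Optional

# Option names quoted on the page, most specific first: a hash pins one exact
# file, while a path trusts whatever is stored at that location.
SPECIFICITY_ORDER = ["file_hash", "path"]


class ExclusionRejected(ValueError):
    """The requested exclusion is unavailable or broader than it needs to be."""


def available_options(whitening_response: dict) -> List[str]:
    """Read whiteningOptions from a GET .../whitening-options response body."""
    if whitening_response.get("errors"):
        raise ExclusionRejected(
            f"whitening-options errors: {whitening_response['errors']}")
    data = whitening_response.get("data") or {}
    return list(data.get("whiteningOptions") or [])


def build_exclusion_body(threat_id: str, whitening_response: dict,
                         target_scope: str,
                         exclusion_type: Optional[str] = None,
                         mode: Optional[str] = None,
                         path_exclusion_type: Optional[str] = None,
                         note: Optional[str] = None,
                         allow_less_specific: bool = False) -> dict:
    """Return the JSON body for POST /web/api/v2.1/threats/add-to-exclusions."""
    if not threat_id:
        # An empty filter applies to all available threats, so pin one ID.
        raise ExclusionRejected("a threat ID is required; refusing an empty filter")
    options = available_options(whitening_response)
    ranked = [opt for opt in SPECIFICITY_ORDER if opt in options]
    chosen = exclusion_type or (ranked[0] if ranked else None)
    if chosen is None:
        raise ExclusionRejected(f"no ranked option in {options}; pass exclusion_type")
    if chosen not in options:
        raise ExclusionRejected(f"{chosen!r} is not offered for this threat: {options}")
    if chosen in ranked and chosen != ranked[0] and not allow_less_specific:
        raise ExclusionRejected(
            f"{ranked[0]!r} is available and narrower than {chosen!r}")
    if chosen != "path" and (mode or path_exclusion_type):
        raise ExclusionRejected(
            "mode and pathExclusionType apply to path exclusions only")
    data = {"targetScope": target_scope, "type": chosen}
    optional = (("mode", mode), ("pathExclusionType", path_exclusion_type),
                ("note", note))
    for key, value in optional:
        if value:
            data[key] = value
    return {"data": data, "filter": {"ids": [threat_id]}}


# Constructed whitening-options response for a file threat with hash and path.
SAMPLE_WHITENING = {"data": {"whiteningOptions": ["path", "file_hash"]},
                    "errors": None}


def demo() -> dict:
    return build_exclusion_body("THREAT_ID_PLACEHOLDER", SAMPLE_WHITENING,
                                target_scope="TARGET_SCOPE_PLACEHOLDER",
                                note="constructed example note")


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```
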

Export Threats
GET /web/api/v2.1/threats/export

Export data of threats (as seen in the Console > Incidents) that match the filter. Note: Use the filter. This command exports only 20,000 items (each datum is an item).

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
agentids optional List of Agent IDs. Example:
"225494730938493804,225494730938493915".
agentisactive optional Include Agents currently connected to the Management Console
agentmachinetypes optional Include Agent machine types. Example: "unknown".
agentmachinetypesnin optional Excluded Agent machine types. Example: "unknown".
agenttagsdata optional Filter threats by assigned tags to the related agent. Given in form of
a JSON where each key represents a tag key, and each value
represents a list of string values to filter by. To filter by unassigned
tag values, use __nin suffix in the tag key. Example: "{"key1":
["value1_1", "value1_2"], "key2__nin": ["value2"]}".
agentversions optional Include Agent versions. Example: "2.5.1.1320".
agentversionsnin optional Excluded Agent versions. Example: "2.5.1.1320".
analystverdicts optional Filter threats by a specific analyst verdict. Example:
"true_positive,suspicious".
analystverdictsnin optional Exclude threats with specific analyst verdicts. Example:
"true_positive,suspicious".
awsrole__contains optional Free-text filter by aws role(supports multiple values)
awssecuritygroups__co optional Free-text filter by aws securityGroups(supports multiple values)
ntains
awssubnetids__contai optional Free-text filter by aws subnet ids (supports multiple values)
ns
azureresourcegroup__c optional Free-text filter by azure resource group(supports multiple values)
ontains
classifications optional List of threat classifications to search
classificationsnin optional List of threat classifications not to search

2478
classificationsources optional Classification sources list. Example: "Cloud".
classificationsourcesni optional Classification sources list to exclude. Example: "Cloud".
n
cloudaccount__contain optional Free-text filter by cloud account (supports multiple values)
s
cloudimage__contains optional Free-text filter by cloud image (supports multiple values)
cloudinstanceid__cont optional Free-text filter by cloud instance id(supports multiple values)
ains
cloudinstancesize__co optional Free-text filter by cloud instance size(supports multiple values)
ntains
cloudlocation__contai optional Free-text filter by cloud location (supports multiple values)
ns
cloudnetwork__contai optional Free-text filter by cloud network (supports multiple values)
ns
cloudprovider optional Agents from which cloud provider
cloudprovidernin optional Exclude Agents from these cloud provider
collectionids optional List of collection IDs to search. Example: "225494730938493804,225494730938493915".
commandlinearguments__contains optional Free-text filter by threat command line arguments (supports multiple values). Example: "/usr/sbin/,wget".
computername__contains optional Free-text filter by computer name (supports multiple values). Example: "john-office,WIN".
confidencelevels optional Filter threats by a specific confidence level. Example: "malicious".
confidencelevelsnin optional Exclude threats with specific confidence level. Example: "malicious".
containerimagename__contains optional Free-text filter by the endpoint container image name (supports multiple values)
containerlabels__contains optional Free-text filter by the endpoint container labels (supports multiple values)
containername__contains optional Free-text filter by the endpoint container name (supports multiple values)
contenthash__contains optional Free-text filter by file content hash (supports multiple values). Example: "5f09bcff3".
contenthashes optional List of sha1 hashes to search for. Example: "d,d,d,5,0,3,0,a,3,d,0,2,9,f,3,8,4,5,f,c,1,0,5,2,4,1,9,8,2,9,f,0,8,f,3,1,2,2,4,0".
countsfor optional comma-separated list of fields to be shown. Example: "osTypes,machineTypes".
createdat__gt optional Created at greater than. Example: "2018-02-27T04:49:26.257525Z".
createdat__gte optional Created at greater or equal than. Example: "2018-02-27T04:49:26.257525Z".
createdat__lt optional Created at lesser than. Example: "2018-02-27T04:49:26.257525Z".
createdat__lte optional Created at lesser or equal than. Example: "2018-02-27T04:49:26.257525Z".
detectionagentdomain__contains optional Free-text filter by Agent domain at detection time (supports multiple values). Example: "sentinel,sentinelone.com".
detectionagentversion__contains optional Free-text filter by Agent version at detection time (supports multiple values). Example: "1.1.1.1,2.2.".
detectionengines optional Included engines. Example: "reputation".
detectionenginesnin optional Excluded engines. Example: "reputation".
displayname optional Display name
engines optional Included engines. Example: "reputation".
enginesnin optional Excluded engines. Example: "reputation".
externalticketexists optional The threat contains ticket number
externalticketid__contains optional Free-text filter by the threat external ticket ID (supports multiple values)
externalticketids optional External ticket ID for the threat
failedactions optional At least one action failed on the threat
filepath__contains optional Free-text filter by file path (supports multiple values). Example: "\MyUser\Downloads".
gcpserviceaccount__contains optional Free-text filter by gcp service account (supports multiple values)
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
hasagenttags optional Include only Threats whose Agent is assigned any tags if True, or none if False
ids optional List of threat IDs. Example: "225494730938493804,225494730938493915".
incidentstatuses optional Filter threats by a specific incident status. Example: "unresolved,in_progress".
incidentstatusesnin optional Exclude threats with specific incident statuses. Example: "unresolved,in_progress".
initiatedby optional Only include threats from specific initiating sources. Example: "agent_policy,dv_command".
initiatedbynin optional Exclude threats with specific initiating sources. Example: "agent_policy,dv_command".
initiatedbyusername__contains optional Free-text filter by the username that initiated that threat (supports multiple values). Example: "John,John Doe".
k8sclustername__contains optional Free-text filter by the endpoint Kubernetes cluster name (supports multiple values)
k8scontrollerlabels__contains optional Free-text filter by the endpoint Kubernetes controller labels (supports multiple values)
k8scontrollername__contains optional Free-text filter by the endpoint Kubernetes controller name (supports multiple values)
k8snamespacelabels__contains optional Free-text filter by the endpoint Kubernetes namespace labels (supports multiple values)
k8snamespacename__contains optional Free-text filter by the endpoint Kubernetes namespace name (supports multiple values)
k8snodelabels__contains optional Free-text filter by the endpoint Kubernetes node labels (supports multiple values)
k8snodename__contains optional Free-text filter by the endpoint Kubernetes node name (supports multiple values)
k8spodlabels__contains optional Free-text filter by the endpoint Kubernetes pod labels (supports multiple values)
k8spodname__contains optional Free-text filter by the endpoint Kubernetes pod name (supports multiple values)
mitigatedpreemptively optional If the threat was detected pre-execution or post-execution
mitigationstatuses optional Filter threats by a specific status. Example: "not_mitigated".
mitigationstatusesnin optional Filter threats not by a specific status. Example: "not_mitigated".
noteexists optional The threat contains at least one note
originatedprocess__contains optional Free-text filter by the originated process name of the threat (supports multiple values)
osarchs optional Included OS Architectures. Example: "32 bit".
osnames optional
osnamesnin optional
ostypes optional Included OS types. Example: "macos".
ostypesnin optional Excluded OS types. Example: "macos".
pendingactions optional At least one action is pending for the Agent for the threat
publishername__contains optional Free-text filter by threat's publisher name (supports multiple values). Example: "GOOGLE,Apple Inc.".
query optional Full text search for fields: threat_details, content_hash, computer_name, file_path, uuid, detection_agent_version, realtime_agent_version, detection_agent_domain, command_line_arguments, initiated_by_username, storyline, originated_process, k8s_cluster_name, k8s_node_name, k8s_node_labels, k8s_namespace_name, k8s_namespace_labels, k8s_controller_name, k8s_controller_labels, k8s_pod_name, k8s_pod_labels, container_name, container_image_name, container_labels, external_ticket_id
realtimeagentversion__contains optional Free-text filter by Agent version at current time (supports multiple values). Example: "1.1.1.1,2.2.".
rebootrequired optional A reboot is required on any endpoint for at least one action on the threat
resolved optional This is used for backward-compatibility with API 2.0.
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
storyline__contains optional Free-text filter by threat storyline (supports multiple values). Example: "0000C2E97648,0006FC73-77B4-470F-AAC7-".
storylines optional List of Agent context to search for
tenant optional Indicates a tenant scope request
threatdetails__contains optional Free-text filter by threat details (supports multiple values). Example: "malware.exe,virus.exe".
updatedat__gt optional Updated at greater than. Example: "2018-02-27T04:49:26.257525Z".
updatedat__gte optional Updated at greater or equal than. Example: "2018-02-27T04:49:26.257525Z".
updatedat__lt optional Updated at lesser than. Example: "2018-02-27T04:49:26.257525Z".
updatedat__lte optional Updated at lesser or equal than. Example: "2018-02-27T04:49:26.257525Z".
uuid__contains optional Free-text filter by Agent UUID (supports multiple values). Example: "e92-01928,b055".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Add to Blocklist (Deep Visibility)


POST /web/api/v2.1/threats/dv-add-to-blacklist

From Deep Visibility results, add a SHA1 hash to the Blocklist. Set the scope of the Blocklist: Global, Account, Site, or Group. The SHA1 and the Agent ID are required (see Deep
Visibility > Get Events). Your role must have permissions to change the Blocklist - Admin, IR Team, SOC - and your user scope access must include the scope of the Agent. The
target scope is the Group, Site, or Account of the Agent.
Deep Visibility requires Complete SKU.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false Name Description Required Value
affected Number of entities affected by the requested operation false integer

errors Errors false array

Body Schema
Name Description Required Value
data Data true Name Description Required Value
targetScope Scope of Restrictions to which each hash is added true enum
hashes List of hashes with their source agents false Name Description Required Value
agentId Agent that reported the DV event true string
hash Hash to add to Restrictions false string

Mark as Threat (Deep Visibility)
POST /web/api/v2.1/threats/dv-mark-as-threat

Mark an event from Deep Visibility data as a threat (see Deep Visibility > Get Events). Your role must have permissions to Mark as Threat - Admin, IR Team, SOC. The item
becomes marked as a threat and the Management adds it to the blocklist. If this threat is detected on an endpoint, the Agent blocks it immediately.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false Name Description Required Value
affected Number of entities affected by the requested operation false integer

errors Errors false array

Body Schema
Name Description Required Value
data Data true Name Description Required Value
status Desired status to mark the events with true enum
events List of DV events with their agents false Name Description Required Value
agentId Agent that reported the DV event true string
storyline Storyline of the marked event true string

initiatedBy Initiated by false enum

Export Mitigation Report
GET /web/api/v2.1/threats/mitigation-report/{report_id}

Export the mitigation report as a CSV file.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

Update Threat Incident


POST /web/api/v2.1/threats/incident

Update the incident details of a threat.

Response Messages
200 - Threats incident successfully updated

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false Name Description Required Value
affected Number of entities affected by the requested operation false integer
details Result details for each threat false Name Description Required Value
analystVerdict Result of changing the threat's analyst verdict as part of changing the threat's status false enum
result Result of changing the threat's status false enum
threatId Threat id false string

errors Errors false array

Body Schema
Name Description Required Value
data Data true Name Description Required Value
incidentStatus Incident status true enum
analystVerdict The analyst verdict to set for the Threats false enum

filter Filter true Name Description Required Value
accountIds List of Account IDs to filter by false string []
agentIds List of Agent IDs false string []
agentIsActive Include Agents currently connected to the Management Console false boolean
agentMachineTypes Include Agent machine types false string []
agentMachineTypesNin Excluded Agent machine types false string []
agentTagsData Filter threats by assigned tags to the related agent. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. false string
agentVersions Include Agent versions false string []
agentVersionsNin Excluded Agent versions false string []
analystVerdicts Filter threats by a specific analyst verdict false string []
analystVerdictsNin Exclude threats with specific analyst verdicts false string []
awsRole__contains Free-text filter by aws role (supports multiple values) false string []
awsSecurityGroups__contains Free-text filter by aws securityGroups (supports multiple values) false string []
awsSubnetIds__contains Free-text filter by aws subnet ids (supports multiple values) false string []
azureResourceGroup__contains Free-text filter by azure resource group (supports multiple values) false string []
classifications List of threat classifications to search false string []
classificationsNin List of threat classifications not to search false string []
classificationSources Classification sources list false string []
classificationSourcesNin Classification sources list to exclude false string []
cloudAccount__contains Free-text filter by cloud account (supports multiple values) false string []
cloudImage__contains Free-text filter by cloud image (supports multiple values) false string []
cloudInstanceId__contains Free-text filter by cloud instance id (supports multiple values) false string []
cloudInstanceSize__contains Free-text filter by cloud instance size (supports multiple values) false string []
cloudLocation__contains Free-text filter by cloud location (supports multiple values) false string []
cloudNetwork__contains Free-text filter by cloud network (supports multiple values) false string []
cloudProvider Agents from which cloud provider false string []
cloudProviderNin Exclude Agents from these cloud providers false string []
collectionIds List of collection IDs to search false string []
commandLineArguments__contains Free-text filter by threat command line arguments (supports multiple values) false string []
computerName__contains Free-text filter by computer name (supports multiple values) false string []
confidenceLevels Filter threats by a specific confidence level false string []
confidenceLevelsNin Exclude threats with specific confidence level false string []
containerImageName__contains Free-text filter by the endpoint container image name (supports multiple values) false string []
containerLabels__contains Free-text filter by the endpoint container labels (supports multiple values) false string []
containerName__contains Free-text filter by the endpoint container name (supports multiple values) false string []
contentHash__contains Free-text filter by file content hash (supports multiple values) false string []
contentHashes List of sha1 hashes to search for false string []
countsFor comma-separated list of fields to be shown false string
createdAt__gt Created at greater than. false string
createdAt__gte Created at greater or equal than. false string
createdAt__lt Created at lesser than. false string
createdAt__lte Created at lesser or equal than. false string
detectionAgentDomain__contains Free-text filter by Agent domain at detection time (supports multiple values) false string []
detectionAgentVersion__contains Free-text filter by Agent version at detection time (supports multiple values) false string []
detectionEngines Included engines false string []
detectionEnginesNin Excluded engines false string []
displayName Display name false string
engines Included engines false string []
enginesNin Excluded engines false string []
externalTicketExists The threat contains ticket number false boolean
externalTicketId__contains Free-text filter by the threat external ticket ID (supports multiple values) false string []
externalTicketIds External ticket ID for the threat false string []
failedActions At least one action failed on the threat false boolean
filePath__contains Free-text filter by file path (supports multiple values) false string []
gcpServiceAccount__contains Free-text filter by gcp service account (supports multiple values) false string []
groupIds List of Group IDs to filter by false string []
hasAgentTags Include only Threats whose Agent is assigned any tags if True, or none if False false boolean
ids List of threat IDs false string []
incidentStatuses Filter threats by a specific incident status false string []
incidentStatusesNin Exclude threats with specific incident statuses false string []
initiatedBy Only include threats from specific initiating sources false string []
initiatedByNin Exclude threats with specific initiating sources false string []
initiatedByUsername__contains Free-text filter by the username that initiated that threat (supports multiple values) false string []
k8sClusterName__contains Free-text filter by the endpoint Kubernetes cluster name (supports multiple values) false string []
k8sControllerLabels__contains Free-text filter by the endpoint Kubernetes controller labels (supports multiple values) false string []
k8sControllerName__contains Free-text filter by the endpoint Kubernetes controller name (supports multiple values) false string []
k8sNamespaceLabels__contains Free-text filter by the endpoint Kubernetes namespace labels (supports multiple values) false string []
k8sNamespaceName__contains Free-text filter by the endpoint Kubernetes namespace name (supports multiple values) false string []
k8sNodeLabels__contains Free-text filter by the endpoint Kubernetes node labels (supports multiple values) false string []
k8sNodeName__contains Free-text filter by the endpoint Kubernetes node name (supports multiple values) false string []
k8sPodLabels__contains Free-text filter by the endpoint Kubernetes pod labels (supports multiple values) false string []
k8sPodName__contains Free-text filter by the endpoint Kubernetes pod name (supports multiple values) false string []
limit Limit false integer
mitigatedPreemptively If the threat was detected pre-execution or post-execution false boolean
mitigationStatuses Filter threats by a specific status false string []
mitigationStatusesNin Filter threats not by a specific status false string []
noteExists The threat contains at least one note false boolean
originatedProcess__contains Free-text filter by the originated process name of the threat (supports multiple values) false string []
osArchs Included OS Architectures false string []
osNames false string []
osNamesNin false string []
osTypes Included OS types false string []
osTypesNin Excluded OS types false string []
pendingActions At least one action is pending for the Agent for the threat false boolean
publisherName__contains Free-text filter by threat's publisher name (supports multiple values) false string []
query Full text search for fields: threat_details, content_hash, computer_name, file_path, uuid, detection_agent_version, realtime_agent_version, detection_agent_domain, command_line_arguments, initiated_by_username, storyline, originated_process, k8s_cluster_name, k8s_node_name, k8s_node_labels, k8s_namespace_name, k8s_namespace_labels, k8s_controller_name, k8s_controller_labels, k8s_pod_name, k8s_pod_labels, container_name, container_image_name, container_labels, external_ticket_id false string
realtimeAgentVersion__contains Free-text filter by Agent version at current time (supports multiple values) false string []
rebootRequired A reboot is required on any endpoint for at least one action on the threat false boolean
resolved This is used for backward-compatibility with API 2.0. false boolean
siteIds List of Site IDs to filter by false string []
storyline__contains Free-text filter by threat storyline (supports multiple values) false string []
storylines List of Agent context to search for false string []
tenant Indicates a tenant scope request false boolean
threatDetails__contains Free-text filter by threat details (supports multiple values) false string []
updatedAt__gt Updated at greater than. false string
updatedAt__gte Updated at greater or equal than. false string
updatedAt__lt Updated at lesser than. false string
updatedAt__lte Updated at lesser or equal than. false string
uuid__contains Free-text filter by Agent UUID (supports multiple values) false string []
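
The body layout documented above for POST /web/api/v2.1/threats/incident (a required data object plus a required filter), built and checked client-side before anything is sent. This is an added example, not SentinelOne code: the console URL, the token, the ApiToken header scheme, the scoping rule and the chosen subset of filter fields are assumptions.

```python
import json
import urllib.request

ENDPOINT = "/web/api/v2.1/threats/incident"  # path as documented above

# Subset of the "filter" fields from the Body Schema above, keyed by the
# Python type matching the Value column. Extend from the table as needed.
FILTER_TYPES = {
    "accountIds": list, "siteIds": list, "groupIds": list, "agentIds": list,
    "ids": list, "contentHashes": list, "incidentStatuses": list,
    "analystVerdicts": list, "computerName__contains": list,
    "agentIsActive": bool, "failedActions": bool, "noteExists": bool,
    "tenant": bool, "query": str, "createdAt__gte": str,
    "createdAt__lte": str, "limit": int,
}
# Local safety rule (an assumption of this example, not an API requirement):
# a bulk update must name explicit threats or a scope.
SCOPING_KEYS = {"ids", "agentIds", "groupIds", "siteIds", "accountIds"}


def validate_filter(threat_filter):
    """Reject empty, unknown, mistyped or unscoped filters before sending."""
    if not threat_filter:
        raise ValueError("empty filter: refusing an unscoped bulk update")
    for key, value in threat_filter.items():
        expected = FILTER_TYPES.get(key)
        if expected is None:
            raise ValueError(f"unknown filter field: {key!r}")
        # bool is a subclass of int in Python, so reject it explicitly.
        if expected is int and isinstance(value, bool):
            raise TypeError(f"{key} must be an integer")
        if not isinstance(value, expected):
            raise TypeError(f"{key} must be {expected.__name__}")
        if expected is list and not (
            value and all(isinstance(v, str) and v for v in value)
        ):
            raise TypeError(f"{key} must be a non-empty list of strings")
    if not SCOPING_KEYS.intersection(threat_filter):
        raise ValueError("filter needs one of: " + ", ".join(sorted(SCOPING_KEYS)))


def encode_agent_tags(tags):
    """agentTagsData is typed `string`: a JSON object mapping each tag key to
    a list of string values; a `__nin` suffix on the key excludes values."""
    for key, values in tags.items():
        if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
            raise TypeError(f"tag {key!r} must map to a list of strings")
    return json.dumps(tags, sort_keys=True)


def build_incident_update(incident_status, threat_filter,
                          analyst_verdict=None, agent_tags=None):
    """Return the JSON body: {"data": {...}, "filter": {...}}."""
    validate_filter(threat_filter)
    if not isinstance(incident_status, str) or not incident_status:
        raise ValueError("incidentStatus is required")
    data = {"incidentStatus": incident_status}
    if analyst_verdict is not None:  # optional in the schema
        data["analystVerdict"] = analyst_verdict
    body_filter = dict(threat_filter)
    if agent_tags:
        body_filter["agentTagsData"] = encode_agent_tags(agent_tags)
    return {"data": data, "filter": body_filter}


def build_request(console_url, api_token, body):
    """Prepare (but do not send) the POST. The `ApiToken` authorization
    scheme is an assumption; this section does not show authentication."""
    return urllib.request.Request(
        console_url.rstrip("/") + ENDPOINT,
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Authorization": f"ApiToken {api_token}"},
        method="POST",
    )


def affected_matches(response, expected):
    """Compare data.affected from the Response Schema with the number of
    threats the caller meant to change; any reported errors fail the check."""
    if response.get("errors"):
        return False
    return (response.get("data") or {}).get("affected") == expected


if __name__ == "__main__":
    # Constructed sample values; the ID format follows the examples above.
    body = build_incident_update(
        "in_progress",
        {"ids": ["225494730938493804"], "siteIds": ["225494730938493915"]},
        agent_tags={"env": ["prod"], "owner__nin": ["lab"]},
    )
    req = build_request("https://console.example.invalid", "PLACEHOLDER_TOKEN", body)
    print(req.get_method(), req.full_url)
    print(json.dumps(body, indent=2))
```

The same filter table is used by the analyst-verdict and external-ticket-id endpoints that follow, so `validate_filter` applies to their bodies as well.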

Update Threat Analyst Verdict
POST /web/api/v2.1/threats/analyst-verdict

Change the verdict of a threat, as determined by a Console user.

Response Messages
200 - Threats analyst verdict successfully updated

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false Name Description Required Value
affected Number of entities affected by the requested operation false integer
details Result details for each threat false Name Description Required Value
result Result of changing the threat's analyst verdict false enum
threatId Threat id false string

errors Errors false array

Body Schema
Name Description Required Value
data Data true Name Description Required Value
analystVerdict Analyst verdict true enum

filter Filter true Name Description Required Value
accountIds List of Account IDs to filter by false string []
agentIds List of Agent IDs false string []
agentIsActive Include Agents currently connected to the Management Console false boolean
agentMachineTypes Include Agent machine types false string []
agentMachineTypesNin Excluded Agent machine types false string []
agentTagsData Filter threats by assigned tags to the related agent. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. false string
agentVersions Include Agent versions false string []
agentVersionsNin Excluded Agent versions false string []
analystVerdicts Filter threats by a specific analyst verdict false string []
analystVerdictsNin Exclude threats with specific analyst verdicts false string []
awsRole__contains Free-text filter by aws role (supports multiple values) false string []
awsSecurityGroups__contains Free-text filter by aws securityGroups (supports multiple values) false string []
awsSubnetIds__contains Free-text filter by aws subnet ids (supports multiple values) false string []
azureResourceGroup__contains Free-text filter by azure resource group (supports multiple values) false string []
classifications List of threat classifications to search false string []
classificationsNin List of threat classifications not to search false string []
classificationSources Classification sources list false string []
classificationSourcesNin Classification sources list to exclude false string []
cloudAccount__contains Free-text filter by cloud account (supports multiple values) false string []
cloudImage__contains Free-text filter by cloud image (supports multiple values) false string []
cloudInstanceId__contains Free-text filter by cloud instance id (supports multiple values) false string []
cloudInstanceSize__contains Free-text filter by cloud instance size (supports multiple values) false string []
cloudLocation__contains Free-text filter by cloud location (supports multiple values) false string []
cloudNetwork__contains Free-text filter by cloud network (supports multiple values) false string []
cloudProvider Agents from which cloud provider false string []
cloudProviderNin Exclude Agents from these cloud providers false string []
collectionIds List of collection IDs to search false string []
commandLineArguments__contains Free-text filter by threat command line arguments (supports multiple values) false string []
computerName__contains Free-text filter by computer name (supports multiple values) false string []
confidenceLevels Filter threats by a specific confidence level false string []
confidenceLevelsNin Exclude threats with specific confidence level false string []
containerImageName__contains Free-text filter by the endpoint container image name (supports multiple values) false string []
containerLabels__contains Free-text filter by the endpoint container labels (supports multiple values) false string []
containerName__contains Free-text filter by the endpoint container name (supports multiple values) false string []
contentHash__contains Free-text filter by file content hash (supports multiple values) false string []
contentHashes List of sha1 hashes to search for false string []
countsFor comma-separated list of fields to be shown false string
createdAt__gt Created at greater than. false string
createdAt__gte Created at greater or equal than. false string
createdAt__lt Created at lesser than. false string
createdAt__lte Created at lesser or equal than. false string
detectionAgentDomain__contains Free-text filter by Agent domain at detection time (supports multiple values) false string []
detectionAgentVersion__contains Free-text filter by Agent version at detection time (supports multiple values) false string []
detectionEngines Included engines false string []
detectionEnginesNin Excluded engines false string []
displayName Display name false string
engines Included engines false string []
enginesNin Excluded engines false string []
externalTicketExists The threat contains ticket number false boolean
externalTicketId__contains Free-text filter by the threat external ticket ID (supports multiple values) false string []
externalTicketIds External ticket ID for the threat false string []
failedActions At least one action failed on the threat false boolean
filePath__contains Free-text filter by file path (supports multiple values) false string []
gcpServiceAccount__contains Free-text filter by gcp service account (supports multiple values) false string []
groupIds List of Group IDs to filter by false string []
hasAgentTags Include only Threats whose Agent is assigned any tags if True, or none if False false boolean
ids List of threat IDs false string []
incidentStatuses Filter threats by a specific incident status false string []
incidentStatusesNin Exclude threats with specific incident statuses false string []
initiatedBy Only include threats from specific initiating sources false string []
initiatedByNin Exclude threats with specific initiating sources false string []
initiatedByUsername__contains Free-text filter by the username that initiated that threat (supports multiple values) false string []
k8sClusterName__contains Free-text filter by the endpoint Kubernetes cluster name (supports multiple values) false string []
k8sControllerLabels__contains Free-text filter by the endpoint Kubernetes controller labels (supports multiple values) false string []
k8sControllerName__contains Free-text filter by the endpoint Kubernetes controller name (supports multiple values) false string []
k8sNamespaceLabels__contains Free-text filter by the endpoint Kubernetes namespace labels (supports multiple values) false string []
k8sNamespaceName__contains Free-text filter by the endpoint Kubernetes namespace name (supports multiple values) false string []
k8sNodeLabels__contains Free-text filter by the endpoint Kubernetes node labels (supports multiple values) false string []
k8sNodeName__contains Free-text filter by the endpoint Kubernetes node name (supports multiple values) false string []
k8sPodLabels__contains Free-text filter by the endpoint Kubernetes pod labels (supports multiple values) false string []
k8sPodName__contains Free-text filter by the endpoint Kubernetes pod name (supports multiple values) false string []
limit Limit false integer
mitigatedPreemptively If the threat was detected pre-execution or post-execution false boolean
mitigationStatuses Filter threats by a specific status false string []
mitigationStatusesNin Filter threats not by a specific status false string []
noteExists The threat contains at least one note false boolean
originatedProcess__contains Free-text filter by the originated process name of the threat (supports multiple values) false string []
osArchs Included OS Architectures false string []
osNames false string []
osNamesNin false string []
osTypes Included OS types false string []
osTypesNin Excluded OS types false string []
pendingActions At least one action is pending for the Agent for the threat false boolean
publisherName__contains Free-text filter by threat's publisher name (supports multiple values) false string []
query Full text search for fields: threat_details, content_hash, computer_name, file_path, uuid, detection_agent_version, realtime_agent_version, detection_agent_domain, command_line_arguments, initiated_by_username, storyline, originated_process, k8s_cluster_name, k8s_node_name, k8s_node_labels, k8s_namespace_name, k8s_namespace_labels, k8s_controller_name, k8s_controller_labels, k8s_pod_name, k8s_pod_labels, container_name, container_image_name, container_labels, external_ticket_id false string
realtimeAgentVersion__contains Free-text filter by Agent version at current time (supports multiple values) false string []
rebootRequired A reboot is required on any endpoint for at least one action on the threat false boolean
resolved This is used for backward-compatibility with API 2.0. false boolean
siteIds List of Site IDs to filter by false string []
storyline__contains Free-text filter by threat storyline (supports multiple values) false string []
storylines List of Agent context to search for false string []
tenant Indicates a tenant scope request false boolean
threatDetails__contains Free-text filter by threat details (supports multiple values) false string []
updatedAt__gt Updated at greater than. false string
updatedAt__gte Updated at greater or equal than. false string
updatedAt__lt Updated at lesser than. false string
updatedAt__lte Updated at lesser or equal than. false string
uuid__contains Free-text filter by Agent UUID (supports multiple values) false string []

Update Threat External Ticket ID
POST /web/api/v2.1/threats/external-ticket-id

Change the external ticket ID of a threat.

Response Messages
200 - Threats external ticket id successfully updated

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false Name Description Required Value
affected Number of entities affected by the requested operation false integer

errors Errors false array

Body Schema
Name Description Required Value
data Data true Name Description Required Value
externalTicketId External ticket id true string

filter Filter true Name Description Required Value
accountIds List of Account IDs to filter by false string []
agentIds List of Agent IDs false string []
agentIsActive Include Agents currently connected to the Management Console false boolean
agentMachineTypes Include Agent machine types false string []
agentMachineTypesNin Excluded Agent machine types false string []
agentTagsData Filter threats by assigned tags to the related agent. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. false string
agentVersions Include Agent versions false string []
agentVersionsNin Excluded Agent versions false string []
analystVerdicts Filter threats by a specific analyst verdict false string []
analystVerdictsNin Exclude threats with specific analyst verdicts false string []
awsRole__contains Free-text filter by aws role (supports multiple values) false string []
awsSecurityGroups__contains Free-text filter by aws securityGroups (supports multiple values) false string []
awsSubnetIds__contains Free-text filter by aws subnet ids (supports multiple values) false string []
azureResourceGroup__contains Free-text filter by azure resource group (supports multiple values) false string []
classifications List of threat classifications to search false string []
classificationsNin List of threat classifications not to search false string []
classificationSources Classification sources list false string []
classificationSourcesNin Classification sources list to exclude false string []
cloudAccount__contains Free-text filter by cloud account (supports multiple values) false string []
cloudImage__contains Free-text filter by cloud image (supports multiple values) false string []
cloudInstanceId__contains Free-text filter by cloud instance id (supports multiple values) false string []
cloudInstanceSize__contains Free-text filter by cloud instance size (supports multiple values) false string []
cloudLocation__contains Free-text filter by cloud location (supports multiple values) false string []
cloudNetwork__contains Free-text filter by cloud network (supports multiple values) false string []
cloudProvider Agents from which cloud provider false string []
cloudProviderNin Exclude Agents from these cloud providers false string []
collectionIds List of collection IDs to search false string []
commandLineArguments__contains Free-text filter by threat command line arguments (supports multiple values) false string []
computerName__contains Free-text filter by computer name (supports multiple values) false string []
confidenceLevels Filter threats by a specific confidence level false string []
confidenceLevelsNin Exclude threats with specific confidence level false string []
containerIma Free-text false string []
geName__con filter by the
tains endpoint
container
image name
(supports
multiple
values)
containerLabe Free-text false string []
ls__contains filter by the
endpoint
container
labels
(supports
multiple
values)
containerNam Free-text false string []
e__contains filter by the
endpoint
container
name
(supports
multiple
values)
contentHash_ Free-text false string []
_contains filter by file
content hash
(supports
multiple
values)
contentHashe List of sha1 false string []
s hashes to
search for
countsFor comma- false string
separated list
of fields to be
shown
createdAt__g Created at false string
t greater than.
createdAt__g Created at false string
te greater or
equal than.

2522
createdAt__lt Created at false string
lesser than.
createdAt__lt Created at false string
e lesser or
equal than.
detectionAge Free-text false string []
ntDomain__co filter by
ntains Agent
domain at
detection
time
(supports
multiple
values)
detectionAge Free-text false string []
ntVersion__co filter by
ntains Agent version
at detection
time
(supports
multiple
values)
detectionEng Included false string []
ines engines
detectionEng Excluded false string []
inesNin engines
displayName Display name false string
engines Included false string []
engines
enginesNin Excluded false string []
engines
externalTicke The threat false boolean
tExists contains
ticket number
externalTicke Free-text false string []
tId__contains filter by the
threat
external
ticket ID
(supports
multiple

2523
values)
externalTicke External false string []
tIds ticket ID for
the threat
failedActions At least one false boolean
action failed
on the threat
filePath__con Free-text false string []
tains filter by file
path
(supports
multiple
values)
gcpServiceAc Free-text false string []
count__conta filter by gcp
ins service
account
(supports
multiple
values)
groupIds List of Group false string []
IDs to filter
by
hasAgentTags Include only false boolean
Threats
whose Agent
is assigned
any tags if
True, or none
if False
ids List of threat false string []
IDs
incidentStatu Filter threats false string []
ses by a specific
incident
status
incidentStatu Exclude false string []
sesNin threats with
specific
incident
statuses

2524
initiatedBy Only include false string []
threats from
specific
initiating
sources
initiatedByNi Exclude false string []
n threats with
specific
initiating
sources
initiatedByU Free-text false string []
sername__con filter by the
tains username
that initiated
that threat
(supports
multiple
values)
k8sClusterNa Free-text false string []
me__contains filter by the
endpoint
Kubernetes
cluster name
(supports
multiple
values)
k8sController Free-text false string []
Labels__conta filter by the
ins endpoint
Kubernetes
controller
labels
(supports
multiple
values)
k8sControlle Free-text false string []
rName__conta filter by the
ins endpoint
Kubernetes
controller
name
(supports
multiple
values)

2525
k8sNamespace Free-text false string []
Labels__conta filter by the
ins endpoint
Kubernetes
namespace
labels
(supports
multiple
values)
k8sNamespac Free-text false string []
eName__cont filter by the
ains endpoint
Kubernetes
namespace
name
(supports
multiple
values)
k8sNodeLabel Free-text false string []
s__contains filter by the
endpoint
Kubernetes
node labels
(supports
multiple
values)
k8sNodeName Free-text false string []
__contains filter by the
endpoint
Kubernetes
node name
(supports
multiple
values)
k8sPodLabels Free-text false string []
__contains filter by the
endpoint
Kubernetes
pod labels
(supports
multiple
values)
k8sPodName_ Free-text false string []
_contains filter by the

2526
endpoint
Kubernetes
pod name
(supports
multiple
values)
limit Limit false integer
mitigatedPre If the threat false boolean
emptively was detected
pre-execution
or post-
execution
mitigationSta Filter threats false string []
tuses by a specific
status
mitigationSta Filter threats false string []
tusesNin not by a
specific
status
noteExists The threat false boolean
contains at
least one
note
originatedPro Free-text false string []
cess__contain filter by the
s originated
process name
of the threat
(supports
multiple
values)
osArchs Included OS false string []
Architectures
osNames false string []
osNamesNin false string []
osTypes Included OS false string []
types
osTypesNin Excluded OS false string []
types
pendingActio At least one false boolean

2527
ns action is
pending for
the Agent for
the threat
publisherNam Free-text false string []
e__contains filter by
threat's
publisher
name
(supports
multiple
values)
query Full text false string
search for
fields:
threat_details,

content_hash,

computer_nam
e, file_path,
uuid,
detection_age
nt_version,
realtime_agen
t_version,
detection_age
nt_domain,
command_line
_arguments,
initiated_by_
username,
storyline,
originated_pro
cess,
k8s_cluster_n
ame,
k8s_node_nam
e,
k8s_node_labe
ls,
k8s_namespa
ce_name,
k8s_namespace
_labels,

2528
k8s_controlle
r_name,
k8s_controller
_labels,
k8s_pod_name
,
k8s_pod_label
s,
container_nam
e,
container_im
age_name,
container_labe
ls,
external_ticke
t_id
realtimeAgent Free-text false string []
Version__cont filter by
ains Agent version
at current
time
(supports
multiple
values)
rebootRequir A reboot is false boolean
ed required on
any endpoint
for at least
one action on
the threat
resolved This is used false boolean
for backward-
compatibility
with API 2.0.
siteIds List of Site false string []
IDs to filter
by
storyline__co Free-text false string []
ntains filter by
threat
storyline
(supports
multiple
values)

2529
storylines List of Agent false string []
context to
search for
tenant Indicates a false boolean
tenant scope
request
threatDetails Free-text false string []
__contains filter by
threat
details(suppor
ts multiple
values)
updatedAt__g Updated at false string
t greater than.
updatedAt__g Updated at false string
te greater or
equal than.
updatedAt__l Updated at false string
t lesser than.
updatedAt__l Updated at false string
te lesser or
equal than.
uuid__contain Free-text false string []
s filter by
Agent UUID
(supports
multiple
values)

Download from cloud
GET /web/api/v2.1/threats/{threat_id}/download-from-cloud

Download threat file from cloud.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | nested fields below
    downloadUrl | Threat file download URL | false | string
    fileName | Threat file name | false | string
errors | Errors | false | array

Disconnect Container
POST /web/api/v2.1/threats/actions/container-network-disconnect

Network quarantine a specific container

Response Messages
200 - Disconnect command was created

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | nested fields below
    success | Indicates a successful operation | false | boolean
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | nested fields below
    containerId | Container id | true | string
filter | Use any of the filtering options to control the list of affected threats. You can use any combination of filters to narrow down the list (For example "apply to only active threats from Linux endpoints"). You can also leave this field empty to apply to all available threats. | true | nested fields below
    accountIds | List of Account IDs to filter by | false | string []
    agentIds | List of Agent IDs | false | string []
    agentIsActive | Include Agents currently connected to the Management Console | false | boolean
    agentMachineTypes | Include Agent machine types | false | string []
    agentMachineTypesNin | Excluded Agent machine types | false | string []
    agentTagsData | Filter threats by assigned tags to the related agent. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
    agentVersions | Include Agent versions | false | string []
    agentVersionsNin | Excluded Agent versions | false | string []
    analystVerdicts | Filter threats by a specific analyst verdict | false | string []
    analystVerdictsNin | Exclude threats with specific analyst verdicts | false | string []
    awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
    awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
    awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
    azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
    classifications | List of threat classifications to search | false | string []
    classificationsNin | List of threat classifications not to search | false | string []
    classificationSources | Classification sources list | false | string []
    classificationSourcesNin | Classification sources list to exclude | false | string []
    cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
    cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
    cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
    cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
    cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
    cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
    cloudProvider | Agents from which cloud provider | false | string []
    cloudProviderNin | Exclude Agents from these cloud provider | false | string []
    collectionIds | List of collection IDs to search | false | string []
    commandLineArguments__contains | Free-text filter by threat command line arguments (supports multiple values) | false | string []
    computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
    confidenceLevels | Filter threats by a specific confidence level | false | string []
    confidenceLevelsNin | Exclude threats with specific confidence level | false | string []
    containerImageName__contains | Free-text filter by the endpoint container image name (supports multiple values) | false | string []
    containerLabels__contains | Free-text filter by the endpoint container labels (supports multiple values) | false | string []
    containerName__contains | Free-text filter by the endpoint container name (supports multiple values) | false | string []
    contentHash__contains | Free-text filter by file content hash (supports multiple values) | false | string []
    contentHashes | List of sha1 hashes to search for | false | string []
    countsFor | comma-separated list of fields to be shown | false | string
    createdAt__gt | Created at greater than. | false | string
    createdAt__gte | Created at greater or equal than. | false | string
    createdAt__lt | Created at lesser than. | false | string
    createdAt__lte | Created at lesser or equal than. | false | string
    detectionAgentDomain__contains | Free-text filter by Agent domain at detection time (supports multiple values) | false | string []
    detectionAgentVersion__contains | Free-text filter by Agent version at detection time (supports multiple values) | false | string []
    detectionEngines | Included engines | false | string []
    detectionEnginesNin | Excluded engines | false | string []
    displayName | Display name | false | string
    engines | Included engines | false | string []
    enginesNin | Excluded engines | false | string []
    externalTicketExists | The threat contains ticket number | false | boolean
    externalTicketId__contains | Free-text filter by the threat external ticket ID (supports multiple values) | false | string []
    externalTicketIds | External ticket ID for the threat | false | string []
    failedActions | At least one action failed on the threat | false | boolean
    filePath__contains | Free-text filter by file path (supports multiple values) | false | string []
    gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
    groupIds | List of Group IDs to filter by | false | string []
    hasAgentTags | Include only Threats whose Agent is assigned any tags if True, or none if False | false | boolean
    ids | List of threat IDs | false | string []
    incidentStatuses | Filter threats by a specific incident status | false | string []
    incidentStatusesNin | Exclude threats with specific incident statuses | false | string []
    initiatedBy | Only include threats from specific initiating sources | false | string []
    initiatedByNin | Exclude threats with specific initiating sources | false | string []
    initiatedByUsername__contains | Free-text filter by the username that initiated that threat (supports multiple values) | false | string []
    k8sClusterName__contains | Free-text filter by the endpoint Kubernetes cluster name (supports multiple values) | false | string []
    k8sControllerLabels__contains | Free-text filter by the endpoint Kubernetes controller labels (supports multiple values) | false | string []
    k8sControllerName__contains | Free-text filter by the endpoint Kubernetes controller name (supports multiple values) | false | string []
    k8sNamespaceLabels__contains | Free-text filter by the endpoint Kubernetes namespace labels (supports multiple values) | false | string []
    k8sNamespaceName__contains | Free-text filter by the endpoint Kubernetes namespace name (supports multiple values) | false | string []
    k8sNodeLabels__contains | Free-text filter by the endpoint Kubernetes node labels (supports multiple values) | false | string []
    k8sNodeName__contains | Free-text filter by the endpoint Kubernetes node name (supports multiple values) | false | string []
    k8sPodLabels__contains | Free-text filter by the endpoint Kubernetes pod labels (supports multiple values) | false | string []
    k8sPodName__contains | Free-text filter by the endpoint Kubernetes pod name (supports multiple values) | false | string []
    limit | Limit | false | integer
    mitigatedPreemptively | If the threat was detected pre-execution or post-execution | false | boolean
    mitigationStatuses | Filter threats by a specific status | false | string []
    mitigationStatusesNin | Filter threats not by a specific status | false | string []
    noteExists | The threat contains at least one note | false | boolean
    originatedProcess__contains | Free-text filter by the originated process name of the threat (supports multiple values) | false | string []
    osArchs | Included OS Architectures | false | string []
    osNames | | false | string []
    osNamesNin | | false | string []
    osTypes | Included OS types | false | string []
    osTypesNin | Excluded OS types | false | string []
    pendingActions | At least one action is pending for the Agent for the threat | false | boolean
    publisherName__contains | Free-text filter by threat's publisher name (supports multiple values) | false | string []
    query | Full text search for fields: threat_details, content_hash, computer_name, file_path, uuid, detection_agent_version, realtime_agent_version, detection_agent_domain, command_line_arguments, initiated_by_username, storyline, originated_process, k8s_cluster_name, k8s_node_name, k8s_node_labels, k8s_namespace_name, k8s_namespace_labels, k8s_controller_name, k8s_controller_labels, k8s_pod_name, k8s_pod_labels, container_name, container_image_name, container_labels, external_ticket_id | false | string
    realtimeAgentVersion__contains | Free-text filter by Agent version at current time (supports multiple values) | false | string []
    rebootRequired | A reboot is required on any endpoint for at least one action on the threat | false | boolean
    resolved | This is used for backward-compatibility with API 2.0. | false | boolean
    siteIds | List of Site IDs to filter by | false | string []
    storyline__contains | Free-text filter by threat storyline (supports multiple values) | false | string []
    storylines | List of Agent context to search for | false | string []
    tenant | Indicates a tenant scope request | false | boolean
    threatDetails__contains | Free-text filter by threat details (supports multiple values) | false | string []
    updatedAt__gt | Updated at greater than. | false | string
    updatedAt__gte | Updated at greater or equal than. | false | string
    updatedAt__lt | Updated at lesser than. | false | string
    updatedAt__lte | Updated at lesser or equal than. | false | string
    uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []

Reconnect Container
POST /web/api/v2.1/threats/actions/container-network-connect

Restore network to a container that was disconnected

Response Messages
200 - Reconnect command was created

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
data | Response data | false | nested fields below
    success | Indicates a successful operation | false | boolean
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true | nested fields below
    containerId | Container id | true | string
filter | Use any of the filtering options to control the list of affected threats. You can use any combination of filters to narrow down the list (For example "apply to only active threats from Linux endpoints"). You can also leave this field empty to apply to all available threats. | true | nested fields below
    accountIds | List of Account IDs to filter by | false | string []
    agentIds | List of Agent IDs | false | string []
    agentIsActive | Include Agents currently connected to the Management Console | false | boolean
    agentMachineTypes | Include Agent machine types | false | string []
    agentMachineTypesNin | Excluded Agent machine types | false | string []
    agentTagsData | Filter threats by assigned tags to the related agent. Given in form of a JSON where each key represents a tag key, and each value represents a list of string values to filter by. To filter by unassigned tag values, use __nin suffix in the tag key. | false | string
    agentVersions | Include Agent versions | false | string []
    agentVersionsNin | Excluded Agent versions | false | string []
    analystVerdicts | Filter threats by a specific analyst verdict | false | string []
    analystVerdictsNin | Exclude threats with specific analyst verdicts | false | string []
    awsRole__contains | Free-text filter by aws role (supports multiple values) | false | string []
    awsSecurityGroups__contains | Free-text filter by aws securityGroups (supports multiple values) | false | string []
    awsSubnetIds__contains | Free-text filter by aws subnet ids (supports multiple values) | false | string []
    azureResourceGroup__contains | Free-text filter by azure resource group (supports multiple values) | false | string []
    classifications | List of threat classifications to search | false | string []
    classificationsNin | List of threat classifications not to search | false | string []
    classificationSources | Classification sources list | false | string []
    classificationSourcesNin | Classification sources list to exclude | false | string []
    cloudAccount__contains | Free-text filter by cloud account (supports multiple values) | false | string []
    cloudImage__contains | Free-text filter by cloud image (supports multiple values) | false | string []
    cloudInstanceId__contains | Free-text filter by cloud instance id (supports multiple values) | false | string []
    cloudInstanceSize__contains | Free-text filter by cloud instance size (supports multiple values) | false | string []
    cloudLocation__contains | Free-text filter by cloud location (supports multiple values) | false | string []
    cloudNetwork__contains | Free-text filter by cloud network (supports multiple values) | false | string []
    cloudProvider | Agents from which cloud provider | false | string []
    cloudProviderNin | Exclude Agents from these cloud provider | false | string []
    collectionIds | List of collection IDs to search | false | string []
    commandLineArguments__contains | Free-text filter by threat command line arguments (supports multiple values) | false | string []
    computerName__contains | Free-text filter by computer name (supports multiple values) | false | string []
    confidenceLevels | Filter threats by a specific confidence level | false | string []
    confidenceLevelsNin | Exclude threats with specific confidence level | false | string []
    containerImageName__contains | Free-text filter by the endpoint container image name (supports multiple values) | false | string []
    containerLabels__contains | Free-text filter by the endpoint container labels (supports multiple values) | false | string []
    containerName__contains | Free-text filter by the endpoint container name (supports multiple values) | false | string []
    contentHash__contains | Free-text filter by file content hash (supports multiple values) | false | string []
    contentHashes | List of sha1 hashes to search for | false | string []
    countsFor | comma-separated list of fields to be shown | false | string
    createdAt__gt | Created at greater than. | false | string
    createdAt__gte | Created at greater or equal than. | false | string
    createdAt__lt | Created at lesser than. | false | string
    createdAt__lte | Created at lesser or equal than. | false | string
    detectionAgentDomain__contains | Free-text filter by Agent domain at detection time (supports multiple values) | false | string []
    detectionAgentVersion__contains | Free-text filter by Agent version at detection time (supports multiple values) | false | string []
    detectionEngines | Included engines | false | string []
    detectionEnginesNin | Excluded engines | false | string []
    displayName | Display name | false | string
    engines | Included engines | false | string []
    enginesNin | Excluded engines | false | string []
    externalTicketExists | The threat contains ticket number | false | boolean
    externalTicketId__contains | Free-text filter by the threat external ticket ID (supports multiple values) | false | string []
    externalTicketIds | External ticket ID for the threat | false | string []
    failedActions | At least one action failed on the threat | false | boolean
    filePath__contains | Free-text filter by file path (supports multiple values) | false | string []
    gcpServiceAccount__contains | Free-text filter by gcp service account (supports multiple values) | false | string []
    groupIds | List of Group IDs to filter by | false | string []
    hasAgentTags | Include only Threats whose Agent is assigned any tags if True, or none if False | false | boolean
    ids | List of threat IDs | false | string []
    incidentStatuses | Filter threats by a specific incident status | false | string []
    incidentStatusesNin | Exclude threats with specific incident statuses | false | string []
    initiatedBy | Only include threats from specific initiating sources | false | string []
    initiatedByNin | Exclude threats with specific initiating sources | false | string []
    initiatedByUsername__contains | Free-text filter by the username that initiated that threat (supports multiple values) | false | string []
    k8sClusterName__contains | Free-text filter by the endpoint Kubernetes cluster name (supports multiple values) | false | string []
    k8sControllerLabels__contains | Free-text filter by the endpoint Kubernetes controller labels (supports multiple values) | false | string []
    k8sControllerName__contains | Free-text filter by the endpoint Kubernetes controller name (supports multiple values) | false | string []
    k8sNamespaceLabels__contains | Free-text filter by the endpoint Kubernetes namespace labels (supports multiple values) | false | string []
    k8sNamespaceName__contains | Free-text filter by the endpoint Kubernetes namespace name (supports multiple values) | false | string []
    k8sNodeLabels__contains | Free-text filter by the endpoint Kubernetes node labels (supports multiple values) | false | string []
    k8sNodeName__contains | Free-text filter by the endpoint Kubernetes node name (supports multiple values) | false | string []
    k8sPodLabels__contains | Free-text filter by the endpoint Kubernetes pod labels (supports multiple values) | false | string []
    k8sPodName__contains | Free-text filter by the endpoint Kubernetes pod name (supports multiple values) | false | string []
    limit | Limit | false | integer
    mitigatedPreemptively | If the threat was detected pre-execution or post-execution | false | boolean
    mitigationStatuses | Filter threats by a specific status | false | string []
    mitigationStatusesNin | Filter threats not by a specific status | false | string []
    noteExists | The threat contains at least one note | false | boolean
    originatedProcess__contains | Free-text filter by the originated process name of the threat (supports multiple values) | false | string []
    osArchs | Included OS Architectures | false | string []
    osNames | | false | string []
    osNamesNin | | false | string []
    osTypes | Included OS types | false | string []
    osTypesNin | Excluded OS types | false | string []
    pendingActions | At least one action is pending for the Agent for the threat | false | boolean
    publisherName__contains | Free-text filter by threat's publisher name (supports multiple values) | false | string []
    query | Full text search for fields: threat_details, content_hash, computer_name, file_path, uuid, detection_agent_version, realtime_agent_version, detection_agent_domain, command_line_arguments, initiated_by_username, storyline, originated_process, k8s_cluster_name, k8s_node_name, k8s_node_labels, k8s_namespace_name, k8s_namespace_labels, k8s_controller_name, k8s_controller_labels, k8s_pod_name, k8s_pod_labels, container_name, container_image_name, container_labels, external_ticket_id | false | string
    realtimeAgentVersion__contains | Free-text filter by Agent version at current time (supports multiple values) | false | string []
    rebootRequired | A reboot is required on any endpoint for at least one action on the threat | false | boolean
    resolved | This is used for backward-compatibility with API 2.0. | false | boolean
    siteIds | List of Site IDs to filter by | false | string []
    storyline__contains | Free-text filter by threat storyline (supports multiple values) | false | string []
    storylines | List of Agent context to search for | false | string []
    tenant | Indicates a tenant scope request | false | boolean
    threatDetails__contains | Free-text filter by threat details (supports multiple values) | false | string []
    updatedAt__gt | Updated at greater than. | false | string
    updatedAt__gte | Updated at greater or equal than. | false | string
    updatedAt__lt | Updated at lesser than. | false | string
    updatedAt__lte | Updated at lesser or equal than. | false | string
    uuid__contains | Free-text filter by Agent UUID (supports multiple values) | false | string []
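
An added example (not SentinelOne's code) that builds the request body for the Disconnect Container and Reconnect Container actions documented above. Because an empty filter applies the action to all available threats, the builder refuses one unless the caller confirms it; the function names, the allow-listed subset of filter fields and the sample container ID are assumptions made for this example.

```python
import json

# Endpoint paths exactly as documented on this page.
PATHS = {
    "disconnect": "/web/api/v2.1/threats/actions/container-network-disconnect",
    "reconnect": "/web/api/v2.1/threats/actions/container-network-connect",
}

# Subset of the documented filter fields and the value kind the schema gives.
# Which fields to allow is a choice made for this example; extend from the table.
FILTER_KINDS = {
    "accountIds": "list", "siteIds": "list", "groupIds": "list",
    "agentIds": "list", "ids": "list", "osTypes": "list",
    "containerName__contains": "list", "k8sClusterName__contains": "list",
    "k8sNamespaceName__contains": "list", "k8sPodName__contains": "list",
    "agentIsActive": "bool", "resolved": "bool", "tenant": "bool",
    "limit": "int", "query": "str", "agentTagsData": "tags",
}


def _normalize(name, value):
    """Validate one filter field against the kind listed in FILTER_KINDS."""
    kind = FILTER_KINDS.get(name)
    if kind is None:
        raise ValueError(f"filter field not in allow-list: {name}")
    if kind == "list":
        if not isinstance(value, (list, tuple)) or not value or not all(
                isinstance(v, str) and v for v in value):
            raise ValueError(f"{name} must be a non-empty list of strings")
        return list(value)
    if kind == "bool":
        if not isinstance(value, bool):
            raise ValueError(f"{name} must be a boolean")
        return value
    if kind == "int":
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"{name} must be an integer")
        return value
    if kind == "str":
        if not isinstance(value, str) or not value:
            raise ValueError(f"{name} must be a non-empty string")
        return value
    # agentTagsData: the schema types it as a string holding JSON in which each
    # key is a tag key (optionally with the __nin suffix) and each value is a
    # list of strings, so a mapping is checked and then serialized.
    if not isinstance(value, dict) or not value:
        raise ValueError("agentTagsData must be a non-empty mapping")
    for key, vals in value.items():
        if not isinstance(key, str) or not isinstance(vals, list) or not all(
                isinstance(v, str) for v in vals):
            raise ValueError("agentTagsData maps tag keys to lists of strings")
    return json.dumps(value, sort_keys=True)


def build_container_action(action, container_id, filter_fields,
                           allow_all_threats=False):
    """Return (method, path, body) for a container disconnect/reconnect call."""
    if action not in PATHS:
        raise ValueError("action must be 'disconnect' or 'reconnect'")
    if not isinstance(container_id, str) or not container_id.strip():
        raise ValueError("data.containerId is required")
    flt = {k: _normalize(k, v) for k, v in filter_fields.items()}
    # The page states that an empty filter applies to all available threats,
    # so the caller has to opt in to that scope explicitly.
    if not flt and not allow_all_threats:
        raise ValueError("empty filter targets all available threats")
    return "POST", PATHS[action], {
        "data": {"containerId": container_id.strip()}, "filter": flt}


if __name__ == "__main__":
    # Constructed sample values; the site ID is the example ID used on this page.
    body = build_container_action(
        "disconnect", "constructed-container-id",
        {"siteIds": ["225494730938493804"],
         "agentTagsData": {"env": ["prod"], "owner__nin": ["lab"]}})[2]
    print(json.dumps(body, indent=2))
```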

Get Threat Timeline
GET /web/api/v2.1/threats/{threat_id}/timeline

Get a threat's timeline.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
activitytypes optional Return only these activity codes (comma-separated list). Example:
"52,53,71,72".
countonly optional If true, only total number of items will be returned, without any of
the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over
more than 1000 items. Example:
"YWdlbnRfaWQ6NTgwMjkzODE=".
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
limit optional Limit number of returned items (1-1000). Example: "10".
query optional Full text search for fields: hash, primary_description,
secondary_description
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000
items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up
execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name | Description | Required | Value
pagination | Pagination information | true | nested fields below
    totalItems | Total number of items found matching your query | true | integer
    nextCursor | Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) | false | string
data | Response data | false | nested fields below
    accountId | Related account (If applicable) | false | string
    activityType | Activity type | false | integer
    agentId | Related Agent (If applicable) | false | string
    agentUpdatedVersion | Agent's new version (If applicable) | false | string
    createdAt | Activity creation time (UTC) | false | string
    data | Extra activity specific data | false | object
    groupId | Related group (If applicable) | false | string
    hash | Threat file hash (If applicable) | false | string
    id | Activity ID | false | string
    osFamily | Agent's OS type (if applicable) | false | enum
    primaryDescription | Primary description | false | string
    secondaryDescription | Secondary description | false | string
    siteId | Related site (If applicable) | false | string
    threatId | Related threat (If applicable) | false | string
    updatedAt | Activity last updated time (UTC) | false | string
    userId | The user who invoked the activity (If applicable) | false | string
errors | Errors | false | array
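
An added example (not part of the original documentation) of walking the whole timeline with the documented "limit" and "cursor" parameters and the "nextCursor" field, for building an incident record. The `fetch` callable is a hypothetical transport supplied by the caller that performs the authenticated GET and returns the decoded JSON; the function names, the page cap, and the assumption that "createdAt" strings sort chronologically as text are this example's, not the API's.

```python
from urllib.parse import quote, urlencode


def timeline_url(threat_id, limit=1000, cursor=None):
    """Build the documented GET path with the limit and cursor parameters."""
    if isinstance(limit, bool) or not isinstance(limit, int) \
            or not 1 <= limit <= 1000:
        raise ValueError("limit must be an integer in 1-1000")
    params = {"limit": limit}
    if cursor:
        params["cursor"] = cursor
    return (f"/web/api/v2.1/threats/{quote(str(threat_id), safe='')}/timeline?"
            + urlencode(params))


def iter_timeline(fetch, threat_id, limit=1000, max_pages=500):
    """Yield every activity, following nextCursor until the last page."""
    cursor, seen = None, set()
    for _ in range(max_pages):
        page = fetch(timeline_url(threat_id, limit, cursor))
        if page.get("errors"):
            raise RuntimeError(f"API returned errors: {page['errors']}")
        yield from page.get("data") or []
        cursor = (page.get("pagination") or {}).get("nextCursor")
        # The schema says nextCursor is "null" on the last page; accept both
        # a JSON null and the literal string.
        if cursor in (None, "", "null"):
            return
        if cursor in seen:
            raise RuntimeError("cursor repeated; stopping to avoid a loop")
        seen.add(cursor)
    raise RuntimeError("max_pages reached before the last page")


def collect_timeline(fetch, threat_id, limit=1000):
    """Return all activities ordered by createdAt, de-duplicated by id."""
    by_id = {}
    for item in iter_timeline(fetch, threat_id, limit):
        by_id.setdefault(item.get("id"), item)
    # Assumption: createdAt is an ISO 8601 UTC string, so text order is time order.
    return sorted(by_id.values(), key=lambda a: a.get("createdAt") or "")
```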

Export Threat Timeline
GET /web/api/v2.1/export/threats/{threat_id}/timeline

Export a threat's timeline.

Parameters
accountids optional List of Account IDs to filter by. Example:
"225494730938493804,225494730938493915".
activitytypes optional Return only these activity codes (comma-separated list). Example:
"52,53,71,72".
groupids optional List of Group IDs to filter by. Example:
"225494730938493804,225494730938493915".
query optional Full text search for fields: hash, primary_description,
secondary_description
siteids optional List of Site IDs to filter by. Example:
"225494730938493804,225494730938493915".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Export Events
GET /web/api/v2.1/export/threats/{threat_id}/explore/events

Export threat events in CSV or JSON format.

Parameters
format required Exported file format. Example: "json".
eventid optional Filter by a specific process key and its children
eventsubtypes optional Filter events by sub-type. Example: "PROCESSCREATION".
eventtypes optional Filter events by type. Example: "events".
processname__like optional Filter by process name (substring)

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

update_exclusion

Update Exclusions
PUT /web/api/v2.1/unified-exclusions

Change the properties of an Exclusion through the data fields. To get the original data, run "exclusions" with a filter to give the item you want.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

404 - Exclusion not found

Response Schema
Name | Description | Required | Value
data | Response data | false |
errors | Errors | false | array

Body Schema
Name | Description | Required | Value
data | Data | true |
filter | Filter | true | nested fields below
    accountIds | List of Account IDs to filter by | false | string []
    groupIds | List of Group IDs to filter by | false | string []
    siteIds | List of Site IDs to filter by | false | string []
    tenant | Indicates a tenant scope request | false | boolean

Updates

Latest Packages by OS
GET /web/api/v2.1/update/agent/latest-packages

[DEPRECATED] Use "Latest packages" API call instead ("GET /web/api/v2.1/update/agent/packages").

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
packagetype optional Package type. Example: "Agent".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  osTypes Os types true
    linux Linux false
      accounts Accounts where the update package is available for download false
        id Id
        name Na
      createdAt Created at false string
      fileExtension File extension false enum
      fileName File name false string
      fileSize File size (bytes) false integer
      id Id false string
      link Link false
      majorVersion Major version false string
      minorVersion Minor version false string
      osArch Package OS architecture (32/64 bit), applicable to Windows packages only false enum
      osType Platform type false enum
      packageType Package type false enum
      platformType Platform type false enum
      rangerVersion Ranger version if applicable false string
      scopeLevel Package scope. If "global", it will be available in all sites. If "site", it will be available only to sites specified in the "siteIds" attribute. false enum
      sha1 Package hash false string
      sites Sites where the update package is available for download false
        id Id
        name Na
      status Status false enum
      supportedOsVersions Supported os versions false string
      updatedAt Updated at false string
      version Agent version false string
    macos Macos false
      accounts Accounts where the update package is available for download false
        id Id
        name Na
      createdAt Created at false string
      fileExtension File extension false enum
      fileName File name false string
      fileSize File size (bytes) false integer
      id Id false string
      link Link false
      majorVersion Major version false string
      minorVersion Minor version false string
      osArch Package OS architecture (32/64 bit), applicable to Windows packages only false enum
      osType Platform type false enum
      packageType Package type false enum
      platformType Platform type false enum
      rangerVersion Ranger version if applicable false string
      scopeLevel Package scope. If "global", it will be available in all sites. If "site", it will be available only to sites specified in the "siteIds" attribute. false enum
      sha1 Package hash false string
      sites Sites where the update package is available for download false
        id Id
        name Na
      status Status false enum
      supportedOsVersions Supported os versions false string
      updatedAt Updated at false string
      version Agent version false string
    windows Windows false
      accounts Accounts where the update package is available for download false
        id Id
        name Na
      createdAt Created at false string
      fileExtension File extension false enum
      fileName File name false string
      fileSize File size (bytes) false integer
      id Id false string
      link Link false
      majorVersion Major version false string
      minorVersion Minor version false string
      osArch Package OS architecture (32/64 bit), applicable to Windows packages only false enum
      osType Platform type false enum
      packageType Package type false enum
      platformType Platform type false enum
      rangerVersion Ranger version if applicable false string
      scopeLevel Package scope. If "global", it will be available in all sites. If "site", it will be available only to sites specified in the "siteIds" attribute. false enum
      sha1 Package hash false string
      sites Sites where the update package is available for download false
        id Id
        name Na
      status Status false enum
      supportedOsVersions Supported os versions false string
      updatedAt Updated at false string
      version Agent version false string
    windowsLegacy Windows legacy false
      accounts Accounts where the update package is available for download false
        id Id
        name Na
      createdAt Created at false string
      fileExtension File extension false enum
      fileName File name false string
      fileSize File size (bytes) false integer
      id Id false string
      link Link false
      majorVersion Major version false string
      minorVersion Minor version false string
      osArch Package OS architecture (32/64 bit), applicable to Windows packages only false enum
      osType Platform type false enum
      packageType Package type false enum
      platformType Platform type false enum
      rangerVersion Ranger version if applicable false string
      scopeLevel Package scope. If "global", it will be available in all sites. If "site", it will be available only to sites specified in the "siteIds" attribute. false enum
      sha1 Package hash false string
      sites Sites where the update package is available for download false
        id Id
        name Na
      status Status false enum
      supportedOsVersions Supported os versions false string
      updatedAt Updated at false string
      version Agent version false string
  registrationToken Registration token false string

errors Errors false array

Get Latest Packages
GET /web/api/v2.1/update/agent/packages

Get the Agent packages that are uploaded to your Management.


The response shows the data of each package, including the IDs, which you can use in other commands.

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
accountname__contains optional Free-text filter by account name
countonly optional If true, only total number of items will be returned, without any of the actual objects.
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
fileextension optional File extension. Example: ".msi".
fileextensions optional File extension. Example: ".msi".
filename__contains optional Free-text filter by file name
filesize__contains optional Free-text filter by file size
ids optional Package ID list. Example: "225494730938493804,225494730938493915".
limit optional Limit number of returned items (1-1000). Example: "10".
majorversions optional Package major versions
minorversion optional Package minor version
minorversions optional Package minor versions
osarches optional Package OS architecture (32/64 bit), applicable to Windows packages only. Example: "32 bit".
ostypes optional Os type in. Example: "macos".
packagetype optional Package type. Example: "Agent".
packagetypes optional Package type in. Example: "Agent".
platformtype optional Platform type. Example: "macos".
platformtypes optional Platform type in. Example: "macos".
query optional A free-text search term, will match applicable attributes
rangerversion optional Ranger version. Example: "2.5.1.1320".
rangerversion__contains optional Free-text filter by ranger version
sha1 optional Package hash. Example: "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12".
sha1__contains optional Free-text filter by SHA1 hash
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
sitename__contains optional Free-text filter by site name
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
status optional Status in. Example: "ga".
version optional Agent version. Example: "2.5.1.1320".
versionstr__contains optional Free-text filter by version string

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
  totalItems Total number of items found matching your query true integer
  nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
  accounts Accounts where the update package is available for download false
    id Id true string
    name Name true string
  createdAt Created at false string
  fileExtension File extension false enum
  fileName File name false string
  fileSize File size (bytes) false integer
  id Id false string
  link Link false
  majorVersion Major version false string
  minorVersion Minor version false string
  osArch Package OS architecture (32/64 bit), applicable to Windows packages only false enum
  osType Platform type false enum
  packageType Package type false enum
  platformType Platform type false enum
  rangerVersion Ranger version if applicable false string
  scopeLevel Package scope. If "global", it will be available in all sites. If "site", it will be available only to sites specified in the "siteIds" attribute. false enum
  sha1 Package hash false string
  sites Sites where the update package is available for download false
    id Id true string
    name Name true string
  status Status false enum
  supportedOsVersions Supported os versions false string
  updatedAt Updated at false string
  version Agent version false string
errors Errors false array
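
The "cursor"/"nextCursor" iteration and the "sha1" field documented for Get Latest Packages can be combined into a package inventory and integrity check. The Python below is an added example, not SentinelOne code: fetch_page, fake_fetch, FAKE_PAGES and SAMPLE_BLOBS are constructed names and data, and the HTTP transport and authentication are left to the caller.

```python
import hashlib
import hmac
from typing import Callable, Dict, Iterator, List, Optional

# Endpoint from the page; the caller's fetch_page is expected to GET it.
PACKAGES_PATH = "/web/api/v2.1/update/agent/packages"


def iter_packages(fetch_page: Callable[[Dict[str, str]], dict],
                  filters: Optional[Dict[str, str]] = None,
                  limit: int = 1000) -> Iterator[dict]:
    """Yield every package record, following pagination.nextCursor.

    fetch_page (hypothetical) receives the query parameters of one request
    and returns the decoded JSON body.
    """
    if not 1 <= limit <= 1000:
        raise ValueError("limit must be between 1 and 1000")
    params = dict(filters or {})
    params["limit"] = str(limit)
    seen = set()
    while True:
        body = fetch_page(dict(params))
        if body.get("errors"):
            raise RuntimeError(f"API returned errors: {body['errors']}")
        yield from body.get("data") or []
        cursor = (body.get("pagination") or {}).get("nextCursor")
        # The schema says nextCursor is "null" on the last page; accept
        # JSON null, an empty value and the literal string.
        if not cursor or cursor == "null":
            return
        if cursor in seen:
            raise RuntimeError("server repeated a cursor; stopping")
        seen.add(cursor)
        # Assumption: "skip" is only meaningful before a cursor is in use.
        params.pop("skip", None)
        params["cursor"] = cursor


def sha1_matches(package: dict, blob: bytes) -> bool:
    """Compare downloaded bytes with the record's "sha1" field."""
    expected = (package.get("sha1") or "").strip().lower()
    if len(expected) != 40 or any(c not in "0123456789abcdef" for c in expected):
        return False  # missing or malformed hash: treat as unverified
    actual = hashlib.sha1(blob).hexdigest()
    return hmac.compare_digest(actual, expected)


def unverified(packages: List[dict], blobs: Dict[str, bytes]) -> List[str]:
    """Return the ids of packages that were not downloaded or do not match."""
    bad = []
    for pkg in packages:
        blob = blobs.get(pkg.get("id"))
        if blob is None or not sha1_matches(pkg, blob):
            bad.append(pkg.get("id"))
    return bad


# Constructed two-page response, keyed by the cursor that requests it.
FAKE_PAGES = {
    None: {
        "pagination": {"totalItems": 3, "nextCursor": "Y29uc3RydWN0ZWQ="},
        "data": [
            {"id": "1001", "fileName": "agent_a.msi", "status": "ga",
             "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"},
            {"id": "1002", "fileName": "agent_b.pkg", "status": "ga",
             "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
        ],
    },
    "Y29uc3RydWN0ZWQ=": {
        "pagination": {"totalItems": 3, "nextCursor": None},
        "data": [
            {"id": "1003", "fileName": "agent_c.msi", "status": "ga",
             "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"},
        ],
    },
}

# Constructed "downloads": 1003 does not match the hash the console reports.
SAMPLE_BLOBS = {
    "1001": b"The quick brown fox jumps over the lazy dog",
    "1002": b"",
    "1003": b"unexpected bytes",
}


def fake_fetch(params: Dict[str, str]) -> dict:
    """Stand-in transport that serves FAKE_PAGES by cursor."""
    return FAKE_PAGES[params.get("cursor")]


if __name__ == "__main__":
    pkgs = list(iter_packages(fake_fetch, {"status": "ga"}, limit=2))
    print([p["id"] for p in pkgs], "unverified:", unverified(pkgs, SAMPLE_BLOBS))
```

SHA-1 is not collision-resistant, so a match shows that the file is the one the Management recorded, not that the package is authentic; keep checking the installer's code signature as well.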

Delete Packages
DELETE /web/api/v2.1/update/agent/packages

Delete Agent packages from your Management. Use the IDs from Get Latest Packages.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
data Response data false
  affected Number of entities affected by the requested operation false integer

errors Errors false array

Body Schema
Name Description Required Value
data Data true
  ids Package IDs to delete false string []

Update package
PUT /web/api/v2.1/update/agent/packages/{package_id}

Update the metadata for an existing package.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

404 - Package not found

Response Schema
Name Description Required Value
data Response data false
  status Status true enum
  accounts Accounts where the update package is available for download false
    id Id true string
    name Name true string
  createdAt Created at false string
  fileExtension File extension false enum
  fileName File name false string
  fileSize File size (bytes) false integer
  id Id false string
  link Link false
  minorVersion Minor version false string
  osArch Package OS architecture (32/64 bit), applicable to Windows packages only false enum
  osType Platform type false enum
  packageType Package type false enum
  platformType Platform type false enum
  rangerVersion Ranger version if applicable false string
  scopeLevel Package scope. If "global", it will be available in all sites. If "site", it will be available only to sites specified in the "siteIds" attribute. false enum
  sha1 Package hash false string
  sites Sites where the update package is available for download false
    id Id true string
    name Name true string
  supportedOsVersions Supported os versions false string
  updatedAt Updated at false string
  version Agent version false string

errors Errors false array

Body Schema
Name Description Required Value
data Data true
  accountIds List of accounts to make the package available in. Applicable only if scopeLevel is set to "account". false string []
  minorVersion Minor version false string
  osArch Package OS architecture (32/64 bit), applicable to Windows packages only false enum
  rangerVersion Ranger version if applicable false string
  scopeLevel Package scope. If "global", it will be available in all sites. If "site", it will be available only to sites specified in the "siteIds" attribute. false enum
  siteIds List of sites to make the package available in. Applicable only if scopeLevel is set to "site". false string []
  status Status false enum
  supportedOsVersions Supported os versions false string
  version Agent version false string

Upload Agent Package
POST /web/api/v2.1/upload/agent/software

If you have an On-Prem Management or you are a participant in the Beta program, you can use this command to upload an Agent package to the Management. Then you can deploy the Agent to update endpoints.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  status Status true enum
  accounts Accounts where the update package is available for download false
    id Id true string
    name Name true string
  createdAt Created at false string
  fileExtension File extension false enum
  fileName File name false string
  fileSize File size (bytes) false integer
  id Id false string
  link Link false
  minorVersion Minor version false string
  osArch Package OS architecture (32/64 bit), applicable to Windows packages only false enum
  osType Platform type false enum
  packageType Package type false enum
  platformType Platform type false enum
  rangerVersion Ranger version if applicable false string
  scopeLevel Package scope. If "global", it will be available in all sites. If "site", it will be available only to sites specified in the "siteIds" attribute. false enum
  sha1 Package hash false string
  sites Sites where the update package is available for download false
    id Id true string
    name Name true string
  supportedOsVersions Supported os versions false string
  updatedAt Updated at false string
  version Agent version false string

errors Errors false array

Body Schema
Name Description Required Value
formData false
  file File true file
  status Status. Example: "ga". true enum
  accountIds List of accounts to make the package available in. Applicable only if scopeLevel is set to "account". Example: "225494730938493804,225494730938493915". false string []
  minorVersion Package minor version. Example: "SP1". false string
  osType Platform type. Example: "macos". false enum
  platformType Platform type. Example: "macos". false enum
  scopeLevel Package scope. If "global", it will be available in all sites. Otherwise, it will only be available to the sites/accounts specified in "siteIds"/"accountIds" attribute. Example: "site". false enum
  siteIds List of sites to make the package available in. Applicable only if scopeLevel is set to "site". Example: "225494730938493804,225494730938493915". false string []
  version Version. Example: "2.5.1.1320". false string

Upload System Package
POST /web/api/v2.1/upload/software

If you have an On-Prem Management or otherwise require a manual package upload, use this command to upload an Agent package or a Management package. Then you can deploy the update (see Deploy System Package).

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  success Indicates a successful operation false boolean

errors Errors false array

Body Schema
Name Description Required Value
formData false
  file File true file

Deploy System Package
POST /web/api/v2.1/upload/software/deploy

If you have an On-Prem Management or you are a participant in the Beta program, you can upload a Management package and then use this command to deploy the new Management. You must first upload the package (see Upload System Package).

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  success Indicates a successful operation false boolean

errors Errors false array

Download Agent Package
GET /web/api/v2.1/update/agent/download/{package_id}

[DEPRECATED] Download an agent package by package ID. Rate limit: 2 calls per minute for each different user token.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

404 - Package not found

Download Package
GET /web/api/v2.1/update/agent/download/{site_id}/{package_id}

Download a package by site_id ("sites") and filename.


Rate limit: 2 calls per minute for each user token.
Use this command to manually deploy Agent updates that cannot be deployed with the update-software command (see Agent Actions > Update Software) or through the Console.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

404 - Package not found or bad site

Users

User by token
GET /web/api/v2.1/user

Get a user by token.

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
groupids optional List of Group IDs to filter by. Example: "225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
tenant optional Indicates a tenant scope request

Response Messages
200 - User retrieved correctly.

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
  scope User Scope true enum
  agreedEula True if EULA was agreed for user's sites false boolean
  agreementUrl Link to EULA agreement if it was not agreed yet false string
  allowRemoteShell [DEPRECATED] Unused field. The user's role will determine if it is allowed to use remote_shell. false boolean
  apiToken Api token false
    createdAt Created at false string
    expiresAt Expires at false string
  canGenerateApiToken Can generate api token false boolean
  dateJoined Date joined false string
  elevatedSessionDurationMinutes Defines for how many minutes can the user call protected actions once their session is elevated. false integer
  email Email false string
  emailReadOnly True if email cannot be modified false boolean
  emailVerified True if user verification completed successfully false boolean
  firstLogin First login false string
  fullName Full name false string
  fullNameReadOnly True if full name cannot be modified false boolean
  groupsReadOnly [Deprecated] false boolean
  id Id false string
  isExternalLoginUser Is external login user false boolean
  isSystem false boolean
  lastLogin Last login false string
  lowestRole [DEPRECATED] in RBAC there's no 'lowest' role. Returns Admin if user has admin permission on all sites, otherwise a different role. false string
  primaryTwoFaMethod Primary two fa method false string
  scopeRoles Roles of the scope user false
    accountName Scope name true string
    name Scope name true string
    id Scope ID false string
    roleId ID of the wanted role false string
    roleName [DEPRECATED] Name of the role, will work only for predefined roles false string
    roles [DEPRECATED] List containing the desired role name in this scope. Use role_id or role_name instead. false string []
  siteRoles [DEPRECATED] Role and site ids for the user. Using scopeRoles is more consistent. false
    id Site ID true string
    name Site name true string
    roleId ID of the wanted role false string
    roleName [DEPRECATED] Name of the role, will work only for predefined roles false string
    roles [DEPRECATED] List containing the desired role name in this scope. Use role_id instead. false string []
  source Source false string
  tenantRoles [DEPRECATED] Role ids for the tenant user. Using scopeRoles is more consistent. false undefined []
  twoFaConfigured User 2FA Auth is configured false boolean
  twoFaEnabled Two fa enabled false boolean
  twoFaEnabledReadOnly True if two fa option cannot be modified false boolean
  twoFaStatus State of 2FA setup false enum

errors Errors false array

List users
GET /web/api/v2.1/users

Get a list of users.

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
apitokenexpiresat__between optional Date range for when the API token expires (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
apitokenexpiresat__gt optional API token expires after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
apitokenexpiresat__gte optional API token expires after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
apitokenexpiresat__lt optional API token expires before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
apitokenexpiresat__lte optional API token expires before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
cangenerateapitoken optional Can generate api token
countonly optional If true, only total number of items will be returned, without any of the actual objects.
createdat__between optional Date range for when the user was created (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
createdat__gt optional User was created after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__gte optional User was created after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lt optional User was created before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lte optional User was created before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
cursor optional Cursor position returned by the last request. Use to iterate over more than 1000 items. Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
datejoined optional Date joined. Example: "2018-02-27T04:49:26.257525Z".
email optional Email. Example: "[email protected]".
email__contains optional Match email partially (substring)
emailreadonly optional True if email cannot be changed
emailverified optional Return only verified/unverified users
firstlogin optional First login. Example: "2018-02-27T04:49:26.257525Z".
fullname optional Full name
fullname__contains optional Match full name partially (substring)
fullnamereadonly optional True if full name cannot be changed
groupsreadonly optional [DEPRECATED] True if permissions cannot be changed
hasvalidapitoken optional Has valid api token
ids optional List of user IDs to filter by. Example: "225494730938493804,225494730938493915".
lastactivation__between optional Date range for when the user was last active (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
lastactivation__gt optional User was last active after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
lastactivation__gte optional User was last active after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
lastactivation__lt optional User was last active before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
lastactivation__lte optional User was last active before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
lastlogin optional Last login. Example: "2018-02-27T04:49:26.257525Z".
limit optional Limit number of returned items (1-1000). Example: "10".
primarytwofamethod optional Primary two fa method
query optional Full text search for fields: full_name, email, description
roleids optional List of rbac roles to filter by. Example: "225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
skip optional Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor". Example: "150".
skipcount optional If true, total number of items will not be calculated, which speeds up execution time.
sortby optional The column to sort the results by. Example: "id".
sortorder optional Sort direction. Example: "asc".
source optional User Source. Example: "mgmt".
sources optional Source in. Example: "mgmt".
twofaenabled optional Two fa enabled
twofastatus optional Two fa status
twofastatuses optional Two fa status in

Response Messages
200 - List of users retrieved successfully.

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
pagination Pagination information true
  totalItems Total number of items found matching your query true integer
  nextCursor Pass this value as "cursor" on your next request, to get the next page of results (Will be "null" when last page reached) false string
data Response data false
  scope User Scope true enum
  agreedEula True if EULA was agreed for user's sites false boolean
  agreementUrl Link to EULA agreement if it was not agreed yet false string
  allowRemoteShell [DEPRECATED] Unused field. The user's role will determine if it is allowed to use remote_shell. false boolean
  apiToken Api token false
    createdAt Created at false string
    expiresAt Expires at false string
  canGenerateApiToken Can generate api token false boolean
  dateJoined Date joined false string
  email Email false string
  emailReadOnly True if email cannot be modified false boolean
  emailVerified True if user verification completed successfully false boolean
  firstLogin First login false string
  fullName Full name false string
  fullNameReadOnly True if full name cannot be modified false boolean
  groupsReadOnly [Deprecated] false boolean
  id Id false string
  isSystem false boolean
  lastLogin Last login false string
  lowestRole [DEPRECATED] in RBAC there's no 'lowest' role. Returns Admin if user has admin permission on all sites, otherwise a different role. false string
  primaryTwoFaMethod Primary two fa method false string
  scopeRoles Roles of the scope user false
    accountName Scope name true string
    name Scope name true string
    id Scope ID false string
    roleId ID of the wanted role false string
    roleName [DEPRECATED] Name of the role, will work only for predefined roles false string
    roles [DEPRECATED] List containing the desired role name in this scope. Use role_id or role_name instead. false string []
  siteRoles [DEPRECATED] Role and site ids for the user. Using scopeRoles is more consistent. false
    id Site ID true string
    name Site name true string
    roleId ID of the wanted role false string
    roleName [DEPRECATED] Name of the role, will work only for predefined roles false string
    roles [DEPRECATED] List containing the desired role name in this scope. Use role_id instead. false string []
  source Source false string
  tenantRoles [DEPRECATED] Role ids for the tenant user. Using scopeRoles is more consistent. false undefined []
  twoFaConfigured User 2FA Auth is configured false boolean
  twoFaEnabled Two fa enabled false boolean
  twoFaEnabledReadOnly True if two fa option cannot be modified false boolean
  twoFaStatus State of 2FA setup false string

errors Errors false array
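
The 2FA, API-token and login fields returned by List users are enough for a periodic account-hygiene review. The Python below is an added example, not part of the SentinelOne documentation: the thresholds, finding names and SAMPLE_USERS records are constructed assumptions, and it reads only fields listed in the response schema (twoFaEnabled, twoFaConfigured, apiToken.expiresAt, lastLogin, email, id).

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse timestamps shaped like "2018-02-27T04:49:26.257525Z"."""
    if not value:
        return None
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def audit_user(user: dict, now: datetime,
               max_token_days: int = 180, stale_days: int = 90) -> List[str]:
    """Return hygiene findings for one user record (thresholds are local policy)."""
    findings = []

    # Two-factor state: enabled for the account, and actually enrolled.
    if not user.get("twoFaEnabled"):
        findings.append("2fa-disabled")
    elif not user.get("twoFaConfigured"):
        findings.append("2fa-enabled-but-not-configured")

    # API token lifetime, from the nested apiToken object.
    token = user.get("apiToken")
    if token:
        expires = parse_ts(token.get("expiresAt"))
        if expires is None:
            findings.append("api-token-without-expiry")
        elif expires <= now:
            findings.append("api-token-expired")
        elif expires - now > timedelta(days=max_token_days):
            findings.append("api-token-long-lived")

    # Dormant or never-used accounts.
    last_login = parse_ts(user.get("lastLogin"))
    if last_login is None:
        findings.append("never-logged-in")
    elif now - last_login > timedelta(days=stale_days):
        findings.append("stale-account")
    return findings


def audit_users(users: List[dict], now: datetime, **policy) -> Dict[str, List[str]]:
    """Map each user with at least one finding (by email, else id) to its findings."""
    report = {}
    for user in users:
        findings = audit_user(user, now, **policy)
        if findings:
            report[user.get("email") or user.get("id")] = findings
    return report


# Constructed records in the shape of the "data" array; not real accounts.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"id": "1", "email": "alice@example.com", "twoFaEnabled": True,
     "twoFaConfigured": True, "lastLogin": "2023-12-20T08:00:00.000000Z",
     "apiToken": {"createdAt": "2023-11-01T00:00:00.000000Z",
                  "expiresAt": "2024-02-01T00:00:00.000000Z"}},
    {"id": "2", "email": "bob@example.com", "twoFaEnabled": False,
     "twoFaConfigured": False, "lastLogin": "2023-01-15T09:30:00.000000Z",
     "apiToken": {"createdAt": "2022-01-01T00:00:00.000000Z",
                  "expiresAt": "2030-01-01T00:00:00.000000Z"}},
    {"id": "3", "email": "svc@example.com", "twoFaEnabled": True,
     "twoFaConfigured": False, "lastLogin": None,
     "apiToken": {"createdAt": "2023-01-01T00:00:00Z",
                  "expiresAt": "2023-06-01T00:00:00Z"}},
]

if __name__ == "__main__":
    for who, findings in audit_users(SAMPLE_USERS, NOW).items():
        print(who, findings)
```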

Create User
POST /web/api/v2.1/users

Create a new user.

Response Messages
200 - User created successfully.

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Not enough permissions to create user.

Response Schema
Name Description Required Value
data Response data false
  scope User Scope true enum
  agreedEula True if EULA was agreed for user's sites false boolean
  agreementUrl Link to EULA agreement if it was not agreed yet false string
  allowRemoteShell [DEPRECATED] Unused field. The user's role will determine if it is allowed to use remote_shell. false boolean
  apiToken Api token false
    createdAt Created at false string
    expiresAt Expires at false string
  canGenerateApiToken Can generate api token false boolean
  dateJoined Date joined false string
  elevatedSessionDurationMinutes Defines for how many minutes can the user call protected actions once their session is elevated. false integer
  email Email false string
  emailReadOnly True if email cannot be modified false boolean
  emailVerified True if user verification completed successfully false boolean
  firstLogin First login false string
  fullName Full name false string
  fullNameReadOnly True if full name cannot be modified false boolean
  groupsReadOnly [Deprecated] false boolean
  id Id false string
  isExternalLoginUser Is external login user false boolean
  isSystem false boolean
  lastLogin Last login false string
  lowestRole [DEPRECATED] in RBAC there's no 'lowest' role. Returns Admin if user has admin permission on all sites, otherwise a different role. false string
  primaryTwoFaMethod Primary two fa method false string
  scopeRoles Roles of the scope user false
    accountName Scope name true string
    name Scope name true string
    id Scope ID false string
    roleId ID of the wanted role false string
    roleName [DEPRECATED] Name of the role, will work only for predefined roles false string
    roles [DEPRECATED] List containing the desired role name in this scope. Use role_id or role_name instead. false string []
  siteRoles [DEPRECATED] Role and site ids for the user. Using scopeRoles is more consistent. false
    id Site ID true string
    name Site name true string
    roleId ID of the wanted role false string
    roleName [DEPRECATED] Name of the role, will work only for predefined roles false string
    roles [DEPRECATED] List containing the desired role name in this scope. Use role_id instead. false string []
  source Source false string
  tenantRoles [DEPRECATED] Role ids for the tenant user. Using scopeRoles is more consistent. false undefined []
  twoFaConfigured User 2FA Auth is configured false boolean
  twoFaEnabled Two fa enabled false boolean
  twoFaEnabledReadOnly True if two fa option cannot be modified false boolean
  twoFaStatus State of 2FA setup false enum

errors Errors false array

Body Schema
Name Description Required Value
data Data true
  email The email of the user true string
  fullName Full name of the user true string
  scope User scope true enum
  allowRemoteShell [DEPRECATED] Unused field. The user's role will determine if it is allowed to use remote_shell. false boolean
  password User password. Not allowed if automatic onboarding feature is enabled. false string
  scopeRoles List of id and role id, id is mandatory for user in scope account/site. Role name is deprecated and will work only for predefined roles, please use role id. User in tenant (global) role does not need to provide an id. false
    id Scope ID false string
    roleId ID of the wanted role false string
    roleName [DEPRECATED] Name of the role, will work only for predefined roles false string
    roles [DEPRECATED] List containing the desired role name in this scope. Use role_id or role_name instead. false string []
  siteRoles [DEPRECATED] Please use scopeRoles instead. false
    id Site ID true string
    name [DEPRECATED] Site name false string
    roleId ID of the wanted role false string
    roleName [DEPRECATED] Name of the role, will work only for predefined roles false string
    roles [DEPRECATED] List containing the desired role name in this scope. Use role_id instead. false string []
  tenantRoles [DEPRECATED] Use roles instead. List of tenant roles. false string []
  twoFaEnabled Two fa enabled false boolean

Export Users
GET /web/api/v2.1/export/users

Export User data to a CSV, for Users that match the filter.

Parameters
accountids optional List of Account IDs to filter by. Example: "225494730938493804,225494730938493915".
apitokenexpiresat__between optional Date range for when the API token expires (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
apitokenexpiresat__gt optional API token expires after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
apitokenexpiresat__gte optional API token expires after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
apitokenexpiresat__lt optional API token expires before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
apitokenexpiresat__lte optional API token expires before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
cangenerateapitoken optional Can generate api token
createdat__between optional Date range for when the user was created (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
createdat__gt optional User was created after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__gte optional User was created after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lt optional User was created before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
createdat__lte optional User was created before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
datejoined optional Date joined. Example: "2018-02-27T04:49:26.257525Z".
email optional Email. Example: "[email protected]".
email__contains optional Match email partially (substring)
emailreadonly optional True if email cannot be changed
emailverified optional Return only verified/unverified users
firstlogin optional First login. Example: "2018-02-27T04:49:26.257525Z".
fullname optional Full name
fullname__contains optional Match full name partially (substring)
fullnamereadonly optional True if full name cannot be changed
groupsreadonly optional [DEPRECATED] True if permissions cannot be changed
hasvalidapitoken optional Has valid api token
ids optional List of user IDs to filter by. Example: "225494730938493804,225494730938493915".
lastactivation__between optional Date range for when the user was last active (format: <from_timestamp>-<to_timestamp>, inclusive). Example: "1514978890136-1514978650130".
lastactivation__gt optional User was last active after this timestamp. Example: "2018-02-27T04:49:26.257525Z".
lastactivation__gte optional User was last active after or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
lastactivation__lt optional User was last active before this timestamp. Example: "2018-02-27T04:49:26.257525Z".
lastactivation__lte optional User was last active before or at this timestamp. Example: "2018-02-27T04:49:26.257525Z".
lastlogin optional Last login. Example: "2018-02-27T04:49:26.257525Z".
primarytwofamethod optional Primary two fa method
query optional Full text search for fields: full_name, email, description
roleids optional List of rbac roles to filter by. Example: "225494730938493804,225494730938493915".
siteids optional List of Site IDs to filter by. Example: "225494730938493804,225494730938493915".
source optional User Source. Example: "mgmt".
sources optional Source in. Example: "mgmt".
twofaenabled optional Two fa enabled
twofastatus optional Two fa status
twofastatuses optional Two fa status in

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Get User
GET /web/api/v2.1/users/{user_id}

Get a user by ID.

Response Messages
200 - User retrieved successfully.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions.

404 - Could not retrieve user.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    scope User Scope true enum
    account Relevant if the user is a site level user or single account false
        Name Description Required Value
        id The id of the account false string
        name The name of the account false string
    agreedEula True if EULA was agreed for user's sites false boolean
    agreementUrl Link to EULA agreement if it was not agreed yet false string
    allowRemoteShell [DEPRECATED] Unused field. The user's role will determine if it is allowed to use remote_shell. false boolean
    apiToken Api token false
        Name Description Required Value
        createdAt Created at false string
        expiresAt Expires at false string
    canGenerateApiToken Can generate api token false boolean
    dateJoined Date joined false string
    elevatedSessionDurationMinutes Defines for how many minutes can the user call protected actions once their session is elevated. false integer
    email Email false string
    emailReadOnly True if email cannot be modified false boolean
    emailVerified True if user verification completed successfully false boolean
    firstLogin First login false string
    fullName Full name false string
    fullNameReadOnly True if full name cannot be modified false boolean
    groupsReadOnly [Deprecated] false boolean
    id Id false string
    isExternalLoginUser Is external login user false boolean
    isSystem false boolean
    lastLogin Last login false string
    lowestRole [DEPRECATED] in RBAC there's no 'lowest' role. Returns Admin if user has admin permission on all sites, otherwise a different role. false string
    pages Pages false
        Name Description Required Value
        identifier Identifier false string
        name Name false string
        permissions Permissions false
            Name Description Required Value
            additionalDescription Additional description false string
            dependsOn Depends on false string []
            description Description false string
            disabledReason Disabled reason false string
            disabledReasonCode Disabled reason code false string
            groupName Group name false string
            identifier Identifier false string
            title Title false string
            type Type false string
            value Value false boolean
    primaryTwoFaMethod Primary two fa method false string
    scopeRoles Roles of the scope user false
        Name Description Required Value
        accountName Scope name true string
        name Scope name true string
        id Scope ID false string
        roleId ID of the wanted role false string
        roleName [DEPRECATED] Name of the role, will work only for predefined roles false string
        roles [DEPRECATED] List containing the desired role name in this scope. Use role_id or role_name instead. false string []
    siteRoles [DEPRECATED] Role and site ids for the user. Using scopeRoles is more consistent. false
        Name Description Required Value
        id Site ID true string
        name Site name true string
        roleId ID of the wanted role false string
        roleName [DEPRECATED] Name of the role, will work only for predefined roles false string
        roles [DEPRECATED] List containing the desired role name in this scope. Use role_id instead. false string []
    source Source false string
    tenantRoles [DEPRECATED] Role ids for the tenant user. Using scopeRoles is more consistent. false undefined []
    twoFaConfigured User 2FA Auth is configured false boolean
    twoFaEnabled Two fa enabled false boolean
    twoFaEnabledReadOnly True if two fa option cannot be modified false boolean
    twoFaStatus State of 2FA setup false enum
errors Errors false array
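
The timestamp filters of Export Users and the fields of the Get User response above can drive a periodic account-hygiene review. The following is an added example, not part of the SentinelOne documentation: it builds the export query in the two timestamp formats the parameter list shows and flags accounts without 2FA or with soon-to-expire or dormant-but-live API tokens. The console host, the sample records and the thresholds are constructed assumptions, as is reading the 13-digit range values as epoch milliseconds.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

EXPORT_USERS_PATH = "/web/api/v2.1/export/users"  # endpoint from the page


def to_iso(dt):
    """Format a datetime like the page's example "2018-02-27T04:49:26.257525Z"."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def to_range(start, end):
    """Build "<from_timestamp>-<to_timestamp>" for the __between filters.

    Assumption: the 13-digit values in the page's example are epoch milliseconds.
    """
    if start > end:
        raise ValueError("range start is after range end")
    return "%d-%d" % (int(start.timestamp() * 1000), int(end.timestamp() * 1000))


def parse_ts(value):
    """Parse an API timestamp string; None or "" means the field is unset."""
    if not value:
        return None
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised timestamp: %r" % (value,))


def export_users_url(base_url, now, expiring_within_days, inactive_since=None, site_ids=()):
    """URL that exports users whose API token expires inside the review window."""
    window_end = now + timedelta(days=expiring_within_days)
    params = {"apitokenexpiresat__between": to_range(now, window_end)}
    if inactive_since is not None:
        params["lastactivation__lt"] = to_iso(inactive_since)
    if site_ids:
        params["siteids"] = ",".join(site_ids)  # comma-separated, as in the page's example
    return base_url.rstrip("/") + EXPORT_USERS_PATH + "?" + urlencode(params)


def audit_users(users, now, expiring_within_days=14, stale_after_days=90):
    """Return (email, finding) pairs for records shaped like the Get User `data` object."""
    soon = now + timedelta(days=expiring_within_days)
    stale = now - timedelta(days=stale_after_days)
    findings = []
    for user in users:
        email = user.get("email", "<no email>")
        token = user.get("apiToken") or {}
        expires = parse_ts(token.get("expiresAt"))
        last_login = parse_ts(user.get("lastLogin"))
        live_token = expires is not None and expires > now
        if not user.get("twoFaEnabled", False):
            findings.append((email, "2FA not enabled"))
        if live_token and expires <= soon:
            findings.append((email, "API token expires within review window"))
        if live_token and (last_login is None or last_login < stale):
            findings.append((email, "live API token on an account with no recent login"))
    return findings


# Constructed sample records; only field names come from the response schema.
SAMPLE_USERS = [
    {"email": "alice@example.com", "twoFaEnabled": True,
     "apiToken": {"expiresAt": "2024-01-10T00:00:00.000000Z"},
     "lastLogin": "2023-12-30T08:15:00.000000Z"},
    {"email": "bob@example.com", "twoFaEnabled": False,
     "apiToken": None, "lastLogin": "2023-12-20T10:00:00.000000Z"},
    {"email": "svc-report@example.com", "twoFaEnabled": True,
     "apiToken": {"expiresAt": "2024-06-01T00:00:00.000000Z"},
     "lastLogin": "2023-05-01T00:00:00.000000Z"},
    {"email": "carol@example.com", "twoFaEnabled": True,
     "apiToken": {"expiresAt": "2023-11-01T00:00:00.000000Z"},
     "lastLogin": "2023-12-31T23:00:00.000000Z"},
]

if __name__ == "__main__":
    review_time = datetime(2024, 1, 1, tzinfo=timezone.utc)
    # console.example.invalid is a placeholder host, not a real console address.
    print(export_users_url("https://console.example.invalid", review_time, 14))
    for email, finding in audit_users(SAMPLE_USERS, review_time):
        print(email, "-", finding)
```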

Delete User
DELETE /web/api/v2.1/users/{user_id}

Delete a user by ID.

Response Messages
200 - User deleted successfully.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    success Indicates a successful operation false boolean
errors Errors false array

Update User
PUT /web/api/v2.1/users/{user_id}

Change properties of the user of the given ID.

Response Messages
200 - User updated successfully.

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Forbidden.

404 - User not found.

409 - User or Email already taken.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    scope User Scope true enum
    agreedEula True if EULA was agreed for user's sites false boolean
    agreementUrl Link to EULA agreement if it was not agreed yet false string
    allowRemoteShell [DEPRECATED] Unused field. The user's role will determine if it is allowed to use remote_shell. false boolean
    apiToken Api token false
        Name Description Required Value
        createdAt Created at false string
        expiresAt Expires at false string
    canGenerateApiToken Can generate api token false boolean
    dateJoined Date joined false string
    elevatedSessionDurationMinutes Defines for how many minutes can the user call protected actions once their session is elevated. false integer
    email Email false string
    emailReadOnly True if email cannot be modified false boolean
    emailVerified True if user verification completed successfully false boolean
    firstLogin First login false string
    fullName Full name false string
    fullNameReadOnly True if full name cannot be modified false boolean
    groupsReadOnly [Deprecated] false boolean
    id Id false string
    isExternalLoginUser Is external login user false boolean
    isSystem false boolean
    lastLogin Last login false string
    lowestRole [DEPRECATED] in RBAC there's no 'lowest' role. Returns Admin if user has admin permission on all sites, otherwise a different role. false string
    primaryTwoFaMethod Primary two fa method false string
    scopeRoles Roles of the scope user false
        Name Description Required Value
        accountName Scope name true string
        name Scope name true string
        id Scope ID false string
        roleId ID of the wanted role false string
        roleName [DEPRECATED] Name of the role, will work only for predefined roles false string
        roles [DEPRECATED] List containing the desired role name in this scope. Use role_id or role_name instead. false string []
    siteRoles [DEPRECATED] Role and site ids for the user. Using scopeRoles is more consistent. false
        Name Description Required Value
        id Site ID true string
        name Site name true string
        roleId ID of the wanted role false string
        roleName [DEPRECATED] Name of the role, will work only for predefined roles false string
        roles [DEPRECATED] List containing the desired role name in this scope. Use role_id instead. false string []
    source Source false string
    tenantRoles [DEPRECATED] Role ids for the tenant user. Using scopeRoles is more consistent. false undefined []
    twoFaConfigured User 2FA Auth is configured false boolean
    twoFaEnabled Two fa enabled false boolean
    twoFaEnabledReadOnly True if two fa option cannot be modified false boolean
    twoFaStatus State of 2FA setup false enum
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    scope User scope true enum
    allowRemoteShell [DEPRECATED] Unused field. The user's role will determine if it is allowed to use remote_shell. false boolean
    canGenerateApiToken Can generate api token false boolean
    currentPassword User password, new name for backward compatibility false string
    email [DEPRECATED] The email of the user false string
    fullName Full name of the user false string
    id Id false string
    password User password false string
    scopeRoles List of id and role id, id is mandatory for user in scope account/site. Role name is deprecated and will work only for predefined roles, please use role id. User in tenant (global) role does not need to provide an id. false
        Name Description Required Value
        id Scope ID false string
        roleId ID of the wanted role false string
        roleName [DEPRECATED] Name of the role, will work only for predefined roles false string
        roles [DEPRECATED] List containing the desired role name in this scope. Use role_id or role_name instead. false string []
    siteRoles [DEPRECATED] Please use scopeRoles instead. false
        Name Description Required Value
        id Site ID true string
        name [DEPRECATED] Site name false string
        roleId ID of the wanted role false string
        roleName [DEPRECATED] Name of the role, will work only for predefined roles false string
        roles [DEPRECATED] List containing the desired role name in this scope. Use role_id instead. false string []
    tenantRoles [DEPRECATED] Use roles instead. List of tenant roles. false string []
    twoFaCode Two-Factor Authorization code false string
    twoFaEnabled Two fa enabled false boolean

Bulk Delete Users
POST /web/api/v2.1/users/delete-users

Delete all users that match the filter.

Response Messages
400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Body Schema
Name Description Required Value
filter Filter true
    Name Description Required Value
    apiTokenExpiresAt__between Date range for when the API token expires (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    apiTokenExpiresAt__gt API token expires after this timestamp false string
    apiTokenExpiresAt__gte API token expires after or at this timestamp false string
    apiTokenExpiresAt__lt API token expires before this timestamp false string
    apiTokenExpiresAt__lte API token expires before or at this timestamp false string
    canGenerateApiToken Can generate api token false boolean
    createdAt__between Date range for when the user was created (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    createdAt__gt User was created after this timestamp false string
    createdAt__gte User was created after or at this timestamp false string
    createdAt__lt User was created before this timestamp false string
    createdAt__lte User was created before or at this timestamp false string
    dateJoined Date joined false string
    email Email false string
    email__contains Match email partially (substring) false string []
    emailReadOnly True if email cannot be changed false boolean
    emailVerified Return only verified/unverified users false boolean
    firstLogin First login false string
    fullName Full name false string
    fullName__contains Match full name partially (substring) false string []
    fullNameReadOnly True if full name cannot be changed false boolean
    groupsReadOnly [DEPRECATED] True if permissions cannot be changed false boolean
    hasValidApiToken Has valid api token false boolean
    ids List of user IDs to filter by false string []
    lastActivation__between Date range for when the user was last active (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    lastActivation__gt User was last active after this timestamp false string
    lastActivation__gte User was last active after or at this timestamp false string
    lastActivation__lt User was last active before this timestamp false string
    lastActivation__lte User was last active before or at this timestamp false string
    lastLogin Last login false string
    primaryTwoFaMethod Primary two fa method false string
    query Full text search for fields: full_name, email, description false string
    roleIds List of rbac roles to filter by false string []
    source User Source false enum
    sources Source in false string []
    twoFaEnabled Two fa enabled false boolean
    twoFaStatus Two fa status false string
    twoFaStatuses Two fa status in false string []
data Data false

Generate iFrame Token
POST /web/api/v2.1/users/generate-iframe-token

Get a new iFrame token with the provided limitations.

Response Messages
200 - User created successfully.

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Not enough permissions to create user.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    iframeToken User's iframe token true string
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    accountId Account id true string
    agentUuids A list of included UUIDs false string []
    role [DEPRECATED] Name of the role false string
    roleName RBAC role name false string
    userName The username that will be displayed false string

Enable 2FA
POST /web/api/v2.1/users/2fa/enable

Enable two-factor authentication for a given user.

Response Messages
200 - 2FA successfully enabled

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - No permission for the action

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    success Indicates a successful operation false boolean
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    id User ID true string
    currentPassword Current password false string
    twoFaCode Two-Factor Authorization code false string

Disable 2FA
POST /web/api/v2.1/users/2fa/disable

Disable Two-Factor Authentication for one user. This requires the ID of the user (run "users").

Response Messages
200 - 2FA successfully disabled

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - No permission for the action

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    success Indicates a successful operation false boolean
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    id User ID true string
    currentPassword Current password false string
    twoFaCode Two-Factor Authorization code false string

Generate API Token
POST /web/api/v2.1/users/generate-api-token

Get the API token for the authenticated user.

Response Messages
200 - API token delivered to user

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    token User's API token true string
errors Errors false array

Body Schema
Name Description Required Value
data Data false
    Name Description Required Value
    forceLegacy Temporary attribute for WA: If the flag is set to True the legacy token will be generated even if the auth_tokens global switch is turned on false boolean

Revoke API Token
POST /web/api/v2.1/users/revoke-api-token

Revoke an API token.

Response Messages
200 - Api token revoked

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

404 - User not found

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    success Indicates a successful operation false boolean
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    id User ID true string
    currentPassword Current password false string
    twoFaCode Two-Factor Authorization code false string

API Token by User ID
GET /web/api/v2.1/users/{user_id}/api-token-details

Get the details of the API token generated for a given user.

Response Messages
200 - Success

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

404 - User not found

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    createdAt Created at false string
    expiresAt Expires at false string
errors Errors false array

API Token Details
POST /web/api/v2.1/users/api-token-details

Get details of the API token that matches the filter.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    createdAt Created at false string
    expiresAt Expires at false string
errors Errors false array

Body Schema
Name Description Required Value
data Data false
    Name Description Required Value
    apiToken Api token false string

Enable 2FA App
POST /web/api/v2.1/users/enable-app

Enable support for the 2FA app (such as Duo or Google Authenticator) that your Console users will use to log in.

Response Messages
200 - 2FA app enabled

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    success Indicates a successful operation false boolean
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    code Code false string
    id Id false string

Request 2FA App
POST /web/api/v2.1/users/request-app

Request 2FA App response.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    code Code false string
    qrCode Qr code false string
errors Errors false array

Body Schema
Name Description Required Value
currentPassword User password false string

Change Password
POST /web/api/v2.1/users/change-password

Change the user password.

Response Messages
200 - Password changed

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

404 - User not found

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    success Indicates a successful operation false boolean
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    id User ID true string
    confirmNewPassword Confirm new password false string
    currentPassword Current password false string
    newPassword New password false string
    twoFaCode Two-Factor Authorization code false string

Auth App
POST /web/api/v2.1/users/auth/app

Authenticate a user with a third-party app, such as DUO or Google Authenticator, for deployments that require Two Factor Authentication.

Response Messages
200 - Authenticated

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    token Generated authentication token true string
    csrf Generated csrf token false string
    status User verification status false enum
    twoFaMethod Two-factor authentication method (if enabled) false enum
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    code Code false string
    rememberMe User should be remembered across sessions false boolean

Sign EULA
POST /web/api/v2.1/users/auth/eula

Mark the End User License Agreement (EULA) as signed for user scopes.

Response Messages
200 - Authenticated

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    success Indicates a successful operation false boolean
errors Errors false array

Check Global User
GET /web/api/v2.1/users/tenant-admin-auth-check

See if the logged in user has the Global scope of access.

Response Messages
200 - User is Global.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    success Indicates a successful operation false boolean
errors Errors false array

Check Remote Shell Permissions
GET /web/api/v2.1/users/rs-auth-check

See if the logged in user is allowed to use Remote Shell.

Response Messages
200 - User is allowed to use remote shell feature.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    success Indicates a successful operation false boolean
errors Errors false array

Check Viewer
GET /web/api/v2.1/users/viewer-auth-check

See if the logged in user has only viewer permissions.

Response Messages
200 - User is a viewer.

401 - Unauthorized access - please sign in and retry.

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    success Indicates a successful operation false boolean
errors Errors false array

Email Verification
POST /web/api/v2.1/users/onboarding/verify

When a new user verifies their email, the Management gets a token. Use this command to verify the token and set a new password.

Response Messages
200 - User successfully verified

400 - Invalid user input received. See error details for further information.

401 - Verification failed

404 - A user matching the input verification token wasn't found

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    success Indicates a successful operation false boolean
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    password User selected password true string
    token Verification token true string
    resetPasswordFlow Reset password flow false boolean

Validate Verification Token
GET /web/api/v2.1/users/onboarding/validate-token

When a new user verifies their email, the Management gets a token. Use this command to validate the token.

Parameters
token required Verification token
resetpasswordflow optional Reset password flow

Response Messages
200 - Token is valid

400 - Invalid user input received. See error details for further information.

401 - Verification failed

404 - A user matching the input verification token wasn't found

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    success Indicates a successful operation false boolean
errors Errors false array

Send Verification Email
POST /web/api/v2.1/users/onboarding/send-verification-email

Send a verification email to users that match the filter. Warning: Active users will be locked out of the Management Console until they verify (unless set_user_password_methods is on) their email. If your Management Console has Onboarding enabled, when you create a new user, the user gets an email invitation. If the user does not respond in time or loses the email, you can send it again. You can send the email invitation to multiple users. Your SMTP server must be correctly configured in Settings > SMTP for the Global scope. Changing the Global SMTP settings requires an Admin role with Global scope or Support.

Response Messages
200 - Success

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    affected Number of entities affected by the requested operation false integer
errors Errors false array

Body Schema
Name Description Required Value
filter Filter true
    Name Description Required Value
    apiTokenExpiresAt__between Date range for when the API token expires (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    apiTokenExpiresAt__gt API token expires after this timestamp false string
    apiTokenExpiresAt__gte API token expires after or at this timestamp false string
    apiTokenExpiresAt__lt API token expires before this timestamp false string
    apiTokenExpiresAt__lte API token expires before or at this timestamp false string
    canGenerateApiToken Can generate api token false boolean
    createdAt__between Date range for when the user was created (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    createdAt__gt User was created after this timestamp false string
    createdAt__gte User was created after or at this timestamp false string
    createdAt__lt User was created before this timestamp false string
    createdAt__lte User was created before or at this timestamp false string
    dateJoined Date joined false string
    email Email false string
    email__contains Match email partially (substring) false string []
    emailReadOnly True if email cannot be changed false boolean
    emailVerified Return only verified/unverified users false boolean
    firstLogin First login false string
    fullName Full name false string
    fullName__contains Match full name partially (substring) false string []
    fullNameReadOnly True if full name cannot be changed false boolean
    groupsReadOnly [DEPRECATED] True if permissions cannot be changed false boolean
    hasValidApiToken Has valid api token false boolean
    ids List of user IDs to filter by false string []
    lastActivation__between Date range for when the user was last active (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    lastActivation__gt User was last active after this timestamp false string
    lastActivation__gte User was last active after or at this timestamp false string
    lastActivation__lt User was last active before this timestamp false string
    lastActivation__lte User was last active before or at this timestamp false string
    lastLogin Last login false string
    primaryTwoFaMethod Primary two fa method false string
    query Full text search for fields: full_name, email, description false string
    roleIds List of rbac roles to filter by false string []
    source User Source false enum
    sources Source in false string []
    twoFaEnabled Two fa enabled false boolean
    twoFaStatus Two fa status false string
    twoFaStatuses Two fa status in false string []
data Data false

Reset 2FA
POST /web/api/v2.1/users/reset-2fa

Reset 2FA for users.

Response Messages
200 - 2FA reset completed

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

404 - User not found

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    affected Number of entities affected by the requested operation false integer
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    enroll [DEPRECATED] Not used, deprecated false boolean
    ids A list of user ids false string []

Delete 2FA
POST /web/api/v2.1/users/delete-2fa

Delete 2FA for users.

Response Messages
200 - 2FA delete completed

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

404 - User not found

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    affected Number of entities affected by the requested operation false integer
errors Errors false array

2661
Body Schema
Name Description Required Value
data Data true Name Description Required Value
ids A list of user false string []
ids

Enroll 2FA
POST /web/api/v2.1/users/enroll-2fa

Enroll users for 2FA setup.

Response Messages
200 - 2FA enrollment completed

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

404 - User not found

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    affected Number of entities affected by the requested operation false integer
    expiration The number of hours until 2FA enrollment expires false
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    ids A list of user ids false string []

Redirect to SSO
GET /web/api/v2.1/users/login/sso-saml2

If SSO is enabled for a deployment or scope, and a user attempts to log in with name and password, this command redirects the login to SSO.

Parameters
email optional Email address of the user trying to log in. Example: "[email protected]".
scopeid optional The scope the desired SSO IdP is configured on. email is irrelevant when using scope_id. If both are provided, email is ignored. Example: "225494730938493804".

Response Messages
302 - Login redirected.

400 - Invalid user input received. See error details for further information.

401 - Not authenticated user.

Redirect to SSO for re-authentication


GET /web/api/v2.1/users/sso-saml2/re-auth

Initiates re-authentication with user's identity provider.

Response Messages
302 - Redirect user to their IDP for re-authentication.

401 - Unauthorized access - please sign in and retry.

403 - User is not allowed to re-authenticate with their IDP

500 - Error in SAML handler initialization.

Auth by SSO
POST /web/api/v2.1/users/login/sso-saml2/{scope_id}

Authenticate a Single Sign-On response over SAML v2 protocol.

Response Messages
302 - SSO authenticated.

401 - Not authenticated user.

404 - Site not found.

Login
POST /web/api/v2.1/users/login

Authenticate a user by username and password and return an authentication token. Rate limit: 1 call per second for each different IP address that communicates with the Console.

Response Messages
200 - User authenticated successfully.

400 - Invalid user input received. See error details for further information.

401 - Login failed. May be the result of bad credentials, or a wrong authentication method if SSO or 2FA is required. A temporary token might be provided to do the required next step. The error code defines the cause and the next step.
Basic error codes:
    4010010 - authentication failed
    4010020 - SSO login required - /users/login/sso-saml2
    4010040 - generic login error
    4010080 - user is locked
Error codes related to password changes and expiration:
    4010091 - user must change password - /users/login/set-password
    4010092 - password expired - /users/login/set-password
    4010093 - password expires soon - /users/login-continue
Error codes related to LDAP (Active Directory):
    4010050 - generic LDAP error
    4010060 - user has no email
    4010070 - user is disabled
Error codes related to 2FA:
    4010035 - 2FA configuration - /users/request-app
    4010030 - 2FA required - /users/auth/app
    4010031 - 2FA not enrolled
    4010032 - 2FA enrollment expired

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    token Generated authentication token true string
    csrf Generated csrf token false string
    status User verification status false enum
    twoFaMethod Two-factor authentication method (if enabled) false enum
errors Errors false array

Body Schema
Name Description Required Value
password Your password true string
username The user email true string
rememberMe User should be remembered across sessions false boolean
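An added example (not part of the SentinelOne documentation): a client-side router that maps a POST /users/login response to the next step, using the 401 error codes listed above. The shape of each errors entry (an object with an integer code) and the location of the temporary token (data.token) are assumptions; the sample responses are constructed.

```python
import json

API = "/web/api/v2.1"
# 401 codes for which the page names a follow-up endpoint.
FOLLOW_UP = {
    4010020: "/users/login/sso-saml2",     # SSO login required
    4010030: "/users/auth/app",            # 2FA required
    4010035: "/users/request-app",         # 2FA configuration
    4010091: "/users/login/set-password",  # user must change password
    4010092: "/users/login/set-password",  # password expired
    4010093: "/users/login-continue",      # password expires soon
}
# 401 codes with no follow-up endpoint: stop instead of retrying blindly.
TERMINAL = {
    4010010: "authentication failed", 4010040: "generic login error",
    4010080: "user is locked", 4010050: "generic LDAP error",
    4010060: "user has no email", 4010070: "user is disabled",
    4010031: "2FA not enrolled", 4010032: "2FA enrollment expired",
}

def next_login_step(status, raw_body):
    """Return (action, detail, token) for one POST /users/login response."""
    try:
        body = json.loads(raw_body)
    except (TypeError, ValueError):
        return ("stop", "unparseable response", None)
    if not isinstance(body, dict):
        return ("stop", "unparseable response", None)
    data = body.get("data") if isinstance(body.get("data"), dict) else {}
    token = data.get("token")  # assumption: a temporary token also arrives here
    if status == 200:
        # The schema marks 'token' as required; refuse a 200 without one.
        return ("authenticated", None, token) if token else ("stop", "200 without token", None)
    if status != 401:
        return ("stop", f"HTTP {status}", None)
    # Assumption: each entry of 'errors' is an object with an integer 'code'.
    errors = body.get("errors") if isinstance(body.get("errors"), list) else []
    codes = [e["code"] for e in errors if isinstance(e, dict) and isinstance(e.get("code"), int)]
    for code in codes:
        if code in FOLLOW_UP:
            # The temporary token is only for the named next step, not a session.
            return ("continue", API + FOLLOW_UP[code], token)
    # Unknown codes fail closed rather than being treated as success.
    reason = next((TERMINAL[c] for c in codes if c in TERMINAL), "unknown error code")
    return ("stop", reason, None)

# Constructed sample responses (not captured from a real Console).
SAMPLE_2FA = '{"errors": [{"code": 4010030}], "data": {"token": "TEMP-TOKEN"}}'
SAMPLE_LOCKED = '{"errors": [{"code": 4010080}], "data": null}'
```

Because the endpoint is limited to 1 call per second per IP address, a caller that receives a "stop" result should surface the reason rather than loop on the login request.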

Logout
POST /web/api/v2.1/users/logout

Log out the authenticated user.

Response Messages
200 - User logged out successfully.

401 - Unauthorized access - please sign in and retry.

Login by API Token


POST /web/api/v2.1/users/login/by-api-token

Log in to the API with a token. To learn more about temporary and 6-month tokens and how to generate them, see https://support.sentinelone.com/hc/en-us/articles/360004195934.

Response Messages
200 - user logged in

400 - Invalid user input received. See error details for further information.

401 - User authentication failed

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    token User token true string
    realUser When logging in from Atlas, specifies the actual user who logged in false string
    redirectTo Relative url to redirect to false string
    redirectToParams Query params for the redirect to, without '?' prefix false string
    removedSavedScope Removed saved scope false string
errors Errors false array

Body Schema
Name Description Required Value
data Data false
    Name Description Required Value
    apiToken Api token false string
    reason When logging in from Atlas, specifies the login reason false string

Login by Token
GET /web/api/v2.1/users/login/by-token

Log in with user token.

Parameters
token required User token. Example: "bfd9070c1afa88516d3cdfd722e62fe433e42bad6bb14da27088140ad785585f8582adaccd56fb69".
redirectto optional Relative url to redirect to
redirecttoparams optional Query params for the redirect to, without '?' prefix
removedsavedscope optional Removed saved scope

Response Messages
200 - user logged in

400 - Invalid user input received. See error details for further information.

401 - User authentication failed

Continue with login due to upcoming password expiration or SSO 2FA setup
POST /web/api/v2.1/users/login-continue

For SSO 2FA setup tokens, allows users to skip setting up the 2FA and proceed with their login.
Accepts a temporary token from SSO login flow with error code 4010035.

For password expiration tokens, allows users to decide if they want to change their soon-to-expire password now or later.
Users can also choose not to receive the notification again for this password cycle.
Accepts a temporary token from /users/login with error code 4010093.

Response Messages
200 - Login can continue

400 - Invalid user input received. See error details for further information.

401 - Unauthorized.
In password expiration flow, a temporary token might be provided to do the required next step. The error code defines the cause and the next step.
Error codes:
    4010010 - invalid token
    4010094 - change password with /users/login/set-password

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    token Generated authentication token true string
    csrf Generated csrf token false string
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    token Temporary JWT true string
    dontShowAgain Indicates if the user wants to skip the continue next time false boolean
    resetPassword Indicates if the user wants to change the password false boolean

Set a New Password
POST /web/api/v2.1/users/login/set-password

Sets a new password for the user.


Used by forced password reset and password expiration flows.
Accepts temporary tokens from /users/login with error codes 4010091 and 4010092.

Response Messages
200 - Password was set

400 - Invalid user input received. See error details for further information.

401 - Unauthorized

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    token Generated authentication token true string
    csrf Generated csrf token false string
errors Errors false array

Body Schema
Name Description Required Value
data Data true
    Name Description Required Value
    password The new password true string
    token Verification token true string

Prompt reset password
POST /web/api/v2.1/users/login/send-reset-password-email

Prompt reset password for users.

Response Messages
200 - Prompt reset password completed

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    affected Number of entities affected by the requested operation false integer
errors Errors false array

Body Schema
Name Description Required Value
filter Filter true
    Name Description Required Value
    apiTokenExpiresAt__between Date range for when the API token expires (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    apiTokenExpiresAt__gt API token expires after this timestamp false string
    apiTokenExpiresAt__gte API token expires after or at this timestamp false string
    apiTokenExpiresAt__lt API token expires before this timestamp false string
    apiTokenExpiresAt__lte API token expires before or at this timestamp false string
    canGenerateApiToken Can generate api token false boolean
    createdAt__between Date range for when the user was created (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    createdAt__gt User was created after this timestamp false string
    createdAt__gte User was created after or at this timestamp false string
    createdAt__lt User was created before this timestamp false string
    createdAt__lte User was created before or at this timestamp false string
    dateJoined Date joined false string
    email Email false string
    email__contains Match email partially (substring) false string []
    emailReadOnly True if email cannot be changed false boolean
    emailVerified Return only verified/unverified users false boolean
    firstLogin First login false string
    fullName Full name false string
    fullName__contains Match full name partially (substring) false string []
    fullNameReadOnly True if full name cannot be changed false boolean
    groupsReadOnly [DEPRECATED] True if permissions cannot be changed false boolean
    hasValidApiToken Has valid api token false boolean
    ids List of user IDs to filter by false string []
    lastActivation__between Date range for when the user was last active (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    lastActivation__gt User was last active after this timestamp false string
    lastActivation__gte User was last active after or at this timestamp false string
    lastActivation__lt User was last active before this timestamp false string
    lastActivation__lte User was last active before or at this timestamp false string
    lastLogin Last login false string
    primaryTwoFaMethod Primary two fa method false string
    query Full text search for fields: full_name, email, description false string
    roleIds List of rbac roles to filter by false string []
    source User Source false enum
    sources Source in false string []
    twoFaEnabled Two fa enabled false boolean
    twoFaStatus Two fa status false string
    twoFaStatuses Two fa status in false string []

data Data false

Reset password on next login
POST /web/api/v2.1/users/login/force-reset-password-on-login

Force users to reset their password on next login.

Response Messages
200 - Users marked to reset password on next login successfully

400 - Invalid user input received. See error details for further information.

401 - Unauthorized access - please sign in and retry.

403 - Insufficient permissions

Response Schema
Name Description Required Value
data Response data false
    Name Description Required Value
    affected Number of entities affected by the requested operation false integer
errors Errors false array

Body Schema
Name Description Required Value
filter Filter true
    Name Description Required Value
    apiTokenExpiresAt__between Date range for when the API token expires (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    apiTokenExpiresAt__gt API token expires after this timestamp false string
    apiTokenExpiresAt__gte API token expires after or at this timestamp false string
    apiTokenExpiresAt__lt API token expires before this timestamp false string
    apiTokenExpiresAt__lte API token expires before or at this timestamp false string
    canGenerateApiToken Can generate api token false boolean
    createdAt__between Date range for when the user was created (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    createdAt__gt User was created after this timestamp false string
    createdAt__gte User was created after or at this timestamp false string
    createdAt__lt User was created before this timestamp false string
    createdAt__lte User was created before or at this timestamp false string
    dateJoined Date joined false string
    email Email false string
    email__contains Match email partially (substring) false string []
    emailReadOnly True if email cannot be changed false boolean
    emailVerified Return only verified/unverified users false boolean
    firstLogin First login false string
    fullName Full name false string
    fullName__contains Match full name partially (substring) false string []
    fullNameReadOnly True if full name cannot be changed false boolean
    groupsReadOnly [DEPRECATED] True if permissions cannot be changed false boolean
    hasValidApiToken Has valid api token false boolean
    ids List of user IDs to filter by false string []
    lastActivation__between Date range for when the user was last active (format: <from_timestamp>-<to_timestamp>, inclusive) false string
    lastActivation__gt User was last active after this timestamp false string
    lastActivation__gte User was last active after or at this timestamp false string
    lastActivation__lt User was last active before this timestamp false string
    lastActivation__lte User was last active before or at this timestamp false string
    lastLogin Last login false string
    primaryTwoFaMethod Primary two fa method false string
    query Full text search for fields: full_name, email, description false string
    roleIds List of rbac roles to filter by false string []
    source User Source false enum
    sources Source in false string []
    twoFaEnabled Two fa enabled false boolean
    twoFaStatus Two fa status false string
    twoFaStatuses Two fa status in false string []

data Data false
