Universal Cloud REST API connector workflow for SentinelOne ActiveEDR

You can customize your workflow and workflow parameters based on the default workflow.

A workflow is an XML document that describes the event retrieval process. The workflow defines one or more parameters, which can be explicitly assigned values in the workflow XML or can derive values from the workflow parameter values XML document. The workflow consists of multiple actions that run sequentially. Values that an action stores under a path persist between runs of the connector; the default workflow relies on this to keep its bookmark (the end of the last window it collected) from one run to the next.

SentinelOne ActiveEDR default workflow

Use the following XML to populate the Workflow field in the Universal Cloud REST API connector parameters section.

Click the Copy to clipboard icon at the upper right of the code block, and then paste the content into the Workflow field.

<?xml version="1.0" encoding="UTF-8" ?>
<Workflow name="SentinelOneActiveEDR" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
    <Parameters>
        <!-- secret="true" masks the token in the QRadar user interface -->
        <Parameter name="api_token" label="API Token" required="true" secret="true" />
        <!-- Host name of the console only; the workflow adds the https:// scheme itself -->
        <Parameter name="sentinelone_host" label="SentinelOne management console" required="true" />
    </Parameters>

    <Actions>
        <ClearStatus />

        <Initialize path="/integration_name" value="SentinelOneActiveEDR"/>
        <Initialize path="/sentinelOneConsoleUrl" value="https://${/sentinelone_host}"/>
        <Initialize path="/logPrefix" value="[${/integration_name}][${/sentinelOneConsoleUrl}]" />

        <!-- Initialize bookmark to 1 week back in milliseconds.
             Initialize assigns only when the path is not yet set, so after the first run
             the persisted bookmark is used instead of this default. -->
        <Initialize path="/starttimeMilli" value="${time() - (60000 * 60 * 24 * 7)}"/>
        <!-- Set always assigns: the end of the collection window is recomputed on every run -->
        <Set path="/endtimeMilli" value="${time()}"/>

        <!-- Date time format down to fraction-of-second -->
        <FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'" timeZone="UTC" time="${/starttimeMilli}" savePath="/starttime" />
        <FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'" timeZone="UTC" time="${/endtimeMilli}" savePath="/endtime" />
        <Log type="DEBUG" message="${/logPrefix} - starttime: ${/starttime}" />
        <Log type="DEBUG" message="${/logPrefix} - endtime: ${/endtime}" />

        <Initialize path="/limit" value="10"/>
        <Set path="/cursor" value=""/>
        <Set path="/pulledCount" value="0"/>

        <!-- DoWhile runs its body at least once, so the first request is sent with an empty cursor -->
        <DoWhile condition="not empty(/cursor)">
            <CallEndpoint url="${/sentinelOneConsoleUrl}/web/api/v2.1/threats" method="GET" savePath="/sentinelOne/response">
                <QueryParameter name="updatedAt__gt" value="${/starttime}" />
                <QueryParameter name="updatedAt__lte" value="${/endtime}" />
                <QueryParameter name="limit" value="${/limit}" />
                <!-- Empty on the first call; omitted from the request until the API returns a cursor -->
                <QueryParameter name="cursor" value="${/cursor}" omitIfEmpty="true"/>
                <QueryParameter name="sortOrder" value="asc" />

                <!-- SentinelOne's ApiToken authorization scheme -->
                <RequestHeader name="Authorization" value="ApiToken ${/api_token}" />
                <RequestHeader name="Content-Type" value="application/json" />
            </CallEndpoint>

            <!-- Abort stops the run before the bookmark is advanced, so the next run retries the same window -->
            <If condition="/sentinelOne/response/status_code != 200">
                <Abort reason="API error occurred - ${/sentinelOne/response/status_code}: ${/sentinelOne/response/status_message}" />
            </If>

            <!-- Post the events -->
            <If condition="${count(/sentinelOne/response/body/data)} > 0">
                <PostEvents path="/sentinelOne/response/body/data" source="${/sentinelone_host}" />
            </If>

            <Set path="/pulledCount" value="${/pulledCount + count(/sentinelOne/response/body/data)}"/>
            <Log type="DEBUG" message="${/logPrefix} - Received: ${/pulledCount} events." />

            <!-- On the last page the API returns a null cursor, which ends the loop -->
            <Set path="/cursor" value="${/sentinelOne/response/body/pagination/nextCursor}"/>
        </DoWhile>

        <!-- Reached only after every page was posted: move the bookmark to the end of this window -->
        <Set path="/starttimeMilli" value="${/endtimeMilli}" />
        <Log type="DEBUG" message="${/logPrefix} - Update the bookmark to the running max time: ${/starttimeMilli}" />
    </Actions>

    <Tests>
        <DNSResolutionTest host="${/sentinelone_host}"/>
        <TCPConnectionTest host="${/sentinelone_host}"/>
        <SSLHandshakeTest host="${/sentinelone_host}" />
        <HTTPConnectionThroughProxyTest url="${/sentinelOneConsoleUrl}"/>
    </Tests>
</Workflow>
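The retrieval loop in the workflow above, modelled in Python as an added example (this is not code from the IBM page or from the connector). It sends the same query parameters and Authorization header as the CallEndpoint action, walks the cursor until the API returns a null nextCursor, aborts on any non-200 status before the bookmark moves, and advances the bookmark only after the last page. FakeSentinelOne is a constructed in-memory stand-in for the /web/api/v2.1/threats endpoint so the logic runs offline; build_request, pull_threats and fmt are this example's own names.

```python
"""Offline model of the default workflow's retrieval loop (added example)."""
from datetime import datetime, timezone

THREATS_PATH = "/web/api/v2.1/threats"


def fmt(ms):
    """Format epoch milliseconds as yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z' in UTC."""
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    dt = dt.replace(microsecond=(ms % 1000) * 1000)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f") + "Z"


def build_request(console_url, api_token, start_ms, end_ms, limit, cursor):
    """The query parameters and headers the workflow's CallEndpoint sends."""
    params = {
        "updatedAt__gt": fmt(start_ms),
        "updatedAt__lte": fmt(end_ms),
        "limit": str(limit),
        "sortOrder": "asc",
    }
    if cursor:  # omitIfEmpty="true": no cursor parameter on the first request
        params["cursor"] = cursor
    headers = {
        "Authorization": "ApiToken " + api_token,
        "Content-Type": "application/json",
    }
    return console_url + THREATS_PATH, params, headers


class FakeSentinelOne:
    """Constructed stand-in for the console API (not the real service): serves
    `total` threats paged by `limit`, with a null nextCursor on the last page."""

    def __init__(self, total, token):
        self.total = total
        self.token = token
        self.calls = 0

    def get(self, url, params, headers):
        self.calls += 1
        if not url.endswith(THREATS_PATH):
            return 404, "Not Found", None
        if headers.get("Authorization") != "ApiToken " + self.token:
            return 401, "Unauthorized", None
        offset = int(params.get("cursor", "0"))   # the fake's cursor is just an offset
        end = min(offset + int(params["limit"]), self.total)
        data = [{"id": str(1000 + i), "threatInfo": {"threatName": "constructed-%d" % i}}
                for i in range(offset, end)]
        next_cursor = str(end) if end < self.total else None
        body = {"data": data, "pagination": {"nextCursor": next_cursor, "totalItems": self.total}}
        return 200, "OK", body


def pull_threats(call, console_url, api_token, bookmark_ms, now_ms, limit=10):
    """One connector run: returns (events, new_bookmark_ms).

    Mirrors the XML: the body runs at least once (DoWhile); a non-200 status
    aborts before the bookmark moves, so the next run re-requests the same
    window instead of losing events; the bookmark advances to the end of the
    window only after the last page has been posted.
    """
    events = []
    cursor = ""
    while True:
        url, params, headers = build_request(console_url, api_token, bookmark_ms, now_ms, limit, cursor)
        status, message, body = call(url, params, headers)
        if status != 200:
            raise RuntimeError("API error occurred - %s: %s" % (status, message))
        events.extend(body["data"])          # PostEvents
        cursor = body["pagination"]["nextCursor"]
        if not cursor:                       # null on the last page ends the loop
            break
    return events, now_ms


if __name__ == "__main__":
    console = FakeSentinelOne(total=25, token="example-token")
    got, bookmark = pull_threats(console.get, "https://console.example", "example-token",
                                 1_700_000_000_000, 1_700_000_600_000)
    print(len(got), "events in", console.calls, "requests; bookmark ->", fmt(bookmark))
```

With the default limit of 10, 25 threats take three requests; a wrong token raises on the first request and the caller's bookmark is left where it was, which is the behaviour the Abort action gives the real connector.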

SentinelOne ActiveEDR default workflow parameter values

Use the following XML to populate the Workflow Parameter Values field in the Universal Cloud REST API connector parameters section.

Click the Copy to clipboard icon at the upper right of the code block, and then paste the content into a text file. Replace <your-api-token> with your API token and <your-sentinelone-host> with the host name of your management console (host name only, without https://, because the workflow prepends the scheme itself). Use a token for an account that has only the permissions needed to read threats. If either value contains a character that is special in XML, such as & or <, escape it (&amp;, &lt;) so the document stays well-formed. Then copy the updated content into the Workflow Parameter Values field.

<?xml version="1.0" encoding="UTF-8" ?>
<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V2">
    <Value name="api_token" value="<your-api-token>"/>
    <Value name="sentinelone_host" value="<your-sentinelone-host>"/>
</WorkflowParameterValues>