SentinelOne Integration

vjwchoi · March 16, 2023, 12:23am

Hello all,

I 'm using the SentinelOne plugin well, I have one request for “Get notes”.
Currently the “Get notes” function gets only the latest note but I want to get all notes.
Could you enhance this function?

Thanks and regards,

jw0802 · March 16, 2023, 7:53pm

In SentinelOne, GET /web/api/v2.1/threats/{threat_id}/notes has a default limit of 10, but you can specify 1-1000. In Swimlane 10.x, the SentinelOne plugin’s GET THREAT NOTES task has 2 inputs: threat_id & result_limit - the last one isn’t a required input, though. Try setting your workflow to use the optional input for the task to use a result_limit of 1000 and see what you get.

vjwchoi · March 16, 2023, 9:15pm

In this case, one threat has several notes.
If I get through the API, there is no problem.

jw0802 · March 17, 2023, 1:05am

https://apphub.swimlane.com/swimbundles/swimlane/sw_sentinelone
What are you setting for the result_limit input parameter?

vjwchoi · March 25, 2023, 1:31pm

I set result_limit to 5, it seems normal in debugger mode but actually it can get just one result.
Debugger result, raw_json has several array results as [0],[1],[2] but I cannot get the results.

Topic		Replies	Views
Looking for suggestions to efficiently search for Records Integrations	1	648	October 20, 2022
Iterate over "child reports/references" and bring in "indicators/data" , like soc integration "SOC - Retrive threat intel" Tools playbook , help	4	1782	October 16, 2019
Security visualization and graph databases Knowledge base	0	1543	May 2, 2018
How do you weed through your alerts? Threat intel alert , siem , process , workflow	2	1347	December 19, 2017
EU GDPR Compliance Risk management process	1	1013	December 16, 2017

SentinelOne Integration

Related Topics