SentinelOne

Last updated May 5, 2026

sentinelone-threats

Enumerate threats in the SentinelOne service.

sentinelone-threats [profile=PROFILE] [duration=DURATION] [from=FROM] [to=TO] [order=ORDER]
profile=PROFILE
SentinelOne connect profile code.
duration=DURATION
Return only recent data, relative to the time the query runs. Give a number followed by a unit: s (seconds), m (minutes), h (hours), d (days), mon (months). For example, 10s returns data from the last 10 seconds.
from=FROM
Start of the time range, in yyyyMMddHHmmss format. If the time part is omitted, it is zero-padded (for example, 20260505 means 2026-05-05 00:00:00).
to=TO
End of the time range, in yyyyMMddHHmmss format. If the time part is omitted, it is zero-padded.
order=ORDER
Sort order of the results: asc (ascending) or desc (descending).

Output Fields

Field | Type | Name | Description
_time | Date | Event time | e.g. 2026-05-05 16:02:18+0900
profile | String | Connect profile | SentinelOne connect profile code
threat_id | String | Threat ID | e.g. 1234567890123456789
threat_name | String | Threat name | e.g. Invscenter.sys
classification | String | Classification | e.g. Malware, Trojan, Ransomware
classification_source | String | Classification source | e.g. Cloud, Engine
confidence_level | String | AI confidence level | e.g. malicious, suspicious, na
verdict | String | Analyst verdict | e.g. true_positive, false_positive, suspicious, undefined
verdict_desc | String | Analyst verdict description | e.g. True positive
incident_status | String | Incident status | e.g. unresolved, in_progress, resolved
incident_status_desc | String | Incident status description | e.g. Resolved
mitigation_status | String | Mitigation status | e.g. mitigated, active, blocked, pending
mitigation_status_desc | String | Mitigation status description | e.g. Mitigated
initiated_by | String | Initiated by | e.g. agent_policy, dv_command, full_disk_scan
initiated_by_desc | String | Initiated by description | e.g. Agent Policy
detection_type | String | Detection type | e.g. Static, Dynamic
engines | String | Detection engines | Comma-separated list, e.g. Driver Blocking, On-Write Static AI
file_path | String | File path | e.g. \Device\HarddiskVolume3\WINDOWS\System32\drivers\PROCEXP1...
file_extension | String | File extension | e.g. SYS
file_extension_type | String | File extension type | e.g. Executable
file_size | Long | File size | In bytes
file_verification | String | File verification type | e.g. SignedVerified, NotSigned
file_md5 | String | File MD5 | 32 hexadecimal characters
file_sha1 | String | File SHA1 | 40 hexadecimal characters
file_sha256 | String | File SHA256 | 64 hexadecimal characters
originator_process | String | Originating process | e.g. handle64.exe
signer | String | Signer identity | e.g. MICROSOFT WINDOWS HARDWARE COMPATIBILITY
signer_valid | Boolean | Is valid certificate | e.g. false
certificate_id | String | Certificate ID | e.g. BEIJING AOLANDE INFORMATION TECHNOLOGY CO., LTD.
process_user | String | Process user | e.g. DESKTOP-EXAMPLE\demouser
storyline | String | Storyline | e.g. 1234567890ABCDEF
is_fileless | Boolean | Is fileless | e.g. false
auto_resolved | Boolean | Automatically resolved | e.g. false
reboot_required | Boolean | Reboot required | e.g. false
pending_actions | String | Pending actions | e.g. false
external_ticket_id | String | External ticket ID |
collection_id | String | Collection ID | e.g. 1234567890123456789
hostname | String | Endpoint name | Agent computer name
agent_id | String | Agent ID | e.g. 1234567890123456789
agent_uuid | String | Agent UUID | e.g. 0123456789abcdef0123456789abcdef
agent_domain | String | Agent domain | e.g. WORKGROUP
machine_type | String | Machine type | e.g. laptop
agent_os_name | String | OS name | e.g. Windows 11 Pro
os_family | String | OS family | e.g. windows
agent_os_rev | String | OS revision | e.g. 26200
is_infected | Boolean | Is infected | e.g. false
is_active | Boolean | Is active | e.g. true
is_decommissioned | Boolean | Is decommissioned | e.g. false
network_status | String | Network status | e.g. connected, disconnected
scan_status | String | Scan status | e.g. finished
scan_started | Date | Scan started time | e.g. 2025-03-11 14:26:48+0900
scan_finished | Date | Scan finished time | e.g. 2025-03-12 14:17:33+0900
realtime_agent_ver | String | Realtime agent version | e.g. 24.1.5.277
realtime_account_id | String | Realtime account ID | e.g. 1234567890123456789
realtime_account_name | String | Realtime account name | e.g. ACME Corp
realtime_site_id | String | Realtime site ID | e.g. 1234567890123456789
realtime_site_name | String | Realtime site name | e.g. ACME-Site
realtime_group_id | String | Realtime group ID | e.g. 1234567890123456789
realtime_group_name | String | Realtime group name | e.g. ACME-Group
realtime_reboot_required | Boolean | Realtime reboot required | e.g. false
account_id | String | Account ID | e.g. 1234567890123456789
account_name | String | Account name | e.g. ACME Corp
site_id | String | Site ID | e.g. 1234567890123456789
site_name | String | Site name | e.g. ACME-Site
group_id | String | Group ID | e.g. 1234567890123456789
group_name | String | Group name | e.g. ACME-Group
agent_ip | IP | Agent IP | e.g. 192.168.30.112
external_ip | IP | External IP | e.g. 85.237.230.62
nt_user | String | Last logged in user | e.g. demouser
nt_domain | String | Agent NT domain | e.g. WORKGROUP
indicators | String | Indicators | List of {category, description, ids, tactics}
mitigation_status_list | String | Mitigation status list | List of mitigation actions and statuses
identified | Date | Identification time | e.g. 2026-05-05 16:02:18+0900
first_seen | Date | First seen time |
last_seen | Date | Last seen time |
reported | Date | Report time | e.g. 2026-05-05 16:02:18+0900
created | Date | Creation time | e.g. 2026-05-05 16:02:18+0900
updated | Date | Updated time | e.g. 2026-05-05 16:07:37+0900
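The following Python is an added example, not code from Logpresso or SentinelOne, showing how the duration=, from= and to= options above bound a query window and how the returned records (shaped like the Output Fields table) can be triaged, e.g. the threats a call such as sentinelone-threats profile=s1 duration=1d order=desc would return that are still unmitigated and have no analyst verdict. The 30-day month, the rule that duration= takes precedence over from=/to=, and the sample records are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Added illustration of the sentinelone-threats time options and a triage
# pass over records shaped like the Output Fields table. Not Logpresso's or
# SentinelOne's code; the 30-day month, "duration= wins over from=/to=" and
# the sample records below are assumptions made for this example.

KST = timezone(timedelta(hours=9))  # the page's examples carry +0900

# mon is approximated as 30 days (assumption; the page does not define it).
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "mon": 30 * 86400}
_DURATION_RE = re.compile(r"^(\d+)(mon|s|m|h|d)$")


def parse_duration(text: str) -> timedelta:
    """Parse a duration such as 10s, 5m, 2h, 7d or 1mon into a timedelta."""
    m = _DURATION_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return timedelta(seconds=int(m.group(1)) * _UNITS[m.group(2)])


def parse_time(text: str, tz: timezone = KST) -> datetime:
    """Parse yyyyMMddHHmmss; omitted trailing time fields are zero-padded."""
    text = text.strip()
    if not text.isdigit() or len(text) not in (8, 10, 12, 14):
        raise ValueError(f"bad timestamp: {text!r}")
    return datetime.strptime(text.ljust(14, "0"), "%Y%m%d%H%M%S").replace(tzinfo=tz)


def query_window(now: datetime, duration=None, from_=None, to=None):
    """Return (start, end). duration= is relative to now; from=/to= are absolute.
    A None bound means unbounded on that side."""
    if duration is not None:
        return now - parse_duration(duration), now
    start = parse_time(from_) if from_ else None
    end = parse_time(to) if to else None
    if start is not None and end is not None and start > end:
        raise ValueError("from= is later than to=")
    return start, end


# Constructed sample records using a subset of the Output Fields.
SAMPLE_THREATS = [
    {"_time": "2026-05-05 16:02:18+0900", "threat_id": "1", "threat_name": "Invscenter.sys",
     "confidence_level": "malicious", "verdict": "undefined",
     "mitigation_status": "active", "hostname": "DESKTOP-EXAMPLE"},
    {"_time": "2026-05-05 10:00:00+0900", "threat_id": "2", "threat_name": "sample2.exe",
     "confidence_level": "suspicious", "verdict": "true_positive",
     "mitigation_status": "mitigated", "hostname": "DESKTOP-EXAMPLE"},
    {"_time": "2026-05-03 09:00:00+0900", "threat_id": "3", "threat_name": "sample3.exe",
     "confidence_level": "malicious", "verdict": "undefined",
     "mitigation_status": "pending", "hostname": "LAPTOP-EXAMPLE"},
]


def needs_attention(threats, start, end):
    """threat_ids inside the window that are not mitigated and still lack an analyst verdict."""
    hits = []
    for t in threats:
        ts = datetime.strptime(t["_time"], "%Y-%m-%d %H:%M:%S%z")  # _time carries a +0900 offset
        if start is not None and ts < start:
            continue
        if end is not None and ts > end:
            continue
        if t["mitigation_status"] != "mitigated" and t["verdict"] in ("undefined", "suspicious"):
            hits.append(t["threat_id"])
    return hits


if __name__ == "__main__":
    now = parse_time("20260505170000")
    print(needs_attention(SAMPLE_THREATS, *query_window(now, duration="1d")))
    print(needs_attention(SAMPLE_THREATS, *query_window(now, from_="20260503", to="20260506")))
```

With the constructed records, duration=1d (relative to 2026-05-05 17:00:00+0900) flags only threat 1; the absolute window from=20260503 to=20260506 also reaches back to threat 3, while threat 2 is skipped in both cases because it is already mitigated and has a verdict.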