Skip to content

Commit

Permalink
[SOAR-18473] SentinelOne - fedRAMP, SDK bump and vuln (#3010)
Browse files Browse the repository at this point in the history
* sentinelone - sdk and vuln

* fix schema
  • Loading branch information
rmurray-r7 authored Dec 18, 2024
1 parent 70912c9 commit 1be0264
Show file tree
Hide file tree
Showing 6 changed files with 82 additions and 16 deletions.
6 changes: 3 additions & 3 deletions plugins/sentinelone/.CHECKSUM
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"spec": "dac00ac144819c2b6ce56c06dcb348b6",
"manifest": "2f573b690ac68f509865a057c164c217",
"setup": "5188937ffa1bab0ae8d41c9584a192e2",
"spec": "175814e9d6bf3496067ab005bc81ab74",
"manifest": "bf2f37bb010ec31daf0a4aee3ae45b89",
"setup": "1e8d3387ed4d46dc2171d7ee9c3c4a2c",
"schemas": [
{
"identifier": "activities_list/schema.py",
Expand Down
2 changes: 1 addition & 1 deletion plugins/sentinelone/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM --platform=linux/amd64 rapid7/insightconnect-python-3-slim-plugin:6.1.0
FROM --platform=linux/amd64 rapid7/insightconnect-python-3-slim-plugin:6.2.2

LABEL organization=rapid7
LABEL sdk=python
Expand Down
2 changes: 1 addition & 1 deletion plugins/sentinelone/bin/komand_sentinelone
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ from sys import argv

Name = "SentinelOne"
Vendor = "rapid7"
Version = "11.1.2"
Version = "11.1.3"
Description = "The SentinelOne plugin allows you to manage and mitigate all your security operations through SentinelOne"


Expand Down
16 changes: 8 additions & 8 deletions plugins/sentinelone/help.md

Large diffs are not rendered by default.

70 changes: 68 additions & 2 deletions plugins/sentinelone/plugin.spec.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,19 +3,47 @@ extension: plugin
products: [insightconnect]
name: sentinelone
title: SentinelOne
version: 11.1.2
version: 11.1.3
connection_version: 10
cloud_ready: true
fedramp_ready: true
sdk:
type: slim
version: 6.1.0
version: 6.2.2
user: nobody
supported_versions: ["2.1.0"]
description: The SentinelOne plugin allows you to manage and mitigate all your security operations through SentinelOne
vendor: rapid7
support: rapid7
status: []
key_features:
- "Get activities"
- "Get activity types"
- "Blacklist hashes"
- "Run agent actions"
- "Reload agent modules"
- "Get information about agents"
- "Search agents"
- "Get information about agent applications"
- "Create, get and cancel query"
- "Create IOC threat"
- "Enable and disable agent"
- "Fetch files"
- "Get events"
- "Get information about threats"
- "Manage threats"
- "Quarantine endpoints"
- "Run remote scripts"
- "Check account name availability"
- "Execute scans"
- "Trigger workflows on security alerts"
links:
- "[SentinelOne Product Page](https://www.sentinelone.com/)"
references:
- "[SentinelOne Product Page](https://www.sentinelone.com/)"
requirements:
- "SentinelOne API key"
troubleshooting: "* To generate an API key, create a new Service User or select an existing one with adequate permissions from the SentinelOne console\n* To convert `threat` into an array use Type Converter Plugin\n* For the Trigger settings, only set the Resolved field to False if solely resolved threats should be retrieved (i.e. setting to False will not include unresolved threats)\n* The Run Remote Script action may require starting a protected actions session to function properly. To do this, in the `code` input field, enter the passcode from a third-party app, such as Duo Mobile or Google Authenticator, set up in two-factor authentication. Entering the code is not required each time you run the action, because the session is valid for 30 minutes"
resources:
source_url: https://github.com/rapid7/insightconnect-plugins/tree/master/plugins/sentinelone
license_url: https://github.com/rapid7/insightconnect-plugins/blob/master/LICENSE
Expand All @@ -29,6 +57,44 @@ hub_tags:
use_cases: [threat_detection_and_response]
keywords: [sentinelone, endpoint, detection, cloud_enabled]
features: []
version_history:
- "11.1.3 - Updated SDK to the latest version (v6.2.2) | Address vulnerabilities"
- "11.1.2 - Resolve issue where unexpected timestamps returned from SentinelOne were not parsed in task `Monitor Logs` | Update plugin to be FedRAMP compliant"
- "11.1.1 - Updated Plugin connection to improve `instance` input usability"
- "11.1.0 - Added connection test for task `Monitor Logs` | Update SDK"
- "11.0.0 - Removed `Monitor Logs` task input options | Update SDK"
- "10.0.0 - Added `Monitor Logs` task | Removed `User Type` from connection | A Service User API Key must now be provided to provide enhanced security"
- "9.1.2 - Retry functionality added to requests to SenintelOne that result in a 429 (too many requests) or 503 (service unavailable) error."
- "9.1.1 - `Threats Fetch File`: Updated action to prevent possible movement through file system"
- "9.1.0 - `Move Agent to Another Site`: Action added"
- "9.0.0 - Update plugin to allow cloud connections to be configured | Rename URL input to Instance in connection | Code refactor"
- "8.1.0 - Added New actions: Fetch file for agent ID and Run remote script. Updated description for Trigger resolved field"
- "8.0.1 - Search Agents: Remove duplicate results when Case Sensitive is false"
- "8.0.0 - Connection: Added Service user (API only user type) authentication | Removed Basic Authentication"
- "7.1.0 - Update for Blacklist action: Fix for unblocked action | Update for Quarantine action: unification of the output data when action fails | Add troubleshooting information about use Type Converter | Mark as Benign action: update description"
- "7.0.0 - Add new actions Update Analyst Verdict and Update Incident Status | Fix Get Agent Details and Search Agents actions to handle more response scenarios | Add option to authentication with API key"
- "6.2.0 - New actions Create Query, Get Query Status, Cancel Running Query, Get Events, Get Events By Type"
- "6.1.0 - Add new actions Disable Agent and Enable Agent"
- "6.0.0 - Add `operational_state` field to input of Get Agent Details and Search Agent actions | Update schema to return new outputs such as Active Directory, firewall, location, and quarantine information for Get Agent Details and Search Agent actions | Use API version 2.1 | Update capitalization according to style in Activities List action for Created Than Date and Less Than Dates inputs to Greater than Date and Less than Date"
- "5.0.1 - Correct spelling in help.md"
- "5.0.0 - Consolidate various Agent actions | Use API version 2.1 where possible | Delete obsolete Blacklist by IOC Hash and Agent Processes"
- "4.1.1 - Update the Get Threat Summary action to return all threat summaries instead of 10"
- "4.1.0 - Add case sensitivity option for Agent lookups"
- "4.0.1 - Fix Agent Active parameter in Get Agent Details action | Update Quarantine action whitelist for IP addresses"
- "4.0.0 - Update ID input for Fetch Threats File action to a string"
- "3.1.0 - Add new action Fetch Threats File"
- "3.0.0 - Update help.md for the Extension Library | Update title in action Blacklist by IOC Hash, Get Activities, Count Summary and Connect to Network"
- "2.1.1 - Upgrade trigger Get Threats to only return threats since trigger start"
- "2.1.0 - Add `agent_active` field to input in action Search Agents"
- "2.0.0 - Upgrade trigger input Agent is Active to default true"
- "1.4.0 - New actions Quarantine, Get Agent Details, Search Agents"
- "1.3.0 - Add new action Blacklist"
- "1.2.2 - Update error message in Connection"
- "1.2.1 - Update to use the `komand/python-3-37-slim-plugin` Docker image to reduce plugin size"
- "1.2.0 - New spec and help.md format for the Extension Library | New actions activities_list, activities_types, agents_abort_scan, agents_connect, agents_decommission, agents_disconnect, agents_fetch_logs, agents_initiate, agents_processes, agents_reload, agents_restart, agents_shutdown, agents_summary, agents_uninstall, apps_by_agent_ids, name_available"
- "1.1.0 - New trigger Get Threats | New actions Mitigate Threat, Mark as Benign, Mark as Threat and Create IOC Threat"
- "1.0.1 - Update to add Blacklist by IOC Hash and Blacklist by Content Hash"
- "1.0.0 - Initial plugin"
types:
activityTypes:
id:
Expand Down
2 changes: 1 addition & 1 deletion plugins/sentinelone/setup.py
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@


setup(name="sentinelone-rapid7-plugin",
version="11.1.2",
version="11.1.3",
description="The SentinelOne plugin allows you to manage and mitigate all your security operations through SentinelOne",
author="rapid7",
author_email="",
Expand Down

0 comments on commit 1be0264

Please sign in to comment.