n8n-nodes-sentinelone

!SentinelOne
!n8n
!TypeScript
!License

An n8n community node for interacting with the SentinelOne API v2.1. Manage your endpoint security infrastructure directly from your n8n workflows.

Features

$3

| Operation | Description |
|-----------|-------------|
| Get Activities | Retrieve activity/audit log entries with filtering |
| Get Activity Types | Get list of activity types for filtering |

$3

| Operation | Description |
|-----------|-------------|
| Abort Scan | Abort a running scan on agents |
| Connect to Network | Reconnect isolated agents to the network |
| Decommission | Decommission agents (remove from console) |
| Disable Agent | Disable protection on agents |
| Disconnect from Network | Quarantine/isolate agents from the network |
| Enable Agent | Enable protection on agents |
| Fetch Logs | Request agents to upload diagnostic logs |
| Get Agents | Retrieve agents with comprehensive filtering options |
| Get Applications | Get installed applications for specific agents |
| Get Passphrase | Get the passphrase for specific agents |
| Initiate Scan | Run full disk scans on targeted agents |
| Move to Site | Move agents to a different site |
| Restart Machine | Remotely restart endpoints |
| Shutdown | Remotely shut down endpoints |
| Uninstall Agent | Remove SentinelOne agents from endpoints |
| Update Software | Initiate agent software update |

$3

| Operation | Description |
|-----------|-------------|
| Create Rule | Create device control rules scoped to sites, groups, accounts, or global |
| Delete Rules | Delete device control rules by ID |
| Get Device Events | Retrieve device control events (blocked/allowed devices) |
| Get Device Rules | Retrieve device control rules with filtering by interface, device class, action, etc. |
| Update Rule | Update existing device control rules |

$3

| Operation | Description |
|-----------|-------------|
| Create Exclusion | Create whitelist/exclusion entries (path, hash, certificate, etc.) |
| Delete Exclusions | Delete exclusion entries by ID |
| Get Exclusions | Retrieve exclusions with filtering |
| Update Exclusion | Update existing exclusion entries |

$3

| Operation | Description |
|-----------|-------------|
| Get Groups | Retrieve groups with filtering |
| Move Agents | Move agents to a specific group |

$3

| Operation | Description |
|-----------|-------------|
| Get Verdict | Get the reputation/verdict for a SHA1 hash |

$3

| Operation | Description |
|-----------|-------------|
| Get Sites | Retrieve sites with filtering |

$3

| Operation | Description |
|-----------|-------------|
| Get Tags | Retrieve endpoint tags |
| Manage Tags | Add, remove, or override tags on agents |

$3

| Operation | Description |
|-----------|-------------|
| Get Threats | Retrieve threats with filtering by status, verdict, OS type, etc. |
| Mitigate Threat | Apply mitigation actions (kill, quarantine, remediate, rollback, un-quarantine, network-quarantine) |

Installation

$3

1. Go to Settings > Community Nodes
2. Select Install
3. Enter n8n-nodes-sentinelone
4. Agree to the risks and click Install

$3

``bash

`In your n8n installation directory`


npm install n8n-nodes-sentinelone


Credentials
You'll need to configure your SentinelOne API credentials:

| Field | Description | |-------|-------------| | API URL | Your SentinelOne console URL (e.g.,https://usea1-partners.sentinelone.net) | | API Token | Your API token from SentinelOne console |

`$3`

1. Log in to your SentinelOne Management Console 2. Navigate to Settings > Users 3. Select your user or create a service user 4. Click Generate API Token 5. Copy the token (it won't be shown again!)

`Operations Detail`

`$3`

Retrieve a list of agents with powerful filtering capabilities.

Filters Available: - Account/Site/Group IDs - Computer name (contains) - External IP (contains) - OS Types (Windows, macOS, Linux) - Machine Types (Desktop, Laptop, Server, Kubernetes, etc.) - Network Status (Connected, Disconnected) - Scan Status - Infection status - Agent version - And many more...

`$3`

Retrieve installed applications for specific agents.

Required: Agent IDs (comma-separated)

`$3`

Target agents by: - Agent IDs: Specific agent IDs (comma-separated) - Filter: Dynamic filter criteria (OS type, site, group, infection status, etc.)

`$3`

Retrieve threats with filtering: - Analyst Verdicts (True Positive, False Positive, Suspicious, Undefined) - Incident Statuses (In Progress, Resolved, Unresolved) - Mitigation Statuses (Mitigated, Active, Blocked, Pending, etc.) - Content Hash, Classification - Date ranges

`$3`

Apply mitigation actions: - Kill - Terminate the threat process - Quarantine - Quarantine the threat file - Remediate - Remediate the threat (macOS/Windows) - Rollback Remediation - Rollback remediation (Windows only) - Un-Quarantine - Release from quarantine - Network Quarantine - Network isolate the affected endpoint

`$3`

Create a new device control rule with: - Scope: Global (Tenant), Account, Site, or Group level - Interface: USB, Bluetooth, Thunderbolt, eSATA - Rule Type: Device Class, Vendor ID, Product ID, Device ID, Bluetooth Version - Action: Allow, Block, Read-Only - Status: Enabled or Disabled

`$3`

Retrieve device control rules with filtering: - Interfaces (USB, Bluetooth, Thunderbolt, eSATA) - Device Classes (Mass Storage, Printer, Portable Device, Communication) - Actions (Allow, Block, Read-Only) - Scopes (Account, Global, Group, Site) - Statuses (Enabled, Disabled)

`$3`

Update an existing device control rule by ID. Modifiable fields: - Rule Name, Action, Status, Device Class, Vendor ID, Product ID

`$3`

Delete device control rules by providing rule IDs (comma-separated).

`$3`

Retrieve device control events with filtering: - Event Types (Blocked, Allowed, Read-Only) - Interfaces, Agent IDs, Site/Group IDs - Date ranges, Computer name, Query search

`$3`

- Get Tags: Retrieve endpoint tags with filtering - Manage Tags: Add, remove, or override tags - Supports key-value pairs - Target by Agent IDs or filter criteria

`Example Workflows`

`$3`

`$3`

`Trigger: Schedule (Daily 8 AM) | SentinelOne: Get Agents (filter: isActive=true) | SentinelOne: Get Threats (filter: last 24 hours) | Function: Calculate statistics | Email: Send daily report`

`$3`

`Trigger: Webhook (new employee) | SentinelOne: Get Agents (filter: computerName contains "new-laptop") | SentinelOne: Manage Tags (action: add, key: department, value: engineering)`

`$3`

`Trigger: Schedule (Weekly) | SentinelOne: Get Device Rules (filter: interface=USB, action=Allow) | Function: Format audit report | Google Sheets: Append to compliance log`

`$3`

`Trigger: Webhook (new site created) | SentinelOne: Create Rule (scope: site, interface: USB, deviceClass: Mass Storage, action: Block) | SentinelOne: Get Device Events (filter: siteId, eventType: blocked) | Slack: Notify IT team of new policy`

`API Reference`

This node uses the SentinelOne API v2.1. For complete API documentation, visit your SentinelOne console's API documentation at:

`https://your-console.sentinelone.net/api-doc/overview``

Compatibility

- n8n Version: 0.5.0+
- Node.js: 18+
- SentinelOne API: v2.1

Support

- Issues: GitHub Issues
- SentinelOne Docs: Developer Portal

Changelog

$3

- Added new resources:
- Activity: Get audit log entries and activity types
- Exclusion: Full CRUD for whitelist/exclusion management
- Group: Get groups and move agents between groups
- Hash: Get reputation verdict for SHA1 hashes
- Site: Get sites with filtering
- Expanded Agent operations:
- Abort Scan, Decommission, Disable Agent, Enable Agent
- Fetch Logs, Get Passphrase, Move to Site, Update Software
- Now supports 9 resources with 30+ operations

$3

- Expanded Device Control operations:
- Create Rule (with site/group/account/global scoping)
- Update Rule
- Delete Rules
- Get Device Events
- Enhanced rule creation with support for device class, vendor ID, product ID, and Bluetooth version matching

$3

- Added Threat operations (Get Threats, Mitigate Threat)
- Added Device Control operations (Get Device Rules)
- Added Tag operations (Get Tags, Manage Tags)
- Enhanced filtering options for all operations

$3

- Initial release
- Agent operations (Get Agents, Get Applications, Actions)

License

MIT

---

Made with :purple_heart: for the n8n community

n8n-nodes-sentinelone

!SentinelOne
!n8n
!TypeScript
!License

An n8n community node for interacting with the SentinelOne API v2.1. Manage your endpoint security infrastructure directly from your n8n workflows.

Features

$3

| Operation | Description |
|-----------|-------------|
| Get Groups | Retrieve groups with filtering |
| Move Agents | Move agents to a specific group |

$3

| Operation | Description |
|-----------|-------------|
| Get Verdict | Get the reputation/verdict for a SHA1 hash |

$3

| Operation | Description |
|-----------|-------------|
| Get Sites | Retrieve sites with filtering |

$3

| Operation | Description |
|-----------|-------------|
| Get Tags | Retrieve endpoint tags |
| Manage Tags | Add, remove, or override tags on agents |

$3

Installation

$3

1. Go to Settings > Community Nodes
2. Select Install
3. Enter n8n-nodes-sentinelone
4. Agree to the risks and click Install

$3

``bash

`In your n8n installation directory`


npm install n8n-nodes-sentinelone


Credentials
You'll need to configure your SentinelOne API credentials:

| Field | Description | |-------|-------------| | API URL | Your SentinelOne console URL (e.g.,https://usea1-partners.sentinelone.net) | | API Token | Your API token from SentinelOne console |

`$3`

`Operations Detail`

`$3`

Retrieve a list of agents with powerful filtering capabilities.

`$3`

Retrieve installed applications for specific agents.

Required: Agent IDs (comma-separated)

`$3`

Target agents by: - Agent IDs: Specific agent IDs (comma-separated) - Filter: Dynamic filter criteria (OS type, site, group, infection status, etc.)

`$3`

Update an existing device control rule by ID. Modifiable fields: - Rule Name, Action, Status, Device Class, Vendor ID, Product ID

`$3`

Delete device control rules by providing rule IDs (comma-separated).

`$3`

Retrieve device control events with filtering: - Event Types (Blocked, Allowed, Read-Only) - Interfaces, Agent IDs, Site/Group IDs - Date ranges, Computer name, Query search

`$3`

- Get Tags: Retrieve endpoint tags with filtering - Manage Tags: Add, remove, or override tags - Supports key-value pairs - Target by Agent IDs or filter criteria

`Example Workflows`

`$3`

`Trigger: Schedule (Daily 8 AM) | SentinelOne: Get Agents (filter: isActive=true) | SentinelOne: Get Threats (filter: last 24 hours) | Function: Calculate statistics | Email: Send daily report`

`$3`

`Trigger: Webhook (new employee) | SentinelOne: Get Agents (filter: computerName contains "new-laptop") | SentinelOne: Manage Tags (action: add, key: department, value: engineering)`

`$3`

`Trigger: Schedule (Weekly) | SentinelOne: Get Device Rules (filter: interface=USB, action=Allow) | Function: Format audit report | Google Sheets: Append to compliance log`

`$3`

`API Reference`

This node uses the SentinelOne API v2.1. For complete API documentation, visit your SentinelOne console's API documentation at:

`https://your-console.sentinelone.net/api-doc/overview``

Compatibility

- n8n Version: 0.5.0+
- Node.js: 18+
- SentinelOne API: v2.1

Support

- Issues: GitHub Issues
- SentinelOne Docs: Developer Portal

Changelog

$3

- Initial release
- Agent operations (Get Agents, Get Applications, Actions)

License

MIT

---

Made with :purple_heart: for the n8n community