Description
n8n-nodes-sentinelone
!SentinelOne
!n8n
!TypeScript
!License
An n8n community node for interacting with the SentinelOne API v2.1. Manage your endpoint security infrastructure directly from your n8n workflows.
Features
Activity Operations (Audit Log)
| Operation | Description |
|———–|————-|
| Get Activities | Retrieve activity/audit log entries with filtering |
| Get Activity Types | Get list of activity types for filtering |
Agent Operations
| Operation | Description |
|———–|————-|
| Abort Scan | Abort a running scan on agents |
| Connect to Network | Reconnect isolated agents to the network |
| Decommission | Decommission agents (remove from console) |
| Disable Agent | Disable protection on agents |
| Disconnect from Network | Quarantine/isolate agents from the network |
| Enable Agent | Enable protection on agents |
| Fetch Logs | Request agents to upload diagnostic logs |
| Get Agents | Retrieve agents with comprehensive filtering options |
| Get Applications | Get installed applications for specific agents |
| Get Passphrase | Get the passphrase for specific agents |
| Initiate Scan | Run full disk scans on targeted agents |
| Move to Site | Move agents to a different site |
| Restart Machine | Remotely restart endpoints |
| Shutdown | Remotely shut down endpoints |
| Uninstall Agent | Remove SentinelOne agents from endpoints |
| Update Software | Initiate agent software update |
Device Control Operations
| Operation | Description |
|———–|————-|
| Create Rule | Create device control rules scoped to sites, groups, accounts, or global |
| Delete Rules | Delete device control rules by ID |
| Get Device Events | Retrieve device control events (blocked/allowed devices) |
| Get Device Rules | Retrieve device control rules with filtering by interface, device class, action, etc. |
| Update Rule | Update existing device control rules |
Exclusion Operations
| Operation | Description |
|———–|————-|
| Create Exclusion | Create whitelist/exclusion entries (path, hash, certificate, etc.) |
| Delete Exclusions | Delete exclusion entries by ID |
| Get Exclusions | Retrieve exclusions with filtering |
| Update Exclusion | Update existing exclusion entries |
Group Operations
| Operation | Description |
|———–|————-|
| Get Groups | Retrieve groups with filtering |
| Move Agents | Move agents to a specific group |
Hash Operations
| Operation | Description |
|———–|————-|
| Get Verdict | Get the reputation/verdict for a SHA1 hash |
Site Operations
| Operation | Description |
|———–|————-|
| Get Sites | Retrieve sites with filtering |
Tag Operations
| Operation | Description |
|———–|————-|
| Get Tags | Retrieve endpoint tags |
| Manage Tags | Add, remove, or override tags on agents |
Threat Operations
| Operation | Description |
|———–|————-|
| Get Threats | Retrieve threats with filtering by status, verdict, OS type, etc. |
| Mitigate Threat | Apply mitigation actions (kill, quarantine, remediate, rollback, un-quarantine, network-quarantine) |
Installation
Community Nodes (Recommended)
1. Go to Settings > Community Nodes
2. Select Install
3. Enter n8n-nodes-sentinelone
4. Agree to the risks and click Install
Manual Installation
In your n8n installation directory
npm install n8n-nodes-sentinelone
Credentials
You’ll need to configure your SentinelOne API credentials:
| Field | Description |
|——-|————-|
| API URL | Your SentinelOne console URL (e.g., https://usea1-partners.sentinelone.net) |
| API Token | Your API token from SentinelOne console |
Getting Your API Token
1. Log in to your SentinelOne Management Console
2. Navigate to Settings > Users
3. Select your user or create a service user
4. Click Generate API Token
5. Copy the token (it won’t be shown again!)
Operations Detail
Agent: Get Agents
Retrieve a list of agents with powerful filtering capabilities.
Filters Available:
- Account/Site/Group IDs
- Computer name (contains)
- External IP (contains)
- OS Types (Windows, macOS, Linux)
- Machine Types (Desktop, Laptop, Server, Kubernetes, etc.)
- Network Status (Connected, Disconnected)
- Scan Status
- Infection status
- Agent version
- And many more…
- Agent IDs: Specific agent IDs (comma-separated)
- Filter: Dynamic filter criteria (OS type, site, group, infection status, etc.)
- Analyst Verdicts (True Positive, False Positive, Suspicious, Undefined)
- Incident Statuses (In Progress, Resolved, Unresolved)
- Mitigation Statuses (Mitigated, Active, Blocked, Pending, etc.)
- Content Hash, Classification
- Date ranges
- Kill – Terminate the threat process
- Quarantine – Quarantine the threat file
- Remediate – Remediate the threat (macOS/Windows)
- Rollback Remediation – Rollback remediation (Windows only)
- Un-Quarantine – Release from quarantine
- Network Quarantine – Network isolate the affected endpoint
- Scope: Global (Tenant), Account, Site, or Group level
- Interface: USB, Bluetooth, Thunderbolt, eSATA
- Rule Type: Device Class, Vendor ID, Product ID, Device ID, Bluetooth Version
- Action: Allow, Block, Read-Only
- Status: Enabled or Disabled
- Interfaces (USB, Bluetooth, Thunderbolt, eSATA)
- Device Classes (Mass Storage, Printer, Portable Device, Communication)
- Actions (Allow, Block, Read-Only)
- Scopes (Account, Global, Group, Site)
- Statuses (Enabled, Disabled)
- Rule Name, Action, Status, Device Class, Vendor ID, Product ID
- Event Types (Blocked, Allowed, Read-Only)
- Interfaces, Agent IDs, Site/Group IDs
- Date ranges, Computer name, Query search
- Get Tags: Retrieve endpoint tags with filtering
- Manage Tags: Add, remove, or override tags
Agent: Get Applications
Retrieve installed applications for specific agents.
Required: Agent IDs (comma-separated)
Agent: Actions (Scan, Connect, Disconnect, Restart, Shutdown, Uninstall)
Target agents by:
Threat: Get Threats
Retrieve threats with filtering:
Threat: Mitigate Threat
Apply mitigation actions:
Device Control: Create Rule
Create a new device control rule with:
Device Control: Get Device Rules
Retrieve device control rules with filtering:
Device Control: Update Rule
Update an existing device control rule by ID. Modifiable fields:
Device Control: Delete Rules
Delete device control rules by providing rule IDs (comma-separated).
Device Control: Get Device Events
Retrieve device control events with filtering:
Tag: Get Tags & Manage Tags
– Supports key-value pairs
– Target by Agent IDs or filter criteria
Example Workflows
Automated Threat Response
Trigger: Webhook from SIEM
|
SentinelOne: Get Threats (filter: unresolved)
|
IF: severity == high
|
SentinelOne: Mitigate Threat (action: quarantine)
|
SentinelOne: Disconnect from Network
|
Slack: Notify Security Team
Daily Security Report
Trigger: Schedule (Daily 8 AM)
|
SentinelOne: Get Agents (filter: isActive=true)
|
SentinelOne: Get Threats (filter: last 24 hours)
|
Function: Calculate statistics
|
Email: Send daily report
Endpoint Tagging Automation
Trigger: Webhook (new employee)
|
SentinelOne: Get Agents (filter: computerName contains "new-laptop")
|
SentinelOne: Manage Tags (action: add, key: department, value: engineering)
Device Control Audit
Trigger: Schedule (Weekly)
|
SentinelOne: Get Device Rules (filter: interface=USB, action=Allow)
|
Function: Format audit report
|
Google Sheets: Append to compliance log
Block USB Storage on New Sites
Trigger: Webhook (new site created)
|
SentinelOne: Create Rule (scope: site, interface: USB, deviceClass: Mass Storage, action: Block)
|
SentinelOne: Get Device Events (filter: siteId, eventType: blocked)
|
Slack: Notify IT team of new policy
API Reference
This node uses the SentinelOne API v2.1. For complete API documentation, visit your SentinelOne console’s API documentation at:
https://your-console.sentinelone.net/api-doc/overview
Compatibility
Support
Changelog
v0.4.0
– Activity: Get audit log entries and activity types
– Exclusion: Full CRUD for whitelist/exclusion management
– Group: Get groups and move agents between groups
– Hash: Get reputation verdict for SHA1 hashes
– Site: Get sites with filtering
– Abort Scan, Decommission, Disable Agent, Enable Agent
– Fetch Logs, Get Passphrase, Move to Site, Update Software
v0.3.0
– Create Rule (with site/group/account/global scoping)
– Update Rule
– Delete Rules
– Get Device Events
v0.2.0
v0.1.0
License
—
Made with :purple_heart: for the n8n community