Endpoint URL: https://{your sentinelone console domain}/web/api/v2.1/threat-intelligence/iocs
Headers Required: Authorization, Content-Type
Official Documentation: https://{your sentinelone console domain}/new-api-docs
Limitations of the SentinelOne AI SIEM Threat Intelligence API:
- It can take up to 25 minutes for a new IoC to become active.
- The database can hold up to 1 million IoC entries per scope and an error shows after the limit is reached.
- The DELETE command does not filter by method, pattern, or patternType.
These values under data are required fields: "source", "type", "value", and "method".
"Type" and "method" must be in upper case.
The "validUntil" field is mandatory and must contain a date, for example 2021-03-20 09:14:47.779000; "validUntil" determines when the IOC expires.
If the expiration date ("validUntil") is left blank, it defaults to the upload date plus a default offset value:
- 14 days for IPs
- 90 days for URLs and domains
- 180 days for file hashes (SHA1, SHA256, and MD5)
The maximum offset values allowed are:
- 30 days for IPs
- 180 days for URLs and Domains
- 180 days for hashes (SHA1, SHA256, and MD5)
IOC types it can handle are (uppercase) SHA1, SHA256, MD5, IPV4, IPV6, DNS, URL
The upload date is when the API gets a request to create an IOC.
If the expiration date is later than the upload date plus the maximum offset value allowed, it will be adjusted to the upload date plus the maximum offset value allowed.
Sample Add IOC POST Body:
{
  "filter": {
    "accountIds": [ "2229446855581298932" ]
  },
  "data": [
    {
      "value": "189.190.204.99",
      "type": "IPV4",
      "method": "EQUALS",
      "source": "CTI Server",
      "name": "Malicious ioc",
      "severity": 4
    }
  ]
}
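The following is an added example (not SentinelOne's own code) that builds a request body for the endpoint above according to the rules listed: it upper-cases "type" and "method", rejects unsupported types, and computes "validUntil" from the default and maximum offsets, clamping an over-long expiry the way the API says it will. It assumes IPV6 shares the IP offsets, DNS counts as a domain, and that the Authorization header carries the token as "ApiToken <token>"; console domain, account id and token are placeholders.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

IOC_TYPES = {"SHA1", "SHA256", "MD5", "IPV4", "IPV6", "DNS", "URL"}
# Default and maximum validity offsets (days) per IoC type, as stated on the page.
DEFAULT_OFFSET = {"IPV4": 14, "IPV6": 14, "DNS": 90, "URL": 90,
                  "SHA1": 180, "SHA256": 180, "MD5": 180}
MAX_OFFSET = {"IPV4": 30, "IPV6": 30, "DNS": 180, "URL": 180,
              "SHA1": 180, "SHA256": 180, "MD5": 180}
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"  # matches 2021-03-20 09:14:47.779000

def build_ioc(value, ioc_type, source, method="EQUALS",
              valid_until=None, upload_time=None, **extra):
    """Return one entry for the "data" array with a computed, clamped validUntil.

    upload_time is when the API would receive the request (defaults to now, UTC);
    pass it explicitly for deterministic results. valid_until is a datetime or None.
    """
    ioc_type, method = ioc_type.upper(), method.upper()  # both must be upper case
    if ioc_type not in IOC_TYPES:
        raise ValueError(f"unsupported IoC type: {ioc_type}")
    upload_time = upload_time or datetime.now(timezone.utc).replace(tzinfo=None)
    latest = upload_time + timedelta(days=MAX_OFFSET[ioc_type])
    if valid_until is None:
        valid_until = upload_time + timedelta(days=DEFAULT_OFFSET[ioc_type])
    elif valid_until > latest:
        valid_until = latest  # the API would clamp it anyway; do so explicitly
    entry = {"value": value, "type": ioc_type, "method": method, "source": source,
             "validUntil": valid_until.strftime(TS_FMT)}
    entry.update(extra)  # optional fields such as name and severity
    return entry

def build_request_body(account_id, iocs):
    """Wrap IoC entries in the filter/data envelope shown in the sample body."""
    return {"filter": {"accountIds": [account_id]}, "data": list(iocs)}

def upload_iocs(console_domain, api_token, body):
    """POST the body to the IoC endpoint (stdlib only). Header value format is assumed."""
    url = f"https://{console_domain}/web/api/v2.1/threat-intelligence/iocs"
    headers = {"Authorization": f"ApiToken {api_token}",  # assumed token scheme
               "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

Because a newly created IOC can take tens of minutes to become active, check the returned response and the console before assuming matching has started.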
Current limitations:
- IOC activation: In some cases, it may take up to 30 minutes for a newly created IOC to become active and ready for matching.
- Event processing: In some cases, matching an OCSF XDR event against IOCs may take up to 30 minutes after the event is ingested.
- Matched fields: Threat Intelligence currently matches IOCs automatically against the OCSF fields listed below.
Datasource fields SentinelOne compares against Threat IOCs submitted via API:
file_result.hashes.value
load_balancer.dst_endpoint.container.hash.value
logon_process.parent_process.file.hashes.value
proxy.proxy_endpoint.container.hash.value
evidences.process.parent_process.file.signature.certificate.fingerprints.value
proxy.intermediate_ips
logon_process.parent_process.file.signature.digest.value
load_balancer.endpoint_connections.network_endpoint.proxy_endpoint.proxy_endpoint.ip
logon_process.file.signature.certificate.fingerprints.value
certificate.fingerprints.value
evidences.file.signature.certificate.fingerprints.value
evidences.actor.process.parent_process.container.hash.value
src_endpoint.proxy_endpoint.proxy_endpoint.hostname
load_balancer.endpoint_connections.network_endpoint.proxy_endpoint.proxy_endpoint.container.hash.value
email.x_originating_ip
process.file.signature.digest.value
proxy_tls.certificate.fingerprints.value
src_endpoint.proxy_endpoint.container.hash.value
evidences.process.container.hash.value
file_result.signature.digest.value
evidences.src_endpoint.proxy_endpoint.proxy_endpoint.intermediate_ips
load_balancer.endpoint_connections.network_endpoint.proxy_endpoint.hostname
databucket.file.hashes.value
file.hashes.value
actor.process.parent_process.file.signature.digest.value
logon_process.file.hashes.value
proxy_endpoint.proxy_endpoint.container.hash.value
evidences.actor.process.file.hashes.value
dst_endpoint.proxy_endpoint.proxy_endpoint.intermediate_ips
device.ip
evidences.src_endpoint.intermediate_ips
proxy_endpoint.proxy_endpoint.ip
process.parent_process.file.signature.certificate.fingerprints.value
relay.ip
src_endpoint.ip
evidences.src_endpoint.proxy_endpoint.proxy_endpoint.container.hash.value
driver.file.hashes.value
src_endpoint.hostname
job.file.signature.digest.value
proxy_http_request.url.url_string
load_balancer.dst_endpoint.proxy_endpoint.proxy_endpoint.intermediate_ips
actor.process.parent_process.file.hashes.value
evidences.process.file.signature.digest.value
evidences.src_endpoint.proxy_endpoint.ip
load_balancer.endpoint_connections.network_endpoint.proxy_endpoint.container.hash.value
load_balancer.endpoint_connections.network_endpoint.proxy_endpoint.intermediate_ips
proxy_endpoint.container.hash.value
proxy.ip
logon_process.container.hash.value
evidences.src_endpoint.proxy_endpoint.proxy_endpoint.hostname
web_resources_result.url_string
load_balancer.endpoint_connections.network_endpoint.intermediate_ips
api.response.containers.hash.value
proxy.proxy_endpoint.intermediate_ips
tls.ja3_hash.value
process.parent_process.file.hashes.value
load_balancer.dst_endpoint.proxy_endpoint.proxy_endpoint.ip
proxy.hostname
web_resources.url_string
evidences.actor.process.container.hash.value
module.file.signature.digest.value
evidences.dst_endpoint.proxy_endpoint.intermediate_ips
evidences.src_endpoint.ip
evidences.src_endpoint.hostname
load_balancer.dst_endpoint.hostname
dst_endpoint.proxy_endpoint.hostname
module.file.signature.certificate.fingerprints.value
src_url
proxy_endpoint.proxy_endpoint.hostname
src_endpoint.proxy_endpoint.ip
server_hassh.fingerprint.value
file.signature.certificate.fingerprints.value
evidences.actor.process.parent_process.file.signature.certificate.fingerprints.value
logon_process.file.signature.digest.value
load_balancer.dst_endpoint.proxy_endpoint.ip
actor.process.file.signature.certificate.fingerprints.value
evidences.process.parent_process.container.hash.value
proxy_endpoint.intermediate_ips
src_endpoint.proxy_endpoint.proxy_endpoint.intermediate_ips
process.file.signature.certificate.fingerprints.value
proxy_tls.ja3s_hash.value
load_balancer.endpoint_connections.network_endpoint.container.hash.value
src_endpoint.container.hash.value
proxy_endpoint.proxy_endpoint.intermediate_ips
load_balancer.endpoint_connections.network_endpoint.proxy_endpoint.proxy_endpoint.intermediate_ips
evidences.process.parent_process.file.hashes.value
dst_endpoint.proxy_endpoint.proxy_endpoint.container.hash.value
evidences.src_endpoint.proxy_endpoint.proxy_endpoint.ip
evidences.dst_endpoint.proxy_endpoint.ip
device.hostname
load_balancer.dst_endpoint.intermediate_ips
process.parent_process.file.signature.digest.value
load_balancer.endpoint_connections.network_endpoint.hostname
evidences.file.signature.digest.value
load_balancer.endpoint_connections.network_endpoint.proxy_endpoint.ip
tls.certificate.fingerprints.value
evidences.dst_endpoint.intermediate_ips
logon_process.parent_process.file.signature.certificate.fingerprints.value
evidences.process.file.signature.certificate.fingerprints.value
src_endpoint.proxy_endpoint.intermediate_ips
load_balancer.dst_endpoint.proxy_endpoint.proxy_endpoint.hostname
evidences.src_endpoint.proxy_endpoint.hostname
response.containers.hash.value
dst_endpoint.proxy_endpoint.container.hash.value
app.url_string
client_hassh.fingerprint.value
load_balancer.dst_endpoint.ip
kb_article_list.product.url_string
http_request.url.hostname
src_endpoint.proxy_endpoint.proxy_endpoint.container.hash.value
proxy_http_request.x_forwarded_for
proxy_http_request.url.hostname
file.signature.digest.value
dst_endpoint.proxy_endpoint.ip
evidences.dst_endpoint.container.hash.value
evidences.file.hashes.value
dst_endpoint.ip
device.network_interfaces.ip
evidences.actor.process.file.signature.digest.value
proxy.container.hash.value
evidences.api.response.containers.hash.value
evidences.src_endpoint.container.hash.value
relay.hostname
logon_process.parent_process.container.hash.value
load_balancer.endpoint_connections.network_endpoint.proxy_endpoint.proxy_endpoint.hostname
evidences.src_endpoint.proxy_endpoint.intermediate_ips
dst_endpoint.intermediate_ips
request.containers.hash.value
proxy.proxy_endpoint.hostname
url.url_string
evidences.dst_endpoint.proxy_endpoint.proxy_endpoint.ip
load_balancer.dst_endpoint.proxy_endpoint.intermediate_ips
src_endpoint.intermediate_ips
evidences.actor.process.file.signature.certificate.fingerprints.value
actor.process.file.hashes.value
evidences.dst_endpoint.proxy_endpoint.proxy_endpoint.hostname
job.file.hashes.value
evidences.dst_endpoint.proxy_endpoint.container.hash.value
evidences.dst_endpoint.ip
src_endpoint.proxy_endpoint.proxy_endpoint.ip
proxy.proxy_endpoint.ip
driver.file.signature.certificate.fingerprints.value
actor.process.parent_process.container.hash.value
evidences.process.file.hashes.value
evidences.query.hostname
databucket.file.signature.digest.value
device.container.hash.value
evidences.dst_endpoint.proxy_endpoint.proxy_endpoint.container.hash.value
query.hostname
evidences.dst_endpoint.hostname
device.network_interfaces.hostname
module.file.hashes.value
actor.process.parent_process.file.signature.certificate.fingerprints.value
http_request.x_forwarded_for
proxy_tls.ja3_hash.value
process.container.hash.value
dst_endpoint.proxy_endpoint.proxy_endpoint.hostname
process.file.hashes.value
dst_endpoint.proxy_endpoint.intermediate_ips
evidences.actor.process.parent_process.file.hashes.value
evidences.actor.process.parent_process.file.signature.digest.value
actor.process.container.hash.value
load_balancer.dst_endpoint.proxy_endpoint.hostname
load_balancer.dst_endpoint.proxy_endpoint.proxy_endpoint.container.hash.value
process.parent_process.container.hash.value
url.hostname
load_balancer.endpoint_connections.network_endpoint.ip
databucket.file.signature.certificate.fingerprints.value
evidences.process.parent_process.file.signature.digest.value
evidences.dst_endpoint.proxy_endpoint.proxy_endpoint.intermediate_ips
dst_endpoint.hostname
proxy_endpoint.ip
tls.ja3s_hash.value
dst_endpoint.container.hash.value
evidences.src_endpoint.proxy_endpoint.container.hash.value
src_endpoint.proxy_endpoint.hostname
file_result.signature.certificate.fingerprints.value
evidences.dst_endpoint.proxy_endpoint.hostname
job.file.signature.certificate.fingerprints.value
proxy_endpoint.hostname
api.request.containers.hash.value
driver.file.signature.digest.value
http_request.url.url_string
actor.process.file.signature.digest.value
load_balancer.dst_endpoint.proxy_endpoint.container.hash.value
dst_endpoint.proxy_endpoint.proxy_endpoint.ip
evidences.api.request.containers.hash.value