USM Anywhere™

AlienApp for SentinelOne Orchestration

The AlienApp for SentinelOne provides a set of orchestration actions that you can use to identify vulnerabilities and manage assets in your USM Anywhere environment. The following table lists the available actions from the AlienApp.

Important: Most AlienApp for SentinelOne actions can only be applied to associated events generated from the SentinelOne AlienApp scheduler or events that contain a SentinelOne threat identifier (ID). Events not associated with SentinelOne will not trigger most actions from USM Anywhere.

Events that do not contain a SentinelOne threat ID can be used to create a blacklist entry, which lets you add any process or file to your blacklist, not just ones that SentinelOne detects as suspicious.

Actions for the AlienApp for SentinelOne
| Action | Function |
| --- | --- |
| Initiate Scan | Initiate a full disk scan on the endpoint asset. |
| Mitigate Threats | Gives the option to kill, remediate, rollback, quarantine, or un-quarantine a threat based on the analyst verdict of the threat. |
| Add to Blacklist | Add a threat to the blacklist. Scope of restrictions can be defined by account, group, or site. |
| Add to Exclusion List | Add threat to exclusion list. Scope of restrictions can be defined by account, group, or site. Exclusion is defined by type (certificate, path, or hash). |
| Disconnect Asset from Network | Disconnect the asset from the network. |
| Disable Agent | Disables an asset, and disables detection, device control (Microsoft Windows only), firewall, SentinelOne Ranger scanning (Windows only), and anti-tampering (Windows only) on that asset. |
| Enable Agent | Enables an agent that has been previously disabled. |
| Reconnect Asset to Network | Reconnect the asset to the network. |
| Restart Machine | Restart the machine connected to the asset. |

To view information about these actions in USM Anywhere

  1. In USM Anywhere, go to Data Sources > AlienApps.
  2. Click the Available Apps tab.
  3. Search for the AlienApp, and then click the tile.
  4. Click the Actions tab to display information for the supported actions.
  5. Click the History tab to display information about the executed orchestration actions.