BlueApp for SentinelOne Actions

The BlueApp for SentinelOne provides a set of orchestration actions that you can use to identify threats and manage assets in your USM Anywhere environment. The following table lists the available actions from the BlueApp.

Important: Most BlueApp for SentinelOne actions can only be applied to events generated by the SentinelOne BlueApp scheduler or to events that contain a SentinelOne threat identifier (ID). Events that are not associated with SentinelOne will not trigger most of these actions from USM Anywhere.

Events that do not contain a SentinelOne threat ID can still be used to create a denylist entry, which lets you add any process or file to your denylist, not only the ones that SentinelOne detects as suspicious.

Actions for the BlueApp for SentinelOne

| Action | Description |
|---|---|
| Initiate Scan | Run this action to initiate a full disk scan on the endpoint asset. |
| Mitigate Threats | Run this action to kill, remediate, roll back, quarantine, or un-quarantine a threat, based on the analyst's verdict on the threat. |
| Add to Denylist | Run this action to add a threat to the denylist. The scope of the restriction can be defined by account, group, or site. |
| Add to Exclusion List | Run this action to add a threat to the exclusion list. The scope of the restriction can be defined by account, group, or site, and the exclusion is defined by type (certificate, path, or hash). |
| Disconnect Asset from Network | Run this action to disconnect the asset from the network. |
| Disable Agent | Run this action to disable the agent on an asset; this also disables detection, device control (Microsoft Windows only), firewall, SentinelOne Ranger scanning (Windows only), and anti-tampering (Windows only) on that asset. |
| Enable Agent | Run this action to enable an agent that was previously disabled. |
| Reconnect Asset to Network | Run this action to reconnect the asset to the network. |
| Restart Machine | Run this action to restart the machine associated with the asset. |
| Activity Logs | Run this action to collect the activity logs recorded in SentinelOne. |
| Add Note to Threats from Rule | Run this action to add a note to threats from a rule. |
| New Report Task | Run this action to add a new report task. |

To view information about these actions in USM Anywhere

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click the Actions tab to display information for the supported actions.
  5. Click the History tab to display information about the executed orchestration actions.

Launch Actions from Alarms

You can launch an action directly from an alarm or an event. If you want to apply the same action to similar events that occur in the future, you can also create an orchestration rule directly from the action you applied to the alarm or event.

To launch a SentinelOne response action for an alarm or event

  1. Go to Activity > Alarms or Activity > Events.
  2. Click the alarm or event to open its details.
  3. Click Select Action.
  4. In the Select Action dialog box, select Run SentinelOne Action.
  5. Select the app action and fill in the fields that appear below it.
  6. Click Run.

    After USM Anywhere initiates the action for the alarm or event, it displays a confirmation dialog box.

    If you want to create a rule that applies the action to similar items in the future, click Create rule for similar alarms or Create rule for similar events and define the new rule. Otherwise, click OK.

Threat Hunting Library

The Threat Hunting Library is a tool that lets you run predefined queries through the BlueApp for SentinelOne. The library contains a list of queries you can select from and a list of endpoints you can expand to see more information related to those queries. The Threat Hunting Library is only accessible to users who receive events from a configured BlueApp for SentinelOne.

To access the Threat Hunting Library, go to Data Sources > Threat Hunting Library.

Note: The ability to run queries with the BlueApp for SentinelOne is only available to customers with the SentinelOne Singularity Control license or the SentinelOne Singularity Complete license, or to customers who have AT&T Managed Endpoint Security with SentinelOne.