AvantGuard - SentinelOne

Overview

This node operation posts an analyst verdict on cloud detection alerts via a web API. It sends detailed analyst feedback on specific alerts, helping security teams update the status or classification of alerts based on investigation results. Typical use cases include automating the submission of verdicts such as 'true positive' or 'false positive' for alerts detected in cloud environments, so that analyst conclusions flow back into the alert management workflow.

Properties

  • Data - The JSON payload containing the analyst verdict details to be posted. This includes fields such as 'analystVerdict', which indicates the analyst's conclusion about the alert.
  • Filter - A JSON object specifying the criteria that select which alerts the analyst verdict applies to. It can include fields such as process hashes, agent versions, severity, incident status and timestamps to target alerts precisely.

Output

JSON

  • response - The JSON response from the API after posting the analyst verdict, typically containing confirmation or details about the updated alert.

Dependencies

  • Requires an API key credential for authentication with the AvantGuard SentinelOne API.
  • Depends on the '@avantguardllc/n8n-openapi-node' package for API interaction.
  • Needs the base URL of the SentinelOne API configured in credentials.

Troubleshooting

  • Ensure the 'Data' and 'Filter' JSON inputs are correctly formatted and valid JSON; parsing errors will cause the node to fail.
  • Authentication errors may occur if the API key credential is missing or invalid; verify credentials are correctly set.
  • If the API endpoint is unreachable, check network connectivity and the configured base URL.
  • Incorrect filter criteria may result in no alerts being matched; review filter fields and values carefully.
  • API rate limits or permission issues can cause errors; consult API documentation and adjust usage or permissions accordingly.
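The following is an added example, not code from the AvantGuard n8n node or the SentinelOne API. It shows the input checks a workflow author would want in front of this operation: both inputs must parse as JSON, 'Data' must carry a recognised 'analystVerdict', and 'Filter' must actually narrow the alert set, since an empty filter would apply the verdict to every alert the API matches. The verdict spellings, the sample filter field names and the error wording are assumptions.

```javascript
// Added example; mirrors the node's two inputs ('Data' and 'Filter') but is
// not the node's own code. Verdict spellings below are assumptions.
const ALLOWED_VERDICTS = new Set(["true_positive", "false_positive"]);

// Parse a node input that may arrive either as a JSON string or as an
// already-parsed object; report which input failed (the Troubleshooting
// "parsing errors" case) instead of failing inside the HTTP call.
function parseJsonInput(name, value) {
  if (value !== null && typeof value === "object") return value;
  if (typeof value !== "string") throw new Error(`${name}: expected a JSON string or object`);
  try {
    return JSON.parse(value);
  } catch (e) {
    throw new Error(`${name}: invalid JSON (${e.message})`);
  }
}

// True only when the filter carries at least one key with a non-empty value.
// An empty filter object, or one whose values are all empty, does not narrow
// the selection and would reclassify every matched alert at once.
function filterIsNarrowing(filter) {
  if (!filter || typeof filter !== "object" || Array.isArray(filter)) return false;
  return Object.entries(filter).some(([, v]) =>
    Array.isArray(v) ? v.length > 0 : v !== null && v !== undefined && v !== "");
}

// Build the {data, filter} pair the node would post, or throw a message that
// names the offending input.
function buildVerdictRequest(dataInput, filterInput) {
  const data = parseJsonInput("Data", dataInput);
  const filter = parseJsonInput("Filter", filterInput);
  if (!ALLOWED_VERDICTS.has(data.analystVerdict)) {
    throw new Error(`Data: analystVerdict must be one of ${[...ALLOWED_VERDICTS].join(", ")}`);
  }
  if (!filterIsNarrowing(filter)) {
    throw new Error("Filter: refusing to post a verdict with an empty filter (would match all alerts)");
  }
  return { data, filter };
}

// Constructed sample inputs, shaped like values an n8n workflow might pass.
// 'severity' and 'incidentStatus' are assumed filter field names.
const sampleData = '{"analystVerdict": "false_positive"}';
const sampleFilter = { severity: ["Low"], incidentStatus: ["unresolved"] };

console.log(JSON.stringify(buildVerdictRequest(sampleData, sampleFilter)));
```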