Package Information
Downloads: 46 weekly / 127 monthly
Latest Version: 0.4.0
Author: jmeltz
Available Nodes
Documentation
n8n-nodes-sentinelone
An n8n community node for interacting with the SentinelOne API v2.1. Manage your endpoint security infrastructure directly from your n8n workflows.
Features
Activity Operations (Audit Log)
| Operation | Description |
|---|---|
| Get Activities | Retrieve activity/audit log entries with filtering |
| Get Activity Types | Get list of activity types for filtering |
Agent Operations
| Operation | Description |
|---|---|
| Abort Scan | Abort a running scan on agents |
| Connect to Network | Reconnect isolated agents to the network |
| Decommission | Decommission agents (remove from console) |
| Disable Agent | Disable protection on agents |
| Disconnect from Network | Quarantine/isolate agents from the network |
| Enable Agent | Enable protection on agents |
| Fetch Logs | Request agents to upload diagnostic logs |
| Get Agents | Retrieve agents with comprehensive filtering options |
| Get Applications | Get installed applications for specific agents |
| Get Passphrase | Get the passphrase for specific agents |
| Initiate Scan | Run full disk scans on targeted agents |
| Move to Site | Move agents to a different site |
| Restart Machine | Remotely restart endpoints |
| Shutdown | Remotely shut down endpoints |
| Uninstall Agent | Remove SentinelOne agents from endpoints |
| Update Software | Initiate agent software update |
Device Control Operations
| Operation | Description |
|---|---|
| Create Rule | Create device control rules scoped to sites, groups, accounts, or global |
| Delete Rules | Delete device control rules by ID |
| Get Device Events | Retrieve device control events (blocked/allowed devices) |
| Get Device Rules | Retrieve device control rules with filtering by interface, device class, action, etc. |
| Update Rule | Update existing device control rules |
Exclusion Operations
| Operation | Description |
|---|---|
| Create Exclusion | Create whitelist/exclusion entries (path, hash, certificate, etc.) |
| Delete Exclusions | Delete exclusion entries by ID |
| Get Exclusions | Retrieve exclusions with filtering |
| Update Exclusion | Update existing exclusion entries |
Group Operations
| Operation | Description |
|---|---|
| Get Groups | Retrieve groups with filtering |
| Move Agents | Move agents to a specific group |
Hash Operations
| Operation | Description |
|---|---|
| Get Verdict | Get the reputation/verdict for a SHA1 hash |
Site Operations
| Operation | Description |
|---|---|
| Get Sites | Retrieve sites with filtering |
Tag Operations
| Operation | Description |
|---|---|
| Get Tags | Retrieve endpoint tags |
| Manage Tags | Add, remove, or override tags on agents |
Threat Operations
| Operation | Description |
|---|---|
| Get Threats | Retrieve threats with filtering by status, verdict, OS type, etc. |
| Mitigate Threat | Apply mitigation actions (kill, quarantine, remediate, rollback, un-quarantine, network-quarantine) |
Installation
Community Nodes (Recommended)
- Go to Settings > Community Nodes
- Select Install
- Enter
n8n-nodes-sentinelone - Agree to the risks and click Install
Manual Installation
# In your n8n installation directory
npm install n8n-nodes-sentinelone
Credentials
You'll need to configure your SentinelOne API credentials:
| Field | Description |
|---|---|
| API URL | Your SentinelOne console URL (e.g., https://usea1-partners.sentinelone.net) |
| API Token | Your API token from SentinelOne console |
Getting Your API Token
- Log in to your SentinelOne Management Console
- Navigate to Settings > Users
- Select your user or create a service user
- Click Generate API Token
- Copy the token (it won't be shown again!)
Operations Detail
Agent: Get Agents
Retrieve a list of agents with powerful filtering capabilities.
Filters Available:
- Account/Site/Group IDs
- Computer name (contains)
- External IP (contains)
- OS Types (Windows, macOS, Linux)
- Machine Types (Desktop, Laptop, Server, Kubernetes, etc.)
- Network Status (Connected, Disconnected)
- Scan Status
- Infection status
- Agent version
- And many more...
Agent: Get Applications
Retrieve installed applications for specific agents.
Required: Agent IDs (comma-separated)
Agent: Actions (Scan, Connect, Disconnect, Restart, Shutdown, Uninstall)
Target agents by:
- Agent IDs: Specific agent IDs (comma-separated)
- Filter: Dynamic filter criteria (OS type, site, group, infection status, etc.)
Threat: Get Threats
Retrieve threats with filtering:
- Analyst Verdicts (True Positive, False Positive, Suspicious, Undefined)
- Incident Statuses (In Progress, Resolved, Unresolved)
- Mitigation Statuses (Mitigated, Active, Blocked, Pending, etc.)
- Content Hash, Classification
- Date ranges
Threat: Mitigate Threat
Apply mitigation actions:
- Kill - Terminate the threat process
- Quarantine - Quarantine the threat file
- Remediate - Remediate the threat (macOS/Windows)
- Rollback Remediation - Rollback remediation (Windows only)
- Un-Quarantine - Release from quarantine
- Network Quarantine - Network isolate the affected endpoint
Device Control: Create Rule
Create a new device control rule with:
- Scope: Global (Tenant), Account, Site, or Group level
- Interface: USB, Bluetooth, Thunderbolt, eSATA
- Rule Type: Device Class, Vendor ID, Product ID, Device ID, Bluetooth Version
- Action: Allow, Block, Read-Only
- Status: Enabled or Disabled
Device Control: Get Device Rules
Retrieve device control rules with filtering:
- Interfaces (USB, Bluetooth, Thunderbolt, eSATA)
- Device Classes (Mass Storage, Printer, Portable Device, Communication)
- Actions (Allow, Block, Read-Only)
- Scopes (Account, Global, Group, Site)
- Statuses (Enabled, Disabled)
Device Control: Update Rule
Update an existing device control rule by ID. Modifiable fields:
- Rule Name, Action, Status, Device Class, Vendor ID, Product ID
Device Control: Delete Rules
Delete device control rules by providing rule IDs (comma-separated).
Device Control: Get Device Events
Retrieve device control events with filtering:
- Event Types (Blocked, Allowed, Read-Only)
- Interfaces, Agent IDs, Site/Group IDs
- Date ranges, Computer name, Query search
Tag: Get Tags & Manage Tags
- Get Tags: Retrieve endpoint tags with filtering
- Manage Tags: Add, remove, or override tags
- Supports key-value pairs
- Target by Agent IDs or filter criteria
Example Workflows
Automated Threat Response
Trigger: Webhook from SIEM
|
SentinelOne: Get Threats (filter: unresolved)
|
IF: severity == high
|
SentinelOne: Mitigate Threat (action: quarantine)
|
SentinelOne: Disconnect from Network
|
Slack: Notify Security Team
Daily Security Report
Trigger: Schedule (Daily 8 AM)
|
SentinelOne: Get Agents (filter: isActive=true)
|
SentinelOne: Get Threats (filter: last 24 hours)
|
Function: Calculate statistics
|
Email: Send daily report
Endpoint Tagging Automation
Trigger: Webhook (new employee)
|
SentinelOne: Get Agents (filter: computerName contains "new-laptop")
|
SentinelOne: Manage Tags (action: add, key: department, value: engineering)
Device Control Audit
Trigger: Schedule (Weekly)
|
SentinelOne: Get Device Rules (filter: interface=USB, action=Allow)
|
Function: Format audit report
|
Google Sheets: Append to compliance log
Block USB Storage on New Sites
Trigger: Webhook (new site created)
|
SentinelOne: Create Rule (scope: site, interface: USB, deviceClass: Mass Storage, action: Block)
|
SentinelOne: Get Device Events (filter: siteId, eventType: blocked)
|
Slack: Notify IT team of new policy
API Reference
This node uses the SentinelOne API v2.1. For complete API documentation, visit your SentinelOne console's API documentation at:
https://your-console.sentinelone.net/api-doc/overview
Compatibility
- n8n Version: 0.5.0+
- Node.js: 18+
- SentinelOne API: v2.1
Support
- Issues: GitHub Issues
- SentinelOne Docs: Developer Portal
Changelog
v0.4.0
- Added new resources:
- Activity: Get audit log entries and activity types
- Exclusion: Full CRUD for whitelist/exclusion management
- Group: Get groups and move agents between groups
- Hash: Get reputation verdict for SHA1 hashes
- Site: Get sites with filtering
- Expanded Agent operations:
- Abort Scan, Decommission, Disable Agent, Enable Agent
- Fetch Logs, Get Passphrase, Move to Site, Update Software
- Now supports 9 resources with 30+ operations
v0.3.0
- Expanded Device Control operations:
- Create Rule (with site/group/account/global scoping)
- Update Rule
- Delete Rules
- Get Device Events
- Enhanced rule creation with support for device class, vendor ID, product ID, and Bluetooth version matching
v0.2.0
- Added Threat operations (Get Threats, Mitigate Threat)
- Added Device Control operations (Get Device Rules)
- Added Tag operations (Get Tags, Manage Tags)
- Enhanced filtering options for all operations
v0.1.0
- Initial release
- Agent operations (Get Agents, Get Applications, Actions)
License
Made with :purple_heart: for the n8n community