Reports
Overview
Get the reports that match the filter and the data of the reports. Other data in the response: schedule, Insight Type, name and ID of the user who created the report, the date range, and more.
The response contains an array of activities under the data field.
SentinelOne uses cursor-based pagination for the /reports endpoint. Cursor-based pagination relies on a pointer (cursor) that refers to the next set of results. Each API response contains a nextCursor field. You pass that cursor value in your next request using the cursor query parameter to get the next page. For that reason, we define the pagination type as cursor, and we define an initialRequest and a nextRequest under the collection phase.
Configuration
Parameters
Domain (sentinelOneDomain)
Secrets


After entering the required parameters and secrets, you can choose to manually enter the Sentinel One Web API Reports fields, or simply paste the desired YAML.
Configure as YAML
withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 0
  tz: UTC
  format: RFC3339
withAuthentication: false
withEnumerationPhase: false
collectionPhase:
  paginationType: "cursor"
  cursor: ".pagination.nextCursor"
  limit: 100
  initialRequest:
    method: GET
    url: "https://${parameters.sentinelOneDomain}/web/api/v2.1/reports"
    headers:
      - name: Accept
        value: application/json
      - name: Authorization
        value: "ApiToken ${secrets.sentinelOneApiToken}"
    queryParams:
      - name: createdAt__gte
        value: "${temporalWindow.from}"
      - name: createdAt__lte
        value: "${temporalWindow.to}"
  nextRequest:
    method: GET
    url: "https://${parameters.sentinelOneDomain}/web/api/v2.1/reports"
    headers:
      - name: Accept
        value: application/json
      - name: Authorization
        value: "ApiToken ${secrets.sentinelOneApiToken}"
  output:
    select: ".data"
    map: "."
    outputMode: element
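The request sequence this configuration describes, written out as an added Python example (not code from this page or from the product): an initial request with the time-window filters, then follow-up requests that carry only the cursor, until nextCursor is empty. The fetch parameter, max_pages, the repeated-cursor guard, the example.invalid domain and the sample pages are assumptions constructed for the demonstration.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request, urlopen

def http_get(url, headers):
    """Real transport (performs a network call; the demo below does not use it)."""
    with urlopen(Request(url, headers=headers), timeout=30) as resp:
        return json.load(resp)

def collect_reports(domain, api_token, window_from, window_to,
                    fetch=http_get, max_pages=1000):
    """Follow .pagination.nextCursor until the API stops returning one."""
    base = f"https://{domain}/web/api/v2.1/reports"
    # The token travels only in the Authorization header, never in the URL.
    headers = {"Accept": "application/json",
               "Authorization": f"ApiToken {api_token}"}
    # initialRequest: temporal-window filters, no cursor yet.
    params = {"createdAt__gte": window_from, "createdAt__lte": window_to}
    seen, reports = set(), []
    for _ in range(max_pages):
        page = fetch(f"{base}?{urlencode(params)}", headers)
        reports.extend(page.get("data") or [])   # output select: .data
        cursor = (page.get("pagination") or {}).get("nextCursor")
        if not cursor:
            return reports                       # no cursor: last page
        if cursor in seen:                       # guard against an endless loop
            raise RuntimeError("repeated cursor returned by the API")
        seen.add(cursor)
        # nextRequest: same endpoint and headers, cursor as query parameter.
        params = {"cursor": cursor}
    raise RuntimeError("max_pages reached before pagination ended")

# Constructed sample pages standing in for API responses (not real data).
SAMPLE_PAGES = {
    None: {"data": [{"id": "r1"}, {"id": "r2"}], "pagination": {"nextCursor": "c1"}},
    "c1": {"data": [{"id": "r3"}], "pagination": {"nextCursor": "c2"}},
    "c2": {"data": [{"id": "r4"}], "pagination": {"nextCursor": None}},
}

def fake_fetch(url, headers):
    """Offline stand-in for http_get: selects a page by the cursor in the URL."""
    query = parse_qs(urlsplit(url).query)
    return SAMPLE_PAGES[query.get("cursor", [None])[0]]

if __name__ == "__main__":
    for report in collect_reports("example.invalid", "PLACEHOLDER_TOKEN",
                                  "2024-01-01T00:00:00Z", "2024-01-01T00:05:00Z",
                                  fetch=fake_fetch):
        print(report["id"])
```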
Manually Configure
Temporal Window
Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.
Duration - 5 minutes (5m) as default, adjust based on your needs.
Offset - initial offset should be 0 (the latest activity).
Format - RFC3339
Authentication Phase
OFF
Enumeration Phase
OFF
Collection Phase
Pagination Type* - cursor
Cursor Selector* - the cursor is read from the response we get from the API, at .pagination.nextCursor.
Initial Request
Method* - GET
URL* - https://${parameters.sentinelOneDomain}/web/api/v2.1/reports
The parameters variable will be replaced by the domain entered earlier.
Headers
Name - Accept
Value - application/json
Name - Authorization
Value - ApiToken ${secrets.sentinelOneApiToken}
where the dynamic variable is replaced with the value in the Secrets field entered above.
Query Params - defines query string parameters that are appended to the URL when making the HTTP request. These parameters are commonly used to filter, paginate, or otherwise control the behavior of the API response.
Name - createdAt__gte
createdAt refers to the timestamp field in the API's data. __gte is a common query operator meaning "greater than or equal to".
Value - ${temporalWindow.from}
This is a dynamically injected value representing the start time of the temporal window.
Name - createdAt__lte (less than or equal to).
Value - ${temporalWindow.to}
the end time of the temporal window.
Next Request
Method* - GET
URL* - https://${parameters.sentinelOneDomain}/web/api/v2.1/reports
The parameters variable will be replaced by the domain entered earlier.
Headers
Name - Accept
Value - application/json
Name - Authorization
Value - ApiToken ${secrets.sentinelOneApiToken}
where the dynamic variable is replaced with the value in the Secrets field entered above.
Body type* - there is no required body type because the parameters are included in the URL. However, these fields are mandatory, so select raw and enter the {} placeholder.
Output
Select - .data
Map - .
Output Mode - element


Click Create labels to move on to the next step and define the required Labels if needed.