# Reports

## Overview

Get the reports that match the filter and the data of the reports. Other data in the response: schedule, Insight Type, name and ID of the user who created the report, the date range, and more.

* The response contains an array of activities under the data field.

SentinelOne uses cursor-based pagination for the /reports endpoint. Cursor-based pagination relies on a pointer (cursor) that refers to the next set of results. Each API response contains a nextCursor field. You pass that cursor value in your next request using the cursor query parameter to get the next page. For that reason, we define, pagination as cursor and we should define an initialRequest and a nextRequest under collection.

## Configuration

### Parameters

* Domain (`sentinelOneDomain`)

### Secrets

* `SentinelOneApiToken` corresponds to the API Token used to authenticate the connection to Sentinel One.

<figure><picture><source srcset="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2Fg8cfP6r9Yo4nADVfVEaM%2F2025-07-11_10-25-59.png?alt=media&#x26;token=0cb20b1e-b5fa-43cb-b29d-d79d4418c7af" media="(prefers-color-scheme: dark)"><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2F0hzyZQcDgkU8yDlbfGeo%2Flight-medium%20(16).png?alt=media&#x26;token=59d928e2-2f67-418b-bd6d-cb20f270b64f" alt=""></picture><figcaption></figcaption></figure>

To add a Secret, open the **Secret** fields and click **New secret**:

* Give the secret a **Name**.
* Turn off the **Expiration date** option.
* Click **Add new value** and paste the secret corresponding to the value.
* Click **Save**.

<figure><picture><source srcset="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FlUo7CuVpPgIVm5VNjLw6%2Fnenenew.png?alt=media&#x26;token=eb7a7231-0ac2-4099-93f9-18f9ead5add1" media="(prefers-color-scheme: dark)"><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FTSD53FxGQOjijA3W3DhE%2Fimage.png?alt=media&#x26;token=9941a3c0-100a-4759-b603-30079fbc90de" alt=""></picture><figcaption></figcaption></figure>

{% hint style="info" %}
Learn more about secrets in Onum in [this article](https://docs.onum.com/administration/global-settings/organization-settings/secrets-management).
{% endhint %}

You can now select the secret you just created in the corresponding fields.

After entering the required parameters and secrets, you can choose to manually enter the Sentinel One Web API **Reports** fields, or simply paste the desired YAML.

### Configure as YAML

```yaml
withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 5m
  tz: UTC
  format: RFC3339
withAuthentication: false
withEnumerationPhase: false
collectionPhase:
  paginationType: "cursor"
  cursorSelector: ".pagination.nextCursor"
  limit: 100
  initialRequest:
    method: GET
    url: "https://${parameters.sentinelOneDomain}/web/api/v2.1/reports"
    headers:
      - name: Accept
        value: application/json
      - name: Authorization
        value: "ApiToken ${secrets.sentinelOneApiToken}"
    queryParams: 
      - name: createdAt__gte
        value: "${temporalWindow.from}"
      - name: createdAt__lte
        value: "${temporalWindow.to}"
  nextRequest:
    method: GET
    url: "https://${parameters.sentinelOneDomain}/web/api/v2.1/reports"
    headers:
      - name: Accept
        value: application/json
      - name: Authorization
        value: "ApiToken ${secrets.sentinelOneApiToken}"
  output:
    select: ".data"
    map: "."
    outputMode: element 
```

### **Manually Configure**

**Temporal Window**

Toggle **ON** to add a temporal window for events. This repeatedly shifts the time window over which data is collected.

* **Duration -** 5 minutes (`5m`) as default, adjust based on your needs.
* **Offset -** `5m`
* **Format** - `RFC3339`

**Authentication Phase**

**OFF**&#x20;

#### **Enumeration Phase**

**OFF**

#### **Collection Phase**

* **Pagination Type**<mark style="color:red;">**\***</mark>**&#x20;-** `cursor`
* **Cursor Selector**<mark style="color:red;">**\***</mark>**&#x20;-** the cursor defined is based on the request we get from the API as `.pagination.nextCursor`.
* **Initial Request**&#x20;

  * **Method**<mark style="color:red;">**\***</mark>**&#x20;-** `GET`
  * **URL**<mark style="color:red;">**\***</mark>**&#x20;-** `https://${parameters.sentinelOneDomain}/web/api/v2.1/reports` the parameters variable will be replaced by the domain entered earlier.
  * **Headers**&#x20;
    * **Name** - `Accept`
    * **Value -** `application/json`
    * **Name** - `Authorization`
    * **Value -** `ApiToken ${secrets.sentinelOneApiToken}` where the dynamic variable is replaced with the value in the **Secrets** field entered above.
  * **Query Params** - defines query string parameters that are appended to the URL when making the HTTP request. These parameters are commonly used to filter, paginate, or otherwise control the behavior of the API response.
    * **Name** -`createdAt_gte`. `createdAt` refers to the **ti**mestamp field in the API's data. \_`gte` is a common query operator meaning "greater than or equal to".
    * **Value** - `${temporalWindow.from}`This is a dynamic value injected, representing the start time of the temporal window.
    * **Name** -`createdAt_lte`(less than or equal to).
    * **Value** -`${temporalWindow.to}` the end time of the temporal window.

  **Next Request**&#x20;

  * **Method**<mark style="color:red;">**\***</mark>**&#x20;-** `GET`
  * **URL**<mark style="color:red;">**\***</mark>**&#x20;-** `https://${parameters.sentinelOneDomain}/web/api/v2.1/reports` the parameters variable will be replaced by the domain entered earlier.
  * **Headers**&#x20;
    * **Name** - `Accept`
    * **Value -** `application/json`
    * **Name** - `Authorization`
    * **Value -** `ApiToken ${secrets.sentinelOneApiToken}` where the dynamic variable is replaced with the value in the **Secrets** field entered above.
  * **Body type**<mark style="color:red;">**\***</mark>**&#x20;-** there is no required body type because the parameters are included in the URL. However, these fields are mandatory, so select `raw` and enter the `{}` placeholder.
* **Output**&#x20;
  * **Select -** `.data`
  * **Map -** `.`
  * **Output Mode** - `element`

<figure><picture><source srcset="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FqwRqcDe5IUHcRkloiJ6k%2F2025-07-15_11-12-41.png?alt=media&#x26;token=63da2856-3009-4322-9b98-40932c543b45" media="(prefers-color-scheme: dark)"><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2F7Cd0axGFO8Lg7UpdLKrV%2F2025-07-15_11-07-00.png?alt=media&#x26;token=a3232cf4-cf3f-47ff-babe-8543b34dfbe7" alt=""></picture><figcaption></figcaption></figure>

Click **Create labels** to move on to the next step and define the required [Labels](https://docs.onum.com/the-workspace/listeners/labels) if needed.