
n8n-nodes-sentinelone

v0.4.0


n8n node for SentinelOne API - Manage agents, threats, device control, and tags


An n8n community node for interacting with the SentinelOne API v2.1. Manage your endpoint security infrastructure directly from your n8n workflows.

Features

Activity Operations (Audit Log)

| Operation | Description |
|-----------|-------------|
| Get Activities | Retrieve activity/audit log entries with filtering |
| Get Activity Types | Get list of activity types for filtering |

Agent Operations

| Operation | Description |
|-----------|-------------|
| Abort Scan | Abort a running scan on agents |
| Connect to Network | Reconnect isolated agents to the network |
| Decommission | Decommission agents (remove from console) |
| Disable Agent | Disable protection on agents |
| Disconnect from Network | Quarantine/isolate agents from the network |
| Enable Agent | Enable protection on agents |
| Fetch Logs | Request agents to upload diagnostic logs |
| Get Agents | Retrieve agents with comprehensive filtering options |
| Get Applications | Get installed applications for specific agents |
| Get Passphrase | Get the passphrase for specific agents |
| Initiate Scan | Run full disk scans on targeted agents |
| Move to Site | Move agents to a different site |
| Restart Machine | Remotely restart endpoints |
| Shutdown | Remotely shut down endpoints |
| Uninstall Agent | Remove SentinelOne agents from endpoints |
| Update Software | Initiate agent software update |

Device Control Operations

| Operation | Description |
|-----------|-------------|
| Create Rule | Create device control rules scoped to sites, groups, accounts, or global |
| Delete Rules | Delete device control rules by ID |
| Get Device Events | Retrieve device control events (blocked/allowed devices) |
| Get Device Rules | Retrieve device control rules with filtering by interface, device class, action, etc. |
| Update Rule | Update existing device control rules |

Exclusion Operations

| Operation | Description |
|-----------|-------------|
| Create Exclusion | Create whitelist/exclusion entries (path, hash, certificate, etc.) |
| Delete Exclusions | Delete exclusion entries by ID |
| Get Exclusions | Retrieve exclusions with filtering |
| Update Exclusion | Update existing exclusion entries |

Group Operations

| Operation | Description |
|-----------|-------------|
| Get Groups | Retrieve groups with filtering |
| Move Agents | Move agents to a specific group |

Hash Operations

| Operation | Description |
|-----------|-------------|
| Get Verdict | Get the reputation/verdict for a SHA1 hash |

Site Operations

| Operation | Description |
|-----------|-------------|
| Get Sites | Retrieve sites with filtering |

Tag Operations

| Operation | Description |
|-----------|-------------|
| Get Tags | Retrieve endpoint tags |
| Manage Tags | Add, remove, or override tags on agents |

Threat Operations

| Operation | Description |
|-----------|-------------|
| Get Threats | Retrieve threats with filtering by status, verdict, OS type, etc. |
| Mitigate Threat | Apply mitigation actions (kill, quarantine, remediate, rollback, un-quarantine, network-quarantine) |

Installation

Community Nodes (Recommended)

  1. Go to Settings > Community Nodes
  2. Select Install
  3. Enter n8n-nodes-sentinelone
  4. Agree to the risks and click Install

Manual Installation

# In your n8n installation directory
npm install n8n-nodes-sentinelone

Credentials

You'll need to configure your SentinelOne API credentials:

| Field | Description |
|-------|-------------|
| API URL | Your SentinelOne console URL (e.g., https://usea1-partners.sentinelone.net) |
| API Token | Your API token from SentinelOne console |

Getting Your API Token

  1. Log in to your SentinelOne Management Console
  2. Navigate to Settings > Users
  3. Select your user or create a service user
  4. Click Generate API Token
  5. Copy the token (it won't be shown again!)

Operations Detail

Agent: Get Agents

Retrieve a list of agents with powerful filtering capabilities.

Filters Available:

  • Account/Site/Group IDs
  • Computer name (contains)
  • External IP (contains)
  • OS Types (Windows, macOS, Linux)
  • Machine Types (Desktop, Laptop, Server, Kubernetes, etc.)
  • Network Status (Connected, Disconnected)
  • Scan Status
  • Infection status
  • Agent version
  • And many more...

Agent: Get Applications

Retrieve installed applications for specific agents.

Required: Agent IDs (comma-separated)

Agent: Actions (Scan, Connect, Disconnect, Restart, Shutdown, Uninstall)

Target agents by:

  • Agent IDs: Specific agent IDs (comma-separated)
  • Filter: Dynamic filter criteria (OS type, site, group, infection status, etc.)

Threat: Get Threats

Retrieve threats with filtering:

  • Analyst Verdicts (True Positive, False Positive, Suspicious, Undefined)
  • Incident Statuses (In Progress, Resolved, Unresolved)
  • Mitigation Statuses (Mitigated, Active, Blocked, Pending, etc.)
  • Content Hash, Classification
  • Date ranges

Threat: Mitigate Threat

Apply mitigation actions:

  • Kill - Terminate the threat process
  • Quarantine - Quarantine the threat file
  • Remediate - Remediate the threat (macOS/Windows)
  • Rollback Remediation - Rollback remediation (Windows only)
  • Un-Quarantine - Release from quarantine
  • Network Quarantine - Network isolate the affected endpoint

Device Control: Create Rule

Create a new device control rule with:

  • Scope: Global (Tenant), Account, Site, or Group level
  • Interface: USB, Bluetooth, Thunderbolt, eSATA
  • Rule Type: Device Class, Vendor ID, Product ID, Device ID, Bluetooth Version
  • Action: Allow, Block, Read-Only
  • Status: Enabled or Disabled

Device Control: Get Device Rules

Retrieve device control rules with filtering:

  • Interfaces (USB, Bluetooth, Thunderbolt, eSATA)
  • Device Classes (Mass Storage, Printer, Portable Device, Communication)
  • Actions (Allow, Block, Read-Only)
  • Scopes (Account, Global, Group, Site)
  • Statuses (Enabled, Disabled)

Device Control: Update Rule

Update an existing device control rule by ID. Modifiable fields:

  • Rule Name, Action, Status, Device Class, Vendor ID, Product ID

Device Control: Delete Rules

Delete device control rules by providing rule IDs (comma-separated).

Device Control: Get Device Events

Retrieve device control events with filtering:

  • Event Types (Blocked, Allowed, Read-Only)
  • Interfaces, Agent IDs, Site/Group IDs
  • Date ranges, Computer name, Query search

Tag: Get Tags & Manage Tags

  • Get Tags: Retrieve endpoint tags with filtering
  • Manage Tags: Add, remove, or override tags
    • Supports key-value pairs
    • Target by Agent IDs or filter criteria

Example Workflows

Automated Threat Response

Trigger: Webhook from SIEM
    |
SentinelOne: Get Threats (filter: unresolved)
    |
IF: severity == high
    |
SentinelOne: Mitigate Threat (action: quarantine)
    |
SentinelOne: Disconnect from Network
    |
Slack: Notify Security Team
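
The IF step in the workflow above decides which endpoints get cut off from the network without a human in the loop. The following is an added example, not code from this package: a function an n8n Code node could run at that step, which goes slightly beyond the diagram by skipping analyst-cleared threats, isolating each endpoint once, holding servers for review, and capping isolations per run. The field names, the `POLICY` values and the use of `confidenceLevel` in place of the diagram's "severity" are assumptions.

```javascript
// Added example, not code from n8n-nodes-sentinelone. Field names are assumptions
// about the Get Threats output; confirm them in your console's API documentation.
const POLICY = {
  requiredConfidence: 'malicious',   // stands in for the diagram's "severity == high"
  protectedMachineTypes: ['server'], // never auto-isolate these; hand to a human
  maxIsolationsPerRun: 2,            // blast-radius cap for one execution
};
function planContainment(threats, policy = POLICY) {
  const plan = { quarantineThreatIds: [], isolateAgentIds: [], review: [] };
  const seenAgents = new Set();
  for (const t of threats) {
    const info = t.threatInfo || {};
    const agent = t.agentRealtimeInfo || {};
    // Leave analyst-cleared and already-resolved items alone.
    if (info.analystVerdict === 'false_positive' || info.incidentStatus === 'resolved') continue;
    if (info.confidenceLevel !== policy.requiredConfidence) continue;
    if (!info.threatId || !agent.agentId) {
      plan.review.push({ threatId: info.threatId || null, reason: 'missing threat or agent id' });
      continue;
    }
    plan.quarantineThreatIds.push(info.threatId); // file-level action, per threat
    if (seenAgents.has(agent.agentId)) continue;  // network isolation, once per endpoint
    seenAgents.add(agent.agentId);
    const type = String(agent.agentMachineType || 'unknown').toLowerCase();
    if (policy.protectedMachineTypes.includes(type)) {
      plan.review.push({ agentId: agent.agentId, reason: `protected machine type: ${type}` });
    } else if (plan.isolateAgentIds.length >= policy.maxIsolationsPerRun) {
      plan.review.push({ agentId: agent.agentId, reason: 'isolation cap reached' });
    } else {
      plan.isolateAgentIds.push(agent.agentId);
    }
  }
  return plan;
}
// Constructed sample input (not real console output).
const mk = (threatId, confidenceLevel, analystVerdict, agentId, agentMachineType) => ({
  threatInfo: { threatId, confidenceLevel, analystVerdict, incidentStatus: 'unresolved' },
  agentRealtimeInfo: { agentId, agentMachineType },
});
const SAMPLE_THREATS = [
  mk('T1', 'malicious', 'undefined', 'A1', 'laptop'),
  mk('T2', 'malicious', 'undefined', 'A1', 'laptop'),       // same endpoint as T1
  mk('T3', 'malicious', 'undefined', 'A2', 'server'),       // protected machine type
  mk('T4', 'suspicious', 'undefined', 'A3', 'desktop'),     // below threshold
  mk('T5', 'malicious', 'false_positive', 'A4', 'desktop'), // analyst cleared
  mk('T6', 'malicious', 'undefined', 'A5', 'desktop'),
  mk('T7', 'malicious', 'undefined', 'A6', 'desktop'),      // over the cap
];
console.log(JSON.stringify(planContainment(SAMPLE_THREATS), null, 2));
```

Feed `quarantineThreatIds` to Mitigate Threat and `isolateAgentIds` to Disconnect from Network, and send the `review` list to the Slack step so held-back endpoints are still seen by a person.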

Daily Security Report

Trigger: Schedule (Daily 8 AM)
    |
SentinelOne: Get Agents (filter: isActive=true)
    |
SentinelOne: Get Threats (filter: last 24 hours)
    |
Function: Calculate statistics
    |
Email: Send daily report

Endpoint Tagging Automation

Trigger: Webhook (new employee)
    |
SentinelOne: Get Agents (filter: computerName contains "new-laptop")
    |
SentinelOne: Manage Tags (action: add, key: department, value: engineering)

Device Control Audit

Trigger: Schedule (Weekly)
    |
SentinelOne: Get Device Rules (filter: interface=USB, action=Allow)
    |
Function: Format audit report
    |
Google Sheets: Append to compliance log
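
For the "Format audit report" step above, an added example (not code from this package) of a function that turns USB Allow rules into report rows ordered by how much they open up. The property names, the `deviceClass`/`vendorId`/`productId`/`deviceId` rule-type values and the breadth scoring are assumptions made for illustration.

```javascript
// Added example, not code from n8n-nodes-sentinelone. Property names and the scoring
// are assumptions; map them to the fields Get Device Rules returns in your tenant.
const SCOPE_BREADTH = { global: 4, account: 3, site: 2, group: 1 };
const MATCH_BREADTH = { deviceClass: 4, vendorId: 3, productId: 2, deviceId: 1 };

function auditUsbAllowRules(rules) {
  return rules
    .filter((r) => r.interface === 'USB' && r.action === 'Allow')
    .map((r) => {
      const scope = SCOPE_BREADTH[r.scope] ?? 4;    // unknown scope: treat as widest
      const match = MATCH_BREADTH[r.ruleType] ?? 4; // unknown match type: treat as widest
      const enabled = r.status === 'Enabled';
      const findings = [];
      if (!enabled) findings.push('disabled, candidate for cleanup');
      if (enabled && r.ruleType === 'deviceClass' && r.deviceClass === 'Mass Storage') {
        findings.push('allows every USB mass-storage device in scope');
      }
      if (enabled && scope === 4 && match >= 3) findings.push('tenant-wide allow on a broad match');
      return {
        ruleName: r.ruleName, scope: r.scope, ruleType: r.ruleType, status: r.status,
        breadth: enabled ? scope * match : 0, // higher = more devices on more endpoints
        findings: findings.join('; ') || 'none',
      };
    })
    .sort((a, b) => b.breadth - a.breadth || a.ruleName.localeCompare(b.ruleName));
}

// Constructed sample rules (not real console output).
const SAMPLE_RULES = [
  { ruleName: 'Allow security keys', interface: 'USB', ruleType: 'productId', action: 'Allow', status: 'Enabled', scope: 'global' },
  { ruleName: 'Lab storage', interface: 'USB', ruleType: 'deviceClass', deviceClass: 'Mass Storage', action: 'Allow', status: 'Enabled', scope: 'group' },
  { ruleName: 'Vendor exception', interface: 'USB', ruleType: 'vendorId', action: 'Allow', status: 'Enabled', scope: 'global' },
  { ruleName: 'Old exception', interface: 'USB', ruleType: 'deviceId', action: 'Allow', status: 'Disabled', scope: 'site' },
  { ruleName: 'Block headsets', interface: 'Bluetooth', ruleType: 'deviceClass', action: 'Block', status: 'Enabled', scope: 'global' },
];
console.table(auditUsbAllowRules(SAMPLE_RULES));
```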

Block USB Storage on New Sites

Trigger: Webhook (new site created)
    |
SentinelOne: Create Rule (scope: site, interface: USB, deviceClass: Mass Storage, action: Block)
    |
SentinelOne: Get Device Events (filter: siteId, eventType: blocked)
    |
Slack: Notify IT team of new policy

API Reference

This node uses the SentinelOne API v2.1. For complete API documentation, visit your SentinelOne console's API documentation at:

https://your-console.sentinelone.net/api-doc/overview

Compatibility

  • n8n Version: 0.5.0+
  • Node.js: 18+
  • SentinelOne API: v2.1

Support

Changelog

v0.4.0

  • Added new resources:
    • Activity: Get audit log entries and activity types
    • Exclusion: Full CRUD for whitelist/exclusion management
    • Group: Get groups and move agents between groups
    • Hash: Get reputation verdict for SHA1 hashes
    • Site: Get sites with filtering
  • Expanded Agent operations:
    • Abort Scan, Decommission, Disable Agent, Enable Agent
    • Fetch Logs, Get Passphrase, Move to Site, Update Software
  • Now supports 9 resources with 30+ operations

v0.3.0

  • Expanded Device Control operations:
    • Create Rule (with site/group/account/global scoping)
    • Update Rule
    • Delete Rules
    • Get Device Events
  • Enhanced rule creation with support for device class, vendor ID, product ID, and Bluetooth version matching

v0.2.0

  • Added Threat operations (Get Threats, Mitigate Threat)
  • Added Device Control operations (Get Device Rules)
  • Added Tag operations (Get Tags, Manage Tags)
  • Enhanced filtering options for all operations

v0.1.0

  • Initial release
  • Agent operations (Get Agents, Get Applications, Actions)

License

MIT


Made with 💜 for the n8n community