Welcome to the Sentinel API (Beta) Documentation

Sentinel provides an Application Programming Interface (API) for programmatic access to Sentinel resources. The Sentinel API is currently being made available as a supported beta release. You are encouraged to use the API and will receive support when doing so; however, while the API remains in beta status it may change without notice as a result of product updates. The temporary beta status of the API will remain in place while it matures. In a future release, the beta status will be removed, at which point changes to existing APIs will be limited and documented.


Getting Started

Most of the functionality in Sentinel is accessible via an Application Programming Interface (API). This API is HTTP-based and RESTful.

The intended uses of this API include both the built-in user interfaces and external access to Sentinel. Users of Sentinel can access the API externally in order to integrate, automate, or build an alternate user interface for the data within Sentinel. This is particularly useful for Managed Security Service Providers (MSSPs), partners, and other users that need deeper access to the data within Sentinel. Typically, end users of Sentinel do not need to use this API directly. An example of how this API may be used is an MSSP accessing it from a web portal they've built that consolidates information from various services, including Sentinel. The APIs make it easy to retrieve display information so it can be shown in user interfaces other than the one built into Sentinel.

This API is an example of a RESTful API, with the following general characteristics:

The following table from Wikipedia describes the semantics based on the method/URL type combination. Note that not all APIs support all URL methods.
Collection URI, such as http://example.com/resources/
  GET: List the URIs and perhaps other details of the collection's members.
  PUT: Replace the entire collection with another collection.
  POST: Create a new entry in the collection. The new entry's URL is assigned automatically and is usually returned by the operation.
  DELETE: Delete the entire collection.

Element URI, such as http://example.com/resources/142
  GET: Retrieve a representation of the addressed member of the collection, expressed in an appropriate Internet media type.
  PUT: Replace the addressed member of the collection, or if it doesn't exist, create it.
  POST: Treat the addressed member as a collection in its own right and create a new entry in it.
  DELETE: Delete the addressed member of the collection.

API Security

Sentinel uses token-based security built on SAML tokens. An Authentication Server issues the SAML tokens used in all REST interactions with Sentinel. The following diagram illustrates the security interaction flow.


  1. REST Client requests token from Authentication Server, passing credentials
  2. Authentication server authenticates against Sentinel Configuration Database, or LDAP if so configured
  3. If OK, authentication process returns user info, including permissions
  4. SAML token returned to REST client
  5. All subsequent REST calls include this token on the authentication header; the Sentinel server uses it to authenticate and authorize the call
  6. If user is authenticated, REST data is returned as requested
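
The six steps above, modeled in-process as an added example; this is not Sentinel code and uses none of its endpoints. An HMAC-signed JSON token stands in for the SAML token, and the user store, signing key, `Demo-Token` header scheme and permission names are constructed for illustration. It shows the server-side checks behind steps 5 and 6: token integrity, expiry, then permission.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-signing-key"   # hypothetical key known to both servers
SALT = b"constructed-salt"         # hypothetical salt for the demo user store

def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed user store standing in for the configuration database or LDAP.
USERS = {"analyst": {"pw": _pw_hash("s3cret-demo"), "permissions": ["viewEvents"]}}

def _sign(body):
    return base64.urlsafe_b64encode(hmac.new(KEY, body, hashlib.sha256).digest())

def issue_token(username, password, now=None, lifetime=300):
    """Steps 1-4: verify credentials, return a signed token carrying permissions."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw"], _pw_hash(password)):
        return None                          # bad credentials: no token issued
    now = time.time() if now is None else now
    claims = {"sub": username, "perms": user["permissions"], "exp": now + lifetime}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (body + b"." + _sign(body)).decode()

def handle_request(auth_header, needed_permission, now=None):
    """Steps 5-6: the API server validates the token before returning data."""
    scheme, _, token = (auth_header or "").partition(" ")
    body, _, sig = token.encode().partition(b".")
    # Verify the signature before parsing anything the client controls.
    if scheme != "Demo-Token" or not hmac.compare_digest(sig, _sign(body)):
        return 401, "invalid or missing token"
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        return 401, "token expired"
    if needed_permission not in claims["perms"]:
        return 403, "permission denied"
    return 200, {"user": claims["sub"], "data": "constructed event list"}

if __name__ == "__main__":
    tok = issue_token("analyst", "s3cret-demo")
    print(handle_request("Demo-Token " + tok, "viewEvents"))
    print(handle_request("Demo-Token " + tok, "manageUsers"))
```
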
As a concrete example, let's look at this interaction using curl commands.

DataObject REST API

Many of the data structures used by Sentinel are exposed through an HTTP API with common syntax and semantics, named the Sentinel DataObject REST API.
Information about the Sentinel DataObject REST API is found here.

REST API methods


Advisor Data


API documentation

The API for API documentation generation.

Asset Data

An Asset Data object contains identification and location information about enterprise assets.



The API calls to obtain collection statistics.


Associates a correlation event with the events that triggered the correlation event.

Data Collection

Data Collectors are objects that represent the various parts of a Sentinel system that monitor and report events that occur in the enterprise.

Data Sync

The API calls for data synchronization.

Distributed Search

The API calls for setting up distributed search.



Events and related objects are the fundamental building block of Sentinel data.


The API calls to manage Lucene filters.




Identities, Accounts, and associated objects are information about people in the enterprise that is monitored by the Sentinel System. Sentinel can determine which incoming events are associated with people and establish a link between the event and the Identity data of one or more persons.


Incident objects contain information about abnormal or suspicious events in the system.




Object representing a configured event action.




The API calls for running and viewing reports.

System Information


Tag objects define strings that can be used to annotate other objects, particularly Event objects.

Users and Roles

Users and Roles are the interface to Sentinel's user accounts and permissions. Permissions are assigned to users via a user's membership in Sentinel Roles (known internally as UserGroup objects).


General utility methods.

Vulnerability Data

A Vulnerability Container object contains information about enterprise vulnerabilities.



Unsupported API methods

The methods documented here are for internal testing purposes only, and are not supported in any way. They may be removed in a future release without notice.