This is a PowerShell script module that provides command-line interaction and automation using the SentinelOne REST API.
Development is ongoing, with the goal to add support for the majority of the API set, and an attempt to provide examples for various capabilities.
Installation of this module currently consists of a pair of scripts: one copies the module into one of the PowerShell module paths, and the other searches the PowerShell module paths and removes it.
Install
.\Install-Module.ps1
Uninstall
.\Uninstall-Module.ps1
PS-SentinelOne includes commandlets to configure information specific to your environment, such as the URI of your SentinelOne console, and your API Token.
You may choose to cache this information for the current session, or save the information to disk. Saved API Tokens are protected by using secure strings.
Commandlets will utilize the URI and API Token cached in the current session. If no URI or API Token is cached, an attempt will be made to retrieve any settings that have been saved to disk.
Set the base URI for your management console, and your API Token for this session
PS > Set-S1ModuleConfiguration -URI "https://management-tenant.sentinelone.net" -ApiToken "<API Token>"
Set the base URI for your management console, and authenticate with your credentials for a temporary token.
Note: You must have a URI set in order to authenticate, otherwise the commandlet will not know where to connect to perform authentication.
PS > Set-S1ModuleConfiguration -URI "https://management-tenant.sentinelone.net"
PS > Get-S1Token
Windows PowerShell credential request.
Input SentinelOne username and password to authenticate for a temporary API token.
User: john.smith@acme.com
Password for user john.smith@acme.com: **************
Check the settings in the current session
PS > Get-S1ModuleConfiguration
Save to disk the base URI for your management console and your API Token.
PS > Set-S1ModuleConfiguration -URI "https://management-tenant.sentinelone.net" -ApiToken "<API Token>" -Persist
Review any settings saved to disk
PS > Get-S1ModuleConfiguration -Persisted
Import settings saved to disk into the current session
PS > Get-S1ModuleConfiguration -Persisted -Cache
Saved settings do not need to be manually imported into the current session. If there are settings saved to disk and the current session has none configured, the module will automatically import the saved settings when running your first commandlet that requires them. You can test this by doing the following:
PS > Import-Module .\PS-SentinelOne.psm1
PS > Get-S1ModuleConfiguration
Name Value
---- -----
ConfPath C:\Users\<username>\AppData\Local\PS-SentinelOne\config.json
PS > Get-S1Site
<OUTPUT REMOVED>
PS > Get-S1ModuleConfiguration
Name Value
---- -----
ManagementURL https://management-tenant.sentinelone.net
ApiToken <API Token as Secure String>
ConfPath C:\Users\<username>\AppData\Local\PS-SentinelOne\config.json
For API coverage, see the API Coverage documentation
The examples below need to be revised and expanded upon, please bear with me.
- Accounts
- Sites
- Groups
- Agents
- Exclusions (Whitelist)
- Blacklist
- Applications
- Agent Actions
- Updates
PS > Get-S1Account
PS > Get-S1Site
PS > $Account = Get-S1Account -Name "My Account"
PS > Get-S1Site -AccountID $Account.id
PS > Get-S1Site -State active # Tab complete capability
PS > Get-S1Site -Name "My Site"
PS > $Site = Get-S1Site -Name "My Site"
PS > $Groups = Get-S1Group -SiteID $Site.id
PS > $Site = Get-S1Site -Name "My Site"
PS > $Groups = Get-S1Group -SiteID $Site.id -Name "Default Group"
PS > $Site = Get-S1Site -Name "My Site"
PS > $NewGroup = New-S1Group -Name "Test" -SiteID $Site.id
PS > $Site = Get-S1Site -Name "My Site"
PS > $Group = New-S1Group -Name "Test" -SiteID $Site.id
PS > Remove-S1Group -GroupID $Group.id
success
-------
True
PS > $Group = Get-S1Group -Name "Default Group"
PS > Get-S1Agent -GroupID $Group.id
PS > Get-S1Agent -Domain acme
PS > Get-S1Agent -OSType macos
PS > Get-S1Agent -MitigationMode detect
PS > Get-S1Agent -Infected true
PS > $Agent = Get-S1Agent -Name "Deathstar"
PS > Get-S1Passphrase -AgentID $Agent.id
PS > $TargetSite = Get-S1Site -Name "Rebel Alliance"
PS > Get-S1Exclusion -SiteID $TargetSite.id -Type white_hash
PS > $TargetSite = Get-S1Site -Name "Rebel Alliance"
PS > Get-S1Exclusion -SiteID $TargetSite.id -Type path
PS > $TargetSite = Get-S1Site -Name "Rebel Alliance"
PS > Get-S1Blacklist -SiteID $TargetSite.id
PS > $TargetSite = Get-S1Site -Name "Rebel Alliance"
PS > New-S1Blacklist -Hash "2EF7BDE608CE5404E97D5F042F95F89F1C232871" -Description "Terrible" -OSType windows -SiteID $TargetSite.id
PS > $Agent = Get-S1Agent -Name "Deathstar"
PS > Get-S1Application -AgentID $Agent.id
PS > $ChromeInstances = Get-S1Application -ApplicationName "Google Chrome"
PS > $Agent = Get-S1Agent -Name "Deathstar"
PS > Get-S1AvailableActions -AgentID $Agent.id
isDisabled name Example
---------- ---- -------
False fetchLogs Invoke-S1AgentAction -AgentID <agent_id> -FetchLogs
False initiateScan Invoke-S1AgentAction -AgentID <agent_id> -Scan
False abortScan Invoke-S1AgentAction -AgentID <agent_id> -AbortScan
False disconnectFromNetwork Invoke-S1AgentAction -AgentID <agent_id> -DisconnectFromNetwork
False reconnectToNetwork Invoke-S1AgentAction -AgentID <agent_id> -ReconnectToNetwork
False updateSoftware
False sendMessage Invoke-S1AgentAction -AgentID <agent_id> -SendMessage <message>
False shutDown
False decommission Invoke-S1AgentAction -AgentID <agent_id> -Decommission
False reboot
False reloadConf Invoke-S1AgentAction -AgentID <agent_id> -Reload <log, static, agent, monitor>
False uninstall
False approveUninstall Invoke-S1AgentAction -AgentID <agent_id> -ApproveUninstall
False rejectUninstall Invoke-S1AgentAction -AgentID <agent_id> -RejectUninstall
False moveToAnotherSite Invoke-S1AgentAction -AgentID <agent_id> -MoveToSite -TargetSiteID <site.id>
False configureFirewallLogging
False remoteShell
False clearRemoteShellSession
False purgeResearchData
False purgeCrashDumps
False flushEventsQueue
False resetLocalConfiguration Invoke-S1AgentAction -AgentID <agent_id> -ResetLocalConfig
True restartServices
False markAsUpToDate
False protect Invoke-S1AgentAction -AgentID <agent_id> -Protect
False unprotect Invoke-S1AgentAction -AgentID <agent_id> -Unprotect
False revokeToken
False purgeDB
False controlCrashDumps
False controlResearchData
False eventsThrottling
False configuration
False migrateAgent
False randomizeUUID
False fileFetch
False showApplications
False showPassphrase
False searchOnDeepVisibility
False viewThreats
False setCustomerIdentifier
True enableRanger
True disableRanger
PS > $Agent = Get-S1Agent -Name "Deathstar"
PS > $TargetGroup = Get-S1Group -Name "Destroyed Battle Stations"
PS > Move-S1Agent -AgentID $Agent.id -TargetGroupID $TargetGroup.id
PS > $Agent = Get-S1Agent -Name "Kashyyyk"
PS > $TargetSite = Get-S1Site -Name "Rebel Alliance"
PS > Move-S1Agent -AgentID $Agent.id -TargetSiteID $TargetSite.id
PS > $Agents = Get-S1Agent -ScanStatus aborted
PS > Invoke-S1AgentAction -AgentID $Agents.id -Scan
Scan initiated for X agents
PS > $Started = Get-S1Agent -ScanStatus started
PS > Invoke-S1AgentAction -AgentID $Started.id -AbortScan
Scan aborted for X agents
PS > $Agent = Get-S1Agent -Name "Deathstar"
PS > Invoke-S1FetchFile -AgentID $Agent.id -FilePath "/path/to/file" -Password ExecuteOrder66!
success
-------
True
PS > $Agent = Get-S1Agent -Name "Deathstar"
PS > Invoke-S1AgentAction -AgentID $Agent.id -FetchLogs
Fetch Logs initiated for 1 agents
PS > $Agent = Get-S1Agent -Name "Deathstar"
PS > Invoke-S1AgentAction -AgentID $Agent.id -SendMessage "Do I execute order 66?"
PS > $Agent = Get-S1Agent -Name "Deathstar"
PS > Invoke-S1AgentAction -AgentID $Agent.id -DisconnectFromNetwork
PS > $Agent = Get-S1Agent -Name "Deathstar"
PS > Invoke-S1AgentAction -AgentID $Agent.id -ReconnectToNetwork
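The agent actions above can be chained into a small containment routine. The following is an added example, not part of the PS-SentinelOne module; it assumes the module is already imported and configured, that a quarantine group already exists in the same site as the swept group, and relies only on the `id` property of the objects the commandlets return (the field the examples on this page use).

```powershell
# Added example (not part of the PS-SentinelOne module): isolate every infected agent in one
# group, request its logs, notify the user, and move it into a quarantine group.
# Assumes Set-S1ModuleConfiguration has already been run and the quarantine group exists.
function Invoke-S1ContainInfectedAgents {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$GroupName,           # group to sweep for infected agents
        [Parameter(Mandatory)] [string]$QuarantineGroupName, # group the agents are moved into
        [string]$Message = "This host has been isolated by the security team. Please contact the SOC."
    )

    $Group = Get-S1Group -Name $GroupName
    if (-not $Group) { throw "Group '$GroupName' not found" }
    $Quarantine = Get-S1Group -Name $QuarantineGroupName
    if (-not $Quarantine) { throw "Group '$QuarantineGroupName' not found" }

    # Only the 'id' property is relied on; it is the field the module's own examples use.
    $Infected = @(Get-S1Agent -GroupID $Group.id -Infected true)
    if ($Infected.Count -eq 0) {
        Write-Verbose "No infected agents in '$GroupName'"
        return
    }

    foreach ($Agent in $Infected) {
        $Result = [ordered]@{ AgentID = $Agent.id; Isolated = $false; LogsRequested = $false; Moved = $false }
        try {
            # 1. Cut the host off from the network first so the compromise cannot spread.
            #    The agent keeps its channel to the management console, so later actions still work.
            Invoke-S1AgentAction -AgentID $Agent.id -DisconnectFromNetwork | Out-Null
            $Result.Isolated = $true
            # 2. Request the agent logs for the investigation.
            Invoke-S1AgentAction -AgentID $Agent.id -FetchLogs | Out-Null
            $Result.LogsRequested = $true
            # 3. Tell the user what happened, then park the agent in the quarantine group so the
            #    group's policy applies and analysts can find every contained host in one place.
            Invoke-S1AgentAction -AgentID $Agent.id -SendMessage $Message | Out-Null
            Move-S1Agent -AgentID $Agent.id -TargetGroupID $Quarantine.id | Out-Null
            $Result.Moved = $true
        }
        catch {
            # Keep going for the remaining agents; the returned object records what succeeded.
            Write-Warning "Agent $($Agent.id): $($_.Exception.Message)"
        }
        [pscustomobject]$Result
    }
}

# Usage: Invoke-S1ContainInfectedAgents -GroupName "Default Group" -QuarantineGroupName "Quarantine" -Verbose
```

Each agent yields one object recording which steps completed, so a partially contained host is visible in the output rather than lost in a warning.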
PS > $Site = Get-S1Site -Name "Rebel Alliance"
PS > Get-S1Package -SiteID $Site.id
PS > $Site = Get-S1Site -Name "Rebel Alliance"
PS > Get-S1Package -SiteID $Site.id -FileExtension ".exe" -PackageType "Agent" -OSType "windows"
PS > $Site = Get-S1Site -Name "Rebel Alliance"
PS > $Package = Get-S1Package -SiteID $Site.id -FileExtension .exe -PackageType Agent -OSType windows | Where-Object { $_.status -like "GA*" } | Sort-Object -Property version -Descending | Select-Object -First 1
PS > $Agent = Get-S1Agent -Name "Deathstar"
PS > Invoke-S1AgentUpdate -AgentID $Agent.id -PackageID $Package.id
Update initiated for 1 agents