Celerium/SentinelOne-PowerShellWrapper

Buy me a coffee

Whether you use this project, have learned something from it, or just like it, please consider supporting it by buying me a coffee, so I can dedicate more time on open-source projects like this :)





About The Project

  • ⚠️ As of 2023-11, Module is being overhauled to v2.0

  • ⚠️ As of 2022-11, SentinelOne has almost 400 endpoints and only the GET endpoints have been wrapped. The other endpoints will come later after the core functionality of this module has been validated.

    • See the Roadmap below for more information on what's next

The SentinelOneAPI offers users the ability to extract data from SentinelOne into third-party reporting tools and aims to abstract away the details of interacting with SentinelOne's API endpoints in such a way that is consistent with PowerShell nomenclature. This gives system administrators and PowerShell developers a convenient and familiar way of using SentinelOne's API to create documentation scripts, automation, and integrations.

  • 📖 Project documentation can be found on Github Pages
  • 📖 SentinelOne's REST API documentation can be found under your management portal https://your_mgmt_Address/api-doc/overview.

SentinelOne exposes a REST API over HTTPS using the standard HTTP methods. To stay within PowerShell best practices, only approved verbs are used to wrap them:

  • GET -> Get-
  • GET -> Connect-
  • GET -> Export-
  • ⚠️POST -> New-
  • ⚠️PUT -> Set-
  • ⚠️DELETE -> Remove-

  • ⚠️ marks methods that are not wrapped yet; see the notice above and the Roadmap.

Additionally, PowerShell's verb-noun nomenclature is respected. Each noun is prefixed with SentinelOne to avoid naming collisions with other modules.

For example, one might access the /sites endpoint by running the following PowerShell command with the appropriate parameters:

  • 📖 Note: All commands contain an alias of 'S1'
Get-SentinelOneSites

or

Get-S1Sites


Install

This module can be installed directly from the PowerShell Gallery with the following command:

Install-Module -Name SentinelOneAPI
  • ℹ️ This module supports PowerShell 5.0 and should work in PowerShell Core.
  • ℹ️ If you are running an older version of PowerShell, or if PowerShellGet is unavailable, you can manually download the main branch and place the SentinelOneAPI folder into the (default) C:\Program Files\WindowsPowerShell\Modules folder.

Project documentation can be found on Github Pages

  • A full list of functions can be retrieved by running Get-Command -Module SentinelOneAPI.
  • Help info and a list of parameters can be found by running Get-Help <command name>, such as:
Get-Help Get-SentinelOneSites
Get-Help Get-SentinelOneSites -Full


Initial Setup

After installing this module, you will need to configure both the base URI & API key that are used to talk with the SentinelOne API.

  1. Run Add-SentinelOneBaseURI -baseMgmt_uri 'https://Mgmt-Console-Uri.sentinelone.net'
    • By default you only need to supply your management console's URL.
    • The 'baseApi_uri' parameter lets you adjust the API path if the API version changes. By default it uses /web/api/v2.1
    • If you have your own API gateway or proxy, you can set a fully custom URI with the -base_uri parameter:
      • Add-SentinelOneBaseURI -base_uri http://myapi.gateway.celerium.org
      • ⚠️ Prefer an https:// gateway: with an http:// base URI the API key travels in clear text on every request.

  2. Run Add-SentinelOneAPIKey -Api_Key 123456789
    • If you do not specify a key, you will be prompted to enter one.
    • SentinelOne API keys can be generated in the management console under SentinelOne > User > Options
    • ⚠️ Passing the key as a literal on the command line leaves it in your shell history; being prompted for it, or reading it from a secret store, avoids that.

  3. [optional] Run Export-SentinelOneModuleSettings
    • This creates a config file under %UserProfile%\SentinelOneAPI that holds the base URI and API key.
    • The next time you run Import-Module -Name SentinelOneAPI, this configuration file is loaded automatically.
    • ⚠️ Exporting module settings encrypts your API key in a form that can only be decrypted by the user principal that encrypted it. It uses .NET DPAPI, which on Windows is reversible encryption tied to your user account. This means you cannot copy the configuration file to another computer or user account and expect it to work.
    • ⚠️ On Linux/Unix, however, the exported secret is only encoded, not encrypted, so a more secure and cross-platform storage method is recommended there.
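The three steps above as one setup script, added here as an example and not part of the SentinelOneAPI module or its README. The cmdlet names and parameters are the ones documented on this page; the S1_API_KEY environment variable, the use of Get-SentinelOneSites as a smoke test (assumed to honour -ErrorAction like any advanced function), and the Test-SecretExportIsEncrypted helper are this example's own choices. The helper checks the caveat in step 3 directly: it round-trips a throwaway value through the same SecureString export that per-user config files rely on and only persists settings when that export is actually encrypted.

```powershell
# Added example (not the module's own code). Assumes the SentinelOneAPI cmdlets
# documented in the README; S1_API_KEY and the helper below are this example's own.

Import-Module -Name SentinelOneAPI -ErrorAction Stop

# Round-trips a probe value through ConvertFrom-SecureString (no -Key) and reports
# whether the result is really encrypted. On Windows this yields a DPAPI blob bound
# to the current user; on Linux/macOS it yields the secret's UTF-16LE bytes as hex,
# i.e. encoding only.
function Test-SecretExportIsEncrypted {
    param([string] $Probe = 'not-a-real-key')

    $secure   = ConvertTo-SecureString -String $Probe -AsPlainText -Force
    $exported = ConvertFrom-SecureString -SecureString $secure

    # Decode the hex string back to bytes and read it as UTF-16LE.
    $bytes = [byte[]]::new($exported.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($exported.Substring(2 * $i, 2), 16)
    }
    $decoded = [System.Text.Encoding]::Unicode.GetString($bytes)

    # If the "protected" form decodes straight back to the probe, nothing was encrypted.
    return ($decoded -ne $Probe)
}

# 1. Management console URL (replace with your tenant's).
Add-SentinelOneBaseURI -baseMgmt_uri 'https://Mgmt-Console-Uri.sentinelone.net'

# 2. API key: read it from an environment variable or prompt for it, rather than
#    passing a literal that would be kept in the shell's command history.
$apiKey = $env:S1_API_KEY
if ([string]::IsNullOrEmpty($apiKey)) {
    $secureKey = Read-Host -Prompt 'SentinelOne API key' -AsSecureString
    $apiKey    = [System.Net.NetworkCredential]::new('', $secureKey).Password
}
Add-SentinelOneAPIKey -Api_Key $apiKey
Remove-Variable -Name apiKey, secureKey -ErrorAction SilentlyContinue

# 3. Smoke test with a read-only call before persisting anything.
try {
    $null = Get-SentinelOneSites -ErrorAction Stop
    Write-Host 'SentinelOne API reachable and key accepted.'
}
catch {
    throw "SentinelOne API check failed: $($_.Exception.Message)"
}

# 4. Persist the settings only where the exported key is genuinely encrypted.
if (Test-SecretExportIsEncrypted) {
    Export-SentinelOneModuleSettings
    Write-Host "Settings saved under $env:USERPROFILE\SentinelOneAPI (DPAPI-bound to this user on this machine)."
}
else {
    Write-Warning 'Exported secrets on this host are only encoded, not encrypted; skipping Export-SentinelOneModuleSettings. Load the key from a secret store at each session start instead.'
}
```

Run it once per user account on each machine that will use the module; the saved config cannot be copied between users or hosts because DPAPI binds it to the encrypting principal. On a non-Windows host the script deliberately leaves no config file behind, so the API key has to be supplied to Add-SentinelOneAPIKey at the start of every session.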


Usage

To view documentation for the module as well as any commands you can browse the online Github pages

As a quick summary though you can reference the following notes:

  • Each Get-SentinelOne* function will respond with the raw data that SentinelOne's API provides.
  • A full list of functions can be retrieved by running Get-Command -Module SentinelOneAPI.
  • Help info and a list of parameters can be found by running Get-Help <command name>, such as:
Get-Help Get-SentinelOneSites
Get-Help Get-SentinelOneSites -Full
  • All commands contain an alias of 'S1'
Get-Help Get-S1Sites
Get-Help Get-S1Sites -Full


Roadmap

  • Add Changelog
  • Example scripts & reports
  • Implement other METHODS ( DELETE, POST, PUT )
  • Validate GET command structure, parameters and usage
    • Not all commands are fully validated due to various API issues and/or permissions

See the open issues for a full list of proposed features (and known issues).



Contributing

Contributions are what make the open-source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.

If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!

See the CONTRIBUTING guide for more information about contributing.


License

Distributed under the MIT License. See LICENSE for more information.



Contact

· Website · Email · Reddit ·


Acknowledgments

A big thank you to the following people and services, who have provided me with lots of helpful information as I continue this project!
