Celerium_SentinelOneAPI
Buy me a coffee
Whether you use this project, have learned something from it, or just like it, please consider supporting it by buying me a coffee, so I can dedicate more time on open-source projects like this :)
About The Project
- :warning: As of 2023-11, the module is being overhauled to v2.0
- :warning: As of 2022-11, SentinelOne has almost 400 endpoints and only the GET endpoints have been wrapped. The other endpoints will come later after the core functionality of this module has been validated.
- See the Roadmap below for more information on what's next
The SentinelOneAPI offers users the ability to extract data from SentinelOne into third-party reporting tools and aims to abstract away the details of interacting with SentinelOne’s API endpoints in such a way that is consistent with PowerShell nomenclature. This gives system administrators and PowerShell developers a convenient and familiar way of using SentinelOne’s API to create documentation scripts, automation, and integrations.
- :book: Project documentation can be found on Github Pages
- :book: SentinelOne’s REST API documentation can be found under your management portal https://your_mgmt_Address/api-doc/overview.
SentinelOne features a REST API that makes use of common HTTPS GET actions. In order to maintain PowerShell best practices, only approved verbs are used.
- GET -> Get-
- GET -> Connect-
- GET -> Export-
- :warning: POST -> New-
- :warning: PUT -> Set-
- :warning: DELETE -> Remove-
Additionally, PowerShell's verb-noun nomenclature is respected. Each noun is prefixed with SentinelOne in an attempt to prevent naming problems.
For example, one might access the /sites endpoint by running the following PowerShell command with the appropriate parameters:
- :book: Note: All commands contain an alias of 'S1'
Get-SentinelOneSites
or
Get-S1Sites
Install
This module can be installed directly from the PowerShell Gallery with the following command:
Install-Module -Name SentinelOneAPI
- :information_source: This module supports PowerShell 5.0+ and should work in PowerShell Core.
- :information_source: If you are running an older version of PowerShell, or if PowerShellGet is unavailable, you can manually download the main branch and place the SentinelOneAPI folder into the (default) C:\Program Files\WindowsPowerShell\Modules folder.
Project documentation can be found on Github Pages
- A full list of functions can be retrieved by running Get-Command -Module SentinelOneAPI
- Help info and a list of parameters can be found by running Get-Help <command name>, such as:
Get-Help Get-SentinelOneSites
Get-Help Get-SentinelOneSites -Full
Initial Setup
After installing this module, you will need to configure both the base URI & API key that are used to talk with the SentinelOne API.
- Run Add-SentinelOneBaseURI -baseMgmt_uri 'https://Mgmt-Console-Uri.sentinelone.net'
  - By default, you will need to define your management console's URL.
  - The 'baseApi_uri' parameter allows you to adjust in the event the API version is updated. By default it uses /web/api/v2.1
  - If you have your own API gateway or proxy, you may put in your own custom URI by specifying the -base_uri parameter: Add-SentinelOneBaseURI -base_uri http://myapi.gateway.celerium.org
- Run Add-SentinelOneAPIKey -Api_Key 123456789
  - It will prompt you to enter your API key if you do not specify it.
  - SentinelOne API keys can be generated by going to SentinelOne > User > Options
- [optional] Run Export-SentinelOneModuleSettings
  - This will create a config file at %UserProfile%\SentinelOneAPI that holds the base URI & API key information.
  - Next time you run Import-Module -Name SentinelOneAPI, this configuration file will automatically be loaded.
  - :warning: Exporting module settings encrypts your API key in a format that can only be decrypted by the user principal that encrypted the secret. It makes use of .NET DPAPI, which on Windows uses reversible encryption tied to your user principal. This means that you cannot copy your configuration file to another computer or user account and expect it to work.
  - :warning: However, on Linux/Unix operating systems the secret keys are more obfuscated than encrypted, so it is recommended to use a more secure & cross-platform storage method.
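The setup steps above, carried through as one script. This is an added example and not code from the SentinelOneAPI project: it only assumes the cmdlets and parameters named on this page (Add-SentinelOneBaseURI -baseMgmt_uri, Add-SentinelOneAPIKey -Api_Key, Export-SentinelOneModuleSettings). The console hostname, the S1_API_KEY environment variable name and the -Persist switch are placeholders chosen for the example. It keeps the key out of the script text and the shell history, and it honours the DPAPI caveat by only exporting settings on Windows.

```powershell
# Added example (not part of the SentinelOneAPI project): one-time configuration of the module.
# Assumptions: cmdlet/parameter names as documented on the page; $MgmtUri is a placeholder;
# S1_API_KEY is an environment variable name chosen for this example.
param(
    [string]$MgmtUri = 'https://YOUR-CONSOLE.sentinelone.net',   # placeholder console URL
    [switch]$Persist   # write the settings file; only honoured where DPAPI protects it
)

Import-Module -Name SentinelOneAPI -ErrorAction Stop

# Point the module at the console. The API version path (/web/api/v2.1) is the module default,
# so -baseApi_uri is left alone here.
Add-SentinelOneBaseURI -baseMgmt_uri $MgmtUri

# Take the key from the environment if an orchestrator injected it; otherwise prompt
# without echoing it, so it never lands in the script or the console history.
if ($env:S1_API_KEY) {
    $apiKey = $env:S1_API_KEY
}
else {
    $secure = Read-Host -Prompt 'SentinelOne API key' -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { $apiKey = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

Add-SentinelOneAPIKey -Api_Key $apiKey
Remove-Variable -Name apiKey   # drop the plaintext copy from the session once the module holds it

# $IsLinux / $IsMacOS are automatic variables in PowerShell Core and $null on Windows PowerShell 5.1,
# so "neither is set" means Windows, where the exported file is DPAPI-protected for this user.
$onWindows = -not ($IsLinux -or $IsMacOS)

if ($Persist -and $onWindows) {
    Export-SentinelOneModuleSettings
    Write-Host "Settings saved to $env:USERPROFILE\SentinelOneAPI (DPAPI-bound to $env:USERNAME on this machine)"
}
elseif ($Persist) {
    # On Linux/macOS the page notes the key is obfuscated rather than encrypted: refuse to persist it here.
    Write-Warning 'Not exporting settings on this platform: the API key would only be obfuscated. Use a secrets manager instead.'
}
```

Run it once per user profile with -Persist on a Windows workstation; on a Linux build host leave -Persist off and let the orchestrator supply S1_API_KEY on each run so nothing sits on disk.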
Usage
To view documentation for the module as well as any commands you can browse the online Github pages
As a quick summary though you can reference the following notes:
- Each Get-SentinelOne* function will respond with the raw data that SentinelOne's API provides.
- A full list of functions can be retrieved by running Get-Command -Module SentinelOneAPI
- Help info and a list of parameters can be found by running Get-Help <command name>, such as:
Get-Help Get-SentinelOneSites
Get-Help Get-SentinelOneSites -Full
- All commands contain an alias of 'S1'
Get-Help Get-S1Sites
Get-Help Get-S1Sites -Full
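Because each Get-SentinelOne* function hands back the raw API object, a report script has to unwrap it itself. The following is an added example, not the project's own code: it calls Get-SentinelOneSites as shown above and assumes the response shape of SentinelOne's /sites endpoint (a data.sites array whose items carry name, state, siteType, activeLicenses and expiration); confirm those field names against the API documentation under your own console before relying on them. The output path and the Get-S1SiteReport function name are choices made for this example.

```powershell
# Added example (not part of the SentinelOneAPI project): turn the raw /sites response into a CSV report.
# Assumption: the response is shaped like SentinelOne's documented /sites reply (data.sites[] with the
# fields selected below); the wrapper itself does not reshape the data.
Import-Module -Name SentinelOneAPI -ErrorAction Stop

function Get-S1SiteReport {
    param(
        [string]$OutFile = (Join-Path ([IO.Path]::GetTempPath()) 'S1-sites.csv')   # arbitrary default
    )

    # Get-SentinelOneSites (alias Get-S1Sites) returns the API object untouched.
    $response = Get-SentinelOneSites -ErrorAction Stop
    $sites    = $response.data.sites

    if (-not $sites) {
        # An empty list usually means the key's scope does not cover any site, not that none exist.
        Write-Warning "No sites returned; check the scope of the API key in use."
        return
    }

    $report = foreach ($site in $sites) {
        [pscustomobject]@{
            Name     = $site.name
            State    = $site.state
            Type     = $site.siteType
            Licenses = $site.activeLicenses
            Expires  = $site.expiration
        }
    }

    $report | Sort-Object Name | Export-Csv -Path $OutFile -NoTypeInformation
    Write-Verbose "Wrote $($report.Count) sites to $OutFile"
    $report
}

# Usage: print the table and leave the CSV behind for the reporting tool.
Get-S1SiteReport -Verbose | Format-Table -AutoSize
```

The same pattern (call the wrapper, index into .data, project the fields you need) applies to every other Get-SentinelOne* function; only the property under .data changes per endpoint.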
Roadmap
- Add Changelog
- Example scripts & reports
- Implement other methods (DELETE, POST, PUT)
- Validate GET command structure, parameters and usage
  - Not all commands are fully validated due to various API issues and/or permissions
See the open issues for a full list of proposed features (and known issues).
Contributing
Contributions are what makes the open-source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag “enhancement”. Don’t forget to give the project a star! Thanks again!
See the CONTRIBUTING guide for more information about contributing.
License
Distributed under the MIT License. See LICENSE
for more information.
Contact
Acknowledgments
Big thank you to the following people and services as they have provided me with lots of helpful information as I continue this project!