Get-SentinelOneCustomDetectionRules
SYNOPSIS
Get a list of Custom Detection Rules for a given scope.
SYNTAX
Get-SentinelOneCustomDetectionRules [-accountIds <Int64[]>] [-activeResponse] [-countOnly]
[-creator__contains <String[]>] [-cursor <String>] [-description__contains <String[]>] [-disablePagination]
[-expirationMode <String>] [-expired] [-groupIds <Int64[]>] [-ids <Int64[]>] [-limit <Int64>]
[-name__contains <String[]>] [-query <String[]>] [-queryType <String>] [-reachedLimit]
[-SentinelOneql__contains <String[]>] [-scopes <String[]>] [-siteIds <Int64[]>] [-skip <Int64>] [-skipCount]
[-sortBy <String>] [-sortOrder <String>] [-status <String[]>] [<CommonParameters>]
DESCRIPTION
The Get-SentinelOneCustomDetectionRules cmdlet gets a list of Custom Detection Rules for a given scope.
Note: You can create and see rules only at your highest available scope. For example, if your user's access level is the Account scope, you cannot see rules created at the Global scope or rules created for a specific Site.
EXAMPLES
EXAMPLE 1
Get-SentinelOneCustomDetectionRules
Returns the first 10 Custom Detection Rules visible at your scope (the API's default page size)
EXAMPLE 2
1234567890,0987654321 | Get-SentinelOneCustomDetectionRules
Returns the first 10 Custom Detection Rules from the specified Site IDs (piped values bind to -siteIds)
EXAMPLE 3
Get-SentinelOneCustomDetectionRules -cursor 'YWdlbnRfaWQ6NTgwMjkzODE='
Returns the page of results that follows the given cursor
The cursor value is returned in the pagination object of the previous response (nextCursor)
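The cursor walk that Example 3 describes, written out end to end as an added example; it is not part of the module's help or the module's own code. It assumes the cmdlet returns the raw API response, with the rules under data and the next page token under pagination.nextCursor, and that each rule object exposes the fields listed under -sortBy (status, expirationMode, expired, reachedLimit, lastAlertTime, and so on). Get-AllCustomDetectionRules is a hypothetical helper name. Check the response shape against a single call before relying on it.

```powershell
# Added example, not part of the module's documentation or code.
# Assumptions (verify against one real response first):
#   - the cmdlet returns the raw API response: rules in .data,
#     next page token in .pagination.nextCursor ($null on the last page)
#   - rule objects carry the fields named under -sortBy
#   - Get-AllCustomDetectionRules is a hypothetical helper name

function Get-AllCustomDetectionRules {
    [CmdletBinding()]
    param(
        [Int64[]]$SiteIds,                                   # optional: restrict to these sites
        [ValidateRange(1, 1000)][Int64]$PageSize = 1000      # -limit accepts 1-1000
    )

    $cursor = $null
    do {
        # -skip is capped at 1000, so walk the result set with the cursor instead.
        # -skipCount avoids a server-side total count on every page.
        $params = @{ limit = $PageSize; skipCount = $true }
        if ($SiteIds) { $params.siteIds = $SiteIds }
        if ($cursor)  { $params.cursor  = $cursor }

        $resp = Get-SentinelOneCustomDetectionRules @params
        if (-not $resp -or -not $resp.data) { break }

        $resp.data                                  # emit each rule down the pipeline
        $cursor = $resp.pagination.nextCursor       # $null once the last page is reached
    } while ($cursor)
}

# Rule hygiene sweep over everything visible at this scope.
$rules = @(Get-AllCustomDetectionRules)

$report = [ordered]@{
    Total             = $rules.Count
    Active            = @($rules | Where-Object status -eq 'Active').Count
    DraftOrDisabled   = @($rules | Where-Object { $_.status -in @('Draft', 'Disabled') }).Count
    ExpiredTemporary  = @($rules | Where-Object { $_.expirationMode -eq 'Temporary' -and $_.expired }).Count
    ReachedAlertLimit = @($rules | Where-Object reachedLimit -eq $true).Count
}
[pscustomobject]$report | Format-List

# The same two findings filtered server-side, so only the rules that need
# attention come back: temporary rules that have lapsed, and rules that
# stopped firing because they hit their alert limit.
Get-SentinelOneCustomDetectionRules -expirationMode Temporary -expired -disablePagination |
    Select-Object -ExpandProperty data |
    Select-Object id, name, scope, status, expiration

Get-SentinelOneCustomDetectionRules -reachedLimit -sortBy lastAlertTime -sortOrder desc -limit 50 |
    Select-Object -ExpandProperty data |
    Select-Object id, name, generatedAlerts, lastAlertTime
```

The cursor loop is preferred over -skip for anything beyond 1000 rules, and over -disablePagination when the tenant is large, because each page stays bounded; -disablePagination is used only for the already narrowed server-side filter, where the result set is small.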
PARAMETERS
-accountIds
List of Account IDs to filter by.
Example: “225494730938493804,225494730938493915”.
Type: Int64[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-activeResponse
Return only rules that have Active Response enabled
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-countOnly
If true, only total number of items will be returned, without any of the actual objects.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-creator__contains
Free-text (substring) filter on the rule creator
Type: String[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-cursor
Cursor position returned by the previous request. Use it to iterate over more than 1000 items, which -skip cannot reach.
Found in the pagination object of the previous response (nextCursor)
Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-description__contains
Free-text (substring) filter on the rule description
Type: String[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-disablePagination
If set, all rules for the requested scope are returned in a single response instead of one page
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-expirationMode
Return rules with the filtered expiration mode.
Allowed values: ‘Permanent’, ‘Temporary’
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-expired
Return only rules that have expired
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-groupIds
List of Group IDs to filter by.
Example: “225494730938493804,225494730938493915”
Type: Int64[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ids
A list of Rule IDs.
Example: “225494730938493804,225494730938493915”.
Type: Int64[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-limit
Limit number of returned items (1-1000).
Type: Int64
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: 0
Accept pipeline input: False
Accept wildcard characters: False
-name__contains
Free-text (substring) filter on the rule name
Type: String[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-query
Free text search on fields name, description, agent_version, os_type, config
Type: String[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-queryType
Return rules with the filtered type.
Allowed values: ‘events’, ‘processes’
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-reachedLimit
Return only rules that have reached their alert limit
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-SentinelOneql__contains
Free-text (substring) filter on the rule's detection query (the S1QL query text)
Type: String[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-scopes
Return rules created at the given scope(s).
Allowed values: ‘account’, ‘global’, ‘group’, ‘site’
Type: String[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-siteIds
List of Site IDs to filter by
Example: “225494730938493804,225494730938493915”.
Type: Int64[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False
-skip
Skip first number of items (0-1000). To iterate over more than 1000 items, use “cursor”.
Example: “150”.
Type: Int64
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: 0
Accept pipeline input: False
Accept wildcard characters: False
-skipCount
If true, total number of items will not be calculated, which speeds up execution time.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-sortBy
Sorts the returned results by a defined value
Allowed values: ‘activeResponse’, ‘createdAt’, ‘description’, ‘expiration’, ‘expirationMode’, ‘expired’, ‘generatedAlerts’, ‘id’, ‘lastAlertTime’, ‘name’, ‘queryType’, ‘reachedLimit’, ‘scope’, ‘scopeHierarchy’, ‘severity’, ‘status’, ‘statusReason’, ‘updatedAt’
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-sortOrder
Sort direction
Allowed values: ‘asc’, ‘desc’
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-status
Return rules with the given status(es).
Allowed values: ‘Activating’, ‘Active’, ‘Deleted’, ‘Deleting’, ‘Disabled’, ‘Disabling’, ‘Draft’
Type: String[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
INPUTS
OUTPUTS
NOTES
As of 2022-11: Cannot fully validate due to permissions