Export-SentinelOneExclusions

SYNOPSIS

Exports a CSV of all items in the Exclusions that match the filter.

SYNTAX

Export-SentinelOneExclusions [-accountIds <String[]>] [-createdAt__between <String>] [-createdAt__gt <DateTime>]
 [-createdAt__gte <DateTime>] [-createdAt__lt <DateTime>] [-createdAt__lte <DateTime>]
 [-description__contains <String[]>] [-groupIds <Int64[]>] [-ids <Int64[]>] [-includeChildren]
 [-includeParents] [-modes <String[]>] [-pathExclusionTypes <String[]>] [-osTypes <String[]>] [-query <String>]
 [-recommendations <String[]>] [-siteIds <Int64[]>] [-source <String[]>] [-tenant] [-type <String>]
 [-types <String[]>] [-unified] [-updatedAt__between <String>] [-updatedAt__gt <DateTime>]
 [-updatedAt__gte <DateTime>] [-updatedAt__lt <DateTime>] [-updatedAt__lte <DateTime>]
 [-user__contains <String[]>] [-userIds <String[]>] [-value <String>] [-value__contains <String[]>]
 [-fileName <String>] [-filePath <String>] [-showReport] [<CommonParameters>]

DESCRIPTION

The Export-SentinelOneExclusions cmdlet exports a CSV of all items in the Exclusions that match the filter.

To see items from the Global Exclusion scope, make sure “tenant” is “true” and no other scope ID is given.

EXAMPLES

EXAMPLE 1

Export-SentinelOneExclusions

If there are fewer than 10k results, it returns a top-level blacklist and saves the results to a CSV in the current working directory.

fileName: blacklists-2022-10-29_105845.csv

EXAMPLE 2

225494730938493804 | Export-SentinelOneExclusions

If there are fewer than 10k results, it returns a blacklist for the defined site and saves the results to a CSV in the current working directory.

fileName: blacklists-2022-10-29_105845.csv

EXAMPLE 3

Export-SentinelOneExclusions -siteIds 225494730938493804  -fileName MyFile -filePath C:\Logs -showReport

If there are fewer than 10k results, it returns a blacklist for the defined site, saves the results to a CSV in the defined directory with the defined name, and opens the location where the file is saved.

fileName: MyFile.csv
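
An added example, not part of the module's own documentation: exclusions define what the agent stops monitoring, so a periodic review of recently created ones is a useful audit step. This sketch builds the `createdAt__between` range string and exports Global-scope, user-created exclusions with the broadest modes; the helper name `ConvertTo-S1BetweenRange` is hypothetical, and the epoch-millisecond format is an assumption based on the 13-digit sample values on this page.

```powershell
# Added example: export user-created Global-scope path exclusions from the last
# 30 days whose mode disables all monitoring, then count them for review.
# Assumption: *__between takes Unix epoch milliseconds (the page's sample
# values are 13 digits long).

function ConvertTo-S1BetweenRange {   # hypothetical helper, not in the module
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [DateTime] $From,
        [Parameter(Mandatory)] [DateTime] $To
    )
    $fromUtc = $From.ToUniversalTime()
    $toUtc   = $To.ToUniversalTime()
    # Guard against a reversed range before building the string
    if ($fromUtc -gt $toUtc) { throw "From ($From) is later than To ($To)." }
    # Format documented on this page: <from_timestamp>-<to_timestamp>, inclusive
    '{0}-{1}' -f ([DateTimeOffset] $fromUtc).ToUnixTimeMilliseconds(),
                 ([DateTimeOffset] $toUtc).ToUnixTimeMilliseconds()
}

$now = Get-Date
$params = @{
    createdAt__between = ConvertTo-S1BetweenRange -From $now.AddDays(-30) -To $now
    modes              = 'disable_all_monitors', 'disable_all_monitors_deep'
    source             = 'user'
    tenant             = $true          # Global scope: no other scope ID is given
    fileName           = 'exclusion-audit'
    filePath           = (Get-Location).Path
}

if (Get-Command Export-SentinelOneExclusions -ErrorAction SilentlyContinue) {
    Export-SentinelOneExclusions @params
    # The cmdlet appends .csv to -fileName (see EXAMPLE 3)
    $csv = Join-Path $params.filePath "$($params.fileName).csv"
    if (Test-Path $csv) {
        $rows = @(Import-Csv -Path $csv)
        '{0} exclusion(s) to review in {1}' -f $rows.Count, $csv
    }
} else {
    # Module not loaded: show the range string that would have been sent
    Write-Warning 'Export-SentinelOneExclusions not found; computed range:'
    $params.createdAt__between
}
```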

PARAMETERS

-accountIds

List of Account IDs to filter by.

Example: “225494730938493804,225494730938493915”.

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-createdAt__between

Date range for creation time (format: <from_timestamp>-<to_timestamp>, inclusive).

Example: “1514978890136-1514978650130”.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-createdAt__gt

Returns exclusions created after this timestamp.

Input is converted to UTC.

Example (format yyyy-MM-ddTHH:mm:ss.ffffffZ): 2018-02-27T04:49:26.257525Z

Type: DateTime
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-createdAt__gte

Returns exclusions created after or at this timestamp.

Input is converted to UTC.

Example (format yyyy-MM-ddTHH:mm:ss.ffffffZ): 2018-02-27T04:49:26.257525Z

Type: DateTime
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-createdAt__lt

Returns exclusions created before this timestamp.

Input is converted to UTC.

Example (format yyyy-MM-ddTHH:mm:ss.ffffffZ): 2018-02-27T04:49:26.257525Z

Type: DateTime
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-createdAt__lte

Returns exclusions created before or at this timestamp.

Input is converted to UTC.

Example (format yyyy-MM-ddTHH:mm:ss.ffffffZ): 2018-02-27T04:49:26.257525Z

Type: DateTime
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-description__contains

Free-text filter by description

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-groupIds

List of Group IDs to filter by.

Example: “225494730938493804,225494730938493915”.

Type: Int64[]
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ids

List of IDs to filter by.

Example: “225494730938493804,225494730938493915”.

Type: Int64[]
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-includeChildren

Return filters from children scope levels

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-includeParents

Return filters from parent scope levels

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-modes

List of modes to filter by (Path exclusions only).

Allowed values: ‘disable_all_monitors’, ‘disable_all_monitors_deep’, ‘disable_in_process_monitor’, ‘disable_in_process_monitor_deep’, ‘suppress’, ‘suppress_app_control’, ‘suppress_dfi_only’, ‘suppress_dynamic_only’

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-pathExclusionTypes

List of excluded paths in an exclusion (Path exclusions only).

Allowed values: ‘file’, ‘folder’, ‘subfolder’

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-osTypes

List of OS types to filter by.

Allowed values: ‘linux’, ‘macos’, ‘windows’, ‘windows_legacy’

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-query

A free-text search term; matches applicable attributes.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-recommendations

List of recommendations to filter by.

Allowed values: ‘None’, ‘Not allowed’, ‘Not recommended’

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-siteIds

List of Site IDs to filter by.

Example: “225494730938493804,225494730938493915”

Type: Int64[]
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False

-source

List of sources to filter by.

Allowed values: ‘action_from_threat’, ‘catalog’, ‘cloud’, ‘user’

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-tenant

Indicates a tenant scope request

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-type

Type

Allowed values: ‘black_hash’

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-types

Type

Allowed values: ‘black_hash’

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-unified

Unified

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-updatedAt__between

Date range for update time (format: <from_timestamp>-<to_timestamp>, inclusive).

Example: “1514978890136-1514978650130”.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-updatedAt__gt

Returns exclusions updated after this timestamp.

Input is converted to UTC.

Example (format yyyy-MM-ddTHH:mm:ss.ffffffZ): 2018-02-27T04:49:26.257525Z

Type: DateTime
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-updatedAt__gte

Returns exclusions updated after or at this timestamp.

Input is converted to UTC.

Example (format yyyy-MM-ddTHH:mm:ss.ffffffZ): 2018-02-27T04:49:26.257525Z

Type: DateTime
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-updatedAt__lt

Returns exclusions updated before this timestamp.

Input is converted to UTC.

Example (format yyyy-MM-ddTHH:mm:ss.ffffffZ): 2018-02-27T04:49:26.257525Z

Type: DateTime
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-updatedAt__lte

Returns exclusions updated before or at this timestamp.

Input is converted to UTC.

Example (format yyyy-MM-ddTHH:mm:ss.ffffffZ): 2018-02-27T04:49:26.257525Z

Type: DateTime
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-user__contains

Free-text filter by user name

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-userIds

List of user ids to filter by.

Example: “225494730938493804,225494730938493915”.

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-value

value

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-value__contains

Free-text filter by value

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-fileName

Name of the file

Example: ‘MyAgents-2022’

The default name format is ‘exclusions-yyyy-MM-dd_HHmmss’

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: "exclusions-$( Get-date -Format 'yyyy-MM-dd_HHmmss' )"
Accept pipeline input: False
Accept wildcard characters: False

-filePath

The location to save the file to

Example: ‘C:\Logs’

The default save location is the current working directory

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: $( (Get-Location).Path )
Accept pipeline input: False
Accept wildcard characters: False

-showReport

Open the location where the file was saved to

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

NOTES

N/A

https://celerium.github.io/SentinelOne-PowerShellWrapper/site/ExclusionsAndBlacklist/Export-SentinelOneExclusions.html