API Coverage.md

This document is an attempt to map the SentinelOne API documentation to the related PS-SentinelOne command syntax.

This documentation is still in progress.

Accounts

Create Account

Not Planned / Supported. Requires Global or Support permissions

Expire an Account

Not Planned / Supported. Requires Global or Support permissions

Generate/Regenerate Uninstall Password

Not Planned / Supported. Requires a ticket with Support to enable.

Get Account by ID

Get-S1Account -AccountID <id>

Get Accounts

Get-S1Account -Name <string> -AccountID <string[]> -Count <int> -SortBy {accountType | activeAgents | createdAt | expiration | id | name | numberOfSites | state | updatedAt} -SortOrder {asc | desc} -CountOnly

Get Uninstall Password

Not Planned / Supported. Seems to require Global or Support Permissions. Documentation doesn't specify.

Get Uninstall Password Metadata

Not Planned / Supported. Seems to require Global or Support Permissions. Documentation doesn't specify.

Reactivate Account

Not Planned / Supported. Requires Global or Support permissions

Revert Policy

Not Planned / Supported.

Revoke Uninstall Password

Not Planned / Supported.

Update Account

Not Planned / Supported. Requires Global or Support permissions

Activities

Get Activities

Get-S1Activity

Get Activity Types

Get-S1ActivityType

Last activity as Syslog message

Not currently supported. May be added in the future.

Agent Actions

Abort Scan

Invoke-S1AgentAction -AgentID <String[]> -AbortScan

Approve Uninstall

Invoke-S1AgentAction -AgentID <String[]> -ApproveUninstall

Broadcast Message

Invoke-S1AgentAction -AgentID <String[]> -SendMessage <String>

Can run Remote Shell

Invoke-S1AgentAction -AgentID <String[]> -CanRunRemoteShell

Connect to Network

Invoke-S1AgentAction -AgentID <String[]> -ConnectToNetwork

Decommission

Invoke-S1AgentAction -AgentID <String[]> -Decommission

Disable Agent

Invoke-S1AgentAction -AgentID <String[]> -DisableAgent

Disable Ranger

Invoke-S1AgentAction -AgentID <String[]> -DisableRanger

Disconnect from Network

Invoke-S1AgentAction -AgentID <String[]> -DisconnectFromNetwork

Enable Agent

Invoke-S1AgentAction -AgentID <String[]> -EnableAgent

Enable Ranger

Invoke-S1AgentAction -AgentID <String[]> -EnableRanger

Fetch Files

Invoke-S1FetchFile -AgentID <String> -FilePath <String[]> -Password <String>
Invoke-S1FetchFile -Agent <agent_id> -FilePath "/path/to/file", "C:\path\to\file" -Password "SuperSecretPassword"

Fetch Firewall Logs

Invoke-S1AgentAction -Agent <agent_id> -FetchFirewallLogs -ReportLocal <boolean> -ReportManagement <boolean>

Fetch Firewall Rules

The documentation currently mentions only the "native" format and the "initial" state.

Invoke-S1AgentAction -Agent <agent_id> -FetchFirewallRules -FirewallRuleFormat "native" -FirewallRuleState "initial"

Fetch Logs

Invoke-S1AgentAction -Agent <agent_id> -FetchLogs -PlatformLogs $true -AgentLogs $true -CustomerFacingLogs $true

Get Applications

Invoke-S1AgentAction -Agent <agent_id> -GetApplications

Initiate Scan

Invoke-S1AgentAction -Agent <agent_id> -Scan

Mark as up-to-date

Invoke-S1AgentAction -Agent <agent_id> -MarkAsUpToDate

Move between Sites

Invoke-S1AgentAction -Agent <agent_id> -MoveToSite -SiteID <site_id>

Move to Console

Invoke-S1AgentAction -Agent <agent_id> -MoveToConsole -ConsoleSiteToken <console_site_token>

Randomize UUID

Invoke-S1AgentAction -Agent <agent_id> -RandomizeUUID

Reject Uninstall

Invoke-S1AgentAction -Agent <agent_id> -RejectUninstall

Reset Local Config

Invoke-S1AgentAction -Agent <agent_id> -ResetLocalConfig

Restart

Invoke-S1AgentAction -Agent <agent_id> -Restart

Set External ID

Invoke-S1AgentAction -Agent <agent_id> -SetExternalID <external_id>

Set Persistent Configuration Overrides

Not Planned / Supported. Requires Global or Support permissions

Shutdown

Invoke-S1AgentAction -Agent <agent_id> -Shutdown

Start Remote Profiling

Invoke-S1AgentAction -Agent <agent_id> -StartRemoteProfiling -TimeoutInSeconds 60

Start Remote Shell

Not yet implemented

Stop Remote Profiling

Invoke-S1AgentAction -Agent <agent_id> -StopRemoteProfiling

Terminate Remote Shell

Not yet implemented

Uninstall

Invoke-S1AgentAction -Agent <agent_id> -Uninstall

Update Software

Invoke-S1AgentAction -AgentID $Agent.id -UpdateSoftware -PackageID $Package.id -UpdateTiming immediately

Agent Support Actions

Clear Remote Shell

Not yet implemented

Agents

Applications

Get-S1Application -AgentID <agent_id>

Count Agents

Not yet implemented

Export Agent Logs

Not yet implemented

Export Agents

Not yet implemented

Get Agents

Get-S1Agent -Name <String> -ScanStatus <String[]> -MachineType <String[]> -OSType <String[]> -MitigationMode <String> -Infected <String> -AppVulnerabilityStatus <String[]> -IsPendingUninstall <String> -IsUninstalled <String> -IsDecommissioned <String> -ADQuery <String[]> -Domain <String[]> -LocalIP <String[]> -AgentID <String[]> -GroupID <String[]> -SiteID <String[]> -AccountID <String[]>

Get Passphrase

Get-S1Passphrase

Processes

Not implemented. Labeled as obsolete

Application Inventory

Counters

Not implemented. Labeled as deprecated.

Grouped App inventory

Not implemented. Labeled as deprecated.

Application Risk

Export Applications

Not implemented

Get Applications

Get-S1Application -ApplicationName <String[]> -ApplicationID <String[]> -GroupID <String[]> -SiteID <String[]> -AccountID <String[]> -RiskLevel <String[]> -ApplicationType <String[]> -OS <String[]> -MachineType <String[]> -Decommissioned <String>

Get CVEs

Not implemented

Config Overrides
Custom Detection Rule
Deep Visibility
Device Control
Exclusions and Blacklist
Filters
Firewall Control
Forensics
Gateways
Groups
Hashes
Locations
Network Quarantine Control
Policies
RBAC
Ranger
Reports
Rogues
Settings
Sites
System

Cache Status

Get-S1System -CacheStatus

Database Status

Get-S1System -DatabaseStatus

Get System Config

Not implemented

Set System Config

Not implemented

System Info

Get-S1System -Info

System Status

Get-S1System -Status

Tags
Threat Notes
Threats
Updates

Delete Packages

Not currently supported.

Deploy System Package

Not currently supported.

Download Agent Package

Not currently supported. Labeled as Deprecated.

Download Package

Get Latest Packages

Available options:

Get-S1Package -OSType <String[]> -Status <String[]> -PackageType <String> -FileExtension <String> -Query <String> -Version <String> -PackageID <String[]> -AccountID <String[]> -SiteID <String[]>

Specific example:

Get-S1Package -Status ga -OSType windows -FileExtension .exe -Version "4.6.12.241" -Query "64bit"

Latest Packages by OS

Not currently supported. Labeled as Deprecated.

Update package

Not currently supported.

Upload Agent Package

Not currently supported.

Upload System Package

Not currently supported.

Users
Alerts
Tasks_Configurations