Resources/Activities-GET.ps1

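function Export-S1Activities {
<#
    .SYNOPSIS
        Exports the activities, and their data, that match the filters.

    .DESCRIPTION
        The Export-S1Activities cmdlet exports the activities, and their data, that match the filters
        to a CSV file.

        Recommend that you set some values for the filters. The full list will be too large to be useful.

        The API token is read with Get-S1APIKey, placed in the shared header table only for the
        duration of the request, and removed again in a finally block so it does not linger in the
        module-level headers between calls.

    .PARAMETER accountIds
        Returns accounts under the defined ids

    .PARAMETER activityTypes
        Returns only the defined activity codes (comma-separated list).

        Select a code from the drop-down, or see the id field from the Get activity types command.

        Example: "52,53,71,72".

    .PARAMETER activityUuids
        Returns activities by specific activity UUIDs.

        Example: "a2c8037c-e6df-436d-b92b-bc09a418717e,f15b308b-fab9-4c0b-b6f5-17d236a7bf55".

    .PARAMETER agentIds
        Returns activities related to specified agents.

        Example: "225494730938493804,225494730938493915"

    .PARAMETER alertIds
        Returns activities related to specified alerts.

        Example: "225494730938493804,225494730938493915"

    .PARAMETER createdAt__between
        Returns activities created in the range of a start timestamp and an end timestamp.

        Example: "1514978764288-1514978999999"

    .PARAMETER createdAt__gt
        Returns activities created after this timestamp.

        Inputted data is converted to UTC time

        Example:
        yyyy-MM-ddTHH:mm:ss.ffffffZ
        2018-02-27T04:49:26.257525Z

    .PARAMETER createdAt__gte
        Returns activities created after or at this timestamp.

        Inputted data is converted to UTC time

        Example:
        yyyy-MM-ddTHH:mm:ss.ffffffZ
        2018-02-27T04:49:26.257525Z

    .PARAMETER createdAt__lt
        Returns activities created before this timestamp.

        Inputted data is converted to UTC time

        Example:
        yyyy-MM-ddTHH:mm:ss.ffffffZ
        2018-02-27T04:49:26.257525Z

    .PARAMETER createdAt__lte
        Returns activities created before or at this timestamp.

        Inputted data is converted to UTC time

        Example:
        yyyy-MM-ddTHH:mm:ss.ffffffZ
        2018-02-27T04:49:26.257525Z

    .PARAMETER groupIds
        List of Group IDs to filter by.

        Example: "225494730938493804,225494730938493915"

    .PARAMETER ids
        Filter activities by specific activity IDs.

        Example: "225494730938493804,225494730938493915"

    .PARAMETER includeHidden
        Include internal activities hidden from display.

    .PARAMETER rowsLimit
        Limit number of returned items (1-10000).

    .PARAMETER ruleIds
        Returns activities related to specified rules

    .PARAMETER siteIds
        List of Site IDs to filter by

        Example: "225494730938493804,225494730938493915".

    .PARAMETER threatIds
        Returns activities related to specified threats

        Example: "225494730938493804,225494730938493915".

    .PARAMETER userEmails
        Using the defined email addresses this returns the user who invoked the activity (If applicable)

    .PARAMETER userIds
        Using the defined userIds this returns the user who invoked the activity (If applicable).

        Example: "225494730938493804,225494730938493915".

    .PARAMETER fileName
        Name of the file (without the .csv extension)

        Example: 'MyActivities-2022'

        The default name format is 'activities-yyyy-MM-dd_HHmmss'

    .PARAMETER filePath
        The location to save the file to. The directory is created if it does not exist.

        Example: 'C:\Logs'

        The default save location is the current working directory

    .PARAMETER showReport
        Open the location where the file was saved to

    .EXAMPLE
        Export-S1Activities

        Returns the last 100 activities and saves the results to a CSV in the current working directory

    .EXAMPLE
        Export-S1Activities -accountIds 1234567890

        Returns the account matching the defined accountId value and saves the results to a CSV in the current working directory

    .EXAMPLE
        Export-S1Activities -activityTypes 133

        Returns failed login attempts and saves the results to a CSV in the current working directory

    .EXAMPLE
        Export-S1Activities -userEmails someuser@somesite.xyz

        Returns activities for the accounts matching the entered address and saves the results to a CSV in the current working directory

        Data is sorted by createdAt (Oldest to Newest)

    .EXAMPLE
        Export-S1Activities -createdAt__gte '2022-02-27T04:49:26.257525Z'

        Returns activities created after or at this timestamp.

    .EXAMPLE
        Export-S1Activities -siteIds 1234567890,0987654321 -fileName MySites -filePath C:\Logs -showReport

        Returns the activities for the sites with the matching ids, saves the CSV file in the defined directory
        with the defined name and opens the location where the file is saved.

    .NOTES
        N\A

    .LINK
        https://celerium.github.io/SentinelOne-PowerShellWrapper/site/Activities/Export-S1Activities.html

#>


    [CmdletBinding( DefaultParameterSetName = 'index' )]
    Param (
        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$accountIds,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$activityTypes,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$activityUuids,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$agentIds,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$alertIds,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String]$createdAt__between,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [DateTime]$createdAt__gt,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [DateTime]$createdAt__gte,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [DateTime]$createdAt__lt,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [DateTime]$createdAt__lte,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$groupIds,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$ids,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [Switch]$includeHidden,

        # Range matches the documented API limit so bad values fail locally instead of at the API
        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateRange(1, 10000)]
        [Int64]$rowsLimit,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$ruleIds,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$siteIds,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$threatIds,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String]$userEmails,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$userIds,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String]$fileName = "activities-$( Get-Date -Format 'yyyy-MM-dd_HHmmss' )",

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String]$filePath = $( (Get-Location).Path ),

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [Switch]$showReport
    )

    process{

        Write-Verbose "Running the [ $($PSCmdlet.ParameterSetName) ] parameterSet"

        Switch ($PSCmdlet.ParameterSetName){
            'index'         {$resource_uri = "/export/activities"}
        }

        # Common parameters and the local file-handling parameters are never sent to the API
        $excludedParameters =   'Debug','ErrorAction','ErrorVariable','InformationAction',
                                'InformationVariable','OutBuffer','OutVariable','PipelineVariable',
                                'Verbose','WarningAction','WarningVariable',
                                'fileName','filePath','showReport'

        # Query-string parameters, built from every bound (non-excluded) parameter
        $body = @{}

        if ($PSCmdlet.ParameterSetName -eq 'index') {

            ForEach ( $Key in $PSBoundParameters.GetEnumerator() ){

                if ( $excludedParameters -contains $Key.Key ){ continue }

                if ( $Key.Value -is [Array] ){
                    # Multi-value filters are sent as one comma-separated string
                    Write-Verbose "[ $($Key.Key) ] is an array parameter"
                    $body[$Key.Key] = $Key.Value -join ','
                }
                elseif ( $Key.Value -is [DateTime] ){
                    # Timestamps are sent as UTC in the format the API documents
                    Write-Verbose "[ $($Key.Key) ] is a dateTime parameter"
                    $universalTime = $Key.Value.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.ffffffZ')

                    Write-Verbose "Converting [ $($Key.Value) ] to [ $universalTime ]"
                    $body[$Key.Key] = $universalTime
                }
                else{
                    $body[$Key.Key] = $Key.Value
                }

            }

        }

        # Join-Path copes with trailing separators and is not tied to the Windows '\' separator
        $fileOutput = Join-Path -Path $filePath -ChildPath "$fileName.csv"

        try {

            if ( -not (Test-Path -Path $filePath -PathType Container) ){
                New-Item -Path $filePath -ItemType Directory > $null
            }

            # Indexer assignment (unlike .Add) cannot throw if a stale Authorization header is still present
            $ApiToken = Get-S1APIKey -PlainText
            $S1_Headers['Authorization'] = "ApiToken $ApiToken"

            Invoke-RestMethod -Method Get -Uri ( $S1_Base_URI + $resource_uri ) -Headers $S1_Headers -Body $body -OutFile $fileOutput `
                -ErrorAction Stop

        } catch {
            Write-Error $_
        } finally {
            # Always strip the token from the shared header table, even when the request failed
            [void] ( $S1_Headers.Remove('Authorization') )
        }

        if (Test-Path -Path $fileOutput -PathType Leaf){

            Write-Verbose "[ $($fileName) ] was saved to [ $($filePath) ]"

            if ($showReport){
                Invoke-Item -Path $filePath
            }

        }
        else{Write-Warning "[ $($fileName) ] was not saved to [ $($filePath) ]"}

    }

}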



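function Get-S1Activities {
<#
    .SYNOPSIS
        Get the activities, and their data, that match the filters.

    .DESCRIPTION
        The Get-S1Activities cmdlet gets the activities, and their data, that match the filters.

        Recommend that you set some values for the filters. The full list will be too large to be useful.

        The API token is read with Get-S1APIKey, placed in the shared header table only for the
        duration of the request, and removed again in a finally block so it does not linger in the
        module-level headers between calls.

    .PARAMETER accountIds
        Returns accounts under the defined ids

        Accepts pipeline input.

    .PARAMETER activityTypes
        Returns only the defined activity codes (comma-separated list).

        Select a code from the drop-down, or see the id field from the Get activity types command.

        Example: "52,53,71,72".

    .PARAMETER activityUuids
        Returns activities by specific activity UUIDs.

        Example: "a2c8037c-e6df-436d-b92b-bc09a418717e,f15b308b-fab9-4c0b-b6f5-17d236a7bf55".

    .PARAMETER agentIds
        Returns activities related to specified agents.

        Example: "225494730938493804,225494730938493915"

    .PARAMETER alertIds
        Returns activities related to specified alerts.

        Example: "225494730938493804,225494730938493915"

    .PARAMETER countOnly
        If true, only total number of items will be returned, without any of the actual objects.

    .PARAMETER createdAt__between
        Returns activities created in the range of a start timestamp and an end timestamp.

        Example: "1514978764288-1514978999999"

    .PARAMETER createdAt__gt
        Returns activities created after this timestamp.

        Inputted data is converted to UTC time

        Example:
        yyyy-MM-ddTHH:mm:ss.ffffffZ
        2018-02-27T04:49:26.257525Z

    .PARAMETER createdAt__gte
        Returns activities created after or at this timestamp.

        Inputted data is converted to UTC time

        Example:
        yyyy-MM-ddTHH:mm:ss.ffffffZ
        2018-02-27T04:49:26.257525Z

    .PARAMETER createdAt__lt
        Returns activities created before this timestamp.

        Inputted data is converted to UTC time

        Example:
        yyyy-MM-ddTHH:mm:ss.ffffffZ
        2018-02-27T04:49:26.257525Z

    .PARAMETER createdAt__lte
        Returns activities created before or at this timestamp.

        Inputted data is converted to UTC time

        Example:
        yyyy-MM-ddTHH:mm:ss.ffffffZ
        2018-02-27T04:49:26.257525Z

    .PARAMETER cursor
        Cursor position returned by the last request. Use to iterate over more than 1000 items.

        Found under pagination

        Example: "YWdlbnRfaWQ6NTgwMjkzODE=".

    .PARAMETER groupIds
        List of Group IDs to filter by.

        Example: "225494730938493804,225494730938493915"

    .PARAMETER ids
        Filter activities by specific activity IDs.

        Example: "225494730938493804,225494730938493915"

    .PARAMETER includeHidden
        Include internal activities hidden from display.

    .PARAMETER limit
        Limit number of returned items (1-1000).

    .PARAMETER ruleIds
        Returns activities related to specified rules

    .PARAMETER siteIds
        List of Site IDs to filter by

        Example: "225494730938493804,225494730938493915".

    .PARAMETER skip
        Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor".

        Example: "150".

    .PARAMETER skipCount
        If true, total number of items will not be calculated, which speeds up execution time.

    .PARAMETER sortBy
        Sorts the returned results by a defined value

        Allowed values:
        'activityType', 'createdAt', 'id'

    .PARAMETER sortOrder
        Sort direction

        Allowed values:
        'asc', 'desc'

    .PARAMETER threatIds
        Returns activities related to specified threats

        Example: "225494730938493804,225494730938493915".

    .PARAMETER typesOnly
        Returns a list of activity types

        This is useful to see valid values to filter activities in other commands.

    .PARAMETER userEmails
        Using the defined email addresses this returns the user who invoked the activity (If applicable)

    .PARAMETER userIds
        Using the defined userIds this returns the user who invoked the activity (If applicable).

        Example: "225494730938493804,225494730938493915".

    .EXAMPLE
        Get-S1Activities

        Returns the first 10 and data is sorted by their created at date. (Oldest > Newest)

    .EXAMPLE
        Get-S1Activities -accountIds 1234567890

        Returns the account matching the defined accountId value

    .EXAMPLE
        1234567890 | Get-S1Activities

        Returns the account matching the defined accountId value

    .EXAMPLE
        Get-S1Activities -activityTypes 133 -sortBy createdAt -sortOrder desc

        Returns failed login attempts

        Data is sorted by createdAt (Newest to Oldest)

    .EXAMPLE
        Get-S1Activities -userEmails someuser@somesite.xyz

        Returns activities for the accounts matching the entered address

        Data is sorted by createdAt (Oldest to Newest)

    .EXAMPLE
        Get-S1Activities -createdAt__gte '2022-02-27T04:49:26.257525Z'

        Returns activities created after or at this timestamp.

    .EXAMPLE
        Get-S1Activities -cursor 'YWdlbnRfaWQ6NTgwMjkzODE='

        Returns data after the first 10 results

        The cursor value can be found under pagination

    .NOTES
        N\A

    .LINK
        https://celerium.github.io/SentinelOne-PowerShellWrapper/site/Activities/Get-S1Activities.html

#>


    [CmdletBinding( DefaultParameterSetName = 'index' )]
    Param (
        # ValueFromPipeline makes the documented "1234567890 | Get-S1Activities" example work
        [Parameter( Mandatory = $false, ValueFromPipeline = $true, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$accountIds,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$activityTypes,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$activityUuids,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$agentIds,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$alertIds,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [Switch]$countOnly,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String]$createdAt__between,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [DateTime]$createdAt__gt,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [DateTime]$createdAt__gte,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [DateTime]$createdAt__lt,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [DateTime]$createdAt__lte,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String]$cursor,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$groupIds,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$ids,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [Switch]$includeHidden,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateRange(1, 1000)]
        [Int64]$limit,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$ruleIds,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$siteIds,

        # Lower bound is 0 to match the documented range for this parameter
        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateRange(0, 1000)]
        [Int64]$skip,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [Switch]$skipCount,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateSet( 'activityType', 'createdAt', 'id' )]
        [String]$sortBy,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateSet( 'asc', 'desc' )]
        [String]$sortOrder,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$threatIds,

        [Parameter( Mandatory = $false, ParameterSetName = 'indexByType' )]
        [Switch]$typesOnly,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String]$userEmails,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$userIds
    )

    process{

        Write-Verbose "Running the [ $($PSCmdlet.ParameterSetName) ] parameterSet"

        Switch ($PSCmdlet.ParameterSetName){
            'index'         {$resource_uri = "/activities"}
            'indexByType'   {$resource_uri = "/activities/types"}
        }

        # Common parameters are never sent to the API
        $excludedParameters =   'Debug','ErrorAction','ErrorVariable','InformationAction',
                                'InformationVariable','OutBuffer','OutVariable','PipelineVariable',
                                'Verbose','WarningAction','WarningVariable'

        # Query-string parameters, built from every bound (non-excluded) parameter
        $body = @{}

        if ($PSCmdlet.ParameterSetName -eq 'index') {

            ForEach ( $Key in $PSBoundParameters.GetEnumerator() ){

                if ( $excludedParameters -contains $Key.Key ){ continue }

                if ( $Key.Value -is [Array] ){
                    # Multi-value filters are sent as one comma-separated string
                    Write-Verbose "[ $($Key.Key) ] is an array parameter"
                    $body[$Key.Key] = $Key.Value -join ','
                }
                elseif ( $Key.Value -is [DateTime] ){
                    # Timestamps are sent as UTC in the format the API documents
                    Write-Verbose "[ $($Key.Key) ] is a dateTime parameter"
                    $universalTime = $Key.Value.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.ffffffZ')

                    Write-Verbose "Converting [ $($Key.Value) ] to [ $universalTime ]"
                    $body[$Key.Key] = $universalTime
                }
                else{
                    $body[$Key.Key] = $Key.Value
                }

            }

        }

        # Initialised up front so a failed request returns $null rather than an undefined variable
        $rest_output = $null

        try {
            # Indexer assignment (unlike .Add) cannot throw if a stale Authorization header is still present
            $ApiToken = Get-S1APIKey -PlainText
            $S1_Headers['Authorization'] = "ApiToken $ApiToken"

            $rest_output = Invoke-RestMethod -Method Get -Uri ( $S1_Base_URI + $resource_uri ) -Headers $S1_Headers -Body $body -ErrorAction Stop
        } catch {
            Write-Error $_
        } finally {
            # Always strip the token from the shared header table, even when the request failed
            [void] ( $S1_Headers.Remove('Authorization') )
        }

        return $rest_output

    }

}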



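function Get-S1ActivitiesAsSyslog {
<#
    .SYNOPSIS
        Get the activities, and their data as Syslog, that match the filters.

    .DESCRIPTION
        The Get-S1ActivitiesAsSyslog cmdlet gets the activities, and their data as Syslog, that match the filters.

        Recommend that you set some values for the filters. The full list will be too large to be useful.

        Per S1 - This is not intended for production purposes.

        The API token is read with Get-S1APIKey, placed in the shared header table only for the
        duration of the request, and removed again in a finally block so it does not linger in the
        module-level headers between calls.

    .PARAMETER accountIds
        Returns accounts under the defined ids

        Accepts pipeline input.

    .PARAMETER activityTypes
        Returns only the defined activity codes (comma-separated list).

        Select a code from the drop-down, or see the id field from the Get activity types command.

        Example: "52,53,71,72".

    .PARAMETER activityUuids
        Returns activities by specific activity UUIDs.

        Example: "a2c8037c-e6df-436d-b92b-bc09a418717e,f15b308b-fab9-4c0b-b6f5-17d236a7bf55".

    .PARAMETER agentIds
        Returns activities related to specified agents.

        Example: "225494730938493804,225494730938493915"

    .PARAMETER alertIds
        Returns activities related to specified alerts.

        Example: "225494730938493804,225494730938493915"

    .PARAMETER countOnly
        If true, only total number of items will be returned, without any of the actual objects.

    .PARAMETER createdAt__between
        Returns activities created in the range of a start timestamp and an end timestamp.

        Example: "1514978764288-1514978999999"

    .PARAMETER createdAt__gt
        Returns activities created after this timestamp.

        Inputted data is converted to UTC time

        Example:
        yyyy-MM-ddTHH:mm:ss.ffffffZ
        2018-02-27T04:49:26.257525Z

    .PARAMETER createdAt__gte
        Returns activities created after or at this timestamp.

        Inputted data is converted to UTC time

        Example:
        yyyy-MM-ddTHH:mm:ss.ffffffZ
        2018-02-27T04:49:26.257525Z

    .PARAMETER createdAt__lt
        Returns activities created before this timestamp.

        Inputted data is converted to UTC time

        Example:
        yyyy-MM-ddTHH:mm:ss.ffffffZ
        2018-02-27T04:49:26.257525Z

    .PARAMETER createdAt__lte
        Returns activities created before or at this timestamp.

        Inputted data is converted to UTC time

        Example:
        yyyy-MM-ddTHH:mm:ss.ffffffZ
        2018-02-27T04:49:26.257525Z

    .PARAMETER cursor
        Cursor position returned by the last request. Use to iterate over more than 1000 items.

        Found under pagination

        Example: "YWdlbnRfaWQ6NTgwMjkzODE=".

    .PARAMETER groupIds
        List of Group IDs to filter by.

        Example: "225494730938493804,225494730938493915"

    .PARAMETER ids
        Filter activities by specific activity IDs.

        Example: "225494730938493804,225494730938493915"

    .PARAMETER includeHidden
        Include internal activities hidden from display.

    .PARAMETER limit
        Limit number of returned items (1-10000).

    .PARAMETER ruleIds
        Returns activities related to specified rules

    .PARAMETER siteIds
        List of Site IDs to filter by

        Example: "225494730938493804,225494730938493915".

    .PARAMETER skip
        Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor".

        Example: "150".

    .PARAMETER skipCount
        If true, total number of items will not be calculated, which speeds up execution time.

    .PARAMETER sortBy
        Sorts the returned results by a defined value

        Allowed values:
        'activityType', 'createdAt', 'id'

    .PARAMETER sortOrder
        Sort direction

        Allowed values:
        'asc', 'desc'

    .PARAMETER threatIds
        Returns activities related to specified threats

        Example: "225494730938493804,225494730938493915".

    .PARAMETER typesOnly
        Returns a list of activity types

        This is useful to see valid values to filter activities in other commands.

    .PARAMETER userEmails
        Using the defined email addresses this returns the user who invoked the activity (If applicable)

    .PARAMETER userIds
        Using the defined userIds this returns the user who invoked the activity (If applicable).

        Example: "225494730938493804,225494730938493915".

    .EXAMPLE
        Get-S1ActivitiesAsSyslog

        Returns the first 10 and data is sorted by their created at date. (Oldest > Newest)

    .EXAMPLE
        Get-S1ActivitiesAsSyslog -accountIds 1234567890

        Returns the account matching the defined accountId value

    .EXAMPLE
        1234567890 | Get-S1ActivitiesAsSyslog

        Returns the account matching the defined accountId value

    .EXAMPLE
        Get-S1ActivitiesAsSyslog -activityTypes 133 -sortBy createdAt -sortOrder desc

        Returns failed login attempts

        Data is sorted by createdAt (Newest to Oldest)

    .EXAMPLE
        Get-S1ActivitiesAsSyslog -userEmails someuser@somesite.xyz

        Returns activities for the accounts matching the entered address

        Data is sorted by createdAt (Oldest to Newest)

    .EXAMPLE
        Get-S1ActivitiesAsSyslog -createdAt__gte '2022-02-27T04:49:26.257525Z'

        Returns activities created after or at this timestamp.

    .EXAMPLE
        Get-S1ActivitiesAsSyslog -cursor 'YWdlbnRfaWQ6NTgwMjkzODE='

        Returns data after the first 10 results

        The cursor value can be found under pagination

    .NOTES
        2022-10: Cannot validate as no scope has syslog enabled at the present time

    .LINK
        https://celerium.github.io/SentinelOne-PowerShellWrapper/site/Activities/Get-S1ActivitiesAsSyslog.html

#>


    [CmdletBinding( DefaultParameterSetName = 'index' )]
    Param (
        # ValueFromPipeline makes the documented "1234567890 | Get-S1ActivitiesAsSyslog" example work
        [Parameter( Mandatory = $false, ValueFromPipeline = $true, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$accountIds,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$activityTypes,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$activityUuids,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$agentIds,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$alertIds,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [Switch]$countOnly,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String]$createdAt__between,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [DateTime]$createdAt__gt,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [DateTime]$createdAt__gte,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [DateTime]$createdAt__lt,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [DateTime]$createdAt__lte,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String]$cursor,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$groupIds,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$ids,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [Switch]$includeHidden,

        # Range matches the documented API limit so bad values fail locally instead of at the API
        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateRange(1, 10000)]
        [Int64]$limit,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$ruleIds,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$siteIds,

        # Lower bound is 0 to match the documented range for this parameter
        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateRange(0, 1000)]
        [Int64]$skip,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [Switch]$skipCount,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateSet( 'activityType', 'createdAt', 'id' )]
        [String]$sortBy,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateSet( 'asc', 'desc' )]
        [String]$sortOrder,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$threatIds,

        [Parameter( Mandatory = $false, ParameterSetName = 'indexByType' )]
        [Switch]$typesOnly,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String]$userEmails,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$userIds
    )

    process{

        Write-Verbose "Running the [ $($PSCmdlet.ParameterSetName) ] parameterSet"

        Switch ($PSCmdlet.ParameterSetName){
            'index'         {$resource_uri = "/last-activity-as-syslog"}
            'indexByType'   {$resource_uri = "/activities/types"}
        }

        # Common parameters are never sent to the API
        $excludedParameters =   'Debug','ErrorAction','ErrorVariable','InformationAction',
                                'InformationVariable','OutBuffer','OutVariable','PipelineVariable',
                                'Verbose','WarningAction','WarningVariable'

        # Query-string parameters, built from every bound (non-excluded) parameter
        $body = @{}

        if ($PSCmdlet.ParameterSetName -eq 'index') {

            ForEach ( $Key in $PSBoundParameters.GetEnumerator() ){

                if ( $excludedParameters -contains $Key.Key ){ continue }

                if ( $Key.Value -is [Array] ){
                    # Multi-value filters are sent as one comma-separated string
                    Write-Verbose "[ $($Key.Key) ] is an array parameter"
                    $body[$Key.Key] = $Key.Value -join ','
                }
                elseif ( $Key.Value -is [DateTime] ){
                    # Timestamps are sent as UTC in the format the API documents
                    Write-Verbose "[ $($Key.Key) ] is a dateTime parameter"
                    $universalTime = $Key.Value.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.ffffffZ')

                    Write-Verbose "Converting [ $($Key.Value) ] to [ $universalTime ]"
                    $body[$Key.Key] = $universalTime
                }
                else{
                    $body[$Key.Key] = $Key.Value
                }

            }

        }

        # Initialised up front so a failed request returns $null rather than an undefined variable
        $rest_output = $null

        try {
            # Indexer assignment (unlike .Add) cannot throw if a stale Authorization header is still present
            $ApiToken = Get-S1APIKey -PlainText
            $S1_Headers['Authorization'] = "ApiToken $ApiToken"

            $rest_output = Invoke-RestMethod -Method Get -Uri ( $S1_Base_URI + $resource_uri ) -Headers $S1_Headers -Body $body -ErrorAction Stop
        } catch {
            Write-Error $_
        } finally {
            # Always strip the token from the shared header table, even when the request failed
            [void] ( $S1_Headers.Remove('Authorization') )
        }

        return $rest_output

    }

}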