Resources/Alerts-GET.ps1

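function Get-S1Alerts {
<#
    .SYNOPSIS
        Get a list of alerts for a given scope
 
    .DESCRIPTION
        The Get-S1Alerts cmdlet gets a list of alerts for a given scope

        Every bound parameter (other than the PowerShell common parameters) is passed
        to the /cloud-detection/alerts endpoint as a query-string filter. Array values
        are joined with commas and DateTime values are converted to UTC before being sent.
 
    .PARAMETER accountIds
        List of Account IDs to filter by.
 
        Example: "225494730938493804,225494730938493915".
 
    .PARAMETER analystVerdict__in
        Filter alerts by analyst verdict.
 
        Allowed values:
        'FALSE_POSITIVE', 'SUSPICIOUS', 'TRUE_POSITIVE', 'UNDEFINED'
 
    .PARAMETER containerImageName__contains
        Free-text filter by the endpoint container image name.
 
    .PARAMETER containerLabels__contains
        Free-text filter by the endpoint container labels.
 
    .PARAMETER containerName__contains
        Free-text filter by the endpoint container name.
 
    .PARAMETER countOnly
        If true, only total number of items will be returned, without any of the actual objects.
 
    .PARAMETER createdAt__gt
        Returns alerts created after this timestamp.
 
        Inputted data is converted to UTC time
 
        Example:
        yyyy-MM-ddTHH:mm:ss.ffffffZ
        2018-02-27T04:49:26.257525Z
 
    .PARAMETER createdAt__gte
        Returns alerts created after or at this timestamp.
 
        Inputted data is converted to UTC time
 
        Example:
        yyyy-MM-ddTHH:mm:ss.ffffffZ
        2018-02-27T04:49:26.257525Z
 
    .PARAMETER createdAt__lt
        Returns alerts created before this timestamp.
 
        Inputted data is converted to UTC time
 
        Example:
        yyyy-MM-ddTHH:mm:ss.ffffffZ
        2018-02-27T04:49:26.257525Z
 
    .PARAMETER createdAt__lte
        Returns alerts created before or at this timestamp.
 
        Inputted data is converted to UTC time
 
        Example:
        yyyy-MM-ddTHH:mm:ss.ffffffZ
        2018-02-27T04:49:26.257525Z
 
    .PARAMETER cursor
        Cursor position returned by the last request. Use to iterate over more than 1000 items.
 
        Found under pagination
 
        Example: "YWdlbnRfaWQ6NTgwMjkzODE=".
 
    .PARAMETER disablePagination
        If true, all alerts for the requested scope will be returned
 
    .PARAMETER groupIds
        List of Group IDs to filter by.
 
        Example: "225494730938493804,225494730938493915".
 
    .PARAMETER ids
        A list of Alert IDs.
 
        Example: "225494730938493804,225494730938493915".
 
    .PARAMETER incidentStatus__in
        Filter alerts by incident status.
 
        Allowed values:
        'IN_PROGRESS', 'RESOLVED', 'UNRESOLVED'
 
    .PARAMETER k8sCluster__contains
        Free-text filter by the endpoint Kubernetes cluster name.
 
    .PARAMETER k8sControllerLabels__contains
        Free-text filter by the endpoint Kubernetes controller labels
 
    .PARAMETER k8sControllerName__contains
        Free-text filter by the endpoint Kubernetes controller name
 
    .PARAMETER k8sNamespaceLabels__contains
        Free-text filter by the endpoint Kubernetes namespace labels
 
    .PARAMETER k8sNamespaceName__contains
        Free-text filter by the endpoint Kubernetes namespace name
 
    .PARAMETER k8sNode__contains
        Free-text filter by the endpoint Kubernetes node name
 
    .PARAMETER k8sPod__contains
        Free-text filter by the endpoint Kubernetes pod name
 
    .PARAMETER k8sPodLabels__contains
        Free-text filter by the endpoint Kubernetes pod labels
 
    .PARAMETER limit
        Limit number of returned items (1-1000).
 
    .PARAMETER machineType__in
        Agent machine type
 
    .PARAMETER origAgentName__contains
        Free-text filter by agent name.
 
        Example: "ilia".
 
    .PARAMETER origAgentOsRevision__contains
        Free-text filter by agent OS revision.
 
        Example: "win7".
 
    .PARAMETER origAgentUuid__contains
        Free-text filter by agent UUID.
 
        Example: "win7".
 
    .PARAMETER origAgentVersion__contains
        Free-text filter by agent OS version.
 
        Example: "7.11".
 
    .PARAMETER osType__in
        Included OS types
 
    .PARAMETER query
        A free-text search term, will match applicable attributes (sub-String match).
 
        Note: Device's physical addresses will be matched if they start with the search term only (no match if they contain the term).
 
        Example: "Linux".
 
    .PARAMETER reportedAt__gt
        Returns alerts reported after this timestamp.
 
        Inputted data is converted to UTC time
 
        Example:
        yyyy-MM-ddTHH:mm:ss.ffffffZ
        2018-02-27T04:49:26.257525Z
 
    .PARAMETER reportedAt__gte
        Returns alerts reported after or at this timestamp.
 
        Inputted data is converted to UTC time
 
        Example:
        yyyy-MM-ddTHH:mm:ss.ffffffZ
        2018-02-27T04:49:26.257525Z
 
    .PARAMETER reportedAt__lt
        Returns alerts reported before this timestamp.
 
        Inputted data is converted to UTC time
 
        Example:
        yyyy-MM-ddTHH:mm:ss.ffffffZ
        2018-02-27T04:49:26.257525Z
 
    .PARAMETER reportedAt__lte
        Returns alerts reported before or at this timestamp.
 
        Inputted data is converted to UTC time
 
        Example:
        yyyy-MM-ddTHH:mm:ss.ffffffZ
        2018-02-27T04:49:26.257525Z
 
    .PARAMETER ruleName__contains
        Free-text filter by rule name.
 
        Example: "rule1".
 
    .PARAMETER scopes
        Filter results by scope.
 
        Allowed values:
        'account', 'global', 'group', 'site'
 
    .PARAMETER severity__in
        Severity level
 
        Allowed values:
        'Critical', 'High', 'Low', 'Medium'
 
    .PARAMETER siteIds
        List of Site IDs to filter by.
 
        Example: "225494730938493804,225494730938493915".
 
    .PARAMETER skip
        Skip first number of items (0-1000). To iterate over more than 1000 items, use "cursor".
 
        Example: "150".
 
    .PARAMETER skipCount
        If true, total number of items will not be calculated, which speeds up execution time.
 
    .PARAMETER sortBy
        Sorts the returned results by a defined value
 
        Allowed values:
        'agentDetectionInfoMachineType', 'agentDetectionInfoName', 'agentDetectionInfoOsFamily', 'agentDetectionInfoOsName', 'agentDetectionInfoOsRevision',
        'agentDetectionInfoSiteId', 'agentDetectionInfoUuid', 'agentDetectionInfoVersion', 'alertInfoAlertId', 'alertInfoAnalystVerdict', 'alertInfoCreatedAt',
        'alertInfoDvEventId', 'alertInfoEventType', 'alertInfoHitType', 'alertInfoIncidentStatus', 'alertInfoReportedAt', 'alertInfoSource', 'analystVerdict',
        'containerInfoId', 'containerInfoImage', 'containerInfoLabels', 'containerInfoName', 'id', 'incidentStatus', 'kubernetesInfoCluster', 'kubernetesInfoControllerKind',
        'kubernetesInfoControllerLabels', 'kubernetesInfoControllerName', 'kubernetesInfoNamespace', 'kubernetesInfoNamespaceLabels', 'kubernetesInfoNode', 'kubernetesInfoPod',
        'kubernetesInfoPodLabels', 'osName', 'ruleInfoDescription', 'ruleInfoId', 'ruleInfoName', 'ruleInfoScopeLevel', 'ruleInfoSeverity', 'ruleInfoTreatAsThreat',
        'severity', 'sourceParentProcessInfoCommandline', 'sourceParentProcessInfoFileHashMd5', 'sourceParentProcessInfoFileHashSha1', 'sourceParentProcessInfoFileHashSha256',
        'sourceParentProcessInfoFilePath', 'sourceParentProcessInfoFileSignerIdentity', 'sourceParentProcessInfoIntegrityLevel', 'sourceParentProcessInfoName',
        'sourceParentProcessInfoPid', 'sourceParentProcessInfoPidStarttime', 'sourceParentProcessInfoStoryline', 'sourceParentProcessInfoSubsystem', 'sourceParentProcessInfoUser',
        'sourceProcessInfoCommandline', 'sourceProcessInfoFileHashMd5', 'sourceProcessInfoFileHashSha1', 'sourceProcessInfoFileHashSha256', 'sourceProcessInfoFilePath',
        'sourceProcessInfoFileSignerIdentity', 'sourceProcessInfoIntegrityLevel', 'sourceProcessInfoName', 'sourceProcessInfoPid', 'sourceProcessInfoPidStarttime',
        'sourceProcessInfoStoryline', 'sourceProcessInfoSubsystem', 'sourceProcessInfoUser'
 
 
    .PARAMETER sortOrder
        Sort direction
 
        Allowed values:
        'asc', 'desc'
 
    .PARAMETER sourceProcessCommandline__contains
        Free-text filter by source commandline.
 
        Example: "rule1".
 
    .PARAMETER sourceProcessFileHashMd5__contains
        Free-text filter by source md5.
 
        Example: "rule1".
 
    .PARAMETER sourceProcessFileHashSha1__contains
        Free-text filter by source sha1.
 
        Example: "rule1".
 
    .PARAMETER sourceProcessFileHashSha256__contains
        Free-text filter by source sha256.
 
        Example: "rule1".
 
    .PARAMETER sourceProcessFilePath__contains
        Free-text filter by source file path.
 
        Example: "rule1".
 
    .PARAMETER sourceProcessName__contains
        Free-text filter by source process name.
 
        Example: "proc1.exe".
 
    .PARAMETER sourceProcessStoryline__contains
        Free-text filter by source storyline.
 
        Example: "rule1".
 
    .PARAMETER tenant
        Indicates a tenant scope request
 
    .EXAMPLE
        Get-S1Alerts
 
        Returns the first 10 alerts
 
    .EXAMPLE
        Get-S1Alerts -createdAt__gt '2018-02-27 14:32'
 
        Returns alerts that were created after the defined dateTime
 
        DateTime values are converted to UTC, use -verbose to see the value it is converted to.
 
    .EXAMPLE
        Get-S1Alerts -cursor 'YWdlbnRfaWQ6NTgwMjkzODE='
 
        Returns alerts after the first 10 results
 
        The cursor value can be found under pagination
 
    .NOTES
        Review\validate every parameters & parameter help
        As of 2022-10
            Cannot pull data from /cloud-detection/alerts due to insufficient permissions
 
    .LINK
        https://celerium.github.io/SentinelOne-PowerShellWrapper/site/Alerts/Get-S1Alerts.html
#>


    [CmdletBinding( DefaultParameterSetName = 'index' )]
    Param (
        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$accountIds,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateSet( 'FALSE_POSITIVE', 'SUSPICIOUS', 'TRUE_POSITIVE', 'UNDEFINED' )]
        [String[]]$analystVerdict__in,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$containerImageName__contains,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$containerLabels__contains,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$containerName__contains,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [Switch]$countOnly,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [DateTime]$createdAt__gt,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [DateTime]$createdAt__gte,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [DateTime]$createdAt__lt,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [DateTime]$createdAt__lte,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String]$cursor,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [Switch]$disablePagination,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$groupIds,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$ids,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateSet( 'IN_PROGRESS', 'RESOLVED', 'UNRESOLVED' )]
        [String[]]$incidentStatus__in,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$k8sCluster__contains,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$k8sControllerLabels__contains,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$k8sControllerName__contains,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$k8sNamespaceLabels__contains,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$k8sNamespaceName__contains,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$k8sNode__contains,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$k8sPod__contains,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$k8sPodLabels__contains,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateRange(1, 1000)]
        [Int64]$limit,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$machineType__in,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$origAgentName__contains,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$origAgentOsRevision__contains,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$origAgentUuid__contains,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$origAgentVersion__contains,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$osType__in,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String]$query,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [DateTime]$reportedAt__gt,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [DateTime]$reportedAt__gte,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [DateTime]$reportedAt__lt,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [DateTime]$reportedAt__lte,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$ruleName__contains,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateSet( 'account', 'global', 'group', 'site' )]
        [String[]]$scopes,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateSet( 'Critical', 'High', 'Low', 'Medium' )]
        [String[]]$severity__in,

        [Parameter( Mandatory = $false, ValueFromPipeline = $true, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [Int64[]]$siteIds,

        # Help text documents 0-1000; the lower bound was previously 1, which rejected
        # the documented "skip nothing" value.
        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateRange(0, 1000)]
        [Int64]$skip,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [Switch]$skipCount,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateSet(    'agentDetectionInfoMachineType', 'agentDetectionInfoName', 'agentDetectionInfoOsFamily', 'agentDetectionInfoOsName', 'agentDetectionInfoOsRevision',
                        'agentDetectionInfoSiteId', 'agentDetectionInfoUuid', 'agentDetectionInfoVersion', 'alertInfoAlertId', 'alertInfoAnalystVerdict', 'alertInfoCreatedAt',
                        'alertInfoDvEventId', 'alertInfoEventType', 'alertInfoHitType', 'alertInfoIncidentStatus', 'alertInfoReportedAt', 'alertInfoSource', 'analystVerdict',
                        'containerInfoId', 'containerInfoImage', 'containerInfoLabels', 'containerInfoName', 'id', 'incidentStatus', 'kubernetesInfoCluster', 'kubernetesInfoControllerKind',
                        'kubernetesInfoControllerLabels', 'kubernetesInfoControllerName', 'kubernetesInfoNamespace', 'kubernetesInfoNamespaceLabels', 'kubernetesInfoNode', 'kubernetesInfoPod',
                        'kubernetesInfoPodLabels', 'osName', 'ruleInfoDescription', 'ruleInfoId', 'ruleInfoName', 'ruleInfoScopeLevel', 'ruleInfoSeverity', 'ruleInfoTreatAsThreat',
                        'severity', 'sourceParentProcessInfoCommandline', 'sourceParentProcessInfoFileHashMd5', 'sourceParentProcessInfoFileHashSha1', 'sourceParentProcessInfoFileHashSha256',
                        'sourceParentProcessInfoFilePath', 'sourceParentProcessInfoFileSignerIdentity', 'sourceParentProcessInfoIntegrityLevel', 'sourceParentProcessInfoName',
                        'sourceParentProcessInfoPid', 'sourceParentProcessInfoPidStarttime', 'sourceParentProcessInfoStoryline', 'sourceParentProcessInfoSubsystem', 'sourceParentProcessInfoUser',
                        'sourceProcessInfoCommandline', 'sourceProcessInfoFileHashMd5', 'sourceProcessInfoFileHashSha1', 'sourceProcessInfoFileHashSha256', 'sourceProcessInfoFilePath',
                        'sourceProcessInfoFileSignerIdentity', 'sourceProcessInfoIntegrityLevel', 'sourceProcessInfoName', 'sourceProcessInfoPid', 'sourceProcessInfoPidStarttime',
                        'sourceProcessInfoStoryline', 'sourceProcessInfoSubsystem', 'sourceProcessInfoUser'
                    )]
        [String]$sortBy,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateSet( 'asc', 'desc' )]
        [String]$sortOrder,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$sourceProcessCommandline__contains,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$sourceProcessFileHashMd5__contains,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$sourceProcessFileHashSha1__contains,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$sourceProcessFileHashSha256__contains,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$sourceProcessFilePath__contains,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$sourceProcessName__contains,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [ValidateNotNullOrEmpty()]
        [String[]]$sourceProcessStoryline__contains,

        [Parameter( Mandatory = $false, ParameterSetName = 'index' )]
        [Switch]$tenant

    )

    process {

        Write-Verbose "Running the [ $($PSCmdlet.ParameterSetName) ] parameterSet"

        Switch ($PSCmdlet.ParameterSetName){
            'index'  {$resource_uri = "/cloud-detection/alerts"}
        }

        # PowerShell common parameters must never be forwarded to the API as query filters.
        # ProgressAction is a common parameter on newer PowerShell versions and is listed so it
        # does not leak into the request body when a caller passes it.
        $excludedParameters =   'Debug','ErrorAction','ErrorVariable','InformationAction',
                                'InformationVariable','OutBuffer','OutVariable','PipelineVariable',
                                'ProgressAction','Verbose','WarningAction','WarningVariable'

        # Query-string body: one entry per bound cmdlet parameter, keyed by the parameter name,
        # which matches the API's filter name.
        $body = @{}

        if ( $PSCmdlet.ParameterSetName -eq 'index' ) {

            ForEach ( $Key in $PSBoundParameters.GetEnumerator() ){

                if ( $excludedParameters -contains $Key.Key ){ continue }

                if ( $Key.Value.GetType().IsArray ){
                    # The API takes multi-value filters as a single comma-separated string.
                    Write-Verbose "[ $($Key.Key) ] is an array parameter"
                    $body[$Key.Key] = $Key.Value -join (',')
                }
                elseif ( $Key.Value.GetType().FullName -eq 'System.DateTime' ){
                    # Timestamps are sent in UTC using the API's ISO-8601 layout.
                    Write-Verbose "[ $($Key.Key) ] is a dateTime parameter"
                    $universalTime = ($Key.Value).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.ffffffZ')

                    Write-Verbose "Converting [ $($Key.Value) ] to [ $universalTime ]"
                    $body[$Key.Key] = $universalTime
                }
                elseif ( $Key.Value -is [System.Management.Automation.SwitchParameter] ){
                    # Send the boolean itself rather than the SwitchParameter wrapper object.
                    $body[$Key.Key] = $Key.Value.IsPresent
                }
                else{
                    $body[$Key.Key] = $Key.Value
                }

            }
        }

        $rest_output = $null

        try {
            # The API token is added to the shared header table only for the duration of
            # this request; the finally block removes it so it does not linger in module scope.
            $ApiToken = Get-S1APIKey -PlainText
            $S1_Headers.Add('Authorization', "ApiToken $ApiToken")

            $rest_output = Invoke-RestMethod -Method Get -Uri ( $S1_Base_URI + $resource_uri ) -Headers $S1_Headers -Body $body -ErrorAction Stop
        } catch {
            # Surface the failure to the caller; the cmdlet still returns (a null result) below.
            Write-Error $_
        } finally {
            [void] ( $S1_Headers.Remove('Authorization') )
        }

        # Returns the API response as-is (null when the request failed).
        return $rest_output

    }

}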