check_sentinelone

                                        
Icinga check plugin for threats on the SentinelOne Cloud service

                    

        
        

            
            

                

    

    
check_sentinelone


Check for threats on the SentinelOne Cloud service.


You need to provide the URL of your instance and an authentication token, which is user specific.
It is recommended to create a new user with "Viewer" permissions only.


Threats will be listed until their incident state has been resolved, or with the --ignore-in-progress flag, is no
longer "unresolved". Mitigated threats appear as warning.


Usage


Arguments:
  -H, --url string             Management URL (e.g. https://your-site.sentinelone.net) (env:SENTINELONE_URL)
  -T, --token string           API AuthToken (env:SENTINELONE_TOKEN)
      --site string            Only list threats belonging to a named site
      --ignore-in-progress     Ignore threats, where the incident status is in-progress
      --computer-name string   Only list threats belonging to the specified computer name
  -t, --timeout int            Abort the check after n seconds (default 30)
  -d, --debug                  Enable debug mode
  -v, --verbose                Enable verbose mode
  -V, --version                Print version and exit


Example


$ check_sentinelone --url https://your-site.sentinelone.net --token secret --site Customer
CRITICAL - site Customer - 13 threats found, 3 not mitigated

## Your Account / Customer / Default Group

[2020-08-12 12:59 CEST] [WARNING] fileserver: (Downloader) PDFCreator-1_9_4-setup.exe (Marked as benign)
[2020-07-03 08:23 CEST] [WARNING] fileserver: (PUA) cdbxp_setup_4.5.7.6321.exe (Mitigated)
[2020-07-02 23:12 CEST] [WARNING] fileserver: (Trojan) 2-1.exe (Mitigated)
[2020-07-02 23:12 CEST] [WARNING] fileserver: (Trojan) 4-0.exe (Mitigated)
[2020-07-02 23:12 CEST] [WARNING] fileserver: (Trojan) 7-0.exe (Mitigated)
[2020-07-02 23:12 CEST] [WARNING] fileserver: (Trojan) 13-0.exe (Mitigated)
[2020-07-02 23:12 CEST] [WARNING] fileserver: (Trojan) 1-0.exe (Mitigated)
[2020-07-02 23:12 CEST] [WARNING] fileserver: (Trojan) 14-0.exe (Mitigated)
[2020-07-02 23:12 CEST] [WARNING] fileserver: (Trojan) 12-0.exe (Mitigated)
[2020-07-02 22:05 CEST] [CRITICAL] fileserver: (Adware) cdbxp_setup_4.5.8.7035.exe (Not mitigated)
[2020-07-02 22:05 CEST] [WARNING] fileserver: (Adware) cdbxp_setup_4-{DFBDE0DF-DBEC-4437-A6D6-76CD670E9503}-v297222.exe (Mitigated)
[2020-07-02 21:58 CEST] [CRITICAL] fileserver: (Adware) cdbxp_setup_4.5.8.7035.exe (Not mitigated)
[2020-07-02 21:58 CEST] [CRITICAL] fileserver: (Adware) cdbxp_setup_4.5.8.7035.exe (Not mitigated)
| threats=13 threats_not_mitigated=3


API Documentation


Full API documentation is available in api-docs under your Sentinel One dashboard.


This is only available for customers as fair as we know.


License


Copyright (c) 2020 info@netways.de" rel="nofollow">NETWAYS GmbH \
Copyright (c) 2020 markus.frosch@netways.de" rel="nofollow">Markus Frosch


This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.


This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.


You should have received a copy of the GNU General Public License
along with this program.  If not, see gnu.org/licenses.