Some employees discuss their experience using SentinelOne on VDI servers, and how they created a script that alerts on quarantine actions by searching the SentinelOne/Operational log. The script writes an Application log event so ControlUp can trigger from it. Others mention using the S1 console and a Splunk dashboard for monitoring. A link to the script is also provided.
Read the entire ‘Automation and Monitoring with SentinelOne and ControlUp’ thread below:
Anyone do any work in the SentinelOne space? Log analysis, etc.? Looking to see if others have creative ways to grab logs from instant clones before the users log off. Or any other SentinelOne related tasks.
We use SentinelOne on our VDI servers. It's managed by another department. They disabled the tray icon and the ability to open the app, so we had no way of knowing if something was quarantined without asking them for logs from the SentinelOne console. Fortunately they allowed event logs (SentinelOne has the ability to disable them on the client side), so we created a script to search the SentinelOne/Operational log for the time period of the past 30 min for event IDs 31, 32, and 27, which are related to quarantine actions. If found on a server, the script generates an event in the Application log with the info found. Typically it will include the file that was quarantined. We do this so we can use ControlUp to trigger from the event in the Application log, since ControlUp can't see the Operational log from SentinelOne. We set up two triggers. One scheduled trigger runs the script on VDI servers in use every 30 minutes. Another event log trigger alerts on the Application log event on the VDI servers if any quarantine action was found.
Here is the script. It can be used to search any event log by changing the log name and the event IDs to filter.
```powershell
$machineName = $args[0]   # target server name, passed in by ControlUp
$minutesback = $args[1]   # how far back to search, in minutes
# Force a fixed culture so date handling is consistent regardless of the agent's locale
[System.Threading.Thread]::CurrentThread.CurrentCulture = New-Object "System.Globalization.CultureInfo" "en-US"
[datetime]$StartTime = (Get-Date).AddMinutes(-$minutesback)

# First pass: only the IDs that indicate a quarantine actually happened
$filter = @{
    <# how many minutes in the past we may look #>
    starttime = $StartTime;
    <# only specific events #>
    Id = @(32, 27);
    <# search logs #>
    logname = "SentinelOne/Operational"
}
[int]$exitCode = 0
try {
    [array]$Events = Get-WinEvent -ComputerName $machineName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object -Property Id |
        Select-Object machinename, timecreated, logname, id, message
    if ($null -ne $Events) {
        # Second pass: pull the related ID 31 events too, so the alert carries the full context
        $allfilter = @{
            <# how many minutes in the past we may look #>
            starttime = $StartTime;
            <# only specific events #>
            Id = @(31, 32, 27);
            <# search logs #>
            logname = "SentinelOne/Operational"
        }
        [array]$AllEvents = Get-WinEvent -ComputerName $machineName -FilterHashtable $allfilter -ErrorAction SilentlyContinue |
            Sort-Object -Property Id |
            Select-Object machinename, timecreated, logname, id, message
        $Eventmessage = $AllEvents | Format-List -Property message | Out-String
        $Eventtime = (($AllEvents | Select-Object -First 1).timecreated).ToLongTimeString()
        # Relay into the Application log (ID 5000) where a ControlUp event-log trigger can see it
        Write-EventLog -ComputerName $machineName -LogName "Application" -Source "ControlUp Agent" -EventID 5000 -EntryType Warning -Category 0 -Message "Found Sentinel One alert at $Eventtime $($Eventmessage)"
    }
}
catch {
    Write-Host "Could not find relevant events in the SentinelOne/Operational log. `nThe checks should be run every $($minutesback) mins or less"
    Exit 1
}
exit $exitCode
```
Where do the logs end up? All I see is a success message.
Sure
thx
Event log will be created in Application log on the server only if there are event ids found in the Applications and Services Logs > SentinelOne/Operational
in the specific time frame
Ah, I was thinking the output would be to the console so I could capture them before the user logs off and the event viewer is lost.
Are you trying to capture all the logs from SentinelOne/Operational event log?
Was just curious what others are doing. We have access to the S1 console as well as having all activity sent to a syslog collector and presented in a Splunk dashboard.
Ahh ok. Yeah, this was implemented because we don't have access to the S1 console or any visibility into the activity, and we needed to find a proactive way to ensure S1 wasn't killing our company's own in-house developed apps.
That makes sense.
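The original question in this thread was how to preserve SentinelOne logs from an instant clone before the user logs off and the clone (and its event viewer) is gone. The script posted above relays matches into the Application log, which survives only as long as the clone does. The following is an added example, not code from the thread or from ControlUp or SentinelOne: it exports the whole SentinelOne/Operational channel to a network share at logoff (or from a ControlUp scheduled action), writes a quick-triage CSV of the same quarantine-related IDs the thread uses (31, 32, 27), and leaves a breadcrumb event in the Application log. The share path `\\fileserver\s1logs`, the event source name `VDI Log Export` and the 480-minute window are assumptions; change them to match your environment.

```powershell
# Added example (not from the thread): preserve the SentinelOne/Operational log
# from a non-persistent VDI clone before the session ends. Run as a logoff script
# or a ControlUp scheduled action with an account that can read the channel and
# write to the share. All paths and names below are assumptions.
param(
    [string]$LogName     = 'SentinelOne/Operational',
    [string]$Share       = '\\fileserver\s1logs',   # assumed UNC path, must already exist
    [int]   $MinutesBack = 480                      # assumed triage window
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$base  = Join-Path $Share ("{0}-{1}" -f $env:COMPUTERNAME, $stamp)

# 1) Full native export (.evtx) keeps every field for later forensic review.
#    wevtutil epl <channel> <file> copies the entire channel; requires rights to read it.
& wevtutil.exe epl $LogName "$base.evtx"
if ($LASTEXITCODE -ne 0) {
    Write-Warning "wevtutil export of $LogName failed with exit code $LASTEXITCODE"
}

# 2) CSV of the recent quarantine-related IDs for quick triage (same IDs the thread uses).
$filter = @{
    LogName   = $LogName
    Id        = @(31, 32, 27)
    StartTime = (Get-Date).AddMinutes(-$MinutesBack)
}
$recent = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, MachineName, Message)
if ($recent.Count -gt 0) {
    $recent | Export-Csv -Path "$base-quarantine.csv" -NoTypeInformation -Encoding UTF8
}

# 3) Breadcrumb in the Application log so a ControlUp event-log trigger can alert on it,
#    the same relay pattern the thread's script uses. Registering the source needs admin once.
$source = 'VDI Log Export'   # assumed source name
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}
Write-EventLog -LogName Application -Source $source -EventId 5001 -EntryType Information `
    -Message ("Exported {0} to {1}.evtx; {2} quarantine-related event(s) in the last {3} min" -f `
        $LogName, $base, $recent.Count, $MinutesBack)
```

Because the export runs on the clone itself, it has to complete before the session teardown destroys the VM; hooking it to logoff (Group Policy logoff script or a ControlUp session-end trigger) rather than a fixed schedule is what closes the gap the original poster describes.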