Last active
January 9, 2023 22:19
keyboardcrunch/9f92f9afa436a1e93526c908cca727d3
Granular Configuration Manager Compliance and Remediation scripts for SentinelOne Agent
<# Check installation compliance #>
# Win32Reg_AddRemovePrograms is supplied by the Configuration Manager client, not by stock Windows
$Installed = Get-WmiObject -Class Win32Reg_AddRemovePrograms | Where-Object { $_.DisplayName -eq "Sentinel Agent" }
If ( -Not $Installed ) {
    # Sentinel Agent not installed/missing.
    Return $false
} Else {
    Return $true
}
<# ------------------------------------------------------------------- #>
<# Check Agent loaded compliance #>
# The newest installation folder holds the current SentinelCtl.exe
$LatestVersion = Get-ChildItem -Directory 'C:\Program Files\SentinelOne\' | Sort-Object CreationTime -Descending | Select-Object -First 1
$SentinelCtl = Join-Path -Path $LatestVersion.FullName -ChildPath "SentinelCtl.exe"
$CtlStatus = & $SentinelCtl "status"
$SvcStatus = $(Get-Service SentinelAgent).Status
If ( $SvcStatus -eq "Running" ) {
    # -contains compares whole output lines, so the text must match exactly
    If ( $CtlStatus -contains "SentinelAgent is not loaded" ) {
        Return $false
    } Else {
        Return $true
    }
} Else {
    Return $false
}
<# Agent load remediation #>
$LatestVersion = Get-ChildItem -Directory 'C:\Program Files\SentinelOne\' | Sort-Object CreationTime -Descending | Select-Object -First 1
$SentinelCtl = Join-Path -Path $LatestVersion.FullName -ChildPath "SentinelCtl.exe"
Try {
    # load -a asks SentinelCtl to load the agent component
    $CtlStatus = & $SentinelCtl load -a
} Catch {
    Return $false
}
<# ------------------------------------------------------------------- #>
<# Check Monitor loaded compliance #>
$LatestVersion = Get-ChildItem -Directory 'C:\Program Files\SentinelOne\' | Sort-Object CreationTime -Descending | Select-Object -First 1
$SentinelCtl = Join-Path -Path $LatestVersion.FullName -ChildPath "SentinelCtl.exe"
$CtlStatus = & $SentinelCtl "status"
If ( $CtlStatus -contains "SentinelMonitor is not loaded" ) {
    Return $false
} Else {
    Return $true
}
<# Monitor load remediation #>
$LatestVersion = Get-ChildItem -Directory 'C:\Program Files\SentinelOne\' | Sort-Object CreationTime -Descending | Select-Object -First 1
$SentinelCtl = Join-Path -Path $LatestVersion.FullName -ChildPath "SentinelCtl.exe"
Try {
    # load -m asks SentinelCtl to load the monitor component
    $CtlStatus = & $SentinelCtl load -m
} Catch {
    Return $false
}
<# ------------------------------------------------------------------- #>
<# Check Self-Protection compliance #>
$LatestVersion = Get-ChildItem -Directory 'C:\Program Files\SentinelOne\' | Sort-Object CreationTime -Descending | Select-Object -First 1
$SentinelCtl = Join-Path -Path $LatestVersion.FullName -ChildPath "SentinelCtl.exe"
$CtlStatus = & $SentinelCtl "status"
If ( $CtlStatus -contains "Self-Protection status: Off" ) {
    Return $false
} Else {
    Return $true
}
<# Self-Protection remediation #>
$LatestVersion = Get-ChildItem -Directory 'C:\Program Files\SentinelOne\' | Sort-Object CreationTime -Descending | Select-Object -First 1
$SentinelCtl = Join-Path -Path $LatestVersion.FullName -ChildPath "SentinelCtl.exe"
Try {
    $CtlStatus = & $SentinelCtl "protect"
    If ( $CtlStatus -contains "Protection is on" ) {
        Return $true
    } Else {
        Return $false
    }
} Catch {
    Return $false
}
<# ------------------------------------------------------------------- #>
<# Check online status #>
<#
SentinelOne/Operational event IDs
1 - Agent start
2 - Policy from Console
3 - Policy Override
5 - Communication failure
31 - Malware detected
32 - Mitigation Report
55 - Full disk scan
58 - Failed to execute command Mark group status
68 - Mark as threat true context from DV
72 - Failed to mark as threat, marked as exclusion.
77 - Device Control events
#>
$OpsEvents = Get-WinEvent -LogName 'SentinelOne/Operational' -MaxEvents 5 | Select-Object Id -Unique
If ( $OpsEvents.Id.Count -eq 1 ) {
    If ( $OpsEvents.Id -eq 5 ) { # Last five events are all communication failures: offline
        Return $false
    } Else { # A single event ID other than communication failure
        Return $true
    }
} Else { # Mixed console activity
    Return $true
}
<# ------------------------------------------------------------------- #>
<# Check service status #>
<#
Device Types
1 - Workstation
2 - Domain Controller
3 - Non-DC Server
#>
$DeviceType = $(Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
$ServiceCompliance = $true
If ( $DeviceType -eq 1 ) {
    $SentinelServices = @("SentinelAgent", "SentinelHelperService", "LogProcessorService", "SentinelStaticEngine")
} Else {
    # StaticEngine may be turned off on servers for performance
    $SentinelServices = @("SentinelAgent", "SentinelHelperService", "LogProcessorService")
}
ForEach ($Service in $SentinelServices) {
    # A missing service yields $null, which is treated as non-compliant below
    $ServiceStatus = Get-Service $Service -ErrorAction SilentlyContinue
    If ($ServiceStatus.Status -ne "Running") {
        $ServiceCompliance = $false
    }
}
Return $ServiceCompliance
<# Service remediation #>
<#
Device Types
1 - Workstation
2 - Domain Controller
3 - Non-DC Server
#>
$DeviceType = $(Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
If ( $DeviceType -eq 1 ) {
    $SentinelServices = @("SentinelAgent", "SentinelHelperService", "LogProcessorService", "SentinelStaticEngine")
} Else {
    # StaticEngine may be turned off on servers for performance
    $SentinelServices = @("SentinelAgent", "SentinelHelperService", "LogProcessorService")
}
ForEach ($Service in $SentinelServices) {
    $ServiceStatus = Get-Service $Service -ErrorAction SilentlyContinue
    If ($ServiceStatus.Status -ne "Running") {
        Start-Service $Service -ErrorAction Continue
    }
}
<# ------------------------------------------------------------------- #>
<# Check last log event #>
<#
EventID 2 for policy sync should be logged every X minutes, so 1+ day without log events signals an agent issue.
#>
$LastLogEntry = $(Get-Date) - $(Get-WinEvent -LogName 'SentinelOne/Operational' -MaxEvents 1).TimeCreated
If ( $LastLogEntry.Days -ge 1 ) {
    Return $false # Non-compliant
} Else {
    Return $true
}
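The three SentinelCtl status checks above use `-contains` against the array of lines the tool prints, which only matches a line that equals the string exactly; a line with a trailing space or extra detail slips through and the check reports compliant. The following is an added example, not part of the gist, that evaluates the same conditions with `-match` over the joined output and returns one object for a Configuration Manager compliance rule to compare; the `Get-SentinelCtlPath` and `Test-SentinelStatus` names are mine, and the sample status text is constructed, not captured from SentinelCtl.exe.

```powershell
# Added example, not part of the original gist. The sample status text is
# constructed for illustration; real SentinelCtl.exe output may differ.
function Get-SentinelCtlPath {
    # Newest install folder holds the current SentinelCtl.exe, as in the gist
    $latest = Get-ChildItem -Directory 'C:\Program Files\SentinelOne\' |
        Sort-Object CreationTime -Descending | Select-Object -First 1
    if (-not $latest) { return $null }
    Join-Path -Path $latest.FullName -ChildPath 'SentinelCtl.exe'
}

function Test-SentinelStatus {
    param(
        # Lines of 'SentinelCtl.exe status' output; defaults to running the tool
        [string[]]$StatusLines = $(
            $ctl = Get-SentinelCtlPath
            if ($ctl -and (Test-Path $ctl)) { & $ctl 'status' } else { @() }
        )
    )
    # Join the lines so -match sees the whole text, not one array element
    $text = ($StatusLines -join "`n")
    $result = [pscustomobject]@{
        CtlPresent     = ($StatusLines.Count -gt 0)
        AgentLoaded    = -not ($text -match 'SentinelAgent is not loaded')
        MonitorLoaded  = -not ($text -match 'SentinelMonitor is not loaded')
        SelfProtection = -not ($text -match 'Self-Protection status:\s*Off')
        Compliant      = $false
    }
    # Missing tool output is treated as non-compliant rather than silently passing
    $result.Compliant = $result.CtlPresent -and $result.AgentLoaded -and
                        $result.MonitorLoaded -and $result.SelfProtection
    $result
}

# Constructed sample: the trailing space after 'loaded' defeats an exact
# -contains comparison but is still caught by -match.
$sample = @(
    'SentinelMonitor is loaded',
    'SentinelAgent is not loaded ',
    'Self-Protection status: On'
)
$sample -contains 'SentinelAgent is not loaded'          # False: exact match misses it
(Test-SentinelStatus -StatusLines $sample).AgentLoaded   # False: detected
(Test-SentinelStatus -StatusLines $sample).Compliant     # False
```

For a Configuration Manager rule, return only `(Test-SentinelStatus).Compliant` and compare it against `True`.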
Added check for enumerating SentinelOne service status. SentinelStaticEngine (on-write static engine) is off on the servers in my test environment, so it's off in my script (just for servers).
On the 21.5.4.291 x64 Windows Agent we noted an issue where the Agent stopped reporting in, and the early indicator was a lack of Event Log writes, which should happen every few minutes for policy sync.
Changed the script from grabbing the latest version path from Add/Remove Programs to grabbing the latest installation folder; Agent 4.6.14.304 only shows a partial version number in the Add/Remove registry version value, and the versioning scheme is going to undergo more changes soon.