# SentinelOne Account Management Notebook

This Jupyter notebook is a quick way to work with the SentinelOne Management API without having to write all the code yourself, or fully understand the code that is written.

## Requirements
- Python 3
- Python modules: NumPy, pandas, SentinelOne-Management-SDK

## Setup
You'll need to download the SentinelOne Management SDK from the `Console > ? > API Doc` page. Just follow the setup instructions for the SDK.

```
python3 -m pip install numpy pandas
python3 -m pip install sentinel-mgmt-sdk.tar.gz
```

## Initialization
Now you'll need to grab your API token from the `My User > Options` link at the top right of your SentinelOne console. Store this somewhere safe; it is only shown to you once. Then fill in your `api_token` and `console_host` below and click run.


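In [None]:
```python
import json
from management.mgmtsdk_v2.mgmt import Management
from management.mgmtsdk_v2.services.threat import ThreatQueryFilter
from management.mgmtsdk_v2.services.exclusion import ExclusionQueryFilter
try:
    import numpy as np
    import pandas as pd
except ImportError:
    # Only a failed import is caught here; other errors should surface normally.
    print("Error importing Numpy or Pandas")

# Console hostname and API token used by every cell below.
# Clear api_token again before saving or sharing this notebook.
console_host = "whatever.sentinelone.net"
api_token = ""
sentinel = Management(hostname=console_host, api_token=api_token)
```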
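
A pre-share check for the token filled in above, as an added example that is not part of the original notebook or the SentinelOne SDK: it scans a notebook file's code cells for a non-empty string literal assigned to `api_token`. The helper name `find_embedded_tokens` and the sample notebook are constructed for illustration.

```python
import ast
import json
import re

# Variable name taken from this notebook's Initialization cell.
SECRET_NAMES = ("api_token",)

def find_embedded_tokens(notebook_json, names=SECRET_NAMES):
    """Return sorted (cell_index, variable) pairs for code cells that assign a
    non-empty string literal to one of `names`. Hypothetical helper."""
    findings = set()
    # Regex fallback for cells that ast cannot parse (IPython magics, broken code).
    pattern = re.compile(
        r"^\s*(%s)\s*=\s*(['\"])(?!\2)" % "|".join(map(re.escape, names)), re.MULTILINE)
    for idx, cell in enumerate(json.loads(notebook_json).get("cells", [])):
        if cell.get("cell_type") != "code":
            continue
        source = cell.get("source", "")
        if isinstance(source, list):  # nbformat allows a list of lines or one string
            source = "".join(source)
        try:
            tree = ast.parse(source)
        except SyntaxError:
            findings.update((idx, m.group(1)) for m in pattern.finditer(source))
            continue
        for node in ast.walk(tree):
            if not isinstance(node, ast.Assign):
                continue
            val = node.value
            if isinstance(val, ast.Constant) and isinstance(val.value, str) and val.value:
                findings.update((idx, t.id) for t in node.targets
                                if isinstance(t, ast.Name) and t.id in names)
    return sorted(findings)

# Constructed sample notebook: cell 1 is clean, cell 2 holds a made-up token,
# cell 3 has a magic line (unparseable by ast) plus a made-up token.
SAMPLE_NOTEBOOK = json.dumps({"cells": [
    {"cell_type": "markdown", "source": ["## Initialization"]},
    {"cell_type": "code", "source": ['console_host = "whatever.sentinelone.net"\n', 'api_token = ""\n']},
    {"cell_type": "code", "source": 'api_token = "CONSTRUCTED-NOT-A-REAL-TOKEN"\n'},
    {"cell_type": "code", "source": ["%matplotlib inline\n", "api_token = 'CONSTRUCTED-NOT-A-REAL-TOKEN'\n"]},
]})

if __name__ == "__main__":
    for cell_index, name in find_embedded_tokens(SAMPLE_NOTEBOOK):
        print(f"cell {cell_index}: {name} is set to a non-empty literal")
```

Pass it the text of the `.ipynb` file before sharing or committing the notebook; an empty result means no filled-in `api_token` assignment was found.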

## List Sites
List all sites in your SentinelOne Management console, along with the account each one belongs to.

In [None]:
```python
sites = sentinel.sites.get()
sites_json = sites.json['data']['sites']
sites_table = pd.DataFrame(sites_json)
sites_table[['accountId','accountName','name','activeLicenses','totalLicenses']]
```


## List Groups
List all groups and their information under your SentinelOne Management console.

In [None]:
```python
groups = sentinel.groups.get()
groups_json = groups.json['data']
groups_table = pd.DataFrame(groups_json)
groups_table[['rank','name','type','filterName','inherits','id','totalAgents']]
```

## List Exclusions

In [None]:
```python
'''
TODO
This is not working yet; unsure exactly how the services.exclusion class works or exactly which ExclusionQueryFilter variables are missing when getting close to a solution.
'''

GroupIds = "802789373973781586,818161910241064680,818866271331510917,830332126885336267,831033687467027125,831043493045222214,921612686215306963,926093061711828666,937650447030801373,937657426017292877"

from management.mgmtsdk_v2.services.exclusion import ExclusionQueryFilter
filter = ExclusionQueryFilter()
# Two filter conditions: the listed groups, and exclusions of type "path".
filter.apply('groupIds', GroupIds, op="eq")
filter.apply('type', "path", op="eq")
exclusions = sentinel.exclusions.get_white(query_filter=filter)
exclusions.json
```

## Lookup Agent Information
Update the `hostname` variable with all or part of a computer name; the query filter on line 5 uses the `contains` operator, so a partial match is enough.

In [None]:
```python
hostname = "SAMPLECOMPUTER"


filter = ThreatQueryFilter()
filter.apply('computerName', hostname, op='contains')
endpoints = sentinel.agents.get(query_filter=filter)
ep_json = endpoints.json['data']
ep_table = pd.DataFrame(ep_json)
ep_table[['computerName','siteName','agentVersion','scanStatus','scanFinishedAt','threatRebootRequired','userActionsNeeded']]
```

## View Active Threats
List all unresolved threats.

In [None]:
```python
from IPython.display import display

threats = sentinel.threats.get(resolved=False)
threats_json = threats.json['data']
if threats_json:
    threat_table = pd.DataFrame(threats_json)
    # An expression inside an if block is not auto-rendered by Jupyter, so display it explicitly.
    display(threat_table[['agentId','agentComputerName','threatAgentVersion','agentInfected','agentIsActive','siteName','threatName']])
else:
    print("\r\nNo active threats.")
```