PSSymantecSEPM.psm1
|
#Region '.\Classes\Exceptions-Policy.ps1' 0 # Imported PSSymantecCloud module Classes # SEPM uses API v2 for exception policy # TODO confirm if same classes can be used for API v2 on SEPM # https://stackoverflow.com/a/74901407/2552996 class Extensions { [Collections.Generic.List[string]] $names = [Collections.Generic.List[string]]::new() [bool] $scheduled [Collections.Generic.List[string]] $features = [Collections.Generic.List[string]]::new() } class UpdateAllowlist { [object] $add [object] $remove UpdateAllowlist() { $AllowListStructureAdd = [AllowListStructure]::new() $AllowListStructureRemove = [AllowListStructure]::new() $this.add = $AllowListStructureAdd $this.remove = $AllowListStructureRemove } } class AllowListStructure { [object] $Applications [object] $Certificates [object] $webdomains [object] $ips_hosts [Extensions] $Extensions [object] $windows [object] $linux [object] $mac # Setting up the PSCustomObject structure from the JSON example : https://pastebin.com/FaKYpgw3 AllowListStructure() { $this.applications = [System.Collections.Generic.List[object]]::new() $this.Certificates = [System.Collections.Generic.List[object]]::new() $this.webdomains = [System.Collections.Generic.List[object]]::new() $this.ips_hosts = [System.Collections.Generic.List[object]]::new() # Extensions obj be hashtable. Converting to JSON will not be incorrect format (list instead of k/v pair) $this.extensions = [Extensions]::new() $this.windows = [PSCustomObject]@{ files = [System.Collections.Generic.List[object]]::new() directories = [System.Collections.Generic.List[object]]::new() } $this.Linux = [PSCustomObject]@{ files = [System.Collections.Generic.List[object]]::new() directories = [System.Collections.Generic.List[object]]::new() } $this.mac = [PSCustomObject]@{ files = [System.Collections.Generic.List[object]]::new() directories = [System.Collections.Generic.List[object]]::new() } } # method to add APPLICATIONS tab to the main obj [void] AddProcessFile( [string] $sha2, [string] $name ) { $this.applications.Add([pscustomobject]@{ processfile = [pscustomobject]@{ sha2 = $sha2 name = $name } }) } # Method to add CERTIFICATES tab to the main obj [void] AddCertificates( [string] $signature_issuer, [string] $signature_company_name, # [string] $signature_fingerprint, [string] $algorithm, [string] $value ) { # $this.certificates.Add() $this.certificates.Add([pscustomobject]@{ signature_issuer = $signature_issuer signature_company_name = $signature_company_name signature_fingerprint = [pscustomobject]@{ algorithm = $algorithm value = $value } }) } # Method to add WEBDOMAINS to the main obj [void] AddWebDomains( [string] $domain ) { $this.webdomains.add([PSCustomObject]@{ domain = $domain }) } # Method to add IPv4 addresses IPS_HOSTS to the main obj [void] AddIpsHostsIpv4Address( [string] $ip ) { $this.ips_hosts.add([PSCustomObject]@{ ip = $ip }) } # Method to add IPv4 subnet IPS_HOSTS to the main obj [void] AddIpsHostsIpv4Subnet( [string] $ip, [string] $mask ) { $this.ips_hosts.add([pscustomobject]@{ ipv4_subnet = [pscustomobject]@{ ip = $ip mask = $mask } }) } # method to add IPv6 subnet IPS_HOSTS to the main obj [void] AddIpsHostsIpv6Subnet( [string] $ipv6_subnet ) { $this.ips_hosts.add([pscustomobject]@{ ipv6_subnet = $ipv6_subnet }) } #method to add ip ranges to the main obj [void] AddIpsRange( [string] $ip_start, [string] $ip_end ) { $this.ips_hosts.add([pscustomobject]@{ ip_range = [pscustomobject]@{ ip_start = $ip_start ip_end = $ip_end } }) } # Method to add EXTENSIONS tab to the main obj [void] AddExtensions([Extensions] $Extension) { $this.Extensions = $Extension } # Method to add Windows FILES excel tab to obj [void] AddWindowsFiles( [string] $pathvariable, [string] $path, [bool] $scheduled, [array] $features ) { $this.windows.files.add([pscustomobject]@{ pathvariable = $pathvariable path = $path scheduled = $scheduled features = $features }) } # Method to add Linux FILES excel tab to obj [void] AddLinuxFiles( [string] $pathvariable, [string] $path, [bool] $scheduled, [array] $features ) { $this.linux.files.add([pscustomobject]@{ pathvariable = $pathvariable path = $path scheduled = $scheduled features = $features }) } # Method to add Mac FILES excel tab to obj [void] AddMacFiles( [string] $pathvariable, [string] $path, [bool] $scheduled, [array] $features ) { $this.mac.files.add([pscustomobject]@{ pathvariable = $pathvariable path = $path scheduled = $scheduled features = $features }) } # Method to add Windows DIRECTORIES excel tab to obj [void] AddWindowsDirectories( [string] $pathvariable, [string] $directory, [bool] $recursive, [bool] $scheduled, [array] $features ) { $this.windows.directories.add([pscustomobject]@{ pathvariable = $pathvariable directory = $directory recursive = $recursive scheduled = $scheduled features = $features }) } # Method to add Linux DIRECTORIES excel tab to obj [void] AddLinuxDirectories( [string] $pathvariable, [string] $directory, [bool] $recursive, [bool] $scheduled, [array] $features ) { $this.linux.directories.add([pscustomobject]@{ pathvariable = $pathvariable directory = $directory recursive = $recursive scheduled = $scheduled features = $features }) } # Method to add Mac DIRECTORIES excel tab to obj [void] AddMacDirectories( [string] $pathvariable, [string] $directory, [bool] $recursive, [bool] $scheduled, [array] $features ) { $this.mac.directories.add([pscustomobject]@{ pathvariable = $pathvariable directory = $directory recursive = $recursive scheduled = $scheduled features = $features }) } } # TODO - Verify the structure is the expected one when converting to JSON class DenyListStructure { [object] $blacklistrules [object] $nonperules denylistStructure() { $this.blacklistrules = [System.Collections.Generic.List[object]]::new() $this.nonperules = [System.Collections.Generic.List[object]]::new() } # Method to add blacklist rules to the main obj (called "Executable files" in the cloud policy) [void] AddBlacklistRules( [string] $sha2, [string] $name ) { $this.blacklistrules.Add([pscustomobject]@{ processfile = [pscustomobject]@{ sha2 = $sha2 name = $name } }) } # Method to add nonpe rules to the main obj (called "Non-executable files" in the cloud policy) [void] AddNonPeRules( [string] $file_name, [string] $file_sha2, [int] $file_size, [string] $file_directory, [string] $actor_directory, [string] $actor_sha2, [string] $actor_md5 ) { $this.nonperules.Add([pscustomobject]@{ file = [pscustomobject]@{ name = $file_name sha2 = $file_sha2 size = $file_size directory = $file_directory } }) # Add actor directory if it is not empty if ($actor_directory -ne "") { $this.nonperules.file.actor = [pscustomobject]@{ directory = $actor_directory } } # Add actor sha2 if it is not empty if ($actor_sha2 -ne "") { $this.nonperules.file.actor = [pscustomobject]@{ sha2 = $actor_sha2 } } # Add actor md5 if it is not empty if ($actor_md5 -ne "") { $this.nonperules.file.actor = [pscustomobject]@{ md5 = $actor_md5 } } } } class UpdateDenylist { [object] $add [object] $remove UpdateDenylist() { $DenyListStructureAdd = [DenyListStructure]::new() $DenyListStructureRemove = [DenyListStructure]::new() $this.add = $DenyListStructureAdd $this.remove = $DenyListStructureRemove } } #EndRegion '.\Classes\Exceptions-Policy.ps1' 311 #Region '.\Private\Build-SEPMQueryURI.ps1' 0 function Build-SEPMQueryURI { <# .SYNOPSIS Constructs a URI from a base URI and query strings .DESCRIPTION Constructs a URI from a base URI and query strings .PARAMETER BaseURI The base URI to use .PARAMETER QueryStrings A hashtable of query strings to add to the URI .NOTES helper function .EXAMPLE $BaseURI = "https://gdc8ap0030:8446/sepm/api/v1/computers" $QueryStrings = @{ sort = "COMPUTER_NAME" pageIndex = 1 pageSize = 100 } $URI = Build-SEPMQueryURI -BaseURI $BaseURI -QueryStrings $QueryStrings #> param ( [string]$BaseURI, [hashtable]$QueryStrings ) # Construct the URI $builder = New-Object System.UriBuilder($BaseURI) $query = [System.Web.HttpUtility]::ParseQueryString($builder.Query) foreach ($param in $QueryStrings.GetEnumerator()) { $query[$param.Key] = $param.Value } $builder.Query = $query.ToString() $BaseURI = $builder.ToString() return $BaseURI } #EndRegion '.\Private\Build-SEPMQueryURI.ps1' 40 #Region '.\Private\Import-SepmConfiguration.ps1' 0 function Import-SepmConfiguration { <# .SYNOPSIS Loads in the default configuration values, and then updates the individual properties with values that may exist in a file. .DESCRIPTION Loads in the default configuration values, and then updates the individual properties with values that may exist in a file. .PARAMETER Path The file that may or may not exist with a serialized version of the configuration values for this module. .OUTPUTS PSCustomObject .NOTES Internal helper method. No side-effects. .EXAMPLE Import-SepmConfiguration -Path 'c:\foo\config.json' Creates a new default config object and updates its values with any that are found within a deserialized object from the content in $Path. The configuration object is then returned. #> [CmdletBinding()] param( [string] $Path ) # Create a configuration object with all the default values. We can then update the values # with any that we find on disk. $config = [PSCustomObject]@{ 'ServerAddress' = '' 'port' = '8446' 'domain' = '' } $jsonObject = Read-SepmConfiguration -Path $Path Get-Member -InputObject $config -MemberType NoteProperty | ForEach-Object { $name = $_.Name $type = $config.$name.GetType().Name $config.$name = Resolve-PropertyValue -InputObject $jsonObject -Name $name -Type $type -DefaultValue $config.$name } return $config } #EndRegion '.\Private\Import-SepmConfiguration.ps1' 53 #Region '.\Private\Invoke-ABRestMethod.ps1' 0 function Invoke-ABRestMethod { <# .SYNOPSIS Invokes a REST method with a PS version-appropriate method .DESCRIPTION Invokes a REST method with a PS version-appropriate method Handles the differences between PS versions 5 and 6 for certificate validation skipping Tests the certificate of the server if self signed .NOTES Helper function for Invoke-ABRestMethod .PARAMETER params A hashtable of parameters to pass to the Invoke-RestMethod cmdlet .EXAMPLE $params = @{ Method = 'POST' Uri = $URI headers = $headers } Invoke-ABRestMethod -params $params #> param ( # Hashtable of parameters [Parameter( Mandatory = $true )] [hashtable] $params ) # Test the certificate if self signed if (-not $script:SkipCert) { Test-SEPMCertificate -URI $params.Uri } switch ($PSVersionTable.PSVersion.Major) { { $_ -ge 6 } { try { if ($script:SkipCert -eq $true) { $resp = Invoke-RestMethod @params -SkipCertificateCheck } else { $resp = Invoke-RestMethod @params } } catch { Write-Warning -Message "Error: $_" return "Error: $_" } } default { try { if ($script:SkipCert -eq $true) { Skip-Cert $resp = Invoke-RestMethod @params } else { $resp = Invoke-RestMethod @params } } catch { Write-Warning -Message "Error: $_" return "Error: $_" } } } # return the response return $resp } #EndRegion '.\Private\Invoke-ABRestMethod.ps1' 68 #Region '.\Private\Read-SepmConfiguration.ps1' 0 function Read-SepmConfiguration { <# .SYNOPSIS Loads in the default configuration values and returns the deserialized object. .DESCRIPTION Loads in the default configuration values and returns the deserialized object. .PARAMETER Path The file that may or may not exist with a serialized version of the configuration values for this module. .OUTPUTS PSCustomObject .NOTES Internal helper method. No side-effects. .EXAMPLE Read-SepmConfiguration -Path 'c:\foo\config.json' Returns back an object with the deserialized object contained in the specified file, if it exists and is valid. #> [CmdletBinding()] param( [string] $Path ) $content = Get-Content -Path $Path -Encoding UTF8 -ErrorAction Ignore if (-not [String]::IsNullOrEmpty($content)) { try { return ($content | ConvertFrom-Json) } catch { $message = 'The configuration file for this module is in an invalid state. Use Reset-SEPMConfiguration to recover.' Write-Warning -Message $message } } return [PSCustomObject]@{} } #EndRegion '.\Private\Read-SepmConfiguration.ps1' 43 #Region '.\Private\Resolve-PropertyValue.ps1' 0 function Resolve-PropertyValue { <# .SYNOPSIS Returns the requested property from the provided object, if it exists and is a valid value. Otherwise, returns the default value. .DESCRIPTION Returns the requested property from the provided object, if it exists and is a valid value. Otherwise, returns the default value. .PARAMETER InputObject The object to check the value of the requested property. .PARAMETER Name The name of the property on InputObject whose value is desired. .PARAMETER Type The type of the value stored in the Name property on InputObject. Used to validate that the property has a valid value. .PARAMETER DefaultValue The value to return if Name doesn't exist on InputObject or is of an invalid type. .EXAMPLE Resolve-PropertyValue -InputObject $config -Name defaultOwnerName -Type String -DefaultValue $null Checks $config to see if it has a property named "defaultOwnerName". If it does, and it's a string, returns that value, otherwise, returns $null (the DefaultValue). #> [CmdletBinding()] param( [PSCustomObject] $InputObject, [Parameter(Mandatory)] [string] $Name, [Parameter(Mandatory)] [ValidateSet('String', 'Boolean', 'Int32', 'Int64')] [String] $Type, $DefaultValue ) if ($null -eq $InputObject) { return $DefaultValue } $typeType = [String] if ($Type -eq 'Boolean') { $typeType = [Boolean] } if ($Type -eq 'Int32') { $typeType = [Int32] } if ($Type -eq 'Int64') { $typeType = [Int64] } $numberEquivalents = @('Int32', 'Int64', 'long', 'int') if (Test-PropertyExists -InputObject $InputObject -Name $Name) { if (($InputObject.$Name -is $typeType) -or (($Type -in $numberEquivalents) -and ($InputObject.$Name.GetType().Name -in $numberEquivalents))) { return $InputObject.$Name } else { return $DefaultValue } } else { return $DefaultValue } } #EndRegion '.\Private\Resolve-PropertyValue.ps1' 65 #Region '.\Private\Save-SepmConfiguration.ps1' 0 function Save-SepmConfiguration { <# .SYNOPSIS Serializes the provided settings object to disk as a JSON file. .DESCRIPTION Serializes the provided settings object to disk as a JSON file. .PARAMETER Configuration The configuration object to persist to disk. .PARAMETER Path The path to the file on disk that Configuration should be persisted to. .NOTES Internal helper method. .EXAMPLE Save-SepmConfiguration -Configuration $config -Path 'c:\foo\config.json' Serializes $config as a JSON object to 'c:\foo\config.json' #> [CmdletBinding(SupportsShouldProcess)] param( [Parameter(Mandatory)] [PSCustomObject] $Configuration, [Parameter(Mandatory)] [string] $Path ) if (-not $PSCmdlet.ShouldProcess('Sepm Configuration', 'Save')) { return } $null = New-Item -Path $Path -Force ConvertTo-Json -InputObject $Configuration | Set-Content -Path $Path -Force -ErrorAction SilentlyContinue -ErrorVariable ev if (($null -ne $ev) -and ($ev.Count -gt 0)) { $message = "Failed to persist these updated settings to disk. They will remain for this PowerShell session only." Write-Warning -Message $message } } #EndRegion '.\Private\Save-SepmConfiguration.ps1' 45 #Region '.\Private\Skip-Cert.ps1' 0 function Skip-Cert { <# .SYNOPSIS This function allows skipping the SSL/TLS Secure channel check in the event that there is not a valid certificate available .DESCRIPTION This function allows skipping the SSL/TLS Secure channel check in the event that there is not a valid certificate available .NOTES Required for self-signed certificates skipping with Windows Powershell 5.1 and below This function is used internally by the module and should not be called directly .PARAMETER None .EXAMPLE Skip-Cert .OUTPUTS None #> if (-not ([System.Management.Automation.PSTypeName]'ServerCertificateValidationCallback').Type) { $certCallback = @" using System; using System.Net; using System.Net.Security; using System.Security.Cryptography.X509Certificates; public class ServerCertificateValidationCallback { public static void Ignore() { if(ServicePointManager.ServerCertificateValidationCallback ==null) { ServicePointManager.ServerCertificateValidationCallback += delegate ( Object obj, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors ) { return true; }; } } } "@ Add-Type $certCallback } [ServerCertificateValidationCallback]::Ignore() } #EndRegion '.\Private\Skip-Cert.ps1' 48 #Region '.\Private\Test-PropertyExists.ps1' 0 function Test-PropertyExists { <# .SYNOPSIS Determines if an object contains a property with a specified name. .DESCRIPTION Determines if an object contains a property with a specified name. This is essentially using Get-Member to verify that a property exists, but additionally adds a check to ensure that InputObject isn't null. .PARAMETER InputObject The object to check to see if it has a property named Name. .PARAMETER Name The name of the property on InputObject that is being tested for. .EXAMPLE Test-PropertyExists -InputObject $listing -Name 'title' Returns $true if $listing is non-null and has a property named 'title'. Returns $false otherwise. .NOTES Internal-only helper method. #> [CmdletBinding()] [OutputType([bool])] [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseSingularNouns", "", Justification = "Exists isn't a noun and isn't violating the intention of this rule.")] param( [Parameter(Mandatory)] [AllowNull()] $InputObject, [Parameter(Mandatory)] [String] $Name ) return (($null -ne $InputObject) -and ($null -ne (Get-Member -InputObject $InputObject -Name $Name -MemberType Properties))) } #EndRegion '.\Private\Test-PropertyExists.ps1' 42 #Region '.\Private\Test-SEPMAccessToken.ps1' 0 function Test-SEPMAccessToken { <# .SYNOPSIS Test if the access token is still valid .DESCRIPTION Test if the access token is still valid. If no token is passed, will test the cached token. Returns $true if the token is still valid, $false otherwise .PARAMETER TokenInfo The token to test .OUTPUTS System.Boolean .NOTE Internal helper method. This function is used internally by the module and should not be called directly. #> param ( [Alias('AccessToken', 'Token')] [PSCustomObject]$TokenInfo ) # If no paramater is passed, test the cached token if ($null -eq $TokenInfo) { # if token in memory if (-not [string]::IsNullOrEmpty($script:accessToken.token) ) { # if token still valid if ($script:accessToken.tokenExpiration -gt (Get-Date)) { return $true } } } # Check if the access token has expired if ($TokenInfo.tokenExpiration -gt (Get-Date)) { return $true } # If we get here, no valid token was found return $false } #EndRegion '.\Private\Test-SEPMAccessToken.ps1' 44 #Region '.\Private\Test-SEPMCertificate.ps1' 0 function Test-SEPMCertificate { <# .SYNOPSIS This function tests a webserver to see if it is using a self-signed certificate .DESCRIPTION This function tests a webserver to see if it is using a self-signed certificate If so, sets the $script:SkipCert variable to $true to continue with the connection .PARAMETER URI The URI of the webserver to test .INPUTS System.String .OUTPUTS None .EXAMPLE Test-SEPMCertificate -URI https://www.example.com Tests the webserver at https://www.example.com to see if it is using a self-signed certificate #> [CmdletBinding()] param ( [Parameter( Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true )] [string] $URI ) try { # Test the certificate Invoke-WebRequest $URI # If no error, then the certificate is valid $script:SkipCert = $false } catch { # Get SEPM server name from URI $uriObject = New-Object System.Uri($URI) $domain = $uriObject.Host # Get the error message $message = "SSL Certificate test failed. The certificate for $domain is self-signed." Write-Warning -Message $message # Prompt for user input to continue $Response = Read-Host -Prompt 'Press enter to ignore this and continue without SSL/TLS secure channel for this session' if ($Response -eq "") { if ($PSVersionTable.PSVersion.Major -lt 6) { Skip-Cert } $script:SkipCert = $true } } } #EndRegion '.\Private\Test-SEPMCertificate.ps1' 56 #Region '.\Public\Add-SEPMFileFingerprintList.ps1' 0 function Add-SEPMFileFingerprintList { <# .SYNOPSIS Adds a blacklist as a file fingerprint list .DESCRIPTION Adds a blacklist as a file fingerprint list .PARAMETER name The name of the blacklist to be added .PARAMETER domainId The domain id of the domain to add the blacklist to Only takes the domain id. Can be found using Get-SEPMDomain .PARAMETER HashType The type of hash to use for the blacklist Valid values are SHA256 and MD5 .PARAMETER description The description of the blacklist .PARAMETER hashlist The hash list to add to the blacklist Can be generated using Get-FileHash or takes a string array of hashes .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE $DomainId = Get-SEPMDomain | Where-Object { $_.name -eq "Default" } $HashList = ls -file C:\Users\$env:USERNAME\Downloads\*.exe | Get-FileHash -algorithm SHA256 Add-SEPMFileFingerprintList -name "My Blacklist" -domainId $domainId -HashType "SHA256" -description "My Blacklist" -hashlist $hashlist.hash Gets the domain id for the default domain Create a hash list of all the files in the downloads folder of the currently logged in user Adds the hash list as a blacklist to the default domain #> [CmdletBinding()] param ( [Parameter()] [string]$name, [Parameter()] [string]$domainId, [Parameter()] [ValidateSet('SHA256', 'MD5')] [string]$HashType, [Parameter()] [string]$description, [Parameter()] $hashlist, # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { $URI = $script:BaseURLv1 + "/policy-objects/fingerprints" # Construct the body & required fields $body = @{ name = $name domainId = $domainId hashType = $HashType description = $description data = $hashlist } $params = @{ Method = 'POST' Uri = $URI headers = $headers Body = $body | ConvertTo-Json ContentType = 'application/json' } $resp = Invoke-ABRestMethod -params $params return $resp } } #EndRegion '.\Public\Add-SEPMFileFingerprintList.ps1' 95 #Region '.\Public\Clear-SepmAuthentication.ps1' 0 function Clear-SEPMAuthentication { <# .SYNOPSIS Clears out any API token from memory, as well as from local file storage. .DESCRIPTION Clears out any API token from memory, as well as from local file storage. .EXAMPLE Clear-SEPMAuthentication Clears out any API token from memory, as well as from local file storage. .NOTES This command will not clear your configuration settings. Please use Reset-SEPMConfiguration to accomplish that. #> $script:Credential = $null $script:accessToken = $null Remove-Item -Path $script:credentialsFilePath -Force -ErrorAction SilentlyContinue -ErrorVariable ev Remove-Item -Path $script:accessTokenFilePath -Force -ErrorAction SilentlyContinue -ErrorVariable ev if (($null -ne $ev) -and ($ev.Count -gt 0) -and ($ev[0].FullyQualifiedErrorId -notlike 'PathNotFound*')) { $message = "Experienced a problem trying to remove the file that persists the Access Token [$script:credentialsFilePath]." Write-Warning -Message $message } $message = "This has not cleared your configuration settings. Call Reset-SEPMConfiguration to accomplish that." Write-Verbose -Message $message } #EndRegion '.\Public\Clear-SepmAuthentication.ps1' 35 #Region '.\Public\Confirm-SEPMEventInfo.ps1' 0 function Confirm-SEPMEventInfo { <# # TODO add examples once finished .SYNOPSIS Post Acknowledgement For Notification .DESCRIPTION Acknowledges a specified event for a given event ID. A system administrator account is required for this REST API. .PARAMETER EventID The event ID to acknowledge. .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE PS C:\PSSymantecSEPM> $SEPMEvents = Confirm-SEPMEventInfo -eventID 30D8A67F0A6606220DEB5989DC3FAC50 #> [CmdletBinding()] param ( [Parameter( Mandatory = $true )] [string] $EventID, # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $URI = $script:BaseURLv1 + "/events/acknowledge/$eventID" $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { $params = @{ Method = 'POST' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params # return the response return $resp } } #EndRegion '.\Public\Confirm-SEPMEventInfo.ps1' 59 #Region '.\Public\ConvertTo-FlatObject.ps1' 0 # From https://github.com/EvotecIT/PSSharedGoods/tree/master/Public/Converts Function ConvertTo-FlatObject { <# .SYNOPSIS Flattends a nested object into a single level object. .DESCRIPTION Flattends a nested object into a single level object. .PARAMETER Objects The object (or objects) to be flatten. .PARAMETER Separator The separator used between the recursive property names .PARAMETER Base The first index name of an embedded array: - 1, arrays will be 1 based: <Parent>.1, <Parent>.2, <Parent>.3, … - 0, arrays will be 0 based: <Parent>.0, <Parent>.1, <Parent>.2, … - "", the first item in an array will be unnamed and than followed with 1: <Parent>, <Parent>.1, <Parent>.2, … .PARAMETER Depth The maximal depth of flattening a recursive property. Any negative value will result in an unlimited depth and could cause a infinitive loop. .PARAMETER Uncut The maximal depth of flattening a recursive property. Any negative value will result in an unlimited depth and could cause a infinitive loop. .PARAMETER ExcludeProperty The propertys to be excluded from the output. .EXAMPLE $Object3 = [PSCustomObject] @{ "Name" = "Przemyslaw Klys" "Age" = "30" "Address" = @{ "Street" = "Kwiatowa" "City" = "Warszawa" "Country" = [ordered] @{ "Name" = "Poland" } List = @( [PSCustomObject] @{ "Name" = "Adam Klys" "Age" = "32" } [PSCustomObject] @{ "Name" = "Justyna Klys" "Age" = "33" } [PSCustomObject] @{ "Name" = "Justyna Klys" "Age" = 30 } [PSCustomObject] @{ "Name" = "Justyna Klys" "Age" = $null } ) } ListTest = @( [PSCustomObject] @{ "Name" = "Sława Klys" "Age" = "33" } ) } $Object3 | ConvertTo-FlatObject .NOTES Based on https://powersnippets.com/convertto-flatobject/ #> [CmdletBinding()] Param ( [Parameter(ValueFromPipeLine)][Object[]]$Objects, [String]$Separator = ".", [ValidateSet("", 0, 1)]$Base = 1, [int]$Depth = 5, [string[]] $ExcludeProperty, [Parameter(DontShow)][String[]]$Path, [Parameter(DontShow)][System.Collections.IDictionary] $OutputObject ) Begin { $InputObjects = [System.Collections.Generic.List[Object]]::new() } Process { foreach ($O in $Objects) { if ($null -ne $O) { $InputObjects.Add($O) } } } End { If ($PSBoundParameters.ContainsKey("OutputObject")) { $Object = $InputObjects[0] $Iterate = [ordered] @{} if ($null -eq $Object) { #Write-Verbose -Message "ConvertTo-FlatObject - Object is null" } elseif ($Object.GetType().Name -in 'String', 'DateTime', 'TimeSpan', 'Version', 'Enum') { $Object = $Object.ToString() } elseif ($Depth) { $Depth-- If ($Object -is [System.Collections.IDictionary]) { $Iterate = $Object } elseif ($Object -is [Array] -or $Object -is [System.Collections.IEnumerable]) { $i = $Base foreach ($Item in $Object.GetEnumerator()) { $NewObject = [ordered] @{} If ($Item -is [System.Collections.IDictionary]) { foreach ($Key in $Item.Keys) { if ($Key -notin $ExcludeProperty) { $NewObject[$Key] = $Item[$Key] } } } elseif ($Item -isnot [Array] -and $Item -isnot [System.Collections.IEnumerable]) { foreach ($Prop in $Item.PSObject.Properties) { if ($Prop.IsGettable -and $Prop.Name -notin $ExcludeProperty) { $NewObject["$($Prop.Name)"] = $Item.$($Prop.Name) } } } else { $NewObject = $Item } $Iterate["$i"] = $NewObject $i += 1 } } else { foreach ($Prop in $Object.PSObject.Properties) { if ($Prop.IsGettable -and $Prop.Name -notin $ExcludeProperty) { $Iterate["$($Prop.Name)"] = $Object.$($Prop.Name) } } } } If ($Iterate.Keys.Count) { foreach ($Key in $Iterate.Keys) { if ($Key -notin $ExcludeProperty) { ConvertTo-FlatObject -Objects @(, $Iterate["$Key"]) -Separator $Separator -Base $Base -Depth $Depth -Path ($Path + $Key) -OutputObject $OutputObject -ExcludeProperty $ExcludeProperty } } } else { $Property = $Path -Join $Separator if ($Property) { # We only care if property is not empty if ($Object -is [System.Collections.IDictionary] -and $Object.Keys.Count -eq 0) { $OutputObject[$Property] = $null } else { $OutputObject[$Property] = $Object } } } } elseif ($InputObjects.Count -gt 0) { foreach ($ItemObject in $InputObjects) { $OutputObject = [ordered]@{} ConvertTo-FlatObject -Objects @(, $ItemObject) -Separator $Separator -Base $Base -Depth $Depth -Path $Path -OutputObject $OutputObject -ExcludeProperty $ExcludeProperty [PSCustomObject] $OutputObject } } } } #EndRegion '.\Public\ConvertTo-FlatObject.ps1' 162 #Region '.\Public\Get-SEPClientDefVersions.ps1' 0 function Get-SEPClientDefVersions { <# .SYNOPSIS Gets a list of clients for a group by content version. .DESCRIPTION Gets a list of clients for a group by content version. .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE PS C:\PSSymantecSEPM> Get-SEPClientDefVersions version clientsCount ------- ------------ 2023-09-04 rev. 002 15 2023-09-03 rev. 002 4 2023-09-01 rev. 008 2 2023-08-31 rev. 021 2 2023-08-31 rev. 002 1 2023-08-29 rev. 003 1 Gets a list of clients grouped by content version. #> [CmdletBinding()] param ( # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $URI = $script:BaseURLv1 + "/stats/client/content" $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { # prepare the parameters $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params return $resp } } #EndRegion '.\Public\Get-SEPClientDefVersions.ps1' 60 #Region '.\Public\Get-SEPClientInfectedStatus.ps1' 0 function Get-SEPClientInfectedStatus { <# .SYNOPSIS Gets SEP Clients with Infected or Clean status .DESCRIPTION Gets SEP Clients with Infected or Clean status NOTES : Clean status is just Infected = 0 .INPUTS None .OUTPUTS List of SEP Clients with Infected status .PARAMETER Clean If specified, returns SEP Clients with Clean status .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE Get-SEPClientInfectedStatus Gets computer details for all computers in the domain .EXAMPLE Get-SEPClientInfectedStatus -Clean Gets computer details for all computers in the domain that are not infected #> [CmdletBinding()] param ( [Parameter()] [switch] $Clean, # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { if ($SkipCertificateCheck) { $script:SkipCert = $true } } process { if ($clean) { $non_infected = Get-SEPComputers | Where-Object { $_.infected -ne 1 } return $non_infected } else { $infected = Get-SEPComputers | Where-Object { $_.infected -eq 1 } return $Infected } } } #EndRegion '.\Public\Get-SEPClientInfectedStatus.ps1' 55 #Region '.\Public\Get-SEPClientStatus.ps1' 0 function Get-SEPClientStatus { <# .SYNOPSIS Gets a list and count of the online and offline clients. .DESCRIPTION Gets a list and count of the online and offline clients. .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE C:\PSSymantecSEPM> Get-SEPClientStatus lastUpdated clientCountStatsList ----------- -------------------- 1693910248728 {@{status=ONLINE; clientsCount=212}, @{status=OFFLINE; clientsCount=48}} Gets a list and count of the online and offline clients. #> [CmdletBinding()] param ( # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $URI = $script:BaseURLv1 + "/stats/client/onlinestatus" $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { # prepare the parameters $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params return $resp } } #EndRegion '.\Public\Get-SEPClientStatus.ps1' 54 #Region '.\Public\Get-SEPClientVersion.ps1' 0 function Get-SEPClientVersion { <# .SYNOPSIS Gets a list and count of clients by client product version. .DESCRIPTION Gets a list and count of clients by client product version. .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE PS C:\PSSymantecSEPM> $SEPversions = Get-SEPClientVersion PS C:\PSSymantecSEPM> $SEPversions.clientVersionList version clientsCount formattedVersion ------- ------------ ---------------- 11.0.6000.550 1 11.0.6 (11.0 MR6) build 550 12.1.2015.2015 1 12.1.2 (12.1 RU2) build 2015 12.1.6867.6400 1 12.1.6 (12.1 RU6 MP4) build 6867 12.1.7004.6500 3 12.1.6 (12.1 RU6 MP5) build 7004 12.1.7454.7000 177 12.1.7 (12.1 RU7) build 7454 14.0.3752.1000 36 14.0.3 (14.0 RU3 MP7) build 1000 14.2.1031.0100 21 14.2.1 (14.2 RU1) build 0100 14.2.3335.1000 3 14.2.3 (14.2 RU3 MP3) build 1000 14.3.510.0000 12 14.3 (14.3) build 0000 14.3.558.0000 5 14.3 (14.3) build 0000 Gets a list and count of clients by client product version. #> [CmdletBinding()] param ( # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $URI = $script:BaseURLv1 + "/stats/client/version" $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { # prepare the parameters $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params return $resp } } #EndRegion '.\Public\Get-SEPClientVersion.ps1' 65 #Region '.\Public\Get-SEPComputers.ps1' 0 function Get-SEPComputers { <# .SYNOPSIS Gets the information about the computers in a specified domain .DESCRIPTION Gets the information about the computers in a specified domain. either from computer names or group names .PARAMETER ComputerName Specifies the name of the computer for which you want to get the information. Supports wildcards .PARAMETER GroupName Specifies the group full path name for which you want to get the information. Supports wildcards .PARAMETER IncludeSubGroups Specifies whether to include subgroups when querying by group name .EXAMPLE Get-SEPComputers Gets computer details for all computers in the domain .EXAMPLE "MyComputer1","MyComputer2" | Get-SEPComputers Gets computer details for the specified computer MyComputer via pipeline .EXAMPLE Get-SEPComputers -ComputerName "MyComputer*" Gets computer details for all computer names starting by MyComputer .EXAMPLE Get-SEPComputers -GroupName "My Company\EMEA\Workstations" Gets computer details for all computers in the specified group MyGroup .EXAMPLE Get-SEPComputers -GroupName "My Company\EMEA\Workstations" -IncludeSubGroups Gets computer details for all computers in the specified group MyGroup and its subgroups #> [CmdletBinding( DefaultParameterSetName = 'ComputerName' )] Param ( # ComputerName [Parameter( ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'ComputerName' )] [Alias("Hostname", "DeviceName", "Device", "Computer")] [String] $ComputerName, # group name [Parameter( ValueFromPipelineByPropertyName = $true, ParameterSetName = 'GroupName' )] [Alias("Group")] [String] $GroupName, # switch parameter to include subgroups [Parameter( ParameterSetName = 'GroupName' )] [switch] $IncludeSubGroups, # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { # Using computer name API call if ($ComputerName) { $allResults = @() $URI = $script:BaseURLv1 + "/computers" # URI query strings $QueryStrings = @{ sort = "COMPUTER_NAME" pageIndex = 1 pageSize = 100 computerName = $ComputerName } # Construct the URI $URI = Build-SEPMQueryURI -BaseURI $URI -QueryStrings $QueryStrings do { # Invoke the request params $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params # Process the response $allResults += $resp.content # Increment the page index & update URI $QueryStrings.pageIndex++ $URI = Build-SEPMQueryURI -BaseURI $URI -QueryStrings $QueryStrings } until ($resp.lastPage -eq $true) # return the response return $allResults } # Using computer name API call then filtering elseif ($GroupName) { $allResults = @() $URI = $script:BaseURLv1 + "/computers" # URI query strings $QueryStrings = @{ sort = "COMPUTER_NAME" pageIndex = 1 pageSize = 100 computerName = $ComputerName # empty string value to ensure the URI is constructed correctly & query all computers } # Construct the URI $URI = Build-SEPMQueryURI -BaseURI $URI -QueryStrings $QueryStrings do { # Invoke the request params $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params # Process the response $allResults += $resp.content # Increment the page index & update URI $QueryStrings.pageIndex++ $URI = Build-SEPMQueryURI -BaseURI $URI -QueryStrings $QueryStrings } until ($resp.lastPage -eq $true) # Filtering if ($IncludeSubGroups) { $allResults = $allResults | Where-Object { $_.group.name -like "$GroupName*" } } else { $allResults = $allResults | Where-Object { $_.group.name -eq $GroupName } } # return the response return $allResults } # No parameters else { $allResults = @() $URI = $script:BaseURLv1 + "/computers" # URI query strings $QueryStrings = @{ sort = "COMPUTER_NAME" pageIndex = 1 pageSize = 100 } # Construct the URI $URI = Build-SEPMQueryURI -BaseURI $URI -QueryStrings $QueryStrings do { # Invoke the request params $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params # Process the response $allResults += $resp.content # Increment the page index & update URI $QueryStrings.pageIndex++ $URI = Build-SEPMQueryURI -BaseURI $URI -QueryStrings $QueryStrings } until ($resp.lastPage -eq $true) # return the response return $allResults } } } #EndRegion '.\Public\Get-SEPComputers.ps1' 208 #Region '.\Public\Get-SEPFileDetails.ps1' 0 function Get-SEPFileDetails { <# .SYNOPSIS Gets the details of a binary file, such as the checksum and the file size .DESCRIPTION Gets the details of a binary file, such as the checksum and the file size .PARAMETER FileID The ID of the file to get the details of Is a required parameter Can be found in the command ID of the response from Send-SEPMCommandGetFile .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE PS C:\PSSymantecSEPM> Get-SEPFileDetails -FileID 12345678901234567890123456789 id fileSize checksum -- -------- -------- CD02BC8E0A6606D53533F2428BB86D4E 1071101 4BE0BB3B57044CAD186FB59C2B7A13BB #> [CmdletBinding()] param ( [Parameter()] [string] $FileID, # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $URI = $script:BaseURLv1 + "/command-queue/file/$FileID/details" $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { # URI query strings $QueryStrings = @{ file_id = $FileID } # Construct the URI $URI = Build-SEPMQueryURI -BaseURI $URI -QueryStrings $QueryStrings $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params return $resp } } #EndRegion '.\Public\Get-SEPFileDetails.ps1' 68 #Region '.\Public\Get-SEPGUPList.ps1' 0 function Get-SEPGUPList { <# .SYNOPSIS Gets a list of group update providers .DESCRIPTION Gets a list of SEP clients acting as group update providers .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE PS C:\PSSymantecSEPM> Get-SEPGUPList Gets a list of GUPs clients .EXAMPLE PS C:\PSSymantecSEPM> Get-SEPGUPList | Select-Object Computername, AgentVersion, IpAddress, port computerName agentVersion ipAddress port ------------ ------------ --------- ---- Server01 12.1.7454.7000 10.0.0.150 2967 Server02 14.3.558.0000 10.1.0.150 2967 Workstation01 12.1.7454.7000 192.168.0.1 2967 Workstation02 14.3.558.0000 192.168.1.1 2967 Gets a list of GUPs clients with specific properties #> [CmdletBinding()] param ( # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $URI = $script:BaseURLv1 + "/gup/status" $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { # prepare the parameters $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params return $resp } } #EndRegion '.\Public\Get-SEPGUPList.ps1' 62 #Region '.\Public\Get-SEPMAccessToken.ps1' 0 function Get-SEPMAccessToken { <# .SYNOPSIS Retrieves the API token for use in the rest of the module. .DESCRIPTION Retrieves the API token for use in the rest of the module. First will try to use the one that may have been provided as a parameter. If not provided, then will try to use the one already cached in memory. If still not found, will look to see if there is a file with the API token stored on disk Finally, if there is still no available token : - check if the SEPM server name is configured - check if the credentials are configured or stored on disk - query one from the SEPM server - store it in memory and on disk - return the token .PARAMETER AccessToken If provided, this will be returned instead of using the cached/configured value .OUTPUTS System.String #> [CmdletBinding()] [OutputType([PSCustomObject])] param( [PSCustomObject] $AccessToken ) # First will try to use the one that may have been provided as a parameter. if (-not [String]::IsNullOrEmpty($AccessToken.token)) { if (Test-SEPMAccessToken -Token $AccessToken) { $script:accessToken = $AccessToken return $AccessToken } } # If not provided, then will try to use the one already cached in memory. if (-not [String]::IsNullOrEmpty($script:accessToken)) { if (Test-SEPMAccessToken -Token $script:accessToken) { return $script:accessToken } } # If still not found, will look to see if there is a file with the API token stored in the disk if (Test-Path $script:accessTokenFilePath) { $AccessToken = Import-Clixml -Path $script:accessTokenFilePath -ErrorAction Ignore if (Test-SEPMAccessToken -Token $AccessToken) { $script:accessToken = $AccessToken return $script:accessToken } } # Finally, if there is still no available token, query one from the SEPM server. # Then caches the token in memory and stores it in a file on disk as a SecureString if ($null -eq $script:configuration.ServerAddress) { $message = "SEPM Server name not found. Provide server name :" Write-Warning -Message $message $ServerAddress = Read-Host -Prompt $message Set-SepmConfiguration -ServerAddress $ServerAddress } # Look for credentials stored in the disk if (Test-Path $script:credentialsFilePath) { $script:Credential = Import-Clixml -Path $script:credentialsFilePath -ErrorAction Ignore } if ($null -eq $script:Credential) { $message = "Credentials not found. Provide credentials :" Write-Warning -Message $message Set-SEPMAuthentication -credential (Get-Credential) } # Test the certificate of the SEPM server $URI_Authenticate = $script:BaseURLv1 + '/identity/authenticate' Test-SEPMCertificate -URI $URI_Authenticate # Construct the request $body = @{ "username" = $script:Credential.UserName "password" = ([System.Net.NetworkCredential]::new("", $script:Credential.Password).Password) "appName" = "PSSymantecSEPM PowerShell Module" "domain" = $script:configuration.domain } $Params = @{ Method = 'POST' Uri = $URI_Authenticate ContentType = "application/json" Body = ($body | ConvertTo-Json) } # Invoke the request and SkipCert if needed $Response = Invoke-ABRestMethod -params $Params # Sort the response $CachedToken = [PSCustomObject]@{ token = $response.token tokenExpiration = (Get-Date).AddSeconds($Response.tokenExpiration) SkipCert = $script:SkipCert } # Caches the token in memory $script:accessToken = $CachedToken # Stores it in a file on disk as a SecureString if (-not (Test-Path ($Script:accessTokenFilePath | Split-Path))) { New-Item -ItemType Directory -Path ($Script:accessTokenFilePath | Split-Path) -Force | Out-Null } $script:accessToken | Export-Clixml -Path $script:accessTokenFilePath -Force # return the token return $script:accessToken } #EndRegion '.\Public\Get-SEPMAccessToken.ps1' 115 #Region '.\Public\Get-SEPMAdmins.ps1' 0 Function Get-SEPMAdmins { <# .SYNOPSIS Displays a list of admins in the Symantec Database .DESCRIPTION Gets the list of administrators for a particular domain. The Git repo for this module can be found here: https://github.com/Douda/PSSymantecSEPM .PARAMETER AdminName Displays only a specific user from the Admin List .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE Get-SEPMAdmins .EXAMPLE Get-SEPMAdmins -AdminName admin #> [CmdletBinding()] Param ( # AdminName [Parameter( ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true )] [String] [Alias("Admin")] $AdminName, # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $URI = $script:BaseURLv1 + "/admin-users" $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { # URI query strings $QueryStrings = @{ domain = $script:configuration.domain } # Construct the URI $URI = Build-SEPMQueryURI -BaseURI $URI -QueryStrings $QueryStrings $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params # Process the response if ([string]::IsNullOrEmpty($AdminName)) { return $resp } else { $resp = $resp | Where-Object { $_.loginName -eq $AdminName } return $resp } } } #EndRegion '.\Public\Get-SEPMAdmins.ps1' 83 #Region '.\Public\Get-SEPMCommandStatus.ps1' 0 function Get-SEPMCommandStatus { <# .SYNOPSIS Get Command Status Details .DESCRIPTION Gets the details of a command status .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE PS C:\PSSymantecSEPM> $status = Get-SEPMCommandStatus -Command_ID D17D6DF9877049559910DD7B0306711C content : {@{beginTime=; lastUpdateTime=; computerName=MyWorkstation01; computerIp=192.168.1.1; domainName=Default; currentLoginUserName=localadmin; stateId=0; subStateId=0; subStateDesc=; binaryFileId=; resultInXML=; computerId=ABCDEF2837CD5C4FD167AD5E2CB31C71; hardwareKey=ABCDEF2837CD5C4FD167AD5E2CB31C71}} number : 0 size : 20 sort : {@{direction=ASC; property=Begintime; ascending=True}} numberOfElements : 1 firstPage : True totalPages : 1 lastPage : True totalElements : 1 PS C:\PSSymantecSEPM> $status.content beginTime : lastUpdateTime : computerName : MyWorkstation01 computerIp : 192.168.1.1 domainName : Default currentLoginUserName : localadmin stateId : 0 subStateId : 0 subStateDesc : binaryFileId : resultInXML : computerId : ABCDEF2837CD5C4FD167AD5E2CB31C71 hardwareKey : ABCDEF2837CD5C4FD167AD5E2CB31C71 Gets the status of a command .PARAMETER Command_ID The ID of the command to get the status of #> [CmdletBinding()] param ( [Parameter( Mandatory = $true, ValueFromPipelineByPropertyName = $true )] [string] [Alias("ID", "CommandID")] $Command_ID, # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $URI = $script:BaseURLv1 + "/command-queue/$command_id" $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { # prepare the parameters $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params return $resp } } #EndRegion '.\Public\Get-SEPMCommandStatus.ps1' 88 #Region '.\Public\Get-SEPMDatabaseInfo.ps1' 0 function Get-SEPMDatabaseInfo { <# .SYNOPSIS Gets the database infromation of local site. .DESCRIPTION Gets the database infromation of local site .PARAMETER SkipCertificateCheck Skip certificate check .INPUTS None .OUTPUTS System.Object .EXAMPLE PS C:\PSSymantecSEPM> Get-SEPMDatabaseInfo name : SQLSRV01 description : address : SQLSRV01 instanceName : port : 1433 type : Microsoft SQL Server version : 12.00.5000 installedBySepm : False database : sem5 dbUser : sem5 dbPasswords : dbTLSRootCertificate : Gets detailed information on the database of the local site #> [CmdletBinding()] param ( # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $URI = $script:BaseURLv1 + "/admin/database" $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { # prepare the parameters $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params return $resp } } #EndRegion '.\Public\Get-SEPMDatabaseInfo.ps1' 67 #Region '.\Public\Get-SEPMDomain.ps1' 0 function Get-SEPMDomain { <# .SYNOPSIS Gets a list of all accessible domains .DESCRIPTION Gets a list of all accessible domains .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE PS C:\PSSymantecSEPM> Get-SEPMDomain id : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX name : Default description : createdTime : 1360247301316 enable : True companyName : contactInfo : administratorCount : 15 Gets a list of all accessible domains #> [CmdletBinding()] param ( # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $URI = $script:BaseURLv1 + "/domains" $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { # prepare the parameters $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params return $resp } } #EndRegion '.\Public\Get-SEPMDomain.ps1' 60 #Region '.\Public\Get-SEPMEventInfo.ps1' 0 function Get-SEPMEventInfo { <# .SYNOPSIS Gets the information about the computers in a specified domain .DESCRIPTION Gets the information about the computers in a specified domain. A system administrator account is required for this REST API. .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE PS C:\PSSymantecSEPM> $SEPMEvents = Get-SEPMEventInfo lastUpdated totalUnacknowledgedMessages criticalEventsInfoList ----------- --------------------------- ---------------------- 1693911276712 4906 {@{eventId=XXXXXXXXXXXXXXXXXXXXXXXXX; eventDateTime=2023-08-12 19:22:21.0... PS C:\PSSymantecSEPM> $SEPMEvents.criticalEventsInfoList | Select-Object -First 1 eventId : XXXXXXXXXXXXXXXXXXXXXXXXX eventDateTime : 2023-08-12 19:22:21.0 subject : CRITICAL: OLD SONAR DEFINITIONS message : 306 computers found with SONAR definitions older than 7 days. acknowledged : 0 Example of an event gathered from the SEPM server. #> [CmdletBinding()] param ( # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $URI = $script:BaseURLv1 + "/events/critical" $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { # prepare the parameters $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params return $resp } } #EndRegion '.\Public\Get-SEPMEventInfo.ps1' 64 #Region '.\Public\Get-SEPMExceptionPolicy.ps1' 0 function Get-SEPMExceptionPolicy { <# .SYNOPSIS Get Exception Policy .DESCRIPTION Get Exception Policy details Note this is a V2 API call, and replies are originally JSON based .PARAMETER PolicyName The name of the policy to get the details of Is a required parameter .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE PS C:\PSSymantecSEPM> Get-SEPMExceptionPolicy -PolicyName "Standard Servers - Exception policy" Name Value ---- ----- sources {} configuration {[files, System.Object[]], [non_pe_rules, System.Object[]], [directories, System.Object[]], [webdomains, System.Object[]]…} lockedoptions {[knownrisk, True], [extension, True], [file, True], [domain, True]…} enabled True desc name Standard Servers - Exception policy lastmodifiedtime 1646398353107 Shows an example of getting the Exception policy details for the policy named "Standard Servers - Exception policy" #> [CmdletBinding()] Param ( # PolicyName [Parameter( ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Mandatory = $true )] [Alias("Policy_Name")] [String] $PolicyName, # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } # BaseURL V2 $URI = $script:BaseURLv2 + "/policies/exceptions" $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } # Stores the policy summary for all policies only once $policies = Get-SEPMPoliciesSummary } process { # Get Policy ID from policy name $policyID = $policies | Where-Object { $_.name -eq $PolicyName } | Select-Object -ExpandProperty id $policy_type = $policies | Where-Object { $_.name -eq $PolicyName } | Select-Object -ExpandProperty policytype if ($policy_type -ne "exceptions") { $message = "policy type is not of type EXCEPTIONS or does not exist - Please verify the policy name" Write-Error -Message $message throw $message } # Updating URI with policy ID $URI = $URI + "/" + $policyID # prepare the parameters $params = @{ Method = 'GET' Uri = $URI headers = $headers UseBasicParsing = $true } $resp = Invoke-ABRestMethod -params $params # JSON response to convert to PSObject $resp = $resp | ConvertFrom-Json -AsHashtable -Depth 100 # return the response return $resp } } #EndRegion '.\Public\Get-SEPMExceptionPolicy.ps1' 97 #Region '.\Public\Get-SEPMFileFingerprintList.ps1' 0 function Get-SEPMFileFingerprintList { <# TODO update help .SYNOPSIS Get File Finger Print List By Name .DESCRIPTION Gets the file fingerprint list for a specified Name as a set of hash values .PARAMETER FingerprintListName The name of the file fingerprint list .PARAMETER FingerprintListID The ID of the file fingerprint list .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE PS C:\PSSymantecSEPM> Get-SEPMFileFingerprintList -FingerprintListName "Fingerprint list for workstations" id : 2A331150CDB44B9A9F1332E27321A1EE name : Fingerprint list for workstations hashType : MD5 source : WEBSERVICE description : data : {01BCE403043C0695EBB04D89C2B3A027, 03F3C0A7A2DD4EE1E81FABDBC557E2E8, 043A1B77C731F053FCA5DCC4AA18838F, 07996DCEEA57D8615B91A48AA7B49EC3…} groupIds : {46B9A36B0A66062224C839F606E6B1CE, AD3CD4620A95B05502CBDB658A6F7BE3, 09CC40530A6606221853DEA0AC606451, 96017A1E0A6906231EFEACCBD915B592…} Gets the file fingerprint list for a specified Name as a set of hash values .EXAMPLE PS C:\PSSymantecSEPM> Get-SEPMFileFingerprintList -FingerprintListID 2A331150CDB44B9A9F1332E27321A1EE id : 2A331150CDB44B9A9F1332E27321A1EE name : ASD01P0215 hashType : MD5 source : WEBSERVICE description : data : {01BCE403043C0695EBB04D89C2B3A027, 03F3C0A7A2DD4EE1E81FABDBC557E2E8, 043A1B77C731F053FCA5DCC4AA18838F, 07996DCEEA57D8615B91A48AA7B49EC3…} groupIds : {46B9A36B0A66062224C839F606E6B1CE, AD3CD4620A95B05502CBDB658A6F7BE3, 09CC40530A6606221853DEA0AC606451, 96017A1E0A6906231EFEACCBD915B592…} Gets the file fingerprint list for a specified ID as a set of hash values #> [CmdletBinding()] param ( [Parameter( ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true )] [string] $FingerprintListName, [Parameter( ValueFromPipelineByPropertyName = $true )] [string] $FingerprintListID, # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { if ($FingerprintListName) { $URI = $script:BaseURLv1 + "/policy-objects/fingerprints" # URI query strings $QueryStrings = @{ name = $FingerprintListName } # Construct the URI $URI = Build-SEPMQueryURI -BaseURI $URI -QueryStrings $QueryStrings $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params } if ($FingerprintListID) { $URI = $script:BaseURLv1 + "/policy-objects/fingerprints/$FingerprintListID" # prepare the parameters $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params } # return the response return $resp } } #EndRegion '.\Public\Get-SEPMFileFingerprintList.ps1' 114 #Region '.\Public\Get-SEPMFirewallPolicy.ps1' 0 function Get-SEPMFirewallPolicy { <# .SYNOPSIS Get Firewall Policy .DESCRIPTION Get Firewall Policy details .PARAMETER PolicyName The name of the policy to get the details of Is a required parameter .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE PS C:\PSSymantecSEPM> Get-SEPMFirewallPolicy -PolicyName "Standard Servers - Firewall policy" sources : configuration : @{enforced_rules=System.Object[]; baseline_rules=System.Object[]; ignore_parent_rules=; smart_dhcp=False; smart_dns=False; smart_wins=False; token_ring_traffic=False; netbios_protection=False; reverse_dns=False; port_scan=False; dos=False; antimac_spoofing=False; autoblock=False; autoblock_duration=600; stealth_web=False; antiIP_spoofing=False; hide_os=False; windows_firewall=NO_ACTION; windows_firewall_notification=False; endpoint_notification=; p2p_auth=; mac=} enabled : True desc : Standard Server Firewall Policy - This policy is for standard servers. It is a strict policy that blocks all traffic except for the services that are explicitly allowed. name : Standard Servers - Firewall policy lastmodifiedtime : 1692253688318 Shows an example of getting the firewall policy details for the policy named "Standard Servers - Firewall policy" #> [CmdletBinding()] Param ( # PolicyName [Parameter( ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Mandatory = $true )] [Alias("Policy_Name")] [String] $PolicyName, # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $URI = $script:BaseURLv1 + "/policies/firewall" $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } # Stores the policy summary for all policies only once $policies = Get-SEPMPoliciesSummary } process { # Get Policy ID from policy name $policyID = $policies | Where-Object { $_.name -eq $PolicyName } | Select-Object -ExpandProperty id $policy_type = $policies | Where-Object { $_.name -eq $PolicyName } | Select-Object -ExpandProperty policytype if ($policy_type -ne "fw") { $message = "policy type is not of type FIREWALL or does not exist - Please verify the policy name" Write-Error -Message $message throw $message } # Updating URI with policy ID $URI = $URI + "/" + $policyID # prepare the parameters $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params return $resp } } #EndRegion '.\Public\Get-SEPMFirewallPolicy.ps1' 88 #Region '.\Public\Get-SEPMGroups.ps1' 0 function Get-SEPMGroups { <# .SYNOPSIS Gets a group list .DESCRIPTION Gets a group list .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE PS C:\GitHub_Projects\PSSymantecSEPM> Get-SEPMGroups | Select-Object -First 1 id : XXXXXXXXXXXXXXXXXXXXXXXXX name : My Company description : fullPathName : My Company numberOfPhysicalComputers : 0 numberOfRegisteredUsers : 0 createdBy : XXXXXXXXXXXXXXXXXXXXXXXXX created : 1360247401336 lastModified : 1639056401576 policySerialNumber : 718B-09/04/2023 12:56:58 775 policyDate : 1693832218775 customIpsNumber : domain : @{id=XXXXXXXXXXXXXXXXXXXXXXXXX; name=Default} policyInheritanceEnabled : False Gets the first group of the list of groups #> [CmdletBinding()] param ( # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $URI = $script:BaseURLv1 + "/groups" $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { # prepare the parameters $params = @{ Method = 'GET' Uri = $URI headers = $headers } # QueryString parameters for pagination $QueryStrings = @{ pageSize = 25 pageIndex = 1 } # Invoke the request do { try { # Invoke the request params $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params # Process the response $allResults += $resp.content # Increment the page index & update URI $QueryStrings.pageIndex++ $URI = Build-SEPMQueryURI -BaseURI $URI -QueryStrings $QueryStrings } catch { Write-Warning -Message "Error: $_" } } until ($resp.lastPage -eq $true) # return the response return $allResults } } #EndRegion '.\Public\Get-SEPMGroups.ps1' 95 #Region '.\Public\Get-SEPMIpsPolicy.ps1' 0 function Get-SEPMIpsPolicy { # TODO : returned object has empty configuration fields. Could be a bug ? # Example # PS C:\PSSymantecSEPM> $IPS_example | ConvertTo-Json # { # "sources": null, # "configuration": {}, # "enabled": true, # "desc": "Summary : added IP as excluded host to avoid ServiceNow discovery service conflicts", # "name": "Intrusion Prevention policy PRODUCTION", # "lastmodifiedtime": 1693559858824 # } <# .SYNOPSIS Get IPS Policy .DESCRIPTION Get IPS Policy details .PARAMETER PolicyName The name of the policy to get the details of Is a required parameter .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE PS C:\PSSymantecSEPM> Get-SEPMIpsPolicy -PolicyName "Intrusion Prevention policy PRODUCTION" sources : configuration : enabled : True desc : IPS description field name : Intrusion Prevention policy PRODUCTION lastmodifiedtime : 1693559858824 Shows an example of getting the IPS policy details for the policy named "Intrusion Prevention policy PRODUCTION" #> [CmdletBinding()] Param ( # PolicyName [Parameter( ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Mandatory = $true )] [Alias("Policy_Name")] [String] $PolicyName, # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $URI = $script:BaseURLv1 + "/policies/ips" $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } # Stores the policy summary for all policies only once $policies = Get-SEPMPoliciesSummary } process { # Get Policy ID from policy name $policyID = $policies | Where-Object { $_.name -eq $PolicyName } | Select-Object -ExpandProperty id $policy_type = $policies | Where-Object { $_.name -eq $PolicyName } | Select-Object -ExpandProperty policytype if ($policy_type -ne "ips") { $message = "policy type is not of type IPS or does not exist - Please verify the policy name" Write-Error -Message $message throw $message } # Updating URI with policy ID $URI = $URI + "/" + $policyID # prepare the parameters $params = @{ Method = 'GET' Uri = $URI headers = $headers UseBasicParsing = $true } $resp = Invoke-ABRestMethod -params $params return $resp } } #EndRegion '.\Public\Get-SEPMIpsPolicy.ps1' 99 #Region '.\Public\Get-SEPMLatestDefinition.ps1' 0 function Get-SEPMLatestDefinition { <# .SYNOPSIS Get AV Def Latest Info .DESCRIPTION Gets the latest revision information for antivirus definitions from Symantec Security Response. .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE PS C:\PSSymantecSEPM> Get-SEPMLatestDefinition contentName publishedBySymantec publishedBySEPM ----------- ------------------- --------------- AV_DEFS 9/4/2023 rev. 2 9/4/2023 rev. 2 Gets the latest revision information for antivirus definitions from Symantec Security Response. #> [CmdletBinding()] param ( # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $URI = $script:BaseURLv1 + "/content/avdef/latest" $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { # prepare the parameters $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params return $resp } } #EndRegion '.\Public\Get-SEPMLatestDefinition.ps1' 55 #Region '.\Public\Get-SEPMPoliciesSummary.ps1' 0 function Get-SEPMPoliciesSummary { <# .SYNOPSIS Get summary of all or feature specific policies .DESCRIPTION Get the policy summary for specified policy type. Also gets the list of groups to which the policies are assigned. .PARAMETER PolicyType The policy type for which the summary is to be retrieved. The valid values are hid, exceptions, mem, ntr, av, fw, ips, lu, hi, adc, msl, upgrade. If not specified, the summary for all policies is retrieved. .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE PS C:\PSSymantecSEPM> Get-SEPMPoliciesSummary content : {@{sources=System.Object[]; enabled=True; desc=Created automatically during product ...}} size : 136 number : 0 sort : numberOfElements : 136 totalElements : 136 totalPages : 1 lastPage : True firstPage : True Get policy statistics for all policies and its assigned groups .EXAMPLE PS C:\PSSymantecSEPM> Get-SEPMPoliciesSummary -PolicyType fw Get policy statistics for firewall policies and its assigned groups #> [CmdletBinding()] param ( [Parameter()] [ValidateSet( 'hid', 'exceptions', 'mem', 'ntr', 'av', 'fw', 'ips', 'lucontent', 'lu', 'hi', 'adc', 'msl', # Currently getting an error when trying to get this policy type # {"errorCode":"400","appErrorCode":"","errorMessage":"The policy type argument is invalid."} # TODO: Investigate this error 'upgrade' )] [string] $PolicyType, # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $URI = $script:BaseURLv1 + "/policies/summary" $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } # Get the list of groups and IDs to inject into the response $groups = Get-SEPMGroups } process { if (-not $PolicyType) { # Invoke the request try { # prepare the parameters $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params # Add group FullPath to the response from their Group ID for ease of use # Parsing every response object foreach ($policy in $resp.content) { # Parsing every location this policy is applied to foreach ($location in $policy.assignedtolocations) { # Getting the group name from the group ID, and adding it to the response object $group = $groups | Where-Object { $_.id -match $location.groupid } | Get-Unique $location | Add-Member -NotePropertyName "groupNameFullPath" -NotePropertyValue $group.fullPathName } } } catch { Write-Warning -Message "Error: $_" } # return the response return $resp.content } if ($PolicyType) { $URI = $script:BaseURLv1 + "/policies/summary" + "/" + $PolicyType # prepare the parameters $params = @{ Method = 'GET' Uri = $URI headers = $headers } # Invoke the request try { $resp = Invoke-ABRestMethod -params $params # Add group FullPath to the response from their Group ID for ease of use # Parsing every response object foreach ($policy in $resp.content) { # Parsing every location this policy is applied to foreach ($location in $policy.assignedtolocations) { # Getting the group name from the group ID, and adding it to the response object $group = $groups | Where-Object { $_.id -match $location.groupid } | Get-Unique $location | Add-Member -NotePropertyName "groupNameFullPath" -NotePropertyValue $group.fullPathName } } } catch { Write-Warning -Message "Error: $_" } # return the response return $resp.content } } } #EndRegion '.\Public\Get-SEPMPoliciesSummary.ps1' 143 #Region '.\Public\Get-SEPMReplicationStatus.ps1' 0 function Get-SEPMReplicationStatus { <# .SYNOPSIS Get Replication Status .DESCRIPTION Get Replication Status .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE PS C:\PSSymantecSEPM> Get-SEPMReplicationStatus replicationStatus ----------------- @{siteName=Site Europe; siteLocation=Paris; replicationPartnerStatusList=System.Object[]; id=XXXXXXXXXXXXXXXXXXXXXXXX} Get a list of replication status with every remote site #> [CmdletBinding()] param ( # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $URI = $script:BaseURLv1 + "/replication/status" $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { # prepare the parameters $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params return $resp } } #EndRegion '.\Public\Get-SEPMReplicationStatus.ps1' 55 #Region '.\Public\Get-SEPMThreatStats.ps1' 0 function Get-SEPMThreatStats { <# .SYNOPSIS Gets threat statistics .DESCRIPTION Gets threat statistics .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE PS C:\PSSymantecSEPM> Get-SEPMThreatStats Stats ----- @{lastUpdated=1693912098821; infectedClients=1} Gets threat statistics #> [CmdletBinding()] param ( # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $URI = $script:BaseURLv1 + "/stats/threat" $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { # prepare the parameters $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params return $resp } } #EndRegion '.\Public\Get-SEPMThreatStats.ps1' 55 #Region '.\Public\Get-SEPMVersion.ps1' 0 Function Get-SEPMVersion { <# .SYNOPSIS Gets the current version of Symantec Endpoint Protection Manager. .DESCRIPTION Gets the current version of Symantec Endpoint Protection Manager. This function dot not require authentication. .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE PS C:\PSSymantecSEPM> Get-SEPMVersion API_SEQUENCE API_VERSION version ------------ ----------- ------- 230504014 14.3.7000 14.3.9816.7000 Gets the current version of Symantec Endpoint Protection Manager. #> [CmdletBinding()] param ( # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $URI = $script:BaseURLv1 + "/version" $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { # prepare the parameters $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params return $resp } } #EndRegion '.\Public\Get-SEPMVersion.ps1' 55 #Region '.\Public\Remove-SEPMFileFingerprintList.ps1' 0 function Remove-SEPMFileFingerprintList { <# .SYNOPSIS Deletes a file fingerprint list .DESCRIPTION Deletes a file fingerprint list, and removes it from a group to which it applies .PARAMETER FingerprintListName The name of the file fingerprint list .PARAMETER FingerprintListID The ID of the file fingerprint list .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE PS C:\PSSymantecSEPM> Remove-SEPMFileFingerprintList -FingerprintListName "Fingerprint list for workstations" Removes the file fingerprint list with the name "Fingerprint list for workstations" .EXAMPLE PS C:\PSSymantecSEPM> "Fingerprint list for workstations" | Remove-SEPMFileFingerprintList Removes the file fingerprint list with the name "Fingerprint list for workstations" via the pipeline .EXAMPLE PS C:\PSSymantecSEPM> Remove-SEPMFileFingerprintList -FingerprintListID 2A331150CDB44B9A9F1332E27321A1EE Removes the file fingerprint list with the ID "2A331150CDB44B9A9F1332E27321A1EE" #> [CmdletBinding( DefaultParameterSetName = 'Name' )] param ( [Parameter( ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Name' )] [string] $FingerprintListName, [Parameter( ValueFromPipelineByPropertyName = $true, ParameterSetName = 'ID' )] [string] $FingerprintListID, # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { # Get the FingerprintListID if the FingerprintListName is provided if ($FingerprintListName) { $URI = $script:BaseURLv1 + "/policy-objects/fingerprints" $FingerprintListID = Get-SEPMFileFingerprintList -FingerprintListName $FingerprintListName | Select-Object -ExpandProperty id } $URI = $script:BaseURLv1 + "/policy-objects/fingerprints/$FingerprintListID" $params = @{ Method = 'DELETE' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params return $resp } } #EndRegion '.\Public\Remove-SEPMFileFingerprintList.ps1' 86 #Region '.\Public\Reset-SepmConfiguration.ps1' 0 function Reset-SEPMConfiguration { <# .SYNOPSIS Clears out the user's configuration file and configures this session with all default configuration values. .DESCRIPTION Clears out the user's configuration file and configures this session with all default configuration values. .EXAMPLE Reset-SEPMConfiguration Deletes the local configuration file and loads in all default configuration values. .NOTES This command will not clear your authentication token. Please use Clear-SEPMAuthentication to accomplish that. #> $null = Remove-Item -Path $script:configurationFilePath -Force -ErrorAction SilentlyContinue -ErrorVariable ev if (($null -ne $ev) -and ($ev.Count -gt 0) -and ($ev[0].FullyQualifiedErrorId -notlike 'PathNotFound*')) { $message = "Reset was unsuccessful. Experienced a problem trying to remove the file [$script:configurationFilePath]." Write-Warning -Message $message } Initialize-SepmConfiguration $message = "This has not cleared your authentication token. Call Clear-SEPMAuthentication to accomplish that." Write-Verbose -Message $message } #EndRegion '.\Public\Reset-SepmConfiguration.ps1' 33 #Region '.\Public\Send-SEPMCommandClearIronCache.ps1' 0 function Send-SEPMCommandClearIronCache { <# # TODO update help .SYNOPSIS Send a quarantine/unquarantine command to SEP endpoints .DESCRIPTION Send a quarantine/unquarantine command to SEP endpoints .PARAMETER ComputerName The name of the computer to send the command to Cannot be used with GroupName .PARAMETER GroupName The name of the group to send the command to Cannot be used with ComputerName Does not include subgroups .PARAMETER Unquarantine Switch parameter to unquarantine the SEP client .PARAMETER SHA256 SHA256 hash of the suspicious file. Cannot be used with MD5 or SHA1 .PARAMETER MD5 MD5 hash of the suspicious file. Cannot be used with SHA256 or SHA1 .PARAMETER SHA1 SHA1 hash of the suspicious file. Cannot be used with SHA256 or MD5 .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE Send-SEPMCommandClearIronCache -ComputerName "Computer1" Sends a command to quarantine Computer1 .EXAMPLE "Computer1", "Computer2" | Send-SEPMCommandClearIronCache Sends a command to quarantine Computer1 and Computer2 .EXAMPLE Send-SEPMCommandClearIronCache -GroupName "My Company\EMEA\Workstations\Site1" Sends a command to quarantine all computers in "My Company\EMEA\Workstations\Site1" Does not include subgroups #> #TODO finish function [CmdletBinding()] param ( # ComputerName [Parameter( ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'ComputerName' )] [Alias("Hostname", "DeviceName", "Device", "Computer")] [String] $ComputerName, # group name [Parameter( ValueFromPipelineByPropertyName = $true, ParameterSetName = 'GroupName' )] [Alias("Group")] [String] $GroupName, # SHA256 hash of the suspicious file. [Parameter(ParameterSetName = 'SHA256Hash')] [Parameter(ParameterSetName = 'ComputerName')] [ValidateScript({ if ($_.Length -ne 64) { throw "SHA256 hash must be 64 characters long" } return $true })] [string] $SHA256, # MD5 hash of the suspicious file. [Parameter(ParameterSetName = 'MD5Hash')] [Parameter(ParameterSetName = 'ComputerName')] [ValidateScript({ if ($_.Length -ne 32) { throw "MD5 hash must be 32 characters long" } return $true })] [string] $MD5, # SHA1 hash of the suspicious file. [Parameter(ParameterSetName = 'SHA1Hash')] [Parameter(ParameterSetName = 'ComputerName')] [ValidateScript({ if ($_.Length -ne 40) { throw "SHA1 hash must be 40 characters long" } return $true })] [string] $SHA1, # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { if ($ComputerName) { # Get computer ID(s) from computer name(s) $ComputerIDList = @() foreach ($C in $ComputerName) { $ComputerID = Get-SEPComputers -ComputerName $C | Select-Object -ExpandProperty uniqueId $ComputerIDList += $ComputerID } $URI = $script:BaseURLv1 + "/command-queue/ironcache" # URI query strings $QueryStrings = @{ computer_ids = $ComputerIDList } # Construct the URI $builder = New-Object System.UriBuilder($URI) $query = [System.Web.HttpUtility]::ParseQueryString($builder.Query) foreach ($param in $QueryStrings.GetEnumerator()) { $query[$param.Key] = $param.Value } $builder.Query = $query.ToString() $URI = $builder.ToString() # Building body and add correct hash to body # TODO verify this works $body = @{ FingerPrintListPayload = @{ data = @() } } $hashParameter = $PSCmdlet.MyInvocation.BoundParameters.Keys | Where-Object { $_ -in @('SHA256', 'MD5', 'SHA1') } switch ($hashParameter) { 'SHA256' { $body.FingerPrintListPayload.Add("hashType", "sha256") $body.FingerPrintListPayload.data += $SHA256 } 'MD5' { $body.FingerPrintListPayload.Add("hashType", "md5") $body.FingerPrintListPayload.data += $MD5 } 'SHA1' { $body.FingerPrintListPayload.Add("hashType", "sha1") $body.FingerPrintListPayload.data += $SHA1 } } # Invoke the request params $params = @{ Method = 'POST' Uri = $URI headers = $headers Body = $body | ConvertTo-Json ContentType = 'application/json' } $resp = Invoke-ABRestMethod -params $params # return the response return $resp } # If group name is specified elseif ($GroupName) { # Get group ID from group name $GroupID = Get-SEPMGroups | Where-Object { $_.fullPathName -eq $GroupName } | Select-Object -ExpandProperty id -First 1 $URI = $script:BaseURLv1 + "/command-queue/ironcache" # URI query strings $QueryStrings = @{ group_ids = $GroupID } # Construct the URI $builder = New-Object System.UriBuilder($URI) $query = [System.Web.HttpUtility]::ParseQueryString($builder.Query) foreach ($param in $QueryStrings.GetEnumerator()) { $query[$param.Key] = $param.Value } $builder.Query = $query.ToString() $URI = $builder.ToString() # Invoke the request params $params = @{ Method = 'POST' Uri = $URI headers = $headers ContentType = 'application/json' } $resp = Invoke-ABRestMethod -params $params # return the response return $resp } } } #EndRegion '.\Public\Send-SEPMCommandClearIronCache.ps1' 212 #Region '.\Public\Send-SEPMCommandGetFile.ps1' 0 function Send-SEPMCommandGetFile { <# .SYNOPSIS Sends a commands to request a suspicious file be uploaded back to Symantec Endpoint Protection Manager .DESCRIPTION Sends a commands to request a suspicious file be uploaded back to Symantec Endpoint Protection Manager .PARAMETER ComputerName The list of computers on which to search for the suspicious file. .PARAMETER SHA256 SHA256 hash of the suspicious file. .PARAMETER MD5 MD5 hash of the suspicious file. .PARAMETER SHA1 SHA1 hash of the suspicious file. .PARAMETER Source The source to search for the suspicious file Possible values are: FILESYSTEM (default), QUARANTINE, or BOTH. 12.1.x clients only use FILESYSTEM. .PARAMETER FilePath The file path of the suspicious file. .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE PS C:\PSSymantecSEPM> Send-SEPMCommandGetFile -ComputerName MyWorkstation01 -SHA256 1234567890123456789012345678901234567890123456789012345678901234 -FilePath C:\Temp\malware.exe -Source BOTH Sends a command to request the following file C:\Temp\malware.exe be uploaded from MyWorkstation01 to Symantec Endpoint Protection Manager. Requests includes both the file system and quarantine locations to be looked at. #> [CmdletBinding()] param ( # The list of computers on which to search for the suspicious file. [Parameter( ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true )] [Alias("Hostname", "DeviceName", "Device", "Computer")] [String] $ComputerName, # SHA256 hash of the suspicious file. [Parameter(ParameterSetName = 'SHA256Hash')] [ValidateScript({ if ($_.Length -ne 64) { throw "SHA256 hash must be 64 characters long" } return $true })] [string] $SHA256, # MD5 hash of the suspicious file. [Parameter(ParameterSetName = 'MD5Hash')] [ValidateScript({ if ($_.Length -ne 32) { throw "MD5 hash must be 32 characters long" } return $true })] [string] $MD5, # SHA1 hash of the suspicious file. [Parameter(ParameterSetName = 'SHA1Hash')] [ValidateScript({ if ($_.Length -ne 40) { throw "SHA1 hash must be 40 characters long" } return $true })] [string] $SHA1, # The source to search for the suspicious file [Parameter()] [ValidateSet('FILESYSTEM ', 'QUARANTINE', 'BOTH')] [string] $Source, # The file path of the suspicious file. [Parameter()] [ValidateScript({ if ($_ -notmatch '^.+\\[^\\]+\.[^\\]+$') { throw "The string must be a file path ending with a file name and an extension" } return $true })] [Alias("Path")] [string] $FilePath, # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { # Get computer ID(s) from computer name(s) $ComputerIDList = @() foreach ($C in $ComputerName) { $ComputerID = Get-SEPComputers -ComputerName $C | Select-Object -ExpandProperty uniqueId $ComputerIDList += $ComputerID } $URI = $script:BaseURLv1 + "/command-queue/files" # URI query strings $QueryStrings = @{ computer_ids = $ComputerIDList file_path = $FilePath source = $Source } # Add correct hash to query strings if ($SHA256) { $QueryStrings.Add("sha256", $SHA256) } elseif ($MD5) { $QueryStrings.Add("md5", $MD5) } elseif ($SHA1) { $QueryStrings.Add("sha1", $SHA1) } # Construct the URI $URI = Build-SEPMQueryURI -BaseURI $URI -QueryStrings $QueryStrings # prepare the parameters $params = @{ Method = 'POST' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params return $resp } } #EndRegion '.\Public\Send-SEPMCommandGetFile.ps1' 147 #Region '.\Public\Send-SEPMCommandQuarantine.ps1' 0 function Send-SEPMCommandQuarantine { <# .SYNOPSIS Send a quarantine/unquarantine command to SEP endpoints .DESCRIPTION Send a quarantine/unquarantine command to SEP endpoints .PARAMETER ComputerName The name of the computer to send the command to Cannot be used with GroupName .PARAMETER GroupName The name of the group to send the command to Cannot be used with ComputerName Does not include subgroups .PARAMETER Unquarantine Switch parameter to unquarantine the SEP client .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE Send-SEPMCommandQuarantine -ComputerName "Computer1" Sends a command to quarantine Computer1 .EXAMPLE "Computer1", "Computer2" | Send-SEPMCommandQuarantine Sends a command to quarantine Computer1 and Computer2 .EXAMPLE Send-SEPMCommandQuarantine -GroupName "My Company\EMEA\Workstations\Site1" Sends a command to quarantine all computers in "My Company\EMEA\Workstations\Site1" Does not include subgroups #> [CmdletBinding()] param ( # ComputerName [Parameter( ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'ComputerName' )] [Alias("Hostname", "DeviceName", "Device", "Computer")] [String] $ComputerName, # group name [Parameter( ValueFromPipelineByPropertyName = $true, ParameterSetName = 'GroupName' )] [Alias("Group")] [String] $GroupName, # Unquarantine [Parameter()] [switch] $Unquarantine, # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { if ($ComputerName) { # Get computer ID(s) from computer name(s) $ComputerIDList = @() foreach ($C in $ComputerName) { $ComputerID = Get-SEPComputers -ComputerName $C | Select-Object -ExpandProperty uniqueId $ComputerIDList += $ComputerID } $URI = $script:BaseURLv1 + "/command-queue/quarantine" # URI query strings $QueryStrings = @{ computer_ids = $ComputerIDList } # Add unquarantine if specified if ($Unquarantine) { $QueryStrings['undo'] = $true } # Construct the URI $URI = Build-SEPMQueryURI -BaseURI $URI -QueryStrings $QueryStrings # prepare the parameters $params = @{ Method = 'POST' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params return $resp } # If group name is specified elseif ($GroupName) { # Get group ID from group name $GroupID = Get-SEPMGroups | Where-Object { $_.fullPathName -eq $GroupName } | Select-Object -ExpandProperty id -First 1 $URI = $script:BaseURLv1 + "/command-queue/quarantine" # URI query strings $QueryStrings = @{ group_ids = $GroupID } # Add unquarantine if specified if ($Unquarantine) { $QueryStrings['undo'] = $true } # Construct the URI $URI = Build-SEPMQueryURI -BaseURI $URI -QueryStrings $QueryStrings # prepare the parameters $params = @{ Method = 'POST' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params return $resp } } } #EndRegion '.\Public\Send-SEPMCommandQuarantine.ps1' 144 #Region '.\Public\Set-SepmAuthentication.ps1' 0 function Set-SEPMAuthentication { <# .SYNOPSIS Allows the user to configure the SEPM Authentication .DESCRIPTION Allows the user to configure the SEPM Authentication Username and password will be securely stored on the machine for use in all future PowerShell sessions. .PARAMETER Credentials A PSCredential object containing the username and password to use for authentication .EXAMPLE Set-SEPMAuthentication Credentials (Get-Credential) Prompts the user for username and password, saves them to disk and in the PS Session .EXAMPLE $Credentials = Get-Credential Set-SEPMAuthentication -Credential $cred #> [CmdletBinding()] param( [PSCredential] $Credentials ) # If no credentials are provided, prompt the user for them if ($Credentials -eq $null) { $Credentials = Get-Credential } # If the user provides a username and password, verify if password is not null or empty if ([String]::IsNullOrWhiteSpace($Credentials.GetNetworkCredential().Password)) { $message = "Password not provided. Provide correct credentials and try again." Write-Error -Message $message throw $message } # Setting script scope variable so that credentials can be used in other functions $script:Credential = $Credentials # Saving credentials to disk $Credentials | Export-Clixml -Path $script:credentialsFilePath -Force } #EndRegion '.\Public\Set-SepmAuthentication.ps1' 47 #Region '.\Public\Set-SepmConfiguration.ps1' 0 function Set-SepmConfiguration { <# .SYNOPSIS Change the value of a configuration property for the PSSymantecSEPM module .DESCRIPTION Change the value of a configuration property for the PSSymantecSEPM module A single call to this method can set any number or combination of properties. .PARAMETER ServerAddress The hostname of the SEPM instance to communicate with. .PARAMETER Port The port number of the SEPM instance to communicate with. .EXAMPLE Set-SepmConfiguration -ServerAddress "MySEPMServer" Set the SEPM server address to "MySEPMServer" .EXAMPLE Set-SepmConfiguration -ServerAddress "MySEPMServer" -Port 8446 Set the SEPM server address to "MySEPMServer" and the port to 8446 #> [CmdletBinding( PositionalBinding = $false )] param( [string] $ServerAddress, [int] $Port ) # Load in the persisted configuration object $persistedConfig = Read-SepmConfiguration -Path $script:configurationFilePath # Update the configuration object with any values that were provided as parameters $properties = Get-Member -InputObject $script:configuration -MemberType NoteProperty | Select-Object -ExpandProperty Name # $PSBoundParameters is a hashtable of all the parameters that were passed to this function # We can use this to determine which properties were passed in and update the configuration object # Allows to easily add new properties by adding a param function without having to update this function foreach ($name in $properties) { if ($PSBoundParameters.ContainsKey($name)) { $value = $PSBoundParameters.$name if ($value -is [switch]) { $value = $value.ToBool() } $script:configuration.$name = $value Add-Member -InputObject $persistedConfig -Name $name -Value $value -MemberType NoteProperty -Force } } # Persist the configuration object to disk Save-SepmConfiguration -Configuration $persistedConfig -Path $script:configurationFilePath } #EndRegion '.\Public\Set-SepmConfiguration.ps1' 56 #Region '.\Public\Start-SEPMReplication.ps1' 0 function Start-SEPMReplication { <# TODO update help .SYNOPSIS Initiates replication with a remote site .DESCRIPTION Initiates replication with a remote site .PARAMETER partnerSiteName The name of the remote site to replicate with .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE PS C:\PSSymantecSEPM> Start-SEPMReplication -partnerSiteName "Remote site Americas" code ---- 0 Initiates replication with the remote site Americas. Response code 0 indicates success. #> [CmdletBinding()] param ( [Parameter()] [string] $partnerSiteName, # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck # TODO known bug with SEPM API, these parameters are returning invalid option if not set to false # [switch] # $logs, # [switch] # $ContentAndPackages ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $URI = $script:BaseURLv1 + "/replication/replicatenow" $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { # URI query strings $QueryStrings = @{ partnerSiteName = $partnerSiteName logs = $logs content = $ContentAndPackages } # Construct the URI $URI = Build-SEPMQueryURI -BaseURI $URI -QueryStrings $QueryStrings # prepare the parameters $params = @{ Method = 'POST' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params return $resp } } #EndRegion '.\Public\Start-SEPMReplication.ps1' 78 #Region '.\Public\Start-SEPScan.ps1' 0 function Start-SEPScan { <# .SYNOPSIS Sends Active Scan command to the specified computer(s) or group(s) .DESCRIPTION Sends a command from SEPM to SEP endpoints to request an active scan on the endpoint(s) .PARAMETER ComputerName Specifies the name of the computer for which you want to send the command. Accepts pipeline input by Value and ByPropertyName .PARAMETER GroupName Specifies the group full path name for which you want to send the command .PARAMETER ActiveScan Specifies the type of scan to send to the endpoint(s) Valid values are ActiveScan and FullScan By default, the ActiveScan switch is used .PARAMETER FullScan Specifies the type of scan to send to the endpoint(s) Valid values are ActiveScan and FullScan By default, the ActiveScan switch is used .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE PS C:\PSSymantecSEPM> Start-SEPScan -ComputerName MyComputer01 -ActiveScan Sends an active scan command to the specified computer MyComputer01 .EXAMPLE "MyComputer1","MyComputer2" | Start-SEPScan Sends an active scan command to the specified computers MyComputer1 & MyComputer2 via pipeline By default, the ActiveScan switch is used .EXAMPLE Start-SEPScan -GroupName "My Company\EMEA\Workstations" -fullscan Sends a fullscan command to all endpoints part of the group "My Company\EMEA\Workstations" #> [CmdletBinding( DefaultParameterSetName = 'ComputerNameActiveScan' )] Param ( # ComputerName [Parameter( ParameterSetName = 'ComputerNameActiveScan', ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true )] [Parameter( ParameterSetName = 'ComputerNameFullScan', ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true )] [Alias("Hostname", "DeviceName", "Device", "Computer")] [String] $ComputerName, # group name [Parameter( ParameterSetName = 'GroupNameActiveScan', ValueFromPipelineByPropertyName = $true )] [Parameter( ParameterSetName = 'GroupNameFullScan', ValueFromPipelineByPropertyName = $true )] [Alias("Group")] [String] $GroupName, # ActiveScan [Parameter(ParameterSetName = 'ComputerNameActiveScan')] [Parameter(ParameterSetName = 'GroupNameActiveScan')] [switch] $ActiveScan, # FullScan [Parameter(ParameterSetName = 'ComputerNameFullScan')] [Parameter(ParameterSetName = 'GroupNameFullScan')] [switch] $FullScan, # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { # If specific computer name(s) are specified if ($ComputerName) { # Get computer ID(s) from computer name(s) $ComputerIDList = @() foreach ($C in $ComputerName) { $ComputerID = Get-SEPComputers -ComputerName $C | Select-Object -ExpandProperty uniqueId $ComputerIDList += $ComputerID } if ($ActiveScan) { $URI = $script:BaseURLv1 + "/command-queue/activescan" } if ($FullScan) { $URI = $script:BaseURLv1 + "/command-queue/fullscan" } # URI query strings $QueryStrings = @{ computer_ids = $ComputerIDList } # Construct the URI $URI = Build-SEPMQueryURI -BaseURI $URI -QueryStrings $QueryStrings # prepare the parameters $params = @{ Method = 'POST' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params return $resp } # If by groupname elseif ($GroupName) { ####################################### # 1. finds all computers in the group # ####################################### $allComputers = @() $URI = $script:BaseURLv1 + "/computers" # URI query strings $QueryStrings = @{ sort = "COMPUTER_NAME" pageIndex = 1 pageSize = 100 computerName = $ComputerName # empty string value to ensure the URI is constructed correctly & query all computers } # Construct the URI $URI = Build-SEPMQueryURI -BaseURI $URI -QueryStrings $QueryStrings # Get computer list do { try { # prepare the parameters $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params # Process the response $allComputers += $resp.content # Increment the page index & update URI $QueryStrings.pageIndex++ $URI = Build-SEPMQueryURI -BaseURI $URI -QueryStrings $QueryStrings } catch { Write-Warning -Message "Error: $_" } } until ($resp.lastPage -eq $true) # filter list by group name $allComputers = $allComputers | Where-Object { $_.group.name -eq $GroupName } ################################################# # 2. send command to all computers in the group # ################################################# if ($ActiveScan) { $URI = $script:BaseURLv1 + "/command-queue/activescan" } if ($FullScan) { $URI = $script:BaseURLv1 + "/command-queue/fullscan" } $AllResp = @() foreach ($id in $allComputers.uniqueId) { # URI query strings $QueryStrings = @{ computer_ids = $id } # Construct the URI $URI = Build-SEPMQueryURI -BaseURI $URI -QueryStrings $QueryStrings # prepare the parameters $params = @{ Method = 'POST' Uri = $URI headers = $headers } # Send command to each computers in the group $resp = Invoke-ABRestMethod -params $params $AllResp += $resp } # return the response return $AllResp } } } #EndRegion '.\Public\Start-SEPScan.ps1' 221 #Region '.\Public\Update-SEPClientDefinitions.ps1' 0 function Update-SEPClientDefinitions { <# .SYNOPSIS Sends a command from SEPM to SEP endpoints to update content .DESCRIPTION Sends a command from SEPM to SEP endpoints to update content .PARAMETER ComputerName The name of the computer to send the command to cannot be used with GroupName .PARAMETER GroupName The name of the group to send the command to cannot be used with ComputerName .PARAMETER IncludeSubGroups Specifies whether to include subgroups when querying by group name .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE Update-SEPClientDefinitions -ComputerName "Computer1" Sends a command to update content to Computer1 .EXAMPLE "Computer1", "Computer2" | Update-SEPClientDefinitions Sends a command to update content to Computer1 and Computer2 .EXAMPLE Update-SEPClientDefinitions -GroupName "My Company\EMEA\Workstations" Sends a command to update content to all computers in "My Company\EMEA\Workstations" .EXAMPLE Update-SEPClientDefinitions -GroupName "My Company\EMEA\Workstations" -IncludeSubGroups Sends a command to update content to all computers in "My Company\EMEA\Workstations" and all subgroups #> [CmdletBinding()] param ( # ComputerName [Parameter( ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'ComputerName' )] [Alias("Hostname", "DeviceName", "Device", "Computer")] [String] $ComputerName, # group name [Parameter( ValueFromPipelineByPropertyName = $true, ParameterSetName = 'GroupName' )] [Alias("Group")] [String] $GroupName, # switch parameter to include subgroups [Parameter( ParameterSetName = 'GroupName' )] [switch] $IncludeSubGroups, # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { if ($ComputerName) { # Get computer ID(s) from computer name(s) $ComputerIDList = @() foreach ($C in $ComputerName) { $ComputerID = Get-SEPComputers -ComputerName $C | Select-Object -ExpandProperty uniqueId $ComputerIDList += $ComputerID } $URI = $script:BaseURLv1 + "/command-queue/updatecontent" # URI query strings $QueryStrings = @{ computer_ids = $ComputerIDList } # Construct the URI $URI = Build-SEPMQueryURI -BaseURI $URI -QueryStrings $QueryStrings # prepare the parameters $params = @{ Method = 'POST' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params return $resp } # If by groupname elseif ($GroupName) { ####################################### # 1. finds all computers in the group # ####################################### $allComputers = @() $URI = $script:BaseURLv1 + "/computers" # URI query strings $QueryStrings = @{ sort = "COMPUTER_NAME" pageIndex = 1 pageSize = 100 computerName = $ComputerName # empty string value to ensure the URI is constructed correctly & query all computers } # Construct the URI $URI = Build-SEPMQueryURI -BaseURI $URI -QueryStrings $QueryStrings # Get computer list do { try { # prepare the parameters $params = @{ Method = 'GET' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params # Process the response $allComputers += $resp.content # Increment the page index & update URI $QueryStrings.pageIndex++ $URI = Build-SEPMQueryURI -BaseURI $URI -QueryStrings $QueryStrings } catch { Write-Warning -Message "Error: $_" } } until ($resp.lastPage -eq $true) # filter list by group name # if IncludeSubGroups is specified, then get all computers from subgroups if ($IncludeSubGroups) { # get all subgroups $allComputers = $allComputers | Where-Object { $_.group.name -like "$GroupName*" } } else { $allComputers = $allComputers | Where-Object { $_.group.name -eq $GroupName } } ################################################# # 2. send command to all computers in the group # ################################################# $URI = $script:BaseURLv1 + "/command-queue/updatecontent" $AllResp = @() # Send command to each computers in the group individually foreach ($id in $allComputers.uniqueId) { # URI query strings $QueryStrings = @{ computer_ids = $id } # Construct the URI $URI = Build-SEPMQueryURI -BaseURI $URI -QueryStrings $QueryStrings # prepare the parameters $params = @{ Method = 'POST' Uri = $URI headers = $headers } $resp = Invoke-ABRestMethod -params $params $AllResp += $resp } # return the response return $AllResp } } } #EndRegion '.\Public\Update-SEPClientDefinitions.ps1' 194 #Region '.\Public\Update-SEPMFileFingerprintList.ps1' 0 function Update-SEPMFileFingerprintList { <# .SYNOPSIS Updates an existing fingerprint list .DESCRIPTION Updates an existing fingerprint list When updating the list, overwrite the entire list with the new list .PARAMETER FingerprintListName The name of the file fingerprint list Cannot be used with FingerprintListID parameter .PARAMETER FingerprintListID The ID of the file fingerprint list Cannot be used with FingerprintListName parameter .PARAMETER name The name of the fingerprint list that will appear on SEPM .PARAMETER domainId The domain id of the domain to add the fingerprint list to Only takes the domain id. Can be found using Get-SEPMDomain .PARAMETER HashType The type of hash to use for the fingerprint list Valid values are SHA256 and MD5 .PARAMETER description The description of the fingerprint list .PARAMETER hashlist The hash list to add to the fingerprint list Can be generated using Get-FileHash or takes a string array of hashes .PARAMETER SkipCertificateCheck Skip certificate check .EXAMPLE $domainId = Get-SEPMDomain | Where-Object { $_.name -eq "Default" } | Select-Object -ExpandProperty id $hashlist = ls -file C:\Users\$env:USERNAME\Downloads\*.exe | Get-FileHash -algorithm SHA256 Update-SEPMFileFingerprintList -FingerprintListName "Downloaded .exe files" -name "Workstations downloaded files" -domainId $DomainId -HashType "SHA256" -description "Contains the list of .exe files downloaded with a specific workstations" -hashlist $hashlist.hash Gets the domain id for the default domain Create a hash list of all the files in the downloads folder of the currently logged in user Updates the fingerprint list "Downloaded .exe files" with the new hash list The fingerprint list needs to be existing before it can be updated #> [CmdletBinding( DefaultParameterSetName = 'Name' )] param ( [Parameter()] [string]$name, [Parameter()] [string]$domainId, [Parameter()] [ValidateSet('SHA256', 'MD5')] [string]$HashType, [Parameter()] [string]$description, [Parameter( ValueFromPipeline = $true )] $hashlist, [Parameter( ParameterSetName = 'Name' )] [string] $FingerprintListName, [Parameter( ParameterSetName = 'ID' )] [string] $FingerprintListID, # Skip certificate check [Parameter()] [switch] $SkipCertificateCheck ) begin { # initialize the configuration $test_token = Test-SEPMAccessToken if (-not $test_token) { Get-SEPMAccessToken | Out-Null } if ($SkipCertificateCheck) { $script:SkipCert = $true } $headers = @{ "Authorization" = "Bearer " + $script:accessToken.token "Content" = 'application/json' } } process { # Get the FingerprintListID if the FingerprintListName is provided if ($FingerprintListName) { $URI = $script:BaseURLv1 + "/policy-objects/fingerprints" $FingerprintListID = Get-SEPMFileFingerprintList -FingerprintListName $FingerprintListName | Select-Object -ExpandProperty id } $URI = $script:BaseURLv1 + "/policy-objects/fingerprints/$FingerprintListID" # Construct the body & required fields $body = @{ name = $name domainId = $domainId hashType = $HashType description = $description data = $hashlist } $params = @{ Method = 'POST' Uri = $URI headers = $headers Body = $body | ConvertTo-Json ContentType = 'application/json' } $resp = Invoke-ABRestMethod -params $params # return the response return $resp } } #EndRegion '.\Public\Update-SEPMFileFingerprintList.ps1' 126 #Region '.\Public\zz_Initialize-SEPMConfiguration.ps1' 0 #################################### # Init script for the whole module # #################################### ## This is the initialization script for the module. It is invoked at the end of the module's ## prefix file as "zz_" to load this module at last. This is done to ensure that all other functions are first loaded ## This function should be private but will stay Public for the moment as it needs to be the last function to be loaded in the module ## TODO make this function private # The credentials used to authenticate to the SEPM server. [PSCredential] $script:Credential = $null [PSCustomObject] $script:accessToken = $null # SEPM Server configuration [string] $script:ServerAddress = $null [string] $script:BaseURLv1 = $null [string] $script:BaseURLv2 = $null [bool] $script:SkipCert = $false # Needed for self-signed certificates # The location of the file that we'll store any settings that can/should roam with the user. [string] $script:configurationFilePath = [System.IO.Path]::Combine( [System.Environment]::GetFolderPath('ApplicationData'), 'PSSymantecSEPM', 'config.json') # The location of the file that we'll store credentials [string] $script:credentialsFilePath = [System.IO.Path]::Combine( [System.Environment]::GetFolderPath('ApplicationData'), 'PSSymantecSEPM', 'creds.xml') # The location of the file that we'll store the Access Token SecureString # which cannot/should not roam with the user. [string] $script:accessTokenFilePath = [System.IO.Path]::Combine( [System.Environment]::GetFolderPath('LocalApplicationData'), 'PSSymantecSEPM', 'accessToken.xml') # The session-cached copy of the module's configuration properties [PSCustomObject] $script:configuration = $null function Initialize-SepmConfiguration { <# .SYNOPSIS Populates the configuration of the module for this session, loading in any values that may have been saved to disk. .DESCRIPTION Populates the configuration of the module for this session, loading in any values that may have been saved to disk. .NOTES Internal helper method. This is actually invoked at the END of this file. #> [CmdletBinding()] param() $script:configuration = Import-SepmConfiguration -Path $script:configurationFilePath if ($script:configuration) { if ([string]::IsNullOrEmpty($script:configuration.ServerAddress)) { Set-SEPMAuthentication } $script:BaseURLv1 = "https://" + $script:configuration.ServerAddress + ":" + $script:configuration.port + "/sepm/api/v1" $script:BaseURLv2 = "https://" + $script:configuration.ServerAddress + ":" + $script:configuration.port + "/sepm/api/v2" } if (Test-Path $script:credentialsFilePath) { $script:Credential = Import-Clixml -Path $script:credentialsFilePath -ErrorAction SilentlyContinue } if (Test-Path $script:accessTokenFilePath) { $script:accessToken = Import-Clixml -Path $script:accessTokenFilePath -ErrorAction SilentlyContinue } } # Invoke the initialization method to populate the configuration Initialize-SepmConfiguration #EndRegion '.\Public\zz_Initialize-SEPMConfiguration.ps1' 77 |