Get-S1Activity

SYNOPSIS

Retrieve SentinelOne activity logs based on specified filters.

SYNTAX

Get-S1Activity [[-ActivityType] <Int32[]>] [[-CreatedAfter] <DateTime>] [[-CreatedBefore] <DateTime>]
 [[-UserEmail] <String[]>] [[-UserID] <String[]>] [[-ThreatID] <String[]>] [[-RuleID] <String[]>]
 [-IncludeHidden] [[-Count] <Int32>] [-CountOnly] [[-AccountID] <String[]>] [[-SiteID] <String[]>]
 [[-GroupID] <String[]>] [[-AgentID] <String[]>] [[-ActivityID] <String[]>] [[-SortBy] <String>]
 [[-SortOrder] <String>] [<CommonParameters>]

DESCRIPTION

This function retrieves SentinelOne activity logs using various filters such as activity type, creation date, user email, user ID, threat ID, rule ID, and more. The results can be limited, sorted, or returned as a count-only response.

EXAMPLES

EXAMPLE 1

Get-S1Activity -ActivityType 101 -CreatedAfter (Get-Date).AddDays(-7)

Retrieves activities of type 101 created in the last 7 days.

EXAMPLE 2

Get-S1Activity -UserEmail "user@example.com" -Count 10

Retrieves up to 10 activities performed by the user with the email "user@example.com".

EXAMPLE 3

Get-S1Activity -CountOnly

Returns the count of all activities.

EXAMPLE 4

Get-S1Activity -SortBy "createdAt" -SortOrder "desc"

Retrieves activities sorted by creation date in descending order.
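A worked example combining the parameters above into a small triage script: it bounds the query to a time window with -CreatedAfter and -CreatedBefore, uses -CountOnly as a cheap pre-check before pulling full records, caps the pull with -Count, and summarises what came back per activity type and user. This is an added example and is not part of the module's own documentation. It assumes Get-S1Activity is already loaded and authenticated, that -CountOnly returns a plain integer, and that the returned objects expose the API field names "activityType", "createdAt" and "id" (the values -SortBy accepts) plus "userId" and "primaryDescription", which are assumptions not confirmed by this page. The activity code 101 is the one used in Example 1; substitute the codes you actually care about.

```powershell
# Added example, not the module's own code. Assumptions: Get-S1Activity is loaded and
# authenticated; -CountOnly returns an integer; result objects carry the fields
# activityType, createdAt, id, userId and primaryDescription.
param(
    [int[]]$ActivityType  = @(101),   # 101 is the code from Example 1; replace as needed
    [int]$LookbackHours   = 24,
    [int]$MaxRecords      = 500,      # cap the pull so a noisy window cannot flood the pipeline
    [string]$ExportCsv    = ''        # optional path to keep a copy of the raw records
)

$until = Get-Date
$since = $until.AddHours(-$LookbackHours)

# Cheap pre-check: ask the API for the count only before requesting full records.
$total = Get-S1Activity -ActivityType $ActivityType `
                        -CreatedAfter $since -CreatedBefore $until -CountOnly
Write-Verbose "$total matching activities between $since and $until"

if ($total -eq 0) {
    Write-Output "No activities of type $($ActivityType -join ',') in the last $LookbackHours h."
    return
}
if ($total -gt $MaxRecords) {
    Write-Warning "$total activities match but only the newest $MaxRecords will be pulled; narrow the window or raise -MaxRecords."
}

# Pull newest first so the cap keeps the most recent events.
$activities = Get-S1Activity -ActivityType $ActivityType `
                             -CreatedAfter $since -CreatedBefore $until `
                             -SortBy 'createdAt' -SortOrder 'desc' -Count $MaxRecords

# Optional retention: keep the raw records alongside the summary.
if ($ExportCsv) {
    $activities | Export-Csv -Path $ExportCsv -NoTypeInformation
    Write-Verbose "Wrote $($activities.Count) records to $ExportCsv"
}

# Summary: which users generated which activity types, busiest first.
# (Field names userId/activityType are assumptions; adjust to the real output shape.)
$activities |
    Group-Object -Property activityType, userId |
    Sort-Object -Property Count -Descending |
    Select-Object @{ Name = 'ActivityType'; Expression = { $_.Values[0] } },
                  @{ Name = 'UserId';       Expression = { $_.Values[1] } },
                  Count,
                  @{ Name = 'Newest';       Expression = {
                        ($_.Group | Sort-Object createdAt -Descending | Select-Object -First 1).createdAt } },
                  @{ Name = 'Sample';       Expression = {
                        ($_.Group | Select-Object -First 1).primaryDescription } } |
    Format-Table -AutoSize
```

Run it with -Verbose to see the pre-check count; the warning fires when the window holds more records than -Count will return, which is the usual sign that the lookback window should be shortened rather than the cap raised, since the cmdlet exposes no paging cursor on this page.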

PARAMETERS

-ActivityType

Filter activities by specific activity codes (comma-separated list).

Type: Int32[]
Parameter Sets: (All)
Aliases:

Required: False
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-CreatedAfter

Filter activities created after this date and time.

Type: DateTime
Parameter Sets: (All)
Aliases:

Required: False
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-CreatedBefore

Filter activities created before this date and time.

Type: DateTime
Parameter Sets: (All)
Aliases:

Required: False
Position: 3
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-UserEmail

Filter activities by the email of the user who invoked them.

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: 4
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-UserID

Filter activities by the ID of the user who invoked them.

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: 5
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ThreatID

Filter activities by threat ID.

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: 6
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-RuleID

Filter activities by rule ID.

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: 7
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-IncludeHidden

Include hidden activities in the results.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-Count

Limit the number of retrieved activities.

Type: Int32
Parameter Sets: (All)
Aliases:

Required: False
Position: 8
Default value: 0
Accept pipeline input: False
Accept wildcard characters: False

-CountOnly

Return only the count of matching activities.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-AccountID

Filter activities by account ID.

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: 9
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-SiteID

Filter activities by site ID.

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: 10
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-GroupID

Filter activities by group ID.

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: 11
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-AgentID

Filter activities by agent ID.

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: 12
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ActivityID

Filter activities by specific activity IDs.

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: 13
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-SortBy

Sort the results by a specific property. Valid values are "activityType", "createdAt", or "id".

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 14
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-SortOrder

Specify the sort order. Valid values are "asc" or "desc".

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 15
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

NOTES