The OneView API lets you remotely manage the security of your endpoints. To use the API, a client credential pair is required.
To generate the credentials, log into OneView and go to Integrate.
For more information on APIs, see OneView API Documentation in the console or hover over the tooltip next to OAuth2 Clients on the Integrate page and click the link.
These are composable functions that you can use to call different API endpoints.
Below are some basic and common API examples using PowerShell.
Get-OneViewToken
Use this function in every file to get a token to authenticate other functions that call API endpoints.
#Requires -Version 3.0
# Pin the .NET ServicePointManager security protocol to TLS 1.2 only.
# This is a plain assignment, so it replaces whatever protocol set was enabled before.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
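function Get-OneViewToken {
    <#
    .SYNOPSIS
        Authenticate to a OneView account, returning an OAuth2 token.
    .DESCRIPTION
        Authenticates via the OneView Public API using an OAuth2 client pair (client_credentials grant,
        with the pair sent as an HTTP Basic Authorization header on the token request).
        Client credentials should be stored in and retrieved from a secure store, as they provide access to your OneView account.
        Returns an authentication object containing the OAuth2 bearer token and metadata with expiry and BaseUrl.
    .PARAMETER ClientID
        ClientID e.g. aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa
    .PARAMETER ClientSecret
        ClientSecret e.g. 000000ABCDEF000000ABCDEF000000AB000000ABCDEF000000ABCDEF000000AB
    .PARAMETER Scope
        OPTIONAL - Specify the read, write, and/or execute scope of the token. Defaults to read write execute.
        Request only the scope the calling script needs.
    .PARAMETER BaseUrl
        OPTIONAL - Base URL of the OneView API; '/oauth2/token' is appended to it.
        Defaults to https://api.malwarebytes.com/oneview.
        The client credentials are sent to this address, so only pass an https:// URL you trust.
    .PARAMETER Verbose
        OPTIONAL - Indicates that additional details should be displayed.
        This parameter uses the built-in -Verbose feature to show internal processing steps.
        Example: Get-OneViewToken -ClientID $clientID -ClientSecret $clientSecret -Verbose
    .OUTPUTS
        Outputs a OneView.Token PSCustomObject that can be used as a parameter or in a pipeline for other OneView API endpoints.
        If the token request fails, the error is written to the host and the ErrorRecord is returned instead of a token.
    .NOTES
        The returned object's 'headers' hashtable contains:
        'Authorization' = 'Bearer ' + the access token
        'Content-Type'  = 'application/json'
        The ClientID and ClientSecret should be stored in and retrieved from a secure credential store, as they provide access to your OneView account.
        Verbose output shows a redacted Authorization header and omits the access token, so -Verbose
        transcripts and logs do not capture the client secret or the bearer token.
    .EXAMPLE
        $clientID = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa'
        $clientSecret = '000000ABCDEF000000ABCDEF000000AB000000ABCDEF000000ABCDEF000000AB'
        $OneViewToken = Get-OneViewToken -ClientID $clientID -ClientSecret $clientSecret
    .EXAMPLE
        $OneViewToken = Get-OneViewToken -ClientID $clientID -ClientSecret $clientSecret -Verbose
    .EXAMPLE
        Get-OneViewToken -ClientID 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa' -ClientSecret '000000ABCDEF000000ABCDEF000000AB000000ABCDEF000000ABCDEF000000AB'
    #>
    Param (
        [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]
        [ValidatePattern('^[{(]?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})[)}]?$')]
        [string] $ClientID,
        [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]
        [ValidatePattern('^[a-f0-9]{64}$')]
        [string] $ClientSecret,
        [Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][ValidateSet('read','write','execute','read write','read execute','write execute','read write execute')]
        [string] $Scope = 'read write execute',
        [ValidateNotNullOrEmpty()][Parameter(Mandatory=$false)]
        [string] $BaseUrl = 'https://api.malwarebytes.com/oneview'
    )
    Write-Verbose 'Executing function Get-OneViewToken'
    Try {
        $URI = $BaseUrl + '/oauth2/token'
        Write-Verbose $URI
        # HTTP Basic credential: base64("ClientID:ClientSecret"). Base64 is an encoding, not
        # encryption, so this value is as sensitive as the secret itself.
        $credential_pair = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(($ClientID, $ClientSecret -join ':')))
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $headers = @{
            'Authorization' = ('Basic', $credential_pair -join ' ');
            'Content-Type'  = 'application/x-www-form-urlencoded'
        }
        # Log a redacted copy of the headers: the real Authorization value would let anyone
        # reading a verbose transcript recover the client secret.
        $loggedHeaders = @{
            'Authorization' = 'Basic <redacted>'
            'Content-Type'  = $headers['Content-Type']
        }
        $loggedHeaders | Format-Table -AutoSize | Out-String | Write-Verbose
        $body = @{
            scope      = "$Scope"
            grant_type = 'client_credentials'
        }
        $body | Format-List | Out-String | Write-Verbose
        $TokenRequest = Invoke-RestMethod -Method POST -Uri $URI -Body $body -Headers $headers
        Write-Verbose -Message 'Creating OneViewToken object'
        $OneViewToken = [PSCustomObject]@{
            'PSTypeName'   = 'OneView.Token'
            'access_token' = $TokenRequest.access_token
            'expires_in'   = $TokenRequest.expires_in
            'expires_at'   = (Get-Date).AddSeconds($TokenRequest.expires_in)
            'headers'      = @{
                'Authorization' = 'Bearer ' + $TokenRequest.access_token
                'Content-Type'  = 'application/json'
            }
            'scope'        = $TokenRequest.scope
            'token_type'   = $TokenRequest.token_type
            'baseurl'      = $BaseUrl
        }
        # Only non-secret metadata goes to the verbose stream; access_token and headers are left out.
        $OneViewToken |
            Select-Object -Property expires_in, expires_at, scope, token_type, baseurl |
            Out-String | Write-Verbose
    }
    Catch {
        Write-Host "The following error occured while obtaining the token from OneView: $_"
        $ErrorRecord = $_
        # ErrorDetails is only populated when the server sent a response body; connection-level
        # failures leave it empty, and the body is not guaranteed to be JSON.
        if ($ErrorRecord.ErrorDetails -and $ErrorRecord.ErrorDetails.Message) {
            Try {
                $Result = $ErrorRecord.ErrorDetails.Message | ConvertFrom-Json
                Write-Host $Result
            }
            Catch {
                Write-Host $ErrorRecord.ErrorDetails.Message
            }
        }
        Return $ErrorRecord
    }
    Return $OneViewToken
}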
Get-OneViewAccount
Use this function to get account details.
function Get-OneViewAccount {
    <#
    .SYNOPSIS
        Receive OneView Account Details.
    .DESCRIPTION
        Sends a GET request to the OneView account info endpoint and returns the response.
        The request is authorized with the headers carried by the OneView.Token object.
    .PARAMETER OneViewToken
        OneView.Token object from Get-OneViewToken. Can be provided as a parameter or in a pipeline; see .EXAMPLE.
    .PARAMETER DumpResponse
        OPTIONAL - Print the entire formatted response to screen.
    .OUTPUTS
        Outputs the response which contains nebula_parent_account_id and account_id.
        If the request fails, the error is written to the host and the ErrorRecord is returned instead.
    .EXAMPLE
        $OneViewToken = Get-OneViewToken -ClientID 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa' -ClientSecret '000000ABCDEF000000ABCDEF000000AB000000ABCDEF000000ABCDEF000000AB'
        Get-OneViewAccount -OneViewToken $OneViewToken
    .EXAMPLE
        Get-OneViewToken -ClientID $clientID -ClientSecret $clientSecret | Get-OneViewAccount
    #>
    Param (
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [ValidateNotNullOrEmpty()]
        [PSTypeName('OneView.Token')]$OneViewToken,
        [Parameter()] [switch] $DumpResponse
    )
    Write-Verbose 'Function Get-OneViewAccount'
    Try {
        # Splat the request arguments; the bearer token travels in the Authorization header.
        $requestArgs = @{
            Method  = 'GET'
            Uri     = 'https://api.malwarebytes.com/oneview/v1/info/account'
            Headers = $OneViewToken.Headers
        }
        $response = Invoke-RestMethod @requestArgs
    }
    Catch {
        Write-Host "The following error occured while obtaining Account from OneView: $_"
        Return $_
    }
    if ($DumpResponse.IsPresent) {
        $response | ConvertTo-Json -Depth 5 | Out-Host
    }
    Return $response
}
Get-OneViewSite
Use this function to get all sites and their information.
function Get-OneViewSite {
    <#
    .SYNOPSIS
        Receive OneView Site Details.
    .DESCRIPTION
        Sends a GET request to the OneView sites endpoint and returns the response.
        The request is authorized with the headers carried by the OneView.Token object.
    .PARAMETER OneViewToken
        OneView.Token object from Get-OneViewToken. Can be provided as a parameter or in a pipeline; see .EXAMPLE.
    .PARAMETER DumpResponse
        OPTIONAL - Print the entire formatted response to screen.
    .OUTPUTS
        Outputs the response which includes site name, id, authorized users, account_id, account_token, and applied subscriptions overview.
        If the request fails, the error is written to the host and the ErrorRecord is returned instead.
    .NOTES
        The response includes account tokens, so treat -DumpResponse output and any saved copy of it as sensitive.
    .EXAMPLE
        $OneViewToken = Get-OneViewToken -ClientID 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa' -ClientSecret '000000ABCDEF000000ABCDEF000000AB000000ABCDEF000000ABCDEF000000AB'
        Get-OneViewSite -OneViewToken $OneViewToken
    .EXAMPLE
        Get-OneViewToken -ClientID $clientID -ClientSecret $clientSecret | Get-OneViewSite
    #>
    Param (
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [ValidateNotNullOrEmpty()]
        [PSTypeName('OneView.Token')]$OneViewToken,
        [Parameter()]
        [switch] $DumpResponse
    )
    Write-Verbose 'Function Get-OneViewSite'
    Try {
        $requestArgs = @{
            Method  = 'GET'
            Uri     = 'https://api.malwarebytes.com/oneview/v1/sites'
            Headers = $OneViewToken.Headers
        }
        $response = Invoke-RestMethod @requestArgs
    }
    Catch {
        Write-Host "The following error occured while obtaining Site from OneView: $_"
        Return $_
    }
    if ($DumpResponse.IsPresent) {
        $response | ConvertTo-Json -Depth 5 | Out-Host
    }
    Return $response
}
Get-OneViewAccountIdsAndTokens
Use this function to get account_ids and account_tokens for all sites.
You can retrieve a printed output with the site name, account_id, account_token with -DumpResponse.
You can also get a hashtable returned with sites as keys and account_ids or account_tokens as values.
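function Get-OneViewAccountIdsAndTokens {
    <#
    .SYNOPSIS
        Receive OneView sites' nebula_account_ids and nebula_account_tokens from all sites.
    .DESCRIPTION
        Requests the sites list and exposes each site's nebula_account_id and nebula_account_token,
        the ids necessary for other actions in the API / deployment of endpoints.
    .PARAMETER OneViewToken
        OneView.Token object from Get-OneViewToken. Can be provided as a parameter or in a pipeline; see .EXAMPLE.
    .PARAMETER DumpResponse
        OPTIONAL - Print each site's name, nebula_account_id and nebula_account_token to screen.
    .PARAMETER AccountIdHashtable
        OPTIONAL - Return a hashtable with site name (company_name) as the key and nebula_account_id as the value. - Note only select AccountIdHashtable or AccountTokenHashtable.
    .PARAMETER AccountTokenHashtable
        OPTIONAL - Return a hashtable with site name (company_name) as the key and nebula_account_token as the value. - Note only select AccountIdHashtable or AccountTokenHashtable.
    .OUTPUTS
        Sites' account_ids or account_tokens hashtable, depending on the flag provided above.
        Nothing is returned when neither hashtable switch is given.
    .EXAMPLE
        $OneViewToken = Get-OneViewToken -ClientID 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa' -ClientSecret '000000ABCDEF000000ABCDEF000000AB000000ABCDEF000000ABCDEF000000AB'
        Get-OneViewAccountIdsAndTokens -OneViewToken $OneViewToken
    .EXAMPLE
        Get-OneViewToken -ClientID $clientID -ClientSecret $clientSecret | Get-OneViewAccountIdsAndTokens -DumpResponse
    .EXAMPLE
        $AccountTokens = Get-OneViewAccountIdsAndTokens -OneViewToken $OneViewToken -DumpResponse -AccountTokenHashtable
        $AccountTokens | Format-Table
    .NOTES
        You can use the returned hashtable to get a site's id or token, i.e. with $AccountTokens:
        $mySiteAcctToken = $AccountTokens['my-site']
    .NOTES
        Select a maximum of one hashtable to be returned.
        Sites without a company_name, and sites whose name repeats an earlier one, are skipped with a warning
        because a hashtable holds one value per key.
        -DumpResponse writes account tokens to the host; avoid it where console output is logged or shared.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [ValidateNotNullOrEmpty()]
        [PSTypeName('OneView.Token')] $OneViewToken,
        [Parameter()]
        [switch] $DumpResponse,
        [Parameter()]
        [switch] $AccountIdHashtable,
        [Parameter()]
        [switch] $AccountTokenHashtable
    )
    Begin {
        Write-Verbose 'Initializing Get-OneViewAccountIdsAndTokens'
        # Check if both $AccountIdHashtable and $AccountTokenHashtable are provided
        if ($AccountIdHashtable -and $AccountTokenHashtable) {
            throw "You cannot enable both -AccountIdHashtable and -AccountTokenHashtable"
        }
    }
    Process {
        Try {
            $URI = 'https://api.malwarebytes.com/oneview/v1/sites'
            $request = Invoke-RestMethod -Method GET -Uri $URI -Headers $OneViewToken.Headers
        }
        Catch {
            Write-Error -Message "Error obtaining Sites from OneView: $($_.Exception.Message)"
            throw
        }
    }
    End {
        $sites = $request.sites
        if ($DumpResponse) {
            Write-Host "Dumping Site names, nebula_account_ids, nebula_account_tokens"
            $sites | ForEach-Object {
                "Site name: $($_.company_name) - nebula_account_id: $($_.nebula_account_id) - nebula_account_token: $($_.nebula_account_token)"| Out-Host
            }
        }
        if ($AccountIdHashtable -Or $AccountTokenHashtable) {
            $ht = @{}
            foreach ($site in $sites) {
                $key = $site.company_name
                # Hashtable.Add() throws on a null or repeated key, which would abort the
                # whole lookup for one badly named site; skip those entries and say so.
                if ([string]::IsNullOrEmpty($key)) {
                    Write-Warning 'Skipping a site that has no company_name; it cannot be used as a hashtable key.'
                    continue
                }
                if ($ht.ContainsKey($key)) {
                    Write-Warning "Site name '$key' appears more than once; keeping the first entry."
                    continue
                }
                $value = if ($AccountIdHashtable) { $site.nebula_account_id } else { $site.nebula_account_token }
                $ht.Add($key, $value)
            }
            return $ht
        }
    }
}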
Get-OneViewDetection
Use this function to get detections from the sites whose account_id is provided.
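function Get-OneViewDetection {
    <#
    .SYNOPSIS
        Receive OneView Detections.
    .DESCRIPTION
        Returns detections from the sites whose "nebula_account_id" are provided to the "AccountIDs" parameter.
        Pages through the response by re-sending the request with each returned next_cursor until no cursor comes back.
    .PARAMETER OneViewToken
        OneView.Token object from Get-OneViewToken. Can be provided as a parameter or in a pipeline; see .EXAMPLE.
    .PARAMETER AccountIDs
        These are the nebula_account_ids (found from getting sites) from the sites.
        One or more need to be provided, separated by commas. See examples below.
        The detections from these sites will be returned.
    .PARAMETER DumpResponse
        OPTIONAL - Print the entire formatted response to screen.
    .OUTPUTS
        Detections from the sites whose nebula_account_id is provided.
        If a request fails part-way, a non-terminating error is written and the detections collected so far are returned.
    .EXAMPLE
        $OneViewToken = Get-OneViewToken -ClientID 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa' -ClientSecret '000000ABCDEF000000ABCDEF000000AB000000ABCDEF000000ABCDEF000000AB'
        Get-OneViewDetection -OneViewToken $OneViewToken -AccountIDs "1", "2", "3"
    .EXAMPLE
        Get-OneViewToken -ClientID $clientID -ClientSecret $clientSecret | Get-OneViewDetection -AccountIDs "1" -DumpResponse
    .NOTES
        Please note this defaults to the last week of detections.
        If you need to change this timeframe, you can supply timeframes by placing start_date, scanned_at_before, etc. in the request body.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [ValidateNotNullOrEmpty()]
        [PSTypeName('OneView.Token')] $OneViewToken,
        [Parameter(Mandatory = $true)]
        [string[]] $AccountIDs,
        [Parameter()]
        [switch] $DumpResponse
    )
    Begin {
        Write-Verbose 'Initializing Get-OneViewDetection'
        # Initialize detections as an empty array for consistent output
        $detections = @()
        $body = @{
            next_cursor = ''
            page_size   = 2000
            account_ids = $AccountIDs
        }
    }
    Process {
        Try {
            $URI = 'https://api.malwarebytes.com/oneview/v1/detections'
            # Always start from the first page; $body keeps the last cursor it was sent with.
            $next_cursor = ''
            do {
                $body.next_cursor = $next_cursor
                $bodyJson = $body | ConvertTo-Json
                $request = Invoke-RestMethod -Method POST -Uri $URI -Body $bodyJson -Headers $OneViewToken.Headers
                $detections += $request.detections
                $next_cursor = $request.next_cursor
                # Stop on a missing/null cursor as well as an empty one: "$null -ne ''" is true
                # in PowerShell, so comparing against '' alone would loop forever.
            } while (-not [string]::IsNullOrEmpty($next_cursor))
        }
        Catch {
            Write-Error -Message "Error obtaining Detections from OneView: $_"
        }
    }
    End {
        if ($DumpResponse) {
            Write-Host "Dumping Detections"
            # Convert to JSON for each item to ensure consistent detailed output
            $detections | ForEach-Object { $_ | ConvertTo-Json -Depth 5 | Out-Host }
        }
        return $detections
    }
}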
Get-OneViewEndpoint
Use this function to get endpoints from the sites whose nebula_account_id is provided to the AccountIDs parameter.
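function Get-OneViewEndpoint {
    <#
    .SYNOPSIS
        Receive OneView Endpoints.
    .DESCRIPTION
        Returns endpoints from the sites whose "nebula_account_id" are provided to the "AccountIDs" parameter.
        Pages through the response by re-sending the request with each returned next_cursor until no cursor comes back.
    .PARAMETER OneViewToken
        OneView.Token object from Get-OneViewToken. Can be provided as a parameter or in a pipeline; see .EXAMPLE.
    .PARAMETER AccountIDs
        These are the nebula_account_ids (found from getting sites) from the sites.
        One or more need to be provided, separated by commas. See examples below.
        The endpoints from these sites will be returned.
    .PARAMETER DumpResponse
        OPTIONAL - Print the entire formatted response to screen.
    .OUTPUTS
        Endpoints from the sites whose nebula_account_id is provided.
        If a request fails part-way, a non-terminating error is written and the endpoints collected so far are returned.
    .EXAMPLE
        $OneViewToken = Get-OneViewToken -ClientID 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa' -ClientSecret '000000ABCDEF000000ABCDEF000000AB000000ABCDEF000000ABCDEF000000AB'
        Get-OneViewEndpoint -OneViewToken $OneViewToken -AccountIDs "1", "2", "3"
    .EXAMPLE
        Get-OneViewToken -ClientID $clientID -ClientSecret $clientSecret | Get-OneViewEndpoint -AccountIDs "1" -DumpResponse
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [ValidateNotNullOrEmpty()]
        [PSTypeName('OneView.Token')] $OneViewToken,
        [Parameter(Mandatory = $true)]
        [string[]] $AccountIDs,
        [Parameter()]
        [switch] $DumpResponse
    )
    Begin {
        Write-Verbose 'Initializing Get-OneViewEndpoint'
        # Initialize endpoints as an empty array for consistent output
        $endpoints = @()
        $body = @{
            next_cursor = ''
            page_size   = 2000
            account_ids = $AccountIDs
        }
    }
    Process {
        Try {
            $URI = 'https://api.malwarebytes.com/oneview/v1/endpoints'
            # Always start from the first page; $body keeps the last cursor it was sent with.
            $next_cursor = ''
            do {
                $body.next_cursor = $next_cursor
                $bodyJson = $body | ConvertTo-Json
                $request = Invoke-RestMethod -Method POST -Uri $URI -Body $bodyJson -Headers $OneViewToken.Headers
                $endpoints += $request.endpoints
                $next_cursor = $request.next_cursor
                # Stop on a missing/null cursor as well as an empty one: "$null -ne ''" is true
                # in PowerShell, so comparing against '' alone would loop forever.
            } while (-not [string]::IsNullOrEmpty($next_cursor))
        }
        Catch {
            Write-Error -Message "Error obtaining Endpoints from OneView: $_"
        }
    }
    End {
        if ($DumpResponse) {
            Write-Host "Dumping Endpoints"
            # Convert to JSON for each item to ensure consistent detailed output
            $endpoints | ForEach-Object { $_ | ConvertTo-Json -Depth 5 | Out-Host }
        }
        return $endpoints
    }
}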
Get-OneViewExclusion
Use this function to get either top-level exclusions or the exclusions from a site if SiteID is provided.
function Get-OneViewExclusion {
    <#
    .SYNOPSIS
        Receive OneView Exclusions.
    .DESCRIPTION
        Returns either the top-level exclusions or, when a SiteID is provided, that site's exclusions.
        Without SiteID a GET is sent to the OneView exclusions endpoint; with SiteID a POST carrying
        the id in account_ids is sent to the rmm accounts exclusions endpoint.
    .PARAMETER OneViewToken
        OneView.Token object from Get-OneViewToken. Can be provided as a parameter or in a pipeline; see .EXAMPLE.
    .PARAMETER SiteID
        OPTIONAL - Get a site's exclusions. Sent as the single entry of account_ids.
    .PARAMETER DumpResponse
        OPTIONAL - Print the entire formatted response to screen.
    .OUTPUTS
        Outputs OneView level exclusions or a site's exclusions.
        On a failed request a non-terminating error is written.
    .EXAMPLE
        $OneViewToken = Get-OneViewToken -ClientID 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa' -ClientSecret '000000ABCDEF000000ABCDEF000000AB000000ABCDEF000000ABCDEF000000AB'
        Get-OneViewExclusion -OneViewToken $OneViewToken
    .EXAMPLE
        Get-OneViewToken -ClientID $clientID -ClientSecret $clientSecret | Get-OneViewExclusion -SiteID 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa'
    .NOTES
        Exclusions describe what endpoint protection ignores; handle dumped or exported copies accordingly.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [ValidateNotNullOrEmpty()]
        [PSTypeName('OneView.Token')] $OneViewToken,
        [Parameter(Mandatory = $false)]
        [string] $SiteID,
        [Parameter()]
        [switch] $DumpResponse
    )
    Begin {
        Write-Verbose 'Initializing Get-OneViewExclusion'
    }
    Process {
        if ($SiteID) {
            # Site-level exclusions: the site id travels in the JSON body, not in the URL.
            Try {
                $bodyJson = @{ account_ids = @($SiteID) } | ConvertTo-Json
                $siteArgs = @{
                    Method  = 'POST'
                    Uri     = "https://api.malwarebytes.com/api/v2/rmm/accounts/exclusions"
                    Body    = $bodyJson
                    Headers = $OneViewToken.Headers
                }
                $request = Invoke-RestMethod @siteArgs
            } Catch {
                Write-Error -Message "Error obtaining exclusions from site with nebula_account_id: $SiteID from OneView $($_.Exception.Message)"
            }
        } else {
            # No site given: fetch the top-level (OneView) exclusions.
            Try {
                $topLevelArgs = @{
                    Method  = 'GET'
                    Uri     = 'https://api.malwarebytes.com/oneview/v1/exclusions'
                    Headers = $OneViewToken.Headers
                }
                $request = Invoke-RestMethod @topLevelArgs
            } Catch {
                Write-Error -Message "Error obtaining Exclusions from OneView: $($_.Exception.Message)"
            }
        }
    }
    End {
        if ($DumpResponse.IsPresent) {
            Write-Host "Dumping Exclusions"
            # One JSON document per item keeps the detailed output consistent.
            foreach ($item in $request) {
                $item | ConvertTo-Json -Depth 5 | Out-Host
            }
        }
        return $request
    }
}
Get-OneViewPolicy
Use this function to get OneView policies.
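function Get-OneViewPolicy {
    <#
    .SYNOPSIS
        Receive OneView Policies.
    .DESCRIPTION
        Returns policies created in OneView, via a GET request to the OneView policies endpoint.
    .PARAMETER OneViewToken
        OneView.Token object from Get-OneViewToken. Can be provided as a parameter or in a pipeline; see .EXAMPLE.
    .PARAMETER DumpResponse
        OPTIONAL - Print the entire formatted response to screen.
    .OUTPUTS
        OneView policies. On a failed request a non-terminating error is written.
    .EXAMPLE
        $OneViewToken = Get-OneViewToken -ClientID 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa' -ClientSecret '000000ABCDEF000000ABCDEF000000AB000000ABCDEF000000ABCDEF000000AB'
        Get-OneViewPolicy -OneViewToken $OneViewToken
    .EXAMPLE
        Get-OneViewToken -ClientID $clientID -ClientSecret $clientSecret | Get-OneViewPolicy -DumpResponse
    .NOTES
        This will receive top-level OneView policies, not policies created at the site level.
        This listing was published under the name Get-OneViewDetection, the same name as the detections
        function, so loading both in one session replaced one with the other. It is named
        Get-OneViewPolicy here to match its section heading.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [ValidateNotNullOrEmpty()]
        [PSTypeName('OneView.Token')] $OneViewToken,
        [Parameter()]
        [switch] $DumpResponse
    )
    Begin {
        Write-Verbose 'Initializing Get-OneViewPolicy'
    }
    Process {
        Try {
            $URI = 'https://api.malwarebytes.com/oneview/v1/policies'
            $request = Invoke-RestMethod -Method GET -Uri $URI -Headers $OneViewToken.Headers
        }
        Catch {
            Write-Error -Message "Error obtaining Policies from OneView: $_"
        }
    }
    End {
        if ($DumpResponse) {
            Write-Host "Dumping Policies"
            # Convert to JSON for each item to ensure consistent detailed output
            $request | ForEach-Object { $_ | ConvertTo-Json -Depth 5 | Out-Host }
        }
        return $request
    }
}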
Get-OneViewSiteEvents
Use this function to get top-level events or the events from a site.
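function Get-OneViewSiteEvents {
    <#
    .SYNOPSIS
        Receive a OneView Site's Events.
    .DESCRIPTION
        Returns all events from a specific site, following next_cursor through the paginated response.
    .PARAMETER OneViewToken
        OneView.Token object from Get-OneViewToken. Can be provided as a parameter or in a pipeline; see .EXAMPLE.
    .PARAMETER SiteID
        Required - The site's nebula_account_id. It is URL-escaped before being placed in the request path.
    .PARAMETER DumpResponse
        OPTIONAL - Print the entire formatted response to screen.
    .OUTPUTS
        Outputs the site's events.
        If a request fails part-way, a non-terminating error is written and the events collected so far are returned.
    .EXAMPLE
        $OneViewToken = Get-OneViewToken -ClientID 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa' -ClientSecret '000000ABCDEF000000ABCDEF000000AB000000ABCDEF000000ABCDEF000000AB'
        Get-OneViewSiteEvents -OneViewToken $OneViewToken -SiteID 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa'
    .EXAMPLE
        Get-OneViewToken -ClientID $clientID -ClientSecret $clientSecret | Get-OneViewSiteEvents -SiteID 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa' -DumpResponse
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [ValidateNotNullOrEmpty()]
        [PSTypeName('OneView.Token')] $OneViewToken,
        [Parameter(Mandatory = $true)]
        [string]$SiteID,
        [Parameter()]
        [switch] $DumpResponse
    )
    Begin {
        Write-Verbose 'Initializing Get-OneViewSiteEvents'
        # Initialize events as an empty array for consistent output
        $events = @()
        $next_cursor = ''
        $page_size = 2000 # Set the desired page size
    }
    Process {
        Try {
            # Escape the id so characters such as '/', '?' or '#' cannot redirect the
            # authenticated request to a different path or add query parameters.
            $URI = "https://api.malwarebytes.com/oneview/v1/accounts/$([uri]::EscapeDataString($SiteID))/events"
            $URI += "?page_size=$page_size"
            do {
                # Build the URI correctly with next_cursor if available
                if ($next_cursor) {
                    # The cursor is server-supplied text; escape it before placing it in the query string.
                    $uriWithCursor = "$URI&next_cursor=$([uri]::EscapeDataString([string]$next_cursor))"
                } else {
                    $uriWithCursor = $URI
                }
                $request = Invoke-RestMethod -Method GET -Uri $uriWithCursor -Headers $OneViewToken.Headers
                $events += $request.events
                $next_cursor = $request.next_cursor
                # Stop on a missing/null cursor as well as an empty one: "$null -ne ''" is true
                # in PowerShell, so comparing against '' alone would re-fetch the first page forever.
            } while (-not [string]::IsNullOrEmpty($next_cursor))
        } Catch {
            Write-Error -Message "Error obtaining Events from site with nebula_account_id: $SiteID from OneView $($_.Exception.Message)"
        }
    }
    End {
        if ($DumpResponse) {
            Write-Host "Dumping Events"
            # Convert to JSON for each item to ensure consistent detailed output
            $events | ForEach-Object { $_ | ConvertTo-Json -Depth 5 | Out-Host }
        }
        return $events
    }
}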
Get-OneViewSiteGroup
Use this function to get the groups from a site.
function Get-OneViewSiteGroup {
    <#
    .SYNOPSIS
        Receive a OneView Site's Groups.
    .DESCRIPTION
        GET request that returns a site's groups.
    .PARAMETER OneViewToken
        OneView.Token object from Get-OneViewToken. Can be provided as a parameter or in a pipeline; see .EXAMPLE.
    .PARAMETER NebulaAccountId
        The Nebula Account ID of the site to get groups. This corresponds to the 'nebula_account_id' in Get-OneViewSite response.
        Must match the GUID pattern enforced by the parameter's ValidatePattern attribute.
    .PARAMETER DumpResponse
        OPTIONAL - Print the entire formatted response to screen.
    .OUTPUTS
        Outputs the response of the site's groups endpoint.
        If the request fails, the error is written to the host and the ErrorRecord is returned instead.
    .EXAMPLE
        $OneViewToken = Get-OneViewToken -ClientID 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa' -ClientSecret '000000ABCDEF000000ABCDEF000000AB000000ABCDEF000000ABCDEF000000AB'
        Get-OneViewSiteGroup -OneViewToken $OneViewToken -NebulaAccountId 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa'
    .EXAMPLE
        Get-OneViewToken -ClientID $clientID -ClientSecret $clientSecret | Get-OneViewSiteGroup -NebulaAccountId 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa'
    #>
    Param (
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [ValidateNotNullOrEmpty()]
        [PSTypeName('OneView.Token')]$OneViewToken,
        [Parameter(Mandatory=$true)]
        [ValidatePattern('^[{(]?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})[)}]?$')]
        [string]$NebulaAccountId,
        [Parameter()] [switch] $DumpResponse
    )
    Write-Verbose 'Function Get-OneViewSiteGroup'
    Try {
        # The id has already passed the GUID ValidatePattern above before it reaches the URL.
        $requestArgs = @{
            Method  = 'Get'
            Uri     = "https://api.malwarebytes.com/oneview/v1/accounts/$($NebulaAccountId)/groups"
            Headers = $OneViewToken.Headers
        }
        $response = Invoke-RestMethod @requestArgs
    }
    Catch {
        Write-Host "The following error occured while getting groups from OneView: $_"
        Return $_
    }
    if ($DumpResponse.IsPresent) {
        $response | ConvertTo-Json -Depth 5 | Out-Host
    }
    Return $response
}
Get-OneViewSitePolicy
Use this function to get the policies from a site.
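function Get-OneViewSitePolicy {
    <#
    .SYNOPSIS
        Receive OneView Policies accessible to a site.
    .DESCRIPTION
        Returns site-level and global policies, via a GET request to the rmm accounts policies endpoint.
    .PARAMETER OneViewToken
        OneView.Token object from Get-OneViewToken. Can be provided as a parameter or in a pipeline; see .EXAMPLE.
    .PARAMETER AccountID
        Required - The account id of the site whose policies are requested.
        It is URL-escaped before being placed in the request path.
    .PARAMETER DumpResponse
        OPTIONAL - Print the entire formatted response to screen.
    .OUTPUTS
        A OneView site's policies. On a failed request a non-terminating error is written.
    .EXAMPLE
        $OneViewToken = Get-OneViewToken -ClientID 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa' -ClientSecret '000000ABCDEF000000ABCDEF000000AB000000ABCDEF000000ABCDEF000000AB'
        Get-OneViewSitePolicy -OneViewToken $OneViewToken -AccountID 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa'
    .EXAMPLE
        Get-OneViewToken -ClientID $clientID -ClientSecret $clientSecret | Get-OneViewSitePolicy -DumpResponse -AccountID 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa'
    .NOTES
        This will return the policies that were created on the site provided as well as the global policies.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [ValidateNotNullOrEmpty()]
        [PSTypeName('OneView.Token')] $OneViewToken,
        [Parameter(Mandatory = $true)]
        [string] $AccountID,
        [Parameter()]
        [switch] $DumpResponse
    )
    Begin {
        Write-Verbose 'Initializing Get-OneViewSitePolicy'
    }
    Process {
        Try {
            # Escape the id so characters such as '/', '?' or '#' cannot redirect the
            # authenticated request to a different path or add query parameters.
            $URI = "https://api.malwarebytes.com/api/v2/rmm/accounts/$([uri]::EscapeDataString($AccountID))/policies"
            $request = Invoke-RestMethod -Method GET -Uri $URI -Headers $OneViewToken.Headers
        }
        Catch {
            Write-Error -Message "Error obtaining Policies from OneView: $_"
        }
    }
    End {
        if ($DumpResponse) {
            Write-Host "Dumping Policies"
            # Convert to JSON for each item to ensure consistent detailed output
            $request | ForEach-Object { $_ | ConvertTo-Json -Depth 5 | Out-Host }
        }
        return $request
    }
}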
Get-OneViewSiteQuarantine
Use this function to get the quarantine of a given site.
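function Get-OneViewSitesQuarantine {
    <#
    .SYNOPSIS
        Gathers quarantine items from a site.
    .DESCRIPTION
        Gathers all quarantine items from a site in a specified time frame: OneWeek, OneMonth, ThreeMonths, OneYear.
        Follows next_cursor through the paginated response.
    .PARAMETER OneViewToken
        OneView.Token object from Get-OneViewToken. Can be provided as a parameter or in a pipeline; see .EXAMPLE.
    .PARAMETER SiteID
        Required - The site's nebula_account_id. It is URL-escaped before being placed in the request path.
    .PARAMETER OneWeek, OneMonth, ThreeMonths, OneYear
        Mutually exclusive time frame (7, 30, 90 or 365 days back from now, expressed in UTC).
        The 'since' filter is only sent when one of these switches is given; with no switch the request
        carries page_size alone, so the window is whatever the API applies by default.
        NOTE(review): confirm the API default matches the intended OneWeek default.
    .PARAMETER DumpResponse
        OPTIONAL - Print the entire formatted response to screen.
    .OUTPUTS
        Outputs quarantined items.
        If a request fails part-way, a non-terminating error is written and the items collected so far are returned.
    .NOTES
        The function is defined as Get-OneViewSitesQuarantine ("Sites"); the section heading calls it Get-OneViewSiteQuarantine.
    .EXAMPLE
        Get-OneViewSitesQuarantine -OneViewToken $OneViewToken -SiteID 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa'
    .EXAMPLE
        Get-OneViewToken -ClientID $clientID -ClientSecret $clientSecret | Get-OneViewSitesQuarantine -SiteID 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa' -OneMonth
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [ValidateNotNullOrEmpty()]
        [PSTypeName('OneView.Token')] $OneViewToken,
        [Parameter(Mandatory = $true)]
        [string]$SiteID,
        [switch]$OneWeek,
        [switch]$OneMonth,
        [switch]$ThreeMonths,
        [switch]$OneYear,
        [Parameter()]
        [switch] $DumpResponse
    )
    Begin {
        Write-Verbose 'Initializing Get-OneViewQuarantine'
        # Initialize quarantine as an empty array for consistent output
        $quarantine = @()
        $next_cursor = ''
        $page_size = 2000 # Set the desired page size
        $useSinceDate = $false
    }
    Process {
        # Collect all switches in an array
        $selectedSwitches = @($OneWeek, $OneMonth, $ThreeMonths, $OneYear)
        # Check how many switches are set to true
        $countSelected = @($selectedSwitches | Where-Object { $_ }).Count
        # Validate: Only allow 0 or 1 switch
        if ($countSelected -gt 1) {
            throw "You can specify only one time range option: -OneWeek, -OneMonth, -ThreeMonths, or -OneYear."
        }
        $offset = -7 # Default start date of a week ago
        if ($countSelected -eq 1) {
            $useSinceDate = $true
            # Determine which switch was selected
            if ($OneMonth) { $offset = -30 }
            elseif ($ThreeMonths) { $offset = -90 }
            elseif ($OneYear) { $offset = -365 }
        }
        # The trailing 'Z' marks the timestamp as UTC, so convert from local time first, and
        # format with the invariant culture so ':' is never swapped for a locale separator.
        $dateStr = (Get-Date).ToUniversalTime().AddDays($offset).ToString("yyyy-MM-ddTHH:mm:ssZ", [Globalization.CultureInfo]::InvariantCulture)
        Try {
            # Escape the id so characters such as '/', '?' or '#' cannot redirect the
            # authenticated request to a different path or add query parameters.
            $URI = "https://api.malwarebytes.com/oneview/v1/accounts/$([uri]::EscapeDataString($SiteID))/quarantine"
            # Start forming the URI with page_size and, when requested, 'since'
            if ($useSinceDate) {
                $URI += "?since=$dateStr&page_size=$page_size"
            } else {
                $URI += "?page_size=$page_size"
            }
            do {
                # Build the URI correctly with next_cursor if available
                if ($next_cursor) {
                    # The cursor is server-supplied text; escape it before placing it in the query string.
                    $uriWithCursor = "$URI&next_cursor=$([uri]::EscapeDataString([string]$next_cursor))"
                } else {
                    $uriWithCursor = $URI
                }
                $request = Invoke-RestMethod -Method GET -Uri $uriWithCursor -Headers $OneViewToken.Headers
                $quarantine += $request.quarantined_threats
                $next_cursor = $request.next_cursor
                # Stop on a missing/null cursor as well as an empty one: "$null -ne ''" is true
                # in PowerShell, so comparing against '' alone would re-fetch the first page forever.
            } while (-not [string]::IsNullOrEmpty($next_cursor))
        } Catch {
            Write-Error -Message "Error obtaining Quarantine from site with nebula_account_id: $SiteID from OneView $($_.Exception.Message)"
        }
    }
    End {
        if ($DumpResponse) {
            Write-Host "Dumping Quarantine"
            # Convert to JSON for each item to ensure consistent detailed output
            $quarantine | ForEach-Object { $_ | ConvertTo-Json -Depth 5 | Out-Host }
        }
        return $quarantine
    }
}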
Get-OneViewSiteSchedule
Use this function to get the schedules from a site.
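function Get-OneViewSiteSchedule {
    <#
    .SYNOPSIS
        Gathers schedules.
    .DESCRIPTION
        Gathers all schedules from a OneView site, includes global schedules.
        Follows next_cursor through the paginated response.
    .PARAMETER OneViewToken
        OneView.Token object from Get-OneViewToken. Can be provided as a parameter or in a pipeline; see .EXAMPLE.
    .PARAMETER SiteID
        Required, the nebula_account_id of the site. It is URL-escaped before being placed in the request path.
    .PARAMETER DumpResponse
        OPTIONAL - Print the entire formatted response to screen.
    .OUTPUTS
        Outputs all schedules applicable to site in question.
        If a request fails part-way, a non-terminating error is written and the schedules collected so far are returned.
    .EXAMPLE
        Get-OneViewSiteSchedule -OneViewToken $OneViewToken -SiteID 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa'
    .EXAMPLE
        Get-OneViewToken -ClientID $clientID -ClientSecret $clientSecret | Get-OneViewSiteSchedule -SiteID 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa'
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [ValidateNotNullOrEmpty()]
        [PSTypeName('OneView.Token')] $OneViewToken,
        [Parameter(Mandatory = $true)]
        [string] $SiteID,
        [Parameter()]
        [switch] $DumpResponse
    )
    Begin {
        Write-Verbose 'Initializing Get-OneViewSiteSchedule'
        # Initialize schedules as an empty array for consistent output
        $schedules = @()
    }
    Process {
        Try {
            # Escape the id so characters such as '/', '?' or '#' cannot redirect the
            # authenticated request to a different path or add query parameters.
            $URI = "https://api.malwarebytes.com/oneview/v1/accounts/$([uri]::EscapeDataString($SiteID))/schedules"
            $next_cursor = ''
            $page_size = 2000 # Set the desired page size
            do {
                # Build the URI correctly with next_cursor if available
                if ($next_cursor) {
                    # The cursor is server-supplied text; escape it before placing it in the query string.
                    $uriWithCursor = "$($URI)?next_cursor=$([uri]::EscapeDataString([string]$next_cursor))&page_size=$page_size"
                } else {
                    $uriWithCursor = "$($URI)?page_size=$page_size"
                }
                $request = Invoke-RestMethod -Method GET -Uri $uriWithCursor -Headers $OneViewToken.Headers
                $schedules += $request.schedules
                $next_cursor = $request.next_cursor
                # Stop on a missing/null cursor as well as an empty one: "$null -ne ''" is true
                # in PowerShell, so comparing against '' alone would re-fetch the first page forever.
            } while (-not [string]::IsNullOrEmpty($next_cursor))
        }
        Catch {
            Write-Error -Message "Error obtaining Schedules from site with nebula_account_id: $SiteID from OneView $($_.Exception.Message)"
        }
    }
    End {
        if ($DumpResponse) {
            Write-Host "Dumping Schedules"
            # Convert to JSON for each item to ensure consistent detailed output
            $schedules | ForEach-Object { $_ | ConvertTo-Json -Depth 5 | Out-Host }
        }
        return $schedules
    }
}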
Get-OneViewSiteSuspiciousActivity
Use this function to get the Suspicious Activity from a site.
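function Get-OneViewSiteSuspiciousActivity {
    <#
    .SYNOPSIS
        Gathers Suspicious Activities.
    .DESCRIPTION
        Gathers Suspicious Activities from a OneView site. Iterates through paginated response.
    .PARAMETER OneViewToken
        OneView.Token object from Get-OneViewToken. Can be provided as a parameter or in a pipeline; see .EXAMPLE.
    .PARAMETER SiteID
        Required, the nebula_account_id of the site. It is URL-escaped before being placed in the request path.
    .PARAMETER DumpResponse
        OPTIONAL - Print the entire formatted response to screen.
    .OUTPUTS
        Outputs Suspicious Activities.
        If a request fails part-way, a non-terminating error is written and the items collected so far are returned.
    .EXAMPLE
        Get-OneViewSiteSuspiciousActivity -OneViewToken $OneViewToken -SiteID 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa'
    .EXAMPLE
        Get-OneViewToken -ClientID $clientID -ClientSecret $clientSecret | Get-OneViewSiteSuspiciousActivity -SiteID 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa'
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [ValidateNotNullOrEmpty()]
        [PSTypeName('OneView.Token')] $OneViewToken,
        [Parameter(Mandatory = $true)]
        [string] $SiteID,
        [Parameter()]
        [switch] $DumpResponse
    )
    Begin {
        Write-Verbose 'Initializing Get-OneViewSiteSuspiciousActivity'
        # Initialize Suspicious Activities as an empty array for consistent output
        $sa = @()
    }
    Process {
        Try {
            # Escape the id so characters such as '/', '?' or '#' cannot redirect the
            # authenticated request to a different path or add query parameters.
            $URI = "https://api.malwarebytes.com/oneview/v1/accounts/$([uri]::EscapeDataString($SiteID))/sa"
            $next_cursor = ''
            $page_size = 2000 # Set the desired page size
            do {
                # Build the URI correctly with next_cursor if available
                if ($next_cursor) {
                    # The cursor is server-supplied text; escape it before placing it in the query string.
                    $uriWithCursor = "$($URI)?next_cursor=$([uri]::EscapeDataString([string]$next_cursor))&page_size=$page_size"
                } else {
                    $uriWithCursor = "$($URI)?page_size=$page_size"
                }
                $request = Invoke-RestMethod -Method GET -Uri $uriWithCursor -Headers $OneViewToken.Headers
                $sa += $request.sa
                $next_cursor = $request.next_cursor
                # Stop on a missing/null cursor as well as an empty one: "$null -ne ''" is true
                # in PowerShell, so comparing against '' alone would re-fetch the first page forever.
            } while (-not [string]::IsNullOrEmpty($next_cursor))
        }
        Catch {
            Write-Error -Message "Error obtaining Suspicious Activities from site with nebula_account_id: $SiteID from OneView $($_.Exception.Message)"
        }
    }
    End {
        if ($DumpResponse) {
            Write-Host "Dumping Suspicious Activities"
            # Convert to JSON for each item to ensure consistent detailed output
            $sa | ForEach-Object { $_ | ConvertTo-Json -Depth 5 | Out-Host }
        }
        return $sa
    }
}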
Get-OneViewSubscription
Use this function to get the subscription information from a site
function Get-OneViewSubscription {
    <#
    .SYNOPSIS
    Retrieve the subscription details of a OneView site.
    .DESCRIPTION
    Sends one GET request to /oneview/v2/sites/{SiteID}/subscriptions, passing the headers carried by the token object, and returns the parsed response.
    If the request throws, the error text is written to the host and the ErrorRecord itself is returned in place of the response, so callers need to check the type of the returned value before treating it as subscription data.
    .PARAMETER OneViewToken
    OneView.Token object whose Headers property is sent with the request. Can be provided as a parameter or in a pipeline; see .EXAMPLE.
    .PARAMETER SiteID
    The id of the site whose subscriptions are requested. This corresponds to the 'id' in Get-OneViewSite response. Rejected unless it matches ^[a-fA-F0-9]{72}$.
    .PARAMETER DumpResponse
    OPTIONAL - Print the entire response to the host as JSON (depth 5) before returning it.
    .OUTPUTS
    The response, which per the API description contains product, term type, term length, usage and allocations, and other metadata; an ErrorRecord when the request failed.
    .EXAMPLE
    Get-OneViewSubscription -OneViewToken $OneViewToken -SiteID $siteID
    .EXAMPLE
    Get-OneViewToken -ClientID $clientID -ClientSecret $clientSecret | Get-OneViewSubscription -SiteID $siteID
    .NOTES
    NOTE(review): SiteID is validated as exactly 72 hexadecimal characters, which a hyphenated GUID-style id would not pass - confirm the id format returned by Get-OneViewSite.
    #>
    Param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [ValidateNotNullOrEmpty()]
        [PSTypeName('OneView.Token')]
        $OneViewToken,

        # Only hex characters are accepted, so the value cannot add path or query syntax to the URI below.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[a-fA-F0-9]{72}$')]
        [string]
        $SiteID,

        [Parameter()]
        [switch]
        $DumpResponse
    )

    Write-Verbose 'Function Get-OneViewSubscription'

    $subscription = $null
    try {
        # Splat the request arguments; the token's Headers property supplies the authorization header.
        $call = @{
            Method  = 'GET'
            Uri     = "https://api.malwarebytes.com/oneview/v2/sites/$($SiteID)/subscriptions"
            Headers = $OneViewToken.Headers
        }
        $subscription = Invoke-RestMethod @call
    }
    catch {
        # The failure is reported on the host and handed back to the caller as the return value.
        Write-Host "The following error occured while obtaining Subscription from OneView: $_"
        return $_
    }

    if ($DumpResponse) {
        $subscription | ConvertTo-Json -Depth 5 | Out-Host
    }

    return $subscription
}
Get-OneViewUsers
Use this to see the users of your OneView account.
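function Get-OneViewUsers {
    <#
    .SYNOPSIS
    Gathers all users.
    .DESCRIPTION
    Gathers all users from OneView by sending GET requests to /oneview/v1/users and following next_cursor until the API returns no further cursor (empty or missing).
    If a request fails, the error is reported with Write-Error and the users collected before the failure are still returned, so a caller that needs the complete list should check for errors (for example with -ErrorVariable or -ErrorAction Stop).
    .PARAMETER OneViewToken
    OneView.Token object whose Headers property is sent with every request. Can be provided as a parameter or in a pipeline; see .EXAMPLE.
    .PARAMETER DumpResponse
    OPTIONAL - Print each collected user to the host as JSON (depth 5).
    .OUTPUTS
    Outputs all users.
    .EXAMPLE
    Get-OneViewUsers -OneViewToken $OneViewToken
    .EXAMPLE
    Get-OneViewToken -ClientID $clientID -ClientSecret $clientSecret | Get-OneViewUsers
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [ValidateNotNullOrEmpty()]
        [PSTypeName('OneView.Token')] $OneViewToken,
        [Parameter()]
        [switch] $DumpResponse
    )
    Begin {
        Write-Verbose 'Initializing Get-OneViewUsers'
        # Initialize users as an empty array for consistent output
        $users = @()
    }
    Process {
        Try {
            $URI = 'https://api.malwarebytes.com/oneview/v1/users'
            $next_cursor = ''
            $page_size = 2000 # Set the desired page size
            do {
                if ($next_cursor) {
                    # The cursor is an opaque value supplied by the server; escape it so that
                    # reserved characters (+, /, =, &) cannot alter the query string.
                    $escapedCursor = [uri]::EscapeDataString($next_cursor)
                    $uriWithCursor = "$($URI)?next_cursor=$escapedCursor&page_size=$page_size"
                } else {
                    $uriWithCursor = "$($URI)?page_size=$page_size"
                }
                $request = Invoke-RestMethod -Method GET -Uri $uriWithCursor -Headers $OneViewToken.Headers
                # Skip a missing users property so no $null element is appended to the result.
                if ($null -ne $request.users) {
                    $users += $request.users
                }
                $next_cursor = $request.next_cursor
                # Stop on a null cursor as well as an empty one: comparing with -ne '' alone is
                # true for $null, which would request the first page again without end.
            } while (-not [string]::IsNullOrEmpty($next_cursor))
        }
        Catch {
            Write-Error -Message "Error obtaining users from OneView $($_.Exception.Message)"
        }
    }
    End {
        if ($DumpResponse) {
            Write-Host "Dumping Users"
            # Convert to JSON for each item to ensure consistent detailed output
            $users | ForEach-Object { $_ | ConvertTo-Json -Depth 5 | Out-Host }
        }
        return $users
    }
}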