Skip to content
This repository has been archived by the owner on Nov 8, 2019. It is now read-only.

jan-tee/cycli-examples

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
Add_Devices_From_Excel_To_Zone.ps1
Add_Devices_From_Excel_To_Zone.ps1
 
 
Add_Devices_From_Excel_To_Zone.xlsx
Add_Devices_From_Excel_To_Zone.xlsx
 
 
Backup-Tenant.ps1
Backup-Tenant.ps1
 
 
Devices_With_Threats.ps1
Devices_With_Threats.ps1
 
 
Download_Trusted_Local_files.ps1
Download_Trusted_Local_files.ps1
 
 
Get-All-TDRs.md
Get-All-TDRs.md
 
 
Get-All-TDRs.ps1
Get-All-TDRs.ps1
 
 
HashesFromExcel.ps1
HashesFromExcel.ps1
 
 
HashesFromExcel.xlsx
HashesFromExcel.xlsx
 
 
Identify_Duplicate_Devices-README.md
Identify_Duplicate_Devices-README.md
 
 
Identify_Duplicate_Devices.ps1
Identify_Duplicate_Devices.ps1
 
 
Identify_Duplicate_Devices_by_MAC.ps1
Identify_Duplicate_Devices_by_MAC.ps1
 
 
Identify_NonDomain_Devices.ps1
Identify_NonDomain_Devices.ps1
 
 
LICENSE
LICENSE
 
 
Migration.ps1
Migration.ps1
 
 
README.md
README.md
 
 
Report_AD_Coverage.ps1
Report_AD_Coverage.ps1
 
 
Waive_Device_Threats-README.md
Waive_Device_Threats-README.md
 
 
Waive_Device_Threats.ps1
Waive_Device_Threats.ps1
 
 

Repository files navigation

cycli-examples

CyCLI Powershell module usage examples

One-liner examples

Add all hashes from an Excel file to Global Quarantine list

(import-excel .\HashesFromExcel.xlsx).Hash | Add-CyHashToGlobalList -List GlobalQuarantineList -Category None -Reason "Test" -Verbose

Safelist all Trusted-Local files

This will globally safelist all Trusted-Local classified detections that are currently quarantined.

(get-cydevicelist | %{ Get-CyDeviceThreatList -Device $_  | where classification -eq "Trusted" | where status -eq "Quarantined" }).sha256 | Sort-Object -Unique | Add-CyHashToGlobalList -List GlobalSafeList -Category None -Reason "Trusted-Local"

List devices that have been offline for longer than 5 days

get-cydevicelist | Get-CyDeviceDetail | where date_offline -ne $null | where date_offline -lt (Get-Date).AddDays(-5)

Get all script exclusions from all policies

Get-CyPolicyList | %{ (Get-CyPolicy -Policy $_) | script_control.global_settings.allowed_folders }

Get all mem def exclusions from all policies

Get-CyPolicyList | Get-CyPolicy | %{ $_.memoryviolation_actions.memory_exclusion_list }

Export all policies and all settings to JSON

get-cypolicylist | Get-CyPolicy | convertto-json | Out-File Policies.json

Create a new policy

$p = New-CyPolicy -Name "Blank Policy" -User myconsoleuser@company.com
$p | Update-CyPolicy -User myconsoleuser@company.com

Assigning policy

$policy = get-cypolicylist | where name -eq "ALLOW (Files: Alert, Mem: Alert, Script: Alert)"
$device = get-cydevicelist | where name -eq "JTIETZE-OPTICS1"
Set-CyPolicyForDevice -Device $device -Policy $policy

Add a memory and a scan exclusion to an existing policy, and commit policy to console

$p = (Get-CyPolicyList)[0] | Get-CyPolicy
$p | Add-CyPolicyListSetting -Type MemDefExclusionPath -Value "\\some\app.exe"
$p | Add-CyPolicyListSetting -Type ScanExclusion -Value "c:\\somedir\\somewhere\\"
$p | Update-CyPolicy -User myconsoleuser@company.com

Clone a policy

Copy-CyPolicy -SourcePolicyName "SCADA (Files: Block, Mem: Terminate, Script: Block, App Control: On)" -TargetPolicyName "SCADA2" -User myconsoleuser@company.com

Get detections with severity "low"

Get-CyDetectionList | where severity -ne "Low" | ft

Update detections

Update all detections on one system:

(Get-CyDetectionList) | Where-Object { $_.Device.Name -eq "OCULEUS" } | Update-CyDetection -Status 'False Positive'

About

Examples for the CyCLI Powershell module

Topics

powershell cycli

Resources

Readme

License

MIT license
Activity

Stars

12 stars

Watchers

7 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages