Install Windows forwarder with SentinelOne Remote Script Orchestrator

S1 RSO

Prerequisite(s)

📘

S1 RSO

S1 RSO requires an additional license from S1, but in some cases S1 will turn this on in the event of an active security incident. If you do not have a license for RSO, please email your S1 contact to enable it.

More information can be found online at https://www.sentinelone.com/blog/feature-spotlight-introducing-remoteops-custom-script-actions


🚧

Warning!

The initial scan (which we refer to as the backscan) is a comprehensive physical disk scan that is very resource intensive for a short period of time. We do not recommend installing the forwarder on critical assets early in your deployment. Think of your first several deployments as "sacrificial" in that they will take the biggest hit, because they will be uploading the greatest number of unique files; each subsequent install will have fewer and fewer unique files to upload and therefore a shorter, less intensive backscan.


Installation

  • Create the custom script that will be loaded into S1 RSO
function runfunc(
    [Parameter(Mandatory = $true)][string]$environment_id,
    [Parameter(Mandatory = $true)][string]$token
) {
    # Do your script actions here
    $TempFolder = ([io.path]::GetTempPath())
    $InceptionInstallerPath = Join-Path $TempFolder "InceptionForwarderBundle.exe"
    try {
        # Suppress the progress bar; it slows Invoke-WebRequest down considerably in Windows PowerShell 5.1
        $ProgressPreference = 'SilentlyContinue'
        Invoke-WebRequest -Uri "https://downloads.stairwell.com/windows/latest/InceptionForwarderBundle.exe" -OutFile $InceptionInstallerPath
    }
    catch {
        Write-Error "Error downloading the inception installer. Error $PSItem"
        exit 1
    }
    # Silent install; optionally add "DOSCAN=0" to the argument list to skip the initial backscan
    Start-Process -FilePath $InceptionInstallerPath -Wait -NoNewWindow -ArgumentList "/install", "ENVIRONMENT_ID=$($environment_id)", "TOKEN=$($token)", "/quiet", "/norestart"
}
runfunc @Args # kick off the script
  • Upload and configure the script into the RemoteOps Script Library within S1 with the following information
    • Script Details
      • Script Name: Stairwell Forwarder Installer
      • Script Type: Action
      • OS Type: Windows
      • Script Upload
      • Upload script
    • Script Settings
      • Script Execution Timeout: 3600 Seconds
      • Input Examples: ENVID and TOKEN here
    • Summary
  • Submit
  • Schedule or Deploy to assets or group as needed
    • Select Endpoints
    • Search for and select the applicable endpoint(s)
    • Select Actions ➡️ Run Script
    • Complete the Script Configuration
      • Script Selection
        • Select the desired script
      • Input/Output
        • Script Input: ENVID and TOKEN
        • Output Destination: None - No Output Handling Needed
      • Verify automation tasks

📘

If using PowerShell, be aware of the execution policy on the target hosts and of how to deploy successfully when that policy is Restricted, if applicable.
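The following is an added example, not a script from the Stairwell or SentinelOne documentation. It is a hardened variant of the RSO installer function above: it reports the effective execution policy (the point of the note above), forces TLS 1.2 for the download, refuses to execute the downloaded binary unless its Authenticode signature is valid and the signer matches an expected subject, records the file's SHA-256 in the task output, and returns the installer's exit code so the RSO task log reflects success or failure. The function name, the `$ExpectedSignerSubject` placeholder, and the `-SkipBackscan` switch are assumptions of this example; the download URL and the `DOSCAN=0` option come from the page.

```powershell
# Added example (not Stairwell's or SentinelOne's code). Values marked ASSUMPTION are placeholders.
function Install-StairwellForwarderChecked {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$environment_id,
        [Parameter(Mandatory = $true)][string]$token,
        [string]$Uri = "https://downloads.stairwell.com/windows/latest/InceptionForwarderBundle.exe",
        # ASSUMPTION: replace with the signer subject observed on a known-good copy of the installer.
        [string]$ExpectedSignerSubject = "CN=EXPECTED-SIGNER-SUBJECT-PLACEHOLDER",
        [switch]$SkipBackscan
    )

    # Surface the effective execution policy in the RSO task output so a blocked run is explainable.
    $policy = Get-ExecutionPolicy
    Write-Host "Effective execution policy: $policy"
    if ($policy -eq 'Restricted') {
        Write-Warning "Execution policy is Restricted; script execution may be blocked on this host."
    }

    $installer = Join-Path ([IO.Path]::GetTempPath()) "InceptionForwarderBundle.exe"

    try {
        $ProgressPreference = 'SilentlyContinue'
        # Older hosts may default to TLS 1.0/1.1; require TLS 1.2 for the download.
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        Invoke-WebRequest -Uri $Uri -OutFile $installer -UseBasicParsing
    }
    catch {
        Write-Error "Error downloading the installer: $PSItem"
        return 1
    }

    # Never execute a network-downloaded binary without checking its signature first.
    $sig = Get-AuthenticodeSignature -FilePath $installer
    if ($sig.Status -ne 'Valid') {
        Remove-Item -Path $installer -Force -ErrorAction SilentlyContinue
        Write-Error "Installer signature is not valid (status: $($sig.Status)); aborting."
        return 2
    }
    if ($sig.SignerCertificate.Subject -ne $ExpectedSignerSubject) {
        Remove-Item -Path $installer -Force -ErrorAction SilentlyContinue
        Write-Error "Unexpected signer '$($sig.SignerCertificate.Subject)'; aborting."
        return 3
    }

    # Record the hash so the task log can be matched against the copy you validated.
    $hash = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
    Write-Host "Installer SHA256: $hash"

    $installArgs = @("/install", "ENVIRONMENT_ID=$environment_id", "TOKEN=$token", "/quiet", "/norestart")
    if ($SkipBackscan) {
        $installArgs += "DOSCAN=0"   # optional flag documented on the page: skip the initial backscan
    }

    # -PassThru gives us the process object so the exit code can be reported and returned.
    $proc = Start-Process -FilePath $installer -ArgumentList $installArgs -Wait -NoNewWindow -PassThru
    Write-Host "Installer exit code: $($proc.ExitCode)"

    Remove-Item -Path $installer -Force -ErrorAction SilentlyContinue
    return $proc.ExitCode
}

# RSO passes the configured script inputs as positional arguments, as in the original runfunc @Args call.
$rc = Install-StairwellForwarderChecked @Args
exit $rc
```

Use `Write-Host` for log lines inside the function so that only the exit code travels down the pipeline into `$rc`; with `Write-Output` the function would return an array and `exit $rc` would fail. The signer-subject check deliberately fails closed: a download that is unsigned, tampered with, or signed by someone else is deleted rather than run.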

Confirm Installation

  • Navigate to https://app.stairwell.com and log in
  • Click on Assets
  • Click on the newly created asset name(s) to confirm the retrieval of files
  • Take note of the data under All Objects

📘

It may take a few minutes for file ingestion to begin and show in the application.