Add USB Mount support for SentinelOne

[xC0uNt3r7hr34t]

Description

Please provide the below information so we can validate before merging:

1. Does the proposed EDR feature align with our definition of telemetry?( YES (https://github.com/tsale/EDR-Telemetry/wiki/FAQ#5-how-is-telemetry-defined-in-this-context))
2. Could you please provide documentation to support the telemetry you are proposing?(If it is held privately, please reach out to me or @inodee) - documentation is private
3. If no documentation is available for all the categories you are proposing, could you provide screenshots or sanitized logs?

Type of change

Please delete options that are not relevant.

• [x] Feature Improvement (non-breaking change which fixes an issue)
• [ ] New feature (adding additional EDR product or proposing new event categories/sub-categories)
• [ ] This change requires a documentation update
• [ ] New tool (suggesting additional tools for improving collection and analysis)

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.

• Enable Device Control feature and enable proper logging for desired devices
• plug a usb device into system with SentinelOne agent installed and policy applied
• verify via api or audit log of generated event.

Test Configuration:

• EDR version: console W, agent version 22.3.4.612
• Operating System version: Win11

Checklist:

• [x] My code follows the style guidelines of this project
• [x] I have performed a self-review of my own code
• [x] I have made corresponding changes to the documentation
• [x] I have added tests that prove my corrections or additions are accurate
• [x] I have checked my code and corrected any misspellings

Don't stress yourself out, just answer the above to the best of your ability and we can discuss in the comments 🙂

[tsale]

Thanks for this PR @xC0uNt3r7hr34t. Can you please confirm the below?

Enable Device Control feature and enable proper logging for desired devices

This does not appear to be on by default. We only take into consideration Out Of The Box telemetry that don't need additional configuration(i.e. enabling features).

[xC0uNt3r7hr34t]

Quite a lot of SentinelOne features are not enabled by default. It is a simple on/off switch for device control which would then start collecting logs for USB devices. The same actually goes for URL events (a checkbox is required in the policy settings), and named Pipes are also currently off by default. I will have to look if there are any others disabled by default. I missed some of this originally not realizing we were focused on the "on by default" only telemetry. Would these be something we would consider as partially implemented since the capability exists but it needs to be configured? Maybe a future improvement of how to show that as it can change perception of a tools visibility due to certain features being turned off by default.

[tsale]

Hey @xC0uNt3r7hr34t, this was a tricky issue to tackle and we needed time to discuss and decide how to move forward.

Considering that is quite easy to enable the telemetry on some vendors, as you said similar to an on/off switch, we decided to introduce new icon/description to represent this option within the table.

We see the need to including the features that enable additional telemetry as part of the EDR product (this is not a different module at extra cost). Although, we don't think this would be accurately represented via the "Amber/Partially Implemented" icon. Therefore, we will be introducing the below:

Icon:🎚️ Description: Via Additional Feature

The description is subject to change before we implement the changes. Feel free to suggest a better one 🙂 Additionally, I'm looking forward to hearing your thoughts on these proposed changes. Thank you for your contribution!