tsale / EDR-Telemetry

This project aims to compare and evaluate the telemetry of various EDR products.

Adding SentinelOne Telemetry Updates #65

Closed thiboog closed 2 weeks ago

thiboog commented 1 month ago

Pull Request Template

Description

Please provide the below information so we can validate before merging:

  1. Does the proposed EDR feature align with our definition of telemetry? (definition here)
  2. Could you please provide documentation to support the telemetry you are proposing? (If it is held privately, please reach out to me or @inodee)
  3. If no documentation is available for all the categories you are proposing, could you provide screenshots or sanitized logs?

1: Yes
2: No
3: Yes

Type of change

Please delete options that are not relevant.

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.

Test Configuration:

Checklist:


Hi @tsale, based on my usage of SentinelOne EDR, you'll find a new telemetry file update. I'm providing screenshots for every telemetry sub-category.

For Windows EventLogs telemetry, you can enable additional Windows EventLog telemetry using the SentinelOne agent through the policy page. By default each endpoint where this is enabled will grab a set of Windows EventLogs (System, Security, Application channels) and you can narrow it down to specific channels, provider names and levels.


For USB device unmount and mount events, you need to enable audit of USB events first, default is disabled. Once you enable it you’ll have events available automatically for hunting and alerting.


Let me know if you need more details.

thiboog commented 1 month ago

Hi @tsale and @inodee, Do you think we can have a look together to merge this PR ? Thanks in advance for your help.

tsale commented 1 month ago

Hi @thiboog and thank you very much for this PR. I'll have a look when I get some time. Thanks for your patience.

thiboog commented 1 month ago

Hi @thiboog and thank you very much for this PR. I'll have a look when I get some time. Thanks for your patience.

No worries, just wanted to make sure you had this in your radar. Let me know if you need additional details.

tsale commented 3 weeks ago

Hey @thiboog, quick question: when you enable the Collection of the Windows Event Logs (XDR Collections), because some of the logs are not enabled by default, does the end user have to enable those logs in order for your agent to collect them?

Additionally, you have "service deletion" as implemented, but the screenshot shows a service being stopped, not deleted. Maybe we should add service stopped in the project, but right now, we only have the deletion.

thiboog commented 3 weeks ago

Hi @tsale,

When you select "Windows Event Logs" as seen on the screenshot, by default the agent will collect every EventID from the Security, Application, System, Setup and Forwarded Events channels without doing anything extra. You can extend that collection to any Windows or 3rd-party Windows Event Log provider with an additional configuration setting.

For the Service Deletion part, it's true SentinelOne does not have that visibility today. They will have the telemetry on the service binary being deleted (File Delete) and the registry value being deleted (Registry Key/Value Delete) but not a dedicated event for it. I personally find more value in Service Stopped telemetry as referenced by T1489, whereas Service Deletion is not referenced as a MITRE technique used by attackers, but that's probably another debate :)

It would be nice if you could add that "Service Stopped" sub-category indeed.

Let me know if you want other details.
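An added example (not code from the EDR-Telemetry project or the PR author) showing how a defender can derive the two service-level findings discussed above from lower-level telemetry: a "service deleted" finding from a Registry Key Delete under the Service Control Manager's Services key, and a "service stopped" finding (T1489) from a System-channel event 7036 carried by the Windows Event Log collection. The event-record dict shape and sample records are constructed assumptions, not SentinelOne's actual schema.

```python
import re

# Service definitions live under this key; deleting a service's key is the
# registry side effect of service removal that the thread says S1 does expose.
SERVICES_KEY = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)$",
    re.IGNORECASE,
)
# System-channel event 7036 (Service Control Manager) state-change message.
STATE_CHANGE = re.compile(r"^The (.+) service entered the (\w+) state\.$")

# Constructed sample telemetry; the dict layout is an assumption, not S1's schema.
SAMPLE_EVENTS = [
    {"type": "Registry Key Delete",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\BackupSvc"},
    {"type": "File Delete",
     "path": r"C:\Program Files\BackupSvc\backupsvc.exe"},
    {"type": "Registry Key Delete",
     "key": r"HKLM\SOFTWARE\Vendor\Unrelated"},
    {"type": "Windows Event Log", "channel": "System", "event_id": 7036,
     "message": "The Windows Defender Antivirus Service service entered the stopped state."},
    {"type": "Windows Event Log", "channel": "System", "event_id": 7036,
     "message": "The Print Spooler service entered the running state."},
]


def infer_service_events(events):
    """Map raw telemetry records to service-level findings.

    Returns a list of (finding, service_name) tuples:
      ("service_deleted", name) - a key under ...\\Services\\ was deleted
      ("service_stopped", name) - System 7036 reports the stopped state (T1489)
    Other record types, keys outside the Services hive and non-stop state
    changes (e.g. a service entering the running state) produce nothing.
    """
    findings = []
    for ev in events:
        if ev.get("type") == "Registry Key Delete":
            m = SERVICES_KEY.match(ev.get("key", ""))
            if m:
                findings.append(("service_deleted", m.group(1)))
        elif (ev.get("type") == "Windows Event Log"
              and ev.get("channel") == "System"
              and ev.get("event_id") == 7036):
            m = STATE_CHANGE.match(ev.get("message", ""))
            if m and m.group(2) == "stopped":
                findings.append(("service_stopped", m.group(1)))
    return findings


if __name__ == "__main__":
    for finding in infer_service_events(SAMPLE_EVENTS):
        print(finding)
```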

thiboog commented 2 weeks ago

Thanks @tsale, I've done the requested changes.