Closed thiboog closed 2 weeks ago
Hi @tsale and @inodee, do you think we can have a look together to merge this PR? Thanks in advance for your help.
Hi @thiboog and thank you very much for this PR. I'll have a look when I get some time. Thanks for your patience.
No worries, just wanted to make sure you had this in your radar. Let me know if you need additional details.
Hey @thiboog, quick question: when you enable the Collection of the Windows Event Logs (XDR Collections), because some of the logs are not enabled by default, does the end user have to enable those logs in order for your agent to collect them?
Additionally, you have "service deletion" as implemented, but the screenshot shows a service being stopped, not deleted. Maybe we should add service stopped in the project, but right now, we only have the deletion.
Hi @tsale,
When you select "Windows Event Logs" as seen on the screenshot, by default the agent will collect every EventID from the Security, Application, System, Setup and Forwarded Events channels without doing anything extra. You can extend that collection to any Windows or 3rd party Windows Event Log provider with an additional configuration setting.
For the Service Deletion part, it's true that SentinelOne does not have that visibility today. They will have the telemetry on the service binary being deleted (File Delete) and the registry value being deleted (Registry Key/Value Delete), but not a dedicated event for it. I personally find more value in Service Stopped telemetry, as referenced by T1489, whereas Service Deletion is not referenced as a MITRE technique used by attackers, but that's probably another debate :)
It would be nice if you could add that "Service Stopped" sub-category indeed.
Let me know if you want other details.
Thanks @tsale, I've done the requested changes.
Pull Request Template
Description
Please provide the below information so we can validate before merging:
1: Yes\ 2: No\ 3: Yes
Hi @tsale, based on my usage of SentinelOne EDR, you'll find a new telemetry file update. I'm providing screenshots for every telemetry sub-category.
For Windows EventLogs telemetry, you can enable additional Windows EventLog telemetry using the SentinelOne agent through the policy page. By default each endpoint where this is enabled will grab a set of Windows EventLogs (System, Security, Application channels) and you can narrow it down to specific channels, provider names and levels.
For USB device unmount and mount events, you need to enable audit of USB events first, default is disabled. Once you enable it you’ll have events available automatically for hunting and alerting.
Let me know if you need more details.