Please provide the below information so we can validate before merging:
Does the proposed EDR feature align with our definition of telemetry? (definition here)
Could you please provide documentation to support the telemetry you are proposing? (If it is held privately, please reach out to me or @inodee)
If no documentation is available for all the categories you are proposing, could you provide screenshots or sanitized logs?
1: Yes it does.
2: Documentation is hidden behind a support portal which requires registration. For customers/clients only.
3: Yes, these were/are provided to Kostas directly.
Type of change
Please delete options that are not relevant.
[x] New feature (adding additional EDR product or proposing new event categories/sub-categories)
How Has This Been Tested?
Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.
SentinelOne installed on a Ubuntu 22.04.4 VM on Proxmox
VM was left open for a few hours (even a few days) so that telemetry could be passively collected
For each telemetry category (e.g.: Process, Network, File, Registry, etc.) the available "type" of events (e.g.: Process Creation) were queried for matching events
Event types that returned results were marked as "Yes" in the JSON. Event types that did not return any results were left alone for further testing
For event types that did not return any results, the lnx_telem_gen.py script was run to generate matching telemetry.
New searches were executed for the event types that did not return any results before, to see if they did. If they did, they were marked as "Yes" in the JSON. If they didn't, they were marked as "No"
Test Configuration:
EDR version: SentinelOne 24.2.2.20
Operating System version: Ubuntu 22.04.4
Checklist:
My code follows the style guidelines of this project
I have performed a self-review of my own code
I have made corresponding changes to the documentation
I have added tests that prove my corrections or additions are accurate
I have checked my code and corrected any misspellings
Additional Information
The table is not yet completed. Posting here so we can discuss/see what the verdict is for the remaining items:
eBPF Event
Raw Access Read
Process Tampering
If these events are logged, there's a high chance they are under the "Behavioral Indicators" event category.
I also checked if events from the "module", "drivers", "command_script" and "cross_process" were present. They weren't.
There are also "Behavioral Indicators" events for "New kernel module" loads. Not sure where those would be listed if these count.
CSV
SentinelOne_categories_table.csv
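The two-pass marking described under "How Has This Been Tested?" (passive collection first, then generator-driven re-queries), as an added Python example that is not part of this PR or of the project's own code. The `(category, event_type)` keys, the hit counts and the extra "Pending" status for items that were never re-queried are assumptions for illustration, not the project's JSON schema.

```python
"""Two-pass EDR telemetry coverage marking.

Pass 1: any event type with hits during passive collection is "Yes".
Pass 2: the remaining event types are queried again after the telemetry
generator has run; hits -> "Yes", still nothing -> "No".
Anything queried passively with no hits and never re-queried is "Pending",
so an unfinished table is visible instead of silently reading as "No".
"""
from __future__ import annotations

# Constructed sample query results: (category, event type) -> matching events.
PASSIVE_RESULTS = {
    ("Process", "Process Creation"): 412,
    ("Process", "Process Termination"): 0,
    ("Network", "Network Connection"): 58,
    ("File", "File Creation"): 0,
    ("File", "File Deletion"): 0,
    ("File", "File Modification"): 0,   # never re-queried below -> Pending
}
ACTIVE_RESULTS = {                      # queries repeated after generation
    ("Process", "Process Termination"): 9,
    ("File", "File Creation"): 3,
    ("File", "File Deletion"): 0,
}
# Items still under discussion in the PR; assumed category placement.
UNDECIDED = {("Process", "Process Tampering"), ("eBPF", "eBPF Event"),
             ("File", "Raw Access Read")}


def mark_coverage(passive: dict, active: dict, undecided=frozenset()) -> dict:
    """Return {(category, event_type): "Yes" | "No" | "Pending"}."""
    table = {}
    for key in set(passive) | set(active) | set(undecided):
        if passive.get(key, 0) > 0:
            table[key] = "Yes"                        # seen passively
        elif key in active:
            table[key] = "Yes" if active[key] > 0 else "No"
        else:
            table[key] = "Pending"                    # no verdict yet
    return table


def as_rows(table: dict) -> list[dict]:
    """Flatten to sorted rows, ready for json.dump or csv.DictWriter."""
    return [{"category": c, "event_type": e, "status": table[(c, e)]}
            for c, e in sorted(table)]


def unresolved(table: dict) -> list[tuple]:
    """Keys that still need testing or a maintainer decision."""
    return sorted(k for k, v in table.items() if v == "Pending")
```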