EDR Telemetry Project: A Comprehensive Comparison
Endpoint Detection and Response (EDR) products have become essential to organizations’ cybersecurity strategies. As a result, understanding the telemetry provided by these products is crucial for building additional detections and conducting threat hunting.
Having the appropriate logs is important for creating detection rules as well as for responding to detection alerts. Trained analysts spend less time investigating those alerts or threat-hunting for other malicious activity when they have the logs they need. An EDR can be an invaluable source of telemetry that encapsulates numerous data points. Unfortunately, not all EDRs provide the same wealth of telemetry that would aid analysts in drawing conclusions more quickly during an investigation.
In this article, we discuss the goal of the EDR Telemetry project, what it is and what it is not, and how we think it can help EDR vendors and consumers alike.
Read for free: https://medium.com/detect-fyi/edr-telemetry-project-a-comprehensive-comparison-d5ed1745384b?sk=b5aade1de1afbabf687620a12aa7a581
What is EDR Telemetry?
EDR telemetry refers to the data collected and transmitted by EDR products and tools. EDR products are designed to monitor, detect, and respond to potential threats and suspicious activities on endpoints, such as workstations, servers, and other devices within a network. The telemetry generated by EDR sensors provides valuable insight into the security events and activities occurring on those endpoints.
In the context of this project, telemetry is defined as a source of data that is automatically collected and transmitted by a sensor in real time.
The Goal of the EDR Telemetry Project
The main goal of the EDR Telemetry project is to encourage EDR vendors to be more transparent about the telemetry they provide to their customers. Almost all EDR vendors have their detection rules hidden for many reasons, such as intellectual property protection and competitive advantage. However, we believe telemetry is slightly different, and vendors should be open about the raw telemetry their products can generate. When EDR vendors are open with their telemetry, users can better understand the data collected and use it to build custom detection rules tailored to their specific environments and…