EDR Telemetry Project: Exciting New Updates and Insights
The EDR Telemetry Project is back with another round of updates! This project is all about helping security researchers, threat hunters, and organizations understand the strengths and gaps in Endpoint Detection and Response (EDR) solutions.
In our latest updates, we’ve added support for new platforms, refined our scoring, and improved the way telemetry data is categorized. What’s even more exciting is seeing EDR vendors actively engaging with the project and enhancing their products based on our findings.
Let’s break down the key changes, why they matter, and how you can get involved!
What’s New in the EDR Telemetry Project?
Elastic 8.16 Support
We’ve updated the Elastic entries to reflect the latest Elastic Stack release, Elastic 8.16. If you use Elastic for security analytics, the project’s coverage continues to match what the current version collects for your investigations.
🔗 Pull Request: Update WMI for Elastic 8.16 (#87)
FortiEDR Integration
We’re thrilled to add FortiEDR to the project! This addition helps broaden our visibility and understanding of how FortiEDR handles telemetry collection.
🔗 Pull Request: EDR Addition — FortiEDR (#84)
Uptycs EDR Integration
Another big win — Uptycs EDR is now part of the project. This addition offers fresh insights into Uptycs’ telemetry collection capabilities and helps expand our coverage.
🔗 Pull Request: Addition of Uptycs EDR (#66)
Trend Micro and Qualys Updates
We’ve refined telemetry descriptions and scoring for both Trend Micro and Qualys. These changes reflect the latest improvements made by these vendors, showing their commitment to enhancing their products based on our findings.
🔗 Pull Requests:
Contributors Wall
We’re excited to announce the addition of the Contributors Wall to recognize those who have made significant contributions to the project. A special shoutout to , who made it into the Contributors Wall thanks to their amazing contributions and ongoing support! Their dedication has helped improve the project, and we are grateful for their involvement.
🔗 Pull Request: Update Contributors Wall (#96)
Moving to a New Website and Building a Community
We’ve transitioned from displaying project results on a Google Spreadsheet to a dedicated website. This move makes the information easier to access, navigate, and future-proof for additional features and improvements. We’ve put significant effort into ensuring the website is accessible and user-friendly.
We’ve also launched a Discord community where members can discuss everything related to EDR telemetry, ask questions, and share insights. To maintain an active and high-quality community, participation is available to those who:
- Contribute to the project,
- Provide a one-off donation or
- Sponsor the project.
This approach helps ensure that the Discord server remains a space for valuable discussions and meaningful engagement.
Refining Telemetry Descriptions: What’s New?
In this round of updates, we’ve changed how we categorize telemetry collection methods so that the descriptions of how each EDR captures telemetry are clearer and more accurate. As part of this, the score for “Via EventLogs” has been adjusted from 0.75 to 0.5. The lower weight reflects the refined definition below: this telemetry depends on the system’s own logging configuration rather than on collection by the sensor itself.
🪵Via EventLogs
Telemetry, categorized as “Via EventLogs,” refers to data that is collected from Windows Event Logs — but only if event logging is enabled at the system level. The EDR itself does not independently collect this telemetry through Event Tracing for Windows (ETW). This distinction helps clarify the reliance on system-level logging configurations.
🎚️ Via EnablingTelemetry
“Via EnablingTelemetry” describes telemetry that an EDR can collect, but only if an additional feature or setting is enabled. This capability is not turned on by default and often requires administrative action to activate. Understanding this helps users differentiate between out-of-the-box capabilities and those that need manual configuration.
🔗 Scores: https://www.edr-telemetry.com/scores.html
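Because “Via EventLogs” telemetry only exists if the underlying Windows logging is switched on, it is worth verifying that prerequisite on a host before trusting an EDR’s coverage in that category. The snippet below is an added example, not code from the EDR Telemetry Project; it uses process-creation auditing (Security event 4688) as one illustrative source, which is our assumption for illustration and not a statement about which events the project scores. It assumes an elevated PowerShell prompt on Windows 10 / Server 2016 or later.

```powershell
# Added example (not from the EDR Telemetry Project). Checks whether the
# system-level logging that "Via EventLogs" telemetry depends on is enabled,
# using process-creation auditing (Security 4688) as an assumed illustrative case.
function Test-ProcessCreationLogging {
    [CmdletBinding()]
    param()

    # 1. Audit subcategory "Process Creation". Query by its well-known GUID so the
    #    check does not depend on the OS display language; /r gives CSV output.
    $auditRow = auditpol /get /subcategory:"{0CCE922B-69AE-11D9-BED3-505054503030}" /r 2>$null |
        ConvertFrom-Csv | Select-Object -First 1
    $auditEnabled = [bool]($auditRow -and $auditRow.'Inclusion Setting' -match 'Success')

    # 2. Command-line logging for 4688. Without this policy the event exists but
    #    carries no command line, which is usually the field analysts care about.
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $cmdValue = (Get-ItemProperty -Path $regPath -Name ProcessCreationIncludeCmdLine_Enabled `
        -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
    $cmdLineEnabled = ($cmdValue -eq 1)

    # 3. Security log size: a log that wraps in minutes on a busy host is a
    #    collection gap even when auditing is "enabled".
    $secLog = Get-WinEvent -ListLog Security

    # 4. Evidence that 4688 is actually being written right now.
    $recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688;
        StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ProcessCreationAudit   = $auditEnabled
        CommandLineInEvent4688 = $cmdLineEnabled
        SecurityLogMaxSizeMB   = [math]::Round($secLog.MaximumSizeInBytes / 1MB)
        Event4688LastHour      = ($recent | Measure-Object).Count
    }
}

Test-ProcessCreationLogging
```

If `ProcessCreationAudit` or `CommandLineInEvent4688` comes back `$false`, any EDR scored “Via EventLogs” for that source will show nothing on this host until the audit policy (Group Policy or `auditpol /set`) is corrected; a sensor scored as collecting the same data through ETW or its own driver would be unaffected, which is exactly the distinction the refined category is meant to capture.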
Telemetry Events vs. Inferred Activity
We’ve also defined the difference between Telemetry Events and Inferred Activity in the project.
- Telemetry Events are direct, observable data points collected by the EDR.
- Inferred Activity refers to conclusions the EDR draws based on existing telemetry data rather than direct observation.
You can read more about this distinction in our Telemetry Events vs. Inferred Activity guide. A detailed blog post explaining this further will be coming soon!
Telemetry Definition Clarification
For clarity, we’ve also updated how telemetry is defined in the context of this project. This updated definition reflects our commitment to providing precise and consistent terminology for telemetry collection. It helps ensure everyone understands what data is captured during installation processes and how it contributes to the overall EDR evaluation.
You can check out the detailed explanation in our FAQ section.
EDR Telemetry for this project is defined as a source of data or an event that is automatically collected and transmitted by a sensor in real-time or close to real-time as the event occurs. It does NOT include historical events prior to EDR installation, live querying of artifacts, or access to artifacts on a system.
These changes provide more transparency, helping end users understand what makes an EDR eligible for this project.
Why These Updates Matter
Transparency and Accuracy
The EDR Telemetry Project is all about transparency. By providing clear insights into how telemetry is collected and what each EDR solution captures, we empower security teams to make informed decisions.
Driving Vendor Engagement
One of the most exciting aspects of this project is seeing EDR vendors like Trend Micro, Qualys, and Uptycs engage with the findings. Notably, Trend Micro updated their telemetry documentation to match the project’s categories and sub-categories structure, further enhancing clarity and alignment with industry standards (Trend Micro Telemetry Documentation). These vendors are actively improving their products based on the gaps identified by the community. This collaboration helps everyone because of the transparency that these companies are providing to their customers.
How You Can Get Involved
The EDR Telemetry Project thrives on community contributions. Whether you’re a researcher, a security enthusiast, or part of an EDR vendor team, your input matters!
Ways to Participate:
- Explore the Project: Check out the latest updates on GitHub. 🔗 EDR Telemetry Project on GitHub
- Contribute: Found a gap or want to add new telemetry insights? Submit a pull request or open an issue.
- Join Our Discord Community: Engage in discussions about EDR telemetry and related topics. To join, contribute to the project, sponsor it, or make a one-time contribution. This helps us maintain a high-quality, active community.
- Give Feedback: Your feedback helps refine the project and make it better for everyone.
Let’s Keep Improving Together!
These latest updates are a big step forward, but there’s always more work to be done. By collaborating and sharing insights, we can continue to improve and provide transparency behind various EDRs.
Thank you to everyone who contributed to this round of updates, and a special shoutout to vendors who are actively engaging and improving their products based on these findings. Let’s keep the momentum going!
🔗 Join the conversation and explore the project: EDR Telemetry Project
Next Steps for the Project
The next steps for the EDR Telemetry Project are highlighted in our roadmap. Our primary focus right now is to release the Linux version, which will feature multiple EDR vendors from the start. We’re putting in the effort to make this a reality before the end of the year!
Stay tuned for more updates as we continue to expand and enhance the project. Your feedback and contributions are invaluable in helping us achieve these goals!