
Add more telemetry coverage for MDE on Windows

Open jonade opened this issue 10 months ago • 0 comments

EDR Telemetry Pull Request

Contribution Details

Adding telemetry that is covered by MDE on Windows machines

Telemetry Validation

Documentation or Evidence:

  • [ ] Official documentation (link: )
  • [X] Screenshots attached
  • [ ] Sanitized logs provided
  • [ ] Private documentation (will share confidentially)

Type of Contribution

  • [X] Adding telemetry information for an existing EDR product
  • [ ] Adding a new EDR product that meets eligibility criteria
  • [ ] Proposing new event categories/sub-categories
  • [ ] Documentation improvement
  • [ ] Tool enhancement

Validation Details

EDR Product Information

  • EDR Product Name: Defender for Endpoint
  • EDR Version: Engine: 1.1.25030.1, Service: 4.18.25030.2
  • Operating System(s) Tested: Windows 11, 24H2

Testing Methodology

Running telemetry-generator.ps1 to generate

Additional Notes

  1. Service Creation (two screenshots attached)

  2. Service Deletion (screenshot attached)

Not entirely sure how to classify this one. It's huntable, but it was within the DeviceRegistryEvents table: (screenshot attached)


  3. Virtual Disk Mount (iso) (two screenshots attached)

  4. BITS Job (screenshot attached)

Doesn't appear to be huntable, other than via the DeviceProcessEvents table. (screenshot attached)

jonade, Apr 17 '25 10:04
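The issue notes that service creation/deletion shows up in the DeviceRegistryEvents table and that BITS jobs are only visible through DeviceProcessEvents. The following Advanced Hunting queries are an added illustration of how a defender would confirm those two observations in Microsoft Defender for Endpoint; they are not part of the issue or of the EDR-Telemetry project's own tooling. They assume the public Advanced Hunting schema column names (RegistryKey, ActionType, InitiatingProcess*, ProcessCommandLine) and that Defender records the registry key with its full hive name; the 7-day window and the bitsadmin/Start-BitsTransfer command-line markers are illustrative choices.

```kusto
// Query 1: service creation and deletion as seen in DeviceRegistryEvents.
// Windows registers every service as a key directly under
// HKLM\SYSTEM\CurrentControlSet\Services, so a key created or deleted at
// exactly that depth corresponds to a service being installed or removed.
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\"
| where ActionType in ("RegistryKeyCreated", "RegistryKeyDeleted")
| extend KeyParts = split(RegistryKey, @"\")
// Depth 5 = HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ <ServiceName>;
// deeper keys (e.g. ...\<ServiceName>\Parameters) are ordinary config writes.
| where array_length(KeyParts) == 5
| extend ServiceName = tostring(KeyParts[4])
| project Timestamp, DeviceName, ActionType, ServiceName, RegistryKey,
          InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc

// Query 2: BITS job activity, which the issue reports is only visible via
// process telemetry. Match the bitsadmin.exe binary and PowerShell invocations
// of the BITS cmdlets (illustrative markers; extend as your environment requires).
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "bitsadmin.exe"
     or (FileName in~ ("powershell.exe", "pwsh.exe")
         and ProcessCommandLine has_any ("Start-BitsTransfer", "New-BitsTransfer"))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

Run each query separately in the Advanced Hunting console (a single run executes one query). If the first query returns rows for the service created by the generator script, that is direct evidence for the "Service Creation"/"Service Deletion" rows in the coverage table; an empty result for the BITS job in any table other than DeviceProcessEvents supports the note that BITS is observable only indirectly through the launching process.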