
Updates for MDE on Windows and Linux

Open jonade opened this issue 3 months ago • 3 comments

EDR Telemetry Pull Request

Contribution Details

Telemetry Validation

Documentation or Evidence:

  • [ ] Official documentation (link: )
  • [X] Screenshots attached
  • [ ] Sanitized logs provided
  • [ ] Private documentation (will share confidentially)

Type of Contribution

  • [X] Adding telemetry information for an existing EDR product
  • [ ] Adding a new EDR product that meets eligibility criteria
  • [ ] Proposing new event categories/sub-categories
  • [ ] Documentation improvement
  • [ ] Tool enhancement

Validation Details

EDR Product Information

  • EDR Product Name: Defender for Endpoint
  • EDR Version: 1.1.25100.9002 (Win) / 1.1.25090.6000 (Linux)
  • Operating System(s) Tested: Windows 11 24H2, Ubuntu 24.04

Testing Methodology

Using the Windows / Linux testing script(s)

  • Running Set-MpPreference -DisableRealtimeMonitoring $true shows in the timeline view (screenshot attached)
  • Running the test script to create/modify/delete a service displays the events in the timeline view (screenshot attached)

Additional Notes

jonade, Nov 10 '25 16:11

Hi @jonade , thanks again for another contribution to this project! 🙏

QQ - I assume that these events are not searchable through the search query so they’ll be marked down as “partially”. Could you please confirm?

tsale, Nov 10 '25 16:11

@tsale I always struggle to decide what qualifies as a Yes, and what as a Partial, when it comes to the AH queries (despite the FAQ), so I tried to follow existing telemetry as a guidance.

For the agent stop, it appears in multiple tables: DeviceEvents for the PowerShell command and WMI calls, and DeviceRegistryEvents for the modification of the setting that resulted.

For the Service Modification, the events show in AH due to writing the service files, but I guessed this wouldn't meet the threshold (screenshot attached).

jonade, Nov 11 '25 11:11

Thanks for sharing this, and that’s a fair interpretation. For the Service Modification, you’re right that writing the service file under /etc/systemd/system/ shows up in AH due to file operations, but that alone wouldn’t qualify as implemented. To count as a Yes, we expect the product to capture the actual systemd or service configuration change event, not just the file write activity.

For a Partial label, we’re only looking for telemetry that directly represents the service modification action, such as a record showing a configuration change or systemd update. File creation or deletion events, even if part of the process, don’t qualify since they reflect generic file operations rather than the actual service modification.

Appreciate you double-checking and keeping the interpretation consistent across categories; it's one of the trickier ones.

tsale, Nov 11 '25 21:11
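The three kinds of Advanced Hunting records discussed in this thread (the Set-MpPreference command in DeviceEvents, the resulting registry change in DeviceRegistryEvents, and the Linux unit-file writes that only surface as generic file operations in DeviceFileEvents), pulled by one query so a contributor can see which table carries each test action. This is an added example and is not part of the pull request or the EDR-Telemetry project's own testing scripts. Assumptions: a 7-day lookback, the DisableRealtimeMonitoring value living under a registry key whose path contains "Windows Defender", and unit files under /etc/systemd/system only (the page does not mention other unit directories); adjust all three for your tenant.

```kql
// Added example (not the project's code): validate the MDE telemetry for the
// two tests in this thread from one Advanced Hunting query.
// Assumed: 7-day lookback; adjust for your tenant.
let lookback = 7d;
// 1. Windows "agent stop": the Set-MpPreference call itself (DeviceEvents).
//    Matched on the command line because the page does not state which
//    ActionType value MDE assigns to this event.
let agentStopCmd = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ProcessCommandLine contains "DisableRealtimeMonitoring"
         or InitiatingProcessCommandLine contains "DisableRealtimeMonitoring"
    | extend Source = "DeviceEvents",
             Detail = iff(isempty(ProcessCommandLine), InitiatingProcessCommandLine, ProcessCommandLine);
// 2. Windows "agent stop": the registry modification that results
//    (DeviceRegistryEvents). Assumed: the value is written under a key whose
//    path contains "Windows Defender".
let agentStopReg = DeviceRegistryEvents
    | where Timestamp > ago(lookback)
    | where RegistryValueName =~ "DisableRealtimeMonitoring"
    | where RegistryKey contains "Windows Defender"
    | extend Source = "DeviceRegistryEvents",
             Detail = strcat(RegistryKey, " = ", RegistryValueData);
// 3. Linux service modification: only generic file operations on the unit
//    files are visible here, which is why the thread does not count this as
//    service-modification telemetry. Assumed: units under /etc/systemd/system.
let svcUnitFiles = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where FolderPath startswith "/etc/systemd/system"
    | where FileName endswith ".service"
    | extend Source = "DeviceFileEvents",
             Detail = FolderPath;
union agentStopCmd, agentStopReg, svcUnitFiles
| project Timestamp, DeviceName, Source, ActionType, Detail, InitiatingProcessCommandLine
| sort by Timestamp desc
```

Run it shortly after executing both test steps on the enrolled Windows and Linux hosts. Rows from the first two sources are what the thread's "agent stop" evidence is based on; rows from the third source show file-operation telemetry only, so their presence alone does not justify a Partial or Yes for Service Modification under the criteria described above.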